The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_radius.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 26120db98034064bdc1926c0e3cf9c4b82f4c585 $
19 * @file rlm_radius.c
20 * @brief A RADIUS client library.
21 *
22 * @copyright 2016 The FreeRADIUS server project
23 * @copyright 2016 Network RADIUS SAS
24 */
25RCSID("$Id: 26120db98034064bdc1926c0e3cf9c4b82f4c585 $")
26
27#include <freeradius-devel/io/application.h>
28#include <freeradius-devel/server/modpriv.h>
29#include <freeradius-devel/unlang/xlat_func.h>
30#include <freeradius-devel/util/debug.h>
31#include <freeradius-devel/util/dlist.h>
32
33#include "rlm_radius.h"
34
35static int mode_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
36static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
37static int status_check_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
38static int status_check_update_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
39static int radius_fixups(rlm_radius_t const *inst, request_t *request);
40
47
52 { FR_CONF_OFFSET("num_answers_to_alive", rlm_radius_t, num_answers_to_alive), .dflt = STRINGIFY(3) },
53
55};
56
57/*
58 * Retransmission intervals for the packets we support.
59 */
61 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt), .dflt = STRINGIFY(2) },
62 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt), .dflt = STRINGIFY(16) },
63 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc), .dflt = STRINGIFY(5) },
64 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd), .dflt = STRINGIFY(30) },
66};
67
69 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt), .dflt = STRINGIFY(2) },
70 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt), .dflt = STRINGIFY(5) },
71 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc), .dflt = STRINGIFY(1) },
72 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd), .dflt = STRINGIFY(30) },
74};
75
77 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].irt), .dflt = STRINGIFY(2) },
78 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrt), .dflt = STRINGIFY(5) },
79 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrc), .dflt = STRINGIFY(5) },
80 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrd), .dflt = STRINGIFY(30) },
82};
83
85 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].irt), .dflt = STRINGIFY(2) },
86 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrt), .dflt = STRINGIFY(16) },
87 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrc), .dflt = STRINGIFY(5) },
88 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrd), .dflt = STRINGIFY(30) },
90};
91
93 { FR_CONF_OFFSET("initial_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt), .dflt = STRINGIFY(2) },
94 { FR_CONF_OFFSET("max_rtx_time", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt), .dflt = STRINGIFY(16) },
95 { FR_CONF_OFFSET("max_rtx_count", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc), .dflt = STRINGIFY(5) },
96 { FR_CONF_OFFSET("max_rtx_duration", rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd), .dflt = STRINGIFY(30) },
98};
99
105
106/*
107 * We only parse the pool options if we're connected.
108 */
110 { FR_CONF_POINTER("status_check", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_check_config },
111
112 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_radius_t, trunk_conf, trunk_config ) },
113
114 { FR_CONF_POINTER("udp", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OPTIONAL, NULL), .subcs = (void const *) transport_config },
115
116 { FR_CONF_POINTER("tcp", 0, CONF_FLAG_SUBSECTION | CONF_FLAG_OPTIONAL, NULL), .subcs = (void const *) transport_config },
117
119};
120
121/*
122 * We only parse the pool options if we're connected.
123 */
124static conf_parser_t const pool_config[] = {
125 { FR_CONF_POINTER("status_check", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_check_config },
126
127 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_radius_t, trunk_conf, trunk_config ) },
128
130};
131
132/*
133 * A mapping of configuration file names to internal variables.
134 */
135static conf_parser_t const module_config[] = {
136 { FR_CONF_OFFSET_FLAGS("mode", CONF_FLAG_REQUIRED, rlm_radius_t, mode), .func = mode_parse, .dflt = "proxy" },
137
139
141 .func = type_parse },
142
143 { FR_CONF_OFFSET("max_packet_size", rlm_radius_t, max_packet_size), .dflt = "4096" },
144 { FR_CONF_OFFSET("max_send_coalesce", rlm_radius_t, max_send_coalesce), .dflt = "1024" },
145
146 { FR_CONF_OFFSET("max_attributes", rlm_radius_t, max_attributes), .dflt = STRINGIFY(RADIUS_MAX_ATTRIBUTES) },
147
148 { FR_CONF_OFFSET("require_message_authenticator", rlm_radius_t, require_message_authenticator),
149 .func = cf_table_parse_int,
151 .dflt = "no" },
152
153 { FR_CONF_OFFSET("response_window", rlm_radius_t, response_window), .dflt = STRINGIFY(20) },
154
155 { FR_CONF_OFFSET("zombie_period", rlm_radius_t, zombie_period), .dflt = STRINGIFY(40) },
156
157 { FR_CONF_OFFSET("revive_interval", rlm_radius_t, revive_interval) },
158
159 { FR_CONF_OFFSET("home_server_lifetime", rlm_radius_t, home_server_lifetime) },
160
162};
163
165 [FR_RADIUS_CODE_ACCESS_REQUEST] = { FR_CONF_POINTER("Access-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config },
166
167 [FR_RADIUS_CODE_ACCOUNTING_REQUEST] = { FR_CONF_POINTER("Accounting-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) acct_config },
168 [FR_RADIUS_CODE_STATUS_SERVER] = { FR_CONF_POINTER("Status-Server", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) status_config },
169 [FR_RADIUS_CODE_COA_REQUEST] = { FR_CONF_POINTER("CoA-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) coa_config },
170 [FR_RADIUS_CODE_DISCONNECT_REQUEST] = { FR_CONF_POINTER("Disconnect-Request", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) disconnect_config },
171};
172
173static fr_dict_t const *dict_radius;
174
177 { .out = &dict_radius, .proto = "radius" },
178 { NULL }
179};
180
185
195
198 { .out = &attr_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
199 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
200 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius },
201 { .out = &attr_proxy_state, .name = "Proxy-State", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
202
203 { .out = &attr_error_cause, .name = "Error-Cause", .type = FR_TYPE_UINT32, .dict = &dict_radius },
204 { .out = &attr_event_timestamp, .name = "Event-Timestamp", .type = FR_TYPE_DATE, .dict = &dict_radius},
205 { .out = &attr_extended_attribute_1, .name = "Extended-Attribute-1", .type = FR_TYPE_TLV, .dict = &dict_radius},
206 { .out = &attr_message_authenticator, .name = "Message-Authenticator", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
207 { .out = &attr_eap_message, .name = "EAP-Message", .type = FR_TYPE_OCTETS, .dict = &dict_radius},
208 { .out = &attr_nas_identifier, .name = "NAS-Identifier", .type = FR_TYPE_STRING, .dict = &dict_radius},
209 { .out = &attr_original_packet_code, .name = "Extended-Attribute-1.Original-Packet-Code", .type = FR_TYPE_UINT32, .dict = &dict_radius},
210 { .out = &attr_response_length, .name = "Extended-Attribute-1.Response-Length", .type = FR_TYPE_UINT32, .dict = &dict_radius },
211 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius},
212
213 { NULL }
214};
215
216#include "bio.c"
217
219 { L("client"), RLM_RADIUS_MODE_CLIENT },
220 { L("dynamic-proxy"), RLM_RADIUS_MODE_XLAT_PROXY },
221 { L("proxy"), RLM_RADIUS_MODE_PROXY },
222 { L("replicate"), RLM_RADIUS_MODE_REPLICATE },
223 { L("unconnected-replicate"), RLM_RADIUS_MODE_UNCONNECTED_REPLICATE },
224};
226
227
228/** Set the mode of operation
229 *
230 * @param[in] ctx to allocate data in (instance of rlm_radius).
231 * @param[out] out Where to write the parsed data.
232 * @param[in] parent Base structure address.
233 * @param[in] ci #CONF_PAIR specifying the name of the type module.
234 * @param[in] rule unused.
235 * @return
236 * - 0 on success.
237 * - -1 on failure.
238 */
239static int mode_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent,
240 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
241{
242 char const *name = cf_pair_value(cf_item_to_pair(ci));
244 rlm_radius_t *inst = talloc_get_type_abort(parent, rlm_radius_t);
246
248
249 if (mode == RLM_RADIUS_MODE_INVALID) {
250 cf_log_err(ci, "Invalid mode name \"%s\"", name);
251 return -1;
252 }
253
254 *(rlm_radius_mode_t *) out = mode;
255
256 /*
257 * Normally we want connected sockets, in which case we push additional configuration for
258 * connected sockets.
259 */
260 switch (mode) {
261 default:
262 inst->fd_config.type = FR_BIO_FD_CONNECTED;
263
264 if (cf_section_rules_push(cs, connected_config) < 0) return -1;
265 break;
266
268 inst->fd_config.type = FR_BIO_FD_UNCONNECTED; /* reset later when the home server is allocated */
269
270 if (cf_section_rules_push(cs, pool_config) < 0) return -1;
271 break;
272
274 inst->fd_config.type = FR_BIO_FD_UNCONNECTED;
275 break;
276 }
277
278 return 0;
279}
280
281
282/** Set which types of packets we can parse
283 *
284 * @param[in] ctx to allocate data in (instance of rlm_radius).
285 * @param[out] out Where to write the parsed data.
286 * @param[in] parent Base structure address.
287 * @param[in] ci #CONF_PAIR specifying the name of the type module.
288 * @param[in] rule unused.
289 * @return
290 * - 0 on success.
291 * - -1 on failure.
292 */
293static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
294 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
295{
296 char const *type_str = cf_pair_value(cf_item_to_pair(ci));
298 fr_dict_enum_value_t const *type_enum;
299 uint32_t code;
300
301 /*
302 * Must be the RADIUS module
303 */
304 fr_assert(cs && (strcmp(cf_section_name1(cs), "radius") == 0));
305
306 /*
307 * Allow the process module to be specified by
308 * packet type.
309 */
310 type_enum = fr_dict_enum_by_name(attr_packet_type, type_str, -1);
311 if (!type_enum) {
312 invalid_code:
313 cf_log_err(ci, "Unknown or invalid RADIUS packet type '%s'", type_str);
314 return -1;
315 }
316
317 code = type_enum->value->vb_uint32;
318
319 /*
320 * Status-Server packets cannot be proxied.
321 */
322 if (code == FR_RADIUS_CODE_STATUS_SERVER) {
323 cf_log_err(ci, "Invalid setting of 'type = Status-Server'. Status-Server packets cannot be proxied.");
324 return -1;
325 }
326
327 if (!code ||
328 (code >= FR_RADIUS_CODE_MAX) ||
329 (!type_interval_config[code].name1)) goto invalid_code;
330
331 /*
332 * If we're doing async proxying, push the timers for the
333 * various packet types.
334 */
336
337 *(uint32_t *) out = code;
338
339 return 0;
340}
341
342/** Allow for Status-Server ping checks
343 *
344 * @param[in] ctx to allocate data in (instance of proto_radius).
345 * @param[out] out Where to write our parsed data.
346 * @param[in] parent Base structure address.
347 * @param[in] ci #CONF_PAIR specifying the name of the type module.
348 * @param[in] rule unused.
349 * @return
350 * - 0 on success.
351 * - -1 on failure.
352 */
353static int status_check_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
354 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
355{
356 char const *type_str = cf_pair_value(cf_item_to_pair(ci));
358 fr_dict_enum_value_t const *type_enum;
359 uint32_t code;
360
361 /*
362 * Allow the process module to be specified by
363 * packet type.
364 */
365 type_enum = fr_dict_enum_by_name(attr_packet_type, type_str, -1);
366 if (!type_enum) {
367 invalid_code:
368 cf_log_err(ci, "Unknown or invalid RADIUS packet type '%s'", type_str);
369 return -1;
370 }
371
372 code = type_enum->value->vb_uint32;
373
374 /*
375 * Cheat, and reuse the "type" array for allowed packet
376 * types.
377 */
378 if (!code ||
379 (code >= FR_RADIUS_CODE_MAX) ||
380 (!type_interval_config[code].name1)) goto invalid_code;
381
382 /*
383 * Add irt / mrt / mrd / mrc parsing, in the parent
384 * configuration section.
385 */
387
388 memcpy(out, &code, sizeof(code));
389
390 /*
391 * Nothing more to do here, so we stop.
392 */
393 if (code == FR_RADIUS_CODE_STATUS_SERVER) return 0;
394
396
397 return 0;
398}
399
400static int status_check_verify(map_t *map, void *ctx)
401{
403 fr_dict_attr_t const *da;
404
406
407 if (unlang_fixup_update(map, NULL) < 0) return -1;
408
409 if (!map->rhs) return 0;
410
411 if (tmpl_is_xlat(map->rhs)) {
412 if (xlat_impure_func(tmpl_xlat(map->rhs))) {
413 invalid_xlat:
414 cf_log_err(map->ci, "Cannot assign dynamic values here");
415 return -1;
416 }
417 } else if (!tmpl_is_data(map->rhs)) {
418 goto invalid_xlat;
419 }
420
421 da = tmpl_attr_tail_da(map->lhs);
422
423 /*
424 * Ignore internal attributes.
425 */
426 if (da->flags.internal) {
427 cf_log_err(map->ci, "Cannot use internal attributes");
428 return -1;
429 }
430
431 /*
432 * Ignore signalling attributes. They shouldn't exist.
433 */
434 if ((da == attr_proxy_state) ||
436 cannot_use:
437 cf_log_err(map->ci, "Cannot use %s here.", da->name);
438 return -1;
439 }
440
441 /*
442 * Allow passwords only in Access-Request packets.
443 */
444 if ((inst->status_check != FR_RADIUS_CODE_ACCESS_REQUEST) &&
445 ((da == attr_user_password) || (da == attr_chap_password) || (da == attr_eap_message))) {
446 goto cannot_use;
447 }
448
449 return 0;
450}
451
452/** Allow the admin to set packet contents for Status-Server ping checks
453 *
454 * @param[in] ctx to allocate data in (instance of proto_radius).
455 * @param[out] out Where to write our parsed data
456 * @param[in] parent Base structure address.
457 * @param[in] ci #CONF_SECTION specifying the things to update
458 * @param[in] rule unused.
459 * @return
460 * - 0 on success.
461 * - -1 on failure.
462 */
463static int status_check_update_parse(TALLOC_CTX *ctx, void *out, void *parent,
464 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
465{
466 int rcode;
467 CONF_SECTION *cs;
468 char const *name2;
469 map_list_t *head = (map_list_t *)out;
470
472 map_list_init(head);
473
474 cs = cf_item_to_section(ci);
475 name2 = cf_section_name2(cs);
476 if (name2 && (strcmp(name2, "request") != 0)) {
477 cf_log_err(cs, "Only 'request' can be specified as the destination list");
478 return -1;
479 }
480
481 /*
482 * Compile the "update" section.
483 */
484 {
485 tmpl_rules_t parse_rules = {
486 .attr = {
488 .namespace = fr_dict_root(dict_radius),
489 .list_def = request_attr_request,
490 .list_presence = TMPL_ATTR_LIST_FORBID,
491 },
492 .literals_safe_for = FR_VALUE_BOX_SAFE_FOR_ANY,
493 };
494
495 rcode = map_afrom_cs(ctx, head, cs, &parse_rules, &parse_rules, status_check_verify, parent, 128);
496 if (rcode < 0) return -1; /* message already printed */
497 if (map_list_empty(head)) {
498 cf_log_err(cs, "Invalid configuration - status check packets cannot be empty");
499 return -1;
500 }
501 }
502
503 /*
504 * Rely on "bootstrap" to do sanity checks between 'type
505 * = Access-Request', and 'update' containing passwords.
506 */
507 return 0;
508}
509
510
511/** Do any RADIUS-layer fixups for proxying.
512 *
513 */
514static int radius_fixups(rlm_radius_t const *inst, request_t *request)
515{
516 fr_pair_t *vp;
517
518 if (request->packet->code == FR_RADIUS_CODE_STATUS_SERVER) {
519 RWDEBUG("Status-Server is reserved for internal use, and cannot be sent manually.");
520 return 0;
521 }
522
523 if (!inst->allowed[request->packet->code]) {
524 REDEBUG("Packet code %s is disallowed by the configuration",
525 fr_radius_packet_name[request->packet->code]);
526 return -1;
527 }
528
529 /*
530 * Check for proxy loops.
531 *
532 * There should _never_ be two instances of the same Proxy-State in the packet.
533 */
534 if ((inst->mode == RLM_RADIUS_MODE_PROXY) && RDEBUG_ENABLED) {
535 unsigned int count = 0;
536 fr_dcursor_t cursor;
537
538 for (vp = fr_pair_dcursor_by_da_init(&cursor, &request->request_pairs, attr_proxy_state);
539 vp;
540 vp = fr_dcursor_next(&cursor)) {
541 if (vp->vp_length != sizeof(inst->common_ctx.proxy_state)) continue;
542
543 if (memcmp(vp->vp_octets, &inst->common_ctx.proxy_state,
544 sizeof(inst->common_ctx.proxy_state)) == 0) {
545
546 /*
547 * Cancel proxying when there are two instances of the same Proxy-State
548 * in the packet. This limitation could be configurable, but it likely
549 * doesn't make sense to make it configurable.
550 */
551 if (count == 1) {
552 RWARN("Canceling proxy due to loop of multiple %pV", vp);
553 return -1;
554 }
555
556 RWARN("Proxied packet contains our own %pV", vp);
557 RWARN("Check if there is a proxy loop. Perhaps the server has been configured to proxy to itself.");
558 count++;
559 }
560 }
561 }
562
563 if (request->packet->code != FR_RADIUS_CODE_ACCESS_REQUEST) return 0;
564
565 if (fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password) &&
566 !fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_challenge)) {
568 fr_pair_value_memdup(vp, request->packet->vector, sizeof(request->packet->vector), true);
569 }
570
571 return 0;
572}
573
574
575/** Send packets outbound.
576 *
577 */
578static unlang_action_t CC_HINT(nonnull) mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
579{
581 bio_thread_t *thread = talloc_get_type_abort(mctx->thread, bio_thread_t);
582 fr_client_t *client;
583 int rcode;
584 bio_request_t *u = NULL;
585 fr_retry_config_t const *retry_config = NULL;
586
587 if (!request->packet->code) {
588 REDEBUG("You MUST specify a packet code");
590 }
591
592 if ((request->packet->code >= FR_RADIUS_CODE_MAX) ||
593 !fr_time_delta_ispos(inst->retry[request->packet->code].irt)) { /* can't be zero */
594 REDEBUG("Invalid packet code %u", request->packet->code);
596 }
597
598 /*
599 * Unconnected sockets use %radius.replicate(ip, port, secret),
600 * or %radius.sendto(ip, port, secret)
601 */
603 (inst->mode == RLM_RADIUS_MODE_XLAT_PROXY)) {
604 REDEBUG("When using 'mode = unconnected-*', this module cannot be used in-place. Instead, it must be called via a function call");
606 }
607
608 client = client_from_request(request);
609 if (client && client->dynamic && !client->active) {
610 REDEBUG("Cannot proxy packets which define dynamic clients");
612 }
613
614 /*
615 * Push the request and it's data to the IO submodule.
616 *
617 * This may return YIELD, for "please yield", or it may
618 * return another code which indicates what happened to
619 * the request...
620 */
621 rcode = mod_enqueue(&u, &retry_config, inst, thread->ctx.trunk, request);
622 if (rcode == 0) RETURN_UNLANG_NOOP;
623 if (rcode < 0) RETURN_UNLANG_FAIL;
624
626}
627
628
629static int mod_instantiate(module_inst_ctx_t const *mctx)
630{
631 size_t i, num_types;
632 rlm_radius_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
633 CONF_SECTION *conf = mctx->mi->conf;
634
635 inst->name = mctx->mi->name;
636 inst->received_message_authenticator = talloc_zero(NULL, bool); /* Allocated outside of inst to default protection */
637
638 /*
639 * Replication is write-only, and append by default.
640 */
641 if (inst->mode == RLM_RADIUS_MODE_REPLICATE) {
642 if (inst->fd_config.filename && (inst->fd_config.flags != O_WRONLY)) {
643 cf_log_info(conf, "Setting 'flags = write-only' for writing to a file");
644 }
645 inst->fd_config.flags = O_WRONLY | O_APPEND;
646
647 } else if (inst->fd_config.filename) {
648 cf_log_err(conf, "When using an output 'filename', you MUST set 'mode = replicate'");
649 return -1;
650
651 } else {
652 /*
653 * All other IO is read+write.
654 */
655 inst->fd_config.flags = O_RDWR;
656 }
657
658 if (fr_bio_fd_check_config(&inst->fd_config) < 0) {
659 cf_log_perr(conf, "Invalid configuration");
660 return -1;
661 }
662
663 /*
664 * Clamp max_packet_size first before checking recv_buff and send_buff
665 */
666 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 64);
667 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
668
669 /*
670 * Check invalid configurations.
671 */
672 switch (inst->mode) {
673 default:
674 /*
675 * Filenames are write-only, and cannot get response packets.
676 */
677 if (inst->fd_config.filename) {
678 cf_log_err(conf, "Cannot set 'filename' here - it is only supported for 'mode=replicate'");
679 return -1;
680 }
681
682 /*
683 * When we expect replies, we need to be able to open multiple source ports. So the
684 * admin can't force a particular source port.
685 */
686 if (inst->fd_config.src_port) {
687 cf_log_err(conf, "Cannot 'src_port' here - it can only be set for replicating packets");
688 return -1;
689 }
690
691 /*
692 * Encorce limits per trunk, due to the 8-bit ID space.
693 */
694 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, >=, 2);
695 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, <=, 255);
696 FR_INTEGER_BOUND_CHECK("trunk.per_connection_target", inst->trunk_conf.target_req_per_conn, <=, inst->trunk_conf.max_req_per_conn / 2);
697
698 /*
699 * This only applies for XLAT_PROXY, but what the heck.
700 */
701 FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, >=, fr_time_delta_from_sec(10));
702 FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, <=, fr_time_delta_from_sec(3600));
703
704 /*
705 * No src_port range, we don't need to check any other settings.
706 */
707 if (!inst->fd_config.src_port_start && !inst->fd_config.src_port_end) break;
708
709 if (inst->fd_config.path) {
710 cf_log_err(conf, "Cannot set 'src_port_start' or 'src_port_end' for outgoing Unix sockets");
711 return -1;
712 }
713
714 /*
715 * Cross-check src_port, src_port_start, and src_port_end.
716 */
717 if (inst->fd_config.src_port_start) {
718 if (!inst->fd_config.src_port_end) {
719 cf_log_err(conf, "Range has 'src_port_start', but is missing 'src_port_end'");
720 return -1;
721 }
722
723 if (inst->fd_config.src_port_start >= inst->fd_config.src_port_end) {
724 cf_log_err(conf, "Range has invalid values for 'src_port_start' ... 'src_port_end'");
725 return -1;
726 }
727
728 } else if (inst->fd_config.src_port_end) {
729 cf_log_err(conf, "Range has 'src_port_end', but is missing 'src_port_start'");
730 return -1;
731 }
732
733 /*
734 * The source port range is split by worker - so there needs to be sufficient for at least
735 * one per worker.
736 */
737 if ((inst->fd_config.src_port_end - inst->fd_config.src_port_start + 1) < (int) main_config->max_workers) {
738 cf_log_perr(conf, "src_port_start / end range is not enough for %u worker threads",
740 return -1;
741 }
742
743 /*
744 * If there is a limited source port range, then set the reuse port flag. This lets us
745 * bind multiple sockets to the same port before we connect() them.
746 */
747 inst->fd_config.reuse_port = 1;
748 break;
749
751 /*
752 * Replication to dynamic filenames or dynamic unix sockets isn't supported.
753 */
754 if (inst->fd_config.filename || inst->fd_config.path) {
755 cf_log_err(conf, "Cannot set 'filename' or 'path' when using 'mode=unconnected-replicate'");
756 return -1;
757 }
758
759 /*
760 * Unconnected replicate has to use UDP.
761 */
762 if (inst->fd_config.socket_type != SOCK_DGRAM) {
763 cf_log_err(conf, "Cannot use TCP sockets with 'mode=unconnected-replicate'");
764 return -1;
765 }
766
768
770 /*
771 * We can force the source port, but then we have to set SO_REUSEPORT.
772 */
773 inst->fd_config.reuse_port = (inst->fd_config.src_port != 0);
774
775 /*
776 * Files and unix sockets are OK. The src_port can be set (or not), and that's fine.
777 */
778 if (inst->fd_config.src_port_start || inst->fd_config.src_port_end) {
779 cf_log_err(conf, "Cannot set 'src_port_start' or 'src_port_end' when replicating packets");
780 return -1;
781 }
782 break;
783 }
784
785 /*
786 * We allow what may otherwise be conflicting configurations, because the BIO code will pick one
787 * path, and the conflicts won't affect anything else. Only the src_port range is special.
788 */
789
790 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, >=, fr_time_delta_from_sec(1));
791 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, <=, fr_time_delta_from_sec(120));
792
793 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, >=, fr_time_delta_from_sec(1));
794 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, <=, fr_time_delta_from_sec(120));
795
796 if (!inst->status_check) {
797 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, >=, fr_time_delta_from_sec(10));
798 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, <=, fr_time_delta_from_sec(3600));
799 }
800
801 num_types = talloc_array_length(inst->types);
802 fr_assert(num_types > 0);
803
804 inst->timeout_retry = (fr_retry_config_t) {
805 .mrc = 1,
806 .mrd = inst->response_window,
807 };
808
809 inst->common_ctx = (fr_radius_ctx_t) {
810 .secret = inst->secret,
811 .secret_length = inst->secret ? talloc_array_length(inst->secret) - 1 : 0,
812 .proxy_state = ((uint64_t) fr_rand()) << 32 | fr_rand(),
813 };
814
815 /*
816 * Allow for O(1) lookup later...
817 */
818 for (i = 0; i < num_types; i++) {
819 uint32_t code;
820
821 code = inst->types[i];
822 fr_assert(code > 0);
824
825 inst->allowed[code] = true;
826 }
827
828 fr_assert(inst->status_check < FR_RADIUS_CODE_MAX);
829
830 /*
831 * If we're replicating, we don't care if the other end
832 * is alive.
833 */
834 if (inst->status_check) {
835 if (inst->mode == RLM_RADIUS_MODE_REPLICATE) {
836 cf_log_warn(conf, "Ignoring 'status_check = %s' due to 'mode = replicate'",
837 fr_radius_packet_name[inst->status_check]);
838 inst->status_check = false;
839
840 } else if ((inst->mode == RLM_RADIUS_MODE_UNCONNECTED_REPLICATE) ||
841 (inst->mode == RLM_RADIUS_MODE_XLAT_PROXY)) {
842 cf_log_warn(conf, "Ignoring 'status_check = %s' due to 'mode' setting",
843 fr_radius_packet_name[inst->status_check]);
844 inst->status_check = false;
845 }
846 }
847
848 /*
849 * If we have status checks, then do some sanity checks.
850 * Status-Server is always allowed. Otherwise, the
851 * status checks have to match one of the allowed
852 * packets.
853 */
854 if (inst->status_check) {
855 if (inst->status_check == FR_RADIUS_CODE_STATUS_SERVER) {
856 inst->allowed[inst->status_check] = true;
857
858 } else if (!inst->allowed[inst->status_check]) {
859 cf_log_err(conf, "Using 'status_check = %s' requires also 'type = %s'",
860 fr_radius_packet_name[inst->status_check], fr_radius_packet_name[inst->status_check]);
861 return -1;
862 }
863
864 /*
865 * @todo - check the contents of the "update"
866 * section, to be sure that (e.g.) Access-Request
867 * contains User-Name, etc.
868 */
869
870 if (inst->fd_config.filename) {
871 cf_log_info(conf, "Disabling status checks for output file %s", inst->fd_config.filename);
872 inst->status_check = 0;
873 }
874 }
875
876 /*
877 * Files and unix sockets can just have us call write().
878 */
879 if (inst->fd_config.filename || inst->fd_config.path) {
880 inst->max_send_coalesce = 1;
881 }
882
883 inst->trunk_conf.req_pool_headers = 4; /* One for the request, one for the buffer, one for the tracking binding, one for Proxy-State VP */
884 inst->trunk_conf.req_pool_size = 1024 + sizeof(fr_pair_t) + 20;
885
886 if (inst->trunk_conf.conn_triggers) {
888 char *server = NULL;
889
891 .module = mctx->mi->module->name,
892 .name = inst->name
893 };
894
895 /*
896 * Only client and proxy mode have fixed destinations
897 */
898 if ((inst->mode == RLM_RADIUS_MODE_CLIENT) || (inst->mode == RLM_RADIUS_MODE_PROXY)) {
899 fr_value_box_aprint(inst, &server, fr_box_ipaddr(inst->fd_config.dst_ipaddr), NULL);
900 args.server = server;
901 args.port = inst->fd_config.dst_port;
902 }
903
904 MEM(inst->trigger_args = fr_pair_list_alloc(inst));
905 if (module_trigger_args_build(inst->trigger_args, inst->trigger_args,
906 cf_section_find(conf, "pool", NULL), &args) < 0) return -1;
907 }
908
909 /*
910 * Only check the async timers when we're acting as a client.
911 */
912 if (inst->mode != RLM_RADIUS_MODE_CLIENT) {
913 return 0;
914 }
915
916 /*
917 * Set limits on retransmission timers
918 */
919 if (inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) {
920 FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, >=, fr_time_delta_from_sec(1));
921 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
922 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1);
923 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
924
925 FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(15));
926 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
927 FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10);
928 FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(90));
929 }
930
931 /*
932 * Note that RFC 5080 allows for Accounting-Request to
933 * have mrt=mrc=mrd = 0, which means "retransmit
934 * forever". We allow that, with the restriction that
935 * the server core will automatically free the request at
936 * request.timeout.
937 */
939 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, >=, fr_time_delta_from_sec(1));
940#if 0
941 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
942 FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, >=, 0);
943 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, >=, fr_time_delta_from_sec(0));
944#endif
945
946 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, <=, fr_time_delta_from_sec(5));
947 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
948 FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, <=, 10);
949 FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
950 }
951
952 /*
953 * Status-Server
954 */
955 if (inst->allowed[FR_RADIUS_CODE_STATUS_SERVER]) {
956 FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, >=, fr_time_delta_from_sec(1));
957 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, >=, fr_time_delta_from_sec(5));
958 FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, >=, 1);
959 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, >=, fr_time_delta_from_sec(5));
960
961 FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, <=, fr_time_delta_from_sec(5));
962 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, <=, fr_time_delta_from_sec(30));
963 FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, <=, 10);
964 FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, <=, fr_time_delta_from_sec(30));
965 }
966
967 /*
968 * CoA
969 */
970 if (inst->allowed[FR_RADIUS_CODE_COA_REQUEST]) {
971 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, >=, fr_time_delta_from_sec(1));
972 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
973 FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, >=, 1);
974 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
975
976 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, <=, fr_time_delta_from_sec(5));
977 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, <=, fr_time_delta_from_sec(60));
978 FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, <=, 10);
979 FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
980 }
981
982 /*
983 * Disconnect
984 */
986 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, >=, fr_time_delta_from_sec(1));
987 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, >=, fr_time_delta_from_sec(5));
988 FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, >=, 1);
989 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, >=, fr_time_delta_from_sec(5));
990
991 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, <=, fr_time_delta_from_sec(5));
992 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, <=, fr_time_delta_from_sec(30));
993 FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, <=, 10);
994 FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, <=, fr_time_delta_from_sec(30));
995 }
996
997 return 0;
998}
999
1000static int mod_bootstrap(module_inst_ctx_t const *mctx)
1001{
1002 xlat_t *xlat;
1003 rlm_radius_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
1004
1005 switch (inst->mode) {
1007 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "sendto.ipaddr", xlat_radius_replicate, FR_TYPE_VOID);
1009 break;
1010
1012 xlat = module_rlm_xlat_register(mctx->mi->boot, mctx, "sendto.ipaddr", xlat_radius_client, FR_TYPE_UINT32);
1014 break;
1015
1016 default:
1017 break;
1018 }
1019
1020 return 0;
1021}
1022
1023
1024static int mod_detach(module_detach_ctx_t const *mctx)
1025{
1026 rlm_radius_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_radius_t);
1027
1028 talloc_free(inst->received_message_authenticator);
1029 return 0;
1030}
1031
1032static int mod_load(void)
1033{
1034 if (fr_radius_global_init() < 0) {
1035 PERROR("Failed initialising protocol library");
1036 return -1;
1037 }
1038 return 0;
1039}
1040
1041static void mod_unload(void)
1042{
1044}
1045
1046/*
1047 * The module name should be the only globally exported symbol.
1048 * That is, everything else should be 'static'.
1049 *
1050 * If the module needs to temporarily modify it's instantiation
1051 * data, the type should be changed to MODULE_TYPE_THREAD_UNSAFE.
1052 * The server will then take care of ensuring that the module
1053 * is single-threaded.
1054 */
1057 .common = {
1058 .magic = MODULE_MAGIC_INIT,
1059 .name = "radius",
1060 .inst_size = sizeof(rlm_radius_t),
1062 .dict = &dict_radius,
1063
1064 .onload = mod_load,
1065 .unload = mod_unload,
1066
1067 .bootstrap = mod_bootstrap,
1068 .instantiate = mod_instantiate,
1069 .detach = mod_detach,
1070
1071 .thread_inst_size = sizeof(bio_thread_t),
1072 .thread_inst_type = "bio_thread_t",
1073 .thread_instantiate = mod_thread_instantiate,
1074 },
1075 .method_group = {
1076 .bindings = (module_method_binding_t[]){
1077 { .section = SECTION_NAME(CF_IDENT_ANY, CF_IDENT_ANY), .method = mod_process },
1079 },
1080 }
1081};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
va_list args
Definition acutest.h:770
#define RCSID(id)
Definition build.h:485
#define L(_str)
Helper for initialising arrays of string literals.
Definition build.h:209
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define STRINGIFY(x)
Definition build.h:197
#define UNUSED
Definition build.h:317
#define NUM_ELEMENTS(_t)
Definition build.h:339
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition cf_parse.c:1633
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:614
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
char const * name2
Second identifier for CONF_SECTION.
Definition cf_parse.h:599
#define cf_section_rules_push(_cs, _rule)
Definition cf_parse.h:692
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:337
#define cf_section_rule_push(_cs, _rule)
Definition cf_parse.h:690
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:271
#define FR_CONF_OFFSET_REF(_struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:324
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:312
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:531
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:432
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:449
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition cf_parse.h:450
@ CONF_FLAG_OPTIONAL
subsection is pushed only if a non-optional matching one is pushed
Definition cf_parse.h:461
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:426
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
Common header for all CONF_* types.
Definition cf_priv.h:49
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
char const * cf_section_name1(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1170
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
bool cf_item_is_section(CONF_ITEM const *ci)
Determine if CONF_ITEM is a CONF_SECTION.
Definition cf_util.c:617
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1581
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
#define cf_log_info(_cf, _fmt,...)
Definition cf_util.h:288
#define cf_parent(_cf)
Definition cf_util.h:101
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:293
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:287
#define CF_IDENT_ANY
Definition cf_util.h:78
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advanced the cursor to the next item.
Definition dcursor.h:290
#define MEM(x)
Definition debug.h:36
@ FR_RADIUS_CODE_ACCESS_REQUEST
RFC2865 - Access-Request.
Definition defs.h:33
@ FR_RADIUS_CODE_DISCONNECT_REQUEST
RFC3575/RFC5176 - Disconnect-Request.
Definition defs.h:46
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
@ FR_RADIUS_CODE_COA_REQUEST
RFC3575/RFC5176 - CoA-Request.
Definition defs.h:49
@ FR_RADIUS_CODE_ACCOUNTING_REQUEST
RFC2866 - Accounting-Request.
Definition defs.h:36
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2496
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:287
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:300
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:250
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3532
Specifies an attribute which must be present for the module to function.
Definition dict.h:286
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:299
Value of an enumerated attribute.
Definition dict.h:246
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
@ FR_BIO_FD_CONNECTED
connected client sockets (UDP or TCP)
Definition fd.h:68
@ FR_BIO_FD_UNCONNECTED
unconnected UDP / datagram only
Definition fd.h:65
const conf_parser_t fr_bio_fd_client_config[]
Definition fd_config.c:271
int fr_bio_fd_check_config(fr_bio_fd_config_t const *cfg)
Checks the configuration without modifying anything.
Definition fd_open.c:927
bool active
for dynamic clients
Definition client.h:119
bool dynamic
Whether the client was dynamically defined.
Definition client.h:118
Describes a host allowed to send packets to the server.
Definition client.h:80
#define PERROR(_fmt,...)
Definition log.h:228
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RWARN(fmt,...)
Definition log.h:297
int map_afrom_cs(TALLOC_CTX *ctx, map_list_t *out, CONF_SECTION *cs, tmpl_rules_t const *lhs_rules, tmpl_rules_t const *rhs_rules, map_validate_t validate, void *uctx, unsigned int max)
Convert a config section into an attribute map.
Definition map.c:1131
talloc_free(reap)
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
uint32_t max_workers
for the scheduler
@ FR_TYPE_TLV
Contains nested attributes.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
int unlang_fixup_update(map_t *map, void *ctx)
Validate and fixup a map that's part of an update section.
Definition compile.c:350
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
void * thread
Thread specific instance data.
Definition module_ctx.h:43
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
Definition module_rlm.c:247
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
static int mod_enqueue(bio_request_t **p_u, fr_retry_config_t const **p_retry_config, rlm_radius_t const *inst, trunk_t *trunk, request_t *request)
Definition bio.c:2507
static void mod_retry(module_ctx_t const *mctx, request_t *request, fr_retry_t const *retry)
Handle module retries.
Definition bio.c:1539
bio_handle_ctx_t ctx
common struct for home servers and BIO handles
Definition bio.c:58
static xlat_action_t xlat_radius_replicate(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2764
static xlat_action_t xlat_radius_client(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Definition bio.c:2914
trunk_t * trunk
trunk handler
Definition bio.c:50
static unlang_action_t mod_resume(unlang_result_t *p_result, module_ctx_t const *mctx, UNUSED request_t *request)
Resume execution of the request, returning the rcode set during trunk execution.
Definition bio.c:2416
static xlat_arg_parser_t const xlat_radius_send_args[]
Definition bio.c:2754
Connect request_t to local tracking structure.
Definition bio.c:115
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2940
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:700
fr_pair_list_t * fr_pair_list_alloc(TALLOC_CTX *ctx)
Allocate a new pair list on the heap.
Definition pair.c:119
static const conf_parser_t config[]
Definition base.c:186
size_t fr_radius_require_ma_table_len
Definition base.c:92
int fr_radius_global_init(void)
Definition base.c:1235
void fr_radius_global_free(void)
Definition base.c:1259
fr_table_num_sorted_t const fr_radius_require_ma_table[]
Definition base.c:85
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:114
Functions to support RADIUS bio handlers.
#define fr_assert(_expr)
Definition rad_assert.h:38
static fr_bio_fd_config_t fd_config
static char * secret
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG_ENABLED()
Definition radclient.h:49
#define RADIUS_MAX_ATTRIBUTES
Definition radius.h:40
static rs_t * conf
Definition radsniff.c:53
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:105
#define RETURN_UNLANG_FAIL
Definition rcode.h:59
#define RETURN_UNLANG_NOOP
Definition rcode.h:65
fr_dict_attr_t const * request_attr_request
Definition request.c:43
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
static conf_parser_t coa_config[]
Definition rlm_radius.c:84
static conf_parser_t disconnect_config[]
Definition rlm_radius.c:92
static int status_check_type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static int mod_detach(module_detach_ctx_t const *mctx)
static int mod_load(void)
static fr_dict_attr_t const * attr_packet_type
Definition rlm_radius.c:183
static fr_dict_attr_t const * attr_user_password
Definition rlm_radius.c:194
static fr_dict_attr_t const * attr_eap_message
Definition rlm_radius.c:190
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static conf_parser_t const pool_config[]
Definition rlm_radius.c:124
static fr_dict_attr_t const * attr_chap_password
Definition rlm_radius.c:182
static int status_check_verify(map_t *map, void *ctx)
Definition rlm_radius.c:400
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Send packets outbound.
Definition rlm_radius.c:578
static fr_dict_t const * dict_radius
Definition rlm_radius.c:173
static int mod_bootstrap(module_inst_ctx_t const *mctx)
static fr_dict_attr_t const * attr_chap_challenge
Definition rlm_radius.c:181
static conf_parser_t status_config[]
Definition rlm_radius.c:76
fr_dict_attr_autoload_t rlm_radius_dict_attr[]
Definition rlm_radius.c:197
static fr_dict_attr_t const * attr_extended_attribute_1
Definition rlm_radius.c:188
static fr_dict_attr_t const * attr_error_cause
Definition rlm_radius.c:186
static void mod_unload(void)
static fr_dict_attr_t const * attr_proxy_state
Definition rlm_radius.c:184
static int radius_fixups(rlm_radius_t const *inst, request_t *request)
Do any RADIUS-layer fixups for proxying.
Definition rlm_radius.c:514
static fr_dict_attr_t const * attr_nas_identifier
Definition rlm_radius.c:191
static conf_parser_t const type_interval_config[FR_RADIUS_CODE_MAX]
Definition rlm_radius.c:164
static conf_parser_t auth_config[]
Definition rlm_radius.c:60
static int mode_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
module_rlm_t rlm_radius
fr_dict_autoload_t rlm_radius_dict[]
Definition rlm_radius.c:176
static conf_parser_t const transport_config[]
Definition rlm_radius.c:100
static int status_check_update_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
static fr_dict_attr_t const * attr_original_packet_code
Definition rlm_radius.c:192
static fr_dict_attr_t const * attr_event_timestamp
Definition rlm_radius.c:187
static conf_parser_t const status_check_update_config[]
Definition rlm_radius.c:48
static fr_dict_attr_t const * attr_response_length
Definition rlm_radius.c:193
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_radius.c:629
static conf_parser_t const status_check_config[]
Definition rlm_radius.c:41
static size_t mode_names_len
Definition rlm_radius.c:225
static fr_table_num_sorted_t mode_names[]
Definition rlm_radius.c:218
static conf_parser_t const module_config[]
Definition rlm_radius.c:135
static conf_parser_t const connected_config[]
Definition rlm_radius.c:109
static fr_dict_attr_t const * attr_message_authenticator
Definition rlm_radius.c:189
static conf_parser_t acct_config[]
Definition rlm_radius.c:68
struct rlm_radius_s rlm_radius_t
Definition rlm_radius.h:39
rlm_radius_mode_t
Definition rlm_radius.h:41
@ RLM_RADIUS_MODE_XLAT_PROXY
radius.sendto.ipaddr(), but we do look for a reply.
Definition rlm_radius.h:47
@ RLM_RADIUS_MODE_INVALID
Definition rlm_radius.h:42
@ RLM_RADIUS_MODE_PROXY
we proxy to one home server
Definition rlm_radius.h:43
@ RLM_RADIUS_MODE_REPLICATE
to a particular destination
Definition rlm_radius.h:45
@ RLM_RADIUS_MODE_UNCONNECTED_REPLICATE
radius.sendto.ipaddr(), but we don't look for a reply
Definition rlm_radius.h:46
@ RLM_RADIUS_MODE_CLIENT
we are a client to one home server
Definition rlm_radius.h:44
static char const * name
static conf_parser_t retry_config[]
Definition rlm_tacacs.c:39
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
char const * name
Instance name e.g. user_database.
Definition module.h:355
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
size_t inst_size
Size of the module's instance data.
Definition module.h:212
void * data
Module's instance data.
Definition module.h:291
void * boot
Data allocated during the boostrap phase.
Definition module.h:294
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:152
Named methods exported by a module.
Definition module.h:174
#define pair_append_request(_attr, _da)
Allocate and append a fr_pair_t to the request list.
Definition pair.h:37
#define tmpl_is_xlat(vpt)
Definition tmpl.h:210
#define tmpl_is_attr(vpt)
Definition tmpl.h:208
#define tmpl_xlat(_tmpl)
Definition tmpl.h:930
#define tmpl_is_data(vpt)
Definition tmpl.h:206
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:335
static fr_dict_attr_t const * tmpl_attr_tail_da(tmpl_t const *vpt)
Return the last attribute reference da.
Definition tmpl.h:801
@ TMPL_ATTR_LIST_FORBID
Attribute refs are forbidden from having a list.
Definition tmpl.h:263
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
fr_client_t * client_from_request(request_t *request)
Search up a list of requests trying to locate one which has a client.
Definition client.c:1103
return count
Definition module.c:155
unlang_action_t unlang_module_yield_to_retry(request_t *request, module_method_t resume, unlang_module_retry_t retry, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx, fr_retry_config_t const *retry_cfg)
Yield a request back to the interpreter, with retries.
Definition module.c:367
static void mod_signal(module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)
Cancel a call to a submodule.
eap_aka_sim_process_conf_t * inst
fr_pair_t * vp
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Value pair map.
Definition map.h:77
tmpl_t * lhs
Typically describes the attribute to add, modify or compare.
Definition map.h:78
tmpl_t * rhs
Typically describes a literal value or a src attribute to copy or compare.
Definition map.h:79
CONF_ITEM * ci
Config item that the map was created from.
Definition map.h:85
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
#define fr_table_value_by_str(_table, _name, _def)
Convert a string to a value using a sorted or ordered table.
Definition table.h:653
An element in a lexicographically sorted array of name to num mappings.
Definition table.h:49
#define talloc_get_type_abort_const
Definition talloc.h:287
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
#define fr_time_delta_ispos(_a)
Definition time.h:290
int module_trigger_args_build(TALLOC_CTX *ctx, fr_pair_list_t *list, CONF_SECTION *cs, module_trigger_args_t *args)
Build trigger args pair list for modules.
Definition trigger.c:493
Common values used by modules when building trigger args.
Definition trigger.h:42
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:341
bool xlat_impure_func(xlat_exp_head_t const *head)
static fr_slen_t head
Definition xlat.h:420
#define fr_pair_dcursor_by_da_init(_cursor, _list, _da)
Initialise a cursor that will return only attributes matching the specified fr_dict_attr_t.
Definition pair.h:624
struct value_pair_s fr_pair_t
Definition pair.h:48
static fr_slen_t parent
Definition pair.h:841
static fr_slen_t fr_value_box_aprint(TALLOC_CTX *ctx, char **out, fr_value_box_t const *data, fr_sbuff_escape_rules_t const *e_rules) 1(fr_value_box_print
#define fr_box_ipaddr(_val)
Definition value.h:316
int nonnull(2, 5))
static size_t char ** out
Definition value.h:1023
#define FR_VALUE_BOX_SAFE_FOR_ANY
Definition value.h:173
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363