raddb/attrs.access_challenge src/modules/frs_coa/Makefile src/modules/frs_coa/frs_coa.c @@ -162,6 +162,13 @@ client localhost { # item, as in the example below. # # virtual_server = home1 + + # + # A pointer to the "home_server_pool" OR a "home_server" + # section that contains the CoA configuration for this + # client. For an example of a coa home server or pool, + # see raddb/sites-available/originate-coa +# coa_server = coa } # IPv6 Client raddb/clients.conf @@ -39,14 +39,20 @@ mod_accounting = radiusd_test func_accounting = accounting - mod_preproxy = radiusd_test - func_preproxy = preproxy + mod_pre_proxy = radiusd_test + func_pre_proxy = pre_proxy - mod_postproxy = radiusd_test - func_postproxy = postproxy + mod_post_proxy = radiusd_test + func_post_proxy = post_proxy - mod_postauth = radiusd_test - func_postauth = postauth + mod_post_auth = radiusd_test + func_post_auth = post_auth + + mod_recv_coa = radiusd_test + func_recv_coa = recv_coa + + mod_send_coa = radiusd_test + func_send_coa = send_coa mod_detach = radiusd_test func_detach = detach raddb/experimental.conf @@ -28,6 +28,16 @@ attr_filter attr_filter.access_reject { attrsfile = ${confdir}/attrs.access_reject } +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter_access_challenge { + key = %{User-Name} + attrsfile = ${confdir}/attrs.access_challenge +} + + # Enforce RFC requirements on the contents of the # Accounting-Response packets. See the comments at the # top of the file for more details. raddb/modules/attr_filter @@ -42,6 +42,8 @@ perl { #func_pre_proxy = pre_proxy #func_post_proxy = post_proxy #func_post_auth = post_auth + #func_recv_coa = recv_coa + #func_send_coa = send_coa #func_xlat = xlat #func_detach = detach raddb/modules/perl @@ -192,6 +192,20 @@ home_server localhost { # ############################################################ + # + # You can optionally specify the source IP address used when + # proxying requests to this home server. When the src_ipaddr + # it set, the server will automatically create a proxy + # listener for that IP address. + # + # If you specify this field for one home server, you will + # likely need to specify it for ALL home servers. + # + # If you don't care about the source IP address, leave this + # entry commented. + # +# src_ipaddr = 127.0.0.1 + # RFC 5080 suggests that all clients SHOULD include it in an # Access-Request. The configuration item below tells the # proxying server (i.e. this one) whether or not the home raddb/proxy.conf @@ -247,16 +247,23 @@ listen { # raddb/sites-available/copy-acct-to-home-server # status listen for Status-Server packets. For examples, # see raddb/sites-available/status + # coa listen for CoA-Request and Disconnect-Request + # packets. For examples, see the file + # raddb/sites-available/coa-server # type = auth # Note: "type = proxy" lets you control the source IP used for # proxying packets, with some limitations: # - # * Only ONE proxy listener can be defined. # * A proxy listener CANNOT be used in a virtual server section. # * You should probably set "port = 0". # * Any "clients" configuration will be ignored. + # + # See also proxy.conf, and the "src_ipaddr" configuration entry + # in the sample "home_server" section. When you specify the + # source IP address for packets sent to a home server, the + # proxy listeners are automatically created. # IP address on which to listen. # Allowed values are: raddb/radiusd.conf.in @@ -117,7 +117,7 @@ home_server localhost-coa { home_server_pool coa { type = fail-over - # Point to the CoA server aboce. + # Point to the CoA server above. home_server = localhost-coa # CoA requests are run through the pre-proxy section. raddb/sites-available/originate-coa @@ -59,7 +59,7 @@ CREATE TABLE radacct ( CREATE TABLE radcheck ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', - attribute varchar(32) NOT NULL default '', + attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), @@ -73,7 +73,7 @@ CREATE TABLE radcheck ( CREATE TABLE radgroupcheck ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', - attribute varchar(32) NOT NULL default '', + attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '==', value varchar(253) NOT NULL default '', PRIMARY KEY (id), @@ -87,7 +87,7 @@ CREATE TABLE radgroupcheck ( CREATE TABLE radgroupreply ( id int(11) unsigned NOT NULL auto_increment, groupname varchar(64) NOT NULL default '', - attribute varchar(32) NOT NULL default '', + attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), @@ -101,7 +101,7 @@ CREATE TABLE radgroupreply ( CREATE TABLE radreply ( id int(11) unsigned NOT NULL auto_increment, username varchar(64) NOT NULL default '', - attribute varchar(32) NOT NULL default '', + attribute varchar(64) NOT NULL default '', op char(2) NOT NULL DEFAULT '=', value varchar(253) NOT NULL default '', PRIMARY KEY (id), raddb/sql/mysql/schema.sql @@ -61,7 +61,7 @@ CREATE OR REPLACE TRIGGER radacct_serialnumber CREATE TABLE radcheck ( id INT PRIMARY KEY, username VARCHAR(30) NOT NULL, - attribute VARCHAR(30), + attribute VARCHAR(64), op VARCHAR(2) NOT NULL, value VARCHAR(40) ); @@ -84,7 +84,7 @@ CREATE OR REPLACE TRIGGER radcheck_serialnumber CREATE TABLE radgroupcheck ( id INT PRIMARY KEY, groupname VARCHAR(20) UNIQUE NOT NULL, - attribute VARCHAR(40), + attribute VARCHAR(64), op CHAR(2) NOT NULL, value VARCHAR(40) ); @@ -96,7 +96,7 @@ CREATE SEQUENCE radgroupcheck_seq START WITH 1 INCREMENT BY 1; CREATE TABLE radgroupreply ( id INT PRIMARY KEY, GroupName VARCHAR(20) UNIQUE NOT NULL, - Attribute VARCHAR(40), + Attribute VARCHAR(64), op CHAR(2) NOT NULL, Value VARCHAR(40) ); @@ -108,7 +108,7 @@ CREATE SEQUENCE radgroupreply_seq START WITH 1 INCREMENT BY 1; CREATE TABLE radreply ( id INT PRIMARY KEY, UserName VARCHAR(30) NOT NULL, - Attribute VARCHAR(30), + Attribute VARCHAR(64), op CHAR(2) NOT NULL, Value VARCHAR(40) ); raddb/sql/oracle/schema.sql @@ -176,5 +176,5 @@ CREATE TABLE radpostauth ( reply VARCHAR(32), CalledStationId VARCHAR(50), CallingStationId VARCHAR(50), - authdate TIMESTAMP with time zone NOT NULL default 'now' + authdate TIMESTAMP with time zone NOT NULL default 'now()' ); raddb/sql/postgresql/schema.sql @@ -10,6 +10,9 @@ sqlippool { ######################################### ## SQL instance to use (from sql.conf) ## + ## + ## If you have multiple sql instances, such as "sql sql1 {...}", + ## use the *instance* name here: sql1. ######################################### sql-instance-name = "sql" @@ -27,20 +30,24 @@ sqlippool { # pool-key = "%{Calling-Station-Id}" ################################################################ - ## Uncomment the appropriate config file for your SQL dialect ## # # WARNING: MySQL has certain limitations that means it can # hand out the same IP address to 2 different users. # # We suggest using an SQL DB with proper transaction - # support, such as PostgreSQL. + # support, such as PostgreSQL, or using MySQL + # with InnoDB. # ################################################################ - # $INCLUDE sql/mysql/ippool.conf - $INCLUDE sql/postgresql/ippool.conf - - + # + # Use the same database as configured in the "sql" module, "database" + # configuration item. Change the "postgresql" name below to be the + # same as the "database" field of the SQL module referred to in the + # "sql-instance-name", above. + # +$INCLUDE sql/postgresql/ippool.conf + ## Logging configuration. (Comment out to disable logging) sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \ (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})" raddb/sqlippool.conf @@ -207,6 +207,12 @@ ATTRIBUTE EAP-MSK 1129 octets ATTRIBUTE EAP-EMSK 1130 octets # +# For send/recv CoA packets (like Auth-Type, Acct-Type, etc.) +# +ATTRIBUTE Recv-CoA-Type 1131 integer +ATTRIBUTE Send-CoA-Type 1132 integer + +# # Range: 1200-1279 # EAP-SIM (and other EAP type) weirdness. # share/dictionary.freeradius.internal @@ -24,7 +24,11 @@ enum { RLM_COMPONENT_PRE_PROXY, /* 5 */ RLM_COMPONENT_POST_PROXY, /* 6 */ RLM_COMPONENT_POST_AUTH, /* 7 */ - RLM_COMPONENT_COUNT /* 8: How many components are there */ +#ifdef WITH_COA + RLM_COMPONENT_RECV_COA, /* 8 */ + RLM_COMPONENT_SEND_COA, /* 9 */ +#endif + RLM_COMPONENT_COUNT /* 8 / 10: How many components are there */ }; #define RLM_TYPE_THREAD_SAFE (0 << 0) @@ -68,6 +72,13 @@ int module_checksimul(int type, REQUEST *request, int maxsimul); int module_pre_proxy(int type, REQUEST *request); int module_post_proxy(int type, REQUEST *request); int module_post_auth(int type, REQUEST *request); +#ifdef WITH_COA +int module_recv_coa(int type, REQUEST *request); +int module_send_coa(int type, REQUEST *request); +#define MODULE_NULL_COA_FUNCS ,NULL,NULL +#else +#define MODULE_NULL_COA_FUNCS +#endif int indexed_modcall(int comp, int idx, REQUEST *request); /* src/include/modules.h @@ -225,6 +225,8 @@ #define PW_MODULE_RETURN_CODE 1108 #define PW_PACKET_ORIGINAL_TIMESTAMP 1109 #define PW_HOME_SERVER_POOL 1111 +#define PW_RECV_COA_TYPE 1131 +#define PW_SEND_COA_TYPE 1132 /* * Integer Translations src/include/radius.h @@ -544,7 +544,7 @@ void fr_suid_down_permanent(void); /* listen.c */ void listen_free(rad_listen_t **head); int listen_init(CONF_SECTION *cs, rad_listen_t **head); -rad_listen_t *proxy_new_listener(void); +rad_listen_t *proxy_new_listener(fr_ipaddr_t *ipaddr, int exists); RADCLIENT *client_listener_find(const rad_listen_t *listener, const fr_ipaddr_t *ipaddr, int src_port); rad_listen_t *listener_find_byipaddr(const fr_ipaddr_t *ipaddr, int port); src/include/radiusd.h @@ -77,6 +77,8 @@ typedef struct home_server { #ifdef WITH_STATS int number; + fr_ipaddr_t src_ipaddr; /* preferred source IP address */ + fr_stats_t stats; fr_stats_ema_t ema; @@ -139,6 +141,7 @@ REALM *realm_find2(const char *name); /* ... with name taken from realm_find */ fr_realm_status_t realm_status(const char *name, int flag); home_server *home_server_ldb(const char *realmname, home_pool_t *pool, REQUEST *request); home_server *home_server_find(fr_ipaddr_t *ipaddr, int port); +int home_server_create_listeners(void *head); #ifdef WITH_COA home_server *home_server_byname(const char *name); #endif src/include/realms.h @@ -47,6 +47,9 @@ typedef enum RAD_LISTEN_TYPE { #ifdef WITH_COMMAND_SOCKET RAD_LISTEN_COMMAND, #endif +#ifdef WITH_COA + RAD_LISTEN_COA, +#endif RAD_LISTEN_MAX } RAD_LISTEN_TYPE; src/include/smodule.h @@ -607,7 +607,7 @@ int fr_packet_list_num_elements(fr_packet_list_t *pl) int fr_packet_list_id_alloc(fr_packet_list_t *pl, RADIUS_PACKET *request) { - int i, id, start; + int i, id, start, fd; uint32_t free_mask; fr_packet_dst2id_t my_pd, *pd; fr_packet_socket_t *ps; @@ -647,6 +647,7 @@ int fr_packet_list_id_alloc(fr_packet_list_t *pl, id = start = (int) fr_rand() & 0xff; while (pd->id[id] == pl->mask) { /* all sockets are using this ID */ + redo: id++; id &= 0xff; if (id == start) return 0; @@ -654,20 +655,48 @@ int fr_packet_list_id_alloc(fr_packet_list_t *pl, free_mask = ~((~pd->id[id]) & pl->mask); - start = -1; + /* + * This ID has at least one socket free. Check the sockets + * to see if they are satisfactory for the caller. + */ + fd = -1; for (i = 0; i < MAX_SOCKETS; i++) { if (pl->sockets[i].sockfd == -1) continue; /* paranoia */ - if ((free_mask & (1 << i)) == 0) { - start = i; - break; - } + /* + * This ID is allocated. + */ + if ((free_mask & (1 << i)) != 0) continue; + + /* + * If the caller cares about the source address, + * try to re-use that. This means that the + * requested source address is set, AND this + * socket wasn't bound to "*", AND the requested + * source address is the same as this socket + * address. + */ + if ((request->src_ipaddr.af != AF_UNSPEC) && + !pl->sockets[i].inaddr_any && + (fr_ipaddr_cmp(&request->src_ipaddr, &pl->sockets[i].ipaddr) != 0)) continue; + + /* + * They asked for a specific address, and this socket + * is bound to a wildcard address. Ignore this one, too. + */ + if ((request->src_ipaddr.af != AF_UNSPEC) && + pl->sockets[i].inaddr_any) continue; + + fd = i; + break; } - if (start < 0) return 0; /* bad error */ + if (fd < 0) { + goto redo; /* keep searching IDs */ + } - pd->id[id] |= (1 << start); - ps = &pl->sockets[start]; + pd->id[id] |= (1 << fd); + ps = &pl->sockets[fd]; ps->num_outgoing++; pl->num_outgoing++; src/lib/packet.c @@ -438,10 +438,15 @@ static void make_passwd(uint8_t *output, int *outlen, * If the length is zero, round it up. */ len = inlen; + + if (len > MAX_PASS_LEN) len = MAX_PASS_LEN; + + memcpy(passwd, input, len); + memset(passwd + len, 0, sizeof(passwd) - len); + if (len == 0) { len = AUTH_PASS_LEN; } - else if (len > MAX_PASS_LEN) len = MAX_PASS_LEN; else if ((len & 0x0f) != 0) { len += 0x0f; @@ -449,9 +454,6 @@ static void make_passwd(uint8_t *output, int *outlen, } *outlen = len; - memcpy(passwd, input, len); - memset(passwd + len, 0, sizeof(passwd) - len); - fr_MD5Init(&context); fr_MD5Update(&context, (const uint8_t *) secret, strlen(secret)); old = context; @@ -1818,6 +1820,7 @@ int rad_packet_ok(RADIUS_PACKET *packet, int flags) */ RADIUS_PACKET *rad_recv(int fd, int flags) { + int sock_flags = 0; RADIUS_PACKET *packet; /* @@ -1829,7 +1832,12 @@ RADIUS_PACKET *rad_recv(int fd, int flags) } memset(packet, 0, sizeof(*packet)); - packet->data_len = rad_recvfrom(fd, &packet->data, 0, + if (flags & 0x02) { + sock_flags = MSG_PEEK; + flags &= ~0x02; + } + + packet->data_len = rad_recvfrom(fd, &packet->data, sock_flags, &packet->src_ipaddr, &packet->src_port, &packet->dst_ipaddr, &packet->dst_port); src/lib/radius.c @@ -587,6 +587,8 @@ static int WalkNodePostOrder(rbnode_t *X, int rbtree_walk(rbtree_t *tree, RBTREE_ORDER order, int (*callback)(void *, void *), void *context) { + if (tree->Root == NIL) return 0; + switch (order) { case PreOrder: return WalkNodePreOrder(tree->Root, callback, context); src/lib/rbtree.c @@ -282,7 +282,7 @@ static int proxy_id_alloc(REQUEST *request, RADIUS_PACKET *packet) * it to the tail of the list of listeners. With * some care, this can be thread-safe. */ - proxy_listener = proxy_new_listener(); + proxy_listener = proxy_new_listener(&packet->src_ipaddr, FALSE); if (!proxy_listener) { RDEBUG2("ERROR: Failed to create a new socket for proxying requests."); return 0; @@ -429,8 +429,9 @@ static void wait_for_proxy_id_to_expire(void *ctx) request->when = request->proxy_when; #ifdef WITH_COA - if ((request->proxy->code == PW_COA_REQUEST) || - (request->proxy->code == PW_DISCONNECT_REQUEST)) { + if (((request->proxy->code == PW_COA_REQUEST) || + (request->proxy->code == PW_DISCONNECT_REQUEST)) && + (request->packet->code != request->proxy->code)) { request->when.tv_sec += request->home_server->coa_mrd; } else #endif @@ -757,8 +758,8 @@ static void ping_home_server(void *ctx) REQUEST *request; VALUE_PAIR *vp; - if (home->state == HOME_STATE_ALIVE) { - radlog(L_INFO, "Suspicious proxy state... continuing"); + if ((home->state == HOME_STATE_ALIVE) || + (home->ping_check == HOME_PING_CHECK_NONE)) { return; } @@ -1987,13 +1988,50 @@ static int successfully_proxied_request(REQUEST *request) * * FIXME: This should really be a serious error. */ - if (request->in_proxy_hash) { + if (request->in_proxy_hash || + (request->proxy_reply && (request->proxy_reply->code != 0))) { return 0; } realmpair = pairfind(request->config_items, PW_PROXY_TO_REALM); if (!realmpair || (realmpair->length == 0)) { - return 0; + int pool_type; + + vp = pairfind(request->config_items, PW_HOME_SERVER_POOL); + if (!vp) return 0; + + switch (request->packet->code) { + case PW_AUTHENTICATION_REQUEST: + pool_type = HOME_TYPE_AUTH; + break; + +#ifdef WITH_ACCOUNTING + case PW_ACCOUNTING_REQUEST: + pool_type = HOME_TYPE_ACCT; + break; +#endif + +#ifdef WITH_COA + case PW_COA_REQUEST: + case PW_DISCONNECT_REQUEST: + pool_type = HOME_TYPE_COA; + break; +#endif + + default: + return 0; + } + + pool = home_pool_byname(vp->vp_strvalue, pool_type); + if (!pool) { + RDEBUG2("ERROR: Cannot proxy to unknown pool %s", + vp->vp_strvalue); + return 0; + } + + realmname = NULL; /* no realms */ + realm = NULL; + goto found_pool; } realmname = (char *) realmpair->vp_strvalue; @@ -2015,6 +2053,12 @@ static int successfully_proxied_request(REQUEST *request) pool = realm->acct_pool; #endif +#ifdef WITH_COA + } else if ((request->packet->code == PW_COA_REQUEST) || + (request->packet->code == PW_DISCONNECT_REQUEST)) { + pool = realm->acct_pool; +#endif + } else { rad_panic("Internal sanity check failed"); } @@ -2025,6 +2069,7 @@ static int successfully_proxied_request(REQUEST *request) return 0; } +found_pool: home = home_server_ldb(realmname, pool, request); if (!home) { RDEBUG2("ERROR: Failed to find live home server for realm %s", @@ -2043,8 +2088,8 @@ static int successfully_proxied_request(REQUEST *request) /* * Remember that we sent the request to a Realm. */ - pairadd(&request->packet->vps, - pairmake("Realm", realmname, T_OP_EQ)); + if (realmname) pairadd(&request->packet->vps, + pairmake("Realm", realmname, T_OP_EQ)); /* * Strip the name, if told to. @@ -2052,7 +2097,7 @@ static int successfully_proxied_request(REQUEST *request) * Doing it here catches the case of proxied tunneled * requests. */ - if (realm->striprealm == TRUE && + if (realm && (realm->striprealm == TRUE) && (strippedname = pairfind(request->proxy->vps, PW_STRIPPED_USER_NAME)) != NULL) { /* * If there's a Stripped-User-Name attribute in @@ -2091,7 +2136,8 @@ static int successfully_proxied_request(REQUEST *request) * since we can't use the request authenticator * anymore - we changed it. */ - if (pairfind(request->proxy->vps, PW_CHAP_PASSWORD) && + if ((request->packet->code == PW_AUTHENTICATION_REQUEST) && + pairfind(request->proxy->vps, PW_CHAP_PASSWORD) && pairfind(request->proxy->vps, PW_CHAP_CHALLENGE) == NULL) { vp = radius_paircreate(request, &request->proxy->vps, PW_CHAP_CHALLENGE, PW_TYPE_OCTETS); @@ -2350,6 +2396,10 @@ static void request_post_handler(REQUEST *request) } } +#ifdef WITH_COA + case PW_COA_REQUEST: + case PW_DISCONNECT_REQUEST: +#endif request->next_when.tv_sec += request->root->cleanup_delay; request->next_callback = cleanup_delay; child_state = REQUEST_CLEANUP_DELAY; @@ -2953,6 +3003,11 @@ REQUEST *received_proxy_response(RADIUS_PACKET *packet) * Having it here means that late or duplicate proxy * replies no longer get the home server marked as * "alive". This might be good for stability, though. + * + * FIXME: Do we really want to do this whenever we + * receive a packet? Setting this here means that we + * mark it alive on *any* packet, even if it's lost all + * of the *other* packets in the last 10s. */ request->home_server->state = HOME_STATE_ALIVE; @@ -3399,6 +3454,8 @@ int radius_event_init(CONF_SECTION *cs, int spawn_flag) #ifdef WITH_PROXY if (mainconfig.proxy_requests) { + pthread_mutexattr_t attr; + /* * Create the tree for managing proxied requests and * responses. @@ -3407,11 +3464,23 @@ int radius_event_init(CONF_SECTION *cs, int spawn_flag) if (!proxy_list) return 0; #ifdef HAVE_PTHREAD_H + pthread_mutexattr_init(&attr); + +#ifdef PTHREAD_MUTEX_RECURSIVE + if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE) < 0) { + radlog(L_ERR, "FATAL: Failed to set type for proxy mutex: %s", + strerror(errno)); + exit(1); + } +#endif + if (pthread_mutex_init(&proxy_mutex, NULL) != 0) { radlog(L_ERR, "FATAL: Failed to initialize proxy mutex: %s", strerror(errno)); exit(1); } + + pthread_mutexattr_destroy(&attr); #endif } #endif src/main/event.c @@ -174,12 +174,12 @@ RADCLIENT *client_listener_find(const rad_listen_t *listener, request->listener = listener; request->client = client; - request->packet = rad_alloc(0); - if (!request->packet) { + request->packet = rad_recv(listener->fd, 0x02); /* MSG_PEEK */ + if (!request->packet) { /* badly formed, etc */ request_free(&request); goto unknown; } - request->reply = rad_alloc(0); + request->reply = rad_alloc_reply(request->packet); if (!request->reply) { request_free(&request); goto unknown; @@ -198,23 +198,6 @@ RADCLIENT *client_listener_find(const rad_listen_t *listener, * * and create the RADCLIENT structure from that. */ - - sock = listener->data; - request->packet->sockfd = listener->fd; - request->packet->src_ipaddr = *ipaddr; - request->packet->src_port = 0; /* who cares... */ - request->packet->dst_ipaddr = sock->ipaddr; - request->packet->dst_port = sock->port; - - request->reply->sockfd = request->packet->sockfd; - request->reply->dst_ipaddr = request->packet->src_ipaddr; - request->reply->src_ipaddr = request->packet->dst_ipaddr; - request->reply->dst_port = request->packet->src_port; - request->reply->src_port = request->packet->dst_port; - request->reply->id = request->packet->id; - request->reply->code = 0; /* UNKNOWN code */ - - DEBUG("server %s {", request->server); rcode = module_authorize(0, request); @@ -497,6 +480,11 @@ static int listen_bind(rad_listen_t *this) break; #endif +#ifdef WITH_COA + case RAD_LISTEN_COA: + sock->port = PW_COA_UDP_PORT; + break; +#endif default: radlog(L_ERR, "ERROR: Non-fatal internal sanity check failed in bind."); return -1; @@ -578,9 +566,12 @@ static int listen_bind(rad_listen_t *this) rcode = bind(this->fd, (struct sockaddr *) &salocal, salen); fr_suid_down(); if (rcode < 0) { + char buffer[256]; close(this->fd); - radlog(L_ERR, "Failed binding to socket: %s\n", - strerror(errno)); + + this->print(this, buffer, sizeof(buffer)); + radlog(L_ERR, "Failed binding to %s: %s\n", + buffer, strerror(errno)); return -1; } @@ -721,6 +712,9 @@ rad_listen_t *listen_alloc(const char *type_name) #ifdef WITH_DHCP case RAD_LISTEN_DHCP: #endif +#ifdef WITH_COA + case RAD_LISTEN_COA: +#endif this->data = rad_malloc(sizeof(listen_socket_t)); memset(this->data, 0, sizeof(listen_socket_t)); break; @@ -752,67 +746,91 @@ rad_listen_t *listen_alloc(const char *type_name) /* * Externally visible function for creating a new proxy LISTENER. * - * For now, don't take ipaddr or port. - * * Not thread-safe, but all calls to it are protected by the - * proxy mutex in request_list.c + * proxy mutex in event.c */ -rad_listen_t *proxy_new_listener() +rad_listen_t *proxy_new_listener(fr_ipaddr_t *ipaddr, int exists) { int last_proxy_port, port; rad_listen_t *this, *tmp, **last; listen_socket_t *sock, *old; - this = listen_alloc("proxy"); - if (!this) return NULL; - /* * Find an existing proxy socket to copy. - * - * FIXME: Make it per-realm, or per-home server! */ last_proxy_port = 0; old = NULL; last = &mainconfig.listen; for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) { - if (tmp->type == RAD_LISTEN_PROXY) { - sock = tmp->data; - if (sock->port > last_proxy_port) { - last_proxy_port = sock->port + 1; - } - if (!old) old = sock; + /* + * Not proxy, ignore it. + */ + if (tmp->type != RAD_LISTEN_PROXY) continue; + + sock = tmp->data; + + /* + * If we were asked to copy a specific one, do + * so. If we're just finding one that already + * exists, return a pointer to it. Otherwise, + * create ANOTHER one with the same IP address. + */ + if ((ipaddr->af != AF_UNSPEC) && + (fr_ipaddr_cmp(&sock->ipaddr, ipaddr) != 0)) { + if (exists) return tmp; + continue; + } + + if (sock->port > last_proxy_port) { + last_proxy_port = sock->port + 1; } + if (!old) old = sock; last = &(tmp->next); } if (!old) { - listen_free(&this); - return NULL; /* This is a serious error. */ - } + /* + * The socket MUST already exist if we're binding + * to an address while proxying. + * + * If we're initializing the server, it's OK for the + * socket to NOT exist. + */ + if (!exists) return NULL; - /* - * FIXME: find a new IP address to listen on? - * - * This could likely be done in the "home server" - * configuration, to have per-home-server source IP's. - */ - sock = this->data; - memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr)); + this = listen_alloc(RAD_LISTEN_PROXY); + + sock = this->data; + sock->ipaddr = *ipaddr; + + } else { + this = listen_alloc(RAD_LISTEN_PROXY); + + sock = this->data; + sock->ipaddr = old->ipaddr; + } /* * Keep going until we find an unused port. */ for (port = last_proxy_port; port < 64000; port++) { + int rcode; + sock->port = port; - if (listen_bind(this) == 0) { - /* - * Add the new listener to the list of - * listeners. - */ - *last = this; - return this; + + rcode = listen_bind(this); + if (rcode < 0) { + listen_free(&this); + return NULL; } + + /* + * Add the new listener to the list of + * listeners. + */ + *last = this; + return this; } listen_free(&this); @@ -1142,7 +1160,7 @@ int listen_init(CONF_SECTION *config, rad_listen_t **head) */ if (!*head) return -1; - if (defined_proxy) goto done; + if (defined_proxy) goto check_home_servers; /* * Find the first authentication port, @@ -1207,9 +1225,14 @@ int listen_init(CONF_SECTION *config, rad_listen_t **head) radlog(L_ERR, "Failed to open socket for proxying"); return -1; } + + /* + * Create *additional* proxy listeners, based + * on their src_ipaddr. + */ + check_home_servers: + if (home_server_create_listeners(*head) != 0) return -1; } - - done: /* used only in proxy code. */ #endif return 0; src/main/listen.c @@ -899,7 +899,6 @@ int read_mainconfig(int reload) /* Reload the modules. */ if (setup_modules(reload, mainconfig.config) < 0) { - radlog(L_ERR, "Errors initializing modules"); return -1; } @@ -967,6 +966,15 @@ void hup_mainconfig(void) cc = rad_malloc(sizeof(*cc)); memset(cc, 0, sizeof(*cc)); + /* + * Save the current configuration. Note that we do NOT + * free older ones. We should probably do so at some + * point. Doing so will require us to mark which modules + * are still in use, and which aren't. Modules that + * can't be HUPed always use the original configuration. + * Modules that can be HUPed use one of the newer + * configurations. + */ cc->created = time(NULL); cc->cs = cs; cc->next = cs_cache; @@ -982,5 +990,5 @@ void hup_mainconfig(void) */ virtual_servers_load(cs); - virtual_servers_free(cc->created - 120); + virtual_servers_free(cc->created - mainconfig.max_request_time * 4); } src/main/mainconfig.c @@ -304,7 +304,12 @@ static int default_component_results[RLM_COMPONENT_COUNT] = { RLM_MODULE_FAIL, /* SESS */ RLM_MODULE_NOOP, /* PRE_PROXY */ RLM_MODULE_NOOP, /* POST_PROXY */ - RLM_MODULE_NOOP /* POST_AUTH */ + RLM_MODULE_NOOP /* POST_AUTH */ +#ifdef WITH_COA + , + RLM_MODULE_NOOP, /* RECV_COA_TYPE */ + RLM_MODULE_NOOP /* SEND_COA_TYPE */ +#endif }; @@ -1179,6 +1184,87 @@ defaultactions[RLM_COMPONENT_COUNT][GROUPTYPE_COUNT][RLM_MODULE_NUMCODES] = MOD_ACTION_RETURN /* updated */ } } +#ifdef WITH_COA + , + /* recv-coa */ + { + /* group */ + { + MOD_ACTION_RETURN, /* reject */ + MOD_ACTION_RETURN, /* fail */ + 3, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + 1, /* notfound */ + 2, /* noop */ + 4 /* updated */ + }, + /* redundant */ + { + MOD_ACTION_RETURN, /* reject */ + 1, /* fail */ + MOD_ACTION_RETURN, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + MOD_ACTION_RETURN, /* notfound */ + MOD_ACTION_RETURN, /* noop */ + MOD_ACTION_RETURN /* updated */ + }, + /* append */ + { + MOD_ACTION_RETURN, /* reject */ + 1, /* fail */ + MOD_ACTION_RETURN, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + 2, /* notfound */ + MOD_ACTION_RETURN, /* noop */ + MOD_ACTION_RETURN /* updated */ + } + }, + /* send-coa */ + { + /* group */ + { + MOD_ACTION_RETURN, /* reject */ + MOD_ACTION_RETURN, /* fail */ + 3, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + 1, /* notfound */ + 2, /* noop */ + 4 /* updated */ + }, + /* redundant */ + { + MOD_ACTION_RETURN, /* reject */ + 1, /* fail */ + MOD_ACTION_RETURN, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + MOD_ACTION_RETURN, /* notfound */ + MOD_ACTION_RETURN, /* noop */ + MOD_ACTION_RETURN /* updated */ + }, + /* append */ + { + MOD_ACTION_RETURN, /* reject */ + 1, /* fail */ + MOD_ACTION_RETURN, /* ok */ + MOD_ACTION_RETURN, /* handled */ + MOD_ACTION_RETURN, /* invalid */ + MOD_ACTION_RETURN, /* userlock */ + 2, /* notfound */ + MOD_ACTION_RETURN, /* noop */ + MOD_ACTION_RETURN /* updated */ + } + } +#endif }; src/main/modcall.c @@ -84,7 +84,12 @@ static const section_type_value_t section_type_value[RLM_COMPONENT_COUNT] = { { "session", "Session-Type", PW_SESSION_TYPE }, { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE }, { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE }, - { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE }, + { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE } +#ifdef WITH_COA + , + { "recv-coa", "Recv-CoA-Type", PW_RECV_COA_TYPE }, + { "send-coa", "Send-CoA-Type", PW_SEND_COA_TYPE } +#endif }; @@ -1451,3 +1456,15 @@ int module_post_auth(int postauth_type, REQUEST *request) { return indexed_modcall(RLM_COMPONENT_POST_AUTH, postauth_type, request); } + +#ifdef WITH_COA +int module_recv_coa(int recv_coa_type, REQUEST *request) +{ + return indexed_modcall(RLM_COMPONENT_RECV_COA, recv_coa_type, request); +} + +int module_send_coa(int send_coa_type, REQUEST *request) +{ + return indexed_modcall(RLM_COMPONENT_SEND_COA, send_coa_type, request); +} +#endif src/main/modules.c @@ -490,6 +490,7 @@ static int send_one_packet(radclient_t *radclient) * this packet. */ retry: + radclient->request->src_ipaddr.af = AF_UNSPEC; rcode = fr_packet_list_id_alloc(pl, radclient->request); if (rcode < 0) { int mysockfd; @@ -966,11 +967,11 @@ int main(int argc, char **argv) packet_code = PW_STATUS_SERVER; } else if (strcmp(argv[2], "disconnect") == 0) { - if (server_port == 0) server_port = PW_POD_UDP_PORT; + if (server_port == 0) server_port = PW_COA_UDP_PORT; packet_code = PW_DISCONNECT_REQUEST; } else if (strcmp(argv[2], "coa") == 0) { - if (server_port == 0) server_port = PW_POD_UDP_PORT; + if (server_port == 0) server_port = PW_COA_UDP_PORT; packet_code = PW_COA_REQUEST; } else if (strcmp(argv[2], "auto") == 0) { src/main/radclient.c @@ -206,6 +206,7 @@ static void NEVER_RETURNS usage(int status) fprintf(output, "\t-f filter\tPCAP filter. (default is udp port 1812 or 1813 or 1814)\n"); fprintf(output, "\t-h\t\tPrint this help message.\n"); fprintf(output, "\t-i interface\tInterface to capture.\n"); + fprintf(output, "\t-I filename\tRead packets from filename.\n"); fprintf(output, "\t-p port\tList for packets on port.\n"); fprintf(output, "\t-r filter\tRADIUS attribute filter.\n"); fprintf(output, "\t-s secret\tRADIUS secret.\n"); @@ -224,6 +225,7 @@ int main(int argc, char *argv[]) char buffer[1024]; char *pcap_filter = NULL; char *radius_filter = NULL; + char *filename = NULL; int packet_count = -1; /* how many packets to sniff */ int opt; FR_TOKEN parsecode; @@ -234,7 +236,7 @@ int main(int argc, char *argv[]) dev = pcap_lookupdev(errbuf); /* Get options */ - while ((opt = getopt(argc, argv, "c:d:f:hi:p:r:s:X")) != EOF) { + while ((opt = getopt(argc, argv, "c:d:f:hi:I:p:r:s:X")) != EOF) { switch (opt) { case 'c': @@ -256,6 +258,9 @@ int main(int argc, char *argv[]) case 'i': dev = optarg; break; + case 'I': + filename = optarg; + break; case 'p': port = atoi(optarg); break; @@ -312,7 +317,11 @@ int main(int argc, char *argv[]) printf("RADIUS secret: [%s]\n", radius_secret); /* Open the device so we can spy */ - descr = pcap_open_live(dev, SNAPLEN, 1, 0, errbuf); + if (filename) { + descr = pcap_open_offline(filename, errbuf); + } else { + descr = pcap_open_live(dev, SNAPLEN, 1, 0, errbuf); + } if (descr == NULL) { printf("radsniff: pcap_open_live failed (%s)\n", errbuf); src/main/radsniff.c @@ -276,6 +276,7 @@ void realms_free(void) #ifdef WITH_PROXY static struct in_addr hs_ip4addr; static struct in6_addr hs_ip6addr; +static char *hs_srcipaddr = NULL; static char *hs_type = NULL; static char *hs_check = NULL; static char *hs_virtual_server = NULL; @@ -297,6 +298,9 @@ static CONF_PARSER home_server_config[] = { { "secret", PW_TYPE_STRING_PTR, offsetof(home_server,secret), NULL, NULL}, + { "src_ipaddr", PW_TYPE_STRING_PTR, + 0, &hs_srcipaddr, NULL }, + { "response_window", PW_TYPE_INTEGER, offsetof(home_server,response_window), NULL, "30" }, { "max_outstanding", PW_TYPE_INTEGER, @@ -431,6 +435,8 @@ static int home_server_add(realm_config_t *rc, CONF_SECTION *cs, int pool_type) hs_type = NULL; free(hs_check); hs_check = NULL; + free(hs_srcipaddr); + hs_srcipaddr = NULL; return 0; } @@ -540,6 +546,19 @@ static int home_server_add(realm_config_t *rc, CONF_SECTION *cs, int pool_type) goto error; } + /* + * Look up the name using the *same* address family as + * for the home server. + */ + if (hs_srcipaddr && (home->ipaddr.af != AF_UNSPEC)) { + if (ip_hton(hs_srcipaddr, home->ipaddr.af, &home->src_ipaddr) < 0) { + cf_log_err(cf_sectiontoitem(cs), "Failed parsing src_ipaddr"); + goto error; + } + } + free(hs_srcipaddr); + hs_srcipaddr = NULL; + if (!rbtree_insert(home_servers_byname, home)) { cf_log_err(cf_sectiontoitem(cs), "Internal error %d adding home server %s.", @@ -2007,6 +2026,11 @@ home_server *home_server_ldb(const char *realmname, * the 'hints' file. */ request->proxy->vps = paircopy(request->packet->vps); + + /* + * Set the source IP address for proxying. + */ + request->proxy->src_ipaddr = found->src_ipaddr; } /* @@ -2135,3 +2159,54 @@ home_pool_t *home_pool_byname(const char *name, int type) } #endif + +#ifdef WITH_PROXY +static int home_server_create_callback(void *ctx, void *data) +{ + rad_listen_t *head = ctx; + home_server *home = data; + rad_listen_t *this; + + /* + * If there WAS a src address defined, ensure that a + * proxy listener has been defined. + */ + if (home->src_ipaddr.af != AF_UNSPEC) { + this = proxy_new_listener(&home->src_ipaddr, TRUE); + + /* + * Failed to create it: Die + */ + if (!this) return 1; + + this->next = head->next; + head->next = this; + } + + return 0; +} + +/* + * Taking a void* here solves some header issues. + */ +int home_server_create_listeners(void *ctx) +{ + rad_listen_t *head = ctx; + + if (!home_servers_byaddr) return 0; + + rad_assert(head != NULL); + + /* + * Add the listeners to the TAIL of the list. + */ + while (head->next) head = head->next; + + if (rbtree_walk(home_servers_byaddr, InOrder, + home_server_create_callback, head) != 0) { + return -1; + } + + return 0; +} +#endif src/main/realms.c @@ -490,6 +490,12 @@ REQUEST *request_alloc_coa(REQUEST *request) { if (!request || request->coa) return NULL; + /* + * Originate CoA requests only when necessary. + */ + if ((request->packet->code != PW_AUTHENTICATION_REQUEST) && + (request->packet->code != PW_ACCOUNTING_REQUEST)) return NULL; + request->coa = request_alloc_fake(request); request->coa->packet->code = 0; /* unknown, as of yet */ request->coa->child_state = REQUEST_RUNNING; src/main/util.c @@ -109,6 +109,45 @@ static int dhcp_header_sizes[] = { #define DEFAULT_PACKET_SIZE (300) #define MAX_PACKET_SIZE (1500 - 40) +static int getcode(const uint8_t *data, size_t data_len, int *code) +{ + uint8_t *end, *p; + + end = data + data_len; + + while (p < end) { + /* + * End of packet or end of options + */ + if ((p[0] == 0) || (p[0] == 255)) return 0; + + /* + * Not enough room for 0x3501cc + */ + if ((end - p) < 3) return 0; /* t l v */ + + /* + * Option is larger than the packet. + */ + if ((p + p[1] + 2) > end) return 0; + + /* + * Found it. Ensure it's well formed. + */ + if (p[0] == 53) { + if ((p[1] != 1) || (p[2] == 0) || (p[2] > 8)) { + return 0; + } + *code = p[2]; + return 1; + } + + p += 2 + p[1]; + } + + return 0; +} + /* * DHCPv4 is only for IPv4. Broadcast only works if udpfromto is * defined. @@ -191,10 +230,20 @@ RADIUS_PACKET *fr_dhcp_recv(int sockfd) (packet->data[241] != 1) || (packet->data[242] == 0) || (packet->data[242] > 8)) { - fprintf(stderr, "Unknown, or badly formatted DHCP packet\n"); - rad_free(&packet); - return NULL; + /* + * Some clients send the packet type buried + * inside of the packet... + */ + if (!getcode(packet->data + 240, packet->data_len - 240, + &packet->code)) { + fprintf(stderr, "Unknown, or badly formatted DHCP packet\n"); + rad_free(&packet); + return NULL; + } + } else { + packet->code = packet->data[242]; } + packet->code |= PW_DHCP_OFFSET; /* * Create a unique vector from the MAC address and the @@ -209,15 +258,13 @@ RADIUS_PACKET *fr_dhcp_recv(int sockfd) */ memset(packet->vector, 0, sizeof(packet->vector)); memcpy(packet->vector, packet->data + 28, packet->data[2]); - packet->vector[packet->data[2]] = packet->data[242]; + packet->vector[packet->data[2]] = packet->code & 0xff; /* * FIXME: for DISCOVER / REQUEST: src_port == dst_port + 1 * FIXME: for OFFER / ACK : src_port = dst_port - 1 */ - packet->code = PW_DHCP_OFFSET | packet->data[242]; - /* * Unique keys are xid, client mac, and client ID? */ src/modules/frs_dhcp/dhcp.c @@ -115,7 +115,6 @@ static int proxy_socket_recv(rad_listen_t *listener, case PW_DISCONNECT_NAK: case PW_COA_ACK: case PW_COA_NAK: - fun = rad_coa_reply; /* run NEW function */ break; #endif @@ -140,10 +139,20 @@ static int proxy_socket_recv(rad_listen_t *listener, rad_assert(request->process != NULL); #ifdef WITH_COA - if (!fun) + /* + * Distinguish proxied CoA requests from ones we + * originate. If we've proxied a DIFFERENT packet type + * than the original, then it MUST be a CoA packet. In + * that case, we process it as a CoA reply packet, rather + * than re-running the original method. + */ + if (request->packet->code != request->proxy->code) { + rad_assert((request->proxy->code == PW_COA_REQUEST) || + (request->proxy->code == PW_DISCONNECT_REQUEST)); + fun = rad_coa_reply; /* run NEW function */ + } else #endif - fun = request->process; /* re-run original function */ - *pfun = fun; + *pfun = request->process; /* re-run original function */ *prequest = request; return 1; src/modules/frs_proxy/frs_proxy.c @@ -166,5 +166,10 @@ module_t rlm_always = { always_return, /* pre-proxy */ always_return, /* post-proxy */ always_return /* post-auth */ +#ifdef WITH_COA + , + always_return, /* recv-coa */ + always_return /* send-coa */ +#endif }, }; src/modules/rlm_always/rlm_always.c @@ -46,6 +46,46 @@ static const char *packet_codes[] = { "Password-Reject", "Accounting-Message", "Access-Challenge" + "Status-Server", + "Status-Client", + "14", + "15", + "16", + "17", + "18", + "19", + "20", + "Resource-Free-Request", + "Resource-Free-Response", + "Resource-Query-Request", + "Resource-Query-Response", + "Alternate-Resource-Reclaim-Request", + "NAS-Reboot-Request", + "NAS-Reboot-Response", + "28", + "Next-Passcode", + "New-Pin", + "Terminate-Session", + "Password-Expired", + "Event-Request", + "Event-Response", + "35", + "36", + "37", + "38", + "39", + "Disconnect-Request", + "Disconnect-ACK", + "Disconnect-NAK", + "CoA-Request", + "CoA-ACK", + "CoA-NAK", + "46", + "47", + "48", + "49", + "IP-Address-Allocate", + "IP-Address-Release" }; @@ -360,7 +400,7 @@ static int do_detail(void *instance, REQUEST *request, RADIUS_PACKET *packet, * Numbers, if not. */ if ((packet->code > 0) && - (packet->code <= PW_ACCESS_CHALLENGE)) { + (packet->code < 52)) { fprintf(outfp, "\tPacket-Type = %s\n", packet_codes[packet->code]); } else { @@ -515,6 +555,23 @@ static int detail_postauth(void *instance, REQUEST *request) return do_detail(instance,request,request->reply, FALSE); } +#ifdef WITH_COA +/* + * Incoming CoA - write the detail files. + */ +static int detail_recv_coa(void *instance, REQUEST *request) +{ + return do_detail(instance,request,request->packet, FALSE); +} + +/* + * Outgoing CoA - write the detail files. + */ +static int detail_send_coa(void *instance, REQUEST *request) +{ + return do_detail(instance,request,request->reply, FALSE); +} +#endif /* * Outgoing Access-Request to home server - write the detail files. @@ -577,6 +634,10 @@ module_t rlm_detail = { detail_pre_proxy, /* pre-proxy */ detail_post_proxy, /* post-proxy */ detail_postauth /* post-auth */ +#ifdef WITH_COA + , detail_recv_coa, + detail_send_coa +#endif }, }; src/modules/rlm_detail/rlm_detail.c @@ -411,8 +411,11 @@ static int eap_authenticate(void *instance, REQUEST *request) */ vp = pairfind(request->reply->vps, PW_USER_NAME); if (!vp) { - vp = pairmake("User-Name", request->username->vp_strvalue, + vp = pairmake("User-Name", "", T_OP_EQ); + strlcpy(vp->vp_strvalue, request->username->vp_strvalue, + sizeof(vp->vp_strvalue)); + vp->length = request->username->length; rad_assert(vp != NULL); pairadd(&(request->reply->vps), vp); } @@ -511,6 +514,11 @@ static int eap_post_proxy(void *inst, REQUEST *request) EAP_HANDLER *handler; /* + * Just in case the admin lists EAP in post-proxy-type Fail. + */ + if (!request->proxy_reply) return RLM_MODULE_NOOP; + + /* * If there was a handler associated with this request, * then it's a tunneled request which was proxied... */ @@ -548,7 +556,7 @@ static int eap_post_proxy(void *inst, REQUEST *request) * We are done, wrap the EAP-request in RADIUS to send * with all other required radius attributes */ - rcode = eap_compose(handler); + eap_compose(handler); /* * Add to the list only if it is EAP-Request, OR if @@ -592,7 +600,6 @@ static int eap_post_proxy(void *inst, REQUEST *request) RDEBUG2("No pre-existing handler found"); } - /* * There may be more than one Cisco-AVPair. * Ensure we find the one with the LEAP attribute. src/modules/rlm_eap/rlm_eap.c @@ -67,6 +67,10 @@ static const int JRADIUS_checksimul = 5; static const int JRADIUS_pre_proxy = 6; static const int JRADIUS_post_proxy = 7; static const int JRADIUS_post_auth = 8; +#ifdef WITH_COA +static const int JRADIUS_recv_coa = 9; +static const int JRADIUS_send_coa = 10; +#endif #define LOG_PREFIX "rlm_jradius: " #define MAX_HOSTS 4 @@ -1062,6 +1066,17 @@ static int jradius_post_auth(void *instance, REQUEST *request) return rlm_jradius_call(JRADIUS_post_auth, instance, request, 0); } +#ifdef WITH_COA +static int jradius_recv_coa(void *instance, REQUEST *request) +{ + return rlm_jradius_call(JRADIUS_recv_coa, instance, request, 0); +} +static int jradius_send_coa(void *instance, REQUEST *request) +{ + return rlm_jradius_call(JRADIUS_send_coa, instance, request, 0); +} +#endif + static int jradius_detach(void *instance) { JRADIUS *inst = (JRADIUS *) instance; @@ -1085,6 +1100,10 @@ module_t rlm_jradius = { jradius_pre_proxy, jradius_post_proxy, jradius_post_auth +#ifdef WITH_COA + , jradius_recv_coa, + jradius_send_coa +#endif }, }; src/modules/rlm_jradius/rlm_jradius.c @@ -288,5 +288,9 @@ module_t rlm_linelog = { do_linelog, /* pre-proxy */ do_linelog, /* post-proxy */ do_linelog /* post-auth */ +#ifdef WITH_COA + , do_linelog, /* recv-coa */ + do_linelog /* send-coa */ +#endif }, }; src/modules/rlm_linelog/rlm_linelog.c @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.in Revision: 1.3 . +# From configure.in Revision. # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61. # @@ -3301,6 +3301,55 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ targetname= fi + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +extern char Perl_hv_store(); +int +main () +{ + Perl_hv_store() + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + BROKEN= +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + BROKEN="yes" +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext + + if test "x$BROKEN" != "x"; then + fail="$fail libperl.so" + targetname= + fi + CFLAGS=$old_CFLAGS fi targetname=rlm_perl @@ -3334,7 +3383,11 @@ ac_config_headers="$ac_config_headers config.h" -ac_config_files="$ac_config_files Makefile" + + unset ac_cv_env_LIBS_set + unset ac_cv_env_LIBS_value + + ac_config_files="$ac_config_files Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4428,3 +4481,4 @@ if test "$no_create" != yes; then $ac_cs_success || { (exit 1); exit 1; } fi + src/modules/rlm_perl/configure @@ -50,6 +50,16 @@ if test x$with_[]modname != xno; then targetname= fi + AC_TRY_LINK([extern char Perl_hv_store();], + [ Perl_hv_store()], + BROKEN=, + BROKEN="yes") + + if test "x$BROKEN" != "x"; then + fail="$fail libperl.so" + targetname= + fi + CFLAGS=$old_CFLAGS fi targetname=modname src/modules/rlm_perl/configure.in @@ -69,6 +69,10 @@ typedef struct perl_inst { char *func_pre_proxy; char *func_post_proxy; char *func_post_auth; +#ifdef WITH_COA + char *func_recv_coa; + char *func_send_coa; +#endif char *xlat_name; char *perl_flags; PerlInterpreter *perl; @@ -105,6 +109,12 @@ static const CONF_PARSER module_config[] = { offsetof(PERL_INST,func_post_proxy), NULL, "post_proxy"}, { "func_post_auth", PW_TYPE_STRING_PTR, offsetof(PERL_INST,func_post_auth), NULL, "post_auth"}, +#ifdef WITH_COA + { "func_recv_coa", PW_TYPE_STRING_PTR, + offsetof(PERL_INST,func_recv_coa), NULL, "recv_coa"}, + { "func_send_coa", PW_TYPE_STRING_PTR, + offsetof(PERL_INST,func_send_coa), NULL, "send_coa"}, +#endif { "perl_flags", PW_TYPE_STRING_PTR, offsetof(PERL_INST,perl_flags), NULL, NULL}, { "func_start_accounting", PW_TYPE_STRING_PTR, @@ -868,6 +878,24 @@ static int perl_post_auth(void *instance, REQUEST *request) return rlmperl_call(instance, request, ((PERL_INST *)instance)->func_post_auth); } +#ifdef WITH_COA +/* + * Recv CoA request + */ +static int perl_recv_coa(void *instance, REQUEST *request) +{ + return rlmperl_call(instance, request, + ((PERL_INST *)instance)->func_recv_coa); +} +/* + * Send CoA request + */ +static int perl_send_coa(void *instance, REQUEST *request) +{ + return rlmperl_call(instance, request, + ((PERL_INST *)instance)->func_send_coa); +} +#endif /* * Detach a instance give a chance to a module to make some internal setup ... */ @@ -970,5 +998,9 @@ module_t rlm_perl = { perl_pre_proxy, /* pre-proxy */ perl_post_proxy, /* post-proxy */ perl_post_auth /* post-auth */ +#ifdef WITH_COA + , perl_recv_coa, + perl_send_coa +#endif }, }; src/modules/rlm_perl/rlm_perl.c @@ -1095,6 +1095,10 @@ const FR_NAME_NUMBER policy_component_names[] = { { "pre-proxy", RLM_COMPONENT_PRE_PROXY }, { "post-proxy", RLM_COMPONENT_POST_PROXY }, { "post-auth", RLM_COMPONENT_POST_AUTH }, +#ifdef WITH_COA + { "recv-coa", RLM_COMPONENT_RECV_COA }, + { "send-coa", RLM_COMPONENT_SEND_COA }, +#endif { NULL, RLM_COMPONENT_COUNT } }; src/modules/rlm_policy/parse.c @@ -189,6 +189,19 @@ static int policy_post_proxy(void *instance, REQUEST *request) "post-proxy"); } +#ifdef WITH_COA +static int policy_recv_coa(void *instance, REQUEST *request) +{ + return rlm_policy_evaluate((rlm_policy_t *) instance, request, + "recv-coa"); +} +static int policy_send_coa(void *instance, REQUEST *request) +{ + return rlm_policy_evaluate((rlm_policy_t *) instance, request, + "send-coa"); +} +#endif + /* * The "free" functions are here, for no particular reason. */ @@ -322,5 +335,9 @@ module_t rlm_policy = { policy_pre_proxy, /* pre-proxy */ policy_post_proxy, /* post-proxy */ policy_post_auth /* post-auth */ +#ifdef WITH_COA + , policy_recv_coa, + policy_send_coa +#endif }, }; src/modules/rlm_policy/rlm_policy.c @@ -31,18 +31,28 @@ def accounting(p): print p return radiusd.RLM_MODULE_OK -def preproxy(p): - print "*** preproxy ***" +def pre_proxy(p): + print "*** pre_proxy ***" print p return radiusd.RLM_MODULE_OK -def postproxy(p): - print "*** postproxy ***" +def post_proxy(p): + print "*** post_proxy ***" print p return radiusd.RLM_MODULE_OK -def postauth(p): - print "*** postauth ***" +def post_auth(p): + print "*** post_auth ***" + print p + return radiusd.RLM_MODULE_OK + +def recv_coa(p): + print "*** recv_coa ***" + print p + return radiusd.RLM_MODULE_OK + +def send_coa(p): + print "*** send_coa ***" print p return radiusd.RLM_MODULE_OK src/modules/rlm_python/radiusd_test.py @@ -54,6 +54,13 @@ struct rlm_python_t { preacct, accounting, checksimul, + pre_proxy, + post_proxy, + post_auth, +#ifdef WITH_COA + recv_coa, + send_coa, +#endif detach; }; @@ -77,6 +84,13 @@ static CONF_PARSER module_config[] = { A(preacct) A(accounting) A(checksimul) + A(pre_proxy) + A(post_proxy) + A(post_auth) +#ifdef WITH_COA + A(recv_coa) + A(send_coa) +#endif A(detach) #undef A @@ -587,6 +601,13 @@ static int python_instantiate(CONF_SECTION *conf, void **instance) A(preacct); A(accounting); A(checksimul); + A(pre_proxy); + A(post_proxy); + A(post_auth); +#ifdef WITH_COA + A(recv_coa); + A(send_coa); +#endif A(detach); #undef A @@ -628,6 +649,13 @@ A(authorize) A(preacct) A(accounting) A(checksimul) +A(pre_proxy) +A(post_proxy) +A(post_auth) +#ifdef WITH_COA +A(recv_coa) +A(send_coa) +#endif #undef A @@ -652,8 +680,12 @@ module_t rlm_python = { python_preacct, /* preaccounting */ python_accounting, /* accounting */ python_checksimul, /* checksimul */ - NULL, /* pre-proxy */ - NULL, /* post-proxy */ - NULL /* post-auth */ + python_pre_proxy, /* pre-proxy */ + python_post_proxy, /* post-proxy */ + python_post_auth /* post-auth */ +#ifdef WITH_COA + , python_recv_coa, + python_send_coa +#endif } }; src/modules/rlm_python/rlm_python.c @@ -2903,6 +2903,209 @@ fi old_CFLAGS=$CFLAGS CFLAGS="$CFLAGS $RB_CFLAGS -I${RB_ARCH_DIR} -I${RB_INC_DIR}" # smart_try_dir=$RB_INC_DIR + + + +ac_safe=`echo "ruby.h" | sed 'y%./+-%__pm%'` +{ echo "$as_me:$LINENO: checking for ruby.h" >&5 +echo $ECHO_N "checking for ruby.h... $ECHO_C" >&6; } + +old_CFLAGS="$CFLAGS" +smart_include= +smart_include_dir= + +if test "x$smart_try_dir" != "x"; then + for try in $smart_try_dir; do + CFLAGS="$old_CFLAGS -I$try" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + #include <ruby.h> +int +main () +{ + int a = 1; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + smart_include="-I$try" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + smart_include= +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test "x$smart_include" != "x"; then + break; + fi + done + CFLAGS="$old_CFLAGS" +fi + +if test "x$smart_include" = "x"; then + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + #include <ruby.h> +int +main () +{ + int a = 1; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + smart_include=" " +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + smart_include= +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + +if test "x$LOCATE" != "x"; then + DIRS= + file=ruby.h + + for x in `${LOCATE} $file 2>/dev/null`; do + base=`echo $x | sed "s%/${file}%%"` + if test "x$x" = "x$base"; then + continue; + fi + + dir=`${DIRNAME} $x 2>/dev/null` + exclude=`echo ${dir} | ${GREP} /home` + if test "x$exclude" != "x"; then + continue + fi + + already=`echo \$smart_include_dir ${DIRS} | ${GREP} ${dir}` + if test "x$already" = "x"; then + DIRS="$DIRS $dir" + fi + done +fi + +eval "smart_include_dir=\"\$smart_include_dir $DIRS\"" + + + for try in $smart_include_dir /usr/local/include /opt/include; do + CFLAGS="$old_CFLAGS -I$try" + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + #include <ruby.h> +int +main () +{ + int a = 1; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + smart_include="-I$try" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + smart_include= +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test "x$smart_include" != "x"; then + break; + fi + done + CFLAGS="$old_CFLAGS" +fi + +if test "x$smart_include" != "x"; then + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } + eval "ac_cv_header_$ac_safe=yes" + CFLAGS="$old_CFLAGS $smart_include" + SMART_CFLAGS="$SMART_CFLAGS $smart_include" +else + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } +fi + + if test "x$ac_cv_header_ruby_h" != "xyes"; then + fail="$fail ruby.h" + targetname= + fi ruby_cflags=$CFLAGS CFLAGS=$old_CFLAGS src/modules/rlm_ruby/configure @@ -64,6 +64,11 @@ if test x$with_[]modname != xno; then old_CFLAGS=$CFLAGS CFLAGS="$CFLAGS $RB_CFLAGS -I${RB_ARCH_DIR} -I${RB_INC_DIR}" # smart_try_dir=$RB_INC_DIR + FR_SMART_CHECK_INCLUDE(ruby.h) + if test "x$ac_cv_header_ruby_h" != "xyes"; then + fail="$fail ruby.h" + targetname= + fi ruby_cflags=$CFLAGS CFLAGS=$old_CFLAGS src/modules/rlm_ruby/configure.in @@ -47,6 +47,10 @@ typedef struct rlm_ruby_t { RLM_RUBY_STRUCT(preproxy); RLM_RUBY_STRUCT(postproxy); RLM_RUBY_STRUCT(postauth); +#ifdef WITH_COA + RLM_RUBY_STRUCT(recvcoa); + RLM_RUBY_STRUCT(sendcoa); +#endif RLM_RUBY_STRUCT(detach); char *scriptFile; @@ -388,6 +392,10 @@ static int ruby_instantiate(CONF_SECTION *conf, void **instance) { RLM_RUBY_LOAD(preproxy); RLM_RUBY_LOAD(postproxy); RLM_RUBY_LOAD(postauth); +#ifdef WITH_COA + RLM_RUBY_LOAD(recvcoa); + RLM_RUBY_LOAD(sendcoa); +#endif RLM_RUBY_LOAD(detach); *instance = data; @@ -411,6 +419,10 @@ RLM_RUBY_FUNC(checksimul) RLM_RUBY_FUNC(preproxy) RLM_RUBY_FUNC(postproxy) RLM_RUBY_FUNC(postauth) +#ifdef WITH_COA +RLM_RUBY_FUNC(recvcoa) +RLM_RUBY_FUNC(sendcoa) +#endif static int ruby_detach(void *instance) { int return_value; @@ -455,5 +467,9 @@ module_t rlm_ruby = { ruby_preproxy, /* pre-proxy */ ruby_postproxy, /* post-proxy */ ruby_postauth /* post-auth */ +#ifdef WITH_COA + , ruby_recvcoa, + ruby_sendcoa +#endif }, }; src/modules/rlm_ruby/rlm_ruby.c a62281184660ab621f4dd331f7ad94e207654685 4a5b18a653c5a35786f8a9dcfab8b4ebc0671101 Antti refresh.xss@gmail.com http://github.com/Antti/freeradius-server/commit/b06ff21b5e33995789c04366ce7326704f415c10 b06ff21b5e33995789c04366ce7326704f415c10 2009-06-09T10:51:17-07:00 2009-06-09T10:51:17-07:00 Merge branch 'master' of git://github.com/alandekok/freeradius-server 0f1da5a7ce451fc216f429526d80086f38344713 Antti refresh.xss@gmail.com