2 * client.c Read clients into memory.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/rad_assert.h>
36 #ifdef WITH_DYNAMIC_CLIENTS
42 struct radclient_list {
44 * FIXME: One set of trees for IPv4, and another for IPv6?
46 rbtree_t *trees[129]; /* for 0..128, inclusive. */
52 static rbtree_t *tree_num = NULL; /* client numbers 0..N */
53 static int tree_num_max = 0;
55 static RADCLIENT_LIST *root_clients = NULL;
57 #ifdef WITH_DYNAMIC_CLIENTS
58 static fr_fifo_t *deleted_clients = NULL;
62 * Callback for freeing a client.
64 void client_free(RADCLIENT *client)
66 #ifdef WITH_DYNAMIC_CLIENTS
67 if (client->dynamic == 2) {
70 if (!deleted_clients) {
71 deleted_clients = fr_fifo_create(1024,
72 (void *) client_free);
73 if (!deleted_clients) return; /* MEMLEAK */
77 * Mark it as in the fifo, and remember when we
81 client->created = now = time(NULL); /* re-set it */
82 fr_fifo_push(deleted_clients, client);
85 * Peek at the head of the fifo. If it might
86 * still be in use, return. Otherwise, pop it
87 * from the queue and delete it.
89 client = fr_fifo_peek(deleted_clients);
90 if ((client->created + 120) >= now) return;
92 client = fr_fifo_pop(deleted_clients);
93 rad_assert(client != NULL);
97 free(client->longname);
99 free(client->shortname);
100 free(client->nastype);
102 free(client->password);
103 free(client->server);
107 #ifdef WITH_ACCOUNTING
112 #ifdef WITH_DYNAMIC_CLIENTS
113 free(client->client_server);
120 * Callback for comparing two clients.
122 static int client_ipaddr_cmp(const void *one, const void *two)
124 const RADCLIENT *a = one;
125 const RADCLIENT *b = two;
127 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
131 static int client_num_cmp(const void *one, const void *two)
133 const RADCLIENT *a = one;
134 const RADCLIENT *b = two;
136 return (a->number - b->number);
141 * Free a RADCLIENT list.
143 void clients_free(RADCLIENT_LIST *clients)
147 if (!clients) return;
149 for (i = 0; i <= 128; i++) {
150 if (clients->trees[i]) rbtree_free(clients->trees[i]);
151 clients->trees[i] = NULL;
154 if (clients == root_clients) {
156 if (tree_num) rbtree_free(tree_num);
163 #ifdef WITH_DYNAMIC_CLIENTS
165 * FIXME: No fr_fifo_delete()
173 * Return a new, initialized, set of clients.
175 RADCLIENT_LIST *clients_init(void)
177 RADCLIENT_LIST *clients = calloc(1, sizeof(RADCLIENT_LIST));
179 if (!clients) return NULL;
181 clients->min_prefix = 128;
188 * Sanity check a client.
190 static int client_sane(RADCLIENT *client)
192 switch (client->ipaddr.af) {
194 if (client->prefix > 32) {
199 * Zero out the subnet bits.
201 if (client->prefix == 0) {
202 memset(&client->ipaddr.ipaddr.ip4addr, 0,
203 sizeof(client->ipaddr.ipaddr.ip4addr));
205 } else if (client->prefix < 32) {
208 mask <<= (32 - client->prefix);
209 client->ipaddr.ipaddr.ip4addr.s_addr &= htonl(mask);
214 if (client->prefix > 128) return 0;
216 if (client->prefix == 0) {
217 memset(&client->ipaddr.ipaddr.ip6addr, 0,
218 sizeof(client->ipaddr.ipaddr.ip6addr));
220 } else if (client->prefix < 128) {
222 uint32_t mask, *addr;
224 addr = (uint32_t *) &client->ipaddr.ipaddr.ip6addr;
226 for (i = client->prefix; i < 128; i += 32) {
228 mask <<= ((128 - i) & 0x1f);
229 addr[i / 32] &= mask;
243 * Add a client to the tree.
245 int client_add(RADCLIENT_LIST *clients, RADCLIENT *client)
252 * If "clients" is NULL, it means add to the global list.
256 * Initialize it, if not done already.
259 root_clients = clients_init();
260 if (!root_clients) return 0;
262 clients = root_clients;
265 if ((client->prefix < 0) || (client->prefix > 128)) {
269 if (!client_sane(client)) return 0;
272 * Create a tree for it.
274 if (!clients->trees[client->prefix]) {
275 clients->trees[client->prefix] = rbtree_create(client_ipaddr_cmp,
276 (void *) client_free, 0);
277 if (!clients->trees[client->prefix]) {
283 * Cannot insert the same client twice.
285 if (rbtree_find(clients->trees[client->prefix], client)) {
286 radlog(L_ERR, "Failed to add duplicate client %s",
292 * Other error adding client: likely is fatal.
294 if (!rbtree_insert(clients->trees[client->prefix], client)) {
300 tree_num = rbtree_create(client_num_cmp, NULL, 0);
305 * Catch clients added by rlm_sql.
308 client->auth = rad_malloc(sizeof(*client->auth));
309 memset(client->auth, 0, sizeof(*client->auth));
312 #ifdef WITH_ACCOUNTING
314 client->acct = rad_malloc(sizeof(*client->acct));
315 memset(client->acct, 0, sizeof(*client->acct));
319 #ifdef WITH_DYNAMIC_CLIENTS
321 * More catching of clients added by rlm_sql.
323 * The sql modules sets the dynamic flag BEFORE calling
324 * us. The client_create() function sets it AFTER
327 if (client->dynamic && (client->lifetime == 0)) {
331 * If there IS an enclosing network,
332 * inherit the lifetime from it.
334 network = client_find(clients, &client->ipaddr);
336 client->lifetime = network->lifetime;
341 client->number = tree_num_max;
343 if (tree_num) rbtree_insert(tree_num, client);
346 if (client->prefix < clients->min_prefix) {
347 clients->min_prefix = client->prefix;
354 #ifdef WITH_DYNAMIC_CLIENTS
355 void client_delete(RADCLIENT_LIST *clients, RADCLIENT *client)
357 if (!clients || !client) return;
359 rad_assert((client->prefix >= 0) && (client->prefix <= 128));
361 client->dynamic = 2; /* signal to client_free */
363 rbtree_deletebydata(tree_num, client);
364 rbtree_deletebydata(clients->trees[client->prefix], client);
370 * Find a client in the RADCLIENTS list by number.
371 * This is a support function for the statistics code.
373 RADCLIENT *client_findbynumber(const RADCLIENT_LIST *clients,
377 if (!clients) clients = root_clients;
379 if (!clients) return NULL;
381 if (number >= tree_num_max) return NULL;
386 myclient.number = number;
388 return rbtree_finddata(tree_num, &myclient);
391 clients = clients; /* -Wunused */
392 number = number; /* -Wunused */
399 * Find a client in the RADCLIENTS list.
401 RADCLIENT *client_find(const RADCLIENT_LIST *clients,
402 const fr_ipaddr_t *ipaddr)
407 if (!clients) clients = root_clients;
409 if (!clients || !ipaddr) return NULL;
411 switch (ipaddr->af) {
424 for (i = max_prefix; i >= clients->min_prefix; i--) {
428 myclient.ipaddr = *ipaddr;
429 client_sane(&myclient); /* clean up the ipaddress */
431 if (!clients->trees[i]) continue;
433 data = rbtree_finddata(clients->trees[i], &myclient);
444 * Old wrapper for client_find
446 RADCLIENT *client_find_old(const fr_ipaddr_t *ipaddr)
448 return client_find(root_clients, ipaddr);
451 static struct in_addr cl_ip4addr;
452 static struct in6_addr cl_ip6addr;
454 static const CONF_PARSER client_config[] = {
455 { "ipaddr", PW_TYPE_IPADDR,
456 0, &cl_ip4addr, NULL },
457 { "ipv6addr", PW_TYPE_IPV6ADDR,
458 0, &cl_ip6addr, NULL },
459 { "netmask", PW_TYPE_INTEGER,
460 offsetof(RADCLIENT, prefix), 0, NULL },
462 { "require_message_authenticator", PW_TYPE_BOOLEAN,
463 offsetof(RADCLIENT, message_authenticator), 0, "no" },
465 { "secret", PW_TYPE_STRING_PTR,
466 offsetof(RADCLIENT, secret), 0, NULL },
467 { "shortname", PW_TYPE_STRING_PTR,
468 offsetof(RADCLIENT, shortname), 0, NULL },
469 { "nastype", PW_TYPE_STRING_PTR,
470 offsetof(RADCLIENT, nastype), 0, NULL },
471 { "login", PW_TYPE_STRING_PTR,
472 offsetof(RADCLIENT, login), 0, NULL },
473 { "password", PW_TYPE_STRING_PTR,
474 offsetof(RADCLIENT, password), 0, NULL },
475 { "virtual_server", PW_TYPE_STRING_PTR,
476 offsetof(RADCLIENT, server), 0, NULL },
477 { "server", PW_TYPE_STRING_PTR, /* compatability with 2.0-pre */
478 offsetof(RADCLIENT, server), 0, NULL },
480 #ifdef WITH_DYNAMIC_CLIENTS
481 { "dynamic_clients", PW_TYPE_STRING_PTR,
482 offsetof(RADCLIENT, client_server), 0, NULL },
483 { "lifetime", PW_TYPE_INTEGER,
484 offsetof(RADCLIENT, lifetime), 0, NULL },
488 { "coa_server", PW_TYPE_STRING_PTR,
489 offsetof(RADCLIENT, coa_name), 0, NULL },
492 { NULL, -1, 0, NULL, NULL }
496 static RADCLIENT *client_parse(CONF_SECTION *cs, int in_server)
501 name2 = cf_section_name2(cs);
503 cf_log_err(cf_sectiontoitem(cs),
504 "Missing client name");
509 * The size is fine.. Let's create the buffer
511 c = rad_malloc(sizeof(*c));
512 memset(c, 0, sizeof(*c));
516 c->auth = rad_malloc(sizeof(*c->auth));
517 memset(c->auth, 0, sizeof(*c->auth));
519 #ifdef WITH_ACCOUNTING
520 c->acct = rad_malloc(sizeof(*c->acct));
521 memset(c->acct, 0, sizeof(*c->acct));
525 memset(&cl_ip4addr, 0, sizeof(cl_ip4addr));
526 memset(&cl_ip6addr, 0, sizeof(cl_ip6addr));
529 if (cf_section_parse(cs, c, client_config) < 0) {
531 cf_log_err(cf_sectiontoitem(cs),
532 "Error parsing client section.");
537 * Global clients can set servers to use,
538 * per-server clients cannot.
540 if (in_server && c->server) {
542 cf_log_err(cf_sectiontoitem(cs),
543 "Clients inside of an server section cannot point to a server.");
548 * No "ipaddr" or "ipv6addr", use old-style
549 * "client <ipaddr> {" syntax.
551 if (!cf_pair_find(cs, "ipaddr") &&
552 !cf_pair_find(cs, "ipv6addr")) {
555 prefix_ptr = strchr(name2, '/');
561 c->prefix = atoi(prefix_ptr + 1);
562 if ((c->prefix < 0) || (c->prefix > 128)) {
564 cf_log_err(cf_sectiontoitem(cs),
565 "Invalid Prefix value '%s' for IP.",
569 /* Replace '/' with '\0' */
574 * Always get the numeric representation of IP
576 if (ip_hton(name2, AF_UNSPEC, &c->ipaddr) < 0) {
578 cf_log_err(cf_sectiontoitem(cs),
579 "Failed to look up hostname %s: %s",
580 name2, fr_strerror());
584 if (prefix_ptr) *prefix_ptr = '/';
585 c->longname = strdup(name2);
587 if (!c->shortname) c->shortname = strdup(c->longname);
593 * Figure out which one to use.
595 if (cf_pair_find(cs, "ipaddr")) {
596 c->ipaddr.af = AF_INET;
597 c->ipaddr.ipaddr.ip4addr = cl_ip4addr;
599 if ((c->prefix < -1) || (c->prefix > 32)) {
601 cf_log_err(cf_sectiontoitem(cs),
602 "Netmask must be between 0 and 32");
606 } else if (cf_pair_find(cs, "ipv6addr")) {
607 c->ipaddr.af = AF_INET6;
608 c->ipaddr.ipaddr.ip6addr = cl_ip6addr;
610 if ((c->prefix < -1) || (c->prefix > 128)) {
612 cf_log_err(cf_sectiontoitem(cs),
613 "Netmask must be between 0 and 128");
617 cf_log_err(cf_sectiontoitem(cs),
618 "No IP address defined for the client");
623 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer));
624 c->longname = strdup(buffer);
627 * Set the short name to the name2
629 if (!c->shortname) c->shortname = strdup(name2);
632 if (c->prefix < 0) switch (c->ipaddr.af) {
643 #ifdef WITH_DYNAMIC_CLIENTS
644 if (c->client_server) {
646 c->secret = strdup("testing123");
648 if (((c->ipaddr.af == AF_INET) &&
649 (c->prefix == 32)) ||
650 ((c->ipaddr.af == AF_INET6) &&
651 (c->prefix == 128))) {
652 cf_log_err(cf_sectiontoitem(cs),
653 "Dynamic clients MUST be a network, not a single IP address.");
662 if (!c->secret || !*c->secret) {
664 const char *value = NULL;
665 CONF_PAIR *cp = cf_pair_find(cs, "dhcp");
667 if (cp) value = cf_pair_value(cp);
670 * Secrets aren't needed for DHCP.
672 if (value && (strcmp(value, "yes") == 0)) return c;
676 cf_log_err(cf_sectiontoitem(cs),
677 "secret must be at least 1 character long");
683 * Point the client to the home server pool, OR to the
684 * home server. This gets around the problem of figuring
685 * out which port to use.
688 c->coa_pool = home_pool_byname(c->coa_name, HOME_TYPE_COA);
690 c->coa_server = home_server_byname(c->coa_name);
692 if (!c->coa_server) {
694 cf_log_err(cf_sectiontoitem(cs), "No such home_server or home_server_pool \"%s\"", c->coa_name);
705 * Create the linked list of clients from the new configuration
706 * type. This way we don't have to change too much in the other
709 RADCLIENT_LIST *clients_parse_section(CONF_SECTION *section)
711 int global = FALSE, in_server = FALSE;
714 RADCLIENT_LIST *clients;
717 * Be forgiving. If there's already a clients, return
718 * it. Otherwise create a new one.
720 clients = cf_data_find(section, "clients");
721 if (clients) return clients;
723 clients = clients_init();
724 if (!clients) return NULL;
726 if (cf_top_section(section) == section) global = TRUE;
728 if (strcmp("server", cf_section_name1(section)) == 0) in_server = TRUE;
731 * Associate the clients structure with the section, where
732 * it will be freed once the section is freed.
734 if (cf_data_add(section, "clients", clients, (void *) clients_free) < 0) {
735 cf_log_err(cf_sectiontoitem(section),
736 "Failed to associate clients with section %s",
737 cf_section_name1(section));
738 clients_free(clients);
742 for (cs = cf_subsection_find_next(section, NULL, "client");
744 cs = cf_subsection_find_next(section, cs, "client")) {
745 c = client_parse(cs, in_server);
751 * FIXME: Add the client as data via cf_data_add,
752 * for migration issues.
755 #ifdef WITH_DYNAMIC_CLIENTS
757 if (c->client_server) {
762 struct stat stat_buf;
766 * Find the directory where individual
767 * client definitions are stored.
769 cp = cf_pair_find(cs, "directory");
770 if (!cp) goto add_client;
772 value = cf_pair_value(cp);
774 cf_log_err(cf_sectiontoitem(cs),
775 "The \"directory\" entry must not be empty");
780 DEBUG("including dynamic clients in %s", value);
782 dir = opendir(value);
784 cf_log_err(cf_sectiontoitem(cs), "Error reading directory %s: %s", value, strerror(errno));
790 * Read the directory, ignoring "." files.
792 while ((dp = readdir(dir)) != NULL) {
796 if (dp->d_name[0] == '.') continue;
799 * Check for valid characters
801 for (p = dp->d_name; *p != '\0'; p++) {
802 if (isalpha((int)*p) ||
805 (*p == '.')) continue;
808 if (*p != '\0') continue;
810 snprintf(buf2, sizeof(buf2), "%s/%s",
813 if ((stat(buf2, &stat_buf) != 0) ||
814 S_ISDIR(stat_buf.st_mode)) continue;
816 dc = client_read(buf2, in_server, TRUE);
818 cf_log_err(cf_sectiontoitem(cs),
819 "Failed reading client file \"%s\"", buf2);
825 * Validate, and add to the list.
827 if (!client_validate(clients, c, dc)) {
832 } /* loop over the directory */
834 #endif /* HAVE_DIRENT_H */
835 #endif /* WITH_DYNAMIC_CLIENTS */
838 if (!client_add(clients, c)) {
839 cf_log_err(cf_sectiontoitem(cs),
840 "Failed to add client %s",
841 cf_section_name2(cs));
849 * Replace the global list of clients with the new one.
850 * The old one is still referenced from the original
851 * configuration, and will be freed when that is freed.
854 root_clients = clients;
860 #ifdef WITH_DYNAMIC_CLIENTS
862 * We overload this structure a lot.
864 static const CONF_PARSER dynamic_config[] = {
865 { "FreeRADIUS-Client-IP-Address", PW_TYPE_IPADDR,
866 offsetof(RADCLIENT, ipaddr), 0, NULL },
867 { "FreeRADIUS-Client-IPv6-Address", PW_TYPE_IPV6ADDR,
868 offsetof(RADCLIENT, ipaddr), 0, NULL },
870 { "FreeRADIUS-Client-Require-MA", PW_TYPE_BOOLEAN,
871 offsetof(RADCLIENT, message_authenticator), NULL, NULL },
873 { "FreeRADIUS-Client-Secret", PW_TYPE_STRING_PTR,
874 offsetof(RADCLIENT, secret), 0, "" },
875 { "FreeRADIUS-Client-Shortname", PW_TYPE_STRING_PTR,
876 offsetof(RADCLIENT, shortname), 0, "" },
877 { "FreeRADIUS-Client-NAS-Type", PW_TYPE_STRING_PTR,
878 offsetof(RADCLIENT, nastype), 0, NULL },
879 { "FreeRADIUS-Client-Virtual-Server", PW_TYPE_STRING_PTR,
880 offsetof(RADCLIENT, server), 0, NULL },
882 { NULL, -1, 0, NULL, NULL }
886 int client_validate(RADCLIENT_LIST *clients, RADCLIENT *master, RADCLIENT *c)
891 * No virtual server defined. Inherit the parent's
894 if (master->server && !c->server) {
895 c->server = strdup(master->server);
899 * If the client network isn't global (not tied to a
900 * virtual server), then ensure that this clients server
901 * is the same as the enclosing networks virtual server.
903 if (master->server &&
904 (strcmp(master->server, c->server) != 0)) {
905 DEBUG("- Cannot add client %s: Virtual server %s is not the same as the virtual server for the network.",
907 buffer, sizeof(buffer)),
913 if (!client_add(clients, c)) {
914 DEBUG("- Cannot add client %s: Internal error",
916 buffer, sizeof(buffer)));
922 * Initialize the remaining fields.
925 c->lifetime = master->lifetime;
926 c->created = time(NULL);
927 c->longname = strdup(c->shortname);
929 DEBUG("- Added client %s with shared secret %s",
930 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer)),
941 RADCLIENT *client_create(RADCLIENT_LIST *clients, REQUEST *request)
948 if (!clients || !request) return NULL;
950 c = rad_malloc(sizeof(*c));
951 memset(c, 0, sizeof(*c));
952 c->cs = request->client->cs;
953 c->ipaddr.af = AF_UNSPEC;
955 for (i = 0; dynamic_config[i].name != NULL; i++) {
959 da = dict_attrbyname(dynamic_config[i].name);
961 DEBUG("- Cannot add client %s: attribute \"%s\"is not in the dictionary",
962 ip_ntoh(&request->packet->src_ipaddr,
963 buffer, sizeof(buffer)),
964 dynamic_config[i].name);
970 vp = pairfind(request->config_items, da->attr);
973 * Not required. Skip it.
975 if (!dynamic_config[i].dflt) continue;
977 DEBUG("- Cannot add client %s: Required attribute \"%s\" is missing.",
978 ip_ntoh(&request->packet->src_ipaddr,
979 buffer, sizeof(buffer)),
980 dynamic_config[i].name);
984 switch (dynamic_config[i].type) {
986 c->ipaddr.af = AF_INET;
987 c->ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
991 case PW_TYPE_IPV6ADDR:
992 c->ipaddr.af = AF_INET6;
993 c->ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
997 case PW_TYPE_STRING_PTR:
998 p = (char **) ((char *) c + dynamic_config[i].offset);
1000 *p = strdup(vp->vp_strvalue);
1003 case PW_TYPE_BOOLEAN:
1004 pi = (int *) ((char *) c + dynamic_config[i].offset);
1005 *pi = vp->vp_integer;
1013 if (c->ipaddr.af == AF_UNSPEC) {
1014 DEBUG("- Cannot add client %s: No IP address was specified.",
1015 ip_ntoh(&request->packet->src_ipaddr,
1016 buffer, sizeof(buffer)));
1021 if (fr_ipaddr_cmp(&request->packet->src_ipaddr, &c->ipaddr) != 0) {
1024 DEBUG("- Cannot add client %s: IP address %s do not match",
1025 ip_ntoh(&request->packet->src_ipaddr,
1026 buffer, sizeof(buffer)),
1028 buf2, sizeof(buf2)));
1032 if (!client_validate(clients, request->client, c)) {
1040 * Read a client definition from the given filename.
1042 RADCLIENT *client_read(const char *filename, int in_server, int flag)
1049 if (!filename) return NULL;
1051 cs = cf_file_read(filename);
1052 if (!cs) return NULL;
1054 c = client_parse(cf_section_sub_find(cs, "client"), in_server);
1056 p = strrchr(filename, FR_DIR_SEP);
1063 if (!flag) return c;
1066 * Additional validations
1068 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer));
1069 if (strcmp(p, buffer) != 0) {
1070 DEBUG("Invalid client definition in %s: IP address %s does not match name %s", filename, buffer, p);