2 * client.c Read clients into memory.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Miquel van Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/rad_assert.h>
36 #ifdef WITH_DYNAMIC_CLIENTS
42 struct radclient_list {
44 * FIXME: One set of trees for IPv4, and another for IPv6?
46 rbtree_t *trees[129]; /* for 0..128, inclusive. */
52 static rbtree_t *tree_num = NULL; /* client numbers 0..N */
53 static int tree_num_max = 0;
55 static RADCLIENT_LIST *root_clients = NULL;
57 #ifdef WITH_DYNAMIC_CLIENTS
58 static fr_fifo_t *deleted_clients = NULL;
62 * Callback for freeing a client.
64 void client_free(RADCLIENT *client)
66 #ifdef WITH_DYNAMIC_CLIENTS
67 if (client->dynamic == 2) {
70 if (!deleted_clients) {
71 deleted_clients = fr_fifo_create(1024,
72 (void *) client_free);
73 if (!deleted_clients) return; /* MEMLEAK */
77 * Mark it as in the fifo, and remember when we
81 client->created = now = time(NULL); /* re-set it */
82 fr_fifo_push(deleted_clients, client);
85 * Pop the head of the fifo. If it might still
86 * be in use, return. Otherwise, fall through
89 client = fr_fifo_peek(deleted_clients);
90 if ((client->created + 120) >= now) return;
94 free(client->longname);
96 free(client->shortname);
97 free(client->nastype);
99 free(client->password);
100 free(client->server);
104 #ifdef WITH_ACCOUNTING
109 #ifdef WITH_DYNAMIC_CLIENTS
110 free(client->client_server);
117 * Callback for comparing two clients.
119 static int client_ipaddr_cmp(const void *one, const void *two)
121 const RADCLIENT *a = one;
122 const RADCLIENT *b = two;
124 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
128 static int client_num_cmp(const void *one, const void *two)
130 const RADCLIENT *a = one;
131 const RADCLIENT *b = two;
133 return (a->number - b->number);
138 * Free a RADCLIENT list.
140 void clients_free(RADCLIENT_LIST *clients)
144 if (!clients) return;
146 for (i = 0; i <= 128; i++) {
147 if (clients->trees[i]) rbtree_free(clients->trees[i]);
148 clients->trees[i] = NULL;
151 if (clients == root_clients) {
153 if (tree_num) rbtree_free(tree_num);
160 #ifdef WITH_DYNAMIC_CLIENTS
162 * FIXME: No fr_fifo_delete()
170 * Return a new, initialized, set of clients.
172 RADCLIENT_LIST *clients_init(void)
174 RADCLIENT_LIST *clients = calloc(1, sizeof(RADCLIENT_LIST));
176 if (!clients) return NULL;
178 clients->min_prefix = 128;
185 * Sanity check a client.
187 static int client_sane(RADCLIENT *client)
189 switch (client->ipaddr.af) {
191 if (client->prefix > 32) {
196 * Zero out the subnet bits.
198 if (client->prefix == 0) {
199 memset(&client->ipaddr.ipaddr.ip4addr, 0,
200 sizeof(client->ipaddr.ipaddr.ip4addr));
202 } else if (client->prefix < 32) {
205 mask <<= (32 - client->prefix);
206 client->ipaddr.ipaddr.ip4addr.s_addr &= htonl(mask);
211 if (client->prefix > 128) return 0;
213 if (client->prefix == 0) {
214 memset(&client->ipaddr.ipaddr.ip6addr, 0,
215 sizeof(client->ipaddr.ipaddr.ip6addr));
217 } else if (client->prefix < 128) {
219 uint32_t mask, *addr;
221 addr = (uint32_t *) &client->ipaddr.ipaddr.ip6addr;
223 for (i = client->prefix; i < 128; i += 32) {
225 mask <<= ((128 - i) & 0x1f);
226 addr[i / 32] &= mask;
240 * Add a client to the tree.
242 int client_add(RADCLIENT_LIST *clients, RADCLIENT *client)
249 * If "clients" is NULL, it means add to the global list.
253 * Initialize it, if not done already.
256 root_clients = clients_init();
257 if (!root_clients) return 0;
259 clients = root_clients;
262 if ((client->prefix < 0) || (client->prefix > 128)) {
266 if (!client_sane(client)) return 0;
269 * Create a tree for it.
271 if (!clients->trees[client->prefix]) {
272 clients->trees[client->prefix] = rbtree_create(client_ipaddr_cmp,
273 (void *) client_free, 0);
274 if (!clients->trees[client->prefix]) {
280 * Cannot insert the same client twice.
282 if (rbtree_find(clients->trees[client->prefix], client)) {
283 radlog(L_ERR, "Failed to add duplicate client %s",
289 * Other error adding client: likely is fatal.
291 if (!rbtree_insert(clients->trees[client->prefix], client)) {
297 tree_num = rbtree_create(client_num_cmp, NULL, 0);
302 * Catch clients added by rlm_sql.
305 client->auth = rad_malloc(sizeof(*client->auth));
306 memset(client->auth, 0, sizeof(*client->auth));
309 #ifdef WITH_ACCOUNTING
311 client->acct = rad_malloc(sizeof(*client->acct));
312 memset(client->acct, 0, sizeof(*client->acct));
316 #ifdef WITH_DYNAMIC_CLIENTS
318 * More catching of clients added by rlm_sql.
320 * The sql modules sets the dynamic flag BEFORE calling
321 * us. The client_create() function sets it AFTER
324 if (client->dynamic && (client->lifetime == 0)) {
328 * If there IS an enclosing network,
329 * inherit the lifetime from it.
331 network = client_find(clients, &client->ipaddr);
333 client->lifetime = network->lifetime;
338 client->number = tree_num_max;
340 if (tree_num) rbtree_insert(tree_num, client);
343 if (client->prefix < clients->min_prefix) {
344 clients->min_prefix = client->prefix;
351 #ifdef WITH_DYNAMIC_CLIENTS
352 void client_delete(RADCLIENT_LIST *clients, RADCLIENT *client)
354 if (!clients || !client) return;
356 rad_assert((client->prefix >= 0) && (client->prefix <= 128));
358 client->dynamic = 2; /* signal to client_free */
360 rbtree_deletebydata(tree_num, client);
361 rbtree_deletebydata(clients->trees[client->prefix], client);
367 * Find a client in the RADCLIENTS list by number.
368 * This is a support function for the statistics code.
370 RADCLIENT *client_findbynumber(const RADCLIENT_LIST *clients,
374 if (!clients) clients = root_clients;
376 if (!clients) return NULL;
378 if (number >= tree_num_max) return NULL;
383 myclient.number = number;
385 return rbtree_finddata(tree_num, &myclient);
388 clients = clients; /* -Wunused */
389 number = number; /* -Wunused */
396 * Find a client in the RADCLIENTS list.
398 RADCLIENT *client_find(const RADCLIENT_LIST *clients,
399 const fr_ipaddr_t *ipaddr)
404 if (!clients) clients = root_clients;
406 if (!clients || !ipaddr) return NULL;
408 switch (ipaddr->af) {
421 for (i = max_prefix; i >= clients->min_prefix; i--) {
425 myclient.ipaddr = *ipaddr;
426 client_sane(&myclient); /* clean up the ipaddress */
428 if (!clients->trees[i]) continue;
430 data = rbtree_finddata(clients->trees[i], &myclient);
441 * Old wrapper for client_find
443 RADCLIENT *client_find_old(const fr_ipaddr_t *ipaddr)
445 return client_find(root_clients, ipaddr);
448 static struct in_addr cl_ip4addr;
449 static struct in6_addr cl_ip6addr;
451 static const CONF_PARSER client_config[] = {
452 { "ipaddr", PW_TYPE_IPADDR,
453 0, &cl_ip4addr, NULL },
454 { "ipv6addr", PW_TYPE_IPV6ADDR,
455 0, &cl_ip6addr, NULL },
456 { "netmask", PW_TYPE_INTEGER,
457 offsetof(RADCLIENT, prefix), 0, NULL },
459 { "require_message_authenticator", PW_TYPE_BOOLEAN,
460 offsetof(RADCLIENT, message_authenticator), 0, "no" },
462 { "secret", PW_TYPE_STRING_PTR,
463 offsetof(RADCLIENT, secret), 0, NULL },
464 { "shortname", PW_TYPE_STRING_PTR,
465 offsetof(RADCLIENT, shortname), 0, NULL },
466 { "nastype", PW_TYPE_STRING_PTR,
467 offsetof(RADCLIENT, nastype), 0, NULL },
468 { "login", PW_TYPE_STRING_PTR,
469 offsetof(RADCLIENT, login), 0, NULL },
470 { "password", PW_TYPE_STRING_PTR,
471 offsetof(RADCLIENT, password), 0, NULL },
472 { "virtual_server", PW_TYPE_STRING_PTR,
473 offsetof(RADCLIENT, server), 0, NULL },
474 { "server", PW_TYPE_STRING_PTR, /* compatability with 2.0-pre */
475 offsetof(RADCLIENT, server), 0, NULL },
477 #ifdef WITH_DYNAMIC_CLIENTS
478 { "dynamic_clients", PW_TYPE_STRING_PTR,
479 offsetof(RADCLIENT, client_server), 0, NULL },
480 { "lifetime", PW_TYPE_INTEGER,
481 offsetof(RADCLIENT, lifetime), 0, NULL },
485 { "coa_server", PW_TYPE_STRING_PTR,
486 offsetof(RADCLIENT, coa_name), 0, NULL },
489 { NULL, -1, 0, NULL, NULL }
493 static RADCLIENT *client_parse(CONF_SECTION *cs, int in_server)
498 name2 = cf_section_name2(cs);
500 cf_log_err(cf_sectiontoitem(cs),
501 "Missing client name");
506 * The size is fine.. Let's create the buffer
508 c = rad_malloc(sizeof(*c));
509 memset(c, 0, sizeof(*c));
513 c->auth = rad_malloc(sizeof(*c->auth));
514 memset(c->auth, 0, sizeof(*c->auth));
516 #ifdef WITH_ACCOUNTING
517 c->acct = rad_malloc(sizeof(*c->acct));
518 memset(c->acct, 0, sizeof(*c->acct));
522 memset(&cl_ip4addr, 0, sizeof(cl_ip4addr));
523 memset(&cl_ip6addr, 0, sizeof(cl_ip6addr));
526 if (cf_section_parse(cs, c, client_config) < 0) {
528 cf_log_err(cf_sectiontoitem(cs),
529 "Error parsing client section.");
534 * Global clients can set servers to use,
535 * per-server clients cannot.
537 if (in_server && c->server) {
539 cf_log_err(cf_sectiontoitem(cs),
540 "Clients inside of an server section cannot point to a server.");
545 * No "ipaddr" or "ipv6addr", use old-style
546 * "client <ipaddr> {" syntax.
548 if (!cf_pair_find(cs, "ipaddr") &&
549 !cf_pair_find(cs, "ipv6addr")) {
552 prefix_ptr = strchr(name2, '/');
558 c->prefix = atoi(prefix_ptr + 1);
559 if ((c->prefix < 0) || (c->prefix > 128)) {
561 cf_log_err(cf_sectiontoitem(cs),
562 "Invalid Prefix value '%s' for IP.",
566 /* Replace '/' with '\0' */
571 * Always get the numeric representation of IP
573 if (ip_hton(name2, AF_UNSPEC, &c->ipaddr) < 0) {
575 cf_log_err(cf_sectiontoitem(cs),
576 "Failed to look up hostname %s: %s",
577 name2, fr_strerror());
581 if (prefix_ptr) *prefix_ptr = '/';
582 c->longname = strdup(name2);
584 if (!c->shortname) c->shortname = strdup(c->longname);
590 * Figure out which one to use.
592 if (cf_pair_find(cs, "ipaddr")) {
593 c->ipaddr.af = AF_INET;
594 c->ipaddr.ipaddr.ip4addr = cl_ip4addr;
596 if ((c->prefix < -1) || (c->prefix > 32)) {
598 cf_log_err(cf_sectiontoitem(cs),
599 "Netmask must be between 0 and 32");
603 } else if (cf_pair_find(cs, "ipv6addr")) {
604 c->ipaddr.af = AF_INET6;
605 c->ipaddr.ipaddr.ip6addr = cl_ip6addr;
607 if ((c->prefix < -1) || (c->prefix > 128)) {
609 cf_log_err(cf_sectiontoitem(cs),
610 "Netmask must be between 0 and 128");
614 cf_log_err(cf_sectiontoitem(cs),
615 "No IP address defined for the client");
620 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer));
621 c->longname = strdup(buffer);
624 * Set the short name to the name2
626 if (!c->shortname) c->shortname = strdup(name2);
629 if (c->prefix < 0) switch (c->ipaddr.af) {
640 #ifdef WITH_DYNAMIC_CLIENTS
641 if (c->client_server) {
643 c->secret = strdup("testing123");
645 if (((c->ipaddr.af == AF_INET) &&
646 (c->prefix == 32)) ||
647 ((c->ipaddr.af == AF_INET6) &&
648 (c->prefix == 128))) {
649 cf_log_err(cf_sectiontoitem(cs),
650 "Dynamic clients MUST be a network, not a single IP address.");
659 if (!c->secret || !*c->secret) {
661 const char *value = NULL;
662 CONF_PAIR *cp = cf_pair_find(cs, "dhcp");
664 if (cp) value = cf_pair_value(cp);
667 * Secrets aren't needed for DHCP.
669 if (value && (strcmp(value, "yes") == 0)) return c;
673 cf_log_err(cf_sectiontoitem(cs),
674 "secret must be at least 1 character long");
680 * Point the client to the home server pool, OR to the
681 * home server. This gets around the problem of figuring
682 * out which port to use.
685 c->coa_pool = home_pool_byname(c->coa_name, HOME_TYPE_COA);
687 c->coa_server = home_server_byname(c->coa_name);
689 if (!c->coa_server) {
691 cf_log_err(cf_sectiontoitem(cs), "No such home_server or home_server_pool \"%s\"", c->coa_name);
702 * Create the linked list of clients from the new configuration
703 * type. This way we don't have to change too much in the other
706 RADCLIENT_LIST *clients_parse_section(CONF_SECTION *section)
708 int global = FALSE, in_server = FALSE;
711 RADCLIENT_LIST *clients;
714 * Be forgiving. If there's already a clients, return
715 * it. Otherwise create a new one.
717 clients = cf_data_find(section, "clients");
718 if (clients) return clients;
720 clients = clients_init();
721 if (!clients) return NULL;
723 if (cf_top_section(section) == section) global = TRUE;
725 if (strcmp("server", cf_section_name1(section)) == 0) in_server = TRUE;
728 * Associate the clients structure with the section, where
729 * it will be freed once the section is freed.
731 if (cf_data_add(section, "clients", clients, (void *) clients_free) < 0) {
732 cf_log_err(cf_sectiontoitem(section),
733 "Failed to associate clients with section %s",
734 cf_section_name1(section));
735 clients_free(clients);
739 for (cs = cf_subsection_find_next(section, NULL, "client");
741 cs = cf_subsection_find_next(section, cs, "client")) {
742 c = client_parse(cs, in_server);
748 * FIXME: Add the client as data via cf_data_add,
749 * for migration issues.
752 #ifdef WITH_DYNAMIC_CLIENTS
754 if (c->client_server) {
759 struct stat stat_buf;
763 * Find the directory where individual
764 * client definitions are stored.
766 cp = cf_pair_find(cs, "directory");
767 if (!cp) goto add_client;
769 value = cf_pair_value(cp);
771 cf_log_err(cf_sectiontoitem(cs),
772 "The \"directory\" entry must not be empty");
777 DEBUG("including dynamic clients in %s", value);
779 dir = opendir(value);
781 cf_log_err(cf_sectiontoitem(cs), "Error reading directory %s: %s", value, strerror(errno));
787 * Read the directory, ignoring "." files.
789 while ((dp = readdir(dir)) != NULL) {
793 if (dp->d_name[0] == '.') continue;
796 * Check for valid characters
798 for (p = dp->d_name; *p != '\0'; p++) {
799 if (isalpha((int)*p) ||
802 (*p == '.')) continue;
805 if (*p != '\0') continue;
807 snprintf(buf2, sizeof(buf2), "%s/%s",
810 if ((stat(buf2, &stat_buf) != 0) ||
811 S_ISDIR(stat_buf.st_mode)) continue;
813 dc = client_read(buf2, in_server, TRUE);
815 cf_log_err(cf_sectiontoitem(cs),
816 "Failed reading client file \"%s\"", buf2);
822 * Validate, and add to the list.
824 if (!client_validate(clients, c, dc)) {
829 } /* loop over the directory */
831 #endif /* HAVE_DIRENT_H */
832 #endif /* WITH_DYNAMIC_CLIENTS */
835 if (!client_add(clients, c)) {
836 cf_log_err(cf_sectiontoitem(cs),
837 "Failed to add client %s",
838 cf_section_name2(cs));
846 * Replace the global list of clients with the new one.
847 * The old one is still referenced from the original
848 * configuration, and will be freed when that is freed.
851 root_clients = clients;
857 #ifdef WITH_DYNAMIC_CLIENTS
859 * We overload this structure a lot.
861 static const CONF_PARSER dynamic_config[] = {
862 { "FreeRADIUS-Client-IP-Address", PW_TYPE_IPADDR,
863 offsetof(RADCLIENT, ipaddr), 0, NULL },
864 { "FreeRADIUS-Client-IPv6-Address", PW_TYPE_IPV6ADDR,
865 offsetof(RADCLIENT, ipaddr), 0, NULL },
867 { "FreeRADIUS-Client-Require-MA", PW_TYPE_BOOLEAN,
868 offsetof(RADCLIENT, message_authenticator), NULL, NULL },
870 { "FreeRADIUS-Client-Secret", PW_TYPE_STRING_PTR,
871 offsetof(RADCLIENT, secret), 0, "" },
872 { "FreeRADIUS-Client-Shortname", PW_TYPE_STRING_PTR,
873 offsetof(RADCLIENT, shortname), 0, "" },
874 { "FreeRADIUS-Client-NAS-Type", PW_TYPE_STRING_PTR,
875 offsetof(RADCLIENT, nastype), 0, NULL },
876 { "FreeRADIUS-Client-Virtual-Server", PW_TYPE_STRING_PTR,
877 offsetof(RADCLIENT, server), 0, NULL },
879 { NULL, -1, 0, NULL, NULL }
883 int client_validate(RADCLIENT_LIST *clients, RADCLIENT *master, RADCLIENT *c)
888 * No virtual server defined. Inherit the parent's
891 if (master->server && !c->server) {
892 c->server = strdup(master->server);
896 * If the client network isn't global (not tied to a
897 * virtual server), then ensure that this clients server
898 * is the same as the enclosing networks virtual server.
900 if (master->server &&
901 (strcmp(master->server, c->server) != 0)) {
902 DEBUG("- Cannot add client %s: Virtual server %s is not the same as the virtual server for the network.",
904 buffer, sizeof(buffer)),
910 if (!client_add(clients, c)) {
911 DEBUG("- Cannot add client %s: Internal error",
913 buffer, sizeof(buffer)));
919 * Initialize the remaining fields.
922 c->lifetime = master->lifetime;
923 c->created = time(NULL);
924 c->longname = strdup(c->shortname);
926 DEBUG("- Added client %s with shared secret %s",
927 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer)),
938 RADCLIENT *client_create(RADCLIENT_LIST *clients, REQUEST *request)
945 if (!clients || !request) return NULL;
947 c = rad_malloc(sizeof(*c));
948 memset(c, 0, sizeof(*c));
949 c->cs = request->client->cs;
950 c->ipaddr.af = AF_UNSPEC;
952 for (i = 0; dynamic_config[i].name != NULL; i++) {
956 da = dict_attrbyname(dynamic_config[i].name);
958 DEBUG("- Cannot add client %s: attribute \"%s\"is not in the dictionary",
959 ip_ntoh(&request->packet->src_ipaddr,
960 buffer, sizeof(buffer)),
961 dynamic_config[i].name);
967 vp = pairfind(request->config_items, da->attr);
970 * Not required. Skip it.
972 if (!dynamic_config[i].dflt) continue;
974 DEBUG("- Cannot add client %s: Required attribute \"%s\" is missing.",
975 ip_ntoh(&request->packet->src_ipaddr,
976 buffer, sizeof(buffer)),
977 dynamic_config[i].name);
981 switch (dynamic_config[i].type) {
983 c->ipaddr.af = AF_INET;
984 c->ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
988 case PW_TYPE_IPV6ADDR:
989 c->ipaddr.af = AF_INET6;
990 c->ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
994 case PW_TYPE_STRING_PTR:
995 p = (char **) ((char *) c + dynamic_config[i].offset);
997 *p = strdup(vp->vp_strvalue);
1000 case PW_TYPE_BOOLEAN:
1001 pi = (int *) ((char *) c + dynamic_config[i].offset);
1002 *pi = vp->vp_integer;
1010 if (c->ipaddr.af == AF_UNSPEC) {
1011 DEBUG("- Cannot add client %s: No IP address was specified.",
1012 ip_ntoh(&request->packet->src_ipaddr,
1013 buffer, sizeof(buffer)));
1018 if (fr_ipaddr_cmp(&request->packet->src_ipaddr, &c->ipaddr) != 0) {
1021 DEBUG("- Cannot add client %s: IP address %s do not match",
1022 ip_ntoh(&request->packet->src_ipaddr,
1023 buffer, sizeof(buffer)),
1025 buf2, sizeof(buf2)));
1029 if (!client_validate(clients, request->client, c)) {
1037 * Read a client definition from the given filename.
1039 RADCLIENT *client_read(const char *filename, int in_server, int flag)
1046 if (!filename) return NULL;
1048 cs = cf_file_read(filename);
1049 if (!cs) return NULL;
1051 c = client_parse(cf_section_sub_find(cs, "client"), in_server);
1053 p = strrchr(filename, FR_DIR_SEP);
1060 if (!flag) return c;
1063 * Additional validations
1065 ip_ntoh(&c->ipaddr, buffer, sizeof(buffer));
1066 if (strcmp(p, buffer) != 0) {
1067 DEBUG("Invalid client definition in %s: IP address %s does not match name %s", filename, buffer, p);