6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2001-2012 The FreeRADIUS server project
21 * Copyright 2012 Matthew Newton <matthew@newtoncomputing.co.uk>
22 * Copyright 2001 Kostas Kalevras <kkalev@noc.ntua.gr>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
33 #include "../../include/md5.h"
34 #include "../../include/sha1.h"
39 * Define a structure for our module configuration.
41 * These variables do not need to be in a structure, but it's
42 * a lot cleaner to do so, and a pointer to the structure can
43 * be used as the instance handle.
45 typedef struct rlm_pap_t {
46 const char *name; /* CONF_SECTION->name, not strdup'd */
52 * A mapping of configuration file names to internal variables.
54 * Note that the string is dynamically allocated, so it MUST
55 * be freed. When the configuration file parse re-reads the string,
56 * it free's the old one, and strdup's the new one, placing the pointer
57 * to the strdup'd string into 'config.string'. This gets around
60 static const CONF_PARSER module_config[] = {
61 { "auto_header", PW_TYPE_BOOLEAN, offsetof(rlm_pap_t,auto_header), NULL, "no" },
62 { NULL, -1, 0, NULL, NULL }
67 * For auto-header discovery.
69 static const FR_NAME_NUMBER header_names[] = {
70 { "{clear}", PW_CLEARTEXT_PASSWORD },
71 { "{cleartext}", PW_CLEARTEXT_PASSWORD },
72 { "{md5}", PW_MD5_PASSWORD },
73 { "{BASE64_MD5}", PW_MD5_PASSWORD },
74 { "{smd5}", PW_SMD5_PASSWORD },
75 { "{crypt}", PW_CRYPT_PASSWORD },
76 { "{sha}", PW_SHA_PASSWORD },
77 { "{ssha}", PW_SSHA_PASSWORD },
78 { "{nt}", PW_NT_PASSWORD },
79 { "{nthash}", PW_NT_PASSWORD },
80 { "{x-nthash}", PW_NT_PASSWORD },
81 { "{ns-mta-md5}", PW_NS_MTA_MD5_PASSWORD },
82 { "{x- orcllmv}", PW_LM_PASSWORD },
83 { "{X- ORCLNTV}", PW_NT_PASSWORD },
88 static int pap_detach(void *instance)
90 rlm_pap_t *inst = (rlm_pap_t *) instance;
98 static int pap_instantiate(CONF_SECTION *conf, void **instance)
104 * Set up a storage area for instance data
106 inst = rad_malloc(sizeof(*inst));
110 memset(inst, 0, sizeof(*inst));
113 * If the configuration parameters can't be parsed, then
116 if (cf_section_parse(conf, inst, module_config) < 0) {
121 inst->name = cf_section_name2(conf);
123 inst->name = cf_section_name1(conf);
126 dval = dict_valbyname(PW_AUTH_TYPE, 0, inst->name);
128 inst->auth_type = dval->value;
140 * Decode one base64 chunk
142 static int decode_it(const char *src, uint8_t *dst)
147 for(i = 0; i < 4; i++) {
148 if (src[i] >= 'A' && src[i] <= 'Z')
149 x = (x << 6) + (unsigned int)(src[i] - 'A' + 0);
150 else if (src[i] >= 'a' && src[i] <= 'z')
151 x = (x << 6) + (unsigned int)(src[i] - 'a' + 26);
152 else if(src[i] >= '0' && src[i] <= '9')
153 x = (x << 6) + (unsigned int)(src[i] - '0' + 52);
154 else if(src[i] == '+')
156 else if (src[i] == '/')
158 else if (src[i] == '=')
163 dst[2] = (unsigned char)(x & 255); x >>= 8;
164 dst[1] = (unsigned char)(x & 255); x >>= 8;
165 dst[0] = (unsigned char)(x & 255);
174 static int base64_decode (const char *src, uint8_t *dst)
181 while (src[length] && src[length] != '=') length++;
183 while (src[length + equals] == '=') equals++;
185 num = (length + equals) / 4;
187 for (i = 0; i < num - 1; i++) {
188 if (!decode_it(src, dst)) return 0;
193 decode_it(src, last);
194 for (i = 0; i < (3 - equals); i++) {
198 return (num * 3) - equals;
203 * Hex or base64 or bin auto-discovery.
205 static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
210 if (min_length >= sizeof(buffer)) return; /* paranoia */
215 if (vp->length >= (2 * min_length)) {
216 decoded = fr_hex2bin(vp->vp_strvalue, buffer, vp->length >> 1);
217 if (decoded == (vp->length >> 1)) {
218 RDEBUG2("Normalizing %s from hex encoding", vp->name);
219 memcpy(vp->vp_octets, buffer, decoded);
220 vp->length = decoded;
226 * Base 64 encoding. It's at least 4/3 the original size,
227 * and we want to avoid division...
229 if ((vp->length * 3) >= ((min_length * 4))) {
230 decoded = base64_decode(vp->vp_strvalue, buffer);
231 if (decoded >= min_length) {
232 RDEBUG2("Normalizing %s from base64 encoding", vp->name);
233 memcpy(vp->vp_octets, buffer, decoded);
234 vp->length = decoded;
240 * Else unknown encoding, or already binary. Leave it.
246 * Authorize the user for PAP authentication.
248 * This isn't strictly necessary, but it does make the
249 * server simpler to configure.
251 static int pap_authorize(void *instance, REQUEST *request)
253 rlm_pap_t *inst = instance;
254 int auth_type = FALSE;
255 int found_pw = FALSE;
256 VALUE_PAIR *vp, *next;
258 for (vp = request->config_items; vp != NULL; vp = next) {
261 switch (vp->attribute) {
262 case PW_USER_PASSWORD: /* deprecated */
263 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
264 RDEBUG("!!! Please update your configuration so that the \"known !!!");
265 RDEBUG("!!! good\" clear text password is in Cleartext-Password, !!!");
266 RDEBUG("!!! and NOT in User-Password. !!!");
267 RDEBUG("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
270 case PW_PASSWORD_WITH_HEADER: /* preferred */
281 p = strchr(q + 1, '}');
286 * Password already exists: use
287 * that instead of this one.
289 if (pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0)) {
290 RDEBUG("Config already contains \"known good\" password. Ignoring Password-With-Header");
295 * If it's binary, it may be
296 * base64 encoded. Decode it,
297 * and re-write the attribute to
298 * have the decoded value.
300 decoded = base64_decode(vp->vp_strvalue, binbuf);
301 if ((decoded > 0) && (binbuf[0] == '{') &&
302 (memchr(binbuf, '}', decoded) != NULL)) {
303 memcpy(vp->vp_octets, binbuf, decoded);
304 vp->length = decoded;
308 RDEBUG("Failed to decode Password-With-Header = \"%s\"", vp->vp_strvalue);
312 if ((size_t) (p - q) > sizeof(charbuf)) break;
314 memcpy(charbuf, q, p - q + 1);
315 charbuf[p - q + 1] = '\0';
317 attr = fr_str2int(header_names, charbuf, 0);
319 RDEBUG2("Found unknown header {%s}: Not doing anything", charbuf);
323 new_vp = radius_paircreate(request,
324 &request->config_items,
325 attr, 0, PW_TYPE_STRING);
328 * The data after the '}' may be binary,
329 * so we copy it via memcpy.
331 new_vp->length = vp->length;
332 new_vp->length -= (p - q + 1);
333 memcpy(new_vp->vp_strvalue, p + 1, new_vp->length);
337 case PW_CLEARTEXT_PASSWORD:
338 case PW_CRYPT_PASSWORD:
339 case PW_NS_MTA_MD5_PASSWORD:
341 break; /* don't touch these */
343 case PW_MD5_PASSWORD:
344 case PW_SMD5_PASSWORD:
347 normify(request, vp, 16); /* ensure it's in the right format */
351 case PW_SHA_PASSWORD:
352 case PW_SSHA_PASSWORD:
353 normify(request, vp, 20); /* ensure it's in the right format */
358 * If it's proxied somewhere, don't complain
359 * about not having passwords or Auth-Type.
361 case PW_PROXY_TO_REALM:
363 REALM *realm = realm_find(vp->vp_strvalue);
364 if (realm && realm->auth_pool) {
365 return RLM_MODULE_NOOP;
374 * Auth-Type := Accept
375 * Auth-Type := Reject
377 if ((vp->vp_integer == 254) ||
378 (vp->vp_integer == 4)) {
384 break; /* ignore it */
390 * Print helpful warnings if there was no password.
394 * Likely going to be proxied. Avoid printing
397 if (pairfind(request->config_items, PW_REALM, 0) ||
398 (pairfind(request->config_items, PW_PROXY_TO_REALM, 0))) {
399 return RLM_MODULE_NOOP;
403 * The TLS types don't need passwords.
405 vp = pairfind(request->packet->vps, PW_EAP_TYPE, 0);
407 ((vp->vp_integer == 13) || /* EAP-TLS */
408 (vp->vp_integer == 21) || /* EAP-TTLS */
409 (vp->vp_integer == 25))) { /* PEAP */
410 return RLM_MODULE_NOOP;
413 RDEBUG("WARNING! No \"known good\" password found for the user. Authentication may fail because of this.");
414 return RLM_MODULE_NOOP;
418 * Don't touch existing Auth-Types.
421 RDEBUG2("WARNING: Auth-Type already set. Not setting to PAP");
422 return RLM_MODULE_NOOP;
426 * Can't do PAP if there's no password.
428 if (!request->password ||
429 (request->password->attribute != PW_USER_PASSWORD)) {
431 * Don't print out debugging messages if we know
434 if (request->packet->code == PW_ACCESS_CHALLENGE) {
435 return RLM_MODULE_NOOP;
438 RDEBUG2("No clear-text password in the request. Not performing PAP.");
439 return RLM_MODULE_NOOP;
442 if (inst->auth_type) {
443 vp = radius_paircreate(request, &request->config_items,
444 PW_AUTH_TYPE, 0, PW_TYPE_INTEGER);
445 vp->vp_integer = inst->auth_type;
448 return RLM_MODULE_UPDATED;
453 * Authenticate the user via one of any well-known password.
455 static int pap_authenticate(void *instance, REQUEST *request)
458 VALUE_PAIR *module_fmsg_vp;
459 char module_fmsg[MAX_STRING_LEN];
460 int rc = RLM_MODULE_INVALID;
461 int (*auth_func)(REQUEST *, VALUE_PAIR *, char *) = NULL;
463 /* Shut the compiler up */
466 if (!request->password ||
467 (request->password->attribute != PW_USER_PASSWORD)) {
468 RDEBUG("ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!");
469 return RLM_MODULE_INVALID;
473 * The user MUST supply a non-zero-length password.
475 if (request->password->length == 0) {
476 snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: empty password supplied");
477 module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
478 pairadd(&request->packet->vps, module_fmsg_vp);
479 return RLM_MODULE_INVALID;
482 RDEBUG("login attempt with password \"%s\"", request->password->vp_strvalue);
485 * Auto-detect passwords, by attribute in the
486 * config items, to find out which authentication
489 for (vp = request->config_items; vp != NULL; vp = vp->next) {
490 switch (vp->attribute) {
491 case PW_CLEARTEXT_PASSWORD:
492 auth_func = &pap_auth_clear;
495 case PW_CRYPT_PASSWORD:
496 auth_func = &pap_auth_crypt;
499 case PW_MD5_PASSWORD:
500 auth_func = &pap_auth_md5;
503 case PW_SMD5_PASSWORD:
504 auth_func = &pap_auth_smd5;
507 case PW_SHA_PASSWORD:
508 auth_func = &pap_auth_sha;
511 case PW_SSHA_PASSWORD:
512 auth_func = &pap_auth_ssha;
516 auth_func = &pap_auth_nt;
520 auth_func = &pap_auth_lm;
523 case PW_NS_MTA_MD5_PASSWORD:
524 auth_func = &pap_auth_ns_mta_md5;
531 if (auth_func != NULL) break;
535 * No attribute was found that looked like a password to match.
537 if (auth_func == NULL) {
538 RDEBUG("No password configured for the user. Cannot do authentication");
539 return RLM_MODULE_FAIL;
543 * Authenticate, and return.
545 rc = auth_func(request, vp, module_fmsg);
547 if (rc == RLM_MODULE_REJECT) {
548 RDEBUG("Passwords don't match");
549 module_fmsg_vp = pairmake("Module-Failure-Message",
550 module_fmsg, T_OP_EQ);
551 pairadd(&request->packet->vps, module_fmsg_vp);
554 if (rc == RLM_MODULE_OK) {
555 RDEBUG("User authenticated successfully");
563 * PAP authentication functions
566 static int pap_auth_clear(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
568 RDEBUG("Using clear text password \"%s\"", vp->vp_strvalue);
570 if ((vp->length != request->password->length) ||
571 (rad_digest_cmp(vp->vp_octets,
572 request->password->vp_octets,
574 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
575 "rlm_pap: CLEAR TEXT password check failed");
576 return RLM_MODULE_REJECT;
578 return RLM_MODULE_OK;
581 static int pap_auth_crypt(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
583 RDEBUG("Using CRYPT password \"%s\"", vp->vp_strvalue);
585 if (fr_crypt_check(request->password->vp_strvalue,
586 vp->vp_strvalue) != 0) {
587 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
588 "rlm_pap: CRYPT password check failed");
589 return RLM_MODULE_REJECT;
591 return RLM_MODULE_OK;
594 static int pap_auth_md5(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
596 FR_MD5_CTX md5_context;
599 RDEBUG("Using MD5 encryption.");
601 normify(request, vp, 16);
602 if (vp->length != 16) {
603 RDEBUG("Configured MD5 password has incorrect length");
604 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
605 "rlm_pap: Configured MD5 password has incorrect length");
606 return RLM_MODULE_REJECT;
609 fr_MD5Init(&md5_context);
610 fr_MD5Update(&md5_context, request->password->vp_octets,
611 request->password->length);
612 fr_MD5Final(binbuf, &md5_context);
614 if (rad_digest_cmp(binbuf, vp->vp_octets, vp->length) != 0) {
615 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
616 "rlm_pap: MD5 password check failed");
617 return RLM_MODULE_REJECT;
620 return RLM_MODULE_OK;
624 static int pap_auth_smd5(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
626 FR_MD5_CTX md5_context;
629 RDEBUG("Using SMD5 encryption.");
631 normify(request, vp, 16);
632 if (vp->length <= 16) {
633 RDEBUG("Configured SMD5 password has incorrect length");
634 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
635 "rlm_pap: Configured SMD5 password has incorrect length");
636 return RLM_MODULE_REJECT;
639 fr_MD5Init(&md5_context);
640 fr_MD5Update(&md5_context, request->password->vp_octets,
641 request->password->length);
642 fr_MD5Update(&md5_context, &vp->vp_octets[16], vp->length - 16);
643 fr_MD5Final(binbuf, &md5_context);
646 * Compare only the MD5 hash results, not the salt.
648 if (rad_digest_cmp(binbuf, vp->vp_octets, 16) != 0) {
649 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
650 "rlm_pap: SMD5 password check failed");
651 return RLM_MODULE_REJECT;
654 return RLM_MODULE_OK;
657 static int pap_auth_sha(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
659 fr_SHA1_CTX sha1_context;
662 RDEBUG("Using SHA1 encryption.");
664 normify(request, vp, 20);
665 if (vp->length != 20) {
666 RDEBUG("Configured SHA1 password has incorrect length");
667 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
668 "rlm_pap: Configured SHA1 password has incorrect length");
669 return RLM_MODULE_REJECT;
672 fr_SHA1Init(&sha1_context);
673 fr_SHA1Update(&sha1_context, request->password->vp_octets,
674 request->password->length);
675 fr_SHA1Final(binbuf,&sha1_context);
677 if (rad_digest_cmp(binbuf, vp->vp_octets, vp->length) != 0) {
678 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
679 "rlm_pap: SHA1 password check failed");
680 return RLM_MODULE_REJECT;
683 return RLM_MODULE_OK;
686 static int pap_auth_ssha(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
688 fr_SHA1_CTX sha1_context;
691 RDEBUG("Using SSHA encryption.");
693 normify(request, vp, 20);
694 if (vp->length <= 20) {
695 RDEBUG("Configured SSHA password has incorrect length");
696 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
697 "rlm_pap: Configured SHA password has incorrect length");
698 return RLM_MODULE_REJECT;
701 fr_SHA1Init(&sha1_context);
702 fr_SHA1Update(&sha1_context, request->password->vp_octets,
703 request->password->length);
704 fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20);
705 fr_SHA1Final(binbuf,&sha1_context);
707 if (rad_digest_cmp(binbuf, vp->vp_octets, 20) != 0) {
708 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
709 "rlm_pap: SSHA password check failed");
710 return RLM_MODULE_REJECT;
713 return RLM_MODULE_OK;
716 static int pap_auth_nt(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
720 char buff2[MAX_STRING_LEN + 50];
722 RDEBUG("Using NT encryption.");
724 normify(request, vp, 16);
725 if (vp->length != 16) {
726 RDEBUG("Configured NT-Password has incorrect length");
727 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
728 "rlm_pap: Configured NT-Password has incorrect length");
729 return RLM_MODULE_REJECT;
732 strlcpy(buff2, "%{mschap:NT-Hash %{User-Password}}", sizeof(buff2));
733 if (!radius_xlat(charbuf, sizeof(charbuf),buff2,request,NULL)){
734 RDEBUG("mschap xlat failed");
735 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
736 "rlm_pap: mschap xlat failed");
737 return RLM_MODULE_REJECT;
740 if ((fr_hex2bin(charbuf, binbuf, 16) != vp->length) ||
741 (rad_digest_cmp(binbuf, vp->vp_octets, vp->length) != 0)) {
742 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
743 "rlm_pap: NT password check failed");
744 return RLM_MODULE_REJECT;
747 return RLM_MODULE_OK;
751 static int pap_auth_lm(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
755 char buff2[MAX_STRING_LEN + 50];
757 RDEBUG("Using LM encryption.");
759 normify(request, vp, 16);
760 if (vp->length != 16) {
761 RDEBUG("Configured LM-Password has incorrect length");
762 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
763 "rlm_pap: Configured LM-Password has incorrect length");
764 return RLM_MODULE_REJECT;
767 strlcpy(buff2, "%{mschap:LM-Hash %{User-Password}}", sizeof(buff2));
768 if (!radius_xlat(charbuf,sizeof(charbuf),buff2,request,NULL)){
769 RDEBUG("mschap xlat failed");
770 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
771 "rlm_pap: mschap xlat failed");
772 return RLM_MODULE_REJECT;
775 if ((fr_hex2bin(charbuf, binbuf, 16) != vp->length) ||
776 (rad_digest_cmp(binbuf, vp->vp_octets, vp->length) != 0)) {
777 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
778 "rlm_pap: LM password check failed");
779 return RLM_MODULE_REJECT;
782 return RLM_MODULE_OK;
785 static int pap_auth_ns_mta_md5(REQUEST *request, VALUE_PAIR *vp, char *fmsg)
787 FR_MD5_CTX md5_context;
789 uint8_t buff[MAX_STRING_LEN];
790 char buff2[MAX_STRING_LEN + 50];
792 RDEBUG("Using NT-MTA-MD5 password");
794 if (vp->length != 64) {
795 RDEBUG("Configured NS-MTA-MD5-Password has incorrect length");
796 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
797 "rlm_pap: Configured NS-MTA-MD5-Password has incorrect length");
798 return RLM_MODULE_REJECT;
802 * Sanity check the value of NS-MTA-MD5-Password
804 if (fr_hex2bin(vp->vp_strvalue, binbuf, 32) != 16) {
805 RDEBUG("Configured NS-MTA-MD5-Password has invalid value");
806 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
807 "rlm_pap: Configured NS-MTA-MD5-Password has invalid value");
808 return RLM_MODULE_REJECT;
812 * Ensure we don't have buffer overflows.
814 * This really: sizeof(buff) - 2 - 2*32 - strlen(passwd)
816 if (strlen(request->password->vp_strvalue) >= (sizeof(buff) - 2 - 2 * 32)) {
817 RDEBUG("Configured password is too long");
818 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
819 "rlm_pap: password is too long");
820 return RLM_MODULE_REJECT;
824 * Set up the algorithm.
829 memcpy(p, &vp->vp_octets[32], 32);
832 strcpy(p, request->password->vp_strvalue);
835 memcpy(p, &vp->vp_octets[32], 32);
838 fr_MD5Init(&md5_context);
839 fr_MD5Update(&md5_context, (uint8_t *) buff2, p - buff2);
840 fr_MD5Final(buff, &md5_context);
843 if (rad_digest_cmp(binbuf, buff, 16) != 0) {
844 snprintf(fmsg, sizeof(char[MAX_STRING_LEN]),
845 "rlm_pap: NS-MTA-MD5 password check failed");
846 return RLM_MODULE_REJECT;
849 return RLM_MODULE_OK;
853 * The module name should be the only globally exported symbol.
854 * That is, everything else should be 'static'.
856 * If the module needs to temporarily modify it's instantiation
857 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
858 * The server will then take care of ensuring that the module
859 * is single-threaded.
864 RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE, /* type */
865 pap_instantiate, /* instantiation */
866 pap_detach, /* detach */
868 pap_authenticate, /* authentication */
869 pap_authorize, /* authorization */
870 NULL, /* preaccounting */
871 NULL, /* accounting */
872 NULL, /* checksimul */
873 NULL, /* pre-proxy */
874 NULL, /* post-proxy */