void pairmove(VALUE_PAIR **to, VALUE_PAIR **from);
void pairmove2(VALUE_PAIR **to, VALUE_PAIR **from, unsigned int attr, unsigned int vendor, int8_t tag);
int pairparsevalue(VALUE_PAIR *vp, const char *value);
-VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op);
+VALUE_PAIR *pairmake(TALLOC_CTX *ctx, VALUE_PAIR **vps, const char *attribute, const char *value, FR_TOKEN op);
int pairmark_xlat(VALUE_PAIR *vp, const char *value);
FR_TOKEN pairread(const char **ptr, VALUE_PAIR_RAW *raw);
FR_TOKEN userparse(const char *buffer, VALUE_PAIR **head);
int radius_find_compare(unsigned int attribute);
VALUE_PAIR *radius_paircreate(REQUEST *request, VALUE_PAIR **vps,
unsigned int attribute, unsigned int vendor);
-VALUE_PAIR *radius_pairmake(REQUEST *request, VALUE_PAIR **vps,
- const char *attribute, const char *value,
- FR_TOKEN op);
void module_failure_msg(REQUEST *request, const char *fmt, ...);
+/*
+ * Less code == less bugs
+ */
+#define pairmake_packet(_a, _b, _c) pairmake(request->packet, &request->packet->vps, _a, _b, _c)
+#define pairmake_reply(_a, _b, _c) pairmake(request->reply, &request->reply->vps, _a, _b, _c)
+#define pairmake_config(_a, _b, _c) pairmake(request, &request->config_items, _a, _b, _c)
+
/* xlat.c */
typedef size_t (*RADIUS_ESCAPE_STRING)(REQUEST *, char *out, size_t outlen, const char *in, void *arg);
extern "C" {
#endif
- int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigned int data_len);
+int soh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len);
uint16_t soh_pull_be_16(const uint8_t *p);
uint32_t soh_pull_be_24(const uint8_t *p);
uint32_t soh_pull_be_32(const uint8_t *p);
* Loop over all of the entries, building VPs
*/
for (i = 0; i < num_entries; i++) {
- vp = pairmake(da->name, NULL, T_OP_ADD);
+ vp = pairmake(packet, NULL, da->name, NULL, T_OP_ADD);
if (!vp) {
fr_strerror_printf("Cannot build attribute %s",
fr_strerror());
* Decode the header.
*/
for (i = 0; i < 14; i++) {
- vp = pairmake(dhcp_header_names[i], NULL, T_OP_EQ);
+ vp = pairmake(packet, NULL, dhcp_header_names[i], NULL, T_OP_EQ);
if (!vp) {
char buffer[256];
strlcpy(buffer, fr_strerror(), sizeof(buffer));
p = packet->data;
for (i = 0; i < 14; i++) {
- vp = pairmake(dhcp_header_names[i], NULL, T_OP_EQ);
+ vp = pairmake(packet, NULL,
+ dhcp_header_names[i], NULL, T_OP_EQ);
if (!vp) {
char buffer[256];
strlcpy(buffer, fr_strerror(), sizeof(buffer));
* @param op to assign to new valuepair.
* @return new valuepair or NULL on error.
*/
-static VALUE_PAIR *pairmake_any(const char *attribute, const char *value,
+static VALUE_PAIR *pairmake_any(TALLOC_CTX *ctx,
+ const char *attribute, const char *value,
FR_TOKEN op)
{
VALUE_PAIR *vp;
* it. This next stop also looks the attribute up in the
* dictionary, and creates the appropriate type for it.
*/
- vp = pairalloc(NULL, da);
- if (!vp) {
- return NULL;
- }
+ vp = pairalloc(ctx, da);
+ if (!vp) return NULL;
vp->op = (op == 0) ? T_OP_EQ : op;
* @param[in] op to assign to new VALUE_PAIR.
* @return a new VALUE_PAIR.
*/
-VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op)
+VALUE_PAIR *pairmake(TALLOC_CTX *ctx, VALUE_PAIR **vps,
+ const char *attribute, const char *value, FR_TOKEN op)
{
const DICT_ATTR *da;
VALUE_PAIR *vp;
*/
da = dict_attrbyname(attrname);
if (!da) {
- return pairmake_any(attrname, value, op);
- }
-
- vp = pairalloc(NULL, da);
- if (!vp) {
- return NULL;
+ vp = pairmake_any(ctx, attrname, value, op);
+ if (vp) pairadd(vps, vp);
+ return vp;
}
- vp->op = (op == 0) ? T_OP_EQ : op;
-
/* Check for a tag in the 'Merit' format of:
* :Tag:Value. Print an error if we already found
* a tag in the Attribute.
value, vp->da->name);
DEBUG("Duplicate tag %s for attribute %s\n",
value, vp->da->name);
- pairbasicfree(vp);
return NULL;
}
/* Colon found and attribute allows a tag */
value = tc + 1;
else tag = 0;
}
- found_tag = 1;
}
- if (found_tag) {
- vp->tag = tag;
+ vp = pairalloc(ctx, da);
+ if (!vp) {
+ return NULL;
}
+ vp->op = (op == 0) ? T_OP_EQ : op;
+ vp->tag = tag;
+
switch (vp->op) {
default:
break;
- /*
- * For =* and !* operators, the value is irrelevant
- * so we return now.
- */
case T_OP_CMP_TRUE:
case T_OP_CMP_FALSE:
vp->vp_strvalue[0] = '\0';
vp->length = 0;
- return vp;
+ value = NULL; /* ignore it! */
break;
/*
return NULL;
#else
- if (!value) {
- /*
- * Just return the vp.
- *
- * The value will likely be provided later by
- * an xlat expansion.
- */
- return vp;
- }
+
+ /*
+ * Someone else will fill in the value.
+ */
+ if (!value) break;
pairbasicfree(vp);
}
}
- vp = pairmake(attribute, NULL, op);
- if (!vp) {
- return NULL;
- }
+ vp = pairmake(ctx, NULL, attribute, NULL, op);
+ if (!vp) return NULL;
if (pairmark_xlat(vp, value) < 0) {
pairbasicfree(vp);
return NULL;
}
-
- return vp;
+
+ value = NULL; /* ignore it */
+ break;
#endif
}
return NULL;
}
+ if (vps) pairadd(vps, vp);
return vp;
}
last_token = pairread(&p, &raw);
if (last_token == T_OP_INVALID) break;
- vp = pairmake(raw.l_opand, raw.r_opand, raw.op);
+ vp = pairmake(NULL, NULL, raw.l_opand, raw.r_opand, raw.op);
if (!vp) break;
if (raw.quote == T_DOUBLE_QUOTED_STRING) {
* Remove ALL reply attributes.
*/
pairfree(&request->reply->vps);
- radius_pairmake(request, &request->reply->vps,
- "Reply-Message",
- user_msg, T_OP_SET);
+ pairmake_reply("Reply-Message",
+ user_msg, T_OP_SET);
snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s",
check_item->vp_integer,
if (request->reply->code == PW_AUTHENTICATION_REJECT) {
pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
- vp = radius_pairmake(request, &request->config_items,
- "Post-Auth-Type", "Reject",
- T_OP_SET);
+ vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
if (vp) rad_postauth(request);
}
}
}
- if (buffer[0]) {
- radlog(L_ERR, "%s", buffer);
-
- if (request) {
- VALUE_PAIR *vp;
-
- vp = pairmake("Module-Failure-Message", buffer, T_OP_ADD);
- if (vp) pairadd(&request->packet->vps, vp);
- }
+ if (buffer[0] && request) {
+ RDEBUGE("SSL says: %s", buffer);
}
}
(pair->value_type == T_BACK_QUOTED_STRING))) {
VALUE_PAIR *vp;
- vp = pairmake(pair->attr, NULL, pair->op);
+ vp = pairmake(pair, NULL, pair->attr, NULL, pair->op);
if (!vp) {
return NULL;
}
return vp;
}
- return pairmake(pair->attr, pair->value, pair->op);
+ return pairmake(pair, NULL, pair->attr, pair->value, pair->op);
}
/*
*/
da = dict_attrbyname(pleft);
if (da && (da->vendor == 0) && radius_find_compare(da->attr)) {
- VALUE_PAIR *check = pairmake(pleft, pright, token);
+ VALUE_PAIR *check;
+ check = pairmake(request, NULL, pleft, pright, token);
*presult = (radius_callback_compare(request, NULL, check, NULL, NULL) == 0);
RDEBUG3(" Callback returns %d",
*presult);
case PW_ACCESS_CHALLENGE:
pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0,
TAG_ANY);
- vp = radius_pairmake(request, &request->config_items,
- "Post-Auth-Type", "Challenge",
- T_OP_SET);
-
+ vp = pairmake_config("Post-Auth-Type", "Challenge", T_OP_SET);
if (vp) rad_postauth(request);
break;
default:
*/
if (request->reply->code == PW_AUTHENTICATION_REJECT) {
pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
- vp = radius_pairmake(request, &request->config_items,
- "Post-Auth-Type", "Reject",
- T_OP_SET);
+ vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
if (vp) rad_postauth(request);
}
/*
* Remember that we sent the request to a Realm.
*/
- if (realmname) pairadd(&request->packet->vps,
- pairmake("Realm", realmname, T_OP_EQ));
+ if (realmname) pairmake_packet("Realm", realmname, T_OP_EQ);
/*
* Strip the name, if told to.
if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) {
request->proxy->code = PW_STATUS_SERVER;
- radius_pairmake(request, &request->proxy->vps,
- "Message-Authenticator", "0x00", T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Message-Authenticator", "0x00", T_OP_SET);
} else if (home->type == HOME_TYPE_AUTH) {
request->proxy->code = PW_AUTHENTICATION_REQUEST;
- radius_pairmake(request, &request->proxy->vps,
- "User-Name", home->ping_user_name, T_OP_SET);
- radius_pairmake(request, &request->proxy->vps,
- "User-Password", home->ping_user_password, T_OP_SET);
- radius_pairmake(request, &request->proxy->vps,
- "Service-Type", "Authenticate-Only", T_OP_SET);
- radius_pairmake(request, &request->proxy->vps,
- "Message-Authenticator", "0x00", T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "User-Name", home->ping_user_name, T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "User-Password", home->ping_user_password, T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Service-Type", "Authenticate-Only", T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Message-Authenticator", "0x00", T_OP_SET);
} else {
#ifdef WITH_ACCOUNTING
request->proxy->code = PW_ACCOUNTING_REQUEST;
- radius_pairmake(request, &request->proxy->vps,
- "User-Name", home->ping_user_name, T_OP_SET);
- radius_pairmake(request, &request->proxy->vps,
- "Acct-Status-Type", "Stop", T_OP_SET);
- radius_pairmake(request, &request->proxy->vps,
- "Acct-Session-Id", "00000000", T_OP_SET);
- vp = radius_pairmake(request, &request->proxy->vps,
- "Event-Timestamp", "0", T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "User-Name", home->ping_user_name, T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Acct-Status-Type", "Stop", T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Acct-Session-Id", "00000000", T_OP_SET);
+ vp = pairmake(request->proxy, &request->proxy->vps,
+ "Event-Timestamp", "0", T_OP_SET);
vp->vp_date = now.tv_sec;
#else
rad_assert("Internal sanity check failed");
#endif
}
- vp = radius_pairmake(request, &request->proxy->vps,
- "NAS-Identifier", "", T_OP_SET);
+ vp = pairmake(request->proxy, &request->proxy->vps,
+ "NAS-Identifier", "", T_OP_SET);
if (vp) {
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue),
"Status Check %u. Are you alive?",
*/
if ((request->packet->code == PW_AUTHENTICATION_REQUEST) &&
!pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY)) {
- radius_pairmake(request, &request->proxy->vps,
- "Message-Authenticator", "0x00",
- T_OP_SET);
+ pairmake(request->proxy, &request->proxy->vps,
+ "Message-Authenticator", "0x00",
+ T_OP_SET);
}
}
* @param data_len length of blob
* @return 1 on success, 0 on failure
*/
-static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, unsigned int data_len) {
+static int eapsoh_mstlv(REQUEST *request, const uint8_t *p, unsigned int data_len) {
VALUE_PAIR *vp;
uint8_t c;
int t;
}
data_len -= 18;
- vp = pairmake("SoH-MS-Machine-OS-vendor", "Microsoft", T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-OS-vendor", "Microsoft", T_OP_EQ);
if (!vp) return 0;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-OS-version", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-OS-version", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_32(p); p+=4;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-OS-release", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-OS-release", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_32(p); p+=4;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-OS-build", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-OS-build", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_32(p); p+=4;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-SP-version", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-SP-version", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_16(p); p+=2;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-SP-release", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-SP-release", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_16(p); p+=2;
- pairadd(&sohvp, vp);
- vp = pairmake("SoH-MS-Machine-Processor", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-Processor", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = soh_pull_be_16(p); p+=2;
- pairadd(&sohvp, vp);
break;
case 2:
t = soh_pull_be_16(p);
p += 2;
- vp = pairmake("SoH-MS-Machine-Name", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-Name", NULL, T_OP_EQ);
if (!vp) return 0;
memcpy(vp->vp_strvalue, p, t);
vp->vp_strvalue[t] = 0;
- pairadd(&sohvp, vp);
p += t;
data_len -= 2 + t;
break;
* 24 bytes opaque binary which we might, in future, have
* to echo back to the client in a final SoHR
*/
- vp = pairmake("SoH-MS-Correlation-Id", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Correlation-Id", NULL, T_OP_EQ);
if (!vp) return 0;
memcpy(vp->vp_octets, p, 24);
vp->length = 24;
- pairadd(&sohvp, vp);
p += 24;
data_len -= 24;
break;
* 1 byte product type (client=1 domain_controller=2 server=3)
*/
p += 4;
- vp = pairmake("SoH-MS-Machine-Role", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Machine-Role", NULL, T_OP_EQ);
if (!vp) return 0;
vp->vp_integer = *p;
- pairadd(&sohvp, vp);
p++;
data_len -= 5;
break;
* @return 0 on success, -1 on failure
*
*/
-int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigned int data_len) {
+int soh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len) {
VALUE_PAIR *vp;
eap_soh hdr;
*/
if (curr_shid==0x137 && curr_shid_c==0) {
RDEBUG2("SoH MS type-value payload");
- eapsoh_mstlv(request, sohvp, data + 4, tlv.tlv_len - 4);
+ eapsoh_mstlv(request, data + 4, tlv.tlv_len - 4);
} else {
RDEBUG2("SoH unhandled vendor-specific TLV %08x/component=%i %i bytes payload", curr_shid, curr_shid_c, tlv.tlv_len);
}
RDEBUG2("SoH Health-Class-Status microsoft DWORD=%08x", hcstatus);
- vp = pairmake("SoH-MS-Windows-Health-Status", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Windows-Health-Status", NULL, T_OP_EQ);
if (!vp) return 0;
switch (curr_hc) {
break;
}
} else {
- vp = pairmake("SoH-MS-Health-Other", NULL, T_OP_EQ);
+ vp = pairmake_packet("SoH-MS-Health-Other", NULL, T_OP_EQ);
if (!vp) return 0;
/* FIXME: what to do with the payload? */
snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%08x/%i ?", curr_shid, curr_shid_c);
}
- pairadd(&sohvp, vp);
break;
default:
int verify_mode;
tls_session_t *ssn = NULL;
- ssn = (tls_session_t *) malloc(sizeof(*ssn));
- memset(ssn, 0, sizeof(*ssn));
+ ssn = talloc_zero(conf, tls_session_t);
+ if (!ssn) return NULL;
ssn->ctx = conf->ctx;
ssn->ssl = SSL_new(ssn->ctx);
SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify);
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
+ SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
SSL_set_fd(ssn->ssl, fd);
if (SSL_connect(ssn->ssl) <= 0) {
int err;
DEBUG("OpenSSL Err says %s",
ERR_error_string(err, NULL));
}
- free(ssn);
+ talloc_free(ssn);
return NULL;
}
/* We use the SSL's "app_data" to indicate a call-back */
SSL_set_app_data(new_tls, NULL);
- state = (tls_session_t *)malloc(sizeof(*state));
- memset(state, 0, sizeof(*state));
+ state = talloc_zero(conf, tls_session_t);
session_init(state);
state->ctx = conf->ctx;
SSL_set_verify(state->ssl, verify_mode, cbtls_verify);
SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
+ SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_SSN, (void *)state);
state->length_flag = conf->include_length;
/*
if ((l = ERR_get_error()) != 0) {
const char *p = ERR_error_string(l, NULL);
- VALUE_PAIR *vp;
-
- radlog(L_ERR, "SSL error %s", p);
- if (request) {
- vp = pairmake("Module-Failure-Message", p, T_OP_ADD);
- if (vp) pairadd(&request->packet->vps, vp);
- }
+ if (request && p) RDEBUGE("SSL says: %s", p);
}
e = SSL_get_error(s, ret);
session_close(sess);
- free(sess);
+ talloc_free(sess);
}
static void record_init(record_t *rec)
}
/* alloc and convert to ASN.1 */
- sess_blob = malloc(blob_len);
+ sess_blob = talloc_array(conf, unsigned char, blob_len);
if (!sess_blob) {
DEBUG2(" SSL: could not allocate buffer len=%d to persist session", blob_len);
return 0;
/* open output file */
rv = snprintf(filename, sizeof(filename), "%s%c%s.asn1",
- conf->session_cache_path, FR_DIR_SEP, buffer
- );
+ conf->session_cache_path, FR_DIR_SEP, buffer);
fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600);
if (fd < 0) {
DEBUG2(" SSL: could not open session file %s: %s", filename, strerror(errno));
}
error:
- if (sess_blob) free(sess_blob);
+ if (sess_blob) talloc_free(sess_blob);
return 0;
}
goto err;
}
- sess_data = malloc(st.st_size);
+ sess_data = talloc_array(conf, unsigned char, st.st_size);
if (!sess_data) {
DEBUG2(" SSL: could not alloc buffer for persisted session len=%d", (int) st.st_size);
close(fd);
DEBUG2(" SSL: Successfully restored session %s", buffer);
}
err:
- if (sess_data) free(sess_data);
+ if (sess_data) talloc_free(sess_data);
if (pairlist) pairlist_free(&pairlist);
*copy = 0;
X509_STORE *ocsp_store = NULL;
X509 *issuer_cert;
#endif
+ tls_session_t *ssn;
client_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
#ifdef HAVE_OPENSSL_OCSP_H
ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE);
#endif
-
+ ssn = (tls_session_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_SSN);
/*
* Get the Serial Number
sprintf(p, "%02x", (unsigned int)sn->data[i]);
p += 2;
}
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET);
}
(asn_time->length < (int) sizeof(buf))) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET);
}
/*
subject[sizeof(subject) - 1] = '\0';
if (identity && (lookup <= 1) && subject[0] &&
(strlen(subject) < MAX_STRING_LEN)) {
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET);
}
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer,
issuer[sizeof(issuer) - 1] = '\0';
if (identity && (lookup <= 1) && issuer[0] &&
(strlen(issuer) < MAX_STRING_LEN)) {
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET);
}
/*
common_name[sizeof(common_name) - 1] = '\0';
if (identity && (lookup <= 1) && common_name[0] && subject[0] &&
(strlen(common_name) < MAX_STRING_LEN)) {
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET);
}
#ifdef GEN_EMAIL
if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN)
break;
- pairadd(certs,
- pairmake(cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
- (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET));
+ pairmake(ssn, certs, cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
+ (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET);
break;
default:
/* XXX TODO handle other SAN types */
if (!my_ok) {
const char *p = X509_verify_cert_error_string(err);
radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p);
- radius_pairmake(request, &request->packet->vps,
- "Module-Failure-Message", p, T_OP_SET);
+ RDEBUGE("SSL says error %d : %s", err, p);
return my_ok;
}
}
fclose(fp);
- if (!radius_pairmake(request, &request->packet->vps,
- "TLS-Client-Cert-Filename",
+ if (!pairmake_packet("TLS-Client-Cert-Filename",
filename, T_OP_SET)) {
RDEBUG("Failed creating TLS-Client-Cert-Filename");
FILE* cmd_pipe = popen(cmd, "r");
if (!cmd_pipe) {
- radlog(L_ERR, "rlm_eap: %s command failed. Unable to get private_key_password", cmd);
- radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file);
+ radlog(L_ERR, "TLS: %s command failed. Unable to get private_key_password", cmd);
+ radlog(L_ERR, "Error reading private_key_file %s", conf->private_key_file);
return NULL;
}
- free(conf->private_key_password);
- conf->private_key_password = malloc(max_password_len * sizeof(char));
+ talloc_free(conf->private_key_password);
+ conf->private_key_password = talloc_array(conf, char, max_password_len);
if (!conf->private_key_password) {
- radlog(L_ERR, "rlm_eap: Can't malloc space for private_key_password");
- radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file);
+ radlog(L_ERR, "TLS: Can't allocate space for private_key_password");
+ radlog(L_ERR, "TLS: Error reading private_key_file %s", conf->private_key_file);
pclose(cmd_pipe);
return NULL;
}
conf->ocsp_store = NULL;
#endif
+#ifndef NDEBUG
memset(conf, 0, sizeof(*conf));
- free(conf);
+#endif
+ talloc_free(conf);
}
return conf;
}
- conf = malloc(sizeof(*conf));
+ conf = talloc_zero(cs, fr_tls_server_conf_t);
if (!conf) {
radlog(L_ERR, "Out of memory");
return NULL;
}
- memset(conf, 0, sizeof(*conf));
if (cf_section_parse(cs, conf, tls_server_config) < 0) {
error:
return conf;
}
- conf = malloc(sizeof(*conf));
+ conf = talloc_zero(cs, fr_tls_server_conf_t);
if (!conf) {
radlog(L_ERR, "Out of memory");
return NULL;
}
- memset(conf, 0, sizeof(*conf));
if (cf_section_parse(cs, conf, tls_client_config) < 0) {
error:
/*
* Mark the request as resumed.
*/
- vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
- if (vp) pairadd(&request->packet->vps, vp);
+ pairmake_packet("EAP-Session-Resumed", "1", T_OP_SET);
}
}
return vp;
}
-/** Create a VALUE_PAIR from ASCII strings and add it to a list of VALUE_PAIR s
- *
- * Converts an attribute string identifier (with an optional tag qualifier)
- * and value string into a VALUE_PAIR.
- *
- * The string value is parsed according to the type of VALUE_PAIR being created.
- *
- * @param[in] request current request.
- * @param[out] vps List to add new VALUE_PAIR to, if NULL will just
- * return VALUE_PAIR.
- * @param[in] attribute name.
- * @param[in] value attribute value.
- * @param[in] op fr_tokens value.
- * @return a new VALUE_PAIR.
- */
-VALUE_PAIR *radius_pairmake(UNUSED REQUEST *request, VALUE_PAIR **vps,
- const char *attribute, const char *value,
- FR_TOKEN op)
-{
- VALUE_PAIR *vp;
-
- vp = pairmake(attribute, value, op);
- if (!vp) return NULL;
-
- if (vps) pairadd(vps, vp);
-
- return vp;
-}
-
/** Print a single valuepair to stderr or error log.
*
* @param[in] vp list to print.
DEBUG2("%s: xlat on replace string failed.", inst->name);
return rcode;
}
- attr_vp = pairmake(inst->attribute,replace_STR,0);
+
+ /*
+ * @todo: this shouldn't really be the request.
+ */
+ attr_vp = pairmake(request, NULL, inst->attribute,replace_STR,0);
if (attr_vp == NULL){
DEBUG2("%s: Could not add new attribute %s with value '%s'", inst->name,
inst->attribute,replace_STR);
}
RDEBUG("Setting 'Auth-Type := CHAP'");
- pairadd(&request->config_items,
- pairmake("Auth-Type", "CHAP", T_OP_EQ));
+ pairmake_config("Auth-Type", "CHAP", T_OP_EQ);
return RLM_MODULE_OK;
}
*/
sprintf(msg, "Your maximum %s usage time has been reached",
inst->reset);
- reply_item=pairmake("Reply-Message", msg, T_OP_EQ);
- pairadd(&request->reply->vps, reply_item);
+ pairmake_reply("Reply-Message", msg, T_OP_EQ);
RDEBUGE("Maximum %s usage time reached",
inst->reset);
* Everything's OK, add a digest authentication type.
*/
RDEBUG("Adding Auth-Type = DIGEST");
- pairadd(&request->config_items,
- pairmake("Auth-Type", "DIGEST", T_OP_EQ));
+ pairmake_config("Auth-Type", "DIGEST", T_OP_EQ);
return RLM_MODULE_OK;
}
* correctly
*/
RDEBUG2("Broken NAS did not set User-Name, setting from EAP Identity");
- vp = pairmake("User-Name", handler->identity, T_OP_EQ);
+ vp = pairmake(request->packet, NULL, "User-Name", handler->identity, T_OP_EQ);
if (vp == NULL) {
RDEBUG("Out of memory");
free(*eap_packet_p);
* correctly
*/
RDEBUG2W("NAS did not set User-Name. Setting it locally from EAP Identity");
- vp = pairmake("User-Name", handler->identity, T_OP_EQ);
+ vp = pairmake(request->packet, NULL, "User-Name", handler->identity, T_OP_EQ);
if (vp == NULL) {
RDEBUG("Out of memory");
free(*eap_packet_p);
#ifdef HAVE_OPENSSL_OCSP_H
SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store);
#endif
+ SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
return ssn;
}
{
VALUE_PAIR *vp;
- vp = pairmake(name, "", T_OP_EQ);
+ vp = pairmake_reply(name, "", T_OP_EQ);
if (!vp) {
RDEBUGE("Did not create attribute %s: %s\n",
name, fr_strerror());
memcpy(vp->vp_octets, value, len);
vp->length = len;
- pairadd(&request->reply->vps, vp);
}
* Generate State, since we've been asked to add it to
* the list.
*/
- state = pairmake("State", "0x00", T_OP_EQ);
+ state = pairmake_reply("State", "0x00", T_OP_EQ);
if (!state) return 0;
/*
state->vp_octets[2], state->vp_octets[3],
state->vp_octets[4], state->vp_octets[5],
state->vp_octets[6], state->vp_octets[7]);
-
- pairadd(&(request->reply->vps), state);
return 1;
}
if (vp) {
vp = pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
if (!vp) {
- vp = pairmake("Message-Authenticator",
- "0x00", T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(&(request->proxy->vps), vp);
+ pairmake(request->proxy,
+ &request->proxy->vps,
+ "Message-Authenticator",
+ "0x00", T_OP_EQ);
}
}
*/
vp = pairfind(request->reply->vps, PW_USER_NAME, 0, TAG_ANY);
if (!vp) {
- vp = pairmake("User-Name", "",
+ vp = pairmake_reply("User-Name", "",
T_OP_EQ);
strlcpy(vp->vp_strvalue, request->username->vp_strvalue,
sizeof(vp->vp_strvalue));
vp->length = request->username->length;
- rad_assert(vp != NULL);
- pairadd(&(request->reply->vps), vp);
}
/*
*/
vp = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
if ((!vp) || (vp->vp_integer != PW_AUTHTYPE_REJECT)) {
- vp = pairmake("Auth-Type", inst->xlat_name, T_OP_EQ);
+ vp = pairmake_config("Auth-Type", inst->xlat_name, T_OP_EQ);
if (!vp) {
RDEBUG2("Failed to create Auth-Type %s: %s\n",
inst->xlat_name, fr_strerror());
return RLM_MODULE_FAIL;
}
- pairadd(&request->config_items, vp);
} else {
RDEBUG2W("Auth-Type already set. Not setting to EAP");
}
*/
vp = pairfind(request->reply->vps, PW_USER_NAME, 0, TAG_ANY);
if (!vp) {
- vp = pairmake("User-Name", request->username->vp_strvalue,
- T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(&(request->reply->vps), vp);
+ pairmake_reply("User-Name",
+ request->username->vp_strvalue,
+ T_OP_EQ);
}
}
*/
vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
if (!vp) {
- vp = pairmake("Message-Authenticator",
- "0x00", T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(&(request->reply->vps), vp);
+ pairmake_reply("Message-Authenticator", "0x00", T_OP_EQ);
}
return RLM_MODULE_UPDATED;
/*
* Get the Cleartext-Password for this user.
*/
- rad_assert(handler->request != NULL);
+ rad_assert(request != NULL);
rad_assert(handler->stage == AUTHENTICATE);
/*
/*
* For now, do clear-text password authentication.
*/
- vp = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
+ vp = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
if (!vp) {
RDEBUG2E("Cleartext-Password is required for authentication.");
eap_ds->request->code = PW_EAP_FAILURE;
* If there was a User-Password in the request,
* why the heck are they using EAP-GTC?
*/
- pairdelete(&handler->request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
+ pairdelete(&request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
- vp = pairmake("User-Password", "", T_OP_EQ);
+ vp = pairmake_packet("User-Password", "", T_OP_EQ);
if (!vp) {
radlog(L_ERR, "rlm_eap_gtc: out of memory");
return 0;
* Add the password to the request, and allow
* another module to do the work of authenticating it.
*/
- pairadd(&handler->request->packet->vps, vp);
- handler->request->password = vp;
+ request->password = vp;
/*
* This is a wild & crazy hack.
*/
- rcode = module_authenticate(inst->auth_type, handler->request);
+ rcode = module_authenticate(inst->auth_type, request);
if (rcode != RLM_MODULE_OK) {
eap_ds->request->code = PW_EAP_FAILURE;
return 0;
*/
leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
- leap_session_t *session, VALUE_PAIR **reply_vps)
+ leap_session_t *session)
{
size_t i;
unsigned char ntpwdhash[16], ntpwdhashhash[16];
/*
* Calculate the leap:session-key attribute
*/
- vp = pairmake("Cisco-AVPair", "leap:session-key=", T_OP_ADD);
+ vp = pairmake_reply("Cisco-AVPair", "leap:session-key=", T_OP_ADD);
if (!vp) {
radlog(L_ERR, "rlm_eap_leap: Failed to create Cisco-AVPair attribute. LEAP cancelled.");
eapleap_free(&reply);
rad_tunnel_pwencode(vp->vp_strvalue + vp->length, &i,
request->client->secret, request->packet->vector);
vp->length += i;
- pairadd(reply_vps, vp);
return reply;
}
leap_session_t *session);
leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
- leap_session_t *session,
- VALUE_PAIR **reply_vps);
+ leap_session_t *session);
void eapleap_lmpwdhash(const unsigned char *password,unsigned char *lmhash);
void eapleap_mschap(const unsigned char *win_password,
DEBUG2(" rlm_eap_leap: Stage 6");
reply = eapleap_stage6(packet, handler->request,
handler->request->username, password,
- session, &handler->request->reply->vps);
+ session);
break;
/*
/*
* Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer.
*/
-static int mschapv2_initiate(void *instance, eap_handler_t *handler)
+static int mschapv2_initiate(UNUSED void *instance, eap_handler_t *handler)
{
int i;
VALUE_PAIR *challenge;
mschapv2_opaque_t *data;
- instance = instance; /* -Wunused */
-
- challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ);
- if (!challenge) {
- radlog(L_ERR, "rlm_eap_mschapv2: out of memory");
- return 0;
- }
+ challenge = pairmake(handler, NULL,
+ "MS-CHAP-Challenge", "0x00", T_OP_EQ);
/*
* Get a random challenge.
{
VALUE_PAIR *response = NULL;
mschapv2_opaque_t *data;
+ REQUEST *request = handler->request;
data = (mschapv2_opaque_t *) handler->opaque;
rad_assert(data != NULL);
tunnel_data = tunnel_data; /* -Wunused */
- DEBUG2(" rlm_eap_mschapv2: Passing reply from proxy back into the tunnel %p %d.",
- handler->request, handler->request->reply->code);
+ RDEBUG2("Passing reply from proxy back into the tunnel %d.",
+ request->reply->code);
/*
* There is only a limited number of possibilities.
*/
- switch (handler->request->reply->code) {
+ switch (request->reply->code) {
case PW_AUTHENTICATION_ACK:
- DEBUG(" rlm_eap_mschapv2: Proxied authentication succeeded.");
+ RDEBUG2("Proxied authentication succeeded.");
+
/*
* Move the attribute, so it doesn't go into
* the reply.
*/
pairmove2(&response,
- &handler->request->reply->vps,
+ &request->reply->vps,
PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
break;
/*
* Done doing EAP proxy stuff.
*/
- handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
eapmschapv2_compose(handler, response);
data->code = PW_EAP_MSCHAPV2_SUCCESS;
* access-accept e.g. vlan, etc. This lets the PEAP
* use_tunneled_reply code work
*/
- data->reply = paircopy(handler->request->reply->vps);
+ data->reply = paircopy(request->reply->vps);
/*
* And we need to challenge the user, not ack/reject them,
* so we re-write the ACK to a challenge. Yuck.
*/
- handler->request->reply->code = PW_ACCESS_CHALLENGE;
+ request->reply->code = PW_ACCESS_CHALLENGE;
pairfree(&response);
return 1;
EAP_DS *eap_ds = handler->eap_ds;
VALUE_PAIR *challenge, *response, *name;
rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg;
+ REQUEST *request = handler->request;
- rad_assert(handler->request != NULL);
+ rad_assert(request != NULL);
rad_assert(handler->stage == AUTHENTICATE);
data = (mschapv2_opaque_t *) handler->opaque;
DEBUG2(" rlm_eap_mschapv2: password change packet received");
- challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ);
+ challenge = pairmake_packet("MS-CHAP-Challenge", "0x00", T_OP_EQ);
if (!challenge) {
radlog(L_ERR, "rlm_eap_mschapv2: out of memory");
return 0;
}
challenge->length = MSCHAPV2_CHALLENGE_LEN;
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
- pairadd(&handler->request->packet->vps, challenge);
- cpw = pairmake("MS-CHAP2-CPW", "", T_OP_EQ);
+ cpw = pairmake_packet("MS-CHAP2-CPW", "", T_OP_EQ);
cpw->vp_octets[0] = 7;
cpw->vp_octets[1] = mschap_id;
memcpy(cpw->vp_octets+2, eap_ds->response->type.data + 520, 66);
cpw->length = 68;
- pairadd(&handler->request->packet->vps, cpw);
/*
* break the encoded password into VPs (3 of them)
if (to_copy > 243)
to_copy = 243;
- nt_enc = pairmake("MS-CHAP-NT-Enc-PW", "", T_OP_ADD);
+ nt_enc = pairmake_packet("MS-CHAP-NT-Enc-PW", "", T_OP_ADD);
nt_enc->vp_octets[0] = 6;
nt_enc->vp_octets[1] = mschap_id;
nt_enc->vp_octets[2] = 0;
memcpy(nt_enc->vp_octets + 4, eap_ds->response->type.data + 4 + copied, to_copy);
copied += to_copy;
nt_enc->length = 4 + to_copy;
- pairadd(&handler->request->packet->vps, nt_enc);
}
DEBUG2(" rlm_eap_mschapv2: built change password packet");
- debug_pair_list(handler->request->packet->vps);
+ debug_pair_list(request->packet->vps);
/*
* jump to "authentication"
}
failure:
- handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
eap_ds->request->code = PW_EAP_FAILURE;
return 1;
switch (ccode) {
case PW_EAP_MSCHAPV2_SUCCESS:
eap_ds->request->code = PW_EAP_SUCCESS;
- pairadd(&handler->request->reply->vps, data->mppe_keys);
+ pairadd(&request->reply->vps, data->mppe_keys);
data->mppe_keys = NULL;
/* fall through... */
/*
* It's a success. Don't proxy it.
*/
- handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
+ request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
#endif
- pairadd(&handler->request->reply->vps, data->reply);
+ pairadd(&request->reply->vps, data->reply);
data->reply = NULL;
return 1;
}
* to pass to the 'mschap' module. This is a little wonky,
* but it works.
*/
- challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ);
+ challenge = pairmake_packet("MS-CHAP-Challenge", "0x00", T_OP_EQ);
if (!challenge) {
radlog(L_ERR, "rlm_eap_mschapv2: out of memory");
return 0;
challenge->length = MSCHAPV2_CHALLENGE_LEN;
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
- response = pairmake("MS-CHAP2-Response", "0x00", T_OP_EQ);
+ response = pairmake_packet("MS-CHAP2-Response", "0x00", T_OP_EQ);
if (!response) {
- pairfree(&challenge);
radlog(L_ERR, "rlm_eap_mschapv2: out of memory");
return 0;
}
response->vp_strvalue[0] = eap_ds->response->type.data[1];
response->vp_strvalue[1] = eap_ds->response->type.data[5 + MSCHAPV2_RESPONSE_LEN];
- name = pairmake("NTLM-User-Name", "", T_OP_EQ);
+ name = pairmake_packet("NTLM-User-Name", "", T_OP_EQ);
if (!name) {
- pairfree(&challenge);
- pairfree(&response);
radlog(L_ERR, "rlm_eap_mschapv2: Failed creating NTLM-User-Name: %s", fr_strerror());
return 0;
}
name->length);
name->vp_strvalue[name->length] = '\0';
- /*
- * Add the pairs to the request, and call the 'mschap'
- * module.
- */
- pairadd(&handler->request->packet->vps, challenge);
- pairadd(&handler->request->packet->vps, response);
- pairadd(&handler->request->packet->vps, name);
-
packet_ready:
#ifdef WITH_PROXY
* EAP attributes, and proxy the MS-CHAP attributes to a
* home server.
*/
- if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
+ if (request->options & RAD_REQUEST_OPTION_PROXY_EAP) {
char *username = NULL;
eap_tunnel_data_t *tunnel;
/*
* Associate the callback with the request.
*/
- rcode = request_data_add(handler->request,
- handler->request->proxy,
+ rcode = request_data_add(request,
+ request->proxy,
REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, free);
rad_assert(rcode == 0);
* the State attribute back, before passing
* the handler & request back into the tunnel.
*/
- pairdelete(&handler->request->packet->vps, PW_STATE, 0, TAG_ANY);
+ pairdelete(&request->packet->vps, PW_STATE, 0, TAG_ANY);
/*
* Fix the User-Name when proxying, to strip off
* in the user name, THEN discard the user name.
*/
if (inst->with_ntdomain_hack &&
- ((challenge = pairfind(handler->request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) &&
+ ((challenge = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) &&
((username = strchr(challenge->vp_strvalue, '\\')) != NULL)) {
/*
* Wipe out the NT domain.
/*
* This is a wild & crazy hack.
*/
- rcode = module_authenticate(PW_AUTHTYPE_MS_CHAP, handler->request);
+ rcode = module_authenticate(PW_AUTHTYPE_MS_CHAP, request);
/*
* Delete MPPE keys & encryption policy. We don't
*/
response = NULL;
if (rcode == RLM_MODULE_OK) {
- pairmove2(&response, &handler->request->reply->vps,
+ pairmove2(&response, &request->reply->vps,
PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY);
data->code = PW_EAP_MSCHAPV2_SUCCESS;
} else if (inst->send_error) {
- pairmove2(&response, &handler->request->reply->vps,
+ pairmove2(&response, &request->reply->vps,
PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT, TAG_ANY);
if (response) {
int n,err,retry;
return 1;
}
-static VALUE_PAIR* eapsoh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len) {
+static void eapsoh_verify(REQUEST *request, RADIUS_PACKET *packet,
+ const uint8_t *data, unsigned int data_len) {
VALUE_PAIR *vp;
uint8_t eap_method_base;
uint32_t eap_method;
int rv;
- vp = pairmake("SoH-Supported", "no", T_OP_EQ);
+ vp = pairmake(packet, &packet->vps, "SoH-Supported", "no", T_OP_EQ);
if (data && data[0] == PW_EAP_NAK) {
RDEBUG("SoH - client NAKed");
- goto done;
+ return;
}
if (!data || data_len < 8) {
RDEBUG("SoH - eap payload too short");
- goto done;
+ return;
}
eap_method_base = *data++;
if (eap_method_base != 254) {
RDEBUG("SoH - response is not extended EAP: %i", eap_method_base);
- goto done;
+ return;
}
eap_vendor = soh_pull_be_24(data); data += 3;
if (eap_vendor != 0x137) {
RDEBUG("SoH - extended eap vendor %08x is not Microsoft", eap_vendor);
- goto done;
+ return;
}
eap_method = soh_pull_be_32(data); data += 4;
if (eap_method != 0x21) {
RDEBUG("SoH - response eap type %08x is not EAP-SoH", eap_method);
- goto done;
+ return;
}
- rv = soh_verify(request, vp, data, data_len - 8);
+ rv = soh_verify(request, data, data_len - 8);
if (rv<0) {
RDEBUG("SoH - error decoding payload: %s", fr_strerror());
} else {
vp->vp_integer = 1;
}
-done:
- return vp;
}
/*
/*
* Save it for later.
*/
- t->username = pairmake("User-Name", "", T_OP_EQ);
+ t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ);
rad_assert(t->username != NULL);
memcpy(t->username->vp_strvalue, data + 1, data_len - 1);
case PEAP_STATUS_WAIT_FOR_SOH_RESPONSE:
fake = request_alloc_fake(request);
rad_assert(fake->packet->vps == NULL);
- fake->packet->vps = eapsoh_verify(request, data, data_len);
+ eapsoh_verify(request, fake->packet, data, data_len);
setup_fake_request(request, fake, t);
if (t->soh_virtual_server) {
if (t->default_method != 0) {
RDEBUG2("Setting default EAP type for tunneled EAP session.");
- vp = pairmake("EAP-Type", "0", T_OP_EQ);
+ vp = pairmake(fake, &fake->config_items, "EAP-Type", "0", T_OP_EQ);
vp->vp_integer = t->default_method;
- pairadd(&fake->config_items, vp);
}
break; }
* EAP-Identity packet.
*/
if ((data[0] == PW_EAP_IDENTITY) && (data_len > 1)) {
- t->username = pairmake("User-Name", "", T_OP_EQ);
+ t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ);
rad_assert(t->username != NULL);
memcpy(t->username->vp_strvalue, data + 1, data_len - 1);
*/
if (t->default_method != 0) {
DEBUG2(" PEAP: Setting default EAP type for tunneled EAP session.");
- vp = pairmake("EAP-Type", "0", T_OP_EQ);
+ vp = pairmake(fake, &fake->config_items, "EAP-Type", "0", T_OP_EQ);
vp->vp_integer = t->default_method;
- pairadd(&fake->config_items, vp);
}
}
} /* else there WAS a t->username */
/*
* Tell the request that it's a fake one.
*/
- vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
- if (vp) {
- pairadd(&fake->packet->vps, vp);
- }
+ pairmake(fake->packet, &fake->packet->vps,
+ "Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
if (t->username) {
vp = paircopy(t->username);
RDEBUG("pwd unable to create fake request!");
return 0;
}
- if ((fake->username = pairmake("User-Name", "", T_OP_EQ)) == NULL) {
+ fake->username = pairmake_request("User-Name", "", T_OP_EQ);
+ if (!fake->username);
RDEBUG("pwd unanable to create value pair for username!");
request_free(&fake);
return 0;
break;
case TNC_CONNECTION_STATE_ACCESS_NONE:
code = PW_EAP_FAILURE;
- pairadd(&handler->request->config_items,
- pairmake("TNC-Status", "None", T_OP_SET));
+ pairmake_config("TNC-Status", "None", T_OP_SET);
break;
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
code = PW_EAP_SUCCESS;
- pairadd(&handler->request->config_items,
- pairmake("TNC-Status", "Access", T_OP_SET));
+ pairmake_config("TNC-Status", "Access", T_OP_SET);
break;
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
code = PW_EAP_SUCCESS;
- pairadd(&handler->request->config_items,
- pairmake("TNC-Status", "Isolate", T_OP_SET));
+ pairmake_config("TNC-Status", "Isolate", T_OP_SET);
break;
default:
/*
* Tell the request that it's a fake one.
*/
- vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
- if (vp) {
- pairadd(&fake->packet->vps, vp);
- }
+ pairmake_packet("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ);
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Got tunneled request");
/*
* Create & remember a User-Name
*/
- t->username = pairmake("User-Name", "", T_OP_EQ);
+ t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ);
rad_assert(t->username != NULL);
memcpy(t->username->vp_strvalue, vp->vp_strvalue + 5,
int i, status;
uint32_t lvalue;
VALUE_PAIR *state;
+ REQUEST *request = handler->request;
rad_assert(handler != NULL);
rad_assert(handler->request != NULL);
* Generate State, since we've been asked to add it to
* the list.
*/
- state = pairmake("State", "0x00", T_OP_EQ);
+ state = pairmake_reply("State", "0x00", T_OP_EQ);
if (!state) return 0;
- pairadd(&(handler->request->reply->vps), state);
state->length = EAP_STATE_LEN;
/*
*/
}
- vp = radius_pairmake(request, &request->reply->vps,
- "MS-MPPE-Recv-Key", "", T_OP_EQ);
+ vp = pairmake_reply("MS-MPPE-Recv-Key", "", T_OP_EQ);
if (vp) {
memcpy(vp->vp_octets,
handler->server_ctx.eap_if->eapKeyData,
vp->length = length;
}
- vp = radius_pairmake(request, &request->reply->vps,
- "MS-MPPE-Send-Key", "", T_OP_EQ);
+ vp = pairmake_reply("MS-MPPE-Send-Key", "", T_OP_EQ);
if (vp) {
memcpy(vp->vp_octets,
handler->server_ctx.eap_if->eapKeyData + length,
static rlm_rcode_t example_authorize(void *instance, REQUEST *request)
{
VALUE_PAIR *state;
- VALUE_PAIR *reply;
/* quiet the compiler */
instance = instance;
/*
* Create the challenge, and add it to the reply.
*/
- reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);
- pairadd(&request->reply->vps, reply);
- state = pairmake("State", "0", T_OP_EQ);
- pairadd(&request->reply->vps, state);
+ pairmake_reply("Reply-Message", "This is a challenge", T_OP_EQ);
+ pairmake_reply("State", "0", T_OP_EQ);
/*
* Mark the packet as an Access-Challenge packet.
return RLM_MODULE_FAIL;
}
- vp = pairmake("Reply-Message", msg, T_OP_ADD);
pairfree(&request->reply->vps);
- request->reply->vps = vp;
+ pairmake_reply("Reply-Message", msg, T_OP_ADD);
}
RDEBUGE("Account has expired [Expiration %s]",check_item->vp_strvalue);
snprintf(name, sizeof(name), "%%{%s}", check->da->name);
radius_xlat(value, sizeof(value), name, req, NULL, NULL);
- vp = pairmake(check->da->name, value, check->op);
+ vp = pairmake(req, NULL, check->da->name, value, check->op);
/*
* Paircmp returns 0 for failed comparison,
goto finish;
}
- vp = pairmake("LDAP-UserDn", dn, T_OP_EQ);
+ vp = pairmake(request, &request->config_items,
+ "LDAP-UserDn", dn, T_OP_EQ);
if (vp) {
- pairadd(&request->config_items, vp);
*rcode = RLM_MODULE_OK;
}
DEBUG("rlm_logintime: timestr returned reject");
if (data->msg && data->msg[0]){
char msg[MAX_STRING_LEN];
- VALUE_PAIR *tmp;
if (!radius_xlat(msg, sizeof(msg), data->msg, request, NULL, NULL)) {
radlog(L_ERR, "rlm_logintime: xlat failed.");
return RLM_MODULE_FAIL;
}
pairfree(&request->reply->vps);
- tmp = pairmake("Reply-Message", msg, T_OP_SET);
- request->reply->vps = tmp;
+ pairmake_reply("Reply-Message", msg, T_OP_SET);
}
RDEBUGE("Outside allowed timespan (time allowed %s)",
uint8_t *ntresponse,
uint8_t *peer_challenge, uint8_t *auth_challenge,
char *response);
-void mschap_add_reply(REQUEST *request, VALUE_PAIR ** vp, unsigned char ident,
+void mschap_add_reply(REQUEST *request, unsigned char ident,
const char* name, const char* value, int len);
* add_reply() adds either MS-CHAP2-Success or MS-CHAP-Error
* attribute to reply packet
*/
-void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident,
+void mschap_add_reply(REQUEST *request, unsigned char ident,
const char* name, const char* value, int len)
{
- VALUE_PAIR *reply_attr;
- reply_attr = pairmake(name, "", T_OP_EQ);
- if (!reply_attr) {
+ VALUE_PAIR *vp;
+
+ vp = pairmake_reply(name, "", T_OP_EQ);
+ if (!vp) {
RDEBUG("Failed to create attribute %s: %s\n", name, fr_strerror());
return;
}
- reply_attr->vp_octets[0] = ident;
- memcpy(reply_attr->vp_octets + 1, value, len);
- reply_attr->length = len + 1;
- pairadd(vp, reply_attr);
+ vp->vp_octets[0] = ident;
+ memcpy(vp->vp_octets + 1, value, len);
+ vp->length = len + 1;
}
/*
const char* name, const uint8_t * value, int len)
{
VALUE_PAIR *vp;
- vp = radius_pairmake(request, &request->reply->vps, name, "", T_OP_EQ);
+
+ vp = pairmake_reply(name, "", T_OP_EQ);
if (!vp) {
RDEBUG("rlm_mschap: mppe_add_reply failed to create attribute %s: %s\n", name, fr_strerror());
return;
* the new NT hash - this should be preferred over the
* cleartext password as it avoids unicode hassles
*/
- new_hash = radius_pairmake(request, &request->packet->vps,
- "MS-CHAP-New-NT-Password", "",
- T_OP_EQ);
+ new_hash = pairmake_packet("MS-CHAP-New-NT-Password", "",
+ T_OP_EQ);
fr_md4_calc(new_hash->vp_octets, p, passlen);
new_hash->length = 16;
* do some unpleasant vileness to turn it into
* utf8 without pulling in libraries like iconv
*/
- new_pass = radius_pairmake(request, &request->packet->vps,
- "MS-CHAP-New-Cleartext-Password", "",
- T_OP_EQ);
+ new_pass = pairmake_packet("MS-CHAP-New-Cleartext-Password", "",
+ T_OP_EQ);
new_pass->length = 0;
i = 0;
while (i<passlen) {
* will take care of turning clear-text passwords into
* NT/LM passwords.
*/
- if (!radius_pairmake(request, &request->config_items,
- "Auth-Type", inst->auth_type, T_OP_EQ)) {
+ if (!pairmake_config("Auth-Type", inst->auth_type, T_OP_EQ)) {
return RLM_MODULE_FAIL;
}
if (!smb_ctrl) {
password = pairfind(request->config_items, PW_SMB_ACCOUNT_CTRL_TEXT, 0, TAG_ANY);
if (password) {
- smb_ctrl = radius_pairmake(request,
- &request->config_items,
- "SMB-Account-CTRL", "0",
+ smb_ctrl = pairmake_config("SMB-Account-CTRL", "0",
T_OP_SET);
if (smb_ctrl) {
smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue);
if (!do_ntlm_auth) RDEBUG2("No Cleartext-Password configured. Cannot create LM-Password.");
} else { /* there is a configured Cleartext-Password */
- lm_password = radius_pairmake(request, &request->config_items,
- "LM-Password", "", T_OP_EQ);
+ lm_password = pairmake_config("LM-Password", "", T_OP_EQ);
if (!lm_password) {
radlog_request(L_ERR, 0, request, "No memory");
} else {
if (!do_ntlm_auth) RDEBUG2("No Cleartext-Password configured. Cannot create NT-Password.");
} else { /* there is a configured Cleartext-Password */
- nt_password = radius_pairmake(request, &request->config_items,
- "NT-Password", "", T_OP_EQ);
+ nt_password = pairmake_config("NT-Password", "", T_OP_EQ);
if (!nt_password) {
radlog_request(L_ERR, 0, request, "No memory");
return RLM_MODULE_FAIL;
RDEBUG("Password change failed");
snprintf(buffer, sizeof(buffer), "E=709 R=0 M=Password change failed");
- mschap_add_reply(request, &request->reply->vps,
+ mschap_add_reply(request,
cpw->vp_octets[1], "MS-CHAP-Error",
buffer, strlen(buffer));
return RLM_MODULE_REJECT;
snprintf(buffer + 45, sizeof(buffer) - 45,
" V=3 M=%s", inst->retry_msg);
}
- mschap_add_reply(request, &request->reply->vps,
+ mschap_add_reply(request,
*response->vp_octets, "MS-CHAP-Error",
buffer, strlen(buffer));
return RLM_MODULE_REJECT;
snprintf(buffer, sizeof(buffer), "E=648 R=0 C=%s V=3 M=Password Expired", newchal);
- mschap_add_reply(request, &request->reply->vps,
+ mschap_add_reply(request,
*response->vp_octets, "MS-CHAP-Error",
buffer, strlen(buffer));
return RLM_MODULE_REJECT;
response->vp_octets + 2, /* peer challenge */
challenge->vp_octets, /* our challenge */
msch2resp); /* calculated MPPE key */
- mschap_add_reply(request, &request->reply->vps, *response->vp_octets,
+ mschap_add_reply(request, *response->vp_octets,
"MS-CHAP2-Success", msch2resp, 42);
chap = 2;
if (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) ||
((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0)) {
RDEBUG2("SMB-Account-Ctrl says that the account is disabled, or is not a normal or workstatin trust account.");
- mschap_add_reply(request, &request->reply->vps,
+ mschap_add_reply(request,
*response->vp_octets,
"MS-CHAP-Error", "E=691 R=1", 9);
return RLM_MODULE_NOTFOUND;
*/
if ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0) {
RDEBUG2("SMB-Account-Ctrl says that the account is locked out.");
- mschap_add_reply(request, &request->reply->vps,
+ mschap_add_reply(request,
*response->vp_octets,
"MS-CHAP-Error", "E=647 R=0", 9);
return RLM_MODULE_USERLOCK;
mppe_sendkey, 16);
}
- radius_pairmake(request, &request->reply->vps,
- "MS-MPPE-Encryption-Policy",
- (inst->require_encryption)? "0x00000002":"0x00000001",
- T_OP_EQ);
- radius_pairmake(request, &request->reply->vps,
- "MS-MPPE-Encryption-Types",
- (inst->require_strong)? "0x00000004":"0x00000006",
+ pairmake_reply("MS-MPPE-Encryption-Policy",
+ (inst->require_encryption)? "0x00000002":"0x00000001",
+ T_OP_EQ);
+ pairmake_reply("MS-MPPE-Encryption-Types",
+ (inst->require_strong)? "0x00000004":"0x00000006",
T_OP_EQ);
} /* else we weren't asked to use MPPE */
if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) {
RDEBUG("no access control groups, all users allowed.");
if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) {
- pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ));
+ pairmake_config("Auth-Type", kAuthType, T_OP_EQ);
RDEBUG("Setting Auth-Type = %s", kAuthType);
}
return RLM_MODULE_OK;
}
if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) {
- pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ));
+ pairmake_config("Auth-Type", kAuthType, T_OP_EQ);
RDEBUG("Setting Auth-Type = %s", kAuthType);
}
otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt,
const char *passcode)
{
- VALUE_PAIR **avp = &request->reply->vps;
- VALUE_PAIR *cvp, *rvp, *vp;
+ VALUE_PAIR *cvp, *rvp;
cvp = pairfind(request->packet->vps, pwattr[pwe - 1]->attr, pwattr[pwe - 1]->vendor, TAG_ANY);
rvp = pairfind(request->packet->vps, pwattr[pwe]->attr, pwattr[pwe]->vendor, TAG_ANY);
case PWE_MSCHAP:
/* First, set some related attributes. */
- vp = pairmake("MS-MPPE-Encryption-Policy",
+ pairmake_reply("MS-MPPE-Encryption-Policy",
otp_mppe_policy[opt->mschap_mppe_policy], T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
- vp = pairmake("MS-MPPE-Encryption-Types",
+ pairmake_reply("MS-MPPE-Encryption-Types",
otp_mppe_types[opt->mschap_mppe_types], T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
/* If no MPPE, we're done. */
if (!opt->mschap_mppe_policy)
mppe_keys_string[1] = 'x';
for (i = 0; i < 32; ++i)
(void) sprintf(&mppe_keys_string[i*2+2], "%02X", mppe_keys[i]);
- vp = pairmake("MS-CHAP-MPPE-Keys", mppe_keys_string, T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
+ pairmake_reply("MS-CHAP-MPPE-Keys", mppe_keys_string, T_OP_EQ);
} /* (doing mppe) */
break; /* PWE_MSCHAP */
for (i = 0; i < sizeof(auth_md_string) - 1; ++i)
(void) sprintf(&auth_octet_string[i * 2 +4], "%02X", auth_md_string[i]);
- vp = pairmake("MS-CHAP2-Success", auth_octet_string, T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
+ pairmake_reply("MS-CHAP2-Success", auth_octet_string, T_OP_EQ);
} /* Generate mutual auth info. */
/*
* Now, set some MPPE related attributes.
*/
- vp = pairmake("MS-MPPE-Encryption-Policy",
+ pairmake_reply("MS-MPPE-Encryption-Policy",
otp_mppe_policy[opt->mschapv2_mppe_policy], T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
- vp = pairmake("MS-MPPE-Encryption-Types",
+ pairmake_reply("MS-MPPE-Encryption-Types",
otp_mppe_types[opt->mschapv2_mppe_types], T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
/* If no MPPE, we're done. */
if (!opt->mschapv2_mppe_policy)
mppe_key_string[1] = 'x';
for (i = 0; i < sizeof(MasterSendKey); ++i)
(void) sprintf(&mppe_key_string[i*2+2], "%02X", MasterSendKey[i]);
- vp = pairmake("MS-MPPE-Send-Key", mppe_key_string, T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
+ pairmake_reply("MS-MPPE-Send-Key", mppe_key_string, T_OP_EQ);
/*
* Generate the MS-MPPE-Recv-Key attribute.
mppe_key_string[1] = 'x';
for (i = 0; i < sizeof(MasterReceiveKey); ++i)
(void) sprintf(&mppe_key_string[i*2+2], "%02X", MasterReceiveKey[i]);
- vp = pairmake("MS-MPPE-Recv-Key", mppe_key_string, T_OP_EQ);
- rad_assert(vp != NULL);
- pairadd(avp, vp);
-
+ pairmake_reply("MS-MPPE-Recv-Key", mppe_key_string, T_OP_EQ);
} /* (doing mppe) */
} /* PWE_MSCHAP2 */
break; /* PWE_MSCHAP2 */
if (inst->allow_sync && !inst->allow_async) {
/* This is the token sync response. */
if (!auth_type_found) {
- pairadd(&request->config_items,
- pairmake("Auth-Type", inst->name, T_OP_EQ));
+ pairmake_config("Auth-Type", inst->name, T_OP_EQ);
}
return RLM_MODULE_OK;
DEBUG("rlm_otp: Sending Access-Challenge.");
if (!auth_type_found) {
- pairadd(&request->config_items,
- pairmake("Auth-Type", inst->name, T_OP_EQ));
+ pairmake_config("Auth-Type", inst->name, T_OP_EQ);
}
return RLM_MODULE_HANDLED;
#undef inst
}
-static void addresult (struct passwd_instance * inst, REQUEST *request, VALUE_PAIR ** vp, struct mypasswd * pw, char when, const char *listname)
+static void addresult (struct passwd_instance * inst, REQUEST *request, TALLOC_CTX *ctx, VALUE_PAIR **vps, struct mypasswd * pw, char when, const char *listname)
{
int i;
- VALUE_PAIR *newpair;
+ VALUE_PAIR *vp;
for (i=0; i<inst->nfields; i++) {
if (inst->pwdfmt->field[i] && *inst->pwdfmt->field[i] && pw->field[i] && i != inst->keyfield && inst->pwdfmt->listflag[i] == when) {
if ( !inst->ignoreempty || pw->field[i][0] != 0 ) { /* if value in key/value pair is not empty */
- if (! (newpair = pairmake (inst->pwdfmt->field[i], pw->field[i], T_OP_EQ))) {
- radlog(L_AUTH, "rlm_passwd: Unable to create %s: %s", inst->pwdfmt->field[i], pw->field[i]);
- return;
+ vp = pairmake(ctx, vps, inst->pwdfmt->field[i], pw->field[i], T_OP_EQ);
+ if (vp) {
+ RDEBUG("Added %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname);
}
- RDEBUG("Added %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname);
- pairadd (vp, newpair);
} else
RDEBUG("NOOP %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname);
}
continue;
}
do {
- addresult(inst, request, &request->config_items, pw, 0, "config_items");
- addresult(inst, request, &request->reply->vps, pw, 1, "reply_items");
- addresult(inst, request, &request->packet->vps, pw, 2, "request_items");
+ addresult(inst, request, request, &request->config_items, pw, 0, "config_items");
+ addresult(inst, request, request->reply, &request->reply->vps, pw, 1, "reply_items");
+ addresult(inst, request, request->packet, &request->packet->vps, pw, 2, "request_items");
} while ( (pw = get_next(buffer, inst->ht, &last_found)) );
found++;
if (!inst->allowmultiple) break;
* Value Pair Format
*
*/
-static int pairadd_sv(VALUE_PAIR **vp, char *key, SV *sv, FR_TOKEN op) {
+static int pairadd_sv(TALLOC_CTX *ctx, VALUE_PAIR **vps, char *key, SV *sv, FR_TOKEN op)
+{
char *val;
- VALUE_PAIR *vpp;
+ VALUE_PAIR *vp;
if (SvOK(sv)) {
val = SvPV_nolen(sv);
- vpp = pairmake(key, val, op);
- if (vpp != NULL) {
- pairadd(vp, vpp);
+ vp = pairmake(ctx, vps, key, val, op);
+ if (vp != NULL) {
radlog(L_DBG,
"rlm_perl: Added pair %s = %s", key, val);
return 1;
* Boyan :
* Gets the content from hashes
*/
-static int get_hv_content(HV *my_hv, VALUE_PAIR **vp)
+static int get_hv_content(TALLOC_CTX *ctx, HV *my_hv, VALUE_PAIR **vps)
{
SV *res_sv, **av_sv;
AV *av;
I32 key_len, len, i, j;
int ret=0;
- *vp = NULL;
+ *vps = NULL;
for (i = hv_iterinit(my_hv); i > 0; i--) {
res_sv = hv_iternextsv(my_hv,&key,&key_len);
if (SvROK(res_sv) && (SvTYPE(SvRV(res_sv)) == SVt_PVAV)) {
len = av_len(av);
for (j = 0; j <= len; j++) {
av_sv = av_fetch(av, j, 0);
- ret = pairadd_sv(vp, key, *av_sv, T_OP_ADD) + ret;
+ ret = pairadd_sv(ctx, vps, key, *av_sv, T_OP_ADD) + ret;
}
- } else ret = pairadd_sv(vp, key, res_sv, T_OP_EQ) + ret;
+ } else ret = pairadd_sv(ctx, vps, key, res_sv, T_OP_EQ) + ret;
}
return ret;
LEAVE;
vp = NULL;
- if ((get_hv_content(rad_request_hv, &vp)) > 0 ) {
+ if ((get_hv_content(request->packet, rad_request_hv, &vp)) > 0 ) {
pairfree(&request->packet->vps);
request->packet->vps = vp;
vp = NULL;
request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY);
}
- if ((get_hv_content(rad_reply_hv, &vp)) > 0 ) {
+ if ((get_hv_content(request->reply, rad_reply_hv, &vp)) > 0 ) {
pairfree(&request->reply->vps);
request->reply->vps = vp;
vp = NULL;
}
- if ((get_hv_content(rad_check_hv, &vp)) > 0 ) {
+ if ((get_hv_content(request, rad_check_hv, &vp)) > 0 ) {
pairfree(&request->config_items);
request->config_items = vp;
vp = NULL;
#ifdef WITH_PROXY
if (request->proxy &&
- (get_hv_content(rad_request_proxy_hv, &vp) > 0)) {
+ (get_hv_content(request->proxy, rad_request_proxy_hv, &vp) > 0)) {
pairfree(&request->proxy->vps);
request->proxy->vps = vp;
vp = NULL;
}
if (request->proxy_reply &&
- (get_hv_content(rad_request_proxy_reply_hv, &vp) > 0)) {
+ (get_hv_content(request->proxy_reply, rad_request_proxy_reply_hv, &vp) > 0)) {
pairfree(&request->proxy_reply->vps);
request->proxy_reply->vps = vp;
vp = NULL;
* in the string, like: H323-Attribute = "h323-attribute=value".
* This sort of behaviour is nonsense.
*/
-static void cisco_vsa_hack(VALUE_PAIR *vp)
+static void cisco_vsa_hack(REQUEST *request)
{
int vendorcode;
char *ptr;
char newattr[MAX_STRING_LEN];
+ VALUE_PAIR *vp;
- for ( ; vp != NULL; vp = vp->next) {
+ for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
vendorcode = vp->da->vendor;
if (!((vendorcode == 9) || (vendorcode == 6618))) continue; /* not a Cisco or Quintum VSA, continue */
gettoken(&p, newattr, sizeof(newattr));
if (dict_attrbyname(newattr) != NULL) {
- VALUE_PAIR *newvp;
-
- /*
- * Make a new attribute.
- */
- newvp = pairmake(newattr, ptr + 1, T_OP_EQ);
- if (newvp) {
- pairadd(&vp, newvp);
- }
+ pairmake_packet(newattr, ptr + 1, T_OP_EQ);
}
} else { /* h322-foo-bar = "h323-foo-bar = baz" */
/*
* We need to run this hack because the h323-conf-id
* attribute should be used.
*/
- cisco_vsa_hack(request->packet->vps);
+ cisco_vsa_hack(request);
}
if (data->with_alvarion_vsa_hack) {
* We need to run this hack because the h323-conf-id
* attribute should be used.
*/
- cisco_vsa_hack(request->packet->vps);
+ cisco_vsa_hack(request);
}
if (data->with_alvarion_vsa_hack) {
/* TODO: Convert this function to accept any iterable objects? */
-static void python_vptuple(VALUE_PAIR **vpp, PyObject *pValue,
+static void python_vptuple(TALLOC_CTX *ctx, VALUE_PAIR **vps, PyObject *pValue,
const char *funcname)
{
int i;
}
s1 = PyString_AsString(pStr1);
s2 = PyString_AsString(pStr2);
- vp = pairmake(s1, s2, op);
+ vp = pairmake(ctx, vps, s1, s2, op);
if (vp != NULL) {
- pairadd(vpp, vp);
radlog(L_DBG, "rlm_python:%s: '%s' = '%s'", funcname, s1, s2);
} else {
radlog(L_DBG, "rlm_python:%s: Failed: '%s' = '%s'", funcname, s1, s2);
/* Now have the return value */
ret = PyInt_AsLong(pTupleInt);
/* Reply item tuple */
- python_vptuple(&request->reply->vps,
+ python_vptuple(request->reply, &request->reply->vps,
PyTuple_GET_ITEM(pRet, 1), funcname);
/* Config item tuple */
- python_vptuple(&request->config_items,
+ python_vptuple(request, &request->config_items,
PyTuple_GET_ITEM(pRet, 2), funcname);
} else if (PyInt_CheckExact(pRet)) {
* entered.
*/
if (realm->name[0] != '~') realmname = realm->name;
- pairadd(&request->packet->vps, pairmake("Realm", realmname,
- T_OP_EQ));
+ pairmake_packet("Realm", realmname, T_OP_EQ);
RDEBUG2("Adding Realm = \"%s\"", realmname);
/*
}
/*
- * Add a "Proxy-To-Realm" attribute to the request.
- */
-static void add_proxy_to_realm(VALUE_PAIR **vps, REALM *realm)
-{
- VALUE_PAIR *vp;
-
- /*
- * Tell the server to proxy this request to another
- * realm.
- */
- vp = pairmake("Proxy-To-Realm", realm->name, T_OP_EQ);
- if (!vp) {
- radlog(L_ERR, "no memory");
- exit(1);
- }
-
- /*
- * Add it, even if it's already present.
- */
- pairadd(vps, vp);
-}
-
-/*
* Perform the realm module instantiation. Configuration info is
* stored in *instance for later use.
*/
*/
RDEBUG2("Preparing to proxy authentication request to realm \"%s\"\n",
realm->name);
- add_proxy_to_realm(&request->config_items, realm);
+ pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ);
return RLM_MODULE_UPDATED; /* try the next module */
}
*/
RDEBUG2("Preparing to proxy accounting request to realm \"%s\"\n",
realm->name);
- add_proxy_to_realm(&request->config_items, realm);
+ pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ);
return RLM_MODULE_UPDATED; /* try the next module */
}
*/
RDEBUG2("Preparing to proxy authentication request to realm \"%s\"\n",
realm->name);
- add_proxy_to_realm(&request->config_items, realm);
+ pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ);
return RLM_MODULE_UPDATED; /* try the next module */
}
/* Tuple to value pair conversion */
-static void add_vp_tuple(VALUE_PAIR **vpp, VALUE rb_value,
+static void add_vp_tuple(TALLOC_CTX *ctx, VALUE_PAIR **vpp, VALUE rb_value,
const char *function_name) {
int i, outertuplesize;
VALUE_PAIR *vp;
function_name, s1, s2);
/* xxx Might need to support other T_OP */
- vp = pairmake(s1, s2, T_OP_EQ);
+ vp = pairmake(ctx, vpp, s1, s2, T_OP_EQ);
if (vp != NULL) {
- pairadd(vpp, vp);
radlog(L_DBG, "%s: s1, s2 OK\n",
function_name);
} else {
rb_reply_items = rb_ary_entry(rb_result, 1);
rb_config_items = rb_ary_entry(rb_result, 2);
- add_vp_tuple(&request->reply->vps, rb_reply_items,
- function_name);
- add_vp_tuple(&request->config_items, rb_config_items,
- function_name);
+ add_vp_tuple(request->reply, &request->reply->vps,
+ rb_reply_items, function_name);
+ add_vp_tuple(request, &request->config_items,
+ rb_config_items, function_name);
}
} else if (FIXNUM_P(rb_result)) {
rcode = FIX2INT(rb_result);
* Generate State, since we've been asked to add it to
* the list.
*/
- state = pairmake("State", session->state, T_OP_EQ);
+ state = pairmake_reply("State", session->state, T_OP_EQ);
if (!state) return -1;
state->length = SECURID_STATE_LEN;
-
-
status = rbtree_insert(inst->session_tree, session);
if (status) {
/* tree insert SUCCESS */
return -1;
}
- pairadd(&(request->reply->vps), state);
-
return 0;
}
{
int rcode;
rlm_securid_t *inst = instance;
- VALUE_PAIR *vp;
char buffer[MAX_STRING_LEN]="";
const char *username=NULL, *password=NULL;
break;
}
- if (*buffer) {
- /* Generate Reply-Message attribute with reply message data */
- vp = pairmake("Reply-Message", buffer, T_OP_EQ);
-
- /* make sure message ends with '\0' */
- if (vp->length < (int) sizeof(vp->vp_strvalue)) {
- vp->vp_strvalue[vp->length] = '\0';
- vp->length++;
- }
- pairadd(&request->reply->vps,vp);
- }
+ if (*buffer) pairmake_reply("Reply-Message", buffer, T_OP_EQ);
+
return rcode;
}
static rlm_rcode_t sim_file_authorize(void *instance, REQUEST *request)
{
VALUE_PAIR *namepair;
- VALUE_PAIR *reply_tmp;
const char *name;
struct sim_file_instance *inst = instance;
VALUE_PAIR **reply_pairs;
- VALUE_PAIR **config_pairs;
FILE *triplets;
char tripbuf[sizeof("232420100000015,30000000000000000000000000000000,30112233,445566778899AABB")*2];
char imsi[128], chal[256], kc[128], sres[128];
int lineno;
reply_pairs = &request->reply->vps;
- config_pairs = &request->config_items;
/*
* Grab the canonical user name.
continue;
}
-
+ /* @todo: Fix this code to use pairmake? */
r = paircreate(request->reply, ATTRIBUTE_EAP_SIM_RAND1 + imsicount, 0);
pairparsevalue(r, chal);
pairadd(reply_pairs, r);
* and it will add the Autz-Type entry.
*/
- if((reply_tmp = pairmake ("EAP-Type", "SIM", T_OP_EQ)))
- {
- radlog(L_INFO, "rlm_sim_files: Adding EAP-Type: eap-sim");
- pairadd (config_pairs, reply_tmp);
- }
-
-#if 0
- DEBUG("rlm_sim_files: saw config");
- debug_pair_list(*config_pairs);
-
- DEBUG("rlm_sim_files: saw reply");
- debug_pair_list(*reply_pairs);
-#endif
+ pairmake_config("EAP-Type", "SIM", T_OP_EQ);
return RLM_MODULE_OK;
}
{
rlm_smsotp_t *inst = instance;
VALUE_PAIR *state;
- VALUE_PAIR *reply;
int bufsize;
int *fdp;
rlm_rcode_t rcode = RLM_MODULE_FAIL;
* Create the challenge, and add it to the reply.
*/
- reply = pairmake("Reply-Message", inst->challenge, T_OP_EQ);
- pairadd(&request->reply->vps, reply);
-
- state = pairmake("State", buffer, T_OP_EQ);
- pairadd(&request->reply->vps, state);
+ pairmake_reply("Reply-Message", inst->challenge, T_OP_EQ);
+ pairmake_reply("State", buffer, T_OP_EQ);
/*
* Mark the packet as an Access-Challenge packet.
DEBUG("rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type '%s'",inst->authtype);
pairdelete(&request->config_items, PW_AUTH_TYPE, 0, TAG_ANY); /* delete old auth-type */
- pairadd(&request->config_items, pairmake("Auth-Type", inst->authtype, T_OP_SET));
+ pairmake_config("Auth-Type", inst->authtype, T_OP_SET);
}
return RLM_MODULE_OK;
} else {
RDEBUG("SoH decoding NAP from DHCP request");
/* SoH payload */
- rcode = soh_verify(request, request->packet->vps, data, vlen);
+ rcode = soh_verify(request, data, vlen);
if (rcode < 0) {
return RLM_MODULE_FAIL;
}
RDEBUG("SoH radius VP found");
/* decode it */
- rv = soh_verify(request, request->packet->vps, vp->vp_octets, vp->length);
+ rv = soh_verify(request, vp->vp_octets, vp->length);
if (rv < 0) {
return RLM_MODULE_FAIL;
}
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
- sql_group = pairmake("Sql-Group", entry->name, T_OP_EQ);
+ sql_group = pairmake_packet("Sql-Group", entry->name, T_OP_EQ);
if (!sql_group) {
radlog_request(L_ERR, 0, request,
"Error creating Sql-Group attribute");
talloc_free(head);
return -1;
}
- pairadd(&request->packet->vps, sql_group);
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request,
"Error generating query; rejecting user");
talloc_free(head);
return -1;
}
- rows = sql_getvpdata(inst, &handle, &check_tmp, querystr);
+ rows = sql_getvpdata(inst, &handle, request, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving check pairs for group %s",
entry->name);
talloc_free(head);
return -1;
}
- if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
+ if (sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
entry->name);
/* Remove the grouup we added above */
talloc_free(head);
return -1;
}
- if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
+ if (sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
entry->name);
/* Remove the grouup we added above */
goto error;
}
- rows = sql_getvpdata(inst, &handle, &check_tmp, querystr);
+ rows = sql_getvpdata(inst, &handle, request, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
goto error;
}
- rows = sql_getvpdata(inst, &handle, &reply_tmp, querystr);
+ rows = sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
int sql_close_socket(rlm_sql_t *inst, rlm_sql_handle_t *handle);
rlm_sql_handle_t *sql_get_socket(rlm_sql_t *inst);
int sql_release_socket(rlm_sql_t *inst, rlm_sql_handle_t *handle);
-int sql_userparse(VALUE_PAIR **first_pair, rlm_sql_row_t row);
+int sql_userparse(TALLOC_CTX *ctx, VALUE_PAIR **first_pair, rlm_sql_row_t row);
int sql_read_realms(rlm_sql_handle_t *handle);
-int sql_getvpdata(rlm_sql_t *inst, rlm_sql_handle_t **handle, VALUE_PAIR **pair, char *query);
+int sql_getvpdata(rlm_sql_t *inst, rlm_sql_handle_t **handle, TALLOC_CTX *ctx, VALUE_PAIR **pair, char *query);
int sql_read_naslist(rlm_sql_handle_t *handle);
int sql_read_clients(rlm_sql_handle_t *handle);
int sql_dict_init(rlm_sql_handle_t *handle);
* Purpose: Read entries from the database and fill VALUE_PAIR structures
*
*************************************************************************/
-int sql_userparse(VALUE_PAIR **head, rlm_sql_row_t row)
+int sql_userparse(TALLOC_CTX *ctx, VALUE_PAIR **head, rlm_sql_row_t row)
{
VALUE_PAIR *vp;
const char *ptr, *value;
/*
* Create the pair
*/
- vp = pairmake(row[2], NULL, operator);
+ vp = pairmake(ctx, NULL, row[2], NULL, operator);
if (!vp) {
radlog(L_ERR, "rlm_sql: Failed to create the pair: %s",
fr_strerror());
* Purpose: Get any group check or reply pairs
*
*************************************************************************/
-int sql_getvpdata(rlm_sql_t * inst, rlm_sql_handle_t **handle, VALUE_PAIR **pair, char *query)
+int sql_getvpdata(rlm_sql_t * inst, rlm_sql_handle_t **handle,
+ TALLOC_CTX *ctx, VALUE_PAIR **pair, char *query)
{
rlm_sql_row_t row;
int rows = 0;
row = (*handle)->row;
if (!row)
break;
- if (sql_userparse(pair, row) != 0) {
+ if (sql_userparse(ctx, pair, row) != 0) {
radlog(L_ERR, "rlm_sql (%s): Error getting data from database", inst->config->xlat_name);
(inst->module->sql_finish_select_query)(*handle, inst->config);
* User is denied access, send back a reply message
*/
snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset);
- reply_item=pairmake("Reply-Message", msg, T_OP_EQ);
- pairadd(&request->reply->vps, reply_item);
+ pairmake_reply("Reply-Message", msg, T_OP_EQ);
RDEBUGE("Maximum %s usage time reached",
data->reset);
if (encrypted_pass[0] == 0)
return RLM_MODULE_NOOP;
- vp = pairmake("Crypt-Password", encrypted_pass, T_OP_SET);
+ vp = pairmake_config("Crypt-Password", encrypted_pass, T_OP_SET);
if (!vp) return RLM_MODULE_FAIL;
- pairadd(&request->config_items, vp);
-
return RLM_MODULE_UPDATED;
}
pairdelete(&request->reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
pairdelete(&request->reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
- vp = radius_pairmake(request, &request->reply->vps, "WiMAX-MSK", "0x00", T_OP_EQ);
+ vp = pairmake_reply("WiMAX-MSK", "0x00", T_OP_EQ);
if (vp) {
memcpy(vp->vp_octets, msk->vp_octets, msk->length);
vp->length = msk->length;
vp->vp_integer = counter;
vp->length = 4;
- radius_pairmake(request, &request->packet->vps, "Yubikey-Trigger",
+ pairmake_packet("Yubikey-Trigger",
yubikey_capslock(token.ctr) ? "keyboard" : "button",
T_OP_SET);
/*