2 * modules.c Radius module support.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
21 * Copyright 2000 Alan DeKok <aland@ox.org>
22 * Copyright 2000 Alan Curry <pacman@world.std.com>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/autoconf.h>
34 #include <freeradius-devel/radiusd.h>
35 #include <freeradius-devel/modpriv.h>
36 #include <freeradius-devel/modcall.h>
37 #include <freeradius-devel/rad_assert.h>
39 typedef struct indexed_modcallable {
42 modcallable *modulelist;
43 } indexed_modcallable;
46 * For each component, keep an ordered list of ones to call.
48 static lrad_hash_table_t *components;
50 static rbtree_t *module_tree = NULL;
52 typedef struct section_type_value_t {
56 } section_type_value_t;
60 * Ordered by component
62 static const section_type_value_t section_type_value[RLM_COMPONENT_COUNT] = {
63 { "authenticate", "Auth-Type", PW_AUTH_TYPE },
64 { "authorize", "Autz-Type", PW_AUTZ_TYPE },
65 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
66 { "accounting", "Acct-Type", PW_ACCT_TYPE },
67 { "session", "Session-Type", PW_SESSION_TYPE },
68 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
69 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
70 { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE },
76 static const section_type_value_t old_section_type_value[] = {
77 { "authenticate", "authtype", PW_AUTH_TYPE },
78 { "authorize", "autztype", PW_AUTZ_TYPE },
79 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },/* unused */
80 { "accounting", "acctype", PW_ACCT_TYPE },
81 { "session", "sesstype", PW_SESSION_TYPE },
82 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE }, /* unused */
83 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE }, /* unused */
84 { "post-auth", "post-authtype", PW_POST_AUTH_TYPE }
88 static void indexed_modcallable_free(void *data)
90 indexed_modcallable *c = data;
92 modcallable_free(&c->modulelist);
96 static uint32_t indexed_modcallable_hash(const void *data)
99 const indexed_modcallable *c = data;
101 hash = lrad_hash(&c->comp, sizeof(c->comp));
102 return lrad_hash_update(&c->idx, sizeof(c->idx), hash);
105 static int indexed_modcallable_cmp(const void *one, const void *two)
107 const indexed_modcallable *a = one;
108 const indexed_modcallable *b = two;
110 if (a->comp < b->comp) return -1;
111 if (a->comp > b->comp) return +1;
113 return a->idx - b->idx;
118 * Free a module instance.
120 static void module_instance_free(void *data)
122 module_instance_t *this = data;
124 if (this->entry->module->detach)
125 (this->entry->module->detach)(this->insthandle);
126 #ifdef HAVE_PTHREAD_H
130 * The mutex MIGHT be locked...
131 * we'll check for that later, I guess.
133 pthread_mutex_destroy(this->mutex);
142 * Compare two module entries
144 static int module_entry_cmp(const void *one, const void *two)
146 const module_entry_t *a = one;
147 const module_entry_t *b = two;
149 return strcmp(a->name, b->name);
153 * Free a module entry.
155 static void module_entry_free(void *data)
157 module_entry_t *this = data;
159 lt_dlclose(this->handle); /* ignore any errors */
165 * Remove the module lists.
167 int detach_modules(void)
169 lrad_hash_table_free(components);
170 rbtree_free(module_tree);
177 * Find a module on disk or in memory, and link to it.
179 static module_entry_t *linkto_module(const char *module_name,
180 const char *cffilename, int cflineno)
182 module_entry_t myentry;
183 module_entry_t *node;
185 char module_struct[256];
189 strlcpy(myentry.name, module_name, sizeof(myentry.name));
190 node = rbtree_finddata(module_tree, &myentry);
191 if (node) return node;
194 * Keep the handle around so we can dlclose() it.
196 handle = lt_dlopenext(module_name);
197 if (handle == NULL) {
198 radlog(L_ERR|L_CONS, "%s[%d] Failed to link to module '%s':"
199 " %s\n", cffilename, cflineno, module_name, lt_dlerror());
204 * Link to the module's rlm_FOO{} module structure.
206 * The module_name variable has the version number
207 * embedded in it, and we don't want that here.
209 strcpy(module_struct, module_name);
210 p = strrchr(module_struct, '-');
213 DEBUG3(" (Loaded %s, checking if it's valid)", module_name);
216 * libltld MAY core here, if the handle it gives us contains
219 module = lt_dlsym(handle, module_struct);
221 radlog(L_ERR|L_CONS, "%s[%d] Failed linking to "
222 "%s structure in %s: %s\n",
223 cffilename, cflineno,
224 module_name, cffilename, lt_dlerror());
229 * Before doing anything else, check if it's sane.
231 if ((*(const uint32_t *) module) != RLM_MODULE_MAGIC_NUMBER) {
233 radlog(L_ERR|L_CONS, "%s[%d] Invalid version in module '%s'",
234 cffilename, cflineno, module_name);
239 /* make room for the module type */
240 node = rad_malloc(sizeof(*node));
241 memset(node, 0, sizeof(*node));
242 strlcpy(node->name, module_name, sizeof(node->name));
243 node->module = module;
244 node->handle = handle;
246 DEBUG("Module: Loaded %s ", node->module->name);
249 * Add the module as "rlm_foo-version" to the configuration
252 if (!rbtree_insert(module_tree, node)) {
253 radlog(L_ERR, "Failed to cache module %s", module_name);
263 * Find a module instance.
265 module_instance_t *find_module_instance(CONF_SECTION *modules,
266 const char *instname)
269 const char *name1, *name2;
270 module_instance_t *node;
271 char module_name[256];
273 if (!modules) return NULL;
276 * Module instances are declared in the modules{} block
277 * and referenced later by their name, which is the
278 * name2 from the config section, or name1 if there was
281 cs = cf_section_sub_find_name2(modules, NULL, instname);
283 radlog(L_ERR|L_CONS, "ERROR: Cannot find a configuration entry for module \"%s\".\n", instname);
288 * If there's already a module instance, return it.
290 node = cf_data_find(cs, "instance");
291 if (node) return node;
293 name1 = cf_section_name1(cs);
294 name2 = cf_section_name2(cs);
297 * Found the configuration entry.
299 node = rad_malloc(sizeof(*node));
300 memset(node, 0, sizeof(*node));
302 node->insthandle = NULL;
305 * Names in the "modules" section aren't prefixed
306 * with "rlm_", so we add it here.
308 snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
310 node->entry = linkto_module(module_name,
311 mainconfig.radiusd_conf,
312 cf_section_lineno(cs));
315 /* linkto_module logs any errors */
320 * Call the module's instantiation routine.
322 if ((node->entry->module->instantiate) &&
323 ((node->entry->module->instantiate)(cs, &node->insthandle) < 0)) {
325 "%s[%d]: %s: Module instantiation failed.\n",
326 mainconfig.radiusd_conf, cf_section_lineno(cs),
333 * We're done. Fill in the rest of the data structure,
334 * and link it to the module instance list.
336 strlcpy(node->name, instname, sizeof(node->name));
338 #ifdef HAVE_PTHREAD_H
340 * If we're threaded, check if the module is thread-safe.
342 * If it isn't, we create a mutex.
344 if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
345 node->mutex = (pthread_mutex_t *) rad_malloc(sizeof(pthread_mutex_t));
347 * Initialize the mutex.
349 pthread_mutex_init(node->mutex, NULL);
352 * The module is thread-safe. Don't give it a mutex.
358 cf_data_add(cs, "instance", node, module_instance_free);
360 DEBUG("Module: Instantiated %s (%s) ", name1, node->name);
365 static indexed_modcallable *lookup_by_index(int comp, int idx)
367 indexed_modcallable myc;
372 return lrad_hash_table_finddata(components, &myc);
376 * Create a new sublist.
378 static indexed_modcallable *new_sublist(int comp, int idx)
380 indexed_modcallable *c;
382 c = lookup_by_index(comp, idx);
384 /* It is an error to try to create a sublist that already
385 * exists. It would almost certainly be caused by accidental
386 * duplication in the config file.
388 * index 0 is the exception, because it is used when we want
389 * to collect _all_ listed modules under a single index by
390 * default, which is currently the case in all components
391 * except authenticate. */
399 c = rad_malloc(sizeof(*c));
400 c->modulelist = NULL;
404 if (!lrad_hash_table_insert(components, c)) {
412 static int indexed_modcall(int comp, int idx, REQUEST *request)
415 indexed_modcallable *this;
417 this = lookup_by_index(comp, idx);
419 if (idx != 0) DEBUG2(" ERROR: Unknown value specified for %s. Cannot perform requested action.",
420 section_type_value[comp].typename);
421 request->component = section_type_value[comp].typename;
422 rcode = modcall(comp, NULL, request); /* does default action */
424 DEBUG2(" Processing the %s section of %s",
425 section_type_value[comp].section,
426 mainconfig.radiusd_conf);
427 request->component = section_type_value[comp].typename;
428 rcode = modcall(comp, this->modulelist, request);
430 request->module = "<server-core>";
431 request->component = "<server-core>";
436 * Load a sub-module list, as found inside an Auth-Type foo {}
439 static int load_subcomponent_section(modcallable *parent,
440 CONF_SECTION *cs, int comp,
441 const char *filename)
443 indexed_modcallable *subcomp;
446 const char *name2 = cf_section_name2(cs);
448 rad_assert(comp >= RLM_COMPONENT_AUTH);
449 rad_assert(comp <= RLM_COMPONENT_COUNT);
456 "%s[%d]: No name specified for %s block",
457 filename, cf_section_lineno(cs),
458 section_type_value[comp].typename);
465 ml = compile_modgroup(parent, comp, cs, filename);
471 * We must assign a numeric index to this subcomponent.
472 * It is generated and placed in the dictionary by
473 * setup_modules(), when it loads the sections. If it
474 * isn't found, it's a serious error.
476 dval = dict_valbyname(section_type_value[comp].attr, name2);
479 "%s[%d] %s %s Not previously configured",
480 filename, cf_section_lineno(cs),
481 section_type_value[comp].typename, name2);
482 modcallable_free(&ml);
486 subcomp = new_sublist(comp, dval->value);
489 "%s[%d] %s %s already configured - skipping",
490 filename, cf_section_lineno(cs),
491 section_type_value[comp].typename, name2);
492 modcallable_free(&ml);
496 subcomp->modulelist = ml;
500 static int load_component_section(modcallable *parent,
501 CONF_SECTION *cs, int comp,
502 const char *filename)
507 indexed_modcallable *subcomp;
509 const char *visiblename;
512 * Loop over the entries in the named section.
514 for (modref = cf_item_find_next(cs, NULL);
516 modref = cf_item_find_next(cs, modref)) {
517 CONF_PAIR *cp = NULL;
518 CONF_SECTION *scs = NULL;
521 * Look for Auth-Type foo {}, which are special
522 * cases of named sections, and allowable ONLY
525 * i.e. They're not allowed in a "group" or "redundant"
528 if (cf_item_is_section(modref)) {
529 const char *sec_name;
530 scs = cf_itemtosection(modref);
532 sec_name = cf_section_name1(scs);
535 section_type_value[comp].typename) == 0) {
536 if (!load_subcomponent_section(parent, scs,
539 return -1; /* FIXME: memleak? */
545 * Allow old names, too.
548 old_section_type_value[comp].typename) == 0) {
549 if (!load_subcomponent_section(parent, scs,
552 return -1; /* FIXME: memleak? */
557 } else if (cf_item_is_pair(modref)) {
558 cp = cf_itemtopair(modref);
560 continue; /* ignore it */
564 * Try to compile one entry.
566 this = compile_modsingle(parent, comp, modref, filename,
570 "%s[%d] Failed to parse %s section.\n",
571 filename, cf_section_lineno(cs),
572 cf_section_name1(cs));
576 if (comp == RLM_COMPONENT_AUTH) {
578 const char *modrefname = NULL;
582 modrefname = cf_pair_attr(cp);
583 lineno = cf_pair_lineno(cp);
585 modrefname = cf_section_name2(scs);
586 lineno = cf_section_lineno(scs);
589 "%s[%d] Failed to parse %s sub-section.\n",
591 cf_section_name1(scs));
596 dval = dict_valbyname(PW_AUTH_TYPE, modrefname);
599 * It's a section, but nothing we
602 radlog(L_ERR|L_CONS, "%s[%d] Unknown Auth-Type \"%s\" in %s sub-section.",
604 modrefname, section_type_value[comp].section);
609 /* See the comment in new_sublist() for explanation
610 * of the special index 0 */
614 subcomp = new_sublist(comp, idx);
615 if (subcomp == NULL) {
616 radlog(L_INFO|L_CONS,
617 "%s %s %s already configured - skipping",
618 filename, section_type_value[comp].typename,
620 modcallable_free(&this);
624 /* If subcomp->modulelist is NULL, add_to_modcallable will
626 visiblename = cf_section_name2(cs);
627 if (visiblename == NULL)
628 visiblename = cf_section_name1(cs);
629 add_to_modcallable(&subcomp->modulelist, this,
638 * Parse the module config sections, and load
639 * and call each module's init() function.
641 * Libtool makes your life a LOT easier, especially with libltdl.
642 * see: http://www.gnu.org/software/libtool/
644 int setup_modules(int reload)
647 CONF_SECTION *cs, *modules;
648 int do_component[RLM_COMPONENT_COUNT];
649 rad_listen_t *listener;
652 * If necessary, initialize libltdl.
656 * Set the default list of preloaded symbols.
657 * This is used to initialize libltdl's list of
660 * i.e. Static modules.
662 LTDL_SET_PRELOADED_SYMBOLS();
664 if (lt_dlinit() != 0) {
665 radlog(L_ERR|L_CONS, "Failed to initialize libraries: %s\n",
671 * Set the search path to ONLY our library directory.
672 * This prevents the modules from being found from
673 * any location on the disk.
675 lt_dlsetsearchpath(radlib_dir);
677 DEBUG2("Module: Library search path is %s",
678 lt_dlgetsearchpath());
681 * Set up the internal module struct.
683 module_tree = rbtree_create(module_entry_cmp,
684 module_entry_free, 0);
686 radlog(L_ERR|L_CONS, "Failed to initialize modules\n");
690 lrad_hash_table_free(components);
693 components = lrad_hash_table_create(indexed_modcallable_hash,
694 indexed_modcallable_cmp,
695 indexed_modcallable_free);
697 radlog(L_ERR|L_CONS, "Failed to initialize components\n");
702 * Figure out which sections to load.
704 memset(do_component, 0, sizeof(do_component));
705 for (listener = mainconfig.listen;
707 listener = listener->next) {
708 switch (listener->type) {
709 case RAD_LISTEN_AUTH:
710 do_component[RLM_COMPONENT_AUTZ] = 1;
711 do_component[RLM_COMPONENT_AUTH] = 1;
712 do_component[RLM_COMPONENT_POST_AUTH] = 1;
713 do_component[RLM_COMPONENT_SESS] = 1;
716 case RAD_LISTEN_DETAIL: /* just like acct */
717 case RAD_LISTEN_ACCT:
718 do_component[RLM_COMPONENT_PREACCT] = 1;
719 do_component[RLM_COMPONENT_ACCT] = 1;
722 case RAD_LISTEN_PROXY:
723 do_component[RLM_COMPONENT_PRE_PROXY] = 1;
724 do_component[RLM_COMPONENT_POST_PROXY] = 1;
733 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
735 * Have the debugging messages all in one place.
737 if (!do_component[comp]) {
738 DEBUG2("modules: Not loading %s{} section",
739 section_type_value[comp].section);
744 * Create any DICT_VALUE's for the types. See
745 * 'doc/configurable_failover' for examples of 'authtype'
746 * used to create new Auth-Type values. In order to
747 * let the user create new names, we've got to look for
748 * those names, and create DICT_VALUE's for them.
750 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
755 CONF_SECTION *sub, *next;
759 * Not needed, don't load it.
761 if (!do_component[comp]) {
764 cs = cf_section_find(section_type_value[comp].section);
771 * See if there's a sub-section by that
774 next = cf_subsection_find_next(cs, sub,
775 section_type_value[comp].typename);
778 * Allow some old names, too.
780 if (!next && (comp <= 4)) {
781 next = cf_subsection_find_next(cs, sub,
782 old_section_type_value[comp].typename);
787 * If so, look for it to define a new
790 name2 = cf_section_name2(sub);
791 if (!name2) continue;
795 * If the value already exists, don't
798 dval = dict_valbyname(section_type_value[comp].attr,
803 * Find the attribute for the value.
805 dattr = dict_attrbyvalue(section_type_value[comp].attr);
807 radlog(L_ERR, "%s[%d]: No such attribute %s",
808 mainconfig.radiusd_conf,
809 cf_section_lineno(sub),
810 section_type_value[comp].typename);
815 * Create a new unique value with a
816 * meaningless number. You can't look at
817 * it from outside of this code, so it
818 * doesn't matter. The only requirement
819 * is that it's unique.
822 value = lrad_rand() & 0x00ffffff;
823 } while (dict_valbyattr(dattr->attr, value));
825 if (dict_addvalue(name2, dattr->name, value) < 0) {
826 radlog(L_ERR, "%s", librad_errstr);
829 } while (sub != NULL);
832 * Loop over the non-sub-sections, too.
837 * See if there's a conf-pair by that
840 cp = cf_pair_find_next(cs, cp, NULL);
845 * If the value already exists, don't
848 name2 = cf_pair_attr(cp);
849 dval = dict_valbyname(section_type_value[comp].attr,
854 * Find the attribute for the value.
856 dattr = dict_attrbyvalue(section_type_value[comp].attr);
858 radlog(L_ERR, "%s[%d]: No such attribute %s",
859 mainconfig.radiusd_conf,
860 cf_section_lineno(sub),
861 section_type_value[comp].typename);
866 * Finally, create the new attribute.
869 value = lrad_rand() & 0x00ffffff;
870 } while (dict_valbyattr(dattr->attr, value));
871 if (dict_addvalue(name2, dattr->name, value) < 0) {
872 radlog(L_ERR, "%s", librad_errstr);
875 } while (cp != NULL);
876 } /* over the sections which can have redundent sub-sections */
879 * Remember where the modules were stored.
881 modules = cf_section_find("modules");
883 radlog(L_ERR, "Cannot find a \"modules\" section in the configuration file!");
888 * Look for the 'instantiate' section, which tells us
889 * the instantiation order of the modules, and also allows
890 * us to load modules with no authorize/authenticate/etc.
893 cs = cf_section_find("instantiate");
897 module_instance_t *module;
901 * Loop over the items in the 'instantiate' section.
903 for (ci=cf_item_find_next(cs, NULL);
905 ci=cf_item_find_next(cs, ci)) {
908 * Skip sections. They'll be handled
909 * later, if they're referenced at all...
911 if (cf_item_is_section(ci)) {
915 cp = cf_itemtopair(ci);
916 name = cf_pair_attr(cp);
917 module = find_module_instance(modules, name);
921 } /* loop over items in the subsection */
922 } /* if there's an 'instantiate' section. */
925 * Loop over all of the known components, finding their
926 * configuration section, and loading it.
928 for (comp = 0; comp < RLM_COMPONENT_COUNT; ++comp) {
929 cs = cf_section_find(section_type_value[comp].section);
933 if (!do_component[comp]) {
937 if (load_component_section(NULL, cs, comp, mainconfig.radiusd_conf) < 0) {
946 * Call all authorization modules until one returns
947 * somethings else than RLM_MODULE_OK
949 int module_authorize(int autz_type, REQUEST *request)
952 * Older versions of the server would pass proxy requests
953 * through the 'authorize' sections twice; once when the
954 * packet was received from the NAS, and again after the
955 * reply was received from the home server. Now that we
956 * have a 'post_proxy' section, the replies from the home
957 * server should be sent through that, instead of through
958 * the 'authorize' section again.
960 if (request->proxy != NULL) {
961 DEBUG2(" authorize: Skipping authorize in post-proxy stage");
962 return RLM_MODULE_NOOP;
965 return indexed_modcall(RLM_COMPONENT_AUTZ, autz_type, request);
969 * Authenticate a user/password with various methods.
971 int module_authenticate(int auth_type, REQUEST *request)
973 return indexed_modcall(RLM_COMPONENT_AUTH, auth_type, request);
977 * Do pre-accounting for ALL configured sessions
979 int module_preacct(REQUEST *request)
981 return indexed_modcall(RLM_COMPONENT_PREACCT, 0, request);
985 * Do accounting for ALL configured sessions
987 int module_accounting(int acct_type, REQUEST *request)
989 return indexed_modcall(RLM_COMPONENT_ACCT, acct_type, request);
993 * See if a user is already logged in.
995 * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
997 int module_checksimul(int sess_type, REQUEST *request, int maxsimul)
1001 if(!request->username)
1004 request->simul_count = 0;
1005 request->simul_max = maxsimul;
1006 request->simul_mpp = 1;
1008 rcode = indexed_modcall(RLM_COMPONENT_SESS, sess_type, request);
1010 if (rcode != RLM_MODULE_OK) {
1011 /* FIXME: Good spot for a *rate-limited* warning to the log */
1015 return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
1019 * Do pre-proxying for ALL configured sessions
1021 int module_pre_proxy(int type, REQUEST *request)
1023 return indexed_modcall(RLM_COMPONENT_PRE_PROXY, type, request);
1027 * Do post-proxying for ALL configured sessions
1029 int module_post_proxy(int type, REQUEST *request)
1031 return indexed_modcall(RLM_COMPONENT_POST_PROXY, type, request);
1035 * Do post-authentication for ALL configured sessions
1037 int module_post_auth(int postauth_type, REQUEST *request)
1039 return indexed_modcall(RLM_COMPONENT_POST_AUTH, postauth_type, request);