MAKE = @MAKE@
CC = @CC@
RANLIB = @RANLIB@
-INCLUDE =
+INCLUDE =
CFLAGS = $(INCLUDE) @CFLAGS@
CPPFLAGS = @CPPFLAGS@
LIBPREFIX = @LIBPREFIX@
-EXEEXT = @EXEEXT@
+EXEEXT = @EXEEXT@
LIBTOOL = @LIBTOOL@
ACLOCAL = @ACLOCAL@
my $session = Net::Telnet::Cisco->new(Host => $host);
$session->login($login, $passwd);
- if ($port >= 20000){
+ if ($port >= 20000){
my @output = $session->cmd("sh caller user $username");
foreach $line (@output){
if ($line =~ /User: $username, line (Vi\d+),/){
#
# Defaults:
# radius.log: none
-# admin.conf: /usr/local/dialup_admin/conf/admin.conf
+# admin.conf: /usr/local/dialup_admin/conf/admin.conf
# all: no. Go to the end of the file. Don't read it all.
use Date::Manip qw(ParseDate UnixDate);
for(;;){
while(<LOG>){
if ($verbose > 1) { print STDOUT "DEBUG: Reading $file\n" }
- $do=0;
+ $do=0;
chomp;
next if ($regexp ne '' && !/$regexp/);
if ($_ ne ''){
"v90",
"v27ter",
);
-
+
@Protocol = (
"error",
"normal",
"ara20",
"unknown",
);
-#DEBUG#print "$snmpwalkcmd enterprises.9.2.9.2.1.18 | grep $user\n";
+#DEBUG#print "$snmpwalkcmd enterprises.9.2.9.2.1.18 | grep $user\n";
$modem=`$snmpwalkcmd enterprises.9.2.9.2.1.18 | grep $user`;
if($modem=~/enterprises\.9\.2\.9\.2\.1\.18\.(\d+) =/){
$modem=$1;
$port=$modem%120-1;
$modem="$slot.$port";
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.9.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.9.$modem\n";
$duration=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.9.$modem` or die "No MIB\n";
$duration=~/\) (.*)\./;
$duration=$1;
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.12.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.12.$modem\n";
$modulation=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.12.$modem` or die "No MIB\n";
$modulation=~/ \= (\d+)/;
$modulation=$ModulationScheme[$1];
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.13.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.13.$modem\n";
$protocol=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.13.$modem` or die "No MIB\n";
$protocol=~/ \= (\d+)/;
$protocol=$Protocol[$1];
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.14.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.14.$modem\n";
$txrate=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.14.$modem` or die "No MIB\n";
$txrate=~/Gauge32\: (\d+)/;
$txrate=$1;
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.15.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.15.$modem\n";
$rxrate=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.15.$modem` or die "No MIB\n";
$rxrate=~/Gauge32\: (\d+)/;
$rxrate=$1;
-#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.17.$modem\n";
+#DEBUG#print "$snmpgetcmd enterprises.9.9.47.1.3.1.1.17.$modem\n";
$rxsignal=`$snmpgetcmd enterprises.9.9.47.1.3.1.1.17.$modem` or die "No MIB\n";
# $rxsignal=~ s/INTEGER\://;
$rxsignal=~/ \= (.*)\n/;
while(<>){
chomp;
`$sqlrelay '$host' '$port' '$socket' '$user' '$passwd' '$_'`;
- $exit = $? >> 8;
+ $exit = $? >> 8;
if ($exit != 0){
exit $exit;
}
$this->item=$item;
$this->operator=$operator;
}
-
+
function show() { global $operators;
global $items;
$nam = $this->item;
</td></tr>
EOM;
}
-
+
function get($designator) { global ${"item_of_$designator"};
global ${"value_of_$designator"};
global ${"operator_of_$designator"};
$this->operator=${"operator_of_$designator"};
$this->item=${"item_of_$designator"};
}
- }
+ }
function query(){
global $operators;
global $items;
while (${"item_of_w$number"}) {
if(${"delete_w$number"}==1) {$offset=1;$number++;}
else {
- $designator=$number-$offset;
+ $designator=$number-$offset;
${"w$designator"} = new Qi("w$designator","","");
${"w$designator"}->get("w$number");
${"w$designator"}->show();
$number++;
}
}
-if($add==1) {
+if($add==1) {
${"w$number"} = new Qi("w$number","$item_name","$operators[0]");
${"w$number"}->show();
}
include("../html/buttons/default/buttons.html.php3");
}
}
-else{
+else{
if (is_file("../html/buttons/default/buttons.html.php3"))
include("../html/buttons/default/buttons.html.php3");
}
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
EOM;
-
+
if ($drop_conns == 1){
$method = 'snmp';
$nastype = 'cisco';
<select name="radius_attr" editable>
EOM;
foreach($show_attrs as $key => $desc)
- echo "<option $selected[$key] value=\"$key\">$desc\n";
+ echo "<option $selected[$key] value=\"$key\">$desc\n";
echo <<<EOM
</select>
</td>
include("../lib/$config[general_lib_type]/group_info.php3");
}
?>
-
-
+
+
<form method=post>
<input type=hidden name=login value=<?php echo $login ?>>
<input type=hidden name=do_changes value=0>
Group Members (Check to Delete)
</td>
<td>
-<select name=del_members[] multiple size=5>
+<select name=del_members[] multiple size=5>
<?php
foreach ($group_members as $member){
echo "<option value=\"$member\">$member\n";
<tr bgcolor="black" valign=top><td colspan=2>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
-
+
<?php
if (is_file("../lib/$config[general_lib_type]/group_info.php3"))
include("../lib/$config[general_lib_type]/group_info.php3");
if (!isset($existing_groups))
echo "<b>No groups available</b>\n";
else{
- echo "<select name=\"existing_groups\">\n";
+ echo "<select name=\"existing_groups\">\n";
foreach ($existing_groups as $group => $count)
echo "<option value=\"$group\">$group\n";
echo "</select>\n";
<textarea name=members cols="15" wrap="PHYSICAL" rows=5></textarea>
</td>
</tr>
-
+
EOM;
foreach($show_attrs as $key => $desc){
$name = $attrmap["$key"];
$rulestr = "$rule";
else
$rulestr .= ",$rule";
-}
+}
if ($update == 1 && $val != '')
echo <<<EOM
<script language="JavaScript1.1" type="text/javascript">
echo "</select>\n";
}
else
- echo "<i>No rules available</i><br>\n";
+ echo "<i>No rules available</i><br>\n";
?>
</td></tr>
<tr><td colspan=5 align=center><?php echo $err_msg ?></td></tr>
NAS List
</td>
<td>
-<select name=selected_nas size=5 OnChange="this.form.select_nas.value=1;this.form.submit()">
+<select name=selected_nas size=5 OnChange="this.form.select_nas.value=1;this.form.submit()">
<?php
foreach ($my_nas_list as $member){
$name = $member[name];
echo <<<EOM
<tr>
<td align=right bgcolor="#d0ddb0">
-NAS Name
+NAS Name
</td>
<td>
<input type=text name=nasname size=40 value="$array[name]" $readonly>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
<table border=1 bordercolordark=#ffffe0 bordercolorlight=#000000 width=100% cellpadding=2 cellspacing=0 bgcolor="#ffffe0" valign=top>
- <tr><td align=center bgcolor="#d0ddb0">Password</td><td><input type="password" name="passwd" value=""> <input type="submit" class=button value="check"></td></tr>
+ <tr><td align=center bgcolor="#d0ddb0">Password</td><td><input type="password" name="passwd" value=""> <input type="submit" class=button value="check"></td></tr>
</table>
</table>
</table>
$counter = $after_time + 86400;
$i = 1;
while($counter < $before_time){
- $days[$i++] = date($config[sql_date_format],$counter);
+ $days[$i++] = date($config[sql_date_format],$counter);
$counter += 86400;
}
$days[$i] = $before;
else
$search = @da_sql_query($link,$config,
"SELECT $res[1],$res[2],$res[3] FROM $config[sql_accounting_table]
- $sql_val[user] AND acctstoptime >= '$day 00:00:00'
+ $sql_val[user] AND acctstoptime >= '$day 00:00:00'
AND acctstoptime <= '$day 23:59:59' $s $sql_extra_query;");
if ($search){
$row = @da_sql_fetch_array($search,$config);
$remaining = $remaining - $lastlog_session_time;
if ($remaining < 0)
$remaining = 0;
- $log_color = ($remaining) ? 'green' : 'red';
+ $log_color = ($remaining) ? 'green' : 'red';
}
$lastlog_session_time_jvs = 1000 * $lastlog_session_time;
$lastlog_session_time = time2strclock($lastlog_session_time);
- $lastlog_client_ip = $row['framedipaddress'];
+ $lastlog_client_ip = $row['framedipaddress'];
$lastlog_server_name = @gethostbyaddr($lastlog_server_ip);
$lastlog_client_name = @gethostbyaddr($lastlog_client_ip);
$lastlog_callerid = $row['callingstationid'];
$lastlog_server_ip = $row['nasipaddress'];
$lastlog_server_port = $row['nasportid'];
$lastlog_session_time = time2str($row['acctsessiontime']);
- $lastlog_client_ip = $row['framedipaddress'];
+ $lastlog_client_ip = $row['framedipaddress'];
$lastlog_server_name = ($lastlog_server_ip != '') ? @gethostbyaddr($lastlog_server_ip) : '-';
$lastlog_client_name = ($lastlog_client_ip != '') ? @gethostbyaddr($lastlog_client_ip) : '-';
$lastlog_callerid = $row['callingstationid'];
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
EOM;
-
+
if ($delete_user == 1){
if ($user_type != 'group'){
if (is_file("../lib/$config[general_lib_type]/delete_user.php3"))
if ($user_type != 'group')
include("../html/user_toolbar.html.php3");
else
- include("../html/group_toolbar.html.php3");
+ include("../html/group_toolbar.html.php3");
print <<<EOM
</table>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
EOM;
-
+
if ($change == 1){
if (is_file("../lib/$config[general_lib_type]/change_attrs.php3"))
include("../lib/$config[general_lib_type]/change_attrs.php3");
if ($user_type != 'group'){
- if ($config[general_show_user_password] != 'no' && $passwd != ''
+ if ($config[general_show_user_password] != 'no' && $passwd != ''
&& is_file("../lib/$config[general_lib_type]/change_passwd.php3"))
include("../lib/$config[general_lib_type]/change_passwd.php3");
if (is_file("../lib/$config[general_lib_type]/user_info.php3"))
if (is_file("../lib/add_badusers.php3"))
include("../lib/add_badusers.php3");
}
-
+
?>
<form name="edituser" method=post>
<input type=hidden name=login value=<?php print $login ?>>
$vals[] = $default_vals["$key"][$i];
$ops[] = $default_vals["$key"][operator][$i];
}
- }
+ }
if ($add && $name == $add_attr){
$vals[] = $default_vals["$key"][0];
$ops[] = ($default_vals["$key"][operator][0] != '') ? $default_vals["$key"][operator][0] : '=';
<tr bgcolor="black" valign=top><td colspan=2>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
-
+
<form method=post>
<input type=hidden name=login value="<?php echo $login?>">
<input type=hidden name=change value="0">
<tr bgcolor="black" valign=top><td colspan=2>
<table border=0 width=100% cellpadding=12 cellspacing=0 bgcolor="#ffffd0" valign=top>
<tr><td>
-
+
<?php
if ($create == 1){
if (is_file("../lib/$config[general_lib_type]/user_info.php3"))
$req=file($config[general_auth_request_file]);
if ($config[general_ld_library_path] != '')
putenv("LD_LIBRARY_PATH=$config[general_ld_library_path]");
- $comm = $config[general_radclient_bin] . " $server:$port" . ' auth ' . $config[general_radius_server_secret]
+ $comm = $config[general_radclient_bin] . " $server:$port" . ' auth ' . $config[general_radius_server_secret]
. ' >' . $tmp_file;
$fp = popen("$comm","w");
if ($fp){
<tr>
<td colspan=2>
<center>
- statistics for
+ statistics for
<?php
if ($login == '')
echo <<<EOM
<tr> <td colspan=2><hr size=1 noshade>
</td>
</tr>
-
+
</table>
</td>
</tr>
<!--
var start;
var our_time;
-
- function startcounter()
+
+ function startcounter()
{
var start_date = new Date();
start = start_date.getTime();
{
var now_date = new Date();
var diff = now_date.getTime() - start + our_time;
-
+
var hours = parseInt(diff / 3600000);
if(isNaN(hours)) hours = 0;
-
+
var minutes = parseInt((diff % 3600000) / 60000);
if(isNaN(minutes)) minutes = 0;
-
+
var seconds = parseInt(((diff % 3600000) % 60000) / 1000);
if(isNaN(seconds)) seconds = 0;
-
+
var timeValue = " " ;
timeValue += ((hours < 10) ? "0" : "") + hours;
timeValue += ((minutes < 10) ? ":0" : ":") + minutes;
timeValue += ((seconds < 10) ? ":0" : ":") + seconds;
-
+
document.online.status.value = timeValue;
setTimeout("showcounter()", 1000);
}
</td></tr>
<tr><td align=center bgcolor="#d0ddb0">
Connection Duration
- </td><td>
+ </td><td>
<input type="text" name="status" size=10 value="$lastlog_session_time">
</form>
</td></tr>
<tr><td align=center bgcolor="#d0ddb0">Average Upload</td><td>
$avg_input</td></tr></td></tr>
<tr><td align=center bgcolor="#d0ddb0">Average Download</td><td>
- $avg_output</td></tr></td></tr>
+ $avg_output</td></tr></td></tr>
</table>
</table>
</table>
echo <<<EOM
<tr><td align=center bgcolor="#d0ddb0">
Server
- </td><td>
+ </td><td>
<b>$lastlog_server_name</b> ($lastlog_server_ip)
</td></tr>
<tr><td align=center bgcolor="#d0ddb0">
$i = 0;
$j = -1;
$name = $attrmap["$key"] . $i;
-
+
while (isset($$name)){
$val = $$name;
$i++;
// if values is the same as the default or if the value is null and the ldap attribute exists
// then delete them
//
- if ((check_defaults($val,'',$default_vals["$key"]) || $val == '') &&
+ if ((check_defaults($val,'',$default_vals["$key"]) || $val == '') &&
isset($item_vals["$key"][$j]))
$del[$attrmap["$key"]][] = $item_vals["$key"][$j];
//
$mod['givenname'] = ($decode_normal) ? encode_string($mod['givenname'],$k) : $mod['givenname'];
$mod['sn'] = $sn;
$mod['sn'] = ($decode_normal) ? encode_string($mod['sn'],$k) : $mod['sn'];
-
+
}
if ($Fmail != '' && $Fmail != '-' && $Fmail != $mail)
$mod['mail'] = $Fmail;
return FALSE;
return FALSE;
-}
+}
function closedb($ds,$config)
{
function check_operator($op,$type)
{
switch($op){
- case '=':
+ case '=':
case ':=':
case '+=':
return 0;
if (!$res || !@da_sql_affected_rows($link,$res,$config))
echo "<b>Delete failed for attribute $key: " . da_sql_error($link,$config) . "</b><br>\n";
}
- // if value is null or equals the default value then don't add it
+ // if value is null or equals the default value then don't add it
else if ($val == '' || check_defaults($val,$op_val,$default_vals["$key"]))
continue;
// if value differs from the sql value then update
}
else
echo "<b>Cannot use the user info table. Check the sql_use_user_info_table directive in admin.conf</b><br>\n";
-
+
}
else
echo "<b>Could not connect to SQL database</b><br>\n";
"UPDATE $config[sql_check_table] SET value = '$passwd' $text3 WHERE
attribute = '$config[sql_password_attribute]' AND username = '$login';");
if (!$res || !@da_sql_affected_rows($link,$res,$config))
- echo "<b>Error while changing password: " . da_sql_error($link,$config) . "</b><br>\n";
+ echo "<b>Error while changing password: " . da_sql_error($link,$config) . "</b><br>\n";
}
else{
$res = @da_sql_query($link,$config,
$Fou = da_sql_escape_string($Fou);
$Fhomephone = da_sql_escape_string($Fhomephone);
$Fworkphone = da_sql_escape_string($Fworkphone);
- $Fmobile = da_sql_escape_string($Fmobile);
+ $Fmobile = da_sql_escape_string($Fmobile);
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_user_info_table]
(username,name,mail,department,homephone,workphone,mobile) VALUES
foreach ($member_groups as $group)
$in .= "'$group',";
$in = substr($in,0,-1);
- $in .= ')';
+ $in .= ')';
$res = @da_sql_query($link,$config,
"SELECT attribute,value $op FROM $config[sql_groupcheck_table]
WHERE groupname IN $in;");
function da_sql_list_fields($table,$link,$config)
{
- $res = @dbx_query($link,"SELECT * FROM ".$table." LIMIT 1 ;");
+ $res = @dbx_query($link,"SELECT * FROM ".$table." LIMIT 1 ;");
if ($res){
$fields[num] = $res->cols;
}
function da_sql_num_rows($statement,$config)
{
// Unfortunately we need to fetch the statement as ocirowcount doesn't work on SELECTs
- $rows = OCIFetchStatement($statement,$res);
+ $rows = OCIFetchStatement($statement,$res);
if ($config[sql_debug] == 'true'){
print "<b>DEBUG(SQL,OCI DRIVER): Query Result: Num rows:: " . $rows . "</b><br>\n";
}
// Unfortunately we need to re-execute because the statement cursor is reset after OCIFetchStatement :-(
- OCIExecute($statement);
+ OCIExecute($statement);
return $rows;
}
function da_sql_field_name($fields,$num,$config)
{
if ($fields){
- $row = @pg_fetch_row($fields[res],$num);
+ $row = @pg_fetch_row($fields[res],$num);
if ($row)
return $row[0];
}
return '';
case 2:
return "LIMIT $limit";
- }
+ }
}
function da_sql_host_connect($server,$config)
$max = 10;
if ($max > 500)
$max = 10;
- if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username') &&
+ if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username') &&
$config[sql_use_user_info_table] == 'true'){
$res = @da_sql_query($link,$config,
"SELECT " . da_sql_limit($max,0,$config) . " username FROM $config[sql_user_info_table] WHERE
$row = @da_sql_fetch_array($res,$config);
if ($row)
return $row[name];
- }
+ }
}
}
if ($res){
if (@da_sql_num_rows($res,$config))
echo "<b>User $new_member already is a member of the group</b><br>\n";
- else{
+ else{
$res = @da_sql_query($link,$config,
"INSERT INTO $config[sql_usergroup_table] (groupname,username)
VALUES ('$login','$new_member');");
$member = $row[username];
$group_members[] = "$member";
}
- }
+ }
else
echo "<b>Database query failed partially: " . da_sql_error($link,$config) . "</b><br>\n";
if (isset($tmp)){
$NAS_ARR = split(',',$mappings[$auth_user][nasdb]);
$extra = 'WHERE nasname IN (';
foreach ($NAS_ARR as $nas)
- $extra .= "'$nasname',";
+ $extra .= "'$nasname',";
unset($NAS_ARR);
$extra = rtrim($extra,",");
- $extra .= ')';
+ $extra .= ')';
}
$search = @da_sql_query($link,$config,
"SELECT * FROM $config[sql_nas_table] $extra;");
$user_exists = 'yes';
$user_info = 1;
}
- if (($row = @da_sql_fetch_array($res,$config))){
+ if (($row = @da_sql_fetch_array($res,$config))){
$cn = ($row[name] != '') ? $row[name] : '-';
$telephonenumber = ($row[workphone] != '') ? $row[workphone] : '-';
$homephone = ($row[homephone] != '') ? $row[homephone] : '-';
$mail = ($row[mail] != '') ? $row[mail] : '-';
$mobile = ($row[mobile] != '') ? $row[mobile] : '-';
}
- }
+ }
else
echo "<b>Database query failed partially: " . da_sql_error($link,$config) . "</b><br>\n";
}
* This trigger updates fills in the groupname field (which doesnt come in Accounting packets)
* by querying the radusergroup table.
* This makes it easier to do group summary reports, however note that it does add some extra
- * database load to 50% of your SQL accounting queries. If you dont care about group summary
+ * database load to 50% of your SQL accounting queries. If you dont care about group summary
* reports then you dont need to install this.
*
*/
# Check the RADIUS server configuration files.
#
# If everything is OK, this script exits without an error.
-#
+#
# If there was an error parsing the configuration files, this script
# prints the errors to the screen, and exits with an error.
#
while (<OLD>) {
next if (/^\s*\#/);
next if (/^\s*$/);
-
+
split;
if (!defined $clients{$_[0]}) {
$num--;
next;
}
- $userlist{$username} = 1;
-
+ $userlist{$username} = 1;
+
# generate password
$password = "";
for($i=0; $i<rand($passlen)+2; $i++) {
printf RAD "User-Name=$username, User-Password=$password,NAS-IP-Address=127.0.0.1,NAS-Port-Id=0\n\n";
print NOCRYPT "$username:$password\n";
print USERS "$username Auth-Type:=Local, User-Password==\"$password\"\n\tClass=\"0x$num\"\n\n";
-}
-
+}
+
close(PASS);
close(SHAD);
close(RAD);
$processed{$file}++;
open FILE, "<$file" or die "Failed to open $file: $!\n";
-
+
$line = 0;
while (<FILE>) {
$line++;
-
+
next if (!/^\s*\#\s*include\s+/);
-
+
if (/^\s*\#\s*include\s+"(.+?)"/) {
$refs{$file}{$1} = $line;
$include{$1}++;
}
}
-
+
close FILE;
}
#
# Where include files are located.
#
-# FIXME:
+# FIXME:
#
@directories = ("src/lib", "src");
$do_it = 0;
if (!$do_it) {
foreach $file (sort keys %duplicate) {
print $file, "\n";
-
+
foreach $inc (sort keys %{$duplicate{$file}}) {
print "\t[", $refs{$file}{$inc}, "] ", $inc, " (", $duplicate{$file}{$inc}, " at ", $refs{$file}{$duplicate{$file}{$inc}}, ")\n";
}
foreach $file (sort keys %duplicate) {
open FILE, "<$file" or die "Failed to open $file: $!\n";
open OUTPUT, ">$file.tmp" or die "Failed to create $file.tmp: $!\n";
-
+
$line = 0;
while (<FILE>) {
$line++;
# -----------------------------------------------------------------------
-# TODO:
+# TODO:
# currently does not encrypt passwords (takes them from outside file)
# Command line options
getopts('dpmf:');
$debug = $opt_d;
-%passwords;
+%passwords;
# This might or might not be necessary depending if your LDAP server
# when importing from ldif introduces crypted passwords in the LDAP db
# (not necessary for Netscape's Directory Server)
# { "radiusLoginLATPort", "Login-LAT-Port" },
# You can change to the mappings below like this
# cat radius2ldif.pl | grep ^# | \
-# perl -ne 'if ( /\{ \"(.*?)\", \"(.*?)\" \}/ ) \
+# perl -ne 'if ( /\{ \"(.*?)\", \"(.*?)\" \}/ ) \
# { $attr=lc $2; print "\$mapping{\"$attr\"} = \"$1\";\n" ; } '
# Warning: sometimes password must be encrypted before sent to the LDAP
# Which Perl libraries are available? Only way I find is through
-# Netscape's NDS getpwenc.
-# However NDS does the cyphering even if sending plain passwords
+# Netscape's NDS getpwenc.
+# However NDS does the cyphering even if sending plain passwords
# (do all LDAP's do this?)
# TODO: test with OpenLDAP
$mapping{'password'} = "userpassword";
}
# Start line is hardcoded must be uid followed by password
# this could be changed to use any other parameter however
- if ( $line =~ /^(\w+)\s*\t*(?:User-)?Password=(\w+)/ ) {
+ if ( $line =~ /^(\w+)\s*\t*(?:User-)?Password=(\w+)/ ) {
$uid = $1;
$password= $2;
$password = $passwords{$password} if $opt_f;
$dn=$predn.$uid.$basedn; # Start of LDIF entry
$header = "$dn\n";
push @userlist, $dn;
- if ( $opt_m ) {
+ if ( $opt_m ) {
$header= $header."changetype: modify\n";
} else {
for (my $i=0; $i < $#objectClass+1; $i++) {
}
} # of if line
} # of if startentry
-
+
} # of while
print "undefined parameter!\n";
return undef;
};
-
+
$attr = $_[0];
$val = $_[1];
-
+
if ($attr !~ /Password|Framed-IP-Address|Framed-IP-Netmask|Framed-IP-Routing|Framed-Routing|Framed-IP-Route|Password|Simultaneous-Use|Idle-Timeout|Auth-Type|Service-Type|Netmask|Framed-Protocol/ ) {
print "unrecognized attribute: $attr\n" if $debug>1;
return undef;
};
-
+
return undef if ( (! defined($val) ) or
( ($attr =~ /Simultaneous\-Use/i) && ( $val !~ /^[0-9]*$/ ) )
);
$duser=$_[1];
$dattrib=$_[2];
$dval=$_[3];
-
+
print "inserting \"$dattrib\", \"$dval\" for \"$duser\" in rad$dtable\n" if ( $dtable !~ /group/ and $debug>2);
print "inserting \"$duser\" into usergroup table as member of \"$dattrib\"\n" if ( $dtable =~ /group/ and $debug>2);
-
+
if ( $dtable =~ /group/ ) {
$table = "usergroup";
} elsif ( $dtable =~ /check/ ) {
} else {
die "argh! what table is $dtable?\n";
};
-
+
if ( $table =~ /usergroup/ ) {
if ( $dattrib =~ /static/ ) {
$return = $database->do ("DELETE FROM `$table` WHERE `UserName`='$duser' LIMIT 1");
};
$return = $database->do ("INSERT INTO `$table` SET `UserName`='$duser',`GroupName`='$dattrib'");
-
+
} else {
$return = $database->do ("INSERT INTO `$table` SET `UserName`='$duser',`Attribute`='$dattrib',`Value`='$dval', `op`=':='");
};
next if ( /^\#/ );
next if ( /^$/ );
next if ( /^\s*$/ );
-
+
if ( /^[a-zA-Z0-9]+/ ) {
print "located a user entry: $_\n" if $debug>6;
($user,$rest) = split /\s/, $_, 2;
# Already found the user, now finding attributes...
@attribs = $_;
};
-
+
foreach $attr (@attribs) {
($attrib,$value) = split /=/, $attr, 2;
#TODO: insert sanity checks here!
next;
};
print "attrib: $attrib has value: $value\n" if $debug>8;
-
+
if ( $attrib =~ /Framed-IP-Address/ ) {
#user is a static IP user...
$static{$user} = 1;
user_attribute("group",$user,"static","");
};
-
+
if ( $attrib =~ /Password|Simultaneous-Use/ ) {
#This is an individual check attribute, so we'll pass it along...
user_attribute("check",$user,$attrib,$value);
user_attribute("reply",$user,$attrib,$value);
};
};
-
+
};
close USERS;
# query string of %u, but note for convenience
# without the leading "/".
# %t - matched destination group or "unknown"
-# %u - requested URL
-# %% - single '%'
+# %u - requested URL
+# %% - single '%'
#
ATTRIBUTE ASN-Webfilter-Redirect 114 string
#
##############################################################################
-VENDOR HP 11
+VENDOR HP 11
# Management authorization
BEGIN-VENDOR HP
-#
-# dictionary.patton
+#
+# dictionary.patton
# Dictionary for Patton IADs.
# Written by Pawel Pierscionek <pawel@voiceworks.pl>
# based on specifications available from vendor
# Version: @(#)dictionary.patton 1.00 urtho 08-Sep-2006
# $Id$
-VENDOR Patton 1768
+VENDOR Patton 1768
BEGIN-VENDOR Patton
-ATTRIBUTE Patton-Setup-Time 32 string
-ATTRIBUTE Patton-Connect-Time 33 string
+ATTRIBUTE Patton-Setup-Time 32 string
+ATTRIBUTE Patton-Connect-Time 33 string
ATTRIBUTE Patton-Disconnect-Time 34 string
ATTRIBUTE Patton-Disconnect-Cause 35 integer
ATTRIBUTE Patton-Disconnect-Source 36 string
-ATTRIBUTE Patton-Called-Unique-Id 48 string
+ATTRIBUTE Patton-Called-Unique-Id 48 string
ATTRIBUTE Patton-Called-IP-Address 49 ipaddr
ATTRIBUTE Patton-Called-Numbering-Plan 50 string
ATTRIBUTE Patton-Called-Type-Of-Number 51 string
ATTRIBUTE Patton-Calling-Unique-Id 80 string
-ATTRIBUTE Patton-Calling-IP-Address 81 ipaddr
+ATTRIBUTE Patton-Calling-IP-Address 81 ipaddr
ATTRIBUTE Patton-Calling-Numbering-Plan 82 string
ATTRIBUTE Patton-Calling-Type-Of-Number 83 string
ATTRIBUTE Patton-Calling-Presentation-Indicator 88 string
while (@ARGV) {
$filename = shift;
-
+
open FILE, "<$filename" or die "Failed to open $filename: $!\n";
-
+
@output = ();
-
+
while (<FILE>) {
#
# Clear out trailing whitespace
next;
}
- #
+ #
# Remember if we did begin-vendor.
#
if (/^BEGIN-VENDOR\s+([\w-]+)/) {
FROM StopTelephony;
CREATE OR REPLACE VIEW calls AS
-SELECT Date, Time, Length, Number, cust_ip, gw_ip
+SELECT Date, Time, Length, Number, cust_ip, gw_ip
FROM call_history
WHERE Length > 0
ORDER BY Date, Time, Number, Length, cust_ip ASC;
CREATE OR REPLACE FUNCTION TelephonyInsertRecord(StopTelephony.UserName%TYPE, StopTelephony.NASIPAddress%TYPE, StopTelephony.AcctSessionTime%TYPE,
StopTelephony.AcctInputOctets%TYPE, StopTelephony.AcctOutputOctets%TYPE, StopTelephony.CalledStationId%TYPE, StopTelephony.CallingStationId%TYPE,
StopTelephony.AcctDelayTime%TYPE, StopTelephony.CiscoNASPort%TYPE, StopTelephony.h323CallOrigin%TYPE, StopTelephony.h323SetupTime%TYPE,
- StopTelephony.h323ConnectTime%TYPE, StopTelephony.h323DisconnectTime%TYPE, StopTelephony.h323DisconnectCause%TYPE,
+ StopTelephony.h323ConnectTime%TYPE, StopTelephony.h323DisconnectTime%TYPE, StopTelephony.h323DisconnectCause%TYPE,
StopTelephony.H323VoiceQuality%TYPE, StopTelephony.CallID%TYPE) RETURNS BOOLEAN AS '
DECLARE
BEGIN
/*
* Table structure for 'customers'
- *
+ *
* This table should list your Customers names and company
* This can be used to make more useful reports.
*/
/*
* Table structure for 'cust_gw'
- *
+ *
* This table should list the IP addresses and Customer IDs of all your Customers gateways
* This can be used to make more useful reports.
*/
#!/usr/bin/perl
#
-# syslog2db - Extract Clarent VoIP CDRs from billing_record files and
-# insert them into a Postgresql database.
+# syslog2db - Extract Clarent VoIP CDRs from billing_record files and
+# insert them into a Postgresql database.
#
# Author: Peter Nixon <codemonkey@peternixon.net>
# Date: 2003-05-07
# Defaults
my $defaulttimezone = "UTC";
my $defaultyear = 2003;
-my $dbh;
+my $dbh;
my %working_record = ();
if ($verbose > 1) { print "DEBUG: Clean Record: @callrecord\n"; }
$recordno++; %working_record = ();
$working_record{local_setuptime} = clarent2normaltime($callrecord[0]);
- $working_record{start_time} = $callrecord[3]; # This is in Unix timetamp format, relative to the originating gateway.
+ $working_record{start_time} = $callrecord[3]; # This is in Unix timetamp format, relative to the originating gateway.
# It is therefore useless unless ALL gateways are set with the same timezone,
# so I don't bother to convert it to datetime format.
$working_record{duration} = $callrecord[4];
$file = @ARGV[0];
&file_read($file);
}
- if ($verbose >= 0) {
+ if ($verbose >= 0) {
my $runtime = (time() - $starttime);
if ($runtime < 1) { $runtime = 0.5; } # Prevent divide-by-zero errors
my $speed = ($recordno / $runtime);
- if ($fileno > 1) {
- print "\n$recordno records from $lineno lines in $fileno files were processed in ~$runtime seconds (~$speed records/sec)\n";
+ if ($fileno > 1) {
+ print "\n$recordno records from $lineno lines in $fileno files were processed in ~$runtime seconds (~$speed records/sec)\n";
} else {
- print "\n$recordno records from $lineno lines in $file were processed in ~$runtime seconds (~$speed records/sec)\n";
+ print "\n$recordno records from $lineno lines in $file were processed in ~$runtime seconds (~$speed records/sec)\n";
}
}
require Getopt::Long;
## Program and File locations
-# gzcat - 'cat for .gz / gzip files'
+# gzcat - 'cat for .gz / gzip files'
# If you don't have gzcat and do have gzip then use: ln gzip gzcat
$GZCAT = "/usr/bin/zcat";
# zcat - 'cat for .Z / compressed files'
sub procedure_insert { # FIXME: Does not work with current SQL schema. Use standard method
if ($verbose > 0) { print "Record: $passno) Conf ID: $h323_conf_id Setup Time: $h323_setup_time Call Length: $AcctSessionTime "; }
- if ($h323_call_type eq 'VoIP') {
+ if ($h323_call_type eq 'VoIP') {
$sth2 = $dbh->prepare("SELECT VoIPInsertRecord('$UserName', '$NasIPAddress', '$AcctSessionTime', '$AcctInputOctets', '$AcctOutputOctets',
'$Called_Station_Id', '$Calling_Station_Id', '$AcctDelayTime', '$h323_call_origin', '$h323_setup_time',
'$h323_connect_time','$h323_disconnect_time', '$h323_disconnect_cause', (NULLIF('$h323_remote_address', '')::inet), '$h323_voice_quality', '$h323_conf_id')");
}
sub db_insert {
- if ($h323_call_type eq 'VoIP') {
+ if ($h323_call_type eq 'VoIP') {
$sth2 = $dbh->prepare("INSERT into StopVoIP (
AcctTime, UserName, NASIPAddress, AcctSessionTime, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctDelayTime, H323RemoteAddress, h323gwid, h323callorigin,
values(($Timestamp)::abstime, '$UserName', '$NasIPAddress', '$AcctSessionTime', '$AcctInputOctets', '$AcctOutputOctets',
'$Called_Station_Id', '$Calling_Station_Id', '$AcctDelayTime', '$Cisco_NAS_Port', '$h323_call_origin', '$h323_conf_id',
'$h323_connect_time', '$h323_disconnect_cause', '$h323_disconnect_time', '$h323_setup_time', '$h323_voice_quality')");
- } else {
+ } else {
if ($h323_call_type) { print "ERROR: Unsupported h323calltype: \"$h323_call_type\"\n"; }
else { print "ERROR: Missing \"h323calltype\". This doesn't appear to be a VoIP record."; }
return; # Not a VoIP record. Bailout
## This sub can be used to update data in an existing database if you have some fields not in the Database.
sub db_update {
- my $sth2= $dbh->prepare("UPDATE radacct SET CalledStationId = '$Called_Station_Id',
+ my $sth2= $dbh->prepare("UPDATE radacct SET CalledStationId = '$Called_Station_Id',
AcctTerminateCause = '$AcctTerminateCause', H323RemoteAddress = '$h323_remote_address',
AcctStatusType = '$AcctStatusType', callid = '$h323_conf_id', h323calltype = '$h323_call_type',
CiscoNASPort = '$Cisco_NAS_Port', h323disconnectcause = '$h323_disconnect_cause',
# If its a valid record continue onto the database functions
# FIXME: More checks needed here.
- if ($h323_call_type) {
+ if ($h323_call_type) {
$passno++;
#@duplicate_records{$passno} += @record;
if (&procedure_get()) { &procedure_insert; }
}
my $file_runtime = (time() - $file_starttime);
if ($file_runtime < 1) { $file_runtime = 1; }
- my $file_speed = ($record_no / $file_runtime);
+ my $file_speed = ($record_no / $file_runtime);
if ($verbose >= 0) { print "\n $record_no total records read from $filename were processed in $file_runtime seconds ($file_speed records/sec) \n"; }
}
exit(SUCCESS);
}
- if ($opt_x) {
- print "DEBUG: Debug mode is enabled.\n";
+ if ($opt_x) {
+ print "DEBUG: Debug mode is enabled.\n";
$verbose = 2;
} elsif ($quiet) { $verbose -= $quiet; }
&procedure_set($opt_p);
- if ($opt_d) {
+ if ($opt_d) {
if ($verbose > 0) { print "Using database \"$opt_d\" instead of default database \"$database\"\n"; }
$database = $opt_d;
}
my $runtime = (time() - $starttime);
if ($runtime < 1) { $runtime = 1; }
- my $speed = ($passno / $runtime);
+ my $speed = ($passno / $runtime);
if ($verbose >= 0) { print "\n $passno valid records were processed in $runtime seconds ($speed records/sec) \n"; }
} else {
print "ERROR: Please specify one or more detail file(s) to import.\n";
lrad_ipaddr_t ipaddr;
-
+
int port;
int type; /* auth/acct */
lrad_event_t *ev;
struct timeval when;
-
+
int response_window;
int max_outstanding; /* don't overload it */
int currently_outstanding;
-
+
struct timeval zombie_period_start;
int zombie_period; /* unresponsive for T, mark it dead */
hash *= FNV_MAGIC_PRIME;
hash ^= (uint32_t ) (c & 0xff);
}
-
+
return hash;
}
librad_log("dict_addvendor: vendor name too long");
return -1;
}
-
+
if ((dv = malloc(sizeof(*dv) + length)) == NULL) {
librad_log("dict_addvendor: out of memory");
return -1;
dattr->flags.has_value = 1;
} else {
value_fixup_t *fixup;
-
+
fixup = (value_fixup_t *) malloc(sizeof(*fixup));
if (!fixup) {
librad_log("dict_addvalue: out of memory");
strlcpy(fixup->attrstr, attrstr, sizeof(fixup->attrstr));
fixup->dval = dval;
-
+
/*
* Insert to the head of the list.
*/
if (!lrad_hash_table_insert(values_byname, dval)) {
if (dattr) {
DICT_VALUE *old;
-
+
/*
* Suppress duplicates with the same
* name and value. There are lots in
/* Boolean flag, means this is a
tagged attribute */
flags.has_tag = 1;
-
+
} else if (strncmp(s, "encrypt=", 8) == 0) {
/* Encryption method, defaults to 0 (none).
Currently valid is just type 2,
case PW_TYPE_INTEGER:
case PW_TYPE_DATE:
break;
-
+
default:
librad_log( "dict_init: %s[%d] Only IP addresses can have the \"array\" flag set.",
fn, line);
/* New format */
s += 7;
}
-
+
vendor = dict_vendorbyname(s);
if (!vendor) {
librad_log( "dict_init: %s[%d]: unknown vendor \"%s\"",
fn, line,
lrad_int2str(type_table, type, "?Unknown?"));
return -1;
-
+
}
}
}
p = format + 7;
- if ((strlen(p) != 3) ||
+ if ((strlen(p) != 3) ||
!isdigit((int) p[0]) ||
(p[1] != ',') ||
!isdigit((int) p[2])) {
fclose(fp);
librad_log("dict_init: Dictionary \"%s\" is not a regular file",
fn);
- return -1;
+ return -1;
}
/*
librad_log("dict_addvalue: Duplicate value name %s for attribute %s", this->dval->name, a->name);
return -1;
}
-
+
/*
* Allow them to use the old name, but
* prefer the new name when printing
lrad_hash_table_walk(attributes_byname, null_callback, NULL);
lrad_hash_table_walk(attributes_byvalue, null_callback, NULL);
-
+
lrad_hash_table_walk(values_byvalue, null_callback, NULL);
lrad_hash_table_walk(values_byname, null_callback, NULL);
if (dv) dval.attr = dv->value;
dval.value = value;
-
+
return lrad_hash_table_finddata(values_byvalue, &dval);
}
dv = (DICT_VENDOR *) buffer;
strlcpy(dv->name, name, DICT_VENDOR_MAX_NAME_LEN);
-
+
dv = lrad_hash_table_finddata(vendors_byname, dv);
if (!dv) return 0;
return 1;
}
-
+
int lrad_event_insert(lrad_event_list_t *el,
lrad_event_callback_t callback,
void *ctx, struct timeval *when,
*ev_p = ev;
return 1;
}
-
+
}
free(ev);
return 0;
}
w->ev = ev;
- return 1;
+ return 1;
}
el = lrad_event_list_create();
if (!el) exit(1);
-
+
memset(&rand_pool, 0, sizeof(rand_pool));
rand_pool.randrsl[1] = time(NULL);
-
+
lrad_randinit(&rand_pool, 1);
rand_pool.randcnt = 0;
}
lrad_event_insert(el, print_time, &array[i], &array[i]);
}
-
+
while (lrad_event_list_num_elements(el)) {
gettimeofday(&now, NULL);
when = now;
fi = lrad_fifo_create(MAX, NULL);
if (!fi) exit(1);
-
+
for (i = 0; i < MAX; i++) {
array[i] = i;
#define DONE_FLAGS (IP_SRC_ADDR_FLAG | IP_DEST_ADDR_FLAG | \
IP_SRC_PORT_FLAG | IP_DEST_PORT_FLAG | \
IP_PROTO_FLAG | IP_EST_FLAG)
-
+
/*
* ascend_parse_ip:
*
/*
- * These functions are defined and used only if the configure
+ * These functions are defined and used only if the configure
* cannot detect the standard getaddrinfo(), freeaddrinfo(),
* gai_strerror() and getnameinfo(). This avoids sprinkling of ifdefs.
*
- * FIXME: getaddrinfo() & getnameinfo() should
+ * FIXME: getaddrinfo() & getnameinfo() should
* return all IPv4 addresses provided by DNS lookup.
*/
#endif
#undef LOCAL_GETHOSTBYNAMERSTYLE
-#ifndef GETHOSTBYNAMERSTYLE
+#ifndef GETHOSTBYNAMERSTYLE
#define LOCAL_GETHOSTBYNAMERSTYLE 1
#elif (GETHOSTBYNAMERSTYLE != SYSVSTYLE) && (GETHOSTBYNAMERSTYLE != GNUSTYLE)
#define LOCAL_GETHOSTBYNAMERSTYLE 1
{
int i, len;
char *ptr = buffer;
-
+
*error = 0;
to->h_addrtype = from->h_addrtype;
to->h_length = from->h_length;
to->h_addr_list = (char**)ptr;
for(i = 0; (int *)from->h_addr_list[i] != 0; i++);
ptr += (i+1) * sizeof(int *);
-
+
for(i = 0; (int *)from->h_addr_list[i] != 0; i++) {
len = sizeof(int);
if ((ptr-buffer)+len < buflen) {
#ifdef LOCAL_GETHOSTBYNAMERSTYLE
static struct hostent *
-gethostbyname_r(const char *hostname, struct hostent *result,
+gethostbyname_r(const char *hostname, struct hostent *result,
char *buffer, int buflen, int *error)
{
struct hostent *hp;
#if GETHOSTBYNAMERSTYLE == SYSVSTYLE
hp = gethostbyname_r(hostname, &result, buffer, sizeof(buffer), &error);
#elif GETHOSTBYNAMERSTYLE == GNUSTYLE
- if (gethostbyname_r(hostname, &result, buffer,
+ if (gethostbyname_r(hostname, &result, buffer,
sizeof(buffer), &hp, &error) != 0) {
hp = NULL;
}
#ifndef HAVE_GETNAMEINFO
int
-getnameinfo(const struct sockaddr *sa, socklen_t salen,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
+getnameinfo(const struct sockaddr *sa, socklen_t salen,
+ char *host, size_t hostlen,
+ char *serv, size_t servlen,
unsigned int flags)
{
struct sockaddr_in *sin = (struct sockaddr_in *)sa;
char tmpserv[16];
char buffer[2048];
int error;
-
+
if (serv) {
snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port));
if (strlen(tmpserv) > servlen)
}
#else
hp = gethostbyaddr_r((char *)&sin->sin_addr,
- sizeof(struct in_addr), AF_INET,
+ sizeof(struct in_addr), AF_INET,
&result, buffer, sizeof(buffer), &error);
#endif
#else
if (key > 0x000000ff)
return (key & 0x000000ff) | (parent_byte[key >> 8] << 8);
-
+
return parent_byte[key];
}
if (!ht->buckets[parent_entry]) {
lrad_hash_table_fixup(ht, parent_entry);
- }
+ }
/*
* Keep walking down cur, trying to find entries that
*/
last = &ht->buckets[parent_entry];
this = parent_entry;
-
+
for (cur = *last; cur != &ht->null; cur = cur->next) {
uint32_t real_entry;
static void lrad_hash_table_grow(lrad_hash_table_t *ht)
{
lrad_hash_entry_t **buckets;
-
+
buckets = malloc(sizeof(*buckets) * GROW_FACTOR * ht->num_buckets);
if (!buckets) return;
sizeof(*buckets) * ht->num_buckets);
memset(&buckets[ht->num_buckets], 0,
sizeof(*buckets) * ht->num_buckets);
-
+
free(ht->buckets);
ht->buckets = buckets;
- ht->num_buckets *= GROW_FACTOR;
+ ht->num_buckets *= GROW_FACTOR;
ht->next_grow *= GROW_FACTOR;
ht->mask = ht->num_buckets - 1;
#ifdef TESTING
node != &ht->null;
node = next) {
next = node->next;
-
+
if (!node->data) continue; /* dummy entry */
-
+
if (ht->free) ht->free(node->data);
free(node);
}
fprintf(stderr, "Failed finding %d\n", i);
exit(1);
}
-
+
#if 0
if (!lrad_hash_table_delete(ht, &i)) {
fprintf(stderr, "Failed deleting %d\n", i);
const char *p, *off;
uint8_t tmp[4];
static const char digits[] = "0123456789";
-
+
octet = 0;
p = src;
while (1) {
while (*p && ((off = strchr(digits, *p)) != NULL)) {
num *= 10;
num += (off - digits);
-
+
if (num > 255) return 0;
-
+
p++;
}
if (!*p) break;
-
+
/*
* Not a digit, MUST be a dot, else we
* die.
tmp[octet++] = num;
p++;
}
-
+
/*
* End of the string. At the fourth
* octet is OK, anything else is an
return 0;
}
tmp[3] = num;
-
+
memcpy(dst, &tmp, sizeof(tmp));
return 1;
}
const uint8_t *ipaddr = src;
if (cnt <= INET_ADDRSTRLEN) return NULL;
-
+
snprintf(dst, cnt, "%d.%d.%d.%d",
ipaddr[0], ipaddr[1],
ipaddr[2], ipaddr[3]);
*/
if (af == AF_INET6) {
const struct in6_addr *ipaddr = src;
-
+
if (cnt <= INET6_ADDRSTRLEN) return NULL;
snprintf(dst, cnt, "%x:%x:%x:%x:%x:%x:%x:%x",
switch (ai->ai_family) {
case AF_INET :
dst->af = AF_INET;
- memcpy(&dst->ipaddr,
- &((struct sockaddr_in*)ai->ai_addr)->sin_addr,
+ memcpy(&dst->ipaddr,
+ &((struct sockaddr_in*)ai->ai_addr)->sin_addr,
sizeof(struct in_addr));
break;
-
+
case AF_INET6 :
dst->af = AF_INET6;
- memcpy(&dst->ipaddr,
- &((struct sockaddr_in6*)ai->ai_addr)->sin6_addr,
+ memcpy(&dst->ipaddr,
+ &((struct sockaddr_in6*)ai->ai_addr)->sin6_addr,
sizeof(struct in6_addr));
break;
-
+
/* Flow should never reach here */
case AF_UNSPEC :
default :
freeaddrinfo(ai);
return -1;
}
-
+
freeaddrinfo(ai);
return 0;
}
static uint64_t filetime_to_unix_epoch (const FILETIME *ft)
{
uint64_t res = (uint64_t) ft->dwHighDateTime << 32;
-
+
res |= ft->dwLowDateTime;
res /= 10; /* from 100 nano-sec periods to usec */
res -= DELTA_EPOCH_IN_USEC; /* from Win epoch to Unix epoch */
{
FILETIME ft;
uint64_t tim;
-
+
if (!tv) {
errno = EINVAL;
return (-1);
uint32_t lrad_reply_packet_hash(const RADIUS_PACKET *packet)
{
uint32_t hash;
-
+
hash = lrad_hash(&packet->sockfd, sizeof(packet->sockfd));
hash = lrad_hash_update(&packet->id, sizeof(packet->id), hash);
hash = lrad_hash_update(&packet->src_port, sizeof(packet->src_port),
memset(&salocal, 0, sizeof(salocal));
if (ipaddr->af == AF_INET) {
struct sockaddr_in *sa;
-
+
sa = (struct sockaddr_in *) &salocal;
sa->sin_family = AF_INET;
sa->sin_addr = ipaddr->ipaddr.ip4addr;
sa->sin_port = htons((uint16_t) port);
salen = sizeof(*sa);
-
+
#ifdef HAVE_STRUCT_SOCKADDR_IN6
} else if (ipaddr->af == AF_INET6) {
struct sockaddr_in6 *sa;
-
+
sa = (struct sockaddr_in6 *) &salocal;
sa->sin6_family = AF_INET6;
sa->sin6_addr = ipaddr->ipaddr.ip6addr;
if (IN6_IS_ADDR_UNSPECIFIED(&ipaddr->ipaddr.ip6addr)) {
int on = 1;
-
+
setsockopt(sockfd, IPPROTO_IPV6, IPV6_V6ONLY,
(char *)&on, sizeof(on));
}
const lrad_packet_dst2id_t *pd = data;
hash = lrad_hash(&pd->dst_port, sizeof(pd->dst_port));
-
+
switch (pd->dst_ipaddr.af) {
case AF_INET:
hash = lrad_hash_update(&pd->dst_ipaddr.ipaddr.ip4addr,
my_request.dst_ipaddr = reply->src_ipaddr;
my_request.dst_port = reply->src_port;
my_request.hash = 0;
-
+
request = &my_request;
return lrad_hash_table_finddata(pl->ht, &request);
uint32_t free_mask;
lrad_packet_dst2id_t my_pd, *pd;
lrad_packet_socket_t *ps;
-
+
if (!pl || !pl->alloc_id || !request) return 0;
my_pd.dst_ipaddr = request->dst_ipaddr;
my_pd.dst_port = request->dst_port;
-
+
pd = lrad_hash_table_finddata(pl->dst2id_ht, &my_pd);
if (!pd) {
pd = malloc(sizeof(*pd) + 255 * sizeof(pd->id[0]));
return 0;
}
}
-
+
/*
* FIXME: Go to an LRU system. This prevents ID re-use
* for as long as possible. The main problem with that
my_pd.dst_ipaddr = request->dst_ipaddr;
my_pd.dst_port = request->dst_port;
-
+
pd = lrad_hash_table_finddata(pl->dst2id_ht, &my_pd);
if (!pd) return 0;
if (outlen <= (2 * (vp->length + 1))) return 0;
strcpy(buf, "0x");
-
+
lrad_bin2hex(vp->vp_octets, buf + 2, vp->length);
a = buf;
break;
s6 = (struct sockaddr_in6 *)&dst;
sizeof_dst = sizeof(struct sockaddr_in6);
-
+
s6->sin6_family = AF_INET6;
s6->sin6_addr = dst_ipaddr->ipaddr.ip6addr;
s6->sin6_port = htons(dst_port);
if ((dst_ipaddr->af == AF_INET) ||
(src_ipaddr->af != AF_UNSPEC)) {
return sendfromto(sockfd, data, data_len, flags,
- (struct sockaddr *)&src, sizeof_src,
+ (struct sockaddr *)&src, sizeof_src,
(struct sockaddr *)&dst, sizeof_dst);
}
#else
/*
* No udpfromto, OR an IPv6 socket, fail gracefully.
*/
- return sendto(sockfd, data, data_len, flags,
+ return sendto(sockfd, data, data_len, flags,
(struct sockaddr *)&dst, sizeof_dst);
}
* Anything after 4k will be discarded.
*/
} else if (packet_len > MAX_PACKET_LEN) {
- recvfrom(sockfd, header, sizeof(header), 0,
+ recvfrom(sockfd, header, sizeof(header), 0,
(struct sockaddr *)&src, &sizeof_src);
return 1;
}
#endif
} else {
- recvfrom(sockfd, header, sizeof(header), 0,
+ recvfrom(sockfd, header, sizeof(header), 0,
(struct sockaddr *)&src, &sizeof_src);
return 1;
}
* Too little data is available, discard the packet.
*/
if (data_len < 4) {
- recvfrom(sockfd, header, sizeof(header), flags,
+ recvfrom(sockfd, header, sizeof(header), flags,
(struct sockaddr *)&src, &sizeof_src);
return 0;
* a RADIUS header length: discard it.
*/
if (len < AUTH_HDR_LEN) {
- recvfrom(sockfd, header, sizeof(header), flags,
+ recvfrom(sockfd, header, sizeof(header), flags,
(struct sockaddr *)&src, &sizeof_src);
return 0;
* Anything after 4k will be discarded.
*/
} else if (len > MAX_PACKET_LEN) {
- recvfrom(sockfd, header, sizeof(header), flags,
+ recvfrom(sockfd, header, sizeof(header), flags,
(struct sockaddr *)&src, &sizeof_src);
return len;
}
#ifdef WITH_UDPFROMTO
if (dst.ss_family == AF_INET) {
data_len = recvfromto(sockfd, buf, len, flags,
- (struct sockaddr *)&src, &sizeof_src,
+ (struct sockaddr *)&src, &sizeof_src,
(struct sockaddr *)&dst, &sizeof_dst);
} else
#endif
/*
* No udpfromto, OR an IPv6 socket. Fail gracefully.
*/
- data_len = recvfrom(sockfd, buf, len, flags,
+ data_len = recvfrom(sockfd, buf, len, flags,
(struct sockaddr *)&src, &sizeof_src);
if (data_len < 0) {
free(buf);
free(buf);
return -1; /* Unknown address family, Die Die Die! */
}
-
+
/*
* Different address families should never happen.
*/
if (TAG_VALID(vp->flags.tag)) {
ptr[0] = vp->flags.tag & 0xff;
offset = 1;
-
+
} else if (vp->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) {
/*
* Tunnel passwords REQUIRE a tag, even
offset = 1;
} /* else don't write a tag */
} /* else the attribute doesn't have a tag */
-
+
/*
* Set up the default sources for the data.
*/
case PW_TYPE_ABINARY:
/* nothing more to do */
break;
-
+
case PW_TYPE_BYTE:
len = 1; /* just in case */
array[0] = vp->vp_integer & 0xff;
data = array;
offset = 0;
break;
-
+
case PW_TYPE_SHORT:
len = 2; /* just in case */
data = &array[offset];
len -= offset;
break;
-
+
case PW_TYPE_IPADDR:
data = (const uint8_t *) &vp->vp_ipaddr;
len = 4; /* just in case */
*/
if (len + offset + total_length > 255) {
len = 255 - offset - total_length;
- }
+ }
/*
* Encrypt the various password styles
data, len,
secret, packet->vector);
break;
-
+
case FLAG_ENCRYPT_TUNNEL_PASSWORD:
if (!original) {
librad_log("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->name);
len = AUTH_VECTOR_LEN;
break;
-
+
default:
/*
* Just copy the data over
VALUE_PAIR *reply;
const char *what;
char ip_buffer[128];
-
+
/*
* For simplicity in the following logic, we allow
* the attributes to "overflow" the 4k maximum
return -1;
}
break;
-
+
/*
* These packet vectors start off as all zero.
*/
case PW_COA_REQUEST:
memset(packet->vector, 0, sizeof(packet->vector));
break;
-
+
default:
break;
}
-
+
/*
* Use memory on the stack, until we know how
* large the packet will be.
*/
hdr = (radius_packet_t *) data;
-
+
/*
* Build standard header
*/
hdr->code = packet->code;
hdr->id = packet->id;
-
+
memcpy(hdr->vector, packet->vector, sizeof(hdr->vector));
total_length = AUTH_HDR_LEN;
-
+
/*
* Load up the configuration values for the user
*/
* Hmm... this may be slower than just doing a small
* memcpy.
*/
-
+
/*
* Loop over the reply attributes for the packet.
*/
((reply->attribute & 0xFFFF) > 0xff)) {
continue;
}
-
+
/*
* Set the Message-Authenticator to the correct
* length and initial value.
* them out BEFORE they're encrypted.
*/
debug_pair(reply);
-
+
len = rad_vp2attr(packet, original, secret, reply, ptr);
if (len < 0) return -1;
ptr += len;
total_length += len;
} /* done looping over all attributes */
-
+
/*
* Fill in the rest of the fields, and copy the data over
* from the local stack to the newly allocated memory.
memcpy(packet->data, data, packet->data_len);
hdr = (radius_packet_t *) packet->data;
-
+
total_length = htons(total_length);
memcpy(hdr->length, &total_length, sizeof(total_length));
*/
if (packet->offset > 0) {
uint8_t calc_auth_vector[AUTH_VECTOR_LEN];
-
+
switch (packet->code) {
case PW_ACCOUNTING_REQUEST:
case PW_ACCOUNTING_RESPONSE:
default: /* others have vector already set to zero */
break;
-
+
}
-
+
/*
* Set the authentication vector to zero,
* calculate the signature, and put it
calc_auth_vector);
memcpy(packet->data + packet->offset + 2,
calc_auth_vector, AUTH_VECTOR_LEN);
-
+
/*
* Copy the original request vector back
* to the raw packet.
*/
memcpy(hdr->vector, packet->vector, AUTH_VECTOR_LEN);
}
-
+
/*
* Switch over the packet code, deciding how to
* sign the packet.
case PW_AUTHENTICATION_REQUEST:
case PW_STATUS_SERVER:
break;
-
+
/*
* Reply packets are signed with the
* authentication vector of the request.
default:
{
uint8_t digest[16];
-
+
MD5_CTX context;
MD5Init(&context);
MD5Update(&context, packet->data, packet->data_len);
MD5Update(&context, secret, strlen(secret));
MD5Final(digest, &context);
-
+
memcpy(hdr->vector, digest, AUTH_VECTOR_LEN);
memcpy(packet->vector, digest, AUTH_VECTOR_LEN);
break;
if (rad_encode(packet, original, secret) < 0) {
return -1;
}
-
+
/*
* Re-sign it, including updating the
* Message-Authenticator.
attr[1] - 2);
return 0;
}
- seen_ma = 1;
+ seen_ma = 1;
break;
}
if ((vp = paircreate(attribute, PW_TYPE_OCTETS)) == NULL) {
return NULL;
}
-
+
/*
* If length is greater than 253, something is SERIOUSLY
* wrong.
vp->length = strlen(vp->vp_strvalue);
}
break;
-
+
/*
* Tunnel-Password's may go ONLY
* in response packets.
*/
case FLAG_ENCRYPT_TUNNEL_PASSWORD:
if (!original) goto raw;
-
+
if (rad_tunnel_pwdecode(vp->vp_octets, &vp->length,
secret, original->vector) < 0) {
goto raw;
}
break;
-
+
/*
* Ascend-Send-Secret
* Ascend-Receive-Secret
if (vp->length != 8) goto raw;
/* vp->vp_ifid == vp->vp_octets */
break;
-
+
/*
* IPv6 addresses are 16 octets long
*/
if (vp->length != 16) goto raw;
/* vp->vp_ipv6addr == vp->vp_octets */
break;
-
+
/*
* IPv6 prefixes are 2 to 18 octets long.
*
vp->type = PW_TYPE_OCTETS;
vp->length = length;
memcpy(vp->vp_octets, data, length);
-
+
/*
* Ensure there's no encryption or tag stuff,
packet_length -= 2;
if (attribute != PW_VENDOR_SPECIFIC) goto create_pair;
-
+
/*
* No vendor code, or ONLY vendor code.
*/
vendorlen = 0;
}
-
+
/*
* Handle Vendor-Specific
*/
uint8_t *subptr;
int sublen;
int myvendor;
-
+
/*
* attrlen was checked above.
*/
* Zero isn't allowed.
*/
if (myvendor == 0) goto create_pair;
-
+
/*
* This is an implementation issue.
* We currently pack vendor into the upper
* than 16 bits.
*/
if (myvendor > 65535) goto create_pair;
-
+
vsa_tlen = vsa_llen = 1;
dv = dict_vendorbyvalue(myvendor);
if (dv) {
vsa_tlen = dv->type;
vsa_llen = dv->length;
}
-
+
/*
* Sweep through the list of VSA's,
* seeing if they exactly fill the
* Don't have a type, it's bad.
*/
if (sublen < vsa_tlen) goto create_pair;
-
+
/*
* Ensure that the attribute number
* is OK.
case 1:
myattr = subptr[0];
break;
-
+
case 2:
myattr = (subptr[0] << 8) | subptr[1];
break;
-
+
case 4:
if ((subptr[0] != 0) ||
(subptr[1] != 0)) goto create_pair;
-
+
myattr = (subptr[2] << 8) | subptr[3];
break;
-
+
/*
* Our dictionary is broken.
*/
default:
goto create_pair;
}
-
+
/*
* Not enough room for one more
* attribute. Die!
case 1:
attribute = ptr[0];
break;
-
+
case 2:
attribute = (ptr[0] << 8) | ptr[1];
break;
case 1:
attrlen = ptr[0] - (vsa_tlen + vsa_llen);
break;
-
+
case 2:
attrlen = ptr[1] - (vsa_tlen + vsa_llen);
break;
* random pool.
*/
lrad_rand_seed(packet->data, AUTH_HDR_LEN);
-
+
return 0;
}
* Use the secret to setup the decryption digest
*/
secretlen = strlen(secret);
-
+
lrad_MD5Init(&context);
lrad_MD5Update(&context, secret, secretlen);
old = context; /* save intermediate work */
AUTH_PASS_LEN);
lrad_MD5Final(digest, &context);
}
-
+
for (i = 0; i < AUTH_PASS_LEN; i++) {
passwd[i + n] ^= digest[i];
}
* Use the secret to setup the decryption digest
*/
secretlen = strlen(secret);
-
+
lrad_MD5Init(&context);
lrad_MD5Update(&context, secret, secretlen);
old = context; /* save intermediate work */
context = old;
if (pwlen > (n + AUTH_PASS_LEN)) lrad_MD5Update(&context, passwd + n, AUTH_PASS_LEN);
}
-
+
for (i = 0; i < AUTH_PASS_LEN; i++) {
passwd[i + n] ^= digest[i];
}
*/
if (!lrad_rand_initialized) {
int fd;
-
+
memset(&lrad_rand_pool, 0, sizeof(lrad_rand_pool));
fd = open("/dev/urandom", O_RDONLY);
hash = lrad_rand();
if (!hash) hash = lrad_rand();
hash = lrad_hash_update(data, size, hash);
-
+
lrad_rand_pool.randmem[lrad_rand_pool.randcnt] ^= hash;
}
if (Y->Color == Black && X != NIL)
DeleteFixup(tree, X, Parent);
-
+
/*
* The user structure in Y->Data MAY include a
* pointer to Y. In that case, we CANNOT delete
}
if (Y->Left->Parent == Z) Y->Left->Parent = Y;
if (Y->Right->Parent == Z) Y->Right->Parent = Y;
-
+
free(Z);
} else {
if (tree->freeNode) tree->freeNode(Y->Data);
-
+
if (Y->Color == Black && X != NIL)
DeleteFixup(tree, X, Parent);
-
+
free(Y);
}
int rbtree_deletebydata(rbtree_t *tree, const void *data)
{
rbnode_t *node = rbtree_find(tree, data);
-
+
if (!node) return 0; /* false */
rbtree_delete(tree, node);
vp->flags = da->flags;
} else {
vp->attribute = 0;
- vp->vendor = 0;
+ vp->vendor = 0;
vp->type = PW_TYPE_OCTETS;
vp->name[0] = '\0';
memset(&vp->flags, 0, sizeof(vp->flags));
} else {
DICT_VENDOR *v;
-
+
v = dict_vendorbyvalue(VENDOR(attr));
if (v) {
sprintf(vp->name, "%s-Attr-%u",
p = NULL;
cs = value;
}
-
+
{
lrad_ipaddr_t ipaddr;
librad_log("Hex string is not an even length string.");
return NULL;
}
-
-
+
+
while (*cp &&
(vp->length < MAX_STRING_LEN)) {
unsigned int tmp;
} else {
unsigned int prefix;
char buffer[256], *eptr;
-
+
memcpy(buffer, value, p - value);
buffer[p - value] = '\0';
-
+
if (inet_pton(AF_INET6, buffer, vp->vp_strvalue + 2) <= 0) {
librad_log("failed to parse IPv6 address "
"string \"%s\"", value);
return NULL;
}
-
+
prefix = strtoul(p + 1, &eptr, 10);
if ((prefix > 128) || *eptr) {
librad_log("failed to parse IPv6 address "
{
regex_t reg;
char buffer[MAX_STRING_LEN * 4 + 1];
-
+
compare = regcomp(®, one->vp_strvalue,
REG_EXTENDED);
if (compare != 0) {
default: /* we're OK */
break;
}
-
+
/*
* After doing the previous check for special comparisons,
* do the per-type comparison here.
} else {
length = two->length;
}
-
+
p = two->vp_octets;
q = one->vp_octets;
while (length) {
one->vp_strvalue);
}
break;
-
+
case PW_TYPE_BYTE:
case PW_TYPE_SHORT:
case PW_TYPE_INTEGER:
compare = memcmp(&two->vp_ipv6addr, &one->vp_ipv6addr,
sizeof(two->vp_ipv6addr));
break;
-
+
case PW_TYPE_IPV6PREFIX:
compare = memcmp(&two->vp_ipv6prefix, &one->vp_ipv6prefix,
sizeof(two->vp_ipv6prefix));
switch (one->operator) {
case T_OP_CMP_EQ:
return (compare == 0);
-
+
case T_OP_NE:
return (compare != 0);
-
+
case T_OP_LT:
return (compare < 0);
-
+
case T_OP_GT:
return (compare > 0);
* authentication fails.
*/
auth_item = request->password;
- if (!auth_item)
+ if (!auth_item)
auth_item = pairfind(request->packet->vps,
PW_CHAP_PASSWORD);
if (!auth_item) {
$rusers = "@RUSERS@";
$naspass = "$raddbdir/naspasswd";
-# Community string. Change this if yours isn't "public".
+# Community string. Change this if yours isn't "public".
$cmmty_string = "public";
# path to finger command
$finger = "/usr/bin/finger";
close NFD;
if ($password eq "" && !$emptyok) {
print LOG "checkrad: password for $ARGV[1] is null; " .
- "possible match for $ARGV[3] on " .
+ "possible match for $ARGV[3] on " .
"port $ARGV[2]\n" if ($debug);
print STDERR "checkrad: password for $ARGV[1] is null; " .
- "possible match for $ARGV[3] on port $ARGV[2]\n";
+ "possible match for $ARGV[3] on port $ARGV[2]\n";
}
($login, $password);
}
#
# Strip domains, prefixes and suffixes from username
-#
+#
# Known prefixes: (P)PP, (S)LIP e (C)SLIP
# Known suffixes: .ppp, .slip e .cslip
#
# (this routine by Alexis C. Villalon <alexisv@compass.com.ph>).
# You must have the Net::Telnet module from CPAN for this to work.
# You must also have your /etc/raddb/naspasswd made up.
-#
+#
sub tc_tccheck {
#
# Localize all variables first.
$user =~ s/^[PSC]//;
$user =~ s/\.(ppp|slip|cslip)$//;
$port =~ s/^S//;
- #
+ #
# HACK: because "show sessions" shows max. 15 characters
# we only compare up to the length of $user if the
# unstripped name had 15 chars.
#
my ($pr, $pr_login, $pr_passwd, $pr_prompt, $endlist, @list, $port, $user);
#
- # This variable must match PathRAS' command prompt
+ # This variable must match PathRAS' command prompt
# string as entered in menu option 6.2.
# The value below matches the default command prompt.
#
return 2 unless (check_net_telnet());
#
- # Get login name and password for NAS
+ # Get login name and password for NAS
# from $naspass file.
#
($pr_login, $pr_passwd) = naspasswd($ARGV[1], 1);
#
if ($pr->waitfor(Match => '/login : $/i') == 1) {
$pr->print($pr_login);
- } else {
+ } else {
print LOG " Error: sending login name to PathRAS\n" if ($debug);
$pr->close;
- return 2;
+ return 2;
}
if ($pr->waitfor(Match => '/password : $/i') == 1) {
$pr->print($pr_passwd);
- } else {
+ } else {
print LOG " Error: sending password to PathRAS.\n" if ($debug);
$pr->close;
- return 2;
+ return 2;
}
$pr->print();
#
if ($pr->waitfor(Match => $pr_prompt) == 1) {
$pr->print('6');
- } else {
+ } else {
print LOG " Error: acessing menu option '6'.\n" if ($debug);
$pr->close;
return 2;
#
if ($pr->waitfor(Match => $pr_prompt) == 1) {
@list = $pr->cmd(String => '8', Prompt => $endlist);
- } else {
+ } else {
print LOG " Error: acessing menu option '8'.\n" if ($debug);
$pr->close;
return 2;
}
#
- # Since we got the info we want, let's close
+ # Since we got the info we want, let's close
# the telnet session
#
$pr->close;
$oid = '.1.3.6.1.4.1.1768.5.100.1.56.' . hex $ARGV[4];
#
# Check if the session still active
- #
+ #
if (snmpget($ARGV[1], "monitor", "$oid") == 0) {
- print LOG " Session $ARGV[4] still active on NAS " .
+ print LOG " Session $ARGV[4] still active on NAS " .
"$ARGV[1], port $ARGV[2], for user $ARGV[3].\n" if ($debug);
return 1;
}
sub cyclades_snmp {
my ($oid, $ret);
local $_;
-
+
$oid = ".1.3.6.1.4.1.2925.3.3.6.1.1.2";
$_ = snmpwalk($ARGV[1],"$cmmty_string",$oid);
# 3Com/USR HiPer Arc Total Control.
# This works with HiPer Arc 4.0.30
# (this routine by Igor Brezac <igor@ipass.net>)
-#
+#
# This routine modified by Dan Halverson <danh@tbc.net>
# to suport additional versions of Hiper Arc
# If password is defined in naspasswd file, use it as community, otherwise use $cmmty_string
if ($password eq '') {
$password = "$cmmty_string";
- }
+ }
}
my ($ver) = get_hiper_ver(usrm=>$usrm, target=>$ARGV[1], community=>$password);
$oidext = get_oidext(ver=>$ver, tty=>$ARGV[2]);
return($ver);
}
-#
+#
# Add additional OID checks below before the else.
# Else is for 4.0.30
#
#
# Communicate with Netserver using Net::Telnet, then access
- # list connectionsto see who are logged in.
- #
+ # list connectionsto see who are logged in.
+ #
$telnet = new Net::Telnet (Timeout => 5,
Prompt => '/\>/');
$telnet->open($terminalserver);
if ( /mod\:/ ) {
($port, $user, $dummy) = split;
#
- # Strip out any prefixes and suffixes
+ # Strip out any prefixes and suffixes
# from the username
#
# uncomment this if you use the standard
};
};
};
- print LOG
+ print LOG
" $ARGV[3] not found on Netserver logged users list " if ($debug);
0;
}
#
# ___ versanet_snmp 1.0 by support@versanetcomm.com ___ July 1999
# Versanet Enterprise MIB Base: 1.3.6.1.4.1.2180
-#
+#
# VN2001/2002 use slot/port number to locate modems. To use snmp get we
# have to translate the original port number into a slot/port pair.
#
$vsm = '.iso.org.dod.internet.private.enterprises.2180';
sub versanet_snmp {
-
+
print LOG "argv[2] = $ARGV[2] " if ($debug);
$port = $ARGV[2]%8;
- $port = 8 if ($port eq 0);
+ $port = 8 if ($port eq 0);
print LOG "port = $port " if ($debug);
$slot = (($ARGV[2]-$port)/8)+1;
print LOG "slot = $slot" if ($debug);
# Note: the "$cmmty_string" string above could be replaced by the public
# community string defined in Versanet VN2001/VN2002.
#
- print LOG " user at slot $slot port $port: $loginname\n" if ($debug); ($loginname eq $ARGV[3]) ? 1 : 0;
+ print LOG " user at slot $slot port $port: $loginname\n" if ($debug); ($loginname eq $ARGV[3]) ? 1 : 0;
}
# 1999/08/24 Chris Shenton <chris@shenton.org>
-# Check Bay8000 NAS (aka: Annex) using finger.
+# Check Bay8000 NAS (aka: Annex) using finger.
# Returns from "finger @bay" like:
# Port What User Location When Idle Address
# asy2 PPP bill --- 9:33am :08 192.168.1.194
# Set SNMP version
# MikroTik only supports version 1
$snmp_version = "1";
-
+
# Look up community string in naspasswd file.
($login, $password) = naspasswd($ARGV[1], 1);
if ($login && $login ne 'SNMP') {
print LOG "Error: Need SNMP community string for $ARGV[1]\n";
}
return 2;
- } else {
+ } else {
# If password is defined in naspasswd file, use it as community,
# otherwise use $cmmty_string
if ($password eq '') {
$password = "$cmmty_string";
}
}
-
+
# We want interface descriptions
$oid = "ifDescr";
# Dont just exit when there is error
$t->errmode('return');
-
+
# Telnet to terminal server
$t->open($terminalserver) or return 2;
if( $output =~ /name="$user"/ ) {
$username_seen++;
- }
+ }
#lets return something
if ($username_seen > 0) {
print LOG " Error: No context defined\n" if ($debug);
return 2;
}
-
+
# Get loggin information
($root, $password) = naspasswd($terminalserver, 1);
return 2 if ($password eq "");
-
+
$operprompt = '/\[.*\].*>$/';
$adminprompt = '/\[.*\].*#$/';
-
+
# Logging to the RedBack NAS
$t = new Net::Telnet (Timeout => 5, Prompt => $operprompt);
$t->input_log("./debug");
$t->open($terminalserver);
$t->login($root, $password);
-
+
#Enable us
$t->print('ena');
$t->waitfor('/Password/');
$t->print($password);
$t->waitfor($adminprompt);
$t->prompt($adminprompt);
-
+
#Switch context
$t->cmd(String => "context $context");
-
+
#Ask the question
@lines = $t->cmd(String => "show subscribers active
$user\@$context");
/*
* Allow clients to be NULL if mainconfig.clients is NULL.
*/
-
+
if (!client || (!clients && (mainconfig.clients != NULL))) {
return 0;
}
-
+
if (!clients) {
clients = clients_init();
if (!clients) return 0;
if (tree_num) {
RADCLIENT myclient;
-
+
myclient.number = number;
-
+
return rbtree_finddata(tree_num, &myclient);
}
#endif
client_sane(&myclient); /* clean up the ipaddress */
if (!clients->trees[i]) continue;
-
+
data = rbtree_finddata(clients->trees[i], &myclient);
if (data) {
return data;
}
static const CONF_PARSER client_config[] = {
- { "secret", PW_TYPE_STRING_PTR,
+ { "secret", PW_TYPE_STRING_PTR,
offsetof(RADCLIENT, secret), 0, NULL },
- { "shortname", PW_TYPE_STRING_PTR,
+ { "shortname", PW_TYPE_STRING_PTR,
offsetof(RADCLIENT, shortname), 0, NULL },
- { "nastype", PW_TYPE_STRING_PTR,
+ { "nastype", PW_TYPE_STRING_PTR,
offsetof(RADCLIENT, nastype), 0, NULL },
- { "login", PW_TYPE_STRING_PTR,
+ { "login", PW_TYPE_STRING_PTR,
offsetof(RADCLIENT, login), 0, NULL },
- { "password", PW_TYPE_STRING_PTR,
+ { "password", PW_TYPE_STRING_PTR,
offsetof(RADCLIENT, password), 0, NULL },
{ NULL, -1, 0, NULL, NULL }
break;
case CONF_ITEM_SECTION: {
-
+
CONF_SECTION *section = cf_itemtosection(ci);
cf_section_free(§ion);
}
cf_section_free(&cs);
return NULL;
}
-
+
if (name2 && *name2) {
cs->name2 = strdup(name2);
if (!cs->name2) {
case CONF_ITEM_PAIR:
rbtree_insert(cs->pair_tree, ci);
break;
-
+
case CONF_ITEM_SECTION: {
const CONF_SECTION *cs_new = cf_itemtosection(ci);
-
+
if (!cs->section_tree) {
cs->section_tree = rbtree_create(section_cmp, NULL, 0);
/* ignore any errors */
}
-
+
if (cs->section_tree) {
rbtree_insert(cs->section_tree, cs_new); }
-
+
/*
* Two names: find the named instance.
*/
if (cs_new->name2) {
CONF_SECTION *old_cs;
-
+
/*
* Find the FIRST
* CONF_SECTION having
*/
old_cs = rbtree_finddata(cs->section_tree, cs_new);
if (!old_cs) return; /* this is a bad error! */
-
+
if (!old_cs->name2_tree) {
old_cs->name2_tree = rbtree_create(name2_cmp,
NULL, 0);
}
DEBUG2("\t%s = %s", name, value);
break;
-
+
case PW_TYPE_INTEGER:
*(int *)data = strtol(value, 0, 0);
DEBUG2("\t%s = %d", name, *(int *)data);
break;
-
+
case PW_TYPE_STRING_PTR:
q = (char **) data;
if (*q != NULL) {
free(*q);
}
-
+
/*
* Expand variables which haven't already been
* expanded automagically when the configuration
cs, buffer, value);
if (!value) return -1;
}
-
+
DEBUG2("\t%s = \"%s\"", name, value ? value : "(null)");
*q = value ? strdup(value) : NULL;
break;
-
+
/*
* This is the same as PW_TYPE_STRING_PTR,
* except that we also "stat" the file, and
if (*q != NULL) {
free(*q);
}
-
+
/*
* Expand variables which haven't already been
* expanded automagically when the configuration
cs, buffer, value);
if (!value) return -1;
}
-
+
DEBUG2("\t%s = \"%s\"", name, value ? value : "(null)");
*q = value ? strdup(value) : NULL;
ip_ntoh(&ipaddr, ipbuf, sizeof(ipbuf)));
*(uint32_t *) data = ipaddr.ipaddr.ip4addr.s_addr;
break;
-
+
case PW_TYPE_IPV6ADDR:
if (ip_hton(value, AF_INET6, &ipaddr) < 0) {
radlog(L_ERR, "Can't find IPv6 address for host %s", value);
memcpy(data, &ipaddr.ipaddr.ip6addr,
sizeof(ipaddr.ipaddr.ip6addr));
break;
-
+
default:
radlog(L_ERR, "type %d not supported yet", type);
return -1;
break;
} /* switch over variable type */
-
+
return rcode;
}
if (variables[i].type == PW_TYPE_SUBSECTION) {
const CONF_SECTION *subcs;
subcs = cf_section_sub_find(cs, variables[i].name);
-
+
/*
* If the configuration section is NOT there,
* then ignore it.
DEBUG2("Internal sanity check 1 failed in cf_section_parse");
goto error;
}
-
+
if (cf_section_parse(subcs, base,
(const CONF_PARSER *) variables[i].dflt) < 0) {
goto error;
}
continue;
} /* else it's a CONF_PAIR */
-
+
if (variables[i].data) {
data = variables[i].data; /* prefer this. */
} else if (base) {
radlog(L_ERR, "%s[%d]: Too many closing braces",
file, *lineno);
return -1;
-
+
}
this = this->item.parent;
continue;
if (name1 && (cs->section_tree)) {
CONF_SECTION mycs, *master_cs;
-
+
mycs.name1 = name1;
mycs.name2 = name2;
-
+
master_cs = rbtree_finddata(cs->section_tree, &mycs);
if (master_cs) {
return rbtree_finddata(master_cs->name2_tree, &mycs);
int flag)
{
if (!cs || !name) return NULL;
-
+
/*
* Find the name in the tree, for speed.
*/
*/
static void cf_section_copy_data(CONF_SECTION *s, CONF_SECTION *d)
{
-
+
CONF_ITEM *cd, *next, **last;
/*
rad_assert(d->data_tree == NULL);
d->data_tree = s->data_tree;
s->data_tree = NULL;
-
+
/*
* Walk through src, moving CONF_ITEM_DATA
* to dst, by hand.
last = &(s->children);
for (cd = s->children; cd != NULL; cd = next) {
next = cd->next;
-
+
/*
* Recursively copy data from child sections.
*/
if (cd->type == CONF_ITEM_SECTION) {
CONF_SECTION *s1, *d1;
-
+
s1 = cf_itemtosection(cd);
d1 = cf_section_sub_find_name2(d, s1->name1, s1->name2);
if (d1) {
last = &(cd->next);
continue;
}
-
+
/*
* Remove it from the src list
*/
*last = cd->next;
cd->next = NULL;
-
+
/*
* Add it to the dst list
*/
*/
if ((strcmp(pa->attr, pb->attr) != 0) ||
(strcmp(pa->value, pb->value) != 0)) return 0;
-
+
/*
* And go to the next element.
rad_snmp.auth.total_access_rejects++;
if (request->client) request->client->auth->rejects++;
break;
-
+
case PW_ACCESS_CHALLENGE:
rad_snmp.auth.total_responses++;
rad_snmp.auth.total_access_challenges++;
if (request->client) request->client->auth->challenges++;
break;
-
+
case PW_ACCOUNTING_RESPONSE:
rad_snmp.acct.total_responses++;
if (request->client) request->client->auth->responses++;
if (request->client) request->client->auth->bad_authenticators++;
}
break;
-
+
default:
break;
}
}
request = lrad_packet2myptr(REQUEST, proxy, proxy_p);
-
+
if (!request) {
PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
return NULL;
PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
DEBUG2("ERROR: Failed to create a new socket for proxying requests.");
return 0; /* leak proxy_listener */
-
+
}
-
+
if (!lrad_packet_list_id_alloc(proxy_list, request->proxy)) {
PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
DEBUG2("ERROR: Failed to create a new socket for proxying requests.");
DEBUG2("ERROR: Failed to insert entry into proxy list");
return 0;
}
-
+
PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
DEBUG3(" proxy: allocating destination %s port %d - Id %d",
&request->proxy->dst_ipaddr.ipaddr, buf, sizeof(buf)),
request->proxy->dst_port,
request->proxy->id);
-
+
request->in_proxy_hash = TRUE;
return 1;
(request->child_state == REQUEST_RUNNING)) {
request->delay += (request->delay >> 1);
tv_add(&request->when, request->delay);
-
+
DEBUG2("Child is still stuck for request %d", request->number);
INSERT_EVENT(wait_for_child_to_die, request);
return;
}
-
+
DEBUG2("Child is finally responsive for request %d", request->number);
remove_from_request_hash(request);
(unsigned int) (request->timestamp - start_time));
lrad_event_delete(el, &request->ev);
- request_free(&request);
+ request_free(&request);
}
buffer, sizeof(buffer)),
request->proxy->dst_port);
- wait_for_proxy_id_to_expire(request);
+ wait_for_proxy_id_to_expire(request);
}
home->state = HOME_STATE_IS_DEAD;
home->num_received_pings = 0;
home->when = request->when;
-
+
if (home->ping_check != HOME_PING_CHECK_NONE) {
rad_assert((home->ping_check == HOME_PING_CHECK_STATUS_SERVER) ||
(home->ping_user_name != NULL));
* Re-queue the request.
*/
request->child_state = REQUEST_QUEUED;
-
+
wait_a_bit(request);
/*
REQUEST *request = ctx;
home_server *home;
char buffer[128];
-
+
rad_assert(request->magic == REQUEST_MAGIC);
rad_assert(request->child_state == REQUEST_PROXIED);
radlog(L_ERR, "WARNING: Unresponsive child (id %lu) for request %d, in module %s component %s",
(unsigned long)request->child_pid, request->number,
request->module ? request->module : "<server core>",
- request->component ? request->component : "<server core>");
+ request->component ? request->component : "<server core>");
request->master_state = REQUEST_STOP_PROCESSING;
* Delete any reply we had accumulated until now.
*/
pairfree(&request->reply->vps);
-
+
/*
* Run the packet through the post-proxy stage,
* BEFORE playing games with the attributes.
post_proxy_type = vp->vp_integer;
}
rcode = module_post_proxy(post_proxy_type, request);
-
+
/*
* There may NOT be a proxy reply, as we may be
* running Post-Proxy-Type = Fail.
* attributes from us and remote server.
*/
pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE);
-
+
/*
* Add the attributes left in the proxy
* reply to the reply list.
*/
pairadd(&request->reply->vps, request->proxy_reply->vps);
request->proxy_reply->vps = NULL;
-
+
/*
* Free proxy request pairs.
*/
* Do NOT delete Stripped-User-Name.
*/
}
-
+
/*
* If there is no PW_CHAP_CHALLENGE attribute but
* there is a PW_CHAP_PASSWORD we need to add it
request->home_server = NULL;
return 1;
}
-
+
if (!insert_into_proxy_hash(request)) {
DEBUG("ERROR: Failed to proxy request %d", request->number);
return -1;
when = request->received;
when.tv_sec += mainconfig.max_request_time;
-
+
gettimeofday(&request->proxy_when, NULL);
request->next_when = request->proxy_when;
request->next_when.tv_sec += home->response_window;
rad_assert(home->response_window > 0);
-
+
if (timercmp(&when, &request->next_when, <)) {
request->next_when = when;
}
&request->proxy->dst_ipaddr.ipaddr,
buffer, sizeof(buffer)),
request->proxy->dst_port);
-
+
/*
* Note that we set proxied BEFORE sending the packet.
*
*/
if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
gettimeofday(&request->next_when, NULL);
-
+
if (request->reply->code == 0) {
DEBUG2("There was no response configured: rejecting request %d",
request->number);
request->reply->code = PW_AUTHENTICATION_REJECT;
}
-
+
/*
* Run rejected packets through
*
*/
when = request->received;
when.tv_sec += mainconfig.reject_delay;
-
+
if (timercmp(&when, &request->next_when, >)) {
DEBUG2("Delaying reject of request %d for %d seconds",
request->number,
post_proxy_fail_handler(request);
return;
}
-
+
request->proxy->code = request->packet->code;
request->proxy->dst_ipaddr = home->ipaddr;
request->proxy->dst_port = home->port;
&request->proxy->dst_ipaddr.ipaddr,
buffer, sizeof(buffer)),
request->proxy->dst_port);
-
+
/*
* Restart timers. Note that we leave
* the old timeout in place, as that is a
*/
if (mainconfig.max_requests) {
int request_count = lrad_packet_list_num_elements(pl);
-
+
/*
* This is a new request. Let's see if
* it makes us go over our configured
* We increment the counters here, and decrement them
* when the response is sent... somewhere in this file.
*/
-
+
/*
* FUTURE: Add checks for system load. If the system is
* busy, start dropping requests...
* there are more requests coming in than we can handle,
* start dropping some.
*/
-
+
return 1;
}
* Create and initialize the new request.
*/
request = request_alloc(); /* never fails */
-
+
if ((request->reply = rad_alloc(0)) == NULL) {
radlog(L_ERR, "No memory");
exit(1);
request->packet->timestamp = request->timestamp;
request->number = request_num_counter++;
request->priority = listener->type;
-
+
/*
* Remember the request in the list.
*/
return 0;
}
request->in_request_hash = TRUE;
-
+
/*
* The request passes many of our sanity checks.
* From here on in, if anything goes wrong, we
/* assert that there's an event queued for request? */
rad_free(&packet);
return NULL;
-
+
case REQUEST_PROXIED:
break;
}
if (mainconfig.proxy_requests) {
int i;
rad_listen_t *listener;
-
+
/*
* Create the tree for managing proxied requests and
* responses.
*/
proxy_list = lrad_packet_list_create(1);
if (!proxy_list) return 0;
-
+
#ifdef HAVE_PTHREAD_H
if (pthread_mutex_init(&proxy_mutex, NULL) != 0) {
radlog(L_ERR, "FATAL: Failed to initialize proxy mutex: %s",
* Mark the Fd's as unused.
*/
for (i = 0; i < 32; i++) proxy_fds[i] = -1;
-
+
i = -1;
for (listener = mainconfig.listen;
return 1;
}
rad_panic("Internal sanity check failed");
-
+
} else if (timercmp(&now, &when, >)) {
DEBUG3("Event in the past... compensating");
when.tv_sec = 0;
DEBUG2("Going to the next request");
return;
}
-
+
rad_assert(fun != NULL);
rad_assert(request != NULL);
-
+
fun(request);
-
+
request_post_handler(request);
DEBUG2("Going to the next request");
return;
int delay_time;
struct timeval last_packet;
} listen_detail_t;
-
+
/*
* Find a per-socket client.
if (!clients) clients = mainconfig.clients;
rad_assert(clients != NULL);
-
+
return client_find(clients, ipaddr);
}
rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
&ipaddr.ipaddr.ip4addr, NULL);
if (rcode < 0) return -1;
-
+
if (rcode == 0) { /* successfully parsed IPv4 */
ipaddr.af = AF_INET;
-
+
} else { /* maybe IPv6? */
rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
&ipaddr.ipaddr.ip6addr, NULL);
if (rcode < 0) return -1;
-
+
if (rcode == 1) {
radlog(L_ERR, "%s[%d]: No address specified in listen section",
filename, lineno);
}
ipaddr.af = AF_INET6;
}
-
+
rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
&listen_port, "0");
if (rcode < 0) return -1;
-
+
sock->ipaddr = ipaddr;
sock->port = listen_port;
rad_assert(cp != NULL);
value = cf_pair_value(cp);
rad_assert(value != NULL);
-
+
strcpy(ifreq.ifr_name, value);
-
+
if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
(char *)&ifreq, sizeof(ifreq)) < 0) {
radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
&src_ipaddr)) == NULL) {
rad_recv_discard(listener->fd);
RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
-
+
/*
* This is debugging rather than logging, so that
* DoS attacks don't affect us.
RAD_SNMP_CLIENT_INC(listener, client, requests);
fun = rad_authenticate;
break;
-
+
case PW_STATUS_SERVER:
if (!mainconfig.status_server) {
rad_recv_discard(listener->fd);
rad_recv_discard(listener->fd);
RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
RAD_SNMP_CLIENT_INC(listener, client, unknown_types);
-
+
DEBUG("Invalid packet code %d sent to authentication port from client %s port %d : IGNORED",
code, client->shortname, src_port);
return 0;
break;
} /* switch over packet types */
-
+
/*
* Now that we've sanity checked everything, receive the
* packet.
radlog(L_ERR, "%s", librad_errstr);
return 0;
}
-
+
if (!received_request(listener, packet, prequest, client)) {
RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
RAD_SNMP_CLIENT_INC(listener, client, packets_dropped);
char buffer[128];
RADCLIENT *client;
lrad_ipaddr_t src_ipaddr;
-
+
rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
if (rcode < 0) return 0;
&src_ipaddr)) == NULL) {
rad_recv_discard(listener->fd);
RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
-
+
/*
* This is debugging rather than logging, so that
* DoS attacks don't affect us.
RAD_SNMP_CLIENT_INC(listener, client, requests);
fun = rad_accounting;
break;
-
+
case PW_STATUS_SERVER:
if (!mainconfig.status_server) {
rad_recv_discard(listener->fd);
radlog(L_ERR, "%s", librad_errstr);
return 0;
}
-
+
/*
* There can be no duplicate accounting packets.
*/
RADIUS_PACKET *packet;
RAD_REQUEST_FUNP fun = NULL;
char buffer[128];
-
+
packet = rad_recv(listener->fd);
if (!packet) {
radlog(L_ERR, "%s", librad_errstr);
case PW_AUTHENTICATION_REJECT:
fun = rad_authenticate;
break;
-
+
case PW_ACCOUNTING_RESPONSE:
fun = rad_accounting;
break;
-
+
default:
/*
* FIXME: Update MIB for packet types?
data->has_rtt = TRUE;
data->srtt = rtt;
data->rttvar = rtt / 2;
-
+
} else {
data->rttvar -= data->rttvar >> 2;
data->rttvar += (data->srtt - rtt);
data->srtt -= data->srtt >> 3;
data->srtt += rtt >> 3;
}
-
+
/*
* Calculate the time we wait before sending the next
* packet.
*
* rtt / (rtt + delay) = load_factor / 100
*/
- data->delay_time = (data->srtt * (100 - data->load_factor)) / (data->load_factor);
+ data->delay_time = (data->srtt * (100 - data->load_factor)) / (data->load_factor);
/*
* FIXME: Push this delay to the event handler!
rad_assert(data->state == STATE_UNOPENED);
snprintf(buffer, sizeof(buffer), "%s.work", data->filename);
-
+
/*
* Open detail.work first, so we don't lose
* accounting packets. It's probably better to
if (stat(data->filename, &st) < 0) {
return 0;
}
-
+
/*
* Open it BEFORE we rename it, just to
* be safe...
data->filename, strerror(errno));
return 0;
}
-
+
/*
* Rename detail to detail.work
*/
return 0;
}
} /* else detail.work existed, and we opened it */
-
+
rad_assert(data->vps == NULL);
-
+
rad_assert(data->fp == NULL);
data->fp = fdopen(this->fd, "r");
if (!data->fp) {
data->client_ip.af = AF_UNSPEC;
data->timestamp = 0;
-
+
return 1;
}
*/
if (data->state == STATE_HEADER) {
int y;
-
+
if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
data->state = STATE_READING;
}
(vp != NULL)) {
*tail = vp;
tail = &(vp->next);
- }
+ }
}
/*
filename, lineno);
return -1;
}
-
+
if ((data->load_factor < 1) || (data->load_factor > 100)) {
radlog(L_ERR, "%s[%d]: Load factor must be between 1 and 100",
filename, lineno);
return -1;
}
-
+
data->vps = NULL;
data->fp = NULL;
data->state = STATE_UNOPENED;
(rad_snmp.smux_event == SMUX_READ)) {
smux_read();
}
-
+
/*
* If we've got to re-connect, then do so now,
* before calling select again.
#if 0
#ifdef O_NONBLOCK
- if ((flags = fcntl(this->fd, F_GETFL, NULL)) < 0) {
- radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
+ if ((flags = fcntl(this->fd, F_GETFL, NULL)) < 0) {
+ radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
return -1;
}
- flags |= O_NONBLOCK;
- if( fcntl(this->fd, F_SETFL, flags) < 0) {
- radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
+ flags |= O_NONBLOCK;
+ if( fcntl(this->fd, F_SETFL, flags) < 0) {
+ radlog(L_ERR, "Failure in fcntl: %s)\n", strerror(errno));
return -1;
}
#endif
case RAD_LISTEN_DETAIL:
this->data = rad_malloc(sizeof(listen_detail_t));
memset(this->data, 0, sizeof(listen_detail_t));
-
+
default:
break;
}
* We shouldn't be called with a pre-existing list.
*/
rad_assert(head && (*head == NULL));
-
+
last = head;
server_ipaddr.af = AF_UNSPEC;
PW_TYPE_IPADDR,
&server_ipaddr.ipaddr.ip4addr, NULL);
if (rcode < 0) return -1; /* error parsing it */
-
+
if (rcode == 0) { /* successfully parsed IPv4 */
listen_socket_t *sock;
server_ipaddr.af = AF_INET;
sock->ipaddr = server_ipaddr;
sock->port = auth_port;
-
+
if (listen_bind(this) < 0) {
listen_free(&this);
listen_free(head);
auth_port = sock->port; /* may have been updated in listen_bind */
*last = this;
last = &(this->next);
-
+
/*
* Open Accounting Socket.
*
*/
this = listen_alloc(RAD_LISTEN_ACCT);
sock = this->data;
-
+
/*
* Create the accounting socket.
*
*/
sock->ipaddr = server_ipaddr;
sock->port = auth_port + 1;
-
+
if (listen_bind(this) < 0) {
listen_free(&this);
listen_free(head);
int lineno = cf_section_lineno(cs);
listen_type = identity = NULL;
-
+
DEBUG2(" listen {");
rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
this = listen_alloc(type);
this->identity = identity;
this->fd = -1;
-
+
/*
* Call per-type parser.
*/
DEBUG2(" }");
*last = this;
- last = &(this->next);
+ last = &(this->next);
}
/*
return -1;
}
}
-
+
do_snmp:
#ifdef WITH_SNMP
if (mainconfig.do_snmp) {
this = rad_malloc(sizeof(*this));
memset(this, 0, sizeof(*this));
-
+
this->type = RAD_LISTEN_SNMP;
this->fd = rad_snmp.smux_fd;
-
+
this->recv = radius_snmp_recv;
this->print = radius_snmp_print;
this = *head;
while (this) {
rad_listen_t *next = this->next;
-
+
free(this->identity);
/*
}
free(this->data);
free(this);
-
+
this = next;
}
if (mainconfig.radlog_dest == RADLOG_NULL) {
return 0;
}
-
+
/*
* Don't print timestamps to syslog, it does that for us.
* Don't print timestamps for low levels of debugging.
} else if ((fp = fopen(mainconfig.log_file, "a")) == NULL) {
fprintf(stderr, "%s: Couldn't open %s for logging: %s\n",
progname, mainconfig.log_file, strerror(errno));
-
+
fprintf(stderr, " (");
vfprintf(stderr, fmt, ap); /* the message that caused the log */
fprintf(stderr, ")\n");
static const LRAD_NAME_NUMBER str2fac[] = {
#ifdef LOG_KERN
{ "kern", LOG_KERN },
-#endif
+#endif
#ifdef LOG_USER
{ "user", LOG_USER },
#endif
* Copied from exec.c
*/
from = fmt;
- to = myfmt;
+ to = myfmt;
argc = 0;
while (*from) {
int flag, length;
-
+
flag = 0;
argv[argc] = to;
argc++;
-
+
if (argc >= (MAX_ARGV - 1)) break;
-
+
/*
* Copy the argv over to our buffer.
*/
case '%':
if (from[1] == '{') {
*(to++) = *(from++);
-
+
length = rad_copy_variable(to, from);
if (length < 0) {
return -1;
*/
sublen = 0;
}
-
+
argv[i] = to;
to += sublen;
*(to++) = '\0';
PW_TYPE_STRING_PTR, &radlog_dest,
"files");
if (rcode < 0) return -1;
-
+
mainconfig.radlog_dest = lrad_str2int(str2dest, radlog_dest, RADLOG_NUM_DEST);
if (mainconfig.radlog_dest == RADLOG_NUM_DEST) {
fprintf(stderr, "radiusd: Error: Unknown log_destination %s\n",
cf_section_free(&cs);
return -1;
}
-
+
if (mainconfig.radlog_dest == RADLOG_SYSLOG) {
static const CONF_PARSER syslog_config[] = {
{ "log", PW_TYPE_SUBSECTION, 0, NULL, (const void *) log_config},
}
} else if (debug_flag == 0) {
-
+
/*
* Starting the server, WITHOUT "-x" on the
* command-line: use whatever's in the config
else if (strspn(value, "0123456789")==strlen(value)) {
action = atoi(value);
-
+
/*
* Don't allow priority zero, for future use.
*/
int count = 1;
modcallable *p, *q;
modgroup *g = mod_callabletogroup(child);
-
+
stack.pointer++;
/*
case MOD_GROUP:
stack.children[stack.pointer] = g->children;
break;
-
+
/*
* See the "camel book" for why
* this works.
count = 1;
continue;
}
-
+
count++;
-
+
if ((count * (lrad_rand() & 0xffff)) < (uint32_t) 0x10000) {
q = p;
}
}
stack.children[stack.pointer] = q;
break;
-
+
default:
exit(1); /* internal sanity check failure */
break;
}
-
-
+
+
stack.start[stack.pointer] = stack.children[stack.pointer];
DEBUG2("%.*s- entering %s %s",
* to dealing with it's parent.
*/
sp = mod_callabletosingle(child);
-
+
myresult = call_modsingle(component, sp, request,
default_component_results[component]);
DEBUG2("%.*s[%s] returns %s",
stack.children[stack.pointer] = NULL;
goto do_return;
}
-
+
/*
* If "reject", break out of the loop and return
* reject.
stack.children[stack.pointer] = child->next;
} else {
modgroup *g = mod_callabletogroup(parent);
-
+
stack.children[stack.pointer] = g->children;
}
if (stack.children[stack.pointer] == stack.start[stack.pointer]) {
stack.children[stack.pointer] = NULL;
}
break;
- default:
+ default:
exit(1);
}
/*
* As it's sole configuration, the
* virtual module takes a section which
- * contains the
+ * contains the
*/
return do_compile_modsingle(parent,
component,
int component, const char *name)
{
modgroup *g;
-
+
rad_assert(this != NULL);
if (*parent == NULL) {
radlog(L_ERR|L_CONS, "%s[%d] Invalid version in module '%s'",
cffilename, cflineno, module_name);
return NULL;
-
+
}
/* make room for the module type */
ml = compile_modgroup(parent, comp, cs, filename);
if (!ml) {
return 0;
- }
+ }
/*
* We must assign a numeric index to this subcomponent.
if (cf_item_find_next(cs, NULL) == NULL) {
continue; /* section is empty */
}
-
+
DEBUG2(" Module: Instantiating section %s", section_type_value[comp].section);
if (load_component_section(NULL, cs, comp, mainconfig.radiusd_conf) < 0) {
printf("%02x", packet->data[i]);
}
printf("\n");
-
+
if (packet->data_len > 20) {
int total;
const uint8_t *ptr;
if (!lrad_packet_list_insert(pl, &radclient->request)) {
assert(0 == 1);
}
-
+
} else { /* radclient->request->id >= 0 */
time_t now = time(NULL);
*/
if (radclient->tries == retries) {
assert(radclient->request->id >= 0);
-
+
/*
* Delete the request from the tree of
* outstanding requests.
fprintf(stderr, "radclient: no response from server for ID %d socket %d\n", radclient->request->id, radclient->request->sockfd);
deallocate_id(radclient);
-
+
/*
* Normally we mark it "done" when we've received
* the response, but this is a special case.
if ((p - argv[1]) >= sizeof(buffer)) {
usage();
}
-
+
memcpy(buffer, argv[1] + 1, p - argv[1] - 1);
buffer[p - argv[1] - 1] = '\0';
tv.tv_sec = 0;
tv.tv_usec = 1000000/persec;
}
-
+
/*
* Sleep for milliseconds,
* portably.
* Initialize the RADIUS SNMP data structure.
*/
memset(&rad_snmp, 0, sizeof(rad_snmp));
-
+
rad_snmp.auth.ident = radiusd_version;
rad_snmp.acct.ident = radiusd_version;
-
+
rad_snmp.smux_event = SMUX_NONE;
rad_snmp.smux_password = NULL;
rad_snmp.snmp_write_access = FALSE;
/* do nothing */
}
#endif
-
+
/*
* Before doing anything else, check the self pipe.
*/
for (i = 1; i < rcode; i++) {
buffer[0] |= buffer[i];
}
-
+
if ((buffer[0] & (RADIUS_SIGNAL_SELF_EXIT | RADIUS_SIGNAL_SELF_TERM)) != 0) {
DEBUG("Exiting...");
-
+
/*
* Ignore the TERM signal: we're
* about to die.
*/
signal(SIGTERM, SIG_IGN);
-
+
/*
* Send a TERM signal to all
* associated processes
* ignored.)
*/
kill(-radius_pid, SIGTERM);
-
+
/*
* FIXME: Kill child threads, and
* clean up?
*/
-
+
/*
* FIXME: clean up any active REQUEST
* handles.
*/
-
+
/*
* We're exiting, so we can delete the PID
* file. (If it doesn't exist, we can ignore
if (dont_fork == FALSE) {
unlink(mainconfig.pid_file);
}
-
+
radius_event_free();
-
+
/*
* Free the configuration items.
*/
free_mainconfig();
-
+
/*
* Detach any modules.
*/
detach_modules();
-
+
free(radius_dir);
-
+
/*
* SIGTERM gets do_exit=0,
* and we want to exit cleanly.
if (!listener->recv(listener, &fun, &request)) {
continue;
}
-
+
/*
* Drop the request into the thread pool,
* and let the thread pool take care of
/*
* Only clean the thread pool if we're spawning
- * child threads.
+ * child threads.
*
* FIXME: Move this to the event handler!
*/
printf("Acct-Delay-Time = 0\n");
exit(0); /* don't bother printing anything else */
}
-
+
/*
* Initialize mainconfig
*/
if (nas_ip_address != INADDR_NONE) {
if (rt.nas_address != nas_ip_address) continue;
}
-
+
memcpy(session_id, rt.session_id, sizeof(rt.session_id));
session_id[sizeof(rt.session_id)] = 0;
-
+
if (!rawoutput && rt.nas_port > (showname ? 999 : 99999)) {
portind = ">";
portno = (showname ? 999 : 99999);
hostname(buffer, sizeof(buffer),
rt.framed_address));
}
-
+
/*
* Some sanity checks on the time
*/
memcpy(nasname, rt.caller_id,
sizeof(rt.caller_id));
nasname[sizeof(rt.caller_id)] = '\0';
-
+
librad_safeprint(nasname, -1, buffer,
sizeof(buffer));
printf("Calling-Station-Id = \"%s\"\n", buffer);
offsetof(home_server,ping_user_name), NULL, NULL},
{ "password", PW_TYPE_STRING_PTR,
offsetof(home_server,ping_user_password), NULL, NULL},
-
+
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
memset(home, 0, sizeof(*home));
home->name = name2;
-
+
memset(&hs_ip4addr, 0, sizeof(hs_ip4addr));
memset(&hs_ip6addr, 0, sizeof(hs_ip6addr));
cf_section_parse(cs, home, home_server_config);
return 0;
}
- if ((home->type == HOME_TYPE_AUTH) &&
- !home->ping_user_password) {
+ if ((home->type == HOME_TYPE_AUTH) &&
+ !home->ping_user_password) {
radlog(L_INFO, "%s[%d]: You must supply a password to enable ping checks",
filename, cf_section_lineno(cs));
free(home);
filename, cf_pair_lineno(cp), value);
return 0;
}
-
+
if (!home_server_add(filename, server_cs)) {
return 0;
}
DEBUG2(" }");
rad_assert(pool->server_type != 0);
-
+
return 1;
error:
radlog(L_ERR, "%s[%d]: Inconsistent type for home server \"%s\"", filename, lineno, name);
return 0;
}
-
+
/*
* See if the home server is already listed
* in the pool. If so, do nothing else.
/*
* No home server, allocate one.
*/
- if (!home) {
+ if (!home) {
const char *p;
char *q;
free(home);
return 0;
}
-
+
if (!rbtree_insert(home_servers_byaddr, home)) {
rbtree_deletebydata(home_servers_byname, home);
radlog(L_ERR, "%s[%d]: Internal error adding home server %s.",
if (secret) DEBUG2("\tsecret = %s", secret);
return 1;
-
+
}
if (!server_pool_add(filename, pool_cs)) {
return 0;
}
-
+
pool = rbtree_finddata(home_pools_byname, &mypool);
if (!pool) {
rad_assert("Internal sanity check failed");
if (auth_pool_name) DEBUG2("\tauth_pool = %s", auth_pool_name);
if (acct_pool_name) DEBUG2("\tacct_pool = %s", acct_pool_name);
-
+
if ((cf_section_value_find(cs, "nostrip")) != NULL) {
r->striprealm = 0;
DEBUG2("\tnostrip", name2);
pool = NULL;
if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
pool = rd->auth_pool;
-
+
} else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
pool = rd->acct_pool;
}
mytf.pid = pid;
tf = lrad_hash_table_finddata(thread_pool.waiters, &mytf);
if (!tf) continue;
-
+
tf->status = status;
tf->exited = 1;
} while (lrad_hash_table_num_elements(thread_pool.waiters) > 0);
if (thread_pool.num_queued >= thread_pool.max_queue_size) {
pthread_mutex_unlock(&thread_pool.queue_mutex);
-
+
/*
* Mark the request as done.
*/
radlog(L_ERR, "FATAL: Failed to initialize wait mutex: %s",
strerror(errno));
exit(1);
- }
-
+ }
+
/*
* Create the hash table of child PID's
*/
*/
if (!thread_pool.spawn_flag) {
radius_handle_request(request, fun);
-
+
/*
* Requests that care about child process exit
* codes have already either called
tf = rad_malloc(sizeof(*tf));
memset(tf, 0, sizeof(*tf));
-
+
tf->pid = child_pid;
pthread_mutex_lock(&thread_pool.wait_mutex);
pthread_mutex_unlock(&thread_pool.wait_mutex);
if (!tf) return -1;
-
+
for (i = 0; i < 100; i++) {
reap_children();
-
+
if (tf->exited) {
*status = tf->status;
}
usleep(100000); /* sleep for 1/10 of a second */
}
-
+
/*
* 10 seconds have passed, give up on the child.
*/
if (from[1] == '{') {
*(to++) = *(from++);
length++;
-
+
sublen = rad_copy_variable(to, from);
if (sublen < 0) return sublen;
from += sublen;
compare = regexec(®, value, REQUEST_MAX_REGEX + 1,
rxmatch, 0);
regfree(®);
-
+
/*
* Add %{0}, %{1}, etc.
*/
free(p);
continue;
}
-
+
/*
* No previous match
* to delete, stop.
*/
break;
}
-
+
/*
* Copy substring into buffer.
*/
memcpy(buffer, value + rxmatch[i].rm_so,
rxmatch[i].rm_eo - rxmatch[i].rm_so);
buffer[rxmatch[i].rm_eo - rxmatch[i].rm_so] = '\0';
-
+
/*
* Copy substring, and add it to
* the request.
compare = regexec(®, value, REQUEST_MAX_REGEX + 1,
rxmatch, 0);
regfree(®);
-
+
if (compare != 0) return 0;
return -1;
ret = memcmp(&vp->vp_ipv6addr, &check->vp_ipv6addr,
sizeof(vp->vp_ipv6addr));
break;
-
+
case PW_TYPE_IPV6PREFIX:
ret = memcmp(&vp->vp_ipv6prefix, &check->vp_ipv6prefix,
sizeof(vp->vp_ipv6prefix));
break;
-
+
case PW_TYPE_IFID:
ret = memcmp(&vp->vp_ifid, &check->vp_ifid,
sizeof(vp->vp_ifid));
/*
* %{Attribute-Name[*]} returns ALL of the
* the attributes, separated by a newline.
- */
+ */
if ((p[1] == '*') && (p[2] == ']')) {
int total = 0;
total += count + 1;
outlen -= (count + 1);
out += count;
-
+
*(out++) = '\n';
if (outlen == 0) break;
return total;
}
-
+
count = atoi(p + 1);
/*
case PW_PACKET_TYPE:
{
DICT_VALUE *dval;
-
+
dval = dict_valbyattr(da->attr, packet->code);
if (dval) {
snprintf(out, outlen, "%s", dval->name);
localvp.attribute = da->attr;
localvp.vp_ipaddr = packet->src_ipaddr.ipaddr.ip4addr.s_addr;
break;
-
+
case PW_PACKET_DST_IP_ADDRESS:
if (packet->dst_ipaddr.af != AF_INET) {
return 0;
localvp.attribute = da->attr;
localvp.vp_ipaddr = packet->dst_ipaddr.ipaddr.ip4addr.s_addr;
break;
-
+
case PW_PACKET_SRC_PORT:
localvp.attribute = da->attr;
localvp.vp_integer = packet->src_port;
break;
-
+
case PW_PACKET_DST_PORT:
localvp.attribute = da->attr;
localvp.vp_integer = packet->dst_port;
strlcpy(out, "server_core", outlen);
}
return strlen(out);
-
+
case PW_PACKET_SRC_IPV6_ADDRESS:
if (packet->src_ipaddr.af != AF_INET6) {
return 0;
&packet->src_ipaddr.ipaddr.ip6addr,
sizeof(packet->src_ipaddr.ipaddr.ip6addr));
break;
-
+
case PW_PACKET_DST_IPV6_ADDRESS:
if (packet->dst_ipaddr.af != AF_INET6) {
return 0;
&packet->dst_ipaddr.ipaddr.ip6addr,
sizeof(packet->dst_ipaddr.ipaddr.ip6addr));
break;
-
+
case PW_SERVER_IDENTITY:
if (!request->listener || !request->listener->identity) return 0;
snprintf(out, outlen, "%s", request->listener->identity);
return strlen(out);
break;
-
+
default:
return 0; /* not found */
break;
*/
fmt = fmt; /* -Wunused */
func = func; /* -Wunused FIXME: do escaping? */
-
+
regex = request_data_reference(request, request,
REQUEST_DATA_REGEX | *(int *)instance);
if (!regex) return 0;
p += 2;
xlat_string = xlat_name;
goto do_xlat;
-
+
} else { /* module name, followed by per-module string */
int stop = 0;
int delimitbrace = *open_p;
openbraces++;
p++;
}
-
+
xlat_string = rad_malloc(strlen(p) + 1); /* always returns */
free_xlat_string = TRUE;
pa = xlat_string;
-
+
/*
* Copy over the rest of the string, which is per-module
* data.
*pa++ = *p++;
}
break;
-
+
case ' ':
case '\t':
spaces = TRUE;
p += 2;
}
}
-
+
/*
* Look up almost everything in the new tree of xlat
* functions. This makes it a little quicker...
p++; /* skip the character */
}
}
-
+
done:
if (free_xlat_string) free(xlat_string);
AC_PREREQ([2.53])
AC_INIT(rlm_acctlog.c)
AC_REVISION(0.1)
-AC_DEFUN(modname,[rlm_acctlog])
+AC_DEFUN(modname,[rlm_acctlog])
if test x$with_[]modname != xno; then
[ fail=$fail" stdio.h" ]
)
- targetname=modname
+ targetname=modname
else
- targetname=
- echo \*\*\* module modname is disabled.
+ targetname=
+ echo \*\*\* module modname is disabled.
fi
dnl Don't change this section.
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
-AC_SUBST(acctlog_cflags)
+AC_SUBST(acctlog_cflags)
AC_SUBST(acctlog_ldflags)
-AC_SUBST(targetname)
-AC_OUTPUT(Makefile)
+AC_SUBST(targetname)
+AC_OUTPUT(Makefile)
static int acctlog_detach(void *instance)
-{
+{
rlm_acctlog_t *inst = instance;
-
-
+
+
free(inst);
return 0;
}
case PW_STATUS_ACCOUNTING_OFF:
radius_xlat(logstr, sizeof(logstr), inst->acctoff, request, NULL);
break;
-
+
}
if (strlen(logstr))
{
VALUE_PAIR *tmp;
tmp = radius_paircreate(request, to, item->attribute, item->type);
-
+
/*
* Copy EVERYTHING.
*/
for (vp = *input; vp != NULL; vp = vp->next ) {
/* reset the pass,fail vars for each reply item */
pass = fail = 0;
-
+
/*
* reset the check_item pointer to
* beginning of the list
&pass, &fail);
}
}
-
+
/* only move attribute if it passed all rules */
if (fail == 0 && pass > 0) {
if (mypairappend(request, vp, output_tail) < 0) {
output_tail = &((*output_tail)->next);
}
}
-
+
/* If we shouldn't fall through, break */
if (!fall_through)
break;
if test "$ac_cv_header_regex_h" != "yes"; then
AC_MSG_RESULT(no regex.h)
[ fail=$fail" regex.h" ]
- fi
+ fi
targetname=modname
else
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
DEBUG2("rlm_attr_rewrite: regcomp() returned error: %s",err_msg);
return ret;
}
-
+
if ((attr_vp->type == PW_TYPE_IPADDR) &&
(attr_vp->vp_strvalue[0] == '\0')) {
inet_ntop(AF_INET, &(attr_vp->vp_ipaddr),
typedef struct rlm_caching_t {
char *filename; /* name of the database file */
char *key; /* An xlated string to use as key for the records */
- char *post_auth; /* If set and we find a cached entry, set Post-Auth to this value */
+ char *post_auth; /* If set and we find a cached entry, set Post-Auth to this value */
char *cache_ttl_str; /* The string represantation of the TTL */
int cache_ttl; /* The cache TTL */
int hit_ratio; /* Show cache hit ratio every so many queries */
VALUE_PAIR *auth_type;
rlm_caching_data cache_data;
int count = 0;
- int ret = 0;
+ int ret = 0;
int size = 0;
int rcode = 0;
}
if (delete_cache){
DEBUG("rlm_caching: Deleting record");
-
+
pthread_mutex_lock(&data->mutex);
gdbm_delete(data->gdbm, key_datum);
pthread_mutex_unlock(&data->mutex);
else{
DEBUG("rlm_caching: No reply items found. Returning NOOP");
return RLM_MODULE_NOOP;
- }
+ }
if (cache_data.auth_type){
DEBUG("rlm_caching: Adding Auth-Type '%s'",cache_data.auth_type);
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
not found. this version must use sync by default.
#endif
], [
- AC_DEFINE(NEED_GDBM_SYNC, yes, [do we need GDBM_SYNC])
+ AC_DEFINE(NEED_GDBM_SYNC, yes, [do we need GDBM_SYNC])
AC_MSG_RESULT(needs it.)
], [
AC_MSG_RESULT(SYNCs by default.)
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
print $user, "\t\t", "Counter reset to ", $reset * $divisor, "\n";
}
}else{
- print $user, "\t\t", "Not found\n";
+ print $user, "\t\t", "Not found\n";
}
undef $db;
}
data->reply_attr = dattr->attr;
}
-
+
/*
* Create a new attribute for the counter.
fi
if test x"$fail" != x""; then
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
if test x"${enable_strict_dependencies}" = x"yes"; then
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
char buffer[1024];
while (vp != NULL) {
vp_prints(buffer, sizeof(buffer), vp);
-
+
printf("\t%s\n", buffer);
vp = vp -> next;
}
DICT_ATTR *da;
if (!cf_item_is_pair(ci)) continue;
-
+
attr = cf_pair_attr(cf_itemtopair(ci));
if (!attr) continue; /* pair-anoia */
dst_vp.vp_ipaddr = packet->dst_ipaddr.ipaddr.ip4addr.s_addr;
break;
case AF_INET6:
- src_vp.type = PW_TYPE_IPV6ADDR;
+ src_vp.type = PW_TYPE_IPV6ADDR;
src_vp.attribute = PW_PACKET_SRC_IPV6_ADDRESS;
memcpy(src_vp.vp_strvalue,
&packet->src_ipaddr.ipaddr.ip6addr,
sizeof(packet->src_ipaddr.ipaddr.ip6addr));
- dst_vp.type = PW_TYPE_IPV6ADDR;
+ dst_vp.type = PW_TYPE_IPV6ADDR;
dst_vp.attribute = PW_PACKET_DST_IPV6_ADDRESS;
memcpy(dst_vp.vp_strvalue,
&packet->dst_ipaddr.ipaddr.ip6addr,
* Assume MD5 if no Digest-Algorithm attribute received
*/
algo = pairfind(request->packet->vps, PW_DIGEST_ALGORITHM);
- if ((algo == NULL) ||
+ if ((algo == NULL) ||
(strcasecmp(algo->vp_strvalue, "MD5") == 0)) {
/*
* Set A1 to Digest-HA1 if no User-Password found
* Compute MD5 if Digest-Algorithm == "MD5-Sess",
* or if we found a User-Password.
*/
- if (((algo != NULL) &&
+ if (((algo != NULL) &&
(strcasecmp(algo->vp_strvalue, "MD5-Sess") == 0)) ||
(passwd->attribute == PW_CLEARTEXT_PASSWORD)) {
a1[a1_len] = '\0';
AC_CONFIG_SUBDIRS($eapsubdirs)
rm install-sh
- dnl #
+ dnl #
dnl # Don't bother looking for errors in the child directories
- dnl #
+ dnl #
targetname=modname
else
AC_MSG_WARN([silently not building ]modname[.])
AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.])
if test x"$headersuggestion" != x; then
- AC_MSG_WARN([$headersuggestion])
+ AC_MSG_WARN([$headersuggestion])
fi
if test x"$libsuggestion" != x; then
- AC_MSG_WARN([$libsuggestion])
+ AC_MSG_WARN([$libsuggestion])
fi
targetname=""
eapsubdirs=""
DEBUG2(" rlm_eap: Request is supposed to be proxied to Realm %s. Not doing EAP.", proxy->vp_strvalue);
return EAP_NOOP;
}
-
+
DEBUG2(" rlm_eap: Got EAP_START message");
if ((eap_ds = eap_ds_alloc()) == NULL) {
DEBUG2(" rlm_eap: EAP Start failed in allocation");
return EAP_FAIL;
}
-
+
/*
* It's an EAP-Start packet. Tell them to stop wasting
* our time, and give us an EAP-Identity packet.
*/
eap_ds->request->code = PW_EAP_REQUEST;
eap_ds->request->type.type = PW_EAP_IDENTITY;
-
+
/*
* We don't have a handler, but eap_compose needs one,
* (for various reasons), so we fake it out here.
memset(&handler, 0, sizeof(handler));
handler.request = request;
handler.eap_ds = eap_ds;
-
+
eap_compose(&handler);
-
+
eap_ds_free(&eap_ds);
return EAP_FOUND;
} /* end of handling EAP-Start */
DEBUG2(" rlm_eap: Ignoring Unknown EAP type");
return EAP_NOOP;
}
-
+
/*
* They're NAKing the EAP type we wanted to use, and
* asking for one which we don't support.
#define ATTRIBUTE_EAP_SIM_RAND1 1201
#define ATTRIBUTE_EAP_SIM_RAND2 1202
#define ATTRIBUTE_EAP_SIM_RAND3 1203
-
+
#define ATTRIBUTE_EAP_SIM_SRES1 1204
#define ATTRIBUTE_EAP_SIM_SRES2 1205
#define ATTRIBUTE_EAP_SIM_SRES3 1206
-
+
#define ATTRIBUTE_EAP_SIM_STATE 1207
#define ATTRIBUTE_EAP_SIM_IMSI 1208
#define ATTRIBUTE_EAP_SIM_HMAC 1209
#define ATTRIBUTE_EAP_SIM_KEY 1210
#define ATTRIBUTE_EAP_SIM_EXTRA 1211
-
+
#define ATTRIBUTE_EAP_SIM_KC1 1212
#define ATTRIBUTE_EAP_SIM_KC2 1213
#define ATTRIBUTE_EAP_SIM_KC3 1214
unsigned int size);
unsigned int (*record_minus)(record_t *buf, void *ptr,
unsigned int size);
-
+
/*
* Framed-MTU attribute in RADIUS,
{
int status;
VALUE_PAIR *state;
-
+
rad_assert(handler != NULL);
rad_assert(handler->request != NULL);
node = rbtree_find(inst->session_tree, handler);
rad_assert(node != NULL);
rbtree_delete(inst->session_tree, node);
-
+
inst->session_head = handler->next;
if (handler->next) handler->next->prev = NULL;
eap_handler_free(handler);
eap_ds_free(&(handler->prev_eapds));
handler->prev_eapds = handler->eap_ds;
handler->eap_ds = NULL;
-
+
return handler;
}
pairadd(&(request->proxy->vps), vp);
}
}
-
+
/*
* Delete the "proxied to" attribute, as it's
* set to 127.0.0.1 for tunneled requests, and
* The MS-Length field is 5 + value_size + length
* of name, which is put after the response.
*/
- if (((eap_ds->response->type.data[2] << 8) |
+ if (((eap_ds->response->type.data[2] << 8) |
eap_ds->response->type.data[3]) < (5 + 49)) {
radlog(L_ERR, "rlm_eap_mschapv2: Response contains contradictory length %d %d",
- (eap_ds->response->type.data[2] << 8) |
+ (eap_ds->response->type.data[2] << 8) |
eap_ds->response->type.data[3], 5 + 49);
return 0;
}
char *username = NULL;
eap_tunnel_data_t *tunnel;
rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg;
-
+
/*
* Set up the callbacks for the tunnel
*/
tunnel = rad_malloc(sizeof(*tunnel));
memset(tunnel, 0, sizeof(*tunnel));
-
+
tunnel->tls_session = arg;
tunnel->callback = mschap_postproxy;
-
+
/*
* Associate the callback with the request.
*/
* FIXME: Check the return code.
*/
tls_handshake_send(tls_session);
-
+
return 1;
}
if (debug_flag > 0) {
printf(" PEAP: Processing from tunneled session code %p %d\n",
reply, reply->code);
-
+
for (vp = reply->vps; vp != NULL; vp = vp->next) {
putchar('\t');vp_print(stdout, vp);putchar('\n');
}
*/
pairdelete(&reply->vps, PW_PROXY_STATE);
pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR);
-
+
t->accept_vps = reply->vps;
reply->vps = NULL;
}
fake = (REQUEST *) request_data_get(handler->request,
handler->request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK);
-
+
/*
* Do the callback, if it exists, and if it was a success.
*/
if (debug_flag > 0) {
printf(" PEAP: Final reply from tunneled session code %d\n",
fake->reply->code);
-
+
for (vp = fake->reply->vps; vp != NULL; vp = vp->next) {
putchar('\t');vp_print(stdout, vp);putchar('\n');
}
eaptls_fail(handler->eap_ds, 0);
return 0;
break;
-
+
default: /* Don't Do Anything */
DEBUG2(" PEAP: Got reply %d",
request->proxy_reply->code);
break;
- }
+ }
}
request_free(&fake); /* robust if fake == NULL */
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK,
fake, my_request_free);
rad_assert(rcode == 0);
-
+
/*
* Do NOT free the fake request!
*/
(tls_session->record_plus)(&tls_session->clean_in,
&eap_packet, sizeof(eap_packet));
-
+
tls_handshake_send(tls_session);
(tls_session->record_init)(&tls_session->clean_in);
}
/**
*@memo Implementation of the modified counter mode
- *@doc
- *@author A. MAGNIEZ (FT R&D - DTL/SSR)
+ *@doc
+ *@author A. MAGNIEZ (FT R&D - DTL/SSR)
*
* Copyright 2006 The FreeRADIUS server project
*/
int i; // iterator
char hexstr[1024];
byte buf[16];
-
+
sizeBlock=E->blockSize();
nbOutputBlocks=nb;
-
+
// allocate memory for the output blocks
outputBlocks=(byte *)malloc(sizeBlock*nbOutputBlocks);
if(outputBlocks==NULL){
return 0;
}
-
+
// debug traces
pskConvertHex((char *)K, (char *)&hexstr, sizeBlock);
DEBUG2("SOBMMO::initialize: K=");
DEBUG2((char *)&hexstr);
-
+
pskConvertHex((char *)inputBlock, (char *)&hexstr, sizeBlock);
DEBUG2("SOBMMO::initialize: inputBlock=");
DEBUG2((char *)&hexstr);
-
+
pskConvertHex((char *)counterValues, (char *)&hexstr, sizeBlock*nbOutputBlocks);
DEBUG2("SOBMMO::initialize: counterValues=");
DEBUG2((char *)&hexstr);
-
+
E->makeKey(K,sizeBlock,DIR_ENCRYPT);
E->encrypt(inputBlock,outputBlocks);
-
+
// duplicate the first result
for(i=1;i<nbOutputBlocks;i++)
{
memcpy(outputBlocks+i*sizeBlock,outputBlocks,sizeBlock);
}
-
+
pskConvertHex((char *)outputBlocks, (char *)&hexstr, nbOutputBlocks*sizeBlock);
DEBUG2("SOBMMO::initialize: outputBlocks before XOR=");
DEBUG2((char *)&hexstr);
-
+
// XOR counter values
for(i=0;i<(nbOutputBlocks*sizeBlock);i++)
{
*(outputBlocks+i)=(*(outputBlocks+i))^(*(counterValues+i));
}
-
+
pskConvertHex((char *)outputBlocks, (char *)&hexstr, nbOutputBlocks*sizeBlock);
DEBUG2("SOBMMO::initialize: outputBlocks after XOR=");
DEBUG2((char *)&hexstr);
-
+
// in order to check that AES(K,M) is valid
E->encrypt(outputBlocks,buf);
pskConvertHex((char *)buf, (char *)&hexstr, 16);
DEBUG2("SOBMMO::initialize: buf=");
DEBUG2((char *)&hexstr);
-
+
// produce each output block
for(i=0;i<nbOutputBlocks;i++)
{
E->encrypt(outputBlocks+i*sizeBlock,outputBlocks+i*sizeBlock); // Be careful, pt=ct !!! TBTested
}
-
+
pskConvertHex((char *)outputBlocks, (char *)&hexstr, nbOutputBlocks*sizeBlock);
DEBUG2("SOBMMO::initialize: produced output blocks=");
DEBUG2((char *)&hexstr);
-
+
return 1;
-
+
}
*/
byte* SOBMMO::getOutputBlock(int id){
byte* output=NULL;
-
+
if(id<1 || id>nbOutputBlocks) {
return NULL;
}
-
+
output=(byte*)malloc(sizeBlock);
if(output==NULL){
return NULL;
*
* Implementation of the EAP-PSK packet management
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
/*
*
- * PSK Packet Format in EAP
+ * PSK Packet Format in EAP
* --- ------ ------ -- ---
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
int pskGetRandomBytes(void *buf, int nbytes){
FILE *fptr=NULL;
int written=0;
-
+
if((fptr = fopen("/dev/urandom","r")) == NULL) {
radlog(L_ERR,"pskGetRandomBytes: urandom device not accessible");
return 0;
}
-
+
if((written = fread(buf,1,nbytes,fptr)) != nbytes) {
radlog(L_ERR,"pskGetRandomBytes: number not generated");
return 0;
- }
-
+ }
+
fclose(fptr);
-
+
return 1;
}
*
* Implementation of the EAP-PSK packet management
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
unsigned int maxDelay; // the maximum interval in seconds between two correct responses
} PSK_CONF;
-
+
// data format of the first EAP-PSK message
typedef struct psk_message_1 {
unsigned char rand_s[PSK_RANDOM_NUMBER_SIZE];
}psk_message_4;
-/**
+/**
*@memo this function converts a string into hexa
*@param inbytes, pointer to a string
*@param outstr, pointer to the hexa conversion
int pskHex2Bin(const char *hex, unsigned char *bin, int numbytes);
-/**
+/**
*@memo this function delivers random bytes
*@param buf, pointer to the buffer to fill
*@param nbytes, number of bytes to generate
*@return 0 if an error has occured
*/
int pskGetRandomBytes(void *buf, int nbytes);
-
+
#if defined(__cplusplus)
}
*
* Implementation of the Server State Machine (SSM)
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
#include "userinfo.h"
-/* PSK Packet Format in EAP
+/* PSK Packet Format in EAP
* --- ------ ------ -- ---
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Code | Identifier | Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * | Type | Data
+ * | Type | Data
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-
*/
radlog(L_ERR,"rlm_eap_psk: Cannot authenticate without EAP-PSK configuration and session information");
return 0;
}
-
+
if(recvPacket && (recvPacket->code!=PW_EAP_RESPONSE || recvPacket->type.type!=EAPPSK_TYPE))
{
radlog(L_ERR,"pskProcess: EAP-PSK Response expected");
return 0;
- }
+ }
switch(session->state)
{
case INIT: return pskInit(conf,session,sentPacket);
case RANDSENT:
if(recvPacket) return pskRandSent(conf,session, recvPacket,sentPacket);
- case PCHANNEL:
+ case PCHANNEL:
if(recvPacket) return pskPChannel(conf,session,recvPacket,sentPacket);
default:
radlog(L_ERR,"pskProcess: Impossible to process the EAP-PSK authentication");
int pskInit(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *sentPacket){
char hexstr[1024];
-
+
session->nbRetry=0;
session->pChannelReplayCounter=0;
session->authStatus=PSK_STATUS_CONT;
session->isSupportedExt=1;
session->extType=0;
-
+
sentPacket->code=PW_EAP_REQUEST;
sentPacket->length=PSK_RANDOM_NUMBER_SIZE+EAP_HEADER_SIZE;
sentPacket->type.type=EAPPSK_TYPE;
sentPacket->type.length=PSK_RANDOM_NUMBER_SIZE;
sentPacket->type.data=NULL;
sentPacket->type.data=(unsigned char*)malloc(PSK_RANDOM_NUMBER_SIZE);
-
+
if(sentPacket->type.data==NULL)
{
radlog(L_ERR,"pskInit: Out of memory");
return 0;
}
-
+
// generate a 128-bit random value and put this value in session->rand_s
if(!pskGetRandomBytes(sentPacket->type.data,PSK_RANDOM_NUMBER_SIZE)) {
radlog(L_ERR,"pskInit: problem during random number generation");
return 0;
}
-
+
pskConvertHex((char *)sentPacket->type.data, (char *)hexstr,PSK_RANDOM_NUMBER_SIZE);
DEBUG2("pskInit: random number RA :");
DEBUG2((char *)hexstr);
-
+
// save this value in session information
memcpy(session->rand_s,sentPacket->type.data,PSK_RANDOM_NUMBER_SIZE);
-
+
session->state=RANDSENT;
-
+
return 1;
-
+
}
int pskRandSent(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *recvPacket, EAP_PACKET *sentPacket){
-
+
/* the received packet is shown below
- *
+ *
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
psk_message_3 *psk_msg_3;
int identitySize;
char hexstr[1024];
-
+
unsigned char buffer[PSK_MAC_SIZE];
unsigned char *data;
unsigned char *ptr;
unsigned char buftmp[PSK_AK_SIZE+PSK_KDK_SIZE];
-
+
//user profile
userinfo_t* uinfo = NULL;
-
+
char **psk_vals;
char *psk_val;
int i=0;
// for the mac calculation
OMAC om;
AES c;
-
+
// for the key derivation
SOBMMO sob;
unsigned char *block;
// counter values
- unsigned char counterValues[]={
+ unsigned char counterValues[]={
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x07,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x08,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09};
-
+
// for the pchannel
unsigned char nn[PSK_RANDOM_NUMBER_SIZE];
// the packet is malformed
DEBUG2("pskPChannel: the packet is malformed: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
+
return 1;
}
-
+
// retrieve the identity of the peer, ID_P
identitySize=recvPacket->length-(EAP_HEADER_SIZE+PSK_RANDOM_NUMBER_SIZE+PSK_MAC_SIZE);
session->id_p=(unsigned char *)malloc(identitySize+1);
}
psk_msg_2=(psk_message_2*)recvPacket->type.data;
memcpy(session->id_p,&(psk_msg_2->id_p),identitySize);
- session->id_p[identitySize]='\0';
+ session->id_p[identitySize]='\0';
// search the peer identity in the user file whose path is conf->usersFilePath
-
+
uinfo = pskGetUserInfo((char*)conf->usersFilePath, (char*)session->id_p);
if (uinfo)
{
-
+
DEBUG2("pskRandSent: identity successfully checked");
DEBUG2("pskRandSent: saving peer information");
-
- // save keys
+
+ // save keys
memcpy(session->ak,uinfo->AK,PSK_AK_SIZE);
memcpy(session->kdk,uinfo->KDK,PSK_KDK_SIZE);
-
+
DEBUG2("pskRandSent: found user %s in %s",session->id_p, conf->usersFilePath);
-
+
free(uinfo);
-
+
} else {
-
+
// the peer identity wasn't found
DEBUG2("pskRandSent: the peer identity isn't valid");
DEBUG2("pskRandSent: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
- return 1;
+
+ return 1;
}
-
+
// calculate the following MAC: MAC(session->ak, ID_P || conf->id_s || session->rand_s || RAND_P)
-
+
// making the formula
data=(unsigned char *)malloc(strlen((char*)session->id_p)+strlen((char*)conf->id_s)+2*PSK_RANDOM_NUMBER_SIZE);
if(data==NULL) {
memcpy(ptr,session->rand_s,PSK_RANDOM_NUMBER_SIZE);
ptr+=PSK_RANDOM_NUMBER_SIZE;
memcpy(ptr,psk_msg_2->rand_p,PSK_RANDOM_NUMBER_SIZE);
-
+
pskConvertHex((char *)data, (char *)hexstr,strlen((char*)session->id_p)+strlen((char*)conf->id_s)+2*PSK_RANDOM_NUMBER_SIZE);
DEBUG2("pskRandSent: [B||A||RA||RB] :");
DEBUG2((char *)hexstr);
-
+
pskConvertHex((char *)(session->ak), (char *)hexstr,PSK_AK_SIZE);
DEBUG2("pskRandSent: AK :");
DEBUG2((char *)hexstr);
om.update(data,strlen((char*)session->id_p)+strlen((char*)conf->id_s)+2*PSK_RANDOM_NUMBER_SIZE);
om.final(buffer);
free(data);
-
+
pskConvertHex((char *)buffer, (char *)hexstr,PSK_MAC_SIZE);
DEBUG2("pskRandSent: MAC of [B||A||RA||RB] :");
DEBUG2((char *)hexstr);
-
+
if(memcmp(buffer,psk_msg_2->mac_p,PSK_MAC_SIZE))
{
DEBUG2("pskRandSent: the received MAC attribute isn't correct");
DEBUG2("pskRandSent: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
+
return 1;
}
-
+
DEBUG2("pskRandSent: the received MAC attribute is correct");
-
+
// KEY DERIVATION
-
+
// initialize the sobmmo
sob.initialize(session->kdk,&c,psk_msg_2->rand_p,9,counterValues);
-
+
// get the TEK
block=sob.getOutputBlock(1);
memcpy(session->tek,block,PSK_TEK_SIZE);
free(block);
-
+
pskConvertHex((char *)session->tek, (char *)hexstr, PSK_TEK_SIZE);
DEBUG2("pskRandSent: TEK :");
DEBUG2((char *)hexstr);
-
+
// get the MSK
for(int i=0;i<4;i++)
{
memcpy(&session->msk[i*16],block,16);
free(block);
}
-
+
pskConvertHex((char *)session->msk, (char *)hexstr, PSK_MSK_SIZE);
DEBUG2("pskRandSent: MSK :");
DEBUG2((char *)hexstr);
-
+
// get the EMSK
for(int i=0;i<4;i++)
{
memcpy(&session->emsk[i*16],block,16);
free(block);
}
-
+
pskConvertHex((char *)session->emsk, (char *)hexstr, PSK_EMSK_SIZE);
DEBUG2("pskRandSent: EMSK :");
DEBUG2((char *)hexstr);
-
-
+
+
// obtain the mac of [A||RB]
data=(unsigned char *)malloc(strlen((char*)conf->id_s)+PSK_RANDOM_NUMBER_SIZE);
if(data==NULL) {
}
memcpy(data,conf->id_s,strlen((char*)conf->id_s));
memcpy(data+strlen((char*)conf->id_s),psk_msg_2->rand_p,PSK_RANDOM_NUMBER_SIZE);
-
+
pskConvertHex((char *)data, (char *)hexstr,strlen((char*)conf->id_s)+PSK_RANDOM_NUMBER_SIZE);
DEBUG2("pskRandSent: [A||RB] :");
DEBUG2((char *)hexstr);
-
+
c.makeKey(session->ak,PSK_AK_SIZE,DIR_ENCRYPT);
om.init(&c);
om.update(data,strlen((char*)conf->id_s)+PSK_RANDOM_NUMBER_SIZE);
om.final(buffer);
free(data);
-
+
pskConvertHex((char *)&buffer, (char *)hexstr,16);
DEBUG2("pskRandSent: MAC of [A||RB] :");
DEBUG2((char *)hexstr);
-
+
if(session->extType==0)
{
// standard authentication
-
+
sentPacket->code=PW_EAP_REQUEST;
sentPacket->length=EAP_HEADER_SIZE+2*PSK_MAC_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+1;
sentPacket->type.type=EAPPSK_TYPE;
sentPacket->type.length=2*PSK_MAC_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+1;
sentPacket->type.data=NULL;
sentPacket->type.data=(unsigned char*)malloc(2*PSK_MAC_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+1);
-
+
if(sentPacket->type.data==NULL)
{
radlog(L_ERR,"pskRandSent: Out of memory");
// add to sentPacket the following MAC: MAC(session->AK, conf->id_s || RAND_P)
memcpy(psk_msg_3->mac_s,buffer,PSK_MAC_SIZE);
- // add to sentPacket the following information:
+ // add to sentPacket the following information:
// R = DONE_SUCCESS (the R flag is equal to session->authStatus)
// E=0
psk_msg_3->nonce=htonl(session->pChannelReplayCounter);
-
+
// calculate the EAP header
eapHeader[0]=sentPacket->code;
eapHeader[1]=(recvPacket->id)+1; // we suppose that the identifier is incremented by 1
pskConvertHex((char *)eapHeader, (char *)hexstr,EAP_HEADER_SIZE);
DEBUG2("pskRandSent: eapHeader :");
DEBUG2((char *)hexstr);
-
+
// the replay counter is the least significant bytes of the nonce !
memset(nn,0,PSK_RANDOM_NUMBER_SIZE);
memcpy(&nn[PSK_RANDOM_NUMBER_SIZE-PSK_PCHANNEL_REPLAY_COUNTER_SIZE],&(psk_msg_3->nonce),PSK_PCHANNEL_REPLAY_COUNTER_SIZE);
session->authStatus=PSK_STATUS_DONE_SUCCESS;
// EAX encryption
-
+
eax.initialize(session->tek, PSK_TEK_SIZE, AES_BLOCKSIZE, &c);
eax.provideNonce((byte*)nn,PSK_RANDOM_NUMBER_SIZE);
eax.provideHeader((byte*)eapHeader,EAP_HEADER_SIZE);
eax.computeCiphertext((byte*)&(session->authStatus),sizeof(session->authStatus),(byte*)&(psk_msg_3->flags));
eax.computeTag((byte*)psk_msg_3->tag);
-
- // !!! BE CAREFUL !!!
+
+ // !!! BE CAREFUL !!!
// the authorization isn't taken into account in this implementation
// that's why R=DONE_SUCCESS
-
+
} else {
// extended authentication
-
+
// !!!!! NOT IMPLEMENTED !!!!!!
return 0;
// the sentPacket must be a EAP_Failure packet
return 1;
}
-
+
// add to sentPacket the following information:
// R = CONT or DONE_FAILURE or DONE_SUCCESS thanks to session->authStatus
// E = 1
// EXT_Type=session->extType
// EXT_payload=payloadOut
-
+
*/
-
- }
+
+ }
session->pChannelReplayCounter++;
session->state=PCHANNEL;
-
+
return 1;
-
+
}
AES c;
bool st;
unsigned char flags;
-
+
if(recvPacket->length<(EAP_HEADER_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+PSK_MAC_SIZE+1))
- {
+ {
// the packet is malformed
// the session->nbRetry isn't incremented
// sentPacket must be the previous request sent by the server ###### PB TIMER ########
-
+
DEBUG2("pskPChannel: receiving a invalid EAP-PSK packet: the packet is malformed");
DEBUG2("pskPChannel: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
- return 1;
+
+ return 1;
}
-
-
+
+
psk_msg_4=(psk_message_4*)recvPacket->type.data;
DEBUG2("pskPChannel: receiving a invalid EAP-PSK packet: the replay counter isn't valid");
DEBUG2("pskPChannel: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
- return 1;
+
+ return 1;
}
-
+
// decrypt the received packet with the EAX mode and check the EAP header
// calculate the EAP header
eapHeader[0]=recvPacket->code;
eapHeader[1]=recvPacket->id;
-
+
recvPacket->length=htons(recvPacket->length);
memcpy(&(eapHeader[2]),&(recvPacket->length),2);
recvPacket->length=ntohs(recvPacket->length);
-
+
eapHeader[4]=recvPacket->type.type;
-
+
// the replay counter is the least significant bytes of the nonce !
memset(nn,0,PSK_RANDOM_NUMBER_SIZE);
memcpy(&nn[PSK_RANDOM_NUMBER_SIZE-PSK_PCHANNEL_REPLAY_COUNTER_SIZE],&(psk_msg_4->nonce),PSK_PCHANNEL_REPLAY_COUNTER_SIZE);
// EAX encryption
-
+
eax.initialize(session->tek, PSK_TEK_SIZE, AES_BLOCKSIZE, &c);
-
+
eax.provideNonce((byte*)nn,PSK_RANDOM_NUMBER_SIZE);
eax.provideHeader((byte*)eapHeader,EAP_HEADER_SIZE);
eax.provideCiphertext((byte*)&(psk_msg_4->flags),sizeof(psk_msg_4->flags));
st=eax.checkTag((byte*)psk_msg_4->tag);
-
+
if(!st){
// the decryption ends by a failure
-
+
DEBUG2("pskPChannel: receiving a invalid EAP-PSK packet: the decryption fails");
DEBUG2("pskPChannel: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
- return 1;
+
+ return 1;
}
-
+
eax.computePlaintext((byte*)&(psk_msg_4->flags),sizeof(psk_msg_4->flags),(byte*)&flags);
-
+
if((((flags & PSK_IS_EXT)==PSK_IS_EXT) && recvPacket->length<(EAP_HEADER_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+PSK_MAC_SIZE+2)) || (((flags & PSK_IS_EXT)==0) && recvPacket->length!=(EAP_HEADER_SIZE+PSK_PCHANNEL_REPLAY_COUNTER_SIZE+PSK_MAC_SIZE+1)))
{
// the packet is malformed
DEBUG2("pskPChannel: the packet is malformed: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
+
return 1;
}
-
+
if(session->extType==0 && ((flags & PSK_IS_EXT)==PSK_IS_EXT))
{
// error: standard authentication awaited
// the authentication must fail
// the sentPacket must be a EAP_Failure packet
-
+
DEBUG2("pskPChannel: the packet is malformed: the authentication must fail");
sentPacket->code=PW_EAP_FAILURE;
-
+
return 1;
}
if((flags & PSK_IS_EXT)==0)
{
// standard authentication
-
+
if(((flags & PSK_STATUS_DONE_SUCCESS)==PSK_STATUS_DONE_SUCCESS) && session->authStatus==PSK_STATUS_DONE_SUCCESS)
{
// sentPacket must be an EAP_Success packet
sentPacket->code=PW_EAP_FAILURE;
}
-
+
} else {
// extended authentication
return 0;
- /*
+ /*
if(session->isSupportedExt)
{
-
+
if(recvPacket->data.EXT_Payload)
{
int sizePayloadOut=0;
int sizePayloadIn=recvPacket->length-27; // (27=5+16+4+1+1)
int resul;
- resul=pskExtension(conf,session,recvPacket->data.R,recvPacket->data.EXT_Payload,sizePayloadIn,&payloadOut,&sizePayloadOut);
-
+ resul=pskExtension(conf,session,recvPacket->data.R,recvPacket->data.EXT_Payload,sizePayloadIn,&payloadOut,&sizePayloadOut);
+
if(!resul || (sizePayloadOut<1) || (sizePayloadOut>EXT_PAYLOAD_MAX_LEN))
{
//the extension has failed
// the sentPacket must be a EAP_Failure packet
return 1;
}
-
+
if(recvPacket->data.R != CONT) {
// sentPacket must be an EAP_Success packet or an EAP_Failure packet thanks to the server policy and the received R flag
// indicate to the lower layer that the MSK and the EMSK are ready in case an EAP_Success packet must be sent
// the EAP-PSK authentication will end after sending sentPacket
return 1;
}
-
+
// add to sentPacket the following information:
// R = CONT or DONE_FAILURE or DONE_SUCCESS thanks to session->authStatus
// E = 1
// EXT_Type=session->extType
// EXT_payload=payloadOut
-
+
} else {
// the peer doesn't support the specified extension
// the EAP-PSK authentication will end after sending sentPacket
return 1;
}
-
+
// add to sentPacket the following information:
// R = DONE_FAILURE or DONE_SUCCESS thanks to the server policy
// E = 1
// EXT_Type=session->extType
}
-
+
} else {
-
+
if(recvPacket->data.R != CONT && recvPacket->data.EXT_Payload==NULL) {
// sentPacket must be an EAP_Success packet or an EAP_Failure packet thanks to the server policy and the received R flag
// indicate to the lower layer that the MSK and the EMSK are ready in case of an EAP_Success packet must be sent
// the sentPacket must be a EAP_Failure packet
return 1;
}
-
+
}
*/
-
+
session->pChannelReplayCounter++;
// use the EAX mode to encrypt the EXT_Payload and protect the EAP header
-
+
// !!!! NOT IMPLEMENTED !!!!
// only standard authentication supported
session->pChannelReplayCounter++;
-
+
}
-
+
// stay in this state
return 1;
-
-}
+
+}
int pskExtension(PSK_CONF *conf, PSK_SESSION *session, unsigned short receivedStatus, void *dataIn, int sizeDataIn, void **dataOut, int *sizeDataOut){
-
+
// this functionality makes it possible to do authorization, account refilling...
// this function must update the session->authStatus variable thanks to its policy, the received R flag, i.e. the receivedStatus variable, and the received data
-
+
// !!! Be careful !!!
// dataOut mustn't be NULL
-/**
+/**
*@memo this function frees the session data
*@param opaque, pointer to a structure which contains information session
*/
void pskFreeSession(void *opaque){
PSK_SESSION *session;
-
+
DEBUG2("pskFreeSession:");
-
+
if(!opaque) return;
-
+
session=(PSK_SESSION *)opaque;
if(!session) return;
-
+
if(session->id_p) {
free(session->id_p);
}
free(session);
-
+
opaque=NULL;
-
+
DEBUG2("pskFreeSession: finished");
}
*
* Implementation of the Server State Machine (SSM)
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
typedef enum {
INIT, // the server state machine starts in the INIT state
RANDSENT,
- PCHANNEL
+ PCHANNEL
}PSK_STATE;
}PSK_SESSION;
-/**
+/**
*@memo this function is the entry point of the server state machine
*@param conf, pointer to the current configuration of EAP-PSK
*@param session, pointer to a structure which contains information session
int pskProcess(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *recvPacket, EAP_PACKET *sentPacket);
-/**
+/**
*@memo this function corresponds to the first state of the server state machine
*@param conf, pointer to the current configuration of EAP-PSK
*@param session, pointer to a structure which contains information session
int pskInit(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *sentPacket);
-/**
+/**
*@memo this function corresponds to the second state of the server state machine
*@param conf, pointer to the current configuration of EAP-PSK
*@param session, pointer to a structure which contains information session
int pskRandSent(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *recvPacket, EAP_PACKET *sentPacket);
-/**
+/**
*@memo this function corresponds to the third state of the server state machine
*@param conf, pointer to the current configuration of EAP-PSK
*@param session, pointer to a structure which contains information session
*@param sentPacket, pointer to the EAP_PACKET to send
*@return 0 if no error has occured
*/
- int pskPChannel(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *recvPacket, EAP_PACKET *sentPacket);
+ int pskPChannel(PSK_CONF *conf, PSK_SESSION *session, EAP_PACKET *recvPacket, EAP_PACKET *sentPacket);
-/**
+/**
*@memo this function contains the extension to EAP-PSK
*@param conf, pointer to the current configuration of EAP-PSK
*@param session, pointer to a structure which contains information session
int pskExtension(PSK_CONF *conf, PSK_SESSION *session, unsigned short receivedStatus, void *dataIn, int sizeDataIn, void **dataOut, int *sizeDataOut);
-/**
+/**
*@memo this function frees an existing session from memory
*@param opaque, pointer to a structure which contains information session
*/
void pskFreeSession(void *opaque);
-
+
#if defined(__cplusplus)
/*
* rlm_eap_psk.cpp
*
- * Implementation of the interface between the radius server and
+ * Implementation of the interface between the radius server and
* the eap-psk protocol
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
};
-/**
+/**
*@memo this function add value pair to reply
*/
-static void addReply(VALUE_PAIR** vp,
+static void addReply(VALUE_PAIR** vp,
const char* name, unsigned char* value, int len)
{
VALUE_PAIR *reply_attr;
reply_attr = pairmake(name, "", T_OP_EQ);
if (!reply_attr) {
DEBUG("rlm_eap_psk: "
- "add_reply failed to create attribute %s: %s\n",
+ "add_reply failed to create attribute %s: %s\n",
name, librad_errstr);
return;
}
pskDetach(inst);
return -1;
}
-
+
*instance = inst;
return 0;
}
-/**
+/**
*@memo this function begins the conversation when the EAP-Identity response is received
* send an initial eap-psk request, ie IDREQ
*@param handler, pointer to specific information about the eap-psk protocol
// initializing session information
memset(session,0,sizeof(PSK_SESSION));
session->state=INIT;
-
+
handler->stage=AUTHENTICATE;
// initiate the eap-psk protocol
return pskProcess(conf,session,NULL,handler->eap_ds->request);
-
+
}
-/**
+/**
*@memo this function uses specific EAP-Type authentication mechanism to authenticate the user
* may be called many times
*@param handler, pointer to specific information about the eap-psk protocol
PSK_SESSION *session;
PSK_CONF *conf=(PSK_CONF*)arg;
int resul;
-
+
if(conf==NULL)
{
radlog(L_ERR,"rlm_eap_psk: Cannot authenticate without having EAP-PSK configuration");
return 0;
}
-
+
if(!handler->opaque) {
radlog(L_ERR,"rlm_eap_psk: Cannot authenticate without EAP-PSK session information");
return 0;
}
-
+
// find the session information
session=(PSK_SESSION *)handler->opaque;
resul=pskProcess(conf,session,handler->eap_ds->response,handler->eap_ds->request);
-
+
if(handler->eap_ds->request->code==PW_EAP_SUCCESS) {
// sending keys
addReply(&handler->request->reply->vps,"MS-MPPE-Recv-Key",session->msk,32);
addReply(&handler->request->reply->vps,"MS-MPPE-Send-Key",&session->msk[32],32);
}
-
+
return resul;
-
+
}
*
* Implementation of the user management
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
userinfo_t* pskGetUserInfo(char* path, char* peerID)
{
FILE* fp;
- char buff[1024]; //FIXME: give the buffer a proper size
+ char buff[1024]; //FIXME: give the buffer a proper size
//when we know more about ID length
userinfo_t* uinfo = NULL;
int found = 0;
radlog(L_ERR, "pskGetUserInfo: failed to open PSK users file");
return NULL;
}
-
- while (!found && fgets(buff, sizeof(buff), fp))
+
+ while (!found && fgets(buff, sizeof(buff), fp))
{
unsigned int i = 0;
// read this login name
while (! isspace(buff[i]))
i++;
-
+
// is it the one we looking for?
- if ((i != strlen(peerID))
+ if ((i != strlen(peerID))
|| (strncmp(peerID, buff, i) != 0))
continue;
else
found = 1;
-
- // skip spaces
+
+ // skip spaces
while (isspace(buff[i]))
i++;
-
+
// prepare to store user info
uinfo = (userinfo_t*) malloc(sizeof(userinfo_t));
if (uinfo == NULL)
return NULL;
}
- //get AK
+ //get AK
AK = strndup(buff + i, PSK_AK_STRLEN);
if (AK == NULL) {
radlog(L_ERR, "pskGetUserInfo: out of memory");
free(AK);
return NULL;
}
-
+
//get KDK
KDK = strndup(buff + i + PSK_AK_STRLEN, PSK_KDK_STRLEN);
if (KDK == NULL) {
}
//FIXME: shouldnt we check the key size?
/*
- else if (strlen(KDK) != 32) {
+ else if (strlen(KDK) != 32) {
log();
return NULL;
- }
+ }
*/
res=pskHex2Bin(KDK, &(uinfo->KDK),PSK_KDK_SIZE);
free(KDK);
return NULL;
}
-
+
free(AK);
free(KDK);
}
-
-
+
+
// if user was not found, NULL is returned
fclose(fp);
return uinfo;
*
* Implementation of the user management
*
- *
+ *
* Copyright (C) France Télécom R&D (DR&D/MAPS/NSS)
*
* This program is free software; you can redistribute it and/or
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
# usernames and keys are supposed to be on the same line, separated by
-# white spaces or tabs
+# white spaces or tabs
# reading stops after EOF or white line
#
* against the specified value and fail
* verification if they don't match.
*/
- if (conf->check_cert_issuer &&
+ if (conf->check_cert_issuer &&
(strcmp(issuer, conf->check_cert_issuer) != 0)) {
radlog(L_AUTH, "rlm_eap_tls: Certificate issuer (%s) does not match specified value (%s)!", issuer, conf->check_cert_issuer);
my_ok = 0;
*/
ctx_options |= SSL_OP_SINGLE_DH_USE;
- /*
+ /*
* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
* in Windows Vista client.
* http://www.openssl.org/~bodo/tls-cbc.txt
*/
if (conf->make_cert_command && (debug_flag >= 2)) {
struct stat buf;
-
+
if ((stat(conf->make_cert_command, &buf) == 0) &&
(stat(conf->certificate_file, &buf) < 0) &&
(errno == ENOENT) &&
DEBUG2(" rlm_eap_ttls: Tunneled attribute %d is too long (%d) to pack into a RADIUS attribute.", attr, length);
return 0;
}
-
+
if (length > data_left) {
DEBUG2(" rlm_eap_ttls: Tunneled attribute %d is longer than room left in the packet (%d > %d).", attr, length, data_left);
return 0;
DEBUG2(" rlm_eap_ttls: ERROR! Diameter attribute overflows packet!");
return 0;
}
-
+
/*
* Check again for equality, now that we're padded
* length to a multiple of 4 octets.
return NULL;
}
memcpy(&vp->vp_integer, data, vp->length);
-
+
/*
* Stored in host byte order: change it.
*/
vp->vp_integer = ntohl(vp->vp_integer);
break;
-
+
case PW_TYPE_IPADDR:
if (size != vp->length) {
DEBUG2(" rlm_eap_ttls: Invalid length attribute %d",
return NULL;
}
memcpy(&vp->vp_ipaddr, data, vp->length);
-
+
/*
* Stored in network byte order: don't change it.
*/
DEBUG2(" TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
rcode = RLM_MODULE_HANDLED;
t->authenticated = TRUE;
-
+
/*
* Delete MPPE keys & encryption policy. We don't
* want these here.
pairdelete(&reply->vps, ((311 << 16) | 8));
pairdelete(&reply->vps, ((311 << 16) | 16));
pairdelete(&reply->vps, ((311 << 16) | 17));
-
+
/*
* Use the tunneled reply, but not now.
*/
fake = (REQUEST *) request_data_get(handler->request,
handler->request->proxy,
REQUEST_DATA_EAP_MSCHAP_TUNNEL_CALLBACK);
-
+
/*
* Do the callback, if it exists, and if it was a success.
*/
if (debug_flag > 0) {
printf(" TTLS: Final reply from tunneled session code %d\n",
fake->reply->code);
-
+
for (vp = fake->reply->vps; vp != NULL; vp = vp->next) {
putchar('\t');vp_print(stdout, vp);putchar('\n');
}
eaptls_fail(handler->eap_ds, 0);
return 0;
break;
-
+
default: /* Don't Do Anything */
DEBUG2(" TTLS: Got reply %d",
request->proxy_reply->code);
break;
- }
+ }
}
request_free(&fake); /* robust if fake == NULL */
#ifndef NDEBUG
if (debug_flag > 0) {
printf(" TTLS: Got tunneled request\n");
-
+
for (vp = fake->packet->vps; vp != NULL; vp = vp->next) {
putchar('\t');vp_print(stdout, vp);putchar('\n');
}
REQUEST_DATA_EAP_TUNNEL_CALLBACK,
tunnel, free);
rad_assert(rcode == 0);
-
+
/*
* rlm_eap.c has taken care of associating
* the handler with the fake request.
case RLM_MODULE_REJECT:
rcode = PW_AUTHENTICATION_REJECT;
break;
-
+
case RLM_MODULE_HANDLED:
rcode = PW_ACCESS_CHALLENGE;
break;
-
+
case RLM_MODULE_OK:
rcode = PW_AUTHENTICATION_ACK;
break;
-
+
default:
rcode = PW_AUTHENTICATION_REJECT;
break;
AC_PROG_CC
AC_PROG_CPP
- dnl put configuration checks here.
+ dnl put configuration checks here.
dnl set $fail to what's missing, on fatal errors.
dnl use AC_MSG_WARN() on important messages.
AC_CHECK_LIB(c, printf,
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
*/
tmp = pairmake("Reply-Message", "Access denied (external check failed)", T_OP_SET);
pairadd(&request->reply->vps, tmp);
-
+
DEBUG2("Login incorrect (external check failed)");
request->reply->code = PW_AUTHENTICATION_REJECT;
{ NULL, -1, 0, NULL, NULL }
};
-/*
+/*
* Check if account has expired, and if user may login now.
- */
+ */
static int expiration_authorize(void *instance, REQUEST *request)
{
rlm_expiration_t *data = (rlm_expiration_t *)instance;
reply_pairs = reply_pairs;
now = (req) ? req->timestamp : time(NULL);
-
+
if (now <= ((time_t) check->vp_date))
return 0;
return +1;
char name[1024];
char value[1024];
VALUE_PAIR *vp;
-
+
snprintf(name, sizeof(name), "%%{%s}", check->name);
-
+
rcode = radius_xlat(value, sizeof(value), name, req, NULL);
vp = pairmake(check->name, value, T_OP_EQ);
not found. this version must use sync by default.
#endif
], [
- AC_DEFINE(NEED_GDBM_SYNC, yes, [do we need GDBM_SYNC])
+ AC_DEFINE(NEED_GDBM_SYNC, yes, [do we need GDBM_SYNC])
AC_MSG_RESULT(needs it.)
], [
AC_MSG_RESULT(SYNCs by default.)
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
* Find an entry with active == 0
* or an entry that has expired
*/
- if (entry.active == 0 || (entry.timestamp && ((entry.timeout &&
+ if (entry.active == 0 || (entry.timestamp && ((entry.timeout &&
request->timestamp >= (entry.timestamp + entry.timeout)) ||
(data->max_timeout && request->timestamp >= (entry.timestamp + data->max_timeout))))){
datum tmp;
free(key_datum.dptr);
entry.active = 1;
entry.timestamp = request->timestamp;
- if ((vp = pairfind(request->reply->vps, PW_SESSION_TIMEOUT)) != NULL)
+ if ((vp = pairfind(request->reply->vps, PW_SESSION_TIMEOUT)) != NULL)
entry.timeout = (time_t) vp->vp_integer;
else
entry.timeout = 0;
key_datum.dptr = (char *) &key;
key_datum.dsize = sizeof(ippool_key);
}
-
+
data_datum = gdbm_fetch(sessiondb, key_datum);
if (data_datum.dptr != NULL){
FR_SMART_CHECK_LIB(com_err, set_com_err_hook)
if test "x$ac_cv_lib_com_err_set_com_err_hook" != "xyes"; then
- AC_MSG_WARN([the comm_err library isn't found!])
+ AC_MSG_WARN([the comm_err library isn't found!])
fi
FR_SMART_CHECK_LIB(krb5, krb5_init_context)
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
-/*
+/*
* Copyright (C) 2002-2004 Novell, Inc.
*
* edir_ldapext.c LDAP extension for reading eDirectory universal password
- *
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of version 2 of the GNU General Public License as published
* by the Free Software Foundation.
* find current contact information at www.novell.com.
*
* Copyright 2006 The FreeRADIUS Server Project.
- */
+ */
#include <freeradius-devel/ident.h>
RCSID("$Id$")
/* OID of LDAP extension call to perform NMAS authentication */
#define RADAUTH_OID_NMAS_AUTH_REQUEST "2.16.840.1.113719.1.510.100.1"
#define RADAUTH_OID_NMAS_AUTH_REPLY "2.16.840.1.113719.1.510.100.2"
-
+
#define RADAUTH_LDAP_EXT_VERSION 1
-
+
#define REQUEST_CHALLENGED 1
err = 0;
}
- /*
- * Convert the BER we just built to a berval that we'll send with the extended request.
+ /*
+ * Convert the BER we just built to a berval that we'll send with the extended request.
*/
if(ber_flatten(requestBer, requestBV) == LBER_ERROR)
{
memcpy(retData, retOctStr, retOctStrLen);
}
else if (!err)
- {
+ {
err = NMAS_E_BUFFER_OVERFLOW;
}
/* Do we have a good returned berval? */
if(!replyBV)
{
- /*
+ /*
* No; returned berval means we experienced a rather drastic error.
* Return operations error.
*/
{
int err = 0, rc=0;
BerElement *requestBer = NULL;
-
+
char * utf8ObjPtr = NULL;
int utf8ObjSize = 0;
char * utf8PwdPtr = NULL;
char * utf8SeqPtr = NULL;
int utf8SeqSize = 0;
int state_present = 0;
-
+
utf8ObjSize = strlen(objectDN)+1;
utf8ObjPtr = objectDN;
-
+
utf8PwdSize = strlen(pwd);
utf8PwdPtr = pwd;
-
+
utf8SeqSize = strlen(sequence)+1;
utf8SeqPtr = sequence;
-
+
utf8NasIPSize = strlen(NasIP)+1;
utf8NasIPPtr = NasIP;
-
+
/* Allocate a BerElement for the request parameters.*/
if((requestBer = ber_alloc()) == NULL)
{
err = NMAS_E_FRAG_FAILURE;
goto Cleanup;
}
-
+
/* BER encode the NMAS Version, the objectDN, and the password */
rc = ber_printf(requestBer, "{ioooo", RADAUTH_LDAP_EXT_VERSION, utf8ObjPtr, utf8ObjSize, utf8PwdPtr, utf8PwdSize, utf8SeqPtr, utf8SeqSize, utf8NasIPPtr, utf8NasIPSize);
-
+
if( *auth_state == -2)
{
utf8StateSize = strlen(state)+1;
{
rc = ber_printf(requestBer, "i}", state_present);
}
-
+
if (rc < 0)
{
err = NMAS_E_FRAG_FAILURE;
err = NMAS_E_FRAG_FAILURE;
goto Cleanup;
}
-
+
Cleanup:
-
+
if(requestBer)
{
ber_free(requestBer, 1);
}
-
+
return err;
} /* End of berEncodeAuthData */
int rc=0, err = 0;
BerElement *replyBer = NULL;
struct berval challenge = {0};
-
+
if((replyBer = ber_init(replyBV)) == NULL)
{
err = NMAS_E_SYSTEM_RESOURCES; // fix err code
}
}
}
-
+
Cleanup:
if(replyBer)
{
ber_free(replyBer, 1);
}
-
+
return err;
}/* End of berDecodeLoginData */
-
+
/* -----------------------------------------------------------------------
* radLdapXtnNMASAuth()
* ==============================
)
{
int err = 0;
-
+
struct berval *requestBV = NULL;
char *replyOID = NULL;
struct berval *replyBV = NULL;
int errCode;
char *challenge;
size_t challengesize;
-
+
challengesize = *statesize;
challenge = (char *)malloc(challengesize+2);
if(challenge == NULL)
{
return NMAS_E_INSUFFICIENT_MEMORY;
}
-
+
/* Validate char parameters. */
if(objectDN == NULL || (strlen(objectDN) == 0) || statesize == NULL || NasIPaddr == NULL || ld == NULL)
{
return NMAS_E_INVALID_PARAMETER;
}
-
+
err = berEncodeAuthData(&requestBV, objectDN, pwd, sequence, NasIPaddr, state, auth_state);
-
+
if(err)
{
goto Cleanup;
}
-
+
/* Call the ldap_extended_operation (synchronously) */
if((err = ldap_extended_operation_s(ld, RADAUTH_OID_NMAS_AUTH_REQUEST, requestBV, NULL, NULL, &replyOID, &replyBV))!=0)
{
err = NMAS_E_NOT_SUPPORTED; // change error values
goto Cleanup;
}
-
+
/* Is this what we were expecting to get back. */
if(strcmp(replyOID, RADAUTH_OID_NMAS_AUTH_REPLY))
{
err = NMAS_E_NOT_SUPPORTED; // change return value
goto Cleanup;
}
-
+
/* Do we have a good returned berval? */
if(!replyBV)
{
goto Cleanup;
}
err = berDecodeAuthData(replyBV, &errCode, &challengesize, challenge, auth_state);
-
+
/* errCode return error in case of AUTH-REJECT */
if (!err && challengesize!= 0)
{
}
*statesize = challengesize; /* does not include null termination */
}
-
+
Cleanup:
/* Free memory allocated for challenge */
if(challenge)
{
free(challenge);
}
-
+
if(replyBV)
{
ber_bvfree(replyBV);
}
-
+
/* Free the return OID string if one was returned. */
if(replyOID)
{
ldap_memfree(replyOID);
}
-
+
/* Free memory allocated while building the request ber and berval. */
if(requestBV)
{
ber_bvfree(requestBV);
}
-
+
#ifdef NOT_N_PLAT_NLM
SetThreadGroupID(currentThreadGroupID);
#endif
-
+
/* Return the appropriate error/success code. */
return err;
}/* End of radLdapXtnNMASAuth */
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
#include <freeradius-devel/rad_assert.h>
-
+
#include <pwd.h>
#include <ctype.h>
#endif
#ifdef NOVELL
-
+
#define REQUEST_ACCEPTED 0
#define REQUEST_CHALLENGED 1
#define REQUEST_REJECTED 2
#define MAX_CHALLENGE_LEN 128
int radLdapXtnNMASAuth( LDAP *, char *, char *, char *, char *, size_t *, char *, int * );
-
+
#endif
/* linked list of mappings between RADIUS attributes and LDAP attributes */
/*
* ('eDir-APC', '1') in config items list
* Do not perform eDirectory account policy check (APC)
- *
+ *
* ('eDir-APC', '2') in config items list
* Perform eDirectory APC
*
operator = T_OP_INVALID; /* use defaults */
} else {
char *ptr;
-
+
ptr = opstring;
operator = gettoken(&ptr, buf, sizeof(buf));
if ((operator < T_OP_ADD) || (operator > T_OP_CMP_EQ)) {
char **passwd_vals;
char *value = NULL;
int i;
-
+
/*
* Read the password from the DB, and
* add it to the request.
passwd_vals[i] != NULL;
i++) {
int attr = PW_USER_PASSWORD;
-
+
if (strlen(passwd_vals[i]) == 0)
continue;
-
+
value = passwd_vals[i];
if (inst->auto_header) {
continue; /* paranoia */
memcpy(autobuf, value, p - value + 1);
autobuf[p - value + 1] = '\0';
-
+
attr = lrad_str2int(header_names,
autobuf, 0);
if (!attr) continue;
}
}
if (!value) continue;
-
+
create_attr:
passwd_item = radius_paircreate(request,
&request->config_items,
res = 0;
if ((passwd_item = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD)) == NULL){
-
+
universal_password = rad_malloc(universal_password_len);
memset(universal_password, 0, universal_password_len);
memset(universal_password, 0, universal_password_len);
free(universal_password);
}
- }
+ }
#endif
}
DEBUG("rlm_ldap: Attribute for user FDN not found in dictionary. Unable to proceed");
return RLM_MODULE_FAIL;
}
-
+
vp_fdn = pairfind(request->packet->vps, da->attr);
if (vp_fdn == NULL) {
DEBUG("rlm_ldap: User's FQDN not in config items list.");
return RLM_MODULE_FAIL;
}
-
+
if ((conn_id = ldap_get_conn(inst->apc_conns, &conn, inst)) == -1){
radlog(L_ERR, "rlm_ldap: All ldap connections are in use");
return RLM_MODULE_FAIL;
}
if ((conn->ld = ldap_connect(instance, (char *)vp_fdn->vp_strvalue, password, 0, &res, &error_msg)) == NULL) {
radlog(L_ERR, "rlm_ldap: eDirectory account policy check failed.");
-
+
if (error_msg != NULL) {
DEBUG("rlm_ldap: %s", error_msg);
pairadd(&request->reply->vps, pairmake("Reply-Message", error_msg, T_OP_EQ));
ldap_memfree((void *)error_msg);
}
-
+
vp_apc->vp_strvalue[0] = '3';
ldap_release_conn(conn_id, inst->apc_conns);
return RLM_MODULE_REJECT;
"LDAP_OPT_X_TLS_CACERTFILE option to %s", inst->tls_cacertfile);
}
}
-
+
if (inst->tls_cacertdir != NULL) {
DEBUG("rlm_ldap: setting TLS CACert Directory to %s", inst->tls_cacertdir);
-
+
if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTDIR,
(void *) inst->tls_cacertdir )
!= LDAP_OPT_SUCCESS) {
inst->tls_certfile);
}
}
-
+
if (inst->tls_keyfile != NULL) {
DEBUG("rlm_ldap: setting TLS Key File to %s",
inst->tls_keyfile);
-
+
if ( ldap_set_option( NULL, LDAP_OPT_X_TLS_KEYFILE,
(void *) inst->tls_keyfile )
!= LDAP_OPT_SUCCESS) {
inst->tls_keyfile);
}
}
-
+
if (inst->tls_randfile != NULL) {
DEBUG("rlm_ldap: setting TLS Key File to %s",
inst->tls_randfile);
-
+
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
(void *) inst->tls_randfile)
!= LDAP_OPT_SUCCESS) {
if (inst->conns) {
int i;
-
+
for (i = 0;i < inst->num_conns; i++) {
if (inst->conns[i].ld){
ldap_unbind_s(inst->conns[i].ld);
}
#ifdef NOVELL
- if (inst->apc_conns){
+ if (inst->apc_conns){
int i;
for (i = 0; i < inst->num_conns; i++) {
{
rlm_linelog_t *inst = instance;
-
+
free(inst);
return 0;
}
radius_xlat(line, sizeof(line) - 1, inst->line, request,
linelog_escape_func);
strcat(line, "\n");
-
+
write(fd, line, strlen(line));
close(fd);
* be used as the instance handle.
*/
typedef struct rlm_logintime_t {
- char *msg; /* The Reply-Message passed back to the user
+ char *msg; /* The Reply-Message passed back to the user
* if the account is outside allowed timestamp */
int min_time;
} rlm_logintime_t;
* buffer over-flows.
*/
static const CONF_PARSER module_config[] = {
- { "reply-message", PW_TYPE_STRING_PTR, offsetof(rlm_logintime_t,msg), NULL,
+ { "reply-message", PW_TYPE_STRING_PTR, offsetof(rlm_logintime_t,msg), NULL,
"You are calling outside your allowed timespan\r\n"},
{ "minimum-timeout", PW_TYPE_INTEGER, offsetof(rlm_logintime_t,min_time), NULL, "60" },
{ NULL, -1, 0, NULL, NULL }
REQUEST *req,
VALUE_PAIR *request, VALUE_PAIR *check,
VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
-{
+{
instance = instance;
request = request; /* shut the compiler up */
check_pairs = check_pairs;
reply_pairs = reply_pairs;
-
+
/*
- * If there's a request, use that timestamp.
+ * If there's a request, use that timestamp.
*/
if (timestr_match((char *)check->vp_strvalue,
req ? req->timestamp : time(NULL)) >= 0)
* Must be called with a request pointer.
*/
if (!req) return -1;
-
+
if (strspn(check->vp_strvalue, "0123456789: ") != strlen(check->vp_strvalue)) {
DEBUG("rlm_logintime: Bad Time-Of-Day value \"%s\"",
check->vp_strvalue);
fprintf(stderr, "returning %d - %d\n",
hhmmss, when);
-
+
return hhmmss - when;
}
-/*
+/*
* Check if account has expired, and if user may login now.
- */
+ */
static int logintime_authorize(void *instance, REQUEST *request)
{
rlm_logintime_t *data = (rlm_logintime_t *)instance;
int r;
if ((check_item = pairfind(request->config_items, PW_LOGIN_TIME)) != NULL) {
-
+
/*
* Authentication is OK. Now see if this
* user may login at this time of the day.
/*
* User called outside allowed time interval.
*/
-
+
DEBUG("rlm_logintime: timestr returned reject");
if (data->msg && data->msg[0]){
char msg[MAX_STRING_LEN];
DEBUG2(" rlm_mschap: Invalid MS-CHAP challenge length");
return 0;
}
-
+
/*
* Get the MS-CHAPv1 response, or the MS-CHAPv2
* response.
*/
data = response->vp_octets + 26;
data_len = 24;
-
+
/*
* LM-Response is deprecated, and exists only
* in MS-CHAPv1, and not often there.
DEBUG2(" rlm_mschap: No User-Name was found in the request.");
return 0;
}
-
+
/*
* First check to see if this is a host/ style User-Name
* (a la Kerberos host principal)
DEBUG2(" rlm_mschap: No User-Name was found in the request.");
return 0;
}
-
+
/*
* First check to see if this is a host/ style User-Name
* (a la Kerberos host principal)
p = fmt + 8; /* 7 is the length of 'LM-Hash' */
if ((p == '\0') || (outlen <= 32))
return 0;
-
+
DEBUG("rlm_mschap: LM-Hash: %s",p);
smbdes_lmpwdhash(p,buffer);
lrad_bin2hex(buffer, out, 16);
}
/*
- *
+ *
*/
for (i = 0; i < data_len; i++) {
sprintf(out + (2 * i), "%02x", data[i]);
}
out[data_len * 2] = '\0';
-
+
return data_len * 2;
}
DEBUG2(" rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.");
return -1;
}
-
+
smbdes_mschap(password->vp_strvalue, challenge, calculated);
if (memcmp(response, calculated, 24) != 0) {
return -1;
}
-
+
/*
* If the password exists, and is an NT-Password,
* then calculate the hash of the NT hash. Doing this
memset(nthashhash, 0, 16);
/*
- * Run the program, and expect that we get 16
+ * Run the program, and expect that we get 16
*/
result = radius_exec_program(inst->ntlm_auth, request,
TRUE, /* wait */
challenge->vp_octets, /* our challenge */
username_string, /* user name */
mschapv1_challenge); /* resulting challenge */
-
+
DEBUG2(" rlm_mschap: Told to do MS-CHAPv2 for %s with NT-Password",
username_string);
mppe_chap2_gen_keys128(nthashhash,
response->vp_octets + 26,
mppe_sendkey, mppe_recvkey);
-
+
mppe_add_reply(&request->reply->vps,
"MS-MPPE-Recv-Key",
mppe_recvkey, 16);
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
+
Copyright 2006 The FreeRADIUS server project
*/
}
sa.sun_family = AF_UNIX;
(void) strcpy(sa.sun_path, path);
-
+
/* connect to otpd */
if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) {
(void) radlog(L_ERR, "rlm_otp: %s: socket: %s", __func__, strerror(errno));
[ pam_ldflags="-ldl" ]
)
- AC_CHECK_LIB(pam, pam_start,
+ AC_CHECK_LIB(pam, pam_start,
[ pam_ldflags="-lpam $pam_ldflags" ],
[ fail=$fail" libpam" ],
[ $pam_ldflags ]
)
-dnl #
+dnl #
dnl # Yes, these DO have to be on seperate lines,
dnl # otherwise autoheader won't pick them up.
-dnl #
+dnl #
AC_CHECK_HEADERS( \
security/pam_appl.h \
pam/pam_appl.h \
)
pam_cflags="-I."
-
+
targetname=modname
else
targetname=
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
RLM_MODULE_INIT,
"pam",
RLM_TYPE_THREAD_UNSAFE, /* The PAM libraries are not thread-safe */
- pam_instantiate, /* instantiation */
+ pam_instantiate, /* instantiation */
pam_detach, /* detach */
{
pam_auth, /* authenticate */
x = (x << 6) + (unsigned int)(src[i] - 'A' + 0);
else if (src[i] >= 'a' && src[i] <= 'z')
x = (x << 6) + (unsigned int)(src[i] - 'a' + 26);
- else if(src[i] >= '0' && src[i] <= '9')
+ else if(src[i] >= '0' && src[i] <= '9')
x = (x << 6) + (unsigned int)(src[i] - '0' + 52);
else if(src[i] == '+')
x = (x << 6) + 62;
x = (x << 6);
else return 0;
}
-
+
dst[2] = (unsigned char)(x & 255); x >>= 8;
dst[1] = (unsigned char)(x & 255); x >>= 8;
dst[0] = (unsigned char)(x & 255); x >>= 8;
-
+
return 1;
}
while (src[length + equals] == '=') equals++;
num = (length + equals) / 4;
-
+
for (i = 0; i < num - 1; i++) {
if (!decode_it(src, dst)) return 0;
src += 4;
{
int decoded;
char buffer[64];
-
+
if ((size_t) min_length >= sizeof(buffer)) return; /* paranoia */
/*
uint8_t *p, *q;
char buffer[64];
VALUE_PAIR *new_vp;
-
+
found_pw = TRUE;
q = vp->vp_strvalue;
p = strchr(q + 1, '}');
*/
break;
}
-
+
if ((size_t) (p - q) > sizeof(buffer)) break;
-
+
memcpy(buffer, q, p - q + 1);
buffer[p - q + 1] = '\0';
-
+
attr = lrad_str2int(header_names, buffer, 0);
if (!attr) {
DEBUG2("rlm_pap: Found unknown header {%s}: Not doing anything", buffer);
break;
}
-
+
new_vp = radius_paircreate(request,
&request->config_items,
attr, PW_TYPE_STRING);
default:
break; /* ignore it */
-
+
}
}
* The TLS types don't need passwords.
*/
vp = pairfind(request->packet->vps, PW_EAP_TYPE);
- if (vp &&
+ if (vp &&
((vp->vp_integer == 13) || /* EAP-TLS */
(vp->vp_integer == 21) || /* EAP-TTLS */
(vp->vp_integer == 25))) { /* PEAP */
if (auth_type) {
DEBUG2("rlm_pap: Found existing Auth-Type, not changing it.");
return RLM_MODULE_NOOP;
- }
+ }
/*
* Can't do PAP if there's no password.
case PW_USER_PASSWORD: /* deprecated */
case PW_CLEARTEXT_PASSWORD: /* preferred */
goto do_clear;
-
+
case PW_CRYPT_PASSWORD:
goto do_crypt;
-
+
case PW_MD5_PASSWORD:
goto do_md5;
-
+
case PW_SHA_PASSWORD:
goto do_sha;
-
+
case PW_NT_PASSWORD:
goto do_nt;
default:
break; /* ignore it */
-
+
}
}
} else {
vp = NULL;
-
+
if (inst->sch == PAP_ENC_CRYPT) {
vp = pairfind(request->config_items, PW_CRYPT_PASSWORD);
}
DEBUG("rlm_pap: User authenticated successfully");
return RLM_MODULE_OK;
break;
-
+
case PAP_ENC_CRYPT:
do_crypt:
DEBUG("rlm_pap: Using CRYPT encryption.");
}
goto done;
break;
-
+
case PW_MD5_PASSWORD:
do_md5:
DEBUG("rlm_pap: Using MD5 encryption.");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured MD5 password has incorrect length");
goto make_msg;
}
-
+
MD5Init(&md5_context);
MD5Update(&md5_context, request->password->vp_strvalue,
request->password->length);
}
goto done;
break;
-
+
case PW_SMD5_PASSWORD:
do_smd5:
DEBUG("rlm_pap: Using SMD5 encryption.");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SMD5 password has incorrect length");
goto make_msg;
}
-
+
MD5Init(&md5_context);
MD5Update(&md5_context, request->password->vp_strvalue,
request->password->length);
}
goto done;
break;
-
+
case PW_SHA_PASSWORD:
do_sha:
DEBUG("rlm_pap: Using SHA1 encryption.");
-
+
normify(vp, 20);
if (vp->length != 20) {
DEBUG("rlm_pap: Configured SHA1 password has incorrect length");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured SHA1 password has incorrect length");
goto make_msg;
}
-
+
SHA1Init(&sha1_context);
SHA1Update(&sha1_context, request->password->vp_strvalue,
request->password->length);
}
goto done;
break;
-
+
case PW_SSHA_PASSWORD:
do_ssha:
DEBUG("rlm_pap: Using SSHA encryption.");
-
+
normify(vp, 20);
if (vp->length <= 20) {
DEBUG("rlm_pap: Configured SSHA password has incorrect length");
goto make_msg;
}
-
+
SHA1Init(&sha1_context);
SHA1Update(&sha1_context, request->password->vp_strvalue,
request->password->length);
}
goto done;
break;
-
+
case PW_NT_PASSWORD:
do_nt:
DEBUG("rlm_pap: Using NT encryption.");
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: Configured NT-Password has incorrect length");
goto make_msg;
}
-
+
sprintf(buff2,"%%{mschap:NT-Hash %s}",
request->password->vp_strvalue);
if (!radius_xlat(digest,sizeof(digest),buff2,request,NULL)){
}
goto done;
break;
-
+
case PW_LM_PASSWORD:
do_lm:
DEBUG("rlm_pap: Using LM encryption.");
-
+
normify(vp, 16);
if (vp->length != 16) {
DEBUG("rlm_pap: Configured LM-Password has incorrect length");
AC_PROG_CC
AC_PROG_CPP
- dnl put configuration checks here.
+ dnl put configuration checks here.
dnl set $fail to what's missing, on fatal errors.
dnl use AC_MSG_WARN() on important messages.
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
perl_cflags=""
perl_ldflags=""
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
-#
+#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
-#
+#
# Copyright 2002 The FreeRADIUS server project
# Copyright 2002 Boian Jordanov <bjordanov@orbitel.bg>
-#
+#
#
# Example code for use with rlm_perl
#my %RAD_CHECK;
#
-# This the remapping of return values
+# This the remapping of return values
#
use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */
use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */
sub preacct {
# For debugging purposes only
# &log_request_attributes;
-
+
return RLM_MODULE_OK;
}
# For debugging purposes only
# &log_request_attributes;
- # You can call another subroutine from here
+ # You can call another subroutine from here
&test_call;
-
+
return RLM_MODULE_OK;
}
#
sub test_call {
- # Some code goes here
+ # Some code goes here
}
sub log_request_attributes {
#ifdef USE_ITHREADS
inst->perl = interp;
-
+
if ((inst->perl = perl_alloc()) == NULL) {
radlog(L_DBG, "rlm_perl: No memory for allocating new perl !");
return (-1);
}
-
+
perl_construct(inst->perl);
PL_perl_destruct_level = 2;
perl_store_vps(request->config_items, rad_check_hv);
perl_store_vps(request->packet->vps, rad_request_hv);
perl_store_vps(request->config_items, rad_config_hv);
-
+
if (request->proxy != NULL) {
perl_store_vps(request->proxy->vps, rad_request_proxy_hv);
} else {
perl_store_vps(request->proxy_reply->vps, rad_request_proxy_reply_hv);
} else {
hv_undef(rad_request_proxy_reply_hv);
- }
-
+ }
+
PUSHMARK(SP);
/*
* This way %RAD_xx can be pushed onto stack as sub parameters.
exitstatus = RLM_MODULE_FAIL;
}
}
-
+
PUTBACK;
FREETMPS;
LEAVE;
-
+
vp = NULL;
if ((get_hv_content(rad_request_hv, &vp)) > 0 ) {
pairfree(&request->packet->vps);
request->config_items = vp;
vp = NULL;
}
-
+
if (request->proxy &&
(get_hv_content(rad_request_proxy_hv, &vp) > 0)) {
pairfree(&request->proxy->vps);
printf("[NULL]\n");
return;
}
-
+
while (item) {
switch (item->type) {
case POLICY_TYPE_BAD:
if (indent) printf("%*s", indent, " ");
printf("[BAD STATEMENT]");
break;
-
+
case POLICY_TYPE_PRINT:
if (indent) printf("%*s", indent, " ");
{
const policy_print_t *this;
this = (const policy_print_t *) item;
-
+
if (this->rhs_type == POLICY_LEX_BARE_WORD) {
printf("print %s\n", this->rhs);
} else {
}
}
break;
-
+
case POLICY_TYPE_ASSIGNMENT:
{
const policy_assignment_t *assign;
-
+
assign = (const policy_assignment_t *) item;
if (indent) printf("%*s", indent, " ");
printf("\"%s\"", condition->rhs);
}
printf(")");
-
+
if ((condition->child_condition != POLICY_LEX_BAD) &&
(condition->child_condition != POLICY_LEX_BARE_WORD)) {
printf(" %s ", lrad_int2str(rlm_policy_tokens, condition->child_condition, "?"));
if (indent) printf("%*s", indent, " ");
printf("[HUH?]\n");
break;
-
+
}
item = item->next;
}
}
}
-
+
switch (this->compare) {
case POLICY_LEX_L_BRACKET: /* nested brackets are a special case */
rcode = evaluate_condition(state, this->child);
compare = radius_callback_compare(state->request,
vp, myvp, NULL, NULL);
pairfree(&myvp);
-
+
} else {
/*
* FIXME: Do something for RHS type?
}
debug_evaluate("CONDITION COMPARE %d\n", compare);
-
+
switch (this->compare) {
case POLICY_LEX_CMP_EQUALS:
rcode = (compare == 0);
break;
-
+
case POLICY_LEX_CMP_NOT_EQUALS:
rcode = (compare != 0);
break;
-
+
case POLICY_LEX_LT:
rcode = (compare < 0);
break;
-
+
case POLICY_LEX_GT:
rcode = (compare > 0);
break;
-
+
case POLICY_LEX_LE:
rcode =(compare <= 0);
break;
-
+
case POLICY_LEX_GE:
rcode = (compare >= 0);
break;
-
+
#ifdef HAVE_REGEX_H
case POLICY_LEX_RX_EQUALS:
{ /* FIXME: copied from src/main/valuepair.c */
int i;
regmatch_t rxmatch[REQUEST_MAX_REGEX + 1];
-
+
/*
* Include substring matches.
*/
rxmatch, 0);
rcode = (rcode == 0);
regfree(®);
-
+
/*
* Add %{0}, %{1}, etc.
*/
for (i = 0; i <= REQUEST_MAX_REGEX; i++) {
char *p;
char rxbuffer[256];
-
+
/*
* Didn't match: delete old
* match, if it existed.
free(p);
continue;
}
-
+
/*
* No previous match
* to delete, stop.
*/
break;
}
-
+
/*
* Copy substring into buffer.
*/
data + rxmatch[i].rm_so,
rxmatch[i].rm_eo - rxmatch[i].rm_so);
rxbuffer[rxmatch[i].rm_eo - rxmatch[i].rm_so] = '\0';
-
+
/*
* Copy substring, and add it to
* the request.
REQUEST_DATA_REGEX | i,
p, free);
}
-
+
}
break;
-
+
case POLICY_LEX_RX_NOT_EQUALS:
regcomp(®, this->rhs, REG_EXTENDED|REG_NOSUB);
rad_assert(data != NULL);
case POLICY_LEX_SET_EQUALS:
operator = T_OP_SET;
break;
-
+
case POLICY_LEX_PLUS_EQUALS:
operator = T_OP_ADD;
break;
-
+
default:
fprintf(stderr, "Expected '=' for operator, not '%s' at line %d\n",
lrad_int2str(rlm_policy_tokens,
assign->item.lineno);
return NULL;
}
-
+
vp = pairmake(assign->lhs, value, operator);
if (!vp) {
fprintf(stderr, "SHIT: %s %s\n", value, librad_errstr);
policy = rlm_policy_find(state->inst->policies, this->name);
if (!policy) return 0; /* not found... */
-
+
DEBUG2("rlm_policy: Evaluating policy %s", this->name);
-
+
rad_assert(policy->policy->type != POLICY_TYPE_BAD);
rad_assert(policy->policy->type < POLICY_TYPE_NUM_TYPES);
this = (const policy_return_t *) item;
state->rcode = this->rcode;
-
+
return 1; /* we succeeded */
}
DEBUG2("rlm_policy: begin nested call");
state->rcode = modcall(this->component, this->mc, state->request);
DEBUG2("rlm_policy: end nested call");
-
+
return 1; /* we succeeded */
}
int rcode;
const policy_item_t *this;
policy_named_t mypolicy, *policy;
-
+
mypolicy.name = name;
policy = rbtree_finddata(state->inst->policies, &mypolicy);
if (!policy) return RLM_MODULE_FAIL;
-
+
DEBUG2("rlm_policy: Evaluating policy %s", name);
-
+
rad_assert(policy->item.type != POLICY_TYPE_BAD);
rad_assert(policy->item.type < POLICY_TYPE_NUM_TYPES);
-
+
rcode = policy_stack_push(state, policy->policy);
if (!rcode) {
return RLM_MODULE_FAIL;
rad_assert(this != NULL);
rad_assert(this->type != POLICY_TYPE_BAD);
rad_assert(this->type < POLICY_TYPE_NUM_TYPES);
-
+
debug_evaluate("Evaluating at line %d\n",
this->lineno);
rcode = (*evaluate_functions[this->type])(state,
rad_assert(input != NULL);
if (buffer) *buffer = '\0';
-
+
switch (*input) {
case '\0':
*token = POLICY_LEX_EOL;
return NULL; /* nothing more to do */
-
+
case ' ':
case '\t':
case '\r':
while ((*input == ' ') || (*input == '\t') ||
(*input == '\r') || (*input == '\n')) input++;
return input; /* point to next non-whitespace character */
-
+
case '#': /* ignore everything to the end of the line */
*token = POLICY_LEX_EOL;
return NULL;
case '(':
*token = POLICY_LEX_L_BRACKET;
return input + 1;
-
+
case ')':
*token = POLICY_LEX_R_BRACKET;
return input + 1;
-
+
case '{':
*token = POLICY_LEX_LC_BRACKET;
return input + 1;
-
+
case '}':
*token = POLICY_LEX_RC_BRACKET;
return input + 1;
-
+
case ',':
*token = POLICY_LEX_COMMA;
return input + 1;
*token = POLICY_LEX_AND;
}
return input + 1;
-
+
case '|':
switch (input[1]) {
case '|':
*token = POLICY_LEX_OR;
}
return input + 1;
-
+
case '!':
switch (input[1]) {
case '=':
*token = POLICY_LEX_L_NOT;
}
return input + 1;
-
+
case '=':
switch (input[1]) {
case '=':
*token = POLICY_LEX_ASSIGN;
}
return input + 1;
-
+
case '<':
if (input[1] == '=') {
input++;
*token = POLICY_LEX_LT;
}
return input + 1;
-
+
case '>':
if (input[1] == '=') {
input++;
*token = POLICY_LEX_BAD;
return input + 1;
}
-
+
input++;
while (*input != '"') {
/*
*/
*(buffer++) = *(input++);
buflen--;
-
+
/*
* FIXME: Print more warnings?
*/
}
}
*buffer = '\0';
-
+
*token = POLICY_LEX_DOUBLE_QUOTED_STRING;
return input + 1; /* skip trailing '"' */
*token = POLICY_LEX_BAD;
return input + 1;
}
-
+
/*
* Getting one character is stupid.
*/
*token = POLICY_LEX_BAD;
return input + 1;
}
-
+
/*
* Bare words are [-a-zA-Z0-9.]+
*/
}
*(buffer++) = *(input++);
buflen--;
-
+
/*
* FIXME: Print more warnings?
*/
}
}
*buffer = '\0';
-
+
*token = POLICY_LEX_BARE_WORD;
return input;
}
lexer->parse = fgets(lexer->buffer,
sizeof(lexer->buffer),
lexer->fp);
-
+
if (!lexer->parse) {
return POLICY_LEX_EOF;
}
this->rhs = strdup(mystring);
*tail = (policy_item_t *) this;
-
+
return 1;
}
rlm_policy_free_item((policy_item_t *) this);
return 0;
}
-
+
this->compare = POLICY_LEX_L_BRACKET;
this->child_condition = POLICY_LEX_L_BRACKET;
rcode = parse_condition(lexer, &(this->child));
lhs);
rlm_policy_free_item((policy_item_t *) this);
return 0;
-
+
}
-
+
/*
* this->lhs set up below, after "check"
*/
lrad_int2str(rlm_policy_tokens, token, "?"));
return 0;
}
-
+
token = policy_lex_file(lexer, 0, NULL, 0);
if (token != POLICY_LEX_R_BRACKET) {
fprintf(stderr, "%s[%d]: Expected right bracket, got \"%s\"\n",
}
*tail = (policy_item_t *) this;
-
+
return 1;
}
policy_lex_t token;
policy_attributes_t *this;
char buffer[32];
-
+
token = policy_lex_file(lexer, 0, buffer, sizeof(buffer));
switch (token) {
case POLICY_LEX_ASSIGN:
lrad_int2str(rlm_policy_tokens, token, "?"));
return 0; /* unknown */
}
-
+
this = rad_malloc(sizeof(*this));
memset(this, 0, sizeof(*this));
snprintf(buffer, sizeof(buffer), "%s/%s",
radius_dir, filename);
}
-
+
/*
* Include section calling a module.
*/
}
return 0;
break;
-
+
case POLICY_RESERVED_CONTROL:
case POLICY_RESERVED_REQUEST:
case POLICY_RESERVED_REPLY:
return 1;
return 0;
break;
-
+
case POLICY_RESERVED_PRINT:
if (parse_print(lexer, tail)) {
return 1;
}
return 0;
break;
-
+
case POLICY_RESERVED_RETURN:
if (parse_return(lexer, tail)) {
return 1;
}
return 0;
break;
-
+
case POLICY_RESERVED_MODULE:
if (parse_module(lexer, tail)) {
return 1;
{
const DICT_ATTR *dattr;
-
+
/*
* Bare words MUST be dictionary attributes
*/
-
+
dattr = dict_attrbyname(lhs);
if (!dattr) {
fprintf(stderr, "%s[%d]: Expected attribute name, got \"%s\"\n",
lhs);
}
break;
-
+
default:
fprintf(stderr, "%s[%d]: Unexpected reserved word \"%s\"\n",
lexer->filename, lexer->lineno, lhs);
return 0;
} /* switch over reserved words */
break;
-
+
/*
* Return from nested blocks.
*/
if (p) {
strlcpy(p + 1, filename, sizeof(buffer) - 1 - (p - buffer));
-#ifdef HAVE_DIRENT_H
+#ifdef HAVE_DIRENT_H
p = strrchr(p + 1, '/');
if (p && !p[1]) {
DIR *dir;
struct dirent *dp;
-
+
p++;
dir = opendir(buffer);
buffer, strerror(errno));
return 0;
}
-
+
/*
* Read the directory, ignoring "." files.
*/
snprintf(buffer, sizeof(buffer), "%s/%s",
radius_dir, filename);
}
-
+
/*
* Handle one include file.
*/
return 0;
}
break;
-
+
case POLICY_RESERVED_INCLUDE:
if (!parse_include(lexer)) {
return 0;
}
break;
-
+
case POLICY_RESERVED_DEBUG:
if (!parse_debug(lexer)) {
return 0;
}
break;
-
+
default:
fprintf(stderr, "%s[%d]: Unexpected word \"%s\"\n",
lexer->filename, lexer->lineno,
default:
case POLICY_TYPE_BAD:
break;
-
+
case POLICY_TYPE_ASSIGNMENT:
{
policy_assignment_t *this;
-
+
this = (policy_assignment_t *) item;
if (this->lhs) free(this->lhs);
if (this->rhs) free(this->rhs);
}
break;
-
+
case POLICY_TYPE_CONDITIONAL:
{
policy_condition_t *this;
-
+
this = (policy_condition_t *) item;
if (this->lhs) free(this->lhs);
if (this->rhs) free(this->rhs);
}
}
break;
-
+
case POLICY_TYPE_IF:
{
policy_if_t *this;
-
+
this = (policy_if_t *) item;
if (this->condition) {
rlm_policy_free_item(this->condition);
case POLICY_TYPE_ATTRIBUTE_LIST:
{
policy_attributes_t *this;
-
+
this = (policy_attributes_t *) item;
rlm_policy_free_item(this->attributes);
}
case POLICY_TYPE_NAMED_POLICY:
{
policy_named_t *this;
-
+
this = (policy_named_t *) item;
rad_assert(this->name != NULL);
free(this->name);
case POLICY_TYPE_CALL:
{
policy_call_t *this;
-
+
this = (policy_call_t *) item;
if (this->name) free(this->name);
}
break;
-
+
case POLICY_TYPE_RETURN:
break; /* do nothing */
case POLICY_TYPE_MODULE:
{
policy_module_t *this;
-
+
this = (policy_module_t *) item;
if (this->cs) cf_section_free(&this->cs);
if (this->mc) modcallable_free(&this->mc);
}
/* globally exported name */
-module_t rlm_preprocess = {
+module_t rlm_preprocess = {
RLM_MODULE_INIT,
"preprocess",
0, /* type: reserved */
{ "key", PW_TYPE_STRING_PTR,
offsetof(rlm_protocol_filter_t,key), NULL, "%{Realm:-DEFAULT}"},
-
+
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
CONF_PAIR *cp;
const char *value;
char keybuf[256];
-
+
DEBUG2(" rlm_protocol_filter: Found subsection %s", name);
-
+
cp = cf_pair_find(cs, "key");
if (!cp) {
radlog(L_ERR, "rlm_protocol_filter: %s[%d]: No key defined in subsection %s",
inst->filename, cf_section_lineno(cs), name);
return RLM_MODULE_FAIL;
}
-
+
radius_xlat(keybuf, sizeof(keybuf),
cf_pair_value(cp), request, NULL);
if (!*keybuf) {
DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, using key %s",
inst->filename, cf_section_lineno(cs), name, keybuf);
-
+
/*
* And repeat some of the above code.
*/
inst->filename, cf_section_lineno(cs), name);
return RLM_MODULE_NOOP;
}
-
+
value = cf_pair_value(cp);
sense = str2sense(value);
if (sense < 0) {
inst->filename, cf_pair_lineno(cp), value);
return RLM_MODULE_FAIL;
}
-
+
if (!sense) return RLM_MODULE_REJECT;
return RLM_MODULE_OK;
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
} else if (request->packet->src_ipaddr.ipaddr.ip4addr.s_addr == nas_address) { /* might be a client, might not be. */
RADCLIENT *cl;
-
+
/*
* Hack like 'client_name()', but with sane
* fall-back.
static int cache_reset(rlm_radutmp_t *inst, radutmp_cache_t *cache)
{
NAS_PORT *this, *next;
-
+
/*
* Cache is already reset, do nothing.
*/
rbtree_free(inst->user_tree);
rbtree_free(cache->nas_ports);
-
+
for (this = cache->free_offsets;
this != NULL;
this = next) {
radlog(L_ERR, "rlm_radutmp: No memory");
return 0;
}
-
+
cache->max_offset = 0;
-
+
cache->cached_file = 1;
if (inst->case_sensitive) {
if (read(walk->fd, &utmp, sizeof(utmp)) != sizeof(utmp)) {
rad_assert(0 == 1);
}
-
+
/*
* If the entry in the file is NEWER than the reboot
* packet, don't re-write it, and don't delete it.
radlog(L_ERR, "rlm_radutmp: Out of memory");
return 0;
}
-
+
pthread_mutex_lock(&cache->mutex);
/*
*/
if (rbtree_num_elements(cache->nas_ports) == 0) {
NAS_PORT *this, *next; /* too many copies of code */
-
+
for (this = inst->cache.free_offsets;
this != NULL;
this = next) {
next = this->next;
free(this);
}
-
+
truncate(cache->filename, 0);
rad_assert(rbtree_num_elements(inst->user_tree) == 0);
}
pthread_mutex_unlock(&cache->mutex);
-
+
return 1;
}
}
/*
- * It's a login record,
+ * It's a login record,
*/
nas_port->nas_address = utmp.nas_address;
nas_port->nas_port = utmp.nas_port;
}
continue;
}
-
+
/*
* We've read a partial record. WTF?
*/
if (errno == ENOENT) {
DEBUG2(" rlm_radutmp: File %s doesn't exist, creating it.", cache->filename);
if (!cache_reset(inst, cache)) return RLM_MODULE_FAIL;
-
+
/*
* Try to create the file.
*/
strlcpy(user->login, utmp.login,
sizeof(user->login));
user->simul_count = 1;
-
+
if (!rbtree_insert(inst->user_tree, user)) {
rad_assert(0 == 1);
}
pthread_mutex_unlock(&cache->mutex);
}
-
+
/*
* Entry was found, or newly created in the cache.
* Seek to the place in the file.
rad_assert(u.type == P_LOGIN);
rad_assert(u.nas_address == utmp.nas_address);
rad_assert(u.nas_port == utmp.nas_port);
-
+
/*
* An update for the same session.
*/
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
AC_CONFIG_SUBDIRS($mysubdirs)
rm install-sh
- dnl #
+ dnl #
dnl # Don't bother looking for errors in the child directories
- dnl #
+ dnl #
targetname=modname
else
AC_MSG_WARN([silently not building ]modname[.])
AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.])
if test x"$headersuggestion" != x; then
- AC_MSG_WARN([$headersuggestion])
+ AC_MSG_WARN([$headersuggestion])
fi
if test x"$libsuggestion" != x; then
- AC_MSG_WARN([$libsuggestion])
+ AC_MSG_WARN([$libsuggestion])
fi
targetname=""
fi
else
sql_ibmdb2_cflags="${sql_ibmdb2_cflags} ${IBMDB2_INCLUDE}"
AC_MSG_RESULT(yes)
-
+
AC_MSG_CHECKING([for SQLConnect in -ldb2])
old_LIBS="$LIBS"
AC_MSG_WARN([ibmdb2 libraries not found. Use --with-ibmdb2-lib-dir=<path>.])
targetname= # disabled module
else
- AC_MSG_RESULT(yes)
+ AC_MSG_RESULT(yes)
sql_ibmdb2_ldflags="$sql_ibmdb2_ldflags $IBMDB2_LIBS"
fi
fi
else
sql_firebird_cflags="${sql_firebird_cflags} ${FIREBIRD_INCLUDE}"
AC_MSG_RESULT(yes)
-
+
AC_MSG_CHECKING([for isc_attach_database -l$GDS])
old_LIBS="$LIBS"
AC_MSG_WARN([firebird libraries not found. Use --with-firebird-lib-dir=<path>.])
targetname= # disabled module
else
- AC_MSG_RESULT(yes)
+ AC_MSG_RESULT(yes)
sql_firebird_ldflags="$sql_firebird_ldflags $FIREBIRD_LIBS"
fi
fi
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_IODBC_H)
-
+
AC_MSG_CHECKING([for SQLConnect in -liodbc])
old_LIBS="$LIBS"
AC_MSG_WARN([iodbc libraries not found. Use --with-iodbc-lib-dir=<path>.])
targetname= # disabled module
else
- AC_MSG_RESULT(yes)
+ AC_MSG_RESULT(yes)
sql_iodbc_ldflags="$sql_iodbc_ldflags $IODBC_LIBS"
fi
fi
AC_MSG_WARN([silently not building ]modname[.])
AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.])
if test x"$headersuggestion" != x; then
- AC_MSG_WARN([$headersuggestion])
+ AC_MSG_WARN([$headersuggestion])
fi
if test x"$libsuggestion" != x; then
- AC_MSG_WARN([$libsuggestion])
+ AC_MSG_WARN([$libsuggestion])
fi
targetname=""
fi
/*************************************************************************
* Function: check_fatal_error
-*
+*
* Purpose: Check error type and behave accordingly
*
*************************************************************************/
{
int x = 0;
- /*
+ /*
Check the error code to see if we should reconnect or not
Error Code table taken from
http://www.postgresql.org/docs/8.1/interactive/errcodes-appendix.html
return SQL_DOWN;
else
return -1;
- }
+ }
x++;
}
- radlog(L_DBG, "rlm_sql_postgresql: Postgresql Fatal Error: [%s] Occurred!!", errorcode);
+ radlog(L_DBG, "rlm_sql_postgresql: Postgresql Fatal Error: [%s] Occurred!!", errorcode);
/* We don't seem to have a matching error class/code */
return -1;
}
rlm_sql_postgres_sock *pg_sock = sqlsocket->conn;
int numfields = 0;
- char *errorcode;
+ char *errorcode;
char *errormsg;
if (config->sqltrace)
switch (status){
- case PGRES_COMMAND_OK:
+ case PGRES_COMMAND_OK:
/*Successful completion of a command returning no data.*/
- /*affected_rows function only returns
- the number of affected rows of a command
- returning no data...
+ /*affected_rows function only returns
+ the number of affected rows of a command
+ returning no data...
*/
- pg_sock->affected_rows = affected_rows(pg_sock->result);
+ pg_sock->affected_rows = affected_rows(pg_sock->result);
radlog(L_DBG, "rlm_sql_postgresql: query affected rows = %i", pg_sock->affected_rows);
return 0;
break;
- }
-
+ }
+
/*
Note to self ... sql_store_result returns 0 anyway
- after setting the sqlsocket->affected_rows..
+ after setting the sqlsocket->affected_rows..
sql_num_fields returns 0 at worst case which means the check below
has a really small chance to return false..
lets remove it then .. yuck!!
#include <freeradius-devel/ident.h>
RCSIDH(sql_postgresql_h, "$Id$")
-/**************************************************
+/**************************************************
* Error Codes and required information Lookup table
-* Does this shite ever needed? Lets c..
+* Does this shite ever needed? Lets c..
***************************************************/
typedef struct pgsql_error{
char *errorcode;
"2000", "NO DATA", 0,
"2001", "NO ADDITIONAL DYNAMIC RESULT SETS RETURNED", 0,
-
+
"3000", "SQL STATEMENT NOT YET COMPLETE", 0,
"8000", "CONNECTION EXCEPTION", 0,
"2B000", "DEPENDENT PRIVILEGE DESCRIPTORS STILL EXIST", 0,
"2BP01", "DEPENDENT OBJECTS STILL EXIST", 0,
-
+
"2D000", "INVALID TRANSACTION TERMINATION", 0,
-
+
"2F000", "SQL ROUTINE EXCEPTION", 0,
"2F005", "FUNCTION EXECUTED NO RETURN STATEMENT", 0,
"2F002", "MODIFYING SQL DATA NOT PERMITTED", 0,
"2F004", "READING SQL DATA NOT PERMITTED", 0,
"34000", "INVALID CURSOR NAME", 0,
-
+
"38000", "EXTERNAL ROUTINE EXCEPTION", 0,
"38001", "CONTAINING SQL NOT PERMITTED", 0,
"38002", "MODIFYING SQL DATA NOT PERMITTED", 0,
"53100", "DISK FULL", 0,
"53200", "OUT OF MEMORY", 0,
"53300", "TOO MANY CONNECTIONS", 0,
-
+
"54000", "PROGRAM LIMIT EXCEEDED", 0,
"54001", "STATEMENT TOO COMPLEX", 0,
"54011", "TOO MANY COLUMNS", 0,
"55000", "OBJECT NOT IN PREREQUISITE STATE", 0,
"55006", "OBJECT IN USE", 0,
- "55P02", "CANT CHANGE RUNTIME PARAM", 0,
+ "55P02", "CANT CHANGE RUNTIME PARAM", 0,
"55P03", "LOCK NOT AVAILABLE", 0,
-
+
"57000", "OPERATOR INTERVENTION", 1,
"57014", "QUERY CANCELED", 1,
"57P01", "ADMIN SHUTDOWN", 1,
"42P01", "UNDEFINED TABLE", 0,
"42P02", "UNDEFINED PARAMETER", 0,
"42704", "UNDEFINED OBJECT", 0,
- "42701", "DUPLICATE COLUMN", 0,
+ "42701", "DUPLICATE COLUMN", 0,
"42P03", "DUPLICATE CURSOR", 0,
"42P04", "DUPLICATE DATABASE", 0,
"42723", "DUPLICATE FUNCTION", 0,
else
sql_unixodbc_cflags="${sql_unixodbc_cflags} ${UNIXODBC_INCLUDE}"
AC_MSG_RESULT(yes)
-
+
AC_MSG_CHECKING([for SQLConnect in -lodbc])
old_LIBS="$LIBS"
AC_MSG_WARN([unixODBC libraries not found. Use --with-unixODBC-lib-dir=<path>.])
targetname= # disabled module
else
- AC_MSG_RESULT(yes)
+ AC_MSG_RESULT(yes)
sql_unixodbc_ldflags="$sql_unixodbc_ldflags $UNIXODBC_LIBS"
fi
fi
SQLINTEGER errornum = 0;
SQLSMALLINT length = 255;
static char result[1024]; /* NOT thread-safe! */
-
+
rlm_sql_unixodbc_sock *unixodbc_sock = sqlsocket->conn;
error[0] = state[0] = '\0';
-
+
SQLError(
unixodbc_sock->env_handle,
unixodbc_sock->dbc_handle,
rlm_sql_unixodbc_sock *unixodbc_sock = sqlsocket->conn;
- if(SQL_SUCCEEDED(err_handle))
+ if(SQL_SUCCEEDED(err_handle))
return 0; /* on success, just return 0 */
error[0] = state[0] = '\0';
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
char *pool_name;
- /* We ended up removing the init
+ /* We ended up removing the init
queries so that its up to user
to create the db structure and put the required
- information in there
+ information in there
*/
/* Allocation sequence */
char *allocate_begin; /* SQL query to begin */
char *off_clear; /* SQL query to clear an entire NAS */
char *off_commit; /* SQL query to commit */
char *off_rollback; /* SQL query to rollback */
-
+
/* Logging Section */
char *log_exists; /* There was an ip address already assigned */
char *log_success; /* We successfully allocated ip address from pool */
/*
* We check if we're inside an open brace. If we are
* then we assume this brace is NOT literal, but is
- * a closing brace and apply it
+ * a closing brace and apply it
*/
if((c == '}') && openbraces) {
openbraces--;
*q++ = *p;
break;
case 'P': /* pool name */
- strlcpy(q, data->pool_name, freespace);
+ strlcpy(q, data->pool_name, freespace);
q += strlen(q);
break;
case 'I': /* IP address */
break;
case 'J': /* lease duration */
sprintf(tmp, "%d", data->lease_duration);
- strlcpy(q, tmp, freespace);
+ strlcpy(q, tmp, freespace);
q += strlen(q);
break;
default:
/*
* if we have something to log, then we log it
- * otherwise we return the retcode as soon as possible
+ * otherwise we return the retcode as soon as possible
*/
static int do_logging(char *str, int retcode)
{
if (strlen(str))
- radlog(L_INFO,"%s", str);
+ radlog(L_INFO,"%s", str);
return retcode;
}
return do_logging(logstr, RLM_MODULE_NOOP);
}
-
+
if (pairfind(request->packet->vps, PW_NAS_IP_ADDRESS) == NULL) {
DEBUG("rlm_sqlippool: unknown NAS-IP-Address");
return RLM_MODULE_NOOP;
(char *) NULL, 0);
if (allocation_len == 0)
- {
+ {
/*
* COMMIT
*/
/*
* Should we perform pool-check ?
- */
+ */
if (data->pool_check && *data->pool_check) {
/*
/*
* Pool exists after all... So, the failure to allocate
- * the IP address was most likely due to the depletion
+ * the IP address was most likely due to the depletion
* of the pool. In that case, we should return NOTFOUND
*/
DEBUG("rlm_sqlippool: IP address could not be allocated.");
}
/*
- * Pool doesn't exist in the table. It may be handled by some
+ * Pool doesn't exist in the table. It may be handled by some
* other instance of sqlippool, so we should just ignore
* this allocation failure and return NOOP
*/
DEBUG("rlm_sqlippool: IP address could not be allocated as not pool exists with that name.");
return RLM_MODULE_NOOP;
-
+
}
-
+
sql_release_socket(data->sql_inst, sqlsocket);
DEBUG("rlm_sqlippool: IP address could not be allocated.");
return do_logging(logstr, RLM_MODULE_NOOP);
}
-
+
/*
* FIXME: Make it work with the ipv6 addresses
*/
DEBUG("rlm_sqlippool: Invalid IP number [%s] returned from database query.", allocation);
sql_release_socket(data->sql_inst, sqlsocket);
- radius_xlat(logstr, sizeof(logstr), data->log_failed, request, NULL);
-
+ radius_xlat(logstr, sizeof(logstr), data->log_failed, request, NULL);
+
return do_logging(logstr, RLM_MODULE_NOOP);
}
/*
* Check for an Accounting-Stop
- * If we find one and we have allocated an IP to this nas/port combination, deallocate it.
+ * If we find one and we have allocated an IP to this nas/port combination, deallocate it.
*/
static int sqlippool_accounting(void * instance, REQUEST * request)
{
*/
module_t rlm_sqlippool = {
RLM_MODULE_INIT,
- "SQL IP Pool",
+ "SQL IP Pool",
RLM_TYPE_THREAD_SAFE, /* type */
sqlippool_instantiate, /* instantiation */
sqlippool_detach, /* detach */
if test "$ac_cv_header_pwd_h" != "yes"; then
AC_MSG_RESULT(no pwd.h)
[ fail=$fail" pwd.h" ]
- fi
+ fi
- AC_CHECK_LIB(shadow, getspnam,
- [
+ AC_CHECK_LIB(shadow, getspnam,
+ [
unix_ldflags="${unix_ldflags} -lshadow"
- AC_DEFINE(HAVE_GETSPNAM)
+ AC_DEFINE(HAVE_GETSPNAM)
]
)
AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
else
AC_MSG_WARN([silently not building ]modname[.])
- AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+ AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
targetname=""
fi
fi
if (nas_address == 0) {
RADCLIENT *cl;
nas_address = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
-
+
if ((cl = client_find_old(&request->packet->src_ipaddr)) != NULL)
s = cl->shortname;
}
if (!s || s[0] == 0) s = uue(&(nas_address));
-
+
#ifdef __linux__
/*
* Linux has a field for the client address.
projects / freeradius.git / commitdiff