@section client_intro Introduction
*/
-~
+~
@subsection dev_list FreeRADIUS-devel
-This list is for development of the server, including patches, and
+This list is for development of the server, including patches, and
new features. PLEASE DO NOT post questions related to the operation
of the server here - use the "users" list. Most of the developers
read both, and will answer your questions there if they have the time.
#ifdef GEN_EXPORTS
-/** Returns a file's name without path or extension
+/** Returns a file's name without path or extension
*
* @param path to check
* @return pointer in path.
strcat(tmp, "=");
#endif
strcat(tmp, path);
-
+
push_count_chars(cc, tmp);
}
* install, we're most likely getting the .la
* file that we want to install as.
*
- * The problem is that we need to add it as the
+ * The problem is that we need to add it as the
* directory, not the .la file itself.
* Otherwise, we'll do odd things.
*/
/*
* Stop if we get another magic method
*/
- if ((a == 1) &&
+ if ((a == 1) &&
((strncmp(arg, "LINK", 4) == 0) ||
(strcmp(arg, "CC") == 0) ||
(strcmp(arg, "CXX") == 0))) {
} else if (!strcmp(arg + 1, "undefined")) {
cmd->undefined_flag = argv[++a];
arg_used = 1;
- /*
+ /*
* Add dir to runtime library search path.
*/
} else if ((arg[1] == 'R') && !arg[2]) {
* Ok.. the argument doesn't begin with a dash
* maybe it's an input file.
*
- * Check its extension to see if it's a known input
+ * Check its extension to see if it's a known input
* file and verify it exists.
*/
} else {
/*
- * If were building a module we may have local PACKAGE_* defines if
- * AC_INIT() was called with full arguments.
+ * If were building a module we may have local PACKAGE_* defines if
+ * AC_INIT() was called with full arguments.
*/
#ifdef IS_MODULE
# undef PACKAGE_BUGREPORT
*/
#ifndef FR_CONNECTION_H
#define FR_CONNECTION_H
-/*
+/*
* $Id$
*
* @file connection.h
* @copyright 2012 The FreeRADIUS server project
* @copyright 2012 Alan DeKok <aland@deployingradius.com>
*/
-
+
#include <freeradius-devel/ident.h>
RCSIDH(connection_h, "$Id$")
#endif
typedef struct attr_flags {
- unsigned int is_unknown : 1; //!< Attribute number or
+ unsigned int is_unknown : 1; //!< Attribute number or
//!< vendor is unknown.
unsigned int is_tlv : 1; //!< Is a sub attribute.
- unsigned int vp_free : 1; //!< Should be freed when
+ unsigned int vp_free : 1; //!< Should be freed when
//!< VALUE_PAIR is freed.
unsigned int has_tag : 1; //!< Tagged attribute.
typedef enum value_type {
VT_NONE = 0, //!< VALUE_PAIR has no value.
VT_SET, //!< VALUE_PAIR has children.
- VT_LIST, //!< VALUE_PAIR has multiple
+ VT_LIST, //!< VALUE_PAIR has multiple
//!< values.
VT_DATA, //!< VALUE_PAIR has a single
//!< value.
- VT_XLAT //!< valuepair value must be
- //!< xlat expanded when it's
+ VT_XLAT //!< valuepair value must be
+ //!< xlat expanded when it's
//!< added to VALUE_PAIR tree.
} value_type_t;
struct value_pair *next;
- FR_TOKEN op; //!< Operator to use when
- //!< moving or inserting
+ FR_TOKEN op; //!< Operator to use when
+ //!< moving or inserting
//!< valuepair into a list.
int8_t tag; //!< Tag value used to group
union {
// VALUE_SET *set; //!< Set of child attributes.
- // VLAUE_LIST *list; //!< List of values for
+ // VLAUE_LIST *list; //!< List of values for
//!< multivalued attribute.
- // VALUE_DATA *data; //!< Value data for this
+ // VALUE_DATA *data; //!< Value data for this
//!< attribute.
const char *xlat; //!< Source string for xlat
typedef struct value_pair_raw {
- char l_opand[64]; //!< Left hand side of the
+ char l_opand[64]; //!< Left hand side of the
//!< pair.
- char r_opand[1024]; //!< Right hand side of the
+ char r_opand[1024]; //!< Right hand side of the
//!< pair.
- FR_TOKEN quote; //!< Type of quoting around
+ FR_TOKEN quote; //!< Type of quoting around
//!< the r_opand.
FR_TOKEN op; //!< Operator.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/*
* $Id$
*
/** The different section components of the server
*
- * Used as indexes in the methods array in the module_t struct.
+ * Used as indexes in the methods array in the module_t struct.
*/
typedef enum rlm_components {
RLM_COMPONENT_AUTH = 0, //!< 0 methods index for authenticate section.
} rlm_components_t;
/** Map a section name, to a section typename, to an attribute number
- *
+ *
* Used by modules.c to define the mappings between names, types and control
* attributes.
*/
extern const section_type_value_t section_type_value[];
#define RLM_TYPE_THREAD_SAFE (0 << 0) //!< Module is threadsafe.
-#define RLM_TYPE_THREAD_UNSAFE (1 << 0) //!< Module is not threadsafe.
- //!< Server will protect calls
+#define RLM_TYPE_THREAD_UNSAFE (1 << 0) //!< Module is not threadsafe.
+ //!< Server will protect calls
//!< with mutex.
#define RLM_TYPE_CHECK_CONFIG_SAFE (1 << 1) //!< Instantiate module on -C.
//!< Module will be
//!< check mode.
#define RLM_TYPE_HUP_SAFE (1 << 2) //!< Will be restarted on HUP.
//!< Server will instantiated
- //!< new instance, and then
+ //!< new instance, and then
//!< destroy old instance.
#define RLM_MODULE_MAGIC_NUMBER ((uint32_t) (0xf4ee4ad3))
#define RLM_MODULE_INIT RLM_MODULE_MAGIC_NUMBER
/** Module section callback
- *
+ *
* Is called when the module is listed in a particular section of a virtual
* server, and the request has reached the module call.
*
typedef rlm_rcode_t (*packetmethod)(void *instance, REQUEST *request);
/** Module instantiation callback
- *
+ *
* Is called once per module instance. Is not called when new threads are
* spawned. Modules that require separate thread contexts should use the
* connection pool API.
typedef int (*instantiate_t)(CONF_SECTION *mod_cs, void **instance);
/** Module detach callback
- *
+ *
* Is called just before the server exits, and after re-instantiation on HUP,
* to free the old module instance.
*
typedef int (*detach_t)(void *instance);
/** Metadata exported by the module
- *
+ *
* This determines the capabilities of the module, and maps internal functions
* within the module to different sections.
*/
typedef struct module_t {
uint32_t magic; //!< Used to validate module struct.
- const char *name; //!< The name of the module (without rlm_
+ const char *name; //!< The name of the module (without rlm_
//!< prefix).
int type; //!< One or more of the RLM_TYPE_* constants.
instantiate_t instantiate; //!< Function to use for instantiation.
//!< various section functions, ordering
//!< determines which function is mapped to
//!< which section.
-
+
} module_t;
int setup_modules(int, CONF_SECTION *);
PW_TYPE_SHORT, //!< 16 Bit unsigned integer.
PW_TYPE_ETHERNET, //!< 48 Bit Mac-Address.
PW_TYPE_SIGNED, //!< 32 Bit signed integer.
- PW_TYPE_COMBO_IP, //!< WiMAX IPv4 or IPv6 address depending
+ PW_TYPE_COMBO_IP, //!< WiMAX IPv4 or IPv6 address depending
//!< on length.
PW_TYPE_TLV, //!< Contains nested attributes.
PW_TYPE_EXTENDED, //!< Extended attribute space attribute.
struct request {
#ifndef NDEBUG
- uint32_t magic; //!< Magic number used to
+ uint32_t magic; //!< Magic number used to
//!< detect memory corruption,
//!< or request structs that
//!< have not been properly
#endif
VALUE_PAIR *config_items; //!< VALUE_PAIR s used to set
//!< per request parameters for
- //!< modules and the server
+ //!< modules and the server
//!< core at runtime.
VALUE_PAIR *username; //!< Cached username VALUE_PAIR.
VALUE_PAIR *password; //!< Cached password VALUE_PAIR.
struct main_config_t *root; //!< Pointer to the main config
//!< hack to try and deal with
- //!< hup.
+ //!< hup.
request_data_t *data; //!< Request metadata.
pthread_t child_pid; //!< Current thread handling
//!< the request.
#endif
- time_t timestamp; //!< When the request was
+ time_t timestamp; //!< When the request was
//!< received.
unsigned int number; //!< Monotonically increasing
- //!< request number. Reset on
+ //!< request number. Reset on
//!< server restart.
rad_listen_t *listener; //!< The listener that received
//!< the request.
#ifdef WITH_PROXY
- rad_listen_t *proxy_listener;//!< Listener for outgoing
+ rad_listen_t *proxy_listener;//!< Listener for outgoing
//!< requests.
#endif
- int simul_max; //!< Maximum number of
+ int simul_max; //!< Maximum number of
//!< concurrent sessions for
//!< this user.
#ifdef WITH_SESSION_MGMT
#endif
int options; //!< Request options, currently
- //!< just holds the debug level
+ //!< just holds the debug level
//!< for the request.
const char *module; //!< Module the request is
const char *server;
REQUEST *parent;
- radlog_func_t radlog; //!< Function to call to output
+ radlog_func_t radlog; //!< Function to call to output
//!< log messages about this
//!< request.
#ifdef WITH_COA
const char *auth_badpass_msg;
const char *auth_goodpass_msg;
int colourise; //!< Messages output to stderr and
- //!< stdout may be formatted using
+ //!< stdout may be formatted using
//!< VT100 escape sequences.
int debug_memory;
} MAIN_CONFIG_T;
REQUEST_FAIL_DECODE, //!< Rad_decode didn't like it.
REQUEST_FAIL_PROXY, //!< Call to proxy modules failed.
REQUEST_FAIL_PROXY_SEND, //!< Proxy_send didn't like it.
- REQUEST_FAIL_NO_RESPONSE, //!< We weren't told to respond,
+ REQUEST_FAIL_NO_RESPONSE, //!< We weren't told to respond,
//!< so we reject.
REQUEST_FAIL_HOME_SERVER, //!< The home server didn't respond.
REQUEST_FAIL_HOME_SERVER2, //!< Another case of the above.
REQUEST_FAIL_HOME_SERVER3, //!< Another case of the above.
REQUEST_FAIL_NORMAL_REJECT, //!< Authentication failure.
- REQUEST_FAIL_SERVER_TIMEOUT //!< The server took too long to
+ REQUEST_FAIL_SERVER_TIMEOUT //!< The server took too long to
//!< process the request.
} request_fail_t;
extern const FR_NAME_NUMBER vpt_types[];
/** A pre-parsed template attribute
- *
+ *
* Value pair template, used when processing various mappings sections
* to create a real valuepair later.
*
request_refs_t request; //!< Request to search or insert in.
pair_lists_t list; //!< List to search or insert in.
-
+
const DICT_ATTR *da; //!< Resolved dictionary attribute.
vpt_type_t type; //!< What type of value tmpl refers to.
} value_pair_tmpl_t;
FR_TOKEN op; //!< The operator that controls
//!< insertion of the dst attribute.
- CONF_ITEM *ci; //!< Config item that the map was
- //!< created from. Mainly used for
+ CONF_ITEM *ci; //!< Config item that the map was
+ //!< created from. Mainly used for
//!< logging validation errors.
struct value_pair_map *next; //!< The next valuepair map.
value_pair_tmpl_t *radius_attr2tmpl(const char *name,
request_refs_t request_def,
pair_lists_t list_def);
-
+
value_pair_tmpl_t *radius_str2tmpl(const char *name, FR_TOKEN type);
int radius_attrmap(CONF_SECTION *cs, value_pair_map_t **head,
pair_lists_t dst_list_def, pair_lists_t src_list_def,
/**
* @brief Encode/decode binary data using printable characters.
- * @author Simon Josefsson.
+ * @author Simon Josefsson.
* @see RFC 3548 <http://www.ietf.org/rfc/rfc3548.txt>.
*/
#include <freeradius-devel/ident.h>
*p++ = b64str[((in[0] << 4) +
(--inlen ? in[1] >> 4 : 0)) & 0x3f];
-
+
*p++ = (inlen ? b64str[((in[1] << 2) +
(--inlen ? in[2] >> 6 : 0)) & 0x3f] : '=');
-
+
*p++ = inlen ? b64str[in[2] & 0x3f] : '=';
if (inlen) inlen--;
* Allocate a buffer and store zero terminated base64 encoded data from array
* IN of size INLEN, returning FR_BASE64_ENC_LENGTH(INLEN), i.e.,
* the length of the encoded data, excluding the terminating zero.
- *
- * On return, the OUT variable will hold a pointer to newly allocated memory
+ *
+ * On return, the OUT variable will hold a pointer to newly allocated memory
* that must be deallocated by the caller.
- *
+ *
* If output string length would overflow, 0 is returned and OUT is set to NULL.
*
* @param[in] in Binary data in.
* Note that '=' is padding and not considered to be part of the alphabet.
*
* @param c char to check.
- * @return TRUE if CH is a character from the Base64 alphabet, and FALSE
+ * @return TRUE if CH is a character from the Base64 alphabet, and FALSE
* otherwise.
*/
int fr_isbase64(char c)
} else {
if (!fr_isbase64(in[2])) break;
- *p++ = ((b64[us(in[1])] << 4) & 0xf0) |
+ *p++ = ((b64[us(in[1])] << 4) & 0xf0) |
(b64[us(in[2])] >> 2);
if (inlen == 3) break;
/** Allocate a buffer and store decoded data.
*
- * Allocate an output buffer in *OUT, and decode the base64 encoded data stored
+ * Allocate an output buffer in *OUT, and decode the base64 encoded data stored
* in IN of size INLEN to the *OUT buffer.
- *
+ *
* On return, the size of the decoded data is stored in *OUTLEN.
* OUTLEN may be NULL, if the caller is not interested in the decoded length.
* *OUT may be NULL to indicate an out of memory error, in which case *OUTLEN
* contains the size of the memory block needed.
- *
- * The function returns TRUE on successful decoding and memory allocation
- * errors. (Use the *OUT and *OUTLEN parameters to differentiate between
+ *
+ * The function returns TRUE on successful decoding and memory allocation
+ * errors. (Use the *OUT and *OUTLEN parameters to differentiate between
* successful decoding and memory error.)
*
- * The function returns FALSE if the input was invalid, in which case *OUT is
+ * The function returns FALSE if the input was invalid, in which case *OUT is
* NULL and *OUTLEN is undefined.
*
* @param[in] in Base64 string to decode.
ssize_t fr_base64_decode_alloc(const char *in, size_t inlen, uint8_t **out)
{
ssize_t ret;
- /*
+ /*
* This may allocate a few bytes too much, depending on input,
* but it's not worth the extra CPU time to compute the exact amount.
* The exact amount is 3 * inlen / 4, minus 1 if the input ends
/*
* Loop over the options.
*/
-
+
/*
- * Nothing uses tail after this call, if it does in the future
+ * Nothing uses tail after this call, if it does in the future
* it'll need to find the new tail...
*/
if (fr_dhcp_decode_options(packet,
packet->data + 240, packet->data_len - 240,
- tail) < 0) {
+ tail) < 0) {
return -1;
}
}
/** Free dynamically allocated (unknown attributes)
- *
+ *
* If the da was dynamically allocated it will be freed, else the function
* will return without doing anything.
*
vendor = (int) strtol(p + 7, &q, 10);
if ((vendor == 0) || (vendor > FR_MAX_VENDOR)) {
fr_strerror_printf("Invalid vendor value in "
- "attribute name \"%s\"",
+ "attribute name \"%s\"",
attribute);
return NULL;
}
if (!el) return NULL;
memset(el, 0, sizeof(*el));
- el->times = fr_heap_create(fr_event_list_time_cmp,
+ el->times = fr_heap_create(fr_event_list_time_cmp,
offsetof(fr_event_t, heap));
if (!el->times) {
fr_event_list_free(el);
}
return 0;
-}
+}
void fr_event_loop_exit(fr_event_list_t *el, int code)
}
fr_heap_t *fr_heap_create(fr_heap_cmp_t cmp, size_t offset)
-{
+{
fr_heap_t *fh;
if (!cmp) return NULL;
*((int *)(((uint8_t *)heap->p[node]) + heap->offset)) = -1
int fr_heap_insert(fr_heap_t *hp, void *data)
-{
+{
int child = hp->num_elements;
/*
* Remove the top element, or object.
*/
int fr_heap_extract(fr_heap_t *hp, void *data)
-{
+{
int child, parent;
int max;
fr_strerror_printf("Failed setting sockopt "
"IPPROTO_IPV6 - IPV6_V6ONLY"
": %s", strerror(errno));
- return -1;
+ return -1;
}
}
#endif /* IPV6_V6ONLY */
fr_strerror_printf("Failed setting sockopt "
"IPPROTO_IP - IP_MTU_DISCOVER: %s",
strerror(errno));
- return -1;
+ return -1;
}
#endif
fr_strerror_printf("Failed setting sockopt "
"IPPROTO_IP - IP_DONTFRAG: %s",
strerror(errno));
- return -1;
+ return -1;
}
#endif
}
/*
* MUST match dst port, if we have one.
*/
- if ((ps->dst_port != 0) &&
+ if ((ps->dst_port != 0) &&
(ps->dst_port != request->dst_port)) continue;
/*
* MUST match requested src port, if one has been given.
*/
- if ((request->src_port != 0) &&
+ if ((request->src_port != 0) &&
(ps->src_port != request->src_port)) continue;
/*
int len;
char *p = buffer;
const char *q;
-
+
if (!vp->da->flags.has_tag) {
switch (vp->da->type) {
case PW_TYPE_INTEGER:
*p++ = 'n';
} else if (*q == '\r') {
*p++ = 'r';
- } else if (*q == '\t'){
+ } else if (*q == '\t'){
*p++ = 't';
} else {
if(s < 8) return -1;
#define AUTH_PASS_LEN (AUTH_VECTOR_LEN)
/**
* @brief Build an encrypted secret value to return in a reply packet
- *
+ *
* The secret is hidden by xoring with a MD5 digest
* created from the shared secret and the authentication
* vector. We put them into MD5 in the reverse order from
(char *)&on, sizeof(on)) < 0) {
fr_strerror_printf("Failed in setsockopt(): %s",
strerror(errno));
- close(sockfd);
+ close(sockfd);
return -1;
- }
+ }
}
#endif /* IPV6_V6ONLY */
}
close(sockfd);
return -1;
}
-
+
if (bind(sockfd, (struct sockaddr *) &salocal, salen) < 0) {
fr_strerror_printf("Failed in bind(): %s", strerror(errno));
close(sockfd);
size_t max;
for (this = table; this->name != NULL; this++) {
- /*
+ /*
* Match up to the length of the table entry if len is < 0.
*/
max = (len < 0) ? strlen(this->name) : (unsigned)len;
}
/** Create a new valuepair
- *
+ *
* If attr and vendor match a dictionary entry then a VP with that DICT_ATTR
* will be returned.
*
*
* Which type of DICT_ATTR the VALUE_PAIR was created with can be determined by
* checking @verbatim vp->da->flags.is_unknown @endverbatim.
- *
+ *
* @param[in] ctx for allocated memory, usually a pointer to a RADIUS_PACKET
* @param[in] attr number.
* @param[in] vendor number.
}
/** Free memory used by a single valuepair.
- *
+ *
* @todo TLV: needs to die in fire.
*/
void pairbasicfree(VALUE_PAIR *pair)
}
/** Free memory used by a valuepair list.
- *
+ *
* @todo TLV: needs to free all dependents of each VP freed.
*/
void pairfree(VALUE_PAIR **pair_ptr)
/** Delete matching pairs
*
* Delete matching pairs from the attribute list.
- *
+ *
* @param[in,out] first VP in list.
* @param[in] attr to match.
* @param[in] vendor to match.
/** Add a VP to the end of the list.
*
* Locates the end of 'first', and links an additional VP 'add' at the end.
- *
+ *
* @param[in] first VP in linked list. Will add new VP to the end of this list.
* @param[in] add VP to add to list.
* @return a copy of the input VP
/** Replace all matching VPs
*
* Walks over 'first', and replaces the first VP that matches 'replace'.
- *
+ *
* @note Memory used by the VP being replaced will be freed.
* @note Will not work with unknown attributes.
- *
+ *
* @param[in,out] first VP in linked list. Will search and replace in this list.
* @param[in] replace VP to replace.
* @return a copy of the input vp
* vp.
*
* @todo Should be able to do type conversions.
- *
+ *
* @param[in] da of new attribute to alloc.
* @param[in] vp to copy data from.
* @return the new valuepair.
*
* Copy pairs of a matching attribute number, vendor number and tag from the
* the input list to a new list, and returns the head of this list.
- *
+ *
* @param[in] vp which is head of the input list.
* @param[in] attr to match, if 0 input list will not be filtered by attr.
* @param[in] vendor to match.
* in most places. Consider using radius_pairmove in server code.
*
* @note pairfree should be called on the head of the source list to free
- * unmoved attributes (if they're no longer needed).
+ * unmoved attributes (if they're no longer needed).
*
* @note Does not respect tags when matching.
- *
+ *
* @param[in,out] to destination list.
* @param[in,out] from source list.
*
found = pairfind(*to, i->da->attr, i->da->vendor,
TAG_ANY);
-
+
switch (i->op) {
/*
* the input list to the output list.
*
* @note pairfree should be called on the head of the old list to free unmoved
- attributes (if they're no longer needed).
- *
+ attributes (if they're no longer needed).
+ *
* @param[in,out] to destination list.
* @param[in,out] from source list.
* @param[in] attr to match, if PW_VENDOR_SPECIFIC and vendor 0, only VSAs will
vp->length = 6;
break;
- /*
+ /*
* Crazy polymorphic (IPv4/IPv6) attribute type for WiMAX.
*
* We try and make is saner by replacing the original
/*
* Just return the vp.
*
- * The value will likely be provided later by
+ * The value will likely be provided later by
* an xlat expansion.
*/
return vp;
vp->vp_strvalue[0] = '\0';
vp->length = 0;
- return 0;
+ return 0;
}
/** Read a single valuepair from a buffer, and advance the pointer
return T_OP_INVALID;
}
- /*
+ /*
* Read value. Note that empty string values are allowed
*/
quote = gettoken(ptr, raw->r_opand, sizeof(raw->r_opand));
if ((dst_ipaddr->af == AF_INET) &&
(src_ipaddr->af != AF_UNSPEC)) {
return sendfromto(sockfd, data, data_len, flags,
- (struct sockaddr *)&src, sizeof_src,
+ (struct sockaddr *)&src, sizeof_src,
(struct sockaddr *)&dst, sizeof_dst);
}
#else
/*
* No udpfromto, OR an IPv6 socket, fail gracefully.
*/
- return sendto(sockfd, data, data_len, flags,
+ return sendto(sockfd, data, data_len, flags,
(struct sockaddr *)&dst, sizeof_dst);
}
(header[1] > 4) ||
(header[3] > VQP_MAX_ATTRIBUTES)) {
rad_recv_discard(sockfd);
-
+
return 0;
} else { /* we got 4 bytes of data. */
#ifdef WITH_UDPFROMTO
if (dst.ss_family == AF_INET) {
data_len = recvfromto(sockfd, buf, len, flags,
- (struct sockaddr *)&src, &sizeof_src,
+ (struct sockaddr *)&src, &sizeof_src,
(struct sockaddr *)&dst, &sizeof_dst);
} else
#endif
/*
* No udpfromto, OR an IPv6 socket. Fail gracefully.
*/
- data_len = recvfrom(sockfd, buf, len, flags,
+ data_len = recvfrom(sockfd, buf, len, flags,
(struct sockaddr *)&src, &sizeof_src);
if (data_len < 0) {
free(buf);
fprintf(stderr, "%02x ", ptr[i]);
if ((i & 0x0f) == 0x0f) fprintf(stderr, "\n");
}
-
+
}
if (ptr[3] > VQP_MAX_ATTRIBUTES) {
{ "src_ipaddr", PW_TYPE_STRING_PTR,
0, &cl_srcipaddr, NULL },
-
+
{ "require_message_authenticator", PW_TYPE_BOOLEAN,
offsetof(RADCLIENT, message_authenticator), 0, "no" },
ip_ntoh(&request->packet->src_ipaddr,
buffer, sizeof(buffer)),
ip_ntoh(&c->ipaddr,
- buf2, sizeof(buf2)));
+ buf2, sizeof(buf2)));
goto error;
}
) {
radlog(L_ERR, "Cannot turn %s into socket", path);
close(sockfd);
- return -1;
+ return -1;
}
/*
*/
static void cprint_conf_parser(rad_listen_t *listener, int indent, CONF_SECTION *cs,
const void *base)
-
+
{
int i;
const void *data;
case PW_TYPE_BOOLEAN:
cprintf(listener, "%.*s%s = %s\n", indent, tabs,
- variables[i].name,
+ variables[i].name,
((*(const int *) data) == 0) ? "no" : "yes");
break;
"set module <command> - set module commands",
NULL, command_table_set_module },
#ifdef WITH_PROXY
- { "home_server", FR_WRITE,
+ { "home_server", FR_WRITE,
"set home_server <command> - set home server commands",
NULL, command_table_set_home },
#endif
sock->gid_name, strerror(errno));
return -1;
}
- sock->gid = gr->gr_gid;
+ sock->gid = gr->gr_gid;
} else {
sock->gid = -1;
}
/*
* FIXME: check for absolute pathnames?
- * check for uid/gid on the other end...
+ * check for uid/gid on the other end...
*/
this->fd = fr_server_domain_socket(sock->path);
if (sock->uid_name && (sock->uid != uid)) {
radlog(L_ERR, "Unauthorized connection to %s from uid %ld",
-
+
sock->path, (long int) uid);
close(newfd);
return 0;
*/
if (stat(value, &stat_buf) < 0) {
radlog(L_ERR, "%s[%d]: Failed reading directory %s: %s",
- filename, *lineno,
+ filename, *lineno,
value, strerror(errno));
return -1;
}
filename, *lineno, buf2);
return -1;
}
-
+
if (this->template) {
radlog(L_ERR, "%s[%d]: Section already has a template",
filename, *lineno);
((pair->value_type == T_DOUBLE_QUOTED_STRING) ||
(pair->value_type == T_BACK_QUOTED_STRING))) {
VALUE_PAIR *vp;
-
+
vp = pairmake(pair->attr, NULL, pair->op);
if (!vp) {
return NULL;
//!< has been reserved.
int in_use; //!< Whether the connection is currently
//!< reserved.
- int number; //!< Unique ID assigned when the
+ int number; //!< Unique ID assigned when the
//!< connection is created, these will
- //!< monotonically increase over the
+ //!< monotonically increase over the
//!< lifetime of the connection pool.
void *connection; //!< Pointer to whatever the module
//!< uses for a connection handle.
*
* Defines the configuration of the connection pool, all the counters and
* timestamps related to the connection pool, the mutex that stops multiple
- * threads leaving the pool in an inconsistent state, and the callbacks
+ * threads leaving the pool in an inconsistent state, and the callbacks
* required to open, close and check the status of connections within the pool.
*
* @see fr_connection
*/
struct fr_connection_pool_t {
int start; //!< Number of initial connections
- int min; //!< Minimum number of concurrent
+ int min; //!< Minimum number of concurrent
//!< connections to keep open.
int max; //!< Maximum number of concurrent
//!< connections to allow.
//!< connection can be used before being
//!< closed.
int lifetime; //!< How long a connection can be open
- //!< before being closed (irrespective
+ //!< before being closed (irrespective
//!< of whether it's idle or not).
int idle_timeout; //!< How long a connection can be idle
//!< before being closed.
int trigger; //!< If TRUE execute connection triggers
//!< associated with the connection
- //!< pool.
+ //!< pool.
time_t last_checked; //!< Last time we pruned the connection
//!< pool.
//!< a connection but failed.
time_t last_complained;//!< Last time we complained about
//!< configuration parameters.
- time_t last_throttled; //!< Last time we refused to spawn a
+ time_t last_throttled; //!< Last time we refused to spawn a
//!< connection because the last
- //!< connection failed, or we were
+ //!< connection failed, or we were
//!< already spawning a connection.
time_t last_at_max; //!< Last time we hit the maximum number
//!< of allowed connections.
#ifdef HAVE_PTHREAD_H
pthread_mutex_t mutex; //!< Mutex used to keep consistent state
- //!< when making modifications in
+ //!< when making modifications in
//!< threaded mode.
#endif
if (!conn) {
radlog(L_ERR, "%s: Opening connection failed (%i)",
pool->log_prefix, pool->count);
-
+
pool->last_failed = now;
free(this);
pool->spawning = FALSE; /* atomic, so no lock is needed */
*
* Walks over the list of connections searching for a specified connection
* handle and returns the first connection that contains that pointer.
- *
+ *
* @note Will lock mutex and only release mutex if connection handle
* is not found, so will usually return will mutex held.
* @note Must be called with the mutex free.
*
* @param[in] pool to search in.
* @param[in] conn handle to search for.
- * @return the connection containing the specified handle, or NULL if non is
+ * @return the connection containing the specified handle, or NULL if non is
* found.
*/
static fr_connection_t *fr_connection_find(fr_connection_pool_t *pool, void *conn)
*
* Resolves the connection handle to a connection, then (if found)
* closes, unlinks and frees that connection.
- *
+ *
* @note Must be called with the mutex free.
*
* @param[in,out] pool Connection pool to modify.
*
* Closes, unlinks and frees all connections in the connection pool, then frees
* all memory used by the connection pool.
- *
+ *
* @note Will call the 'stop' trigger.
* @note Must be called with the mutex free.
*
(pool->last_complained < now)) {
radlog(L_INFO, "%s: WARNING: You probably need to "
"lower \"min\"", pool->log_prefix);
-
+
pool->last_complained = now;
}
fr_connection_close(pool, this);
* If no free connections are found will attempt to spawn a new one, conditional
* on a connection spawning not already being in progress, and not being at the
* 'max' connection limit.
- *
+ *
* @note fr_connection_release must be called once the caller has finished
* using the connection.
*
radlog(L_ERR, "%s: Failed to reconnect (%i), and no other "
"connections available", pool->log_prefix, conn_number);
-
+
return NULL;
}
if (ip_hton(value, AF_INET, &data->client_ip) < 0) {
radlog(L_ERR,
"Failed parsing Client-IP-Address");
-
+
pairfree(&data->vps);
goto cleanup;
}
*/
if (data->state != STATE_QUEUED) {
radlog(L_ERR, "Truncated record: treating it as EOF for detail file %s", data->filename_work);
- goto cleanup;
+ goto cleanup;
}
/*
*/
if (!data->vps) {
data->state = STATE_HEADER;
- if (!data->fp || feof(data->fp)) goto cleanup;
+ if (!data->fp || feof(data->fp)) goto cleanup;
return 0;
}
}
/* Packet from client, and we have DHCP-Relay-To-IP-Address */
- if (pairfind(request->config_items, 270, DHCP_MAGIC_VENDOR, TAG_ANY)) {
+ if (pairfind(request->config_items, 270, DHCP_MAGIC_VENDOR, TAG_ANY)) {
return dhcprelay_process_client_request(request);
}
}
/*
- * ( EXPR )
+ * ( EXPR )
*/
if (!found_condition && (*p == '(')) {
const char *end = p + 1;
return RLM_MODULE_INVALID;
}
- /*
+ /*
* Qualifiers not valid for this request
*/
if (radius_request(&update_request, request_name) < 0) {
RDEBUGW("List name refers to outer request"
" but not in a tunnel.");
- return RLM_MODULE_NOOP;
+ return RLM_MODULE_NOOP;
}
list = fr_str2int(pair_lists, name, PAIR_LIST_UNKNOWN);
-
- /*
+
+ /*
* Bad list name name
*/
if (list == PAIR_LIST_UNKNOWN) {
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/*
* $Id$
*
* to close your program (_P_OVERLAY), to wait
* until the new process is finished (_P_WAIT) or
* for the two to run concurrently (_P_NOWAIT).
-
+
* _spawn and _exec are useful for instances in
* which you have simple requirements for running
* the program, don't want the overhead of the
*/
if (nonblock) {
status = read(fd, answer + done, left);
- } else
+ } else
#endif
/*
* There's at least 1 byte ready: read it.
(char *)&on, sizeof(on)) < 0) {
radlog(L_ERR, "Failed setting socket to IPv6 "
"only: %s", strerror(errno));
-
+
close(this->fd);
- return -1;
+ return -1;
}
}
#endif /* IPV6_V6ONLY */
&flag, sizeof(flag)) < 0) {
radlog(L_ERR, "Failed disabling PMTU discovery: %s",
strerror(errno));
-
+
close(this->fd);
- return -1;
+ return -1;
}
#endif
if (setsockopt(this->fd, IPPROTO_IP, IP_DONTFRAG,
&flag, sizeof(flag)) < 0) {
radlog(L_ERR, "Failed setting don't fragment flag: %s",
- strerror(errno));
-
+ strerror(errno));
+
close(this->fd);
- return -1;
+ return -1;
}
#endif
}
if (colourise && (len < sizeof(buffer))) {
len += strlcpy(buffer + len, VTC_RESET, sizeof(buffer) - len);
- }
+ }
if (len < (sizeof(buffer) - 2)) {
buffer[len] = '\n';
p[1] = '\0';
}
- len += strlcpy(buffer + len,
+ len += strlcpy(buffer + len,
fr_int2str(levels, lvl, ": "),
sizeof(buffer) - len);
-
+
if (len >= sizeof(buffer)) goto finish;
}
if (request && request->module[0]) {
len = snprintf(buffer + len, sizeof(buffer) - len, "%s : ",
request->module);
-
+
if (len >= sizeof(buffer)) goto finish;
}
fr_set_dumpable();
}
#endif /* HAVE_SETUID */
-
+
#ifdef HAVE_SETUID
/*
}
if (chown(mainconfig.log_file, server_uid, server_gid) < 0) {
- fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
+ fprintf(stderr, "%s: Cannot change ownership of log file %s: %s\n",
progname, mainconfig.log_file, strerror(errno));
return 0;
}
request->packet->vps,
NULL, 1);
}
-
+
goto skip; /* don't change anything on the stack */
}
vp_name = name2;
if (strncmp(vp_name, "outer.", 6) == 0) {
vp_name += 6;
- }
+ }
for (i = 0; attrlist_names[i] != NULL; i++) {
if (strcmp(vp_name, attrlist_names[i]) == 0) {
if (!this) do {
int i;
char *p;
-
+
/*
* Maybe it's module.method
*/
if ((request->reply->code == PW_AUTHENTICATION_REJECT) &&
(request->root->reject_delay)) {
- when = request->reply->timestamp;
+ when = request->reply->timestamp;
when.tv_sec += request->root->reject_delay;
/*
*/
if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
/*
- * Override the response code if a
+ * Override the response code if a
* control:Response-Packet-Type attribute is present.
*/
vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY);
vp = radius_pairmake(request, &request->config_items,
"Post-Auth-Type", "Challenge",
T_OP_SET);
-
+
if (vp) rad_postauth(request);
break;
default:
case PW_ACCOUNTING_REQUEST:
FR_STATS_INC(acct, total_dup_requests);
break;
-#endif
+#endif
#ifdef WITH_COA
case PW_COA_REQUEST:
FR_STATS_INC(coa, total_dup_requests);
case FR_ACTION_TIMER:
request_coa_timer(request);
break;
-
+
case FR_ACTION_PROXY_REPLY:
request_common(request, action);
break;
this, &when, &sock->ev)) {
rad_panic("Failed to insert event");
}
-
+
return 1;
}
exit(1);
}
fr_log_fp = fdopen(mainconfig.radlog_fd, "a");
- break;
+ break;
case 'i':
if (ip_hton(optarg, AF_UNSPEC, &mainconfig.myip) < 0) {
}
/*
- * Now we have logging check that the OpenSSL
+ * Now we have logging check that the OpenSSL
*/
/*
fflush(stdout);
}
- fr_hmac_md5((const uint8_t *) secret, strlen(secret),
+ fr_hmac_md5((const uint8_t *) secret, strlen(secret),
challenge, sizeof(challenge), challenge);
write(sockfd, challenge, sizeof(challenge));
*/
p = strstr(buffer, "radmin> ");
if (p &&
- ((p == buffer) ||
+ ((p == buffer) ||
(p[-1] == '\n') ||
(p[-1] == '\r'))) {
*p = '\0';
for (i = 0; i < size - 1; i++) {
for (j = 0; j < size - 1 - i; j++) {
if (array[j + 1]->da->attr < array[j]->da->attr) {
- tmp = array[j];
+ tmp = array[j];
array[j] = array[j + 1];
array[j + 1] = tmp;
}
INFO(log_dst, "\t+%u.%03u", (unsigned int) elapsed.tv_sec,
(unsigned int) elapsed.tv_usec / 1000);
-
+
if (fr_debug_flag > 1) {
DEBUG(log_dst, "\n");
if (packet->vps) {
offsetof(realm_config_t, fallback),
NULL, "no" },
- { "dead_time", PW_TYPE_INTEGER,
+ { "dead_time", PW_TYPE_INTEGER,
offsetof(realm_config_t, dead_time),
NULL, Stringify(DEAD_TIME) },
}
if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
-
+
cf_log_err(cf_sectiontoitem(cs),
"No such server %s", home->server);
goto error;
ipaddr.af = AF_INET;
ipaddr.ipaddr.ip4addr.s_addr = server_ip->vp_ipaddr;
cl = listener_find_client_list(&ipaddr, server_port->vp_integer);
-
+
/*
* Not found: don't do anything
*/
* Throw away accounting requests if we're too busy.
*/
if ((request->packet->code == PW_ACCOUNTING_REQUEST) &&
- (fr_fifo_num_elements(thread_pool.fifo[RAD_LISTEN_ACCT]) > 0) &&
+ (fr_fifo_num_elements(thread_pool.fifo[RAD_LISTEN_ACCT]) > 0) &&
(thread_pool.num_queued > (thread_pool.max_queue_size / 2)) &&
(thread_pool.pps_in.pps_now > thread_pool.pps_out.pps_now)) {
last_complained = now;
complain = TRUE;
}
-
+
pthread_mutex_unlock(&thread_pool.queue_mutex);
/*
}
}
- snprintf(tls_session->info.info_description,
+ snprintf(tls_session->info.info_description,
sizeof(tls_session->info.info_description),
"%s %s%s [length %04lx]%s%s\n",
str_write_p, str_version, str_content_type,
BIO_set_conn_port(cbio, port);
#if OPENSSL_VERSION_NUMBER < 0x1000003f
BIO_do_connect(cbio);
-
+
/* Send OCSP request and wait for response */
resp = OCSP_sendreq_bio(cbio, path, req);
if (!resp) {
* have a user identity. i.e. we don't create the
* attributes for RadSec connections.
*/
- if (identity &&
+ if (identity &&
(lookup <= 1) && sn && ((size_t) sn->length < (sizeof(buf) / 2))) {
char *p = buf;
int i;
#ifndef OPENSSL_NO_ECDH
static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve)
{
- int nid;
- EC_KEY *ecdh;
+ int nid;
+ EC_KEY *ecdh;
if (!ecdh_curve || !*ecdh_curve) return 0;
- nid = OBJ_sn2nid(ecdh_curve);
- if (!nid) {
+ nid = OBJ_sn2nid(ecdh_curve);
+ if (!nid) {
radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve);
return -1;
}
- ecdh = EC_KEY_new_by_curve_name(nid);
- if (!ecdh) {
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (!ecdh) {
radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve);
return -1;
- }
+ }
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
EC_KEY_free(ecdh);
/*
* We don't want to put the private key password in eap.conf, so check
* for our special string which indicates we should get the password
- * programmatically.
+ * programmatically.
*/
const char* special_string = "Apple:UseCertAdmin";
if (strncmp(conf->private_key_password,
if (strlen(conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
radlog(L_ERR, "psk_hexphrase is too long (max %d)",
PSK_MAX_PSK_LEN);
- return NULL;
+ return NULL;
}
hex_len = fr_hex2bin(conf->psk_password,
(uint8_t *) buffer, psk_len);
if (psk_len != (2 * hex_len)) {
radlog(L_ERR, "psk_hexphrase is not all hex");
- return NULL;
+ return NULL;
}
goto post_ca;
/*
* Callbacks, etc. for session resumption.
- */
+ */
if (conf->session_cache_enable) {
SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
/*
* If we're in a resumed session and it's
- * not allowed,
+ * not allowed,
*/
if (SSL_session_reused(ssn->ssl)) {
RDEBUG("FAIL: Forcibly stopping session resumption as it is not allowed.");
fr_bin2hex(ssn->ssl->session->session_id, buffer, size);
-
+
vps = SSL_SESSION_get_ex_data(ssn->ssl->session,
FR_TLS_EX_INDEX_VPS);
if (!vps) {
fr_tls_status_t tls_application_data(tls_session_t *ssn,
REQUEST *request)
-
+
{
int err;
(ssn->dirty_out.used == 0)) {
RDEBUG2("ACK handshake is finished");
- /*
+ /*
* From now on all the content is
* application data set it here as nobody else
* sets it.
fake->packet->id = fake->number & 0xff;
fake->packet->code = request->packet->code;
fake->timestamp = request->timestamp;
-
+
/*
* Required for new identity support
*/
* @param check
* @param check_pairs
* @param reply_pairs value pairs in the reply
- * @return
+ * @return
*/
int radius_callback_compare(REQUEST *req, VALUE_PAIR *request,
VALUE_PAIR *check, VALUE_PAIR *check_pairs,
* @param instance argument to comparison function
* @return 0
*/
-int paircompare_register(unsigned int attribute, int other_attr,
+int paircompare_register(unsigned int attribute, int other_attr,
RAD_COMPARE_FUNC func, void *instance)
{
struct cmp *c;
try_again:
if (other >= 0) {
while (auth_item != NULL) {
- if ((auth_item->da->attr ==
+ if ((auth_item->da->attr ==
(unsigned int) other) ||
(other == 0)) {
break;
}
/** Print a list of valuepairs to the request list.
- *
+ *
* @param[in] level Debug level (1-4).
* @param[in] request to read logging params from.
* @param[in] vp to print.
}
/** Resolve attribute pair_lists_t value to an attribute list.
- *
+ *
* The value returned is a pointer to the pointer of the HEAD of the list
* in the REQUEST. If the head of the list changes, the pointer will still
* be valid.
* an pair_lists_t value for that list. This value may be passed to
* radius_list, along with the current request, to get a pointer to the
* actual list in the request.
- *
+ *
* If qualifiers were consumed, write a new pointer into name to the
* char after the last qualifier to be consumed.
*
/*
* We couldn't determine the list if:
*
- * A colon delimiter was found, but the next char was a
+ * A colon delimiter was found, but the next char was a
* number, indicating a tag, not a list qualifier.
*
- * No colon was found and the first char was upper case
+ * No colon was found and the first char was upper case
* indicating an attribute.
*
*/
}
/** Resolve request to a request.
- *
+ *
* Resolve name to a current request.
*
* @see radius_list
}
/** Resolve attribute name to a request.
- *
+ *
* Check the name string for qualifiers that reference a parent request and
* write the pointer to this request to 'request'.
*
/** Parse qualifiers to convert attrname into a value_pair_tmpl_t.
*
- * VPTs are used in various places where we need to pre-parse configuration
+ * VPTs are used in various places where we need to pre-parse configuration
* sections into attribute mappings.
*
* Note: name field is just a copy of the input pointer, if you know that
* string might be freed before you're done with the vpt use radius_attr2tmpl
* instead.
- *
+ *
* @param[in] name attribute name including qualifiers.
* @param[out] vpt to modify.
- * @param[in] request_def The default request to insert unqualified
+ * @param[in] request_def The default request to insert unqualified
* attributes into.
* @param[in] list_def The default list to insert unqualified attributes into.
* @return -1 on error or 0 on success.
/** Parse qualifiers to convert attrname into a value_pair_tmpl_t.
*
- * VPTs are used in various places where we need to pre-parse configuration
+ * VPTs are used in various places where we need to pre-parse configuration
* sections into attribute mappings.
*
* @param[in] name attribute name including qualifiers.
- * @param[in] request_def The default request to insert unqualified
+ * @param[in] request_def The default request to insert unqualified
* attributes into.
* @param[in] list_def The default list to insert unqualified attributes into.
- * @return pointer to a value_pair_tmpl_t struct (must be freed with
+ * @return pointer to a value_pair_tmpl_t struct (must be freed with
* radius_tmplfree) or NULL on error.
*/
value_pair_tmpl_t *radius_attr2tmpl(const char *name,
/** Convert CONFIG_PAIR (which may contain refs) to value_pair_map_t.
*
* Treats the left operand as an attribute reference
- * @verbatim<request>.<list>.<attribute>@endverbatim
+ * @verbatim<request>.<list>.<attribute>@endverbatim
*
* Treatment of left operand depends on quotation, barewords are treated as
* attribute references, double quoted values are treated as expandable strings,
const char *attr;
const char *value;
FR_TOKEN type;
- CONF_ITEM *ci = cf_pairtoitem(cp);
+ CONF_ITEM *ci = cf_pairtoitem(cp);
if (!cp) return NULL;
/*
* Lots of sanity checks for insane people...
*/
-
+
/*
* We don't support implicit type conversion
*/
goto error;
}
- switch (map->src->type)
+ switch (map->src->type)
{
/*
*
* @param[in] parent to convert to map.
* @param[out] head Where to store the head of the map.
- * @param[in] dst_list_def The default destination list, usually dictated by
+ * @param[in] dst_list_def The default destination list, usually dictated by
* the section the module is being called in.
* @param[in] src_list_def The default source list, usually dictated by the
* section the module is being called in.
RDEBUGW("Mapping \"%s\" -> \"%s\" "
"invalid in this context, skipping!",
map->src->name, map->dst->name);
-
+
return -1;
}
vp_prints_value(buffer, sizeof(buffer), vp, 1);
RDEBUG("\t%s %s %s (%s)", map->dst->name,
- fr_int2str(fr_tokens, vp->op, "¿unknown?"),
+ fr_int2str(fr_tokens, vp->op, "¿unknown?"),
buffer, src ? src : map->src->name);
}
}
*
* @param request current request.
* @param name attribute name including qualifiers.
- * @param vp_p where to write the pointer to the resolved VP.
+ * @param vp_p where to write the pointer to the resolved VP.
* Will be NULL if the attribute couldn't be resolved.
* @return -1 if either the attribute or qualifier were invalid, else 0
*/
}
vps = radius_list(request, vpt.list);
- if (!vps) {
+ if (!vps) {
return 0;
}
*/
const char *ssl_version(void)
{
- return SSLeay_version(SSLEAY_VERSION);
+ return SSLeay_version(SSLEAY_VERSION);
}
#else
int ssl_check_Version(void) {
case PW_TYPE_STRING:
if (vp->length > 8) {
break;
- }
+ }
memcpy(&integer, &(vp->vp_octets), vp->length);
{
int level = 0;
- /*
+ /*
* Expand to previous (or current) level
*/
snprintf(out, outlen, "%d", request->options & RAD_REQUEST_OPTION_DEBUG4);
- /*
+ /*
* Assume we just want to get the current value and NOT set it to 0
*/
if (!*fmt)
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
-
-/**
+
+/**
* $Id$
* @file rlm_always.c
* @brief Return preconfigured fixed rcodes.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_attr_filter.c
* @brief Filter the contents of a list, allowing only certain attributes.
- *
+ *
* @copyright (C) 2001,2006 The FreeRADIUS server project
* @copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
*/
}
}
- /*
+ /*
* Only move attribute if it passed all rules,
* or if the config says we should copy unmatched
* attributes ('relaxed' mode).
if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
request->username = pairfind(request->packet->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY);
- if (!request->username)
+ if (!request->username)
request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_attr_rewrite.c
* @brief Rewrite attribute values.
- *
+ *
* @copyright 2001,2006 The FreeRADIUS server project
* @copyright 2002 Kostas Kalevras <kkalev@noc.ntua.gr>
*/
const DICT_ATTR *da; //!< The attribute definition.
char *search; //!< The pattern to search for.
int search_len; //!< The length of the search pattern.
- char *searchin_str; //!< The VALUE_PAIR list to search in.
- //!< Can be either packet, reply, proxy,
- //!< proxy_reply or control (plus it's alias
+ char *searchin_str; //!< The VALUE_PAIR list to search in.
+ //!< Can be either packet, reply, proxy,
+ //!< proxy_reply or control (plus it's alias
//!< 'config').
- char searchin; //!< The same as above just coded as a number
+ char searchin; //!< The same as above just coded as a number
//!< for speed.
char *replace; //!< The replacement.
int replace_len; //!< The length of the replacement string.
int append; //!< Switch to control append mode (1,0).
int nocase; //!< Ignore case.
- int new_attr; //!< Boolean. Whether we need to create a new
+ int new_attr; //!< Boolean. Whether we need to create a new
//!< attr.
int num_matches; //!< Maximum number of matches.
const char *name; //!< The module name.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_cache.c
* @brief Cache values and merge them back into future requests.
- *
+ *
* @copyright 2012-2013 The FreeRADIUS server project
*/
#include <freeradius-devel/ident.h>
rbtree_t *cache;
fr_heap_t *heap;
- value_pair_map_t *maps; //!< Attribute map applied to users
+ value_pair_map_t *maps; //!< Attribute map applied to users
//!< and profiles.
#ifdef HAVE_PTHREAD_H
pthread_mutex_t cache_mutex;
for (map = inst->maps; map != NULL; map = map->next) {
rad_assert(map->dst && map->src);
- /*
+ /*
* Specifying inner/outer request doesn't work here
* but there's no easy fix...
*/
break;
default:
- rad_assert(0);
+ rad_assert(0);
return NULL;
}
* - Map src and dst attributes differ
*/
to_req = NULL;
- if (merge && ( !map->src->da ||
+ if (merge && ( !map->src->da ||
(map->src->list != map->dst->list) ||
(map->src->da != map->dst->da))) {
context = request;
/*
* It's ok if the list isn't valid here...
- * It might be valid later when we merge
+ * It might be valid later when we merge
* the cache entry.
*/
if (radius_request(&context, map->dst->request) == 0) {
* We infer that src was an attribute ref from the fact
* it contains a da.
*/
- RDEBUG4(":: dst is \"%s\" src is \"%s\"",
+ RDEBUG4(":: dst is \"%s\" src is \"%s\"",
fr_int2str(vpt_types, map->dst->type, "¿unknown?"),
fr_int2str(vpt_types, map->src->type, "¿unknown?"));
RDEBUG("\t%s %s '%s'", map->dst->name,
fr_int2str(fr_tokens, map->op, "¿unknown?"),
map->src->name);
-
+
vp = pairalloc(NULL, map->dst->da);
if (!vp) continue;
if (radius_attrmap(inst->cs, head, PAIR_LIST_REQUEST,
PAIR_LIST_REQUEST, MAX_ATTRMAP) < 0) {
- return -1;
+ return -1;
}
if (!*head) {
(map->dst->type != VPT_TYPE_LIST)) {
cf_log_err(map->ci, "Left operand must be an attribute "
"ref or a list");
-
+
return -1;
}
- switch (map->src->type)
+ switch (map->src->type)
{
/*
* Only =, :=, += and -= operators are supported for
offsetof(rlm_cache_t, epoch), NULL, "0" },
{ "add_stats", PW_TYPE_BOOLEAN,
offsetof(rlm_cache_t, stats), NULL, "no" },
-
+
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_chap.c
* @brief Process chap authentication requests.
- *
+ *
* @copyright 2001,2006 The FreeRADIUS server project
* @copyright 2001 Kostas Kalevras <kkalev@noc.ntua.gr>
*/
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_checkval.c
* @brief Enables simple value checking.
- *
+ *
* @copyright 2003,2006 The FreeRADIUS server project
* @copyright 2003 Kostas Kalevras <kkalev@noc.ntua.gr>
*/
* be used as the instance handle.
*/
typedef struct rlm_checkval_t {
- char *item_name; //!< The attribute inside
+ char *item_name; //!< The attribute inside
//!< Access-Request i.e.
//!< Calling-Station-Id.
- char *check_name; //!< The attribute to check it with ie
+ char *check_name; //!< The attribute to check it with ie
//!< Allowed-Calling-Station-Id.
- char *data_type; //!< String, integer, ipaddr, date,
+ char *data_type; //!< String, integer, ipaddr, date,
//!< abinary,octets.
PW_TYPE type; //!< Resolved data type.
const DICT_ATTR *item;
const DICT_ATTR *check;
- int notfound_reject; //!< If we don't find the
- //!< item_name in the request
+ int notfound_reject; //!< If we don't find the
+ //!< item_name in the request
//!< send back a reject.
} rlm_checkval_t;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_counter.c
* @brief Provides a packet counter to track data usage and other values.
- *
+ *
* @copyright 2001,2006 The FreeRADIUS server project
* @copyright 2001 Alan DeKok <aland@ox.org>
* @copyright 2001-2003 Kostas Kalevras <kkalev@noc.ntua.gr>
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_cram.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_detail.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_dhcp.c
if ((radius_get_vp(request, fmt, &vp) < 0) || !vp) {
*out = '\0';
-
+
return 0;
}
fail:
snprintf(out, freespace, "%i", decoded);
-
+
return strlen(out);
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_digest.c
/*
* Double-check and fix the attributes.
- */
+ */
rcode = digest_fix(request);
if (rcode != RLM_MODULE_OK) return rcode;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_dynamic_clients.c
((inst->type->attach)(inst->cs, &(inst->instance)) < 0)) {
radlog(L_ERR, "rlm_eap: Failed to initialise %s",
mod_name);
-
+
talloc_steal(inst, inst->instance);
return -1;
*
*/
static eap_type_t eap_process_nak(rlm_eap_t *inst, REQUEST *request,
- eap_type_t type,
+ eap_type_t type,
eap_type_data_t *nak)
{
unsigned int i;
if (nak->data[i] == 0) {
RDEBUG("Peer NAK'd indicating it is not willing to "
"continue ");
-
+
return PW_EAP_INVALID;
}
nak->data[i],
eap_type2name(nak->data[i]),
nak->data[i]);
-
+
continue;
}
/** Select the correct callback based on a response
*
- * Based on the EAP response from the supplicant, call the appropriate
+ * Based on the EAP response from the supplicant, call the appropriate
* method callback.
*
* Default to the configured EAP-Type for all Unsupported EAP-Types.
"type %s (%d)",
eap_type2name(type->num),
type->num);
-
+
return EAP_INVALID;
}
(eap_packet->data[0] <= 0) ||
(eap_packet->data[0] >= PW_EAP_MAX_TYPES)) {
- radlog_request(L_AUTH, 0, request,
+ radlog_request(L_AUTH, 0, request,
"Badly formatted EAP Message: Ignoring the packet");
return EAP_INVALID;
}
return FR_TLS_HANDLED;
}
- /*
+ /*
* If there is no data to send i.e
* dirty_out.used <=0 and if the SSL
* handshake is finished, then return a
* Init is finished. The rest is
* application data.
*/
- tls_session->info.content_type = application_data;
+ tls_session->info.content_type = application_data;
return FR_TLS_SUCCESS;
}
handler->opaque = NULL;
}
else if ((handler->opaque) && (handler->free_opaque == NULL))
- radlog(L_ERR, "rlm_eap (%s): Possible memory leak ...",
+ radlog(L_ERR, "rlm_eap (%s): Possible memory leak ...",
inst->xlat_name);
handler->opaque = NULL;
"sessions. Try increasing "
"\"max_sessions\" in the EAP module "
"configuration", inst->xlat_name);
- }
+ }
} else {
radlog(L_ERR, "rlm_eap (%s): Internal error: "
"failed to store handler", inst->xlat_name);
state->vp_octets[2], state->vp_octets[3],
state->vp_octets[4], state->vp_octets[5],
state->vp_octets[6], state->vp_octets[7]);
-
+
pairadd(&(request->reply->vps), state);
return 1;
state->vp_octets[2], state->vp_octets[3],
state->vp_octets[4], state->vp_octets[5],
state->vp_octets[6], state->vp_octets[7]);
-
+
eap_handler_free(inst, handler);
return NULL;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_eap.c
method = eap_name2type(name);
if (method == PW_EAP_INVALID) {
radlog(L_ERR, "rlm_eap: Unknown EAP method %s",
- name);
+ name);
eap_detach(inst);
return -1;
eap_detach(inst);
return -1;
- }
+ }
#ifndef HAVE_OPENSSL_SSL_H
/*
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
- * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
- * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
- * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
+ * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
+ * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
+ * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
+ * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
* Copyright 1999-2007 The FreeRADIUS server project
- *
+ *
*/
#include <freeradius-devel/radiusd.h>
{"encryption", IKEv2_TRT_ENCRYPTION_ALGORITHM, OPT_ENCRYPTION},
{"dhgroup", IKEv2_TRT_DIFFIE_HELLMAN_GROUP, OPT_DHGROUP },
{NULL,0,0} /* end of list */
-
+
};
* Load all proposals from 'propsals' subsection
*/
-int rad_load_proposals(ikev2_ctx *i2,CONF_SECTION *cf)
+int rad_load_proposals(ikev2_ctx *i2,CONF_SECTION *cf)
{
rad_assert(i2!=NULL && cf!=NULL);
-
+
CONF_SECTION *cf_prop=NULL;
cf=cf_subsection_find_next(cf,NULL,"proposals");
if(!cf) {
}
-void rad_update_shared_seclist(struct sharedSecList **list,char *id,VALUE_PAIR *items,int default_client_authtype)
+void rad_update_shared_seclist(struct sharedSecList **list,char *id,VALUE_PAIR *items,int default_client_authtype)
{
rad_assert(list && id);
radlog(L_ERR,IKEv2_LOG_PREFIX "Unsupported 'EAP-IKEv2-AuthType' value (%s),using 'both'",vp->vp_strvalue);
authtype=IKEv2_AUTH_BOTH;
}
-
+
}
AddSharedSec(list,id_type,id,secret,authtype);
} else {
radlog(L_ERR,IKEv2_LOG_PREFIX "Unsupported 'default_auth_type' value (%s), using both",authtype_name);
authtype=IKEv2_AUTH_BOTH;
}
-
+
PAIR_LIST *users=NULL;
if(getusersfile(filename,&users,"no")!=0) {
radlog(L_ERR,IKEv2_LOG_PREFIX "Error while loading %s userfile",filename);
return IKEv2_AUTH_SK;
}
-int file_exists(char *filename)
+int file_exists(char *filename)
{
int result=0;
FILE *fp=fopen(filename,"r");
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
- * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
- * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
- * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
- *
+ * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
+ * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
+ * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
+ * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
+ *
*/
#ifndef IKE_CONF_H
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
- * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
- * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
- * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
- *
+ * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
+ * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
+ * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
+ * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
+ *
*/
#include <freeradius-devel/radiusd.h>
{
int level;
switch(iklevel) {
- case I2L_DBG:
+ case I2L_DBG:
level=L_DBG;
break;
- case I2L_INFO:
+ case I2L_INFO:
level=L_INFO;
break;
- case I2L_ERR:
+ case I2L_ERR:
level=L_ERR;
break;
default:
- level=L_DBG;
+ level=L_DBG;
}
vradlog(level, fmt, ap);
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
- * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
- * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
- * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
- *
+ * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
+ * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
+ * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
+ * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
+ *
*/
#ifndef LOGGING_IMPL_H
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
- * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
- * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
- * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
- * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
+ * Copyright (C) 2005-2006 Krzysztof Rzecki <krzysztof.rzecki@ccns.pl>
+ * Copyright (C) 2005-2006 Rafal Mijal <rafal.mijal@ccns.pl>
+ * Copyright (C) 2005-2006 Piotr Marnik <piotr.marnik@ccns.pl>
+ * Copyright (C) 2005-2006 Pawel Matejski <pawel.matejski@ccns.pl>
* Copyright 1999-2007 The FreeRADIUS server project
- *
+ *
*/
#include <freeradius-devel/radiusd.h>
if(eap_ds->request->code<=PW_EAP_REQUEST && olen>4) {
int lenn=(int)ntohs(((struct EAPHeader *)out)->Length);
eap_ds->request->type.data = malloc(lenn);
- if (eap_ds->request->type.data == NULL) {
+ if (eap_ds->request->type.data == NULL) {
radlog(L_ERR, IKEv2_LOG_PREFIX "out of memory");
return 1;
- }
+ }
memcpy(eap_ds->request->type.data,out+5,lenn-5);
eap_ds->request->type.length = lenn-5;
} else {
{ "DH_counter_max", PW_TYPE_INTEGER,
offsetof(ikev2_ctx,DHCounterMax),NULL,IKEv2_DEFAULT_DH_COUNTER_MAX_STR},
{ "default_authtype",PW_TYPE_STRING_PTR,
- 0,&default_authtype,"both" },
+ 0,&default_authtype,"both" },
{ "usersfile",PW_TYPE_STRING_PTR,
- 0,&usersfilename,"${confdir}/users" },
+ 0,&usersfilename,"${confdir}/users" },
{ "server_authtype",PW_TYPE_STRING_PTR,
- 0,&server_authtype,"secret" },
+ 0,&server_authtype,"secret" },
{ "idtype",PW_TYPE_STRING_PTR,
- 0,&server_idtype,IKEv2_DEFAULT_IDTYPE_STR},
+ 0,&server_idtype,IKEv2_DEFAULT_IDTYPE_STR},
{ "certreq",PW_TYPE_BOOLEAN,
offsetof(ikev2_ctx,sendCertReq),NULL,"no"},
{ "fast_DH_exchange",PW_TYPE_BOOLEAN,
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
-
+
ikev2_set_log_callback(vxlogf);
struct ikev2_ctx *i2;
radlog(L_ERR,IKEv2_LOG_PREFIX "Can not open 'private_key_file' %s",i2->pkfile);
return -1;
}
-
+
break;
}
if(!i2->trusted) {
return -1;
}
}
-
+
i2->idtype=IdTypeFromName(server_idtype);
if(i2->idtype<=0) {
radlog(L_ERR,IKEv2_LOG_PREFIX "Unsupported 'idtype': %s",server_idtype);
radlog(L_ERR,IKEv2_LOG_PREFIX "Error while loading users credentials");
return -1;
}
-
+
i2->x509_store = NULL;
if(CertInit(i2)){
radlog(L_ERR,IKEv2_LOG_PREFIX "Error while loading certs/crl");
}
return 0;
-}
+}
static int ikev2_initiate(void *instance, eap_handler_t *handler)
{
radlog( L_INFO,IKEv2_LOG_PREFIX "Initiate connection!");
-// This is the way for silent discarding behavior
+// This is the way for silent discarding behavior
// handler->request->options|=RAD_REQUEST_OPTION_FAKE_REQUEST;
// handler->request->options|=RAD_REQUEST_OPTION_DONT_CACHE;
// handler->request->reply->code=0;
// return 0;
-
+
struct ikev2_ctx *i2=(struct ikev2_ctx*)instance;
struct IKEv2Session *session;
handler->free_opaque=ikev2_free_opaque;
-
+
// try get respondent FASTID
uint8_t *eap_username=handler->request->username->vp_strvalue;
radlog(L_DBG, IKEv2_LOG_PREFIX "Fast reconnect procedure start");
}
session->timestamp=time(NULL);
-
+
struct IKEv2Data *ikev2_data=IKEv2Data_new(i2,session);
handler->opaque=ikev2_data;
radlog(L_ERR,"XXX: session list contains:%d",session_count);
}
#endif
-
+
uint8_t *sikemsg=NULL;
u_int32_t slen=0;
!eap_ds->response ||
(eap_ds->response->code != PW_IKEV2_RESPONSE) ||
eap_ds->response->type.num != PW_EAP_IKEV2 ||
- !eap_ds->response->type.data){
+ !eap_ds->response->type.data){
radlog(L_ERR, IKEv2_LOG_PREFIX "corrupted data");
return -1;
}
}
rad_assert(in!=NULL);
- struct EAPHeader *hdr = (struct EAPHeader *)in;
+ struct EAPHeader *hdr = (struct EAPHeader *)in;
hdr->Code=eap_ds->response->code;
hdr->Id=eap_ds->response->id;
if( !ikemsg || !len ) // send fragment ack
{
if(session->SK_ready) session->include_integ=1;
- olen = CreateFragmentAck( in, &out, session ); // confirm fragment
+ olen = CreateFragmentAck( in, &out, session ); // confirm fragment
free(in);
in=NULL;
if(ComposeRadMsg(out,olen,handler->eap_ds)){
}
free(in);
in=NULL;
-
+
uint8_t *sikemsg=NULL; //out message
u_int32_t slen=0;
free( ikemsg );
- if( slen != 0 ) //if there is there is something to send
+ if( slen != 0 ) //if there is there is something to send
{
olen = CreateIKEv2Message(i2, sikemsg, slen, false, 0, session, &out );
//bobo: a to co ?
olen = CreateResultMessage( true, session, &out );
session->fFastReconnect=i2->enableFastReconnect;
-
+
//bobo:session->eapKeyData jest zle zainicjalizowane tutaj !!!!!!!!!!!!!! nie jest NULL!!!!!!!!!!1!!!!!!!!!!!!!!!!!!!!!!!11
GenEapKeys(session,EAP_IKEv2_KEY_LEN);
set_mppe_keys(handler);
/*
* Copyright (c) Dan Harkins, 2012
*
- * Copyright holder grants permission for redistribution and use in source
- * and binary forms, with or without modification, provided that the
+ * Copyright holder grants permission for redistribution and use in source
+ * and binary forms, with or without modification, provided that the
* following conditions are met:
* 1. Redistribution of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer
* distribution.
*
* "DISCLAIMER OF LIABILITY
- *
+ *
* THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
#include <freeradius-devel/modules.h>
/* The random function H(x) = HMAC-SHA256(0^32, x) */
-static void
+static void
H_Init(HMAC_CTX *ctx)
{
uint8_t allzero[SHA256_DIGEST_LENGTH];
HMAC_Init(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256());
}
-static void
+static void
H_Update(HMAC_CTX *ctx, const uint8_t *data, int len)
{
HMAC_Update(ctx, data, len);
}
-static void
+static void
H_Final(HMAC_CTX *ctx, uint8_t *digest)
{
unsigned int mdlen = SHA256_DIGEST_LENGTH;
}
/* a counter-based KDF based on NIST SP800-108 */
-static void
+static void
eap_pwd_kdf(uint8_t *key, int keylen, const char *label, int labellen,
uint8_t *result, int resultbitlen)
{
compute_password_element (pwd_session_t *sess, uint16_t grp_num,
char *password, int password_len,
char *id_server, int id_server_len,
- char *id_peer, int id_peer_len,
+ char *id_peer, int id_peer_len,
uint32_t *token)
{
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
uint8_t *cruft = NULL;
int offset, req = -1;
- /*
- * Each component of the cruft will be at most as big as the prime
+ /*
+ * Each component of the cruft will be at most as big as the prime
*/
if (((cruft = malloc(BN_num_bytes(sess->prime))) == NULL) ||
((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
BN_bn2bin(sess->k, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * next is server element: x, y
+ /*
+ * next is server element: x, y
*/
if (!EC_POINT_get_affine_coordinates_GFp(sess->group,
sess->my_element, x, y,
BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * and server scalar
+ /*
+ * and server scalar
*/
memset(cruft, 0, BN_num_bytes(sess->prime));
offset = BN_num_bytes(sess->order) - BN_num_bytes(sess->my_scalar);
BN_bn2bin(sess->my_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->order));
- /*
- * next is peer element: x, y
+ /*
+ * next is peer element: x, y
*/
if (!EC_POINT_get_affine_coordinates_GFp(sess->group,
sess->peer_element, x, y,
BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * and peer scalar
+ /*
+ * and peer scalar
*/
memset(cruft, 0, BN_num_bytes(sess->prime));
offset = BN_num_bytes(sess->order) - BN_num_bytes(sess->peer_scalar);
BN_bn2bin(sess->peer_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->order));
- /*
- * finally, ciphersuite
+ /*
+ * finally, ciphersuite
*/
H_Update(&ctx, (uint8_t *)&sess->ciphersuite, sizeof(sess->ciphersuite));
uint8_t *cruft = NULL;
int offset, req = -1;
- /*
- * Each component of the cruft will be at most as big as the prime
+ /*
+ * Each component of the cruft will be at most as big as the prime
*/
if (((cruft = malloc(BN_num_bytes(sess->prime))) == NULL) ||
((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
BN_bn2bin(sess->k, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * then peer element: x, y
+ /*
+ * then peer element: x, y
*/
if (!EC_POINT_get_affine_coordinates_GFp(sess->group,
sess->peer_element, x, y,
BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * and peer scalar
+ /*
+ * and peer scalar
*/
memset(cruft, 0, BN_num_bytes(sess->prime));
offset = BN_num_bytes(sess->order) - BN_num_bytes(sess->peer_scalar);
BN_bn2bin(sess->peer_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->order));
- /*
- * then server element: x, y
+ /*
+ * then server element: x, y
*/
if (!EC_POINT_get_affine_coordinates_GFp(sess->group,
sess->my_element, x, y,
BN_bn2bin(y, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->prime));
- /*
- * and server scalar
+ /*
+ * and server scalar
*/
memset(cruft, 0, BN_num_bytes(sess->prime));
offset = BN_num_bytes(sess->order) - BN_num_bytes(sess->my_scalar);
BN_bn2bin(sess->my_scalar, cruft + offset);
H_Update(&ctx, cruft, BN_num_bytes(sess->order));
- /*
- * finally, ciphersuite
+ /*
+ * finally, ciphersuite
*/
H_Update(&ctx, (uint8_t *)&sess->ciphersuite, sizeof(sess->ciphersuite));
}
int
-compute_keys (pwd_session_t *sess, uint8_t *peer_confirm,
+compute_keys (pwd_session_t *sess, uint8_t *peer_confirm,
uint8_t *msk, uint8_t *emsk)
{
HMAC_CTX ctx;
/*
* Copyright (c) Dan Harkins, 2012
*
- * Copyright holder grants permission for redistribution and use in source
- * and binary forms, with or without modification, provided that the
+ * Copyright holder grants permission for redistribution and use in source
+ * and binary forms, with or without modification, provided that the
* following conditions are met:
* 1. Redistribution of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer
* distribution.
*
* "DISCLAIMER OF LIABILITY
- *
+ *
* THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
int compute_password_element(pwd_session_t *sess, uint16_t grp_num,
char *password, int password_len,
char *id_server, int id_server_len,
- char *id_peer, int id_peer_len,
+ char *id_peer, int id_peer_len,
uint32_t *token);
int compute_scalar_element(pwd_session_t *sess, BN_CTX *bnctx);
int process_peer_commit (pwd_session_t *sess, uint8_t *commit, BN_CTX *bnctx);
/*
* Copyright (c) Dan Harkins, 2012
*
- * Copyright holder grants permission for redistribution and use in source
- * and binary forms, with or without modification, provided that the
+ * Copyright holder grants permission for redistribution and use in source
+ * and binary forms, with or without modification, provided that the
* following conditions are met:
* 1. Redistribution of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer
* distribution.
*
* "DISCLAIMER OF LIABILITY
- *
+ *
* THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
}
} else {
/*
- * either it's not a fragment or it's the last fragment.
+ * either it's not a fragment or it's the last fragment.
* The out buffer isn't needed anymore though so get rid of it.
*/
- memcpy(hdr->data, sess->out_buf + sess->out_buf_pos,
+ memcpy(hdr->data, sess->out_buf + sess->out_buf_pos,
(sess->out_buf_len - sess->out_buf_pos));
free(sess->out_buf);
sess->out_buf = NULL;
eap_pwd_t *inst = (eap_pwd_t *)instance;
VALUE_PAIR *vp;
pwd_id_packet *pack;
-
+
if (!inst || !handler) {
radlog(L_ERR, "rlm_eap_pwd: initiate, NULL data provided");
return -1;
uint8_t peer_confirm[SHA256_DIGEST_LENGTH];
BIGNUM *x = NULL, *y = NULL;
- if ((handler == NULL) ||
+ if ((handler == NULL) ||
((eap_ds = handler->eap_ds) == NULL) ||
(inst == NULL)) {
return 0;
*ptr = EAP_PWD_DEF_RAND_FUN;
ptr += sizeof(uint8_t);
*ptr = EAP_PWD_DEF_PRF;
-
+
pwd_session->peer_id_len = len - sizeof(pwd_id_packet);
if (pwd_session->peer_id_len >= sizeof(pwd_session->peer_id)) {
RDEBUG2("pwd id response is malformed");
request_free(&fake);
return 0;
}
- memcpy(fake->username->vp_strvalue, pwd_session->peer_id,
+ memcpy(fake->username->vp_strvalue, pwd_session->peer_id,
pwd_session->peer_id_len);
fake->username->length = pwd_session->peer_id_len;
fake->username->vp_strvalue[fake->username->length] = 0;
if ((vp = pairfind(request->config_items, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
fake->server = vp->vp_strvalue;
-
+
} else if (inst->conf->virtual_server) {
fake->server = inst->conf->virtual_server;
-
+
} /* else fake->server == request->server */
-
+
if ((debug_flag > 0) && fr_log_fp) {
RDEBUG("Sending tunneled request");
-
+
debug_pair_list(fake->packet->vps);
-
+
fprintf(fr_log_fp, "server %s {\n",
(fake->server == NULL) ? "" : fake->server);
}
-
+
/*
* Call authorization recursively, which will
* get the password.
*/
module_authorize(0, fake);
-
+
/*
* Note that we don't do *anything* with the reply
* attributes.
if ((debug_flag > 0) && fr_log_fp) {
fprintf(fr_log_fp, "} # server %s\n",
(fake->server == NULL) ? "" : fake->server);
-
+
RDEBUG("Got tunneled reply code %d", fake->reply->code);
-
+
debug_pair_list(fake->reply->vps);
}
/*
* construct request
*/
- pwd_session->out_buf_len = BN_num_bytes(pwd_session->order) +
+ pwd_session->out_buf_len = BN_num_bytes(pwd_session->order) +
(2 * BN_num_bytes(pwd_session->prime));
if ((pwd_session->out_buf = malloc(pwd_session->out_buf_len)) == NULL) {
radlog(L_ERR, "rlm_eap_pwd: out of memory to send commit");
ptr += BN_num_bytes(pwd_session->prime);
offset = BN_num_bytes(pwd_session->prime) - BN_num_bytes(y);
BN_bn2bin(y, ptr + offset);
-
+
ptr += BN_num_bytes(pwd_session->prime);
offset = BN_num_bytes(pwd_session->order) - BN_num_bytes(pwd_session->my_scalar);
BN_bn2bin(pwd_session->my_scalar, ptr + offset);
/*
* Copyright (c) Dan Harkins, 2012
*
- * Copyright holder grants permission for redistribution and use in source
- * and binary forms, with or without modification, provided that the
+ * Copyright holder grants permission for redistribution and use in source
+ * and binary forms, with or without modification, provided that the
* following conditions are met:
* 1. Redistribution of source code must retain the above copyright
* notice, this list of conditions, and the following disclaimer
* distribution.
*
* "DISCLAIMER OF LIABILITY
- *
+ *
* THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
-
+
/**
* $Id$
* @file rlm_eap_tnc.c
static CONF_PARSER module_config[] = {
{ "connection_string", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_tnc_t, connection_string), NULL,
+ offsetof(rlm_eap_tnc_t, connection_string), NULL,
"NAS Port: %{NAS-Port} NAS IP: %{NAS-IP-Address} NAS_PORT_TYPE: %{NAS-Port-Type}"},
{ NULL, -1, 0, NULL, NULL } /* end the list */
if (result != TNC_RESULT_SUCCESS) {
radlog(L_ERR, "rlm_eap_tnc: NAA-EAP initializeDefault returned an "
"error code");
-
+
return -1;
}
TNC_Result result;
TNC_ConnectionID conn_id;
- TNC_BufferReference eap_tnc_request;
+ TNC_BufferReference eap_tnc_request;
TNC_BufferReference eap_tnc_user;
VALUE_PAIR *username;
/*
* Previous code manually parsed the EAP identity response
- * this was wrong. rlm_eap will *always* create the Username
+ * this was wrong. rlm_eap will *always* create the Username
* from the EAP Identity response.
*
* Something has gone very wrong if the User-Name doesn't exist.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_eap2.c
/*
* For EAP-FAST
*/
- char *pac_opaque_encr_key;
- char *eap_fast_a_id;
- char *eap_fast_a_id_info;
- int eap_fast_prov;
- int pac_key_lifetime;
- int pac_key_refresh_time;
- int backend_auth;
+ char *pac_opaque_encr_key;
+ char *eap_fast_a_id;
+ char *eap_fast_a_id_info;
+ int eap_fast_prov;
+ int pac_key_lifetime;
+ int pac_key_refresh_time;
+ int backend_auth;
int num_types;
EapType methods[EAP_MAX_METHODS];
offsetof(rlm_eap_t, tparams.private_key_passwd),
NULL, "whatever" },
- { "dh_file", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_t, tparams.dh_file), NULL, "whatever" },
+ { "dh_file", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_t, tparams.dh_file), NULL, "whatever" },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
-static CONF_PARSER fast_config[] = {
- { "pac_opaque_encr_key", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_t, pac_opaque_encr_key), NULL, NULL },
- { "eap_fast_a_id", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_t, eap_fast_a_id), NULL, NULL },
- { "eap_fast_a_id_info", PW_TYPE_STRING_PTR,
- offsetof(rlm_eap_t, eap_fast_a_id_info), NULL, NULL },
- { "eap_fast_prov", PW_TYPE_INTEGER,
- offsetof(rlm_eap_t, eap_fast_prov), NULL, "3"},
- { "pac_key_lifetime", PW_TYPE_INTEGER,
- offsetof(rlm_eap_t, pac_key_lifetime), NULL, "604800"},
- { "pac_key_refresh_time", PW_TYPE_INTEGER,
- offsetof(rlm_eap_t, pac_key_refresh_time), NULL, "86400"},
- { NULL, -1, 0, NULL, NULL } /* end the list */
-};
+static CONF_PARSER fast_config[] = {
+ { "pac_opaque_encr_key", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_t, pac_opaque_encr_key), NULL, NULL },
+ { "eap_fast_a_id", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_t, eap_fast_a_id), NULL, NULL },
+ { "eap_fast_a_id_info", PW_TYPE_STRING_PTR,
+ offsetof(rlm_eap_t, eap_fast_a_id_info), NULL, NULL },
+ { "eap_fast_prov", PW_TYPE_INTEGER,
+ offsetof(rlm_eap_t, eap_fast_prov), NULL, "3"},
+ { "pac_key_lifetime", PW_TYPE_INTEGER,
+ offsetof(rlm_eap_t, pac_key_lifetime), NULL, "604800"},
+ { "pac_key_refresh_time", PW_TYPE_INTEGER,
+ offsetof(rlm_eap_t, pac_key_refresh_time), NULL, "86400"},
+ { NULL, -1, 0, NULL, NULL } /* end the list */
+};
static const CONF_PARSER module_config[] = {
{ "timer_expire", PW_TYPE_INTEGER,
{ "cisco_accounting_username_bug", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_t, cisco_accounting_username_bug), NULL, "no" },
- { "backend_auth", PW_TYPE_BOOLEAN,
- offsetof(rlm_eap_t, backend_auth), NULL, "yes" },
+ { "backend_auth", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_t, backend_auth), NULL, "yes" },
{ "tls", PW_TYPE_SUBSECTION, 0, NULL, (const void *) tls_config },
- { "fast", PW_TYPE_SUBSECTION, 0, NULL, (const void *) fast_config },
+ { "fast", PW_TYPE_SUBSECTION, 0, NULL, (const void *) fast_config },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
/*
* Copy EAP-FAST parameters.
*/
- handler->eap_conf.pac_opaque_encr_key = inst->pac_opaque_encr_key;
- handler->eap_conf.eap_fast_a_id = inst->eap_fast_a_id;
- handler->eap_conf.eap_fast_a_id_len = strlen(inst->eap_fast_a_id);
- handler->eap_conf.eap_fast_a_id_info = inst->eap_fast_a_id_info;
- handler->eap_conf.eap_fast_prov = inst->eap_fast_prov;
- handler->eap_conf.pac_key_lifetime = inst->pac_key_lifetime;
- handler->eap_conf.pac_key_refresh_time = inst->pac_key_refresh_time;
- handler->eap_conf.backend_auth = inst->backend_auth;
+ handler->eap_conf.pac_opaque_encr_key = inst->pac_opaque_encr_key;
+ handler->eap_conf.eap_fast_a_id = inst->eap_fast_a_id;
+ handler->eap_conf.eap_fast_a_id_len = strlen(inst->eap_fast_a_id);
+ handler->eap_conf.eap_fast_a_id_info = inst->eap_fast_a_id_info;
+ handler->eap_conf.eap_fast_prov = inst->eap_fast_prov;
+ handler->eap_conf.pac_key_lifetime = inst->pac_key_lifetime;
+ handler->eap_conf.pac_key_refresh_time = inst->pac_key_refresh_time;
+ handler->eap_conf.backend_auth = inst->backend_auth;
handler->server_ctx.eap = eap_server_sm_init(handler,
&handler->eap_cb,
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_example.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_exec.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_expiration.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_expr.c
break;
/*
- * Binary data as hexits (we don't really support
+ * Binary data as hexits (we don't really support
* non printable chars).
*/
case 'h':
radlog(L_ERR,
"rlm_expr: invalid character class '%c'",
*p);
-
+
return 0;
break;
}
}
/**
- * @brief URLencode special characters
+ * @brief URLencode special characters
*
* Example: "%{urlquote:http://example.org/}" == "http%3A%47%47example.org%47"
*/
len = radius_xlat(buffer, sizeof(buffer), fmt, request, NULL, NULL);
- /*
+ /*
* We can accurately calculate the length of the output string
* if it's larger than outlen, the output would be useless so abort.
*/
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_files.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_ippool.c
void addip(char *sessiondbname, char *indexdbname, char *ipaddress,
char *NASname, char *NASport, int old);
-
+
void viewdb(char *sessiondbname, char *indexdbname, char *ipaddress, int old);
void tonewformat(char *sessiondbname, char *newsessiondbname);
if ((key_datum.dsize != sizeof(struct ippool_key)) &&
(key_datum.dsize != sizeof(struct old_ippool_key))) {
- goto next;
+ goto next;
}
-
+
if (old) {
memcpy(&old_key, key_datum.dptr, sizeof(struct old_ippool_key));
} else {
typedef struct rlm_krb5_t {
const char *xlat_name; //!< This module's instance name.
const char *keytabname; //!< The keytab to resolve the service in.
- const char *service_princ; //!< The service name provided by the
+ const char *service_princ; //!< The service name provided by the
//!< config parser.
- char *hostname; //!< The hostname component of
+ char *hostname; //!< The hostname component of
//!< service_princ, or NULL.
- char *service; //!< The service component of
+ char *service; //!< The service component of
//!< service_princ, or NULL.
krb5_context *context; //!< The kerberos context (cloned once per
krb5_get_init_creds_opt *gic_options; //!< Options to pass to the
//!< get_initial_credentials.
//!< function.
- krb5_verify_init_creds_opt *vic_options; //!< Options to pass to the
+ krb5_verify_init_creds_opt *vic_options; //!< Options to pass to the
//!< validate_initial_creds
//!< function.
if (!krb5_is_thread_safe()) {
radlog(L_ERR, "rlm_krb5 (*): krb5 library is not threadsafe, "
"please recompile it with thread support enabled");
-
+
return -1;
}
if (ret) {
radlog(L_ERR, "rlm_krb5 (%s): Context initialisation "
"failed: %s", inst->xlat_name, error_message(ret));
-
+
goto error;
} else {
radlog(L_DBG, "rlm_krb5 (%s): Context initialised "
*/
radlog(L_DBG, "rlm_krb5 (%s): Using service principal \"%s\"",
inst->xlat_name, princ_name);
-
+
krb5_free_unparsed_name(*context, princ_name);
/*
* Setup options for getting credentials and verifying them
*/
-
+
/* For some reason the 'init' version of this function is deprecated */
ret = krb5_get_init_creds_opt_alloc(*context, &(inst->gic_options));
if (ret) {
"Heimdal", inst->xlat_name, hostname);
}
#endif
-
+
return 0;
error:
if (ret) {
RDEBUG("Failed parsing username as principal: %s",
error_message(ret));
-
+
return RLM_MODULE_FAIL;
}
#ifndef HEIMDAL_KRB5
-/*
+/*
* Validate userid/passwd (MIT)
*/
static rlm_rcode_t krb5_auth(void *instance, REQUEST *request)
RDEBUG("Successfully retrieved and decrypted TGT");
memset(&keytab, 0, sizeof(keytab));
- ret = inst->keytabname ?
+ ret = inst->keytabname ?
krb5_kt_resolve(*context, inst->keytabname, &keytab) :
krb5_kt_default(*context, &keytab);
if (ret) {
ret = krb5_verify_init_creds(*context, &init_creds, inst->server,
keytab, NULL, inst->vic_options);
if (ret) goto error;
-
+
cleanup:
if (context) {
/*
* Setup krb5_verify_user options
*
- * Not entirely sure this is necessary, but as we use context
+ * Not entirely sure this is necessary, but as we use context
* to get the cache handle, we probably do have to do this with
* the cloned context.
*/
krb5_verify_opt_set_ccache(&options, ccache);
memset(&keytab, 0, sizeof(keytab));
- ret = inst->keytabname ?
+ ret = inst->keytabname ?
krb5_kt_resolve(*context, inst->keytabname, &keytab) :
krb5_kt_default(*context, &keytab);
if (ret) {
rcode = krb5_parse_user(inst, request, &client);
if (rcode != RLM_MODULE_OK) goto cleanup;
- /*
+ /*
* Verify the user, using the options we set in instantiate
*/
ret = krb5_verify_user_opt(*context, client,
}
object_len = strlen(object_dn) + 1;
-
+
rc = ber_printf(requestBer, "{io}", NMAS_LDAP_EXT_VERSION,
object_dn, object_len);
if (rc < 0) {
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_ldap.c
offsetof(ldap_instance,keepalive_probes), NULL, "3"},
#endif
#ifdef LDAP_OPT_ERROR_NUMBER
- {"interval", PW_TYPE_INTEGER,
+ {"interval", PW_TYPE_INTEGER,
offsetof(ldap_instance,keepalive_interval), NULL, "30"},
#endif
{ NULL, -1, 0, NULL, NULL }
/* turn off the annoying warning if we don't expect a password */
{"expect_password", PW_TYPE_BOOLEAN,
offsetof(ldap_instance,expect_password), NULL, "yes"},
-
+
#ifdef WITH_EDIR
/* support for eDirectory Universal Password */
{"edir", PW_TYPE_BOOLEAN,
LDAP_PROC_REJECT = -4
} ldap_rcode_t;
-static ldap_rcode_t process_ldap_errno(ldap_instance *inst,
- const LDAP_CONN *conn,
+static ldap_rcode_t process_ldap_errno(ldap_instance *inst,
+ const LDAP_CONN *conn,
const char **error)
{
int ldap_errno;
exec_trigger(NULL, inst->cs, "modules.ldap.timeout", TRUE);
*error = "Timed out while waiting for server to respond";
-
+
return LDAP_PROC_ERROR;
case LDAP_FILTER_ERROR:
}
-static int ldap_bind_wrapper(REQUEST *request, LDAP_CONN **pconn,
+static int ldap_bind_wrapper(REQUEST *request, LDAP_CONN **pconn,
const char *user, const char *password,
int retry)
{
case LDAP_PROC_NOTPERMITTED:
if (request) {
RDEBUGE("Bind was not permitted (%s): %s", error,
- ext_error ? ext_error :
+ ext_error ? ext_error :
"no additional information");
} else {
radlog(L_ERR, "rlm_ldap (%s): Bind was not permitted "
- "(%s): %s", inst->xlat_name,
- error, ext_error ? ext_error :
+ "(%s): %s", inst->xlat_name,
+ error, ext_error ? ext_error :
"no additional information");
}
case LDAP_PROC_REJECT:
if (request) {
RDEBUGE("Bind credentials incorrect (%s): %s", error,
- ext_error ? ext_error :
+ ext_error ? ext_error :
"no additional information");
} else {
radlog(L_ERR, "rlm_ldap (%s): Bind credentials "
- "incorrect (%s): %s", inst->xlat_name,
- error, ext_error ? ext_error :
+ "incorrect (%s): %s", inst->xlat_name,
+ error, ext_error ? ext_error :
"no additional information");
}
-
+
module_rcode = RLM_MODULE_REJECT;
break;
ldap_get_option(handle, LDAP_OPT_ERROR_NUMBER, &ldap_errno);
radlog(L_ERR, "rlm_ldap (%s): could not set "
"LDAP_OPT_X_TLS_REQUIRE_CERT option to %s: %s",
- inst->xlat_name,
+ inst->xlat_name,
inst->tls_require_cert,
ldap_err2string(ldap_errno));
}
*/
static int perform_search(ldap_instance *inst, REQUEST *request,
LDAP_CONN **pconn, const char *search_basedn,
- int scope, const char *filter,
+ int scope, const char *filter,
const char * const *attrs, LDAPMessage **presult)
{
int ldap_errno;
radlog(L_ERR, "rlm_ldap (%s): Failed "
"performing search, reconnecting: %s",
inst->xlat_name, error);
-
+
*pconn = fr_connection_reconnect(inst->pool,
*pconn);
if (*pconn) goto retry;
if (count != 1) {
ldap_msgfree(*presult);
RDEBUGE("Got ambiguous search result (%d results)", count);
-
+
return -2;
}
if (!radius_xlat(buffer, sizeof(buffer), fmt, request,
ldap_escape_func, NULL)) {
radlog(L_ERR,
- "rlm_ldap (%s): Unable to create LDAP URL",
+ "rlm_ldap (%s): Unable to create LDAP URL",
inst->xlat_name);
return 0;
}
"URL. URL must specify exactly one attribute to "
"retrieve",
inst->xlat_name);
-
+
goto free_urldesc;
}
memcpy(&attrs, &ldap_url->lud_attrs, sizeof(attrs));
- rcode = perform_search(inst, request, &conn, ldap_url->lud_dn,
+ rcode = perform_search(inst, request, &conn, ldap_url->lud_dn,
ldap_url->lud_scope, ldap_url->lud_filter, attrs,
&result);
if (rcode < 0) {
if (!entry) {
ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE,
&ldap_errno);
- radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
+ radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
goto free_result;
if ((entry = ldap_first_entry((*pconn)->handle, result)) == NULL) {
ldap_get_option((*pconn)->handle, LDAP_OPT_RESULT_CODE,
&ldap_errno);
- radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
+ radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
ldap_msgfree(result);
radlog(L_ERR, "rlm_ldap (%s): ldap_get_dn() failed: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
-
+
ldap_msgfree(result);
return NULL;
}
if (!entry) {
ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE,
&ldap_errno);
- radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
+ radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
-
+
ldap_release_socket(inst, conn);
ldap_msgfree(result);
return 1;
if (strcmp(vals[i], check->vp_strvalue) == 0){
RDEBUG("User found (membership value matches "
"check value)");
-
+
found = TRUE;
break;
}
if (strcasecmp(vals[i], check->vp_strvalue) == 0){
RDEBUG("User found (membership DN matches "
"check DN)");
-
+
found = TRUE;
break;
}
rcode = perform_search(inst, request, &conn, vals[i],
LDAP_SCOPE_BASE, filter, attrs,
&gr_result);
-
+
ldap_msgfree(gr_result);
/* Error occurred */
return 0;
}
-static int parse_sub_section(CONF_SECTION *parent,
+static int parse_sub_section(CONF_SECTION *parent,
ldap_instance *inst,
ldap_acct_section_t **config,
rlm_components_t comp)
return -1;
}
- switch (map->src->type)
+ switch (map->src->type)
{
/*
* Only =, :=, += and -= operators are supported for
buffer = rad_malloc(MAX_ATTR_STR_LEN);
len = radius_xlat(buffer, MAX_ATTR_STR_LEN,
map->src->name, request, NULL, NULL);
-
+
if (len <= 0) {
RDEBUG("Expansion of LDAP attribute "
"\"%s\" failed", map->src->name);
-
+
goto error;
}
if (!entry) {
ldap_get_option(handle, LDAP_OPT_RESULT_CODE,
&ldap_errno);
- radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
+ radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
-
+
goto free_result;
}
if (!entry) {
ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE,
&ldap_errno);
- radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
+ radlog(L_ERR, "rlm_ldap (%s): Failed retrieving entry: %s",
inst->xlat_name,
ldap_err2string(ldap_errno));
-
+
goto free_result;
}
radlog(L_ERR, "rlm_ldap (%s): Entry is not in "
"\"ldap-attribute = value\" format",
inst->xlat_name);
-
+
goto error;
}
if (radius_xlat(p, 1024, value, request, NULL, NULL) <= 0) {
RDEBUG("xlat failed or empty value string, "
"skipping attribute \"%s\"", attr);
-
+
free(p);
continue;
expanded[last_exp++] = p;
passed[last_pass] = p;
- /*
+ /*
* Static strings
*/
} else {
"is not supported for LDAP modify "
"operations", inst->xlat_name,
fr_int2str(fr_tokens, op, "¿unknown?"));
-
+
goto error;
}
* Now we know the value is ok, copy the pointers into
* the ldapmod struct.
*/
- memcpy(&(mod_s[total].mod_type), &(attr),
+ memcpy(&(mod_s[total].mod_type), &(attr),
sizeof(mod_s[total].mod_type));
mod_p[total] = &(mod_s[total]);
goto error;
}
}
-
+
DEBUG3("rlm_ldap (%s): Waiting for modify result...", inst->xlat_name);
tv.tv_sec = inst->timeout;
ldap_instance *inst = instance;
if (inst->accounting) {
- return user_modify(inst, request, inst->accounting);
+ return user_modify(inst, request, inst->accounting);
}
return RLM_MODULE_NOOP;
ldap_instance *inst = instance;
if (inst->postauth) {
- return user_modify(inst, request, inst->postauth);
+ return user_modify(inst, request, inst->postauth);
}
return RLM_MODULE_NOOP;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_logintime.c
radlog(L_ERR, "rlm_mschap: getUserNodeRef(): no username");
return RLM_MODULE_FAIL;
}
-
+
tDataBuff = dsDataBufferAllocate(dsRef, 4096);
if (tDataBuff == NULL) {
- radlog(L_ERR, "rlm_mschap: getUserNodeRef(): dsDataBufferAllocate() status = %ld", status);
+ radlog(L_ERR, "rlm_mschap: getUserNodeRef(): dsDataBufferAllocate() status = %ld", status);
return RLM_MODULE_FAIL;
}
eDSAuthenticationSearchNodeName,
&nodeCount, &context);
if (status != eDSNoErr) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): no node found? status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): no node found? status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
if (nodeCount < 1) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): nodeCount < 1, status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): nodeCount < 1, status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
status = dsGetDirNodeName(dsRef, tDataBuff, 1, &nodeName);
if (status != eDSNoErr) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsGetDirNodeName() status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsGetDirNodeName() status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
nodeName = NULL;
if (status != eDSNoErr) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsOpenDirNode() status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsOpenDirNode() status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
status = dsGetRecordEntry(nodeRef, tDataBuff, 1,
&attrListRef, &pRecEntry);
if (status != eDSNoErr) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsGetRecordEntry() status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsGetRecordEntry() status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
result = RLM_MODULE_NOOP;
break;
}
-
+
pUserNode = dsBuildFromPath(dsRef, pUserLocation, "/");
if (pUserNode == NULL) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsBuildFromPath() returned NULL");
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsBuildFromPath() returned NULL");
result = RLM_MODULE_FAIL;
break;
}
free(pUserNode);
if (status != eDSNoErr) {
- radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsOpenDirNode() status = %ld", status);
+ radlog(L_ERR,"rlm_mschap: getUserNodeRef(): dsOpenDirNode() status = %ld", status);
result = RLM_MODULE_FAIL;
break;
}
radlog(L_ERR,"rlm_mschap: od_mschap_auth(): dsOpenDirService = %d", status);
return RLM_MODULE_FAIL;
}
-
+
status = getUserNodeRef(username_string, &shortUserName, &userNodeRef, dsRef);
if(status != RLM_MODULE_OK) {
if (status != RLM_MODULE_NOOP) {
return status;
}
- /* We got a node; fill the stepBuffer
+ /* We got a node; fill the stepBuffer
kDSStdAuthMSCHAP2
- MS-CHAPv2 authentication method. The Open Directory plug-in generates the reply data for the client.
- The input buffer format consists of
- a four byte length specifying the length of the user name that follows, the user name,
- a four byte value specifying the length of the server challenge that follows, the server challenge,
- a four byte value specifying the length of the peer challenge that follows, the peer challenge,
- a four byte value specifying the length of the client's digest that follows, and the client's digest.
+ MS-CHAPv2 authentication method. The Open Directory plug-in generates the reply data for the client.
+ The input buffer format consists of
+ a four byte length specifying the length of the user name that follows, the user name,
+ a four byte value specifying the length of the server challenge that follows, the server challenge,
+ a four byte value specifying the length of the peer challenge that follows, the peer challenge,
+ a four byte value specifying the length of the client's digest that follows, and the client's digest.
The output buffer consists of a four byte value specifying the length of the return digest for the client's challenge.
r = FillAuthBuff(pAuthBuff, 5,
strlen(inName), inName, // Directory Services long or short name
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_mschap.c
char *retry_msg;
#ifdef WITH_OPEN_DIRECTORY
int open_directory;
-#endif
+#endif
} rlm_mschap_t;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_opendirectory.c
typedef struct otp_option {
const char *name; //!< Instance name for otp_token_authorize().
char *otpd_rp; //!< Otpd rendezvous point.
- char *chal_prompt; //!< Text to present challenge to user
+ char *chal_prompt; //!< Text to present challenge to user
//!< must have %s.
int challenge_len; //!< Challenge length, min 5 digits.
int challenge_delay; //!< Max delay time for response, in seconds.
- int allow_sync; //!< Useful to override pwdfile
+ int allow_sync; //!< Useful to override pwdfile
//!< card_type settings.
int allow_async; //!< C/R mode allowed?
- int mschapv2_mppe_policy; //!< Whether or not do to mppe for
+ int mschapv2_mppe_policy; //!< Whether or not do to mppe for
//!< mschapv2.
int mschapv2_mppe_types; //!< Key type/length for mschapv2/mppe.
- int mschap_mppe_policy; //!< Whether or not do to mppe for
+ int mschap_mppe_policy; //!< Whether or not do to mppe for
//!< mschap .
int mschap_mppe_types; //!< key type/length for mschap/mppe.
} otp_option_t;
int allow_async; //!< Async auth allowed?
int allow_sync; //!< Sync auth allowed?
- unsigned challenge_delay; //!< Min delay between async
+ unsigned challenge_delay; //!< Min delay between async
//!< auths.
int resync; //!< Resync on async auth?
} otp_request_t;
* NB: The returned passcode will contain the PIN! DO NOT LOG!
*/
int otp_pw_valid(REQUEST *request, int pwe, const char *challenge,
- const otp_option_t *opt,
+ const otp_option_t *opt,
char passcode[OTP_MAX_PASSCODE_LEN + 1])
{
otp_request_t otp_request;
otp_request.pwe.pwe = pwe;
- /*
+ /*
* otp_pwe_present() (done by caller) guarantees that both of
* these exist
*/
if (cvp->length > 16) {
radlog(L_AUTH, "rlm_otp: CHAP challenge for [%s] "
"too long", username);
-
+
return RLM_MODULE_INVALID;
}
if (rvp->length != 17) {
radlog(L_AUTH, "rlm_otp: CHAP response for [%s] "
"wrong size", username);
-
+
return RLM_MODULE_INVALID;
}
(void) memcpy(otp_request.pwe.u.chap.challenge, cvp->vp_octets,
cvp->length);
-
+
otp_request.pwe.u.chap.clen = cvp->length;
(void) memcpy(otp_request.pwe.u.chap.response, rvp->vp_octets,
rvp->length);
-
+
otp_request.pwe.u.chap.rlen = rvp->length;
break;
if (cvp->length != 8) {
radlog(L_AUTH, "rlm_otp: MS-CHAP challenge for "
"[%s] wrong size", username);
-
+
return RLM_MODULE_INVALID;
}
if (rvp->length != 50) {
radlog(L_AUTH, "rlm_otp: MS-CHAP response for [%s] "
"wrong size", username);
-
+
return RLM_MODULE_INVALID;
}
(void) memcpy(otp_request.pwe.u.chap.challenge,
if (cvp->length != 16) {
(void) radlog(L_AUTH, "rlm_otp: MS-CHAP2 challenge for "
"[%s] wrong size", username);
-
+
return RLM_MODULE_INVALID;
}
if (rvp->length != 50) {
radlog(L_AUTH, "rlm_otp: MS-CHAP2 response for [%s] "
"wrong size", username);
-
+
return RLM_MODULE_INVALID;
}
} /* switch (otp_request.pwe.pwe) */
/*
- * last byte must also be a terminator so otpd can verify
+ * last byte must also be a terminator so otpd can verify
* length easily.
*/
otp_request.username[OTP_MAX_USERNAME_LEN] = '\0';
} else {
radlog(L_ERR, "rlm_otp: %s: write to otpd: %s",
__func__, strerror(errno));
-
+
otp_putfd(fdp, 1);
return errno;
if (sp_len > sizeof(sa.sun_path) - 1) {
radlog(L_ERR, "rlm_otp: %s: rendezvous point name too long",
__func__);
-
+
return -1;
}
sa.sun_family = AF_UNIX;
radlog(L_ERR, "rlm_otp: %s: connect(%s): %s",
__func__, path, strerror(errno));
-
+
(void) close(fd);
return -1;
}
if (pairfind(request->packet->vps, pwattr[i]->attr,
- pwattr[i]->vendor, TAG_ANY) &&
- pairfind(request->packet->vps, pwattr[i + 1]->attr,
+ pwattr[i]->vendor, TAG_ANY) &&
+ pairfind(request->packet->vps, pwattr[i + 1]->attr,
pwattr[i + 1]->vendor, TAG_ANY)) {
DEBUG("rlm_otp: %s: password attributes %s, %s",
__func__, pwattr[i]->name, pwattr[i + 1]->name);
-
+
return i + 1; /* Can't return 0 (indicates failure) */
}
}
* as an ASCII string (they only return data up to the first NUL byte).
* So we must handle state as an ASCII string (0x00 -> 0x3030).
*/
-
+
/*
* OTP_MAX_RADSTATE_LEN is composed of:
*
* sizeof(hmac) * 2 + hmac
* 1 \0'
*/
-
+
/** Generate an OTP state value
*
* Generates an OTP state value (an string of ASCII hexits in an opaque binary
* string).
*
- * @param[out] state buffer in which to write the generated state value.
+ * @param[out] state buffer in which to write the generated state value.
* @param[in] challenge The challenge value.
* @param[in] clen The length of the challenge data.
* @param[in] flags to remember.
*/
p = state;
- /*
+ /*
* Add the challenge (which is already ASCII encoded)
*/
p += fr_bin2hex((const uint8_t *) challenge, p, clen);
}
/** Generate a random challenge (ascii chars 0-9)
- *
+ *
* @note This is really cryptocard-specific (automatic ASCII conversion
* @note and null termination).
*
if (rc) {
radlog(L_ERR, "rlm_otp: %s: pthread_mutex_init: %s",
caller, strerror(rc));
-
+
exit(1);
}
}
if (rc) {
radlog(L_ERR, "rlm_otp: %s: pthread_mutex_lock: %s",
caller, strerror(rc));
-
+
exit(1);
}
}
if (rc && rc != EBUSY) {
radlog(L_ERR, "rlm_otp: %s: pthread_mutex_trylock: %s",
caller, strerror(rc));
-
+
exit(1);
}
if (rc) {
radlog(L_ERR, "rlm_otp: %s: pthread_mutex_unlock: %s",
caller, strerror(rc));
-
+
exit(1);
}
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_otp.c
return 0;
}
-/*
+/*
* Generate a challenge to be presented to the user.
*/
static rlm_rcode_t otp_authorize(void *instance, REQUEST *request)
if (!request->username) {
radlog(L_AUTH, "rlm_otp: %s: Attribute \"User-Name\" "
"required for authentication.", __func__);
-
+
return RLM_MODULE_INVALID;
}
radlog(L_AUTH, "rlm_otp: %s: Attribute "
"\"User-Password\" or equivalent required "
"for authentication.", __func__);
-
+
return RLM_MODULE_INVALID;
}
* here, but these are complicated to explain and application is
* limited. More importantly, since we've removed all actual OTP
* code (now we ask otpd), it's awkward for us to support them.
- * Should the need arise to reinstate these options, the most
+ * Should the need arise to reinstate these options, the most
* likely choice is to duplicate some otpd code here.
*/
if (inst->allow_sync && !inst->allow_async) {
/*
* Create the State attribute, which will be returned to
- * us along with the response.
+ * us along with the response.
*
- * We will need this to verify the response.
+ * We will need this to verify the response.
*
* It must be hmac protected to prevent insertion of arbitrary
* State by an inside attacker.
*
- * If we won't actually use the State (server config doesn't
+ * If we won't actually use the State (server config doesn't
* allow async), we just use a trivial State.
*
* We always create at least a trivial State, so otp_authorize()
if (!request->username) {
radlog(L_AUTH, "rlm_otp: %s: Attribute \"User-Name\" required "
"for authentication.", __func__);
-
+
return RLM_MODULE_INVALID;
}
if (pwe == 0) {
radlog(L_AUTH, "rlm_otp: %s: Attribute \"User-Password\" "
"or equivalent required for authentication.", __func__);
-
+
return RLM_MODULE_INVALID;
}
size_t len;
/*
- * Set expected State length (see otp_gen_state())
+ * Set expected State length (see otp_gen_state())
*/
elen = (inst->challenge_len * 2) + 8 + 8 + 32;
if (len != (vp->length / 2)) {
radlog(L_AUTH, "rlm_otp: %s: bad radstate for [%s]: "
"not hex", __func__, username);
-
+
return RLM_MODULE_INVALID;
}
then, hmac_key);
/*
- * Compare generated state (in hex form)
- * against generated state (in hex form)
+ * Compare generated state (in hex form)
+ * against generated state (in hex form)
* to verify hmac.
*/
if (memcmp(gen_state, vp->vp_octets, vp->length)) {
radlog(L_AUTH, "rlm_otp: %s: bad radstate for [%s]: "
"hmac", __func__, username);
-
+
return RLM_MODULE_REJECT;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_pam.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_pap.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_passwd.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_perl.c
if (ret != 0) {
radlog(L_DBG,"rlm_perl: Failed associating interpretor "
"with thread %s", strerror(ret));
-
+
rlm_perl_destruct(interp);
return NULL;
}
while (nvp) {
/*
- * Tagged attributes are added to the hash with name
+ * Tagged attributes are added to the hash with name
* <attribute>:<tag>, others just use the normal attribute
* name as the key.
*/
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_preprocess.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_python.c
char *module_name;
char *function_name;
-};
+};
struct rlm_python_t {
- struct py_function_def
+ struct py_function_def
instantiate,
authorize,
authenticate,
}
static PyMethodDef radiusd_methods[] = {
- { "radlog", &python_radlog, METH_VARARGS,
+ { "radlog", &python_radlog, METH_VARARGS,
"radiusd.radlog(level, msg)\n\n" \
"Print a message using radiusd logging system. level should be one of the\n" \
"constants L_DBG, L_AUTH, L_INFO, L_ERR, L_PROXY\n"
static void python_error(void)
{
- PyObject
+ PyObject
*pType = NULL,
*pValue = NULL,
*pTraceback = NULL,
Py_Initialize();
PyEval_InitThreads(); /* This also grabs a lock */
- if ((radiusd_module = Py_InitModule3("radiusd", radiusd_methods,
+ if ((radiusd_module = Py_InitModule3("radiusd", radiusd_methods,
"FreeRADIUS Module.")) == NULL)
goto failed;
for (i = 0; radiusd_constants[i].name; i++)
if ((PyModule_AddIntConstant(radiusd_module,
- radiusd_constants[i].name,
+ radiusd_constants[i].name,
radiusd_constants[i].value)) < 0)
goto failed;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_radutmp.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_radutmp2.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_realm.c
|| (request->proxy != NULL)
#endif
) {
-
+
RDEBUG2("Proxy reply, or no User-Name. Ignoring.");
return RLM_MODULE_OK;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_redis.c
if (!dissocket) {
radlog(L_ERR, "rlm_redis (%s): redis_get_socket() failed",
inst->xlat_name);
-
+
return 0;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_rediswho.c
/*
* expiry time in seconds if no updates are received for a user
*/
- int expiry_time;
+ int expiry_time;
/*
* How many session updates to keep track of per user
*/
- int trim_count;
+ int trim_count;
} rlm_rediswho_t;
static CONF_PARSER module_config[] = {
*/
*instance = inst = talloc_zero(conf, rlm_rediswho_t);
if (!inst) return -1;
-
+
/*
* If the configuration parameters can't be parsed, then
* fail.
inst->xlat_name = cf_section_name2(conf);
- if (!inst->xlat_name)
+ if (!inst->xlat_name)
inst->xlat_name = cf_section_name1(conf);
inst->cs = conf;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_replicate.c
* Create a duplicate of the packet and send it to a list of realms
* defined by the presence of the Replicate-To-Realm VP in the control
* list of the current request.
- *
+ *
* This is pretty hacky and is 100% fire and forget. If you're looking
* to forward authentication requests to multiple realms and process
* the responses, this function will not allow you to do that.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/*
* $Id$
*
/** Conversion table for method config values.
- *
+ *
* HTTP verb strings for http_method_t enum values. Used by libcurl in the
* status line of the outgoing HTTP header, by rest_write_header for decoding
* incoming HTTP responses, and by the configuration parser.
* which hold the context data required for generating requests and parsing
* responses. Calling rest_socket_delete will free this memory.
*
- * If instance->connect_uri is not NULL libcurl will attempt to open a
+ * If instance->connect_uri is not NULL libcurl will attempt to open a
* TCP socket to the server specified in the URI. This is done so that when the
* socket is first used, there will already be a cached TCP connection to the
- * REST server associated with the curl handle.
+ * REST server associated with the curl handle.
*
* @see rest_socket_delete
* @see fr_connection_pool_init
* @return connection handle or NULL if the connection failed or couldn't
* be initialised.
*/
-void *rest_socket_create(void *instance)
+void *rest_socket_create(void *instance)
{
rlm_rest_t *inst = instance;
CURLcode ret;
if (!candle) {
- radlog(L_ERR, "rlm_rest (%s): Failed to create CURL handle",
+ radlog(L_ERR, "rlm_rest (%s): Failed to create CURL handle",
inst->xlat_name);
return NULL;
}
goto connection_error;
}
- /*
+ /*
* Malloc memory for the connection handle abstraction.
*/
randle = malloc(sizeof(*randle));
inst->xlat_name,
ret, curl_easy_strerror(ret));
- /*
+ /*
* So we don't leak CURL handles.
*/
connection_error:
}
/** Frees a libcurl handle, and any additional memory used by context data.
- *
+ *
* @param[in] instance configuration data.
* @param[in] handle rlm_rest_handle_t to close and free.
* @return returns TRUE.
*/
int rest_socket_delete(UNUSED void *instance, void *handle)
-{
+{
rlm_rest_handle_t *randle = handle;
CURL *candle = randle->handle;
/** Encodes VALUE_PAIR linked list in POST format
*
* This is a stream function matching the rest_read_t prototype. Multiple
- * successive calls will return additional encoded VALUE_PAIRs.
+ * successive calls will return additional encoded VALUE_PAIRs.
* Only complete attribute headers @verbatim '<name>=' @endverbatim and values
* will be written to the ptr buffer.
*
p += len;
s -= len;
- /*
+ /*
* We wrote the attribute header, record progress.
*/
f = p;
*p++ = '&';
}
- /*
+ /*
* We wrote one full attribute value pair, record progress.
*/
f = p;
/*
* Cleanup for error conditions
- */
+ */
no_space:
*f = '\0';
* The buffer wasn't big enough to encode a single attribute chunk.
*/
if (!len) {
- radlog(L_ERR, "rlm_rest (%s): AVP exceeds buffer length"
+ radlog(L_ERR, "rlm_rest (%s): AVP exceeds buffer length"
" or chunk", ctx->instance->xlat_name);
} else {
RDEBUG2("Returning %i bytes of POST data"
RDEBUG2("\tType : %s", type);
- /*
+ /*
* We wrote the attribute header, record progress
*/
f = p;
p += len;
s -= len;
- /*
+ /*
* Multivalued attribute
*/
if (current[1] &&
*p++ = ',';
current++;
- /*
+ /*
* We wrote one attribute value, record
* progress.
*/
*p++ = ',';
}
- /*
+ /*
* We wrote one full attribute value pair, record progress.
*/
f = p;
return len;
- /*
+ /*
* Were out of buffer space
- */
+ */
no_space:
*f = '\0';
* This function is used when the request will be sent to the HTTP server as one
* contiguous entity. A buffer of REST_BODY_INCR bytes is allocated and passed
* to the stream encoding function.
- *
+ *
* If the stream function does not return 0, a new buffer is allocated which is
* the size of the previous buffer + REST_BODY_INCR bytes, the data from the
* previous buffer is copied, and freed, and another call is made to the stream
* function, passing a pointer into the new buffer at the end of the previously
* written data.
- *
+ *
* This process continues until the stream function signals (by returning 0)
* that it has no more data to write.
*
/** (Re-)Initialises the data in a rlm_rest_read_t.
*
* Resets the values of a rlm_rest_read_t to their defaults.
- *
+ *
* Must be called between encoding sessions.
*
* As part of initialisation all VALUE_PAIR pointers in the REQUEST packet are
* Accepts VALUE_PAIRS in the same format as rest_encode_post, but with the
* addition of optional attribute list qualifiers as part of the attribute name
* string.
- *
+ *
* If no qualifiers are specified, will default to the request list.
*
* POST response format is:
value = curl_easy_unescape(candle, p, len, &curl_len);
- /*
+ /*
* If we found a delimiter we want to skip over it,
* if we didn't we do *NOT* want to skip over the end
* of the buffer...
}
vp->op = T_OP_SET;
-
+
/*
* Check to see if we've already processed an
* attribute of the same type if we have, change the op
}
/** Processes JSON response and converts it into multiple VALUE_PAIRs
- *
+ *
* Processes JSON attribute declarations in the format below. Will recurse when
* processing nested attributes. When processing nested attributes flags and
* operators from previous attributes are not inherited.
"<attributeN>":"[<value0>,<value1>,<valueN>]"
}
@endverbatim
- *
+ *
* JSON valuepair flags (bools):
* - do_xlat (optional) Controls xlat expansion of values. Defaults to TRUE.
* - is_json (optional) If TRUE, any nested JSON data will be copied to the
json_object_get_type(object));
return NULL;
}
-
+
/*
* Process VP container
*/
name = (char*)entry->k;
/* Fix the compiler warnings regarding const... */
- memcpy(&value, &entry->v, sizeof(value));
+ memcpy(&value, &entry->v, sizeof(value));
entry = entry->next;
-
+
/*
* For people handcrafting JSON responses
*/
attribute = name;
reference = request;
-
+
/*
* Resolve attribute name to a dictionary entry and
* pairlist.
}
/** Converts JSON response into VALUE_PAIRs and adds them to the request.
- *
+ *
* Converts the raw JSON string into a json-c object tree and passes it to
* json_pairmake. After the tree has been parsed json_object_put is called
* which decrements the reference count of the root node by one, and frees
case WRITE_STATE_INIT:
RDEBUG("Processing header");
- /*
+ /*
* HTTP/<version> <reason_code>[ <reason_phrase>]\r\n
*
* "HTTP/1.1 " (8) + "100 " (4) + "\r\n" (2) = 14
*/
if (s < 14) goto malformed;
- /*
+ /*
* Check start of header matches...
*/
if (strncasecmp("HTTP/", p, 5) != 0) goto malformed;
s -= (q - p);
p = q;
- /*
+ /*
* Process reason_code.
*
* " 100" (4) + "\r\n" (2) = 6
p += 14;
s -= 14;
- /*
+ /*
* Check to see if there's a parameter
* separator.
*/
*
* @see rest_write_body
* @see rest_write_header
- *
+ *
* @param[in] request Current request.
* @param[in] ctx data to initialise.
* @param[in] type Default http_body_type to use when decoding raw data, may be
}
/** Configures body specific curlopts.
- *
+ *
* Configures libcurl handle to use either chunked mode, where the request
* data will be sent using multiple HTTP requests, or contiguous mode where
* the request data will be sent in a single HTTP request.
}
/** Configures request curlopts.
- *
+ *
* Configures libcurl handle setting various curlopts for things like local
* client time, Content-Type, and other FreeRADIUS custom headers.
- *
+ *
* Current FreeRADIUS custom headers are:
* - X-FreeRADIUS-Section The module section being processed.
* - X-FreeRADIUS-Server The current virtual server the REQUEST is
ret = curl_easy_setopt(candle, CURLOPT_USERAGENT, "FreeRADIUS");
if (ret != CURLE_OK) goto error;
-
+
snprintf(buffer, (sizeof(buffer) - 1), "Content-Type: %s",
fr_int2str(http_content_type_table, type, "¿Unknown?"));
ctx->headers = curl_slist_append(ctx->headers, buffer);
if (section->username) {
radius_xlat(buffer, sizeof(buffer),
section->username, request, NULL, NULL);
-
+
ret = curl_easy_setopt(candle, CURLOPT_USERNAME,
buffer);
if (ret != CURLE_OK) goto error;
if (section->password) {
radius_xlat(buffer, sizeof(buffer),
section->password, request, NULL, NULL);
-
+
ret = curl_easy_setopt(candle, CURLOPT_PASSWORD,
buffer);
if (ret != CURLE_OK) goto error;
if (section->username) {
radius_xlat(buffer, sizeof(buffer),
section->username, request, NULL, NULL);
-
+
ret = curl_easy_setopt(candle,
CURLOPT_TLSAUTH_USERNAME,
buffer);
if (section->password) {
radius_xlat(buffer, sizeof(buffer),
section->password, request, NULL, NULL);
-
+
ret = curl_easy_setopt(candle,
CURLOPT_TLSAUTH_PASSWORD,
buffer);
}
/** Sends a REST (HTTP) request.
- *
+ *
* Send the actual REST request to the server. The response will be handled by
* the numerous callbacks configured in rest_request_config.
*
}
/** Sends the response to the correct decode function.
- *
+ *
* Uses the Content-Type information written in rest_write_header to
* determine the correct decode function to use. The decode function will
* then convert the raw received data into VALUE_PAIRs.
* @param[in] handle to use.
* @return TRUE on success or FALSE on error.
*/
-int rest_request_decode(rlm_rest_t *instance,
+int rest_request_decode(rlm_rest_t *instance,
UNUSED rlm_rest_section_t *section,
REQUEST *request, void *handle)
{
}
/** Cleans up after a REST request.
- *
+ *
* Resets all options associated with a CURL handle, and frees any headers
* associated with it.
*
* Free body data (only used if chunking is disabled)
*/
if (ctx->body != NULL) free(ctx->body);
-
+
/*
* Free other context info
*/
}
/** URL encodes a string.
- *
+ *
* Encode special chars as per RFC 3986 section 4.
*
* @param[in] request Current request.
}
/** Builds URI; performs XLAT expansions and encoding.
- *
+ *
* Splits the URI into "http://example.org" and "/%{xlat}/query/?bar=foo"
* Both components are expanded, but values expanded for the second component
* are also url encoded.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/*
* $Id$
*
*
* @copyright 2012-2013 Arran Cudbard-Bell <a.cudbard-bell@freeradius.org>
*/
-
+
#include <freeradius-devel/ident.h>
RCSIDH(other_h, "$Id$")
char *buffer; /* HTTP incoming raw data */
size_t alloc; /* Space allocated for buffer */
- size_t used; /* Space used in buffer */
+ size_t used; /* Space used in buffer */
int code; /* HTTP Status Code */
http_body_type_t type; /* HTTP Content Type */
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_rest.c
offsetof(rlm_rest_section_t, method_str), NULL, "GET" },
{ "body", PW_TYPE_STRING_PTR,
offsetof(rlm_rest_section_t, body_str), NULL, "post" },
-
+
/* User authentication */
{ "auth", PW_TYPE_STRING_PTR,
offsetof(rlm_rest_section_t, auth_str), NULL, "none" },
offsetof(rlm_rest_section_t, require_auth), NULL, "no"},
/* Transfer configuration */
- { "timeout", PW_TYPE_INTEGER,
+ { "timeout", PW_TYPE_INTEGER,
offsetof(rlm_rest_section_t, timeout), NULL, "0" },
{ "chunk", PW_TYPE_INTEGER,
offsetof(rlm_rest_section_t, chunk), NULL, "0" },
{ NULL, -1, 0, NULL, NULL }
};
-
+
static const CONF_PARSER module_config[] = {
{ "connect_uri", PW_TYPE_STRING_PTR,
offsetof(rlm_rest_t, connect_uri), NULL, "http://localhost/" },
rest_request_cleanup(instance, section, handle);
};
-static int parse_sub_section(CONF_SECTION *parent,
+static int parse_sub_section(CONF_SECTION *parent,
rlm_rest_t *instance, rlm_rest_section_t *config,
rlm_components_t comp)
{
*/
config->auth = fr_str2int(http_auth_table, config->auth_str,
HTTP_AUTH_UNKNOWN);
-
+
if (config->auth == HTTP_AUTH_UNKNOWN) {
radlog(L_ERR, "rlm_rest (%s): Unknown HTTP auth type \"%s\"",
instance->xlat_name, config->auth_str);
if (!http_curl_auth[config->auth]) {
radlog(L_ERR, "rlm_rest (%s): Unsupported HTTP auth type \"%s\""
- ", check libcurl version, OpenSSL build configuration,"
+ ", check libcurl version, OpenSSL build configuration,"
" then recompile this module",
instance->xlat_name, config->auth_str);
return -1;
}
-
+
config->method = fr_str2int(http_method_table, config->method_str,
HTTP_METHOD_CUSTOM);
if (!handle) return RLM_MODULE_FAIL;
ret = rlm_rest_perform(instance, section, handle, request);
- if (ret < 0) {
+ if (ret < 0) {
rcode = RLM_MODULE_FAIL;
goto end;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_ruby.c
* xxx We're not checking the errors. If we have errors, what do we do?
*/
-#define BUF_SIZE 1024
+#define BUF_SIZE 1024
static rlm_rcode_t ruby_function(REQUEST *request, int func,
VALUE module, const char *function_name) {
-
+
rlm_rcode_t rcode = RLM_MODULE_OK;
-
+
char buf[BUF_SIZE]; /* same size as vp_print buffer */
VALUE_PAIR *vp;
int n_tuple;
radlog(L_DBG, "Calling ruby function %s which has id: %d\n", function_name, func);
- /* Return with "OK, continue" if the function is not defined.
+ /* Return with "OK, continue" if the function is not defined.
* TODO: Should check with rb_respond_to each time, just because ruby can define function dynamicly?
*/
if (func == 0) {
return rcode;
}
-
+
n_tuple = 0;
if (request) {
n_tuple++;
}
}
-
-
+
+
/*
Creating ruby array, that contains arrays of [name,value]
Maybe we should use hash instead? Can this names repeat?
/* Calling corresponding ruby function, passing request and catching result */
rb_result = rb_funcall(module, func, 1, rb_request);
- /*
- * Checking result, it can be array of type [result,
+ /*
+ * Checking result, it can be array of type [result,
* [array of reply pairs],[array of config pairs]],
* It can also be just a fixnum, which is a result itself.
*/
if (!FIXNUM_P(rb_ary_entry(rb_result, 0))) {
radlog(L_ERR, "rlm_ruby: First element of an array was not a "
"FIXNUM (Which has to be a return_value)");
-
+
rcode = RLM_MODULE_FAIL;
goto finish;
}
-
+
rcode = FIX2INT(rb_ary_entry(rb_result, 0));
-
+
/*
* Only process the results if we were passed a request.
*/
} else if (FIXNUM_P(rb_result)) {
rcode = FIX2INT(rb_result);
}
-
+
finish:
return rcode;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_securid.c
static SECURID_AUTH_RC securidAuth(void *instance, REQUEST *request,
- const char* username,
+ const char* username,
const char* passcode,
char* replyMsgBuffer,int replyMsgBufferSize)
{
return RC_SECURID_AUTH_SUCCESS;
- case ACM_ACCESS_DENIED:
+ case ACM_ACCESS_DENIED:
/* not this time */
RDEBUG("SecurID Access denied for %s", username);
SD_Close(sdiHandle);
pSecurid_session->sdiHandle = sdiHandle; /* save ACE handle for future use */
pSecurid_session->securidSessionState = NEW_PIN_REQUIRED_STATE;
pSecurid_session->identity = strdup(username);
-
+
/* Get PIN requirements */
acmRet = AceGetPinParams(sdiHandle, &pinParams);
-
+
/* If a system-generated PIN is required */
if (pinParams.Selectable == CANNOT_CHOOSE_PIN) {
/* Prompt user to accept a system generated PIN */
/* insert new session in the session list */
securid_sessionlist_add(inst,request,pSecurid_session);
-
+
return RC_SECURID_AUTH_CHALLENGE;
case ACM_NEXT_CODE_REQUIRED:
/* insert new session in the session list */
securid_sessionlist_add(inst,request,pSecurid_session);
-
+
strlcpy(replyMsgBuffer, "\r\nPlease Enter the Next Code from Your Token:", replyMsgBufferSize);
return RC_SECURID_AUTH_CHALLENGE;
default:
radlog(L_ERR,"SecurID: Unexpected error from ACE/Agent API acmRet=%d",acmRet);
return RC_SECURID_AUTH_FAILURE;
-
+
}
} else {
/* insert the updated session in the session list */
securid_sessionlist_add(inst,request,pSecurid_session);
return RC_SECURID_AUTH_CHALLENGE;
-
+
case NEW_PIN_USER_CONFIRM_STATE:
RDEBUG2("SecurID NEW_PIN_USER_CONFIRM_STATE: User [%s]",username);
/* compare previous pin and current pin */
pSecurid_session);
}
}
- return rc;
+ return rc;
case NEW_PIN_AUTH_VALIDATE_STATE:
acmRet = SD_Check(pSecurid_session->sdiHandle, (SD_CHAR*)passcode, (SD_CHAR*)username);
if (acmRet == ACM_OK) {
}
return rc;
-
+
case NEW_PIN_SYSTEM_CONFIRM_STATE:
acmRet = SD_Pin(pSecurid_session->sdiHandle, (SD_CHAR*)pSecurid_session->pin);
if (acmRet == ACM_NEW_PIN_ACCEPTED) {
}
return rc;
-
+
/* USER_SELECTABLE state should be implemented to preserve compatibility with AM 6.x servers, which can return this state */
case NEW_PIN_USER_SELECT_STATE:
if (!strcmp(passcode, "y")) {
#define SAFE_STR(s) s==NULL?"EMPTY":s
-typedef enum {
+typedef enum {
INITIAL_STATE = 0,
- NEXT_CODE_REQUIRED_STATE = 100,
+ NEXT_CODE_REQUIRED_STATE = 100,
NEW_PIN_REQUIRED_STATE = 200,
NEW_PIN_USER_CONFIRM_STATE = 201,
NEW_PIN_AUTH_VALIDATE_STATE = 202,
} SECURID_SESSION_STATE;
/*
- * SECURID_SESSION is used to identify existing securID sessions
+ * SECURID_SESSION is used to identify existing securID sessions
* to continue Next-Token code and New-Pin conversations with a client
*
* next = pointer to next
fr_ipaddr_t src_ipaddr;
time_t timestamp;
unsigned int session_id;
- int trips;
+ int trips;
char *pin; /* previous pin if user entered it during NEW-PIN mode process */
- char *identity; /* save user's identity name for future use */
+ char *identity; /* save user's identity name for future use */
} SECURID_SESSION;
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
*
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_smsotp.c
}
DEBUG("rlm_smsotp: Generate OTP");
-
+
/* set username */
smsotp_write(fdp, "generate otp for ", 17);
smsotp_write(fdp, (const char *) request->username->vp_strvalue, sizeof(request->username->vp_strvalue));
{
ssize_t n;
size_t nread = 0; /* bytes read into buf */
-
+
fd_set rfds;
struct timeval tv;
int retval;
}
nread += n;
// DEBUG("smsotp_read ... read more ?");
-
+
// check if more data is avalible
retval = select(1, &rfds, NULL, NULL, &tv);
if (!retval) {
* a lot cleaner to do so, and a pointer to the structure can
* be used as the instance handle.
*/
-
+
typedef struct smsotp_fd_t {
pthread_mutex_t mutex;
const char *path; /* allows diff instances to use diff sockets */
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_soh.c
static const CONF_PARSER module_config[] = {
/*
- * Do SoH over DHCP?
+ * Do SoH over DHCP?
*/
{ "dhcp", PW_TYPE_BOOLEAN, offsetof(rlm_soh_t,dhcp), NULL, "no" },
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sometimes.c
if(retval != SQL_SUCCESS) {
radlog(L_ERR, "could not connect to DB2 server %s\n",
config->sql_server);
-
+
return -1;
}
if (fb_connect(conn,config)) {
radlog(L_ERR, "rlm_sql_firebird: Connection failed %s\n",
conn->lasterror);
-
+
return SQL_DOWN;
}
#endif
try_again:
- /*
+ /*
* Try again query when deadlock, beacuse in any case it
* will be retried.
*/
querystr);
/*
- * @todo For non READ_COMMITED transactions put
+ * @todo For non READ_COMMITED transactions put
* rollback here
* fb_rollback(conn);
*/
if (res) {
radlog(L_ERR, "rlm_sql_firebird. Fetch problem:'%s'",
conn->lasterror);
-
+
return -1;
}
} else {
*/
static int sql_finish_select_query(rlm_sql_handle_t *handle,
UNUSED rlm_sql_config_t *config) {
-
+
rlm_sql_firebird_conn_t *conn = (rlm_sql_firebird_conn_t *) handle->conn;
fb_commit(conn);
radlog(L_DBG,"Init mutex %p\n",&conn->mut);
#endif
- /*
+ /*
* Set tpb to read_committed/wait/no_rec_version
*/
fb_set_tpb(conn, 5, isc_tpb_version3, isc_tpb_wait, isc_tpb_write,
short l;
if (!conn->trh) {
- isc_start_transaction(conn->status, &conn->trh, 1, &conn->dbh,
+ isc_start_transaction(conn->status, &conn->trh, 1, &conn->dbh,
conn->tpb_len,conn->tpb);
if (!conn->trh) {
return -4;
isc_dsql_sql_info(conn->status, &conn->stmt,
sizeof (count_info), count_info,
sizeof (info_buffer), info_buffer);
-
+
if (IS_ISC_ERROR(conn->status)) {
return fb_lasterror(conn);
}
DBSETLPWD(login, config->sql_password);
if ((conn->dbproc = dbopen(login, config->sql_server)) == FAIL) {
- radlog(L_ERR, "rlm_sql_freetds (%s): Unable to connect to FreeTDS/MSSQL server %s@%s",
+ radlog(L_ERR, "rlm_sql_freetds (%s): Unable to connect to FreeTDS/MSSQL server %s@%s",
config->xlat_name, config->sql_login, config->sql_server);
dbloginfree(login);
return -1;
dbloginfree(login);
if ((dbuse(conn->dbproc, config->sql_db)) == FAIL) {
- radlog(L_ERR, "rlm_sql_freetds (%s): Unable to select database on FreeTDS/MSSQL server %s@%s:%s",
+ radlog(L_ERR, "rlm_sql_freetds (%s): Unable to select database on FreeTDS/MSSQL server %s@%s:%s",
config->xlat_name, config->sql_login, config->sql_server, config->sql_db);
return -1;
}
static int sql_num_fields(rlm_sql_handle_t * handle, UNUSED rlm_sql_config_t *config)
{
rlm_sql_postgres_conn_t *conn = handle->conn;
-
+
conn->affected_rows = PQntuples(conn->result);
if (conn->result)
return PQnfields(conn->result);
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sql_sqlite.c
radlog(L_ERR, "rlm_sql_sqlite: Failed stating SQL "
"file \"%s\": %s", filename,
strerror(errno));
-
+
fclose(f);
- return -1;
+ return -1;
}
if (finfo.st_size > BOOTSTRAP_MAX) {
radlog(L_ERR, "rlm_sql_sqlite: Size of SQL "
"(%zu) file exceeds limit (%uk)", (size_t) finfo.st_size / 1024,
BOOTSTRAP_MAX / 1024);
-
+
fclose(f);
- return -1;
+ return -1;
}
MEM(buffer = talloc_array(NULL, char, finfo.st_size + 1));
if (len > finfo.st_size) {
talloc_free(buffer);
goto too_big;
- }
+ }
if (!len) {
if (ferror(f)) {
radlog(L_ERR, "rlm_sql_sqlite: Error reading SQL "
"file: %s", strerror(errno));
-
+
fclose(f);
talloc_free(buffer);
(void) sqlite3_prepare_v2(db, s, len, &statement, &z_tail);
if (sql_check_error(db)) {
talloc_free(buffer);
- return -1;
+ return -1;
}
(void) sqlite3_step(statement);
(void) sqlite3_finalize(statement);
if (status || sql_check_error(db)) {
talloc_free(buffer);
- return -1;
+ return -1;
}
p = s = q + 1;
radlog(L_ERR, "rlm_sql_sqlite: Failed creating "
"opening/creating SQLite database, error "
"code (%u)", status);
-
+
goto unlink;
}
status = sqlite3_close(db);
if (status != SQLITE_OK) {
radlog(L_ERR, "rlm_sql_sqlite: Error closing SQLite "
- "handle, error code (%u)", status);
+ "handle, error code (%u)", status);
goto unlink;
}
if (ret < 0) {
unlink:
if (unlink(driver->filename) < 0) {
- radlog(L_ERR, "rlm_sql_sqlite: Error removing "
+ radlog(L_ERR, "rlm_sql_sqlite: Error removing "
"partially initialised database: %s",
strerror(errno));
}
radlog(L_ERR, "rlm_sql_sqlite: Failed creating "
"opening/creating SQLite database error "
"code (%u)", status);
-
+
return -1;
}
strlen(querystr), &conn->statement,
&z_tail);
#endif
-
+
conn->col_count = 0;
return sql_check_error(conn->db);
status = sqlite3_prepare(conn->db, querystr,
strlen(querystr), &conn->statement,
&z_tail);
-#endif
+#endif
status = sqlite3_step(conn->statement);
return sql_check_error(conn->db);
{
switch (sqlite3_column_type(conn->statement, i))
{
- case SQLITE_INTEGER:
+ case SQLITE_INTEGER:
row[i] = talloc_asprintf(row, "%d",
sqlite3_column_int(conn->statement, i));
break;
len = sqlite3_column_bytes(conn->statement, i);
MEM(row[i] = talloc_zero_array(row, char, len + 1));
- memcpy(row[i], p, len);
+ memcpy(row[i], p, len);
}
}
break;
UNUSED rlm_sql_config_t *config)
{
rlm_sql_sqlite_conn_t *conn = handle->conn;
-
+
if (conn->db) {
return sqlite3_changes(conn->db);
- }
+ }
return -1;
}
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sql.c
static const CONF_PARSER acct_section_config[] = {
{"reference", PW_TYPE_STRING_PTR,
- offsetof(sql_acct_section_t, reference), NULL, ".query"},
+ offsetof(sql_acct_section_t, reference), NULL, ".query"},
{"logfile", PW_TYPE_STRING_PTR,
offsetof(sql_acct_section_t, logfile), NULL, NULL},
-
+
{NULL, -1, 0, NULL, NULL}
};
*/
{"query_timeout", PW_TYPE_INTEGER,
offsetof(rlm_sql_config_t,query_timeout), NULL, NULL},
-
+
{NULL, -1, 0, NULL, NULL}
};
return 0;
}
-
+
numaffected = (inst->module->sql_affected_rows)(handle,
inst->config);
if (numaffected < 1) {
return 0;
}
-static int parse_sub_section(CONF_SECTION *parent,
+static int parse_sub_section(CONF_SECTION *parent,
rlm_sql_t *inst,
sql_acct_section_t **config,
rlm_components_t comp)
return -1;
}
- if (inst->config->groupmemb_query &&
+ if (inst->config->groupmemb_query &&
inst->config->groupmemb_query[0]) {
DEBUG("rlm_sql (%s): Registering sql_groupcmp for %s",
xlat_name, group_name);
*/
radlog(L_INFO, "rlm_sql (%s): Attempting to connect to database \"%s\"",
inst->config->xlat_name, inst->config->sql_db);
-
+
if (sql_socket_pool_init(inst) < 0) return -1;
- if (inst->config->groupmemb_query &&
+ if (inst->config->groupmemb_query &&
inst->config->groupmemb_query[0]) {
paircompare_register(PW_SQL_GROUP, PW_USER_NAME, sql_groupcmp, inst);
}
return RLM_MODULE_FAIL;
/*
- * Reserve a socket
+ * Reserve a socket
*
* After this point use goto error or goto release to cleanup sockets
* temporary pairlists and temporary attributes.
goto error;
/*
- * Query the check table to find any conditions associated with
+ * Query the check table to find any conditions associated with
* this user/realm/whatever...
*/
if (inst->config->authorize_check_query &&
/*
* Only do this if *some* check pairs were returned
*/
- if ((rows > 0) &&
+ if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0)) {
RDEBUG2("User found in radcheck table");
*
* If the reference matches multiple config items, and a query fails or
* doesn't update any rows, the next matching config item is used.
- *
+ *
*/
-static int acct_redundant(rlm_sql_t *inst, REQUEST *request,
+static int acct_redundant(rlm_sql_t *inst, REQUEST *request,
sql_acct_section_t *section)
{
int ret = RLM_MODULE_OK;
/*
* If rlm_sql_query cannot use the socket it'll try and
- * reconnect. Reconnecting will automatically release
+ * reconnect. Reconnecting will automatically release
* the current socket, and try to select a new one.
*
* If we get SQL_DOWN it means all connections in the pool
rad_assert(handle);
- /*
+ /*
* Assume all other errors are incidental, and just meant our
* operation failed and its not a client or SQL syntax error.
*/
rlm_sql_t *inst = instance;
if (inst->config->accounting) {
- return acct_redundant(inst, request, inst->config->accounting);
+ return acct_redundant(inst, request, inst->config->accounting);
}
return RLM_MODULE_NOOP;
return acct_redundant(inst, request, inst->config->postauth);
}
- return RLM_MODULE_NOOP;
+ return RLM_MODULE_NOOP;
}
/*
return -1;
}
- /*
+ /*
* We can't implement reconnect logic here, because the caller may require
* the original connection to free up queries or result sets associated with
* that connection.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sqlcounter.c
char *check_name; //!< Max-Daily-Session.
char *reply_name; //!< Session-Timeout.
char *key_name; //!< User-Name.
- char *sqlmod_inst; //!< Instance of SQL module to use,
+ char *sqlmod_inst; //!< Instance of SQL module to use,
//!< usually just 'sql'.
- char *query; //!< SQL query to retrieve current
+ char *query; //!< SQL query to retrieve current
//!< session time.
char *reset; //!< Daily, weekly, monthly,
//!< never or user defined.
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sqlhpwippool.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_sqlippool.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_unix.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_utf8.c
* IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
-
+
/**
* $Id$
* @file rlm_wimax.c
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*/
-
+
/**
* $Id$
* @file rlm_yubikey.c
* We only deal with whole bytes
*/
if (hex[(i << 1) + 1] == '\0')
- return -1;
+ return -1;
if (!(c1 = memchr(modhextab, tolower((int) hex[i << 1]), 16)) ||
!(c2 = memchr(modhextab, tolower((int) hex[(i << 1) + 1]), 16)))
}
key = pairfind(request->config_items, PW_YUBIKEY_KEY, 0,
- TAG_ANY);
+ TAG_ANY);
if (!key) {
RDEBUGE("Yubikey-Key attribute not found in control "
"list, can't decrypt OTP data");
RDEBUG2("Private ID : 0x%s", private_id);
RDEBUG2("Session counter : %u", yubikey_counter(token.ctr));
RDEBUG2("# used in session : %u", token.use);
- RDEBUG2("Token timetamp : %u",
+ RDEBUG2("Token timetamp : %u",
(token.tstph << 16) | token.tstpl);
RDEBUG2("Random data : %u", token.rnd);
RDEBUG2("CRC data : 0x%x", token.crc);