New upstream version 3.0.17+dfsg
Michael Stapelberg
5 years ago
19 | 19 | It is not for support requests or questions regarding configuration/operation of the server, they |
20 | 20 | belong on the users mailing list: |
21 | 21 | |
22 | http://freeradius.org/list/users.html | |
22 | https://freeradius.org/support/ | |
23 | 23 | |
24 | 24 | Raising support requests or questions as issues will result in them being closed and locked. If you |
25 | 25 | continue to raise these questions as issues you will be banned from the FreeRADIUS project's GitHub |
46 | 46 | |
47 | 47 | 3.CONTENTS OF A DEFECT REPORT |
48 | 48 | |
49 | See doc/bugs (https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/bugs) for information | |
49 | See doc/bugs (https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/bugs) for information | |
50 | 50 | on what to include, and how to obtain it. |
51 | 51 | |
52 | 52 | When logging bug reports using the GitHub issue tracker, pay attention to formatting. You should |
61 | 61 | a member of the FreeRADIUS development team first. For simpler one or two line fixes, go ahead and |
62 | 62 | open a pull-request immediately. |
63 | 63 | |
64 | The dev team can be contacted via the devel mailing list (http://freeradius.org/list/devel.html), | |
64 | The dev team can be contacted via the devel mailing list (https://freeradius.org/support/), | |
65 | 65 | or via GitHub by using the GitHub issue tracker. |
66 | 66 | |
67 | 67 | Contacting the dev team gives us the opportunity to offer feedback. We may have a solution to your |
68 | 68 | problem that doesn't require additional code, or may have ideas as to how your problem can be solved |
69 | in a way that will better fit with the longterm vision for the server. | |
69 | in a way that will better fit with the long-term vision for the server. | |
70 | 70 | |
71 | 71 | Once you've got the go ahead, read through the coding standards document: |
72 | 72 | |
73 | http://wiki.freeradius.org/contributing/coding-standards | |
73 | https://wiki.freeradius.org/contributing/coding-standards | |
74 | 74 | |
75 | 75 | If you're creating a new module you may wish to read the module creation guide: |
76 | 76 | |
77 | http://wiki.freeradius.org/contributing/Modules3 | |
77 | https://wiki.freeradius.org/contributing/Modules3 | |
78 | 78 | |
79 | 79 | You may also wish to utilise the doxygen site to review code documentation: |
80 | 80 | |
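Review bot: the devel-list link is replaced with https://freeradius.org/support/, the same generic page the users list now points to a few lines earlier, so the sentence "The dev team can be contacted via the devel mailing list (https://freeradius.org/support/)" no longer links to the devel list itself; either keep a direct list URL or reword to "via the mailing lists listed at https://freeradius.org/support/". The http to https changes for the wiki links are fine.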
88 | 88 | Git/GitHub knowledge is assumed. If you're wondering what the heck a pull-request is, this |
89 | 89 | document may be of some use: |
90 | 90 | |
91 | http://wiki.freeradius.org/contributing/GitHub | |
91 | https://wiki.freeradius.org/contributing/GitHub | |
92 | 92 | |
93 | 93 | |
94 | 94 | 5.CONTINUOUS INTEGRATION TESTS |
41 | 41 | files for more detailed copyright statements. |
42 | 42 | |
43 | 43 | |
44 | Copyright (C) 1999-2015 The FreeRADIUS Server Project | |
44 | Copyright (C) 1999-2018 The FreeRADIUS Server Project | |
45 | 45 | |
46 | 46 | Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Alan DeKok |
47 | 47 | <aland@deployingradius.com> |
50 | 50 | Software Foundation, Inc. |
51 | 51 | |
52 | 52 | Copyright (C) 2011-2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org> |
53 | ||
54 | Copyright (C) 2012-2018 Matthew Newton <matthew-git@newtoncomputing.co.uk> | |
53 | 55 | |
54 | 56 | Copyright (C) 2003, 2004, 2005 Kostas Kalevras <kkalev@noc.ntua.gr> |
55 | 57 |
0 | 0 | Please see: |
1 | http://wiki.freeradius.org/project/Acknowledgements | |
1 | https://wiki.freeradius.org/project/Acknowledgements |
301 | 301 | @echo "git tag release_`echo $(RADIUSD_VERSION_STRING) | tr .- __`" |
302 | 302 | |
303 | 303 | # |
304 | # Docker-related targets | |
305 | # | |
306 | .PHONY: docker | |
307 | docker: | |
308 | docker build scripts/docker/ubuntu16 --build-arg=release=release_`echo $(RADIUSD_VERSION_STRING) | tr .- __` -t freeradius/freeradius-server:$(RADIUSD_VERSION_STRING) | |
309 | docker build scripts/docker/alpine --build-arg=release=release_`echo $(RADIUSD_VERSION_STRING) | tr .- __` -t freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)-alpine | |
310 | ||
311 | .PHONY: docker-push | |
312 | docker-push: docker | |
313 | docker push freeradius/freeradius-server:$(RADIUSD_VERSION_STRING) | |
314 | docker push freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)-alpine | |
315 | ||
316 | .PHONY: docker-tag-latest | |
317 | docker-tag-latest: docker | |
318 | docker tag freeradius/freeradius-server:$(RADIUSD_VERSION_STRING) freeradius/freeradius-server:latest | |
319 | ||
320 | .PHONY: docker-push-latest | |
321 | docker-push-latest: docker-push docker-tag-latest | |
322 | docker push freeradius/freeradius-server:latest | |
323 | ||
324 | .PHONY: docker-publish | |
325 | docker-publish: docker-push-latest | |
326 | ||
327 | # | |
304 | 328 | # Build a debian package |
305 | 329 | # |
306 | 330 | .PHONY: deb |
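Review bot: both "docker build" lines build from the git tag release_<version> (the --build-arg=release=release_`echo $(RADIUSD_VERSION_STRING) | tr .- __` argument, matching the tag name echoed in the release target just above) rather than from the working tree, so "make docker" on an untagged or unpushed checkout does not build what is checked out; the comment block should say the tag must exist and be reachable by the Dockerfiles. Separately, docker-tag-latest retags whatever $(RADIUSD_VERSION_STRING) is as "latest" unconditionally, so running docker-publish from a maintenance branch re-points "latest" at an older release; guard that target or document that it is only to be run from the newest release branch.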
310 | 334 | # Developer checks |
311 | 335 | .PHONY: warnings |
312 | 336 | warnings: |
313 | @(make clean all 2>&1) | egrep -v '^/|deprecated|^In file included|: In function| from |^HEADER|^CC|^LINK' > warnings.txt | |
337 | @(make clean all 2>&1) | egrep -v '^/|deprecated|^In file included|: In function| from |^HEADER|^CC|^LN' > warnings.txt | |
314 | 338 | @wc -l warnings.txt |
315 | 339 | |
316 | 340 | # |
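Review bot: the egrep filter change from '^LINK' to '^LN' has to match the new build output prefix exactly, otherwise link-step lines start counting as warnings in warnings.txt. The same filter still drops every line containing "deprecated", which hides deprecated-API warnings (OpenSSL's, for example) that are exactly the ones a warnings report should surface; consider removing that pattern from the exclusion or writing those lines to a second file.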
37 | 37 | version, in order to take advantage of the new features which can |
38 | 38 | greatly simply configuration. |
39 | 39 | |
40 | Please see http://freeradius.org and http://wiki.freeradius.org for | |
40 | Please see https://freeradius.org and https://wiki.freeradius.org for | |
41 | 41 | more information. |
42 | 42 | |
43 | 43 | |
88 | 88 | which includes WARNINGs about common issues, and suggestions for how |
89 | 89 | they may be fixed. |
90 | 90 | |
91 | Read the FAQ. Many questions are answered there. See the Wiki | |
91 | Many questions are answered on the Wiki: | |
92 | 92 | |
93 | http://wiki.freeradius.org | |
93 | https://wiki.freeradius.org | |
94 | 94 | |
95 | Read the configuration files. Many parts of the server have NO | |
96 | documentation, other than comments in the configuration file. | |
95 | Read the configuration files. Many parts of the server are | |
96 | documented only with extensive comments in the configuration files. | |
97 | 97 | |
98 | Search the mailing lists. There is a Google link on the bottom of | |
99 | the page: | |
98 | Search the mailing lists. For example, using Google, searching | |
99 | "site:lists.freeradius.org <search term>" will return results from | |
100 | the FreeRADIUS mailing lists. | |
100 | 101 | |
101 | http://www.freeradius.org/list/users.html | |
102 | ||
103 | Type some key words into the search box, and you should find | |
104 | discussions about common problems and solution. | |
102 | https://freeradius.org/support/ | |
105 | 103 | |
106 | 104 | |
107 | 105 | Feedback, Defects, and Community Support |
109 | 107 | |
110 | 108 | If you have any comments, or are having difficulty getting FreeRADIUS |
111 | 109 | to do what you want, please post to the 'freeradius-users' list |
112 | (see the URL above). The FreeRADIUS mailing list is operated and | |
110 | (see the URL above). The FreeRADIUS mailing list is operated, and | |
113 | 111 | contributed to, by the FreeRADIUS community. Users of the list will be |
114 | 112 | more than happy to answer your questions, with the caveat that you've |
115 | 113 | read documentation relevant to your issue first. |
117 | 115 | If you suspect a defect in the server, would like to request a feature, |
118 | 116 | or submit a code patch, please use the GitHub issue tracker for the |
119 | 117 | freeradius-server `repository |
120 | <https://github.com/FreeRADIUS/freeradius-server>`_. | |
118 | <https://github.com/FreeRADIUS/freeradius-server>`_. However, it | |
119 | is nearly always best to raise the issue on the mailing lists | |
120 | first to determine whether it really is a defect or missing | |
121 | feature.. | |
121 | 122 | |
122 | 123 | Instructions for gathering data for defect reports can be found in |
123 | 124 | ``doc/bugs`` or on the `wiki |
124 | <http://wiki.freeradius.org/project/bug-reports>`_. | |
125 | <https://wiki.freeradius.org/project/bug-reports>`_. | |
125 | 126 | |
126 | 127 | Under no circumstances should the issue tracker be used for support |
127 | 128 | requests, those questions belong on the user's mailing list. If you |
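Review bot: the added sentence ends with a doubled full stop ("missing feature..") and should read "missing feature.". The advice to raise suspected defects on the mailing list first is sound for ordinary bugs, but this paragraph is also where a reader looking to report a security problem will land; a short note that security issues should be reported privately rather than on the public list would be worth adding here.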
157 | 158 | See ``doc/README`` for more information about FreeRADIUS. |
158 | 159 | |
159 | 160 | There is an O'Reilly book available. It serves as a good |
160 | introduction for anyone new to RADIUS. However, it is almost 12 years | |
161 | introduction for anyone new to RADIUS. However, it is almost 18 years | |
161 | 162 | old, and is not much more than a basic introduction to the subject. |
162 | 163 | |
163 | http://www.amazon.com/exec/obidos/ASIN/0596003226/freeradiusorg-20/ | |
164 | https://www.amazon.com/exec/obidos/ASIN/0596003226/freeradiusorg-20/ | |
164 | 165 | |
165 | 166 | Commercial support |
166 | 167 | ------------------ |
167 | 168 | |
168 | 169 | Technical support, managed systems support, custom deployments, |
169 | 170 | sponsored feature development and many other commercial services |
170 | are available from `Network RADIUS | |
171 | <http://www.networkradius.com>`_. | |
171 | are available from `Network RADIUS <http://www.networkradius.com>`_. | |
172 | 172 | |
173 | 173 | |
174 | 174 | .. |CoverityStatus| image:: https://scan.coverity.com/projects/58/badge.svg? |
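Review bot: "almost 18 years old" in the O'Reilly book paragraph is a hard-coded age that was already stale once (the old text said 12) and will be again; stating the publication year instead removes the recurring edit. The Network RADIUS link in the commercial support paragraph is left as plain http://www.networkradius.com while the other links in this change were moved to https; worth making consistent.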
4328 | 4328 | fi |
4329 | 4329 | |
4330 | 4330 | |
4331 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking or the compiler flag \"-Wno-unknown-warning-option\"" >&5 | |
4332 | $as_echo_n "checking or the compiler flag \"-Wno-unknown-warning-option\"... " >&6; } | |
4331 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the compiler flag \"-Wno-unknown-warning-option\"" >&5 | |
4332 | $as_echo_n "checking for the compiler flag \"-Wno-unknown-warning-option\"... " >&6; } | |
4333 | 4333 | if ${ax_cv_cc_no_unknown_warning_option_flag+:} false; then : |
4334 | 4334 | $as_echo_n "(cached) " >&6 |
4335 | 4335 | else |
4427 | 4427 | CFLAGS="$CFLAGS -Qunused-arguments" |
4428 | 4428 | LDFLAGS="$LDFLAGS -Qunused-arguments" |
4429 | 4429 | fi |
4430 | ||
4431 | ||
4432 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the compiler flag \"-Wno-date-time\"" >&5 | |
4433 | $as_echo_n "checking for the compiler flag \"-Wno-date-time\"... " >&6; } | |
4434 | if ${ax_cv_cc_no_date_time_flag+:} false; then : | |
4435 | $as_echo_n "(cached) " >&6 | |
4436 | else | |
4437 | ||
4438 | ||
4439 | CFLAGS_SAVED=$CFLAGS | |
4440 | CFLAGS="$CFLAGS -Werror -Wno-date-time" | |
4441 | ||
4442 | ac_ext=c | |
4443 | ac_cpp='$CPP $CPPFLAGS' | |
4444 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
4445 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
4446 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
4447 | ||
4448 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
4449 | /* end confdefs.h. */ | |
4450 | ||
4451 | int | |
4452 | main () | |
4453 | { | |
4454 | return 0; | |
4455 | ; | |
4456 | return 0; | |
4457 | } | |
4458 | _ACEOF | |
4459 | if ac_fn_c_try_compile "$LINENO"; then : | |
4460 | ax_cv_cc_no_date_time_flag="yes" | |
4461 | else | |
4462 | ax_cv_cc_no_date_time_flag="no" | |
4463 | fi | |
4464 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
4465 | ac_ext=c | |
4466 | ac_cpp='$CPP $CPPFLAGS' | |
4467 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
4468 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
4469 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
4470 | ||
4471 | ||
4472 | CFLAGS="$CFLAGS_SAVED" | |
4473 | ||
4474 | fi | |
4475 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_cc_no_date_time_flag" >&5 | |
4476 | $as_echo "$ax_cv_cc_no_date_time_flag" >&6; } | |
4477 | ||
4430 | 4478 | |
4431 | 4479 | # Check whether --enable-largefile was given. |
4432 | 4480 | if test "${enable_largefile+set}" = set; then : |
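Review bot: this is generated code, and the new -Wno-date-time probe must stay identical to AX_CC_NO_DATE_TIME_FLAG in the m4 source; the "checking or the compiler flag" to "checking for the compiler flag" fix just above shows that configure and its m4 source have drifted before. Regenerating configure from configure.ac rather than editing both by hand is the safer workflow, and the probe body's duplicated "return 0; ; return 0;" is the usual autoconf expansion and needs no change.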
12728 | 12776 | |
12729 | 12777 | |
12730 | 12778 | |
12731 | if test "x$reproducible_builds" != "xyes"; then | |
12779 | if test "x$ax_cv_cc_no_date_time_flag" = "xyes" && test "x$reproducible_builds" != "xyes"; then | |
12732 | 12780 | CFLAGS="-Wno-date-time $CFLAGS" |
12733 | 12781 | fi |
12734 | 12782 |
162 | 162 | CFLAGS="$CFLAGS -Qunused-arguments" |
163 | 163 | LDFLAGS="$LDFLAGS -Qunused-arguments" |
164 | 164 | fi |
165 | ||
166 | dnl # | |
167 | dnl # Check for presence of -Wno-date-time warning. Older compilers | |
168 | dnl # don't have it, and newer compilers warn without it... | |
169 | dnl # | |
170 | AX_CC_NO_DATE_TIME_FLAG | |
165 | 171 | |
166 | 172 | dnl # |
167 | 173 | dnl # Compile in large (2G+) file support. |
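Review bot: the dnl comment "Older compilers don't have it, and newer compilers warn without it" should say where the warning actually comes from: GCC does not enable -Wdate-time by default, it is typically injected by build-system or distribution flags, and the warning fires on uses of __DATE__ and __TIME__ that make binaries non-reproducible. Spelling that out tells the reader why the flag probe exists and why it is tied to the reproducible_builds setting further down.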
2243 | 2249 | dnl # If reproducible builds are not enabled, disable |
2244 | 2250 | dnl # -Wdate-time so the compiler doesn't croak. |
2245 | 2251 | dnl # |
2246 | if test "x$reproducible_builds" != "xyes"; then | |
2252 | if test "x$ax_cv_cc_no_date_time_flag" = "xyes" && test "x$reproducible_builds" != "xyes"; then | |
2247 | 2253 | CFLAGS="-Wno-date-time $CFLAGS" |
2248 | 2254 | fi |
2249 | 2255 |
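Review bot: the comment above the conditional ("If reproducible builds are not enabled, disable -Wdate-time so the compiler doesn't croak.") no longer describes the condition, which now also requires "x$ax_cv_cc_no_date_time_flag" = "xyes"; update it so the two conditions are both explained. The behaviour itself is right: with reproducible builds enabled the warning stays on, so any __DATE__/__TIME__ use that would break reproducibility is reported rather than silenced.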
0 | FreeRADIUS 3.0.17 Tue 17 Apr 2018 14:00:00 EDT urgency=low | |
1 | Feature improvements | |
2 | * Add CURLOPT_CAINFO. Patch from Nicolas C. | |
3 | #2167 | |
4 | * "stats home server" now supports "src IPADDR", | |
5 | to specify home server also by source IP. Fixes #2169. | |
6 | * Add Dockerfiles for a selection of common systems. | |
7 | * Increase number of permitted file descriptors, for | |
8 | systems with many home servers. | |
9 | * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs. | |
10 | Patch from Isaac Boukris. Fixes #2205. | |
11 | * Update main READMEs. Patches from Matthew Newton. | |
12 | * Added dictionary.mimosa | |
13 | ||
14 | Bug fixes | |
15 | * Don't call post-proxy twice when proxying to | |
16 | a virtual server. Matthew Newton, #2161. | |
17 | * Use "raw" string value for shared secrets and dynamic clients. | |
18 | It now parses strings with backslashes and "special characters" | |
19 | correctly. Fixes #2168. | |
20 | * Fix RuntimeDirectory for RedHat, from Alan Buxey. | |
21 | * Relax checks in 'if' parser from Isaac Bourkis | |
22 | * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. | |
23 | * Be more aggressive about cleaning up cached certificate attributes, | |
24 | due to deficiencies in OpenSSL. Reported by Nicolas Reich. | |
25 | * Be more accepting when parsing IPv6 addresses. Bug noted | |
26 | by Klara Mall. | |
27 | * Fix double free in rlm_sql. Fixes #2180. | |
28 | * rlm_detail now writes empty Access-Accept packets. | |
29 | * rlm_python can now create tagged attributes. | |
30 | * Don't crash on duplicate realm + authhost / accthost. | |
31 | Bug found by Richard Palmer. | |
32 | * Allow partial certificate chain to trusted CA. Fixes #2162 | |
33 | * Treat SSL_read() returning zero as error. Fixes #2164. | |
34 | * detail writer now checks if the file was renamed or deleted. | |
35 | * Add User-Name to Access-Accept if EAP-Message exists, | |
36 | not Stripped-User-Name. | |
37 | * RedHat Systemd updates. Fixes #2184 | |
38 | * Use correct API for State variable in rlm_securid. | |
39 | * Remove broken radclient option "-i". | |
40 | * Fix "users" file (and hints, etc). So that it does not | |
41 | get confused about entry ordering with multiple $INCLUDEs. | |
42 | * Fix rlm_sql to expand the un-escaped string, not the raw string. | |
43 | * Link default and inner-tunnel only if they exist. Fixes #2206. | |
44 | * Don't use both IP_PKTINFO and IP_SENDSRCADDR. | |
45 | * Always install signal handler for SIGINT (needed by Docker). | |
46 | * Fix intermediate CA flow for OCSP. Fixes #2160. | |
47 | Intermediate certs which are not self-signed will now be | |
48 | checked. | |
49 | * sqlippool now returns "fail" if it fails IP allocation. | |
50 | * Fix rlm_yubikey to look for correct attribute in replay | |
51 | attack check. | |
52 | ||
0 | 53 | FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low |
1 | 54 | Feature improvements |
2 | 55 | * rlm_python now supports multiple lists. From #2031. |
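Review bot: the entry "Relax checks in 'if' parser from Isaac Bourkis" misspells the contributor's name, which appears as "Isaac Boukris" in two other entries of the same block. Several bug-fix entries change TLS trust evaluation ("Allow partial certificate chain to trusted CA", "Treat SSL_read() returning zero as error", "Fix intermediate CA flow for OCSP" with non-self-signed intermediates now checked); those deserve a pointer in the release notes, since operators verifying EAP-TLS client certificates will want to know that verification behaviour changed between 3.0.16 and 3.0.17.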
0 | 0 | 1. INTRO |
1 | 1 | |
2 | The FreeRADIUS Server Project is a high performance and highly | |
3 | configurable multi-protocol policy server, supporting RADIUS, DHCPv4 | |
4 | and VMPS. It is available under the terms of the GNU GPLv2. | |
5 | ||
2 | 6 | All code in this server was written for this project. |
3 | ||
4 | The server is mostly compatible with Livingston radiusd-2.01 | |
5 | (no menus or s/key support though) but with more features, such as: | |
6 | ||
7 | o Can limit the maximum number of simultaneous logins on a per-user basis! | |
8 | o Multiple DEFAULT entries, that can optionally fall-through. | |
9 | o In fact, every entry can fall-through | |
10 | o Deny/permit access based on huntgroup users dials into | |
11 | o Set certain parameters (such as static IP address) based on huntgroup | |
12 | o Extra "hints" file that can select SLIP/PPP/rlogin based on | |
13 | username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc). | |
14 | o Can execute an external program when user has authenticated (for example | |
15 | to run a sendmail queue). | |
16 | o Can use `$INCLUDE filename' in radiusd.conf, users, and dictionary files | |
17 | o Can act as a proxy server, relaying requests to a remote server | |
18 | o Supports Vendor-Specific attributes | |
19 | o Supports many different plug-in modules for authentication, | |
20 | authorization, and accounting. | |
21 | 7 | |
22 | 8 | |
23 | 9 | 2. INSTALLATION |
27 | 13 | |
28 | 14 | 3. CONFIGURATION FILES |
29 | 15 | |
30 | For every file there is a fully commented example file included, that | |
31 | explains what is does, and how to use it. Read those sample files too! | |
16 | Much of the server documentation is included only in the comments in the | |
17 | configuration files. Reading the configuration files is REQUIRED to fully | |
18 | understand how to create complex configurations of the server. | |
32 | 19 | |
33 | Again, many of the configuration files are ONLY documented in the | |
34 | comments included in the files. Reading the configuration files is | |
35 | REQUIRED to fully understand how to create complex configurations of | |
36 | the server. | |
20 | 3a. 'clients.conf' | |
37 | 21 | |
38 | 3a. CLIENTS | |
22 | Make sure the clients (NAS, switches, access points etc) are set up to | |
23 | use the host radiusd is running on as authentication and accounting host. | |
24 | Configure these clients with a "radius secret", which should also be | |
25 | entered into the client definition in /etc/raddb/clients.conf. | |
26 | See also the manual page for clients.conf(5). | |
39 | 27 | |
40 | Make sure the clients (portmasters, Linux with portslave etc) are set up to | |
41 | use the host radiusd is running on as authentication and accounting host. | |
42 | Configure these clients to use a "radius secret password". For every client, | |
43 | also enter this "secret password" into the file /etc/raddb/clients. | |
44 | See also the manual page for clients(5). | |
28 | 3b. 'users' | |
45 | 29 | |
46 | 3b. NASLIST | |
47 | ||
48 | Every NAS (Network Access Server, also known as terminal server) should have | |
49 | an entry in this file with an abbreviated name and the type of NAS it | |
50 | is. Currently FreeRADIUS supports the following NAS types: | |
51 | ||
52 | Terminal Server Type in naslist | |
53 | ||
54 | 3Com/USR Hiper Arc Total Control usrhiper | |
55 | 3Com/USR NetServer netserver | |
56 | 3Com/USR TotalControl tc | |
57 | Ascend Max 4000 family max40xx | |
58 | Cisco Access Server family cisco | |
59 | Cistron PortSlave portslave | |
60 | Computone PowerRack computone | |
61 | Cyclades PathRAS pathras | |
62 | Livingston PortMaster livingston | |
63 | Multitech CommPlete Server multitech | |
64 | Patton 2800 family patton | |
65 | ||
66 | Usually this is the same list as in the "clients" file, but not every | |
67 | NAS is a client and not every client is a NAS (this will start to make | |
68 | sense if you use radius proxy servers). | |
69 | ||
70 | 3c. NASPASSWD | |
71 | ||
72 | If ``checkrad'' needs to login on your terminal server to check who | |
73 | is online on a certain port (i.e. it's not possible to use SNMP or | |
74 | finger) you need to define a loginname and password here. | |
75 | ||
76 | This is normally ONLY needed for USR/3Com Total Control, NetServer and | |
77 | Cyclades PathRAS terminal servers! | |
78 | ||
79 | 3d. HINTS | |
80 | ||
81 | Customize the /etc/raddb/mods-config/preprocess/hints file. This file is | |
82 | used to give users different login type based on a prefix/suffix of their | |
83 | loginname. For example, logging in as "user" may result in a rlogin session | |
84 | to a Unix system, and logging in as "Puser" could start a PPP session. | |
85 | ||
86 | 3e. HUNTGROUPS | |
87 | ||
88 | This is the /etc/raddb/mods-config/preprocess/huntgroups file. Here you can | |
89 | define different huntgroups. These can be used to: | |
90 | ||
91 | - restrict access to certain huntgroups to certain users/groups of | |
92 | users (define this in the huntgroups file itself) | |
93 | - match a loginname with a huntgroup in /etc/raddb/users. One use | |
94 | for this is to give a user a static IP address based on the | |
95 | huntgroup / Point of Presence (s)he dials in to. | |
96 | ||
97 | 3f. USERS | |
98 | ||
99 | With the original RADIUS server, every user had to be defined in this | |
100 | file. There could be one default entry, where you could for example | |
101 | define that a user not in the radius file would be checked agains the | |
102 | UNIX password file and on successful login would get a PPP connection. | |
103 | ||
104 | In the new style file, you can define multiple DEFAULT entries. All | |
105 | entries are processed in the order as they appear in the users file. | |
30 | Users may be defined in the "users" file (raddb/mods-config/files/authorize). | |
31 | All entries are processed in the order as they appear in the file. | |
106 | 32 | If an entry matches the username, radiusd will stop scanning the users |
107 | file unless the attribute "Fall-Through = Yes" is set. | |
33 | file (unless the attribute "Fall-Through = Yes" is set). | |
108 | 34 | |
109 | 35 | You can uses spaces in usernames by escaping them with \ or by using |
110 | 36 | quotes. For example, "joe user" or joe\ user. |
111 | 37 | |
112 | The FreeRADIUS server does not trim any spaces from a username received | |
113 | from the portmaster (Livingston does, in perl notation, $user =~ s/\s+.*//;) | |
38 | The 'users' file is read by the "rlm_files" module. | |
114 | 39 | |
115 | 3g. NEW RADIUS ATTRIBUTES (to be used in the USERS file). | |
40 | 3c. NEW RADIUS ATTRIBUTES (to be used in the USERS file). | |
116 | 41 | |
117 | 42 | Name Type Descr. |
118 | 43 | ---- ---- ------ |
207 | 132 | |
208 | 133 | The files in other directories are: |
209 | 134 | |
210 | debian/ Files to build a "freeradius" Debian Linux package. | |
135 | debian/ Files to build Debian Linux packages. | |
211 | 136 | |
212 | 137 | doc/ Various snippets of documentation |
213 | 138 | doc/rfc/ Copies of the RFC's. If you have Perl, do a 'make' in |
214 | 139 | that directory, and look at the HTML output. |
215 | ||
216 | libltdl/ Libtool platform independent library system. | |
217 | 140 | |
218 | 141 | man/ Unix Manual pages for the server, configuration files, |
219 | 142 | and associated utilities. |
220 | 143 | |
221 | 144 | mibs/ SNMP Mibs for the server. |
222 | 145 | |
223 | raddb/ Sample configuration files for the server. | |
146 | raddb/ Default configuration files for the server. | |
224 | 147 | |
225 | redhat/ Additional files for a RedHat Linux system. | |
148 | redhat/ Files to build RedHat RPM packages. | |
226 | 149 | |
227 | 150 | scripts/ Sample scripts for startup and maintenance. |
151 | ||
152 | share/ Attribute dictionaries. | |
228 | 153 | |
229 | 154 | src/ Source code |
230 | 155 | src/main source code for the daemon and associated utilities |
231 | 156 | src/lib source code for the RADIUS library |
232 | 157 | src/include header files |
233 | 158 | src/modules dynamic plug-in modules |
159 | src/tests test harness used by "make test" | |
234 | 160 | |
235 | suse/ Aditional files for a SuSE (UnitedLinux) system. | |
236 | ||
237 | todo/ TODO list and assorted files. | |
161 | suse/ Files to build SuSE RPM packages. | |
238 | 162 | |
239 | 163 | |
240 | 164 | If you have ANY problems, concerns, or surprises when running |
241 | 165 | the server, then run it in debugging mode, as root, from the |
242 | 166 | command line: |
243 | 167 | |
244 | $ radiusd -X | |
168 | # radiusd -X | |
245 | 169 | |
246 | 170 | It will produce a large number of messages. The answers to many |
247 | 171 | questions, and the solution to many problems, can usually be found in |
249 | 173 | |
250 | 174 | For further details, see: |
251 | 175 | |
252 | http://www.freeradius.org/faq/ | |
176 | https://freeradius.org/documentation/ | |
253 | 177 | |
254 | 178 | and the 'bugs' file, in this directory. |
255 | 179 |
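Review bot: the rewritten 3a section tells the reader to configure a "radius secret" on each NAS and enter it into /etc/raddb/clients.conf, but says nothing about choosing it; since the shared secret is the only thing authenticating a NAS to the server and is what hides User-Password in requests, one sentence recommending a long random secret, different per client, belongs here. The new section "3c. NEW RADIUS ATTRIBUTES (to be used in the USERS file)" keeps the old heading wording although the text above it now calls the file raddb/mods-config/files/authorize; align the heading with the new name. The change from "$ radiusd -X" to "# radiusd -X" matches the "as root" instruction above it and is correct.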
30 | 30 | |
31 | 31 | DEFAULT Called-Station-Id == "123456789", Autz-Type := Ldap |
32 | 32 | |
33 | DEFAULT Realm == "other.company.com", Autz-Type := SQL | |
33 | DEFAULT Realm == "other.example.com", Autz-Type := SQL | |
34 | 34 | |
35 | 35 | Autz-Type could also be used to select between multiple instances of |
36 | 36 | a module (ie sql or ldap) which have been configured differently. For |
33 | 33 | ]) |
34 | 34 | |
35 | 35 | AC_DEFUN([AX_CC_NO_UNKNOWN_WARNING_OPTION_FLAG],[ |
36 | AC_CACHE_CHECK([or the compiler flag "-Wno-unknown-warning-option"], [ax_cv_cc_no_unknown_warning_option_flag],[ | |
36 | AC_CACHE_CHECK([for the compiler flag "-Wno-unknown-warning-option"], [ax_cv_cc_no_unknown_warning_option_flag],[ | |
37 | 37 | |
38 | 38 | CFLAGS_SAVED=$CFLAGS |
39 | 39 | CFLAGS="-Werror -Wno-unknown-warning-option" |
89 | 89 | [return 0;], |
90 | 90 | [ax_cv_cc_wdocumentation_flag="yes"], |
91 | 91 | [ax_cv_cc_wdocumentation_flag="no"]) |
92 | AC_LANG_POP | |
93 | ||
94 | CFLAGS="$CFLAGS_SAVED" | |
95 | ]) | |
96 | ]) | |
97 | ||
98 | AC_DEFUN([AX_CC_NO_DATE_TIME_FLAG],[ | |
99 | AC_CACHE_CHECK([for the compiler flag "-Wno-date-time"], [ax_cv_cc_no_date_time_flag],[ | |
100 | ||
101 | CFLAGS_SAVED=$CFLAGS | |
102 | CFLAGS="$CFLAGS -Werror -Wno-date-time" | |
103 | ||
104 | AC_LANG_PUSH(C) | |
105 | AC_TRY_COMPILE( | |
106 | [], | |
107 | [return 0;], | |
108 | [ax_cv_cc_no_date_time_flag="yes"], | |
109 | [ax_cv_cc_no_date_time_flag="no"]) | |
92 | 110 | AC_LANG_POP |
93 | 111 | |
94 | 112 | CFLAGS="$CFLAGS_SAVED" |
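Review bot: the new AX_CC_NO_DATE_TIME_FLAG probe sets CFLAGS="$CFLAGS -Werror -Wno-date-time", appending to the inherited flags, whereas AX_CC_NO_UNKNOWN_WARNING_OPTION_FLAG above uses CFLAGS="-Werror -Wno-unknown-warning-option" and replaces them. Appending has two side effects: if CFLAGS already carries -Wno-unknown-warning-option (clang), the probe reports "yes" even on a compiler that does not know -Wno-date-time, and any user-supplied CFLAGS that produce a warning fail the probe under -Werror for unrelated reasons. Probing with the minimal flag set, as the sibling macro does, avoids both; the "[or the compiler flag" to "[for the compiler flag" message fix is fine.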
659 | 659 | Dialup_admin |
660 | 660 | ------------ |
661 | 661 | |
662 | The dialip_admin directory has been removed. No one stepped forward | |
662 | The dialup_admin directory has been removed. No one stepped forward | |
663 | 663 | to maintain it, and the code had not been changed in many years. |
664 | 664 |
437 | 437 | chase_referrals = yes |
438 | 438 | rebind = yes |
439 | 439 | |
440 | # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page). | |
441 | # Note - uncomment when using GSS-API sasl mechanism along with TLS | |
442 | # encryption against Active-Directory LDAP servers (this disables | |
443 | # sealing and signing at the GSS level as required by AD). | |
444 | #sasl_secprops = 'noanonymous,noplain,maxssf=0' | |
445 | ||
440 | 446 | # Seconds to wait for LDAP query to finish. default: 20 |
441 | 447 | res_timeout = 10 |
442 | 448 |
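Review bot: the new comment recommends sasl_secprops = 'noanonymous,noplain,maxssf=0' for GSS-API against Active Directory but should state plainly that maxssf=0 switches off GSSAPI integrity and confidentiality protection and is therefore only acceptable when the connection is already protected by TLS; the comment mentions TLS only in passing, and an operator who copies the value onto a plain ldap:// connection ends up with unprotected directory traffic. Suggest a line such as "# Only set maxssf=0 when TLS is enabled; it disables SASL-level signing and sealing." directly above the commented-out setting.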
103 | 103 | |
104 | 104 | # |
105 | 105 | # Reference the Packet-Type (Access-Accept, etc.) If it doesn't |
106 | # exist, reference the "defaukt" entry. | |
106 | # exist, reference the "default" entry. | |
107 | 107 | # |
108 | 108 | # This is for "linelog" being used in the post-auth section |
109 | 109 | # If you want to use it in "authorize", you need to change |
54 | 54 | # attribute, and do prefix/suffix checks in order to obtain |
55 | 55 | # the "best" user name for the request. |
56 | 56 | # |
57 | # Depending on the AD / Samba configuration, you may also need to add: | |
58 | # | |
59 | # --allow-mschapv2 | |
60 | # | |
61 | # to the list of command-line options. | |
62 | # | |
57 | 63 | # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" |
58 | 64 | |
59 | 65 | # The default is to wait 10 seconds for ntlm_auth to |
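Review bot: the added comment says to add --allow-mschapv2 "Depending on the AD / Samba configuration" but not why; recent Samba releases refuse MSCHAPv2 through ntlm_auth unless it is explicitly allowed, so passing the flag re-enables an authentication method that Samba disables by default. Saying so in the comment lets the administrator make that trade-off knowingly instead of adding the flag until the errors stop.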
5 | 5 | # |
6 | 6 | # https://bugzilla.samba.org/show_bug.cgi?id=6563 |
7 | 7 | # |
8 | # Depending on the AD / Samba configuration, you may also need to add: | |
9 | # | |
10 | # --allow-mschapv2 | |
11 | # | |
12 | # to the list of command-line options. | |
13 | # | |
8 | 14 | exec ntlm_auth { |
9 | 15 | wait = yes |
10 | 16 | program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" |
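Review bot: same point as in the mschap module comment: explain why --allow-mschapv2 may be needed rather than just when. More important for this file, the context line program = "/path/to/ntlm_auth ... --username=%{mschap:User-Name} --password=%{User-Password}" passes the user's cleartext password on the command line, where it is visible to any local account through the process list for the lifetime of the helper; the new comment block is the natural place to warn about that and to point at the mschap module's invocation, which hands ntlm_auth the challenge and NT-Response instead of the password.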
4 | 4 | # server. |
5 | 5 | # |
6 | 6 | tls { |
7 | # ca_file = ${certdir}/cacert.pem | |
8 | # ca_path = ${certdir} | |
7 | # Certificate Authorities: | |
8 | # "ca_file" (libcurl option CURLOPT_ISSUERCERT). | |
9 | # File containing a single CA, which is the issuer of the server | |
10 | # certificate. | |
11 | # "ca_info_file" (libcurl option CURLOPT_CAINFO). | |
12 | # File containing a bundle of certificates, which allow to handle | |
13 | # certificate chain validation. | |
14 | # "ca_path" (libcurl option CURLOPT_CAPATH). | |
15 | # Directory holding CA certificates to verify the peer with. | |
16 | # ca_file = ${certdir}/cacert.pem | |
17 | # ca_info_file = ${certdir}/cacert_bundle.pem | |
18 | # ca_path = ${certdir} | |
9 | 19 | |
10 | 20 | # certificate_file = /path/to/radius.crt |
11 | 21 | # private_key_file = /path/to/radius.key |
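Review bot: the new comment describes ca_file as CURLOPT_ISSUERCERT, "File containing a single CA, which is the issuer of the server certificate", but should make clear that this option only adds an issuer check on top of normal peer verification and does not make that CA a trust anchor; trust anchors come from ca_info_file (CURLOPT_CAINFO) or ca_path (CURLOPT_CAPATH), so an operator who sets only ca_file for a private CA will still fail verification against the default bundle. A one-line note that ca_info_file is the option to set for a private CA would prevent that, and "which allow to handle certificate chain validation" should read "which allows certificate chain validation".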
41 | 41 | # by putting IPv6 addresses into the pool, and changing the following |
42 | 42 | # line to "Framed-IPv6-Prefix" |
43 | 43 | # |
44 | # Note that you MUST use separate pools for each attribute. i.e. one pool | |
45 | # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc. | |
46 | # | |
47 | # This means configuring separate "sqlippool" instances, and different | |
48 | # "ippool_table" in SQL. Then, populate the pool with addresses and | |
49 | # it will all just work. | |
50 | # | |
44 | 51 | attribute_name = Framed-IP-Address |
45 | 52 | |
46 | 53 | # |
47 | # Assign the IP address, even if the attribute already exists | |
54 | # Assign the IP address, even if the above attribute already exists | |
55 | # in the reply. | |
48 | 56 | # |
49 | 57 | # allow_duplicates = no |
50 | 58 |
0 | 0 | -- |
1 | 1 | -- Table structure for table 'radippool' |
2 | 2 | -- |
3 | CREATE TABLE ( | |
3 | CREATE TABLE radippool ( | |
4 | 4 | id int(11) PRIMARY KEY, |
5 | 5 | pool_name varchar(30) NOT NULL, |
6 | 6 | framedipaddress varchar(15) NOT NULL default '', |
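Review bot: with "CREATE TABLE radippool (" the statement is finally valid (the previous line had no table name and could never have been loaded), but framedipaddress varchar(15) fits only a dotted-quad IPv4 address, while the sqlippool comment in this same change says IPv6 prefixes can be pooled via a separate ippool_table. The IPv6 table needs a wider column, and the sqlippool comment or this schema should say so, otherwise IPv6 values will not fit.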
738 | 738 | # prefix or suffix. User names like "bob" will match this one. |
739 | 739 | # |
740 | 740 | #realm NULL { |
741 | # authhost = radius.company.com:1600 | |
742 | # accthost = radius.company.com:1601 | |
741 | # authhost = radius.example.com:1600 | |
742 | # accthost = radius.example.com:1601 | |
743 | 743 | # secret = testing123 |
744 | 744 | #} |
745 | 745 | |
747 | 747 | # This realm is for ALL OTHER requests. |
748 | 748 | # |
749 | 749 | #realm DEFAULT { |
750 | # authhost = radius.company.com:1600 | |
751 | # accthost = radius.company.com:1601 | |
750 | # authhost = radius.example.com:1600 | |
751 | # accthost = radius.example.com:1601 | |
752 | 752 | # secret = testing123 |
753 | 753 | #} |
754 | 754 |
0 | D /var/run/radiusd 0710 radiusd radiusd - |
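Review bot: the tmpfiles entry "D /var/run/radiusd 0710 radiusd radiusd -" uses the legacy path; on systemd systems /var/run is a symlink to /run and tmpfiles.d entries conventionally use /run/radiusd. The D type, which also clears the directory's contents at boot, is appropriate for a pid and socket directory, and mode 0710 with group radiusd keeps the directory out of reach of other local users, which is the right default.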
25 | 25 | |
26 | 26 | Summary: High-performance and highly configurable free RADIUS server |
27 | 27 | Name: freeradius |
28 | Version: 3.0.16 | |
28 | Version: 3.0.17 | |
29 | 29 | Release: 2%{?dist} |
30 | 30 | License: GPLv2+ and LGPLv2+ |
31 | 31 | Group: System Environment/Daemons |
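Review bot: `Version:` moves to 3.0.17 but `Release: 2%{?dist}` is carried over from the 3.0.16 spec; a new upstream version normally resets the release to `1%{?dist}`, otherwise 3.0.17-1 is skipped and the spec's history becomes harder to read. Nothing else in this hunk changes, so the bump itself looks fine.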
34 | 34 | Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2 |
35 | 35 | %if %{?_unitdir:1}%{!?_unitdir:0} |
36 | 36 | Source100: radiusd.service |
37 | Source104: freeradius-tmpfiles-conf | |
37 | 38 | %else |
38 | 39 | Source100: freeradius-radiusd-init |
39 | 40 | %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}} |
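Review bot: `Source104` jumps straight from `Source100` with nothing at 101 to 103; if the gap is deliberate (room for more unit-related sources) a comment would help, otherwise `Source101` is the natural number. While looking at this block: `Source0` is still fetched over plain `ftp://ftp.freeradius.org`, and the spec never checks the tarball against the detached signature the project publishes next to it, so the build trusts whatever the mirror returns. Switching the URL to https is a one-word change, and verifying the signature before `%setup` is what actually makes the package build trustworthy.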
57 | 58 | BuildRequires: zlib-devel |
58 | 59 | BuildRequires: net-snmp-devel |
59 | 60 | BuildRequires: net-snmp-utils |
60 | %{?el7:BuildRequires: samba-winbind-devel} | |
61 | %{?el7:BuildRequires: libwbclient-devel} | |
62 | %{?el7:BuildRequires: samba-devel} | |
61 | 63 | %{?el6:BuildRequires: samba4-devel} |
62 | 64 | BuildRequires: readline-devel |
63 | 65 | BuildRequires: libpcap-devel |
73 | 75 | Requires: readline |
74 | 76 | Requires: libtalloc |
75 | 77 | Requires: net-snmp |
76 | %{?el7:Requires: samba-libs} | |
77 | %{?el7:Requires: samba-winbind-clients} | |
78 | %{?el7:Requires: libwbclient} | |
78 | 79 | %{?el6:Requires: samba4-libs} |
79 | 80 | %{?el6:Requires: samba4-winbind-clients} |
80 | 81 | Requires: zlib |
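Review bot: the new `%{?el7:Requires: samba-libs}` and `%{?el7:Requires: libwbclient}` lines duplicate what rpm's automatic dependency generator already derives from the shared-library names the binaries are linked against, and hand-written copies tend to go stale when the Samba packaging is reshuffled. `samba-winbind-clients` is a different case: it supplies `ntlm_auth`, which rlm_mschap runs as an external program, so that dependency cannot be discovered from a library name and must stay explicit. Keep that one; drop the two library Requires, or add a comment saying why they are spelled out.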
387 | 388 | # For systemd based systems, that define _unitdir, install the radiusd unit |
388 | 389 | %if %{?_unitdir:1}%{!?_unitdir:0} |
389 | 390 | install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service |
391 | install -D -m 644 %{SOURCE104} $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d/radiusd.conf | |
390 | 392 | # For SystemV install the init script |
391 | 393 | %else |
392 | 394 | install -D -m 755 redhat/freeradius-radiusd-init $RPM_BUILD_ROOT/%{initddir}/radiusd |
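Review bot: `install -D -m 755 redhat/radiusd.service` gives the unit file an executable bit it does not need; unit files are data and should be 0644, as the new tmpfiles line correctly is. For the tmpfiles destination, `%{_tmpfilesdir}` (provided by the systemd RPM macros and expanding to /usr/lib/tmpfiles.d) is preferred over spelling out `%{_prefix}/lib/tmpfiles.d`, and using the same macro here and in the `%files` section keeps the two paths from drifting apart in a later edit.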
498 | 500 | |
499 | 501 | %if %{?_unitdir:1}%{!?_unitdir:0} |
500 | 502 | %{_unitdir}/radiusd.service |
503 | %config(noreplace) %{_prefix}/lib/tmpfiles.d/radiusd.conf | |
501 | 504 | %else |
502 | 505 | %{initddir}/radiusd |
503 | 506 | %endif |
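Review bot: `%config(noreplace)` on `%{_prefix}/lib/tmpfiles.d/radiusd.conf` is the wrong attribute for a file under /usr/lib. That tree is vendor-owned and administrator overrides belong in /etc/tmpfiles.d, so marking it as config means a corrected fragment in a later package (for instance one that aligns the mode with the unit file) would be parked as `.rpmnew` instead of applied. List it as a plain file. The packaging guidelines also expect a `systemd-tmpfiles --create radiusd.conf` call in `%post` so the directory exists immediately after installation rather than after the next boot; `RuntimeDirectory=` in the unit happens to cover the systemd case, but the spec should still follow the convention.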
15 | 15 | # We provide HOSTNAME here for convenience. |
16 | 16 | Environment=HOSTNAME=%H |
17 | 17 | |
18 | RuntimeDirectory=/var/run/radiusd | |
18 | RuntimeDirectory=radiusd | |
19 | 19 | RuntimeDirectoryMode=0775 |
20 | 20 | ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout |
21 | 21 | ExecStartPre=/usr/bin/chown radiusd:radiusd /var/run/radiusd |
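Review bot: `RuntimeDirectory=radiusd` is the correct form; the directive takes a name relative to /run, so the old absolute `/var/run/radiusd` was not a valid value and the `chown` line below was doing the real work. Two follow-ups in the same block: `RuntimeDirectoryMode=0775` disagrees with the `0710` in the new tmpfiles fragment and is group-writable for no stated reason, and `ExecStartPre=/usr/bin/chown radiusd:radiusd /var/run/radiusd` becomes redundant once RuntimeDirectory= is in effect, because systemd creates the directory owned by the unit's `User=`/`Group=` (assuming the unit sets them to radiusd, which this hunk does not show). Dropping the chown also removes a root-executed step from the start sequence.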
0 | # What is FreeRADIUS? | |
1 | ||
2 | The FreeRADIUS Server Project is a high performance and highly | |
3 | configurable multi-protocol policy server, supporting RADIUS, DHCPv4 | |
4 | and VMPS. Using RADIUS allows authentication and authorization for a network | |
5 | to be centralized, and minimizes the number of changes that have to | |
6 | be done when adding or deleting new users to a network. | |
7 | ||
8 | FreeRADIUS can authenticate users on systems such as 802.1x | |
9 | (WiFi), dialup, PPPoE, VPN's, VoIP, and many others. It supports | |
10 | back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft | |
11 | Active Directory, Redis, OpenLDAP. It is used daily to | |
12 | authenticate the Internet access for hundreds of millions of | |
13 | people, in sites ranging from 10 to 10 million+ users. | |
14 | ||
15 | > [wikipedia.org/wiki/FreeRADIUS](https://en.wikipedia.org/wiki/FreeRADIUS) | |
16 | ||
17 | ||
18 | # How to use this image | |
19 | ||
20 | ## Starting the server | |
21 | ||
22 | ```console | |
23 | $ docker run --name my-radius -d freeradius/freeradius-server | |
24 | ``` | |
25 | ||
26 | The image contains only the default FreeRADIUS configuration which | |
27 | has no users, and accepts test clients on 127.0.0.1. In order to | |
28 | use it in production, you will need to add clients to the | |
29 | `clients.conf` file, and users to the "users" file in | |
30 | `mods-config/files/authorize`. | |
31 | ||
32 | ||
33 | ## Defining the configuration | |
34 | ||
35 | Create a local `Dockerfile` based on the required image and | |
36 | COPY in the server configuration. | |
37 | ||
38 | ```Dockerfile | |
39 | FROM freeradius/freeradius-server:latest | |
40 | COPY raddb/ /etc/raddb/ | |
41 | ``` | |
42 | ||
43 | The `raddb` directory could contain, for example: | |
44 | ||
45 | ``` | |
46 | clients.conf | |
47 | mods-config/ | |
48 | mods-config/files/ | |
49 | mods-config/files/authorize | |
50 | ``` | |
51 | ||
52 | Where `clients.conf` contains a simple client definition | |
53 | ||
54 | ``` | |
55 | client dockernet { | |
56 | ipaddr = 172.17.0.0/16 | |
57 | secret = testing123 | |
58 | } | |
59 | ``` | |
60 | ||
61 | and the `authorise` "users" file contains a test user: | |
62 | ||
63 | ``` | |
64 | bob Cleartext-Password := "test" | |
65 | ``` | |
66 | ||
67 | ||
68 | ## Forwarding ports | |
69 | ||
70 | To forward external ports to the server, typically 1812/udp and/or | |
71 | 1813/udp, start the server with | |
72 | ||
73 | ```console | |
74 | $ docker run --name my-radius -p 1812-1813:1812-1813/udp freeradius/freeradius-server | |
75 | ``` | |
76 | ||
77 | ||
78 | ## Testing the configuration | |
79 | ||
80 | It should now be possible to test authentication against the | |
81 | server from the host machine, using the `radtest` utility supplied | |
82 | with FreeRADIUS and the credentials defined above: | |
83 | ||
84 | ```console | |
85 | $ radtest bob test 127.0.0.1 0 testing123 | |
86 | ``` | |
87 | ||
88 | which should return an "Access-Accept". | |
89 | ||
90 | ||
91 | ## Running in debug mode | |
92 | ||
93 | FreeRADIUS should always be tested in debug mode, using option | |
94 | `-X`. Coloured debug output also requres `-t` be passed to docker. | |
95 | ||
96 | ```console | |
97 | $ docker run --name my-radius -t -d freeradius/freeradius-server -X | |
98 | ``` | |
99 | ||
100 | Guidelines for how to read and interpret the debug output are on the | |
101 | [FreeRADIUS Wiki](https://wiki.freeradius.org/radiusd-X). | |
102 | ||
103 | ## Security notes | |
104 | ||
105 | The configuration in the docker image comes with self-signed | |
106 | certificates for convenience. These should not be used in a | |
107 | production environment, but replaced with new certificates. See | |
108 | the file `raddb/certs/README` for more information. | |
109 | ||
110 | ## Debugging | |
111 | ||
112 | By default if you try to use `gdb` in a Docker container, the | |
113 | pattach call will fail, and you will not be able to trace | |
114 | processes. | |
115 | ||
116 | In order to allow tracing, the ``--privileged`` flag must be | |
117 | passed to ``docker run``, this restores any Linux ``cap`` | |
118 | privileges that would not ordinarily be given. | |
119 | ||
120 | ||
121 | # Image variants | |
122 | ||
123 | ## `freeradius/freeradius-server:<version>` | |
124 | ||
125 | The de facto image which should be used unless you know you need | |
126 | another image. It is based on | |
127 | [Ubuntu Linux](https://hub.docker.com/_/ubuntu/) Docker images. | |
128 | ||
129 | ||
130 | ## `freeradius/freeradius-server:<version>-alpine` | |
131 | ||
132 | Image based on the [Alpine Linux](https://hub.docker.com/_/alpine/) | |
133 | Docker images, which are much smaller than most Linux | |
134 | distributions. To keep the basic size as small as possible, this | |
135 | image does not include libraries for all modules that have been | |
136 | built (especially the languages such as Perl or Python). Therefore | |
137 | these extra libraries will need to be installed with `apk add` in | |
138 | your own Dockerfile if you intend on using modules that require | |
139 | them. | |
140 | ||
141 | ||
142 | # Building Docker images | |
143 | ||
144 | The FreeRADIUS source contains Dockerfiles for several Linux | |
145 | distributions. They are in | |
146 | [`freeradius-server/scripts/docker/<os_name>`](https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker). | |
147 | ||
148 | Build an image with | |
149 | ||
150 | ```bash | |
151 | $ cd scripts/docker/<os_name> | |
152 | $ docker build . -t freeradius-<os_name> | |
153 | ``` | |
154 | ||
155 | This will download the OS base image, install/build any dependencies | |
156 | as necessary, perform a shallow clone of the FreeRADIUS source and | |
157 | build the server. | |
158 | ||
159 | Once built, running ``docker images`` should show the image. | |
160 | ||
161 | ```bash | |
162 | $ docker images | |
163 | REPOSITORY TAG IMAGE ID CREATED SIZE | |
164 | freeradius-ubuntu16 latest 289b3c7aca94 4 minutes ago 218MB | |
165 | freeradius-alpine latest d7fb3041bea2 2 hours ago 88.6MB | |
166 | ``` | |
167 | ||
168 | ## Build args | |
169 | ||
170 | Two ARGs are defined in the Dockerfiles that specify the source | |
171 | repository and git tag that the release will be built from. These | |
172 | are | |
173 | ||
174 | - source: the git repository URL | |
175 | - release: the git commit/tag | |
176 | ||
177 | To build the image from a specific repository and git tag, set one | |
178 | or both of these args: | |
179 | ||
180 | ```console | |
181 | $ docker build . --build-arg=release=v3.0.x --build-arg=source=https://github.com/FreeRADIUS/freeradius-server.git -t freeradius-<os_name> | |
182 | ``` |
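Review bot: the Debugging section's advice to run with `--privileged` so that `gdb` can attach is far broader than the problem needs. The failing call is `ptrace` (not "pattach"), blocked because the container lacks CAP_SYS_PTRACE and the default seccomp profile filters the syscall; `docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined` lifts exactly that, whereas `--privileged` grants every capability, exposes all host devices and turns off seccomp and LSM confinement, which the sentence "restores any Linux cap privileges" considerably undersells. Smaller points in the same file: "requres" in the debug section should be "requires"; the users file is `authorize` in the tree listing but "authorise" in the prose; the sample `clients.conf` pairs the well-known secret `testing123` with a whole `172.17.0.0/16`, and since the shared secret is all that authenticates a NAS and protects User-Password, the text should tell readers to generate a long random secret and narrow `ipaddr` to the real client; and the detached debug command (`-d ... -X`) only helps together with `docker logs -f my-radius`, which is worth adding to that example.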
0 | ARG from=alpine:latest | |
1 | FROM ${from} as build | |
2 | ||
3 | # | |
4 | # Install build tools | |
5 | # | |
6 | RUN apk update | |
7 | RUN apk add git gcc make | |
8 | ||
9 | # | |
10 | # Create build directory | |
11 | # | |
12 | RUN mkdir -p /usr/local/src/repositories | |
13 | WORKDIR /usr/local/src/repositories | |
14 | ||
15 | # | |
16 | # Shallow clone the FreeRADIUS source | |
17 | # | |
18 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
19 | ARG release=v3.0.x | |
20 | ||
21 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
22 | WORKDIR freeradius-server | |
23 | ||
24 | # | |
25 | # Install build dependencies | |
26 | # | |
27 | # essential | |
28 | RUN apk add libc-dev talloc-dev | |
29 | RUN apk add libressl libressl-dev | |
30 | RUN apk add linux-headers | |
31 | # general | |
32 | RUN apk add pcre-dev libidn-dev krb5-dev samba-dev curl-dev json-c-dev | |
33 | RUN apk add openldap-dev unbound-dev | |
34 | # languages | |
35 | RUN apk add ruby-dev perl-dev python2-dev | |
36 | # databases | |
37 | RUN apk add hiredis-dev libmemcached-dev gdbm-dev libcouchbase-dev | |
38 | # sql | |
39 | RUN apk add postgresql-dev mariadb-dev unixodbc-dev sqlite-dev | |
40 | ||
41 | # | |
42 | # Build the server | |
43 | # | |
44 | RUN ./configure --prefix=/opt | |
45 | RUN make -j2 | |
46 | RUN make install | |
47 | RUN rm /opt/lib/*.a | |
48 | ||
49 | # | |
50 | # Clean environment and run the server | |
51 | # | |
52 | FROM ${from} | |
53 | COPY --from=build /opt /opt | |
54 | ||
55 | # | |
56 | # These are needed for the server to start | |
57 | # | |
58 | RUN apk update \ | |
59 | && apk add talloc libressl pcre libwbclient \ | |
60 | \ | |
61 | # | |
62 | # Libraries that are needed dependent on which modules are used | |
63 | # Some of these (especially the languages) are huge. A reasonable | |
64 | # selection has been enabled here. If you use modules needing | |
65 | # other dependencies then install any others required in your | |
66 | # local Dockerfile. | |
67 | # | |
68 | && apk add libcurl json-c libldap hiredis sqlite-dev \ | |
69 | #RUN apk add libidn krb5 | |
70 | #RUN apk add unbound-libs | |
71 | #RUN apk add ruby-libs perl python2 | |
72 | #RUN apk add libmemcached gdbm libcouchbase | |
73 | #RUN apk add postgresql-dev mariadb-dev unixodbc-dev | |
74 | \ | |
75 | && ln -s /opt/etc/raddb /etc/raddb | |
76 | ||
77 | COPY docker-entrypoint.sh / | |
78 | ||
79 | EXPOSE 1812/udp 1813/udp | |
80 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
81 | CMD ["radiusd"] |
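Review bot: the runtime stage installs `sqlite-dev` (in `&& apk add libcurl json-c libldap hiredis sqlite-dev \`) where every other entry is a runtime library; the matching package is `sqlite-libs`, and a -dev package in the final image drags headers and build-oriented dependencies along for nothing. On reproducibility: `ARG from=alpine:latest` and `ARG release=v3.0.x` both name moving targets, so two builds of this file can yield different binaries, and the shallow clone takes whatever the branch head is with no tag or commit signature check; pinning a release tag (and ideally a base image digest) is what makes the image reviewable, and the README's build-arg example could show that. Nothing sets `USER`, so `radiusd` runs as root in the container unless `radiusd.conf` sets `user`/`group`; a dedicated unprivileged user created in the runtime stage would be the least-privilege default. The commented `#RUN apk add ...` lines inside the continued `RUN` work only because Docker strips comment lines before joining continuations; they read as dead code, and a plain comment above the instruction would be clearer.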
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | PATH=/opt/sbin:/opt/bin:$PATH | |
4 | export PATH | |
5 | ||
6 | # this if will check if the first argument is a flag | |
7 | # but only works if all arguments require a hyphenated flag | |
8 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
9 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
10 | set -- radiusd "$@" | |
11 | fi | |
12 | ||
13 | # check for the expected command | |
14 | if [ "$1" = 'radiusd' ]; then | |
15 | shift | |
16 | exec radiusd -f "$@" | |
17 | fi | |
18 | ||
19 | # debian people are likely to call "freeradius" as well, so allow that | |
20 | if [ "$1" = 'freeradius' ]; then | |
21 | shift | |
22 | exec radiusd -f "$@" | |
23 | fi | |
24 | ||
25 | # else default to run whatever the user wanted like "bash" or "sh" | |
26 | exec "$@" |
0 | ARG from=centos:centos7 | |
1 | FROM ${from} as build | |
2 | ||
3 | # | |
4 | # Install build tools | |
5 | # | |
6 | RUN yum groupinstall -y "Development Tools" | |
7 | RUN yum install -y rpmdevtools | |
8 | RUN yum install -y openssl | |
9 | ||
10 | # | |
11 | # Create build directory | |
12 | # | |
13 | RUN mkdir -p /usr/local/src/repositories | |
14 | WORKDIR /usr/local/src/repositories | |
15 | ||
16 | # | |
17 | # Shallow clone the FreeRADIUS source | |
18 | # | |
19 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
20 | ARG release=v3.0.x | |
21 | ||
22 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
23 | WORKDIR freeradius-server | |
24 | ||
25 | # | |
26 | # Other requirements | |
27 | # | |
28 | ||
29 | # Use LTB's openldap packages intead of the distribution version to avoid linking against NSS | |
30 | RUN echo $'[ltb-project]\n\ | |
31 | name=LTB project packages\n\ | |
32 | baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ | |
33 | enabled=1\n\ | |
34 | gpgcheck=1\n\ | |
35 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ | |
36 | > /etc/yum.repos.d/ltb-project.repo | |
37 | RUN rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project | |
38 | ||
39 | # EPEL repository for freetds and hiredis | |
40 | RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm | |
41 | ||
42 | # | |
43 | # Install build dependencies | |
44 | # | |
45 | RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec | |
46 | ||
47 | # | |
48 | # Create RPM build environment | |
49 | # | |
50 | ENV BUILDDIR=/root/rpmbuild | |
51 | RUN rpmdev-setuptree | |
52 | ||
53 | RUN ./configure | |
54 | RUN make freeradius-server-$(cat VERSION).tar.bz2 | |
55 | RUN cp freeradius-server-$(cat VERSION).tar.bz2 $BUILDDIR/SOURCES/ | |
56 | RUN cp -r redhat/* $BUILDDIR/SOURCES/ | |
57 | RUN cp -r redhat/freeradius.spec $BUILDDIR/SPECS/ | |
58 | WORKDIR $BUILDDIR | |
59 | ||
60 | # | |
61 | # Build the server | |
62 | # | |
63 | ENV QA_RPATHS=0x0003 | |
64 | RUN rpmbuild -bb --define '_release $release' "$BUILDDIR/SPECS/freeradius.spec" | |
65 | ||
66 | RUN mkdir /root/rpms | |
67 | RUN mv $BUILDDIR/RPMS/*/*.rpm /root/rpms/ | |
68 | ||
69 | # | |
70 | # Clean environment and run the server | |
71 | # | |
72 | FROM ${from} | |
73 | COPY --from=build /root/rpms /tmp/ | |
74 | ||
75 | # Use LTB's openldap packages intead of the distribution version to avoid linking against NSS | |
76 | RUN echo $'[ltb-project]\n\ | |
77 | name=LTB project packages\n\ | |
78 | baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\ | |
79 | enabled=1\n\ | |
80 | gpgcheck=1\n\ | |
81 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\ | |
82 | > /etc/yum.repos.d/ltb-project.repo \ | |
83 | && rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project \ | |
84 | \ | |
85 | # EPEL repository for freetds and hiredis | |
86 | && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \ | |
87 | \ | |
88 | && yum install -y /tmp/*.rpm | |
89 | ||
90 | COPY docker-entrypoint.sh / | |
91 | ||
92 | EXPOSE 1812/udp 1813/udp | |
93 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
94 | CMD ["radiusd"] |
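Review bot: `rpmbuild -bb --define '_release $release'` passes the literal string `$release` to rpmbuild because the single quotes suppress shell expansion, so the macro never receives the build arg; use double quotes. Three more in this file. `RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec` fails the whole build when the spec is absent, since `[` exits 1 and the `RUN` inherits it; if "skip when missing" was intended it needs an `if` or `|| true`, and if the file is mandatory the test is just noise. The repo file sets `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project`, but nothing writes that file: `rpm --import` loads the key into the rpm database, not onto that path, so this works only because the key is already in the rpmdb when yum first needs it; download the key to that path and import from there so the repo definition is self-consistent. And `yum install -y https://dl.fedoraproject.org/.../epel-release-latest-7.noarch.rpm` installs a package fetched from a URL with yum's default `localpkg_gpgcheck=0`, so the EPEL trust chain starts with an unverified download; import the EPEL key first and enable `localpkg_gpgcheck`, or install from a pinned checksum. `ENV QA_RPATHS=0x0003` waives the "standard" and "invalid" RPATH checks, which is probably fine for a self-contained image but deserves a comment saying why.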
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- radiusd "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'radiusd' ]; then | |
12 | shift | |
13 | exec radiusd -f "$@" | |
14 | fi | |
15 | ||
16 | # debian people are likely to call "freeradius" as well, so allow that | |
17 | if [ "$1" = 'freeradius' ]; then | |
18 | shift | |
19 | exec radiusd -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
0 | ARG from=debian:jessie | |
1 | FROM ${from} as build | |
2 | ||
3 | ARG gccver=4.9 | |
4 | ||
5 | # | |
6 | # Install build tools | |
7 | # | |
8 | RUN apt-get update | |
9 | RUN apt-get install -y devscripts equivs git quilt g++-${gccver} | |
10 | ||
11 | # | |
12 | # Create build directory | |
13 | # | |
14 | RUN mkdir -p /usr/local/src/repositories | |
15 | WORKDIR /usr/local/src/repositories | |
16 | ||
17 | # | |
18 | # Shallow clone the FreeRADIUS source | |
19 | # | |
20 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
21 | ARG release=v3.0.x | |
22 | ||
23 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
24 | WORKDIR freeradius-server | |
25 | ||
26 | # | |
27 | # Install build dependencies | |
28 | # | |
29 | RUN git checkout ${release}; \ | |
30 | if [ -e ./debian/control.in ]; then \ | |
31 | debian/rules debian/control; \ | |
32 | fi; \ | |
33 | echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control | |
34 | ||
35 | # | |
36 | # Build the server | |
37 | # | |
38 | RUN make -j2 deb | |
39 | ||
40 | # | |
41 | # Clean environment and run the server | |
42 | # | |
43 | FROM ${from} | |
44 | COPY --from=build /usr/local/src/repositories/*.deb /tmp/ | |
45 | ||
46 | RUN apt-get update \ | |
47 | && dpkg -i /tmp/*.deb || true \ | |
48 | && apt-get -y -f install \ | |
49 | && apt-get clean \ | |
50 | && rm -r /var/lib/apt/lists/* /tmp/*.deb \ | |
51 | \ | |
52 | && ln -s /etc/freeradius /etc/raddb | |
53 | ||
54 | COPY docker-entrypoint.sh / | |
55 | ||
56 | EXPOSE 1812/udp 1813/udp | |
57 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
58 | CMD ["freeradius"] |
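Review bot: in the runtime stage, `apt-get update && dpkg -i /tmp/*.deb || true && apt-get -y -f install ...` parses as `((update && dpkg) || true) && ...`, so a failed `apt-get update` is swallowed along with the intended dpkg failure, and `-f install` then runs against stale or missing package lists. Put `apt-get update` on its own `&&` line and wrap only the dpkg step: `(dpkg -i /tmp/*.deb || true)`. Two smaller items: `RUN git checkout ${release}` is a no-op after `git clone --branch ${release}`, and `g++-${gccver}` is installed but nothing (`CC=`, `update-alternatives`) selects it, so the package build still uses the image's default compiler and the `gccver` arg does not do what its name suggests.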
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- freeradius "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'freeradius' ]; then | |
12 | shift | |
13 | exec freeradius -f "$@" | |
14 | fi | |
15 | ||
16 | # many people are likely to call "radiusd" as well, so allow that | |
17 | if [ "$1" = 'radiusd' ]; then | |
18 | shift | |
19 | exec freeradius -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
0 | ARG from=debian:stretch | |
1 | FROM ${from} as build | |
2 | ||
3 | ARG gccver=6 | |
4 | ||
5 | # | |
6 | # Install build tools | |
7 | # | |
8 | RUN apt-get update | |
9 | RUN apt-get install -y devscripts equivs git quilt g++-${gccver} | |
10 | ||
11 | # | |
12 | # Create build directory | |
13 | # | |
14 | RUN mkdir -p /usr/local/src/repositories | |
15 | WORKDIR /usr/local/src/repositories | |
16 | ||
17 | # | |
18 | # Shallow clone the FreeRADIUS source | |
19 | # | |
20 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
21 | ARG release=v3.0.x | |
22 | ||
23 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
24 | WORKDIR freeradius-server | |
25 | ||
26 | # | |
27 | # Install build dependencies | |
28 | # | |
29 | RUN git checkout ${release}; \ | |
30 | if [ -e ./debian/control.in ]; then \ | |
31 | debian/rules debian/control; \ | |
32 | fi; \ | |
33 | echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control | |
34 | ||
35 | # | |
36 | # Build the server | |
37 | # | |
38 | RUN make -j2 deb | |
39 | ||
40 | # | |
41 | # Clean environment and run the server | |
42 | # | |
43 | FROM ${from} | |
44 | COPY --from=build /usr/local/src/repositories/*.deb /tmp/ | |
45 | ||
46 | RUN apt-get update \ | |
47 | && apt-get install -y /tmp/*.deb \ | |
48 | && apt-get clean \ | |
49 | && rm -r /var/lib/apt/lists/* /tmp/*.deb \ | |
50 | \ | |
51 | && ln -s /etc/freeradius /etc/raddb | |
52 | ||
53 | COPY docker-entrypoint.sh / | |
54 | ||
55 | EXPOSE 1812/udp 1813/udp | |
56 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
57 | CMD ["freeradius"] |
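Review bot: this file differs from the jessie, sid and ubuntu variants only in `ARG from=` and `ARG gccver=` (plus the `apt-get install -y /tmp/*.deb` form, which jessie and 14.04 apt cannot do and which is why those two carry the `dpkg -i ... || true` sequence with its precedence problem). Five near-identical Dockerfiles kept in sync by hand is how such slips end up in some copies and not others; a single Debian-family Dockerfile taking `from` as a build arg, with the two install forms selected by an `if`, would cover all of them and is consistent with what the README's "Build args" section already tells readers to do.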
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- freeradius "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'freeradius' ]; then | |
12 | shift | |
13 | exec freeradius -f "$@" | |
14 | fi | |
15 | ||
16 | # many people are likely to call "radiusd" as well, so allow that | |
17 | if [ "$1" = 'radiusd' ]; then | |
18 | shift | |
19 | exec freeradius -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
0 | ARG from=debian:sid | |
1 | FROM ${from} as build | |
2 | ||
3 | ARG gccver=7 | |
4 | ||
5 | # | |
6 | # Install build tools | |
7 | # | |
8 | RUN apt-get update | |
9 | RUN apt-get install -y devscripts equivs git quilt g++-${gccver} | |
10 | ||
11 | # | |
12 | # Create build directory | |
13 | # | |
14 | RUN mkdir -p /usr/local/src/repositories | |
15 | WORKDIR /usr/local/src/repositories | |
16 | ||
17 | # | |
18 | # Shallow clone the FreeRADIUS source | |
19 | # | |
20 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
21 | ARG release=v3.0.x | |
22 | ||
23 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
24 | WORKDIR freeradius-server | |
25 | ||
26 | # | |
27 | # Install build dependencies | |
28 | # | |
29 | RUN git checkout ${release}; \ | |
30 | if [ -e ./debian/control.in ]; then \ | |
31 | debian/rules debian/control; \ | |
32 | fi; \ | |
33 | echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control | |
34 | ||
35 | # | |
36 | # Build the server | |
37 | # | |
38 | RUN make -j2 deb | |
39 | ||
40 | # | |
41 | # Clean environment and run the server | |
42 | # | |
43 | FROM ${from} | |
44 | COPY --from=build /usr/local/src/repositories/*.deb /tmp/ | |
45 | ||
46 | RUN apt-get update \ | |
47 | && apt-get install -y /tmp/*.deb \ | |
48 | && apt-get clean \ | |
49 | && rm -r /var/lib/apt/lists/* /tmp/*.deb \ | |
50 | \ | |
51 | && ln -s /etc/freeradius /etc/raddb | |
52 | ||
53 | COPY docker-entrypoint.sh / | |
54 | ||
55 | EXPOSE 1812/udp 1813/udp | |
56 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
57 | CMD ["freeradius"] |
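Review bot: `ARG from=debian:sid` builds against a rolling distribution, so the result is not reproducible and can break on unrelated toolchain updates; that is fine for a CI smoke test, and the README correctly does not list sid among the published variants, but a comment at the top saying this Dockerfile is for testing rather than for producing images people run would stop someone from shipping it.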
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- freeradius "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'freeradius' ]; then | |
12 | shift | |
13 | exec freeradius -f "$@" | |
14 | fi | |
15 | ||
16 | # many people are likely to call "radiusd" as well, so allow that | |
17 | if [ "$1" = 'radiusd' ]; then | |
18 | shift | |
19 | exec freeradius -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
0 | ARG from=ubuntu:14.04 | |
1 | FROM ${from} as build | |
2 | ||
3 | # | |
4 | # Install build tools | |
5 | # | |
6 | RUN apt-get update | |
7 | RUN apt-get install -y devscripts equivs git quilt gcc | |
8 | ||
9 | # | |
10 | # Create build directory | |
11 | # | |
12 | RUN mkdir -p /usr/local/src/repositories | |
13 | WORKDIR /usr/local/src/repositories | |
14 | ||
15 | # | |
16 | # Shallow clone the FreeRADIUS source | |
17 | # | |
18 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
19 | ARG release=v3.0.x | |
20 | ||
21 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
22 | WORKDIR freeradius-server | |
23 | ||
24 | # | |
25 | # Install build dependencies | |
26 | # | |
27 | RUN git checkout ${release}; \ | |
28 | if [ -e ./debian/control.in ]; then \ | |
29 | debian/rules debian/control; \ | |
30 | fi; \ | |
31 | echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control | |
32 | ||
33 | # | |
34 | # Build the server | |
35 | # | |
36 | RUN make -j2 deb | |
37 | ||
38 | # | |
39 | # Clean environment and run the server | |
40 | # | |
41 | FROM ${from} | |
42 | COPY --from=build /usr/local/src/repositories/*.deb /tmp/ | |
43 | ||
44 | RUN apt-get update \ | |
45 | && dpkg -i /tmp/*.deb || true \ | |
46 | && apt-get -y -f install \ | |
47 | && apt-get clean \ | |
48 | && rm -r /var/lib/apt/lists/* /tmp/*.deb \ | |
49 | \ | |
50 | && ln -s /etc/freeradius /etc/raddb | |
51 | ||
52 | COPY docker-entrypoint.sh / | |
53 | ||
54 | EXPOSE 1812/udp 1813/udp | |
55 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
56 | CMD ["freeradius"] |
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- freeradius "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'freeradius' ]; then | |
12 | shift | |
13 | exec freeradius -f "$@" | |
14 | fi | |
15 | ||
16 | # many people are likely to call "radiusd" as well, so allow that | |
17 | if [ "$1" = 'radiusd' ]; then | |
18 | shift | |
19 | exec freeradius -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
0 | ARG from=ubuntu:16.04 | |
1 | FROM ${from} as build | |
2 | ||
3 | # | |
4 | # Install build tools | |
5 | # | |
6 | RUN apt-get update | |
7 | RUN apt-get install -y devscripts equivs git quilt gcc | |
8 | ||
9 | # | |
10 | # Create build directory | |
11 | # | |
12 | RUN mkdir -p /usr/local/src/repositories | |
13 | WORKDIR /usr/local/src/repositories | |
14 | ||
15 | # | |
16 | # Shallow clone the FreeRADIUS source | |
17 | # | |
18 | ARG source=https://github.com/FreeRADIUS/freeradius-server.git | |
19 | ARG release=v3.0.x | |
20 | ||
21 | RUN git clone --depth 1 --single-branch --branch ${release} ${source} | |
22 | WORKDIR freeradius-server | |
23 | ||
24 | # | |
25 | # Install build dependencies | |
26 | # | |
27 | RUN git checkout ${release}; \ | |
28 | if [ -e ./debian/control.in ]; then \ | |
29 | debian/rules debian/control; \ | |
30 | fi; \ | |
31 | echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control | |
32 | ||
33 | # | |
34 | # Build the server | |
35 | # | |
36 | RUN make -j2 deb | |
37 | ||
38 | # | |
39 | # Clean environment and run the server | |
40 | # | |
41 | FROM ${from} | |
42 | COPY --from=build /usr/local/src/repositories/*.deb /tmp/ | |
43 | ||
44 | RUN apt-get update \ | |
45 | && apt-get install -y /tmp/*.deb \ | |
46 | && apt-get clean \ | |
47 | && rm -r /var/lib/apt/lists/* /tmp/*.deb \ | |
48 | \ | |
49 | && ln -s /etc/freeradius /etc/raddb | |
50 | ||
51 | COPY docker-entrypoint.sh / | |
52 | ||
53 | EXPOSE 1812/udp 1813/udp | |
54 | ENTRYPOINT ["/docker-entrypoint.sh"] | |
55 | CMD ["freeradius"] |
0 | #!/bin/sh | |
1 | set -e | |
2 | ||
3 | # this if will check if the first argument is a flag | |
4 | # but only works if all arguments require a hyphenated flag | |
5 | # -v; -SL; -f arg; etc will work, but not arg1 arg2 | |
6 | if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then | |
7 | set -- freeradius "$@" | |
8 | fi | |
9 | ||
10 | # check for the expected command | |
11 | if [ "$1" = 'freeradius' ]; then | |
12 | shift | |
13 | exec freeradius -f "$@" | |
14 | fi | |
15 | ||
16 | # many people are likely to call "radiusd" as well, so allow that | |
17 | if [ "$1" = 'radiusd' ]; then | |
18 | shift | |
19 | exec freeradius -f "$@" | |
20 | fi | |
21 | ||
22 | # else default to run whatever the user wanted like "bash" or "sh" | |
23 | exec "$@" |
221 | 221 | $INCLUDE dictionary.microsemi |
222 | 222 | $INCLUDE dictionary.microsoft |
223 | 223 | $INCLUDE dictionary.mikrotik |
224 | $INCLUDE dictionary.mimosa | |
224 | 225 | $INCLUDE dictionary.motorola |
225 | 226 | $INCLUDE dictionary.motorola.wimax |
226 | 227 | $INCLUDE dictionary.navini |
261 | 262 | $INCLUDE dictionary.shiva |
262 | 263 | $INCLUDE dictionary.siemens |
263 | 264 | $INCLUDE dictionary.slipstream |
265 | $INCLUDE dictionary.sofaware | |
266 | $INCLUDE dictionary.softbank | |
264 | 267 | $INCLUDE dictionary.sonicwall |
265 | 268 | $INCLUDE dictionary.springtide |
266 | 269 | $INCLUDE dictionary.starent |
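Review bot: the new `$INCLUDE` lines make `dictionary.mimosa`, `dictionary.sofaware` and `dictionary.softbank` mandatory at start-up; a missing included file is a hard dictionary-load failure, not a warning, so please confirm all three files are part of this upload and are picked up by whatever installs the share/ dictionaries in the Debian and RPM packaging.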
30 | 30 | ATTRIBUTE BELRAS-TORRENT-Speed 21 integer |
31 | 31 | ATTRIBUTE BELRAS-BELCACHE-Speed 22 integer |
32 | 32 | ATTRIBUTE BELRAS-DHCP-Lease-Time 23 integer |
33 | ATTRIBUTE BELRAS-Group 24 integer | |
34 | ATTRIBUTE BELRAS-LIMIT 25 string | |
35 | ATTRIBUTE BELRAS-Auth 26 string | |
36 | ATTRIBUTE BELRAS-Acct 27 string | |
37 | ATTRIBUTE BELRAS-Framed-IP-Address 28 string | |
38 | ATTRIBUTE BELRAS-BL 29 string | |
39 | ATTRIBUTE BELRAS-IN 30 string | |
40 | ATTRIBUTE BELRAS-CO 31 string | |
33 | 41 | |
34 | 42 | VALUE BELRAS-redirect-Pool Deleted 1 |
35 | 43 | VALUE BELRAS-redirect-Pool Disabled 2 |
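Review bot: `BELRAS-Framed-IP-Address 28 string` is typed `string` although the name says it carries an IP address; if the vendor really sends it as text that deserves a comment, otherwise `ipaddr` lets the server validate and compare it as an address. Several of the new names (`BELRAS-LIMIT`, `BELRAS-BL`, `BELRAS-IN`, `BELRAS-CO`) are opaque; a short comment with the vendor's meaning for each, or a reference to the vendor document they were taken from, is the convention in the other dictionary files and is what lets a later maintainer check them.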
13 | 13 | # have been given new names on JUNOS: |
14 | 14 | # http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct |
15 | 15 | # http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/general/aaa-subscriber-access-radius-vsa.html |
16 | # | |
17 | # Juniper now publishes a single 'current' document for the latest OS with all supported VSAs here: | |
18 | # https://www.juniper.net/documentation/en_US/junos/topics/reference/general/aaa-subscriber-access-radius-vsa.html | |
16 | 19 | # |
17 | 20 | # In this file, we keep the ERX prefix and the JUNOSe attribute names |
18 | 21 | # for backwards compatibility |
221 | 224 | ATTRIBUTE ERX-Rx-Connect-Speed 163 integer |
222 | 225 | |
223 | 226 | # ATTRIBUTE 164 - 173 RESERVED |
227 | ATTRIBUTE ERX-Service-Activate-Type 173 integer | |
224 | 228 | ATTRIBUTE ERX-Client-Profile-Name 174 string |
225 | 229 | ATTRIBUTE ERX-Redirect-GW-Address 175 ipaddr |
226 | 230 | ATTRIBUTE ERX-APN-Name 176 string |
231 | ||
232 | ATTRIBUTE ERX-Service-Volume-Gigawords 179 integer | |
233 | ATTRIBUTE ERX-Update-Service 180 string | |
234 | ATTRIBUTE ERX-DHCPv6-Guided-Relay-Server 181 ipv6addr | |
235 | ATTRIBUTE ERX-Acc-Loop-Remote-Id 182 string | |
236 | ATTRIBUTE ERX-Acc-Loop-Encap 183 octets | |
237 | ATTRIBUTE ERX-Inner-Vlan-Map-Id 184 integer | |
238 | ATTRIBUTE ERX-Core-Facing-Interface 185 string | |
239 | ATTRIBUTE ERX-DHCP-First-Relay-IPv4-Address 189 ipaddr | |
240 | ATTRIBUTE ERX-DHCP-First-Relay-IPv6-Address 190 ipv6addr | |
241 | ATTRIBUTE ERX-Input-Interface-Filter 191 string | |
242 | ATTRIBUTE ERX-Output-Interface-Filter 192 string | |
243 | ATTRIBUTE ERX-Pim-Enable 193 integer | |
244 | ATTRIBUTE ERX-Bulk-CoA-Transaction-Id 194 integer | |
245 | ATTRIBUTE ERX-Bulk-CoA-Identifier 195 integer | |
246 | ATTRIBUTE ERX-IPv4-Input-Service-Set 196 string | |
247 | ATTRIBUTE ERX-IPv4-Output-Service-Set 197 string | |
248 | ATTRIBUTE ERX-IPv4-Input-Service-Filter 198 string | |
249 | ATTRIBUTE ERX-IPv4-Output-Service-Filter 199 string | |
250 | ATTRIBUTE ERX-IPv6-Input-Service-Set 200 string | |
251 | ATTRIBUTE ERX-IPv6-Output-Service-Set 201 string | |
252 | ATTRIBUTE ERX-IPv6-Input-Service-Filter 202 string | |
253 | ATTRIBUTE ERX-IPv6-Output-Service-Filter 203 string | |
254 | ATTRIBUTE ERX-Adv-Pcef-Profile-Name 204 string | |
255 | ATTRIBUTE ERX-Adv-Pcef-Rule-Name 205 string | |
256 | ATTRIBUTE ERX-Re-Authentication-Catalyst 206 integer | |
257 | ATTRIBUTE ERX-DHCPv6-Options 207 octets | |
258 | ATTRIBUTE ERX-DHCP-Header 208 octets | |
259 | ATTRIBUTE ERX-DHCPv6-Header 209 octets | |
260 | ATTRIBUTE ERX-Acct-Request-Reason 210 octets | |
227 | 261 | |
228 | 262 | # |
229 | 263 | # Values Attribute Name Number |
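Review bot: the reserved-range comment at new line 226 still reads `# ATTRIBUTE 164 - 173 RESERVED` while the next line assigns 173 to ERX-Service-Activate-Type; change it to `164 - 172`. The new block also skips 177-178 and 186-188 with no comment, and this file documents its gaps with RESERVED comments, so either say they are reserved or note where they are allocated.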
338 | 372 | VALUE ERX-PPP-Monitor-Ingress-Only disabled 0 |
339 | 373 | VALUE ERX-PPP-Monitor-Ingress-Only enabled 1 |
340 | 374 | |
375 | VALUE ERX-Service-Activate-Type dynamic 1 | |
376 | VALUE ERX-Service-Activate-Type opscript 1 | |
377 | ||
378 | VALUE ERX-Pim-Enable disabled 0 | |
379 | VALUE ERX-Pim-Enable enabled 1 | |
380 | ||
381 | VALUE ERX-Re-Authentication-Catalyst disabled 0 | |
382 | VALUE ERX-Re-Authentication-Catalyst client-renew 1 | |
383 | ||
384 | VALUE ERX-Acct-Request-Reason Acct-Start-Ack 1 | |
385 | VALUE ERX-Acct-Request-Reason Periodic 2 | |
386 | VALUE ERX-Acct-Request-Reason IP-Active 4 | |
387 | VALUE ERX-Acct-Request-Reason IP-Inactive 8 | |
388 | VALUE ERX-Acct-Request-Reason IPv6-Active 16 | |
389 | VALUE ERX-Acct-Request-Reason IPv6-Inactive 32 | |
390 | VALUE ERX-Acct-Request-Reason Session-Active 64 | |
391 | VALUE ERX-Acct-Request-Reason Session-Inactive 128 | |
392 | VALUE ERX-Acct-Request-Reason Line-Speed-Change 256 | |
393 | VALUE ERX-Acct-Request-Reason Address-Assignment-Change 512 | |
394 | VALUE ERX-Acct-Request-Reason CoA-Complete 1024 | |
395 | ||
341 | 396 | END-VENDOR ERX |
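Review bot: `VALUE ERX-Service-Activate-Type dynamic 1` and `VALUE ERX-Service-Activate-Type opscript 1` both map to 1, so one of the two names is effectively an alias and `opscript` will never be shown when the attribute is printed. If these are two distinct activation types, `opscript` needs its own number (check the Juniper VSA reference linked at the top of the file); if they really are aliases, a comment should say so. Separately, the ERX-Acct-Request-Reason VALUEs are attached to an attribute the previous hunk declares as `octets` (number 210); symbolic names are not applied when an octets attribute is parsed or printed, and the values 1..1024 are bit flags that fit an `integer`, so the type at 260 should probably be `integer`, otherwise these nine VALUE lines do nothing.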
532 | 532 | ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Dns 1931 string |
533 | 533 | ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Upn 1932 string |
534 | 534 | ATTRIBUTE TLS-PSK-Identity 1933 string |
535 | ||
536 | # 1934 - 1939: reserved for future cert attributes | |
535 | ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string | |
536 | ||
537 | # 1937 - 1939: reserved for future cert attributes | |
537 | 538 | |
538 | 539 | # 1940 - 1949: reserved for TLS session caching, mostly in 3.1 |
539 | 540 |
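Review bot: the replacement reserved-range comment jumps from 1933 to 1937, leaving 1934 and 1935 neither assigned nor marked reserved, and the new TLS-Client-Cert-X509v3-Extended-Key-Usage-OID takes 1936 instead of the next free number 1934. If 1934 and 1935 are allocated in another branch or file, add a comment saying so; otherwise either use 1934 here or keep `1934 - 1935` in the reserved comment so the numbering stays auditable.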
0 | # -*- text -*- | |
1 | # Copyright (C) 2018 The FreeRADIUS Server project and contributors | |
2 | ||
3 | VENDOR Mimosa 43356 | |
4 | ||
5 | BEGIN-VENDOR Mimosa | |
6 | ||
7 | ATTRIBUTE Mimosa-Device-Configuration-Parameter 1 string | |
8 | ATTRIBUTE Mimosa-FirmwareVersion-Parameter 2 string | |
9 | ATTRIBUTE Mimosa-FirmwareLocation-Parameter 3 string | |
10 | ATTRIBUTE Mimosa-WirelessProtocol-Parameter 4 string | |
11 | ATTRIBUTE Mimosa-ManagementIPAddressMode-Parameter 5 string | |
12 | ATTRIBUTE Mimosa-ManagementIPAddress-Parameter 6 ipaddr | |
13 | ATTRIBUTE Mimosa-ManagementIPNetmask-Parameter 7 ipaddr | |
14 | ATTRIBUTE Mimosa-ManagementIPGateway-Parameter 8 ipaddr | |
15 | ATTRIBUTE Mimosa-ManagementVlanStatus-Parameter 9 byte | |
16 | ATTRIBUTE Mimosa-ManagementVlan-Parameter 10 string | |
17 | ATTRIBUTE Mimosa-ManagementPassword-Parameter 11 string | |
18 | ATTRIBUTE Mimosa-DeviceName-Parameter 12 string | |
19 | ATTRIBUTE Mimosa-TrafficShapingPeak-Parameter 13 string | |
20 | ATTRIBUTE Mimosa-TrafficShapingCommitted-Parameter 14 string | |
21 | ATTRIBUTE Mimosa-EthernetPortSpeed-Parameter 15 string | |
22 | ATTRIBUTE Mimosa-DNS1-Parameter 16 ipaddr | |
23 | ATTRIBUTE Mimosa-DNS2-Parameter 17 ipaddr | |
24 | ATTRIBUTE Mimosa-HTTPPort-Parameter 18 integer | |
25 | ATTRIBUTE Mimosa-EnableHTTPS-Parameter 19 byte | |
26 | ATTRIBUTE Mimosa-HTTPSPort-Parameter 20 integer | |
27 | ATTRIBUTE Mimosa-CloudManagement-Parameter 21 byte | |
28 | ATTRIBUTE Mimosa-EnableSNMP-Parameter 22 byte | |
29 | ATTRIBUTE Mimosa-SNMPCommunityString-Parameter 23 string | |
30 | ATTRIBUTE Mimosa-SNMPTrapServer-Parameter 24 ipaddr | |
31 | ATTRIBUTE Mimosa-NTPServerAddress-Parameter 25 string | |
32 | ATTRIBUTE Mimosa-EnableSyslog-Parameter 26 byte | |
33 | ATTRIBUTE Mimosa-SyslogServerAddress-Parameter 27 ipaddr | |
34 | ATTRIBUTE Mimosa-SyslogPort-Parameter 28 integer | |
35 | ATTRIBUTE Mimosa-SyslogProtocol-Parameter 29 string | |
36 | ||
37 | END-VENDOR Mimosa |
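Review bot: Mimosa-ManagementPassword-Parameter (11) carries a device management credential as a plain `string`; without an `encrypt=` flag in the dictionary it travels in cleartext inside the RADIUS packet, since RADIUS only obfuscates attributes that are explicitly marked for it. If the devices accept it obfuscated, add the flag; if not, a comment warning that this attribute should only be sent over a protected transport would help operators who see it in a packet capture. Also, unlike the SoftBank dictionary added in the same upload, this file has no header block pointing at a vendor reference for the attribute numbers, and the naming mixes `Device-Configuration-Parameter` with `FirmwareVersion-Parameter` CamelCase; pick one style.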
15 | 15 | # DHCP options. |
16 | 16 | # |
17 | 17 | ATTRIBUTE ADSL-Forum-DHCP-Vendor-Specific 0 tlv |
18 | ATTRIBUTE ADSL-Forum-Device-Manufacturer-OUI 0.1 octets | |
19 | ATTRIBUTE ADSL-Forum-Device-Serial-Number 0.2 string | |
20 | ATTRIBUTE ADSL-Forum-Device-Product-Class 0.3 string | |
21 | ATTRIBUTE ADSL-Forum-Gateway-Manufacturer-OUI 0.4 octets | |
18 | 22 | |
19 | 23 | # |
20 | 24 | # The first two attributes are prefixed with "ADSL-" because of |
0 | # -*- text -*- | |
1 | # Copyright (C) 2018 The FreeRADIUS Server project and contributors | |
2 | ############################################################################## | |
3 | # | |
4 | # Softbank VSAs | |
5 | # | |
6 | # $Id$ | |
7 | # | |
8 | ############################################################################## | |
9 | ||
10 | VENDOR SoftBank 22197 | |
11 | ||
12 | BEGIN-VENDOR SoftBank | |
13 | ||
14 | ATTRIBUTE SoftBank-BB-Unit-MAC 1 string | |
15 | ATTRIBUTE SoftBank-BB-Unit-Manufacturer 2 string | |
16 | ATTRIBUTE SoftBank-BB-Unit-Model 3 string | |
17 | ATTRIBUTE SoftBank-BB-Unit-HW-Revision 4 string | |
18 | ||
19 | ATTRIBUTE SoftBank-TFTP-Config-Server 185 ipaddr | |
20 | ATTRIBUTE SoftBank-TFTP-Config-File 186 string | |
21 | ATTRIBUTE SoftBank-DNS-IPv6-Primary 198 ipv6addr | |
22 | ATTRIBUTE SoftBank-DNS-IPv6-Secondary 199 ipv6addr | |
23 | ATTRIBUTE SoftBank-Syslog-Server 201 ipv6addr | |
24 | ATTRIBUTE SoftBank-SNTP-Server 203 ipv6addr | |
25 | ATTRIBUTE SoftBank-IPv4-Tunnel-Local-Address 204 ipaddr | |
26 | ATTRIBUTE SoftBank-IPv4-Tunnel-Endpoint 207 ipv6addr | |
27 | ATTRIBUTE SoftBank-RouteInfo-Server 215 string | |
28 | ||
29 | END-VENDOR SoftBank |
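Review bot: the attribute numbers jump from 4 to 185, 186, 198, 199, 201, 203, 204, 207 and 215 with nothing explaining the gaps or where the numbers come from; the header block has room for a reference. The header also says `Softbank` while VENDOR and every attribute use `SoftBank`. SoftBank-IPv4-Tunnel-Endpoint being `ipv6addr` is presumably deliberate (an IPv4 tunnel terminated over IPv6) but deserves a one-line comment, because next to SoftBank-IPv4-Tunnel-Local-Address as `ipaddr` it reads like a typo.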
10 | 10 | VENDOR ZTE 3902 |
11 | 11 | BEGIN-VENDOR ZTE |
12 | 12 | |
13 | ATTRIBUTE ZTE-Client-DNS-Pri 1 integer | |
14 | ATTRIBUTE ZTE-Client-DNS-Sec 2 integer | |
13 | ATTRIBUTE ZTE-Client-DNS-Pri 1 string | |
14 | ATTRIBUTE ZTE-Client-DNS-Sec 2 string | |
15 | 15 | ATTRIBUTE ZTE-Context-Name 4 string |
16 | 16 | ATTRIBUTE ZTE-Tunnel-Max-Sessions 21 integer |
17 | 17 | ATTRIBUTE ZTE-Tunnel-Max-Tunnels 22 integer |
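Review bot: changing ZTE-Client-DNS-Pri and ZTE-Client-DNS-Sec from `integer` to `string` changes how existing packets decode and breaks any configuration that sets them numerically, so this needs a changelog entry. If these carry an IPv4 address, `ipaddr` would be the natural type; if the vendor really sends a free-form string, a comment saying so would stop the next person from "fixing" it back.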
66 | 66 | $blank = 0; |
67 | 67 | |
68 | 68 | s/\s*$/\n/; |
69 | ||
70 | # | |
71 | # Suppress leading whitespace, so long as it's | |
72 | # not followed by a comment.. | |
73 | # | |
74 | s/^\s*([^#])/$1/; | |
69 | 75 | |
70 | 76 | # |
71 | 77 | # Remember the vendor |
192 | 192 | void home_server_update_request(home_server_t *home, REQUEST *request); |
193 | 193 | home_server_t *home_server_ldb(char const *realmname, home_pool_t *pool, REQUEST *request); |
194 | 194 | home_server_t *home_server_find(fr_ipaddr_t *ipaddr, uint16_t port, int proto); |
195 | home_server_t *home_server_find_bysrc(fr_ipaddr_t *ipaddr, uint16_t port, int proto, fr_ipaddr_t *src_ipaddr); | |
195 | 196 | home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SECTION *cs); |
196 | 197 | CONF_SECTION *home_server_cs_afrom_client(CONF_SECTION *client); |
197 | 198 | #ifdef WITH_COA |
120 | 120 | char const *name; |
121 | 121 | VALUE_PAIR *check; |
122 | 122 | VALUE_PAIR *reply; |
123 | int order; /* for ordering! */ | |
123 | 124 | int lineno; |
124 | 125 | struct pair_list *next; |
125 | 126 | } PAIR_LIST; |
42 | 42 | void *ctx; |
43 | 43 | } fr_event_fd_t; |
44 | 44 | |
45 | #define FR_EV_MAX_FDS (256) | |
45 | #define FR_EV_MAX_FDS (512) | |
46 | 46 | |
47 | 47 | #undef USEC |
48 | 48 | #define USEC (1000000) |
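Review bot: doubling FR_EV_MAX_FDS from 256 to 512 is still a hard-coded ceiling on the number of descriptors the event loop will track. A comment explaining what drove the new value, and what a caller sees when fr_event_fd_insert() hits the limit, would help the next person who runs into it; deriving it from the configured listener count would be better still.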
179 | 179 | |
180 | 180 | ret = fr_thread_local_set(fr_strerror_buffer, buffer); |
181 | 181 | if (ret != 0) { |
182 | fr_perror("Failed setting up TLS for libradius error buffer: %s", fr_syserror(ret)); | |
182 | fr_perror("Failed setting up thread-local storage for libradius error buffer: %s", fr_syserror(ret)); | |
183 | 183 | free(buffer); |
184 | 184 | return; |
185 | 185 | } |
262 | 262 | |
263 | 263 | ret = fr_thread_local_set(fr_syserror_buffer, buffer); |
264 | 264 | if (ret != 0) { |
265 | fr_perror("Failed setting up TLS for system error buffer: %s", fr_syserror(ret)); | |
265 | fr_perror("Failed setting up thread-local storage for system error buffer"); | |
266 | 266 | free(buffer); |
267 | 267 | return NULL; |
268 | 268 | } |
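Review bot: the first message (new line 182) keeps `%s` with fr_syserror(ret) but this one (265) drops it, presumably because calling fr_syserror() from inside the code that sets up fr_syserror's own buffer would recurse into the same failure. That is the right call, but the message should still include the numeric error (`%d`, ret) so the failure is diagnosable, and a comment should say why fr_syserror() must not be used here.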
519 | 519 | int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool resolve) |
520 | 520 | { |
521 | 521 | size_t len, i; |
522 | bool hostname = true; | |
523 | bool ipv4 = true; | |
524 | bool ipv6 = true; | |
522 | 525 | |
523 | 526 | len = (inlen >= 0) ? (size_t)inlen : strlen(value); |
524 | for (i = 0; i < len; i++) switch (value[i]) { | |
525 | /* | |
526 | * ':' is illegal in domain names and IPv4 addresses. | |
527 | * Must be v6 and cannot be a domain. | |
528 | */ | |
529 | case ':': | |
530 | return fr_pton6(out, value, inlen, false, false); | |
531 | ||
532 | /* | |
533 | * Chars which don't really tell us anything | |
534 | */ | |
535 | case '.': | |
536 | case '/': | |
537 | continue; | |
527 | ||
528 | for (i = 0; i < len; i++) { | |
529 | /* | |
530 | * These are valid for IPv4, IPv6, and host names. | |
531 | */ | |
532 | if ((value[i] >= '0') && (value[i] <= '9')) { | |
533 | continue; | |
534 | } | |
535 | ||
536 | /* | |
537 | * These are invalid for IPv4, but OK for IPv6 | |
538 | * and host names. | |
539 | */ | |
540 | if ((value[i] >= 'a') && (value[i] <= 'f')) { | |
541 | ipv4 = false; | |
542 | continue; | |
543 | } | |
544 | ||
545 | /* | |
546 | * These are invalid for IPv4, but OK for IPv6 | |
547 | * and host names. | |
548 | */ | |
549 | if ((value[i] >= 'A') && (value[i] <= 'F')) { | |
550 | ipv4 = false; | |
551 | continue; | |
552 | } | |
553 | ||
554 | /* | |
555 | * This is only valid for IPv6 addresses. | |
556 | */ | |
557 | if (value[i] == ':') { | |
558 | ipv4 = false; | |
559 | hostname = false; | |
560 | continue; | |
561 | } | |
562 | ||
563 | /* | |
564 | * Valid for IPv4 and host names, not for IPv6. | |
565 | */ | |
566 | if (value[i] == '.') { | |
567 | ipv6 = false; | |
568 | continue; | |
569 | } | |
570 | ||
571 | /* | |
572 | * Netmasks are allowed by us, and MUST come at | |
573 | * the end of the address. | |
574 | */ | |
575 | if (value[i] == '/') { | |
576 | break; | |
577 | } | |
578 | ||
579 | /* | |
580 | * Any characters other than what are checked for | |
581 | * above can't be IPv4 or IPv6 addresses. | |
582 | */ | |
583 | ipv4 = false; | |
584 | ipv6 = false; | |
585 | } | |
586 | ||
587 | /* | |
588 | * It's not an IPv4 or IPv6 address. It MUST be a host | |
589 | * name. | |
590 | */ | |
591 | if (!ipv4 && !ipv6) { | |
592 | /* | |
593 | * Not an IPv4 or IPv6 address, and we weren't | |
594 | * asked to do DNS resolution, we can't do it. | |
595 | */ | |
596 | if (!resolve) { | |
597 | fr_strerror_printf("Not IPv4/6 address, and asked not to resolve"); | |
598 | return -1; | |
599 | } | |
600 | ||
601 | /* | |
602 | * It's not a hostname, either, so bail out | |
603 | * early. | |
604 | */ | |
605 | if (!hostname) { | |
606 | fr_strerror_printf("Invalid address"); | |
607 | return -1; | |
608 | } | |
609 | ||
610 | /* | |
611 | * Fall through to resolving the address, using | |
612 | * whatever address family they prefer. If they | |
613 | * don't specify an address family, force IPv4. | |
614 | */ | |
615 | if (af == AF_UNSPEC) af = AF_INET; | |
616 | } | |
617 | ||
618 | /* | |
619 | * The name has a ':' in it. Therefore it must be an | |
620 | * IPv6 address. Error out if the caller specified IPv4. | |
621 | * Otherwise, force IPv6. | |
622 | */ | |
623 | if (ipv6 && !hostname) { | |
624 | if (af == AF_INET) { | |
625 | fr_strerror_printf("Invalid address"); | |
626 | return -1; | |
627 | } | |
628 | ||
629 | af = AF_INET6; | |
630 | } | |
631 | ||
632 | /* | |
633 | * Use whatever the caller specified, OR what we | |
634 | * insinuated above from looking at the name string. | |
635 | */ | |
636 | switch (af) { | |
637 | case AF_UNSPEC: | |
638 | return fr_pton4(out, value, inlen, resolve, true); | |
639 | ||
640 | case AF_INET: | |
641 | return fr_pton4(out, value, inlen, resolve, false); | |
642 | ||
643 | case AF_INET6: | |
644 | return fr_pton6(out, value, inlen, resolve, false); | |
538 | 645 | |
539 | 646 | default: |
540 | /* | |
541 | * Outside the range of IPv4 chars, must be a domain | |
542 | * Use A record in preference to AAAA record. | |
543 | */ | |
544 | if ((value[i] < '0') || (value[i] > '9')) { | |
545 | if (!resolve) { | |
546 | fr_strerror_printf("Not IPv4/6 address, and asked not to resolve"); | |
547 | return -1; | |
548 | } | |
549 | switch (af) { | |
550 | case AF_UNSPEC: | |
551 | return fr_pton4(out, value, inlen, resolve, true); | |
552 | ||
553 | case AF_INET: | |
554 | return fr_pton4(out, value, inlen, resolve, false); | |
555 | ||
556 | case AF_INET6: | |
557 | return fr_pton6(out, value, inlen, resolve, false); | |
558 | ||
559 | default: | |
560 | fr_strerror_printf("Invalid address family %i", af); | |
561 | return -1; | |
562 | } | |
563 | } | |
564 | 647 | break; |
565 | 648 | } |
566 | 649 | |
567 | /* | |
568 | * All chars were in the IPv4 set [0-9/.], must be an IPv4 | |
569 | * address. | |
570 | */ | |
571 | return fr_pton4(out, value, inlen, false, false); | |
650 | /* | |
651 | * No idea what it is... | |
652 | */ | |
653 | fr_strerror_printf("Invalid address family %i", af); | |
654 | return -1; | |
572 | 655 | } |
573 | 656 | |
574 | 657 | /** Parses IPv4/6 address + port, to fr_ipaddr_t and integer |
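Review bot: the new character scan clears `ipv6` on '.' (new line 566) and `hostname` on ':' (557), so an IPv4-mapped or IPv4-compatible IPv6 literal such as `::ffff:192.0.2.1` ends the loop with ipv4, ipv6 and hostname all false and is rejected with "Invalid address" (or "Not IPv4/6 address, and asked not to resolve" when resolve is false). The code being removed sent anything containing ':' straight to fr_pton6(), which accepts those forms. Either stop clearing `ipv6` on '.' once a ':' has been seen, or keep the old rule that ':' means IPv6. Minor: the loop never restricts what counts as a host name, so a string of arbitrary characters reaches the resolver with hostname still true; acceptable since the resolver rejects it, but worth a comment.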
924 | 924 | #ifdef WITH_TCP |
925 | 925 | if (pl->sockets[start].proto == IPPROTO_TCP) { |
926 | 926 | packet = fr_tcp_recv(pl->sockets[start].sockfd, 0); |
927 | ||
928 | /* | |
929 | * We always know src/dst ip/port for TCP | |
930 | * sockets. So just fill them in. Since | |
931 | * we read the packet from the TCP | |
932 | * socket, we invert src/dst. | |
933 | */ | |
934 | packet->dst_ipaddr = pl->sockets[start].src_ipaddr; | |
935 | packet->dst_port = pl->sockets[start].src_port; | |
936 | packet->src_ipaddr = pl->sockets[start].dst_ipaddr; | |
937 | packet->src_port = pl->sockets[start].dst_port; | |
938 | ||
927 | 939 | } else |
928 | 940 | #endif |
941 | ||
942 | /* | |
943 | * Rely on rad_recv() to fill in the required | |
944 | * fields. | |
945 | */ | |
929 | 946 | packet = rad_recv(NULL, pl->sockets[start].sockfd, 0); |
930 | 947 | if (!packet) continue; |
931 | 948 |
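Review bot: the new `packet->dst_ipaddr = ...` block (new lines 934-937) dereferences the return value of fr_tcp_recv() before the `if (!packet) continue;` check at 947, so a failed or closed TCP read now crashes the receive loop instead of being skipped. Add a NULL check inside the TCP branch before filling in src/dst, or move the existing check up.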
404 | 404 | pkt = (struct in_pktinfo *) CMSG_DATA(cmsg); |
405 | 405 | memset(pkt, 0, sizeof(*pkt)); |
406 | 406 | pkt->ipi_spec_dst = s4->sin_addr; |
407 | # endif | |
408 | ||
409 | # ifdef IP_SENDSRCADDR | |
407 | ||
408 | # elif defined(IP_SENDSRCADDR) | |
410 | 409 | struct cmsghdr *cmsg; |
411 | 410 | struct in_addr *in; |
412 | 411 |
971 | 971 | /** Performs byte order reversal for types that need it |
972 | 972 | * |
973 | 973 | */ |
974 | static void value_data_hton(value_data_t *dst, PW_TYPE type, void const *src, size_t src_len) | |
974 | static ssize_t value_data_hton(value_data_t *dst, PW_TYPE dst_type, void const *src, size_t src_len) | |
975 | 975 | { |
976 | size_t dst_len; | |
977 | uint8_t *dst_ptr; | |
978 | ||
976 | 979 | /* 8 byte integers */ |
977 | switch (type) { | |
980 | switch (dst_type) { | |
978 | 981 | case PW_TYPE_INTEGER64: |
982 | dst_len = sizeof(dst->integer64); | |
983 | ||
984 | if (src_len < dst_len) return -1; | |
985 | ||
979 | 986 | dst->integer64 = htonll(*(uint64_t const *)src); |
980 | 987 | break; |
981 | 988 | |
983 | 990 | case PW_TYPE_INTEGER: |
984 | 991 | case PW_TYPE_DATE: |
985 | 992 | case PW_TYPE_SIGNED: |
993 | dst_len = sizeof(dst->integer); | |
994 | ||
995 | if (src_len < dst_len) return -1; | |
996 | ||
986 | 997 | dst->integer = htonl(*(uint32_t const *)src); |
987 | 998 | break; |
988 | 999 | |
989 | 1000 | /* 2 byte integers */ |
990 | 1001 | case PW_TYPE_SHORT: |
1002 | dst_len = sizeof(dst->ushort); | |
1003 | ||
1004 | if (src_len < dst_len) return -1; | |
1005 | ||
991 | 1006 | dst->ushort = htons(*(uint16_t const *)src); |
992 | 1007 | break; |
993 | 1008 | |
994 | case PW_TYPE_OCTETS: | |
995 | case PW_TYPE_STRING: | |
996 | fr_assert(0); | |
997 | return; /* shouldn't happen */ | |
1009 | /* 1 byte integer */ | |
1010 | case PW_TYPE_BYTE: | |
1011 | dst_len = sizeof(dst->byte); | |
1012 | ||
1013 | if (src_len < dst_len) return -1; | |
1014 | ||
1015 | dst->byte = *(uint8_t const *)src; | |
1016 | break; | |
1017 | ||
1018 | case PW_TYPE_IPV4_ADDR: | |
1019 | dst_len = 4; | |
1020 | dst_ptr = (uint8_t *) &dst->ipaddr.s_addr; | |
1021 | ||
1022 | copy: | |
1023 | /* | |
1024 | * Not enough information, die. | |
1025 | */ | |
1026 | if (src_len < dst_len) return -1; | |
1027 | ||
1028 | /* | |
1029 | * Copy only as much as we need from the source. | |
1030 | */ | |
1031 | memcpy(dst_ptr, src, dst_len); | |
1032 | break; | |
1033 | ||
1034 | case PW_TYPE_ABINARY: | |
1035 | dst_len = sizeof(dst->filter); | |
1036 | dst_ptr = (uint8_t *) dst->filter; | |
1037 | ||
1038 | /* | |
1039 | * Too little data is OK here. | |
1040 | */ | |
1041 | if (src_len < dst_len) { | |
1042 | memcpy(dst_ptr, src, src_len); | |
1043 | memset(dst_ptr + src_len, 0, dst_len - src_len); | |
1044 | break; | |
1045 | } | |
1046 | goto copy; | |
1047 | ||
1048 | case PW_TYPE_IFID: | |
1049 | dst_len = sizeof(dst->ifid); | |
1050 | dst_ptr = (uint8_t *) dst->ifid; | |
1051 | goto copy; | |
1052 | ||
1053 | case PW_TYPE_IPV6_ADDR: | |
1054 | dst_len = sizeof(dst->ipv6addr); | |
1055 | dst_ptr = (uint8_t *) dst->ipv6addr.s6_addr; | |
1056 | goto copy; | |
1057 | ||
1058 | case PW_TYPE_IPV4_PREFIX: | |
1059 | dst_len = sizeof(dst->ipv4prefix); | |
1060 | dst_ptr = (uint8_t *) dst->ipv4prefix; | |
1061 | ||
1062 | if (src_len < dst_len) return -1; | |
1063 | if ((((uint8_t const *)src)[1] & 0x3f) > 32) return -1; | |
1064 | goto copy; | |
1065 | ||
1066 | case PW_TYPE_IPV6_PREFIX: | |
1067 | dst_len = sizeof(dst->ipv6prefix); | |
1068 | dst_ptr = (uint8_t *) dst->ipv6prefix; | |
1069 | ||
1070 | /* | |
1071 | * Smaller IPv6 prefixes are OK, too, so long as | |
1072 | * they're not too short. | |
1073 | */ | |
1074 | if (src_len < 2) return -1; | |
1075 | ||
1076 | /* | |
1077 | * Prefix is too long. | |
1078 | */ | |
1079 | if (((uint8_t const *)src)[1] > 128) return -1; | |
1080 | ||
1081 | if (src_len < dst_len) { | |
1082 | memcpy(dst_ptr, src, src_len); | |
1083 | memset(dst_ptr + src_len, 0, dst_len - src_len); | |
1084 | break; | |
1085 | } | |
1086 | ||
1087 | goto copy; | |
1088 | ||
1089 | case PW_TYPE_ETHERNET: | |
1090 | dst_len = sizeof(dst->ether); | |
1091 | dst_ptr = (uint8_t *) dst->ether; | |
1092 | goto copy; | |
998 | 1093 | |
999 | 1094 | default: |
1000 | memcpy(dst, src, src_len); | |
1001 | } | |
1095 | return -1; /* can't do it */ | |
1096 | } | |
1097 | ||
1098 | return dst_len; | |
1002 | 1099 | } |
1003 | 1100 | |
1004 | 1101 | /** Convert one type of value_data_t to another |
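Review bot: for the fixed-size types (INTEGER64, INTEGER/DATE/SIGNED, SHORT, BYTE, IPV4_ADDR, IFID, IPV6_ADDR, ETHERNET, IPV4_PREFIX) the checks only reject `src_len < dst_len`; longer input is silently truncated to the first dst_len bytes. Since this is the path that casts octets coming off the wire, `src_len != dst_len` should be an error for those types. For IPV6_PREFIX the prefix byte is bounds-checked (`> 128`) but src_len is never checked against it, so a `/128` with only two bytes of data is accepted and zero-filled; require `src_len >= 2 + (prefix + 7) / 8`. Also `*(uint64_t const *)src`, `*(uint32_t const *)src` and `*(uint16_t const *)src` read from an octets buffer with no alignment guarantee; memcpy into a local before the htonll/htonl/htons is the portable form.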
1020 | 1117 | PW_TYPE src_type, DICT_ATTR const *src_enumv, |
1021 | 1118 | value_data_t const *src, size_t src_len) |
1022 | 1119 | { |
1120 | ssize_t dst_len; | |
1121 | ||
1023 | 1122 | if (!fr_assert(dst_type != src_type)) return -1; |
1024 | 1123 | |
1025 | 1124 | /* |
1033 | 1132 | * Converts the src data to octets with no processing. |
1034 | 1133 | */ |
1035 | 1134 | if (dst_type == PW_TYPE_OCTETS) { |
1036 | value_data_hton(dst, src_type, src, src_len); | |
1037 | dst->octets = talloc_memdup(ctx, dst, src_len); | |
1135 | dst_len = value_data_hton(dst, src_type, src, src_len); | |
1136 | if (dst_len < 0) return -1; | |
1137 | ||
1138 | dst->octets = talloc_memdup(ctx, dst, dst_len); | |
1038 | 1139 | talloc_set_type(dst->octets, uint8_t); |
1039 | return talloc_array_length(dst->strvalue); | |
1140 | return dst_len; | |
1040 | 1141 | } |
1041 | 1142 | |
1042 | 1143 | /* |
1120 | 1221 | |
1121 | 1222 | case PW_TYPE_SHORT: |
1122 | 1223 | dst->integer = src->ushort; |
1224 | break; | |
1225 | ||
1226 | case PW_TYPE_DATE: | |
1227 | dst->integer = src->date; | |
1123 | 1228 | break; |
1124 | 1229 | |
1125 | 1230 | case PW_TYPE_OCTETS: |
1380 | 1485 | |
1381 | 1486 | if (src_type == PW_TYPE_OCTETS) { |
1382 | 1487 | do_octets: |
1383 | value_data_hton(dst, dst_type, src->octets, src_len); | |
1384 | return src_len; | |
1488 | return value_data_hton(dst, dst_type, src->octets, src_len); | |
1385 | 1489 | } |
1386 | 1490 | |
1387 | 1491 | /* |
1539 | 1643 | |
1540 | 1644 | t = data->date; |
1541 | 1645 | |
1542 | p = talloc_array(ctx, char, 64); | |
1543 | strftime(p, 64, "%b %e %Y %H:%M:%S %Z", | |
1646 | p = talloc_zero_array(ctx, char, 64); | |
1647 | strftime(p, 63, "%b %e %Y %H:%M:%S %Z", | |
1544 | 1648 | localtime_r(&t, &s_tm)); |
1545 | 1649 | break; |
1546 | 1650 | } |
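Review bot: strftime()'s `max` already counts the terminating NUL, so with a 64-byte buffer the correct argument is 64; passing 63 just gives up a byte. Zeroing the buffer does not guarantee an empty string either, because the contents are unspecified when strftime() returns 0. Check the return value and set `p[0] = '\0'` (or fall back to the numeric time) when it is 0.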
1340 | 1340 | * We could reuse the CONF_PAIR buff, this just keeps things |
1341 | 1341 | * consistent between client_afrom_cs, and client_afrom_query. |
1342 | 1342 | */ |
1343 | *p = talloc_strdup(c, strvalue); | |
1343 | *p = talloc_strdup(c, vp->vp_strvalue); | |
1344 | 1344 | |
1345 | 1345 | /* |
1346 | 1346 | * This is fairly nasty... In order to figure out the CONF_PAIR |
1485 | 1485 | home_server_t *home; |
1486 | 1486 | uint16_t port; |
1487 | 1487 | int proto = IPPROTO_UDP; |
1488 | fr_ipaddr_t ipaddr; | |
1488 | fr_ipaddr_t ipaddr, src_ipaddr; | |
1489 | 1489 | |
1490 | 1490 | if (argc < 2) { |
1491 | 1491 | cprintf_error(listener, "Must specify <ipaddr> <port> [udp|tcp]\n"); |
1497 | 1497 | fr_strerror()); |
1498 | 1498 | return NULL; |
1499 | 1499 | } |
1500 | ||
1501 | memset(&src_ipaddr, 0, sizeof(src_ipaddr)); | |
1502 | src_ipaddr.af = ipaddr.af; | |
1500 | 1503 | |
1501 | 1504 | port = atoi(argv[1]); |
1502 | 1505 | |
1518 | 1521 | #endif |
1519 | 1522 | |
1520 | 1523 | /* |
1524 | * Allow the caller to specify src, too. | |
1525 | */ | |
1526 | if (strcmp(argv[myarg], "src") == 0) { | |
1527 | if ((myarg + 2) < argc) { | |
1528 | cprintf_error(listener, "You must specify an address after 'src' \n"); | |
1529 | return NULL; | |
1530 | } | |
1531 | ||
1532 | if (ip_hton(&src_ipaddr, ipaddr.af, argv[myarg + 1], false) < 0) { | |
1533 | cprintf_error(listener, "Failed parsing IP address; %s\n", | |
1534 | fr_strerror()); | |
1535 | return NULL; | |
1536 | } | |
1537 | ||
1538 | myarg += 2; | |
1539 | continue; | |
1540 | } | |
1541 | ||
1542 | /* | |
1521 | 1543 | * Unknown argument. Leave it for the caller. |
1522 | 1544 | */ |
1523 | 1545 | break; |
1524 | 1546 | } |
1525 | 1547 | |
1526 | home = home_server_find(&ipaddr, port, proto); | |
1548 | home = home_server_find_bysrc(&ipaddr, port, proto, &src_ipaddr); | |
1527 | 1549 | if (!home) { |
1528 | 1550 | cprintf_error(listener, "No such home server\n"); |
1529 | 1551 | return NULL; |
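Review bot: the argument check at new line 1527 is inverted. `if ((myarg + 2) < argc)` reports "You must specify an address after 'src'" precisely when there are two or more further arguments (e.g. `src 192.0.2.1 alive`), and when `src` is the last word it falls through to `argv[myarg + 1]` and reads past the end of argv. It should be `if ((myarg + 1) >= argc)`. This path is reachable from the control socket, so as written it is a crash an operator with control-socket access can trigger.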
1961 | 1983 | "show home_server list - shows list of home servers", |
1962 | 1984 | command_show_home_servers, NULL }, |
1963 | 1985 | { "state", FR_READ, |
1964 | "show home_server state <ipaddr> <port> [udp|tcp] - shows state of given home server", | |
1986 | "show home_server state <ipaddr> <port> [udp|tcp] [src <ipaddr>] - shows state of given home server", | |
1965 | 1987 | command_show_home_server_state, NULL }, |
1966 | 1988 | |
1967 | 1989 | { NULL, 0, NULL, NULL, NULL } |
2553 | 2575 | #ifdef WITH_PROXY |
2554 | 2576 | static fr_command_table_t command_table_set_home[] = { |
2555 | 2577 | { "state", FR_WRITE, |
2556 | "set home_server state <ipaddr> <port> [udp|tcp] [alive|dead] - set state for given home server", | |
2578 | "set home_server state <ipaddr> <port> [udp|tcp] [src <ipaddr>] [alive|dead] - set state for given home server", | |
2557 | 2579 | command_set_home_server_state, NULL }, |
2558 | 2580 | |
2559 | 2581 | { NULL, 0, NULL, NULL, NULL } |
2602 | 2624 | |
2603 | 2625 | #ifdef WITH_PROXY |
2604 | 2626 | { "home_server", FR_READ, |
2605 | "stats home_server [<ipaddr>|auth|acct|coa|disconnect] <port> [udp|tcp] - show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)", | |
2627 | "stats home_server [<ipaddr>|auth|acct|coa|disconnect] <port> [udp|tcp] [src <ipaddr>] - show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)", | |
2606 | 2628 | command_stats_home_server, NULL }, |
2607 | 2629 | #endif |
2608 | 2630 |
32 | 32 | int fd; //!< File descriptor associated with an entry. |
33 | 33 | uint32_t hash; //!< Hash for cheap comparison. |
34 | 34 | time_t last_used; //!< Last time the entry was used. |
35 | dev_t st_dev; //!< device inode | |
36 | ino_t st_ino; //!< inode number | |
35 | 37 | char *filename; //!< Filename. |
36 | 38 | } exfile_entry_t; |
37 | 39 | |
324 | 326 | PTHREAD_MUTEX_UNLOCK(&(ef->mutex)); |
325 | 327 | return -1; |
326 | 328 | } |
329 | ||
330 | if (fstat(ef->entries[i].fd, &st) < 0) goto error; | |
331 | ||
332 | /* | |
333 | * Remember which device and inode this file is | |
334 | * for. | |
335 | */ | |
336 | ef->entries[i].st_dev = st.st_dev; | |
337 | ef->entries[i].st_ino = st.st_ino; | |
338 | ||
327 | 339 | } else { |
328 | 340 | i = found; |
341 | ||
342 | /* | |
343 | * Stat the *filename*, not the file we opened. | |
344 | * If that's not the file we opened, then go back | |
345 | * and re-open the file. | |
346 | */ | |
347 | if (stat(ef->entries[i].filename, &st) == 0) { | |
348 | if ((st.st_dev != ef->entries[i].st_dev) || | |
349 | (st.st_ino != ef->entries[i].st_ino)) { | |
350 | /* | |
351 | * No longer the same file; reopen. | |
352 | */ | |
353 | close(ef->entries[i].fd); | |
354 | goto reopen; | |
355 | } | |
356 | } else { | |
357 | /* | |
358 | * Error calling stat, likely the | |
359 | * file has been moved. Reopen it. | |
360 | */ | |
361 | close(ef->entries[i].fd); | |
362 | goto reopen; | |
363 | } | |
329 | 364 | } |
330 | 365 | |
331 | 366 | /* |
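Review bot: after `close(ef->entries[i].fd)` at new lines 353 and 361 the entry still holds the closed descriptor until the reopen path replaces it; if reopening fails, the cache keeps a stale fd that a later call can lock or close again, possibly one the process has since reused for a different file. Set `ef->entries[i].fd = -1` immediately after close(). The `goto error` at 330 after a failed fstat() likewise needs to close the descriptor that was just opened, unless the error label already does. The stat()-by-name check at 347 runs before the lock is taken, so it is only a hint; that is fine because the post-lock fstat() in the next hunk is the authoritative comparison, but a comment saying so would stop someone from removing one of the two checks.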
377 | 412 | } |
378 | 413 | |
379 | 414 | /* |
380 | * Maybe someone deleted the file while we were waiting | |
381 | * for the lock. If so, re-open it. | |
415 | * See which file it really is. | |
382 | 416 | */ |
383 | 417 | if (fstat(ef->entries[i].fd, &st) < 0) { |
384 | 418 | fr_strerror_printf("Failed to stat file %s: %s", filename, strerror(errno)); |
386 | 420 | } |
387 | 421 | |
388 | 422 | /* |
389 | * It's unlinked from the file system, close the FD and | |
390 | * try to re-open it. | |
391 | */ | |
392 | if (st.st_nlink == 0) { | |
423 | * Maybe the file was unlinked from the file system, OR | |
424 | * the file we opened is NOT the one we had cached. If | |
425 | * so, close the file and re-open it from scratch. | |
426 | */ | |
427 | if ((st.st_nlink == 0) || | |
428 | (st.st_dev != ef->entries[i].st_dev) || | |
429 | (st.st_ino != ef->entries[i].st_ino)) { | |
393 | 430 | close(ef->entries[i].fd); |
394 | 431 | goto reopen; |
395 | 432 | } |
396 | 433 | |
397 | 434 | /* |
398 | * If we're appending, eek to the end of the file before | |
435 | * If we're appending, seek to the end of the file before | |
399 | 436 | * returning the FD to the caller. |
400 | 437 | */ |
401 | 438 | (void) lseek(ef->entries[i].fd, 0, SEEK_END); |
87 | 87 | VALUE_PAIR *reply_tmp = NULL; |
88 | 88 | PAIR_LIST *pl = NULL, *t; |
89 | 89 | PAIR_LIST **last = &pl; |
90 | int order = 0; | |
90 | 91 | int lineno = 0; |
91 | 92 | int entry_lineno = 0; |
92 | 93 | FR_TOKEN parsecode; |
198 | 199 | * of entries. Go to the end of the |
199 | 200 | * list. |
200 | 201 | */ |
201 | while (*last) | |
202 | while (*last) { | |
203 | (*last)->order = order++; | |
202 | 204 | last = &((*last)->next); |
205 | } | |
203 | 206 | continue; |
204 | 207 | } /* $INCLUDE ... */ |
205 | 208 | |
315 | 318 | t->check = check_tmp; |
316 | 319 | t->reply = reply_tmp; |
317 | 320 | t->lineno = entry_lineno; |
321 | t->order = order++; | |
318 | 322 | check_tmp = NULL; |
319 | 323 | reply_tmp = NULL; |
320 | 324 |
1213 | 1213 | |
1214 | 1214 | if (c->data.map->lhs->name[i] == '-') { |
1215 | 1215 | hyphens++; |
1216 | if (hyphens > 1) { | |
1217 | may_be_attr = false; | |
1218 | break; | |
1219 | } | |
1220 | 1216 | } |
1221 | 1217 | } |
1222 | 1218 |
1550 | 1550 | * handler. |
1551 | 1551 | */ |
1552 | 1552 | if (request_proxy(request) < 0) { |
1553 | if (request->home_server && request->home_server->server) goto req_finished; | |
1554 | ||
1553 | 1555 | (void) setup_post_proxy_fail(request); |
1554 | 1556 | process_proxy_reply(request, NULL); |
1555 | 1557 | goto req_finished; |
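Review bot: the new early `goto req_finished` skips setup_post_proxy_fail() and process_proxy_reply() whenever the home server is a virtual server (`home_server->server` set). Nothing explains why a proxy failure to a virtual server should bypass the Post-Proxy-Type Fail handling that every other failure gets; add a comment, or if the intent is that request_proxy() already ran the virtual server and there is no reply to process, say that where the check is.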
4880 | 4882 | /* |
4881 | 4883 | * All sockets: add the FD to the event handler. |
4882 | 4884 | */ |
4883 | if (!fr_event_fd_insert(el, 0, this->fd, | |
4884 | event_socket_handler, this)) { | |
4885 | ERROR("Failed adding event handler for socket: %s", fr_strerror()); | |
4886 | fr_exit(1); | |
4887 | } | |
4888 | ||
4889 | this->status = RAD_LISTEN_STATUS_KNOWN; | |
4890 | return 1; | |
4885 | if (fr_event_fd_insert(el, 0, this->fd, | |
4886 | event_socket_handler, this)) { | |
4887 | this->status = RAD_LISTEN_STATUS_KNOWN; | |
4888 | return 1; | |
4889 | } | |
4890 | ||
4891 | ERROR("Failed adding event handler for socket: %s", fr_strerror()); | |
4892 | this->status = RAD_LISTEN_STATUS_REMOVE_NOW; | |
4891 | 4893 | } /* end of INIT */ |
4892 | 4894 | |
4893 | 4895 | #ifdef WITH_TCP |
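Review bot: a failed fr_event_fd_insert() used to be fatal (fr_exit(1)); it now sets RAD_LISTEN_STATUS_REMOVE_NOW and falls out of the INIT block into the code that follows. Make sure that code checks the status before treating the listener as registered, and that the listener is actually removed rather than left in the list. The ERROR line is now the only trace of a socket being dropped at startup, so it should name the listener (address and port) rather than just "socket".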
25 | 25 | |
26 | 26 | #include <freeradius-devel/radclient.h> |
27 | 27 | #include <freeradius-devel/radpaths.h> |
28 | #include <freeradius-devel/udpfromto.h> | |
28 | 29 | #include <freeradius-devel/conf.h> |
29 | 30 | #include <ctype.h> |
30 | 31 | |
57 | 58 | static uint16_t client_port = 0; |
58 | 59 | |
59 | 60 | static int sockfd; |
60 | static int last_used_id = -1; | |
61 | 61 | |
62 | 62 | #ifdef WITH_TCP |
63 | 63 | static char const *proto = NULL; |
95 | 95 | fprintf(stderr, " If a second file is provided, it will be used to verify responses\n"); |
96 | 96 | fprintf(stderr, " -F Print the file name, packet number and reply code.\n"); |
97 | 97 | fprintf(stderr, " -h Print usage help information.\n"); |
98 | fprintf(stderr, " -i <id> Set request id to 'id'. Values may be 0..255\n"); | |
99 | 98 | fprintf(stderr, " -n <num> Send N requests/s\n"); |
100 | 99 | fprintf(stderr, " -p <num> Send 'num' packets from a file in parallel.\n"); |
101 | 100 | fprintf(stderr, " -q Do not print anything out.\n"); |
858 | 857 | mysockfd = fr_socket_client_tcp(NULL, |
859 | 858 | &request->packet->dst_ipaddr, |
860 | 859 | request->packet->dst_port, false); |
860 | if (mysockfd < 0) { | |
861 | ERROR("Failed opening socket"); | |
862 | exit(1); | |
863 | } | |
861 | 864 | } else |
862 | 865 | #endif |
863 | mysockfd = fr_socket(&client_ipaddr, 0); | |
864 | if (mysockfd < 0) { | |
865 | ERROR("Failed opening socket"); | |
866 | exit(1); | |
866 | { | |
867 | mysockfd = fr_socket(&client_ipaddr, 0); | |
868 | if (mysockfd < 0) { | |
869 | ERROR("Failed opening socket"); | |
870 | exit(1); | |
871 | } | |
872 | ||
873 | #ifdef WITH_UDPFROMTO | |
874 | if (udpfromto_init(mysockfd) < 0) { | |
875 | ERROR("Failed initializing socket"); | |
876 | exit(1); | |
877 | } | |
878 | #endif | |
867 | 879 | } |
868 | 880 | if (!fr_packet_list_socket_add(pl, mysockfd, ipproto, |
869 | 881 | &request->packet->dst_ipaddr, |
1028 | 1040 | #endif |
1029 | 1041 | return -1; /* bad packet */ |
1030 | 1042 | } |
1031 | ||
1032 | /* | |
1033 | * We don't use udpfromto. So if we bind to "*", we want | |
1034 | * to find replies sent to 192.0.2.4. Therefore, we | |
1035 | * force all replies to have the one address we know | |
1036 | * about, no matter what real address they were sent to. | |
1037 | * | |
1038 | * This only works if were not using any of the | |
1039 | * Packet-* attributes, or running with 'auto'. | |
1040 | */ | |
1041 | reply->dst_ipaddr = client_ipaddr; | |
1042 | reply->dst_port = client_port; | |
1043 | ||
1044 | #ifdef WITH_TCP | |
1045 | ||
1046 | /* | |
1047 | * TCP sockets don't use recvmsg(), and thus don't get | |
1048 | * the source IP/port. However, since they're TCP, we | |
1049 | * know what the source IP/port is, because that's where | |
1050 | * we connected to. | |
1051 | */ | |
1052 | if (ipproto == IPPROTO_TCP) { | |
1053 | reply->src_ipaddr = server_ipaddr; | |
1054 | reply->src_port = server_port; | |
1055 | } | |
1056 | #endif | |
1057 | 1043 | |
1058 | 1044 | packet_p = fr_packet_list_find_byreply(pl, reply); |
1059 | 1045 | if (!packet_p) { |
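Review bot: Removing the TCP fixup (old lines 1044-1056) assumes the receive path now fills `reply->src_ipaddr`/`reply->src_port` for connected TCP sockets; the deleted comment states TCP sockets "don't use recvmsg(), and thus don't get the source IP/port", so unless that has changed elsewhere, `fr_packet_list_find_byreply(pl, reply)` will fail to match TCP replies. Likewise, dropping the forced `reply->dst_ipaddr = client_ipaddr` is only safe because `udpfromto_init()` is now called when the socket is created; that dependency deserves a one-line comment here.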
1194 | 1180 | exit(1); |
1195 | 1181 | } |
1196 | 1182 | |
1197 | while ((c = getopt(argc, argv, "46c:d:D:f:Fhi:n:p:qr:sS:t:vx" | |
1183 | while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx" | |
1198 | 1184 | #ifdef WITH_TCP |
1199 | 1185 | "P:" |
1200 | 1186 | #endif |
1244 | 1230 | |
1245 | 1231 | case 'F': |
1246 | 1232 | print_filename = true; |
1247 | break; | |
1248 | ||
1249 | case 'i': /* currently broken */ | |
1250 | if (!isdigit((int) *optarg)) | |
1251 | usage(); | |
1252 | last_used_id = atoi(optarg); | |
1253 | if ((last_used_id < 0) || (last_used_id > 255)) { | |
1254 | usage(); | |
1255 | } | |
1256 | 1233 | break; |
1257 | 1234 | |
1258 | 1235 | case 'n': |
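Review bot: Dropping `i:` from the getopt string and the `case 'i'` block should be accompanied by removing the `-i` entry from `usage()` and from the radclient man page, otherwise the documented option now silently falls through to the unknown-option path. If `last_used_id` is no longer assigned anywhere else, its declaration and any "currently broken" references should go too.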
1457 | 1434 | #ifdef WITH_TCP |
1458 | 1435 | if (proto) { |
1459 | 1436 | sockfd = fr_socket_client_tcp(NULL, &server_ipaddr, server_port, false); |
1437 | if (sockfd < 0) { | |
1438 | ERROR("Error opening socket"); | |
1439 | exit(1); | |
1440 | } | |
1460 | 1441 | } else |
1461 | 1442 | #endif |
1462 | sockfd = fr_socket(&client_ipaddr, client_port); | |
1463 | if (sockfd < 0) { | |
1464 | ERROR("Error opening socket"); | |
1465 | exit(1); | |
1443 | { | |
1444 | sockfd = fr_socket(&client_ipaddr, client_port); | |
1445 | if (sockfd < 0) { | |
1446 | ERROR("Error opening socket"); | |
1447 | exit(1); | |
1448 | } | |
1449 | ||
1450 | #ifdef WITH_UDPFROMTO | |
1451 | if (udpfromto_init(sockfd) < 0) { | |
1452 | ERROR("Failed initializing socket"); | |
1453 | exit(1); | |
1454 | } | |
1455 | #endif | |
1466 | 1456 | } |
1467 | 1457 | |
1468 | 1458 | pl = fr_packet_list_create(1); |
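Review bot: The open-socket-then-`udpfromto_init()` sequence added here (new lines 1443-1455) is byte-for-byte the same as the one added earlier in the same file (new lines 866-878), down to the error messages; factor it into a small static helper that takes the address and port and returns the fd or -1, so a future fix is not applied to only one copy. The `} else` / `#endif` / `{` layout is the existing pattern in this file, but with a helper the `#ifdef WITH_TCP` branch would collapse to a single conditional.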
500 | 500 | |
501 | 501 | if ((fr_set_signal(SIGHUP, sig_hup) < 0) || |
502 | 502 | (fr_set_signal(SIGTERM, sig_fatal) < 0)) { |
503 | set_signal_error: | |
503 | 504 | ERROR("%s", fr_strerror()); |
504 | 505 | exit(EXIT_FAILURE); |
505 | 506 | } |
509 | 510 | * immediately. Use SIGTERM to shut down the server cleanly in |
510 | 511 | * that case. |
511 | 512 | */ |
513 | if (fr_set_signal(SIGINT, sig_fatal) < 0) goto set_signal_error; | |
514 | ||
515 | #ifdef SIGQUIT | |
512 | 516 | if (main_config.debug_memory || (rad_debug_lvl == 0)) { |
513 | if ((fr_set_signal(SIGINT, sig_fatal) < 0) | |
514 | #ifdef SIGQUIT | |
515 | || (fr_set_signal(SIGQUIT, sig_fatal) < 0) | |
516 | #endif | |
517 | ) { | |
518 | ERROR("%s", fr_strerror()); | |
519 | exit(EXIT_FAILURE); | |
520 | } | |
521 | } | |
517 | if (fr_set_signal(SIGQUIT, sig_fatal) < 0) goto set_signal_error; | |
518 | } | |
519 | #endif | |
522 | 520 | |
523 | 521 | /* |
524 | 522 | * Everything seems to have loaded OK, exit gracefully. |
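Review bot: The `set_signal_error:` label (new line 503) sits inside the body of the first `if`, and both `goto set_signal_error` statements jump into that block from outside it; this is legal C but confusing to read, so put the label on a dedicated error exit after the signal setup instead. This hunk also changes behaviour: SIGINT is now always routed to `sig_fatal`, whereas before it was only installed when `debug_memory` was set or `rad_debug_lvl == 0`, so a `-X` debug run now behaves differently on Ctrl-C; the comment at lines 509-511 describing when SIGTERM should be used needs to be updated to match.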
1446 | 1446 | } |
1447 | 1447 | |
1448 | 1448 | /* |
1449 | * See if the home server is already listed | |
1450 | * in the pool. If so, do nothing else. | |
1449 | * Don't check for duplicate home servers. If | |
1450 | * the user specifies that, well, they can do it. | |
1451 | * | |
1452 | * Allowing duplicates means that all of the | |
1453 | * realm->server[] entries are filled, which is | |
1454 | * what the rest of the code assumes. | |
1451 | 1455 | */ |
1452 | if (pool) for (i = 0; i < pool->num_home_servers; i++) { | |
1453 | if (pool->servers[i] == home) { | |
1454 | return 1; | |
1455 | } | |
1456 | } | |
1457 | 1456 | } |
1458 | 1457 | |
1459 | 1458 | /* |
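Review bot: Removing the duplicate check (old lines 1452-1456) means `pool->servers[]` may now hold the same `home` more than once; the new comment justifies this by saying the array must be fully populated, but it is worth confirming that the fail-over and load-balancing code iterating a pool does not treat a repeated entry as a distinct server (retrying a dead home server twice and doubling its zombie-period accounting). A one-line note in the pool documentation that duplicates are accepted as written would avoid surprising administrators.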
2741 | 2740 | return rbtree_finddata(home_servers_byaddr, &myhome); |
2742 | 2741 | } |
2743 | 2742 | |
2743 | home_server_t *home_server_find_bysrc(fr_ipaddr_t *ipaddr, uint16_t port, | |
2744 | int proto, | |
2745 | fr_ipaddr_t *src_ipaddr) | |
2746 | { | |
2747 | home_server_t myhome; | |
2748 | ||
2749 | if (!src_ipaddr) return home_server_find(ipaddr, port, proto); | |
2750 | ||
2751 | if (src_ipaddr->af != ipaddr->af) return NULL; | |
2752 | ||
2753 | memset(&myhome, 0, sizeof(myhome)); | |
2754 | myhome.ipaddr = *ipaddr; | |
2755 | myhome.src_ipaddr = *src_ipaddr; | |
2756 | myhome.port = port; | |
2757 | #ifdef WITH_TCP | |
2758 | myhome.proto = proto; | |
2759 | #else | |
2760 | myhome.proto = IPPROTO_UDP; | |
2761 | #endif | |
2762 | myhome.server = NULL; /* we're not called for internal proxying */ | |
2763 | ||
2764 | return rbtree_finddata(home_servers_byaddr, &myhome); | |
2765 | } | |
2766 | ||
2744 | 2767 | #ifdef WITH_COA |
2745 | 2768 | home_server_t *home_server_byname(char const *name, int type) |
2746 | 2769 | { |
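Review bot: `home_server_find_bysrc()` is missing a doxygen comment, and its correctness depends on the comparator used for `home_servers_byaddr` actually comparing `src_ipaddr`; `home_server_find()` just above it never sets `myhome.src_ipaddr`, so if the comparator does look at that field the two lookups will return different answers for the same home server, and if it does not, the `src_ipaddr` assignment at new line 2755 has no effect. State which it is in the comment, and note that the `af` mismatch check at new line 2751 returns NULL rather than falling back to `home_server_find()`.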
1749 | 1749 | #endif |
1750 | 1750 | VALUE_PAIR *vp; |
1751 | 1751 | |
1752 | if (issuer_cert == NULL) { | |
1753 | RWDEBUG("Could not get issuer certificate"); | |
1754 | goto skipped; | |
1755 | } | |
1756 | ||
1752 | 1757 | /* |
1753 | 1758 | * Create OCSP Request |
1754 | 1759 | */ |
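Review bot: The new `issuer_cert == NULL` guard (new lines 1752-1755) jumps to `skipped`, so the result of an OCSP check with no issuer is whatever that label returns; make sure the skipped path honours the configured softfail setting rather than returning OCSP_STATUS_OK unconditionally, otherwise a certificate whose issuer cannot be located is passed through without any revocation check.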
2273 | 2278 | */ |
2274 | 2279 | if (certs && (sk_X509_EXTENSION_num(ext_list) > 0)) { |
2275 | 2280 | int i, len; |
2281 | EXTENDED_KEY_USAGE *eku; | |
2276 | 2282 | char *p; |
2277 | 2283 | BIO *out; |
2278 | 2284 | |
2318 | 2324 | } |
2319 | 2325 | |
2320 | 2326 | BIO_free_all(out); |
2327 | ||
2328 | /* Export raw EKU OIDs to allow matching a single OID regardless of its name */ | |
2329 | eku = X509_get_ext_d2i(client_cert, NID_ext_key_usage, NULL, NULL); | |
2330 | if (eku != NULL) { | |
2331 | for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) { | |
2332 | len = OBJ_obj2txt(value, sizeof(value), sk_ASN1_OBJECT_value(eku, i), 1); | |
2333 | if ((len > 0) && ((unsigned) len < sizeof(value))) { | |
2334 | vp = fr_pair_make(talloc_ctx, certs, | |
2335 | "TLS-Client-Cert-X509v3-Extended-Key-Usage-OID", | |
2336 | value, T_OP_ADD); | |
2337 | rdebug_pair(L_DBG_LVL_2, request, vp, NULL); | |
2338 | } | |
2339 | else { | |
2340 | RDEBUG("Failed to get EKU OID at index %d", i); | |
2341 | } | |
2342 | } | |
2343 | EXTENDED_KEY_USAGE_free(eku); | |
2344 | } | |
2321 | 2345 | } |
2322 | 2346 | |
2323 | 2347 | REXDENT(); |
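Review bot: The return of `fr_pair_make()` at new line 2334 is not checked before it is handed to `rdebug_pair()`; if the attribute name is unknown to the dictionary the call returns NULL, so either confirm `rdebug_pair()` tolerates a NULL pair or skip the debug call when `vp` is NULL. The `}` / `else {` split at new lines 2338-2339 also breaks the `} else {` style used elsewhere in this file. Exporting the raw OIDs via `OBJ_obj2txt(..., 1)` is a good addition, since it lets policies match an EKU that OpenSSL has no short name for.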
2390 | 2414 | |
2391 | 2415 | } else { |
2392 | 2416 | RDEBUG2("Starting OCSP Request"); |
2393 | if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) || | |
2394 | !issuer_cert) { | |
2395 | /* | |
2396 | * Allow for external verify. | |
2397 | */ | |
2398 | RERROR("Couldn't get issuer_cert for %s", common_name); | |
2399 | do_verify = true; | |
2400 | ||
2401 | } else { | |
2402 | /* | |
2403 | * Do the full OCSP checks. | |
2404 | * | |
2405 | * If they fail, don't run the external verify. We don't want | |
2406 | * to allow admins to force authentication success for bad | |
2407 | * certificates. | |
2408 | * | |
2409 | * If the OCSP checks succeed, check whether we still want to | |
2410 | * run the external verification routine. If it's marked as | |
2411 | * "skip verify on OK", then we don't do verify. | |
2412 | */ | |
2413 | my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf); | |
2414 | if (my_ok != OCSP_STATUS_FAILED) { | |
2415 | do_verify = !conf->verify_skip_if_ocsp_ok; | |
2416 | } | |
2417 | ||
2418 | /* | |
2419 | * If we don't have an issuer, then we can't send | |
2420 | * and OCSP request, but pass the NULL issuer in | |
2421 | * so ocsp_check can decide on the correct | |
2422 | * return code. | |
2423 | */ | |
2424 | issuer_cert = X509_STORE_CTX_get0_current_issuer(ctx); | |
2425 | ||
2426 | /* | |
2427 | * Do the full OCSP checks. | |
2428 | * | |
2429 | * If they fail, don't run the external verify. We don't want | |
2430 | * to allow admins to force authentication success for bad | |
2431 | * certificates. | |
2432 | * | |
2433 | * If the OCSP checks succeed, check whether we still want to | |
2434 | * run the external verification routine. If it's marked as | |
2435 | * "skip verify on OK", then we don't do verify. | |
2436 | */ | |
2437 | my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf); | |
2438 | if (my_ok != OCSP_STATUS_FAILED) { | |
2439 | do_verify = !conf->verify_skip_if_ocsp_ok; | |
2417 | 2440 | } |
2418 | 2441 | } |
2419 | 2442 | } |
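Review bot: Switching from `X509_STORE_CTX_get1_issuer()` to `X509_STORE_CTX_get0_current_issuer()` (new line 2424) changes ownership: the old call returned a reference the caller had to release, the new one returns a borrowed pointer, so any remaining `X509_free(issuer_cert)` later in this function must be removed or it will free a certificate still owned by the store context. The comment at new lines 2419-2420 reads "we can't send and OCSP request"; it should be "an OCSP request". Note that a missing issuer previously forced `do_verify = true`; now the outcome depends entirely on how `ocsp_check()` handles a NULL issuer, which is fine as long as that path is not a silent pass.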
2562 | 2585 | #endif |
2563 | 2586 | #endif |
2564 | 2587 | |
2565 | /* | |
2566 | * DIE OPENSSL DIE DIE DIE | |
2567 | * | |
2568 | * What a palaver, just to free some data attached the | |
2569 | * session. We need to do this because the "remove" callback | |
2570 | * is called when refcount > 0 sometimes, if another thread | |
2571 | * is using the session | |
2572 | */ | |
2573 | static void sess_free_vps(UNUSED void *parent, void *data_ptr, | |
2574 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2575 | UNUSED long argl, UNUSED void *argp) | |
2576 | { | |
2577 | VALUE_PAIR *vp = data_ptr; | |
2578 | if (!vp) return; | |
2579 | ||
2580 | DEBUG2(LOG_PREFIX ": Freeing cached session VPs"); | |
2581 | ||
2582 | fr_pair_list_free(&vp); | |
2583 | } | |
2584 | ||
2585 | static void sess_free_certs(UNUSED void *parent, void *data_ptr, | |
2586 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2587 | UNUSED long argl, UNUSED void *argp) | |
2588 | { | |
2589 | VALUE_PAIR **certs = data_ptr; | |
2590 | if (!certs) return; | |
2591 | ||
2592 | DEBUG2(LOG_PREFIX ": Freeing cached session Certificates"); | |
2593 | ||
2594 | fr_pair_list_free(certs); | |
2595 | } | |
2596 | ||
2597 | 2588 | /** Add all the default ciphers and message digests reate our context. |
2598 | 2589 | * |
2599 | 2590 | * This should be called exactly once from main, before reading the main config |
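Review bot: Deleting `sess_free_vps()` and `sess_free_certs()` (old lines 2565-2596) removes the only code shown here that frees the VALUE_PAIR lists attached to cached SSL sessions; the original comment explains they existed precisely because OpenSSL's remove callback can fire while the session is still referenced. Unless those lists are now parented to a talloc context that outlives the session (the `FR_TLS_EX_INDEX_TALLOC` changes elsewhere in this patch suggest that is the intent), every resumed session will leak its cached VPs and certificates; the commit should say where they are freed now.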
2609 | 2600 | /* |
2610 | 2601 | * Initialize the index for the certificates. |
2611 | 2602 | */ |
2612 | fr_tls_ex_index_certs = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_certs); | |
2603 | fr_tls_ex_index_certs = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, NULL); | |
2613 | 2604 | |
2614 | 2605 | /* |
2615 | 2606 | * If we're linking with OpenSSL too, then we need |
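Review bot: Passing NULL as the free function for `fr_tls_ex_index_certs` (new line 2603) is consistent with removing `sess_free_certs()`, but it leaves the `certs` pointer stored via `SSL_set_ex_data(..., fr_tls_ex_index_certs, ...)` dangling once the owning structure is freed; the code that reads this slot on session resumption should be checked for a use-after-free in that case.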
2913 | 2904 | |
2914 | 2905 | /* Load the CAs we trust */ |
2915 | 2906 | load_ca: |
2907 | #if defined(X509_V_FLAG_PARTIAL_CHAIN) | |
2908 | X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); | |
2909 | #endif | |
2916 | 2910 | if (conf->ca_file || conf->ca_path) { |
2917 | 2911 | if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) { |
2918 | 2912 | tls_error_log(NULL, "Failed reading Trusted root CA list \"%s\"", |
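Review bot: Setting `X509_V_FLAG_PARTIAL_CHAIN` unconditionally on the certificate store (new lines 2907-2909) changes verification semantics for every TLS listener and EAP-TLS deployment: any intermediate CA present in `ca_file` or `ca_path` now becomes a trust anchor in its own right, so a client certificate that chains only to such an intermediate will validate even though the root is not trusted. That may well be desired, but it should be called out in the release notes and in the `ca_file` documentation, and ideally be a configuration option rather than a silent default.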
3162 | 3156 | |
3163 | 3157 | SSL_CTX_set_quiet_shutdown(ctx, 1); |
3164 | 3158 | if (fr_tls_ex_index_vps < 0) |
3165 | fr_tls_ex_index_vps = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_vps); | |
3159 | fr_tls_ex_index_vps = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, NULL); | |
3166 | 3160 | } |
3167 | 3161 | |
3168 | 3162 | /* |
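Review bot: Same concern as for the certs index: with NULL free functions for both `fr_tls_ex_index_vps` (new line 3159) and `fr_tls_ex_index_certs`, the lifetime of everything stored in these ex_data slots now rests entirely on the talloc parent set through `FR_TLS_EX_INDEX_TALLOC`; the `if (fr_tls_ex_index_vps < 0)` guard is fine, but please document the ownership model in the comment above `tls_global_init()` so the next reader does not re-add a free callback.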
3684 | 3678 | * data buffer. |
3685 | 3679 | */ |
3686 | 3680 | err = SSL_read(ssn->ssl, ssn->clean_out.data, sizeof(ssn->clean_out.data)); |
3687 | if (err < 0) { | |
3681 | if (err <= 0) { | |
3688 | 3682 | int code; |
3689 | 3683 | |
3690 | 3684 | RDEBUG("SSL_read Error"); |
3707 | 3701 | } |
3708 | 3702 | return FR_TLS_FAIL; |
3709 | 3703 | } |
3710 | ||
3711 | if (err == 0) RWDEBUG("No data inside of the tunnel"); | |
3712 | 3704 | |
3713 | 3705 | /* |
3714 | 3706 | * Passed all checks, successfully decrypted data |
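Review bot: Treating `err == 0` as an error (new line 3681) means a peer that cleanly closes the tunnel with close_notify will now hit `RDEBUG("SSL_read Error")` and return FR_TLS_FAIL, where before it only produced the "No data inside of the tunnel" warning (old line 3711); check that the `SSL_get_error()` switch in the `<= 0` branch distinguishes SSL_ERROR_ZERO_RETURN and SSL_ERROR_WANT_READ from genuine failures, so a legitimate shutdown is not logged as a read error.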
173 | 173 | |
174 | 174 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request); |
175 | 175 | SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs); |
176 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL); | |
176 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock); | |
177 | 177 | |
178 | 178 | doing_init = true; |
179 | 179 | } |
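Review bot: Changing `FR_TLS_EX_INDEX_TALLOC` from NULL to `sock` (new line 176) parents everything the TLS callbacks allocate to the listener socket; since `sock->certs` is also stored in the `fr_tls_ex_index_certs` slot on the preceding line, this is presumably what replaces the removed `sess_free_certs()` callback. Confirm that `sock` here is the per-connection socket (freed when the client disconnects) and not the long-lived listen socket, otherwise these allocations accumulate for the life of the process.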
1221 | 1221 | return -1; |
1222 | 1222 | } |
1223 | 1223 | |
1224 | /* | |
1225 | * Copy over any additional fields needed... | |
1226 | */ | |
1227 | if ((vpt->type == TMPL_TYPE_ATTR) && vp->da->flags.has_tag) { | |
1228 | vp->tag = vpt->tmpl_tag; | |
1229 | } | |
1230 | ||
1224 | 1231 | *out = vp; |
1225 | 1232 | return 0; |
1226 | 1233 | } |
66 | 66 | vp_tmpl_t attr; //!< An attribute template. |
67 | 67 | xlat_t const *xlat; //!< The xlat expansion to expand format with. |
68 | 68 | }; |
69 | ||
70 | typedef struct xlat_out { | |
71 | char const *out; //!< Output data. | |
72 | size_t len; //!< Length of the output string. | |
73 | } xlat_out_t; | |
74 | 69 | |
75 | 70 | static rbtree_t *xlat_root = NULL; |
76 | 71 | |
483 | 478 | RINDENT(); |
484 | 479 | RDEBUG2("as %s%*s: %s", type->name, pad, " ", value); |
485 | 480 | REXDENT(); |
481 | talloc_free(value); | |
486 | 482 | |
487 | 483 | next_type: |
488 | 484 | talloc_free(dst); |
223 | 223 | VALUE_PAIR *vp; |
224 | 224 | char timestamp[256]; |
225 | 225 | |
226 | if (!packet->vps) { | |
226 | if ((packet->code == PW_CODE_ACCOUNTING_REQUEST) && !packet->vps) { | |
227 | 227 | RWDEBUG("Skipping empty packet"); |
228 | 228 | return 0; |
229 | 229 | } |
95 | 95 | SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store); |
96 | 96 | #endif |
97 | 97 | SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); |
98 | SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL); | |
98 | SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC, handler); | |
99 | 99 | |
100 | 100 | return talloc_steal(handler, ssn); /* ssn */ |
101 | 101 | } |
146 | 146 | ep->type.length = 3; |
147 | 147 | ep->type.data = encodedmsg; |
148 | 148 | |
149 | return 0; | |
149 | return 1; | |
150 | 150 | } |
151 | 151 | |
152 | 152 |
452 | 452 | */ |
453 | 453 | vp = fr_pair_find_by_num(request->reply->vps, PW_USER_NAME, 0, TAG_ANY); |
454 | 454 | if (!vp) { |
455 | vp = fr_pair_copy(request->reply, request->username); | |
456 | fr_pair_add(&request->reply->vps, vp); | |
455 | vp = request->username; | |
456 | if (vp->da->attr != PW_USER_NAME) { | |
457 | vp = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); | |
458 | } | |
459 | if (vp) { | |
460 | vp = fr_pair_copy(request->reply, vp); | |
461 | fr_pair_add(&request->reply->vps, vp); | |
462 | } | |
457 | 463 | } |
458 | 464 | |
459 | 465 | /* |
465 | 471 | * vp->vp_strvalue is still a NUL-terminated C |
466 | 472 | * string. |
467 | 473 | */ |
468 | if (inst->mod_accounting_username_bug) { | |
474 | if (vp && inst->mod_accounting_username_bug) { | |
469 | 475 | char const *old = vp->vp_strvalue; |
470 | 476 | char *new; |
471 | 477 |
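Review bot: `vp = request->username;` followed by `vp->da->attr != PW_USER_NAME` (new lines 455-456) dereferences `request->username` without a NULL check; if it can be NULL on this path (an MS-CHAP exchange carried inside EAP, where the identity may arrive in EAP-Message rather than User-Name), this crashes the server on an attacker-controlled input. Guard it with `if (vp && (vp->da->attr != PW_USER_NAME))`, or go straight to the `fr_pair_find_by_num()` lookup when it is NULL. The added `vp &&` at new line 474 shows the function already expects `vp` can end up NULL, so the earlier dereference is inconsistent with it.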
0 | 0 | TARGETNAME := @targetname@ |
1 | 1 | |
2 | 2 | ifneq "$(OPENSSL_LIBS)" "" |
3 | ifneq "$(TARGETNAME)" "" | |
3 | 4 | TARGET := $(TARGETNAME).a |
5 | endif | |
4 | 6 | endif |
5 | 7 | |
6 | 8 | SOURCES := $(TARGETNAME).c eap_fast.c eap_fast_crypto.c |
41 | 41 | struct eapsim_keys keys; |
42 | 42 | int sim_id; |
43 | 43 | } eap_sim_state_t; |
44 | ||
45 | /* | |
46 | * build a reply to be sent. | |
47 | */ | |
48 | static void eap_sim_compose(REQUEST *request, eap_handler_t *handler) | |
49 | { | |
50 | /* we will set the ID on requests, since we have to HMAC it */ | |
51 | handler->eap_ds->set_request_id = 1; | |
52 | ||
53 | if (!map_eapsim_basictypes(handler->request->reply, | |
54 | handler->eap_ds->request)) { | |
55 | REDEBUG("Failed decoding EAP-SIM packet: %s", fr_strerror()); | |
56 | } | |
57 | } | |
58 | 44 | |
59 | 45 | static int eap_sim_sendstart(eap_handler_t *handler) |
60 | 46 | { |
453 | 439 | ess->state = newstate; |
454 | 440 | |
455 | 441 | /* build the target packet */ |
456 | eap_sim_compose(request, handler); | |
442 | /* we will set the ID on requests, since we have to HMAC it */ | |
443 | handler->eap_ds->set_request_id = 1; | |
444 | ||
445 | if (!map_eapsim_basictypes(handler->request->reply, | |
446 | handler->eap_ds->request)) { | |
447 | REDEBUG("Failed encoding EAP-SIM packet"); | |
448 | } | |
457 | 449 | } |
458 | 450 | |
459 | 451 | /* |
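Review bot: Inlining `eap_sim_compose()` drops the `%s` / `fr_strerror()` from the debug message (new line 447 reads `REDEBUG("Failed encoding EAP-SIM packet");`), so a failed `map_eapsim_basictypes()` no longer says why; keep the library error string in the message. Changing "decoding" to "encoding" is correct, since this path builds the reply.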
344 | 344 | static rlm_rcode_t file_common(rlm_files_t *inst, REQUEST *request, char const *filename, rbtree_t *tree, |
345 | 345 | RADIUS_PACKET *request_packet, RADIUS_PACKET *reply_packet) |
346 | 346 | { |
347 | char const *name, *match; | |
347 | char const *name; | |
348 | 348 | VALUE_PAIR *check_tmp; |
349 | 349 | VALUE_PAIR *reply_tmp; |
350 | 350 | PAIR_LIST const *user_pl, *default_pl; |
386 | 386 | /* |
387 | 387 | * Figure out which entry to match on. |
388 | 388 | */ |
389 | ||
390 | 389 | if (!default_pl && user_pl) { |
391 | 390 | pl = user_pl; |
392 | match = name; | |
393 | 391 | user_pl = user_pl->next; |
394 | 392 | |
395 | 393 | } else if (!user_pl && default_pl) { |
396 | 394 | pl = default_pl; |
397 | match = "DEFAULT"; | |
398 | 395 | default_pl = default_pl->next; |
399 | 396 | |
400 | } else if (user_pl->lineno < default_pl->lineno) { | |
397 | } else if (user_pl->order < default_pl->order) { | |
401 | 398 | pl = user_pl; |
402 | match = name; | |
403 | 399 | user_pl = user_pl->next; |
404 | 400 | |
405 | 401 | } else { |
406 | 402 | pl = default_pl; |
407 | match = "DEFAULT"; | |
408 | 403 | default_pl = default_pl->next; |
409 | 404 | } |
410 | 405 | |
420 | 415 | } |
421 | 416 | |
422 | 417 | if (paircompare(request, request_packet->vps, check_tmp, &reply_packet->vps) == 0) { |
423 | RDEBUG2("%s: Matched entry %s at line %d", filename, match, pl->lineno); | |
418 | RDEBUG2("%s: Matched entry %s at line %d", filename, pl->name, pl->lineno); | |
424 | 419 | found = true; |
425 | 420 | |
426 | 421 | /* ctx may be reply or proxy */ |
1550 | 1550 | } |
1551 | 1551 | #endif /* HAVE_LDAP_START_TLS_S */ |
1552 | 1552 | |
1553 | if (inst->sasl_secprops) { | |
1554 | do_ldap_option(LDAP_OPT_X_SASL_SECPROPS, "SASL_SECPROPS", inst->sasl_secprops); | |
1555 | } | |
1556 | ||
1553 | 1557 | status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password, |
1554 | 1558 | &(conn->inst->admin_sasl), false); |
1555 | 1559 | if (status != LDAP_PROC_SUCCESS) { |
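Review bot: `LDAP_OPT_X_SASL_SECPROPS` is an OpenLDAP extension, so the new `do_ldap_option(LDAP_OPT_X_SASL_SECPROPS, ...)` call (new lines 1553-1555) should be wrapped in `#ifdef LDAP_OPT_X_SASL_SECPROPS`, the same way the surrounding code guards `LDAP_OPT_NETWORK_TIMEOUT` and `HAVE_LDAP_START_TLS_S`, otherwise the module fails to build against other libldap implementations.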
121 | 121 | char const *admin_password; //!< Password used in administrative bind. |
122 | 122 | |
123 | 123 | ldap_sasl admin_sasl; //!< SASL parameters used when binding as the admin. |
124 | ||
125 | const char *sasl_secprops; //!< SASL Security Properties to set. | |
124 | 126 | |
125 | 127 | char const *dereference_str; //!< When to dereference (never, searching, finding, always) |
126 | 128 | int dereference; //!< libldap value specifying dereferencing behaviour. |
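Review bot: The new member is declared `const char *sasl_secprops;` (new line 125) while every neighbouring string field in this struct uses `char const *`; match the existing style. The doxygen comment could also mention the expected value format (an OpenLDAP `SASL_SECPROPS` list such as `minssf=128`) so readers do not have to look it up in ldap.conf(5).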
186 | 186 | { "chase_referrals", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, chase_referrals), NULL }, |
187 | 187 | |
188 | 188 | { "rebind", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, rebind), NULL }, |
189 | ||
190 | { "sasl_secprops", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, sasl_secprops), NULL }, | |
189 | 191 | |
190 | 192 | #ifdef LDAP_OPT_NETWORK_TIMEOUT |
191 | 193 | /* timeout on network activity */ |
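Review bot: Adding the `sasl_secprops` parser entry (new line 190) without a corresponding commented-out example in `raddb/mods-available/ldap` leaves the option undocumented for administrators; since its whole purpose is to enforce a minimum SASL security strength, the example should say what happens when the server cannot meet the requested properties (the bind fails).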
189 | 189 | else ht->delimiter = ':'; |
190 | 190 | if(!tablesize) return ht; |
191 | 191 | if(!(ht->fp = fopen(file,"r"))) { |
192 | ERROR("Failed opening %s - %s", file, fr_strerror()); | |
192 | 193 | free(ht->filename); |
193 | 194 | free(ht); |
194 | 195 | return NULL; |
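Review bot: The new error line (new line 192) reports `fr_strerror()` after a failed `fopen()`, but `fopen()` sets `errno` rather than the FreeRADIUS error buffer, so the message will show a stale or empty reason; use `fr_syserror(errno)` here. Logging which file failed to open is otherwise a welcome improvement.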
458 | 459 | return -1; |
459 | 460 | } |
460 | 461 | if (! (inst->ht = build_hash_table (inst->filename, nfields, keyfield, listable, inst->hash_size, inst->ignore_nislike, *inst->delimiter)) ){ |
461 | ERROR("rlm_passwd: can't build hashtable from passwd file"); | |
462 | ERROR("rlm_passwd: failed reading file."); | |
462 | 463 | return -1; |
463 | 464 | } |
464 | 465 | if (! (inst->pwdfmt = mypasswd_malloc(inst->format, nfields, &len)) ){ |
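Review bot: The replacement message `ERROR("rlm_passwd: failed reading file.");` (new line 462) drops the information that was previously there (that the hash table could not be built) and still does not name the file; since `build_hash_table()` now logs the fopen reason itself, this line should at least include `inst->filename` so the two messages can be correlated in a busy log.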
329 | 329 | } |
330 | 330 | |
331 | 331 | vp->op = op; |
332 | ||
333 | /* | |
334 | * @todo - use tmpl_cast_to_vp() instead ??? | |
335 | */ | |
336 | if (vp->da->flags.has_tag) vp->tag = dst.tmpl_tag; | |
337 | ||
332 | 338 | if (fr_pair_value_from_str(vp, s2, -1) < 0) { |
333 | 339 | DEBUG("%s - Failed: '%s:%s' %s '%s'", funcname, list_name, s1, |
334 | 340 | fr_int2str(fr_tokens, op, "="), s2); |
2147 | 2147 | SET_OPTION(CURLOPT_ISSUERCERT, section->tls_ca_file); |
2148 | 2148 | } |
2149 | 2149 | |
2150 | if (section->tls_ca_info_file) { | |
2151 | SET_OPTION(CURLOPT_CAINFO, section->tls_ca_info_file); | |
2152 | } | |
2153 | ||
2150 | 2154 | if (section->tls_ca_path) { |
2151 | 2155 | SET_OPTION(CURLOPT_CAPATH, section->tls_ca_path); |
2152 | 2156 | } |
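Review bot: With `tls_ca_file` mapped to `CURLOPT_ISSUERCERT` (line 2147) and the new `tls_ca_info_file` mapped to `CURLOPT_CAINFO` (new lines 2150-2152), the option administrators would naturally reach for, `ca_file`, is not the trust bundle; the new option is. The rest module documentation should state explicitly that `ca_info_file` is the CA bundle used to verify the server chain, that `ca_file` only pins the issuer certificate, and what happens when neither is set (libcurl falls back to its built-in default bundle).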
130 | 130 | char const *tls_private_key_file; |
131 | 131 | char const *tls_private_key_password; |
132 | 132 | char const *tls_ca_file; |
133 | char const *tls_ca_info_file; | |
133 | 134 | char const *tls_ca_path; |
134 | 135 | char const *tls_random_file; |
135 | 136 | bool tls_check_cert; |
35 | 35 | */ |
36 | 36 | static CONF_PARSER tls_config[] = { |
37 | 37 | { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_file), NULL }, |
38 | { "ca_info_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_info_file), NULL }, | |
38 | 39 | { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_path), NULL }, |
39 | 40 | { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_certificate_file), NULL }, |
40 | 41 | { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_private_key_file), NULL }, |
122 | 122 | session->session_id = inst->last_session_id; |
123 | 123 | RDEBUG2("Creating a new session with id=%d\n",session->session_id); |
124 | 124 | } |
125 | ||
126 | memset(session->state, 0, sizeof(session->state)); | |
125 | 127 | snprintf(session->state,sizeof(session->state)-1,"FRR-CH %d|%d",session->session_id,session->trips+1); |
126 | 128 | RDEBUG2("Inserting session id=%d identity='%s' state='%s' to the session list", |
127 | 129 | session->session_id,SAFE_STR(session->identity),session->state); |
131 | 133 | * Generate State, since we've been asked to add it to |
132 | 134 | * the list. |
133 | 135 | */ |
134 | state = pair_make_reply("State", session->state, T_OP_EQ); | |
136 | state = fr_pair_make(request->reply, &request->reply->vps, "State", NULL, T_OP_EQ); | |
135 | 137 | if (!state) return -1; |
136 | state->vp_length = SECURID_STATE_LEN; | |
138 | ||
139 | fr_pair_value_memcpy(state, session->state, sizeof(session->state)); | |
137 | 140 | |
138 | 141 | status = rbtree_insert(inst->session_tree, session); |
139 | 142 | if (status) { |
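Review bot: The State attribute is now built with `fr_pair_value_memcpy(state, session->state, sizeof(session->state))` (new line 139) after a `memset` and `snprintf` into the same buffer, so the on-the-wire State value has the full buffer length including trailing NUL padding; the removed `state->vp_length = SECURID_STATE_LEN` suggests the length used to be fixed, so verify that `sizeof(session->state)` equals SECURID_STATE_LEN and that the lookup on the next round-trip compares the same number of bytes, or resumed sessions will fail to match.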
1438 | 1438 | if (!*expanded) { |
1439 | 1439 | RDEBUG("Ignoring null query"); |
1440 | 1440 | rcode = RLM_MODULE_NOOP; |
1441 | talloc_free(expanded); | |
1442 | 1441 | |
1443 | 1442 | goto finish; |
1444 | 1443 | } |
117 | 117 | token = gettoken(&value, buf, sizeof(buf), false); |
118 | 118 | switch (token) { |
119 | 119 | /* |
120 | * Mark the pair to be allocated later. | |
121 | */ | |
122 | case T_BACK_QUOTED_STRING: | |
123 | do_xlat = 1; | |
124 | /* FALL-THROUGH */ | |
125 | ||
126 | /* | |
120 | 127 | * Take the unquoted string. |
121 | 128 | */ |
122 | 129 | case T_SINGLE_QUOTED_STRING: |
123 | 130 | case T_DOUBLE_QUOTED_STRING: |
124 | 131 | value = buf; |
125 | 132 | break; |
126 | ||
127 | /* | |
128 | * Mark the pair to be allocated later. | |
129 | */ | |
130 | case T_BACK_QUOTED_STRING: | |
131 | do_xlat = 1; | |
132 | ||
133 | /* FALL-THROUGH */ | |
134 | 133 | |
135 | 134 | /* |
136 | 135 | * Keep the original string. |
330 | 330 | * Don't repeat yourself |
331 | 331 | */ |
332 | 332 | #undef DO |
333 | #define DO(_x) sqlippool_command(inst->_x, handle, inst, request, NULL, 0) | |
334 | #define DO_PART(_x) sqlippool_command(inst->_x, &handle, inst, request, NULL, 0) | |
333 | #define DO(_x) if (sqlippool_command(inst->_x, handle, inst, request, NULL, 0) < 0) return RLM_MODULE_FAIL | |
334 | #define DO_PART(_x) if (sqlippool_command(inst->_x, &handle, inst, request, NULL, 0) < 0) goto error | |
335 | 335 | |
336 | 336 | /* |
337 | 337 | * Query the database expecting a single result row |
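Review bot: The rewritten `DO` macro returns `RLM_MODULE_FAIL` directly on error while `DO_PART` jumps to `error`, which releases the SQL handle; if any caller of `DO` holds a pooled connection at that point, the early return leaks it. Either make `DO` release the handle too, or document in the comment above the macros that `DO` is only for functions that do not own a connection.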
626 | 626 | /* |
627 | 627 | * UPDATE |
628 | 628 | */ |
629 | sqlippool_command(inst->allocate_update, &handle, inst, request, | |
630 | allocation, allocation_len); | |
629 | if (sqlippool_command(inst->allocate_update, &handle, inst, request, | |
630 | allocation, allocation_len) < 0) { | |
631 | error: | |
632 | fr_connection_release(inst->sql_inst->pool, handle); | |
633 | return RLM_MODULE_FAIL; | |
634 | } | |
631 | 635 | |
632 | 636 | DO_PART(allocate_commit); |
633 | 637 |
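Review bot: The `error:` label (new line 631) is placed inside the body of the `if` that follows the UPDATE, and `DO_PART(allocate_commit)` on the next line jumps into that block; as with the signal-handling hunk, this is legal but hard to follow, and a dedicated cleanup block at the end of the function would make the release-and-fail path obvious. Checking the return value of `allocate_update` is the right fix, since a failed update previously returned an address that was never marked allocated.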
119 | 119 | /* |
120 | 120 | * Now we check for replay attacks |
121 | 121 | */ |
122 | vp = fr_pair_find_by_da(request->config, da, TAG_ANY); | |
122 | vp = fr_pair_find_by_da(request->config, vp->da, TAG_ANY); | |
123 | 123 | if (!vp) { |
124 | 124 | RWDEBUG("Yubikey-Counter not found in control list, skipping replay attack checks"); |
125 | 125 | return RLM_MODULE_OK; |
85 | 85 | # Otherwise, check the log file for a parse error which matches the |
86 | 86 | # ERROR line in the input. |
87 | 87 | # |
88 | $(BUILD_DIR)/tests/keywords/%: $(DIR)/% $(BUILD_DIR)/tests/keywords/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/keywords $(KEYWORD_RADDB) $(KEYWORD_LIBS) build.raddb rlm_cache_rbtree.la rlm_test.la rlm_unix.la | |
88 | $(BUILD_DIR)/tests/keywords/%: ${DIR}/% $(BUILD_DIR)/tests/keywords/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/keywords $(KEYWORD_RADDB) $(KEYWORD_LIBS) build.raddb rlm_cache_rbtree.la rlm_test.la rlm_unix.la | |
89 | 89 | @echo UNIT-TEST $(notdir $@) |
90 | 90 | @if ! KEYWORD=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/keywords/ -i $@.attrs -f $@.attrs -xx > $@.log 2>&1; then \ |
91 | 91 | if ! grep ERROR $< 2>&1 > /dev/null; then \ |
100 | 100 | # byte |
101 | 101 | if (Tmp-String-9 != '3a') { |
102 | 102 | update reply { |
103 | Filter-ID += 'fail 10' | |
103 | Filter-ID += "fail 10 - expected 3a got %{Tmp-String-9}" | |
104 | 104 | } |
105 | 105 | } |
106 | 106 | |
135 | 135 | # ipv4prefix |
136 | 136 | if (Tmp-String-3 != '00203938373e') { |
137 | 137 | update reply { |
138 | Filter-Id += 'fail 14' | |
138 | Filter-Id += 'fail 14 expected 00203938373e got %{Tmp-String-3}' | |
139 | 139 | } |
140 | 140 | } |
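Review bot: The new message `Filter-Id += 'fail 14 expected 00203938373e got %{Tmp-String-3}'` (new line 138) is single-quoted, and unlang does not expand `%{...}` inside single quotes, so the failure text will contain the literal string `%{Tmp-String-3}` instead of the actual value; use double quotes as the `fail 10` case in this same file does. The attribute name is also spelled `Filter-Id` here and `Filter-ID` in the earlier test; both resolve, but one spelling keeps grep-based test tooling simpler.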