freeradius / c2d0421
New upstream version 3.0.17+dfsg Michael Stapelberg 5 years ago
92 changed file(s) with 1799 addition(s) and 427 deletion(s).
1919 It is not for support requests or questions regarding configuration/operation of the server, they
2020 belong on the users mailing list:
2121
22 http://freeradius.org/list/users.html
22 https://freeradius.org/support/
2323
2424 Raising support requests or questions as issues will result in them being closed and locked. If you
2525 continue to raise these questions as issues you will be banned from the FreeRADIUS project's GitHub
4646
4747 3.CONTENTS OF A DEFECT REPORT
4848
49 See doc/bugs (https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/bugs) for information
49 See doc/bugs (https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/bugs) for information
5050 on what to include, and how to obtain it.
5151
5252 When logging bug reports using the GitHub issue tracker, pay attention to formatting. You should
6161 a member of the FreeRADIUS development team first. For simpler one or two line fixes, go ahead and
6262 open a pull-request immediately.
6363
64 The dev team can be contacted via the devel mailing list (http://freeradius.org/list/devel.html),
64 The dev team can be contacted via the devel mailing list (https://freeradius.org/support/),
6565 or via GitHub by using the GitHub issue tracker.
6666
6767 Contacting the dev team gives us the opportunity to offer feedback. We may have a solution to your
6868 problem that doesn't require additional code, or may have ideas as to how your problem can be solved
69 in a way that will better fit with the longterm vision for the server.
69 in a way that will better fit with the long-term vision for the server.
7070
7171 Once you've got the go ahead, read through the coding standards document:
7272
73 http://wiki.freeradius.org/contributing/coding-standards
73 https://wiki.freeradius.org/contributing/coding-standards
7474
7575 If you're creating a new module you may wish to read the module creation guide:
7676
77 http://wiki.freeradius.org/contributing/Modules3
77 https://wiki.freeradius.org/contributing/Modules3
7878
7979 You may also wish to utilise the doxygen site to review code documentation:
8080
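Review bot: line 64 still introduces the link as "the devel mailing list" but now points at the general https://freeradius.org/support/ page rather than a devel-specific list page; either reword to "via the mailing lists (https://freeradius.org/support/)" or keep a direct link to the devel list if one still exists, so the text and the target agree.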
8888 Git/GitHub knowledge is assumed. If you're wondering what the heck a pull-request is, this
8989 document may be of some use:
9090
91 http://wiki.freeradius.org/contributing/GitHub
91 https://wiki.freeradius.org/contributing/GitHub
9292
9393
9494 5.CONTINUOUS INTEGRATION TESTS
4141 files for more detailed copyright statements.
4242
4343
44 Copyright (C) 1999-2015 The FreeRADIUS Server Project
44 Copyright (C) 1999-2018 The FreeRADIUS Server Project
4545
4646 Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Alan DeKok
4747 <aland@deployingradius.com>
5050 Software Foundation, Inc.
5151
5252 Copyright (C) 2011-2015 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
53
54 Copyright (C) 2012-2018 Matthew Newton <matthew-git@newtoncomputing.co.uk>
5355
5456 Copyright (C) 2003, 2004, 2005 Kostas Kalevras <kkalev@noc.ntua.gr>
5557
00 Please see:
1 http://wiki.freeradius.org/project/Acknowledgements
1 https://wiki.freeradius.org/project/Acknowledgements
301301 @echo "git tag release_`echo $(RADIUSD_VERSION_STRING) | tr .- __`"
302302
303303 #
304 # Docker-related targets
305 #
306 .PHONY: docker
307 docker:
308 docker build scripts/docker/ubuntu16 --build-arg=release=release_`echo $(RADIUSD_VERSION_STRING) | tr .- __` -t freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)
309 docker build scripts/docker/alpine --build-arg=release=release_`echo $(RADIUSD_VERSION_STRING) | tr .- __` -t freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)-alpine
310
311 .PHONY: docker-push
312 docker-push: docker
313 docker push freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)
314 docker push freeradius/freeradius-server:$(RADIUSD_VERSION_STRING)-alpine
315
316 .PHONY: docker-tag-latest
317 docker-tag-latest: docker
318 docker tag freeradius/freeradius-server:$(RADIUSD_VERSION_STRING) freeradius/freeradius-server:latest
319
320 .PHONY: docker-push-latest
321 docker-push-latest: docker-push docker-tag-latest
322 docker push freeradius/freeradius-server:latest
323
324 .PHONY: docker-publish
325 docker-publish: docker-push-latest
326
327 #
304328 # Build a debian package
305329 #
306330 .PHONY: deb
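Review bot: the release-tag expression "release_`echo $(RADIUSD_VERSION_STRING) | tr .- __`" at lines 308 and 309 duplicates the one already used at line 301; lift it into a single make variable so the three cannot drift apart. Also, docker-publish (line 325) chains docker-push-latest, which both pushes the versioned tags and re-points "latest" in one step with no guard; consider keeping docker-push-latest separate from docker-publish so a point release can be pushed without moving "latest" by accident.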
310334 # Developer checks
311335 .PHONY: warnings
312336 warnings:
313 @(make clean all 2>&1) | egrep -v '^/|deprecated|^In file included|: In function| from |^HEADER|^CC|^LINK' > warnings.txt
337 @(make clean all 2>&1) | egrep -v '^/|deprecated|^In file included|: In function| from |^HEADER|^CC|^LN' > warnings.txt
314338 @wc -l warnings.txt
315339
316340 #
3737 version, in order to take advantage of the new features which can
3838 greatly simply configuration.
3939
40 Please see http://freeradius.org and http://wiki.freeradius.org for
40 Please see https://freeradius.org and https://wiki.freeradius.org for
4141 more information.
4242
4343
8888 which includes WARNINGs about common issues, and suggestions for how
8989 they may be fixed.
9090
91 Read the FAQ. Many questions are answered there. See the Wiki
91 Many questions are answered on the Wiki:
9292
93 http://wiki.freeradius.org
93 https://wiki.freeradius.org
9494
95 Read the configuration files. Many parts of the server have NO
96 documentation, other than comments in the configuration file.
95 Read the configuration files. Many parts of the server are
96 documented only with extensive comments in the configuration files.
9797
98 Search the mailing lists. There is a Google link on the bottom of
99 the page:
98 Search the mailing lists. For example, using Google, searching
99 "site:lists.freeradius.org <search term>" will return results from
100 the FreeRADIUS mailing lists.
100101
101 http://www.freeradius.org/list/users.html
102
103 Type some key words into the search box, and you should find
104 discussions about common problems and solution.
102 https://freeradius.org/support/
105103
106104
107105 Feedback, Defects, and Community Support
109107
110108 If you have any comments, or are having difficulty getting FreeRADIUS
111109 to do what you want, please post to the 'freeradius-users' list
112 (see the URL above). The FreeRADIUS mailing list is operated and
110 (see the URL above). The FreeRADIUS mailing list is operated, and
113111 contributed to, by the FreeRADIUS community. Users of the list will be
114112 more than happy to answer your questions, with the caveat that you've
115113 read documentation relevant to your issue first.
117115 If you suspect a defect in the server, would like to request a feature,
118116 or submit a code patch, please use the GitHub issue tracker for the
119117 freeradius-server `repository
120 <https://github.com/FreeRADIUS/freeradius-server>`_.
118 <https://github.com/FreeRADIUS/freeradius-server>`_. However, it
119 is nearly always best to raise the issue on the mailing lists
120 first to determine whether it really is a defect or missing
121 feature..
121122
122123 Instructions for gathering data for defect reports can be found in
123124 ``doc/bugs`` or on the `wiki
124 <http://wiki.freeradius.org/project/bug-reports>`_.
125 <https://wiki.freeradius.org/project/bug-reports>`_.
125126
126127 Under no circumstances should the issue tracker be used for support
127128 requests, those questions belong on the user's mailing list. If you
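Review bot: the added line 121 ends with a doubled full stop ("feature.."); drop one. While in this hunk, the unchanged line 128 says "the user's mailing list", which should read "the users mailing list" to match the list name used at line 109.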
157158 See ``doc/README`` for more information about FreeRADIUS.
158159
159160 There is an O'Reilly book available. It serves as a good
160 introduction for anyone new to RADIUS. However, it is almost 12 years
161 introduction for anyone new to RADIUS. However, it is almost 18 years
161162 old, and is not much more than a basic introduction to the subject.
162163
163 http://www.amazon.com/exec/obidos/ASIN/0596003226/freeradiusorg-20/
164 https://www.amazon.com/exec/obidos/ASIN/0596003226/freeradiusorg-20/
164165
165166 Commercial support
166167 ------------------
167168
168169 Technical support, managed systems support, custom deployments,
169170 sponsored feature development and many other commercial services
170 are available from `Network RADIUS
171 <http://www.networkradius.com>`_.
171 are available from `Network RADIUS <http://www.networkradius.com>`_.
172172
173173
174174 .. |CoverityStatus| image:: https://scan.coverity.com/projects/58/badge.svg?
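Review bot: line 161 hard-codes the book's age ("almost 18 years old"), which is exactly what let the previous value ("almost 12 years") go stale; stating the publication year instead would not need to be revised on every release.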
0 3.0.16
0 3.0.17
43284328 fi
43294329
43304330
4331 { $as_echo "$as_me:${as_lineno-$LINENO}: checking or the compiler flag \"-Wno-unknown-warning-option\"" >&5
4332 $as_echo_n "checking or the compiler flag \"-Wno-unknown-warning-option\"... " >&6; }
4331 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the compiler flag \"-Wno-unknown-warning-option\"" >&5
4332 $as_echo_n "checking for the compiler flag \"-Wno-unknown-warning-option\"... " >&6; }
43334333 if ${ax_cv_cc_no_unknown_warning_option_flag+:} false; then :
43344334 $as_echo_n "(cached) " >&6
43354335 else
44274427 CFLAGS="$CFLAGS -Qunused-arguments"
44284428 LDFLAGS="$LDFLAGS -Qunused-arguments"
44294429 fi
4430
4431
4432 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the compiler flag \"-Wno-date-time\"" >&5
4433 $as_echo_n "checking for the compiler flag \"-Wno-date-time\"... " >&6; }
4434 if ${ax_cv_cc_no_date_time_flag+:} false; then :
4435 $as_echo_n "(cached) " >&6
4436 else
4437
4438
4439 CFLAGS_SAVED=$CFLAGS
4440 CFLAGS="$CFLAGS -Werror -Wno-date-time"
4441
4442 ac_ext=c
4443 ac_cpp='$CPP $CPPFLAGS'
4444 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
4445 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
4446 ac_compiler_gnu=$ac_cv_c_compiler_gnu
4447
4448 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
4449 /* end confdefs.h. */
4450
4451 int
4452 main ()
4453 {
4454 return 0;
4455 ;
4456 return 0;
4457 }
4458 _ACEOF
4459 if ac_fn_c_try_compile "$LINENO"; then :
4460 ax_cv_cc_no_date_time_flag="yes"
4461 else
4462 ax_cv_cc_no_date_time_flag="no"
4463 fi
4464 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
4465 ac_ext=c
4466 ac_cpp='$CPP $CPPFLAGS'
4467 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
4468 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
4469 ac_compiler_gnu=$ac_cv_c_compiler_gnu
4470
4471
4472 CFLAGS="$CFLAGS_SAVED"
4473
4474 fi
4475 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_cc_no_date_time_flag" >&5
4476 $as_echo "$ax_cv_cc_no_date_time_flag" >&6; }
4477
44304478
44314479 # Check whether --enable-largefile was given.
44324480 if test "${enable_largefile+set}" = set; then :
1272812776
1272912777
1273012778
12731 if test "x$reproducible_builds" != "xyes"; then
12779 if test "x$ax_cv_cc_no_date_time_flag" = "xyes" && test "x$reproducible_builds" != "xyes"; then
1273212780 CFLAGS="-Wno-date-time $CFLAGS"
1273312781 fi
1273412782
162162 CFLAGS="$CFLAGS -Qunused-arguments"
163163 LDFLAGS="$LDFLAGS -Qunused-arguments"
164164 fi
165
166 dnl #
167 dnl # Check for presence of -Wno-date-time warning. Older compilers
168 dnl # don't have it, and newer compilers warn without it...
169 dnl #
170 AX_CC_NO_DATE_TIME_FLAG
165171
166172 dnl #
167173 dnl # Compile in large (2G+) file support.
22432249 dnl # If reproducible builds are not enabled, disable
22442250 dnl # -Wdate-time so the compiler doesn't croak.
22452251 dnl #
2246 if test "x$reproducible_builds" != "xyes"; then
2252 if test "x$ax_cv_cc_no_date_time_flag" = "xyes" && test "x$reproducible_builds" != "xyes"; then
22472253 CFLAGS="-Wno-date-time $CFLAGS"
22482254 fi
22492255
0 FreeRADIUS 3.0.17 Tue 17 Apr 2018 14:00:00 EDT urgency=low
1 Feature improvements
2 * Add CURLOPT_CAINFO. Patch from Nicolas C.
3 #2167
4 * "stats home server" now supports "src IPADDR",
5 to specify home server also by source IP. Fixes #2169.
6 * Add Dockerfiles for a selection of common systems.
7 * Increase number of permitted file descriptors, for
8 systems with many home servers.
9 * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs.
10 Patch from Isaac Boukris. Fixes #2205.
11 * Update main READMEs. Patches from Matthew Newton.
12 * Added dictionary.mimosa
13
14 Bug fixes
15 * Don't call post-proxy twice when proxying to
16 a virtual server. Matthew Newton, #2161.
17 * Use "raw" string value for shared secrets and dynamic clients.
18 It now parses strings with backslashes and "special characters"
19 correctly. Fixes #2168.
20 * Fix RuntimeDirectory for RedHat, from Alan Buxey.
21 * Relax checks in 'if' parser from Isaac Bourkis
22 * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
23 * Be more aggressive about cleaning up cached certificate attributes,
24 due to deficiencies in OpenSSL. Reported by Nicolas Reich.
25 * Be more accepting when parsing IPv6 addresses. Bug noted
26 by Klara Mall.
27 * Fix double free in rlm_sql. Fixes #2180.
28 * rlm_detail now writes empty Access-Accept packets.
29 * rlm_python can now create tagged attributes.
30 * Don't crash on duplicate realm + authhost / accthost.
31 Bug found by Richard Palmer.
32 * Allow partial certificate chain to trusted CA. Fixes #2162
33 * Treat SSL_read() returning zero as error. Fixes #2164.
34 * detail writer now checks if the file was renamed or deleted.
35 * Add User-Name to Access-Accept if EAP-Message exists,
36 not Stripped-User-Name.
37 * RedHat Systemd updates. Fixes #2184
38 * Use correct API for State variable in rlm_securid.
39 * Remove broken radclient option "-i".
40 * Fix "users" file (and hints, etc). So that it does not
41 get confused about entry ordering with multiple $INCLUDEs.
42 * Fix rlm_sql to expand the un-escaped string, not the raw string.
43 * Link default and inner-tunnel only if they exist. Fixes #2206.
44 * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
45 * Always install signal handler for SIGINT (needed by Docker).
46 * Fix intermediate CA flow for OCSP. Fixes #2160.
47 Intermediate certs which are not self-signed will now be
48 checked.
49 * sqlippool now returns "fail" if it fails IP allocation.
50 * Fix rlm_yubikey to look for correct attribute in replay
51 attack check.
52
053 FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low
154 Feature improvements
255 * rlm_python now supports multiple lists. From #2031.
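Review bot: line 21 spells the contributor's name "Isaac Bourkis" while lines 10 and 22 have "Isaac Boukris"; make them consistent. Minor: line 32 ("Fixes #2162") lacks the trailing full stop the other entries use.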
00 1. INTRO
11
2 The FreeRADIUS Server Project is a high performance and highly
3 configurable multi-protocol policy server, supporting RADIUS, DHCPv4
4 and VMPS. It is available under the terms of the GNU GPLv2.
5
26 All code in this server was written for this project.
3
4 The server is mostly compatible with Livingston radiusd-2.01
5 (no menus or s/key support though) but with more features, such as:
6
7 o Can limit the maximum number of simultaneous logins on a per-user basis!
8 o Multiple DEFAULT entries, that can optionally fall-through.
9 o In fact, every entry can fall-through
10 o Deny/permit access based on huntgroup users dials into
11 o Set certain parameters (such as static IP address) based on huntgroup
12 o Extra "hints" file that can select SLIP/PPP/rlogin based on
13 username pattern (Puser or user.ppp is PPP, plain "user" is rlogin etc).
14 o Can execute an external program when user has authenticated (for example
15 to run a sendmail queue).
16 o Can use `$INCLUDE filename' in radiusd.conf, users, and dictionary files
17 o Can act as a proxy server, relaying requests to a remote server
18 o Supports Vendor-Specific attributes
19 o Supports many different plug-in modules for authentication,
20 authorization, and accounting.
217
228
239 2. INSTALLATION
2713
2814 3. CONFIGURATION FILES
2915
30 For every file there is a fully commented example file included, that
31 explains what is does, and how to use it. Read those sample files too!
16 Much of the server documentation is included only in the comments in the
17 configuration files. Reading the configuration files is REQUIRED to fully
18 understand how to create complex configurations of the server.
3219
33 Again, many of the configuration files are ONLY documented in the
34 comments included in the files. Reading the configuration files is
35 REQUIRED to fully understand how to create complex configurations of
36 the server.
20 3a. 'clients.conf'
3721
38 3a. CLIENTS
22 Make sure the clients (NAS, switches, access points etc) are set up to
23 use the host radiusd is running on as authentication and accounting host.
24 Configure these clients with a "radius secret", which should also be
25 entered into the client definition in /etc/raddb/clients.conf.
26 See also the manual page for clients.conf(5).
3927
40 Make sure the clients (portmasters, Linux with portslave etc) are set up to
41 use the host radiusd is running on as authentication and accounting host.
42 Configure these clients to use a "radius secret password". For every client,
43 also enter this "secret password" into the file /etc/raddb/clients.
44 See also the manual page for clients(5).
28 3b. 'users'
4529
46 3b. NASLIST
47
48 Every NAS (Network Access Server, also known as terminal server) should have
49 an entry in this file with an abbreviated name and the type of NAS it
50 is. Currently FreeRADIUS supports the following NAS types:
51
52 Terminal Server Type in naslist
53
54 3Com/USR Hiper Arc Total Control usrhiper
55 3Com/USR NetServer netserver
56 3Com/USR TotalControl tc
57 Ascend Max 4000 family max40xx
58 Cisco Access Server family cisco
59 Cistron PortSlave portslave
60 Computone PowerRack computone
61 Cyclades PathRAS pathras
62 Livingston PortMaster livingston
63 Multitech CommPlete Server multitech
64 Patton 2800 family patton
65
66 Usually this is the same list as in the "clients" file, but not every
67 NAS is a client and not every client is a NAS (this will start to make
68 sense if you use radius proxy servers).
69
70 3c. NASPASSWD
71
72 If ``checkrad'' needs to login on your terminal server to check who
73 is online on a certain port (i.e. it's not possible to use SNMP or
74 finger) you need to define a loginname and password here.
75
76 This is normally ONLY needed for USR/3Com Total Control, NetServer and
77 Cyclades PathRAS terminal servers!
78
79 3d. HINTS
80
81 Customize the /etc/raddb/mods-config/preprocess/hints file. This file is
82 used to give users different login type based on a prefix/suffix of their
83 loginname. For example, logging in as "user" may result in a rlogin session
84 to a Unix system, and logging in as "Puser" could start a PPP session.
85
86 3e. HUNTGROUPS
87
88 This is the /etc/raddb/mods-config/preprocess/huntgroups file. Here you can
89 define different huntgroups. These can be used to:
90
91 - restrict access to certain huntgroups to certain users/groups of
92 users (define this in the huntgroups file itself)
93 - match a loginname with a huntgroup in /etc/raddb/users. One use
94 for this is to give a user a static IP address based on the
95 huntgroup / Point of Presence (s)he dials in to.
96
97 3f. USERS
98
99 With the original RADIUS server, every user had to be defined in this
100 file. There could be one default entry, where you could for example
101 define that a user not in the radius file would be checked agains the
102 UNIX password file and on successful login would get a PPP connection.
103
104 In the new style file, you can define multiple DEFAULT entries. All
105 entries are processed in the order as they appear in the users file.
30 Users may be defined in the "users" file (raddb/mods-config/files/authorize).
31 All entries are processed in the order as they appear in the file.
10632 If an entry matches the username, radiusd will stop scanning the users
107 file unless the attribute "Fall-Through = Yes" is set.
33 file (unless the attribute "Fall-Through = Yes" is set).
10834
10935 You can uses spaces in usernames by escaping them with \ or by using
11036 quotes. For example, "joe user" or joe\ user.
11137
112 The FreeRADIUS server does not trim any spaces from a username received
113 from the portmaster (Livingston does, in perl notation, $user =~ s/\s+.*//;)
38 The 'users' file is read by the "rlm_files" module.
11439
115 3g. NEW RADIUS ATTRIBUTES (to be used in the USERS file).
40 3c. NEW RADIUS ATTRIBUTES (to be used in the USERS file).
11641
11742 Name Type Descr.
11843 ---- ---- ------
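Review bot: new line 24 tells the reader to configure a "radius secret" and copy it into clients.conf but says nothing about what makes a usable one; since the shared secret is the only thing authenticating a NAS to the server (and the per-packet authenticators derive from it), a sentence recommending a long random secret per client, rather than values like the "testing123" shown in the proxy.conf examples in this same change, belongs here. While in this hunk, the unchanged line 35 has "You can uses spaces" (should be "use").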
207132
208133 The files in other directories are:
209134
210 debian/ Files to build a "freeradius" Debian Linux package.
135 debian/ Files to build Debian Linux packages.
211136
212137 doc/ Various snippets of documentation
213138 doc/rfc/ Copies of the RFC's. If you have Perl, do a 'make' in
214139 that directory, and look at the HTML output.
215
216 libltdl/ Libtool platform independent library system.
217140
218141 man/ Unix Manual pages for the server, configuration files,
219142 and associated utilities.
220143
221144 mibs/ SNMP Mibs for the server.
222145
223 raddb/ Sample configuration files for the server.
146 raddb/ Default configuration files for the server.
224147
225 redhat/ Additional files for a RedHat Linux system.
148 redhat/ Files to build RedHat RPM packages.
226149
227150 scripts/ Sample scripts for startup and maintenance.
151
152 share/ Attribute dictionaries.
228153
229154 src/ Source code
230155 src/main source code for the daemon and associated utilities
231156 src/lib source code for the RADIUS library
232157 src/include header files
233158 src/modules dynamic plug-in modules
159 src/tests test harness used by "make test"
234160
235 suse/ Aditional files for a SuSE (UnitedLinux) system.
236
237 todo/ TODO list and assorted files.
161 suse/ Files to build SuSE RPM packages.
238162
239163
240164 If you have ANY problems, concerns, or surprises when running
241165 the server, then run it in debugging mode, as root, from the
242166 command line:
243167
244 $ radiusd -X
168 # radiusd -X
245169
246170 It will produce a large number of messages. The answers to many
247171 questions, and the solution to many problems, can usually be found in
249173
250174 For further details, see:
251175
252 http://www.freeradius.org/faq/
176 https://freeradius.org/documentation/
253177
254178 and the 'bugs' file, in this directory.
255179
3030
3131 DEFAULT Called-Station-Id == "123456789", Autz-Type := Ldap
3232
33 DEFAULT Realm == "other.company.com", Autz-Type := SQL
33 DEFAULT Realm == "other.example.com", Autz-Type := SQL
3434
3535 Autz-Type could also be used to select between multiple instances of
3636 a module (ie sql or ldap) which have been configured differently. For
3333 ])
3434
3535 AC_DEFUN([AX_CC_NO_UNKNOWN_WARNING_OPTION_FLAG],[
36 AC_CACHE_CHECK([or the compiler flag "-Wno-unknown-warning-option"], [ax_cv_cc_no_unknown_warning_option_flag],[
36 AC_CACHE_CHECK([for the compiler flag "-Wno-unknown-warning-option"], [ax_cv_cc_no_unknown_warning_option_flag],[
3737
3838 CFLAGS_SAVED=$CFLAGS
3939 CFLAGS="-Werror -Wno-unknown-warning-option"
8989 [return 0;],
9090 [ax_cv_cc_wdocumentation_flag="yes"],
9191 [ax_cv_cc_wdocumentation_flag="no"])
92 AC_LANG_POP
93
94 CFLAGS="$CFLAGS_SAVED"
95 ])
96 ])
97
98 AC_DEFUN([AX_CC_NO_DATE_TIME_FLAG],[
99 AC_CACHE_CHECK([for the compiler flag "-Wno-date-time"], [ax_cv_cc_no_date_time_flag],[
100
101 CFLAGS_SAVED=$CFLAGS
102 CFLAGS="$CFLAGS -Werror -Wno-date-time"
103
104 AC_LANG_PUSH(C)
105 AC_TRY_COMPILE(
106 [],
107 [return 0;],
108 [ax_cv_cc_no_date_time_flag="yes"],
109 [ax_cv_cc_no_date_time_flag="no"])
92110 AC_LANG_POP
93111
94112 CFLAGS="$CFLAGS_SAVED"
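Review bot: AX_CC_NO_DATE_TIME_FLAG (line 102) probes with CFLAGS="$CFLAGS -Werror -Wno-date-time", i.e. on top of whatever flags the user passed in, whereas AX_CC_NO_UNKNOWN_WARNING_OPTION_FLAG at line 39 replaces CFLAGS entirely; with -Werror present, any warning provoked by the inherited flags would make this probe report "no" even on a compiler that supports the option. Pick one convention for both macros. The generated configure at line 4440 carries the same expression, so it needs regenerating if this changes. AC_TRY_COMPILE at line 105 is also obsolete in current autoconf; AC_COMPILE_IFELSE with AC_LANG_PROGRAM is the supported form, though it matches the existing macros in this file.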
659659 Dialup_admin
660660 ------------
661661
662 The dialip_admin directory has been removed. No one stepped forward
662 The dialup_admin directory has been removed. No one stepped forward
663663 to maintain it, and the code had not been changed in many years.
664664
437437 chase_referrals = yes
438438 rebind = yes
439439
440 # SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
441 # Note - uncomment when using GSS-API sasl mechanism along with TLS
442 # encryption against Active-Directory LDAP servers (this disables
443 # sealing and signing at the GSS level as required by AD).
444 #sasl_secprops = 'noanonymous,noplain,maxssf=0'
445
440446 # Seconds to wait for LDAP query to finish. default: 20
441447 res_timeout = 10
442448
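Review bot: the commented example at line 444, maxssf=0, switches off GSSAPI integrity and confidentiality protection entirely, so the connection then relies solely on the TLS layer the comment mentions in passing; the comment should state outright that this value must only be set when the LDAP connection already runs under TLS (ldaps or start_tls), because without that, bind credentials and directory data would cross the wire in clear. Suggest adding "# Only set maxssf=0 when TLS is enabled for this connection." above the example.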
103103
104104 #
105105 # Reference the Packet-Type (Access-Accept, etc.) If it doesn't
106 # exist, reference the "defaukt" entry.
106 # exist, reference the "default" entry.
107107 #
108108 # This is for "linelog" being used in the post-auth section
109109 # If you want to use it in "authorize", you need to change
5454 # attribute, and do prefix/suffix checks in order to obtain
5555 # the "best" user name for the request.
5656 #
57 # Depending on the AD / Samba configuration, you may also need to add:
58 #
59 # --allow-mschapv2
60 #
61 # to the list of command-line options.
62 #
5763 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
5864
5965 # The default is to wait 10 seconds for ntlm_auth to
55 #
66 # https://bugzilla.samba.org/show_bug.cgi?id=6563
77 #
8 # Depending on the AD / Samba configuration, you may also need to add:
9 #
10 # --allow-mschapv2
11 #
12 # to the list of command-line options.
13 #
814 exec ntlm_auth {
915 wait = yes
1016 program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
44 # server.
55 #
66 tls {
7 # ca_file = ${certdir}/cacert.pem
8 # ca_path = ${certdir}
7 # Certificate Authorities:
8 # "ca_file" (libcurl option CURLOPT_ISSUERCERT).
9 # File containing a single CA, which is the issuer of the server
10 # certificate.
11 # "ca_info_file" (libcurl option CURLOPT_CAINFO).
12 # File containing a bundle of certificates, which allow to handle
13 # certificate chain validation.
14 # "ca_path" (libcurl option CURLOPT_CAPATH).
15 # Directory holding CA certificates to verify the peer with.
16 # ca_file = ${certdir}/cacert.pem
17 # ca_info_file = ${certdir}/cacert_bundle.pem
18 # ca_path = ${certdir}
919
1020 # certificate_file = /path/to/radius.crt
1121 # private_key_file = /path/to/radius.key
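Review bot: the comment at lines 8-10 lists ca_file (CURLOPT_ISSUERCERT) alongside the two trust-store options, but libcurl's issuer check only confirms that the server certificate was issued by that exact certificate; it is not a trust anchor and does not build or validate the chain, which is what ca_info_file (CURLOPT_CAINFO) or ca_path (CURLOPT_CAPATH) provide. Say so explicitly, otherwise an operator may set only ca_file and believe the peer is verified. Also line 12: "which allow to handle" reads better as "which allows handling".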
4141 # by putting IPv6 addresses into the pool, and changing the following
4242 # line to "Framed-IPv6-Prefix"
4343 #
44 # Note that you MUST use separate pools for each attribute. i.e. one pool
45 # for Framed-IP-Address, a different one for Framed-IPv6-prefix, etc.
46 #
47 # This means configuring separate "sqlippool" instances, and different
48 # "ippool_table" in SQL. Then, populate the pool with addresses and
49 # it will all just work.
50 #
4451 attribute_name = Framed-IP-Address
4552
4653 #
47 # Assign the IP address, even if the attribute already exists
54 # Assign the IP address, even if the above attribute already exists
55 # in the reply.
4856 #
4957 # allow_duplicates = no
5058
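Review bot: line 45 writes "Framed-IPv6-prefix" with a lower-case "p" while line 42 has "Framed-IPv6-Prefix"; use the canonical attribute spelling in both places so the example can be copied as-is.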
00 --
11 -- Table structure for table 'radippool'
22 --
3 CREATE TABLE (
3 CREATE TABLE radippool (
44 id int(11) PRIMARY KEY,
55 pool_name varchar(30) NOT NULL,
66 framedipaddress varchar(15) NOT NULL default '',
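Review bot: the old line 3 read "CREATE TABLE (" with no table name, so this schema file could never have loaded as shipped; the fix is correct but is not mentioned in the ChangeLog hunk above, and a "Fix radippool schema" entry would help anyone who hit the error.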
738738 # prefix or suffix. User names like "bob" will match this one.
739739 #
740740 #realm NULL {
741 # authhost = radius.company.com:1600
742 # accthost = radius.company.com:1601
741 # authhost = radius.example.com:1600
742 # accthost = radius.example.com:1601
743743 # secret = testing123
744744 #}
745745
747747 # This realm is for ALL OTHER requests.
748748 #
749749 #realm DEFAULT {
750 # authhost = radius.company.com:1600
751 # accthost = radius.company.com:1601
750 # authhost = radius.example.com:1600
751 # accthost = radius.example.com:1601
752752 # secret = testing123
753753 #}
754754
0 D /var/run/radiusd 0710 radiusd radiusd -
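Review bot: this tmpfiles entry creates the directory with mode 0710, but redhat/radiusd.service in the same change keeps RuntimeDirectoryMode=0775, so the two definitions of the same directory disagree; pick one value (the tighter one is preferable for a socket/pid directory) and use it in both. The path should also be /run/radiusd rather than /var/run/radiusd, since /var/run is a legacy symlink and newer systemd versions warn about it in tmpfiles.d entries.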
2525
2626 Summary: High-performance and highly configurable free RADIUS server
2727 Name: freeradius
28 Version: 3.0.16
28 Version: 3.0.17
2929 Release: 2%{?dist}
3030 License: GPLv2+ and LGPLv2+
3131 Group: System Environment/Daemons
3434 Source0: ftp://ftp.freeradius.org/pub/radius/freeradius-server-%{version}.tar.bz2
3535 %if %{?_unitdir:1}%{!?_unitdir:0}
3636 Source100: radiusd.service
37 Source104: freeradius-tmpfiles-conf
3738 %else
3839 Source100: freeradius-radiusd-init
3940 %define initddir %{?_initddir:%{_initddir}}%{!?_initddir:%{_initrddir}}
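Review bot: Version is bumped to 3.0.17 at line 28 but Release stays at 2%{?dist} on the unchanged line 29; packaging convention is to reset Release to 1 on a new upstream version. Placing Source104 (line 37) inside the _unitdir conditional is right, since the tmpfiles entry is only installed on systemd systems (line 391).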
5758 BuildRequires: zlib-devel
5859 BuildRequires: net-snmp-devel
5960 BuildRequires: net-snmp-utils
60 %{?el7:BuildRequires: samba-winbind-devel}
61 %{?el7:BuildRequires: libwbclient-devel}
62 %{?el7:BuildRequires: samba-devel}
6163 %{?el6:BuildRequires: samba4-devel}
6264 BuildRequires: readline-devel
6365 BuildRequires: libpcap-devel
7375 Requires: readline
7476 Requires: libtalloc
7577 Requires: net-snmp
76 %{?el7:Requires: samba-libs}
77 %{?el7:Requires: samba-winbind-clients}
78 %{?el7:Requires: libwbclient}
7879 %{?el6:Requires: samba4-libs}
7980 %{?el6:Requires: samba4-winbind-clients}
8081 Requires: zlib
387388 # For systemd based systems, that define _unitdir, install the radiusd unit
388389 %if %{?_unitdir:1}%{!?_unitdir:0}
389390 install -D -m 755 redhat/radiusd.service $RPM_BUILD_ROOT/%{_unitdir}/radiusd.service
391 install -D -m 644 %{SOURCE104} $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d/radiusd.conf
390392 # For SystemV install the init script
391393 %else
392394 install -D -m 755 redhat/freeradius-radiusd-init $RPM_BUILD_ROOT/%{initddir}/radiusd
498500
499501 %if %{?_unitdir:1}%{!?_unitdir:0}
500502 %{_unitdir}/radiusd.service
503 %config(noreplace) %{_prefix}/lib/tmpfiles.d/radiusd.conf
501504 %else
502505 %{initddir}/radiusd
503506 %endif
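Review bot: %config(noreplace) on %{_prefix}/lib/tmpfiles.d/radiusd.conf at line 503 is unusual: files under /usr/lib/tmpfiles.d are vendor defaults that administrators override by dropping a same-named file in /etc/tmpfiles.d, so marking the vendor copy as config makes upgrades leave a stale .rpmnew behind instead of updating it. List it as a plain file, ideally via %{_tmpfilesdir}/radiusd.conf, which is also what line 391 should install into.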
1515 # We provide HOSTNAME here for convenience.
1616 Environment=HOSTNAME=%H
1717
18 RuntimeDirectory=/var/run/radiusd
18 RuntimeDirectory=radiusd
1919 RuntimeDirectoryMode=0775
2020 ExecStartPre=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout
2121 ExecStartPre=/usr/bin/chown radiusd:radiusd /var/run/radiusd
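Review bot: RuntimeDirectory= expects a directory name relative to /run, not an absolute path, so the old value "/var/run/radiusd" on line 18 was never a valid setting and the new "radiusd" is correct. With RuntimeDirectory= in place, systemd already creates /run/radiusd owned by the unit's User= and Group=, so the chown in ExecStartPre on unchanged line 21 becomes redundant and can be dropped; and RuntimeDirectoryMode=0775 on line 19 leaves the directory group-writable, wider than the 0710 used by the new tmpfiles entry, so the two should be aligned.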
0 # What is FreeRADIUS?
1
2 The FreeRADIUS Server Project is a high performance and highly
3 configurable multi-protocol policy server, supporting RADIUS, DHCPv4
4 and VMPS. Using RADIUS allows authentication and authorization for a network
5 to be centralized, and minimizes the number of changes that have to
6 be done when adding or deleting new users to a network.
7
8 FreeRADIUS can authenticate users on systems such as 802.1x
9 (WiFi), dialup, PPPoE, VPN's, VoIP, and many others. It supports
10 back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft
11 Active Directory, Redis, OpenLDAP. It is used daily to
12 authenticate the Internet access for hundreds of millions of
13 people, in sites ranging from 10 to 10 million+ users.
14
15 > [wikipedia.org/wiki/FreeRADIUS](https://en.wikipedia.org/wiki/FreeRADIUS)
16
17
18 # How to use this image
19
20 ## Starting the server
21
22 ```console
23 $ docker run --name my-radius -d freeradius/freeradius-server
24 ```
25
26 The image contains only the default FreeRADIUS configuration which
27 has no users, and accepts test clients on 127.0.0.1. In order to
28 use it in production, you will need to add clients to the
29 `clients.conf` file, and users to the "users" file in
30 `mods-config/files/authorize`.
31
32
33 ## Defining the configuration
34
35 Create a local `Dockerfile` based on the required image and
36 COPY in the server configuration.
37
38 ```Dockerfile
39 FROM freeradius/freeradius-server:latest
40 COPY raddb/ /etc/raddb/
41 ```
42
43 The `raddb` directory could contain, for example:
44
45 ```
46 clients.conf
47 mods-config/
48 mods-config/files/
49 mods-config/files/authorize
50 ```
51
52 Where `clients.conf` contains a simple client definition
53
54 ```
55 client dockernet {
56 ipaddr = 172.17.0.0/16
57 secret = testing123
58 }
59 ```
60
61 and the `authorise` "users" file contains a test user:
62
63 ```
64 bob Cleartext-Password := "test"
65 ```
66
67
68 ## Forwarding ports
69
70 To forward external ports to the server, typically 1812/udp and/or
71 1813/udp, start the server with
72
73 ```console
74 $ docker run --name my-radius -p 1812-1813:1812-1813/udp freeradius/freeradius-server
75 ```
76
77
78 ## Testing the configuration
79
80 It should now be possible to test authentication against the
81 server from the host machine, using the `radtest` utility supplied
82 with FreeRADIUS and the credentials defined above:
83
84 ```console
85 $ radtest bob test 127.0.0.1 0 testing123
86 ```
87
88 which should return an "Access-Accept".
89
90
91 ## Running in debug mode
92
93 FreeRADIUS should always be tested in debug mode, using option
94 `-X`. Coloured debug output also requres `-t` be passed to docker.
95
96 ```console
97 $ docker run --name my-radius -t -d freeradius/freeradius-server -X
98 ```
99
100 Guidelines for how to read and interpret the debug output are on the
101 [FreeRADIUS Wiki](https://wiki.freeradius.org/radiusd-X).
102
103 ## Security notes
104
105 The configuration in the docker image comes with self-signed
106 certificates for convenience. These should not be used in a
107 production environment, but replaced with new certificates. See
108 the file `raddb/certs/README` for more information.
109
110 ## Debugging
111
112 By default if you try to use `gdb` in a Docker container, the
113 pattach call will fail, and you will not be able to trace
114 processes.
115
116 In order to allow tracing, the ``--privileged`` flag must be
117 passed to ``docker run``, this restores any Linux ``cap``
118 privileges that would not ordinarily be given.
119
120
121 # Image variants
122
123 ## `freeradius/freeradius-server:<version>`
124
125 The de facto image which should be used unless you know you need
126 another image. It is based on
127 [Ubuntu Linux](https://hub.docker.com/_/ubuntu/) Docker images.
128
129
130 ## `freeradius/freeradius-server:<version>-alpine`
131
132 Image based on the [Alpine Linux](https://hub.docker.com/_/alpine/)
133 Docker images, which are much smaller than most Linux
134 distributions. To keep the basic size as small as possible, this
135 image does not include libraries for all modules that have been
136 built (especially the languages such as Perl or Python). Therefore
137 these extra libraries will need to be installed with `apk add` in
138 your own Dockerfile if you intend on using modules that require
139 them.
140
141
142 # Building Docker images
143
144 The FreeRADIUS source contains Dockerfiles for several Linux
145 distributions. They are in
146 [`freeradius-server/scripts/docker/<os_name>`](https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x/scripts/docker).
147
148 Build an image with
149
150 ```bash
151 $ cd scripts/docker/<os_name>
152 $ docker build . -t freeradius-<os_name>
153 ```
154
155 This will download the OS base image, install/build any dependencies
156 as necessary, perform a shallow clone of the FreeRADIUS source and
157 build the server.
158
159 Once built, running ``docker images`` should show the image.
160
161 ```bash
162 $ docker images
163 REPOSITORY TAG IMAGE ID CREATED SIZE
164 freeradius-ubuntu16 latest 289b3c7aca94 4 minutes ago 218MB
165 freeradius-alpine latest d7fb3041bea2 2 hours ago 88.6MB
166 ```
167
168 ## Build args
169
170 Two ARGs are defined in the Dockerfiles that specify the source
171 repository and git tag that the release will be built from. These
172 are
173
174 - source: the git repository URL
175 - release: the git commit/tag
176
177 To build the image from a specific repository and git tag, set one
178 or both of these args:
179
180 ```console
181 $ docker build . --build-arg=release=v3.0.x --build-arg=source=https://github.com/FreeRADIUS/freeradius-server.git -t freeradius-<os_name>
182 ```
0 ARG from=alpine:latest
1 FROM ${from} as build
2
3 #
4 # Install build tools
5 #
6 RUN apk update
7 RUN apk add git gcc make
8
9 #
10 # Create build directory
11 #
12 RUN mkdir -p /usr/local/src/repositories
13 WORKDIR /usr/local/src/repositories
14
15 #
16 # Shallow clone the FreeRADIUS source
17 #
18 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
19 ARG release=v3.0.x
20
21 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
22 WORKDIR freeradius-server
23
24 #
25 # Install build dependencies
26 #
27 # essential
28 RUN apk add libc-dev talloc-dev
29 RUN apk add libressl libressl-dev
30 RUN apk add linux-headers
31 # general
32 RUN apk add pcre-dev libidn-dev krb5-dev samba-dev curl-dev json-c-dev
33 RUN apk add openldap-dev unbound-dev
34 # languages
35 RUN apk add ruby-dev perl-dev python2-dev
36 # databases
37 RUN apk add hiredis-dev libmemcached-dev gdbm-dev libcouchbase-dev
38 # sql
39 RUN apk add postgresql-dev mariadb-dev unixodbc-dev sqlite-dev
40
41 #
42 # Build the server
43 #
44 RUN ./configure --prefix=/opt
45 RUN make -j2
46 RUN make install
47 RUN rm /opt/lib/*.a
48
49 #
50 # Clean environment and run the server
51 #
52 FROM ${from}
53 COPY --from=build /opt /opt
54
55 #
56 # These are needed for the server to start
57 #
58 RUN apk update \
59 && apk add talloc libressl pcre libwbclient \
60 \
61 #
62 # Libraries that are needed dependent on which modules are used
63 # Some of these (especially the languages) are huge. A reasonable
64 # selection has been enabled here. If you use modules needing
65 # other dependencies then install any others required in your
66 # local Dockerfile.
67 #
68 && apk add libcurl json-c libldap hiredis sqlite-dev \
69 #RUN apk add libidn krb5
70 #RUN apk add unbound-libs
71 #RUN apk add ruby-libs perl python2
72 #RUN apk add libmemcached gdbm libcouchbase
73 #RUN apk add postgresql-dev mariadb-dev unixodbc-dev
74 \
75 && ln -s /opt/etc/raddb /etc/raddb
76
77 COPY docker-entrypoint.sh /
78
79 EXPOSE 1812/udp 1813/udp
80 ENTRYPOINT ["/docker-entrypoint.sh"]
81 CMD ["radiusd"]
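Review bot: the runtime stage installs `apk add libcurl json-c libldap hiredis sqlite-dev`, which drags a -dev package (headers, static bits) into the shipped image; `sqlite-libs` is the runtime library. Two more points for that stage: there is no `USER` instruction, so `radiusd` starts as root unless the shipped `radiusd.conf` security section drops to an unprivileged user, which should be confirmed or made explicit here; and `/opt/sbin:/opt/bin` is only put on PATH inside docker-entrypoint.sh, so `docker exec my-radius radtest ...` will not find the binaries. An `ENV PATH=/opt/sbin:/opt/bin:$PATH` in the Dockerfile serves both the entrypoint and exec sessions. Reproducibility: `FROM alpine:latest` and `ARG release=v3.0.x` both track moving targets, so two builds of this file can yield different binaries; pin `release` to a release tag and the base image to a digest, and fold the separate `apk update` layers into `apk add --no-cache` so a stale index layer cannot be reused.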
0 #!/bin/sh
1 set -e
2
3 PATH=/opt/sbin:/opt/bin:$PATH
4 export PATH
5
6 # this if will check if the first argument is a flag
7 # but only works if all arguments require a hyphenated flag
8 # -v; -SL; -f arg; etc will work, but not arg1 arg2
9 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
10 set -- radiusd "$@"
11 fi
12
13 # check for the expected command
14 if [ "$1" = 'radiusd' ]; then
15 shift
16 exec radiusd -f "$@"
17 fi
18
19 # debian people are likely to call "freeradius" as well, so allow that
20 if [ "$1" = 'freeradius' ]; then
21 shift
22 exec radiusd -f "$@"
23 fi
24
25 # else default to run whatever the user wanted like "bash" or "sh"
26 exec "$@"
0 ARG from=centos:centos7
1 FROM ${from} as build
2
3 #
4 # Install build tools
5 #
6 RUN yum groupinstall -y "Development Tools"
7 RUN yum install -y rpmdevtools
8 RUN yum install -y openssl
9
10 #
11 # Create build directory
12 #
13 RUN mkdir -p /usr/local/src/repositories
14 WORKDIR /usr/local/src/repositories
15
16 #
17 # Shallow clone the FreeRADIUS source
18 #
19 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
20 ARG release=v3.0.x
21
22 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
23 WORKDIR freeradius-server
24
25 #
26 # Other requirements
27 #
28
29 # Use LTB's openldap packages intead of the distribution version to avoid linking against NSS
30 RUN echo $'[ltb-project]\n\
31 name=LTB project packages\n\
32 baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\
33 enabled=1\n\
34 gpgcheck=1\n\
35 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\
36 > /etc/yum.repos.d/ltb-project.repo
37 RUN rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project
38
39 # EPEL repository for freetds and hiredis
40 RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
41
42 #
43 # Install build dependencies
44 #
45 RUN [ -e redhat/freeradius.spec ] && yum-builddep -y redhat/freeradius.spec
46
47 #
48 # Create RPM build environment
49 #
50 ENV BUILDDIR=/root/rpmbuild
51 RUN rpmdev-setuptree
52
53 RUN ./configure
54 RUN make freeradius-server-$(cat VERSION).tar.bz2
55 RUN cp freeradius-server-$(cat VERSION).tar.bz2 $BUILDDIR/SOURCES/
56 RUN cp -r redhat/* $BUILDDIR/SOURCES/
57 RUN cp -r redhat/freeradius.spec $BUILDDIR/SPECS/
58 WORKDIR $BUILDDIR
59
60 #
61 # Build the server
62 #
63 ENV QA_RPATHS=0x0003
64 RUN rpmbuild -bb --define '_release $release' "$BUILDDIR/SPECS/freeradius.spec"
65
66 RUN mkdir /root/rpms
67 RUN mv $BUILDDIR/RPMS/*/*.rpm /root/rpms/
68
69 #
70 # Clean environment and run the server
71 #
72 FROM ${from}
73 COPY --from=build /root/rpms /tmp/
74
75 # Use LTB's openldap packages intead of the distribution version to avoid linking against NSS
76 RUN echo $'[ltb-project]\n\
77 name=LTB project packages\n\
78 baseurl=https://ltb-project.org/rpm/$releasever/$basearch\n\
79 enabled=1\n\
80 gpgcheck=1\n\
81 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project'\
82 > /etc/yum.repos.d/ltb-project.repo \
83 && rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project \
84 \
85 # EPEL repository for freetds and hiredis
86 && yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
87 \
88 && yum install -y /tmp/*.rpm
89
90 COPY docker-entrypoint.sh /
91
92 EXPOSE 1812/udp 1813/udp
93 ENTRYPOINT ["/docker-entrypoint.sh"]
94 CMD ["radiusd"]
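Review bot: `rpmbuild -bb --define '_release $release'` is single-quoted, so the shell never expands `$release` and rpm receives the literal string `$release` as the `_release` macro; use double quotes, `--define "_release ${release}"`. Separately, the repo file declares `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project` but that file is never written; the key only enters the rpm database via `rpm --import https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project`, so the package signing key is trusted purely on a TLS download from the same host that serves the packages. Ship the key in the build context (or verify its fingerprint after import) and point `gpgkey` at a path that exists. `ENV QA_RPATHS=0x0003` silences rpmbuild's rpath checks rather than fixing them and deserves a comment, and the final stage leaves `/tmp/*.rpm` and the yum cache in the image where the Debian variants clean up.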
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- radiusd "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'radiusd' ]; then
12 shift
13 exec radiusd -f "$@"
14 fi
15
16 # debian people are likely to call "freeradius" as well, so allow that
17 if [ "$1" = 'freeradius' ]; then
18 shift
19 exec radiusd -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
0 ARG from=debian:jessie
1 FROM ${from} as build
2
3 ARG gccver=4.9
4
5 #
6 # Install build tools
7 #
8 RUN apt-get update
9 RUN apt-get install -y devscripts equivs git quilt g++-${gccver}
10
11 #
12 # Create build directory
13 #
14 RUN mkdir -p /usr/local/src/repositories
15 WORKDIR /usr/local/src/repositories
16
17 #
18 # Shallow clone the FreeRADIUS source
19 #
20 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
21 ARG release=v3.0.x
22
23 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
24 WORKDIR freeradius-server
25
26 #
27 # Install build dependencies
28 #
29 RUN git checkout ${release}; \
30 if [ -e ./debian/control.in ]; then \
31 debian/rules debian/control; \
32 fi; \
33 echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control
34
35 #
36 # Build the server
37 #
38 RUN make -j2 deb
39
40 #
41 # Clean environment and run the server
42 #
43 FROM ${from}
44 COPY --from=build /usr/local/src/repositories/*.deb /tmp/
45
46 RUN apt-get update \
47 && dpkg -i /tmp/*.deb || true \
48 && apt-get -y -f install \
49 && apt-get clean \
50 && rm -r /var/lib/apt/lists/* /tmp/*.deb \
51 \
52 && ln -s /etc/freeradius /etc/raddb
53
54 COPY docker-entrypoint.sh /
55
56 EXPOSE 1812/udp 1813/udp
57 ENTRYPOINT ["/docker-entrypoint.sh"]
58 CMD ["freeradius"]
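Review bot: in the runtime stage, `&& dpkg -i /tmp/*.deb || true \` does not isolate the dpkg failure it is meant to tolerate. `&&` and `||` have equal precedence and associate left to right, so `|| true` also swallows a failed `apt-get update`, and the build then relies on `apt-get -y -f install` to surface any problem with stale or missing package lists. Group the intent explicitly, `(dpkg -i /tmp/*.deb || true) && apt-get -y -f install`, so an update failure still aborts the build. Also, `ARG gccver=4.9` installs `g++-${gccver}` but nothing shown forces `make -j2 deb` to use it; either drop the explicit version or set `CC`/`CXX` so the argument has an effect.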
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- freeradius "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'freeradius' ]; then
12 shift
13 exec freeradius -f "$@"
14 fi
15
16 # many people are likely to call "radiusd" as well, so allow that
17 if [ "$1" = 'radiusd' ]; then
18 shift
19 exec freeradius -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
0 ARG from=debian:stretch
1 FROM ${from} as build
2
3 ARG gccver=6
4
5 #
6 # Install build tools
7 #
8 RUN apt-get update
9 RUN apt-get install -y devscripts equivs git quilt g++-${gccver}
10
11 #
12 # Create build directory
13 #
14 RUN mkdir -p /usr/local/src/repositories
15 WORKDIR /usr/local/src/repositories
16
17 #
18 # Shallow clone the FreeRADIUS source
19 #
20 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
21 ARG release=v3.0.x
22
23 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
24 WORKDIR freeradius-server
25
26 #
27 # Install build dependencies
28 #
29 RUN git checkout ${release}; \
30 if [ -e ./debian/control.in ]; then \
31 debian/rules debian/control; \
32 fi; \
33 echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control
34
35 #
36 # Build the server
37 #
38 RUN make -j2 deb
39
40 #
41 # Clean environment and run the server
42 #
43 FROM ${from}
44 COPY --from=build /usr/local/src/repositories/*.deb /tmp/
45
46 RUN apt-get update \
47 && apt-get install -y /tmp/*.deb \
48 && apt-get clean \
49 && rm -r /var/lib/apt/lists/* /tmp/*.deb \
50 \
51 && ln -s /etc/freeradius /etc/raddb
52
53 COPY docker-entrypoint.sh /
54
55 EXPOSE 1812/udp 1813/udp
56 ENTRYPOINT ["/docker-entrypoint.sh"]
57 CMD ["freeradius"]
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- freeradius "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'freeradius' ]; then
12 shift
13 exec freeradius -f "$@"
14 fi
15
16 # many people are likely to call "radiusd" as well, so allow that
17 if [ "$1" = 'radiusd' ]; then
18 shift
19 exec freeradius -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
0 ARG from=debian:sid
1 FROM ${from} as build
2
3 ARG gccver=7
4
5 #
6 # Install build tools
7 #
8 RUN apt-get update
9 RUN apt-get install -y devscripts equivs git quilt g++-${gccver}
10
11 #
12 # Create build directory
13 #
14 RUN mkdir -p /usr/local/src/repositories
15 WORKDIR /usr/local/src/repositories
16
17 #
18 # Shallow clone the FreeRADIUS source
19 #
20 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
21 ARG release=v3.0.x
22
23 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
24 WORKDIR freeradius-server
25
26 #
27 # Install build dependencies
28 #
29 RUN git checkout ${release}; \
30 if [ -e ./debian/control.in ]; then \
31 debian/rules debian/control; \
32 fi; \
33 echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control
34
35 #
36 # Build the server
37 #
38 RUN make -j2 deb
39
40 #
41 # Clean environment and run the server
42 #
43 FROM ${from}
44 COPY --from=build /usr/local/src/repositories/*.deb /tmp/
45
46 RUN apt-get update \
47 && apt-get install -y /tmp/*.deb \
48 && apt-get clean \
49 && rm -r /var/lib/apt/lists/* /tmp/*.deb \
50 \
51 && ln -s /etc/freeradius /etc/raddb
52
53 COPY docker-entrypoint.sh /
54
55 EXPOSE 1812/udp 1813/udp
56 ENTRYPOINT ["/docker-entrypoint.sh"]
57 CMD ["freeradius"]
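Review bot: `FROM debian:sid` with `ARG gccver=7` hard-codes a compiler version against a rolling distribution; the image stops building the day sid drops `g++-7`, and no two builds of it are reproducible. Either pin the base by digest alongside the compiler version or install the unversioned `g++` and let the distribution choose.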
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- freeradius "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'freeradius' ]; then
12 shift
13 exec freeradius -f "$@"
14 fi
15
16 # many people are likely to call "radiusd" as well, so allow that
17 if [ "$1" = 'radiusd' ]; then
18 shift
19 exec freeradius -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
0 ARG from=ubuntu:14.04
1 FROM ${from} as build
2
3 #
4 # Install build tools
5 #
6 RUN apt-get update
7 RUN apt-get install -y devscripts equivs git quilt gcc
8
9 #
10 # Create build directory
11 #
12 RUN mkdir -p /usr/local/src/repositories
13 WORKDIR /usr/local/src/repositories
14
15 #
16 # Shallow clone the FreeRADIUS source
17 #
18 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
19 ARG release=v3.0.x
20
21 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
22 WORKDIR freeradius-server
23
24 #
25 # Install build dependencies
26 #
27 RUN git checkout ${release}; \
28 if [ -e ./debian/control.in ]; then \
29 debian/rules debian/control; \
30 fi; \
31 echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control
32
33 #
34 # Build the server
35 #
36 RUN make -j2 deb
37
38 #
39 # Clean environment and run the server
40 #
41 FROM ${from}
42 COPY --from=build /usr/local/src/repositories/*.deb /tmp/
43
44 RUN apt-get update \
45 && dpkg -i /tmp/*.deb || true \
46 && apt-get -y -f install \
47 && apt-get clean \
48 && rm -r /var/lib/apt/lists/* /tmp/*.deb \
49 \
50 && ln -s /etc/freeradius /etc/raddb
51
52 COPY docker-entrypoint.sh /
53
54 EXPOSE 1812/udp 1813/udp
55 ENTRYPOINT ["/docker-entrypoint.sh"]
56 CMD ["freeradius"]
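Review bot: `&& dpkg -i /tmp/*.deb || true \` has the same precedence problem as the jessie variant: `||` binds as tightly as `&&`, so `|| true` also masks a failed `apt-get update`, leaving `apt-get -y -f install` as the only thing that can fail the build. Wrap it as `(dpkg -i /tmp/*.deb || true)` to tolerate only the expected unmet-dependency exit from dpkg.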
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- freeradius "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'freeradius' ]; then
12 shift
13 exec freeradius -f "$@"
14 fi
15
16 # many people are likely to call "radiusd" as well, so allow that
17 if [ "$1" = 'radiusd' ]; then
18 shift
19 exec freeradius -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
0 ARG from=ubuntu:16.04
1 FROM ${from} as build
2
3 #
4 # Install build tools
5 #
6 RUN apt-get update
7 RUN apt-get install -y devscripts equivs git quilt gcc
8
9 #
10 # Create build directory
11 #
12 RUN mkdir -p /usr/local/src/repositories
13 WORKDIR /usr/local/src/repositories
14
15 #
16 # Shallow clone the FreeRADIUS source
17 #
18 ARG source=https://github.com/FreeRADIUS/freeradius-server.git
19 ARG release=v3.0.x
20
21 RUN git clone --depth 1 --single-branch --branch ${release} ${source}
22 WORKDIR freeradius-server
23
24 #
25 # Install build dependencies
26 #
27 RUN git checkout ${release}; \
28 if [ -e ./debian/control.in ]; then \
29 debian/rules debian/control; \
30 fi; \
31 echo 'y' | mk-build-deps -irt'apt-get -yV' debian/control
32
33 #
34 # Build the server
35 #
36 RUN make -j2 deb
37
38 #
39 # Clean environment and run the server
40 #
41 FROM ${from}
42 COPY --from=build /usr/local/src/repositories/*.deb /tmp/
43
44 RUN apt-get update \
45 && apt-get install -y /tmp/*.deb \
46 && apt-get clean \
47 && rm -r /var/lib/apt/lists/* /tmp/*.deb \
48 \
49 && ln -s /etc/freeradius /etc/raddb
50
51 COPY docker-entrypoint.sh /
52
53 EXPOSE 1812/udp 1813/udp
54 ENTRYPOINT ["/docker-entrypoint.sh"]
55 CMD ["freeradius"]
0 #!/bin/sh
1 set -e
2
3 # this if will check if the first argument is a flag
4 # but only works if all arguments require a hyphenated flag
5 # -v; -SL; -f arg; etc will work, but not arg1 arg2
6 if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
7 set -- freeradius "$@"
8 fi
9
10 # check for the expected command
11 if [ "$1" = 'freeradius' ]; then
12 shift
13 exec freeradius -f "$@"
14 fi
15
16 # many people are likely to call "radiusd" as well, so allow that
17 if [ "$1" = 'radiusd' ]; then
18 shift
19 exec freeradius -f "$@"
20 fi
21
22 # else default to run whatever the user wanted like "bash" or "sh"
23 exec "$@"
221221 $INCLUDE dictionary.microsemi
222222 $INCLUDE dictionary.microsoft
223223 $INCLUDE dictionary.mikrotik
224 $INCLUDE dictionary.mimosa
224225 $INCLUDE dictionary.motorola
225226 $INCLUDE dictionary.motorola.wimax
226227 $INCLUDE dictionary.navini
261262 $INCLUDE dictionary.shiva
262263 $INCLUDE dictionary.siemens
263264 $INCLUDE dictionary.slipstream
265 $INCLUDE dictionary.sofaware
266 $INCLUDE dictionary.softbank
264267 $INCLUDE dictionary.sonicwall
265268 $INCLUDE dictionary.springtide
266269 $INCLUDE dictionary.starent
3030 ATTRIBUTE BELRAS-TORRENT-Speed 21 integer
3131 ATTRIBUTE BELRAS-BELCACHE-Speed 22 integer
3232 ATTRIBUTE BELRAS-DHCP-Lease-Time 23 integer
33 ATTRIBUTE BELRAS-Group 24 integer
34 ATTRIBUTE BELRAS-LIMIT 25 string
35 ATTRIBUTE BELRAS-Auth 26 string
36 ATTRIBUTE BELRAS-Acct 27 string
37 ATTRIBUTE BELRAS-Framed-IP-Address 28 string
38 ATTRIBUTE BELRAS-BL 29 string
39 ATTRIBUTE BELRAS-IN 30 string
40 ATTRIBUTE BELRAS-CO 31 string
3341
3442 VALUE BELRAS-redirect-Pool Deleted 1
3543 VALUE BELRAS-redirect-Pool Disabled 2
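Review bot: `BELRAS-Framed-IP-Address 28 string` declares an attribute whose name says IP address with type `string`; if the device sends a dotted quad, `ipaddr` lets the server validate it and lets policies compare it as an address rather than as text. `BELRAS-LIMIT`, `BELRAS-BL`, `BELRAS-IN` and `BELRAS-CO` give no hint of their contents and break the capitalisation of the surrounding entries (`BELRAS-DHCP-Lease-Time`); confirm names and types against the vendor's dictionary and add a comment for the abbreviations.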
1313 # have been given new names on JUNOS:
1414 # http://www.juniper.net/techpubs/software/junos/junos112/radius-dictionary/unisphereDictionary_for_JUNOS_v11-2.dct
1515 # http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/general/aaa-subscriber-access-radius-vsa.html
16 #
17 # Juniper now publishes a single 'current' document for the latest OS with all supported VSAs here:
18 # https://www.juniper.net/documentation/en_US/junos/topics/reference/general/aaa-subscriber-access-radius-vsa.html
1619 #
1720 # In this file, we keep the ERX prefix and the JUNOSe attribute names
1821 # for backwards compatibility
221224 ATTRIBUTE ERX-Rx-Connect-Speed 163 integer
222225
223226 # ATTRIBUTE 164 - 173 RESERVED
227 ATTRIBUTE ERX-Service-Activate-Type 173 integer
224228 ATTRIBUTE ERX-Client-Profile-Name 174 string
225229 ATTRIBUTE ERX-Redirect-GW-Address 175 ipaddr
226230 ATTRIBUTE ERX-APN-Name 176 string
231
232 ATTRIBUTE ERX-Service-Volume-Gigawords 179 integer
233 ATTRIBUTE ERX-Update-Service 180 string
234 ATTRIBUTE ERX-DHCPv6-Guided-Relay-Server 181 ipv6addr
235 ATTRIBUTE ERX-Acc-Loop-Remote-Id 182 string
236 ATTRIBUTE ERX-Acc-Loop-Encap 183 octets
237 ATTRIBUTE ERX-Inner-Vlan-Map-Id 184 integer
238 ATTRIBUTE ERX-Core-Facing-Interface 185 string
239 ATTRIBUTE ERX-DHCP-First-Relay-IPv4-Address 189 ipaddr
240 ATTRIBUTE ERX-DHCP-First-Relay-IPv6-Address 190 ipv6addr
241 ATTRIBUTE ERX-Input-Interface-Filter 191 string
242 ATTRIBUTE ERX-Output-Interface-Filter 192 string
243 ATTRIBUTE ERX-Pim-Enable 193 integer
244 ATTRIBUTE ERX-Bulk-CoA-Transaction-Id 194 integer
245 ATTRIBUTE ERX-Bulk-CoA-Identifier 195 integer
246 ATTRIBUTE ERX-IPv4-Input-Service-Set 196 string
247 ATTRIBUTE ERX-IPv4-Output-Service-Set 197 string
248 ATTRIBUTE ERX-IPv4-Input-Service-Filter 198 string
249 ATTRIBUTE ERX-IPv4-Output-Service-Filter 199 string
250 ATTRIBUTE ERX-IPv6-Input-Service-Set 200 string
251 ATTRIBUTE ERX-IPv6-Output-Service-Set 201 string
252 ATTRIBUTE ERX-IPv6-Input-Service-Filter 202 string
253 ATTRIBUTE ERX-IPv6-Output-Service-Filter 203 string
254 ATTRIBUTE ERX-Adv-Pcef-Profile-Name 204 string
255 ATTRIBUTE ERX-Adv-Pcef-Rule-Name 205 string
256 ATTRIBUTE ERX-Re-Authentication-Catalyst 206 integer
257 ATTRIBUTE ERX-DHCPv6-Options 207 octets
258 ATTRIBUTE ERX-DHCP-Header 208 octets
259 ATTRIBUTE ERX-DHCPv6-Header 209 octets
260 ATTRIBUTE ERX-Acct-Request-Reason 210 octets
227261
228262 #
229263 # Values Attribute Name Number
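Review bot: the comment `# ATTRIBUTE 164 - 173 RESERVED` is now wrong, because `ERX-Service-Activate-Type 173 integer` is defined on the very next line; change it to `164 - 172`. The new block also jumps over 177, 178 and 186 to 188 without a RESERVED comment, so the gaps should be marked the same way. `ERX-Acct-Request-Reason 210 octets` is typed `octets` yet is given named VALUEs later in the file whose numbers are all powers of two; if the vendor sends a 32-bit bit-mask this should be `integer`, the type for which VALUE names are meaningful, so please confirm against the Juniper document linked above.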
338372 VALUE ERX-PPP-Monitor-Ingress-Only disabled 0
339373 VALUE ERX-PPP-Monitor-Ingress-Only enabled 1
340374
375 VALUE ERX-Service-Activate-Type dynamic 1
376 VALUE ERX-Service-Activate-Type opscript 1
377
378 VALUE ERX-Pim-Enable disabled 0
379 VALUE ERX-Pim-Enable enabled 1
380
381 VALUE ERX-Re-Authentication-Catalyst disabled 0
382 VALUE ERX-Re-Authentication-Catalyst client-renew 1
383
384 VALUE ERX-Acct-Request-Reason Acct-Start-Ack 1
385 VALUE ERX-Acct-Request-Reason Periodic 2
386 VALUE ERX-Acct-Request-Reason IP-Active 4
387 VALUE ERX-Acct-Request-Reason IP-Inactive 8
388 VALUE ERX-Acct-Request-Reason IPv6-Active 16
389 VALUE ERX-Acct-Request-Reason IPv6-Inactive 32
390 VALUE ERX-Acct-Request-Reason Session-Active 64
391 VALUE ERX-Acct-Request-Reason Session-Inactive 128
392 VALUE ERX-Acct-Request-Reason Line-Speed-Change 256
393 VALUE ERX-Acct-Request-Reason Address-Assignment-Change 512
394 VALUE ERX-Acct-Request-Reason CoA-Complete 1024
395
341396 END-VENDOR ERX
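Review bot: `VALUE ERX-Service-Activate-Type dynamic 1` and `VALUE ERX-Service-Activate-Type opscript 1` map two names to the same number, so one of them can never be produced when a received value is printed and is effectively dead; one of the two numbers is most likely a typo and should be checked against the vendor's VSA list before merging. The `ERX-Acct-Request-Reason` values are powers of two, i.e. a bit-mask, so a received value combining reasons (for example `Periodic` plus `IP-Active`, 6) matches none of these names; a comment saying the field is a mask would stop people treating the list as exhaustive.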
532532 ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Dns 1931 string
533533 ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Upn 1932 string
534534 ATTRIBUTE TLS-PSK-Identity 1933 string
535
536 # 1934 - 1939: reserved for future cert attributes
535 ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string
536
537 # 1937 - 1939: reserved for future cert attributes
537538
538539 # 1940 - 1949: reserved for TLS session caching, mostly in 3.1
539540
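Review bot: the reserved range shrinks from `1934 - 1939` to `1937 - 1939` while only 1936 is allocated, so 1934 and 1935 now appear in neither an ATTRIBUTE line nor a reservation comment. If they are intentionally skipped, say so, or keep `1934 - 1935` reserved, so the next contributor does not reuse them for something unrelated to certificate attributes.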
0 # -*- text -*-
1 # Copyright (C) 2018 The FreeRADIUS Server project and contributors
2
3 VENDOR Mimosa 43356
4
5 BEGIN-VENDOR Mimosa
6
7 ATTRIBUTE Mimosa-Device-Configuration-Parameter 1 string
8 ATTRIBUTE Mimosa-FirmwareVersion-Parameter 2 string
9 ATTRIBUTE Mimosa-FirmwareLocation-Parameter 3 string
10 ATTRIBUTE Mimosa-WirelessProtocol-Parameter 4 string
11 ATTRIBUTE Mimosa-ManagementIPAddressMode-Parameter 5 string
12 ATTRIBUTE Mimosa-ManagementIPAddress-Parameter 6 ipaddr
13 ATTRIBUTE Mimosa-ManagementIPNetmask-Parameter 7 ipaddr
14 ATTRIBUTE Mimosa-ManagementIPGateway-Parameter 8 ipaddr
15 ATTRIBUTE Mimosa-ManagementVlanStatus-Parameter 9 byte
16 ATTRIBUTE Mimosa-ManagementVlan-Parameter 10 string
17 ATTRIBUTE Mimosa-ManagementPassword-Parameter 11 string
18 ATTRIBUTE Mimosa-DeviceName-Parameter 12 string
19 ATTRIBUTE Mimosa-TrafficShapingPeak-Parameter 13 string
20 ATTRIBUTE Mimosa-TrafficShapingCommitted-Parameter 14 string
21 ATTRIBUTE Mimosa-EthernetPortSpeed-Parameter 15 string
22 ATTRIBUTE Mimosa-DNS1-Parameter 16 ipaddr
23 ATTRIBUTE Mimosa-DNS2-Parameter 17 ipaddr
24 ATTRIBUTE Mimosa-HTTPPort-Parameter 18 integer
25 ATTRIBUTE Mimosa-EnableHTTPS-Parameter 19 byte
26 ATTRIBUTE Mimosa-HTTPSPort-Parameter 20 integer
27 ATTRIBUTE Mimosa-CloudManagement-Parameter 21 byte
28 ATTRIBUTE Mimosa-EnableSNMP-Parameter 22 byte
29 ATTRIBUTE Mimosa-SNMPCommunityString-Parameter 23 string
30 ATTRIBUTE Mimosa-SNMPTrapServer-Parameter 24 ipaddr
31 ATTRIBUTE Mimosa-NTPServerAddress-Parameter 25 string
32 ATTRIBUTE Mimosa-EnableSyslog-Parameter 26 byte
33 ATTRIBUTE Mimosa-SyslogServerAddress-Parameter 27 ipaddr
34 ATTRIBUTE Mimosa-SyslogPort-Parameter 28 integer
35 ATTRIBUTE Mimosa-SyslogProtocol-Parameter 29 string
36
37 END-VENDOR Mimosa
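Review bot: `Mimosa-ManagementPassword-Parameter 11 string` and `Mimosa-SNMPCommunityString-Parameter 23 string` carry device credentials, and as plain `string` VSAs they travel in cleartext inside the RADIUS packet: RADIUS only obfuscates attributes flagged `encrypt=` (the User-Password and Tunnel-Password schemes), and the dictionary must not add that flag unless the vendor actually encodes them that way. A comment in this file warning that these attributes need RADIUS/TLS or IPsec between server and device would stop deployments pushing management passwords over UDP in the clear. Style: the names are inconsistently hyphenated (`Device-Configuration-Parameter` against `FirmwareVersion-Parameter` and `ManagementIPAddressMode-Parameter`) and the `-Parameter` suffix on every entry adds nothing; if the names are verbatim from the vendor dictionary keep them for interoperability, otherwise normalise them.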
1515 # DHCP options.
1616 #
1717 ATTRIBUTE ADSL-Forum-DHCP-Vendor-Specific 0 tlv
18 ATTRIBUTE ADSL-Forum-Device-Manufacturer-OUI 0.1 octets
19 ATTRIBUTE ADSL-Forum-Device-Serial-Number 0.2 string
20 ATTRIBUTE ADSL-Forum-Device-Product-Class 0.3 string
21 ATTRIBUTE ADSL-Forum-Gateway-Manufacturer-OUI 0.4 octets
1822
1923 #
2024 # The first two attributes are prefixed with "ADSL-" because of
0 # -*- text -*-
1 # Copyright (C) 2018 The FreeRADIUS Server project and contributors
2 ##############################################################################
3 #
4 # Softbank VSAs
5 #
6 # $Id$
7 #
8 ##############################################################################
9
10 VENDOR SoftBank 22197
11
12 BEGIN-VENDOR SoftBank
13
14 ATTRIBUTE SoftBank-BB-Unit-MAC 1 string
15 ATTRIBUTE SoftBank-BB-Unit-Manufacturer 2 string
16 ATTRIBUTE SoftBank-BB-Unit-Model 3 string
17 ATTRIBUTE SoftBank-BB-Unit-HW-Revision 4 string
18
19 ATTRIBUTE SoftBank-TFTP-Config-Server 185 ipaddr
20 ATTRIBUTE SoftBank-TFTP-Config-File 186 string
21 ATTRIBUTE SoftBank-DNS-IPv6-Primary 198 ipv6addr
22 ATTRIBUTE SoftBank-DNS-IPv6-Secondary 199 ipv6addr
23 ATTRIBUTE SoftBank-Syslog-Server 201 ipv6addr
24 ATTRIBUTE SoftBank-SNTP-Server 203 ipv6addr
25 ATTRIBUTE SoftBank-IPv4-Tunnel-Local-Address 204 ipaddr
26 ATTRIBUTE SoftBank-IPv4-Tunnel-Endpoint 207 ipv6addr
27 ATTRIBUTE SoftBank-RouteInfo-Server 215 string
28
29 END-VENDOR SoftBank
1010 VENDOR ZTE 3902
1111 BEGIN-VENDOR ZTE
1212
13 ATTRIBUTE ZTE-Client-DNS-Pri 1 integer
14 ATTRIBUTE ZTE-Client-DNS-Sec 2 integer
13 ATTRIBUTE ZTE-Client-DNS-Pri 1 string
14 ATTRIBUTE ZTE-Client-DNS-Sec 2 string
1515 ATTRIBUTE ZTE-Context-Name 4 string
1616 ATTRIBUTE ZTE-Tunnel-Max-Sessions 21 integer
1717 ATTRIBUTE ZTE-Tunnel-Max-Tunnels 22 integer
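Review bot: changing `ZTE-Client-DNS-Pri` and `ZTE-Client-DNS-Sec` from `integer` to `string` alters how attributes 1 and 2 of vendor 3902 are encoded and decoded, and will break any existing `users`, unlang or SQL reply configuration that assigns them a number. This needs a ChangeLog entry and a pointer to the vendor document that establishes the new type; and if the device expects a dotted-quad DNS address, `ipaddr` is probably the right type rather than `string`.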
6666 $blank = 0;
6767
6868 s/\s*$/\n/;
69
70 #
71 # Suppress leading whitespace, so long as it's
72 # not followed by a comment..
73 #
74 s/^\s*([^#])/$1/;
6975
7076 #
7177 # Remember the vendor
192192 void home_server_update_request(home_server_t *home, REQUEST *request);
193193 home_server_t *home_server_ldb(char const *realmname, home_pool_t *pool, REQUEST *request);
194194 home_server_t *home_server_find(fr_ipaddr_t *ipaddr, uint16_t port, int proto);
195 home_server_t *home_server_find_bysrc(fr_ipaddr_t *ipaddr, uint16_t port, int proto, fr_ipaddr_t *src_ipaddr);
195196 home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SECTION *cs);
196197 CONF_SECTION *home_server_cs_afrom_client(CONF_SECTION *client);
197198 #ifdef WITH_COA
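Review bot: `home_server_find_bysrc()` is added beside `home_server_find()` with no comment on how it differs: whether `src_ipaddr` may be NULL, whether a NULL falls back to the `home_server_find()` behaviour, and whether a match requires the source address in addition to the destination tuple. A one-line doc comment in the header, where callers look, stops the two from being used interchangeably.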
120120 char const *name;
121121 VALUE_PAIR *check;
122122 VALUE_PAIR *reply;
123 int order; /* for ordering! */
123124 int lineno;
124125 struct pair_list *next;
125126 } PAIR_LIST;
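Review bot: `int order; /* for ordering! */` says nothing about what the field orders or who assigns it, and `lineno` directly below already records the entry's position in the file, so the two are bound to be confused. Replace the comment with the actual semantics (for example, the entry's index in the original list so that entries can be re-sorted stably after a hash lookup) and note where it is set.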
4242 void *ctx;
4343 } fr_event_fd_t;
4444
45 #define FR_EV_MAX_FDS (256)
45 #define FR_EV_MAX_FDS (512)
4646
4747 #undef USEC
4848 #define USEC (1000000)
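Review bot: `FR_EV_MAX_FDS` goes from 256 to 512 with no comment on what hit the old limit or what happens when the new one is reached. A fixed-size table of event fds is a hard ceiling on sockets and home servers per event loop; document the failure mode when the table is full (whether insertion fails and whether callers check that) and why 512 is sufficient, or make the size configurable instead of bumping the constant.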
179179
180180 ret = fr_thread_local_set(fr_strerror_buffer, buffer);
181181 if (ret != 0) {
182 fr_perror("Failed setting up TLS for libradius error buffer: %s", fr_syserror(ret));
182 fr_perror("Failed setting up thread-local storage for libradius error buffer: %s", fr_syserror(ret));
183183 free(buffer);
184184 return;
185185 }
262262
263263 ret = fr_thread_local_set(fr_syserror_buffer, buffer);
264264 if (ret != 0) {
265 fr_perror("Failed setting up TLS for system error buffer: %s", fr_syserror(ret));
265 fr_perror("Failed setting up thread-local storage for system error buffer");
266266 free(buffer);
267267 return NULL;
268268 }
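Review bot: this message drops the `%s` and `fr_syserror(ret)` argument that the libradius error buffer message above keeps, so the error code is lost. If that is deliberate because this code is the system-error buffer setup itself and calling `fr_syserror()` here would recurse into the buffer that just failed to initialise, say so in a comment; otherwise the reader assumes an accidental regression. Logging the raw `ret` with `%d` keeps the information without the recursion.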
519519 int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool resolve)
520520 {
521521 size_t len, i;
522 bool hostname = true;
523 bool ipv4 = true;
524 bool ipv6 = true;
522525
523526 len = (inlen >= 0) ? (size_t)inlen : strlen(value);
524 for (i = 0; i < len; i++) switch (value[i]) {
525 /*
526 * ':' is illegal in domain names and IPv4 addresses.
527 * Must be v6 and cannot be a domain.
528 */
529 case ':':
530 return fr_pton6(out, value, inlen, false, false);
531
532 /*
533 * Chars which don't really tell us anything
534 */
535 case '.':
536 case '/':
537 continue;
527
528 for (i = 0; i < len; i++) {
529 /*
530 * These are valid for IPv4, IPv6, and host names.
531 */
532 if ((value[i] >= '0') && (value[i] <= '9')) {
533 continue;
534 }
535
536 /*
537 * These are invalid for IPv4, but OK for IPv6
538 * and host names.
539 */
540 if ((value[i] >= 'a') && (value[i] <= 'f')) {
541 ipv4 = false;
542 continue;
543 }
544
545 /*
546 * These are invalid for IPv4, but OK for IPv6
547 * and host names.
548 */
549 if ((value[i] >= 'A') && (value[i] <= 'F')) {
550 ipv4 = false;
551 continue;
552 }
553
554 /*
555 * This is only valid for IPv6 addresses.
556 */
557 if (value[i] == ':') {
558 ipv4 = false;
559 hostname = false;
560 continue;
561 }
562
563 /*
564 * Valid for IPv4 and host names, not for IPv6.
565 */
566 if (value[i] == '.') {
567 ipv6 = false;
568 continue;
569 }
570
571 /*
572 * Netmasks are allowed by us, and MUST come at
573 * the end of the address.
574 */
575 if (value[i] == '/') {
576 break;
577 }
578
579 /*
580 * Any characters other than what are checked for
581 * above can't be IPv4 or IPv6 addresses.
582 */
583 ipv4 = false;
584 ipv6 = false;
585 }
586
587 /*
588 * It's not an IPv4 or IPv6 address. It MUST be a host
589 * name.
590 */
591 if (!ipv4 && !ipv6) {
592 /*
593 * Not an IPv4 or IPv6 address, and we weren't
594 * asked to do DNS resolution, we can't do it.
595 */
596 if (!resolve) {
597 fr_strerror_printf("Not IPv4/6 address, and asked not to resolve");
598 return -1;
599 }
600
601 /*
602 * It's not a hostname, either, so bail out
603 * early.
604 */
605 if (!hostname) {
606 fr_strerror_printf("Invalid address");
607 return -1;
608 }
609
610 /*
611 * Fall through to resolving the address, using
612 * whatever address family they prefer. If they
613 * don't specify an address family, force IPv4.
614 */
615 if (af == AF_UNSPEC) af = AF_INET;
616 }
617
618 /*
619 * The name has a ':' in it. Therefore it must be an
620 * IPv6 address. Error out if the caller specified IPv4.
621 * Otherwise, force IPv6.
622 */
623 if (ipv6 && !hostname) {
624 if (af == AF_INET) {
625 fr_strerror_printf("Invalid address");
626 return -1;
627 }
628
629 af = AF_INET6;
630 }
631
632 /*
633 * Use whatever the caller specified, OR what we
634 * insinuated above from looking at the name string.
635 */
636 switch (af) {
637 case AF_UNSPEC:
638 return fr_pton4(out, value, inlen, resolve, true);
639
640 case AF_INET:
641 return fr_pton4(out, value, inlen, resolve, false);
642
643 case AF_INET6:
644 return fr_pton6(out, value, inlen, resolve, false);
538645
539646 default:
540 /*
541 * Outside the range of IPv4 chars, must be a domain
542 * Use A record in preference to AAAA record.
543 */
544 if ((value[i] < '0') || (value[i] > '9')) {
545 if (!resolve) {
546 fr_strerror_printf("Not IPv4/6 address, and asked not to resolve");
547 return -1;
548 }
549 switch (af) {
550 case AF_UNSPEC:
551 return fr_pton4(out, value, inlen, resolve, true);
552
553 case AF_INET:
554 return fr_pton4(out, value, inlen, resolve, false);
555
556 case AF_INET6:
557 return fr_pton6(out, value, inlen, resolve, false);
558
559 default:
560 fr_strerror_printf("Invalid address family %i", af);
561 return -1;
562 }
563 }
564647 break;
565648 }
566649
567 /*
568 * All chars were in the IPv4 set [0-9/.], must be an IPv4
569 * address.
570 */
571 return fr_pton4(out, value, inlen, false, false);
650 /*
651 * No idea what it is...
652 */
653 fr_strerror_printf("Invalid address family %i", af);
654 return -1;
572655 }
573656
574657 /** Parses IPv4/6 address + port, to fr_ipaddr_t and integer
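Review bot: the new pre-classification loop rejects every string that contains both ':' and '.', because ':' clears `ipv4` and `hostname` while '.' clears `ipv6`, leaving all three flags false; the string is then refused with "Invalid address" (or "Not IPv4/6 address, and asked not to resolve" when resolve is off) before `fr_pton6()` ever sees it. That means IPv4-mapped and IPv4-compatible IPv6 literals such as `::ffff:192.0.2.4`, which the old code passed straight to `fr_pton6()`, can no longer be parsed. A minimal fix is to only let '.' clear `ipv6` while no ':' has been seen, e.g. `if (value[i] == '.') { if (hostname) ipv6 = false; continue; }`, and to add a test case for the embedded-IPv4 form. The "asked not to resolve" message is also misleading for a malformed literal when `resolve` is false; the `!hostname` check could be moved ahead of the `!resolve` check so the caller gets "Invalid address" instead.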
924924 #ifdef WITH_TCP
925925 if (pl->sockets[start].proto == IPPROTO_TCP) {
926926 packet = fr_tcp_recv(pl->sockets[start].sockfd, 0);
927
928 /*
929 * We always know src/dst ip/port for TCP
930 * sockets. So just fill them in. Since
931 * we read the packet from the TCP
932 * socket, we invert src/dst.
933 */
934 packet->dst_ipaddr = pl->sockets[start].src_ipaddr;
935 packet->dst_port = pl->sockets[start].src_port;
936 packet->src_ipaddr = pl->sockets[start].dst_ipaddr;
937 packet->src_port = pl->sockets[start].dst_port;
938
927939 } else
928940 #endif
941
942 /*
943 * Rely on rad_recv() to fill in the required
944 * fields.
945 */
929946 packet = rad_recv(NULL, pl->sockets[start].sockfd, 0);
930947 if (!packet) continue;
931948
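Review bot: `packet` is dereferenced immediately after `fr_tcp_recv()` returns, in the four assignments starting with `packet->dst_ipaddr = pl->sockets[start].src_ipaddr;`, but the only NULL check is the pre-existing `if (!packet) continue;` that comes after the `#endif`. A peer that closes the TCP connection, or any read error, makes `fr_tcp_recv()` return NULL and this code crashes. Move the check into the TCP branch, directly after the `fr_tcp_recv()` call, so the src/dst fill-in only runs on a real packet.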
404404 pkt = (struct in_pktinfo *) CMSG_DATA(cmsg);
405405 memset(pkt, 0, sizeof(*pkt));
406406 pkt->ipi_spec_dst = s4->sin_addr;
407 # endif
408
409 # ifdef IP_SENDSRCADDR
407
408 # elif defined(IP_SENDSRCADDR)
410409 struct cmsghdr *cmsg;
411410 struct in_addr *in;
412411
971971 /** Performs byte order reversal for types that need it
972972 *
973973 */
974 static void value_data_hton(value_data_t *dst, PW_TYPE type, void const *src, size_t src_len)
974 static ssize_t value_data_hton(value_data_t *dst, PW_TYPE dst_type, void const *src, size_t src_len)
975975 {
976 size_t dst_len;
977 uint8_t *dst_ptr;
978
976979 /* 8 byte integers */
977 switch (type) {
980 switch (dst_type) {
978981 case PW_TYPE_INTEGER64:
982 dst_len = sizeof(dst->integer64);
983
984 if (src_len < dst_len) return -1;
985
979986 dst->integer64 = htonll(*(uint64_t const *)src);
980987 break;
981988
983990 case PW_TYPE_INTEGER:
984991 case PW_TYPE_DATE:
985992 case PW_TYPE_SIGNED:
993 dst_len = sizeof(dst->integer);
994
995 if (src_len < dst_len) return -1;
996
986997 dst->integer = htonl(*(uint32_t const *)src);
987998 break;
988999
9891000 /* 2 byte integers */
9901001 case PW_TYPE_SHORT:
1002 dst_len = sizeof(dst->ushort);
1003
1004 if (src_len < dst_len) return -1;
1005
9911006 dst->ushort = htons(*(uint16_t const *)src);
9921007 break;
9931008
994 case PW_TYPE_OCTETS:
995 case PW_TYPE_STRING:
996 fr_assert(0);
997 return; /* shouldn't happen */
1009 /* 1 byte integer */
1010 case PW_TYPE_BYTE:
1011 dst_len = sizeof(dst->byte);
1012
1013 if (src_len < dst_len) return -1;
1014
1015 dst->byte = *(uint8_t const *)src;
1016 break;
1017
1018 case PW_TYPE_IPV4_ADDR:
1019 dst_len = 4;
1020 dst_ptr = (uint8_t *) &dst->ipaddr.s_addr;
1021
1022 copy:
1023 /*
1024 * Not enough information, die.
1025 */
1026 if (src_len < dst_len) return -1;
1027
1028 /*
1029 * Copy only as much as we need from the source.
1030 */
1031 memcpy(dst_ptr, src, dst_len);
1032 break;
1033
1034 case PW_TYPE_ABINARY:
1035 dst_len = sizeof(dst->filter);
1036 dst_ptr = (uint8_t *) dst->filter;
1037
1038 /*
1039 * Too little data is OK here.
1040 */
1041 if (src_len < dst_len) {
1042 memcpy(dst_ptr, src, src_len);
1043 memset(dst_ptr + src_len, 0, dst_len - src_len);
1044 break;
1045 }
1046 goto copy;
1047
1048 case PW_TYPE_IFID:
1049 dst_len = sizeof(dst->ifid);
1050 dst_ptr = (uint8_t *) dst->ifid;
1051 goto copy;
1052
1053 case PW_TYPE_IPV6_ADDR:
1054 dst_len = sizeof(dst->ipv6addr);
1055 dst_ptr = (uint8_t *) dst->ipv6addr.s6_addr;
1056 goto copy;
1057
1058 case PW_TYPE_IPV4_PREFIX:
1059 dst_len = sizeof(dst->ipv4prefix);
1060 dst_ptr = (uint8_t *) dst->ipv4prefix;
1061
1062 if (src_len < dst_len) return -1;
1063 if ((((uint8_t const *)src)[1] & 0x3f) > 32) return -1;
1064 goto copy;
1065
1066 case PW_TYPE_IPV6_PREFIX:
1067 dst_len = sizeof(dst->ipv6prefix);
1068 dst_ptr = (uint8_t *) dst->ipv6prefix;
1069
1070 /*
1071 * Smaller IPv6 prefixes are OK, too, so long as
1072 * they're not too short.
1073 */
1074 if (src_len < 2) return -1;
1075
1076 /*
1077 * Prefix is too long.
1078 */
1079 if (((uint8_t const *)src)[1] > 128) return -1;
1080
1081 if (src_len < dst_len) {
1082 memcpy(dst_ptr, src, src_len);
1083 memset(dst_ptr + src_len, 0, dst_len - src_len);
1084 break;
1085 }
1086
1087 goto copy;
1088
1089 case PW_TYPE_ETHERNET:
1090 dst_len = sizeof(dst->ether);
1091 dst_ptr = (uint8_t *) dst->ether;
1092 goto copy;
9981093
9991094 default:
1000 memcpy(dst, src, src_len);
1001 }
1095 return -1; /* can't do it */
1096 }
1097
1098 return dst_len;
10021099 }
10031100
10041101 /** Convert one type of value_data_t to another
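Review bot: the `PW_TYPE_IPV6_PREFIX` case validates `src_len >= 2` and `src[1] <= 128` but never checks that `src_len` actually covers the prefix length it claims, so a 2-byte source with a prefix length of 128 is accepted and zero-filled into an all-zero /128. Add a consistency check before the short-copy branch, e.g. `if (src_len < (size_t)(2 + (((uint8_t const *)src)[1] + 7) / 8)) return -1;`, and the mirror check for `PW_TYPE_IPV4_PREFIX` (which already requires the full `dst_len`, so the bit-length check there is enough once `src_len` is validated). The `copy:` label placed inside the `PW_TYPE_IPV4_ADDR` case and jumped to from later cases also deserves a one-line comment, since a reader scanning the switch will not expect control to flow backwards into another case. Returning `ssize_t` from a function whose callers then hand the value to `talloc_memdup()` is fine as long as every caller checks for `< 0` first, which the `value_data_cast()` hunks below do.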
10201117 PW_TYPE src_type, DICT_ATTR const *src_enumv,
10211118 value_data_t const *src, size_t src_len)
10221119 {
1120 ssize_t dst_len;
1121
10231122 if (!fr_assert(dst_type != src_type)) return -1;
10241123
10251124 /*
10331132 * Converts the src data to octets with no processing.
10341133 */
10351134 if (dst_type == PW_TYPE_OCTETS) {
1036 value_data_hton(dst, src_type, src, src_len);
1037 dst->octets = talloc_memdup(ctx, dst, src_len);
1135 dst_len = value_data_hton(dst, src_type, src, src_len);
1136 if (dst_len < 0) return -1;
1137
1138 dst->octets = talloc_memdup(ctx, dst, dst_len);
10381139 talloc_set_type(dst->octets, uint8_t);
1039 return talloc_array_length(dst->strvalue);
1140 return dst_len;
10401141 }
10411142
10421143 /*
11201221
11211222 case PW_TYPE_SHORT:
11221223 dst->integer = src->ushort;
1224 break;
1225
1226 case PW_TYPE_DATE:
1227 dst->integer = src->date;
11231228 break;
11241229
11251230 case PW_TYPE_OCTETS:
13801485
13811486 if (src_type == PW_TYPE_OCTETS) {
13821487 do_octets:
1383 value_data_hton(dst, dst_type, src->octets, src_len);
1384 return src_len;
1488 return value_data_hton(dst, dst_type, src->octets, src_len);
13851489 }
13861490
13871491 /*
15391643
15401644 t = data->date;
15411645
1542 p = talloc_array(ctx, char, 64);
1543 strftime(p, 64, "%b %e %Y %H:%M:%S %Z",
1646 p = talloc_zero_array(ctx, char, 64);
1647 strftime(p, 63, "%b %e %Y %H:%M:%S %Z",
15441648 localtime_r(&t, &s_tm));
15451649 break;
15461650 }
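Review bot: the return value of `strftime()` is still ignored; when the formatted date does not fit it returns 0 and the buffer contents are unspecified, so the zero-filled buffer is not a reliable fallback. Check the result, e.g. `if (strftime(p, 64, ...) == 0) p[0] = '\0';`. Passing 63 instead of 64 is harmless but unnecessary, since a successful `strftime()` always NUL-terminates within the size it is given; the switch to `talloc_zero_array()` is the part that actually guarantees a terminated string on the failure path.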
13401340 * We could reuse the CONF_PAIR buff, this just keeps things
13411341 * consistent between client_afrom_cs, and client_afrom_query.
13421342 */
1343 *p = talloc_strdup(c, strvalue);
1343 *p = talloc_strdup(c, vp->vp_strvalue);
13441344
13451345 /*
13461346 * This is fairly nasty... In order to figure out the CONF_PAIR
14851485 home_server_t *home;
14861486 uint16_t port;
14871487 int proto = IPPROTO_UDP;
1488 fr_ipaddr_t ipaddr;
1488 fr_ipaddr_t ipaddr, src_ipaddr;
14891489
14901490 if (argc < 2) {
14911491 cprintf_error(listener, "Must specify <ipaddr> <port> [udp|tcp]\n");
14971497 fr_strerror());
14981498 return NULL;
14991499 }
1500
1501 memset(&src_ipaddr, 0, sizeof(src_ipaddr));
1502 src_ipaddr.af = ipaddr.af;
15001503
15011504 port = atoi(argv[1]);
15021505
15181521 #endif
15191522
15201523 /*
1524 * Allow the caller to specify src, too.
1525 */
1526 if (strcmp(argv[myarg], "src") == 0) {
1527 if ((myarg + 2) < argc) {
1528 cprintf_error(listener, "You must specify an address after 'src' \n");
1529 return NULL;
1530 }
1531
1532 if (ip_hton(&src_ipaddr, ipaddr.af, argv[myarg + 1], false) < 0) {
1533 cprintf_error(listener, "Failed parsing IP address; %s\n",
1534 fr_strerror());
1535 return NULL;
1536 }
1537
1538 myarg += 2;
1539 continue;
1540 }
1541
1542 /*
15211543 * Unknown argument. Leave it for the caller.
15221544 */
15231545 break;
15241546 }
15251547
1526 home = home_server_find(&ipaddr, port, proto);
1548 home = home_server_find_bysrc(&ipaddr, port, proto, &src_ipaddr);
15271549 if (!home) {
15281550 cprintf_error(listener, "No such home server\n");
15291551 return NULL;
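Review bot: the argument-count check after `strcmp(argv[myarg], "src") == 0` is inverted. `if ((myarg + 2) < argc)` reports "You must specify an address after 'src'" exactly when enough arguments are present, and when `src` is the last argument the code falls through to `argv[myarg + 1]`, reading past the end of the argument array. It should read `if ((myarg + 1) >= argc) {`. While here, the error string has a stray space before the `\n`, and the `ip_hton()` error message uses `;` where the other messages in this function use `:`.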
19611983 "show home_server list - shows list of home servers",
19621984 command_show_home_servers, NULL },
19631985 { "state", FR_READ,
1964 "show home_server state <ipaddr> <port> [udp|tcp] - shows state of given home server",
1986 "show home_server state <ipaddr> <port> [udp|tcp] [src <ipaddr>] - shows state of given home server",
19651987 command_show_home_server_state, NULL },
19661988
19671989 { NULL, 0, NULL, NULL, NULL }
25532575 #ifdef WITH_PROXY
25542576 static fr_command_table_t command_table_set_home[] = {
25552577 { "state", FR_WRITE,
2556 "set home_server state <ipaddr> <port> [udp|tcp] [alive|dead] - set state for given home server",
2578 "set home_server state <ipaddr> <port> [udp|tcp] [src <ipaddr>] [alive|dead] - set state for given home server",
25572579 command_set_home_server_state, NULL },
25582580
25592581 { NULL, 0, NULL, NULL, NULL }
26022624
26032625 #ifdef WITH_PROXY
26042626 { "home_server", FR_READ,
2605 "stats home_server [<ipaddr>|auth|acct|coa|disconnect] <port> [udp|tcp] - show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)",
2627 "stats home_server [<ipaddr>|auth|acct|coa|disconnect] <port> [udp|tcp] [src <ipaddr>] - show statistics for given home server (ipaddr and port), or for all home servers (auth or acct)",
26062628 command_stats_home_server, NULL },
26072629 #endif
26082630
3232 int fd; //!< File descriptor associated with an entry.
3333 uint32_t hash; //!< Hash for cheap comparison.
3434 time_t last_used; //!< Last time the entry was used.
35 dev_t st_dev; //!< device inode
36 ino_t st_ino; //!< inode number
3537 char *filename; //!< Filename.
3638 } exfile_entry_t;
3739
324326 PTHREAD_MUTEX_UNLOCK(&(ef->mutex));
325327 return -1;
326328 }
329
330 if (fstat(ef->entries[i].fd, &st) < 0) goto error;
331
332 /*
333 * Remember which device and inode this file is
334 * for.
335 */
336 ef->entries[i].st_dev = st.st_dev;
337 ef->entries[i].st_ino = st.st_ino;
338
327339 } else {
328340 i = found;
341
342 /*
343 * Stat the *filename*, not the file we opened.
344 * If that's not the file we opened, then go back
345 * and re-open the file.
346 */
347 if (stat(ef->entries[i].filename, &st) == 0) {
348 if ((st.st_dev != ef->entries[i].st_dev) ||
349 (st.st_ino != ef->entries[i].st_ino)) {
350 /*
351 * No longer the same file; reopen.
352 */
353 close(ef->entries[i].fd);
354 goto reopen;
355 }
356 } else {
357 /*
358 * Error calling stat, likely the
359 * file has been moved. Reopen it.
360 */
361 close(ef->entries[i].fd);
362 goto reopen;
363 }
329364 }
330365
331366 /*
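Review bot: both re-open branches call `close(ef->entries[i].fd)` and `goto reopen`, but leave `ef->entries[i].fd` (and the new `st_dev`/`st_ino` fields) pointing at the closed descriptor. The reopen path itself can fail (it has a `goto error` after its own `fstat()`), in which case the slot keeps a stale fd that a later caller could lock or close again. Set `ef->entries[i].fd = -1` before the jump unless the reopen or error path already resets the entry. The `stat()`-by-name followed by open is inherently racy, which is acceptable here only because the post-lock `fstat()` comparison in the following hunk catches a file swapped in between; a comment saying so would save the next reader from "fixing" it.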
377412 }
378413
379414 /*
380 * Maybe someone deleted the file while we were waiting
381 * for the lock. If so, re-open it.
415 * See which file it really is.
382416 */
383417 if (fstat(ef->entries[i].fd, &st) < 0) {
384418 fr_strerror_printf("Failed to stat file %s: %s", filename, strerror(errno));
386420 }
387421
388422 /*
389 * It's unlinked from the file system, close the FD and
390 * try to re-open it.
391 */
392 if (st.st_nlink == 0) {
423 * Maybe the file was unlinked from the file system, OR
424 * the file we opened is NOT the one we had cached. If
425 * so, close the file and re-open it from scratch.
426 */
427 if ((st.st_nlink == 0) ||
428 (st.st_dev != ef->entries[i].st_dev) ||
429 (st.st_ino != ef->entries[i].st_ino)) {
393430 close(ef->entries[i].fd);
394431 goto reopen;
395432 }
396433
397434 /*
398 * If we're appending, eek to the end of the file before
435 * If we're appending, seek to the end of the file before
399436 * returning the FD to the caller.
400437 */
401438 (void) lseek(ef->entries[i].fd, 0, SEEK_END);
8787 VALUE_PAIR *reply_tmp = NULL;
8888 PAIR_LIST *pl = NULL, *t;
8989 PAIR_LIST **last = &pl;
90 int order = 0;
9091 int lineno = 0;
9192 int entry_lineno = 0;
9293 FR_TOKEN parsecode;
198199 * of entries. Go to the end of the
199200 * list.
200201 */
201 while (*last)
202 while (*last) {
203 (*last)->order = order++;
202204 last = &((*last)->next);
205 }
203206 continue;
204207 } /* $INCLUDE ... */
205208
315318 t->check = check_tmp;
316319 t->reply = reply_tmp;
317320 t->lineno = entry_lineno;
321 t->order = order++;
318322 check_tmp = NULL;
319323 reply_tmp = NULL;
320324
12131213
12141214 if (c->data.map->lhs->name[i] == '-') {
12151215 hyphens++;
1216 if (hyphens > 1) {
1217 may_be_attr = false;
1218 break;
1219 }
12201216 }
12211217 }
12221218
15501550 * handler.
15511551 */
15521552 if (request_proxy(request) < 0) {
1553 if (request->home_server && request->home_server->server) goto req_finished;
1554
15531555 (void) setup_post_proxy_fail(request);
15541556 process_proxy_reply(request, NULL);
15551557 goto req_finished;
48804882 /*
48814883 * All sockets: add the FD to the event handler.
48824884 */
4883 if (!fr_event_fd_insert(el, 0, this->fd,
4884 event_socket_handler, this)) {
4885 ERROR("Failed adding event handler for socket: %s", fr_strerror());
4886 fr_exit(1);
4887 }
4888
4889 this->status = RAD_LISTEN_STATUS_KNOWN;
4890 return 1;
4885 if (fr_event_fd_insert(el, 0, this->fd,
4886 event_socket_handler, this)) {
4887 this->status = RAD_LISTEN_STATUS_KNOWN;
4888 return 1;
4889 }
4890
4891 ERROR("Failed adding event handler for socket: %s", fr_strerror());
4892 this->status = RAD_LISTEN_STATUS_REMOVE_NOW;
48914893 } /* end of INIT */
48924894
48934895 #ifdef WITH_TCP
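Review bot: the failure path no longer calls `fr_exit(1)`; it logs, sets `this->status = RAD_LISTEN_STATUS_REMOVE_NOW;` and then drops out of the INIT case without a `return`. Make sure the code after `/* end of INIT */` (the `#ifdef WITH_TCP` block that follows) returns early for that status rather than continuing to treat a listener that was never registered with the event loop as live. Since this used to be fatal, the ERROR line should also say which listener is being dropped so operators notice a silently missing socket.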
2525
2626 #include <freeradius-devel/radclient.h>
2727 #include <freeradius-devel/radpaths.h>
28 #include <freeradius-devel/udpfromto.h>
2829 #include <freeradius-devel/conf.h>
2930 #include <ctype.h>
3031
5758 static uint16_t client_port = 0;
5859
5960 static int sockfd;
60 static int last_used_id = -1;
6161
6262 #ifdef WITH_TCP
6363 static char const *proto = NULL;
9595 fprintf(stderr, " If a second file is provided, it will be used to verify responses\n");
9696 fprintf(stderr, " -F Print the file name, packet number and reply code.\n");
9797 fprintf(stderr, " -h Print usage help information.\n");
98 fprintf(stderr, " -i <id> Set request id to 'id'. Values may be 0..255\n");
9998 fprintf(stderr, " -n <num> Send N requests/s\n");
10099 fprintf(stderr, " -p <num> Send 'num' packets from a file in parallel.\n");
101100 fprintf(stderr, " -q Do not print anything out.\n");
858857 mysockfd = fr_socket_client_tcp(NULL,
859858 &request->packet->dst_ipaddr,
860859 request->packet->dst_port, false);
860 if (mysockfd < 0) {
861 ERROR("Failed opening socket");
862 exit(1);
863 }
861864 } else
862865 #endif
863 mysockfd = fr_socket(&client_ipaddr, 0);
864 if (mysockfd < 0) {
865 ERROR("Failed opening socket");
866 exit(1);
866 {
867 mysockfd = fr_socket(&client_ipaddr, 0);
868 if (mysockfd < 0) {
869 ERROR("Failed opening socket");
870 exit(1);
871 }
872
873 #ifdef WITH_UDPFROMTO
874 if (udpfromto_init(mysockfd) < 0) {
875 ERROR("Failed initializing socket");
876 exit(1);
877 }
878 #endif
867879 }
868880 if (!fr_packet_list_socket_add(pl, mysockfd, ipproto,
869881 &request->packet->dst_ipaddr,
10281040 #endif
10291041 return -1; /* bad packet */
10301042 }
1031
1032 /*
1033 * We don't use udpfromto. So if we bind to "*", we want
1034 * to find replies sent to 192.0.2.4. Therefore, we
1035 * force all replies to have the one address we know
1036 * about, no matter what real address they were sent to.
1037 *
1038 * This only works if were not using any of the
1039 * Packet-* attributes, or running with 'auto'.
1040 */
1041 reply->dst_ipaddr = client_ipaddr;
1042 reply->dst_port = client_port;
1043
1044 #ifdef WITH_TCP
1045
1046 /*
1047 * TCP sockets don't use recvmsg(), and thus don't get
1048 * the source IP/port. However, since they're TCP, we
1049 * know what the source IP/port is, because that's where
1050 * we connected to.
1051 */
1052 if (ipproto == IPPROTO_TCP) {
1053 reply->src_ipaddr = server_ipaddr;
1054 reply->src_port = server_port;
1055 }
1056 #endif
10571043
10581044 packet_p = fr_packet_list_find_byreply(pl, reply);
10591045 if (!packet_p) {
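Review bot: removing `reply->dst_ipaddr = client_ipaddr; reply->dst_port = client_port;` makes reply matching depend on the kernel reporting the destination address via udpfromto, but the matching `udpfromto_init()` calls elsewhere in this diff are only compiled under `#ifdef WITH_UDPFROMTO`. On a build without it, replies received on a socket bound to the wildcard address arrive with an unset `dst_ipaddr`, and `fr_packet_list_find_byreply()` may no longer find the request. Either keep the override under `#ifndef WITH_UDPFROMTO`, or state in the radclient docs that udpfromto support is now required. The removal of the TCP block is fine on its own, since the packet list now fills in src/dst for TCP sockets.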
11941180 exit(1);
11951181 }
11961182
1197 while ((c = getopt(argc, argv, "46c:d:D:f:Fhi:n:p:qr:sS:t:vx"
1183 while ((c = getopt(argc, argv, "46c:d:D:f:Fhn:p:qr:sS:t:vx"
11981184 #ifdef WITH_TCP
11991185 "P:"
12001186 #endif
12441230
12451231 case 'F':
12461232 print_filename = true;
1247 break;
1248
1249 case 'i': /* currently broken */
1250 if (!isdigit((int) *optarg))
1251 usage();
1252 last_used_id = atoi(optarg);
1253 if ((last_used_id < 0) || (last_used_id > 255)) {
1254 usage();
1255 }
12561233 break;
12571234
12581235 case 'n':
14571434 #ifdef WITH_TCP
14581435 if (proto) {
14591436 sockfd = fr_socket_client_tcp(NULL, &server_ipaddr, server_port, false);
1437 if (sockfd < 0) {
1438 ERROR("Error opening socket");
1439 exit(1);
1440 }
14601441 } else
14611442 #endif
1462 sockfd = fr_socket(&client_ipaddr, client_port);
1463 if (sockfd < 0) {
1464 ERROR("Error opening socket");
1465 exit(1);
1443 {
1444 sockfd = fr_socket(&client_ipaddr, client_port);
1445 if (sockfd < 0) {
1446 ERROR("Error opening socket");
1447 exit(1);
1448 }
1449
1450 #ifdef WITH_UDPFROMTO
1451 if (udpfromto_init(sockfd) < 0) {
1452 ERROR("Failed initializing socket");
1453 exit(1);
1454 }
1455 #endif
14661456 }
14671457
14681458 pl = fr_packet_list_create(1);
500500
501501 if ((fr_set_signal(SIGHUP, sig_hup) < 0) ||
502502 (fr_set_signal(SIGTERM, sig_fatal) < 0)) {
503 set_signal_error:
503504 ERROR("%s", fr_strerror());
504505 exit(EXIT_FAILURE);
505506 }
509510 * immediately. Use SIGTERM to shut down the server cleanly in
510511 * that case.
511512 */
513 if (fr_set_signal(SIGINT, sig_fatal) < 0) goto set_signal_error;
514
515 #ifdef SIGQUIT
512516 if (main_config.debug_memory || (rad_debug_lvl == 0)) {
513 if ((fr_set_signal(SIGINT, sig_fatal) < 0)
514 #ifdef SIGQUIT
515 || (fr_set_signal(SIGQUIT, sig_fatal) < 0)
516 #endif
517 ) {
518 ERROR("%s", fr_strerror());
519 exit(EXIT_FAILURE);
520 }
521 }
517 if (fr_set_signal(SIGQUIT, sig_fatal) < 0) goto set_signal_error;
518 }
519 #endif
522520
523521 /*
524522 * Everything seems to have loaded OK, exit gracefully.
14461446 }
14471447
14481448 /*
1449 * See if the home server is already listed
1450 * in the pool. If so, do nothing else.
1449 * Don't check for duplicate home servers. If
1450 * the user specifies that, well, they can do it.
1451 *
1452 * Allowing duplicates means that all of the
1453 * realm->server[] entries are filled, which is
1454 * what the rest of the code assumes.
14511455 */
1452 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
1453 if (pool->servers[i] == home) {
1454 return 1;
1455 }
1456 }
14571456 }
14581457
14591458 /*
27412740 return rbtree_finddata(home_servers_byaddr, &myhome);
27422741 }
27432742
2743 home_server_t *home_server_find_bysrc(fr_ipaddr_t *ipaddr, uint16_t port,
2744 int proto,
2745 fr_ipaddr_t *src_ipaddr)
2746 {
2747 home_server_t myhome;
2748
2749 if (!src_ipaddr) return home_server_find(ipaddr, port, proto);
2750
2751 if (src_ipaddr->af != ipaddr->af) return NULL;
2752
2753 memset(&myhome, 0, sizeof(myhome));
2754 myhome.ipaddr = *ipaddr;
2755 myhome.src_ipaddr = *src_ipaddr;
2756 myhome.port = port;
2757 #ifdef WITH_TCP
2758 myhome.proto = proto;
2759 #else
2760 myhome.proto = IPPROTO_UDP;
2761 #endif
2762 myhome.server = NULL; /* we're not called for internal proxying */
2763
2764 return rbtree_finddata(home_servers_byaddr, &myhome);
2765 }
2766
27442767 #ifdef WITH_COA
27452768 home_server_t *home_server_byname(char const *name, int type)
27462769 {
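Review bot: `home_server_find_bysrc()` treats a NULL `src_ipaddr` as "don't care" and delegates to `home_server_find()`, but its only caller in this diff (`command_show_home_server_state`) always passes a non-NULL `src_ipaddr` that is zero-filled with just `af` set, whether or not `src` was given on the command line. The lookup therefore compares a zero source address against home servers that may have no `src_ipaddr` configured; confirm that the `home_servers_byaddr` comparator treats an unset source as a wildcard, otherwise `show home_server state <ipaddr> <port>` without `src` stops matching. Passing NULL from the caller when `src` was not supplied would make the intent explicit.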
17491749 #endif
17501750 VALUE_PAIR *vp;
17511751
1752 if (issuer_cert == NULL) {
1753 RWDEBUG("Could not get issuer certificate");
1754 goto skipped;
1755 }
1756
17521757 /*
17531758 * Create OCSP Request
17541759 */
22732278 */
22742279 if (certs && (sk_X509_EXTENSION_num(ext_list) > 0)) {
22752280 int i, len;
2281 EXTENDED_KEY_USAGE *eku;
22762282 char *p;
22772283 BIO *out;
22782284
23182324 }
23192325
23202326 BIO_free_all(out);
2327
2328 /* Export raw EKU OIDs to allow matching a single OID regardless of its name */
2329 eku = X509_get_ext_d2i(client_cert, NID_ext_key_usage, NULL, NULL);
2330 if (eku != NULL) {
2331 for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
2332 len = OBJ_obj2txt(value, sizeof(value), sk_ASN1_OBJECT_value(eku, i), 1);
2333 if ((len > 0) && ((unsigned) len < sizeof(value))) {
2334 vp = fr_pair_make(talloc_ctx, certs,
2335 "TLS-Client-Cert-X509v3-Extended-Key-Usage-OID",
2336 value, T_OP_ADD);
2337 rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
2338 }
2339 else {
2340 RDEBUG("Failed to get EKU OID at index %d", i);
2341 }
2342 }
2343 EXTENDED_KEY_USAGE_free(eku);
2344 }
23212345 }
23222346
23232347 REXDENT();
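Review bot: `OBJ_obj2txt(value, sizeof(value), ...)` is only correct if `value` is a fixed-size char array in this scope; it is declared outside this hunk, and if it is a pointer then `sizeof(value)` is the pointer size and the `(unsigned) len < sizeof(value)` check silently rejects every OID. Please confirm the declaration. The `no_name = 1` argument correctly forces the dotted numeric form regardless of whether OpenSSL knows a short name, which is the point of the new attribute. Style: `}` followed by `else {` on its own line differs from the `} else {` form used throughout the rest of this file.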
23902414
23912415 } else {
23922416 RDEBUG2("Starting OCSP Request");
2393 if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) ||
2394 !issuer_cert) {
2395 /*
2396 * Allow for external verify.
2397 */
2398 RERROR("Couldn't get issuer_cert for %s", common_name);
2399 do_verify = true;
2400
2401 } else {
2402 /*
2403 * Do the full OCSP checks.
2404 *
2405 * If they fail, don't run the external verify. We don't want
2406 * to allow admins to force authentication success for bad
2407 * certificates.
2408 *
2409 * If the OCSP checks succeed, check whether we still want to
2410 * run the external verification routine. If it's marked as
2411 * "skip verify on OK", then we don't do verify.
2412 */
2413 my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
2414 if (my_ok != OCSP_STATUS_FAILED) {
2415 do_verify = !conf->verify_skip_if_ocsp_ok;
2416 }
2417
2418 /*
2419 * If we don't have an issuer, then we can't send
2420 * and OCSP request, but pass the NULL issuer in
2421 * so ocsp_check can decide on the correct
2422 * return code.
2423 */
2424 issuer_cert = X509_STORE_CTX_get0_current_issuer(ctx);
2425
2426 /*
2427 * Do the full OCSP checks.
2428 *
2429 * If they fail, don't run the external verify. We don't want
2430 * to allow admins to force authentication success for bad
2431 * certificates.
2432 *
2433 * If the OCSP checks succeed, check whether we still want to
2434 * run the external verification routine. If it's marked as
2435 * "skip verify on OK", then we don't do verify.
2436 */
2437 my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
2438 if (my_ok != OCSP_STATUS_FAILED) {
2439 do_verify = !conf->verify_skip_if_ocsp_ok;
24172440 }
24182441 }
24192442 }
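Review bot: the explicit fallback `do_verify = true` for the case where no issuer could be found is gone. With `X509_STORE_CTX_get0_current_issuer()` returning NULL, `ocsp_check()` now takes the new `goto skipped` path added earlier in this diff, and `do_verify` is only set when the result is not `OCSP_STATUS_FAILED`. Confirm that the `skipped` return code is not `OCSP_STATUS_FAILED`, otherwise a client certificate whose issuer is absent from the store now skips the external verify that used to run as a safety net; a comment in `ocsp_check()` stating what `skipped` returns and why would make this explicit. The switch from `get1_issuer` to `get0_current_issuer` also drops a reference-counted copy in favour of a borrowed pointer, so the old `X509_free()` for the issuer (if any remained) must go too, and the pointer is only valid inside this verify callback.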
25622585 #endif
25632586 #endif
25642587
2565 /*
2566 * DIE OPENSSL DIE DIE DIE
2567 *
2568 * What a palaver, just to free some data attached the
2569 * session. We need to do this because the "remove" callback
2570 * is called when refcount > 0 sometimes, if another thread
2571 * is using the session
2572 */
2573 static void sess_free_vps(UNUSED void *parent, void *data_ptr,
2574 UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx,
2575 UNUSED long argl, UNUSED void *argp)
2576 {
2577 VALUE_PAIR *vp = data_ptr;
2578 if (!vp) return;
2579
2580 DEBUG2(LOG_PREFIX ": Freeing cached session VPs");
2581
2582 fr_pair_list_free(&vp);
2583 }
2584
2585 static void sess_free_certs(UNUSED void *parent, void *data_ptr,
2586 UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx,
2587 UNUSED long argl, UNUSED void *argp)
2588 {
2589 VALUE_PAIR **certs = data_ptr;
2590 if (!certs) return;
2591
2592 DEBUG2(LOG_PREFIX ": Freeing cached session Certificates");
2593
2594 fr_pair_list_free(certs);
2595 }
2596
25972588 /** Add all the default ciphers and message digests reate our context.
25982589 *
25992590 * This should be called exactly once from main, before reading the main config
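Review bot: the ex_data free callbacks `sess_free_vps` and `sess_free_certs` are removed and both `SSL_SESSION_get_ex_new_index()` calls later in this diff now pass NULL for the free function, so OpenSSL no longer frees the VALUE_PAIR lists attached to a cached session. The removed comment explains why the callbacks were unsafe (they fired while the session refcount was still non-zero), but nothing in this hunk says who owns that data now. The later changes that set `FR_TLS_EX_INDEX_TALLOC` to `sock` and `handler` suggest the lists are meant to be talloc children of those objects; if so, a comment at the index registration stating that ownership, and a check that nothing still allocates them with a NULL talloc context, would prevent a per-session leak from being reintroduced.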
26092600 /*
26102601 * Initialize the index for the certificates.
26112602 */
2612 fr_tls_ex_index_certs = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_certs);
2603 fr_tls_ex_index_certs = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, NULL);
26132604
26142605 /*
26152606 * If we're linking with OpenSSL too, then we need
29132904
29142905 /* Load the CAs we trust */
29152906 load_ca:
2907 #if defined(X509_V_FLAG_PARTIAL_CHAIN)
2908 X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
2909 #endif
29162910 if (conf->ca_file || conf->ca_path) {
29172911 if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
29182912 tls_error_log(NULL, "Failed reading Trusted root CA list \"%s\"",
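Review bot: `X509_V_FLAG_PARTIAL_CHAIN` is set unconditionally on the context's certificate store before `ca_file`/`ca_path` are loaded, which changes trust semantics for every deployment: any intermediate CA present in the trusted store now terminates chain building as a trust anchor, with no requirement that the root be present. That is usually what EAP-TLS operators want, but it means a store that previously failed verification because only an intermediate was trusted will now succeed, so the change should be called out in the changelog and arguably gated by a `tls` config option rather than applied silently. The flag is set on the store returned by `SSL_CTX_get_cert_store(ctx)`, so it persists across the subsequent `SSL_CTX_load_verify_locations()` call.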
31623156
31633157 SSL_CTX_set_quiet_shutdown(ctx, 1);
31643158 if (fr_tls_ex_index_vps < 0)
3165 fr_tls_ex_index_vps = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, sess_free_vps);
3159 fr_tls_ex_index_vps = SSL_SESSION_get_ex_new_index(0, NULL, NULL, NULL, NULL);
31663160 }
31673161
31683162 /*
36843678 * data buffer.
36853679 */
36863680 err = SSL_read(ssn->ssl, ssn->clean_out.data, sizeof(ssn->clean_out.data));
3687 if (err < 0) {
3681 if (err <= 0) {
36883682 int code;
36893683
36903684 RDEBUG("SSL_read Error");
37073701 }
37083702 return FR_TLS_FAIL;
37093703 }
3710
3711 if (err == 0) RWDEBUG("No data inside of the tunnel");
37123704
37133705 /*
37143706 * Passed all checks, successfully decrypted data
173173
174174 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request);
175175 SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs);
176 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL);
176 SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock);
177177
178178 doing_init = true;
179179 }
12211221 return -1;
12221222 }
12231223
1224 /*
1225 * Copy over any additional fields needed...
1226 */
1227 if ((vpt->type == TMPL_TYPE_ATTR) && vp->da->flags.has_tag) {
1228 vp->tag = vpt->tmpl_tag;
1229 }
1230
12241231 *out = vp;
12251232 return 0;
12261233 }
6666 vp_tmpl_t attr; //!< An attribute template.
6767 xlat_t const *xlat; //!< The xlat expansion to expand format with.
6868 };
69
70 typedef struct xlat_out {
71 char const *out; //!< Output data.
72 size_t len; //!< Length of the output string.
73 } xlat_out_t;
7469
7570 static rbtree_t *xlat_root = NULL;
7671
483478 RINDENT();
484479 RDEBUG2("as %s%*s: %s", type->name, pad, " ", value);
485480 REXDENT();
481 talloc_free(value);
486482
487483 next_type:
488484 talloc_free(dst);
223223 VALUE_PAIR *vp;
224224 char timestamp[256];
225225
226 if (!packet->vps) {
226 if ((packet->code == PW_CODE_ACCOUNTING_REQUEST) && !packet->vps) {
227227 RWDEBUG("Skipping empty packet");
228228 return 0;
229229 }
9595 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store);
9696 #endif
9797 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn);
98 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL);
98 SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_TALLOC, handler);
9999
100100 return talloc_steal(handler, ssn); /* ssn */
101101 }
146146 ep->type.length = 3;
147147 ep->type.data = encodedmsg;
148148
149 return 0;
149 return 1;
150150 }
151151
152152
452452 */
453453 vp = fr_pair_find_by_num(request->reply->vps, PW_USER_NAME, 0, TAG_ANY);
454454 if (!vp) {
455 vp = fr_pair_copy(request->reply, request->username);
456 fr_pair_add(&request->reply->vps, vp);
455 vp = request->username;
456 if (vp->da->attr != PW_USER_NAME) {
457 vp = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
458 }
459 if (vp) {
460 vp = fr_pair_copy(request->reply, vp);
461 fr_pair_add(&request->reply->vps, vp);
462 }
457463 }
458464
459465 /*
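Review bot: `vp = request->username;` followed by `if (vp->da->attr != PW_USER_NAME)` dereferences `request->username` without a NULL check, while the `if (vp)` guard two lines later and the `if (vp && inst->mod_accounting_username_bug)` change in the next hunk both acknowledge that `vp` can be NULL here. An accounting packet with no User-Name, where `request->username` was never set, will crash. Suggest `if (vp && (vp->da->attr != PW_USER_NAME))`, or fall straight to the `fr_pair_find_by_num()` lookup on the request packet when `request->username` is NULL.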
465471 * vp->vp_strvalue is still a NUL-terminated C
466472 * string.
467473 */
468 if (inst->mod_accounting_username_bug) {
474 if (vp && inst->mod_accounting_username_bug) {
469475 char const *old = vp->vp_strvalue;
470476 char *new;
471477
00 TARGETNAME := @targetname@
11
22 ifneq "$(OPENSSL_LIBS)" ""
3 ifneq "$(TARGETNAME)" ""
34 TARGET := $(TARGETNAME).a
5 endif
46 endif
57
68 SOURCES := $(TARGETNAME).c eap_fast.c eap_fast_crypto.c
4141 struct eapsim_keys keys;
4242 int sim_id;
4343 } eap_sim_state_t;
44
45 /*
46 * build a reply to be sent.
47 */
48 static void eap_sim_compose(REQUEST *request, eap_handler_t *handler)
49 {
50 /* we will set the ID on requests, since we have to HMAC it */
51 handler->eap_ds->set_request_id = 1;
52
53 if (!map_eapsim_basictypes(handler->request->reply,
54 handler->eap_ds->request)) {
55 REDEBUG("Failed decoding EAP-SIM packet: %s", fr_strerror());
56 }
57 }
5844
5945 static int eap_sim_sendstart(eap_handler_t *handler)
6046 {
453439 ess->state = newstate;
454440
455441 /* build the target packet */
456 eap_sim_compose(request, handler);
442 /* we will set the ID on requests, since we have to HMAC it */
443 handler->eap_ds->set_request_id = 1;
444
445 if (!map_eapsim_basictypes(handler->request->reply,
446 handler->eap_ds->request)) {
447 REDEBUG("Failed encoding EAP-SIM packet");
448 }
457449 }
458450
459451 /*
344344 static rlm_rcode_t file_common(rlm_files_t *inst, REQUEST *request, char const *filename, rbtree_t *tree,
345345 RADIUS_PACKET *request_packet, RADIUS_PACKET *reply_packet)
346346 {
347 char const *name, *match;
347 char const *name;
348348 VALUE_PAIR *check_tmp;
349349 VALUE_PAIR *reply_tmp;
350350 PAIR_LIST const *user_pl, *default_pl;
386386 /*
387387 * Figure out which entry to match on.
388388 */
389
390389 if (!default_pl && user_pl) {
391390 pl = user_pl;
392 match = name;
393391 user_pl = user_pl->next;
394392
395393 } else if (!user_pl && default_pl) {
396394 pl = default_pl;
397 match = "DEFAULT";
398395 default_pl = default_pl->next;
399396
400 } else if (user_pl->lineno < default_pl->lineno) {
397 } else if (user_pl->order < default_pl->order) {
401398 pl = user_pl;
402 match = name;
403399 user_pl = user_pl->next;
404400
405401 } else {
406402 pl = default_pl;
407 match = "DEFAULT";
408403 default_pl = default_pl->next;
409404 }
410405
420415 }
421416
422417 if (paircompare(request, request_packet->vps, check_tmp, &reply_packet->vps) == 0) {
423 RDEBUG2("%s: Matched entry %s at line %d", filename, match, pl->lineno);
418 RDEBUG2("%s: Matched entry %s at line %d", filename, pl->name, pl->lineno);
424419 found = true;
425420
426421 /* ctx may be reply or proxy */
15501550 }
15511551 #endif /* HAVE_LDAP_START_TLS_S */
15521552
1553 if (inst->sasl_secprops) {
1554 do_ldap_option(LDAP_OPT_X_SASL_SECPROPS, "SASL_SECPROPS", inst->sasl_secprops);
1555 }
1556
15531557 status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
15541558 &(conn->inst->admin_sasl), false);
15551559 if (status != LDAP_PROC_SUCCESS) {
121121 char const *admin_password; //!< Password used in administrative bind.
122122
123123 ldap_sasl admin_sasl; //!< SASL parameters used when binding as the admin.
124
125 const char *sasl_secprops; //!< SASL Security Properties to set.
124126
125127 char const *dereference_str; //!< When to dereference (never, searching, finding, always)
126128 int dereference; //!< libldap value specifying dereferencing behaviour.
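Review bot: `const char *sasl_secprops;` uses a different const placement from every neighbouring field in the struct (`char const *admin_password;`, `char const *dereference_str;`); change it to `char const *sasl_secprops;` to match. The field also lacks the `//!<` doxygen comment style used on the surrounding members, and the config parser entry added for it in the next hunk should mention that the value is passed through to `LDAP_OPT_X_SASL_SECPROPS` unchanged, so admins know the libldap syntax applies.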
186186 { "chase_referrals", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, chase_referrals), NULL },
187187
188188 { "rebind", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_ldap_t, rebind), NULL },
189
190 { "sasl_secprops", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_ldap_t, sasl_secprops), NULL },
189191
190192 #ifdef LDAP_OPT_NETWORK_TIMEOUT
191193 /* timeout on network activity */
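Review bot: the new `sasl_secprops` entry lands in the parser table with no accompanying documentation visible in the excerpt shown here; the commented-out example in the ldap module config should describe the accepted value format (the libldap property list such as `minssf=128,noanonymous`) so admins understand it raises the required SASL security properties rather than being a free-form string.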
189189 else ht->delimiter = ':';
190190 if(!tablesize) return ht;
191191 if(!(ht->fp = fopen(file,"r"))) {
192 ERROR("Failed opening %s - %s", file, fr_strerror());
192193 free(ht->filename);
193194 free(ht);
194195 return NULL;
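Review bot: `fr_strerror()` in the new ERROR line reports the library's own error buffer, which `fopen()` never populates, so the message will show an empty or stale string instead of the real cause; the failure reason is in `errno`, so this should be `fr_syserror(errno)`.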
458459 return -1;
459460 }
460461 if (! (inst->ht = build_hash_table (inst->filename, nfields, keyfield, listable, inst->hash_size, inst->ignore_nislike, *inst->delimiter)) ){
461 ERROR("rlm_passwd: can't build hashtable from passwd file");
462 ERROR("rlm_passwd: failed reading file.");
462463 return -1;
463464 }
464465 if (! (inst->pwdfmt = mypasswd_malloc(inst->format, nfields, &len)) ){
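Review bot: the replacement message `"rlm_passwd: failed reading file."` is less specific than the one it replaces and still omits the file name; since build_hash_table now reports the open failure with the path (earlier hunk), this line should either include `inst->filename` or be dropped so one failure does not produce two errors, one of them uninformative.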
329329 }
330330
331331 vp->op = op;
332
333 /*
334 * @todo - use tmpl_cast_to_vp() instead ???
335 */
336 if (vp->da->flags.has_tag) vp->tag = dst.tmpl_tag;
337
332338 if (fr_pair_value_from_str(vp, s2, -1) < 0) {
333339 DEBUG("%s - Failed: '%s:%s' %s '%s'", funcname, list_name, s1,
334340 fr_int2str(fr_tokens, op, "="), s2);
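Review bot: the `@todo - use tmpl_cast_to_vp() instead ???` comment should either become a tracked issue or a plain statement of why the tag is copied by hand; more importantly, confirm what `dst.tmpl_tag` holds when the attribute reference carries no tag (the TAG_ANY wildcard rather than TAG_NONE), because copying a wildcard sentinel into `vp->tag` for an attribute with `has_tag` set would give the pair a tag value that is not a real tag.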
21472147 SET_OPTION(CURLOPT_ISSUERCERT, section->tls_ca_file);
21482148 }
21492149
2150 if (section->tls_ca_info_file) {
2151 SET_OPTION(CURLOPT_CAINFO, section->tls_ca_info_file);
2152 }
2153
21502154 if (section->tls_ca_path) {
21512155 SET_OPTION(CURLOPT_CAPATH, section->tls_ca_path);
21522156 }
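Review bot: a comment here would prevent a common misconfiguration: `CURLOPT_ISSUERCERT` (set from `tls_ca_file` just above) only adds a check on the issuer of the peer certificate, while the new `CURLOPT_CAINFO` from `tls_ca_info_file` is what supplies the trust anchors used to verify the server's chain; without the new option, `tls_ca_path` is the only source of trusted CAs, so the documentation for `ca_file` should state that it does not by itself establish trust in the server certificate.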
130130 char const *tls_private_key_file;
131131 char const *tls_private_key_password;
132132 char const *tls_ca_file;
133 char const *tls_ca_info_file;
133134 char const *tls_ca_path;
134135 char const *tls_random_file;
135136 bool tls_check_cert;
3535 */
3636 static CONF_PARSER tls_config[] = {
3737 { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_file), NULL },
38 { "ca_info_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_info_file), NULL },
3839 { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_path), NULL },
3940 { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_certificate_file), NULL },
4041 { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_private_key_file), NULL },
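Review bot: the new `ca_info_file` entry uses `PW_TYPE_FILE_INPUT` consistently with `ca_file` and `ca_path`, but the two names `ca_file` and `ca_info_file` will be confused unless the rest module config example explains which one verifies the server certificate; add a commented-out `ca_info_file` line next to `ca_file` there, with one sentence on the difference.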
122122 session->session_id = inst->last_session_id;
123123 RDEBUG2("Creating a new session with id=%d\n",session->session_id);
124124 }
125
126 memset(session->state, 0, sizeof(session->state));
125127 snprintf(session->state,sizeof(session->state)-1,"FRR-CH %d|%d",session->session_id,session->trips+1);
126128 RDEBUG2("Inserting session id=%d identity='%s' state='%s' to the session list",
127129 session->session_id,SAFE_STR(session->identity),session->state);
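Review bot: the added `memset(session->state, 0, sizeof(session->state))` is more than tidiness: the State attribute is later built from the whole buffer with `fr_pair_value_memcpy(state, session->state, sizeof(session->state))` (next hunk), so without zeroing, the bytes after the `snprintf` terminator would be uninitialised memory sent to the NAS; a one-line comment saying the tail of the buffer goes on the wire would stop someone removing the memset later. The `sizeof(...) - 1` passed to `snprintf` is unnecessary since it always NUL-terminates, but harmless.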
131133 * Generate State, since we've been asked to add it to
132134 * the list.
133135 */
134 state = pair_make_reply("State", session->state, T_OP_EQ);
136 state = fr_pair_make(request->reply, &request->reply->vps, "State", NULL, T_OP_EQ);
135137 if (!state) return -1;
136 state->vp_length = SECURID_STATE_LEN;
138
139 fr_pair_value_memcpy(state, session->state, sizeof(session->state));
137140
138141 status = rbtree_insert(inst->session_tree, session);
139142 if (status) {
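Review bot: the State value is now always `sizeof(session->state)` bytes of the buffer, trailing zeros included, where the old code forced `vp_length` to `SECURID_STATE_LEN`; confirm those two sizes are equal so the length on the wire is unchanged. Building the pair with a NULL value in `fr_pair_make` and then `fr_pair_value_memcpy` is the right approach for an octets attribute, since it avoids the string parse that `pair_make_reply` performed.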
14381438 if (!*expanded) {
14391439 RDEBUG("Ignoring null query");
14401440 rcode = RLM_MODULE_NOOP;
1441 talloc_free(expanded);
14421441
14431442 goto finish;
14441443 }
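Review bot: dropping `talloc_free(expanded)` before `goto finish` is correct only if the `finish:` label frees `expanded` on every path that reaches it; if it does, this removes a double free and the other early exits in the function should be checked for the same pattern, and if it does not, this hunk introduces a leak on every null query.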
117117 token = gettoken(&value, buf, sizeof(buf), false);
118118 switch (token) {
119119 /*
120 * Mark the pair to be allocated later.
121 */
122 case T_BACK_QUOTED_STRING:
123 do_xlat = 1;
124 /* FALL-THROUGH */
125
126 /*
120127 * Take the unquoted string.
121128 */
122129 case T_SINGLE_QUOTED_STRING:
123130 case T_DOUBLE_QUOTED_STRING:
124131 value = buf;
125132 break;
126
127 /*
128 * Mark the pair to be allocated later.
129 */
130 case T_BACK_QUOTED_STRING:
131 do_xlat = 1;
132
133 /* FALL-THROUGH */
134133
135134 /*
136135 * Keep the original string.
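Review bot: moving the `T_BACK_QUOTED_STRING` case above the single/double quoted cases is the actual fix here: in the old order its `/* FALL-THROUGH */` landed in the "Keep the original string" case, so `value` was never pointed at the unquoted `buf` and the backticks reached the xlat; in the new order it falls into `value = buf; break;`. The comment "Mark the pair to be allocated later" still only describes the `do_xlat = 1` side effect, so it should also say the value is now the stripped string.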
330330 * Don't repeat yourself
331331 */
332332 #undef DO
333 #define DO(_x) sqlippool_command(inst->_x, handle, inst, request, NULL, 0)
334 #define DO_PART(_x) sqlippool_command(inst->_x, &handle, inst, request, NULL, 0)
333 #define DO(_x) if (sqlippool_command(inst->_x, handle, inst, request, NULL, 0) < 0) return RLM_MODULE_FAIL
334 #define DO_PART(_x) if (sqlippool_command(inst->_x, &handle, inst, request, NULL, 0) < 0) goto error
335335
336336 /*
337337 * Query the database expecting a single result row
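Review bot: the new `DO` and `DO_PART` macros expand to a bare `if (...) return ...;` / `goto error;`, so a call such as `if (c) DO_PART(x); else ...` would bind the `else` to the macro's own `if`; wrap the bodies in `do { ... } while (0)`. `DO_PART` also now silently requires an `error:` label in every function that uses it, which belongs in the comment above `#undef DO`.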
626626 /*
627627 * UPDATE
628628 */
629 sqlippool_command(inst->allocate_update, &handle, inst, request,
630 allocation, allocation_len);
629 if (sqlippool_command(inst->allocate_update, &handle, inst, request,
630 allocation, allocation_len) < 0) {
631 error:
632 fr_connection_release(inst->sql_inst->pool, handle);
633 return RLM_MODULE_FAIL;
634 }
631635
632636 DO_PART(allocate_commit);
633637
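Review bot: the `error:` label placed inside the `if` body is legal but easy to miss when reading; moving it, with the release and return, after the main return path would make the cleanup path obvious. The error path also releases the handle without issuing any rollback counterpart to `allocate_commit`, so if an earlier query in this function opened a transaction, the connection goes back to the pool with it still open; either run the rollback query here or document that the pool resets the connection.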
119119 /*
120120 * Now we check for replay attacks
121121 */
122 vp = fr_pair_find_by_da(request->config, da, TAG_ANY);
122 vp = fr_pair_find_by_da(request->config, vp->da, TAG_ANY);
123123 if (!vp) {
124124 RWDEBUG("Yubikey-Counter not found in control list, skipping replay attack checks");
125125 return RLM_MODULE_OK;
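Review bot: `fr_pair_find_by_da(request->config, vp->da, TAG_ANY)` now derives the dictionary attribute from `vp` itself, so this line relies on `vp` being non-NULL and pointing at the request's Yubikey-Counter pair when it is reached; the assignment then overwrites `vp` with the control-list pair (or NULL), so any later use that expected the request pair must have been adjusted as well. A short comment naming which pair `vp` holds before and after this line would help the next reader.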
8585 # Otherwise, check the log file for a parse error which matches the
8686 # ERROR line in the input.
8787 #
88 $(BUILD_DIR)/tests/keywords/%: $(DIR)/% $(BUILD_DIR)/tests/keywords/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/keywords $(KEYWORD_RADDB) $(KEYWORD_LIBS) build.raddb rlm_cache_rbtree.la rlm_test.la rlm_unix.la
88 $(BUILD_DIR)/tests/keywords/%: ${DIR}/% $(BUILD_DIR)/tests/keywords/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/keywords $(KEYWORD_RADDB) $(KEYWORD_LIBS) build.raddb rlm_cache_rbtree.la rlm_test.la rlm_unix.la
8989 @echo UNIT-TEST $(notdir $@)
9090 @if ! KEYWORD=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/keywords/ -i $@.attrs -f $@.attrs -xx > $@.log 2>&1; then \
9191 if ! grep ERROR $< 2>&1 > /dev/null; then \
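Review bot: `$(DIR)/%` to `${DIR}/%` is cosmetic in GNU make, where both forms are equivalent, and it leaves the same line mixing `$(...)` and `${...}` styles; if the brace form is needed here for a tool that rewrites `$(DIR)`, say so in the commit message, otherwise keep one style per file.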
100100 # byte
101101 if (Tmp-String-9 != '3a') {
102102 update reply {
103 Filter-ID += 'fail 10'
103 Filter-ID += "fail 10 - expected 3a got %{Tmp-String-9}"
104104 }
105105 }
106106
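Review bot: the switch from single to double quotes is what makes the `%{Tmp-String-9}` expansion work, since single-quoted unlang strings are literal; the message now reports the actual value, and the other failure messages in this file should get the same treatment so a failure always shows expected and got.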
135135 # ipv4prefix
136136 if (Tmp-String-3 != '00203938373e') {
137137 update reply {
138 Filter-Id += 'fail 14'
138 Filter-Id += 'fail 14 expected 00203938373e got %{Tmp-String-3}'
139139 }
140140 }
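Review bot: this message will not expand: `'fail 14 expected 00203938373e got %{Tmp-String-3}'` is single-quoted, and single-quoted unlang strings are literal, so the reply will carry the text `%{Tmp-String-3}` rather than the value; use double quotes as the `Filter-ID` line in the earlier hunk does.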
00 Name: freeradius-server
1 Version: 3.0.16
1 Version: 3.0.17
22 Release: 0
33 License: GPLv2 ; LGPLv2.1
44 Group: Productivity/Networking/Radius/Servers