Merging upstream version 3.2.5+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-26 10:41:53 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-08-26 10:41:53 +0000
commit: 1526b335a5a81d945e64291e2fbcf92f72d15a4e (patch)
tree: 64d3bc5d36df06664cc49d7c4d8710100e23b888 /src/include
parent: Releasing progress-linux version 3.2.3+dfsg-2~progress7.99u1. (diff)
download: freeradius-1526b335a5a81d945e64291e2fbcf92f72d15a4e.tar.xz
freeradius-1526b335a5a81d945e64291e2fbcf92f72d15a4e.zip
10 files changed, 114 insertions, 6 deletions
diff --git a/src/include/clients.h b/src/include/clients.h
index 46b5b3b..7e962b6 100644
--- a/src/include/clients.h
+++ b/src/include/clients.h
@@ -43,7 +43,11 @@ typedef struct radclient {
 
 	char const		*secret;		//!< Secret PSK.
 
-	bool			message_authenticator;	//!< Require RADIUS message authenticator in requests.
+	fr_bool_auto_t 		require_ma;		//!< Require RADIUS message authenticator in requests.
+
+	bool			dynamic_require_ma;	//!< for dynamic clients
+
+	fr_bool_auto_t 		limit_proxy_state;     	//!< Limit Proxy-State in requests
 
 	char const		*nas_type;		//!< Type of client (arbitrary).
 
diff --git a/src/include/conffile.h b/src/include/conffile.h
index b996881..237469c 100644
--- a/src/include/conffile.h
+++ b/src/include/conffile.h
@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t;
 #define PW_TYPE_MULTI		(1 << 18) //!< CONF_PAIR can have multiple copies.
 #define PW_TYPE_NOT_EMPTY	(1 << 19) //!< CONF_PAIR is required to have a non zero length value.
 #define PW_TYPE_FILE_EXISTS	((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist
+#define PW_TYPE_IGNORE_DEFAULT	(1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing
 /* @} **/
 
 #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\
diff --git a/src/include/dlist.h b/src/include/dlist.h
new file mode 100644
index 0000000..c1bc1d5
--- /dev/null
+++ b/src/include/dlist.h
@@ -0,0 +1,63 @@
+/*
+ *   This program is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation; either version 2 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, write to the Free Software
+ *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ *
+ * @file dlist.h
+ * @brief doubly linked lists
+ *
+ * @copyright 2023 Network RADIUS SAS (legal@networkradius.com)
+ */
+
+#ifndef RADIUS_DLIST_H
+#define RADIUS_DLIST_H
+
+RCSIDH(dlist_h, "$Id$")
+
+/*
+ *	We have an internal cache, keyed by (mac + ssid).
+ *
+ *	It returns the PMK and PSK for the user.
+ */
+typedef struct fr_dlist_s fr_dlist_t;
+
+struct fr_dlist_s {
+	fr_dlist_t	*prev;
+	fr_dlist_t	*next;
+};
+
+static inline void fr_dlist_entry_init(fr_dlist_t *entry)
+{
+	entry->prev = entry->next = entry;
+}
+
+static inline CC_HINT(nonnull) void fr_dlist_entry_unlink(fr_dlist_t *entry)
+{
+	entry->prev->next = entry->next;
+	entry->next->prev = entry->prev;
+	entry->prev = entry->next = entry;
+}
+
+static inline CC_HINT(nonnull) void fr_dlist_insert_tail(fr_dlist_t *head, fr_dlist_t *entry)
+{
+	entry->next = head;
+	entry->prev = head->prev;
+	head->prev->next = entry;
+	head->prev = entry;
+}
+
+#endif	/* RADIUS_DLIST_H */
diff --git a/src/include/event.h b/src/include/event.h
index 0409728..822da96 100644
--- a/src/include/event.h
+++ b/src/include/event.h
@@ -39,6 +39,8 @@ typedef void (*fr_event_fd_handler_t)(fr_event_list_t *el, int sock, void *ctx);
 
 fr_event_list_t *fr_event_list_create(TALLOC_CTX *ctx, fr_event_status_t status);
 
+extern int fr_ev_max_fds;	/* must be a power of 2 */
+
 int fr_event_list_num_fds(fr_event_list_t *el);
 int fr_event_list_num_elements(fr_event_list_t *el);
 
diff --git a/src/include/features-h b/src/include/features-h
index 158541f..1e2f29e 100644
--- a/src/include/features-h
+++ b/src/include/features-h
@@ -69,7 +69,7 @@
 #ifdef WITH_TLS
 #  ifdef WITH_COA
 #    ifndef WITHOUT_COA_TUNNEL
-#      define WITH_COA_TUNNEL (1)
+//#      define WITH_COA_TUNNEL (1)
 #    endif
 #  endif
 #endif
diff --git a/src/include/libradius.h b/src/include/libradius.h
index 777927e..5cb5b06 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -410,6 +410,11 @@ typedef struct radius_packet {
 #ifdef WITH_RADIUSV11
 	bool			radiusv11;
 #endif
+	bool			tls;		//!< uses secure transport
+
+	bool			message_authenticator;
+	bool			proxy_state;
+	bool			eap_message;
 } RADIUS_PACKET;
 
 typedef enum {
@@ -527,6 +532,13 @@ DICT_VENDOR	*dict_vendorbyvalue(int vendor);
 /* radius.c */
 int		rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret);
 bool		rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason);
+
+/*
+ *	1 == require_ma
+ *	2 == msg_peek
+ *	4 == limit_proxy_state
+ *	8 == require_ma for Access-* replies and Protocol-Error
+ */
 RADIUS_PACKET	*rad_recv(TALLOC_CTX *ctx, int fd, int flags);
 ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code);
 void		rad_recv_discard(int sockfd);
@@ -720,7 +732,7 @@ extern bool	fr_dns_lookups;	/* do IP -> hostname lookups? */
 extern bool	fr_hostname_lookups; /* do hostname -> IP lookups? */
 extern int	fr_debug_lvl;	/* 0 = no debugging information */
 extern uint32_t	fr_max_attributes; /* per incoming packet */
-#define	FR_MAX_PACKET_CODE (52)
+#define	FR_MAX_PACKET_CODE (53)
 extern char const *fr_packet_codes[FR_MAX_PACKET_CODE];
 #define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE))
 extern FILE	*fr_log_fp;
@@ -958,6 +970,12 @@ int		fr_socket_wait_for_connect(int sockfd, struct timeval *timeout);
 }
 #endif
 
+typedef enum {
+	FR_BOOL_FALSE = 0,
+	FR_BOOL_TRUE,
+	FR_BOOL_AUTO,
+} fr_bool_auto_t;
+
 #include <freeradius-devel/packet.h>
 
 #ifdef WITH_TCP
diff --git a/src/include/radius.h b/src/include/radius.h
index 473528d..147d674 100644
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -61,6 +61,7 @@ typedef enum {
 	PW_CODE_COA_REQUEST		= 43,	//!< RFC3575/RFC5176 - CoA-Request
 	PW_CODE_COA_ACK			= 44,	//!< RFC3575/RFC5176 - CoA-Ack (positive)
 	PW_CODE_COA_NAK			= 45,	//!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
+	PW_CODE_PROTOCOL_ERROR 		= 52,	//!< RFC7930 - Protocol layer issue
 	PW_CODE_MAX			= 255,	//!< Maximum possible code
 } PW_CODE;
 
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 594a6bd..c7c03cd 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -141,6 +141,8 @@ typedef struct main_config {
 	uint32_t	cleanup_delay;			//!< How long before cleaning up cached responses.
 	uint32_t	max_requests;
 
+	uint32_t       	proxy_dedup_window;		//!< suppress duplicate retransmitssions from a NAS
+
 	bool		postauth_client_lost;		//!< Whether to run Post-Auth-Type Client-Lost section
 
 	uint32_t	debug_level;
@@ -174,6 +176,9 @@ typedef struct main_config {
 
 	bool		exiting;			//!< are we exiting?
 
+	fr_bool_auto_t 	require_ma;			//!< global configuration for all clients and home servers
+
+	fr_bool_auto_t 	limit_proxy_state;     		//!< global configuration for all clients
 
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	char const	*allow_vulnerable_openssl;	//!< The CVE number of the last security issue acknowledged.
@@ -194,9 +199,8 @@ typedef struct main_config {
 typedef enum {
 	REQUEST_ACTIVE = 1,
 	REQUEST_STOP_PROCESSING,
-	REQUEST_COUNTED
 } rad_master_state_t;
-#define REQUEST_MASTER_NUM_STATES (REQUEST_COUNTED + 1)
+#define REQUEST_MASTER_NUM_STATES (REQUEST_STOP_PROCESSING + 1)
 
 typedef enum {
 	REQUEST_QUEUED = 1,
@@ -320,6 +324,7 @@ struct rad_request {
 #define RAD_REQUEST_OPTION_COA		(1 << 0)
 #define RAD_REQUEST_OPTION_CTX 		(1 << 1)
 #define RAD_REQUEST_OPTION_CANCELLED	(1 << 2)
+#define RAD_REQUEST_OPTION_STATS	(1 << 3)
 
 #define SECONDS_PER_DAY		86400
 #define MAX_REQUEST_TIME	30
@@ -565,6 +570,8 @@ int main_config_free(void);
 void main_config_hup(void);
 void hup_logfile(void);
 
+int	fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);
+
 /* listen.c */
 void listen_free(rad_listen_t **head);
 int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
diff --git a/src/include/realms.h b/src/include/realms.h
index 23806f4..cc5d4c1 100644
--- a/src/include/realms.h
+++ b/src/include/realms.h
@@ -58,6 +58,8 @@ typedef struct fr_socket_limit_t {
 	uint32_t	num_requests;
 	uint32_t	lifetime;
 	uint32_t	idle_timeout;
+	uint32_t	read_timeout;
+	uint32_t	write_timeout;
 } fr_socket_limit_t;
 
 typedef struct home_server {
@@ -69,6 +71,8 @@ typedef struct home_server {
 	bool			dual;			//!< One of a pair of homeservers on consecutive ports.
 	bool			dynamic;		//!< is this a dynamically added home server?
 	bool			nonblock;		//!< Enable a socket non-blocking to the home server.
+	fr_bool_auto_t	       	require_ma;		//!< for all replies to Access-Request and Status-Server
+
 #ifdef WITH_COA_TUNNEL
 	bool			recv_coa;		//!< receive CoA packets, too
 #endif
diff --git a/src/include/tls-h b/src/include/tls-h
index 4bf1665..506fb19 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -152,6 +152,9 @@ typedef struct _tls_session_t {
 							//!< If set to no then only the first fragment contains length.
 	int		peap_flag;
 
+	VALUE_PAIR	*outer_tlvs;			//!< only for TEAP, and only for the first fragment.
+	uint8_t		*outer_tlvs_octets;		//!< only for TEAP, needed for Crypto-Binding TLV
+
 	size_t		tls_record_in_total_len;	//!< How long the peer indicated the complete tls record
 							//!< would be.
 	size_t		tls_record_in_recvd_len;	//!< How much of the record we've received so far.
@@ -176,17 +179,19 @@ typedef struct _tls_session_t {
  *
  *      0 1 2 3 4 5 6 7 8
  *      +-+-+-+-+-+-+-+-+
- *      |L M S R R R R R|
+ *      |L M S O R R R R|
  *      +-+-+-+-+-+-+-+-+
  *
  *      L = Length included
  *      M = More fragments
  *      S = EAP-TLS start
+ *	O = outer TLV length included (4 octets, only for TEAP)
  *      R = Reserved
  */
 #define TLS_START(x) 		(((x) & 0x20) != 0)
 #define TLS_MORE_FRAGMENTS(x) 	(((x) & 0x40) != 0)
 #define TLS_LENGTH_INCLUDED(x) 	(((x) & 0x80) != 0)
+#define TLS_OUTER_TLV_INCLUDED(x) (((x) & 0x10) != 0)
 
 #define TLS_CHANGE_CIPHER_SPEC(x) 	(((x) & 0x0014) == 0x0014)
 #define TLS_ALERT(x) 			(((x) & 0x0015) == 0x0015)
@@ -195,6 +200,7 @@ typedef struct _tls_session_t {
 #define SET_START(x) 		((x) | (0x20))
 #define SET_MORE_FRAGMENTS(x) 	((x) | (0x40))
 #define SET_LENGTH_INCLUDED(x) 	((x) | (0x80))
+#define SET_OUTER_TLV_INCLUDED(x) ((x) | (0x10))
 
 /*
  *	Following enums from rfc2246
@@ -351,6 +357,8 @@ struct fr_tls_server_conf_t {
 	SSL_CTX		*ctx;
 	CONF_SECTION	*cs;
 
+	char const	*name;				//!< name of the thing doing TLS.
+
 	char const	*private_key_password;
 	char const	*private_key_file;
 	char const	*certificate_file;
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-26 10:41:53 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-08-26 10:41:53 +0000
commit	1526b335a5a81d945e64291e2fbcf92f72d15a4e (patch)
tree	64d3bc5d36df06664cc49d7c4d8710100e23b888 /src/include
parent	Releasing progress-linux version 3.2.3+dfsg-2~progress7.99u1. (diff)
download	freeradius-1526b335a5a81d945e64291e2fbcf92f72d15a4e.tar.xz freeradius-1526b335a5a81d945e64291e2fbcf92f72d15a4e.zip