summaryrefslogtreecommitdiffstats
path: root/src/main/modules.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 14:11:00 +0000
commitaf754e596a8dbb05ed8580c342e7fe02e08b28e0 (patch)
treeb2f334c2b55ede42081aa6710a72da784547d8ea /src/main/modules.c
parentInitial commit. (diff)
downloadfreeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.tar.xz
freeradius-af754e596a8dbb05ed8580c342e7fe02e08b28e0.zip
Adding upstream version 3.2.3+dfsg.upstream/3.2.3+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/main/modules.c')
-rw-r--r--src/main/modules.c2302
1 files changed, 2302 insertions, 0 deletions
diff --git a/src/main/modules.c b/src/main/modules.c
new file mode 100644
index 0000000..fd4334d
--- /dev/null
+++ b/src/main/modules.c
@@ -0,0 +1,2302 @@
+/*
+ * modules.c Radius module support.
+ *
+ * Version: $Id$
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Copyright 2003,2006 The FreeRADIUS server project
+ * Copyright 2000 Alan DeKok <aland@ox.org>
+ * Copyright 2000 Alan Curry <pacman@world.std.com>
+ */
+
+RCSID("$Id$")
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modpriv.h>
+#include <freeradius-devel/modcall.h>
+#include <freeradius-devel/parser.h>
+#include <freeradius-devel/rad_assert.h>
+
+/** Path to search for modules in
+ *
+ */
+char const *radlib_dir = NULL;
+
+typedef struct indexed_modcallable {
+ rlm_components_t comp;
+ int idx;
+ modcallable *modulelist;
+} indexed_modcallable;
+
+typedef struct virtual_server_t {
+ char const *name;
+ time_t created;
+ int can_free;
+ CONF_SECTION *cs;
+ rbtree_t *components;
+ modcallable *mc[MOD_COUNT];
+ CONF_SECTION *subcs[MOD_COUNT];
+ struct virtual_server_t *next;
+} virtual_server_t;
+
+/*
+ * Keep a hash of virtual servers, so that we can reload them.
+ */
+#define VIRTUAL_SERVER_HASH_SIZE (256)
+static virtual_server_t *virtual_servers[VIRTUAL_SERVER_HASH_SIZE];
+
+static rbtree_t *module_tree = NULL;
+
+static rbtree_t *instance_tree = NULL;
+
+struct fr_module_hup_t {
+ module_instance_t *mi;
+ time_t when;
+ void *insthandle;
+ fr_module_hup_t *next;
+};
+
+/*
+ * Ordered by component
+ */
+const section_type_value_t section_type_value[MOD_COUNT] = {
+ { "authenticate", "Auth-Type", PW_AUTH_TYPE },
+ { "authorize", "Autz-Type", PW_AUTZ_TYPE },
+ { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
+ { "accounting", "Acct-Type", PW_ACCT_TYPE },
+ { "session", "Session-Type", PW_SESSION_TYPE },
+ { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
+ { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
+ { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE }
+#ifdef WITH_COA
+ ,
+ { "recv-coa", "Recv-CoA-Type", PW_RECV_COA_TYPE },
+ { "send-coa", "Send-CoA-Type", PW_SEND_COA_TYPE }
+#endif
+};
+
+#ifndef RTLD_NOW
+#define RTLD_NOW (0)
+#endif
+#ifndef RTLD_LOCAL
+#define RTLD_LOCAL (0)
+#endif
+
+/** Check if the magic number in the module matches the one in the library
+ *
+ * This is used to detect potential ABI issues caused by running with modules which
+ * were built for a different version of the server.
+ *
+ * @param cs being parsed.
+ * @param module being loaded.
+ * @returns 0 on success, -1 if prefix mismatch, -2 if version mismatch, -3 if commit mismatch.
+ */
+static int check_module_magic(CONF_SECTION *cs, module_t const *module)
+{
+#ifdef HAVE_DLADDR
+ Dl_info dl_info;
+ dladdr(module, &dl_info);
+#endif
+
+ if (MAGIC_PREFIX(module->magic) != MAGIC_PREFIX(RADIUSD_MAGIC_NUMBER)) {
+#ifdef HAVE_DLADDR
+ cf_log_err_cs(cs, "Failed loading module rlm_%s from file %s", module->name, dl_info.dli_fname);
+#endif
+ cf_log_err_cs(cs, "Application and rlm_%s magic number (prefix) mismatch."
+ " application: %x module: %x", module->name,
+ MAGIC_PREFIX(RADIUSD_MAGIC_NUMBER),
+ MAGIC_PREFIX(module->magic));
+ return -1;
+ }
+
+ if (MAGIC_VERSION(module->magic) != MAGIC_VERSION(RADIUSD_MAGIC_NUMBER)) {
+#ifdef HAVE_DLADDR
+ cf_log_err_cs(cs, "Failed loading module rlm_%s from file %s", module->name, dl_info.dli_fname);
+#endif
+ cf_log_err_cs(cs, "Application and rlm_%s magic number (version) mismatch."
+ " application: %lx module: %lx", module->name,
+ (unsigned long) MAGIC_VERSION(RADIUSD_MAGIC_NUMBER),
+ (unsigned long) MAGIC_VERSION(module->magic));
+ return -2;
+ }
+
+ if (MAGIC_COMMIT(module->magic) != MAGIC_COMMIT(RADIUSD_MAGIC_NUMBER)) {
+#ifdef HAVE_DLADDR
+ cf_log_err_cs(cs, "Failed loading module rlm_%s from file %s", module->name, dl_info.dli_fname);
+#endif
+ cf_log_err_cs(cs, "Application and rlm_%s magic number (commit) mismatch."
+ " application: %lx module: %lx", module->name,
+ (unsigned long) MAGIC_COMMIT(RADIUSD_MAGIC_NUMBER),
+ (unsigned long) MAGIC_COMMIT(module->magic));
+ return -3;
+ }
+
+ return 0;
+}
+
+fr_dlhandle fr_dlopenext(char const *name)
+{
+ int flags = RTLD_NOW;
+ void *handle;
+ char buffer[2048];
+ char *env;
+ char const *search_path;
+#ifdef RTLD_GLOBAL
+ if (strcmp(name, "rlm_perl") == 0) {
+ flags |= RTLD_GLOBAL;
+ } else
+#endif
+ flags |= RTLD_LOCAL;
+#if defined(RTLD_DEEPBIND) && !defined(__SANITIZE_ADDRESS__)
+ flags |= RTLD_DEEPBIND;
+#endif
+
+#ifndef NDEBUG
+ /*
+ * Bind all the symbols *NOW* so we don't hit errors later
+ */
+ flags |= RTLD_NOW;
+#endif
+
+ /*
+ * Apple removed support for DYLD_LIBRARY_PATH in rootless mode.
+ */
+ env = getenv("FR_LIBRARY_PATH");
+ if (env) {
+ DEBUG3("Ignoring libdir as FR_LIBRARY_PATH set. Module search path will be: %s", env);
+ search_path = env;
+ } else {
+ search_path = radlib_dir;
+ }
+
+ /*
+ * Prefer loading our libraries by absolute path.
+ */
+ if (search_path) {
+ char *error;
+ char *ctx, *paths, *path;
+ char *p;
+
+ fr_strerror();
+
+ ctx = paths = talloc_strdup(NULL, search_path);
+ while ((path = strsep(&paths, ":")) != NULL) {
+ /*
+ * Trim the trailing slash
+ */
+ p = strrchr(path, '/');
+ if (p && ((p[1] == '\0') || (p[1] == ':'))) *p = '\0';
+
+ path = talloc_asprintf(ctx, "%s/%s%s", path, name, LT_SHREXT);
+
+ DEBUG4("Loading %s with path: %s", name, path);
+
+ handle = dlopen(path, flags);
+ if (handle) {
+ talloc_free(ctx);
+ return handle;
+ }
+ error = dlerror();
+
+ fr_strerror_printf("%s%s\n", fr_strerror(), error);
+ DEBUG4("Loading %s failed: %s - %s", name, error,
+ (access(path, R_OK) < 0) ? fr_syserror(errno) : "No access errors");
+ talloc_free(path);
+ }
+ talloc_free(ctx);
+ }
+
+ DEBUG4("Loading library using linker search path(s)");
+ if (DEBUG_ENABLED4) {
+#ifdef __APPLE__
+ env = getenv("LD_LIBRARY_PATH");
+ if (env) {
+ DEBUG4("LD_LIBRARY_PATH : %s", env);
+ }
+ env = getenv("DYLD_LIBRARY_PATH");
+ if (env) {
+ DEBUG4("DYLB_LIBRARY_PATH : %s", env);
+ }
+ env = getenv("DYLD_FALLBACK_LIBRARY_PATH");
+ if (env) {
+ DEBUG4("DYLD_FALLBACK_LIBRARY_PATH : %s", env);
+ }
+ env = getcwd(buffer, sizeof(buffer));
+ if (env) {
+ DEBUG4("Current directory : %s", env);
+ }
+#else
+ env = getenv("LD_LIBRARY_PATH");
+ if (env) {
+ DEBUG4("LD_LIBRARY_PATH : %s", env);
+ }
+ DEBUG4("Defaults : /lib:/usr/lib");
+#endif
+ }
+
+ strlcpy(buffer, name, sizeof(buffer));
+ /*
+ * FIXME: Make this configurable...
+ */
+ strlcat(buffer, LT_SHREXT, sizeof(buffer));
+
+ handle = dlopen(buffer, flags);
+ if (!handle) {
+ char *error = dlerror();
+
+ DEBUG4("Failed with error: %s", error);
+ /*
+ * Don't overwrite the previous message
+ * It's likely to contain a better error.
+ */
+ if (!radlib_dir) fr_strerror_printf("%s", dlerror());
+ return NULL;
+ }
+ return handle;
+}
+
+void *fr_dlsym(fr_dlhandle handle, char const *symbol)
+{
+ return dlsym(handle, symbol);
+}
+
+int fr_dlclose(fr_dlhandle handle)
+{
+ if (!handle) return 0;
+
+ return dlclose(handle);
+}
+
+char const *fr_dlerror(void)
+{
+ return dlerror();
+}
+
+static int virtual_server_idx(char const *name)
+{
+ uint32_t hash;
+
+ if (!name) return 0;
+
+ hash = fr_hash_string(name);
+
+ return hash & (VIRTUAL_SERVER_HASH_SIZE - 1);
+}
+
+static virtual_server_t *virtual_server_find(char const *name)
+{
+ rlm_rcode_t rcode;
+ virtual_server_t *server;
+
+ rcode = virtual_server_idx(name);
+ for (server = virtual_servers[rcode];
+ server != NULL;
+ server = server->next) {
+ if (!name && !server->name) break;
+
+ if ((name && server->name) &&
+ (strcmp(name, server->name) == 0)) break;
+ }
+
+ return server;
+}
+
+static int _virtual_server_free(virtual_server_t *server)
+{
+ if (server->components) rbtree_free(server->components);
+ return 0;
+}
+
+void virtual_servers_free(time_t when)
+{
+ int i;
+ virtual_server_t **last;
+
+ for (i = 0; i < VIRTUAL_SERVER_HASH_SIZE; i++) {
+ virtual_server_t *server, *next;
+
+ last = &virtual_servers[i];
+ for (server = virtual_servers[i];
+ server != NULL;
+ server = next) {
+ next = server->next;
+
+ /*
+ * If we delete it, fix the links so that
+ * we don't orphan anything. Also,
+ * delete it if it's old, AND a newer one
+ * was defined.
+ *
+ * Otherwise, the last pointer gets set to
+ * the one we didn't delete.
+ */
+ if ((when == 0) ||
+ ((server->created < when) && server->can_free)) {
+ *last = server->next;
+ talloc_free(server);
+ } else {
+ last = &(server->next);
+ }
+ }
+ }
+}
+
+static int indexed_modcallable_cmp(void const *one, void const *two)
+{
+ indexed_modcallable const *a = one;
+ indexed_modcallable const *b = two;
+
+ if (a->comp < b->comp) return -1;
+ if (a->comp > b->comp) return +1;
+
+ return a->idx - b->idx;
+}
+
+
+/*
+ * Compare two module entries
+ */
+static int module_instance_cmp(void const *one, void const *two)
+{
+ module_instance_t const *a = one;
+ module_instance_t const *b = two;
+
+ return strcmp(a->name, b->name);
+}
+
+
+static void module_instance_free_old(UNUSED CONF_SECTION *cs, module_instance_t *node, time_t when)
+{
+ fr_module_hup_t *mh, **last;
+
+ /*
+ * Walk the list, freeing up old instances.
+ */
+ last = &(node->mh);
+ while (*last) {
+ mh = *last;
+
+ /*
+ * Free only every 60 seconds.
+ */
+ if ((when - mh->when) < 60) {
+ last = &(mh->next);
+ continue;
+ }
+
+ talloc_free(mh->insthandle);
+
+ *last = mh->next;
+ talloc_free(mh);
+ }
+}
+
+
+/*
+ * Free a module instance.
+ */
+static void module_instance_free(void *data)
+{
+ module_instance_t *module = talloc_get_type_abort(data, module_instance_t);
+
+ module_instance_free_old(module->cs, module, time(NULL) + 100);
+
+#ifdef HAVE_PTHREAD_H
+ if (module->mutex) {
+ /*
+ * FIXME
+ * The mutex MIGHT be locked...
+ * we'll check for that later, I guess.
+ */
+ pthread_mutex_destroy(module->mutex);
+ talloc_free(module->mutex);
+ }
+#endif
+
+ xlat_unregister(module->name, NULL, module->insthandle);
+
+ /*
+ * Remove all xlat's registered to module instance.
+ */
+ if (module->insthandle) {
+ /*
+ * Remove any registered paircompares.
+ */
+ paircompare_unregister_instance(module->insthandle);
+
+ xlat_unregister_module(module->insthandle);
+ }
+ talloc_free(module);
+}
+
+
+/*
+ * Compare two module entries
+ */
+static int module_entry_cmp(void const *one, void const *two)
+{
+ module_entry_t const *a = one;
+ module_entry_t const *b = two;
+
+ return strcmp(a->name, b->name);
+}
+
+/*
+ * Free a module entry.
+ */
+static int _module_entry_free(module_entry_t *this)
+{
+#ifndef NDEBUG
+ /*
+ * Don't dlclose() modules if we're doing memory
+ * debugging. This removes the symbols needed by
+ * valgrind.
+ */
+ if (!main_config.debug_memory)
+#endif
+ dlclose(this->handle); /* ignore any errors */
+ return 0;
+}
+
+
+/*
+ * Remove the module lists.
+ */
+int modules_free(void)
+{
+ rbtree_free(instance_tree);
+ rbtree_free(module_tree);
+
+ return 0;
+}
+
+
+/*
+ * dlopen() a module.
+ */
+static module_entry_t *module_dlopen(CONF_SECTION *cs, char const *module_name)
+{
+ module_entry_t myentry;
+ module_entry_t *node;
+ void *handle = NULL;
+ module_t const *module;
+
+ strlcpy(myentry.name, module_name, sizeof(myentry.name));
+ node = rbtree_finddata(module_tree, &myentry);
+ if (node) return node;
+
+ /*
+ * Link to the module's rlm_FOO{} structure, the same as
+ * the module name.
+ */
+
+#if !defined(WITH_LIBLTDL) && defined(HAVE_DLFCN_H) && defined(RTLD_SELF)
+ module = dlsym(RTLD_SELF, module_name);
+ if (module) goto open_self;
+#endif
+
+ /*
+ * Keep the handle around so we can dlclose() it.
+ */
+ handle = fr_dlopenext(module_name);
+ if (!handle) {
+ cf_log_err_cs(cs, "Failed to link to module '%s': %s", module_name, fr_strerror());
+ return NULL;
+ }
+
+ DEBUG3("Loaded %s, checking if it's valid", module_name);
+
+ module = dlsym(handle, module_name);
+ if (!module) {
+ cf_log_err_cs(cs, "Failed linking to %s structure: %s", module_name, dlerror());
+ dlclose(handle);
+ return NULL;
+ }
+
+#if !defined(WITH_LIBLTDL) && defined (HAVE_DLFCN_H) && defined(RTLD_SELF)
+ open_self:
+#endif
+ /*
+ * Before doing anything else, check if it's sane.
+ */
+ if (check_module_magic(cs, module) < 0) {
+ dlclose(handle);
+ return NULL;
+ }
+
+ /* make room for the module type */
+ node = talloc_zero(cs, module_entry_t);
+ talloc_set_destructor(node, _module_entry_free);
+ strlcpy(node->name, module_name, sizeof(node->name));
+ node->module = module;
+ node->handle = handle;
+
+ cf_log_module(cs, "Loaded module %s", module_name);
+
+ /*
+ * Add the module as "rlm_foo-version" to the configuration
+ * section.
+ */
+ if (!rbtree_insert(module_tree, node)) {
+ ERROR("Failed to cache module %s", module_name);
+ dlclose(handle);
+ talloc_free(node);
+ return NULL;
+ }
+
+ return node;
+}
+
+/** Parse module's configuration section and setup destructors
+ *
+ */
+static int module_conf_parse(module_instance_t *node, void **handle)
+{
+ *handle = NULL;
+
+ /*
+ * If there is supposed to be instance data, allocate it now.
+ * Also parse the configuration data, if required.
+ */
+ if (node->entry->module->inst_size) {
+ *handle = talloc_zero_array(node, uint8_t, node->entry->module->inst_size);
+ rad_assert(*handle);
+
+ talloc_set_name(*handle, "rlm_%s_t",
+ node->entry->module->name ? node->entry->module->name : "config");
+
+ if (node->entry->module->config &&
+ (cf_section_parse(node->cs, *handle, node->entry->module->config) < 0)) {
+ cf_log_err_cs(node->cs,"Invalid configuration for module \"%s\"", node->name);
+ talloc_free(*handle);
+
+ return -1;
+ }
+
+ /*
+ * Set the destructor.
+ */
+ if (node->entry->module->detach) {
+ talloc_set_destructor(*handle, node->entry->module->detach);
+ }
+ }
+
+ return 0;
+}
+
+/** Bootstrap a module.
+ *
+ * Load the module shared library, allocate instance memory for it,
+ * parse the module configuration, and call the modules "bootstrap" method.
+ */
+static module_instance_t *module_bootstrap(CONF_SECTION *cs)
+{
+ char const *name1, *name2, *askedname;
+ module_instance_t *node, myNode;
+ char module_name[256];
+
+ /*
+ * Figure out which module we want to load.
+ */
+ name1 = cf_section_name1(cs);
+ askedname = name2 = cf_section_name2(cs);
+ if (!askedname) {
+ askedname = name1;
+ name2 = "";
+ }
+
+ strlcpy(myNode.name, askedname, sizeof(myNode.name));
+
+ /*
+ * See if the module already exists.
+ */
+ node = rbtree_finddata(instance_tree, &myNode);
+ if (node) {
+ ERROR("Duplicate module \"%s %s { ... }\", in file %s:%d and file %s:%d",
+ name1, name2,
+ cf_section_filename(cs),
+ cf_section_lineno(cs),
+ cf_section_filename(node->cs),
+ cf_section_lineno(node->cs));
+ return NULL;
+ }
+
+ /*
+ * Hang the node struct off of the configuration
+ * section. If the CS is free'd the instance will be
+ * free'd, too.
+ */
+ node = talloc_zero(instance_tree, module_instance_t);
+ node->cs = cs;
+ strlcpy(node->name, askedname, sizeof(node->name));
+
+ /*
+ * Names in the "modules" section aren't prefixed
+ * with "rlm_", so we add it here.
+ */
+ snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
+
+ /*
+ * Load the module shared library.
+ */
+ node->entry = module_dlopen(cs, module_name);
+ if (!node->entry) {
+ talloc_free(node);
+ return NULL;
+ }
+
+ cf_log_module(cs, "Loading module \"%s\" from file %s", node->name,
+ cf_section_filename(cs));
+
+ /*
+ * Parse the modules configuration.
+ */
+ if (module_conf_parse(node, &node->insthandle) < 0) {
+ talloc_free(node);
+ return NULL;
+ }
+
+ /*
+ * Bootstrap the module.
+ */
+ if (node->entry->module->bootstrap &&
+ ((node->entry->module->bootstrap)(cs, node->insthandle) < 0)) {
+ cf_log_err_cs(cs, "Instantiation failed for module \"%s\"", node->name);
+ talloc_free(node);
+ return NULL;
+ }
+
+ /*
+ * Remember the module for later.
+ */
+ rbtree_insert(instance_tree, node);
+
+ return node;
+}
+
+
+/** Find an existing module instance.
+ *
+ */
+module_instance_t *module_find(CONF_SECTION *modules, char const *askedname)
+{
+ char const *instname;
+ module_instance_t myNode;
+
+ if (!modules) return NULL;
+
+ /*
+ * Look for the real name. Ignore the first character,
+ * which tells the server "it's OK for this module to not
+ * exist."
+ */
+ instname = askedname;
+ if (instname[0] == '-') instname++;
+
+ strlcpy(myNode.name, instname, sizeof(myNode.name));
+
+ return rbtree_finddata(instance_tree, &myNode);
+}
+
+
+/** Load a module, and instantiate it.
+ *
+ */
+module_instance_t *module_instantiate(CONF_SECTION *modules, char const *askedname)
+{
+ module_instance_t *node;
+
+ /*
+ * Find the module. If it's not there, do nothing.
+ */
+ node = module_find(modules, askedname);
+ if (!node) {
+ ERROR("Cannot find module \"%s\"", askedname);
+ return NULL;
+ }
+
+ /*
+ * The module is already instantiated. Return it.
+ */
+ if (node->instantiated) return node;
+
+ /*
+ * Now that ALL modules are instantiated, and ALL xlats
+ * are defined, go compile the config items marked as XLAT.
+ */
+ if (node->entry->module->config &&
+ (cf_section_parse_pass2(node->cs, node->insthandle,
+ node->entry->module->config) < 0)) {
+ return NULL;
+ }
+
+ /*
+ * Call the instantiate method, if any.
+ */
+ if (node->entry->module->instantiate) {
+ cf_log_module(node->cs, "Instantiating module \"%s\" from file %s", node->name,
+ cf_section_filename(node->cs));
+
+ /*
+ * Call the module's instantiation routine.
+ */
+ if ((node->entry->module->instantiate)(node->cs, node->insthandle) < 0) {
+ cf_log_err_cs(node->cs, "Instantiation failed for module \"%s\"", node->name);
+
+ return NULL;
+ }
+ }
+
+#ifdef HAVE_PTHREAD_H
+ /*
+ * If we're threaded, check if the module is thread-safe.
+ *
+ * If it isn't, we create a mutex.
+ */
+ if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
+ node->mutex = talloc_zero(node, pthread_mutex_t);
+
+ /*
+ * Initialize the mutex.
+ */
+ pthread_mutex_init(node->mutex, NULL);
+ }
+#endif
+
+ node->instantiated = true;
+ node->last_hup = time(NULL); /* don't let us load it, then immediately hup it */
+
+ return node;
+}
+
+
+module_instance_t *module_instantiate_method(CONF_SECTION *modules, char const *name, rlm_components_t *method)
+{
+ char *p;
+ rlm_components_t i;
+ module_instance_t *mi;
+
+ /*
+ * If the module exists, ensure it's instantiated.
+ *
+ * Doing it this way avoids complaints from
+ * module_instantiate()
+ */
+ mi = module_find(modules, name);
+ if (mi) return module_instantiate(modules, name);
+
+ /*
+ * Find out which method is being used.
+ */
+ p = strrchr(name, '.');
+ if (!p) return NULL;
+
+ p++;
+
+ /*
+ * Find the component.
+ */
+ for (i = MOD_AUTHENTICATE; i < MOD_COUNT; i++) {
+ if (strcmp(p, section_type_value[i].section) == 0) {
+ char buffer[256];
+
+ strlcpy(buffer, name, sizeof(buffer));
+ buffer[p - name - 1] = '\0';
+
+ mi = module_find(modules, buffer);
+ if (mi) {
+ if (method) *method = i;
+ return module_instantiate(modules, buffer);
+ }
+ }
+ }
+
+ /*
+ * Not found.
+ */
+ return NULL;
+}
+
+
+/** Resolve polymorphic item's from a module's CONF_SECTION to a subsection in another module
+ *
+ * This allows certain module sections to reference module sections in other instances
+ * of the same module and share CONF_DATA associated with them.
+ *
+ * @verbatim
+example {
+ data {
+ ...
+ }
+}
+
+example inst {
+ data = example
+}
+ * @endverbatim
+ *
+ * @param out where to write the pointer to a module's config section. May be NULL on success, indicating the config
+ * item was not found within the module CONF_SECTION, or the chain of module references was followed and the
+ * module at the end of the chain did not a subsection.
+ * @param module CONF_SECTION.
+ * @param name of the polymorphic sub-section.
+ * @return 0 on success with referenced section, 1 on success with local section, or -1 on failure.
+ */
+int find_module_sibling_section(CONF_SECTION **out, CONF_SECTION *module, char const *name)
+{
+ static bool loop = true; /* not used, we just need a valid pointer to quiet static analysis */
+
+ CONF_PAIR *cp;
+ CONF_SECTION *cs;
+
+ module_instance_t *inst;
+ char const *inst_name;
+
+#define FIND_SIBLING_CF_KEY "find_sibling"
+
+ *out = NULL;
+
+ /*
+ * Is a real section (not referencing sibling module).
+ */
+ cs = cf_section_sub_find(module, name);
+ if (cs) {
+ *out = cs;
+
+ return 0;
+ }
+
+ /*
+ * Item omitted completely from module config.
+ */
+ cp = cf_pair_find(module, name);
+ if (!cp) return 0;
+
+ if (cf_data_find(module, FIND_SIBLING_CF_KEY)) {
+ cf_log_err_cp(cp, "Module reference loop found");
+
+ return -1;
+ }
+ cf_data_add(module, FIND_SIBLING_CF_KEY, &loop, NULL);
+
+ /*
+ * Item found, resolve it to a module instance.
+ * This triggers module loading, so we don't have
+ * instantiation order issues.
+ */
+ inst_name = cf_pair_value(cp);
+ inst = module_instantiate(cf_item_parent(cf_section_to_item(module)), inst_name);
+
+ /*
+ * Remove the config data we added for loop
+ * detection.
+ */
+ cf_data_remove(module, FIND_SIBLING_CF_KEY);
+ if (!inst) {
+ cf_log_err_cp(cp, "Unknown module instance \"%s\"", inst_name);
+
+ return -1;
+ }
+
+ /*
+ * Check the module instances are of the same type.
+ */
+ if (strcmp(cf_section_name1(inst->cs), cf_section_name1(module)) != 0) {
+ cf_log_err_cp(cp, "Referenced module is a rlm_%s instance, must be a rlm_%s instance",
+ cf_section_name1(inst->cs), cf_section_name1(module));
+
+ return -1;
+ }
+
+ *out = cf_section_sub_find(inst->cs, name);
+
+ return 1;
+}
+
+static indexed_modcallable *lookup_by_index(rbtree_t *components,
+ rlm_components_t comp, int idx)
+{
+ indexed_modcallable myc;
+
+ myc.comp = comp;
+ myc.idx = idx;
+
+ return rbtree_finddata(components, &myc);
+}
+
+/*
+ * Create a new sublist.
+ */
+static indexed_modcallable *new_sublist(CONF_SECTION *cs,
+ rbtree_t *components, rlm_components_t comp, int idx)
+{
+ indexed_modcallable *c;
+
+ c = lookup_by_index(components, comp, idx);
+
+ /* It is an error to try to create a sublist that already
+ * exists. It would almost certainly be caused by accidental
+ * duplication in the config file.
+ *
+ * index 0 is the exception, because it is used when we want
+ * to collect _all_ listed modules under a single index by
+ * default, which is currently the case in all components
+ * except authenticate. */
+ if (c) {
+ if (idx == 0) {
+ return c;
+ }
+ return NULL;
+ }
+
+ c = talloc_zero(cs, indexed_modcallable);
+ c->modulelist = NULL;
+ c->comp = comp;
+ c->idx = idx;
+
+ if (!rbtree_insert(components, c)) {
+ talloc_free(c);
+ return NULL;
+ }
+
+ return c;
+}
+
+rlm_rcode_t indexed_modcall(rlm_components_t comp, int idx, REQUEST *request)
+{
+ rlm_rcode_t rcode;
+ modcallable *list = NULL;
+ virtual_server_t *server;
+
+ /*
+ * Hack to find the correct virtual server.
+ */
+ server = virtual_server_find(request->server);
+ if (!server) {
+ RDEBUG("No such virtual server \"%s\"", request->server);
+ return RLM_MODULE_FAIL;
+ }
+
+ if (idx == 0) {
+ list = server->mc[comp];
+ if (!list) {
+ if (server->name) {
+ RDEBUG3("Empty %s section in virtual server \"%s\". Using default return values.",
+ section_type_value[comp].section, server->name);
+ } else {
+ RDEBUG3("Empty %s section. Using default return values.", section_type_value[comp].section);
+ }
+ }
+ } else {
+ indexed_modcallable *this;
+
+ this = lookup_by_index(server->components, comp, idx);
+ if (this) {
+ list = this->modulelist;
+ } else {
+ RDEBUG2("%s sub-section not found. Ignoring.", section_type_value[comp].typename);
+ }
+ }
+
+ if (server->subcs[comp]) {
+ if (idx == 0) {
+ RDEBUG("# Executing section %s from file %s",
+ section_type_value[comp].section,
+ cf_section_filename(server->subcs[comp]));
+ } else {
+ RDEBUG("# Executing group from file %s",
+ cf_section_filename(server->subcs[comp]));
+ }
+ }
+ request->component = section_type_value[comp].section;
+ rcode = modcall(comp, list, request);
+ request->component = "<core>";
+
+ return rcode;
+}
+
+/*
+ * Load a sub-module list, as found inside an Auth-Type foo {}
+ * block
+ */
+static int load_subcomponent_section(CONF_SECTION *cs,
+ rbtree_t *components,
+ DICT_ATTR const *da, rlm_components_t comp)
+{
+ indexed_modcallable *subcomp;
+ modcallable *ml;
+ DICT_VALUE *dval;
+ char const *name2 = cf_section_name2(cs);
+
+ /*
+ * Sanity check.
+ */
+ if (!name2) {
+ return 1;
+ }
+
+ DEBUG("Compiling %s %s for attr %s", cf_section_name1(cs), name2, da->name);
+
+ /*
+ * Compile the group.
+ */
+ ml = compile_modgroup(NULL, comp, cs);
+ if (!ml) {
+ return 0;
+ }
+
+ /*
+ * We must assign a numeric index to this subcomponent.
+ * It is generated and placed in the dictionary
+ * automatically. If it isn't found, it's a serious
+ * error.
+ */
+ dval = dict_valbyname(da->attr, da->vendor, name2);
+ if (!dval) {
+ talloc_free(ml);
+ cf_log_err_cs(cs,
+ "The %s attribute has no VALUE defined for %s",
+ section_type_value[comp].typename, name2);
+ return 0;
+ }
+
+ subcomp = new_sublist(cs, components, comp, dval->value);
+ if (!subcomp) {
+ talloc_free(ml);
+ return 1;
+ }
+
+ /*
+ * Link it into the talloc hierarchy.
+ */
+ subcomp->modulelist = talloc_steal(subcomp, ml);
+ return 1; /* OK */
+}
+
+/*
+ * Don't complain too often.
+ */
+#define MAX_IGNORED (32)
+static int last_ignored = -1;
+static char const *ignored[MAX_IGNORED];
+
+static int load_component_section(CONF_SECTION *cs,
+ rbtree_t *components, rlm_components_t comp)
+{
+ modcallable *this;
+ CONF_ITEM *modref;
+ int idx;
+ indexed_modcallable *subcomp;
+ char const *modname;
+ DICT_ATTR const *da;
+
+ /*
+ * Find the attribute used to store VALUEs for this section.
+ */
+ da = dict_attrbyvalue(section_type_value[comp].attr, 0);
+ if (!da) {
+ cf_log_err_cs(cs,
+ "No such attribute %s",
+ section_type_value[comp].typename);
+ return -1;
+ }
+
+ /*
+ * Loop over the entries in the named section, loading
+ * the sections this time.
+ */
+ for (modref = cf_item_find_next(cs, NULL);
+ modref != NULL;
+ modref = cf_item_find_next(cs, modref)) {
+ char const *name1;
+ CONF_PAIR *cp = NULL;
+ CONF_SECTION *scs = NULL;
+
+ if (cf_item_is_section(modref)) {
+ scs = cf_item_to_section(modref);
+
+ name1 = cf_section_name1(scs);
+
+ if (strcmp(name1,
+ section_type_value[comp].typename) == 0) {
+ if (!load_subcomponent_section(scs,
+ components,
+ da,
+ comp)) {
+
+ return -1; /* FIXME: memleak? */
+ }
+ continue;
+ }
+
+ cp = NULL;
+
+ } else if (cf_item_is_pair(modref)) {
+ cp = cf_item_to_pair(modref);
+
+ } else {
+ continue; /* ignore it */
+ }
+
+ /*
+ * Look for Auth-Type foo {}, which are special
+ * cases of named sections, and allowable ONLY
+ * at the top-level.
+ *
+ * i.e. They're not allowed in a "group" or "redundant"
+ * subsection.
+ */
+ if (comp == MOD_AUTHENTICATE) {
+ DICT_VALUE *dval;
+ char const *modrefname = NULL;
+
+ if (cp) {
+ modrefname = cf_pair_attr(cp);
+ } else {
+ modrefname = cf_section_name2(scs);
+ if (!modrefname) {
+ cf_log_err_cs(cs,
+ "Errors parsing %s sub-section.\n",
+ cf_section_name1(scs));
+ return -1;
+ }
+ }
+ if (*modrefname == '-') modrefname++;
+
+ dval = dict_valbyname(PW_AUTH_TYPE, 0, modrefname);
+ if (!dval) {
+ /*
+ * It's a section, but nothing we
+ * recognize. Die!
+ */
+ cf_log_err_cs(cs,
+ "Unknown Auth-Type \"%s\" in %s sub-section.",
+ modrefname, section_type_value[comp].section);
+ return -1;
+ }
+ idx = dval->value;
+ } else {
+ /* See the comment in new_sublist() for explanation
+ * of the special index 0 */
+ idx = 0;
+ }
+
+ subcomp = new_sublist(cs, components, comp, idx);
+ if (!subcomp) continue;
+
+ /*
+ * Try to compile one entry.
+ */
+ this = compile_modsingle(subcomp, &subcomp->modulelist, comp, modref, &modname);
+
+ /*
+ * It's OK for the module to not exist.
+ */
+ if (!this && modname && (modname[0] == '-')) {
+ int i;
+
+ if (last_ignored < 0) {
+ save_complain:
+ last_ignored++;
+ ignored[last_ignored] = modname;
+
+ complain:
+ WARN("Ignoring \"%s\" (see raddb/mods-available/README.rst)", modname + 1);
+ continue;
+ }
+
+ if (last_ignored >= MAX_IGNORED) goto complain;
+
+ for (i = 0; i <= last_ignored; i++) {
+ if (strcmp(ignored[i], modname) == 0) {
+ break;
+ }
+ }
+
+ if (i > last_ignored) goto save_complain;
+ continue;
+ }
+
+ if (!this) {
+ cf_log_err_cs(cs,
+ "Errors parsing %s section.\n",
+ cf_section_name1(cs));
+ return -1;
+ }
+
+ if (rad_debug_lvl > 2) modcall_debug(this, 2);
+
+ add_to_modcallable(subcomp->modulelist, this);
+ }
+
+
+ return 0;
+}
+
+static int load_byserver(CONF_SECTION *cs)
+{
+ rlm_components_t comp;
+ bool found;
+ char const *name = cf_section_name2(cs);
+ rbtree_t *components;
+ virtual_server_t *server = NULL;
+ indexed_modcallable *c;
+ bool is_bare;
+
+ if (name) {
+ cf_log_info(cs, "server %s { # from file %s",
+ name, cf_section_filename(cs));
+ } else {
+ cf_log_info(cs, "server { # from file %s",
+ cf_section_filename(cs));
+ }
+
+ is_bare = (cf_item_parent(cf_section_to_item(cs)) == NULL);
+
+ server = talloc_zero(cs, virtual_server_t);
+ server->name = name;
+ server->created = time(NULL);
+ server->cs = cs;
+ server->components = components = rbtree_create(server, indexed_modcallable_cmp, NULL, 0);
+ if (!components) {
+ ERROR("Failed to initialize components");
+
+ error:
+ if (rad_debug_lvl == 0) {
+ ERROR("Failed to load virtual server %s",
+ (name != NULL) ? name : "<default>");
+ }
+ return -1;
+ }
+ talloc_set_destructor(server, _virtual_server_free);
+
+ /*
+ * Loop over all of the known components, finding their
+ * configuration section, and loading it.
+ */
+ found = false;
+ for (comp = 0; comp < MOD_COUNT; ++comp) {
+ CONF_SECTION *subcs;
+
+ subcs = cf_section_sub_find(cs,
+ section_type_value[comp].section);
+ if (!subcs) continue;
+
+ if (is_bare) {
+ cf_log_err_cs(subcs, "The %s section should be inside of a 'server { ... }' block!",
+ section_type_value[comp].section);
+ }
+
+ if (cf_item_find_next(subcs, NULL) == NULL) continue;
+
+ /*
+ * Skip pre/post-proxy sections if we're not
+ * proxying.
+ */
+ if (
+#ifdef WITH_PROXY
+ !main_config.proxy_requests &&
+#endif
+ ((comp == MOD_PRE_PROXY) ||
+ (comp == MOD_POST_PROXY))) {
+ continue;
+ }
+
+#ifndef WITH_ACCOUNTING
+ if (comp == MOD_ACCOUNTING) continue;
+#endif
+
+#ifndef WITH_SESSION_MGMT
+ if (comp == MOD_SESSION) continue;
+#endif
+
+ if (rad_debug_lvl <= 3) {
+ cf_log_module(cs, "Loading %s {...}",
+ section_type_value[comp].section);
+ } else {
+ DEBUG(" %s {", section_type_value[comp].section);
+ }
+
+ if (load_component_section(subcs, components, comp) < 0) {
+ goto error;
+ }
+
+ if (rad_debug_lvl > 3) {
+ DEBUG(" } # %s", section_type_value[comp].section);
+ }
+
+ /*
+ * Cache a default, if it exists. Some people
+ * put empty sections for some reason...
+ */
+ c = lookup_by_index(components, comp, 0);
+ if (c) server->mc[comp] = c->modulelist;
+
+ server->subcs[comp] = subcs;
+
+ found = true;
+ } /* loop over components */
+
+ /*
+ * We haven't loaded any of the normal sections. Maybe we're
+ * supposed to load the vmps section.
+ *
+ * This is a bit of a hack...
+ */
+ if (!found) do {
+#if defined(WITH_VMPS) || defined(WITH_DHCP) || defined(WITH_TLS)
+ CONF_SECTION *subcs;
+#endif
+#if defined(WITH_DHCP) || defined(WITH_TLS)
+ DICT_ATTR const *da;
+#endif
+
+#ifdef WITH_VMPS
+ subcs = cf_section_sub_find(cs, "vmps");
+ if (subcs) {
+ cf_log_module(cs, "Loading vmps {...}");
+ if (load_component_section(subcs, components,
+ MOD_POST_AUTH) < 0) {
+ goto error;
+ }
+ c = lookup_by_index(components,
+ MOD_POST_AUTH, 0);
+ if (c) server->mc[MOD_POST_AUTH] = c->modulelist;
+ break;
+ }
+#endif
+
+#ifdef WITH_TLS
+ /*
+ * It's OK to not have TLS cache sections.
+ */
+ da = dict_attrbyname("TLS-Cache-Method");
+ subcs = cf_section_sub_find_name2(cs, "cache", "load");
+ if (subcs && !load_subcomponent_section(subcs,
+ components,
+ da,
+ MOD_POST_AUTH)) {
+ goto error; /* FIXME: memleak? */
+ }
+
+ subcs = cf_section_sub_find_name2(cs, "cache", "save");
+ if (subcs && !load_subcomponent_section(subcs,
+ components,
+ da,
+ MOD_POST_AUTH)) {
+ goto error; /* FIXME: memleak? */
+ }
+
+ subcs = cf_section_sub_find_name2(cs, "cache", "clear");
+ if (subcs && !load_subcomponent_section(subcs,
+ components,
+ da,
+ MOD_POST_AUTH)) {
+ goto error; /* FIXME: memleak? */
+ }
+
+ subcs = cf_section_sub_find_name2(cs, "cache", "refresh");
+ if (subcs && !load_subcomponent_section(subcs,
+ components,
+ da,
+ MOD_POST_AUTH)) {
+ goto error; /* FIXME: memleak? */
+ }
+#endif
+
+#ifdef WITH_DHCP
+ /*
+ * It's OK to not have DHCP.
+ */
+ subcs = cf_subsection_find_next(cs, NULL, "dhcp");
+ if (!subcs) break;
+
+ da = dict_attrbyname("DHCP-Message-Type");
+
+ /*
+ * Handle each DHCP Message type separately.
+ */
+ while (subcs) {
+ char const *name2 = cf_section_name2(subcs);
+
+ if (name2) {
+ cf_log_module(cs, "Loading dhcp %s {...}", name2);
+ } else {
+ cf_log_module(cs, "Loading dhcp {...}");
+ }
+ if (!load_subcomponent_section(subcs,
+ components,
+ da,
+ MOD_POST_AUTH)) {
+ goto error; /* FIXME: memleak? */
+ }
+ c = lookup_by_index(components,
+ MOD_POST_AUTH, 0);
+ if (c) server->mc[MOD_POST_AUTH] = c->modulelist;
+
+ subcs = cf_subsection_find_next(cs, subcs, "dhcp");
+ }
+#endif
+
+
+ } while (0);
+
+ if (name) {
+ cf_log_info(cs, "} # server %s", name);
+ } else {
+ cf_log_info(cs, "} # server");
+ }
+
+ if (rad_debug_lvl == 0) {
+ INFO("Loaded virtual server %s",
+ (name != NULL) ? name : "<default>");
+ }
+
+ /*
+ * Now that it is OK, insert it into the list.
+ *
+ * This is thread-safe...
+ */
+ comp = virtual_server_idx(name);
+ server->next = virtual_servers[comp];
+ virtual_servers[comp] = server;
+
+ /*
+ * Mark OLDER ones of the same name as being unused.
+ */
+ server = server->next;
+ while (server) {
+ if ((!name && !server->name) ||
+ (name && server->name &&
+ (strcmp(server->name, name) == 0))) {
+ server->can_free = true;
+ break;
+ }
+ server = server->next;
+ }
+
+ return 0;
+}
+
+
+static int pass2_cb(UNUSED void *ctx, void *data)
+{
+ indexed_modcallable *this = data;
+
+ if (!modcall_pass2(this->modulelist)) return -1;
+
+ return 0;
+}
+
+
+/*
+ * Load all of the virtual servers.
+ */
+int virtual_servers_load(CONF_SECTION *config)
+{
+ CONF_SECTION *cs;
+ virtual_server_t *server;
+ static bool first_time = true;
+
+ DEBUG2("%s: #### Loading Virtual Servers ####", main_config.name);
+
+ /*
+ * If we have "server { ...}", then there SHOULD NOT be
+ * bare "authorize", etc. sections. if there is no such
+ * server, then try to load the old-style sections first.
+ *
+ * In either case, load the "default" virtual server first.
+ * this matches better with users expectations.
+ */
+ cs = cf_section_find_name2(cf_subsection_find_next(config, NULL,
+ "server"),
+ "server", NULL);
+ if (cs) {
+ if (load_byserver(cs) < 0) {
+ return -1;
+ }
+ } else {
+ if (load_byserver(config) < 0) {
+ return -1;
+ }
+ }
+
+ /*
+ * Load all of the virtual servers.
+ */
+ for (cs = cf_subsection_find_next(config, NULL, "server");
+ cs != NULL;
+ cs = cf_subsection_find_next(config, cs, "server")) {
+ char const *name2;
+
+ name2 = cf_section_name2(cs);
+ if (!name2) continue; /* handled above */
+
+ server = virtual_server_find(name2);
+ if (server &&
+ (cf_top_section(server->cs) == config)) {
+ ERROR("Duplicate virtual server \"%s\" in file %s:%d and file %s:%d",
+ server->name,
+ cf_section_filename(server->cs),
+ cf_section_lineno(server->cs),
+ cf_section_filename(cs),
+ cf_section_lineno(cs));
+ return -1;
+ }
+
+ if (load_byserver(cs) < 0) {
+ /*
+ * Once we successfully started once,
+ * continue loading the OTHER servers,
+ * even if one fails.
+ */
+ if (!first_time) continue;
+ return -1;
+ }
+ }
+
+ /*
+ * Try to compile the "authorize", etc. sections which
+ * aren't in a virtual server.
+ */
+ server = virtual_server_find(NULL);
+ if (server) {
+ int i;
+
+ for (i = MOD_AUTHENTICATE; i < MOD_COUNT; i++) {
+ if (!modcall_pass2(server->mc[i])) return -1;
+ }
+
+ if (server->components &&
+ (rbtree_walk(server->components, RBTREE_IN_ORDER,
+ pass2_cb, NULL) != 0)) {
+ return -1;
+ }
+ }
+
+ /*
+ * Now that we've loaded everything, run pass 2 over the
+ * conditions and xlats.
+ */
+ for (cs = cf_subsection_find_next(config, NULL, "server");
+ cs != NULL;
+ cs = cf_subsection_find_next(config, cs, "server")) {
+ int i;
+ char const *name2;
+
+ name2 = cf_section_name2(cs);
+
+ server = virtual_server_find(name2);
+ if (!server) continue;
+
+ for (i = MOD_AUTHENTICATE; i < MOD_COUNT; i++) {
+ if (!modcall_pass2(server->mc[i])) return -1;
+ }
+
+ if (server->components &&
+ (rbtree_walk(server->components, RBTREE_IN_ORDER,
+ pass2_cb, NULL) != 0)) {
+ return -1;
+ }
+ }
+
+ /*
+ * If we succeed the first time around, remember that.
+ */
+ first_time = false;
+
+ return 0;
+}
+
+int module_hup_module(CONF_SECTION *cs, module_instance_t *node, time_t when)
+{
+ void *insthandle;
+ fr_module_hup_t *mh;
+
+ if (!node ||
+ node->entry->module->bootstrap ||
+ !node->entry->module->instantiate ||
+ ((node->entry->module->type & RLM_TYPE_HUP_SAFE) == 0)) {
+ return 1;
+ }
+
+ /*
+ * Silently ignore multiple HUPs within a short time period.
+ */
+ if ((node->last_hup + 2) >= when) return 1;
+ node->last_hup = when;
+
+ /*
+ * Clear any old instances before attempting to reload
+ */
+ module_instance_free_old(cs, node, when);
+
+ cf_log_module(cs, "Trying to reload module \"%s\"", node->name);
+
+ /*
+ * Parse the module configuration, and setup destructors so the
+ * module's detach method is called when it's instance data is
+ * about to be freed.
+ */
+ if (module_conf_parse(node, &insthandle) < 0) {
+ cf_log_err_cs(cs, "HUP failed for module \"%s\" (parsing config failed). "
+ "Using old configuration", node->name);
+
+ return 0;
+ }
+
+ if ((node->entry->module->instantiate)(cs, insthandle) < 0) {
+ cf_log_err_cs(cs, "HUP failed for module \"%s\". Using old configuration.", node->name);
+ talloc_free(insthandle);
+
+ return 0;
+ }
+
+ INFO(" Module: Reloaded module \"%s\"", node->name);
+
+ /*
+ * Save the old instance handle for later deletion.
+ */
+ mh = talloc_zero(cs, fr_module_hup_t);
+ mh->mi = node;
+ mh->when = when;
+ mh->insthandle = node->insthandle;
+ mh->next = node->mh;
+ node->mh = mh;
+
+ /*
+ * Replace the instance handle while the module is running.
+ */
+ node->insthandle = insthandle;
+
+ /*
+ * FIXME: Set a timeout to come back in 60s, so that
+ * we can pro-actively clean up the old instances.
+ */
+
+ return 1;
+}
+
+
+int modules_hup(CONF_SECTION *modules)
+{
+ time_t when;
+ CONF_ITEM *ci;
+ CONF_SECTION *cs;
+ module_instance_t *node;
+
+ if (!modules) return 0;
+
+ when = time(NULL);
+
+ /*
+ * Loop over the modules
+ */
+ for (ci=cf_item_find_next(modules, NULL);
+ ci != NULL;
+ ci=cf_item_find_next(modules, ci)) {
+ char const *instname;
+ module_instance_t myNode;
+
+ /*
+ * If it's not a section, ignore it.
+ */
+ if (!cf_item_is_section(ci)) continue;
+
+ cs = cf_item_to_section(ci);
+ instname = cf_section_name2(cs);
+ if (!instname) instname = cf_section_name1(cs);
+
+ strlcpy(myNode.name, instname, sizeof(myNode.name));
+ node = rbtree_finddata(instance_tree, &myNode);
+
+ module_hup_module(cs, node, when);
+ }
+
+ return 1;
+}
+
+
+static int define_type(CONF_SECTION *cs, DICT_ATTR const *da, char const *name)
+{
+ uint32_t value;
+ DICT_VALUE *dval;
+
+ /*
+ * Allow for conditionally loaded types
+ */
+ if (*name == '-') name++;
+
+ /*
+ * If the value already exists, don't
+ * create it again.
+ */
+ dval = dict_valbyname(da->attr, da->vendor, name);
+ if (dval) {
+ if (dval->value == 0) {
+ ERROR("The dictionaries must not define VALUE %s %s 0",
+ da->name, name);
+ return 0;
+ }
+ return 1;
+ }
+
+ /*
+ * Create a new unique value with a
+ * meaningless number. You can't look at
+ * it from outside of this code, so it
+ * doesn't matter. The only requirement
+ * is that it's unique.
+ */
+ do {
+ value = (fr_rand() & 0x00ffffff) + 1;
+ } while (dict_valbyattr(da->attr, da->vendor, value));
+
+ cf_log_module(cs, "Creating %s = %s", da->name, name);
+ if (dict_addvalue(name, da->name, value) < 0) {
+ ERROR("%s", fr_strerror());
+ return 0;
+ }
+
+ return 1;
+}
+
+/*
+ * Define Auth-Type, etc. in a server.
+ */
+static bool server_define_types(CONF_SECTION *cs)
+{
+ rlm_components_t comp;
+
+ /*
+ * Loop over all of the components
+ */
+ for (comp = 0; comp < MOD_COUNT; ++comp) {
+ CONF_SECTION *subcs, *type_cs;
+ DICT_ATTR const *da;
+
+ subcs = cf_section_sub_find(cs,
+ section_type_value[comp].section);
+ if (!subcs) continue;
+
+ if (cf_item_find_next(subcs, NULL) == NULL) continue;
+
+ /*
+ * Find the attribute used to store VALUEs for this section.
+ */
+ da = dict_attrbyvalue(section_type_value[comp].attr, 0);
+ if (!da) {
+ cf_log_err_cs(subcs,
+ "No such attribute %s",
+ section_type_value[comp].typename);
+ return false;
+ }
+
+ /*
+ * Define dynamic types, so that others can reference
+ * them.
+ *
+ * First, bare modules for 'authenticate'.
+ * Second, Auth-Type, etc.
+ */
+ if (section_type_value[comp].attr == PW_AUTH_TYPE) {
+ CONF_ITEM *modref;
+
+ for (modref = cf_item_find_next(subcs, NULL);
+ modref != NULL;
+ modref = cf_item_find_next(subcs, modref)) {
+ CONF_PAIR *cp;
+
+ if (!cf_item_is_pair(modref)) continue;
+
+ cp = cf_item_to_pair(modref);
+ if (!define_type(cs, da, cf_pair_attr(cp))) {
+ return false;
+ }
+
+ /*
+ * Check for duplicates
+ */
+ if (rad_debug_lvl) {
+ CONF_PAIR *cp2;
+ CONF_SECTION *cs2;
+
+ cp2 = cf_pair_find(subcs, cf_pair_attr(cp));
+ rad_assert(cp2 != NULL);
+ if (cp2 != cp) {
+ WARN("%s[%d]: Duplicate module '%s'",
+ cf_pair_filename(cp2),
+ cf_pair_lineno(cp2),
+ cf_pair_attr(cp));
+ }
+
+ cs2 = cf_section_sub_find_name2(subcs, section_type_value[comp].typename, cf_pair_attr(cp));
+ if (cs2) {
+ WARN("%s[%d]: Duplicate Auth-Type '%s'",
+ cf_section_filename(cs2),
+ cf_section_lineno(cs2),
+ cf_pair_attr(cp));
+ }
+ }
+
+ }
+ }
+
+ /*
+ * And loop over the type names
+ */
+ for (type_cs = cf_subsection_find_next(subcs, NULL, section_type_value[comp].typename);
+ type_cs != NULL;
+ type_cs = cf_subsection_find_next(subcs, type_cs, section_type_value[comp].typename)) {
+ if (!define_type(cs, da, cf_section_name2(type_cs))) {
+ return false;
+ }
+
+ if (rad_debug_lvl) {
+ CONF_SECTION *cs2;
+
+ cs2 = cf_section_sub_find_name2(subcs, section_type_value[comp].typename, cf_section_name2(type_cs));
+ rad_assert(cs2 != NULL);
+ if (cs2 != type_cs) {
+ WARN("%s[%d]: Duplicate Auth-Type '%s'",
+ cf_section_filename(cs2),
+ cf_section_lineno(cs2),
+ cf_section_name2(cs2));
+ }
+ }
+ }
+ } /* loop over components */
+
+ return true;
+}
+
+extern char const *unlang_keyword[];
+
+static bool is_reserved_word(const char *name)
+{
+ int i;
+
+ if (!name || !*name) return false;
+
+ for (i = 1; unlang_keyword[i] != NULL; i++) {
+ if (strcmp(name, unlang_keyword[i]) == 0) return true;
+ }
+
+ return false;
+}
+
+
+/*
+ * Parse the module config sections, and load
+ * and call each module's init() function.
+ */
+int modules_init(CONF_SECTION *config)
+{
+ CONF_ITEM *ci, *next;
+ CONF_SECTION *cs, *modules;
+
+ /*
+ * Set up the internal module struct.
+ */
+ module_tree = rbtree_create(NULL, module_entry_cmp, NULL, 0);
+ if (!module_tree) {
+ ERROR("Failed to initialize modules\n");
+ return -1;
+ }
+
+ instance_tree = rbtree_create(NULL, module_instance_cmp,
+ module_instance_free, 0);
+ if (!instance_tree) {
+ ERROR("Failed to initialize modules\n");
+ return -1;
+ }
+
+ memset(virtual_servers, 0, sizeof(virtual_servers));
+
+ /*
+ * Remember where the modules were stored.
+ */
+ modules = cf_section_sub_find(config, "modules");
+ if (!modules) {
+ WARN("Cannot find a \"modules\" section in the configuration file!");
+ }
+
+ /*
+ * Load dictionaries.
+ */
+ for (cs = cf_subsection_find_next(config, NULL, "server");
+ cs != NULL;
+ cs = cf_subsection_find_next(config, cs, "server")) {
+#if defined(WITH_DHCP) || defined(WITH_VMPS)
+ CONF_SECTION *subcs;
+ DICT_ATTR const *da;
+#endif
+
+#ifdef WITH_VMPS
+ /*
+ * Auto-load the VMPS/VQP dictionary.
+ */
+ subcs = cf_section_sub_find(cs, "vmps");
+ if (subcs) {
+ da = dict_attrbyname("VQP-Packet-Type");
+ if (!da) {
+ if (dict_read(main_config.dictionary_dir, "dictionary.vqp") < 0) {
+ ERROR("Failed reading dictionary.vqp: %s",
+ fr_strerror());
+ return -1;
+ }
+ cf_log_module(cs, "Loading dictionary.vqp");
+
+ da = dict_attrbyname("VQP-Packet-Type");
+ if (!da) {
+ ERROR("No VQP-Packet-Type in dictionary.vqp");
+ return -1;
+ }
+ }
+ }
+#endif
+
+#ifdef WITH_DHCP
+ /*
+ * Auto-load the DHCP dictionary.
+ */
+ subcs = cf_subsection_find_next(cs, NULL, "dhcp");
+ if (subcs) {
+ da = dict_attrbyname("DHCP-Message-Type");
+ if (!da) {
+ cf_log_module(cs, "Loading dictionary.dhcp");
+ if (dict_read(main_config.dictionary_dir, "dictionary.dhcp") < 0) {
+ ERROR("Failed reading dictionary.dhcp: %s",
+ fr_strerror());
+ return -1;
+ }
+
+ da = dict_attrbyname("DHCP-Message-Type");
+ if (!da) {
+ ERROR("No DHCP-Message-Type in dictionary.dhcp");
+ return -1;
+ }
+ }
+ }
+#endif
+ /*
+ * Else it's a RADIUS virtual server, and the
+ * dictionaries are already loaded.
+ */
+
+ /*
+ * Root through each virtual server, defining
+ * Autz-Type and Auth-Type. This is so that the
+ * modules can reference a particular type.
+ */
+ if (!server_define_types(cs)) return -1;
+ }
+
+ DEBUG2("%s: #### Instantiating modules ####", main_config.name);
+
+ cf_log_info(config, " modules {");
+
+ /*
+ * Loop over module definitions, looking for duplicates.
+ *
+ * This is O(N^2) in the number of modules, but most
+ * systems should have less than 100 modules.
+ */
+ for (ci = cf_item_find_next(modules, NULL);
+ ci != NULL;
+ ci = next) {
+ char const *name1;
+ CONF_SECTION *subcs;
+ module_instance_t *node;
+
+ next = cf_item_find_next(modules, ci);
+
+ if (!cf_item_is_section(ci)) continue;
+
+ subcs = cf_item_to_section(ci);
+
+ node = module_bootstrap(subcs);
+ if (!node) return -1;
+
+ if (!next || !cf_item_is_section(next)) continue;
+
+ name1 = cf_section_name1(subcs);
+
+ if (is_reserved_word(name1)) {
+ cf_log_err_cs(subcs, "Module cannot be named for an 'unlang' keyword");
+ return -1;
+ }
+ }
+
+ /*
+ * Look for the 'instantiate' section, which tells us
+ * the instantiation order of the modules, and also allows
+ * us to load modules with no authorize/authenticate/etc.
+ * sections.
+ */
+ cs = cf_section_sub_find(config, "instantiate");
+ if (cs) {
+ CONF_PAIR *cp;
+ module_instance_t *module;
+ char const *name;
+
+ cf_log_info(cs, " instantiate {");
+
+ /*
+ * Loop over the items in the 'instantiate' section.
+ */
+ for (ci=cf_item_find_next(cs, NULL);
+ ci != NULL;
+ ci=cf_item_find_next(cs, ci)) {
+ /*
+ * Skip sections and "other" stuff.
+ * Sections will be handled later, if
+ * they're referenced at all...
+ */
+ if (cf_item_is_pair(ci)) {
+ cp = cf_item_to_pair(ci);
+ name = cf_pair_attr(cp);
+
+ module = module_instantiate(modules, name);
+ if (!module && (name[0] != '-')) {
+ return -1;
+ }
+ }
+
+ /*
+ * Can only be "redundant" or
+ * "load-balance" or
+ * "redundant-load-balance"
+ */
+ if (cf_item_is_section(ci)) {
+ bool all_same = true;
+ module_t const *last = NULL;
+ CONF_SECTION *subcs;
+ CONF_ITEM *subci;
+
+ subcs = cf_item_to_section(ci);
+ name = cf_section_name1(subcs);
+
+ /*
+ * Groups, etc. must have a name.
+ */
+ if (((strcmp(name, "group") == 0) ||
+ (strcmp(name, "redundant") == 0) ||
+ (strcmp(name, "redundant-load-balance") == 0) ||
+ strcmp(name, "load-balance") == 0)) {
+ name = cf_section_name2(subcs);
+ if (!name) {
+ cf_log_err_cs(subcs, "Subsection must have a name");
+ return -1;
+ }
+
+ if (is_reserved_word(name)) {
+ cf_log_err_cs(subcs, "Instantiate sections cannot be named for an 'unlang' keyword");
+ return -1;
+ }
+ } else {
+ if (is_reserved_word(name)) {
+ cf_log_err_cs(subcs, "Instantiate sections cannot be named for an 'unlang' keyword");
+ return -1;
+ }
+ }
+
+ /*
+ * Ensure that the modules we reference here exist.
+ */
+ for (subci=cf_item_find_next(subcs, NULL);
+ subci != NULL;
+ subci=cf_item_find_next(subcs, subci)) {
+ if (cf_item_is_pair(subci)) {
+ cp = cf_item_to_pair(subci);
+ if (cf_pair_value(cp)) {
+ cf_log_err(subci, "Cannot set return codes in a %s block",
+ cf_section_name1(subcs));
+ return -1;
+ }
+
+ /*
+ * Allow "foo.authorize" in subsections.
+ */
+ module = module_instantiate_method(modules, cf_pair_attr(cp), NULL);
+ if (!module) {
+ return -1;
+ }
+
+ if (all_same) {
+ if (!last) {
+ last = module->entry->module;
+ } else if (last != module->entry->module) {
+ last = NULL;
+ all_same = false;
+ }
+ }
+ } else {
+ all_same = false;
+ }
+
+ /*
+ * Don't check subsections for now.
+ */
+ } /* loop over modules in a "redundant foo" section */
+
+ /*
+ * Register a redundant xlat
+ */
+ if (all_same) {
+ if (!xlat_register_redundant(cf_item_to_section(ci))) {
+ WARN("%s[%d] Not registering expansions for %s",
+ cf_section_filename(subcs), cf_section_lineno(subcs),
+ cf_section_name2(subcs));
+ }
+ }
+ } /* handle subsections */
+ } /* loop over the "instantiate" section */
+
+ cf_log_info(cs, " }");
+ } /* if there's an 'instantiate' section. */
+
+ /*
+ * Now that we've loaded the explicitly ordered modules,
+ * load everything in the "modules" section. This is
+ * because we've now split up the modules into
+ * mods-enabled.
+ */
+ for (ci=cf_item_find_next(modules, NULL);
+ ci != NULL;
+ ci=next) {
+ char const *name;
+ module_instance_t *module;
+ CONF_SECTION *subcs;
+
+ next = cf_item_find_next(modules, ci);
+
+ if (!cf_item_is_section(ci)) continue;
+
+ subcs = cf_item_to_section(ci);
+ name = cf_section_name2(subcs);
+ if (!name) name = cf_section_name1(subcs);
+
+ module = module_instantiate(modules, name);
+ if (!module) return -1;
+ }
+ cf_log_info(config, " } # modules");
+
+ if (virtual_servers_load(config) < 0) return -1;
+
+ return 0;
+}
+
+/*
+ * Call all authorization modules until one returns
+ * somethings else than RLM_MODULE_OK
+ */
+rlm_rcode_t process_authorize(int autz_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_AUTHORIZE, autz_type, request);
+}
+
+/*
+ * Authenticate a user/password with various methods.
+ */
+rlm_rcode_t process_authenticate(int auth_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_AUTHENTICATE, auth_type, request);
+}
+
+#ifdef WITH_ACCOUNTING
+/*
+ * Do pre-accounting for ALL configured sessions
+ */
+rlm_rcode_t module_preacct(REQUEST *request)
+{
+ return indexed_modcall(MOD_PREACCT, 0, request);
+}
+
+/*
+ * Do accounting for ALL configured sessions
+ */
+rlm_rcode_t process_accounting(int acct_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_ACCOUNTING, acct_type, request);
+}
+#endif
+
+#ifdef WITH_SESSION_MGMT
+/*
+ * See if a user is already logged in.
+ *
+ * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
+ */
+int process_checksimul(int sess_type, REQUEST *request, int maxsimul)
+{
+ rlm_rcode_t rcode;
+
+ if(!request->username)
+ return 0;
+
+ request->simul_count = 0;
+ request->simul_max = maxsimul;
+ request->simul_mpp = 1;
+
+ rcode = indexed_modcall(MOD_SESSION, sess_type, request);
+
+ if (rcode != RLM_MODULE_OK) {
+ /* FIXME: Good spot for a *rate-limited* warning to the log */
+ return 0;
+ }
+
+ return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
+}
+#endif
+
+#ifdef WITH_PROXY
+/*
+ * Do pre-proxying for ALL configured sessions
+ */
+rlm_rcode_t process_pre_proxy(int type, REQUEST *request)
+{
+ return indexed_modcall(MOD_PRE_PROXY, type, request);
+}
+
+/*
+ * Do post-proxying for ALL configured sessions
+ */
+rlm_rcode_t process_post_proxy(int type, REQUEST *request)
+{
+ return indexed_modcall(MOD_POST_PROXY, type, request);
+}
+#endif
+
+/*
+ * Do post-authentication for ALL configured sessions
+ */
+rlm_rcode_t process_post_auth(int postauth_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_POST_AUTH, postauth_type, request);
+}
+
+#ifdef WITH_COA
+rlm_rcode_t process_recv_coa(int recv_coa_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_RECV_COA, recv_coa_type, request);
+}
+
+rlm_rcode_t process_send_coa(int send_coa_type, REQUEST *request)
+{
+ return indexed_modcall(MOD_SEND_COA, send_coa_type, request);
+}
+#endif