summaryrefslogtreecommitdiffstats
path: root/src/include
diff options
context:
space:
mode:
Diffstat (limited to 'src/include')
-rw-r--r--src/include/clients.h6
-rw-r--r--src/include/conffile.h1
-rw-r--r--src/include/dlist.h63
-rw-r--r--src/include/event.h2
-rw-r--r--src/include/features-h2
-rw-r--r--src/include/libradius.h20
-rw-r--r--src/include/radius.h1
-rw-r--r--src/include/radiusd.h11
-rw-r--r--src/include/realms.h4
-rw-r--r--src/include/tls-h10
10 files changed, 114 insertions, 6 deletions
diff --git a/src/include/clients.h b/src/include/clients.h
index 46b5b3b..7e962b6 100644
--- a/src/include/clients.h
+++ b/src/include/clients.h
@@ -43,7 +43,11 @@ typedef struct radclient {
char const *secret; //!< Secret PSK.
- bool message_authenticator; //!< Require RADIUS message authenticator in requests.
+ fr_bool_auto_t require_ma; //!< Require RADIUS message authenticator in requests.
+
+ bool dynamic_require_ma; //!< for dynamic clients
+
+ fr_bool_auto_t limit_proxy_state; //!< Limit Proxy-State in requests
char const *nas_type; //!< Type of client (arbitrary).
diff --git a/src/include/conffile.h b/src/include/conffile.h
index b996881..237469c 100644
--- a/src/include/conffile.h
+++ b/src/include/conffile.h
@@ -140,6 +140,7 @@ typedef struct timeval _timeval_t;
#define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies.
#define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value.
#define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist
+#define PW_TYPE_IGNORE_DEFAULT (1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing
/* @} **/
#define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\
diff --git a/src/include/dlist.h b/src/include/dlist.h
new file mode 100644
index 0000000..c1bc1d5
--- /dev/null
+++ b/src/include/dlist.h
@@ -0,0 +1,63 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ *
+ * @file dlist.h
+ * @brief doubly linked lists
+ *
+ * @copyright 2023 Network RADIUS SAS (legal@networkradius.com)
+ */
+
+#ifndef RADIUS_DLIST_H
+#define RADIUS_DLIST_H
+
+RCSIDH(dlist_h, "$Id$")
+
+/*
+ * We have an internal cache, keyed by (mac + ssid).
+ *
+ * It returns the PMK and PSK for the user.
+ */
+typedef struct fr_dlist_s fr_dlist_t;
+
+struct fr_dlist_s {
+ fr_dlist_t *prev;
+ fr_dlist_t *next;
+};
+
+static inline void fr_dlist_entry_init(fr_dlist_t *entry)
+{
+ entry->prev = entry->next = entry;
+}
+
+static inline CC_HINT(nonnull) void fr_dlist_entry_unlink(fr_dlist_t *entry)
+{
+ entry->prev->next = entry->next;
+ entry->next->prev = entry->prev;
+ entry->prev = entry->next = entry;
+}
+
+static inline CC_HINT(nonnull) void fr_dlist_insert_tail(fr_dlist_t *head, fr_dlist_t *entry)
+{
+ entry->next = head;
+ entry->prev = head->prev;
+ head->prev->next = entry;
+ head->prev = entry;
+}
+
+#endif /* RADIUS_DLIST_H */
diff --git a/src/include/event.h b/src/include/event.h
index 0409728..822da96 100644
--- a/src/include/event.h
+++ b/src/include/event.h
@@ -39,6 +39,8 @@ typedef void (*fr_event_fd_handler_t)(fr_event_list_t *el, int sock, void *ctx);
fr_event_list_t *fr_event_list_create(TALLOC_CTX *ctx, fr_event_status_t status);
+extern int fr_ev_max_fds; /* must be a power of 2 */
+
int fr_event_list_num_fds(fr_event_list_t *el);
int fr_event_list_num_elements(fr_event_list_t *el);
diff --git a/src/include/features-h b/src/include/features-h
index 158541f..1e2f29e 100644
--- a/src/include/features-h
+++ b/src/include/features-h
@@ -69,7 +69,7 @@
#ifdef WITH_TLS
# ifdef WITH_COA
# ifndef WITHOUT_COA_TUNNEL
-# define WITH_COA_TUNNEL (1)
+//# define WITH_COA_TUNNEL (1)
# endif
# endif
#endif
diff --git a/src/include/libradius.h b/src/include/libradius.h
index 777927e..5cb5b06 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -410,6 +410,11 @@ typedef struct radius_packet {
#ifdef WITH_RADIUSV11
bool radiusv11;
#endif
+ bool tls; //!< uses secure transport
+
+ bool message_authenticator;
+ bool proxy_state;
+ bool eap_message;
} RADIUS_PACKET;
typedef enum {
@@ -527,6 +532,13 @@ DICT_VENDOR *dict_vendorbyvalue(int vendor);
/* radius.c */
int rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret);
bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason);
+
+/*
+ * 1 == require_ma
+ * 2 == msg_peek
+ * 4 == limit_proxy_state
+ * 8 == require_ma for Access-* replies and Protocol-Error
+ */
RADIUS_PACKET *rad_recv(TALLOC_CTX *ctx, int fd, int flags);
ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code);
void rad_recv_discard(int sockfd);
@@ -720,7 +732,7 @@ extern bool fr_dns_lookups; /* do IP -> hostname lookups? */
extern bool fr_hostname_lookups; /* do hostname -> IP lookups? */
extern int fr_debug_lvl; /* 0 = no debugging information */
extern uint32_t fr_max_attributes; /* per incoming packet */
-#define FR_MAX_PACKET_CODE (52)
+#define FR_MAX_PACKET_CODE (53)
extern char const *fr_packet_codes[FR_MAX_PACKET_CODE];
#define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE))
extern FILE *fr_log_fp;
@@ -958,6 +970,12 @@ int fr_socket_wait_for_connect(int sockfd, struct timeval *timeout);
}
#endif
+typedef enum {
+ FR_BOOL_FALSE = 0,
+ FR_BOOL_TRUE,
+ FR_BOOL_AUTO,
+} fr_bool_auto_t;
+
#include <freeradius-devel/packet.h>
#ifdef WITH_TCP
diff --git a/src/include/radius.h b/src/include/radius.h
index 473528d..147d674 100644
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -61,6 +61,7 @@ typedef enum {
PW_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request
PW_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive)
PW_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform)
+ PW_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol layer issue
PW_CODE_MAX = 255, //!< Maximum possible code
} PW_CODE;
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 594a6bd..c7c03cd 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -141,6 +141,8 @@ typedef struct main_config {
uint32_t cleanup_delay; //!< How long before cleaning up cached responses.
uint32_t max_requests;
+ uint32_t proxy_dedup_window; //!< suppress duplicate retransmitssions from a NAS
+
bool postauth_client_lost; //!< Whether to run Post-Auth-Type Client-Lost section
uint32_t debug_level;
@@ -174,6 +176,9 @@ typedef struct main_config {
bool exiting; //!< are we exiting?
+ fr_bool_auto_t require_ma; //!< global configuration for all clients and home servers
+
+ fr_bool_auto_t limit_proxy_state; //!< global configuration for all clients
#ifdef ENABLE_OPENSSL_VERSION_CHECK
char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged.
@@ -194,9 +199,8 @@ typedef struct main_config {
typedef enum {
REQUEST_ACTIVE = 1,
REQUEST_STOP_PROCESSING,
- REQUEST_COUNTED
} rad_master_state_t;
-#define REQUEST_MASTER_NUM_STATES (REQUEST_COUNTED + 1)
+#define REQUEST_MASTER_NUM_STATES (REQUEST_STOP_PROCESSING + 1)
typedef enum {
REQUEST_QUEUED = 1,
@@ -320,6 +324,7 @@ struct rad_request {
#define RAD_REQUEST_OPTION_COA (1 << 0)
#define RAD_REQUEST_OPTION_CTX (1 << 1)
#define RAD_REQUEST_OPTION_CANCELLED (1 << 2)
+#define RAD_REQUEST_OPTION_STATS (1 << 3)
#define SECONDS_PER_DAY 86400
#define MAX_REQUEST_TIME 30
@@ -565,6 +570,8 @@ int main_config_free(void);
void main_config_hup(void);
void hup_logfile(void);
+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);
+
/* listen.c */
void listen_free(rad_listen_t **head);
int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
diff --git a/src/include/realms.h b/src/include/realms.h
index 23806f4..cc5d4c1 100644
--- a/src/include/realms.h
+++ b/src/include/realms.h
@@ -58,6 +58,8 @@ typedef struct fr_socket_limit_t {
uint32_t num_requests;
uint32_t lifetime;
uint32_t idle_timeout;
+ uint32_t read_timeout;
+ uint32_t write_timeout;
} fr_socket_limit_t;
typedef struct home_server {
@@ -69,6 +71,8 @@ typedef struct home_server {
bool dual; //!< One of a pair of homeservers on consecutive ports.
bool dynamic; //!< is this a dynamically added home server?
bool nonblock; //!< Enable a socket non-blocking to the home server.
+ fr_bool_auto_t require_ma; //!< for all replies to Access-Request and Status-Server
+
#ifdef WITH_COA_TUNNEL
bool recv_coa; //!< receive CoA packets, too
#endif
diff --git a/src/include/tls-h b/src/include/tls-h
index 4bf1665..506fb19 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -152,6 +152,9 @@ typedef struct _tls_session_t {
//!< If set to no then only the first fragment contains length.
int peap_flag;
+ VALUE_PAIR *outer_tlvs; //!< only for TEAP, and only for the first fragment.
+ uint8_t *outer_tlvs_octets; //!< only for TEAP, needed for Crypto-Binding TLV
+
size_t tls_record_in_total_len; //!< How long the peer indicated the complete tls record
//!< would be.
size_t tls_record_in_recvd_len; //!< How much of the record we've received so far.
@@ -176,17 +179,19 @@ typedef struct _tls_session_t {
*
* 0 1 2 3 4 5 6 7 8
* +-+-+-+-+-+-+-+-+
- * |L M S R R R R R|
+ * |L M S O R R R R|
* +-+-+-+-+-+-+-+-+
*
* L = Length included
* M = More fragments
* S = EAP-TLS start
+ * O = outer TLV length included (4 octets, only for TEAP)
* R = Reserved
*/
#define TLS_START(x) (((x) & 0x20) != 0)
#define TLS_MORE_FRAGMENTS(x) (((x) & 0x40) != 0)
#define TLS_LENGTH_INCLUDED(x) (((x) & 0x80) != 0)
+#define TLS_OUTER_TLV_INCLUDED(x) (((x) & 0x10) != 0)
#define TLS_CHANGE_CIPHER_SPEC(x) (((x) & 0x0014) == 0x0014)
#define TLS_ALERT(x) (((x) & 0x0015) == 0x0015)
@@ -195,6 +200,7 @@ typedef struct _tls_session_t {
#define SET_START(x) ((x) | (0x20))
#define SET_MORE_FRAGMENTS(x) ((x) | (0x40))
#define SET_LENGTH_INCLUDED(x) ((x) | (0x80))
+#define SET_OUTER_TLV_INCLUDED(x) ((x) | (0x10))
/*
* Following enums from rfc2246
@@ -351,6 +357,8 @@ struct fr_tls_server_conf_t {
SSL_CTX *ctx;
CONF_SECTION *cs;
+ char const *name; //!< name of the thing doing TLS.
+
char const *private_key_password;
char const *private_key_file;
char const *certificate_file;