1 files changed, 104 insertions, 0 deletions
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 227ae4a..2b2dda8 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -73,6 +73,8 @@ static char const *gid_name = NULL;
 static char const *chroot_dir = NULL;
 static bool allow_core_dumps = false;
 static char const *radlog_dest = NULL;
+static char const *require_message_authenticator = NULL;
+static char const *limit_proxy_state = NULL;
 
 /*
  *	These are not used anywhere else..
@@ -87,6 +89,56 @@ static bool		do_colourise = false;
 
 static char const	*radius_dir = NULL;	//!< Path to raddb directory
 
+#ifndef HAVE_KQUEUE
+static uint32_t		max_fds = 0;
+#endif
+
+static const FR_NAME_NUMBER fr_bool_auto_names[] = {
+	{ "false",	FR_BOOL_FALSE     },
+	{ "no",		FR_BOOL_FALSE     },
+	{ "0",		FR_BOOL_FALSE     },
+
+	{ "true",	FR_BOOL_TRUE      },
+	{ "yes",       	FR_BOOL_TRUE      },
+	{ "1",		FR_BOOL_TRUE      },
+
+	{ "auto",	FR_BOOL_AUTO      },
+
+	{ NULL,	0 }
+};
+
+/*
+ *	Get decent values for false / true / auto
+ */
+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str)
+{
+	int value;
+
+	/*
+	 *	Don't change anything.
+	 */
+	if (!str) return 0;
+
+	value = fr_str2int(fr_bool_auto_names, str, -1);
+	if (value >= 0) {
+		*out = value;
+		return 0;
+	}
+
+	/*
+	 *	This should never happen, as the defaults are in the
+	 *	source code.  If there's no CONF_PAIR, and there's a
+	 *	parse error, then the source code is wrong.
+	 */
+	if (!cp) {
+		fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name);
+		return -1;
+	}
+
+	cf_log_err(cf_pair_to_item(cp), "Invalid value for \"%s\"", cf_pair_attr(cp));
+	return -1;
+}
+
 /**********************************************************************
  *
  *	We need to figure out where the logs go, before doing anything
@@ -160,6 +212,8 @@ static const CONF_PARSER security_config[] = {
 	{ "max_attributes",  FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
 	{ "reject_delay",  FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
 	{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+	{ "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"},
+	{ "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 	{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif
@@ -195,8 +249,12 @@ static const CONF_PARSER server_config[] = {
 	{ "panic_action", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.panic_action), NULL},
 	{ "hostname_lookups", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &fr_dns_lookups), "no" },
 	{ "max_request_time", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_request_time), STRINGIFY(MAX_REQUEST_TIME) },
+	{ "proxy_dedup_window", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.proxy_dedup_window), "1" },
 	{ "cleanup_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.cleanup_delay), STRINGIFY(CLEANUP_DELAY) },
 	{ "max_requests", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_requests), STRINGIFY(MAX_REQUESTS) },
+#ifndef HAVE_KQUEUE
+	{ "max_fds", FR_CONF_POINTER(PW_TYPE_INTEGER, &max_fds), "512" },
+#endif
 	{ "postauth_client_lost", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.postauth_client_lost), "no" },
 	{ "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
 	{ "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
@@ -864,6 +922,8 @@ int main_config_init(void)
 	if (!main_config.dictionary_dir) {
 		main_config.dictionary_dir = DICTDIR;
 	}
+	main_config.require_ma = FR_BOOL_AUTO;
+	main_config.limit_proxy_state = FR_BOOL_AUTO;
 
 	/*
 	 *	About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
@@ -1144,6 +1204,10 @@ do {\
 	if ((main_config.reject_delay.tv_sec != 0) || (main_config.reject_delay.tv_usec != 0)) {
 		FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, >=, 1, 0);
 	}
+
+	FR_INTEGER_BOUND_CHECK("proxy_dedup_window", main_config.proxy_dedup_window, <=, 10);
+	FR_INTEGER_BOUND_CHECK("proxy_dedup_window", main_config.proxy_dedup_window, >=, 1);
+
 	FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, <=, 10, 0);
 
 	FR_INTEGER_BOUND_CHECK("cleanup_delay", main_config.cleanup_delay, <=, 30);
@@ -1159,6 +1223,46 @@ do {\
 	main_config.init_delay.tv_sec = 0;
 	main_config.init_delay.tv_usec = 2* (1000000 / 3);
 
+	{
+		CONF_PAIR *cp = NULL;
+
+		subcs = cf_section_sub_find(cs, "security");
+		if (subcs) cp = cf_pair_find(subcs, "require_message_authenticator");
+		if (fr_bool_auto_parse(cp, &main_config.require_ma, require_message_authenticator) < 0) {
+			cf_file_free(cs);
+			return -1;
+		}
+
+		if (subcs) cp = cf_pair_find(subcs, "limit_proxy_state");
+		if (fr_bool_auto_parse(cp, &main_config.limit_proxy_state, limit_proxy_state) < 0) {
+			cf_file_free(cs);
+			return -1;
+		}
+	}
+
+#ifndef HAVE_KQUEUE
+	/*
+	 *	select() is limited to 1024 file descriptors. :(
+	 */
+	if (max_fds) {
+		if (max_fds > FD_SETSIZE) {
+			fr_ev_max_fds = FD_SETSIZE;
+		} else {
+			/*
+			 *	Round up to the next highest power of 2.
+			 */
+			max_fds--;
+			max_fds |= max_fds >> 1;
+			max_fds |= max_fds >> 2;
+			max_fds |= max_fds >> 4;
+			max_fds |= max_fds >> 8;
+			max_fds |= max_fds >> 16;
+			max_fds++;
+			fr_ev_max_fds = max_fds;
+		}
+	}
+#endif
+
 	/*
 	 *	Free the old configuration items, and replace them
 	 *	with the new ones.