/*
* Thread wrapper for fork().
*/
pid_t rad_fork(void)
{
pid_t child_pid;
if (!pool_initialized) return fork();
reap_children(); /* be nice to non-wait thingies */
if (fr_hash_table_num_elements(thread_pool.waiters) >= 1024) {
return -1;
}
/*
* Fork & save the PID for later reaping.
*/
child_pid = fork();
if (child_pid > 0) {
int rcode;
thread_fork_t *tf;
tf = rad_malloc(sizeof(*tf));
memset(tf, 0, sizeof(*tf));
tf->pid = child_pid;
pthread_mutex_lock(&thread_pool.wait_mutex);
rcode = fr_hash_table_insert(thread_pool.waiters, tf);
pthread_mutex_unlock(&thread_pool.wait_mutex);
if (!rcode) {
radlog(L_ERR, "Failed to store PID, creating what will be a zombie process %d",
(int) child_pid);
free(tf);
}
}
/*
* Return whatever we were told.
*/
return child_pid;
}
static int getusersfile(TALLOC_CTX *ctx, char const *filename, fr_hash_table_t **pht,
char *compat_mode_str)
{
int rcode;
PAIR_LIST *users = NULL;
PAIR_LIST *entry, *next;
fr_hash_table_t *ht, *tailht;
int order = 0;
if (!filename) {
*pht = NULL;
return 0;
}
rcode = pairlist_read(ctx, filename, &users, 1);
if (rcode < 0) {
return -1;
}
/*
* Walk through the 'users' file list, if we're debugging,
* or if we're in compat_mode.
*/
if ((debug_flag) ||
(strcmp(compat_mode_str, "cistron") == 0)) {
VALUE_PAIR *vp;
int compat_mode = false;
if (strcmp(compat_mode_str, "cistron") == 0) {
compat_mode = true;
}
entry = users;
while (entry) {
vp_cursor_t cursor;
if (compat_mode) {
DEBUG("[%s]:%d Cistron compatibility checks for entry %s ...",
filename, entry->lineno,
entry->name);
}
/*
* Look for improper use of '=' in the
* check items. They should be using
* '==' for on-the-wire RADIUS attributes,
* and probably ':=' for server
* configuration items.
*/
for (vp = paircursor(&cursor, &entry->check); vp; vp = pairnext(&cursor)) {
/*
* Ignore attributes which are set
* properly.
*/
if (vp->op != T_OP_EQ) {
continue;
}
/*
* If it's a vendor attribute,
* or it's a wire protocol,
* ensure it has '=='.
*/
if ((vp->da->vendor != 0) ||
(vp->da->attr < 0x100)) {
if (!compat_mode) {
WDEBUG("[%s]:%d Changing '%s =' to '%s =='\n\tfor comparing RADIUS attribute in check item list for user %s",
filename, entry->lineno,
vp->da->name, vp->da->name,
entry->name);
} else {
DEBUG("\tChanging '%s =' to '%s =='",
vp->da->name, vp->da->name);
}
vp->op = T_OP_CMP_EQ;
continue;
}
/*
* Cistron Compatibility mode.
*
* Re-write selected attributes
* to be '+=', instead of '='.
*
* All others get set to '=='
*/
if (compat_mode) {
/*
* Non-wire attributes become +=
*
* On the write attributes
* become ==
*/
if ((vp->da->attr >= 0x100) &&
(vp->da->attr <= 0xffff) &&
(vp->da->attr != PW_HINT) &&
(vp->da->attr != PW_HUNTGROUP_NAME)) {
DEBUG("\tChanging '%s =' to '%s +='", vp->da->name, vp->da->name);
vp->op = T_OP_ADD;
} else {
DEBUG("\tChanging '%s =' to '%s =='", vp->da->name, vp->da->name);
vp->op = T_OP_CMP_EQ;
}
}
} /* end of loop over check items */
/*
* Look for server configuration items
* in the reply list.
*
* It's a common enough mistake, that it's
* worth doing.
*/
for (vp = paircursor(&cursor, &entry->reply); vp; vp = pairnext(&cursor)) {
/*
* If it's NOT a vendor attribute,
* and it's NOT a wire protocol
* and we ignore Fall-Through,
* then bitch about it, giving a
* good warning message.
*/
if ((vp->da->vendor == 0) &&
(vp->da->attr > 0xff) &&
(vp->da->attr > 1000)) {
WDEBUG("[%s]:%d Check item \"%s\"\n"
"\tfound in reply item list for user \"%s\".\n"
"\tThis attribute MUST go on the first line"
" with the other check items", filename, entry->lineno, vp->da->name,
entry->name);
}
}
entry = entry->next;
}
}
ht = fr_hash_table_create(pairlist_hash, pairlist_cmp,
my_pairlist_free);
if (!ht) {
pairlist_free(&users);
return -1;
}
tailht = fr_hash_table_create(pairlist_hash, pairlist_cmp,
NULL);
if (!tailht) {
fr_hash_table_free(ht);
pairlist_free(&users);
return -1;
}
/*
* Now that we've read it in, put the entries into a hash
* for faster access.
*/
for (entry = users; entry != NULL; entry = next) {
PAIR_LIST *tail;
next = entry->next;
entry->next = NULL;
entry->order = order++;
/*
* Insert it into the hash table, and remember
* the tail of the linked list.
*/
tail = fr_hash_table_finddata(tailht, entry);
if (!tail) {
/*
* Insert it into the head & tail.
*/
if (!fr_hash_table_insert(ht, entry) ||
!fr_hash_table_insert(tailht, entry)) {
pairlist_free(&next);
fr_hash_table_free(ht);
fr_hash_table_free(tailht);
return -1;
}
} else {
tail->next = entry;
if (!fr_hash_table_replace(tailht, entry)) {
pairlist_free(&next);
fr_hash_table_free(ht);
fr_hash_table_free(tailht);
return -1;
}
}
}
fr_hash_table_free(tailht);
*pht = ht;
return 0;
}
/*
* Add a value for an attribute to the dictionary.
*/
int dict_addvalue(const char *namestr, const char *attrstr, int value)
{
size_t length;
DICT_ATTR *dattr;
DICT_VALUE *dval;
static DICT_ATTR *last_attr = NULL;
if (!*namestr) {
fr_strerror_printf("dict_addvalue: empty names are not permitted");
return -1;
}
if ((length = strlen(namestr)) >= DICT_VALUE_MAX_NAME_LEN) {
fr_strerror_printf("dict_addvalue: value name too long");
return -1;
}
if ((dval = fr_pool_alloc(sizeof(*dval) + length)) == NULL) {
fr_strerror_printf("dict_addvalue: out of memory");
return -1;
}
memset(dval, 0, sizeof(*dval));
strcpy(dval->name, namestr);
dval->value = value;
/*
* Most VALUEs are bunched together by ATTRIBUTE. We can
* save a lot of lookups on dictionary initialization by
* caching the last attribute.
*/
if (last_attr && (strcasecmp(attrstr, last_attr->name) == 0)) {
dattr = last_attr;
} else {
dattr = dict_attrbyname(attrstr);
last_attr = dattr;
}
/*
* Remember which attribute is associated with this
* value, if possible.
*/
if (dattr) {
if (dattr->flags.has_value_alias) {
fr_strerror_printf("dict_addvalue: Cannot add VALUE for ATTRIBUTE \"%s\": It already has a VALUE-ALIAS", attrstr);
return -1;
}
dval->attr = dattr->attr;
/*
* Enforce valid values
*
* Don't worry about fixups...
*/
switch (dattr->type) {
case PW_TYPE_BYTE:
if (value > 255) {
fr_pool_free(dval);
fr_strerror_printf("dict_addvalue: ATTRIBUTEs of type 'byte' cannot have VALUEs larger than 255");
return -1;
}
break;
case PW_TYPE_SHORT:
if (value > 65535) {
fr_pool_free(dval);
fr_strerror_printf("dict_addvalue: ATTRIBUTEs of type 'short' cannot have VALUEs larger than 65535");
return -1;
}
break;
/*
* Allow octets for now, because
* of dictionary.cablelabs
*/
case PW_TYPE_OCTETS:
case PW_TYPE_INTEGER:
break;
default:
fr_pool_free(dval);
fr_strerror_printf("dict_addvalue: VALUEs cannot be defined for attributes of type '%s'",
fr_int2str(type_table, dattr->type, "?Unknown?"));
return -1;
}
dattr->flags.has_value = 1;
} else {
value_fixup_t *fixup;
fixup = (value_fixup_t *) malloc(sizeof(*fixup));
if (!fixup) {
fr_pool_free(dval);
fr_strerror_printf("dict_addvalue: out of memory");
return -1;
}
memset(fixup, 0, sizeof(*fixup));
strlcpy(fixup->attrstr, attrstr, sizeof(fixup->attrstr));
fixup->dval = dval;
/*
* Insert to the head of the list.
*/
fixup->next = value_fixup;
value_fixup = fixup;
return 0;
}
/*
* Add the value into the dictionary.
*/
if (!fr_hash_table_insert(values_byname, dval)) {
if (dattr) {
DICT_VALUE *old;
/*
* Suppress duplicates with the same
* name and value. There are lots in
* dictionary.ascend.
*/
old = dict_valbyname(dattr->attr, namestr);
if (old && (old->value == dval->value)) {
fr_pool_free(dval);
return 0;
}
}
fr_pool_free(dval);
fr_strerror_printf("dict_addvalue: Duplicate value name %s for attribute %s", namestr, attrstr);
return -1;
}
/*
* There are multiple VALUE's, keyed by attribute, so we
* take care of that here.
*/
if (!fr_hash_table_replace(values_byvalue, dval)) {
fr_strerror_printf("dict_addvalue: Failed inserting value %s",
namestr);
return -1;
}
return 0;
}
/*
* Add an attribute to the dictionary.
*/
int dict_addattr(const char *name, int vendor, int type, int value,
ATTR_FLAGS flags)
{
size_t namelen;
static int max_attr = 0;
DICT_ATTR *attr;
namelen = strlen(name);
if (namelen >= DICT_ATTR_MAX_NAME_LEN) {
fr_strerror_printf("dict_addattr: attribute name too long");
return -1;
}
/*
* If the value is '-1', that means use a pre-existing
* one (if it already exists). If one does NOT already exist,
* then create a new attribute, with a non-conflicting value,
* and use that.
*/
if (value == -1) {
if (dict_attrbyname(name)) {
return 0; /* exists, don't add it again */
}
value = ++max_attr;
} else if (vendor == 0) {
/*
* Update 'max_attr'
*/
if (value > max_attr) {
max_attr = value;
}
}
if (value < 0) {
fr_strerror_printf("dict_addattr: ATTRIBUTE has invalid number (less than zero)");
return -1;
}
if (value >= 65536) {
fr_strerror_printf("dict_addattr: ATTRIBUTE has invalid number (larger than 65535).");
return -1;
}
if (vendor) {
DICT_VENDOR *dv;
static DICT_VENDOR *last_vendor = NULL;
if (flags.is_tlv && (flags.encrypt != FLAG_ENCRYPT_NONE)) {
fr_strerror_printf("Sub-TLV's cannot be encrypted");
return -1;
}
if (flags.has_tlv && (flags.encrypt != FLAG_ENCRYPT_NONE)) {
fr_strerror_printf("TLV's cannot be encrypted");
return -1;
}
if (flags.is_tlv && flags.has_tag) {
fr_strerror_printf("Sub-TLV's cannot have a tag");
return -1;
}
if (flags.has_tlv && flags.has_tag) {
fr_strerror_printf("TLV's cannot have a tag");
return -1;
}
/*
* Most ATTRIBUTEs are bunched together by
* VENDOR. We can save a lot of lookups on
* dictionary initialization by caching the last
* vendor.
*/
if (last_vendor && (vendor == last_vendor->vendorpec)) {
dv = last_vendor;
} else {
dv = dict_vendorbyvalue(vendor);
last_vendor = dv;
}
/*
* If the vendor isn't defined, die.
*/
if (!dv) {
fr_strerror_printf("dict_addattr: Unknown vendor");
return -1;
}
/*
* FIXME: Switch over dv->type, and limit things
* properly.
*/
if ((dv->type == 1) && (value >= 256) && !flags.is_tlv) {
fr_strerror_printf("dict_addattr: ATTRIBUTE has invalid number (larger than 255).");
return -1;
} /* else 256..65535 are allowed */
}
/*
* Create a new attribute for the list
*/
if ((attr = fr_pool_alloc(sizeof(*attr) + namelen)) == NULL) {
fr_strerror_printf("dict_addattr: out of memory");
return -1;
}
memcpy(attr->name, name, namelen);
attr->name[namelen] = '\0';
attr->attr = value;
attr->attr |= (vendor << 16); /* FIXME: hack */
attr->vendor = vendor;
attr->type = type;
attr->flags = flags;
attr->vendor = vendor;
/*
* Insert the attribute, only if it's not a duplicate.
*/
if (!fr_hash_table_insert(attributes_byname, attr)) {
DICT_ATTR *a;
/*
* If the attribute has identical number, then
* ignore the duplicate.
*/
a = fr_hash_table_finddata(attributes_byname, attr);
if (a && (strcasecmp(a->name, attr->name) == 0)) {
if (a->attr != attr->attr) {
fr_strerror_printf("dict_addattr: Duplicate attribute name %s", name);
fr_pool_free(attr);
return -1;
}
/*
* Same name, same vendor, same attr,
* maybe the flags and/or type is
* different. Let the new value
* over-ride the old one.
*/
}
fr_hash_table_delete(attributes_byvalue, a);
if (!fr_hash_table_replace(attributes_byname, attr)) {
fr_strerror_printf("dict_addattr: Internal error storing attribute %s", name);
fr_pool_free(attr);
return -1;
}
}
/*
* Insert the SAME pointer (not free'd when this entry is
* deleted), into another table.
*
* We want this behaviour because we want OLD names for
* the attributes to be read from the configuration
* files, but when we're printing them, (and looking up
* by value) we want to use the NEW name.
*/
if (!fr_hash_table_replace(attributes_byvalue, attr)) {
fr_strerror_printf("dict_addattr: Failed inserting attribute name %s", name);
return -1;
}
if (!vendor && (value > 0) && (value < 256)) {
dict_base_attrs[value] = attr;
}
return 0;
}
/*
* Add vendor to the list.
*/
int dict_addvendor(const char *name, int value)
{
size_t length;
DICT_VENDOR *dv;
if (value > 65535) {
fr_strerror_printf("dict_addvendor: Cannot handle vendor ID larger than 65535");
return -1;
}
if ((length = strlen(name)) >= DICT_VENDOR_MAX_NAME_LEN) {
fr_strerror_printf("dict_addvendor: vendor name too long");
return -1;
}
if ((dv = fr_pool_alloc(sizeof(*dv) + length)) == NULL) {
fr_strerror_printf("dict_addvendor: out of memory");
return -1;
}
strcpy(dv->name, name);
dv->vendorpec = value;
dv->type = dv->length = 1; /* defaults */
if (!fr_hash_table_insert(vendors_byname, dv)) {
DICT_VENDOR *old_dv;
old_dv = fr_hash_table_finddata(vendors_byname, dv);
if (!old_dv) {
fr_strerror_printf("dict_addvendor: Failed inserting vendor name %s", name);
return -1;
}
if (old_dv->vendorpec != dv->vendorpec) {
fr_strerror_printf("dict_addvendor: Duplicate vendor name %s", name);
return -1;
}
/*
* Already inserted. Discard the duplicate entry.
*/
fr_pool_free(dv);
return 0;
}
/*
* Insert the SAME pointer (not free'd when this table is
* deleted), into another table.
*
* We want this behaviour because we want OLD names for
* the attributes to be read from the configuration
* files, but when we're printing them, (and looking up
* by value) we want to use the NEW name.
*/
if (!fr_hash_table_replace(vendors_byvalue, dv)) {
fr_strerror_printf("dict_addvendor: Failed inserting vendor %s",
name);
return -1;
}
return 0;
}
/*
* Process the VALUE-ALIAS command
*
* This allows VALUE mappings to be shared among multiple
* attributes.
*/
static int process_value_alias(const char* fn, const int line, char **argv,
int argc)
{
DICT_ATTR *my_da, *da;
DICT_VALUE *dval;
if (argc != 2) {
fr_strerror_printf("dict_init: %s[%d]: invalid VALUE-ALIAS line",
fn, line);
return -1;
}
my_da = dict_attrbyname(argv[0]);
if (!my_da) {
fr_strerror_printf("dict_init: %s[%d]: ATTRIBUTE \"%s\" does not exist",
fn, line, argv[1]);
return -1;
}
if (my_da->flags.has_value) {
fr_strerror_printf("dict_init: %s[%d]: Cannot add VALUE-ALIAS to ATTRIBUTE \"%s\" with pre-existing VALUE",
fn, line, argv[0]);
return -1;
}
if (my_da->flags.has_value_alias) {
fr_strerror_printf("dict_init: %s[%d]: Cannot add VALUE-ALIAS to ATTRIBUTE \"%s\" with pre-existing VALUE-ALIAS",
fn, line, argv[0]);
return -1;
}
da = dict_attrbyname(argv[1]);
if (!da) {
fr_strerror_printf("dict_init: %s[%d]: Cannot find ATTRIBUTE \"%s\" for alias",
fn, line, argv[1]);
return -1;
}
if (!da->flags.has_value) {
fr_strerror_printf("dict_init: %s[%d]: VALUE-ALIAS cannot refer to ATTRIBUTE %s: It has no values",
fn, line, argv[1]);
return -1;
}
if (da->flags.has_value_alias) {
fr_strerror_printf("dict_init: %s[%d]: Cannot add VALUE-ALIAS to ATTRIBUTE \"%s\" which itself has a VALUE-ALIAS",
fn, line, argv[1]);
return -1;
}
if (my_da->type != da->type) {
fr_strerror_printf("dict_init: %s[%d]: Cannot add VALUE-ALIAS between attributes of differing type",
fn, line);
return -1;
}
if ((dval = fr_pool_alloc(sizeof(*dval))) == NULL) {
fr_strerror_printf("dict_addvalue: out of memory");
return -1;
}
dval->name[0] = '\0'; /* empty name */
dval->attr = my_da->attr;
dval->value = da->attr;
if (!fr_hash_table_insert(values_byname, dval)) {
fr_strerror_printf("dict_init: %s[%d]: Error create alias",
fn, line);
fr_pool_free(dval);
return -1;
}
return 0;
}
/*
* (Re-)read radiusd.conf into memory.
*/
static int mod_instantiate(CONF_SECTION *conf, void *instance)
{
detail_instance_t *inst = instance;
CONF_SECTION *cs;
inst->name = cf_section_name2(conf);
if (!inst->name) {
inst->name = cf_section_name1(conf);
}
inst->lf= fr_logfile_init(inst);
if (!inst->lf) {
cf_log_err_cs(conf, "Failed creating log file context");
return -1;
}
/*
* Suppress certain attributes.
*/
cs = cf_section_sub_find(conf, "suppress");
if (cs) {
CONF_ITEM *ci;
inst->ht = fr_hash_table_create(detail_hash, detail_cmp, NULL);
for (ci = cf_item_find_next(cs, NULL);
ci != NULL;
ci = cf_item_find_next(cs, ci)) {
char const *attr;
DICT_ATTR const *da;
if (!cf_item_is_pair(ci)) continue;
attr = cf_pair_attr(cf_itemtopair(ci));
if (!attr) continue; /* pair-anoia */
da = dict_attrbyname(attr);
if (!da) {
cf_log_err_cs(conf, "No such attribute '%s'", attr);
return -1;
}
/*
* Be kind to minor mistakes.
*/
if (fr_hash_table_finddata(inst->ht, da)) {
WARN("rlm_detail (%s): Ignoring duplicate entry '%s'", inst->name, attr);
continue;
}
if (!fr_hash_table_insert(inst->ht, da)) {
ERROR("rlm_detail (%s): Failed inserting '%s' into suppression table",
inst->name, attr);
return -1;
}
DEBUG("rlm_detail (%s): '%s' suppressed, will not appear in detail output", inst->name, attr);
}
/*
* If we didn't suppress anything, delete the hash table.
*/
if (fr_hash_table_num_elements(inst->ht) == 0) {
fr_hash_table_free(inst->ht);
inst->ht = NULL;
}
}
return 0;
}
/*
* 1 == ID was allocated & assigned
* 0 == error allocating memory
* -1 == all ID's are used, caller should open a new socket.
*
* Note that this ALSO assigns a socket to use, and updates
* packet->request->src_ipaddr && packet->request->src_port
*
* In multi-threaded systems, the calls to id_alloc && id_free
* should be protected by a mutex. This does NOT have to be
* the same mutex as the one protecting the insert/find/yank
* calls!
*/
int fr_packet_list_id_alloc(fr_packet_list_t *pl,
RADIUS_PACKET *request)
{
int i, id, start;
int src_any = 0;
uint32_t free_mask;
fr_packet_dst2id_t my_pd, *pd;
fr_packet_socket_t *ps;
bzero(&my_pd,sizeof(my_pd));
if (!pl || !pl->alloc_id || !request) {
fr_strerror_printf("Invalid arguments");
return 0;
}
/*
* Error out if no destination is specified.
*/
if ((request->dst_ipaddr.af == AF_UNSPEC) ||
(request->dst_port == 0)) {
fr_strerror_printf("No destination address/port specified");
return 0;
}
/*
* Special case: unspec == "don't care"
*/
if (request->src_ipaddr.af == AF_UNSPEC) {
memset(&request->src_ipaddr, 0, sizeof(request->src_ipaddr));
request->src_ipaddr.af = request->dst_ipaddr.af;
}
src_any = fr_inaddr_any(&request->src_ipaddr);
if (src_any < 0) {
fr_strerror_printf("Error checking src IP address");
return 0;
}
/*
* MUST specify a destination address.
*/
if (fr_inaddr_any(&request->dst_ipaddr) != 0) {
fr_strerror_printf("Error checking dst IP address");
return 0;
}
my_pd.dst_ipaddr = request->dst_ipaddr;
my_pd.dst_port = request->dst_port;
pd = fr_hash_table_finddata(pl->dst2id_ht, &my_pd);
if (!pd) {
pd = malloc(sizeof(*pd) + 255 * sizeof(pd->id[0]));
if (!pd) return 0;
memset(pd, 0, sizeof(*pd) + 255 * sizeof(pd->id[0]));
pd->dst_ipaddr = request->dst_ipaddr;
pd->dst_port = request->dst_port;
if (!fr_hash_table_insert(pl->dst2id_ht, pd)) {
free(pd);
fr_strerror_printf("Failed inserting into hash");
return 0;
}
}
/*
* FIXME: Go to an LRU system. This prevents ID re-use
* for as long as possible. The main problem with that
* approach is that it requires us to populate the
* LRU/FIFO when we add a new socket, or a new destination,
* which can be expensive.
*
* The LRU can be avoided if the caller takes care to free
* Id's only when all responses have been received, OR after
* a timeout.
*/
id = start = (int) fr_rand() & 0xff;
while (pd->id[id] == pl->mask) { /* all sockets are using this ID */
id++;
id &= 0xff;
if (id == start) {
fr_strerror_printf("All IDs are being used");
return 0;
}
}
free_mask = ~((~pd->id[id]) & pl->mask);
start = -1;
for (i = 0; i < MAX_SOCKETS; i++) {
if (pl->sockets[i].sockfd == -1) continue; /* paranoia */
ps = &(pl->sockets[i]);
/*
* Address families don't match, skip it.
*/
if (ps->ipaddr.af != request->dst_ipaddr.af) continue;
/*
* We're sourcing from *, and they asked for a
* specific source address: ignore it.
*/
if (ps->inaddr_any && !src_any) continue;
/*
* We're sourcing from a specific IP, and they
* asked for a source IP that isn't us: ignore
* it.
*/
if (!ps->inaddr_any && !src_any &&
(fr_ipaddr_cmp(&request->src_ipaddr,
&ps->ipaddr) != 0)) continue;
if ((free_mask & (1 << i)) == 0) {
start = i;
break;
}
}
if (start < 0) {
fr_strerror_printf("Internal sanity check failed");
return 0; /* bad error */
}
pd->id[id] |= (1 << start);
ps = &pl->sockets[start];
pd->num_outgoing++;
ps->num_outgoing++;
pl->num_outgoing++;
/*
* Set the ID, source IP, and source port.
*/
request->id = id;
request->sockfd = ps->sockfd;
request->src_ipaddr = ps->ipaddr;
request->src_port = ps->port;
return 1;
}