parse "radiusv11 = ..." for listeners, clients, and home servers
authorAlan T. DeKok <aland@freeradius.org>
Mon, 10 Apr 2023 13:25:06 +0000 (09:25 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 11 Apr 2023 13:08:30 +0000 (09:08 -0400)
src/include/libradius.h
src/lib/radius.c
src/main/client.c
src/main/listen.c
src/main/realms.c

index 1b9b2cd40ec403a69fcc45ab9846ed71b2a600f4..777927edb325aded5696ddfcb7fe732c91017c46 100644 (file)
@@ -436,6 +436,8 @@ typedef enum {
        FR_RADIUSV11_ALLOW,
        FR_RADIUSV11_REQUIRE,
 } fr_radiusv11_t;
+
+extern const FR_NAME_NUMBER radiusv11_types[];
 #endif
 
 /*
index 28a0aefaf50e62526ed77021675a348a2763e2de..6447a90dabf3ea0adda0c52edf58071c82826d09 100644 (file)
@@ -5284,3 +5284,13 @@ RADIUS_PACKET *rad_copy_packet(TALLOC_CTX *ctx, RADIUS_PACKET const *in)
 
        return out;
 }
+
+#ifdef WITH_RADIUSV11
+const FR_NAME_NUMBER radiusv11_types[] = {
+       { "forbid",     FR_RADIUSV11_FORBID },
+       { "allow",      FR_RADIUSV11_ALLOW },
+       { "require",    FR_RADIUSV11_REQUIRE },
+       { NULL, 0 }
+
+};
+#endif
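Review bot: A stray blank line sits between the `{ NULL, 0 }` terminator and `};`, and the table carries no comment saying what it is for, even though it is the single source of the accepted spellings for three separate parsers added in this commit (client.c, listen.c, realms.c). A short header such as `/* Accepted values of the "radiusv11" config item, shared by the listener, client and home_server parsers; { NULL, 0 } terminates it for fr_str2int() */` would make that role explicit. The enum it maps to is declared in libradius.h, outside this hunk.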
index 305871260ca349e758ac7d89c2bc265536a16e59..b4dfb31ed5790526c29e83825c646c16e5468459 100644 (file)
@@ -1045,6 +1045,24 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
                cl_srcipaddr = NULL;
        }
 
+#ifdef WITH_RADIUSV11
+       if (c->tls_required && (cf_pair_find(cs, "radiusv11") != NULL)) {
+               int rcode;
+               char const *name = NULL;
+
+               rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+               if (rcode < 0) goto error;
+
+               rcode = fr_str2int(radiusv11_types, name, -1);
+               if (rcode < 0) {
+                       cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+                       goto error;
+               }
+
+               c->radiusv11 = rcode;
+       }
+#endif
+
        /*
         *      A response_window of zero is OK, and means that it's
         *      ignored by the rest of the server timers.
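Review bot: A client section that sets `radiusv11` without `tls_required` is silently skipped by the `c->tls_required &&` guard on the first added line, so an administrator who writes `radiusv11 = require` on a plain UDP client gets no indication that the setting has no effect. Reporting it, e.g. `if (!c->tls_required && cf_pair_find(cs, "radiusv11")) cf_log_err_cs(cs, "'radiusv11' is only valid when 'tls_required' is set");` (or a WARN() if a hard error is not wanted), keeps the effective policy visible. The same eleven-line parse sequence is repeated in listen.c (common_socket_parse) and realms.c (home_server_afrom_cs) in this commit; a shared helper taking the section and an `fr_radiusv11_t *` would keep the three in step. client_afrom_cs starts and ends outside the hunk, and the `error` label it jumps to is not visible here.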
index 8041bb6b99901bb65c95d521d958afc6322db865..5c4e5baa4ab94123dec06d9ab27dc03d3d33423f 100644 (file)
@@ -770,6 +770,33 @@ static int dual_tcp_accept(rad_listen_t *listener)
                close(newfd);
                return 0;
        }
+
+#ifdef WITH_RADIUSV11
+       switch (listener->radiusv11) {
+       case FR_RADIUSV11_FORBID:
+               if (client->radiusv11 == FR_RADIUSV11_REQUIRE) {
+                       INFO("Ignoring new connection as client is marked as 'radiusv11 = require', and this socket has 'radiusv11 = forbid'");
+                       close(newfd);
+                       return 0;
+               }
+               break;
+
+       case FR_RADIUSV11_ALLOW:
+               /*
+                *      We negotiate it as per the client recommendations (forbid, allow, require)
+                */
+               break;
+
+       case FR_RADIUSV11_REQUIRE:
+               if (client->radiusv11 == FR_RADIUSV11_FORBID) {
+                       INFO("Ignoring new connection as client is marked as 'radiusv11 = forbid', and this socket has 'radiusv11 = require'");
+                       close(newfd);
+                       return 0;
+               }
+               break;
+       }
+#endif
+
 #endif
 
        /*
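Review bot: The two rejection messages are logged at INFO and do not say which client was refused, so an operator chasing a policy mismatch between a socket and a client has to correlate by timing; the message should at least carry the client's name, e.g. `WARN("Ignoring new connection from client %s: client has 'radiusv11 = require', but this socket has 'radiusv11 = forbid'", client->shortname);` and likewise for the `require`/`forbid` case. The `FR_RADIUSV11_ALLOW` branch admits the connection regardless of the client's setting and relies on later negotiation, which is outside this hunk, to enforce a client-side `require`; worth confirming that path rejects a peer that refuses v11. dual_tcp_accept starts and ends outside the hunk.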
@@ -1272,6 +1299,23 @@ int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
 
                        rcode = cf_item_parse(cs, "check_client_connections", FR_ITEM_POINTER(PW_TYPE_BOOLEAN, &this->check_client_connections), "no");
                        if (rcode < 0) return -1;
+
+#ifdef WITH_RADIUSV11
+                       if (cf_pair_find(cs, "radiusv11")) {
+                               char const *name = NULL;
+
+                               rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+                               if (rcode < 0) return -1;
+
+                               rcode = fr_str2int(radiusv11_types, name, -1);
+                               if (rcode < 0) {
+                                       cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+                                       return -1;
+                               }
+
+                               this->radiusv11 = rcode;
+                       }
+#endif
                }
 #else  /* WITH_TLS */
                /*
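Review bot: When the `radiusv11` pair is absent the whole block is skipped and `this->radiusv11` keeps whatever the structure was initialised with, so the effective default is "forbid" only if `FR_RADIUSV11_FORBID` is the enum's zero value and the listener was zero-allocated, neither of which is visible here. An explicit `this->radiusv11 = FR_RADIUSV11_FORBID;` before the `if`, or dropping the `cf_pair_find()` guard so the `"forbid"` default string passed to cf_item_parse() applies, makes the default independent of enum ordering. The same applies to the client.c and realms.c hunks in this commit. common_socket_parse starts and ends outside the hunk.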
index d707f085e6c2ec57f6ad77a8d4b968d416ff9b1d..0aad306e3e5e894c53d1785875aa784ecd415cd8 100644 (file)
@@ -1129,6 +1129,24 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE
 
                        home->listeners = rbtree_create(home, listener_cmp, NULL, RBTREE_FLAG_LOCK);
                        if (!home->listeners) goto error;
+
+#ifdef WITH_RADIUSV11
+                       if (cf_pair_find(tls, "radiusv11")) {
+                               char const *name = NULL;
+
+                               rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+                               if (rcode < 0) goto error;
+
+                               rcode = fr_str2int(radiusv11_types, name, -1);
+                               if (rcode < 0) {
+                                       cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+                                       goto error;
+                               }
+
+                               home->radiusv11 = rcode;
+                       }
+#endif
+
                }
 #endif
        } /* end of parse home server */
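Review bot: The guard on the first added line looks for the pair in the `tls` subsection (`cf_pair_find(tls, "radiusv11")`), but the parse two lines later reads it from the enclosing home_server section (`cf_item_parse(cs, "radiusv11", ...)`). If cf_item_parse() looks up the item in the section it is handed, a `radiusv11 = require` written inside `tls { }` passes the guard, is not found, and silently falls back to the `"forbid"` default, so the stricter policy the administrator configured is never applied. The two should agree, presumably `rcode = cf_item_parse(tls, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");`. home_server_afrom_cs starts and ends outside the hunk; the `error` label is not visible here.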