From: Alan T. DeKok
Date: Mon, 10 Apr 2023 13:25:06 +0000 (-0400)
Subject: parse "radiusv11 = ..." for listeners, clients, and home servers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=311d28e3b95614352badc2bd613b83bf2089077c;p=thirdparty%2Ffreeradius-server.git

parse "radiusv11 = ..." for listeners, clients, and home servers
---

diff --git a/src/include/libradius.h b/src/include/libradius.h
index 1b9b2cd40e..777927edb3 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -436,6 +436,8 @@ typedef enum {
 	FR_RADIUSV11_ALLOW,
 	FR_RADIUSV11_REQUIRE,
 } fr_radiusv11_t;
+
+extern const FR_NAME_NUMBER radiusv11_types[];
 #endif
 
 /*
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 28a0aefaf5..6447a90dab 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -5284,3 +5284,13 @@ RADIUS_PACKET *rad_copy_packet(TALLOC_CTX *ctx, RADIUS_PACKET const *in)
 
 	return out;
 }
+
+#ifdef WITH_RADIUSV11
+const FR_NAME_NUMBER radiusv11_types[] = {
+	{ "forbid", FR_RADIUSV11_FORBID },
+	{ "allow", FR_RADIUSV11_ALLOW },
+	{ "require", FR_RADIUSV11_REQUIRE },
+	{ NULL, 0 }
+
+};
+#endif
diff --git a/src/main/client.c b/src/main/client.c
index 305871260c..b4dfb31ed5 100644
--- a/src/main/client.c
+++ b/src/main/client.c
@@ -1045,6 +1045,24 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
 		cl_srcipaddr = NULL;
 	}
 
+#ifdef WITH_RADIUSV11
+	if (c->tls_required && (cf_pair_find(cs, "radiusv11") != NULL)) {
+		int rcode;
+		char const *name = NULL;
+
+		rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+		if (rcode < 0) goto error;
+
+		rcode = fr_str2int(radiusv11_types, name, -1);
+		if (rcode < 0) {
+			cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+			goto error;
+		}
+
+		c->radiusv11 = rcode;
+	}
+#endif
+
 	/*
 	 * A response_window of zero is OK, and means that it's
 	 * ignored by the rest of the server timers.
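Review bot: The initializer of `radiusv11_types` carries a stray blank line between the `{ NULL, 0 }` terminator and the closing `};`; drop it so the table reads like the other FR_NAME_NUMBER tables. The terminator's `0` also presumably coincides with the value of FR_RADIUSV11_FORBID, which is harmless as long as lookups stop at the NULL name, but `{ NULL, -1 }` would keep the sentinel distinct from a real policy value. The matching `extern` declaration in libradius.h is only usable if FR_NAME_NUMBER is already declared before line 436 of that header, which the hunk there does not show.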
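Review bot: A `radiusv11` pair on a client that is not `tls_required` is silently dropped — the guard on the first added `if` skips the whole block, so a non-TLS client configured with `radiusv11 = require` gets no diagnostic and `c->radiusv11` keeps whatever the allocation left in it. Report the misconfiguration instead of ignoring it, e.g. ahead of the added block: `if (!c->tls_required && cf_pair_find(cs, "radiusv11")) {` / `cf_log_err_cs(cs, "'radiusv11' is only valid for TLS clients"); goto error;` / `}` — or log a warning if ignoring it is the intended behaviour. client_afrom_cs starts and ends outside the hunk, so it is not visible here whether an outer `rcode` already exists that the new `int rcode` shadows.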
diff --git a/src/main/listen.c b/src/main/listen.c
index 8041bb6b99..5c4e5baa4a 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -770,6 +770,33 @@ static int dual_tcp_accept(rad_listen_t *listener)
 		close(newfd);
 		return 0;
 	}
+
+#ifdef WITH_RADIUSV11
+	switch (listener->radiusv11) {
+	case FR_RADIUSV11_FORBID:
+		if (client->radiusv11 == FR_RADIUSV11_REQUIRE) {
+			INFO("Ignoring new connection as client is marked as 'radiusv11 = require', and this socket has 'radiusv11 = forbid'");
+			close(newfd);
+			return 0;
+		}
+		break;
+
+	case FR_RADIUSV11_ALLOW:
+		/*
+		 * We negotiate it as per the client recommendations (forbid, allow, require)
+		 */
+		break;
+
+	case FR_RADIUSV11_REQUIRE:
+		if (client->radiusv11 == FR_RADIUSV11_FORBID) {
+			INFO("Ignoring new connection as client is marked as 'radiusv11 = forbid', and this socket has 'radiusv11 = require'");
+			close(newfd);
+			return 0;
+		}
+		break;
+	}
+#endif
+
 #endif
 
 	/*
@@ -1272,6 +1299,23 @@ int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
 		rcode = cf_item_parse(cs, "check_client_connections", FR_ITEM_POINTER(PW_TYPE_BOOLEAN, &this->check_client_connections), "no");
 		if (rcode < 0) return -1;
+
+#ifdef WITH_RADIUSV11
+		if (cf_pair_find(cs, "radiusv11")) {
+			char const *name = NULL;
+
+			rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+			if (rcode < 0) return -1;
+
+			rcode = fr_str2int(radiusv11_types, name, -1);
+			if (rcode < 0) {
+				cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+				return -1;
+			}
+
+			this->radiusv11 = rcode;
+		}
+#endif
 	}
 #else /* WITH_TLS */
 	/*
diff --git a/src/main/realms.c b/src/main/realms.c
index d707f085e6..0aad306e3e 100644
--- a/src/main/realms.c
+++ b/src/main/realms.c
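Review bot: The `switch (listener->radiusv11)` in dual_tcp_accept has no `default:` arm, so any value outside the three enumerators (for instance if the field is never assigned because the socket has no `radiusv11` pair and the listener allocation is not zeroed — not visible in this hunk) falls out of the switch and the connection is accepted. Add `default:` / `close(newfd);` / `return 0;` so an out-of-range policy fails closed, matching the rejection path already used for the two explicit mismatches. The two rejections are logged at INFO even though they drop an accepted TCP connection over a policy mismatch; WARN would be the level an operator is more likely to notice. dual_tcp_accept starts and ends outside the hunk.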
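Review bot: The parse block added to common_socket_parse is the third copy of the same dozen lines — client_afrom_cs in client.c and home_server_afrom_cs in realms.c carry the other two, differing only in the error path and the target field — and three hand-maintained copies invite drift, which the realms.c copy already shows. Factor it into one shared helper so each site becomes `if (radiusv11_parse(cs, &this->radiusv11) < 0) return -1;`; the hunk does not show the type of the `radiusv11` fields, so if they are the enum rather than `int`, parse into a local and assign. In this hunk the block also sits inside the TLS branch that closes at the `}` before `#else /* WITH_TLS */`, so a non-TLS listener carrying a `radiusv11` pair gets no diagnostic. common_socket_parse starts and ends outside the hunk.
```c
/*
 *	Parse an optional "radiusv11 = forbid|allow|require" pair from cs.
 *	Returns 0 when the pair is absent (*out untouched) or valid, and -1
 *	after logging an error.  Shared by client, listener and home server
 *	parsing so the three sites cannot drift apart.
 */
int radiusv11_parse(CONF_SECTION *cs, int *out)
{
	int rcode;
	char const *name = NULL;

	if (!cf_pair_find(cs, "radiusv11")) return 0;

	rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
	if (rcode < 0) return -1;

	rcode = fr_str2int(radiusv11_types, name, -1);
	if (rcode < 0) {
		cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
		return -1;
	}

	*out = rcode;
	return 0;
}

/* … in common_socket_parse, replacing the added block … */
		if (radiusv11_parse(cs, &this->radiusv11) < 0) return -1;
```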
@@ -1129,6 +1129,24 @@ home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SE
 		home->listeners = rbtree_create(home, listener_cmp, NULL, RBTREE_FLAG_LOCK);
 		if (!home->listeners) goto error;
+
+#ifdef WITH_RADIUSV11
+		if (cf_pair_find(tls, "radiusv11")) {
+			char const *name = NULL;
+
+			rcode = cf_item_parse(cs, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");
+			if (rcode < 0) goto error;
+
+			rcode = fr_str2int(radiusv11_types, name, -1);
+			if (rcode < 0) {
+				cf_log_err_cs(cs, "Invalid value for 'radiusv11'");
+				goto error;
+			}
+
+			home->radiusv11 = rcode;
+		}
+#endif
+
 	}
 #endif
 	} /* end of parse home server */
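Review bot: The lookup and the parse disagree on the section: `cf_pair_find(tls, "radiusv11")` tests the `tls` subsection, but `cf_item_parse(cs, "radiusv11", ...)` then reads from `cs`, so a `radiusv11 = require` placed under `tls { ... }` is detected, not parsed, and replaced by the `"forbid"` default — the home server is silently downgraded to forbid, and the error for a bad value is reported against the wrong section. Use one section for all three calls, e.g. `rcode = cf_item_parse(tls, "radiusv11", FR_ITEM_POINTER(PW_TYPE_STRING, &name), "forbid");` and `cf_log_err_cs(tls, "Invalid value for 'radiusv11'");`, or change the lookup to `cf_pair_find(cs, "radiusv11")` if the pair is meant to live at home-server level like the client and listener versions. home_server_afrom_cs starts and ends outside the hunk, and whether `rcode` is an existing local there is not visible.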