From c11e3d84543999e75e819f806e2bead4b40e41df Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Mon, 18 Mar 2013 20:15:39 -0400 Subject: [PATCH] Convert pairmake() to talloc And add a VALUE_PAIR**vps to it. If vps != NULL, the newly created VP is added to the list. This API change cleans up the code rather substantially --- src/include/libradius.h | 2 +- src/include/radiusd.h | 10 ++- src/include/soh.h | 2 +- src/lib/dhcp.c | 7 +- src/lib/valuepair.c | 67 ++++++--------- src/main/auth.c | 9 +- src/main/cb.c | 11 +-- src/main/conffile.c | 4 +- src/main/evaluate.c | 3 +- src/main/process.c | 52 +++++------ src/main/realms.c | 6 +- src/main/soh.c | 41 ++++----- src/main/tls.c | 86 ++++++++----------- src/main/valuepair.c | 29 ------- .../rlm_attr_rewrite/rlm_attr_rewrite.c | 6 +- src/modules/rlm_chap/rlm_chap.c | 3 +- src/modules/rlm_counter/rlm_counter.c | 3 +- src/modules/rlm_digest/rlm_digest.c | 3 +- src/modules/rlm_eap/eap.c | 4 +- src/modules/rlm_eap/libeap/eap_tls.c | 1 + src/modules/rlm_eap/libeap/eapcommon.c | 3 +- src/modules/rlm_eap/mem.c | 4 +- src/modules/rlm_eap/rlm_eap.c | 27 +++--- .../rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c | 13 ++- .../rlm_eap/types/rlm_eap_leap/eap_leap.c | 5 +- .../rlm_eap/types/rlm_eap_leap/eap_leap.h | 3 +- .../rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c | 2 +- .../types/rlm_eap_mschapv2/rlm_eap_mschapv2.c | 84 ++++++++---------- src/modules/rlm_eap/types/rlm_eap_peap/peap.c | 37 ++++---- .../rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c | 3 +- .../rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c | 9 +- src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 7 +- src/modules/rlm_eap2/rlm_eap2.c | 10 +-- src/modules/rlm_example/rlm_example.c | 7 +- src/modules/rlm_expiration/rlm_expiration.c | 3 +- src/modules/rlm_expr/paircmp.c | 2 +- src/modules/rlm_ldap/ldap.c | 4 +- src/modules/rlm_logintime/rlm_logintime.c | 4 +- src/modules/rlm_mschap/mschap.h | 2 +- src/modules/rlm_mschap/rlm_mschap.c | 66 +++++++------- .../rlm_opendirectory/rlm_opendirectory.c | 4 +- src/modules/rlm_otp/otp_mppe.c | 36 ++------ src/modules/rlm_otp/rlm_otp.c | 6 +- src/modules/rlm_passwd/rlm_passwd.c | 18 ++-- src/modules/rlm_perl/rlm_perl.c | 28 +++--- src/modules/rlm_preprocess/rlm_preprocess.c | 19 ++-- src/modules/rlm_python/rlm_python.c | 9 +- src/modules/rlm_realm/rlm_realm.c | 32 +------ src/modules/rlm_ruby/rlm_ruby.c | 13 ++- src/modules/rlm_securid/mem.c | 6 +- src/modules/rlm_securid/rlm_securid.c | 14 +-- src/modules/rlm_sim_files/rlm_sim_files.c | 19 +--- src/modules/rlm_smsotp/rlm_smsotp.c | 10 +-- src/modules/rlm_soh/rlm_soh.c | 4 +- src/modules/rlm_sql/rlm_sql.c | 13 ++- src/modules/rlm_sql/rlm_sql.h | 4 +- src/modules/rlm_sql/sql.c | 9 +- src/modules/rlm_sqlcounter/rlm_sqlcounter.c | 3 +- src/modules/rlm_unix/rlm_unix.c | 4 +- src/modules/rlm_wimax/rlm_wimax.c | 2 +- src/modules/rlm_yubikey/rlm_yubikey.c | 2 +- 61 files changed, 340 insertions(+), 559 deletions(-) diff --git a/src/include/libradius.h b/src/include/libradius.h index 1e8d6c8717b..49fd0634f8a 100644 --- a/src/include/libradius.h +++ b/src/include/libradius.h @@ -443,7 +443,7 @@ VALUE_PAIR *paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor, in void pairmove(VALUE_PAIR **to, VALUE_PAIR **from); void pairmove2(VALUE_PAIR **to, VALUE_PAIR **from, unsigned int attr, unsigned int vendor, int8_t tag); int pairparsevalue(VALUE_PAIR *vp, const char *value); -VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op); +VALUE_PAIR *pairmake(TALLOC_CTX *ctx, VALUE_PAIR **vps, const char *attribute, const char *value, FR_TOKEN op); int pairmark_xlat(VALUE_PAIR *vp, const char *value); FR_TOKEN pairread(const char **ptr, VALUE_PAIR_RAW *raw); FR_TOKEN userparse(const char *buffer, VALUE_PAIR **head); diff --git a/src/include/radiusd.h b/src/include/radiusd.h index 612dc07e2fb..8185ba216b9 100644 --- a/src/include/radiusd.h +++ b/src/include/radiusd.h @@ -732,11 +732,15 @@ int radius_callback_compare(REQUEST *req, VALUE_PAIR *request, int radius_find_compare(unsigned int attribute); VALUE_PAIR *radius_paircreate(REQUEST *request, VALUE_PAIR **vps, unsigned int attribute, unsigned int vendor); -VALUE_PAIR *radius_pairmake(REQUEST *request, VALUE_PAIR **vps, - const char *attribute, const char *value, - FR_TOKEN op); void module_failure_msg(REQUEST *request, const char *fmt, ...); +/* + * Less code == less bugs + */ +#define pairmake_packet(_a, _b, _c) pairmake(request->packet, &request->packet->vps, _a, _b, _c) +#define pairmake_reply(_a, _b, _c) pairmake(request->reply, &request->reply->vps, _a, _b, _c) +#define pairmake_config(_a, _b, _c) pairmake(request, &request->config_items, _a, _b, _c) + /* xlat.c */ typedef size_t (*RADIUS_ESCAPE_STRING)(REQUEST *, char *out, size_t outlen, const char *in, void *arg); diff --git a/src/include/soh.h b/src/include/soh.h index 96b750b90c6..16f458aee12 100644 --- a/src/include/soh.h +++ b/src/include/soh.h @@ -31,7 +31,7 @@ RCSIDH(soh_h, "$Id$") extern "C" { #endif - int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigned int data_len); +int soh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len); uint16_t soh_pull_be_16(const uint8_t *p); uint32_t soh_pull_be_24(const uint8_t *p); uint32_t soh_pull_be_32(const uint8_t *p); diff --git a/src/lib/dhcp.c b/src/lib/dhcp.c index 56ca39c4f46..ede612a103e 100644 --- a/src/lib/dhcp.c +++ b/src/lib/dhcp.c @@ -651,7 +651,7 @@ ssize_t fr_dhcp_decode_options(RADIUS_PACKET *packet, * Loop over all of the entries, building VPs */ for (i = 0; i < num_entries; i++) { - vp = pairmake(da->name, NULL, T_OP_ADD); + vp = pairmake(packet, NULL, da->name, NULL, T_OP_ADD); if (!vp) { fr_strerror_printf("Cannot build attribute %s", fr_strerror()); @@ -718,7 +718,7 @@ int fr_dhcp_decode(RADIUS_PACKET *packet) * Decode the header. */ for (i = 0; i < 14; i++) { - vp = pairmake(dhcp_header_names[i], NULL, T_OP_EQ); + vp = pairmake(packet, NULL, dhcp_header_names[i], NULL, T_OP_EQ); if (!vp) { char buffer[256]; strlcpy(buffer, fr_strerror(), sizeof(buffer)); @@ -1285,7 +1285,8 @@ int fr_dhcp_encode(RADIUS_PACKET *packet) p = packet->data; for (i = 0; i < 14; i++) { - vp = pairmake(dhcp_header_names[i], NULL, T_OP_EQ); + vp = pairmake(packet, NULL, + dhcp_header_names[i], NULL, T_OP_EQ); if (!vp) { char buffer[256]; strlcpy(buffer, fr_strerror(), sizeof(buffer)); diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c index e7e61ce5553..7c92c9d28ba 100644 --- a/src/lib/valuepair.c +++ b/src/lib/valuepair.c @@ -1422,7 +1422,8 @@ int pairparsevalue(VALUE_PAIR *vp, const char *value) * @param op to assign to new valuepair. * @return new valuepair or NULL on error. */ -static VALUE_PAIR *pairmake_any(const char *attribute, const char *value, +static VALUE_PAIR *pairmake_any(TALLOC_CTX *ctx, + const char *attribute, const char *value, FR_TOKEN op) { VALUE_PAIR *vp; @@ -1450,10 +1451,8 @@ static VALUE_PAIR *pairmake_any(const char *attribute, const char *value, * it. This next stop also looks the attribute up in the * dictionary, and creates the appropriate type for it. */ - vp = pairalloc(NULL, da); - if (!vp) { - return NULL; - } + vp = pairalloc(ctx, da); + if (!vp) return NULL; vp->op = (op == 0) ? T_OP_EQ : op; @@ -1495,7 +1494,8 @@ static VALUE_PAIR *pairmake_any(const char *attribute, const char *value, * @param[in] op to assign to new VALUE_PAIR. * @return a new VALUE_PAIR. */ -VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) +VALUE_PAIR *pairmake(TALLOC_CTX *ctx, VALUE_PAIR **vps, + const char *attribute, const char *value, FR_TOKEN op) { const DICT_ATTR *da; VALUE_PAIR *vp; @@ -1547,16 +1547,11 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) */ da = dict_attrbyname(attrname); if (!da) { - return pairmake_any(attrname, value, op); - } - - vp = pairalloc(NULL, da); - if (!vp) { - return NULL; + vp = pairmake_any(ctx, attrname, value, op); + if (vp) pairadd(vps, vp); + return vp; } - vp->op = (op == 0) ? T_OP_EQ : op; - /* Check for a tag in the 'Merit' format of: * :Tag:Value. Print an error if we already found * a tag in the Attribute. @@ -1569,7 +1564,6 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) value, vp->da->name); DEBUG("Duplicate tag %s for attribute %s\n", value, vp->da->name); - pairbasicfree(vp); return NULL; } /* Colon found and attribute allows a tag */ @@ -1584,26 +1578,25 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) value = tc + 1; else tag = 0; } - found_tag = 1; } - if (found_tag) { - vp->tag = tag; + vp = pairalloc(ctx, da); + if (!vp) { + return NULL; } + vp->op = (op == 0) ? T_OP_EQ : op; + vp->tag = tag; + switch (vp->op) { default: break; - /* - * For =* and !* operators, the value is irrelevant - * so we return now. - */ case T_OP_CMP_TRUE: case T_OP_CMP_FALSE: vp->vp_strvalue[0] = '\0'; vp->length = 0; - return vp; + value = NULL; /* ignore it! */ break; /* @@ -1618,15 +1611,11 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) return NULL; #else - if (!value) { - /* - * Just return the vp. - * - * The value will likely be provided later by - * an xlat expansion. - */ - return vp; - } + + /* + * Someone else will fill in the value. + */ + if (!value) break; pairbasicfree(vp); @@ -1643,17 +1632,16 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) } } - vp = pairmake(attribute, NULL, op); - if (!vp) { - return NULL; - } + vp = pairmake(ctx, NULL, attribute, NULL, op); + if (!vp) return NULL; if (pairmark_xlat(vp, value) < 0) { pairbasicfree(vp); return NULL; } - - return vp; + + value = NULL; /* ignore it */ + break; #endif } @@ -1670,6 +1658,7 @@ VALUE_PAIR *pairmake(const char *attribute, const char *value, FR_TOKEN op) return NULL; } + if (vps) pairadd(vps, vp); return vp; } @@ -1932,7 +1921,7 @@ FR_TOKEN userparse(const char *buffer, VALUE_PAIR **list) last_token = pairread(&p, &raw); if (last_token == T_OP_INVALID) break; - vp = pairmake(raw.l_opand, raw.r_opand, raw.op); + vp = pairmake(NULL, NULL, raw.l_opand, raw.r_opand, raw.op); if (!vp) break; if (raw.quote == T_DOUBLE_QUOTED_STRING) { diff --git a/src/main/auth.c b/src/main/auth.c index f704a06e0c8..09dc69115c9 100644 --- a/src/main/auth.c +++ b/src/main/auth.c @@ -624,9 +624,8 @@ autz_redo: * Remove ALL reply attributes. */ pairfree(&request->reply->vps); - radius_pairmake(request, &request->reply->vps, - "Reply-Message", - user_msg, T_OP_SET); + pairmake_reply("Reply-Message", + user_msg, T_OP_SET); snprintf(logstr, sizeof(logstr), "Multiple logins (max %d) %s", check_item->vp_integer, @@ -686,9 +685,7 @@ int rad_virtual_server(REQUEST *request) if (request->reply->code == PW_AUTHENTICATION_REJECT) { pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY); - vp = radius_pairmake(request, &request->config_items, - "Post-Auth-Type", "Reject", - T_OP_SET); + vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET); if (vp) rad_postauth(request); } diff --git a/src/main/cb.c b/src/main/cb.c index 2a2195dece3..b2ad98402c3 100644 --- a/src/main/cb.c +++ b/src/main/cb.c @@ -73,15 +73,8 @@ void cbtls_info(const SSL *s, int where, int ret) } } - if (buffer[0]) { - radlog(L_ERR, "%s", buffer); - - if (request) { - VALUE_PAIR *vp; - - vp = pairmake("Module-Failure-Message", buffer, T_OP_ADD); - if (vp) pairadd(&request->packet->vps, vp); - } + if (buffer[0] && request) { + RDEBUGE("SSL says: %s", buffer); } } diff --git a/src/main/conffile.c b/src/main/conffile.c index f78da46583a..c2d09efa473 100644 --- a/src/main/conffile.c +++ b/src/main/conffile.c @@ -1980,7 +1980,7 @@ VALUE_PAIR *cf_pairtovp(CONF_PAIR *pair) (pair->value_type == T_BACK_QUOTED_STRING))) { VALUE_PAIR *vp; - vp = pairmake(pair->attr, NULL, pair->op); + vp = pairmake(pair, NULL, pair->attr, NULL, pair->op); if (!vp) { return NULL; } @@ -1994,7 +1994,7 @@ VALUE_PAIR *cf_pairtovp(CONF_PAIR *pair) return vp; } - return pairmake(pair->attr, pair->value, pair->op); + return pairmake(pair, NULL, pair->attr, pair->value, pair->op); } /* diff --git a/src/main/evaluate.c b/src/main/evaluate.c index 7a2771be546..c2b790896de 100644 --- a/src/main/evaluate.c +++ b/src/main/evaluate.c @@ -265,7 +265,8 @@ static int radius_do_cmp(REQUEST *request, int *presult, */ da = dict_attrbyname(pleft); if (da && (da->vendor == 0) && radius_find_compare(da->attr)) { - VALUE_PAIR *check = pairmake(pleft, pright, token); + VALUE_PAIR *check; + check = pairmake(request, NULL, pleft, pright, token); *presult = (radius_callback_compare(request, NULL, check, NULL, NULL) == 0); RDEBUG3(" Callback returns %d", *presult); diff --git a/src/main/process.c b/src/main/process.c index d557276376a..3a268bea8e8 100644 --- a/src/main/process.c +++ b/src/main/process.c @@ -1099,10 +1099,7 @@ STATE_MACHINE_DECL(request_finish) case PW_ACCESS_CHALLENGE: pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY); - vp = radius_pairmake(request, &request->config_items, - "Post-Auth-Type", "Challenge", - T_OP_SET); - + vp = pairmake_config("Post-Auth-Type", "Challenge", T_OP_SET); if (vp) rad_postauth(request); break; default: @@ -1119,9 +1116,7 @@ STATE_MACHINE_DECL(request_finish) */ if (request->reply->code == PW_AUTHENTICATION_REJECT) { pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY); - vp = radius_pairmake(request, &request->config_items, - "Post-Auth-Type", "Reject", - T_OP_SET); + vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET); if (vp) rad_postauth(request); } @@ -2192,8 +2187,7 @@ static int request_will_proxy(REQUEST *request) /* * Remember that we sent the request to a Realm. */ - if (realmname) pairadd(&request->packet->vps, - pairmake("Realm", realmname, T_OP_EQ)); + if (realmname) pairmake_packet("Realm", realmname, T_OP_EQ); /* * Strip the name, if told to. @@ -2600,41 +2594,41 @@ static void ping_home_server(void *ctx) if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) { request->proxy->code = PW_STATUS_SERVER; - radius_pairmake(request, &request->proxy->vps, - "Message-Authenticator", "0x00", T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Message-Authenticator", "0x00", T_OP_SET); } else if (home->type == HOME_TYPE_AUTH) { request->proxy->code = PW_AUTHENTICATION_REQUEST; - radius_pairmake(request, &request->proxy->vps, - "User-Name", home->ping_user_name, T_OP_SET); - radius_pairmake(request, &request->proxy->vps, - "User-Password", home->ping_user_password, T_OP_SET); - radius_pairmake(request, &request->proxy->vps, - "Service-Type", "Authenticate-Only", T_OP_SET); - radius_pairmake(request, &request->proxy->vps, - "Message-Authenticator", "0x00", T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "User-Name", home->ping_user_name, T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "User-Password", home->ping_user_password, T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Service-Type", "Authenticate-Only", T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Message-Authenticator", "0x00", T_OP_SET); } else { #ifdef WITH_ACCOUNTING request->proxy->code = PW_ACCOUNTING_REQUEST; - radius_pairmake(request, &request->proxy->vps, - "User-Name", home->ping_user_name, T_OP_SET); - radius_pairmake(request, &request->proxy->vps, - "Acct-Status-Type", "Stop", T_OP_SET); - radius_pairmake(request, &request->proxy->vps, - "Acct-Session-Id", "00000000", T_OP_SET); - vp = radius_pairmake(request, &request->proxy->vps, - "Event-Timestamp", "0", T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "User-Name", home->ping_user_name, T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Acct-Status-Type", "Stop", T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Acct-Session-Id", "00000000", T_OP_SET); + vp = pairmake(request->proxy, &request->proxy->vps, + "Event-Timestamp", "0", T_OP_SET); vp->vp_date = now.tv_sec; #else rad_assert("Internal sanity check failed"); #endif } - vp = radius_pairmake(request, &request->proxy->vps, - "NAS-Identifier", "", T_OP_SET); + vp = pairmake(request->proxy, &request->proxy->vps, + "NAS-Identifier", "", T_OP_SET); if (vp) { snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "Status Check %u. Are you alive?", diff --git a/src/main/realms.c b/src/main/realms.c index 0af49694d47..82399bfe156 100644 --- a/src/main/realms.c +++ b/src/main/realms.c @@ -2132,9 +2132,9 @@ void home_server_update_request(home_server *home, REQUEST *request) */ if ((request->packet->code == PW_AUTHENTICATION_REQUEST) && !pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY)) { - radius_pairmake(request, &request->proxy->vps, - "Message-Authenticator", "0x00", - T_OP_SET); + pairmake(request->proxy, &request->proxy->vps, + "Message-Authenticator", "0x00", + T_OP_SET); } } diff --git a/src/main/soh.c b/src/main/soh.c index a17980acded..07e8b37b1dc 100644 --- a/src/main/soh.c +++ b/src/main/soh.c @@ -142,7 +142,7 @@ uint32_t soh_pull_be_32(const uint8_t *p) { * @param data_len length of blob * @return 1 on success, 0 on failure */ -static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, unsigned int data_len) { +static int eapsoh_mstlv(REQUEST *request, const uint8_t *p, unsigned int data_len) { VALUE_PAIR *vp; uint8_t c; int t; @@ -162,45 +162,38 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u } data_len -= 18; - vp = pairmake("SoH-MS-Machine-OS-vendor", "Microsoft", T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-OS-vendor", "Microsoft", T_OP_EQ); if (!vp) return 0; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-OS-version", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-OS-version", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-OS-release", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-OS-release", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-OS-build", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-OS-build", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_32(p); p+=4; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-SP-version", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-SP-version", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-SP-release", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-SP-release", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; - pairadd(&sohvp, vp); - vp = pairmake("SoH-MS-Machine-Processor", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-Processor", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = soh_pull_be_16(p); p+=2; - pairadd(&sohvp, vp); break; case 2: @@ -252,13 +245,12 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u t = soh_pull_be_16(p); p += 2; - vp = pairmake("SoH-MS-Machine-Name", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-Name", NULL, T_OP_EQ); if (!vp) return 0; memcpy(vp->vp_strvalue, p, t); vp->vp_strvalue[t] = 0; - pairadd(&sohvp, vp); p += t; data_len -= 2 + t; break; @@ -270,12 +262,11 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u * 24 bytes opaque binary which we might, in future, have * to echo back to the client in a final SoHR */ - vp = pairmake("SoH-MS-Correlation-Id", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Correlation-Id", NULL, T_OP_EQ); if (!vp) return 0; memcpy(vp->vp_octets, p, 24); vp->length = 24; - pairadd(&sohvp, vp); p += 24; data_len -= 24; break; @@ -301,11 +292,10 @@ static int eapsoh_mstlv(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *p, u * 1 byte product type (client=1 domain_controller=2 server=3) */ p += 4; - vp = pairmake("SoH-MS-Machine-Role", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Machine-Role", NULL, T_OP_EQ); if (!vp) return 0; vp->vp_integer = *p; - pairadd(&sohvp, vp); p++; data_len -= 5; break; @@ -382,7 +372,7 @@ static const char* healthclass2str(uint8_t hc) { * @return 0 on success, -1 on failure * */ -int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigned int data_len) { +int soh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len) { VALUE_PAIR *vp; eap_soh hdr; @@ -490,7 +480,7 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne */ if (curr_shid==0x137 && curr_shid_c==0) { RDEBUG2("SoH MS type-value payload"); - eapsoh_mstlv(request, sohvp, data + 4, tlv.tlv_len - 4); + eapsoh_mstlv(request, data + 4, tlv.tlv_len - 4); } else { RDEBUG2("SoH unhandled vendor-specific TLV %08x/component=%i %i bytes payload", curr_shid, curr_shid_c, tlv.tlv_len); } @@ -537,7 +527,7 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne RDEBUG2("SoH Health-Class-Status microsoft DWORD=%08x", hcstatus); - vp = pairmake("SoH-MS-Windows-Health-Status", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Windows-Health-Status", NULL, T_OP_EQ); if (!vp) return 0; switch (curr_hc) { @@ -638,13 +628,12 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne break; } } else { - vp = pairmake("SoH-MS-Health-Other", NULL, T_OP_EQ); + vp = pairmake_packet("SoH-MS-Health-Other", NULL, T_OP_EQ); if (!vp) return 0; /* FIXME: what to do with the payload? */ snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%08x/%i ?", curr_shid, curr_shid_c); } - pairadd(&sohvp, vp); break; default: diff --git a/src/main/tls.c b/src/main/tls.c index 8ade94f410f..67fefa36ba7 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -111,8 +111,8 @@ tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd) int verify_mode; tls_session_t *ssn = NULL; - ssn = (tls_session_t *) malloc(sizeof(*ssn)); - memset(ssn, 0, sizeof(*ssn)); + ssn = talloc_zero(conf, tls_session_t); + if (!ssn) return NULL; ssn->ctx = conf->ctx; ssn->ssl = SSL_new(ssn->ctx); @@ -135,6 +135,7 @@ tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd) SSL_set_verify(ssn->ssl, verify_mode, cbtls_verify); SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); + SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); SSL_set_fd(ssn->ssl, fd); if (SSL_connect(ssn->ssl) <= 0) { int err; @@ -142,7 +143,7 @@ tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd) DEBUG("OpenSSL Err says %s", ERR_error_string(err, NULL)); } - free(ssn); + talloc_free(ssn); return NULL; } @@ -184,8 +185,7 @@ tls_session_t *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request, /* We use the SSL's "app_data" to indicate a call-back */ SSL_set_app_data(new_tls, NULL); - state = (tls_session_t *)malloc(sizeof(*state)); - memset(state, 0, sizeof(*state)); + state = talloc_zero(conf, tls_session_t); session_init(state); state->ctx = conf->ctx; @@ -238,6 +238,7 @@ tls_session_t *tls_new_session(fr_tls_server_conf_t *conf, REQUEST *request, SSL_set_verify(state->ssl, verify_mode, cbtls_verify); SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); + SSL_set_ex_data(state->ssl, FR_TLS_EX_INDEX_SSN, (void *)state); state->length_flag = conf->include_length; /* @@ -277,14 +278,8 @@ static int int_ssl_check(REQUEST *request, SSL *s, int ret, const char *text) if ((l = ERR_get_error()) != 0) { const char *p = ERR_error_string(l, NULL); - VALUE_PAIR *vp; - - radlog(L_ERR, "SSL error %s", p); - if (request) { - vp = pairmake("Module-Failure-Message", p, T_OP_ADD); - if (vp) pairadd(&request->packet->vps, vp); - } + if (request && p) RDEBUGE("SSL says: %s", p); } e = SSL_get_error(s, ret); @@ -505,7 +500,7 @@ void session_free(void *ssn) session_close(sess); - free(sess); + talloc_free(sess); } static void record_init(record_t *rec) @@ -1044,7 +1039,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) } /* alloc and convert to ASN.1 */ - sess_blob = malloc(blob_len); + sess_blob = talloc_array(conf, unsigned char, blob_len); if (!sess_blob) { DEBUG2(" SSL: could not allocate buffer len=%d to persist session", blob_len); return 0; @@ -1059,8 +1054,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) /* open output file */ rv = snprintf(filename, sizeof(filename), "%s%c%s.asn1", - conf->session_cache_path, FR_DIR_SEP, buffer - ); + conf->session_cache_path, FR_DIR_SEP, buffer); fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); if (fd < 0) { DEBUG2(" SSL: could not open session file %s: %s", filename, strerror(errno)); @@ -1084,7 +1078,7 @@ static int cbtls_new_session(SSL *ssl, SSL_SESSION *sess) } error: - if (sess_blob) free(sess_blob); + if (sess_blob) talloc_free(sess_blob); return 0; } @@ -1144,7 +1138,7 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, goto err; } - sess_data = malloc(st.st_size); + sess_data = talloc_array(conf, unsigned char, st.st_size); if (!sess_data) { DEBUG2(" SSL: could not alloc buffer for persisted session len=%d", (int) st.st_size); close(fd); @@ -1180,7 +1174,7 @@ static SSL_SESSION *cbtls_get_session(SSL *ssl, DEBUG2(" SSL: Successfully restored session %s", buffer); } err: - if (sess_data) free(sess_data); + if (sess_data) talloc_free(sess_data); if (pairlist) pairlist_free(&pairlist); *copy = 0; @@ -1492,6 +1486,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) X509_STORE *ocsp_store = NULL; X509 *issuer_cert; #endif + tls_session_t *ssn; client_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); @@ -1524,7 +1519,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) #ifdef HAVE_OPENSSL_OCSP_H ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE); #endif - + ssn = (tls_session_t *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_SSN); /* * Get the Serial Number @@ -1547,8 +1542,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) sprintf(p, "%02x", (unsigned int)sn->data[i]); p += 2; } - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_SERIAL][lookup], buf, T_OP_SET); } @@ -1561,8 +1555,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) (asn_time->length < (int) sizeof(buf))) { memcpy(buf, (char*) asn_time->data, asn_time->length); buf[asn_time->length] = '\0'; - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_EXPIRATION][lookup], buf, T_OP_SET); } /* @@ -1574,8 +1567,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) subject[sizeof(subject) - 1] = '\0'; if (identity && (lookup <= 1) && subject[0] && (strlen(subject) < MAX_STRING_LEN)) { - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET); } X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, @@ -1583,8 +1575,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) issuer[sizeof(issuer) - 1] = '\0'; if (identity && (lookup <= 1) && issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) { - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET); } /* @@ -1595,8 +1586,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) common_name[sizeof(common_name) - 1] = '\0'; if (identity && (lookup <= 1) && common_name[0] && subject[0] && (strlen(common_name) < MAX_STRING_LEN)) { - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET); } #ifdef GEN_EMAIL @@ -1619,9 +1609,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN) break; - pairadd(certs, - pairmake(cert_attr_names[FR_TLS_SAN_EMAIL][lookup], - (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET)); + pairmake(ssn, certs, cert_attr_names[FR_TLS_SAN_EMAIL][lookup], + (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET); break; default: /* XXX TODO handle other SAN types */ @@ -1647,8 +1636,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) if (!my_ok) { const char *p = X509_verify_cert_error_string(err); radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p); - radius_pairmake(request, &request->packet->vps, - "Module-Failure-Message", p, T_OP_SET); + RDEBUGE("SSL says error %d : %s", err, p); return my_ok; } @@ -1747,8 +1735,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) } fclose(fp); - if (!radius_pairmake(request, &request->packet->vps, - "TLS-Client-Cert-Filename", + if (!pairmake_packet("TLS-Client-Cert-Filename", filename, T_OP_SET)) { RDEBUG("Failed creating TLS-Client-Cert-Filename"); @@ -1945,16 +1932,16 @@ static SSL_CTX *init_tls_ctx(fr_tls_server_conf_t *conf, int client) FILE* cmd_pipe = popen(cmd, "r"); if (!cmd_pipe) { - radlog(L_ERR, "rlm_eap: %s command failed. Unable to get private_key_password", cmd); - radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file); + radlog(L_ERR, "TLS: %s command failed. Unable to get private_key_password", cmd); + radlog(L_ERR, "Error reading private_key_file %s", conf->private_key_file); return NULL; } - free(conf->private_key_password); - conf->private_key_password = malloc(max_password_len * sizeof(char)); + talloc_free(conf->private_key_password); + conf->private_key_password = talloc_array(conf, char, max_password_len); if (!conf->private_key_password) { - radlog(L_ERR, "rlm_eap: Can't malloc space for private_key_password"); - radlog(L_ERR, "rlm_eap: Error reading private_key_file %s", conf->private_key_file); + radlog(L_ERR, "TLS: Can't allocate space for private_key_password"); + radlog(L_ERR, "TLS: Error reading private_key_file %s", conf->private_key_file); pclose(cmd_pipe); return NULL; } @@ -2256,8 +2243,10 @@ static void tls_server_conf_free(fr_tls_server_conf_t *conf) conf->ocsp_store = NULL; #endif +#ifndef NDEBUG memset(conf, 0, sizeof(*conf)); - free(conf); +#endif + talloc_free(conf); } @@ -2275,12 +2264,11 @@ fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs) return conf; } - conf = malloc(sizeof(*conf)); + conf = talloc_zero(cs, fr_tls_server_conf_t); if (!conf) { radlog(L_ERR, "Out of memory"); return NULL; } - memset(conf, 0, sizeof(*conf)); if (cf_section_parse(cs, conf, tls_server_config) < 0) { error: @@ -2379,12 +2367,11 @@ fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs) return conf; } - conf = malloc(sizeof(*conf)); + conf = talloc_zero(cs, fr_tls_server_conf_t); if (!conf) { radlog(L_ERR, "Out of memory"); return NULL; } - memset(conf, 0, sizeof(*conf)); if (cf_section_parse(cs, conf, tls_client_config) < 0) { error: @@ -2573,8 +2560,7 @@ int tls_success(tls_session_t *ssn, REQUEST *request) /* * Mark the request as resumed. */ - vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET); - if (vp) pairadd(&request->packet->vps, vp); + pairmake_packet("EAP-Session-Resumed", "1", T_OP_SET); } } diff --git a/src/main/valuepair.c b/src/main/valuepair.c index 792bd76e41e..265de16ce3c 100644 --- a/src/main/valuepair.c +++ b/src/main/valuepair.c @@ -840,35 +840,6 @@ VALUE_PAIR *radius_paircreate(REQUEST *request, VALUE_PAIR **vps, return vp; } -/** Create a VALUE_PAIR from ASCII strings and add it to a list of VALUE_PAIR s - * - * Converts an attribute string identifier (with an optional tag qualifier) - * and value string into a VALUE_PAIR. - * - * The string value is parsed according to the type of VALUE_PAIR being created. - * - * @param[in] request current request. - * @param[out] vps List to add new VALUE_PAIR to, if NULL will just - * return VALUE_PAIR. - * @param[in] attribute name. - * @param[in] value attribute value. - * @param[in] op fr_tokens value. - * @return a new VALUE_PAIR. - */ -VALUE_PAIR *radius_pairmake(UNUSED REQUEST *request, VALUE_PAIR **vps, - const char *attribute, const char *value, - FR_TOKEN op) -{ - VALUE_PAIR *vp; - - vp = pairmake(attribute, value, op); - if (!vp) return NULL; - - if (vps) pairadd(vps, vp); - - return vp; -} - /** Print a single valuepair to stderr or error log. * * @param[in] vp list to print. diff --git a/src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c b/src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c index a31b5f52cf1..b7dbd278006 100644 --- a/src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c +++ b/src/modules/rlm_attr_rewrite/rlm_attr_rewrite.c @@ -191,7 +191,11 @@ static rlm_rcode_t do_attr_rewrite(void *instance, REQUEST *request) DEBUG2("%s: xlat on replace string failed.", inst->name); return rcode; } - attr_vp = pairmake(inst->attribute,replace_STR,0); + + /* + * @todo: this shouldn't really be the request. + */ + attr_vp = pairmake(request, NULL, inst->attribute,replace_STR,0); if (attr_vp == NULL){ DEBUG2("%s: Could not add new attribute %s with value '%s'", inst->name, inst->attribute,replace_STR); diff --git a/src/modules/rlm_chap/rlm_chap.c b/src/modules/rlm_chap/rlm_chap.c index e18feab2194..eb21f34dc41 100644 --- a/src/modules/rlm_chap/rlm_chap.c +++ b/src/modules/rlm_chap/rlm_chap.c @@ -40,8 +40,7 @@ static rlm_rcode_t chap_authorize(UNUSED void *instance, } RDEBUG("Setting 'Auth-Type := CHAP'"); - pairadd(&request->config_items, - pairmake("Auth-Type", "CHAP", T_OP_EQ)); + pairmake_config("Auth-Type", "CHAP", T_OP_EQ); return RLM_MODULE_OK; } diff --git a/src/modules/rlm_counter/rlm_counter.c b/src/modules/rlm_counter/rlm_counter.c index 97ca48adaed..e4ff92a99f3 100644 --- a/src/modules/rlm_counter/rlm_counter.c +++ b/src/modules/rlm_counter/rlm_counter.c @@ -880,8 +880,7 @@ static rlm_rcode_t counter_authorize(void *instance, REQUEST *request) */ sprintf(msg, "Your maximum %s usage time has been reached", inst->reset); - reply_item=pairmake("Reply-Message", msg, T_OP_EQ); - pairadd(&request->reply->vps, reply_item); + pairmake_reply("Reply-Message", msg, T_OP_EQ); RDEBUGE("Maximum %s usage time reached", inst->reset); diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c index f54740d2582..98d4d5f6f52 100644 --- a/src/modules/rlm_digest/rlm_digest.c +++ b/src/modules/rlm_digest/rlm_digest.c @@ -201,8 +201,7 @@ static rlm_rcode_t digest_authorize(void *instance, REQUEST *request) * Everything's OK, add a digest authentication type. */ RDEBUG("Adding Auth-Type = DIGEST"); - pairadd(&request->config_items, - pairmake("Auth-Type", "DIGEST", T_OP_EQ)); + pairmake_config("Auth-Type", "DIGEST", T_OP_EQ); return RLM_MODULE_OK; } diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c index 35a0ab72bf8..223a76da522 100644 --- a/src/modules/rlm_eap/eap.c +++ b/src/modules/rlm_eap/eap.c @@ -1090,7 +1090,7 @@ eap_handler_t *eap_handler(rlm_eap_t *inst, eap_packet_raw_t **eap_packet_p, * correctly */ RDEBUG2("Broken NAS did not set User-Name, setting from EAP Identity"); - vp = pairmake("User-Name", handler->identity, T_OP_EQ); + vp = pairmake(request->packet, NULL, "User-Name", handler->identity, T_OP_EQ); if (vp == NULL) { RDEBUG("Out of memory"); free(*eap_packet_p); @@ -1149,7 +1149,7 @@ eap_handler_t *eap_handler(rlm_eap_t *inst, eap_packet_raw_t **eap_packet_p, * correctly */ RDEBUG2W("NAS did not set User-Name. Setting it locally from EAP Identity"); - vp = pairmake("User-Name", handler->identity, T_OP_EQ); + vp = pairmake(request->packet, NULL, "User-Name", handler->identity, T_OP_EQ); if (vp == NULL) { RDEBUG("Out of memory"); free(*eap_packet_p); diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c index 87865315e71..f9c70c8cda1 100644 --- a/src/modules/rlm_eap/libeap/eap_tls.c +++ b/src/modules/rlm_eap/libeap/eap_tls.c @@ -143,6 +143,7 @@ tls_session_t *eaptls_session(fr_tls_server_conf_t *tls_conf, eap_handler_t *han #ifdef HAVE_OPENSSL_OCSP_H SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp_store); #endif + SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); return ssn; } diff --git a/src/modules/rlm_eap/libeap/eapcommon.c b/src/modules/rlm_eap/libeap/eapcommon.c index dc843df3b29..def8eea8113 100644 --- a/src/modules/rlm_eap/libeap/eapcommon.c +++ b/src/modules/rlm_eap/libeap/eapcommon.c @@ -382,7 +382,7 @@ void eap_add_reply(REQUEST *request, { VALUE_PAIR *vp; - vp = pairmake(name, "", T_OP_EQ); + vp = pairmake_reply(name, "", T_OP_EQ); if (!vp) { RDEBUGE("Did not create attribute %s: %s\n", name, fr_strerror()); @@ -391,5 +391,4 @@ void eap_add_reply(REQUEST *request, memcpy(vp->vp_octets, value, len); vp->length = len; - pairadd(&request->reply->vps, vp); } diff --git a/src/modules/rlm_eap/mem.c b/src/modules/rlm_eap/mem.c index 6265b39435a..e255119f8e6 100644 --- a/src/modules/rlm_eap/mem.c +++ b/src/modules/rlm_eap/mem.c @@ -380,7 +380,7 @@ int eaplist_add(rlm_eap_t *inst, eap_handler_t *handler) * Generate State, since we've been asked to add it to * the list. */ - state = pairmake("State", "0x00", T_OP_EQ); + state = pairmake_reply("State", "0x00", T_OP_EQ); if (!state) return 0; /* @@ -512,8 +512,6 @@ int eaplist_add(rlm_eap_t *inst, eap_handler_t *handler) state->vp_octets[2], state->vp_octets[3], state->vp_octets[4], state->vp_octets[5], state->vp_octets[6], state->vp_octets[7]); - - pairadd(&(request->reply->vps), state); return 1; } diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c index eabb5aa8e94..a7e1db775d1 100644 --- a/src/modules/rlm_eap/rlm_eap.c +++ b/src/modules/rlm_eap/rlm_eap.c @@ -387,10 +387,10 @@ static rlm_rcode_t eap_authenticate(void *instance, REQUEST *request) if (vp) { vp = pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY); if (!vp) { - vp = pairmake("Message-Authenticator", - "0x00", T_OP_EQ); - rad_assert(vp != NULL); - pairadd(&(request->proxy->vps), vp); + pairmake(request->proxy, + &request->proxy->vps, + "Message-Authenticator", + "0x00", T_OP_EQ); } } @@ -469,13 +469,11 @@ static rlm_rcode_t eap_authenticate(void *instance, REQUEST *request) */ vp = pairfind(request->reply->vps, PW_USER_NAME, 0, TAG_ANY); if (!vp) { - vp = pairmake("User-Name", "", + vp = pairmake_reply("User-Name", "", T_OP_EQ); strlcpy(vp->vp_strvalue, request->username->vp_strvalue, sizeof(vp->vp_strvalue)); vp->length = request->username->length; - rad_assert(vp != NULL); - pairadd(&(request->reply->vps), vp); } /* @@ -548,13 +546,12 @@ static rlm_rcode_t eap_authorize(void *instance, REQUEST *request) */ vp = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY); if ((!vp) || (vp->vp_integer != PW_AUTHTYPE_REJECT)) { - vp = pairmake("Auth-Type", inst->xlat_name, T_OP_EQ); + vp = pairmake_config("Auth-Type", inst->xlat_name, T_OP_EQ); if (!vp) { RDEBUG2("Failed to create Auth-Type %s: %s\n", inst->xlat_name, fr_strerror()); return RLM_MODULE_FAIL; } - pairadd(&request->config_items, vp); } else { RDEBUG2W("Auth-Type already set. Not setting to EAP"); } @@ -652,10 +649,9 @@ static rlm_rcode_t eap_post_proxy(void *inst, REQUEST *request) */ vp = pairfind(request->reply->vps, PW_USER_NAME, 0, TAG_ANY); if (!vp) { - vp = pairmake("User-Name", request->username->vp_strvalue, - T_OP_EQ); - rad_assert(vp != NULL); - pairadd(&(request->reply->vps), vp); + pairmake_reply("User-Name", + request->username->vp_strvalue, + T_OP_EQ); } } @@ -775,10 +771,7 @@ static rlm_rcode_t eap_post_auth(void *instance, REQUEST *request) */ vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY); if (!vp) { - vp = pairmake("Message-Authenticator", - "0x00", T_OP_EQ); - rad_assert(vp != NULL); - pairadd(&(request->reply->vps), vp); + pairmake_reply("Message-Authenticator", "0x00", T_OP_EQ); } return RLM_MODULE_UPDATED; diff --git a/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c b/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c index 5a66735383f..bb388b9a6b4 100644 --- a/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c +++ b/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c @@ -140,7 +140,7 @@ static int gtc_authenticate(void *instance, eap_handler_t *handler) /* * Get the Cleartext-Password for this user. */ - rad_assert(handler->request != NULL); + rad_assert(request != NULL); rad_assert(handler->stage == AUTHENTICATE); /* @@ -174,7 +174,7 @@ static int gtc_authenticate(void *instance, eap_handler_t *handler) /* * For now, do clear-text password authentication. */ - vp = pairfind(handler->request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY); + vp = pairfind(request->config_items, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY); if (!vp) { RDEBUG2E("Cleartext-Password is required for authentication."); eap_ds->request->code = PW_EAP_FAILURE; @@ -205,9 +205,9 @@ static int gtc_authenticate(void *instance, eap_handler_t *handler) * If there was a User-Password in the request, * why the heck are they using EAP-GTC? */ - pairdelete(&handler->request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY); + pairdelete(&request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY); - vp = pairmake("User-Password", "", T_OP_EQ); + vp = pairmake_packet("User-Password", "", T_OP_EQ); if (!vp) { radlog(L_ERR, "rlm_eap_gtc: out of memory"); return 0; @@ -220,13 +220,12 @@ static int gtc_authenticate(void *instance, eap_handler_t *handler) * Add the password to the request, and allow * another module to do the work of authenticating it. */ - pairadd(&handler->request->packet->vps, vp); - handler->request->password = vp; + request->password = vp; /* * This is a wild & crazy hack. */ - rcode = module_authenticate(inst->auth_type, handler->request); + rcode = module_authenticate(inst->auth_type, request); if (rcode != RLM_MODULE_OK) { eap_ds->request->code = PW_EAP_FAILURE; return 0; diff --git a/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c b/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c index b2acc1bb0f5..b934a1d7a2e 100644 --- a/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c +++ b/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c @@ -280,7 +280,7 @@ int eapleap_stage4(leap_packet_t *packet, VALUE_PAIR* password, */ leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request, VALUE_PAIR *user_name, VALUE_PAIR* password, - leap_session_t *session, VALUE_PAIR **reply_vps) + leap_session_t *session) { size_t i; unsigned char ntpwdhash[16], ntpwdhashhash[16]; @@ -345,7 +345,7 @@ leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request, /* * Calculate the leap:session-key attribute */ - vp = pairmake("Cisco-AVPair", "leap:session-key=", T_OP_ADD); + vp = pairmake_reply("Cisco-AVPair", "leap:session-key=", T_OP_ADD); if (!vp) { radlog(L_ERR, "rlm_eap_leap: Failed to create Cisco-AVPair attribute. LEAP cancelled."); eapleap_free(&reply); @@ -379,7 +379,6 @@ leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request, rad_tunnel_pwencode(vp->vp_strvalue + vp->length, &i, request->client->secret, request->packet->vector); vp->length += i; - pairadd(reply_vps, vp); return reply; } diff --git a/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h b/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h index dbfa4eaceee..8df905bb814 100644 --- a/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h +++ b/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h @@ -71,8 +71,7 @@ int eapleap_stage4(leap_packet_t *packet, VALUE_PAIR* password, leap_session_t *session); leap_packet_t *eapleap_stage6(leap_packet_t *packet, REQUEST *request, VALUE_PAIR *user_name, VALUE_PAIR* password, - leap_session_t *session, - VALUE_PAIR **reply_vps); + leap_session_t *session); void eapleap_lmpwdhash(const unsigned char *password,unsigned char *lmhash); void eapleap_mschap(const unsigned char *win_password, diff --git a/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c b/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c index b3342fd4492..e67d38bb52c 100644 --- a/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c +++ b/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c @@ -164,7 +164,7 @@ static int leap_authenticate(UNUSED void *instance, eap_handler_t *handler) DEBUG2(" rlm_eap_leap: Stage 6"); reply = eapleap_stage6(packet, handler->request, handler->request->username, password, - session, &handler->request->reply->vps); + session); break; /* diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c index 8bfe7ed878e..602a63f4ca1 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -218,19 +218,14 @@ static int eapmschapv2_compose(eap_handler_t *handler, VALUE_PAIR *reply) /* * Initiate the EAP-MSCHAPV2 session by sending a challenge to the peer. */ -static int mschapv2_initiate(void *instance, eap_handler_t *handler) +static int mschapv2_initiate(UNUSED void *instance, eap_handler_t *handler) { int i; VALUE_PAIR *challenge; mschapv2_opaque_t *data; - instance = instance; /* -Wunused */ - - challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ); - if (!challenge) { - radlog(L_ERR, "rlm_eap_mschapv2: out of memory"); - return 0; - } + challenge = pairmake(handler, NULL, + "MS-CHAP-Challenge", "0x00", T_OP_EQ); /* * Get a random challenge. @@ -297,27 +292,29 @@ static int mschap_postproxy(eap_handler_t *handler, void *tunnel_data) { VALUE_PAIR *response = NULL; mschapv2_opaque_t *data; + REQUEST *request = handler->request; data = (mschapv2_opaque_t *) handler->opaque; rad_assert(data != NULL); tunnel_data = tunnel_data; /* -Wunused */ - DEBUG2(" rlm_eap_mschapv2: Passing reply from proxy back into the tunnel %p %d.", - handler->request, handler->request->reply->code); + RDEBUG2("Passing reply from proxy back into the tunnel %d.", + request->reply->code); /* * There is only a limited number of possibilities. */ - switch (handler->request->reply->code) { + switch (request->reply->code) { case PW_AUTHENTICATION_ACK: - DEBUG(" rlm_eap_mschapv2: Proxied authentication succeeded."); + RDEBUG2("Proxied authentication succeeded."); + /* * Move the attribute, so it doesn't go into * the reply. */ pairmove2(&response, - &handler->request->reply->vps, + &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY); break; @@ -338,7 +335,7 @@ static int mschap_postproxy(eap_handler_t *handler, void *tunnel_data) /* * Done doing EAP proxy stuff. */ - handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; + request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; eapmschapv2_compose(handler, response); data->code = PW_EAP_MSCHAPV2_SUCCESS; @@ -354,13 +351,13 @@ static int mschap_postproxy(eap_handler_t *handler, void *tunnel_data) * access-accept e.g. vlan, etc. This lets the PEAP * use_tunneled_reply code work */ - data->reply = paircopy(handler->request->reply->vps); + data->reply = paircopy(request->reply->vps); /* * And we need to challenge the user, not ack/reject them, * so we re-write the ACK to a challenge. Yuck. */ - handler->request->reply->code = PW_ACCESS_CHALLENGE; + request->reply->code = PW_ACCESS_CHALLENGE; pairfree(&response); return 1; @@ -377,8 +374,9 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) EAP_DS *eap_ds = handler->eap_ds; VALUE_PAIR *challenge, *response, *name; rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg; + REQUEST *request = handler->request; - rad_assert(handler->request != NULL); + rad_assert(request != NULL); rad_assert(handler->stage == AUTHENTICATE); data = (mschapv2_opaque_t *) handler->opaque; @@ -413,21 +411,19 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) DEBUG2(" rlm_eap_mschapv2: password change packet received"); - challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ); + challenge = pairmake_packet("MS-CHAP-Challenge", "0x00", T_OP_EQ); if (!challenge) { radlog(L_ERR, "rlm_eap_mschapv2: out of memory"); return 0; } challenge->length = MSCHAPV2_CHALLENGE_LEN; memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); - pairadd(&handler->request->packet->vps, challenge); - cpw = pairmake("MS-CHAP2-CPW", "", T_OP_EQ); + cpw = pairmake_packet("MS-CHAP2-CPW", "", T_OP_EQ); cpw->vp_octets[0] = 7; cpw->vp_octets[1] = mschap_id; memcpy(cpw->vp_octets+2, eap_ds->response->type.data + 520, 66); cpw->length = 68; - pairadd(&handler->request->packet->vps, cpw); /* * break the encoded password into VPs (3 of them) @@ -439,7 +435,7 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) if (to_copy > 243) to_copy = 243; - nt_enc = pairmake("MS-CHAP-NT-Enc-PW", "", T_OP_ADD); + nt_enc = pairmake_packet("MS-CHAP-NT-Enc-PW", "", T_OP_ADD); nt_enc->vp_octets[0] = 6; nt_enc->vp_octets[1] = mschap_id; nt_enc->vp_octets[2] = 0; @@ -448,11 +444,10 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) memcpy(nt_enc->vp_octets + 4, eap_ds->response->type.data + 4 + copied, to_copy); copied += to_copy; nt_enc->length = 4 + to_copy; - pairadd(&handler->request->packet->vps, nt_enc); } DEBUG2(" rlm_eap_mschapv2: built change password packet"); - debug_pair_list(handler->request->packet->vps); + debug_pair_list(request->packet->vps); /* * jump to "authentication" @@ -469,7 +464,7 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) } failure: - handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; + request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; eap_ds->request->code = PW_EAP_FAILURE; return 1; @@ -483,7 +478,7 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) switch (ccode) { case PW_EAP_MSCHAPV2_SUCCESS: eap_ds->request->code = PW_EAP_SUCCESS; - pairadd(&handler->request->reply->vps, data->mppe_keys); + pairadd(&request->reply->vps, data->mppe_keys); data->mppe_keys = NULL; /* fall through... */ @@ -492,9 +487,9 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) /* * It's a success. Don't proxy it. */ - handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; + request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP; #endif - pairadd(&handler->request->reply->vps, data->reply); + pairadd(&request->reply->vps, data->reply); data->reply = NULL; return 1; } @@ -566,7 +561,7 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) * to pass to the 'mschap' module. This is a little wonky, * but it works. */ - challenge = pairmake("MS-CHAP-Challenge", "0x00", T_OP_EQ); + challenge = pairmake_packet("MS-CHAP-Challenge", "0x00", T_OP_EQ); if (!challenge) { radlog(L_ERR, "rlm_eap_mschapv2: out of memory"); return 0; @@ -574,9 +569,8 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) challenge->length = MSCHAPV2_CHALLENGE_LEN; memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); - response = pairmake("MS-CHAP2-Response", "0x00", T_OP_EQ); + response = pairmake_packet("MS-CHAP2-Response", "0x00", T_OP_EQ); if (!response) { - pairfree(&challenge); radlog(L_ERR, "rlm_eap_mschapv2: out of memory"); return 0; } @@ -587,10 +581,8 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) response->vp_strvalue[0] = eap_ds->response->type.data[1]; response->vp_strvalue[1] = eap_ds->response->type.data[5 + MSCHAPV2_RESPONSE_LEN]; - name = pairmake("NTLM-User-Name", "", T_OP_EQ); + name = pairmake_packet("NTLM-User-Name", "", T_OP_EQ); if (!name) { - pairfree(&challenge); - pairfree(&response); radlog(L_ERR, "rlm_eap_mschapv2: Failed creating NTLM-User-Name: %s", fr_strerror()); return 0; } @@ -610,14 +602,6 @@ static int mschapv2_authenticate(void *arg, eap_handler_t *handler) name->length); name->vp_strvalue[name->length] = '\0'; - /* - * Add the pairs to the request, and call the 'mschap' - * module. - */ - pairadd(&handler->request->packet->vps, challenge); - pairadd(&handler->request->packet->vps, response); - pairadd(&handler->request->packet->vps, name); - packet_ready: #ifdef WITH_PROXY @@ -631,7 +615,7 @@ packet_ready: * EAP attributes, and proxy the MS-CHAP attributes to a * home server. */ - if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) { + if (request->options & RAD_REQUEST_OPTION_PROXY_EAP) { char *username = NULL; eap_tunnel_data_t *tunnel; @@ -649,8 +633,8 @@ packet_ready: /* * Associate the callback with the request. */ - rcode = request_data_add(handler->request, - handler->request->proxy, + rcode = request_data_add(request, + request->proxy, REQUEST_DATA_EAP_TUNNEL_CALLBACK, tunnel, free); rad_assert(rcode == 0); @@ -665,7 +649,7 @@ packet_ready: * the State attribute back, before passing * the handler & request back into the tunnel. */ - pairdelete(&handler->request->packet->vps, PW_STATE, 0, TAG_ANY); + pairdelete(&request->packet->vps, PW_STATE, 0, TAG_ANY); /* * Fix the User-Name when proxying, to strip off @@ -674,7 +658,7 @@ packet_ready: * in the user name, THEN discard the user name. */ if (inst->with_ntdomain_hack && - ((challenge = pairfind(handler->request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) && + ((challenge = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY)) != NULL) && ((username = strchr(challenge->vp_strvalue, '\\')) != NULL)) { /* * Wipe out the NT domain. @@ -700,7 +684,7 @@ packet_ready: /* * This is a wild & crazy hack. */ - rcode = module_authenticate(PW_AUTHTYPE_MS_CHAP, handler->request); + rcode = module_authenticate(PW_AUTHTYPE_MS_CHAP, request); /* * Delete MPPE keys & encryption policy. We don't @@ -714,12 +698,12 @@ packet_ready: */ response = NULL; if (rcode == RLM_MODULE_OK) { - pairmove2(&response, &handler->request->reply->vps, + pairmove2(&response, &request->reply->vps, PW_MSCHAP2_SUCCESS, VENDORPEC_MICROSOFT, TAG_ANY); data->code = PW_EAP_MSCHAPV2_SUCCESS; } else if (inst->send_error) { - pairmove2(&response, &handler->request->reply->vps, + pairmove2(&response, &request->reply->vps, PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT, TAG_ANY); if (response) { int n,err,retry; diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index e7bcc1b8eb0..f4625b8b96a 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -156,7 +156,8 @@ static int eappeap_soh(eap_handler_t *handler, tls_session_t *tls_session) return 1; } -static VALUE_PAIR* eapsoh_verify(REQUEST *request, const uint8_t *data, unsigned int data_len) { +static void eapsoh_verify(REQUEST *request, RADIUS_PACKET *packet, + const uint8_t *data, unsigned int data_len) { VALUE_PAIR *vp; uint8_t eap_method_base; @@ -164,44 +165,42 @@ static VALUE_PAIR* eapsoh_verify(REQUEST *request, const uint8_t *data, unsigned uint32_t eap_method; int rv; - vp = pairmake("SoH-Supported", "no", T_OP_EQ); + vp = pairmake(packet, &packet->vps, "SoH-Supported", "no", T_OP_EQ); if (data && data[0] == PW_EAP_NAK) { RDEBUG("SoH - client NAKed"); - goto done; + return; } if (!data || data_len < 8) { RDEBUG("SoH - eap payload too short"); - goto done; + return; } eap_method_base = *data++; if (eap_method_base != 254) { RDEBUG("SoH - response is not extended EAP: %i", eap_method_base); - goto done; + return; } eap_vendor = soh_pull_be_24(data); data += 3; if (eap_vendor != 0x137) { RDEBUG("SoH - extended eap vendor %08x is not Microsoft", eap_vendor); - goto done; + return; } eap_method = soh_pull_be_32(data); data += 4; if (eap_method != 0x21) { RDEBUG("SoH - response eap type %08x is not EAP-SoH", eap_method); - goto done; + return; } - rv = soh_verify(request, vp, data, data_len - 8); + rv = soh_verify(request, data, data_len - 8); if (rv<0) { RDEBUG("SoH - error decoding payload: %s", fr_strerror()); } else { vp->vp_integer = 1; } -done: - return vp; } /* @@ -800,7 +799,7 @@ int eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) /* * Save it for later. */ - t->username = pairmake("User-Name", "", T_OP_EQ); + t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ); rad_assert(t->username != NULL); memcpy(t->username->vp_strvalue, data + 1, data_len - 1); @@ -819,7 +818,7 @@ int eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) case PEAP_STATUS_WAIT_FOR_SOH_RESPONSE: fake = request_alloc_fake(request); rad_assert(fake->packet->vps == NULL); - fake->packet->vps = eapsoh_verify(request, data, data_len); + eapsoh_verify(request, fake->packet, data, data_len); setup_fake_request(request, fake, t); if (t->soh_virtual_server) { @@ -946,9 +945,8 @@ int eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) if (t->default_method != 0) { RDEBUG2("Setting default EAP type for tunneled EAP session."); - vp = pairmake("EAP-Type", "0", T_OP_EQ); + vp = pairmake(fake, &fake->config_items, "EAP-Type", "0", T_OP_EQ); vp->vp_integer = t->default_method; - pairadd(&fake->config_items, vp); } break; } @@ -986,7 +984,7 @@ int eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) * EAP-Identity packet. */ if ((data[0] == PW_EAP_IDENTITY) && (data_len > 1)) { - t->username = pairmake("User-Name", "", T_OP_EQ); + t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ); rad_assert(t->username != NULL); memcpy(t->username->vp_strvalue, data + 1, data_len - 1); @@ -1000,9 +998,8 @@ int eappeap_process(eap_handler_t *handler, tls_session_t *tls_session) */ if (t->default_method != 0) { DEBUG2(" PEAP: Setting default EAP type for tunneled EAP session."); - vp = pairmake("EAP-Type", "0", T_OP_EQ); + vp = pairmake(fake, &fake->config_items, "EAP-Type", "0", T_OP_EQ); vp->vp_integer = t->default_method; - pairadd(&fake->config_items, vp); } } } /* else there WAS a t->username */ @@ -1220,10 +1217,8 @@ static int setup_fake_request(REQUEST *request, REQUEST *fake, peap_tunnel_t *t) /* * Tell the request that it's a fake one. */ - vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); - if (vp) { - pairadd(&fake->packet->vps, vp); - } + pairmake(fake->packet, &fake->packet->vps, + "Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); if (t->username) { vp = paircopy(t->username); diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c index 64bb5957e81..96be13cba71 100644 --- a/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c @@ -421,7 +421,8 @@ eap_pwd_authenticate (void *arg, eap_handler_t *handler) RDEBUG("pwd unable to create fake request!"); return 0; } - if ((fake->username = pairmake("User-Name", "", T_OP_EQ)) == NULL) { + fake->username = pairmake_request("User-Name", "", T_OP_EQ); + if (!fake->username); RDEBUG("pwd unanable to create value pair for username!"); request_free(&fake); return 0; diff --git a/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c b/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c index 6e000325902..1b7aee259a3 100644 --- a/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c +++ b/src/modules/rlm_eap/types/rlm_eap_tnc/rlm_eap_tnc.c @@ -316,21 +316,18 @@ static int tnc_authenticate(UNUSED void *instance, eap_handler_t *handler) break; case TNC_CONNECTION_STATE_ACCESS_NONE: code = PW_EAP_FAILURE; - pairadd(&handler->request->config_items, - pairmake("TNC-Status", "None", T_OP_SET)); + pairmake_config("TNC-Status", "None", T_OP_SET); break; case TNC_CONNECTION_STATE_ACCESS_ALLOWED: code = PW_EAP_SUCCESS; - pairadd(&handler->request->config_items, - pairmake("TNC-Status", "Access", T_OP_SET)); + pairmake_config("TNC-Status", "Access", T_OP_SET); break; case TNC_CONNECTION_STATE_ACCESS_ISOLATED: code = PW_EAP_SUCCESS; - pairadd(&handler->request->config_items, - pairmake("TNC-Status", "Isolate", T_OP_SET)); + pairmake_config("TNC-Status", "Isolate", T_OP_SET); break; default: diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c index 16829aebba0..79d940e723c 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c @@ -1043,10 +1043,7 @@ int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session) /* * Tell the request that it's a fake one. */ - vp = pairmake("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); - if (vp) { - pairadd(&fake->packet->vps, vp); - } + pairmake_packet("Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); if ((debug_flag > 0) && fr_log_fp) { RDEBUG("Got tunneled request"); @@ -1078,7 +1075,7 @@ int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session) /* * Create & remember a User-Name */ - t->username = pairmake("User-Name", "", T_OP_EQ); + t->username = pairmake(t, NULL, "User-Name", "", T_OP_EQ); rad_assert(t->username != NULL); memcpy(t->username->vp_strvalue, vp->vp_strvalue + 5, diff --git a/src/modules/rlm_eap2/rlm_eap2.c b/src/modules/rlm_eap2/rlm_eap2.c index d652d7efd90..5d635459fd7 100644 --- a/src/modules/rlm_eap2/rlm_eap2.c +++ b/src/modules/rlm_eap2/rlm_eap2.c @@ -140,6 +140,7 @@ static int eaplist_add(rlm_eap_t *inst, EAP_HANDLER *handler) int i, status; uint32_t lvalue; VALUE_PAIR *state; + REQUEST *request = handler->request; rad_assert(handler != NULL); rad_assert(handler->request != NULL); @@ -148,9 +149,8 @@ static int eaplist_add(rlm_eap_t *inst, EAP_HANDLER *handler) * Generate State, since we've been asked to add it to * the list. */ - state = pairmake("State", "0x00", T_OP_EQ); + state = pairmake_reply("State", "0x00", T_OP_EQ); if (!state) return 0; - pairadd(&(handler->request->reply->vps), state); state->length = EAP_STATE_LEN; /* @@ -714,8 +714,7 @@ static int eap_example_server_step(EAP_HANDLER *handler) */ } - vp = radius_pairmake(request, &request->reply->vps, - "MS-MPPE-Recv-Key", "", T_OP_EQ); + vp = pairmake_reply("MS-MPPE-Recv-Key", "", T_OP_EQ); if (vp) { memcpy(vp->vp_octets, handler->server_ctx.eap_if->eapKeyData, @@ -723,8 +722,7 @@ static int eap_example_server_step(EAP_HANDLER *handler) vp->length = length; } - vp = radius_pairmake(request, &request->reply->vps, - "MS-MPPE-Send-Key", "", T_OP_EQ); + vp = pairmake_reply("MS-MPPE-Send-Key", "", T_OP_EQ); if (vp) { memcpy(vp->vp_octets, handler->server_ctx.eap_if->eapKeyData + length, diff --git a/src/modules/rlm_example/rlm_example.c b/src/modules/rlm_example/rlm_example.c index 4c561d4a5f4..9aa94b0906f 100644 --- a/src/modules/rlm_example/rlm_example.c +++ b/src/modules/rlm_example/rlm_example.c @@ -100,7 +100,6 @@ static int example_instantiate(CONF_SECTION *conf, void **instance) static rlm_rcode_t example_authorize(void *instance, REQUEST *request) { VALUE_PAIR *state; - VALUE_PAIR *reply; /* quiet the compiler */ instance = instance; @@ -118,10 +117,8 @@ static rlm_rcode_t example_authorize(void *instance, REQUEST *request) /* * Create the challenge, and add it to the reply. */ - reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ); - pairadd(&request->reply->vps, reply); - state = pairmake("State", "0", T_OP_EQ); - pairadd(&request->reply->vps, state); + pairmake_reply("Reply-Message", "This is a challenge", T_OP_EQ); + pairmake_reply("State", "0", T_OP_EQ); /* * Mark the packet as an Access-Challenge packet. diff --git a/src/modules/rlm_expiration/rlm_expiration.c b/src/modules/rlm_expiration/rlm_expiration.c index 960ed435b83..8e2c6a95806 100644 --- a/src/modules/rlm_expiration/rlm_expiration.c +++ b/src/modules/rlm_expiration/rlm_expiration.c @@ -82,9 +82,8 @@ static rlm_rcode_t expiration_authorize(void *instance, REQUEST *request) return RLM_MODULE_FAIL; } - vp = pairmake("Reply-Message", msg, T_OP_ADD); pairfree(&request->reply->vps); - request->reply->vps = vp; + pairmake_reply("Reply-Message", msg, T_OP_ADD); } RDEBUGE("Account has expired [Expiration %s]",check_item->vp_strvalue); diff --git a/src/modules/rlm_expr/paircmp.c b/src/modules/rlm_expr/paircmp.c index 8256f46680d..14a2edbb1b4 100644 --- a/src/modules/rlm_expr/paircmp.c +++ b/src/modules/rlm_expr/paircmp.c @@ -228,7 +228,7 @@ static int genericcmp(void *instance UNUSED, snprintf(name, sizeof(name), "%%{%s}", check->da->name); radius_xlat(value, sizeof(value), name, req, NULL, NULL); - vp = pairmake(check->da->name, value, check->op); + vp = pairmake(req, NULL, check->da->name, value, check->op); /* * Paircmp returns 0 for failed comparison, diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c index d7ed802944e..052777434d5 100644 --- a/src/modules/rlm_ldap/ldap.c +++ b/src/modules/rlm_ldap/ldap.c @@ -802,9 +802,9 @@ const char *rlm_ldap_find_user(const ldap_instance_t *inst, REQUEST *request, ld goto finish; } - vp = pairmake("LDAP-UserDn", dn, T_OP_EQ); + vp = pairmake(request, &request->config_items, + "LDAP-UserDn", dn, T_OP_EQ); if (vp) { - pairadd(&request->config_items, vp); *rcode = RLM_MODULE_OK; } diff --git a/src/modules/rlm_logintime/rlm_logintime.c b/src/modules/rlm_logintime/rlm_logintime.c index 5c0aafe34ae..e68cf74dae7 100644 --- a/src/modules/rlm_logintime/rlm_logintime.c +++ b/src/modules/rlm_logintime/rlm_logintime.c @@ -191,15 +191,13 @@ static rlm_rcode_t logintime_authorize(void *instance, REQUEST *request) DEBUG("rlm_logintime: timestr returned reject"); if (data->msg && data->msg[0]){ char msg[MAX_STRING_LEN]; - VALUE_PAIR *tmp; if (!radius_xlat(msg, sizeof(msg), data->msg, request, NULL, NULL)) { radlog(L_ERR, "rlm_logintime: xlat failed."); return RLM_MODULE_FAIL; } pairfree(&request->reply->vps); - tmp = pairmake("Reply-Message", msg, T_OP_SET); - request->reply->vps = tmp; + pairmake_reply("Reply-Message", msg, T_OP_SET); } RDEBUGE("Outside allowed timespan (time allowed %s)", diff --git a/src/modules/rlm_mschap/mschap.h b/src/modules/rlm_mschap/mschap.h index 306685a351b..3f74d1f4035 100644 --- a/src/modules/rlm_mschap/mschap.h +++ b/src/modules/rlm_mschap/mschap.h @@ -16,7 +16,7 @@ void mschap_auth_response(const char *username, uint8_t *ntresponse, uint8_t *peer_challenge, uint8_t *auth_challenge, char *response); -void mschap_add_reply(REQUEST *request, VALUE_PAIR ** vp, unsigned char ident, +void mschap_add_reply(REQUEST *request, unsigned char ident, const char* name, const char* value, int len); diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c index e59913849c8..b361ae79934 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -628,20 +628,20 @@ static int mschap_instantiate(CONF_SECTION *conf, void **instance) * add_reply() adds either MS-CHAP2-Success or MS-CHAP-Error * attribute to reply packet */ -void mschap_add_reply(REQUEST *request, VALUE_PAIR** vp, unsigned char ident, +void mschap_add_reply(REQUEST *request, unsigned char ident, const char* name, const char* value, int len) { - VALUE_PAIR *reply_attr; - reply_attr = pairmake(name, "", T_OP_EQ); - if (!reply_attr) { + VALUE_PAIR *vp; + + vp = pairmake_reply(name, "", T_OP_EQ); + if (!vp) { RDEBUG("Failed to create attribute %s: %s\n", name, fr_strerror()); return; } - reply_attr->vp_octets[0] = ident; - memcpy(reply_attr->vp_octets + 1, value, len); - reply_attr->length = len + 1; - pairadd(vp, reply_attr); + vp->vp_octets[0] = ident; + memcpy(vp->vp_octets + 1, value, len); + vp->length = len + 1; } /* @@ -651,7 +651,8 @@ static void mppe_add_reply(REQUEST *request, const char* name, const uint8_t * value, int len) { VALUE_PAIR *vp; - vp = radius_pairmake(request, &request->reply->vps, name, "", T_OP_EQ); + + vp = pairmake_reply(name, "", T_OP_EQ); if (!vp) { RDEBUG("rlm_mschap: mppe_add_reply failed to create attribute %s: %s\n", name, fr_strerror()); return; @@ -911,9 +912,8 @@ ntlm_auth_err: * the new NT hash - this should be preferred over the * cleartext password as it avoids unicode hassles */ - new_hash = radius_pairmake(request, &request->packet->vps, - "MS-CHAP-New-NT-Password", "", - T_OP_EQ); + new_hash = pairmake_packet("MS-CHAP-New-NT-Password", "", + T_OP_EQ); fr_md4_calc(new_hash->vp_octets, p, passlen); new_hash->length = 16; @@ -933,9 +933,8 @@ ntlm_auth_err: * do some unpleasant vileness to turn it into * utf8 without pulling in libraries like iconv */ - new_pass = radius_pairmake(request, &request->packet->vps, - "MS-CHAP-New-Cleartext-Password", "", - T_OP_EQ); + new_pass = pairmake_packet("MS-CHAP-New-Cleartext-Password", "", + T_OP_EQ); new_pass->length = 0; i = 0; while (iconfig_items, - "Auth-Type", inst->auth_type, T_OP_EQ)) { + if (!pairmake_config("Auth-Type", inst->auth_type, T_OP_EQ)) { return RLM_MODULE_FAIL; } @@ -1347,9 +1345,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) if (!smb_ctrl) { password = pairfind(request->config_items, PW_SMB_ACCOUNT_CTRL_TEXT, 0, TAG_ANY); if (password) { - smb_ctrl = radius_pairmake(request, - &request->config_items, - "SMB-Account-CTRL", "0", + smb_ctrl = pairmake_config("SMB-Account-CTRL", "0", T_OP_SET); if (smb_ctrl) { smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue); @@ -1400,8 +1396,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) if (!do_ntlm_auth) RDEBUG2("No Cleartext-Password configured. Cannot create LM-Password."); } else { /* there is a configured Cleartext-Password */ - lm_password = radius_pairmake(request, &request->config_items, - "LM-Password", "", T_OP_EQ); + lm_password = pairmake_config("LM-Password", "", T_OP_EQ); if (!lm_password) { radlog_request(L_ERR, 0, request, "No memory"); } else { @@ -1431,8 +1426,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) if (!do_ntlm_auth) RDEBUG2("No Cleartext-Password configured. Cannot create NT-Password."); } else { /* there is a configured Cleartext-Password */ - nt_password = radius_pairmake(request, &request->config_items, - "NT-Password", "", T_OP_EQ); + nt_password = pairmake_config("NT-Password", "", T_OP_EQ); if (!nt_password) { radlog_request(L_ERR, 0, request, "No memory"); return RLM_MODULE_FAIL; @@ -1534,7 +1528,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) RDEBUG("Password change failed"); snprintf(buffer, sizeof(buffer), "E=709 R=0 M=Password change failed"); - mschap_add_reply(request, &request->reply->vps, + mschap_add_reply(request, cpw->vp_octets[1], "MS-CHAP-Error", buffer, strlen(buffer)); return RLM_MODULE_REJECT; @@ -1755,7 +1749,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) snprintf(buffer + 45, sizeof(buffer) - 45, " V=3 M=%s", inst->retry_msg); } - mschap_add_reply(request, &request->reply->vps, + mschap_add_reply(request, *response->vp_octets, "MS-CHAP-Error", buffer, strlen(buffer)); return RLM_MODULE_REJECT; @@ -1775,7 +1769,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) snprintf(buffer, sizeof(buffer), "E=648 R=0 C=%s V=3 M=Password Expired", newchal); - mschap_add_reply(request, &request->reply->vps, + mschap_add_reply(request, *response->vp_octets, "MS-CHAP-Error", buffer, strlen(buffer)); return RLM_MODULE_REJECT; @@ -1787,7 +1781,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) response->vp_octets + 2, /* peer challenge */ challenge->vp_octets, /* our challenge */ msch2resp); /* calculated MPPE key */ - mschap_add_reply(request, &request->reply->vps, *response->vp_octets, + mschap_add_reply(request, *response->vp_octets, "MS-CHAP2-Success", msch2resp, 42); chap = 2; @@ -1811,7 +1805,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) if (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) || ((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0)) { RDEBUG2("SMB-Account-Ctrl says that the account is disabled, or is not a normal or workstatin trust account."); - mschap_add_reply(request, &request->reply->vps, + mschap_add_reply(request, *response->vp_octets, "MS-CHAP-Error", "E=691 R=1", 9); return RLM_MODULE_NOTFOUND; @@ -1822,7 +1816,7 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) */ if ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0) { RDEBUG2("SMB-Account-Ctrl says that the account is locked out."); - mschap_add_reply(request, &request->reply->vps, + mschap_add_reply(request, *response->vp_octets, "MS-CHAP-Error", "E=647 R=0", 9); return RLM_MODULE_USERLOCK; @@ -1872,13 +1866,11 @@ static rlm_rcode_t mschap_authenticate(void * instance, REQUEST *request) mppe_sendkey, 16); } - radius_pairmake(request, &request->reply->vps, - "MS-MPPE-Encryption-Policy", - (inst->require_encryption)? "0x00000002":"0x00000001", - T_OP_EQ); - radius_pairmake(request, &request->reply->vps, - "MS-MPPE-Encryption-Types", - (inst->require_strong)? "0x00000004":"0x00000006", + pairmake_reply("MS-MPPE-Encryption-Policy", + (inst->require_encryption)? "0x00000002":"0x00000001", + T_OP_EQ); + pairmake_reply("MS-MPPE-Encryption-Types", + (inst->require_strong)? "0x00000004":"0x00000006", T_OP_EQ); } /* else we weren't asked to use MPPE */ diff --git a/src/modules/rlm_opendirectory/rlm_opendirectory.c b/src/modules/rlm_opendirectory/rlm_opendirectory.c index 92646bcf458..0d1fe30bb62 100644 --- a/src/modules/rlm_opendirectory/rlm_opendirectory.c +++ b/src/modules/rlm_opendirectory/rlm_opendirectory.c @@ -408,7 +408,7 @@ static rlm_rcode_t od_authorize(UNUSED void *instance, REQUEST *request) if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) { RDEBUG("no access control groups, all users allowed."); if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) { - pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ)); + pairmake_config("Auth-Type", kAuthType, T_OP_EQ); RDEBUG("Setting Auth-Type = %s", kAuthType); } return RLM_MODULE_OK; @@ -459,7 +459,7 @@ static rlm_rcode_t od_authorize(UNUSED void *instance, REQUEST *request) } if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) { - pairadd(&request->config_items, pairmake("Auth-Type", kAuthType, T_OP_EQ)); + pairmake_config("Auth-Type", kAuthType, T_OP_EQ); RDEBUG("Setting Auth-Type = %s", kAuthType); } diff --git a/src/modules/rlm_otp/otp_mppe.c b/src/modules/rlm_otp/otp_mppe.c index ad2121a586c..091b50bbefa 100644 --- a/src/modules/rlm_otp/otp_mppe.c +++ b/src/modules/rlm_otp/otp_mppe.c @@ -46,8 +46,7 @@ void otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, const char *passcode) { - VALUE_PAIR **avp = &request->reply->vps; - VALUE_PAIR *cvp, *rvp, *vp; + VALUE_PAIR *cvp, *rvp; cvp = pairfind(request->packet->vps, pwattr[pwe - 1]->attr, pwattr[pwe - 1]->vendor, TAG_ANY); rvp = pairfind(request->packet->vps, pwattr[pwe]->attr, pwattr[pwe]->vendor, TAG_ANY); @@ -61,14 +60,10 @@ otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, case PWE_MSCHAP: /* First, set some related attributes. */ - vp = pairmake("MS-MPPE-Encryption-Policy", + pairmake_reply("MS-MPPE-Encryption-Policy", otp_mppe_policy[opt->mschap_mppe_policy], T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); - vp = pairmake("MS-MPPE-Encryption-Types", + pairmake_reply("MS-MPPE-Encryption-Types", otp_mppe_types[opt->mschap_mppe_types], T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); /* If no MPPE, we're done. */ if (!opt->mschap_mppe_policy) @@ -118,9 +113,7 @@ otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, mppe_keys_string[1] = 'x'; for (i = 0; i < 32; ++i) (void) sprintf(&mppe_keys_string[i*2+2], "%02X", mppe_keys[i]); - vp = pairmake("MS-CHAP-MPPE-Keys", mppe_keys_string, T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); + pairmake_reply("MS-CHAP-MPPE-Keys", mppe_keys_string, T_OP_EQ); } /* (doing mppe) */ break; /* PWE_MSCHAP */ @@ -227,22 +220,16 @@ otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, for (i = 0; i < sizeof(auth_md_string) - 1; ++i) (void) sprintf(&auth_octet_string[i * 2 +4], "%02X", auth_md_string[i]); - vp = pairmake("MS-CHAP2-Success", auth_octet_string, T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); + pairmake_reply("MS-CHAP2-Success", auth_octet_string, T_OP_EQ); } /* Generate mutual auth info. */ /* * Now, set some MPPE related attributes. */ - vp = pairmake("MS-MPPE-Encryption-Policy", + pairmake_reply("MS-MPPE-Encryption-Policy", otp_mppe_policy[opt->mschapv2_mppe_policy], T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); - vp = pairmake("MS-MPPE-Encryption-Types", + pairmake_reply("MS-MPPE-Encryption-Types", otp_mppe_types[opt->mschapv2_mppe_types], T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); /* If no MPPE, we're done. */ if (!opt->mschapv2_mppe_policy) @@ -353,9 +340,7 @@ otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, mppe_key_string[1] = 'x'; for (i = 0; i < sizeof(MasterSendKey); ++i) (void) sprintf(&mppe_key_string[i*2+2], "%02X", MasterSendKey[i]); - vp = pairmake("MS-MPPE-Send-Key", mppe_key_string, T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); + pairmake_reply("MS-MPPE-Send-Key", mppe_key_string, T_OP_EQ); /* * Generate the MS-MPPE-Recv-Key attribute. @@ -364,10 +349,7 @@ otp_mppe(REQUEST *request, otp_pwe_t pwe, const otp_option_t *opt, mppe_key_string[1] = 'x'; for (i = 0; i < sizeof(MasterReceiveKey); ++i) (void) sprintf(&mppe_key_string[i*2+2], "%02X", MasterReceiveKey[i]); - vp = pairmake("MS-MPPE-Recv-Key", mppe_key_string, T_OP_EQ); - rad_assert(vp != NULL); - pairadd(avp, vp); - + pairmake_reply("MS-MPPE-Recv-Key", mppe_key_string, T_OP_EQ); } /* (doing mppe) */ } /* PWE_MSCHAP2 */ break; /* PWE_MSCHAP2 */ diff --git a/src/modules/rlm_otp/rlm_otp.c b/src/modules/rlm_otp/rlm_otp.c index df6042156a8..ca21fd20360 100644 --- a/src/modules/rlm_otp/rlm_otp.c +++ b/src/modules/rlm_otp/rlm_otp.c @@ -211,8 +211,7 @@ static rlm_rcode_t otp_authorize(void *instance, REQUEST *request) if (inst->allow_sync && !inst->allow_async) { /* This is the token sync response. */ if (!auth_type_found) { - pairadd(&request->config_items, - pairmake("Auth-Type", inst->name, T_OP_EQ)); + pairmake_config("Auth-Type", inst->name, T_OP_EQ); } return RLM_MODULE_OK; @@ -314,8 +313,7 @@ static rlm_rcode_t otp_authorize(void *instance, REQUEST *request) DEBUG("rlm_otp: Sending Access-Challenge."); if (!auth_type_found) { - pairadd(&request->config_items, - pairmake("Auth-Type", inst->name, T_OP_EQ)); + pairmake_config("Auth-Type", inst->name, T_OP_EQ); } return RLM_MODULE_HANDLED; diff --git a/src/modules/rlm_passwd/rlm_passwd.c b/src/modules/rlm_passwd/rlm_passwd.c index 4b567eed17f..b09ca52e3e2 100644 --- a/src/modules/rlm_passwd/rlm_passwd.c +++ b/src/modules/rlm_passwd/rlm_passwd.c @@ -503,20 +503,18 @@ static int passwd_detach (void *instance) { #undef inst } -static void addresult (struct passwd_instance * inst, REQUEST *request, VALUE_PAIR ** vp, struct mypasswd * pw, char when, const char *listname) +static void addresult (struct passwd_instance * inst, REQUEST *request, TALLOC_CTX *ctx, VALUE_PAIR **vps, struct mypasswd * pw, char when, const char *listname) { int i; - VALUE_PAIR *newpair; + VALUE_PAIR *vp; for (i=0; infields; i++) { if (inst->pwdfmt->field[i] && *inst->pwdfmt->field[i] && pw->field[i] && i != inst->keyfield && inst->pwdfmt->listflag[i] == when) { if ( !inst->ignoreempty || pw->field[i][0] != 0 ) { /* if value in key/value pair is not empty */ - if (! (newpair = pairmake (inst->pwdfmt->field[i], pw->field[i], T_OP_EQ))) { - radlog(L_AUTH, "rlm_passwd: Unable to create %s: %s", inst->pwdfmt->field[i], pw->field[i]); - return; + vp = pairmake(ctx, vps, inst->pwdfmt->field[i], pw->field[i], T_OP_EQ); + if (vp) { + RDEBUG("Added %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname); } - RDEBUG("Added %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname); - pairadd (vp, newpair); } else RDEBUG("NOOP %s: '%s' to %s ", inst->pwdfmt->field[i], pw->field[i], listname); } @@ -542,9 +540,9 @@ static rlm_rcode_t passwd_map(void *instance, REQUEST *request) continue; } do { - addresult(inst, request, &request->config_items, pw, 0, "config_items"); - addresult(inst, request, &request->reply->vps, pw, 1, "reply_items"); - addresult(inst, request, &request->packet->vps, pw, 2, "request_items"); + addresult(inst, request, request, &request->config_items, pw, 0, "config_items"); + addresult(inst, request, request->reply, &request->reply->vps, pw, 1, "reply_items"); + addresult(inst, request, request->packet, &request->packet->vps, pw, 2, "request_items"); } while ( (pw = get_next(buffer, inst->ht, &last_found)) ); found++; if (!inst->allowmultiple) break; diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c index 5f4e456376d..e7798c3f2d7 100644 --- a/src/modules/rlm_perl/rlm_perl.c +++ b/src/modules/rlm_perl/rlm_perl.c @@ -594,15 +594,15 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv) * Value Pair Format * */ -static int pairadd_sv(VALUE_PAIR **vp, char *key, SV *sv, FR_TOKEN op) { +static int pairadd_sv(TALLOC_CTX *ctx, VALUE_PAIR **vps, char *key, SV *sv, FR_TOKEN op) +{ char *val; - VALUE_PAIR *vpp; + VALUE_PAIR *vp; if (SvOK(sv)) { val = SvPV_nolen(sv); - vpp = pairmake(key, val, op); - if (vpp != NULL) { - pairadd(vp, vpp); + vp = pairmake(ctx, vps, key, val, op); + if (vp != NULL) { radlog(L_DBG, "rlm_perl: Added pair %s = %s", key, val); return 1; @@ -619,7 +619,7 @@ static int pairadd_sv(VALUE_PAIR **vp, char *key, SV *sv, FR_TOKEN op) { * Boyan : * Gets the content from hashes */ -static int get_hv_content(HV *my_hv, VALUE_PAIR **vp) +static int get_hv_content(TALLOC_CTX *ctx, HV *my_hv, VALUE_PAIR **vps) { SV *res_sv, **av_sv; AV *av; @@ -627,7 +627,7 @@ static int get_hv_content(HV *my_hv, VALUE_PAIR **vp) I32 key_len, len, i, j; int ret=0; - *vp = NULL; + *vps = NULL; for (i = hv_iterinit(my_hv); i > 0; i--) { res_sv = hv_iternextsv(my_hv,&key,&key_len); if (SvROK(res_sv) && (SvTYPE(SvRV(res_sv)) == SVt_PVAV)) { @@ -635,9 +635,9 @@ static int get_hv_content(HV *my_hv, VALUE_PAIR **vp) len = av_len(av); for (j = 0; j <= len; j++) { av_sv = av_fetch(av, j, 0); - ret = pairadd_sv(vp, key, *av_sv, T_OP_ADD) + ret; + ret = pairadd_sv(ctx, vps, key, *av_sv, T_OP_ADD) + ret; } - } else ret = pairadd_sv(vp, key, res_sv, T_OP_EQ) + ret; + } else ret = pairadd_sv(ctx, vps, key, res_sv, T_OP_EQ) + ret; } return ret; @@ -757,7 +757,7 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) LEAVE; vp = NULL; - if ((get_hv_content(rad_request_hv, &vp)) > 0 ) { + if ((get_hv_content(request->packet, rad_request_hv, &vp)) > 0 ) { pairfree(&request->packet->vps); request->packet->vps = vp; vp = NULL; @@ -771,13 +771,13 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) request->password = pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY); } - if ((get_hv_content(rad_reply_hv, &vp)) > 0 ) { + if ((get_hv_content(request->reply, rad_reply_hv, &vp)) > 0 ) { pairfree(&request->reply->vps); request->reply->vps = vp; vp = NULL; } - if ((get_hv_content(rad_check_hv, &vp)) > 0 ) { + if ((get_hv_content(request, rad_check_hv, &vp)) > 0 ) { pairfree(&request->config_items); request->config_items = vp; vp = NULL; @@ -785,14 +785,14 @@ static int rlmperl_call(void *instance, REQUEST *request, char *function_name) #ifdef WITH_PROXY if (request->proxy && - (get_hv_content(rad_request_proxy_hv, &vp) > 0)) { + (get_hv_content(request->proxy, rad_request_proxy_hv, &vp) > 0)) { pairfree(&request->proxy->vps); request->proxy->vps = vp; vp = NULL; } if (request->proxy_reply && - (get_hv_content(rad_request_proxy_reply_hv, &vp) > 0)) { + (get_hv_content(request->proxy_reply, rad_request_proxy_reply_hv, &vp) > 0)) { pairfree(&request->proxy_reply->vps); request->proxy_reply->vps = vp; vp = NULL; diff --git a/src/modules/rlm_preprocess/rlm_preprocess.c b/src/modules/rlm_preprocess/rlm_preprocess.c index e1af716da5b..f470171f033 100644 --- a/src/modules/rlm_preprocess/rlm_preprocess.c +++ b/src/modules/rlm_preprocess/rlm_preprocess.c @@ -114,13 +114,14 @@ static void ascend_nasport_hack(VALUE_PAIR *nas_port, int channels_per_line) * in the string, like: H323-Attribute = "h323-attribute=value". * This sort of behaviour is nonsense. */ -static void cisco_vsa_hack(VALUE_PAIR *vp) +static void cisco_vsa_hack(REQUEST *request) { int vendorcode; char *ptr; char newattr[MAX_STRING_LEN]; + VALUE_PAIR *vp; - for ( ; vp != NULL; vp = vp->next) { + for (vp = request->packet->vps; vp != NULL; vp = vp->next) { vendorcode = vp->da->vendor; if (!((vendorcode == 9) || (vendorcode == 6618))) continue; /* not a Cisco or Quintum VSA, continue */ @@ -150,15 +151,7 @@ static void cisco_vsa_hack(VALUE_PAIR *vp) gettoken(&p, newattr, sizeof(newattr)); if (dict_attrbyname(newattr) != NULL) { - VALUE_PAIR *newvp; - - /* - * Make a new attribute. - */ - newvp = pairmake(newattr, ptr + 1, T_OP_EQ); - if (newvp) { - pairadd(&vp, newvp); - } + pairmake_packet(newattr, ptr + 1, T_OP_EQ); } } else { /* h322-foo-bar = "h323-foo-bar = baz" */ /* @@ -602,7 +595,7 @@ static rlm_rcode_t preprocess_authorize(void *instance, REQUEST *request) * We need to run this hack because the h323-conf-id * attribute should be used. */ - cisco_vsa_hack(request->packet->vps); + cisco_vsa_hack(request); } if (data->with_alvarion_vsa_hack) { @@ -680,7 +673,7 @@ static rlm_rcode_t preprocess_preaccounting(void *instance, REQUEST *request) * We need to run this hack because the h323-conf-id * attribute should be used. */ - cisco_vsa_hack(request->packet->vps); + cisco_vsa_hack(request); } if (data->with_alvarion_vsa_hack) { diff --git a/src/modules/rlm_python/rlm_python.c b/src/modules/rlm_python/rlm_python.c index e1e846cb148..338244adaea 100644 --- a/src/modules/rlm_python/rlm_python.c +++ b/src/modules/rlm_python/rlm_python.c @@ -249,7 +249,7 @@ static int python_destroy(void) /* TODO: Convert this function to accept any iterable objects? */ -static void python_vptuple(VALUE_PAIR **vpp, PyObject *pValue, +static void python_vptuple(TALLOC_CTX *ctx, VALUE_PAIR **vps, PyObject *pValue, const char *funcname) { int i; @@ -308,9 +308,8 @@ static void python_vptuple(VALUE_PAIR **vpp, PyObject *pValue, } s1 = PyString_AsString(pStr1); s2 = PyString_AsString(pStr2); - vp = pairmake(s1, s2, op); + vp = pairmake(ctx, vps, s1, s2, op); if (vp != NULL) { - pairadd(vpp, vp); radlog(L_DBG, "rlm_python:%s: '%s' = '%s'", funcname, s1, s2); } else { radlog(L_DBG, "rlm_python:%s: Failed: '%s' = '%s'", funcname, s1, s2); @@ -455,10 +454,10 @@ static int python_function(REQUEST *request, PyObject *pFunc, /* Now have the return value */ ret = PyInt_AsLong(pTupleInt); /* Reply item tuple */ - python_vptuple(&request->reply->vps, + python_vptuple(request->reply, &request->reply->vps, PyTuple_GET_ITEM(pRet, 1), funcname); /* Config item tuple */ - python_vptuple(&request->config_items, + python_vptuple(request, &request->config_items, PyTuple_GET_ITEM(pRet, 2), funcname); } else if (PyInt_CheckExact(pRet)) { diff --git a/src/modules/rlm_realm/rlm_realm.c b/src/modules/rlm_realm/rlm_realm.c index 3bb6657d2f4..d1aebf91194 100644 --- a/src/modules/rlm_realm/rlm_realm.c +++ b/src/modules/rlm_realm/rlm_realm.c @@ -204,8 +204,7 @@ static int check_for_realm(void *instance, REQUEST *request, REALM **returnrealm * entered. */ if (realm->name[0] != '~') realmname = realm->name; - pairadd(&request->packet->vps, pairmake("Realm", realmname, - T_OP_EQ)); + pairmake_packet("Realm", realmname, T_OP_EQ); RDEBUG2("Adding Realm = \"%s\"", realmname); /* @@ -323,29 +322,6 @@ static int check_for_realm(void *instance, REQUEST *request, REALM **returnrealm return RLM_MODULE_UPDATED; } -/* - * Add a "Proxy-To-Realm" attribute to the request. - */ -static void add_proxy_to_realm(VALUE_PAIR **vps, REALM *realm) -{ - VALUE_PAIR *vp; - - /* - * Tell the server to proxy this request to another - * realm. - */ - vp = pairmake("Proxy-To-Realm", realm->name, T_OP_EQ); - if (!vp) { - radlog(L_ERR, "no memory"); - exit(1); - } - - /* - * Add it, even if it's already present. - */ - pairadd(vps, vp); -} - /* * Perform the realm module instantiation. Configuration info is * stored in *instance for later use. @@ -408,7 +384,7 @@ static rlm_rcode_t realm_authorize(void *instance, REQUEST *request) */ RDEBUG2("Preparing to proxy authentication request to realm \"%s\"\n", realm->name); - add_proxy_to_realm(&request->config_items, realm); + pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ); return RLM_MODULE_UPDATED; /* try the next module */ } @@ -441,7 +417,7 @@ static rlm_rcode_t realm_preacct(void *instance, REQUEST *request) */ RDEBUG2("Preparing to proxy accounting request to realm \"%s\"\n", realm->name); - add_proxy_to_realm(&request->config_items, realm); + pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ); return RLM_MODULE_UPDATED; /* try the next module */ } @@ -492,7 +468,7 @@ static rlm_rcode_t realm_coa(UNUSED void *instance, REQUEST *request) */ RDEBUG2("Preparing to proxy authentication request to realm \"%s\"\n", realm->name); - add_proxy_to_realm(&request->config_items, realm); + pairmake_config("Proxy-To-Realm", realm->name, T_OP_EQ); return RLM_MODULE_UPDATED; /* try the next module */ } diff --git a/src/modules/rlm_ruby/rlm_ruby.c b/src/modules/rlm_ruby/rlm_ruby.c index ad6369e50ca..bb1249e8e89 100644 --- a/src/modules/rlm_ruby/rlm_ruby.c +++ b/src/modules/rlm_ruby/rlm_ruby.c @@ -103,7 +103,7 @@ static VALUE radlog_rb(UNUSED VALUE self, VALUE msg_type, VALUE rb_msg) { /* Tuple to value pair conversion */ -static void add_vp_tuple(VALUE_PAIR **vpp, VALUE rb_value, +static void add_vp_tuple(TALLOC_CTX *ctx, VALUE_PAIR **vpp, VALUE rb_value, const char *function_name) { int i, outertuplesize; VALUE_PAIR *vp; @@ -158,9 +158,8 @@ static void add_vp_tuple(VALUE_PAIR **vpp, VALUE rb_value, function_name, s1, s2); /* xxx Might need to support other T_OP */ - vp = pairmake(s1, s2, T_OP_EQ); + vp = pairmake(ctx, vpp, s1, s2, T_OP_EQ); if (vp != NULL) { - pairadd(vpp, vp); radlog(L_DBG, "%s: s1, s2 OK\n", function_name); } else { @@ -272,10 +271,10 @@ static rlm_rcode_t ruby_function(REQUEST *request, int func, rb_reply_items = rb_ary_entry(rb_result, 1); rb_config_items = rb_ary_entry(rb_result, 2); - add_vp_tuple(&request->reply->vps, rb_reply_items, - function_name); - add_vp_tuple(&request->config_items, rb_config_items, - function_name); + add_vp_tuple(request->reply, &request->reply->vps, + rb_reply_items, function_name); + add_vp_tuple(request, &request->config_items, + rb_config_items, function_name); } } else if (FIXNUM_P(rb_result)) { rcode = FIX2INT(rb_result); diff --git a/src/modules/rlm_securid/mem.c b/src/modules/rlm_securid/mem.c index 7ecf67a20ec..8a39d9edc91 100644 --- a/src/modules/rlm_securid/mem.c +++ b/src/modules/rlm_securid/mem.c @@ -137,12 +137,10 @@ int securid_sessionlist_add(rlm_securid_t *inst,REQUEST *request, * Generate State, since we've been asked to add it to * the list. */ - state = pairmake("State", session->state, T_OP_EQ); + state = pairmake_reply("State", session->state, T_OP_EQ); if (!state) return -1; state->length = SECURID_STATE_LEN; - - status = rbtree_insert(inst->session_tree, session); if (status) { /* tree insert SUCCESS */ @@ -176,8 +174,6 @@ int securid_sessionlist_add(rlm_securid_t *inst,REQUEST *request, return -1; } - pairadd(&(request->reply->vps), state); - return 0; } diff --git a/src/modules/rlm_securid/rlm_securid.c b/src/modules/rlm_securid/rlm_securid.c index f353c0d67a8..b317244da51 100644 --- a/src/modules/rlm_securid/rlm_securid.c +++ b/src/modules/rlm_securid/rlm_securid.c @@ -466,7 +466,6 @@ static int securid_authenticate(void *instance, REQUEST *request) { int rcode; rlm_securid_t *inst = instance; - VALUE_PAIR *vp; char buffer[MAX_STRING_LEN]=""; const char *username=NULL, *password=NULL; @@ -541,17 +540,8 @@ static int securid_authenticate(void *instance, REQUEST *request) break; } - if (*buffer) { - /* Generate Reply-Message attribute with reply message data */ - vp = pairmake("Reply-Message", buffer, T_OP_EQ); - - /* make sure message ends with '\0' */ - if (vp->length < (int) sizeof(vp->vp_strvalue)) { - vp->vp_strvalue[vp->length] = '\0'; - vp->length++; - } - pairadd(&request->reply->vps,vp); - } + if (*buffer) pairmake_reply("Reply-Message", buffer, T_OP_EQ); + return rcode; } diff --git a/src/modules/rlm_sim_files/rlm_sim_files.c b/src/modules/rlm_sim_files/rlm_sim_files.c index 95ecb47152d..e1b823959ab 100644 --- a/src/modules/rlm_sim_files/rlm_sim_files.c +++ b/src/modules/rlm_sim_files/rlm_sim_files.c @@ -95,11 +95,9 @@ static int sim_file_instantiate(CONF_SECTION *conf, void **instance) static rlm_rcode_t sim_file_authorize(void *instance, REQUEST *request) { VALUE_PAIR *namepair; - VALUE_PAIR *reply_tmp; const char *name; struct sim_file_instance *inst = instance; VALUE_PAIR **reply_pairs; - VALUE_PAIR **config_pairs; FILE *triplets; char tripbuf[sizeof("232420100000015,30000000000000000000000000000000,30112233,445566778899AABB")*2]; char imsi[128], chal[256], kc[128], sres[128]; @@ -108,7 +106,6 @@ static rlm_rcode_t sim_file_authorize(void *instance, REQUEST *request) int lineno; reply_pairs = &request->reply->vps; - config_pairs = &request->config_items; /* * Grab the canonical user name. @@ -185,7 +182,7 @@ static rlm_rcode_t sim_file_authorize(void *instance, REQUEST *request) continue; } - + /* @todo: Fix this code to use pairmake? */ r = paircreate(request->reply, ATTRIBUTE_EAP_SIM_RAND1 + imsicount, 0); pairparsevalue(r, chal); pairadd(reply_pairs, r); @@ -219,19 +216,7 @@ static rlm_rcode_t sim_file_authorize(void *instance, REQUEST *request) * and it will add the Autz-Type entry. */ - if((reply_tmp = pairmake ("EAP-Type", "SIM", T_OP_EQ))) - { - radlog(L_INFO, "rlm_sim_files: Adding EAP-Type: eap-sim"); - pairadd (config_pairs, reply_tmp); - } - -#if 0 - DEBUG("rlm_sim_files: saw config"); - debug_pair_list(*config_pairs); - - DEBUG("rlm_sim_files: saw reply"); - debug_pair_list(*reply_pairs); -#endif + pairmake_config("EAP-Type", "SIM", T_OP_EQ); return RLM_MODULE_OK; } diff --git a/src/modules/rlm_smsotp/rlm_smsotp.c b/src/modules/rlm_smsotp/rlm_smsotp.c index e561da8756b..7664ce4c2ee 100644 --- a/src/modules/rlm_smsotp/rlm_smsotp.c +++ b/src/modules/rlm_smsotp/rlm_smsotp.c @@ -216,7 +216,6 @@ static rlm_rcode_t smsotp_authenticate(void *instance, REQUEST *request) { rlm_smsotp_t *inst = instance; VALUE_PAIR *state; - VALUE_PAIR *reply; int bufsize; int *fdp; rlm_rcode_t rcode = RLM_MODULE_FAIL; @@ -304,11 +303,8 @@ static rlm_rcode_t smsotp_authenticate(void *instance, REQUEST *request) * Create the challenge, and add it to the reply. */ - reply = pairmake("Reply-Message", inst->challenge, T_OP_EQ); - pairadd(&request->reply->vps, reply); - - state = pairmake("State", buffer, T_OP_EQ); - pairadd(&request->reply->vps, state); + pairmake_reply("Reply-Message", inst->challenge, T_OP_EQ); + pairmake_reply("State", buffer, T_OP_EQ); /* * Mark the packet as an Access-Challenge packet. @@ -348,7 +344,7 @@ static rlm_rcode_t smsotp_authorize(void *instance, REQUEST *request) DEBUG("rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type '%s'",inst->authtype); pairdelete(&request->config_items, PW_AUTH_TYPE, 0, TAG_ANY); /* delete old auth-type */ - pairadd(&request->config_items, pairmake("Auth-Type", inst->authtype, T_OP_SET)); + pairmake_config("Auth-Type", inst->authtype, T_OP_SET); } return RLM_MODULE_OK; diff --git a/src/modules/rlm_soh/rlm_soh.c b/src/modules/rlm_soh/rlm_soh.c index c2baf348d4c..6300bcef5d3 100644 --- a/src/modules/rlm_soh/rlm_soh.c +++ b/src/modules/rlm_soh/rlm_soh.c @@ -175,7 +175,7 @@ static rlm_rcode_t soh_postauth(UNUSED void * instance, REQUEST *request) } else { RDEBUG("SoH decoding NAP from DHCP request"); /* SoH payload */ - rcode = soh_verify(request, request->packet->vps, data, vlen); + rcode = soh_verify(request, data, vlen); if (rcode < 0) { return RLM_MODULE_FAIL; } @@ -207,7 +207,7 @@ static rlm_rcode_t soh_authorize(UNUSED void * instance, REQUEST *request) RDEBUG("SoH radius VP found"); /* decode it */ - rv = soh_verify(request, request->packet->vps, vp->vp_octets, vp->length); + rv = soh_verify(request, vp->vp_octets, vp->length); if (rv < 0) { return RLM_MODULE_FAIL; } diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c index 2bb02207581..896bd2d4a29 100644 --- a/src/modules/rlm_sql/rlm_sql.c +++ b/src/modules/rlm_sql/rlm_sql.c @@ -632,14 +632,13 @@ static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_han * Add the Sql-Group attribute to the request list so we know * which group we're retrieving attributes for */ - sql_group = pairmake("Sql-Group", entry->name, T_OP_EQ); + sql_group = pairmake_packet("Sql-Group", entry->name, T_OP_EQ); if (!sql_group) { radlog_request(L_ERR, 0, request, "Error creating Sql-Group attribute"); talloc_free(head); return -1; } - pairadd(&request->packet->vps, sql_group); if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func, inst)) { radlog_request(L_ERR, 0, request, "Error generating query; rejecting user"); @@ -648,7 +647,7 @@ static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_han talloc_free(head); return -1; } - rows = sql_getvpdata(inst, &handle, &check_tmp, querystr); + rows = sql_getvpdata(inst, &handle, request, &check_tmp, querystr); if (rows < 0) { radlog_request(L_ERR, 0, request, "Error retrieving check pairs for group %s", entry->name); @@ -676,7 +675,7 @@ static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_han talloc_free(head); return -1; } - if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) { + if (sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr) < 0) { radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s", entry->name); /* Remove the grouup we added above */ @@ -711,7 +710,7 @@ static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_han talloc_free(head); return -1; } - if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) { + if (sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr) < 0) { radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s", entry->name); /* Remove the grouup we added above */ @@ -1020,7 +1019,7 @@ static rlm_rcode_t rlm_sql_authorize(void *instance, REQUEST * request) goto error; } - rows = sql_getvpdata(inst, &handle, &check_tmp, querystr); + rows = sql_getvpdata(inst, &handle, request, &check_tmp, querystr); if (rows < 0) { radlog_request(L_ERR, 0, request, "SQL query error; rejecting user"); @@ -1058,7 +1057,7 @@ static rlm_rcode_t rlm_sql_authorize(void *instance, REQUEST * request) goto error; } - rows = sql_getvpdata(inst, &handle, &reply_tmp, querystr); + rows = sql_getvpdata(inst, &handle, request->reply, &reply_tmp, querystr); if (rows < 0) { radlog_request(L_ERR, 0, request, "SQL query error; rejecting user"); diff --git a/src/modules/rlm_sql/rlm_sql.h b/src/modules/rlm_sql/rlm_sql.h index 1dfe0102453..555ab75544a 100644 --- a/src/modules/rlm_sql/rlm_sql.h +++ b/src/modules/rlm_sql/rlm_sql.h @@ -136,9 +136,9 @@ void sql_poolfree(rlm_sql_t *inst); int sql_close_socket(rlm_sql_t *inst, rlm_sql_handle_t *handle); rlm_sql_handle_t *sql_get_socket(rlm_sql_t *inst); int sql_release_socket(rlm_sql_t *inst, rlm_sql_handle_t *handle); -int sql_userparse(VALUE_PAIR **first_pair, rlm_sql_row_t row); +int sql_userparse(TALLOC_CTX *ctx, VALUE_PAIR **first_pair, rlm_sql_row_t row); int sql_read_realms(rlm_sql_handle_t *handle); -int sql_getvpdata(rlm_sql_t *inst, rlm_sql_handle_t **handle, VALUE_PAIR **pair, char *query); +int sql_getvpdata(rlm_sql_t *inst, rlm_sql_handle_t **handle, TALLOC_CTX *ctx, VALUE_PAIR **pair, char *query); int sql_read_naslist(rlm_sql_handle_t *handle); int sql_read_clients(rlm_sql_handle_t *handle); int sql_dict_init(rlm_sql_handle_t *handle); diff --git a/src/modules/rlm_sql/sql.c b/src/modules/rlm_sql/sql.c index c68b32d1e02..a66d383d0ff 100644 --- a/src/modules/rlm_sql/sql.c +++ b/src/modules/rlm_sql/sql.c @@ -162,7 +162,7 @@ int sql_release_socket(rlm_sql_t * inst, rlm_sql_handle_t * handle) * Purpose: Read entries from the database and fill VALUE_PAIR structures * *************************************************************************/ -int sql_userparse(VALUE_PAIR **head, rlm_sql_row_t row) +int sql_userparse(TALLOC_CTX *ctx, VALUE_PAIR **head, rlm_sql_row_t row) { VALUE_PAIR *vp; const char *ptr, *value; @@ -241,7 +241,7 @@ int sql_userparse(VALUE_PAIR **head, rlm_sql_row_t row) /* * Create the pair */ - vp = pairmake(row[2], NULL, operator); + vp = pairmake(ctx, NULL, row[2], NULL, operator); if (!vp) { radlog(L_ERR, "rlm_sql: Failed to create the pair: %s", fr_strerror()); @@ -412,7 +412,8 @@ int rlm_sql_select_query(rlm_sql_handle_t **handle, rlm_sql_t *inst, char *query * Purpose: Get any group check or reply pairs * *************************************************************************/ -int sql_getvpdata(rlm_sql_t * inst, rlm_sql_handle_t **handle, VALUE_PAIR **pair, char *query) +int sql_getvpdata(rlm_sql_t * inst, rlm_sql_handle_t **handle, + TALLOC_CTX *ctx, VALUE_PAIR **pair, char *query) { rlm_sql_row_t row; int rows = 0; @@ -425,7 +426,7 @@ int sql_getvpdata(rlm_sql_t * inst, rlm_sql_handle_t **handle, VALUE_PAIR **pair row = (*handle)->row; if (!row) break; - if (sql_userparse(pair, row) != 0) { + if (sql_userparse(ctx, pair, row) != 0) { radlog(L_ERR, "rlm_sql (%s): Error getting data from database", inst->config->xlat_name); (inst->module->sql_finish_select_query)(*handle, inst->config); diff --git a/src/modules/rlm_sqlcounter/rlm_sqlcounter.c b/src/modules/rlm_sqlcounter/rlm_sqlcounter.c index c9cd06e4503..009401fa1b2 100644 --- a/src/modules/rlm_sqlcounter/rlm_sqlcounter.c +++ b/src/modules/rlm_sqlcounter/rlm_sqlcounter.c @@ -629,8 +629,7 @@ static rlm_rcode_t sqlcounter_authorize(void *instance, REQUEST *request) * User is denied access, send back a reply message */ snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset); - reply_item=pairmake("Reply-Message", msg, T_OP_EQ); - pairadd(&request->reply->vps, reply_item); + pairmake_reply("Reply-Message", msg, T_OP_EQ); RDEBUGE("Maximum %s usage time reached", data->reset); diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c index ce6f1e3f4db..307985305ac 100644 --- a/src/modules/rlm_unix/rlm_unix.c +++ b/src/modules/rlm_unix/rlm_unix.c @@ -300,11 +300,9 @@ static rlm_rcode_t unix_authorize(UNUSED void *instance, REQUEST *request) if (encrypted_pass[0] == 0) return RLM_MODULE_NOOP; - vp = pairmake("Crypt-Password", encrypted_pass, T_OP_SET); + vp = pairmake_config("Crypt-Password", encrypted_pass, T_OP_SET); if (!vp) return RLM_MODULE_FAIL; - pairadd(&request->config_items, vp); - return RLM_MODULE_UPDATED; } diff --git a/src/modules/rlm_wimax/rlm_wimax.c b/src/modules/rlm_wimax/rlm_wimax.c index 9e2f3f8c276..fb029157594 100644 --- a/src/modules/rlm_wimax/rlm_wimax.c +++ b/src/modules/rlm_wimax/rlm_wimax.c @@ -176,7 +176,7 @@ static rlm_rcode_t wimax_postauth(void *instance, REQUEST *request) pairdelete(&request->reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY); pairdelete(&request->reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY); - vp = radius_pairmake(request, &request->reply->vps, "WiMAX-MSK", "0x00", T_OP_EQ); + vp = pairmake_reply("WiMAX-MSK", "0x00", T_OP_EQ); if (vp) { memcpy(vp->vp_octets, msk->vp_octets, msk->length); vp->length = msk->length; diff --git a/src/modules/rlm_yubikey/rlm_yubikey.c b/src/modules/rlm_yubikey/rlm_yubikey.c index 193718ff4e1..010dc56da49 100644 --- a/src/modules/rlm_yubikey/rlm_yubikey.c +++ b/src/modules/rlm_yubikey/rlm_yubikey.c @@ -412,7 +412,7 @@ static rlm_rcode_t yubikey_authenticate(void *instance, REQUEST *request) vp->vp_integer = counter; vp->length = 4; - radius_pairmake(request, &request->packet->vps, "Yubikey-Trigger", + pairmake_packet("Yubikey-Trigger", yubikey_capslock(token.ctr) ? "keyboard" : "button", T_OP_SET); /* -- 2.47.3