From: Arran Cudbard-Bell Date: Sun, 21 Mar 2021 15:57:38 +0000 (+0000) Subject: Fixup RADIUS enums/macros and radius_process type names X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=13d543230984017e4fb18171de9cc1dbdaef4e15;p=thirdparty%2Ffreeradius-server.git Fixup RADIUS enums/macros and radius_process type names --- diff --git a/src/bin/collectd.c b/src/bin/collectd.c index adc0c6f6448..b38f9d13279 100644 --- a/src/bin/collectd.c +++ b/src/bin/collectd.c @@ -237,7 +237,7 @@ error: * */ rs_stats_tmpl_t *rs_stats_collectd_init_latency(TALLOC_CTX *ctx, rs_stats_tmpl_t **out, rs_t *conf, - char const *type, rs_latency_t *stats, FR_CODE code) + char const *type, rs_latency_t *stats, fr_radius_packet_code_t code) { rs_stats_tmpl_t **tmpl, *last; char *p; diff --git a/src/bin/radclient.c b/src/bin/radclient.c index 91b09b16992..3f552e604d2 100644 --- a/src/bin/radclient.c +++ b/src/bin/radclient.c @@ -59,7 +59,7 @@ static bool do_output = true; static rc_stats_t stats; static uint16_t server_port = 0; -static int packet_code = FR_CODE_UNDEFINED; +static int packet_code = FR_RADIUS_CODE_UNDEFINED; static fr_ipaddr_t server_ipaddr; static int resend_count = 1; static bool done = true; @@ -241,31 +241,31 @@ static int getport(char const *name) /* * Set a port from the request type if we don't already have one */ -static void radclient_get_port(FR_CODE type, uint16_t *port) +static void radclient_get_port(fr_radius_packet_code_t type, uint16_t *port) { switch (type) { default: - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_ACCESS_CHALLENGE: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_STATUS_SERVER: if (*port == 0) *port = getport("radius"); if (*port == 0) *port = FR_AUTH_UDP_PORT; return; - case FR_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: if (*port == 0) *port = getport("radacct"); if (*port == 0) *port = FR_ACCT_UDP_PORT; return; - case FR_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: if (*port == 0) *port = FR_POD_UDP_PORT; return; - case FR_CODE_COA_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: if (*port == 0) *port = FR_COA_UDP_PORT; return; - case FR_CODE_UNDEFINED: + case FR_RADIUS_CODE_UNDEFINED: if (*port == 0) *port = 0; return; } @@ -274,24 +274,24 @@ static void radclient_get_port(FR_CODE type, uint16_t *port) /* * Resolve a port to a request type */ -static FR_CODE radclient_get_code(uint16_t port) +static fr_radius_packet_code_t radclient_get_code(uint16_t port) { /* * getport returns 0 if the service doesn't exist * so we need to return early, to avoid incorrect * codes. */ - if (port == 0) return FR_CODE_UNDEFINED; + if (port == 0) return FR_RADIUS_CODE_UNDEFINED; if ((port == getport("radius")) || (port == FR_AUTH_UDP_PORT) || (port == FR_AUTH_UDP_PORT_ALT)) { - return FR_CODE_ACCESS_REQUEST; + return FR_RADIUS_CODE_ACCESS_REQUEST; } if ((port == getport("radacct")) || (port == FR_ACCT_UDP_PORT) || (port == FR_ACCT_UDP_PORT_ALT)) { - return FR_CODE_ACCOUNTING_REQUEST; + return FR_RADIUS_CODE_ACCOUNTING_REQUEST; } - if (port == FR_COA_UDP_PORT) return FR_CODE_COA_REQUEST; + if (port == FR_COA_UDP_PORT) return FR_RADIUS_CODE_COA_REQUEST; - return FR_CODE_UNDEFINED; + return FR_RADIUS_CODE_UNDEFINED; } @@ -550,7 +550,7 @@ static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files) /* * Use the default set on the command line */ - if (request->packet->code == FR_CODE_UNDEFINED) request->packet->code = packet_code; + if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) request->packet->code = packet_code; /* * Default to the filename @@ -561,41 +561,41 @@ static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files) * Automatically set the response code from the request code * (if one wasn't already set). */ - if (request->filter_code == FR_CODE_UNDEFINED) { + if (request->filter_code == FR_RADIUS_CODE_UNDEFINED) { switch (request->packet->code) { - case FR_CODE_ACCESS_REQUEST: - request->filter_code = FR_CODE_ACCESS_ACCEPT; + case FR_RADIUS_CODE_ACCESS_REQUEST: + request->filter_code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; - case FR_CODE_ACCOUNTING_REQUEST: - request->filter_code = FR_CODE_ACCOUNTING_RESPONSE; + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + request->filter_code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE; break; - case FR_CODE_COA_REQUEST: - request->filter_code = FR_CODE_COA_ACK; + case FR_RADIUS_CODE_COA_REQUEST: + request->filter_code = FR_RADIUS_CODE_COA_ACK; break; - case FR_CODE_DISCONNECT_REQUEST: - request->filter_code = FR_CODE_DISCONNECT_ACK; + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + request->filter_code = FR_RADIUS_CODE_DISCONNECT_ACK; break; - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_STATUS_SERVER: switch (radclient_get_code(request->packet->socket.inet.dst_port)) { - case FR_CODE_ACCESS_REQUEST: - request->filter_code = FR_CODE_ACCESS_ACCEPT; + case FR_RADIUS_CODE_ACCESS_REQUEST: + request->filter_code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; - case FR_CODE_ACCOUNTING_REQUEST: - request->filter_code = FR_CODE_ACCOUNTING_RESPONSE; + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + request->filter_code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE; break; default: - request->filter_code = FR_CODE_UNDEFINED; + request->filter_code = FR_RADIUS_CODE_UNDEFINED; break; } break; - case FR_CODE_UNDEFINED: + case FR_RADIUS_CODE_UNDEFINED: REDEBUG("Packet-Type must be defined," "or a well known RADIUS port"); goto error; @@ -609,25 +609,25 @@ static int radclient_init(TALLOC_CTX *ctx, rc_file_pair_t *files) * Automatically set the request code from the response code * (if one wasn't already set). */ - } else if (request->packet->code == FR_CODE_UNDEFINED) { + } else if (request->packet->code == FR_RADIUS_CODE_UNDEFINED) { switch (request->filter_code) { - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_REJECT: - request->packet->code = FR_CODE_ACCESS_REQUEST; + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_REJECT: + request->packet->code = FR_RADIUS_CODE_ACCESS_REQUEST; break; - case FR_CODE_ACCOUNTING_RESPONSE: - request->packet->code = FR_CODE_ACCOUNTING_REQUEST; + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + request->packet->code = FR_RADIUS_CODE_ACCOUNTING_REQUEST; break; - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_DISCONNECT_NAK: - request->packet->code = FR_CODE_DISCONNECT_REQUEST; + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: + request->packet->code = FR_RADIUS_CODE_DISCONNECT_REQUEST; break; - case FR_CODE_COA_ACK: - case FR_CODE_COA_NAK: - request->packet->code = FR_CODE_COA_REQUEST; + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_COA_NAK: + request->packet->code = FR_RADIUS_CODE_COA_REQUEST; break; default: @@ -1050,14 +1050,14 @@ static int recv_one_packet(fr_time_t wait_time) * Increment counters... */ switch (request->reply->code) { - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_COA_ACK: - case FR_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_DISCONNECT_ACK: stats.accepted++; break; - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: break; default: @@ -1070,7 +1070,7 @@ static int recv_one_packet(fr_time_t wait_time) * If we had an expected response code, check to see if the * packet matched that. */ - if ((request->filter_code != FR_CODE_UNDEFINED) && (request->reply->code != request->filter_code)) { + if ((request->filter_code != FR_RADIUS_CODE_UNDEFINED) && (request->reply->code != request->filter_code)) { if (is_radius_code(request->reply->code)) { REDEBUG("%s: Expected %s got %s", request->name, fr_packet_codes[request->filter_code], fr_packet_codes[request->reply->code]); @@ -1391,7 +1391,7 @@ int main(int argc, char **argv) /* * Work backwards from the port to determine the packet type */ - if (packet_code == FR_CODE_UNDEFINED) packet_code = radclient_get_code(server_port); + if (packet_code == FR_RADIUS_CODE_UNDEFINED) packet_code = radclient_get_code(server_port); } radclient_get_port(packet_code, &server_port); diff --git a/src/bin/radclient.h b/src/bin/radclient.h index 44ccc57fd24..45f3f967e7c 100644 --- a/src/bin/radclient.h +++ b/src/bin/radclient.h @@ -85,7 +85,7 @@ struct rc_request { fr_pair_list_t reply_list; fr_pair_list_t filter; //!< If the reply passes the filter, then the request passes. - FR_CODE filter_code; //!< Expected code of the response packet. + fr_radius_packet_code_t filter_code; //!< Expected code of the response packet. int resend; int tries; diff --git a/src/bin/radsniff.c b/src/bin/radsniff.c index e2f4c70b74c..a07fcd38cee 100644 --- a/src/bin/radsniff.c +++ b/src/bin/radsniff.c @@ -62,20 +62,20 @@ typedef int (*rbcmp)(void const *, void const *); static char const *radsniff_version = RADIUSD_VERSION_STRING_BUILD("radsniff"); static int rs_useful_codes[] = { - FR_CODE_ACCESS_REQUEST, //!< RFC2865 - Authentication request - FR_CODE_ACCESS_ACCEPT, //!< RFC2865 - Access-Accept - FR_CODE_ACCESS_REJECT, //!< RFC2865 - Access-Reject - FR_CODE_ACCOUNTING_REQUEST, //!< RFC2866 - Accounting-Request - FR_CODE_ACCOUNTING_RESPONSE, //!< RFC2866 - Accounting-Response - FR_CODE_ACCESS_CHALLENGE, //!< RFC2865 - Access-Challenge - FR_CODE_STATUS_SERVER, //!< RFC2865/RFC5997 - Status Server (request) - FR_CODE_STATUS_CLIENT, //!< RFC2865/RFC5997 - Status Server (response) - FR_CODE_DISCONNECT_REQUEST, //!< RFC3575/RFC5176 - Disconnect-Request - FR_CODE_DISCONNECT_ACK, //!< RFC3575/RFC5176 - Disconnect-Ack (positive) - FR_CODE_DISCONNECT_NAK, //!< RFC3575/RFC5176 - Disconnect-Nak (not willing to perform) - FR_CODE_COA_REQUEST, //!< RFC3575/RFC5176 - CoA-Request - FR_CODE_COA_ACK, //!< RFC3575/RFC5176 - CoA-Ack (positive) - FR_CODE_COA_NAK, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) + FR_RADIUS_CODE_ACCESS_REQUEST, //!< RFC2865 - Authentication request + FR_RADIUS_CODE_ACCESS_ACCEPT, //!< RFC2865 - Access-Accept + FR_RADIUS_CODE_ACCESS_REJECT, //!< RFC2865 - Access-Reject + FR_RADIUS_CODE_ACCOUNTING_REQUEST, //!< RFC2866 - Accounting-Request + FR_RADIUS_CODE_ACCOUNTING_RESPONSE, //!< RFC2866 - Accounting-Response + FR_RADIUS_CODE_ACCESS_CHALLENGE, //!< RFC2865 - Access-Challenge + FR_RADIUS_CODE_STATUS_SERVER, //!< RFC2865/RFC5997 - Status Server (request) + FR_RADIUS_CODE_STATUS_CLIENT, //!< RFC2865/RFC5997 - Status Server (response) + FR_RADIUS_CODE_DISCONNECT_REQUEST, //!< RFC3575/RFC5176 - Disconnect-Request + FR_RADIUS_CODE_DISCONNECT_ACK, //!< RFC3575/RFC5176 - Disconnect-Ack (positive) + FR_RADIUS_CODE_DISCONNECT_NAK, //!< RFC3575/RFC5176 - Disconnect-Nak (not willing to perform) + FR_RADIUS_CODE_COA_REQUEST, //!< RFC3575/RFC5176 - CoA-Request + FR_RADIUS_CODE_COA_ACK, //!< RFC3575/RFC5176 - CoA-Ack (positive) + FR_RADIUS_CODE_COA_NAK, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) }; static fr_table_num_sorted_t const rs_events[] = { @@ -578,7 +578,7 @@ static void rs_stats_process_counters(rs_latency_t *stats) } } -static void rs_stats_print_code_fancy(rs_latency_t *stats, FR_CODE code) +static void rs_stats_print_code_fancy(rs_latency_t *stats, fr_radius_packet_code_t code) { int i; bool have_rt = false; @@ -1378,15 +1378,15 @@ static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkt } switch (packet->code) { - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_ACCESS_REJECT: - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_CHALLENGE: - case FR_CODE_COA_NAK: - case FR_CODE_COA_ACK: - case FR_CODE_DISCONNECT_NAK: - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_STATUS_CLIENT: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_COA_NAK: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_STATUS_CLIENT: { /* look for a matching request and use it for decoding */ search.expect = packet; @@ -1512,11 +1512,11 @@ static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkt break; } - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_COA_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: { /* * Verify this code is allowed @@ -1532,9 +1532,9 @@ static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkt if (conf->verify_radius_authenticator) { switch (packet->code) { - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_COA_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: { int ret; FILE *log_fp = fr_log_fp; @@ -1783,7 +1783,7 @@ static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkt * CoA and Disconnect Messages, as we get the average latency across both * response types. * - * It also justifies allocating FR_CODE_RADIUS_MAX instances of rs_latency_t. + * It also justifies allocating FR_RADIUS_CODE_MAXinstances of rs_latency_t. */ rs_stats_update_latency(&stats->exchange[packet->code], &latency); rs_stats_update_latency(&stats->exchange[original->expect->code], &latency); diff --git a/src/bin/radsniff.h b/src/bin/radsniff.h index b53db01e528..aeba3083209 100644 --- a/src/bin/radsniff.h +++ b/src/bin/radsniff.h @@ -95,7 +95,7 @@ typedef struct rs_stats_value_tmpl rs_stats_value_tmpl_t; #endif typedef struct { - uint64_t type[FR_CODE_RADIUS_MAX + 1]; + uint64_t type[FR_RADIUS_CODE_MAX+ 1]; } rs_counters_t; typedef struct CC_HINT(__packed__) { @@ -163,7 +163,7 @@ typedef struct { typedef struct { int intervals; //!< Number of stats intervals. - rs_latency_t exchange[FR_CODE_RADIUS_MAX + 1]; //!< We end up allocating ~16K, but memory is cheap so + rs_latency_t exchange[FR_RADIUS_CODE_MAX+ 1]; //!< We end up allocating ~16K, but memory is cheap so //!< what the hell. This is required because instances of //!< FreeRADIUS delay Access-Rejects, which would artificially //!< increase latency stats for Access-Requests. @@ -294,8 +294,8 @@ struct rs { fr_pair_list_t filter_request_vps; //!< Sorted filter vps. fr_pair_list_t filter_response_vps; //!< Sorted filter vps. - FR_CODE filter_request_code; //!< Filter request packets by code. - FR_CODE filter_response_code; //!< Filter response packets by code. + fr_radius_packet_code_t filter_request_code; //!< Filter request packets by code. + fr_radius_packet_code_t filter_response_code; //!< Filter response packets by code. rs_status_t event_flags; //!< Events we log and capture on. rs_packet_logger_t logger; //!< Packet logger @@ -350,7 +350,7 @@ struct rs_stats_tmpl * collectd.c - Registration and processing functions */ rs_stats_tmpl_t *rs_stats_collectd_init_latency(TALLOC_CTX *ctx, rs_stats_tmpl_t **out, rs_t *conf, - char const *type, rs_latency_t *stats, FR_CODE code); + char const *type, rs_latency_t *stats, fr_radius_packet_code_t code); void rs_stats_collectd_do_stats(rs_t *conf, rs_stats_tmpl_t *tmpls, struct timeval *now); int rs_stats_collectd_open(rs_t *conf); int rs_stats_collectd_close(rs_t *conf); diff --git a/src/lib/eap/chbind.c b/src/lib/eap/chbind.c index 708a6e560eb..6d489cbf302 100644 --- a/src/lib/eap/chbind.c +++ b/src/lib/eap/chbind.c @@ -168,9 +168,9 @@ static size_t chbind_get_data(chbind_packet_t const *packet, } -FR_CODE chbind_process(request_t *request, CHBIND_REQ *chbind) +fr_radius_packet_code_t chbind_process(request_t *request, CHBIND_REQ *chbind) { - FR_CODE code; + fr_radius_packet_code_t code; rlm_rcode_t rcode; request_t *fake = NULL; uint8_t const *attr_data; @@ -223,7 +223,7 @@ FR_CODE chbind_process(request_t *request, CHBIND_REQ *chbind) talloc_free(packet_ctx.tmp_ctx); talloc_free(packet_ctx.tags); - return FR_CODE_ACCESS_ACCEPT; + return FR_RADIUS_CODE_ACCESS_ACCEPT; } attr_data += attr_len; data_len -= attr_len; @@ -239,7 +239,7 @@ FR_CODE chbind_process(request_t *request, CHBIND_REQ *chbind) * bindings, this is hard-coded for now. */ fake->server_cs = virtual_server_find("channel_bindings"); - fake->packet->code = FR_CODE_ACCESS_REQUEST; + fake->packet->code = FR_RADIUS_CODE_ACCESS_REQUEST; rad_virtual_server(&rcode, fake); switch (rcode) { @@ -247,14 +247,14 @@ FR_CODE chbind_process(request_t *request, CHBIND_REQ *chbind) case RLM_MODULE_OK: case RLM_MODULE_HANDLED: if (chbind_build_response(fake, chbind)) { - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; } FALL_THROUGH; /* If we got any other response from the virtual server, it maps to a reject */ default: - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; } diff --git a/src/lib/eap/chbind.h b/src/lib/eap/chbind.h index e1a958c1957..484a2f46879 100644 --- a/src/lib/eap/chbind.h +++ b/src/lib/eap/chbind.h @@ -57,7 +57,7 @@ typedef struct { #define CHBIND_CODE_FAILURE 3 /* Channel binding function prototypes */ -FR_CODE chbind_process(request_t *request, CHBIND_REQ *chbind_req); +fr_radius_packet_code_t chbind_process(request_t *request, CHBIND_REQ *chbind_req); fr_pair_t *eap_chbind_packet2vp(TALLOC_CTX *ctx, chbind_packet_t *chbind); chbind_packet_t *eap_chbind_vp2packet(TALLOC_CTX *ctx, fr_pair_list_t *vps); diff --git a/src/lib/eap/compose.c b/src/lib/eap/compose.c index 5bda3142251..f5497aae55e 100644 --- a/src/lib/eap/compose.c +++ b/src/lib/eap/compose.c @@ -251,22 +251,22 @@ rlm_rcode_t eap_compose(eap_session_t *eap_session) rcode = RLM_MODULE_OK; if (!request->reply->code) switch (reply->code) { case FR_EAP_CODE_RESPONSE: - request->reply->code = FR_CODE_ACCESS_ACCEPT; + request->reply->code = FR_RADIUS_CODE_ACCESS_ACCEPT; rcode = RLM_MODULE_HANDLED; break; case FR_EAP_CODE_SUCCESS: - request->reply->code = FR_CODE_ACCESS_ACCEPT; + request->reply->code = FR_RADIUS_CODE_ACCESS_ACCEPT; rcode = RLM_MODULE_OK; break; case FR_EAP_CODE_FAILURE: - request->reply->code = FR_CODE_ACCESS_REJECT; + request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT; rcode = RLM_MODULE_REJECT; break; case FR_EAP_CODE_REQUEST: - request->reply->code = FR_CODE_ACCESS_CHALLENGE; + request->reply->code = FR_RADIUS_CODE_ACCESS_CHALLENGE; rcode = RLM_MODULE_HANDLED; break; @@ -280,7 +280,7 @@ rlm_rcode_t eap_compose(eap_session_t *eap_session) /* Should never enter here */ REDEBUG("Reply code %d is unknown, rejecting the request", reply->code); - request->reply->code = FR_CODE_ACCESS_REJECT; + request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT; reply->code = FR_EAP_CODE_FAILURE; rcode = RLM_MODULE_REJECT; break; diff --git a/src/lib/server/auth.c b/src/lib/server/auth.c index 8d5c138d581..e61534197ca 100644 --- a/src/lib/server/auth.c +++ b/src/lib/server/auth.c @@ -169,11 +169,11 @@ runit: fr_cond_assert(final == RLM_MODULE_OK); if (!request->reply->code || - (request->reply->code == FR_CODE_ACCESS_REJECT)) { + (request->reply->code == FR_RADIUS_CODE_ACCESS_REJECT)) { RETURN_MODULE_REJECT; } - if (request->reply->code == FR_CODE_ACCESS_CHALLENGE) { + if (request->reply->code == FR_RADIUS_CODE_ACCESS_CHALLENGE) { RETURN_MODULE_HANDLED; } diff --git a/src/lib/server/process.h b/src/lib/server/process.h index 9e3503ee968..c0e252a2019 100644 --- a/src/lib/server/process.h +++ b/src/lib/server/process.h @@ -43,6 +43,12 @@ typedef struct fr_process_module_s { fr_dict_t const **dict; //!< pointer to local fr_dict_t * } fr_process_module_t; +#ifndef NDEBUG +# define PROCESS_TRACE RDEBUG3("Entered state %s", __FUNCTION__) +#else +# define PROCESS_TRACE +#endif + #ifdef __cplusplus } #endif diff --git a/src/lib/server/request.c b/src/lib/server/request.c index cc4f909d390..eecbb4dfe12 100644 --- a/src/lib/server/request.c +++ b/src/lib/server/request.c @@ -656,7 +656,7 @@ void request_verify(char const *file, int line, request_t const *request) * @todo - a multi-protocol server shouldn't have * hard-coded RADIUS. */ - if ((request->packet->code == FR_CODE_ACCESS_REQUEST) && + if ((request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) && (request->reply && !request->reply->code)) { fr_assert(request->session_state_ctx != NULL); } diff --git a/src/lib/server/stats.c b/src/lib/server/stats.c index 240c93ea276..8a55b0f6cea 100644 --- a/src/lib/server/stats.c +++ b/src/lib/server/stats.c @@ -61,7 +61,7 @@ void request_stats_final(request_t *request) (request->listener->type != RAD_LISTEN_AUTH)) return; #endif /* don't count statistic requests */ - if (request->packet->code == FR_CODE_STATUS_SERVER) + if (request->packet->code == FR_RADIUS_CODE_STATUS_SERVER) return; #undef INC_AUTH @@ -78,8 +78,8 @@ void request_stats_final(request_t *request) * deleted, because only the main server thread calls * this function, which makes it thread-safe. */ - if (request->reply && (request->packet->code != FR_CODE_STATUS_SERVER)) switch (request->reply->code) { - case FR_CODE_ACCESS_ACCEPT: + if (request->reply && (request->packet->code != FR_RADIUS_CODE_STATUS_SERVER)) switch (request->reply->code) { + case FR_RADIUS_CODE_ACCESS_ACCEPT: INC_AUTH(total_access_accepts); auth_stats: @@ -96,15 +96,15 @@ void request_stats_final(request_t *request) request->reply->timestamp); break; - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: INC_AUTH(total_access_rejects); goto auth_stats; - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: INC_AUTH(total_access_challenges); goto auth_stats; - case FR_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: INC_ACCT(total_responses); fr_stats_bins(&radius_acct_stats, request->packet->timestamp, @@ -117,7 +117,7 @@ void request_stats_final(request_t *request) */ case 0: switch (request->packet->code) { - case FR_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_ACCESS_REQUEST: if (request->reply->id == -1) { INC_AUTH(total_bad_authenticators); } else { @@ -126,7 +126,7 @@ void request_stats_final(request_t *request) break; - case FR_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: if (request->reply->id == -1) { INC_ACCT(total_bad_authenticators); } else { diff --git a/src/listen/radius/proto_radius.c b/src/listen/radius/proto_radius.c index 0d1c5e6438d..321bcfc8908 100644 --- a/src/listen/radius/proto_radius.c +++ b/src/listen/radius/proto_radius.c @@ -54,15 +54,15 @@ static CONF_PARSER const limit_config[] = { }; static const CONF_PARSER priority_config[] = { - { FR_CONF_OFFSET("Access-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_CODE_ACCESS_REQUEST]), + { FR_CONF_OFFSET("Access-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_RADIUS_CODE_ACCESS_REQUEST]), .func = cf_table_parse_uint32, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" }, - { FR_CONF_OFFSET("Accounting-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_CODE_ACCOUNTING_REQUEST]), + { FR_CONF_OFFSET("Accounting-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_RADIUS_CODE_ACCOUNTING_REQUEST]), .func = cf_table_parse_uint32, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" }, - { FR_CONF_OFFSET("CoA-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_CODE_COA_REQUEST]), + { FR_CONF_OFFSET("CoA-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_RADIUS_CODE_COA_REQUEST]), .func = cf_table_parse_uint32, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "normal" }, - { FR_CONF_OFFSET("Disconnect-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_CODE_DISCONNECT_REQUEST]), + { FR_CONF_OFFSET("Disconnect-Request", FR_TYPE_UINT32, proto_radius_t, priorities[FR_RADIUS_CODE_DISCONNECT_REQUEST]), .func = cf_table_parse_uint32, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" }, - { FR_CONF_OFFSET("Status-Server", FR_TYPE_UINT32, proto_radius_t, priorities[FR_CODE_STATUS_SERVER]), + { FR_CONF_OFFSET("Status-Server", FR_TYPE_UINT32, proto_radius_t, priorities[FR_RADIUS_CODE_STATUS_SERVER]), .func = cf_table_parse_uint32, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "now" }, CONF_PARSER_TERMINATOR @@ -132,7 +132,7 @@ static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM value = cf_pair_value(cp); dv = fr_dict_enum_by_name(attr_packet_type, value, -1); - if (!dv || (dv->value->vb_uint32 >= FR_RADIUS_MAX_PACKET_CODE)) { + if (!dv || (dv->value->vb_uint32 >= FR_RADIUS_CODE_MAX)) { cf_log_err(ci, "Unknown RADIUS packet type '%s'", value); return -1; } @@ -197,7 +197,7 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d RADCLIENT const *client; fr_dcursor_t cursor; - fr_assert(data[0] < FR_RADIUS_MAX_PACKET_CODE); + fr_assert(data[0] < FR_RADIUS_CODE_MAX); /* * Set the request dictionary so that we can do @@ -315,8 +315,8 @@ static ssize_t mod_encode(void const *instance, request_t *request, uint8_t *buf * Process layer NAK, or "Do not respond". */ if ((buffer_len == 1) || - (request->reply->code == FR_CODE_DO_NOT_RESPOND) || - (request->reply->code == 0) || (request->reply->code >= FR_RADIUS_MAX_PACKET_CODE)) { + (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) || + (request->reply->code == 0) || (request->reply->code >= FR_RADIUS_CODE_MAX)) { track->do_not_respond = true; return 1; } @@ -336,7 +336,7 @@ static ssize_t mod_encode(void const *instance, request_t *request, uint8_t *buf * We don't accept the new client, so don't do * anything. */ - if (request->reply->code != FR_CODE_ACCESS_ACCEPT) { + if (request->reply->code != FR_RADIUS_CODE_ACCESS_ACCEPT) { *buffer = true; return 1; } @@ -417,7 +417,7 @@ static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED proto_radius_t const *inst = talloc_get_type_abort_const(instance, proto_radius_t); fr_assert(buffer[0] > 0); - fr_assert(buffer[0] < FR_RADIUS_MAX_PACKET_CODE); + fr_assert(buffer[0] < FR_RADIUS_CODE_MAX); /* * Disallowed packet @@ -542,7 +542,7 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf) /* * No Access-Request packets, then no cleanup delay. */ - if (!inst->allowed[FR_CODE_ACCESS_REQUEST]) { + if (!inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) { inst->io.cleanup_delay = 0; } #endif diff --git a/src/listen/radius/proto_radius.h b/src/listen/radius/proto_radius.h index 90cbb1e2f2f..d48ca8f44a5 100644 --- a/src/listen/radius/proto_radius.h +++ b/src/listen/radius/proto_radius.h @@ -37,9 +37,9 @@ typedef struct { bool tunnel_password_zeros; //!< check for trailing zeroes in Tunnel-Password. - uint32_t priorities[FR_RADIUS_MAX_PACKET_CODE]; //!< priorities for individual packets + uint32_t priorities[FR_RADIUS_CODE_MAX]; //!< priorities for individual packets char **allowed_types; //!< names for for 'type = ...' - bool allowed[FR_RADIUS_MAX_PACKET_CODE]; + bool allowed[FR_RADIUS_CODE_MAX]; } proto_radius_t; diff --git a/src/listen/radius/proto_radius_load.c b/src/listen/radius/proto_radius_load.c index a869fa403be..b0adc0ff53e 100644 --- a/src/listen/radius/proto_radius_load.c +++ b/src/listen/radius/proto_radius_load.c @@ -375,7 +375,7 @@ static int mod_instantiate(void *instance, CONF_SECTION *cs) fr_pair_t *vp; fr_pair_list_t vps; ssize_t packet_len; - int code = FR_CODE_ACCESS_REQUEST; + int code = FR_RADIUS_CODE_ACCESS_REQUEST; fr_pair_list_init(&vps); inst->client = client = talloc_zero(inst, RADCLIENT); diff --git a/src/listen/radius/proto_radius_tcp.c b/src/listen/radius/proto_radius_tcp.c index 4d27a9c8dd6..f36193797f8 100644 --- a/src/listen/radius/proto_radius_tcp.c +++ b/src/listen/radius/proto_radius_tcp.c @@ -135,7 +135,7 @@ static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *re /* * We MUST always start with a known RADIUS packet. */ - if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_MAX_PACKET_CODE)) { + if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_CODE_MAX)) { DEBUG("proto_radius_tcp got invalid packet code %d", buffer[0]); thread->stats.total_unknown_types++; return -1; @@ -253,7 +253,7 @@ static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t req * connection-level negotiation data, but only the first * time the packet is being written. */ - if ((written == 0) && (track->packet[0] == FR_CODE_STATUS_SERVER)) { + if ((written == 0) && (track->packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) { // status_check_reply(inst, buffer, buffer_len); } diff --git a/src/listen/radius/proto_radius_udp.c b/src/listen/radius/proto_radius_udp.c index 033d6569c7f..bd648f45b7d 100644 --- a/src/listen/radius/proto_radius_udp.c +++ b/src/listen/radius/proto_radius_udp.c @@ -159,7 +159,7 @@ static ssize_t mod_read(fr_listen_t *li, void **packet_ctx, fr_time_t *recv_time return 0; } - if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_MAX_PACKET_CODE)) { + if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_CODE_MAX)) { DEBUG("proto_radius_udp got invalid packet code %d", buffer[0]); thread->stats.total_unknown_types++; return 0; @@ -261,7 +261,7 @@ static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t req * Root through the reply to determine any * connection-level negotiation data. */ - if (track->packet[0] == FR_CODE_STATUS_SERVER) { + if (track->packet[0] == FR_RADIUS_CODE_STATUS_SERVER) { // status_check_reply(inst, buffer, buffer_len); } diff --git a/src/listen/vmps/proto_vmps.c b/src/listen/vmps/proto_vmps.c index 04077c11876..04844826aec 100644 --- a/src/listen/vmps/proto_vmps.c +++ b/src/listen/vmps/proto_vmps.c @@ -247,7 +247,7 @@ static ssize_t mod_encode(void const *instance, request_t *request, uint8_t *buf * Process layer NAK, never respond, or "Do not respond". */ if ((buffer_len == 1) || - (request->reply->code == FR_CODE_DO_NOT_RESPOND) || + (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) || (request->reply->code >= FR_VQP_MAX_CODE)) { track->do_not_respond = true; return 1; diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c index 4dacb49372c..1c07b966245 100644 --- a/src/modules/rlm_eap/rlm_eap.c +++ b/src/modules/rlm_eap/rlm_eap.c @@ -868,7 +868,7 @@ static unlang_action_t mod_post_proxy(rlm_rcode_t *p_result, module_ctx_t const * says that we MUST include a User-Name attribute in the * Access-Accept. */ - if ((request->reply->code == FR_CODE_ACCESS_ACCEPT) && username) { + if ((request->reply->code == FR_RADIUS_CODE_ACCESS_ACCEPT) && username) { MEM(pair_update_reply(&vp, attr_user_name) >= 0); fr_pair_value_copy(vp, username); } @@ -900,7 +900,7 @@ static unlang_action_t mod_post_auth(rlm_rcode_t *p_result, module_ctx_t const * * Access-Accept. */ username = fr_pair_find_by_da(&request->request_pairs, attr_user_name); - if ((request->reply->code == FR_CODE_ACCESS_ACCEPT) && username) { + if ((request->reply->code == FR_RADIUS_CODE_ACCESS_ACCEPT) && username) { /* * Doesn't exist, add it in. */ @@ -927,7 +927,7 @@ static unlang_action_t mod_post_auth(rlm_rcode_t *p_result, module_ctx_t const * * Only synthesize a failure message if something * previously rejected the request. */ - if (request->reply->code != FR_CODE_ACCESS_REJECT) RETURN_MODULE_NOOP; + if (request->reply->code != FR_RADIUS_CODE_ACCESS_REJECT) RETURN_MODULE_NOOP; if (!fr_pair_find_by_da(&request->request_pairs, attr_eap_message)) { RDEBUG3("Request didn't contain an EAP-Message, not inserting EAP-Failure"); diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c index de38b890c49..b69f42cc3c6 100644 --- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c +++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c @@ -122,7 +122,7 @@ static void eap_fast_send_error(fr_tls_session_t *tls_session, int error) eap_fast_tlv_append(tls_session, attr_eap_fast_error, true, sizeof(value), &value); } -static void eap_fast_append_result(fr_tls_session_t *tls_session, FR_CODE code) +static void eap_fast_append_result(fr_tls_session_t *tls_session, fr_radius_packet_code_t code) { eap_fast_tunnel_t *t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t); uint16_t state; @@ -130,7 +130,7 @@ static void eap_fast_append_result(fr_tls_session_t *tls_session, FR_CODE code) da = (t->result_final) ? attr_eap_fast_result : attr_eap_fast_intermediate_result; - state = htons((code == FR_CODE_ACCESS_REJECT) ? EAP_FAST_TLV_RESULT_FAILURE : EAP_FAST_TLV_RESULT_SUCCESS); + state = htons((code == FR_RADIUS_CODE_ACCESS_REJECT) ? EAP_FAST_TLV_RESULT_FAILURE : EAP_FAST_TLV_RESULT_SUCCESS); eap_fast_tlv_append(tls_session, da, true, sizeof(state), &state); } @@ -491,7 +491,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(UNUSED eap_session_t *eap_sess * NOT 'eap start', so we should check for that.... */ switch (reply->code) { - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: RDEBUG2("Got tunneled Access-Accept"); rcode = RLM_MODULE_OK; @@ -535,12 +535,12 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(UNUSED eap_session_t *eap_sess RHEXDUMP3((uint8_t *)&t->isk, 2 * RADIUS_CHAP_CHALLENGE_LENGTH, "ISK[j]"); /* FIXME (part of above) */ break; - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: REDEBUG("Got tunneled Access-Reject"); rcode = RLM_MODULE_REJECT; break; - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: RDEBUG2("Got tunneled Access-Challenge"); /* @@ -565,10 +565,10 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(UNUSED eap_session_t *eap_sess return rcode; } -static FR_CODE eap_fast_eap_payload(request_t *request, eap_session_t *eap_session, +static fr_radius_packet_code_t eap_fast_eap_payload(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session, fr_pair_t *tlv_eap_payload) { - FR_CODE code = FR_CODE_ACCESS_REJECT; + fr_radius_packet_code_t code = FR_RADIUS_CODE_ACCESS_REJECT; rlm_rcode_t rcode; fr_pair_t *vp; eap_fast_tunnel_t *t; @@ -732,13 +732,13 @@ static FR_CODE eap_fast_eap_payload(request_t *request, eap_session_t *eap_sessi /* * Didn't authenticate the packet, but we're proxying it. */ - code = FR_CODE_STATUS_CLIENT; + code = FR_RADIUS_CODE_STATUS_CLIENT; } else #endif /* WITH_PROXY */ { REDEBUG("No tunneled reply was found, and the request was not proxied: rejecting the user"); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; } break; @@ -749,19 +749,19 @@ static FR_CODE eap_fast_eap_payload(request_t *request, eap_session_t *eap_sessi rcode = process_reply(eap_session, tls_session, request, fake->reply, &fake->reply_pairs); switch (rcode) { case RLM_MODULE_REJECT: - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; case RLM_MODULE_HANDLED: - code = FR_CODE_ACCESS_CHALLENGE; + code = FR_RADIUS_CODE_ACCESS_CHALLENGE; break; case RLM_MODULE_OK: - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; default: - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; } break; @@ -772,7 +772,7 @@ static FR_CODE eap_fast_eap_payload(request_t *request, eap_session_t *eap_sessi return code; } -static FR_CODE eap_fast_crypto_binding(request_t *request, UNUSED eap_session_t *eap_session, +static fr_radius_packet_code_t eap_fast_crypto_binding(request_t *request, UNUSED eap_session_t *eap_session, fr_tls_session_t *tls_session, eap_tlv_crypto_binding_tlv_t *binding) { uint8_t cmac[sizeof(binding->compound_mac)]; @@ -789,13 +789,13 @@ static FR_CODE eap_fast_crypto_binding(request_t *request, UNUSED eap_session_t RDEBUG2("Crypto-Binding TLV mis-match"); RHEXDUMP3((uint8_t const *) binding->compound_mac, sizeof(binding->compound_mac), "Calculated Compound MAC"); - return FR_CODE_ACCESS_REJECT; + return FR_RADIUS_CODE_ACCESS_REJECT; } - return FR_CODE_ACCESS_ACCEPT; + return FR_RADIUS_CODE_ACCESS_ACCEPT; } -static FR_CODE eap_fast_process_tlvs(request_t *request, eap_session_t *eap_session, +static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session, fr_pair_list_t *fast_vps) { eap_fast_tunnel_t *t = talloc_get_type_abort(tls_session->opaque, eap_fast_tunnel_t); @@ -807,14 +807,14 @@ static FR_CODE eap_fast_process_tlvs(request_t *request, eap_session_t *eap_sess for (vp = fr_pair_list_head(fast_vps); vp; vp = fr_pair_list_next(fast_vps, vp)) { - FR_CODE code = FR_CODE_ACCESS_REJECT; + fr_radius_packet_code_t code = FR_RADIUS_CODE_ACCESS_REJECT; if (vp->da->parent == attr_eap_fast_tlv) { if (vp->da == attr_eap_fast_eap_payload) { code = eap_fast_eap_payload(request, eap_session, tls_session, vp); - if (code == FR_CODE_ACCESS_ACCEPT) t->stage = EAP_FAST_CRYPTOBIND_CHECK; + if (code == FR_RADIUS_CODE_ACCESS_ACCEPT) t->stage = EAP_FAST_CRYPTOBIND_CHECK; } else if ((vp->da == attr_eap_fast_result) || (vp->da == attr_eap_fast_intermediate_result)) { - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; t->stage = EAP_FAST_PROVISIONING; } else { RDEBUG2("ignoring unknown %pP", vp); @@ -854,7 +854,7 @@ static FR_CODE eap_fast_process_tlvs(request_t *request, eap_session_t *eap_sess } else if (vp->da->parent == attr_eap_fast_pac_tlv) { if (vp->da == attr_eap_fast_pac_acknowledge) { if (vp->vp_uint32 == EAP_FAST_TLV_RESULT_SUCCESS) { - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; t->pac.expires = UINT32_MAX; t->pac.expired = false; t->stage = EAP_FAST_COMPLETE; @@ -875,27 +875,27 @@ static FR_CODE eap_fast_process_tlvs(request_t *request, eap_session_t *eap_sess continue; } - if (code == FR_CODE_ACCESS_REJECT) return FR_CODE_ACCESS_REJECT; + if (code == FR_RADIUS_CODE_ACCESS_REJECT) return FR_RADIUS_CODE_ACCESS_REJECT; } if (binding) { - FR_CODE code = eap_fast_crypto_binding(request, eap_session, tls_session, binding); - if (code == FR_CODE_ACCESS_ACCEPT) { + fr_radius_packet_code_t code = eap_fast_crypto_binding(request, eap_session, tls_session, binding); + if (code == FR_RADIUS_CODE_ACCESS_ACCEPT) { t->stage = EAP_FAST_PROVISIONING; } return code; } - return FR_CODE_ACCESS_ACCEPT; + return FR_RADIUS_CODE_ACCESS_ACCEPT; } /* * Process the inner tunnel data */ -FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) +fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) { - FR_CODE code; + fr_radius_packet_code_t code; fr_pair_list_t fast_vps; uint8_t const *data; size_t data_len; @@ -915,7 +915,7 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ /* * See if the tunneled data is well formed. */ - if (!eap_fast_verify(request, tls_session, data, data_len)) return FR_CODE_ACCESS_REJECT; + if (!eap_fast_verify(request, tls_session, data, data_len)) return FR_RADIUS_CODE_ACCESS_REJECT; if (t->stage == EAP_FAST_TLS_SESSION_HANDSHAKE) { fr_assert(t->mode == EAP_FAST_UNKNOWN); @@ -946,22 +946,22 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ eap_fast_send_identity_request(request, tls_session, eap_session); t->stage = EAP_FAST_AUTHENTICATION; - return FR_CODE_ACCESS_CHALLENGE; + return FR_RADIUS_CODE_ACCESS_CHALLENGE; } if (eap_fast_decode_pair(request, &fast_vps, attr_eap_fast_tlv, - data, data_len, NULL) < 0) return FR_CODE_ACCESS_REJECT; + data, data_len, NULL) < 0) return FR_RADIUS_CODE_ACCESS_REJECT; RDEBUG2("Got Tunneled FAST TLVs"); log_request_pair_list(L_DBG_LVL_1, request, NULL, &fast_vps, NULL); code = eap_fast_process_tlvs(request, eap_session, tls_session, &fast_vps); fr_pair_list_free(&fast_vps); - if (code == FR_CODE_ACCESS_REJECT) return FR_CODE_ACCESS_REJECT; + if (code == FR_RADIUS_CODE_ACCESS_REJECT) return FR_RADIUS_CODE_ACCESS_REJECT; switch (t->stage) { case EAP_FAST_AUTHENTICATION: - code = FR_CODE_ACCESS_CHALLENGE; + code = FR_RADIUS_CODE_ACCESS_CHALLENGE; break; case EAP_FAST_CRYPTOBIND_CHECK: @@ -974,7 +974,7 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ eap_fast_update_icmk(request, tls_session, (uint8_t *)&t->isk); eap_fast_append_crypto_binding(request, tls_session); - code = FR_CODE_ACCESS_CHALLENGE; + code = FR_RADIUS_CODE_ACCESS_CHALLENGE; break; } case EAP_FAST_PROVISIONING: @@ -985,7 +985,7 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ if (t->pac.send) { RDEBUG2("Peer requires new PAC"); eap_fast_send_pac_tunnel(request, tls_session); - code = FR_CODE_ACCESS_CHALLENGE; + code = FR_RADIUS_CODE_ACCESS_CHALLENGE; break; } @@ -998,13 +998,13 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ */ if (t->pac.type && t->pac.expired) { REDEBUG("Rejecting expired PAC."); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; } if (t->mode == EAP_FAST_PROVISIONING_ANON) { REDEBUG("Rejecting unauthenticated provisioning"); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; } @@ -1022,7 +1022,7 @@ FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_ default: RERROR("Internal sanity check failed in EAP-FAST at %d", t->stage); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; } return code; diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h index 06f09398db2..d94d1a5883d 100644 --- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h +++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h @@ -253,7 +253,7 @@ extern fr_dict_attr_t const *attr_eap_fast_vendor_specific; */ void eap_fast_tlv_append(fr_tls_session_t *tls_session, fr_dict_attr_t const *da, bool mandatory, int length, const void *data) CC_HINT(nonnull); -FR_CODE eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) CC_HINT(nonnull); +fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) CC_HINT(nonnull); /* * A bunch of EAP-FAST helper functions. diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c index 2f02cae6eb1..51c8c749d53 100644 --- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c @@ -517,14 +517,14 @@ static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mc * Process the FAST portion of the request. */ switch (eap_fast_process(request, eap_session, tls_session)) { - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: eap_tls_fail(request, eap_session); RETURN_MODULE_FAIL; /* * Access-Challenge, continue tunneled conversation. */ - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: fr_tls_session_send(request, tls_session); eap_tls_request(request, eap_session); RETURN_MODULE_HANDLED; @@ -532,7 +532,7 @@ static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mc /* * Success: Automatically return MPPE keys. */ - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: if (eap_tls_success(request, eap_session, NULL, 0, NULL, 0) < 0) RETURN_MODULE_FAIL; RETURN_MODULE_OK; @@ -542,7 +542,7 @@ static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mc * that the request now has a "proxy" packet, and * will proxy it, rather than returning an EAP packet. */ - case FR_CODE_STATUS_CLIENT: + case FR_RADIUS_CODE_STATUS_CLIENT: RETURN_MODULE_OK; default: diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c index 53559644ff8..5f0e5f77cce 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -286,7 +286,7 @@ static int CC_HINT(nonnull) mschap_postproxy(eap_session_t *eap_session, UNUSED * There is only a limited number of possibilities. */ switch (request->reply->code) { - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: RDEBUG2("Proxied authentication succeeded"); /* @@ -297,7 +297,7 @@ static int CC_HINT(nonnull) mschap_postproxy(eap_session_t *eap_session, UNUSED break; default: - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: REDEBUG("Proxied authentication was rejected"); RETURN_MODULE_REJECT; } @@ -336,7 +336,7 @@ static int CC_HINT(nonnull) mschap_postproxy(eap_session_t *eap_session, UNUSED * And we need to challenge the user, not ack/reject them, * so we re-write the ACK to a challenge. Yuck. */ - request->reply->code = FR_CODE_ACCESS_CHALLENGE; + request->reply->code = FR_RADIUS_CODE_ACCESS_CHALLENGE; fr_pair_list_free(&response); RETURN_MODULE_HANDLED; diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index 1f4ad9b8597..59c108ff2c0 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -386,21 +386,21 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_session_t *eap_session, fr } switch (reply->code) { - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: RDEBUG2("Tunneled authentication was successful"); t->status = PEAP_STATUS_SENT_TLV_SUCCESS; eap_peap_success(request, eap_session, tls_session); rcode = RLM_MODULE_HANDLED; break; - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: RDEBUG2("Tunneled authentication was rejected"); t->status = PEAP_STATUS_SENT_TLV_FAILURE; eap_peap_failure(request, eap_session, tls_session); rcode = RLM_MODULE_HANDLED; break; - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: RDEBUG2("Got tunneled Access-Challenge"); /* @@ -559,7 +559,7 @@ unlang_action_t eap_peap_process(rlm_rcode_t *p_result, request_t *request, fake->server_cs ? cf_section_name2(fake->server_cs) : "NULL"); rad_virtual_server(&rcode, fake); - if (fake->reply->code != FR_CODE_ACCESS_ACCEPT) { + if (fake->reply->code != FR_RADIUS_CODE_ACCESS_ACCEPT) { RDEBUG2("SoH was rejected"); TALLOC_FREE(fake); t->status = PEAP_STATUS_SENT_TLV_FAILURE; diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h b/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h index 3862fc876e0..fff42c84bc2 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h @@ -51,4 +51,4 @@ typedef struct { /* * Process the TTLS portion of an EAP-TTLS request. */ -FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) CC_HINT(nonnull); +fr_radius_packet_code_t eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) CC_HINT(nonnull); diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c index 77c841273eb..9b9607d523f 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c @@ -222,21 +222,21 @@ static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mc * Process the TTLS portion of the request. */ switch (eap_ttls_process(request, eap_session, tls_session)) { - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: eap_tls_fail(request, eap_session); RETURN_MODULE_REJECT; /* * Access-Challenge, continue tunneled conversation. */ - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: eap_tls_request(request, eap_session); RETURN_MODULE_OK; /* * Success: Automatically return MPPE keys. */ - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: goto do_keys; /* @@ -245,7 +245,7 @@ static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mc * that the request now has a "proxy" packet, and * will proxy it, rather than returning an EAP packet. */ - case FR_CODE_STATUS_CLIENT: + case FR_RADIUS_CODE_STATUS_CLIENT: RETURN_MODULE_OK; default: diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c index ca4fca73e24..7fd35bdc3ac 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c @@ -497,7 +497,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(NDEBUG_UNUSED eap_session_t *e * NOT 'eap start', so we should check for that.... */ switch (reply->code) { - case FR_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_ACCEPT: { RDEBUG2("Got tunneled Access-Accept"); @@ -525,7 +525,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(NDEBUG_UNUSED eap_session_t *e } break; - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: REDEBUG("Got tunneled Access-Reject"); rcode = RLM_MODULE_REJECT; break; @@ -536,7 +536,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(NDEBUG_UNUSED eap_session_t *e * an Access-Challenge means that we MUST tunnel * a Reply-Message to the client. */ - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: RDEBUG2("Got tunneled Access-Challenge"); /* @@ -581,9 +581,9 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(NDEBUG_UNUSED eap_session_t *e /* * Process the "diameter" contents of the tunneled data. */ -FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) +fr_radius_packet_code_t eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_session_t *tls_session) { - FR_CODE code = FR_CODE_ACCESS_REJECT; + fr_radius_packet_code_t code = FR_RADIUS_CODE_ACCESS_REJECT; rlm_rcode_t rcode; fr_pair_t *vp = NULL; fr_dcursor_t cursor; @@ -610,7 +610,7 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ if (data_len == 0) { if (t->authenticated) { RDEBUG2("Got ACK, and the user was already authenticated"); - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; goto finish; } /* else no session, no data, die. */ @@ -619,12 +619,12 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ * wrong. */ RDEBUG2("SSL_read Error"); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; goto finish; } if (!diameter_verify(request, data, data_len)) { - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; goto finish; } @@ -635,7 +635,7 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ if (eap_ttls_decode_pair(request->request_ctx, &cursor, fr_dict_root(fr_dict_internal()), data, data_len, tls_session->ssl) < 0) { RPEDEBUG("Decoding TTLS TLVs failed"); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; goto finish; } @@ -690,7 +690,7 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ */ chbind = eap_chbind_vp2packet(request, &request->request_pairs); if (chbind) { - FR_CODE chbind_code; + fr_radius_packet_code_t chbind_code; CHBIND_REQ *req = talloc_zero(request, CHBIND_REQ); RDEBUG2("received chbind request"); @@ -714,7 +714,7 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ /* clean up chbind req */ talloc_free(req); - if (chbind_code != FR_CODE_ACCESS_ACCEPT) { + if (chbind_code != FR_RADIUS_CODE_ACCESS_ACCEPT) { code = chbind_code; goto finish; } @@ -732,7 +732,7 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ if (!request->reply->code) { RDEBUG2("No tunneled reply was found for request %" PRIu64 ", and the request was not " "proxied: rejecting the user", request->number); - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; } else { /* * Returns RLM_MODULE_FOO, and we want to return FR_FOO @@ -740,19 +740,19 @@ FR_CODE eap_ttls_process(request_t *request, eap_session_t *eap_session, fr_tls_ rcode = process_reply(eap_session, tls_session, request, request->reply, &request->reply_pairs); switch (rcode) { case RLM_MODULE_REJECT: - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; case RLM_MODULE_HANDLED: - code = FR_CODE_ACCESS_CHALLENGE; + code = FR_RADIUS_CODE_ACCESS_CHALLENGE; break; case RLM_MODULE_OK: - code = FR_CODE_ACCESS_ACCEPT; + code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; default: - code = FR_CODE_ACCESS_REJECT; + code = FR_RADIUS_CODE_ACCESS_REJECT; break; } } diff --git a/src/modules/rlm_radius/rlm_radius.c b/src/modules/rlm_radius/rlm_radius.c index 41f755179ad..745956de0e5 100644 --- a/src/modules/rlm_radius/rlm_radius.c +++ b/src/modules/rlm_radius/rlm_radius.c @@ -57,42 +57,42 @@ static CONF_PARSER const status_check_update_config[] = { * Retransmission intervals for the packets we support. */ static CONF_PARSER auth_config[] = { - { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCESS_REQUEST].irt), .dflt = STRINGIFY(2) }, - { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCESS_REQUEST].mrt), .dflt = STRINGIFY(16) }, - { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_CODE_ACCESS_REQUEST].mrc), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCESS_REQUEST].mrd), .dflt = STRINGIFY(30) }, + { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt), .dflt = STRINGIFY(2) }, + { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt), .dflt = STRINGIFY(16) }, + { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd), .dflt = STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; static CONF_PARSER acct_config[] = { - { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCOUNTING_REQUEST].irt), .dflt = STRINGIFY(2) }, - { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCOUNTING_REQUEST].mrt), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_CODE_ACCOUNTING_REQUEST].mrc), .dflt = STRINGIFY(1) }, - { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_ACCOUNTING_REQUEST].mrd), .dflt = STRINGIFY(30) }, + { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt), .dflt = STRINGIFY(2) }, + { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc), .dflt = STRINGIFY(1) }, + { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd), .dflt = STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; static CONF_PARSER status_config[] = { - { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_STATUS_SERVER].irt), .dflt = STRINGIFY(2) }, - { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_STATUS_SERVER].mrt), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_CODE_STATUS_SERVER].mrc), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_STATUS_SERVER].mrd), .dflt = STRINGIFY(30) }, + { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].irt), .dflt = STRINGIFY(2) }, + { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrt), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrc), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_STATUS_SERVER].mrd), .dflt = STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; static CONF_PARSER coa_config[] = { - { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_COA_REQUEST].irt), .dflt = STRINGIFY(2) }, - { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_COA_REQUEST].mrt), .dflt = STRINGIFY(16) }, - { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_CODE_COA_REQUEST].mrc), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_COA_REQUEST].mrd), .dflt = STRINGIFY(30) }, + { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].irt), .dflt = STRINGIFY(2) }, + { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrt), .dflt = STRINGIFY(16) }, + { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrc), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_COA_REQUEST].mrd), .dflt = STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; static CONF_PARSER disconnect_config[] = { - { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_DISCONNECT_REQUEST].irt), .dflt = STRINGIFY(2) }, - { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_DISCONNECT_REQUEST].mrt), .dflt = STRINGIFY(16) }, - { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_CODE_DISCONNECT_REQUEST].mrc), .dflt = STRINGIFY(5) }, - { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_CODE_DISCONNECT_REQUEST].mrd), .dflt = STRINGIFY(30) }, + { FR_CONF_OFFSET("initial_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt), .dflt = STRINGIFY(2) }, + { FR_CONF_OFFSET("max_rtx_time", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt), .dflt = STRINGIFY(16) }, + { FR_CONF_OFFSET("max_rtx_count", FR_TYPE_UINT32, rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc), .dflt = STRINGIFY(5) }, + { FR_CONF_OFFSET("max_rtx_duration", FR_TYPE_TIME_DELTA, rlm_radius_t, retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd), .dflt = STRINGIFY(30) }, CONF_PARSER_TERMINATOR }; @@ -126,13 +126,13 @@ static CONF_PARSER const module_config[] = { CONF_PARSER_TERMINATOR }; -static CONF_PARSER const type_interval_config[FR_RADIUS_MAX_PACKET_CODE] = { - [FR_CODE_ACCESS_REQUEST] = { FR_CONF_POINTER("Access-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) auth_config }, +static CONF_PARSER const type_interval_config[FR_RADIUS_CODE_MAX] = { + [FR_RADIUS_CODE_ACCESS_REQUEST] = { FR_CONF_POINTER("Access-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) auth_config }, - [FR_CODE_ACCOUNTING_REQUEST] = { FR_CONF_POINTER("Accounting-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) acct_config }, - [FR_CODE_STATUS_SERVER] = { FR_CONF_POINTER("Status-Server", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) status_config }, - [FR_CODE_COA_REQUEST] = { FR_CONF_POINTER("CoA-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) coa_config }, - [FR_CODE_DISCONNECT_REQUEST] = { FR_CONF_POINTER("Disconnect-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) disconnect_config }, + [FR_RADIUS_CODE_ACCOUNTING_REQUEST] = { FR_CONF_POINTER("Accounting-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) acct_config }, + [FR_RADIUS_CODE_STATUS_SERVER] = { FR_CONF_POINTER("Status-Server", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) status_config }, + [FR_RADIUS_CODE_COA_REQUEST] = { FR_CONF_POINTER("CoA-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) coa_config }, + [FR_RADIUS_CODE_DISCONNECT_REQUEST] = { FR_CONF_POINTER("Disconnect-Request", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) disconnect_config }, }; static fr_dict_t const *dict_radius; @@ -197,13 +197,13 @@ static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, /* * Status-Server packets cannot be proxied. */ - if (code == FR_CODE_STATUS_SERVER) { + if (code == FR_RADIUS_CODE_STATUS_SERVER) { cf_log_err(ci, "Invalid setting of 'type = Status-Server'. Status-Server packets cannot be proxied."); return -1; } if (!code || - (code >= FR_RADIUS_MAX_PACKET_CODE) || + (code >= FR_RADIUS_CODE_MAX) || (!type_interval_config[code].name)) goto invalid_code; /* @@ -288,7 +288,7 @@ static int status_check_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED voi * types. */ if (!code || - (code >= FR_RADIUS_MAX_PACKET_CODE) || + (code >= FR_RADIUS_CODE_MAX) || (!type_interval_config[code].name)) goto invalid_code; /* @@ -302,7 +302,7 @@ static int status_check_type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED voi /* * Nothing more to do here, so we stop. */ - if (code == FR_CODE_STATUS_SERVER) return 0; + if (code == FR_RADIUS_CODE_STATUS_SERVER) return 0; cf_section_rule_push(cs, status_check_update_config); @@ -416,7 +416,7 @@ static void radius_fixups(rlm_radius_t const *inst, request_t *request) } } - if (request->packet->code != FR_CODE_ACCESS_REQUEST) return; + if (request->packet->code != FR_RADIUS_CODE_ACCESS_REQUEST) return; if (fr_pair_find_by_da(&request->request_pairs, attr_chap_password) && !fr_pair_find_by_da(&request->request_pairs, attr_chap_challenge)) { @@ -447,12 +447,12 @@ static unlang_action_t CC_HINT(nonnull) mod_process(rlm_rcode_t *p_result, modul * Reserve Status-Server for ourselves, for link-specific * signaling. */ - if (request->packet->code == FR_CODE_STATUS_SERVER) { + if (request->packet->code == FR_RADIUS_CODE_STATUS_SERVER) { REDEBUG("Cannot proxy Status-Server packets"); RETURN_MODULE_FAIL; } - if ((request->packet->code >= FR_RADIUS_MAX_PACKET_CODE) || + if ((request->packet->code >= FR_RADIUS_CODE_MAX) || !inst->retry[request->packet->code].irt) { /* can't be zero */ REDEBUG("Invalid packet code %d", request->packet->code); RETURN_MODULE_FAIL; @@ -609,12 +609,12 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf) code = inst->types[i]; fr_assert(code > 0); - fr_assert(code < FR_RADIUS_MAX_PACKET_CODE); + fr_assert(code < FR_RADIUS_CODE_MAX); inst->allowed[code] = true; } - fr_assert(inst->status_check < FR_RADIUS_MAX_PACKET_CODE); + fr_assert(inst->status_check < FR_RADIUS_CODE_MAX); /* * If we're replicating, we don't care if the other end @@ -634,7 +634,7 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf) * packets. */ if (inst->status_check) { - if (inst->status_check == FR_CODE_STATUS_SERVER) { + if (inst->status_check == FR_RADIUS_CODE_STATUS_SERVER) { inst->allowed[inst->status_check] = true; } else if (!inst->allowed[inst->status_check]) { @@ -659,16 +659,16 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf) /* * Set limits on retransmission timers */ - if (inst->allowed[FR_CODE_ACCESS_REQUEST]) { - FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_CODE_ACCESS_REQUEST].irt, >=, fr_time_delta_from_sec(1)); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_CODE_ACCESS_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); - FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_CODE_ACCESS_REQUEST].mrc, >=, 1); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); - - FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3)); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); - FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_CODE_ACCESS_REQUEST].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); + if (inst->allowed[FR_RADIUS_CODE_ACCESS_REQUEST]) { + FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, >=, fr_time_delta_from_sec(1)); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); + FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); + + FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); + FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); } /* @@ -678,63 +678,63 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf) * the server core will automatically free the request at * max_request_time. */ - if (inst->allowed[FR_CODE_ACCOUNTING_REQUEST]) { - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_CODE_ACCOUNTING_REQUEST].irt, >=, fr_time_delta_from_sec(1)); + if (inst->allowed[FR_RADIUS_CODE_ACCOUNTING_REQUEST]) { + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, >=, fr_time_delta_from_sec(1)); #if 0 - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); - FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrc, >=, 0); - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrd, >=, fr_time_delta_from_sec(0)); + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); + FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, >=, 0); + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, >=, fr_time_delta_from_sec(0)); #endif - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_CODE_ACCOUNTING_REQUEST].irt, <=, fr_time_delta_from_sec(3)); - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); - FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_CODE_ACCOUNTING_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); + FR_INTEGER_BOUND_CHECK("Accounting-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrc, <=, 10); + FR_TIME_DELTA_BOUND_CHECK("Accounting-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCOUNTING_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); } /* * Status-Server */ - if (inst->allowed[FR_CODE_STATUS_SERVER]) { - FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_CODE_STATUS_SERVER].irt, >=, fr_time_delta_from_sec(1)); - FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_CODE_STATUS_SERVER].mrt, >=, fr_time_delta_from_sec(5)); - FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_CODE_STATUS_SERVER].mrc, >=, 1); - FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_CODE_STATUS_SERVER].mrd, >=, fr_time_delta_from_sec(5)); - - FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_CODE_STATUS_SERVER].irt, <=, fr_time_delta_from_sec(3)); - FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_CODE_STATUS_SERVER].mrt, <=, fr_time_delta_from_sec(30)); - FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_CODE_STATUS_SERVER].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_CODE_STATUS_SERVER].mrd, <=, fr_time_delta_from_sec(30)); + if (inst->allowed[FR_RADIUS_CODE_STATUS_SERVER]) { + FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, >=, fr_time_delta_from_sec(1)); + FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, >=, fr_time_delta_from_sec(5)); + FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, >=, 1); + FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, >=, fr_time_delta_from_sec(5)); + + FR_TIME_DELTA_BOUND_CHECK("Status-Server.initial_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_time", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrt, <=, fr_time_delta_from_sec(30)); + FR_INTEGER_BOUND_CHECK("Status-Server.max_rtx_count", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrc, <=, 10); + FR_TIME_DELTA_BOUND_CHECK("Status-Server.max_rtx_duration", inst->retry[FR_RADIUS_CODE_STATUS_SERVER].mrd, <=, fr_time_delta_from_sec(30)); } /* * CoA */ - if (inst->allowed[FR_CODE_COA_REQUEST]) { - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_CODE_COA_REQUEST].irt, >=, fr_time_delta_from_sec(1)); - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_CODE_COA_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); - FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_CODE_COA_REQUEST].mrc, >=, 1); - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_CODE_COA_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); - - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_CODE_COA_REQUEST].irt, <=, fr_time_delta_from_sec(3)); - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_CODE_COA_REQUEST].mrt, <=, fr_time_delta_from_sec(60)); - FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_CODE_COA_REQUEST].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_CODE_COA_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); + if (inst->allowed[FR_RADIUS_CODE_COA_REQUEST]) { + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, >=, fr_time_delta_from_sec(1)); + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); + FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, >=, 1); + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); + + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrt, <=, fr_time_delta_from_sec(60)); + FR_INTEGER_BOUND_CHECK("CoA-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrc, <=, 10); + FR_TIME_DELTA_BOUND_CHECK("CoA-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_COA_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); } /* * Disconnect */ - if (inst->allowed[FR_CODE_DISCONNECT_REQUEST]) { - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_CODE_DISCONNECT_REQUEST].irt, >=, fr_time_delta_from_sec(1)); - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); - FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrc, >=, 1); - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); - - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_CODE_DISCONNECT_REQUEST].irt, <=, fr_time_delta_from_sec(3)); - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); - FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_CODE_DISCONNECT_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); + if (inst->allowed[FR_RADIUS_CODE_DISCONNECT_REQUEST]) { + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, >=, fr_time_delta_from_sec(1)); + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, >=, fr_time_delta_from_sec(5)); + FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, >=, 1); + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); + + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); + FR_INTEGER_BOUND_CHECK("Disconnect-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrc, <=, 10); + FR_TIME_DELTA_BOUND_CHECK("Disconnect-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_DISCONNECT_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); } setup_io_submodule: diff --git a/src/modules/rlm_radius/rlm_radius.h b/src/modules/rlm_radius/rlm_radius.h index d917fdb5a29..f199c19758c 100644 --- a/src/modules/rlm_radius/rlm_radius.h +++ b/src/modules/rlm_radius/rlm_radius.h @@ -74,8 +74,8 @@ struct rlm_radius_s { uint32_t num_answers_to_alive; //!< How many status check responses we need to ///< mark the connection as alive. - bool allowed[FR_RADIUS_MAX_PACKET_CODE]; - fr_retry_config_t retry[FR_RADIUS_MAX_PACKET_CODE]; + bool allowed[FR_RADIUS_CODE_MAX]; + fr_retry_config_t retry[FR_RADIUS_CODE_MAX]; fr_trunk_conf_t trunk_conf; //!< trunk configuration }; diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c index 902c8e0918f..0a1037a8cad 100644 --- a/src/modules/rlm_radius/rlm_radius_udp.c +++ b/src/modules/rlm_radius/rlm_radius_udp.c @@ -225,39 +225,39 @@ fr_dict_attr_autoload_t rlm_radius_udp_dict_attr[] = { /** If we get a reply, the request must come from one of a small * number of packet types. */ -static FR_CODE allowed_replies[FR_RADIUS_MAX_PACKET_CODE] = { - [FR_CODE_ACCESS_ACCEPT] = FR_CODE_ACCESS_REQUEST, - [FR_CODE_ACCESS_CHALLENGE] = FR_CODE_ACCESS_REQUEST, - [FR_CODE_ACCESS_REJECT] = FR_CODE_ACCESS_REQUEST, +static fr_radius_packet_code_t allowed_replies[FR_RADIUS_CODE_MAX] = { + [FR_RADIUS_CODE_ACCESS_ACCEPT] = FR_RADIUS_CODE_ACCESS_REQUEST, + [FR_RADIUS_CODE_ACCESS_CHALLENGE] = FR_RADIUS_CODE_ACCESS_REQUEST, + [FR_RADIUS_CODE_ACCESS_REJECT] = FR_RADIUS_CODE_ACCESS_REQUEST, - [FR_CODE_ACCOUNTING_RESPONSE] = FR_CODE_ACCOUNTING_REQUEST, + [FR_RADIUS_CODE_ACCOUNTING_RESPONSE] = FR_RADIUS_CODE_ACCOUNTING_REQUEST, - [FR_CODE_COA_ACK] = FR_CODE_COA_REQUEST, - [FR_CODE_COA_NAK] = FR_CODE_COA_REQUEST, + [FR_RADIUS_CODE_COA_ACK] = FR_RADIUS_CODE_COA_REQUEST, + [FR_RADIUS_CODE_COA_NAK] = FR_RADIUS_CODE_COA_REQUEST, - [FR_CODE_DISCONNECT_ACK] = FR_CODE_DISCONNECT_REQUEST, - [FR_CODE_DISCONNECT_NAK] = FR_CODE_DISCONNECT_REQUEST, + [FR_RADIUS_CODE_DISCONNECT_ACK] = FR_RADIUS_CODE_DISCONNECT_REQUEST, + [FR_RADIUS_CODE_DISCONNECT_NAK] = FR_RADIUS_CODE_DISCONNECT_REQUEST, - [FR_CODE_PROTOCOL_ERROR] = FR_CODE_PROTOCOL_ERROR, /* Any */ + [FR_RADIUS_CODE_PROTOCOL_ERROR] = FR_RADIUS_CODE_PROTOCOL_ERROR, /* Any */ }; /** Turn a reply code into a module rcode; * */ -static rlm_rcode_t radius_code_to_rcode[FR_RADIUS_MAX_PACKET_CODE] = { - [FR_CODE_ACCESS_ACCEPT] = RLM_MODULE_OK, - [FR_CODE_ACCESS_CHALLENGE] = RLM_MODULE_UPDATED, - [FR_CODE_ACCESS_REJECT] = RLM_MODULE_REJECT, +static rlm_rcode_t radius_code_to_rcode[FR_RADIUS_CODE_MAX] = { + [FR_RADIUS_CODE_ACCESS_ACCEPT] = RLM_MODULE_OK, + [FR_RADIUS_CODE_ACCESS_CHALLENGE] = RLM_MODULE_UPDATED, + [FR_RADIUS_CODE_ACCESS_REJECT] = RLM_MODULE_REJECT, - [FR_CODE_ACCOUNTING_RESPONSE] = RLM_MODULE_OK, + [FR_RADIUS_CODE_ACCOUNTING_RESPONSE] = RLM_MODULE_OK, - [FR_CODE_COA_ACK] = RLM_MODULE_OK, - [FR_CODE_COA_NAK] = RLM_MODULE_REJECT, + [FR_RADIUS_CODE_COA_ACK] = RLM_MODULE_OK, + [FR_RADIUS_CODE_COA_NAK] = RLM_MODULE_REJECT, - [FR_CODE_DISCONNECT_ACK] = RLM_MODULE_OK, - [FR_CODE_DISCONNECT_NAK] = RLM_MODULE_REJECT, + [FR_RADIUS_CODE_DISCONNECT_ACK] = RLM_MODULE_OK, + [FR_RADIUS_CODE_DISCONNECT_NAK] = RLM_MODULE_REJECT, - [FR_CODE_PROTOCOL_ERROR] = RLM_MODULE_HANDLED, + [FR_RADIUS_CODE_PROTOCOL_ERROR] = RLM_MODULE_HANDLED, }; static void conn_writable_status_check(UNUSED fr_event_list_t *el, UNUSED int fd, @@ -392,7 +392,7 @@ static void CC_HINT(nonnull) status_check_alloc(fr_event_list_t *el, udp_handle_ /* * Allow passwords only in Access-Request packets. */ - if ((inst->parent->status_check != FR_CODE_ACCESS_REQUEST) && + if ((inst->parent->status_check != FR_RADIUS_CODE_ACCESS_REQUEST) && (tmpl_da(map->lhs) == attr_user_password)) continue; (void) map_to_request(request, map, map_to_vp, NULL); @@ -587,7 +587,7 @@ static void conn_readable_status_check(fr_event_list_t *el, UNUSED int fd, UNUSE * This is usually used for dynamic configuration * on startup. */ - if (code == FR_CODE_PROTOCOL_ERROR) protocol_error_reply(u, NULL, h); + if (code == FR_RADIUS_CODE_PROTOCOL_ERROR) protocol_error_reply(u, NULL, h); /* * Last trunk event was a failure, be more careful about @@ -1211,7 +1211,7 @@ static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *res } code = data[0]; - if (!code || (code >= FR_RADIUS_MAX_PACKET_CODE)) { + if (!code || (code >= FR_RADIUS_CODE_MAX)) { REDEBUG("Unknown reply code %d", code); return DECODE_FAIL_UNKNOWN_PACKET_CODE; } @@ -1228,8 +1228,8 @@ static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *res * * Status checks accept any response code. */ - if (!u->status_check && (code != FR_CODE_PROTOCOL_ERROR)) { - if (allowed_replies[code] != (FR_CODE) u->code) { + if (!u->status_check && (code != FR_RADIUS_CODE_PROTOCOL_ERROR)) { + if (allowed_replies[code] != (fr_radius_packet_code_t) u->code) { REDEBUG("%s packet received invalid reply code %s", fr_packet_codes[u->code], fr_packet_codes[code]); return DECODE_FAIL_UNKNOWN_PACKET_CODE; @@ -1300,8 +1300,8 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_ * number... */ switch (u->code) { - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: { size_t i; uint32_t hash, base; @@ -1333,7 +1333,7 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_ vp = fr_pair_find_by_da(&request->request_pairs, attr_event_timestamp); if (vp) vp->vp_date = fr_time_to_unix_time(u->retry.updated); - if (u->code == FR_CODE_STATUS_SERVER) u->can_retransmit = false; + if (u->code == FR_RADIUS_CODE_STATUS_SERVER) u->can_retransmit = false; } else if (inst->parent->originate) { /* @@ -1462,7 +1462,7 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_ * time difference between now, and when we originally * received the request. */ - if ((u->code == FR_CODE_ACCOUNTING_REQUEST) && + if ((u->code == FR_RADIUS_CODE_ACCOUNTING_REQUEST) && (fr_pair_find_by_da(&request->request_pairs, attr_acct_delay_time) != NULL)) { uint8_t *attr, *end; uint32_t delay; @@ -1507,9 +1507,9 @@ static int encode(rlm_radius_udp_t const *inst, request_t *request, udp_request_ */ if (message_authenticator) goto sign; switch (u->code) { - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: - case FR_CODE_COA_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: sign: /* * Now that we're done mangling the packet, sign it. @@ -2272,7 +2272,7 @@ static void status_check_reply(fr_trunk_request_t *treq, fr_time_t now) /* * @todo - do other negotiation and signaling. */ - if (h->buffer[0] == FR_CODE_PROTOCOL_ERROR) protocol_error_reply(u, NULL, h); + if (h->buffer[0] == FR_RADIUS_CODE_PROTOCOL_ERROR) protocol_error_reply(u, NULL, h); if (u->num_replies < inst->num_answers_to_alive) { DEBUG("Received %d / %u replies for status check, on connection - %s", @@ -2414,7 +2414,7 @@ static void request_demux(fr_trunk_connection_t *tconn, fr_connection_t *conn, U * packet. */ switch (code) { - case FR_CODE_PROTOCOL_ERROR: + case FR_RADIUS_CODE_PROTOCOL_ERROR: protocol_error_reply(u, r, h); break; @@ -2431,13 +2431,13 @@ static void request_demux(fr_trunk_connection_t *tconn, fr_connection_t *conn, U * automatically result in it the parent request * returning an ok/fail packet code. */ - if ((u->code == FR_CODE_ACCESS_REQUEST) && (code == FR_CODE_ACCESS_CHALLENGE)) { + if ((u->code == FR_RADIUS_CODE_ACCESS_REQUEST) && (code == FR_RADIUS_CODE_ACCESS_CHALLENGE)) { fr_pair_t *vp; vp = fr_pair_find_by_da(&request->reply_pairs, attr_packet_type); if (!vp) { MEM(vp = fr_pair_afrom_da(request->reply_ctx, attr_packet_type)); - vp->vp_uint32 = FR_CODE_ACCESS_CHALLENGE; + vp->vp_uint32 = FR_RADIUS_CODE_ACCESS_CHALLENGE; fr_pair_append(&request->reply_pairs, vp); } } @@ -2700,9 +2700,9 @@ static unlang_action_t mod_enqueue(rlm_rcode_t *p_result, void **rctx_out, void fr_trunk_request_t *treq; fr_assert(request->packet->code > 0); - fr_assert(request->packet->code < FR_RADIUS_MAX_PACKET_CODE); + fr_assert(request->packet->code < FR_RADIUS_CODE_MAX); - if (request->packet->code == FR_CODE_STATUS_SERVER) { + if (request->packet->code == FR_RADIUS_CODE_STATUS_SERVER) { RWDEBUG("Status-Server is reserved for internal use, and cannot be sent manually."); RETURN_MODULE_NOOP; } diff --git a/src/modules/rlm_securid/rlm_securid.c b/src/modules/rlm_securid/rlm_securid.c index 09bfa6438b4..6721d9bd831 100644 --- a/src/modules/rlm_securid/rlm_securid.c +++ b/src/modules/rlm_securid/rlm_securid.c @@ -520,7 +520,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authenticate(rlm_rcode_t *p_result, vp->vp_uint32 = 0; /* no echo */ /* Mark the packet as a Acceess-Challenge Packet */ - request->reply->code = FR_CODE_ACCESS_CHALLENGE; + request->reply->code = FR_RADIUS_CODE_ACCESS_CHALLENGE; RDEBUG2("Sending Access-Challenge"); rcode = RLM_MODULE_HANDLED; break; diff --git a/src/modules/rlm_sometimes/rlm_sometimes.c b/src/modules/rlm_sometimes/rlm_sometimes.c index 9a0dba23ded..480fa9a78a6 100644 --- a/src/modules/rlm_sometimes/rlm_sometimes.c +++ b/src/modules/rlm_sometimes/rlm_sometimes.c @@ -118,20 +118,20 @@ static unlang_action_t sometimes_return(rlm_rcode_t *p_result, void const *insta */ if ((inst->rcode == RLM_MODULE_HANDLED) && reply) { switch (packet->code) { - case FR_CODE_ACCESS_REQUEST: - reply->code = FR_CODE_ACCESS_ACCEPT; + case FR_RADIUS_CODE_ACCESS_REQUEST: + reply->code = FR_RADIUS_CODE_ACCESS_ACCEPT; break; - case FR_CODE_ACCOUNTING_REQUEST: - reply->code = FR_CODE_ACCOUNTING_RESPONSE; + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + reply->code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE; break; - case FR_CODE_COA_REQUEST: - reply->code = FR_CODE_COA_ACK; + case FR_RADIUS_CODE_COA_REQUEST: + reply->code = FR_RADIUS_CODE_COA_ACK; break; - case FR_CODE_DISCONNECT_REQUEST: - reply->code = FR_CODE_DISCONNECT_ACK; + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + reply->code = FR_RADIUS_CODE_DISCONNECT_ACK; break; default: diff --git a/src/modules/rlm_stats/rlm_stats.c b/src/modules/rlm_stats/rlm_stats.c index 4a0c2f6fbcc..5e7e66229f1 100644 --- a/src/modules/rlm_stats/rlm_stats.c +++ b/src/modules/rlm_stats/rlm_stats.c @@ -53,7 +53,7 @@ typedef struct { fr_dict_attr_t const *ipv6_da; //!< FreeRADIUS-Stats4-IPv6-Address fr_dlist_head_t list; //!< for threads to know about each other - uint64_t stats[FR_RADIUS_MAX_PACKET_CODE]; + uint64_t stats[FR_RADIUS_CODE_MAX]; } rlm_stats_t; typedef struct { @@ -62,7 +62,7 @@ typedef struct { fr_ipaddr_t ipaddr; //!< IP address of this thing fr_time_t created; //!< when it was created fr_time_t last_packet; //!< when we last saw a packet - uint64_t stats[FR_RADIUS_MAX_PACKET_CODE]; //!< actual statistic + uint64_t stats[FR_RADIUS_CODE_MAX]; //!< actual statistic } rlm_stats_data_t; typedef struct { @@ -76,7 +76,7 @@ typedef struct { rbtree_t *src; //!< stats by source rbtree_t *dst; //!< stats by destination - uint64_t stats[FR_RADIUS_MAX_PACKET_CODE]; + uint64_t stats[FR_RADIUS_CODE_MAX]; } rlm_stats_thread_t; static const CONF_PARSER module_config[] = { @@ -103,13 +103,13 @@ fr_dict_attr_autoload_t rlm_stats_dict_attr[] = { { NULL } }; -static void coalesce(uint64_t final_stats[FR_RADIUS_MAX_PACKET_CODE], rlm_stats_thread_t *t, +static void coalesce(uint64_t final_stats[FR_RADIUS_CODE_MAX], rlm_stats_thread_t *t, size_t tree_offset, rlm_stats_data_t *mydata) { rlm_stats_data_t *stats; rlm_stats_thread_t *other; rbtree_t **tree; - uint64_t local_stats[FR_RADIUS_MAX_PACKET_CODE]; + uint64_t local_stats[FR_RADIUS_CODE_MAX]; tree = (rbtree_t **) (((uint8_t *) t) + tree_offset); @@ -119,7 +119,7 @@ static void coalesce(uint64_t final_stats[FR_RADIUS_MAX_PACKET_CODE], rlm_stats_ */ stats = rbtree_find_data(*tree, mydata); if (!stats) { - memset(final_stats, 0, sizeof(uint64_t) * FR_RADIUS_MAX_PACKET_CODE); + memset(final_stats, 0, sizeof(uint64_t) * FR_RADIUS_CODE_MAX); } else { memcpy(final_stats, stats->stats, sizeof(stats->stats)); } @@ -142,7 +142,7 @@ static void coalesce(uint64_t final_stats[FR_RADIUS_MAX_PACKET_CODE], rlm_stats_ } memcpy(&local_stats, stats->stats, sizeof(stats->stats)); - for (i = 0; i < FR_RADIUS_MAX_PACKET_CODE; i++) { + for (i = 0; i < FR_RADIUS_CODE_MAX; i++) { final_stats[i] += local_stats[i]; } } @@ -174,10 +174,10 @@ static unlang_action_t CC_HINT(nonnull) mod_stats(rlm_rcode_t *p_result, module_ int src_code, dst_code; src_code = request->packet->code; - if (src_code >= FR_RADIUS_MAX_PACKET_CODE) src_code = 0; + if (src_code >= FR_RADIUS_CODE_MAX) src_code = 0; dst_code = request->reply->code; - if (dst_code >= FR_RADIUS_MAX_PACKET_CODE) dst_code = 0; + if (dst_code >= FR_RADIUS_CODE_MAX) dst_code = 0; t->stats[src_code]++; t->stats[dst_code]++; @@ -229,7 +229,7 @@ static unlang_action_t CC_HINT(nonnull) mod_stats(rlm_rcode_t *p_result, module_ t->last_global_update = request->async->recv_time; pthread_mutex_lock(&inst->mutex); - for (i = 0; i < FR_RADIUS_MAX_PACKET_CODE; i++) { + for (i = 0; i < FR_RADIUS_CODE_MAX; i++) { inst->stats[i] += t->stats[i]; t->stats[i] = 0; } @@ -242,7 +242,7 @@ static unlang_action_t CC_HINT(nonnull) mod_stats(rlm_rcode_t *p_result, module_ * Ignore "authenticate" and anything other than Status-Server */ if ((request->request_state != REQUEST_RECV) || - (request->packet->code != FR_CODE_STATUS_SERVER)) { + (request->packet->code != FR_RADIUS_CODE_STATUS_SERVER)) { RETURN_MODULE_NOOP; } @@ -268,7 +268,7 @@ static unlang_action_t CC_HINT(nonnull) mod_stats(rlm_rcode_t *p_result, module_ * The copy helps minimize mutex contention. */ pthread_mutex_lock(&inst->mutex); - for (i = 0; i < FR_RADIUS_MAX_PACKET_CODE; i++) { + for (i = 0; i < FR_RADIUS_CODE_MAX; i++) { inst->stats[i] += t->stats[i]; t->stats[i] = 0; } @@ -309,7 +309,7 @@ static unlang_action_t CC_HINT(nonnull) mod_stats(rlm_rcode_t *p_result, module_ strcpy(buffer, "FreeRADIUS-Stats4-"); - for (i = 0; i < FR_RADIUS_MAX_PACKET_CODE; i++) { + for (i = 0; i < FR_RADIUS_CODE_MAX; i++) { fr_dict_attr_t const *da; if (!local_stats[i]) continue; @@ -369,7 +369,7 @@ static int mod_thread_detach(UNUSED fr_event_list_t *el, void *thread) int i; pthread_mutex_lock(&inst->mutex); - for (i = 0; i < FR_RADIUS_MAX_PACKET_CODE; i++) { + for (i = 0; i < FR_RADIUS_CODE_MAX; i++) { inst->stats[i] += t->stats[i]; } fr_dlist_remove(&inst->list, t); diff --git a/src/modules/rlm_yubikey/rlm_yubikey.c b/src/modules/rlm_yubikey/rlm_yubikey.c index 73673462c5e..16501014706 100644 --- a/src/modules/rlm_yubikey/rlm_yubikey.c +++ b/src/modules/rlm_yubikey/rlm_yubikey.c @@ -264,7 +264,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod * Don't print out debugging messages if we know * they're useless. */ - if ((request->dict == dict_radius) && request->packet->code != FR_CODE_ACCESS_CHALLENGE) { + if ((request->dict == dict_radius) && request->packet->code != FR_RADIUS_CODE_ACCESS_CHALLENGE) { RDEBUG2("No cleartext password in the request. Can't do Yubikey authentication"); } diff --git a/src/process/radius/base.c b/src/process/radius/base.c index 250aae88663..d1401c3130e 100644 --- a/src/process/radius/base.c +++ b/src/process/radius/base.c @@ -17,7 +17,7 @@ /** * $Id$ * @file src/process/radius/base.c - * @brief RADIUS handler + * @brief RADIUS process module * * @copyright 2021 The FreeRADIUS server project. * @copyright 2021 Network RADIUS SARL (legal@networkradius.com) @@ -43,19 +43,16 @@ fr_dict_autoload_t process_radius_dict[] = { { NULL } }; - -static fr_dict_attr_t const *attr_packet_type; - -static fr_dict_attr_t const *attr_acct_status_type; - static fr_dict_attr_t const *attr_auth_type; -static fr_dict_attr_t const *attr_calling_station_id; -static fr_dict_attr_t const *attr_chap_password; static fr_dict_attr_t const *attr_module_failure_message; static fr_dict_attr_t const *attr_module_success_message; static fr_dict_attr_t const *attr_stripped_user_name; +static fr_dict_attr_t const *attr_acct_status_type; +static fr_dict_attr_t const *attr_calling_station_id; +static fr_dict_attr_t const *attr_chap_password; static fr_dict_attr_t const *attr_nas_port; +static fr_dict_attr_t const *attr_packet_type; static fr_dict_attr_t const *attr_service_type; static fr_dict_attr_t const *attr_state; static fr_dict_attr_t const *attr_user_name; @@ -63,17 +60,17 @@ static fr_dict_attr_t const *attr_user_password; extern fr_dict_attr_autoload_t process_radius_dict_attr[]; fr_dict_attr_autoload_t process_radius_dict_attr[] = { - { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - { .out = &attr_acct_status_type, .name = "Acct-Status-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius }, { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, + { .out = &attr_acct_status_type, .name = "Acct-Status-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, { .out = &attr_calling_station_id, .name = "Calling-Station-Id", .type = FR_TYPE_STRING, .dict = &dict_radius }, { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_radius }, { .out = &attr_nas_port, .name = "NAS-Port", .type = FR_TYPE_UINT32, .dict = &dict_radius }, + { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, { .out = &attr_service_type, .name = "Service-Type", .type = FR_TYPE_UINT32, .dict = &dict_radius }, { .out = &attr_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_radius }, { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius }, @@ -85,73 +82,74 @@ fr_dict_attr_autoload_t process_radius_dict_attr[] = { /* * RADIUS state machine configuration */ -typedef struct radius_unlang_packets_s { +typedef struct { uint64_t nothing; // so that "access_request" isn't at offset 0 - CONF_SECTION *access_request; - CONF_SECTION *access_accept; - CONF_SECTION *access_reject; - CONF_SECTION *access_challenge; + CONF_SECTION *access_request; + CONF_SECTION *access_accept; + CONF_SECTION *access_reject; + CONF_SECTION *access_challenge; - CONF_SECTION *accounting_request; - CONF_SECTION *accounting_response; + CONF_SECTION *accounting_request; + CONF_SECTION *accounting_response; - CONF_SECTION *status_server; + CONF_SECTION *status_server; - CONF_SECTION *coa_request; - CONF_SECTION *coa_ack; - CONF_SECTION *coa_nak; + CONF_SECTION *coa_request; + CONF_SECTION *coa_ack; + CONF_SECTION *coa_nak; - CONF_SECTION *disconnect_request; - CONF_SECTION *disconnect_ack; - CONF_SECTION *disconnect_nak; + CONF_SECTION *disconnect_request; + CONF_SECTION *disconnect_ack; + CONF_SECTION *disconnect_nak; - CONF_SECTION *do_not_respond; - CONF_SECTION *protocol_error; /* @todo - allow protocol error as a reject reply? */ -} radius_unlang_packets_t; + CONF_SECTION *do_not_respond; + CONF_SECTION *protocol_error; /* @todo - allow protocol error as a reject reply? */ +} process_radius_sections_t; typedef struct { bool log_stripped_names; - bool log_auth; //!< Log authentication attempts. - bool log_auth_badpass; //!< Log successful authentications. - bool log_auth_goodpass; //!< Log failed authentications. - char const *auth_badpass_msg; //!< Additional text to append to successful auth messages. - char const *auth_goodpass_msg; //!< Additional text to append to failed auth messages. + bool log_auth; //!< Log authentication attempts. + bool log_auth_badpass; //!< Log successful authentications. + bool log_auth_goodpass; //!< Log failed authentications. + char const *auth_badpass_msg; //!< Additional text to append to successful auth messages. + char const *auth_goodpass_msg; //!< Additional text to append to failed auth messages. - char const *denied_msg; //!< Additional text to append if the user is already logged - //!< in (simultaneous use check failed). + char const *denied_msg; //!< Additional text to append if the user is already logged + //!< in (simultaneous use check failed). - uint32_t session_timeout; //!< Maximum time between the last response and next request. - uint32_t max_session; //!< Maximum ongoing session allowed. + uint32_t session_timeout; //!< Maximum time between the last response and next request. + uint32_t max_session; //!< Maximum ongoing session allowed. - uint8_t state_server_id; //!< Sets a specific byte in the state to allow the - //!< authenticating server to be identified in packet - //!< captures. + uint8_t state_server_id; //!< Sets a specific byte in the state to allow the + //!< authenticating server to be identified in packet + //!_x->code]; \ - cs = *(CONF_SECTION **) (((uint8_t *) &inst->packets) + state->offset); \ + cs = *(CONF_SECTION **) (((uint8_t *) &inst->sections) + state->section_offset); \ } while (0) #define UPDATE_STATE(_x) state = &radius_state[request->_x->code] @@ -329,7 +320,6 @@ static void CC_HINT(format (printf, 4, 5)) auth_message(radius_auth_t const *ins #define SEND(_x) static unlang_action_t send_ ## _x(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request, UNUSED void *rctx) #define RESUME(_x) static unlang_action_t resume_ ## _x(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request, UNUSED void *rctx) -#define RADIUS_PACKET_CODE_VALID(_code) (((_code) > 0) && ((_code) < FR_RADIUS_MAX_PACKET_CODE)) #if 0 RECV(access_request) { @@ -341,14 +331,14 @@ RESUME(auth_type); RESUME(access_request) { - rlm_rcode_t rcode = request->rcode; - fr_pair_t *vp; - CONF_SECTION *cs; - fr_dict_enum_t const *dv; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + fr_pair_t *vp; + CONF_SECTION *cs; + fr_dict_enum_t const *dv; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; fr_assert(rcode < RLM_MODULE_NUMCODES); @@ -358,7 +348,7 @@ RESUME(access_request) request->reply->code = state->packet_type[rcode]; UPDATE_STATE_CS(reply); - if (request->reply->code == FR_CODE_DO_NOT_RESPOND) { + if (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) { RDEBUG("The 'recv Access-Request' section returned %s - not sending a response", fr_table_str_by_value(rcode_table, rcode, "???")); @@ -396,29 +386,29 @@ RESUME(access_request) RESUME(auth_type) { - static const uint32_t auth_type_rcode[RLM_MODULE_NUMCODES] = { - [RLM_MODULE_OK] = FR_CODE_ACCESS_ACCEPT, - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_NOOP] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_NOTFOUND] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_UPDATED] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT, + static const fr_radius_packet_code_t auth_type_rcode[RLM_MODULE_NUMCODES] = { + [RLM_MODULE_OK] = FR_RADIUS_CODE_ACCESS_ACCEPT, + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT, }; - rlm_rcode_t rcode = request->rcode; - fr_pair_t *vp; - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + fr_pair_t *vp; + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; fr_assert(rcode < RLM_MODULE_NUMCODES); - fr_assert(RADIUS_PACKET_CODE_VALID(request->reply->code)); + fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code)); - if (auth_type_rcode[rcode] == FR_CODE_DO_NOT_RESPOND) { + if (auth_type_rcode[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND) { request->reply->code = auth_type_rcode[rcode]; UPDATE_STATE_CS(reply); @@ -437,13 +427,13 @@ RESUME(auth_type) request->reply->code = auth_type_rcode[rcode]; if (!request->reply->code) { RDEBUG("No reply code was set. Forcing to Access-Reject"); - request->reply->code = FR_CODE_ACCESS_REJECT; + request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT; } else switch (request->reply->code) { /* * Print complaints before running "send Access-Reject" */ - case FR_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_REJECT: RDEBUG2("Failed to authenticate the user"); /* @@ -472,12 +462,12 @@ RESUME(auth_type) break; /* - * Access-Challenge packets require a State. If there is + * Access-Challenge sections require a State. If there is * none, create one here. This is so that the State * attribute is accessible in the "send Access-Challenge" * section. */ - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: if ((vp = fr_pair_find_by_da(&request->reply_pairs, attr_state)) != NULL) { uint8_t buffer[16]; @@ -502,10 +492,10 @@ RESUME(auth_type) RESUME(access_accept) { - fr_pair_t *vp; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + fr_pair_t *vp; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; vp = fr_pair_find_by_da(&request->request_pairs, attr_module_success_message); if (vp){ @@ -520,10 +510,10 @@ RESUME(access_accept) RESUME(access_reject) { - fr_pair_t *vp; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + fr_pair_t *vp; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; vp = fr_pair_find_by_da(&request->request_pairs, attr_module_failure_message); if (vp) { @@ -538,11 +528,11 @@ RESUME(access_reject) RESUME(access_challenge) { - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; /* * Cache the state context. @@ -550,39 +540,39 @@ RESUME(access_challenge) * If this fails, don't respond to the request. */ if (fr_request_to_state(inst->auth.state_tree, request) < 0) { - request->reply->code = FR_CODE_DO_NOT_RESPOND; + request->reply->code = FR_RADIUS_CODE_DO_NOT_RESPOND; UPDATE_STATE_CS(reply); return unlang_module_yield_to_section(p_result, request, cs, state->rcode, state->send, NULL, NULL); } - fr_assert(request->reply->code == FR_CODE_ACCESS_CHALLENGE); + fr_assert(request->reply->code == FR_RADIUS_CODE_ACCESS_CHALLENGE); RETURN_MODULE_OK; } RESUME(acct_type) { - static const uint32_t acct_type_rcode[RLM_MODULE_NUMCODES] = { - [RLM_MODULE_FAIL] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_INVALID] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_NOTFOUND] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_REJECT] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_DISALLOW] = FR_CODE_DO_NOT_RESPOND, + static const fr_radius_packet_code_t acct_type_rcode[RLM_MODULE_NUMCODES] = { + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DO_NOT_RESPOND, }; - rlm_rcode_t rcode = request->rcode; - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; fr_assert(rcode < RLM_MODULE_NUMCODES); - fr_assert(RADIUS_PACKET_CODE_VALID(request->reply->code)); + fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code)); if (acct_type_rcode[rcode]) { - fr_assert(acct_type_rcode[rcode] == FR_CODE_DO_NOT_RESPOND); + fr_assert(acct_type_rcode[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND); request->reply->code = acct_type_rcode[rcode]; UPDATE_STATE_CS(reply); @@ -596,7 +586,7 @@ RESUME(acct_type) NULL, NULL); } - request->reply->code = FR_CODE_ACCOUNTING_RESPONSE; + request->reply->code = FR_RADIUS_CODE_ACCOUNTING_RESPONSE; UPDATE_STATE_CS(reply); fr_assert(state->send != NULL); @@ -607,14 +597,14 @@ RESUME(acct_type) RESUME(accounting_request) { - rlm_rcode_t rcode = request->rcode; - fr_pair_t *vp; - CONF_SECTION *cs; - fr_dict_enum_t const *dv; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + fr_pair_t *vp; + CONF_SECTION *cs; + fr_dict_enum_t const *dv; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; fr_assert(rcode < RLM_MODULE_NUMCODES); @@ -624,7 +614,7 @@ RESUME(accounting_request) request->reply->code = state->packet_type[rcode]; UPDATE_STATE_CS(reply); - if (request->reply->code == FR_CODE_DO_NOT_RESPOND) { + if (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) { RDEBUG("The 'recv Accounting-Request' section returned %s - not sending a response", fr_table_str_by_value(rcode_table, rcode, "???")); @@ -675,11 +665,11 @@ RESUME(status_server) RECV(generic) { - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; if (request->parent && RDEBUG_ENABLED) { RDEBUG("Received %s ID %i", fr_packet_codes[request->packet->code], request->packet->id); @@ -704,12 +694,12 @@ RECV(generic) RESUME(recv_generic) { - rlm_rcode_t rcode = request->rcode; - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; fr_assert(rcode < RLM_MODULE_NUMCODES); @@ -727,14 +717,14 @@ RESUME(recv_generic) SEND(generic) { - fr_pair_t *vp; - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + fr_pair_t *vp; + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; - fr_assert(RADIUS_PACKET_CODE_VALID(request->reply->code)); + fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code)); UPDATE_STATE_CS(reply); @@ -755,7 +745,7 @@ SEND(generic) &request->reply_pairs, attr_packet_type) >= 0); vp->vp_uint32 = request->reply->code; - } else if (RADIUS_PACKET_CODE_VALID(vp->vp_uint32)) { + } else if ((vp->vp_uint32 != FR_RADIUS_CODE_MAX) && FR_RADIUS_PACKET_CODE_VALID(vp->vp_uint32)) { request->reply->code = vp->vp_uint32; UPDATE_STATE_CS(reply); @@ -771,14 +761,14 @@ SEND(generic) RESUME(send_generic) { - rlm_rcode_t rcode = request->rcode; - CONF_SECTION *cs; - radius_state_t const *state; - process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); + rlm_rcode_t rcode = request->rcode; + CONF_SECTION *cs; + process_radius_state_t const *state; + process_radius_t *inst = talloc_get_type_abort_const(mctx->instance, process_radius_t); - TRACE; + PROCESS_TRACE; - fr_assert(RADIUS_PACKET_CODE_VALID(request->reply->code)); + fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->reply->code)); /* * If they delete &reply.Packet-Type, tough for them. @@ -797,7 +787,7 @@ RESUME(send_generic) * And anything can say "don't respond". */ if ((state->packet_type[rcode] != request->reply->code) && - ((state->packet_type[rcode] == state->reject) || (state->packet_type[rcode] == FR_CODE_DO_NOT_RESPOND))) { + ((state->packet_type[rcode] == state->reject) || (state->packet_type[rcode] == FR_RADIUS_CODE_DO_NOT_RESPOND))) { char const *old = cf_section_name2(cs); request->reply->code = state->packet_type[rcode]; @@ -813,11 +803,11 @@ RESUME(send_generic) fr_assert(!state->packet_type[rcode] || (state->packet_type[rcode] == request->reply->code)); break; - case FR_CODE_DO_NOT_RESPOND: + case FR_RADIUS_CODE_DO_NOT_RESPOND: RDEBUG("The 'send %s' section returned %s - not sending a response", fr_table_str_by_value(rcode_table, rcode, "???"), cf_section_name2(cs)); - request->reply->code = FR_CODE_DO_NOT_RESPOND; + request->reply->code = FR_RADIUS_CODE_DO_NOT_RESPOND; break; } @@ -826,7 +816,7 @@ RESUME(send_generic) /* * Check for "do not respond". */ - if (request->reply->code == FR_CODE_DO_NOT_RESPOND) { + if (request->reply->code == FR_RADIUS_CODE_DO_NOT_RESPOND) { RDEBUG("Not sending reply to client."); RETURN_MODULE_OK; } @@ -841,11 +831,11 @@ RESUME(send_generic) static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) { - radius_state_t const *state; + process_radius_state_t const *state; - TRACE; + PROCESS_TRACE; - fr_assert(RADIUS_PACKET_CODE_VALID(request->packet->code)); + fr_assert(FR_RADIUS_PACKET_CODE_VALID(request->packet->code)); UPDATE_STATE(packet); @@ -879,201 +869,201 @@ static int mod_bootstrap(UNUSED void *instance, CONF_SECTION *cs) return 0; } -static const radius_state_t radius_state[FR_RADIUS_MAX_PACKET_CODE] = { - [ FR_CODE_ACCESS_REQUEST ] = { +static process_radius_state_t const radius_state[FR_RADIUS_CODE_MAX] = { + [ FR_RADIUS_CODE_ACCESS_REQUEST ] = { .packet_type = { - [RLM_MODULE_NOOP] = FR_CODE_ACCESS_ACCEPT, - [RLM_MODULE_OK] = FR_CODE_ACCESS_ACCEPT, - [RLM_MODULE_UPDATED] = FR_CODE_ACCESS_ACCEPT, - [RLM_MODULE_HANDLED] = FR_CODE_ACCESS_ACCEPT, - - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_ACCESS_ACCEPT, + [RLM_MODULE_OK] = FR_RADIUS_CODE_ACCESS_ACCEPT, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_ACCESS_ACCEPT, + [RLM_MODULE_HANDLED] = FR_RADIUS_CODE_ACCESS_ACCEPT, + + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT }, .rcode = RLM_MODULE_REJECT, .recv = recv_generic, .resume = resume_access_request, - .offset = offsetof(radius_unlang_packets_t, access_request), + .section_offset = offsetof(process_radius_sections_t, access_request), }, - [ FR_CODE_ACCESS_ACCEPT ] = { + [ FR_RADIUS_CODE_ACCESS_ACCEPT ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT }, .rcode = RLM_MODULE_NOOP, - .reject = FR_CODE_ACCESS_REJECT, + .reject = FR_RADIUS_CODE_ACCESS_REJECT, .send = send_generic, .resume = resume_access_accept, - .offset = offsetof(radius_unlang_packets_t, access_accept), + .section_offset = offsetof(process_radius_sections_t, access_accept), }, - [ FR_CODE_ACCESS_REJECT ] = { + [ FR_RADIUS_CODE_ACCESS_REJECT ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT }, .rcode = RLM_MODULE_NOOP, .send = send_generic, .resume = resume_access_reject, - .offset = offsetof(radius_unlang_packets_t, access_reject), + .section_offset = offsetof(process_radius_sections_t, access_reject), }, - [ FR_CODE_ACCESS_CHALLENGE ] = { + [ FR_RADIUS_CODE_ACCESS_CHALLENGE ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT }, .rcode = RLM_MODULE_NOOP, - .reject = FR_CODE_ACCESS_REJECT, + .reject = FR_RADIUS_CODE_ACCESS_REJECT, .send = send_generic, .resume = resume_access_challenge, - .offset = offsetof(radius_unlang_packets_t, access_challenge), + .section_offset = offsetof(process_radius_sections_t, access_challenge), }, - [ FR_CODE_ACCOUNTING_REQUEST ] = { + [ FR_RADIUS_CODE_ACCOUNTING_REQUEST ] = { .packet_type = { - [RLM_MODULE_NOOP] = FR_CODE_ACCOUNTING_RESPONSE, - [RLM_MODULE_OK] = FR_CODE_ACCOUNTING_RESPONSE, - [RLM_MODULE_UPDATED] = FR_CODE_ACCOUNTING_RESPONSE, - [RLM_MODULE_HANDLED] = FR_CODE_ACCOUNTING_RESPONSE, - - [RLM_MODULE_FAIL] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_INVALID] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_NOTFOUND] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_REJECT] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_DISALLOW] = FR_CODE_DO_NOT_RESPOND + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_ACCOUNTING_RESPONSE, + [RLM_MODULE_OK] = FR_RADIUS_CODE_ACCOUNTING_RESPONSE, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_ACCOUNTING_RESPONSE, + [RLM_MODULE_HANDLED] = FR_RADIUS_CODE_ACCOUNTING_RESPONSE, + + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DO_NOT_RESPOND }, .rcode = RLM_MODULE_NOOP, .recv = recv_generic, .resume = resume_accounting_request, - .offset = offsetof(radius_unlang_packets_t, accounting_request), + .section_offset = offsetof(process_radius_sections_t, accounting_request), }, - [ FR_CODE_ACCOUNTING_RESPONSE ] = { + [ FR_RADIUS_CODE_ACCOUNTING_RESPONSE ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_INVALID] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_NOTFOUND] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_REJECT] = FR_CODE_DO_NOT_RESPOND, - [RLM_MODULE_DISALLOW] = FR_CODE_DO_NOT_RESPOND, + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DO_NOT_RESPOND, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DO_NOT_RESPOND, }, .rcode = RLM_MODULE_NOOP, .send = send_generic, .resume = resume_send_generic, - .offset = offsetof(radius_unlang_packets_t, accounting_response), + .section_offset = offsetof(process_radius_sections_t, accounting_response), }, - [ FR_CODE_STATUS_SERVER ] = { + [ FR_RADIUS_CODE_STATUS_SERVER ] = { .packet_type = { - [RLM_MODULE_OK] = FR_CODE_ACCESS_ACCEPT, - [RLM_MODULE_UPDATED] = FR_CODE_ACCESS_ACCEPT, - - [RLM_MODULE_FAIL] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_INVALID] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_NOTFOUND] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_REJECT] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_NOOP] = FR_CODE_ACCESS_REJECT, - [RLM_MODULE_DISALLOW] = FR_CODE_ACCESS_REJECT + [RLM_MODULE_OK] = FR_RADIUS_CODE_ACCESS_ACCEPT, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_ACCESS_ACCEPT, + + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_ACCESS_REJECT, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_ACCESS_REJECT }, .rcode = RLM_MODULE_NOOP, .recv = recv_generic, .resume = resume_recv_generic, - .offset = offsetof(radius_unlang_packets_t, status_server), + .section_offset = offsetof(process_radius_sections_t, status_server), }, - [ FR_CODE_COA_REQUEST ] = { + [ FR_RADIUS_CODE_COA_REQUEST ] = { .packet_type = { - [RLM_MODULE_NOOP] = FR_CODE_COA_ACK, - [RLM_MODULE_OK] = FR_CODE_COA_ACK, - [RLM_MODULE_UPDATED] = FR_CODE_COA_ACK, - [RLM_MODULE_NOTFOUND] = FR_CODE_COA_ACK, - - [RLM_MODULE_FAIL] = FR_CODE_COA_NAK, - [RLM_MODULE_INVALID] = FR_CODE_COA_NAK, - [RLM_MODULE_REJECT] = FR_CODE_COA_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_COA_NAK + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_COA_ACK, + [RLM_MODULE_OK] = FR_RADIUS_CODE_COA_ACK, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_COA_ACK, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_COA_ACK, + + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_COA_NAK }, .rcode = RLM_MODULE_NOOP, .recv = recv_generic, .resume = resume_recv_generic, - .offset = offsetof(radius_unlang_packets_t, coa_request), + .section_offset = offsetof(process_radius_sections_t, coa_request), }, - [ FR_CODE_COA_ACK ] = { + [ FR_RADIUS_CODE_COA_ACK ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_COA_NAK, - [RLM_MODULE_INVALID] = FR_CODE_COA_NAK, - [RLM_MODULE_REJECT] = FR_CODE_COA_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_COA_NAK + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_COA_NAK }, .rcode = RLM_MODULE_NOOP, - .reject = FR_CODE_COA_NAK, + .reject = FR_RADIUS_CODE_COA_NAK, .send = send_generic, .resume = resume_send_generic, - .offset = offsetof(radius_unlang_packets_t, coa_ack), + .section_offset = offsetof(process_radius_sections_t, coa_ack), }, - [ FR_CODE_COA_NAK ] = { + [ FR_RADIUS_CODE_COA_NAK ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_COA_NAK, - [RLM_MODULE_INVALID] = FR_CODE_COA_NAK, - [RLM_MODULE_REJECT] = FR_CODE_COA_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_COA_NAK + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_COA_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_COA_NAK }, .rcode = RLM_MODULE_NOOP, .send = send_generic, .resume = resume_send_generic, - .offset = offsetof(radius_unlang_packets_t, coa_nak), + .section_offset = offsetof(process_radius_sections_t, coa_nak), }, - [ FR_CODE_DISCONNECT_REQUEST ] = { + [ FR_RADIUS_CODE_DISCONNECT_REQUEST ] = { .packet_type = { - [RLM_MODULE_NOOP] = FR_CODE_DISCONNECT_ACK, - [RLM_MODULE_OK] = FR_CODE_DISCONNECT_ACK, - [RLM_MODULE_UPDATED] = FR_CODE_DISCONNECT_ACK, - [RLM_MODULE_NOTFOUND] = FR_CODE_DISCONNECT_ACK, - - [RLM_MODULE_FAIL] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_INVALID] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_REJECT] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_DISCONNECT_NAK + [RLM_MODULE_NOOP] = FR_RADIUS_CODE_DISCONNECT_ACK, + [RLM_MODULE_OK] = FR_RADIUS_CODE_DISCONNECT_ACK, + [RLM_MODULE_UPDATED] = FR_RADIUS_CODE_DISCONNECT_ACK, + [RLM_MODULE_NOTFOUND] = FR_RADIUS_CODE_DISCONNECT_ACK, + + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DISCONNECT_NAK }, .rcode = RLM_MODULE_NOOP, .recv = recv_generic, .resume = resume_recv_generic, - .offset = offsetof(radius_unlang_packets_t, disconnect_request), + .section_offset = offsetof(process_radius_sections_t, disconnect_request), }, - [ FR_CODE_DISCONNECT_ACK ] = { + [ FR_RADIUS_CODE_DISCONNECT_ACK ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_INVALID] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_REJECT] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_DISCONNECT_NAK + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DISCONNECT_NAK }, .rcode = RLM_MODULE_NOOP, - .reject = FR_CODE_DISCONNECT_NAK, + .reject = FR_RADIUS_CODE_DISCONNECT_NAK, .send = send_generic, .resume = resume_send_generic, - .offset = offsetof(radius_unlang_packets_t, disconnect_ack), + .section_offset = offsetof(process_radius_sections_t, disconnect_ack), }, - [ FR_CODE_DISCONNECT_NAK ] = { + [ FR_RADIUS_CODE_DISCONNECT_NAK ] = { .packet_type = { - [RLM_MODULE_FAIL] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_INVALID] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_REJECT] = FR_CODE_DISCONNECT_NAK, - [RLM_MODULE_DISALLOW] = FR_CODE_DISCONNECT_NAK + [RLM_MODULE_FAIL] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_INVALID] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_REJECT] = FR_RADIUS_CODE_DISCONNECT_NAK, + [RLM_MODULE_DISALLOW] = FR_RADIUS_CODE_DISCONNECT_NAK }, .rcode = RLM_MODULE_NOOP, .send = send_generic, .resume = resume_send_generic, - .offset = offsetof(radius_unlang_packets_t, disconnect_nak), + .section_offset = offsetof(process_radius_sections_t, disconnect_nak), }, }; #undef CONF -#define CONF(_x) .offset = offsetof(process_radius_t, packets._x) +#define CONF(_x) .offset = offsetof(process_radius_t, sections._x) -static const virtual_server_compile_t compile_list[] = { +static virtual_server_compile_t const compile_list[] = { { .name = "recv", .name2 = "Access-Request", diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c index d3d54c2c650..9765f1774f2 100644 --- a/src/protocols/radius/base.c +++ b/src/protocols/radius/base.c @@ -126,17 +126,17 @@ size_t const fr_radius_attr_sizes[FR_TYPE_MAX + 1][2] = { #define FR_DEBUG_STRERROR_PRINTF if (fr_debug_lvl) fr_strerror_printf_push fr_table_num_sorted_t const fr_request_types[] = { - { L("acct"), FR_CODE_ACCOUNTING_REQUEST }, - { L("auth"), FR_CODE_ACCESS_REQUEST }, - { L("auto"), FR_CODE_UNDEFINED }, - { L("challenge"), FR_CODE_ACCESS_CHALLENGE }, - { L("coa"), FR_CODE_COA_REQUEST }, - { L("disconnect"), FR_CODE_DISCONNECT_REQUEST }, - { L("status"), FR_CODE_STATUS_SERVER } + { L("acct"), FR_RADIUS_CODE_ACCOUNTING_REQUEST }, + { L("auth"), FR_RADIUS_CODE_ACCESS_REQUEST }, + { L("auto"), FR_RADIUS_CODE_UNDEFINED }, + { L("challenge"), FR_RADIUS_CODE_ACCESS_CHALLENGE }, + { L("coa"), FR_RADIUS_CODE_COA_REQUEST }, + { L("disconnect"), FR_RADIUS_CODE_DISCONNECT_REQUEST }, + { L("status"), FR_RADIUS_CODE_STATUS_SERVER } }; size_t fr_request_types_len = NUM_ELEMENTS(fr_request_types); -char const *fr_packet_codes[FR_RADIUS_MAX_PACKET_CODE] = { +char const *fr_packet_codes[FR_RADIUS_CODE_MAX] = { "", //!< 0 "Access-Request", "Access-Accept", @@ -192,12 +192,12 @@ char const *fr_packet_codes[FR_RADIUS_MAX_PACKET_CODE] = { "Protocol-Error", }; -bool const fr_request_packets[FR_RADIUS_MAX_PACKET_CODE + 1] = { - [FR_CODE_ACCESS_REQUEST] = true, - [FR_CODE_ACCOUNTING_REQUEST] = true, - [FR_CODE_STATUS_SERVER] = true, - [FR_CODE_COA_REQUEST] = true, - [FR_CODE_DISCONNECT_REQUEST] = true, +bool const fr_request_packets[FR_RADIUS_CODE_MAX + 1] = { + [FR_RADIUS_CODE_ACCESS_REQUEST] = true, + [FR_RADIUS_CODE_ACCOUNTING_REQUEST] = true, + [FR_RADIUS_CODE_STATUS_SERVER] = true, + [FR_RADIUS_CODE_COA_REQUEST] = true, + [FR_RADIUS_CODE_DISCONNECT_REQUEST] = true, }; @@ -389,31 +389,31 @@ int fr_radius_sign(uint8_t *packet, uint8_t const *original, } switch (packet[0]) { - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_DISCONNECT_NAK: - case FR_CODE_COA_ACK: - case FR_CODE_COA_NAK: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_COA_NAK: if (!original) goto need_original; - if (original[0] == FR_CODE_STATUS_SERVER) goto do_ack; + if (original[0] == FR_RADIUS_CODE_STATUS_SERVER) goto do_ack; FALL_THROUGH; - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: - case FR_CODE_COA_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH); break; - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_REJECT: - case FR_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: do_ack: if (!original) goto need_original; memcpy(packet + 4, original + 4, RADIUS_AUTH_VECTOR_LENGTH); break; - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: /* packet + 4 MUST be the Request Authenticator filled with random data */ break; @@ -435,21 +435,21 @@ int fr_radius_sign(uint8_t *packet, uint8_t const *original, * Initialize the request authenticator. */ switch (packet[0]) { - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: - case FR_CODE_COA_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: memset(packet + 4, 0, RADIUS_AUTH_VECTOR_LENGTH); break; - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_REJECT: - case FR_CODE_ACCESS_CHALLENGE: - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_DISCONNECT_NAK: - case FR_CODE_COA_ACK: - case FR_CODE_COA_NAK: - case FR_CODE_PROTOCOL_ERROR: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_COA_NAK: + case FR_RADIUS_CODE_PROTOCOL_ERROR: if (!original) { need_original: fr_strerror_const("Cannot sign response packet without a request packet"); @@ -463,8 +463,8 @@ int fr_radius_sign(uint8_t *packet, uint8_t const *original, * We don't need to sign anything else, so * return. */ - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: return 0; default: @@ -538,7 +538,7 @@ bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, * Code of 16 or greate is not understood. */ if ((packet[0] == 0) || - (packet[0] >= FR_RADIUS_MAX_PACKET_CODE)) { + (packet[0] >= FR_RADIUS_CODE_MAX)) { FR_DEBUG_STRERROR_PRINTF("unknown packet code %d", packet[0]); failure = DECODE_FAIL_UNKNOWN_PACKET_CODE; goto finish; @@ -548,7 +548,7 @@ bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, * Message-Authenticator is required in Status-Server * packets, otherwise they can be trivially forged. */ - if (packet[0] == FR_CODE_STATUS_SERVER) require_ma = true; + if (packet[0] == FR_RADIUS_CODE_STATUS_SERVER) require_ma = true; /* * Repeat the length checks. This time, instead of @@ -852,7 +852,7 @@ int fr_radius_verify(uint8_t *packet, uint8_t const *original, * These are random numbers, so there's no point in * comparing them. */ - if ((packet[0] == FR_CODE_ACCESS_REQUEST) || (packet[0] == FR_CODE_STATUS_SERVER)) { + if ((packet[0] == FR_RADIUS_CODE_ACCESS_REQUEST) || (packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) { return 0; } @@ -926,23 +926,23 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original, FR_DBUFF_IN_RETURN(&work_dbuff, (uint16_t) RADIUS_HEADER_LENGTH); switch (code) { - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: /* * Callers in these cases have preloaded the buffer with the authentication vector. */ FR_DBUFF_OUT_MEMCPY_RETURN(packet_ctx.vector, &work_dbuff, sizeof(packet_ctx.vector)); break; - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_REJECT: - case FR_CODE_ACCESS_CHALLENGE: - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_COA_ACK: - case FR_CODE_COA_NAK: - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_DISCONNECT_NAK: - case FR_CODE_PROTOCOL_ERROR: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_COA_NAK: + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: + case FR_RADIUS_CODE_PROTOCOL_ERROR: if (!original) { fr_strerror_const("Cannot encode response without request"); return -1; @@ -951,9 +951,9 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original, FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, packet_ctx.vector, RADIUS_AUTH_VECTOR_LENGTH); break; - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_COA_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: memset(packet_ctx.vector, 0, sizeof(packet_ctx.vector)); FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, RADIUS_AUTH_VECTOR_LENGTH); break; @@ -968,7 +968,7 @@ ssize_t fr_radius_encode_dbuff(fr_dbuff_t *dbuff, uint8_t const *original, * Original-Packet-Code manually. If the user adds it * later themselves, well, too bad. */ - if (code == FR_CODE_PROTOCOL_ERROR) { + if (code == FR_RADIUS_CODE_PROTOCOL_ERROR) { FR_DBUFF_IN_BYTES_RETURN(&work_dbuff, FR_EXTENDED_ATTRIBUTE_1, 0x07, 0x04 /* Original-Packet-Code */, 0x00, 0x00, 0x00, original[0]); } diff --git a/src/protocols/radius/defs.h b/src/protocols/radius/defs.h index fd91cf63ead..746f00fd1dd 100644 --- a/src/protocols/radius/defs.h +++ b/src/protocols/radius/defs.h @@ -29,36 +29,32 @@ RCSIDH(radius_h, "$Id$") * */ typedef enum { - FR_CODE_UNDEFINED = 0, //!< Packet code has not been set - FR_CODE_ACCESS_REQUEST = 1, //!< RFC2865 - Access-Request - FR_CODE_ACCESS_ACCEPT = 2, //!< RFC2865 - Access-Accept - FR_CODE_ACCESS_REJECT = 3, //!< RFC2865 - Access-Reject - FR_CODE_ACCOUNTING_REQUEST = 4, //!< RFC2866 - Accounting-Request - FR_CODE_ACCOUNTING_RESPONSE = 5, //!< RFC2866 - Accounting-Response - FR_CODE_ACCOUNTING_STATUS = 6, //!< RFC3575 - Reserved - FR_CODE_PASSWORD_REQUEST = 7, //!< RFC3575 - Reserved - FR_CODE_PASSWORD_ACK = 8, //!< RFC3575 - Reserved - FR_CODE_PASSWORD_REJECT = 9, //!< RFC3575 - Reserved - FR_CODE_ACCOUNTING_MESSAGE = 10, //!< RFC3575 - Reserved - FR_CODE_ACCESS_CHALLENGE = 11, //!< RFC2865 - Access-Challenge - FR_CODE_STATUS_SERVER = 12, //!< RFC2865/RFC5997 - Status Server (request) - FR_CODE_STATUS_CLIENT = 13, //!< RFC2865/RFC5997 - Status Server (response) - FR_CODE_DISCONNECT_REQUEST = 40, //!< RFC3575/RFC5176 - Disconnect-Request - FR_CODE_DISCONNECT_ACK = 41, //!< RFC3575/RFC5176 - Disconnect-Ack (positive) - FR_CODE_DISCONNECT_NAK = 42, //!< RFC3575/RFC5176 - Disconnect-Nak (not willing to perform) - FR_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request - FR_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive) - FR_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) - FR_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol-Error (generic NAK) - FR_CODE_RADIUS_MAX = 255, //!< Maximum possible code -} FR_CODE; - -/* - * Maximum code that we accept - */ -#define FR_RADIUS_MAX_PACKET_CODE (53) - -#define FR_CODE_DO_NOT_RESPOND (256) + FR_RADIUS_CODE_UNDEFINED = 0, //!< Packet code has not been set + FR_RADIUS_CODE_ACCESS_REQUEST = 1, //!< RFC2865 - Access-Request + FR_RADIUS_CODE_ACCESS_ACCEPT = 2, //!< RFC2865 - Access-Accept + FR_RADIUS_CODE_ACCESS_REJECT = 3, //!< RFC2865 - Access-Reject + FR_RADIUS_CODE_ACCOUNTING_REQUEST = 4, //!< RFC2866 - Accounting-Request + FR_RADIUS_CODE_ACCOUNTING_RESPONSE = 5, //!< RFC2866 - Accounting-Response + FR_RADIUS_CODE_ACCOUNTING_STATUS = 6, //!< RFC3575 - Reserved + FR_RADIUS_CODE_PASSWORD_REQUEST = 7, //!< RFC3575 - Reserved + FR_RADIUS_CODE_PASSWORD_ACK = 8, //!< RFC3575 - Reserved + FR_RADIUS_CODE_PASSWORD_REJECT = 9, //!< RFC3575 - Reserved + FR_RADIUS_CODE_ACCOUNTING_MESSAGE = 10, //!< RFC3575 - Reserved + FR_RADIUS_CODE_ACCESS_CHALLENGE = 11, //!< RFC2865 - Access-Challenge + FR_RADIUS_CODE_STATUS_SERVER = 12, //!< RFC2865/RFC5997 - Status Server (request) + FR_RADIUS_CODE_STATUS_CLIENT = 13, //!< RFC2865/RFC5997 - Status Server (response) + FR_RADIUS_CODE_DISCONNECT_REQUEST = 40, //!< RFC3575/RFC5176 - Disconnect-Request + FR_RADIUS_CODE_DISCONNECT_ACK = 41, //!< RFC3575/RFC5176 - Disconnect-Ack (positive) + FR_RADIUS_CODE_DISCONNECT_NAK = 42, //!< RFC3575/RFC5176 - Disconnect-Nak (not willing to perform) + FR_RADIUS_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request + FR_RADIUS_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive) + FR_RADIUS_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) + FR_RADIUS_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol-Error (generic NAK) + FR_RADIUS_CODE_MAX = 53, //!< Maximum possible protocol code + FR_RADIUS_CODE_DO_NOT_RESPOND = 256 //!< Special rcode to indicate we will not respond. +} fr_radius_packet_code_t; + +#define FR_RADIUS_PACKET_CODE_VALID(_code) (((_code) > 0) && ((_code) < FR_RADIUS_CODE_MAX)) #define FR_AUTH_UDP_PORT 1812 #define FR_AUTH_UDP_PORT_ALT 1645 diff --git a/src/protocols/radius/encode.c b/src/protocols/radius/encode.c index 3c586ed9e90..22a37187554 100644 --- a/src/protocols/radius/encode.c +++ b/src/protocols/radius/encode.c @@ -1513,14 +1513,14 @@ static int encode_test_ctx(void **out, TALLOC_CTX *ctx) static ssize_t fr_radius_encode_proto(UNUSED TALLOC_CTX *ctx, fr_pair_list_t *vps, uint8_t *data, size_t data_len, void *proto_ctx) { fr_radius_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_radius_ctx_t); - int packet_type = FR_CODE_ACCESS_REQUEST; + int packet_type = FR_RADIUS_CODE_ACCESS_REQUEST; fr_pair_t *vp; ssize_t slen; vp = fr_pair_find_by_da(vps, attr_packet_type); if (vp) packet_type = vp->vp_uint32; - if ((packet_type == FR_CODE_ACCESS_REQUEST) || (packet_type == FR_CODE_STATUS_SERVER)) { + if ((packet_type == FR_RADIUS_CODE_ACCESS_REQUEST) || (packet_type == FR_RADIUS_CODE_STATUS_SERVER)) { vp = fr_pair_find_by_da(vps, attr_packet_authentication_vector); if (vp && (vp->vp_length == RADIUS_AUTH_VECTOR_LENGTH)) { memcpy(data + 4, vp->vp_octets, RADIUS_AUTH_VECTOR_LENGTH); diff --git a/src/protocols/radius/packet.c b/src/protocols/radius/packet.c index d440888a4e6..0fab3e16970 100644 --- a/src/protocols/radius/packet.c +++ b/src/protocols/radius/packet.c @@ -136,19 +136,19 @@ int fr_radius_packet_decode(fr_radius_packet_t *packet, fr_pair_list_t *list, #endif switch (packet->code) { - case FR_CODE_ACCESS_REQUEST: - case FR_CODE_STATUS_SERVER: + case FR_RADIUS_CODE_ACCESS_REQUEST: + case FR_RADIUS_CODE_STATUS_SERVER: memcpy(packet_ctx.vector, packet->vector, sizeof(packet_ctx.vector)); break; - case FR_CODE_ACCESS_ACCEPT: - case FR_CODE_ACCESS_REJECT: - case FR_CODE_ACCESS_CHALLENGE: - case FR_CODE_ACCOUNTING_RESPONSE: - case FR_CODE_COA_ACK: - case FR_CODE_COA_NAK: - case FR_CODE_DISCONNECT_ACK: - case FR_CODE_DISCONNECT_NAK: + case FR_RADIUS_CODE_ACCESS_ACCEPT: + case FR_RADIUS_CODE_ACCESS_REJECT: + case FR_RADIUS_CODE_ACCESS_CHALLENGE: + case FR_RADIUS_CODE_ACCOUNTING_RESPONSE: + case FR_RADIUS_CODE_COA_ACK: + case FR_RADIUS_CODE_COA_NAK: + case FR_RADIUS_CODE_DISCONNECT_ACK: + case FR_RADIUS_CODE_DISCONNECT_NAK: /* * radsniff doesn't always have a response */ @@ -160,9 +160,9 @@ int fr_radius_packet_decode(fr_radius_packet_t *packet, fr_pair_list_t *list, } break; - case FR_CODE_ACCOUNTING_REQUEST: - case FR_CODE_COA_REQUEST: - case FR_CODE_DISCONNECT_REQUEST: + case FR_RADIUS_CODE_ACCOUNTING_REQUEST: + case FR_RADIUS_CODE_COA_REQUEST: + case FR_RADIUS_CODE_DISCONNECT_REQUEST: memset(packet->vector, 0, sizeof(packet->vector)); memset(packet_ctx.vector, 0, sizeof(packet_ctx.vector)); break; @@ -334,8 +334,8 @@ int fr_radius_packet_sign(fr_radius_packet_t *packet, fr_radius_packet_t const * * codes have the Request Authenticator be the packet * signature. */ - if ((packet->code == FR_CODE_ACCESS_REQUEST) || - (packet->code == FR_CODE_STATUS_SERVER)) { + if ((packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) || + (packet->code == FR_RADIUS_CODE_STATUS_SERVER)) { memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); } @@ -536,7 +536,7 @@ void _fr_radius_packet_log_hex(fr_log_t const *log, fr_radius_packet_t const *pa fr_log(log, L_DBG, file, line, " Dst Port : %u", packet->socket.inet.dst_port); } - if ((packet->data[0] > 0) && (packet->data[0] < FR_RADIUS_MAX_PACKET_CODE)) { + if ((packet->data[0] > 0) && (packet->data[0] < FR_RADIUS_CODE_MAX)) { fr_log(log, L_DBG, file, line, " Code : %s", fr_packet_codes[packet->data[0]]); } else { fr_log(log, L_DBG, file, line, " Code : %u", packet->data[0]); diff --git a/src/protocols/radius/radius.h b/src/protocols/radius/radius.h index cd25e078ab1..d0baf972cd3 100644 --- a/src/protocols/radius/radius.h +++ b/src/protocols/radius/radius.h @@ -48,8 +48,8 @@ * protocols/radius/base.c */ -extern char const *fr_packet_codes[FR_RADIUS_MAX_PACKET_CODE]; -#define is_radius_code(_x) ((_x > 0) && (_x < FR_RADIUS_MAX_PACKET_CODE)) +extern char const *fr_packet_codes[FR_RADIUS_CODE_MAX]; +#define is_radius_code(_x) ((_x > 0) && (_x < FR_RADIUS_CODE_MAX)) #define AUTH_PASS_LEN (RADIUS_AUTH_VECTOR_LENGTH) @@ -57,7 +57,7 @@ extern char const *fr_packet_codes[FR_RADIUS_MAX_PACKET_CODE]; extern size_t const fr_radius_attr_sizes[FR_TYPE_MAX + 1][2]; extern fr_table_num_sorted_t const fr_request_types[]; extern size_t fr_request_types_len; -extern bool const fr_request_packets[FR_RADIUS_MAX_PACKET_CODE + 1]; +extern bool const fr_request_packets[FR_RADIUS_CODE_MAX + 1]; typedef enum { DECODE_FAIL_NONE = 0, diff --git a/src/protocols/vmps/vmps.h b/src/protocols/vmps/vmps.h index 04562a0ed42..a246051ba2e 100644 --- a/src/protocols/vmps/vmps.h +++ b/src/protocols/vmps/vmps.h @@ -32,7 +32,7 @@ extern "C" { #endif #define FR_VQP_MAX_CODE (5) -#define FR_CODE_DO_NOT_RESPOND (0) +#define FR_RADIUS_CODE_DO_NOT_RESPOND (0) #define FR_VQP_HDR_LEN (8) #define FR_VQP_VERSION (1) diff --git a/src/tests/util/radius1_test.c b/src/tests/util/radius1_test.c index 2fb4ce529a4..b0906ae9e35 100644 --- a/src/tests/util/radius1_test.c +++ b/src/tests/util/radius1_test.c @@ -121,7 +121,7 @@ static ssize_t test_encode(UNUSED void const *instance, request_t *request, uint MPRINT1("\t\tENCODE >>> request %"PRIu64" - data %p %p room %zd\n", request->number, pc, buffer, buffer_len); - buffer[0] = FR_CODE_ACCESS_ACCEPT; + buffer[0] = FR_RADIUS_CODE_ACCESS_ACCEPT; buffer[1] = pc->id; buffer[2] = 0; buffer[3] = 20; @@ -369,7 +369,7 @@ static void master_process(TALLOC_CTX *ctx) * Verify the packet before doing anything more with it. */ packet = cd->m.data; - if (packet[0] != FR_CODE_ACCESS_REQUEST) { + if (packet[0] != FR_RADIUS_CODE_ACCESS_REQUEST) { MPRINT1("Master ignoring packet code %u\n", packet[0]); goto discard; } diff --git a/src/tests/util/radius_schedule_test.c b/src/tests/util/radius_schedule_test.c index 33dd3e16a83..ae601aa8be3 100644 --- a/src/tests/util/radius_schedule_test.c +++ b/src/tests/util/radius_schedule_test.c @@ -87,7 +87,7 @@ static ssize_t test_encode(void const *instance, request_t *request, uint8_t *bu MPRINT1("\t\tENCODE >>> request %"PRIu64"- data %p %p room %zd\n", request->number, pc, buffer, buffer_len); - buffer[0] = FR_CODE_ACCESS_ACCEPT; + buffer[0] = FR_RADIUS_CODE_ACCESS_ACCEPT; buffer[1] = tpc.id; buffer[2] = 0; buffer[3] = 20;