From 7ec93ff9e4d979e4bbcf33f9c90c94dc9d3cdba9 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sun, 13 Nov 2011 16:16:05 +1100 Subject: add new RADIUS client library --- lib/radius/LICENSE | 24 + lib/radius/Makefile | 68 ++ lib/radius/attrs.c | 1411 ++++++++++++++++++++++++++++++ lib/radius/client.h | 1408 ++++++++++++++++++++++++++++++ lib/radius/common.pl | 220 +++++ lib/radius/convert.pl | 182 ++++ lib/radius/crypto.c | 233 +++++ lib/radius/custom.c | 87 ++ lib/radius/dict.c | 172 ++++ lib/radius/dictionaries.c | 1515 +++++++++++++++++++++++++++++++++ lib/radius/doc.txt | 41 + lib/radius/doxygen.conf | 1417 ++++++++++++++++++++++++++++++ lib/radius/examples/Makefile | 54 ++ lib/radius/examples/example_1.c | 86 ++ lib/radius/examples/example_2.c | 86 ++ lib/radius/examples/example_3.c | 123 +++ lib/radius/examples/example_4.c | 94 ++ lib/radius/examples/nr_vp_create.c | 61 ++ lib/radius/header.pl | 68 ++ lib/radius/id.c | 178 ++++ lib/radius/packet.c | 918 ++++++++++++++++++++ lib/radius/parse.c | 142 +++ lib/radius/print.c | 265 ++++++ lib/radius/radius.h | 314 +++++++ lib/radius/share/dictionary.microsoft | 17 + lib/radius/share/dictionary.txt | 136 +++ lib/radius/share/dictionary.vendor | 10 + lib/radius/static.c | 37 + lib/radius/tests/Makefile | 25 + lib/radius/tests/radattr.c | 769 +++++++++++++++++ lib/radius/tests/rfc.txt | 144 ++++ lib/radius/valuepair.c | 199 +++++ 32 files changed, 10504 insertions(+) create mode 100644 lib/radius/LICENSE create mode 100644 lib/radius/Makefile create mode 100644 lib/radius/attrs.c create mode 100644 lib/radius/client.h create mode 100644 lib/radius/common.pl create mode 100755 lib/radius/convert.pl create mode 100644 lib/radius/crypto.c create mode 100644 lib/radius/custom.c create mode 100644 lib/radius/dict.c create mode 100644 lib/radius/dictionaries.c create mode 100644 lib/radius/doc.txt create mode 100644 lib/radius/doxygen.conf create mode 100644 lib/radius/examples/Makefile create mode 100644 lib/radius/examples/example_1.c create mode 100644 lib/radius/examples/example_2.c create mode 100644 lib/radius/examples/example_3.c create mode 100644 lib/radius/examples/example_4.c create mode 100644 lib/radius/examples/nr_vp_create.c create mode 100755 lib/radius/header.pl create mode 100644 lib/radius/id.c create mode 100644 lib/radius/packet.c create mode 100644 lib/radius/parse.c create mode 100644 lib/radius/print.c create mode 100644 lib/radius/radius.h create mode 100644 lib/radius/share/dictionary.microsoft create mode 100644 lib/radius/share/dictionary.txt create mode 100644 lib/radius/share/dictionary.vendor create mode 100644 lib/radius/static.c create mode 100644 lib/radius/tests/Makefile create mode 100644 lib/radius/tests/radattr.c create mode 100644 lib/radius/tests/rfc.txt create mode 100644 lib/radius/valuepair.c (limited to 'lib/radius') diff --git a/lib/radius/LICENSE b/lib/radius/LICENSE new file mode 100644 index 0000000..01dbe92 --- /dev/null +++ b/lib/radius/LICENSE @@ -0,0 +1,24 @@ +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/lib/radius/Makefile b/lib/radius/Makefile new file mode 100644 index 0000000..63eff89 --- /dev/null +++ b/lib/radius/Makefile @@ -0,0 +1,68 @@ +# +# GNU Makefile +# +.PHONY: all clean install +all: libnetworkradius-client.a + +SRCS := dict.c attrs.c packet.c valuepair.c static.c id.c \ + crypto.c custom.c print.c parse.c + +OBJS := ${SRCS:.c=.o} + +HEADERS := client.h radius.h + +CFLAGS := -I. -g -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef + +VERSION := 1.0 +NAME := networkradius-client-$(VERSION) + + +# +# The DICTIONARIES variable can be used to point to the FreeRADIUS +# dictionaries. +# +ifeq "${DICTIONARIES}" "" +DICTIONARIES := $(filter-out %~,$(wildcard share/dictionary*)) +endif + +${OBJS}: ${HEADERS} + +radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl + ./convert.pl ${DICTIONARIES} + +static.o: static.c dictionaries.c + +%.o : %.c + $(CC) $(CFLAGS) -c $< + +%.o: ${HEADERS} + +.PHONY: networkradius-devel +networkradius-devel: + @[ -e $@ ] || ln -s . $@ + +libnetworkradius-client.a: ${OBJS} + ${AR} ${ARFLAGS} $@ $^ + +LIBS := -lcrypto -lssl +LDFLAGS = -L. -lnetworkradius-client + +.PHONY: html +html: + doxygen doxygen.conf + +clean: + @rm -rf *.o *.a *~ html + +install: libnetworkradius-client.a + +.PHONY: publish +publish: + @scp -r html/* networkradius.com@liberty:www.new/site/clientapi/ + +$(NAME).tar.gz: $(wildcard Makefile *.pl *.txt *.[ch] \ + examples/*.[ch] doc/*.txt share/dictionary*) + git archive --format=tar --prefix=$(NAME)/ bsd | gzip > $@ + +.PHONY: tar +tar: $(NAME).tar.gz diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c new file mode 100644 index 0000000..4fd2bf4 --- /dev/null +++ b/lib/radius/attrs.c @@ -0,0 +1,1411 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file attrs.c + * \brief Attribute encoding and decoding routines. + */ + +#include + +/* + * Encodes the data portion of an attribute. + * Returns -1 on error, or the length of the data portion. + */ +static ssize_t vp2data_any(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + int nest, + const VALUE_PAIR **pvp, + uint8_t *start, size_t room) +{ + uint32_t lvalue; + ssize_t len; + const uint8_t *data; + uint8_t *ptr = start; + uint8_t array[4]; + const VALUE_PAIR *vp = *pvp; + +#ifdef NR_TYPE_TLV + /* + * See if we need to encode a TLV. The low portion of + * the attribute has already been placed into the packer. + * If there are still attribute bytes left, then go + * encode them as TLVs. + * + * If we cared about the stack, we could unroll the loop. + */ + if ((nest > 0) && (nest <= nr_attr_max_tlv) && + ((vp->da->attr >> nr_attr_shift[nest]) != 0)) { + return vp2data_tlvs(packet, original, nest, pvp, + start, room); + } +#else + nest = nest; /* -Wunused */ +#endif + + /* + * Set up the default sources for the data. + */ + data = vp->vp_octets; + len = vp->length; + + switch(vp->da->type) { + case NR_TYPE_IPV6PREFIX: + len = sizeof(vp->vp_ipv6prefix); + break; + + case NR_TYPE_STRING: + case NR_TYPE_OCTETS: + case NR_TYPE_IFID: + case NR_TYPE_IPV6ADDR: +#ifdef NR_TYPE_ABINARY + case NR_TYPE_ABINARY: +#endif + /* nothing more to do */ + break; + + case NR_TYPE_BYTE: + len = 1; /* just in case */ + array[0] = vp->vp_integer & 0xff; + data = array; + break; + + case NR_TYPE_SHORT: + len = 2; /* just in case */ + array[0] = (vp->vp_integer >> 8) & 0xff; + array[1] = vp->vp_integer & 0xff; + data = array; + break; + + case NR_TYPE_INTEGER: + len = 4; /* just in case */ + lvalue = htonl(vp->vp_integer); + memcpy(array, &lvalue, sizeof(lvalue)); + data = array; + break; + + case NR_TYPE_IPADDR: + data = (const uint8_t *) &vp->vp_ipaddr; + len = 4; /* just in case */ + break; + + /* + * There are no tagged date attributes. + */ + case NR_TYPE_DATE: + lvalue = htonl(vp->vp_date); + data = (const uint8_t *) &lvalue; + len = 4; /* just in case */ + break; + +#ifdef VENDORPEC_WIMAX + case NR_TYPE_SIGNED: + { + int32_t slvalue; + + len = 4; /* just in case */ + slvalue = htonl(vp->vp_signed); + memcpy(array, &slvalue, sizeof(slvalue)); + break; + } +#endif + +#ifdef NR_TYPE_TLV + case NR_TYPE_TLV: + data = vp->vp_tlv; + if (!data) { + nr_debug_error("ERROR: Cannot encode NULL TLV"); + return -NR_ERR_INVALID_ARG; + } + len = vp->length; + break; +#endif + + default: /* unknown type: ignore it */ + nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type); + return -NR_ERR_ATTR_TYPE_UNKNOWN; + } + + /* + * Bound the data to the calling size + */ + if (len > (ssize_t) room) len = room; + +#ifndef FLAG_ENCRYPT_TUNNEL_PASSWORD + original = original; /* -Wunused */ +#endif + + /* + * Encrypt the various password styles + * + * Attributes with encrypted values MUST be less than + * 128 bytes long. + */ + switch (vp->da->flags.encrypt) { + case FLAG_ENCRYPT_USER_PASSWORD: + len = nr_password_encrypt(ptr, room, data, len, + packet->secret, packet->vector); + break; + +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + case FLAG_ENCRYPT_TUNNEL_PASSWORD: + lvalue = 0; + if (vp->da->flags.has_tag) lvalue = 1; + + /* + * Check if there's enough room. If there isn't, + * we discard the attribute. + * + * This is ONLY a problem if we have multiple VSA's + * in one Vendor-Specific, though. + */ + if (room < (18 + lvalue)) { + *pvp = vp->next; + return 0; + } + + switch (packet->code) { + case PW_ACCESS_ACCEPT: + case PW_ACCESS_REJECT: + case PW_ACCESS_CHALLENGE: + default: + if (!original) { + nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name); + return -NR_ERR_REQUEST_REQUIRED; + } + + if (lvalue) ptr[0] = vp->tag; + len = nr_tunnelpw_encrypt(ptr + lvalue, + room - lvalue, data, len, + packet->secret, + original->vector); + if (len < 0) return len; + break; + case PW_ACCOUNTING_REQUEST: + case PW_DISCONNECT_REQUEST: + case PW_COA_REQUEST: + ptr[0] = vp->tag; + len = nr_tunnelpw_encrypt(ptr + 1, room, data, len - 1, + packet->secret, + packet->vector); + if (len < 0) return len; + break; + } + break; +#endif + + /* + * The code above ensures that this attribute + * always fits. + */ +#ifdef FLAG_ENCRYPT_ASCEND_SECRET + case FLAG_ENCRYPT_ASCEND_SECRET: + make_secret(ptr, packet->vector, packet->secret, data); + len = AUTH_VECTOR_LEN; + break; +#endif + + default: + if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) { + if (vp->da->type == NR_TYPE_STRING) { + if (len > ((ssize_t) (room - 1))) len = room - 1; + ptr[0] = vp->tag; + ptr++; + } else if (vp->da->type == NR_TYPE_INTEGER) { + array[0] = vp->tag; + } /* else it can't be any other type */ + } + memcpy(ptr, data, len); + break; + } /* switch over encryption flags */ + + *(pvp) = vp->next; + return len + (ptr - start);; +} + + +/* + * Encode an RFC format TLV. This could be a standard attribute, + * or a TLV data type. If it's a standard attribute, then + * vp->da->attr == attribute. Otherwise, attribute may be + * something else. + */ +static ssize_t vp2attr_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + unsigned int attribute, uint8_t *ptr, size_t room) +{ + ssize_t len; + + if (room < 2) { + *pvp = (*pvp)->next; + return 0; + } + + ptr[0] = attribute & 0xff; + ptr[1] = 2; + + if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; + + len = vp2data_any(packet, original, 0, pvp, ptr + ptr[1], room); + if (len < 0) return len; + + ptr[1] += len; + + return ptr[1]; +} + + +#ifndef WITHOUT_VSAS +/* + * Encode a VSA which is a TLV. If it's in the RFC format, call + * vp2attr_rfc. Otherwise, encode it here. + */ +static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + unsigned int attribute, unsigned int vendor, + uint8_t *ptr, size_t room) +{ + ssize_t len; + const DICT_VENDOR *dv; + + /* + * Unknown vendor: RFC format. + * Known vendor and RFC format: go do that. + */ + dv = nr_dict_vendor_byvalue(vendor); + if (!dv || + ( +#ifdef NR_TYPE_TLV + !(*pvp)->flags.is_tlv && +#endif + (dv->type == 1) && (dv->length == 1))) { + return vp2attr_rfc(packet, original, pvp, + attribute, ptr, room); + } + +#ifdef NR_TYPE_TLV + if ((*pvp)->flags.is_tlv) { + return data2vp_tlvs(packet, original, 0, pvp, + ptr, room); + } +#endif + + switch (dv->type) { + default: + nr_debug_error("vp2attr_vsa: Internal sanity check failed," + " type %u", (unsigned) dv->type); + return -NR_ERR_INTERNAL_FAILURE; + + case 4: + ptr[0] = 0; /* attr must be 24-bit */ + ptr[1] = (attribute >> 16) & 0xff; + ptr[2] = (attribute >> 8) & 0xff; + ptr[3] = attribute & 0xff; + break; + + case 2: + ptr[0] = (attribute >> 8) & 0xff; + ptr[1] = attribute & 0xff; + break; + + case 1: + ptr[0] = attribute & 0xff; + break; + } + + switch (dv->length) { + default: + nr_debug_error("vp2attr_vsa: Internal sanity check failed," + " length %u", (unsigned) dv->length); + return -NR_ERR_INTERNAL_FAILURE; + + case 0: + break; + + case 2: + ptr[dv->type] = 0; + /* FALL-THROUGH */ + + case 1: + ptr[dv->type + dv->length - 1] = dv->type + dv->length; + break; + + } + + if (room > ((unsigned) 255 - (dv->type + dv->length))) { + room = 255 - (dv->type + dv->length); + } + + len = vp2data_any(packet, original, 0, pvp, + ptr + dv->type + dv->length, room); + if (len < 0) return len; + + if (dv->length) ptr[dv->type + dv->length - 1] += len; + + return dv->type + dv->length + len; +} + + +/* + * Encode a Vendor-Specific attribute. + */ +ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *ptr, + size_t room) +{ + ssize_t len; + uint32_t lvalue; + const VALUE_PAIR *vp = *pvp; + +#ifdef VENDORPEC_WIMAX + /* + * Double-check for WiMAX + */ + if (vp->da->vendor == VENDORPEC_WIMAX) { + return nr_vp2wimax(packet, original, pvp, + ptr, room); + } +#endif + + if (vp->da->vendor > NR_MAX_VENDOR) { + nr_debug_error("nr_vp2vsa: Invalid arguments"); + return -NR_ERR_INVALID_ARG; + } + + /* + * Not enough room for: + * attr, len, vendor-id + */ + if (room < 6) { + *pvp = vp->next; + return 0; + } + + /* + * Build the Vendor-Specific header + */ + ptr[0] = PW_VENDOR_SPECIFIC; + ptr[1] = 6; + lvalue = htonl(vp->da->vendor); + memcpy(ptr + 2, &lvalue, 4); + + if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; + + len = vp2attr_vsa(packet, original, pvp, + vp->da->attr, vp->da->vendor, + ptr + ptr[1], room); + if (len < 0) return len; + + ptr[1] += len; + + return ptr[1]; +} +#endif + + +/* + * Encode an RFC standard attribute 1..255 + */ +ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *ptr, size_t room) +{ + const VALUE_PAIR *vp = *pvp; + + if (vp->da->vendor != 0) { + nr_debug_error("nr_vp2rfc called with VSA"); + return -NR_ERR_INVALID_ARG; + } + + if ((vp->da->attr == 0) || (vp->da->attr > 255)) { + nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr); + return -NR_ERR_INVALID_ARG; + } + +#ifdef PW_CHARGEABLE_USER_IDENTITY + if ((vp->length == 0) && + (vp->da != NR_DA_CHARGEABLE_USER_IDENTITY)) { + *pvp = vp->next; + return 0; + } +#endif + + return vp2attr_rfc(packet, original, pvp, vp->da->attr, + ptr, room); +} + +#ifdef PW_CHAP_PASSWORD +/* + * Encode an RFC standard attribute 1..255 + */ +static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *ptr, size_t room) +{ + ssize_t rcode; + const VALUE_PAIR *vp = *pvp; + NR_MD5_CTX ctx; + uint8_t buffer[MAX_STRING_LEN*2 + 1], *p; + VALUE_PAIR chap = { + NR_DA_CHAP_PASSWORD, + 17, + 0, + NULL, + { + .octets = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }, + }, + }; + + if ((vp->da->vendor != 0) || (vp->da != NR_DA_CHAP_PASSWORD)) { + nr_debug_error("nr_chap2rfc called with non-CHAP"); + return -NR_ERR_INVALID_ARG; + } + + p = buffer; + *(p++) = nr_rand() & 0xff; /* id */ + + memcpy(p, vp->vp_strvalue, strlen(vp->vp_strvalue)); + p += strlen(vp->vp_strvalue); + + vp = nr_vps_find(packet->vps, PW_CHAP_CHALLENGE, 0); + if (vp) { + memcpy(p, vp->vp_octets, vp->length); + p += vp->length; + } else { + memcpy(p, packet->vector, sizeof(packet->vector)); + p += sizeof(packet->vector); + } + + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, buffer, p - buffer); + nr_MD5Final(&chap.vp_octets[1], &ctx); + + chap.vp_octets[0] = buffer[0]; + vp = &chap; + + rcode = vp2attr_rfc(packet, original, &vp, chap.da->attr, + ptr, room); + if (rcode < 0) return rcode; + + *pvp = (*pvp)->next; + return rcode; +} +#endif /* PW_CHAP_PASSWORD */ + +#ifdef PW_MESSAGE_AUTHENTICATOR +/** Fake Message-Authenticator. + * + * This structure is used to replace a Message-Authenticator in the + * input list of VALUE_PAIRs when encoding a packet. If the caller + * asks us to encode a Message-Authenticator, we ignore the one given + * to us by the caller (which may have the wrong length, etc.), and + * instead use this one, which has the correct length and data. + */ +static const VALUE_PAIR fake_ma = { + NR_DA_MESSAGE_AUTHENTICATOR, + 16, + 0, + NULL, + { + .octets = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }, + } +}; +#endif /* PW_MESSAGE_AUTHENTICATOR */ + +/* + * Parse a data structure into a RADIUS attribute. + */ +ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *start, + size_t room) +{ + const VALUE_PAIR *vp = *pvp; + + /* + * RFC format attributes take the fast path. + */ + if (vp->da->vendor != 0) { +#ifdef VENDORPEC_EXTENDED + if (vp->da->vendor > NR_MAX_VENDOR) { + return nr_vp2attr_extended(packet, original, + pvp, start, room); + + } +#endif + +#ifdef VENDORPEC_WIMAX + if (vp->da->vendor == VENDORPEC_WIMAX) { + return nr_vp2attr_wimax(packet, original, + pvp, start, room); + } +#endif + +#ifndef WITHOUT_VSAS + return nr_vp2vsa(packet, original, pvp, start, room); +#else + nr_debug_error("VSAs are not supported"); + return -NR_ERR_UNSUPPORTED; +#endif + } + + /* + * Ignore non-protocol attributes. + */ + if (vp->da->attr > 255) { + *pvp = vp->next; + return 0; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + /* + * The caller wants a Message-Authenticator, but doesn't + * know how to calculate it, or what the correct values + * are. So... create one for him. + */ + if (vp->da == NR_DA_MESSAGE_AUTHENTICATOR) { + ssize_t rcode; + + vp = &fake_ma; + rcode = nr_vp2rfc(packet, original, &vp, start, room); + if (rcode <= 0) return rcode; + *pvp = (*pvp)->next; + return rcode; + } +#endif + +#ifdef PW_CHAP_PASSWORD + /* + * The caller wants a CHAP-Password, but doesn't know how + * to calculate it, or what the correct values are. To + * help, we calculate it for him. + */ + if (vp->da == NR_DA_CHAP_PASSWORD) { + int encoded = 0; + + /* + * CHAP is ID + MD5(...). If it's length is NOT + * 17, then the caller has passed us a password, + * and wants us to encode it. If the length IS + * 17, then we need to double-check if the caller + * has already encoded it. + */ + if (vp->length == 17) { + int i; + + /* + * ASCII and UTF-8 disallow values 0..31. + * If they appear, then the CHAP-Password + * has already been encoded by the + * caller. The probability of a + * CHAP-Password being all 32..256 is + * (1-32/256)^17 =~ .10 + * + * This check isn't perfect, but it + * should be pretty rare for people to + * have 17-character passwords *and* have + * them all 32..256. + */ + for (i = 0; i < 17; i++) { + if (vp->vp_octets[i] < 32) { + encoded = 1; + break; + } + } + } + + if (!encoded) { + return nr_chap2rfc(packet, original, pvp, start, room); + } + } +#endif + + return nr_vp2rfc(packet, original, pvp, + start, room); +} + + +/* + * Ignore unknown attributes, but "decoding" them into nothing. + */ +static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet, + UNUSED const RADIUS_PACKET *original, + unsigned int attribute, + unsigned int vendor, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + VALUE_PAIR *vp; + + if (length > sizeof(vp->vp_octets)) return -NR_ERR_ATTR_OVERFLOW; + + vp = nr_vp_alloc_raw(attribute, vendor); + if (!vp) return -NR_ERR_NO_MEM; + + memcpy(vp->vp_octets, data, length); + vp->length = length; + + *pvp = vp; + return length; +} + +ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + + if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; + if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; + if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + + return data2vp_raw(packet, original, data[0], 0, + data + 2, data[1] - 2, pvp); +} + +/* + * Create any kind of VP from the attribute contents. + * + * Will return -1 on error, or "length". + */ +static ssize_t data2vp_any(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + int nest, + unsigned int attribute, unsigned int vendor, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + ssize_t rcode; +#endif + int data_offset = 0; + const DICT_ATTR *da; + VALUE_PAIR *vp = NULL; + + if (length == 0) { + /* + * Hacks for CUI. The WiMAX spec says that it + * can be zero length, even though this is + * forbidden by the RADIUS specs. So... we make + * a special case for it. + */ + if ((vendor == 0) && + (attribute == PW_CHARGEABLE_USER_IDENTITY)) { + data = (const uint8_t *) ""; + length = 1; + } else { + *pvp = NULL; + return 0; + } + } + + da = nr_dict_attr_byvalue(attribute, vendor); + + /* + * Unknown attribute. Create it as a "raw" attribute. + */ + if (!da) { + raw: + if (vp) nr_vp_free(&vp); + return data2vp_raw(packet, original, + attribute, vendor, data, length, pvp); + } + +#ifdef NR_TYPE_TLV + /* + * TLVs are handled first. They can't be tagged, and + * they can't be encrypted. + */ + if (da->da->type == NR_TYPE_TLV) { + return data2vp_tlvs(packet, original, + attribute, vendor, nest, + data, length, pvp); + } +#else + nest = nest; /* -Wunused */ +#endif + + /* + * The attribute is known, and well formed. We can now + * create it. The main failure from here on in is being + * out of memory. + */ + vp = nr_vp_alloc(da); + if (!vp) return -NR_ERR_NO_MEM; + + /* + * Handle tags. + */ + if (vp->da->flags.has_tag) { + if (TAG_VALID(data[0]) +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + || (vp->da->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) +#endif + ) { + /* + * Tunnel passwords REQUIRE a tag, even + * if don't have a valid tag. + */ + vp->tag = data[0]; + + if ((vp->da->type == NR_TYPE_STRING) || + (vp->da->type == NR_TYPE_OCTETS)) { + if (length == 0) goto raw; + data_offset = 1; + } + } + } + + /* + * Copy the data to be decrypted + */ + vp->length = length - data_offset; + memcpy(&vp->vp_octets[0], data + data_offset, vp->length); + + /* + * Decrypt the attribute. + */ + switch (vp->da->flags.encrypt) { + /* + * User-Password + */ + case FLAG_ENCRYPT_USER_PASSWORD: + if (original) { + rcode = nr_password_encrypt(vp->vp_octets, + sizeof(vp->vp_strvalue), + data + data_offset, vp->length, + packet->secret, + original->vector); + } else { + rcode = nr_password_encrypt(vp->vp_octets, + sizeof(vp->vp_strvalue), + data + data_offset, vp->length, + packet->secret, + packet->vector); + } + if (rcode < 0) goto raw; + vp->vp_strvalue[128] = '\0'; + vp->length = strlen(vp->vp_strvalue); + break; + + /* + * Tunnel-Password's may go ONLY + * in response packets. + */ +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + case FLAG_ENCRYPT_TUNNEL_PASSWORD: + if (!original) goto raw; + + rcode = nr_tunnelpw_decrypt(vp->vp_octets, + sizeof(vp->vp_octets), + data + data_offset, vp->length, + packet->secret, original->vector); + if (rcode < 0) goto raw; + vp->length = rcode; + break; +#endif + + +#ifdef FLAG_ENCRYPT_ASCEND_SECRET: + /* + * Ascend-Send-Secret + * Ascend-Receive-Secret + */ + case FLAG_ENCRYPT_ASCEND_SECRET: + if (!original) { + goto raw; + } else { + uint8_t my_digest[AUTH_VECTOR_LEN]; + make_secret(my_digest, + original->vector, + packet->secret, data); + memcpy(vp->vp_strvalue, my_digest, + AUTH_VECTOR_LEN ); + vp->vp_strvalue[AUTH_VECTOR_LEN] = '\0'; + vp->length = strlen(vp->vp_strvalue); + } + break; +#endif + + default: + break; + } /* switch over encryption flags */ + + /* + * Expected a certain length, but got something else. + */ + if ((vp->da->flags.length != 0) && + (vp->length != vp->da->flags.length)) { + goto raw; + } + + switch (vp->da->type) { + case NR_TYPE_STRING: + case NR_TYPE_OCTETS: +#ifdef NR_TYPE_ABINARY + case NR_TYPE_ABINARY: +#endif + /* nothing more to do */ + break; + + case NR_TYPE_BYTE: + vp->vp_integer = vp->vp_octets[0]; + break; + + + case NR_TYPE_SHORT: + vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1]; + break; + + case NR_TYPE_INTEGER: + memcpy(&vp->vp_integer, vp->vp_octets, 4); + vp->vp_integer = ntohl(vp->vp_integer); + + if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff; + break; + + case NR_TYPE_DATE: + memcpy(&vp->vp_date, vp->vp_octets, 4); + vp->vp_date = ntohl(vp->vp_date); + break; + + + case NR_TYPE_IPADDR: + memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); + break; + + /* + * IPv6 interface ID is 8 octets long. + */ + case NR_TYPE_IFID: + /* vp->vp_ifid == vp->vp_octets */ + break; + + /* + * IPv6 addresses are 16 octets long + */ + case NR_TYPE_IPV6ADDR: + /* vp->vp_ipv6addr == vp->vp_octets */ + break; + + /* + * IPv6 prefixes are 2 to 18 octets long. + * + * RFC 3162: The first octet is unused. + * The second is the length of the prefix + * the rest are the prefix data. + * + * The prefix length can have value 0 to 128. + */ + case NR_TYPE_IPV6PREFIX: + if (vp->length < 2 || vp->length > 18) goto raw; + if (vp->vp_octets[1] > 128) goto raw; + + /* + * FIXME: double-check that + * (vp->vp_octets[1] >> 3) matches vp->length + 2 + */ + if (vp->length < 18) { + memset(vp->vp_octets + vp->length, 0, + 18 - vp->length); + } + break; + +#ifdef VENDORPEC_WIMAX + case NR_TYPE_SIGNED: + if (vp->length != 4) goto raw; + + /* + * Overload vp_integer for ntohl, which takes + * uint32_t, not int32_t + */ + memcpy(&vp->vp_integer, vp->vp_octets, 4); + vp->vp_integer = ntohl(vp->vp_integer); + memcpy(&vp->vp_signed, &vp->vp_integer, 4); + break; +#endif + +#ifdef NR_TYPE_TLV + case NR_TYPE_TLV: + nr_vp_free(&vp); + nr_debug_error("data2vp_any: Internal sanity check failed"); + return -NR_ERR_ATTR_TYPE_UNKNOWN; +#endif + +#ifdef VENDORPEC_WIMAX + case NR_TYPE_COMBO_IP: + if (vp->length == 4) { + vp->da->type = NR_TYPE_IPADDR; + memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); + break; + + } else if (vp->length == 16) { + vp->da->type = NR_TYPE_IPV6ADDR; + /* vp->vp_ipv6addr == vp->vp_octets */ + break; + + } + /* FALL-THROUGH */ +#endif + + default: + goto raw; + } + + *pvp = vp; + + return length; +} + + +/* + * Create a "standard" RFC VALUE_PAIR from the given data. + */ +ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + ssize_t rcode; + + if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; + if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; + if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + + rcode = data2vp_any(packet, original, 0, + data[0], 0, data + 2, data[1] - 2, pvp); + if (rcode < 0) return rcode; + + return data[1]; +} + +#ifndef WITHOUT_VSAS +/* + * Check if a set of RADIUS formatted TLVs are OK. + */ +int nr_tlv_ok(const uint8_t *data, size_t length, + size_t dv_type, size_t dv_length) +{ + const uint8_t *end = data + length; + + if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) { + nr_debug_error("nr_tlv_ok: Invalid arguments"); + return -NR_ERR_INVALID_ARG; + } + + while (data < end) { + size_t attrlen; + + if ((data + dv_type + dv_length) > end) { + nr_debug_error("Attribute header overflow"); + return -NR_ERR_ATTR_TOO_SMALL; + } + + switch (dv_type) { + case 4: + if ((data[0] == 0) && (data[1] == 0) && + (data[2] == 0) && (data[3] == 0)) { + zero: + nr_debug_error("Invalid attribute 0"); + return -NR_ERR_ATTR_INVALID; + } + + if (data[0] != 0) { + nr_debug_error("Invalid attribute > 2^24"); + return -NR_ERR_ATTR_INVALID; + } + break; + + case 2: + if ((data[1] == 0) && (data[1] == 0)) goto zero; + break; + + case 1: + if (data[0] == 0) goto zero; + break; + + default: + nr_debug_error("Internal sanity check failed"); + return -NR_ERR_INTERNAL_FAILURE; + } + + switch (dv_length) { + case 0: + return 0; + + case 2: + if (data[dv_type + 1] != 0) { + nr_debug_error("Attribute is longer than 256 octets"); + return -NR_ERR_ATTR_TOO_LARGE; + } + /* FALL-THROUGH */ + case 1: + attrlen = data[dv_type + dv_length - 1]; + break; + + + default: + nr_debug_error("Internal sanity check failed"); + return -NR_ERR_INTERNAL_FAILURE; + } + + if (attrlen < (dv_type + dv_length)) { + nr_debug_error("Attribute header has invalid length"); + return -NR_ERR_PACKET_TOO_SMALL; + } + + if (attrlen > length) { + nr_debug_error("Attribute overflows container"); + return -NR_ERR_ATTR_OVERFLOW; + } + + data += attrlen; + length -= attrlen; + } + + return 0; +} + + +/* + * Convert a top-level VSA to a VP. + */ +static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + unsigned int vendor, + size_t dv_type, size_t dv_length, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + unsigned int attribute; + ssize_t attrlen, my_len; + +#ifndef NDEBUG + if (length <= (dv_type + dv_length)) { + nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); + return -NR_ERR_PACKET_TOO_SMALL; + } +#endif + + switch (dv_type) { + case 4: + /* data[0] must be zero */ + attribute = data[1] << 16; + attribute |= data[2] << 8; + attribute |= data[3]; + break; + + case 2: + attribute = data[0] << 8; + attribute |= data[1]; + break; + + case 1: + attribute = data[0]; + break; + + default: + nr_debug_error("attr2vp_vsa: Internal sanity check failed"); + return -NR_ERR_INTERNAL_FAILURE; + } + + switch (dv_length) { + case 2: + /* data[dv_type] must be zero */ + attrlen = data[dv_type + 1]; + break; + + case 1: + attrlen = data[dv_type]; + break; + + case 0: + attrlen = length; + break; + + default: + nr_debug_error("attr2vp_vsa: Internal sanity check failed"); + return -NR_ERR_INTERNAL_FAILURE; + } + +#ifndef NDEBUG + if (attrlen <= (ssize_t) (dv_type + dv_length)) { + nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); + return -NR_ERR_PACKET_TOO_SMALL; + } +#endif + + attrlen -= (dv_type + dv_length); + + my_len = data2vp_any(packet, original, 0, + attribute, vendor, + data + dv_type + dv_length, attrlen, pvp); + if (my_len < 0) return my_len; + +#ifndef NDEBUG + if (my_len != attrlen) { + nr_vp_free(pvp); + nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d", + (int) my_len, (int) attrlen); + return -NR_ERR_INTERNAL_FAILURE; + } +#endif + + return dv_type + dv_length + attrlen; +} + + +/* + * Create Vendor-Specifc VALUE_PAIRs from a RADIUS attribute. + */ +ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + size_t dv_type, dv_length; + ssize_t my_len; + uint32_t lvalue; + const DICT_VENDOR *dv; + + if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; + if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; + if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + + if (data[0] != PW_VENDOR_SPECIFIC) { + nr_debug_error("nr_attr2vp_vsa: Invalid attribute"); + return -NR_ERR_INVALID_ARG; + } + + /* + * Not enough room for a Vendor-Id. + * Or the high octet of the Vendor-Id is set. + */ + if ((data[1] < 6) || (data[2] != 0)) { + return nr_attr2vp_raw(packet, original, + data, length, pvp); + } + + memcpy(&lvalue, data + 2, 4); + lvalue = ntohl(lvalue); + +#ifdef VENDORPEC_WIMAX + /* + * WiMAX gets its own set of magic. + */ + if (lvalue == VENDORPEC_WIMAX) { + return nr_attr2vp_wimax(packet, original, + data, length, pvp); + } +#endif + + dv_type = dv_length = 1; + dv = nr_dict_vendor_byvalue(lvalue); + if (!dv) { + return nr_attr2vp_rfc(packet, original, + data, length, pvp); + } + + dv_type = dv->type; + dv_length = dv->length; + + /* + * Attribute is not in the correct form. + */ + if (nr_tlv_ok(data + 6, data[1] - 6, dv_type, dv_length) < 0) { + return nr_attr2vp_raw(packet, original, + data, length, pvp); + } + + my_len = attr2vp_vsa(packet, original, + lvalue, dv_type, dv_length, + data + 6, data[1] - 6, pvp); + if (my_len < 0) return my_len; + +#ifndef NDEBUG + if (my_len != (data[1] - 6)) { + nr_vp_free(pvp); + nr_debug_error("nr_attr2vp_vsa: Incomplete decode"); + return -NR_ERR_INTERNAL_FAILURE; + } +#endif + + return data[1]; +} +#endif /* WITHOUT_VSAS */ + + +/* + * Create a "normal" VALUE_PAIR from the given data. + */ +ssize_t nr_attr2vp(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; + if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; + if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + +#ifndef WITHOUT_VSAS + /* + * VSAs get their own handler. + */ + if (data[0] == PW_VENDOR_SPECIFIC) { + return nr_attr2vp_vsa(packet, original, + data, length, pvp); + } +#endif + +#ifdef VENDORPEC_EXTENDED + /* + * Extended attribute format gets their own handler. + */ + if (nr_dict_attr_byvalue(data[0], VENDORPEC_EXTENDED) != NULL) { + return nr_attr2vp_extended(packet, original, + data, length, pvp); + } +#endif + + return nr_attr2vp_rfc(packet, original, data, length, pvp); +} + +ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, + unsigned int attribute, unsigned int vendor, + const uint8_t **pdata, size_t *plength) +{ + uint8_t *data, *attr; + const uint8_t *end; + + if (!packet || !pdata || !plength) return -NR_ERR_INVALID_ARG; + + if (!packet->data) return -NR_ERR_INVALID_ARG; + if (packet->length < 20) return -NR_ERR_INVALID_ARG; + + /* + * Too long or short, not good. + */ + if ((start < 0) || + ((start > 0) && (start < 20))) return -NR_ERR_INVALID_ARG; + + if ((size_t) start >= (packet->length - 2)) return -NR_ERR_INVALID_ARG; + + end = packet->data + packet->length; + + /* + * Loop over the packet, converting attrs to VPs. + */ + if (start == 0) { + data = packet->data + 20; + } else { + data = packet->data + start; + data += data[1]; + if (data >= end) return 0; + } + + for (attr = data; attr < end; attr += attr[1]) { + const DICT_VENDOR *dv = NULL; + +#ifndef NEBUG + /* + * This code is copied from packet_ok(). + * It could be put into a separate function. + */ + if ((attr + 2) > end) { + nr_debug_error("Attribute overflows packet"); + return -NR_ERR_ATTR_OVERFLOW; + } + + if (attr[1] < 2) { + nr_debug_error("Attribute length is too small"); + return -NR_ERR_ATTR_TOO_SMALL; + } + + if ((attr + attr[1]) > end) { + nr_debug_error("Attribute length is too large"); + return -NR_ERR_ATTR_TOO_LARGE; + } +#endif + + if ((vendor == 0) && (attr[0] == attribute)) { + *pdata = attr + 2; + *plength = attr[1] - 2; + return attr - packet->data; + } + +#ifndef WITHOUT_VSAS + if (vendor != 0) { + uint32_t vendorpec; + + if (attr[0] != PW_VENDOR_SPECIFIC) continue; + + if (attr[1] < 6) continue; + + memcpy(&vendorpec, attr + 2, 4); + vendorpec = ntohl(vendorpec); + if (vendor != vendorpec) continue; + + if (!dv) { + dv = nr_dict_vendor_byvalue(vendor); + if (dv && + ((dv->type != 1) || (dv->length != 1))) { + return -NR_ERR_VENDOR_UNKNOWN; + } + } + + /* + * No data. + */ + if (attr[1] < 9) continue; + + /* + * Malformed, or more than one VSA in + * the Vendor-Specific + */ + if (attr[7] + 6 != attr[1]) continue; + + /* + * Not the right VSA. + */ + if (attr[6] != attribute) continue; + + *pdata = attr + 8; + *plength = attr[1] - 8; + return attr - packet->data; + } +#endif + } + + return 0; /* nothing more: stop */ +} + diff --git a/lib/radius/client.h b/lib/radius/client.h new file mode 100644 index 0000000..591884f --- /dev/null +++ b/lib/radius/client.h @@ -0,0 +1,1408 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file client.h + * \brief Main header file. + */ + +/* + * System-specific header files. + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Definitions of attributes. + */ +#include + +/** \defgroup build Build Helpers + * + * These definitions give the GNU C compiler more information about + * the functions being compiled. They are used to either remove + * warnings, or to enable better warnings. + **/ + +/** \defgroup custom Portability Functions + * + * These functions and definitions should be modified for your local + * system. See the individual definitions for details. + */ + +/** \defgroup error Error handling + * + * These definitions and routines manage errors. + */ + +/** \defgroup value_pair Attribute manipulation + * + * These routines manage structures which map to attributes. + */ + +/**\defgroup dict Dictionary Lookup Functions + * + * \sa doc/dictionaries.txt + * + * The RADIUS dictionaries perform name to number mappings. The names + * are used only for administrator convenience, for parsing + * configuration files, and printing humanly-readable output. The + * numbers are used when encoding data in a packet. + * + * When attributes are decoded from a packet, the numbers are used to + * look up the associated name, which is then placed into a data + * structure. + * + * When the data structures are encoded into a packet, the numbers are + * used to create RFC and VSA format attributes. + * + * \attention The definitions, structures, and functions given below + * are useful only for implementing "low level" RADIUS + * functionality. There is usually no need to refer to them in a + * client application. The library should be used at a higher level, + * which exposes a much simpler API. + */ + +/** \defgroup packet Packet manipulation + * + * These routines perform encoding and decoding of RADIUS packets. + */ + +/** \defgroup print Print / parse functions + * + * These routines convert the internal data structures to a printable + * form, or parse them. + */ + +/** \defgroup id ID allocation and freeing + * + * These routines manage RADIUS ID allocation. + */ + +/** \defgroup attr Low-level attribute encode/decoding + * + * These routines perform "low level" encoding, decoding, sending, and + * reception of RADIUS attributes. They are called by the \ref packet + * functions. + * + * \attention The structures and functions given below are useful only + * for implementing "low level" RADIUS functionality. There is usually + * no need to refer to them in a client application. The library + * should be used at a higher level, which exposes a much simpler API. + */ + +/** \defgroup internal Internal support functions. + * + * These functions are required to perform internal or "low-level" + * data manipulation. While they are exposed for completeness, they + * should not be called by any application. + */ + +#ifdef PW_EAP_MESSAGE +#ifndef PW_MESSAGE_AUTHENTICATOR +#error EAP-Message requires Message-Authenticator +#endif +#endif + +#ifdef WITHOUT_OPENSSL +#ifndef NR_MD5_CTX +#error NR_MD5_CTX must be defined +#endif +#ifndef nr_MD5Init +#error n_rMD5Init must be defined +#endif +#ifndef nr_MD5Update +#error nr_MD5Updyae must be defined +#endif +#ifndef nr_MD5Final +#error nr_MD5Final must be defined +#endif +#ifndef nr_MD5Transform +#error nr_MD5Transform must be defined +#endif + +#else /* WITHOUT_OPENSSL */ + +#include +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define NR_MD5_CTX MD5_CTX +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define nr_MD5Init MD5_Init +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define nr_MD5Update MD5_Update +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define nr_MD5Final MD5_Final +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define nr_MD5Transform MD5_Transform +#endif + +#ifndef NR_MAX_PACKET_LEN +/** The maximum size of a packet that the library will send or receive. \ingroup custom + * + * The RFC requirement is to handle at least 4K packets. However, if + * you expect to only do username/password authentication, this value + * can be set to a smaller value, such as 256. + * + * Be warned that any packets larger than this value will be ignored + * and silently discarded. + */ +#define NR_MAX_PACKET_LEN (4096) +#endif + +#ifndef NR_MAX_ATTRIBUTES +/** The maximum number of attributes that the library will allow in a packet. \ingroup custom + * + * Packets which contain more than ::NR_MAX_ATTRIBUTES will generate + * an error. This value is configurable because there may be a need + * to accept a large mumber of attributes. + * + * This value is ignored when packets are sent. The library will + * send as many attributes as it is told to send. + */ +#define NR_MAX_ATTRIBUTES (200) +#endif + +#undef NR_MAX_PACKET_CODE +/** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict + * + * \attention This should not be changed, as it is used by other + * structures such as ::nr_packet_codes. + */ +#define NR_MAX_PACKET_CODE PW_COA_NAK + +/** The maximum vendor number which is permitted. \ingroup dict + * + * The RFCs require that the Vendor Id or Private Enterprise Number + * be encoded as 32 bits, with the upper 8 bits being zero. + */ +#define NR_MAX_VENDOR (1 << 24) + +/** The maximum length of a RADIUS attribute. + * + * The RFCs require that a RADIUS attribute transport no more than + * 253 octets of data. We add an extra byte for a trailing NUL, so + * that the VALUE_PAIR::vp_strvalue field can be handled as a C + * string. + */ +#define MAX_STRING_LEN (254) + +/** Data Type Definitions. \ingroup dict + */ +typedef enum nr_attr_type_t { + NR_TYPE_INVALID = 0, /**< Invalid data type */ + NR_TYPE_STRING, /**< printable-text */ + NR_TYPE_INTEGER, /**< a 32-bit unsigned integer */ + NR_TYPE_IPADDR, /**< an IPv4 address */ + NR_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */ + NR_TYPE_OCTETS, /**< a sequence of binary octets */ + NR_TYPE_IFID, /**< an Interface Id */ + NR_TYPE_IPV6ADDR, /**< an IPv6 address */ + NR_TYPE_IPV6PREFIX, /**< an IPv6 prefix */ + NR_TYPE_BYTE, /**< an 8-bit integer */ + NR_TYPE_SHORT, /**< a 16-bit integer */ +} nr_attr_type_t; + +#define PW_ACCESS_REQUEST 1 +#define PW_ACCESS_ACCEPT 2 +#define PW_ACCESS_REJECT 3 +#define PW_ACCOUNTING_REQUEST 4 +#define PW_ACCOUNTING_RESPONSE 5 +#define PW_ACCOUNTING_STATUS 6 +#define PW_PASSWORD_REQUEST 7 +#define PW_PASSWORD_ACK 8 +#define PW_PASSWORD_REJECT 9 +#define PW_ACCOUNTING_MESSAGE 10 +#define PW_ACCESS_CHALLENGE 11 +#define PW_STATUS_SERVER 12 +#define PW_STATUS_CLIENT 13 +#define PW_DISCONNECT_REQUEST 40 +#define PW_DISCONNECT_ACK 41 +#define PW_DISCONNECT_NAK 42 +#define PW_COA_REQUEST 43 +#define PW_COA_ACK 44 +#define PW_COA_NAK 45 + +/** Error codes \ingroup error + * + * The numerical value of these definitions may change from version + * to version of the library. + */ +typedef enum nr_error_t { + /** Invalid argument */ + NR_ERR_INVALID_ARG = 1, + /** Insufficient data to decode the packet */ + NR_ERR_PACKET_TOO_SMALL, + /** The packet header says it is larger than the received data */ + NR_ERR_PACKET_TOO_LARGE, + /** the attribute overflows the packet */ + NR_ERR_ATTR_OVERFLOW, + /** the attribute header "length" field is too small */ + NR_ERR_ATTR_TOO_SMALL, + /** the attribute is more than 256 octets long */ + NR_ERR_ATTR_TOO_LARGE, + /** the attribute is unknown */ + NR_ERR_ATTR_UNKNOWN, + /** the attribute name is improperly formatted */ + NR_ERR_ATTR_BAD_NAME, + /** the attribute value could not be parsed */ + NR_ERR_ATTR_VALUE_MALFORMED, + /** the attribute "type" is invalid */ + NR_ERR_ATTR_INVALID, + /** the packet has too many attributes */ + NR_ERR_TOO_MANY_ATTRS, + /** the attribute has an unsupported data type */ + NR_ERR_ATTR_TYPE_UNKNOWN, + /** the Message-Authenticator has the wrong length */ + NR_ERR_MSG_AUTH_LEN, + /** the Message-Authenticator is wrong */ + NR_ERR_MSG_AUTH_WRONG, + /** we need a request packet to calculate something in the response */ + NR_ERR_REQUEST_REQUIRED, + /** the request code is unsupported */ + NR_ERR_REQUEST_CODE_INVALID, + /** the Authentication Vector is wrong */ + NR_ERR_AUTH_VECTOR_WRONG, + /** the response code is unsupported */ + NR_ERR_RESPONSE_CODE_INVALID, + /** the response ID field is invalid */ + NR_ERR_RESPONSE_ID_INVALID, + /** the response is not from the correct source IP/port */ + NR_ERR_RESPONSE_SRC_INVALID, + /** Look at "errno" for the error */ + NR_ERR_SYSTEM, + /** We cannot encode the packet because of invalid arguments */ + NR_ERR_NO_PACKET_DATA, + /** the vendor is unknown */ + NR_ERR_VENDOR_UNKNOWN, + /** an internal sanity check failed */ + NR_ERR_INTERNAL_FAILURE, + /** the caller requested an unsupported featuer */ + NR_ERR_UNSUPPORTED, + /** we were unable to allocate memory */ + NR_ERR_NO_MEM, + /** Resource is in use */ + NR_ERR_IN_USE, +} nr_error_t; + +#define TAG_VALID(x) ((x) < 0x20) + +/** The attribute is not encrypted. */ +#define FLAG_ENCRYPT_NONE (0) + +/** The attribute is encrypted using the RFC 2865 User-Password method */ +#define FLAG_ENCRYPT_USER_PASSWORD (1) + +/** The attribute is encrypted using the RFC 2868 Tunnel-Password method */ +#define FLAG_ENCRYPT_TUNNEL_PASSWORD (2) + +/** A set of flags which determine how the attribute should be handled. + * + * Most attributes are "normal", and do not require special handling. + * However, some require "encryption", tagging, or have other special + * formats. This structure contains the various options for the + * attribute formats. + */ +typedef struct attr_flags { + unsigned int has_tag : 1; /**< Attribute has an RFC 2868 tag */ + unsigned int unknown : 1; /**< Attribute is unknown */ +#ifdef NR_TYPE_TLV + unsigned int has_tlv : 1; /* has sub attributes */ + unsigned int is_tlv : 1; /* is a sub attribute */ +#endif +#ifdef VENDOR_EXTENDED + unsigned int extended : 1; /* extended attribute */ + unsigned int extended_flags : 1; /* with flag */ + unsigned int evs : 1; /* extended VSA */ +#endif + + uint8_t encrypt; /**< Attribute encryption method */ + uint8_t length; /**< The expected length of the attribute */ +} ATTR_FLAGS; + + +/** Defines an dictionary mapping for an attribute. \ingroup dict + * + * The RADIUS dictionaries map humanly readable names to protocol + * numbers. The protocol numbers are used to encode/decode the + * attributes in a packet. + */ +typedef struct nr_dict_attr { + unsigned int attr; /**< Attribute number */ + nr_attr_type_t type; /**< Data type */ + unsigned int vendor; /**< Vendor-Id number */ + ATTR_FLAGS flags; + const char *name; /**< Printable name */ +} DICT_ATTR; + +/** Defines a dictionary mapping for a named enumeration. \ingroup dict + * + * This structure is currently not used. + */ +typedef struct nr_dict_value { + const DICT_ATTR *da; /**< pointer to a ::DICT_ATTR */ + int value; /**< enumerated value */ + char name[1]; /**< printable name */ +} DICT_VALUE; + +/** Defines an dictionary mapping for a vendor. \ingroup dict + * + * The RADIUS dictionaries map humanly readable vendor names to a + * Vendor-Id (or Private Enterprise Code) assigned by IANA. The + * Vendor-Id is used to encode/decode Vendor-Specific attributes in a + * packet. + */ +typedef struct nr_dict_vendor { + unsigned int vendor; /**< Vendor Private Enterprise Code */ + size_t type; /**< size of Vendor-Type field */ + size_t length; /**< size of Vendor-Length field */ + const char *name; /**< Printable name */ +} DICT_VENDOR; + +/** Union holding all possible types of data for a ::VALUE_PAIR. \ingroup value_pair + * + */ +typedef union value_pair_data { + char strvalue[MAX_STRING_LEN]; /* +1 for NUL */ + uint8_t octets[253]; + struct in_addr ipaddr; + struct in6_addr ipv6addr; + uint32_t date; + uint32_t integer; +#ifdef NR_TYPE_SIGNED + int32_t sinteger; +#endif +#ifdef NR_TYPE_ABINARY + uint8_t filter[32]; +#endif + uint8_t ifid[8]; /* struct? */ + uint8_t ipv6prefix[18]; /* struct? */ +#ifdef NR_TYPE_TLV + uint8_t *tlv; +#endif +} VALUE_PAIR_DATA; + + +/** C structure version of a RADIUS attribute. \ingroup value_pair + * + * The library APIs use this structure to avoid depending on the + * details of the protocol. + */ +typedef struct value_pair { + const DICT_ATTR *da; /**< dictionary definition */ + size_t length; /**< number of octets in the data */ + int tag; /**< tag value if da->flags.has_tag */ + struct value_pair *next; /**< enables a linked list of values */ + VALUE_PAIR_DATA data; /**< the data of the attribute */ +} VALUE_PAIR; +#define vp_strvalue data.strvalue +#define vp_octets data.octets +#define vp_ipv6addr data.ipv6addr +#define vp_ifid data.ifid +#define vp_ipv6prefix data.ipv6prefix +#define vp_ipaddr data.ipaddr.s_addr +#define vp_date data.integer +#define vp_integer data.integer +#ifdef NR_TYPE_ABINARY +#define vp_filter data.filter +#endif +#ifdef NR_TYPE_ETHER +#define vp_ether data.ether +#endif +#ifdef NR_TYPE_SIGNED +#define vp_signed data.sinteger +#endif +#ifdef NR_TYPE_TLV +#define vp_tlv data.tlv +#endif + +#ifdef NR_TYPE_TLV +#define NR_ATTR_MAX_TLV (4) +extern const int nr_attr_shift[NR_ATTR_MAX_TLV]; +extern const int nr_attr_mask[NR_ATTR_MAX_TLV]; +extern const unsigned int nr_attr_max_tlv; +#endif + +/** A structure which describes a RADIUS packet. \ingroup packet + * + * In general, it should not be necessary to refererence the elements + * of this structure. + */ +typedef struct radius_packet { + int sockfd; /** The socket descriptor */ + struct sockaddr_storage src; /**< The packet source address */ + struct sockaddr_storage dst; /**< the packet destination address */ + const char *secret; /**< The shared secret */ + size_t sizeof_secret; /**< Length of the shared secret */ + unsigned int code; /**< The RADIUS Packet Code */ + int id; /**< The RADIUS Packet Id */ + size_t length; /**< The RADIUS Packet Length. This will be no larger than RADIUS_PACKET::sizeof_data */ + uint8_t vector[16]; /**< A copy of the authentication vector */ + int flags; /**< Internal flags. Do not modify this field. */ + int attempts; /**< The number of transmission attempt */ + uint8_t *data; /**< The raw packet data */ + size_t sizeof_data; /**< size of the data buffer */ + VALUE_PAIR *vps; /**< linked list of ::VALUE_PAIR */ +} RADIUS_PACKET; + +#define NR_PACKET_ENCODED (1 << 0) +#define NR_PACKET_HEADER (1 << 1) +#define NR_PACKET_SIGNED (1 << 2) +#define NR_PACKET_OK (1 << 3) +#define NR_PACKET_VERIFIED (1 << 4) +#define NR_PACKET_DECODED (1 << 5) + + +/** Track packets sent to a server. \ingroup id + * + * This data structure tracks Identifiers which are used to + * communicate with a particular destination server. The application + * should call nr_server_init() to initialize it. If necessary, the + * application should then call nr_server_set_ipv4() to open an IPv4 + * socket to the server. + * + * If the RADIUS packets are being transported over an encapsulation + * layer (e.g. RADIUS over TLS), then nr_server_set_ipv4() does not + * need to be called. The ::nr_server_t structure should instead be + * associated wih the TLS session / socket. + */ +typedef struct nr_server_t { + int sockfd; /**< socket for sending packets */ + int code; /**< default value for the Code */ + + struct sockaddr_storage src; /**< Source address of the packet */ + struct sockaddr_storage dst; /**< Destination address of the packet */ + + /** The shared secret. + * + * See also nr_packet_send() and nr_packet_recv(). + */ + const char *secret; + + /** The length of the shared secret. + * + * See also nr_packet_send() and nr_packet_recv(). + */ + size_t sizeof_secret; + + int used; /**< Number of used IDs */ + + void *free_list; /**< For managing packets */ + + RADIUS_PACKET *ids[256]; /**< Pointers to "in flight" packets */ +} nr_server_t; + + +/** Return a printable error message. \ingroup error + * + * This function returns a string describing the last error that + * occurred. These messages are intended for developers, and are not + * suitable for display to an end user. The application using this + * library should instead produce a "summary" message when an error + * occurs. e.g. "Failed to receive a response", is better than + * messages produced by this function, which contain text like + * "invalid response authentication vector". The first is + * understandable, the second is not. + * + * @param[in] error The error code (can be less than zero) + * @return A printable string describing the error. + */ +extern const char *nr_strerror(int error); + +/** Allocate a ::VALUE_PAIR which refers to a ::DICT_ATTR. \ingroup value_pair + * + * This returned ::VALUE_PAIR has no data associated with it. The + * nr_vp_set_data() function must be called before placing the + * ::VALUE_PAIR in a ::RADIUS_PACKET. + * + * @param[in] da The ::DICT_ATTR associated with the ::VALUE_PAIR + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da); + +/** Free a ::VALUE_PAIR. \ingroup value_pair + * + * This function frees the ::VALUE_PAIR, and sets the head pointer to NULL. + * If head refers to a ::VALUE_PAIR list, then all of the structures in the + * list are freed. + * + * @param[in,out] head The pointer to a ::VALUE_PAIR, or a ::VALUE_PAIR list. + */ +extern void nr_vp_free(VALUE_PAIR **head); + +/** Initializes a ::VALUE_PAIR from a ::DICT_ATTR \ingroup value_pair + * + * This function assumes that the ::VALUE_PAIR points to existing + * and writable memory. + * + * @param[in,out] vp The ::VALUE_PAIR to be initialized + * @param[in] da The ::DICT_ATTR used to initialize the ::VALUE_PAIR + * @return The initialized ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da); + +/** Allocate a ::VALUE_PAIR which refers to an unknown attribute. \ingroup value_pair + * + * It is used when an attribute is received, and that attribute does + * not exist in the dictionaries. + * + * The returned ::VALUE_PAIR has no data (i.e. VALUE_PAIR::length is + * zero). The nr_vp_set_data() function must be called before + * placing the ::VALUE_PAIR in a ::RADIUS_PACKET. + * + * @param[in] attr The attribute number, 0..2^16 + * @param[in] vendor The vendor number, 0..2^16 + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor); + +/** Set the data associated with a previously allocated ::VALUE_PAIR. \ingroup value_pair + * + * If this function succeeds, VALUE_PAIR::length is no longer zero, + * and the structure contains the data. + * + * @param[in,out] vp The ::VALUE_PAIR to update + * @param[in] data Data to set inside of the ::VALUE_PAIR + * @param[in] data_len Length of the data field + * @return <0 on error, 0 for "data was truncated" + * >0 for "data successfully added" + */ +extern int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t data_len); + +/** Create a ::VALUE_PAIR and set its data. \ingroup value_pair + * + * @param[in] attr The attribute number of the ::VALUE_PAIR to create + * @param[in] vendor The vendor number of the ::VALUE_PAIR to create + * @param[in] data Data to set inside of the ::VALUE_PAIR + * @param[in] data_len Length of the data field + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, + size_t data_len); + +/** Append a ::VALUE_PAIR to the end of a ::VALUE_PAIR list. \ingroup value_pair + * + * @param[in,out] head The head of the ::VALUE_PAIR list. May not be NULL. + * @param[in] vp The ::VALUE_PAIR to append to the list. + */ +extern void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *vp); + +/** Search a ::VALUE_PAIR list for one of a given number. \ingroup value_pair + * + * @param[in] head The head of the ::VALUE_PAIR list to search. + * @param[in] attr The attribute number of the ::VALUE_PAIR to find + * @param[in] vendor The vendor number of the ::VALUE_PAIR to find + * @return The found ::VALUE_PAIR, or NULL if it was not found. + */ +extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, + unsigned int attr, unsigned int vendor); + +/** Look up an attribute in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the attribute, + * such as printable name, data type (ipaddr, integer, etc), and + * various other things used to encode/decode the attribute in a + * packet. + * + * \attention There is usually no need to call this function. Use + * the NR_DA_* definitions instead. + * + * @param[in] attr Value of the attribute + * @param[in] vendor Value of the vendor + * @return NULL for "not found", or a pointer to the attribute mapping. + */ +extern const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, + unsigned int vendor); + +/** Look up an attribute in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the attribute, + * such as printable name, data type (ipaddr, integer, etc), and + * various other things used to encode/decode the attribute in a + * packet. + * + * \attention There is usually no need to call this function. + * + * @param[in] name Name of the attribute + * @return NULL for "not found", or a pointer to the attribute mapping. + */ +extern const DICT_ATTR *nr_dict_attr_byname(const char *name); + +/** Converts raw data to a ::DICT_ATTR structure. \ingroup dict + * + * It is called when the library is asked to decode an attribute + * which is not in the pre-defined dictionaries. + * + * \attention There is usually no need to call this function. + * + * @param[in,out] da The ::DICT_ATTR structure to initialize + * @param[in] attr The attribute number + * @param[in] vendor The vendor number + * @param[in] buffer The buffer where the name of the attribute is stored + * @param[in] bufsize Size of the buffer + * @return <0 for error, 0 for success + */ +extern int nr_dict_attr_2struct(DICT_ATTR *da, + unsigned int attr, unsigned int vendor, + char *buffer, size_t bufsize); + +/** Unused. \ngroup dict + * + */ +extern const DICT_VALUE *nr_dict_value_byattr(unsigned int attr, + unsigned int vendor, + int value); + +/** Unused. \ngroup dict + * + */ +const DICT_VALUE *nr_dict_value_byname(unsigned int attr, + unsigned int vendor, + const char *name); + +/** Look up a vendor in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the vendor, such + * as printable name, VSA encoding method, etc. + * + * \attention There is usually no need to call this function. + * Applications do not need access to low-level RADIUS protocol + * information. + * + * @param[in] name Name of the vendor. + * @return NULL for "not found", or a pointer to the vendor mapping. + */ +extern int nr_dict_vendor_byname(const char *name); + +/** Look up an vendor in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the vendor, such + * as printable name, VSA encoding method, etc. + * + * \attention There is usually no need to call this function. + * + * @param[in] vendor Vendor-Id (or Private Enterprise code) for the vendor. + * @return NULL for "not found", or a pointer to the vendor mapping. + */ +extern const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor); + +/** Static array of known vendors. \ingroup dict + * + * \attention This structure should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_VENDOR nr_dict_vendors[]; + +/** The number of attribute definitions in the dictionary. \ingroup dict + * + * This number is guaranteed to be at least 256, for speed. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const int nr_dict_num_attrs; + +/** The list of attribute definitions. \ingroup dict + * + * The "standard" RFC attributes are located in the first 256 + * entries. Standard attributes without a dictionary definition are + * given an empty entry. + * + * The attributes are orderd by (vendor, attribute), in increasing + * order. This allows the dictionary lookups to find attributes by a + * binary search. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_ATTR nr_dict_attrs[]; + +/** The number of attributes with names. \ingroup dict + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const int nr_dict_num_names; + +/** The list of attribute definitions, organized by name. \ingroup dict + * + * The attributes are orderd by name (case insensitive), in + * increasing order. This allows the dictionary lookups to find + * attributes by a binary search. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_ATTR const *nr_dict_attr_names[]; + +/** Static array containing names the RADIUS_PACKET::code field. \ingroup dict + * + * The names are hard-coded and not in any dictionary because they do + * not change. + * + * The names are exported because they may be useful in your + * application. Packet codes which are not handled by the library + * have NULL for their names. + */ +extern const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1]; + +/** Verifies that a packet is "well formed". \ingroup packet + * + * This function performs basic validation to see if the packet is + * well formed. It is automatically called by nr_packet_decode(). + * + * @param[in] packet A pointer to the ::RADIUS_PACKET data. + * @return <0 means malformed, >= 0 means well-formed. + */ +extern int nr_packet_ok(RADIUS_PACKET *packet); + +/** Verifies that a packet is "well formed". \ingroup packet + * + * This function performs basic validation to see if the packet is + * well formed. You should normally use nr_packet_ok() instead of + * this function. + * + * @param[in] data A pointer to the raw packet data. + * @param[in] sizeof_data The length of the raw packet data + * @return <0 means malformed, >= 0 means well-formed. + */ +extern int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data); + +/** Encodes a packet. \ingroup packet + * + * This function encodes a packet using the fields of the + * ::RADIUS_PACKET structure. The RADIUS_PACKET::code and + * RADIUS_PACKET::id fields are used to fill in the relevant fields + * of the raw (encoded) packet. The RADIUS_PACKET::vps list is + * walked to encode the attributes. The packet is signed, if + * required. + * + * The raw packet is placed into the RADIUS_PACKET::data field, up to + * RADIUS_PACKET::sizeof_data bytes. the RADIUS_PACKET::length field + * is updated with the length of the raw packet. This field is + * always less than, or equal to, the RADIUS_PACKET::size_data field. + * If there is insufficient room to store all of the attributes, then + * some attributes are silently discarded. + * + * The RADIUS_PACKET::vector field is either calculated as part of + * the signing process, or is initialized by this function to be a + * random sequence of bytes. That field should therefore be left + * alone by the caller. + * + * When the encoding has been successful, it sets the + * RADIUS_PACKET::encoded field to non-zero. + * + * In addition, all required attribute "encryption" is performed. + * + * User-Password. The vp_strvalue field is assumed to contain the + * "clear-text" version of the password. The encrypted version is + * calculated, and placed in the packet. + * + * CHAP-Password. The vp_strvalue field is assumed to contain the + * "clear-text" version of the password. The encrypted version is + * calculated, and placed in the packet. If the RADIUS_PACKET::vps + * list contains a CHAP-Challenge attribute, it is used. Otherwise + * the RADIUS_PACKET::vector field is used a the challenge. + * + * Message-Authenticator. The contents of the Message-Authenticator + * in the RADIUS_PACKET::vps list are ignored. Instead, a + * "place-holder" is put into the packt. Tthe correct value is + * calculated and placed into the packet by nr_packet_sign(). + * + * The RADIUS_PACKET::vps list is left untouched by this function, + * even when attribute encryption or signing is performed. Any + * VALUE_PAIR structures can therefore be taken from static "const" + * variables. + * + * @param[in] packet The RADIUS packet to encode. + * @param[in] original The original request, when encoding a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Decodes a packet. \ingroup packet + * + * This function decodes a packet from the RADIUS_PACKET::data field + * into a sequence of ::VALUE_PAIR structures in the + * RADIUS_PACKET::vps list. + * + * @param[in] packet The RADIUS packet to decode. + * @param[in] original The original request, when decoding a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Signs a packet so that it can be sent. \ingroup packet + * + * This function calculates the Message-Authenticator (if required), + * and signs the packet. + * + * @param[in] packet The RADIUS packet to sign. + * @param[in] original The original request, when signing a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Verifies that a packet is well-formed and contains the correct signature. \ingroup packet + * + * If "original" is specified, it also verifies that the packet is a + * response to the original request, and that it has the correct + * signature. + * + * @param[in] packet The RADIUS packet to verify. + * @param[in] original The original request, when verifying a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_verify(RADIUS_PACKET *packet, + const RADIUS_PACKET *original); + +/** Pretty-prints a hex dump of a RADIUS packet. \ingroup packet print + * + * This function is available only in debugging builds of the + * library. It is useful during development, but should not be used + * in a production system. + * + * The packet headers are printed individually, and each attribute is + * printed as "type length data..." + * + * @param[in] packet The RADIUS packet to print + */ +extern void nr_packet_print_hex(RADIUS_PACKET *packet); + + +/** Return the given number of random bytes. \ingroup custom + * + * This function should be replaced by one that is specific to your + * system. + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in] data Location where the random bytes will be stored + * @param[in] data_len Number of bytes to store + * @return <0 on error, or the total number of bytes stored. + */ +extern ssize_t nr_rand_bytes(uint8_t *data, size_t data_len); + +/** Return a random 32-bit integer. \ingroup custom + * + * This function should be replaced by one that is specific to your + * system. The version supplied here just calls nr_rand_bytes() each + * time, which is slow. + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @return An unsigned 32-bit random integer. + */ +extern uint32_t nr_rand(void); + +/** Add a time to the given ::struct timeval. \ingroup custom + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in,out] t The timeval to which the time is added. + * @param[in] seconds Time in seconds to add + * @param[in] usec Time in microseconds to add + */ +extern void nr_timeval_add(struct timeval *t, unsigned int seconds, + unsigned int usec); + +/** Compare two times. \ingroup custom + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in] a One timeval + * @param[in] b Another one + * @return a <=> b + */ +extern int nr_timeval_cmp(const struct timeval *a, const struct timeval *b); + +/** Initializes an ::nr_server_t. \ingroup id + * + * @param[in,ut] s The ::nr_server_t to initialize + * @param[in] code The packet code used for packets sent to this server + * @param[in] secret The shared secret used for packet sent to this server + * @return <0 for error, >= 0 for success + */ +extern int nr_server_init(nr_server_t *s, int code, const char *secret); + +/** Closes an ::nr_server_t data structure. \ingroup id + * + * Ensures that all IDs are free, and closes the socket. + * + * @param[in] s The server structure to close. + * @return <0 for error, 0 for success + */ +extern int nr_server_close(const nr_server_t *s); + +/** Allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id + * + * This function allocates a RADIUS_PACKET::id from the ::nr_server_t + * structure. It also fills in the RADIUS_PACKET::sockfd, + * RADIUS_PACKET::code, and RADIUS_PACKET::dst fields. + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which needs an ID + * @return <0 for error, 0 for success + */ +extern int nr_server_id_alloc(nr_server_t *id, RADIUS_PACKET *packet); + +/** Re-allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id + * + * It is used when retransmitting an Accounting-Request packet to a + * server, after updating the Acct-Delay-Time field. The "realloc" + * name means that the new ID is allocated, and is guaranteed to be + * different from the old one. + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which needs a new ID + * @return <0 for error, 0 for success + */ +extern int nr_server_id_realloc(nr_server_t *id, RADIUS_PACKET *packet); + +/** Free a RADIUS_PACKET::id value after sending a packet to a server. \ingroup id + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which has an ID, and wants to free it + * @return <0 for error, 0 for success + */ +extern int nr_server_id_free(nr_server_t *id, RADIUS_PACKET *packet); + + +/** Allocates a packet using malloc(), and initializes it. \ingroup id + * + * @param[in] s The server structure + * @param[in,out] packet_p Pointer to the ::RADIUS_PACKET to be allocated + * @return <0 for error, 0 for success + */ +extern int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p); + +/** Record a humanly readable error message. \ingroup error + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[in] fmt The format to use. + */ +extern void nr_strerror_printf(const char *fmt, ...); + +#ifndef NDEBUG +#define nr_debug_error nr_strerror_printf /** \ingroup error */ +#else +#define nr_debug_error if (0) nr_strerror_printf +#endif + +/** Encrypts or decrypts a User-Password attribute. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Encrypts a Tunnel-Password attribute. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Decrypts a Tunnel-Password attribute. \ingroup internal + * + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Calculates an HMAC-MD5. \ingroup internal + * + * @param[in] data Data to be hashed + * @param[in] data_len Length of data to be hashed + * @param[in] key Key for the HMAC + * @param[in] key_len Length of the key + * @param[out] digest + */ +extern void nr_hmac_md5(const uint8_t *data, size_t data_len, + const uint8_t *key, size_t key_len, + uint8_t digest[16]); + +/** Checks if a TLV is properly formatted. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[in] data Data to check + * @param[in] length Length of the data field + * @param[in] dv_type Length of the TLV "type" field + * @param[in] dv_length Length of the TLV "length" field + * @return <0 on error, 0 for "TLV is OK" + */ +extern int nr_tlv_ok(const uint8_t *data, size_t length, + size_t dv_type, size_t dv_length); + +/** A callback function used by nr_packet_walk(). \ingroup packet + * + * The function should return 0 on success (i.e. keep walking), and + * otherwise a negative number indicating an error code + * (::nr_error_t). That negative number will be used as the return + * code for nr_packet_walk(). + */ +typedef int (*nr_packet_walk_func_t)(void *, const DICT_ATTR *, const uint8_t *, size_t); + +/** Walks over all attributes in a packet. \ingroup packet + * + * This function is an iterator which calls a user-supplied callback + * function for each attribute in the packet. It should be used + * instead of manually walking over the attributes. There are a + * number of odd corner cases when handling Vendor-Specific + * attributes, and it is easy to get those corner cases wrong. + * + * This function iterates over *all* attributes, including nested + * VSAs. That is its main value. + * + * Encrypted attributes such as User-Password are not decrypted. + * + * @param[in] packet The packet containing the data + * @param[in] ctx A user-supplied context. May be NULL + * @param[in] callback The callback function where the information is passed. + * + * @return <0 for error, + * 0 for success. + */ +extern int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, + nr_packet_walk_func_t callback); + +/** Initialize a packet + * + * If original is specified, the packet is initialized as a response + * to the original request. + * + * @param[in,out] packet The packet to initialize + * @param[in] original The original request (if any) to use as a template + * @param[in] secret Shared secret + * @param[in] code RADIUS Code field. + * @param[in] data Buffer where packets will be stored (RADIUS_PACKET::data) + * @param[in] sizeof_data Size of buffer (RADIUS_PACKET::sizeof_data) + * @return <0 on error, 0 for success. + */ +extern int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const char *secret, int code, + void *data, size_t sizeof_data); + +/** Add one attribute to the packet. + * + * This function can be used to add "raw" data to a packet. It + * allows the caller to extend the RADIUS packet without using a + * ::VALUE_PAIR data structure. + * + * Some attributes are handled specially by this function. + * + * EAP-Message. This attribute is automatically split into 253-octet + * chunks. + * + * User-Password, CHAP-Password, and Message-Authenticator. These + * attributes are automatically encrypted, as is done by + * nr_packet_encode(). + * + * @param[in] packet The packet to edit + * @param[in] original The original request (if any) + * @param[in] da Pointer to the attribute definition + * @param[in] data Data to append to the packet + * @param[in] data_len Length of data to append to the packet + * + * @return <0 for error, >= 0 for "successfully appended data" + * The function returns the number of octets appended to the packet. + */ +extern ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const DICT_ATTR *da, + const void *data, size_t data_len); + + +/** Encodes any ::VALUE_PAIR into an attribute. \ingroup attr + * + * This function can be called for any ::VALUE_PAIR. It will examine + * that structure, and call one of nr_vp2rfc() or nr_vp2vsa() as + * necessary. + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2attr(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *data, size_t room); + +/** Encodes an RFC "standard" ::VALUE_PAIR into an attribute. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *data, size_t room); + +/** Decodes any attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes an RFC "standard" attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes a Vendor-Specific attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes an attribute with an unexpected length into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Encodes a Vendor-Specific ::VALUE_PAIR into an attribute. + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *data, + size_t room); + +/** Returns raw data from the RADIUS packet, for a given attribute. \ingroup attr + * + * This function can be called repeatedly to find all instances of a + * given attribute. The first time it is called, the "start" + * parameter should be zero. If the function returns a non-zero + * positive number, it means that there *may* be more attributes + * available. The returned value should be then passed via the + * "start" option in any subsequent calls to the function. + * + * This function should be called by an application when it wants + * access to data which is not in the pre-defined dictionaries. + * + * @param[in] packet The packet containing the attribute. + * @param[in] start Where in the packet we start searching for the attribute. + * @param[in] attr Value of the attribute to search for + * @param[in] vendor Value of the vendor (use 0 for IETF attributes) + * @param[out] pdata Pointer to the data. If no data was found, the pointer is unchanged. + * @param[out] plength Length of the data. If no data was found, the value pointed to is unchanged. + * + * @return <0 for error, + * 0 for "no attribute found, stop searching" + * >0 offset where the attribute was found. + */ +extern ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, + unsigned int attr, unsigned int vendor, + const uint8_t **pdata, size_t *plength); + +/** Pretty-print the entire ::VALUE_PAIR \ingroup print + * + * All data is printed in ASCII format. The data type of "octets" is + * printed as a hex string (e.g. 0xabcdef01...). The data type of + * "ipaddr" is printed as a dotted-quad (e.g. 192.0.2.15). + * + * The format is "Attribute-Name = value" + * + * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored + * @param[in] bufsize size of the output buffer + * @param[in] vp ::VALUE_PAIR to print + * @return length of data in buffer + */ +extern size_t nr_vp_snprintf(char *buffer, size_t bufsize, const VALUE_PAIR *vp); + +/** Pretty-print the VALUE_PAIR::data field \ingroup print + * + * Prints the value of a ::VALUE_PAIR, without the name or "=" sign. + * + * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored + * @param[in] bufsize size of the output buffer + * @param[in] vp ::VALUE_PAIR to print + * @return length of data in buffer + */ +extern size_t nr_vp_snprintf_value(char *buffer, size_t bufsize, const VALUE_PAIR *vp); + +/** Prints a list of :VALUE_PAIR structures to the given output. \ingroup print + * + * @param[in] fp Where to print the results + * @param[in] vps Linked list of ::VALUE_PAIR to print + */ +extern void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps); + +/** Scan a string into a ::VALUE_PAIR. The counterpart to + * nr_vp_snprintf_value() \ingroup print + * + * @param[in] string Printable version of the ::VALUE_PAIR + * @param[out] pvp Newly allocated ::VALUE_PAIR + * @return <0 on error, 0 for success. + */ +extern int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp); + +/** Scan the data portion of a ::VALUE_PAIR. The counterpart to + * nr_vp_snprintf_value() \ingroup print + * + * @param[in,out] vp The ::VALUE_PAIR where the data will be stored + * @param[in] value The string version of the data to be parsed + * @return <0 on error, >=0 for the number of characters parsed in value. + */ +extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value); + +#if defined(__GNUC__) +# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1))) +# define NEVER_RETURNS __attribute__ ((noreturn)) +# define UNUSED __attribute__ ((unused)) +# define BLANK_FORMAT " " /* GCC_LINT whines about empty formats */ +#else + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define PRINTF_LIKE(n) + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define NEVER_RETURNS + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define UNUSED + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define BLANK_FORMAT "" +#endif diff --git a/lib/radius/common.pl b/lib/radius/common.pl new file mode 100644 index 0000000..c08489a --- /dev/null +++ b/lib/radius/common.pl @@ -0,0 +1,220 @@ +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +our %attributes; +our %vendor; +our %vendorpec; +our $begin_vendor = 0; + +$vendorpec{'0'} = "IETF"; + +sub do_file() +{ + my $filename = shift; + my $fh; + + $dir = $filename; + $dir =~ s:/[^/]+?$::; + $lineno = 0; + + open $fh, "<$filename" or die "Failed to open $filename: $!\n"; + + while (<$fh>) { + $lineno++; + next if (/^\s*#/); + next if (/^\s*$/); + s/#.*//; + s/\s+$//; + + next if ($_ eq ""); + + # + # Remember the vendor + # + if (/^VENDOR\s+([\w-]+)\s+(\w+)(.*)/) { + my $me = $1; + + $vendor{$me}{'pec'} = $2; + $vendorpec{$2} = $me; + + $vendor{$me}{'type'} = 1; + $vendor{$me}{'length'} = 1; + + if ($3) { + $format=$3; + $format =~ s/^\s+//; + + if ($format !~ /^format=(\d+),(\d+)$/) { + die "Unknown format $format\n"; + } + $vendor{$me}{'type'} = $1; + $vendor{$me}{'length'} = $2; + } + next; + } + + # + # Remember if we did begin-vendor. + # + if (/^BEGIN-VENDOR\s+([\w-]+)/) { + if (!defined $vendor{$1}) { + die "Unknown vendor $1\n"; + } + $begin_vendor = $vendor{$1}{'pec'}; + next; + } + + # + # Remember if we did this. + # + if (/^END-VENDOR/) { + $begin_vendor = 0; + next; + } + + # + # Get attribute. + # + if (/^ATTRIBUTE\s+([\w-\/.]+)\s+(\w+)\s+(\w+)(.*)/) { + $name=$1; + $value = $2; + $type = $3; + $stuff = $4; + + $value =~ tr/[A-F]/[a-f]/; # normal form for hex + $value =~ tr/X/x/; + + if ($value =~ /^0x/) { + $index = hex $value; + } else { + $index = $value; + } + + next if (($begin_vendor == 0) && ($index > 255)); + + $index += ($begin_vendor << 16); + + $attributes{$index}{'name'} = $name; + $attributes{$index}{'value'} = $value; + if ($begin_vendor ne "") { + $attributes{$index}{'vendor'} = $begin_vendor; + } + + $type =~ tr/a-z/A-Z/; + $attributes{$index}{'type'} = "NR_TYPE_$type"; + + $stuff =~ s/^\s*//; + + if ($stuff) { + foreach $text (split /,/, $stuff) { + if ($text eq "encrypt=1") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_USER_PASSWORD"; + } elsif ($text eq "encrypt=2") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_TUNNEL_PASSWORD"; + + } elsif ($text eq "encrypt=3") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_ASCEND_SECRET"; + + } elsif ($text eq "has_tag") { + $attributes{$index}{'flags'}{'has_tag'} = "1"; + + } elsif ($text =~ /\[(\d+)\]/) { + $attributes{$index}{'flags'}{'length'} = $1; + + } else { + die "$filename: $lineno - Unknown flag $text\n"; + } + } + } + + if ($type eq "BYTE") { + $attributes{$index}{'flags'}{'length'} = "1"; + + } elsif ($type eq "SHORT") { + $attributes{$index}{'flags'}{'length'} = "2"; + + } elsif ($type eq "INTEGER") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "IPADDR") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "DATE") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "IFID") { + $attributes{$index}{'flags'}{'length'} = "8"; + + } elsif ($type eq "IPV6ADDR") { + + $attributes{$index}{'flags'}{'length'} = "16"; + } + + $name2val{$name} = $index; + next; + } + + # + # Values. + # + if (/^VALUE\s+([\d\w-\/.]+)\s+([\w-\/,.+]+)\s+(\w+)(.*)/) { + next; + + $attr = $1; + $name = $2; + $value = $3; + $stuff = $d; + + $value =~ tr/[A-F]/[a-f]/; # normal form for hex + $value =~ tr/X/x/; + + if ($value =~ /^0x/) { + $index = hex $value; + } else { + $index = $value; + } + + if (!defined $name2val{$attr}) { + print "# FIXME: FORWARD REF?\nVALUE $attr $name $value$stuff\n"; + next; + } + + $values{$name2val{$attr}}{$index} = "$attr $name $value$stuff"; + next; + } + + if (/^\$INCLUDE\s+(.*)$/) { + do_file("$dir/$1"); + next; + } + + die "unknown text in line $lineno of $filename: $_\n"; + } + + close $fh; +} + +1; diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl new file mode 100755 index 0000000..ce7cccd --- /dev/null +++ b/lib/radius/convert.pl @@ -0,0 +1,182 @@ +#!/usr/bin/env perl +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +# +# Converts dictionaries to C structures. Does not yet do "VALUE"s. +# +# Usage: ./convert.pl dictionary ... +# +# Reads input dictionaries, and outputs "radius.h" and "dictionaries.c" +# +# $Id$ +# +require "common.pl"; + +# +# Read all of the dictionaries +# +while (@ARGV) { + $filename = shift; + do_file($filename); +} + +# +# For speed, the dictionary data structures have the first 256 +# attributes at fixed offsets in the array. If the user didn't +# define them, then we set them here to be "raw" or unknown. +# +foreach $attr_val (0..255) { + next if defined $attributes{$attr_val}; + + $attributes{$attr_val}{'raw'} = 1; +} + +if (scalar keys %attributes == 0) { + die "No attributes were defined\n"; +} + + +open DICT, ">dictionaries.c" or die "Failed creating dictionaries.c: $!\n"; + +# +# Print out the data structues for the vendors. +# +if (scalar keys %vendor > 0) { + print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n"; + foreach $v (sort keys %vendor) { + print DICT " { \n"; + print DICT " .name = \"", $v, "\", \n"; + print DICT " .vendor = ", $vendor{$v}{'pec'}, ", \n"; + print DICT " .type = ", $vendor{$v}{'type'}, ",\n"; + print DICT " .length = ", $vendor{$v}{'length'}, ",\n"; + print DICT " },\n"; + } + print DICT "\n { .name = NULL, }\n"; + print DICT "};\n\n"; +} + +# needed for later. +$vendor{""}{'pec'} = 0; + +# +# Print DICT out the attributes sorted by number. +# +my $offset = 0; +my $num_names = 0; +print DICT "const DICT_ATTR nr_dict_attrs[] = {\n"; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + print DICT " { /* $offset */ \n"; + + if (defined $attributes{$attr_val}{'raw'}) { + print DICT " .name = NULL, \n"; + } else { + print DICT " .name = \"", $attributes{$attr_val}{'name'}, "\", \n"; + if ($attributes{$attr_val}{'vendor'}) { + print DICT " .vendor = ", $attributes{$attr_val}{'vendor'}, ", \n"; + } + + print DICT " .attr = ", $attributes{$attr_val}{'value'}, ", \n"; + print DICT " .type = ", $attributes{$attr_val}{'type'}, ", \n"; + + if ($attributes{$attr_val}{'flags'}) { + print DICT " .flags = {\n"; + foreach $flag (keys %{$attributes{$attr_val}{'flags'}}) { + print DICT " .$flag = $attributes{$attr_val}{'flags'}{$flag},\n"; + } + print DICT " },\n"; + } + + $num_names++; + } + + $attributes{$attr_val}{'offset'} = $offset++; + + print DICT " },\n"; + +} +print DICT "};\n\n"; + +print DICT "const int nr_dict_num_attrs = ", $offset - 1, ";\n\n"; +print DICT "const int nr_dict_num_names = ", $num_names - 1, ";\n\n"; + +my $offset = 0; +print DICT "const DICT_ATTR *nr_dict_attr_names[] = {\n"; +foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'name'})} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + print DICT " &nr_dict_attrs[", $attributes{$attr_val}{'offset'}, "], /* ", $attributes{$attr_val}{'name'}, " */\n"; +} + +print DICT "};\n\n"; +close DICT; + +open HDR, ">radius.h" or die "Failed creating radius.c: $!\n"; + +print HDR "/* Automatically generated file. Do not edit */\n\n"; + +foreach $v (sort keys %vendor) { + next if ($v eq ""); + + $name = $v; + $name =~ tr/a-z/A-Z/; # uppercase + $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ + + print HDR "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; +} +print HDR "\n"; + +$begin_vendor = -1; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { + print HDR "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; + $begin_vendor = $attributes{$attr_val}{'vendor'}; + } + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/A-Z0-9/_/c; + + print HDR "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; +} +print HDR "\n"; + +print HDR "/* Fixed offsets to dictionary definitions of attributes */\n"; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/-/_/; + + print HDR "#define NR_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n"; +} + +print HDR "/* Automatically generated file. Do not edit */\n"; + +close HDR; diff --git a/lib/radius/crypto.c b/lib/radius/crypto.c new file mode 100644 index 0000000..02a223d --- /dev/null +++ b/lib/radius/crypto.c @@ -0,0 +1,233 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file crypto.c + * \brief Data obfuscation and signing, using MD5. + * + * The "encryption" methods defined here are export-safe. The + * technical cryptography name for these functions is "obfuscation". + * They cannot properly be called "encryption", in the same way that + * DES or AES performs encryption. + */ + +/** \cond PRIVATE */ + +#include + + +ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len; + uint8_t digest[16]; + NR_MD5_CTX ctx, secret_ctx; + + if (!output || (outlen < 16) || !input || (inlen == 0) || + !secret || !vector) { + return -NR_ERR_INVALID_ARG; + } + + len = inlen; + if (len > 128) return -NR_ERR_ATTR_OVERFLOW; + + len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */ + + if (outlen < len) return -NR_ERR_ATTR_OVERFLOW; + + memcpy(output, input, len); + memset(output + len, 0, 128 - len); + + nr_MD5Init(&secret_ctx); + nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + for (j = 0; j < len; j += 16) { + ctx = secret_ctx; + + if (j == 0) { + nr_MD5Update(&ctx, vector, 16); + nr_MD5Final(digest, &ctx); + } else { + nr_MD5Update(&ctx, &output[j - 16], 16); + nr_MD5Final(digest, &ctx); + } + + for (i = 0; i < 16; i++) { + output[i + j] ^= digest[i]; + } + } + + return len; +} + +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD +ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len; + NR_MD5_CTX ctx, secret_ctx; + uint8_t digest[16]; + + if (!output || (outlen < 18) || !input || (inlen == 0) || + !secret || !vector) { + return -NR_ERR_INVALID_ARG; + } + + len = ((inlen + 1) + 0x0f) & ~0x0f; + if (len > 251) return -NR_ERR_ATTR_OVERFLOW; + + output[0] = (nr_rand() & 0xff) | 0x80; + output[1] = nr_rand() & 0xff; + output[2] = inlen; + + memcpy(output + 3, input, inlen); + memset(output + 3 + inlen, 0, len - inlen - 1); + + nr_MD5Init(&secret_ctx); + nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + for (j = 0; j < len; j += 16) { + ctx = secret_ctx; + + if (j == 0) { + nr_MD5Update(&ctx, vector, 16); + nr_MD5Update(&ctx, output, 2); + nr_MD5Final(digest, &ctx); + } else { + nr_MD5Update(&ctx, &output[j + 2 - 16], 16); + nr_MD5Final(digest, &ctx); + } + + for (i = 0; i < 16; i++) { + output[i + j + 2] ^= digest[i]; + } + } + + return len + 2; +} + +ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len, encoded_len; + NR_MD5_CTX ctx, secret_ctx; + uint8_t digest[16]; + + if (!output || (outlen < 1) || !input || (inlen < 2) || + !secret || !vector) { + return -NR_ERR_INVALID_ARG; + } + + if (inlen <= 3) { + output[0] = 0; + return 0; + } + + len = inlen - 2; + + if (outlen < (len - 1)) return -NR_ERR_ATTR_OVERFLOW; + + nr_MD5Init(&secret_ctx); + nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + ctx = secret_ctx; + + nr_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */ + nr_MD5Update(&ctx, input, 2); + nr_MD5Final(digest, &ctx); + + encoded_len = input[2] ^ digest[0]; + if (encoded_len >= len) { + return -NR_ERR_ATTR_TOO_LARGE; + } + + for (i = 0; i < 15; i++) { + output[i] = input[i + 3] ^ digest[i + 1]; + } + + for (j = 16; j < len; j += 16) { + ctx = secret_ctx; + + nr_MD5Update(&ctx, input + j - 16 + 2, 16); + nr_MD5Final(digest, &ctx); + + for (i = 0; i < 16; i++) { + output[i + j - 1] = input[i + j + 2] ^ digest[i]; + } + + + } + + output[encoded_len] = '\0'; + return encoded_len; +} +#endif + +void +nr_hmac_md5(const uint8_t *data, size_t data_len, + const uint8_t *key, size_t key_len, + uint8_t digest[16]) +{ + size_t i; + uint8_t k_ipad[64]; + uint8_t k_opad[64]; + uint8_t tk[16]; + NR_MD5_CTX ctx; + + if (key_len > 64) { + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, key, key_len); + nr_MD5Final(tk, &ctx); + + key = tk; + key_len = 16; + } + + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memcpy(k_ipad, key, key_len); + memcpy(k_opad, key, key_len); + + for (i = 0; i < sizeof(k_ipad); i++) { + k_ipad[i] ^= 0x36; + k_opad[i] ^= 0x5c; + } + + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, k_ipad, sizeof(k_ipad)); + nr_MD5Update(&ctx, data, data_len); + nr_MD5Final(digest, &ctx); + + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, k_opad, sizeof(k_opad)); + nr_MD5Update(&ctx, digest, 16); + nr_MD5Final(digest, &ctx); +} + +/** \endcond */ diff --git a/lib/radius/custom.c b/lib/radius/custom.c new file mode 100644 index 0000000..e33cf5a --- /dev/null +++ b/lib/radius/custom.c @@ -0,0 +1,87 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file custom.c + * \brief Functions which should be customized for your local system. + */ + +#include + +#include +#include + +ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) +{ + static int fd = -1; + + if (fd < 0) { + fd = open("/dev/urandom", O_RDONLY); + if (fd < 0) { + nr_strerror_printf("Error opening randomness: %s", + strerror(errno)); + return 0; + } + } + + return read(fd, data, data_len); +} + +uint32_t nr_rand(void) +{ + uint32_t lvalue; + + nr_rand_bytes((void *)&lvalue, sizeof(lvalue)); + return lvalue; +} + + +#ifndef USEC +#define USEC (1000000) +#endif + +void nr_timeval_add(struct timeval *t, unsigned int seconds, unsigned int usec) +{ + t->tv_sec += seconds; + t->tv_sec += usec / USEC; + t->tv_usec += usec % USEC; + if (t->tv_usec > USEC) { + t->tv_sec++; + t->tv_usec -= USEC; + } +} + +int nr_timeval_cmp(const struct timeval *a, const struct timeval *b) +{ + if (a->tv_sec > b->tv_sec) return +1; + if (a->tv_sec < b->tv_sec) return -1; + + if (a->tv_usec > b->tv_usec) return +1; + if (a->tv_usec < b->tv_usec) return -1; + + return 0; +} + diff --git a/lib/radius/dict.c b/lib/radius/dict.c new file mode 100644 index 0000000..26fe7d0 --- /dev/null +++ b/lib/radius/dict.c @@ -0,0 +1,172 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +/** \file dict.c + * \brief Functions for name to number, and number to name mappings. + */ + +const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor) +{ + int start, half, end; + + if (!vendor && (attr > 0) && (attr < 256)) { + if (nr_dict_attrs[attr].name) { + return &nr_dict_attrs[attr]; + } + return NULL; + } + + if (!vendor) return NULL; /* no "non-protocol" attributes */ + + start = 256; /* first 256 entries are "standard" ones */ + end = nr_dict_num_attrs; + + do { + half = (start + end) / 2; + + if ((nr_dict_attrs[half].vendor == vendor) && + (nr_dict_attrs[half].attr == attr)) { + return &nr_dict_attrs[half]; + } + + if ((vendor > nr_dict_attrs[half].vendor) && + (attr > nr_dict_attrs[half].attr)) { + start = half + 1; + } else { + end = half - 1; + } + + } while (start <= end); + + return NULL; +} + +const DICT_ATTR *nr_dict_attr_byname(const char *name) +{ + int start, half, end; + + start = 1; + end = nr_dict_num_names; + + if (!name || !*name) return NULL; + + do { + int rcode; + + half = (start + end) / 2; + + rcode = strcasecmp(name, nr_dict_attr_names[half]->name); + if (rcode == 0) return nr_dict_attr_names[half]; + + if (rcode > 0) { + start = half + 1; + } else { + end = half - 1; + } + + + } while (start <= end); + + return NULL; +} + +int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor, + char *buffer, size_t bufsize) +{ + if (!da || !buffer) return -NR_ERR_INVALID_ARG; + + if (!vendor) { + if (attr > 256) return -NR_ERR_INVALID_ARG; + + } else if (vendor > (1 << 24)) { + return -NR_ERR_INVALID_ARG; + } + + memset(da, 0, sizeof(*da)); + da->attr = attr; + da->flags.unknown = 1; + da->type = NR_TYPE_OCTETS; + da->vendor = vendor; + + if (da->vendor) { + snprintf(buffer, bufsize, "Attr-26.%u.%u", + vendor, attr); + } else { + snprintf(buffer, bufsize, "Attr-%u", attr); + } + da->name = buffer; + + return 0; +} + + +const DICT_VALUE *nr_dict_value_byattr(UNUSED unsigned int attr, + UNUSED unsigned int vendor, + UNUSED int value) +{ + return NULL; +} + +const DICT_VALUE *nr_dict_value_byname(UNUSED unsigned int attr, + UNUSED unsigned int vendor, + UNUSED const char *name) +{ + return NULL; +} + +int nr_dict_vendor_byname(const char *name) +{ + const DICT_VENDOR *dv; + + if (!name || !*name) return 0; + + /* + * O(n) lookup. + */ + for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { + if (strcasecmp(dv->name, name) == 0) return dv->vendor; + } + + return 0; +} + +const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor) +{ + const DICT_VENDOR *dv; + + /* + * O(n) lookup. + */ + for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { + if (dv->vendor == vendor) return dv; + } + + return NULL; +} diff --git a/lib/radius/dictionaries.c b/lib/radius/dictionaries.c new file mode 100644 index 0000000..d1f4b6f --- /dev/null +++ b/lib/radius/dictionaries.c @@ -0,0 +1,1515 @@ +const DICT_VENDOR nr_dict_vendors[] = { + { + .name = "Microsoft", + .vendor = 311, + .type = 1, + .length = 1, + }, + { + .name = "example", + .vendor = 65535, + .type = 1, + .length = 1, + }, + + { .name = NULL, } +}; + +const DICT_ATTR nr_dict_attrs[] = { + { /* 0 */ + .name = NULL, + }, + { /* 1 */ + .name = "User-Name", + .attr = 1, + .type = NR_TYPE_STRING, + }, + { /* 2 */ + .name = "User-Password", + .attr = 2, + .type = NR_TYPE_STRING, + .flags = { + .encrypt = FLAG_ENCRYPT_USER_PASSWORD, + }, + }, + { /* 3 */ + .name = "CHAP-Password", + .attr = 3, + .type = NR_TYPE_OCTETS, + }, + { /* 4 */ + .name = "NAS-IP-Address", + .attr = 4, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, + { /* 5 */ + .name = "NAS-Port", + .attr = 5, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 6 */ + .name = "Service-Type", + .attr = 6, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 7 */ + .name = "Framed-Protocol", + .attr = 7, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 8 */ + .name = "Framed-IP-Address", + .attr = 8, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, + { /* 9 */ + .name = "Framed-IP-Netmask", + .attr = 9, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, + { /* 10 */ + .name = "Framed-Routing", + .attr = 10, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 11 */ + .name = "Filter-Id", + .attr = 11, + .type = NR_TYPE_STRING, + }, + { /* 12 */ + .name = "Framed-MTU", + .attr = 12, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 13 */ + .name = "Framed-Compression", + .attr = 13, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 14 */ + .name = "Login-IP-Host", + .attr = 14, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, + { /* 15 */ + .name = "Login-Service", + .attr = 15, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 16 */ + .name = "Login-TCP-Port", + .attr = 16, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 17 */ + .name = NULL, + }, + { /* 18 */ + .name = "Reply-Message", + .attr = 18, + .type = NR_TYPE_STRING, + }, + { /* 19 */ + .name = "Callback-Number", + .attr = 19, + .type = NR_TYPE_STRING, + }, + { /* 20 */ + .name = "Callback-Id", + .attr = 20, + .type = NR_TYPE_STRING, + }, + { /* 21 */ + .name = NULL, + }, + { /* 22 */ + .name = "Framed-Route", + .attr = 22, + .type = NR_TYPE_STRING, + }, + { /* 23 */ + .name = "Framed-IPX-Network", + .attr = 23, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, + { /* 24 */ + .name = "State", + .attr = 24, + .type = NR_TYPE_OCTETS, + }, + { /* 25 */ + .name = "Class", + .attr = 25, + .type = NR_TYPE_OCTETS, + }, + { /* 26 */ + .name = "Vendor-Specific", + .attr = 26, + .type = NR_TYPE_OCTETS, + }, + { /* 27 */ + .name = "Session-Timeout", + .attr = 27, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 28 */ + .name = "Idle-Timeout", + .attr = 28, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 29 */ + .name = "Termination-Action", + .attr = 29, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 30 */ + .name = "Called-Station-Id", + .attr = 30, + .type = NR_TYPE_STRING, + }, + { /* 31 */ + .name = "Calling-Station-Id", + .attr = 31, + .type = NR_TYPE_STRING, + }, + { /* 32 */ + .name = "NAS-Identifier", + .attr = 32, + .type = NR_TYPE_STRING, + }, + { /* 33 */ + .name = "Proxy-State", + .attr = 33, + .type = NR_TYPE_OCTETS, + }, + { /* 34 */ + .name = "Login-LAT-Service", + .attr = 34, + .type = NR_TYPE_STRING, + }, + { /* 35 */ + .name = "Login-LAT-Node", + .attr = 35, + .type = NR_TYPE_STRING, + }, + { /* 36 */ + .name = "Login-LAT-Group", + .attr = 36, + .type = NR_TYPE_OCTETS, + }, + { /* 37 */ + .name = "Framed-AppleTalk-Link", + .attr = 37, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 38 */ + .name = "Framed-AppleTalk-Network", + .attr = 38, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 39 */ + .name = "Framed-AppleTalk-Zone", + .attr = 39, + .type = NR_TYPE_STRING, + }, + { /* 40 */ + .name = "Acct-Status-Type", + .attr = 40, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 41 */ + .name = "Acct-Delay-Time", + .attr = 41, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 42 */ + .name = "Acct-Input-Octets", + .attr = 42, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 43 */ + .name = "Acct-Output-Octets", + .attr = 43, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 44 */ + .name = "Acct-Session-Id", + .attr = 44, + .type = NR_TYPE_STRING, + }, + { /* 45 */ + .name = "Acct-Authentic", + .attr = 45, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 46 */ + .name = "Acct-Session-Time", + .attr = 46, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 47 */ + .name = "Acct-Input-Packets", + .attr = 47, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 48 */ + .name = "Acct-Output-Packets", + .attr = 48, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 49 */ + .name = "Acct-Terminate-Cause", + .attr = 49, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 50 */ + .name = "Acct-Multi-Session-Id", + .attr = 50, + .type = NR_TYPE_STRING, + }, + { /* 51 */ + .name = "Acct-Link-Count", + .attr = 51, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 52 */ + .name = "Acct-Input-Gigawords", + .attr = 52, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 53 */ + .name = "Acct-Output-Gigawords", + .attr = 53, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 54 */ + .name = NULL, + }, + { /* 55 */ + .name = "Event-Timestamp", + .attr = 55, + .type = NR_TYPE_DATE, + .flags = { + .length = 4, + }, + }, + { /* 56 */ + .name = "Egress-VLANID", + .attr = 56, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 57 */ + .name = "Ingress-Filters", + .attr = 57, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 58 */ + .name = "Egress-VLAN-Name", + .attr = 58, + .type = NR_TYPE_STRING, + }, + { /* 59 */ + .name = "User-Priority-Table", + .attr = 59, + .type = NR_TYPE_OCTETS, + }, + { /* 60 */ + .name = "CHAP-Challenge", + .attr = 60, + .type = NR_TYPE_OCTETS, + }, + { /* 61 */ + .name = "NAS-Port-Type", + .attr = 61, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 62 */ + .name = "Port-Limit", + .attr = 62, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 63 */ + .name = "Login-LAT-Port", + .attr = 63, + .type = NR_TYPE_STRING, + }, + { /* 64 */ + .name = "Tunnel-Type", + .attr = 64, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + .has_tag = 1, + }, + }, + { /* 65 */ + .name = "Tunnel-Medium-Type", + .attr = 65, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + .has_tag = 1, + }, + }, + { /* 66 */ + .name = "Tunnel-Client-Endpoint", + .attr = 66, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 67 */ + .name = "Tunnel-Server-Endpoint", + .attr = 67, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 68 */ + .name = "Acct-Tunnel-Connection", + .attr = 68, + .type = NR_TYPE_STRING, + }, + { /* 69 */ + .name = "Tunnel-Password", + .attr = 69, + .type = NR_TYPE_STRING, + .flags = { + .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, + .has_tag = 1, + }, + }, + { /* 70 */ + .name = "ARAP-Password", + .attr = 70, + .type = NR_TYPE_OCTETS, + .flags = { + .length = 16, + }, + }, + { /* 71 */ + .name = "ARAP-Features", + .attr = 71, + .type = NR_TYPE_OCTETS, + .flags = { + .length = 14, + }, + }, + { /* 72 */ + .name = "ARAP-Zone-Access", + .attr = 72, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 73 */ + .name = "ARAP-Security", + .attr = 73, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 74 */ + .name = "ARAP-Security-Data", + .attr = 74, + .type = NR_TYPE_STRING, + }, + { /* 75 */ + .name = "Password-Retry", + .attr = 75, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 76 */ + .name = "Prompt", + .attr = 76, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 77 */ + .name = "Connect-Info", + .attr = 77, + .type = NR_TYPE_STRING, + }, + { /* 78 */ + .name = "Configuration-Token", + .attr = 78, + .type = NR_TYPE_STRING, + }, + { /* 79 */ + .name = "EAP-Message", + .attr = 79, + .type = NR_TYPE_OCTETS, + }, + { /* 80 */ + .name = "Message-Authenticator", + .attr = 80, + .type = NR_TYPE_OCTETS, + }, + { /* 81 */ + .name = "Tunnel-Private-Group-Id", + .attr = 81, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 82 */ + .name = "Tunnel-Assignment-Id", + .attr = 82, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 83 */ + .name = "Tunnel-Preference", + .attr = 83, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + .has_tag = 1, + }, + }, + { /* 84 */ + .name = "ARAP-Challenge-Response", + .attr = 84, + .type = NR_TYPE_OCTETS, + .flags = { + .length = 8, + }, + }, + { /* 85 */ + .name = "Acct-Interim-Interval", + .attr = 85, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 86 */ + .name = "Acct-Tunnel-Packets-Lost", + .attr = 86, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 87 */ + .name = "NAS-Port-Id", + .attr = 87, + .type = NR_TYPE_STRING, + }, + { /* 88 */ + .name = "Framed-Pool", + .attr = 88, + .type = NR_TYPE_STRING, + }, + { /* 89 */ + .name = "Chargeable-User-Identity", + .attr = 89, + .type = NR_TYPE_STRING, + }, + { /* 90 */ + .name = "Tunnel-Client-Auth-Id", + .attr = 90, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 91 */ + .name = "Tunnel-Server-Auth-Id", + .attr = 91, + .type = NR_TYPE_STRING, + .flags = { + .has_tag = 1, + }, + }, + { /* 92 */ + .name = "NAS-Filter-Rule", + .attr = 92, + .type = NR_TYPE_STRING, + }, + { /* 93 */ + .name = NULL, + }, + { /* 94 */ + .name = NULL, + }, + { /* 95 */ + .name = "NAS-IPv6-Address", + .attr = 95, + .type = NR_TYPE_IPV6ADDR, + .flags = { + .length = 16, + }, + }, + { /* 96 */ + .name = "Framed-Interface-Id", + .attr = 96, + .type = NR_TYPE_IFID, + .flags = { + .length = 8, + }, + }, + { /* 97 */ + .name = "Framed-IPv6-Prefix", + .attr = 97, + .type = NR_TYPE_IPV6PREFIX, + }, + { /* 98 */ + .name = "Login-IPv6-Host", + .attr = 98, + .type = NR_TYPE_IPV6ADDR, + .flags = { + .length = 16, + }, + }, + { /* 99 */ + .name = "Framed-IPv6-Route", + .attr = 99, + .type = NR_TYPE_STRING, + }, + { /* 100 */ + .name = "Framed-IPv6-Pool", + .attr = 100, + .type = NR_TYPE_STRING, + }, + { /* 101 */ + .name = "Error-Cause", + .attr = 101, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 102 */ + .name = "EAP-Key-Name", + .attr = 102, + .type = NR_TYPE_STRING, + }, + { /* 103 */ + .name = "Digest-Response", + .attr = 103, + .type = NR_TYPE_STRING, + }, + { /* 104 */ + .name = "Digest-Realm", + .attr = 104, + .type = NR_TYPE_STRING, + }, + { /* 105 */ + .name = "Digest-Nonce", + .attr = 105, + .type = NR_TYPE_STRING, + }, + { /* 106 */ + .name = "Digest-Response-Auth", + .attr = 106, + .type = NR_TYPE_STRING, + }, + { /* 107 */ + .name = "Digest-Nextnonce", + .attr = 107, + .type = NR_TYPE_STRING, + }, + { /* 108 */ + .name = "Digest-Method", + .attr = 108, + .type = NR_TYPE_STRING, + }, + { /* 109 */ + .name = "Digest-URI", + .attr = 109, + .type = NR_TYPE_STRING, + }, + { /* 110 */ + .name = "Digest-Qop", + .attr = 110, + .type = NR_TYPE_STRING, + }, + { /* 111 */ + .name = "Digest-Algorithm", + .attr = 111, + .type = NR_TYPE_STRING, + }, + { /* 112 */ + .name = "Digest-Entity-Body-Hash", + .attr = 112, + .type = NR_TYPE_STRING, + }, + { /* 113 */ + .name = "Digest-CNonce", + .attr = 113, + .type = NR_TYPE_STRING, + }, + { /* 114 */ + .name = "Digest-Nonce-Count", + .attr = 114, + .type = NR_TYPE_STRING, + }, + { /* 115 */ + .name = "Digest-Username", + .attr = 115, + .type = NR_TYPE_STRING, + }, + { /* 116 */ + .name = "Digest-Opaque", + .attr = 116, + .type = NR_TYPE_STRING, + }, + { /* 117 */ + .name = "Digest-Auth-Param", + .attr = 117, + .type = NR_TYPE_STRING, + }, + { /* 118 */ + .name = "Digest-AKA-Auts", + .attr = 118, + .type = NR_TYPE_STRING, + }, + { /* 119 */ + .name = "Digest-Domain", + .attr = 119, + .type = NR_TYPE_STRING, + }, + { /* 120 */ + .name = "Digest-Stale", + .attr = 120, + .type = NR_TYPE_STRING, + }, + { /* 121 */ + .name = "Digest-HA1", + .attr = 121, + .type = NR_TYPE_STRING, + }, + { /* 122 */ + .name = "SIP-AOR", + .attr = 122, + .type = NR_TYPE_STRING, + }, + { /* 123 */ + .name = "Delegated-IPv6-Prefix", + .attr = 123, + .type = NR_TYPE_IPV6PREFIX, + }, + { /* 124 */ + .name = NULL, + }, + { /* 125 */ + .name = NULL, + }, + { /* 126 */ + .name = "Operator-Name", + .attr = 126, + .type = NR_TYPE_STRING, + }, + { /* 127 */ + .name = "Location-Information", + .attr = 127, + .type = NR_TYPE_OCTETS, + }, + { /* 128 */ + .name = "Location-Data", + .attr = 128, + .type = NR_TYPE_OCTETS, + }, + { /* 129 */ + .name = "Basic-Location-Policy-Rules", + .attr = 129, + .type = NR_TYPE_OCTETS, + }, + { /* 130 */ + .name = "Extended-Location-Policy-Rules", + .attr = 130, + .type = NR_TYPE_OCTETS, + }, + { /* 131 */ + .name = "Location-Capable", + .attr = 131, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 132 */ + .name = "Requested-Location-Info", + .attr = 132, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 133 */ + .name = "Framed-Management", + .attr = 133, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 134 */ + .name = "Management-Transport-Protection", + .attr = 134, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 135 */ + .name = "Management-Policy-Id", + .attr = 135, + .type = NR_TYPE_STRING, + }, + { /* 136 */ + .name = "Management-Privilege-Level", + .attr = 136, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 137 */ + .name = "PKM-SS-Cert", + .attr = 137, + .type = NR_TYPE_OCTETS, + }, + { /* 138 */ + .name = "PKM-CA-Cert", + .attr = 138, + .type = NR_TYPE_OCTETS, + }, + { /* 139 */ + .name = "PKM-Config-Settings", + .attr = 139, + .type = NR_TYPE_OCTETS, + }, + { /* 140 */ + .name = "PKM-Cryptosuite-List", + .attr = 140, + .type = NR_TYPE_OCTETS, + }, + { /* 141 */ + .name = "PKM-SAID", + .attr = 141, + .type = NR_TYPE_SHORT, + .flags = { + .length = 2, + }, + }, + { /* 142 */ + .name = "PKM-SA-Descriptor", + .attr = 142, + .type = NR_TYPE_OCTETS, + }, + { /* 143 */ + .name = "PKM-Auth-Key", + .attr = 143, + .type = NR_TYPE_OCTETS, + }, + { /* 144 */ + .name = NULL, + }, + { /* 145 */ + .name = NULL, + }, + { /* 146 */ + .name = NULL, + }, + { /* 147 */ + .name = NULL, + }, + { /* 148 */ + .name = NULL, + }, + { /* 149 */ + .name = NULL, + }, + { /* 150 */ + .name = NULL, + }, + { /* 151 */ + .name = NULL, + }, + { /* 152 */ + .name = NULL, + }, + { /* 153 */ + .name = NULL, + }, + { /* 154 */ + .name = NULL, + }, + { /* 155 */ + .name = NULL, + }, + { /* 156 */ + .name = NULL, + }, + { /* 157 */ + .name = NULL, + }, + { /* 158 */ + .name = NULL, + }, + { /* 159 */ + .name = NULL, + }, + { /* 160 */ + .name = NULL, + }, + { /* 161 */ + .name = NULL, + }, + { /* 162 */ + .name = NULL, + }, + { /* 163 */ + .name = NULL, + }, + { /* 164 */ + .name = NULL, + }, + { /* 165 */ + .name = NULL, + }, + { /* 166 */ + .name = NULL, + }, + { /* 167 */ + .name = NULL, + }, + { /* 168 */ + .name = NULL, + }, + { /* 169 */ + .name = NULL, + }, + { /* 170 */ + .name = NULL, + }, + { /* 171 */ + .name = NULL, + }, + { /* 172 */ + .name = NULL, + }, + { /* 173 */ + .name = NULL, + }, + { /* 174 */ + .name = NULL, + }, + { /* 175 */ + .name = NULL, + }, + { /* 176 */ + .name = NULL, + }, + { /* 177 */ + .name = NULL, + }, + { /* 178 */ + .name = NULL, + }, + { /* 179 */ + .name = NULL, + }, + { /* 180 */ + .name = NULL, + }, + { /* 181 */ + .name = NULL, + }, + { /* 182 */ + .name = NULL, + }, + { /* 183 */ + .name = NULL, + }, + { /* 184 */ + .name = NULL, + }, + { /* 185 */ + .name = NULL, + }, + { /* 186 */ + .name = NULL, + }, + { /* 187 */ + .name = NULL, + }, + { /* 188 */ + .name = NULL, + }, + { /* 189 */ + .name = NULL, + }, + { /* 190 */ + .name = NULL, + }, + { /* 191 */ + .name = NULL, + }, + { /* 192 */ + .name = NULL, + }, + { /* 193 */ + .name = NULL, + }, + { /* 194 */ + .name = NULL, + }, + { /* 195 */ + .name = NULL, + }, + { /* 196 */ + .name = NULL, + }, + { /* 197 */ + .name = NULL, + }, + { /* 198 */ + .name = NULL, + }, + { /* 199 */ + .name = NULL, + }, + { /* 200 */ + .name = NULL, + }, + { /* 201 */ + .name = NULL, + }, + { /* 202 */ + .name = NULL, + }, + { /* 203 */ + .name = NULL, + }, + { /* 204 */ + .name = NULL, + }, + { /* 205 */ + .name = NULL, + }, + { /* 206 */ + .name = NULL, + }, + { /* 207 */ + .name = NULL, + }, + { /* 208 */ + .name = NULL, + }, + { /* 209 */ + .name = NULL, + }, + { /* 210 */ + .name = NULL, + }, + { /* 211 */ + .name = NULL, + }, + { /* 212 */ + .name = NULL, + }, + { /* 213 */ + .name = NULL, + }, + { /* 214 */ + .name = NULL, + }, + { /* 215 */ + .name = NULL, + }, + { /* 216 */ + .name = NULL, + }, + { /* 217 */ + .name = NULL, + }, + { /* 218 */ + .name = NULL, + }, + { /* 219 */ + .name = NULL, + }, + { /* 220 */ + .name = NULL, + }, + { /* 221 */ + .name = NULL, + }, + { /* 222 */ + .name = NULL, + }, + { /* 223 */ + .name = NULL, + }, + { /* 224 */ + .name = NULL, + }, + { /* 225 */ + .name = NULL, + }, + { /* 226 */ + .name = NULL, + }, + { /* 227 */ + .name = NULL, + }, + { /* 228 */ + .name = NULL, + }, + { /* 229 */ + .name = NULL, + }, + { /* 230 */ + .name = NULL, + }, + { /* 231 */ + .name = NULL, + }, + { /* 232 */ + .name = NULL, + }, + { /* 233 */ + .name = NULL, + }, + { /* 234 */ + .name = NULL, + }, + { /* 235 */ + .name = NULL, + }, + { /* 236 */ + .name = NULL, + }, + { /* 237 */ + .name = NULL, + }, + { /* 238 */ + .name = NULL, + }, + { /* 239 */ + .name = NULL, + }, + { /* 240 */ + .name = NULL, + }, + { /* 241 */ + .name = NULL, + }, + { /* 242 */ + .name = NULL, + }, + { /* 243 */ + .name = NULL, + }, + { /* 244 */ + .name = NULL, + }, + { /* 245 */ + .name = NULL, + }, + { /* 246 */ + .name = NULL, + }, + { /* 247 */ + .name = NULL, + }, + { /* 248 */ + .name = NULL, + }, + { /* 249 */ + .name = NULL, + }, + { /* 250 */ + .name = NULL, + }, + { /* 251 */ + .name = NULL, + }, + { /* 252 */ + .name = NULL, + }, + { /* 253 */ + .name = NULL, + }, + { /* 254 */ + .name = NULL, + }, + { /* 255 */ + .name = NULL, + }, + { /* 256 */ + .name = "MS-CHAP-Response", + .vendor = 311, + .attr = 1, + .type = NR_TYPE_OCTETS, + }, + { /* 257 */ + .name = "MS-CHAP-Error", + .vendor = 311, + .attr = 2, + .type = NR_TYPE_STRING, + }, + { /* 258 */ + .name = "MS-MPPE-Encryption-Policy", + .vendor = 311, + .attr = 7, + .type = NR_TYPE_OCTETS, + }, + { /* 259 */ + .name = "MS-MPPE-Encryption-Types", + .vendor = 311, + .attr = 8, + .type = NR_TYPE_OCTETS, + }, + { /* 260 */ + .name = "MS-CHAP-Domain", + .vendor = 311, + .attr = 10, + .type = NR_TYPE_STRING, + }, + { /* 261 */ + .name = "MS-CHAP-Challenge", + .vendor = 311, + .attr = 11, + .type = NR_TYPE_OCTETS, + }, + { /* 262 */ + .name = "MS-CHAP-MPPE-Keys", + .vendor = 311, + .attr = 12, + .type = NR_TYPE_OCTETS, + .flags = { + .encrypt = FLAG_ENCRYPT_USER_PASSWORD, + }, + }, + { /* 263 */ + .name = "MS-MPPE-Send-Key", + .vendor = 311, + .attr = 16, + .type = NR_TYPE_OCTETS, + .flags = { + .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, + }, + }, + { /* 264 */ + .name = "MS-MPPE-Recv-Key", + .vendor = 311, + .attr = 17, + .type = NR_TYPE_OCTETS, + .flags = { + .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, + }, + }, + { /* 265 */ + .name = "MS-CHAP2-Response", + .vendor = 311, + .attr = 25, + .type = NR_TYPE_OCTETS, + }, + { /* 266 */ + .name = "MS-CHAP2-Success", + .vendor = 311, + .attr = 26, + .type = NR_TYPE_OCTETS, + }, + { /* 267 */ + .name = "Example-Integer", + .vendor = 65535, + .attr = 1, + .type = NR_TYPE_INTEGER, + .flags = { + .length = 4, + }, + }, + { /* 268 */ + .name = "Example-String", + .vendor = 65535, + .attr = 2, + .type = NR_TYPE_STRING, + }, + { /* 269 */ + .name = "Example-IP-Address", + .vendor = 65535, + .attr = 3, + .type = NR_TYPE_IPADDR, + .flags = { + .length = 4, + }, + }, +}; + +const int nr_dict_num_attrs = 269; + +const int nr_dict_num_names = 149; + +const DICT_ATTR *nr_dict_attr_names[] = { + &nr_dict_attrs[45], /* Acct-Authentic */ + &nr_dict_attrs[41], /* Acct-Delay-Time */ + &nr_dict_attrs[52], /* Acct-Input-Gigawords */ + &nr_dict_attrs[42], /* Acct-Input-Octets */ + &nr_dict_attrs[47], /* Acct-Input-Packets */ + &nr_dict_attrs[85], /* Acct-Interim-Interval */ + &nr_dict_attrs[51], /* Acct-Link-Count */ + &nr_dict_attrs[50], /* Acct-Multi-Session-Id */ + &nr_dict_attrs[53], /* Acct-Output-Gigawords */ + &nr_dict_attrs[43], /* Acct-Output-Octets */ + &nr_dict_attrs[48], /* Acct-Output-Packets */ + &nr_dict_attrs[44], /* Acct-Session-Id */ + &nr_dict_attrs[46], /* Acct-Session-Time */ + &nr_dict_attrs[40], /* Acct-Status-Type */ + &nr_dict_attrs[49], /* Acct-Terminate-Cause */ + &nr_dict_attrs[68], /* Acct-Tunnel-Connection */ + &nr_dict_attrs[86], /* Acct-Tunnel-Packets-Lost */ + &nr_dict_attrs[84], /* ARAP-Challenge-Response */ + &nr_dict_attrs[71], /* ARAP-Features */ + &nr_dict_attrs[70], /* ARAP-Password */ + &nr_dict_attrs[73], /* ARAP-Security */ + &nr_dict_attrs[74], /* ARAP-Security-Data */ + &nr_dict_attrs[72], /* ARAP-Zone-Access */ + &nr_dict_attrs[129], /* Basic-Location-Policy-Rules */ + &nr_dict_attrs[20], /* Callback-Id */ + &nr_dict_attrs[19], /* Callback-Number */ + &nr_dict_attrs[30], /* Called-Station-Id */ + &nr_dict_attrs[31], /* Calling-Station-Id */ + &nr_dict_attrs[60], /* CHAP-Challenge */ + &nr_dict_attrs[3], /* CHAP-Password */ + &nr_dict_attrs[89], /* Chargeable-User-Identity */ + &nr_dict_attrs[25], /* Class */ + &nr_dict_attrs[78], /* Configuration-Token */ + &nr_dict_attrs[77], /* Connect-Info */ + &nr_dict_attrs[123], /* Delegated-IPv6-Prefix */ + &nr_dict_attrs[118], /* Digest-AKA-Auts */ + &nr_dict_attrs[111], /* Digest-Algorithm */ + &nr_dict_attrs[117], /* Digest-Auth-Param */ + &nr_dict_attrs[113], /* Digest-CNonce */ + &nr_dict_attrs[119], /* Digest-Domain */ + &nr_dict_attrs[112], /* Digest-Entity-Body-Hash */ + &nr_dict_attrs[121], /* Digest-HA1 */ + &nr_dict_attrs[108], /* Digest-Method */ + &nr_dict_attrs[107], /* Digest-Nextnonce */ + &nr_dict_attrs[105], /* Digest-Nonce */ + &nr_dict_attrs[114], /* Digest-Nonce-Count */ + &nr_dict_attrs[116], /* Digest-Opaque */ + &nr_dict_attrs[110], /* Digest-Qop */ + &nr_dict_attrs[104], /* Digest-Realm */ + &nr_dict_attrs[103], /* Digest-Response */ + &nr_dict_attrs[106], /* Digest-Response-Auth */ + &nr_dict_attrs[120], /* Digest-Stale */ + &nr_dict_attrs[109], /* Digest-URI */ + &nr_dict_attrs[115], /* Digest-Username */ + &nr_dict_attrs[102], /* EAP-Key-Name */ + &nr_dict_attrs[79], /* EAP-Message */ + &nr_dict_attrs[58], /* Egress-VLAN-Name */ + &nr_dict_attrs[56], /* Egress-VLANID */ + &nr_dict_attrs[101], /* Error-Cause */ + &nr_dict_attrs[55], /* Event-Timestamp */ + &nr_dict_attrs[267], /* Example-Integer */ + &nr_dict_attrs[269], /* Example-IP-Address */ + &nr_dict_attrs[268], /* Example-String */ + &nr_dict_attrs[130], /* Extended-Location-Policy-Rules */ + &nr_dict_attrs[11], /* Filter-Id */ + &nr_dict_attrs[37], /* Framed-AppleTalk-Link */ + &nr_dict_attrs[38], /* Framed-AppleTalk-Network */ + &nr_dict_attrs[39], /* Framed-AppleTalk-Zone */ + &nr_dict_attrs[13], /* Framed-Compression */ + &nr_dict_attrs[96], /* Framed-Interface-Id */ + &nr_dict_attrs[8], /* Framed-IP-Address */ + &nr_dict_attrs[9], /* Framed-IP-Netmask */ + &nr_dict_attrs[100], /* Framed-IPv6-Pool */ + &nr_dict_attrs[97], /* Framed-IPv6-Prefix */ + &nr_dict_attrs[99], /* Framed-IPv6-Route */ + &nr_dict_attrs[23], /* Framed-IPX-Network */ + &nr_dict_attrs[133], /* Framed-Management */ + &nr_dict_attrs[12], /* Framed-MTU */ + &nr_dict_attrs[88], /* Framed-Pool */ + &nr_dict_attrs[7], /* Framed-Protocol */ + &nr_dict_attrs[22], /* Framed-Route */ + &nr_dict_attrs[10], /* Framed-Routing */ + &nr_dict_attrs[28], /* Idle-Timeout */ + &nr_dict_attrs[57], /* Ingress-Filters */ + &nr_dict_attrs[131], /* Location-Capable */ + &nr_dict_attrs[128], /* Location-Data */ + &nr_dict_attrs[127], /* Location-Information */ + &nr_dict_attrs[14], /* Login-IP-Host */ + &nr_dict_attrs[98], /* Login-IPv6-Host */ + &nr_dict_attrs[36], /* Login-LAT-Group */ + &nr_dict_attrs[35], /* Login-LAT-Node */ + &nr_dict_attrs[63], /* Login-LAT-Port */ + &nr_dict_attrs[34], /* Login-LAT-Service */ + &nr_dict_attrs[15], /* Login-Service */ + &nr_dict_attrs[16], /* Login-TCP-Port */ + &nr_dict_attrs[135], /* Management-Policy-Id */ + &nr_dict_attrs[136], /* Management-Privilege-Level */ + &nr_dict_attrs[134], /* Management-Transport-Protection */ + &nr_dict_attrs[80], /* Message-Authenticator */ + &nr_dict_attrs[261], /* MS-CHAP-Challenge */ + &nr_dict_attrs[260], /* MS-CHAP-Domain */ + &nr_dict_attrs[257], /* MS-CHAP-Error */ + &nr_dict_attrs[262], /* MS-CHAP-MPPE-Keys */ + &nr_dict_attrs[256], /* MS-CHAP-Response */ + &nr_dict_attrs[265], /* MS-CHAP2-Response */ + &nr_dict_attrs[266], /* MS-CHAP2-Success */ + &nr_dict_attrs[258], /* MS-MPPE-Encryption-Policy */ + &nr_dict_attrs[259], /* MS-MPPE-Encryption-Types */ + &nr_dict_attrs[264], /* MS-MPPE-Recv-Key */ + &nr_dict_attrs[263], /* MS-MPPE-Send-Key */ + &nr_dict_attrs[92], /* NAS-Filter-Rule */ + &nr_dict_attrs[32], /* NAS-Identifier */ + &nr_dict_attrs[4], /* NAS-IP-Address */ + &nr_dict_attrs[95], /* NAS-IPv6-Address */ + &nr_dict_attrs[5], /* NAS-Port */ + &nr_dict_attrs[87], /* NAS-Port-Id */ + &nr_dict_attrs[61], /* NAS-Port-Type */ + &nr_dict_attrs[126], /* Operator-Name */ + &nr_dict_attrs[75], /* Password-Retry */ + &nr_dict_attrs[143], /* PKM-Auth-Key */ + &nr_dict_attrs[138], /* PKM-CA-Cert */ + &nr_dict_attrs[139], /* PKM-Config-Settings */ + &nr_dict_attrs[140], /* PKM-Cryptosuite-List */ + &nr_dict_attrs[142], /* PKM-SA-Descriptor */ + &nr_dict_attrs[141], /* PKM-SAID */ + &nr_dict_attrs[137], /* PKM-SS-Cert */ + &nr_dict_attrs[62], /* Port-Limit */ + &nr_dict_attrs[76], /* Prompt */ + &nr_dict_attrs[33], /* Proxy-State */ + &nr_dict_attrs[18], /* Reply-Message */ + &nr_dict_attrs[132], /* Requested-Location-Info */ + &nr_dict_attrs[6], /* Service-Type */ + &nr_dict_attrs[27], /* Session-Timeout */ + &nr_dict_attrs[122], /* SIP-AOR */ + &nr_dict_attrs[24], /* State */ + &nr_dict_attrs[29], /* Termination-Action */ + &nr_dict_attrs[82], /* Tunnel-Assignment-Id */ + &nr_dict_attrs[90], /* Tunnel-Client-Auth-Id */ + &nr_dict_attrs[66], /* Tunnel-Client-Endpoint */ + &nr_dict_attrs[65], /* Tunnel-Medium-Type */ + &nr_dict_attrs[69], /* Tunnel-Password */ + &nr_dict_attrs[83], /* Tunnel-Preference */ + &nr_dict_attrs[81], /* Tunnel-Private-Group-Id */ + &nr_dict_attrs[91], /* Tunnel-Server-Auth-Id */ + &nr_dict_attrs[67], /* Tunnel-Server-Endpoint */ + &nr_dict_attrs[64], /* Tunnel-Type */ + &nr_dict_attrs[1], /* User-Name */ + &nr_dict_attrs[2], /* User-Password */ + &nr_dict_attrs[59], /* User-Priority-Table */ + &nr_dict_attrs[26], /* Vendor-Specific */ +}; + diff --git a/lib/radius/doc.txt b/lib/radius/doc.txt new file mode 100644 index 0000000..09a8415 --- /dev/null +++ b/lib/radius/doc.txt @@ -0,0 +1,41 @@ +/** + +\file doc.txt +\brief The main documentation. + +\mainpage The Network RADIUS Client Library + +This client library is intended for use in embedded systems. It is +small with a simple API, yet has more functionality than most +commercial or Open Source products. + +\section License + +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +\ref dictionaries.txt "Dictionaries and dictionary formats" + +*/ diff --git a/lib/radius/doxygen.conf b/lib/radius/doxygen.conf new file mode 100644 index 0000000..e310771 --- /dev/null +++ b/lib/radius/doxygen.conf @@ -0,0 +1,1417 @@ +# Doxyfile 1.5.6 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = networkclient + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, +# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), +# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, +# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, +# and Ukrainian. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = NO + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the DETAILS_AT_TOP tag is set to YES then Doxygen +# will output the detailed description near the top, like JavaDoc. +# If set to NO, the detailed description appears after the member +# documentation. + +DETAILS_AT_TOP = YES + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate getter +# and setter methods for a property. Setting this option to YES (the default) +# will make doxygen to replace the get and set methods by a property in the +# documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. + +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = YES + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = YES + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = NO + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = NO + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = NO + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# Set the SHOW_FILES tag to NO to disable the generation of the Files page. +# This will remove the Files entry from the Quick Index and from the +# Folder Tree View (if specified). The default is YES. + +SHOW_FILES = YES + +# Set the SHOW_NAMESPACES tag to NO to disable the generation of the +# Namespaces page. This will remove the Namespaces entry from the Quick Index +# and from the Folder Tree View (if specified). The default is YES. + +SHOW_NAMESPACES = YES + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from +# the version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text" + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. + +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = . doc/ + +# This tag can be used to specify the character encoding of the source files +# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is +# also the default input encoding. Doxygen uses libiconv (or the iconv built +# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for +# the list of possible encodings. + +INPUT_ENCODING = UTF-8 + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 + +FILE_PATTERNS = *.txt *.[ch] + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. + +RECURSIVE = NO + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a Unix filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = + +# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names +# (namespaces, classes, functions, etc.) that should be excluded from the +# output. The symbol name can be a fully qualified name, a word, or if the +# wildcard * is used, a substring. Examples: ANamespace, AClass, +# AClass::ANamespace, ANamespace::*Test + +EXCLUDE_SYMBOLS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = examples + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = *.[ch] + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. + +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command , where +# is the value of the INPUT_FILTER tag, and is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. + +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. + +SOURCE_BROWSER = NO + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. + +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = YES + +# If the REFERENCES_RELATION tag is set to YES +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = YES + +# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) +# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from +# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will +# link to the source code. Otherwise they will link to the documentstion. + +REFERENCES_LINK_SOURCE = NO + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. + +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. + +ALPHABETICAL_INDEX = NO + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the GENERATE_DOCSET tag is set to YES, additional index files +# will be generated that can be used as input for Apple's Xcode 3 +# integrated development environment, introduced with OSX 10.5 (Leopard). +# To create a documentation set, doxygen will generate a Makefile in the +# HTML output directory. Running make will produce the docset in that +# directory and running "make install" will install the docset in +# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find +# it at startup. + +GENERATE_DOCSET = NO + +# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the +# feed. A documentation feed provides an umbrella under which multiple +# documentation sets from a single provider (such as a company or product suite) +# can be grouped. + +DOCSET_FEEDNAME = "Doxygen generated docs" + +# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that +# should uniquely identify the documentation set bundle. This should be a +# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen +# will append .docset to the name. + +DOCSET_BUNDLE_ID = org.doxygen.Project + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). + +HTML_DYNAMIC_SECTIONS = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. + +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING +# is used to encode HtmlHelp index (hhk), content (hhc) and project file +# content. + +CHM_INDEX_ENCODING = + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. + +TOC_EXPAND = NO + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. + +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. +# If the tag value is set to FRAME, a side panel will be generated +# containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, +# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are +# probably better off using the HTML help feature. Other possible values +# for this tag are: HIERARCHIES, which will generate the Groups, Directories, +# and Class Hiererachy pages using a tree view instead of an ordered list; +# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which +# disables this behavior completely. For backwards compatibility with previous +# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE +# respectively. + +GENERATE_TREEVIEW = YES + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. + +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. This is useful +# if you want to understand what is going on. On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). + +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = YES + +# By default doxygen will write a font called FreeSans.ttf to the output +# directory and reference it in all dot files that doxygen generates. This +# font does not include all possible unicode characters however, so when you need +# these (or just want a differently looking font) you can specify the font name +# using DOT_FONTNAME. You need need to make sure dot is able to find the font, +# which can be done by putting it in a standard location or by setting the +# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory +# containing the font. + +DOT_FONTNAME = FreeSans + +# By default doxygen will tell dot to use the output directory to look for the +# FreeSans.ttf font (which doxygen will put there itself). If you specify a +# different font using DOT_FONTNAME you can set the path where dot +# can find it using this tag. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = YES + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is enabled by default, which results in a transparent +# background. Warning: Depending on the platform used, enabling this option +# may lead to badly anti-aliased labels on the edges of a graph (i.e. they +# become hard to read). + +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to the search engine +#--------------------------------------------------------------------------- + +# The SEARCHENGINE tag specifies whether or not a search engine should be +# used. If set to NO the values of all tags below this one will be ignored. + +SEARCHENGINE = NO diff --git a/lib/radius/examples/Makefile b/lib/radius/examples/Makefile new file mode 100644 index 0000000..f39c343 --- /dev/null +++ b/lib/radius/examples/Makefile @@ -0,0 +1,54 @@ +# +# GNU Makefile +# +.PHONY: all clean install + +SRCS = example_1.c example_2.c example_3.c example_4.c + +OBJS := ${SRCS:.c=.o} +PROGRAMS := ${SRCS:.c=} + +all: ${PROGRAMS} + +HEADERS := ../client.h ../radius.h + +${OBJS}: ${HEADERS} + +$(info ${PROGRAMS} ${OBJS}) + +${PROGRAMS}: ../libnetworkradius-client.a + + +%.o : %.c + $(CC) $(CFLAGS) -I.. -I. -c $< + +%.o: ${HEADERS} + +LDFLAGS = -L.. -lnetworkradius-client -lcrypto -lssl +CFLAGS = -I.. + +../libnetworkradius-client.a: + @${MAKE} -C .. libnetworkradius-client.a + +radsample.o: radsample.c ${HEADERS} nr_vp_create.c nr_packet_send.c + +#radsample: radsample.o ../libnetworkradius-client.a +# ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +sample_chap.o: sample_chap.c ${HEADERS} + +sample_chap: sample_chap.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +radsample2.o: radsample2.c ${HEADERS} nr_vp_create.c + +radsample2: radsample2.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +radsample3.o: radsample3.c ${HEADERS} nr_transmit.c nr_server_t.c nr_vp_create.c + +radsample3: radsample3.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +clean: + @rm -rf *.o *.a *~ diff --git a/lib/radius/examples/example_1.c b/lib/radius/examples/example_1.c new file mode 100644 index 0000000..503d927 --- /dev/null +++ b/lib/radius/examples/example_1.c @@ -0,0 +1,86 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_1.c + * \brief Sample code to initialize a RADIUS packet. + * + * This example initializes a packet, and then adds User-Name and + * User-Password to it. The resulting packet is then printed to the + * standard output. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[NR_MAX_PACKET_LEN]; +static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + ssize_t rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_decode(&request, NULL); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, request.vps); + nr_vp_free(&request.vps); + + return 0; +} diff --git a/lib/radius/examples/example_2.c b/lib/radius/examples/example_2.c new file mode 100644 index 0000000..1065c8e --- /dev/null +++ b/lib/radius/examples/example_2.c @@ -0,0 +1,86 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_2.c + * \brief Sample code to initialize a RADIUS packet. + * + * This example initializes a packet, and then adds User-Name and + * CHAP-Password to it. The resulting packet is then printed to the + * standard output. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[NR_MAX_PACKET_LEN]; +static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_CHAP_PASSWORD, + password, strlen(password)); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_decode(&request, NULL); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, request.vps); + nr_vp_free(&request.vps); + + return 0; +} diff --git a/lib/radius/examples/example_3.c b/lib/radius/examples/example_3.c new file mode 100644 index 0000000..6104f6f --- /dev/null +++ b/lib/radius/examples/example_3.c @@ -0,0 +1,123 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_3.c + * \brief Sample code to initialize a RADIUS packet and a response to it. + * + * This example initializes a packet, and then adds User-Name and + * User-Password to it. The resulting packet is then printed to the + * standard output. + * + * As a next step, it then creates the response, and prints that, + * too. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[NR_MAX_PACKET_LEN]; +static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, + response_buffer, sizeof(response_buffer)); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + NR_DA_REPLY_MESSAGE, + "Success!", 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + NR_DA_TUNNEL_PASSWORD, + password, 0); + if (rcode < 0) goto error; + rcode = nr_packet_sign(&response, &request); + if (rcode < 0) goto error; + + nr_packet_print_hex(&response); + + /* + * Check that the response is well-formed. The + * nr_packet_verify() function also calls nr_packet_ok(). + * However, it is sometimes useful to separate "malformed + * packet" errors from "packet is not a response to a + * reqeust" errors. + */ + rcode = nr_packet_ok(&response); + if (rcode < 0) goto error; + + /* + * Double-check the signature of the response. + */ + rcode = nr_packet_verify(&response, &request); + if (rcode < 0) goto error; + + rcode = nr_packet_decode(&response, &request); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, response.vps); + nr_vp_free(&response.vps); + + return 0; +} diff --git a/lib/radius/examples/example_4.c b/lib/radius/examples/example_4.c new file mode 100644 index 0000000..f93764c --- /dev/null +++ b/lib/radius/examples/example_4.c @@ -0,0 +1,94 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_4.c + * \brief Allocate and manage multiple packets. + */ + +static const char *secret = "testing123"; +static nr_server_t server; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + NR_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, + response_buffer, sizeof(response_buffer)); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + NR_DA_REPLY_MESSAGE, + "Success!", 0); + if (rcode < 0) goto error; + + rcode = nr_packet_sign(&response, &request); + if (rcode < 0) goto error; + + nr_packet_print_hex(&response); + + /* + * Double-check the signature of the response. + */ + rcode = nr_packet_verify(&response, &request); + if (rcode < 0) goto error; + + return 0; +} diff --git a/lib/radius/examples/nr_vp_create.c b/lib/radius/examples/nr_vp_create.c new file mode 100644 index 0000000..bd04f17 --- /dev/null +++ b/lib/radius/examples/nr_vp_create.c @@ -0,0 +1,61 @@ +/* + * The person or persons who have associated work with this document + * (the "Dedicator" or "Certifier") hereby either (a) certifies that, + * to the best of his knowledge, the work of authorship identified is + * in the public domain of the country from which the work is + * published, or (b) hereby dedicates whatever copyright the + * dedicators holds in the work of authorship identified below (the + * "Work") to the public domain. A certifier, moreover, dedicates any + * copyright interest he may have in the associated work, and for + * these purposes, is described as a "dedicator" below. + * + * A certifier has taken reasonable steps to verify the copyright + * status of this work. Certifier recognizes that his good faith + * efforts may not shield him from liability if in fact the work + * certified is not in the public domain. + * + * Dedicator makes this dedication for the benefit of the public at + * large and to the detriment of the Dedicator's heirs and + * successors. Dedicator intends this dedication to be an overt act of + * relinquishment in perpetuity of all present and future rights under + * copyright law, whether vested or contingent, in the Work. Dedicator + * understands that such relinquishment of all rights includes the + * relinquishment of all rights to enforce (by lawsuit or otherwise) + * those copyrights in the Work. + * + * Dedicator recognizes that, once placed in the public domain, the + * Work may be freely reproduced, distributed, transmitted, used, + * modified, built upon, or otherwise exploited by anyone for any + * purpose, commercial or non-commercial, and in any way, including by + * methods that have not yet been invented or conceived. + */ + +static VALUE_PAIR *example_nr_vp_create(void) +{ + VALUE_PAIR *vp; + VALUE_PAIR *head = NULL; + + /* + * Create the request contents. + */ + vp = nr_vp_create(PW_USER_NAME, 0, "bob", 4); + if (!vp) { + fprintf(stderr, "User-Name: %s\n", nr_strerror(0)); + exit(1); + } + nr_vps_append(&head, vp); + + /* + * The User-Password attribute is automatically encrypted + * when being placed in the packet. This version stays + * untouched, and should be "plain text". + */ + vp = nr_vp_create(PW_USER_PASSWORD, 0, "hello", 6); + if (!vp) { + fprintf(stderr, "User-Password: %s\n", nr_strerror(0)); + exit(1); + } + nr_vps_append(&head, vp); + + return head; +} diff --git a/lib/radius/header.pl b/lib/radius/header.pl new file mode 100755 index 0000000..c366612 --- /dev/null +++ b/lib/radius/header.pl @@ -0,0 +1,68 @@ +#!/usr/bin/env perl +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +# +# Converts dictionaries to C defines. Does not yet do "VALUE"s. +# +# $Id$ +# +require "common.pl"; + +while (@ARGV) { + $filename = shift; + do_file($filename); +} + + +print "/* Automatically generated file. Do not edit */\n\n"; + +foreach $v (sort keys %vendor) { + $name = $v; + $name =~ tr/a-z/A-Z/; # uppercase + $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ + + print "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; +} +print "\n"; + +$begin_vendor = -1; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { + print "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; + $begin_vendor = $attributes{$attr_val}{'vendor'}; + } + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/A-Z0-9/_/c; + + print "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; +} +print "\n\n"; + +print "/* Automatically generated file. Do not edit */\n"; + diff --git a/lib/radius/id.c b/lib/radius/id.c new file mode 100644 index 0000000..4fbe631 --- /dev/null +++ b/lib/radius/id.c @@ -0,0 +1,178 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +/** \file id.c + * \brief Handling of ID allocation / freeing + * + */ + +static int find_id(nr_server_t *s) +{ + int i; + uint32_t lvalue; + + if ((s->used < 0) || (s->used > 256)) return -NR_ERR_INTERNAL_FAILURE; + + /* + * Ensure that the ID allocation is random. + */ + lvalue = nr_rand(); + + for (i = 0; i < 256; i++) { + int offset = (i + lvalue) & 0xff; + + if (!s->ids[offset]) return offset; + } + + nr_strerror_printf("Out of IDs for server"); + return -1; +} + +int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet) +{ + int new_id; + + if (!s || !packet) return -NR_ERR_INVALID_ARG; + + new_id = find_id(s); + if (new_id < 0) return -new_id; + + s->ids[new_id] = packet; + s->used++; + packet->sockfd = s->sockfd; + packet->code = s->code; + packet->src = s->src; + packet->dst = s->dst; + packet->id = new_id; + + return 0; +} + +int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet) +{ + if (!s || !packet) return -NR_ERR_INVALID_ARG; + + if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { + return -NR_ERR_INVALID_ARG; + } + + if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE; + + s->ids[packet->id] = NULL; + s->used--; + packet->sockfd = -1; + + return 0; +} + +int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet) +{ + int new_id; + + if (!s || !packet) return -NR_ERR_INVALID_ARG; + + if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { + return -NR_ERR_INVALID_ARG; + } + + if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE; + + new_id = find_id(s); + if (new_id < 0) return new_id; + + s->ids[packet->id] = NULL; + packet->id = new_id; + s->ids[packet->id] = packet; + + return 0; +} + + +int nr_server_init(nr_server_t *s, int code, const char *secret) +{ + if (!s || !secret || !*secret || + (code == 0) || (code > NR_MAX_PACKET_CODE)) { + return -NR_ERR_INVALID_ARG; + } + + memset(s, 0, sizeof(*s)); + + s->sockfd = -1; + s->code = code; + s->secret = secret; + s->sizeof_secret = strlen(secret); + s->src.ss_family = AF_UNSPEC; + s->dst.ss_family = AF_UNSPEC; + + return 0; +} + + +int nr_server_close(const nr_server_t *s) +{ + if (!s) return -NR_ERR_INVALID_ARG; + + if (s->used > 0) return -NR_ERR_IN_USE; + + if (s->sockfd >= 0) close(s->sockfd); + + return 0; +} + +int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p) +{ + int rcode; + RADIUS_PACKET *packet; + + if (!packet_p) return -NR_ERR_INVALID_ARG; + + packet = malloc(sizeof(*packet) + NR_MAX_PACKET_LEN); + if (!packet) return -NR_ERR_NO_MEM; + + memset(packet, 0, sizeof(*packet)); + + if (!s) { + packet->data = (uint8_t *)(packet + 1); + packet->sizeof_data = NR_MAX_PACKET_LEN; + + *packet_p = packet; + return 0; + } + + rcode = nr_packet_init(packet, NULL, s->secret, s->code, + (uint8_t *)(packet + 1), NR_MAX_PACKET_LEN); + if (rcode < 0) { + free(packet); + return rcode; + } + + *packet_p = packet; + return 0; +} diff --git a/lib/radius/packet.c b/lib/radius/packet.c new file mode 100644 index 0000000..77e3d14 --- /dev/null +++ b/lib/radius/packet.c @@ -0,0 +1,918 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file packet.c + * \brief Encoding and decoding packets + */ + +#include + +#if NR_MAX_PACKET_LEN < 64 +#error NR_MAX_PACKET_LEN is too small. It should be at least 64. +#endif + +#if NR_MAX_PACKET_LEN > 16384 +#error NR_MAX_PACKET_LEN is too large. It should be smaller than 16K. +#endif + +const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1] = { + NULL, + "Access-Request", + "Access-Accept", + "Access-Reject", + "Accounting-Request", + "Accounting-Response", + NULL, NULL, NULL, NULL, NULL, + "Access-Challenge", + "Status-Server", /* 12 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */ + "Disconnect-Request", + "Disconnect-ACK", + "Disconnect-NAK", + "CoA-Request", + "CoA-ACK", + "CoA-NAK" +}; + + +static uint64_t allowed_responses[NR_MAX_PACKET_CODE + 1] = { + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), + 0, 0, + 1 << PW_ACCOUNTING_RESPONSE, + 0, + 0, 0, 0, 0, 0, + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE), + 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */ + (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK), + 0, + 0, + (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK), + 0, + 0 +}; + + +int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) +{ + size_t packet_len; + const uint8_t *attr, *end; + + if (!data || (sizeof_data < 20)) { + nr_debug_error("Invalid argument"); + return -NR_ERR_INVALID_ARG; + } + + packet_len = (data[2] << 8) | data[3]; + if (packet_len < 20) { + nr_debug_error("Packet length is too small"); + return -NR_ERR_PACKET_TOO_SMALL; + } + + if (packet_len > sizeof_data) { + nr_debug_error("Packet length overflows received data"); + return -NR_ERR_PACKET_TOO_LARGE; + } + + /* + * If we receive 100 bytes, and the header says it's 20 bytes, + * then it's 20 bytes. + */ + end = data + packet_len; + + for (attr = data + 20; attr < end; attr += attr[1]) { + if ((attr + 2) > end) { + nr_debug_error("Attribute overflows packet"); + return -NR_ERR_ATTR_OVERFLOW; + } + + if (attr[1] < 2) { + nr_debug_error("Attribute length is too small"); + return -NR_ERR_ATTR_TOO_SMALL; + } + + if ((attr + attr[1]) > end) { + nr_debug_error("Attribute length is too large"); + return -NR_ERR_ATTR_TOO_LARGE; + } + } + + return 0; +} + +int nr_packet_ok(RADIUS_PACKET *packet) +{ + int rcode; + + if (!packet) return -NR_ERR_INVALID_ARG; + + if ((packet->flags & NR_PACKET_OK) != 0) return 0; + + rcode = nr_packet_ok_raw(packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= NR_PACKET_OK; + return 0; +} + + +/* + * Comparison function that is time-independent. Using "memcmp" + * would satisfy the "comparison" part. However, it would also + * leak information about *which* bytes are wrong. Attackers + * could use that leak to create a "correct" RADIUS packet which + * will be accepted by the client and/or server. + */ +static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length) +{ + int result = 0; + size_t i; + + for (i = 0; i < length; i++) { + result |= (a[i] ^ b[i]); + } + + return result; +} + + +#ifdef PW_MESSAGE_AUTHENTICATOR +static int msg_auth_ok(const RADIUS_PACKET *original, + uint8_t *ma, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t msg_auth_vector[sizeof(original->vector)]; + uint8_t calc_auth_vector[sizeof(original->vector)]; + + if (ma[1] != 18) { + nr_debug_error("Message-Authenticator has invalid length"); + return -NR_ERR_MSG_AUTH_LEN; + } + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector)); + memset(ma + 2, 0, sizeof(msg_auth_vector)); + + switch (data[0]) { + default: + break; + + case PW_ACCOUNTING_REQUEST: + case PW_ACCOUNTING_RESPONSE: + case PW_DISCONNECT_REQUEST: + case PW_DISCONNECT_ACK: + case PW_DISCONNECT_NAK: + case PW_COA_REQUEST: + case PW_COA_ACK: + case PW_COA_NAK: + memset(data + 4, 0, sizeof(packet_vector)); + break; + + case PW_ACCESS_ACCEPT: + case PW_ACCESS_REJECT: + case PW_ACCESS_CHALLENGE: + if (!original) { + nr_debug_error("Cannot validate response without request"); + return -NR_ERR_REQUEST_REQUIRED; + } + memcpy(data + 4, original->vector, sizeof(original->vector)); + break; + } + + nr_hmac_md5(data, length, + (const uint8_t *) original->secret, original->sizeof_secret, + calc_auth_vector); + + memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector)); + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_auth_vector, msg_auth_vector, + sizeof(calc_auth_vector)) != 0) { + nr_debug_error("Invalid Message-Authenticator"); + return -NR_ERR_MSG_AUTH_WRONG; + } + + return 1; +} +#endif + +/* + * The caller ensures that the packet codes are as expected. + */ +static int packet_auth_ok(const RADIUS_PACKET *original, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t calc_digest[sizeof(original->vector)]; + NR_MD5_CTX ctx; + + if ((data[0] == PW_ACCESS_REQUEST) || + (data[0] == PW_STATUS_SERVER)) return 1; + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + + if (!original) { + memset(data + 4, 0, sizeof(packet_vector)); + } else { + memcpy(data + 4, original->vector, sizeof(original->vector)); + } + + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, data, length); + nr_MD5Update(&ctx, original->secret, original->sizeof_secret); + nr_MD5Final(calc_digest, &ctx); + + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_digest, packet_vector, + sizeof(packet_vector)) != 0) { + nr_debug_error("Invalid authentication vector"); + return -NR_ERR_AUTH_VECTOR_WRONG; + } + + return 0; +} + + +int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode; + uint8_t *attr; +#ifdef PW_MESSAGE_AUTHENTICATOR + const uint8_t *end; +#endif + + if (!packet || !packet->data || !packet->secret) { + nr_debug_error("Invalid argument"); + return -NR_ERR_INVALID_ARG; + } + + if ((packet->flags & NR_PACKET_VERIFIED) != 0) return 0; + + /* + * Packet isn't well formed. Ignore it. + */ + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + /* + * Get rid of improper packets as early as possible. + */ + if (original) { + uint64_t mask; + + if (original->code > NR_MAX_PACKET_CODE) { + nr_debug_error("Invalid original code %u", + original->code); + return -NR_ERR_REQUEST_CODE_INVALID; + } + + if (packet->data[1] != original->id) { + nr_debug_error("Ignoring response with wrong ID %u", + packet->data[1]); + return -NR_ERR_RESPONSE_ID_INVALID; + } + + mask = 1; + mask <<= packet->data[0]; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Ignoring response with wrong code %u", + packet->data[0]); + return -NR_ERR_RESPONSE_CODE_INVALID; + } + + if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && + (sockaddr_cmp(&(packet->src), &(original->dst)) != 0)) { + nr_debug_error("Ignoring response from wrong IP/port"); + return -NR_ERR_RESPONSE_SRC_INVALID; + } + + } else if (allowed_responses[packet->data[0]] != 0) { + nr_debug_error("Ignoring response without original"); + return -NR_ERR_RESPONSE_CODE_INVALID; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + /* + * Note that the packet MUST be well-formed here. + */ + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + rcode = msg_auth_ok(original, attr, + packet->data, packet->length); + if (rcode < 0) return rcode; + } + } +#endif + + /* + * Verify the packet authenticator. + */ + rcode = packet_auth_ok(original, packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= NR_PACKET_VERIFIED; + + return 0; +} + + +int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode, num_attributes; + uint8_t *data, *attr; + const uint8_t *end; + VALUE_PAIR **tail, *vp; + + if (!packet) return -NR_ERR_INVALID_ARG; + + if ((packet->flags & NR_PACKET_DECODED) != 0) return 0; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->length; + tail = &packet->vps; + num_attributes = 0; + + /* + * Loop over the packet, converting attrs to VPs. + */ + for (attr = data + 20; attr < end; attr += attr[1]) { + rcode = nr_attr2vp(packet, original, + attr, end - attr, &vp); + if (rcode < 0) { + nr_vp_free(&packet->vps); + return -rcode; + } + + *tail = vp; + while (vp) { + num_attributes++; + tail = &(vp->next); + vp = vp->next; + } + + if (num_attributes > NR_MAX_ATTRIBUTES) { + nr_debug_error("Too many attributes"); + nr_vp_free(&packet->vps); + return -NR_ERR_TOO_MANY_ATTRS; + } + } + + packet->code = data[0]; + packet->id = data[1]; + memcpy(packet->vector, data + 4, sizeof(packet->vector)); + + packet->flags |= NR_PACKET_DECODED; + + return 0; +} + + +int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; + const uint8_t *attr, *end; +#endif + + if ((packet->flags & NR_PACKET_SIGNED) != 0) return 0; + + if ((packet->flags & NR_PACKET_ENCODED) == 0) { + int rcode; + + rcode = nr_packet_encode(packet, original); + if (rcode < 0) return rcode; + } + + if ((packet->code == PW_ACCESS_ACCEPT) || + (packet->code == PW_ACCESS_CHALLENGE) || + (packet->code == PW_ACCESS_REJECT)) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (!original) { + nr_debug_error("Original packet is required to create the Message-Authenticator"); + return -NR_ERR_REQUEST_REQUIRED; + } +#endif + + memcpy(packet->data + 4, original->vector, + sizeof(original->vector)); + } else { + memcpy(packet->data + 4, packet->vector, + sizeof(packet->vector)); + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + ma = (attr - packet->data); + break; + } + } + + /* + * Force all Access-Request packets to have a + * Message-Authenticator. + */ + if (!ma && ((packet->length + 18) <= packet->sizeof_data) && + ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + ma = packet->length; + + packet->data[ma]= PW_MESSAGE_AUTHENTICATOR; + packet->data[ma + 1] = 18; + memset(&packet->data[ma + 2], 0, 16); + packet->length += 18; + } + + /* + * Reset the length. + */ + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + /* + * Sign the Message-Authenticator && packet. + */ + if (ma) { + nr_hmac_md5(packet->data, packet->length, + (const uint8_t *) packet->secret, packet->sizeof_secret, + packet->data + ma + 2); + } +#endif + + /* + * Calculate the signature. + */ + if (!((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + NR_MD5_CTX ctx; + + nr_MD5Init(&ctx); + nr_MD5Update(&ctx, packet->data, packet->length); + nr_MD5Update(&ctx, packet->secret, packet->sizeof_secret); + nr_MD5Final(packet->vector, &ctx); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->attempts = 0; + packet->flags |= NR_PACKET_SIGNED; + + return 0; +} + + +static int can_encode_packet(RADIUS_PACKET *packet, + const RADIUS_PACKET *original) +{ + if ((packet->code == 0) || + (packet->code > NR_MAX_PACKET_CODE) || + (original && (original->code > NR_MAX_PACKET_CODE))) { + nr_debug_error("Cannot send unknown packet code"); + return -NR_ERR_REQUEST_CODE_INVALID; + } + + if (!nr_packet_codes[packet->code]) { + nr_debug_error("Cannot handle packet code %u", + packet->code); + return -NR_ERR_REQUEST_CODE_INVALID; + } + +#ifdef NR_NO_MALLOC + if (!packet->data) { + nr_debug_error("No place to put packet"); + return -NR_ERR_NO_PACKET_DATA; + } +#endif + + if (packet->sizeof_data < 20) { + nr_debug_error("The buffer is too small to encode the packet"); + return -NR_ERR_PACKET_TOO_SMALL; + } + + /* + * Enforce request / response correlation. + */ + if (original) { + uint64_t mask; + + mask = 1; + mask <<= packet->code; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Cannot encode response %u to packet %u", + packet->code, original->code); + return -NR_ERR_RESPONSE_CODE_INVALID; + } + packet->id = original->id; + + } else if (allowed_responses[packet->code] == 0) { + nr_debug_error("Cannot encode response %u without original", + packet->code); + return -NR_ERR_REQUEST_REQUIRED; + } + + return 0; +} + +static void encode_header(RADIUS_PACKET *packet) +{ + if ((packet->flags & NR_PACKET_HEADER) != 0) return; + + memset(packet->data, 0, 20); + packet->data[0] = packet->code; + packet->data[1] = packet->id; + packet->data[2] = 0; + packet->data[3] = 20; + packet->length = 20; + + /* + * Calculate a random authentication vector. + */ + if ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) { + nr_rand_bytes(packet->vector, sizeof(packet->vector)); + } else { + memset(packet->vector, 0, sizeof(packet->vector)); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->flags |= NR_PACKET_HEADER; +} + +int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; +#endif + int rcode; + ssize_t len; + const VALUE_PAIR *vp; + uint8_t *data, *end; + + if ((packet->flags & NR_PACKET_ENCODED) != 0) return 0; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->sizeof_data; + + encode_header(packet); + data += 20; + + /* + * Encode each VALUE_PAIR + */ + vp = packet->vps; + while (vp) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { + ma = (data - packet->data); + } +#endif + len = nr_vp2attr(packet, original, &vp, + data, end - data); + if (len < 0) return len; + + if (len == 0) break; /* insufficient room to encode it */ + + data += data[1]; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + /* + * Always send a Message-Authenticator. + * + * We do *not* recommend removing this code. + */ + if (((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) && + !ma && + ((data + 18) <= end)) { + ma = (data - packet->data); + data[0] = PW_MESSAGE_AUTHENTICATOR; + data[1] = 18; + memset(data + 2, 0, 16); + data += data[1]; + } +#endif + + packet->length = data - packet->data; + + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + packet->flags |= NR_PACKET_ENCODED; + + return packet->length; +} + + +/* + * Ensure that the nr_data2attr_t structure is filled in + * appropriately. This includes filling in a fake DICT_ATTR + * structure, if necessary. + */ +static int do_callback(void *ctx, nr_packet_walk_func_t callback, + int attr, int vendor, + const uint8_t *data, size_t sizeof_data) + +{ + int rcode; + const DICT_ATTR *da; + DICT_ATTR myda; + char buffer[64]; + + da = nr_dict_attr_byvalue(attr, vendor); + + /* + * The attribute is supposed to have a particular length, + * but does not. It is therefore malformed. + */ + if (da && (da->flags.length != 0) && + da->flags.length != sizeof_data) { + da = NULL; + } + + if (!da) { + rcode = nr_dict_attr_2struct(&myda, attr, vendor, + buffer, sizeof(buffer)); + + if (rcode < 0) return rcode; + da = &myda; + } + + rcode = callback(ctx, da, data, sizeof_data); + if (rcode < 0) return rcode; + + return 0; +} + + +int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, + nr_packet_walk_func_t callback) +{ + int rcode; + uint8_t *attr; + const uint8_t *end; + + if (!packet || !callback) return -NR_ERR_INVALID_ARG; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + int length, value; + int dv_type, dv_length; + uint32_t vendorpec; + const uint8_t *vsa; + const DICT_VENDOR *dv = NULL; + + vendorpec = 0; + value = attr[0]; + + if (value != PW_VENDOR_SPECIFIC) { + raw: + rcode = do_callback(ctx, callback, + attr[0], 0, + attr + 2, attr[1] - 2); + if (rcode < 0) return rcode; + continue; + } + + if (attr[1] < 6) goto raw; + memcpy(&vendorpec, attr + 2, 4); + vendorpec = ntohl(vendorpec); + + if (dv && (dv->vendor != vendorpec)) dv = NULL; + + if (!dv) dv = nr_dict_vendor_byvalue(vendorpec); + + if (dv) { + dv_type = dv->type; + dv_length = dv->length; + } else { + dv_type = 1; + dv_length = 1; + } + + /* + * Malformed: it's a raw attribute. + */ + if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) { + goto raw; + } + + for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) { + switch (dv_type) { + case 4: + value = (vsa[2] << 8) | vsa[3]; + break; + + case 2: + value = (vsa[0] << 8) | vsa[1]; + break; + + case 1: + value = vsa[0]; + break; + + default: + return -NR_ERR_INTERNAL_FAILURE; + } + + switch (dv_length) { + case 0: + length = attr[1] - 6 - dv_type; + break; + + case 2: + case 1: + length = vsa[dv_type + dv_length - 1]; + break; + + default: + return -NR_ERR_INTERNAL_FAILURE; + } + + rcode = do_callback(ctx, callback, + value, vendorpec, + vsa + dv_type + dv_length, + length - dv_type - dv_length); + if (rcode < 0) return rcode; + } + } + + return 0; +} + +int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const char *secret, int code, + void *data, size_t sizeof_data) +{ + int rcode; + + if ((code < 0) || (code > NR_MAX_PACKET_CODE)) { + return -NR_ERR_REQUEST_CODE_INVALID; + } + + if (!data || (sizeof_data < 20)) return -NR_ERR_INVALID_ARG; + + if (!secret || !*secret) return -NR_ERR_INVALID_ARG; + + memset(packet, 0, sizeof(*packet)); + packet->secret = secret; + packet->sizeof_secret = strlen(secret); + packet->code = code; + packet->id = 0; + packet->data = data; + packet->sizeof_data = sizeof_data; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + encode_header(packet); + + return 0; +} + + +static int pack_eap(RADIUS_PACKET *packet, + const void *data, size_t data_len) +{ + uint8_t *attr, *end; + const uint8_t *eap; + size_t left; + + eap = data; + left = data_len; + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + while (left > 253) { + if ((attr + 255) > end) return -NR_ERR_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 255; + memcpy(attr + 2, eap, 253); + attr += attr[1]; + eap += 253; + left -= 253; + } + + if ((attr + (2 + left)) > end) return -NR_ERR_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 2 + left; + memcpy(attr + 2, eap, left); + attr += attr[1]; + packet->length = attr - packet->data; + + return 0; +} + +ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const DICT_ATTR *da, + const void *data, size_t data_len) +{ + ssize_t rcode; + uint8_t *attr, *end; + VALUE_PAIR my_vp; + const VALUE_PAIR *vp; + + if (!packet || !da || !data) { + return -NR_ERR_INVALID_ARG; + } + + if (data_len == 0) { + if (da->type != NR_TYPE_STRING) return -NR_ERR_ATTR_TOO_SMALL; + + data_len = strlen(data); + } + + packet->flags |= NR_PACKET_ENCODED; /* ignore any VPs */ + + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + if ((attr + 2 + data_len) > end) { + return -NR_ERR_ATTR_OVERFLOW; + } + + if ((da->flags.length != 0) && + (data_len != da->flags.length)) { + return -NR_ERR_ATTR_VALUE_MALFORMED; + } + +#ifdef PW_EAP_MESSAGE + /* + * automatically split EAP-Message into multiple + * attributes. + */ + if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) { + return pack_eap(packet, data, data_len); + } +#endif + + if (data_len > 253) return -NR_ERR_ATTR_TOO_LARGE; + + vp = nr_vp_init(&my_vp, da); + rcode = nr_vp_set_data(&my_vp, data, data_len); + if (rcode < 0) return rcode; + + /* + * Note that this function packs VSAs each into their own + * Vendor-Specific attribute. If this isn't what you + * want, use the version of the library with full support + * for TLVs, WiMAX, and extended attributes. + */ + rcode = nr_vp2attr(packet, original, &vp, attr, end - attr); + if (rcode <= 0) return rcode; + + packet->length += rcode; + + return rcode; +} diff --git a/lib/radius/parse.c b/lib/radius/parse.c new file mode 100644 index 0000000..6b593a8 --- /dev/null +++ b/lib/radius/parse.c @@ -0,0 +1,142 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file parse.c + * \brief Routines to parse strings into internal data structures + */ + +#include +#include + +ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) +{ + char *end; + + switch (vp->da->type) { + case NR_TYPE_STRING: + strlcpy(vp->vp_strvalue, value, sizeof(vp->vp_strvalue)); + vp->length = strlen(vp->vp_strvalue); + return vp->length; + + case NR_TYPE_DATE: + case NR_TYPE_INTEGER: + vp->vp_integer = strtoul(value, &end, 10); + if ((value == end) || (*end != '\0')) { + nr_debug_error("Invalid value"); + return -NR_ERR_ATTR_VALUE_MALFORMED; + } + return (end - value); + + case NR_TYPE_IPADDR: + if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) { + return -NR_ERR_SYSTEM; + } + return strlen(value); + +#ifdef NR_TYPE_IPV6ADDR + case NR_TYPE_IPV6ADDR: + if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) { + return -NR_ERR_SYSTEM; + } + return strlen(value); +#endif + +#ifdef NR_TYPE_IFID + case NR_TYPE_IFID: + { + int i, array[8]; + + if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x", + &array[0], &array[1], &array[2], &array[3], + &array[4], &array[5], &array[6], &array[7]) != 8) { + return -NR_ERR_SYSTEM; + } + + for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff; + + } + break; +#endif + + default: + nr_debug_error("Invalid type"); + return -NR_ERR_ATTR_TYPE_UNKNOWN; + } + + return 0; +} + +int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp) +{ + int rcode; + const char *p; + char *q; + const DICT_ATTR *da; + VALUE_PAIR *vp; + char buffer[256]; + + if (!string || !pvp) return -NR_ERR_INVALID_ARG; + + p = string; + q = buffer; + while (*p && (*p != ' ') && (*p != '=')) { + *(q++) = *(p++); + } + *q = '\0'; + + if (q == buffer) { + nr_debug_error("No Attribute name"); + return -NR_ERR_ATTR_BAD_NAME; + } + + da = nr_dict_attr_byname(buffer); + if (!da) { + nr_debug_error("Unknown attribute \"%s\"", buffer); + return -NR_ERR_ATTR_UNKNOWN; + } + + while (*p == ' ') p++; + if (*p != '=') { + nr_debug_error("Unexpected text after attribute name"); + return -NR_ERR_ATTR_BAD_NAME; + } + + p++; + while (*p == ' ') p++; + + vp = nr_vp_alloc(da); + if (!vp) return -NR_ERR_NO_MEM; + + rcode = nr_vp_sscanf_value(vp, p); + if (rcode < 0) { + nr_vp_free(&vp); + return rcode; + } + + *pvp = vp; + return 0; +} diff --git a/lib/radius/print.c b/lib/radius/print.c new file mode 100644 index 0000000..abe4255 --- /dev/null +++ b/lib/radius/print.c @@ -0,0 +1,265 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file print.c + * \brief Functions to print things. + */ + +#include +#include +#ifdef NR_TYPE_IPV6ADDR +#include +#endif + +#ifndef NDEBUG +void nr_packet_print_hex(RADIUS_PACKET *packet) +{ + int i; + + if (!packet->data) return; + + printf(" Code:\t\t%u\n", packet->data[0]); + printf(" Id:\t\t%u\n", packet->data[1]); + printf(" Length:\t%u\n", ((packet->data[2] << 8) | + (packet->data[3]))); + printf(" Vector:\t"); + for (i = 4; i < 20; i++) { + printf("%02x", packet->data[i]); + } + printf("\n"); + if ((packet->flags & NR_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n"); + + if (packet->length > 20) { + int total; + const uint8_t *ptr; + printf(" Data:"); + + total = packet->length - 20; + ptr = packet->data + 20; + + while (total > 0) { + int attrlen; + + printf("\t\t"); + if (total < 2) { /* too short */ + printf("%02x\n", *ptr); + break; + } + + if (ptr[1] > total) { /* too long */ + for (i = 0; i < total; i++) { + printf("%02x ", ptr[i]); + } + break; + } + + printf("%02x %02x ", ptr[0], ptr[1]); + attrlen = ptr[1] - 2; + ptr += 2; + total -= 2; + + for (i = 0; i < attrlen; i++) { + if ((i > 0) && ((i & 0x0f) == 0x00)) + printf("\t\t\t"); + printf("%02x ", ptr[i]); + if ((i & 0x0f) == 0x0f) printf("\n"); + } + + if (!attrlen || ((attrlen & 0x0f) != 0x00)) printf("\n"); + + ptr += attrlen; + total -= attrlen; + } + } + printf("\n"); + fflush(stdout); +} +#endif + +size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) +{ + size_t i, len; + char *p = buffer; + + switch (vp->da->type) { + case NR_TYPE_STRING: + /* + * FIXME: escape backslash && quotes! + */ + len = snprintf(p, buflen, "\"%s\"", vp->vp_strvalue); + break; + + case NR_TYPE_DATE: + case NR_TYPE_INTEGER: + case NR_TYPE_SHORT: + case NR_TYPE_BYTE: + len = snprintf(p, buflen, "%u", vp->vp_integer); + break; + + case NR_TYPE_IPADDR: + len = snprintf(p, buflen, "%u.%u.%u.%u", + (vp->vp_ipaddr >> 24) & 0xff, + (vp->vp_ipaddr >> 16) & 0xff, + (vp->vp_ipaddr >> 8) & 0xff, + vp->vp_ipaddr & 0xff); + break; + +#ifdef NR_TYPE_IPV6ADDR + case NR_TYPE_IPV6ADDR: + if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) { + return -NR_ERR_SYSTEM; + } + break; +#endif + +#ifdef NR_TYPE_IFID + case NR_TYPE_IFID: + len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x", + vp->vp_ifid[0], vp->vp_ifid[1], + vp->vp_ifid[2], vp->vp_ifid[3], + vp->vp_ifid[4], vp->vp_ifid[5], + vp->vp_ifid[6], vp->vp_ifid[7]); + break; +#endif + + case NR_TYPE_OCTETS: + len = snprintf(p, buflen, "0x"); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + for (i = 0; i < vp->length; i++) { + len = snprintf(p, buflen, "%02x", vp->vp_octets[i]); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + } + len = 0; + break; + + default: + break; + } + + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + return p - buffer; +} + +size_t nr_vp_snprintf(char *buffer, size_t buflen, const VALUE_PAIR *vp) +{ + size_t len; + char *p = buffer; + + len = snprintf(p, buflen, "%s = ", vp->da->name); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + len = nr_vp_snprintf_value(p, buflen, vp); + if (len == 0) return 0; + + if (len >= buflen) return 0; + + p += len; + + return p - buffer; +} + +#ifndef NDEBUG +void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps) +{ + const VALUE_PAIR *vp; + char buffer[1024]; + + for (vp = vps; vp != NULL; vp = vp->next) { + nr_vp_snprintf(buffer, sizeof(buffer), vp); + fprintf(fp, "\t%s\n", buffer); + } +} +#endif + +/** \cond PRIVATE */ +#define NR_STRERROR_BUFSIZE (1024) +static char nr_strerror_buffer[NR_STRERROR_BUFSIZE]; + +void nr_strerror_printf(const char *fmt, ...) +{ + va_list ap; + va_start(ap, fmt); + vsnprintf(nr_strerror_buffer, sizeof(nr_strerror_buffer), fmt, ap); + va_end(ap); + + fprintf(stderr, "ERROR: %s\n", nr_strerror_buffer); +} +/** \endcond */ + +const char *nr_strerror(int error) +{ + if (error == 0) return nr_strerror_buffer; + + if (error < 0) error = -error; + + switch (error) { + default: return "Unknown error"; + case NR_ERR_SYSTEM: return strerror(errno); + + case NR_ERR_INVALID_ARG: return "Invalid argument"; + case NR_ERR_PACKET_TOO_SMALL: return "Packet is too small"; + case NR_ERR_PACKET_TOO_LARGE: return "Packet is too large"; + case NR_ERR_ATTR_OVERFLOW: return "Attribute overflows packet"; + case NR_ERR_ATTR_TOO_SMALL: return "Attribute is too small"; + case NR_ERR_ATTR_TOO_LARGE: return "Attribute is too large"; + case NR_ERR_ATTR_UNKNOWN: return "Unknown attribute"; + case NR_ERR_ATTR_BAD_NAME: return "Invalid name for attribute"; + case NR_ERR_ATTR_VALUE_MALFORMED: return "Invalid value for attribute"; + case NR_ERR_ATTR_INVALID: return "Invalid attribute"; + case NR_ERR_TOO_MANY_ATTRS: return "Too many attributes in the packet"; + case NR_ERR_ATTR_TYPE_UNKNOWN: return "Attribute type unknown"; + case NR_ERR_MSG_AUTH_LEN: return "Invalid Message-Authenticator"; + case NR_ERR_MSG_AUTH_WRONG: return "Incorrect Message-Authenticator"; + case NR_ERR_REQUEST_REQUIRED: return "Request is required"; + case NR_ERR_REQUEST_CODE_INVALID: return "Invalid request code"; + case NR_ERR_AUTH_VECTOR_WRONG: return "Incorrect Request Authenticator"; + case NR_ERR_RESPONSE_CODE_INVALID: return "Response code is unsupported"; + case NR_ERR_RESPONSE_ID_INVALID: return "Response ID is invalid"; + case NR_ERR_RESPONSE_SRC_INVALID: return "Response from the wrong src ip/port"; + case NR_ERR_NO_PACKET_DATA: return "Cannot encode the packet"; + case NR_ERR_VENDOR_UNKNOWN: return "Vendor is unknown"; + case NR_ERR_INTERNAL_FAILURE: return "Internal failure"; + case NR_ERR_UNSUPPORTED: return "Unsupported feature"; + case NR_ERR_NO_MEM: return "Out of memory"; + case NR_ERR_IN_USE: return "Resource is in use"; + + } +} diff --git a/lib/radius/radius.h b/lib/radius/radius.h new file mode 100644 index 0000000..cfc16b7 --- /dev/null +++ b/lib/radius/radius.h @@ -0,0 +1,314 @@ +/* Automatically generated file. Do not edit */ + +#define VENDORPEC_MICROSOFT 311 +#define VENDORPEC_EXAMPLE 65535 + + +/* IETF */ +#define PW_USER_NAME 1 +#define PW_USER_PASSWORD 2 +#define PW_CHAP_PASSWORD 3 +#define PW_NAS_IP_ADDRESS 4 +#define PW_NAS_PORT 5 +#define PW_SERVICE_TYPE 6 +#define PW_FRAMED_PROTOCOL 7 +#define PW_FRAMED_IP_ADDRESS 8 +#define PW_FRAMED_IP_NETMASK 9 +#define PW_FRAMED_ROUTING 10 +#define PW_FILTER_ID 11 +#define PW_FRAMED_MTU 12 +#define PW_FRAMED_COMPRESSION 13 +#define PW_LOGIN_IP_HOST 14 +#define PW_LOGIN_SERVICE 15 +#define PW_LOGIN_TCP_PORT 16 +#define PW_REPLY_MESSAGE 18 +#define PW_CALLBACK_NUMBER 19 +#define PW_CALLBACK_ID 20 +#define PW_FRAMED_ROUTE 22 +#define PW_FRAMED_IPX_NETWORK 23 +#define PW_STATE 24 +#define PW_CLASS 25 +#define PW_VENDOR_SPECIFIC 26 +#define PW_SESSION_TIMEOUT 27 +#define PW_IDLE_TIMEOUT 28 +#define PW_TERMINATION_ACTION 29 +#define PW_CALLED_STATION_ID 30 +#define PW_CALLING_STATION_ID 31 +#define PW_NAS_IDENTIFIER 32 +#define PW_PROXY_STATE 33 +#define PW_LOGIN_LAT_SERVICE 34 +#define PW_LOGIN_LAT_NODE 35 +#define PW_LOGIN_LAT_GROUP 36 +#define PW_FRAMED_APPLETALK_LINK 37 +#define PW_FRAMED_APPLETALK_NETWORK 38 +#define PW_FRAMED_APPLETALK_ZONE 39 +#define PW_ACCT_STATUS_TYPE 40 +#define PW_ACCT_DELAY_TIME 41 +#define PW_ACCT_INPUT_OCTETS 42 +#define PW_ACCT_OUTPUT_OCTETS 43 +#define PW_ACCT_SESSION_ID 44 +#define PW_ACCT_AUTHENTIC 45 +#define PW_ACCT_SESSION_TIME 46 +#define PW_ACCT_INPUT_PACKETS 47 +#define PW_ACCT_OUTPUT_PACKETS 48 +#define PW_ACCT_TERMINATE_CAUSE 49 +#define PW_ACCT_MULTI_SESSION_ID 50 +#define PW_ACCT_LINK_COUNT 51 +#define PW_ACCT_INPUT_GIGAWORDS 52 +#define PW_ACCT_OUTPUT_GIGAWORDS 53 +#define PW_EVENT_TIMESTAMP 55 +#define PW_EGRESS_VLANID 56 +#define PW_INGRESS_FILTERS 57 +#define PW_EGRESS_VLAN_NAME 58 +#define PW_USER_PRIORITY_TABLE 59 +#define PW_CHAP_CHALLENGE 60 +#define PW_NAS_PORT_TYPE 61 +#define PW_PORT_LIMIT 62 +#define PW_LOGIN_LAT_PORT 63 +#define PW_TUNNEL_TYPE 64 +#define PW_TUNNEL_MEDIUM_TYPE 65 +#define PW_TUNNEL_CLIENT_ENDPOINT 66 +#define PW_TUNNEL_SERVER_ENDPOINT 67 +#define PW_ACCT_TUNNEL_CONNECTION 68 +#define PW_TUNNEL_PASSWORD 69 +#define PW_ARAP_PASSWORD 70 +#define PW_ARAP_FEATURES 71 +#define PW_ARAP_ZONE_ACCESS 72 +#define PW_ARAP_SECURITY 73 +#define PW_ARAP_SECURITY_DATA 74 +#define PW_PASSWORD_RETRY 75 +#define PW_PROMPT 76 +#define PW_CONNECT_INFO 77 +#define PW_CONFIGURATION_TOKEN 78 +#define PW_EAP_MESSAGE 79 +#define PW_MESSAGE_AUTHENTICATOR 80 +#define PW_TUNNEL_PRIVATE_GROUP_ID 81 +#define PW_TUNNEL_ASSIGNMENT_ID 82 +#define PW_TUNNEL_PREFERENCE 83 +#define PW_ARAP_CHALLENGE_RESPONSE 84 +#define PW_ACCT_INTERIM_INTERVAL 85 +#define PW_ACCT_TUNNEL_PACKETS_LOST 86 +#define PW_NAS_PORT_ID 87 +#define PW_FRAMED_POOL 88 +#define PW_CHARGEABLE_USER_IDENTITY 89 +#define PW_TUNNEL_CLIENT_AUTH_ID 90 +#define PW_TUNNEL_SERVER_AUTH_ID 91 +#define PW_NAS_FILTER_RULE 92 +#define PW_NAS_IPV6_ADDRESS 95 +#define PW_FRAMED_INTERFACE_ID 96 +#define PW_FRAMED_IPV6_PREFIX 97 +#define PW_LOGIN_IPV6_HOST 98 +#define PW_FRAMED_IPV6_ROUTE 99 +#define PW_FRAMED_IPV6_POOL 100 +#define PW_ERROR_CAUSE 101 +#define PW_EAP_KEY_NAME 102 +#define PW_DIGEST_RESPONSE 103 +#define PW_DIGEST_REALM 104 +#define PW_DIGEST_NONCE 105 +#define PW_DIGEST_RESPONSE_AUTH 106 +#define PW_DIGEST_NEXTNONCE 107 +#define PW_DIGEST_METHOD 108 +#define PW_DIGEST_URI 109 +#define PW_DIGEST_QOP 110 +#define PW_DIGEST_ALGORITHM 111 +#define PW_DIGEST_ENTITY_BODY_HASH 112 +#define PW_DIGEST_CNONCE 113 +#define PW_DIGEST_NONCE_COUNT 114 +#define PW_DIGEST_USERNAME 115 +#define PW_DIGEST_OPAQUE 116 +#define PW_DIGEST_AUTH_PARAM 117 +#define PW_DIGEST_AKA_AUTS 118 +#define PW_DIGEST_DOMAIN 119 +#define PW_DIGEST_STALE 120 +#define PW_DIGEST_HA1 121 +#define PW_SIP_AOR 122 +#define PW_DELEGATED_IPV6_PREFIX 123 +#define PW_OPERATOR_NAME 126 +#define PW_LOCATION_INFORMATION 127 +#define PW_LOCATION_DATA 128 +#define PW_BASIC_LOCATION_POLICY_RULES 129 +#define PW_EXTENDED_LOCATION_POLICY_RULES 130 +#define PW_LOCATION_CAPABLE 131 +#define PW_REQUESTED_LOCATION_INFO 132 +#define PW_FRAMED_MANAGEMENT 133 +#define PW_MANAGEMENT_TRANSPORT_PROTECTION 134 +#define PW_MANAGEMENT_POLICY_ID 135 +#define PW_MANAGEMENT_PRIVILEGE_LEVEL 136 +#define PW_PKM_SS_CERT 137 +#define PW_PKM_CA_CERT 138 +#define PW_PKM_CONFIG_SETTINGS 139 +#define PW_PKM_CRYPTOSUITE_LIST 140 +#define PW_PKM_SAID 141 +#define PW_PKM_SA_DESCRIPTOR 142 +#define PW_PKM_AUTH_KEY 143 + +/* Microsoft */ +#define PW_MS_CHAP_RESPONSE 1 +#define PW_MS_CHAP_ERROR 2 +#define PW_MS_MPPE_ENCRYPTION_POLICY 7 +#define PW_MS_MPPE_ENCRYPTION_TYPES 8 +#define PW_MS_CHAP_DOMAIN 10 +#define PW_MS_CHAP_CHALLENGE 11 +#define PW_MS_CHAP_MPPE_KEYS 12 +#define PW_MS_MPPE_SEND_KEY 16 +#define PW_MS_MPPE_RECV_KEY 17 +#define PW_MS_CHAP2_RESPONSE 25 +#define PW_MS_CHAP2_SUCCESS 26 + +/* example */ +#define PW_EXAMPLE_INTEGER 1 +#define PW_EXAMPLE_STRING 2 +#define PW_EXAMPLE_IP_ADDRESS 3 + +/* Fixed offsets to dictionary definitions of attributes */ +#define NR_DA_USER_NAME (&nr_dict_attrs[1]) +#define NR_DA_USER_PASSWORD (&nr_dict_attrs[2]) +#define NR_DA_CHAP_PASSWORD (&nr_dict_attrs[3]) +#define NR_DA_NAS_IP_ADDRESS (&nr_dict_attrs[4]) +#define NR_DA_NAS_PORT (&nr_dict_attrs[5]) +#define NR_DA_SERVICE_TYPE (&nr_dict_attrs[6]) +#define NR_DA_FRAMED_PROTOCOL (&nr_dict_attrs[7]) +#define NR_DA_FRAMED_IP_ADDRESS (&nr_dict_attrs[8]) +#define NR_DA_FRAMED_IP_NETMASK (&nr_dict_attrs[9]) +#define NR_DA_FRAMED_ROUTING (&nr_dict_attrs[10]) +#define NR_DA_FILTER_ID (&nr_dict_attrs[11]) +#define NR_DA_FRAMED_MTU (&nr_dict_attrs[12]) +#define NR_DA_FRAMED_COMPRESSION (&nr_dict_attrs[13]) +#define NR_DA_LOGIN_IP_HOST (&nr_dict_attrs[14]) +#define NR_DA_LOGIN_SERVICE (&nr_dict_attrs[15]) +#define NR_DA_LOGIN_TCP_PORT (&nr_dict_attrs[16]) +#define NR_DA_REPLY_MESSAGE (&nr_dict_attrs[18]) +#define NR_DA_CALLBACK_NUMBER (&nr_dict_attrs[19]) +#define NR_DA_CALLBACK_ID (&nr_dict_attrs[20]) +#define NR_DA_FRAMED_ROUTE (&nr_dict_attrs[22]) +#define NR_DA_FRAMED_IPX_NETWORK (&nr_dict_attrs[23]) +#define NR_DA_STATE (&nr_dict_attrs[24]) +#define NR_DA_CLASS (&nr_dict_attrs[25]) +#define NR_DA_VENDOR_SPECIFIC (&nr_dict_attrs[26]) +#define NR_DA_SESSION_TIMEOUT (&nr_dict_attrs[27]) +#define NR_DA_IDLE_TIMEOUT (&nr_dict_attrs[28]) +#define NR_DA_TERMINATION_ACTION (&nr_dict_attrs[29]) +#define NR_DA_CALLED_STATION_ID (&nr_dict_attrs[30]) +#define NR_DA_CALLING_STATION_ID (&nr_dict_attrs[31]) +#define NR_DA_NAS_IDENTIFIER (&nr_dict_attrs[32]) +#define NR_DA_PROXY_STATE (&nr_dict_attrs[33]) +#define NR_DA_LOGIN_LAT_SERVICE (&nr_dict_attrs[34]) +#define NR_DA_LOGIN_LAT_NODE (&nr_dict_attrs[35]) +#define NR_DA_LOGIN_LAT_GROUP (&nr_dict_attrs[36]) +#define NR_DA_FRAMED_APPLETALK_LINK (&nr_dict_attrs[37]) +#define NR_DA_FRAMED_APPLETALK_NETWORK (&nr_dict_attrs[38]) +#define NR_DA_FRAMED_APPLETALK_ZONE (&nr_dict_attrs[39]) +#define NR_DA_ACCT_STATUS_TYPE (&nr_dict_attrs[40]) +#define NR_DA_ACCT_DELAY_TIME (&nr_dict_attrs[41]) +#define NR_DA_ACCT_INPUT_OCTETS (&nr_dict_attrs[42]) +#define NR_DA_ACCT_OUTPUT_OCTETS (&nr_dict_attrs[43]) +#define NR_DA_ACCT_SESSION_ID (&nr_dict_attrs[44]) +#define NR_DA_ACCT_AUTHENTIC (&nr_dict_attrs[45]) +#define NR_DA_ACCT_SESSION_TIME (&nr_dict_attrs[46]) +#define NR_DA_ACCT_INPUT_PACKETS (&nr_dict_attrs[47]) +#define NR_DA_ACCT_OUTPUT_PACKETS (&nr_dict_attrs[48]) +#define NR_DA_ACCT_TERMINATE_CAUSE (&nr_dict_attrs[49]) +#define NR_DA_ACCT_MULTI_SESSION_ID (&nr_dict_attrs[50]) +#define NR_DA_ACCT_LINK_COUNT (&nr_dict_attrs[51]) +#define NR_DA_ACCT_INPUT_GIGAWORDS (&nr_dict_attrs[52]) +#define NR_DA_ACCT_OUTPUT_GIGAWORDS (&nr_dict_attrs[53]) +#define NR_DA_EVENT_TIMESTAMP (&nr_dict_attrs[55]) +#define NR_DA_EGRESS_VLANID (&nr_dict_attrs[56]) +#define NR_DA_INGRESS_FILTERS (&nr_dict_attrs[57]) +#define NR_DA_EGRESS_VLAN_NAME (&nr_dict_attrs[58]) +#define NR_DA_USER_PRIORITY_TABLE (&nr_dict_attrs[59]) +#define NR_DA_CHAP_CHALLENGE (&nr_dict_attrs[60]) +#define NR_DA_NAS_PORT_TYPE (&nr_dict_attrs[61]) +#define NR_DA_PORT_LIMIT (&nr_dict_attrs[62]) +#define NR_DA_LOGIN_LAT_PORT (&nr_dict_attrs[63]) +#define NR_DA_TUNNEL_TYPE (&nr_dict_attrs[64]) +#define NR_DA_TUNNEL_MEDIUM_TYPE (&nr_dict_attrs[65]) +#define NR_DA_TUNNEL_CLIENT_ENDPOINT (&nr_dict_attrs[66]) +#define NR_DA_TUNNEL_SERVER_ENDPOINT (&nr_dict_attrs[67]) +#define NR_DA_ACCT_TUNNEL_CONNECTION (&nr_dict_attrs[68]) +#define NR_DA_TUNNEL_PASSWORD (&nr_dict_attrs[69]) +#define NR_DA_ARAP_PASSWORD (&nr_dict_attrs[70]) +#define NR_DA_ARAP_FEATURES (&nr_dict_attrs[71]) +#define NR_DA_ARAP_ZONE_ACCESS (&nr_dict_attrs[72]) +#define NR_DA_ARAP_SECURITY (&nr_dict_attrs[73]) +#define NR_DA_ARAP_SECURITY_DATA (&nr_dict_attrs[74]) +#define NR_DA_PASSWORD_RETRY (&nr_dict_attrs[75]) +#define NR_DA_PROMPT (&nr_dict_attrs[76]) +#define NR_DA_CONNECT_INFO (&nr_dict_attrs[77]) +#define NR_DA_CONFIGURATION_TOKEN (&nr_dict_attrs[78]) +#define NR_DA_EAP_MESSAGE (&nr_dict_attrs[79]) +#define NR_DA_MESSAGE_AUTHENTICATOR (&nr_dict_attrs[80]) +#define NR_DA_TUNNEL_PRIVATE_GROUP_ID (&nr_dict_attrs[81]) +#define NR_DA_TUNNEL_ASSIGNMENT_ID (&nr_dict_attrs[82]) +#define NR_DA_TUNNEL_PREFERENCE (&nr_dict_attrs[83]) +#define NR_DA_ARAP_CHALLENGE_RESPONSE (&nr_dict_attrs[84]) +#define NR_DA_ACCT_INTERIM_INTERVAL (&nr_dict_attrs[85]) +#define NR_DA_ACCT_TUNNEL_PACKETS_LOST (&nr_dict_attrs[86]) +#define NR_DA_NAS_PORT_ID (&nr_dict_attrs[87]) +#define NR_DA_FRAMED_POOL (&nr_dict_attrs[88]) +#define NR_DA_CHARGEABLE_USER_IDENTITY (&nr_dict_attrs[89]) +#define NR_DA_TUNNEL_CLIENT_AUTH_ID (&nr_dict_attrs[90]) +#define NR_DA_TUNNEL_SERVER_AUTH_ID (&nr_dict_attrs[91]) +#define NR_DA_NAS_FILTER_RULE (&nr_dict_attrs[92]) +#define NR_DA_NAS_IPV6_ADDRESS (&nr_dict_attrs[95]) +#define NR_DA_FRAMED_INTERFACE_ID (&nr_dict_attrs[96]) +#define NR_DA_FRAMED_IPV6_PREFIX (&nr_dict_attrs[97]) +#define NR_DA_LOGIN_IPV6_HOST (&nr_dict_attrs[98]) +#define NR_DA_FRAMED_IPV6_ROUTE (&nr_dict_attrs[99]) +#define NR_DA_FRAMED_IPV6_POOL (&nr_dict_attrs[100]) +#define NR_DA_ERROR_CAUSE (&nr_dict_attrs[101]) +#define NR_DA_EAP_KEY_NAME (&nr_dict_attrs[102]) +#define NR_DA_DIGEST_RESPONSE (&nr_dict_attrs[103]) +#define NR_DA_DIGEST_REALM (&nr_dict_attrs[104]) +#define NR_DA_DIGEST_NONCE (&nr_dict_attrs[105]) +#define NR_DA_DIGEST_RESPONSE_AUTH (&nr_dict_attrs[106]) +#define NR_DA_DIGEST_NEXTNONCE (&nr_dict_attrs[107]) +#define NR_DA_DIGEST_METHOD (&nr_dict_attrs[108]) +#define NR_DA_DIGEST_URI (&nr_dict_attrs[109]) +#define NR_DA_DIGEST_QOP (&nr_dict_attrs[110]) +#define NR_DA_DIGEST_ALGORITHM (&nr_dict_attrs[111]) +#define NR_DA_DIGEST_ENTITY_BODY_HASH (&nr_dict_attrs[112]) +#define NR_DA_DIGEST_CNONCE (&nr_dict_attrs[113]) +#define NR_DA_DIGEST_NONCE_COUNT (&nr_dict_attrs[114]) +#define NR_DA_DIGEST_USERNAME (&nr_dict_attrs[115]) +#define NR_DA_DIGEST_OPAQUE (&nr_dict_attrs[116]) +#define NR_DA_DIGEST_AUTH_PARAM (&nr_dict_attrs[117]) +#define NR_DA_DIGEST_AKA_AUTS (&nr_dict_attrs[118]) +#define NR_DA_DIGEST_DOMAIN (&nr_dict_attrs[119]) +#define NR_DA_DIGEST_STALE (&nr_dict_attrs[120]) +#define NR_DA_DIGEST_HA1 (&nr_dict_attrs[121]) +#define NR_DA_SIP_AOR (&nr_dict_attrs[122]) +#define NR_DA_DELEGATED_IPV6_PREFIX (&nr_dict_attrs[123]) +#define NR_DA_OPERATOR_NAME (&nr_dict_attrs[126]) +#define NR_DA_LOCATION_INFORMATION (&nr_dict_attrs[127]) +#define NR_DA_LOCATION_DATA (&nr_dict_attrs[128]) +#define NR_DA_BASIC_LOCATION_POLICY_RULES (&nr_dict_attrs[129]) +#define NR_DA_EXTENDED_LOCATION_POLICY_RULES (&nr_dict_attrs[130]) +#define NR_DA_LOCATION_CAPABLE (&nr_dict_attrs[131]) +#define NR_DA_REQUESTED_LOCATION_INFO (&nr_dict_attrs[132]) +#define NR_DA_FRAMED_MANAGEMENT (&nr_dict_attrs[133]) +#define NR_DA_MANAGEMENT_TRANSPORT_PROTECTION (&nr_dict_attrs[134]) +#define NR_DA_MANAGEMENT_POLICY_ID (&nr_dict_attrs[135]) +#define NR_DA_MANAGEMENT_PRIVILEGE_LEVEL (&nr_dict_attrs[136]) +#define NR_DA_PKM_SS_CERT (&nr_dict_attrs[137]) +#define NR_DA_PKM_CA_CERT (&nr_dict_attrs[138]) +#define NR_DA_PKM_CONFIG_SETTINGS (&nr_dict_attrs[139]) +#define NR_DA_PKM_CRYPTOSUITE_LIST (&nr_dict_attrs[140]) +#define NR_DA_PKM_SAID (&nr_dict_attrs[141]) +#define NR_DA_PKM_SA_DESCRIPTOR (&nr_dict_attrs[142]) +#define NR_DA_PKM_AUTH_KEY (&nr_dict_attrs[143]) +#define NR_DA_MS_CHAP_RESPONSE (&nr_dict_attrs[256]) +#define NR_DA_MS_CHAP_ERROR (&nr_dict_attrs[257]) +#define NR_DA_MS_MPPE_ENCRYPTION_POLICY (&nr_dict_attrs[258]) +#define NR_DA_MS_MPPE_ENCRYPTION_TYPES (&nr_dict_attrs[259]) +#define NR_DA_MS_CHAP_DOMAIN (&nr_dict_attrs[260]) +#define NR_DA_MS_CHAP_CHALLENGE (&nr_dict_attrs[261]) +#define NR_DA_MS_CHAP_MPPE_KEYS (&nr_dict_attrs[262]) +#define NR_DA_MS_MPPE_SEND_KEY (&nr_dict_attrs[263]) +#define NR_DA_MS_MPPE_RECV_KEY (&nr_dict_attrs[264]) +#define NR_DA_MS_CHAP2_RESPONSE (&nr_dict_attrs[265]) +#define NR_DA_MS_CHAP2_SUCCESS (&nr_dict_attrs[266]) +#define NR_DA_EXAMPLE_INTEGER (&nr_dict_attrs[267]) +#define NR_DA_EXAMPLE_STRING (&nr_dict_attrs[268]) +#define NR_DA_EXAMPLE_IP_ADDRESS (&nr_dict_attrs[269]) +/* Automatically generated file. Do not edit */ diff --git a/lib/radius/share/dictionary.microsoft b/lib/radius/share/dictionary.microsoft new file mode 100644 index 0000000..034e5f0 --- /dev/null +++ b/lib/radius/share/dictionary.microsoft @@ -0,0 +1,17 @@ +# A minimal dictionary for Microsoft VSAs +# +VENDOR Microsoft 311 + +BEGIN-VENDOR Microsoft +ATTRIBUTE MS-CHAP-Response 1 octets +ATTRIBUTE MS-CHAP-Error 2 string +ATTRIBUTE MS-MPPE-Encryption-Policy 7 octets +ATTRIBUTE MS-MPPE-Encryption-Types 8 octets +ATTRIBUTE MS-CHAP-Domain 10 string +ATTRIBUTE MS-CHAP-Challenge 11 octets +ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1 +ATTRIBUTE MS-MPPE-Send-Key 16 octets encrypt=2 +ATTRIBUTE MS-MPPE-Recv-Key 17 octets encrypt=2 +ATTRIBUTE MS-CHAP2-Response 25 octets +ATTRIBUTE MS-CHAP2-Success 26 octets +END-VENDOR Microsoft diff --git a/lib/radius/share/dictionary.txt b/lib/radius/share/dictionary.txt new file mode 100644 index 0000000..e62f8b3 --- /dev/null +++ b/lib/radius/share/dictionary.txt @@ -0,0 +1,136 @@ +ATTRIBUTE User-Name 1 string +ATTRIBUTE User-Password 2 string encrypt=1 +ATTRIBUTE CHAP-Password 3 octets +ATTRIBUTE NAS-IP-Address 4 ipaddr +ATTRIBUTE NAS-Port 5 integer +ATTRIBUTE Service-Type 6 integer +ATTRIBUTE Framed-Protocol 7 integer +ATTRIBUTE Framed-IP-Address 8 ipaddr +ATTRIBUTE Framed-IP-Netmask 9 ipaddr +ATTRIBUTE Framed-Routing 10 integer +ATTRIBUTE Filter-Id 11 string +ATTRIBUTE Framed-MTU 12 integer +ATTRIBUTE Framed-Compression 13 integer +ATTRIBUTE Login-IP-Host 14 ipaddr +ATTRIBUTE Login-Service 15 integer +ATTRIBUTE Login-TCP-Port 16 integer +ATTRIBUTE Reply-Message 18 string +ATTRIBUTE Callback-Number 19 string +ATTRIBUTE Callback-Id 20 string +ATTRIBUTE Framed-Route 22 string +ATTRIBUTE Framed-IPX-Network 23 ipaddr +ATTRIBUTE State 24 octets +ATTRIBUTE Class 25 octets +ATTRIBUTE Vendor-Specific 26 octets +ATTRIBUTE Session-Timeout 27 integer +ATTRIBUTE Idle-Timeout 28 integer +ATTRIBUTE Termination-Action 29 integer +ATTRIBUTE Called-Station-Id 30 string +ATTRIBUTE Calling-Station-Id 31 string +ATTRIBUTE NAS-Identifier 32 string +ATTRIBUTE Proxy-State 33 octets +ATTRIBUTE Login-LAT-Service 34 string +ATTRIBUTE Login-LAT-Node 35 string +ATTRIBUTE Login-LAT-Group 36 octets +ATTRIBUTE Framed-AppleTalk-Link 37 integer +ATTRIBUTE Framed-AppleTalk-Network 38 integer +ATTRIBUTE Framed-AppleTalk-Zone 39 string +ATTRIBUTE CHAP-Challenge 60 octets +ATTRIBUTE NAS-Port-Type 61 integer +ATTRIBUTE Port-Limit 62 integer +ATTRIBUTE Login-LAT-Port 63 string +ATTRIBUTE Acct-Status-Type 40 integer +ATTRIBUTE Acct-Delay-Time 41 integer +ATTRIBUTE Acct-Input-Octets 42 integer +ATTRIBUTE Acct-Output-Octets 43 integer +ATTRIBUTE Acct-Session-Id 44 string +ATTRIBUTE Acct-Authentic 45 integer +ATTRIBUTE Acct-Session-Time 46 integer +ATTRIBUTE Acct-Input-Packets 47 integer +ATTRIBUTE Acct-Output-Packets 48 integer +ATTRIBUTE Acct-Terminate-Cause 49 integer +ATTRIBUTE Acct-Multi-Session-Id 50 string +ATTRIBUTE Acct-Link-Count 51 integer +ATTRIBUTE Acct-Tunnel-Connection 68 string +ATTRIBUTE Acct-Tunnel-Packets-Lost 86 integer +ATTRIBUTE Tunnel-Type 64 integer has_tag +ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag +ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag +ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag +ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2 +ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag +ATTRIBUTE Tunnel-Assignment-Id 82 string has_tag +ATTRIBUTE Tunnel-Preference 83 integer has_tag +ATTRIBUTE Tunnel-Client-Auth-Id 90 string has_tag +ATTRIBUTE Tunnel-Server-Auth-Id 91 string has_tag +ATTRIBUTE Acct-Input-Gigawords 52 integer +ATTRIBUTE Acct-Output-Gigawords 53 integer +ATTRIBUTE Event-Timestamp 55 date +ATTRIBUTE ARAP-Password 70 octets[16] +ATTRIBUTE ARAP-Features 71 octets[14] +ATTRIBUTE ARAP-Zone-Access 72 integer +ATTRIBUTE ARAP-Security 73 integer +ATTRIBUTE ARAP-Security-Data 74 string +ATTRIBUTE Password-Retry 75 integer +ATTRIBUTE Prompt 76 integer +ATTRIBUTE Connect-Info 77 string +ATTRIBUTE Configuration-Token 78 string +ATTRIBUTE EAP-Message 79 octets +ATTRIBUTE Message-Authenticator 80 octets +ATTRIBUTE ARAP-Challenge-Response 84 octets[8] +ATTRIBUTE Acct-Interim-Interval 85 integer +ATTRIBUTE NAS-Port-Id 87 string +ATTRIBUTE Framed-Pool 88 string +ATTRIBUTE NAS-IPv6-Address 95 ipv6addr +ATTRIBUTE Framed-Interface-Id 96 ifid +ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix +ATTRIBUTE Login-IPv6-Host 98 ipv6addr +ATTRIBUTE Framed-IPv6-Route 99 string +ATTRIBUTE Framed-IPv6-Pool 100 string +ATTRIBUTE Error-Cause 101 integer +ATTRIBUTE EAP-Key-Name 102 string +ATTRIBUTE Chargeable-User-Identity 89 string +ATTRIBUTE Egress-VLANID 56 integer +ATTRIBUTE Ingress-Filters 57 integer +ATTRIBUTE Egress-VLAN-Name 58 string +ATTRIBUTE User-Priority-Table 59 octets +ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix +ATTRIBUTE NAS-Filter-Rule 92 string +ATTRIBUTE Digest-Response 103 string +ATTRIBUTE Digest-Realm 104 string +ATTRIBUTE Digest-Nonce 105 string +ATTRIBUTE Digest-Response-Auth 106 string +ATTRIBUTE Digest-Nextnonce 107 string +ATTRIBUTE Digest-Method 108 string +ATTRIBUTE Digest-URI 109 string +ATTRIBUTE Digest-Qop 110 string +ATTRIBUTE Digest-Algorithm 111 string +ATTRIBUTE Digest-Entity-Body-Hash 112 string +ATTRIBUTE Digest-CNonce 113 string +ATTRIBUTE Digest-Nonce-Count 114 string +ATTRIBUTE Digest-Username 115 string +ATTRIBUTE Digest-Opaque 116 string +ATTRIBUTE Digest-Auth-Param 117 string +ATTRIBUTE Digest-AKA-Auts 118 string +ATTRIBUTE Digest-Domain 119 string +ATTRIBUTE Digest-Stale 120 string +ATTRIBUTE Digest-HA1 121 string +ATTRIBUTE SIP-AOR 122 string +ATTRIBUTE Operator-Name 126 string +ATTRIBUTE Location-Information 127 octets +ATTRIBUTE Location-Data 128 octets +ATTRIBUTE Basic-Location-Policy-Rules 129 octets +ATTRIBUTE Extended-Location-Policy-Rules 130 octets +ATTRIBUTE Location-Capable 131 integer +ATTRIBUTE Requested-Location-Info 132 integer +ATTRIBUTE Framed-Management 133 integer +ATTRIBUTE Management-Transport-Protection 134 integer +ATTRIBUTE Management-Policy-Id 135 string +ATTRIBUTE Management-Privilege-Level 136 integer +ATTRIBUTE PKM-SS-Cert 137 octets +ATTRIBUTE PKM-CA-Cert 138 octets +ATTRIBUTE PKM-Config-Settings 139 octets +ATTRIBUTE PKM-Cryptosuite-List 140 octets +ATTRIBUTE PKM-SAID 141 short +ATTRIBUTE PKM-SA-Descriptor 142 octets +ATTRIBUTE PKM-Auth-Key 143 octets diff --git a/lib/radius/share/dictionary.vendor b/lib/radius/share/dictionary.vendor new file mode 100644 index 0000000..571dbc4 --- /dev/null +++ b/lib/radius/share/dictionary.vendor @@ -0,0 +1,10 @@ +# a sample vendor-specific dictionary + +VENDOR example 65535 + +BEGIN-VENDOR example +ATTRIBUTE Example-Integer 1 integer +ATTRIBUTE Example-String 2 string +ATTRIBUTE Example-IP-Address 3 ipaddr + +END-VENDOR example diff --git a/lib/radius/static.c b/lib/radius/static.c new file mode 100644 index 0000000..d633e5b --- /dev/null +++ b/lib/radius/static.c @@ -0,0 +1,37 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file static.c + * \brief Dummy file to include auto-generating static dictionary mappings. + */ + +#include + +/* + * Include the dynamically generated dictionaries. + */ +#include "dictionaries.c" diff --git a/lib/radius/tests/Makefile b/lib/radius/tests/Makefile new file mode 100644 index 0000000..b9d74ad --- /dev/null +++ b/lib/radius/tests/Makefile @@ -0,0 +1,25 @@ +# +# GNU Makefile +# +.PHONY: all clean +all: radattr + +HEADERS := ../client.h ../radius.h +CFLAGS := -g + +%.o : %.c + $(CC) $(CFLAGS) -I.. -I. -c $< + +%.o: ${HEADERS} + +LIBS := -lcrypto -lssl +LDFLAGS = -L.. -lnetworkradius-client + +../libnetworkradius-client.a: + @${MAKE} -C .. libnetworkradius-client.a + +radattr: radattr.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +clean: + @rm -rf *.o *.a *~ diff --git a/lib/radius/tests/radattr.c b/lib/radius/tests/radattr.c new file mode 100644 index 0000000..d41499a --- /dev/null +++ b/lib/radius/tests/radattr.c @@ -0,0 +1,769 @@ +/* + * Copyright (C) 2011 Network RADIUS SARL + * + * This software may not be redistributed in any form without the prior + * written consent of Network RADIUS. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include + +#include + +#include + +static int packet_code = PW_ACCESS_REQUEST; +static int packet_id = 1; +static uint8_t packet_vector[16] = { 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0 }; +static char secret[256] = "testing123"; + +static int encode_tlv(char *buffer, uint8_t *output, size_t outlen); + +static const char *hextab = "0123456789abcdef"; + +static int encode_data_string(char *buffer, + uint8_t *output, size_t outlen) +{ + int length = 0; + char *p; + + p = buffer + 1; + + while (*p && (outlen > 0)) { + if (*p == '"') { + return length; + } + + if (*p != '\\') { + *(output++) = *(p++); + outlen--; + length++; + continue; + } + + switch (p[1]) { + default: + *(output++) = p[1]; + break; + + case 'n': + *(output++) = '\n'; + break; + + case 'r': + *(output++) = '\r'; + break; + + case 't': + *(output++) = '\t'; + break; + } + + outlen--; + length++; + } + + fprintf(stderr, "String is not terminated\n"); + return 0; +} + +static int encode_data_tlv(char *buffer, char **endptr, + uint8_t *output, size_t outlen) +{ + int depth = 0; + int length; + char *p; + + for (p = buffer; *p != '\0'; p++) { + if (*p == '{') depth++; + if (*p == '}') { + depth--; + if (depth == 0) break; + } + } + + if (*p != '}') { + fprintf(stderr, "No trailing '}' in string starting " + "with \"%s\"\n", + buffer); + return 0; + } + + *endptr = p + 1; + *p = '\0'; + + p = buffer + 1; + while (isspace((int) *p)) p++; + + length = encode_tlv(p, output, outlen); + if (length == 0) return 0; + + return length; +} + +static int encode_hex(char *p, uint8_t *output, size_t outlen) +{ + int length = 0; + while (*p) { + char *c1, *c2; + + while (isspace((int) *p)) p++; + + if (!*p) break; + + if(!(c1 = memchr(hextab, tolower((int) p[0]), 16)) || + !(c2 = memchr(hextab, tolower((int) p[1]), 16))) { + fprintf(stderr, "Invalid data starting at " + "\"%s\"\n", p); + return 0; + } + + *output = ((c1 - hextab) << 4) + (c2 - hextab); + output++; + length++; + p += 2; + + outlen--; + if (outlen == 0) { + fprintf(stderr, "Too much data\n"); + return 0; + } + } + + return length; +} + + +static int encode_data(char *p, uint8_t *output, size_t outlen) +{ + int length; + + if (!isspace((int) *p)) { + fprintf(stderr, "Invalid character following attribute " + "definition\n"); + return 0; + } + + while (isspace((int) *p)) p++; + + if (*p == '{') { + int sublen; + char *q; + + length = 0; + + do { + while (isspace((int) *p)) p++; + if (!*p) { + if (length == 0) { + fprintf(stderr, "No data\n"); + return 0; + } + + break; + } + + sublen = encode_data_tlv(p, &q, output, outlen); + if (sublen == 0) return 0; + + length += sublen; + output += sublen; + outlen -= sublen; + p = q; + } while (*q); + + return length; + } + + if (*p == '"') { + length = encode_data_string(p, output, outlen); + return length; + } + + length = encode_hex(p, output, outlen); + + if (length == 0) { + fprintf(stderr, "Empty string\n"); + return 0; + } + + return length; +} + +static int decode_attr(char *buffer, char **endptr) +{ + long attr; + + attr = strtol(buffer, endptr, 10); + if (*endptr == buffer) { + fprintf(stderr, "No valid number found in string " + "starting with \"%s\"\n", buffer); + return 0; + } + + if (!**endptr) { + fprintf(stderr, "Nothing follows attribute number\n"); + return 0; + } + + if ((attr <= 0) || (attr > 256)) { + fprintf(stderr, "Attribute number is out of valid " + "range\n"); + return 0; + } + + return (int) attr; +} + +static int decode_vendor(char *buffer, char **endptr) +{ + long vendor; + + if (*buffer != '.') { + fprintf(stderr, "Invalid separator before vendor id\n"); + return 0; + } + + vendor = strtol(buffer + 1, endptr, 10); + if (*endptr == (buffer + 1)) { + fprintf(stderr, "No valid vendor number found\n"); + return 0; + } + + if (!**endptr) { + fprintf(stderr, "Nothing follows vendor number\n"); + return 0; + } + + if ((vendor <= 0) || (vendor > (1 << 24))) { + fprintf(stderr, "Vendor number is out of valid range\n"); + return 0; + } + + if (**endptr != '.') { + fprintf(stderr, "Invalid data following vendor number\n"); + return 0; + } + (*endptr)++; + + return (int) vendor; +} + +static int encode_tlv(char *buffer, uint8_t *output, size_t outlen) +{ + int attr; + int length; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + output[0] = attr; + output[1] = 2; + + if (*p == '.') { + p++; + length = encode_tlv(p, output + 2, outlen - 2); + + } else { + length = encode_data(p, output + 2, outlen - 2); + } + + if (length == 0) return 0; + if (length > (255 - 2)) { + fprintf(stderr, "TLV data is too long\n"); + return 0; + } + + output[1] += length; + + return length + 2; +} + +static int encode_vsa(char *buffer, uint8_t *output, size_t outlen) +{ + int vendor; + int length; + char *p; + + vendor = decode_vendor(buffer, &p); + if (vendor == 0) return 0; + + output[0] = 0; + output[1] = (vendor >> 16) & 0xff; + output[2] = (vendor >> 8) & 0xff; + output[3] = vendor & 0xff; + + length = encode_tlv(p, output + 4, outlen - 4); + if (length == 0) return 0; + if (length > (255 - 6)) { + fprintf(stderr, "VSA data is too long\n"); + return 0; + } + + + return length + 4; +} + +static int encode_evs(char *buffer, uint8_t *output, size_t outlen) +{ + int vendor; + int attr; + int length; + char *p; + + vendor = decode_vendor(buffer, &p); + if (vendor == 0) return 0; + + attr = decode_attr(p, &p); + if (attr == 0) return 0; + + output[0] = 0; + output[1] = (vendor >> 16) & 0xff; + output[2] = (vendor >> 8) & 0xff; + output[3] = vendor & 0xff; + output[4] = attr; + + length = encode_data(p, output + 5, outlen - 5); + if (length == 0) return 0; + + return length + 5; +} + +static int encode_extended(char *buffer, + uint8_t *output, size_t outlen) +{ + int attr; + int length; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + output[0] = attr; + + if (attr == 26) { + length = encode_evs(p, output + 1, outlen - 1); + } else { + length = encode_data(p, output + 1, outlen - 1); + } + if (length == 0) return 0; + if (length > (255 - 3)) { + fprintf(stderr, "Extended Attr data is too long\n"); + return 0; + } + + return length + 1; +} + +static int encode_extended_flags(char *buffer, + uint8_t *output, size_t outlen) +{ + int attr; + int length, total; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + /* output[0] is the extended attribute */ + output[1] = 4; + output[2] = attr; + output[3] = 0; + + if (attr == 26) { + length = encode_evs(p, output + 4, outlen - 4); + if (length == 0) return 0; + + output[1] += 5; + length -= 5; + } else { + length = encode_data(p, output + 4, outlen - 4); + } + if (length == 0) return 0; + + total = 0; + while (1) { + int sublen = 255 - output[1]; + + if (length <= sublen) { + output[1] += length; + total += output[1]; + break; + } + + length -= sublen; + + memmove(output + 255 + 4, output + 255, length); + memcpy(output + 255, output, 4); + + output[1] = 255; + output[3] |= 0x80; + + output += 255; + output[1] = 4; + total += 255; + } + + return total; +} + +static int encode_rfc(char *buffer, uint8_t *output, size_t outlen) +{ + int attr; + int length, sublen; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + length = 2; + output[0] = attr; + output[1] = 2; + + if (attr == 26) { + sublen = encode_vsa(p, output + 2, outlen - 2); + + } else if ((attr < 241) || (attr > 246)) { + sublen = encode_data(p, output + 2, outlen - 2); + + } else { + if (*p != '.') { + fprintf(stderr, "Invalid data following " + "attribute number\n"); + return 0; + } + + if (attr < 245) { + sublen = encode_extended(p + 1, + output + 2, outlen - 2); + } else { + + /* + * Not like the others! + */ + return encode_extended_flags(p + 1, output, outlen); + } + } + if (sublen == 0) return 0; + if (sublen > (255 -2)) { + fprintf(stderr, "RFC Data is too long\n"); + return 0; + } + + output[1] += sublen; + return length + sublen; +} + +static int walk_callback(void *ctx, const DICT_ATTR *da, + const uint8_t *data, size_t sizeof_data) +{ + char **p = ctx; + + sprintf(*p, "v%u a%u l%ld,", + da->vendor, da->attr, sizeof_data); + + *p += strlen(*p); +} + +static void process_file(const char *filename) +{ + int lineno, rcode; + size_t i, outlen; + ssize_t len, data_len; + FILE *fp; + RADIUS_PACKET packet; + char input[8192], buffer[8192]; + char output[8192]; + uint8_t *attr, data[2048]; + + if (strcmp(filename, "-") == 0) { + fp = stdin; + filename = ""; + + } else { + fp = fopen(filename, "r"); + if (!fp) { + fprintf(stderr, "Error opening %s: %s\n", + filename, strerror(errno)); + exit(1); + } + } + + lineno = 0; + *output = '\0'; + data_len = 0; + + while (fgets(buffer, sizeof(buffer), fp) != NULL) { + char *p = strchr(buffer, '\n'); + VALUE_PAIR *vp, *head = NULL; + VALUE_PAIR **tail = &head; + + lineno++; + + if (!p) { + if (!feof(fp)) { + fprintf(stderr, "Line %d too long in %s\n", + lineno, filename); + exit(1); + } + } else { + *p = '\0'; + } + + p = strchr(buffer, '#'); + if (p) *p = '\0'; + + p = buffer; + while (isspace((int) *p)) p++; + if (!*p) continue; + + strcpy(input, p); + + if (strncmp(p, "raw ", 4) == 0) { + outlen = encode_rfc(p + 4, data, sizeof(data)); + if (outlen == 0) { + fprintf(stderr, "Parse error in line %d of %s\n", + lineno, filename); + exit(1); + } + + print_hex: + if (outlen == 0) { + output[0] = 0; + continue; + } + + data_len = outlen; + for (i = 0; i < outlen; i++) { + snprintf(output + 3*i, sizeof(output), + "%02x ", data[i]); + } + outlen = strlen(output); + output[outlen - 1] = '\0'; + continue; + } + + if (strncmp(p, "data ", 5) == 0) { + if (strcmp(p + 5, output) != 0) { + fprintf(stderr, "Mismatch in line %d of %s, expected: %s\n", + lineno, filename, output); + exit(1); + } + continue; + } + + head = NULL; + if (strncmp(p, "encode ", 7) == 0) { + if (strcmp(p + 7, "-") == 0) { + p = output; + } else { + p += 7; + } + + rcode = nr_vp_sscanf(p, &head); + if (rcode < 0) { + strcpy(output, nr_strerror(rcode)); + continue; + } + + attr = data; + vp = head; + while (vp != NULL) { + len = nr_vp2attr(NULL, NULL, &vp, + attr, sizeof(data) - (attr - data)); + if (len < 0) { + fprintf(stderr, "Failed encoding %s: %s\n", + vp->da->name, nr_strerror(len)); + exit(1); + } + + attr += len; + if (len == 0) break; + } + + nr_vp_free(&head); + outlen = len; + goto print_hex; + } + + if (strncmp(p, "decode ", 7) == 0) { + ssize_t my_len; + + if (strcmp(p + 7, "-") == 0) { + attr = data; + len = data_len; + } else { + attr = data; + len = encode_hex(p + 7, data, sizeof(data)); + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + } + + while (len > 0) { + vp = NULL; + my_len = nr_attr2vp(NULL, NULL, + attr, len, &vp); + if (my_len < 0) { + nr_vp_free(&head); + break; + } + + if (my_len > len) { + fprintf(stderr, "Internal sanity check failed at %d\n", __LINE__); + exit(1); + } + + *tail = vp; + while (vp) { + tail = &(vp->next); + vp = vp->next; + } + + attr += my_len; + len -= my_len; + } + + /* + * Output may be an error, and we ignore + * it if so. + */ + if (head) { + p = output; + for (vp = head; vp != NULL; vp = vp->next) { + nr_vp_snprintf(p, sizeof(output) - (p - output), vp); + p += strlen(p); + + if (vp->next) {strcpy(p, ", "); + p += 2; + } + } + + nr_vp_free(&head); + } else if (my_len < 0) { + strcpy(output, nr_strerror(my_len)); + + } else { /* zero-length attribute */ + *output = '\0'; + } + continue; + } + + if (strncmp(p, "walk ", 5) == 0) { + len = encode_hex(p + 5, data + 20, sizeof(data) - 20); + + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + + memset(data, 0, 20); + packet.data = data; + packet.length = len + 20; + packet.data[2] = ((len + 20) >> 8) & 0xff; + packet.data[3] = (len + 20) & 0xff; + + *output = '\0'; + p = output; + + rcode = nr_packet_walk(&packet, &p, walk_callback); + if (rcode < 0) { + snprintf(output, sizeof(output), "%d", rcode); + continue; + } + + if (*output) output[strlen(output) - 1] = '\0'; + continue; + } + + if (strncmp(p, "$INCLUDE ", 9) == 0) { + p += 9; + while (isspace((int) *p)) p++; + + process_file(p); + continue; + } + + if (strncmp(p, "secret ", 7) == 0) { + strlcpy(secret, p + 7, sizeof(secret)); + strlcpy(output, secret, sizeof(output)); + continue; + } + + if (strncmp(p, "code ", 5) == 0) { + packet_code = atoi(p + 5); + snprintf(output, sizeof(output), "%u", packet_code); + continue; + } + + if (strncmp(p, "sign ", 5) == 0) { + len = encode_hex(p + 5, data + 20, sizeof(data) - 20); + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + + memset(&packet, 0, sizeof(packet)); + packet.secret = secret; + packet.sizeof_secret = strlen(secret); + packet.code = packet_code; + packet.id = packet_id; + memcpy(packet.vector, packet_vector, 16); + packet.data = data; + packet.length = len + 20; + + /* + * Hack encode the packet. + */ + packet.data[0] = packet_code; + packet.data[1] = packet_id; + packet.data[2] = ((len + 20) >> 8) & 0xff; + packet.data[3] = (len + 20) & 0xff; + memcpy(packet.data + 4, packet_vector, 16); + + rcode = nr_packet_sign(&packet, NULL); + if (rcode < 0) { + snprintf(output, sizeof(output), "%d", rcode); + continue; + } + + memcpy(data, packet.vector, sizeof(packet.vector)); + outlen = sizeof(packet.vector); + goto print_hex; + } + + fprintf(stderr, "Unknown input at line %d of %s\n", + lineno, filename); + exit(1); + } + + if (fp != stdin) fclose(fp); +} + +int main(int argc, char *argv[]) +{ + int c; + + if (argc < 2) { + process_file("-"); + + } else { + process_file(argv[1]); + } + + return 0; +} diff --git a/lib/radius/tests/rfc.txt b/lib/radius/tests/rfc.txt new file mode 100644 index 0000000..d8bd613 --- /dev/null +++ b/lib/radius/tests/rfc.txt @@ -0,0 +1,144 @@ +# All attribute lengths are implicit, and are calculated automatically +# +# Input is of the form: +# +# WORD ... +# +# The WORD is a keyword which indicates the format of the following text. +# WORD is one of: +# +# raw - read the grammar defined below, and encode an attribute. +# The grammer supports a trivial way of describing RADIUS +# attributes, without reference to dictionaries or fancy +# parsers +# +# encode - reads "Attribute-Name = value", encodes it, and prints +# the result as text. +# use "-" to encode the output of the last command +# +# decode - reads hex, and decodes it "Attribute-Name = value" +# use "-" to decode the output of the last command +# +# data - the expected output of the previous command, in ASCII form. +# if the actual command output is different, an error message +# is produced, and the program terminates. +# +# +# The "raw" input satisfies the following grammar: +# +# Identifier = 1*DIGIT *( "." 1*DIGIT ) +# +# HEXCHAR = HEXDIG HEXDIG +# +# STRING = DQUOTE *CHAR DQUOTE +# +# TLV = "{" 1*DIGIT DATA "}" +# +# DATA = 1*HEXCHAR / 1*TLV / STRING +# +# LINE = Identifier DATA +# +# The "Identifier" is a RADIUS attribute identifier, as given in the draft. +# +# e.g. 1 for User-Name +# 26.9.1 Vendor-Specific, Cisco, Cisco-AVPAir +# 241.1 Extended Attribute, number 1 +# 241.2.3 Extended Attribute 2, data type TLV, TLV type 3 +# etc. +# +# The "DATA" portion is the contents of the RADIUS Attribute. +# +# 123456789abcdef hex string +# 12 34 56 ab with spaces for clarity +# "hello" Text string +# { 1 abcdef } TLV, TLV-Type 1, data "abcdef" +# +# TLVs can be nested: +# +# { tlv-type { tlv-type data } } { 3 { 4 01020304 } } +# +# TLVs can be concatencated +# +# {tlv-type data } { tlv-type data} { 3 040506 } { 8 aabbcc } +# +# The "raw" data is encoded without reference to dictionaries. Any +# valid string is parsed to a RADIUS attribute. The resulting RADIUS +# attribute *may not* be correctly formatted to the relevant RADIUS +# specifications. i.e. you can use this tool to create attribute 1 +# (User-Name), which is encoded as a series of TLVs. That's up to you. +# +# The purpose of the "raw" command is to have a simple way of encoding +# attributes which is independent of any dictionaries or packet processing +# routines. +# +# The output data is the hex version of the encoded attribute. +# + +encode User-Name = bob +data 01 05 62 6f 62 + +decode - +data User-Name = "bob" + +decode 01 05 62 6f 62 +data User-Name = "bob" + +# +# The Type/Length is OK, but the attribute data is of the wrong size. +# +decode 04 04 ab cd +data Attr-4 = 0xabcd + +# Zero-length attributes +decode 01 02 +data + +# don't encode zero-length attributes +#encode User-Name = "" +#data + +# except for CUI. Thank you, WiMAX! +decode 59 02 +data Chargeable-User-Identity = "" + +# Hah! Thought you had it figured out, didn't you? +#encode - +#data 59 02 + +encode NAS-Port = 10 +data 05 06 00 00 00 0a + +decode - +data NAS-Port = 10 + +walk 05 06 00 00 00 0a +data v0 a5 l4 + +walk 05 06 00 00 00 0a 02 06 00 00 00 0a +data v0 a5 l4,v0 a2 l4 + +walk 1a 0c 00 00 00 01 05 06 00 00 00 0a +data v1 a5 l4 + +walk 1a 12 00 00 00 01 05 06 00 00 00 0a 03 06 00 00 00 0a +data v1 a5 l4,v1 a3 l4 + +# Access-Request, code 1, authentication vector of zero +sign 05 06 00 00 00 0a +data 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +code 4 + +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 + +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 + +secret hello +sign 05 06 00 00 00 0a +data 69 20 c0 b9 e1 2f 12 54 9f 92 16 5e f4 64 9b fd + +secret testing123 +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c new file mode 100644 index 0000000..603a970 --- /dev/null +++ b/lib/radius/valuepair.c @@ -0,0 +1,199 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file valuepair.c + * \brief Functions to manipulate C structure versions of RADIUS attributes. + */ + +#include + +void nr_vp_free(VALUE_PAIR **head) +{ + VALUE_PAIR *next, *vp; + + if (!head || !*head) return; + + vp = *head; + do { + if (vp) next = vp->next; + if (vp->da->flags.encrypt) { + memset(vp, 0, sizeof(vp)); + } + free(vp); + vp = next; + } while (next); + + *head = NULL; +} + + +VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da) +{ + memset(vp, 0, sizeof(*vp)); + + vp->da = da; + vp->length = da->flags.length; + + return vp; +} + + +VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da) +{ + VALUE_PAIR *vp = NULL; + + if (!da) { + nr_strerror_printf("Unknown attribute"); + return NULL; + } + +#ifndef NR_NO_MALLOC + vp = malloc(sizeof(*vp)); +#endif + if (!vp) { + nr_strerror_printf("Out of memory"); + return NULL; + } + + return nr_vp_init(vp, da); +} + +VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor) +{ + VALUE_PAIR *vp = NULL; + DICT_ATTR *da; + +#ifndef NR_NO_MALLOC + vp = malloc(sizeof(*vp) + sizeof(*da) + 64); +#endif + if (!vp) { + nr_strerror_printf("Out of memory"); + return NULL; + } + memset(vp, 0, sizeof(*vp)); + + da = (DICT_ATTR *) (vp + 1); + + if (nr_dict_attr_2struct(da, attr, vendor, (char *) (da + 1), 64) < 0) { + free(vp); + return NULL; + } + + vp->da = da; + + return vp; +} + +int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) +{ + int rcode = 1; /* OK */ + + if (!vp || !data || (sizeof_data == 0)) return -NR_ERR_INVALID_ARG; + + switch (vp->da->type) { + case NR_TYPE_BYTE: + vp->vp_integer = *(const uint8_t *) data; + break; + + case NR_TYPE_SHORT: + vp->vp_integer = *(const uint16_t *) data; + break; + + case NR_TYPE_INTEGER: + case NR_TYPE_DATE: + case NR_TYPE_IPADDR: + vp->vp_integer = *(const uint32_t *) data; + break; + + case NR_TYPE_STRING: + if (sizeof_data >= sizeof(vp->vp_strvalue)) { + sizeof_data = sizeof(vp->vp_strvalue) - 1; + rcode = 0; /* truncated */ + } + + memcpy(vp->vp_strvalue, (const char *) data, sizeof_data); + vp->vp_strvalue[sizeof_data + 1] = '\0'; + vp->length = sizeof_data; + break; + + case NR_TYPE_OCTETS: + if (sizeof_data > sizeof(vp->vp_octets)) { + sizeof_data = sizeof(vp->vp_octets); + rcode = 0; /* truncated */ + } + memcpy(vp->vp_octets, data, sizeof_data); + vp->length = sizeof_data; + break; + + default: + return -NR_ERR_ATTR_TYPE_UNKNOWN; + } + + return rcode; +} + +VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, size_t data_len) +{ + const DICT_ATTR *da; + VALUE_PAIR *vp; + + da = nr_dict_attr_byvalue(attr, vendor); + if (!da) return NULL; + + vp = nr_vp_alloc(da); + if (!vp) return NULL; + + if (nr_vp_set_data(vp, data, data_len) < 0) { + nr_vp_free(&vp); + return NULL; + } + + return vp; +} + +void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *tail) +{ + if (!tail) return; + + while (*head) { + head = &((*head)->next); + } + + *head = tail; +} + +VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, + unsigned int attr, unsigned int vendor) +{ + while (head) { + if ((head->da->attr == attr) && + (head->da->vendor == vendor)) return head; + head = head->next; + } + + return NULL; +} -- cgit v1.1 From a13cddc1331aa1f5e7dca7d1b44482951d2757bf Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sun, 13 Nov 2011 17:16:14 +1100 Subject: port to new RADIUS client library --- lib/radius/.gitignore | 1 + lib/radius/Makefile | 68 -- lib/radius/Makefile.am | 37 + lib/radius/attrs.c | 214 ++--- lib/radius/client.h | 202 ++--- lib/radius/common.pl | 2 +- lib/radius/convert.pl | 4 +- lib/radius/crypto.c | 88 +-- lib/radius/custom.c | 2 +- lib/radius/dict.c | 12 +- lib/radius/dictionaries.c | 1515 ------------------------------------ lib/radius/examples/example_1.c | 8 +- lib/radius/examples/example_2.c | 8 +- lib/radius/examples/example_3.c | 12 +- lib/radius/examples/example_4.c | 6 +- lib/radius/id.c | 36 +- lib/radius/packet.c | 154 ++-- lib/radius/parse.c | 38 +- lib/radius/print.c | 71 +- lib/radius/radius.h | 314 -------- lib/radius/share/dictionary.ukerna | 19 + lib/radius/static.c | 2 +- lib/radius/valuepair.c | 24 +- 23 files changed, 427 insertions(+), 2410 deletions(-) create mode 100644 lib/radius/.gitignore delete mode 100644 lib/radius/Makefile create mode 100644 lib/radius/Makefile.am delete mode 100644 lib/radius/dictionaries.c delete mode 100644 lib/radius/radius.h create mode 100644 lib/radius/share/dictionary.ukerna (limited to 'lib/radius') diff --git a/lib/radius/.gitignore b/lib/radius/.gitignore new file mode 100644 index 0000000..1af03df --- /dev/null +++ b/lib/radius/.gitignore @@ -0,0 +1 @@ +dictionaries.c diff --git a/lib/radius/Makefile b/lib/radius/Makefile deleted file mode 100644 index 63eff89..0000000 --- a/lib/radius/Makefile +++ /dev/null @@ -1,68 +0,0 @@ -# -# GNU Makefile -# -.PHONY: all clean install -all: libnetworkradius-client.a - -SRCS := dict.c attrs.c packet.c valuepair.c static.c id.c \ - crypto.c custom.c print.c parse.c - -OBJS := ${SRCS:.c=.o} - -HEADERS := client.h radius.h - -CFLAGS := -I. -g -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef - -VERSION := 1.0 -NAME := networkradius-client-$(VERSION) - - -# -# The DICTIONARIES variable can be used to point to the FreeRADIUS -# dictionaries. -# -ifeq "${DICTIONARIES}" "" -DICTIONARIES := $(filter-out %~,$(wildcard share/dictionary*)) -endif - -${OBJS}: ${HEADERS} - -radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl - ./convert.pl ${DICTIONARIES} - -static.o: static.c dictionaries.c - -%.o : %.c - $(CC) $(CFLAGS) -c $< - -%.o: ${HEADERS} - -.PHONY: networkradius-devel -networkradius-devel: - @[ -e $@ ] || ln -s . $@ - -libnetworkradius-client.a: ${OBJS} - ${AR} ${ARFLAGS} $@ $^ - -LIBS := -lcrypto -lssl -LDFLAGS = -L. -lnetworkradius-client - -.PHONY: html -html: - doxygen doxygen.conf - -clean: - @rm -rf *.o *.a *~ html - -install: libnetworkradius-client.a - -.PHONY: publish -publish: - @scp -r html/* networkradius.com@liberty:www.new/site/clientapi/ - -$(NAME).tar.gz: $(wildcard Makefile *.pl *.txt *.[ch] \ - examples/*.[ch] doc/*.txt share/dictionary*) - git archive --format=tar --prefix=$(NAME)/ bsd | gzip > $@ - -.PHONY: tar -tar: $(NAME).tar.gz diff --git a/lib/radius/Makefile.am b/lib/radius/Makefile.am new file mode 100644 index 0000000..1b66ca6 --- /dev/null +++ b/lib/radius/Makefile.am @@ -0,0 +1,37 @@ +AUTOMAKE_OPTIONS = foreign +ACLOCAL_AMFLAGS = -I m4 + +INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir) +AM_CFLAGS = -Wall -g + +noinst_LTLIBRARIES = libradsec-radius.la + +libradsec_radius_la_SOURCES = \ + attrs.c \ + crypto.c \ + custom.c \ + dict.c \ + id.c \ + packet.c \ + parse.c \ + print.c \ + static.c \ + valuepair.c + +libradsec_radius_la_CFLAGS = $(AM_CFLAGS) + +DICTIONARIES = \ + share/dictionary.txt \ + share/dictionary.microsoft \ + share/dictionary.ukerna + +$(top_srcdir)/include/radsec/radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl + $(srcdir)/convert.pl ${DICTIONARIES} + +static.$(OBJEXT): static.c dictionaries.c + +clean-local: + rm -f dictionaries.c + +$(libradsec_radius_la_SOURCES): $(top_srcdir)/include/radsec/radius.h + diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c index 4fd2bf4..d096cc2 100644 --- a/lib/radius/attrs.c +++ b/lib/radius/attrs.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Attribute encoding and decoding routines. */ -#include +#include "client.h" /* * Encodes the data portion of an attribute. @@ -48,7 +48,7 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, uint8_t array[4]; const VALUE_PAIR *vp = *pvp; -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV /* * See if we need to encode a TLV. The low portion of * the attribute has already been placed into the packer. @@ -73,41 +73,41 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, len = vp->length; switch(vp->da->type) { - case NR_TYPE_IPV6PREFIX: + case RS_TYPE_IPV6PREFIX: len = sizeof(vp->vp_ipv6prefix); break; - case NR_TYPE_STRING: - case NR_TYPE_OCTETS: - case NR_TYPE_IFID: - case NR_TYPE_IPV6ADDR: -#ifdef NR_TYPE_ABINARY - case NR_TYPE_ABINARY: + case RS_TYPE_STRING: + case RS_TYPE_OCTETS: + case RS_TYPE_IFID: + case RS_TYPE_IPV6ADDR: +#ifdef RS_TYPE_ABINARY + case RS_TYPE_ABINARY: #endif /* nothing more to do */ break; - case NR_TYPE_BYTE: + case RS_TYPE_BYTE: len = 1; /* just in case */ array[0] = vp->vp_integer & 0xff; data = array; break; - case NR_TYPE_SHORT: + case RS_TYPE_SHORT: len = 2; /* just in case */ array[0] = (vp->vp_integer >> 8) & 0xff; array[1] = vp->vp_integer & 0xff; data = array; break; - case NR_TYPE_INTEGER: + case RS_TYPE_INTEGER: len = 4; /* just in case */ lvalue = htonl(vp->vp_integer); memcpy(array, &lvalue, sizeof(lvalue)); data = array; break; - case NR_TYPE_IPADDR: + case RS_TYPE_IPADDR: data = (const uint8_t *) &vp->vp_ipaddr; len = 4; /* just in case */ break; @@ -115,14 +115,14 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, /* * There are no tagged date attributes. */ - case NR_TYPE_DATE: + case RS_TYPE_DATE: lvalue = htonl(vp->vp_date); data = (const uint8_t *) &lvalue; len = 4; /* just in case */ break; #ifdef VENDORPEC_WIMAX - case NR_TYPE_SIGNED: + case RS_TYPE_SIGNED: { int32_t slvalue; @@ -133,12 +133,12 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, } #endif -#ifdef NR_TYPE_TLV - case NR_TYPE_TLV: +#ifdef RS_TYPE_TLV + case RS_TYPE_TLV: data = vp->vp_tlv; if (!data) { nr_debug_error("ERROR: Cannot encode NULL TLV"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } len = vp->length; break; @@ -146,7 +146,7 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, default: /* unknown type: ignore it */ nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type); - return -NR_ERR_ATTR_TYPE_UNKNOWN; + return -RSE_ATTR_TYPE_UNKNOWN; } /* @@ -194,7 +194,7 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, default: if (!original) { nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name); - return -NR_ERR_REQUEST_REQUIRED; + return -RSE_REQUEST_REQUIRED; } if (lvalue) ptr[0] = vp->tag; @@ -230,11 +230,11 @@ static ssize_t vp2data_any(const RADIUS_PACKET *packet, default: if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) { - if (vp->da->type == NR_TYPE_STRING) { + if (vp->da->type == RS_TYPE_STRING) { if (len > ((ssize_t) (room - 1))) len = room - 1; ptr[0] = vp->tag; ptr++; - } else if (vp->da->type == NR_TYPE_INTEGER) { + } else if (vp->da->type == RS_TYPE_INTEGER) { array[0] = vp->tag; } /* else it can't be any other type */ } @@ -300,7 +300,7 @@ static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, dv = nr_dict_vendor_byvalue(vendor); if (!dv || ( -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV !(*pvp)->flags.is_tlv && #endif (dv->type == 1) && (dv->length == 1))) { @@ -308,7 +308,7 @@ static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, attribute, ptr, room); } -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV if ((*pvp)->flags.is_tlv) { return data2vp_tlvs(packet, original, 0, pvp, ptr, room); @@ -319,7 +319,7 @@ static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, default: nr_debug_error("vp2attr_vsa: Internal sanity check failed," " type %u", (unsigned) dv->type); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; case 4: ptr[0] = 0; /* attr must be 24-bit */ @@ -342,7 +342,7 @@ static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, default: nr_debug_error("vp2attr_vsa: Internal sanity check failed," " length %u", (unsigned) dv->length); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; case 0: break; @@ -392,9 +392,9 @@ ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, } #endif - if (vp->da->vendor > NR_MAX_VENDOR) { + if (vp->da->vendor > RS_MAX_VENDOR) { nr_debug_error("nr_vp2vsa: Invalid arguments"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } /* @@ -440,17 +440,17 @@ ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, if (vp->da->vendor != 0) { nr_debug_error("nr_vp2rfc called with VSA"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } if ((vp->da->attr == 0) || (vp->da->attr > 255)) { nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } #ifdef PW_CHARGEABLE_USER_IDENTITY if ((vp->length == 0) && - (vp->da != NR_DA_CHARGEABLE_USER_IDENTITY)) { + (vp->da != RS_DA_CHARGEABLE_USER_IDENTITY)) { *pvp = vp->next; return 0; } @@ -471,10 +471,10 @@ static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, { ssize_t rcode; const VALUE_PAIR *vp = *pvp; - NR_MD5_CTX ctx; - uint8_t buffer[MAX_STRING_LEN*2 + 1], *p; + RS_MD5_CTX ctx; + uint8_t buffer[RS_MAX_STRING_LEN*2 + 1], *p; VALUE_PAIR chap = { - NR_DA_CHAP_PASSWORD, + RS_DA_CHAP_PASSWORD, 17, 0, NULL, @@ -485,9 +485,9 @@ static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, }, }; - if ((vp->da->vendor != 0) || (vp->da != NR_DA_CHAP_PASSWORD)) { + if ((vp->da->vendor != 0) || (vp->da != RS_DA_CHAP_PASSWORD)) { nr_debug_error("nr_chap2rfc called with non-CHAP"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } p = buffer; @@ -505,9 +505,9 @@ static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, p += sizeof(packet->vector); } - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, buffer, p - buffer); - nr_MD5Final(&chap.vp_octets[1], &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, buffer, p - buffer); + RS_MD5Final(&chap.vp_octets[1], &ctx); chap.vp_octets[0] = buffer[0]; vp = &chap; @@ -531,7 +531,7 @@ static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, * instead use this one, which has the correct length and data. */ static const VALUE_PAIR fake_ma = { - NR_DA_MESSAGE_AUTHENTICATOR, + RS_DA_MESSAGE_AUTHENTICATOR, 16, 0, NULL, @@ -557,7 +557,7 @@ ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, */ if (vp->da->vendor != 0) { #ifdef VENDORPEC_EXTENDED - if (vp->da->vendor > NR_MAX_VENDOR) { + if (vp->da->vendor > RS_MAX_VENDOR) { return nr_vp2attr_extended(packet, original, pvp, start, room); @@ -575,7 +575,7 @@ ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, return nr_vp2vsa(packet, original, pvp, start, room); #else nr_debug_error("VSAs are not supported"); - return -NR_ERR_UNSUPPORTED; + return -RSE_UNSUPPORTED; #endif } @@ -593,7 +593,7 @@ ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, * know how to calculate it, or what the correct values * are. So... create one for him. */ - if (vp->da == NR_DA_MESSAGE_AUTHENTICATOR) { + if (vp->da == RS_DA_MESSAGE_AUTHENTICATOR) { ssize_t rcode; vp = &fake_ma; @@ -610,7 +610,7 @@ ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, * to calculate it, or what the correct values are. To * help, we calculate it for him. */ - if (vp->da == NR_DA_CHAP_PASSWORD) { + if (vp->da == RS_DA_CHAP_PASSWORD) { int encoded = 0; /* @@ -667,10 +667,10 @@ static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet, { VALUE_PAIR *vp; - if (length > sizeof(vp->vp_octets)) return -NR_ERR_ATTR_OVERFLOW; + if (length > sizeof(vp->vp_octets)) return -RSE_ATTR_OVERFLOW; vp = nr_vp_alloc_raw(attribute, vendor); - if (!vp) return -NR_ERR_NO_MEM; + if (!vp) return -RSE_NOMEM; memcpy(vp->vp_octets, data, length); vp->length = length; @@ -685,9 +685,9 @@ ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, VALUE_PAIR **pvp) { - if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; - if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; - if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; return data2vp_raw(packet, original, data[0], 0, data + 2, data[1] - 2, pvp); @@ -741,12 +741,12 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, attribute, vendor, data, length, pvp); } -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV /* * TLVs are handled first. They can't be tagged, and * they can't be encrypted. */ - if (da->da->type == NR_TYPE_TLV) { + if (da->da->type == RS_TYPE_TLV) { return data2vp_tlvs(packet, original, attribute, vendor, nest, data, length, pvp); @@ -761,7 +761,7 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, * out of memory. */ vp = nr_vp_alloc(da); - if (!vp) return -NR_ERR_NO_MEM; + if (!vp) return -RSE_NOMEM; /* * Handle tags. @@ -778,8 +778,8 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, */ vp->tag = data[0]; - if ((vp->da->type == NR_TYPE_STRING) || - (vp->da->type == NR_TYPE_OCTETS)) { + if ((vp->da->type == RS_TYPE_STRING) || + (vp->da->type == RS_TYPE_OCTETS)) { if (length == 0) goto raw; data_offset = 1; } @@ -870,51 +870,51 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, } switch (vp->da->type) { - case NR_TYPE_STRING: - case NR_TYPE_OCTETS: -#ifdef NR_TYPE_ABINARY - case NR_TYPE_ABINARY: + case RS_TYPE_STRING: + case RS_TYPE_OCTETS: +#ifdef RS_TYPE_ABINARY + case RS_TYPE_ABINARY: #endif /* nothing more to do */ break; - case NR_TYPE_BYTE: + case RS_TYPE_BYTE: vp->vp_integer = vp->vp_octets[0]; break; - case NR_TYPE_SHORT: + case RS_TYPE_SHORT: vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1]; break; - case NR_TYPE_INTEGER: + case RS_TYPE_INTEGER: memcpy(&vp->vp_integer, vp->vp_octets, 4); vp->vp_integer = ntohl(vp->vp_integer); if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff; break; - case NR_TYPE_DATE: + case RS_TYPE_DATE: memcpy(&vp->vp_date, vp->vp_octets, 4); vp->vp_date = ntohl(vp->vp_date); break; - case NR_TYPE_IPADDR: + case RS_TYPE_IPADDR: memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); break; /* * IPv6 interface ID is 8 octets long. */ - case NR_TYPE_IFID: + case RS_TYPE_IFID: /* vp->vp_ifid == vp->vp_octets */ break; /* * IPv6 addresses are 16 octets long */ - case NR_TYPE_IPV6ADDR: + case RS_TYPE_IPV6ADDR: /* vp->vp_ipv6addr == vp->vp_octets */ break; @@ -927,7 +927,7 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, * * The prefix length can have value 0 to 128. */ - case NR_TYPE_IPV6PREFIX: + case RS_TYPE_IPV6PREFIX: if (vp->length < 2 || vp->length > 18) goto raw; if (vp->vp_octets[1] > 128) goto raw; @@ -942,7 +942,7 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, break; #ifdef VENDORPEC_WIMAX - case NR_TYPE_SIGNED: + case RS_TYPE_SIGNED: if (vp->length != 4) goto raw; /* @@ -955,22 +955,22 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, break; #endif -#ifdef NR_TYPE_TLV - case NR_TYPE_TLV: +#ifdef RS_TYPE_TLV + case RS_TYPE_TLV: nr_vp_free(&vp); nr_debug_error("data2vp_any: Internal sanity check failed"); - return -NR_ERR_ATTR_TYPE_UNKNOWN; + return -RSE_ATTR_TYPE_UNKNOWN; #endif #ifdef VENDORPEC_WIMAX - case NR_TYPE_COMBO_IP: + case RS_TYPE_COMBO_IP: if (vp->length == 4) { - vp->da->type = NR_TYPE_IPADDR; + vp->da->type = RS_TYPE_IPADDR; memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); break; } else if (vp->length == 16) { - vp->da->type = NR_TYPE_IPV6ADDR; + vp->da->type = RS_TYPE_IPV6ADDR; /* vp->vp_ipv6addr == vp->vp_octets */ break; @@ -998,9 +998,9 @@ ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, { ssize_t rcode; - if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; - if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; - if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; rcode = data2vp_any(packet, original, 0, data[0], 0, data + 2, data[1] - 2, pvp); @@ -1020,7 +1020,7 @@ int nr_tlv_ok(const uint8_t *data, size_t length, if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) { nr_debug_error("nr_tlv_ok: Invalid arguments"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } while (data < end) { @@ -1028,7 +1028,7 @@ int nr_tlv_ok(const uint8_t *data, size_t length, if ((data + dv_type + dv_length) > end) { nr_debug_error("Attribute header overflow"); - return -NR_ERR_ATTR_TOO_SMALL; + return -RSE_ATTR_TOO_SMALL; } switch (dv_type) { @@ -1037,12 +1037,12 @@ int nr_tlv_ok(const uint8_t *data, size_t length, (data[2] == 0) && (data[3] == 0)) { zero: nr_debug_error("Invalid attribute 0"); - return -NR_ERR_ATTR_INVALID; + return -RSE_ATTR_INVALID; } if (data[0] != 0) { nr_debug_error("Invalid attribute > 2^24"); - return -NR_ERR_ATTR_INVALID; + return -RSE_ATTR_INVALID; } break; @@ -1056,7 +1056,7 @@ int nr_tlv_ok(const uint8_t *data, size_t length, default: nr_debug_error("Internal sanity check failed"); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } switch (dv_length) { @@ -1066,7 +1066,7 @@ int nr_tlv_ok(const uint8_t *data, size_t length, case 2: if (data[dv_type + 1] != 0) { nr_debug_error("Attribute is longer than 256 octets"); - return -NR_ERR_ATTR_TOO_LARGE; + return -RSE_ATTR_TOO_LARGE; } /* FALL-THROUGH */ case 1: @@ -1076,17 +1076,17 @@ int nr_tlv_ok(const uint8_t *data, size_t length, default: nr_debug_error("Internal sanity check failed"); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } if (attrlen < (dv_type + dv_length)) { nr_debug_error("Attribute header has invalid length"); - return -NR_ERR_PACKET_TOO_SMALL; + return -RSE_PACKET_TOO_SMALL; } if (attrlen > length) { nr_debug_error("Attribute overflows container"); - return -NR_ERR_ATTR_OVERFLOW; + return -RSE_ATTR_OVERFLOW; } data += attrlen; @@ -1113,7 +1113,7 @@ static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, #ifndef NDEBUG if (length <= (dv_type + dv_length)) { nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); - return -NR_ERR_PACKET_TOO_SMALL; + return -RSE_PACKET_TOO_SMALL; } #endif @@ -1136,7 +1136,7 @@ static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, default: nr_debug_error("attr2vp_vsa: Internal sanity check failed"); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } switch (dv_length) { @@ -1155,13 +1155,13 @@ static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, default: nr_debug_error("attr2vp_vsa: Internal sanity check failed"); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } #ifndef NDEBUG if (attrlen <= (ssize_t) (dv_type + dv_length)) { nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); - return -NR_ERR_PACKET_TOO_SMALL; + return -RSE_PACKET_TOO_SMALL; } #endif @@ -1177,7 +1177,7 @@ static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, nr_vp_free(pvp); nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d", (int) my_len, (int) attrlen); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } #endif @@ -1198,13 +1198,13 @@ ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, uint32_t lvalue; const DICT_VENDOR *dv; - if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; - if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; - if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; if (data[0] != PW_VENDOR_SPECIFIC) { nr_debug_error("nr_attr2vp_vsa: Invalid attribute"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } /* @@ -1256,7 +1256,7 @@ ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, if (my_len != (data[1] - 6)) { nr_vp_free(pvp); nr_debug_error("nr_attr2vp_vsa: Incomplete decode"); - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } #endif @@ -1273,9 +1273,9 @@ ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const uint8_t *data, size_t length, VALUE_PAIR **pvp) { - if (length < 2) return -NR_ERR_PACKET_TOO_SMALL; - if (data[1] < 2) return -NR_ERR_ATTR_TOO_SMALL; - if (data[1] > length) return -NR_ERR_ATTR_OVERFLOW; + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; #ifndef WITHOUT_VSAS /* @@ -1307,18 +1307,18 @@ ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, uint8_t *data, *attr; const uint8_t *end; - if (!packet || !pdata || !plength) return -NR_ERR_INVALID_ARG; + if (!packet || !pdata || !plength) return -RSE_INVAL; - if (!packet->data) return -NR_ERR_INVALID_ARG; - if (packet->length < 20) return -NR_ERR_INVALID_ARG; + if (!packet->data) return -RSE_INVAL; + if (packet->length < 20) return -RSE_INVAL; /* * Too long or short, not good. */ if ((start < 0) || - ((start > 0) && (start < 20))) return -NR_ERR_INVALID_ARG; + ((start > 0) && (start < 20))) return -RSE_INVAL; - if ((size_t) start >= (packet->length - 2)) return -NR_ERR_INVALID_ARG; + if ((size_t) start >= (packet->length - 2)) return -RSE_INVAL; end = packet->data + packet->length; @@ -1343,17 +1343,17 @@ ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, */ if ((attr + 2) > end) { nr_debug_error("Attribute overflows packet"); - return -NR_ERR_ATTR_OVERFLOW; + return -RSE_ATTR_OVERFLOW; } if (attr[1] < 2) { nr_debug_error("Attribute length is too small"); - return -NR_ERR_ATTR_TOO_SMALL; + return -RSE_ATTR_TOO_SMALL; } if ((attr + attr[1]) > end) { nr_debug_error("Attribute length is too large"); - return -NR_ERR_ATTR_TOO_LARGE; + return -RSE_ATTR_TOO_LARGE; } #endif @@ -1379,7 +1379,7 @@ ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, dv = nr_dict_vendor_byvalue(vendor); if (dv && ((dv->type != 1) || (dv->length != 1))) { - return -NR_ERR_VENDOR_UNKNOWN; + return -RSE_VENDOR_UNKNOWN; } } diff --git a/lib/radius/client.h b/lib/radius/client.h index 591884f..df9f834 100644 --- a/lib/radius/client.h +++ b/lib/radius/client.h @@ -29,6 +29,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Main header file. */ +#ifndef _RADIUS_CLIENT_H_ +#define _RADIUS_CLIENT_H_ 1 + /* * System-specific header files. */ @@ -42,10 +45,12 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include +#include + /* * Definitions of attributes. */ -#include +#include /** \defgroup build Build Helpers * @@ -135,38 +140,38 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #endif #ifdef WITHOUT_OPENSSL -#ifndef NR_MD5_CTX -#error NR_MD5_CTX must be defined +#ifndef RS_MD5_CTX +#error RS_MD5_CTX must be defined #endif -#ifndef nr_MD5Init +#ifndef RS_MD5Init #error n_rMD5Init must be defined #endif -#ifndef nr_MD5Update -#error nr_MD5Updyae must be defined +#ifndef RS_MD5Update +#error RS_MD5Updyae must be defined #endif -#ifndef nr_MD5Final -#error nr_MD5Final must be defined +#ifndef RS_MD5Final +#error RS_MD5Final must be defined #endif -#ifndef nr_MD5Transform -#error nr_MD5Transform must be defined +#ifndef RS_MD5Transform +#error RS_MD5Transform must be defined #endif #else /* WITHOUT_OPENSSL */ #include /** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define NR_MD5_CTX MD5_CTX +#define RS_MD5_CTX MD5_CTX /** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define nr_MD5Init MD5_Init +#define RS_MD5Init MD5_Init /** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define nr_MD5Update MD5_Update +#define RS_MD5Update MD5_Update /** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define nr_MD5Final MD5_Final +#define RS_MD5Final MD5_Final /** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define nr_MD5Transform MD5_Transform +#define RS_MD5Transform MD5_Transform #endif -#ifndef NR_MAX_PACKET_LEN +#ifndef RS_MAX_PACKET_LEN /** The maximum size of a packet that the library will send or receive. \ingroup custom * * The RFC requirement is to handle at least 4K packets. However, if @@ -176,144 +181,39 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * Be warned that any packets larger than this value will be ignored * and silently discarded. */ -#define NR_MAX_PACKET_LEN (4096) +#define RS_MAX_PACKET_LEN (4096) #endif -#ifndef NR_MAX_ATTRIBUTES +#ifndef RS_MAX_ATTRIBUTES /** The maximum number of attributes that the library will allow in a packet. \ingroup custom * - * Packets which contain more than ::NR_MAX_ATTRIBUTES will generate + * Packets which contain more than ::RS_MAX_ATTRIBUTES will generate * an error. This value is configurable because there may be a need * to accept a large mumber of attributes. * * This value is ignored when packets are sent. The library will * send as many attributes as it is told to send. */ -#define NR_MAX_ATTRIBUTES (200) +#define RS_MAX_ATTRIBUTES (200) #endif -#undef NR_MAX_PACKET_CODE +#undef RS_MAX_PACKET_CODE /** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict * * \attention This should not be changed, as it is used by other * structures such as ::nr_packet_codes. */ -#define NR_MAX_PACKET_CODE PW_COA_NAK +#define RS_MAX_PACKET_CODE PW_COA_NAK /** The maximum vendor number which is permitted. \ingroup dict * * The RFCs require that the Vendor Id or Private Enterprise Number * be encoded as 32 bits, with the upper 8 bits being zero. */ -#define NR_MAX_VENDOR (1 << 24) - -/** The maximum length of a RADIUS attribute. - * - * The RFCs require that a RADIUS attribute transport no more than - * 253 octets of data. We add an extra byte for a trailing NUL, so - * that the VALUE_PAIR::vp_strvalue field can be handled as a C - * string. - */ -#define MAX_STRING_LEN (254) +#define RS_MAX_VENDOR (1 << 24) /** Data Type Definitions. \ingroup dict */ -typedef enum nr_attr_type_t { - NR_TYPE_INVALID = 0, /**< Invalid data type */ - NR_TYPE_STRING, /**< printable-text */ - NR_TYPE_INTEGER, /**< a 32-bit unsigned integer */ - NR_TYPE_IPADDR, /**< an IPv4 address */ - NR_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */ - NR_TYPE_OCTETS, /**< a sequence of binary octets */ - NR_TYPE_IFID, /**< an Interface Id */ - NR_TYPE_IPV6ADDR, /**< an IPv6 address */ - NR_TYPE_IPV6PREFIX, /**< an IPv6 prefix */ - NR_TYPE_BYTE, /**< an 8-bit integer */ - NR_TYPE_SHORT, /**< a 16-bit integer */ -} nr_attr_type_t; - -#define PW_ACCESS_REQUEST 1 -#define PW_ACCESS_ACCEPT 2 -#define PW_ACCESS_REJECT 3 -#define PW_ACCOUNTING_REQUEST 4 -#define PW_ACCOUNTING_RESPONSE 5 -#define PW_ACCOUNTING_STATUS 6 -#define PW_PASSWORD_REQUEST 7 -#define PW_PASSWORD_ACK 8 -#define PW_PASSWORD_REJECT 9 -#define PW_ACCOUNTING_MESSAGE 10 -#define PW_ACCESS_CHALLENGE 11 -#define PW_STATUS_SERVER 12 -#define PW_STATUS_CLIENT 13 -#define PW_DISCONNECT_REQUEST 40 -#define PW_DISCONNECT_ACK 41 -#define PW_DISCONNECT_NAK 42 -#define PW_COA_REQUEST 43 -#define PW_COA_ACK 44 -#define PW_COA_NAK 45 - -/** Error codes \ingroup error - * - * The numerical value of these definitions may change from version - * to version of the library. - */ -typedef enum nr_error_t { - /** Invalid argument */ - NR_ERR_INVALID_ARG = 1, - /** Insufficient data to decode the packet */ - NR_ERR_PACKET_TOO_SMALL, - /** The packet header says it is larger than the received data */ - NR_ERR_PACKET_TOO_LARGE, - /** the attribute overflows the packet */ - NR_ERR_ATTR_OVERFLOW, - /** the attribute header "length" field is too small */ - NR_ERR_ATTR_TOO_SMALL, - /** the attribute is more than 256 octets long */ - NR_ERR_ATTR_TOO_LARGE, - /** the attribute is unknown */ - NR_ERR_ATTR_UNKNOWN, - /** the attribute name is improperly formatted */ - NR_ERR_ATTR_BAD_NAME, - /** the attribute value could not be parsed */ - NR_ERR_ATTR_VALUE_MALFORMED, - /** the attribute "type" is invalid */ - NR_ERR_ATTR_INVALID, - /** the packet has too many attributes */ - NR_ERR_TOO_MANY_ATTRS, - /** the attribute has an unsupported data type */ - NR_ERR_ATTR_TYPE_UNKNOWN, - /** the Message-Authenticator has the wrong length */ - NR_ERR_MSG_AUTH_LEN, - /** the Message-Authenticator is wrong */ - NR_ERR_MSG_AUTH_WRONG, - /** we need a request packet to calculate something in the response */ - NR_ERR_REQUEST_REQUIRED, - /** the request code is unsupported */ - NR_ERR_REQUEST_CODE_INVALID, - /** the Authentication Vector is wrong */ - NR_ERR_AUTH_VECTOR_WRONG, - /** the response code is unsupported */ - NR_ERR_RESPONSE_CODE_INVALID, - /** the response ID field is invalid */ - NR_ERR_RESPONSE_ID_INVALID, - /** the response is not from the correct source IP/port */ - NR_ERR_RESPONSE_SRC_INVALID, - /** Look at "errno" for the error */ - NR_ERR_SYSTEM, - /** We cannot encode the packet because of invalid arguments */ - NR_ERR_NO_PACKET_DATA, - /** the vendor is unknown */ - NR_ERR_VENDOR_UNKNOWN, - /** an internal sanity check failed */ - NR_ERR_INTERNAL_FAILURE, - /** the caller requested an unsupported featuer */ - NR_ERR_UNSUPPORTED, - /** we were unable to allocate memory */ - NR_ERR_NO_MEM, - /** Resource is in use */ - NR_ERR_IN_USE, -} nr_error_t; - #define TAG_VALID(x) ((x) < 0x20) /** The attribute is not encrypted. */ @@ -335,7 +235,7 @@ typedef enum nr_error_t { typedef struct attr_flags { unsigned int has_tag : 1; /**< Attribute has an RFC 2868 tag */ unsigned int unknown : 1; /**< Attribute is unknown */ -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV unsigned int has_tlv : 1; /* has sub attributes */ unsigned int is_tlv : 1; /* is a sub attribute */ #endif @@ -358,7 +258,7 @@ typedef struct attr_flags { */ typedef struct nr_dict_attr { unsigned int attr; /**< Attribute number */ - nr_attr_type_t type; /**< Data type */ + rs_attr_type_t type; /**< Data type */ unsigned int vendor; /**< Vendor-Id number */ ATTR_FLAGS flags; const char *name; /**< Printable name */ @@ -392,21 +292,21 @@ typedef struct nr_dict_vendor { * */ typedef union value_pair_data { - char strvalue[MAX_STRING_LEN]; /* +1 for NUL */ + char strvalue[RS_MAX_STRING_LEN]; /* +1 for NUL */ uint8_t octets[253]; struct in_addr ipaddr; struct in6_addr ipv6addr; uint32_t date; uint32_t integer; -#ifdef NR_TYPE_SIGNED +#ifdef RS_TYPE_SIGNED int32_t sinteger; #endif -#ifdef NR_TYPE_ABINARY +#ifdef RS_TYPE_ABINARY uint8_t filter[32]; #endif uint8_t ifid[8]; /* struct? */ uint8_t ipv6prefix[18]; /* struct? */ -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV uint8_t *tlv; #endif } VALUE_PAIR_DATA; @@ -432,23 +332,23 @@ typedef struct value_pair { #define vp_ipaddr data.ipaddr.s_addr #define vp_date data.integer #define vp_integer data.integer -#ifdef NR_TYPE_ABINARY +#ifdef RS_TYPE_ABINARY #define vp_filter data.filter #endif -#ifdef NR_TYPE_ETHER +#ifdef RS_TYPE_ETHER #define vp_ether data.ether #endif -#ifdef NR_TYPE_SIGNED +#ifdef RS_TYPE_SIGNED #define vp_signed data.sinteger #endif -#ifdef NR_TYPE_TLV +#ifdef RS_TYPE_TLV #define vp_tlv data.tlv #endif -#ifdef NR_TYPE_TLV -#define NR_ATTR_MAX_TLV (4) -extern const int nr_attr_shift[NR_ATTR_MAX_TLV]; -extern const int nr_attr_mask[NR_ATTR_MAX_TLV]; +#ifdef RS_TYPE_TLV +#define RS_ATTR_MAX_TLV (4) +extern const int nr_attr_shift[RS_ATTR_MAX_TLV]; +extern const int nr_attr_mask[RS_ATTR_MAX_TLV]; extern const unsigned int nr_attr_max_tlv; #endif @@ -474,12 +374,12 @@ typedef struct radius_packet { VALUE_PAIR *vps; /**< linked list of ::VALUE_PAIR */ } RADIUS_PACKET; -#define NR_PACKET_ENCODED (1 << 0) -#define NR_PACKET_HEADER (1 << 1) -#define NR_PACKET_SIGNED (1 << 2) -#define NR_PACKET_OK (1 << 3) -#define NR_PACKET_VERIFIED (1 << 4) -#define NR_PACKET_DECODED (1 << 5) +#define RS_PACKET_ENCODED (1 << 0) +#define RS_PACKET_HEADER (1 << 1) +#define RS_PACKET_SIGNED (1 << 2) +#define RS_PACKET_OK (1 << 3) +#define RS_PACKET_VERIFIED (1 << 4) +#define RS_PACKET_DECODED (1 << 5) /** Track packets sent to a server. \ingroup id @@ -634,7 +534,7 @@ extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, * packet. * * \attention There is usually no need to call this function. Use - * the NR_DA_* definitions instead. + * the RS_DA_* definitions instead. * * @param[in] attr Value of the attribute * @param[in] vendor Value of the vendor @@ -773,7 +673,7 @@ extern const DICT_ATTR const *nr_dict_attr_names[]; * application. Packet codes which are not handled by the library * have NULL for their names. */ -extern const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1]; +extern const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1]; /** Verifies that a packet is "well formed". \ingroup packet * @@ -1406,3 +1306,5 @@ extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value); */ # define BLANK_FORMAT "" #endif + +#endif /* _RADIUS_CLIENT_H_ */ diff --git a/lib/radius/common.pl b/lib/radius/common.pl index c08489a..7042fe5 100644 --- a/lib/radius/common.pl +++ b/lib/radius/common.pl @@ -124,7 +124,7 @@ sub do_file() } $type =~ tr/a-z/A-Z/; - $attributes{$index}{'type'} = "NR_TYPE_$type"; + $attributes{$index}{'type'} = "RS_TYPE_$type"; $stuff =~ s/^\s*//; diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl index ce7cccd..9cf8731 100755 --- a/lib/radius/convert.pl +++ b/lib/radius/convert.pl @@ -134,7 +134,7 @@ foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'nam print DICT "};\n\n"; close DICT; -open HDR, ">radius.h" or die "Failed creating radius.c: $!\n"; +open HDR, ">../include/radsec/radius.h" or die "Failed creating radius.c: $!\n"; print HDR "/* Automatically generated file. Do not edit */\n\n"; @@ -174,7 +174,7 @@ foreach $attr_val (sort {$a <=> $b} keys %attributes) { $name =~ tr/a-z/A-Z/; $name =~ tr/-/_/; - print HDR "#define NR_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n"; + print HDR "#define RS_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n"; } print HDR "/* Automatically generated file. Do not edit */\n"; diff --git a/lib/radius/crypto.c b/lib/radius/crypto.c index 02a223d..21cc7d0 100644 --- a/lib/radius/crypto.c +++ b/lib/radius/crypto.c @@ -36,7 +36,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. /** \cond PRIVATE */ -#include +#include "client.h" ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, @@ -45,35 +45,35 @@ ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, { size_t i, j, len; uint8_t digest[16]; - NR_MD5_CTX ctx, secret_ctx; + RS_MD5_CTX ctx, secret_ctx; if (!output || (outlen < 16) || !input || (inlen == 0) || !secret || !vector) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } len = inlen; - if (len > 128) return -NR_ERR_ATTR_OVERFLOW; + if (len > 128) return -RSE_ATTR_OVERFLOW; len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */ - if (outlen < len) return -NR_ERR_ATTR_OVERFLOW; + if (outlen < len) return -RSE_ATTR_OVERFLOW; memcpy(output, input, len); memset(output + len, 0, 128 - len); - nr_MD5Init(&secret_ctx); - nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); for (j = 0; j < len; j += 16) { ctx = secret_ctx; if (j == 0) { - nr_MD5Update(&ctx, vector, 16); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, vector, 16); + RS_MD5Final(digest, &ctx); } else { - nr_MD5Update(&ctx, &output[j - 16], 16); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, &output[j - 16], 16); + RS_MD5Final(digest, &ctx); } for (i = 0; i < 16; i++) { @@ -90,16 +90,16 @@ ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, const char *secret, const uint8_t *vector) { size_t i, j, len; - NR_MD5_CTX ctx, secret_ctx; + RS_MD5_CTX ctx, secret_ctx; uint8_t digest[16]; if (!output || (outlen < 18) || !input || (inlen == 0) || !secret || !vector) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } len = ((inlen + 1) + 0x0f) & ~0x0f; - if (len > 251) return -NR_ERR_ATTR_OVERFLOW; + if (len > 251) return -RSE_ATTR_OVERFLOW; output[0] = (nr_rand() & 0xff) | 0x80; output[1] = nr_rand() & 0xff; @@ -108,19 +108,19 @@ ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, memcpy(output + 3, input, inlen); memset(output + 3 + inlen, 0, len - inlen - 1); - nr_MD5Init(&secret_ctx); - nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); for (j = 0; j < len; j += 16) { ctx = secret_ctx; if (j == 0) { - nr_MD5Update(&ctx, vector, 16); - nr_MD5Update(&ctx, output, 2); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, vector, 16); + RS_MD5Update(&ctx, output, 2); + RS_MD5Final(digest, &ctx); } else { - nr_MD5Update(&ctx, &output[j + 2 - 16], 16); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, &output[j + 2 - 16], 16); + RS_MD5Final(digest, &ctx); } for (i = 0; i < 16; i++) { @@ -136,12 +136,12 @@ ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, const char *secret, const uint8_t *vector) { size_t i, j, len, encoded_len; - NR_MD5_CTX ctx, secret_ctx; + RS_MD5_CTX ctx, secret_ctx; uint8_t digest[16]; if (!output || (outlen < 1) || !input || (inlen < 2) || !secret || !vector) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } if (inlen <= 3) { @@ -151,20 +151,20 @@ ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, len = inlen - 2; - if (outlen < (len - 1)) return -NR_ERR_ATTR_OVERFLOW; + if (outlen < (len - 1)) return -RSE_ATTR_OVERFLOW; - nr_MD5Init(&secret_ctx); - nr_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); ctx = secret_ctx; - nr_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */ - nr_MD5Update(&ctx, input, 2); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */ + RS_MD5Update(&ctx, input, 2); + RS_MD5Final(digest, &ctx); encoded_len = input[2] ^ digest[0]; if (encoded_len >= len) { - return -NR_ERR_ATTR_TOO_LARGE; + return -RSE_ATTR_TOO_LARGE; } for (i = 0; i < 15; i++) { @@ -174,8 +174,8 @@ ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, for (j = 16; j < len; j += 16) { ctx = secret_ctx; - nr_MD5Update(&ctx, input + j - 16 + 2, 16); - nr_MD5Final(digest, &ctx); + RS_MD5Update(&ctx, input + j - 16 + 2, 16); + RS_MD5Final(digest, &ctx); for (i = 0; i < 16; i++) { output[i + j - 1] = input[i + j + 2] ^ digest[i]; @@ -198,12 +198,12 @@ nr_hmac_md5(const uint8_t *data, size_t data_len, uint8_t k_ipad[64]; uint8_t k_opad[64]; uint8_t tk[16]; - NR_MD5_CTX ctx; + RS_MD5_CTX ctx; if (key_len > 64) { - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, key, key_len); - nr_MD5Final(tk, &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, key, key_len); + RS_MD5Final(tk, &ctx); key = tk; key_len = 16; @@ -219,15 +219,15 @@ nr_hmac_md5(const uint8_t *data, size_t data_len, k_opad[i] ^= 0x5c; } - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, k_ipad, sizeof(k_ipad)); - nr_MD5Update(&ctx, data, data_len); - nr_MD5Final(digest, &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, k_ipad, sizeof(k_ipad)); + RS_MD5Update(&ctx, data, data_len); + RS_MD5Final(digest, &ctx); - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, k_opad, sizeof(k_opad)); - nr_MD5Update(&ctx, digest, 16); - nr_MD5Final(digest, &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, k_opad, sizeof(k_opad)); + RS_MD5Update(&ctx, digest, 16); + RS_MD5Final(digest, &ctx); } /** \endcond */ diff --git a/lib/radius/custom.c b/lib/radius/custom.c index e33cf5a..02e2463 100644 --- a/lib/radius/custom.c +++ b/lib/radius/custom.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Functions which should be customized for your local system. */ -#include +#include "client.h" #include #include diff --git a/lib/radius/dict.c b/lib/radius/dict.c index 26fe7d0..fc04ee2 100644 --- a/lib/radius/dict.c +++ b/lib/radius/dict.c @@ -25,7 +25,7 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include +#include "client.h" #include /** \file dict.c @@ -56,7 +56,7 @@ const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor) return &nr_dict_attrs[half]; } - if ((vendor > nr_dict_attrs[half].vendor) && + if ((vendor >= nr_dict_attrs[half].vendor) && (attr > nr_dict_attrs[half].attr)) { start = half + 1; } else { @@ -100,19 +100,19 @@ const DICT_ATTR *nr_dict_attr_byname(const char *name) int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor, char *buffer, size_t bufsize) { - if (!da || !buffer) return -NR_ERR_INVALID_ARG; + if (!da || !buffer) return -RSE_INVAL; if (!vendor) { - if (attr > 256) return -NR_ERR_INVALID_ARG; + if (attr > 256) return -RSE_INVAL; } else if (vendor > (1 << 24)) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } memset(da, 0, sizeof(*da)); da->attr = attr; da->flags.unknown = 1; - da->type = NR_TYPE_OCTETS; + da->type = RS_TYPE_OCTETS; da->vendor = vendor; if (da->vendor) { diff --git a/lib/radius/dictionaries.c b/lib/radius/dictionaries.c deleted file mode 100644 index d1f4b6f..0000000 --- a/lib/radius/dictionaries.c +++ /dev/null @@ -1,1515 +0,0 @@ -const DICT_VENDOR nr_dict_vendors[] = { - { - .name = "Microsoft", - .vendor = 311, - .type = 1, - .length = 1, - }, - { - .name = "example", - .vendor = 65535, - .type = 1, - .length = 1, - }, - - { .name = NULL, } -}; - -const DICT_ATTR nr_dict_attrs[] = { - { /* 0 */ - .name = NULL, - }, - { /* 1 */ - .name = "User-Name", - .attr = 1, - .type = NR_TYPE_STRING, - }, - { /* 2 */ - .name = "User-Password", - .attr = 2, - .type = NR_TYPE_STRING, - .flags = { - .encrypt = FLAG_ENCRYPT_USER_PASSWORD, - }, - }, - { /* 3 */ - .name = "CHAP-Password", - .attr = 3, - .type = NR_TYPE_OCTETS, - }, - { /* 4 */ - .name = "NAS-IP-Address", - .attr = 4, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, - { /* 5 */ - .name = "NAS-Port", - .attr = 5, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 6 */ - .name = "Service-Type", - .attr = 6, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 7 */ - .name = "Framed-Protocol", - .attr = 7, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 8 */ - .name = "Framed-IP-Address", - .attr = 8, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, - { /* 9 */ - .name = "Framed-IP-Netmask", - .attr = 9, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, - { /* 10 */ - .name = "Framed-Routing", - .attr = 10, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 11 */ - .name = "Filter-Id", - .attr = 11, - .type = NR_TYPE_STRING, - }, - { /* 12 */ - .name = "Framed-MTU", - .attr = 12, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 13 */ - .name = "Framed-Compression", - .attr = 13, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 14 */ - .name = "Login-IP-Host", - .attr = 14, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, - { /* 15 */ - .name = "Login-Service", - .attr = 15, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 16 */ - .name = "Login-TCP-Port", - .attr = 16, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 17 */ - .name = NULL, - }, - { /* 18 */ - .name = "Reply-Message", - .attr = 18, - .type = NR_TYPE_STRING, - }, - { /* 19 */ - .name = "Callback-Number", - .attr = 19, - .type = NR_TYPE_STRING, - }, - { /* 20 */ - .name = "Callback-Id", - .attr = 20, - .type = NR_TYPE_STRING, - }, - { /* 21 */ - .name = NULL, - }, - { /* 22 */ - .name = "Framed-Route", - .attr = 22, - .type = NR_TYPE_STRING, - }, - { /* 23 */ - .name = "Framed-IPX-Network", - .attr = 23, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, - { /* 24 */ - .name = "State", - .attr = 24, - .type = NR_TYPE_OCTETS, - }, - { /* 25 */ - .name = "Class", - .attr = 25, - .type = NR_TYPE_OCTETS, - }, - { /* 26 */ - .name = "Vendor-Specific", - .attr = 26, - .type = NR_TYPE_OCTETS, - }, - { /* 27 */ - .name = "Session-Timeout", - .attr = 27, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 28 */ - .name = "Idle-Timeout", - .attr = 28, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 29 */ - .name = "Termination-Action", - .attr = 29, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 30 */ - .name = "Called-Station-Id", - .attr = 30, - .type = NR_TYPE_STRING, - }, - { /* 31 */ - .name = "Calling-Station-Id", - .attr = 31, - .type = NR_TYPE_STRING, - }, - { /* 32 */ - .name = "NAS-Identifier", - .attr = 32, - .type = NR_TYPE_STRING, - }, - { /* 33 */ - .name = "Proxy-State", - .attr = 33, - .type = NR_TYPE_OCTETS, - }, - { /* 34 */ - .name = "Login-LAT-Service", - .attr = 34, - .type = NR_TYPE_STRING, - }, - { /* 35 */ - .name = "Login-LAT-Node", - .attr = 35, - .type = NR_TYPE_STRING, - }, - { /* 36 */ - .name = "Login-LAT-Group", - .attr = 36, - .type = NR_TYPE_OCTETS, - }, - { /* 37 */ - .name = "Framed-AppleTalk-Link", - .attr = 37, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 38 */ - .name = "Framed-AppleTalk-Network", - .attr = 38, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 39 */ - .name = "Framed-AppleTalk-Zone", - .attr = 39, - .type = NR_TYPE_STRING, - }, - { /* 40 */ - .name = "Acct-Status-Type", - .attr = 40, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 41 */ - .name = "Acct-Delay-Time", - .attr = 41, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 42 */ - .name = "Acct-Input-Octets", - .attr = 42, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 43 */ - .name = "Acct-Output-Octets", - .attr = 43, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 44 */ - .name = "Acct-Session-Id", - .attr = 44, - .type = NR_TYPE_STRING, - }, - { /* 45 */ - .name = "Acct-Authentic", - .attr = 45, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 46 */ - .name = "Acct-Session-Time", - .attr = 46, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 47 */ - .name = "Acct-Input-Packets", - .attr = 47, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 48 */ - .name = "Acct-Output-Packets", - .attr = 48, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 49 */ - .name = "Acct-Terminate-Cause", - .attr = 49, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 50 */ - .name = "Acct-Multi-Session-Id", - .attr = 50, - .type = NR_TYPE_STRING, - }, - { /* 51 */ - .name = "Acct-Link-Count", - .attr = 51, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 52 */ - .name = "Acct-Input-Gigawords", - .attr = 52, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 53 */ - .name = "Acct-Output-Gigawords", - .attr = 53, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 54 */ - .name = NULL, - }, - { /* 55 */ - .name = "Event-Timestamp", - .attr = 55, - .type = NR_TYPE_DATE, - .flags = { - .length = 4, - }, - }, - { /* 56 */ - .name = "Egress-VLANID", - .attr = 56, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 57 */ - .name = "Ingress-Filters", - .attr = 57, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 58 */ - .name = "Egress-VLAN-Name", - .attr = 58, - .type = NR_TYPE_STRING, - }, - { /* 59 */ - .name = "User-Priority-Table", - .attr = 59, - .type = NR_TYPE_OCTETS, - }, - { /* 60 */ - .name = "CHAP-Challenge", - .attr = 60, - .type = NR_TYPE_OCTETS, - }, - { /* 61 */ - .name = "NAS-Port-Type", - .attr = 61, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 62 */ - .name = "Port-Limit", - .attr = 62, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 63 */ - .name = "Login-LAT-Port", - .attr = 63, - .type = NR_TYPE_STRING, - }, - { /* 64 */ - .name = "Tunnel-Type", - .attr = 64, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - .has_tag = 1, - }, - }, - { /* 65 */ - .name = "Tunnel-Medium-Type", - .attr = 65, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - .has_tag = 1, - }, - }, - { /* 66 */ - .name = "Tunnel-Client-Endpoint", - .attr = 66, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 67 */ - .name = "Tunnel-Server-Endpoint", - .attr = 67, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 68 */ - .name = "Acct-Tunnel-Connection", - .attr = 68, - .type = NR_TYPE_STRING, - }, - { /* 69 */ - .name = "Tunnel-Password", - .attr = 69, - .type = NR_TYPE_STRING, - .flags = { - .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, - .has_tag = 1, - }, - }, - { /* 70 */ - .name = "ARAP-Password", - .attr = 70, - .type = NR_TYPE_OCTETS, - .flags = { - .length = 16, - }, - }, - { /* 71 */ - .name = "ARAP-Features", - .attr = 71, - .type = NR_TYPE_OCTETS, - .flags = { - .length = 14, - }, - }, - { /* 72 */ - .name = "ARAP-Zone-Access", - .attr = 72, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 73 */ - .name = "ARAP-Security", - .attr = 73, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 74 */ - .name = "ARAP-Security-Data", - .attr = 74, - .type = NR_TYPE_STRING, - }, - { /* 75 */ - .name = "Password-Retry", - .attr = 75, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 76 */ - .name = "Prompt", - .attr = 76, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 77 */ - .name = "Connect-Info", - .attr = 77, - .type = NR_TYPE_STRING, - }, - { /* 78 */ - .name = "Configuration-Token", - .attr = 78, - .type = NR_TYPE_STRING, - }, - { /* 79 */ - .name = "EAP-Message", - .attr = 79, - .type = NR_TYPE_OCTETS, - }, - { /* 80 */ - .name = "Message-Authenticator", - .attr = 80, - .type = NR_TYPE_OCTETS, - }, - { /* 81 */ - .name = "Tunnel-Private-Group-Id", - .attr = 81, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 82 */ - .name = "Tunnel-Assignment-Id", - .attr = 82, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 83 */ - .name = "Tunnel-Preference", - .attr = 83, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - .has_tag = 1, - }, - }, - { /* 84 */ - .name = "ARAP-Challenge-Response", - .attr = 84, - .type = NR_TYPE_OCTETS, - .flags = { - .length = 8, - }, - }, - { /* 85 */ - .name = "Acct-Interim-Interval", - .attr = 85, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 86 */ - .name = "Acct-Tunnel-Packets-Lost", - .attr = 86, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 87 */ - .name = "NAS-Port-Id", - .attr = 87, - .type = NR_TYPE_STRING, - }, - { /* 88 */ - .name = "Framed-Pool", - .attr = 88, - .type = NR_TYPE_STRING, - }, - { /* 89 */ - .name = "Chargeable-User-Identity", - .attr = 89, - .type = NR_TYPE_STRING, - }, - { /* 90 */ - .name = "Tunnel-Client-Auth-Id", - .attr = 90, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 91 */ - .name = "Tunnel-Server-Auth-Id", - .attr = 91, - .type = NR_TYPE_STRING, - .flags = { - .has_tag = 1, - }, - }, - { /* 92 */ - .name = "NAS-Filter-Rule", - .attr = 92, - .type = NR_TYPE_STRING, - }, - { /* 93 */ - .name = NULL, - }, - { /* 94 */ - .name = NULL, - }, - { /* 95 */ - .name = "NAS-IPv6-Address", - .attr = 95, - .type = NR_TYPE_IPV6ADDR, - .flags = { - .length = 16, - }, - }, - { /* 96 */ - .name = "Framed-Interface-Id", - .attr = 96, - .type = NR_TYPE_IFID, - .flags = { - .length = 8, - }, - }, - { /* 97 */ - .name = "Framed-IPv6-Prefix", - .attr = 97, - .type = NR_TYPE_IPV6PREFIX, - }, - { /* 98 */ - .name = "Login-IPv6-Host", - .attr = 98, - .type = NR_TYPE_IPV6ADDR, - .flags = { - .length = 16, - }, - }, - { /* 99 */ - .name = "Framed-IPv6-Route", - .attr = 99, - .type = NR_TYPE_STRING, - }, - { /* 100 */ - .name = "Framed-IPv6-Pool", - .attr = 100, - .type = NR_TYPE_STRING, - }, - { /* 101 */ - .name = "Error-Cause", - .attr = 101, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 102 */ - .name = "EAP-Key-Name", - .attr = 102, - .type = NR_TYPE_STRING, - }, - { /* 103 */ - .name = "Digest-Response", - .attr = 103, - .type = NR_TYPE_STRING, - }, - { /* 104 */ - .name = "Digest-Realm", - .attr = 104, - .type = NR_TYPE_STRING, - }, - { /* 105 */ - .name = "Digest-Nonce", - .attr = 105, - .type = NR_TYPE_STRING, - }, - { /* 106 */ - .name = "Digest-Response-Auth", - .attr = 106, - .type = NR_TYPE_STRING, - }, - { /* 107 */ - .name = "Digest-Nextnonce", - .attr = 107, - .type = NR_TYPE_STRING, - }, - { /* 108 */ - .name = "Digest-Method", - .attr = 108, - .type = NR_TYPE_STRING, - }, - { /* 109 */ - .name = "Digest-URI", - .attr = 109, - .type = NR_TYPE_STRING, - }, - { /* 110 */ - .name = "Digest-Qop", - .attr = 110, - .type = NR_TYPE_STRING, - }, - { /* 111 */ - .name = "Digest-Algorithm", - .attr = 111, - .type = NR_TYPE_STRING, - }, - { /* 112 */ - .name = "Digest-Entity-Body-Hash", - .attr = 112, - .type = NR_TYPE_STRING, - }, - { /* 113 */ - .name = "Digest-CNonce", - .attr = 113, - .type = NR_TYPE_STRING, - }, - { /* 114 */ - .name = "Digest-Nonce-Count", - .attr = 114, - .type = NR_TYPE_STRING, - }, - { /* 115 */ - .name = "Digest-Username", - .attr = 115, - .type = NR_TYPE_STRING, - }, - { /* 116 */ - .name = "Digest-Opaque", - .attr = 116, - .type = NR_TYPE_STRING, - }, - { /* 117 */ - .name = "Digest-Auth-Param", - .attr = 117, - .type = NR_TYPE_STRING, - }, - { /* 118 */ - .name = "Digest-AKA-Auts", - .attr = 118, - .type = NR_TYPE_STRING, - }, - { /* 119 */ - .name = "Digest-Domain", - .attr = 119, - .type = NR_TYPE_STRING, - }, - { /* 120 */ - .name = "Digest-Stale", - .attr = 120, - .type = NR_TYPE_STRING, - }, - { /* 121 */ - .name = "Digest-HA1", - .attr = 121, - .type = NR_TYPE_STRING, - }, - { /* 122 */ - .name = "SIP-AOR", - .attr = 122, - .type = NR_TYPE_STRING, - }, - { /* 123 */ - .name = "Delegated-IPv6-Prefix", - .attr = 123, - .type = NR_TYPE_IPV6PREFIX, - }, - { /* 124 */ - .name = NULL, - }, - { /* 125 */ - .name = NULL, - }, - { /* 126 */ - .name = "Operator-Name", - .attr = 126, - .type = NR_TYPE_STRING, - }, - { /* 127 */ - .name = "Location-Information", - .attr = 127, - .type = NR_TYPE_OCTETS, - }, - { /* 128 */ - .name = "Location-Data", - .attr = 128, - .type = NR_TYPE_OCTETS, - }, - { /* 129 */ - .name = "Basic-Location-Policy-Rules", - .attr = 129, - .type = NR_TYPE_OCTETS, - }, - { /* 130 */ - .name = "Extended-Location-Policy-Rules", - .attr = 130, - .type = NR_TYPE_OCTETS, - }, - { /* 131 */ - .name = "Location-Capable", - .attr = 131, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 132 */ - .name = "Requested-Location-Info", - .attr = 132, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 133 */ - .name = "Framed-Management", - .attr = 133, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 134 */ - .name = "Management-Transport-Protection", - .attr = 134, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 135 */ - .name = "Management-Policy-Id", - .attr = 135, - .type = NR_TYPE_STRING, - }, - { /* 136 */ - .name = "Management-Privilege-Level", - .attr = 136, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 137 */ - .name = "PKM-SS-Cert", - .attr = 137, - .type = NR_TYPE_OCTETS, - }, - { /* 138 */ - .name = "PKM-CA-Cert", - .attr = 138, - .type = NR_TYPE_OCTETS, - }, - { /* 139 */ - .name = "PKM-Config-Settings", - .attr = 139, - .type = NR_TYPE_OCTETS, - }, - { /* 140 */ - .name = "PKM-Cryptosuite-List", - .attr = 140, - .type = NR_TYPE_OCTETS, - }, - { /* 141 */ - .name = "PKM-SAID", - .attr = 141, - .type = NR_TYPE_SHORT, - .flags = { - .length = 2, - }, - }, - { /* 142 */ - .name = "PKM-SA-Descriptor", - .attr = 142, - .type = NR_TYPE_OCTETS, - }, - { /* 143 */ - .name = "PKM-Auth-Key", - .attr = 143, - .type = NR_TYPE_OCTETS, - }, - { /* 144 */ - .name = NULL, - }, - { /* 145 */ - .name = NULL, - }, - { /* 146 */ - .name = NULL, - }, - { /* 147 */ - .name = NULL, - }, - { /* 148 */ - .name = NULL, - }, - { /* 149 */ - .name = NULL, - }, - { /* 150 */ - .name = NULL, - }, - { /* 151 */ - .name = NULL, - }, - { /* 152 */ - .name = NULL, - }, - { /* 153 */ - .name = NULL, - }, - { /* 154 */ - .name = NULL, - }, - { /* 155 */ - .name = NULL, - }, - { /* 156 */ - .name = NULL, - }, - { /* 157 */ - .name = NULL, - }, - { /* 158 */ - .name = NULL, - }, - { /* 159 */ - .name = NULL, - }, - { /* 160 */ - .name = NULL, - }, - { /* 161 */ - .name = NULL, - }, - { /* 162 */ - .name = NULL, - }, - { /* 163 */ - .name = NULL, - }, - { /* 164 */ - .name = NULL, - }, - { /* 165 */ - .name = NULL, - }, - { /* 166 */ - .name = NULL, - }, - { /* 167 */ - .name = NULL, - }, - { /* 168 */ - .name = NULL, - }, - { /* 169 */ - .name = NULL, - }, - { /* 170 */ - .name = NULL, - }, - { /* 171 */ - .name = NULL, - }, - { /* 172 */ - .name = NULL, - }, - { /* 173 */ - .name = NULL, - }, - { /* 174 */ - .name = NULL, - }, - { /* 175 */ - .name = NULL, - }, - { /* 176 */ - .name = NULL, - }, - { /* 177 */ - .name = NULL, - }, - { /* 178 */ - .name = NULL, - }, - { /* 179 */ - .name = NULL, - }, - { /* 180 */ - .name = NULL, - }, - { /* 181 */ - .name = NULL, - }, - { /* 182 */ - .name = NULL, - }, - { /* 183 */ - .name = NULL, - }, - { /* 184 */ - .name = NULL, - }, - { /* 185 */ - .name = NULL, - }, - { /* 186 */ - .name = NULL, - }, - { /* 187 */ - .name = NULL, - }, - { /* 188 */ - .name = NULL, - }, - { /* 189 */ - .name = NULL, - }, - { /* 190 */ - .name = NULL, - }, - { /* 191 */ - .name = NULL, - }, - { /* 192 */ - .name = NULL, - }, - { /* 193 */ - .name = NULL, - }, - { /* 194 */ - .name = NULL, - }, - { /* 195 */ - .name = NULL, - }, - { /* 196 */ - .name = NULL, - }, - { /* 197 */ - .name = NULL, - }, - { /* 198 */ - .name = NULL, - }, - { /* 199 */ - .name = NULL, - }, - { /* 200 */ - .name = NULL, - }, - { /* 201 */ - .name = NULL, - }, - { /* 202 */ - .name = NULL, - }, - { /* 203 */ - .name = NULL, - }, - { /* 204 */ - .name = NULL, - }, - { /* 205 */ - .name = NULL, - }, - { /* 206 */ - .name = NULL, - }, - { /* 207 */ - .name = NULL, - }, - { /* 208 */ - .name = NULL, - }, - { /* 209 */ - .name = NULL, - }, - { /* 210 */ - .name = NULL, - }, - { /* 211 */ - .name = NULL, - }, - { /* 212 */ - .name = NULL, - }, - { /* 213 */ - .name = NULL, - }, - { /* 214 */ - .name = NULL, - }, - { /* 215 */ - .name = NULL, - }, - { /* 216 */ - .name = NULL, - }, - { /* 217 */ - .name = NULL, - }, - { /* 218 */ - .name = NULL, - }, - { /* 219 */ - .name = NULL, - }, - { /* 220 */ - .name = NULL, - }, - { /* 221 */ - .name = NULL, - }, - { /* 222 */ - .name = NULL, - }, - { /* 223 */ - .name = NULL, - }, - { /* 224 */ - .name = NULL, - }, - { /* 225 */ - .name = NULL, - }, - { /* 226 */ - .name = NULL, - }, - { /* 227 */ - .name = NULL, - }, - { /* 228 */ - .name = NULL, - }, - { /* 229 */ - .name = NULL, - }, - { /* 230 */ - .name = NULL, - }, - { /* 231 */ - .name = NULL, - }, - { /* 232 */ - .name = NULL, - }, - { /* 233 */ - .name = NULL, - }, - { /* 234 */ - .name = NULL, - }, - { /* 235 */ - .name = NULL, - }, - { /* 236 */ - .name = NULL, - }, - { /* 237 */ - .name = NULL, - }, - { /* 238 */ - .name = NULL, - }, - { /* 239 */ - .name = NULL, - }, - { /* 240 */ - .name = NULL, - }, - { /* 241 */ - .name = NULL, - }, - { /* 242 */ - .name = NULL, - }, - { /* 243 */ - .name = NULL, - }, - { /* 244 */ - .name = NULL, - }, - { /* 245 */ - .name = NULL, - }, - { /* 246 */ - .name = NULL, - }, - { /* 247 */ - .name = NULL, - }, - { /* 248 */ - .name = NULL, - }, - { /* 249 */ - .name = NULL, - }, - { /* 250 */ - .name = NULL, - }, - { /* 251 */ - .name = NULL, - }, - { /* 252 */ - .name = NULL, - }, - { /* 253 */ - .name = NULL, - }, - { /* 254 */ - .name = NULL, - }, - { /* 255 */ - .name = NULL, - }, - { /* 256 */ - .name = "MS-CHAP-Response", - .vendor = 311, - .attr = 1, - .type = NR_TYPE_OCTETS, - }, - { /* 257 */ - .name = "MS-CHAP-Error", - .vendor = 311, - .attr = 2, - .type = NR_TYPE_STRING, - }, - { /* 258 */ - .name = "MS-MPPE-Encryption-Policy", - .vendor = 311, - .attr = 7, - .type = NR_TYPE_OCTETS, - }, - { /* 259 */ - .name = "MS-MPPE-Encryption-Types", - .vendor = 311, - .attr = 8, - .type = NR_TYPE_OCTETS, - }, - { /* 260 */ - .name = "MS-CHAP-Domain", - .vendor = 311, - .attr = 10, - .type = NR_TYPE_STRING, - }, - { /* 261 */ - .name = "MS-CHAP-Challenge", - .vendor = 311, - .attr = 11, - .type = NR_TYPE_OCTETS, - }, - { /* 262 */ - .name = "MS-CHAP-MPPE-Keys", - .vendor = 311, - .attr = 12, - .type = NR_TYPE_OCTETS, - .flags = { - .encrypt = FLAG_ENCRYPT_USER_PASSWORD, - }, - }, - { /* 263 */ - .name = "MS-MPPE-Send-Key", - .vendor = 311, - .attr = 16, - .type = NR_TYPE_OCTETS, - .flags = { - .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, - }, - }, - { /* 264 */ - .name = "MS-MPPE-Recv-Key", - .vendor = 311, - .attr = 17, - .type = NR_TYPE_OCTETS, - .flags = { - .encrypt = FLAG_ENCRYPT_TUNNEL_PASSWORD, - }, - }, - { /* 265 */ - .name = "MS-CHAP2-Response", - .vendor = 311, - .attr = 25, - .type = NR_TYPE_OCTETS, - }, - { /* 266 */ - .name = "MS-CHAP2-Success", - .vendor = 311, - .attr = 26, - .type = NR_TYPE_OCTETS, - }, - { /* 267 */ - .name = "Example-Integer", - .vendor = 65535, - .attr = 1, - .type = NR_TYPE_INTEGER, - .flags = { - .length = 4, - }, - }, - { /* 268 */ - .name = "Example-String", - .vendor = 65535, - .attr = 2, - .type = NR_TYPE_STRING, - }, - { /* 269 */ - .name = "Example-IP-Address", - .vendor = 65535, - .attr = 3, - .type = NR_TYPE_IPADDR, - .flags = { - .length = 4, - }, - }, -}; - -const int nr_dict_num_attrs = 269; - -const int nr_dict_num_names = 149; - -const DICT_ATTR *nr_dict_attr_names[] = { - &nr_dict_attrs[45], /* Acct-Authentic */ - &nr_dict_attrs[41], /* Acct-Delay-Time */ - &nr_dict_attrs[52], /* Acct-Input-Gigawords */ - &nr_dict_attrs[42], /* Acct-Input-Octets */ - &nr_dict_attrs[47], /* Acct-Input-Packets */ - &nr_dict_attrs[85], /* Acct-Interim-Interval */ - &nr_dict_attrs[51], /* Acct-Link-Count */ - &nr_dict_attrs[50], /* Acct-Multi-Session-Id */ - &nr_dict_attrs[53], /* Acct-Output-Gigawords */ - &nr_dict_attrs[43], /* Acct-Output-Octets */ - &nr_dict_attrs[48], /* Acct-Output-Packets */ - &nr_dict_attrs[44], /* Acct-Session-Id */ - &nr_dict_attrs[46], /* Acct-Session-Time */ - &nr_dict_attrs[40], /* Acct-Status-Type */ - &nr_dict_attrs[49], /* Acct-Terminate-Cause */ - &nr_dict_attrs[68], /* Acct-Tunnel-Connection */ - &nr_dict_attrs[86], /* Acct-Tunnel-Packets-Lost */ - &nr_dict_attrs[84], /* ARAP-Challenge-Response */ - &nr_dict_attrs[71], /* ARAP-Features */ - &nr_dict_attrs[70], /* ARAP-Password */ - &nr_dict_attrs[73], /* ARAP-Security */ - &nr_dict_attrs[74], /* ARAP-Security-Data */ - &nr_dict_attrs[72], /* ARAP-Zone-Access */ - &nr_dict_attrs[129], /* Basic-Location-Policy-Rules */ - &nr_dict_attrs[20], /* Callback-Id */ - &nr_dict_attrs[19], /* Callback-Number */ - &nr_dict_attrs[30], /* Called-Station-Id */ - &nr_dict_attrs[31], /* Calling-Station-Id */ - &nr_dict_attrs[60], /* CHAP-Challenge */ - &nr_dict_attrs[3], /* CHAP-Password */ - &nr_dict_attrs[89], /* Chargeable-User-Identity */ - &nr_dict_attrs[25], /* Class */ - &nr_dict_attrs[78], /* Configuration-Token */ - &nr_dict_attrs[77], /* Connect-Info */ - &nr_dict_attrs[123], /* Delegated-IPv6-Prefix */ - &nr_dict_attrs[118], /* Digest-AKA-Auts */ - &nr_dict_attrs[111], /* Digest-Algorithm */ - &nr_dict_attrs[117], /* Digest-Auth-Param */ - &nr_dict_attrs[113], /* Digest-CNonce */ - &nr_dict_attrs[119], /* Digest-Domain */ - &nr_dict_attrs[112], /* Digest-Entity-Body-Hash */ - &nr_dict_attrs[121], /* Digest-HA1 */ - &nr_dict_attrs[108], /* Digest-Method */ - &nr_dict_attrs[107], /* Digest-Nextnonce */ - &nr_dict_attrs[105], /* Digest-Nonce */ - &nr_dict_attrs[114], /* Digest-Nonce-Count */ - &nr_dict_attrs[116], /* Digest-Opaque */ - &nr_dict_attrs[110], /* Digest-Qop */ - &nr_dict_attrs[104], /* Digest-Realm */ - &nr_dict_attrs[103], /* Digest-Response */ - &nr_dict_attrs[106], /* Digest-Response-Auth */ - &nr_dict_attrs[120], /* Digest-Stale */ - &nr_dict_attrs[109], /* Digest-URI */ - &nr_dict_attrs[115], /* Digest-Username */ - &nr_dict_attrs[102], /* EAP-Key-Name */ - &nr_dict_attrs[79], /* EAP-Message */ - &nr_dict_attrs[58], /* Egress-VLAN-Name */ - &nr_dict_attrs[56], /* Egress-VLANID */ - &nr_dict_attrs[101], /* Error-Cause */ - &nr_dict_attrs[55], /* Event-Timestamp */ - &nr_dict_attrs[267], /* Example-Integer */ - &nr_dict_attrs[269], /* Example-IP-Address */ - &nr_dict_attrs[268], /* Example-String */ - &nr_dict_attrs[130], /* Extended-Location-Policy-Rules */ - &nr_dict_attrs[11], /* Filter-Id */ - &nr_dict_attrs[37], /* Framed-AppleTalk-Link */ - &nr_dict_attrs[38], /* Framed-AppleTalk-Network */ - &nr_dict_attrs[39], /* Framed-AppleTalk-Zone */ - &nr_dict_attrs[13], /* Framed-Compression */ - &nr_dict_attrs[96], /* Framed-Interface-Id */ - &nr_dict_attrs[8], /* Framed-IP-Address */ - &nr_dict_attrs[9], /* Framed-IP-Netmask */ - &nr_dict_attrs[100], /* Framed-IPv6-Pool */ - &nr_dict_attrs[97], /* Framed-IPv6-Prefix */ - &nr_dict_attrs[99], /* Framed-IPv6-Route */ - &nr_dict_attrs[23], /* Framed-IPX-Network */ - &nr_dict_attrs[133], /* Framed-Management */ - &nr_dict_attrs[12], /* Framed-MTU */ - &nr_dict_attrs[88], /* Framed-Pool */ - &nr_dict_attrs[7], /* Framed-Protocol */ - &nr_dict_attrs[22], /* Framed-Route */ - &nr_dict_attrs[10], /* Framed-Routing */ - &nr_dict_attrs[28], /* Idle-Timeout */ - &nr_dict_attrs[57], /* Ingress-Filters */ - &nr_dict_attrs[131], /* Location-Capable */ - &nr_dict_attrs[128], /* Location-Data */ - &nr_dict_attrs[127], /* Location-Information */ - &nr_dict_attrs[14], /* Login-IP-Host */ - &nr_dict_attrs[98], /* Login-IPv6-Host */ - &nr_dict_attrs[36], /* Login-LAT-Group */ - &nr_dict_attrs[35], /* Login-LAT-Node */ - &nr_dict_attrs[63], /* Login-LAT-Port */ - &nr_dict_attrs[34], /* Login-LAT-Service */ - &nr_dict_attrs[15], /* Login-Service */ - &nr_dict_attrs[16], /* Login-TCP-Port */ - &nr_dict_attrs[135], /* Management-Policy-Id */ - &nr_dict_attrs[136], /* Management-Privilege-Level */ - &nr_dict_attrs[134], /* Management-Transport-Protection */ - &nr_dict_attrs[80], /* Message-Authenticator */ - &nr_dict_attrs[261], /* MS-CHAP-Challenge */ - &nr_dict_attrs[260], /* MS-CHAP-Domain */ - &nr_dict_attrs[257], /* MS-CHAP-Error */ - &nr_dict_attrs[262], /* MS-CHAP-MPPE-Keys */ - &nr_dict_attrs[256], /* MS-CHAP-Response */ - &nr_dict_attrs[265], /* MS-CHAP2-Response */ - &nr_dict_attrs[266], /* MS-CHAP2-Success */ - &nr_dict_attrs[258], /* MS-MPPE-Encryption-Policy */ - &nr_dict_attrs[259], /* MS-MPPE-Encryption-Types */ - &nr_dict_attrs[264], /* MS-MPPE-Recv-Key */ - &nr_dict_attrs[263], /* MS-MPPE-Send-Key */ - &nr_dict_attrs[92], /* NAS-Filter-Rule */ - &nr_dict_attrs[32], /* NAS-Identifier */ - &nr_dict_attrs[4], /* NAS-IP-Address */ - &nr_dict_attrs[95], /* NAS-IPv6-Address */ - &nr_dict_attrs[5], /* NAS-Port */ - &nr_dict_attrs[87], /* NAS-Port-Id */ - &nr_dict_attrs[61], /* NAS-Port-Type */ - &nr_dict_attrs[126], /* Operator-Name */ - &nr_dict_attrs[75], /* Password-Retry */ - &nr_dict_attrs[143], /* PKM-Auth-Key */ - &nr_dict_attrs[138], /* PKM-CA-Cert */ - &nr_dict_attrs[139], /* PKM-Config-Settings */ - &nr_dict_attrs[140], /* PKM-Cryptosuite-List */ - &nr_dict_attrs[142], /* PKM-SA-Descriptor */ - &nr_dict_attrs[141], /* PKM-SAID */ - &nr_dict_attrs[137], /* PKM-SS-Cert */ - &nr_dict_attrs[62], /* Port-Limit */ - &nr_dict_attrs[76], /* Prompt */ - &nr_dict_attrs[33], /* Proxy-State */ - &nr_dict_attrs[18], /* Reply-Message */ - &nr_dict_attrs[132], /* Requested-Location-Info */ - &nr_dict_attrs[6], /* Service-Type */ - &nr_dict_attrs[27], /* Session-Timeout */ - &nr_dict_attrs[122], /* SIP-AOR */ - &nr_dict_attrs[24], /* State */ - &nr_dict_attrs[29], /* Termination-Action */ - &nr_dict_attrs[82], /* Tunnel-Assignment-Id */ - &nr_dict_attrs[90], /* Tunnel-Client-Auth-Id */ - &nr_dict_attrs[66], /* Tunnel-Client-Endpoint */ - &nr_dict_attrs[65], /* Tunnel-Medium-Type */ - &nr_dict_attrs[69], /* Tunnel-Password */ - &nr_dict_attrs[83], /* Tunnel-Preference */ - &nr_dict_attrs[81], /* Tunnel-Private-Group-Id */ - &nr_dict_attrs[91], /* Tunnel-Server-Auth-Id */ - &nr_dict_attrs[67], /* Tunnel-Server-Endpoint */ - &nr_dict_attrs[64], /* Tunnel-Type */ - &nr_dict_attrs[1], /* User-Name */ - &nr_dict_attrs[2], /* User-Password */ - &nr_dict_attrs[59], /* User-Priority-Table */ - &nr_dict_attrs[26], /* Vendor-Specific */ -}; - diff --git a/lib/radius/examples/example_1.c b/lib/radius/examples/example_1.c index 503d927..265c880 100644 --- a/lib/radius/examples/example_1.c +++ b/lib/radius/examples/example_1.c @@ -36,8 +36,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static const char *secret = "testing123"; -static uint8_t request_buffer[NR_MAX_PACKET_LEN]; -static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; static RADIUS_PACKET request, response; int main(int argc, const char *argv[]) @@ -58,12 +58,12 @@ int main(int argc, const char *argv[]) if (argc > 2) password = argv[2]; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_NAME, + RS_DA_USER_NAME, user, 0); if (rcode < 0) goto error; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_PASSWORD, + RS_DA_USER_PASSWORD, password, 0); if (rcode < 0) goto error; diff --git a/lib/radius/examples/example_2.c b/lib/radius/examples/example_2.c index 1065c8e..0a58523 100644 --- a/lib/radius/examples/example_2.c +++ b/lib/radius/examples/example_2.c @@ -36,8 +36,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static const char *secret = "testing123"; -static uint8_t request_buffer[NR_MAX_PACKET_LEN]; -static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; static RADIUS_PACKET request, response; int main(int argc, const char *argv[]) @@ -58,12 +58,12 @@ int main(int argc, const char *argv[]) if (argc > 2) password = argv[2]; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_NAME, + RS_DA_USER_NAME, user, 0); if (rcode < 0) goto error; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_CHAP_PASSWORD, + RS_DA_CHAP_PASSWORD, password, strlen(password)); if (rcode < 0) goto error; diff --git a/lib/radius/examples/example_3.c b/lib/radius/examples/example_3.c index 6104f6f..33fc671 100644 --- a/lib/radius/examples/example_3.c +++ b/lib/radius/examples/example_3.c @@ -39,8 +39,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static const char *secret = "testing123"; -static uint8_t request_buffer[NR_MAX_PACKET_LEN]; -static uint8_t response_buffer[NR_MAX_PACKET_LEN]; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; static RADIUS_PACKET request, response; int main(int argc, const char *argv[]) @@ -61,12 +61,12 @@ int main(int argc, const char *argv[]) if (argc > 2) password = argv[2]; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_NAME, + RS_DA_USER_NAME, user, 0); if (rcode < 0) goto error; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_PASSWORD, + RS_DA_USER_PASSWORD, password, 0); if (rcode < 0) goto error; @@ -84,12 +84,12 @@ int main(int argc, const char *argv[]) if (rcode < 0) goto error; rcode = nr_packet_attr_append(&response, &request, - NR_DA_REPLY_MESSAGE, + RS_DA_REPLY_MESSAGE, "Success!", 0); if (rcode < 0) goto error; rcode = nr_packet_attr_append(&response, &request, - NR_DA_TUNNEL_PASSWORD, + RS_DA_TUNNEL_PASSWORD, password, 0); if (rcode < 0) goto error; rcode = nr_packet_sign(&response, &request); diff --git a/lib/radius/examples/example_4.c b/lib/radius/examples/example_4.c index f93764c..2dadc89 100644 --- a/lib/radius/examples/example_4.c +++ b/lib/radius/examples/example_4.c @@ -52,12 +52,12 @@ int main(int argc, const char *argv[]) if (argc > 2) password = argv[2]; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_NAME, + RS_DA_USER_NAME, user, 0); if (rcode < 0) goto error; rcode = nr_packet_attr_append(&request, NULL, - NR_DA_USER_PASSWORD, + RS_DA_USER_PASSWORD, password, 0); if (rcode < 0) goto error; @@ -75,7 +75,7 @@ int main(int argc, const char *argv[]) if (rcode < 0) goto error; rcode = nr_packet_attr_append(&response, &request, - NR_DA_REPLY_MESSAGE, + RS_DA_REPLY_MESSAGE, "Success!", 0); if (rcode < 0) goto error; diff --git a/lib/radius/id.c b/lib/radius/id.c index 4fbe631..2b956f2 100644 --- a/lib/radius/id.c +++ b/lib/radius/id.c @@ -25,7 +25,7 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include +#include "client.h" #include /** \file id.c @@ -38,7 +38,7 @@ static int find_id(nr_server_t *s) int i; uint32_t lvalue; - if ((s->used < 0) || (s->used > 256)) return -NR_ERR_INTERNAL_FAILURE; + if ((s->used < 0) || (s->used > 256)) return -RSE_INTERNAL; /* * Ensure that the ID allocation is random. @@ -59,7 +59,7 @@ int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet) { int new_id; - if (!s || !packet) return -NR_ERR_INVALID_ARG; + if (!s || !packet) return -RSE_INVAL; new_id = find_id(s); if (new_id < 0) return -new_id; @@ -77,13 +77,13 @@ int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet) int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet) { - if (!s || !packet) return -NR_ERR_INVALID_ARG; + if (!s || !packet) return -RSE_INVAL; if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } - if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE; + if (s->ids[packet->id] != packet) return -RSE_INTERNAL; s->ids[packet->id] = NULL; s->used--; @@ -96,13 +96,13 @@ int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet) { int new_id; - if (!s || !packet) return -NR_ERR_INVALID_ARG; + if (!s || !packet) return -RSE_INVAL; if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } - if (s->ids[packet->id] != packet) return -NR_ERR_INTERNAL_FAILURE; + if (s->ids[packet->id] != packet) return -RSE_INTERNAL; new_id = find_id(s); if (new_id < 0) return new_id; @@ -118,8 +118,8 @@ int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet) int nr_server_init(nr_server_t *s, int code, const char *secret) { if (!s || !secret || !*secret || - (code == 0) || (code > NR_MAX_PACKET_CODE)) { - return -NR_ERR_INVALID_ARG; + (code == 0) || (code > RS_MAX_PACKET_CODE)) { + return -RSE_INVAL; } memset(s, 0, sizeof(*s)); @@ -137,9 +137,9 @@ int nr_server_init(nr_server_t *s, int code, const char *secret) int nr_server_close(const nr_server_t *s) { - if (!s) return -NR_ERR_INVALID_ARG; + if (!s) return -RSE_INVAL; - if (s->used > 0) return -NR_ERR_IN_USE; + if (s->used > 0) return -RSE_INUSE; if (s->sockfd >= 0) close(s->sockfd); @@ -151,23 +151,23 @@ int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p) int rcode; RADIUS_PACKET *packet; - if (!packet_p) return -NR_ERR_INVALID_ARG; + if (!packet_p) return -RSE_INVAL; - packet = malloc(sizeof(*packet) + NR_MAX_PACKET_LEN); - if (!packet) return -NR_ERR_NO_MEM; + packet = malloc(sizeof(*packet) + RS_MAX_PACKET_LEN); + if (!packet) return -RSE_NOMEM; memset(packet, 0, sizeof(*packet)); if (!s) { packet->data = (uint8_t *)(packet + 1); - packet->sizeof_data = NR_MAX_PACKET_LEN; + packet->sizeof_data = RS_MAX_PACKET_LEN; *packet_p = packet; return 0; } rcode = nr_packet_init(packet, NULL, s->secret, s->code, - (uint8_t *)(packet + 1), NR_MAX_PACKET_LEN); + (uint8_t *)(packet + 1), RS_MAX_PACKET_LEN); if (rcode < 0) { free(packet); return rcode; diff --git a/lib/radius/packet.c b/lib/radius/packet.c index 77e3d14..c5d3bc4 100644 --- a/lib/radius/packet.c +++ b/lib/radius/packet.c @@ -29,17 +29,17 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Encoding and decoding packets */ -#include +#include "client.h" -#if NR_MAX_PACKET_LEN < 64 -#error NR_MAX_PACKET_LEN is too small. It should be at least 64. +#if RS_MAX_PACKET_LEN < 64 +#error RS_MAX_PACKET_LEN is too small. It should be at least 64. #endif -#if NR_MAX_PACKET_LEN > 16384 -#error NR_MAX_PACKET_LEN is too large. It should be smaller than 16K. +#if RS_MAX_PACKET_LEN > 16384 +#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K. #endif -const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1] = { +const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = { NULL, "Access-Request", "Access-Accept", @@ -61,7 +61,7 @@ const char *nr_packet_codes[NR_MAX_PACKET_CODE + 1] = { }; -static uint64_t allowed_responses[NR_MAX_PACKET_CODE + 1] = { +static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = { 0, (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), 0, 0, @@ -89,18 +89,18 @@ int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) if (!data || (sizeof_data < 20)) { nr_debug_error("Invalid argument"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } packet_len = (data[2] << 8) | data[3]; if (packet_len < 20) { nr_debug_error("Packet length is too small"); - return -NR_ERR_PACKET_TOO_SMALL; + return -RSE_PACKET_TOO_SMALL; } if (packet_len > sizeof_data) { nr_debug_error("Packet length overflows received data"); - return -NR_ERR_PACKET_TOO_LARGE; + return -RSE_PACKET_TOO_LARGE; } /* @@ -112,17 +112,17 @@ int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) for (attr = data + 20; attr < end; attr += attr[1]) { if ((attr + 2) > end) { nr_debug_error("Attribute overflows packet"); - return -NR_ERR_ATTR_OVERFLOW; + return -RSE_ATTR_OVERFLOW; } if (attr[1] < 2) { nr_debug_error("Attribute length is too small"); - return -NR_ERR_ATTR_TOO_SMALL; + return -RSE_ATTR_TOO_SMALL; } if ((attr + attr[1]) > end) { nr_debug_error("Attribute length is too large"); - return -NR_ERR_ATTR_TOO_LARGE; + return -RSE_ATTR_TOO_LARGE; } } @@ -133,14 +133,14 @@ int nr_packet_ok(RADIUS_PACKET *packet) { int rcode; - if (!packet) return -NR_ERR_INVALID_ARG; + if (!packet) return -RSE_INVAL; - if ((packet->flags & NR_PACKET_OK) != 0) return 0; + if ((packet->flags & RS_PACKET_OK) != 0) return 0; rcode = nr_packet_ok_raw(packet->data, packet->length); if (rcode < 0) return rcode; - packet->flags |= NR_PACKET_OK; + packet->flags |= RS_PACKET_OK; return 0; } @@ -176,7 +176,7 @@ static int msg_auth_ok(const RADIUS_PACKET *original, if (ma[1] != 18) { nr_debug_error("Message-Authenticator has invalid length"); - return -NR_ERR_MSG_AUTH_LEN; + return -RSE_MSG_AUTH_LEN; } memcpy(packet_vector, data + 4, sizeof(packet_vector)); @@ -203,7 +203,7 @@ static int msg_auth_ok(const RADIUS_PACKET *original, case PW_ACCESS_CHALLENGE: if (!original) { nr_debug_error("Cannot validate response without request"); - return -NR_ERR_REQUEST_REQUIRED; + return -RSE_REQUEST_REQUIRED; } memcpy(data + 4, original->vector, sizeof(original->vector)); break; @@ -219,7 +219,7 @@ static int msg_auth_ok(const RADIUS_PACKET *original, if (digest_cmp(calc_auth_vector, msg_auth_vector, sizeof(calc_auth_vector)) != 0) { nr_debug_error("Invalid Message-Authenticator"); - return -NR_ERR_MSG_AUTH_WRONG; + return -RSE_MSG_AUTH_WRONG; } return 1; @@ -234,7 +234,7 @@ static int packet_auth_ok(const RADIUS_PACKET *original, { uint8_t packet_vector[sizeof(original->vector)]; uint8_t calc_digest[sizeof(original->vector)]; - NR_MD5_CTX ctx; + RS_MD5_CTX ctx; if ((data[0] == PW_ACCESS_REQUEST) || (data[0] == PW_STATUS_SERVER)) return 1; @@ -247,17 +247,17 @@ static int packet_auth_ok(const RADIUS_PACKET *original, memcpy(data + 4, original->vector, sizeof(original->vector)); } - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, data, length); - nr_MD5Update(&ctx, original->secret, original->sizeof_secret); - nr_MD5Final(calc_digest, &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, data, length); + RS_MD5Update(&ctx, original->secret, original->sizeof_secret); + RS_MD5Final(calc_digest, &ctx); memcpy(data + 4, packet_vector, sizeof(packet_vector)); if (digest_cmp(calc_digest, packet_vector, sizeof(packet_vector)) != 0) { nr_debug_error("Invalid authentication vector"); - return -NR_ERR_AUTH_VECTOR_WRONG; + return -RSE_AUTH_VECTOR_WRONG; } return 0; @@ -274,10 +274,10 @@ int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) if (!packet || !packet->data || !packet->secret) { nr_debug_error("Invalid argument"); - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } - if ((packet->flags & NR_PACKET_VERIFIED) != 0) return 0; + if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0; /* * Packet isn't well formed. Ignore it. @@ -291,16 +291,16 @@ int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) if (original) { uint64_t mask; - if (original->code > NR_MAX_PACKET_CODE) { + if (original->code > RS_MAX_PACKET_CODE) { nr_debug_error("Invalid original code %u", original->code); - return -NR_ERR_REQUEST_CODE_INVALID; + return -RSE_INVALID_REQUEST_CODE; } if (packet->data[1] != original->id) { nr_debug_error("Ignoring response with wrong ID %u", packet->data[1]); - return -NR_ERR_RESPONSE_ID_INVALID; + return -RSE_INVALID_RESPONSE_CODE; } mask = 1; @@ -309,18 +309,18 @@ int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) if ((allowed_responses[original->code] & mask) == 0) { nr_debug_error("Ignoring response with wrong code %u", packet->data[0]); - return -NR_ERR_RESPONSE_CODE_INVALID; + return -RSE_INVALID_RESPONSE_CODE; } if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && - (sockaddr_cmp(&(packet->src), &(original->dst)) != 0)) { + (evutil_sockaddr_cmp(&(packet->src), &(original->dst)) != 0)) { nr_debug_error("Ignoring response from wrong IP/port"); - return -NR_ERR_RESPONSE_SRC_INVALID; + return -RSE_INVALID_RESPONSE_SRC; } } else if (allowed_responses[packet->data[0]] != 0) { nr_debug_error("Ignoring response without original"); - return -NR_ERR_RESPONSE_CODE_INVALID; + return -RSE_INVALID_RESPONSE_CODE; } #ifdef PW_MESSAGE_AUTHENTICATOR @@ -344,7 +344,7 @@ int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) rcode = packet_auth_ok(original, packet->data, packet->length); if (rcode < 0) return rcode; - packet->flags |= NR_PACKET_VERIFIED; + packet->flags |= RS_PACKET_VERIFIED; return 0; } @@ -357,9 +357,9 @@ int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) const uint8_t *end; VALUE_PAIR **tail, *vp; - if (!packet) return -NR_ERR_INVALID_ARG; + if (!packet) return -RSE_INVAL; - if ((packet->flags & NR_PACKET_DECODED) != 0) return 0; + if ((packet->flags & RS_PACKET_DECODED) != 0) return 0; rcode = nr_packet_ok(packet); if (rcode < 0) return rcode; @@ -387,10 +387,10 @@ int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) vp = vp->next; } - if (num_attributes > NR_MAX_ATTRIBUTES) { + if (num_attributes > RS_MAX_ATTRIBUTES) { nr_debug_error("Too many attributes"); nr_vp_free(&packet->vps); - return -NR_ERR_TOO_MANY_ATTRS; + return -RSE_TOO_MANY_ATTRS; } } @@ -398,7 +398,7 @@ int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) packet->id = data[1]; memcpy(packet->vector, data + 4, sizeof(packet->vector)); - packet->flags |= NR_PACKET_DECODED; + packet->flags |= RS_PACKET_DECODED; return 0; } @@ -411,9 +411,9 @@ int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) const uint8_t *attr, *end; #endif - if ((packet->flags & NR_PACKET_SIGNED) != 0) return 0; + if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0; - if ((packet->flags & NR_PACKET_ENCODED) == 0) { + if ((packet->flags & RS_PACKET_ENCODED) == 0) { int rcode; rcode = nr_packet_encode(packet, original); @@ -426,7 +426,7 @@ int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) #ifdef PW_MESSAGE_AUTHENTICATOR if (!original) { nr_debug_error("Original packet is required to create the Message-Authenticator"); - return -NR_ERR_REQUEST_REQUIRED; + return -RSE_REQUEST_REQUIRED; } #endif @@ -483,18 +483,18 @@ int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) */ if (!((packet->code == PW_ACCESS_REQUEST) || (packet->code == PW_STATUS_SERVER))) { - NR_MD5_CTX ctx; + RS_MD5_CTX ctx; - nr_MD5Init(&ctx); - nr_MD5Update(&ctx, packet->data, packet->length); - nr_MD5Update(&ctx, packet->secret, packet->sizeof_secret); - nr_MD5Final(packet->vector, &ctx); + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, packet->data, packet->length); + RS_MD5Update(&ctx, packet->secret, packet->sizeof_secret); + RS_MD5Final(packet->vector, &ctx); } memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); packet->attempts = 0; - packet->flags |= NR_PACKET_SIGNED; + packet->flags |= RS_PACKET_SIGNED; return 0; } @@ -504,28 +504,28 @@ static int can_encode_packet(RADIUS_PACKET *packet, const RADIUS_PACKET *original) { if ((packet->code == 0) || - (packet->code > NR_MAX_PACKET_CODE) || - (original && (original->code > NR_MAX_PACKET_CODE))) { + (packet->code > RS_MAX_PACKET_CODE) || + (original && (original->code > RS_MAX_PACKET_CODE))) { nr_debug_error("Cannot send unknown packet code"); - return -NR_ERR_REQUEST_CODE_INVALID; + return -RSE_INVALID_REQUEST_CODE; } if (!nr_packet_codes[packet->code]) { nr_debug_error("Cannot handle packet code %u", packet->code); - return -NR_ERR_REQUEST_CODE_INVALID; + return -RSE_INVALID_REQUEST_CODE; } #ifdef NR_NO_MALLOC if (!packet->data) { nr_debug_error("No place to put packet"); - return -NR_ERR_NO_PACKET_DATA; + return -RSE_NO_PACKET_DATA; } #endif if (packet->sizeof_data < 20) { nr_debug_error("The buffer is too small to encode the packet"); - return -NR_ERR_PACKET_TOO_SMALL; + return -RSE_PACKET_TOO_SMALL; } /* @@ -540,14 +540,14 @@ static int can_encode_packet(RADIUS_PACKET *packet, if ((allowed_responses[original->code] & mask) == 0) { nr_debug_error("Cannot encode response %u to packet %u", packet->code, original->code); - return -NR_ERR_RESPONSE_CODE_INVALID; + return -RSE_INVALID_RESPONSE_CODE; } packet->id = original->id; } else if (allowed_responses[packet->code] == 0) { nr_debug_error("Cannot encode response %u without original", packet->code); - return -NR_ERR_REQUEST_REQUIRED; + return -RSE_REQUEST_REQUIRED; } return 0; @@ -555,7 +555,7 @@ static int can_encode_packet(RADIUS_PACKET *packet, static void encode_header(RADIUS_PACKET *packet) { - if ((packet->flags & NR_PACKET_HEADER) != 0) return; + if ((packet->flags & RS_PACKET_HEADER) != 0) return; memset(packet->data, 0, 20); packet->data[0] = packet->code; @@ -576,7 +576,7 @@ static void encode_header(RADIUS_PACKET *packet) memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); - packet->flags |= NR_PACKET_HEADER; + packet->flags |= RS_PACKET_HEADER; } int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) @@ -589,7 +589,7 @@ int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) const VALUE_PAIR *vp; uint8_t *data, *end; - if ((packet->flags & NR_PACKET_ENCODED) != 0) return 0; + if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0; rcode = can_encode_packet(packet, original); if (rcode < 0) return rcode; @@ -642,7 +642,7 @@ int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) packet->data[2] = (packet->length >> 8) & 0xff; packet->data[3] = packet->length & 0xff; - packet->flags |= NR_PACKET_ENCODED; + packet->flags |= RS_PACKET_ENCODED; return packet->length; } @@ -696,7 +696,7 @@ int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, uint8_t *attr; const uint8_t *end; - if (!packet || !callback) return -NR_ERR_INVALID_ARG; + if (!packet || !callback) return -RSE_INVAL; rcode = nr_packet_ok(packet); if (rcode < 0) return rcode; @@ -760,7 +760,7 @@ int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, break; default: - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } switch (dv_length) { @@ -774,7 +774,7 @@ int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, break; default: - return -NR_ERR_INTERNAL_FAILURE; + return -RSE_INTERNAL; } rcode = do_callback(ctx, callback, @@ -794,17 +794,15 @@ int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, { int rcode; - if ((code < 0) || (code > NR_MAX_PACKET_CODE)) { - return -NR_ERR_REQUEST_CODE_INVALID; + if ((code < 0) || (code > RS_MAX_PACKET_CODE)) { + return -RSE_INVALID_REQUEST_CODE; } - if (!data || (sizeof_data < 20)) return -NR_ERR_INVALID_ARG; - - if (!secret || !*secret) return -NR_ERR_INVALID_ARG; + if (!data || (sizeof_data < 20)) return -RSE_INVAL; memset(packet, 0, sizeof(*packet)); packet->secret = secret; - packet->sizeof_secret = strlen(secret); + packet->sizeof_secret = secret ? strlen(secret) : 0; packet->code = code; packet->id = 0; packet->data = data; @@ -832,7 +830,7 @@ static int pack_eap(RADIUS_PACKET *packet, end = attr + packet->sizeof_data; while (left > 253) { - if ((attr + 255) > end) return -NR_ERR_ATTR_OVERFLOW; + if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW; attr[0] = PW_EAP_MESSAGE; attr[1] = 255; @@ -842,7 +840,7 @@ static int pack_eap(RADIUS_PACKET *packet, left -= 253; } - if ((attr + (2 + left)) > end) return -NR_ERR_ATTR_OVERFLOW; + if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW; attr[0] = PW_EAP_MESSAGE; attr[1] = 2 + left; @@ -864,27 +862,27 @@ ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, const VALUE_PAIR *vp; if (!packet || !da || !data) { - return -NR_ERR_INVALID_ARG; + return -RSE_INVAL; } if (data_len == 0) { - if (da->type != NR_TYPE_STRING) return -NR_ERR_ATTR_TOO_SMALL; + if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL; data_len = strlen(data); } - packet->flags |= NR_PACKET_ENCODED; /* ignore any VPs */ + packet->flags |= RS_PACKET_ENCODED; /* ignore any VPs */ attr = packet->data + packet->length; end = attr + packet->sizeof_data; if ((attr + 2 + data_len) > end) { - return -NR_ERR_ATTR_OVERFLOW; + return -RSE_ATTR_OVERFLOW; } if ((da->flags.length != 0) && (data_len != da->flags.length)) { - return -NR_ERR_ATTR_VALUE_MALFORMED; + return -RSE_ATTR_VALUE_MALFORMED; } #ifdef PW_EAP_MESSAGE @@ -897,7 +895,7 @@ ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, } #endif - if (data_len > 253) return -NR_ERR_ATTR_TOO_LARGE; + if (data_len > 253) return -RSE_ATTR_TOO_LARGE; vp = nr_vp_init(&my_vp, da); rcode = nr_vp_set_data(&my_vp, data, data_len); diff --git a/lib/radius/parse.c b/lib/radius/parse.c index 6b593a8..cd7491a 100644 --- a/lib/radius/parse.c +++ b/lib/radius/parse.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Routines to parse strings into internal data structures */ -#include +#include "client.h" #include ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) @@ -37,43 +37,43 @@ ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) char *end; switch (vp->da->type) { - case NR_TYPE_STRING: + case RS_TYPE_STRING: strlcpy(vp->vp_strvalue, value, sizeof(vp->vp_strvalue)); vp->length = strlen(vp->vp_strvalue); return vp->length; - case NR_TYPE_DATE: - case NR_TYPE_INTEGER: + case RS_TYPE_DATE: + case RS_TYPE_INTEGER: vp->vp_integer = strtoul(value, &end, 10); if ((value == end) || (*end != '\0')) { nr_debug_error("Invalid value"); - return -NR_ERR_ATTR_VALUE_MALFORMED; + return -RSE_ATTR_VALUE_MALFORMED; } return (end - value); - case NR_TYPE_IPADDR: + case RS_TYPE_IPADDR: if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) { - return -NR_ERR_SYSTEM; + return -RSE_NOSYS; } return strlen(value); -#ifdef NR_TYPE_IPV6ADDR - case NR_TYPE_IPV6ADDR: +#ifdef RS_TYPE_IPV6ADDR + case RS_TYPE_IPV6ADDR: if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) { - return -NR_ERR_SYSTEM; + return -RSE_NOSYS; } return strlen(value); #endif -#ifdef NR_TYPE_IFID - case NR_TYPE_IFID: +#ifdef RS_TYPE_IFID + case RS_TYPE_IFID: { int i, array[8]; if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x", &array[0], &array[1], &array[2], &array[3], &array[4], &array[5], &array[6], &array[7]) != 8) { - return -NR_ERR_SYSTEM; + return -RSE_SYSTEM; } for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff; @@ -84,7 +84,7 @@ ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) default: nr_debug_error("Invalid type"); - return -NR_ERR_ATTR_TYPE_UNKNOWN; + return -RSE_ATTR_TYPE_UNKNOWN; } return 0; @@ -99,7 +99,7 @@ int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp) VALUE_PAIR *vp; char buffer[256]; - if (!string || !pvp) return -NR_ERR_INVALID_ARG; + if (!string || !pvp) return -RSE_INVAL; p = string; q = buffer; @@ -110,26 +110,26 @@ int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp) if (q == buffer) { nr_debug_error("No Attribute name"); - return -NR_ERR_ATTR_BAD_NAME; + return -RSE_ATTR_BAD_NAME; } da = nr_dict_attr_byname(buffer); if (!da) { nr_debug_error("Unknown attribute \"%s\"", buffer); - return -NR_ERR_ATTR_UNKNOWN; + return -RSE_ATTR_UNKNOWN; } while (*p == ' ') p++; if (*p != '=') { nr_debug_error("Unexpected text after attribute name"); - return -NR_ERR_ATTR_BAD_NAME; + return -RSE_ATTR_BAD_NAME; } p++; while (*p == ' ') p++; vp = nr_vp_alloc(da); - if (!vp) return -NR_ERR_NO_MEM; + if (!vp) return -RSE_NOMEM; rcode = nr_vp_sscanf_value(vp, p); if (rcode < 0) { diff --git a/lib/radius/print.c b/lib/radius/print.c index abe4255..28dd0a6 100644 --- a/lib/radius/print.c +++ b/lib/radius/print.c @@ -29,9 +29,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Functions to print things. */ -#include +#include "client.h" #include -#ifdef NR_TYPE_IPV6ADDR +#ifdef RS_TYPE_IPV6ADDR #include #endif @@ -51,7 +51,7 @@ void nr_packet_print_hex(RADIUS_PACKET *packet) printf("%02x", packet->data[i]); } printf("\n"); - if ((packet->flags & NR_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n"); + if ((packet->flags & RS_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n"); if (packet->length > 20) { int total; @@ -106,21 +106,21 @@ size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) char *p = buffer; switch (vp->da->type) { - case NR_TYPE_STRING: + case RS_TYPE_STRING: /* * FIXME: escape backslash && quotes! */ - len = snprintf(p, buflen, "\"%s\"", vp->vp_strvalue); + len = snprintf(p, buflen, "%s", vp->vp_strvalue); break; - case NR_TYPE_DATE: - case NR_TYPE_INTEGER: - case NR_TYPE_SHORT: - case NR_TYPE_BYTE: + case RS_TYPE_DATE: + case RS_TYPE_INTEGER: + case RS_TYPE_SHORT: + case RS_TYPE_BYTE: len = snprintf(p, buflen, "%u", vp->vp_integer); break; - case NR_TYPE_IPADDR: + case RS_TYPE_IPADDR: len = snprintf(p, buflen, "%u.%u.%u.%u", (vp->vp_ipaddr >> 24) & 0xff, (vp->vp_ipaddr >> 16) & 0xff, @@ -128,16 +128,16 @@ size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) vp->vp_ipaddr & 0xff); break; -#ifdef NR_TYPE_IPV6ADDR - case NR_TYPE_IPV6ADDR: +#ifdef RS_TYPE_IPV6ADDR + case RS_TYPE_IPV6ADDR: if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) { - return -NR_ERR_SYSTEM; + return -RSE_SYSTEM; } break; #endif -#ifdef NR_TYPE_IFID - case NR_TYPE_IFID: +#ifdef RS_TYPE_IFID + case RS_TYPE_IFID: len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x", vp->vp_ifid[0], vp->vp_ifid[1], vp->vp_ifid[2], vp->vp_ifid[3], @@ -146,7 +146,7 @@ size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) break; #endif - case NR_TYPE_OCTETS: + case RS_TYPE_OCTETS: len = snprintf(p, buflen, "0x"); if (len >= buflen) return 0; @@ -224,42 +224,3 @@ void nr_strerror_printf(const char *fmt, ...) } /** \endcond */ -const char *nr_strerror(int error) -{ - if (error == 0) return nr_strerror_buffer; - - if (error < 0) error = -error; - - switch (error) { - default: return "Unknown error"; - case NR_ERR_SYSTEM: return strerror(errno); - - case NR_ERR_INVALID_ARG: return "Invalid argument"; - case NR_ERR_PACKET_TOO_SMALL: return "Packet is too small"; - case NR_ERR_PACKET_TOO_LARGE: return "Packet is too large"; - case NR_ERR_ATTR_OVERFLOW: return "Attribute overflows packet"; - case NR_ERR_ATTR_TOO_SMALL: return "Attribute is too small"; - case NR_ERR_ATTR_TOO_LARGE: return "Attribute is too large"; - case NR_ERR_ATTR_UNKNOWN: return "Unknown attribute"; - case NR_ERR_ATTR_BAD_NAME: return "Invalid name for attribute"; - case NR_ERR_ATTR_VALUE_MALFORMED: return "Invalid value for attribute"; - case NR_ERR_ATTR_INVALID: return "Invalid attribute"; - case NR_ERR_TOO_MANY_ATTRS: return "Too many attributes in the packet"; - case NR_ERR_ATTR_TYPE_UNKNOWN: return "Attribute type unknown"; - case NR_ERR_MSG_AUTH_LEN: return "Invalid Message-Authenticator"; - case NR_ERR_MSG_AUTH_WRONG: return "Incorrect Message-Authenticator"; - case NR_ERR_REQUEST_REQUIRED: return "Request is required"; - case NR_ERR_REQUEST_CODE_INVALID: return "Invalid request code"; - case NR_ERR_AUTH_VECTOR_WRONG: return "Incorrect Request Authenticator"; - case NR_ERR_RESPONSE_CODE_INVALID: return "Response code is unsupported"; - case NR_ERR_RESPONSE_ID_INVALID: return "Response ID is invalid"; - case NR_ERR_RESPONSE_SRC_INVALID: return "Response from the wrong src ip/port"; - case NR_ERR_NO_PACKET_DATA: return "Cannot encode the packet"; - case NR_ERR_VENDOR_UNKNOWN: return "Vendor is unknown"; - case NR_ERR_INTERNAL_FAILURE: return "Internal failure"; - case NR_ERR_UNSUPPORTED: return "Unsupported feature"; - case NR_ERR_NO_MEM: return "Out of memory"; - case NR_ERR_IN_USE: return "Resource is in use"; - - } -} diff --git a/lib/radius/radius.h b/lib/radius/radius.h deleted file mode 100644 index cfc16b7..0000000 --- a/lib/radius/radius.h +++ /dev/null @@ -1,314 +0,0 @@ -/* Automatically generated file. Do not edit */ - -#define VENDORPEC_MICROSOFT 311 -#define VENDORPEC_EXAMPLE 65535 - - -/* IETF */ -#define PW_USER_NAME 1 -#define PW_USER_PASSWORD 2 -#define PW_CHAP_PASSWORD 3 -#define PW_NAS_IP_ADDRESS 4 -#define PW_NAS_PORT 5 -#define PW_SERVICE_TYPE 6 -#define PW_FRAMED_PROTOCOL 7 -#define PW_FRAMED_IP_ADDRESS 8 -#define PW_FRAMED_IP_NETMASK 9 -#define PW_FRAMED_ROUTING 10 -#define PW_FILTER_ID 11 -#define PW_FRAMED_MTU 12 -#define PW_FRAMED_COMPRESSION 13 -#define PW_LOGIN_IP_HOST 14 -#define PW_LOGIN_SERVICE 15 -#define PW_LOGIN_TCP_PORT 16 -#define PW_REPLY_MESSAGE 18 -#define PW_CALLBACK_NUMBER 19 -#define PW_CALLBACK_ID 20 -#define PW_FRAMED_ROUTE 22 -#define PW_FRAMED_IPX_NETWORK 23 -#define PW_STATE 24 -#define PW_CLASS 25 -#define PW_VENDOR_SPECIFIC 26 -#define PW_SESSION_TIMEOUT 27 -#define PW_IDLE_TIMEOUT 28 -#define PW_TERMINATION_ACTION 29 -#define PW_CALLED_STATION_ID 30 -#define PW_CALLING_STATION_ID 31 -#define PW_NAS_IDENTIFIER 32 -#define PW_PROXY_STATE 33 -#define PW_LOGIN_LAT_SERVICE 34 -#define PW_LOGIN_LAT_NODE 35 -#define PW_LOGIN_LAT_GROUP 36 -#define PW_FRAMED_APPLETALK_LINK 37 -#define PW_FRAMED_APPLETALK_NETWORK 38 -#define PW_FRAMED_APPLETALK_ZONE 39 -#define PW_ACCT_STATUS_TYPE 40 -#define PW_ACCT_DELAY_TIME 41 -#define PW_ACCT_INPUT_OCTETS 42 -#define PW_ACCT_OUTPUT_OCTETS 43 -#define PW_ACCT_SESSION_ID 44 -#define PW_ACCT_AUTHENTIC 45 -#define PW_ACCT_SESSION_TIME 46 -#define PW_ACCT_INPUT_PACKETS 47 -#define PW_ACCT_OUTPUT_PACKETS 48 -#define PW_ACCT_TERMINATE_CAUSE 49 -#define PW_ACCT_MULTI_SESSION_ID 50 -#define PW_ACCT_LINK_COUNT 51 -#define PW_ACCT_INPUT_GIGAWORDS 52 -#define PW_ACCT_OUTPUT_GIGAWORDS 53 -#define PW_EVENT_TIMESTAMP 55 -#define PW_EGRESS_VLANID 56 -#define PW_INGRESS_FILTERS 57 -#define PW_EGRESS_VLAN_NAME 58 -#define PW_USER_PRIORITY_TABLE 59 -#define PW_CHAP_CHALLENGE 60 -#define PW_NAS_PORT_TYPE 61 -#define PW_PORT_LIMIT 62 -#define PW_LOGIN_LAT_PORT 63 -#define PW_TUNNEL_TYPE 64 -#define PW_TUNNEL_MEDIUM_TYPE 65 -#define PW_TUNNEL_CLIENT_ENDPOINT 66 -#define PW_TUNNEL_SERVER_ENDPOINT 67 -#define PW_ACCT_TUNNEL_CONNECTION 68 -#define PW_TUNNEL_PASSWORD 69 -#define PW_ARAP_PASSWORD 70 -#define PW_ARAP_FEATURES 71 -#define PW_ARAP_ZONE_ACCESS 72 -#define PW_ARAP_SECURITY 73 -#define PW_ARAP_SECURITY_DATA 74 -#define PW_PASSWORD_RETRY 75 -#define PW_PROMPT 76 -#define PW_CONNECT_INFO 77 -#define PW_CONFIGURATION_TOKEN 78 -#define PW_EAP_MESSAGE 79 -#define PW_MESSAGE_AUTHENTICATOR 80 -#define PW_TUNNEL_PRIVATE_GROUP_ID 81 -#define PW_TUNNEL_ASSIGNMENT_ID 82 -#define PW_TUNNEL_PREFERENCE 83 -#define PW_ARAP_CHALLENGE_RESPONSE 84 -#define PW_ACCT_INTERIM_INTERVAL 85 -#define PW_ACCT_TUNNEL_PACKETS_LOST 86 -#define PW_NAS_PORT_ID 87 -#define PW_FRAMED_POOL 88 -#define PW_CHARGEABLE_USER_IDENTITY 89 -#define PW_TUNNEL_CLIENT_AUTH_ID 90 -#define PW_TUNNEL_SERVER_AUTH_ID 91 -#define PW_NAS_FILTER_RULE 92 -#define PW_NAS_IPV6_ADDRESS 95 -#define PW_FRAMED_INTERFACE_ID 96 -#define PW_FRAMED_IPV6_PREFIX 97 -#define PW_LOGIN_IPV6_HOST 98 -#define PW_FRAMED_IPV6_ROUTE 99 -#define PW_FRAMED_IPV6_POOL 100 -#define PW_ERROR_CAUSE 101 -#define PW_EAP_KEY_NAME 102 -#define PW_DIGEST_RESPONSE 103 -#define PW_DIGEST_REALM 104 -#define PW_DIGEST_NONCE 105 -#define PW_DIGEST_RESPONSE_AUTH 106 -#define PW_DIGEST_NEXTNONCE 107 -#define PW_DIGEST_METHOD 108 -#define PW_DIGEST_URI 109 -#define PW_DIGEST_QOP 110 -#define PW_DIGEST_ALGORITHM 111 -#define PW_DIGEST_ENTITY_BODY_HASH 112 -#define PW_DIGEST_CNONCE 113 -#define PW_DIGEST_NONCE_COUNT 114 -#define PW_DIGEST_USERNAME 115 -#define PW_DIGEST_OPAQUE 116 -#define PW_DIGEST_AUTH_PARAM 117 -#define PW_DIGEST_AKA_AUTS 118 -#define PW_DIGEST_DOMAIN 119 -#define PW_DIGEST_STALE 120 -#define PW_DIGEST_HA1 121 -#define PW_SIP_AOR 122 -#define PW_DELEGATED_IPV6_PREFIX 123 -#define PW_OPERATOR_NAME 126 -#define PW_LOCATION_INFORMATION 127 -#define PW_LOCATION_DATA 128 -#define PW_BASIC_LOCATION_POLICY_RULES 129 -#define PW_EXTENDED_LOCATION_POLICY_RULES 130 -#define PW_LOCATION_CAPABLE 131 -#define PW_REQUESTED_LOCATION_INFO 132 -#define PW_FRAMED_MANAGEMENT 133 -#define PW_MANAGEMENT_TRANSPORT_PROTECTION 134 -#define PW_MANAGEMENT_POLICY_ID 135 -#define PW_MANAGEMENT_PRIVILEGE_LEVEL 136 -#define PW_PKM_SS_CERT 137 -#define PW_PKM_CA_CERT 138 -#define PW_PKM_CONFIG_SETTINGS 139 -#define PW_PKM_CRYPTOSUITE_LIST 140 -#define PW_PKM_SAID 141 -#define PW_PKM_SA_DESCRIPTOR 142 -#define PW_PKM_AUTH_KEY 143 - -/* Microsoft */ -#define PW_MS_CHAP_RESPONSE 1 -#define PW_MS_CHAP_ERROR 2 -#define PW_MS_MPPE_ENCRYPTION_POLICY 7 -#define PW_MS_MPPE_ENCRYPTION_TYPES 8 -#define PW_MS_CHAP_DOMAIN 10 -#define PW_MS_CHAP_CHALLENGE 11 -#define PW_MS_CHAP_MPPE_KEYS 12 -#define PW_MS_MPPE_SEND_KEY 16 -#define PW_MS_MPPE_RECV_KEY 17 -#define PW_MS_CHAP2_RESPONSE 25 -#define PW_MS_CHAP2_SUCCESS 26 - -/* example */ -#define PW_EXAMPLE_INTEGER 1 -#define PW_EXAMPLE_STRING 2 -#define PW_EXAMPLE_IP_ADDRESS 3 - -/* Fixed offsets to dictionary definitions of attributes */ -#define NR_DA_USER_NAME (&nr_dict_attrs[1]) -#define NR_DA_USER_PASSWORD (&nr_dict_attrs[2]) -#define NR_DA_CHAP_PASSWORD (&nr_dict_attrs[3]) -#define NR_DA_NAS_IP_ADDRESS (&nr_dict_attrs[4]) -#define NR_DA_NAS_PORT (&nr_dict_attrs[5]) -#define NR_DA_SERVICE_TYPE (&nr_dict_attrs[6]) -#define NR_DA_FRAMED_PROTOCOL (&nr_dict_attrs[7]) -#define NR_DA_FRAMED_IP_ADDRESS (&nr_dict_attrs[8]) -#define NR_DA_FRAMED_IP_NETMASK (&nr_dict_attrs[9]) -#define NR_DA_FRAMED_ROUTING (&nr_dict_attrs[10]) -#define NR_DA_FILTER_ID (&nr_dict_attrs[11]) -#define NR_DA_FRAMED_MTU (&nr_dict_attrs[12]) -#define NR_DA_FRAMED_COMPRESSION (&nr_dict_attrs[13]) -#define NR_DA_LOGIN_IP_HOST (&nr_dict_attrs[14]) -#define NR_DA_LOGIN_SERVICE (&nr_dict_attrs[15]) -#define NR_DA_LOGIN_TCP_PORT (&nr_dict_attrs[16]) -#define NR_DA_REPLY_MESSAGE (&nr_dict_attrs[18]) -#define NR_DA_CALLBACK_NUMBER (&nr_dict_attrs[19]) -#define NR_DA_CALLBACK_ID (&nr_dict_attrs[20]) -#define NR_DA_FRAMED_ROUTE (&nr_dict_attrs[22]) -#define NR_DA_FRAMED_IPX_NETWORK (&nr_dict_attrs[23]) -#define NR_DA_STATE (&nr_dict_attrs[24]) -#define NR_DA_CLASS (&nr_dict_attrs[25]) -#define NR_DA_VENDOR_SPECIFIC (&nr_dict_attrs[26]) -#define NR_DA_SESSION_TIMEOUT (&nr_dict_attrs[27]) -#define NR_DA_IDLE_TIMEOUT (&nr_dict_attrs[28]) -#define NR_DA_TERMINATION_ACTION (&nr_dict_attrs[29]) -#define NR_DA_CALLED_STATION_ID (&nr_dict_attrs[30]) -#define NR_DA_CALLING_STATION_ID (&nr_dict_attrs[31]) -#define NR_DA_NAS_IDENTIFIER (&nr_dict_attrs[32]) -#define NR_DA_PROXY_STATE (&nr_dict_attrs[33]) -#define NR_DA_LOGIN_LAT_SERVICE (&nr_dict_attrs[34]) -#define NR_DA_LOGIN_LAT_NODE (&nr_dict_attrs[35]) -#define NR_DA_LOGIN_LAT_GROUP (&nr_dict_attrs[36]) -#define NR_DA_FRAMED_APPLETALK_LINK (&nr_dict_attrs[37]) -#define NR_DA_FRAMED_APPLETALK_NETWORK (&nr_dict_attrs[38]) -#define NR_DA_FRAMED_APPLETALK_ZONE (&nr_dict_attrs[39]) -#define NR_DA_ACCT_STATUS_TYPE (&nr_dict_attrs[40]) -#define NR_DA_ACCT_DELAY_TIME (&nr_dict_attrs[41]) -#define NR_DA_ACCT_INPUT_OCTETS (&nr_dict_attrs[42]) -#define NR_DA_ACCT_OUTPUT_OCTETS (&nr_dict_attrs[43]) -#define NR_DA_ACCT_SESSION_ID (&nr_dict_attrs[44]) -#define NR_DA_ACCT_AUTHENTIC (&nr_dict_attrs[45]) -#define NR_DA_ACCT_SESSION_TIME (&nr_dict_attrs[46]) -#define NR_DA_ACCT_INPUT_PACKETS (&nr_dict_attrs[47]) -#define NR_DA_ACCT_OUTPUT_PACKETS (&nr_dict_attrs[48]) -#define NR_DA_ACCT_TERMINATE_CAUSE (&nr_dict_attrs[49]) -#define NR_DA_ACCT_MULTI_SESSION_ID (&nr_dict_attrs[50]) -#define NR_DA_ACCT_LINK_COUNT (&nr_dict_attrs[51]) -#define NR_DA_ACCT_INPUT_GIGAWORDS (&nr_dict_attrs[52]) -#define NR_DA_ACCT_OUTPUT_GIGAWORDS (&nr_dict_attrs[53]) -#define NR_DA_EVENT_TIMESTAMP (&nr_dict_attrs[55]) -#define NR_DA_EGRESS_VLANID (&nr_dict_attrs[56]) -#define NR_DA_INGRESS_FILTERS (&nr_dict_attrs[57]) -#define NR_DA_EGRESS_VLAN_NAME (&nr_dict_attrs[58]) -#define NR_DA_USER_PRIORITY_TABLE (&nr_dict_attrs[59]) -#define NR_DA_CHAP_CHALLENGE (&nr_dict_attrs[60]) -#define NR_DA_NAS_PORT_TYPE (&nr_dict_attrs[61]) -#define NR_DA_PORT_LIMIT (&nr_dict_attrs[62]) -#define NR_DA_LOGIN_LAT_PORT (&nr_dict_attrs[63]) -#define NR_DA_TUNNEL_TYPE (&nr_dict_attrs[64]) -#define NR_DA_TUNNEL_MEDIUM_TYPE (&nr_dict_attrs[65]) -#define NR_DA_TUNNEL_CLIENT_ENDPOINT (&nr_dict_attrs[66]) -#define NR_DA_TUNNEL_SERVER_ENDPOINT (&nr_dict_attrs[67]) -#define NR_DA_ACCT_TUNNEL_CONNECTION (&nr_dict_attrs[68]) -#define NR_DA_TUNNEL_PASSWORD (&nr_dict_attrs[69]) -#define NR_DA_ARAP_PASSWORD (&nr_dict_attrs[70]) -#define NR_DA_ARAP_FEATURES (&nr_dict_attrs[71]) -#define NR_DA_ARAP_ZONE_ACCESS (&nr_dict_attrs[72]) -#define NR_DA_ARAP_SECURITY (&nr_dict_attrs[73]) -#define NR_DA_ARAP_SECURITY_DATA (&nr_dict_attrs[74]) -#define NR_DA_PASSWORD_RETRY (&nr_dict_attrs[75]) -#define NR_DA_PROMPT (&nr_dict_attrs[76]) -#define NR_DA_CONNECT_INFO (&nr_dict_attrs[77]) -#define NR_DA_CONFIGURATION_TOKEN (&nr_dict_attrs[78]) -#define NR_DA_EAP_MESSAGE (&nr_dict_attrs[79]) -#define NR_DA_MESSAGE_AUTHENTICATOR (&nr_dict_attrs[80]) -#define NR_DA_TUNNEL_PRIVATE_GROUP_ID (&nr_dict_attrs[81]) -#define NR_DA_TUNNEL_ASSIGNMENT_ID (&nr_dict_attrs[82]) -#define NR_DA_TUNNEL_PREFERENCE (&nr_dict_attrs[83]) -#define NR_DA_ARAP_CHALLENGE_RESPONSE (&nr_dict_attrs[84]) -#define NR_DA_ACCT_INTERIM_INTERVAL (&nr_dict_attrs[85]) -#define NR_DA_ACCT_TUNNEL_PACKETS_LOST (&nr_dict_attrs[86]) -#define NR_DA_NAS_PORT_ID (&nr_dict_attrs[87]) -#define NR_DA_FRAMED_POOL (&nr_dict_attrs[88]) -#define NR_DA_CHARGEABLE_USER_IDENTITY (&nr_dict_attrs[89]) -#define NR_DA_TUNNEL_CLIENT_AUTH_ID (&nr_dict_attrs[90]) -#define NR_DA_TUNNEL_SERVER_AUTH_ID (&nr_dict_attrs[91]) -#define NR_DA_NAS_FILTER_RULE (&nr_dict_attrs[92]) -#define NR_DA_NAS_IPV6_ADDRESS (&nr_dict_attrs[95]) -#define NR_DA_FRAMED_INTERFACE_ID (&nr_dict_attrs[96]) -#define NR_DA_FRAMED_IPV6_PREFIX (&nr_dict_attrs[97]) -#define NR_DA_LOGIN_IPV6_HOST (&nr_dict_attrs[98]) -#define NR_DA_FRAMED_IPV6_ROUTE (&nr_dict_attrs[99]) -#define NR_DA_FRAMED_IPV6_POOL (&nr_dict_attrs[100]) -#define NR_DA_ERROR_CAUSE (&nr_dict_attrs[101]) -#define NR_DA_EAP_KEY_NAME (&nr_dict_attrs[102]) -#define NR_DA_DIGEST_RESPONSE (&nr_dict_attrs[103]) -#define NR_DA_DIGEST_REALM (&nr_dict_attrs[104]) -#define NR_DA_DIGEST_NONCE (&nr_dict_attrs[105]) -#define NR_DA_DIGEST_RESPONSE_AUTH (&nr_dict_attrs[106]) -#define NR_DA_DIGEST_NEXTNONCE (&nr_dict_attrs[107]) -#define NR_DA_DIGEST_METHOD (&nr_dict_attrs[108]) -#define NR_DA_DIGEST_URI (&nr_dict_attrs[109]) -#define NR_DA_DIGEST_QOP (&nr_dict_attrs[110]) -#define NR_DA_DIGEST_ALGORITHM (&nr_dict_attrs[111]) -#define NR_DA_DIGEST_ENTITY_BODY_HASH (&nr_dict_attrs[112]) -#define NR_DA_DIGEST_CNONCE (&nr_dict_attrs[113]) -#define NR_DA_DIGEST_NONCE_COUNT (&nr_dict_attrs[114]) -#define NR_DA_DIGEST_USERNAME (&nr_dict_attrs[115]) -#define NR_DA_DIGEST_OPAQUE (&nr_dict_attrs[116]) -#define NR_DA_DIGEST_AUTH_PARAM (&nr_dict_attrs[117]) -#define NR_DA_DIGEST_AKA_AUTS (&nr_dict_attrs[118]) -#define NR_DA_DIGEST_DOMAIN (&nr_dict_attrs[119]) -#define NR_DA_DIGEST_STALE (&nr_dict_attrs[120]) -#define NR_DA_DIGEST_HA1 (&nr_dict_attrs[121]) -#define NR_DA_SIP_AOR (&nr_dict_attrs[122]) -#define NR_DA_DELEGATED_IPV6_PREFIX (&nr_dict_attrs[123]) -#define NR_DA_OPERATOR_NAME (&nr_dict_attrs[126]) -#define NR_DA_LOCATION_INFORMATION (&nr_dict_attrs[127]) -#define NR_DA_LOCATION_DATA (&nr_dict_attrs[128]) -#define NR_DA_BASIC_LOCATION_POLICY_RULES (&nr_dict_attrs[129]) -#define NR_DA_EXTENDED_LOCATION_POLICY_RULES (&nr_dict_attrs[130]) -#define NR_DA_LOCATION_CAPABLE (&nr_dict_attrs[131]) -#define NR_DA_REQUESTED_LOCATION_INFO (&nr_dict_attrs[132]) -#define NR_DA_FRAMED_MANAGEMENT (&nr_dict_attrs[133]) -#define NR_DA_MANAGEMENT_TRANSPORT_PROTECTION (&nr_dict_attrs[134]) -#define NR_DA_MANAGEMENT_POLICY_ID (&nr_dict_attrs[135]) -#define NR_DA_MANAGEMENT_PRIVILEGE_LEVEL (&nr_dict_attrs[136]) -#define NR_DA_PKM_SS_CERT (&nr_dict_attrs[137]) -#define NR_DA_PKM_CA_CERT (&nr_dict_attrs[138]) -#define NR_DA_PKM_CONFIG_SETTINGS (&nr_dict_attrs[139]) -#define NR_DA_PKM_CRYPTOSUITE_LIST (&nr_dict_attrs[140]) -#define NR_DA_PKM_SAID (&nr_dict_attrs[141]) -#define NR_DA_PKM_SA_DESCRIPTOR (&nr_dict_attrs[142]) -#define NR_DA_PKM_AUTH_KEY (&nr_dict_attrs[143]) -#define NR_DA_MS_CHAP_RESPONSE (&nr_dict_attrs[256]) -#define NR_DA_MS_CHAP_ERROR (&nr_dict_attrs[257]) -#define NR_DA_MS_MPPE_ENCRYPTION_POLICY (&nr_dict_attrs[258]) -#define NR_DA_MS_MPPE_ENCRYPTION_TYPES (&nr_dict_attrs[259]) -#define NR_DA_MS_CHAP_DOMAIN (&nr_dict_attrs[260]) -#define NR_DA_MS_CHAP_CHALLENGE (&nr_dict_attrs[261]) -#define NR_DA_MS_CHAP_MPPE_KEYS (&nr_dict_attrs[262]) -#define NR_DA_MS_MPPE_SEND_KEY (&nr_dict_attrs[263]) -#define NR_DA_MS_MPPE_RECV_KEY (&nr_dict_attrs[264]) -#define NR_DA_MS_CHAP2_RESPONSE (&nr_dict_attrs[265]) -#define NR_DA_MS_CHAP2_SUCCESS (&nr_dict_attrs[266]) -#define NR_DA_EXAMPLE_INTEGER (&nr_dict_attrs[267]) -#define NR_DA_EXAMPLE_STRING (&nr_dict_attrs[268]) -#define NR_DA_EXAMPLE_IP_ADDRESS (&nr_dict_attrs[269]) -/* Automatically generated file. Do not edit */ diff --git a/lib/radius/share/dictionary.ukerna b/lib/radius/share/dictionary.ukerna new file mode 100644 index 0000000..1694566 --- /dev/null +++ b/lib/radius/share/dictionary.ukerna @@ -0,0 +1,19 @@ +# -*- text -*- +# +# GSS-EAP VSAs +# +# $Id$ +# + +VENDOR UKERNA 25622 + +BEGIN-VENDOR UKERNA + +ATTRIBUTE GSS-Acceptor-Service-Name 128 string +ATTRIBUTE GSS-Acceptor-Host-Name 129 string +ATTRIBUTE GSS-Acceptor-Service-Specific 130 string +ATTRIBUTE GSS-Acceptor-Realm-Name 131 string +ATTRIBUTE SAML-AAA-Assertion 132 string +ATTRIBUTE MS-Windows-Auth-Data 133 octets + +END-VENDOR UKERNA diff --git a/lib/radius/static.c b/lib/radius/static.c index d633e5b..bd87272 100644 --- a/lib/radius/static.c +++ b/lib/radius/static.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Dummy file to include auto-generating static dictionary mappings. */ -#include +#include "client.h" /* * Include the dynamically generated dictionaries. diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c index 603a970..b374fdd 100644 --- a/lib/radius/valuepair.c +++ b/lib/radius/valuepair.c @@ -29,7 +29,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * \brief Functions to manipulate C structure versions of RADIUS attributes. */ -#include +#include "client.h" void nr_vp_free(VALUE_PAIR **head) { @@ -71,9 +71,7 @@ VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da) return NULL; } -#ifndef NR_NO_MALLOC vp = malloc(sizeof(*vp)); -#endif if (!vp) { nr_strerror_printf("Out of memory"); return NULL; @@ -87,9 +85,7 @@ VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor) VALUE_PAIR *vp = NULL; DICT_ATTR *da; -#ifndef NR_NO_MALLOC vp = malloc(sizeof(*vp) + sizeof(*da) + 64); -#endif if (!vp) { nr_strerror_printf("Out of memory"); return NULL; @@ -112,24 +108,24 @@ int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) { int rcode = 1; /* OK */ - if (!vp || !data || (sizeof_data == 0)) return -NR_ERR_INVALID_ARG; + if (!vp || !data || (sizeof_data == 0)) return -RSE_INVAL; switch (vp->da->type) { - case NR_TYPE_BYTE: + case RS_TYPE_BYTE: vp->vp_integer = *(const uint8_t *) data; break; - case NR_TYPE_SHORT: + case RS_TYPE_SHORT: vp->vp_integer = *(const uint16_t *) data; break; - case NR_TYPE_INTEGER: - case NR_TYPE_DATE: - case NR_TYPE_IPADDR: + case RS_TYPE_INTEGER: + case RS_TYPE_DATE: + case RS_TYPE_IPADDR: vp->vp_integer = *(const uint32_t *) data; break; - case NR_TYPE_STRING: + case RS_TYPE_STRING: if (sizeof_data >= sizeof(vp->vp_strvalue)) { sizeof_data = sizeof(vp->vp_strvalue) - 1; rcode = 0; /* truncated */ @@ -140,7 +136,7 @@ int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) vp->length = sizeof_data; break; - case NR_TYPE_OCTETS: + case RS_TYPE_OCTETS: if (sizeof_data > sizeof(vp->vp_octets)) { sizeof_data = sizeof(vp->vp_octets); rcode = 0; /* truncated */ @@ -150,7 +146,7 @@ int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) break; default: - return -NR_ERR_ATTR_TYPE_UNKNOWN; + return -RSE_ATTR_TYPE_UNKNOWN; } return rcode; -- cgit v1.1 From 718bb36ae58944ea6eaa86a3df646e0797ce615c Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 14 Nov 2011 13:42:10 +1100 Subject: don't use GCC extensions in generated code --- lib/radius/client.h | 3 --- lib/radius/convert.pl | 59 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 37 insertions(+), 25 deletions(-) (limited to 'lib/radius') diff --git a/lib/radius/client.h b/lib/radius/client.h index df9f834..6c1526d 100644 --- a/lib/radius/client.h +++ b/lib/radius/client.h @@ -239,12 +239,9 @@ typedef struct attr_flags { unsigned int has_tlv : 1; /* has sub attributes */ unsigned int is_tlv : 1; /* is a sub attribute */ #endif -#ifdef VENDOR_EXTENDED unsigned int extended : 1; /* extended attribute */ unsigned int extended_flags : 1; /* with flag */ unsigned int evs : 1; /* extended VSA */ -#endif - uint8_t encrypt; /**< Attribute encryption method */ uint8_t length; /**< The expected length of the attribute */ } ATTR_FLAGS; diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl index 9cf8731..7ca424e 100755 --- a/lib/radius/convert.pl +++ b/lib/radius/convert.pl @@ -69,19 +69,35 @@ if (scalar keys %vendor > 0) { print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n"; foreach $v (sort keys %vendor) { print DICT " { \n"; - print DICT " .name = \"", $v, "\", \n"; - print DICT " .vendor = ", $vendor{$v}{'pec'}, ", \n"; - print DICT " .type = ", $vendor{$v}{'type'}, ",\n"; - print DICT " .length = ", $vendor{$v}{'length'}, ",\n"; + print DICT " " . $vendor{$v}{'pec'} . ", \n"; + print DICT " " . $vendor{$v}{'type'} . ",\n"; + print DICT " " . $vendor{$v}{'length'} . ",\n"; + print DICT " \"" . $v, "\"\n"; print DICT " },\n"; } - print DICT "\n { .name = NULL, }\n"; + print DICT " { \n"; + print DICT " 0,\n"; + print DICT " 0,\n"; + print DICT " 0,\n"; + print DICT " NULL\n"; + print DICT " },\n"; print DICT "};\n\n"; } # needed for later. $vendor{""}{'pec'} = 0; +sub printAttrFlag +{ + my $tmp = $attributes{$attr_val}{'flags'}{$_[0]}; + + if (!$tmp) { + $tmp = 0; + } + + print DICT $tmp . ", "; +} + # # Print DICT out the attributes sorted by number. # @@ -92,24 +108,23 @@ foreach $attr_val (sort {$a <=> $b} keys %attributes) { print DICT " { /* $offset */ \n"; if (defined $attributes{$attr_val}{'raw'}) { - print DICT " .name = NULL, \n"; + print DICT " 0\n", } else { - print DICT " .name = \"", $attributes{$attr_val}{'name'}, "\", \n"; - if ($attributes{$attr_val}{'vendor'}) { - print DICT " .vendor = ", $attributes{$attr_val}{'vendor'}, ", \n"; - } - - print DICT " .attr = ", $attributes{$attr_val}{'value'}, ", \n"; - print DICT " .type = ", $attributes{$attr_val}{'type'}, ", \n"; - - if ($attributes{$attr_val}{'flags'}) { - print DICT " .flags = {\n"; - foreach $flag (keys %{$attributes{$attr_val}{'flags'}}) { - print DICT " .$flag = $attributes{$attr_val}{'flags'}{$flag},\n"; - } - print DICT " },\n"; - } - + print DICT " ", $attributes{$attr_val}{'value'}, ", \n"; + print DICT " ", $attributes{$attr_val}{'type'}, ", \n"; + print DICT " ", $attributes{$attr_val}{'vendor'}, ", \n"; + print DICT " { "; + &printAttrFlag('has_tag'); + &printAttrFlag('unknown'); +# &printAttrFlag('has_tlv'); +# &printAttrFlag('is_tlv'); + &printAttrFlag('extended'); + &printAttrFlag('extended_flags'); + &printAttrFlag('evs'); + &printAttrFlag('encrypt'); + &printAttrFlag('length'); + print DICT "},\n"; + print DICT " \"", $attributes{$attr_val}{'name'}, "\", \n"; $num_names++; } -- cgit v1.1 From ac17a556bd50969c8157d50761449b702afa4af8 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 14 Nov 2011 16:59:55 +1100 Subject: port new RADIUS library to Windows Conflicts: lib/configure.ac lib/include/radsec/radsec.h lib/radius/client.h --- lib/radius/Makefile.am | 4 +- lib/radius/attrs.c | 2 +- lib/radius/client.h | 18 +- lib/radius/custom.c | 76 ++++ lib/radius/id.c | 5 +- lib/radius/packet.c | 916 ------------------------------------------------- lib/radius/parse.c | 15 +- lib/radius/print.c | 1 + lib/radius/radpkt.c | 916 +++++++++++++++++++++++++++++++++++++++++++++++++ lib/radius/valuepair.c | 10 +- 10 files changed, 1028 insertions(+), 935 deletions(-) delete mode 100644 lib/radius/packet.c create mode 100644 lib/radius/radpkt.c (limited to 'lib/radius') diff --git a/lib/radius/Makefile.am b/lib/radius/Makefile.am index 1b66ca6..b57ef16 100644 --- a/lib/radius/Makefile.am +++ b/lib/radius/Makefile.am @@ -12,13 +12,13 @@ libradsec_radius_la_SOURCES = \ custom.c \ dict.c \ id.c \ - packet.c \ parse.c \ print.c \ + radpkt.c \ static.c \ valuepair.c -libradsec_radius_la_CFLAGS = $(AM_CFLAGS) +libradsec_radius_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H DICTIONARIES = \ share/dictionary.txt \ diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c index d096cc2..21cd3f0 100644 --- a/lib/radius/attrs.c +++ b/lib/radius/attrs.c @@ -836,7 +836,7 @@ static ssize_t data2vp_any(const RADIUS_PACKET *packet, #endif -#ifdef FLAG_ENCRYPT_ASCEND_SECRET: +#ifdef FLAG_ENCRYPT_ASCEND_SECRET /* * Ascend-Send-Secret * Ascend-Receive-Secret diff --git a/lib/radius/client.h b/lib/radius/client.h index 6c1526d..aefb40d 100644 --- a/lib/radius/client.h +++ b/lib/radius/client.h @@ -35,21 +35,31 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. /* * System-specific header files. */ +#include #include #include +#ifdef HAVE_STDINT_H #include +#endif +#ifdef HAVE_STDLIB_H #include +#endif +#ifdef HAVE_STRING_H #include +#endif #include +#ifdef HAVE_NETDB_H #include +#endif +#ifdef HAVE_NETINET_IN_H #include +#endif +#ifdef HAVE_SYS_TIME_H #include +#endif #include - -/* - * Definitions of attributes. - */ +#include #include /** \defgroup build Build Helpers diff --git a/lib/radius/custom.c b/lib/radius/custom.c index 02e2463..917939a 100644 --- a/lib/radius/custom.c +++ b/lib/radius/custom.c @@ -24,6 +24,38 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* + * Copyright (c) 2006 Kungliga Tekniska HAÎåÎÝgskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ /** \file custom.c * \brief Functions which should be customized for your local system. @@ -34,6 +66,49 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #include #include +#ifdef WIN32 +#include + +volatile static HCRYPTPROV nr_cryptprovider = 0; + +static HCRYPTPROV +nr_CryptProvider(void) +{ + BOOL rv; + HCRYPTPROV cryptprovider = 0; + + if (nr_cryptprovider != 0) + return nr_cryptprovider; + + rv = CryptAcquireContext(&cryptprovider, NULL, + MS_ENHANCED_PROV, PROV_RSA_FULL, + 0); + + if (GetLastError() == NTE_BAD_KEYSET) { + if(!rv) + rv = CryptAcquireContext(&cryptprovider, NULL, + MS_ENHANCED_PROV, PROV_RSA_FULL, + CRYPT_NEWKEYSET); + } + + if (rv && + InterlockedCompareExchangePointer((PVOID *) &nr_cryptprovider, + (PVOID) cryptprovider, 0) != 0) { + + CryptReleaseContext(cryptprovider, 0); + cryptprovider = nr_cryptprovider; + } + + return cryptprovider; +} + +ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) +{ + if (CryptGenRandom(nr_CryptProvider(), data_len, data)) + return 0; + return data_len; +} +#else ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) { static int fd = -1; @@ -49,6 +124,7 @@ ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) return read(fd, data, data_len); } +#endif /* WIN32 */ uint32_t nr_rand(void) { diff --git a/lib/radius/id.c b/lib/radius/id.c index 2b956f2..4ccd032 100644 --- a/lib/radius/id.c +++ b/lib/radius/id.c @@ -26,7 +26,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "client.h" + +#ifdef HAVE_UNISTD_H #include +#endif /** \file id.c * \brief Handling of ID allocation / freeing @@ -141,7 +144,7 @@ int nr_server_close(const nr_server_t *s) if (s->used > 0) return -RSE_INUSE; - if (s->sockfd >= 0) close(s->sockfd); + if (s->sockfd >= 0) evutil_closesocket(s->sockfd); return 0; } diff --git a/lib/radius/packet.c b/lib/radius/packet.c deleted file mode 100644 index c5d3bc4..0000000 --- a/lib/radius/packet.c +++ /dev/null @@ -1,916 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file packet.c - * \brief Encoding and decoding packets - */ - -#include "client.h" - -#if RS_MAX_PACKET_LEN < 64 -#error RS_MAX_PACKET_LEN is too small. It should be at least 64. -#endif - -#if RS_MAX_PACKET_LEN > 16384 -#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K. -#endif - -const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = { - NULL, - "Access-Request", - "Access-Accept", - "Access-Reject", - "Accounting-Request", - "Accounting-Response", - NULL, NULL, NULL, NULL, NULL, - "Access-Challenge", - "Status-Server", /* 12 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */ - "Disconnect-Request", - "Disconnect-ACK", - "Disconnect-NAK", - "CoA-Request", - "CoA-ACK", - "CoA-NAK" -}; - - -static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = { - 0, - (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), - 0, 0, - 1 << PW_ACCOUNTING_RESPONSE, - 0, - 0, 0, 0, 0, 0, - 0, - (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE), - 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */ - (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK), - 0, - 0, - (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK), - 0, - 0 -}; - - -int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) -{ - size_t packet_len; - const uint8_t *attr, *end; - - if (!data || (sizeof_data < 20)) { - nr_debug_error("Invalid argument"); - return -RSE_INVAL; - } - - packet_len = (data[2] << 8) | data[3]; - if (packet_len < 20) { - nr_debug_error("Packet length is too small"); - return -RSE_PACKET_TOO_SMALL; - } - - if (packet_len > sizeof_data) { - nr_debug_error("Packet length overflows received data"); - return -RSE_PACKET_TOO_LARGE; - } - - /* - * If we receive 100 bytes, and the header says it's 20 bytes, - * then it's 20 bytes. - */ - end = data + packet_len; - - for (attr = data + 20; attr < end; attr += attr[1]) { - if ((attr + 2) > end) { - nr_debug_error("Attribute overflows packet"); - return -RSE_ATTR_OVERFLOW; - } - - if (attr[1] < 2) { - nr_debug_error("Attribute length is too small"); - return -RSE_ATTR_TOO_SMALL; - } - - if ((attr + attr[1]) > end) { - nr_debug_error("Attribute length is too large"); - return -RSE_ATTR_TOO_LARGE; - } - } - - return 0; -} - -int nr_packet_ok(RADIUS_PACKET *packet) -{ - int rcode; - - if (!packet) return -RSE_INVAL; - - if ((packet->flags & RS_PACKET_OK) != 0) return 0; - - rcode = nr_packet_ok_raw(packet->data, packet->length); - if (rcode < 0) return rcode; - - packet->flags |= RS_PACKET_OK; - return 0; -} - - -/* - * Comparison function that is time-independent. Using "memcmp" - * would satisfy the "comparison" part. However, it would also - * leak information about *which* bytes are wrong. Attackers - * could use that leak to create a "correct" RADIUS packet which - * will be accepted by the client and/or server. - */ -static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length) -{ - int result = 0; - size_t i; - - for (i = 0; i < length; i++) { - result |= (a[i] ^ b[i]); - } - - return result; -} - - -#ifdef PW_MESSAGE_AUTHENTICATOR -static int msg_auth_ok(const RADIUS_PACKET *original, - uint8_t *ma, - uint8_t *data, size_t length) -{ - uint8_t packet_vector[sizeof(original->vector)]; - uint8_t msg_auth_vector[sizeof(original->vector)]; - uint8_t calc_auth_vector[sizeof(original->vector)]; - - if (ma[1] != 18) { - nr_debug_error("Message-Authenticator has invalid length"); - return -RSE_MSG_AUTH_LEN; - } - - memcpy(packet_vector, data + 4, sizeof(packet_vector)); - memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector)); - memset(ma + 2, 0, sizeof(msg_auth_vector)); - - switch (data[0]) { - default: - break; - - case PW_ACCOUNTING_REQUEST: - case PW_ACCOUNTING_RESPONSE: - case PW_DISCONNECT_REQUEST: - case PW_DISCONNECT_ACK: - case PW_DISCONNECT_NAK: - case PW_COA_REQUEST: - case PW_COA_ACK: - case PW_COA_NAK: - memset(data + 4, 0, sizeof(packet_vector)); - break; - - case PW_ACCESS_ACCEPT: - case PW_ACCESS_REJECT: - case PW_ACCESS_CHALLENGE: - if (!original) { - nr_debug_error("Cannot validate response without request"); - return -RSE_REQUEST_REQUIRED; - } - memcpy(data + 4, original->vector, sizeof(original->vector)); - break; - } - - nr_hmac_md5(data, length, - (const uint8_t *) original->secret, original->sizeof_secret, - calc_auth_vector); - - memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector)); - memcpy(data + 4, packet_vector, sizeof(packet_vector)); - - if (digest_cmp(calc_auth_vector, msg_auth_vector, - sizeof(calc_auth_vector)) != 0) { - nr_debug_error("Invalid Message-Authenticator"); - return -RSE_MSG_AUTH_WRONG; - } - - return 1; -} -#endif - -/* - * The caller ensures that the packet codes are as expected. - */ -static int packet_auth_ok(const RADIUS_PACKET *original, - uint8_t *data, size_t length) -{ - uint8_t packet_vector[sizeof(original->vector)]; - uint8_t calc_digest[sizeof(original->vector)]; - RS_MD5_CTX ctx; - - if ((data[0] == PW_ACCESS_REQUEST) || - (data[0] == PW_STATUS_SERVER)) return 1; - - memcpy(packet_vector, data + 4, sizeof(packet_vector)); - - if (!original) { - memset(data + 4, 0, sizeof(packet_vector)); - } else { - memcpy(data + 4, original->vector, sizeof(original->vector)); - } - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, data, length); - RS_MD5Update(&ctx, original->secret, original->sizeof_secret); - RS_MD5Final(calc_digest, &ctx); - - memcpy(data + 4, packet_vector, sizeof(packet_vector)); - - if (digest_cmp(calc_digest, packet_vector, - sizeof(packet_vector)) != 0) { - nr_debug_error("Invalid authentication vector"); - return -RSE_AUTH_VECTOR_WRONG; - } - - return 0; -} - - -int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ - int rcode; - uint8_t *attr; -#ifdef PW_MESSAGE_AUTHENTICATOR - const uint8_t *end; -#endif - - if (!packet || !packet->data || !packet->secret) { - nr_debug_error("Invalid argument"); - return -RSE_INVAL; - } - - if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0; - - /* - * Packet isn't well formed. Ignore it. - */ - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - /* - * Get rid of improper packets as early as possible. - */ - if (original) { - uint64_t mask; - - if (original->code > RS_MAX_PACKET_CODE) { - nr_debug_error("Invalid original code %u", - original->code); - return -RSE_INVALID_REQUEST_CODE; - } - - if (packet->data[1] != original->id) { - nr_debug_error("Ignoring response with wrong ID %u", - packet->data[1]); - return -RSE_INVALID_RESPONSE_CODE; - } - - mask = 1; - mask <<= packet->data[0]; - - if ((allowed_responses[original->code] & mask) == 0) { - nr_debug_error("Ignoring response with wrong code %u", - packet->data[0]); - return -RSE_INVALID_RESPONSE_CODE; - } - - if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && - (evutil_sockaddr_cmp(&(packet->src), &(original->dst)) != 0)) { - nr_debug_error("Ignoring response from wrong IP/port"); - return -RSE_INVALID_RESPONSE_SRC; - } - - } else if (allowed_responses[packet->data[0]] != 0) { - nr_debug_error("Ignoring response without original"); - return -RSE_INVALID_RESPONSE_CODE; - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - end = packet->data + packet->length; - - /* - * Note that the packet MUST be well-formed here. - */ - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { - rcode = msg_auth_ok(original, attr, - packet->data, packet->length); - if (rcode < 0) return rcode; - } - } -#endif - - /* - * Verify the packet authenticator. - */ - rcode = packet_auth_ok(original, packet->data, packet->length); - if (rcode < 0) return rcode; - - packet->flags |= RS_PACKET_VERIFIED; - - return 0; -} - - -int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ - int rcode, num_attributes; - uint8_t *data, *attr; - const uint8_t *end; - VALUE_PAIR **tail, *vp; - - if (!packet) return -RSE_INVAL; - - if ((packet->flags & RS_PACKET_DECODED) != 0) return 0; - - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - data = packet->data; - end = data + packet->length; - tail = &packet->vps; - num_attributes = 0; - - /* - * Loop over the packet, converting attrs to VPs. - */ - for (attr = data + 20; attr < end; attr += attr[1]) { - rcode = nr_attr2vp(packet, original, - attr, end - attr, &vp); - if (rcode < 0) { - nr_vp_free(&packet->vps); - return -rcode; - } - - *tail = vp; - while (vp) { - num_attributes++; - tail = &(vp->next); - vp = vp->next; - } - - if (num_attributes > RS_MAX_ATTRIBUTES) { - nr_debug_error("Too many attributes"); - nr_vp_free(&packet->vps); - return -RSE_TOO_MANY_ATTRS; - } - } - - packet->code = data[0]; - packet->id = data[1]; - memcpy(packet->vector, data + 4, sizeof(packet->vector)); - - packet->flags |= RS_PACKET_DECODED; - - return 0; -} - - -int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ -#ifdef PW_MESSAGE_AUTHENTICATOR - size_t ma = 0; - const uint8_t *attr, *end; -#endif - - if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0; - - if ((packet->flags & RS_PACKET_ENCODED) == 0) { - int rcode; - - rcode = nr_packet_encode(packet, original); - if (rcode < 0) return rcode; - } - - if ((packet->code == PW_ACCESS_ACCEPT) || - (packet->code == PW_ACCESS_CHALLENGE) || - (packet->code == PW_ACCESS_REJECT)) { -#ifdef PW_MESSAGE_AUTHENTICATOR - if (!original) { - nr_debug_error("Original packet is required to create the Message-Authenticator"); - return -RSE_REQUEST_REQUIRED; - } -#endif - - memcpy(packet->data + 4, original->vector, - sizeof(original->vector)); - } else { - memcpy(packet->data + 4, packet->vector, - sizeof(packet->vector)); - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - end = packet->data + packet->length; - - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { - ma = (attr - packet->data); - break; - } - } - - /* - * Force all Access-Request packets to have a - * Message-Authenticator. - */ - if (!ma && ((packet->length + 18) <= packet->sizeof_data) && - ((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER))) { - ma = packet->length; - - packet->data[ma]= PW_MESSAGE_AUTHENTICATOR; - packet->data[ma + 1] = 18; - memset(&packet->data[ma + 2], 0, 16); - packet->length += 18; - } - - /* - * Reset the length. - */ - packet->data[2] = (packet->length >> 8) & 0xff; - packet->data[3] = packet->length & 0xff; - - /* - * Sign the Message-Authenticator && packet. - */ - if (ma) { - nr_hmac_md5(packet->data, packet->length, - (const uint8_t *) packet->secret, packet->sizeof_secret, - packet->data + ma + 2); - } -#endif - - /* - * Calculate the signature. - */ - if (!((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER))) { - RS_MD5_CTX ctx; - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, packet->data, packet->length); - RS_MD5Update(&ctx, packet->secret, packet->sizeof_secret); - RS_MD5Final(packet->vector, &ctx); - } - - memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); - - packet->attempts = 0; - packet->flags |= RS_PACKET_SIGNED; - - return 0; -} - - -static int can_encode_packet(RADIUS_PACKET *packet, - const RADIUS_PACKET *original) -{ - if ((packet->code == 0) || - (packet->code > RS_MAX_PACKET_CODE) || - (original && (original->code > RS_MAX_PACKET_CODE))) { - nr_debug_error("Cannot send unknown packet code"); - return -RSE_INVALID_REQUEST_CODE; - } - - if (!nr_packet_codes[packet->code]) { - nr_debug_error("Cannot handle packet code %u", - packet->code); - return -RSE_INVALID_REQUEST_CODE; - } - -#ifdef NR_NO_MALLOC - if (!packet->data) { - nr_debug_error("No place to put packet"); - return -RSE_NO_PACKET_DATA; - } -#endif - - if (packet->sizeof_data < 20) { - nr_debug_error("The buffer is too small to encode the packet"); - return -RSE_PACKET_TOO_SMALL; - } - - /* - * Enforce request / response correlation. - */ - if (original) { - uint64_t mask; - - mask = 1; - mask <<= packet->code; - - if ((allowed_responses[original->code] & mask) == 0) { - nr_debug_error("Cannot encode response %u to packet %u", - packet->code, original->code); - return -RSE_INVALID_RESPONSE_CODE; - } - packet->id = original->id; - - } else if (allowed_responses[packet->code] == 0) { - nr_debug_error("Cannot encode response %u without original", - packet->code); - return -RSE_REQUEST_REQUIRED; - } - - return 0; -} - -static void encode_header(RADIUS_PACKET *packet) -{ - if ((packet->flags & RS_PACKET_HEADER) != 0) return; - - memset(packet->data, 0, 20); - packet->data[0] = packet->code; - packet->data[1] = packet->id; - packet->data[2] = 0; - packet->data[3] = 20; - packet->length = 20; - - /* - * Calculate a random authentication vector. - */ - if ((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER)) { - nr_rand_bytes(packet->vector, sizeof(packet->vector)); - } else { - memset(packet->vector, 0, sizeof(packet->vector)); - } - - memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); - - packet->flags |= RS_PACKET_HEADER; -} - -int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ -#ifdef PW_MESSAGE_AUTHENTICATOR - size_t ma = 0; -#endif - int rcode; - ssize_t len; - const VALUE_PAIR *vp; - uint8_t *data, *end; - - if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0; - - rcode = can_encode_packet(packet, original); - if (rcode < 0) return rcode; - - data = packet->data; - end = data + packet->sizeof_data; - - encode_header(packet); - data += 20; - - /* - * Encode each VALUE_PAIR - */ - vp = packet->vps; - while (vp) { -#ifdef PW_MESSAGE_AUTHENTICATOR - if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { - ma = (data - packet->data); - } -#endif - len = nr_vp2attr(packet, original, &vp, - data, end - data); - if (len < 0) return len; - - if (len == 0) break; /* insufficient room to encode it */ - - data += data[1]; - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - /* - * Always send a Message-Authenticator. - * - * We do *not* recommend removing this code. - */ - if (((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER)) && - !ma && - ((data + 18) <= end)) { - ma = (data - packet->data); - data[0] = PW_MESSAGE_AUTHENTICATOR; - data[1] = 18; - memset(data + 2, 0, 16); - data += data[1]; - } -#endif - - packet->length = data - packet->data; - - packet->data[2] = (packet->length >> 8) & 0xff; - packet->data[3] = packet->length & 0xff; - - packet->flags |= RS_PACKET_ENCODED; - - return packet->length; -} - - -/* - * Ensure that the nr_data2attr_t structure is filled in - * appropriately. This includes filling in a fake DICT_ATTR - * structure, if necessary. - */ -static int do_callback(void *ctx, nr_packet_walk_func_t callback, - int attr, int vendor, - const uint8_t *data, size_t sizeof_data) - -{ - int rcode; - const DICT_ATTR *da; - DICT_ATTR myda; - char buffer[64]; - - da = nr_dict_attr_byvalue(attr, vendor); - - /* - * The attribute is supposed to have a particular length, - * but does not. It is therefore malformed. - */ - if (da && (da->flags.length != 0) && - da->flags.length != sizeof_data) { - da = NULL; - } - - if (!da) { - rcode = nr_dict_attr_2struct(&myda, attr, vendor, - buffer, sizeof(buffer)); - - if (rcode < 0) return rcode; - da = &myda; - } - - rcode = callback(ctx, da, data, sizeof_data); - if (rcode < 0) return rcode; - - return 0; -} - - -int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, - nr_packet_walk_func_t callback) -{ - int rcode; - uint8_t *attr; - const uint8_t *end; - - if (!packet || !callback) return -RSE_INVAL; - - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - end = packet->data + packet->length; - - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - int length, value; - int dv_type, dv_length; - uint32_t vendorpec; - const uint8_t *vsa; - const DICT_VENDOR *dv = NULL; - - vendorpec = 0; - value = attr[0]; - - if (value != PW_VENDOR_SPECIFIC) { - raw: - rcode = do_callback(ctx, callback, - attr[0], 0, - attr + 2, attr[1] - 2); - if (rcode < 0) return rcode; - continue; - } - - if (attr[1] < 6) goto raw; - memcpy(&vendorpec, attr + 2, 4); - vendorpec = ntohl(vendorpec); - - if (dv && (dv->vendor != vendorpec)) dv = NULL; - - if (!dv) dv = nr_dict_vendor_byvalue(vendorpec); - - if (dv) { - dv_type = dv->type; - dv_length = dv->length; - } else { - dv_type = 1; - dv_length = 1; - } - - /* - * Malformed: it's a raw attribute. - */ - if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) { - goto raw; - } - - for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) { - switch (dv_type) { - case 4: - value = (vsa[2] << 8) | vsa[3]; - break; - - case 2: - value = (vsa[0] << 8) | vsa[1]; - break; - - case 1: - value = vsa[0]; - break; - - default: - return -RSE_INTERNAL; - } - - switch (dv_length) { - case 0: - length = attr[1] - 6 - dv_type; - break; - - case 2: - case 1: - length = vsa[dv_type + dv_length - 1]; - break; - - default: - return -RSE_INTERNAL; - } - - rcode = do_callback(ctx, callback, - value, vendorpec, - vsa + dv_type + dv_length, - length - dv_type - dv_length); - if (rcode < 0) return rcode; - } - } - - return 0; -} - -int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const char *secret, int code, - void *data, size_t sizeof_data) -{ - int rcode; - - if ((code < 0) || (code > RS_MAX_PACKET_CODE)) { - return -RSE_INVALID_REQUEST_CODE; - } - - if (!data || (sizeof_data < 20)) return -RSE_INVAL; - - memset(packet, 0, sizeof(*packet)); - packet->secret = secret; - packet->sizeof_secret = secret ? strlen(secret) : 0; - packet->code = code; - packet->id = 0; - packet->data = data; - packet->sizeof_data = sizeof_data; - - rcode = can_encode_packet(packet, original); - if (rcode < 0) return rcode; - - encode_header(packet); - - return 0; -} - - -static int pack_eap(RADIUS_PACKET *packet, - const void *data, size_t data_len) -{ - uint8_t *attr, *end; - const uint8_t *eap; - size_t left; - - eap = data; - left = data_len; - attr = packet->data + packet->length; - end = attr + packet->sizeof_data; - - while (left > 253) { - if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW; - - attr[0] = PW_EAP_MESSAGE; - attr[1] = 255; - memcpy(attr + 2, eap, 253); - attr += attr[1]; - eap += 253; - left -= 253; - } - - if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW; - - attr[0] = PW_EAP_MESSAGE; - attr[1] = 2 + left; - memcpy(attr + 2, eap, left); - attr += attr[1]; - packet->length = attr - packet->data; - - return 0; -} - -ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const DICT_ATTR *da, - const void *data, size_t data_len) -{ - ssize_t rcode; - uint8_t *attr, *end; - VALUE_PAIR my_vp; - const VALUE_PAIR *vp; - - if (!packet || !da || !data) { - return -RSE_INVAL; - } - - if (data_len == 0) { - if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL; - - data_len = strlen(data); - } - - packet->flags |= RS_PACKET_ENCODED; /* ignore any VPs */ - - attr = packet->data + packet->length; - end = attr + packet->sizeof_data; - - if ((attr + 2 + data_len) > end) { - return -RSE_ATTR_OVERFLOW; - } - - if ((da->flags.length != 0) && - (data_len != da->flags.length)) { - return -RSE_ATTR_VALUE_MALFORMED; - } - -#ifdef PW_EAP_MESSAGE - /* - * automatically split EAP-Message into multiple - * attributes. - */ - if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) { - return pack_eap(packet, data, data_len); - } -#endif - - if (data_len > 253) return -RSE_ATTR_TOO_LARGE; - - vp = nr_vp_init(&my_vp, da); - rcode = nr_vp_set_data(&my_vp, data, data_len); - if (rcode < 0) return rcode; - - /* - * Note that this function packs VSAs each into their own - * Vendor-Specific attribute. If this isn't what you - * want, use the version of the library with full support - * for TLVs, WiMAX, and extended attributes. - */ - rcode = nr_vp2attr(packet, original, &vp, attr, end - attr); - if (rcode <= 0) return rcode; - - packet->length += rcode; - - return rcode; -} diff --git a/lib/radius/parse.c b/lib/radius/parse.c index cd7491a..8446306 100644 --- a/lib/radius/parse.c +++ b/lib/radius/parse.c @@ -30,18 +30,25 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "client.h" + +#ifdef HAVE_ARPA_INET_H #include +#endif ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) { char *end; switch (vp->da->type) { - case RS_TYPE_STRING: - strlcpy(vp->vp_strvalue, value, sizeof(vp->vp_strvalue)); - vp->length = strlen(vp->vp_strvalue); - return vp->length; + case RS_TYPE_STRING: { + size_t len = strlen(value); + if (len >= RS_MAX_STRING_LEN) + return -RSE_ATTR_TOO_LARGE; + + memcpy(vp->vp_strvalue, value, len + 1); + return (vp->length = len); + } case RS_TYPE_DATE: case RS_TYPE_INTEGER: vp->vp_integer = strtoul(value, &end, 10); diff --git a/lib/radius/print.c b/lib/radius/print.c index 28dd0a6..6fa06d7 100644 --- a/lib/radius/print.c +++ b/lib/radius/print.c @@ -164,6 +164,7 @@ size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) break; default: + len = 0; break; } diff --git a/lib/radius/radpkt.c b/lib/radius/radpkt.c new file mode 100644 index 0000000..bb8f75e --- /dev/null +++ b/lib/radius/radpkt.c @@ -0,0 +1,916 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file packet.c + * \brief Encoding and decoding packets + */ + +#include "client.h" + +#if RS_MAX_PACKET_LEN < 64 +#error RS_MAX_PACKET_LEN is too small. It should be at least 64. +#endif + +#if RS_MAX_PACKET_LEN > 16384 +#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K. +#endif + +const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = { + NULL, + "Access-Request", + "Access-Accept", + "Access-Reject", + "Accounting-Request", + "Accounting-Response", + NULL, NULL, NULL, NULL, NULL, + "Access-Challenge", + "Status-Server", /* 12 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */ + "Disconnect-Request", + "Disconnect-ACK", + "Disconnect-NAK", + "CoA-Request", + "CoA-ACK", + "CoA-NAK" +}; + + +static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = { + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), + 0, 0, + 1 << PW_ACCOUNTING_RESPONSE, + 0, + 0, 0, 0, 0, 0, + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE), + 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */ + (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK), + 0, + 0, + (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK), + 0, + 0 +}; + + +int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) +{ + size_t packet_len; + const uint8_t *attr, *end; + + if (!data || (sizeof_data < 20)) { + nr_debug_error("Invalid argument"); + return -RSE_INVAL; + } + + packet_len = (data[2] << 8) | data[3]; + if (packet_len < 20) { + nr_debug_error("Packet length is too small"); + return -RSE_PACKET_TOO_SMALL; + } + + if (packet_len > sizeof_data) { + nr_debug_error("Packet length overflows received data"); + return -RSE_PACKET_TOO_LARGE; + } + + /* + * If we receive 100 bytes, and the header says it's 20 bytes, + * then it's 20 bytes. + */ + end = data + packet_len; + + for (attr = data + 20; attr < end; attr += attr[1]) { + if ((attr + 2) > end) { + nr_debug_error("Attribute overflows packet"); + return -RSE_ATTR_OVERFLOW; + } + + if (attr[1] < 2) { + nr_debug_error("Attribute length is too small"); + return -RSE_ATTR_TOO_SMALL; + } + + if ((attr + attr[1]) > end) { + nr_debug_error("Attribute length is too large"); + return -RSE_ATTR_TOO_LARGE; + } + } + + return 0; +} + +int nr_packet_ok(RADIUS_PACKET *packet) +{ + int rcode; + + if (!packet) return -RSE_INVAL; + + if ((packet->flags & RS_PACKET_OK) != 0) return 0; + + rcode = nr_packet_ok_raw(packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= RS_PACKET_OK; + return 0; +} + + +/* + * Comparison function that is time-independent. Using "memcmp" + * would satisfy the "comparison" part. However, it would also + * leak information about *which* bytes are wrong. Attackers + * could use that leak to create a "correct" RADIUS packet which + * will be accepted by the client and/or server. + */ +static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length) +{ + int result = 0; + size_t i; + + for (i = 0; i < length; i++) { + result |= (a[i] ^ b[i]); + } + + return result; +} + + +#ifdef PW_MESSAGE_AUTHENTICATOR +static int msg_auth_ok(const RADIUS_PACKET *original, + uint8_t *ma, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t msg_auth_vector[sizeof(original->vector)]; + uint8_t calc_auth_vector[sizeof(original->vector)]; + + if (ma[1] != 18) { + nr_debug_error("Message-Authenticator has invalid length"); + return -RSE_MSG_AUTH_LEN; + } + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector)); + memset(ma + 2, 0, sizeof(msg_auth_vector)); + + switch (data[0]) { + default: + break; + + case PW_ACCOUNTING_REQUEST: + case PW_ACCOUNTING_RESPONSE: + case PW_DISCONNECT_REQUEST: + case PW_DISCONNECT_ACK: + case PW_DISCONNECT_NAK: + case PW_COA_REQUEST: + case PW_COA_ACK: + case PW_COA_NAK: + memset(data + 4, 0, sizeof(packet_vector)); + break; + + case PW_ACCESS_ACCEPT: + case PW_ACCESS_REJECT: + case PW_ACCESS_CHALLENGE: + if (!original) { + nr_debug_error("Cannot validate response without request"); + return -RSE_REQUEST_REQUIRED; + } + memcpy(data + 4, original->vector, sizeof(original->vector)); + break; + } + + nr_hmac_md5(data, length, + (const uint8_t *) original->secret, original->sizeof_secret, + calc_auth_vector); + + memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector)); + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_auth_vector, msg_auth_vector, + sizeof(calc_auth_vector)) != 0) { + nr_debug_error("Invalid Message-Authenticator"); + return -RSE_MSG_AUTH_WRONG; + } + + return 1; +} +#endif + +/* + * The caller ensures that the packet codes are as expected. + */ +static int packet_auth_ok(const RADIUS_PACKET *original, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t calc_digest[sizeof(original->vector)]; + RS_MD5_CTX ctx; + + if ((data[0] == PW_ACCESS_REQUEST) || + (data[0] == PW_STATUS_SERVER)) return 1; + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + + if (!original) { + memset(data + 4, 0, sizeof(packet_vector)); + } else { + memcpy(data + 4, original->vector, sizeof(original->vector)); + } + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, data, length); + RS_MD5Update(&ctx, (const unsigned char *)original->secret, original->sizeof_secret); + RS_MD5Final(calc_digest, &ctx); + + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_digest, packet_vector, + sizeof(packet_vector)) != 0) { + nr_debug_error("Invalid authentication vector"); + return -RSE_AUTH_VECTOR_WRONG; + } + + return 0; +} + + +int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode; + uint8_t *attr; +#ifdef PW_MESSAGE_AUTHENTICATOR + const uint8_t *end; +#endif + + if (!packet || !packet->data || !packet->secret) { + nr_debug_error("Invalid argument"); + return -RSE_INVAL; + } + + if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0; + + /* + * Packet isn't well formed. Ignore it. + */ + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + /* + * Get rid of improper packets as early as possible. + */ + if (original) { + uint64_t mask; + + if (original->code > RS_MAX_PACKET_CODE) { + nr_debug_error("Invalid original code %u", + original->code); + return -RSE_INVALID_REQUEST_CODE; + } + + if (packet->data[1] != original->id) { + nr_debug_error("Ignoring response with wrong ID %u", + packet->data[1]); + return -RSE_INVALID_RESPONSE_CODE; + } + + mask = 1; + mask <<= packet->data[0]; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Ignoring response with wrong code %u", + packet->data[0]); + return -RSE_INVALID_RESPONSE_CODE; + } + + if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && + (evutil_sockaddr_cmp((struct sockaddr *)&packet->src, (struct sockaddr *)&original->dst, 1) != 0)) { + nr_debug_error("Ignoring response from wrong IP/port"); + return -RSE_INVALID_RESPONSE_SRC; + } + + } else if (allowed_responses[packet->data[0]] != 0) { + nr_debug_error("Ignoring response without original"); + return -RSE_INVALID_RESPONSE_CODE; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + /* + * Note that the packet MUST be well-formed here. + */ + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + rcode = msg_auth_ok(original, attr, + packet->data, packet->length); + if (rcode < 0) return rcode; + } + } +#endif + + /* + * Verify the packet authenticator. + */ + rcode = packet_auth_ok(original, packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= RS_PACKET_VERIFIED; + + return 0; +} + + +int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode, num_attributes; + uint8_t *data, *attr; + const uint8_t *end; + VALUE_PAIR **tail, *vp; + + if (!packet) return -RSE_INVAL; + + if ((packet->flags & RS_PACKET_DECODED) != 0) return 0; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->length; + tail = &packet->vps; + num_attributes = 0; + + /* + * Loop over the packet, converting attrs to VPs. + */ + for (attr = data + 20; attr < end; attr += attr[1]) { + rcode = nr_attr2vp(packet, original, + attr, end - attr, &vp); + if (rcode < 0) { + nr_vp_free(&packet->vps); + return -rcode; + } + + *tail = vp; + while (vp) { + num_attributes++; + tail = &(vp->next); + vp = vp->next; + } + + if (num_attributes > RS_MAX_ATTRIBUTES) { + nr_debug_error("Too many attributes"); + nr_vp_free(&packet->vps); + return -RSE_TOO_MANY_ATTRS; + } + } + + packet->code = data[0]; + packet->id = data[1]; + memcpy(packet->vector, data + 4, sizeof(packet->vector)); + + packet->flags |= RS_PACKET_DECODED; + + return 0; +} + + +int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; + const uint8_t *attr, *end; +#endif + + if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0; + + if ((packet->flags & RS_PACKET_ENCODED) == 0) { + int rcode; + + rcode = nr_packet_encode(packet, original); + if (rcode < 0) return rcode; + } + + if ((packet->code == PW_ACCESS_ACCEPT) || + (packet->code == PW_ACCESS_CHALLENGE) || + (packet->code == PW_ACCESS_REJECT)) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (!original) { + nr_debug_error("Original packet is required to create the Message-Authenticator"); + return -RSE_REQUEST_REQUIRED; + } +#endif + + memcpy(packet->data + 4, original->vector, + sizeof(original->vector)); + } else { + memcpy(packet->data + 4, packet->vector, + sizeof(packet->vector)); + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + ma = (attr - packet->data); + break; + } + } + + /* + * Force all Access-Request packets to have a + * Message-Authenticator. + */ + if (!ma && ((packet->length + 18) <= packet->sizeof_data) && + ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + ma = packet->length; + + packet->data[ma]= PW_MESSAGE_AUTHENTICATOR; + packet->data[ma + 1] = 18; + memset(&packet->data[ma + 2], 0, 16); + packet->length += 18; + } + + /* + * Reset the length. + */ + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + /* + * Sign the Message-Authenticator && packet. + */ + if (ma) { + nr_hmac_md5(packet->data, packet->length, + (const uint8_t *) packet->secret, packet->sizeof_secret, + packet->data + ma + 2); + } +#endif + + /* + * Calculate the signature. + */ + if (!((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + RS_MD5_CTX ctx; + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, packet->data, packet->length); + RS_MD5Update(&ctx, (const unsigned char *)packet->secret, packet->sizeof_secret); + RS_MD5Final(packet->vector, &ctx); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->attempts = 0; + packet->flags |= RS_PACKET_SIGNED; + + return 0; +} + + +static int can_encode_packet(RADIUS_PACKET *packet, + const RADIUS_PACKET *original) +{ + if ((packet->code == 0) || + (packet->code > RS_MAX_PACKET_CODE) || + (original && (original->code > RS_MAX_PACKET_CODE))) { + nr_debug_error("Cannot send unknown packet code"); + return -RSE_INVALID_REQUEST_CODE; + } + + if (!nr_packet_codes[packet->code]) { + nr_debug_error("Cannot handle packet code %u", + packet->code); + return -RSE_INVALID_REQUEST_CODE; + } + +#ifdef NR_NO_MALLOC + if (!packet->data) { + nr_debug_error("No place to put packet"); + return -RSE_NO_PACKET_DATA; + } +#endif + + if (packet->sizeof_data < 20) { + nr_debug_error("The buffer is too small to encode the packet"); + return -RSE_PACKET_TOO_SMALL; + } + + /* + * Enforce request / response correlation. + */ + if (original) { + uint64_t mask; + + mask = 1; + mask <<= packet->code; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Cannot encode response %u to packet %u", + packet->code, original->code); + return -RSE_INVALID_RESPONSE_CODE; + } + packet->id = original->id; + + } else if (allowed_responses[packet->code] == 0) { + nr_debug_error("Cannot encode response %u without original", + packet->code); + return -RSE_REQUEST_REQUIRED; + } + + return 0; +} + +static void encode_header(RADIUS_PACKET *packet) +{ + if ((packet->flags & RS_PACKET_HEADER) != 0) return; + + memset(packet->data, 0, 20); + packet->data[0] = packet->code; + packet->data[1] = packet->id; + packet->data[2] = 0; + packet->data[3] = 20; + packet->length = 20; + + /* + * Calculate a random authentication vector. + */ + if ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) { + nr_rand_bytes(packet->vector, sizeof(packet->vector)); + } else { + memset(packet->vector, 0, sizeof(packet->vector)); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->flags |= RS_PACKET_HEADER; +} + +int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; +#endif + int rcode; + ssize_t len; + const VALUE_PAIR *vp; + uint8_t *data, *end; + + if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->sizeof_data; + + encode_header(packet); + data += 20; + + /* + * Encode each VALUE_PAIR + */ + vp = packet->vps; + while (vp) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { + ma = (data - packet->data); + } +#endif + len = nr_vp2attr(packet, original, &vp, + data, end - data); + if (len < 0) return len; + + if (len == 0) break; /* insufficient room to encode it */ + + data += data[1]; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + /* + * Always send a Message-Authenticator. + * + * We do *not* recommend removing this code. + */ + if (((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) && + !ma && + ((data + 18) <= end)) { + ma = (data - packet->data); + data[0] = PW_MESSAGE_AUTHENTICATOR; + data[1] = 18; + memset(data + 2, 0, 16); + data += data[1]; + } +#endif + + packet->length = data - packet->data; + + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + packet->flags |= RS_PACKET_ENCODED; + + return packet->length; +} + + +/* + * Ensure that the nr_data2attr_t structure is filled in + * appropriately. This includes filling in a fake DICT_ATTR + * structure, if necessary. + */ +static int do_callback(void *ctx, nr_packet_walk_func_t callback, + int attr, int vendor, + const uint8_t *data, size_t sizeof_data) + +{ + int rcode; + const DICT_ATTR *da; + DICT_ATTR myda; + char buffer[64]; + + da = nr_dict_attr_byvalue(attr, vendor); + + /* + * The attribute is supposed to have a particular length, + * but does not. It is therefore malformed. + */ + if (da && (da->flags.length != 0) && + da->flags.length != sizeof_data) { + da = NULL; + } + + if (!da) { + rcode = nr_dict_attr_2struct(&myda, attr, vendor, + buffer, sizeof(buffer)); + + if (rcode < 0) return rcode; + da = &myda; + } + + rcode = callback(ctx, da, data, sizeof_data); + if (rcode < 0) return rcode; + + return 0; +} + + +int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, + nr_packet_walk_func_t callback) +{ + int rcode; + uint8_t *attr; + const uint8_t *end; + + if (!packet || !callback) return -RSE_INVAL; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + int length, value; + int dv_type, dv_length; + uint32_t vendorpec; + const uint8_t *vsa; + const DICT_VENDOR *dv = NULL; + + vendorpec = 0; + value = attr[0]; + + if (value != PW_VENDOR_SPECIFIC) { + raw: + rcode = do_callback(ctx, callback, + attr[0], 0, + attr + 2, attr[1] - 2); + if (rcode < 0) return rcode; + continue; + } + + if (attr[1] < 6) goto raw; + memcpy(&vendorpec, attr + 2, 4); + vendorpec = ntohl(vendorpec); + + if (dv && (dv->vendor != vendorpec)) dv = NULL; + + if (!dv) dv = nr_dict_vendor_byvalue(vendorpec); + + if (dv) { + dv_type = dv->type; + dv_length = dv->length; + } else { + dv_type = 1; + dv_length = 1; + } + + /* + * Malformed: it's a raw attribute. + */ + if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) { + goto raw; + } + + for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) { + switch (dv_type) { + case 4: + value = (vsa[2] << 8) | vsa[3]; + break; + + case 2: + value = (vsa[0] << 8) | vsa[1]; + break; + + case 1: + value = vsa[0]; + break; + + default: + return -RSE_INTERNAL; + } + + switch (dv_length) { + case 0: + length = attr[1] - 6 - dv_type; + break; + + case 2: + case 1: + length = vsa[dv_type + dv_length - 1]; + break; + + default: + return -RSE_INTERNAL; + } + + rcode = do_callback(ctx, callback, + value, vendorpec, + vsa + dv_type + dv_length, + length - dv_type - dv_length); + if (rcode < 0) return rcode; + } + } + + return 0; +} + +int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const char *secret, int code, + void *data, size_t sizeof_data) +{ + int rcode; + + if ((code < 0) || (code > RS_MAX_PACKET_CODE)) { + return -RSE_INVALID_REQUEST_CODE; + } + + if (!data || (sizeof_data < 20)) return -RSE_INVAL; + + memset(packet, 0, sizeof(*packet)); + packet->secret = secret; + packet->sizeof_secret = secret ? strlen(secret) : 0; + packet->code = code; + packet->id = 0; + packet->data = data; + packet->sizeof_data = sizeof_data; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + encode_header(packet); + + return 0; +} + + +static int pack_eap(RADIUS_PACKET *packet, + const void *data, size_t data_len) +{ + uint8_t *attr, *end; + const uint8_t *eap; + size_t left; + + eap = data; + left = data_len; + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + while (left > 253) { + if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 255; + memcpy(attr + 2, eap, 253); + attr += attr[1]; + eap += 253; + left -= 253; + } + + if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 2 + left; + memcpy(attr + 2, eap, left); + attr += attr[1]; + packet->length = attr - packet->data; + + return 0; +} + +ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const DICT_ATTR *da, + const void *data, size_t data_len) +{ + ssize_t rcode; + uint8_t *attr, *end; + VALUE_PAIR my_vp; + const VALUE_PAIR *vp; + + if (!packet || !da || !data) { + return -RSE_INVAL; + } + + if (data_len == 0) { + if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL; + + data_len = strlen(data); + } + + packet->flags |= RS_PACKET_ENCODED; /* ignore any VPs */ + + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + if ((attr + 2 + data_len) > end) { + return -RSE_ATTR_OVERFLOW; + } + + if ((da->flags.length != 0) && + (data_len != da->flags.length)) { + return -RSE_ATTR_VALUE_MALFORMED; + } + +#ifdef PW_EAP_MESSAGE + /* + * automatically split EAP-Message into multiple + * attributes. + */ + if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) { + return pack_eap(packet, data, data_len); + } +#endif + + if (data_len > 253) return -RSE_ATTR_TOO_LARGE; + + vp = nr_vp_init(&my_vp, da); + rcode = nr_vp_set_data(&my_vp, data, data_len); + if (rcode < 0) return rcode; + + /* + * Note that this function packs VSAs each into their own + * Vendor-Specific attribute. If this isn't what you + * want, use the version of the library with full support + * for TLVs, WiMAX, and extended attributes. + */ + rcode = nr_vp2attr(packet, original, &vp, attr, end - attr); + if (rcode <= 0) return rcode; + + packet->length += rcode; + + return rcode; +} diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c index b374fdd..6277f7d 100644 --- a/lib/radius/valuepair.c +++ b/lib/radius/valuepair.c @@ -35,17 +35,13 @@ void nr_vp_free(VALUE_PAIR **head) { VALUE_PAIR *next, *vp; - if (!head || !*head) return; - - vp = *head; - do { - if (vp) next = vp->next; + for (vp = *head; vp != NULL; vp = next) { + next = vp->next; if (vp->da->flags.encrypt) { memset(vp, 0, sizeof(vp)); } free(vp); - vp = next; - } while (next); + } *head = NULL; } -- cgit v1.1 From d9ae6534eed05639403584b7b2733ec36c08f1a4 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 14 Nov 2011 18:54:44 +1100 Subject: add rs_attr_display_name/rs_attr_parse_name --- lib/radius/Makefile.am | 1 + lib/radius/share/dictionary.juniper | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 lib/radius/share/dictionary.juniper (limited to 'lib/radius') diff --git a/lib/radius/Makefile.am b/lib/radius/Makefile.am index b57ef16..92a12cf 100644 --- a/lib/radius/Makefile.am +++ b/lib/radius/Makefile.am @@ -22,6 +22,7 @@ libradsec_radius_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H DICTIONARIES = \ share/dictionary.txt \ + share/dictionary.juniper \ share/dictionary.microsoft \ share/dictionary.ukerna diff --git a/lib/radius/share/dictionary.juniper b/lib/radius/share/dictionary.juniper new file mode 100644 index 0000000..9aa5df4 --- /dev/null +++ b/lib/radius/share/dictionary.juniper @@ -0,0 +1,23 @@ +# -*- text -*- +# +# dictionary.juniper +# +# As posted to the list by Eric Kilfoil +# +# Version: $Id$ +# + +VENDOR Juniper 2636 + +BEGIN-VENDOR Juniper + +ATTRIBUTE Juniper-Local-User-Name 1 string +ATTRIBUTE Juniper-Allow-Commands 2 string +ATTRIBUTE Juniper-Deny-Commands 3 string +ATTRIBUTE Juniper-Allow-Configuration 4 string +ATTRIBUTE Juniper-Deny-Configuration 5 string +ATTRIBUTE Juniper-Interactive-Command 8 string +ATTRIBUTE Juniper-Configuration-Change 9 string +ATTRIBUTE Juniper-User-Permissions 10 string + +END-VENDOR Juniper -- cgit v1.1 From 42ec70d2b6c2a8a63250111e4a81b75ca554ddfa Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 1 Dec 2011 14:19:46 +1100 Subject: add MS-Windows-Group-Sid --- lib/radius/share/dictionary.ukerna | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/radius') diff --git a/lib/radius/share/dictionary.ukerna b/lib/radius/share/dictionary.ukerna index 1694566..0e35d43 100644 --- a/lib/radius/share/dictionary.ukerna +++ b/lib/radius/share/dictionary.ukerna @@ -15,5 +15,6 @@ ATTRIBUTE GSS-Acceptor-Service-Specific 130 string ATTRIBUTE GSS-Acceptor-Realm-Name 131 string ATTRIBUTE SAML-AAA-Assertion 132 string ATTRIBUTE MS-Windows-Auth-Data 133 octets +ATTRIBUTE MS-Windows-Group-Sid 134 string END-VENDOR UKERNA -- cgit v1.1