summaryrefslogtreecommitdiffstats
path: root/lib/libradius/radlib.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libradius/radlib.c')
-rw-r--r--lib/libradius/radlib.c202
1 files changed, 166 insertions, 36 deletions
diff --git a/lib/libradius/radlib.c b/lib/libradius/radlib.c
index 46a9b58..0b67b0f 100644
--- a/lib/libradius/radlib.c
+++ b/lib/libradius/radlib.c
@@ -43,6 +43,8 @@ __FBSDID("$FreeBSD$");
#include <md5.h>
#endif
+#define MAX_FIELDS 7
+
/* We need the MPPE_KEY_LEN define */
#include <netgraph/ng_mppc.h>
@@ -379,6 +381,18 @@ int
rad_add_server(struct rad_handle *h, const char *host, int port,
const char *secret, int timeout, int tries)
{
+ struct in_addr bindto;
+ bindto.s_addr = INADDR_ANY;
+
+ return rad_add_server_ex(h, host, port, secret, timeout, tries,
+ DEAD_TIME, &bindto);
+}
+
+int
+rad_add_server_ex(struct rad_handle *h, const char *host, int port,
+ const char *secret, int timeout, int tries, int dead_time,
+ struct in_addr *bindto)
+{
struct rad_server *srvp;
if (h->num_servers >= MAXSERVERS) {
@@ -421,6 +435,10 @@ rad_add_server(struct rad_handle *h, const char *host, int port,
srvp->timeout = timeout;
srvp->max_tries = tries;
srvp->num_tries = 0;
+ srvp->is_dead = 0;
+ srvp->dead_time = dead_time;
+ srvp->next_probe = 0;
+ srvp->bindto = bindto->s_addr;
h->num_servers++;
return 0;
}
@@ -441,6 +459,13 @@ rad_close(struct rad_handle *h)
free(h);
}
+void
+rad_bind_to(struct rad_handle *h, in_addr_t addr)
+{
+
+ h->bindto = addr;
+}
+
int
rad_config(struct rad_handle *h, const char *path)
{
@@ -468,11 +493,15 @@ rad_config(struct rad_handle *h, const char *path)
char *secret;
char *timeout_str;
char *maxtries_str;
+ char *dead_time_str;
+ char *bindto_str;
char *end;
char *wanttype;
unsigned long timeout;
unsigned long maxtries;
+ unsigned long dead_time;
int port;
+ struct in_addr bindto;
int i;
linenum++;
@@ -491,7 +520,7 @@ rad_config(struct rad_handle *h, const char *path)
buf[len - 1] = '\0';
/* Extract the fields from the line. */
- nfields = split(buf, fields, 5, msg, sizeof msg);
+ nfields = split(buf, fields, MAX_FIELDS, msg, sizeof msg);
if (nfields == -1) {
generr(h, "%s:%d: %s", path, linenum, msg);
retval = -1;
@@ -507,7 +536,7 @@ rad_config(struct rad_handle *h, const char *path)
*/
if (strcmp(fields[0], "auth") != 0 &&
strcmp(fields[0], "acct") != 0) {
- if (nfields >= 5) {
+ if (nfields >= MAX_FIELDS) {
generr(h, "%s:%d: invalid service type", path,
linenum);
retval = -1;
@@ -529,6 +558,8 @@ rad_config(struct rad_handle *h, const char *path)
secret = fields[2];
timeout_str = fields[3];
maxtries_str = fields[4];
+ dead_time_str = fields[5];
+ bindto_str = fields[6];
/* Ignore the line if it is for the wrong service type. */
wanttype = h->type == RADIUS_AUTH ? "auth" : "acct";
@@ -570,8 +601,30 @@ rad_config(struct rad_handle *h, const char *path)
} else
maxtries = MAXTRIES;
- if (rad_add_server(h, host, port, secret, timeout, maxtries) ==
- -1) {
+ if (dead_time_str != NULL) {
+ dead_time = strtoul(dead_time_str, &end, 10);
+ if (*end != '\0') {
+ generr(h, "%s:%d: invalid dead_time", path,
+ linenum);
+ retval = -1;
+ break;
+ }
+ } else
+ dead_time = DEAD_TIME;
+
+ if (bindto_str != NULL) {
+ bindto.s_addr = inet_addr(bindto_str);
+ if (bindto.s_addr == INADDR_NONE) {
+ generr(h, "%s:%d: invalid bindto", path,
+ linenum);
+ retval = -1;
+ break;
+ }
+ } else
+ bindto.s_addr = INADDR_ANY;
+
+ if (rad_add_server_ex(h, host, port, secret, timeout, maxtries,
+ dead_time, &bindto) == -1) {
strcpy(msg, h->errmsg);
generr(h, "%s:%d: %s", path, linenum, msg);
retval = -1;
@@ -596,7 +649,9 @@ int
rad_continue_send_request(struct rad_handle *h, int selected, int *fd,
struct timeval *tv)
{
- int n;
+ int n, cur_srv;
+ time_t now;
+ struct sockaddr_in sin;
if (h->type == RADIUS_SERVER) {
generr(h, "denied function call");
@@ -621,19 +676,61 @@ rad_continue_send_request(struct rad_handle *h, int selected, int *fd,
}
}
- if (h->try == h->total_tries) {
- generr(h, "No valid RADIUS responses received");
- return -1;
- }
-
/*
* Scan round-robin to the next server that has some
* tries left. There is guaranteed to be one, or we
* would have exited this loop by now.
*/
- while (h->servers[h->srv].num_tries >= h->servers[h->srv].max_tries)
- if (++h->srv >= h->num_servers)
- h->srv = 0;
+ cur_srv = h->srv;
+ now = time(NULL);
+ if (h->servers[h->srv].num_tries >= h->servers[h->srv].max_tries) {
+ /* Set next probe time for this server */
+ if (h->servers[h->srv].dead_time) {
+ h->servers[h->srv].is_dead = 1;
+ h->servers[h->srv].next_probe = now +
+ h->servers[h->srv].dead_time;
+ }
+ do {
+ h->srv++;
+ if (h->srv >= h->num_servers)
+ h->srv = 0;
+ if (h->servers[h->srv].is_dead == 0)
+ break;
+ if (h->servers[h->srv].dead_time &&
+ h->servers[h->srv].next_probe <= now) {
+ h->servers[h->srv].is_dead = 0;
+ h->servers[h->srv].num_tries = 0;
+ break;
+ }
+ } while (h->srv != cur_srv);
+
+ if (h->srv == cur_srv) {
+ generr(h, "No valid RADIUS responses received");
+ return (-1);
+ }
+ }
+
+ /* Rebind */
+ if (h->bindto != h->servers[h->srv].bindto) {
+ h->bindto = h->servers[h->srv].bindto;
+ close(h->fd);
+ if ((h->fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+ generr(h, "Cannot create socket: %s", strerror(errno));
+ return -1;
+ }
+ memset(&sin, 0, sizeof sin);
+ sin.sin_len = sizeof sin;
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = h->bindto;
+ sin.sin_port = 0;
+ if (bind(h->fd, (const struct sockaddr *)&sin,
+ sizeof sin) == -1) {
+ generr(h, "bind: %s", strerror(errno));
+ close(h->fd);
+ h->fd = -1;
+ return (-1);
+ }
+ }
if (h->out[POS_CODE] == RAD_ACCESS_REQUEST) {
/* Insert the scrambled password into the request */
@@ -641,9 +738,11 @@ rad_continue_send_request(struct rad_handle *h, int selected, int *fd,
insert_scrambled_password(h, h->srv);
}
insert_message_authenticator(h, 0);
+
if (h->out[POS_CODE] != RAD_ACCESS_REQUEST) {
/* Insert the request authenticator into the request */
- insert_request_authenticator(h, h->srv);
+ memset(&h->out[POS_AUTH], 0, LEN_AUTH);
+ insert_request_authenticator(h, 0);
}
/* Send the request */
@@ -654,7 +753,6 @@ rad_continue_send_request(struct rad_handle *h, int selected, int *fd,
tv->tv_sec = 1; /* Do not wait full timeout if send failed. */
else
tv->tv_sec = h->servers[h->srv].timeout;
- h->try++;
h->servers[h->srv].num_tries++;
tv->tv_usec = 0;
*fd = h->fd;
@@ -740,6 +838,10 @@ rad_create_request(struct rad_handle *h, int code)
generr(h, "denied function call");
return (-1);
}
+ if (h->num_servers == 0) {
+ generr(h, "No RADIUS servers specified");
+ return (-1);
+ }
h->out[POS_CODE] = code;
h->out[POS_IDENT] = ++h->ident;
if (code == RAD_ACCESS_REQUEST) {
@@ -756,16 +858,9 @@ rad_create_request(struct rad_handle *h, int code)
clear_password(h);
h->authentic_pos = 0;
h->out_created = 1;
- h->bindto = INADDR_ANY;
return 0;
}
-void
-rad_bind_to(struct rad_handle *h, in_addr_t addr)
-{
- h->bindto = addr;
-}
-
int
rad_create_response(struct rad_handle *h, int code)
{
@@ -793,6 +888,15 @@ rad_cvt_addr(const void *data)
return value;
}
+struct in6_addr
+rad_cvt_addr6(const void *data)
+{
+ struct in6_addr value;
+
+ memcpy(&value.s6_addr, data, sizeof value.s6_addr);
+ return value;
+}
+
u_int32_t
rad_cvt_int(const void *data)
{
@@ -848,6 +952,8 @@ int
rad_init_send_request(struct rad_handle *h, int *fd, struct timeval *tv)
{
int srv;
+ time_t now;
+ struct sockaddr_in sin;
if (h->type == RADIUS_SERVER) {
generr(h, "denied function call");
@@ -855,8 +961,6 @@ rad_init_send_request(struct rad_handle *h, int *fd, struct timeval *tv)
}
/* Make sure we have a socket to use */
if (h->fd == -1) {
- struct sockaddr_in sin;
-
if ((h->fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
generr(h, "Cannot create socket: %s", strerror(errno));
return -1;
@@ -902,21 +1006,30 @@ rad_init_send_request(struct rad_handle *h, int *fd, struct timeval *tv)
h->out[POS_LENGTH] = h->out_len >> 8;
h->out[POS_LENGTH+1] = h->out_len;
- /*
- * Count the total number of tries we will make, and zero the
- * counter for each server.
- */
- h->total_tries = 0;
- for (srv = 0; srv < h->num_servers; srv++) {
- h->total_tries += h->servers[srv].max_tries;
+ h->srv = 0;
+ now = time(NULL);
+ for (srv = 0; srv < h->num_servers; srv++)
h->servers[srv].num_tries = 0;
- }
- if (h->total_tries == 0) {
- generr(h, "No RADIUS servers specified");
- return -1;
+ /* Find a first good server. */
+ for (srv = 0; srv < h->num_servers; srv++) {
+ if (h->servers[srv].is_dead == 0)
+ break;
+ if (h->servers[srv].dead_time &&
+ h->servers[srv].next_probe <= now) {
+ h->servers[srv].is_dead = 0;
+ break;
+ }
+ h->srv++;
}
- h->try = h->srv = 0;
+ /* If all servers was dead on the last probe, try from beginning */
+ if (h->srv == h->num_servers) {
+ for (srv = 0; srv < h->num_servers; srv++) {
+ h->servers[srv].is_dead = 0;
+ h->servers[srv].next_probe = 0;
+ }
+ h->srv = 0;
+ }
return rad_continue_send_request(h, 0, fd, tv);
}
@@ -946,6 +1059,7 @@ rad_auth_open(void)
h->type = RADIUS_AUTH;
h->out_created = 0;
h->eap_msg = 0;
+ h->bindto = INADDR_ANY;
}
return h;
}
@@ -987,6 +1101,13 @@ rad_put_addr(struct rad_handle *h, int type, struct in_addr addr)
}
int
+rad_put_addr6(struct rad_handle *h, int type, struct in6_addr addr)
+{
+
+ return rad_put_attr(h, type, &addr.s6_addr, sizeof addr.s6_addr);
+}
+
+int
rad_put_attr(struct rad_handle *h, int type, const void *value, size_t len)
{
int result;
@@ -1229,6 +1350,15 @@ rad_put_vendor_addr(struct rad_handle *h, int vendor, int type,
}
int
+rad_put_vendor_addr6(struct rad_handle *h, int vendor, int type,
+ struct in6_addr addr)
+{
+
+ return (rad_put_vendor_attr(h, vendor, type, &addr.s6_addr,
+ sizeof addr.s6_addr));
+}
+
+int
rad_put_vendor_attr(struct rad_handle *h, int vendor, int type,
const void *value, size_t len)
{
OpenPOWER on IntegriCloud