summaryrefslogtreecommitdiff
path: root/lib/radius
diff options
context:
space:
mode:
Diffstat (limited to 'lib/radius')
-rw-r--r--lib/radius/.gitignore1
-rw-r--r--lib/radius/LICENSE24
-rw-r--r--lib/radius/Makefile.am38
-rw-r--r--lib/radius/attrs.c1411
-rw-r--r--lib/radius/client.h1317
-rw-r--r--lib/radius/common.pl220
-rwxr-xr-xlib/radius/convert.pl197
-rw-r--r--lib/radius/crypto.c233
-rw-r--r--lib/radius/custom.c163
-rw-r--r--lib/radius/dict.c172
-rw-r--r--lib/radius/doc.txt41
-rw-r--r--lib/radius/doxygen.conf1417
-rw-r--r--lib/radius/examples/Makefile54
-rw-r--r--lib/radius/examples/example_1.c86
-rw-r--r--lib/radius/examples/example_2.c86
-rw-r--r--lib/radius/examples/example_3.c123
-rw-r--r--lib/radius/examples/example_4.c94
-rw-r--r--lib/radius/examples/nr_vp_create.c61
-rwxr-xr-xlib/radius/header.pl68
-rw-r--r--lib/radius/id.c181
-rw-r--r--lib/radius/parse.c149
-rw-r--r--lib/radius/print.c227
-rw-r--r--lib/radius/radpkt.c916
-rw-r--r--lib/radius/share/dictionary.juniper23
-rw-r--r--lib/radius/share/dictionary.microsoft17
-rw-r--r--lib/radius/share/dictionary.txt136
-rw-r--r--lib/radius/share/dictionary.ukerna20
-rw-r--r--lib/radius/share/dictionary.vendor10
-rw-r--r--lib/radius/static.c37
-rw-r--r--lib/radius/tests/Makefile25
-rw-r--r--lib/radius/tests/radattr.c769
-rw-r--r--lib/radius/tests/rfc.txt144
-rw-r--r--lib/radius/valuepair.c191
33 files changed, 8651 insertions, 0 deletions
diff --git a/lib/radius/.gitignore b/lib/radius/.gitignore
new file mode 100644
index 0000000..1af03df
--- /dev/null
+++ b/lib/radius/.gitignore
@@ -0,0 +1 @@
+dictionaries.c
diff --git a/lib/radius/LICENSE b/lib/radius/LICENSE
new file mode 100644
index 0000000..01dbe92
--- /dev/null
+++ b/lib/radius/LICENSE
@@ -0,0 +1,24 @@
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/lib/radius/Makefile.am b/lib/radius/Makefile.am
new file mode 100644
index 0000000..92a12cf
--- /dev/null
+++ b/lib/radius/Makefile.am
@@ -0,0 +1,38 @@
+AUTOMAKE_OPTIONS = foreign
+ACLOCAL_AMFLAGS = -I m4
+
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)
+AM_CFLAGS = -Wall -g
+
+noinst_LTLIBRARIES = libradsec-radius.la
+
+libradsec_radius_la_SOURCES = \
+ attrs.c \
+ crypto.c \
+ custom.c \
+ dict.c \
+ id.c \
+ parse.c \
+ print.c \
+ radpkt.c \
+ static.c \
+ valuepair.c
+
+libradsec_radius_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H
+
+DICTIONARIES = \
+ share/dictionary.txt \
+ share/dictionary.juniper \
+ share/dictionary.microsoft \
+ share/dictionary.ukerna
+
+$(top_srcdir)/include/radsec/radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl
+ $(srcdir)/convert.pl ${DICTIONARIES}
+
+static.$(OBJEXT): static.c dictionaries.c
+
+clean-local:
+ rm -f dictionaries.c
+
+$(libradsec_radius_la_SOURCES): $(top_srcdir)/include/radsec/radius.h
+
diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c
new file mode 100644
index 0000000..21cd3f0
--- /dev/null
+++ b/lib/radius/attrs.c
@@ -0,0 +1,1411 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file attrs.c
+ * \brief Attribute encoding and decoding routines.
+ */
+
+#include "client.h"
+
+/*
+ * Encodes the data portion of an attribute.
+ * Returns -1 on error, or the length of the data portion.
+ */
+static ssize_t vp2data_any(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ int nest,
+ const VALUE_PAIR **pvp,
+ uint8_t *start, size_t room)
+{
+ uint32_t lvalue;
+ ssize_t len;
+ const uint8_t *data;
+ uint8_t *ptr = start;
+ uint8_t array[4];
+ const VALUE_PAIR *vp = *pvp;
+
+#ifdef RS_TYPE_TLV
+ /*
+ * See if we need to encode a TLV. The low portion of
+ * the attribute has already been placed into the packer.
+ * If there are still attribute bytes left, then go
+ * encode them as TLVs.
+ *
+ * If we cared about the stack, we could unroll the loop.
+ */
+ if ((nest > 0) && (nest <= nr_attr_max_tlv) &&
+ ((vp->da->attr >> nr_attr_shift[nest]) != 0)) {
+ return vp2data_tlvs(packet, original, nest, pvp,
+ start, room);
+ }
+#else
+ nest = nest; /* -Wunused */
+#endif
+
+ /*
+ * Set up the default sources for the data.
+ */
+ data = vp->vp_octets;
+ len = vp->length;
+
+ switch(vp->da->type) {
+ case RS_TYPE_IPV6PREFIX:
+ len = sizeof(vp->vp_ipv6prefix);
+ break;
+
+ case RS_TYPE_STRING:
+ case RS_TYPE_OCTETS:
+ case RS_TYPE_IFID:
+ case RS_TYPE_IPV6ADDR:
+#ifdef RS_TYPE_ABINARY
+ case RS_TYPE_ABINARY:
+#endif
+ /* nothing more to do */
+ break;
+
+ case RS_TYPE_BYTE:
+ len = 1; /* just in case */
+ array[0] = vp->vp_integer & 0xff;
+ data = array;
+ break;
+
+ case RS_TYPE_SHORT:
+ len = 2; /* just in case */
+ array[0] = (vp->vp_integer >> 8) & 0xff;
+ array[1] = vp->vp_integer & 0xff;
+ data = array;
+ break;
+
+ case RS_TYPE_INTEGER:
+ len = 4; /* just in case */
+ lvalue = htonl(vp->vp_integer);
+ memcpy(array, &lvalue, sizeof(lvalue));
+ data = array;
+ break;
+
+ case RS_TYPE_IPADDR:
+ data = (const uint8_t *) &vp->vp_ipaddr;
+ len = 4; /* just in case */
+ break;
+
+ /*
+ * There are no tagged date attributes.
+ */
+ case RS_TYPE_DATE:
+ lvalue = htonl(vp->vp_date);
+ data = (const uint8_t *) &lvalue;
+ len = 4; /* just in case */
+ break;
+
+#ifdef VENDORPEC_WIMAX
+ case RS_TYPE_SIGNED:
+ {
+ int32_t slvalue;
+
+ len = 4; /* just in case */
+ slvalue = htonl(vp->vp_signed);
+ memcpy(array, &slvalue, sizeof(slvalue));
+ break;
+ }
+#endif
+
+#ifdef RS_TYPE_TLV
+ case RS_TYPE_TLV:
+ data = vp->vp_tlv;
+ if (!data) {
+ nr_debug_error("ERROR: Cannot encode NULL TLV");
+ return -RSE_INVAL;
+ }
+ len = vp->length;
+ break;
+#endif
+
+ default: /* unknown type: ignore it */
+ nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type);
+ return -RSE_ATTR_TYPE_UNKNOWN;
+ }
+
+ /*
+ * Bound the data to the calling size
+ */
+ if (len > (ssize_t) room) len = room;
+
+#ifndef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ original = original; /* -Wunused */
+#endif
+
+ /*
+ * Encrypt the various password styles
+ *
+ * Attributes with encrypted values MUST be less than
+ * 128 bytes long.
+ */
+ switch (vp->da->flags.encrypt) {
+ case FLAG_ENCRYPT_USER_PASSWORD:
+ len = nr_password_encrypt(ptr, room, data, len,
+ packet->secret, packet->vector);
+ break;
+
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ case FLAG_ENCRYPT_TUNNEL_PASSWORD:
+ lvalue = 0;
+ if (vp->da->flags.has_tag) lvalue = 1;
+
+ /*
+ * Check if there's enough room. If there isn't,
+ * we discard the attribute.
+ *
+ * This is ONLY a problem if we have multiple VSA's
+ * in one Vendor-Specific, though.
+ */
+ if (room < (18 + lvalue)) {
+ *pvp = vp->next;
+ return 0;
+ }
+
+ switch (packet->code) {
+ case PW_ACCESS_ACCEPT:
+ case PW_ACCESS_REJECT:
+ case PW_ACCESS_CHALLENGE:
+ default:
+ if (!original) {
+ nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name);
+ return -RSE_REQUEST_REQUIRED;
+ }
+
+ if (lvalue) ptr[0] = vp->tag;
+ len = nr_tunnelpw_encrypt(ptr + lvalue,
+ room - lvalue, data, len,
+ packet->secret,
+ original->vector);
+ if (len < 0) return len;
+ break;
+ case PW_ACCOUNTING_REQUEST:
+ case PW_DISCONNECT_REQUEST:
+ case PW_COA_REQUEST:
+ ptr[0] = vp->tag;
+ len = nr_tunnelpw_encrypt(ptr + 1, room, data, len - 1,
+ packet->secret,
+ packet->vector);
+ if (len < 0) return len;
+ break;
+ }
+ break;
+#endif
+
+ /*
+ * The code above ensures that this attribute
+ * always fits.
+ */
+#ifdef FLAG_ENCRYPT_ASCEND_SECRET
+ case FLAG_ENCRYPT_ASCEND_SECRET:
+ make_secret(ptr, packet->vector, packet->secret, data);
+ len = AUTH_VECTOR_LEN;
+ break;
+#endif
+
+ default:
+ if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) {
+ if (vp->da->type == RS_TYPE_STRING) {
+ if (len > ((ssize_t) (room - 1))) len = room - 1;
+ ptr[0] = vp->tag;
+ ptr++;
+ } else if (vp->da->type == RS_TYPE_INTEGER) {
+ array[0] = vp->tag;
+ } /* else it can't be any other type */
+ }
+ memcpy(ptr, data, len);
+ break;
+ } /* switch over encryption flags */
+
+ *(pvp) = vp->next;
+ return len + (ptr - start);;
+}
+
+
+/*
+ * Encode an RFC format TLV. This could be a standard attribute,
+ * or a TLV data type. If it's a standard attribute, then
+ * vp->da->attr == attribute. Otherwise, attribute may be
+ * something else.
+ */
+static ssize_t vp2attr_rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp,
+ unsigned int attribute, uint8_t *ptr, size_t room)
+{
+ ssize_t len;
+
+ if (room < 2) {
+ *pvp = (*pvp)->next;
+ return 0;
+ }
+
+ ptr[0] = attribute & 0xff;
+ ptr[1] = 2;
+
+ if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1];
+
+ len = vp2data_any(packet, original, 0, pvp, ptr + ptr[1], room);
+ if (len < 0) return len;
+
+ ptr[1] += len;
+
+ return ptr[1];
+}
+
+
+#ifndef WITHOUT_VSAS
+/*
+ * Encode a VSA which is a TLV. If it's in the RFC format, call
+ * vp2attr_rfc. Otherwise, encode it here.
+ */
+static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp,
+ unsigned int attribute, unsigned int vendor,
+ uint8_t *ptr, size_t room)
+{
+ ssize_t len;
+ const DICT_VENDOR *dv;
+
+ /*
+ * Unknown vendor: RFC format.
+ * Known vendor and RFC format: go do that.
+ */
+ dv = nr_dict_vendor_byvalue(vendor);
+ if (!dv ||
+ (
+#ifdef RS_TYPE_TLV
+ !(*pvp)->flags.is_tlv &&
+#endif
+ (dv->type == 1) && (dv->length == 1))) {
+ return vp2attr_rfc(packet, original, pvp,
+ attribute, ptr, room);
+ }
+
+#ifdef RS_TYPE_TLV
+ if ((*pvp)->flags.is_tlv) {
+ return data2vp_tlvs(packet, original, 0, pvp,
+ ptr, room);
+ }
+#endif
+
+ switch (dv->type) {
+ default:
+ nr_debug_error("vp2attr_vsa: Internal sanity check failed,"
+ " type %u", (unsigned) dv->type);
+ return -RSE_INTERNAL;
+
+ case 4:
+ ptr[0] = 0; /* attr must be 24-bit */
+ ptr[1] = (attribute >> 16) & 0xff;
+ ptr[2] = (attribute >> 8) & 0xff;
+ ptr[3] = attribute & 0xff;
+ break;
+
+ case 2:
+ ptr[0] = (attribute >> 8) & 0xff;
+ ptr[1] = attribute & 0xff;
+ break;
+
+ case 1:
+ ptr[0] = attribute & 0xff;
+ break;
+ }
+
+ switch (dv->length) {
+ default:
+ nr_debug_error("vp2attr_vsa: Internal sanity check failed,"
+ " length %u", (unsigned) dv->length);
+ return -RSE_INTERNAL;
+
+ case 0:
+ break;
+
+ case 2:
+ ptr[dv->type] = 0;
+ /* FALL-THROUGH */
+
+ case 1:
+ ptr[dv->type + dv->length - 1] = dv->type + dv->length;
+ break;
+
+ }
+
+ if (room > ((unsigned) 255 - (dv->type + dv->length))) {
+ room = 255 - (dv->type + dv->length);
+ }
+
+ len = vp2data_any(packet, original, 0, pvp,
+ ptr + dv->type + dv->length, room);
+ if (len < 0) return len;
+
+ if (dv->length) ptr[dv->type + dv->length - 1] += len;
+
+ return dv->type + dv->length + len;
+}
+
+
+/*
+ * Encode a Vendor-Specific attribute.
+ */
+ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp, uint8_t *ptr,
+ size_t room)
+{
+ ssize_t len;
+ uint32_t lvalue;
+ const VALUE_PAIR *vp = *pvp;
+
+#ifdef VENDORPEC_WIMAX
+ /*
+ * Double-check for WiMAX
+ */
+ if (vp->da->vendor == VENDORPEC_WIMAX) {
+ return nr_vp2wimax(packet, original, pvp,
+ ptr, room);
+ }
+#endif
+
+ if (vp->da->vendor > RS_MAX_VENDOR) {
+ nr_debug_error("nr_vp2vsa: Invalid arguments");
+ return -RSE_INVAL;
+ }
+
+ /*
+ * Not enough room for:
+ * attr, len, vendor-id
+ */
+ if (room < 6) {
+ *pvp = vp->next;
+ return 0;
+ }
+
+ /*
+ * Build the Vendor-Specific header
+ */
+ ptr[0] = PW_VENDOR_SPECIFIC;
+ ptr[1] = 6;
+ lvalue = htonl(vp->da->vendor);
+ memcpy(ptr + 2, &lvalue, 4);
+
+ if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1];
+
+ len = vp2attr_vsa(packet, original, pvp,
+ vp->da->attr, vp->da->vendor,
+ ptr + ptr[1], room);
+ if (len < 0) return len;
+
+ ptr[1] += len;
+
+ return ptr[1];
+}
+#endif
+
+
+/*
+ * Encode an RFC standard attribute 1..255
+ */
+ssize_t nr_vp2rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp,
+ uint8_t *ptr, size_t room)
+{
+ const VALUE_PAIR *vp = *pvp;
+
+ if (vp->da->vendor != 0) {
+ nr_debug_error("nr_vp2rfc called with VSA");
+ return -RSE_INVAL;
+ }
+
+ if ((vp->da->attr == 0) || (vp->da->attr > 255)) {
+ nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr);
+ return -RSE_INVAL;
+ }
+
+#ifdef PW_CHARGEABLE_USER_IDENTITY
+ if ((vp->length == 0) &&
+ (vp->da != RS_DA_CHARGEABLE_USER_IDENTITY)) {
+ *pvp = vp->next;
+ return 0;
+ }
+#endif
+
+ return vp2attr_rfc(packet, original, pvp, vp->da->attr,
+ ptr, room);
+}
+
+#ifdef PW_CHAP_PASSWORD
+/*
+ * Encode an RFC standard attribute 1..255
+ */
+static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp,
+ uint8_t *ptr, size_t room)
+{
+ ssize_t rcode;
+ const VALUE_PAIR *vp = *pvp;
+ RS_MD5_CTX ctx;
+ uint8_t buffer[RS_MAX_STRING_LEN*2 + 1], *p;
+ VALUE_PAIR chap = {
+ RS_DA_CHAP_PASSWORD,
+ 17,
+ 0,
+ NULL,
+ {
+ .octets = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ },
+ },
+ };
+
+ if ((vp->da->vendor != 0) || (vp->da != RS_DA_CHAP_PASSWORD)) {
+ nr_debug_error("nr_chap2rfc called with non-CHAP");
+ return -RSE_INVAL;
+ }
+
+ p = buffer;
+ *(p++) = nr_rand() & 0xff; /* id */
+
+ memcpy(p, vp->vp_strvalue, strlen(vp->vp_strvalue));
+ p += strlen(vp->vp_strvalue);
+
+ vp = nr_vps_find(packet->vps, PW_CHAP_CHALLENGE, 0);
+ if (vp) {
+ memcpy(p, vp->vp_octets, vp->length);
+ p += vp->length;
+ } else {
+ memcpy(p, packet->vector, sizeof(packet->vector));
+ p += sizeof(packet->vector);
+ }
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, buffer, p - buffer);
+ RS_MD5Final(&chap.vp_octets[1], &ctx);
+
+ chap.vp_octets[0] = buffer[0];
+ vp = &chap;
+
+ rcode = vp2attr_rfc(packet, original, &vp, chap.da->attr,
+ ptr, room);
+ if (rcode < 0) return rcode;
+
+ *pvp = (*pvp)->next;
+ return rcode;
+}
+#endif /* PW_CHAP_PASSWORD */
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+/** Fake Message-Authenticator.
+ *
+ * This structure is used to replace a Message-Authenticator in the
+ * input list of VALUE_PAIRs when encoding a packet. If the caller
+ * asks us to encode a Message-Authenticator, we ignore the one given
+ * to us by the caller (which may have the wrong length, etc.), and
+ * instead use this one, which has the correct length and data.
+ */
+static const VALUE_PAIR fake_ma = {
+ RS_DA_MESSAGE_AUTHENTICATOR,
+ 16,
+ 0,
+ NULL,
+ {
+ .octets = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ },
+ }
+};
+#endif /* PW_MESSAGE_AUTHENTICATOR */
+
+/*
+ * Parse a data structure into a RADIUS attribute.
+ */
+ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp, uint8_t *start,
+ size_t room)
+{
+ const VALUE_PAIR *vp = *pvp;
+
+ /*
+ * RFC format attributes take the fast path.
+ */
+ if (vp->da->vendor != 0) {
+#ifdef VENDORPEC_EXTENDED
+ if (vp->da->vendor > RS_MAX_VENDOR) {
+ return nr_vp2attr_extended(packet, original,
+ pvp, start, room);
+
+ }
+#endif
+
+#ifdef VENDORPEC_WIMAX
+ if (vp->da->vendor == VENDORPEC_WIMAX) {
+ return nr_vp2attr_wimax(packet, original,
+ pvp, start, room);
+ }
+#endif
+
+#ifndef WITHOUT_VSAS
+ return nr_vp2vsa(packet, original, pvp, start, room);
+#else
+ nr_debug_error("VSAs are not supported");
+ return -RSE_UNSUPPORTED;
+#endif
+ }
+
+ /*
+ * Ignore non-protocol attributes.
+ */
+ if (vp->da->attr > 255) {
+ *pvp = vp->next;
+ return 0;
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ /*
+ * The caller wants a Message-Authenticator, but doesn't
+ * know how to calculate it, or what the correct values
+ * are. So... create one for him.
+ */
+ if (vp->da == RS_DA_MESSAGE_AUTHENTICATOR) {
+ ssize_t rcode;
+
+ vp = &fake_ma;
+ rcode = nr_vp2rfc(packet, original, &vp, start, room);
+ if (rcode <= 0) return rcode;
+ *pvp = (*pvp)->next;
+ return rcode;
+ }
+#endif
+
+#ifdef PW_CHAP_PASSWORD
+ /*
+ * The caller wants a CHAP-Password, but doesn't know how
+ * to calculate it, or what the correct values are. To
+ * help, we calculate it for him.
+ */
+ if (vp->da == RS_DA_CHAP_PASSWORD) {
+ int encoded = 0;
+
+ /*
+ * CHAP is ID + MD5(...). If it's length is NOT
+ * 17, then the caller has passed us a password,
+ * and wants us to encode it. If the length IS
+ * 17, then we need to double-check if the caller
+ * has already encoded it.
+ */
+ if (vp->length == 17) {
+ int i;
+
+ /*
+ * ASCII and UTF-8 disallow values 0..31.
+ * If they appear, then the CHAP-Password
+ * has already been encoded by the
+ * caller. The probability of a
+ * CHAP-Password being all 32..256 is
+ * (1-32/256)^17 =~ .10
+ *
+ * This check isn't perfect, but it
+ * should be pretty rare for people to
+ * have 17-character passwords *and* have
+ * them all 32..256.
+ */
+ for (i = 0; i < 17; i++) {
+ if (vp->vp_octets[i] < 32) {
+ encoded = 1;
+ break;
+ }
+ }
+ }
+
+ if (!encoded) {
+ return nr_chap2rfc(packet, original, pvp, start, room);
+ }
+ }
+#endif
+
+ return nr_vp2rfc(packet, original, pvp,
+ start, room);
+}
+
+
+/*
+ * Ignore unknown attributes, but "decoding" them into nothing.
+ */
+static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet,
+ UNUSED const RADIUS_PACKET *original,
+ unsigned int attribute,
+ unsigned int vendor,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+ VALUE_PAIR *vp;
+
+ if (length > sizeof(vp->vp_octets)) return -RSE_ATTR_OVERFLOW;
+
+ vp = nr_vp_alloc_raw(attribute, vendor);
+ if (!vp) return -RSE_NOMEM;
+
+ memcpy(vp->vp_octets, data, length);
+ vp->length = length;
+
+ *pvp = vp;
+ return length;
+}
+
+ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+
+ if (length < 2) return -RSE_PACKET_TOO_SMALL;
+ if (data[1] < 2) return -RSE_ATTR_TOO_SMALL;
+ if (data[1] > length) return -RSE_ATTR_OVERFLOW;
+
+ return data2vp_raw(packet, original, data[0], 0,
+ data + 2, data[1] - 2, pvp);
+}
+
+/*
+ * Create any kind of VP from the attribute contents.
+ *
+ * Will return -1 on error, or "length".
+ */
+static ssize_t data2vp_any(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ int nest,
+ unsigned int attribute, unsigned int vendor,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ ssize_t rcode;
+#endif
+ int data_offset = 0;
+ const DICT_ATTR *da;
+ VALUE_PAIR *vp = NULL;
+
+ if (length == 0) {
+ /*
+ * Hacks for CUI. The WiMAX spec says that it
+ * can be zero length, even though this is
+ * forbidden by the RADIUS specs. So... we make
+ * a special case for it.
+ */
+ if ((vendor == 0) &&
+ (attribute == PW_CHARGEABLE_USER_IDENTITY)) {
+ data = (const uint8_t *) "";
+ length = 1;
+ } else {
+ *pvp = NULL;
+ return 0;
+ }
+ }
+
+ da = nr_dict_attr_byvalue(attribute, vendor);
+
+ /*
+ * Unknown attribute. Create it as a "raw" attribute.
+ */
+ if (!da) {
+ raw:
+ if (vp) nr_vp_free(&vp);
+ return data2vp_raw(packet, original,
+ attribute, vendor, data, length, pvp);
+ }
+
+#ifdef RS_TYPE_TLV
+ /*
+ * TLVs are handled first. They can't be tagged, and
+ * they can't be encrypted.
+ */
+ if (da->da->type == RS_TYPE_TLV) {
+ return data2vp_tlvs(packet, original,
+ attribute, vendor, nest,
+ data, length, pvp);
+ }
+#else
+ nest = nest; /* -Wunused */
+#endif
+
+ /*
+ * The attribute is known, and well formed. We can now
+ * create it. The main failure from here on in is being
+ * out of memory.
+ */
+ vp = nr_vp_alloc(da);
+ if (!vp) return -RSE_NOMEM;
+
+ /*
+ * Handle tags.
+ */
+ if (vp->da->flags.has_tag) {
+ if (TAG_VALID(data[0])
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ || (vp->da->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD)
+#endif
+ ) {
+ /*
+ * Tunnel passwords REQUIRE a tag, even
+ * if don't have a valid tag.
+ */
+ vp->tag = data[0];
+
+ if ((vp->da->type == RS_TYPE_STRING) ||
+ (vp->da->type == RS_TYPE_OCTETS)) {
+ if (length == 0) goto raw;
+ data_offset = 1;
+ }
+ }
+ }
+
+ /*
+ * Copy the data to be decrypted
+ */
+ vp->length = length - data_offset;
+ memcpy(&vp->vp_octets[0], data + data_offset, vp->length);
+
+ /*
+ * Decrypt the attribute.
+ */
+ switch (vp->da->flags.encrypt) {
+ /*
+ * User-Password
+ */
+ case FLAG_ENCRYPT_USER_PASSWORD:
+ if (original) {
+ rcode = nr_password_encrypt(vp->vp_octets,
+ sizeof(vp->vp_strvalue),
+ data + data_offset, vp->length,
+ packet->secret,
+ original->vector);
+ } else {
+ rcode = nr_password_encrypt(vp->vp_octets,
+ sizeof(vp->vp_strvalue),
+ data + data_offset, vp->length,
+ packet->secret,
+ packet->vector);
+ }
+ if (rcode < 0) goto raw;
+ vp->vp_strvalue[128] = '\0';
+ vp->length = strlen(vp->vp_strvalue);
+ break;
+
+ /*
+ * Tunnel-Password's may go ONLY
+ * in response packets.
+ */
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ case FLAG_ENCRYPT_TUNNEL_PASSWORD:
+ if (!original) goto raw;
+
+ rcode = nr_tunnelpw_decrypt(vp->vp_octets,
+ sizeof(vp->vp_octets),
+ data + data_offset, vp->length,
+ packet->secret, original->vector);
+ if (rcode < 0) goto raw;
+ vp->length = rcode;
+ break;
+#endif
+
+
+#ifdef FLAG_ENCRYPT_ASCEND_SECRET
+ /*
+ * Ascend-Send-Secret
+ * Ascend-Receive-Secret
+ */
+ case FLAG_ENCRYPT_ASCEND_SECRET:
+ if (!original) {
+ goto raw;
+ } else {
+ uint8_t my_digest[AUTH_VECTOR_LEN];
+ make_secret(my_digest,
+ original->vector,
+ packet->secret, data);
+ memcpy(vp->vp_strvalue, my_digest,
+ AUTH_VECTOR_LEN );
+ vp->vp_strvalue[AUTH_VECTOR_LEN] = '\0';
+ vp->length = strlen(vp->vp_strvalue);
+ }
+ break;
+#endif
+
+ default:
+ break;
+ } /* switch over encryption flags */
+
+ /*
+ * Expected a certain length, but got something else.
+ */
+ if ((vp->da->flags.length != 0) &&
+ (vp->length != vp->da->flags.length)) {
+ goto raw;
+ }
+
+ switch (vp->da->type) {
+ case RS_TYPE_STRING:
+ case RS_TYPE_OCTETS:
+#ifdef RS_TYPE_ABINARY
+ case RS_TYPE_ABINARY:
+#endif
+ /* nothing more to do */
+ break;
+
+ case RS_TYPE_BYTE:
+ vp->vp_integer = vp->vp_octets[0];
+ break;
+
+
+ case RS_TYPE_SHORT:
+ vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1];
+ break;
+
+ case RS_TYPE_INTEGER:
+ memcpy(&vp->vp_integer, vp->vp_octets, 4);
+ vp->vp_integer = ntohl(vp->vp_integer);
+
+ if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff;
+ break;
+
+ case RS_TYPE_DATE:
+ memcpy(&vp->vp_date, vp->vp_octets, 4);
+ vp->vp_date = ntohl(vp->vp_date);
+ break;
+
+
+ case RS_TYPE_IPADDR:
+ memcpy(&vp->vp_ipaddr, vp->vp_octets, 4);
+ break;
+
+ /*
+ * IPv6 interface ID is 8 octets long.
+ */
+ case RS_TYPE_IFID:
+ /* vp->vp_ifid == vp->vp_octets */
+ break;
+
+ /*
+ * IPv6 addresses are 16 octets long
+ */
+ case RS_TYPE_IPV6ADDR:
+ /* vp->vp_ipv6addr == vp->vp_octets */
+ break;
+
+ /*
+ * IPv6 prefixes are 2 to 18 octets long.
+ *
+ * RFC 3162: The first octet is unused.
+ * The second is the length of the prefix
+ * the rest are the prefix data.
+ *
+ * The prefix length can have value 0 to 128.
+ */
+ case RS_TYPE_IPV6PREFIX:
+ if (vp->length < 2 || vp->length > 18) goto raw;
+ if (vp->vp_octets[1] > 128) goto raw;
+
+ /*
+ * FIXME: double-check that
+ * (vp->vp_octets[1] >> 3) matches vp->length + 2
+ */
+ if (vp->length < 18) {
+ memset(vp->vp_octets + vp->length, 0,
+ 18 - vp->length);
+ }
+ break;
+
+#ifdef VENDORPEC_WIMAX
+ case RS_TYPE_SIGNED:
+ if (vp->length != 4) goto raw;
+
+ /*
+ * Overload vp_integer for ntohl, which takes
+ * uint32_t, not int32_t
+ */
+ memcpy(&vp->vp_integer, vp->vp_octets, 4);
+ vp->vp_integer = ntohl(vp->vp_integer);
+ memcpy(&vp->vp_signed, &vp->vp_integer, 4);
+ break;
+#endif
+
+#ifdef RS_TYPE_TLV
+ case RS_TYPE_TLV:
+ nr_vp_free(&vp);
+ nr_debug_error("data2vp_any: Internal sanity check failed");
+ return -RSE_ATTR_TYPE_UNKNOWN;
+#endif
+
+#ifdef VENDORPEC_WIMAX
+ case RS_TYPE_COMBO_IP:
+ if (vp->length == 4) {
+ vp->da->type = RS_TYPE_IPADDR;
+ memcpy(&vp->vp_ipaddr, vp->vp_octets, 4);
+ break;
+
+ } else if (vp->length == 16) {
+ vp->da->type = RS_TYPE_IPV6ADDR;
+ /* vp->vp_ipv6addr == vp->vp_octets */
+ break;
+
+ }
+ /* FALL-THROUGH */
+#endif
+
+ default:
+ goto raw;
+ }
+
+ *pvp = vp;
+
+ return length;
+}
+
+
+/*
+ * Create a "standard" RFC VALUE_PAIR from the given data.
+ */
+ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+ ssize_t rcode;
+
+ if (length < 2) return -RSE_PACKET_TOO_SMALL;
+ if (data[1] < 2) return -RSE_ATTR_TOO_SMALL;
+ if (data[1] > length) return -RSE_ATTR_OVERFLOW;
+
+ rcode = data2vp_any(packet, original, 0,
+ data[0], 0, data + 2, data[1] - 2, pvp);
+ if (rcode < 0) return rcode;
+
+ return data[1];
+}
+
+#ifndef WITHOUT_VSAS
+/*
+ * Check if a set of RADIUS formatted TLVs are OK.
+ */
+int nr_tlv_ok(const uint8_t *data, size_t length,
+ size_t dv_type, size_t dv_length)
+{
+ const uint8_t *end = data + length;
+
+ if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) {
+ nr_debug_error("nr_tlv_ok: Invalid arguments");
+ return -RSE_INVAL;
+ }
+
+ while (data < end) {
+ size_t attrlen;
+
+ if ((data + dv_type + dv_length) > end) {
+ nr_debug_error("Attribute header overflow");
+ return -RSE_ATTR_TOO_SMALL;
+ }
+
+ switch (dv_type) {
+ case 4:
+ if ((data[0] == 0) && (data[1] == 0) &&
+ (data[2] == 0) && (data[3] == 0)) {
+ zero:
+ nr_debug_error("Invalid attribute 0");
+ return -RSE_ATTR_INVALID;
+ }
+
+ if (data[0] != 0) {
+ nr_debug_error("Invalid attribute > 2^24");
+ return -RSE_ATTR_INVALID;
+ }
+ break;
+
+ case 2:
+ if ((data[1] == 0) && (data[1] == 0)) goto zero;
+ break;
+
+ case 1:
+ if (data[0] == 0) goto zero;
+ break;
+
+ default:
+ nr_debug_error("Internal sanity check failed");
+ return -RSE_INTERNAL;
+ }
+
+ switch (dv_length) {
+ case 0:
+ return 0;
+
+ case 2:
+ if (data[dv_type + 1] != 0) {
+ nr_debug_error("Attribute is longer than 256 octets");
+ return -RSE_ATTR_TOO_LARGE;
+ }
+ /* FALL-THROUGH */
+ case 1:
+ attrlen = data[dv_type + dv_length - 1];
+ break;
+
+
+ default:
+ nr_debug_error("Internal sanity check failed");
+ return -RSE_INTERNAL;
+ }
+
+ if (attrlen < (dv_type + dv_length)) {
+ nr_debug_error("Attribute header has invalid length");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+
+ if (attrlen > length) {
+ nr_debug_error("Attribute overflows container");
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ data += attrlen;
+ length -= attrlen;
+ }
+
+ return 0;
+}
+
+
+/*
+ * Convert a top-level VSA to a VP.
+ */
+static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ unsigned int vendor,
+ size_t dv_type, size_t dv_length,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+ unsigned int attribute;
+ ssize_t attrlen, my_len;
+
+#ifndef NDEBUG
+ if (length <= (dv_type + dv_length)) {
+ nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+#endif
+
+ switch (dv_type) {
+ case 4:
+ /* data[0] must be zero */
+ attribute = data[1] << 16;
+ attribute |= data[2] << 8;
+ attribute |= data[3];
+ break;
+
+ case 2:
+ attribute = data[0] << 8;
+ attribute |= data[1];
+ break;
+
+ case 1:
+ attribute = data[0];
+ break;
+
+ default:
+ nr_debug_error("attr2vp_vsa: Internal sanity check failed");
+ return -RSE_INTERNAL;
+ }
+
+ switch (dv_length) {
+ case 2:
+ /* data[dv_type] must be zero */
+ attrlen = data[dv_type + 1];
+ break;
+
+ case 1:
+ attrlen = data[dv_type];
+ break;
+
+ case 0:
+ attrlen = length;
+ break;
+
+ default:
+ nr_debug_error("attr2vp_vsa: Internal sanity check failed");
+ return -RSE_INTERNAL;
+ }
+
+#ifndef NDEBUG
+ if (attrlen <= (ssize_t) (dv_type + dv_length)) {
+ nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+#endif
+
+ attrlen -= (dv_type + dv_length);
+
+ my_len = data2vp_any(packet, original, 0,
+ attribute, vendor,
+ data + dv_type + dv_length, attrlen, pvp);
+ if (my_len < 0) return my_len;
+
+#ifndef NDEBUG
+ if (my_len != attrlen) {
+ nr_vp_free(pvp);
+ nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d",
+ (int) my_len, (int) attrlen);
+ return -RSE_INTERNAL;
+ }
+#endif
+
+ return dv_type + dv_length + attrlen;
+}
+
+
+/*
+ * Create Vendor-Specifc VALUE_PAIRs from a RADIUS attribute.
+ */
+ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+ size_t dv_type, dv_length;
+ ssize_t my_len;
+ uint32_t lvalue;
+ const DICT_VENDOR *dv;
+
+ if (length < 2) return -RSE_PACKET_TOO_SMALL;
+ if (data[1] < 2) return -RSE_ATTR_TOO_SMALL;
+ if (data[1] > length) return -RSE_ATTR_OVERFLOW;
+
+ if (data[0] != PW_VENDOR_SPECIFIC) {
+ nr_debug_error("nr_attr2vp_vsa: Invalid attribute");
+ return -RSE_INVAL;
+ }
+
+ /*
+ * Not enough room for a Vendor-Id.
+ * Or the high octet of the Vendor-Id is set.
+ */
+ if ((data[1] < 6) || (data[2] != 0)) {
+ return nr_attr2vp_raw(packet, original,
+ data, length, pvp);
+ }
+
+ memcpy(&lvalue, data + 2, 4);
+ lvalue = ntohl(lvalue);
+
+#ifdef VENDORPEC_WIMAX
+ /*
+ * WiMAX gets its own set of magic.
+ */
+ if (lvalue == VENDORPEC_WIMAX) {
+ return nr_attr2vp_wimax(packet, original,
+ data, length, pvp);
+ }
+#endif
+
+ dv_type = dv_length = 1;
+ dv = nr_dict_vendor_byvalue(lvalue);
+ if (!dv) {
+ return nr_attr2vp_rfc(packet, original,
+ data, length, pvp);
+ }
+
+ dv_type = dv->type;
+ dv_length = dv->length;
+
+ /*
+ * Attribute is not in the correct form.
+ */
+ if (nr_tlv_ok(data + 6, data[1] - 6, dv_type, dv_length) < 0) {
+ return nr_attr2vp_raw(packet, original,
+ data, length, pvp);
+ }
+
+ my_len = attr2vp_vsa(packet, original,
+ lvalue, dv_type, dv_length,
+ data + 6, data[1] - 6, pvp);
+ if (my_len < 0) return my_len;
+
+#ifndef NDEBUG
+ if (my_len != (data[1] - 6)) {
+ nr_vp_free(pvp);
+ nr_debug_error("nr_attr2vp_vsa: Incomplete decode");
+ return -RSE_INTERNAL;
+ }
+#endif
+
+ return data[1];
+}
+#endif /* WITHOUT_VSAS */
+
+
+/*
+ * Create a "normal" VALUE_PAIR from the given data.
+ */
+ssize_t nr_attr2vp(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp)
+{
+ if (length < 2) return -RSE_PACKET_TOO_SMALL;
+ if (data[1] < 2) return -RSE_ATTR_TOO_SMALL;
+ if (data[1] > length) return -RSE_ATTR_OVERFLOW;
+
+#ifndef WITHOUT_VSAS
+ /*
+ * VSAs get their own handler.
+ */
+ if (data[0] == PW_VENDOR_SPECIFIC) {
+ return nr_attr2vp_vsa(packet, original,
+ data, length, pvp);
+ }
+#endif
+
+#ifdef VENDORPEC_EXTENDED
+ /*
+ * Extended attribute format gets their own handler.
+ */
+ if (nr_dict_attr_byvalue(data[0], VENDORPEC_EXTENDED) != NULL) {
+ return nr_attr2vp_extended(packet, original,
+ data, length, pvp);
+ }
+#endif
+
+ return nr_attr2vp_rfc(packet, original, data, length, pvp);
+}
+
+ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start,
+ unsigned int attribute, unsigned int vendor,
+ const uint8_t **pdata, size_t *plength)
+{
+ uint8_t *data, *attr;
+ const uint8_t *end;
+
+ if (!packet || !pdata || !plength) return -RSE_INVAL;
+
+ if (!packet->data) return -RSE_INVAL;
+ if (packet->length < 20) return -RSE_INVAL;
+
+ /*
+ * Too long or short, not good.
+ */
+ if ((start < 0) ||
+ ((start > 0) && (start < 20))) return -RSE_INVAL;
+
+ if ((size_t) start >= (packet->length - 2)) return -RSE_INVAL;
+
+ end = packet->data + packet->length;
+
+ /*
+ * Loop over the packet, converting attrs to VPs.
+ */
+ if (start == 0) {
+ data = packet->data + 20;
+ } else {
+ data = packet->data + start;
+ data += data[1];
+ if (data >= end) return 0;
+ }
+
+ for (attr = data; attr < end; attr += attr[1]) {
+ const DICT_VENDOR *dv = NULL;
+
+#ifndef NEBUG
+ /*
+ * This code is copied from packet_ok().
+ * It could be put into a separate function.
+ */
+ if ((attr + 2) > end) {
+ nr_debug_error("Attribute overflows packet");
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ if (attr[1] < 2) {
+ nr_debug_error("Attribute length is too small");
+ return -RSE_ATTR_TOO_SMALL;
+ }
+
+ if ((attr + attr[1]) > end) {
+ nr_debug_error("Attribute length is too large");
+ return -RSE_ATTR_TOO_LARGE;
+ }
+#endif
+
+ if ((vendor == 0) && (attr[0] == attribute)) {
+ *pdata = attr + 2;
+ *plength = attr[1] - 2;
+ return attr - packet->data;
+ }
+
+#ifndef WITHOUT_VSAS
+ if (vendor != 0) {
+ uint32_t vendorpec;
+
+ if (attr[0] != PW_VENDOR_SPECIFIC) continue;
+
+ if (attr[1] < 6) continue;
+
+ memcpy(&vendorpec, attr + 2, 4);
+ vendorpec = ntohl(vendorpec);
+ if (vendor != vendorpec) continue;
+
+ if (!dv) {
+ dv = nr_dict_vendor_byvalue(vendor);
+ if (dv &&
+ ((dv->type != 1) || (dv->length != 1))) {
+ return -RSE_VENDOR_UNKNOWN;
+ }
+ }
+
+ /*
+ * No data.
+ */
+ if (attr[1] < 9) continue;
+
+ /*
+ * Malformed, or more than one VSA in
+ * the Vendor-Specific
+ */
+ if (attr[7] + 6 != attr[1]) continue;
+
+ /*
+ * Not the right VSA.
+ */
+ if (attr[6] != attribute) continue;
+
+ *pdata = attr + 8;
+ *plength = attr[1] - 8;
+ return attr - packet->data;
+ }
+#endif
+ }
+
+ return 0; /* nothing more: stop */
+}
+
diff --git a/lib/radius/client.h b/lib/radius/client.h
new file mode 100644
index 0000000..aefb40d
--- /dev/null
+++ b/lib/radius/client.h
@@ -0,0 +1,1317 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file client.h
+ * \brief Main header file.
+ */
+
+#ifndef _RADIUS_CLIENT_H_
+#define _RADIUS_CLIENT_H_ 1
+
+/*
+ * System-specific header files.
+ */
+#include <config.h>
+#include <errno.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+#include <stdarg.h>
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
+#include <radsec/radsec.h>
+#include <radsec/radsec-impl.h>
+#include <radsec/radius.h>
+
+/** \defgroup build Build Helpers
+ *
+ * These definitions give the GNU C compiler more information about
+ * the functions being compiled. They are used to either remove
+ * warnings, or to enable better warnings.
+ **/
+
+/** \defgroup custom Portability Functions
+ *
+ * These functions and definitions should be modified for your local
+ * system. See the individual definitions for details.
+ */
+
+/** \defgroup error Error handling
+ *
+ * These definitions and routines manage errors.
+ */
+
+/** \defgroup value_pair Attribute manipulation
+ *
+ * These routines manage structures which map to attributes.
+ */
+
+/**\defgroup dict Dictionary Lookup Functions
+ *
+ * \sa doc/dictionaries.txt
+ *
+ * The RADIUS dictionaries perform name to number mappings. The names
+ * are used only for administrator convenience, for parsing
+ * configuration files, and printing humanly-readable output. The
+ * numbers are used when encoding data in a packet.
+ *
+ * When attributes are decoded from a packet, the numbers are used to
+ * look up the associated name, which is then placed into a data
+ * structure.
+ *
+ * When the data structures are encoded into a packet, the numbers are
+ * used to create RFC and VSA format attributes.
+ *
+ * \attention The definitions, structures, and functions given below
+ * are useful only for implementing "low level" RADIUS
+ * functionality. There is usually no need to refer to them in a
+ * client application. The library should be used at a higher level,
+ * which exposes a much simpler API.
+ */
+
+/** \defgroup packet Packet manipulation
+ *
+ * These routines perform encoding and decoding of RADIUS packets.
+ */
+
+/** \defgroup print Print / parse functions
+ *
+ * These routines convert the internal data structures to a printable
+ * form, or parse them.
+ */
+
+/** \defgroup id ID allocation and freeing
+ *
+ * These routines manage RADIUS ID allocation.
+ */
+
+/** \defgroup attr Low-level attribute encode/decoding
+ *
+ * These routines perform "low level" encoding, decoding, sending, and
+ * reception of RADIUS attributes. They are called by the \ref packet
+ * functions.
+ *
+ * \attention The structures and functions given below are useful only
+ * for implementing "low level" RADIUS functionality. There is usually
+ * no need to refer to them in a client application. The library
+ * should be used at a higher level, which exposes a much simpler API.
+ */
+
+/** \defgroup internal Internal support functions.
+ *
+ * These functions are required to perform internal or "low-level"
+ * data manipulation. While they are exposed for completeness, they
+ * should not be called by any application.
+ */
+
+#ifdef PW_EAP_MESSAGE
+#ifndef PW_MESSAGE_AUTHENTICATOR
+#error EAP-Message requires Message-Authenticator
+#endif
+#endif
+
+#ifdef WITHOUT_OPENSSL
+#ifndef RS_MD5_CTX
+#error RS_MD5_CTX must be defined
+#endif
+#ifndef RS_MD5Init
+#error n_rMD5Init must be defined
+#endif
+#ifndef RS_MD5Update
+#error RS_MD5Updyae must be defined
+#endif
+#ifndef RS_MD5Final
+#error RS_MD5Final must be defined
+#endif
+#ifndef RS_MD5Transform
+#error RS_MD5Transform must be defined
+#endif
+
+#else /* WITHOUT_OPENSSL */
+
+#include <openssl/md5.h>
+/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */
+#define RS_MD5_CTX MD5_CTX
+/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */
+#define RS_MD5Init MD5_Init
+/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */
+#define RS_MD5Update MD5_Update
+/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */
+#define RS_MD5Final MD5_Final
+/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */
+#define RS_MD5Transform MD5_Transform
+#endif
+
+#ifndef RS_MAX_PACKET_LEN
+/** The maximum size of a packet that the library will send or receive. \ingroup custom
+ *
+ * The RFC requirement is to handle at least 4K packets. However, if
+ * you expect to only do username/password authentication, this value
+ * can be set to a smaller value, such as 256.
+ *
+ * Be warned that any packets larger than this value will be ignored
+ * and silently discarded.
+ */
+#define RS_MAX_PACKET_LEN (4096)
+#endif
+
+#ifndef RS_MAX_ATTRIBUTES
+/** The maximum number of attributes that the library will allow in a packet. \ingroup custom
+ *
+ * Packets which contain more than ::RS_MAX_ATTRIBUTES will generate
+ * an error. This value is configurable because there may be a need
+ * to accept a large mumber of attributes.
+ *
+ * This value is ignored when packets are sent. The library will
+ * send as many attributes as it is told to send.
+ */
+#define RS_MAX_ATTRIBUTES (200)
+#endif
+
+#undef RS_MAX_PACKET_CODE
+/** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict
+ *
+ * \attention This should not be changed, as it is used by other
+ * structures such as ::nr_packet_codes.
+ */
+#define RS_MAX_PACKET_CODE PW_COA_NAK
+
+/** The maximum vendor number which is permitted. \ingroup dict
+ *
+ * The RFCs require that the Vendor Id or Private Enterprise Number
+ * be encoded as 32 bits, with the upper 8 bits being zero.
+ */
+#define RS_MAX_VENDOR (1 << 24)
+
+/** Data Type Definitions. \ingroup dict
+ */
+#define TAG_VALID(x) ((x) < 0x20)
+
+/** The attribute is not encrypted. */
+#define FLAG_ENCRYPT_NONE (0)
+
+/** The attribute is encrypted using the RFC 2865 User-Password method */
+#define FLAG_ENCRYPT_USER_PASSWORD (1)
+
+/** The attribute is encrypted using the RFC 2868 Tunnel-Password method */
+#define FLAG_ENCRYPT_TUNNEL_PASSWORD (2)
+
+/** A set of flags which determine how the attribute should be handled.
+ *
+ * Most attributes are "normal", and do not require special handling.
+ * However, some require "encryption", tagging, or have other special
+ * formats. This structure contains the various options for the
+ * attribute formats.
+ */
+typedef struct attr_flags {
+ unsigned int has_tag : 1; /**< Attribute has an RFC 2868 tag */
+ unsigned int unknown : 1; /**< Attribute is unknown */
+#ifdef RS_TYPE_TLV
+ unsigned int has_tlv : 1; /* has sub attributes */
+ unsigned int is_tlv : 1; /* is a sub attribute */
+#endif
+ unsigned int extended : 1; /* extended attribute */
+ unsigned int extended_flags : 1; /* with flag */
+ unsigned int evs : 1; /* extended VSA */
+ uint8_t encrypt; /**< Attribute encryption method */
+ uint8_t length; /**< The expected length of the attribute */
+} ATTR_FLAGS;
+
+
+/** Defines an dictionary mapping for an attribute. \ingroup dict
+ *
+ * The RADIUS dictionaries map humanly readable names to protocol
+ * numbers. The protocol numbers are used to encode/decode the
+ * attributes in a packet.
+ */
+typedef struct nr_dict_attr {
+ unsigned int attr; /**< Attribute number */
+ rs_attr_type_t type; /**< Data type */
+ unsigned int vendor; /**< Vendor-Id number */
+ ATTR_FLAGS flags;
+ const char *name; /**< Printable name */
+} DICT_ATTR;
+
+/** Defines a dictionary mapping for a named enumeration. \ingroup dict
+ *
+ * This structure is currently not used.
+ */
+typedef struct nr_dict_value {
+ const DICT_ATTR *da; /**< pointer to a ::DICT_ATTR */
+ int value; /**< enumerated value */
+ char name[1]; /**< printable name */
+} DICT_VALUE;
+
+/** Defines an dictionary mapping for a vendor. \ingroup dict
+ *
+ * The RADIUS dictionaries map humanly readable vendor names to a
+ * Vendor-Id (or Private Enterprise Code) assigned by IANA. The
+ * Vendor-Id is used to encode/decode Vendor-Specific attributes in a
+ * packet.
+ */
+typedef struct nr_dict_vendor {
+ unsigned int vendor; /**< Vendor Private Enterprise Code */
+ size_t type; /**< size of Vendor-Type field */
+ size_t length; /**< size of Vendor-Length field */
+ const char *name; /**< Printable name */
+} DICT_VENDOR;
+
+/** Union holding all possible types of data for a ::VALUE_PAIR. \ingroup value_pair
+ *
+ */
+typedef union value_pair_data {
+ char strvalue[RS_MAX_STRING_LEN]; /* +1 for NUL */
+ uint8_t octets[253];
+ struct in_addr ipaddr;
+ struct in6_addr ipv6addr;
+ uint32_t date;
+ uint32_t integer;
+#ifdef RS_TYPE_SIGNED
+ int32_t sinteger;
+#endif
+#ifdef RS_TYPE_ABINARY
+ uint8_t filter[32];
+#endif
+ uint8_t ifid[8]; /* struct? */
+ uint8_t ipv6prefix[18]; /* struct? */
+#ifdef RS_TYPE_TLV
+ uint8_t *tlv;
+#endif
+} VALUE_PAIR_DATA;
+
+
+/** C structure version of a RADIUS attribute. \ingroup value_pair
+ *
+ * The library APIs use this structure to avoid depending on the
+ * details of the protocol.
+ */
+typedef struct value_pair {
+ const DICT_ATTR *da; /**< dictionary definition */
+ size_t length; /**< number of octets in the data */
+ int tag; /**< tag value if da->flags.has_tag */
+ struct value_pair *next; /**< enables a linked list of values */
+ VALUE_PAIR_DATA data; /**< the data of the attribute */
+} VALUE_PAIR;
+#define vp_strvalue data.strvalue
+#define vp_octets data.octets
+#define vp_ipv6addr data.ipv6addr
+#define vp_ifid data.ifid
+#define vp_ipv6prefix data.ipv6prefix
+#define vp_ipaddr data.ipaddr.s_addr
+#define vp_date data.integer
+#define vp_integer data.integer
+#ifdef RS_TYPE_ABINARY
+#define vp_filter data.filter
+#endif
+#ifdef RS_TYPE_ETHER
+#define vp_ether data.ether
+#endif
+#ifdef RS_TYPE_SIGNED
+#define vp_signed data.sinteger
+#endif
+#ifdef RS_TYPE_TLV
+#define vp_tlv data.tlv
+#endif
+
+#ifdef RS_TYPE_TLV
+#define RS_ATTR_MAX_TLV (4)
+extern const int nr_attr_shift[RS_ATTR_MAX_TLV];
+extern const int nr_attr_mask[RS_ATTR_MAX_TLV];
+extern const unsigned int nr_attr_max_tlv;
+#endif
+
+/** A structure which describes a RADIUS packet. \ingroup packet
+ *
+ * In general, it should not be necessary to refererence the elements
+ * of this structure.
+ */
+typedef struct radius_packet {
+ int sockfd; /** The socket descriptor */
+ struct sockaddr_storage src; /**< The packet source address */
+ struct sockaddr_storage dst; /**< the packet destination address */
+ const char *secret; /**< The shared secret */
+ size_t sizeof_secret; /**< Length of the shared secret */
+ unsigned int code; /**< The RADIUS Packet Code */
+ int id; /**< The RADIUS Packet Id */
+ size_t length; /**< The RADIUS Packet Length. This will be no larger than RADIUS_PACKET::sizeof_data */
+ uint8_t vector[16]; /**< A copy of the authentication vector */
+ int flags; /**< Internal flags. Do not modify this field. */
+ int attempts; /**< The number of transmission attempt */
+ uint8_t *data; /**< The raw packet data */
+ size_t sizeof_data; /**< size of the data buffer */
+ VALUE_PAIR *vps; /**< linked list of ::VALUE_PAIR */
+} RADIUS_PACKET;
+
+#define RS_PACKET_ENCODED (1 << 0)
+#define RS_PACKET_HEADER (1 << 1)
+#define RS_PACKET_SIGNED (1 << 2)
+#define RS_PACKET_OK (1 << 3)
+#define RS_PACKET_VERIFIED (1 << 4)
+#define RS_PACKET_DECODED (1 << 5)
+
+
+/** Track packets sent to a server. \ingroup id
+ *
+ * This data structure tracks Identifiers which are used to
+ * communicate with a particular destination server. The application
+ * should call nr_server_init() to initialize it. If necessary, the
+ * application should then call nr_server_set_ipv4() to open an IPv4
+ * socket to the server.
+ *
+ * If the RADIUS packets are being transported over an encapsulation
+ * layer (e.g. RADIUS over TLS), then nr_server_set_ipv4() does not
+ * need to be called. The ::nr_server_t structure should instead be
+ * associated wih the TLS session / socket.
+ */
+typedef struct nr_server_t {
+ int sockfd; /**< socket for sending packets */
+ int code; /**< default value for the Code */
+
+ struct sockaddr_storage src; /**< Source address of the packet */
+ struct sockaddr_storage dst; /**< Destination address of the packet */
+
+ /** The shared secret.
+ *
+ * See also nr_packet_send() and nr_packet_recv().
+ */
+ const char *secret;
+
+ /** The length of the shared secret.
+ *
+ * See also nr_packet_send() and nr_packet_recv().
+ */
+ size_t sizeof_secret;
+
+ int used; /**< Number of used IDs */
+
+ void *free_list; /**< For managing packets */
+
+ RADIUS_PACKET *ids[256]; /**< Pointers to "in flight" packets */
+} nr_server_t;
+
+
+/** Return a printable error message. \ingroup error
+ *
+ * This function returns a string describing the last error that
+ * occurred. These messages are intended for developers, and are not
+ * suitable for display to an end user. The application using this
+ * library should instead produce a "summary" message when an error
+ * occurs. e.g. "Failed to receive a response", is better than
+ * messages produced by this function, which contain text like
+ * "invalid response authentication vector". The first is
+ * understandable, the second is not.
+ *
+ * @param[in] error The error code (can be less than zero)
+ * @return A printable string describing the error.
+ */
+extern const char *nr_strerror(int error);
+
+/** Allocate a ::VALUE_PAIR which refers to a ::DICT_ATTR. \ingroup value_pair
+ *
+ * This returned ::VALUE_PAIR has no data associated with it. The
+ * nr_vp_set_data() function must be called before placing the
+ * ::VALUE_PAIR in a ::RADIUS_PACKET.
+ *
+ * @param[in] da The ::DICT_ATTR associated with the ::VALUE_PAIR
+ * @return The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da);
+
+/** Free a ::VALUE_PAIR. \ingroup value_pair
+ *
+ * This function frees the ::VALUE_PAIR, and sets the head pointer to NULL.
+ * If head refers to a ::VALUE_PAIR list, then all of the structures in the
+ * list are freed.
+ *
+ * @param[in,out] head The pointer to a ::VALUE_PAIR, or a ::VALUE_PAIR list.
+ */
+extern void nr_vp_free(VALUE_PAIR **head);
+
+/** Initializes a ::VALUE_PAIR from a ::DICT_ATTR \ingroup value_pair
+ *
+ * This function assumes that the ::VALUE_PAIR points to existing
+ * and writable memory.
+ *
+ * @param[in,out] vp The ::VALUE_PAIR to be initialized
+ * @param[in] da The ::DICT_ATTR used to initialize the ::VALUE_PAIR
+ * @return The initialized ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da);
+
+/** Allocate a ::VALUE_PAIR which refers to an unknown attribute. \ingroup value_pair
+ *
+ * It is used when an attribute is received, and that attribute does
+ * not exist in the dictionaries.
+ *
+ * The returned ::VALUE_PAIR has no data (i.e. VALUE_PAIR::length is
+ * zero). The nr_vp_set_data() function must be called before
+ * placing the ::VALUE_PAIR in a ::RADIUS_PACKET.
+ *
+ * @param[in] attr The attribute number, 0..2^16
+ * @param[in] vendor The vendor number, 0..2^16
+ * @return The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor);
+
+/** Set the data associated with a previously allocated ::VALUE_PAIR. \ingroup value_pair
+ *
+ * If this function succeeds, VALUE_PAIR::length is no longer zero,
+ * and the structure contains the data.
+ *
+ * @param[in,out] vp The ::VALUE_PAIR to update
+ * @param[in] data Data to set inside of the ::VALUE_PAIR
+ * @param[in] data_len Length of the data field
+ * @return <0 on error, 0 for "data was truncated"
+ * >0 for "data successfully added"
+ */
+extern int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t data_len);
+
+/** Create a ::VALUE_PAIR and set its data. \ingroup value_pair
+ *
+ * @param[in] attr The attribute number of the ::VALUE_PAIR to create
+ * @param[in] vendor The vendor number of the ::VALUE_PAIR to create
+ * @param[in] data Data to set inside of the ::VALUE_PAIR
+ * @param[in] data_len Length of the data field
+ * @return The created ::VALUE_PAIR, or NULL on error.
+ */
+extern VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data,
+ size_t data_len);
+
+/** Append a ::VALUE_PAIR to the end of a ::VALUE_PAIR list. \ingroup value_pair
+ *
+ * @param[in,out] head The head of the ::VALUE_PAIR list. May not be NULL.
+ * @param[in] vp The ::VALUE_PAIR to append to the list.
+ */
+extern void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *vp);
+
+/** Search a ::VALUE_PAIR list for one of a given number. \ingroup value_pair
+ *
+ * @param[in] head The head of the ::VALUE_PAIR list to search.
+ * @param[in] attr The attribute number of the ::VALUE_PAIR to find
+ * @param[in] vendor The vendor number of the ::VALUE_PAIR to find
+ * @return The found ::VALUE_PAIR, or NULL if it was not found.
+ */
+extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head,
+ unsigned int attr, unsigned int vendor);
+
+/** Look up an attribute in the dictionaries. \ingroup dict
+ *
+ * The dictionary mapping contains information about the attribute,
+ * such as printable name, data type (ipaddr, integer, etc), and
+ * various other things used to encode/decode the attribute in a
+ * packet.
+ *
+ * \attention There is usually no need to call this function. Use
+ * the RS_DA_* definitions instead.
+ *
+ * @param[in] attr Value of the attribute
+ * @param[in] vendor Value of the vendor
+ * @return NULL for "not found", or a pointer to the attribute mapping.
+ */
+extern const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr,
+ unsigned int vendor);
+
+/** Look up an attribute in the dictionaries. \ingroup dict
+ *
+ * The dictionary mapping contains information about the attribute,
+ * such as printable name, data type (ipaddr, integer, etc), and
+ * various other things used to encode/decode the attribute in a
+ * packet.
+ *
+ * \attention There is usually no need to call this function.
+ *
+ * @param[in] name Name of the attribute
+ * @return NULL for "not found", or a pointer to the attribute mapping.
+ */
+extern const DICT_ATTR *nr_dict_attr_byname(const char *name);
+
+/** Converts raw data to a ::DICT_ATTR structure. \ingroup dict
+ *
+ * It is called when the library is asked to decode an attribute
+ * which is not in the pre-defined dictionaries.
+ *
+ * \attention There is usually no need to call this function.
+ *
+ * @param[in,out] da The ::DICT_ATTR structure to initialize
+ * @param[in] attr The attribute number
+ * @param[in] vendor The vendor number
+ * @param[in] buffer The buffer where the name of the attribute is stored
+ * @param[in] bufsize Size of the buffer
+ * @return <0 for error, 0 for success
+ */
+extern int nr_dict_attr_2struct(DICT_ATTR *da,
+ unsigned int attr, unsigned int vendor,
+ char *buffer, size_t bufsize);
+
+/** Unused. \ngroup dict
+ *
+ */
+extern const DICT_VALUE *nr_dict_value_byattr(unsigned int attr,
+ unsigned int vendor,
+ int value);
+
+/** Unused. \ngroup dict
+ *
+ */
+const DICT_VALUE *nr_dict_value_byname(unsigned int attr,
+ unsigned int vendor,
+ const char *name);
+
+/** Look up a vendor in the dictionaries. \ingroup dict
+ *
+ * The dictionary mapping contains information about the vendor, such
+ * as printable name, VSA encoding method, etc.
+ *
+ * \attention There is usually no need to call this function.
+ * Applications do not need access to low-level RADIUS protocol
+ * information.
+ *
+ * @param[in] name Name of the vendor.
+ * @return NULL for "not found", or a pointer to the vendor mapping.
+ */
+extern int nr_dict_vendor_byname(const char *name);
+
+/** Look up an vendor in the dictionaries. \ingroup dict
+ *
+ * The dictionary mapping contains information about the vendor, such
+ * as printable name, VSA encoding method, etc.
+ *
+ * \attention There is usually no need to call this function.
+ *
+ * @param[in] vendor Vendor-Id (or Private Enterprise code) for the vendor.
+ * @return NULL for "not found", or a pointer to the vendor mapping.
+ */
+extern const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor);
+
+/** Static array of known vendors. \ingroup dict
+ *
+ * \attention This structure should only be accessed by internal RADIUS library
+ * functions.
+ */
+extern const DICT_VENDOR nr_dict_vendors[];
+
+/** The number of attribute definitions in the dictionary. \ingroup dict
+ *
+ * This number is guaranteed to be at least 256, for speed.
+ *
+ * \attention This variable should only be accessed by internal RADIUS library
+ * functions.
+ */
+extern const int nr_dict_num_attrs;
+
+/** The list of attribute definitions. \ingroup dict
+ *
+ * The "standard" RFC attributes are located in the first 256
+ * entries. Standard attributes without a dictionary definition are
+ * given an empty entry.
+ *
+ * The attributes are orderd by (vendor, attribute), in increasing
+ * order. This allows the dictionary lookups to find attributes by a
+ * binary search.
+ *
+ * \attention This variable should only be accessed by internal RADIUS library
+ * functions.
+ */
+extern const DICT_ATTR nr_dict_attrs[];
+
+/** The number of attributes with names. \ingroup dict
+ *
+ * \attention This variable should only be accessed by internal RADIUS library
+ * functions.
+ */
+extern const int nr_dict_num_names;
+
+/** The list of attribute definitions, organized by name. \ingroup dict
+ *
+ * The attributes are orderd by name (case insensitive), in
+ * increasing order. This allows the dictionary lookups to find
+ * attributes by a binary search.
+ *
+ * \attention This variable should only be accessed by internal RADIUS library
+ * functions.
+ */
+extern const DICT_ATTR const *nr_dict_attr_names[];
+
+/** Static array containing names the RADIUS_PACKET::code field. \ingroup dict
+ *
+ * The names are hard-coded and not in any dictionary because they do
+ * not change.
+ *
+ * The names are exported because they may be useful in your
+ * application. Packet codes which are not handled by the library
+ * have NULL for their names.
+ */
+extern const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1];
+
+/** Verifies that a packet is "well formed". \ingroup packet
+ *
+ * This function performs basic validation to see if the packet is
+ * well formed. It is automatically called by nr_packet_decode().
+ *
+ * @param[in] packet A pointer to the ::RADIUS_PACKET data.
+ * @return <0 means malformed, >= 0 means well-formed.
+ */
+extern int nr_packet_ok(RADIUS_PACKET *packet);
+
+/** Verifies that a packet is "well formed". \ingroup packet
+ *
+ * This function performs basic validation to see if the packet is
+ * well formed. You should normally use nr_packet_ok() instead of
+ * this function.
+ *
+ * @param[in] data A pointer to the raw packet data.
+ * @param[in] sizeof_data The length of the raw packet data
+ * @return <0 means malformed, >= 0 means well-formed.
+ */
+extern int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data);
+
+/** Encodes a packet. \ingroup packet
+ *
+ * This function encodes a packet using the fields of the
+ * ::RADIUS_PACKET structure. The RADIUS_PACKET::code and
+ * RADIUS_PACKET::id fields are used to fill in the relevant fields
+ * of the raw (encoded) packet. The RADIUS_PACKET::vps list is
+ * walked to encode the attributes. The packet is signed, if
+ * required.
+ *
+ * The raw packet is placed into the RADIUS_PACKET::data field, up to
+ * RADIUS_PACKET::sizeof_data bytes. the RADIUS_PACKET::length field
+ * is updated with the length of the raw packet. This field is
+ * always less than, or equal to, the RADIUS_PACKET::size_data field.
+ * If there is insufficient room to store all of the attributes, then
+ * some attributes are silently discarded.
+ *
+ * The RADIUS_PACKET::vector field is either calculated as part of
+ * the signing process, or is initialized by this function to be a
+ * random sequence of bytes. That field should therefore be left
+ * alone by the caller.
+ *
+ * When the encoding has been successful, it sets the
+ * RADIUS_PACKET::encoded field to non-zero.
+ *
+ * In addition, all required attribute "encryption" is performed.
+ *
+ * User-Password. The vp_strvalue field is assumed to contain the
+ * "clear-text" version of the password. The encrypted version is
+ * calculated, and placed in the packet.
+ *
+ * CHAP-Password. The vp_strvalue field is assumed to contain the
+ * "clear-text" version of the password. The encrypted version is
+ * calculated, and placed in the packet. If the RADIUS_PACKET::vps
+ * list contains a CHAP-Challenge attribute, it is used. Otherwise
+ * the RADIUS_PACKET::vector field is used a the challenge.
+ *
+ * Message-Authenticator. The contents of the Message-Authenticator
+ * in the RADIUS_PACKET::vps list are ignored. Instead, a
+ * "place-holder" is put into the packt. Tthe correct value is
+ * calculated and placed into the packet by nr_packet_sign().
+ *
+ * The RADIUS_PACKET::vps list is left untouched by this function,
+ * even when attribute encryption or signing is performed. Any
+ * VALUE_PAIR structures can therefore be taken from static "const"
+ * variables.
+ *
+ * @param[in] packet The RADIUS packet to encode.
+ * @param[in] original The original request, when encoding a response.
+ * @return <0 on error, >= 0 on success.
+ */
+extern int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Decodes a packet. \ingroup packet
+ *
+ * This function decodes a packet from the RADIUS_PACKET::data field
+ * into a sequence of ::VALUE_PAIR structures in the
+ * RADIUS_PACKET::vps list.
+ *
+ * @param[in] packet The RADIUS packet to decode.
+ * @param[in] original The original request, when decoding a response.
+ * @return <0 on error, >= 0 on success.
+ */
+extern int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Signs a packet so that it can be sent. \ingroup packet
+ *
+ * This function calculates the Message-Authenticator (if required),
+ * and signs the packet.
+ *
+ * @param[in] packet The RADIUS packet to sign.
+ * @param[in] original The original request, when signing a response.
+ * @return <0 on error, >= 0 on success.
+ */
+extern int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original);
+
+/** Verifies that a packet is well-formed and contains the correct signature. \ingroup packet
+ *
+ * If "original" is specified, it also verifies that the packet is a
+ * response to the original request, and that it has the correct
+ * signature.
+ *
+ * @param[in] packet The RADIUS packet to verify.
+ * @param[in] original The original request, when verifying a response.
+ * @return <0 on error, >= 0 on success.
+ */
+extern int nr_packet_verify(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original);
+
+/** Pretty-prints a hex dump of a RADIUS packet. \ingroup packet print
+ *
+ * This function is available only in debugging builds of the
+ * library. It is useful during development, but should not be used
+ * in a production system.
+ *
+ * The packet headers are printed individually, and each attribute is
+ * printed as "type length data..."
+ *
+ * @param[in] packet The RADIUS packet to print
+ */
+extern void nr_packet_print_hex(RADIUS_PACKET *packet);
+
+
+/** Return the given number of random bytes. \ingroup custom
+ *
+ * This function should be replaced by one that is specific to your
+ * system.
+ *
+ * This is a wrapper function which enables the library to be more
+ * portable.
+ *
+ * @param[in] data Location where the random bytes will be stored
+ * @param[in] data_len Number of bytes to store
+ * @return <0 on error, or the total number of bytes stored.
+ */
+extern ssize_t nr_rand_bytes(uint8_t *data, size_t data_len);
+
+/** Return a random 32-bit integer. \ingroup custom
+ *
+ * This function should be replaced by one that is specific to your
+ * system. The version supplied here just calls nr_rand_bytes() each
+ * time, which is slow.
+ *
+ * This is a wrapper function which enables the library to be more
+ * portable.
+ *
+ * @return An unsigned 32-bit random integer.
+ */
+extern uint32_t nr_rand(void);
+
+/** Add a time to the given ::struct timeval. \ingroup custom
+ *
+ * This is a wrapper function which enables the library to be more
+ * portable.
+ *
+ * @param[in,out] t The timeval to which the time is added.
+ * @param[in] seconds Time in seconds to add
+ * @param[in] usec Time in microseconds to add
+ */
+extern void nr_timeval_add(struct timeval *t, unsigned int seconds,
+ unsigned int usec);
+
+/** Compare two times. \ingroup custom
+ *
+ * This is a wrapper function which enables the library to be more
+ * portable.
+ *
+ * @param[in] a One timeval
+ * @param[in] b Another one
+ * @return a <=> b
+ */
+extern int nr_timeval_cmp(const struct timeval *a, const struct timeval *b);
+
+/** Initializes an ::nr_server_t. \ingroup id
+ *
+ * @param[in,ut] s The ::nr_server_t to initialize
+ * @param[in] code The packet code used for packets sent to this server
+ * @param[in] secret The shared secret used for packet sent to this server
+ * @return <0 for error, >= 0 for success
+ */
+extern int nr_server_init(nr_server_t *s, int code, const char *secret);
+
+/** Closes an ::nr_server_t data structure. \ingroup id
+ *
+ * Ensures that all IDs are free, and closes the socket.
+ *
+ * @param[in] s The server structure to close.
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_close(const nr_server_t *s);
+
+/** Allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id
+ *
+ * This function allocates a RADIUS_PACKET::id from the ::nr_server_t
+ * structure. It also fills in the RADIUS_PACKET::sockfd,
+ * RADIUS_PACKET::code, and RADIUS_PACKET::dst fields.
+ *
+ * @param[in] s The server structure which tracks the ID
+ * @param[in] packet The packet which needs an ID
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_alloc(nr_server_t *id, RADIUS_PACKET *packet);
+
+/** Re-allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id
+ *
+ * It is used when retransmitting an Accounting-Request packet to a
+ * server, after updating the Acct-Delay-Time field. The "realloc"
+ * name means that the new ID is allocated, and is guaranteed to be
+ * different from the old one.
+ *
+ * @param[in] s The server structure which tracks the ID
+ * @param[in] packet The packet which needs a new ID
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_realloc(nr_server_t *id, RADIUS_PACKET *packet);
+
+/** Free a RADIUS_PACKET::id value after sending a packet to a server. \ingroup id
+ *
+ * @param[in] s The server structure which tracks the ID
+ * @param[in] packet The packet which has an ID, and wants to free it
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_id_free(nr_server_t *id, RADIUS_PACKET *packet);
+
+
+/** Allocates a packet using malloc(), and initializes it. \ingroup id
+ *
+ * @param[in] s The server structure
+ * @param[in,out] packet_p Pointer to the ::RADIUS_PACKET to be allocated
+ * @return <0 for error, 0 for success
+ */
+extern int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p);
+
+/** Record a humanly readable error message. \ingroup error
+ *
+ * \attention This structure should only be accessed by internal
+ * RADIUS library functions.
+ *
+ * @param[in] fmt The format to use.
+ */
+extern void nr_strerror_printf(const char *fmt, ...);
+
+#ifndef NDEBUG
+#define nr_debug_error nr_strerror_printf /** \ingroup error */
+#else
+#define nr_debug_error if (0) nr_strerror_printf
+#endif
+
+/** Encrypts or decrypts a User-Password attribute. \ingroup internal
+ *
+ * \attention This structure should only be accessed by internal
+ * RADIUS library functions.
+ *
+ * @param[out] output Buffer where the password is stored
+ * @param[out] outlen Size of the output buffer
+ * @param[in] input Input buffer with password
+ * @param[in] inlen Length of the input buffer
+ * @param[in] secret The shared secret
+ * @param[in] vector Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_password_encrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector);
+
+/** Encrypts a Tunnel-Password attribute. \ingroup internal
+ *
+ * \attention This structure should only be accessed by internal
+ * RADIUS library functions.
+ *
+ * @param[out] output Buffer where the password is stored
+ * @param[out] outlen Size of the output buffer
+ * @param[in] input Input buffer with password
+ * @param[in] inlen Length of the input buffer
+ * @param[in] secret The shared secret
+ * @param[in] vector Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector);
+
+/** Decrypts a Tunnel-Password attribute. \ingroup internal
+ *
+ *
+ * \attention This structure should only be accessed by internal
+ * RADIUS library functions.
+ *
+ * @param[out] output Buffer where the password is stored
+ * @param[out] outlen Size of the output buffer
+ * @param[in] input Input buffer with password
+ * @param[in] inlen Length of the input buffer
+ * @param[in] secret The shared secret
+ * @param[in] vector Authentication vector
+ * @return <0 on error, or the length of data in "output"
+ */
+extern ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector);
+
+/** Calculates an HMAC-MD5. \ingroup internal
+ *
+ * @param[in] data Data to be hashed
+ * @param[in] data_len Length of data to be hashed
+ * @param[in] key Key for the HMAC
+ * @param[in] key_len Length of the key
+ * @param[out] digest
+ */
+extern void nr_hmac_md5(const uint8_t *data, size_t data_len,
+ const uint8_t *key, size_t key_len,
+ uint8_t digest[16]);
+
+/** Checks if a TLV is properly formatted. \ingroup internal
+ *
+ * \attention This structure should only be accessed by internal
+ * RADIUS library functions.
+ *
+ * @param[in] data Data to check
+ * @param[in] length Length of the data field
+ * @param[in] dv_type Length of the TLV "type" field
+ * @param[in] dv_length Length of the TLV "length" field
+ * @return <0 on error, 0 for "TLV is OK"
+ */
+extern int nr_tlv_ok(const uint8_t *data, size_t length,
+ size_t dv_type, size_t dv_length);
+
+/** A callback function used by nr_packet_walk(). \ingroup packet
+ *
+ * The function should return 0 on success (i.e. keep walking), and
+ * otherwise a negative number indicating an error code
+ * (::nr_error_t). That negative number will be used as the return
+ * code for nr_packet_walk().
+ */
+typedef int (*nr_packet_walk_func_t)(void *, const DICT_ATTR *, const uint8_t *, size_t);
+
+/** Walks over all attributes in a packet. \ingroup packet
+ *
+ * This function is an iterator which calls a user-supplied callback
+ * function for each attribute in the packet. It should be used
+ * instead of manually walking over the attributes. There are a
+ * number of odd corner cases when handling Vendor-Specific
+ * attributes, and it is easy to get those corner cases wrong.
+ *
+ * This function iterates over *all* attributes, including nested
+ * VSAs. That is its main value.
+ *
+ * Encrypted attributes such as User-Password are not decrypted.
+ *
+ * @param[in] packet The packet containing the data
+ * @param[in] ctx A user-supplied context. May be NULL
+ * @param[in] callback The callback function where the information is passed.
+ *
+ * @return <0 for error,
+ * 0 for success.
+ */
+extern int nr_packet_walk(RADIUS_PACKET *packet, void *ctx,
+ nr_packet_walk_func_t callback);
+
+/** Initialize a packet
+ *
+ * If original is specified, the packet is initialized as a response
+ * to the original request.
+ *
+ * @param[in,out] packet The packet to initialize
+ * @param[in] original The original request (if any) to use as a template
+ * @param[in] secret Shared secret
+ * @param[in] code RADIUS Code field.
+ * @param[in] data Buffer where packets will be stored (RADIUS_PACKET::data)
+ * @param[in] sizeof_data Size of buffer (RADIUS_PACKET::sizeof_data)
+ * @return <0 on error, 0 for success.
+ */
+extern int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const char *secret, int code,
+ void *data, size_t sizeof_data);
+
+/** Add one attribute to the packet.
+ *
+ * This function can be used to add "raw" data to a packet. It
+ * allows the caller to extend the RADIUS packet without using a
+ * ::VALUE_PAIR data structure.
+ *
+ * Some attributes are handled specially by this function.
+ *
+ * EAP-Message. This attribute is automatically split into 253-octet
+ * chunks.
+ *
+ * User-Password, CHAP-Password, and Message-Authenticator. These
+ * attributes are automatically encrypted, as is done by
+ * nr_packet_encode().
+ *
+ * @param[in] packet The packet to edit
+ * @param[in] original The original request (if any)
+ * @param[in] da Pointer to the attribute definition
+ * @param[in] data Data to append to the packet
+ * @param[in] data_len Length of data to append to the packet
+ *
+ * @return <0 for error, >= 0 for "successfully appended data"
+ * The function returns the number of octets appended to the packet.
+ */
+extern ssize_t nr_packet_attr_append(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const DICT_ATTR *da,
+ const void *data, size_t data_len);
+
+
+/** Encodes any ::VALUE_PAIR into an attribute. \ingroup attr
+ *
+ * This function can be called for any ::VALUE_PAIR. It will examine
+ * that structure, and call one of nr_vp2rfc() or nr_vp2vsa() as
+ * necessary.
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] room How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2attr(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp, uint8_t *data, size_t room);
+
+/** Encodes an RFC "standard" ::VALUE_PAIR into an attribute. \ingroup attr
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] room How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp,
+ uint8_t *data, size_t room);
+
+/** Decodes any attribute into a ::VALUE_PAIR. \ingroup attr
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] length How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp);
+
+/** Decodes an RFC "standard" attribute into a ::VALUE_PAIR. \ingroup attr
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] length How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp);
+
+/** Decodes a Vendor-Specific attribute into a ::VALUE_PAIR. \ingroup attr
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] length How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp);
+
+/** Decodes an attribute with an unexpected length into a ::VALUE_PAIR. \ingroup attr
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet The packet containing the attribute to be decoded.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] length How many octets are available for attribute decoding.
+ *
+ * @return <0 for error, or the number of octets used to decode the attribute.
+ */
+extern ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const uint8_t *data, size_t length,
+ VALUE_PAIR **pvp);
+
+/** Encodes a Vendor-Specific ::VALUE_PAIR into an attribute.
+ *
+ * \attention This function should not be called.
+ *
+ * @param[in] packet Where to place the encoded attribute.
+ * @param[in] original The original request (optional), if "packet" is a response
+ * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded.
+ * @param[in] data Where the attribute is to be encoded.
+ * @param[in] room How many octets are available for attribute encoding.
+ *
+ * @return <0 for error, or the number of octets used to encode the attribute.
+ */
+extern ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const VALUE_PAIR **pvp, uint8_t *data,
+ size_t room);
+
+/** Returns raw data from the RADIUS packet, for a given attribute. \ingroup attr
+ *
+ * This function can be called repeatedly to find all instances of a
+ * given attribute. The first time it is called, the "start"
+ * parameter should be zero. If the function returns a non-zero
+ * positive number, it means that there *may* be more attributes
+ * available. The returned value should be then passed via the
+ * "start" option in any subsequent calls to the function.
+ *
+ * This function should be called by an application when it wants
+ * access to data which is not in the pre-defined dictionaries.
+ *
+ * @param[in] packet The packet containing the attribute.
+ * @param[in] start Where in the packet we start searching for the attribute.
+ * @param[in] attr Value of the attribute to search for
+ * @param[in] vendor Value of the vendor (use 0 for IETF attributes)
+ * @param[out] pdata Pointer to the data. If no data was found, the pointer is unchanged.
+ * @param[out] plength Length of the data. If no data was found, the value pointed to is unchanged.
+ *
+ * @return <0 for error,
+ * 0 for "no attribute found, stop searching"
+ * >0 offset where the attribute was found.
+ */
+extern ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start,
+ unsigned int attr, unsigned int vendor,
+ const uint8_t **pdata, size_t *plength);
+
+/** Pretty-print the entire ::VALUE_PAIR \ingroup print
+ *
+ * All data is printed in ASCII format. The data type of "octets" is
+ * printed as a hex string (e.g. 0xabcdef01...). The data type of
+ * "ipaddr" is printed as a dotted-quad (e.g. 192.0.2.15).
+ *
+ * The format is "Attribute-Name = value"
+ *
+ * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored
+ * @param[in] bufsize size of the output buffer
+ * @param[in] vp ::VALUE_PAIR to print
+ * @return length of data in buffer
+ */
+extern size_t nr_vp_snprintf(char *buffer, size_t bufsize, const VALUE_PAIR *vp);
+
+/** Pretty-print the VALUE_PAIR::data field \ingroup print
+ *
+ * Prints the value of a ::VALUE_PAIR, without the name or "=" sign.
+ *
+ * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored
+ * @param[in] bufsize size of the output buffer
+ * @param[in] vp ::VALUE_PAIR to print
+ * @return length of data in buffer
+ */
+extern size_t nr_vp_snprintf_value(char *buffer, size_t bufsize, const VALUE_PAIR *vp);
+
+/** Prints a list of :VALUE_PAIR structures to the given output. \ingroup print
+ *
+ * @param[in] fp Where to print the results
+ * @param[in] vps Linked list of ::VALUE_PAIR to print
+ */
+extern void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps);
+
+/** Scan a string into a ::VALUE_PAIR. The counterpart to
+ * nr_vp_snprintf_value() \ingroup print
+ *
+ * @param[in] string Printable version of the ::VALUE_PAIR
+ * @param[out] pvp Newly allocated ::VALUE_PAIR
+ * @return <0 on error, 0 for success.
+ */
+extern int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp);
+
+/** Scan the data portion of a ::VALUE_PAIR. The counterpart to
+ * nr_vp_snprintf_value() \ingroup print
+ *
+ * @param[in,out] vp The ::VALUE_PAIR where the data will be stored
+ * @param[in] value The string version of the data to be parsed
+ * @return <0 on error, >=0 for the number of characters parsed in value.
+ */
+extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value);
+
+#if defined(__GNUC__)
+# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1)))
+# define NEVER_RETURNS __attribute__ ((noreturn))
+# define UNUSED __attribute__ ((unused))
+# define BLANK_FORMAT " " /* GCC_LINT whines about empty formats */
+#else
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define PRINTF_LIKE(n)
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define NEVER_RETURNS
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define UNUSED
+
+/** Macro used to quiet compiler warnings inside of the library. \ingroup build
+ *
+ */
+# define BLANK_FORMAT ""
+#endif
+
+#endif /* _RADIUS_CLIENT_H_ */
diff --git a/lib/radius/common.pl b/lib/radius/common.pl
new file mode 100644
index 0000000..7042fe5
--- /dev/null
+++ b/lib/radius/common.pl
@@ -0,0 +1,220 @@
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of the <organization> nor the
+# names of its contributors may be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+our %attributes;
+our %vendor;
+our %vendorpec;
+our $begin_vendor = 0;
+
+$vendorpec{'0'} = "IETF";
+
+sub do_file()
+{
+ my $filename = shift;
+ my $fh;
+
+ $dir = $filename;
+ $dir =~ s:/[^/]+?$::;
+ $lineno = 0;
+
+ open $fh, "<$filename" or die "Failed to open $filename: $!\n";
+
+ while (<$fh>) {
+ $lineno++;
+ next if (/^\s*#/);
+ next if (/^\s*$/);
+ s/#.*//;
+ s/\s+$//;
+
+ next if ($_ eq "");
+
+ #
+ # Remember the vendor
+ #
+ if (/^VENDOR\s+([\w-]+)\s+(\w+)(.*)/) {
+ my $me = $1;
+
+ $vendor{$me}{'pec'} = $2;
+ $vendorpec{$2} = $me;
+
+ $vendor{$me}{'type'} = 1;
+ $vendor{$me}{'length'} = 1;
+
+ if ($3) {
+ $format=$3;
+ $format =~ s/^\s+//;
+
+ if ($format !~ /^format=(\d+),(\d+)$/) {
+ die "Unknown format $format\n";
+ }
+ $vendor{$me}{'type'} = $1;
+ $vendor{$me}{'length'} = $2;
+ }
+ next;
+ }
+
+ #
+ # Remember if we did begin-vendor.
+ #
+ if (/^BEGIN-VENDOR\s+([\w-]+)/) {
+ if (!defined $vendor{$1}) {
+ die "Unknown vendor $1\n";
+ }
+ $begin_vendor = $vendor{$1}{'pec'};
+ next;
+ }
+
+ #
+ # Remember if we did this.
+ #
+ if (/^END-VENDOR/) {
+ $begin_vendor = 0;
+ next;
+ }
+
+ #
+ # Get attribute.
+ #
+ if (/^ATTRIBUTE\s+([\w-\/.]+)\s+(\w+)\s+(\w+)(.*)/) {
+ $name=$1;
+ $value = $2;
+ $type = $3;
+ $stuff = $4;
+
+ $value =~ tr/[A-F]/[a-f]/; # normal form for hex
+ $value =~ tr/X/x/;
+
+ if ($value =~ /^0x/) {
+ $index = hex $value;
+ } else {
+ $index = $value;
+ }
+
+ next if (($begin_vendor == 0) && ($index > 255));
+
+ $index += ($begin_vendor << 16);
+
+ $attributes{$index}{'name'} = $name;
+ $attributes{$index}{'value'} = $value;
+ if ($begin_vendor ne "") {
+ $attributes{$index}{'vendor'} = $begin_vendor;
+ }
+
+ $type =~ tr/a-z/A-Z/;
+ $attributes{$index}{'type'} = "RS_TYPE_$type";
+
+ $stuff =~ s/^\s*//;
+
+ if ($stuff) {
+ foreach $text (split /,/, $stuff) {
+ if ($text eq "encrypt=1") {
+ $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_USER_PASSWORD";
+ } elsif ($text eq "encrypt=2") {
+ $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_TUNNEL_PASSWORD";
+
+ } elsif ($text eq "encrypt=3") {
+ $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_ASCEND_SECRET";
+
+ } elsif ($text eq "has_tag") {
+ $attributes{$index}{'flags'}{'has_tag'} = "1";
+
+ } elsif ($text =~ /\[(\d+)\]/) {
+ $attributes{$index}{'flags'}{'length'} = $1;
+
+ } else {
+ die "$filename: $lineno - Unknown flag $text\n";
+ }
+ }
+ }
+
+ if ($type eq "BYTE") {
+ $attributes{$index}{'flags'}{'length'} = "1";
+
+ } elsif ($type eq "SHORT") {
+ $attributes{$index}{'flags'}{'length'} = "2";
+
+ } elsif ($type eq "INTEGER") {
+ $attributes{$index}{'flags'}{'length'} = "4";
+
+ } elsif ($type eq "IPADDR") {
+ $attributes{$index}{'flags'}{'length'} = "4";
+
+ } elsif ($type eq "DATE") {
+ $attributes{$index}{'flags'}{'length'} = "4";
+
+ } elsif ($type eq "IFID") {
+ $attributes{$index}{'flags'}{'length'} = "8";
+
+ } elsif ($type eq "IPV6ADDR") {
+
+ $attributes{$index}{'flags'}{'length'} = "16";
+ }
+
+ $name2val{$name} = $index;
+ next;
+ }
+
+ #
+ # Values.
+ #
+ if (/^VALUE\s+([\d\w-\/.]+)\s+([\w-\/,.+]+)\s+(\w+)(.*)/) {
+ next;
+
+ $attr = $1;
+ $name = $2;
+ $value = $3;
+ $stuff = $d;
+
+ $value =~ tr/[A-F]/[a-f]/; # normal form for hex
+ $value =~ tr/X/x/;
+
+ if ($value =~ /^0x/) {
+ $index = hex $value;
+ } else {
+ $index = $value;
+ }
+
+ if (!defined $name2val{$attr}) {
+ print "# FIXME: FORWARD REF?\nVALUE $attr $name $value$stuff\n";
+ next;
+ }
+
+ $values{$name2val{$attr}}{$index} = "$attr $name $value$stuff";
+ next;
+ }
+
+ if (/^\$INCLUDE\s+(.*)$/) {
+ do_file("$dir/$1");
+ next;
+ }
+
+ die "unknown text in line $lineno of $filename: $_\n";
+ }
+
+ close $fh;
+}
+
+1;
diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl
new file mode 100755
index 0000000..7ca424e
--- /dev/null
+++ b/lib/radius/convert.pl
@@ -0,0 +1,197 @@
+#!/usr/bin/env perl
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of the <organization> nor the
+# names of its contributors may be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+#
+# Converts dictionaries to C structures. Does not yet do "VALUE"s.
+#
+# Usage: ./convert.pl dictionary ...
+#
+# Reads input dictionaries, and outputs "radius.h" and "dictionaries.c"
+#
+# $Id$
+#
+require "common.pl";
+
+#
+# Read all of the dictionaries
+#
+while (@ARGV) {
+ $filename = shift;
+ do_file($filename);
+}
+
+#
+# For speed, the dictionary data structures have the first 256
+# attributes at fixed offsets in the array. If the user didn't
+# define them, then we set them here to be "raw" or unknown.
+#
+foreach $attr_val (0..255) {
+ next if defined $attributes{$attr_val};
+
+ $attributes{$attr_val}{'raw'} = 1;
+}
+
+if (scalar keys %attributes == 0) {
+ die "No attributes were defined\n";
+}
+
+
+open DICT, ">dictionaries.c" or die "Failed creating dictionaries.c: $!\n";
+
+#
+# Print out the data structues for the vendors.
+#
+if (scalar keys %vendor > 0) {
+ print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n";
+ foreach $v (sort keys %vendor) {
+ print DICT " { \n";
+ print DICT " " . $vendor{$v}{'pec'} . ", \n";
+ print DICT " " . $vendor{$v}{'type'} . ",\n";
+ print DICT " " . $vendor{$v}{'length'} . ",\n";
+ print DICT " \"" . $v, "\"\n";
+ print DICT " },\n";
+ }
+ print DICT " { \n";
+ print DICT " 0,\n";
+ print DICT " 0,\n";
+ print DICT " 0,\n";
+ print DICT " NULL\n";
+ print DICT " },\n";
+ print DICT "};\n\n";
+}
+
+# needed for later.
+$vendor{""}{'pec'} = 0;
+
+sub printAttrFlag
+{
+ my $tmp = $attributes{$attr_val}{'flags'}{$_[0]};
+
+ if (!$tmp) {
+ $tmp = 0;
+ }
+
+ print DICT $tmp . ", ";
+}
+
+#
+# Print DICT out the attributes sorted by number.
+#
+my $offset = 0;
+my $num_names = 0;
+print DICT "const DICT_ATTR nr_dict_attrs[] = {\n";
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+ print DICT " { /* $offset */ \n";
+
+ if (defined $attributes{$attr_val}{'raw'}) {
+ print DICT " 0\n",
+ } else {
+ print DICT " ", $attributes{$attr_val}{'value'}, ", \n";
+ print DICT " ", $attributes{$attr_val}{'type'}, ", \n";
+ print DICT " ", $attributes{$attr_val}{'vendor'}, ", \n";
+ print DICT " { ";
+ &printAttrFlag('has_tag');
+ &printAttrFlag('unknown');
+# &printAttrFlag('has_tlv');
+# &printAttrFlag('is_tlv');
+ &printAttrFlag('extended');
+ &printAttrFlag('extended_flags');
+ &printAttrFlag('evs');
+ &printAttrFlag('encrypt');
+ &printAttrFlag('length');
+ print DICT "},\n";
+ print DICT " \"", $attributes{$attr_val}{'name'}, "\", \n";
+ $num_names++;
+ }
+
+ $attributes{$attr_val}{'offset'} = $offset++;
+
+ print DICT " },\n";
+
+}
+print DICT "};\n\n";
+
+print DICT "const int nr_dict_num_attrs = ", $offset - 1, ";\n\n";
+print DICT "const int nr_dict_num_names = ", $num_names - 1, ";\n\n";
+
+my $offset = 0;
+print DICT "const DICT_ATTR *nr_dict_attr_names[] = {\n";
+foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'name'})} keys %attributes) {
+ next if (defined $attributes{$attr_val}{'raw'});
+
+ print DICT " &nr_dict_attrs[", $attributes{$attr_val}{'offset'}, "], /* ", $attributes{$attr_val}{'name'}, " */\n";
+}
+
+print DICT "};\n\n";
+close DICT;
+
+open HDR, ">../include/radsec/radius.h" or die "Failed creating radius.c: $!\n";
+
+print HDR "/* Automatically generated file. Do not edit */\n\n";
+
+foreach $v (sort keys %vendor) {
+ next if ($v eq "");
+
+ $name = $v;
+ $name =~ tr/a-z/A-Z/; # uppercase
+ $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _
+
+ print HDR "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n";
+}
+print HDR "\n";
+
+$begin_vendor = -1;
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+ next if (defined $attributes{$attr_val}{'raw'});
+
+ if ($attributes{$attr_val}{'vendor'} != $begin_vendor) {
+ print HDR "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n";
+ $begin_vendor = $attributes{$attr_val}{'vendor'};
+ }
+
+ $name = $attributes{$attr_val}{'name'};
+ $name =~ tr/a-z/A-Z/;
+ $name =~ tr/A-Z0-9/_/c;
+
+ print HDR "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n";
+}
+print HDR "\n";
+
+print HDR "/* Fixed offsets to dictionary definitions of attributes */\n";
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+ next if (defined $attributes{$attr_val}{'raw'});
+
+ $name = $attributes{$attr_val}{'name'};
+ $name =~ tr/a-z/A-Z/;
+ $name =~ tr/-/_/;
+
+ print HDR "#define RS_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n";
+}
+
+print HDR "/* Automatically generated file. Do not edit */\n";
+
+close HDR;
diff --git a/lib/radius/crypto.c b/lib/radius/crypto.c
new file mode 100644
index 0000000..21cc7d0
--- /dev/null
+++ b/lib/radius/crypto.c
@@ -0,0 +1,233 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file crypto.c
+ * \brief Data obfuscation and signing, using MD5.
+ *
+ * The "encryption" methods defined here are export-safe. The
+ * technical cryptography name for these functions is "obfuscation".
+ * They cannot properly be called "encryption", in the same way that
+ * DES or AES performs encryption.
+ */
+
+/** \cond PRIVATE */
+
+#include "client.h"
+
+
+ssize_t nr_password_encrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector)
+{
+ size_t i, j, len;
+ uint8_t digest[16];
+ RS_MD5_CTX ctx, secret_ctx;
+
+ if (!output || (outlen < 16) || !input || (inlen == 0) ||
+ !secret || !vector) {
+ return -RSE_INVAL;
+ }
+
+ len = inlen;
+ if (len > 128) return -RSE_ATTR_OVERFLOW;
+
+ len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */
+
+ if (outlen < len) return -RSE_ATTR_OVERFLOW;
+
+ memcpy(output, input, len);
+ memset(output + len, 0, 128 - len);
+
+ RS_MD5Init(&secret_ctx);
+ RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+ for (j = 0; j < len; j += 16) {
+ ctx = secret_ctx;
+
+ if (j == 0) {
+ RS_MD5Update(&ctx, vector, 16);
+ RS_MD5Final(digest, &ctx);
+ } else {
+ RS_MD5Update(&ctx, &output[j - 16], 16);
+ RS_MD5Final(digest, &ctx);
+ }
+
+ for (i = 0; i < 16; i++) {
+ output[i + j] ^= digest[i];
+ }
+ }
+
+ return len;
+}
+
+#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD
+ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector)
+{
+ size_t i, j, len;
+ RS_MD5_CTX ctx, secret_ctx;
+ uint8_t digest[16];
+
+ if (!output || (outlen < 18) || !input || (inlen == 0) ||
+ !secret || !vector) {
+ return -RSE_INVAL;
+ }
+
+ len = ((inlen + 1) + 0x0f) & ~0x0f;
+ if (len > 251) return -RSE_ATTR_OVERFLOW;
+
+ output[0] = (nr_rand() & 0xff) | 0x80;
+ output[1] = nr_rand() & 0xff;
+ output[2] = inlen;
+
+ memcpy(output + 3, input, inlen);
+ memset(output + 3 + inlen, 0, len - inlen - 1);
+
+ RS_MD5Init(&secret_ctx);
+ RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+ for (j = 0; j < len; j += 16) {
+ ctx = secret_ctx;
+
+ if (j == 0) {
+ RS_MD5Update(&ctx, vector, 16);
+ RS_MD5Update(&ctx, output, 2);
+ RS_MD5Final(digest, &ctx);
+ } else {
+ RS_MD5Update(&ctx, &output[j + 2 - 16], 16);
+ RS_MD5Final(digest, &ctx);
+ }
+
+ for (i = 0; i < 16; i++) {
+ output[i + j + 2] ^= digest[i];
+ }
+ }
+
+ return len + 2;
+}
+
+ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen,
+ const uint8_t *input, size_t inlen,
+ const char *secret, const uint8_t *vector)
+{
+ size_t i, j, len, encoded_len;
+ RS_MD5_CTX ctx, secret_ctx;
+ uint8_t digest[16];
+
+ if (!output || (outlen < 1) || !input || (inlen < 2) ||
+ !secret || !vector) {
+ return -RSE_INVAL;
+ }
+
+ if (inlen <= 3) {
+ output[0] = 0;
+ return 0;
+ }
+
+ len = inlen - 2;
+
+ if (outlen < (len - 1)) return -RSE_ATTR_OVERFLOW;
+
+ RS_MD5Init(&secret_ctx);
+ RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret));
+
+ ctx = secret_ctx;
+
+ RS_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */
+ RS_MD5Update(&ctx, input, 2);
+ RS_MD5Final(digest, &ctx);
+
+ encoded_len = input[2] ^ digest[0];
+ if (encoded_len >= len) {
+ return -RSE_ATTR_TOO_LARGE;
+ }
+
+ for (i = 0; i < 15; i++) {
+ output[i] = input[i + 3] ^ digest[i + 1];
+ }
+
+ for (j = 16; j < len; j += 16) {
+ ctx = secret_ctx;
+
+ RS_MD5Update(&ctx, input + j - 16 + 2, 16);
+ RS_MD5Final(digest, &ctx);
+
+ for (i = 0; i < 16; i++) {
+ output[i + j - 1] = input[i + j + 2] ^ digest[i];
+ }
+
+
+ }
+
+ output[encoded_len] = '\0';
+ return encoded_len;
+}
+#endif
+
+void
+nr_hmac_md5(const uint8_t *data, size_t data_len,
+ const uint8_t *key, size_t key_len,
+ uint8_t digest[16])
+{
+ size_t i;
+ uint8_t k_ipad[64];
+ uint8_t k_opad[64];
+ uint8_t tk[16];
+ RS_MD5_CTX ctx;
+
+ if (key_len > 64) {
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, key, key_len);
+ RS_MD5Final(tk, &ctx);
+
+ key = tk;
+ key_len = 16;
+ }
+
+ memset(k_ipad, 0, sizeof(k_ipad));
+ memset(k_opad, 0, sizeof(k_opad));
+ memcpy(k_ipad, key, key_len);
+ memcpy(k_opad, key, key_len);
+
+ for (i = 0; i < sizeof(k_ipad); i++) {
+ k_ipad[i] ^= 0x36;
+ k_opad[i] ^= 0x5c;
+ }
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, k_ipad, sizeof(k_ipad));
+ RS_MD5Update(&ctx, data, data_len);
+ RS_MD5Final(digest, &ctx);
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, k_opad, sizeof(k_opad));
+ RS_MD5Update(&ctx, digest, 16);
+ RS_MD5Final(digest, &ctx);
+}
+
+/** \endcond */
diff --git a/lib/radius/custom.c b/lib/radius/custom.c
new file mode 100644
index 0000000..917939a
--- /dev/null
+++ b/lib/radius/custom.c
@@ -0,0 +1,163 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Copyright (c) 2006 Kungliga Tekniska HAÎåÎÝgskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/** \file custom.c
+ * \brief Functions which should be customized for your local system.
+ */
+
+#include "client.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#ifdef WIN32
+#include <wincrypt.h>
+
+volatile static HCRYPTPROV nr_cryptprovider = 0;
+
+static HCRYPTPROV
+nr_CryptProvider(void)
+{
+ BOOL rv;
+ HCRYPTPROV cryptprovider = 0;
+
+ if (nr_cryptprovider != 0)
+ return nr_cryptprovider;
+
+ rv = CryptAcquireContext(&cryptprovider, NULL,
+ MS_ENHANCED_PROV, PROV_RSA_FULL,
+ 0);
+
+ if (GetLastError() == NTE_BAD_KEYSET) {
+ if(!rv)
+ rv = CryptAcquireContext(&cryptprovider, NULL,
+ MS_ENHANCED_PROV, PROV_RSA_FULL,
+ CRYPT_NEWKEYSET);
+ }
+
+ if (rv &&
+ InterlockedCompareExchangePointer((PVOID *) &nr_cryptprovider,
+ (PVOID) cryptprovider, 0) != 0) {
+
+ CryptReleaseContext(cryptprovider, 0);
+ cryptprovider = nr_cryptprovider;
+ }
+
+ return cryptprovider;
+}
+
+ssize_t nr_rand_bytes(uint8_t *data, size_t data_len)
+{
+ if (CryptGenRandom(nr_CryptProvider(), data_len, data))
+ return 0;
+ return data_len;
+}
+#else
+ssize_t nr_rand_bytes(uint8_t *data, size_t data_len)
+{
+ static int fd = -1;
+
+ if (fd < 0) {
+ fd = open("/dev/urandom", O_RDONLY);
+ if (fd < 0) {
+ nr_strerror_printf("Error opening randomness: %s",
+ strerror(errno));
+ return 0;
+ }
+ }
+
+ return read(fd, data, data_len);
+}
+#endif /* WIN32 */
+
+uint32_t nr_rand(void)
+{
+ uint32_t lvalue;
+
+ nr_rand_bytes((void *)&lvalue, sizeof(lvalue));
+ return lvalue;
+}
+
+
+#ifndef USEC
+#define USEC (1000000)
+#endif
+
+void nr_timeval_add(struct timeval *t, unsigned int seconds, unsigned int usec)
+{
+ t->tv_sec += seconds;
+ t->tv_sec += usec / USEC;
+ t->tv_usec += usec % USEC;
+ if (t->tv_usec > USEC) {
+ t->tv_sec++;
+ t->tv_usec -= USEC;
+ }
+}
+
+int nr_timeval_cmp(const struct timeval *a, const struct timeval *b)
+{
+ if (a->tv_sec > b->tv_sec) return +1;
+ if (a->tv_sec < b->tv_sec) return -1;
+
+ if (a->tv_usec > b->tv_usec) return +1;
+ if (a->tv_usec < b->tv_usec) return -1;
+
+ return 0;
+}
+
diff --git a/lib/radius/dict.c b/lib/radius/dict.c
new file mode 100644
index 0000000..fc04ee2
--- /dev/null
+++ b/lib/radius/dict.c
@@ -0,0 +1,172 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "client.h"
+#include <ctype.h>
+
+/** \file dict.c
+ * \brief Functions for name to number, and number to name mappings.
+ */
+
+const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor)
+{
+ int start, half, end;
+
+ if (!vendor && (attr > 0) && (attr < 256)) {
+ if (nr_dict_attrs[attr].name) {
+ return &nr_dict_attrs[attr];
+ }
+ return NULL;
+ }
+
+ if (!vendor) return NULL; /* no "non-protocol" attributes */
+
+ start = 256; /* first 256 entries are "standard" ones */
+ end = nr_dict_num_attrs;
+
+ do {
+ half = (start + end) / 2;
+
+ if ((nr_dict_attrs[half].vendor == vendor) &&
+ (nr_dict_attrs[half].attr == attr)) {
+ return &nr_dict_attrs[half];
+ }
+
+ if ((vendor >= nr_dict_attrs[half].vendor) &&
+ (attr > nr_dict_attrs[half].attr)) {
+ start = half + 1;
+ } else {
+ end = half - 1;
+ }
+
+ } while (start <= end);
+
+ return NULL;
+}
+
+const DICT_ATTR *nr_dict_attr_byname(const char *name)
+{
+ int start, half, end;
+
+ start = 1;
+ end = nr_dict_num_names;
+
+ if (!name || !*name) return NULL;
+
+ do {
+ int rcode;
+
+ half = (start + end) / 2;
+
+ rcode = strcasecmp(name, nr_dict_attr_names[half]->name);
+ if (rcode == 0) return nr_dict_attr_names[half];
+
+ if (rcode > 0) {
+ start = half + 1;
+ } else {
+ end = half - 1;
+ }
+
+
+ } while (start <= end);
+
+ return NULL;
+}
+
+int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor,
+ char *buffer, size_t bufsize)
+{
+ if (!da || !buffer) return -RSE_INVAL;
+
+ if (!vendor) {
+ if (attr > 256) return -RSE_INVAL;
+
+ } else if (vendor > (1 << 24)) {
+ return -RSE_INVAL;
+ }
+
+ memset(da, 0, sizeof(*da));
+ da->attr = attr;
+ da->flags.unknown = 1;
+ da->type = RS_TYPE_OCTETS;
+ da->vendor = vendor;
+
+ if (da->vendor) {
+ snprintf(buffer, bufsize, "Attr-26.%u.%u",
+ vendor, attr);
+ } else {
+ snprintf(buffer, bufsize, "Attr-%u", attr);
+ }
+ da->name = buffer;
+
+ return 0;
+}
+
+
+const DICT_VALUE *nr_dict_value_byattr(UNUSED unsigned int attr,
+ UNUSED unsigned int vendor,
+ UNUSED int value)
+{
+ return NULL;
+}
+
+const DICT_VALUE *nr_dict_value_byname(UNUSED unsigned int attr,
+ UNUSED unsigned int vendor,
+ UNUSED const char *name)
+{
+ return NULL;
+}
+
+int nr_dict_vendor_byname(const char *name)
+{
+ const DICT_VENDOR *dv;
+
+ if (!name || !*name) return 0;
+
+ /*
+ * O(n) lookup.
+ */
+ for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) {
+ if (strcasecmp(dv->name, name) == 0) return dv->vendor;
+ }
+
+ return 0;
+}
+
+const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor)
+{
+ const DICT_VENDOR *dv;
+
+ /*
+ * O(n) lookup.
+ */
+ for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) {
+ if (dv->vendor == vendor) return dv;
+ }
+
+ return NULL;
+}
diff --git a/lib/radius/doc.txt b/lib/radius/doc.txt
new file mode 100644
index 0000000..09a8415
--- /dev/null
+++ b/lib/radius/doc.txt
@@ -0,0 +1,41 @@
+/**
+
+\file doc.txt
+\brief The main documentation.
+
+\mainpage The Network RADIUS Client Library
+
+This client library is intended for use in embedded systems. It is
+small with a simple API, yet has more functionality than most
+commercial or Open Source products.
+
+\section License
+
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+\ref dictionaries.txt "Dictionaries and dictionary formats"
+
+*/
diff --git a/lib/radius/doxygen.conf b/lib/radius/doxygen.conf
new file mode 100644
index 0000000..e310771
--- /dev/null
+++ b/lib/radius/doxygen.conf
@@ -0,0 +1,1417 @@
+# Doxyfile 1.5.6
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+# TAG = value [value, ...]
+# For lists items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the
+# iconv built into libc) for the transcoding. See
+# http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+DOXYFILE_ENCODING = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
+# by quotes) that should identify the project.
+
+PROJECT_NAME = networkclient
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# This could be handy for archiving the generated documentation or
+# if some version control system is used.
+
+PROJECT_NUMBER =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
+# base path where the generated documentation will be put.
+# If a relative path is entered, it will be relative to the location
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY =
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
+# 4096 sub-directories (in 2 levels) under the output directory of each output
+# format and will distribute the generated files over these directories.
+# Enabling this option can be useful when feeding doxygen a huge amount of
+# source files, where putting all generated files in the same directory would
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# The default language is English, other supported languages are:
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional,
+# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek,
+# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish,
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish,
+# and Ukrainian.
+
+OUTPUT_LANGUAGE = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
+# include brief member descriptions after the members that are listed in
+# the file and class documentation (similar to JavaDoc).
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
+# the brief description of a member or function before the detailed description.
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator
+# that is used to form the text in various listings. Each string
+# in this list, if found as the leading text of the brief description, will be
+# stripped from the text and the result after processing the whole list, is
+# used as the annotated text. Otherwise, the brief description is used as-is.
+# If left blank, the following values are used ("$name" is automatically
+# replaced with the name of the entity): "The $name class" "The $name widget"
+# "The $name file" "is" "provides" "specifies" "contains"
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF =
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# Doxygen will generate a detailed section even if there is only a brief
+# description.
+
+ALWAYS_DETAILED_SEC = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
+# path before files name in the file list and in the header files. If set
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
+# can be used to strip a user-defined part of the path. Stripping is
+# only done if one of the specified strings matches the left-hand part of
+# the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the
+# path to strip.
+
+STRIP_FROM_PATH =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
+# the path mentioned in the documentation of a class, which tells
+# the reader which header file to include in order to use a class.
+# If left blank only the name of the header file containing the class
+# definition is used. Otherwise one should specify the include paths that
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
+# (but less readable) file names. This can be useful is your file systems
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
+# will interpret the first line (until the first dot) of a JavaDoc-style
+# comment as the brief description. If set to NO, the JavaDoc
+# comments will behave just like regular Qt-style comments
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will
+# interpret the first line (until the first dot) of a Qt-style
+# comment as the brief description. If set to NO, the comments
+# will behave just like regular Qt-style comments (thus requiring
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
+# treat a multi-line C++ special comment block (i.e. a block of //! or ///
+# comments) as a brief description. This used to be the default behaviour.
+# The new default is to treat a multi-line C++ comment block as a detailed
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member
+# documentation.
+
+DETAILS_AT_TOP = YES
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
+# member inherits the documentation from any documented member that it
+# re-implements.
+
+INHERIT_DOCS = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
+# a new page for each member. If set to NO, the documentation of a member will
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab.
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE = 8
+
+# This tag can be used to specify a number of aliases that acts
+# as commands in the documentation. An alias has the form "name=value".
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to
+# put the command \sideeffect (or @sideeffect) in the documentation, which
+# will result in a user-defined paragraph with heading "Side Effects:".
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
+# sources only. Doxygen will then generate output that is more tailored for C.
+# For instance, some of the names that are used will be different. The list
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
+# sources only. Doxygen will then generate output that is more tailored for
+# Java. For instance, namespaces will be presented as packages, qualified
+# scopes will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources only. Doxygen will then generate output that is more tailored for
+# Fortran.
+
+OPTIMIZE_FOR_FORTRAN = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for
+# VHDL.
+
+OPTIMIZE_OUTPUT_VHDL = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should
+# set this tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
+# func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only.
+# Doxygen will parse them like normal C++ but will assume all classes use public
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate getter
+# and setter methods for a property. Setting this option to YES (the default)
+# will make doxygen to replace the get and set methods by a property in the
+# documentation. This will only work if the methods are indeed getting or
+# setting a simple type. If this is not the case, or you want to show the
+# methods anyway, you should set this option to NO.
+
+IDL_PROPERTY_SUPPORT = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES, then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
+# the same type (for instance a group of public functions) to be put as a
+# subgroup of that type (e.g. under the Public Functions section). Set it to
+# NO to prevent subgrouping. Alternatively, this can be done per class using
+# the \nosubgrouping command.
+
+SUBGROUPING = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum
+# is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically
+# be useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+
+TYPEDEF_HIDES_STRUCT = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# documentation are documented, even if no documentation was available.
+# Private class members and static file members will be hidden unless
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# will be included in the documentation.
+
+EXTRACT_PRIVATE = NO
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
+# will be included in the documentation.
+
+EXTRACT_STATIC = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES = YES
+
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base
+# name of the file that contains the anonymous namespace. By default
+# anonymous namespace are hidden.
+
+EXTRACT_ANON_NSPACES = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES = NO
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
+# of that file.
+
+SHOW_INCLUDE_FILES = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
+# is inserted in the documentation for inline members.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
+# declaration order.
+
+SORT_MEMBER_DOCS = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
+# declaration order.
+
+SORT_BRIEF_DOCS = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
+# hierarchy of group names into alphabetical order. If set to NO (the default)
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
+# commands in the documentation.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
+# commands in the documentation.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
+# commands in the documentation.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or define consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and defines in the
+# documentation can be controlled using \showinitializer or \hideinitializer
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES = YES
+
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES = NO
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
+# Namespaces page. This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command <command> <input-file>, where <command> is the value of
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER =
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = . doc/
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
+# the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS = *.txt *.[ch]
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix filesystem feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH = examples
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS = *.[ch]
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command <filter> <input-file>, where <filter>
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output. If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
+# is applied to all files.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code. Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = NO
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header.
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET =
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
+# it at startup.
+
+GENERATE_DOCSET = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
+# can be grouped.
+
+DOCSET_FEEDNAME = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID = org.doxygen.Project
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded. For this to work a browser that supports
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it.
+
+DISABLE_INDEX = NO
+
+# This tag can be used to set the number of enum values (range [1..20])
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE = 4
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to FRAME, a side panel will be generated
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
+# probably better off using the HTML help feature. Other possible values
+# for this tag are: HIERARCHIES, which will generate the Groups, Directories,
+# and Class Hiererachy pages using a tree view instead of an ordered list;
+# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which
+# disables this behavior completely. For backwards compatibility with previous
+# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE
+# respectively.
+
+GENERATE_TREEVIEW = YES
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+# Use this tag to change the font size of Latex formulas included
+# as images in the HTML documentation. The default is 10. Note that
+# when you change the font size after a successful doxygen run you need
+# to manually remove any form_*.png images from the HTML output directory
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE = 10
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, a4wide, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
+# the code including all documentation.
+
+GENERATE_XML = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_SCHEMA =
+
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_DTD =
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
+# moment.
+
+GENERATE_PERLMOD = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader. This is useful
+# if you want to understand what is going on. On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY = YES
+
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
+# files.
+
+ENABLE_PREPROCESSING = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
+# the preprocessor.
+
+INCLUDE_PATH =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
+# be used.
+
+INCLUDE_FILE_PATTERNS =
+
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
+# instead of the = operator.
+
+PREDEFINED =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all function-like macros that are alone
+# on a line, have an all uppercase name, and do not end with a semicolon. Such
+# function macros are typically used for boiler-plate code, and will confuse
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE =
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
+# will be listed.
+
+ALLEXTERNALS = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
+# be listed.
+
+EXTERNAL_GROUPS = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
+# or super classes. Setting the tag to NO turns the diagrams off. Note that
+# this option is superseded by the HAVE_DOT option below. This is only a
+# fallback. It is recommended to install and use dot, since it yields more
+# powerful graphs.
+
+CLASS_DIAGRAMS = YES
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
+# default search path.
+
+MSCGEN_PATH =
+
+# If set to YES, the inheritance and collaboration graphs will hide
+# inheritance and usage relations if the target is undocumented
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz, a graph visualization
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT = YES
+
+# By default doxygen will write a font called FreeSans.ttf to the output
+# directory and reference it in all dot files that doxygen generates. This
+# font does not include all possible unicode characters however, so when you need
+# these (or just want a differently looking font) you can specify the font name
+# using DOT_FONTNAME. You need need to make sure dot is able to find the font,
+# which can be done by putting it in a standard location or by setting the
+# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory
+# containing the font.
+
+DOT_FONTNAME = FreeSans
+
+# By default doxygen will tell dot to use the output directory to look for the
+# FreeSans.ttf font (which doxygen will put there itself). If you specify a
+# different font using DOT_FONTNAME you can set the path where dot
+# can find it using this tag.
+
+DOT_FONTPATH =
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect inheritance relations. Setting this tag to YES will force the
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect implementation dependencies (inheritance, containment, and
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+
+UML_LOOK = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
+# tags are set to YES then doxygen will generate a graph for each documented
+# file showing the direct and indirect include dependencies of the file with
+# other documented files.
+
+INCLUDE_GRAPH = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
+# documented header file showing the documented files that directly or
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH = YES
+
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then
+# doxygen will generate a call dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable call graphs
+# for selected functions only using the \callgraph command.
+
+CALL_GRAPH = YES
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then
+# doxygen will generate a caller dependency graph for every global function
+# or class method. Note that enabling this option will significantly increase
+# the time of a run. So in most cases it will be better to enable caller
+# graphs for selected functions only using the \callergraph command.
+
+CALLER_GRAPH = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# then doxygen will show the dependencies a directory has on other directories
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the
+# \dotfile command).
+
+DOTFILE_DIRS =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of
+# nodes that will be shown in the graph. If the number of nodes in a graph
+# becomes larger than this value, doxygen will truncate the graph, which is
+# visualized by representing a node as a red box. Note that doxygen if the
+# number of direct children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
+# graphs generated by dot. A depth value of 3 means that only nodes reachable
+# from the root by following a path via at most 3 edges will be shown. Nodes
+# that lay further from the root node will be omitted. Note that setting this
+# option to 1 or 2 may greatly reduce the computation time needed for large
+# code bases. Also note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is enabled by default, which results in a transparent
+# background. Warning: Depending on the platform used, enabling this option
+# may lead to badly anti-aliased labels on the edges of a graph (i.e. they
+# become hard to read).
+
+DOT_TRANSPARENT = YES
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10)
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
+# generate a legend page explaining the meaning of the various boxes and
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
+# remove the intermediate dot files that are used to generate
+# the various graphs.
+
+DOT_CLEANUP = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE = NO
diff --git a/lib/radius/examples/Makefile b/lib/radius/examples/Makefile
new file mode 100644
index 0000000..f39c343
--- /dev/null
+++ b/lib/radius/examples/Makefile
@@ -0,0 +1,54 @@
+#
+# GNU Makefile
+#
+.PHONY: all clean install
+
+SRCS = example_1.c example_2.c example_3.c example_4.c
+
+OBJS := ${SRCS:.c=.o}
+PROGRAMS := ${SRCS:.c=}
+
+all: ${PROGRAMS}
+
+HEADERS := ../client.h ../radius.h
+
+${OBJS}: ${HEADERS}
+
+$(info ${PROGRAMS} ${OBJS})
+
+${PROGRAMS}: ../libnetworkradius-client.a
+
+
+%.o : %.c
+ $(CC) $(CFLAGS) -I.. -I. -c $<
+
+%.o: ${HEADERS}
+
+LDFLAGS = -L.. -lnetworkradius-client -lcrypto -lssl
+CFLAGS = -I..
+
+../libnetworkradius-client.a:
+ @${MAKE} -C .. libnetworkradius-client.a
+
+radsample.o: radsample.c ${HEADERS} nr_vp_create.c nr_packet_send.c
+
+#radsample: radsample.o ../libnetworkradius-client.a
+# ${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+sample_chap.o: sample_chap.c ${HEADERS}
+
+sample_chap: sample_chap.o ../libnetworkradius-client.a
+ ${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+radsample2.o: radsample2.c ${HEADERS} nr_vp_create.c
+
+radsample2: radsample2.o ../libnetworkradius-client.a
+ ${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+radsample3.o: radsample3.c ${HEADERS} nr_transmit.c nr_server_t.c nr_vp_create.c
+
+radsample3: radsample3.o ../libnetworkradius-client.a
+ ${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+clean:
+ @rm -rf *.o *.a *~
diff --git a/lib/radius/examples/example_1.c b/lib/radius/examples/example_1.c
new file mode 100644
index 0000000..265c880
--- /dev/null
+++ b/lib/radius/examples/example_1.c
@@ -0,0 +1,86 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_1.c
+ * \brief Sample code to initialize a RADIUS packet.
+ *
+ * This example initializes a packet, and then adds User-Name and
+ * User-Password to it. The resulting packet is then printed to the
+ * standard output.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[RS_MAX_PACKET_LEN];
+static uint8_t response_buffer[RS_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+ ssize_t rcode;
+ const char *user = "bob";
+ const char *password = "password";
+
+ rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+ request_buffer, sizeof(request_buffer));
+ if (rcode < 0) {
+ error:
+ fprintf(stderr, "Error: %s\n", nr_strerror(rcode));
+ return 1;
+ }
+
+ if (argc > 1) user = argv[1];
+ if (argc > 2) password = argv[2];
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_NAME,
+ user, 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_PASSWORD,
+ password, 0);
+ if (rcode < 0) goto error;
+
+ /*
+ * ALWAYS call nr_packet_sign() before sending the packet
+ * to anyone else!
+ */
+ rcode = nr_packet_sign(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&request);
+
+ rcode = nr_packet_decode(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_vp_fprintf_list(stdout, request.vps);
+ nr_vp_free(&request.vps);
+
+ return 0;
+}
diff --git a/lib/radius/examples/example_2.c b/lib/radius/examples/example_2.c
new file mode 100644
index 0000000..0a58523
--- /dev/null
+++ b/lib/radius/examples/example_2.c
@@ -0,0 +1,86 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_2.c
+ * \brief Sample code to initialize a RADIUS packet.
+ *
+ * This example initializes a packet, and then adds User-Name and
+ * CHAP-Password to it. The resulting packet is then printed to the
+ * standard output.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[RS_MAX_PACKET_LEN];
+static uint8_t response_buffer[RS_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+ int rcode;
+ const char *user = "bob";
+ const char *password = "password";
+
+ rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+ request_buffer, sizeof(request_buffer));
+ if (rcode < 0) {
+ error:
+ fprintf(stderr, "Error: %s\n", nr_strerror(rcode));
+ return 1;
+ }
+
+ if (argc > 1) user = argv[1];
+ if (argc > 2) password = argv[2];
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_NAME,
+ user, 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_CHAP_PASSWORD,
+ password, strlen(password));
+ if (rcode < 0) goto error;
+
+ /*
+ * ALWAYS call nr_packet_sign() before sending the packet
+ * to anyone else!
+ */
+ rcode = nr_packet_sign(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&request);
+
+ rcode = nr_packet_decode(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_vp_fprintf_list(stdout, request.vps);
+ nr_vp_free(&request.vps);
+
+ return 0;
+}
diff --git a/lib/radius/examples/example_3.c b/lib/radius/examples/example_3.c
new file mode 100644
index 0000000..33fc671
--- /dev/null
+++ b/lib/radius/examples/example_3.c
@@ -0,0 +1,123 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_3.c
+ * \brief Sample code to initialize a RADIUS packet and a response to it.
+ *
+ * This example initializes a packet, and then adds User-Name and
+ * User-Password to it. The resulting packet is then printed to the
+ * standard output.
+ *
+ * As a next step, it then creates the response, and prints that,
+ * too.
+ */
+
+static const char *secret = "testing123";
+static uint8_t request_buffer[RS_MAX_PACKET_LEN];
+static uint8_t response_buffer[RS_MAX_PACKET_LEN];
+static RADIUS_PACKET request, response;
+
+int main(int argc, const char *argv[])
+{
+ int rcode;
+ const char *user = "bob";
+ const char *password = "password";
+
+ rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+ request_buffer, sizeof(request_buffer));
+ if (rcode < 0) {
+ error:
+ fprintf(stderr, "Error :%s\n", nr_strerror(rcode));
+ return 1;
+ }
+
+ if (argc > 1) user = argv[1];
+ if (argc > 2) password = argv[2];
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_NAME,
+ user, 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_PASSWORD,
+ password, 0);
+ if (rcode < 0) goto error;
+
+ /*
+ * ALWAYS call nr_packet_sign() before sending the packet
+ * to anyone else!
+ */
+ rcode = nr_packet_sign(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&request);
+
+ rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT,
+ response_buffer, sizeof(response_buffer));
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&response, &request,
+ RS_DA_REPLY_MESSAGE,
+ "Success!", 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&response, &request,
+ RS_DA_TUNNEL_PASSWORD,
+ password, 0);
+ if (rcode < 0) goto error;
+ rcode = nr_packet_sign(&response, &request);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&response);
+
+ /*
+ * Check that the response is well-formed. The
+ * nr_packet_verify() function also calls nr_packet_ok().
+ * However, it is sometimes useful to separate "malformed
+ * packet" errors from "packet is not a response to a
+ * reqeust" errors.
+ */
+ rcode = nr_packet_ok(&response);
+ if (rcode < 0) goto error;
+
+ /*
+ * Double-check the signature of the response.
+ */
+ rcode = nr_packet_verify(&response, &request);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_decode(&response, &request);
+ if (rcode < 0) goto error;
+
+ nr_vp_fprintf_list(stdout, response.vps);
+ nr_vp_free(&response.vps);
+
+ return 0;
+}
diff --git a/lib/radius/examples/example_4.c b/lib/radius/examples/example_4.c
new file mode 100644
index 0000000..2dadc89
--- /dev/null
+++ b/lib/radius/examples/example_4.c
@@ -0,0 +1,94 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+/** \file example_4.c
+ * \brief Allocate and manage multiple packets.
+ */
+
+static const char *secret = "testing123";
+static nr_server_t server;
+
+int main(int argc, const char *argv[])
+{
+ int rcode;
+ const char *user = "bob";
+ const char *password = "password";
+
+ rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST,
+ request_buffer, sizeof(request_buffer));
+ if (rcode < 0) {
+ error:
+ fprintf(stderr, "Error :%s\n", nr_strerror(rcode));
+ return 1;
+ }
+
+ if (argc > 1) user = argv[1];
+ if (argc > 2) password = argv[2];
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_NAME,
+ user, 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&request, NULL,
+ RS_DA_USER_PASSWORD,
+ password, 0);
+ if (rcode < 0) goto error;
+
+ /*
+ * ALWAYS call nr_packet_sign() before sending the packet
+ * to anyone else!
+ */
+ rcode = nr_packet_sign(&request, NULL);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&request);
+
+ rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT,
+ response_buffer, sizeof(response_buffer));
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_attr_append(&response, &request,
+ RS_DA_REPLY_MESSAGE,
+ "Success!", 0);
+ if (rcode < 0) goto error;
+
+ rcode = nr_packet_sign(&response, &request);
+ if (rcode < 0) goto error;
+
+ nr_packet_print_hex(&response);
+
+ /*
+ * Double-check the signature of the response.
+ */
+ rcode = nr_packet_verify(&response, &request);
+ if (rcode < 0) goto error;
+
+ return 0;
+}
diff --git a/lib/radius/examples/nr_vp_create.c b/lib/radius/examples/nr_vp_create.c
new file mode 100644
index 0000000..bd04f17
--- /dev/null
+++ b/lib/radius/examples/nr_vp_create.c
@@ -0,0 +1,61 @@
+/*
+ * The person or persons who have associated work with this document
+ * (the "Dedicator" or "Certifier") hereby either (a) certifies that,
+ * to the best of his knowledge, the work of authorship identified is
+ * in the public domain of the country from which the work is
+ * published, or (b) hereby dedicates whatever copyright the
+ * dedicators holds in the work of authorship identified below (the
+ * "Work") to the public domain. A certifier, moreover, dedicates any
+ * copyright interest he may have in the associated work, and for
+ * these purposes, is described as a "dedicator" below.
+ *
+ * A certifier has taken reasonable steps to verify the copyright
+ * status of this work. Certifier recognizes that his good faith
+ * efforts may not shield him from liability if in fact the work
+ * certified is not in the public domain.
+ *
+ * Dedicator makes this dedication for the benefit of the public at
+ * large and to the detriment of the Dedicator's heirs and
+ * successors. Dedicator intends this dedication to be an overt act of
+ * relinquishment in perpetuity of all present and future rights under
+ * copyright law, whether vested or contingent, in the Work. Dedicator
+ * understands that such relinquishment of all rights includes the
+ * relinquishment of all rights to enforce (by lawsuit or otherwise)
+ * those copyrights in the Work.
+ *
+ * Dedicator recognizes that, once placed in the public domain, the
+ * Work may be freely reproduced, distributed, transmitted, used,
+ * modified, built upon, or otherwise exploited by anyone for any
+ * purpose, commercial or non-commercial, and in any way, including by
+ * methods that have not yet been invented or conceived.
+ */
+
+static VALUE_PAIR *example_nr_vp_create(void)
+{
+ VALUE_PAIR *vp;
+ VALUE_PAIR *head = NULL;
+
+ /*
+ * Create the request contents.
+ */
+ vp = nr_vp_create(PW_USER_NAME, 0, "bob", 4);
+ if (!vp) {
+ fprintf(stderr, "User-Name: %s\n", nr_strerror(0));
+ exit(1);
+ }
+ nr_vps_append(&head, vp);
+
+ /*
+ * The User-Password attribute is automatically encrypted
+ * when being placed in the packet. This version stays
+ * untouched, and should be "plain text".
+ */
+ vp = nr_vp_create(PW_USER_PASSWORD, 0, "hello", 6);
+ if (!vp) {
+ fprintf(stderr, "User-Password: %s\n", nr_strerror(0));
+ exit(1);
+ }
+ nr_vps_append(&head, vp);
+
+ return head;
+}
diff --git a/lib/radius/header.pl b/lib/radius/header.pl
new file mode 100755
index 0000000..c366612
--- /dev/null
+++ b/lib/radius/header.pl
@@ -0,0 +1,68 @@
+#!/usr/bin/env perl
+######################################################################
+# Copyright (c) 2011, Network RADIUS SARL
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of the <organization> nor the
+# names of its contributors may be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+######################################################################
+#
+# Converts dictionaries to C defines. Does not yet do "VALUE"s.
+#
+# $Id$
+#
+require "common.pl";
+
+while (@ARGV) {
+ $filename = shift;
+ do_file($filename);
+}
+
+
+print "/* Automatically generated file. Do not edit */\n\n";
+
+foreach $v (sort keys %vendor) {
+ $name = $v;
+ $name =~ tr/a-z/A-Z/; # uppercase
+ $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _
+
+ print "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n";
+}
+print "\n";
+
+$begin_vendor = -1;
+foreach $attr_val (sort {$a <=> $b} keys %attributes) {
+ if ($attributes{$attr_val}{'vendor'} != $begin_vendor) {
+ print "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n";
+ $begin_vendor = $attributes{$attr_val}{'vendor'};
+ }
+
+ $name = $attributes{$attr_val}{'name'};
+ $name =~ tr/a-z/A-Z/;
+ $name =~ tr/A-Z0-9/_/c;
+
+ print "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n";
+}
+print "\n\n";
+
+print "/* Automatically generated file. Do not edit */\n";
+
diff --git a/lib/radius/id.c b/lib/radius/id.c
new file mode 100644
index 0000000..4ccd032
--- /dev/null
+++ b/lib/radius/id.c
@@ -0,0 +1,181 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "client.h"
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/** \file id.c
+ * \brief Handling of ID allocation / freeing
+ *
+ */
+
+static int find_id(nr_server_t *s)
+{
+ int i;
+ uint32_t lvalue;
+
+ if ((s->used < 0) || (s->used > 256)) return -RSE_INTERNAL;
+
+ /*
+ * Ensure that the ID allocation is random.
+ */
+ lvalue = nr_rand();
+
+ for (i = 0; i < 256; i++) {
+ int offset = (i + lvalue) & 0xff;
+
+ if (!s->ids[offset]) return offset;
+ }
+
+ nr_strerror_printf("Out of IDs for server");
+ return -1;
+}
+
+int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet)
+{
+ int new_id;
+
+ if (!s || !packet) return -RSE_INVAL;
+
+ new_id = find_id(s);
+ if (new_id < 0) return -new_id;
+
+ s->ids[new_id] = packet;
+ s->used++;
+ packet->sockfd = s->sockfd;
+ packet->code = s->code;
+ packet->src = s->src;
+ packet->dst = s->dst;
+ packet->id = new_id;
+
+ return 0;
+}
+
+int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet)
+{
+ if (!s || !packet) return -RSE_INVAL;
+
+ if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) {
+ return -RSE_INVAL;
+ }
+
+ if (s->ids[packet->id] != packet) return -RSE_INTERNAL;
+
+ s->ids[packet->id] = NULL;
+ s->used--;
+ packet->sockfd = -1;
+
+ return 0;
+}
+
+int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet)
+{
+ int new_id;
+
+ if (!s || !packet) return -RSE_INVAL;
+
+ if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) {
+ return -RSE_INVAL;
+ }
+
+ if (s->ids[packet->id] != packet) return -RSE_INTERNAL;
+
+ new_id = find_id(s);
+ if (new_id < 0) return new_id;
+
+ s->ids[packet->id] = NULL;
+ packet->id = new_id;
+ s->ids[packet->id] = packet;
+
+ return 0;
+}
+
+
+int nr_server_init(nr_server_t *s, int code, const char *secret)
+{
+ if (!s || !secret || !*secret ||
+ (code == 0) || (code > RS_MAX_PACKET_CODE)) {
+ return -RSE_INVAL;
+ }
+
+ memset(s, 0, sizeof(*s));
+
+ s->sockfd = -1;
+ s->code = code;
+ s->secret = secret;
+ s->sizeof_secret = strlen(secret);
+ s->src.ss_family = AF_UNSPEC;
+ s->dst.ss_family = AF_UNSPEC;
+
+ return 0;
+}
+
+
+int nr_server_close(const nr_server_t *s)
+{
+ if (!s) return -RSE_INVAL;
+
+ if (s->used > 0) return -RSE_INUSE;
+
+ if (s->sockfd >= 0) evutil_closesocket(s->sockfd);
+
+ return 0;
+}
+
+int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p)
+{
+ int rcode;
+ RADIUS_PACKET *packet;
+
+ if (!packet_p) return -RSE_INVAL;
+
+ packet = malloc(sizeof(*packet) + RS_MAX_PACKET_LEN);
+ if (!packet) return -RSE_NOMEM;
+
+ memset(packet, 0, sizeof(*packet));
+
+ if (!s) {
+ packet->data = (uint8_t *)(packet + 1);
+ packet->sizeof_data = RS_MAX_PACKET_LEN;
+
+ *packet_p = packet;
+ return 0;
+ }
+
+ rcode = nr_packet_init(packet, NULL, s->secret, s->code,
+ (uint8_t *)(packet + 1), RS_MAX_PACKET_LEN);
+ if (rcode < 0) {
+ free(packet);
+ return rcode;
+ }
+
+ *packet_p = packet;
+ return 0;
+}
diff --git a/lib/radius/parse.c b/lib/radius/parse.c
new file mode 100644
index 0000000..8446306
--- /dev/null
+++ b/lib/radius/parse.c
@@ -0,0 +1,149 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file parse.c
+ * \brief Routines to parse strings into internal data structures
+ */
+
+#include "client.h"
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value)
+{
+ char *end;
+
+ switch (vp->da->type) {
+ case RS_TYPE_STRING: {
+ size_t len = strlen(value);
+
+ if (len >= RS_MAX_STRING_LEN)
+ return -RSE_ATTR_TOO_LARGE;
+
+ memcpy(vp->vp_strvalue, value, len + 1);
+ return (vp->length = len);
+ }
+ case RS_TYPE_DATE:
+ case RS_TYPE_INTEGER:
+ vp->vp_integer = strtoul(value, &end, 10);
+ if ((value == end) || (*end != '\0')) {
+ nr_debug_error("Invalid value");
+ return -RSE_ATTR_VALUE_MALFORMED;
+ }
+ return (end - value);
+
+ case RS_TYPE_IPADDR:
+ if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) {
+ return -RSE_NOSYS;
+ }
+ return strlen(value);
+
+#ifdef RS_TYPE_IPV6ADDR
+ case RS_TYPE_IPV6ADDR:
+ if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) {
+ return -RSE_NOSYS;
+ }
+ return strlen(value);
+#endif
+
+#ifdef RS_TYPE_IFID
+ case RS_TYPE_IFID:
+ {
+ int i, array[8];
+
+ if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x",
+ &array[0], &array[1], &array[2], &array[3],
+ &array[4], &array[5], &array[6], &array[7]) != 8) {
+ return -RSE_SYSTEM;
+ }
+
+ for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff;
+
+ }
+ break;
+#endif
+
+ default:
+ nr_debug_error("Invalid type");
+ return -RSE_ATTR_TYPE_UNKNOWN;
+ }
+
+ return 0;
+}
+
+int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp)
+{
+ int rcode;
+ const char *p;
+ char *q;
+ const DICT_ATTR *da;
+ VALUE_PAIR *vp;
+ char buffer[256];
+
+ if (!string || !pvp) return -RSE_INVAL;
+
+ p = string;
+ q = buffer;
+ while (*p && (*p != ' ') && (*p != '=')) {
+ *(q++) = *(p++);
+ }
+ *q = '\0';
+
+ if (q == buffer) {
+ nr_debug_error("No Attribute name");
+ return -RSE_ATTR_BAD_NAME;
+ }
+
+ da = nr_dict_attr_byname(buffer);
+ if (!da) {
+ nr_debug_error("Unknown attribute \"%s\"", buffer);
+ return -RSE_ATTR_UNKNOWN;
+ }
+
+ while (*p == ' ') p++;
+ if (*p != '=') {
+ nr_debug_error("Unexpected text after attribute name");
+ return -RSE_ATTR_BAD_NAME;
+ }
+
+ p++;
+ while (*p == ' ') p++;
+
+ vp = nr_vp_alloc(da);
+ if (!vp) return -RSE_NOMEM;
+
+ rcode = nr_vp_sscanf_value(vp, p);
+ if (rcode < 0) {
+ nr_vp_free(&vp);
+ return rcode;
+ }
+
+ *pvp = vp;
+ return 0;
+}
diff --git a/lib/radius/print.c b/lib/radius/print.c
new file mode 100644
index 0000000..6fa06d7
--- /dev/null
+++ b/lib/radius/print.c
@@ -0,0 +1,227 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file print.c
+ * \brief Functions to print things.
+ */
+
+#include "client.h"
+#include <string.h>
+#ifdef RS_TYPE_IPV6ADDR
+#include <arpa/inet.h>
+#endif
+
+#ifndef NDEBUG
+void nr_packet_print_hex(RADIUS_PACKET *packet)
+{
+ int i;
+
+ if (!packet->data) return;
+
+ printf(" Code:\t\t%u\n", packet->data[0]);
+ printf(" Id:\t\t%u\n", packet->data[1]);
+ printf(" Length:\t%u\n", ((packet->data[2] << 8) |
+ (packet->data[3])));
+ printf(" Vector:\t");
+ for (i = 4; i < 20; i++) {
+ printf("%02x", packet->data[i]);
+ }
+ printf("\n");
+ if ((packet->flags & RS_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n");
+
+ if (packet->length > 20) {
+ int total;
+ const uint8_t *ptr;
+ printf(" Data:");
+
+ total = packet->length - 20;
+ ptr = packet->data + 20;
+
+ while (total > 0) {
+ int attrlen;
+
+ printf("\t\t");
+ if (total < 2) { /* too short */
+ printf("%02x\n", *ptr);
+ break;
+ }
+
+ if (ptr[1] > total) { /* too long */
+ for (i = 0; i < total; i++) {
+ printf("%02x ", ptr[i]);
+ }
+ break;
+ }
+
+ printf("%02x %02x ", ptr[0], ptr[1]);
+ attrlen = ptr[1] - 2;
+ ptr += 2;
+ total -= 2;
+
+ for (i = 0; i < attrlen; i++) {
+ if ((i > 0) && ((i & 0x0f) == 0x00))
+ printf("\t\t\t");
+ printf("%02x ", ptr[i]);
+ if ((i & 0x0f) == 0x0f) printf("\n");
+ }
+
+ if (!attrlen || ((attrlen & 0x0f) != 0x00)) printf("\n");
+
+ ptr += attrlen;
+ total -= attrlen;
+ }
+ }
+ printf("\n");
+ fflush(stdout);
+}
+#endif
+
+size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp)
+{
+ size_t i, len;
+ char *p = buffer;
+
+ switch (vp->da->type) {
+ case RS_TYPE_STRING:
+ /*
+ * FIXME: escape backslash && quotes!
+ */
+ len = snprintf(p, buflen, "%s", vp->vp_strvalue);
+ break;
+
+ case RS_TYPE_DATE:
+ case RS_TYPE_INTEGER:
+ case RS_TYPE_SHORT:
+ case RS_TYPE_BYTE:
+ len = snprintf(p, buflen, "%u", vp->vp_integer);
+ break;
+
+ case RS_TYPE_IPADDR:
+ len = snprintf(p, buflen, "%u.%u.%u.%u",
+ (vp->vp_ipaddr >> 24) & 0xff,
+ (vp->vp_ipaddr >> 16) & 0xff,
+ (vp->vp_ipaddr >> 8) & 0xff,
+ vp->vp_ipaddr & 0xff);
+ break;
+
+#ifdef RS_TYPE_IPV6ADDR
+ case RS_TYPE_IPV6ADDR:
+ if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) {
+ return -RSE_SYSTEM;
+ }
+ break;
+#endif
+
+#ifdef RS_TYPE_IFID
+ case RS_TYPE_IFID:
+ len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x",
+ vp->vp_ifid[0], vp->vp_ifid[1],
+ vp->vp_ifid[2], vp->vp_ifid[3],
+ vp->vp_ifid[4], vp->vp_ifid[5],
+ vp->vp_ifid[6], vp->vp_ifid[7]);
+ break;
+#endif
+
+ case RS_TYPE_OCTETS:
+ len = snprintf(p, buflen, "0x");
+ if (len >= buflen) return 0;
+
+ p += len;
+ buflen -= len;
+
+ for (i = 0; i < vp->length; i++) {
+ len = snprintf(p, buflen, "%02x", vp->vp_octets[i]);
+ if (len >= buflen) return 0;
+
+ p += len;
+ buflen -= len;
+ }
+ len = 0;
+ break;
+
+ default:
+ len = 0;
+ break;
+ }
+
+ if (len >= buflen) return 0;
+
+ p += len;
+ buflen -= len;
+
+ return p - buffer;
+}
+
+size_t nr_vp_snprintf(char *buffer, size_t buflen, const VALUE_PAIR *vp)
+{
+ size_t len;
+ char *p = buffer;
+
+ len = snprintf(p, buflen, "%s = ", vp->da->name);
+ if (len >= buflen) return 0;
+
+ p += len;
+ buflen -= len;
+
+ len = nr_vp_snprintf_value(p, buflen, vp);
+ if (len == 0) return 0;
+
+ if (len >= buflen) return 0;
+
+ p += len;
+
+ return p - buffer;
+}
+
+#ifndef NDEBUG
+void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps)
+{
+ const VALUE_PAIR *vp;
+ char buffer[1024];
+
+ for (vp = vps; vp != NULL; vp = vp->next) {
+ nr_vp_snprintf(buffer, sizeof(buffer), vp);
+ fprintf(fp, "\t%s\n", buffer);
+ }
+}
+#endif
+
+/** \cond PRIVATE */
+#define NR_STRERROR_BUFSIZE (1024)
+static char nr_strerror_buffer[NR_STRERROR_BUFSIZE];
+
+void nr_strerror_printf(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ vsnprintf(nr_strerror_buffer, sizeof(nr_strerror_buffer), fmt, ap);
+ va_end(ap);
+
+ fprintf(stderr, "ERROR: %s\n", nr_strerror_buffer);
+}
+/** \endcond */
+
diff --git a/lib/radius/radpkt.c b/lib/radius/radpkt.c
new file mode 100644
index 0000000..bb8f75e
--- /dev/null
+++ b/lib/radius/radpkt.c
@@ -0,0 +1,916 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file packet.c
+ * \brief Encoding and decoding packets
+ */
+
+#include "client.h"
+
+#if RS_MAX_PACKET_LEN < 64
+#error RS_MAX_PACKET_LEN is too small. It should be at least 64.
+#endif
+
+#if RS_MAX_PACKET_LEN > 16384
+#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K.
+#endif
+
+const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = {
+ NULL,
+ "Access-Request",
+ "Access-Accept",
+ "Access-Reject",
+ "Accounting-Request",
+ "Accounting-Response",
+ NULL, NULL, NULL, NULL, NULL,
+ "Access-Challenge",
+ "Status-Server", /* 12 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */
+ "Disconnect-Request",
+ "Disconnect-ACK",
+ "Disconnect-NAK",
+ "CoA-Request",
+ "CoA-ACK",
+ "CoA-NAK"
+};
+
+
+static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = {
+ 0,
+ (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE),
+ 0, 0,
+ 1 << PW_ACCOUNTING_RESPONSE,
+ 0,
+ 0, 0, 0, 0, 0,
+ 0,
+ (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE),
+ 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */
+ (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK),
+ 0,
+ 0,
+ (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK),
+ 0,
+ 0
+};
+
+
+int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data)
+{
+ size_t packet_len;
+ const uint8_t *attr, *end;
+
+ if (!data || (sizeof_data < 20)) {
+ nr_debug_error("Invalid argument");
+ return -RSE_INVAL;
+ }
+
+ packet_len = (data[2] << 8) | data[3];
+ if (packet_len < 20) {
+ nr_debug_error("Packet length is too small");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+
+ if (packet_len > sizeof_data) {
+ nr_debug_error("Packet length overflows received data");
+ return -RSE_PACKET_TOO_LARGE;
+ }
+
+ /*
+ * If we receive 100 bytes, and the header says it's 20 bytes,
+ * then it's 20 bytes.
+ */
+ end = data + packet_len;
+
+ for (attr = data + 20; attr < end; attr += attr[1]) {
+ if ((attr + 2) > end) {
+ nr_debug_error("Attribute overflows packet");
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ if (attr[1] < 2) {
+ nr_debug_error("Attribute length is too small");
+ return -RSE_ATTR_TOO_SMALL;
+ }
+
+ if ((attr + attr[1]) > end) {
+ nr_debug_error("Attribute length is too large");
+ return -RSE_ATTR_TOO_LARGE;
+ }
+ }
+
+ return 0;
+}
+
+int nr_packet_ok(RADIUS_PACKET *packet)
+{
+ int rcode;
+
+ if (!packet) return -RSE_INVAL;
+
+ if ((packet->flags & RS_PACKET_OK) != 0) return 0;
+
+ rcode = nr_packet_ok_raw(packet->data, packet->length);
+ if (rcode < 0) return rcode;
+
+ packet->flags |= RS_PACKET_OK;
+ return 0;
+}
+
+
+/*
+ * Comparison function that is time-independent. Using "memcmp"
+ * would satisfy the "comparison" part. However, it would also
+ * leak information about *which* bytes are wrong. Attackers
+ * could use that leak to create a "correct" RADIUS packet which
+ * will be accepted by the client and/or server.
+ */
+static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length)
+{
+ int result = 0;
+ size_t i;
+
+ for (i = 0; i < length; i++) {
+ result |= (a[i] ^ b[i]);
+ }
+
+ return result;
+}
+
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+static int msg_auth_ok(const RADIUS_PACKET *original,
+ uint8_t *ma,
+ uint8_t *data, size_t length)
+{
+ uint8_t packet_vector[sizeof(original->vector)];
+ uint8_t msg_auth_vector[sizeof(original->vector)];
+ uint8_t calc_auth_vector[sizeof(original->vector)];
+
+ if (ma[1] != 18) {
+ nr_debug_error("Message-Authenticator has invalid length");
+ return -RSE_MSG_AUTH_LEN;
+ }
+
+ memcpy(packet_vector, data + 4, sizeof(packet_vector));
+ memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector));
+ memset(ma + 2, 0, sizeof(msg_auth_vector));
+
+ switch (data[0]) {
+ default:
+ break;
+
+ case PW_ACCOUNTING_REQUEST:
+ case PW_ACCOUNTING_RESPONSE:
+ case PW_DISCONNECT_REQUEST:
+ case PW_DISCONNECT_ACK:
+ case PW_DISCONNECT_NAK:
+ case PW_COA_REQUEST:
+ case PW_COA_ACK:
+ case PW_COA_NAK:
+ memset(data + 4, 0, sizeof(packet_vector));
+ break;
+
+ case PW_ACCESS_ACCEPT:
+ case PW_ACCESS_REJECT:
+ case PW_ACCESS_CHALLENGE:
+ if (!original) {
+ nr_debug_error("Cannot validate response without request");
+ return -RSE_REQUEST_REQUIRED;
+ }
+ memcpy(data + 4, original->vector, sizeof(original->vector));
+ break;
+ }
+
+ nr_hmac_md5(data, length,
+ (const uint8_t *) original->secret, original->sizeof_secret,
+ calc_auth_vector);
+
+ memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector));
+ memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+ if (digest_cmp(calc_auth_vector, msg_auth_vector,
+ sizeof(calc_auth_vector)) != 0) {
+ nr_debug_error("Invalid Message-Authenticator");
+ return -RSE_MSG_AUTH_WRONG;
+ }
+
+ return 1;
+}
+#endif
+
+/*
+ * The caller ensures that the packet codes are as expected.
+ */
+static int packet_auth_ok(const RADIUS_PACKET *original,
+ uint8_t *data, size_t length)
+{
+ uint8_t packet_vector[sizeof(original->vector)];
+ uint8_t calc_digest[sizeof(original->vector)];
+ RS_MD5_CTX ctx;
+
+ if ((data[0] == PW_ACCESS_REQUEST) ||
+ (data[0] == PW_STATUS_SERVER)) return 1;
+
+ memcpy(packet_vector, data + 4, sizeof(packet_vector));
+
+ if (!original) {
+ memset(data + 4, 0, sizeof(packet_vector));
+ } else {
+ memcpy(data + 4, original->vector, sizeof(original->vector));
+ }
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, data, length);
+ RS_MD5Update(&ctx, (const unsigned char *)original->secret, original->sizeof_secret);
+ RS_MD5Final(calc_digest, &ctx);
+
+ memcpy(data + 4, packet_vector, sizeof(packet_vector));
+
+ if (digest_cmp(calc_digest, packet_vector,
+ sizeof(packet_vector)) != 0) {
+ nr_debug_error("Invalid authentication vector");
+ return -RSE_AUTH_VECTOR_WRONG;
+ }
+
+ return 0;
+}
+
+
+int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+ int rcode;
+ uint8_t *attr;
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ const uint8_t *end;
+#endif
+
+ if (!packet || !packet->data || !packet->secret) {
+ nr_debug_error("Invalid argument");
+ return -RSE_INVAL;
+ }
+
+ if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0;
+
+ /*
+ * Packet isn't well formed. Ignore it.
+ */
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ /*
+ * Get rid of improper packets as early as possible.
+ */
+ if (original) {
+ uint64_t mask;
+
+ if (original->code > RS_MAX_PACKET_CODE) {
+ nr_debug_error("Invalid original code %u",
+ original->code);
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (packet->data[1] != original->id) {
+ nr_debug_error("Ignoring response with wrong ID %u",
+ packet->data[1]);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+ mask = 1;
+ mask <<= packet->data[0];
+
+ if ((allowed_responses[original->code] & mask) == 0) {
+ nr_debug_error("Ignoring response with wrong code %u",
+ packet->data[0]);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+ if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) &&
+ (evutil_sockaddr_cmp((struct sockaddr *)&packet->src, (struct sockaddr *)&original->dst, 1) != 0)) {
+ nr_debug_error("Ignoring response from wrong IP/port");
+ return -RSE_INVALID_RESPONSE_SRC;
+ }
+
+ } else if (allowed_responses[packet->data[0]] != 0) {
+ nr_debug_error("Ignoring response without original");
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ end = packet->data + packet->length;
+
+ /*
+ * Note that the packet MUST be well-formed here.
+ */
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+ rcode = msg_auth_ok(original, attr,
+ packet->data, packet->length);
+ if (rcode < 0) return rcode;
+ }
+ }
+#endif
+
+ /*
+ * Verify the packet authenticator.
+ */
+ rcode = packet_auth_ok(original, packet->data, packet->length);
+ if (rcode < 0) return rcode;
+
+ packet->flags |= RS_PACKET_VERIFIED;
+
+ return 0;
+}
+
+
+int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+ int rcode, num_attributes;
+ uint8_t *data, *attr;
+ const uint8_t *end;
+ VALUE_PAIR **tail, *vp;
+
+ if (!packet) return -RSE_INVAL;
+
+ if ((packet->flags & RS_PACKET_DECODED) != 0) return 0;
+
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ data = packet->data;
+ end = data + packet->length;
+ tail = &packet->vps;
+ num_attributes = 0;
+
+ /*
+ * Loop over the packet, converting attrs to VPs.
+ */
+ for (attr = data + 20; attr < end; attr += attr[1]) {
+ rcode = nr_attr2vp(packet, original,
+ attr, end - attr, &vp);
+ if (rcode < 0) {
+ nr_vp_free(&packet->vps);
+ return -rcode;
+ }
+
+ *tail = vp;
+ while (vp) {
+ num_attributes++;
+ tail = &(vp->next);
+ vp = vp->next;
+ }
+
+ if (num_attributes > RS_MAX_ATTRIBUTES) {
+ nr_debug_error("Too many attributes");
+ nr_vp_free(&packet->vps);
+ return -RSE_TOO_MANY_ATTRS;
+ }
+ }
+
+ packet->code = data[0];
+ packet->id = data[1];
+ memcpy(packet->vector, data + 4, sizeof(packet->vector));
+
+ packet->flags |= RS_PACKET_DECODED;
+
+ return 0;
+}
+
+
+int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ size_t ma = 0;
+ const uint8_t *attr, *end;
+#endif
+
+ if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0;
+
+ if ((packet->flags & RS_PACKET_ENCODED) == 0) {
+ int rcode;
+
+ rcode = nr_packet_encode(packet, original);
+ if (rcode < 0) return rcode;
+ }
+
+ if ((packet->code == PW_ACCESS_ACCEPT) ||
+ (packet->code == PW_ACCESS_CHALLENGE) ||
+ (packet->code == PW_ACCESS_REJECT)) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ if (!original) {
+ nr_debug_error("Original packet is required to create the Message-Authenticator");
+ return -RSE_REQUEST_REQUIRED;
+ }
+#endif
+
+ memcpy(packet->data + 4, original->vector,
+ sizeof(original->vector));
+ } else {
+ memcpy(packet->data + 4, packet->vector,
+ sizeof(packet->vector));
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ end = packet->data + packet->length;
+
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ if (attr[0] == PW_MESSAGE_AUTHENTICATOR) {
+ ma = (attr - packet->data);
+ break;
+ }
+ }
+
+ /*
+ * Force all Access-Request packets to have a
+ * Message-Authenticator.
+ */
+ if (!ma && ((packet->length + 18) <= packet->sizeof_data) &&
+ ((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER))) {
+ ma = packet->length;
+
+ packet->data[ma]= PW_MESSAGE_AUTHENTICATOR;
+ packet->data[ma + 1] = 18;
+ memset(&packet->data[ma + 2], 0, 16);
+ packet->length += 18;
+ }
+
+ /*
+ * Reset the length.
+ */
+ packet->data[2] = (packet->length >> 8) & 0xff;
+ packet->data[3] = packet->length & 0xff;
+
+ /*
+ * Sign the Message-Authenticator && packet.
+ */
+ if (ma) {
+ nr_hmac_md5(packet->data, packet->length,
+ (const uint8_t *) packet->secret, packet->sizeof_secret,
+ packet->data + ma + 2);
+ }
+#endif
+
+ /*
+ * Calculate the signature.
+ */
+ if (!((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER))) {
+ RS_MD5_CTX ctx;
+
+ RS_MD5Init(&ctx);
+ RS_MD5Update(&ctx, packet->data, packet->length);
+ RS_MD5Update(&ctx, (const unsigned char *)packet->secret, packet->sizeof_secret);
+ RS_MD5Final(packet->vector, &ctx);
+ }
+
+ memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+ packet->attempts = 0;
+ packet->flags |= RS_PACKET_SIGNED;
+
+ return 0;
+}
+
+
+static int can_encode_packet(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original)
+{
+ if ((packet->code == 0) ||
+ (packet->code > RS_MAX_PACKET_CODE) ||
+ (original && (original->code > RS_MAX_PACKET_CODE))) {
+ nr_debug_error("Cannot send unknown packet code");
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (!nr_packet_codes[packet->code]) {
+ nr_debug_error("Cannot handle packet code %u",
+ packet->code);
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+#ifdef NR_NO_MALLOC
+ if (!packet->data) {
+ nr_debug_error("No place to put packet");
+ return -RSE_NO_PACKET_DATA;
+ }
+#endif
+
+ if (packet->sizeof_data < 20) {
+ nr_debug_error("The buffer is too small to encode the packet");
+ return -RSE_PACKET_TOO_SMALL;
+ }
+
+ /*
+ * Enforce request / response correlation.
+ */
+ if (original) {
+ uint64_t mask;
+
+ mask = 1;
+ mask <<= packet->code;
+
+ if ((allowed_responses[original->code] & mask) == 0) {
+ nr_debug_error("Cannot encode response %u to packet %u",
+ packet->code, original->code);
+ return -RSE_INVALID_RESPONSE_CODE;
+ }
+ packet->id = original->id;
+
+ } else if (allowed_responses[packet->code] == 0) {
+ nr_debug_error("Cannot encode response %u without original",
+ packet->code);
+ return -RSE_REQUEST_REQUIRED;
+ }
+
+ return 0;
+}
+
+static void encode_header(RADIUS_PACKET *packet)
+{
+ if ((packet->flags & RS_PACKET_HEADER) != 0) return;
+
+ memset(packet->data, 0, 20);
+ packet->data[0] = packet->code;
+ packet->data[1] = packet->id;
+ packet->data[2] = 0;
+ packet->data[3] = 20;
+ packet->length = 20;
+
+ /*
+ * Calculate a random authentication vector.
+ */
+ if ((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER)) {
+ nr_rand_bytes(packet->vector, sizeof(packet->vector));
+ } else {
+ memset(packet->vector, 0, sizeof(packet->vector));
+ }
+
+ memcpy(packet->data + 4, packet->vector, sizeof(packet->vector));
+
+ packet->flags |= RS_PACKET_HEADER;
+}
+
+int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original)
+{
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ size_t ma = 0;
+#endif
+ int rcode;
+ ssize_t len;
+ const VALUE_PAIR *vp;
+ uint8_t *data, *end;
+
+ if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0;
+
+ rcode = can_encode_packet(packet, original);
+ if (rcode < 0) return rcode;
+
+ data = packet->data;
+ end = data + packet->sizeof_data;
+
+ encode_header(packet);
+ data += 20;
+
+ /*
+ * Encode each VALUE_PAIR
+ */
+ vp = packet->vps;
+ while (vp) {
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) {
+ ma = (data - packet->data);
+ }
+#endif
+ len = nr_vp2attr(packet, original, &vp,
+ data, end - data);
+ if (len < 0) return len;
+
+ if (len == 0) break; /* insufficient room to encode it */
+
+ data += data[1];
+ }
+
+#ifdef PW_MESSAGE_AUTHENTICATOR
+ /*
+ * Always send a Message-Authenticator.
+ *
+ * We do *not* recommend removing this code.
+ */
+ if (((packet->code == PW_ACCESS_REQUEST) ||
+ (packet->code == PW_STATUS_SERVER)) &&
+ !ma &&
+ ((data + 18) <= end)) {
+ ma = (data - packet->data);
+ data[0] = PW_MESSAGE_AUTHENTICATOR;
+ data[1] = 18;
+ memset(data + 2, 0, 16);
+ data += data[1];
+ }
+#endif
+
+ packet->length = data - packet->data;
+
+ packet->data[2] = (packet->length >> 8) & 0xff;
+ packet->data[3] = packet->length & 0xff;
+
+ packet->flags |= RS_PACKET_ENCODED;
+
+ return packet->length;
+}
+
+
+/*
+ * Ensure that the nr_data2attr_t structure is filled in
+ * appropriately. This includes filling in a fake DICT_ATTR
+ * structure, if necessary.
+ */
+static int do_callback(void *ctx, nr_packet_walk_func_t callback,
+ int attr, int vendor,
+ const uint8_t *data, size_t sizeof_data)
+
+{
+ int rcode;
+ const DICT_ATTR *da;
+ DICT_ATTR myda;
+ char buffer[64];
+
+ da = nr_dict_attr_byvalue(attr, vendor);
+
+ /*
+ * The attribute is supposed to have a particular length,
+ * but does not. It is therefore malformed.
+ */
+ if (da && (da->flags.length != 0) &&
+ da->flags.length != sizeof_data) {
+ da = NULL;
+ }
+
+ if (!da) {
+ rcode = nr_dict_attr_2struct(&myda, attr, vendor,
+ buffer, sizeof(buffer));
+
+ if (rcode < 0) return rcode;
+ da = &myda;
+ }
+
+ rcode = callback(ctx, da, data, sizeof_data);
+ if (rcode < 0) return rcode;
+
+ return 0;
+}
+
+
+int nr_packet_walk(RADIUS_PACKET *packet, void *ctx,
+ nr_packet_walk_func_t callback)
+{
+ int rcode;
+ uint8_t *attr;
+ const uint8_t *end;
+
+ if (!packet || !callback) return -RSE_INVAL;
+
+ rcode = nr_packet_ok(packet);
+ if (rcode < 0) return rcode;
+
+ end = packet->data + packet->length;
+
+ for (attr = packet->data + 20; attr < end; attr += attr[1]) {
+ int length, value;
+ int dv_type, dv_length;
+ uint32_t vendorpec;
+ const uint8_t *vsa;
+ const DICT_VENDOR *dv = NULL;
+
+ vendorpec = 0;
+ value = attr[0];
+
+ if (value != PW_VENDOR_SPECIFIC) {
+ raw:
+ rcode = do_callback(ctx, callback,
+ attr[0], 0,
+ attr + 2, attr[1] - 2);
+ if (rcode < 0) return rcode;
+ continue;
+ }
+
+ if (attr[1] < 6) goto raw;
+ memcpy(&vendorpec, attr + 2, 4);
+ vendorpec = ntohl(vendorpec);
+
+ if (dv && (dv->vendor != vendorpec)) dv = NULL;
+
+ if (!dv) dv = nr_dict_vendor_byvalue(vendorpec);
+
+ if (dv) {
+ dv_type = dv->type;
+ dv_length = dv->length;
+ } else {
+ dv_type = 1;
+ dv_length = 1;
+ }
+
+ /*
+ * Malformed: it's a raw attribute.
+ */
+ if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) {
+ goto raw;
+ }
+
+ for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) {
+ switch (dv_type) {
+ case 4:
+ value = (vsa[2] << 8) | vsa[3];
+ break;
+
+ case 2:
+ value = (vsa[0] << 8) | vsa[1];
+ break;
+
+ case 1:
+ value = vsa[0];
+ break;
+
+ default:
+ return -RSE_INTERNAL;
+ }
+
+ switch (dv_length) {
+ case 0:
+ length = attr[1] - 6 - dv_type;
+ break;
+
+ case 2:
+ case 1:
+ length = vsa[dv_type + dv_length - 1];
+ break;
+
+ default:
+ return -RSE_INTERNAL;
+ }
+
+ rcode = do_callback(ctx, callback,
+ value, vendorpec,
+ vsa + dv_type + dv_length,
+ length - dv_type - dv_length);
+ if (rcode < 0) return rcode;
+ }
+ }
+
+ return 0;
+}
+
+int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
+ const char *secret, int code,
+ void *data, size_t sizeof_data)
+{
+ int rcode;
+
+ if ((code < 0) || (code > RS_MAX_PACKET_CODE)) {
+ return -RSE_INVALID_REQUEST_CODE;
+ }
+
+ if (!data || (sizeof_data < 20)) return -RSE_INVAL;
+
+ memset(packet, 0, sizeof(*packet));
+ packet->secret = secret;
+ packet->sizeof_secret = secret ? strlen(secret) : 0;
+ packet->code = code;
+ packet->id = 0;
+ packet->data = data;
+ packet->sizeof_data = sizeof_data;
+
+ rcode = can_encode_packet(packet, original);
+ if (rcode < 0) return rcode;
+
+ encode_header(packet);
+
+ return 0;
+}
+
+
+static int pack_eap(RADIUS_PACKET *packet,
+ const void *data, size_t data_len)
+{
+ uint8_t *attr, *end;
+ const uint8_t *eap;
+ size_t left;
+
+ eap = data;
+ left = data_len;
+ attr = packet->data + packet->length;
+ end = attr + packet->sizeof_data;
+
+ while (left > 253) {
+ if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW;
+
+ attr[0] = PW_EAP_MESSAGE;
+ attr[1] = 255;
+ memcpy(attr + 2, eap, 253);
+ attr += attr[1];
+ eap += 253;
+ left -= 253;
+ }
+
+ if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW;
+
+ attr[0] = PW_EAP_MESSAGE;
+ attr[1] = 2 + left;
+ memcpy(attr + 2, eap, left);
+ attr += attr[1];
+ packet->length = attr - packet->data;
+
+ return 0;
+}
+
+ssize_t nr_packet_attr_append(RADIUS_PACKET *packet,
+ const RADIUS_PACKET *original,
+ const DICT_ATTR *da,
+ const void *data, size_t data_len)
+{
+ ssize_t rcode;
+ uint8_t *attr, *end;
+ VALUE_PAIR my_vp;
+ const VALUE_PAIR *vp;
+
+ if (!packet || !da || !data) {
+ return -RSE_INVAL;
+ }
+
+ if (data_len == 0) {
+ if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL;
+
+ data_len = strlen(data);
+ }
+
+ packet->flags |= RS_PACKET_ENCODED; /* ignore any VPs */
+
+ attr = packet->data + packet->length;
+ end = attr + packet->sizeof_data;
+
+ if ((attr + 2 + data_len) > end) {
+ return -RSE_ATTR_OVERFLOW;
+ }
+
+ if ((da->flags.length != 0) &&
+ (data_len != da->flags.length)) {
+ return -RSE_ATTR_VALUE_MALFORMED;
+ }
+
+#ifdef PW_EAP_MESSAGE
+ /*
+ * automatically split EAP-Message into multiple
+ * attributes.
+ */
+ if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) {
+ return pack_eap(packet, data, data_len);
+ }
+#endif
+
+ if (data_len > 253) return -RSE_ATTR_TOO_LARGE;
+
+ vp = nr_vp_init(&my_vp, da);
+ rcode = nr_vp_set_data(&my_vp, data, data_len);
+ if (rcode < 0) return rcode;
+
+ /*
+ * Note that this function packs VSAs each into their own
+ * Vendor-Specific attribute. If this isn't what you
+ * want, use the version of the library with full support
+ * for TLVs, WiMAX, and extended attributes.
+ */
+ rcode = nr_vp2attr(packet, original, &vp, attr, end - attr);
+ if (rcode <= 0) return rcode;
+
+ packet->length += rcode;
+
+ return rcode;
+}
diff --git a/lib/radius/share/dictionary.juniper b/lib/radius/share/dictionary.juniper
new file mode 100644
index 0000000..9aa5df4
--- /dev/null
+++ b/lib/radius/share/dictionary.juniper
@@ -0,0 +1,23 @@
+# -*- text -*-
+#
+# dictionary.juniper
+#
+# As posted to the list by Eric Kilfoil <ekilfoil@uslec.net>
+#
+# Version: $Id$
+#
+
+VENDOR Juniper 2636
+
+BEGIN-VENDOR Juniper
+
+ATTRIBUTE Juniper-Local-User-Name 1 string
+ATTRIBUTE Juniper-Allow-Commands 2 string
+ATTRIBUTE Juniper-Deny-Commands 3 string
+ATTRIBUTE Juniper-Allow-Configuration 4 string
+ATTRIBUTE Juniper-Deny-Configuration 5 string
+ATTRIBUTE Juniper-Interactive-Command 8 string
+ATTRIBUTE Juniper-Configuration-Change 9 string
+ATTRIBUTE Juniper-User-Permissions 10 string
+
+END-VENDOR Juniper
diff --git a/lib/radius/share/dictionary.microsoft b/lib/radius/share/dictionary.microsoft
new file mode 100644
index 0000000..034e5f0
--- /dev/null
+++ b/lib/radius/share/dictionary.microsoft
@@ -0,0 +1,17 @@
+# A minimal dictionary for Microsoft VSAs
+#
+VENDOR Microsoft 311
+
+BEGIN-VENDOR Microsoft
+ATTRIBUTE MS-CHAP-Response 1 octets
+ATTRIBUTE MS-CHAP-Error 2 string
+ATTRIBUTE MS-MPPE-Encryption-Policy 7 octets
+ATTRIBUTE MS-MPPE-Encryption-Types 8 octets
+ATTRIBUTE MS-CHAP-Domain 10 string
+ATTRIBUTE MS-CHAP-Challenge 11 octets
+ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1
+ATTRIBUTE MS-MPPE-Send-Key 16 octets encrypt=2
+ATTRIBUTE MS-MPPE-Recv-Key 17 octets encrypt=2
+ATTRIBUTE MS-CHAP2-Response 25 octets
+ATTRIBUTE MS-CHAP2-Success 26 octets
+END-VENDOR Microsoft
diff --git a/lib/radius/share/dictionary.txt b/lib/radius/share/dictionary.txt
new file mode 100644
index 0000000..e62f8b3
--- /dev/null
+++ b/lib/radius/share/dictionary.txt
@@ -0,0 +1,136 @@
+ATTRIBUTE User-Name 1 string
+ATTRIBUTE User-Password 2 string encrypt=1
+ATTRIBUTE CHAP-Password 3 octets
+ATTRIBUTE NAS-IP-Address 4 ipaddr
+ATTRIBUTE NAS-Port 5 integer
+ATTRIBUTE Service-Type 6 integer
+ATTRIBUTE Framed-Protocol 7 integer
+ATTRIBUTE Framed-IP-Address 8 ipaddr
+ATTRIBUTE Framed-IP-Netmask 9 ipaddr
+ATTRIBUTE Framed-Routing 10 integer
+ATTRIBUTE Filter-Id 11 string
+ATTRIBUTE Framed-MTU 12 integer
+ATTRIBUTE Framed-Compression 13 integer
+ATTRIBUTE Login-IP-Host 14 ipaddr
+ATTRIBUTE Login-Service 15 integer
+ATTRIBUTE Login-TCP-Port 16 integer
+ATTRIBUTE Reply-Message 18 string
+ATTRIBUTE Callback-Number 19 string
+ATTRIBUTE Callback-Id 20 string
+ATTRIBUTE Framed-Route 22 string
+ATTRIBUTE Framed-IPX-Network 23 ipaddr
+ATTRIBUTE State 24 octets
+ATTRIBUTE Class 25 octets
+ATTRIBUTE Vendor-Specific 26 octets
+ATTRIBUTE Session-Timeout 27 integer
+ATTRIBUTE Idle-Timeout 28 integer
+ATTRIBUTE Termination-Action 29 integer
+ATTRIBUTE Called-Station-Id 30 string
+ATTRIBUTE Calling-Station-Id 31 string
+ATTRIBUTE NAS-Identifier 32 string
+ATTRIBUTE Proxy-State 33 octets
+ATTRIBUTE Login-LAT-Service 34 string
+ATTRIBUTE Login-LAT-Node 35 string
+ATTRIBUTE Login-LAT-Group 36 octets
+ATTRIBUTE Framed-AppleTalk-Link 37 integer
+ATTRIBUTE Framed-AppleTalk-Network 38 integer
+ATTRIBUTE Framed-AppleTalk-Zone 39 string
+ATTRIBUTE CHAP-Challenge 60 octets
+ATTRIBUTE NAS-Port-Type 61 integer
+ATTRIBUTE Port-Limit 62 integer
+ATTRIBUTE Login-LAT-Port 63 string
+ATTRIBUTE Acct-Status-Type 40 integer
+ATTRIBUTE Acct-Delay-Time 41 integer
+ATTRIBUTE Acct-Input-Octets 42 integer
+ATTRIBUTE Acct-Output-Octets 43 integer
+ATTRIBUTE Acct-Session-Id 44 string
+ATTRIBUTE Acct-Authentic 45 integer
+ATTRIBUTE Acct-Session-Time 46 integer
+ATTRIBUTE Acct-Input-Packets 47 integer
+ATTRIBUTE Acct-Output-Packets 48 integer
+ATTRIBUTE Acct-Terminate-Cause 49 integer
+ATTRIBUTE Acct-Multi-Session-Id 50 string
+ATTRIBUTE Acct-Link-Count 51 integer
+ATTRIBUTE Acct-Tunnel-Connection 68 string
+ATTRIBUTE Acct-Tunnel-Packets-Lost 86 integer
+ATTRIBUTE Tunnel-Type 64 integer has_tag
+ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag
+ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag
+ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag
+ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2
+ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
+ATTRIBUTE Tunnel-Assignment-Id 82 string has_tag
+ATTRIBUTE Tunnel-Preference 83 integer has_tag
+ATTRIBUTE Tunnel-Client-Auth-Id 90 string has_tag
+ATTRIBUTE Tunnel-Server-Auth-Id 91 string has_tag
+ATTRIBUTE Acct-Input-Gigawords 52 integer
+ATTRIBUTE Acct-Output-Gigawords 53 integer
+ATTRIBUTE Event-Timestamp 55 date
+ATTRIBUTE ARAP-Password 70 octets[16]
+ATTRIBUTE ARAP-Features 71 octets[14]
+ATTRIBUTE ARAP-Zone-Access 72 integer
+ATTRIBUTE ARAP-Security 73 integer
+ATTRIBUTE ARAP-Security-Data 74 string
+ATTRIBUTE Password-Retry 75 integer
+ATTRIBUTE Prompt 76 integer
+ATTRIBUTE Connect-Info 77 string
+ATTRIBUTE Configuration-Token 78 string
+ATTRIBUTE EAP-Message 79 octets
+ATTRIBUTE Message-Authenticator 80 octets
+ATTRIBUTE ARAP-Challenge-Response 84 octets[8]
+ATTRIBUTE Acct-Interim-Interval 85 integer
+ATTRIBUTE NAS-Port-Id 87 string
+ATTRIBUTE Framed-Pool 88 string
+ATTRIBUTE NAS-IPv6-Address 95 ipv6addr
+ATTRIBUTE Framed-Interface-Id 96 ifid
+ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix
+ATTRIBUTE Login-IPv6-Host 98 ipv6addr
+ATTRIBUTE Framed-IPv6-Route 99 string
+ATTRIBUTE Framed-IPv6-Pool 100 string
+ATTRIBUTE Error-Cause 101 integer
+ATTRIBUTE EAP-Key-Name 102 string
+ATTRIBUTE Chargeable-User-Identity 89 string
+ATTRIBUTE Egress-VLANID 56 integer
+ATTRIBUTE Ingress-Filters 57 integer
+ATTRIBUTE Egress-VLAN-Name 58 string
+ATTRIBUTE User-Priority-Table 59 octets
+ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix
+ATTRIBUTE NAS-Filter-Rule 92 string
+ATTRIBUTE Digest-Response 103 string
+ATTRIBUTE Digest-Realm 104 string
+ATTRIBUTE Digest-Nonce 105 string
+ATTRIBUTE Digest-Response-Auth 106 string
+ATTRIBUTE Digest-Nextnonce 107 string
+ATTRIBUTE Digest-Method 108 string
+ATTRIBUTE Digest-URI 109 string
+ATTRIBUTE Digest-Qop 110 string
+ATTRIBUTE Digest-Algorithm 111 string
+ATTRIBUTE Digest-Entity-Body-Hash 112 string
+ATTRIBUTE Digest-CNonce 113 string
+ATTRIBUTE Digest-Nonce-Count 114 string
+ATTRIBUTE Digest-Username 115 string
+ATTRIBUTE Digest-Opaque 116 string
+ATTRIBUTE Digest-Auth-Param 117 string
+ATTRIBUTE Digest-AKA-Auts 118 string
+ATTRIBUTE Digest-Domain 119 string
+ATTRIBUTE Digest-Stale 120 string
+ATTRIBUTE Digest-HA1 121 string
+ATTRIBUTE SIP-AOR 122 string
+ATTRIBUTE Operator-Name 126 string
+ATTRIBUTE Location-Information 127 octets
+ATTRIBUTE Location-Data 128 octets
+ATTRIBUTE Basic-Location-Policy-Rules 129 octets
+ATTRIBUTE Extended-Location-Policy-Rules 130 octets
+ATTRIBUTE Location-Capable 131 integer
+ATTRIBUTE Requested-Location-Info 132 integer
+ATTRIBUTE Framed-Management 133 integer
+ATTRIBUTE Management-Transport-Protection 134 integer
+ATTRIBUTE Management-Policy-Id 135 string
+ATTRIBUTE Management-Privilege-Level 136 integer
+ATTRIBUTE PKM-SS-Cert 137 octets
+ATTRIBUTE PKM-CA-Cert 138 octets
+ATTRIBUTE PKM-Config-Settings 139 octets
+ATTRIBUTE PKM-Cryptosuite-List 140 octets
+ATTRIBUTE PKM-SAID 141 short
+ATTRIBUTE PKM-SA-Descriptor 142 octets
+ATTRIBUTE PKM-Auth-Key 143 octets
diff --git a/lib/radius/share/dictionary.ukerna b/lib/radius/share/dictionary.ukerna
new file mode 100644
index 0000000..0e35d43
--- /dev/null
+++ b/lib/radius/share/dictionary.ukerna
@@ -0,0 +1,20 @@
+# -*- text -*-
+#
+# GSS-EAP VSAs
+#
+# $Id$
+#
+
+VENDOR UKERNA 25622
+
+BEGIN-VENDOR UKERNA
+
+ATTRIBUTE GSS-Acceptor-Service-Name 128 string
+ATTRIBUTE GSS-Acceptor-Host-Name 129 string
+ATTRIBUTE GSS-Acceptor-Service-Specific 130 string
+ATTRIBUTE GSS-Acceptor-Realm-Name 131 string
+ATTRIBUTE SAML-AAA-Assertion 132 string
+ATTRIBUTE MS-Windows-Auth-Data 133 octets
+ATTRIBUTE MS-Windows-Group-Sid 134 string
+
+END-VENDOR UKERNA
diff --git a/lib/radius/share/dictionary.vendor b/lib/radius/share/dictionary.vendor
new file mode 100644
index 0000000..571dbc4
--- /dev/null
+++ b/lib/radius/share/dictionary.vendor
@@ -0,0 +1,10 @@
+# a sample vendor-specific dictionary
+
+VENDOR example 65535
+
+BEGIN-VENDOR example
+ATTRIBUTE Example-Integer 1 integer
+ATTRIBUTE Example-String 2 string
+ATTRIBUTE Example-IP-Address 3 ipaddr
+
+END-VENDOR example
diff --git a/lib/radius/static.c b/lib/radius/static.c
new file mode 100644
index 0000000..bd87272
--- /dev/null
+++ b/lib/radius/static.c
@@ -0,0 +1,37 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file static.c
+ * \brief Dummy file to include auto-generating static dictionary mappings.
+ */
+
+#include "client.h"
+
+/*
+ * Include the dynamically generated dictionaries.
+ */
+#include "dictionaries.c"
diff --git a/lib/radius/tests/Makefile b/lib/radius/tests/Makefile
new file mode 100644
index 0000000..b9d74ad
--- /dev/null
+++ b/lib/radius/tests/Makefile
@@ -0,0 +1,25 @@
+#
+# GNU Makefile
+#
+.PHONY: all clean
+all: radattr
+
+HEADERS := ../client.h ../radius.h
+CFLAGS := -g
+
+%.o : %.c
+ $(CC) $(CFLAGS) -I.. -I. -c $<
+
+%.o: ${HEADERS}
+
+LIBS := -lcrypto -lssl
+LDFLAGS = -L.. -lnetworkradius-client
+
+../libnetworkradius-client.a:
+ @${MAKE} -C .. libnetworkradius-client.a
+
+radattr: radattr.o ../libnetworkradius-client.a
+ ${CC} ${LFDLAGS} ${LIBS} -o $@ $^
+
+clean:
+ @rm -rf *.o *.a *~
diff --git a/lib/radius/tests/radattr.c b/lib/radius/tests/radattr.c
new file mode 100644
index 0000000..d41499a
--- /dev/null
+++ b/lib/radius/tests/radattr.c
@@ -0,0 +1,769 @@
+/*
+ * Copyright (C) 2011 Network RADIUS SARL <info@networkradius.com>
+ *
+ * This software may not be redistributed in any form without the prior
+ * written consent of Network RADIUS.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <networkradius-devel/client.h>
+
+#include <ctype.h>
+
+#include <assert.h>
+
+static int packet_code = PW_ACCESS_REQUEST;
+static int packet_id = 1;
+static uint8_t packet_vector[16] = { 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0 };
+static char secret[256] = "testing123";
+
+static int encode_tlv(char *buffer, uint8_t *output, size_t outlen);
+
+static const char *hextab = "0123456789abcdef";
+
+static int encode_data_string(char *buffer,
+ uint8_t *output, size_t outlen)
+{
+ int length = 0;
+ char *p;
+
+ p = buffer + 1;
+
+ while (*p && (outlen > 0)) {
+ if (*p == '"') {
+ return length;
+ }
+
+ if (*p != '\\') {
+ *(output++) = *(p++);
+ outlen--;
+ length++;
+ continue;
+ }
+
+ switch (p[1]) {
+ default:
+ *(output++) = p[1];
+ break;
+
+ case 'n':
+ *(output++) = '\n';
+ break;
+
+ case 'r':
+ *(output++) = '\r';
+ break;
+
+ case 't':
+ *(output++) = '\t';
+ break;
+ }
+
+ outlen--;
+ length++;
+ }
+
+ fprintf(stderr, "String is not terminated\n");
+ return 0;
+}
+
+static int encode_data_tlv(char *buffer, char **endptr,
+ uint8_t *output, size_t outlen)
+{
+ int depth = 0;
+ int length;
+ char *p;
+
+ for (p = buffer; *p != '\0'; p++) {
+ if (*p == '{') depth++;
+ if (*p == '}') {
+ depth--;
+ if (depth == 0) break;
+ }
+ }
+
+ if (*p != '}') {
+ fprintf(stderr, "No trailing '}' in string starting "
+ "with \"%s\"\n",
+ buffer);
+ return 0;
+ }
+
+ *endptr = p + 1;
+ *p = '\0';
+
+ p = buffer + 1;
+ while (isspace((int) *p)) p++;
+
+ length = encode_tlv(p, output, outlen);
+ if (length == 0) return 0;
+
+ return length;
+}
+
+static int encode_hex(char *p, uint8_t *output, size_t outlen)
+{
+ int length = 0;
+ while (*p) {
+ char *c1, *c2;
+
+ while (isspace((int) *p)) p++;
+
+ if (!*p) break;
+
+ if(!(c1 = memchr(hextab, tolower((int) p[0]), 16)) ||
+ !(c2 = memchr(hextab, tolower((int) p[1]), 16))) {
+ fprintf(stderr, "Invalid data starting at "
+ "\"%s\"\n", p);
+ return 0;
+ }
+
+ *output = ((c1 - hextab) << 4) + (c2 - hextab);
+ output++;
+ length++;
+ p += 2;
+
+ outlen--;
+ if (outlen == 0) {
+ fprintf(stderr, "Too much data\n");
+ return 0;
+ }
+ }
+
+ return length;
+}
+
+
+static int encode_data(char *p, uint8_t *output, size_t outlen)
+{
+ int length;
+
+ if (!isspace((int) *p)) {
+ fprintf(stderr, "Invalid character following attribute "
+ "definition\n");
+ return 0;
+ }
+
+ while (isspace((int) *p)) p++;
+
+ if (*p == '{') {
+ int sublen;
+ char *q;
+
+ length = 0;
+
+ do {
+ while (isspace((int) *p)) p++;
+ if (!*p) {
+ if (length == 0) {
+ fprintf(stderr, "No data\n");
+ return 0;
+ }
+
+ break;
+ }
+
+ sublen = encode_data_tlv(p, &q, output, outlen);
+ if (sublen == 0) return 0;
+
+ length += sublen;
+ output += sublen;
+ outlen -= sublen;
+ p = q;
+ } while (*q);
+
+ return length;
+ }
+
+ if (*p == '"') {
+ length = encode_data_string(p, output, outlen);
+ return length;
+ }
+
+ length = encode_hex(p, output, outlen);
+
+ if (length == 0) {
+ fprintf(stderr, "Empty string\n");
+ return 0;
+ }
+
+ return length;
+}
+
+static int decode_attr(char *buffer, char **endptr)
+{
+ long attr;
+
+ attr = strtol(buffer, endptr, 10);
+ if (*endptr == buffer) {
+ fprintf(stderr, "No valid number found in string "
+ "starting with \"%s\"\n", buffer);
+ return 0;
+ }
+
+ if (!**endptr) {
+ fprintf(stderr, "Nothing follows attribute number\n");
+ return 0;
+ }
+
+ if ((attr <= 0) || (attr > 256)) {
+ fprintf(stderr, "Attribute number is out of valid "
+ "range\n");
+ return 0;
+ }
+
+ return (int) attr;
+}
+
+static int decode_vendor(char *buffer, char **endptr)
+{
+ long vendor;
+
+ if (*buffer != '.') {
+ fprintf(stderr, "Invalid separator before vendor id\n");
+ return 0;
+ }
+
+ vendor = strtol(buffer + 1, endptr, 10);
+ if (*endptr == (buffer + 1)) {
+ fprintf(stderr, "No valid vendor number found\n");
+ return 0;
+ }
+
+ if (!**endptr) {
+ fprintf(stderr, "Nothing follows vendor number\n");
+ return 0;
+ }
+
+ if ((vendor <= 0) || (vendor > (1 << 24))) {
+ fprintf(stderr, "Vendor number is out of valid range\n");
+ return 0;
+ }
+
+ if (**endptr != '.') {
+ fprintf(stderr, "Invalid data following vendor number\n");
+ return 0;
+ }
+ (*endptr)++;
+
+ return (int) vendor;
+}
+
+static int encode_tlv(char *buffer, uint8_t *output, size_t outlen)
+{
+ int attr;
+ int length;
+ char *p;
+
+ attr = decode_attr(buffer, &p);
+ if (attr == 0) return 0;
+
+ output[0] = attr;
+ output[1] = 2;
+
+ if (*p == '.') {
+ p++;
+ length = encode_tlv(p, output + 2, outlen - 2);
+
+ } else {
+ length = encode_data(p, output + 2, outlen - 2);
+ }
+
+ if (length == 0) return 0;
+ if (length > (255 - 2)) {
+ fprintf(stderr, "TLV data is too long\n");
+ return 0;
+ }
+
+ output[1] += length;
+
+ return length + 2;
+}
+
+static int encode_vsa(char *buffer, uint8_t *output, size_t outlen)
+{
+ int vendor;
+ int length;
+ char *p;
+
+ vendor = decode_vendor(buffer, &p);
+ if (vendor == 0) return 0;
+
+ output[0] = 0;
+ output[1] = (vendor >> 16) & 0xff;
+ output[2] = (vendor >> 8) & 0xff;
+ output[3] = vendor & 0xff;
+
+ length = encode_tlv(p, output + 4, outlen - 4);
+ if (length == 0) return 0;
+ if (length > (255 - 6)) {
+ fprintf(stderr, "VSA data is too long\n");
+ return 0;
+ }
+
+
+ return length + 4;
+}
+
+static int encode_evs(char *buffer, uint8_t *output, size_t outlen)
+{
+ int vendor;
+ int attr;
+ int length;
+ char *p;
+
+ vendor = decode_vendor(buffer, &p);
+ if (vendor == 0) return 0;
+
+ attr = decode_attr(p, &p);
+ if (attr == 0) return 0;
+
+ output[0] = 0;
+ output[1] = (vendor >> 16) & 0xff;
+ output[2] = (vendor >> 8) & 0xff;
+ output[3] = vendor & 0xff;
+ output[4] = attr;
+
+ length = encode_data(p, output + 5, outlen - 5);
+ if (length == 0) return 0;
+
+ return length + 5;
+}
+
+static int encode_extended(char *buffer,
+ uint8_t *output, size_t outlen)
+{
+ int attr;
+ int length;
+ char *p;
+
+ attr = decode_attr(buffer, &p);
+ if (attr == 0) return 0;
+
+ output[0] = attr;
+
+ if (attr == 26) {
+ length = encode_evs(p, output + 1, outlen - 1);
+ } else {
+ length = encode_data(p, output + 1, outlen - 1);
+ }
+ if (length == 0) return 0;
+ if (length > (255 - 3)) {
+ fprintf(stderr, "Extended Attr data is too long\n");
+ return 0;
+ }
+
+ return length + 1;
+}
+
+static int encode_extended_flags(char *buffer,
+ uint8_t *output, size_t outlen)
+{
+ int attr;
+ int length, total;
+ char *p;
+
+ attr = decode_attr(buffer, &p);
+ if (attr == 0) return 0;
+
+ /* output[0] is the extended attribute */
+ output[1] = 4;
+ output[2] = attr;
+ output[3] = 0;
+
+ if (attr == 26) {
+ length = encode_evs(p, output + 4, outlen - 4);
+ if (length == 0) return 0;
+
+ output[1] += 5;
+ length -= 5;
+ } else {
+ length = encode_data(p, output + 4, outlen - 4);
+ }
+ if (length == 0) return 0;
+
+ total = 0;
+ while (1) {
+ int sublen = 255 - output[1];
+
+ if (length <= sublen) {
+ output[1] += length;
+ total += output[1];
+ break;
+ }
+
+ length -= sublen;
+
+ memmove(output + 255 + 4, output + 255, length);
+ memcpy(output + 255, output, 4);
+
+ output[1] = 255;
+ output[3] |= 0x80;
+
+ output += 255;
+ output[1] = 4;
+ total += 255;
+ }
+
+ return total;
+}
+
+static int encode_rfc(char *buffer, uint8_t *output, size_t outlen)
+{
+ int attr;
+ int length, sublen;
+ char *p;
+
+ attr = decode_attr(buffer, &p);
+ if (attr == 0) return 0;
+
+ length = 2;
+ output[0] = attr;
+ output[1] = 2;
+
+ if (attr == 26) {
+ sublen = encode_vsa(p, output + 2, outlen - 2);
+
+ } else if ((attr < 241) || (attr > 246)) {
+ sublen = encode_data(p, output + 2, outlen - 2);
+
+ } else {
+ if (*p != '.') {
+ fprintf(stderr, "Invalid data following "
+ "attribute number\n");
+ return 0;
+ }
+
+ if (attr < 245) {
+ sublen = encode_extended(p + 1,
+ output + 2, outlen - 2);
+ } else {
+
+ /*
+ * Not like the others!
+ */
+ return encode_extended_flags(p + 1, output, outlen);
+ }
+ }
+ if (sublen == 0) return 0;
+ if (sublen > (255 -2)) {
+ fprintf(stderr, "RFC Data is too long\n");
+ return 0;
+ }
+
+ output[1] += sublen;
+ return length + sublen;
+}
+
+static int walk_callback(void *ctx, const DICT_ATTR *da,
+ const uint8_t *data, size_t sizeof_data)
+{
+ char **p = ctx;
+
+ sprintf(*p, "v%u a%u l%ld,",
+ da->vendor, da->attr, sizeof_data);
+
+ *p += strlen(*p);
+}
+
+static void process_file(const char *filename)
+{
+ int lineno, rcode;
+ size_t i, outlen;
+ ssize_t len, data_len;
+ FILE *fp;
+ RADIUS_PACKET packet;
+ char input[8192], buffer[8192];
+ char output[8192];
+ uint8_t *attr, data[2048];
+
+ if (strcmp(filename, "-") == 0) {
+ fp = stdin;
+ filename = "<stdin>";
+
+ } else {
+ fp = fopen(filename, "r");
+ if (!fp) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
+ }
+
+ lineno = 0;
+ *output = '\0';
+ data_len = 0;
+
+ while (fgets(buffer, sizeof(buffer), fp) != NULL) {
+ char *p = strchr(buffer, '\n');
+ VALUE_PAIR *vp, *head = NULL;
+ VALUE_PAIR **tail = &head;
+
+ lineno++;
+
+ if (!p) {
+ if (!feof(fp)) {
+ fprintf(stderr, "Line %d too long in %s\n",
+ lineno, filename);
+ exit(1);
+ }
+ } else {
+ *p = '\0';
+ }
+
+ p = strchr(buffer, '#');
+ if (p) *p = '\0';
+
+ p = buffer;
+ while (isspace((int) *p)) p++;
+ if (!*p) continue;
+
+ strcpy(input, p);
+
+ if (strncmp(p, "raw ", 4) == 0) {
+ outlen = encode_rfc(p + 4, data, sizeof(data));
+ if (outlen == 0) {
+ fprintf(stderr, "Parse error in line %d of %s\n",
+ lineno, filename);
+ exit(1);
+ }
+
+ print_hex:
+ if (outlen == 0) {
+ output[0] = 0;
+ continue;
+ }
+
+ data_len = outlen;
+ for (i = 0; i < outlen; i++) {
+ snprintf(output + 3*i, sizeof(output),
+ "%02x ", data[i]);
+ }
+ outlen = strlen(output);
+ output[outlen - 1] = '\0';
+ continue;
+ }
+
+ if (strncmp(p, "data ", 5) == 0) {
+ if (strcmp(p + 5, output) != 0) {
+ fprintf(stderr, "Mismatch in line %d of %s, expected: %s\n",
+ lineno, filename, output);
+ exit(1);
+ }
+ continue;
+ }
+
+ head = NULL;
+ if (strncmp(p, "encode ", 7) == 0) {
+ if (strcmp(p + 7, "-") == 0) {
+ p = output;
+ } else {
+ p += 7;
+ }
+
+ rcode = nr_vp_sscanf(p, &head);
+ if (rcode < 0) {
+ strcpy(output, nr_strerror(rcode));
+ continue;
+ }
+
+ attr = data;
+ vp = head;
+ while (vp != NULL) {
+ len = nr_vp2attr(NULL, NULL, &vp,
+ attr, sizeof(data) - (attr - data));
+ if (len < 0) {
+ fprintf(stderr, "Failed encoding %s: %s\n",
+ vp->da->name, nr_strerror(len));
+ exit(1);
+ }
+
+ attr += len;
+ if (len == 0) break;
+ }
+
+ nr_vp_free(&head);
+ outlen = len;
+ goto print_hex;
+ }
+
+ if (strncmp(p, "decode ", 7) == 0) {
+ ssize_t my_len;
+
+ if (strcmp(p + 7, "-") == 0) {
+ attr = data;
+ len = data_len;
+ } else {
+ attr = data;
+ len = encode_hex(p + 7, data, sizeof(data));
+ if (len == 0) {
+ fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+ exit(1);
+ }
+ }
+
+ while (len > 0) {
+ vp = NULL;
+ my_len = nr_attr2vp(NULL, NULL,
+ attr, len, &vp);
+ if (my_len < 0) {
+ nr_vp_free(&head);
+ break;
+ }
+
+ if (my_len > len) {
+ fprintf(stderr, "Internal sanity check failed at %d\n", __LINE__);
+ exit(1);
+ }
+
+ *tail = vp;
+ while (vp) {
+ tail = &(vp->next);
+ vp = vp->next;
+ }
+
+ attr += my_len;
+ len -= my_len;
+ }
+
+ /*
+ * Output may be an error, and we ignore
+ * it if so.
+ */
+ if (head) {
+ p = output;
+ for (vp = head; vp != NULL; vp = vp->next) {
+ nr_vp_snprintf(p, sizeof(output) - (p - output), vp);
+ p += strlen(p);
+
+ if (vp->next) {strcpy(p, ", ");
+ p += 2;
+ }
+ }
+
+ nr_vp_free(&head);
+ } else if (my_len < 0) {
+ strcpy(output, nr_strerror(my_len));
+
+ } else { /* zero-length attribute */
+ *output = '\0';
+ }
+ continue;
+ }
+
+ if (strncmp(p, "walk ", 5) == 0) {
+ len = encode_hex(p + 5, data + 20, sizeof(data) - 20);
+
+ if (len == 0) {
+ fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+ exit(1);
+ }
+
+ memset(data, 0, 20);
+ packet.data = data;
+ packet.length = len + 20;
+ packet.data[2] = ((len + 20) >> 8) & 0xff;
+ packet.data[3] = (len + 20) & 0xff;
+
+ *output = '\0';
+ p = output;
+
+ rcode = nr_packet_walk(&packet, &p, walk_callback);
+ if (rcode < 0) {
+ snprintf(output, sizeof(output), "%d", rcode);
+ continue;
+ }
+
+ if (*output) output[strlen(output) - 1] = '\0';
+ continue;
+ }
+
+ if (strncmp(p, "$INCLUDE ", 9) == 0) {
+ p += 9;
+ while (isspace((int) *p)) p++;
+
+ process_file(p);
+ continue;
+ }
+
+ if (strncmp(p, "secret ", 7) == 0) {
+ strlcpy(secret, p + 7, sizeof(secret));
+ strlcpy(output, secret, sizeof(output));
+ continue;
+ }
+
+ if (strncmp(p, "code ", 5) == 0) {
+ packet_code = atoi(p + 5);
+ snprintf(output, sizeof(output), "%u", packet_code);
+ continue;
+ }
+
+ if (strncmp(p, "sign ", 5) == 0) {
+ len = encode_hex(p + 5, data + 20, sizeof(data) - 20);
+ if (len == 0) {
+ fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename);
+ exit(1);
+ }
+
+ memset(&packet, 0, sizeof(packet));
+ packet.secret = secret;
+ packet.sizeof_secret = strlen(secret);
+ packet.code = packet_code;
+ packet.id = packet_id;
+ memcpy(packet.vector, packet_vector, 16);
+ packet.data = data;
+ packet.length = len + 20;
+
+ /*
+ * Hack encode the packet.
+ */
+ packet.data[0] = packet_code;
+ packet.data[1] = packet_id;
+ packet.data[2] = ((len + 20) >> 8) & 0xff;
+ packet.data[3] = (len + 20) & 0xff;
+ memcpy(packet.data + 4, packet_vector, 16);
+
+ rcode = nr_packet_sign(&packet, NULL);
+ if (rcode < 0) {
+ snprintf(output, sizeof(output), "%d", rcode);
+ continue;
+ }
+
+ memcpy(data, packet.vector, sizeof(packet.vector));
+ outlen = sizeof(packet.vector);
+ goto print_hex;
+ }
+
+ fprintf(stderr, "Unknown input at line %d of %s\n",
+ lineno, filename);
+ exit(1);
+ }
+
+ if (fp != stdin) fclose(fp);
+}
+
+int main(int argc, char *argv[])
+{
+ int c;
+
+ if (argc < 2) {
+ process_file("-");
+
+ } else {
+ process_file(argv[1]);
+ }
+
+ return 0;
+}
diff --git a/lib/radius/tests/rfc.txt b/lib/radius/tests/rfc.txt
new file mode 100644
index 0000000..d8bd613
--- /dev/null
+++ b/lib/radius/tests/rfc.txt
@@ -0,0 +1,144 @@
+# All attribute lengths are implicit, and are calculated automatically
+#
+# Input is of the form:
+#
+# WORD ...
+#
+# The WORD is a keyword which indicates the format of the following text.
+# WORD is one of:
+#
+# raw - read the grammar defined below, and encode an attribute.
+# The grammer supports a trivial way of describing RADIUS
+# attributes, without reference to dictionaries or fancy
+# parsers
+#
+# encode - reads "Attribute-Name = value", encodes it, and prints
+# the result as text.
+# use "-" to encode the output of the last command
+#
+# decode - reads hex, and decodes it "Attribute-Name = value"
+# use "-" to decode the output of the last command
+#
+# data - the expected output of the previous command, in ASCII form.
+# if the actual command output is different, an error message
+# is produced, and the program terminates.
+#
+#
+# The "raw" input satisfies the following grammar:
+#
+# Identifier = 1*DIGIT *( "." 1*DIGIT )
+#
+# HEXCHAR = HEXDIG HEXDIG
+#
+# STRING = DQUOTE *CHAR DQUOTE
+#
+# TLV = "{" 1*DIGIT DATA "}"
+#
+# DATA = 1*HEXCHAR / 1*TLV / STRING
+#
+# LINE = Identifier DATA
+#
+# The "Identifier" is a RADIUS attribute identifier, as given in the draft.
+#
+# e.g. 1 for User-Name
+# 26.9.1 Vendor-Specific, Cisco, Cisco-AVPAir
+# 241.1 Extended Attribute, number 1
+# 241.2.3 Extended Attribute 2, data type TLV, TLV type 3
+# etc.
+#
+# The "DATA" portion is the contents of the RADIUS Attribute.
+#
+# 123456789abcdef hex string
+# 12 34 56 ab with spaces for clarity
+# "hello" Text string
+# { 1 abcdef } TLV, TLV-Type 1, data "abcdef"
+#
+# TLVs can be nested:
+#
+# { tlv-type { tlv-type data } } { 3 { 4 01020304 } }
+#
+# TLVs can be concatencated
+#
+# {tlv-type data } { tlv-type data} { 3 040506 } { 8 aabbcc }
+#
+# The "raw" data is encoded without reference to dictionaries. Any
+# valid string is parsed to a RADIUS attribute. The resulting RADIUS
+# attribute *may not* be correctly formatted to the relevant RADIUS
+# specifications. i.e. you can use this tool to create attribute 1
+# (User-Name), which is encoded as a series of TLVs. That's up to you.
+#
+# The purpose of the "raw" command is to have a simple way of encoding
+# attributes which is independent of any dictionaries or packet processing
+# routines.
+#
+# The output data is the hex version of the encoded attribute.
+#
+
+encode User-Name = bob
+data 01 05 62 6f 62
+
+decode -
+data User-Name = "bob"
+
+decode 01 05 62 6f 62
+data User-Name = "bob"
+
+#
+# The Type/Length is OK, but the attribute data is of the wrong size.
+#
+decode 04 04 ab cd
+data Attr-4 = 0xabcd
+
+# Zero-length attributes
+decode 01 02
+data
+
+# don't encode zero-length attributes
+#encode User-Name = ""
+#data
+
+# except for CUI. Thank you, WiMAX!
+decode 59 02
+data Chargeable-User-Identity = ""
+
+# Hah! Thought you had it figured out, didn't you?
+#encode -
+#data 59 02
+
+encode NAS-Port = 10
+data 05 06 00 00 00 0a
+
+decode -
+data NAS-Port = 10
+
+walk 05 06 00 00 00 0a
+data v0 a5 l4
+
+walk 05 06 00 00 00 0a 02 06 00 00 00 0a
+data v0 a5 l4,v0 a2 l4
+
+walk 1a 0c 00 00 00 01 05 06 00 00 00 0a
+data v1 a5 l4
+
+walk 1a 12 00 00 00 01 05 06 00 00 00 0a 03 06 00 00 00 0a
+data v1 a5 l4,v1 a3 l4
+
+# Access-Request, code 1, authentication vector of zero
+sign 05 06 00 00 00 0a
+data 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+code 4
+
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
+
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
+
+secret hello
+sign 05 06 00 00 00 0a
+data 69 20 c0 b9 e1 2f 12 54 9f 92 16 5e f4 64 9b fd
+
+secret testing123
+sign 05 06 00 00 00 0a
+data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68
diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c
new file mode 100644
index 0000000..6277f7d
--- /dev/null
+++ b/lib/radius/valuepair.c
@@ -0,0 +1,191 @@
+/*
+Copyright (c) 2011, Network RADIUS SARL
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * Neither the name of the <organization> nor the
+ names of its contributors may be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/** \file valuepair.c
+ * \brief Functions to manipulate C structure versions of RADIUS attributes.
+ */
+
+#include "client.h"
+
+void nr_vp_free(VALUE_PAIR **head)
+{
+ VALUE_PAIR *next, *vp;
+
+ for (vp = *head; vp != NULL; vp = next) {
+ next = vp->next;
+ if (vp->da->flags.encrypt) {
+ memset(vp, 0, sizeof(vp));
+ }
+ free(vp);
+ }
+
+ *head = NULL;
+}
+
+
+VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da)
+{
+ memset(vp, 0, sizeof(*vp));
+
+ vp->da = da;
+ vp->length = da->flags.length;
+
+ return vp;
+}
+
+
+VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da)
+{
+ VALUE_PAIR *vp = NULL;
+
+ if (!da) {
+ nr_strerror_printf("Unknown attribute");
+ return NULL;
+ }
+
+ vp = malloc(sizeof(*vp));
+ if (!vp) {
+ nr_strerror_printf("Out of memory");
+ return NULL;
+ }
+
+ return nr_vp_init(vp, da);
+}
+
+VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor)
+{
+ VALUE_PAIR *vp = NULL;
+ DICT_ATTR *da;
+
+ vp = malloc(sizeof(*vp) + sizeof(*da) + 64);
+ if (!vp) {
+ nr_strerror_printf("Out of memory");
+ return NULL;
+ }
+ memset(vp, 0, sizeof(*vp));
+
+ da = (DICT_ATTR *) (vp + 1);
+
+ if (nr_dict_attr_2struct(da, attr, vendor, (char *) (da + 1), 64) < 0) {
+ free(vp);
+ return NULL;
+ }
+
+ vp->da = da;
+
+ return vp;
+}
+
+int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data)
+{
+ int rcode = 1; /* OK */
+
+ if (!vp || !data || (sizeof_data == 0)) return -RSE_INVAL;
+
+ switch (vp->da->type) {
+ case RS_TYPE_BYTE:
+ vp->vp_integer = *(const uint8_t *) data;
+ break;
+
+ case RS_TYPE_SHORT:
+ vp->vp_integer = *(const uint16_t *) data;
+ break;
+
+ case RS_TYPE_INTEGER:
+ case RS_TYPE_DATE:
+ case RS_TYPE_IPADDR:
+ vp->vp_integer = *(const uint32_t *) data;
+ break;
+
+ case RS_TYPE_STRING:
+ if (sizeof_data >= sizeof(vp->vp_strvalue)) {
+ sizeof_data = sizeof(vp->vp_strvalue) - 1;
+ rcode = 0; /* truncated */
+ }
+
+ memcpy(vp->vp_strvalue, (const char *) data, sizeof_data);
+ vp->vp_strvalue[sizeof_data + 1] = '\0';
+ vp->length = sizeof_data;
+ break;
+
+ case RS_TYPE_OCTETS:
+ if (sizeof_data > sizeof(vp->vp_octets)) {
+ sizeof_data = sizeof(vp->vp_octets);
+ rcode = 0; /* truncated */
+ }
+ memcpy(vp->vp_octets, data, sizeof_data);
+ vp->length = sizeof_data;
+ break;
+
+ default:
+ return -RSE_ATTR_TYPE_UNKNOWN;
+ }
+
+ return rcode;
+}
+
+VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, size_t data_len)
+{
+ const DICT_ATTR *da;
+ VALUE_PAIR *vp;
+
+ da = nr_dict_attr_byvalue(attr, vendor);
+ if (!da) return NULL;
+
+ vp = nr_vp_alloc(da);
+ if (!vp) return NULL;
+
+ if (nr_vp_set_data(vp, data, data_len) < 0) {
+ nr_vp_free(&vp);
+ return NULL;
+ }
+
+ return vp;
+}
+
+void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *tail)
+{
+ if (!tail) return;
+
+ while (*head) {
+ head = &((*head)->next);
+ }
+
+ *head = tail;
+}
+
+VALUE_PAIR *nr_vps_find(VALUE_PAIR *head,
+ unsigned int attr, unsigned int vendor)
+{
+ while (head) {
+ if ((head->da->attr == attr) &&
+ (head->da->vendor == vendor)) return head;
+ head = head->next;
+ }
+
+ return NULL;
+}