vcargats · vcargats · Mar 23, 2021 · Mar 23, 2021 · Mar 23, 2021 · Mar 23, 2021
diff --git a/Makefile b/Makefile
@@ -92,7 +92,8 @@ $(BUILD_DIR)/tests/radiusd-c: raddb/test.conf ${BUILD_DIR}/bin/radiusd | build.r
 	@echo "ok"
 	@touch $@
 
-test: ${BUILD_DIR}/bin/radiusd ${BUILD_DIR}/bin/radclient tests.unit tests.xlat tests.keywords tests.auth $(BUILD_DIR)/tests/radiusd-c | build.raddb
+test: ${BUILD_DIR}/bin/radiusd ${BUILD_DIR}/bin/radclient tests.unit tests.xlat \
+	tests.keywords tests.auth tests.radsec $(BUILD_DIR)/tests/radiusd-c | build.raddb
 	@$(MAKE) -C src/tests tests
 
 #  Tests specifically for CI.  We do a LOT more than just

diff --git a/doc/source/Doxyfile b/doc/source/Doxyfile
@@ -1939,6 +1939,7 @@ PREDEFINED             = WITH_PROXY \
                          WITH_STATS \
                          WITH_COMMAND_SOCKET \
                          WITH_COA \
+                         WITH_COA_SINGLE_TUNNEL \
                          WITH_TCP \
                          WITH_DHCP \
                          WITH_VMPS \

diff --git a/raddb/proxy.conf b/raddb/proxy.conf
@@ -146,12 +146,16 @@ home_server localhost {
 	#  or Accounting-Request packets.
 	#
 	#  Allowed values are:
-	#	auth	  - Handles Access-Request packets
-	#	acct	  - Handles Accounting-Request packets
-	#	auth+acct - Handles Access-Request packets at "port",
-	#		    and Accounting-Request packets at "port + 1"
-	#	coa	  - Handles CoA-Request and Disconnect-Request packets.
-	#		    See also raddb/sites-available/originate-coa
+	#	auth		- Handles Access-Request packets
+	#	acct		- Handles Accounting-Request packets
+	#	auth+acct	- Handles Access-Request packets at "port",
+	#		  	  and Accounting-Request packets at "port + 1"
+	#	auth+coa	- Handles packets as specified for auth type
+	#			  and handles incoming CoA-Request and Disconnect-Request packets
+	#	auth+acct+coa	- Handles packets as specified for auth+acct type
+	#			  and handles incoming CoA-Request and Disconnect-Request packets
+	#	coa		- Handles outgoing CoA-Request and Disconnect-Request packets.
+	#		  	  See also raddb/sites-available/originate-coa
 	type = auth
 
 	#
@@ -441,9 +445,10 @@ home_server localhost {
 	max_outstanding = 65536
 
 	#
-	#  The configuration items in the next sub-section are used ONLY
-	#  when "type = coa".  It is ignored for all other type of home
-	#  servers.
+	#  The configuration items in the next sub-section are used ONLY when
+	#  "type = coa/auth+coa/auth+acct+coa".  It is ignored for all other type of
+	#  home servers. For auth+coa/auth+acct+coa types the virtual server
+	#  configuration is relevant only.
 	#
 	#  See RFC 5080 for the definitions of the following terms.
 	#  RAND is a function (internal to FreeRADIUS) returning
@@ -477,6 +482,13 @@ home_server localhost {
 
 		# Maximum Retransmit Duration: 5..60
 		mrd = 30
+
+		#  A virtual_server may be specified here for types auth+coa and
+		#  auth+acct+coa. If the virtual server is specified, a "recv-coa"
+		#  section is called when CoA-Request or Disconnect-Request are received
+		#  and a "send-coa" section is called when the CoA-ACK/NAK or
+		#  Disconnect-ACK/NAK are sent.
+		#virtual_server = pre_post_proxy
 	}
 
 	#

diff --git a/raddb/sites-available/coa-relay b/raddb/sites-available/coa-relay
@@ -202,6 +202,9 @@ server coa-buffered-reader {
 						&COA-Packet-DST-IP-Address
 					disconnect:Packet-DST-Port := \
 						&COA-Packet-DST-Port
+					# Alternatively TCP-Session-Key may be specified
+					#disconnect:TCP-Session-Key := \
+					#	&Operator-NAS-Identifier
 					disconnect:Acct-Session-Id := \
 						&COA-Acct-Session-Id
 
@@ -224,6 +227,9 @@ server coa-buffered-reader {
 						&COA-Packet-DST-IP-Address
 					coa:Packet-DST-Port := \
 						&COA-Packet-DST-Port
+					# Alternatively TCP-Session-Key may be specified
+					#coa:TCP-Session-Key := \
+					#	&Operator-NAS-Identifier
 					coa:Acct-Session-Id := \
 						&COA-Acct-Session-Id
 

diff --git a/raddb/sites-available/default b/raddb/sites-available/default
@@ -61,7 +61,7 @@ listen {
 	#  Allowed values are:
 	#	auth	listen for authentication packets
 	#	acct	listen for accounting packets
-	#       auth+acct listen for both authentication and accounting packets
+	#	auth+acct listen for both authentication and accounting packets
 	#	proxy   IP to use for sending proxied packets
 	#	detail  Read from the detail file.  For examples, see
 	#               raddb/sites-available/copy-acct-to-home-server
@@ -463,9 +463,12 @@ authorize {
 	#  through the following section, and ONLY the following section.
 	#  This permits you to do DB queries, for example.  If the modules
 	#  listed here return "fail", then NO response is sent.
+	#  For auth+coa and auth+acct+coa listeners we may set up TCP-Session-Key.
 	#
 #	Autz-Type Status-Server {
-#
+#		update control {
+#			TCP-Session-Key := &Operator-NAS-Identifier
+#		}
 #	}
 }
 

diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
@@ -46,13 +46,20 @@ listen {
 	port = 2083
 
 	#
-	#  TCP and TLS sockets can accept Access-Request and
-	#  Accounting-Request on the same socket.
+	#  TCP and TLS sockets can accept Access-Request, Accounting-Request.
+	#  TLS socket may also send CoA-Request, Disconnect-Request and accept
+	#  CoA-ACK/NAK, Disconnect-ACK/NAK on the same socket.
 	#
-	#	auth	  = only Access-Request
-	#	acct	  = only Accounting-Request
-	#	auth+acct = both
-	*	coa	  = only CoA / Disconnect requests
+	#	auth		= only Access-Request
+	#	auth+coa	= Access-Request and
+	#			  send CoA-Requet and Disconnect-Request, and
+	#			  accept CoA-ACK/NAK, Disconnect-ACK/NAK
+	#	acct		= only Accounting-Request
+	#	auth+acct	= both Access-Request and Accounting-Request
+	#	auth+acct+coa	= all: Access-Request, Accounting-Request, and
+	#			  send CoA-Requet and Disconnect-Request, and
+	#			  accept CoA-ACK/NAK, Disconnect-ACK/NAK
+	#	coa		= only CoA / Disconnect requests
 	#
 	type = auth+acct
 
@@ -391,6 +398,15 @@ listen {
 	#    		client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
 		}
 	}
+
+	#  CoA specific parameters for auth+coa and auth+acct+coa types.  See
+	#  raddb/proxy.conf for details.
+	coa {
+		irt = 2
+		mrt = 16
+		mrc = 5
+		mrd = 30
+	}
 }
 
 clients radsec {
@@ -443,7 +459,7 @@ home_server tls {
 	port = 2083
 
 	# type can be the same types as for the "listen" section/
-	# e.g. auth, acct, auth+acct, coa
+	# e.g. auth, acct, auth+acct, auth+coa, auth+acct+coa, coa
 	type = auth
 	secret = radsec
 	proto = tcp

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
@@ -287,6 +287,8 @@ ATTRIBUTE	SSHA3-512-Password			1185	octets
 ATTRIBUTE	MS-CHAP-Peer-Challenge			1192	octets
 ATTRIBUTE	Home-Server-Name			1193	string
 
+ATTRIBUTE	TCP-Session-Key				1194	string
+
 #
 #	Range:	1200-1279
 #		EAP-SIM (and other EAP type) weirdness.

diff --git a/src/include/features-h b/src/include/features-h
@@ -65,3 +65,17 @@
 #    endif
 #  endif
 #endif
+
+#ifndef WITHOUT_COA_SINGLE_TUNNEL
+#  define WITH_COA_SINGLE_TUNNEL (1)
+#  ifndef WITH_COA
+#    error WITH_COA_SINGLE_TUNNEL requires WITH_COA
+#  endif
+#  ifndef WITH_TCP
+#    error WITH_COA_SINGLE_TUNNEL requires WITH_TCP
+#  endif
+#  ifndef WITH_TLS
+#    error WITH_COA_SINGLE_TUNNEL requires WITH_TLS
+#  endif
+#endif
+
diff --git a/src/include/listen.h b/src/include/listen.h
@@ -73,6 +73,16 @@ struct rad_listen {
 	bool		dual;
 	rbtree_t	*children;
 	rad_listen_t	*parent;
+#   ifdef WITH_COA_SINGLE_TUNNEL
+	bool		with_coa;
+	char const	*key;	/* TCP-Session-Key */
+
+	uint32_t	coa_irt;
+	uint32_t	coa_mrc;
+	uint32_t	coa_mrt;
+	uint32_t	coa_mrd;
+#   endif /* WITH_COA_SINGLE_TUNNEL */
+
 #endif
 	bool		nodup;
 	bool		synchronous;
@@ -83,9 +93,16 @@ struct rad_listen {
 #endif
 
 	rad_listen_recv_t recv;
+
 	rad_listen_send_t send;
+	rad_listen_send_t send_proxy;
+
 	rad_listen_encode_t encode;
+	rad_listen_encode_t encode_proxy;
+
 	rad_listen_decode_t decode;
+	rad_listen_decode_t decode_proxy;
+
 	rad_listen_print_t print;
 
 	CONF_SECTION const *cs;
@@ -118,7 +135,8 @@ typedef struct listen_socket_t {
 	uint32_t	rate_pps_now;
 	uint32_t	max_rate;
 
-	/* for outgoing sockets */
+	/* for outgoing sockets,
+	 * home is used for incoming socket as well if type is auth+coa/auth+acct+coa */
 	home_server_t	*home;
 	fr_ipaddr_t	other_ipaddr;
 	uint16_t	other_port;
@@ -134,6 +152,7 @@ typedef struct listen_socket_t {
 	fr_socket_limit_t limit;
 
 	struct listen_socket_t *parent;
+	/* for outgoing sockets as well if type is auth+coa/auth+acct+coa */
 	RADCLIENT	*client;
 
 	RADIUS_PACKET   *packet; /* for reading partial packets */

diff --git a/src/include/radiusd.h b/src/include/radiusd.h
@@ -562,6 +562,7 @@ void hup_logfile(void);
 
 /* listen.c */
 void listen_free(rad_listen_t **head);
+void listen_destroy(void);
 int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag);
 rad_listen_t *proxy_new_listener(TALLOC_CTX *ctx, home_server_t *home, uint16_t src_port);
 RADCLIENT *client_listener_find(rad_listen_t *listener, fr_ipaddr_t const *ipaddr, uint16_t src_port);
@@ -570,6 +571,11 @@ RADCLIENT *client_listener_find(rad_listen_t *listener, fr_ipaddr_t const *ipadd
 RADCLIENT_LIST *listener_find_client_list(fr_ipaddr_t const *ipaddr, uint16_t port, int proto);
 #endif
 rad_listen_t *listener_find_byipaddr(fr_ipaddr_t const *ipaddr, uint16_t port, int proto);
+#ifdef WITH_COA_SINGLE_TUNNEL
+void listener_store_bykey(rad_listen_t *listener, const char *newkey);
+rad_listen_t *listener_find_bykey(char const *key, size_t *listcount);
+rad_listen_t *listener_find_byaddr(fr_ipaddr_t const *ipaddr, uint16_t port, size_t *listcount);
+#endif
 int rad_status_server(REQUEST *request);
 
 /* event.c */
@@ -605,6 +611,10 @@ int dual_tls_recv(rad_listen_t *listener);
 int dual_tls_send(rad_listen_t *listener, REQUEST *request);
 int proxy_tls_recv(rad_listen_t *listener);
 int proxy_tls_send(rad_listen_t *listener, REQUEST *request);
+#ifdef WITH_COA_SINGLE_TUNNEL
+int dual_tls_send_req(rad_listen_t *listener, REQUEST *request);
+int proxy_tls_send_reply(rad_listen_t *listener, REQUEST *request);
+#endif
 #endif
 
 /*

diff --git a/src/include/realms.h b/src/include/realms.h
@@ -19,11 +19,15 @@ extern bool home_servers_udp;	//!< Whether there are any UDP home servers
 
 typedef enum {
 	HOME_TYPE_INVALID = 0,
-	HOME_TYPE_AUTH,		//!< Authentication server
-	HOME_TYPE_ACCT,		//!< Accounting server
-	HOME_TYPE_AUTH_ACCT	//!< Authentication and accounting server
+	HOME_TYPE_AUTH,		    //!< Authentication server
+	HOME_TYPE_ACCT,		    //!< Accounting server
+	HOME_TYPE_AUTH_ACCT	    //!< Authentication and accounting server
 
 #ifdef WITH_COA
+#ifdef WITH_COA_SINGLE_TUNNEL
+	,HOME_TYPE_AUTH_COA	    //!< Authentication server and CoA client
+	,HOME_TYPE_AUTH_ACCT_COA    //!< Authentication, accounting server and CoA client
+#endif
 	,HOME_TYPE_COA		//!< CoA destination (NAS or Proxy)
 #endif
 } home_type_t;
@@ -59,6 +63,9 @@ typedef struct home_server {
 							//!< stats or when specifying home servers for a pool.
 
 	bool			dual;			//!< One of a pair of homeservers on consecutive ports.
+#ifdef WITH_COA_SINGLE_TUNNEL
+	bool			with_coa;		//!< Accept CoA requests from the home server
+#endif
 	bool			dynamic;		//!< is this a dynamically added home server?
 	char const		*server;		//!< For internal proxying
 	char const		*parent_server;
@@ -120,6 +127,9 @@ typedef struct home_server {
 	uint32_t		coa_mrc;
 	uint32_t		coa_mrt;
 	uint32_t		coa_mrd;
+#   ifdef WITH_COA_SINGLE_TUNNEL
+	char const		*coa_server;		//!< For accepting incoming coa requests
+#   endif
 #endif
 #ifdef WITH_TLS
 	fr_tls_server_conf_t	*tls;

diff --git a/src/lib/packet.c b/src/lib/packet.c
@@ -697,6 +697,14 @@ bool fr_packet_list_id_alloc(fr_packet_list_t *pl, int proto,
 		 */
 		if (ps->num_outgoing == 256) continue;
 
+#ifdef WITH_COA_SINGLE_TUNNEL
+		if(pctx && *pctx) {
+			if(ps->ctx == *pctx) goto skip_search;
+
+			continue;
+		}
+#endif
+
 #ifdef WITH_TCP
 		if (ps->proto != proto) continue;
 #endif
@@ -760,6 +768,9 @@ bool fr_packet_list_id_alloc(fr_packet_list_t *pl, int proto,
 		 *	Otherwise, this socket is OK to use.
 		 */
 
+#ifdef WITH_COA_SINGLE_TUNNEL
+skip_search:
+#endif
 		/*
 		 *	Look for a free Id, starting from a random number.
 		 */

diff --git a/src/main/auth.c b/src/main/auth.c
@@ -596,6 +596,18 @@ int rad_authenticate(REQUEST *request)
 authenticate:
 #endif
 
+#ifdef WITH_COA_SINGLE_TUNNEL
+	if(request->listener->with_coa &&
+	    (tmp = fr_pair_find_by_num(request->config, PW_TCP_SESSION_KEY, 0, TAG_ANY))) {
+		char const *key = tmp->vp_strvalue;
+		/* do not overwrite */
+		if(!request->listener->key) {
+			RDEBUG2("Set current tunnel with key %s", key);
+			listener_store_bykey(request->listener, key);
+		}
+	}
+#endif
+
 	/*
 	 *	Validate the user
 	 */

diff --git a/src/main/command.c b/src/main/command.c
@@ -1989,8 +1989,11 @@ static int command_inject_file(rad_listen_t *listener, int argc, char *argv[])
 	 *	Re-write the IO for the listener.
 	 */
 	fake->encode = null_socket_dencode;
+	fake->encode_proxy = null_socket_dencode;
 	fake->decode = null_socket_dencode;
+	fake->decode_proxy = null_socket_dencode;
 	fake->send = null_socket_send;
+	fake->send_proxy = null_socket_send;
 
 	packet = rad_alloc(NULL, false);
 	packet->src_ipaddr = sock->src_ipaddr;