Add a VSA (Vendor Specific Attribute) to Access-Accept reply programmatically in FreeRADIUS C module

Question

I have a FreeRADIUS C language module that implements MOD_AUTHENTICATE and MOD_AUTHORIZE methods for custom auth purpose. I need the ability to programmatically add VSAs to the Access-Accept reply.

I have toyed a bit with radius_pair_create() and fr_pair_add() methods (see snippet below) but that didn’t yield any change to the reply content, possibly because I specified ad-hoc values that don’t exist in a vendor-specific dictionary. Or because I didn’t use them correctly.

My FreeRADIUS version is 3_0_19

Any information, pointers and, especially, syntax samples will be highly appreciated.

void test_vsa(REQUEST *request)
{
    VALUE_PAIR *vp = NULL;

    vp = radius_pair_create(request->reply, NULL, 18, 0);

    if (vp)
    {
        log("Created VALUE_PAIR");
        vp->vp_integer = 96;
        fr_pair_add(&request->reply->vps, vp);
    } 
    else
    {
        log("Failed to create VALUE_PAIR");
    }
}

Recommended answer

So first off you're writing an integer value to a string attribute, which is wrong. The only reason why the server isn't SEGVing is because the length of the VP has been left at zero, so the RADIUS encoder doesn't bother dereferencing the char * inside the pair that's meant to contain the pair's value.

fr_pair_make is the easier function to use here, as it takes both the attribute name and value as strings, so you don't need to worry about the C types.

The code snippet below should do what you want.

void test_avp(REQUEST *request)
{
    VALUE_PAIR *vp = NULL;

    vp = fr_pair_make(request->reply, &request->reply->vps, "Reply-Message", "Hello from FreeRADIUS", T_OP_SET);
    if (vp)
    {
        log("Created VALUE_PAIR");
    } 
    else
    {
        log("Failed to create VALUE_PAIR");
    }
}

For a bit more of an explanation, let's look at the doxygen header:

/** Create a VALUE_PAIR from ASCII strings
 *
 * Converts an attribute string identifier (with an optional tag qualifier)
 * and value string into a VALUE_PAIR.
 *
 * The string value is parsed according to the type of VALUE_PAIR being created.
 *
 * @param[in] ctx for talloc
 * @param[in] vps list where the attribute will be added (optional)
 * @param[in] attribute name.
 * @param[in] value attribute value (may be NULL if value will be set later).
 * @param[in] op to assign to new VALUE_PAIR.
 * @return a new VALUE_PAIR.
 */
VALUE_PAIR *fr_pair_make(TALLOC_CTX *ctx, VALUE_PAIR **vps,
            char const *attribute, char const *value, FR_TOKEN op)


  • ctx - This is the packet or request that the vps will belong to. If you're adding attributes to the request it should be request->packet, reply would be request->reply, control would be request.
  • vps - If specified, this will be which list to insert the new VP into. If this is NULL fr_pair_make will just return the pair and let you insert it into a list.
  • attribute - The name of the attribute as a string.
  • value - The value of the attribute as a string. For non-string types, fr_pair_make will attempt to perform a conversion. So, for example, passing "12345" for an integer type, will result in the integer value 12345 being written to an int field in the attribute.
  • op - You'll usually want to use T_OP_SET which means overwrite existing instances of the same attribute. See the T_OP_* values of FR_TOKEN and the code that uses them, if you want to understand the different operators and what they do.
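
Added example, not part of the original question or answer and not FreeRADIUS code: once a module adds a VSA by its dictionary name, one way to confirm it actually reached the Access-Accept is to walk the reply's attribute bytes (for instance from a packet capture) and look for the Vendor-Specific attribute (type 26, RFC 2865). The sample bytes are constructed and assume Cisco-AVPair (Vendor-Id 9, vendor type 1); `find_vsa` and `sample_attrs` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: attribute bytes that follow the 20-byte RADIUS header.
 * Reply-Message "Hi", then a VSA: Vendor-Id 9, vendor type 1, value "a=b". */
static const uint8_t sample_attrs[] = {
    18, 4, 'H', 'i',
    26, 11, 0, 0, 0, 9, 1, 5, 'a', '=', 'b',
};

/* Find vendor/vtype inside a Vendor-Specific (type 26) attribute.
 * Returns 1 if found (value in *val, *val_len), 0 if absent, -1 if malformed.
 * Assumes the usual one-byte vendor-type and vendor-length sub-header. */
int find_vsa(const uint8_t *attrs, size_t len, uint32_t vendor, uint8_t vtype,
             const uint8_t **val, size_t *val_len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return -1;                 /* truncated header */
        uint8_t type = attrs[off];
        size_t alen = attrs[off + 1];
        if (alen < 2 || alen > len - off) return -1;  /* length out of bounds */
        if (type == 26) {
            if (alen < 6) return -1;                  /* no room for Vendor-Id */
            const uint8_t *p = attrs + off + 2;
            uint32_t id = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                          ((uint32_t)p[2] << 8) | p[3];
            size_t sub = 4, body = alen - 2;          /* sub-attrs follow the id */
            while (id == vendor && sub < body) {
                if (body - sub < 2) return -1;
                size_t slen = p[sub + 1];
                if (slen < 2 || slen > body - sub) return -1;
                if (p[sub] == vtype) {
                    *val = p + sub + 2;
                    *val_len = slen - 2;
                    return 1;
                }
                sub += slen;
            }
        }
        off += alen;
    }
    return 0;
}

int main(void)
{
    const uint8_t *v; size_t n;
    return find_vsa(sample_attrs, sizeof sample_attrs, 9, 1, &v, &n) != 1;
}
```

A return of 0 on a captured reply means the attribute never made it into the packet, which matches the "no change to the reply content" symptom from the question.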