/*
- * Copyright (C) 2006, 2007 Stig Venaas <venaas@uninett.no>
+ * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*/
+#include "tlv11.h"
+#include "radmsg.h"
+
#define DEBUG_LEVEL 3
#define CONFIG_MAIN "/etc/radsecproxy.conf"
/* MAX_REQUESTS must be 256 due to Radius' 8 bit ID field */
#define MAX_REQUESTS 256
-#define DEFAULT_TLS_SECRET "mysecret"
-#define DEFAULT_UDP_PORT "1812"
-#define DEFAULT_TLS_PORT "2083"
-#define REQUEST_EXPIRY 20
-#define REQUEST_RETRIES 3
+#define REQUEST_RETRY_INTERVAL 5
+#define REQUEST_RETRY_COUNT 2
+#define DUPLICATE_INTERVAL REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT
#define MAX_CERT_DEPTH 5
#define STATUS_SERVER_PERIOD 25
-#define RAD_Access_Request 1
-#define RAD_Access_Accept 2
-#define RAD_Access_Reject 3
-#define RAD_Accounting_Request 4
-#define RAD_Accounting_Response 5
-#define RAD_Access_Challenge 11
-#define RAD_Status_Server 12
-#define RAD_Status_Client 13
-
-#define RAD_Attr_User_Name 1
-#define RAD_Attr_User_Password 2
-#define RAD_Attr_Reply_Message 18
-#define RAD_Attr_Vendor_Specific 26
-#define RAD_Attr_Tunnel_Password 69
-#define RAD_Attr_Message_Authenticator 80
-
-#define RAD_VS_ATTR_MS_MPPE_Send_Key 16
-#define RAD_VS_ATTR_MS_MPPE_Recv_Key 17
-
-#define CONF_STR 1
-#define CONF_CBK 2
-#define CONF_MSTR 3
+#define IDLE_TIMEOUT 300
+
+/* 27262 is vendor DANTE Ltd. */
+#define DEFAULT_TTL_ATTR "27262:1"
+
+#define RAD_UDP 0
+#define RAD_TLS 1
+#define RAD_TCP 2
+#define RAD_DTLS 3
+#define RAD_PROTOCOUNT 4
struct options {
- char *listenudp;
- char *listentcp;
+ char **listenargs[RAD_PROTOCOUNT];
+ char *sourcearg[RAD_PROTOCOUNT];
char *logdestination;
+ char *ttlattr;
+ uint32_t ttlattrtype[2];
+ uint8_t addttl;
uint8_t loglevel;
+ uint8_t loopprevention;
};
-/* requests that our client will send */
struct request {
- unsigned char *buf;
- uint8_t tries;
- uint8_t received;
- struct timeval expiry;
+ struct timeval created;
+ uint32_t refcount;
+ uint8_t *buf, *replybuf;
+ struct radmsg *msg;
struct client *from;
- uint8_t origid; /* used by servwr */
- char origauth[16]; /* used by servwr */
- struct sockaddr_storage fromsa; /* used by udpservwr */
+ struct server *to;
+ char *origusername;
+ uint8_t rqid;
+ uint8_t rqauth[16];
+ uint8_t newid;
+ int udpsock; /* only for UDP */
+ uint16_t udpport; /* only for UDP */
};
-/* replies that a server will send */
-struct reply {
- unsigned char *buf;
- struct sockaddr_storage tosa; /* used by udpservwr */
+/* requests that our client will send */
+struct rqout {
+ pthread_mutex_t *lock;
+ struct request *rq;
+ uint8_t tries;
+ struct timeval expiry;
};
-struct replyq {
- struct list *replies;
+struct queue {
+ struct list *entries;
pthread_mutex_t mutex;
pthread_cond_t cond;
};
struct clsrvconf {
char *name;
- char type; /* U for UDP, T for TLS */
+ uint8_t type; /* RAD_UDP/RAD_TLS/RAD_TCP */
+ const struct protodefs *pdef;
char *host;
char *port;
char *secret;
+ char *tls;
+ char *matchcertattr;
+ regex_t *certcnregex;
regex_t *certuriregex;
+ char *confrewritein;
+ char *confrewriteout;
+ char *confrewriteusername;
+ struct modattr *rewriteusername;
+ char *dynamiclookupcommand;
uint8_t statusserver;
- SSL_CTX *ssl_ctx;
+ uint8_t retryinterval;
+ uint8_t retrycount;
+ uint8_t dupinterval;
+ uint8_t certnamecheck;
+ uint8_t addttl;
+ struct rewrite *rewritein;
+ struct rewrite *rewriteout;
struct addrinfo *addrinfo;
uint8_t prefixlen;
+ pthread_mutex_t *lock; /* only used for updating clients so far */
+ struct tls *tlsconf;
struct list *clients;
struct server *servers;
};
struct client {
struct clsrvconf *conf;
+ int sock;
SSL *ssl;
- struct replyq *replyq;
- struct client *next;
+ struct request *rqs[MAX_REQUESTS];
+ struct queue *replyq;
+ struct queue *rbios; /* for dtls */
+ struct sockaddr *addr;
+ time_t expiry; /* for udp */
};
struct server {
SSL *ssl;
pthread_mutex_t lock;
pthread_t clientth;
+ uint8_t clientrdgone;
struct timeval lastconnecttry;
+ struct timeval lastreply;
uint8_t connectionok;
- uint8_t loststatsrv;
+ uint8_t lostrqs;
+ char *dynamiclookuparg;
int nextid;
- struct request *requests;
+ struct timeval lastrcv;
+ struct rqout *requests;
uint8_t newrq;
pthread_mutex_t newrq_mutex;
pthread_cond_t newrq_cond;
+ struct queue *rbios; /* for dtls */
};
struct realm {
char *name;
char *message;
+ uint8_t accresp;
regex_t regex;
+ uint32_t refcount;
+ pthread_mutex_t mutex;
+ struct realm *parent;
+ struct list *subrealms;
struct list *srvconfs;
+ struct list *accsrvconfs;
};
struct tls {
char *name;
- SSL_CTX *ctx;
- int count;
+ char *cacertfile;
+ char *cacertpath;
+ char *certfile;
+ char *certkeyfile;
+ char *certkeypwd;
+ uint8_t crlcheck;
+ char **policyoids;
+ uint32_t cacheexpiry;
+ uint32_t tlsexpiry;
+ uint32_t dtlsexpiry;
+ X509_VERIFY_PARAM *vpm;
+ SSL_CTX *tlsctx;
+ SSL_CTX *dtlsctx;
+};
+
+struct modattr {
+ uint8_t t;
+ char *replacement;
+ regex_t *regex;
+};
+
+struct rewrite {
+ uint8_t *removeattrs;
+ uint32_t *removevendorattrs;
+ struct list *addattrs;
+ struct list *modattrs;
+};
+
+struct protodefs {
+ char *name;
+ char *secretdefault;
+ int socktype;
+ char *portdefault;
+ uint8_t retrycountdefault;
+ uint8_t retrycountmax;
+ uint8_t retryintervaldefault;
+ uint8_t retryintervalmax;
+ uint8_t duplicateintervaldefault;
+ void *(*listener)(void*);
+ int (*connecter)(struct server *, struct timeval *, int, char *);
+ void *(*clientconnreader)(void*);
+ int (*clientradput)(struct server *, unsigned char *);
+ void (*addclient)(struct client *);
+ void (*addserverextra)(struct clsrvconf *);
+ void (*setsrcres)(char *source);
+ void (*initextra)();
};
#define RADLEN(x) ntohs(((uint16_t *)(x))[1])
#define ATTRVAL(x) ((x) + 2)
#define ATTRVALLEN(x) ((x)[1] - 2)
-#define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \
- sizeof(struct sockaddr_in) : \
- sizeof(struct sockaddr_in6))
-
-char *stringcopy(char *s, int len);
-char *addr2string(struct sockaddr *addr, socklen_t len);
-void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len);
-int bindport(int type, char *port);
-int connectport(int type, char *host, char *port);
+struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
+struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
+struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur);
+struct client *addclient(struct clsrvconf *conf, uint8_t lock);
+void removelockedclient(struct client *client);
+void removeclient(struct client *client);
+struct queue *newqueue();
+void freebios(struct queue *q);
+struct request *newrequest();
+void freerq(struct request *rq);
+int radsrv(struct request *rq);
+X509 *verifytlscert(SSL *ssl);
+int verifyconfcert(X509 *cert, struct clsrvconf *conf);
+void replyh(struct server *server, unsigned char *buf);
+SSL_CTX *tlsgetctx(uint8_t type, struct tls *t);
+struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport);