-/*
- * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- */
-
+/* Copyright (c) 2007-2009, UNINETT AS
+ * Copyright (c) 2010-2012, NORDUnet A/S */
+/* See LICENSE for licensing information. */
+
+#include <sys/time.h>
+#include <stdint.h>
+#include <pthread.h>
+#include <regex.h>
+#include "list.h"
#include "tlv11.h"
#include "radmsg.h"
+#include "gconfig.h"
-#define DEBUG_LEVEL 3
+#define DEBUG_LEVEL 2
-#define CONFIG_MAIN "/etc/radsecproxy.conf"
+#define CONFIG_MAIN SYSCONFDIR"/radsecproxy.conf"
/* MAX_REQUESTS must be 256 due to Radius' 8 bit ID field */
#define MAX_REQUESTS 256
#define STATUS_SERVER_PERIOD 25
#define IDLE_TIMEOUT 300
+/* 27262 is vendor DANTE Ltd. */
+#define DEFAULT_TTL_ATTR "27262:1"
+
#define RAD_UDP 0
#define RAD_TLS 1
#define RAD_TCP 2
#define RAD_DTLS 3
+#define RAD_PROTOCOUNT 4
+
+enum rsp_fticks_reporting_type {
+ RSP_FTICKS_REPORTING_NONE = 0, /* Default. */
+ RSP_FTICKS_REPORTING_BASIC,
+ RSP_FTICKS_REPORTING_FULL
+};
+
+enum rsp_fticks_mac_type {
+ RSP_FTICKS_MAC_STATIC = 0,
+ RSP_FTICKS_MAC_ORIGINAL,
+ RSP_FTICKS_MAC_VENDOR_HASHED,
+ RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default. */
+ RSP_FTICKS_MAC_FULLY_HASHED,
+ RSP_FTICKS_MAC_FULLY_KEY_HASHED
+};
struct options {
- char **listenudp;
- char **listentcp;
- char **listentls;
- char **listendtls;
- char **listenaccudp;
- char *sourceudp;
- char *sourcetcp;
- char *sourcetls;
- char *sourcedtls;
+ char *pidfile;
char *logdestination;
+ char *ftickssyslogfacility;
+ char *ttlattr;
+ uint32_t ttlattrtype[2];
+ uint8_t addttl;
uint8_t loglevel;
uint8_t loopprevention;
+ enum rsp_fticks_reporting_type fticks_reporting;
+ enum rsp_fticks_mac_type fticks_mac;
+ uint8_t *fticks_key;
+ uint8_t ipv4only;
+ uint8_t ipv6only;
+};
+
+struct commonprotoopts {
+ char **listenargs;
+ char *sourcearg;
};
struct request {
struct timeval created;
- uint8_t refcount;
- uint8_t *buf;
+ uint32_t refcount;
+ uint8_t *buf, *replybuf;
+ struct radmsg *msg;
struct client *from;
- struct sockaddr_storage fromsa; /* used by udpservwr */
- int fromudpsock; /* used by udpservwr */
+ struct server *to;
+ char *origusername;
+ uint8_t rqid;
+ uint8_t rqauth[16];
+ uint8_t newid;
+ int udpsock; /* only for UDP */
+ uint16_t udpport; /* only for UDP */
};
/* requests that our client will send */
struct rqout {
- unsigned char *buf;
- struct radmsg *msg;
+ pthread_mutex_t *lock;
+ struct request *rq;
uint8_t tries;
- uint8_t received;
struct timeval expiry;
- char *origusername;
- uint8_t origid; /* used by servwr */
- char origauth[16]; /* used by servwr */
- struct request *rq;
-};
-
-/* replies that a server will send */
-struct reply {
- unsigned char *buf;
- struct sockaddr_storage tosa; /* used by udpservwr */
- int toudpsock; /* used by udpservwr */
};
-struct queue {
+struct gqueue {
struct list *entries;
pthread_mutex_t mutex;
pthread_cond_t cond;
char *name;
uint8_t type; /* RAD_UDP/RAD_TLS/RAD_TCP */
const struct protodefs *pdef;
- char *host;
- char *port;
+ char **hostsrc;
+ int hostaf;
+ char *portsrc;
+ struct list *hostports;
char *secret;
char *tls;
char *matchcertattr;
uint8_t retrycount;
uint8_t dupinterval;
uint8_t certnamecheck;
- SSL_CTX *ssl_ctx;
+ uint8_t addttl;
+ uint8_t loopprevention;
struct rewrite *rewritein;
struct rewrite *rewriteout;
- struct addrinfo *addrinfo;
- uint8_t prefixlen;
pthread_mutex_t *lock; /* only used for updating clients so far */
+ struct tls *tlsconf;
struct list *clients;
struct server *servers;
+ char *fticks_viscountry;
+ char *fticks_visinst;
};
+#include "tlscommon.h"
+
struct client {
struct clsrvconf *conf;
- int sock; /* for tcp/dtls */
+ int sock;
SSL *ssl;
- pthread_mutex_t lock; /* used for updating rqs */
struct request *rqs[MAX_REQUESTS];
- struct queue *replyq;
- struct queue *rbios; /* for dtls */
- struct sockaddr *addr; /* for udp */
+ struct gqueue *replyq;
+ struct gqueue *rbios; /* for dtls */
+ struct sockaddr *addr;
+ time_t expiry; /* for udp */
};
struct server {
struct timeval lastreply;
uint8_t connectionok;
uint8_t lostrqs;
+ uint8_t dynstartup;
+ uint8_t dynfailing;
+#if defined ENABLE_EXPERIMENTAL_DYNDISC
+ uint8_t in_use;
+#endif
char *dynamiclookuparg;
int nextid;
struct timeval lastrcv;
uint8_t newrq;
pthread_mutex_t newrq_mutex;
pthread_cond_t newrq_cond;
- struct queue *rbios; /* for dtls */
+ struct gqueue *rbios; /* for dtls */
};
struct realm {
char *message;
uint8_t accresp;
regex_t regex;
- pthread_mutex_t subrealms_mutex;
+ uint32_t refcount;
+ pthread_mutex_t mutex;
+ struct realm *parent;
struct list *subrealms;
struct list *srvconfs;
struct list *accsrvconfs;
};
-struct tls {
- char *name;
- char *cacertfile;
- char *cacertpath;
- char *certfile;
- char *certkeyfile;
- char *certkeypwd;
- uint8_t crlcheck;
- SSL_CTX *tlsctx;
- SSL_CTX *dtlsctx;
-};
-
struct modattr {
uint8_t t;
char *replacement;
struct protodefs {
char *name;
char *secretdefault;
- uint8_t socktype;
+ int socktype;
char *portdefault;
uint8_t retrycountdefault;
uint8_t retrycountmax;
uint8_t retryintervaldefault;
uint8_t retryintervalmax;
uint8_t duplicateintervaldefault;
+ void (*setprotoopts)(struct commonprotoopts *);
+ char **(*getlistenerargs)();
void *(*listener)(void*);
- char **srcaddrport;
int (*connecter)(struct server *, struct timeval *, int, char *);
void *(*clientconnreader)(void*);
int (*clientradput)(struct server *, unsigned char *);
void (*addclient)(struct client *);
void (*addserverextra)(struct clsrvconf *);
+ void (*setsrcres)();
void (*initextra)();
};
#define ATTRVAL(x) ((x) + 2)
#define ATTRVALLEN(x) ((x)[1] - 2)
-#define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \
- sizeof(struct sockaddr_in) : \
- sizeof(struct sockaddr_in6))
-
-struct addrinfo *getsrcprotores(uint8_t type);
struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur);
struct client *addclient(struct clsrvconf *conf, uint8_t lock);
+void removelockedclient(struct client *client);
void removeclient(struct client *client);
-void removeclientrqs(struct client *client);
-struct queue *newqueue();
-void removequeue(struct queue *q);
-void freebios(struct queue *q);
+struct gqueue *newqueue();
+void freebios(struct gqueue *q);
struct request *newrequest();
void freerq(struct request *rq);
int radsrv(struct request *rq);
-X509 *verifytlscert(SSL *ssl);
-int verifyconfcert(X509 *cert, struct clsrvconf *conf);
void replyh(struct server *server, unsigned char *buf);
-int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src);
-int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only);
+struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport);
+uint8_t *radattr2ascii(struct tlv *attr);
+
+/* Local Variables: */
+/* c-file-style: "stroustrup" */
+/* End: */
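Review bot: The new function-pointer members `char **(*getlistenerargs)();` and `void (*setsrcres)();` in struct protodefs, and the renamed declaration `struct gqueue *newqueue();`, use empty parentheses, which in C declare an unspecified parameter list rather than a prototype, so the compiler cannot check arguments at call sites; writing them as `char **(*getlistenerargs)(void);`, `void (*setsrcres)(void);` and `struct gqueue *newqueue(void);` makes them real prototypes. The unchanged `void (*initextra)();` and `struct request *newrequest();` have the same shape and could be fixed in the same pass. The added `uint8_t *fticks_key;` member in struct options is raw key material but carries no comment on its length encoding or ownership (who allocates and frees it), so a short comment there stating both would help; what the config parser actually stores in it is not visible in this diff, so the wording should be checked against it. No `@@` headers survive in this view, so the hunk boundaries here are inferred from the marker column alone.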