++<<<<<<< HEAD
+#Module for PSK authorizations from ABFAb trust router
++=======
+ # -*- text -*-
+ ##
+ ## Module for PSK authorizations from ABFAB trust router
+ ##
+ ## $Id$
+
++>>>>>>> v3.0.x
sql psksql {
driver = "rlm_sql_sqlite"
sqlite {
filename = "/var/lib/trust_router/keys"
++<<<<<<< HEAD
+ }
+
+ }
++=======
+ }
+
+ }
++>>>>>>> v3.0.x
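Review bot: The merge commits unresolved conflict markers as file content: `<<<<<<< HEAD`, `=======` and `>>>>>>> v3.0.x` appear as added lines around the header comment and again around the closing braces of `sql psksql { ... }`, so the module file will not parse when the server loads it. The same markers are committed in the abfab-tls site file, in three places: the header comment, the `clients`/`tls {` opening of the listen section, and the `cache` ... `clients radsec-abfab` block. In this file the two sides differ only in comment wording and brace layout, so either side can be kept; each conflict needs to be resolved to one version and the marker lines removed before merging.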
#
+ # ABFAB Trust router policies.
+ #
+ # $Id$
+ #
+
+
+ #
# Verify rp parameters
#
psk_authorize {
- if (tls-psk-identity =* ANY) {
- # TODO: may need to check moonshot-apc as well
+ if (TLS-PSK-Identity) {
+ # TODO: may need to check trust-router-apc as well
if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") {
+ # do things here
}
else {
reject
}
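Review bot: The accept branch of the authorization lookup is an empty placeholder (`# do things here`), so a successful lookup leaves the section's result implicit; either make it explicit with `ok` or drop the branch and keep only the `else { reject }`. The query interpolates `TLS-PSK-Identity`, `Trust-Router-COI` and the `GSS-Acceptor-*` attributes straight into SQL and all of them originate from the peer, so this relies on rlm_sql's xlat escaping expanded attributes (its `safe_characters` setting) — worth confirming the `psksql` instance keeps that default. When `TLS-PSK-Identity` is absent the policy makes no decision at all, which looks intentional for certificate-authenticated clients but deserves a comment such as `# Non-PSK (certificate) clients are not checked here`. The closing braces of psk_authorize lie outside the hunk.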
abfab_pre_proxy {
- # check acceptor host name is correct
+ # check that the acceptor host name is correct
if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
reject
}
}
- # set trust-router-coi attribute from client configuration
+
+ # set trust-router-coi attribute from the client configuration
- if ("%{client:trust-router_coi}") {
+ if ("%{client:trust_router_coi}") {
update proxy-request {
- trust-router-coi := "%{client:trust_router_coi}"
- Trust-Router-COI := "%{client:moonshot_coi}"
++ Trust-Router-COI := "%{client:trust_router_coi}"
}
}
- # set gss-acceptor-realm-name attribute from client configuration
+
+ # set gss-acceptor-realm-name attribute from the client configuration
if ("%{client:gss_acceptor_realm_name}") {
update proxy-request {
- gss-acceptor-realm-name := "%{client:gss_acceptor_realm_name}"
+ GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
}
}
}
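Review bot: The acceptor host-name check only fires when both `%{client:gss_acceptor_host_name}` and `%{gss-acceptor-host-name}` are present, so a proxied request that omits `GSS-Acceptor-Host-Name` passes without comparison; if that is intended, the comment should say so, e.g. `# only enforced when the request carries GSS-Acceptor-Host-Name`, otherwise a `reject` for the missing-attribute case belongs here. The same applies to the `trust_router_coi` and `gss_acceptor_realm_name` updates below it, which silently do nothing when the client definition lacks the setting. The remaining new lines are comment wording and attribute-name casing, which are fine as written.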
--#
- # A virtual server which is used to validate channel-bindings.
+ # A policy which is used to validate channel-bindings.
#
abfab_channel_bindings {
if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name)) {
reject
}
+
if (GSS-Acceptor-Host-Name && outer.request:GSS-Acceptor-Host-Name != GSS-Acceptor-Host-Name ) {
reject
}
+
if (GSS-Acceptor-Realm-Name && outer.request:GSS-Acceptor-Realm-Name != GSS-Acceptor-Realm-Name ) {
reject
}
++<<<<<<< HEAD
++=======
+ #
+ # Example configuration for ABFAB listening on TLS.
+ #
+ # $Id$
+ #
++>>>>>>> v3.0.x
listen {
ipaddr = *
port = 2083
type = auth
proto = tcp
++<<<<<<< HEAD
+ clients = radsec-abfab
+ tls {
+ private_key_password = whatever
++=======
+ tls {
+ private_key_password = whatever
+
++>>>>>>> v3.0.x
# Moonshot tends to distribute certs separate from keys
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
fragment_size = 8192
ca_path = ${cadir}
cipher_list = "DEFAULT"
++<<<<<<< HEAD
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ max_entries = 255
+ }
+
+ require_client_cert = yes
+ verify {
+ }
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{tls-psk-identity}';}"
+ }
+ virtual_server = abfab-idp
+}
+ clients radsec-abfab {
+ client default {
+ ipaddr = 0.0.0.0/0
+
+ proto = tls
+
++=======
+
+ cache {
+ enable = no
+ lifetime = 24 # hours
+ max_entries = 255
+ }
+
+ require_client_cert = yes
+ verify {
+ }
+
+ psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Udentity}'}"
+ }
+
+ virtual_server = abfab-idp
+
+ clients = radsec-abfab
+ }
+
+ clients radsec-abfab {
+ #
+ # Allow all clients, but require TLS.
+ #
+ client default {
+ ipaddr = 0.0.0.0/0
+ proto = tls
++>>>>>>> v3.0.x
}
}
}
}
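Review bot: The v3.0.x side of the last conflict carries a typo in the PSK lookup: `psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Udentity}'}"` names a non-existent attribute, which expands to an empty string, so every PSK handshake would look up `keyid = ''` and fail; the HEAD side's `%{tls-psk-identity}` is the correct name and is the one to keep when the conflict is resolved. Whichever side wins, the identity in this query is the hint the peer sends before the PSK is verified, so the `psksql` instance must retain rlm_sql's attribute escaping in its xlat. `private_key_password = whatever` appears on both sides; a comment such as `# example value - replace with the real passphrase or remove` would stop it being copied into deployments unchanged.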
+static void retrieve_tls_identity(REQUEST *request)
+{
+ /*
+ * copy tls identity from sock vps to new request
+ */
+ listen_socket_t *sock = NULL;
+#ifdef WITH_ACCOUNTING
+ if (request->listener->type != RAD_LISTEN_DETAIL)
+#endif
+ {
+ sock = request->listener->data;
+ }
+
+ if (sock && sock->ssn && sock->ssn->ssl) {
+ const char *identity = SSL_get_psk_identity(sock->ssn->ssl);
+ if (identity) {
+ RDEBUG("Retrieved psk identity: %s", identity);
+ VALUE_PAIR *vp = pairmake_packet("TLS-PSK-Identity", identity, T_OP_SET);
+ if (vp) {
+ RDEBUG("Set tls-psk-identity: %s", identity);
+ }
+ }
+ }
+}
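Review bot: retrieve_tls_identity reads `sock->ssn->ssl` and calls `SSL_get_psk_identity()` with no `#ifdef WITH_TLS` around it; if the `ssn` member of listen_socket_t and the OpenSSL declarations are only present under that define, as elsewhere in this code base, a non-TLS build will not compile — wrapping both the definition and the call site in request_pre_handler in `#ifdef WITH_TLS` (or supplying an empty stub) avoids that. The function also treats `request->listener->data` as a `listen_socket_t *` for every listener type except RAD_LISTEN_DETAIL; if any other listener type stores a different structure there, the `sock->ssn` read is a type confusion, so that list is worth confirming. The second debug line `RDEBUG("Set tls-psk-identity: %s", identity)` repeats the first and can go; a short function comment stating that the attribute is the identity the peer presented in the TLS handshake, copied into the packet so policies can look it up, would be more useful.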
+
static int CC_HINT(nonnull) request_pre_handler(REQUEST *request, UNUSED int action)
{
}
if (!request->packet->vps) { /* FIXME: check for correct state */
+ retrieve_tls_identity(request);
+
rcode = request->listener->decode(request->listener, request);
#ifdef WITH_UNLANG
}
request = request_setup(listener, packet, client, fun);
+
if (!request) return 1;
/*
/*
* There may be a proxy reply, but it may be too late.
*/
- if (!request->proxy_listener) return 0;
+ if (!request->home_server->server && !request->proxy_listener) return 0;
/*
* Delete any reply we had accumulated until now.
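Review bot: The new early-return condition dereferences `request->home_server` before the `proxy_listener` test that previously stood alone; if `home_server` can be NULL when a reply arrives here, this is a NULL dereference on the reply path. A guard such as `if (!request->home_server || (!request->home_server->server && !request->proxy_listener)) return 0;` preserves the old behaviour for that case. The enclosing function lies outside the hunk.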
if (reply) {
VERIFY_PACKET(reply);
- /*
- * Decode the packet.
- */
- rcode = request->proxy_listener->decode(request->proxy_listener, request);
- DEBUG_PACKET(request, reply, 0);
/*
- * Pro-actively remove it from the proxy hash.
- * This is later than in 2.1.x, but it means that
- * the replies are authenticated before being
- * removed from the hash.
+ * Decode the packet if required.
*/
- if ((rcode == 0) &&
- (request->num_proxied_requests <= request->num_proxied_responses)) {
- remove_from_proxy_hash(request);
+ if (request->proxy_listener) {
+ rcode = request->proxy_listener->decode(request->proxy_listener, request);
+ DEBUG_PACKET(request, reply, 0);
+
+ /*
+ * Pro-actively remove it from the proxy hash.
+ * This is later than in 2.1.x, but it means that
+ * the replies are authenticated before being
+ * removed from the hash.
+ */
+ if ((rcode == 0) &&
+ (request->num_proxied_requests <= request->num_proxied_responses)) {
+ remove_from_proxy_hash(request);
+ }
+ } else {
+ rad_assert(!request->in_proxy_hash);
}
} else {
remove_from_proxy_hash(request);
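Review bot: On the new `else` branch (no `proxy_listener`, i.e. the virtual-server case) `rcode` is not assigned, whereas before this change it always held the decode result at this point; if `rcode` is read after this block it now carries a stale or uninitialised value on that path. Setting it explicitly next to the assertion, e.g. `rad_assert(!request->in_proxy_hash); rcode = 0;`, makes the intent clear and keeps the later checks well defined. The enclosing function starts and ends outside the hunk.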
if (this->status == RAD_LISTEN_STATUS_INIT) {
listen_socket_t *sock = this->data;
+ rad_assert(sock != NULL);
if (just_started) {
DEBUG("Listening on %s", buffer);
*/
case RAD_LISTEN_PROXY:
#ifdef WITH_TCP
+ rad_assert(sock->home != NULL);
+
/*
* Add timers to outgoing child sockets, if necessary.
*/
bool home_servers_udp = false;
#endif
- #ifdef HAVE_REGEX_H
+ #ifdef HAVE_REGEX
typedef struct realm_regex_t {
REALM *realm;
struct realm_regex_t *next;
static realm_regex_t *realms_regex = NULL;
- #endif /* HAVE_REGEX_H */
+ #endif /* HAVE_REGEX */
typedef struct realm_config_t {
CONF_SECTION *cs;
rbtree_free(realms_byname);
realms_byname = NULL;
- #ifdef HAVE_REGEX_H
+ #ifdef HAVE_REGEX
if (realms_regex) {
realm_regex_t *this, *next;
return realm_home_server_add(home, cs, dual);
}
-
int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual)
{
const char *name2 = home->name;
return 0;
}
-
+ #ifdef HAVE_REGEX
int realm_realm_add(REALM *r, CONF_SECTION *cs)
+ #else
+ int realm_realm_add(REALM *r, UNUSED CONF_SECTION *cs)
+ #endif
{
/*
* The structs aren't mutex protected. Refuse to destroy
return 0;
}
- #ifdef HAVE_REGEX_H
+ #ifdef HAVE_REGEX
/*
* It's a regex. Sanity check it, and add it to a
* separate list.
realm = rbtree_finddata(realms_byname, &myrealm);
if (realm) return realm;
- #ifdef HAVE_REGEX_H
+ #ifdef HAVE_REGEX
if (realms_regex) {
realm_regex_t *this;
realm = rbtree_finddata(realms_byname, &myrealm);
if (realm) return realm;
- #ifdef HAVE_REGEX_H
+ #ifdef HAVE_REGEX
if (realms_regex) {
realm_regex_t *this;
request->proxy->proto = home->proto;
#endif
request->home_server = home;
+ talloc_reference(request, request->home_server);
/*
* Access-Requests have a Message-Authenticator added,