#include <regex.h>
#include <libgen.h>
#include <pthread.h>
+#include <errno.h>
#include <openssl/ssl.h>
#include <openssl/rand.h>
#include <openssl/err.h>
goto errexit;
}
if (pthread_mutex_init(conf->servers->requests[i].lock, NULL)) {
- debug(DBG_ERR, "mutex init failed");
+ debugerrno(errno, DBG_ERR, "mutex init failed");
free(conf->servers->requests[i].lock);
conf->servers->requests[i].lock = NULL;
goto errexit;
}
}
if (pthread_mutex_init(&conf->servers->lock, NULL)) {
- debug(DBG_ERR, "mutex init failed");
+ debugerrno(errno, DBG_ERR, "mutex init failed");
goto errexit;
}
conf->servers->newrq = 0;
if (pthread_mutex_init(&conf->servers->newrq_mutex, NULL)) {
- debug(DBG_ERR, "mutex init failed");
+ debugerrno(errno, DBG_ERR, "mutex init failed");
pthread_mutex_destroy(&conf->servers->lock);
goto errexit;
}
if (pthread_cond_init(&conf->servers->newrq_cond, NULL)) {
- debug(DBG_ERR, "mutex init failed");
+ debugerrno(errno, DBG_ERR, "mutex init failed");
pthread_mutex_destroy(&conf->servers->newrq_mutex);
pthread_mutex_destroy(&conf->servers->lock);
goto errexit;
pthread_mutex_unlock(&to->replyq->mutex);
}
-int pwdencrypt(uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
+int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned char first = 1;
static EVP_MD_CTX mdctx;
}
for (i = 0; i < 16; i++)
out[offset + i] = hash[i] ^ in[offset + i];
- input = out + offset - 16;
- offset += 16;
- if (offset == len)
- break;
- }
- memcpy(in, out, len);
- pthread_mutex_unlock(&lock);
- return 1;
-}
-
-int pwddecrypt(uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
- static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- static unsigned char first = 1;
- static EVP_MD_CTX mdctx;
- unsigned char hash[EVP_MAX_MD_SIZE], *input;
- unsigned int md_len;
- uint8_t i, offset = 0, out[128];
-
- pthread_mutex_lock(&lock);
- if (first) {
- EVP_MD_CTX_init(&mdctx);
- first = 0;
- }
-
- input = auth;
- for (;;) {
- if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
- !EVP_DigestUpdate(&mdctx, (uint8_t *)shared, sharedlen) ||
- !EVP_DigestUpdate(&mdctx, input, 16) ||
- !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
- md_len != 16) {
- pthread_mutex_unlock(&lock);
- return 0;
- }
- for (i = 0; i < 16; i++)
- out[offset + i] = hash[i] ^ in[offset + i];
- input = in + offset;
+ if (encrypt_flag)
+ input = out + offset;
+ else
+ input = in + offset;
offset += 16;
if (offset == len)
break;
return 0;
}
- if (!pwddecrypt(pwd, len, oldsecret, strlen(oldsecret), oldauth)) {
+ if (!pwdcrypt(0, pwd, len, oldsecret, strlen(oldsecret), oldauth)) {
debug(DBG_WARN, "pwdrecrypt: cannot decrypt password");
return 0;
}
#ifdef DEBUG
printfchars(NULL, "pwdrecrypt: password", "%02x ", pwd, len);
#endif
- if (!pwdencrypt(pwd, len, newsecret, strlen(newsecret), newauth)) {
+ if (!pwdcrypt(1, pwd, len, newsecret, strlen(newsecret), newauth)) {
debug(DBG_WARN, "pwdrecrypt: cannot encrypt password");
return 0;
}
}
int dorewrite(struct radmsg *msg, struct rewrite *rewrite) {
- if (!rewrite)
- return 1;
- if (rewrite->removeattrs || rewrite->removevendorattrs)
- dorewriterm(msg, rewrite->removeattrs, rewrite->removevendorattrs);
- if (rewrite->addattrs && !dorewriteadd(msg, rewrite->addattrs))
- return 0;
- if (rewrite->modattrs && !dorewritemod(msg, rewrite->modattrs))
- return 0;
- return 1;
+ int rv = 1; /* Success. */
+
+ if (rewrite) {
+ if (rewrite->removeattrs || rewrite->removevendorattrs)
+ dorewriterm(msg, rewrite->removeattrs, rewrite->removevendorattrs);
+ if (rewrite->modattrs)
+ if (!dorewritemod(msg, rewrite->modattrs))
+ rv = 0;
+ if (rewrite->addattrs)
+ if (!dorewriteadd(msg, rewrite->addattrs))
+ rv = 0;
+ }
+ return rv;
}
int rewriteusername(struct request *rq, struct tlv *attr) {
return 1;
}
-int addvendorattr(struct radmsg *msg, uint32_t vendor, struct tlv *attr) {
- struct tlv *vattr;
+/** Create vendor specific tlv with ATTR. ATTR is consumed (freed) if
+ * all is well with the new tlv, i.e. if the function returns
+ * !NULL. */
+static struct tlv *
+makevendortlv(uint32_t vendor, struct tlv *attr)
+{
+ struct tlv *newtlv = NULL;
uint8_t l, *v;
+ if (!attr)
+ return NULL;
l = attr->l + 6;
v = malloc(l);
if (v) {
- vendor = htonl(vendor);
+ vendor = htonl(vendor & 0x00ffffff); /* MSB=0 according to RFC 2865. */
memcpy(v, &vendor, 4);
tlv2buf(v + 4, attr);
- v[5] += 2;
- vattr = maketlv(RAD_Attr_Vendor_Specific, l, v);
- if (vattr && radmsg_add(msg, vattr))
- return 1;
+ v[5] += 2; /* Vendor length increased for type and length fields. */
+ newtlv = maketlv(RAD_Attr_Vendor_Specific, l, v);
+ if (newtlv == NULL)
+ free(v);
+ else
+ freetlv(attr);
+ }
+ return newtlv;
+}
+
+/** Ad vendor attribute with VENDOR + ATTR and push it on MSG. ATTR
+ * is consumed. */
+int addvendorattr(struct radmsg *msg, uint32_t vendor, struct tlv *attr) {
+ struct tlv *vattr;
+
+ vattr = makevendortlv(vendor, attr);
+ if (!vattr) {
+ freetlv(attr);
+ return 0;
+ }
+ if (!radmsg_add(msg, vattr)) {
freetlv(vattr);
+ return 0;
}
- return 0;
+ return 1;
}
void addttlattr(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
freetlv(attr);
} else {
attr = maketlv(attrtype[1], 4, ttl);
- if (attr) {
+ if (attr)
addvendorattr(msg, attrtype[0], attr);
- freetlv(attr);
- }
}
}
goto exit;
}
- if (options.loopprevention && !strcmp(from->conf->name, to->conf->name)) {
+ if ((to->conf->loopprevention == 1
+ || (to->conf->loopprevention == UCHAR_MAX && options.loopprevention == 1))
+ && !strcmp(from->conf->name, to->conf->name)) {
debug(DBG_INFO, "radsrv: Loop prevented, not forwarding request from client %s (%s) to server %s, discarding",
from->conf->name, addr2string(from->addr), to->conf->name);
goto exit;
replymsg = radattr2ascii(radmsg_gettype(msg, RAD_Attr_Reply_Message));
if (stationid) {
if (replymsg) {
- debug(DBG_WARN, "%s for user %s stationid %s from %s (%s) to %s (%s)",
- radmsgtype2string(msg->code), username, stationid, server->conf->name, replymsg, from->conf->name, addr2string(from->addr));
+ debug(DBG_NOTICE,
+ "%s for user %s stationid %s from %s (%s) to %s (%s)",
+ radmsgtype2string(msg->code), username, stationid,
+ server->conf->name, replymsg, from->conf->name,
+ addr2string(from->addr));
free(replymsg);
} else
- debug(DBG_WARN, "%s for user %s stationid %s from %s to %s (%s)",
- radmsgtype2string(msg->code), username, stationid, server->conf->name, from->conf->name, addr2string(from->addr));
+ debug(DBG_NOTICE,
+ "%s for user %s stationid %s from %s to %s (%s)",
+ radmsgtype2string(msg->code), username, stationid,
+ server->conf->name, from->conf->name,
+ addr2string(from->addr));
free(stationid);
} else {
if (replymsg) {
- debug(DBG_WARN, "%s for user %s from %s (%s) to %s (%s)",
- radmsgtype2string(msg->code), username, server->conf->name, replymsg, from->conf->name, addr2string(from->addr));
+ debug(DBG_NOTICE, "%s for user %s from %s (%s) to %s (%s)",
+ radmsgtype2string(msg->code), username,
+ server->conf->name, replymsg, from->conf->name,
+ addr2string(from->addr));
free(replymsg);
} else
- debug(DBG_WARN, "%s for user %s from %s to %s (%s)",
- radmsgtype2string(msg->code), username, server->conf->name, from->conf->name, addr2string(from->addr));
+ debug(DBG_NOTICE, "%s for user %s from %s to %s (%s)",
+ radmsgtype2string(msg->code), username,
+ server->conf->name, from->conf->name,
+ addr2string(from->addr));
}
free(username);
}
}
server->connectionok = 1;
if (pthread_create(&clientrdth, NULL, conf->pdef->clientconnreader, (void *)server)) {
- debug(DBG_ERR, "clientwr: pthread_create failed");
+ debugerrno(errno, DBG_ERR, "clientwr: pthread_create failed");
goto errexit;
}
} else
for (res = hp->addrinfo; res; res = res->ai_next) {
s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
if (s < 0) {
- debug(DBG_WARN, "createlistener: socket failed");
+ debugerrno(errno, DBG_WARN, "createlistener: socket failed");
continue;
}
setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
#endif
if (bind(s, res->ai_addr, res->ai_addrlen)) {
- debug(DBG_WARN, "createlistener: bind failed");
+ debugerrno(errno, DBG_WARN, "createlistener: bind failed");
close(s);
s = -1;
continue;
debugx(1, DBG_ERR, "malloc failed");
*sp = s;
if (pthread_create(&th, NULL, protodefs[type]->listener, (void *)sp))
- debugx(1, DBG_ERR, "pthread_create failed");
+ debugerrnox(errno, DBG_ERR, "pthread_create failed");
pthread_detach(th);
}
if (!sp)
memset(realm, 0, sizeof(struct realm));
if (pthread_mutex_init(&realm->mutex, NULL)) {
- debug(DBG_ERR, "mutex init failed");
+ debugerrno(errno, DBG_ERR, "mutex init failed");
free(realm);
realm = NULL;
goto exit;
srvconf->servers->dynamiclookuparg = stringcopy(realm->name, 0);
srvconf->servers->dynstartup = 1;
if (pthread_create(&clientth, NULL, clientwr, (void *)(srvconf->servers))) {
- debug(DBG_ERR, "pthread_create failed");
+ debugerrno(errno, DBG_ERR, "pthread_create failed");
freeserver(srvconf->servers, 1);
srvconf->servers = NULL;
} else
debug(DBG_DBG, "dynamicconfig: need dynamic server config for %s", server->dynamiclookuparg);
if (pipe(fd) > 0) {
- debug(DBG_ERR, "dynamicconfig: pipe error");
+ debugerrno(errno, DBG_ERR, "dynamicconfig: pipe error");
goto errexit;
}
pid = fork();
if (pid < 0) {
- debug(DBG_ERR, "dynamicconfig: fork error");
+ debugerrno(errno, DBG_ERR, "dynamicconfig: fork error");
close(fd[0]);
close(fd[1]);
goto errexit;
freegconf(&cf);
if (waitpid(pid, &status, 0) < 0) {
- debug(DBG_ERR, "dynamicconfig: wait error");
+ debugerrno(errno, DBG_ERR, "dynamicconfig: wait error");
goto errexit;
}
return val > 0 && val < 256 ? val : 0;
}
+/* ATTRNAME is on the form vendor[:type].
+ If only vendor is found, TYPE is set to 256 and 1 is returned.
+ If type is >= 256, 1 is returned.
+ Otherwise, 0 is returned.
+*/
/* should accept both names and numeric values, only numeric right now */
int vattrname2val(char *attrname, uint32_t *vendor, uint32_t *type) {
char *s;
*vendor = atoi(attrname);
s = strchr(attrname, ':');
- if (!s) {
+ if (!s) { /* Only vendor was found. */
*type = 256;
return 1;
}
return *type < 256;
}
-/* should accept both names and numeric values, only numeric right now */
-struct tlv *extractattr(char *nameval) {
+/** Extract attributes from string NAMEVAL, create a struct tlv and
+ * return the tlv. If VENDOR_FLAG, NAMEVAL is on the form
+ * "<vendor>:<name>:<val>" and otherwise it's "<name>:<val>". Return
+ * NULL if fields are missing or if conversion fails.
+ *
+ * FIXME: Should accept both names and numeric values, only numeric
+ * right now */
+struct tlv *extractattr(char *nameval, char vendor_flag) {
int len, name = 0;
- char *s;
+ int vendor = 0; /* Vendor 0 is reserved, see RFC 1700. */
+ char *s, *s2;
struct tlv *a;
s = strchr(nameval, ':');
- name = atoi(nameval);
- if (!s || name < 1 || name > 255)
+ if (!s)
return NULL;
+ name = atoi(nameval);
+
+ if (vendor_flag) {
+ s2 = strchr(s + 1, ':');
+ if (!s2)
+ return NULL;
+ vendor = name;
+ name = atoi(s + 1);
+ s = s2;
+ }
len = strlen(s + 1);
if (len > 253)
return NULL;
+
+ if (name < 1 || name > 255)
+ return NULL;
a = malloc(sizeof(struct tlv));
if (!a)
return NULL;
+
a->v = (uint8_t *)stringcopy(s + 1, 0);
if (!a->v) {
free(a);
}
a->t = name;
a->l = len;
+
+ if (vendor_flag)
+ a = makevendortlv(vendor, a);
+
return a;
}
return NULL;
}
-void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs, char **modattrs) {
+void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs, char **addvattrs, char **modattrs)
+{
struct rewrite *rewrite = NULL;
int i, n;
uint8_t *rma = NULL;
for (i = 0; i < n; i++)
if (!(rma[i] = attrname2val(rmattrs[i])))
- debugx(1, DBG_ERR, "addrewrite: invalid attribute %s", rmattrs[i]);
+ debugx(1, DBG_ERR, "addrewrite: removing invalid attribute %s", rmattrs[i]);
freegconfmstr(rmattrs);
rma[i] = 0;
}
for (p = rmva, i = 0; i < n; i++, p += 2)
if (!vattrname2val(rmvattrs[i], p, p + 1))
- debugx(1, DBG_ERR, "addrewrite: invalid vendor attribute %s", rmvattrs[i]);
+ debugx(1, DBG_ERR, "addrewrite: removing invalid vendor attribute %s", rmvattrs[i]);
freegconfmstr(rmvattrs);
*p = 0;
}
if (!adda)
debugx(1, DBG_ERR, "malloc failed");
for (i = 0; addattrs[i]; i++) {
- a = extractattr(addattrs[i]);
+ a = extractattr(addattrs[i], 0);
if (!a)
- debugx(1, DBG_ERR, "addrewrite: invalid attribute %s", addattrs[i]);
+ debugx(1, DBG_ERR, "addrewrite: adding invalid attribute %s", addattrs[i]);
if (!list_push(adda, a))
debugx(1, DBG_ERR, "malloc failed");
}
freegconfmstr(addattrs);
}
+ if (addvattrs) {
+ if (!adda)
+ adda = list_create();
+ if (!adda)
+ debugx(1, DBG_ERR, "malloc failed");
+ for (i = 0; addvattrs[i]; i++) {
+ a = extractattr(addvattrs[i], 1);
+ if (!a)
+ debugx(1, DBG_ERR, "addrewrite: adding invalid vendor attribute %s", addvattrs[i]);
+ if (!list_push(adda, a))
+ debugx(1, DBG_ERR, "malloc failed");
+ }
+ freegconfmstr(addvattrs);
+ }
+
if (modattrs) {
moda = list_create();
if (!moda)
for (i = 0; modattrs[i]; i++) {
m = extractmodattr(modattrs[i]);
if (!m)
- debugx(1, DBG_ERR, "addrewrite: invalid attribute %s", modattrs[i]);
+ debugx(1, DBG_ERR, "addrewrite: modifying invalid attribute %s", modattrs[i]);
if (!list_push(moda, m))
debugx(1, DBG_ERR, "malloc failed");
}
return 0;
}
memset(conf, 0, sizeof(struct clsrvconf));
+ conf->loopprevention = UCHAR_MAX; /* Uninitialized. */
resconf = (struct clsrvconf *)arg;
if (resconf) {
conf->statusserver = resconf->statusserver;
"RetryInterval", CONF_LINT, &retryinterval,
"RetryCount", CONF_LINT, &retrycount,
"DynamicLookupCommand", CONF_STR, &conf->dynamiclookupcommand,
+ "LoopPrevention", CONF_BLN, &conf->loopprevention,
NULL
)) {
debug(DBG_ERR, "configuration error");
}
int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
- char **rmattrs = NULL, **rmvattrs = NULL, **addattrs = NULL, **modattrs = NULL;
+ char **rmattrs = NULL, **rmvattrs = NULL;
+ char **addattrs = NULL, **addvattrs = NULL;
+ char **modattrs = NULL;
debug(DBG_DBG, "confrewrite_cb called for %s", block);
"removeAttribute", CONF_MSTR, &rmattrs,
"removeVendorAttribute", CONF_MSTR, &rmvattrs,
"addAttribute", CONF_MSTR, &addattrs,
+ "addVendorAttribute", CONF_MSTR, &addvattrs,
"modifyAttribute", CONF_MSTR, &modattrs,
NULL
))
debugx(1, DBG_ERR, "configuration error");
- addrewrite(val, rmattrs, rmvattrs, addattrs, modattrs);
+ addrewrite(val, rmattrs, rmvattrs, addattrs, addvattrs, modattrs);
return 1;
}
debugx(1, DBG_ERR, "configuration error");
if (loglevel != LONG_MIN) {
- if (loglevel < 1 || loglevel > 4)
- debugx(1, DBG_ERR, "error in %s, value of option LogLevel is %d, must be 1, 2, 3 or 4", configfile, loglevel);
+ if (loglevel < 1 || loglevel > 5)
+ debugx(1, DBG_ERR, "error in %s, value of option LogLevel is %d, must be 1, 2, 3, 4 or 5", configfile, loglevel);
options.loglevel = (uint8_t)loglevel;
}
if (addttl != LONG_MIN) {
*configfile = optarg;
break;
case 'd':
- if (strlen(optarg) != 1 || *optarg < '1' || *optarg > '4')
- debugx(1, DBG_ERR, "Debug level must be 1, 2, 3 or 4, not %s", optarg);
+ if (strlen(optarg) != 1 || *optarg < '1' || *optarg > '5')
+ debugx(1, DBG_ERR, "Debug level must be 1, 2, 3, 4 or 5, not %s", optarg);
*loglevel = *optarg - '0';
break;
case 'f':
*pretend = 1;
break;
case 'v':
- debug(DBG_ERR, "radsecproxy revision $Rev$");
+ debug(DBG_ERR, "radsecproxy revision %s", PACKAGE_VERSION);
debug(DBG_ERR, "This binary was built with support for the following transports:");
#ifdef RADPROT_UDP
debug(DBG_ERR, " UDP");
}
int createpidfile(const char *pidfile) {
- int r;
+ int r = 0;
FILE *f = fopen(pidfile, "w");
if (f)
- r = fprintf(f, "%d\n", getpid());
+ r = fprintf(f, "%ld\n", (long) getpid());
return f && !fclose(f) && r >= 0;
}
debugx(1, DBG_ERR, "daemon() failed: %s", strerror(errno));
debug_timestamp_on();
- debug(DBG_INFO, "radsecproxy revision $Rev$ starting");
+ debug(DBG_INFO, "radsecproxy revision %s starting", PACKAGE_VERSION);
if (pidfile && !createpidfile(pidfile))
debugx(1, DBG_ERR, "failed to create pidfile %s: %s", pidfile, strerror(errno));