- Application runs its own event loop, using fd's for select and
performs I/O using the libradsec send/receive calls
(a.k.a. on-your-own mode)
- - Fully reentrant (FIXME: issues with libfreeradius-radius?)
- User chooses allocation regime
+Note that as of 0.0.2.dev libradsec suffers from way too much focus on
+the behaviour of a blocking client and is totally useless as a server.
+Not only does it lack most of the functions needed for writing a
+server but it also contains at least one architectural mishap which
+kills the server idea. A connection timeout (TCP) or a retransmit
+timeout (UDP) will result in the event loop being broken. The same is
+thing will happen if there's an error on a TCP connection, f.ex. a
+failing certificate validation (TLS).
* Dependencies
Details apply to Ubuntu 10.10.
AUTOMAKE_OPTIONS = foreign
ACLOCAL_AMFLAGS = -I m4
- SUBDIRS = . examples include
+# Shared library interface version, i.e. -version-info to Libtool,
+# expressed as three integers CURRENT:REVISION:AGE.
+
+# CURRENT is the version number of the current interface. Increment
+# CURRENT when the library interface changes.
+
+# REVISION is the version number of the _implementation_ of the
+# CURRENT interface. Set REVISION to 0 when CURRENT changes,
+# else increment.
+
+# AGE is the number of interfaces this library implements, i.e. how
+# many versions before CURRENT that are supported. Increment AGE
+# when the library interface is _extended_. Set AGE to 0 when the
+# library interface is _changed_.
+
+
+ SUBDIRS = radius . include examples
INCLUDES = -I$(srcdir)/include
AM_CFLAGS = -Wall -g
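Review bot: The added CURRENT:REVISION:AGE comment block explains Libtool's -version-info, but no -version-info value is set in the visible lines, so the rule it describes is not applied anywhere a reader can see; if the flag lives in a per-directory Makefile.am, a one-line pointer such as `# The actual -version-info is set in <path-to-library-Makefile.am>` would close the gap. This matters because the radsec.h hunk on this page renumbers the already-public RSE_CRED and RSE_CERT from 21/22 to 43/44, which by the comment's own rule is an interface _change_ that requires CURRENT to be incremented and AGE reset to 0. Callers built against the old header would otherwise misinterpret those two error codes at runtime.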
#endif
#include <confuse.h>
+ #include <stdlib.h>
#include <string.h>
+#include <assert.h>
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>
#include "peer.h"
AC_MSG_ERROR([required library libconfuse not found]))
AC_CHECK_LIB([event_core], [event_get_version],,
AC_MSG_ERROR([required library libevent_core not found]))
- AC_CHECK_LIB([freeradius-radius], [rad_alloc],,
- AC_MSG_ERROR([required library libfreeradius-radius not found]))
# Enable-knobs.
+## Enable TLS (RadSec).
AH_TEMPLATE([RS_ENABLE_TLS], [TLS (RadSec) enabled])
-AH_TEMPLATE([RADPROT_TLS], [])
+AH_TEMPLATE([RADPROT_TLS], []) dnl Legacy.
AC_ARG_ENABLE([tls], AS_HELP_STRING([--enable-tls], [enable TLS (RadSec)]),
[AC_CHECK_LIB([event_openssl], [bufferevent_openssl_socket_new],,
AC_MSG_ERROR([required library event_openssl not found]))
#include <radsec/radsec-impl.h>
static const char *_errtxt[] = {
- "SUCCESS", /* 0 RSE_OK */
- "out of memory", /* 1 RSE_NOMEM */
- "not yet implemented", /* 2 RSE_NOSYS */
- "invalid handle", /* 3 RSE_INVALID_CTX */
- "invalid connection", /* 4 RSE_INVALID_CONN */
- "connection type mismatch", /* 5 RSE_CONN_TYPE_MISMATCH */
- "FreeRadius error", /* 6 RSE_FR */
- "bad hostname or port", /* 7 RSE_BADADDR */
- "no peer configured", /* 8 RSE_NOPEER */
- "libevent error", /* 9 RSE_EVENT */
- "socket error", /* 10 RSE_SOCKERR */
- "invalid configuration file", /* 11 RSE_CONFIG */
- "authentication failed", /* 12 RSE_BADAUTH */
- "internal error", /* 13 RSE_INTERNAL */
- "SSL error", /* 14 RSE_SSLERR */
- "invalid packet", /* 15 RSE_INVALID_PKT */
- "connect timeout", /* 16 RSE_TIMEOUT_CONN */
- "invalid argument", /* 17 RSE_INVAL */
- "I/O timeout", /* 18 RSE_TIMEOUT_IO */
- "timeout", /* 19 RSE_TIMEOUT */
- "peer disconnected", /* 20 RSE_DISCO */
- "invalid credentials", /* 21 RSE_CRED */
- "certificate validation error", /* 22 RSE_CERT */
+ "SUCCESS", /* 0 RSE_OK */
+ "out of memory", /* 1 RSE_NOMEM */
+ "not yet implemented", /* 2 RSE_NOSYS */
+ "invalid handle", /* 3 RSE_INVALID_CTX */
+ "invalid connection", /* 4 RSE_INVALID_CONN */
+ "connection type mismatch", /* 5 RSE_CONN_TYPE_MISMATCH */
+ "FreeRadius error", /* 6 RSE_FR */
+ "bad hostname or port", /* 7 RSE_BADADDR */
+ "no peer configured", /* 8 RSE_NOPEER */
+ "libevent error", /* 9 RSE_EVENT */
+ "socket error", /* 10 RSE_SOCKERR */
+ "invalid configuration file", /* 11 RSE_CONFIG */
+ "authentication failed", /* 12 RSE_BADAUTH */
+ "internal error", /* 13 RSE_INTERNAL */
+ "SSL error", /* 14 RSE_SSLERR */
+ "invalid packet", /* 15 RSE_INVALID_PKT */
+ "connect timeout", /* 16 RSE_TIMEOUT_CONN */
+ "invalid argument", /* 17 RSE_INVAL */
+ "I/O timeout", /* 18 RSE_TIMEOUT_IO */
+ "timeout", /* 19 RSE_TIMEOUT */
+ "peer disconnected", /* 20 RSE_DISCO */
+ "resource is in use", /* 21 RSE_INUSE */
+ "packet is too small", /* 22 RSE_PACKET_TOO_SMALL */
+ "packet is too large", /* 23 RSE_PACKET_TOO_LARGE */
+ "attribute overflows packet", /* 24 RSE_ATTR_OVERFLOW */
+ "attribute is too small", /* 25 RSE_ATTR_TOO_SMALL */
+ "attribute is too large", /* 26 RSE_ATTR_TOO_LARGE */
+ "unknown attribute", /* 27 RSE_ATTR_UNKNOWN */
+ "invalid name for attribute", /* 28 RSE_ATTR_BAD_NAME */
+ "invalid value for attribute", /* 29 RSE_ATTR_VALUE_MALFORMED */
+ "invalid attribute", /* 30 RSE_ATTR_INVALID */
+ "too many attributes in the packet", /* 31 RSE_TOO_MANY_ATTRS */
+ "attribute type unknown", /* 32 RSE_ATTR_TYPE_UNKNOWN */
+ "invalid message authenticator", /* 33 RSE_MSG_AUTH_LEN */
+ "incorrect message authenticator", /* 34 RSE_MSG_AUTH_WRONG */
+ "request is required", /* 35 RSE_REQUEST_REQUIRED */
+ "invalid request code", /* 36 RSE_REQUEST_CODE_INVALID */
+ "incorrect request authenticator", /* 37 RSE_AUTH_VECTOR_WRONG */
+ "response code is unsupported", /* 38 RSE_INVALID_RESPONSE_CODE */
+ "response ID is invalid", /* 39 RSE_INVALID_RESPONSE_ID */
+ "response from the wrong source address", /* 40 RSE_INVALID_RESPONSE_SRC */
+ "no packet data", /* 41 RSE_NO_PACKET_DATA */
+ "vendor is unknown", /* 42 RSE_VENDOR_UNKNOWN */
++ "invalid credentials", /* 43 RSE_CRED */
++ "certificate validation error", /* 44 RSE_CERT */
};
#define ERRTXT_SIZE (sizeof(_errtxt) / sizeof(*_errtxt))
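Review bot: The comment on the new entry at index 36 names `RSE_REQUEST_CODE_INVALID`, but the enumerator added in radsec.h is `RSE_INVALID_REQUEST_CODE`; since the table is indexed by enum value, the comment should read `"invalid request code", /* 36 RSE_INVALID_REQUEST_CODE */` so the two hunks stay greppable against each other. The table has grown to 45 strings and nothing here checks that it stays in lockstep with `RSE_MAX`, so a future enumerator added without a string would leave the lookup (not visible in this hunk, presumably bounded by `ERRTXT_SIZE`) returning the wrong text or nothing. If the project builds as C11, `_Static_assert (ERRTXT_SIZE == RSE_MAX + 1, "_errtxt out of sync with the rs error enum");` placed right after the `ERRTXT_SIZE` define catches the next mismatch at compile time.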
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
+#include <assert.h>
#include <event2/event.h>
- #include <freeradius/libradius.h>
#include <radsec/radsec.h>
+ #include <radsec/radsec-impl.h>
#include <radsec/request.h>
+#include "err.h"
#include "debug.h" /* For rs_dump_packet(). */
#define SECRET "sikrit"
goto cleanup;
}
#else /* defined (USE_CONFIG_FILE) */
- if (rs_context_read_config (h, av1))
+ if (rs_context_read_config (h, config_fn))
goto cleanup;
- if (rs_context_init_freeradius_dict (h, NULL))
- goto cleanup;
- if (rs_conn_create (h, &conn, av2))
+ if (rs_conn_create (h, &conn, configuration))
goto cleanup;
#endif /* defined (USE_CONFIG_FILE) */
RSE_TIMEOUT_CONN = 16, /* Connection timeout. */
RSE_INVAL = 17, /* Invalid argument. */
RSE_TIMEOUT_IO = 18, /* I/O timeout. */
- RSE_TIMEOUT= 19, /* High level timeout. */
+ RSE_TIMEOUT = 19, /* High level timeout. */
RSE_DISCO = 20,
- RSE_CRED = 21, /* Credentials. */
- RSE_CERT = 22, /* Cert validation. */
+ RSE_INUSE = 21,
+ RSE_PACKET_TOO_SMALL = 22,
+ RSE_PACKET_TOO_LARGE = 23,
+ RSE_ATTR_OVERFLOW = 24,
+ RSE_ATTR_TOO_SMALL = 25,
+ RSE_ATTR_TOO_LARGE = 26,
+ RSE_ATTR_UNKNOWN = 27,
+ RSE_ATTR_BAD_NAME = 28,
+ RSE_ATTR_VALUE_MALFORMED = 29,
+ RSE_ATTR_INVALID = 30,
+ RSE_TOO_MANY_ATTRS = 31,
+ RSE_ATTR_TYPE_UNKNOWN = 32,
+ RSE_MSG_AUTH_LEN = 33,
+ RSE_MSG_AUTH_WRONG = 34,
+ RSE_REQUEST_REQUIRED = 35,
+ RSE_INVALID_REQUEST_CODE = 36,
+ RSE_AUTH_VECTOR_WRONG = 37,
+ RSE_INVALID_RESPONSE_CODE = 38,
+ RSE_INVALID_RESPONSE_ID = 39,
+ RSE_INVALID_RESPONSE_SRC = 40,
+ RSE_NO_PACKET_DATA = 41,
+ RSE_VENDOR_UNKNOWN = 42,
- RSE_MAX = RSE_VENDOR_UNKNOWN
++ RSE_CRED = 43,
++ RSE_CERT = 44,
++ RSE_MAX = RSE_CERT
};
enum rs_conn_type {
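Review bot: The new enumerators from `RSE_INUSE` through `RSE_VENDOR_UNKNOWN`, and the relocated `RSE_CRED`/`RSE_CERT`, carry none of the trailing comments the older entries use (`/* Connection timeout. */`), so a reader of this public header has to open err.c to learn what `RSE_MSG_AUTH_LEN` or `RSE_INVALID_RESPONSE_SRC` mean. Each value should get a short comment matching its err.c string, for example `RSE_MSG_AUTH_WRONG = 34, /* Incorrect message authenticator. */`. The two moved values also deserve a note such as `RSE_CRED = 43, /* Credentials; was 21 before the radius error codes were merged in. */` so anyone debugging a mismatched library build understands the renumbering. The enum's opening line is above this hunk.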
return RSE_OK;
}
- /** Initialize freeradius dictionary. */
- int
- rs_context_init_freeradius_dict (struct rs_context *ctx, const char *dict)
- {
- int r = RSE_OK;
- size_t dictlen;
- char *dir = NULL;
- char *fn = NULL;
-
- if (dict == NULL)
- if (ctx->config != NULL && ctx->config->dictionary)
- dict = ctx->config->dictionary;
-
- if (dict == NULL)
- dict = RS_FREERADIUS_DICT;
-
- dictlen = strlen (dict);
- dir = rs_calloc (ctx, 1, dictlen + 1);
- fn = rs_calloc (ctx, 1, dictlen + 1);
- if (dir == NULL || fn == NULL)
- {
- r = rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
- goto out;
- }
- strncpy (dir, dict, dictlen);
- strncpy (fn, dict, dictlen);
-
- if (dict_init (dirname (dir), basename (fn)) < 0)
- {
- r = rs_err_ctx_push_fl (ctx, RSE_FR, __FILE__, __LINE__,
- "failing dict_init(\"%s\")", dict);
- goto out;
- }
-
- out:
- if (dir)
- rs_free (ctx, dir);
- if (fn)
- rs_free (ctx, fn);
- return r;
- }
-
struct rs_error *
-rs_resolv (struct evutil_addrinfo **addr,
- rs_conn_type_t type,
- const char *hostname,
- const char *service)
+rs_resolve (struct evutil_addrinfo **addr,
+ rs_conn_type_t type,
+ const char *hostname,
+ const char *service)
{
int err;
struct evutil_addrinfo hints, *res = NULL;
* copyright notice and this permission notice appear in all copies.
*/
++#include <netinet/in.h>
#include <openssl/ssl.h>
#if defined (__cplusplus)
assert_true (rs_packet_send (msg1, NULL) == 0);
}
++#if 0
static void
send_large_packet (struct rs_connection *conn)
{
/* 16 chunks --> heap corruption in evbuffer_drain detected by free() */
for (f = 0; f < 15; f++)
{
- VALUE_PAIR *vp = NULL;
memset (buf, 'a' + f, 252);
- vp = pairmake ("EAP-Message", buf, T_OP_EQ);
- assert_true (vp != NULL);
- pairadd (&frpkt->vps, vp);
- rs_attr_create (conn, &attr_x, "EAP-Message", buf);
- rs_packet_add_attr (msg0, attr_x);
++ //vp = pairmake ("EAP-Message", buf, T_OP_EQ);
++ assert_true (rs_packet_append_avp (msg0, fixme...) == RSE_OK);
}
assert_true (rs_packet_send (msg0, NULL) == 0);
}
++#endif /* 0 */
/* ************************************************************ */
static struct setup {
struct timeval timeout;
struct polldata *polldata;
- assert_true (rs_context_create (&ctx, NULL) == 0);
+ assert_true (rs_context_create (&ctx) == 0);
assert_true (rs_context_read_config (ctx, "test.conf") == 0);
- assert_true (rs_context_init_freeradius_dict (ctx, NULL) == 0);
assert_true (rs_conn_create (ctx, &conn, "test-udp-buffering") == 0);
timeout.tv_sec = 0;
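Review bot: Wrapping `send_large_packet` in `#if 0` removes the only test exercising the "16 chunks --> heap corruption in evbuffer_drain" case described in its own comment, and the replacement call is a `fixme...` placeholder, so the memory-safety regression this test guarded against is now uncovered with no marker saying so. A comment at the `#if 0`, such as `/* FIXME: disabled until the EAP-Message loop is ported to rs_packet_append_avp(); re-enable before release -- it covers the evbuffer_drain heap corruption. */`, would keep the intent visible, or the function could be kept compiling and skipped through the test framework instead. The loop comment also says 16 chunks while the loop runs `f < 15`, which is worth reconciling when the test is re-enabled. The setup code that follows (`rs_context_create (&ctx)`) is unaffected.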