-rw-r--r-- | dtls.c | 24 | ||||
-rw-r--r-- | hostport.c | 17 | ||||
-rw-r--r-- | hostport.h | 1 | ||||
-rw-r--r-- | tcp.c | 15 | ||||
-rw-r--r-- | tls.c | 16 | ||||
-rw-r--r-- | tlscommon.c | 54 | ||||
-rw-r--r-- | udp.c | 19 |
7 files changed, 94 insertions, 52 deletions
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2008-2009 Stig Venaas <venaas@uninett.no> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -33,6 +33,7 @@ #ifdef RADPROT_DTLS #include "debug.h" #include "util.h" +#include "hostport.h" static void setprotoopts(struct commonprotoopts *opts); static char **getlistenerargs(); @@ -99,8 +100,7 @@ struct dtlsservernewparams { void dtlssetsrcres() { if (!srcres) - srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL); - + srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype); } int udp2bio(int s, struct gqueue *q, int cnt) { @@ -531,7 +531,8 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char * time_t elapsed; X509 *cert; SSL_CTX *ctx = NULL; - + struct hostportres *hp; + debug(DBG_DBG, "dtlsconnect: called from %s", text); pthread_mutex_lock(&server->lock); if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) { @@ -541,6 +542,7 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char * return 1; } + hp = (struct hostportres *)list_first(server->conf->hostports)->data; for (;;) { gettimeofday(&now, NULL); elapsed = now.tv_sec - server->lastconnecttry.tv_sec; 
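Review bot: In the dtlsconnect hunk at @@ -541, `hp = (struct hostportres *)list_first(server->conf->hostports)->data;` dereferences the result of list_first() with no check, so an empty hostports list (or an entry with NULL data) is a NULL dereference while server->lock is held; nothing in the diff shows that configuration or resolution guarantees at least one entry. The same unchecked `list_first(...)->data` pattern appears in addserverextradtls (dtls.c @@ -665) and in clientradputudp and addserverextraudp (udp.c @@ -243 and @@ -315). A guard ahead of the assignment along the lines of `if (!list_first(server->conf->hostports)) { pthread_mutex_unlock(&server->lock); return 0; }` (the return value should follow the function's failure convention, which is outside this hunk), or a check at config-load time that every server has a non-empty hostport list, would close it. dtlsconnect starts before and continues past this hunk.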
@@ -566,14 +568,14 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char * sleep(60); } else server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */ - debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port); + debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", hp->host, hp->port); SSL_free(server->ssl); server->ssl = NULL; ctx = tlsgetctx(handle, server->conf->tlsconf); if (!ctx) continue; - server->ssl = dtlsacccon(0, ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios); + server->ssl = dtlsacccon(0, ctx, server->sock, hp->addrinfo->ai_addr, server->rbios); if (!server->ssl) continue; debug(DBG_DBG, "dtlsconnect: DTLS: ok"); @@ -587,7 +589,7 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char * X509_free(cert); } X509_free(cert); - debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port); + debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", hp->host, hp->port); server->connectionok = 1; gettimeofday(&server->lastconnecttry, NULL); pthread_mutex_unlock(&server->lock); @@ -608,7 +610,7 @@ int clientradputdtls(struct server *server, unsigned char *rad) { debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL)); return 0; } - debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host); + debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->name); return 1; } 
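Review bot: dtlsconnect (@@ -566) opens the DTLS session to `hp->addrinfo->ai_addr` only, i.e. the first entry of the hostport list, whereas tcpconnect and tlsconnect in this commit try every entry through connecttcphostlist; a server configured with several hosts therefore gets failover over TCP/TLS but not over DTLS (nor over UDP, where clientradputudp also takes only the first entry). If that is deliberate, a comment at the `hp =` assignment such as `/* DTLS uses only the first hostport; no failover across the list */` would make the asymmetry explicit; otherwise the retry loop should walk the list the way connecttcphostlist does. dtlsconnect starts before and ends after this hunk.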
@@ -665,12 +667,12 @@ void *dtlsclientrd(void *arg) { } void addserverextradtls(struct clsrvconf *conf) { - switch (conf->addrinfo->ai_family) { + switch (((struct hostportres *)list_first(conf->hostports)->data)->addrinfo->ai_family) { case AF_INET: if (client4_sock < 0) { client4_sock = bindtoaddr(srcres, AF_INET, 0, 1); if (client4_sock < 0) - debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host); + debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client4_sock; break; @@ -678,7 +680,7 @@ void addserverextradtls(struct clsrvconf *conf) { if (client6_sock < 0) { client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1); if (client6_sock < 0) - debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host); + debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client6_sock; break; @@ -264,3 +264,20 @@ int addressmatches(struct list *hostports, struct sockaddr *addr) { } return 0; } + +int connecttcphostlist(struct list *hostports, struct addrinfo *src) { + int s; + struct list_node *entry; + struct hostportres *hp = NULL; + + for (entry = list_first(hostports); entry; entry = list_next(entry)) { + hp = (struct hostportres *)entry->data; + debug(DBG_WARN, "connecttcphostlist: trying to open TCP connection to %s port %s", hp->host, hp->port); + if ((s = connecttcp(hp->addrinfo, src)) >= 0) { + debug(DBG_WARN, "connecttcphostlist: TCP connection to %s port %s up", hp->host, hp->port); + return s; + } + } + debug(DBG_ERR, "connecttcphostlist: failed"); + return -1; +} 
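Review bot: connecttcphostlist (hostport.c @@ -264) returns the connected socket but discards which hostport entry it succeeded on, so a caller such as tlsconnect cannot later tell which peer it is talking to; that matters because the new certnamecheck then accepts a certificate matching any entry in the list rather than the one actually reached. Consider returning the successful `struct hostportres *` through an out-parameter, or at least stating the limitation in a header comment above the definition, e.g. `/* Try each hostport in order; return the first connected socket, or -1 if none succeeded. The caller is not told which entry connected. */`. The `hp = NULL` initializer is dead, since hp is assigned from entry->data before any use.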
@@ -18,3 +18,4 @@ void freehostports(struct list *hostports); int resolvehostports(struct list *hostports, int socktype); struct addrinfo *resolvepassiveaddrinfo(char *hostport, char *default_port, int socktype); int addressmatches(struct list *hostports, struct sockaddr *addr); +int connecttcphostlist(struct list *hostports, struct addrinfo *src); @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2008-2009 Stig Venaas <venaas@uninett.no> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -25,6 +25,7 @@ #include <regex.h> #include <pthread.h> #include "list.h" +#include "hostport.h" #include "radsecproxy.h" #ifdef RADPROT_TCP @@ -78,9 +79,9 @@ static char **getlistenerargs() { void tcpsetsrcres() { if (!srcres) - srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL); + srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype); } - + int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text) { struct timeval now; time_t elapsed; @@ -117,14 +118,12 @@ int tcpconnect(struct server *server, struct timeval *when, int timeout, char *t sleep(60); } else server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */ - debug(DBG_WARN, "tcpconnect: trying to open TCP connection to %s port %s", server->conf->host, server->conf->port); + if (server->sock >= 0) close(server->sock); - if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) >= 0) + if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) >= 0) break; - debug(DBG_ERR, "tcpconnect: connecttcp failed"); } - debug(DBG_WARN, "tcpconnect: TCP connection to %s port %s up", server->conf->host, server->conf->port); server->connectionok = 1; gettimeofday(&server->lastconnecttry, NULL); pthread_mutex_unlock(&server->lock); 
@@ -210,7 +209,7 @@ int clientradputtcp(struct server *server, unsigned char *rad) { debug(DBG_ERR, "clientradputtcp: write error"); return 0; } - debug(DBG_DBG, "clientradputtcp: Sent %d bytes, Radius packet of length %d to TCP peer %s", cnt, len, conf->host); + debug(DBG_DBG, "clientradputtcp: Sent %d bytes, Radius packet of length %d to TCP peer %s", cnt, len, conf->name); return 1; } @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -27,6 +27,7 @@ #include <openssl/ssl.h> #include <openssl/err.h> #include "list.h" +#include "hostport.h" #include "radsecproxy.h" #ifdef RADPROT_TLS @@ -82,8 +83,7 @@ static char **getlistenerargs() { void tlssetsrcres() { if (!srcres) - srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL); - + srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype); } int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) { @@ -127,13 +127,11 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t sleep(60); } else server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */ - debug(DBG_WARN, "tlsconnect: trying to open TLS connection to %s port %s", server->conf->host, server->conf->port); + if (server->sock >= 0) close(server->sock); - if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) < 0) { - debug(DBG_ERR, "tlsconnect: connecttcp failed"); + if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0) continue; - } SSL_free(server->ssl); server->ssl = NULL; 
@@ -159,7 +157,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t } X509_free(cert); } - debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port); + debug(DBG_WARN, "tlsconnect: TLS connection to %s up", server->conf->name); server->connectionok = 1; gettimeofday(&server->lastconnecttry, NULL); pthread_mutex_unlock(&server->lock); @@ -260,7 +258,7 @@ int clientradputtls(struct server *server, unsigned char *rad) { return 0; } - debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host); + debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->name); return 1; } diff --git a/tlscommon.c b/tlscommon.c index 0389f21..6260e37 100644 --- a/tlscommon.c +++ b/tlscommon.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -35,6 +35,7 @@ #include "list.h" #include "hash.h" #include "util.h" +#include "hostport.h" #include "radsecproxy.h" static struct hash *tlsconfs = NULL; 
@@ -461,31 +462,52 @@ static int cnregexp(X509 *cert, char *exact, regex_t *regex) { return 0; } -int verifyconfcert(X509 *cert, struct clsrvconf *conf) { +/* this is a bit sloppy, should not always accept match to any */ +int certnamecheck(X509 *cert, struct list *hostports) { + struct list_node *entry; + struct hostportres *hp; int r; uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */ struct in6_addr addr; - - if (conf->certnamecheck && conf->prefixlen == 255) { - if (inet_pton(AF_INET, conf->host, &addr)) + + for (entry = list_first(hostports); entry; entry = list_next(entry)) { + hp = (struct hostportres *)entry->data; + if (hp->prefixlen != 255) { + /* we disable the check for prefixes */ + return 1; + } + if (inet_pton(AF_INET, hp->host, &addr)) type = AF_INET; - else if (inet_pton(AF_INET6, conf->host, &addr)) + else if (inet_pton(AF_INET6, hp->host, &addr)) type = AF_INET6; + else + type = 0; - r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL); + r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, hp->host, NULL); if (r) { - if (r < 0) { - debug(DBG_WARN, "verifyconfcert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host); - return 0; + if (r > 0) { + debug(DBG_DBG, "certnamecheck: Found subjectaltname matching %s %s", type ? "address" : "host", hp->host); + return 1; } - debug(DBG_DBG, "verifyconfcert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host); + debug(DBG_WARN, "certnamecheck: No subjectaltname matching %s %s", type ? 
"address" : "host", hp->host); } else { - if (!cnregexp(cert, conf->host, NULL)) { - debug(DBG_WARN, "verifyconfcert: cn not matching host %s", conf->host); - return 0; - } - debug(DBG_DBG, "verifyconfcert: Found cn matching host %s", conf->host); + if (cnregexp(cert, hp->host, NULL)) { + debug(DBG_DBG, "certnamecheck: Found cn matching host %s", hp->host); + return 1; + } + debug(DBG_WARN, "certnamecheck: cn not matching host %s", hp->host); + } + } + return 0; +} + +int verifyconfcert(X509 *cert, struct clsrvconf *conf) { + if (conf->certnamecheck) { + if (!certnamecheck(cert, conf->hostports)) { + debug(DBG_WARN, "verifyconfcert: certificate name check failed"); + return 0; } + debug(DBG_WARN, "verifyconfcert: certificate name check ok"); } if (conf->certcnregex) { if (cnregexp(cert, NULL, conf->certcnregex) < 1) { @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -25,6 +25,7 @@ #include <regex.h> #include <pthread.h> #include "list.h" +#include "hostport.h" #include "radsecproxy.h" #ifdef RADPROT_UDP @@ -85,7 +86,7 @@ static char **getlistenerargs() { void udpsetsrcres() { if (!srcres) - srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL); + srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype); } void removeudpclientfromreplyq(struct client *c) { 
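Review bot: certnamecheck (tlscommon.c @@ -461) returns success as soon as any entry in the hostport list matches the certificate, and returns 1 unconditionally on the first entry whose prefixlen is not 255, so a single prefix entry disables the name check for the whole peer, including exact entries that already failed earlier in the loop; the author's own comment acknowledges the match-to-any half of this. Because the TLS client now connects through connecttcphostlist without recording which entry succeeded, the check cannot be tied to the host actually reached; short of passing the connected hostportres into verifyconfcert, the prefix case should at least skip the entry (`if (hp->prefixlen != 255) { sawprefix = 1; continue; }`) and the function end with `return sawprefix;` so that a prefix entry no longer overrides a failed exact match. Separately, `debug(DBG_WARN, "verifyconfcert: certificate name check ok");` logs the success path at warning level where `DBG_DBG` would match the surrounding success messages. The hunk ends inside verifyconfcert, which continues past it.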
@@ -243,10 +244,12 @@ unsigned char *radudpget(int s, struct client **client, struct server **server, int clientradputudp(struct server *server, unsigned char *rad) { size_t len; struct clsrvconf *conf = server->conf; - + struct addrinfo *ai; + len = RADLEN(rad); - if (sendto(server->sock, rad, len, 0, conf->addrinfo->ai_addr, conf->addrinfo->ai_addrlen) >= 0) { - debug(DBG_DBG, "clienradputudp: sent UDP of length %d to %s port %d", len, conf->host, port_get(conf->addrinfo->ai_addr)); + ai = ((struct hostportres *)list_first(conf->hostports)->data)->addrinfo; + if (sendto(server->sock, rad, len, 0, ai->ai_addr, ai->ai_addrlen) >= 0) { + debug(DBG_DBG, "clienradputudp: sent UDP of length %d to %s port %d", len, addr2string(ai->ai_addr), port_get(ai->ai_addr)); return 1; } @@ -315,12 +318,12 @@ void addclientudp(struct client *client) { } void addserverextraudp(struct clsrvconf *conf) { - switch (conf->addrinfo->ai_family) { + switch (((struct hostportres *)list_first(conf->hostports)->data)->addrinfo->ai_family) { case AF_INET: if (client4_sock < 0) { client4_sock = bindtoaddr(srcres, AF_INET, 0, 1); if (client4_sock < 0) - debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host); + debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client4_sock; break; @@ -328,7 +331,7 @@ void addserverextraudp(struct clsrvconf *conf) { if (client6_sock < 0) { client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1); if (client6_sock < 0) - debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host); + debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client6_sock; break; |
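Review bot: In the clientradputudp hunk (@@ -243) the rewritten debug line passes `len`, declared `size_t` two lines above, to a `%d` conversion, which is a format/argument mismatch (undefined behaviour where size_t and int differ in width) if debug() forwards its format to a printf-family function, as its use here suggests. The line should read `debug(DBG_DBG, "clienradputudp: sent UDP of length %zu to %s port %d", len, addr2string(ai->ai_addr), port_get(ai->ai_addr));`; the "Sent %d bytes, Radius packet of length %d" lines in the dtls/tcp/tls hunks deserve the same look if their `len` is also size_t, which is not visible here. The `ai` assignment on the preceding line also dereferences list_first() unchecked, as already noted for dtlsconnect.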