diff options
| -rw-r--r-- | radsecproxy.c | 89 | ||||
| -rw-r--r-- | radsecproxy.conf-example | 20 | 
2 files changed, 72 insertions, 37 deletions
| diff --git a/radsecproxy.c b/radsecproxy.c index 1eb84bb..107883f 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -1687,8 +1687,9 @@ int tlslistener() {  }  void addrealm(char *value, char *server) { -    int i; +    int i, n;      struct realm *realm; +    char *s, *regex = NULL;      for (i = 0; i < server_count; i++)  	if (!strcasecmp(server, servers[i].peer.host)) @@ -1696,13 +1697,31 @@ void addrealm(char *value, char *server) {      if (i == server_count)  	debugx(1, DBG_ERR, "addrealm failed, no server %s", server); -    /* temporary warnings */ -    if (*value == '*') -	debugx(1, DBG_ERR, "Regexps are now used for specifying realms, a string\nstarting with '*' is meaningless, you probably want '.*' for matching everything\nEXITING\n"); -    if (value[strlen(value) - 1] != '$' && value[strlen(value) - 1] != '*') { -	debug(DBG_ERR, "Regexps are now used for specifying realms, you\nprobably want to rewrite this as e.g. '@example\\.com$' or '\\.com$'\nYou can even do things like '^[a-n].*@example\\.com$' to make about half of the\nusers use this server. Note that the matching is case insensitive.\n"); -	sleep(3); +    if (*value != '/') { +	/* not a regexp, let us make it one */ +	if (*value == '*' && !value[1]) +	    regex = stringcopy(".*", 0); +	else { +	    for (n = 0, s = value; *s;) +		if (*s++ == '.') +		    n++; +	    regex = malloc(strlen(value) + n + 3); +	    if (regex) { +		regex[0] = '@'; +		for (n = 1, s = value; *s; s++) { +		    if (*s == '.') +			regex[n++] = '\\'; +		    regex[n++] = *s; +		} +		regex[n++] = '$'; +		regex[n] = '\0'; +	    } +	} +	if (!regex) +	    debugx(1, DBG_ERR, "malloc failed"); +	debug(DBG_DBG, "addrealm: constructed regexp %s from %s", regex, value);      } +      realm_count++;      realms = realloc(realms, realm_count * sizeof(struct realm));      if (!realms) @@ -1710,9 +1729,13 @@ void addrealm(char *value, char *server) {      realm = realms + realm_count - 1;      memset(realm, 0, sizeof(struct realm));      realm->name = stringcopy(value, 0); +    if (!realm->name) +	debugx(1, DBG_ERR, "malloc failed");      realm->server = servers + i; -    if (regcomp(&realm->regex, value, REG_ICASE | REG_NOSUB)) -	debugx(1, DBG_ERR, "addrealm: failed to compile regular expression %s", value); +    if (regcomp(&realm->regex, regex ? regex : value + 1, REG_ICASE | REG_NOSUB)) +	debugx(1, DBG_ERR, "addrealm: failed to compile regular expression %s", regex ? regex : value + 1); +    if (regex) +	free(regex);      debug(DBG_DBG, "addrealm: added realm %s for server %s", value, server);  } @@ -1977,36 +2000,35 @@ struct peer *server_create(char type) {      return server;  } -/* returns 0 on error, 1 if ok. E.g. "" will return token with empty string */ -int strtokenquote(char *s, char **token, char *del, char *quote, char *comment) { -    char *t = s, *q; +/* returns NULL on error, where to continue parsing if token and ok. E.g. "" will return token with empty string */ +char *strtokenquote(char *s, char **token, char *del, char *quote) { +    char *t = s, *q, *r;      if (!t || !token || !del) -	return 0; -    while (strchr(del, *t)) +	return NULL; +    while (*t && strchr(del, *t))  	t++; -    if (!*t || comment && strchr(comment, *t)) { +    if (!*t) {  	*token = NULL; -	return 1; +	return t + 1; /* needs to be non-NULL, but value doesn't matter */      }      if (quote && (q = strchr(quote, *t))) {  	t++; +	r = t;  	while (*t && *t != *q)  	    t++; -	if (!*t) -	    return 0; -	if (t[1] && !strchr(del, t[1])) -	    return 0; +	if (!*t || (t[1] && !strchr(del, t[1]))) +	    return NULL;  	*t = '\0'; -	*token = q + 1; -	return 1; +	*token = r; +	return t + 1;      }      *token = t;      t++;      while (*t && !strchr(del, *t))  	t++;      *t = '\0'; -    return 1; +    return t + 1;  }  /* Parses config with following syntax: @@ -2023,17 +2045,23 @@ void getgeneralconfig(FILE *f, char *block, ...) {      va_list ap;      char line[1024];      /* initialise lots of stuff to avoid stupid compiler warnings */ -    char *tokens[3], *opt = NULL, *val = NULL, *word, **str = NULL; +    char *tokens[3], *s, *opt = NULL, *val = NULL, *word, **str = NULL;      int type = 0, tcount, conftype = 0;      void (*cbk)(FILE *, char *, char *) = NULL;      while (fgets(line, 1024, f)) { -	tokens[0] = strtok(line, " \t\n"); -	if (!*tokens || **tokens == '#') +	s = line; +	for (tcount = 0; tcount < 3; tcount++) { +	    s = strtokenquote(s, &tokens[tcount], " \t\n", "\"'"); +	    if (!s) +		debugx(1, DBG_ERR, "Syntax error in line starting with: %s", line); +	    if (!tokens[tcount]) +		break; +	} +	if (!tcount || **tokens == '#')  	    continue; -	for (tcount = 1; tcount < 3 && (tokens[tcount] = strtok(NULL, " \t\n")); tcount++); -	 -	if (tcount && **tokens == '}') { + +	if (**tokens == '}') {  	    if (block)  		return;  	    debugx(1, DBG_ERR, "configuration error, found } with no matching {"); @@ -2065,6 +2093,9 @@ void getgeneralconfig(FILE *f, char *block, ...) {  	    debugx(1, DBG_ERR, "configuration error, syntax error in line starting with %s", tokens[0]);  	} +	if (!*val) +	    debugx(1, DBG_ERR, "configuration error, option %s needs a non-empty value", opt); +	  	va_start(ap, block);  	while ((word = va_arg(ap, char *))) {  	    type = va_arg(ap, int); diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example index 27cc176..6cda59e 100644 --- a/radsecproxy.conf-example +++ b/radsecproxy.conf-example @@ -33,12 +33,14 @@ TLSCertificateKeyPassword	follow the white rabbit  #also the lines above may be in any order, except that a realm  #can only be configured to use a server that is previously configured. -#Also note that case insensitive regexp is used for realms, matching -#the entire username string. The matching is done in the order the -#realms are specified, using the first match found. Some examples are +#A realm can be a literal domain name, * which matches all, or a +#regexp. A regexp is specified by the character prefix / +#For regexp we do case insensitive matching of the entire username string. +#The matching of realms is done in the order they are specified, using the +#first match found. Some examples are  #"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".  #To treat local users separately you might try first specifying "@" -#and after that ".*". +#and after that "*".  client 2001:db8::1 {  	type	tls @@ -57,7 +59,7 @@ server 127.0.0.1 {  	type	UDP  	secret	secret  } -realm	@eduroam\.cc$ { +realm	eduroam.cc {  	server	127.0.0.1  } @@ -73,12 +75,14 @@ server radius.example.com {  # statusserver is optional, can be on or off. Off is default  } -realm @example\.com$ { +# Equivalent to example.com +realm /@example\.com$ {  	server 2001:db8::1  } -realm \.com$ { +realm /\.com$ {  	server 2001:db8::1  } -realm .* { +# The realm below is equivalent to /.* +realm * {  	server radius.example.com  } | 
