| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | radsecproxy.c | 109 | ||||
| -rw-r--r-- | radsecproxy.conf.5 | 35 | ||||
| -rw-r--r-- | radsecproxy.conf.5.xml | 48 | ||||
| -rw-r--r-- | radsecproxy.h | 1 | 
7 files changed, 147 insertions, 58 deletions
| @@ -47,3 +47,9 @@ Additional features in devel-20081006  	Dynamic server discovery  	DuplicateInterval option in client block for specifying for how  	  long a request/reply shall be stored for duplicate detection +Additional features in devel-20081106 +	Support for RADIUS TTL (hopcount) attribute. Decrements value of +	  the TTL attribute if present, discards message if becomes 0. +	  If addTTL option is used, the TTL attribute is added with the +	    specified value if the forwarded message does not have one. +	PolicyOID option can be used to require certain CA policies. @@ -1,4 +1,4 @@ -This is a revision from the radsecproxy 2.0 devel branch. +This is a snapshot of the radsecproxy 2.0 devel branch from Nov 6, 2008  radsecproxy is a generic RADIUS proxy that can support various  RADIUS clients over UDP or TLS (RadSec). @@ -37,4 +37,4 @@ let me know if you feel left out.  For more information, feedback etc. please see the information  at http://software.uninett.no/radsecproxy/ -Stig Venaas <venaas@uninett.no> -- 2008.10.07 +Stig Venaas <venaas@uninett.no> -- 2008.11.06 diff --git a/configure.ac b/configure.ac index 65f386e..e5aa6b2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(radsecproxy, 2.0-devel, venaas@uninett.no) +AC_INIT(radsecproxy, devel-20081106, venaas@uninett.no)  AM_INIT_AUTOMAKE  AC_PROG_CC  AM_PROG_CC_C_O diff --git a/radsecproxy.c b/radsecproxy.c index b611053..347d72a 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -1616,6 +1616,7 @@ int addvendorattr(struct radmsg *msg, uint32_t vendor, struct tlv *attr) {  	vendor = htonl(vendor);  	memcpy(v, &vendor, 4);  	tlv2buf(v + 4, attr); +	v[5] += 2;  	vattr = maketlv(RAD_Attr_Vendor_Specific, l, v);  	if (vattr && radmsg_add(msg, vattr))  	    return 1; 
@@ -1664,7 +1665,8 @@ int decttl(uint8_t l, uint8_t *v) {
     return 1;
 }
-int dottl(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
+/* returns -1 if no ttl, 0 if exceeded, 1 if ok */
+int checkttl(struct radmsg *msg, uint32_t *attrtype) {
     uint8_t alen, *subattrs;
     struct tlv *attr;
     struct list_node *node;
@@ -1695,9 +1697,7 @@ int dottl(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
 		subattrs += alen;
 	    }
 	}
-    if (addttl)
-	addttlattr(msg, attrtype, addttl);
-    return 1;
+    return -1;
 }
 const char *radmsgtype2string(uint8_t code) {
@@ -1902,6 +1902,7 @@ int radsrv(struct request *rq) {
     struct realm *realm = NULL;
     struct server *to = NULL;
     struct client *from = rq->from;
+    int ttlres;
     msg = buf2radmsg(rq->buf, (uint8_t *)from->conf->secret, NULL);
     free(rq->buf);
@@ -1936,7 +1937,8 @@ int radsrv(struct request *rq) {
     if (from->conf->rewritein && !dorewrite(msg, from->conf->rewritein))
 	goto rmclrqexit;
-    if (!dottl(msg, options.ttlattrtype, options.addttl)) {
+    ttlres = checkttl(msg, options.ttlattrtype);
+    if (!ttlres) {
 	debug(DBG_WARN, "radsrv: ignoring request from client %s (%s), ttl exceeded", from->conf->name, addr2string(from->addr));
 	goto exit;
     }
@@ -2013,6 +2015,9 @@ int radsrv(struct request *rq) {
     if (to->conf->rewriteout && !dorewrite(msg, to->conf->rewriteout))
 	goto rmclrqexit;
+    if (ttlres == -1 && (options.addttl || to->conf->addttl))
+	addttlattr(msg, options.ttlattrtype, to->conf->addttl ? to->conf->addttl : options.addttl);
+    
     free(userascii);
 rq->to = to;
 sendrq(rq);
@@ -2035,7 +2040,7 @@ int radsrv(struct request *rq) {
 void replyh(struct server *server, unsigned char *buf) {
     struct client *from;
     struct rqout *rqout;
-    int sublen;
+    int sublen, ttlres;
     unsigned char *subattrs;
     uint8_t *username, *stationid, *replymsg;
     struct radmsg *msg = NULL; 
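Review bot: The return value of addttlattr() in the new `if (ttlres == -1 && ...)` block at @@ -2013 is discarded, so if adding the attribute fails the request still reaches sendrq() with no TTL and the hop-count loop protection this option exists to provide is lost silently; the reply path at @@ -2159 in replyh has the same gap. If addttlattr reports failure (its definition is outside the hunk), log it: `if (!addttlattr(msg, options.ttlattrtype, to->conf->addttl ? to->conf->addttl : options.addttl)) debug(DBG_WARN, "radsrv: failed to add ttl attribute for server %s", to->conf->name);`. The `to->conf->addttl ? to->conf->addttl : options.addttl` selection is repeated verbatim in replyh with `from`; a small helper such as `static uint8_t effective_addttl(const struct clsrvconf *conf)` would keep the override rule in one place. The blank lines added at both spots carry trailing spaces. radsrv begins and ends outside the hunk.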
@@ -2084,7 +2089,8 @@ void replyh(struct server *server, unsigned char *buf) {
 	goto errunlock;
     }
-    if (!dottl(msg, options.ttlattrtype, options.addttl)) {
+    ttlres = checkttl(msg, options.ttlattrtype);
+    if (!ttlres) {
     	debug(DBG_WARN, "replyh: ignoring reply from server %s, ttl exceeded", server->conf->host);
 	goto errunlock;
     }
@@ -2159,6 +2165,9 @@ void replyh(struct server *server, unsigned char *buf) {
 	debug(DBG_WARN, "replyh: rewriteout failed");
 	goto errunlock;
     }
+    
+    if (ttlres == -1 && (options.addttl || from->conf->addttl))
+	addttlattr(msg, options.ttlattrtype, from->conf->addttl ? from->conf->addttl : options.addttl);
 debug(DBG_INFO, "replyh: passing reply to client %s (%s)", from->conf->name, addr2string(from->addr));
 radmsg_free(rqout->rq->msg);
@@ -3266,7 +3275,7 @@ int mergesrvconf(struct clsrvconf *dst, struct clsrvconf *src) {
 int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
     struct clsrvconf *conf;
     char *conftype = NULL, *rewriteinalias = NULL;
-    long int dupinterval = LONG_MIN;
+    long int dupinterval = LONG_MIN, addttl = LONG_MIN;
     debug(DBG_DBG, "confclient_cb called for %s", block); 
@@ -3277,18 +3286,19 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
     conf->certnamecheck = 1;
     if (!getgenericconfig(cf, block,
-		     "type", CONF_STR, &conftype,
-		     "host", CONF_STR, &conf->host,
-		     "secret", CONF_STR, &conf->secret,
-		     "tls", CONF_STR, &conf->tls,
-		     "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
-		     "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
-		     "DuplicateInterval", CONF_LINT, &dupinterval,
-		     "rewrite", CONF_STR, &rewriteinalias,
-		     "rewriteIn", CONF_STR, &conf->confrewritein,
-		     "rewriteOut", CONF_STR, &conf->confrewriteout,
-		     "rewriteattribute", CONF_STR, &conf->confrewriteusername,
-		     NULL
+			  "type", CONF_STR, &conftype,
+			  "host", CONF_STR, &conf->host,
+			  "secret", CONF_STR, &conf->secret,
+			  "tls", CONF_STR, &conf->tls,
+			  "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
+			  "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
+			  "DuplicateInterval", CONF_LINT, &dupinterval,
+			  "addTTL", CONF_LINT, &addttl,
+			  "rewrite", CONF_STR, &rewriteinalias,
+			  "rewriteIn", CONF_STR, &conf->confrewritein,
+			  "rewriteOut", CONF_STR, &conf->confrewriteout,
+			  "rewriteattribute", CONF_STR, &conf->confrewriteusername,
+			  NULL
 			  ))
 	debugx(1, DBG_ERR, "configuration error");
@@ -3321,6 +3331,12 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
     } else
 	conf->dupinterval = conf->pdef->duplicateintervaldefault;
+    if (addttl != LONG_MIN) {
+	if (addttl < 1 || addttl > 255)
+	    debugx(1, DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl);
+	conf->addttl = (uint8_t)addttl;
+    }
+    
     if (!conf->confrewritein)
 	conf->confrewritein = rewriteinalias;
     else 
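Review bot: The new range-check message in confclient_cb passes the `long int` addttl to a `%d` conversion, which is undefined behaviour and prints garbage on LP64 platforms where long is 64 bits; use `%ld`: `debugx(1, DBG_ERR, "error in block %s, value of option addTTL is %ld, must be 1-255", block, addttl);`. The confserver_cb hunk at @@ -3494 on the next line has the same mismatch in its debug() call. The bounds check itself is sound: the value is rejected before the narrowing cast to uint8_t, and the LONG_MIN sentinel correctly distinguishes an absent option from a configured one. confclient_cb continues outside the hunk.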
@@ -3408,7 +3424,7 @@ int compileserverconfig(struct clsrvconf *conf, const char *block) {
 int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
     struct clsrvconf *conf, *resconf;
     char *conftype = NULL, *rewriteinalias = NULL;
-    long int retryinterval = LONG_MIN, retrycount = LONG_MIN;
+    long int retryinterval = LONG_MIN, retrycount = LONG_MIN, addttl = LONG_MIN;
     debug(DBG_DBG, "confserver_cb called for %s", block);
@@ -3432,6 +3448,7 @@ int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 			  "secret", CONF_STR, &conf->secret,
 			  "tls", CONF_STR, &conf->tls,
 			  "MatchCertificateAttribute", CONF_STR, &conf->matchcertattr,
+			  "addTTL", CONF_LINT, &addttl,
 			  "rewrite", CONF_STR, &rewriteinalias,
 			  "rewriteIn", CONF_STR, &conf->confrewritein,
 			  "rewriteOut", CONF_STR, &conf->confrewriteout,
@@ -3494,6 +3511,14 @@ int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
     } else
 	conf->retrycount = 255;
+    if (addttl != LONG_MIN) {
+	if (addttl < 1 || addttl > 255) {
+	    debug(DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl);
+	    goto errexit;
+	}
+	conf->addttl = (uint8_t)addttl;
+    }
+    
     if (resconf) {
 	if (!mergesrvconf(resconf, conf))
 	    goto errexit;
@@ -3533,11 +3558,11 @@ int confrealm_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
     debug(DBG_DBG, "confrealm_cb called for %s", block);
     if (!getgenericconfig(cf, block,
-		     "server", CONF_MSTR, &servers,
-		     "accountingServer", CONF_MSTR, &accservers,
-		     "ReplyMessage", CONF_STR, &msg,
-		     "AccountingResponse", CONF_BLN, &accresp,
-		     NULL
+			  "server", CONF_MSTR, &servers,
+			  "accountingServer", CONF_MSTR, &accservers,
+			  "ReplyMessage", CONF_STR, &msg,
+			  "AccountingResponse", CONF_BLN, &accresp,
+			  NULL
 			  ))
 	debugx(1, DBG_ERR, "configuration error"); 
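Review bot: It is not clear that the new per-server addttl survives dynamic resolution: `conf->addttl = (uint8_t)addttl;` in the @@ -3494 hunk is assigned just before `if (resconf) { if (!mergesrvconf(resconf, conf))`, and mergesrvconf is outside this diff, so confirm it copies addttl into the resolved configuration — otherwise a dynamically resolved server would silently fall back to the global addTTL value. A short comment on the new block would make the precedence explicit, e.g. `/* per-server addTTL; overrides options.addttl when forwarding to this server */`. confserver_cb starts and ends outside the hunk.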
@@ -3559,15 +3584,15 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
     memset(conf, 0, sizeof(struct tls));
     if (!getgenericconfig(cf, block,
-		     "CACertificateFile", CONF_STR, &conf->cacertfile,
-		     "CACertificatePath", CONF_STR, &conf->cacertpath,
-		     "CertificateFile", CONF_STR, &conf->certfile,
-		     "CertificateKeyFile", CONF_STR, &conf->certkeyfile,
-		     "CertificateKeyPassword", CONF_STR, &conf->certkeypwd,
-		     "CacheExpiry", CONF_LINT, &expiry,
-		     "CRLCheck", CONF_BLN, &conf->crlcheck,
-		     "PolicyOID", CONF_MSTR, &conf->policyoids,
-		     NULL
+			  "CACertificateFile", CONF_STR, &conf->cacertfile,
+			  "CACertificatePath", CONF_STR, &conf->cacertpath,
+			  "CertificateFile", CONF_STR, &conf->certfile,
+			  "CertificateKeyFile", CONF_STR, &conf->certkeyfile,
+			  "CertificateKeyPassword", CONF_STR, &conf->certkeypwd,
+			  "CacheExpiry", CONF_LINT, &expiry,
+			  "CRLCheck", CONF_BLN, &conf->crlcheck,
+			  "PolicyOID", CONF_MSTR, &conf->policyoids,
+			  NULL
 			  )) {
 	debug(DBG_ERR, "conftls_cb: configuration error in block %s", val);
 	goto errexit;
@@ -3620,11 +3645,11 @@ int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, cha
     debug(DBG_DBG, "confrewrite_cb called for %s", block);
     if (!getgenericconfig(cf, block,
-		     "removeAttribute", CONF_MSTR, &rmattrs,
-		     "removeVendorAttribute", CONF_MSTR, &rmvattrs,
-		     "addAttribute", CONF_MSTR, &addattrs,
-		     "modifyAttribute", CONF_MSTR, &modattrs,
-		     NULL
+			  "removeAttribute", CONF_MSTR, &rmattrs,
+			  "removeVendorAttribute", CONF_MSTR, &rmvattrs,
+			  "addAttribute", CONF_MSTR, &addattrs,
+			  "modifyAttribute", CONF_MSTR, &modattrs,
+			  NULL
 			  ))
 	debugx(1, DBG_ERR, "configuration error");
     addrewrite(val, rmattrs, rmvattrs, addattrs, modattrs); 
@@ -3715,7 +3740,7 @@ void getargs(int argc, char **argv, uint8_t *foreground, uint8_t *pretend, uint8  	    *pretend = 1;  	    break;  	case 'v': -		debugx(0, DBG_ERR, "radsecproxy revision $Rev$"); +		debugx(0, DBG_ERR, "radsecproxy devel-20081106");  	default:  	    goto usage;  	} @@ -3802,7 +3827,7 @@ int main(int argc, char **argv) {  	debugx(1, DBG_ERR, "daemon() failed: %s", strerror(errno));      debug_timestamp_on(); -    debug(DBG_INFO, "radsecproxy revision $Rev$ starting"); +    debug(DBG_INFO, "radsecproxy devel-20081106 starting");      sigemptyset(&sigset);      /* exit on all but SIGPIPE, ignore more? */ diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5 index 315ccf2..0fb7826 100644 --- a/radsecproxy.conf.5 +++ b/radsecproxy.conf.5 @@ -5,7 +5,7 @@  \\$2 \(la\\$1\(ra\\$3  ..  .if \n(.g .mso www.tmac -.TH "radsecproxy.conf " 5 2008-10-16 "radsecproxy devel 2008-10-16" "" +.TH "radsecproxy.conf " 5 2008-11-06 "radsecproxy devel-20081106" ""  .SH NAME  radsecproxy.conf  \- Radsec proxy configuration file  
@@ -171,6 +171,21 @@ will use for TLS connections.  This can be used to specify source address and/or source port that the proxy  will use for DTLS connections.  .TP  +\*(T<TTLAttribute\*(T> +This can be used to change the default TTL attribute. Only change this if +you know what you are doing. The syntax is either a numerical value +denoting the TTL attribute, or two numerical values separated by column +specifying a vendor attribute, i.e. \*(T<vendorid:attribute\*(T>. +.TP  +\*(T<addTTL\*(T> +If a TTL attribute is present, the proxy will decrement the value and +discard the message if zero. Normally the proxy does nothing if no TTL +attribute is present. If you use the addTTL option with a value 1-255, +the proxy will when forwarding a message with no TTL attribute, add one +with the specified value. Note that this option can also be specified +for a client/server. It will then override this setting when forwarding +a message to that client/server. +.TP   \*(T<loopPrevention\*(T>  This can be set to \*(T<on\*(T> or \*(T<off\*(T> with  \*(T<off\*(T> being the default. When this is enabled, a request @@ -225,9 +240,10 @@ The allowed options in a client block are \*(T<host\*(T>,  \*(T<type\*(T>, \*(T<secret\*(T>, \*(T<tls\*(T>,  \*(T<certificateNameCheck\*(T>,  \*(T<matchCertificateAttribute\*(T>, -\*(T<duplicateInterval\*(T>, \*(T<rewrite\*(T>, -\*(T<rewriteIn\*(T>, \*(T<rewriteOut\*(T> and -\*(T<rewriteAttribute\*(T>. We already discussed the +\*(T<duplicateInterval\*(T>, \*(T<addTTL\*(T>, +\*(T<rewrite\*(T>, \*(T<rewriteIn\*(T>, +\*(T<rewriteOut\*(T> and \*(T<rewriteAttribute\*(T>. +We already discussed the  \*(T<host\*(T> option. The value of \*(T<type\*(T> must be  one of \*(T<udp\*(T>, \*(T<tcp\*(T>, \*(T<tls\*(T>  or \*(T<dtls\*(T>. The value of \*(T<secret\*(T> is the 
@@ -262,6 +278,11 @@ from the same client, with the same authenticator etc. The proxy will then  ignore the new request (if it is still processing the previous one), or  returned a copy of the previous reply.  .PP +The \*(T<addTTL\*(T> option is similar to the +\*(T<addTTL\*(T> option used in the basic config. See that for +details. Any value configured here overrides the basic one when sending +messages to this client. +.PP  The \*(T<rewrite\*(T> option is deprecated. Use  \*(T<rewriteIn\*(T> instead.  .PP @@ -309,7 +330,8 @@ administrator.  The allowed options in a server block are \*(T<host\*(T>,  \*(T<port\*(T>, \*(T<type\*(T>, \*(T<secret\*(T>,  \*(T<tls\*(T>, \*(T<certificateNameCheck\*(T>, -\*(T<matchCertificateAttribute\*(T>, \*(T<rewrite\*(T>, +\*(T<matchCertificateAttribute\*(T>, \*(T<addTTL\*(T>, +\*(T<rewrite\*(T>,  \*(T<rewriteIn\*(T>, \*(T<rewriteOut\*(T>,  \*(T<statusServer\*(T>, \*(T<retryCount\*(T>,  \*(T<retryInterval\*(T> and \*(T<dynamicLookupCommand\*(T>. @@ -318,7 +340,8 @@ We already discussed the \*(T<host\*(T> option. The  \*(T<port\*(T> option allows you to specify which port number the  server uses. The usage of \*(T<type\*(T>, \*(T<secret\*(T>,  \*(T<tls\*(T>, \*(T<certificateNameCheck\*(T>, -\*(T<matchCertificateAttribute\*(T>, \*(T<rewrite\*(T>, +\*(T<matchCertificateAttribute\*(T>, \*(T<addTTL\*(T>, +\*(T<rewrite\*(T>,  \*(T<rewriteIn\*(T> and \*(T<rewriteOut\*(T> are just as  specified for the \*(T<client block\*(T> above, except that  \*(T<defaultServer\*(T> (and not \*(T<defaultClient\*(T>) diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 41f29be..a40e341 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml 
@@ -2,14 +2,14 @@  "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">  <refentry>    <refentryinfo> -    <date>2008-10-16</date> +    <date>2008-11-06</date>    </refentryinfo>    <refmeta>      <refentrytitle>        <application>radsecproxy.conf</application>      </refentrytitle>      <manvolnum>5</manvolnum> -    <refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo> +    <refmiscinfo>radsecproxy devel-20081106</refmiscinfo>    </refmeta>    <refnamediv>      <refname> @@ -256,6 +256,31 @@ will use for DTLS connections.          </listitem>        </varlistentry>        <varlistentry> +        <term><literal>TTLAttribute</literal></term> +        <listitem> +	  <para> +This can be used to change the default TTL attribute. Only change this if +you know what you are doing. The syntax is either a numerical value +denoting the TTL attribute, or two numerical values separated by column +specifying a vendor attribute, i.e. <literal>vendorid:attribute</literal>. +	  </para> +        </listitem> +      </varlistentry> +      <varlistentry> +        <term><literal>addTTL</literal></term> +        <listitem> +	  <para> +If a TTL attribute is present, the proxy will decrement the value and +discard the message if zero. Normally the proxy does nothing if no TTL +attribute is present. If you use the addTTL option with a value 1-255, +the proxy will when forwarding a message with no TTL attribute, add one +with the specified value. Note that this option can also be specified +for a client/server. It will then override this setting when forwarding +a message to that client/server. +	  </para> +        </listitem> +      </varlistentry> +      <varlistentry>          <term><literal>loopPrevention</literal></term>          <listitem>  	  <para> 
@@ -333,9 +358,10 @@ The allowed options in a client block are <literal>host</literal>,  <literal>type</literal>, <literal>secret</literal>, <literal>tls</literal>,  <literal>certificateNameCheck</literal>,  <literal>matchCertificateAttribute</literal>, -<literal>duplicateInterval</literal>, <literal>rewrite</literal>, -<literal>rewriteIn</literal>, <literal>rewriteOut</literal> and -<literal>rewriteAttribute</literal>. We already discussed the +<literal>duplicateInterval</literal>, <literal>addTTL</literal>, +<literal>rewrite</literal>, <literal>rewriteIn</literal>, +<literal>rewriteOut</literal> and <literal>rewriteAttribute</literal>. +We already discussed the  <literal>host</literal> option. The value of <literal>type</literal> must be  one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal>  or <literal>dtls</literal>. The value of <literal>secret</literal> is the @@ -375,6 +401,12 @@ ignore the new request (if it is still processing the previous one), or  returned a copy of the previous reply.      </para>      <para> +The <literal>addTTL</literal> option is similar to the +<literal>addTTL</literal> option used in the basic config. See that for +details. Any value configured here overrides the basic one when sending +messages to this client. +    </para> +    <para>  The <literal>rewrite</literal> option is deprecated. Use  <literal>rewriteIn</literal> instead.      </para> 
@@ -433,7 +465,8 @@ administrator.  The allowed options in a server block are <literal>host</literal>,  <literal>port</literal>, <literal>type</literal>, <literal>secret</literal>,  <literal>tls</literal>, <literal>certificateNameCheck</literal>, -<literal>matchCertificateAttribute</literal>, <literal>rewrite</literal>, +<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>, +<literal>rewrite</literal>,  <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,  <literal>statusServer</literal>, <literal>retryCount</literal>,  <literal>retryInterval</literal> and <literal>dynamicLookupCommand</literal>. @@ -443,7 +476,8 @@ We already discussed the <literal>host</literal> option. The  <literal>port</literal> option allows you to specify which port number the  server uses. The usage of <literal>type</literal>, <literal>secret</literal>,  <literal>tls</literal>, <literal>certificateNameCheck</literal>, -<literal>matchCertificateAttribute</literal>, <literal>rewrite</literal>, +<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>, +<literal>rewrite</literal>,  <literal>rewriteIn</literal> and <literal>rewriteOut</literal> are just as  specified for the <literal>client block</literal> above, except that  <literal>defaultServer</literal> (and not <literal>defaultClient</literal>) diff --git a/radsecproxy.h b/radsecproxy.h index c891ba5..a67d88d 100644 --- a/radsecproxy.h +++ b/radsecproxy.h @@ -92,6 +92,7 @@ struct clsrvconf {      uint8_t retrycount;      uint8_t dupinterval;      uint8_t certnamecheck; +    uint8_t addttl;      struct rewrite *rewritein;      struct rewrite *rewriteout;      struct addrinfo *addrinfo; | 
