Diffstat (limited to 'lib/include/radsec')
-rw-r--r-- | lib/include/radsec/.gitignore | 1 | ||||
-rw-r--r-- | lib/include/radsec/radsec-impl.h | 14 | ||||
-rw-r--r-- | lib/include/radsec/radsec.h | 333 | ||||
-rw-r--r-- | lib/include/radsec/request-impl.h | 7 | ||||
-rw-r--r-- | lib/include/radsec/request.h | 18 |
5 files changed, 330 insertions, 43 deletions
diff --git a/lib/include/radsec/.gitignore b/lib/include/radsec/.gitignore
new file mode 100644
index 0000000..c20d18b
--- /dev/null
+++ b/lib/include/radsec/.gitignore
@@ -0,0 +1 @@
+radius.h
diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h
index 752ea71..a4d97f0 100644
--- a/lib/include/radsec/radsec-impl.h
+++ b/lib/include/radsec/radsec-impl.h
@@ -1,9 +1,11 @@
 /** @file libradsec-impl.h @brief Libraray internal header file for libradsec. */
-/* See the file COPYING for licensing information. */
+/* See LICENSE for licensing information. */
+
+#ifndef _RADSEC_RADSEC_IMPL_H_
+#define _RADSEC_RADSEC_IMPL_H_ 1
-#include <freeradius/libradius.h>
 #include <event2/util.h>
 #include <confuse.h>
 #if defined(RS_ENABLE_TLS)
@@ -74,7 +76,6 @@ struct rs_realm {
 /** Top configuration object. */
 struct rs_config {
- char *dictionary;
 struct rs_realm *realms;
 cfg_t *cfg;
 };
@@ -83,7 +84,6 @@ struct rs_context {
 struct rs_config *config;
 struct rs_alloc_scheme alloc_scheme;
 struct rs_error *err;
- fr_randctx fr_randctx;
 };
 struct rs_connection {
@@ -121,11 +121,13 @@ enum rs_packet_flags {
 rs_packet_sent_flag,
 };
+struct radius_packet;
+
 struct rs_packet {
 struct rs_connection *conn;
 unsigned int flags;
 uint8_t hdr[RS_HEADER_LEN];
- RADIUS_PACKET *rpkt; /* FreeRADIUS object. */
+ struct radius_packet *rpkt; /* FreeRADIUS object. */
 struct rs_packet *next; /* Used for UDP output queue. */
 };
@@ -145,6 +147,8 @@ struct rs_packet {
 #define min(a, b) ((a) < (b) ? (a) : (b))
 #define max(a, b) ((a) > (b) ? (a) : (b))
+#endif /* _RADSEC_RADSEC_IMPL_H_ */
+
 /* Local Variables: */
 /* c-file-style: "stroustrup" */
 /* End: */
diff --git a/lib/include/radsec/radsec.h b/lib/include/radsec/radsec.h
index e62986e..7bd7f10 100644
--- a/lib/include/radsec/radsec.h
+++ b/lib/include/radsec/radsec.h
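Review bot: The new include guard `_RADSEC_RADSEC_IMPL_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation (C11 7.1.3), so a libc or compiler macro of that shape may legitimately collide with it; `RADSEC_RADSEC_IMPL_H` with the matching `#endif /* RADSEC_RADSEC_IMPL_H */` avoids that. The same naming is introduced in this commit for `_RADSEC_RADSEC_H_` (radsec.h), `_RADSEC_REQUEST_IMPL_H_` (request-impl.h) and `_RADSEC_REQUEST_H_` (request.h).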
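Review bot: The `rpkt` member keeps the comment `/* FreeRADIUS object. */` while its type becomes the forward-declared `struct radius_packet`, which radsec.h in this same commit attributes to `<radius/client.h>`, so the two headers now disagree about where the type comes from. Changing it to `/* struct radius_packet, see <radius/client.h>. */` keeps them consistent now that `<freeradius/libradius.h>` is no longer included here.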
@@ -1,16 +1,26 @@
 /** \file radsec.h \brief Public interface for libradsec. */
-/* See the file COPYING for licensing information. */
+/* See LICENSE for licensing information. */
-#include <unistd.h>
-#include <sys/time.h>
+#ifndef _RADSEC_RADSEC_H_
+#define _RADSEC_RADSEC_H_ 1
-#ifdef SYSCONFDIR
-#define RS_FREERADIUS_DICT SYSCONFDIR "/raddb/dictionary"
-#else /* !SYSCONFDIR */
-#define RS_FREERADIUS_DICT "/usr/local/raddb/dictionary"
-#endif /* !SYSCONFDIR */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
 enum rs_error_code {
 RSE_OK = 0,
@@ -19,7 +29,7 @@ enum rs_error_code {
 RSE_INVALID_CTX = 3,
 RSE_INVALID_CONN = 4,
 RSE_CONN_TYPE_MISMATCH = 5,
- RSE_FR = 6, /* FreeRADIUS error. */
+ RSE_FR = 6,
 RSE_BADADDR = 7,
 RSE_NOPEER = 8,
 RSE_EVENT = 9, /* libevent error. */
@@ -34,8 +44,31 @@ enum rs_error_code {
 RSE_TIMEOUT_IO = 18, /* I/O timeout. */
 RSE_TIMEOUT = 19, /* High level timeout. */
 RSE_DISCO = 20,
- RSE_CRED = 21, /* Credentials. */
- RSE_CERT = 22, /* Cert validation. */
+ RSE_INUSE = 21,
+ RSE_PACKET_TOO_SMALL = 22,
+ RSE_PACKET_TOO_LARGE = 23,
+ RSE_ATTR_OVERFLOW = 24,
+ RSE_ATTR_TOO_SMALL = 25,
+ RSE_ATTR_TOO_LARGE = 26,
+ RSE_ATTR_UNKNOWN = 27,
+ RSE_ATTR_BAD_NAME = 28,
+ RSE_ATTR_VALUE_MALFORMED = 29,
+ RSE_ATTR_INVALID = 30,
+ RSE_TOO_MANY_ATTRS = 31,
+ RSE_ATTR_TYPE_UNKNOWN = 32,
+ RSE_MSG_AUTH_LEN = 33,
+ RSE_MSG_AUTH_WRONG = 34,
+ RSE_REQUEST_REQUIRED = 35,
+ RSE_INVALID_REQUEST_CODE = 36,
+ RSE_AUTH_VECTOR_WRONG = 37,
+ RSE_INVALID_RESPONSE_CODE = 38,
+ RSE_INVALID_RESPONSE_ID = 39,
+ RSE_INVALID_RESPONSE_SRC = 40,
+ RSE_NO_PACKET_DATA = 41,
+ RSE_VENDOR_UNKNOWN = 42,
+ RSE_CRED = 43,
+ RSE_CERT = 44,
+ RSE_MAX = RSE_CERT
 };
 enum rs_conn_type {
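Review bot: The `HAVE_*` conditionals wrapped around the system includes are defined by this package's own `config.h`, which a program that includes the installed radsec.h will normally not have, so for such a consumer none of these headers is pulled in and the `uint32_t`, `uint8_t`, `size_t`, `time_t` and `struct in_addr` used by the AVP prototypes later in this file may be undeclared at the point of use. A public header usually includes what its prototypes need unconditionally, e.g. `#include <stddef.h>`, `#include <stdint.h>`, `#include <time.h>` and `#include <netinet/in.h>`, and leaves `config.h` to the library's .c files, since `config.h` is not installed. I cannot see the build system from here, so whether consumers currently get these macros some other way is inferred, not verified.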
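Review bot: `RSE_CRED` and `RSE_CERT` move from 21/22 to 43/44 and their old values are reused for `RSE_INUSE` and `RSE_PACKET_TOO_SMALL`, so anything built against the previous header, or any code comparing the result of `rs_err_code()` with a literal, will now report a certificate-validation failure as a packet-size error and vice versa. If the library has a versioned ABI this needs a version bump and a changelog entry; in any case a comment on the enum such as `/* Values are part of the ABI: append new codes before RSE_MAX, never renumber. */` would keep the next change from repeating it. The dropped `/* Credentials. */` and `/* Cert validation. */` comments are worth carrying to the new positions, as the surrounding codes keep theirs.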
@@ -47,6 +80,39 @@ enum rs_conn_type {
 };
 typedef unsigned int rs_conn_type_t;
+typedef enum rs_attr_type_t {
+ RS_TYPE_INVALID = 0, /**< Invalid data type */
+ RS_TYPE_STRING, /**< printable-text */
+ RS_TYPE_INTEGER, /**< a 32-bit unsigned integer */
+ RS_TYPE_IPADDR, /**< an IPv4 address */
+ RS_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */
+ RS_TYPE_OCTETS, /**< a sequence of binary octets */
+ RS_TYPE_IFID, /**< an Interface Id */
+ RS_TYPE_IPV6ADDR, /**< an IPv6 address */
+ RS_TYPE_IPV6PREFIX, /**< an IPv6 prefix */
+ RS_TYPE_BYTE, /**< an 8-bit integer */
+ RS_TYPE_SHORT, /**< a 16-bit integer */
+} rs_attr_type_t;
+
+#define PW_ACCESS_REQUEST 1
+#define PW_ACCESS_ACCEPT 2
+#define PW_ACCESS_REJECT 3
+#define PW_ACCOUNTING_REQUEST 4
+#define PW_ACCOUNTING_RESPONSE 5
+#define PW_ACCOUNTING_STATUS 6
+#define PW_PASSWORD_REQUEST 7
+#define PW_PASSWORD_ACK 8
+#define PW_PASSWORD_REJECT 9
+#define PW_ACCOUNTING_MESSAGE 10
+#define PW_ACCESS_CHALLENGE 11
+#define PW_STATUS_SERVER 12
+#define PW_STATUS_CLIENT 13
+#define PW_DISCONNECT_REQUEST 40
+#define PW_DISCONNECT_ACK 41
+#define PW_DISCONNECT_NAK 42
+#define PW_COA_REQUEST 43
+#define PW_COA_ACK 44
+#define PW_COA_NAK 45
 #if defined (__cplusplus)
 extern "C" {
@@ -59,7 +125,8 @@ struct rs_packet; /* radsec-impl.h */
 struct rs_conn; /* radsec-impl.h */
 struct rs_error; /* radsec-impl.h */
 struct rs_peer; /* radsec-impl.h */
-struct radius_packet; /* <freeradius/libradius.h> */
+struct radius_packet; /* <radius/client.h> */
+struct value_pair; /* <radius/client.h> */
 struct event_base; /* <event2/event-internal.h> */
 typedef void *(*rs_calloc_fp) (size_t nmemb, size_t size);
@@ -89,6 +156,8 @@ struct rs_conn_callbacks {
 rs_conn_packet_sent_cb sent_cb;
 };
+typedef struct value_pair rs_avp;
+typedef const struct value_pair rs_const_avp;
 /* Function prototypes. */
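Review bot: The `PW_*` packet-code macros go into the public header without the `RS_`/`rs_` prefix every other identifier in this file carries, and they are the same names FreeRADIUS's libradius headers define, so a program that includes both gets redefinition warnings at best and, should the two sets ever diverge, silently wrong codes. An `enum rs_packet_code { RS_CODE_ACCESS_REQUEST = 1, RS_CODE_ACCESS_ACCEPT = 2, /* ... */ }` keeps them namespaced and visible in a debugger, with the `PW_*` names kept as aliases if compatibility with existing callers is wanted. The `rs_attr_type_t` enum is also the natural return type for `rs_packet_code()` declared later in this file only if a code enum exists; today it returns a bare `unsigned int`.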
@@ -109,20 +178,6 @@ int rs_context_create(struct rs_context **ctx);
 all other libradsec objects have been freed. */
 void rs_context_destroy(struct rs_context *ctx);
-/** Initialize FreeRADIUS dictionary needed for creating packets.
-
- \a ctx Context.
-
- \a dict Optional string with full path to FreeRADIUS dictionary.
- If \a dict is NULL the path to the dictionary file is taken from
- the "dictionary" configuration directive. Note that the
- configuration file must be read prior to using this option (see \a
- rs_context_read_config).
-
- \return RSE_OK (0) on success, RSE_NOMEM on memory allocation
- error and RSE_FR on FreeRADIUS error. */
-int rs_context_init_freeradius_dict(struct rs_context *ctx, const char *dict);
-
 /** Set allocation scheme to use. \a scheme is the allocation scheme to use, see \a rs_alloc_scheme. \return On success, RSE_OK (0) is returned. On error, !0 is returned and a struct \a rs_error is
@@ -253,17 +308,38 @@ void rs_packet_destroy(struct rs_packet *pkt);
 rs_err_conn_pop. */
 int rs_packet_send(struct rs_packet *pkt, void *user_data);
-/** Return the FreeRADIUS packet associated with packet \a pkt. */
-struct radius_packet *rs_packet_frpkt(struct rs_packet *pkt);
-
 /** Create a RADIUS authentication request packet associated with connection \a conn. Optionally, User-Name and User-Password
- attributes are added to the packet using the data in \a user_name
- and \a user_pw. */
+ attributes are added to the packet using the data in \a user_name,
+ \a user_pw and \a secret where \secret is the RADIUS shared
+ secret. */
 int rs_packet_create_authn_request(struct rs_connection *conn,
 struct rs_packet **pkt,
 const char *user_name,
- const char *user_pw);
+ const char *user_pw,
+ const char *secret);
+
+/*** Append \a tail to packet \a pkt. */
+int
+rs_packet_append_avp(struct rs_packet *pkt,
+ unsigned int attribute, unsigned int vendor,
+ const void *data, size_t data_len);
+
+/*** Get pointer to \a pkt attribute value pairs. */
+void
+rs_packet_avps(struct rs_packet *pkt, rs_avp ***vps);
+
+/*** Get RADIUS packet type of \a pkt. */
+unsigned int
+rs_packet_code(struct rs_packet *pkt);
+
+/*** Get RADIUS AVP from \a pkt. */
+rs_const_avp *
+rs_packet_find_avp(struct rs_packet *pkt, unsigned int attr, unsigned int vendor);
+
+/*** Set packet identifier in \a pkt; returns old identifier */
+int
+rs_packet_set_id (struct rs_packet *pkt, int id);
 /************/
 /* Config. */
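Review bot: The rewritten comment on `rs_packet_create_authn_request` writes `\secret` where Doxygen expects `\a secret`, and it does not say what the call does when \a user_pw is supplied without \a secret, whereas request.h in this commit documents the corresponding `rs_request_create_authn` as requiring \a secret whenever the credentials are present; the two public descriptions should state the same contract, e.g. `\a secret is the RADIUS shared secret used to hide User-Password and must be non-NULL whenever \a user_pw is. */`. The five new prototypes below open their comments with `/***`, which Doxygen by default does not treat as a documentation block, so `/**` is needed for them to appear in generated docs. `rs_packet_append_avp`'s comment refers to a parameter `\a tail` that its signature does not have, and `rs_packet_set_id` documents only the old identifier as its result without saying how an error (invalid \a pkt or out-of-range \a id) is reported.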
@@ -311,10 +387,203 @@ void rs_err_free(struct rs_error *err);
 char *rs_err_msg(struct rs_error *err);
 int rs_err_code(struct rs_error *err, int dofree_flag);
+/************/
+/* AVPs. */
+/************/
+#define rs_avp_is_string(vp) (rs_avp_typeof(vp) == RS_TYPE_STRING)
+#define rs_avp_is_integer(vp) (rs_avp_typeof(vp) == RS_TYPE_INTEGER)
+#define rs_avp_is_ipaddr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPADDR)
+#define rs_avp_is_date(vp) (rs_avp_typeof(vp) == RS_TYPE_DATE)
+#define rs_avp_is_octets(vp) (rs_avp_typeof(vp) == RS_TYPE_OCTETS)
+#define rs_avp_is_ifid(vp) (rs_avp_typeof(vp) == RS_TYPE_IFID)
+#define rs_avp_is_ipv6addr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6ADDR)
+#define rs_avp_is_ipv6prefix(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6PREFIX)
+#define rs_avp_is_byte(vp) (rs_avp_typeof(vp) == RS_TYPE_BYTE)
+#define rs_avp_is_short(vp) (rs_avp_typeof(vp) == RS_TYPE_SHORT)
+#define rs_avp_is_tlv(vp) (rs_avp_typeof(vp) == RS_TYPE_TLV)
+
+/** The maximum length of a RADIUS attribute.
+ *
+ * The RFCs require that a RADIUS attribute transport no more than
+ * 253 octets of data. We add an extra byte for a trailing NUL, so
+ * that the VALUE_PAIR::vp_strvalue field can be handled as a C
+ * string.
+ */
+#define RS_MAX_STRING_LEN 254
+
+/** Free the AVP list \a vps */
+void
+rs_avp_free(rs_avp **vps);
+
+/** Return the length of AVP \a vp in bytes */
+size_t
+rs_avp_length(rs_const_avp *vp);
+
+/** Return the type of \a vp */
+rs_attr_type_t
+rs_avp_typeof(rs_const_avp *vp);
+
+/** Retrieve the attribute and vendor ID of \a vp */
+void
+rs_avp_attrid(rs_const_avp *vp, unsigned int *attr, unsigned int *vendor);
+
+/** Add \a vp to the list pointed to by \a head */
+void
+rs_avp_append(rs_avp **head, rs_avp *vp);
+
+/** Find an AVP in \a vp that matches \a attr and \a vendor */
+rs_avp *
+rs_avp_find(rs_avp *vp, unsigned int attr, unsigned int vendor);
+
+/** Find an AVP in \a vp that matches \a attr and \a vendor */
+rs_const_avp *
+rs_avp_find_const(rs_const_avp *vp, unsigned int attr, unsigned int vendor);
+
+/** Alloc a new AVP for \a attr and \a vendor */
+rs_avp *
+rs_avp_alloc(unsigned int attr, unsigned int vendor);
+
+/** Duplicate existing AVP \a vp */
+rs_avp *
+rs_avp_dup(rs_const_avp *vp);
+
+/** Remove matching AVP from list \a vps */
+int
+rs_avp_delete(rs_avp **vps, unsigned int attr, unsigned int vendor);
+
+/** Return next AVP in list */
+rs_avp *
+rs_avp_next(rs_avp *vp);
+
+/** Return next AVP in list */
+rs_const_avp *
+rs_avp_next_const(rs_const_avp *avp);
+
+/** Return string value of \a vp */
+const char *
+rs_avp_string_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to string \a str */
+int
+rs_avp_string_set(rs_avp *vp, const char *str);
+
+/** Return integer value of \a vp */
+uint32_t
+rs_avp_integer_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to integer \a val */
+int
+rs_avp_integer_set(rs_avp *vp, uint32_t val);
+
+/** Return IPv4 value of \a vp */
+uint32_t
+rs_avp_ipaddr_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to IPv4 address \a in */
+int
+rs_avp_ipaddr_set(rs_avp *vp, struct in_addr in);
+
+/** Return POSIX time value of \a vp */
+time_t
+rs_avp_date_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to POSIX time \a date */
+int
+rs_avp_date_set(rs_avp *vp, time_t date);
+
+/** Return constant pointer to octets in \a vp */
+const unsigned char *
+rs_avp_octets_value_const_ptr(rs_const_avp *vp);
+
+/** Return pointer to octets in \a vp */
+unsigned char *
+rs_avp_octets_value_ptr(rs_avp *vp);
+
+/** Retrieve octet pointer \a p and length \a len from \a vp */
+int
+rs_avp_octets_value_byref(rs_avp *vp,
+ unsigned char **p,
+ size_t *len);
+
+/** Copy octets from \a vp into \a buf and \a len */
+int
+rs_avp_octets_value(rs_const_avp *vp,
+ unsigned char *buf,
+ size_t *len);
+
+/**
+ * Copy octets possibly fragmented across multiple VPs
+ * into \a buf and \a len
+ */
+int
+rs_avp_fragmented_value(rs_const_avp *vps,
+ unsigned char *buf,
+ size_t *len);
+
+/** Copy \a len octets in \a buf to AVP \a vp */
+int
+rs_avp_octets_set(rs_avp *vp,
+ const unsigned char *buf,
+ size_t len);
+
+/** Return IFID value of \a vp */
+int
+rs_avp_ifid_value(rs_const_avp *vp, uint8_t val[8]);
+
+int
+rs_avp_ifid_set(rs_avp *vp, const uint8_t val[8]);
+
+/** Return byte value of \a vp */
+uint8_t
+rs_avp_byte_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to byte \a val */
+int
+rs_avp_byte_set(rs_avp *vp, uint8_t val);
+
+/** Return short value of \a vp */
+uint16_t
+rs_avp_short_value(rs_const_avp *vp);
+
+/** Set AVP \a vp to short integer \a val */
+int
+rs_avp_short_set(rs_avp *vp, uint16_t val);
+
+/** Display possibly \a canonical attribute name into \a buffer */
+int
+rs_attr_display_name (unsigned int attr,
+ unsigned int vendor,
+ char *buffer,
+ size_t bufsize,
+ int canonical);
+
+/** Display AVP \a vp into \a buffer */
+size_t
+rs_avp_display_value(rs_const_avp *vp,
+ char *buffer,
+ size_t buflen);
+
+int
+rs_attr_parse_name (const char *name,
+ unsigned int *attr,
+ unsigned int *vendor);
+
+/** Lookup attribute \a name */
+int
+rs_attr_find(const char *name,
+ unsigned int *attr,
+ unsigned int *vendor);
+
+/** Return dictionary name for AVP \a vp */
+const char *
+rs_avp_name(rs_const_avp *vp);
+
 #if defined (__cplusplus)
 }
 #endif
+#endif /* _RADSEC_RADSEC_H_ */
+
 /* Local Variables: */
 /* c-file-style: "stroustrup" */
 /* End: */
diff --git a/lib/include/radsec/request-impl.h b/lib/include/radsec/request-impl.h
index 8bcac60..bb61dd6 100644
--- a/lib/include/radsec/request-impl.h
+++ b/lib/include/radsec/request-impl.h
@@ -1,4 +1,7 @@
-/* See the file COPYING for licensing information. */
+/* See LICENSE for licensing information. */
+
+#ifndef _RADSEC_REQUEST_IMPL_H_
+#define _RADSEC_REQUEST_IMPL_H_ 1
 #if defined (__cplusplus)
 extern "C" {
@@ -16,3 +19,5 @@ struct rs_request
 #if defined (__cplusplus)
 }
 #endif
+
+#endif /* _RADSEC_REQUEST_IMPL_H_ */
diff --git a/lib/include/radsec/request.h b/lib/include/radsec/request.h
index e914164..f0151f8 100644
--- a/lib/include/radsec/request.h
+++ b/lib/include/radsec/request.h
@@ -1,7 +1,10 @@
 /** \file request.h \brief Public interface for libradsec request's. */
-/* See the file COPYING for licensing information. */
+/* See LICENSE for licensing information. */
+
+#ifndef _RADSEC_REQUEST_H_
+#define _RADSEC_REQUEST_H_ 1
 struct rs_request;
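Review bot: `rs_avp_is_tlv` compares against `RS_TYPE_TLV`, which is not a member of the `rs_attr_type_t` enum added earlier in this file, so the macro fails to compile at its first use; either add `RS_TYPE_TLV` to the enum or drop the macro. The copying accessors `rs_avp_octets_value`, `rs_avp_fragmented_value` and `rs_avp_octets_value_byref` take `size_t *len` but their comments do not say whether `*len` is the capacity of \a buf on entry and the octets written on return, nor what is returned when the value does not fit, and that contract is what keeps a caller's buffer from being overrun, so it belongs in the comment, e.g. `/** Copy octets from \a vp into \a buf. On entry *len is the size of \a buf, on return the number of octets stored; see the return value for a too-small buffer. */` with the actual return value filled in from the implementation. `rs_avp_ifid_set` and `rs_attr_parse_name` have no comment at all, and the `RS_MAX_STRING_LEN` comment cites `VALUE_PAIR::vp_strvalue`, a FreeRADIUS type this header no longer exposes. The hunk starts on an earlier line of this page and runs through the closing `#endif`.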
@@ -17,13 +20,16 @@ int rs_request_create(struct rs_connection *conn, struct rs_request **req_out);
 void rs_request_add_reqpkt(struct rs_request *req, struct rs_packet *req_msg);
 /** Create a request associated with connection \a conn containing a
- newly created RADIUS authentication message, possibly with \a
- user_name and \a user_pw attributes. \a user_name and _user_pw
- are optional and can be NULL. */
+ newly created RADIUS authentication message, possibly with
+ \a user_name and \a user_pw attributes. \a user_name and \a user_pw
+ are optional and can be NULL. If \a user_name and \a user_pw are provided,
+ \a secret must also be provided. \a secret is used for "hiding" the
+ password. */
 int rs_request_create_authn(struct rs_connection *conn,
 struct rs_request **req_out,
 const char *user_name,
- const char *user_pw);
+ const char *user_pw,
+ const char *secret);
 /** Send request \a req and wait for a matching response. The response is put in \a resp_msg (if not NULL). NOTE: At present,
@@ -42,3 +48,5 @@ struct rs_packet *rs_request_get_reqmsg(const struct rs_request *req);
 #if defined (__cplusplus)
 }
 #endif
+
+#endif /* _RADSEC_REQUEST_H_ */
|
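Review bot: The new comment on `rs_request_create_authn` says \a secret "must also be provided" when \a user_name and \a user_pw are, but not which `rs_error_code` the call returns when it is missing, nor whether the string is copied into the request or must stay valid until the request is sent; for a shared secret the second point decides how long a caller has to keep it in memory. Adding a sentence such as `\a secret is not retained beyond this call.` or `\a secret must remain valid until rs_request_send returns.`, whichever the implementation does, and a `\return` line naming the error for a missing secret would complete the contract. The implementation is outside this header, so which of the two holds is not visible here.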