Commit 2e4e8b5f authored by venaas's avatar venaas Committed by venaas

rewriting code for hosts, ports, resolving and builds; still needs testing

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@462 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 67902f98
/*
* Copyright (C) 2008 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2008-2009 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -33,6 +33,7 @@
#ifdef RADPROT_DTLS
#include "debug.h"
#include "util.h"
#include "hostport.h"
static void setprotoopts(struct commonprotoopts *opts);
static char **getlistenerargs();
......@@ -99,8 +100,7 @@ struct dtlsservernewparams {
void dtlssetsrcres() {
if (!srcres)
srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL);
srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype);
}
int udp2bio(int s, struct gqueue *q, int cnt) {
......@@ -531,7 +531,8 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *
time_t elapsed;
X509 *cert;
SSL_CTX *ctx = NULL;
struct hostportres *hp;
debug(DBG_DBG, "dtlsconnect: called from %s", text);
pthread_mutex_lock(&server->lock);
if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
......@@ -541,6 +542,7 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *
return 1;
}
hp = (struct hostportres *)list_first(server->conf->hostports)->data;
for (;;) {
gettimeofday(&now, NULL);
elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
......@@ -566,14 +568,14 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *
sleep(60);
} else
server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", server->conf->host, server->conf->port);
debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", hp->host, hp->port);
SSL_free(server->ssl);
server->ssl = NULL;
ctx = tlsgetctx(handle, server->conf->tlsconf);
if (!ctx)
continue;
server->ssl = dtlsacccon(0, ctx, server->sock, server->conf->addrinfo->ai_addr, server->rbios);
server->ssl = dtlsacccon(0, ctx, server->sock, hp->addrinfo->ai_addr, server->rbios);
if (!server->ssl)
continue;
debug(DBG_DBG, "dtlsconnect: DTLS: ok");
......@@ -587,7 +589,7 @@ int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *
X509_free(cert);
}
X509_free(cert);
debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", server->conf->host, server->conf->port);
debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", hp->host, hp->port);
server->connectionok = 1;
gettimeofday(&server->lastconnecttry, NULL);
pthread_mutex_unlock(&server->lock);
......@@ -608,7 +610,7 @@ int clientradputdtls(struct server *server, unsigned char *rad) {
debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL));
return 0;
}
debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->host);
debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, len, conf->name);
return 1;
}
......@@ -665,12 +667,12 @@ void *dtlsclientrd(void *arg) {
}
void addserverextradtls(struct clsrvconf *conf) {
switch (conf->addrinfo->ai_family) {
switch (((struct hostportres *)list_first(conf->hostports)->data)->addrinfo->ai_family) {
case AF_INET:
if (client4_sock < 0) {
client4_sock = bindtoaddr(srcres, AF_INET, 0, 1);
if (client4_sock < 0)
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host);
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
}
conf->servers->sock = client4_sock;
break;
......@@ -678,7 +680,7 @@ void addserverextradtls(struct clsrvconf *conf) {
if (client6_sock < 0) {
client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1);
if (client6_sock < 0)
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host);
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
}
conf->servers->sock = client6_sock;
break;
......
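Review bot: In dtlsconnect the new line `hp = (struct hostportres *)list_first(server->conf->hostports)->data;` dereferences the result of list_first() without a NULL check, so a server whose hostports list ended up empty would crash here; addserverextradtls at the bottom of this section repeats the same unchecked pattern. I would split it into `entry = list_first(server->conf->hostports);` followed by `if (!entry) { debug(DBG_ERR, "dtlsconnect: no hostport for server %s", server->conf->name); pthread_mutex_unlock(&server->lock); return failure; }` (using whatever value the function's other failure path returns, which is outside the hunk). Unlike the TCP/TLS paths, which now walk the whole list through connecttcphostlist, DTLS only ever uses the first entry; if that is intentional for now a one-line comment such as `/* DTLS only uses the first configured hostport; no fallback yet */` would stop readers assuming the other entries are tried. dtlsconnect's body starts and ends outside the visible hunks.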
......@@ -264,3 +264,20 @@ int addressmatches(struct list *hostports, struct sockaddr *addr) {
}
return 0;
}
int connecttcphostlist(struct list *hostports, struct addrinfo *src) {
int s;
struct list_node *entry;
struct hostportres *hp = NULL;
for (entry = list_first(hostports); entry; entry = list_next(entry)) {
hp = (struct hostportres *)entry->data;
debug(DBG_WARN, "connecttcphostlist: trying to open TCP connection to %s port %s", hp->host, hp->port);
if ((s = connecttcp(hp->addrinfo, src)) >= 0) {
debug(DBG_WARN, "connecttcphostlist: TCP connection to %s port %s up", hp->host, hp->port);
return s;
}
}
debug(DBG_ERR, "connecttcphostlist: failed");
return -1;
}
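Review bot: connecttcphostlist has no header comment and logs nothing when an individual host fails, so the only trace of a failed entry is the next "trying to open" line for the following host, which makes fallback behaviour hard to reconstruct from logs. I would add `/* Try each entry of hostports in order; return the connected socket (the caller owns it and closes it) or -1 if none could be reached. */` above the function, and inside the loop, after the failed connecttcp, `debug(DBG_WARN, "connecttcphostlist: TCP connection to %s port %s failed", hp->host, hp->port);`. The `hp = NULL` initialiser is then still harmless but unnecessary, since hp is assigned before every use.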
......@@ -18,3 +18,4 @@ void freehostports(struct list *hostports);
int resolvehostports(struct list *hostports, int socktype);
struct addrinfo *resolvepassiveaddrinfo(char *hostport, char *default_port, int socktype);
int addressmatches(struct list *hostports, struct sockaddr *addr);
int connecttcphostlist(struct list *hostports, struct addrinfo *src);
/*
* Copyright (C) 2008 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2008-2009 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -25,6 +25,7 @@
#include <regex.h>
#include <pthread.h>
#include "list.h"
#include "hostport.h"
#include "radsecproxy.h"
#ifdef RADPROT_TCP
......@@ -78,9 +79,9 @@ static char **getlistenerargs() {
void tcpsetsrcres() {
if (!srcres)
srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL);
srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype);
}
int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text) {
struct timeval now;
time_t elapsed;
......@@ -117,14 +118,12 @@ int tcpconnect(struct server *server, struct timeval *when, int timeout, char *t
sleep(60);
} else
server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
debug(DBG_WARN, "tcpconnect: trying to open TCP connection to %s port %s", server->conf->host, server->conf->port);
if (server->sock >= 0)
close(server->sock);
if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) >= 0)
if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) >= 0)
break;
debug(DBG_ERR, "tcpconnect: connecttcp failed");
}
debug(DBG_WARN, "tcpconnect: TCP connection to %s port %s up", server->conf->host, server->conf->port);
server->connectionok = 1;
gettimeofday(&server->lastconnecttry, NULL);
pthread_mutex_unlock(&server->lock);
......@@ -210,7 +209,7 @@ int clientradputtcp(struct server *server, unsigned char *rad) {
debug(DBG_ERR, "clientradputtcp: write error");
return 0;
}
debug(DBG_DBG, "clientradputtcp: Sent %d bytes, Radius packet of length %d to TCP peer %s", cnt, len, conf->host);
debug(DBG_DBG, "clientradputtcp: Sent %d bytes, Radius packet of length %d to TCP peer %s", cnt, len, conf->name);
return 1;
}
......
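Review bot: The surviving line `debug(DBG_ERR, "tcpconnect: connecttcp failed");` now names a function that tcpconnect no longer calls and duplicates the "connecttcphostlist: failed" message already emitted inside connecttcphostlist on the same path. Either drop the line or make it accurate, `debug(DBG_ERR, "tcpconnect: connecttcphostlist failed");`, so the two messages read as one chain. Note also that with the "connection ... up" message removed from tcpconnect, the only record of which host actually answered is the per-host log inside connecttcphostlist; tcpconnect itself no longer knows. The body of tcpconnect starts and ends outside the visible hunks.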
/*
* Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -27,6 +27,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "list.h"
#include "hostport.h"
#include "radsecproxy.h"
#ifdef RADPROT_TLS
......@@ -82,8 +83,7 @@ static char **getlistenerargs() {
void tlssetsrcres() {
if (!srcres)
srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL);
srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype);
}
int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
......@@ -127,13 +127,11 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
sleep(60);
} else
server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */
debug(DBG_WARN, "tlsconnect: trying to open TLS connection to %s port %s", server->conf->host, server->conf->port);
if (server->sock >= 0)
close(server->sock);
if ((server->sock = connecttcp(server->conf->addrinfo, srcres)) < 0) {
debug(DBG_ERR, "tlsconnect: connecttcp failed");
if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0)
continue;
}
SSL_free(server->ssl);
server->ssl = NULL;
......@@ -159,7 +157,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t
}
X509_free(cert);
}
debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port);
debug(DBG_WARN, "tlsconnect: TLS connection to %s up", server->conf->name);
server->connectionok = 1;
gettimeofday(&server->lastconnecttry, NULL);
pthread_mutex_unlock(&server->lock);
......@@ -260,7 +258,7 @@ int clientradputtls(struct server *server, unsigned char *rad) {
return 0;
}
debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host);
debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->name);
return 1;
}
......
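Review bot: After `server->sock = connecttcphostlist(server->conf->hostports, srcres)` succeeds, tlsconnect has no way to know which entry of the list it is now connected to, which is why the final message had to be weakened to `"tlsconnect: TLS connection to %s up", server->conf->name`. Anything after the handshake that needs the peer's configured host, such as a certificate name check, presumably has to fall back to matching against every entry in the list rather than the one actually reached; that part is outside the hunk, so I am inferring it. I would consider giving connecttcphostlist an out-parameter, e.g. `int connecttcphostlist(struct list *hostports, struct addrinfo *src, struct hostportres **connected);`, so tlsconnect can both log the real host and port and verify against that entry only. tlsconnect's body starts and ends outside the visible hunks.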
/*
* Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -35,6 +35,7 @@
#include "list.h"
#include "hash.h"
#include "util.h"
#include "hostport.h"
#include "radsecproxy.h"
static struct hash *tlsconfs = NULL;
......@@ -461,31 +462,52 @@ static int cnregexp(X509 *cert, char *exact, regex_t *regex) {
return 0;
}
int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
/* this is a bit sloppy, should not always accept match to any */
int certnamecheck(X509 *cert, struct list *hostports) {
struct list_node *entry;
struct hostportres *hp;
int r;
uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */
struct in6_addr addr;
if (conf->certnamecheck && conf->prefixlen == 255) {
if (inet_pton(AF_INET, conf->host, &addr))
for (entry = list_first(hostports); entry; entry = list_next(entry)) {
hp = (struct hostportres *)entry->data;
if (hp->prefixlen != 255) {
/* we disable the check for prefixes */
return 1;
}
if (inet_pton(AF_INET, hp->host, &addr))
type = AF_INET;
else if (inet_pton(AF_INET6, conf->host, &addr))
else if (inet_pton(AF_INET6, hp->host, &addr))
type = AF_INET6;
else
type = 0;
r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, hp->host, NULL);
if (r) {
if (r < 0) {
debug(DBG_WARN, "verifyconfcert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
return 0;
if (r > 0) {
debug(DBG_DBG, "certnamecheck: Found subjectaltname matching %s %s", type ? "address" : "host", hp->host);
return 1;
}
debug(DBG_DBG, "verifyconfcert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
debug(DBG_WARN, "certnamecheck: No subjectaltname matching %s %s", type ? "address" : "host", hp->host);
} else {
if (!cnregexp(cert, conf->host, NULL)) {
debug(DBG_WARN, "verifyconfcert: cn not matching host %s", conf->host);
return 0;
}
debug(DBG_DBG, "verifyconfcert: Found cn matching host %s", conf->host);
if (cnregexp(cert, hp->host, NULL)) {
debug(DBG_DBG, "certnamecheck: Found cn matching host %s", hp->host);
return 1;
}
debug(DBG_WARN, "certnamecheck: cn not matching host %s", hp->host);
}
}
return 0;
}
int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
if (conf->certnamecheck) {
if (!certnamecheck(cert, conf->hostports)) {
debug(DBG_WARN, "verifyconfcert: certificate name check failed");
return 0;
}
debug(DBG_WARN, "verifyconfcert: certificate name check ok");
}
if (conf->certcnregex) {
if (cnregexp(cert, NULL, conf->certcnregex) < 1) {
......
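Review bot: In certnamecheck the branch `if (hp->prefixlen != 255) { return 1; }` disables the whole name check as soon as any single entry in hostports is a prefix, so a list mixing one prefix with several hostnames accepts any certificate without matching the hostnames at all; the old code only skipped the check for a configuration that was itself a prefix. The prefix entry should be skipped, not treated as a pass, with the "no host entries at all" case still returning 1 as before. The author's own comment that accepting a match to any entry is sloppy is correct too, but fixing that needs the caller to know which host it connected to, which this hunk does not provide. Separately, verifyconfcert logs `"verifyconfcert: certificate name check ok"` at DBG_WARN for every successful check; the old code reported success at DBG_DBG and I would keep it there.
```c
int certnamecheck(X509 *cert, struct list *hostports) {
    struct list_node *entry;
    struct hostportres *hp;
    int r, seen_prefix = 0, seen_host = 0;
    /* … unchanged: type and addr declarations … */
    for (entry = list_first(hostports); entry; entry = list_next(entry)) {
        hp = (struct hostportres *)entry->data;
        if (hp->prefixlen != 255) {
            /* prefixes carry no name to check; skip this entry but keep checking the others */
            seen_prefix = 1;
            continue;
        }
        seen_host = 1;
        /* … unchanged: subjectaltname and cn matching, returning 1 on a match … */
    }
    /* no matching host entry; only a list made purely of prefixes is accepted unchecked */
    return seen_prefix && !seen_host;
}
```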
/*
* Copyright (C) 2006-2008 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......@@ -25,6 +25,7 @@
#include <regex.h>
#include <pthread.h>
#include "list.h"
#include "hostport.h"
#include "radsecproxy.h"
#ifdef RADPROT_UDP
......@@ -85,7 +86,7 @@ static char **getlistenerargs() {
void udpsetsrcres() {
if (!srcres)
srcres = resolve_hostport_addrinfo(handle, protoopts ? protoopts->sourcearg : NULL);
srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, NULL, protodefs.socktype);
}
void removeudpclientfromreplyq(struct client *c) {
......@@ -243,10 +244,12 @@ unsigned char *radudpget(int s, struct client **client, struct server **server,
int clientradputudp(struct server *server, unsigned char *rad) {
size_t len;
struct clsrvconf *conf = server->conf;
struct addrinfo *ai;
len = RADLEN(rad);
if (sendto(server->sock, rad, len, 0, conf->addrinfo->ai_addr, conf->addrinfo->ai_addrlen) >= 0) {
debug(DBG_DBG, "clienradputudp: sent UDP of length %d to %s port %d", len, conf->host, port_get(conf->addrinfo->ai_addr));
ai = ((struct hostportres *)list_first(conf->hostports)->data)->addrinfo;
if (sendto(server->sock, rad, len, 0, ai->ai_addr, ai->ai_addrlen) >= 0) {
debug(DBG_DBG, "clienradputudp: sent UDP of length %d to %s port %d", len, addr2string(ai->ai_addr), port_get(ai->ai_addr));
return 1;
}
......@@ -315,12 +318,12 @@ void addclientudp(struct client *client) {
}
void addserverextraudp(struct clsrvconf *conf) {
switch (conf->addrinfo->ai_family) {
switch (((struct hostportres *)list_first(conf->hostports)->data)->addrinfo->ai_family) {
case AF_INET:
if (client4_sock < 0) {
client4_sock = bindtoaddr(srcres, AF_INET, 0, 1);
if (client4_sock < 0)
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host);
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
}
conf->servers->sock = client4_sock;
break;
......@@ -328,7 +331,7 @@ void addserverextraudp(struct clsrvconf *conf) {
if (client6_sock < 0) {
client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1);
if (client6_sock < 0)
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->host);
debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
}
conf->servers->sock = client6_sock;
break;
......
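Review bot: In clientradputudp the new line `ai = ((struct hostportres *)list_first(conf->hostports)->data)->addrinfo;` dereferences list_first() without a NULL check, so an empty hostports list crashes the send path instead of failing the packet; addserverextraudp further down does the same in its switch expression. I would write `entry = list_first(conf->hostports);` then `if (!entry) { debug(DBG_ERR, "clientradputudp: no hostport for server %s", conf->name); return 0; }` before taking `->data`. It is also worth a comment that UDP only ever sends to the first entry, since the TCP/TLS paths now iterate the list and a reader may assume the same here; I cannot tell from this hunk whether `addr2string` is declared in a header this file includes, so please confirm it builds.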