From 3d954bfd2f658ac05a0f20a1241738ed3e3fdd28 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Wed, 5 Feb 2014 11:10:02 +0100 Subject: Move lib to the root. --- .gitignore | 17 + CHANGES | 17 + Doxyfile | 1630 ++++++++++++++++++++++++++++++++ HACKING | 91 ++ LICENSE | 33 + Makefile.am | 72 ++ README | 51 +- autogen.sh | 14 + avp.c | 540 +++++++++++ compat.c | 22 + compat.h | 5 + conf.c | 255 +++++ configure.ac | 68 ++ conn.c | 335 +++++++ conn.h | 7 + debug.c | 46 + debug.h | 27 + err.c | 276 ++++++ err.h | 9 + event.c | 300 ++++++ event.h | 12 + examples/Makefile.am | 8 + examples/blocking.c | 71 ++ examples/blocking.h | 4 + examples/client-blocking.c | 127 +++ examples/client-psk.conf | 18 + examples/client.conf | 24 + include/Makefile.am | 12 + include/radsec/.gitignore | 1 + include/radsec/radsec-impl.h | 156 +++ include/radsec/radsec.h | 607 ++++++++++++ include/radsec/request-impl.h | 24 + include/radsec/request.h | 50 + lib/.gitignore | 17 - lib/CHANGES | 17 - lib/Doxyfile | 1630 -------------------------------- lib/HACKING | 91 -- lib/LICENSE | 33 - lib/Makefile.am | 72 -- lib/README | 48 - lib/autogen.sh | 14 - lib/avp.c | 540 ----------- lib/compat.c | 22 - lib/compat.h | 5 - lib/conf.c | 255 ----- lib/configure.ac | 68 -- lib/conn.c | 335 ------- lib/conn.h | 7 - lib/debug.c | 46 - lib/debug.h | 27 - lib/err.c | 276 ------ lib/err.h | 9 - lib/event.c | 300 ------ lib/event.h | 12 - lib/examples/Makefile.am | 8 - lib/examples/blocking.c | 71 -- lib/examples/blocking.h | 4 - lib/examples/client-blocking.c | 127 --- lib/examples/client-psk.conf | 18 - lib/examples/client.conf | 24 - lib/include/Makefile.am | 12 - lib/include/radsec/.gitignore | 1 - lib/include/radsec/radsec-impl.h | 156 --- lib/include/radsec/radsec.h | 607 ------------ lib/include/radsec/request-impl.h | 24 - lib/include/radsec/request.h | 50 - lib/libradsec.spec.in | 77 -- lib/md5.c | 295 ------ lib/md5.h | 45 - lib/packet.c | 294 ------ lib/packet.h | 7 - lib/peer.c | 113 --- lib/peer.h | 5 - lib/radius/.gitignore | 1 - lib/radius/LICENSE | 24 - lib/radius/Makefile.am | 42 - lib/radius/attrs.c | 1411 --------------------------- lib/radius/client.h | 1302 ------------------------- lib/radius/common.pl | 220 ----- lib/radius/convert.pl | 197 ---- lib/radius/crypto.c | 233 ----- lib/radius/custom.c | 163 ---- lib/radius/dict.c | 172 ---- lib/radius/doc.txt | 41 - lib/radius/doxygen.conf | 1417 --------------------------- lib/radius/examples/Makefile | 54 -- lib/radius/examples/example_1.c | 86 -- lib/radius/examples/example_2.c | 86 -- lib/radius/examples/example_3.c | 123 --- lib/radius/examples/example_4.c | 94 -- lib/radius/examples/nr_vp_create.c | 61 -- lib/radius/header.pl | 68 -- lib/radius/id.c | 181 ---- lib/radius/parse.c | 149 --- lib/radius/print.c | 227 ----- lib/radius/radpkt.c | 920 ------------------ lib/radius/share/dictionary.abfab.ietf | 4 - lib/radius/share/dictionary.juniper | 23 - lib/radius/share/dictionary.microsoft | 17 - lib/radius/share/dictionary.txt | 136 --- lib/radius/share/dictionary.ukerna | 20 - lib/radius/share/dictionary.vendor | 10 - lib/radius/static.c | 37 - lib/radius/tests/Makefile | 25 - lib/radius/tests/radattr.c | 769 --------------- lib/radius/tests/rfc.txt | 144 --- lib/radius/valuepair.c | 191 ---- lib/radsec.c | 141 --- lib/radsec.h | 7 - lib/radsec.sym | 86 -- lib/radsecproxy/Makefile.am | 23 - lib/radsecproxy/debug.c | 213 ----- lib/radsecproxy/debug.h | 36 - lib/radsecproxy/gconfig.h | 32 - lib/radsecproxy/hash.c | 131 --- lib/radsecproxy/hash.h | 51 - lib/radsecproxy/hostport_types.h | 6 - lib/radsecproxy/list.c | 122 --- lib/radsecproxy/list.h | 54 -- lib/radsecproxy/radmsg.h | 40 - lib/radsecproxy/radsecproxy.h | 216 ----- lib/radsecproxy/tlscommon.c | 455 --------- lib/radsecproxy/tlscommon.h | 42 - lib/radsecproxy/tlv11.h | 23 - lib/radsecproxy/util.c | 256 ----- lib/radsecproxy/util.h | 35 - lib/request.c | 158 ---- lib/send.c | 138 --- lib/tcp.c | 274 ------ lib/tcp.h | 7 - lib/tests/Makefile.am | 12 - lib/tests/README | 39 - lib/tests/demoCA/index.txt | 3 - lib/tests/demoCA/index.txt.attr | 1 - lib/tests/demoCA/newcerts/01.pem | 46 - lib/tests/demoCA/newcerts/02.pem | 49 - lib/tests/demoCA/newcerts/03.pem | 49 - lib/tests/demoCA/private/cakey.pem | 9 - lib/tests/demoCA/private/cli1.key | 9 - lib/tests/demoCA/private/srv1.key | 9 - lib/tests/demoCA/serial | 1 - lib/tests/test-udp.c | 153 --- lib/tests/test.conf | 30 - lib/tests/udp-server.c | 35 - lib/tests/udp.c | 141 --- lib/tests/udp.h | 20 - lib/tls.c | 372 -------- lib/tls.h | 23 - lib/udp.c | 177 ---- lib/udp.h | 5 - lib/util.c | 25 - lib/util.h | 4 - libradsec.spec.in | 77 ++ md5.c | 295 ++++++ md5.h | 45 + packet.c | 294 ++++++ packet.h | 7 + peer.c | 113 +++ peer.h | 5 + radius/.gitignore | 1 + radius/LICENSE | 24 + radius/Makefile.am | 42 + radius/attrs.c | 1411 +++++++++++++++++++++++++++ radius/client.h | 1302 +++++++++++++++++++++++++ radius/common.pl | 220 +++++ radius/convert.pl | 197 ++++ radius/crypto.c | 233 +++++ radius/custom.c | 163 ++++ radius/dict.c | 172 ++++ radius/doc.txt | 41 + radius/doxygen.conf | 1417 +++++++++++++++++++++++++++ radius/examples/Makefile | 54 ++ radius/examples/example_1.c | 86 ++ radius/examples/example_2.c | 86 ++ radius/examples/example_3.c | 123 +++ radius/examples/example_4.c | 94 ++ radius/examples/nr_vp_create.c | 61 ++ radius/header.pl | 68 ++ radius/id.c | 181 ++++ radius/parse.c | 149 +++ radius/print.c | 227 +++++ radius/radpkt.c | 920 ++++++++++++++++++ radius/share/dictionary.abfab.ietf | 4 + radius/share/dictionary.juniper | 23 + radius/share/dictionary.microsoft | 17 + radius/share/dictionary.txt | 136 +++ radius/share/dictionary.ukerna | 20 + radius/share/dictionary.vendor | 10 + radius/static.c | 37 + radius/tests/Makefile | 25 + radius/tests/radattr.c | 769 +++++++++++++++ radius/tests/rfc.txt | 144 +++ radius/valuepair.c | 191 ++++ radsec.c | 141 +++ radsec.h | 7 + radsec.sym | 86 ++ radsecproxy/Makefile.am | 23 + radsecproxy/debug.c | 213 +++++ radsecproxy/debug.h | 36 + radsecproxy/gconfig.h | 32 + radsecproxy/hash.c | 131 +++ radsecproxy/hash.h | 51 + radsecproxy/hostport_types.h | 6 + radsecproxy/list.c | 122 +++ radsecproxy/list.h | 54 ++ radsecproxy/radmsg.h | 40 + radsecproxy/radsecproxy.h | 216 +++++ radsecproxy/tlscommon.c | 455 +++++++++ radsecproxy/tlscommon.h | 42 + radsecproxy/tlv11.h | 23 + radsecproxy/util.c | 256 +++++ radsecproxy/util.h | 35 + request.c | 158 ++++ send.c | 138 +++ tcp.c | 274 ++++++ tcp.h | 7 + tests/Makefile.am | 12 + tests/README | 39 + tests/demoCA/index.txt | 3 + tests/demoCA/index.txt.attr | 1 + tests/demoCA/newcerts/01.pem | 46 + tests/demoCA/newcerts/02.pem | 49 + tests/demoCA/newcerts/03.pem | 49 + tests/demoCA/private/cakey.pem | 9 + tests/demoCA/private/cli1.key | 9 + tests/demoCA/private/srv1.key | 9 + tests/demoCA/serial | 1 + tests/test-udp.c | 153 +++ tests/test.conf | 30 + tests/udp-server.c | 35 + tests/udp.c | 141 +++ tests/udp.h | 20 + tls.c | 372 ++++++++ tls.h | 23 + udp.c | 177 ++++ udp.h | 5 + util.c | 25 + util.h | 4 + 238 files changed, 18166 insertions(+), 18173 deletions(-) create mode 100644 .gitignore create mode 100644 CHANGES create mode 100644 Doxyfile create mode 100644 HACKING create mode 100644 LICENSE create mode 100644 Makefile.am create mode 100644 autogen.sh create mode 100644 avp.c create mode 100644 compat.c create mode 100644 compat.h create mode 100644 conf.c create mode 100644 configure.ac create mode 100644 conn.c create mode 100644 conn.h create mode 100644 debug.c create mode 100644 debug.h create mode 100644 err.c create mode 100644 err.h create mode 100644 event.c create mode 100644 event.h create mode 100644 examples/Makefile.am create mode 100644 examples/blocking.c create mode 100644 examples/blocking.h create mode 100644 examples/client-blocking.c create mode 100644 examples/client-psk.conf create mode 100644 examples/client.conf create mode 100644 include/Makefile.am create mode 100644 include/radsec/.gitignore create mode 100644 include/radsec/radsec-impl.h create mode 100644 include/radsec/radsec.h create mode 100644 include/radsec/request-impl.h create mode 100644 include/radsec/request.h delete mode 100644 lib/.gitignore delete mode 100644 lib/CHANGES delete mode 100644 lib/Doxyfile delete mode 100644 lib/HACKING delete mode 100644 lib/LICENSE delete mode 100644 lib/Makefile.am delete mode 100644 lib/README delete mode 100644 lib/autogen.sh delete mode 100644 lib/avp.c delete mode 100644 lib/compat.c delete mode 100644 lib/compat.h delete mode 100644 lib/conf.c delete mode 100644 lib/configure.ac delete mode 100644 lib/conn.c delete mode 100644 lib/conn.h delete mode 100644 lib/debug.c delete mode 100644 lib/debug.h delete mode 100644 lib/err.c delete mode 100644 lib/err.h delete mode 100644 lib/event.c delete mode 100644 lib/event.h delete mode 100644 lib/examples/Makefile.am delete mode 100644 lib/examples/blocking.c delete mode 100644 lib/examples/blocking.h delete mode 100644 lib/examples/client-blocking.c delete mode 100644 lib/examples/client-psk.conf delete mode 100644 lib/examples/client.conf delete mode 100644 lib/include/Makefile.am delete mode 100644 lib/include/radsec/.gitignore delete mode 100644 lib/include/radsec/radsec-impl.h delete mode 100644 lib/include/radsec/radsec.h delete mode 100644 lib/include/radsec/request-impl.h delete mode 100644 lib/include/radsec/request.h delete mode 100644 lib/libradsec.spec.in delete mode 100644 lib/md5.c delete mode 100644 lib/md5.h delete mode 100644 lib/packet.c delete mode 100644 lib/packet.h delete mode 100644 lib/peer.c delete mode 100644 lib/peer.h delete mode 100644 lib/radius/.gitignore delete mode 100644 lib/radius/LICENSE delete mode 100644 lib/radius/Makefile.am delete mode 100644 lib/radius/attrs.c delete mode 100644 lib/radius/client.h delete mode 100644 lib/radius/common.pl delete mode 100755 lib/radius/convert.pl delete mode 100644 lib/radius/crypto.c delete mode 100644 lib/radius/custom.c delete mode 100644 lib/radius/dict.c delete mode 100644 lib/radius/doc.txt delete mode 100644 lib/radius/doxygen.conf delete mode 100644 lib/radius/examples/Makefile delete mode 100644 lib/radius/examples/example_1.c delete mode 100644 lib/radius/examples/example_2.c delete mode 100644 lib/radius/examples/example_3.c delete mode 100644 lib/radius/examples/example_4.c delete mode 100644 lib/radius/examples/nr_vp_create.c delete mode 100755 lib/radius/header.pl delete mode 100644 lib/radius/id.c delete mode 100644 lib/radius/parse.c delete mode 100644 lib/radius/print.c delete mode 100644 lib/radius/radpkt.c delete mode 100644 lib/radius/share/dictionary.abfab.ietf delete mode 100644 lib/radius/share/dictionary.juniper delete mode 100644 lib/radius/share/dictionary.microsoft delete mode 100644 lib/radius/share/dictionary.txt delete mode 100644 lib/radius/share/dictionary.ukerna delete mode 100644 lib/radius/share/dictionary.vendor delete mode 100644 lib/radius/static.c delete mode 100644 lib/radius/tests/Makefile delete mode 100644 lib/radius/tests/radattr.c delete mode 100644 lib/radius/tests/rfc.txt delete mode 100644 lib/radius/valuepair.c delete mode 100644 lib/radsec.c delete mode 100644 lib/radsec.h delete mode 100644 lib/radsec.sym delete mode 100644 lib/radsecproxy/Makefile.am delete mode 100644 lib/radsecproxy/debug.c delete mode 100644 lib/radsecproxy/debug.h delete mode 100644 lib/radsecproxy/gconfig.h delete mode 100644 lib/radsecproxy/hash.c delete mode 100644 lib/radsecproxy/hash.h delete mode 100644 lib/radsecproxy/hostport_types.h delete mode 100644 lib/radsecproxy/list.c delete mode 100644 lib/radsecproxy/list.h delete mode 100644 lib/radsecproxy/radmsg.h delete mode 100644 lib/radsecproxy/radsecproxy.h delete mode 100644 lib/radsecproxy/tlscommon.c delete mode 100644 lib/radsecproxy/tlscommon.h delete mode 100644 lib/radsecproxy/tlv11.h delete mode 100644 lib/radsecproxy/util.c delete mode 100644 lib/radsecproxy/util.h delete mode 100644 lib/request.c delete mode 100644 lib/send.c delete mode 100644 lib/tcp.c delete mode 100644 lib/tcp.h delete mode 100644 lib/tests/Makefile.am delete mode 100644 lib/tests/README delete mode 100644 lib/tests/demoCA/index.txt delete mode 100644 lib/tests/demoCA/index.txt.attr delete mode 100644 lib/tests/demoCA/newcerts/01.pem delete mode 100644 lib/tests/demoCA/newcerts/02.pem delete mode 100644 lib/tests/demoCA/newcerts/03.pem delete mode 100644 lib/tests/demoCA/private/cakey.pem delete mode 100644 lib/tests/demoCA/private/cli1.key delete mode 100644 lib/tests/demoCA/private/srv1.key delete mode 100644 lib/tests/demoCA/serial delete mode 100644 lib/tests/test-udp.c delete mode 100644 lib/tests/test.conf delete mode 100644 lib/tests/udp-server.c delete mode 100644 lib/tests/udp.c delete mode 100644 lib/tests/udp.h delete mode 100644 lib/tls.c delete mode 100644 lib/tls.h delete mode 100644 lib/udp.c delete mode 100644 lib/udp.h delete mode 100644 lib/util.c delete mode 100644 lib/util.h create mode 100644 libradsec.spec.in create mode 100644 md5.c create mode 100644 md5.h create mode 100644 packet.c create mode 100644 packet.h create mode 100644 peer.c create mode 100644 peer.h create mode 100644 radius/.gitignore create mode 100644 radius/LICENSE create mode 100644 radius/Makefile.am create mode 100644 radius/attrs.c create mode 100644 radius/client.h create mode 100644 radius/common.pl create mode 100755 radius/convert.pl create mode 100644 radius/crypto.c create mode 100644 radius/custom.c create mode 100644 radius/dict.c create mode 100644 radius/doc.txt create mode 100644 radius/doxygen.conf create mode 100644 radius/examples/Makefile create mode 100644 radius/examples/example_1.c create mode 100644 radius/examples/example_2.c create mode 100644 radius/examples/example_3.c create mode 100644 radius/examples/example_4.c create mode 100644 radius/examples/nr_vp_create.c create mode 100755 radius/header.pl create mode 100644 radius/id.c create mode 100644 radius/parse.c create mode 100644 radius/print.c create mode 100644 radius/radpkt.c create mode 100644 radius/share/dictionary.abfab.ietf create mode 100644 radius/share/dictionary.juniper create mode 100644 radius/share/dictionary.microsoft create mode 100644 radius/share/dictionary.txt create mode 100644 radius/share/dictionary.ukerna create mode 100644 radius/share/dictionary.vendor create mode 100644 radius/static.c create mode 100644 radius/tests/Makefile create mode 100644 radius/tests/radattr.c create mode 100644 radius/tests/rfc.txt create mode 100644 radius/valuepair.c create mode 100644 radsec.c create mode 100644 radsec.h create mode 100644 radsec.sym create mode 100644 radsecproxy/Makefile.am create mode 100644 radsecproxy/debug.c create mode 100644 radsecproxy/debug.h create mode 100644 radsecproxy/gconfig.h create mode 100644 radsecproxy/hash.c create mode 100644 radsecproxy/hash.h create mode 100644 radsecproxy/hostport_types.h create mode 100644 radsecproxy/list.c create mode 100644 radsecproxy/list.h create mode 100644 radsecproxy/radmsg.h create mode 100644 radsecproxy/radsecproxy.h create mode 100644 radsecproxy/tlscommon.c create mode 100644 radsecproxy/tlscommon.h create mode 100644 radsecproxy/tlv11.h create mode 100644 radsecproxy/util.c create mode 100644 radsecproxy/util.h create mode 100644 request.c create mode 100644 send.c create mode 100644 tcp.c create mode 100644 tcp.h create mode 100644 tests/Makefile.am create mode 100644 tests/README create mode 100644 tests/demoCA/index.txt create mode 100644 tests/demoCA/index.txt.attr create mode 100644 tests/demoCA/newcerts/01.pem create mode 100644 tests/demoCA/newcerts/02.pem create mode 100644 tests/demoCA/newcerts/03.pem create mode 100644 tests/demoCA/private/cakey.pem create mode 100644 tests/demoCA/private/cli1.key create mode 100644 tests/demoCA/private/srv1.key create mode 100644 tests/demoCA/serial create mode 100644 tests/test-udp.c create mode 100644 tests/test.conf create mode 100644 tests/udp-server.c create mode 100644 tests/udp.c create mode 100644 tests/udp.h create mode 100644 tls.c create mode 100644 tls.h create mode 100644 udp.c create mode 100644 udp.h create mode 100644 util.c create mode 100644 util.h diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..97aee05 --- /dev/null +++ b/.gitignore @@ -0,0 +1,17 @@ +*.*~* +TAGS +*.o +.deps +.libs +autom4te.cache +config.log +config.h* +config.status +configure +aclocal.m4 +*.lo +*.la +Makefile.in +Makefile +stamp-h1 +libtool diff --git a/CHANGES b/CHANGES new file mode 100644 index 0000000..928dfbe --- /dev/null +++ b/CHANGES @@ -0,0 +1,17 @@ +Changes between 0.0.4 and 0.0.5 + + - When POSIX thread support is detected at configure and build time + libradsec will be more safe to use by programs that call it from + more than one thread simultaneously. + + - The initialisation of the OpenSSL PRNG has been improved. + +User visible changes between 0.0.1 and 0.0.4 + + - TLS support is now enabled by default. Use --disable-tls to + disable it. + + - Support for TLS-PSK has been added (--enable-tls-psk). + + - The RADIUS dictionaries are now compiled into the library and are + no longer read from disk. diff --git a/Doxyfile b/Doxyfile new file mode 100644 index 0000000..9c79d20 --- /dev/null +++ b/Doxyfile @@ -0,0 +1,1630 @@ +# Doxyfile 1.7.1 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = libradsec + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = doxy + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = NO + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = NO + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# Doxygen selects the parser to use depending on the extension of the files it +# parses. With this tag you can assign which parser to use for a given extension. +# Doxygen has a built-in mapping, but you can override or extend it using this +# tag. The format is ext=language, where ext is a file extension, and language +# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C, +# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make +# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C +# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions +# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. + +EXTENSION_MAPPING = + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate getter +# and setter methods for a property. Setting this option to YES (the default) +# will make doxygen to replace the get and set methods by a property in the +# documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. + +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. +# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penality. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will rougly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols + +SYMBOL_CACHE_SIZE = 0 + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = NO + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = YES + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = NO + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = NO + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen +# will list include files with double quotes in the documentation +# rather than with sharp brackets. + +FORCE_LOCAL_INCLUDES = NO + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen +# will sort the (brief and detailed) documentation of class members so that +# constructors and destructors are listed first. If set to NO (the default) +# the constructors will appear in the respective orders defined by +# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. +# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO +# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. + +SORT_MEMBERS_CTORS_1ST = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# Set the SHOW_FILES tag to NO to disable the generation of the Files page. +# This will remove the Files entry from the Quick Index and from the +# Folder Tree View (if specified). The default is YES. + +SHOW_FILES = YES + +# Set the SHOW_NAMESPACES tag to NO to disable the generation of the +# Namespaces page. +# This will remove the Namespaces entry from the Quick Index +# and from the Folder Tree View (if specified). The default is YES. + +SHOW_NAMESPACES = YES + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from +# the version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed +# by doxygen. The layout file controls the global structure of the generated +# output files in an output format independent way. The create the layout file +# that represents doxygen's defaults, run doxygen with the -l option. +# You can optionally specify a file name after the option, if omitted +# DoxygenLayout.xml will be used as the name of the layout file. + +LAYOUT_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text" + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. + +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = include/radsec/radsec.h include/radsec/request.h + +# This tag can be used to specify the character encoding of the source files +# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is +# also the default input encoding. Doxygen uses libiconv (or the iconv built +# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for +# the list of possible encodings. + +INPUT_ENCODING = UTF-8 + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 + +FILE_PATTERNS = *.c *.h + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. + +RECURSIVE = NO + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a Unix filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = + +# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names +# (namespaces, classes, functions, etc.) that should be excluded from the +# output. The symbol name can be a fully qualified name, a word, or if the +# wildcard * is used, a substring. Examples: ANamespace, AClass, +# AClass::ANamespace, ANamespace::*Test + +EXCLUDE_SYMBOLS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. + +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command , where +# is the value of the INPUT_FILTER tag, and is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. +# If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. +# Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. +# The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. + +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. + +SOURCE_BROWSER = NO + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. + +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = NO + +# If the REFERENCES_RELATION tag is set to YES +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = NO + +# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) +# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from +# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will +# link to the source code. +# Otherwise they will link to the documentation. + +REFERENCES_LINK_SOURCE = YES + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. + +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. + +ALPHABETICAL_INDEX = YES + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. +# Doxygen will adjust the colors in the stylesheet and background images +# according to this color. Hue is specified as an angle on a colorwheel, +# see http://en.wikipedia.org/wiki/Hue for more information. +# For instance the value 0 represents red, 60 is yellow, 120 is green, +# 180 is cyan, 240 is blue, 300 purple, and 360 is red again. +# The allowed range is 0 to 359. + +HTML_COLORSTYLE_HUE = 220 + +# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of +# the colors in the HTML output. For a value of 0 the output will use +# grayscales only. A value of 255 will produce the most vivid colors. + +HTML_COLORSTYLE_SAT = 100 + +# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to +# the luminance component of the colors in the HTML output. Values below +# 100 gradually make the output lighter, whereas values above 100 make +# the output darker. The value divided by 100 is the actual gamma applied, +# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2, +# and 100 does not change the gamma. + +HTML_COLORSTYLE_GAMMA = 80 + +# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML +# page will contain the date and time when the page was generated. Setting +# this to NO can help when comparing the output of multiple runs. + +HTML_TIMESTAMP = YES + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). + +HTML_DYNAMIC_SECTIONS = NO + +# If the GENERATE_DOCSET tag is set to YES, additional index files +# will be generated that can be used as input for Apple's Xcode 3 +# integrated development environment, introduced with OSX 10.5 (Leopard). +# To create a documentation set, doxygen will generate a Makefile in the +# HTML output directory. Running make will produce the docset in that +# directory and running "make install" will install the docset in +# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find +# it at startup. +# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html +# for more information. + +GENERATE_DOCSET = NO + +# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the +# feed. A documentation feed provides an umbrella under which multiple +# documentation sets from a single provider (such as a company or product suite) +# can be grouped. + +DOCSET_FEEDNAME = "Doxygen generated docs" + +# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that +# should uniquely identify the documentation set bundle. This should be a +# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen +# will append .docset to the name. + +DOCSET_BUNDLE_ID = org.doxygen.Project + +# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify +# the documentation publisher. This should be a reverse domain-name style +# string, e.g. com.mycompany.MyDocSet.documentation. + +DOCSET_PUBLISHER_ID = org.doxygen.Publisher + +# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher. + +DOCSET_PUBLISHER_NAME = Publisher + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. + +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING +# is used to encode HtmlHelp index (hhk), content (hhc) and project file +# content. + +CHM_INDEX_ENCODING = + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. + +TOC_EXPAND = NO + +# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and +# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated +# that can be used as input for Qt's qhelpgenerator to generate a +# Qt Compressed Help (.qch) of the generated HTML documentation. + +GENERATE_QHP = NO + +# If the QHG_LOCATION tag is specified, the QCH_FILE tag can +# be used to specify the file name of the resulting .qch file. +# The path specified is relative to the HTML output folder. + +QCH_FILE = + +# The QHP_NAMESPACE tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#namespace + +QHP_NAMESPACE = org.doxygen.Project + +# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#virtual-folders + +QHP_VIRTUAL_FOLDER = doc + +# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to +# add. For more information please see +# http://doc.trolltech.com/qthelpproject.html#custom-filters + +QHP_CUST_FILTER_NAME = + +# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the +# custom filter to add. For more information please see +# +# Qt Help Project / Custom Filters. + +QHP_CUST_FILTER_ATTRS = + +# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this +# project's +# filter section matches. +# +# Qt Help Project / Filter Attributes. + +QHP_SECT_FILTER_ATTRS = + +# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can +# be used to specify the location of Qt's qhelpgenerator. +# If non-empty doxygen will try to run qhelpgenerator on the generated +# .qhp file. + +QHG_LOCATION = + +# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files +# will be generated, which together with the HTML files, form an Eclipse help +# plugin. To install this plugin and make it available under the help contents +# menu in Eclipse, the contents of the directory containing the HTML and XML +# files needs to be copied into the plugins directory of eclipse. The name of +# the directory within the plugins directory should be the same as +# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before +# the help appears. + +GENERATE_ECLIPSEHELP = NO + +# A unique identifier for the eclipse help plugin. When installing the plugin +# the directory name containing the HTML and XML files should also have +# this name. + +ECLIPSE_DOC_ID = org.doxygen.Project + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. + +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. +# If the tag value is set to YES, a side panel will be generated +# containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). +# Windows users are probably better off using the HTML help feature. + +GENERATE_TREEVIEW = NO + +# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories, +# and Class Hierarchy pages using a tree view instead of an ordered list. + +USE_INLINE_TREES = NO + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open +# links to external symbols imported via tag files in a separate window. + +EXT_LINKS_IN_WINDOW = NO + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +# Use the FORMULA_TRANPARENT tag to determine whether or not the images +# generated for formulas are transparent PNGs. Transparent PNGs are +# not supported properly for IE 6.0, but are supported on all modern browsers. +# Note that when changing this option you need to delete any form_*.png files +# in the HTML output before the changes have effect. + +FORMULA_TRANSPARENT = YES + +# When the SEARCHENGINE tag is enabled doxygen will generate a search box +# for the HTML output. The underlying search engine uses javascript +# and DHTML and should work on any modern browser. Note that when using +# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets +# (GENERATE_DOCSET) there is already a search function so this one should +# typically be disabled. For large projects the javascript based search engine +# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. + +SEARCHENGINE = YES + +# When the SERVER_BASED_SEARCH tag is enabled the search engine will be +# implemented using a PHP enabled web server instead of at the web client +# using Javascript. Doxygen will generate the search PHP script and index +# file to put on the web server. The advantage of the server +# based approach is that it scales better to large projects and allows +# full text search. The disadvances is that it is more difficult to setup +# and does not have live searching capabilities. + +SERVER_BASED_SEARCH = NO + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = YES + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. +# Note that when enabling USE_PDFLATEX this option is only used for +# generating bitmaps for formulas in the HTML output, but not in the +# Makefile that is written to the output directory. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +# If LATEX_SOURCE_CODE is set to YES then doxygen will include +# source code with syntax highlighting in the LaTeX output. +# Note that which sources are shown also depends on other settings +# such as SOURCE_BROWSER. + +LATEX_SOURCE_CODE = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. + +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). + +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is +# allowed to run in parallel. When set to 0 (the default) doxygen will +# base this on the number of processors available in the system. You can set it +# explicitly to a value larger than 0 to get control over the balance +# between CPU load and processing speed. + +DOT_NUM_THREADS = 0 + +# By default doxygen will write a font called FreeSans.ttf to the output +# directory and reference it in all dot files that doxygen generates. This +# font does not include all possible unicode characters however, so when you need +# these (or just want a differently looking font) you can specify the font name +# using DOT_FONTNAME. You need need to make sure dot is able to find the font, +# which can be done by putting it in a standard location or by setting the +# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory +# containing the font. + +DOT_FONTNAME = FreeSans.ttf + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the output directory to look for the +# FreeSans.ttf font (which doxygen will put there itself). If you specify a +# different font using DOT_FONTNAME you can set the path where dot +# can find it using this tag. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). + +DOT_TRANSPARENT = NO + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = YES + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES diff --git a/HACKING b/HACKING new file mode 100644 index 0000000..8278238 --- /dev/null +++ b/HACKING @@ -0,0 +1,91 @@ +HACKING file for libradsec (in Emacs -*- org -*- mode). + +Status as of libradsec-0.0.5 (2014-02-03). + +* Build instructions +sh autogen.sh +./configure +make + +examples/client -r examples/client.conf blocking-tls; echo $? + +* Design of the API +- There are three usage modes: + + - Application uses blocking send and receive calls (blocking + mode). This is typically fine for a simple client. + + - Application registers callbacks with libradsec and runs the + libevent dispatch loop (a.k.a. user dispatch mode). This would + probably how to implement a server or a proxy. + + - Application runs its own event loop, using fd's for select and + performs I/O using libradsec send/receive functions + (a.k.a. on-your-own mode). Might be useful for an application + which already has an event loop that wants to add RadSec + functionality. + +- Apart from configuration and error handling, an application + shouldn't need to handle TCP and UDP connections + differently. Similarly, the use of TLS/DTLS or not shouldn't + influence the libradsec calls made by the application. + +- Configuration is done either by using the API or by pointing at a + configuration file which is parsed by libradsec. + +- Fully reentrant. + +- Application chooses allocation regime. + +Note that as of 0.0.4 libradsec suffers from way too much focus on +the behaviour of a blocking client and is totally useless as a server. +Not only does it lack most of the functions needed for writing a +server but it also contains at least one architectural mishap which +kills the server idea -- a connection timeout (TCP) or a retransmit +timeout (UDP) will result in the event loop being broken. The same +thing will happen if there's an error on a TCP connection, f.ex. a +failing certificate validation (TLS). + +* Dependencies +Details (within parentheses) apply to Debian Wheezy. + +- libconfuse (2.7-4) + sudo apt-get install libconfuse-dev libconfuse0 +- libevent2 (2.0.19-stable-3) + sudo apt-get install libevent-dev libevent-2.0-5 +- OpenSSL (1.0.1c-4) -- optional, for TLS and DTLS support + sudo apt-get install libssl-dev libssl1.0.0 + +* Functionality and quality in 0.0.x +** Not well tested +- reading config file +- [TCP] short read +- [TCP] short write +- [TLS] basic tls support +- [TLS] preshared key support +- [TLS] verification of CN + +** Known issues +- error stack is only one entry deep +- custom allocation scheme is not used in all places + +** Not implemented +- dispatch mode (planned for 0.1) +- [client] server failover / RFC3539 watchdog (planned for 0.1) +- [server] support (planned for 0.2) +- [client] TCP keepalive +- on-your-own mode +- [DTLS] support + +* Found a bug? +Please report it. That is how we improve the quality of the code. + +If possible, please build the library with DEBUG defined (CFLAGS="-g +-DDEBUG") and reproduce the problem. With DEBUG defined, lots of +asserts are enabled which might give a hint about what's gone wrong. + +Running the library under gdb is another good idea. If you experience +a crash, catching the crash in gdb and providing a backtrace is highly +valuable for debugging. + +Contact: mailto:linus+libradsec@nordu.net diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..be32a9a --- /dev/null +++ b/LICENSE @@ -0,0 +1,33 @@ +* Copyright (c) 2007-2010, UNINETT AS +* Copyright (c) 2011, JANET(UK) +* Copyright (c) 2010-2013, NORDUnet A/S +* All rights reserved. +* +* Redistribution and use in source and binary forms, with or without +* modification, are permitted provided that the following conditions are +* met: +* +* 1. Redistributions of source code must retain the above copyright +* notice, this list of conditions and the following disclaimer. +* +* 2. Redistributions in binary form must reproduce the above +* copyright notice, this list of conditions and the following +* disclaimer in the documentation and/or other materials provided +* with the distribution. +* +* 3. Neither the name of NORDUnet A/S nor the names of the +* contributors may be used to endorse or promote products +* derived from this software without specific prior written +* permission. +* +* THIS SOFTWARE IS PROVIDED BY NORDUNET A/S ``AS IS'' AND +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NORDUNET A/S OR CONTRIBUTORS +* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..84f7491 --- /dev/null +++ b/Makefile.am @@ -0,0 +1,72 @@ +AUTOMAKE_OPTIONS = foreign +ACLOCAL_AMFLAGS = -I m4 + +# Shared library interface version, i.e. -version-info to Libtool, +# expressed as three integers CURRENT:REVISION:AGE. +# +# CURRENT is the version number of the current interface. Increment +# CURRENT when the library interface has changed or has been extended. +# +# REVISION is the version number of the _implementation_ of the +# CURRENT interface. Set REVISION to 0 when CURRENT changes, else +# increment. +# +# AGE is the number of interfaces this library implements, i.e. how +# many versions before CURRENT that are supported. Increment AGE when +# the library interface is _extended_. Set AGE to 0 when the library +# interface is _changed_. + + +SUBDIRS = radius radsecproxy include . examples +DIST_SUBDIRS = $(SUBDIRS) tests + +AM_CPPFLAGS = -I$(srcdir)/include +AM_CFLAGS = -Wall -Werror -g + +lib_LTLIBRARIES = libradsec.la + +libradsec_la_SOURCES = \ + avp.c \ + compat.c \ + conf.c \ + conn.c \ + debug.c \ + err.c \ + event.c \ + packet.c \ + peer.c \ + radsec.c \ + request.c \ + send.c \ + tcp.c \ + udp.c \ + util.c + +if RS_ENABLE_TLS +libradsec_la_SOURCES += tls.c +else +libradsec_la_SOURCES += md5.c +endif + +libradsec_la_SOURCES += \ + compat.h \ + conn.h \ + debug.h \ + err.h \ + event.h \ + md5.h \ + packet.h \ + peer.h \ + radsec.h \ + tcp.h \ + tls.h \ + udp.h \ + util.h + +EXTRA_DIST = CHANGES HACKING LICENSE libradsec.spec radsec.sym +EXTRA_libradsec_la_DEPENDENCIES = radsec.sym +AM_DISTCHECK_CONFIGURE_FLAGS = --enable-tls --enable-tls-psk + +libradsec_la_LIBADD = radsecproxy/libradsec-radsecproxy.la radius/libradsec-radius.la +libradsec_la_LDFLAGS = -version-info 1:0:1 -export-symbols $(srcdir)/radsec.sym +libradsec_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H -Werror # -DDEBUG -DDEBUG_LEVENT diff --git a/README b/README index 729f3bb..4c0d277 100644 --- a/README +++ b/README @@ -1,7 +1,48 @@ -This is libradsec, not radsecproxy, sharing repository with -radsecproxy. +Libradsec is a RADIUS library for clients doing RADIUS over UDP or +TLS. The goal is to add support for writing servers (and thus proxies) +and to add transports TCP and DTLS. -For radsecproxy, see branch 'master'. -The source code can be found at -http://git.nordu.net/?p=radsecproxy.git;a=summary . +The canonical pickup point is +http://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/libradsec + + +The source code is licensed under a 3-clause BSD license. See the +LICENSE file. + + +Libradsec depends on +- libconfuse +- libevent2 +- openssl (unless configured with --disable-tls) + + +To compile the library and the examples, do something like + + sh autogen.sh && ./configure && make + + +There are a couple of options that can be used when configuring. See + + ./configure --help + +for the full list. Worth mentioning here is --enable-tls-psk. + +If the preprocessor has a hard time finding some of the header files +are, try setting environment variable CPPFLAGS at configure +time. Example: + + CPPFLAGS="-I/usr/local/include" ./configure --enable-tls + +If the link editor has trouble finding any of the libraries needed, +try setting environment variable LDFLAGS at configure time. Example: + + LDFLAGS="-L/usr/local/lib" ./configure --enable-tls + + +The parts of the library which has been tested has been so on Linux +(Debian) with libconfuse (2.7), libevent (2.0.19) and OpenSSL +(1.0.1c). + +The file HACKING contains more detailed info on the state of the +various parts of the library. diff --git a/autogen.sh b/autogen.sh new file mode 100644 index 0000000..d9cee9d --- /dev/null +++ b/autogen.sh @@ -0,0 +1,14 @@ +#! /bin/sh + +[ -d m4 ] || mkdir m4 +[ -d build-aux ] || mkdir build-aux + +if [ -x "`which autoreconf 2>/dev/null`" ] ; then + exec autoreconf -ivf +fi + +aclocal -I m4 && \ + autoheader && \ + libtoolize --automake -c && \ + autoconf && \ + automake --add-missing --copy diff --git a/avp.c b/avp.c new file mode 100644 index 0000000..11c56db --- /dev/null +++ b/avp.c @@ -0,0 +1,540 @@ +/* Copyright 2011 JANET(UK). All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include + +#include +#include + +#define RS_ERR(err) ((err) < 0 ? -err : RSE_OK) + +void +rs_avp_free (rs_avp **vps) +{ + nr_vp_free (vps); +} + +size_t +rs_avp_length (rs_const_avp *vp) +{ + if (vp == NULL) + return 0; + + return vp->length; +} + +rs_attr_type_t +rs_avp_typeof (rs_const_avp *vp) +{ + if (vp == NULL) + return RS_TYPE_INVALID; + + return vp->da->type; +} + +void +rs_avp_attrid (rs_const_avp *vp, + unsigned int *attr, + unsigned int *vendor) +{ + assert (vp != NULL); + + *attr = vp->da->attr; + *vendor = vp->da->vendor; +} + +const char * +rs_avp_name (rs_const_avp *vp) +{ + return (vp != NULL) ? vp->da->name : NULL; +} + +void +rs_avp_append (rs_avp **head, rs_avp *tail) +{ + nr_vps_append (head, tail); +} + +rs_avp * +rs_avp_find (rs_avp *vp, unsigned int attr, unsigned int vendor) +{ + if (vp == NULL) + return NULL; + + return nr_vps_find (vp, attr, vendor); +} + +rs_const_avp * +rs_avp_find_const (rs_const_avp *vp, + unsigned int attr, unsigned int vendor) +{ + if (vp == NULL) + return NULL; + + return nr_vps_find ((rs_avp *)vp, attr, vendor); +} + +rs_avp * +rs_avp_alloc (unsigned int attr, unsigned int vendor) +{ + const DICT_ATTR *da; + VALUE_PAIR *vp; + + da = nr_dict_attr_byvalue (attr, vendor); + if (da == NULL) { + vp = nr_vp_alloc_raw (attr, vendor); + } else { + vp = nr_vp_alloc (da); + } + + if (vp == NULL) + return NULL; + + return vp; +} + +rs_avp * +rs_avp_dup (rs_const_avp *vp) +{ + rs_avp *vp2; + + if (vp->da->flags.unknown) + vp2 = nr_vp_alloc_raw (vp->da->attr, vp->da->vendor); + else + vp2 = nr_vp_alloc (vp->da); + if (vp2 == NULL) + return NULL; + + vp2->length = vp->length; + vp2->tag = vp->tag; + vp2->next = NULL; + +#ifdef RS_TYPE_TLV + if (rs_avp_is_tlv (vp)) { + vp2->vp_tlv = malloc (vp->length); + if (vp2->vp_tlv == NULL) { + rs_avp_free (vp2); + return NULL; + } + memcpy (vp2->vp_tlv, vp->vp_tlv, vp->length); + return vp2; + } +#endif + + memcpy (vp2->vp_strvalue, vp->vp_strvalue, vp->length); + if (rs_avp_is_string (vp)) + vp2->vp_strvalue[vp->length] = '\0'; + + return vp2; +} + +rs_avp * +rs_avp_next (rs_avp *vp) +{ + return (vp != NULL) ? vp->next : NULL; +} + +rs_const_avp * +rs_avp_next_const (rs_const_avp *vp) +{ + return (vp != NULL) ? vp->next : NULL; +} + +int +rs_avp_delete (rs_avp **first, + unsigned int attr, unsigned int vendor) +{ + int found = 0; + rs_avp **p; + + for (p = first; *p != NULL; p++) { + if ((*p)->da->attr == attr && + (*p)->da->vendor == vendor) { + rs_avp *next = (*p)->next; + + (*p)->next = NULL; + rs_avp_free (p); + + *p = next; + found++; + } + } + + return found ? RSE_OK : RSE_ATTR_UNKNOWN; +} + +const char * +rs_avp_string_value (rs_const_avp *vp) +{ + if (!rs_avp_is_string (vp)) + return NULL; + + return vp->vp_strvalue; +} + +int +rs_avp_string_set (rs_avp *vp, const char *str) +{ + int err; + + if (vp == NULL) + return RSE_INVAL; + if (!rs_avp_is_string (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, str, strlen (str)); + return RS_ERR(err); +} + +uint32_t +rs_avp_integer_value (rs_const_avp *vp) +{ + if (!rs_avp_is_integer (vp)) + return 0; + return vp->vp_integer; +} + +int +rs_avp_integer_set (rs_avp *vp, uint32_t val) +{ + int err; + + if (vp == NULL) + return RSE_INVAL; + if (!rs_avp_is_integer (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, &val, sizeof (val)); + return RS_ERR(err); +} + +uint32_t +rs_avp_ipaddr_value (rs_const_avp *vp) +{ + if (!rs_avp_is_ipaddr (vp)) + return 0; + return vp->vp_ipaddr; +} + +int +rs_avp_ipaddr_set (rs_avp *vp, struct in_addr in) +{ + int err; + + if (vp == NULL) + return RSE_INVAL; + if (!rs_avp_is_ipaddr (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, &in, sizeof (in)); + return RS_ERR(err); +} + +time_t +rs_avp_date_value (rs_const_avp *vp) +{ + if (!rs_avp_is_date (vp)) + return 0; + return vp->vp_date; +} + +int +rs_avp_date_set (rs_avp *vp, time_t date) +{ + uint32_t date32; + int err; + + if (vp == NULL) + return RSE_INVAL; + if (!rs_avp_is_date (vp)) + return RSE_ATTR_INVALID; + if (date > 0xFFFFFFFF) + return RSE_ATTR_INVALID; + + date32 = (uint32_t)date; + err = nr_vp_set_data (vp, &date32, sizeof (date32)); + + return RS_ERR(err); +} + +const unsigned char * +rs_avp_octets_value_const_ptr (rs_const_avp *vp) +{ + return rs_avp_octets_value_ptr ((rs_avp *)vp); +} + +unsigned char * +rs_avp_octets_value_ptr (rs_avp *vp) +{ + if (vp == NULL) + return NULL; + +#ifdef RS_TYPE_TLV + if (rs_avp_is_tlv (vp)) + return vp->vp_tlv; +#endif + + return vp->vp_octets; +} + +int +rs_avp_octets_value_byref (rs_avp *vp, + unsigned char **p, + size_t *len) +{ + if (vp == NULL) + return RSE_INVAL; + + *len = vp->length; + *p = (unsigned char *)rs_avp_octets_value_ptr (vp); + + return RSE_OK; +} + +int +rs_avp_octets_value (rs_const_avp *vp, + unsigned char *buf, + size_t *len) +{ + if (vp == NULL) + return RSE_INVAL; + + if (vp->length > *len) { + *len = vp->length; + return RSE_ATTR_TOO_SMALL; + } + + *len = vp->length; + +#ifdef RS_TYPE_TLV + if (rs_avp_is_tlv (vp)) + memcpy (buf, vp->vp_tlv, vp->length); + else +#endif + memcpy (buf, vp->vp_octets, vp->length); + + return RSE_OK; +} + +int +rs_avp_fragmented_value (rs_const_avp *vps, + unsigned char *buf, + size_t *len) +{ + size_t total_len = 0; + unsigned char *p; + rs_const_avp *vp; + + if (vps == NULL) + return RSE_INVAL; + + if (!rs_avp_is_octets (vps) && + !rs_avp_is_string (vps)) + return RSE_ATTR_INVALID; + + for (vp = vps; + vp != NULL; + vp = rs_avp_find_const (vp->next, vp->da->attr, vp->da->vendor)) + total_len += vp->length; + + if (*len < total_len) { + *len = total_len; + return RSE_ATTR_TOO_SMALL; + } + + for (vp = vps, p = buf; + vp != NULL; + vp = rs_avp_find_const (vp->next, vp->da->attr, vp->da->vendor)) { + memcpy (p, vp->vp_octets, vp->length); + p += vp->length; + } + + *len = total_len; + + return RSE_OK; +} + +int +rs_avp_octets_set (rs_avp *vp, + const unsigned char *buf, + size_t len) +{ + int err; + + if (!rs_avp_is_octets (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, buf, len); + + return RS_ERR(err); +} + +int +rs_avp_ifid_value (rs_const_avp *vp, uint8_t val[8]) +{ + if (!rs_avp_is_ifid (vp)) + return RSE_ATTR_INVALID; + + memcpy (val, vp->vp_ifid, 8); + + return RSE_OK; +} + +int +rs_avp_ifid_set (rs_avp *vp, const uint8_t val[8]) +{ + int err; + + if (!rs_avp_is_ifid (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, val, 8); + return RS_ERR(err); +} + +uint8_t +rs_avp_byte_value (rs_const_avp *vp) +{ + if (!rs_avp_is_byte (vp)) + return 0; + return vp->vp_integer; +} + +int +rs_avp_byte_set (rs_avp *vp, uint8_t val) +{ + int err; + + if (!rs_avp_is_byte (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, &val, sizeof (val)); + return RS_ERR(err); +} + +uint16_t +rs_avp_short_value (rs_const_avp *vp) +{ + if (!rs_avp_is_short (vp)) + return 0; + return vp->vp_integer; +} + +int +rs_avp_short_set (rs_avp *vp, uint16_t val) +{ + int err; + + if (!rs_avp_is_short (vp)) + return RSE_ATTR_INVALID; + + err = nr_vp_set_data (vp, &val, sizeof (val)); + return RS_ERR(err); +} + +int +rs_attr_find (const char *name, + unsigned int *attr, + unsigned int *vendor) +{ + const DICT_ATTR *da; + + da = nr_dict_attr_byname (name); + if (da == NULL) + return RSE_ATTR_UNKNOWN; + + *attr = da->attr; + *vendor = da->vendor; + + return RSE_OK; +} + +int +rs_attr_display_name (unsigned int attr, + unsigned int vendor, + char *buffer, + size_t bufsize, + int canonical) +{ + const DICT_ATTR *da = NULL; + DICT_ATTR da2; + int err; + + if (!canonical) { + da = nr_dict_attr_byvalue (attr, vendor); + } + if (da == NULL) { + err = nr_dict_attr_2struct(&da2, attr, vendor, + buffer, bufsize); + if (err < 0) + return -err; + } else { + snprintf(buffer, bufsize, "%s", da->name); + } + + return RSE_OK; +} + +int +rs_attr_parse_name (const char *name, + unsigned int *attr, + unsigned int *vendor) +{ + const DICT_ATTR *da; + + if (strncmp(name, "Attr-", 5) == 0) { + char *s = (char *)&name[5]; + unsigned int tmp; + + tmp = strtoul(s, &s, 10); + if (*s == '.') { + s++; + + switch (tmp) { + case PW_VENDOR_SPECIFIC: + *vendor = strtoul(s, &s, 10); + if (*s != '.') + return RSE_ATTR_BAD_NAME; + + s++; + + *attr = strtoul(s, &s, 10); + if (*s != '\0') + return RSE_ATTR_BAD_NAME; + + break; + default: + return RSE_ATTR_BAD_NAME; + } + } else { + *attr = tmp; + *vendor = 0; + } + } else { + da = nr_dict_attr_byname (name); + if (da == NULL) + return RSE_ATTR_UNKNOWN; + + *attr = da->attr; + *vendor = da->vendor; + } + + return RSE_OK; +} + +size_t +rs_avp_display_value (rs_const_avp *vp, + char *buffer, + size_t buflen) +{ + return nr_vp_snprintf_value (buffer, buflen, vp); +} + diff --git a/compat.c b/compat.c new file mode 100644 index 0000000..7c4e346 --- /dev/null +++ b/compat.c @@ -0,0 +1,22 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include "compat.h" + +ssize_t +compat_send (int sockfd, const void *buf, size_t len, int flags) +{ + return send (sockfd, buf, len, flags); +} + +ssize_t +compat_recv (int sockfd, void *buf, size_t len, int flags) +{ + return recv (sockfd, buf, len, flags); +} diff --git a/compat.h b/compat.h new file mode 100644 index 0000000..d3083e9 --- /dev/null +++ b/compat.h @@ -0,0 +1,5 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +ssize_t compat_send (int sockfd, const void *buf, size_t len, int flags); +ssize_t compat_recv (int sockfd, void *buf, size_t len, int flags); diff --git a/conf.c b/conf.c new file mode 100644 index 0000000..4e0df31 --- /dev/null +++ b/conf.c @@ -0,0 +1,255 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include "peer.h" +#include "util.h" +#include "debug.h" + +#if 0 + # common config options + + # common realm config options + realm STRING { + type = "UDP"|"TCP"|"TLS"|"DTLS" + timeout = INT + retries = INT + cacertfile = STRING + #cacertpath = STRING + certfile = STRING + certkeyfile = STRING + pskstr = STRING # Transport pre-shared key, UTF-8 form. + pskhexstr = STRING # Transport pre-shared key, ASCII hex form. + pskid = STRING + pskex = "PSK"|"DHE_PSK"|"RSA_PSK" + disable_hostname_check = "yes"|"no" + } + + # client specific realm config options + realm STRING { + server { + hostname = STRING + service = STRING + secret = STRING # RADIUS secret + } + } +#endif + +/* FIXME: Leaking memory in error cases. */ +int +rs_context_read_config(struct rs_context *ctx, const char *config_file) +{ + cfg_t *cfg, *cfg_realm, *cfg_server; + int err = 0; + int i, j; + const char *s; + struct rs_config *config = NULL; + + cfg_opt_t server_opts[] = + { + CFG_STR ("hostname", NULL, CFGF_NONE), + CFG_STR ("service", "2083", CFGF_NONE), + CFG_STR ("secret", "radsec", CFGF_NONE), + CFG_END () + }; + cfg_opt_t realm_opts[] = + { + CFG_STR ("type", "UDP", CFGF_NONE), + CFG_INT ("timeout", 2, CFGF_NONE), /* FIXME: Remove? */ + CFG_INT ("retries", 2, CFGF_NONE), /* FIXME: Remove? */ + CFG_STR ("cacertfile", NULL, CFGF_NONE), + /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/ + CFG_STR ("certfile", NULL, CFGF_NONE), + CFG_STR ("certkeyfile", NULL, CFGF_NONE), + CFG_STR ("pskstr", NULL, CFGF_NONE), + CFG_STR ("pskhexstr", NULL, CFGF_NONE), + CFG_STR ("pskid", NULL, CFGF_NONE), + CFG_STR ("pskex", "PSK", CFGF_NONE), + CFG_BOOL ("disable_hostname_check", cfg_false, CFGF_NONE), + CFG_SEC ("server", server_opts, CFGF_MULTI), + CFG_END () + }; + cfg_opt_t opts[] = + { + CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI), + CFG_END () + }; + + cfg = cfg_init (opts, CFGF_NONE); + if (cfg == NULL) + return rs_err_ctx_push (ctx, RSE_CONFIG, "unable to initialize libconfuse"); + err = cfg_parse (cfg, config_file); + switch (err) + { + case CFG_SUCCESS: + break; + case CFG_FILE_ERROR: + return rs_err_ctx_push (ctx, RSE_CONFIG, + "%s: unable to open configuration file", + config_file); + case CFG_PARSE_ERROR: + return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: invalid configuration file", + config_file); + default: + return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: unknown parse error", + config_file); + } + + config = rs_calloc (ctx, 1, sizeof (*config)); + if (config == NULL) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); + ctx->config = config; + + for (i = 0; i < cfg_size (cfg, "realm"); i++) + { + struct rs_realm *r = NULL; + const char *typestr; + char *pskstr = NULL, *pskhexstr = NULL; + + r = rs_calloc (ctx, 1, sizeof(*r)); + if (r == NULL) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); + if (config->realms != NULL) + { + r->next = config->realms->next; + config->realms->next = r; + } + else + { + config->realms = r; + } + cfg_realm = cfg_getnsec (cfg, "realm", i); + s = cfg_title (cfg_realm); + if (s == NULL) + return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__, + "missing realm name"); + /* We use a copy of the return value of cfg_title() since it's const. */ + r->name = rs_strdup (ctx, s); + if (r->name == NULL) + return RSE_NOMEM; + + typestr = cfg_getstr (cfg_realm, "type"); + if (strcmp (typestr, "UDP") == 0) + r->type = RS_CONN_TYPE_UDP; + else if (strcmp (typestr, "TCP") == 0) + r->type = RS_CONN_TYPE_TCP; + else if (strcmp (typestr, "TLS") == 0) + r->type = RS_CONN_TYPE_TLS; + else if (strcmp (typestr, "DTLS") == 0) + r->type = RS_CONN_TYPE_DTLS; + else + return rs_err_ctx_push (ctx, RSE_CONFIG, + "%s: invalid connection type: %s", + r->name, typestr); + r->timeout = cfg_getint (cfg_realm, "timeout"); + r->retries = cfg_getint (cfg_realm, "retries"); + r->disable_hostname_check = cfg_getbool (cfg_realm, "disable_hostname_check"); + + r->cacertfile = cfg_getstr (cfg_realm, "cacertfile"); + /*r->cacertpath = cfg_getstr (cfg_realm, "cacertpath");*/ + r->certfile = cfg_getstr (cfg_realm, "certfile"); + r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile"); + + pskstr = cfg_getstr (cfg_realm, "pskstr"); + pskhexstr = cfg_getstr (cfg_realm, "pskhexstr"); + if (pskstr || pskhexstr) + { +#if defined RS_ENABLE_TLS_PSK + char *kex = cfg_getstr (cfg_realm, "pskex"); + rs_cred_type_t type = RS_CRED_NONE; + struct rs_credentials *cred = NULL; + assert (kex != NULL); + + if (!strcmp (kex, "PSK")) + type = RS_CRED_TLS_PSK; + else + { + /* TODO: push a warning on the error stack:*/ + /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange" + " algorithm -- PSK not used", kex);*/ + } + + if (type != RS_CRED_NONE) + { + cred = rs_calloc (ctx, 1, sizeof (*cred)); + if (cred == NULL) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, + NULL); + cred->type = type; + cred->identity = cfg_getstr (cfg_realm, "pskid"); + if (pskhexstr) + { + cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX; + cred->secret = pskhexstr; + if (pskstr) + ; /* TODO: warn that we're ignoring pskstr */ + } + else + { + cred->secret_encoding = RS_KEY_ENCODING_UTF8; + cred->secret = pskstr; + } + + r->transport_cred = cred; + } +#else /* !RS_ENABLE_TLS_PSK */ + /* TODO: push a warning on the error stack: */ + /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with " + "support for TLS preshared keys, ignoring pskstr " + "and pskhexstr");*/ +#endif /* RS_ENABLE_TLS_PSK */ + } + + /* For TLS and DTLS realms, validate that we either have (i) CA + cert file or path or (ii) PSK. */ + if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS) + && (r->cacertfile == NULL && r->cacertpath == NULL) + && r->transport_cred == NULL) + return rs_err_ctx_push (ctx, RSE_CONFIG, + "%s: missing both CA file/path and PSK", + r->name); + + /* Add peers, one per server stanza. */ + for (j = 0; j < cfg_size (cfg_realm, "server"); j++) + { + struct rs_peer *p = peer_create (ctx, &r->peers); + if (p == NULL) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, + NULL); + p->realm = r; + + cfg_server = cfg_getnsec (cfg_realm, "server", j); + p->hostname = cfg_getstr (cfg_server, "hostname"); + p->service = cfg_getstr (cfg_server, "service"); + p->secret = cfg_getstr (cfg_server, "secret"); + } + } + + /* Save config object in context, for freeing in rs_context_destroy(). */ + ctx->config->cfg = cfg; + + return RSE_OK; +} + +struct rs_realm * +rs_conf_find_realm(struct rs_context *ctx, const char *name) +{ + struct rs_realm *r; + assert (ctx); + + if (ctx->config) + for (r = ctx->config->realms; r; r = r->next) + if (strcmp (r->name, name) == 0) + return r; + + return NULL; +} diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..d99bab4 --- /dev/null +++ b/configure.ac @@ -0,0 +1,68 @@ +# -*- Autoconf -*- script for libradsec. + +AC_PREREQ([2.63]) +AC_INIT([libradsec], [0.0.5], [linus+libradsec@nordu.net]) +AC_CONFIG_MACRO_DIR([m4]) +AC_CONFIG_SRCDIR([radsec.c]) +AC_CONFIG_AUX_DIR([build-aux]) +AC_CONFIG_HEADERS([config.h]) +AM_INIT_AUTOMAKE +LT_INIT + +# Checks for programs. +AC_PROG_CC + +# Checks for libraries. +AC_CHECK_LIB([confuse], [cfg_init],, + AC_MSG_ERROR([required library libconfuse not found])) +AC_CHECK_LIB([event_core], [event_get_version],, + AC_MSG_ERROR([required library libevent_core not found])) +AH_TEMPLATE([HAVE_PTHREADS], [POSIX threads are available on this system]) +AC_SEARCH_LIBS([pthread_create], [pthread], AC_DEFINE([HAVE_PTHREADS])) + +# Enable-knobs. +## Enable TLS (RadSec), default on. +want_tls=yes +AH_TEMPLATE([RS_ENABLE_TLS], [TLS (RadSec) enabled]) +AH_TEMPLATE([RADPROT_TLS], []) +AC_ARG_ENABLE([tls], + AS_HELP_STRING([--disable-tls], [disable TLS (RadSec)]), + [want_tls=$enableval]) +AM_CONDITIONAL([RS_ENABLE_TLS], [test $want_tls = yes]) +if test $want_tls = yes; then + AC_CHECK_LIB([event_openssl], [bufferevent_openssl_socket_new],, + AC_MSG_ERROR([required library event_openssl not found])) + AC_DEFINE([RS_ENABLE_TLS]) + AC_DEFINE([RADPROT_TLS]) +else + # Define WITHOUT_OPENSSL for radius/client.h. + CPPFLAGS="$CPPFLAGS -DWITHOUT_OPENSSL" +fi +## Enable TLS-PSK (preshared keys). +AH_TEMPLATE([RS_ENABLE_TLS_PSK], [TLS-PSK (TLS preshared keys) enabled]) +AC_ARG_ENABLE([tls-psk], AS_HELP_STRING([--enable-tls-psk], [enable TLS-PSK (TLS preshared keys)]), + [AC_CHECK_LIB([ssl], [SSL_set_psk_client_callback],, + AC_MSG_ERROR([required library openssl with SSL_set_psk_client_callback() not found])) + AC_DEFINE([RS_ENABLE_TLS_PSK])]) +AM_CONDITIONAL([RS_ENABLE_TLS_PSK], [test "${enable_tls_psk+set}" = set]) + +# Checks for header files. +AC_CHECK_HEADERS( + [sys/time.h time.h netdb.h netinet/in.h stdint.h stdlib.h strings.h string.h \ + sys/socket.h unistd.h syslog.h sys/select.h fcntl.h arpa/inet.h pthread.h]) + +# Checks for typedefs, structures, and compiler characteristics. +AC_TYPE_SIZE_T +AC_TYPE_SSIZE_T +AC_TYPE_UINT8_T + +# Checks for library functions. +AC_CHECK_FUNCS([memset socket strdup strerror strrchr]) + +AC_CONFIG_FILES([Makefile libradsec.spec + radsecproxy/Makefile + radius/Makefile + include/Makefile + examples/Makefile + tests/Makefile]) +AC_OUTPUT diff --git a/conn.c b/conn.c new file mode 100644 index 0000000..970a071 --- /dev/null +++ b/conn.c @@ -0,0 +1,335 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "conn.h" +#include "event.h" +#include "packet.h" +#include "tcp.h" + +int +conn_user_dispatch_p (const struct rs_connection *conn) +{ + assert (conn); + + return (conn->callbacks.connected_cb || + conn->callbacks.disconnected_cb || + conn->callbacks.received_cb || + conn->callbacks.sent_cb); +} + + +int +conn_activate_timeout (struct rs_connection *conn) +{ + assert (conn); + assert (conn->tev); + assert (conn->evb); + if (conn->timeout.tv_sec || conn->timeout.tv_usec) + { + rs_debug (("%s: activating timer: %d.%d\n", __func__, + conn->timeout.tv_sec, conn->timeout.tv_usec)); + if (evtimer_add (conn->tev, &conn->timeout)) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "evtimer_add: %d", errno); + } + return RSE_OK; +} + +int +conn_type_tls (const struct rs_connection *conn) +{ + return conn->realm->type == RS_CONN_TYPE_TLS + || conn->realm->type == RS_CONN_TYPE_DTLS; +} + +int +conn_cred_psk (const struct rs_connection *conn) +{ + return conn->realm->transport_cred && + conn->realm->transport_cred->type == RS_CRED_TLS_PSK; +} + + +/* Public functions. */ +int +rs_conn_create (struct rs_context *ctx, + struct rs_connection **conn, + const char *config) +{ + struct rs_connection *c; + + c = (struct rs_connection *) malloc (sizeof(struct rs_connection)); + if (!c) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); + + memset (c, 0, sizeof(struct rs_connection)); + c->ctx = ctx; + c->fd = -1; + if (config) + { + struct rs_realm *r = rs_conf_find_realm (ctx, config); + if (r) + { + struct rs_peer *p; + + c->realm = r; + c->peers = r->peers; /* FIXME: Copy instead? */ + for (p = c->peers; p; p = p->next) + p->conn = c; + c->timeout.tv_sec = r->timeout; + c->tryagain = r->retries; + } + else + { + c->realm = rs_malloc (ctx, sizeof (struct rs_realm)); + if (!c->realm) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, + NULL); + memset (c->realm, 0, sizeof (struct rs_realm)); + } + } + + if (conn) + *conn = c; + return RSE_OK; +} + +void +rs_conn_set_type (struct rs_connection *conn, rs_conn_type_t type) +{ + assert (conn); + assert (conn->realm); + conn->realm->type = type; +} + +int +rs_conn_add_listener (struct rs_connection *conn, + rs_conn_type_t type, + const char *hostname, + int port) +{ + return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); +} + + +int +rs_conn_disconnect (struct rs_connection *conn) +{ + int err = 0; + + assert (conn); + + if (conn->is_connected) + event_on_disconnect (conn); + + if (conn->bev) + { + bufferevent_free (conn->bev); + conn->bev = NULL; + } + if (conn->rev) + { + event_free (conn->rev); + conn->rev = NULL; + } + if (conn->wev) + { + event_free (conn->wev); + conn->wev = NULL; + } + + err = evutil_closesocket (conn->fd); + conn->fd = -1; + return err; +} + +int +rs_conn_destroy (struct rs_connection *conn) +{ + int err = 0; + + assert (conn); + + /* NOTE: conn->realm is owned by context. */ + /* NOTE: conn->peers is owned by context. */ + + if (conn->is_connected) + err = rs_conn_disconnect (conn); + +#if defined (RS_ENABLE_TLS) + if (conn->tls_ssl) /* FIXME: Free SSL strucxt in rs_conn_disconnect? */ + SSL_free (conn->tls_ssl); + if (conn->tls_ctx) + SSL_CTX_free (conn->tls_ctx); +#endif + + if (conn->tev) + event_free (conn->tev); + if (conn->bev) + bufferevent_free (conn->bev); + if (conn->rev) + event_free (conn->rev); + if (conn->wev) + event_free (conn->wev); + if (conn->evb) + event_base_free (conn->evb); + + rs_free (conn->ctx, conn); + + return err; +} + +int +rs_conn_set_eventbase (struct rs_connection *conn, struct event_base *eb) +{ + return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); +} + +void +rs_conn_set_callbacks (struct rs_connection *conn, struct rs_conn_callbacks *cb) +{ + assert (conn); + memcpy (&conn->callbacks, cb, sizeof (conn->callbacks)); +} + +void +rs_conn_del_callbacks (struct rs_connection *conn) +{ + assert (conn); + memset (&conn->callbacks, 0, sizeof (conn->callbacks)); +} + +struct rs_conn_callbacks * +rs_conn_get_callbacks(struct rs_connection *conn) +{ + assert (conn); + return &conn->callbacks; +} + +int +rs_conn_select_peer (struct rs_connection *conn, const char *name) +{ + return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); +} + +int +rs_conn_get_current_peer (struct rs_connection *conn, + const char *name, + size_t buflen) +{ + return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); +} + +int rs_conn_fd (struct rs_connection *conn) +{ + assert (conn); + assert (conn->active_peer); + return conn->fd; +} + +static void +_rcb (struct rs_packet *packet, void *user_data) +{ + struct rs_packet *pkt = (struct rs_packet *) user_data; + assert (pkt); + assert (pkt->conn); + + pkt->flags |= RS_PACKET_RECEIVED; + if (pkt->conn->bev) + bufferevent_disable (pkt->conn->bev, EV_WRITE|EV_READ); + else + event_del (pkt->conn->rev); +} + +int +rs_conn_receive_packet (struct rs_connection *conn, + struct rs_packet *req_msg, + struct rs_packet **pkt_out) +{ + int err = 0; + struct rs_packet *pkt = NULL; + + assert (conn); + assert (conn->realm); + assert (!conn_user_dispatch_p (conn)); /* Blocking mode only. */ + + if (rs_packet_create (conn, &pkt)) + return -1; + + assert (conn->evb); + assert (conn->fd >= 0); + + conn->callbacks.received_cb = _rcb; + conn->user_data = pkt; + pkt->flags &= ~RS_PACKET_RECEIVED; + + if (conn->bev) /* TCP. */ + { + bufferevent_setwatermark (conn->bev, EV_READ, RS_HEADER_LEN, 0); + bufferevent_setcb (conn->bev, tcp_read_cb, NULL, tcp_event_cb, pkt); + bufferevent_enable (conn->bev, EV_READ); + } + else /* UDP. */ + { + /* Put fresh packet in user_data for the callback and enable the + read event. */ + event_assign (conn->rev, conn->evb, event_get_fd (conn->rev), + EV_READ, event_get_callback (conn->rev), pkt); + err = event_add (conn->rev, NULL); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, + "event_add: %s", + evutil_gai_strerror (err)); + + /* Activate retransmission timer. */ + conn_activate_timeout (pkt->conn); + } + + rs_debug (("%s: entering event loop\n", __func__)); + err = event_base_dispatch (conn->evb); + conn->callbacks.received_cb = NULL; + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, + "event_base_dispatch: %s", + evutil_gai_strerror (err)); + rs_debug (("%s: event loop done\n", __func__)); + + if ((pkt->flags & RS_PACKET_RECEIVED) != 0) + { + /* If the caller passed a request, check the response. */ + if (req_msg) + err = packet_verify_response (pkt->conn, pkt, req_msg); + + /* If the response was OK and the caller wants it, hand it + over, else free it. */ + if (err == RSE_OK && pkt_out) + *pkt_out = pkt; + else + rs_packet_destroy (pkt); + } + else + err = rs_err_conn_peek_code (pkt->conn); + + return err; +} + +void +rs_conn_set_timeout(struct rs_connection *conn, struct timeval *tv) +{ + assert (conn); + assert (tv); + conn->timeout = *tv; +} diff --git a/conn.h b/conn.h new file mode 100644 index 0000000..66e15e2 --- /dev/null +++ b/conn.h @@ -0,0 +1,7 @@ +/* Copyright 2011,2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +int conn_user_dispatch_p (const struct rs_connection *conn); +int conn_activate_timeout (struct rs_connection *conn); +int conn_type_tls (const struct rs_connection *conn); +int conn_cred_psk (const struct rs_connection *conn); diff --git a/debug.c b/debug.c new file mode 100644 index 0000000..903c793 --- /dev/null +++ b/debug.c @@ -0,0 +1,46 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include "debug.h" + +void +rs_dump_packet (const struct rs_packet *pkt) +{ + const RADIUS_PACKET *p = NULL; + + if (!pkt || !pkt->rpkt) + return; + p = pkt->rpkt; + + fprintf (stderr, "\tCode: %u, Identifier: %u, Lenght: %zu\n", + p->code, + p->id, + p->sizeof_data); + fflush (stderr); +} + +#if defined DEBUG +int +_rs_debug (const char *fmt, ...) +{ + int n; + va_list args; + + va_start (args, fmt); + n = vfprintf (stderr, fmt, args); + va_end (args); + fflush (stderr); + + return n; +} +#endif diff --git a/debug.h b/debug.h new file mode 100644 index 0000000..ed62da1 --- /dev/null +++ b/debug.h @@ -0,0 +1,27 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#define hd(p, l) { int i; \ + for (i = 1; i <= l; i++) { \ + printf ("%02x ", p[i-1]); \ + if (i % 8 == 0) printf (" "); \ + if (i % 16 == 0) printf ("\n"); } \ + printf ("\n"); } + +#if defined (__cplusplus) +extern "C" { +#endif + +struct rs_packet; +void rs_dump_packet (const struct rs_packet *pkt); +int _rs_debug (const char *fmt, ...); + +#if defined (DEBUG) +#define rs_debug(x) _rs_debug x +#else +#define rs_debug(x) do {;} while (0) +#endif + +#if defined (__cplusplus) +} +#endif diff --git a/err.c b/err.c new file mode 100644 index 0000000..0c7d5a8 --- /dev/null +++ b/err.c @@ -0,0 +1,276 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include + +static const char *_errtxt[] = { + "SUCCESS", /* 0 RSE_OK */ + "out of memory", /* 1 RSE_NOMEM */ + "not yet implemented", /* 2 RSE_NOSYS */ + "invalid handle", /* 3 RSE_INVALID_CTX */ + "invalid connection", /* 4 RSE_INVALID_CONN */ + "connection type mismatch", /* 5 RSE_CONN_TYPE_MISMATCH */ + "FreeRadius error", /* 6 RSE_FR */ + "bad hostname or port", /* 7 RSE_BADADDR */ + "no peer configured", /* 8 RSE_NOPEER */ + "libevent error", /* 9 RSE_EVENT */ + "socket error", /* 10 RSE_SOCKERR */ + "invalid configuration file", /* 11 RSE_CONFIG */ + "authentication failed", /* 12 RSE_BADAUTH */ + "internal error", /* 13 RSE_INTERNAL */ + "SSL error", /* 14 RSE_SSLERR */ + "invalid packet", /* 15 RSE_INVALID_PKT */ + "connect timeout", /* 16 RSE_TIMEOUT_CONN */ + "invalid argument", /* 17 RSE_INVAL */ + "I/O timeout", /* 18 RSE_TIMEOUT_IO */ + "timeout", /* 19 RSE_TIMEOUT */ + "peer disconnected", /* 20 RSE_DISCO */ + "resource is in use", /* 21 RSE_INUSE */ + "packet is too small", /* 22 RSE_PACKET_TOO_SMALL */ + "packet is too large", /* 23 RSE_PACKET_TOO_LARGE */ + "attribute overflows packet", /* 24 RSE_ATTR_OVERFLOW */ + "attribute is too small", /* 25 RSE_ATTR_TOO_SMALL */ + "attribute is too large", /* 26 RSE_ATTR_TOO_LARGE */ + "unknown attribute", /* 27 RSE_ATTR_UNKNOWN */ + "invalid name for attribute", /* 28 RSE_ATTR_BAD_NAME */ + "invalid value for attribute", /* 29 RSE_ATTR_VALUE_MALFORMED */ + "invalid attribute", /* 30 RSE_ATTR_INVALID */ + "too many attributes in the packet", /* 31 RSE_TOO_MANY_ATTRS */ + "attribute type unknown", /* 32 RSE_ATTR_TYPE_UNKNOWN */ + "invalid message authenticator", /* 33 RSE_MSG_AUTH_LEN */ + "incorrect message authenticator", /* 34 RSE_MSG_AUTH_WRONG */ + "request is required", /* 35 RSE_REQUEST_REQUIRED */ + "invalid request code", /* 36 RSE_REQUEST_CODE_INVALID */ + "incorrect request authenticator", /* 37 RSE_AUTH_VECTOR_WRONG */ + "response code is unsupported", /* 38 RSE_INVALID_RESPONSE_CODE */ + "response ID is invalid", /* 39 RSE_INVALID_RESPONSE_ID */ + "response from the wrong source address", /* 40 RSE_INVALID_RESPONSE_SRC */ + "no packet data", /* 41 RSE_NO_PACKET_DATA */ + "vendor is unknown", /* 42 RSE_VENDOR_UNKNOWN */ + "invalid credentials", /* 43 RSE_CRED */ + "certificate validation error", /* 44 RSE_CERT */ +}; +#define ERRTXT_SIZE (sizeof(_errtxt) / sizeof(*_errtxt)) + +static struct rs_error * +_err_vcreate (unsigned int code, const char *file, int line, const char *fmt, + va_list args) +{ + struct rs_error *err = NULL; + + err = malloc (sizeof(struct rs_error)); + if (err) + { + int n; + memset (err, 0, sizeof(struct rs_error)); + err->code = code; + if (fmt) + n = vsnprintf (err->buf, sizeof(err->buf), fmt, args); + else + { + strncpy (err->buf, + err->code < ERRTXT_SIZE ? _errtxt[err->code] : "", + sizeof(err->buf)); + n = strlen (err->buf); + } + if (n >= 0 && file) + { + char *sep = strrchr (file, '/'); + if (sep) + file = sep + 1; + snprintf (err->buf + n, sizeof(err->buf) - n, " (%s:%d)", file, + line); + } + } + return err; +} + +struct rs_error * +err_create (unsigned int code, + const char *file, + int line, + const char *fmt, + ...) +{ + struct rs_error *err = NULL; + + va_list args; + va_start (args, fmt); + err = _err_vcreate (code, file, line, fmt, args); + va_end (args); + + return err; +} + +static int +_ctx_err_vpush_fl (struct rs_context *ctx, int code, const char *file, + int line, const char *fmt, va_list args) +{ + struct rs_error *err = _err_vcreate (code, file, line, fmt, args); + + if (!err) + return RSE_NOMEM; + + /* TODO: Implement a stack. */ + if (ctx->err) + rs_err_free (ctx->err); + ctx->err = err; + + return err->code; +} + +int +rs_err_ctx_push (struct rs_context *ctx, int code, const char *fmt, ...) +{ + int r = 0; + va_list args; + + va_start (args, fmt); + r = _ctx_err_vpush_fl (ctx, code, NULL, 0, fmt, args); + va_end (args); + + return r; +} + +int +rs_err_ctx_push_fl (struct rs_context *ctx, int code, const char *file, + int line, const char *fmt, ...) +{ + int r = 0; + va_list args; + + va_start (args, fmt); + r = _ctx_err_vpush_fl (ctx, code, file, line, fmt, args); + va_end (args); + + return r; +} + +int +err_conn_push_err (struct rs_connection *conn, struct rs_error *err) +{ + assert (conn); + assert (err); + + if (conn->err) + rs_err_free (conn->err); + conn->err = err; /* FIXME: use a stack */ + + return err->code; +} + +static int +_conn_err_vpush_fl (struct rs_connection *conn, int code, const char *file, + int line, const char *fmt, va_list args) +{ + struct rs_error *err = _err_vcreate (code, file, line, fmt, args); + + if (!err) + return RSE_NOMEM; + + return err_conn_push_err (conn, err); +} + +int +rs_err_conn_push (struct rs_connection *conn, int code, const char *fmt, ...) +{ + int r = 0; + + va_list args; + va_start (args, fmt); + r = _conn_err_vpush_fl (conn, code, NULL, 0, fmt, args); + va_end (args); + + return r; +} + +int +rs_err_conn_push_fl (struct rs_connection *conn, int code, const char *file, + int line, const char *fmt, ...) +{ + int r = 0; + + va_list args; + va_start (args, fmt); + r = _conn_err_vpush_fl (conn, code, file, line, fmt, args); + va_end (args); + + return r; +} + +struct rs_error * +rs_err_ctx_pop (struct rs_context *ctx) +{ + struct rs_error *err; + + if (!ctx) + return NULL; /* FIXME: RSE_INVALID_CTX. */ + err = ctx->err; + ctx->err = NULL; + + return err; +} + +struct rs_error * +rs_err_conn_pop (struct rs_connection *conn) +{ + struct rs_error *err; + + if (!conn) + return NULL; /* FIXME: RSE_INVALID_CONN */ + err = conn->err; + conn->err = NULL; + + return err; +} + +int +rs_err_conn_peek_code (struct rs_connection *conn) +{ + if (!conn) + return -1; /* FIXME: RSE_INVALID_CONN */ + if (conn->err) + return conn->err->code; + + return RSE_OK; +} + +void +rs_err_free (struct rs_error *err) +{ + assert (err); + free (err); +} + +char * +rs_err_msg (struct rs_error *err) +{ + if (!err) + return NULL; + + return err->buf; +} + +int +rs_err_code (struct rs_error *err, int dofree_flag) +{ + int code; + + if (!err) + return -1; + code = err->code; + + if (dofree_flag) + rs_err_free (err); + + return code; +} diff --git a/err.h b/err.h new file mode 100644 index 0000000..ba83a53 --- /dev/null +++ b/err.h @@ -0,0 +1,9 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +struct rs_error *err_create (unsigned int code, + const char *file, + int line, + const char *fmt, + ...); +int err_conn_push_err (struct rs_connection *conn, struct rs_error *err); diff --git a/event.c b/event.c new file mode 100644 index 0000000..a532da9 --- /dev/null +++ b/event.c @@ -0,0 +1,300 @@ +/* Copyright 2011-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include + +#include +#include +#if defined (RS_ENABLE_TLS) +#include +#include +#endif +#include +#include +#include "tcp.h" +#include "udp.h" +#if defined (RS_ENABLE_TLS) +#include "tls.h" +#endif +#include "err.h" +#include "radsec.h" +#include "event.h" +#include "packet.h" +#include "conn.h" +#include "debug.h" + +#if defined (DEBUG) +extern int _event_debug_mode_on; +#endif + +static void +_evlog_cb (int severity, const char *msg) +{ + const char *sevstr; + switch (severity) + { + case _EVENT_LOG_DEBUG: +#if !defined (DEBUG_LEVENT) + return; +#endif + sevstr = "debug"; + break; + case _EVENT_LOG_MSG: + sevstr = "msg"; + break; + case _EVENT_LOG_WARN: + sevstr = "warn"; + break; + case _EVENT_LOG_ERR: + sevstr = "err"; + break; + default: + sevstr = "???"; + break; + } + fprintf (stderr, "libevent: [%s] %s\n", sevstr, msg); /* FIXME: stderr? */ +} + +void +event_conn_timeout_cb (int fd, short event, void *data) +{ + struct rs_connection *conn = NULL; + + assert (data); + conn = (struct rs_connection *) data; + + if (event & EV_TIMEOUT) + { + rs_debug (("%s: connection timeout on %p (fd %d) connecting to %p\n", + __func__, conn, conn->fd, conn->active_peer)); + conn->is_connecting = 0; + rs_err_conn_push_fl (conn, RSE_TIMEOUT_CONN, __FILE__, __LINE__, NULL); + event_loopbreak (conn); + } +} + +void +event_retransmit_timeout_cb (int fd, short event, void *data) +{ + struct rs_connection *conn = NULL; + + assert (data); + conn = (struct rs_connection *) data; + + if (event & EV_TIMEOUT) + { + rs_debug (("%s: retransmission timeout on %p (fd %d) sending to %p\n", + __func__, conn, conn->fd, conn->active_peer)); + rs_err_conn_push_fl (conn, RSE_TIMEOUT_IO, __FILE__, __LINE__, NULL); + + /* Disable/delete read and write events. Timing out on reading + might f.ex. trigger resending of a message. It'd be + surprising to end up reading without having enabled/created a + read event in that case. */ + if (conn->bev) /* TCP. */ + bufferevent_disable (conn->bev, EV_WRITE|EV_READ); + else /* UDP. */ + { + if (conn->wev) + event_del (conn->wev); + if (conn->rev) + event_del (conn->rev); + } + + event_loopbreak (conn); + } +} + +int +event_init_socket (struct rs_connection *conn, struct rs_peer *p) +{ + if (conn->fd != -1) + return RSE_OK; + + if (p->addr_cache == NULL) + { + struct rs_error *err = + rs_resolve (&p->addr_cache, p->realm->type, p->hostname, p->service); + if (err != NULL) + return err_conn_push_err (conn, err); + } + + conn->fd = socket (p->addr_cache->ai_family, p->addr_cache->ai_socktype, + p->addr_cache->ai_protocol); + if (conn->fd < 0) + return rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, + "socket: %d (%s)", + errno, strerror (errno)); + if (evutil_make_socket_nonblocking (conn->fd) < 0) + { + evutil_closesocket (conn->fd); + conn->fd = -1; + return rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, + "evutil_make_socket_nonblocking: %d (%s)", + errno, strerror (errno)); + } + return RSE_OK; +} + +int +event_init_bufferevent (struct rs_connection *conn, struct rs_peer *peer) +{ + if (conn->bev) + return RSE_OK; + + if (conn->realm->type == RS_CONN_TYPE_TCP) + { + conn->bev = bufferevent_socket_new (conn->evb, conn->fd, 0); + if (!conn->bev) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "bufferevent_socket_new"); + } +#if defined (RS_ENABLE_TLS) + else if (conn->realm->type == RS_CONN_TYPE_TLS) + { + if (tls_init_conn (conn)) + return -1; + /* Would be convenient to pass BEV_OPT_CLOSE_ON_FREE but things + seem to break when be_openssl_ctrl() (in libevent) calls + SSL_set_bio() after BIO_new_socket() with flag=1. */ + conn->bev = + bufferevent_openssl_socket_new (conn->evb, conn->fd, conn->tls_ssl, + BUFFEREVENT_SSL_CONNECTING, 0); + if (!conn->bev) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "bufferevent_openssl_socket_new"); + } +#endif /* RS_ENABLE_TLS */ + else + { + return rs_err_conn_push_fl (conn, RSE_INTERNAL, __FILE__, __LINE__, + "%s: unknown connection type: %d", __func__, + conn->realm->type); + } + + return RSE_OK; +} + +void +event_do_connect (struct rs_connection *conn) +{ + struct rs_peer *p; + int err, sockerr; + + assert (conn); + assert (conn->active_peer); + p = conn->active_peer; + +#if defined (DEBUG) + { + char host[80], serv[80]; + + getnameinfo (p->addr_cache->ai_addr, + p->addr_cache->ai_addrlen, + host, sizeof(host), serv, sizeof(serv), + 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); + rs_debug (("%s: connecting to %s:%s\n", __func__, host, serv)); + } +#endif + + if (p->conn->bev) /* TCP */ + { + conn_activate_timeout (conn); /* Connect timeout. */ + err = bufferevent_socket_connect (p->conn->bev, p->addr_cache->ai_addr, + p->addr_cache->ai_addrlen); + if (err < 0) + rs_err_conn_push_fl (p->conn, RSE_EVENT, __FILE__, __LINE__, + "bufferevent_socket_connect: %s", + evutil_gai_strerror (err)); + else + p->conn->is_connecting = 1; + } + else /* UDP */ + { + err = connect (p->conn->fd, + p->addr_cache->ai_addr, + p->addr_cache->ai_addrlen); + if (err < 0) + { + sockerr = evutil_socket_geterror (p->conn->fd); + rs_debug (("%s: %d: connect: %d (%s)\n", __func__, p->conn->fd, + sockerr, evutil_socket_error_to_string (sockerr))); + rs_err_conn_push_fl (p->conn, RSE_SOCKERR, __FILE__, __LINE__, + "%d: connect: %d (%s)", p->conn->fd, sockerr, + evutil_socket_error_to_string (sockerr)); + } + } +} + +int +event_loopbreak (struct rs_connection *conn) +{ + int err = event_base_loopbreak (conn->evb); + if (err < 0) + rs_err_conn_push (conn, RSE_EVENT, "event_base_loopbreak"); + return err; +} + + +void +event_on_disconnect (struct rs_connection *conn) +{ + conn->is_connecting = 0; + conn->is_connected = 0; + rs_debug (("%s: %p disconnected\n", __func__, conn->active_peer)); + if (conn->callbacks.disconnected_cb) + conn->callbacks.disconnected_cb (conn->user_data); +} + +/** Internal connect event returning 0 on success or -1 on error. */ +int +event_on_connect (struct rs_connection *conn, struct rs_packet *pkt) +{ + assert (!conn->is_connecting); + +#if defined (RS_ENABLE_TLS) + if (conn_type_tls(conn) && !conn_cred_psk(conn)) + if (tls_verify_cert (conn) != RSE_OK) + { + rs_debug (("%s: server cert verification failed\n", __func__)); + return -1; + } +#endif /* RS_ENABLE_TLS */ + + conn->is_connected = 1; + rs_debug (("%s: %p connected\n", __func__, conn->active_peer)); + + if (conn->callbacks.connected_cb) + conn->callbacks.connected_cb (conn->user_data); + + if (pkt) + packet_do_send (pkt); + + return 0; +} + +int +event_init_eventbase (struct rs_connection *conn) +{ + assert (conn); + if (conn->evb) + return RSE_OK; + +#if defined (DEBUG) + if (!_event_debug_mode_on) + event_enable_debug_mode (); +#endif + event_set_log_callback (_evlog_cb); + conn->evb = event_base_new (); + if (!conn->evb) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "event_base_new"); + + return RSE_OK; +} diff --git a/event.h b/event.h new file mode 100644 index 0000000..bd9ec77 --- /dev/null +++ b/event.h @@ -0,0 +1,12 @@ +/* Copyright 2011-2012 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +void event_on_disconnect (struct rs_connection *conn); +int event_on_connect (struct rs_connection *conn, struct rs_packet *pkt); +int event_loopbreak (struct rs_connection *conn); +int event_init_eventbase (struct rs_connection *conn); +int event_init_socket (struct rs_connection *conn, struct rs_peer *p); +int event_init_bufferevent (struct rs_connection *conn, struct rs_peer *peer); +void event_do_connect (struct rs_connection *conn); +void event_conn_timeout_cb (int fd, short event, void *data); +void event_retransmit_timeout_cb (int fd, short event, void *data); diff --git a/examples/Makefile.am b/examples/Makefile.am new file mode 100644 index 0000000..fa1c835 --- /dev/null +++ b/examples/Makefile.am @@ -0,0 +1,8 @@ +AUTOMAKE_OPTIONS = foreign +AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) +AM_CFLAGS = -Wall -Werror -g + +noinst_PROGRAMS = client +client_SOURCES = client-blocking.c +client_LDADD = ../libradsec.la #-lefence +client_CFLAGS = $(AM_CFLAGS) -DUSE_CONFIG_FILE diff --git a/examples/blocking.c b/examples/blocking.c new file mode 100644 index 0000000..b66eb64 --- /dev/null +++ b/examples/blocking.c @@ -0,0 +1,71 @@ +/* Example usage of libradsec-base, using blocking i/o. */ + +#include +#include +#include +#include +#include "blocking.h" + +struct rs_packet * +next_packet (const struct rs_handle *ctx, int fd) +{ + uint8_t hdr[RS_HEADER_LEN]; + uint8_t *buf; + size_t len; + struct rs_packet *p; + ssize_t n; + + /* Read fixed length header. */ + n = 0; + while (n < RS_HEADER_LEN) + n += read (fd, hdr, RS_HEADER_LEN - n); + + p = rs_packet_new (ctx, hdr, &len); + fprintf (stderr, "DEBUG: got header, total packet len is %d\n", + len + RS_HEADER_LEN); + + /* Read the rest of the message. */ + if (p) + { + buf = malloc (len); + if (buf) + { + n = 0; + while (n < len) + n += read (fd, buf, len - n); + p = rs_packet_parse (ctx, &p, buf, len); + free (buf); + } + else + rs_packet_free (ctx, &p); + } + + return p; +} + +int +send_packet(const struct rs_handle *ctx, int fd, struct rs_packet *p) +{ + uint8_t *buf = NULL; + ssize_t n = -20; /* Arbitrary packet size -- a guess. */ + + while (n < 0) + { + buf = realloc (buf, -n); + if (buf == NULL) + return -1; + n = rs_packet_serialize (p, buf, -n); + } + + while (n) + { + ssize_t count = write (fd, buf, n); + if (count == -1) + return -1; + n -= count; + } + + free (buf); + rs_packet_free (ctx, &p); + return 0; +} diff --git a/examples/blocking.h b/examples/blocking.h new file mode 100644 index 0000000..f91e6be --- /dev/null +++ b/examples/blocking.h @@ -0,0 +1,4 @@ +#include "libradsec-base.h" + +struct rs_packet *next_packet (const struct rs_handle *ctx, int fd); +int send_packet (const struct rs_handle *ctx, int fd, struct rs_packet *p); diff --git a/examples/client-blocking.c b/examples/client-blocking.c new file mode 100644 index 0000000..a50ee8a --- /dev/null +++ b/examples/client-blocking.c @@ -0,0 +1,127 @@ +/* RADIUS/RadSec client using libradsec in blocking mode. */ + +#include +#include +#include +#include +#include +#include "err.h" +#include "debug.h" /* For rs_dump_packet(). */ + +#define SECRET "sikrit" +#define USER_NAME "molgan@PROJECT-MOONSHOT.ORG" +#define USER_PW "password" + +struct rs_error * +blocking_client (const char *config_fn, const char *configuration, + int use_request_object_flag) +{ + struct rs_context *h = NULL; + struct rs_connection *conn = NULL; + struct rs_request *request = NULL; + struct rs_packet *req = NULL, *resp = NULL; + struct rs_error *err = NULL; + int r; + + r = rs_context_create (&h); + if (r) + { + assert (!"unable to create libradsec context"); + } + +#if !defined (USE_CONFIG_FILE) + { + struct rs_peer *server; + + if (rs_conn_create (h, &conn, NULL)) + goto cleanup; + rs_conn_set_type (conn, RS_CONN_TYPE_UDP); + if (rs_peer_create (conn, &server)) + goto cleanup; + if (rs_peer_set_address (server, av1, av2)) + goto cleanup; + rs_peer_set_timeout (server, 1); + rs_peer_set_retries (server, 3); + if (rs_peer_set_secret (server, SECRET)) + goto cleanup; + } +#else /* defined (USE_CONFIG_FILE) */ + if (rs_context_read_config (h, config_fn)) + goto cleanup; + if (rs_conn_create (h, &conn, configuration)) + goto cleanup; +#endif /* defined (USE_CONFIG_FILE) */ + + if (use_request_object_flag) + { + if (rs_request_create_authn (conn, &request, USER_NAME, USER_PW)) + goto cleanup; + if (rs_request_send (request, &resp)) + goto cleanup; + } + else + { + if (rs_packet_create_authn_request (conn, &req, USER_NAME, USER_PW)) + goto cleanup; + if (rs_packet_send (req, NULL)) + goto cleanup; + if (rs_conn_receive_packet (conn, req, &resp)) + goto cleanup; + } + + if (resp) + { + rs_dump_packet (resp); + if (rs_packet_code (resp) == PW_ACCESS_ACCEPT) + printf ("Good auth.\n"); + else + printf ("Bad auth: %d\n", rs_packet_code (resp)); + } + else + fprintf (stderr, "%s: no response\n", __func__); + + cleanup: + err = rs_err_ctx_pop (h); + if (err == RSE_OK) + err = rs_err_conn_pop (conn); + if (resp) + rs_packet_destroy (resp); + if (request) + rs_request_destroy (request); + if (conn) + rs_conn_destroy (conn); + if (h) + rs_context_destroy (h); + + return err; +} + +void +usage (int argc, char *argv[]) +{ + fprintf (stderr, "usage: %s: [-r] config-file config-name\n", argv[0]); + exit (1); +} + +int +main (int argc, char *argv[]) +{ + int use_request_object_flag = 0; + struct rs_error *err; + + if (argc > 1 && argv[1] && argv[1][0] == '-' && argv[1][1] == 'r') + { + use_request_object_flag = 1; + argc--; + argv++; + } + if (argc < 3) + usage (argc, argv); + err = blocking_client (argv[1], argv[2], use_request_object_flag); + if (err) + { + fprintf (stderr, "error: %s: %d\n", rs_err_msg (err), rs_err_code (err, 0)); + return rs_err_code (err, 1); + } + return 0; +} diff --git a/examples/client-psk.conf b/examples/client-psk.conf new file mode 100644 index 0000000..7b35e23 --- /dev/null +++ b/examples/client-psk.conf @@ -0,0 +1,18 @@ +# We keep PSK configurations in a separate config file until +# --enable-tls-psk is on by default. This configuration is not valid +# without PSK support. + +realm blocking-tls-psk { + type = "TLS" + timeout = 1 + retries = 3 + #pskstr = "sikrit psk" + pskhexstr = "deadbeef4711" + pskid = "Client_identity" + pskex = "PSK" + server { + hostname = "srv1" + service = "4433" + secret = "sikrit" + } +} diff --git a/examples/client.conf b/examples/client.conf new file mode 100644 index 0000000..b0b4536 --- /dev/null +++ b/examples/client.conf @@ -0,0 +1,24 @@ +realm blocking-udp { + type = "UDP" + timeout = 2 + retries = 2 + server { + hostname = "127.0.0.1" + service = "1820" + secret = "sikrit" + } +} + +realm blocking-tls { + type = "TLS" + timeout = 1 + retries = 3 + cacertfile = "tests/demoCA/newcerts/01.pem" + certfile = "tests/demoCA/newcerts/03.pem" + certkeyfile = "tests/demoCA/private/cli1.key" + server { + hostname = "srv1" + service = "2083" + secret = "sikrit" + } +} diff --git a/include/Makefile.am b/include/Makefile.am new file mode 100644 index 0000000..754590c --- /dev/null +++ b/include/Makefile.am @@ -0,0 +1,12 @@ +RADSEC_EXPORT = \ + radsec/radsec.h \ + radsec/radsec-impl.h \ + radsec/request.h \ + radsec/request-impl.h \ + radsec/radius.h + +EXTRA_SRC = $(RADSEC_EXPORT) +nobase_include_HEADERS = $(RADSEC_EXPORT) + +clean-local: + rm -f radsec/radius.h diff --git a/include/radsec/.gitignore b/include/radsec/.gitignore new file mode 100644 index 0000000..c20d18b --- /dev/null +++ b/include/radsec/.gitignore @@ -0,0 +1 @@ +radius.h diff --git a/include/radsec/radsec-impl.h b/include/radsec/radsec-impl.h new file mode 100644 index 0000000..0ecd631 --- /dev/null +++ b/include/radsec/radsec-impl.h @@ -0,0 +1,156 @@ +/** @file libradsec-impl.h + @brief Libraray internal header file for libradsec. */ + +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#ifndef _RADSEC_RADSEC_IMPL_H_ +#define _RADSEC_RADSEC_IMPL_H_ 1 + +#include +#include +#if defined(RS_ENABLE_TLS) +#include +#endif + +/* Constants. */ +#define RS_HEADER_LEN 4 + +/* Data types. */ +enum rs_cred_type { + RS_CRED_NONE = 0, + /* TLS pre-shared keys, RFC 4279. */ + RS_CRED_TLS_PSK, + /* RS_CRED_TLS_DH_PSK, */ + /* RS_CRED_TLS_RSA_PSK, */ +}; +typedef unsigned int rs_cred_type_t; + +enum rs_key_encoding { + RS_KEY_ENCODING_UTF8 = 1, + RS_KEY_ENCODING_ASCII_HEX = 2, +}; +typedef unsigned int rs_key_encoding_t; + +#if defined (__cplusplus) +extern "C" { +#endif + +struct rs_credentials { + enum rs_cred_type type; + char *identity; + char *secret; + enum rs_key_encoding secret_encoding; + unsigned int secret_len; +}; + +struct rs_error { + int code; + char buf[1024]; +}; + +/** Configuration object for a connection. */ +struct rs_peer { + struct rs_connection *conn; + struct rs_realm *realm; + char *hostname; + char *service; + char *secret; /* RADIUS secret. */ + struct evutil_addrinfo *addr_cache; + struct rs_peer *next; +}; + +/** Configuration object for a RADIUS realm. */ +struct rs_realm { + char *name; + enum rs_conn_type type; + int timeout; + int retries; + char *cacertfile; + char *cacertpath; + char *certfile; + char *certkeyfile; + int disable_hostname_check; + struct rs_credentials *transport_cred; + struct rs_peer *peers; + struct rs_realm *next; +}; + +/** Top configuration object. */ +struct rs_config { + struct rs_realm *realms; + cfg_t *cfg; +}; + +struct rs_context { + struct rs_config *config; + struct rs_alloc_scheme alloc_scheme; + struct rs_error *err; +}; + +struct rs_connection { + struct rs_context *ctx; + struct rs_realm *realm; /* Owned by ctx. */ + struct event_base *evb; /* Event base. */ + struct event *tev; /* Timeout event. */ + struct rs_conn_callbacks callbacks; + void *user_data; + struct rs_peer *peers; + struct rs_peer *active_peer; + struct rs_error *err; + struct timeval timeout; + char is_connecting; /* FIXME: replace with a single state member */ + char is_connected; /* FIXME: replace with a single state member */ + int fd; /* Socket. */ + int tryagain; /* For server failover. */ + int nextid; /* Next RADIUS packet identifier. */ + /* TCP transport specifics. */ + struct bufferevent *bev; /* Buffer event. */ + /* UDP transport specifics. */ + struct event *wev; /* Write event (for UDP). */ + struct event *rev; /* Read event (for UDP). */ + struct rs_packet *out_queue; /* Queue for outgoing UDP packets. */ +#if defined(RS_ENABLE_TLS) + /* TLS specifics. */ + SSL_CTX *tls_ctx; + SSL *tls_ssl; +#endif +}; + +enum rs_packet_flags { + RS_PACKET_HEADER_READ, + RS_PACKET_RECEIVED, + RS_PACKET_SENT, +}; + +struct radius_packet; + +struct rs_packet { + struct rs_connection *conn; + unsigned int flags; + uint8_t hdr[RS_HEADER_LEN]; + struct radius_packet *rpkt; /* FreeRADIUS object. */ + struct rs_packet *next; /* Used for UDP output queue. */ +}; + +#if defined (__cplusplus) +} +#endif + +/* Convenience macros. */ +#define rs_calloc(h, nmemb, size) \ + (h->alloc_scheme.calloc ? h->alloc_scheme.calloc : calloc)(nmemb, size) +#define rs_malloc(h, size) \ + (h->alloc_scheme.malloc ? h->alloc_scheme.malloc : malloc)(size) +#define rs_free(h, ptr) \ + (h->alloc_scheme.free ? h->alloc_scheme.free : free)(ptr) +#define rs_realloc(h, realloc, ptr, size) \ + (h->alloc_scheme.realloc ? h->alloc_scheme.realloc : realloc)(ptr, size) +#define min(a, b) ((a) < (b) ? (a) : (b)) +#define max(a, b) ((a) > (b) ? (a) : (b)) + +#endif /* _RADSEC_RADSEC_IMPL_H_ */ + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/include/radsec/radsec.h b/include/radsec/radsec.h new file mode 100644 index 0000000..1d718a0 --- /dev/null +++ b/include/radsec/radsec.h @@ -0,0 +1,607 @@ +/** \file radsec.h + \brief Public interface for libradsec. */ + +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#ifndef _RADSEC_RADSEC_H_ +#define _RADSEC_RADSEC_H_ 1 + +#ifdef HAVE_CONFIG_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif +#ifdef HAVE_ARPA_INET_H +#include +#endif +#ifdef HAVE_UNISTD_H +#include +#endif +#ifdef HAVE_STDINT_H +#include +#endif + +enum rs_error_code { + RSE_OK = 0, + RSE_NOMEM = 1, + RSE_NOSYS = 2, + RSE_INVALID_CTX = 3, + RSE_INVALID_CONN = 4, + RSE_CONN_TYPE_MISMATCH = 5, + RSE_BADADDR = 7, + RSE_NOPEER = 8, + RSE_EVENT = 9, /* libevent error. */ + RSE_SOCKERR = 10, + RSE_CONFIG = 11, + RSE_BADAUTH = 12, + RSE_INTERNAL = 13, + RSE_SSLERR = 14, /* OpenSSL error. */ + RSE_INVALID_PKT = 15, + RSE_TIMEOUT_CONN = 16, /* Connection timeout. */ + RSE_INVAL = 17, /* Invalid argument. */ + RSE_TIMEOUT_IO = 18, /* I/O timeout. */ + RSE_TIMEOUT = 19, /* High level timeout. */ + RSE_DISCO = 20, + RSE_INUSE = 21, + RSE_PACKET_TOO_SMALL = 22, + RSE_PACKET_TOO_LARGE = 23, + RSE_ATTR_OVERFLOW = 24, + RSE_ATTR_TOO_SMALL = 25, + RSE_ATTR_TOO_LARGE = 26, + RSE_ATTR_UNKNOWN = 27, + RSE_ATTR_BAD_NAME = 28, + RSE_ATTR_VALUE_MALFORMED = 29, + RSE_ATTR_INVALID = 30, + RSE_TOO_MANY_ATTRS = 31, + RSE_ATTR_TYPE_UNKNOWN = 32, + RSE_MSG_AUTH_LEN = 33, + RSE_MSG_AUTH_WRONG = 34, + RSE_REQUEST_REQUIRED = 35, + RSE_INVALID_REQUEST_CODE = 36, + RSE_AUTH_VECTOR_WRONG = 37, + RSE_INVALID_RESPONSE_CODE = 38, + RSE_INVALID_RESPONSE_ID = 39, + RSE_INVALID_RESPONSE_SRC = 40, + RSE_NO_PACKET_DATA = 41, + RSE_VENDOR_UNKNOWN = 42, + RSE_CRED = 43, + RSE_CERT = 44, + RSE_MAX = RSE_CERT +}; + +enum rs_conn_type { + RS_CONN_TYPE_NONE = 0, + RS_CONN_TYPE_UDP, + RS_CONN_TYPE_TCP, + RS_CONN_TYPE_TLS, + RS_CONN_TYPE_DTLS, +}; +typedef unsigned int rs_conn_type_t; + +typedef enum rs_attr_type_t { + RS_TYPE_INVALID = 0, /**< Invalid data type */ + RS_TYPE_STRING, /**< printable-text */ + RS_TYPE_INTEGER, /**< a 32-bit unsigned integer */ + RS_TYPE_IPADDR, /**< an IPv4 address */ + RS_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */ + RS_TYPE_OCTETS, /**< a sequence of binary octets */ + RS_TYPE_IFID, /**< an Interface Id */ + RS_TYPE_IPV6ADDR, /**< an IPv6 address */ + RS_TYPE_IPV6PREFIX, /**< an IPv6 prefix */ + RS_TYPE_BYTE, /**< an 8-bit integer */ + RS_TYPE_SHORT, /**< a 16-bit integer */ +} rs_attr_type_t; + +#define PW_ACCESS_REQUEST 1 +#define PW_ACCESS_ACCEPT 2 +#define PW_ACCESS_REJECT 3 +#define PW_ACCOUNTING_REQUEST 4 +#define PW_ACCOUNTING_RESPONSE 5 +#define PW_ACCOUNTING_STATUS 6 +#define PW_PASSWORD_REQUEST 7 +#define PW_PASSWORD_ACK 8 +#define PW_PASSWORD_REJECT 9 +#define PW_ACCOUNTING_MESSAGE 10 +#define PW_ACCESS_CHALLENGE 11 +#define PW_STATUS_SERVER 12 +#define PW_STATUS_CLIENT 13 +#define PW_DISCONNECT_REQUEST 40 +#define PW_DISCONNECT_ACK 41 +#define PW_DISCONNECT_NAK 42 +#define PW_COA_REQUEST 43 +#define PW_COA_ACK 44 +#define PW_COA_NAK 45 + +#if defined (__cplusplus) +extern "C" { +#endif + +/* Data types. */ +struct rs_context; /* radsec-impl.h */ +struct rs_connection; /* radsec-impl.h */ +struct rs_packet; /* radsec-impl.h */ +struct rs_conn; /* radsec-impl.h */ +struct rs_error; /* radsec-impl.h */ +struct rs_peer; /* radsec-impl.h */ +struct radius_packet; /* */ +struct value_pair; /* */ +struct event_base; /* */ + +typedef void *(*rs_calloc_fp) (size_t nmemb, size_t size); +typedef void *(*rs_malloc_fp) (size_t size); +typedef void (*rs_free_fp) (void *ptr); +typedef void *(*rs_realloc_fp) (void *ptr, size_t size); +struct rs_alloc_scheme { + rs_calloc_fp calloc; + rs_malloc_fp malloc; + rs_free_fp free; + rs_realloc_fp realloc; +}; + +typedef void (*rs_conn_connected_cb) (void *user_data /* FIXME: peer? */ ); +typedef void (*rs_conn_disconnected_cb) (void *user_data /* FIXME: reason? */ ); +typedef void (*rs_conn_packet_received_cb) (struct rs_packet *packet, + void *user_data); +typedef void (*rs_conn_packet_sent_cb) (void *user_data); +struct rs_conn_callbacks { + /** Callback invoked when the connection has been established. */ + rs_conn_connected_cb connected_cb; + /** Callback invoked when the connection has been torn down. */ + rs_conn_disconnected_cb disconnected_cb; + /** Callback invoked when a packet was received. */ + rs_conn_packet_received_cb received_cb; + /** Callback invoked when a packet was successfully sent. */ + rs_conn_packet_sent_cb sent_cb; +}; + +typedef struct value_pair rs_avp; +typedef const struct value_pair rs_const_avp; + +/* Function prototypes. */ + +/*************/ +/* Context. */ +/*************/ +/** Create a context. Freed by calling \a rs_context_destroy. Note + that the context must not be freed before all other libradsec + objects have been freed. + + If support for POSIX threads was detected at configure and build + time \a rs_context_create will use mutexes to protect multiple + threads from stomping on each other in OpenSSL. + + \a ctx Address of pointer to a struct rs_context. This is the + output of this function. + + \return RSE_OK (0) on success, RSE_SSLERR on TLS library + initialisation error and RSE_NOMEM on out of memory. */ +int rs_context_create(struct rs_context **ctx); + +/** Free a context. Note that the context must not be freed before + all other libradsec objects have been freed. */ +void rs_context_destroy(struct rs_context *ctx); + +/** Set allocation scheme to use. \a scheme is the allocation scheme + to use, see \a rs_alloc_scheme. \return On success, RSE_OK (0) is + returned. On error, !0 is returned and a struct \a rs_error is + pushed on the error stack for the context. The error can be + accessed using \a rs_err_ctx_pop. */ +int rs_context_set_alloc_scheme(struct rs_context *ctx, + struct rs_alloc_scheme *scheme); + +/** Read configuration file. \a config_file is the path of the + configuration file to read. \return On success, RSE_OK (0) is + returned. On error, !0 is returned and a struct \a rs_error is + pushed on the error stack for the context. The error can be + accessed using \a rs_err_ctx_pop. */ +int rs_context_read_config(struct rs_context *ctx, const char *config_file); + +/****************/ +/* Connection. */ +/****************/ +/** Create a connection. \a conn is the address of a pointer to an \a + rs_connection, the output. Free the connection using \a + rs_conn_destroy. Note that a connection must not be freed before + all packets associated with the connection have been freed. A + packet is associated with a connection when it's created (\a + rs_packet_create) or received (\a rs_conn_receive_packet). + + If \a config is not NULL it should be the name of a configuration + found in the config file read in using \a rs_context_read_config. + \return On success, RSE_OK (0) is returned. On error, !0 is + returned and a struct \a rs_error is pushed on the error stack for + the context. The error can be accessed using \a + rs_err_ctx_pop. */ +int rs_conn_create(struct rs_context *ctx, + struct rs_connection **conn, + const char *config); + +/** Not implemented. */ +int rs_conn_add_listener(struct rs_connection *conn, + rs_conn_type_t type, + const char *hostname, + int port); +/** Disconnect connection \a conn. \return RSE_OK (0) on success, !0 + * on error. On error, errno is set appropriately. */ +int rs_conn_disconnect (struct rs_connection *conn); + +/** Disconnect and free memory allocated for connection \a conn. Note + that a connection must not be freed before all packets associated + with the connection have been freed. A packet is associated with + a connection when it's created (\a rs_packet_create) or received + (\a rs_conn_receive_packet). \return RSE_OK (0) on success, !0 * + on error. On error, errno is set appropriately. */ +int rs_conn_destroy(struct rs_connection *conn); + +/** Set connection type for \a conn. */ +void rs_conn_set_type(struct rs_connection *conn, rs_conn_type_t type); + +/** Not implemented. */ +int rs_conn_set_eventbase(struct rs_connection *conn, struct event_base *eb); + +/** Register callbacks \a cb for connection \a conn. */ +void rs_conn_set_callbacks(struct rs_connection *conn, + struct rs_conn_callbacks *cb); + +/** Remove callbacks for connection \a conn. */ +void rs_conn_del_callbacks(struct rs_connection *conn); + +/** Return callbacks registered for connection \a conn. \return + Installed callbacks are returned. */ +struct rs_conn_callbacks *rs_conn_get_callbacks(struct rs_connection *conn); + +/** Not implemented. */ +int rs_conn_select_peer(struct rs_connection *conn, const char *name); + +/** Not implemented. */ +int rs_conn_get_current_peer(struct rs_connection *conn, + const char *name, + size_t buflen); + +/** Special function used in blocking mode, i.e. with no callbacks + registered. For any other use of libradsec, a \a received_cb + callback should be registered using \a rs_conn_set_callbacks. + + If \a req_msg is not NULL, a successfully received RADIUS message + is verified against it. If \a pkt_out is not NULL it will upon + return contain a pointer to an \a rs_packet containing the new + message. + + \return On error or if the connect (TCP only) or read times out, + \a pkt_out will not be changed and one or more errors are pushed + on \a conn (available through \a rs_err_conn_pop). */ +int rs_conn_receive_packet(struct rs_connection *conn, + struct rs_packet *request, + struct rs_packet **pkt_out); + +/** Get the file descriptor associated with connection \a conn. + * \return File descriptor. */ +int rs_conn_fd(struct rs_connection *conn); + +/** Set the timeout value for connection \a conn. */ +void rs_conn_set_timeout(struct rs_connection *conn, struct timeval *tv); + +/* Peer -- client and server. */ +int rs_peer_create(struct rs_connection *conn, struct rs_peer **peer_out); +int rs_peer_set_address(struct rs_peer *peer, + const char *hostname, + const char *service); +int rs_peer_set_secret(struct rs_peer *peer, const char *secret); +void rs_peer_set_timeout(struct rs_peer *peer, int timeout); +void rs_peer_set_retries(struct rs_peer *peer, int retries); + +/************/ +/* Packet. */ +/************/ +/** Create a packet associated with connection \a conn. */ +int rs_packet_create(struct rs_connection *conn, struct rs_packet **pkt_out); + +/** Free all memory allocated for packet \a pkt. */ +void rs_packet_destroy(struct rs_packet *pkt); + +/** Send packet \a pkt on the connection associated with \a pkt. + \a user_data is passed to the \a rs_conn_packet_received_cb callback + registered with the connection. If no callback is registered with + the connection, the event loop is run by \a rs_packet_send and it + blocks until the full packet has been sent. Note that sending can + fail in several ways, f.ex. if the transmission protocol in use + is connection oriented (\a RS_CONN_TYPE_TCP and \a RS_CONN_TYPE_TLS) + and the connection can not be established. Also note that no + retransmission is done, something that is required for connectionless + transport protocols (\a RS_CONN_TYPE_UDP and \a RS_CONN_TYPE_DTLS). + The "request" API with \a rs_request_send can help with this. + + \return On success, RSE_OK (0) is returned. On error, !0 is + returned and a struct \a rs_error is pushed on the error stack for + the connection. The error can be accessed using \a rs_err_conn_pop. */ +int rs_packet_send(struct rs_packet *pkt, void *user_data); + +/** Create a RADIUS authentication request packet associated with + connection \a conn. Optionally, User-Name and User-Password + attributes are added to the packet using the data in \a user_name + and \a user_pw. */ +int rs_packet_create_authn_request(struct rs_connection *conn, + struct rs_packet **pkt, + const char *user_name, + const char *user_pw); + +/** Add a new attribute-value pair to \a pkt. */ +int rs_packet_add_avp(struct rs_packet *pkt, + unsigned int attr, unsigned int vendor, + const void *data, size_t data_len); + +/** Append a new attribute to packet \a pkt. Note that this function + encodes the attribute and therefore might require the secret + shared with the thought recipient to be set in pkt->rpkt. Note + also that this function marks \a pkt as already encoded and can + not be used on packets with non-encoded value-pairs already + added. */ +int +rs_packet_append_avp(struct rs_packet *pkt, + unsigned int attribute, unsigned int vendor, + const void *data, size_t data_len); + +/*** Get pointer to \a pkt attribute value pairs. */ +void +rs_packet_avps(struct rs_packet *pkt, rs_avp ***vps); + +/*** Get RADIUS packet type of \a pkt. */ +unsigned int +rs_packet_code(struct rs_packet *pkt); + +/*** Get RADIUS AVP from \a pkt. */ +rs_const_avp * +rs_packet_find_avp(struct rs_packet *pkt, unsigned int attr, unsigned int vendor); + +/*** Set packet identifier in \a pkt; returns old identifier */ +int +rs_packet_set_id (struct rs_packet *pkt, int id); + +/************/ +/* Config. */ +/************/ +/** Find the realm named \a name in the configuration file previoiusly + read in using \a rs_context_read_config. */ +struct rs_realm *rs_conf_find_realm(struct rs_context *ctx, const char *name); + +/***********/ +/* Error. */ +/***********/ +/** Create a struct \a rs_error and push it on a FIFO associated with + context \a ctx. Note: The depth of the error stack is one (1) at + the moment. This will change in a future release. */ +int rs_err_ctx_push(struct rs_context *ctx, int code, const char *fmt, ...); +int rs_err_ctx_push_fl(struct rs_context *ctx, + int code, + const char *file, + int line, + const char *fmt, + ...); +/** Pop the first error from the error FIFO associated with context \a + ctx or NULL if there are no errors in the FIFO. */ +struct rs_error *rs_err_ctx_pop(struct rs_context *ctx); + +/** Create a struct \a rs_error and push it on a FIFO associated with + connection \a conn. Note: The depth of the error stack is one (1) + at the moment. This will change in a future release. */ +int rs_err_conn_push(struct rs_connection *conn, + int code, + const char *fmt, + ...); +int rs_err_conn_push_fl(struct rs_connection *conn, + int code, + const char *file, + int line, + const char *fmt, + ...); +/** Pop the first error from the error FIFO associated with connection + \a conn or NULL if there are no errors in the FIFO. */ +struct rs_error *rs_err_conn_pop(struct rs_connection *conn); + +int rs_err_conn_peek_code (struct rs_connection *conn); +void rs_err_free(struct rs_error *err); +char *rs_err_msg(struct rs_error *err); +int rs_err_code(struct rs_error *err, int dofree_flag); + +/************/ +/* AVPs. */ +/************/ +#define rs_avp_is_string(vp) (rs_avp_typeof(vp) == RS_TYPE_STRING) +#define rs_avp_is_integer(vp) (rs_avp_typeof(vp) == RS_TYPE_INTEGER) +#define rs_avp_is_ipaddr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPADDR) +#define rs_avp_is_date(vp) (rs_avp_typeof(vp) == RS_TYPE_DATE) +#define rs_avp_is_octets(vp) (rs_avp_typeof(vp) == RS_TYPE_OCTETS) +#define rs_avp_is_ifid(vp) (rs_avp_typeof(vp) == RS_TYPE_IFID) +#define rs_avp_is_ipv6addr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6ADDR) +#define rs_avp_is_ipv6prefix(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6PREFIX) +#define rs_avp_is_byte(vp) (rs_avp_typeof(vp) == RS_TYPE_BYTE) +#define rs_avp_is_short(vp) (rs_avp_typeof(vp) == RS_TYPE_SHORT) +#define rs_avp_is_tlv(vp) (rs_avp_typeof(vp) == RS_TYPE_TLV) + +/** The maximum length of a RADIUS attribute. + * + * The RFCs require that a RADIUS attribute transport no more than + * 253 octets of data. We add an extra byte for a trailing NUL, so + * that the VALUE_PAIR::vp_strvalue field can be handled as a C + * string. + */ +#define RS_MAX_STRING_LEN 254 + +/** Free the AVP list \a vps */ +void +rs_avp_free(rs_avp **vps); + +/** Return the length of AVP \a vp in bytes */ +size_t +rs_avp_length(rs_const_avp *vp); + +/** Return the type of \a vp */ +rs_attr_type_t +rs_avp_typeof(rs_const_avp *vp); + +/** Retrieve the attribute and vendor ID of \a vp */ +void +rs_avp_attrid(rs_const_avp *vp, unsigned int *attr, unsigned int *vendor); + +/** Add \a vp to the list pointed to by \a head */ +void +rs_avp_append(rs_avp **head, rs_avp *vp); + +/** Find an AVP in \a vp that matches \a attr and \a vendor */ +rs_avp * +rs_avp_find(rs_avp *vp, unsigned int attr, unsigned int vendor); + +/** Find an AVP in \a vp that matches \a attr and \a vendor */ +rs_const_avp * +rs_avp_find_const(rs_const_avp *vp, unsigned int attr, unsigned int vendor); + +/** Alloc a new AVP for \a attr and \a vendor */ +rs_avp * +rs_avp_alloc(unsigned int attr, unsigned int vendor); + +/** Duplicate existing AVP \a vp */ +rs_avp * +rs_avp_dup(rs_const_avp *vp); + +/** Remove matching AVP from list \a vps */ +int +rs_avp_delete(rs_avp **vps, unsigned int attr, unsigned int vendor); + +/** Return next AVP in list */ +rs_avp * +rs_avp_next(rs_avp *vp); + +/** Return next AVP in list */ +rs_const_avp * +rs_avp_next_const(rs_const_avp *avp); + +/** Return string value of \a vp */ +const char * +rs_avp_string_value(rs_const_avp *vp); + +/** Set AVP \a vp to string \a str */ +int +rs_avp_string_set(rs_avp *vp, const char *str); + +/** Return integer value of \a vp */ +uint32_t +rs_avp_integer_value(rs_const_avp *vp); + +/** Set AVP \a vp to integer \a val */ +int +rs_avp_integer_set(rs_avp *vp, uint32_t val); + +/** Return IPv4 value of \a vp */ +uint32_t +rs_avp_ipaddr_value(rs_const_avp *vp); + +/** Set AVP \a vp to IPv4 address \a in */ +int +rs_avp_ipaddr_set(rs_avp *vp, struct in_addr in); + +/** Return POSIX time value of \a vp */ +time_t +rs_avp_date_value(rs_const_avp *vp); + +/** Set AVP \a vp to POSIX time \a date */ +int +rs_avp_date_set(rs_avp *vp, time_t date); + +/** Return constant pointer to octets in \a vp */ +const unsigned char * +rs_avp_octets_value_const_ptr(rs_const_avp *vp); + +/** Return pointer to octets in \a vp */ +unsigned char * +rs_avp_octets_value_ptr(rs_avp *vp); + +/** Retrieve octet pointer \a p and length \a len from \a vp */ +int +rs_avp_octets_value_byref(rs_avp *vp, + unsigned char **p, + size_t *len); + +/** Copy octets from \a vp into \a buf and \a len */ +int +rs_avp_octets_value(rs_const_avp *vp, + unsigned char *buf, + size_t *len); + +/** + * Copy octets possibly fragmented across multiple VPs + * into \a buf and \a len + */ +int +rs_avp_fragmented_value(rs_const_avp *vps, + unsigned char *buf, + size_t *len); + +/** Copy \a len octets in \a buf to AVP \a vp */ +int +rs_avp_octets_set(rs_avp *vp, + const unsigned char *buf, + size_t len); + +/** Return IFID value of \a vp */ +int +rs_avp_ifid_value(rs_const_avp *vp, uint8_t val[8]); + +int +rs_avp_ifid_set(rs_avp *vp, const uint8_t val[8]); + +/** Return byte value of \a vp */ +uint8_t +rs_avp_byte_value(rs_const_avp *vp); + +/** Set AVP \a vp to byte \a val */ +int +rs_avp_byte_set(rs_avp *vp, uint8_t val); + +/** Return short value of \a vp */ +uint16_t +rs_avp_short_value(rs_const_avp *vp); + +/** Set AVP \a vp to short integer \a val */ +int +rs_avp_short_set(rs_avp *vp, uint16_t val); + +/** Display possibly \a canonical attribute name into \a buffer */ +int +rs_attr_display_name (unsigned int attr, + unsigned int vendor, + char *buffer, + size_t bufsize, + int canonical); + +/** Display AVP \a vp into \a buffer */ +size_t +rs_avp_display_value(rs_const_avp *vp, + char *buffer, + size_t buflen); + +int +rs_attr_parse_name (const char *name, + unsigned int *attr, + unsigned int *vendor); + +/** Lookup attribute \a name */ +int +rs_attr_find(const char *name, + unsigned int *attr, + unsigned int *vendor); + +/** Return dictionary name for AVP \a vp */ +const char * +rs_avp_name(rs_const_avp *vp); + +#if defined (__cplusplus) +} +#endif + +#endif /* _RADSEC_RADSEC_H_ */ + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/include/radsec/request-impl.h b/include/radsec/request-impl.h new file mode 100644 index 0000000..97335e5 --- /dev/null +++ b/include/radsec/request-impl.h @@ -0,0 +1,24 @@ +/* Copyright 2010-2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#ifndef _RADSEC_REQUEST_IMPL_H_ +#define _RADSEC_REQUEST_IMPL_H_ 1 + +#if defined (__cplusplus) +extern "C" { +#endif + +struct rs_request +{ + struct rs_connection *conn; + struct event *timer; + struct rs_packet *req_msg; + struct rs_conn_callbacks saved_cb; + void *saved_user_data; +}; + +#if defined (__cplusplus) +} +#endif + +#endif /* _RADSEC_REQUEST_IMPL_H_ */ diff --git a/include/radsec/request.h b/include/radsec/request.h new file mode 100644 index 0000000..d4c72b3 --- /dev/null +++ b/include/radsec/request.h @@ -0,0 +1,50 @@ +/** \file request.h + \brief Public interface for libradsec request's. */ + +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#ifndef _RADSEC_REQUEST_H_ +#define _RADSEC_REQUEST_H_ 1 + +struct rs_request; + +#if defined (__cplusplus) +extern "C" { +#endif + +/** Create a request associated with connection \a conn. */ +int rs_request_create(struct rs_connection *conn, struct rs_request **req_out); + +/** Add RADIUS request message \a req_msg to request \a req. + FIXME: Rename to rs_request_add_reqmsg? */ +void rs_request_add_reqpkt(struct rs_request *req, struct rs_packet *req_msg); + +/** Create a request associated with connection \a conn containing a + newly created RADIUS authentication message, possibly with \a + user_name and \a user_pw attributes. \a user_name and _user_pw + are optional and can be NULL. */ +int rs_request_create_authn(struct rs_connection *conn, + struct rs_request **req_out, + const char *user_name, + const char *user_pw); + +/** Send request \a req and wait for a matching response. The + response is put in \a resp_msg (if not NULL). NOTE: At present, + no more than one outstanding request to a given realm is + supported. This will change in a future version. */ +int rs_request_send(struct rs_request *req, struct rs_packet **resp_msg); + +/** Free all memory allocated by request \a req including any request + packet associated with the request. Note that a request must be + freed before its associated connection can be freed. */ +void rs_request_destroy(struct rs_request *req); + +/** Return request message in request \a req. */ +struct rs_packet *rs_request_get_reqmsg(const struct rs_request *req); + +#if defined (__cplusplus) +} +#endif + +#endif /* _RADSEC_REQUEST_H_ */ diff --git a/lib/.gitignore b/lib/.gitignore deleted file mode 100644 index 97aee05..0000000 --- a/lib/.gitignore +++ /dev/null @@ -1,17 +0,0 @@ -*.*~* -TAGS -*.o -.deps -.libs -autom4te.cache -config.log -config.h* -config.status -configure -aclocal.m4 -*.lo -*.la -Makefile.in -Makefile -stamp-h1 -libtool diff --git a/lib/CHANGES b/lib/CHANGES deleted file mode 100644 index 928dfbe..0000000 --- a/lib/CHANGES +++ /dev/null @@ -1,17 +0,0 @@ -Changes between 0.0.4 and 0.0.5 - - - When POSIX thread support is detected at configure and build time - libradsec will be more safe to use by programs that call it from - more than one thread simultaneously. - - - The initialisation of the OpenSSL PRNG has been improved. - -User visible changes between 0.0.1 and 0.0.4 - - - TLS support is now enabled by default. Use --disable-tls to - disable it. - - - Support for TLS-PSK has been added (--enable-tls-psk). - - - The RADIUS dictionaries are now compiled into the library and are - no longer read from disk. diff --git a/lib/Doxyfile b/lib/Doxyfile deleted file mode 100644 index 9c79d20..0000000 --- a/lib/Doxyfile +++ /dev/null @@ -1,1630 +0,0 @@ -# Doxyfile 1.7.1 - -# This file describes the settings to be used by the documentation system -# doxygen (www.doxygen.org) for a project -# -# All text after a hash (#) is considered a comment and will be ignored -# The format is: -# TAG = value [value, ...] -# For lists items can also be appended using: -# TAG += value [value, ...] -# Values that contain spaces should be placed between quotes (" ") - -#--------------------------------------------------------------------------- -# Project related configuration options -#--------------------------------------------------------------------------- - -# This tag specifies the encoding used for all characters in the config file -# that follow. The default is UTF-8 which is also the encoding used for all -# text before the first occurrence of this tag. Doxygen uses libiconv (or the -# iconv built into libc) for the transcoding. See -# http://www.gnu.org/software/libiconv for the list of possible encodings. - -DOXYFILE_ENCODING = UTF-8 - -# The PROJECT_NAME tag is a single word (or a sequence of words surrounded -# by quotes) that should identify the project. - -PROJECT_NAME = libradsec - -# The PROJECT_NUMBER tag can be used to enter a project or revision number. -# This could be handy for archiving the generated documentation or -# if some version control system is used. - -PROJECT_NUMBER = - -# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) -# base path where the generated documentation will be put. -# If a relative path is entered, it will be relative to the location -# where doxygen was started. If left blank the current directory will be used. - -OUTPUT_DIRECTORY = doxy - -# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create -# 4096 sub-directories (in 2 levels) under the output directory of each output -# format and will distribute the generated files over these directories. -# Enabling this option can be useful when feeding doxygen a huge amount of -# source files, where putting all generated files in the same directory would -# otherwise cause performance problems for the file system. - -CREATE_SUBDIRS = NO - -# The OUTPUT_LANGUAGE tag is used to specify the language in which all -# documentation generated by doxygen is written. Doxygen will use this -# information to generate all constant output in the proper language. -# The default language is English, other supported languages are: -# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, -# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, -# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English -# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, -# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, -# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. - -OUTPUT_LANGUAGE = English - -# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will -# include brief member descriptions after the members that are listed in -# the file and class documentation (similar to JavaDoc). -# Set to NO to disable this. - -BRIEF_MEMBER_DESC = YES - -# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend -# the brief description of a member or function before the detailed description. -# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the -# brief descriptions will be completely suppressed. - -REPEAT_BRIEF = YES - -# This tag implements a quasi-intelligent brief description abbreviator -# that is used to form the text in various listings. Each string -# in this list, if found as the leading text of the brief description, will be -# stripped from the text and the result after processing the whole list, is -# used as the annotated text. Otherwise, the brief description is used as-is. -# If left blank, the following values are used ("$name" is automatically -# replaced with the name of the entity): "The $name class" "The $name widget" -# "The $name file" "is" "provides" "specifies" "contains" -# "represents" "a" "an" "the" - -ABBREVIATE_BRIEF = - -# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then -# Doxygen will generate a detailed section even if there is only a brief -# description. - -ALWAYS_DETAILED_SEC = NO - -# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all -# inherited members of a class in the documentation of that class as if those -# members were ordinary class members. Constructors, destructors and assignment -# operators of the base classes will not be shown. - -INLINE_INHERITED_MEMB = NO - -# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full -# path before files name in the file list and in the header files. If set -# to NO the shortest path that makes the file name unique will be used. - -FULL_PATH_NAMES = YES - -# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag -# can be used to strip a user-defined part of the path. Stripping is -# only done if one of the specified strings matches the left-hand part of -# the path. The tag can be used to show relative paths in the file list. -# If left blank the directory from which doxygen is run is used as the -# path to strip. - -STRIP_FROM_PATH = - -# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of -# the path mentioned in the documentation of a class, which tells -# the reader which header file to include in order to use a class. -# If left blank only the name of the header file containing the class -# definition is used. Otherwise one should specify the include paths that -# are normally passed to the compiler using the -I flag. - -STRIP_FROM_INC_PATH = - -# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter -# (but less readable) file names. This can be useful is your file systems -# doesn't support long names like on DOS, Mac, or CD-ROM. - -SHORT_NAMES = NO - -# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen -# will interpret the first line (until the first dot) of a JavaDoc-style -# comment as the brief description. If set to NO, the JavaDoc -# comments will behave just like regular Qt-style comments -# (thus requiring an explicit @brief command for a brief description.) - -JAVADOC_AUTOBRIEF = NO - -# If the QT_AUTOBRIEF tag is set to YES then Doxygen will -# interpret the first line (until the first dot) of a Qt-style -# comment as the brief description. If set to NO, the comments -# will behave just like regular Qt-style comments (thus requiring -# an explicit \brief command for a brief description.) - -QT_AUTOBRIEF = NO - -# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen -# treat a multi-line C++ special comment block (i.e. a block of //! or /// -# comments) as a brief description. This used to be the default behaviour. -# The new default is to treat a multi-line C++ comment block as a detailed -# description. Set this tag to YES if you prefer the old behaviour instead. - -MULTILINE_CPP_IS_BRIEF = NO - -# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented -# member inherits the documentation from any documented member that it -# re-implements. - -INHERIT_DOCS = YES - -# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce -# a new page for each member. If set to NO, the documentation of a member will -# be part of the file/class/namespace that contains it. - -SEPARATE_MEMBER_PAGES = NO - -# The TAB_SIZE tag can be used to set the number of spaces in a tab. -# Doxygen uses this value to replace tabs by spaces in code fragments. - -TAB_SIZE = 8 - -# This tag can be used to specify a number of aliases that acts -# as commands in the documentation. An alias has the form "name=value". -# For example adding "sideeffect=\par Side Effects:\n" will allow you to -# put the command \sideeffect (or @sideeffect) in the documentation, which -# will result in a user-defined paragraph with heading "Side Effects:". -# You can put \n's in the value part of an alias to insert newlines. - -ALIASES = - -# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C -# sources only. Doxygen will then generate output that is more tailored for C. -# For instance, some of the names that are used will be different. The list -# of all members will be omitted, etc. - -OPTIMIZE_OUTPUT_FOR_C = NO - -# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java -# sources only. Doxygen will then generate output that is more tailored for -# Java. For instance, namespaces will be presented as packages, qualified -# scopes will look different, etc. - -OPTIMIZE_OUTPUT_JAVA = NO - -# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran -# sources only. Doxygen will then generate output that is more tailored for -# Fortran. - -OPTIMIZE_FOR_FORTRAN = NO - -# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL -# sources. Doxygen will then generate output that is tailored for -# VHDL. - -OPTIMIZE_OUTPUT_VHDL = NO - -# Doxygen selects the parser to use depending on the extension of the files it -# parses. With this tag you can assign which parser to use for a given extension. -# Doxygen has a built-in mapping, but you can override or extend it using this -# tag. The format is ext=language, where ext is a file extension, and language -# is one of the parsers supported by doxygen: IDL, Java, Javascript, CSharp, C, -# C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, C++. For instance to make -# doxygen treat .inc files as Fortran files (default is PHP), and .f files as C -# (default is Fortran), use: inc=Fortran f=C. Note that for custom extensions -# you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. - -EXTENSION_MAPPING = - -# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want -# to include (a tag file for) the STL sources as input, then you should -# set this tag to YES in order to let doxygen match functions declarations and -# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. -# func(std::string) {}). This also make the inheritance and collaboration -# diagrams that involve STL classes more complete and accurate. - -BUILTIN_STL_SUPPORT = NO - -# If you use Microsoft's C++/CLI language, you should set this option to YES to -# enable parsing support. - -CPP_CLI_SUPPORT = NO - -# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. -# Doxygen will parse them like normal C++ but will assume all classes use public -# instead of private inheritance when no explicit protection keyword is present. - -SIP_SUPPORT = NO - -# For Microsoft's IDL there are propget and propput attributes to indicate getter -# and setter methods for a property. Setting this option to YES (the default) -# will make doxygen to replace the get and set methods by a property in the -# documentation. This will only work if the methods are indeed getting or -# setting a simple type. If this is not the case, or you want to show the -# methods anyway, you should set this option to NO. - -IDL_PROPERTY_SUPPORT = YES - -# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC -# tag is set to YES, then doxygen will reuse the documentation of the first -# member in the group (if any) for the other members of the group. By default -# all members of a group must be documented explicitly. - -DISTRIBUTE_GROUP_DOC = NO - -# Set the SUBGROUPING tag to YES (the default) to allow class member groups of -# the same type (for instance a group of public functions) to be put as a -# subgroup of that type (e.g. under the Public Functions section). Set it to -# NO to prevent subgrouping. Alternatively, this can be done per class using -# the \nosubgrouping command. - -SUBGROUPING = YES - -# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum -# is documented as struct, union, or enum with the name of the typedef. So -# typedef struct TypeS {} TypeT, will appear in the documentation as a struct -# with name TypeT. When disabled the typedef will appear as a member of a file, -# namespace, or class. And the struct will be named TypeS. This can typically -# be useful for C code in case the coding convention dictates that all compound -# types are typedef'ed and only the typedef is referenced, never the tag name. - -TYPEDEF_HIDES_STRUCT = NO - -# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to -# determine which symbols to keep in memory and which to flush to disk. -# When the cache is full, less often used symbols will be written to disk. -# For small to medium size projects (<1000 input files) the default value is -# probably good enough. For larger projects a too small cache size can cause -# doxygen to be busy swapping symbols to and from disk most of the time -# causing a significant performance penality. -# If the system has enough physical memory increasing the cache will improve the -# performance by keeping more symbols in memory. Note that the value works on -# a logarithmic scale so increasing the size by one will rougly double the -# memory usage. The cache size is given by this formula: -# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, -# corresponding to a cache size of 2^16 = 65536 symbols - -SYMBOL_CACHE_SIZE = 0 - -#--------------------------------------------------------------------------- -# Build related configuration options -#--------------------------------------------------------------------------- - -# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in -# documentation are documented, even if no documentation was available. -# Private class members and static file members will be hidden unless -# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES - -EXTRACT_ALL = NO - -# If the EXTRACT_PRIVATE tag is set to YES all private members of a class -# will be included in the documentation. - -EXTRACT_PRIVATE = NO - -# If the EXTRACT_STATIC tag is set to YES all static members of a file -# will be included in the documentation. - -EXTRACT_STATIC = NO - -# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) -# defined locally in source files will be included in the documentation. -# If set to NO only classes defined in header files are included. - -EXTRACT_LOCAL_CLASSES = YES - -# This flag is only useful for Objective-C code. When set to YES local -# methods, which are defined in the implementation section but not in -# the interface are included in the documentation. -# If set to NO (the default) only methods in the interface are included. - -EXTRACT_LOCAL_METHODS = NO - -# If this flag is set to YES, the members of anonymous namespaces will be -# extracted and appear in the documentation as a namespace called -# 'anonymous_namespace{file}', where file will be replaced with the base -# name of the file that contains the anonymous namespace. By default -# anonymous namespace are hidden. - -EXTRACT_ANON_NSPACES = NO - -# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all -# undocumented members of documented classes, files or namespaces. -# If set to NO (the default) these members will be included in the -# various overviews, but no documentation section is generated. -# This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_MEMBERS = NO - -# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all -# undocumented classes that are normally visible in the class hierarchy. -# If set to NO (the default) these classes will be included in the various -# overviews. This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_CLASSES = NO - -# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all -# friend (class|struct|union) declarations. -# If set to NO (the default) these declarations will be included in the -# documentation. - -HIDE_FRIEND_COMPOUNDS = NO - -# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any -# documentation blocks found inside the body of a function. -# If set to NO (the default) these blocks will be appended to the -# function's detailed documentation block. - -HIDE_IN_BODY_DOCS = NO - -# The INTERNAL_DOCS tag determines if documentation -# that is typed after a \internal command is included. If the tag is set -# to NO (the default) then the documentation will be excluded. -# Set it to YES to include the internal documentation. - -INTERNAL_DOCS = NO - -# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate -# file names in lower-case letters. If set to YES upper-case letters are also -# allowed. This is useful if you have classes or files whose names only differ -# in case and if your file system supports case sensitive file names. Windows -# and Mac users are advised to set this option to NO. - -CASE_SENSE_NAMES = YES - -# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen -# will show members with their full class and namespace scopes in the -# documentation. If set to YES the scope will be hidden. - -HIDE_SCOPE_NAMES = NO - -# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen -# will put a list of the files that are included by a file in the documentation -# of that file. - -SHOW_INCLUDE_FILES = YES - -# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen -# will list include files with double quotes in the documentation -# rather than with sharp brackets. - -FORCE_LOCAL_INCLUDES = NO - -# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] -# is inserted in the documentation for inline members. - -INLINE_INFO = YES - -# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen -# will sort the (detailed) documentation of file and class members -# alphabetically by member name. If set to NO the members will appear in -# declaration order. - -SORT_MEMBER_DOCS = YES - -# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the -# brief documentation of file, namespace and class members alphabetically -# by member name. If set to NO (the default) the members will appear in -# declaration order. - -SORT_BRIEF_DOCS = NO - -# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen -# will sort the (brief and detailed) documentation of class members so that -# constructors and destructors are listed first. If set to NO (the default) -# the constructors will appear in the respective orders defined by -# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. -# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO -# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. - -SORT_MEMBERS_CTORS_1ST = NO - -# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the -# hierarchy of group names into alphabetical order. If set to NO (the default) -# the group names will appear in their defined order. - -SORT_GROUP_NAMES = NO - -# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be -# sorted by fully-qualified names, including namespaces. If set to -# NO (the default), the class list will be sorted only by class name, -# not including the namespace part. -# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. -# Note: This option applies only to the class list, not to the -# alphabetical list. - -SORT_BY_SCOPE_NAME = NO - -# The GENERATE_TODOLIST tag can be used to enable (YES) or -# disable (NO) the todo list. This list is created by putting \todo -# commands in the documentation. - -GENERATE_TODOLIST = YES - -# The GENERATE_TESTLIST tag can be used to enable (YES) or -# disable (NO) the test list. This list is created by putting \test -# commands in the documentation. - -GENERATE_TESTLIST = YES - -# The GENERATE_BUGLIST tag can be used to enable (YES) or -# disable (NO) the bug list. This list is created by putting \bug -# commands in the documentation. - -GENERATE_BUGLIST = YES - -# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or -# disable (NO) the deprecated list. This list is created by putting -# \deprecated commands in the documentation. - -GENERATE_DEPRECATEDLIST= YES - -# The ENABLED_SECTIONS tag can be used to enable conditional -# documentation sections, marked by \if sectionname ... \endif. - -ENABLED_SECTIONS = - -# The MAX_INITIALIZER_LINES tag determines the maximum number of lines -# the initial value of a variable or define consists of for it to appear in -# the documentation. If the initializer consists of more lines than specified -# here it will be hidden. Use a value of 0 to hide initializers completely. -# The appearance of the initializer of individual variables and defines in the -# documentation can be controlled using \showinitializer or \hideinitializer -# command in the documentation regardless of this setting. - -MAX_INITIALIZER_LINES = 30 - -# Set the SHOW_USED_FILES tag to NO to disable the list of files generated -# at the bottom of the documentation of classes and structs. If set to YES the -# list will mention the files that were used to generate the documentation. - -SHOW_USED_FILES = YES - -# If the sources in your project are distributed over multiple directories -# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy -# in the documentation. The default is NO. - -SHOW_DIRECTORIES = NO - -# Set the SHOW_FILES tag to NO to disable the generation of the Files page. -# This will remove the Files entry from the Quick Index and from the -# Folder Tree View (if specified). The default is YES. - -SHOW_FILES = YES - -# Set the SHOW_NAMESPACES tag to NO to disable the generation of the -# Namespaces page. -# This will remove the Namespaces entry from the Quick Index -# and from the Folder Tree View (if specified). The default is YES. - -SHOW_NAMESPACES = YES - -# The FILE_VERSION_FILTER tag can be used to specify a program or script that -# doxygen should invoke to get the current version for each file (typically from -# the version control system). Doxygen will invoke the program by executing (via -# popen()) the command , where is the value of -# the FILE_VERSION_FILTER tag, and is the name of an input file -# provided by doxygen. Whatever the program writes to standard output -# is used as the file version. See the manual for examples. - -FILE_VERSION_FILTER = - -# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed -# by doxygen. The layout file controls the global structure of the generated -# output files in an output format independent way. The create the layout file -# that represents doxygen's defaults, run doxygen with the -l option. -# You can optionally specify a file name after the option, if omitted -# DoxygenLayout.xml will be used as the name of the layout file. - -LAYOUT_FILE = - -#--------------------------------------------------------------------------- -# configuration options related to warning and progress messages -#--------------------------------------------------------------------------- - -# The QUIET tag can be used to turn on/off the messages that are generated -# by doxygen. Possible values are YES and NO. If left blank NO is used. - -QUIET = NO - -# The WARNINGS tag can be used to turn on/off the warning messages that are -# generated by doxygen. Possible values are YES and NO. If left blank -# NO is used. - -WARNINGS = YES - -# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings -# for undocumented members. If EXTRACT_ALL is set to YES then this flag will -# automatically be disabled. - -WARN_IF_UNDOCUMENTED = YES - -# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for -# potential errors in the documentation, such as not documenting some -# parameters in a documented function, or documenting parameters that -# don't exist or using markup commands wrongly. - -WARN_IF_DOC_ERROR = YES - -# This WARN_NO_PARAMDOC option can be abled to get warnings for -# functions that are documented, but have no documentation for their parameters -# or return value. If set to NO (the default) doxygen will only warn about -# wrong or incomplete parameter documentation, but not about the absence of -# documentation. - -WARN_NO_PARAMDOC = NO - -# The WARN_FORMAT tag determines the format of the warning messages that -# doxygen can produce. The string should contain the $file, $line, and $text -# tags, which will be replaced by the file and line number from which the -# warning originated and the warning text. Optionally the format may contain -# $version, which will be replaced by the version of the file (if it could -# be obtained via FILE_VERSION_FILTER) - -WARN_FORMAT = "$file:$line: $text" - -# The WARN_LOGFILE tag can be used to specify a file to which warning -# and error messages should be written. If left blank the output is written -# to stderr. - -WARN_LOGFILE = - -#--------------------------------------------------------------------------- -# configuration options related to the input files -#--------------------------------------------------------------------------- - -# The INPUT tag can be used to specify the files and/or directories that contain -# documented source files. You may enter file names like "myfile.cpp" or -# directories like "/usr/src/myproject". Separate the files or directories -# with spaces. - -INPUT = include/radsec/radsec.h include/radsec/request.h - -# This tag can be used to specify the character encoding of the source files -# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is -# also the default input encoding. Doxygen uses libiconv (or the iconv built -# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for -# the list of possible encodings. - -INPUT_ENCODING = UTF-8 - -# If the value of the INPUT tag contains directories, you can use the -# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank the following patterns are tested: -# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx -# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 - -FILE_PATTERNS = *.c *.h - -# The RECURSIVE tag can be used to turn specify whether or not subdirectories -# should be searched for input files as well. Possible values are YES and NO. -# If left blank NO is used. - -RECURSIVE = NO - -# The EXCLUDE tag can be used to specify files and/or directories that should -# excluded from the INPUT source files. This way you can easily exclude a -# subdirectory from a directory tree whose root is specified with the INPUT tag. - -EXCLUDE = - -# The EXCLUDE_SYMLINKS tag can be used select whether or not files or -# directories that are symbolic links (a Unix filesystem feature) are excluded -# from the input. - -EXCLUDE_SYMLINKS = NO - -# If the value of the INPUT tag contains directories, you can use the -# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude -# certain files from those directories. Note that the wildcards are matched -# against the file with absolute path, so to exclude all test directories -# for example use the pattern */test/* - -EXCLUDE_PATTERNS = - -# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names -# (namespaces, classes, functions, etc.) that should be excluded from the -# output. The symbol name can be a fully qualified name, a word, or if the -# wildcard * is used, a substring. Examples: ANamespace, AClass, -# AClass::ANamespace, ANamespace::*Test - -EXCLUDE_SYMBOLS = - -# The EXAMPLE_PATH tag can be used to specify one or more files or -# directories that contain example code fragments that are included (see -# the \include command). - -EXAMPLE_PATH = - -# If the value of the EXAMPLE_PATH tag contains directories, you can use the -# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank all files are included. - -EXAMPLE_PATTERNS = - -# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be -# searched for input files to be used with the \include or \dontinclude -# commands irrespective of the value of the RECURSIVE tag. -# Possible values are YES and NO. If left blank NO is used. - -EXAMPLE_RECURSIVE = NO - -# The IMAGE_PATH tag can be used to specify one or more files or -# directories that contain image that are included in the documentation (see -# the \image command). - -IMAGE_PATH = - -# The INPUT_FILTER tag can be used to specify a program that doxygen should -# invoke to filter for each input file. Doxygen will invoke the filter program -# by executing (via popen()) the command , where -# is the value of the INPUT_FILTER tag, and is the name of an -# input file. Doxygen will then use the output that the filter program writes -# to standard output. -# If FILTER_PATTERNS is specified, this tag will be -# ignored. - -INPUT_FILTER = - -# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern -# basis. -# Doxygen will compare the file name with each pattern and apply the -# filter if there is a match. -# The filters are a list of the form: -# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further -# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER -# is applied to all files. - -FILTER_PATTERNS = - -# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using -# INPUT_FILTER) will be used to filter the input files when producing source -# files to browse (i.e. when SOURCE_BROWSER is set to YES). - -FILTER_SOURCE_FILES = NO - -#--------------------------------------------------------------------------- -# configuration options related to source browsing -#--------------------------------------------------------------------------- - -# If the SOURCE_BROWSER tag is set to YES then a list of source files will -# be generated. Documented entities will be cross-referenced with these sources. -# Note: To get rid of all source code in the generated output, make sure also -# VERBATIM_HEADERS is set to NO. - -SOURCE_BROWSER = NO - -# Setting the INLINE_SOURCES tag to YES will include the body -# of functions and classes directly in the documentation. - -INLINE_SOURCES = NO - -# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct -# doxygen to hide any special comment blocks from generated source code -# fragments. Normal C and C++ comments will always remain visible. - -STRIP_CODE_COMMENTS = YES - -# If the REFERENCED_BY_RELATION tag is set to YES -# then for each documented function all documented -# functions referencing it will be listed. - -REFERENCED_BY_RELATION = NO - -# If the REFERENCES_RELATION tag is set to YES -# then for each documented function all documented entities -# called/used by that function will be listed. - -REFERENCES_RELATION = NO - -# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) -# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from -# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will -# link to the source code. -# Otherwise they will link to the documentation. - -REFERENCES_LINK_SOURCE = YES - -# If the USE_HTAGS tag is set to YES then the references to source code -# will point to the HTML generated by the htags(1) tool instead of doxygen -# built-in source browser. The htags tool is part of GNU's global source -# tagging system (see http://www.gnu.org/software/global/global.html). You -# will need version 4.8.6 or higher. - -USE_HTAGS = NO - -# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen -# will generate a verbatim copy of the header file for each class for -# which an include is specified. Set to NO to disable this. - -VERBATIM_HEADERS = YES - -#--------------------------------------------------------------------------- -# configuration options related to the alphabetical class index -#--------------------------------------------------------------------------- - -# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index -# of all compounds will be generated. Enable this if the project -# contains a lot of classes, structs, unions or interfaces. - -ALPHABETICAL_INDEX = YES - -# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then -# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns -# in which this list will be split (can be a number in the range [1..20]) - -COLS_IN_ALPHA_INDEX = 5 - -# In case all classes in a project start with a common prefix, all -# classes will be put under the same header in the alphabetical index. -# The IGNORE_PREFIX tag can be used to specify one or more prefixes that -# should be ignored while generating the index headers. - -IGNORE_PREFIX = - -#--------------------------------------------------------------------------- -# configuration options related to the HTML output -#--------------------------------------------------------------------------- - -# If the GENERATE_HTML tag is set to YES (the default) Doxygen will -# generate HTML output. - -GENERATE_HTML = YES - -# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `html' will be used as the default path. - -HTML_OUTPUT = html - -# The HTML_FILE_EXTENSION tag can be used to specify the file extension for -# each generated HTML page (for example: .htm,.php,.asp). If it is left blank -# doxygen will generate files with .html extension. - -HTML_FILE_EXTENSION = .html - -# The HTML_HEADER tag can be used to specify a personal HTML header for -# each generated HTML page. If it is left blank doxygen will generate a -# standard header. - -HTML_HEADER = - -# The HTML_FOOTER tag can be used to specify a personal HTML footer for -# each generated HTML page. If it is left blank doxygen will generate a -# standard footer. - -HTML_FOOTER = - -# The HTML_STYLESHEET tag can be used to specify a user-defined cascading -# style sheet that is used by each HTML page. It can be used to -# fine-tune the look of the HTML output. If the tag is left blank doxygen -# will generate a default style sheet. Note that doxygen will try to copy -# the style sheet file to the HTML output directory, so don't put your own -# stylesheet in the HTML output directory as well, or it will be erased! - -HTML_STYLESHEET = - -# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. -# Doxygen will adjust the colors in the stylesheet and background images -# according to this color. Hue is specified as an angle on a colorwheel, -# see http://en.wikipedia.org/wiki/Hue for more information. -# For instance the value 0 represents red, 60 is yellow, 120 is green, -# 180 is cyan, 240 is blue, 300 purple, and 360 is red again. -# The allowed range is 0 to 359. - -HTML_COLORSTYLE_HUE = 220 - -# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of -# the colors in the HTML output. For a value of 0 the output will use -# grayscales only. A value of 255 will produce the most vivid colors. - -HTML_COLORSTYLE_SAT = 100 - -# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to -# the luminance component of the colors in the HTML output. Values below -# 100 gradually make the output lighter, whereas values above 100 make -# the output darker. The value divided by 100 is the actual gamma applied, -# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2, -# and 100 does not change the gamma. - -HTML_COLORSTYLE_GAMMA = 80 - -# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML -# page will contain the date and time when the page was generated. Setting -# this to NO can help when comparing the output of multiple runs. - -HTML_TIMESTAMP = YES - -# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, -# files or namespaces will be aligned in HTML using tables. If set to -# NO a bullet list will be used. - -HTML_ALIGN_MEMBERS = YES - -# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML -# documentation will contain sections that can be hidden and shown after the -# page has loaded. For this to work a browser that supports -# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox -# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). - -HTML_DYNAMIC_SECTIONS = NO - -# If the GENERATE_DOCSET tag is set to YES, additional index files -# will be generated that can be used as input for Apple's Xcode 3 -# integrated development environment, introduced with OSX 10.5 (Leopard). -# To create a documentation set, doxygen will generate a Makefile in the -# HTML output directory. Running make will produce the docset in that -# directory and running "make install" will install the docset in -# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find -# it at startup. -# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html -# for more information. - -GENERATE_DOCSET = NO - -# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the -# feed. A documentation feed provides an umbrella under which multiple -# documentation sets from a single provider (such as a company or product suite) -# can be grouped. - -DOCSET_FEEDNAME = "Doxygen generated docs" - -# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that -# should uniquely identify the documentation set bundle. This should be a -# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen -# will append .docset to the name. - -DOCSET_BUNDLE_ID = org.doxygen.Project - -# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely identify -# the documentation publisher. This should be a reverse domain-name style -# string, e.g. com.mycompany.MyDocSet.documentation. - -DOCSET_PUBLISHER_ID = org.doxygen.Publisher - -# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher. - -DOCSET_PUBLISHER_NAME = Publisher - -# If the GENERATE_HTMLHELP tag is set to YES, additional index files -# will be generated that can be used as input for tools like the -# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) -# of the generated HTML documentation. - -GENERATE_HTMLHELP = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can -# be used to specify the file name of the resulting .chm file. You -# can add a path in front of the file if the result should not be -# written to the html output directory. - -CHM_FILE = - -# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can -# be used to specify the location (absolute path including file name) of -# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run -# the HTML help compiler on the generated index.hhp. - -HHC_LOCATION = - -# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag -# controls if a separate .chi index file is generated (YES) or that -# it should be included in the master .chm file (NO). - -GENERATE_CHI = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING -# is used to encode HtmlHelp index (hhk), content (hhc) and project file -# content. - -CHM_INDEX_ENCODING = - -# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag -# controls whether a binary table of contents is generated (YES) or a -# normal table of contents (NO) in the .chm file. - -BINARY_TOC = NO - -# The TOC_EXPAND flag can be set to YES to add extra items for group members -# to the contents of the HTML help documentation and to the tree view. - -TOC_EXPAND = NO - -# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and -# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated -# that can be used as input for Qt's qhelpgenerator to generate a -# Qt Compressed Help (.qch) of the generated HTML documentation. - -GENERATE_QHP = NO - -# If the QHG_LOCATION tag is specified, the QCH_FILE tag can -# be used to specify the file name of the resulting .qch file. -# The path specified is relative to the HTML output folder. - -QCH_FILE = - -# The QHP_NAMESPACE tag specifies the namespace to use when generating -# Qt Help Project output. For more information please see -# http://doc.trolltech.com/qthelpproject.html#namespace - -QHP_NAMESPACE = org.doxygen.Project - -# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating -# Qt Help Project output. For more information please see -# http://doc.trolltech.com/qthelpproject.html#virtual-folders - -QHP_VIRTUAL_FOLDER = doc - -# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to -# add. For more information please see -# http://doc.trolltech.com/qthelpproject.html#custom-filters - -QHP_CUST_FILTER_NAME = - -# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the -# custom filter to add. For more information please see -# -# Qt Help Project / Custom Filters. - -QHP_CUST_FILTER_ATTRS = - -# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this -# project's -# filter section matches. -# -# Qt Help Project / Filter Attributes. - -QHP_SECT_FILTER_ATTRS = - -# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can -# be used to specify the location of Qt's qhelpgenerator. -# If non-empty doxygen will try to run qhelpgenerator on the generated -# .qhp file. - -QHG_LOCATION = - -# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files -# will be generated, which together with the HTML files, form an Eclipse help -# plugin. To install this plugin and make it available under the help contents -# menu in Eclipse, the contents of the directory containing the HTML and XML -# files needs to be copied into the plugins directory of eclipse. The name of -# the directory within the plugins directory should be the same as -# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before -# the help appears. - -GENERATE_ECLIPSEHELP = NO - -# A unique identifier for the eclipse help plugin. When installing the plugin -# the directory name containing the HTML and XML files should also have -# this name. - -ECLIPSE_DOC_ID = org.doxygen.Project - -# The DISABLE_INDEX tag can be used to turn on/off the condensed index at -# top of each HTML page. The value NO (the default) enables the index and -# the value YES disables it. - -DISABLE_INDEX = NO - -# This tag can be used to set the number of enum values (range [1..20]) -# that doxygen will group on one line in the generated HTML documentation. - -ENUM_VALUES_PER_LINE = 4 - -# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index -# structure should be generated to display hierarchical information. -# If the tag value is set to YES, a side panel will be generated -# containing a tree-like index structure (just like the one that -# is generated for HTML Help). For this to work a browser that supports -# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). -# Windows users are probably better off using the HTML help feature. - -GENERATE_TREEVIEW = NO - -# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories, -# and Class Hierarchy pages using a tree view instead of an ordered list. - -USE_INLINE_TREES = NO - -# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be -# used to set the initial width (in pixels) of the frame in which the tree -# is shown. - -TREEVIEW_WIDTH = 250 - -# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open -# links to external symbols imported via tag files in a separate window. - -EXT_LINKS_IN_WINDOW = NO - -# Use this tag to change the font size of Latex formulas included -# as images in the HTML documentation. The default is 10. Note that -# when you change the font size after a successful doxygen run you need -# to manually remove any form_*.png images from the HTML output directory -# to force them to be regenerated. - -FORMULA_FONTSIZE = 10 - -# Use the FORMULA_TRANPARENT tag to determine whether or not the images -# generated for formulas are transparent PNGs. Transparent PNGs are -# not supported properly for IE 6.0, but are supported on all modern browsers. -# Note that when changing this option you need to delete any form_*.png files -# in the HTML output before the changes have effect. - -FORMULA_TRANSPARENT = YES - -# When the SEARCHENGINE tag is enabled doxygen will generate a search box -# for the HTML output. The underlying search engine uses javascript -# and DHTML and should work on any modern browser. Note that when using -# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets -# (GENERATE_DOCSET) there is already a search function so this one should -# typically be disabled. For large projects the javascript based search engine -# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. - -SEARCHENGINE = YES - -# When the SERVER_BASED_SEARCH tag is enabled the search engine will be -# implemented using a PHP enabled web server instead of at the web client -# using Javascript. Doxygen will generate the search PHP script and index -# file to put on the web server. The advantage of the server -# based approach is that it scales better to large projects and allows -# full text search. The disadvances is that it is more difficult to setup -# and does not have live searching capabilities. - -SERVER_BASED_SEARCH = NO - -#--------------------------------------------------------------------------- -# configuration options related to the LaTeX output -#--------------------------------------------------------------------------- - -# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will -# generate Latex output. - -GENERATE_LATEX = YES - -# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `latex' will be used as the default path. - -LATEX_OUTPUT = latex - -# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be -# invoked. If left blank `latex' will be used as the default command name. -# Note that when enabling USE_PDFLATEX this option is only used for -# generating bitmaps for formulas in the HTML output, but not in the -# Makefile that is written to the output directory. - -LATEX_CMD_NAME = latex - -# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to -# generate index for LaTeX. If left blank `makeindex' will be used as the -# default command name. - -MAKEINDEX_CMD_NAME = makeindex - -# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact -# LaTeX documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_LATEX = NO - -# The PAPER_TYPE tag can be used to set the paper type that is used -# by the printer. Possible values are: a4, a4wide, letter, legal and -# executive. If left blank a4wide will be used. - -PAPER_TYPE = a4wide - -# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX -# packages that should be included in the LaTeX output. - -EXTRA_PACKAGES = - -# The LATEX_HEADER tag can be used to specify a personal LaTeX header for -# the generated latex document. The header should contain everything until -# the first chapter. If it is left blank doxygen will generate a -# standard header. Notice: only use this tag if you know what you are doing! - -LATEX_HEADER = - -# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated -# is prepared for conversion to pdf (using ps2pdf). The pdf file will -# contain links (just like the HTML output) instead of page references -# This makes the output suitable for online browsing using a pdf viewer. - -PDF_HYPERLINKS = YES - -# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of -# plain latex in the generated Makefile. Set this option to YES to get a -# higher quality PDF documentation. - -USE_PDFLATEX = YES - -# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. -# command to the generated LaTeX files. This will instruct LaTeX to keep -# running if errors occur, instead of asking the user for help. -# This option is also used when generating formulas in HTML. - -LATEX_BATCHMODE = NO - -# If LATEX_HIDE_INDICES is set to YES then doxygen will not -# include the index chapters (such as File Index, Compound Index, etc.) -# in the output. - -LATEX_HIDE_INDICES = NO - -# If LATEX_SOURCE_CODE is set to YES then doxygen will include -# source code with syntax highlighting in the LaTeX output. -# Note that which sources are shown also depends on other settings -# such as SOURCE_BROWSER. - -LATEX_SOURCE_CODE = NO - -#--------------------------------------------------------------------------- -# configuration options related to the RTF output -#--------------------------------------------------------------------------- - -# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output -# The RTF output is optimized for Word 97 and may not look very pretty with -# other RTF readers or editors. - -GENERATE_RTF = NO - -# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `rtf' will be used as the default path. - -RTF_OUTPUT = rtf - -# If the COMPACT_RTF tag is set to YES Doxygen generates more compact -# RTF documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_RTF = NO - -# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated -# will contain hyperlink fields. The RTF file will -# contain links (just like the HTML output) instead of page references. -# This makes the output suitable for online browsing using WORD or other -# programs which support those fields. -# Note: wordpad (write) and others do not support links. - -RTF_HYPERLINKS = NO - -# Load stylesheet definitions from file. Syntax is similar to doxygen's -# config file, i.e. a series of assignments. You only have to provide -# replacements, missing definitions are set to their default value. - -RTF_STYLESHEET_FILE = - -# Set optional variables used in the generation of an rtf document. -# Syntax is similar to doxygen's config file. - -RTF_EXTENSIONS_FILE = - -#--------------------------------------------------------------------------- -# configuration options related to the man page output -#--------------------------------------------------------------------------- - -# If the GENERATE_MAN tag is set to YES (the default) Doxygen will -# generate man pages - -GENERATE_MAN = NO - -# The MAN_OUTPUT tag is used to specify where the man pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `man' will be used as the default path. - -MAN_OUTPUT = man - -# The MAN_EXTENSION tag determines the extension that is added to -# the generated man pages (default is the subroutine's section .3) - -MAN_EXTENSION = .3 - -# If the MAN_LINKS tag is set to YES and Doxygen generates man output, -# then it will generate one additional man file for each entity -# documented in the real man page(s). These additional files -# only source the real man page, but without them the man command -# would be unable to find the correct page. The default is NO. - -MAN_LINKS = NO - -#--------------------------------------------------------------------------- -# configuration options related to the XML output -#--------------------------------------------------------------------------- - -# If the GENERATE_XML tag is set to YES Doxygen will -# generate an XML file that captures the structure of -# the code including all documentation. - -GENERATE_XML = NO - -# The XML_OUTPUT tag is used to specify where the XML pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `xml' will be used as the default path. - -XML_OUTPUT = xml - -# The XML_SCHEMA tag can be used to specify an XML schema, -# which can be used by a validating XML parser to check the -# syntax of the XML files. - -XML_SCHEMA = - -# The XML_DTD tag can be used to specify an XML DTD, -# which can be used by a validating XML parser to check the -# syntax of the XML files. - -XML_DTD = - -# If the XML_PROGRAMLISTING tag is set to YES Doxygen will -# dump the program listings (including syntax highlighting -# and cross-referencing information) to the XML output. Note that -# enabling this will significantly increase the size of the XML output. - -XML_PROGRAMLISTING = YES - -#--------------------------------------------------------------------------- -# configuration options for the AutoGen Definitions output -#--------------------------------------------------------------------------- - -# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will -# generate an AutoGen Definitions (see autogen.sf.net) file -# that captures the structure of the code including all -# documentation. Note that this feature is still experimental -# and incomplete at the moment. - -GENERATE_AUTOGEN_DEF = NO - -#--------------------------------------------------------------------------- -# configuration options related to the Perl module output -#--------------------------------------------------------------------------- - -# If the GENERATE_PERLMOD tag is set to YES Doxygen will -# generate a Perl module file that captures the structure of -# the code including all documentation. Note that this -# feature is still experimental and incomplete at the -# moment. - -GENERATE_PERLMOD = NO - -# If the PERLMOD_LATEX tag is set to YES Doxygen will generate -# the necessary Makefile rules, Perl scripts and LaTeX code to be able -# to generate PDF and DVI output from the Perl module output. - -PERLMOD_LATEX = NO - -# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be -# nicely formatted so it can be parsed by a human reader. -# This is useful -# if you want to understand what is going on. -# On the other hand, if this -# tag is set to NO the size of the Perl module output will be much smaller -# and Perl will parse it just the same. - -PERLMOD_PRETTY = YES - -# The names of the make variables in the generated doxyrules.make file -# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. -# This is useful so different doxyrules.make files included by the same -# Makefile don't overwrite each other's variables. - -PERLMOD_MAKEVAR_PREFIX = - -#--------------------------------------------------------------------------- -# Configuration options related to the preprocessor -#--------------------------------------------------------------------------- - -# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will -# evaluate all C-preprocessor directives found in the sources and include -# files. - -ENABLE_PREPROCESSING = YES - -# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro -# names in the source code. If set to NO (the default) only conditional -# compilation will be performed. Macro expansion can be done in a controlled -# way by setting EXPAND_ONLY_PREDEF to YES. - -MACRO_EXPANSION = NO - -# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES -# then the macro expansion is limited to the macros specified with the -# PREDEFINED and EXPAND_AS_DEFINED tags. - -EXPAND_ONLY_PREDEF = NO - -# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files -# in the INCLUDE_PATH (see below) will be search if a #include is found. - -SEARCH_INCLUDES = YES - -# The INCLUDE_PATH tag can be used to specify one or more directories that -# contain include files that are not input files but should be processed by -# the preprocessor. - -INCLUDE_PATH = - -# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard -# patterns (like *.h and *.hpp) to filter out the header-files in the -# directories. If left blank, the patterns specified with FILE_PATTERNS will -# be used. - -INCLUDE_FILE_PATTERNS = - -# The PREDEFINED tag can be used to specify one or more macro names that -# are defined before the preprocessor is started (similar to the -D option of -# gcc). The argument of the tag is a list of macros of the form: name -# or name=definition (no spaces). If the definition and the = are -# omitted =1 is assumed. To prevent a macro definition from being -# undefined via #undef or recursively expanded use the := operator -# instead of the = operator. - -PREDEFINED = - -# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then -# this tag can be used to specify a list of macro names that should be expanded. -# The macro definition that is found in the sources will be used. -# Use the PREDEFINED tag if you want to use a different macro definition. - -EXPAND_AS_DEFINED = - -# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then -# doxygen's preprocessor will remove all function-like macros that are alone -# on a line, have an all uppercase name, and do not end with a semicolon. Such -# function macros are typically used for boiler-plate code, and will confuse -# the parser if not removed. - -SKIP_FUNCTION_MACROS = YES - -#--------------------------------------------------------------------------- -# Configuration::additions related to external references -#--------------------------------------------------------------------------- - -# The TAGFILES option can be used to specify one or more tagfiles. -# Optionally an initial location of the external documentation -# can be added for each tagfile. The format of a tag file without -# this location is as follows: -# -# TAGFILES = file1 file2 ... -# Adding location for the tag files is done as follows: -# -# TAGFILES = file1=loc1 "file2 = loc2" ... -# where "loc1" and "loc2" can be relative or absolute paths or -# URLs. If a location is present for each tag, the installdox tool -# does not have to be run to correct the links. -# Note that each tag file must have a unique name -# (where the name does NOT include the path) -# If a tag file is not located in the directory in which doxygen -# is run, you must also specify the path to the tagfile here. - -TAGFILES = - -# When a file name is specified after GENERATE_TAGFILE, doxygen will create -# a tag file that is based on the input files it reads. - -GENERATE_TAGFILE = - -# If the ALLEXTERNALS tag is set to YES all external classes will be listed -# in the class index. If set to NO only the inherited external classes -# will be listed. - -ALLEXTERNALS = NO - -# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed -# in the modules index. If set to NO, only the current project's groups will -# be listed. - -EXTERNAL_GROUPS = YES - -# The PERL_PATH should be the absolute path and name of the perl script -# interpreter (i.e. the result of `which perl'). - -PERL_PATH = /usr/bin/perl - -#--------------------------------------------------------------------------- -# Configuration options related to the dot tool -#--------------------------------------------------------------------------- - -# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will -# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base -# or super classes. Setting the tag to NO turns the diagrams off. Note that -# this option is superseded by the HAVE_DOT option below. This is only a -# fallback. It is recommended to install and use dot, since it yields more -# powerful graphs. - -CLASS_DIAGRAMS = YES - -# You can define message sequence charts within doxygen comments using the \msc -# command. Doxygen will then run the mscgen tool (see -# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the -# documentation. The MSCGEN_PATH tag allows you to specify the directory where -# the mscgen tool resides. If left empty the tool is assumed to be found in the -# default search path. - -MSCGEN_PATH = - -# If set to YES, the inheritance and collaboration graphs will hide -# inheritance and usage relations if the target is undocumented -# or is not a class. - -HIDE_UNDOC_RELATIONS = YES - -# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is -# available from the path. This tool is part of Graphviz, a graph visualization -# toolkit from AT&T and Lucent Bell Labs. The other options in this section -# have no effect if this option is set to NO (the default) - -HAVE_DOT = NO - -# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is -# allowed to run in parallel. When set to 0 (the default) doxygen will -# base this on the number of processors available in the system. You can set it -# explicitly to a value larger than 0 to get control over the balance -# between CPU load and processing speed. - -DOT_NUM_THREADS = 0 - -# By default doxygen will write a font called FreeSans.ttf to the output -# directory and reference it in all dot files that doxygen generates. This -# font does not include all possible unicode characters however, so when you need -# these (or just want a differently looking font) you can specify the font name -# using DOT_FONTNAME. You need need to make sure dot is able to find the font, -# which can be done by putting it in a standard location or by setting the -# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory -# containing the font. - -DOT_FONTNAME = FreeSans.ttf - -# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. -# The default size is 10pt. - -DOT_FONTSIZE = 10 - -# By default doxygen will tell dot to use the output directory to look for the -# FreeSans.ttf font (which doxygen will put there itself). If you specify a -# different font using DOT_FONTNAME you can set the path where dot -# can find it using this tag. - -DOT_FONTPATH = - -# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect inheritance relations. Setting this tag to YES will force the -# the CLASS_DIAGRAMS tag to NO. - -CLASS_GRAPH = YES - -# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect implementation dependencies (inheritance, containment, and -# class references variables) of the class with other documented classes. - -COLLABORATION_GRAPH = YES - -# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for groups, showing the direct groups dependencies - -GROUP_GRAPHS = YES - -# If the UML_LOOK tag is set to YES doxygen will generate inheritance and -# collaboration diagrams in a style similar to the OMG's Unified Modeling -# Language. - -UML_LOOK = NO - -# If set to YES, the inheritance and collaboration graphs will show the -# relations between templates and their instances. - -TEMPLATE_RELATIONS = NO - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT -# tags are set to YES then doxygen will generate a graph for each documented -# file showing the direct and indirect include dependencies of the file with -# other documented files. - -INCLUDE_GRAPH = YES - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and -# HAVE_DOT tags are set to YES then doxygen will generate a graph for each -# documented header file showing the documented files that directly or -# indirectly include this file. - -INCLUDED_BY_GRAPH = YES - -# If the CALL_GRAPH and HAVE_DOT options are set to YES then -# doxygen will generate a call dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. So in most cases it will be better to enable call graphs -# for selected functions only using the \callgraph command. - -CALL_GRAPH = NO - -# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then -# doxygen will generate a caller dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. So in most cases it will be better to enable caller -# graphs for selected functions only using the \callergraph command. - -CALLER_GRAPH = NO - -# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen -# will graphical hierarchy of all classes instead of a textual one. - -GRAPHICAL_HIERARCHY = YES - -# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES -# then doxygen will show the dependencies a directory has on other directories -# in a graphical way. The dependency relations are determined by the #include -# relations between the files in the directories. - -DIRECTORY_GRAPH = YES - -# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images -# generated by dot. Possible values are png, jpg, or gif -# If left blank png will be used. - -DOT_IMAGE_FORMAT = png - -# The tag DOT_PATH can be used to specify the path where the dot tool can be -# found. If left blank, it is assumed the dot tool can be found in the path. - -DOT_PATH = - -# The DOTFILE_DIRS tag can be used to specify one or more directories that -# contain dot files that are included in the documentation (see the -# \dotfile command). - -DOTFILE_DIRS = - -# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of -# nodes that will be shown in the graph. If the number of nodes in a graph -# becomes larger than this value, doxygen will truncate the graph, which is -# visualized by representing a node as a red box. Note that doxygen if the -# number of direct children of the root node in a graph is already larger than -# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note -# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. - -DOT_GRAPH_MAX_NODES = 50 - -# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the -# graphs generated by dot. A depth value of 3 means that only nodes reachable -# from the root by following a path via at most 3 edges will be shown. Nodes -# that lay further from the root node will be omitted. Note that setting this -# option to 1 or 2 may greatly reduce the computation time needed for large -# code bases. Also note that the size of a graph can be further restricted by -# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. - -MAX_DOT_GRAPH_DEPTH = 0 - -# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent -# background. This is disabled by default, because dot on Windows does not -# seem to support this out of the box. Warning: Depending on the platform used, -# enabling this option may lead to badly anti-aliased labels on the edges of -# a graph (i.e. they become hard to read). - -DOT_TRANSPARENT = NO - -# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output -# files in one run (i.e. multiple -o and -T options on the command line). This -# makes dot run faster, but since only newer versions of dot (>1.8.10) -# support this, this feature is disabled by default. - -DOT_MULTI_TARGETS = YES - -# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will -# generate a legend page explaining the meaning of the various boxes and -# arrows in the dot generated graphs. - -GENERATE_LEGEND = YES - -# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will -# remove the intermediate dot files that are used to generate -# the various graphs. - -DOT_CLEANUP = YES diff --git a/lib/HACKING b/lib/HACKING deleted file mode 100644 index 8278238..0000000 --- a/lib/HACKING +++ /dev/null @@ -1,91 +0,0 @@ -HACKING file for libradsec (in Emacs -*- org -*- mode). - -Status as of libradsec-0.0.5 (2014-02-03). - -* Build instructions -sh autogen.sh -./configure -make - -examples/client -r examples/client.conf blocking-tls; echo $? - -* Design of the API -- There are three usage modes: - - - Application uses blocking send and receive calls (blocking - mode). This is typically fine for a simple client. - - - Application registers callbacks with libradsec and runs the - libevent dispatch loop (a.k.a. user dispatch mode). This would - probably how to implement a server or a proxy. - - - Application runs its own event loop, using fd's for select and - performs I/O using libradsec send/receive functions - (a.k.a. on-your-own mode). Might be useful for an application - which already has an event loop that wants to add RadSec - functionality. - -- Apart from configuration and error handling, an application - shouldn't need to handle TCP and UDP connections - differently. Similarly, the use of TLS/DTLS or not shouldn't - influence the libradsec calls made by the application. - -- Configuration is done either by using the API or by pointing at a - configuration file which is parsed by libradsec. - -- Fully reentrant. - -- Application chooses allocation regime. - -Note that as of 0.0.4 libradsec suffers from way too much focus on -the behaviour of a blocking client and is totally useless as a server. -Not only does it lack most of the functions needed for writing a -server but it also contains at least one architectural mishap which -kills the server idea -- a connection timeout (TCP) or a retransmit -timeout (UDP) will result in the event loop being broken. The same -thing will happen if there's an error on a TCP connection, f.ex. a -failing certificate validation (TLS). - -* Dependencies -Details (within parentheses) apply to Debian Wheezy. - -- libconfuse (2.7-4) - sudo apt-get install libconfuse-dev libconfuse0 -- libevent2 (2.0.19-stable-3) - sudo apt-get install libevent-dev libevent-2.0-5 -- OpenSSL (1.0.1c-4) -- optional, for TLS and DTLS support - sudo apt-get install libssl-dev libssl1.0.0 - -* Functionality and quality in 0.0.x -** Not well tested -- reading config file -- [TCP] short read -- [TCP] short write -- [TLS] basic tls support -- [TLS] preshared key support -- [TLS] verification of CN - -** Known issues -- error stack is only one entry deep -- custom allocation scheme is not used in all places - -** Not implemented -- dispatch mode (planned for 0.1) -- [client] server failover / RFC3539 watchdog (planned for 0.1) -- [server] support (planned for 0.2) -- [client] TCP keepalive -- on-your-own mode -- [DTLS] support - -* Found a bug? -Please report it. That is how we improve the quality of the code. - -If possible, please build the library with DEBUG defined (CFLAGS="-g --DDEBUG") and reproduce the problem. With DEBUG defined, lots of -asserts are enabled which might give a hint about what's gone wrong. - -Running the library under gdb is another good idea. If you experience -a crash, catching the crash in gdb and providing a backtrace is highly -valuable for debugging. - -Contact: mailto:linus+libradsec@nordu.net diff --git a/lib/LICENSE b/lib/LICENSE deleted file mode 100644 index be32a9a..0000000 --- a/lib/LICENSE +++ /dev/null @@ -1,33 +0,0 @@ -* Copyright (c) 2007-2010, UNINETT AS -* Copyright (c) 2011, JANET(UK) -* Copyright (c) 2010-2013, NORDUnet A/S -* All rights reserved. -* -* Redistribution and use in source and binary forms, with or without -* modification, are permitted provided that the following conditions are -* met: -* -* 1. Redistributions of source code must retain the above copyright -* notice, this list of conditions and the following disclaimer. -* -* 2. Redistributions in binary form must reproduce the above -* copyright notice, this list of conditions and the following -* disclaimer in the documentation and/or other materials provided -* with the distribution. -* -* 3. Neither the name of NORDUnet A/S nor the names of the -* contributors may be used to endorse or promote products -* derived from this software without specific prior written -* permission. -* -* THIS SOFTWARE IS PROVIDED BY NORDUNET A/S ``AS IS'' AND -* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NORDUNET A/S OR CONTRIBUTORS -* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -* OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN -* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/lib/Makefile.am b/lib/Makefile.am deleted file mode 100644 index 84f7491..0000000 --- a/lib/Makefile.am +++ /dev/null @@ -1,72 +0,0 @@ -AUTOMAKE_OPTIONS = foreign -ACLOCAL_AMFLAGS = -I m4 - -# Shared library interface version, i.e. -version-info to Libtool, -# expressed as three integers CURRENT:REVISION:AGE. -# -# CURRENT is the version number of the current interface. Increment -# CURRENT when the library interface has changed or has been extended. -# -# REVISION is the version number of the _implementation_ of the -# CURRENT interface. Set REVISION to 0 when CURRENT changes, else -# increment. -# -# AGE is the number of interfaces this library implements, i.e. how -# many versions before CURRENT that are supported. Increment AGE when -# the library interface is _extended_. Set AGE to 0 when the library -# interface is _changed_. - - -SUBDIRS = radius radsecproxy include . examples -DIST_SUBDIRS = $(SUBDIRS) tests - -AM_CPPFLAGS = -I$(srcdir)/include -AM_CFLAGS = -Wall -Werror -g - -lib_LTLIBRARIES = libradsec.la - -libradsec_la_SOURCES = \ - avp.c \ - compat.c \ - conf.c \ - conn.c \ - debug.c \ - err.c \ - event.c \ - packet.c \ - peer.c \ - radsec.c \ - request.c \ - send.c \ - tcp.c \ - udp.c \ - util.c - -if RS_ENABLE_TLS -libradsec_la_SOURCES += tls.c -else -libradsec_la_SOURCES += md5.c -endif - -libradsec_la_SOURCES += \ - compat.h \ - conn.h \ - debug.h \ - err.h \ - event.h \ - md5.h \ - packet.h \ - peer.h \ - radsec.h \ - tcp.h \ - tls.h \ - udp.h \ - util.h - -EXTRA_DIST = CHANGES HACKING LICENSE libradsec.spec radsec.sym -EXTRA_libradsec_la_DEPENDENCIES = radsec.sym -AM_DISTCHECK_CONFIGURE_FLAGS = --enable-tls --enable-tls-psk - -libradsec_la_LIBADD = radsecproxy/libradsec-radsecproxy.la radius/libradsec-radius.la -libradsec_la_LDFLAGS = -version-info 1:0:1 -export-symbols $(srcdir)/radsec.sym -libradsec_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H -Werror # -DDEBUG -DDEBUG_LEVENT diff --git a/lib/README b/lib/README deleted file mode 100644 index 4c0d277..0000000 --- a/lib/README +++ /dev/null @@ -1,48 +0,0 @@ -Libradsec is a RADIUS library for clients doing RADIUS over UDP or -TLS. The goal is to add support for writing servers (and thus proxies) -and to add transports TCP and DTLS. - - -The canonical pickup point is -http://git.nordu.net/?p=radsecproxy.git;a=shortlog;h=refs/heads/libradsec - - -The source code is licensed under a 3-clause BSD license. See the -LICENSE file. - - -Libradsec depends on -- libconfuse -- libevent2 -- openssl (unless configured with --disable-tls) - - -To compile the library and the examples, do something like - - sh autogen.sh && ./configure && make - - -There are a couple of options that can be used when configuring. See - - ./configure --help - -for the full list. Worth mentioning here is --enable-tls-psk. - -If the preprocessor has a hard time finding some of the header files -are, try setting environment variable CPPFLAGS at configure -time. Example: - - CPPFLAGS="-I/usr/local/include" ./configure --enable-tls - -If the link editor has trouble finding any of the libraries needed, -try setting environment variable LDFLAGS at configure time. Example: - - LDFLAGS="-L/usr/local/lib" ./configure --enable-tls - - -The parts of the library which has been tested has been so on Linux -(Debian) with libconfuse (2.7), libevent (2.0.19) and OpenSSL -(1.0.1c). - -The file HACKING contains more detailed info on the state of the -various parts of the library. diff --git a/lib/autogen.sh b/lib/autogen.sh deleted file mode 100644 index d9cee9d..0000000 --- a/lib/autogen.sh +++ /dev/null @@ -1,14 +0,0 @@ -#! /bin/sh - -[ -d m4 ] || mkdir m4 -[ -d build-aux ] || mkdir build-aux - -if [ -x "`which autoreconf 2>/dev/null`" ] ; then - exec autoreconf -ivf -fi - -aclocal -I m4 && \ - autoheader && \ - libtoolize --automake -c && \ - autoconf && \ - automake --add-missing --copy diff --git a/lib/avp.c b/lib/avp.c deleted file mode 100644 index 11c56db..0000000 --- a/lib/avp.c +++ /dev/null @@ -1,540 +0,0 @@ -/* Copyright 2011 JANET(UK). All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include - -#include -#include - -#define RS_ERR(err) ((err) < 0 ? -err : RSE_OK) - -void -rs_avp_free (rs_avp **vps) -{ - nr_vp_free (vps); -} - -size_t -rs_avp_length (rs_const_avp *vp) -{ - if (vp == NULL) - return 0; - - return vp->length; -} - -rs_attr_type_t -rs_avp_typeof (rs_const_avp *vp) -{ - if (vp == NULL) - return RS_TYPE_INVALID; - - return vp->da->type; -} - -void -rs_avp_attrid (rs_const_avp *vp, - unsigned int *attr, - unsigned int *vendor) -{ - assert (vp != NULL); - - *attr = vp->da->attr; - *vendor = vp->da->vendor; -} - -const char * -rs_avp_name (rs_const_avp *vp) -{ - return (vp != NULL) ? vp->da->name : NULL; -} - -void -rs_avp_append (rs_avp **head, rs_avp *tail) -{ - nr_vps_append (head, tail); -} - -rs_avp * -rs_avp_find (rs_avp *vp, unsigned int attr, unsigned int vendor) -{ - if (vp == NULL) - return NULL; - - return nr_vps_find (vp, attr, vendor); -} - -rs_const_avp * -rs_avp_find_const (rs_const_avp *vp, - unsigned int attr, unsigned int vendor) -{ - if (vp == NULL) - return NULL; - - return nr_vps_find ((rs_avp *)vp, attr, vendor); -} - -rs_avp * -rs_avp_alloc (unsigned int attr, unsigned int vendor) -{ - const DICT_ATTR *da; - VALUE_PAIR *vp; - - da = nr_dict_attr_byvalue (attr, vendor); - if (da == NULL) { - vp = nr_vp_alloc_raw (attr, vendor); - } else { - vp = nr_vp_alloc (da); - } - - if (vp == NULL) - return NULL; - - return vp; -} - -rs_avp * -rs_avp_dup (rs_const_avp *vp) -{ - rs_avp *vp2; - - if (vp->da->flags.unknown) - vp2 = nr_vp_alloc_raw (vp->da->attr, vp->da->vendor); - else - vp2 = nr_vp_alloc (vp->da); - if (vp2 == NULL) - return NULL; - - vp2->length = vp->length; - vp2->tag = vp->tag; - vp2->next = NULL; - -#ifdef RS_TYPE_TLV - if (rs_avp_is_tlv (vp)) { - vp2->vp_tlv = malloc (vp->length); - if (vp2->vp_tlv == NULL) { - rs_avp_free (vp2); - return NULL; - } - memcpy (vp2->vp_tlv, vp->vp_tlv, vp->length); - return vp2; - } -#endif - - memcpy (vp2->vp_strvalue, vp->vp_strvalue, vp->length); - if (rs_avp_is_string (vp)) - vp2->vp_strvalue[vp->length] = '\0'; - - return vp2; -} - -rs_avp * -rs_avp_next (rs_avp *vp) -{ - return (vp != NULL) ? vp->next : NULL; -} - -rs_const_avp * -rs_avp_next_const (rs_const_avp *vp) -{ - return (vp != NULL) ? vp->next : NULL; -} - -int -rs_avp_delete (rs_avp **first, - unsigned int attr, unsigned int vendor) -{ - int found = 0; - rs_avp **p; - - for (p = first; *p != NULL; p++) { - if ((*p)->da->attr == attr && - (*p)->da->vendor == vendor) { - rs_avp *next = (*p)->next; - - (*p)->next = NULL; - rs_avp_free (p); - - *p = next; - found++; - } - } - - return found ? RSE_OK : RSE_ATTR_UNKNOWN; -} - -const char * -rs_avp_string_value (rs_const_avp *vp) -{ - if (!rs_avp_is_string (vp)) - return NULL; - - return vp->vp_strvalue; -} - -int -rs_avp_string_set (rs_avp *vp, const char *str) -{ - int err; - - if (vp == NULL) - return RSE_INVAL; - if (!rs_avp_is_string (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, str, strlen (str)); - return RS_ERR(err); -} - -uint32_t -rs_avp_integer_value (rs_const_avp *vp) -{ - if (!rs_avp_is_integer (vp)) - return 0; - return vp->vp_integer; -} - -int -rs_avp_integer_set (rs_avp *vp, uint32_t val) -{ - int err; - - if (vp == NULL) - return RSE_INVAL; - if (!rs_avp_is_integer (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, &val, sizeof (val)); - return RS_ERR(err); -} - -uint32_t -rs_avp_ipaddr_value (rs_const_avp *vp) -{ - if (!rs_avp_is_ipaddr (vp)) - return 0; - return vp->vp_ipaddr; -} - -int -rs_avp_ipaddr_set (rs_avp *vp, struct in_addr in) -{ - int err; - - if (vp == NULL) - return RSE_INVAL; - if (!rs_avp_is_ipaddr (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, &in, sizeof (in)); - return RS_ERR(err); -} - -time_t -rs_avp_date_value (rs_const_avp *vp) -{ - if (!rs_avp_is_date (vp)) - return 0; - return vp->vp_date; -} - -int -rs_avp_date_set (rs_avp *vp, time_t date) -{ - uint32_t date32; - int err; - - if (vp == NULL) - return RSE_INVAL; - if (!rs_avp_is_date (vp)) - return RSE_ATTR_INVALID; - if (date > 0xFFFFFFFF) - return RSE_ATTR_INVALID; - - date32 = (uint32_t)date; - err = nr_vp_set_data (vp, &date32, sizeof (date32)); - - return RS_ERR(err); -} - -const unsigned char * -rs_avp_octets_value_const_ptr (rs_const_avp *vp) -{ - return rs_avp_octets_value_ptr ((rs_avp *)vp); -} - -unsigned char * -rs_avp_octets_value_ptr (rs_avp *vp) -{ - if (vp == NULL) - return NULL; - -#ifdef RS_TYPE_TLV - if (rs_avp_is_tlv (vp)) - return vp->vp_tlv; -#endif - - return vp->vp_octets; -} - -int -rs_avp_octets_value_byref (rs_avp *vp, - unsigned char **p, - size_t *len) -{ - if (vp == NULL) - return RSE_INVAL; - - *len = vp->length; - *p = (unsigned char *)rs_avp_octets_value_ptr (vp); - - return RSE_OK; -} - -int -rs_avp_octets_value (rs_const_avp *vp, - unsigned char *buf, - size_t *len) -{ - if (vp == NULL) - return RSE_INVAL; - - if (vp->length > *len) { - *len = vp->length; - return RSE_ATTR_TOO_SMALL; - } - - *len = vp->length; - -#ifdef RS_TYPE_TLV - if (rs_avp_is_tlv (vp)) - memcpy (buf, vp->vp_tlv, vp->length); - else -#endif - memcpy (buf, vp->vp_octets, vp->length); - - return RSE_OK; -} - -int -rs_avp_fragmented_value (rs_const_avp *vps, - unsigned char *buf, - size_t *len) -{ - size_t total_len = 0; - unsigned char *p; - rs_const_avp *vp; - - if (vps == NULL) - return RSE_INVAL; - - if (!rs_avp_is_octets (vps) && - !rs_avp_is_string (vps)) - return RSE_ATTR_INVALID; - - for (vp = vps; - vp != NULL; - vp = rs_avp_find_const (vp->next, vp->da->attr, vp->da->vendor)) - total_len += vp->length; - - if (*len < total_len) { - *len = total_len; - return RSE_ATTR_TOO_SMALL; - } - - for (vp = vps, p = buf; - vp != NULL; - vp = rs_avp_find_const (vp->next, vp->da->attr, vp->da->vendor)) { - memcpy (p, vp->vp_octets, vp->length); - p += vp->length; - } - - *len = total_len; - - return RSE_OK; -} - -int -rs_avp_octets_set (rs_avp *vp, - const unsigned char *buf, - size_t len) -{ - int err; - - if (!rs_avp_is_octets (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, buf, len); - - return RS_ERR(err); -} - -int -rs_avp_ifid_value (rs_const_avp *vp, uint8_t val[8]) -{ - if (!rs_avp_is_ifid (vp)) - return RSE_ATTR_INVALID; - - memcpy (val, vp->vp_ifid, 8); - - return RSE_OK; -} - -int -rs_avp_ifid_set (rs_avp *vp, const uint8_t val[8]) -{ - int err; - - if (!rs_avp_is_ifid (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, val, 8); - return RS_ERR(err); -} - -uint8_t -rs_avp_byte_value (rs_const_avp *vp) -{ - if (!rs_avp_is_byte (vp)) - return 0; - return vp->vp_integer; -} - -int -rs_avp_byte_set (rs_avp *vp, uint8_t val) -{ - int err; - - if (!rs_avp_is_byte (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, &val, sizeof (val)); - return RS_ERR(err); -} - -uint16_t -rs_avp_short_value (rs_const_avp *vp) -{ - if (!rs_avp_is_short (vp)) - return 0; - return vp->vp_integer; -} - -int -rs_avp_short_set (rs_avp *vp, uint16_t val) -{ - int err; - - if (!rs_avp_is_short (vp)) - return RSE_ATTR_INVALID; - - err = nr_vp_set_data (vp, &val, sizeof (val)); - return RS_ERR(err); -} - -int -rs_attr_find (const char *name, - unsigned int *attr, - unsigned int *vendor) -{ - const DICT_ATTR *da; - - da = nr_dict_attr_byname (name); - if (da == NULL) - return RSE_ATTR_UNKNOWN; - - *attr = da->attr; - *vendor = da->vendor; - - return RSE_OK; -} - -int -rs_attr_display_name (unsigned int attr, - unsigned int vendor, - char *buffer, - size_t bufsize, - int canonical) -{ - const DICT_ATTR *da = NULL; - DICT_ATTR da2; - int err; - - if (!canonical) { - da = nr_dict_attr_byvalue (attr, vendor); - } - if (da == NULL) { - err = nr_dict_attr_2struct(&da2, attr, vendor, - buffer, bufsize); - if (err < 0) - return -err; - } else { - snprintf(buffer, bufsize, "%s", da->name); - } - - return RSE_OK; -} - -int -rs_attr_parse_name (const char *name, - unsigned int *attr, - unsigned int *vendor) -{ - const DICT_ATTR *da; - - if (strncmp(name, "Attr-", 5) == 0) { - char *s = (char *)&name[5]; - unsigned int tmp; - - tmp = strtoul(s, &s, 10); - if (*s == '.') { - s++; - - switch (tmp) { - case PW_VENDOR_SPECIFIC: - *vendor = strtoul(s, &s, 10); - if (*s != '.') - return RSE_ATTR_BAD_NAME; - - s++; - - *attr = strtoul(s, &s, 10); - if (*s != '\0') - return RSE_ATTR_BAD_NAME; - - break; - default: - return RSE_ATTR_BAD_NAME; - } - } else { - *attr = tmp; - *vendor = 0; - } - } else { - da = nr_dict_attr_byname (name); - if (da == NULL) - return RSE_ATTR_UNKNOWN; - - *attr = da->attr; - *vendor = da->vendor; - } - - return RSE_OK; -} - -size_t -rs_avp_display_value (rs_const_avp *vp, - char *buffer, - size_t buflen) -{ - return nr_vp_snprintf_value (buffer, buflen, vp); -} - diff --git a/lib/compat.c b/lib/compat.c deleted file mode 100644 index 7c4e346..0000000 --- a/lib/compat.c +++ /dev/null @@ -1,22 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include "compat.h" - -ssize_t -compat_send (int sockfd, const void *buf, size_t len, int flags) -{ - return send (sockfd, buf, len, flags); -} - -ssize_t -compat_recv (int sockfd, void *buf, size_t len, int flags) -{ - return recv (sockfd, buf, len, flags); -} diff --git a/lib/compat.h b/lib/compat.h deleted file mode 100644 index d3083e9..0000000 --- a/lib/compat.h +++ /dev/null @@ -1,5 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -ssize_t compat_send (int sockfd, const void *buf, size_t len, int flags); -ssize_t compat_recv (int sockfd, void *buf, size_t len, int flags); diff --git a/lib/conf.c b/lib/conf.c deleted file mode 100644 index 4e0df31..0000000 --- a/lib/conf.c +++ /dev/null @@ -1,255 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include "peer.h" -#include "util.h" -#include "debug.h" - -#if 0 - # common config options - - # common realm config options - realm STRING { - type = "UDP"|"TCP"|"TLS"|"DTLS" - timeout = INT - retries = INT - cacertfile = STRING - #cacertpath = STRING - certfile = STRING - certkeyfile = STRING - pskstr = STRING # Transport pre-shared key, UTF-8 form. - pskhexstr = STRING # Transport pre-shared key, ASCII hex form. - pskid = STRING - pskex = "PSK"|"DHE_PSK"|"RSA_PSK" - disable_hostname_check = "yes"|"no" - } - - # client specific realm config options - realm STRING { - server { - hostname = STRING - service = STRING - secret = STRING # RADIUS secret - } - } -#endif - -/* FIXME: Leaking memory in error cases. */ -int -rs_context_read_config(struct rs_context *ctx, const char *config_file) -{ - cfg_t *cfg, *cfg_realm, *cfg_server; - int err = 0; - int i, j; - const char *s; - struct rs_config *config = NULL; - - cfg_opt_t server_opts[] = - { - CFG_STR ("hostname", NULL, CFGF_NONE), - CFG_STR ("service", "2083", CFGF_NONE), - CFG_STR ("secret", "radsec", CFGF_NONE), - CFG_END () - }; - cfg_opt_t realm_opts[] = - { - CFG_STR ("type", "UDP", CFGF_NONE), - CFG_INT ("timeout", 2, CFGF_NONE), /* FIXME: Remove? */ - CFG_INT ("retries", 2, CFGF_NONE), /* FIXME: Remove? */ - CFG_STR ("cacertfile", NULL, CFGF_NONE), - /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/ - CFG_STR ("certfile", NULL, CFGF_NONE), - CFG_STR ("certkeyfile", NULL, CFGF_NONE), - CFG_STR ("pskstr", NULL, CFGF_NONE), - CFG_STR ("pskhexstr", NULL, CFGF_NONE), - CFG_STR ("pskid", NULL, CFGF_NONE), - CFG_STR ("pskex", "PSK", CFGF_NONE), - CFG_BOOL ("disable_hostname_check", cfg_false, CFGF_NONE), - CFG_SEC ("server", server_opts, CFGF_MULTI), - CFG_END () - }; - cfg_opt_t opts[] = - { - CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI), - CFG_END () - }; - - cfg = cfg_init (opts, CFGF_NONE); - if (cfg == NULL) - return rs_err_ctx_push (ctx, RSE_CONFIG, "unable to initialize libconfuse"); - err = cfg_parse (cfg, config_file); - switch (err) - { - case CFG_SUCCESS: - break; - case CFG_FILE_ERROR: - return rs_err_ctx_push (ctx, RSE_CONFIG, - "%s: unable to open configuration file", - config_file); - case CFG_PARSE_ERROR: - return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: invalid configuration file", - config_file); - default: - return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: unknown parse error", - config_file); - } - - config = rs_calloc (ctx, 1, sizeof (*config)); - if (config == NULL) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); - ctx->config = config; - - for (i = 0; i < cfg_size (cfg, "realm"); i++) - { - struct rs_realm *r = NULL; - const char *typestr; - char *pskstr = NULL, *pskhexstr = NULL; - - r = rs_calloc (ctx, 1, sizeof(*r)); - if (r == NULL) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); - if (config->realms != NULL) - { - r->next = config->realms->next; - config->realms->next = r; - } - else - { - config->realms = r; - } - cfg_realm = cfg_getnsec (cfg, "realm", i); - s = cfg_title (cfg_realm); - if (s == NULL) - return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__, - "missing realm name"); - /* We use a copy of the return value of cfg_title() since it's const. */ - r->name = rs_strdup (ctx, s); - if (r->name == NULL) - return RSE_NOMEM; - - typestr = cfg_getstr (cfg_realm, "type"); - if (strcmp (typestr, "UDP") == 0) - r->type = RS_CONN_TYPE_UDP; - else if (strcmp (typestr, "TCP") == 0) - r->type = RS_CONN_TYPE_TCP; - else if (strcmp (typestr, "TLS") == 0) - r->type = RS_CONN_TYPE_TLS; - else if (strcmp (typestr, "DTLS") == 0) - r->type = RS_CONN_TYPE_DTLS; - else - return rs_err_ctx_push (ctx, RSE_CONFIG, - "%s: invalid connection type: %s", - r->name, typestr); - r->timeout = cfg_getint (cfg_realm, "timeout"); - r->retries = cfg_getint (cfg_realm, "retries"); - r->disable_hostname_check = cfg_getbool (cfg_realm, "disable_hostname_check"); - - r->cacertfile = cfg_getstr (cfg_realm, "cacertfile"); - /*r->cacertpath = cfg_getstr (cfg_realm, "cacertpath");*/ - r->certfile = cfg_getstr (cfg_realm, "certfile"); - r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile"); - - pskstr = cfg_getstr (cfg_realm, "pskstr"); - pskhexstr = cfg_getstr (cfg_realm, "pskhexstr"); - if (pskstr || pskhexstr) - { -#if defined RS_ENABLE_TLS_PSK - char *kex = cfg_getstr (cfg_realm, "pskex"); - rs_cred_type_t type = RS_CRED_NONE; - struct rs_credentials *cred = NULL; - assert (kex != NULL); - - if (!strcmp (kex, "PSK")) - type = RS_CRED_TLS_PSK; - else - { - /* TODO: push a warning on the error stack:*/ - /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange" - " algorithm -- PSK not used", kex);*/ - } - - if (type != RS_CRED_NONE) - { - cred = rs_calloc (ctx, 1, sizeof (*cred)); - if (cred == NULL) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, - NULL); - cred->type = type; - cred->identity = cfg_getstr (cfg_realm, "pskid"); - if (pskhexstr) - { - cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX; - cred->secret = pskhexstr; - if (pskstr) - ; /* TODO: warn that we're ignoring pskstr */ - } - else - { - cred->secret_encoding = RS_KEY_ENCODING_UTF8; - cred->secret = pskstr; - } - - r->transport_cred = cred; - } -#else /* !RS_ENABLE_TLS_PSK */ - /* TODO: push a warning on the error stack: */ - /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with " - "support for TLS preshared keys, ignoring pskstr " - "and pskhexstr");*/ -#endif /* RS_ENABLE_TLS_PSK */ - } - - /* For TLS and DTLS realms, validate that we either have (i) CA - cert file or path or (ii) PSK. */ - if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS) - && (r->cacertfile == NULL && r->cacertpath == NULL) - && r->transport_cred == NULL) - return rs_err_ctx_push (ctx, RSE_CONFIG, - "%s: missing both CA file/path and PSK", - r->name); - - /* Add peers, one per server stanza. */ - for (j = 0; j < cfg_size (cfg_realm, "server"); j++) - { - struct rs_peer *p = peer_create (ctx, &r->peers); - if (p == NULL) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, - NULL); - p->realm = r; - - cfg_server = cfg_getnsec (cfg_realm, "server", j); - p->hostname = cfg_getstr (cfg_server, "hostname"); - p->service = cfg_getstr (cfg_server, "service"); - p->secret = cfg_getstr (cfg_server, "secret"); - } - } - - /* Save config object in context, for freeing in rs_context_destroy(). */ - ctx->config->cfg = cfg; - - return RSE_OK; -} - -struct rs_realm * -rs_conf_find_realm(struct rs_context *ctx, const char *name) -{ - struct rs_realm *r; - assert (ctx); - - if (ctx->config) - for (r = ctx->config->realms; r; r = r->next) - if (strcmp (r->name, name) == 0) - return r; - - return NULL; -} diff --git a/lib/configure.ac b/lib/configure.ac deleted file mode 100644 index d99bab4..0000000 --- a/lib/configure.ac +++ /dev/null @@ -1,68 +0,0 @@ -# -*- Autoconf -*- script for libradsec. - -AC_PREREQ([2.63]) -AC_INIT([libradsec], [0.0.5], [linus+libradsec@nordu.net]) -AC_CONFIG_MACRO_DIR([m4]) -AC_CONFIG_SRCDIR([radsec.c]) -AC_CONFIG_AUX_DIR([build-aux]) -AC_CONFIG_HEADERS([config.h]) -AM_INIT_AUTOMAKE -LT_INIT - -# Checks for programs. -AC_PROG_CC - -# Checks for libraries. -AC_CHECK_LIB([confuse], [cfg_init],, - AC_MSG_ERROR([required library libconfuse not found])) -AC_CHECK_LIB([event_core], [event_get_version],, - AC_MSG_ERROR([required library libevent_core not found])) -AH_TEMPLATE([HAVE_PTHREADS], [POSIX threads are available on this system]) -AC_SEARCH_LIBS([pthread_create], [pthread], AC_DEFINE([HAVE_PTHREADS])) - -# Enable-knobs. -## Enable TLS (RadSec), default on. -want_tls=yes -AH_TEMPLATE([RS_ENABLE_TLS], [TLS (RadSec) enabled]) -AH_TEMPLATE([RADPROT_TLS], []) -AC_ARG_ENABLE([tls], - AS_HELP_STRING([--disable-tls], [disable TLS (RadSec)]), - [want_tls=$enableval]) -AM_CONDITIONAL([RS_ENABLE_TLS], [test $want_tls = yes]) -if test $want_tls = yes; then - AC_CHECK_LIB([event_openssl], [bufferevent_openssl_socket_new],, - AC_MSG_ERROR([required library event_openssl not found])) - AC_DEFINE([RS_ENABLE_TLS]) - AC_DEFINE([RADPROT_TLS]) -else - # Define WITHOUT_OPENSSL for radius/client.h. - CPPFLAGS="$CPPFLAGS -DWITHOUT_OPENSSL" -fi -## Enable TLS-PSK (preshared keys). -AH_TEMPLATE([RS_ENABLE_TLS_PSK], [TLS-PSK (TLS preshared keys) enabled]) -AC_ARG_ENABLE([tls-psk], AS_HELP_STRING([--enable-tls-psk], [enable TLS-PSK (TLS preshared keys)]), - [AC_CHECK_LIB([ssl], [SSL_set_psk_client_callback],, - AC_MSG_ERROR([required library openssl with SSL_set_psk_client_callback() not found])) - AC_DEFINE([RS_ENABLE_TLS_PSK])]) -AM_CONDITIONAL([RS_ENABLE_TLS_PSK], [test "${enable_tls_psk+set}" = set]) - -# Checks for header files. -AC_CHECK_HEADERS( - [sys/time.h time.h netdb.h netinet/in.h stdint.h stdlib.h strings.h string.h \ - sys/socket.h unistd.h syslog.h sys/select.h fcntl.h arpa/inet.h pthread.h]) - -# Checks for typedefs, structures, and compiler characteristics. -AC_TYPE_SIZE_T -AC_TYPE_SSIZE_T -AC_TYPE_UINT8_T - -# Checks for library functions. -AC_CHECK_FUNCS([memset socket strdup strerror strrchr]) - -AC_CONFIG_FILES([Makefile libradsec.spec - radsecproxy/Makefile - radius/Makefile - include/Makefile - examples/Makefile - tests/Makefile]) -AC_OUTPUT diff --git a/lib/conn.c b/lib/conn.c deleted file mode 100644 index 970a071..0000000 --- a/lib/conn.c +++ /dev/null @@ -1,335 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "conn.h" -#include "event.h" -#include "packet.h" -#include "tcp.h" - -int -conn_user_dispatch_p (const struct rs_connection *conn) -{ - assert (conn); - - return (conn->callbacks.connected_cb || - conn->callbacks.disconnected_cb || - conn->callbacks.received_cb || - conn->callbacks.sent_cb); -} - - -int -conn_activate_timeout (struct rs_connection *conn) -{ - assert (conn); - assert (conn->tev); - assert (conn->evb); - if (conn->timeout.tv_sec || conn->timeout.tv_usec) - { - rs_debug (("%s: activating timer: %d.%d\n", __func__, - conn->timeout.tv_sec, conn->timeout.tv_usec)); - if (evtimer_add (conn->tev, &conn->timeout)) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "evtimer_add: %d", errno); - } - return RSE_OK; -} - -int -conn_type_tls (const struct rs_connection *conn) -{ - return conn->realm->type == RS_CONN_TYPE_TLS - || conn->realm->type == RS_CONN_TYPE_DTLS; -} - -int -conn_cred_psk (const struct rs_connection *conn) -{ - return conn->realm->transport_cred && - conn->realm->transport_cred->type == RS_CRED_TLS_PSK; -} - - -/* Public functions. */ -int -rs_conn_create (struct rs_context *ctx, - struct rs_connection **conn, - const char *config) -{ - struct rs_connection *c; - - c = (struct rs_connection *) malloc (sizeof(struct rs_connection)); - if (!c) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL); - - memset (c, 0, sizeof(struct rs_connection)); - c->ctx = ctx; - c->fd = -1; - if (config) - { - struct rs_realm *r = rs_conf_find_realm (ctx, config); - if (r) - { - struct rs_peer *p; - - c->realm = r; - c->peers = r->peers; /* FIXME: Copy instead? */ - for (p = c->peers; p; p = p->next) - p->conn = c; - c->timeout.tv_sec = r->timeout; - c->tryagain = r->retries; - } - else - { - c->realm = rs_malloc (ctx, sizeof (struct rs_realm)); - if (!c->realm) - return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, - NULL); - memset (c->realm, 0, sizeof (struct rs_realm)); - } - } - - if (conn) - *conn = c; - return RSE_OK; -} - -void -rs_conn_set_type (struct rs_connection *conn, rs_conn_type_t type) -{ - assert (conn); - assert (conn->realm); - conn->realm->type = type; -} - -int -rs_conn_add_listener (struct rs_connection *conn, - rs_conn_type_t type, - const char *hostname, - int port) -{ - return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); -} - - -int -rs_conn_disconnect (struct rs_connection *conn) -{ - int err = 0; - - assert (conn); - - if (conn->is_connected) - event_on_disconnect (conn); - - if (conn->bev) - { - bufferevent_free (conn->bev); - conn->bev = NULL; - } - if (conn->rev) - { - event_free (conn->rev); - conn->rev = NULL; - } - if (conn->wev) - { - event_free (conn->wev); - conn->wev = NULL; - } - - err = evutil_closesocket (conn->fd); - conn->fd = -1; - return err; -} - -int -rs_conn_destroy (struct rs_connection *conn) -{ - int err = 0; - - assert (conn); - - /* NOTE: conn->realm is owned by context. */ - /* NOTE: conn->peers is owned by context. */ - - if (conn->is_connected) - err = rs_conn_disconnect (conn); - -#if defined (RS_ENABLE_TLS) - if (conn->tls_ssl) /* FIXME: Free SSL strucxt in rs_conn_disconnect? */ - SSL_free (conn->tls_ssl); - if (conn->tls_ctx) - SSL_CTX_free (conn->tls_ctx); -#endif - - if (conn->tev) - event_free (conn->tev); - if (conn->bev) - bufferevent_free (conn->bev); - if (conn->rev) - event_free (conn->rev); - if (conn->wev) - event_free (conn->wev); - if (conn->evb) - event_base_free (conn->evb); - - rs_free (conn->ctx, conn); - - return err; -} - -int -rs_conn_set_eventbase (struct rs_connection *conn, struct event_base *eb) -{ - return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); -} - -void -rs_conn_set_callbacks (struct rs_connection *conn, struct rs_conn_callbacks *cb) -{ - assert (conn); - memcpy (&conn->callbacks, cb, sizeof (conn->callbacks)); -} - -void -rs_conn_del_callbacks (struct rs_connection *conn) -{ - assert (conn); - memset (&conn->callbacks, 0, sizeof (conn->callbacks)); -} - -struct rs_conn_callbacks * -rs_conn_get_callbacks(struct rs_connection *conn) -{ - assert (conn); - return &conn->callbacks; -} - -int -rs_conn_select_peer (struct rs_connection *conn, const char *name) -{ - return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); -} - -int -rs_conn_get_current_peer (struct rs_connection *conn, - const char *name, - size_t buflen) -{ - return rs_err_conn_push_fl (conn, RSE_NOSYS, __FILE__, __LINE__, NULL); -} - -int rs_conn_fd (struct rs_connection *conn) -{ - assert (conn); - assert (conn->active_peer); - return conn->fd; -} - -static void -_rcb (struct rs_packet *packet, void *user_data) -{ - struct rs_packet *pkt = (struct rs_packet *) user_data; - assert (pkt); - assert (pkt->conn); - - pkt->flags |= RS_PACKET_RECEIVED; - if (pkt->conn->bev) - bufferevent_disable (pkt->conn->bev, EV_WRITE|EV_READ); - else - event_del (pkt->conn->rev); -} - -int -rs_conn_receive_packet (struct rs_connection *conn, - struct rs_packet *req_msg, - struct rs_packet **pkt_out) -{ - int err = 0; - struct rs_packet *pkt = NULL; - - assert (conn); - assert (conn->realm); - assert (!conn_user_dispatch_p (conn)); /* Blocking mode only. */ - - if (rs_packet_create (conn, &pkt)) - return -1; - - assert (conn->evb); - assert (conn->fd >= 0); - - conn->callbacks.received_cb = _rcb; - conn->user_data = pkt; - pkt->flags &= ~RS_PACKET_RECEIVED; - - if (conn->bev) /* TCP. */ - { - bufferevent_setwatermark (conn->bev, EV_READ, RS_HEADER_LEN, 0); - bufferevent_setcb (conn->bev, tcp_read_cb, NULL, tcp_event_cb, pkt); - bufferevent_enable (conn->bev, EV_READ); - } - else /* UDP. */ - { - /* Put fresh packet in user_data for the callback and enable the - read event. */ - event_assign (conn->rev, conn->evb, event_get_fd (conn->rev), - EV_READ, event_get_callback (conn->rev), pkt); - err = event_add (conn->rev, NULL); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_add: %s", - evutil_gai_strerror (err)); - - /* Activate retransmission timer. */ - conn_activate_timeout (pkt->conn); - } - - rs_debug (("%s: entering event loop\n", __func__)); - err = event_base_dispatch (conn->evb); - conn->callbacks.received_cb = NULL; - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_dispatch: %s", - evutil_gai_strerror (err)); - rs_debug (("%s: event loop done\n", __func__)); - - if ((pkt->flags & RS_PACKET_RECEIVED) != 0) - { - /* If the caller passed a request, check the response. */ - if (req_msg) - err = packet_verify_response (pkt->conn, pkt, req_msg); - - /* If the response was OK and the caller wants it, hand it - over, else free it. */ - if (err == RSE_OK && pkt_out) - *pkt_out = pkt; - else - rs_packet_destroy (pkt); - } - else - err = rs_err_conn_peek_code (pkt->conn); - - return err; -} - -void -rs_conn_set_timeout(struct rs_connection *conn, struct timeval *tv) -{ - assert (conn); - assert (tv); - conn->timeout = *tv; -} diff --git a/lib/conn.h b/lib/conn.h deleted file mode 100644 index 66e15e2..0000000 --- a/lib/conn.h +++ /dev/null @@ -1,7 +0,0 @@ -/* Copyright 2011,2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -int conn_user_dispatch_p (const struct rs_connection *conn); -int conn_activate_timeout (struct rs_connection *conn); -int conn_type_tls (const struct rs_connection *conn); -int conn_cred_psk (const struct rs_connection *conn); diff --git a/lib/debug.c b/lib/debug.c deleted file mode 100644 index 903c793..0000000 --- a/lib/debug.c +++ /dev/null @@ -1,46 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include "debug.h" - -void -rs_dump_packet (const struct rs_packet *pkt) -{ - const RADIUS_PACKET *p = NULL; - - if (!pkt || !pkt->rpkt) - return; - p = pkt->rpkt; - - fprintf (stderr, "\tCode: %u, Identifier: %u, Lenght: %zu\n", - p->code, - p->id, - p->sizeof_data); - fflush (stderr); -} - -#if defined DEBUG -int -_rs_debug (const char *fmt, ...) -{ - int n; - va_list args; - - va_start (args, fmt); - n = vfprintf (stderr, fmt, args); - va_end (args); - fflush (stderr); - - return n; -} -#endif diff --git a/lib/debug.h b/lib/debug.h deleted file mode 100644 index ed62da1..0000000 --- a/lib/debug.h +++ /dev/null @@ -1,27 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#define hd(p, l) { int i; \ - for (i = 1; i <= l; i++) { \ - printf ("%02x ", p[i-1]); \ - if (i % 8 == 0) printf (" "); \ - if (i % 16 == 0) printf ("\n"); } \ - printf ("\n"); } - -#if defined (__cplusplus) -extern "C" { -#endif - -struct rs_packet; -void rs_dump_packet (const struct rs_packet *pkt); -int _rs_debug (const char *fmt, ...); - -#if defined (DEBUG) -#define rs_debug(x) _rs_debug x -#else -#define rs_debug(x) do {;} while (0) -#endif - -#if defined (__cplusplus) -} -#endif diff --git a/lib/err.c b/lib/err.c deleted file mode 100644 index 0c7d5a8..0000000 --- a/lib/err.c +++ /dev/null @@ -1,276 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include - -static const char *_errtxt[] = { - "SUCCESS", /* 0 RSE_OK */ - "out of memory", /* 1 RSE_NOMEM */ - "not yet implemented", /* 2 RSE_NOSYS */ - "invalid handle", /* 3 RSE_INVALID_CTX */ - "invalid connection", /* 4 RSE_INVALID_CONN */ - "connection type mismatch", /* 5 RSE_CONN_TYPE_MISMATCH */ - "FreeRadius error", /* 6 RSE_FR */ - "bad hostname or port", /* 7 RSE_BADADDR */ - "no peer configured", /* 8 RSE_NOPEER */ - "libevent error", /* 9 RSE_EVENT */ - "socket error", /* 10 RSE_SOCKERR */ - "invalid configuration file", /* 11 RSE_CONFIG */ - "authentication failed", /* 12 RSE_BADAUTH */ - "internal error", /* 13 RSE_INTERNAL */ - "SSL error", /* 14 RSE_SSLERR */ - "invalid packet", /* 15 RSE_INVALID_PKT */ - "connect timeout", /* 16 RSE_TIMEOUT_CONN */ - "invalid argument", /* 17 RSE_INVAL */ - "I/O timeout", /* 18 RSE_TIMEOUT_IO */ - "timeout", /* 19 RSE_TIMEOUT */ - "peer disconnected", /* 20 RSE_DISCO */ - "resource is in use", /* 21 RSE_INUSE */ - "packet is too small", /* 22 RSE_PACKET_TOO_SMALL */ - "packet is too large", /* 23 RSE_PACKET_TOO_LARGE */ - "attribute overflows packet", /* 24 RSE_ATTR_OVERFLOW */ - "attribute is too small", /* 25 RSE_ATTR_TOO_SMALL */ - "attribute is too large", /* 26 RSE_ATTR_TOO_LARGE */ - "unknown attribute", /* 27 RSE_ATTR_UNKNOWN */ - "invalid name for attribute", /* 28 RSE_ATTR_BAD_NAME */ - "invalid value for attribute", /* 29 RSE_ATTR_VALUE_MALFORMED */ - "invalid attribute", /* 30 RSE_ATTR_INVALID */ - "too many attributes in the packet", /* 31 RSE_TOO_MANY_ATTRS */ - "attribute type unknown", /* 32 RSE_ATTR_TYPE_UNKNOWN */ - "invalid message authenticator", /* 33 RSE_MSG_AUTH_LEN */ - "incorrect message authenticator", /* 34 RSE_MSG_AUTH_WRONG */ - "request is required", /* 35 RSE_REQUEST_REQUIRED */ - "invalid request code", /* 36 RSE_REQUEST_CODE_INVALID */ - "incorrect request authenticator", /* 37 RSE_AUTH_VECTOR_WRONG */ - "response code is unsupported", /* 38 RSE_INVALID_RESPONSE_CODE */ - "response ID is invalid", /* 39 RSE_INVALID_RESPONSE_ID */ - "response from the wrong source address", /* 40 RSE_INVALID_RESPONSE_SRC */ - "no packet data", /* 41 RSE_NO_PACKET_DATA */ - "vendor is unknown", /* 42 RSE_VENDOR_UNKNOWN */ - "invalid credentials", /* 43 RSE_CRED */ - "certificate validation error", /* 44 RSE_CERT */ -}; -#define ERRTXT_SIZE (sizeof(_errtxt) / sizeof(*_errtxt)) - -static struct rs_error * -_err_vcreate (unsigned int code, const char *file, int line, const char *fmt, - va_list args) -{ - struct rs_error *err = NULL; - - err = malloc (sizeof(struct rs_error)); - if (err) - { - int n; - memset (err, 0, sizeof(struct rs_error)); - err->code = code; - if (fmt) - n = vsnprintf (err->buf, sizeof(err->buf), fmt, args); - else - { - strncpy (err->buf, - err->code < ERRTXT_SIZE ? _errtxt[err->code] : "", - sizeof(err->buf)); - n = strlen (err->buf); - } - if (n >= 0 && file) - { - char *sep = strrchr (file, '/'); - if (sep) - file = sep + 1; - snprintf (err->buf + n, sizeof(err->buf) - n, " (%s:%d)", file, - line); - } - } - return err; -} - -struct rs_error * -err_create (unsigned int code, - const char *file, - int line, - const char *fmt, - ...) -{ - struct rs_error *err = NULL; - - va_list args; - va_start (args, fmt); - err = _err_vcreate (code, file, line, fmt, args); - va_end (args); - - return err; -} - -static int -_ctx_err_vpush_fl (struct rs_context *ctx, int code, const char *file, - int line, const char *fmt, va_list args) -{ - struct rs_error *err = _err_vcreate (code, file, line, fmt, args); - - if (!err) - return RSE_NOMEM; - - /* TODO: Implement a stack. */ - if (ctx->err) - rs_err_free (ctx->err); - ctx->err = err; - - return err->code; -} - -int -rs_err_ctx_push (struct rs_context *ctx, int code, const char *fmt, ...) -{ - int r = 0; - va_list args; - - va_start (args, fmt); - r = _ctx_err_vpush_fl (ctx, code, NULL, 0, fmt, args); - va_end (args); - - return r; -} - -int -rs_err_ctx_push_fl (struct rs_context *ctx, int code, const char *file, - int line, const char *fmt, ...) -{ - int r = 0; - va_list args; - - va_start (args, fmt); - r = _ctx_err_vpush_fl (ctx, code, file, line, fmt, args); - va_end (args); - - return r; -} - -int -err_conn_push_err (struct rs_connection *conn, struct rs_error *err) -{ - assert (conn); - assert (err); - - if (conn->err) - rs_err_free (conn->err); - conn->err = err; /* FIXME: use a stack */ - - return err->code; -} - -static int -_conn_err_vpush_fl (struct rs_connection *conn, int code, const char *file, - int line, const char *fmt, va_list args) -{ - struct rs_error *err = _err_vcreate (code, file, line, fmt, args); - - if (!err) - return RSE_NOMEM; - - return err_conn_push_err (conn, err); -} - -int -rs_err_conn_push (struct rs_connection *conn, int code, const char *fmt, ...) -{ - int r = 0; - - va_list args; - va_start (args, fmt); - r = _conn_err_vpush_fl (conn, code, NULL, 0, fmt, args); - va_end (args); - - return r; -} - -int -rs_err_conn_push_fl (struct rs_connection *conn, int code, const char *file, - int line, const char *fmt, ...) -{ - int r = 0; - - va_list args; - va_start (args, fmt); - r = _conn_err_vpush_fl (conn, code, file, line, fmt, args); - va_end (args); - - return r; -} - -struct rs_error * -rs_err_ctx_pop (struct rs_context *ctx) -{ - struct rs_error *err; - - if (!ctx) - return NULL; /* FIXME: RSE_INVALID_CTX. */ - err = ctx->err; - ctx->err = NULL; - - return err; -} - -struct rs_error * -rs_err_conn_pop (struct rs_connection *conn) -{ - struct rs_error *err; - - if (!conn) - return NULL; /* FIXME: RSE_INVALID_CONN */ - err = conn->err; - conn->err = NULL; - - return err; -} - -int -rs_err_conn_peek_code (struct rs_connection *conn) -{ - if (!conn) - return -1; /* FIXME: RSE_INVALID_CONN */ - if (conn->err) - return conn->err->code; - - return RSE_OK; -} - -void -rs_err_free (struct rs_error *err) -{ - assert (err); - free (err); -} - -char * -rs_err_msg (struct rs_error *err) -{ - if (!err) - return NULL; - - return err->buf; -} - -int -rs_err_code (struct rs_error *err, int dofree_flag) -{ - int code; - - if (!err) - return -1; - code = err->code; - - if (dofree_flag) - rs_err_free (err); - - return code; -} diff --git a/lib/err.h b/lib/err.h deleted file mode 100644 index ba83a53..0000000 --- a/lib/err.h +++ /dev/null @@ -1,9 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -struct rs_error *err_create (unsigned int code, - const char *file, - int line, - const char *fmt, - ...); -int err_conn_push_err (struct rs_connection *conn, struct rs_error *err); diff --git a/lib/event.c b/lib/event.c deleted file mode 100644 index a532da9..0000000 --- a/lib/event.c +++ /dev/null @@ -1,300 +0,0 @@ -/* Copyright 2011-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include - -#include -#include -#if defined (RS_ENABLE_TLS) -#include -#include -#endif -#include -#include -#include "tcp.h" -#include "udp.h" -#if defined (RS_ENABLE_TLS) -#include "tls.h" -#endif -#include "err.h" -#include "radsec.h" -#include "event.h" -#include "packet.h" -#include "conn.h" -#include "debug.h" - -#if defined (DEBUG) -extern int _event_debug_mode_on; -#endif - -static void -_evlog_cb (int severity, const char *msg) -{ - const char *sevstr; - switch (severity) - { - case _EVENT_LOG_DEBUG: -#if !defined (DEBUG_LEVENT) - return; -#endif - sevstr = "debug"; - break; - case _EVENT_LOG_MSG: - sevstr = "msg"; - break; - case _EVENT_LOG_WARN: - sevstr = "warn"; - break; - case _EVENT_LOG_ERR: - sevstr = "err"; - break; - default: - sevstr = "???"; - break; - } - fprintf (stderr, "libevent: [%s] %s\n", sevstr, msg); /* FIXME: stderr? */ -} - -void -event_conn_timeout_cb (int fd, short event, void *data) -{ - struct rs_connection *conn = NULL; - - assert (data); - conn = (struct rs_connection *) data; - - if (event & EV_TIMEOUT) - { - rs_debug (("%s: connection timeout on %p (fd %d) connecting to %p\n", - __func__, conn, conn->fd, conn->active_peer)); - conn->is_connecting = 0; - rs_err_conn_push_fl (conn, RSE_TIMEOUT_CONN, __FILE__, __LINE__, NULL); - event_loopbreak (conn); - } -} - -void -event_retransmit_timeout_cb (int fd, short event, void *data) -{ - struct rs_connection *conn = NULL; - - assert (data); - conn = (struct rs_connection *) data; - - if (event & EV_TIMEOUT) - { - rs_debug (("%s: retransmission timeout on %p (fd %d) sending to %p\n", - __func__, conn, conn->fd, conn->active_peer)); - rs_err_conn_push_fl (conn, RSE_TIMEOUT_IO, __FILE__, __LINE__, NULL); - - /* Disable/delete read and write events. Timing out on reading - might f.ex. trigger resending of a message. It'd be - surprising to end up reading without having enabled/created a - read event in that case. */ - if (conn->bev) /* TCP. */ - bufferevent_disable (conn->bev, EV_WRITE|EV_READ); - else /* UDP. */ - { - if (conn->wev) - event_del (conn->wev); - if (conn->rev) - event_del (conn->rev); - } - - event_loopbreak (conn); - } -} - -int -event_init_socket (struct rs_connection *conn, struct rs_peer *p) -{ - if (conn->fd != -1) - return RSE_OK; - - if (p->addr_cache == NULL) - { - struct rs_error *err = - rs_resolve (&p->addr_cache, p->realm->type, p->hostname, p->service); - if (err != NULL) - return err_conn_push_err (conn, err); - } - - conn->fd = socket (p->addr_cache->ai_family, p->addr_cache->ai_socktype, - p->addr_cache->ai_protocol); - if (conn->fd < 0) - return rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, - "socket: %d (%s)", - errno, strerror (errno)); - if (evutil_make_socket_nonblocking (conn->fd) < 0) - { - evutil_closesocket (conn->fd); - conn->fd = -1; - return rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, - "evutil_make_socket_nonblocking: %d (%s)", - errno, strerror (errno)); - } - return RSE_OK; -} - -int -event_init_bufferevent (struct rs_connection *conn, struct rs_peer *peer) -{ - if (conn->bev) - return RSE_OK; - - if (conn->realm->type == RS_CONN_TYPE_TCP) - { - conn->bev = bufferevent_socket_new (conn->evb, conn->fd, 0); - if (!conn->bev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_socket_new"); - } -#if defined (RS_ENABLE_TLS) - else if (conn->realm->type == RS_CONN_TYPE_TLS) - { - if (tls_init_conn (conn)) - return -1; - /* Would be convenient to pass BEV_OPT_CLOSE_ON_FREE but things - seem to break when be_openssl_ctrl() (in libevent) calls - SSL_set_bio() after BIO_new_socket() with flag=1. */ - conn->bev = - bufferevent_openssl_socket_new (conn->evb, conn->fd, conn->tls_ssl, - BUFFEREVENT_SSL_CONNECTING, 0); - if (!conn->bev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_openssl_socket_new"); - } -#endif /* RS_ENABLE_TLS */ - else - { - return rs_err_conn_push_fl (conn, RSE_INTERNAL, __FILE__, __LINE__, - "%s: unknown connection type: %d", __func__, - conn->realm->type); - } - - return RSE_OK; -} - -void -event_do_connect (struct rs_connection *conn) -{ - struct rs_peer *p; - int err, sockerr; - - assert (conn); - assert (conn->active_peer); - p = conn->active_peer; - -#if defined (DEBUG) - { - char host[80], serv[80]; - - getnameinfo (p->addr_cache->ai_addr, - p->addr_cache->ai_addrlen, - host, sizeof(host), serv, sizeof(serv), - 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); - rs_debug (("%s: connecting to %s:%s\n", __func__, host, serv)); - } -#endif - - if (p->conn->bev) /* TCP */ - { - conn_activate_timeout (conn); /* Connect timeout. */ - err = bufferevent_socket_connect (p->conn->bev, p->addr_cache->ai_addr, - p->addr_cache->ai_addrlen); - if (err < 0) - rs_err_conn_push_fl (p->conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_socket_connect: %s", - evutil_gai_strerror (err)); - else - p->conn->is_connecting = 1; - } - else /* UDP */ - { - err = connect (p->conn->fd, - p->addr_cache->ai_addr, - p->addr_cache->ai_addrlen); - if (err < 0) - { - sockerr = evutil_socket_geterror (p->conn->fd); - rs_debug (("%s: %d: connect: %d (%s)\n", __func__, p->conn->fd, - sockerr, evutil_socket_error_to_string (sockerr))); - rs_err_conn_push_fl (p->conn, RSE_SOCKERR, __FILE__, __LINE__, - "%d: connect: %d (%s)", p->conn->fd, sockerr, - evutil_socket_error_to_string (sockerr)); - } - } -} - -int -event_loopbreak (struct rs_connection *conn) -{ - int err = event_base_loopbreak (conn->evb); - if (err < 0) - rs_err_conn_push (conn, RSE_EVENT, "event_base_loopbreak"); - return err; -} - - -void -event_on_disconnect (struct rs_connection *conn) -{ - conn->is_connecting = 0; - conn->is_connected = 0; - rs_debug (("%s: %p disconnected\n", __func__, conn->active_peer)); - if (conn->callbacks.disconnected_cb) - conn->callbacks.disconnected_cb (conn->user_data); -} - -/** Internal connect event returning 0 on success or -1 on error. */ -int -event_on_connect (struct rs_connection *conn, struct rs_packet *pkt) -{ - assert (!conn->is_connecting); - -#if defined (RS_ENABLE_TLS) - if (conn_type_tls(conn) && !conn_cred_psk(conn)) - if (tls_verify_cert (conn) != RSE_OK) - { - rs_debug (("%s: server cert verification failed\n", __func__)); - return -1; - } -#endif /* RS_ENABLE_TLS */ - - conn->is_connected = 1; - rs_debug (("%s: %p connected\n", __func__, conn->active_peer)); - - if (conn->callbacks.connected_cb) - conn->callbacks.connected_cb (conn->user_data); - - if (pkt) - packet_do_send (pkt); - - return 0; -} - -int -event_init_eventbase (struct rs_connection *conn) -{ - assert (conn); - if (conn->evb) - return RSE_OK; - -#if defined (DEBUG) - if (!_event_debug_mode_on) - event_enable_debug_mode (); -#endif - event_set_log_callback (_evlog_cb); - conn->evb = event_base_new (); - if (!conn->evb) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_new"); - - return RSE_OK; -} diff --git a/lib/event.h b/lib/event.h deleted file mode 100644 index bd9ec77..0000000 --- a/lib/event.h +++ /dev/null @@ -1,12 +0,0 @@ -/* Copyright 2011-2012 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -void event_on_disconnect (struct rs_connection *conn); -int event_on_connect (struct rs_connection *conn, struct rs_packet *pkt); -int event_loopbreak (struct rs_connection *conn); -int event_init_eventbase (struct rs_connection *conn); -int event_init_socket (struct rs_connection *conn, struct rs_peer *p); -int event_init_bufferevent (struct rs_connection *conn, struct rs_peer *peer); -void event_do_connect (struct rs_connection *conn); -void event_conn_timeout_cb (int fd, short event, void *data); -void event_retransmit_timeout_cb (int fd, short event, void *data); diff --git a/lib/examples/Makefile.am b/lib/examples/Makefile.am deleted file mode 100644 index fa1c835..0000000 --- a/lib/examples/Makefile.am +++ /dev/null @@ -1,8 +0,0 @@ -AUTOMAKE_OPTIONS = foreign -AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) -AM_CFLAGS = -Wall -Werror -g - -noinst_PROGRAMS = client -client_SOURCES = client-blocking.c -client_LDADD = ../libradsec.la #-lefence -client_CFLAGS = $(AM_CFLAGS) -DUSE_CONFIG_FILE diff --git a/lib/examples/blocking.c b/lib/examples/blocking.c deleted file mode 100644 index b66eb64..0000000 --- a/lib/examples/blocking.c +++ /dev/null @@ -1,71 +0,0 @@ -/* Example usage of libradsec-base, using blocking i/o. */ - -#include -#include -#include -#include -#include "blocking.h" - -struct rs_packet * -next_packet (const struct rs_handle *ctx, int fd) -{ - uint8_t hdr[RS_HEADER_LEN]; - uint8_t *buf; - size_t len; - struct rs_packet *p; - ssize_t n; - - /* Read fixed length header. */ - n = 0; - while (n < RS_HEADER_LEN) - n += read (fd, hdr, RS_HEADER_LEN - n); - - p = rs_packet_new (ctx, hdr, &len); - fprintf (stderr, "DEBUG: got header, total packet len is %d\n", - len + RS_HEADER_LEN); - - /* Read the rest of the message. */ - if (p) - { - buf = malloc (len); - if (buf) - { - n = 0; - while (n < len) - n += read (fd, buf, len - n); - p = rs_packet_parse (ctx, &p, buf, len); - free (buf); - } - else - rs_packet_free (ctx, &p); - } - - return p; -} - -int -send_packet(const struct rs_handle *ctx, int fd, struct rs_packet *p) -{ - uint8_t *buf = NULL; - ssize_t n = -20; /* Arbitrary packet size -- a guess. */ - - while (n < 0) - { - buf = realloc (buf, -n); - if (buf == NULL) - return -1; - n = rs_packet_serialize (p, buf, -n); - } - - while (n) - { - ssize_t count = write (fd, buf, n); - if (count == -1) - return -1; - n -= count; - } - - free (buf); - rs_packet_free (ctx, &p); - return 0; -} diff --git a/lib/examples/blocking.h b/lib/examples/blocking.h deleted file mode 100644 index f91e6be..0000000 --- a/lib/examples/blocking.h +++ /dev/null @@ -1,4 +0,0 @@ -#include "libradsec-base.h" - -struct rs_packet *next_packet (const struct rs_handle *ctx, int fd); -int send_packet (const struct rs_handle *ctx, int fd, struct rs_packet *p); diff --git a/lib/examples/client-blocking.c b/lib/examples/client-blocking.c deleted file mode 100644 index a50ee8a..0000000 --- a/lib/examples/client-blocking.c +++ /dev/null @@ -1,127 +0,0 @@ -/* RADIUS/RadSec client using libradsec in blocking mode. */ - -#include -#include -#include -#include -#include -#include "err.h" -#include "debug.h" /* For rs_dump_packet(). */ - -#define SECRET "sikrit" -#define USER_NAME "molgan@PROJECT-MOONSHOT.ORG" -#define USER_PW "password" - -struct rs_error * -blocking_client (const char *config_fn, const char *configuration, - int use_request_object_flag) -{ - struct rs_context *h = NULL; - struct rs_connection *conn = NULL; - struct rs_request *request = NULL; - struct rs_packet *req = NULL, *resp = NULL; - struct rs_error *err = NULL; - int r; - - r = rs_context_create (&h); - if (r) - { - assert (!"unable to create libradsec context"); - } - -#if !defined (USE_CONFIG_FILE) - { - struct rs_peer *server; - - if (rs_conn_create (h, &conn, NULL)) - goto cleanup; - rs_conn_set_type (conn, RS_CONN_TYPE_UDP); - if (rs_peer_create (conn, &server)) - goto cleanup; - if (rs_peer_set_address (server, av1, av2)) - goto cleanup; - rs_peer_set_timeout (server, 1); - rs_peer_set_retries (server, 3); - if (rs_peer_set_secret (server, SECRET)) - goto cleanup; - } -#else /* defined (USE_CONFIG_FILE) */ - if (rs_context_read_config (h, config_fn)) - goto cleanup; - if (rs_conn_create (h, &conn, configuration)) - goto cleanup; -#endif /* defined (USE_CONFIG_FILE) */ - - if (use_request_object_flag) - { - if (rs_request_create_authn (conn, &request, USER_NAME, USER_PW)) - goto cleanup; - if (rs_request_send (request, &resp)) - goto cleanup; - } - else - { - if (rs_packet_create_authn_request (conn, &req, USER_NAME, USER_PW)) - goto cleanup; - if (rs_packet_send (req, NULL)) - goto cleanup; - if (rs_conn_receive_packet (conn, req, &resp)) - goto cleanup; - } - - if (resp) - { - rs_dump_packet (resp); - if (rs_packet_code (resp) == PW_ACCESS_ACCEPT) - printf ("Good auth.\n"); - else - printf ("Bad auth: %d\n", rs_packet_code (resp)); - } - else - fprintf (stderr, "%s: no response\n", __func__); - - cleanup: - err = rs_err_ctx_pop (h); - if (err == RSE_OK) - err = rs_err_conn_pop (conn); - if (resp) - rs_packet_destroy (resp); - if (request) - rs_request_destroy (request); - if (conn) - rs_conn_destroy (conn); - if (h) - rs_context_destroy (h); - - return err; -} - -void -usage (int argc, char *argv[]) -{ - fprintf (stderr, "usage: %s: [-r] config-file config-name\n", argv[0]); - exit (1); -} - -int -main (int argc, char *argv[]) -{ - int use_request_object_flag = 0; - struct rs_error *err; - - if (argc > 1 && argv[1] && argv[1][0] == '-' && argv[1][1] == 'r') - { - use_request_object_flag = 1; - argc--; - argv++; - } - if (argc < 3) - usage (argc, argv); - err = blocking_client (argv[1], argv[2], use_request_object_flag); - if (err) - { - fprintf (stderr, "error: %s: %d\n", rs_err_msg (err), rs_err_code (err, 0)); - return rs_err_code (err, 1); - } - return 0; -} diff --git a/lib/examples/client-psk.conf b/lib/examples/client-psk.conf deleted file mode 100644 index 7b35e23..0000000 --- a/lib/examples/client-psk.conf +++ /dev/null @@ -1,18 +0,0 @@ -# We keep PSK configurations in a separate config file until -# --enable-tls-psk is on by default. This configuration is not valid -# without PSK support. - -realm blocking-tls-psk { - type = "TLS" - timeout = 1 - retries = 3 - #pskstr = "sikrit psk" - pskhexstr = "deadbeef4711" - pskid = "Client_identity" - pskex = "PSK" - server { - hostname = "srv1" - service = "4433" - secret = "sikrit" - } -} diff --git a/lib/examples/client.conf b/lib/examples/client.conf deleted file mode 100644 index b0b4536..0000000 --- a/lib/examples/client.conf +++ /dev/null @@ -1,24 +0,0 @@ -realm blocking-udp { - type = "UDP" - timeout = 2 - retries = 2 - server { - hostname = "127.0.0.1" - service = "1820" - secret = "sikrit" - } -} - -realm blocking-tls { - type = "TLS" - timeout = 1 - retries = 3 - cacertfile = "tests/demoCA/newcerts/01.pem" - certfile = "tests/demoCA/newcerts/03.pem" - certkeyfile = "tests/demoCA/private/cli1.key" - server { - hostname = "srv1" - service = "2083" - secret = "sikrit" - } -} diff --git a/lib/include/Makefile.am b/lib/include/Makefile.am deleted file mode 100644 index 754590c..0000000 --- a/lib/include/Makefile.am +++ /dev/null @@ -1,12 +0,0 @@ -RADSEC_EXPORT = \ - radsec/radsec.h \ - radsec/radsec-impl.h \ - radsec/request.h \ - radsec/request-impl.h \ - radsec/radius.h - -EXTRA_SRC = $(RADSEC_EXPORT) -nobase_include_HEADERS = $(RADSEC_EXPORT) - -clean-local: - rm -f radsec/radius.h diff --git a/lib/include/radsec/.gitignore b/lib/include/radsec/.gitignore deleted file mode 100644 index c20d18b..0000000 --- a/lib/include/radsec/.gitignore +++ /dev/null @@ -1 +0,0 @@ -radius.h diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h deleted file mode 100644 index 0ecd631..0000000 --- a/lib/include/radsec/radsec-impl.h +++ /dev/null @@ -1,156 +0,0 @@ -/** @file libradsec-impl.h - @brief Libraray internal header file for libradsec. */ - -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#ifndef _RADSEC_RADSEC_IMPL_H_ -#define _RADSEC_RADSEC_IMPL_H_ 1 - -#include -#include -#if defined(RS_ENABLE_TLS) -#include -#endif - -/* Constants. */ -#define RS_HEADER_LEN 4 - -/* Data types. */ -enum rs_cred_type { - RS_CRED_NONE = 0, - /* TLS pre-shared keys, RFC 4279. */ - RS_CRED_TLS_PSK, - /* RS_CRED_TLS_DH_PSK, */ - /* RS_CRED_TLS_RSA_PSK, */ -}; -typedef unsigned int rs_cred_type_t; - -enum rs_key_encoding { - RS_KEY_ENCODING_UTF8 = 1, - RS_KEY_ENCODING_ASCII_HEX = 2, -}; -typedef unsigned int rs_key_encoding_t; - -#if defined (__cplusplus) -extern "C" { -#endif - -struct rs_credentials { - enum rs_cred_type type; - char *identity; - char *secret; - enum rs_key_encoding secret_encoding; - unsigned int secret_len; -}; - -struct rs_error { - int code; - char buf[1024]; -}; - -/** Configuration object for a connection. */ -struct rs_peer { - struct rs_connection *conn; - struct rs_realm *realm; - char *hostname; - char *service; - char *secret; /* RADIUS secret. */ - struct evutil_addrinfo *addr_cache; - struct rs_peer *next; -}; - -/** Configuration object for a RADIUS realm. */ -struct rs_realm { - char *name; - enum rs_conn_type type; - int timeout; - int retries; - char *cacertfile; - char *cacertpath; - char *certfile; - char *certkeyfile; - int disable_hostname_check; - struct rs_credentials *transport_cred; - struct rs_peer *peers; - struct rs_realm *next; -}; - -/** Top configuration object. */ -struct rs_config { - struct rs_realm *realms; - cfg_t *cfg; -}; - -struct rs_context { - struct rs_config *config; - struct rs_alloc_scheme alloc_scheme; - struct rs_error *err; -}; - -struct rs_connection { - struct rs_context *ctx; - struct rs_realm *realm; /* Owned by ctx. */ - struct event_base *evb; /* Event base. */ - struct event *tev; /* Timeout event. */ - struct rs_conn_callbacks callbacks; - void *user_data; - struct rs_peer *peers; - struct rs_peer *active_peer; - struct rs_error *err; - struct timeval timeout; - char is_connecting; /* FIXME: replace with a single state member */ - char is_connected; /* FIXME: replace with a single state member */ - int fd; /* Socket. */ - int tryagain; /* For server failover. */ - int nextid; /* Next RADIUS packet identifier. */ - /* TCP transport specifics. */ - struct bufferevent *bev; /* Buffer event. */ - /* UDP transport specifics. */ - struct event *wev; /* Write event (for UDP). */ - struct event *rev; /* Read event (for UDP). */ - struct rs_packet *out_queue; /* Queue for outgoing UDP packets. */ -#if defined(RS_ENABLE_TLS) - /* TLS specifics. */ - SSL_CTX *tls_ctx; - SSL *tls_ssl; -#endif -}; - -enum rs_packet_flags { - RS_PACKET_HEADER_READ, - RS_PACKET_RECEIVED, - RS_PACKET_SENT, -}; - -struct radius_packet; - -struct rs_packet { - struct rs_connection *conn; - unsigned int flags; - uint8_t hdr[RS_HEADER_LEN]; - struct radius_packet *rpkt; /* FreeRADIUS object. */ - struct rs_packet *next; /* Used for UDP output queue. */ -}; - -#if defined (__cplusplus) -} -#endif - -/* Convenience macros. */ -#define rs_calloc(h, nmemb, size) \ - (h->alloc_scheme.calloc ? h->alloc_scheme.calloc : calloc)(nmemb, size) -#define rs_malloc(h, size) \ - (h->alloc_scheme.malloc ? h->alloc_scheme.malloc : malloc)(size) -#define rs_free(h, ptr) \ - (h->alloc_scheme.free ? h->alloc_scheme.free : free)(ptr) -#define rs_realloc(h, realloc, ptr, size) \ - (h->alloc_scheme.realloc ? h->alloc_scheme.realloc : realloc)(ptr, size) -#define min(a, b) ((a) < (b) ? (a) : (b)) -#define max(a, b) ((a) > (b) ? (a) : (b)) - -#endif /* _RADSEC_RADSEC_IMPL_H_ */ - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/include/radsec/radsec.h b/lib/include/radsec/radsec.h deleted file mode 100644 index 1d718a0..0000000 --- a/lib/include/radsec/radsec.h +++ /dev/null @@ -1,607 +0,0 @@ -/** \file radsec.h - \brief Public interface for libradsec. */ - -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#ifndef _RADSEC_RADSEC_H_ -#define _RADSEC_RADSEC_H_ 1 - -#ifdef HAVE_CONFIG_H -#include -#endif -#ifdef HAVE_SYS_TIME_H -#include -#endif -#ifdef HAVE_ARPA_INET_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#ifdef HAVE_STDINT_H -#include -#endif - -enum rs_error_code { - RSE_OK = 0, - RSE_NOMEM = 1, - RSE_NOSYS = 2, - RSE_INVALID_CTX = 3, - RSE_INVALID_CONN = 4, - RSE_CONN_TYPE_MISMATCH = 5, - RSE_BADADDR = 7, - RSE_NOPEER = 8, - RSE_EVENT = 9, /* libevent error. */ - RSE_SOCKERR = 10, - RSE_CONFIG = 11, - RSE_BADAUTH = 12, - RSE_INTERNAL = 13, - RSE_SSLERR = 14, /* OpenSSL error. */ - RSE_INVALID_PKT = 15, - RSE_TIMEOUT_CONN = 16, /* Connection timeout. */ - RSE_INVAL = 17, /* Invalid argument. */ - RSE_TIMEOUT_IO = 18, /* I/O timeout. */ - RSE_TIMEOUT = 19, /* High level timeout. */ - RSE_DISCO = 20, - RSE_INUSE = 21, - RSE_PACKET_TOO_SMALL = 22, - RSE_PACKET_TOO_LARGE = 23, - RSE_ATTR_OVERFLOW = 24, - RSE_ATTR_TOO_SMALL = 25, - RSE_ATTR_TOO_LARGE = 26, - RSE_ATTR_UNKNOWN = 27, - RSE_ATTR_BAD_NAME = 28, - RSE_ATTR_VALUE_MALFORMED = 29, - RSE_ATTR_INVALID = 30, - RSE_TOO_MANY_ATTRS = 31, - RSE_ATTR_TYPE_UNKNOWN = 32, - RSE_MSG_AUTH_LEN = 33, - RSE_MSG_AUTH_WRONG = 34, - RSE_REQUEST_REQUIRED = 35, - RSE_INVALID_REQUEST_CODE = 36, - RSE_AUTH_VECTOR_WRONG = 37, - RSE_INVALID_RESPONSE_CODE = 38, - RSE_INVALID_RESPONSE_ID = 39, - RSE_INVALID_RESPONSE_SRC = 40, - RSE_NO_PACKET_DATA = 41, - RSE_VENDOR_UNKNOWN = 42, - RSE_CRED = 43, - RSE_CERT = 44, - RSE_MAX = RSE_CERT -}; - -enum rs_conn_type { - RS_CONN_TYPE_NONE = 0, - RS_CONN_TYPE_UDP, - RS_CONN_TYPE_TCP, - RS_CONN_TYPE_TLS, - RS_CONN_TYPE_DTLS, -}; -typedef unsigned int rs_conn_type_t; - -typedef enum rs_attr_type_t { - RS_TYPE_INVALID = 0, /**< Invalid data type */ - RS_TYPE_STRING, /**< printable-text */ - RS_TYPE_INTEGER, /**< a 32-bit unsigned integer */ - RS_TYPE_IPADDR, /**< an IPv4 address */ - RS_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */ - RS_TYPE_OCTETS, /**< a sequence of binary octets */ - RS_TYPE_IFID, /**< an Interface Id */ - RS_TYPE_IPV6ADDR, /**< an IPv6 address */ - RS_TYPE_IPV6PREFIX, /**< an IPv6 prefix */ - RS_TYPE_BYTE, /**< an 8-bit integer */ - RS_TYPE_SHORT, /**< a 16-bit integer */ -} rs_attr_type_t; - -#define PW_ACCESS_REQUEST 1 -#define PW_ACCESS_ACCEPT 2 -#define PW_ACCESS_REJECT 3 -#define PW_ACCOUNTING_REQUEST 4 -#define PW_ACCOUNTING_RESPONSE 5 -#define PW_ACCOUNTING_STATUS 6 -#define PW_PASSWORD_REQUEST 7 -#define PW_PASSWORD_ACK 8 -#define PW_PASSWORD_REJECT 9 -#define PW_ACCOUNTING_MESSAGE 10 -#define PW_ACCESS_CHALLENGE 11 -#define PW_STATUS_SERVER 12 -#define PW_STATUS_CLIENT 13 -#define PW_DISCONNECT_REQUEST 40 -#define PW_DISCONNECT_ACK 41 -#define PW_DISCONNECT_NAK 42 -#define PW_COA_REQUEST 43 -#define PW_COA_ACK 44 -#define PW_COA_NAK 45 - -#if defined (__cplusplus) -extern "C" { -#endif - -/* Data types. */ -struct rs_context; /* radsec-impl.h */ -struct rs_connection; /* radsec-impl.h */ -struct rs_packet; /* radsec-impl.h */ -struct rs_conn; /* radsec-impl.h */ -struct rs_error; /* radsec-impl.h */ -struct rs_peer; /* radsec-impl.h */ -struct radius_packet; /* */ -struct value_pair; /* */ -struct event_base; /* */ - -typedef void *(*rs_calloc_fp) (size_t nmemb, size_t size); -typedef void *(*rs_malloc_fp) (size_t size); -typedef void (*rs_free_fp) (void *ptr); -typedef void *(*rs_realloc_fp) (void *ptr, size_t size); -struct rs_alloc_scheme { - rs_calloc_fp calloc; - rs_malloc_fp malloc; - rs_free_fp free; - rs_realloc_fp realloc; -}; - -typedef void (*rs_conn_connected_cb) (void *user_data /* FIXME: peer? */ ); -typedef void (*rs_conn_disconnected_cb) (void *user_data /* FIXME: reason? */ ); -typedef void (*rs_conn_packet_received_cb) (struct rs_packet *packet, - void *user_data); -typedef void (*rs_conn_packet_sent_cb) (void *user_data); -struct rs_conn_callbacks { - /** Callback invoked when the connection has been established. */ - rs_conn_connected_cb connected_cb; - /** Callback invoked when the connection has been torn down. */ - rs_conn_disconnected_cb disconnected_cb; - /** Callback invoked when a packet was received. */ - rs_conn_packet_received_cb received_cb; - /** Callback invoked when a packet was successfully sent. */ - rs_conn_packet_sent_cb sent_cb; -}; - -typedef struct value_pair rs_avp; -typedef const struct value_pair rs_const_avp; - -/* Function prototypes. */ - -/*************/ -/* Context. */ -/*************/ -/** Create a context. Freed by calling \a rs_context_destroy. Note - that the context must not be freed before all other libradsec - objects have been freed. - - If support for POSIX threads was detected at configure and build - time \a rs_context_create will use mutexes to protect multiple - threads from stomping on each other in OpenSSL. - - \a ctx Address of pointer to a struct rs_context. This is the - output of this function. - - \return RSE_OK (0) on success, RSE_SSLERR on TLS library - initialisation error and RSE_NOMEM on out of memory. */ -int rs_context_create(struct rs_context **ctx); - -/** Free a context. Note that the context must not be freed before - all other libradsec objects have been freed. */ -void rs_context_destroy(struct rs_context *ctx); - -/** Set allocation scheme to use. \a scheme is the allocation scheme - to use, see \a rs_alloc_scheme. \return On success, RSE_OK (0) is - returned. On error, !0 is returned and a struct \a rs_error is - pushed on the error stack for the context. The error can be - accessed using \a rs_err_ctx_pop. */ -int rs_context_set_alloc_scheme(struct rs_context *ctx, - struct rs_alloc_scheme *scheme); - -/** Read configuration file. \a config_file is the path of the - configuration file to read. \return On success, RSE_OK (0) is - returned. On error, !0 is returned and a struct \a rs_error is - pushed on the error stack for the context. The error can be - accessed using \a rs_err_ctx_pop. */ -int rs_context_read_config(struct rs_context *ctx, const char *config_file); - -/****************/ -/* Connection. */ -/****************/ -/** Create a connection. \a conn is the address of a pointer to an \a - rs_connection, the output. Free the connection using \a - rs_conn_destroy. Note that a connection must not be freed before - all packets associated with the connection have been freed. A - packet is associated with a connection when it's created (\a - rs_packet_create) or received (\a rs_conn_receive_packet). - - If \a config is not NULL it should be the name of a configuration - found in the config file read in using \a rs_context_read_config. - \return On success, RSE_OK (0) is returned. On error, !0 is - returned and a struct \a rs_error is pushed on the error stack for - the context. The error can be accessed using \a - rs_err_ctx_pop. */ -int rs_conn_create(struct rs_context *ctx, - struct rs_connection **conn, - const char *config); - -/** Not implemented. */ -int rs_conn_add_listener(struct rs_connection *conn, - rs_conn_type_t type, - const char *hostname, - int port); -/** Disconnect connection \a conn. \return RSE_OK (0) on success, !0 - * on error. On error, errno is set appropriately. */ -int rs_conn_disconnect (struct rs_connection *conn); - -/** Disconnect and free memory allocated for connection \a conn. Note - that a connection must not be freed before all packets associated - with the connection have been freed. A packet is associated with - a connection when it's created (\a rs_packet_create) or received - (\a rs_conn_receive_packet). \return RSE_OK (0) on success, !0 * - on error. On error, errno is set appropriately. */ -int rs_conn_destroy(struct rs_connection *conn); - -/** Set connection type for \a conn. */ -void rs_conn_set_type(struct rs_connection *conn, rs_conn_type_t type); - -/** Not implemented. */ -int rs_conn_set_eventbase(struct rs_connection *conn, struct event_base *eb); - -/** Register callbacks \a cb for connection \a conn. */ -void rs_conn_set_callbacks(struct rs_connection *conn, - struct rs_conn_callbacks *cb); - -/** Remove callbacks for connection \a conn. */ -void rs_conn_del_callbacks(struct rs_connection *conn); - -/** Return callbacks registered for connection \a conn. \return - Installed callbacks are returned. */ -struct rs_conn_callbacks *rs_conn_get_callbacks(struct rs_connection *conn); - -/** Not implemented. */ -int rs_conn_select_peer(struct rs_connection *conn, const char *name); - -/** Not implemented. */ -int rs_conn_get_current_peer(struct rs_connection *conn, - const char *name, - size_t buflen); - -/** Special function used in blocking mode, i.e. with no callbacks - registered. For any other use of libradsec, a \a received_cb - callback should be registered using \a rs_conn_set_callbacks. - - If \a req_msg is not NULL, a successfully received RADIUS message - is verified against it. If \a pkt_out is not NULL it will upon - return contain a pointer to an \a rs_packet containing the new - message. - - \return On error or if the connect (TCP only) or read times out, - \a pkt_out will not be changed and one or more errors are pushed - on \a conn (available through \a rs_err_conn_pop). */ -int rs_conn_receive_packet(struct rs_connection *conn, - struct rs_packet *request, - struct rs_packet **pkt_out); - -/** Get the file descriptor associated with connection \a conn. - * \return File descriptor. */ -int rs_conn_fd(struct rs_connection *conn); - -/** Set the timeout value for connection \a conn. */ -void rs_conn_set_timeout(struct rs_connection *conn, struct timeval *tv); - -/* Peer -- client and server. */ -int rs_peer_create(struct rs_connection *conn, struct rs_peer **peer_out); -int rs_peer_set_address(struct rs_peer *peer, - const char *hostname, - const char *service); -int rs_peer_set_secret(struct rs_peer *peer, const char *secret); -void rs_peer_set_timeout(struct rs_peer *peer, int timeout); -void rs_peer_set_retries(struct rs_peer *peer, int retries); - -/************/ -/* Packet. */ -/************/ -/** Create a packet associated with connection \a conn. */ -int rs_packet_create(struct rs_connection *conn, struct rs_packet **pkt_out); - -/** Free all memory allocated for packet \a pkt. */ -void rs_packet_destroy(struct rs_packet *pkt); - -/** Send packet \a pkt on the connection associated with \a pkt. - \a user_data is passed to the \a rs_conn_packet_received_cb callback - registered with the connection. If no callback is registered with - the connection, the event loop is run by \a rs_packet_send and it - blocks until the full packet has been sent. Note that sending can - fail in several ways, f.ex. if the transmission protocol in use - is connection oriented (\a RS_CONN_TYPE_TCP and \a RS_CONN_TYPE_TLS) - and the connection can not be established. Also note that no - retransmission is done, something that is required for connectionless - transport protocols (\a RS_CONN_TYPE_UDP and \a RS_CONN_TYPE_DTLS). - The "request" API with \a rs_request_send can help with this. - - \return On success, RSE_OK (0) is returned. On error, !0 is - returned and a struct \a rs_error is pushed on the error stack for - the connection. The error can be accessed using \a rs_err_conn_pop. */ -int rs_packet_send(struct rs_packet *pkt, void *user_data); - -/** Create a RADIUS authentication request packet associated with - connection \a conn. Optionally, User-Name and User-Password - attributes are added to the packet using the data in \a user_name - and \a user_pw. */ -int rs_packet_create_authn_request(struct rs_connection *conn, - struct rs_packet **pkt, - const char *user_name, - const char *user_pw); - -/** Add a new attribute-value pair to \a pkt. */ -int rs_packet_add_avp(struct rs_packet *pkt, - unsigned int attr, unsigned int vendor, - const void *data, size_t data_len); - -/** Append a new attribute to packet \a pkt. Note that this function - encodes the attribute and therefore might require the secret - shared with the thought recipient to be set in pkt->rpkt. Note - also that this function marks \a pkt as already encoded and can - not be used on packets with non-encoded value-pairs already - added. */ -int -rs_packet_append_avp(struct rs_packet *pkt, - unsigned int attribute, unsigned int vendor, - const void *data, size_t data_len); - -/*** Get pointer to \a pkt attribute value pairs. */ -void -rs_packet_avps(struct rs_packet *pkt, rs_avp ***vps); - -/*** Get RADIUS packet type of \a pkt. */ -unsigned int -rs_packet_code(struct rs_packet *pkt); - -/*** Get RADIUS AVP from \a pkt. */ -rs_const_avp * -rs_packet_find_avp(struct rs_packet *pkt, unsigned int attr, unsigned int vendor); - -/*** Set packet identifier in \a pkt; returns old identifier */ -int -rs_packet_set_id (struct rs_packet *pkt, int id); - -/************/ -/* Config. */ -/************/ -/** Find the realm named \a name in the configuration file previoiusly - read in using \a rs_context_read_config. */ -struct rs_realm *rs_conf_find_realm(struct rs_context *ctx, const char *name); - -/***********/ -/* Error. */ -/***********/ -/** Create a struct \a rs_error and push it on a FIFO associated with - context \a ctx. Note: The depth of the error stack is one (1) at - the moment. This will change in a future release. */ -int rs_err_ctx_push(struct rs_context *ctx, int code, const char *fmt, ...); -int rs_err_ctx_push_fl(struct rs_context *ctx, - int code, - const char *file, - int line, - const char *fmt, - ...); -/** Pop the first error from the error FIFO associated with context \a - ctx or NULL if there are no errors in the FIFO. */ -struct rs_error *rs_err_ctx_pop(struct rs_context *ctx); - -/** Create a struct \a rs_error and push it on a FIFO associated with - connection \a conn. Note: The depth of the error stack is one (1) - at the moment. This will change in a future release. */ -int rs_err_conn_push(struct rs_connection *conn, - int code, - const char *fmt, - ...); -int rs_err_conn_push_fl(struct rs_connection *conn, - int code, - const char *file, - int line, - const char *fmt, - ...); -/** Pop the first error from the error FIFO associated with connection - \a conn or NULL if there are no errors in the FIFO. */ -struct rs_error *rs_err_conn_pop(struct rs_connection *conn); - -int rs_err_conn_peek_code (struct rs_connection *conn); -void rs_err_free(struct rs_error *err); -char *rs_err_msg(struct rs_error *err); -int rs_err_code(struct rs_error *err, int dofree_flag); - -/************/ -/* AVPs. */ -/************/ -#define rs_avp_is_string(vp) (rs_avp_typeof(vp) == RS_TYPE_STRING) -#define rs_avp_is_integer(vp) (rs_avp_typeof(vp) == RS_TYPE_INTEGER) -#define rs_avp_is_ipaddr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPADDR) -#define rs_avp_is_date(vp) (rs_avp_typeof(vp) == RS_TYPE_DATE) -#define rs_avp_is_octets(vp) (rs_avp_typeof(vp) == RS_TYPE_OCTETS) -#define rs_avp_is_ifid(vp) (rs_avp_typeof(vp) == RS_TYPE_IFID) -#define rs_avp_is_ipv6addr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6ADDR) -#define rs_avp_is_ipv6prefix(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6PREFIX) -#define rs_avp_is_byte(vp) (rs_avp_typeof(vp) == RS_TYPE_BYTE) -#define rs_avp_is_short(vp) (rs_avp_typeof(vp) == RS_TYPE_SHORT) -#define rs_avp_is_tlv(vp) (rs_avp_typeof(vp) == RS_TYPE_TLV) - -/** The maximum length of a RADIUS attribute. - * - * The RFCs require that a RADIUS attribute transport no more than - * 253 octets of data. We add an extra byte for a trailing NUL, so - * that the VALUE_PAIR::vp_strvalue field can be handled as a C - * string. - */ -#define RS_MAX_STRING_LEN 254 - -/** Free the AVP list \a vps */ -void -rs_avp_free(rs_avp **vps); - -/** Return the length of AVP \a vp in bytes */ -size_t -rs_avp_length(rs_const_avp *vp); - -/** Return the type of \a vp */ -rs_attr_type_t -rs_avp_typeof(rs_const_avp *vp); - -/** Retrieve the attribute and vendor ID of \a vp */ -void -rs_avp_attrid(rs_const_avp *vp, unsigned int *attr, unsigned int *vendor); - -/** Add \a vp to the list pointed to by \a head */ -void -rs_avp_append(rs_avp **head, rs_avp *vp); - -/** Find an AVP in \a vp that matches \a attr and \a vendor */ -rs_avp * -rs_avp_find(rs_avp *vp, unsigned int attr, unsigned int vendor); - -/** Find an AVP in \a vp that matches \a attr and \a vendor */ -rs_const_avp * -rs_avp_find_const(rs_const_avp *vp, unsigned int attr, unsigned int vendor); - -/** Alloc a new AVP for \a attr and \a vendor */ -rs_avp * -rs_avp_alloc(unsigned int attr, unsigned int vendor); - -/** Duplicate existing AVP \a vp */ -rs_avp * -rs_avp_dup(rs_const_avp *vp); - -/** Remove matching AVP from list \a vps */ -int -rs_avp_delete(rs_avp **vps, unsigned int attr, unsigned int vendor); - -/** Return next AVP in list */ -rs_avp * -rs_avp_next(rs_avp *vp); - -/** Return next AVP in list */ -rs_const_avp * -rs_avp_next_const(rs_const_avp *avp); - -/** Return string value of \a vp */ -const char * -rs_avp_string_value(rs_const_avp *vp); - -/** Set AVP \a vp to string \a str */ -int -rs_avp_string_set(rs_avp *vp, const char *str); - -/** Return integer value of \a vp */ -uint32_t -rs_avp_integer_value(rs_const_avp *vp); - -/** Set AVP \a vp to integer \a val */ -int -rs_avp_integer_set(rs_avp *vp, uint32_t val); - -/** Return IPv4 value of \a vp */ -uint32_t -rs_avp_ipaddr_value(rs_const_avp *vp); - -/** Set AVP \a vp to IPv4 address \a in */ -int -rs_avp_ipaddr_set(rs_avp *vp, struct in_addr in); - -/** Return POSIX time value of \a vp */ -time_t -rs_avp_date_value(rs_const_avp *vp); - -/** Set AVP \a vp to POSIX time \a date */ -int -rs_avp_date_set(rs_avp *vp, time_t date); - -/** Return constant pointer to octets in \a vp */ -const unsigned char * -rs_avp_octets_value_const_ptr(rs_const_avp *vp); - -/** Return pointer to octets in \a vp */ -unsigned char * -rs_avp_octets_value_ptr(rs_avp *vp); - -/** Retrieve octet pointer \a p and length \a len from \a vp */ -int -rs_avp_octets_value_byref(rs_avp *vp, - unsigned char **p, - size_t *len); - -/** Copy octets from \a vp into \a buf and \a len */ -int -rs_avp_octets_value(rs_const_avp *vp, - unsigned char *buf, - size_t *len); - -/** - * Copy octets possibly fragmented across multiple VPs - * into \a buf and \a len - */ -int -rs_avp_fragmented_value(rs_const_avp *vps, - unsigned char *buf, - size_t *len); - -/** Copy \a len octets in \a buf to AVP \a vp */ -int -rs_avp_octets_set(rs_avp *vp, - const unsigned char *buf, - size_t len); - -/** Return IFID value of \a vp */ -int -rs_avp_ifid_value(rs_const_avp *vp, uint8_t val[8]); - -int -rs_avp_ifid_set(rs_avp *vp, const uint8_t val[8]); - -/** Return byte value of \a vp */ -uint8_t -rs_avp_byte_value(rs_const_avp *vp); - -/** Set AVP \a vp to byte \a val */ -int -rs_avp_byte_set(rs_avp *vp, uint8_t val); - -/** Return short value of \a vp */ -uint16_t -rs_avp_short_value(rs_const_avp *vp); - -/** Set AVP \a vp to short integer \a val */ -int -rs_avp_short_set(rs_avp *vp, uint16_t val); - -/** Display possibly \a canonical attribute name into \a buffer */ -int -rs_attr_display_name (unsigned int attr, - unsigned int vendor, - char *buffer, - size_t bufsize, - int canonical); - -/** Display AVP \a vp into \a buffer */ -size_t -rs_avp_display_value(rs_const_avp *vp, - char *buffer, - size_t buflen); - -int -rs_attr_parse_name (const char *name, - unsigned int *attr, - unsigned int *vendor); - -/** Lookup attribute \a name */ -int -rs_attr_find(const char *name, - unsigned int *attr, - unsigned int *vendor); - -/** Return dictionary name for AVP \a vp */ -const char * -rs_avp_name(rs_const_avp *vp); - -#if defined (__cplusplus) -} -#endif - -#endif /* _RADSEC_RADSEC_H_ */ - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/include/radsec/request-impl.h b/lib/include/radsec/request-impl.h deleted file mode 100644 index 97335e5..0000000 --- a/lib/include/radsec/request-impl.h +++ /dev/null @@ -1,24 +0,0 @@ -/* Copyright 2010-2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#ifndef _RADSEC_REQUEST_IMPL_H_ -#define _RADSEC_REQUEST_IMPL_H_ 1 - -#if defined (__cplusplus) -extern "C" { -#endif - -struct rs_request -{ - struct rs_connection *conn; - struct event *timer; - struct rs_packet *req_msg; - struct rs_conn_callbacks saved_cb; - void *saved_user_data; -}; - -#if defined (__cplusplus) -} -#endif - -#endif /* _RADSEC_REQUEST_IMPL_H_ */ diff --git a/lib/include/radsec/request.h b/lib/include/radsec/request.h deleted file mode 100644 index d4c72b3..0000000 --- a/lib/include/radsec/request.h +++ /dev/null @@ -1,50 +0,0 @@ -/** \file request.h - \brief Public interface for libradsec request's. */ - -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#ifndef _RADSEC_REQUEST_H_ -#define _RADSEC_REQUEST_H_ 1 - -struct rs_request; - -#if defined (__cplusplus) -extern "C" { -#endif - -/** Create a request associated with connection \a conn. */ -int rs_request_create(struct rs_connection *conn, struct rs_request **req_out); - -/** Add RADIUS request message \a req_msg to request \a req. - FIXME: Rename to rs_request_add_reqmsg? */ -void rs_request_add_reqpkt(struct rs_request *req, struct rs_packet *req_msg); - -/** Create a request associated with connection \a conn containing a - newly created RADIUS authentication message, possibly with \a - user_name and \a user_pw attributes. \a user_name and _user_pw - are optional and can be NULL. */ -int rs_request_create_authn(struct rs_connection *conn, - struct rs_request **req_out, - const char *user_name, - const char *user_pw); - -/** Send request \a req and wait for a matching response. The - response is put in \a resp_msg (if not NULL). NOTE: At present, - no more than one outstanding request to a given realm is - supported. This will change in a future version. */ -int rs_request_send(struct rs_request *req, struct rs_packet **resp_msg); - -/** Free all memory allocated by request \a req including any request - packet associated with the request. Note that a request must be - freed before its associated connection can be freed. */ -void rs_request_destroy(struct rs_request *req); - -/** Return request message in request \a req. */ -struct rs_packet *rs_request_get_reqmsg(const struct rs_request *req); - -#if defined (__cplusplus) -} -#endif - -#endif /* _RADSEC_REQUEST_H_ */ diff --git a/lib/libradsec.spec.in b/lib/libradsec.spec.in deleted file mode 100644 index 97d6178..0000000 --- a/lib/libradsec.spec.in +++ /dev/null @@ -1,77 +0,0 @@ -Name: @PACKAGE@ -Version: @PACKAGE_VERSION@ -Release: 1%{?dist} -Summary: RADIUS over TLS library - -Group: System Environment/Libraries -License: BSD -URL: http://software.uninett.no/radsecproxy/?page=documentation -Source0: %{name}-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root - - - -BuildRequires: openssl-devel -BuildRequires: libconfuse-devel -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool -BuildRequires: libevent-devel >= 2.0 - - - -%description - Libradsec is a RADIUS over TLS library. - - -%package devel -Summary: Development files for %{name} -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} - -%description devel -The %{name}-devel package contains libraries and header files for -developing applications that use %{name}. - - -%prep -%setup -q - - -%build - export CPPFLAGS='-I%{_includedir}' - export LDFLAGS='-L%{_libdir}' -%configure --disable-static -make %{?_smp_mflags} - - -%install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR=$RPM_BUILD_ROOT -find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' - - -%clean -rm -rf $RPM_BUILD_ROOT - - -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig - - -%files -%defattr(-,root,root,-) -%doc README -%{_libdir}/*.so.* - -%files devel -%defattr(-,root,root,-) -%{_includedir}/* -%{_libdir}/*.so - - -%changelog -* Tue Sep 27 2011 - %{version}-1 -- initial version - diff --git a/lib/md5.c b/lib/md5.c deleted file mode 100644 index f4ac436..0000000 --- a/lib/md5.c +++ /dev/null @@ -1,295 +0,0 @@ -/* - * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. - * MD5 Message-Digest Algorithm (RFC 1321). - * - * Homepage: - * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 - * - * Author: - * Alexander Peslyak, better known as Solar Designer - * - * This software was written by Alexander Peslyak in 2001. No copyright is - * claimed, and the software is hereby placed in the public domain. - * In case this attempt to disclaim copyright and place the software in the - * public domain is deemed null and void, then the software is - * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the - * general public under the following terms: - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted. - * - * There's ABSOLUTELY NO WARRANTY, express or implied. - * - * (This is a heavily cut-down "BSD license".) - * - * This differs from Colin Plumb's older public domain implementation in that - * no exactly 32-bit integer data type is required (any 32-bit or wider - * unsigned integer data type will do), there's no compile-time endianness - * configuration, and the function prototypes match OpenSSL's. No code from - * Colin Plumb's implementation has been reused; this comment merely compares - * the properties of the two independent implementations. - * - * The primary goals of this implementation are portability and ease of use. - * It is meant to be fast, but not as fast as possible. Some known - * optimizations are not included to reduce source code size and avoid - * compile-time configuration. - */ - -#ifndef HAVE_OPENSSL - -#include - -#include "md5.h" - -/* - * The basic MD5 functions. - * - * F and G are optimized compared to their RFC 1321 definitions for - * architectures that lack an AND-NOT instruction, just like in Colin Plumb's - * implementation. - */ -#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) -#define G(x, y, z) ((y) ^ ((z) & ((x) ^ (y)))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) -#define I(x, y, z) ((y) ^ ((x) | ~(z))) - -/* - * The MD5 transformation for all four rounds. - */ -#define STEP(f, a, b, c, d, x, t, s) \ - (a) += f((b), (c), (d)) + (x) + (t); \ - (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); \ - (a) += (b); - -/* - * SET reads 4 input bytes in little-endian byte order and stores them - * in a properly aligned word in host byte order. - * - * The check for little-endian architectures that tolerate unaligned - * memory accesses is just an optimization. Nothing will break if it - * doesn't work. - */ -#if defined(__i386__) || defined(__x86_64__) || defined(__vax__) -#define SET(n) \ - (*(MD5_u32plus *)&ptr[(n) * 4]) -#define GET(n) \ - SET(n) -#else -#define SET(n) \ - (ctx->block[(n)] = \ - (MD5_u32plus)ptr[(n) * 4] | \ - ((MD5_u32plus)ptr[(n) * 4 + 1] << 8) | \ - ((MD5_u32plus)ptr[(n) * 4 + 2] << 16) | \ - ((MD5_u32plus)ptr[(n) * 4 + 3] << 24)) -#define GET(n) \ - (ctx->block[(n)]) -#endif - -/* - * This processes one or more 64-byte data blocks, but does NOT update - * the bit counters. There are no alignment requirements. - */ -static const void *body(MD5_CTX *ctx, const void *data, unsigned long size) -{ - const unsigned char *ptr; - MD5_u32plus a, b, c, d; - MD5_u32plus saved_a, saved_b, saved_c, saved_d; - - ptr = data; - - a = ctx->a; - b = ctx->b; - c = ctx->c; - d = ctx->d; - - do { - saved_a = a; - saved_b = b; - saved_c = c; - saved_d = d; - -/* Round 1 */ - STEP(F, a, b, c, d, SET(0), 0xd76aa478, 7) - STEP(F, d, a, b, c, SET(1), 0xe8c7b756, 12) - STEP(F, c, d, a, b, SET(2), 0x242070db, 17) - STEP(F, b, c, d, a, SET(3), 0xc1bdceee, 22) - STEP(F, a, b, c, d, SET(4), 0xf57c0faf, 7) - STEP(F, d, a, b, c, SET(5), 0x4787c62a, 12) - STEP(F, c, d, a, b, SET(6), 0xa8304613, 17) - STEP(F, b, c, d, a, SET(7), 0xfd469501, 22) - STEP(F, a, b, c, d, SET(8), 0x698098d8, 7) - STEP(F, d, a, b, c, SET(9), 0x8b44f7af, 12) - STEP(F, c, d, a, b, SET(10), 0xffff5bb1, 17) - STEP(F, b, c, d, a, SET(11), 0x895cd7be, 22) - STEP(F, a, b, c, d, SET(12), 0x6b901122, 7) - STEP(F, d, a, b, c, SET(13), 0xfd987193, 12) - STEP(F, c, d, a, b, SET(14), 0xa679438e, 17) - STEP(F, b, c, d, a, SET(15), 0x49b40821, 22) - -/* Round 2 */ - STEP(G, a, b, c, d, GET(1), 0xf61e2562, 5) - STEP(G, d, a, b, c, GET(6), 0xc040b340, 9) - STEP(G, c, d, a, b, GET(11), 0x265e5a51, 14) - STEP(G, b, c, d, a, GET(0), 0xe9b6c7aa, 20) - STEP(G, a, b, c, d, GET(5), 0xd62f105d, 5) - STEP(G, d, a, b, c, GET(10), 0x02441453, 9) - STEP(G, c, d, a, b, GET(15), 0xd8a1e681, 14) - STEP(G, b, c, d, a, GET(4), 0xe7d3fbc8, 20) - STEP(G, a, b, c, d, GET(9), 0x21e1cde6, 5) - STEP(G, d, a, b, c, GET(14), 0xc33707d6, 9) - STEP(G, c, d, a, b, GET(3), 0xf4d50d87, 14) - STEP(G, b, c, d, a, GET(8), 0x455a14ed, 20) - STEP(G, a, b, c, d, GET(13), 0xa9e3e905, 5) - STEP(G, d, a, b, c, GET(2), 0xfcefa3f8, 9) - STEP(G, c, d, a, b, GET(7), 0x676f02d9, 14) - STEP(G, b, c, d, a, GET(12), 0x8d2a4c8a, 20) - -/* Round 3 */ - STEP(H, a, b, c, d, GET(5), 0xfffa3942, 4) - STEP(H, d, a, b, c, GET(8), 0x8771f681, 11) - STEP(H, c, d, a, b, GET(11), 0x6d9d6122, 16) - STEP(H, b, c, d, a, GET(14), 0xfde5380c, 23) - STEP(H, a, b, c, d, GET(1), 0xa4beea44, 4) - STEP(H, d, a, b, c, GET(4), 0x4bdecfa9, 11) - STEP(H, c, d, a, b, GET(7), 0xf6bb4b60, 16) - STEP(H, b, c, d, a, GET(10), 0xbebfbc70, 23) - STEP(H, a, b, c, d, GET(13), 0x289b7ec6, 4) - STEP(H, d, a, b, c, GET(0), 0xeaa127fa, 11) - STEP(H, c, d, a, b, GET(3), 0xd4ef3085, 16) - STEP(H, b, c, d, a, GET(6), 0x04881d05, 23) - STEP(H, a, b, c, d, GET(9), 0xd9d4d039, 4) - STEP(H, d, a, b, c, GET(12), 0xe6db99e5, 11) - STEP(H, c, d, a, b, GET(15), 0x1fa27cf8, 16) - STEP(H, b, c, d, a, GET(2), 0xc4ac5665, 23) - -/* Round 4 */ - STEP(I, a, b, c, d, GET(0), 0xf4292244, 6) - STEP(I, d, a, b, c, GET(7), 0x432aff97, 10) - STEP(I, c, d, a, b, GET(14), 0xab9423a7, 15) - STEP(I, b, c, d, a, GET(5), 0xfc93a039, 21) - STEP(I, a, b, c, d, GET(12), 0x655b59c3, 6) - STEP(I, d, a, b, c, GET(3), 0x8f0ccc92, 10) - STEP(I, c, d, a, b, GET(10), 0xffeff47d, 15) - STEP(I, b, c, d, a, GET(1), 0x85845dd1, 21) - STEP(I, a, b, c, d, GET(8), 0x6fa87e4f, 6) - STEP(I, d, a, b, c, GET(15), 0xfe2ce6e0, 10) - STEP(I, c, d, a, b, GET(6), 0xa3014314, 15) - STEP(I, b, c, d, a, GET(13), 0x4e0811a1, 21) - STEP(I, a, b, c, d, GET(4), 0xf7537e82, 6) - STEP(I, d, a, b, c, GET(11), 0xbd3af235, 10) - STEP(I, c, d, a, b, GET(2), 0x2ad7d2bb, 15) - STEP(I, b, c, d, a, GET(9), 0xeb86d391, 21) - - a += saved_a; - b += saved_b; - c += saved_c; - d += saved_d; - - ptr += 64; - } while (size -= 64); - - ctx->a = a; - ctx->b = b; - ctx->c = c; - ctx->d = d; - - return ptr; -} - -void MD5_Init(MD5_CTX *ctx) -{ - ctx->a = 0x67452301; - ctx->b = 0xefcdab89; - ctx->c = 0x98badcfe; - ctx->d = 0x10325476; - - ctx->lo = 0; - ctx->hi = 0; -} - -void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size) -{ - MD5_u32plus saved_lo; - unsigned long used, free; - - saved_lo = ctx->lo; - if ((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo) - ctx->hi++; - ctx->hi += size >> 29; - - used = saved_lo & 0x3f; - - if (used) { - free = 64 - used; - - if (size < free) { - memcpy(&ctx->buffer[used], data, size); - return; - } - - memcpy(&ctx->buffer[used], data, free); - data = (unsigned char *)data + free; - size -= free; - body(ctx, ctx->buffer, 64); - } - - if (size >= 64) { - data = body(ctx, data, size & ~(unsigned long)0x3f); - size &= 0x3f; - } - - memcpy(ctx->buffer, data, size); -} - -void MD5_Final(unsigned char *result, MD5_CTX *ctx) -{ - unsigned long used, free; - - used = ctx->lo & 0x3f; - - ctx->buffer[used++] = 0x80; - - free = 64 - used; - - if (free < 8) { - memset(&ctx->buffer[used], 0, free); - body(ctx, ctx->buffer, 64); - used = 0; - free = 64; - } - - memset(&ctx->buffer[used], 0, free - 8); - - ctx->lo <<= 3; - ctx->buffer[56] = ctx->lo; - ctx->buffer[57] = ctx->lo >> 8; - ctx->buffer[58] = ctx->lo >> 16; - ctx->buffer[59] = ctx->lo >> 24; - ctx->buffer[60] = ctx->hi; - ctx->buffer[61] = ctx->hi >> 8; - ctx->buffer[62] = ctx->hi >> 16; - ctx->buffer[63] = ctx->hi >> 24; - - body(ctx, ctx->buffer, 64); - - result[0] = ctx->a; - result[1] = ctx->a >> 8; - result[2] = ctx->a >> 16; - result[3] = ctx->a >> 24; - result[4] = ctx->b; - result[5] = ctx->b >> 8; - result[6] = ctx->b >> 16; - result[7] = ctx->b >> 24; - result[8] = ctx->c; - result[9] = ctx->c >> 8; - result[10] = ctx->c >> 16; - result[11] = ctx->c >> 24; - result[12] = ctx->d; - result[13] = ctx->d >> 8; - result[14] = ctx->d >> 16; - result[15] = ctx->d >> 24; - - memset(ctx, 0, sizeof(*ctx)); -} - -#endif diff --git a/lib/md5.h b/lib/md5.h deleted file mode 100644 index 2da44bf..0000000 --- a/lib/md5.h +++ /dev/null @@ -1,45 +0,0 @@ -/* - * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. - * MD5 Message-Digest Algorithm (RFC 1321). - * - * Homepage: - * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 - * - * Author: - * Alexander Peslyak, better known as Solar Designer - * - * This software was written by Alexander Peslyak in 2001. No copyright is - * claimed, and the software is hereby placed in the public domain. - * In case this attempt to disclaim copyright and place the software in the - * public domain is deemed null and void, then the software is - * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the - * general public under the following terms: - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted. - * - * There's ABSOLUTELY NO WARRANTY, express or implied. - * - * See md5.c for more information. - */ - -#ifdef HAVE_OPENSSL -#include -#elif !defined(_MD5_H) -#define _MD5_H - -/* Any 32-bit or wider unsigned integer data type will do */ -typedef unsigned int MD5_u32plus; - -typedef struct { - MD5_u32plus lo, hi; - MD5_u32plus a, b, c, d; - unsigned char buffer[64]; - MD5_u32plus block[16]; -} MD5_CTX; - -extern void MD5_Init(MD5_CTX *ctx); -extern void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size); -extern void MD5_Final(unsigned char *result, MD5_CTX *ctx); - -#endif diff --git a/lib/packet.c b/lib/packet.c deleted file mode 100644 index 5daad25..0000000 --- a/lib/packet.c +++ /dev/null @@ -1,294 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include "conn.h" -#include "debug.h" -#include "packet.h" - -#if defined (DEBUG) -#include -#include -#include -#endif - -int -packet_verify_response (struct rs_connection *conn, - struct rs_packet *response, - struct rs_packet *request) -{ - int err; - - assert (conn); - assert (conn->active_peer); - assert (conn->active_peer->secret); - assert (response); - assert (response->rpkt); - assert (request); - assert (request->rpkt); - - response->rpkt->secret = conn->active_peer->secret; - response->rpkt->sizeof_secret = strlen (conn->active_peer->secret); - - /* Verify header and message authenticator. */ - err = nr_packet_verify (response->rpkt, request->rpkt); - if (err) - { - if (conn->is_connected) - rs_conn_disconnect(conn); - return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, - "nr_packet_verify"); - } - - /* Decode and decrypt. */ - err = nr_packet_decode (response->rpkt, request->rpkt); - if (err) - { - if (conn->is_connected) - rs_conn_disconnect(conn); - return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, - "nr_packet_decode"); - } - - return RSE_OK; -} - - -/* Badly named function for preparing a RADIUS message and queue it. - FIXME: Rename. */ -int -packet_do_send (struct rs_packet *pkt) -{ - int err; - - assert (pkt); - assert (pkt->conn); - assert (pkt->conn->active_peer); - assert (pkt->conn->active_peer->secret); - assert (pkt->rpkt); - - pkt->rpkt->secret = pkt->conn->active_peer->secret; - pkt->rpkt->sizeof_secret = strlen (pkt->rpkt->secret); - - /* Encode message. */ - err = nr_packet_encode (pkt->rpkt, NULL); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, - "nr_packet_encode"); - /* Sign message. */ - err = nr_packet_sign (pkt->rpkt, NULL); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, - "nr_packet_sign"); -#if defined (DEBUG) - { - char host[80], serv[80]; - - getnameinfo (pkt->conn->active_peer->addr_cache->ai_addr, - pkt->conn->active_peer->addr_cache->ai_addrlen, - host, sizeof(host), serv, sizeof(serv), - 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); - rs_debug (("%s: about to send this to %s:%s:\n", __func__, host, serv)); - rs_dump_packet (pkt); - } -#endif - - /* Put message in output buffer. */ - if (pkt->conn->bev) /* TCP. */ - { - int err = bufferevent_write (pkt->conn->bev, pkt->rpkt->data, - pkt->rpkt->length); - if (err < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "bufferevent_write: %s", - evutil_gai_strerror (err)); - } - else /* UDP. */ - { - struct rs_packet **pp = &pkt->conn->out_queue; - - while (*pp && (*pp)->next) - *pp = (*pp)->next; - *pp = pkt; - } - - return RSE_OK; -} - -/* Public functions. */ -int -rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out) -{ - struct rs_packet *p; - RADIUS_PACKET *rpkt; - int err; - - *pkt_out = NULL; - - rpkt = rs_malloc (conn->ctx, sizeof(*rpkt) + RS_MAX_PACKET_LEN); - if (rpkt == NULL) - return rs_err_conn_push (conn, RSE_NOMEM, __func__); - - err = nr_packet_init (rpkt, NULL, NULL, - PW_ACCESS_REQUEST, - rpkt + 1, RS_MAX_PACKET_LEN); - if (err < 0) - return rs_err_conn_push (conn, -err, __func__); - - p = (struct rs_packet *) rs_calloc (conn->ctx, 1, sizeof (*p)); - if (p == NULL) - { - rs_free (conn->ctx, rpkt); - return rs_err_conn_push (conn, RSE_NOMEM, __func__); - } - p->conn = conn; - p->rpkt = rpkt; - - *pkt_out = p; - return RSE_OK; -} - -int -rs_packet_create_authn_request (struct rs_connection *conn, - struct rs_packet **pkt_out, - const char *user_name, const char *user_pw) -{ - struct rs_packet *pkt; - int err; - - if (rs_packet_create (conn, pkt_out)) - return -1; - - pkt = *pkt_out; - pkt->rpkt->code = PW_ACCESS_REQUEST; - - if (user_name) - { - err = rs_packet_add_avp (pkt, PW_USER_NAME, 0, user_name, - strlen (user_name)); - if (err) - return err; - } - - if (user_pw) - { - err = rs_packet_add_avp (pkt, PW_USER_PASSWORD, 0, user_pw, - strlen (user_pw)); - if (err) - return err; - } - - return RSE_OK; -} - -void -rs_packet_destroy (struct rs_packet *pkt) -{ - assert (pkt); - assert (pkt->conn); - assert (pkt->conn->ctx); - - rs_avp_free (&pkt->rpkt->vps); - rs_free (pkt->conn->ctx, pkt->rpkt); - rs_free (pkt->conn->ctx, pkt); -} - -int -rs_packet_add_avp (struct rs_packet *pkt, - unsigned int attr, unsigned int vendor, - const void *data, size_t data_len) - -{ - const DICT_ATTR *da; - VALUE_PAIR *vp; - int err; - - assert (pkt); - assert (pkt->conn); - assert (pkt->conn->ctx); - - da = nr_dict_attr_byvalue (attr, vendor); - if (da == NULL) - return rs_err_conn_push (pkt->conn, RSE_ATTR_TYPE_UNKNOWN, - "nr_dict_attr_byvalue"); - vp = rs_malloc (pkt->conn->ctx, sizeof(*vp)); - if (vp == NULL) - return rs_err_conn_push (pkt->conn, RSE_NOMEM, NULL); - if (nr_vp_init (vp, da) == NULL) - { - nr_vp_free (&vp); - return rs_err_conn_push (pkt->conn, RSE_INTERNAL, NULL); - } - err = nr_vp_set_data (vp, data, data_len); - if (err < 0) - { - nr_vp_free (&vp); - return rs_err_conn_push (pkt->conn, -err, "nr_vp_set_data"); - } - nr_vps_append (&pkt->rpkt->vps, vp); - - return RSE_OK; -} - -/* TODO: Rename rs_packet_append_avp, indicating that encoding is - being done. */ -int -rs_packet_append_avp (struct rs_packet *pkt, - unsigned int attr, unsigned int vendor, - const void *data, size_t data_len) -{ - const DICT_ATTR *da; - int err; - - assert (pkt); - - da = nr_dict_attr_byvalue (attr, vendor); - if (da == NULL) - return rs_err_conn_push (pkt->conn, RSE_ATTR_TYPE_UNKNOWN, __func__); - - err = nr_packet_attr_append (pkt->rpkt, NULL, da, data, data_len); - if (err < 0) - return rs_err_conn_push (pkt->conn, -err, __func__); - - return RSE_OK; -} - -void -rs_packet_avps (struct rs_packet *pkt, rs_avp ***vps) -{ - assert (pkt); - *vps = &pkt->rpkt->vps; -} - -unsigned int -rs_packet_code (struct rs_packet *pkt) -{ - assert (pkt); - return pkt->rpkt->code; -} - -rs_const_avp * -rs_packet_find_avp (struct rs_packet *pkt, unsigned int attr, unsigned int vendor) -{ - assert (pkt); - return rs_avp_find_const (pkt->rpkt->vps, attr, vendor); -} - -int -rs_packet_set_id (struct rs_packet *pkt, int id) -{ - int old = pkt->rpkt->id; - - pkt->rpkt->id = id; - - return old; -} diff --git a/lib/packet.h b/lib/packet.h deleted file mode 100644 index 7cdbb35..0000000 --- a/lib/packet.h +++ /dev/null @@ -1,7 +0,0 @@ -/* Copyright 2010, 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -int packet_do_send (struct rs_packet *pkt); -int packet_verify_response (struct rs_connection *conn, - struct rs_packet *response, - struct rs_packet *request); diff --git a/lib/peer.c b/lib/peer.c deleted file mode 100644 index decc64b..0000000 --- a/lib/peer.c +++ /dev/null @@ -1,113 +0,0 @@ -/* Copyright 2010-2012 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include - -#include -#include -#include "err.h" -#include "peer.h" -#include "util.h" - -struct rs_peer * -peer_pick_peer (struct rs_connection *conn) -{ - assert (conn); - - if (conn->active_peer) - conn->active_peer = conn->active_peer->next; /* Next. */ - if (!conn->active_peer) - conn->active_peer = conn->peers; /* From the top. */ - - return conn->active_peer; -} - -struct rs_peer * -peer_create (struct rs_context *ctx, struct rs_peer **rootp) -{ - struct rs_peer *p; - - p = (struct rs_peer *) rs_malloc (ctx, sizeof(*p)); - if (p) - { - memset (p, 0, sizeof(struct rs_peer)); - if (*rootp) - { - p->next = (*rootp)->next; - (*rootp)->next = p; - } - else - *rootp = p; - } - return p; -} - -/* Public functions. */ -int -rs_peer_create (struct rs_connection *conn, struct rs_peer **peer_out) -{ - struct rs_peer *peer; - - peer = peer_create (conn->ctx, &conn->peers); - if (peer) - { - peer->conn = conn; - peer->realm->timeout = 2; /* FIXME: Why? */ - peer->realm->retries = 2; /* FIXME: Why? */ - } - else - return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); - if (*peer_out) - *peer_out = peer; - return RSE_OK; -} - -int -rs_peer_set_address (struct rs_peer *peer, const char *hostname, - const char *service) -{ - assert (peer); - assert (peer->conn); - assert (peer->conn->ctx); - - peer->hostname = rs_strdup (peer->conn->ctx, hostname); - peer->service = rs_strdup (peer->conn->ctx, service); - if (peer->hostname == NULL || peer->service == NULL) - return RSE_NOMEM; - - return RSE_OK; -} - -void -rs_peer_set_timeout (struct rs_peer *peer, int timeout) -{ - assert (peer); - assert (peer->realm); - peer->realm->timeout = timeout; -} -void -rs_peer_set_retries (struct rs_peer *peer, int retries) -{ - assert (peer); - assert (peer->realm); - peer->realm->retries = retries; -} - -int -rs_peer_set_secret (struct rs_peer *peer, const char *secret) -{ - if (peer->secret) - free (peer->secret); - peer->secret = (char *) malloc (strlen(secret) + 1); - if (!peer->secret) - return rs_err_conn_push (peer->conn, RSE_NOMEM, NULL); - strcpy (peer->secret, secret); - return RSE_OK; -} - diff --git a/lib/peer.h b/lib/peer.h deleted file mode 100644 index b15395f..0000000 --- a/lib/peer.h +++ /dev/null @@ -1,5 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -struct rs_peer *peer_create (struct rs_context *ctx, struct rs_peer **rootp); -struct rs_peer *peer_pick_peer (struct rs_connection *conn); diff --git a/lib/radius/.gitignore b/lib/radius/.gitignore deleted file mode 100644 index 1af03df..0000000 --- a/lib/radius/.gitignore +++ /dev/null @@ -1 +0,0 @@ -dictionaries.c diff --git a/lib/radius/LICENSE b/lib/radius/LICENSE deleted file mode 100644 index 01dbe92..0000000 --- a/lib/radius/LICENSE +++ /dev/null @@ -1,24 +0,0 @@ -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/lib/radius/Makefile.am b/lib/radius/Makefile.am deleted file mode 100644 index 462a1e0..0000000 --- a/lib/radius/Makefile.am +++ /dev/null @@ -1,42 +0,0 @@ -AUTOMAKE_OPTIONS = foreign -ACLOCAL_AMFLAGS = -I m4 - -AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) -AM_CFLAGS = -Wall -g - -noinst_LTLIBRARIES = libradsec-radius.la - -libradsec_radius_la_SOURCES = \ - attrs.c \ - crypto.c \ - custom.c \ - dict.c \ - id.c \ - parse.c \ - print.c \ - radpkt.c \ - static.c \ - valuepair.c - -libradsec_radius_la_SOURCES += client.h - -libradsec_radius_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H - -DICTIONARIES = \ - share/dictionary.txt \ - share/dictionary.juniper \ - share/dictionary.microsoft \ - share/dictionary.ukerna \ - share/dictionary.abfab.ietf - -EXTRA_DIST = dictionaries.c $(DICTIONARIES) common.pl convert.pl - -$(top_srcdir)/include/radsec/radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl - $(srcdir)/convert.pl ${DICTIONARIES} - -static.$(OBJEXT): static.c dictionaries.c - -clean-local: - rm -f dictionaries.c - -$(libradsec_radius_la_SOURCES): $(top_srcdir)/include/radsec/radius.h diff --git a/lib/radius/attrs.c b/lib/radius/attrs.c deleted file mode 100644 index 21cd3f0..0000000 --- a/lib/radius/attrs.c +++ /dev/null @@ -1,1411 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file attrs.c - * \brief Attribute encoding and decoding routines. - */ - -#include "client.h" - -/* - * Encodes the data portion of an attribute. - * Returns -1 on error, or the length of the data portion. - */ -static ssize_t vp2data_any(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - int nest, - const VALUE_PAIR **pvp, - uint8_t *start, size_t room) -{ - uint32_t lvalue; - ssize_t len; - const uint8_t *data; - uint8_t *ptr = start; - uint8_t array[4]; - const VALUE_PAIR *vp = *pvp; - -#ifdef RS_TYPE_TLV - /* - * See if we need to encode a TLV. The low portion of - * the attribute has already been placed into the packer. - * If there are still attribute bytes left, then go - * encode them as TLVs. - * - * If we cared about the stack, we could unroll the loop. - */ - if ((nest > 0) && (nest <= nr_attr_max_tlv) && - ((vp->da->attr >> nr_attr_shift[nest]) != 0)) { - return vp2data_tlvs(packet, original, nest, pvp, - start, room); - } -#else - nest = nest; /* -Wunused */ -#endif - - /* - * Set up the default sources for the data. - */ - data = vp->vp_octets; - len = vp->length; - - switch(vp->da->type) { - case RS_TYPE_IPV6PREFIX: - len = sizeof(vp->vp_ipv6prefix); - break; - - case RS_TYPE_STRING: - case RS_TYPE_OCTETS: - case RS_TYPE_IFID: - case RS_TYPE_IPV6ADDR: -#ifdef RS_TYPE_ABINARY - case RS_TYPE_ABINARY: -#endif - /* nothing more to do */ - break; - - case RS_TYPE_BYTE: - len = 1; /* just in case */ - array[0] = vp->vp_integer & 0xff; - data = array; - break; - - case RS_TYPE_SHORT: - len = 2; /* just in case */ - array[0] = (vp->vp_integer >> 8) & 0xff; - array[1] = vp->vp_integer & 0xff; - data = array; - break; - - case RS_TYPE_INTEGER: - len = 4; /* just in case */ - lvalue = htonl(vp->vp_integer); - memcpy(array, &lvalue, sizeof(lvalue)); - data = array; - break; - - case RS_TYPE_IPADDR: - data = (const uint8_t *) &vp->vp_ipaddr; - len = 4; /* just in case */ - break; - - /* - * There are no tagged date attributes. - */ - case RS_TYPE_DATE: - lvalue = htonl(vp->vp_date); - data = (const uint8_t *) &lvalue; - len = 4; /* just in case */ - break; - -#ifdef VENDORPEC_WIMAX - case RS_TYPE_SIGNED: - { - int32_t slvalue; - - len = 4; /* just in case */ - slvalue = htonl(vp->vp_signed); - memcpy(array, &slvalue, sizeof(slvalue)); - break; - } -#endif - -#ifdef RS_TYPE_TLV - case RS_TYPE_TLV: - data = vp->vp_tlv; - if (!data) { - nr_debug_error("ERROR: Cannot encode NULL TLV"); - return -RSE_INVAL; - } - len = vp->length; - break; -#endif - - default: /* unknown type: ignore it */ - nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type); - return -RSE_ATTR_TYPE_UNKNOWN; - } - - /* - * Bound the data to the calling size - */ - if (len > (ssize_t) room) len = room; - -#ifndef FLAG_ENCRYPT_TUNNEL_PASSWORD - original = original; /* -Wunused */ -#endif - - /* - * Encrypt the various password styles - * - * Attributes with encrypted values MUST be less than - * 128 bytes long. - */ - switch (vp->da->flags.encrypt) { - case FLAG_ENCRYPT_USER_PASSWORD: - len = nr_password_encrypt(ptr, room, data, len, - packet->secret, packet->vector); - break; - -#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD - case FLAG_ENCRYPT_TUNNEL_PASSWORD: - lvalue = 0; - if (vp->da->flags.has_tag) lvalue = 1; - - /* - * Check if there's enough room. If there isn't, - * we discard the attribute. - * - * This is ONLY a problem if we have multiple VSA's - * in one Vendor-Specific, though. - */ - if (room < (18 + lvalue)) { - *pvp = vp->next; - return 0; - } - - switch (packet->code) { - case PW_ACCESS_ACCEPT: - case PW_ACCESS_REJECT: - case PW_ACCESS_CHALLENGE: - default: - if (!original) { - nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name); - return -RSE_REQUEST_REQUIRED; - } - - if (lvalue) ptr[0] = vp->tag; - len = nr_tunnelpw_encrypt(ptr + lvalue, - room - lvalue, data, len, - packet->secret, - original->vector); - if (len < 0) return len; - break; - case PW_ACCOUNTING_REQUEST: - case PW_DISCONNECT_REQUEST: - case PW_COA_REQUEST: - ptr[0] = vp->tag; - len = nr_tunnelpw_encrypt(ptr + 1, room, data, len - 1, - packet->secret, - packet->vector); - if (len < 0) return len; - break; - } - break; -#endif - - /* - * The code above ensures that this attribute - * always fits. - */ -#ifdef FLAG_ENCRYPT_ASCEND_SECRET - case FLAG_ENCRYPT_ASCEND_SECRET: - make_secret(ptr, packet->vector, packet->secret, data); - len = AUTH_VECTOR_LEN; - break; -#endif - - default: - if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) { - if (vp->da->type == RS_TYPE_STRING) { - if (len > ((ssize_t) (room - 1))) len = room - 1; - ptr[0] = vp->tag; - ptr++; - } else if (vp->da->type == RS_TYPE_INTEGER) { - array[0] = vp->tag; - } /* else it can't be any other type */ - } - memcpy(ptr, data, len); - break; - } /* switch over encryption flags */ - - *(pvp) = vp->next; - return len + (ptr - start);; -} - - -/* - * Encode an RFC format TLV. This could be a standard attribute, - * or a TLV data type. If it's a standard attribute, then - * vp->da->attr == attribute. Otherwise, attribute may be - * something else. - */ -static ssize_t vp2attr_rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, - unsigned int attribute, uint8_t *ptr, size_t room) -{ - ssize_t len; - - if (room < 2) { - *pvp = (*pvp)->next; - return 0; - } - - ptr[0] = attribute & 0xff; - ptr[1] = 2; - - if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; - - len = vp2data_any(packet, original, 0, pvp, ptr + ptr[1], room); - if (len < 0) return len; - - ptr[1] += len; - - return ptr[1]; -} - - -#ifndef WITHOUT_VSAS -/* - * Encode a VSA which is a TLV. If it's in the RFC format, call - * vp2attr_rfc. Otherwise, encode it here. - */ -static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, - unsigned int attribute, unsigned int vendor, - uint8_t *ptr, size_t room) -{ - ssize_t len; - const DICT_VENDOR *dv; - - /* - * Unknown vendor: RFC format. - * Known vendor and RFC format: go do that. - */ - dv = nr_dict_vendor_byvalue(vendor); - if (!dv || - ( -#ifdef RS_TYPE_TLV - !(*pvp)->flags.is_tlv && -#endif - (dv->type == 1) && (dv->length == 1))) { - return vp2attr_rfc(packet, original, pvp, - attribute, ptr, room); - } - -#ifdef RS_TYPE_TLV - if ((*pvp)->flags.is_tlv) { - return data2vp_tlvs(packet, original, 0, pvp, - ptr, room); - } -#endif - - switch (dv->type) { - default: - nr_debug_error("vp2attr_vsa: Internal sanity check failed," - " type %u", (unsigned) dv->type); - return -RSE_INTERNAL; - - case 4: - ptr[0] = 0; /* attr must be 24-bit */ - ptr[1] = (attribute >> 16) & 0xff; - ptr[2] = (attribute >> 8) & 0xff; - ptr[3] = attribute & 0xff; - break; - - case 2: - ptr[0] = (attribute >> 8) & 0xff; - ptr[1] = attribute & 0xff; - break; - - case 1: - ptr[0] = attribute & 0xff; - break; - } - - switch (dv->length) { - default: - nr_debug_error("vp2attr_vsa: Internal sanity check failed," - " length %u", (unsigned) dv->length); - return -RSE_INTERNAL; - - case 0: - break; - - case 2: - ptr[dv->type] = 0; - /* FALL-THROUGH */ - - case 1: - ptr[dv->type + dv->length - 1] = dv->type + dv->length; - break; - - } - - if (room > ((unsigned) 255 - (dv->type + dv->length))) { - room = 255 - (dv->type + dv->length); - } - - len = vp2data_any(packet, original, 0, pvp, - ptr + dv->type + dv->length, room); - if (len < 0) return len; - - if (dv->length) ptr[dv->type + dv->length - 1] += len; - - return dv->type + dv->length + len; -} - - -/* - * Encode a Vendor-Specific attribute. - */ -ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, uint8_t *ptr, - size_t room) -{ - ssize_t len; - uint32_t lvalue; - const VALUE_PAIR *vp = *pvp; - -#ifdef VENDORPEC_WIMAX - /* - * Double-check for WiMAX - */ - if (vp->da->vendor == VENDORPEC_WIMAX) { - return nr_vp2wimax(packet, original, pvp, - ptr, room); - } -#endif - - if (vp->da->vendor > RS_MAX_VENDOR) { - nr_debug_error("nr_vp2vsa: Invalid arguments"); - return -RSE_INVAL; - } - - /* - * Not enough room for: - * attr, len, vendor-id - */ - if (room < 6) { - *pvp = vp->next; - return 0; - } - - /* - * Build the Vendor-Specific header - */ - ptr[0] = PW_VENDOR_SPECIFIC; - ptr[1] = 6; - lvalue = htonl(vp->da->vendor); - memcpy(ptr + 2, &lvalue, 4); - - if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; - - len = vp2attr_vsa(packet, original, pvp, - vp->da->attr, vp->da->vendor, - ptr + ptr[1], room); - if (len < 0) return len; - - ptr[1] += len; - - return ptr[1]; -} -#endif - - -/* - * Encode an RFC standard attribute 1..255 - */ -ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, - uint8_t *ptr, size_t room) -{ - const VALUE_PAIR *vp = *pvp; - - if (vp->da->vendor != 0) { - nr_debug_error("nr_vp2rfc called with VSA"); - return -RSE_INVAL; - } - - if ((vp->da->attr == 0) || (vp->da->attr > 255)) { - nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr); - return -RSE_INVAL; - } - -#ifdef PW_CHARGEABLE_USER_IDENTITY - if ((vp->length == 0) && - (vp->da != RS_DA_CHARGEABLE_USER_IDENTITY)) { - *pvp = vp->next; - return 0; - } -#endif - - return vp2attr_rfc(packet, original, pvp, vp->da->attr, - ptr, room); -} - -#ifdef PW_CHAP_PASSWORD -/* - * Encode an RFC standard attribute 1..255 - */ -static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, - uint8_t *ptr, size_t room) -{ - ssize_t rcode; - const VALUE_PAIR *vp = *pvp; - RS_MD5_CTX ctx; - uint8_t buffer[RS_MAX_STRING_LEN*2 + 1], *p; - VALUE_PAIR chap = { - RS_DA_CHAP_PASSWORD, - 17, - 0, - NULL, - { - .octets = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 - }, - }, - }; - - if ((vp->da->vendor != 0) || (vp->da != RS_DA_CHAP_PASSWORD)) { - nr_debug_error("nr_chap2rfc called with non-CHAP"); - return -RSE_INVAL; - } - - p = buffer; - *(p++) = nr_rand() & 0xff; /* id */ - - memcpy(p, vp->vp_strvalue, strlen(vp->vp_strvalue)); - p += strlen(vp->vp_strvalue); - - vp = nr_vps_find(packet->vps, PW_CHAP_CHALLENGE, 0); - if (vp) { - memcpy(p, vp->vp_octets, vp->length); - p += vp->length; - } else { - memcpy(p, packet->vector, sizeof(packet->vector)); - p += sizeof(packet->vector); - } - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, buffer, p - buffer); - RS_MD5Final(&chap.vp_octets[1], &ctx); - - chap.vp_octets[0] = buffer[0]; - vp = &chap; - - rcode = vp2attr_rfc(packet, original, &vp, chap.da->attr, - ptr, room); - if (rcode < 0) return rcode; - - *pvp = (*pvp)->next; - return rcode; -} -#endif /* PW_CHAP_PASSWORD */ - -#ifdef PW_MESSAGE_AUTHENTICATOR -/** Fake Message-Authenticator. - * - * This structure is used to replace a Message-Authenticator in the - * input list of VALUE_PAIRs when encoding a packet. If the caller - * asks us to encode a Message-Authenticator, we ignore the one given - * to us by the caller (which may have the wrong length, etc.), and - * instead use this one, which has the correct length and data. - */ -static const VALUE_PAIR fake_ma = { - RS_DA_MESSAGE_AUTHENTICATOR, - 16, - 0, - NULL, - { - .octets = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 - }, - } -}; -#endif /* PW_MESSAGE_AUTHENTICATOR */ - -/* - * Parse a data structure into a RADIUS attribute. - */ -ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, uint8_t *start, - size_t room) -{ - const VALUE_PAIR *vp = *pvp; - - /* - * RFC format attributes take the fast path. - */ - if (vp->da->vendor != 0) { -#ifdef VENDORPEC_EXTENDED - if (vp->da->vendor > RS_MAX_VENDOR) { - return nr_vp2attr_extended(packet, original, - pvp, start, room); - - } -#endif - -#ifdef VENDORPEC_WIMAX - if (vp->da->vendor == VENDORPEC_WIMAX) { - return nr_vp2attr_wimax(packet, original, - pvp, start, room); - } -#endif - -#ifndef WITHOUT_VSAS - return nr_vp2vsa(packet, original, pvp, start, room); -#else - nr_debug_error("VSAs are not supported"); - return -RSE_UNSUPPORTED; -#endif - } - - /* - * Ignore non-protocol attributes. - */ - if (vp->da->attr > 255) { - *pvp = vp->next; - return 0; - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - /* - * The caller wants a Message-Authenticator, but doesn't - * know how to calculate it, or what the correct values - * are. So... create one for him. - */ - if (vp->da == RS_DA_MESSAGE_AUTHENTICATOR) { - ssize_t rcode; - - vp = &fake_ma; - rcode = nr_vp2rfc(packet, original, &vp, start, room); - if (rcode <= 0) return rcode; - *pvp = (*pvp)->next; - return rcode; - } -#endif - -#ifdef PW_CHAP_PASSWORD - /* - * The caller wants a CHAP-Password, but doesn't know how - * to calculate it, or what the correct values are. To - * help, we calculate it for him. - */ - if (vp->da == RS_DA_CHAP_PASSWORD) { - int encoded = 0; - - /* - * CHAP is ID + MD5(...). If it's length is NOT - * 17, then the caller has passed us a password, - * and wants us to encode it. If the length IS - * 17, then we need to double-check if the caller - * has already encoded it. - */ - if (vp->length == 17) { - int i; - - /* - * ASCII and UTF-8 disallow values 0..31. - * If they appear, then the CHAP-Password - * has already been encoded by the - * caller. The probability of a - * CHAP-Password being all 32..256 is - * (1-32/256)^17 =~ .10 - * - * This check isn't perfect, but it - * should be pretty rare for people to - * have 17-character passwords *and* have - * them all 32..256. - */ - for (i = 0; i < 17; i++) { - if (vp->vp_octets[i] < 32) { - encoded = 1; - break; - } - } - } - - if (!encoded) { - return nr_chap2rfc(packet, original, pvp, start, room); - } - } -#endif - - return nr_vp2rfc(packet, original, pvp, - start, room); -} - - -/* - * Ignore unknown attributes, but "decoding" them into nothing. - */ -static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet, - UNUSED const RADIUS_PACKET *original, - unsigned int attribute, - unsigned int vendor, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - VALUE_PAIR *vp; - - if (length > sizeof(vp->vp_octets)) return -RSE_ATTR_OVERFLOW; - - vp = nr_vp_alloc_raw(attribute, vendor); - if (!vp) return -RSE_NOMEM; - - memcpy(vp->vp_octets, data, length); - vp->length = length; - - *pvp = vp; - return length; -} - -ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - - if (length < 2) return -RSE_PACKET_TOO_SMALL; - if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; - if (data[1] > length) return -RSE_ATTR_OVERFLOW; - - return data2vp_raw(packet, original, data[0], 0, - data + 2, data[1] - 2, pvp); -} - -/* - * Create any kind of VP from the attribute contents. - * - * Will return -1 on error, or "length". - */ -static ssize_t data2vp_any(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - int nest, - unsigned int attribute, unsigned int vendor, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ -#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD - ssize_t rcode; -#endif - int data_offset = 0; - const DICT_ATTR *da; - VALUE_PAIR *vp = NULL; - - if (length == 0) { - /* - * Hacks for CUI. The WiMAX spec says that it - * can be zero length, even though this is - * forbidden by the RADIUS specs. So... we make - * a special case for it. - */ - if ((vendor == 0) && - (attribute == PW_CHARGEABLE_USER_IDENTITY)) { - data = (const uint8_t *) ""; - length = 1; - } else { - *pvp = NULL; - return 0; - } - } - - da = nr_dict_attr_byvalue(attribute, vendor); - - /* - * Unknown attribute. Create it as a "raw" attribute. - */ - if (!da) { - raw: - if (vp) nr_vp_free(&vp); - return data2vp_raw(packet, original, - attribute, vendor, data, length, pvp); - } - -#ifdef RS_TYPE_TLV - /* - * TLVs are handled first. They can't be tagged, and - * they can't be encrypted. - */ - if (da->da->type == RS_TYPE_TLV) { - return data2vp_tlvs(packet, original, - attribute, vendor, nest, - data, length, pvp); - } -#else - nest = nest; /* -Wunused */ -#endif - - /* - * The attribute is known, and well formed. We can now - * create it. The main failure from here on in is being - * out of memory. - */ - vp = nr_vp_alloc(da); - if (!vp) return -RSE_NOMEM; - - /* - * Handle tags. - */ - if (vp->da->flags.has_tag) { - if (TAG_VALID(data[0]) -#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD - || (vp->da->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) -#endif - ) { - /* - * Tunnel passwords REQUIRE a tag, even - * if don't have a valid tag. - */ - vp->tag = data[0]; - - if ((vp->da->type == RS_TYPE_STRING) || - (vp->da->type == RS_TYPE_OCTETS)) { - if (length == 0) goto raw; - data_offset = 1; - } - } - } - - /* - * Copy the data to be decrypted - */ - vp->length = length - data_offset; - memcpy(&vp->vp_octets[0], data + data_offset, vp->length); - - /* - * Decrypt the attribute. - */ - switch (vp->da->flags.encrypt) { - /* - * User-Password - */ - case FLAG_ENCRYPT_USER_PASSWORD: - if (original) { - rcode = nr_password_encrypt(vp->vp_octets, - sizeof(vp->vp_strvalue), - data + data_offset, vp->length, - packet->secret, - original->vector); - } else { - rcode = nr_password_encrypt(vp->vp_octets, - sizeof(vp->vp_strvalue), - data + data_offset, vp->length, - packet->secret, - packet->vector); - } - if (rcode < 0) goto raw; - vp->vp_strvalue[128] = '\0'; - vp->length = strlen(vp->vp_strvalue); - break; - - /* - * Tunnel-Password's may go ONLY - * in response packets. - */ -#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD - case FLAG_ENCRYPT_TUNNEL_PASSWORD: - if (!original) goto raw; - - rcode = nr_tunnelpw_decrypt(vp->vp_octets, - sizeof(vp->vp_octets), - data + data_offset, vp->length, - packet->secret, original->vector); - if (rcode < 0) goto raw; - vp->length = rcode; - break; -#endif - - -#ifdef FLAG_ENCRYPT_ASCEND_SECRET - /* - * Ascend-Send-Secret - * Ascend-Receive-Secret - */ - case FLAG_ENCRYPT_ASCEND_SECRET: - if (!original) { - goto raw; - } else { - uint8_t my_digest[AUTH_VECTOR_LEN]; - make_secret(my_digest, - original->vector, - packet->secret, data); - memcpy(vp->vp_strvalue, my_digest, - AUTH_VECTOR_LEN ); - vp->vp_strvalue[AUTH_VECTOR_LEN] = '\0'; - vp->length = strlen(vp->vp_strvalue); - } - break; -#endif - - default: - break; - } /* switch over encryption flags */ - - /* - * Expected a certain length, but got something else. - */ - if ((vp->da->flags.length != 0) && - (vp->length != vp->da->flags.length)) { - goto raw; - } - - switch (vp->da->type) { - case RS_TYPE_STRING: - case RS_TYPE_OCTETS: -#ifdef RS_TYPE_ABINARY - case RS_TYPE_ABINARY: -#endif - /* nothing more to do */ - break; - - case RS_TYPE_BYTE: - vp->vp_integer = vp->vp_octets[0]; - break; - - - case RS_TYPE_SHORT: - vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1]; - break; - - case RS_TYPE_INTEGER: - memcpy(&vp->vp_integer, vp->vp_octets, 4); - vp->vp_integer = ntohl(vp->vp_integer); - - if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff; - break; - - case RS_TYPE_DATE: - memcpy(&vp->vp_date, vp->vp_octets, 4); - vp->vp_date = ntohl(vp->vp_date); - break; - - - case RS_TYPE_IPADDR: - memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); - break; - - /* - * IPv6 interface ID is 8 octets long. - */ - case RS_TYPE_IFID: - /* vp->vp_ifid == vp->vp_octets */ - break; - - /* - * IPv6 addresses are 16 octets long - */ - case RS_TYPE_IPV6ADDR: - /* vp->vp_ipv6addr == vp->vp_octets */ - break; - - /* - * IPv6 prefixes are 2 to 18 octets long. - * - * RFC 3162: The first octet is unused. - * The second is the length of the prefix - * the rest are the prefix data. - * - * The prefix length can have value 0 to 128. - */ - case RS_TYPE_IPV6PREFIX: - if (vp->length < 2 || vp->length > 18) goto raw; - if (vp->vp_octets[1] > 128) goto raw; - - /* - * FIXME: double-check that - * (vp->vp_octets[1] >> 3) matches vp->length + 2 - */ - if (vp->length < 18) { - memset(vp->vp_octets + vp->length, 0, - 18 - vp->length); - } - break; - -#ifdef VENDORPEC_WIMAX - case RS_TYPE_SIGNED: - if (vp->length != 4) goto raw; - - /* - * Overload vp_integer for ntohl, which takes - * uint32_t, not int32_t - */ - memcpy(&vp->vp_integer, vp->vp_octets, 4); - vp->vp_integer = ntohl(vp->vp_integer); - memcpy(&vp->vp_signed, &vp->vp_integer, 4); - break; -#endif - -#ifdef RS_TYPE_TLV - case RS_TYPE_TLV: - nr_vp_free(&vp); - nr_debug_error("data2vp_any: Internal sanity check failed"); - return -RSE_ATTR_TYPE_UNKNOWN; -#endif - -#ifdef VENDORPEC_WIMAX - case RS_TYPE_COMBO_IP: - if (vp->length == 4) { - vp->da->type = RS_TYPE_IPADDR; - memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); - break; - - } else if (vp->length == 16) { - vp->da->type = RS_TYPE_IPV6ADDR; - /* vp->vp_ipv6addr == vp->vp_octets */ - break; - - } - /* FALL-THROUGH */ -#endif - - default: - goto raw; - } - - *pvp = vp; - - return length; -} - - -/* - * Create a "standard" RFC VALUE_PAIR from the given data. - */ -ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - ssize_t rcode; - - if (length < 2) return -RSE_PACKET_TOO_SMALL; - if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; - if (data[1] > length) return -RSE_ATTR_OVERFLOW; - - rcode = data2vp_any(packet, original, 0, - data[0], 0, data + 2, data[1] - 2, pvp); - if (rcode < 0) return rcode; - - return data[1]; -} - -#ifndef WITHOUT_VSAS -/* - * Check if a set of RADIUS formatted TLVs are OK. - */ -int nr_tlv_ok(const uint8_t *data, size_t length, - size_t dv_type, size_t dv_length) -{ - const uint8_t *end = data + length; - - if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) { - nr_debug_error("nr_tlv_ok: Invalid arguments"); - return -RSE_INVAL; - } - - while (data < end) { - size_t attrlen; - - if ((data + dv_type + dv_length) > end) { - nr_debug_error("Attribute header overflow"); - return -RSE_ATTR_TOO_SMALL; - } - - switch (dv_type) { - case 4: - if ((data[0] == 0) && (data[1] == 0) && - (data[2] == 0) && (data[3] == 0)) { - zero: - nr_debug_error("Invalid attribute 0"); - return -RSE_ATTR_INVALID; - } - - if (data[0] != 0) { - nr_debug_error("Invalid attribute > 2^24"); - return -RSE_ATTR_INVALID; - } - break; - - case 2: - if ((data[1] == 0) && (data[1] == 0)) goto zero; - break; - - case 1: - if (data[0] == 0) goto zero; - break; - - default: - nr_debug_error("Internal sanity check failed"); - return -RSE_INTERNAL; - } - - switch (dv_length) { - case 0: - return 0; - - case 2: - if (data[dv_type + 1] != 0) { - nr_debug_error("Attribute is longer than 256 octets"); - return -RSE_ATTR_TOO_LARGE; - } - /* FALL-THROUGH */ - case 1: - attrlen = data[dv_type + dv_length - 1]; - break; - - - default: - nr_debug_error("Internal sanity check failed"); - return -RSE_INTERNAL; - } - - if (attrlen < (dv_type + dv_length)) { - nr_debug_error("Attribute header has invalid length"); - return -RSE_PACKET_TOO_SMALL; - } - - if (attrlen > length) { - nr_debug_error("Attribute overflows container"); - return -RSE_ATTR_OVERFLOW; - } - - data += attrlen; - length -= attrlen; - } - - return 0; -} - - -/* - * Convert a top-level VSA to a VP. - */ -static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - unsigned int vendor, - size_t dv_type, size_t dv_length, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - unsigned int attribute; - ssize_t attrlen, my_len; - -#ifndef NDEBUG - if (length <= (dv_type + dv_length)) { - nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); - return -RSE_PACKET_TOO_SMALL; - } -#endif - - switch (dv_type) { - case 4: - /* data[0] must be zero */ - attribute = data[1] << 16; - attribute |= data[2] << 8; - attribute |= data[3]; - break; - - case 2: - attribute = data[0] << 8; - attribute |= data[1]; - break; - - case 1: - attribute = data[0]; - break; - - default: - nr_debug_error("attr2vp_vsa: Internal sanity check failed"); - return -RSE_INTERNAL; - } - - switch (dv_length) { - case 2: - /* data[dv_type] must be zero */ - attrlen = data[dv_type + 1]; - break; - - case 1: - attrlen = data[dv_type]; - break; - - case 0: - attrlen = length; - break; - - default: - nr_debug_error("attr2vp_vsa: Internal sanity check failed"); - return -RSE_INTERNAL; - } - -#ifndef NDEBUG - if (attrlen <= (ssize_t) (dv_type + dv_length)) { - nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); - return -RSE_PACKET_TOO_SMALL; - } -#endif - - attrlen -= (dv_type + dv_length); - - my_len = data2vp_any(packet, original, 0, - attribute, vendor, - data + dv_type + dv_length, attrlen, pvp); - if (my_len < 0) return my_len; - -#ifndef NDEBUG - if (my_len != attrlen) { - nr_vp_free(pvp); - nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d", - (int) my_len, (int) attrlen); - return -RSE_INTERNAL; - } -#endif - - return dv_type + dv_length + attrlen; -} - - -/* - * Create Vendor-Specifc VALUE_PAIRs from a RADIUS attribute. - */ -ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - size_t dv_type, dv_length; - ssize_t my_len; - uint32_t lvalue; - const DICT_VENDOR *dv; - - if (length < 2) return -RSE_PACKET_TOO_SMALL; - if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; - if (data[1] > length) return -RSE_ATTR_OVERFLOW; - - if (data[0] != PW_VENDOR_SPECIFIC) { - nr_debug_error("nr_attr2vp_vsa: Invalid attribute"); - return -RSE_INVAL; - } - - /* - * Not enough room for a Vendor-Id. - * Or the high octet of the Vendor-Id is set. - */ - if ((data[1] < 6) || (data[2] != 0)) { - return nr_attr2vp_raw(packet, original, - data, length, pvp); - } - - memcpy(&lvalue, data + 2, 4); - lvalue = ntohl(lvalue); - -#ifdef VENDORPEC_WIMAX - /* - * WiMAX gets its own set of magic. - */ - if (lvalue == VENDORPEC_WIMAX) { - return nr_attr2vp_wimax(packet, original, - data, length, pvp); - } -#endif - - dv_type = dv_length = 1; - dv = nr_dict_vendor_byvalue(lvalue); - if (!dv) { - return nr_attr2vp_rfc(packet, original, - data, length, pvp); - } - - dv_type = dv->type; - dv_length = dv->length; - - /* - * Attribute is not in the correct form. - */ - if (nr_tlv_ok(data + 6, data[1] - 6, dv_type, dv_length) < 0) { - return nr_attr2vp_raw(packet, original, - data, length, pvp); - } - - my_len = attr2vp_vsa(packet, original, - lvalue, dv_type, dv_length, - data + 6, data[1] - 6, pvp); - if (my_len < 0) return my_len; - -#ifndef NDEBUG - if (my_len != (data[1] - 6)) { - nr_vp_free(pvp); - nr_debug_error("nr_attr2vp_vsa: Incomplete decode"); - return -RSE_INTERNAL; - } -#endif - - return data[1]; -} -#endif /* WITHOUT_VSAS */ - - -/* - * Create a "normal" VALUE_PAIR from the given data. - */ -ssize_t nr_attr2vp(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp) -{ - if (length < 2) return -RSE_PACKET_TOO_SMALL; - if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; - if (data[1] > length) return -RSE_ATTR_OVERFLOW; - -#ifndef WITHOUT_VSAS - /* - * VSAs get their own handler. - */ - if (data[0] == PW_VENDOR_SPECIFIC) { - return nr_attr2vp_vsa(packet, original, - data, length, pvp); - } -#endif - -#ifdef VENDORPEC_EXTENDED - /* - * Extended attribute format gets their own handler. - */ - if (nr_dict_attr_byvalue(data[0], VENDORPEC_EXTENDED) != NULL) { - return nr_attr2vp_extended(packet, original, - data, length, pvp); - } -#endif - - return nr_attr2vp_rfc(packet, original, data, length, pvp); -} - -ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, - unsigned int attribute, unsigned int vendor, - const uint8_t **pdata, size_t *plength) -{ - uint8_t *data, *attr; - const uint8_t *end; - - if (!packet || !pdata || !plength) return -RSE_INVAL; - - if (!packet->data) return -RSE_INVAL; - if (packet->length < 20) return -RSE_INVAL; - - /* - * Too long or short, not good. - */ - if ((start < 0) || - ((start > 0) && (start < 20))) return -RSE_INVAL; - - if ((size_t) start >= (packet->length - 2)) return -RSE_INVAL; - - end = packet->data + packet->length; - - /* - * Loop over the packet, converting attrs to VPs. - */ - if (start == 0) { - data = packet->data + 20; - } else { - data = packet->data + start; - data += data[1]; - if (data >= end) return 0; - } - - for (attr = data; attr < end; attr += attr[1]) { - const DICT_VENDOR *dv = NULL; - -#ifndef NEBUG - /* - * This code is copied from packet_ok(). - * It could be put into a separate function. - */ - if ((attr + 2) > end) { - nr_debug_error("Attribute overflows packet"); - return -RSE_ATTR_OVERFLOW; - } - - if (attr[1] < 2) { - nr_debug_error("Attribute length is too small"); - return -RSE_ATTR_TOO_SMALL; - } - - if ((attr + attr[1]) > end) { - nr_debug_error("Attribute length is too large"); - return -RSE_ATTR_TOO_LARGE; - } -#endif - - if ((vendor == 0) && (attr[0] == attribute)) { - *pdata = attr + 2; - *plength = attr[1] - 2; - return attr - packet->data; - } - -#ifndef WITHOUT_VSAS - if (vendor != 0) { - uint32_t vendorpec; - - if (attr[0] != PW_VENDOR_SPECIFIC) continue; - - if (attr[1] < 6) continue; - - memcpy(&vendorpec, attr + 2, 4); - vendorpec = ntohl(vendorpec); - if (vendor != vendorpec) continue; - - if (!dv) { - dv = nr_dict_vendor_byvalue(vendor); - if (dv && - ((dv->type != 1) || (dv->length != 1))) { - return -RSE_VENDOR_UNKNOWN; - } - } - - /* - * No data. - */ - if (attr[1] < 9) continue; - - /* - * Malformed, or more than one VSA in - * the Vendor-Specific - */ - if (attr[7] + 6 != attr[1]) continue; - - /* - * Not the right VSA. - */ - if (attr[6] != attribute) continue; - - *pdata = attr + 8; - *plength = attr[1] - 8; - return attr - packet->data; - } -#endif - } - - return 0; /* nothing more: stop */ -} - diff --git a/lib/radius/client.h b/lib/radius/client.h deleted file mode 100644 index ab4718a..0000000 --- a/lib/radius/client.h +++ /dev/null @@ -1,1302 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file client.h - * \brief Main header file. - */ - -#ifndef _RADIUS_CLIENT_H_ -#define _RADIUS_CLIENT_H_ 1 - -/* - * System-specific header files. - */ -#include -#include -#include -#ifdef HAVE_STDINT_H -#include -#endif -#ifdef HAVE_STDLIB_H -#include -#endif -#ifdef HAVE_STRING_H -#include -#endif -#include -#include -#ifdef HAVE_NETDB_H -#include -#endif -#ifdef HAVE_NETINET_IN_H -#include -#endif -#ifdef HAVE_SYS_TIME_H -#include -#endif - -#include -#include -#include - -/** \defgroup build Build Helpers - * - * These definitions give the GNU C compiler more information about - * the functions being compiled. They are used to either remove - * warnings, or to enable better warnings. - **/ - -/** \defgroup custom Portability Functions - * - * These functions and definitions should be modified for your local - * system. See the individual definitions for details. - */ - -/** \defgroup error Error handling - * - * These definitions and routines manage errors. - */ - -/** \defgroup value_pair Attribute manipulation - * - * These routines manage structures which map to attributes. - */ - -/**\defgroup dict Dictionary Lookup Functions - * - * \sa doc/dictionaries.txt - * - * The RADIUS dictionaries perform name to number mappings. The names - * are used only for administrator convenience, for parsing - * configuration files, and printing humanly-readable output. The - * numbers are used when encoding data in a packet. - * - * When attributes are decoded from a packet, the numbers are used to - * look up the associated name, which is then placed into a data - * structure. - * - * When the data structures are encoded into a packet, the numbers are - * used to create RFC and VSA format attributes. - * - * \attention The definitions, structures, and functions given below - * are useful only for implementing "low level" RADIUS - * functionality. There is usually no need to refer to them in a - * client application. The library should be used at a higher level, - * which exposes a much simpler API. - */ - -/** \defgroup packet Packet manipulation - * - * These routines perform encoding and decoding of RADIUS packets. - */ - -/** \defgroup print Print / parse functions - * - * These routines convert the internal data structures to a printable - * form, or parse them. - */ - -/** \defgroup id ID allocation and freeing - * - * These routines manage RADIUS ID allocation. - */ - -/** \defgroup attr Low-level attribute encode/decoding - * - * These routines perform "low level" encoding, decoding, sending, and - * reception of RADIUS attributes. They are called by the \ref packet - * functions. - * - * \attention The structures and functions given below are useful only - * for implementing "low level" RADIUS functionality. There is usually - * no need to refer to them in a client application. The library - * should be used at a higher level, which exposes a much simpler API. - */ - -/** \defgroup internal Internal support functions. - * - * These functions are required to perform internal or "low-level" - * data manipulation. While they are exposed for completeness, they - * should not be called by any application. - */ - -#ifdef PW_EAP_MESSAGE -#ifndef PW_MESSAGE_AUTHENTICATOR -#error EAP-Message requires Message-Authenticator -#endif -#endif - -#ifdef WITHOUT_OPENSSL -#include "md5.h" -#else -#include -#endif - -/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define RS_MD5_CTX MD5_CTX -/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define RS_MD5Init MD5_Init -/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define RS_MD5Update MD5_Update -/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ -#define RS_MD5Final MD5_Final - - -#ifndef RS_MAX_PACKET_LEN -/** The maximum size of a packet that the library will send or receive. \ingroup custom - * - * The RFC requirement is to handle at least 4K packets. However, if - * you expect to only do username/password authentication, this value - * can be set to a smaller value, such as 256. - * - * Be warned that any packets larger than this value will be ignored - * and silently discarded. - */ -#define RS_MAX_PACKET_LEN (4096) -#endif - -#ifndef RS_MAX_ATTRIBUTES -/** The maximum number of attributes that the library will allow in a packet. \ingroup custom - * - * Packets which contain more than ::RS_MAX_ATTRIBUTES will generate - * an error. This value is configurable because there may be a need - * to accept a large mumber of attributes. - * - * This value is ignored when packets are sent. The library will - * send as many attributes as it is told to send. - */ -#define RS_MAX_ATTRIBUTES (200) -#endif - -#undef RS_MAX_PACKET_CODE -/** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict - * - * \attention This should not be changed, as it is used by other - * structures such as ::nr_packet_codes. - */ -#define RS_MAX_PACKET_CODE PW_COA_NAK - -/** The maximum vendor number which is permitted. \ingroup dict - * - * The RFCs require that the Vendor Id or Private Enterprise Number - * be encoded as 32 bits, with the upper 8 bits being zero. - */ -#define RS_MAX_VENDOR (1 << 24) - -/** Data Type Definitions. \ingroup dict - */ -#define TAG_VALID(x) ((x) < 0x20) - -/** The attribute is not encrypted. */ -#define FLAG_ENCRYPT_NONE (0) - -/** The attribute is encrypted using the RFC 2865 User-Password method */ -#define FLAG_ENCRYPT_USER_PASSWORD (1) - -/** The attribute is encrypted using the RFC 2868 Tunnel-Password method */ -#define FLAG_ENCRYPT_TUNNEL_PASSWORD (2) - -/** A set of flags which determine how the attribute should be handled. - * - * Most attributes are "normal", and do not require special handling. - * However, some require "encryption", tagging, or have other special - * formats. This structure contains the various options for the - * attribute formats. - */ -typedef struct attr_flags { - unsigned int has_tag : 1; /**< Attribute has an RFC 2868 tag */ - unsigned int unknown : 1; /**< Attribute is unknown */ -#ifdef RS_TYPE_TLV - unsigned int has_tlv : 1; /* has sub attributes */ - unsigned int is_tlv : 1; /* is a sub attribute */ -#endif - unsigned int extended : 1; /* extended attribute */ - unsigned int extended_flags : 1; /* with flag */ - unsigned int evs : 1; /* extended VSA */ - uint8_t encrypt; /**< Attribute encryption method */ - uint8_t length; /**< The expected length of the attribute */ -} ATTR_FLAGS; - - -/** Defines an dictionary mapping for an attribute. \ingroup dict - * - * The RADIUS dictionaries map humanly readable names to protocol - * numbers. The protocol numbers are used to encode/decode the - * attributes in a packet. - */ -typedef struct nr_dict_attr { - unsigned int attr; /**< Attribute number */ - rs_attr_type_t type; /**< Data type */ - unsigned int vendor; /**< Vendor-Id number */ - ATTR_FLAGS flags; - const char *name; /**< Printable name */ -} DICT_ATTR; - -/** Defines a dictionary mapping for a named enumeration. \ingroup dict - * - * This structure is currently not used. - */ -typedef struct nr_dict_value { - const DICT_ATTR *da; /**< pointer to a ::DICT_ATTR */ - int value; /**< enumerated value */ - char name[1]; /**< printable name */ -} DICT_VALUE; - -/** Defines an dictionary mapping for a vendor. \ingroup dict - * - * The RADIUS dictionaries map humanly readable vendor names to a - * Vendor-Id (or Private Enterprise Code) assigned by IANA. The - * Vendor-Id is used to encode/decode Vendor-Specific attributes in a - * packet. - */ -typedef struct nr_dict_vendor { - unsigned int vendor; /**< Vendor Private Enterprise Code */ - size_t type; /**< size of Vendor-Type field */ - size_t length; /**< size of Vendor-Length field */ - const char *name; /**< Printable name */ -} DICT_VENDOR; - -/** Union holding all possible types of data for a ::VALUE_PAIR. \ingroup value_pair - * - */ -typedef union value_pair_data { - char strvalue[RS_MAX_STRING_LEN]; /* +1 for NUL */ - uint8_t octets[253]; - struct in_addr ipaddr; - struct in6_addr ipv6addr; - uint32_t date; - uint32_t integer; -#ifdef RS_TYPE_SIGNED - int32_t sinteger; -#endif -#ifdef RS_TYPE_ABINARY - uint8_t filter[32]; -#endif - uint8_t ifid[8]; /* struct? */ - uint8_t ipv6prefix[18]; /* struct? */ -#ifdef RS_TYPE_TLV - uint8_t *tlv; -#endif -} VALUE_PAIR_DATA; - - -/** C structure version of a RADIUS attribute. \ingroup value_pair - * - * The library APIs use this structure to avoid depending on the - * details of the protocol. - */ -typedef struct value_pair { - const DICT_ATTR *da; /**< dictionary definition */ - size_t length; /**< number of octets in the data */ - int tag; /**< tag value if da->flags.has_tag */ - struct value_pair *next; /**< enables a linked list of values */ - VALUE_PAIR_DATA data; /**< the data of the attribute */ -} VALUE_PAIR; -#define vp_strvalue data.strvalue -#define vp_octets data.octets -#define vp_ipv6addr data.ipv6addr -#define vp_ifid data.ifid -#define vp_ipv6prefix data.ipv6prefix -#define vp_ipaddr data.ipaddr.s_addr -#define vp_date data.integer -#define vp_integer data.integer -#ifdef RS_TYPE_ABINARY -#define vp_filter data.filter -#endif -#ifdef RS_TYPE_ETHER -#define vp_ether data.ether -#endif -#ifdef RS_TYPE_SIGNED -#define vp_signed data.sinteger -#endif -#ifdef RS_TYPE_TLV -#define vp_tlv data.tlv -#endif - -#ifdef RS_TYPE_TLV -#define RS_ATTR_MAX_TLV (4) -extern const int nr_attr_shift[RS_ATTR_MAX_TLV]; -extern const int nr_attr_mask[RS_ATTR_MAX_TLV]; -extern const unsigned int nr_attr_max_tlv; -#endif - -/** A structure which describes a RADIUS packet. \ingroup packet - * - * In general, it should not be necessary to refererence the elements - * of this structure. - */ -typedef struct radius_packet { - int sockfd; /** The socket descriptor */ - struct sockaddr_storage src; /**< The packet source address */ - struct sockaddr_storage dst; /**< the packet destination address */ - const char *secret; /**< The shared secret */ - size_t sizeof_secret; /**< Length of the shared secret */ - unsigned int code; /**< The RADIUS Packet Code */ - int id; /**< The RADIUS Packet Id */ - size_t length; /**< The RADIUS Packet Length. This will be no larger than RADIUS_PACKET::sizeof_data */ - uint8_t vector[16]; /**< A copy of the authentication vector */ - int flags; /**< Internal flags. Do not modify this field. */ - int attempts; /**< The number of transmission attempt */ - uint8_t *data; /**< The raw packet data */ - size_t sizeof_data; /**< size of the data buffer */ - VALUE_PAIR *vps; /**< linked list of ::VALUE_PAIR */ -} RADIUS_PACKET; - -#define RS_PACKET_ENCODED (1 << 0) -#define RS_PACKET_HEADER (1 << 1) -#define RS_PACKET_SIGNED (1 << 2) -#define RS_PACKET_OK (1 << 3) -#define RS_PACKET_VERIFIED (1 << 4) -#define RS_PACKET_DECODED (1 << 5) - - -/** Track packets sent to a server. \ingroup id - * - * This data structure tracks Identifiers which are used to - * communicate with a particular destination server. The application - * should call nr_server_init() to initialize it. If necessary, the - * application should then call nr_server_set_ipv4() to open an IPv4 - * socket to the server. - * - * If the RADIUS packets are being transported over an encapsulation - * layer (e.g. RADIUS over TLS), then nr_server_set_ipv4() does not - * need to be called. The ::nr_server_t structure should instead be - * associated wih the TLS session / socket. - */ -typedef struct nr_server_t { - int sockfd; /**< socket for sending packets */ - int code; /**< default value for the Code */ - - struct sockaddr_storage src; /**< Source address of the packet */ - struct sockaddr_storage dst; /**< Destination address of the packet */ - - /** The shared secret. - * - * See also nr_packet_send() and nr_packet_recv(). - */ - const char *secret; - - /** The length of the shared secret. - * - * See also nr_packet_send() and nr_packet_recv(). - */ - size_t sizeof_secret; - - int used; /**< Number of used IDs */ - - void *free_list; /**< For managing packets */ - - RADIUS_PACKET *ids[256]; /**< Pointers to "in flight" packets */ -} nr_server_t; - - -/** Return a printable error message. \ingroup error - * - * This function returns a string describing the last error that - * occurred. These messages are intended for developers, and are not - * suitable for display to an end user. The application using this - * library should instead produce a "summary" message when an error - * occurs. e.g. "Failed to receive a response", is better than - * messages produced by this function, which contain text like - * "invalid response authentication vector". The first is - * understandable, the second is not. - * - * @param[in] error The error code (can be less than zero) - * @return A printable string describing the error. - */ -extern const char *nr_strerror(int error); - -/** Allocate a ::VALUE_PAIR which refers to a ::DICT_ATTR. \ingroup value_pair - * - * This returned ::VALUE_PAIR has no data associated with it. The - * nr_vp_set_data() function must be called before placing the - * ::VALUE_PAIR in a ::RADIUS_PACKET. - * - * @param[in] da The ::DICT_ATTR associated with the ::VALUE_PAIR - * @return The created ::VALUE_PAIR, or NULL on error. - */ -extern VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da); - -/** Free a ::VALUE_PAIR. \ingroup value_pair - * - * This function frees the ::VALUE_PAIR, and sets the head pointer to NULL. - * If head refers to a ::VALUE_PAIR list, then all of the structures in the - * list are freed. - * - * @param[in,out] head The pointer to a ::VALUE_PAIR, or a ::VALUE_PAIR list. - */ -extern void nr_vp_free(VALUE_PAIR **head); - -/** Initializes a ::VALUE_PAIR from a ::DICT_ATTR \ingroup value_pair - * - * This function assumes that the ::VALUE_PAIR points to existing - * and writable memory. - * - * @param[in,out] vp The ::VALUE_PAIR to be initialized - * @param[in] da The ::DICT_ATTR used to initialize the ::VALUE_PAIR - * @return The initialized ::VALUE_PAIR, or NULL on error. - */ -extern VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da); - -/** Allocate a ::VALUE_PAIR which refers to an unknown attribute. \ingroup value_pair - * - * It is used when an attribute is received, and that attribute does - * not exist in the dictionaries. - * - * The returned ::VALUE_PAIR has no data (i.e. VALUE_PAIR::length is - * zero). The nr_vp_set_data() function must be called before - * placing the ::VALUE_PAIR in a ::RADIUS_PACKET. - * - * @param[in] attr The attribute number, 0..2^16 - * @param[in] vendor The vendor number, 0..2^16 - * @return The created ::VALUE_PAIR, or NULL on error. - */ -extern VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor); - -/** Set the data associated with a previously allocated ::VALUE_PAIR. \ingroup value_pair - * - * If this function succeeds, VALUE_PAIR::length is no longer zero, - * and the structure contains the data. - * - * @param[in,out] vp The ::VALUE_PAIR to update - * @param[in] data Data to set inside of the ::VALUE_PAIR - * @param[in] data_len Length of the data field - * @return <0 on error, 0 for "data was truncated" - * >0 for "data successfully added" - */ -extern int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t data_len); - -/** Create a ::VALUE_PAIR and set its data. \ingroup value_pair - * - * @param[in] attr The attribute number of the ::VALUE_PAIR to create - * @param[in] vendor The vendor number of the ::VALUE_PAIR to create - * @param[in] data Data to set inside of the ::VALUE_PAIR - * @param[in] data_len Length of the data field - * @return The created ::VALUE_PAIR, or NULL on error. - */ -extern VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, - size_t data_len); - -/** Append a ::VALUE_PAIR to the end of a ::VALUE_PAIR list. \ingroup value_pair - * - * @param[in,out] head The head of the ::VALUE_PAIR list. May not be NULL. - * @param[in] vp The ::VALUE_PAIR to append to the list. - */ -extern void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *vp); - -/** Search a ::VALUE_PAIR list for one of a given number. \ingroup value_pair - * - * @param[in] head The head of the ::VALUE_PAIR list to search. - * @param[in] attr The attribute number of the ::VALUE_PAIR to find - * @param[in] vendor The vendor number of the ::VALUE_PAIR to find - * @return The found ::VALUE_PAIR, or NULL if it was not found. - */ -extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, - unsigned int attr, unsigned int vendor); - -/** Look up an attribute in the dictionaries. \ingroup dict - * - * The dictionary mapping contains information about the attribute, - * such as printable name, data type (ipaddr, integer, etc), and - * various other things used to encode/decode the attribute in a - * packet. - * - * \attention There is usually no need to call this function. Use - * the RS_DA_* definitions instead. - * - * @param[in] attr Value of the attribute - * @param[in] vendor Value of the vendor - * @return NULL for "not found", or a pointer to the attribute mapping. - */ -extern const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, - unsigned int vendor); - -/** Look up an attribute in the dictionaries. \ingroup dict - * - * The dictionary mapping contains information about the attribute, - * such as printable name, data type (ipaddr, integer, etc), and - * various other things used to encode/decode the attribute in a - * packet. - * - * \attention There is usually no need to call this function. - * - * @param[in] name Name of the attribute - * @return NULL for "not found", or a pointer to the attribute mapping. - */ -extern const DICT_ATTR *nr_dict_attr_byname(const char *name); - -/** Converts raw data to a ::DICT_ATTR structure. \ingroup dict - * - * It is called when the library is asked to decode an attribute - * which is not in the pre-defined dictionaries. - * - * \attention There is usually no need to call this function. - * - * @param[in,out] da The ::DICT_ATTR structure to initialize - * @param[in] attr The attribute number - * @param[in] vendor The vendor number - * @param[in] buffer The buffer where the name of the attribute is stored - * @param[in] bufsize Size of the buffer - * @return <0 for error, 0 for success - */ -extern int nr_dict_attr_2struct(DICT_ATTR *da, - unsigned int attr, unsigned int vendor, - char *buffer, size_t bufsize); - -/** Unused. \ngroup dict - * - */ -extern const DICT_VALUE *nr_dict_value_byattr(unsigned int attr, - unsigned int vendor, - int value); - -/** Unused. \ngroup dict - * - */ -const DICT_VALUE *nr_dict_value_byname(unsigned int attr, - unsigned int vendor, - const char *name); - -/** Look up a vendor in the dictionaries. \ingroup dict - * - * The dictionary mapping contains information about the vendor, such - * as printable name, VSA encoding method, etc. - * - * \attention There is usually no need to call this function. - * Applications do not need access to low-level RADIUS protocol - * information. - * - * @param[in] name Name of the vendor. - * @return NULL for "not found", or a pointer to the vendor mapping. - */ -extern int nr_dict_vendor_byname(const char *name); - -/** Look up an vendor in the dictionaries. \ingroup dict - * - * The dictionary mapping contains information about the vendor, such - * as printable name, VSA encoding method, etc. - * - * \attention There is usually no need to call this function. - * - * @param[in] vendor Vendor-Id (or Private Enterprise code) for the vendor. - * @return NULL for "not found", or a pointer to the vendor mapping. - */ -extern const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor); - -/** Static array of known vendors. \ingroup dict - * - * \attention This structure should only be accessed by internal RADIUS library - * functions. - */ -extern const DICT_VENDOR nr_dict_vendors[]; - -/** The number of attribute definitions in the dictionary. \ingroup dict - * - * This number is guaranteed to be at least 256, for speed. - * - * \attention This variable should only be accessed by internal RADIUS library - * functions. - */ -extern const int nr_dict_num_attrs; - -/** The list of attribute definitions. \ingroup dict - * - * The "standard" RFC attributes are located in the first 256 - * entries. Standard attributes without a dictionary definition are - * given an empty entry. - * - * The attributes are orderd by (vendor, attribute), in increasing - * order. This allows the dictionary lookups to find attributes by a - * binary search. - * - * \attention This variable should only be accessed by internal RADIUS library - * functions. - */ -extern const DICT_ATTR nr_dict_attrs[]; - -/** The number of attributes with names. \ingroup dict - * - * \attention This variable should only be accessed by internal RADIUS library - * functions. - */ -extern const int nr_dict_num_names; - -/** The list of attribute definitions, organized by name. \ingroup dict - * - * The attributes are orderd by name (case insensitive), in - * increasing order. This allows the dictionary lookups to find - * attributes by a binary search. - * - * \attention This variable should only be accessed by internal RADIUS library - * functions. - */ -extern const DICT_ATTR const *nr_dict_attr_names[]; - -/** Static array containing names the RADIUS_PACKET::code field. \ingroup dict - * - * The names are hard-coded and not in any dictionary because they do - * not change. - * - * The names are exported because they may be useful in your - * application. Packet codes which are not handled by the library - * have NULL for their names. - */ -extern const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1]; - -/** Verifies that a packet is "well formed". \ingroup packet - * - * This function performs basic validation to see if the packet is - * well formed. It is automatically called by nr_packet_decode(). - * - * @param[in] packet A pointer to the ::RADIUS_PACKET data. - * @return <0 means malformed, >= 0 means well-formed. - */ -extern int nr_packet_ok(RADIUS_PACKET *packet); - -/** Verifies that a packet is "well formed". \ingroup packet - * - * This function performs basic validation to see if the packet is - * well formed. You should normally use nr_packet_ok() instead of - * this function. - * - * @param[in] data A pointer to the raw packet data. - * @param[in] sizeof_data The length of the raw packet data - * @return <0 means malformed, >= 0 means well-formed. - */ -extern int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data); - -/** Encodes a packet. \ingroup packet - * - * This function encodes a packet using the fields of the - * ::RADIUS_PACKET structure. The RADIUS_PACKET::code and - * RADIUS_PACKET::id fields are used to fill in the relevant fields - * of the raw (encoded) packet. The RADIUS_PACKET::vps list is - * walked to encode the attributes. The packet is signed, if - * required. - * - * The raw packet is placed into the RADIUS_PACKET::data field, up to - * RADIUS_PACKET::sizeof_data bytes. the RADIUS_PACKET::length field - * is updated with the length of the raw packet. This field is - * always less than, or equal to, the RADIUS_PACKET::size_data field. - * If there is insufficient room to store all of the attributes, then - * some attributes are silently discarded. - * - * The RADIUS_PACKET::vector field is either calculated as part of - * the signing process, or is initialized by this function to be a - * random sequence of bytes. That field should therefore be left - * alone by the caller. - * - * When the encoding has been successful, it sets the - * RADIUS_PACKET::encoded field to non-zero. - * - * In addition, all required attribute "encryption" is performed. - * - * User-Password. The vp_strvalue field is assumed to contain the - * "clear-text" version of the password. The encrypted version is - * calculated, and placed in the packet. - * - * CHAP-Password. The vp_strvalue field is assumed to contain the - * "clear-text" version of the password. The encrypted version is - * calculated, and placed in the packet. If the RADIUS_PACKET::vps - * list contains a CHAP-Challenge attribute, it is used. Otherwise - * the RADIUS_PACKET::vector field is used a the challenge. - * - * Message-Authenticator. The contents of the Message-Authenticator - * in the RADIUS_PACKET::vps list are ignored. Instead, a - * "place-holder" is put into the packt. Tthe correct value is - * calculated and placed into the packet by nr_packet_sign(). - * - * The RADIUS_PACKET::vps list is left untouched by this function, - * even when attribute encryption or signing is performed. Any - * VALUE_PAIR structures can therefore be taken from static "const" - * variables. - * - * @param[in] packet The RADIUS packet to encode. - * @param[in] original The original request, when encoding a response. - * @return <0 on error, >= 0 on success. - */ -extern int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); - -/** Decodes a packet. \ingroup packet - * - * This function decodes a packet from the RADIUS_PACKET::data field - * into a sequence of ::VALUE_PAIR structures in the - * RADIUS_PACKET::vps list. - * - * @param[in] packet The RADIUS packet to decode. - * @param[in] original The original request, when decoding a response. - * @return <0 on error, >= 0 on success. - */ -extern int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); - -/** Signs a packet so that it can be sent. \ingroup packet - * - * This function calculates the Message-Authenticator (if required), - * and signs the packet. - * - * @param[in] packet The RADIUS packet to sign. - * @param[in] original The original request, when signing a response. - * @return <0 on error, >= 0 on success. - */ -extern int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original); - -/** Verifies that a packet is well-formed and contains the correct signature. \ingroup packet - * - * If "original" is specified, it also verifies that the packet is a - * response to the original request, and that it has the correct - * signature. - * - * @param[in] packet The RADIUS packet to verify. - * @param[in] original The original request, when verifying a response. - * @return <0 on error, >= 0 on success. - */ -extern int nr_packet_verify(RADIUS_PACKET *packet, - const RADIUS_PACKET *original); - -/** Pretty-prints a hex dump of a RADIUS packet. \ingroup packet print - * - * This function is available only in debugging builds of the - * library. It is useful during development, but should not be used - * in a production system. - * - * The packet headers are printed individually, and each attribute is - * printed as "type length data..." - * - * @param[in] packet The RADIUS packet to print - */ -extern void nr_packet_print_hex(RADIUS_PACKET *packet); - - -/** Return the given number of random bytes. \ingroup custom - * - * This function should be replaced by one that is specific to your - * system. - * - * This is a wrapper function which enables the library to be more - * portable. - * - * @param[in] data Location where the random bytes will be stored - * @param[in] data_len Number of bytes to store - * @return <0 on error, or the total number of bytes stored. - */ -extern ssize_t nr_rand_bytes(uint8_t *data, size_t data_len); - -/** Return a random 32-bit integer. \ingroup custom - * - * This function should be replaced by one that is specific to your - * system. The version supplied here just calls nr_rand_bytes() each - * time, which is slow. - * - * This is a wrapper function which enables the library to be more - * portable. - * - * @return An unsigned 32-bit random integer. - */ -extern uint32_t nr_rand(void); - -/** Add a time to the given ::struct timeval. \ingroup custom - * - * This is a wrapper function which enables the library to be more - * portable. - * - * @param[in,out] t The timeval to which the time is added. - * @param[in] seconds Time in seconds to add - * @param[in] usec Time in microseconds to add - */ -extern void nr_timeval_add(struct timeval *t, unsigned int seconds, - unsigned int usec); - -/** Compare two times. \ingroup custom - * - * This is a wrapper function which enables the library to be more - * portable. - * - * @param[in] a One timeval - * @param[in] b Another one - * @return a <=> b - */ -extern int nr_timeval_cmp(const struct timeval *a, const struct timeval *b); - -/** Initializes an ::nr_server_t. \ingroup id - * - * @param[in,ut] s The ::nr_server_t to initialize - * @param[in] code The packet code used for packets sent to this server - * @param[in] secret The shared secret used for packet sent to this server - * @return <0 for error, >= 0 for success - */ -extern int nr_server_init(nr_server_t *s, int code, const char *secret); - -/** Closes an ::nr_server_t data structure. \ingroup id - * - * Ensures that all IDs are free, and closes the socket. - * - * @param[in] s The server structure to close. - * @return <0 for error, 0 for success - */ -extern int nr_server_close(const nr_server_t *s); - -/** Allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id - * - * This function allocates a RADIUS_PACKET::id from the ::nr_server_t - * structure. It also fills in the RADIUS_PACKET::sockfd, - * RADIUS_PACKET::code, and RADIUS_PACKET::dst fields. - * - * @param[in] s The server structure which tracks the ID - * @param[in] packet The packet which needs an ID - * @return <0 for error, 0 for success - */ -extern int nr_server_id_alloc(nr_server_t *id, RADIUS_PACKET *packet); - -/** Re-allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id - * - * It is used when retransmitting an Accounting-Request packet to a - * server, after updating the Acct-Delay-Time field. The "realloc" - * name means that the new ID is allocated, and is guaranteed to be - * different from the old one. - * - * @param[in] s The server structure which tracks the ID - * @param[in] packet The packet which needs a new ID - * @return <0 for error, 0 for success - */ -extern int nr_server_id_realloc(nr_server_t *id, RADIUS_PACKET *packet); - -/** Free a RADIUS_PACKET::id value after sending a packet to a server. \ingroup id - * - * @param[in] s The server structure which tracks the ID - * @param[in] packet The packet which has an ID, and wants to free it - * @return <0 for error, 0 for success - */ -extern int nr_server_id_free(nr_server_t *id, RADIUS_PACKET *packet); - - -/** Allocates a packet using malloc(), and initializes it. \ingroup id - * - * @param[in] s The server structure - * @param[in,out] packet_p Pointer to the ::RADIUS_PACKET to be allocated - * @return <0 for error, 0 for success - */ -extern int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p); - -/** Record a humanly readable error message. \ingroup error - * - * \attention This structure should only be accessed by internal - * RADIUS library functions. - * - * @param[in] fmt The format to use. - */ -extern void nr_strerror_printf(const char *fmt, ...); - -#ifndef NDEBUG -#define nr_debug_error nr_strerror_printf /** \ingroup error */ -#else -#define nr_debug_error if (0) nr_strerror_printf -#endif - -/** Encrypts or decrypts a User-Password attribute. \ingroup internal - * - * \attention This structure should only be accessed by internal - * RADIUS library functions. - * - * @param[out] output Buffer where the password is stored - * @param[out] outlen Size of the output buffer - * @param[in] input Input buffer with password - * @param[in] inlen Length of the input buffer - * @param[in] secret The shared secret - * @param[in] vector Authentication vector - * @return <0 on error, or the length of data in "output" - */ -extern ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector); - -/** Encrypts a Tunnel-Password attribute. \ingroup internal - * - * \attention This structure should only be accessed by internal - * RADIUS library functions. - * - * @param[out] output Buffer where the password is stored - * @param[out] outlen Size of the output buffer - * @param[in] input Input buffer with password - * @param[in] inlen Length of the input buffer - * @param[in] secret The shared secret - * @param[in] vector Authentication vector - * @return <0 on error, or the length of data in "output" - */ -extern ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector); - -/** Decrypts a Tunnel-Password attribute. \ingroup internal - * - * - * \attention This structure should only be accessed by internal - * RADIUS library functions. - * - * @param[out] output Buffer where the password is stored - * @param[out] outlen Size of the output buffer - * @param[in] input Input buffer with password - * @param[in] inlen Length of the input buffer - * @param[in] secret The shared secret - * @param[in] vector Authentication vector - * @return <0 on error, or the length of data in "output" - */ -extern ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector); - -/** Calculates an HMAC-MD5. \ingroup internal - * - * @param[in] data Data to be hashed - * @param[in] data_len Length of data to be hashed - * @param[in] key Key for the HMAC - * @param[in] key_len Length of the key - * @param[out] digest - */ -extern void nr_hmac_md5(const uint8_t *data, size_t data_len, - const uint8_t *key, size_t key_len, - uint8_t digest[16]); - -/** Checks if a TLV is properly formatted. \ingroup internal - * - * \attention This structure should only be accessed by internal - * RADIUS library functions. - * - * @param[in] data Data to check - * @param[in] length Length of the data field - * @param[in] dv_type Length of the TLV "type" field - * @param[in] dv_length Length of the TLV "length" field - * @return <0 on error, 0 for "TLV is OK" - */ -extern int nr_tlv_ok(const uint8_t *data, size_t length, - size_t dv_type, size_t dv_length); - -/** A callback function used by nr_packet_walk(). \ingroup packet - * - * The function should return 0 on success (i.e. keep walking), and - * otherwise a negative number indicating an error code - * (::nr_error_t). That negative number will be used as the return - * code for nr_packet_walk(). - */ -typedef int (*nr_packet_walk_func_t)(void *, const DICT_ATTR *, const uint8_t *, size_t); - -/** Walks over all attributes in a packet. \ingroup packet - * - * This function is an iterator which calls a user-supplied callback - * function for each attribute in the packet. It should be used - * instead of manually walking over the attributes. There are a - * number of odd corner cases when handling Vendor-Specific - * attributes, and it is easy to get those corner cases wrong. - * - * This function iterates over *all* attributes, including nested - * VSAs. That is its main value. - * - * Encrypted attributes such as User-Password are not decrypted. - * - * @param[in] packet The packet containing the data - * @param[in] ctx A user-supplied context. May be NULL - * @param[in] callback The callback function where the information is passed. - * - * @return <0 for error, - * 0 for success. - */ -extern int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, - nr_packet_walk_func_t callback); - -/** Initialize a packet - * - * If original is specified, the packet is initialized as a response - * to the original request. - * - * @param[in,out] packet The packet to initialize - * @param[in] original The original request (if any) to use as a template - * @param[in] secret Shared secret - * @param[in] code RADIUS Code field. - * @param[in] data Buffer where packets will be stored (RADIUS_PACKET::data) - * @param[in] sizeof_data Size of buffer (RADIUS_PACKET::sizeof_data) - * @return <0 on error, 0 for success. - */ -extern int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const char *secret, int code, - void *data, size_t sizeof_data); - -/** Add one attribute to the packet. - * - * This function can be used to add "raw" data to a packet. It - * allows the caller to extend the RADIUS packet without using a - * ::VALUE_PAIR data structure. - * - * Some attributes are handled specially by this function. - * - * EAP-Message. This attribute is automatically split into 253-octet - * chunks. - * - * User-Password, CHAP-Password, and Message-Authenticator. These - * attributes are automatically encrypted, as is done by - * nr_packet_encode(). - * - * @param[in] packet The packet to edit - * @param[in] original The original request (if any) - * @param[in] da Pointer to the attribute definition - * @param[in] data Data to append to the packet - * @param[in] data_len Length of data to append to the packet - * - * @return <0 for error, >= 0 for "successfully appended data" - * The function returns the number of octets appended to the packet. - */ -extern ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const DICT_ATTR *da, - const void *data, size_t data_len); - - -/** Encodes any ::VALUE_PAIR into an attribute. \ingroup attr - * - * This function can be called for any ::VALUE_PAIR. It will examine - * that structure, and call one of nr_vp2rfc() or nr_vp2vsa() as - * necessary. - * - * \attention This function should not be called. - * - * @param[in] packet Where to place the encoded attribute. - * @param[in] original The original request (optional), if "packet" is a response - * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. - * @param[in] data Where the attribute is to be encoded. - * @param[in] room How many octets are available for attribute encoding. - * - * @return <0 for error, or the number of octets used to encode the attribute. - */ -extern ssize_t nr_vp2attr(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, uint8_t *data, size_t room); - -/** Encodes an RFC "standard" ::VALUE_PAIR into an attribute. \ingroup attr - * - * \attention This function should not be called. - * - * @param[in] packet Where to place the encoded attribute. - * @param[in] original The original request (optional), if "packet" is a response - * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. - * @param[in] data Where the attribute is to be encoded. - * @param[in] room How many octets are available for attribute encoding. - * - * @return <0 for error, or the number of octets used to encode the attribute. - */ -extern ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, - uint8_t *data, size_t room); - -/** Decodes any attribute into a ::VALUE_PAIR. \ingroup attr - * - * \attention This function should not be called. - * - * @param[in] packet The packet containing the attribute to be decoded. - * @param[in] original The original request (optional), if "packet" is a response - * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. - * @param[in] data Where the attribute is to be encoded. - * @param[in] length How many octets are available for attribute decoding. - * - * @return <0 for error, or the number of octets used to decode the attribute. - */ -extern ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp); - -/** Decodes an RFC "standard" attribute into a ::VALUE_PAIR. \ingroup attr - * - * \attention This function should not be called. - * - * @param[in] packet The packet containing the attribute to be decoded. - * @param[in] original The original request (optional), if "packet" is a response - * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. - * @param[in] data Where the attribute is to be encoded. - * @param[in] length How many octets are available for attribute decoding. - * - * @return <0 for error, or the number of octets used to decode the attribute. - */ -extern ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp); - -/** Decodes a Vendor-Specific attribute into a ::VALUE_PAIR. \ingroup attr - * - * \attention This function should not be called. - * - * @param[in] packet The packet containing the attribute to be decoded. - * @param[in] original The original request (optional), if "packet" is a response - * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. - * @param[in] data Where the attribute is to be encoded. - * @param[in] length How many octets are available for attribute decoding. - * - * @return <0 for error, or the number of octets used to decode the attribute. - */ -extern ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp); - -/** Decodes an attribute with an unexpected length into a ::VALUE_PAIR. \ingroup attr - * - * \attention This function should not be called. - * - * @param[in] packet The packet containing the attribute to be decoded. - * @param[in] original The original request (optional), if "packet" is a response - * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. - * @param[in] data Where the attribute is to be encoded. - * @param[in] length How many octets are available for attribute decoding. - * - * @return <0 for error, or the number of octets used to decode the attribute. - */ -extern ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const uint8_t *data, size_t length, - VALUE_PAIR **pvp); - -/** Encodes a Vendor-Specific ::VALUE_PAIR into an attribute. - * - * \attention This function should not be called. - * - * @param[in] packet Where to place the encoded attribute. - * @param[in] original The original request (optional), if "packet" is a response - * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. - * @param[in] data Where the attribute is to be encoded. - * @param[in] room How many octets are available for attribute encoding. - * - * @return <0 for error, or the number of octets used to encode the attribute. - */ -extern ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const VALUE_PAIR **pvp, uint8_t *data, - size_t room); - -/** Returns raw data from the RADIUS packet, for a given attribute. \ingroup attr - * - * This function can be called repeatedly to find all instances of a - * given attribute. The first time it is called, the "start" - * parameter should be zero. If the function returns a non-zero - * positive number, it means that there *may* be more attributes - * available. The returned value should be then passed via the - * "start" option in any subsequent calls to the function. - * - * This function should be called by an application when it wants - * access to data which is not in the pre-defined dictionaries. - * - * @param[in] packet The packet containing the attribute. - * @param[in] start Where in the packet we start searching for the attribute. - * @param[in] attr Value of the attribute to search for - * @param[in] vendor Value of the vendor (use 0 for IETF attributes) - * @param[out] pdata Pointer to the data. If no data was found, the pointer is unchanged. - * @param[out] plength Length of the data. If no data was found, the value pointed to is unchanged. - * - * @return <0 for error, - * 0 for "no attribute found, stop searching" - * >0 offset where the attribute was found. - */ -extern ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, - unsigned int attr, unsigned int vendor, - const uint8_t **pdata, size_t *plength); - -/** Pretty-print the entire ::VALUE_PAIR \ingroup print - * - * All data is printed in ASCII format. The data type of "octets" is - * printed as a hex string (e.g. 0xabcdef01...). The data type of - * "ipaddr" is printed as a dotted-quad (e.g. 192.0.2.15). - * - * The format is "Attribute-Name = value" - * - * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored - * @param[in] bufsize size of the output buffer - * @param[in] vp ::VALUE_PAIR to print - * @return length of data in buffer - */ -extern size_t nr_vp_snprintf(char *buffer, size_t bufsize, const VALUE_PAIR *vp); - -/** Pretty-print the VALUE_PAIR::data field \ingroup print - * - * Prints the value of a ::VALUE_PAIR, without the name or "=" sign. - * - * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored - * @param[in] bufsize size of the output buffer - * @param[in] vp ::VALUE_PAIR to print - * @return length of data in buffer - */ -extern size_t nr_vp_snprintf_value(char *buffer, size_t bufsize, const VALUE_PAIR *vp); - -/** Prints a list of :VALUE_PAIR structures to the given output. \ingroup print - * - * @param[in] fp Where to print the results - * @param[in] vps Linked list of ::VALUE_PAIR to print - */ -extern void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps); - -/** Scan a string into a ::VALUE_PAIR. The counterpart to - * nr_vp_snprintf_value() \ingroup print - * - * @param[in] string Printable version of the ::VALUE_PAIR - * @param[out] pvp Newly allocated ::VALUE_PAIR - * @return <0 on error, 0 for success. - */ -extern int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp); - -/** Scan the data portion of a ::VALUE_PAIR. The counterpart to - * nr_vp_snprintf_value() \ingroup print - * - * @param[in,out] vp The ::VALUE_PAIR where the data will be stored - * @param[in] value The string version of the data to be parsed - * @return <0 on error, >=0 for the number of characters parsed in value. - */ -extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value); - -#if defined(__GNUC__) -# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1))) -# define NEVER_RETURNS __attribute__ ((noreturn)) -# define UNUSED __attribute__ ((unused)) -# define BLANK_FORMAT " " /* GCC_LINT whines about empty formats */ -#else - -/** Macro used to quiet compiler warnings inside of the library. \ingroup build - * - */ -# define PRINTF_LIKE(n) - -/** Macro used to quiet compiler warnings inside of the library. \ingroup build - * - */ -# define NEVER_RETURNS - -/** Macro used to quiet compiler warnings inside of the library. \ingroup build - * - */ -# define UNUSED - -/** Macro used to quiet compiler warnings inside of the library. \ingroup build - * - */ -# define BLANK_FORMAT "" -#endif - -#endif /* _RADIUS_CLIENT_H_ */ diff --git a/lib/radius/common.pl b/lib/radius/common.pl deleted file mode 100644 index 7042fe5..0000000 --- a/lib/radius/common.pl +++ /dev/null @@ -1,220 +0,0 @@ -###################################################################### -# Copyright (c) 2011, Network RADIUS SARL -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the -# names of its contributors may be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -###################################################################### -our %attributes; -our %vendor; -our %vendorpec; -our $begin_vendor = 0; - -$vendorpec{'0'} = "IETF"; - -sub do_file() -{ - my $filename = shift; - my $fh; - - $dir = $filename; - $dir =~ s:/[^/]+?$::; - $lineno = 0; - - open $fh, "<$filename" or die "Failed to open $filename: $!\n"; - - while (<$fh>) { - $lineno++; - next if (/^\s*#/); - next if (/^\s*$/); - s/#.*//; - s/\s+$//; - - next if ($_ eq ""); - - # - # Remember the vendor - # - if (/^VENDOR\s+([\w-]+)\s+(\w+)(.*)/) { - my $me = $1; - - $vendor{$me}{'pec'} = $2; - $vendorpec{$2} = $me; - - $vendor{$me}{'type'} = 1; - $vendor{$me}{'length'} = 1; - - if ($3) { - $format=$3; - $format =~ s/^\s+//; - - if ($format !~ /^format=(\d+),(\d+)$/) { - die "Unknown format $format\n"; - } - $vendor{$me}{'type'} = $1; - $vendor{$me}{'length'} = $2; - } - next; - } - - # - # Remember if we did begin-vendor. - # - if (/^BEGIN-VENDOR\s+([\w-]+)/) { - if (!defined $vendor{$1}) { - die "Unknown vendor $1\n"; - } - $begin_vendor = $vendor{$1}{'pec'}; - next; - } - - # - # Remember if we did this. - # - if (/^END-VENDOR/) { - $begin_vendor = 0; - next; - } - - # - # Get attribute. - # - if (/^ATTRIBUTE\s+([\w-\/.]+)\s+(\w+)\s+(\w+)(.*)/) { - $name=$1; - $value = $2; - $type = $3; - $stuff = $4; - - $value =~ tr/[A-F]/[a-f]/; # normal form for hex - $value =~ tr/X/x/; - - if ($value =~ /^0x/) { - $index = hex $value; - } else { - $index = $value; - } - - next if (($begin_vendor == 0) && ($index > 255)); - - $index += ($begin_vendor << 16); - - $attributes{$index}{'name'} = $name; - $attributes{$index}{'value'} = $value; - if ($begin_vendor ne "") { - $attributes{$index}{'vendor'} = $begin_vendor; - } - - $type =~ tr/a-z/A-Z/; - $attributes{$index}{'type'} = "RS_TYPE_$type"; - - $stuff =~ s/^\s*//; - - if ($stuff) { - foreach $text (split /,/, $stuff) { - if ($text eq "encrypt=1") { - $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_USER_PASSWORD"; - } elsif ($text eq "encrypt=2") { - $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_TUNNEL_PASSWORD"; - - } elsif ($text eq "encrypt=3") { - $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_ASCEND_SECRET"; - - } elsif ($text eq "has_tag") { - $attributes{$index}{'flags'}{'has_tag'} = "1"; - - } elsif ($text =~ /\[(\d+)\]/) { - $attributes{$index}{'flags'}{'length'} = $1; - - } else { - die "$filename: $lineno - Unknown flag $text\n"; - } - } - } - - if ($type eq "BYTE") { - $attributes{$index}{'flags'}{'length'} = "1"; - - } elsif ($type eq "SHORT") { - $attributes{$index}{'flags'}{'length'} = "2"; - - } elsif ($type eq "INTEGER") { - $attributes{$index}{'flags'}{'length'} = "4"; - - } elsif ($type eq "IPADDR") { - $attributes{$index}{'flags'}{'length'} = "4"; - - } elsif ($type eq "DATE") { - $attributes{$index}{'flags'}{'length'} = "4"; - - } elsif ($type eq "IFID") { - $attributes{$index}{'flags'}{'length'} = "8"; - - } elsif ($type eq "IPV6ADDR") { - - $attributes{$index}{'flags'}{'length'} = "16"; - } - - $name2val{$name} = $index; - next; - } - - # - # Values. - # - if (/^VALUE\s+([\d\w-\/.]+)\s+([\w-\/,.+]+)\s+(\w+)(.*)/) { - next; - - $attr = $1; - $name = $2; - $value = $3; - $stuff = $d; - - $value =~ tr/[A-F]/[a-f]/; # normal form for hex - $value =~ tr/X/x/; - - if ($value =~ /^0x/) { - $index = hex $value; - } else { - $index = $value; - } - - if (!defined $name2val{$attr}) { - print "# FIXME: FORWARD REF?\nVALUE $attr $name $value$stuff\n"; - next; - } - - $values{$name2val{$attr}}{$index} = "$attr $name $value$stuff"; - next; - } - - if (/^\$INCLUDE\s+(.*)$/) { - do_file("$dir/$1"); - next; - } - - die "unknown text in line $lineno of $filename: $_\n"; - } - - close $fh; -} - -1; diff --git a/lib/radius/convert.pl b/lib/radius/convert.pl deleted file mode 100755 index 7ca424e..0000000 --- a/lib/radius/convert.pl +++ /dev/null @@ -1,197 +0,0 @@ -#!/usr/bin/env perl -###################################################################### -# Copyright (c) 2011, Network RADIUS SARL -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the -# names of its contributors may be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -###################################################################### -# -# Converts dictionaries to C structures. Does not yet do "VALUE"s. -# -# Usage: ./convert.pl dictionary ... -# -# Reads input dictionaries, and outputs "radius.h" and "dictionaries.c" -# -# $Id$ -# -require "common.pl"; - -# -# Read all of the dictionaries -# -while (@ARGV) { - $filename = shift; - do_file($filename); -} - -# -# For speed, the dictionary data structures have the first 256 -# attributes at fixed offsets in the array. If the user didn't -# define them, then we set them here to be "raw" or unknown. -# -foreach $attr_val (0..255) { - next if defined $attributes{$attr_val}; - - $attributes{$attr_val}{'raw'} = 1; -} - -if (scalar keys %attributes == 0) { - die "No attributes were defined\n"; -} - - -open DICT, ">dictionaries.c" or die "Failed creating dictionaries.c: $!\n"; - -# -# Print out the data structues for the vendors. -# -if (scalar keys %vendor > 0) { - print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n"; - foreach $v (sort keys %vendor) { - print DICT " { \n"; - print DICT " " . $vendor{$v}{'pec'} . ", \n"; - print DICT " " . $vendor{$v}{'type'} . ",\n"; - print DICT " " . $vendor{$v}{'length'} . ",\n"; - print DICT " \"" . $v, "\"\n"; - print DICT " },\n"; - } - print DICT " { \n"; - print DICT " 0,\n"; - print DICT " 0,\n"; - print DICT " 0,\n"; - print DICT " NULL\n"; - print DICT " },\n"; - print DICT "};\n\n"; -} - -# needed for later. -$vendor{""}{'pec'} = 0; - -sub printAttrFlag -{ - my $tmp = $attributes{$attr_val}{'flags'}{$_[0]}; - - if (!$tmp) { - $tmp = 0; - } - - print DICT $tmp . ", "; -} - -# -# Print DICT out the attributes sorted by number. -# -my $offset = 0; -my $num_names = 0; -print DICT "const DICT_ATTR nr_dict_attrs[] = {\n"; -foreach $attr_val (sort {$a <=> $b} keys %attributes) { - print DICT " { /* $offset */ \n"; - - if (defined $attributes{$attr_val}{'raw'}) { - print DICT " 0\n", - } else { - print DICT " ", $attributes{$attr_val}{'value'}, ", \n"; - print DICT " ", $attributes{$attr_val}{'type'}, ", \n"; - print DICT " ", $attributes{$attr_val}{'vendor'}, ", \n"; - print DICT " { "; - &printAttrFlag('has_tag'); - &printAttrFlag('unknown'); -# &printAttrFlag('has_tlv'); -# &printAttrFlag('is_tlv'); - &printAttrFlag('extended'); - &printAttrFlag('extended_flags'); - &printAttrFlag('evs'); - &printAttrFlag('encrypt'); - &printAttrFlag('length'); - print DICT "},\n"; - print DICT " \"", $attributes{$attr_val}{'name'}, "\", \n"; - $num_names++; - } - - $attributes{$attr_val}{'offset'} = $offset++; - - print DICT " },\n"; - -} -print DICT "};\n\n"; - -print DICT "const int nr_dict_num_attrs = ", $offset - 1, ";\n\n"; -print DICT "const int nr_dict_num_names = ", $num_names - 1, ";\n\n"; - -my $offset = 0; -print DICT "const DICT_ATTR *nr_dict_attr_names[] = {\n"; -foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'name'})} keys %attributes) { - next if (defined $attributes{$attr_val}{'raw'}); - - print DICT " &nr_dict_attrs[", $attributes{$attr_val}{'offset'}, "], /* ", $attributes{$attr_val}{'name'}, " */\n"; -} - -print DICT "};\n\n"; -close DICT; - -open HDR, ">../include/radsec/radius.h" or die "Failed creating radius.c: $!\n"; - -print HDR "/* Automatically generated file. Do not edit */\n\n"; - -foreach $v (sort keys %vendor) { - next if ($v eq ""); - - $name = $v; - $name =~ tr/a-z/A-Z/; # uppercase - $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ - - print HDR "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; -} -print HDR "\n"; - -$begin_vendor = -1; -foreach $attr_val (sort {$a <=> $b} keys %attributes) { - next if (defined $attributes{$attr_val}{'raw'}); - - if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { - print HDR "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; - $begin_vendor = $attributes{$attr_val}{'vendor'}; - } - - $name = $attributes{$attr_val}{'name'}; - $name =~ tr/a-z/A-Z/; - $name =~ tr/A-Z0-9/_/c; - - print HDR "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; -} -print HDR "\n"; - -print HDR "/* Fixed offsets to dictionary definitions of attributes */\n"; -foreach $attr_val (sort {$a <=> $b} keys %attributes) { - next if (defined $attributes{$attr_val}{'raw'}); - - $name = $attributes{$attr_val}{'name'}; - $name =~ tr/a-z/A-Z/; - $name =~ tr/-/_/; - - print HDR "#define RS_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n"; -} - -print HDR "/* Automatically generated file. Do not edit */\n"; - -close HDR; diff --git a/lib/radius/crypto.c b/lib/radius/crypto.c deleted file mode 100644 index 21cc7d0..0000000 --- a/lib/radius/crypto.c +++ /dev/null @@ -1,233 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file crypto.c - * \brief Data obfuscation and signing, using MD5. - * - * The "encryption" methods defined here are export-safe. The - * technical cryptography name for these functions is "obfuscation". - * They cannot properly be called "encryption", in the same way that - * DES or AES performs encryption. - */ - -/** \cond PRIVATE */ - -#include "client.h" - - -ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector) -{ - size_t i, j, len; - uint8_t digest[16]; - RS_MD5_CTX ctx, secret_ctx; - - if (!output || (outlen < 16) || !input || (inlen == 0) || - !secret || !vector) { - return -RSE_INVAL; - } - - len = inlen; - if (len > 128) return -RSE_ATTR_OVERFLOW; - - len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */ - - if (outlen < len) return -RSE_ATTR_OVERFLOW; - - memcpy(output, input, len); - memset(output + len, 0, 128 - len); - - RS_MD5Init(&secret_ctx); - RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); - - for (j = 0; j < len; j += 16) { - ctx = secret_ctx; - - if (j == 0) { - RS_MD5Update(&ctx, vector, 16); - RS_MD5Final(digest, &ctx); - } else { - RS_MD5Update(&ctx, &output[j - 16], 16); - RS_MD5Final(digest, &ctx); - } - - for (i = 0; i < 16; i++) { - output[i + j] ^= digest[i]; - } - } - - return len; -} - -#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD -ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector) -{ - size_t i, j, len; - RS_MD5_CTX ctx, secret_ctx; - uint8_t digest[16]; - - if (!output || (outlen < 18) || !input || (inlen == 0) || - !secret || !vector) { - return -RSE_INVAL; - } - - len = ((inlen + 1) + 0x0f) & ~0x0f; - if (len > 251) return -RSE_ATTR_OVERFLOW; - - output[0] = (nr_rand() & 0xff) | 0x80; - output[1] = nr_rand() & 0xff; - output[2] = inlen; - - memcpy(output + 3, input, inlen); - memset(output + 3 + inlen, 0, len - inlen - 1); - - RS_MD5Init(&secret_ctx); - RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); - - for (j = 0; j < len; j += 16) { - ctx = secret_ctx; - - if (j == 0) { - RS_MD5Update(&ctx, vector, 16); - RS_MD5Update(&ctx, output, 2); - RS_MD5Final(digest, &ctx); - } else { - RS_MD5Update(&ctx, &output[j + 2 - 16], 16); - RS_MD5Final(digest, &ctx); - } - - for (i = 0; i < 16; i++) { - output[i + j + 2] ^= digest[i]; - } - } - - return len + 2; -} - -ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, - const uint8_t *input, size_t inlen, - const char *secret, const uint8_t *vector) -{ - size_t i, j, len, encoded_len; - RS_MD5_CTX ctx, secret_ctx; - uint8_t digest[16]; - - if (!output || (outlen < 1) || !input || (inlen < 2) || - !secret || !vector) { - return -RSE_INVAL; - } - - if (inlen <= 3) { - output[0] = 0; - return 0; - } - - len = inlen - 2; - - if (outlen < (len - 1)) return -RSE_ATTR_OVERFLOW; - - RS_MD5Init(&secret_ctx); - RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); - - ctx = secret_ctx; - - RS_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */ - RS_MD5Update(&ctx, input, 2); - RS_MD5Final(digest, &ctx); - - encoded_len = input[2] ^ digest[0]; - if (encoded_len >= len) { - return -RSE_ATTR_TOO_LARGE; - } - - for (i = 0; i < 15; i++) { - output[i] = input[i + 3] ^ digest[i + 1]; - } - - for (j = 16; j < len; j += 16) { - ctx = secret_ctx; - - RS_MD5Update(&ctx, input + j - 16 + 2, 16); - RS_MD5Final(digest, &ctx); - - for (i = 0; i < 16; i++) { - output[i + j - 1] = input[i + j + 2] ^ digest[i]; - } - - - } - - output[encoded_len] = '\0'; - return encoded_len; -} -#endif - -void -nr_hmac_md5(const uint8_t *data, size_t data_len, - const uint8_t *key, size_t key_len, - uint8_t digest[16]) -{ - size_t i; - uint8_t k_ipad[64]; - uint8_t k_opad[64]; - uint8_t tk[16]; - RS_MD5_CTX ctx; - - if (key_len > 64) { - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, key, key_len); - RS_MD5Final(tk, &ctx); - - key = tk; - key_len = 16; - } - - memset(k_ipad, 0, sizeof(k_ipad)); - memset(k_opad, 0, sizeof(k_opad)); - memcpy(k_ipad, key, key_len); - memcpy(k_opad, key, key_len); - - for (i = 0; i < sizeof(k_ipad); i++) { - k_ipad[i] ^= 0x36; - k_opad[i] ^= 0x5c; - } - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, k_ipad, sizeof(k_ipad)); - RS_MD5Update(&ctx, data, data_len); - RS_MD5Final(digest, &ctx); - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, k_opad, sizeof(k_opad)); - RS_MD5Update(&ctx, digest, 16); - RS_MD5Final(digest, &ctx); -} - -/** \endcond */ diff --git a/lib/radius/custom.c b/lib/radius/custom.c deleted file mode 100644 index 917939a..0000000 --- a/lib/radius/custom.c +++ /dev/null @@ -1,163 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* - * Copyright (c) 2006 Kungliga Tekniska HAÎåÎÝgskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/** \file custom.c - * \brief Functions which should be customized for your local system. - */ - -#include "client.h" - -#include -#include - -#ifdef WIN32 -#include - -volatile static HCRYPTPROV nr_cryptprovider = 0; - -static HCRYPTPROV -nr_CryptProvider(void) -{ - BOOL rv; - HCRYPTPROV cryptprovider = 0; - - if (nr_cryptprovider != 0) - return nr_cryptprovider; - - rv = CryptAcquireContext(&cryptprovider, NULL, - MS_ENHANCED_PROV, PROV_RSA_FULL, - 0); - - if (GetLastError() == NTE_BAD_KEYSET) { - if(!rv) - rv = CryptAcquireContext(&cryptprovider, NULL, - MS_ENHANCED_PROV, PROV_RSA_FULL, - CRYPT_NEWKEYSET); - } - - if (rv && - InterlockedCompareExchangePointer((PVOID *) &nr_cryptprovider, - (PVOID) cryptprovider, 0) != 0) { - - CryptReleaseContext(cryptprovider, 0); - cryptprovider = nr_cryptprovider; - } - - return cryptprovider; -} - -ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) -{ - if (CryptGenRandom(nr_CryptProvider(), data_len, data)) - return 0; - return data_len; -} -#else -ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) -{ - static int fd = -1; - - if (fd < 0) { - fd = open("/dev/urandom", O_RDONLY); - if (fd < 0) { - nr_strerror_printf("Error opening randomness: %s", - strerror(errno)); - return 0; - } - } - - return read(fd, data, data_len); -} -#endif /* WIN32 */ - -uint32_t nr_rand(void) -{ - uint32_t lvalue; - - nr_rand_bytes((void *)&lvalue, sizeof(lvalue)); - return lvalue; -} - - -#ifndef USEC -#define USEC (1000000) -#endif - -void nr_timeval_add(struct timeval *t, unsigned int seconds, unsigned int usec) -{ - t->tv_sec += seconds; - t->tv_sec += usec / USEC; - t->tv_usec += usec % USEC; - if (t->tv_usec > USEC) { - t->tv_sec++; - t->tv_usec -= USEC; - } -} - -int nr_timeval_cmp(const struct timeval *a, const struct timeval *b) -{ - if (a->tv_sec > b->tv_sec) return +1; - if (a->tv_sec < b->tv_sec) return -1; - - if (a->tv_usec > b->tv_usec) return +1; - if (a->tv_usec < b->tv_usec) return -1; - - return 0; -} - diff --git a/lib/radius/dict.c b/lib/radius/dict.c deleted file mode 100644 index fc04ee2..0000000 --- a/lib/radius/dict.c +++ /dev/null @@ -1,172 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "client.h" -#include - -/** \file dict.c - * \brief Functions for name to number, and number to name mappings. - */ - -const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor) -{ - int start, half, end; - - if (!vendor && (attr > 0) && (attr < 256)) { - if (nr_dict_attrs[attr].name) { - return &nr_dict_attrs[attr]; - } - return NULL; - } - - if (!vendor) return NULL; /* no "non-protocol" attributes */ - - start = 256; /* first 256 entries are "standard" ones */ - end = nr_dict_num_attrs; - - do { - half = (start + end) / 2; - - if ((nr_dict_attrs[half].vendor == vendor) && - (nr_dict_attrs[half].attr == attr)) { - return &nr_dict_attrs[half]; - } - - if ((vendor >= nr_dict_attrs[half].vendor) && - (attr > nr_dict_attrs[half].attr)) { - start = half + 1; - } else { - end = half - 1; - } - - } while (start <= end); - - return NULL; -} - -const DICT_ATTR *nr_dict_attr_byname(const char *name) -{ - int start, half, end; - - start = 1; - end = nr_dict_num_names; - - if (!name || !*name) return NULL; - - do { - int rcode; - - half = (start + end) / 2; - - rcode = strcasecmp(name, nr_dict_attr_names[half]->name); - if (rcode == 0) return nr_dict_attr_names[half]; - - if (rcode > 0) { - start = half + 1; - } else { - end = half - 1; - } - - - } while (start <= end); - - return NULL; -} - -int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor, - char *buffer, size_t bufsize) -{ - if (!da || !buffer) return -RSE_INVAL; - - if (!vendor) { - if (attr > 256) return -RSE_INVAL; - - } else if (vendor > (1 << 24)) { - return -RSE_INVAL; - } - - memset(da, 0, sizeof(*da)); - da->attr = attr; - da->flags.unknown = 1; - da->type = RS_TYPE_OCTETS; - da->vendor = vendor; - - if (da->vendor) { - snprintf(buffer, bufsize, "Attr-26.%u.%u", - vendor, attr); - } else { - snprintf(buffer, bufsize, "Attr-%u", attr); - } - da->name = buffer; - - return 0; -} - - -const DICT_VALUE *nr_dict_value_byattr(UNUSED unsigned int attr, - UNUSED unsigned int vendor, - UNUSED int value) -{ - return NULL; -} - -const DICT_VALUE *nr_dict_value_byname(UNUSED unsigned int attr, - UNUSED unsigned int vendor, - UNUSED const char *name) -{ - return NULL; -} - -int nr_dict_vendor_byname(const char *name) -{ - const DICT_VENDOR *dv; - - if (!name || !*name) return 0; - - /* - * O(n) lookup. - */ - for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { - if (strcasecmp(dv->name, name) == 0) return dv->vendor; - } - - return 0; -} - -const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor) -{ - const DICT_VENDOR *dv; - - /* - * O(n) lookup. - */ - for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { - if (dv->vendor == vendor) return dv; - } - - return NULL; -} diff --git a/lib/radius/doc.txt b/lib/radius/doc.txt deleted file mode 100644 index 09a8415..0000000 --- a/lib/radius/doc.txt +++ /dev/null @@ -1,41 +0,0 @@ -/** - -\file doc.txt -\brief The main documentation. - -\mainpage The Network RADIUS Client Library - -This client library is intended for use in embedded systems. It is -small with a simple API, yet has more functionality than most -commercial or Open Source products. - -\section License - -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -\ref dictionaries.txt "Dictionaries and dictionary formats" - -*/ diff --git a/lib/radius/doxygen.conf b/lib/radius/doxygen.conf deleted file mode 100644 index e310771..0000000 --- a/lib/radius/doxygen.conf +++ /dev/null @@ -1,1417 +0,0 @@ -# Doxyfile 1.5.6 - -# This file describes the settings to be used by the documentation system -# doxygen (www.doxygen.org) for a project -# -# All text after a hash (#) is considered a comment and will be ignored -# The format is: -# TAG = value [value, ...] -# For lists items can also be appended using: -# TAG += value [value, ...] -# Values that contain spaces should be placed between quotes (" ") - -#--------------------------------------------------------------------------- -# Project related configuration options -#--------------------------------------------------------------------------- - -# This tag specifies the encoding used for all characters in the config file -# that follow. The default is UTF-8 which is also the encoding used for all -# text before the first occurrence of this tag. Doxygen uses libiconv (or the -# iconv built into libc) for the transcoding. See -# http://www.gnu.org/software/libiconv for the list of possible encodings. - -DOXYFILE_ENCODING = UTF-8 - -# The PROJECT_NAME tag is a single word (or a sequence of words surrounded -# by quotes) that should identify the project. - -PROJECT_NAME = networkclient - -# The PROJECT_NUMBER tag can be used to enter a project or revision number. -# This could be handy for archiving the generated documentation or -# if some version control system is used. - -PROJECT_NUMBER = - -# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) -# base path where the generated documentation will be put. -# If a relative path is entered, it will be relative to the location -# where doxygen was started. If left blank the current directory will be used. - -OUTPUT_DIRECTORY = - -# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create -# 4096 sub-directories (in 2 levels) under the output directory of each output -# format and will distribute the generated files over these directories. -# Enabling this option can be useful when feeding doxygen a huge amount of -# source files, where putting all generated files in the same directory would -# otherwise cause performance problems for the file system. - -CREATE_SUBDIRS = NO - -# The OUTPUT_LANGUAGE tag is used to specify the language in which all -# documentation generated by doxygen is written. Doxygen will use this -# information to generate all constant output in the proper language. -# The default language is English, other supported languages are: -# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, -# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, -# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), -# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, -# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, -# and Ukrainian. - -OUTPUT_LANGUAGE = English - -# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will -# include brief member descriptions after the members that are listed in -# the file and class documentation (similar to JavaDoc). -# Set to NO to disable this. - -BRIEF_MEMBER_DESC = YES - -# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend -# the brief description of a member or function before the detailed description. -# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the -# brief descriptions will be completely suppressed. - -REPEAT_BRIEF = YES - -# This tag implements a quasi-intelligent brief description abbreviator -# that is used to form the text in various listings. Each string -# in this list, if found as the leading text of the brief description, will be -# stripped from the text and the result after processing the whole list, is -# used as the annotated text. Otherwise, the brief description is used as-is. -# If left blank, the following values are used ("$name" is automatically -# replaced with the name of the entity): "The $name class" "The $name widget" -# "The $name file" "is" "provides" "specifies" "contains" -# "represents" "a" "an" "the" - -ABBREVIATE_BRIEF = - -# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then -# Doxygen will generate a detailed section even if there is only a brief -# description. - -ALWAYS_DETAILED_SEC = NO - -# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all -# inherited members of a class in the documentation of that class as if those -# members were ordinary class members. Constructors, destructors and assignment -# operators of the base classes will not be shown. - -INLINE_INHERITED_MEMB = NO - -# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full -# path before files name in the file list and in the header files. If set -# to NO the shortest path that makes the file name unique will be used. - -FULL_PATH_NAMES = YES - -# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag -# can be used to strip a user-defined part of the path. Stripping is -# only done if one of the specified strings matches the left-hand part of -# the path. The tag can be used to show relative paths in the file list. -# If left blank the directory from which doxygen is run is used as the -# path to strip. - -STRIP_FROM_PATH = - -# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of -# the path mentioned in the documentation of a class, which tells -# the reader which header file to include in order to use a class. -# If left blank only the name of the header file containing the class -# definition is used. Otherwise one should specify the include paths that -# are normally passed to the compiler using the -I flag. - -STRIP_FROM_INC_PATH = - -# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter -# (but less readable) file names. This can be useful is your file systems -# doesn't support long names like on DOS, Mac, or CD-ROM. - -SHORT_NAMES = NO - -# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen -# will interpret the first line (until the first dot) of a JavaDoc-style -# comment as the brief description. If set to NO, the JavaDoc -# comments will behave just like regular Qt-style comments -# (thus requiring an explicit @brief command for a brief description.) - -JAVADOC_AUTOBRIEF = NO - -# If the QT_AUTOBRIEF tag is set to YES then Doxygen will -# interpret the first line (until the first dot) of a Qt-style -# comment as the brief description. If set to NO, the comments -# will behave just like regular Qt-style comments (thus requiring -# an explicit \brief command for a brief description.) - -QT_AUTOBRIEF = NO - -# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen -# treat a multi-line C++ special comment block (i.e. a block of //! or /// -# comments) as a brief description. This used to be the default behaviour. -# The new default is to treat a multi-line C++ comment block as a detailed -# description. Set this tag to YES if you prefer the old behaviour instead. - -MULTILINE_CPP_IS_BRIEF = NO - -# If the DETAILS_AT_TOP tag is set to YES then Doxygen -# will output the detailed description near the top, like JavaDoc. -# If set to NO, the detailed description appears after the member -# documentation. - -DETAILS_AT_TOP = YES - -# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented -# member inherits the documentation from any documented member that it -# re-implements. - -INHERIT_DOCS = YES - -# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce -# a new page for each member. If set to NO, the documentation of a member will -# be part of the file/class/namespace that contains it. - -SEPARATE_MEMBER_PAGES = NO - -# The TAB_SIZE tag can be used to set the number of spaces in a tab. -# Doxygen uses this value to replace tabs by spaces in code fragments. - -TAB_SIZE = 8 - -# This tag can be used to specify a number of aliases that acts -# as commands in the documentation. An alias has the form "name=value". -# For example adding "sideeffect=\par Side Effects:\n" will allow you to -# put the command \sideeffect (or @sideeffect) in the documentation, which -# will result in a user-defined paragraph with heading "Side Effects:". -# You can put \n's in the value part of an alias to insert newlines. - -ALIASES = - -# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C -# sources only. Doxygen will then generate output that is more tailored for C. -# For instance, some of the names that are used will be different. The list -# of all members will be omitted, etc. - -OPTIMIZE_OUTPUT_FOR_C = YES - -# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java -# sources only. Doxygen will then generate output that is more tailored for -# Java. For instance, namespaces will be presented as packages, qualified -# scopes will look different, etc. - -OPTIMIZE_OUTPUT_JAVA = NO - -# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran -# sources only. Doxygen will then generate output that is more tailored for -# Fortran. - -OPTIMIZE_FOR_FORTRAN = NO - -# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL -# sources. Doxygen will then generate output that is tailored for -# VHDL. - -OPTIMIZE_OUTPUT_VHDL = NO - -# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want -# to include (a tag file for) the STL sources as input, then you should -# set this tag to YES in order to let doxygen match functions declarations and -# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. -# func(std::string) {}). This also make the inheritance and collaboration -# diagrams that involve STL classes more complete and accurate. - -BUILTIN_STL_SUPPORT = NO - -# If you use Microsoft's C++/CLI language, you should set this option to YES to -# enable parsing support. - -CPP_CLI_SUPPORT = NO - -# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. -# Doxygen will parse them like normal C++ but will assume all classes use public -# instead of private inheritance when no explicit protection keyword is present. - -SIP_SUPPORT = NO - -# For Microsoft's IDL there are propget and propput attributes to indicate getter -# and setter methods for a property. Setting this option to YES (the default) -# will make doxygen to replace the get and set methods by a property in the -# documentation. This will only work if the methods are indeed getting or -# setting a simple type. If this is not the case, or you want to show the -# methods anyway, you should set this option to NO. - -IDL_PROPERTY_SUPPORT = YES - -# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC -# tag is set to YES, then doxygen will reuse the documentation of the first -# member in the group (if any) for the other members of the group. By default -# all members of a group must be documented explicitly. - -DISTRIBUTE_GROUP_DOC = NO - -# Set the SUBGROUPING tag to YES (the default) to allow class member groups of -# the same type (for instance a group of public functions) to be put as a -# subgroup of that type (e.g. under the Public Functions section). Set it to -# NO to prevent subgrouping. Alternatively, this can be done per class using -# the \nosubgrouping command. - -SUBGROUPING = YES - -# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum -# is documented as struct, union, or enum with the name of the typedef. So -# typedef struct TypeS {} TypeT, will appear in the documentation as a struct -# with name TypeT. When disabled the typedef will appear as a member of a file, -# namespace, or class. And the struct will be named TypeS. This can typically -# be useful for C code in case the coding convention dictates that all compound -# types are typedef'ed and only the typedef is referenced, never the tag name. - -TYPEDEF_HIDES_STRUCT = NO - -#--------------------------------------------------------------------------- -# Build related configuration options -#--------------------------------------------------------------------------- - -# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in -# documentation are documented, even if no documentation was available. -# Private class members and static file members will be hidden unless -# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES - -EXTRACT_ALL = YES - -# If the EXTRACT_PRIVATE tag is set to YES all private members of a class -# will be included in the documentation. - -EXTRACT_PRIVATE = NO - -# If the EXTRACT_STATIC tag is set to YES all static members of a file -# will be included in the documentation. - -EXTRACT_STATIC = NO - -# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) -# defined locally in source files will be included in the documentation. -# If set to NO only classes defined in header files are included. - -EXTRACT_LOCAL_CLASSES = YES - -# This flag is only useful for Objective-C code. When set to YES local -# methods, which are defined in the implementation section but not in -# the interface are included in the documentation. -# If set to NO (the default) only methods in the interface are included. - -EXTRACT_LOCAL_METHODS = NO - -# If this flag is set to YES, the members of anonymous namespaces will be -# extracted and appear in the documentation as a namespace called -# 'anonymous_namespace{file}', where file will be replaced with the base -# name of the file that contains the anonymous namespace. By default -# anonymous namespace are hidden. - -EXTRACT_ANON_NSPACES = NO - -# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all -# undocumented members of documented classes, files or namespaces. -# If set to NO (the default) these members will be included in the -# various overviews, but no documentation section is generated. -# This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_MEMBERS = NO - -# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all -# undocumented classes that are normally visible in the class hierarchy. -# If set to NO (the default) these classes will be included in the various -# overviews. This option has no effect if EXTRACT_ALL is enabled. - -HIDE_UNDOC_CLASSES = NO - -# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all -# friend (class|struct|union) declarations. -# If set to NO (the default) these declarations will be included in the -# documentation. - -HIDE_FRIEND_COMPOUNDS = NO - -# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any -# documentation blocks found inside the body of a function. -# If set to NO (the default) these blocks will be appended to the -# function's detailed documentation block. - -HIDE_IN_BODY_DOCS = NO - -# The INTERNAL_DOCS tag determines if documentation -# that is typed after a \internal command is included. If the tag is set -# to NO (the default) then the documentation will be excluded. -# Set it to YES to include the internal documentation. - -INTERNAL_DOCS = NO - -# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate -# file names in lower-case letters. If set to YES upper-case letters are also -# allowed. This is useful if you have classes or files whose names only differ -# in case and if your file system supports case sensitive file names. Windows -# and Mac users are advised to set this option to NO. - -CASE_SENSE_NAMES = NO - -# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen -# will show members with their full class and namespace scopes in the -# documentation. If set to YES the scope will be hidden. - -HIDE_SCOPE_NAMES = NO - -# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen -# will put a list of the files that are included by a file in the documentation -# of that file. - -SHOW_INCLUDE_FILES = YES - -# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] -# is inserted in the documentation for inline members. - -INLINE_INFO = YES - -# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen -# will sort the (detailed) documentation of file and class members -# alphabetically by member name. If set to NO the members will appear in -# declaration order. - -SORT_MEMBER_DOCS = YES - -# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the -# brief documentation of file, namespace and class members alphabetically -# by member name. If set to NO (the default) the members will appear in -# declaration order. - -SORT_BRIEF_DOCS = NO - -# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the -# hierarchy of group names into alphabetical order. If set to NO (the default) -# the group names will appear in their defined order. - -SORT_GROUP_NAMES = NO - -# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be -# sorted by fully-qualified names, including namespaces. If set to -# NO (the default), the class list will be sorted only by class name, -# not including the namespace part. -# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. -# Note: This option applies only to the class list, not to the -# alphabetical list. - -SORT_BY_SCOPE_NAME = NO - -# The GENERATE_TODOLIST tag can be used to enable (YES) or -# disable (NO) the todo list. This list is created by putting \todo -# commands in the documentation. - -GENERATE_TODOLIST = YES - -# The GENERATE_TESTLIST tag can be used to enable (YES) or -# disable (NO) the test list. This list is created by putting \test -# commands in the documentation. - -GENERATE_TESTLIST = YES - -# The GENERATE_BUGLIST tag can be used to enable (YES) or -# disable (NO) the bug list. This list is created by putting \bug -# commands in the documentation. - -GENERATE_BUGLIST = YES - -# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or -# disable (NO) the deprecated list. This list is created by putting -# \deprecated commands in the documentation. - -GENERATE_DEPRECATEDLIST= YES - -# The ENABLED_SECTIONS tag can be used to enable conditional -# documentation sections, marked by \if sectionname ... \endif. - -ENABLED_SECTIONS = - -# The MAX_INITIALIZER_LINES tag determines the maximum number of lines -# the initial value of a variable or define consists of for it to appear in -# the documentation. If the initializer consists of more lines than specified -# here it will be hidden. Use a value of 0 to hide initializers completely. -# The appearance of the initializer of individual variables and defines in the -# documentation can be controlled using \showinitializer or \hideinitializer -# command in the documentation regardless of this setting. - -MAX_INITIALIZER_LINES = 30 - -# Set the SHOW_USED_FILES tag to NO to disable the list of files generated -# at the bottom of the documentation of classes and structs. If set to YES the -# list will mention the files that were used to generate the documentation. - -SHOW_USED_FILES = YES - -# If the sources in your project are distributed over multiple directories -# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy -# in the documentation. The default is NO. - -SHOW_DIRECTORIES = NO - -# Set the SHOW_FILES tag to NO to disable the generation of the Files page. -# This will remove the Files entry from the Quick Index and from the -# Folder Tree View (if specified). The default is YES. - -SHOW_FILES = YES - -# Set the SHOW_NAMESPACES tag to NO to disable the generation of the -# Namespaces page. This will remove the Namespaces entry from the Quick Index -# and from the Folder Tree View (if specified). The default is YES. - -SHOW_NAMESPACES = YES - -# The FILE_VERSION_FILTER tag can be used to specify a program or script that -# doxygen should invoke to get the current version for each file (typically from -# the version control system). Doxygen will invoke the program by executing (via -# popen()) the command , where is the value of -# the FILE_VERSION_FILTER tag, and is the name of an input file -# provided by doxygen. Whatever the program writes to standard output -# is used as the file version. See the manual for examples. - -FILE_VERSION_FILTER = - -#--------------------------------------------------------------------------- -# configuration options related to warning and progress messages -#--------------------------------------------------------------------------- - -# The QUIET tag can be used to turn on/off the messages that are generated -# by doxygen. Possible values are YES and NO. If left blank NO is used. - -QUIET = NO - -# The WARNINGS tag can be used to turn on/off the warning messages that are -# generated by doxygen. Possible values are YES and NO. If left blank -# NO is used. - -WARNINGS = YES - -# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings -# for undocumented members. If EXTRACT_ALL is set to YES then this flag will -# automatically be disabled. - -WARN_IF_UNDOCUMENTED = YES - -# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for -# potential errors in the documentation, such as not documenting some -# parameters in a documented function, or documenting parameters that -# don't exist or using markup commands wrongly. - -WARN_IF_DOC_ERROR = YES - -# This WARN_NO_PARAMDOC option can be abled to get warnings for -# functions that are documented, but have no documentation for their parameters -# or return value. If set to NO (the default) doxygen will only warn about -# wrong or incomplete parameter documentation, but not about the absence of -# documentation. - -WARN_NO_PARAMDOC = NO - -# The WARN_FORMAT tag determines the format of the warning messages that -# doxygen can produce. The string should contain the $file, $line, and $text -# tags, which will be replaced by the file and line number from which the -# warning originated and the warning text. Optionally the format may contain -# $version, which will be replaced by the version of the file (if it could -# be obtained via FILE_VERSION_FILTER) - -WARN_FORMAT = "$file:$line: $text" - -# The WARN_LOGFILE tag can be used to specify a file to which warning -# and error messages should be written. If left blank the output is written -# to stderr. - -WARN_LOGFILE = - -#--------------------------------------------------------------------------- -# configuration options related to the input files -#--------------------------------------------------------------------------- - -# The INPUT tag can be used to specify the files and/or directories that contain -# documented source files. You may enter file names like "myfile.cpp" or -# directories like "/usr/src/myproject". Separate the files or directories -# with spaces. - -INPUT = . doc/ - -# This tag can be used to specify the character encoding of the source files -# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is -# also the default input encoding. Doxygen uses libiconv (or the iconv built -# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for -# the list of possible encodings. - -INPUT_ENCODING = UTF-8 - -# If the value of the INPUT tag contains directories, you can use the -# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank the following patterns are tested: -# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx -# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 - -FILE_PATTERNS = *.txt *.[ch] - -# The RECURSIVE tag can be used to turn specify whether or not subdirectories -# should be searched for input files as well. Possible values are YES and NO. -# If left blank NO is used. - -RECURSIVE = NO - -# The EXCLUDE tag can be used to specify files and/or directories that should -# excluded from the INPUT source files. This way you can easily exclude a -# subdirectory from a directory tree whose root is specified with the INPUT tag. - -EXCLUDE = - -# The EXCLUDE_SYMLINKS tag can be used select whether or not files or -# directories that are symbolic links (a Unix filesystem feature) are excluded -# from the input. - -EXCLUDE_SYMLINKS = NO - -# If the value of the INPUT tag contains directories, you can use the -# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude -# certain files from those directories. Note that the wildcards are matched -# against the file with absolute path, so to exclude all test directories -# for example use the pattern */test/* - -EXCLUDE_PATTERNS = - -# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names -# (namespaces, classes, functions, etc.) that should be excluded from the -# output. The symbol name can be a fully qualified name, a word, or if the -# wildcard * is used, a substring. Examples: ANamespace, AClass, -# AClass::ANamespace, ANamespace::*Test - -EXCLUDE_SYMBOLS = - -# The EXAMPLE_PATH tag can be used to specify one or more files or -# directories that contain example code fragments that are included (see -# the \include command). - -EXAMPLE_PATH = examples - -# If the value of the EXAMPLE_PATH tag contains directories, you can use the -# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp -# and *.h) to filter out the source-files in the directories. If left -# blank all files are included. - -EXAMPLE_PATTERNS = *.[ch] - -# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be -# searched for input files to be used with the \include or \dontinclude -# commands irrespective of the value of the RECURSIVE tag. -# Possible values are YES and NO. If left blank NO is used. - -EXAMPLE_RECURSIVE = NO - -# The IMAGE_PATH tag can be used to specify one or more files or -# directories that contain image that are included in the documentation (see -# the \image command). - -IMAGE_PATH = - -# The INPUT_FILTER tag can be used to specify a program that doxygen should -# invoke to filter for each input file. Doxygen will invoke the filter program -# by executing (via popen()) the command , where -# is the value of the INPUT_FILTER tag, and is the name of an -# input file. Doxygen will then use the output that the filter program writes -# to standard output. If FILTER_PATTERNS is specified, this tag will be -# ignored. - -INPUT_FILTER = - -# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern -# basis. Doxygen will compare the file name with each pattern and apply the -# filter if there is a match. The filters are a list of the form: -# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further -# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER -# is applied to all files. - -FILTER_PATTERNS = - -# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using -# INPUT_FILTER) will be used to filter the input files when producing source -# files to browse (i.e. when SOURCE_BROWSER is set to YES). - -FILTER_SOURCE_FILES = NO - -#--------------------------------------------------------------------------- -# configuration options related to source browsing -#--------------------------------------------------------------------------- - -# If the SOURCE_BROWSER tag is set to YES then a list of source files will -# be generated. Documented entities will be cross-referenced with these sources. -# Note: To get rid of all source code in the generated output, make sure also -# VERBATIM_HEADERS is set to NO. - -SOURCE_BROWSER = NO - -# Setting the INLINE_SOURCES tag to YES will include the body -# of functions and classes directly in the documentation. - -INLINE_SOURCES = NO - -# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct -# doxygen to hide any special comment blocks from generated source code -# fragments. Normal C and C++ comments will always remain visible. - -STRIP_CODE_COMMENTS = YES - -# If the REFERENCED_BY_RELATION tag is set to YES -# then for each documented function all documented -# functions referencing it will be listed. - -REFERENCED_BY_RELATION = YES - -# If the REFERENCES_RELATION tag is set to YES -# then for each documented function all documented entities -# called/used by that function will be listed. - -REFERENCES_RELATION = YES - -# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) -# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from -# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will -# link to the source code. Otherwise they will link to the documentstion. - -REFERENCES_LINK_SOURCE = NO - -# If the USE_HTAGS tag is set to YES then the references to source code -# will point to the HTML generated by the htags(1) tool instead of doxygen -# built-in source browser. The htags tool is part of GNU's global source -# tagging system (see http://www.gnu.org/software/global/global.html). You -# will need version 4.8.6 or higher. - -USE_HTAGS = NO - -# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen -# will generate a verbatim copy of the header file for each class for -# which an include is specified. Set to NO to disable this. - -VERBATIM_HEADERS = YES - -#--------------------------------------------------------------------------- -# configuration options related to the alphabetical class index -#--------------------------------------------------------------------------- - -# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index -# of all compounds will be generated. Enable this if the project -# contains a lot of classes, structs, unions or interfaces. - -ALPHABETICAL_INDEX = NO - -# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then -# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns -# in which this list will be split (can be a number in the range [1..20]) - -COLS_IN_ALPHA_INDEX = 5 - -# In case all classes in a project start with a common prefix, all -# classes will be put under the same header in the alphabetical index. -# The IGNORE_PREFIX tag can be used to specify one or more prefixes that -# should be ignored while generating the index headers. - -IGNORE_PREFIX = - -#--------------------------------------------------------------------------- -# configuration options related to the HTML output -#--------------------------------------------------------------------------- - -# If the GENERATE_HTML tag is set to YES (the default) Doxygen will -# generate HTML output. - -GENERATE_HTML = YES - -# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `html' will be used as the default path. - -HTML_OUTPUT = html - -# The HTML_FILE_EXTENSION tag can be used to specify the file extension for -# each generated HTML page (for example: .htm,.php,.asp). If it is left blank -# doxygen will generate files with .html extension. - -HTML_FILE_EXTENSION = .html - -# The HTML_HEADER tag can be used to specify a personal HTML header for -# each generated HTML page. If it is left blank doxygen will generate a -# standard header. - -HTML_HEADER = - -# The HTML_FOOTER tag can be used to specify a personal HTML footer for -# each generated HTML page. If it is left blank doxygen will generate a -# standard footer. - -HTML_FOOTER = - -# The HTML_STYLESHEET tag can be used to specify a user-defined cascading -# style sheet that is used by each HTML page. It can be used to -# fine-tune the look of the HTML output. If the tag is left blank doxygen -# will generate a default style sheet. Note that doxygen will try to copy -# the style sheet file to the HTML output directory, so don't put your own -# stylesheet in the HTML output directory as well, or it will be erased! - -HTML_STYLESHEET = - -# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, -# files or namespaces will be aligned in HTML using tables. If set to -# NO a bullet list will be used. - -HTML_ALIGN_MEMBERS = YES - -# If the GENERATE_HTMLHELP tag is set to YES, additional index files -# will be generated that can be used as input for tools like the -# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) -# of the generated HTML documentation. - -GENERATE_HTMLHELP = NO - -# If the GENERATE_DOCSET tag is set to YES, additional index files -# will be generated that can be used as input for Apple's Xcode 3 -# integrated development environment, introduced with OSX 10.5 (Leopard). -# To create a documentation set, doxygen will generate a Makefile in the -# HTML output directory. Running make will produce the docset in that -# directory and running "make install" will install the docset in -# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find -# it at startup. - -GENERATE_DOCSET = NO - -# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the -# feed. A documentation feed provides an umbrella under which multiple -# documentation sets from a single provider (such as a company or product suite) -# can be grouped. - -DOCSET_FEEDNAME = "Doxygen generated docs" - -# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that -# should uniquely identify the documentation set bundle. This should be a -# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen -# will append .docset to the name. - -DOCSET_BUNDLE_ID = org.doxygen.Project - -# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML -# documentation will contain sections that can be hidden and shown after the -# page has loaded. For this to work a browser that supports -# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox -# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). - -HTML_DYNAMIC_SECTIONS = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can -# be used to specify the file name of the resulting .chm file. You -# can add a path in front of the file if the result should not be -# written to the html output directory. - -CHM_FILE = - -# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can -# be used to specify the location (absolute path including file name) of -# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run -# the HTML help compiler on the generated index.hhp. - -HHC_LOCATION = - -# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag -# controls if a separate .chi index file is generated (YES) or that -# it should be included in the master .chm file (NO). - -GENERATE_CHI = NO - -# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING -# is used to encode HtmlHelp index (hhk), content (hhc) and project file -# content. - -CHM_INDEX_ENCODING = - -# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag -# controls whether a binary table of contents is generated (YES) or a -# normal table of contents (NO) in the .chm file. - -BINARY_TOC = NO - -# The TOC_EXPAND flag can be set to YES to add extra items for group members -# to the contents of the HTML help documentation and to the tree view. - -TOC_EXPAND = NO - -# The DISABLE_INDEX tag can be used to turn on/off the condensed index at -# top of each HTML page. The value NO (the default) enables the index and -# the value YES disables it. - -DISABLE_INDEX = NO - -# This tag can be used to set the number of enum values (range [1..20]) -# that doxygen will group on one line in the generated HTML documentation. - -ENUM_VALUES_PER_LINE = 4 - -# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index -# structure should be generated to display hierarchical information. -# If the tag value is set to FRAME, a side panel will be generated -# containing a tree-like index structure (just like the one that -# is generated for HTML Help). For this to work a browser that supports -# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, -# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are -# probably better off using the HTML help feature. Other possible values -# for this tag are: HIERARCHIES, which will generate the Groups, Directories, -# and Class Hiererachy pages using a tree view instead of an ordered list; -# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which -# disables this behavior completely. For backwards compatibility with previous -# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE -# respectively. - -GENERATE_TREEVIEW = YES - -# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be -# used to set the initial width (in pixels) of the frame in which the tree -# is shown. - -TREEVIEW_WIDTH = 250 - -# Use this tag to change the font size of Latex formulas included -# as images in the HTML documentation. The default is 10. Note that -# when you change the font size after a successful doxygen run you need -# to manually remove any form_*.png images from the HTML output directory -# to force them to be regenerated. - -FORMULA_FONTSIZE = 10 - -#--------------------------------------------------------------------------- -# configuration options related to the LaTeX output -#--------------------------------------------------------------------------- - -# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will -# generate Latex output. - -GENERATE_LATEX = NO - -# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `latex' will be used as the default path. - -LATEX_OUTPUT = latex - -# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be -# invoked. If left blank `latex' will be used as the default command name. - -LATEX_CMD_NAME = latex - -# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to -# generate index for LaTeX. If left blank `makeindex' will be used as the -# default command name. - -MAKEINDEX_CMD_NAME = makeindex - -# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact -# LaTeX documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_LATEX = NO - -# The PAPER_TYPE tag can be used to set the paper type that is used -# by the printer. Possible values are: a4, a4wide, letter, legal and -# executive. If left blank a4wide will be used. - -PAPER_TYPE = a4wide - -# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX -# packages that should be included in the LaTeX output. - -EXTRA_PACKAGES = - -# The LATEX_HEADER tag can be used to specify a personal LaTeX header for -# the generated latex document. The header should contain everything until -# the first chapter. If it is left blank doxygen will generate a -# standard header. Notice: only use this tag if you know what you are doing! - -LATEX_HEADER = - -# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated -# is prepared for conversion to pdf (using ps2pdf). The pdf file will -# contain links (just like the HTML output) instead of page references -# This makes the output suitable for online browsing using a pdf viewer. - -PDF_HYPERLINKS = YES - -# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of -# plain latex in the generated Makefile. Set this option to YES to get a -# higher quality PDF documentation. - -USE_PDFLATEX = YES - -# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. -# command to the generated LaTeX files. This will instruct LaTeX to keep -# running if errors occur, instead of asking the user for help. -# This option is also used when generating formulas in HTML. - -LATEX_BATCHMODE = NO - -# If LATEX_HIDE_INDICES is set to YES then doxygen will not -# include the index chapters (such as File Index, Compound Index, etc.) -# in the output. - -LATEX_HIDE_INDICES = NO - -#--------------------------------------------------------------------------- -# configuration options related to the RTF output -#--------------------------------------------------------------------------- - -# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output -# The RTF output is optimized for Word 97 and may not look very pretty with -# other RTF readers or editors. - -GENERATE_RTF = NO - -# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `rtf' will be used as the default path. - -RTF_OUTPUT = rtf - -# If the COMPACT_RTF tag is set to YES Doxygen generates more compact -# RTF documents. This may be useful for small projects and may help to -# save some trees in general. - -COMPACT_RTF = NO - -# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated -# will contain hyperlink fields. The RTF file will -# contain links (just like the HTML output) instead of page references. -# This makes the output suitable for online browsing using WORD or other -# programs which support those fields. -# Note: wordpad (write) and others do not support links. - -RTF_HYPERLINKS = NO - -# Load stylesheet definitions from file. Syntax is similar to doxygen's -# config file, i.e. a series of assignments. You only have to provide -# replacements, missing definitions are set to their default value. - -RTF_STYLESHEET_FILE = - -# Set optional variables used in the generation of an rtf document. -# Syntax is similar to doxygen's config file. - -RTF_EXTENSIONS_FILE = - -#--------------------------------------------------------------------------- -# configuration options related to the man page output -#--------------------------------------------------------------------------- - -# If the GENERATE_MAN tag is set to YES (the default) Doxygen will -# generate man pages - -GENERATE_MAN = NO - -# The MAN_OUTPUT tag is used to specify where the man pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `man' will be used as the default path. - -MAN_OUTPUT = man - -# The MAN_EXTENSION tag determines the extension that is added to -# the generated man pages (default is the subroutine's section .3) - -MAN_EXTENSION = .3 - -# If the MAN_LINKS tag is set to YES and Doxygen generates man output, -# then it will generate one additional man file for each entity -# documented in the real man page(s). These additional files -# only source the real man page, but without them the man command -# would be unable to find the correct page. The default is NO. - -MAN_LINKS = NO - -#--------------------------------------------------------------------------- -# configuration options related to the XML output -#--------------------------------------------------------------------------- - -# If the GENERATE_XML tag is set to YES Doxygen will -# generate an XML file that captures the structure of -# the code including all documentation. - -GENERATE_XML = NO - -# The XML_OUTPUT tag is used to specify where the XML pages will be put. -# If a relative path is entered the value of OUTPUT_DIRECTORY will be -# put in front of it. If left blank `xml' will be used as the default path. - -XML_OUTPUT = xml - -# The XML_SCHEMA tag can be used to specify an XML schema, -# which can be used by a validating XML parser to check the -# syntax of the XML files. - -XML_SCHEMA = - -# The XML_DTD tag can be used to specify an XML DTD, -# which can be used by a validating XML parser to check the -# syntax of the XML files. - -XML_DTD = - -# If the XML_PROGRAMLISTING tag is set to YES Doxygen will -# dump the program listings (including syntax highlighting -# and cross-referencing information) to the XML output. Note that -# enabling this will significantly increase the size of the XML output. - -XML_PROGRAMLISTING = YES - -#--------------------------------------------------------------------------- -# configuration options for the AutoGen Definitions output -#--------------------------------------------------------------------------- - -# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will -# generate an AutoGen Definitions (see autogen.sf.net) file -# that captures the structure of the code including all -# documentation. Note that this feature is still experimental -# and incomplete at the moment. - -GENERATE_AUTOGEN_DEF = NO - -#--------------------------------------------------------------------------- -# configuration options related to the Perl module output -#--------------------------------------------------------------------------- - -# If the GENERATE_PERLMOD tag is set to YES Doxygen will -# generate a Perl module file that captures the structure of -# the code including all documentation. Note that this -# feature is still experimental and incomplete at the -# moment. - -GENERATE_PERLMOD = NO - -# If the PERLMOD_LATEX tag is set to YES Doxygen will generate -# the necessary Makefile rules, Perl scripts and LaTeX code to be able -# to generate PDF and DVI output from the Perl module output. - -PERLMOD_LATEX = NO - -# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be -# nicely formatted so it can be parsed by a human reader. This is useful -# if you want to understand what is going on. On the other hand, if this -# tag is set to NO the size of the Perl module output will be much smaller -# and Perl will parse it just the same. - -PERLMOD_PRETTY = YES - -# The names of the make variables in the generated doxyrules.make file -# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. -# This is useful so different doxyrules.make files included by the same -# Makefile don't overwrite each other's variables. - -PERLMOD_MAKEVAR_PREFIX = - -#--------------------------------------------------------------------------- -# Configuration options related to the preprocessor -#--------------------------------------------------------------------------- - -# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will -# evaluate all C-preprocessor directives found in the sources and include -# files. - -ENABLE_PREPROCESSING = YES - -# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro -# names in the source code. If set to NO (the default) only conditional -# compilation will be performed. Macro expansion can be done in a controlled -# way by setting EXPAND_ONLY_PREDEF to YES. - -MACRO_EXPANSION = NO - -# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES -# then the macro expansion is limited to the macros specified with the -# PREDEFINED and EXPAND_AS_DEFINED tags. - -EXPAND_ONLY_PREDEF = NO - -# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files -# in the INCLUDE_PATH (see below) will be search if a #include is found. - -SEARCH_INCLUDES = YES - -# The INCLUDE_PATH tag can be used to specify one or more directories that -# contain include files that are not input files but should be processed by -# the preprocessor. - -INCLUDE_PATH = - -# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard -# patterns (like *.h and *.hpp) to filter out the header-files in the -# directories. If left blank, the patterns specified with FILE_PATTERNS will -# be used. - -INCLUDE_FILE_PATTERNS = - -# The PREDEFINED tag can be used to specify one or more macro names that -# are defined before the preprocessor is started (similar to the -D option of -# gcc). The argument of the tag is a list of macros of the form: name -# or name=definition (no spaces). If the definition and the = are -# omitted =1 is assumed. To prevent a macro definition from being -# undefined via #undef or recursively expanded use the := operator -# instead of the = operator. - -PREDEFINED = - -# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then -# this tag can be used to specify a list of macro names that should be expanded. -# The macro definition that is found in the sources will be used. -# Use the PREDEFINED tag if you want to use a different macro definition. - -EXPAND_AS_DEFINED = - -# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then -# doxygen's preprocessor will remove all function-like macros that are alone -# on a line, have an all uppercase name, and do not end with a semicolon. Such -# function macros are typically used for boiler-plate code, and will confuse -# the parser if not removed. - -SKIP_FUNCTION_MACROS = YES - -#--------------------------------------------------------------------------- -# Configuration::additions related to external references -#--------------------------------------------------------------------------- - -# The TAGFILES option can be used to specify one or more tagfiles. -# Optionally an initial location of the external documentation -# can be added for each tagfile. The format of a tag file without -# this location is as follows: -# TAGFILES = file1 file2 ... -# Adding location for the tag files is done as follows: -# TAGFILES = file1=loc1 "file2 = loc2" ... -# where "loc1" and "loc2" can be relative or absolute paths or -# URLs. If a location is present for each tag, the installdox tool -# does not have to be run to correct the links. -# Note that each tag file must have a unique name -# (where the name does NOT include the path) -# If a tag file is not located in the directory in which doxygen -# is run, you must also specify the path to the tagfile here. - -TAGFILES = - -# When a file name is specified after GENERATE_TAGFILE, doxygen will create -# a tag file that is based on the input files it reads. - -GENERATE_TAGFILE = - -# If the ALLEXTERNALS tag is set to YES all external classes will be listed -# in the class index. If set to NO only the inherited external classes -# will be listed. - -ALLEXTERNALS = NO - -# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed -# in the modules index. If set to NO, only the current project's groups will -# be listed. - -EXTERNAL_GROUPS = YES - -# The PERL_PATH should be the absolute path and name of the perl script -# interpreter (i.e. the result of `which perl'). - -PERL_PATH = /usr/bin/perl - -#--------------------------------------------------------------------------- -# Configuration options related to the dot tool -#--------------------------------------------------------------------------- - -# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will -# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base -# or super classes. Setting the tag to NO turns the diagrams off. Note that -# this option is superseded by the HAVE_DOT option below. This is only a -# fallback. It is recommended to install and use dot, since it yields more -# powerful graphs. - -CLASS_DIAGRAMS = YES - -# You can define message sequence charts within doxygen comments using the \msc -# command. Doxygen will then run the mscgen tool (see -# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the -# documentation. The MSCGEN_PATH tag allows you to specify the directory where -# the mscgen tool resides. If left empty the tool is assumed to be found in the -# default search path. - -MSCGEN_PATH = - -# If set to YES, the inheritance and collaboration graphs will hide -# inheritance and usage relations if the target is undocumented -# or is not a class. - -HIDE_UNDOC_RELATIONS = YES - -# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is -# available from the path. This tool is part of Graphviz, a graph visualization -# toolkit from AT&T and Lucent Bell Labs. The other options in this section -# have no effect if this option is set to NO (the default) - -HAVE_DOT = YES - -# By default doxygen will write a font called FreeSans.ttf to the output -# directory and reference it in all dot files that doxygen generates. This -# font does not include all possible unicode characters however, so when you need -# these (or just want a differently looking font) you can specify the font name -# using DOT_FONTNAME. You need need to make sure dot is able to find the font, -# which can be done by putting it in a standard location or by setting the -# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory -# containing the font. - -DOT_FONTNAME = FreeSans - -# By default doxygen will tell dot to use the output directory to look for the -# FreeSans.ttf font (which doxygen will put there itself). If you specify a -# different font using DOT_FONTNAME you can set the path where dot -# can find it using this tag. - -DOT_FONTPATH = - -# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect inheritance relations. Setting this tag to YES will force the -# the CLASS_DIAGRAMS tag to NO. - -CLASS_GRAPH = YES - -# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for each documented class showing the direct and -# indirect implementation dependencies (inheritance, containment, and -# class references variables) of the class with other documented classes. - -COLLABORATION_GRAPH = YES - -# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen -# will generate a graph for groups, showing the direct groups dependencies - -GROUP_GRAPHS = YES - -# If the UML_LOOK tag is set to YES doxygen will generate inheritance and -# collaboration diagrams in a style similar to the OMG's Unified Modeling -# Language. - -UML_LOOK = NO - -# If set to YES, the inheritance and collaboration graphs will show the -# relations between templates and their instances. - -TEMPLATE_RELATIONS = NO - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT -# tags are set to YES then doxygen will generate a graph for each documented -# file showing the direct and indirect include dependencies of the file with -# other documented files. - -INCLUDE_GRAPH = YES - -# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and -# HAVE_DOT tags are set to YES then doxygen will generate a graph for each -# documented header file showing the documented files that directly or -# indirectly include this file. - -INCLUDED_BY_GRAPH = YES - -# If the CALL_GRAPH and HAVE_DOT options are set to YES then -# doxygen will generate a call dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. So in most cases it will be better to enable call graphs -# for selected functions only using the \callgraph command. - -CALL_GRAPH = YES - -# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then -# doxygen will generate a caller dependency graph for every global function -# or class method. Note that enabling this option will significantly increase -# the time of a run. So in most cases it will be better to enable caller -# graphs for selected functions only using the \callergraph command. - -CALLER_GRAPH = NO - -# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen -# will graphical hierarchy of all classes instead of a textual one. - -GRAPHICAL_HIERARCHY = YES - -# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES -# then doxygen will show the dependencies a directory has on other directories -# in a graphical way. The dependency relations are determined by the #include -# relations between the files in the directories. - -DIRECTORY_GRAPH = YES - -# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images -# generated by dot. Possible values are png, jpg, or gif -# If left blank png will be used. - -DOT_IMAGE_FORMAT = png - -# The tag DOT_PATH can be used to specify the path where the dot tool can be -# found. If left blank, it is assumed the dot tool can be found in the path. - -DOT_PATH = - -# The DOTFILE_DIRS tag can be used to specify one or more directories that -# contain dot files that are included in the documentation (see the -# \dotfile command). - -DOTFILE_DIRS = - -# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of -# nodes that will be shown in the graph. If the number of nodes in a graph -# becomes larger than this value, doxygen will truncate the graph, which is -# visualized by representing a node as a red box. Note that doxygen if the -# number of direct children of the root node in a graph is already larger than -# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note -# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. - -DOT_GRAPH_MAX_NODES = 50 - -# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the -# graphs generated by dot. A depth value of 3 means that only nodes reachable -# from the root by following a path via at most 3 edges will be shown. Nodes -# that lay further from the root node will be omitted. Note that setting this -# option to 1 or 2 may greatly reduce the computation time needed for large -# code bases. Also note that the size of a graph can be further restricted by -# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. - -MAX_DOT_GRAPH_DEPTH = 0 - -# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent -# background. This is enabled by default, which results in a transparent -# background. Warning: Depending on the platform used, enabling this option -# may lead to badly anti-aliased labels on the edges of a graph (i.e. they -# become hard to read). - -DOT_TRANSPARENT = YES - -# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output -# files in one run (i.e. multiple -o and -T options on the command line). This -# makes dot run faster, but since only newer versions of dot (>1.8.10) -# support this, this feature is disabled by default. - -DOT_MULTI_TARGETS = NO - -# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will -# generate a legend page explaining the meaning of the various boxes and -# arrows in the dot generated graphs. - -GENERATE_LEGEND = YES - -# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will -# remove the intermediate dot files that are used to generate -# the various graphs. - -DOT_CLEANUP = YES - -#--------------------------------------------------------------------------- -# Configuration::additions related to the search engine -#--------------------------------------------------------------------------- - -# The SEARCHENGINE tag specifies whether or not a search engine should be -# used. If set to NO the values of all tags below this one will be ignored. - -SEARCHENGINE = NO diff --git a/lib/radius/examples/Makefile b/lib/radius/examples/Makefile deleted file mode 100644 index f39c343..0000000 --- a/lib/radius/examples/Makefile +++ /dev/null @@ -1,54 +0,0 @@ -# -# GNU Makefile -# -.PHONY: all clean install - -SRCS = example_1.c example_2.c example_3.c example_4.c - -OBJS := ${SRCS:.c=.o} -PROGRAMS := ${SRCS:.c=} - -all: ${PROGRAMS} - -HEADERS := ../client.h ../radius.h - -${OBJS}: ${HEADERS} - -$(info ${PROGRAMS} ${OBJS}) - -${PROGRAMS}: ../libnetworkradius-client.a - - -%.o : %.c - $(CC) $(CFLAGS) -I.. -I. -c $< - -%.o: ${HEADERS} - -LDFLAGS = -L.. -lnetworkradius-client -lcrypto -lssl -CFLAGS = -I.. - -../libnetworkradius-client.a: - @${MAKE} -C .. libnetworkradius-client.a - -radsample.o: radsample.c ${HEADERS} nr_vp_create.c nr_packet_send.c - -#radsample: radsample.o ../libnetworkradius-client.a -# ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ - -sample_chap.o: sample_chap.c ${HEADERS} - -sample_chap: sample_chap.o ../libnetworkradius-client.a - ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ - -radsample2.o: radsample2.c ${HEADERS} nr_vp_create.c - -radsample2: radsample2.o ../libnetworkradius-client.a - ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ - -radsample3.o: radsample3.c ${HEADERS} nr_transmit.c nr_server_t.c nr_vp_create.c - -radsample3: radsample3.o ../libnetworkradius-client.a - ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ - -clean: - @rm -rf *.o *.a *~ diff --git a/lib/radius/examples/example_1.c b/lib/radius/examples/example_1.c deleted file mode 100644 index 265c880..0000000 --- a/lib/radius/examples/example_1.c +++ /dev/null @@ -1,86 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include - -/** \file example_1.c - * \brief Sample code to initialize a RADIUS packet. - * - * This example initializes a packet, and then adds User-Name and - * User-Password to it. The resulting packet is then printed to the - * standard output. - */ - -static const char *secret = "testing123"; -static uint8_t request_buffer[RS_MAX_PACKET_LEN]; -static uint8_t response_buffer[RS_MAX_PACKET_LEN]; -static RADIUS_PACKET request, response; - -int main(int argc, const char *argv[]) -{ - ssize_t rcode; - const char *user = "bob"; - const char *password = "password"; - - rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, - request_buffer, sizeof(request_buffer)); - if (rcode < 0) { - error: - fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); - return 1; - } - - if (argc > 1) user = argv[1]; - if (argc > 2) password = argv[2]; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_NAME, - user, 0); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_PASSWORD, - password, 0); - if (rcode < 0) goto error; - - /* - * ALWAYS call nr_packet_sign() before sending the packet - * to anyone else! - */ - rcode = nr_packet_sign(&request, NULL); - if (rcode < 0) goto error; - - nr_packet_print_hex(&request); - - rcode = nr_packet_decode(&request, NULL); - if (rcode < 0) goto error; - - nr_vp_fprintf_list(stdout, request.vps); - nr_vp_free(&request.vps); - - return 0; -} diff --git a/lib/radius/examples/example_2.c b/lib/radius/examples/example_2.c deleted file mode 100644 index 0a58523..0000000 --- a/lib/radius/examples/example_2.c +++ /dev/null @@ -1,86 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include - -/** \file example_2.c - * \brief Sample code to initialize a RADIUS packet. - * - * This example initializes a packet, and then adds User-Name and - * CHAP-Password to it. The resulting packet is then printed to the - * standard output. - */ - -static const char *secret = "testing123"; -static uint8_t request_buffer[RS_MAX_PACKET_LEN]; -static uint8_t response_buffer[RS_MAX_PACKET_LEN]; -static RADIUS_PACKET request, response; - -int main(int argc, const char *argv[]) -{ - int rcode; - const char *user = "bob"; - const char *password = "password"; - - rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, - request_buffer, sizeof(request_buffer)); - if (rcode < 0) { - error: - fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); - return 1; - } - - if (argc > 1) user = argv[1]; - if (argc > 2) password = argv[2]; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_NAME, - user, 0); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_CHAP_PASSWORD, - password, strlen(password)); - if (rcode < 0) goto error; - - /* - * ALWAYS call nr_packet_sign() before sending the packet - * to anyone else! - */ - rcode = nr_packet_sign(&request, NULL); - if (rcode < 0) goto error; - - nr_packet_print_hex(&request); - - rcode = nr_packet_decode(&request, NULL); - if (rcode < 0) goto error; - - nr_vp_fprintf_list(stdout, request.vps); - nr_vp_free(&request.vps); - - return 0; -} diff --git a/lib/radius/examples/example_3.c b/lib/radius/examples/example_3.c deleted file mode 100644 index 33fc671..0000000 --- a/lib/radius/examples/example_3.c +++ /dev/null @@ -1,123 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include - -/** \file example_3.c - * \brief Sample code to initialize a RADIUS packet and a response to it. - * - * This example initializes a packet, and then adds User-Name and - * User-Password to it. The resulting packet is then printed to the - * standard output. - * - * As a next step, it then creates the response, and prints that, - * too. - */ - -static const char *secret = "testing123"; -static uint8_t request_buffer[RS_MAX_PACKET_LEN]; -static uint8_t response_buffer[RS_MAX_PACKET_LEN]; -static RADIUS_PACKET request, response; - -int main(int argc, const char *argv[]) -{ - int rcode; - const char *user = "bob"; - const char *password = "password"; - - rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, - request_buffer, sizeof(request_buffer)); - if (rcode < 0) { - error: - fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); - return 1; - } - - if (argc > 1) user = argv[1]; - if (argc > 2) password = argv[2]; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_NAME, - user, 0); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_PASSWORD, - password, 0); - if (rcode < 0) goto error; - - /* - * ALWAYS call nr_packet_sign() before sending the packet - * to anyone else! - */ - rcode = nr_packet_sign(&request, NULL); - if (rcode < 0) goto error; - - nr_packet_print_hex(&request); - - rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, - response_buffer, sizeof(response_buffer)); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&response, &request, - RS_DA_REPLY_MESSAGE, - "Success!", 0); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&response, &request, - RS_DA_TUNNEL_PASSWORD, - password, 0); - if (rcode < 0) goto error; - rcode = nr_packet_sign(&response, &request); - if (rcode < 0) goto error; - - nr_packet_print_hex(&response); - - /* - * Check that the response is well-formed. The - * nr_packet_verify() function also calls nr_packet_ok(). - * However, it is sometimes useful to separate "malformed - * packet" errors from "packet is not a response to a - * reqeust" errors. - */ - rcode = nr_packet_ok(&response); - if (rcode < 0) goto error; - - /* - * Double-check the signature of the response. - */ - rcode = nr_packet_verify(&response, &request); - if (rcode < 0) goto error; - - rcode = nr_packet_decode(&response, &request); - if (rcode < 0) goto error; - - nr_vp_fprintf_list(stdout, response.vps); - nr_vp_free(&response.vps); - - return 0; -} diff --git a/lib/radius/examples/example_4.c b/lib/radius/examples/example_4.c deleted file mode 100644 index 2dadc89..0000000 --- a/lib/radius/examples/example_4.c +++ /dev/null @@ -1,94 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include - -/** \file example_4.c - * \brief Allocate and manage multiple packets. - */ - -static const char *secret = "testing123"; -static nr_server_t server; - -int main(int argc, const char *argv[]) -{ - int rcode; - const char *user = "bob"; - const char *password = "password"; - - rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, - request_buffer, sizeof(request_buffer)); - if (rcode < 0) { - error: - fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); - return 1; - } - - if (argc > 1) user = argv[1]; - if (argc > 2) password = argv[2]; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_NAME, - user, 0); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&request, NULL, - RS_DA_USER_PASSWORD, - password, 0); - if (rcode < 0) goto error; - - /* - * ALWAYS call nr_packet_sign() before sending the packet - * to anyone else! - */ - rcode = nr_packet_sign(&request, NULL); - if (rcode < 0) goto error; - - nr_packet_print_hex(&request); - - rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, - response_buffer, sizeof(response_buffer)); - if (rcode < 0) goto error; - - rcode = nr_packet_attr_append(&response, &request, - RS_DA_REPLY_MESSAGE, - "Success!", 0); - if (rcode < 0) goto error; - - rcode = nr_packet_sign(&response, &request); - if (rcode < 0) goto error; - - nr_packet_print_hex(&response); - - /* - * Double-check the signature of the response. - */ - rcode = nr_packet_verify(&response, &request); - if (rcode < 0) goto error; - - return 0; -} diff --git a/lib/radius/examples/nr_vp_create.c b/lib/radius/examples/nr_vp_create.c deleted file mode 100644 index bd04f17..0000000 --- a/lib/radius/examples/nr_vp_create.c +++ /dev/null @@ -1,61 +0,0 @@ -/* - * The person or persons who have associated work with this document - * (the "Dedicator" or "Certifier") hereby either (a) certifies that, - * to the best of his knowledge, the work of authorship identified is - * in the public domain of the country from which the work is - * published, or (b) hereby dedicates whatever copyright the - * dedicators holds in the work of authorship identified below (the - * "Work") to the public domain. A certifier, moreover, dedicates any - * copyright interest he may have in the associated work, and for - * these purposes, is described as a "dedicator" below. - * - * A certifier has taken reasonable steps to verify the copyright - * status of this work. Certifier recognizes that his good faith - * efforts may not shield him from liability if in fact the work - * certified is not in the public domain. - * - * Dedicator makes this dedication for the benefit of the public at - * large and to the detriment of the Dedicator's heirs and - * successors. Dedicator intends this dedication to be an overt act of - * relinquishment in perpetuity of all present and future rights under - * copyright law, whether vested or contingent, in the Work. Dedicator - * understands that such relinquishment of all rights includes the - * relinquishment of all rights to enforce (by lawsuit or otherwise) - * those copyrights in the Work. - * - * Dedicator recognizes that, once placed in the public domain, the - * Work may be freely reproduced, distributed, transmitted, used, - * modified, built upon, or otherwise exploited by anyone for any - * purpose, commercial or non-commercial, and in any way, including by - * methods that have not yet been invented or conceived. - */ - -static VALUE_PAIR *example_nr_vp_create(void) -{ - VALUE_PAIR *vp; - VALUE_PAIR *head = NULL; - - /* - * Create the request contents. - */ - vp = nr_vp_create(PW_USER_NAME, 0, "bob", 4); - if (!vp) { - fprintf(stderr, "User-Name: %s\n", nr_strerror(0)); - exit(1); - } - nr_vps_append(&head, vp); - - /* - * The User-Password attribute is automatically encrypted - * when being placed in the packet. This version stays - * untouched, and should be "plain text". - */ - vp = nr_vp_create(PW_USER_PASSWORD, 0, "hello", 6); - if (!vp) { - fprintf(stderr, "User-Password: %s\n", nr_strerror(0)); - exit(1); - } - nr_vps_append(&head, vp); - - return head; -} diff --git a/lib/radius/header.pl b/lib/radius/header.pl deleted file mode 100755 index c366612..0000000 --- a/lib/radius/header.pl +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/env perl -###################################################################### -# Copyright (c) 2011, Network RADIUS SARL -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the -# names of its contributors may be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -###################################################################### -# -# Converts dictionaries to C defines. Does not yet do "VALUE"s. -# -# $Id$ -# -require "common.pl"; - -while (@ARGV) { - $filename = shift; - do_file($filename); -} - - -print "/* Automatically generated file. Do not edit */\n\n"; - -foreach $v (sort keys %vendor) { - $name = $v; - $name =~ tr/a-z/A-Z/; # uppercase - $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ - - print "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; -} -print "\n"; - -$begin_vendor = -1; -foreach $attr_val (sort {$a <=> $b} keys %attributes) { - if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { - print "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; - $begin_vendor = $attributes{$attr_val}{'vendor'}; - } - - $name = $attributes{$attr_val}{'name'}; - $name =~ tr/a-z/A-Z/; - $name =~ tr/A-Z0-9/_/c; - - print "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; -} -print "\n\n"; - -print "/* Automatically generated file. Do not edit */\n"; - diff --git a/lib/radius/id.c b/lib/radius/id.c deleted file mode 100644 index 4ccd032..0000000 --- a/lib/radius/id.c +++ /dev/null @@ -1,181 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "client.h" - -#ifdef HAVE_UNISTD_H -#include -#endif - -/** \file id.c - * \brief Handling of ID allocation / freeing - * - */ - -static int find_id(nr_server_t *s) -{ - int i; - uint32_t lvalue; - - if ((s->used < 0) || (s->used > 256)) return -RSE_INTERNAL; - - /* - * Ensure that the ID allocation is random. - */ - lvalue = nr_rand(); - - for (i = 0; i < 256; i++) { - int offset = (i + lvalue) & 0xff; - - if (!s->ids[offset]) return offset; - } - - nr_strerror_printf("Out of IDs for server"); - return -1; -} - -int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet) -{ - int new_id; - - if (!s || !packet) return -RSE_INVAL; - - new_id = find_id(s); - if (new_id < 0) return -new_id; - - s->ids[new_id] = packet; - s->used++; - packet->sockfd = s->sockfd; - packet->code = s->code; - packet->src = s->src; - packet->dst = s->dst; - packet->id = new_id; - - return 0; -} - -int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet) -{ - if (!s || !packet) return -RSE_INVAL; - - if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { - return -RSE_INVAL; - } - - if (s->ids[packet->id] != packet) return -RSE_INTERNAL; - - s->ids[packet->id] = NULL; - s->used--; - packet->sockfd = -1; - - return 0; -} - -int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet) -{ - int new_id; - - if (!s || !packet) return -RSE_INVAL; - - if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { - return -RSE_INVAL; - } - - if (s->ids[packet->id] != packet) return -RSE_INTERNAL; - - new_id = find_id(s); - if (new_id < 0) return new_id; - - s->ids[packet->id] = NULL; - packet->id = new_id; - s->ids[packet->id] = packet; - - return 0; -} - - -int nr_server_init(nr_server_t *s, int code, const char *secret) -{ - if (!s || !secret || !*secret || - (code == 0) || (code > RS_MAX_PACKET_CODE)) { - return -RSE_INVAL; - } - - memset(s, 0, sizeof(*s)); - - s->sockfd = -1; - s->code = code; - s->secret = secret; - s->sizeof_secret = strlen(secret); - s->src.ss_family = AF_UNSPEC; - s->dst.ss_family = AF_UNSPEC; - - return 0; -} - - -int nr_server_close(const nr_server_t *s) -{ - if (!s) return -RSE_INVAL; - - if (s->used > 0) return -RSE_INUSE; - - if (s->sockfd >= 0) evutil_closesocket(s->sockfd); - - return 0; -} - -int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p) -{ - int rcode; - RADIUS_PACKET *packet; - - if (!packet_p) return -RSE_INVAL; - - packet = malloc(sizeof(*packet) + RS_MAX_PACKET_LEN); - if (!packet) return -RSE_NOMEM; - - memset(packet, 0, sizeof(*packet)); - - if (!s) { - packet->data = (uint8_t *)(packet + 1); - packet->sizeof_data = RS_MAX_PACKET_LEN; - - *packet_p = packet; - return 0; - } - - rcode = nr_packet_init(packet, NULL, s->secret, s->code, - (uint8_t *)(packet + 1), RS_MAX_PACKET_LEN); - if (rcode < 0) { - free(packet); - return rcode; - } - - *packet_p = packet; - return 0; -} diff --git a/lib/radius/parse.c b/lib/radius/parse.c deleted file mode 100644 index 8446306..0000000 --- a/lib/radius/parse.c +++ /dev/null @@ -1,149 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file parse.c - * \brief Routines to parse strings into internal data structures - */ - -#include "client.h" - -#ifdef HAVE_ARPA_INET_H -#include -#endif - -ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) -{ - char *end; - - switch (vp->da->type) { - case RS_TYPE_STRING: { - size_t len = strlen(value); - - if (len >= RS_MAX_STRING_LEN) - return -RSE_ATTR_TOO_LARGE; - - memcpy(vp->vp_strvalue, value, len + 1); - return (vp->length = len); - } - case RS_TYPE_DATE: - case RS_TYPE_INTEGER: - vp->vp_integer = strtoul(value, &end, 10); - if ((value == end) || (*end != '\0')) { - nr_debug_error("Invalid value"); - return -RSE_ATTR_VALUE_MALFORMED; - } - return (end - value); - - case RS_TYPE_IPADDR: - if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) { - return -RSE_NOSYS; - } - return strlen(value); - -#ifdef RS_TYPE_IPV6ADDR - case RS_TYPE_IPV6ADDR: - if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) { - return -RSE_NOSYS; - } - return strlen(value); -#endif - -#ifdef RS_TYPE_IFID - case RS_TYPE_IFID: - { - int i, array[8]; - - if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x", - &array[0], &array[1], &array[2], &array[3], - &array[4], &array[5], &array[6], &array[7]) != 8) { - return -RSE_SYSTEM; - } - - for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff; - - } - break; -#endif - - default: - nr_debug_error("Invalid type"); - return -RSE_ATTR_TYPE_UNKNOWN; - } - - return 0; -} - -int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp) -{ - int rcode; - const char *p; - char *q; - const DICT_ATTR *da; - VALUE_PAIR *vp; - char buffer[256]; - - if (!string || !pvp) return -RSE_INVAL; - - p = string; - q = buffer; - while (*p && (*p != ' ') && (*p != '=')) { - *(q++) = *(p++); - } - *q = '\0'; - - if (q == buffer) { - nr_debug_error("No Attribute name"); - return -RSE_ATTR_BAD_NAME; - } - - da = nr_dict_attr_byname(buffer); - if (!da) { - nr_debug_error("Unknown attribute \"%s\"", buffer); - return -RSE_ATTR_UNKNOWN; - } - - while (*p == ' ') p++; - if (*p != '=') { - nr_debug_error("Unexpected text after attribute name"); - return -RSE_ATTR_BAD_NAME; - } - - p++; - while (*p == ' ') p++; - - vp = nr_vp_alloc(da); - if (!vp) return -RSE_NOMEM; - - rcode = nr_vp_sscanf_value(vp, p); - if (rcode < 0) { - nr_vp_free(&vp); - return rcode; - } - - *pvp = vp; - return 0; -} diff --git a/lib/radius/print.c b/lib/radius/print.c deleted file mode 100644 index 6fa06d7..0000000 --- a/lib/radius/print.c +++ /dev/null @@ -1,227 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file print.c - * \brief Functions to print things. - */ - -#include "client.h" -#include -#ifdef RS_TYPE_IPV6ADDR -#include -#endif - -#ifndef NDEBUG -void nr_packet_print_hex(RADIUS_PACKET *packet) -{ - int i; - - if (!packet->data) return; - - printf(" Code:\t\t%u\n", packet->data[0]); - printf(" Id:\t\t%u\n", packet->data[1]); - printf(" Length:\t%u\n", ((packet->data[2] << 8) | - (packet->data[3]))); - printf(" Vector:\t"); - for (i = 4; i < 20; i++) { - printf("%02x", packet->data[i]); - } - printf("\n"); - if ((packet->flags & RS_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n"); - - if (packet->length > 20) { - int total; - const uint8_t *ptr; - printf(" Data:"); - - total = packet->length - 20; - ptr = packet->data + 20; - - while (total > 0) { - int attrlen; - - printf("\t\t"); - if (total < 2) { /* too short */ - printf("%02x\n", *ptr); - break; - } - - if (ptr[1] > total) { /* too long */ - for (i = 0; i < total; i++) { - printf("%02x ", ptr[i]); - } - break; - } - - printf("%02x %02x ", ptr[0], ptr[1]); - attrlen = ptr[1] - 2; - ptr += 2; - total -= 2; - - for (i = 0; i < attrlen; i++) { - if ((i > 0) && ((i & 0x0f) == 0x00)) - printf("\t\t\t"); - printf("%02x ", ptr[i]); - if ((i & 0x0f) == 0x0f) printf("\n"); - } - - if (!attrlen || ((attrlen & 0x0f) != 0x00)) printf("\n"); - - ptr += attrlen; - total -= attrlen; - } - } - printf("\n"); - fflush(stdout); -} -#endif - -size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) -{ - size_t i, len; - char *p = buffer; - - switch (vp->da->type) { - case RS_TYPE_STRING: - /* - * FIXME: escape backslash && quotes! - */ - len = snprintf(p, buflen, "%s", vp->vp_strvalue); - break; - - case RS_TYPE_DATE: - case RS_TYPE_INTEGER: - case RS_TYPE_SHORT: - case RS_TYPE_BYTE: - len = snprintf(p, buflen, "%u", vp->vp_integer); - break; - - case RS_TYPE_IPADDR: - len = snprintf(p, buflen, "%u.%u.%u.%u", - (vp->vp_ipaddr >> 24) & 0xff, - (vp->vp_ipaddr >> 16) & 0xff, - (vp->vp_ipaddr >> 8) & 0xff, - vp->vp_ipaddr & 0xff); - break; - -#ifdef RS_TYPE_IPV6ADDR - case RS_TYPE_IPV6ADDR: - if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) { - return -RSE_SYSTEM; - } - break; -#endif - -#ifdef RS_TYPE_IFID - case RS_TYPE_IFID: - len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x", - vp->vp_ifid[0], vp->vp_ifid[1], - vp->vp_ifid[2], vp->vp_ifid[3], - vp->vp_ifid[4], vp->vp_ifid[5], - vp->vp_ifid[6], vp->vp_ifid[7]); - break; -#endif - - case RS_TYPE_OCTETS: - len = snprintf(p, buflen, "0x"); - if (len >= buflen) return 0; - - p += len; - buflen -= len; - - for (i = 0; i < vp->length; i++) { - len = snprintf(p, buflen, "%02x", vp->vp_octets[i]); - if (len >= buflen) return 0; - - p += len; - buflen -= len; - } - len = 0; - break; - - default: - len = 0; - break; - } - - if (len >= buflen) return 0; - - p += len; - buflen -= len; - - return p - buffer; -} - -size_t nr_vp_snprintf(char *buffer, size_t buflen, const VALUE_PAIR *vp) -{ - size_t len; - char *p = buffer; - - len = snprintf(p, buflen, "%s = ", vp->da->name); - if (len >= buflen) return 0; - - p += len; - buflen -= len; - - len = nr_vp_snprintf_value(p, buflen, vp); - if (len == 0) return 0; - - if (len >= buflen) return 0; - - p += len; - - return p - buffer; -} - -#ifndef NDEBUG -void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps) -{ - const VALUE_PAIR *vp; - char buffer[1024]; - - for (vp = vps; vp != NULL; vp = vp->next) { - nr_vp_snprintf(buffer, sizeof(buffer), vp); - fprintf(fp, "\t%s\n", buffer); - } -} -#endif - -/** \cond PRIVATE */ -#define NR_STRERROR_BUFSIZE (1024) -static char nr_strerror_buffer[NR_STRERROR_BUFSIZE]; - -void nr_strerror_printf(const char *fmt, ...) -{ - va_list ap; - va_start(ap, fmt); - vsnprintf(nr_strerror_buffer, sizeof(nr_strerror_buffer), fmt, ap); - va_end(ap); - - fprintf(stderr, "ERROR: %s\n", nr_strerror_buffer); -} -/** \endcond */ - diff --git a/lib/radius/radpkt.c b/lib/radius/radpkt.c deleted file mode 100644 index d9486ea..0000000 --- a/lib/radius/radpkt.c +++ /dev/null @@ -1,920 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file packet.c - * \brief Encoding and decoding packets - */ - -#include "client.h" - -#if RS_MAX_PACKET_LEN < 64 -#error RS_MAX_PACKET_LEN is too small. It should be at least 64. -#endif - -#if RS_MAX_PACKET_LEN > 16384 -#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K. -#endif - -const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = { - NULL, - "Access-Request", - "Access-Accept", - "Access-Reject", - "Accounting-Request", - "Accounting-Response", - NULL, NULL, NULL, NULL, NULL, - "Access-Challenge", - "Status-Server", /* 12 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */ - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */ - "Disconnect-Request", - "Disconnect-ACK", - "Disconnect-NAK", - "CoA-Request", - "CoA-ACK", - "CoA-NAK" -}; - - -static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = { - 0, - (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), - 0, 0, - 1 << PW_ACCOUNTING_RESPONSE, - 0, - 0, 0, 0, 0, 0, - 0, - (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE), - 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */ - (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK), - 0, - 0, - (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK), - 0, - 0 -}; - - -int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) -{ - size_t packet_len; - const uint8_t *attr, *end; - - if (!data || (sizeof_data < 20)) { - nr_debug_error("Invalid argument"); - return -RSE_INVAL; - } - - packet_len = (data[2] << 8) | data[3]; - if (packet_len < 20) { - nr_debug_error("Packet length is too small"); - return -RSE_PACKET_TOO_SMALL; - } - - if (packet_len > sizeof_data) { - nr_debug_error("Packet length overflows received data"); - return -RSE_PACKET_TOO_LARGE; - } - - /* - * If we receive 100 bytes, and the header says it's 20 bytes, - * then it's 20 bytes. - */ - end = data + packet_len; - - for (attr = data + 20; attr < end; attr += attr[1]) { - if ((attr + 2) > end) { - nr_debug_error("Attribute overflows packet"); - return -RSE_ATTR_OVERFLOW; - } - - if (attr[1] < 2) { - nr_debug_error("Attribute length is too small"); - return -RSE_ATTR_TOO_SMALL; - } - - if ((attr + attr[1]) > end) { - nr_debug_error("Attribute length is too large"); - return -RSE_ATTR_TOO_LARGE; - } - } - - return 0; -} - -int nr_packet_ok(RADIUS_PACKET *packet) -{ - int rcode; - - if (!packet) return -RSE_INVAL; - - if ((packet->flags & RS_PACKET_OK) != 0) return 0; - - rcode = nr_packet_ok_raw(packet->data, packet->length); - if (rcode < 0) return rcode; - - packet->flags |= RS_PACKET_OK; - return 0; -} - - -/* - * Comparison function that is time-independent. Using "memcmp" - * would satisfy the "comparison" part. However, it would also - * leak information about *which* bytes are wrong. Attackers - * could use that leak to create a "correct" RADIUS packet which - * will be accepted by the client and/or server. - */ -static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length) -{ - int result = 0; - size_t i; - - for (i = 0; i < length; i++) { - result |= (a[i] ^ b[i]); - } - - return result; -} - - -#ifdef PW_MESSAGE_AUTHENTICATOR -static int msg_auth_ok(const RADIUS_PACKET *original, - uint8_t *ma, - uint8_t *data, size_t length) -{ - uint8_t packet_vector[sizeof(original->vector)]; - uint8_t msg_auth_vector[sizeof(original->vector)]; - uint8_t calc_auth_vector[sizeof(original->vector)]; - - if (ma[1] != 18) { - nr_debug_error("Message-Authenticator has invalid length"); - return -RSE_MSG_AUTH_LEN; - } - - memcpy(packet_vector, data + 4, sizeof(packet_vector)); - memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector)); - memset(ma + 2, 0, sizeof(msg_auth_vector)); - - switch (data[0]) { - default: - break; - - case PW_ACCOUNTING_REQUEST: - case PW_ACCOUNTING_RESPONSE: - case PW_DISCONNECT_REQUEST: - case PW_DISCONNECT_ACK: - case PW_DISCONNECT_NAK: - case PW_COA_REQUEST: - case PW_COA_ACK: - case PW_COA_NAK: - memset(data + 4, 0, sizeof(packet_vector)); - break; - - case PW_ACCESS_ACCEPT: - case PW_ACCESS_REJECT: - case PW_ACCESS_CHALLENGE: - if (!original) { - nr_debug_error("Cannot validate response without request"); - return -RSE_REQUEST_REQUIRED; - } - memcpy(data + 4, original->vector, sizeof(original->vector)); - break; - } - - nr_hmac_md5(data, length, - (const uint8_t *) original->secret, original->sizeof_secret, - calc_auth_vector); - - memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector)); - memcpy(data + 4, packet_vector, sizeof(packet_vector)); - - if (digest_cmp(calc_auth_vector, msg_auth_vector, - sizeof(calc_auth_vector)) != 0) { - nr_debug_error("Invalid Message-Authenticator"); - return -RSE_MSG_AUTH_WRONG; - } - - return 1; -} -#endif - -/* - * The caller ensures that the packet codes are as expected. - */ -static int packet_auth_ok(const RADIUS_PACKET *original, - uint8_t *data, size_t length) -{ - uint8_t packet_vector[sizeof(original->vector)]; - uint8_t calc_digest[sizeof(original->vector)]; - RS_MD5_CTX ctx; - - if ((data[0] == PW_ACCESS_REQUEST) || - (data[0] == PW_STATUS_SERVER)) return 1; - - memcpy(packet_vector, data + 4, sizeof(packet_vector)); - - if (!original) { - memset(data + 4, 0, sizeof(packet_vector)); - } else { - memcpy(data + 4, original->vector, sizeof(original->vector)); - } - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, data, length); - RS_MD5Update(&ctx, (const unsigned char *)original->secret, original->sizeof_secret); - RS_MD5Final(calc_digest, &ctx); - - memcpy(data + 4, packet_vector, sizeof(packet_vector)); - - if (digest_cmp(calc_digest, packet_vector, - sizeof(packet_vector)) != 0) { - nr_debug_error("Invalid authentication vector"); - return -RSE_AUTH_VECTOR_WRONG; - } - - return 0; -} - - -int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ - int rcode; - uint8_t *attr; -#ifdef PW_MESSAGE_AUTHENTICATOR - const uint8_t *end; -#endif - - if (!packet || !packet->data || !packet->secret) { - nr_debug_error("Invalid argument"); - return -RSE_INVAL; - } - - if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0; - - /* - * Packet isn't well formed. Ignore it. - */ - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - /* - * Get rid of improper packets as early as possible. - */ - if (original) { - uint64_t mask; - - if (original->code > RS_MAX_PACKET_CODE) { - nr_debug_error("Invalid original code %u", - original->code); - return -RSE_INVALID_REQUEST_CODE; - } - - if (packet->data[1] != original->id) { - nr_debug_error("Ignoring response with wrong ID %u", - packet->data[1]); - return -RSE_INVALID_RESPONSE_CODE; - } - - mask = 1; - mask <<= packet->data[0]; - - if ((allowed_responses[original->code] & mask) == 0) { - nr_debug_error("Ignoring response with wrong code %u", - packet->data[0]); - return -RSE_INVALID_RESPONSE_CODE; - } - - if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && - (evutil_sockaddr_cmp((struct sockaddr *)&packet->src, (struct sockaddr *)&original->dst, 1) != 0)) { - nr_debug_error("Ignoring response from wrong IP/port"); - return -RSE_INVALID_RESPONSE_SRC; - } - - } else if (allowed_responses[packet->data[0]] != 0) { - nr_debug_error("Ignoring response without original"); - return -RSE_INVALID_RESPONSE_CODE; - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - end = packet->data + packet->length; - - /* - * Note that the packet MUST be well-formed here. - */ - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { - rcode = msg_auth_ok(original, attr, - packet->data, packet->length); - if (rcode < 0) return rcode; - } - } -#endif - - /* - * Verify the packet authenticator. - */ - rcode = packet_auth_ok(original, packet->data, packet->length); - if (rcode < 0) return rcode; - - packet->flags |= RS_PACKET_VERIFIED; - - return 0; -} - - -int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ - int rcode, num_attributes; - uint8_t *data, *attr; - const uint8_t *end; - VALUE_PAIR **tail, *vp; - - if (!packet) return -RSE_INVAL; - - if ((packet->flags & RS_PACKET_DECODED) != 0) return 0; - - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - data = packet->data; - end = data + packet->length; - tail = &packet->vps; - num_attributes = 0; - - /* - * Loop over the packet, converting attrs to VPs. - */ - for (attr = data + 20; attr < end; attr += attr[1]) { - rcode = nr_attr2vp(packet, original, - attr, end - attr, &vp); - if (rcode < 0) { - nr_vp_free(&packet->vps); - return -rcode; - } - - *tail = vp; - while (vp) { - num_attributes++; - tail = &(vp->next); - vp = vp->next; - } - - if (num_attributes > RS_MAX_ATTRIBUTES) { - nr_debug_error("Too many attributes"); - nr_vp_free(&packet->vps); - return -RSE_TOO_MANY_ATTRS; - } - } - - packet->code = data[0]; - packet->id = data[1]; - memcpy(packet->vector, data + 4, sizeof(packet->vector)); - - packet->flags |= RS_PACKET_DECODED; - - return 0; -} - - -int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ -#ifdef PW_MESSAGE_AUTHENTICATOR - size_t ma = 0; - const uint8_t *attr, *end; -#endif - - if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0; - - if ((packet->flags & RS_PACKET_ENCODED) == 0) { - int rcode; - - rcode = nr_packet_encode(packet, original); - if (rcode < 0) return rcode; - } - - if ((packet->code == PW_ACCESS_ACCEPT) || - (packet->code == PW_ACCESS_CHALLENGE) || - (packet->code == PW_ACCESS_REJECT)) { -#ifdef PW_MESSAGE_AUTHENTICATOR - if (!original) { - nr_debug_error("Original packet is required to create the Message-Authenticator"); - return -RSE_REQUEST_REQUIRED; - } -#endif - - memcpy(packet->data + 4, original->vector, - sizeof(original->vector)); - } else { - memcpy(packet->data + 4, packet->vector, - sizeof(packet->vector)); - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - end = packet->data + packet->length; - - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { - ma = (attr - packet->data); - break; - } - } - - /* - * Force all Access-Request packets to have a - * Message-Authenticator. - */ - if (!ma && ((packet->length + 18) <= packet->sizeof_data) && - ((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER))) { - ma = packet->length; - - packet->data[ma]= PW_MESSAGE_AUTHENTICATOR; - packet->data[ma + 1] = 18; - memset(&packet->data[ma + 2], 0, 16); - packet->length += 18; - } - - /* - * Reset the length. - */ - packet->data[2] = (packet->length >> 8) & 0xff; - packet->data[3] = packet->length & 0xff; - - /* - * Sign the Message-Authenticator && packet. - */ - if (ma) { - nr_hmac_md5(packet->data, packet->length, - (const uint8_t *) packet->secret, packet->sizeof_secret, - packet->data + ma + 2); - } -#endif - - /* - * Calculate the signature. - */ - if (!((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER))) { - RS_MD5_CTX ctx; - - RS_MD5Init(&ctx); - RS_MD5Update(&ctx, packet->data, packet->length); - RS_MD5Update(&ctx, (const unsigned char *)packet->secret, packet->sizeof_secret); - RS_MD5Final(packet->vector, &ctx); - } - - memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); - - packet->attempts = 0; - packet->flags |= RS_PACKET_SIGNED; - - return 0; -} - - -static int can_encode_packet(RADIUS_PACKET *packet, - const RADIUS_PACKET *original) -{ - if ((packet->code == 0) || - (packet->code > RS_MAX_PACKET_CODE) || - (original && (original->code > RS_MAX_PACKET_CODE))) { - nr_debug_error("Cannot send unknown packet code"); - return -RSE_INVALID_REQUEST_CODE; - } - - if (!nr_packet_codes[packet->code]) { - nr_debug_error("Cannot handle packet code %u", - packet->code); - return -RSE_INVALID_REQUEST_CODE; - } - -#ifdef NR_NO_MALLOC - if (!packet->data) { - nr_debug_error("No place to put packet"); - return -RSE_NO_PACKET_DATA; - } -#endif - - if (packet->sizeof_data < 20) { - nr_debug_error("The buffer is too small to encode the packet"); - return -RSE_PACKET_TOO_SMALL; - } - - /* - * Enforce request / response correlation. - */ - if (original) { - uint64_t mask; - - mask = 1; - mask <<= packet->code; - - if ((allowed_responses[original->code] & mask) == 0) { - nr_debug_error("Cannot encode response %u to packet %u", - packet->code, original->code); - return -RSE_INVALID_RESPONSE_CODE; - } - packet->id = original->id; - - } else if (allowed_responses[packet->code] == 0) { - nr_debug_error("Cannot encode response %u without original", - packet->code); - return -RSE_REQUEST_REQUIRED; - } - - return 0; -} - -static void encode_header(RADIUS_PACKET *packet) -{ - if ((packet->flags & RS_PACKET_HEADER) != 0) return; - - memset(packet->data, 0, 20); - packet->data[0] = packet->code; - packet->data[1] = packet->id; - packet->data[2] = 0; - packet->data[3] = 20; - packet->length = 20; - - /* - * Calculate a random authentication vector. - */ - if ((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER)) { - nr_rand_bytes(packet->vector, sizeof(packet->vector)); - } else { - memset(packet->vector, 0, sizeof(packet->vector)); - } - - memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); - - packet->flags |= RS_PACKET_HEADER; -} - -int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) -{ -#ifdef PW_MESSAGE_AUTHENTICATOR - size_t ma = 0; -#endif - int rcode; - ssize_t len; - const VALUE_PAIR *vp; - uint8_t *data, *end; - - if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0; - - rcode = can_encode_packet(packet, original); - if (rcode < 0) return rcode; - - data = packet->data; - end = data + packet->sizeof_data; - - encode_header(packet); - data += 20; - - /* - * Encode each VALUE_PAIR - */ - vp = packet->vps; - while (vp) { -#ifdef PW_MESSAGE_AUTHENTICATOR - if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { - ma = (data - packet->data); - } -#endif - len = nr_vp2attr(packet, original, &vp, - data, end - data); - if (len < 0) return len; - - if (len == 0) break; /* insufficient room to encode it */ - - data += data[1]; - } - -#ifdef PW_MESSAGE_AUTHENTICATOR - /* - * Always send a Message-Authenticator. - * - * We do *not* recommend removing this code. - */ - if (((packet->code == PW_ACCESS_REQUEST) || - (packet->code == PW_STATUS_SERVER)) && - !ma && - ((data + 18) <= end)) { - ma = (data - packet->data); - data[0] = PW_MESSAGE_AUTHENTICATOR; - data[1] = 18; - memset(data + 2, 0, 16); - data += data[1]; - } -#endif - - packet->length = data - packet->data; - - packet->data[2] = (packet->length >> 8) & 0xff; - packet->data[3] = packet->length & 0xff; - - packet->flags |= RS_PACKET_ENCODED; - - return packet->length; -} - - -/* - * Ensure that the nr_data2attr_t structure is filled in - * appropriately. This includes filling in a fake DICT_ATTR - * structure, if necessary. - */ -static int do_callback(void *ctx, nr_packet_walk_func_t callback, - int attr, int vendor, - const uint8_t *data, size_t sizeof_data) - -{ - int rcode; - const DICT_ATTR *da; - DICT_ATTR myda; - char buffer[64]; - - da = nr_dict_attr_byvalue(attr, vendor); - - /* - * The attribute is supposed to have a particular length, - * but does not. It is therefore malformed. - */ - if (da && (da->flags.length != 0) && - da->flags.length != sizeof_data) { - da = NULL; - } - - if (!da) { - rcode = nr_dict_attr_2struct(&myda, attr, vendor, - buffer, sizeof(buffer)); - - if (rcode < 0) return rcode; - da = &myda; - } - - rcode = callback(ctx, da, data, sizeof_data); - if (rcode < 0) return rcode; - - return 0; -} - - -int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, - nr_packet_walk_func_t callback) -{ - int rcode; - uint8_t *attr; - const uint8_t *end; - - if (!packet || !callback) return -RSE_INVAL; - - rcode = nr_packet_ok(packet); - if (rcode < 0) return rcode; - - end = packet->data + packet->length; - - for (attr = packet->data + 20; attr < end; attr += attr[1]) { - int length, value; - int dv_type, dv_length; - uint32_t vendorpec; - const uint8_t *vsa; - const DICT_VENDOR *dv = NULL; - - vendorpec = 0; - value = attr[0]; - - if (value != PW_VENDOR_SPECIFIC) { - raw: - rcode = do_callback(ctx, callback, - attr[0], 0, - attr + 2, attr[1] - 2); - if (rcode < 0) return rcode; - continue; - } - - if (attr[1] < 6) goto raw; - memcpy(&vendorpec, attr + 2, 4); - vendorpec = ntohl(vendorpec); - - if (dv && (dv->vendor != vendorpec)) dv = NULL; - - if (!dv) dv = nr_dict_vendor_byvalue(vendorpec); - - if (dv) { - dv_type = dv->type; - dv_length = dv->length; - } else { - dv_type = 1; - dv_length = 1; - } - - /* - * Malformed: it's a raw attribute. - */ - if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) { - goto raw; - } - - for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) { - switch (dv_type) { - case 4: - value = (vsa[2] << 8) | vsa[3]; - break; - - case 2: - value = (vsa[0] << 8) | vsa[1]; - break; - - case 1: - value = vsa[0]; - break; - - default: - return -RSE_INTERNAL; - } - - switch (dv_length) { - case 0: - length = attr[1] - 6 - dv_type; - break; - - case 2: - case 1: - length = vsa[dv_type + dv_length - 1]; - break; - - default: - return -RSE_INTERNAL; - } - - rcode = do_callback(ctx, callback, - value, vendorpec, - vsa + dv_type + dv_length, - length - dv_type - dv_length); - if (rcode < 0) return rcode; - } - } - - return 0; -} - -int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, - const char *secret, int code, - void *data, size_t sizeof_data) -{ - int rcode; - - if ((code < 0) || (code > RS_MAX_PACKET_CODE)) { - return -RSE_INVALID_REQUEST_CODE; - } - - if (!data || (sizeof_data < 20)) return -RSE_INVAL; - - memset(packet, 0, sizeof(*packet)); - packet->secret = secret; - packet->sizeof_secret = secret ? strlen(secret) : 0; - packet->code = code; - packet->id = 0; - packet->data = data; - packet->sizeof_data = sizeof_data; - - rcode = can_encode_packet(packet, original); - if (rcode < 0) return rcode; - - encode_header(packet); - - return 0; -} - - -static int pack_eap(RADIUS_PACKET *packet, - const void *data, size_t data_len) -{ - uint8_t *attr, *end; - const uint8_t *eap; - size_t left; - - eap = data; - left = data_len; - attr = packet->data + packet->length; - end = attr + packet->sizeof_data; - - while (left > 253) { - if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW; - - attr[0] = PW_EAP_MESSAGE; - attr[1] = 255; - memcpy(attr + 2, eap, 253); - attr += attr[1]; - eap += 253; - left -= 253; - } - - if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW; - - attr[0] = PW_EAP_MESSAGE; - attr[1] = 2 + left; - memcpy(attr + 2, eap, left); - attr += attr[1]; - packet->length = attr - packet->data; - - return 0; -} - -ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, - const RADIUS_PACKET *original, - const DICT_ATTR *da, - const void *data, size_t data_len) -{ - ssize_t rcode; - uint8_t *attr, *end; - VALUE_PAIR my_vp; - const VALUE_PAIR *vp; - - if (!packet || !da || !data) { - return -RSE_INVAL; - } - - if (data_len == 0) { - if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL; - - data_len = strlen(data); - } - - /* We're going to mark the whole packet as encoded so we - better not have any unencoded value-pairs attached. */ - if (packet->vps) - return -RSE_INVAL; - packet->flags |= RS_PACKET_ENCODED; - - attr = packet->data + packet->length; - end = attr + packet->sizeof_data; - - if ((attr + 2 + data_len) > end) { - return -RSE_ATTR_OVERFLOW; - } - - if ((da->flags.length != 0) && - (data_len != da->flags.length)) { - return -RSE_ATTR_VALUE_MALFORMED; - } - -#ifdef PW_EAP_MESSAGE - /* - * automatically split EAP-Message into multiple - * attributes. - */ - if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) { - return pack_eap(packet, data, data_len); - } -#endif - - if (data_len > 253) return -RSE_ATTR_TOO_LARGE; - - vp = nr_vp_init(&my_vp, da); - rcode = nr_vp_set_data(&my_vp, data, data_len); - if (rcode < 0) return rcode; - - /* - * Note that this function packs VSAs each into their own - * Vendor-Specific attribute. If this isn't what you - * want, use the version of the library with full support - * for TLVs, WiMAX, and extended attributes. - */ - rcode = nr_vp2attr(packet, original, &vp, attr, end - attr); - if (rcode <= 0) return rcode; - - packet->length += rcode; - - return rcode; -} diff --git a/lib/radius/share/dictionary.abfab.ietf b/lib/radius/share/dictionary.abfab.ietf deleted file mode 100644 index b60702c..0000000 --- a/lib/radius/share/dictionary.abfab.ietf +++ /dev/null @@ -1,4 +0,0 @@ -ATTRIBUTE GSS-Acceptor-Service-Name 164 string -ATTRIBUTE GSS-Acceptor-Host-Name 165 string -ATTRIBUTE GSS-Acceptor-Service-Specifics 166 string -ATTRIBUTE GSS-Acceptor-Realm-Name 167 string diff --git a/lib/radius/share/dictionary.juniper b/lib/radius/share/dictionary.juniper deleted file mode 100644 index 9aa5df4..0000000 --- a/lib/radius/share/dictionary.juniper +++ /dev/null @@ -1,23 +0,0 @@ -# -*- text -*- -# -# dictionary.juniper -# -# As posted to the list by Eric Kilfoil -# -# Version: $Id$ -# - -VENDOR Juniper 2636 - -BEGIN-VENDOR Juniper - -ATTRIBUTE Juniper-Local-User-Name 1 string -ATTRIBUTE Juniper-Allow-Commands 2 string -ATTRIBUTE Juniper-Deny-Commands 3 string -ATTRIBUTE Juniper-Allow-Configuration 4 string -ATTRIBUTE Juniper-Deny-Configuration 5 string -ATTRIBUTE Juniper-Interactive-Command 8 string -ATTRIBUTE Juniper-Configuration-Change 9 string -ATTRIBUTE Juniper-User-Permissions 10 string - -END-VENDOR Juniper diff --git a/lib/radius/share/dictionary.microsoft b/lib/radius/share/dictionary.microsoft deleted file mode 100644 index 034e5f0..0000000 --- a/lib/radius/share/dictionary.microsoft +++ /dev/null @@ -1,17 +0,0 @@ -# A minimal dictionary for Microsoft VSAs -# -VENDOR Microsoft 311 - -BEGIN-VENDOR Microsoft -ATTRIBUTE MS-CHAP-Response 1 octets -ATTRIBUTE MS-CHAP-Error 2 string -ATTRIBUTE MS-MPPE-Encryption-Policy 7 octets -ATTRIBUTE MS-MPPE-Encryption-Types 8 octets -ATTRIBUTE MS-CHAP-Domain 10 string -ATTRIBUTE MS-CHAP-Challenge 11 octets -ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1 -ATTRIBUTE MS-MPPE-Send-Key 16 octets encrypt=2 -ATTRIBUTE MS-MPPE-Recv-Key 17 octets encrypt=2 -ATTRIBUTE MS-CHAP2-Response 25 octets -ATTRIBUTE MS-CHAP2-Success 26 octets -END-VENDOR Microsoft diff --git a/lib/radius/share/dictionary.txt b/lib/radius/share/dictionary.txt deleted file mode 100644 index e62f8b3..0000000 --- a/lib/radius/share/dictionary.txt +++ /dev/null @@ -1,136 +0,0 @@ -ATTRIBUTE User-Name 1 string -ATTRIBUTE User-Password 2 string encrypt=1 -ATTRIBUTE CHAP-Password 3 octets -ATTRIBUTE NAS-IP-Address 4 ipaddr -ATTRIBUTE NAS-Port 5 integer -ATTRIBUTE Service-Type 6 integer -ATTRIBUTE Framed-Protocol 7 integer -ATTRIBUTE Framed-IP-Address 8 ipaddr -ATTRIBUTE Framed-IP-Netmask 9 ipaddr -ATTRIBUTE Framed-Routing 10 integer -ATTRIBUTE Filter-Id 11 string -ATTRIBUTE Framed-MTU 12 integer -ATTRIBUTE Framed-Compression 13 integer -ATTRIBUTE Login-IP-Host 14 ipaddr -ATTRIBUTE Login-Service 15 integer -ATTRIBUTE Login-TCP-Port 16 integer -ATTRIBUTE Reply-Message 18 string -ATTRIBUTE Callback-Number 19 string -ATTRIBUTE Callback-Id 20 string -ATTRIBUTE Framed-Route 22 string -ATTRIBUTE Framed-IPX-Network 23 ipaddr -ATTRIBUTE State 24 octets -ATTRIBUTE Class 25 octets -ATTRIBUTE Vendor-Specific 26 octets -ATTRIBUTE Session-Timeout 27 integer -ATTRIBUTE Idle-Timeout 28 integer -ATTRIBUTE Termination-Action 29 integer -ATTRIBUTE Called-Station-Id 30 string -ATTRIBUTE Calling-Station-Id 31 string -ATTRIBUTE NAS-Identifier 32 string -ATTRIBUTE Proxy-State 33 octets -ATTRIBUTE Login-LAT-Service 34 string -ATTRIBUTE Login-LAT-Node 35 string -ATTRIBUTE Login-LAT-Group 36 octets -ATTRIBUTE Framed-AppleTalk-Link 37 integer -ATTRIBUTE Framed-AppleTalk-Network 38 integer -ATTRIBUTE Framed-AppleTalk-Zone 39 string -ATTRIBUTE CHAP-Challenge 60 octets -ATTRIBUTE NAS-Port-Type 61 integer -ATTRIBUTE Port-Limit 62 integer -ATTRIBUTE Login-LAT-Port 63 string -ATTRIBUTE Acct-Status-Type 40 integer -ATTRIBUTE Acct-Delay-Time 41 integer -ATTRIBUTE Acct-Input-Octets 42 integer -ATTRIBUTE Acct-Output-Octets 43 integer -ATTRIBUTE Acct-Session-Id 44 string -ATTRIBUTE Acct-Authentic 45 integer -ATTRIBUTE Acct-Session-Time 46 integer -ATTRIBUTE Acct-Input-Packets 47 integer -ATTRIBUTE Acct-Output-Packets 48 integer -ATTRIBUTE Acct-Terminate-Cause 49 integer -ATTRIBUTE Acct-Multi-Session-Id 50 string -ATTRIBUTE Acct-Link-Count 51 integer -ATTRIBUTE Acct-Tunnel-Connection 68 string -ATTRIBUTE Acct-Tunnel-Packets-Lost 86 integer -ATTRIBUTE Tunnel-Type 64 integer has_tag -ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag -ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag -ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag -ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2 -ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag -ATTRIBUTE Tunnel-Assignment-Id 82 string has_tag -ATTRIBUTE Tunnel-Preference 83 integer has_tag -ATTRIBUTE Tunnel-Client-Auth-Id 90 string has_tag -ATTRIBUTE Tunnel-Server-Auth-Id 91 string has_tag -ATTRIBUTE Acct-Input-Gigawords 52 integer -ATTRIBUTE Acct-Output-Gigawords 53 integer -ATTRIBUTE Event-Timestamp 55 date -ATTRIBUTE ARAP-Password 70 octets[16] -ATTRIBUTE ARAP-Features 71 octets[14] -ATTRIBUTE ARAP-Zone-Access 72 integer -ATTRIBUTE ARAP-Security 73 integer -ATTRIBUTE ARAP-Security-Data 74 string -ATTRIBUTE Password-Retry 75 integer -ATTRIBUTE Prompt 76 integer -ATTRIBUTE Connect-Info 77 string -ATTRIBUTE Configuration-Token 78 string -ATTRIBUTE EAP-Message 79 octets -ATTRIBUTE Message-Authenticator 80 octets -ATTRIBUTE ARAP-Challenge-Response 84 octets[8] -ATTRIBUTE Acct-Interim-Interval 85 integer -ATTRIBUTE NAS-Port-Id 87 string -ATTRIBUTE Framed-Pool 88 string -ATTRIBUTE NAS-IPv6-Address 95 ipv6addr -ATTRIBUTE Framed-Interface-Id 96 ifid -ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix -ATTRIBUTE Login-IPv6-Host 98 ipv6addr -ATTRIBUTE Framed-IPv6-Route 99 string -ATTRIBUTE Framed-IPv6-Pool 100 string -ATTRIBUTE Error-Cause 101 integer -ATTRIBUTE EAP-Key-Name 102 string -ATTRIBUTE Chargeable-User-Identity 89 string -ATTRIBUTE Egress-VLANID 56 integer -ATTRIBUTE Ingress-Filters 57 integer -ATTRIBUTE Egress-VLAN-Name 58 string -ATTRIBUTE User-Priority-Table 59 octets -ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix -ATTRIBUTE NAS-Filter-Rule 92 string -ATTRIBUTE Digest-Response 103 string -ATTRIBUTE Digest-Realm 104 string -ATTRIBUTE Digest-Nonce 105 string -ATTRIBUTE Digest-Response-Auth 106 string -ATTRIBUTE Digest-Nextnonce 107 string -ATTRIBUTE Digest-Method 108 string -ATTRIBUTE Digest-URI 109 string -ATTRIBUTE Digest-Qop 110 string -ATTRIBUTE Digest-Algorithm 111 string -ATTRIBUTE Digest-Entity-Body-Hash 112 string -ATTRIBUTE Digest-CNonce 113 string -ATTRIBUTE Digest-Nonce-Count 114 string -ATTRIBUTE Digest-Username 115 string -ATTRIBUTE Digest-Opaque 116 string -ATTRIBUTE Digest-Auth-Param 117 string -ATTRIBUTE Digest-AKA-Auts 118 string -ATTRIBUTE Digest-Domain 119 string -ATTRIBUTE Digest-Stale 120 string -ATTRIBUTE Digest-HA1 121 string -ATTRIBUTE SIP-AOR 122 string -ATTRIBUTE Operator-Name 126 string -ATTRIBUTE Location-Information 127 octets -ATTRIBUTE Location-Data 128 octets -ATTRIBUTE Basic-Location-Policy-Rules 129 octets -ATTRIBUTE Extended-Location-Policy-Rules 130 octets -ATTRIBUTE Location-Capable 131 integer -ATTRIBUTE Requested-Location-Info 132 integer -ATTRIBUTE Framed-Management 133 integer -ATTRIBUTE Management-Transport-Protection 134 integer -ATTRIBUTE Management-Policy-Id 135 string -ATTRIBUTE Management-Privilege-Level 136 integer -ATTRIBUTE PKM-SS-Cert 137 octets -ATTRIBUTE PKM-CA-Cert 138 octets -ATTRIBUTE PKM-Config-Settings 139 octets -ATTRIBUTE PKM-Cryptosuite-List 140 octets -ATTRIBUTE PKM-SAID 141 short -ATTRIBUTE PKM-SA-Descriptor 142 octets -ATTRIBUTE PKM-Auth-Key 143 octets diff --git a/lib/radius/share/dictionary.ukerna b/lib/radius/share/dictionary.ukerna deleted file mode 100644 index 7d9d22d..0000000 --- a/lib/radius/share/dictionary.ukerna +++ /dev/null @@ -1,20 +0,0 @@ -# -*- text -*- -# -# GSS-EAP VSAs -# -# $Id$ -# - -VENDOR UKERNA 25622 - -BEGIN-VENDOR UKERNA - -ATTRIBUTE GSS-Acceptor-Service-Name-VS 128 string -ATTRIBUTE GSS-Acceptor-Host-Name-VS 129 string -ATTRIBUTE GSS-Acceptor-Service-Specific-VS 130 string -ATTRIBUTE GSS-Acceptor-Realm-Name-VS 131 string -ATTRIBUTE SAML-AAA-Assertion 132 string -ATTRIBUTE MS-Windows-Auth-Data 133 octets -ATTRIBUTE MS-Windows-Group-Sid 134 string - -END-VENDOR UKERNA diff --git a/lib/radius/share/dictionary.vendor b/lib/radius/share/dictionary.vendor deleted file mode 100644 index 571dbc4..0000000 --- a/lib/radius/share/dictionary.vendor +++ /dev/null @@ -1,10 +0,0 @@ -# a sample vendor-specific dictionary - -VENDOR example 65535 - -BEGIN-VENDOR example -ATTRIBUTE Example-Integer 1 integer -ATTRIBUTE Example-String 2 string -ATTRIBUTE Example-IP-Address 3 ipaddr - -END-VENDOR example diff --git a/lib/radius/static.c b/lib/radius/static.c deleted file mode 100644 index bd87272..0000000 --- a/lib/radius/static.c +++ /dev/null @@ -1,37 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file static.c - * \brief Dummy file to include auto-generating static dictionary mappings. - */ - -#include "client.h" - -/* - * Include the dynamically generated dictionaries. - */ -#include "dictionaries.c" diff --git a/lib/radius/tests/Makefile b/lib/radius/tests/Makefile deleted file mode 100644 index b9d74ad..0000000 --- a/lib/radius/tests/Makefile +++ /dev/null @@ -1,25 +0,0 @@ -# -# GNU Makefile -# -.PHONY: all clean -all: radattr - -HEADERS := ../client.h ../radius.h -CFLAGS := -g - -%.o : %.c - $(CC) $(CFLAGS) -I.. -I. -c $< - -%.o: ${HEADERS} - -LIBS := -lcrypto -lssl -LDFLAGS = -L.. -lnetworkradius-client - -../libnetworkradius-client.a: - @${MAKE} -C .. libnetworkradius-client.a - -radattr: radattr.o ../libnetworkradius-client.a - ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ - -clean: - @rm -rf *.o *.a *~ diff --git a/lib/radius/tests/radattr.c b/lib/radius/tests/radattr.c deleted file mode 100644 index d41499a..0000000 --- a/lib/radius/tests/radattr.c +++ /dev/null @@ -1,769 +0,0 @@ -/* - * Copyright (C) 2011 Network RADIUS SARL - * - * This software may not be redistributed in any form without the prior - * written consent of Network RADIUS. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include - -#include - -#include - -static int packet_code = PW_ACCESS_REQUEST; -static int packet_id = 1; -static uint8_t packet_vector[16] = { 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0 }; -static char secret[256] = "testing123"; - -static int encode_tlv(char *buffer, uint8_t *output, size_t outlen); - -static const char *hextab = "0123456789abcdef"; - -static int encode_data_string(char *buffer, - uint8_t *output, size_t outlen) -{ - int length = 0; - char *p; - - p = buffer + 1; - - while (*p && (outlen > 0)) { - if (*p == '"') { - return length; - } - - if (*p != '\\') { - *(output++) = *(p++); - outlen--; - length++; - continue; - } - - switch (p[1]) { - default: - *(output++) = p[1]; - break; - - case 'n': - *(output++) = '\n'; - break; - - case 'r': - *(output++) = '\r'; - break; - - case 't': - *(output++) = '\t'; - break; - } - - outlen--; - length++; - } - - fprintf(stderr, "String is not terminated\n"); - return 0; -} - -static int encode_data_tlv(char *buffer, char **endptr, - uint8_t *output, size_t outlen) -{ - int depth = 0; - int length; - char *p; - - for (p = buffer; *p != '\0'; p++) { - if (*p == '{') depth++; - if (*p == '}') { - depth--; - if (depth == 0) break; - } - } - - if (*p != '}') { - fprintf(stderr, "No trailing '}' in string starting " - "with \"%s\"\n", - buffer); - return 0; - } - - *endptr = p + 1; - *p = '\0'; - - p = buffer + 1; - while (isspace((int) *p)) p++; - - length = encode_tlv(p, output, outlen); - if (length == 0) return 0; - - return length; -} - -static int encode_hex(char *p, uint8_t *output, size_t outlen) -{ - int length = 0; - while (*p) { - char *c1, *c2; - - while (isspace((int) *p)) p++; - - if (!*p) break; - - if(!(c1 = memchr(hextab, tolower((int) p[0]), 16)) || - !(c2 = memchr(hextab, tolower((int) p[1]), 16))) { - fprintf(stderr, "Invalid data starting at " - "\"%s\"\n", p); - return 0; - } - - *output = ((c1 - hextab) << 4) + (c2 - hextab); - output++; - length++; - p += 2; - - outlen--; - if (outlen == 0) { - fprintf(stderr, "Too much data\n"); - return 0; - } - } - - return length; -} - - -static int encode_data(char *p, uint8_t *output, size_t outlen) -{ - int length; - - if (!isspace((int) *p)) { - fprintf(stderr, "Invalid character following attribute " - "definition\n"); - return 0; - } - - while (isspace((int) *p)) p++; - - if (*p == '{') { - int sublen; - char *q; - - length = 0; - - do { - while (isspace((int) *p)) p++; - if (!*p) { - if (length == 0) { - fprintf(stderr, "No data\n"); - return 0; - } - - break; - } - - sublen = encode_data_tlv(p, &q, output, outlen); - if (sublen == 0) return 0; - - length += sublen; - output += sublen; - outlen -= sublen; - p = q; - } while (*q); - - return length; - } - - if (*p == '"') { - length = encode_data_string(p, output, outlen); - return length; - } - - length = encode_hex(p, output, outlen); - - if (length == 0) { - fprintf(stderr, "Empty string\n"); - return 0; - } - - return length; -} - -static int decode_attr(char *buffer, char **endptr) -{ - long attr; - - attr = strtol(buffer, endptr, 10); - if (*endptr == buffer) { - fprintf(stderr, "No valid number found in string " - "starting with \"%s\"\n", buffer); - return 0; - } - - if (!**endptr) { - fprintf(stderr, "Nothing follows attribute number\n"); - return 0; - } - - if ((attr <= 0) || (attr > 256)) { - fprintf(stderr, "Attribute number is out of valid " - "range\n"); - return 0; - } - - return (int) attr; -} - -static int decode_vendor(char *buffer, char **endptr) -{ - long vendor; - - if (*buffer != '.') { - fprintf(stderr, "Invalid separator before vendor id\n"); - return 0; - } - - vendor = strtol(buffer + 1, endptr, 10); - if (*endptr == (buffer + 1)) { - fprintf(stderr, "No valid vendor number found\n"); - return 0; - } - - if (!**endptr) { - fprintf(stderr, "Nothing follows vendor number\n"); - return 0; - } - - if ((vendor <= 0) || (vendor > (1 << 24))) { - fprintf(stderr, "Vendor number is out of valid range\n"); - return 0; - } - - if (**endptr != '.') { - fprintf(stderr, "Invalid data following vendor number\n"); - return 0; - } - (*endptr)++; - - return (int) vendor; -} - -static int encode_tlv(char *buffer, uint8_t *output, size_t outlen) -{ - int attr; - int length; - char *p; - - attr = decode_attr(buffer, &p); - if (attr == 0) return 0; - - output[0] = attr; - output[1] = 2; - - if (*p == '.') { - p++; - length = encode_tlv(p, output + 2, outlen - 2); - - } else { - length = encode_data(p, output + 2, outlen - 2); - } - - if (length == 0) return 0; - if (length > (255 - 2)) { - fprintf(stderr, "TLV data is too long\n"); - return 0; - } - - output[1] += length; - - return length + 2; -} - -static int encode_vsa(char *buffer, uint8_t *output, size_t outlen) -{ - int vendor; - int length; - char *p; - - vendor = decode_vendor(buffer, &p); - if (vendor == 0) return 0; - - output[0] = 0; - output[1] = (vendor >> 16) & 0xff; - output[2] = (vendor >> 8) & 0xff; - output[3] = vendor & 0xff; - - length = encode_tlv(p, output + 4, outlen - 4); - if (length == 0) return 0; - if (length > (255 - 6)) { - fprintf(stderr, "VSA data is too long\n"); - return 0; - } - - - return length + 4; -} - -static int encode_evs(char *buffer, uint8_t *output, size_t outlen) -{ - int vendor; - int attr; - int length; - char *p; - - vendor = decode_vendor(buffer, &p); - if (vendor == 0) return 0; - - attr = decode_attr(p, &p); - if (attr == 0) return 0; - - output[0] = 0; - output[1] = (vendor >> 16) & 0xff; - output[2] = (vendor >> 8) & 0xff; - output[3] = vendor & 0xff; - output[4] = attr; - - length = encode_data(p, output + 5, outlen - 5); - if (length == 0) return 0; - - return length + 5; -} - -static int encode_extended(char *buffer, - uint8_t *output, size_t outlen) -{ - int attr; - int length; - char *p; - - attr = decode_attr(buffer, &p); - if (attr == 0) return 0; - - output[0] = attr; - - if (attr == 26) { - length = encode_evs(p, output + 1, outlen - 1); - } else { - length = encode_data(p, output + 1, outlen - 1); - } - if (length == 0) return 0; - if (length > (255 - 3)) { - fprintf(stderr, "Extended Attr data is too long\n"); - return 0; - } - - return length + 1; -} - -static int encode_extended_flags(char *buffer, - uint8_t *output, size_t outlen) -{ - int attr; - int length, total; - char *p; - - attr = decode_attr(buffer, &p); - if (attr == 0) return 0; - - /* output[0] is the extended attribute */ - output[1] = 4; - output[2] = attr; - output[3] = 0; - - if (attr == 26) { - length = encode_evs(p, output + 4, outlen - 4); - if (length == 0) return 0; - - output[1] += 5; - length -= 5; - } else { - length = encode_data(p, output + 4, outlen - 4); - } - if (length == 0) return 0; - - total = 0; - while (1) { - int sublen = 255 - output[1]; - - if (length <= sublen) { - output[1] += length; - total += output[1]; - break; - } - - length -= sublen; - - memmove(output + 255 + 4, output + 255, length); - memcpy(output + 255, output, 4); - - output[1] = 255; - output[3] |= 0x80; - - output += 255; - output[1] = 4; - total += 255; - } - - return total; -} - -static int encode_rfc(char *buffer, uint8_t *output, size_t outlen) -{ - int attr; - int length, sublen; - char *p; - - attr = decode_attr(buffer, &p); - if (attr == 0) return 0; - - length = 2; - output[0] = attr; - output[1] = 2; - - if (attr == 26) { - sublen = encode_vsa(p, output + 2, outlen - 2); - - } else if ((attr < 241) || (attr > 246)) { - sublen = encode_data(p, output + 2, outlen - 2); - - } else { - if (*p != '.') { - fprintf(stderr, "Invalid data following " - "attribute number\n"); - return 0; - } - - if (attr < 245) { - sublen = encode_extended(p + 1, - output + 2, outlen - 2); - } else { - - /* - * Not like the others! - */ - return encode_extended_flags(p + 1, output, outlen); - } - } - if (sublen == 0) return 0; - if (sublen > (255 -2)) { - fprintf(stderr, "RFC Data is too long\n"); - return 0; - } - - output[1] += sublen; - return length + sublen; -} - -static int walk_callback(void *ctx, const DICT_ATTR *da, - const uint8_t *data, size_t sizeof_data) -{ - char **p = ctx; - - sprintf(*p, "v%u a%u l%ld,", - da->vendor, da->attr, sizeof_data); - - *p += strlen(*p); -} - -static void process_file(const char *filename) -{ - int lineno, rcode; - size_t i, outlen; - ssize_t len, data_len; - FILE *fp; - RADIUS_PACKET packet; - char input[8192], buffer[8192]; - char output[8192]; - uint8_t *attr, data[2048]; - - if (strcmp(filename, "-") == 0) { - fp = stdin; - filename = ""; - - } else { - fp = fopen(filename, "r"); - if (!fp) { - fprintf(stderr, "Error opening %s: %s\n", - filename, strerror(errno)); - exit(1); - } - } - - lineno = 0; - *output = '\0'; - data_len = 0; - - while (fgets(buffer, sizeof(buffer), fp) != NULL) { - char *p = strchr(buffer, '\n'); - VALUE_PAIR *vp, *head = NULL; - VALUE_PAIR **tail = &head; - - lineno++; - - if (!p) { - if (!feof(fp)) { - fprintf(stderr, "Line %d too long in %s\n", - lineno, filename); - exit(1); - } - } else { - *p = '\0'; - } - - p = strchr(buffer, '#'); - if (p) *p = '\0'; - - p = buffer; - while (isspace((int) *p)) p++; - if (!*p) continue; - - strcpy(input, p); - - if (strncmp(p, "raw ", 4) == 0) { - outlen = encode_rfc(p + 4, data, sizeof(data)); - if (outlen == 0) { - fprintf(stderr, "Parse error in line %d of %s\n", - lineno, filename); - exit(1); - } - - print_hex: - if (outlen == 0) { - output[0] = 0; - continue; - } - - data_len = outlen; - for (i = 0; i < outlen; i++) { - snprintf(output + 3*i, sizeof(output), - "%02x ", data[i]); - } - outlen = strlen(output); - output[outlen - 1] = '\0'; - continue; - } - - if (strncmp(p, "data ", 5) == 0) { - if (strcmp(p + 5, output) != 0) { - fprintf(stderr, "Mismatch in line %d of %s, expected: %s\n", - lineno, filename, output); - exit(1); - } - continue; - } - - head = NULL; - if (strncmp(p, "encode ", 7) == 0) { - if (strcmp(p + 7, "-") == 0) { - p = output; - } else { - p += 7; - } - - rcode = nr_vp_sscanf(p, &head); - if (rcode < 0) { - strcpy(output, nr_strerror(rcode)); - continue; - } - - attr = data; - vp = head; - while (vp != NULL) { - len = nr_vp2attr(NULL, NULL, &vp, - attr, sizeof(data) - (attr - data)); - if (len < 0) { - fprintf(stderr, "Failed encoding %s: %s\n", - vp->da->name, nr_strerror(len)); - exit(1); - } - - attr += len; - if (len == 0) break; - } - - nr_vp_free(&head); - outlen = len; - goto print_hex; - } - - if (strncmp(p, "decode ", 7) == 0) { - ssize_t my_len; - - if (strcmp(p + 7, "-") == 0) { - attr = data; - len = data_len; - } else { - attr = data; - len = encode_hex(p + 7, data, sizeof(data)); - if (len == 0) { - fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); - exit(1); - } - } - - while (len > 0) { - vp = NULL; - my_len = nr_attr2vp(NULL, NULL, - attr, len, &vp); - if (my_len < 0) { - nr_vp_free(&head); - break; - } - - if (my_len > len) { - fprintf(stderr, "Internal sanity check failed at %d\n", __LINE__); - exit(1); - } - - *tail = vp; - while (vp) { - tail = &(vp->next); - vp = vp->next; - } - - attr += my_len; - len -= my_len; - } - - /* - * Output may be an error, and we ignore - * it if so. - */ - if (head) { - p = output; - for (vp = head; vp != NULL; vp = vp->next) { - nr_vp_snprintf(p, sizeof(output) - (p - output), vp); - p += strlen(p); - - if (vp->next) {strcpy(p, ", "); - p += 2; - } - } - - nr_vp_free(&head); - } else if (my_len < 0) { - strcpy(output, nr_strerror(my_len)); - - } else { /* zero-length attribute */ - *output = '\0'; - } - continue; - } - - if (strncmp(p, "walk ", 5) == 0) { - len = encode_hex(p + 5, data + 20, sizeof(data) - 20); - - if (len == 0) { - fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); - exit(1); - } - - memset(data, 0, 20); - packet.data = data; - packet.length = len + 20; - packet.data[2] = ((len + 20) >> 8) & 0xff; - packet.data[3] = (len + 20) & 0xff; - - *output = '\0'; - p = output; - - rcode = nr_packet_walk(&packet, &p, walk_callback); - if (rcode < 0) { - snprintf(output, sizeof(output), "%d", rcode); - continue; - } - - if (*output) output[strlen(output) - 1] = '\0'; - continue; - } - - if (strncmp(p, "$INCLUDE ", 9) == 0) { - p += 9; - while (isspace((int) *p)) p++; - - process_file(p); - continue; - } - - if (strncmp(p, "secret ", 7) == 0) { - strlcpy(secret, p + 7, sizeof(secret)); - strlcpy(output, secret, sizeof(output)); - continue; - } - - if (strncmp(p, "code ", 5) == 0) { - packet_code = atoi(p + 5); - snprintf(output, sizeof(output), "%u", packet_code); - continue; - } - - if (strncmp(p, "sign ", 5) == 0) { - len = encode_hex(p + 5, data + 20, sizeof(data) - 20); - if (len == 0) { - fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); - exit(1); - } - - memset(&packet, 0, sizeof(packet)); - packet.secret = secret; - packet.sizeof_secret = strlen(secret); - packet.code = packet_code; - packet.id = packet_id; - memcpy(packet.vector, packet_vector, 16); - packet.data = data; - packet.length = len + 20; - - /* - * Hack encode the packet. - */ - packet.data[0] = packet_code; - packet.data[1] = packet_id; - packet.data[2] = ((len + 20) >> 8) & 0xff; - packet.data[3] = (len + 20) & 0xff; - memcpy(packet.data + 4, packet_vector, 16); - - rcode = nr_packet_sign(&packet, NULL); - if (rcode < 0) { - snprintf(output, sizeof(output), "%d", rcode); - continue; - } - - memcpy(data, packet.vector, sizeof(packet.vector)); - outlen = sizeof(packet.vector); - goto print_hex; - } - - fprintf(stderr, "Unknown input at line %d of %s\n", - lineno, filename); - exit(1); - } - - if (fp != stdin) fclose(fp); -} - -int main(int argc, char *argv[]) -{ - int c; - - if (argc < 2) { - process_file("-"); - - } else { - process_file(argv[1]); - } - - return 0; -} diff --git a/lib/radius/tests/rfc.txt b/lib/radius/tests/rfc.txt deleted file mode 100644 index d8bd613..0000000 --- a/lib/radius/tests/rfc.txt +++ /dev/null @@ -1,144 +0,0 @@ -# All attribute lengths are implicit, and are calculated automatically -# -# Input is of the form: -# -# WORD ... -# -# The WORD is a keyword which indicates the format of the following text. -# WORD is one of: -# -# raw - read the grammar defined below, and encode an attribute. -# The grammer supports a trivial way of describing RADIUS -# attributes, without reference to dictionaries or fancy -# parsers -# -# encode - reads "Attribute-Name = value", encodes it, and prints -# the result as text. -# use "-" to encode the output of the last command -# -# decode - reads hex, and decodes it "Attribute-Name = value" -# use "-" to decode the output of the last command -# -# data - the expected output of the previous command, in ASCII form. -# if the actual command output is different, an error message -# is produced, and the program terminates. -# -# -# The "raw" input satisfies the following grammar: -# -# Identifier = 1*DIGIT *( "." 1*DIGIT ) -# -# HEXCHAR = HEXDIG HEXDIG -# -# STRING = DQUOTE *CHAR DQUOTE -# -# TLV = "{" 1*DIGIT DATA "}" -# -# DATA = 1*HEXCHAR / 1*TLV / STRING -# -# LINE = Identifier DATA -# -# The "Identifier" is a RADIUS attribute identifier, as given in the draft. -# -# e.g. 1 for User-Name -# 26.9.1 Vendor-Specific, Cisco, Cisco-AVPAir -# 241.1 Extended Attribute, number 1 -# 241.2.3 Extended Attribute 2, data type TLV, TLV type 3 -# etc. -# -# The "DATA" portion is the contents of the RADIUS Attribute. -# -# 123456789abcdef hex string -# 12 34 56 ab with spaces for clarity -# "hello" Text string -# { 1 abcdef } TLV, TLV-Type 1, data "abcdef" -# -# TLVs can be nested: -# -# { tlv-type { tlv-type data } } { 3 { 4 01020304 } } -# -# TLVs can be concatencated -# -# {tlv-type data } { tlv-type data} { 3 040506 } { 8 aabbcc } -# -# The "raw" data is encoded without reference to dictionaries. Any -# valid string is parsed to a RADIUS attribute. The resulting RADIUS -# attribute *may not* be correctly formatted to the relevant RADIUS -# specifications. i.e. you can use this tool to create attribute 1 -# (User-Name), which is encoded as a series of TLVs. That's up to you. -# -# The purpose of the "raw" command is to have a simple way of encoding -# attributes which is independent of any dictionaries or packet processing -# routines. -# -# The output data is the hex version of the encoded attribute. -# - -encode User-Name = bob -data 01 05 62 6f 62 - -decode - -data User-Name = "bob" - -decode 01 05 62 6f 62 -data User-Name = "bob" - -# -# The Type/Length is OK, but the attribute data is of the wrong size. -# -decode 04 04 ab cd -data Attr-4 = 0xabcd - -# Zero-length attributes -decode 01 02 -data - -# don't encode zero-length attributes -#encode User-Name = "" -#data - -# except for CUI. Thank you, WiMAX! -decode 59 02 -data Chargeable-User-Identity = "" - -# Hah! Thought you had it figured out, didn't you? -#encode - -#data 59 02 - -encode NAS-Port = 10 -data 05 06 00 00 00 0a - -decode - -data NAS-Port = 10 - -walk 05 06 00 00 00 0a -data v0 a5 l4 - -walk 05 06 00 00 00 0a 02 06 00 00 00 0a -data v0 a5 l4,v0 a2 l4 - -walk 1a 0c 00 00 00 01 05 06 00 00 00 0a -data v1 a5 l4 - -walk 1a 12 00 00 00 01 05 06 00 00 00 0a 03 06 00 00 00 0a -data v1 a5 l4,v1 a3 l4 - -# Access-Request, code 1, authentication vector of zero -sign 05 06 00 00 00 0a -data 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - -code 4 - -sign 05 06 00 00 00 0a -data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 - -sign 05 06 00 00 00 0a -data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 - -secret hello -sign 05 06 00 00 00 0a -data 69 20 c0 b9 e1 2f 12 54 9f 92 16 5e f4 64 9b fd - -secret testing123 -sign 05 06 00 00 00 0a -data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 diff --git a/lib/radius/valuepair.c b/lib/radius/valuepair.c deleted file mode 100644 index 6277f7d..0000000 --- a/lib/radius/valuepair.c +++ /dev/null @@ -1,191 +0,0 @@ -/* -Copyright (c) 2011, Network RADIUS SARL -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - * Neither the name of the nor the - names of its contributors may be used to endorse or promote products - derived from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY -DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** \file valuepair.c - * \brief Functions to manipulate C structure versions of RADIUS attributes. - */ - -#include "client.h" - -void nr_vp_free(VALUE_PAIR **head) -{ - VALUE_PAIR *next, *vp; - - for (vp = *head; vp != NULL; vp = next) { - next = vp->next; - if (vp->da->flags.encrypt) { - memset(vp, 0, sizeof(vp)); - } - free(vp); - } - - *head = NULL; -} - - -VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da) -{ - memset(vp, 0, sizeof(*vp)); - - vp->da = da; - vp->length = da->flags.length; - - return vp; -} - - -VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da) -{ - VALUE_PAIR *vp = NULL; - - if (!da) { - nr_strerror_printf("Unknown attribute"); - return NULL; - } - - vp = malloc(sizeof(*vp)); - if (!vp) { - nr_strerror_printf("Out of memory"); - return NULL; - } - - return nr_vp_init(vp, da); -} - -VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor) -{ - VALUE_PAIR *vp = NULL; - DICT_ATTR *da; - - vp = malloc(sizeof(*vp) + sizeof(*da) + 64); - if (!vp) { - nr_strerror_printf("Out of memory"); - return NULL; - } - memset(vp, 0, sizeof(*vp)); - - da = (DICT_ATTR *) (vp + 1); - - if (nr_dict_attr_2struct(da, attr, vendor, (char *) (da + 1), 64) < 0) { - free(vp); - return NULL; - } - - vp->da = da; - - return vp; -} - -int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) -{ - int rcode = 1; /* OK */ - - if (!vp || !data || (sizeof_data == 0)) return -RSE_INVAL; - - switch (vp->da->type) { - case RS_TYPE_BYTE: - vp->vp_integer = *(const uint8_t *) data; - break; - - case RS_TYPE_SHORT: - vp->vp_integer = *(const uint16_t *) data; - break; - - case RS_TYPE_INTEGER: - case RS_TYPE_DATE: - case RS_TYPE_IPADDR: - vp->vp_integer = *(const uint32_t *) data; - break; - - case RS_TYPE_STRING: - if (sizeof_data >= sizeof(vp->vp_strvalue)) { - sizeof_data = sizeof(vp->vp_strvalue) - 1; - rcode = 0; /* truncated */ - } - - memcpy(vp->vp_strvalue, (const char *) data, sizeof_data); - vp->vp_strvalue[sizeof_data + 1] = '\0'; - vp->length = sizeof_data; - break; - - case RS_TYPE_OCTETS: - if (sizeof_data > sizeof(vp->vp_octets)) { - sizeof_data = sizeof(vp->vp_octets); - rcode = 0; /* truncated */ - } - memcpy(vp->vp_octets, data, sizeof_data); - vp->length = sizeof_data; - break; - - default: - return -RSE_ATTR_TYPE_UNKNOWN; - } - - return rcode; -} - -VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, size_t data_len) -{ - const DICT_ATTR *da; - VALUE_PAIR *vp; - - da = nr_dict_attr_byvalue(attr, vendor); - if (!da) return NULL; - - vp = nr_vp_alloc(da); - if (!vp) return NULL; - - if (nr_vp_set_data(vp, data, data_len) < 0) { - nr_vp_free(&vp); - return NULL; - } - - return vp; -} - -void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *tail) -{ - if (!tail) return; - - while (*head) { - head = &((*head)->next); - } - - *head = tail; -} - -VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, - unsigned int attr, unsigned int vendor) -{ - while (head) { - if ((head->da->attr == attr) && - (head->da->vendor == vendor)) return head; - head = head->next; - } - - return NULL; -} diff --git a/lib/radsec.c b/lib/radsec.c deleted file mode 100644 index 83ce6c5..0000000 --- a/lib/radsec.c +++ /dev/null @@ -1,141 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include "err.h" -#include "debug.h" -#include "radsecproxy/debug.h" -#if defined (RS_ENABLE_TLS) -#include "tls.h" -#include -#include "radsecproxy/list.h" -#include "radsecproxy/radsecproxy.h" -#endif - -/* Public functions. */ -int -rs_context_create (struct rs_context **ctx) -{ - struct rs_context *h; - -#if defined (RS_ENABLE_TLS) - if (tls_init ()) - return RSE_SSLERR; -#endif - - h = calloc (1, sizeof(*h)); - if (h == NULL) - return RSE_NOMEM; - - debug_init ("libradsec"); /* radsecproxy compat, FIXME: remove */ - - if (ctx != NULL) - *ctx = h; - - return RSE_OK; -} - -struct rs_error * -rs_resolve (struct evutil_addrinfo **addr, - rs_conn_type_t type, - const char *hostname, - const char *service) -{ - int err; - struct evutil_addrinfo hints, *res = NULL; - - memset (&hints, 0, sizeof(struct evutil_addrinfo)); - hints.ai_family = AF_UNSPEC; - hints.ai_flags = AI_ADDRCONFIG; - switch (type) - { - case RS_CONN_TYPE_NONE: - return err_create (RSE_INVALID_CONN, __FILE__, __LINE__, NULL, NULL); - case RS_CONN_TYPE_TCP: - /* Fall through. */ - case RS_CONN_TYPE_TLS: - hints.ai_socktype = SOCK_STREAM; - hints.ai_protocol = IPPROTO_TCP; - break; - case RS_CONN_TYPE_UDP: - /* Fall through. */ - case RS_CONN_TYPE_DTLS: - hints.ai_socktype = SOCK_DGRAM; - hints.ai_protocol = IPPROTO_UDP; - break; - default: - return err_create (RSE_INVALID_CONN, __FILE__, __LINE__, NULL, NULL); - } - err = evutil_getaddrinfo (hostname, service, &hints, &res); - if (err) - return err_create (RSE_BADADDR, __FILE__, __LINE__, - "%s:%s: bad host name or service name (%s)", - hostname, service, evutil_gai_strerror(err)); - *addr = res; /* Simply use first result. */ - return NULL; -} - -void -rs_context_destroy (struct rs_context *ctx) -{ - struct rs_realm *r = NULL; - struct rs_peer *p = NULL; - - if (ctx->config) - { - for (r = ctx->config->realms; r; ) - { - struct rs_realm *tmp = r; - for (p = r->peers; p; ) - { - struct rs_peer *tmp = p; - if (p->addr_cache) - { - evutil_freeaddrinfo (p->addr_cache); - p->addr_cache = NULL; - } - p = p->next; - rs_free (ctx, tmp); - } - free (r->name); - rs_free (ctx, r->transport_cred); - r = r->next; - rs_free (ctx, tmp); - } - } - - if (ctx->config) - { - if (ctx->config->cfg) - { - cfg_free (ctx->config->cfg); - ctx->config->cfg = NULL; - } - rs_free (ctx, ctx->config); - } - - free (ctx); -} - -int -rs_context_set_alloc_scheme (struct rs_context *ctx, - struct rs_alloc_scheme *scheme) -{ - return rs_err_ctx_push_fl (ctx, RSE_NOSYS, __FILE__, __LINE__, NULL); -} - diff --git a/lib/radsec.h b/lib/radsec.h deleted file mode 100644 index 703e44b..0000000 --- a/lib/radsec.h +++ /dev/null @@ -1,7 +0,0 @@ -/* Copyright 2012 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -struct rs_error *rs_resolve (struct evutil_addrinfo **addr, - rs_conn_type_t type, - const char *hostname, - const char *service); diff --git a/lib/radsec.sym b/lib/radsec.sym deleted file mode 100644 index 77fcacc..0000000 --- a/lib/radsec.sym +++ /dev/null @@ -1,86 +0,0 @@ -rs_attr_display_name -rs_attr_find -rs_attr_parse_name -rs_avp_alloc -rs_avp_append -rs_avp_attrid -rs_avp_byte_set -rs_avp_byte_value -rs_avp_date_set -rs_avp_date_value -rs_avp_delete -rs_avp_display_value -rs_avp_dup -rs_avp_find -rs_avp_find_const -rs_avp_fragmented_value -rs_avp_free -rs_avp_ifid_set -rs_avp_ifid_value -rs_avp_integer_set -rs_avp_integer_value -rs_avp_ipaddr_set -rs_avp_ipaddr_value -rs_avp_length -rs_avp_name -rs_avp_next -rs_avp_next_const -rs_avp_octets_set -rs_avp_octets_value -rs_avp_octets_value_byref -rs_avp_octets_value_const_ptr -rs_avp_octets_value_ptr -rs_avp_short_set -rs_avp_short_value -rs_avp_string_set -rs_avp_string_value -rs_avp_typeof -rs_conf_find_realm -rs_conn_add_listener -rs_conn_create -rs_conn_del_callbacks -rs_conn_destroy -rs_conn_disconnect -rs_conn_fd -rs_conn_get_callbacks -rs_conn_get_current_peer -rs_conn_receive_packet -rs_conn_select_peer -rs_conn_set_callbacks -rs_conn_set_eventbase -rs_conn_set_timeout -rs_conn_set_type -rs_context_create -rs_context_destroy -rs_context_read_config -rs_context_set_alloc_scheme -rs_dump_packet -rs_err_code -rs_err_conn_peek_code -rs_err_conn_pop -rs_err_conn_push -rs_err_conn_push_fl -rs_err_ctx_pop -rs_err_ctx_push -rs_err_ctx_push_fl -rs_err_free -rs_err_msg -rs_packet_add_avp -rs_packet_append_avp -rs_packet_avps -rs_packet_code -rs_packet_create -rs_packet_create_authn_request -rs_packet_destroy -rs_packet_send -rs_peer_create -rs_peer_set_address -rs_peer_set_retries -rs_peer_set_secret -rs_peer_set_timeout -rs_request_add_reqpkt -rs_request_create -rs_request_create_authn -rs_request_destroy -rs_request_get_reqmsg -rs_request_send diff --git a/lib/radsecproxy/Makefile.am b/lib/radsecproxy/Makefile.am deleted file mode 100644 index dc5ffc4..0000000 --- a/lib/radsecproxy/Makefile.am +++ /dev/null @@ -1,23 +0,0 @@ -AUTOMAKE_OPTIONS = foreign -ACLOCAL_AMFLAGS = -I m4 - -AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) -AM_CFLAGS = -Wall -Werror -g - -noinst_LTLIBRARIES = libradsec-radsecproxy.la - -libradsec_radsecproxy_la_SOURCES = \ - debug.c debug.h \ - gconfig.h \ - hash.c hash.h \ - hostport_types.h \ - list.c list.h \ - radmsg.h \ - radsecproxy.h \ - tlv11.h \ - util.c util.h - -if RS_ENABLE_TLS -libradsec_radsecproxy_la_SOURCES += \ - tlscommon.c tlscommon.h -endif diff --git a/lib/radsecproxy/debug.c b/lib/radsecproxy/debug.c deleted file mode 100644 index 8a4881d..0000000 --- a/lib/radsecproxy/debug.c +++ /dev/null @@ -1,213 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS - * Copyright (c) 2010-2011, NORDUnet A/S */ -/* See LICENSE for licensing information. */ - -#ifndef SYS_SOLARIS9 -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "util.h" - -static char *debug_ident = NULL; -static uint8_t debug_level = DBG_INFO; -static char *debug_filepath = NULL; -static FILE *debug_file = NULL; -static int debug_syslogfacility = 0; -static uint8_t debug_timestamp = 0; - -void debug_init(char *ident) { - debug_file = stderr; - setvbuf(debug_file, NULL, _IONBF, 0); - debug_ident = ident; -} - -void debug_set_level(uint8_t level) { - switch (level) { - case 1: - debug_level = DBG_ERR; - return; - case 2: - debug_level = DBG_WARN; - return; - case 3: - debug_level = DBG_NOTICE; - return; - case 4: - debug_level = DBG_INFO; - return; - case 5: - debug_level = DBG_DBG; - return; - } -} - -void debug_timestamp_on() { - debug_timestamp = 1; -} - -uint8_t debug_get_level() { - return debug_level; -} - -int debug_set_destination(char *dest) { - static const char *facstrings[] = { "LOG_DAEMON", "LOG_MAIL", "LOG_USER", "LOG_LOCAL0", - "LOG_LOCAL1", "LOG_LOCAL2", "LOG_LOCAL3", "LOG_LOCAL4", - "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7", NULL }; - static const int facvals[] = { LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, - LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, - LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 }; - extern int errno; - int i; - - if (!strncasecmp(dest, "file:///", 8)) { - debug_filepath = stringcopy(dest + 7, 0); - debug_file = fopen(debug_filepath, "a"); - if (!debug_file) { - debug_file = stderr; - debugx(1, DBG_ERR, "Failed to open logfile %s\n%s", - debug_filepath, strerror(errno)); - } - setvbuf(debug_file, NULL, _IONBF, 0); - return 1; - } - if (!strncasecmp(dest, "x-syslog://", 11)) { - dest += 11; - if (*dest == '/') - dest++; - if (*dest) { - for (i = 0; facstrings[i]; i++) - if (!strcasecmp(dest, facstrings[i])) - break; - if (!facstrings[i]) - debugx(1, DBG_ERR, "Unknown syslog facility %s", dest); - debug_syslogfacility = facvals[i]; - } else - debug_syslogfacility = LOG_DAEMON; - openlog(debug_ident, LOG_PID, debug_syslogfacility); - return 1; - } - debug(DBG_ERR, "Unknown log destination, exiting %s", dest); - exit(1); -} - -void debug_reopen_log() { - extern int errno; - - /* not a file, noop, return success */ - if (!debug_filepath) { - debug(DBG_ERR, "skipping reopen"); - return; - } - - if (debug_file != stderr) - fclose(debug_file); - - debug_file = fopen(debug_filepath, "a"); - if (debug_file) - debug(DBG_ERR, "Reopened logfile %s", debug_filepath); - else { - debug_file = stderr; - debug(DBG_ERR, "Failed to open logfile %s, using stderr\n%s", - debug_filepath, strerror(errno)); - } - setvbuf(debug_file, NULL, _IONBF, 0); -} - -void debug_logit(uint8_t level, const char *format, va_list ap) { - struct timeval now; - char *timebuf; - int priority; - - if (debug_syslogfacility) { - switch (level) { - case DBG_DBG: - priority = LOG_DEBUG; - break; - case DBG_INFO: - priority = LOG_INFO; - break; - case DBG_NOTICE: - priority = LOG_NOTICE; - break; - case DBG_WARN: - priority = LOG_WARNING; - break; - case DBG_ERR: - priority = LOG_ERR; - break; - default: - priority = LOG_DEBUG; - } - vsyslog(priority, format, ap); - } else { - if (debug_timestamp && (timebuf = malloc(256))) { - gettimeofday(&now, NULL); - ctime_r(&now.tv_sec, timebuf); - timebuf[strlen(timebuf) - 1] = '\0'; - fprintf(debug_file, "%s: ", timebuf + 4); - free(timebuf); - } - vfprintf(debug_file, format, ap); - fprintf(debug_file, "\n"); - } -} - -void debug(uint8_t level, char *format, ...) { - va_list ap; - if (level < debug_level) - return; - va_start(ap, format); - debug_logit(level, format, ap); - va_end(ap); -} - -void debugx(int status, uint8_t level, char *format, ...) { - if (level >= debug_level) { - va_list ap; - va_start(ap, format); - debug_logit(level, format, ap); - va_end(ap); - } - exit(status); -} - -void debugerrno(int err, uint8_t level, char *format, ...) { - if (level >= debug_level) { - va_list ap; - size_t len = strlen(format); - char *tmp = malloc(len + 1024 + 2); - assert(tmp); - strcpy(tmp, format); - tmp[len++] = ':'; - tmp[len++] = ' '; - if (strerror_r(err, tmp + len, 1024)) - tmp = format; - va_start(ap, format); - debug_logit(level, tmp, ap); - va_end(ap); - } -} - -void debugerrnox(int err, uint8_t level, char *format, ...) { - if (level >= debug_level) { - va_list ap; - va_start(ap, format); - debugerrno(err, level, format, ap); - va_end(ap); - } - exit(err); -} - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/debug.h b/lib/radsecproxy/debug.h deleted file mode 100644 index f9858ab..0000000 --- a/lib/radsecproxy/debug.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS - * Copyright (c) 2010-2011, NORDUnet A/S */ -/* See LICENSE for licensing information. */ - -#ifndef SYS_SOLARIS9 -#include -#endif - -#define DBG_DBG 8 -#define DBG_INFO 16 -#define DBG_NOTICE 32 -#define DBG_WARN 64 -#define DBG_ERR 128 - -#if defined (__cplusplus) -extern "C" { -#endif - -void debug_init(char *ident); -void debug_set_level(uint8_t level); -void debug_timestamp_on(); -uint8_t debug_get_level(); -void debug(uint8_t level, char *format, ...); -void debugx(int status, uint8_t level, char *format, ...); -void debugerrno(int err, uint8_t level, char *format, ...); -void debugerrnox(int err, uint8_t level, char *format, ...); -int debug_set_destination(char *dest); -void debug_reopen_log(); - -#if defined (__cplusplus) -} -#endif - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/gconfig.h b/lib/radsecproxy/gconfig.h deleted file mode 100644 index 3cb34b3..0000000 --- a/lib/radsecproxy/gconfig.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Copyright (c) 2007-2008, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#define CONF_STR 1 -#define CONF_CBK 2 -#define CONF_MSTR 3 -#define CONF_BLN 4 -#define CONF_LINT 5 - -#include - -struct gconffile { - char *path; - FILE *file; - const char *data; - size_t datapos; -}; - -int getconfigline(struct gconffile **cf, char *block, char **opt, char **val, int *conftype); -int getgenericconfig(struct gconffile **cf, char *block, ...); -int pushgconfdata(struct gconffile **cf, const char *data); -FILE *pushgconfpath(struct gconffile **cf, const char *path); -FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description); -FILE *pushgconfpaths(struct gconffile **cf, const char *path); -int popgconf(struct gconffile **cf); -void freegconfmstr(char **mstr); -void freegconf(struct gconffile **cf); -struct gconffile *openconfigfile(const char *file); - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/hash.c b/lib/radsecproxy/hash.c deleted file mode 100644 index ab17433..0000000 --- a/lib/radsecproxy/hash.c +++ /dev/null @@ -1,131 +0,0 @@ -/* Copyright (c) 2008, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#include -#include -#include -#include "list.h" -#include "hash.h" - -/* allocates and initialises hash structure; returns NULL if malloc fails */ -struct hash *hash_create() { - struct hash *h = malloc(sizeof(struct hash)); - if (!h) - return NULL; - h->hashlist = list_create(); - if (!h->hashlist) { - free(h); - return NULL; - } - pthread_mutex_init(&h->mutex, NULL); - return h; -} - -/* frees all memory associated with the hash */ -void hash_destroy(struct hash *h) { - struct list_node *ln; - - if (!h) - return; - for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { - free(((struct hash_entry *)ln->data)->key); - free(((struct hash_entry *)ln->data)->data); - } - list_destroy(h->hashlist); - pthread_mutex_destroy(&h->mutex); -} - -/* insert entry in hash; returns 1 if ok, 0 if malloc fails */ -int hash_insert(struct hash *h, void *key, uint32_t keylen, void *data) { - struct hash_entry *e; - - if (!h) - return 0; - e = malloc(sizeof(struct hash_entry)); - if (!e) - return 0; - memset(e, 0, sizeof(struct hash_entry)); - e->key = malloc(keylen); - if (!e->key) { - free(e); - return 0; - } - memcpy(e->key, key, keylen); - e->keylen = keylen; - e->data = data; - pthread_mutex_lock(&h->mutex); - if (!list_push(h->hashlist, e)) { - pthread_mutex_unlock(&h->mutex); - free(e->key); - free(e); - return 0; - } - pthread_mutex_unlock(&h->mutex); - return 1; -} - -/* reads entry from hash */ -void *hash_read(struct hash *h, void *key, uint32_t keylen) { - struct list_node *ln; - struct hash_entry *e; - - if (!h) - return 0; - pthread_mutex_lock(&h->mutex); - for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { - e = (struct hash_entry *)ln->data; - if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { - pthread_mutex_unlock(&h->mutex); - return e->data; - } - } - pthread_mutex_unlock(&h->mutex); - return NULL; -} - -/* extracts entry from hash */ -void *hash_extract(struct hash *h, void *key, uint32_t keylen) { - struct list_node *ln; - struct hash_entry *e; - - if (!h) - return 0; - pthread_mutex_lock(&h->mutex); - for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { - e = (struct hash_entry *)ln->data; - if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { - free(e->key); - list_removedata(h->hashlist, e); - free(e); - pthread_mutex_unlock(&h->mutex); - return e->data; - } - } - pthread_mutex_unlock(&h->mutex); - return NULL; -} - -/* returns first entry */ -struct hash_entry *hash_first(struct hash *hash) { - struct list_node *ln; - struct hash_entry *e; - if (!hash || !((ln = list_first(hash->hashlist)))) - return NULL; - e = (struct hash_entry *)ln->data; - e->next = ln->next; - return e; -} - -/* returns the next node after the argument */ -struct hash_entry *hash_next(struct hash_entry *entry) { - struct hash_entry *e; - if (!entry || !entry->next) - return NULL; - e = (struct hash_entry *)entry->next->data; - e->next = (struct list_node *)entry->next->next; - return e; -} - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/hash.h b/lib/radsecproxy/hash.h deleted file mode 100644 index 90ba64b..0000000 --- a/lib/radsecproxy/hash.h +++ /dev/null @@ -1,51 +0,0 @@ -/* Copyright (c) 2008, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#ifndef SYS_SOLARIS9 -#include -#endif - -#if defined (__cplusplus) -extern "C" { -#endif - -struct hash { - struct list *hashlist; - pthread_mutex_t mutex; -}; - -struct hash_entry { - void *key; - uint32_t keylen; - void *data; - struct list_node *next; /* used when walking through hash */ -}; - -/* allocates and initialises hash structure; returns NULL if malloc fails */ -struct hash *hash_create(); - -/* frees all memory associated with the hash */ -void hash_destroy(struct hash *hash); - -/* insert entry in hash; returns 1 if ok, 0 if malloc fails */ -int hash_insert(struct hash *hash, void *key, uint32_t keylen, void *data); - -/* reads entry from hash */ -void *hash_read(struct hash *hash, void *key, uint32_t keylen); - -/* extracts (read and remove) entry from hash */ -void *hash_extract(struct hash *hash, void *key, uint32_t keylen); - -/* returns first entry */ -struct hash_entry *hash_first(struct hash *hash); - -/* returns the next entry after the argument */ -struct hash_entry *hash_next(struct hash_entry *entry); - -#if defined (__cplusplus) -} -#endif - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/hostport_types.h b/lib/radsecproxy/hostport_types.h deleted file mode 100644 index 01fb443..0000000 --- a/lib/radsecproxy/hostport_types.h +++ /dev/null @@ -1,6 +0,0 @@ -struct hostportres { - char *host; - char *port; - uint8_t prefixlen; - struct addrinfo *addrinfo; -}; diff --git a/lib/radsecproxy/list.c b/lib/radsecproxy/list.c deleted file mode 100644 index 4cfd358..0000000 --- a/lib/radsecproxy/list.c +++ /dev/null @@ -1,122 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include "list.h" - -/* allocates and initialises list structure; returns NULL if malloc fails */ -struct list *list_create() { - struct list *list = malloc(sizeof(struct list)); - if (list) - memset(list, 0, sizeof(struct list)); - return list; -} - -/* frees all memory associated with the list */ -void list_destroy(struct list *list) { - struct list_node *node, *next; - - if (!list) - return; - - for (node = list->first; node; node = next) { - free(node->data); - next = node->next; - free(node); - } - free(list); -} - -/* appends entry to list; returns 1 if ok, 0 if malloc fails */ -int list_push(struct list *list, void *data) { - struct list_node *node; - - node = malloc(sizeof(struct list_node)); - if (!node) - return 0; - - node->next = NULL; - node->data = data; - - if (list->first) - list->last->next = node; - else - list->first = node; - list->last = node; - - list->count++; - return 1; -} - -/* removes first entry from list and returns data */ -void *list_shift(struct list *list) { - struct list_node *node; - void *data; - - if (!list || !list->first) - return NULL; - - node = list->first; - list->first = node->next; - if (!list->first) - list->last = NULL; - data = node->data; - free(node); - list->count--; - return data; -} - -/* removes all entries with matching data pointer */ -void list_removedata(struct list *list, void *data) { - struct list_node *node, *t; - - if (!list || !list->first) - return; - - node = list->first; - while (node->data == data) { - list->first = node->next; - free(node); - list->count--; - node = list->first; - if (!node) { - list->last = NULL; - return; - } - } - for (; node->next; node = node->next) - if (node->next->data == data) { - t = node->next; - node->next = t->next; - free(t); - list->count--; - if (!node->next) { /* we removed the last one */ - list->last = node; - return; - } - } -} - -/* returns first node */ -struct list_node *list_first(struct list *list) { - return list ? list->first : NULL; -} - -/* returns the next node after the argument */ -struct list_node *list_next(struct list_node *node) { - return node->next; -} - -/* returns number of nodes */ -uint32_t list_count(struct list *list) { - return list->count; -} - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/list.h b/lib/radsecproxy/list.h deleted file mode 100644 index 4f4d1f9..0000000 --- a/lib/radsecproxy/list.h +++ /dev/null @@ -1,54 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#ifdef SYS_SOLARIS9 -#include -#else -#include -#endif - -#if defined (__cplusplus) -extern "C" { -#endif - -struct list_node { - struct list_node *next; - void *data; -}; - -struct list { - struct list_node *first, *last; - uint32_t count; -}; - -/* allocates and initialises list structure; returns NULL if malloc fails */ -struct list *list_create(); - -/* frees all memory associated with the list */ -void list_destroy(struct list *list); - -/* appends entry to list; returns 1 if ok, 0 if malloc fails */ -int list_push(struct list *list, void *data); - -/* removes first entry from list and returns data */ -void *list_shift(struct list *list); - -/* removes first entry with matching data pointer */ -void list_removedata(struct list *list, void *data); - -/* returns first node */ -struct list_node *list_first(struct list *list); - -/* returns the next node after the argument */ -struct list_node *list_next(struct list_node *node); - -/* returns number of nodes */ -uint32_t list_count(struct list *list); - -#if defined (__cplusplus) -} -#endif - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/radmsg.h b/lib/radsecproxy/radmsg.h deleted file mode 100644 index 1bef59b..0000000 --- a/lib/radsecproxy/radmsg.h +++ /dev/null @@ -1,40 +0,0 @@ -/* Copyright (c) 2007-2008, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#define RAD_Access_Request 1 -#define RAD_Access_Accept 2 -#define RAD_Access_Reject 3 -#define RAD_Accounting_Request 4 -#define RAD_Accounting_Response 5 -#define RAD_Access_Challenge 11 -#define RAD_Status_Server 12 -#define RAD_Status_Client 13 - -#define RAD_Attr_User_Name 1 -#define RAD_Attr_User_Password 2 -#define RAD_Attr_Reply_Message 18 -#define RAD_Attr_Vendor_Specific 26 -#define RAD_Attr_Calling_Station_Id 31 -#define RAD_Attr_Tunnel_Password 69 -#define RAD_Attr_Message_Authenticator 80 - -#define RAD_VS_ATTR_MS_MPPE_Send_Key 16 -#define RAD_VS_ATTR_MS_MPPE_Recv_Key 17 - -struct radmsg { - uint8_t code; - uint8_t id; - uint8_t auth[20]; - struct list *attrs; -}; - -void radmsg_free(struct radmsg *); -struct radmsg *radmsg_init(uint8_t, uint8_t, uint8_t *); -int radmsg_add(struct radmsg *, struct tlv *); -struct tlv *radmsg_gettype(struct radmsg *, uint8_t); -uint8_t *radmsg2buf(struct radmsg *msg, uint8_t *); -struct radmsg *buf2radmsg(uint8_t *, uint8_t *, uint8_t *); - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/radsecproxy.h b/lib/radsecproxy/radsecproxy.h deleted file mode 100644 index 7528f7f..0000000 --- a/lib/radsecproxy/radsecproxy.h +++ /dev/null @@ -1,216 +0,0 @@ -/* - * Copyright (C) 2006-2009 Stig Venaas - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - */ - -#include "tlv11.h" -#include "radmsg.h" -#include "gconfig.h" - -#define DEBUG_LEVEL 2 - -#define CONFIG_MAIN "/etc/radsecproxy.conf" - -/* MAX_REQUESTS must be 256 due to Radius' 8 bit ID field */ -#define MAX_REQUESTS 256 -#define REQUEST_RETRY_INTERVAL 5 -#define REQUEST_RETRY_COUNT 2 -#define DUPLICATE_INTERVAL REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT -#define MAX_CERT_DEPTH 5 -#define STATUS_SERVER_PERIOD 25 -#define IDLE_TIMEOUT 300 - -/* 27262 is vendor DANTE Ltd. */ -#define DEFAULT_TTL_ATTR "27262:1" - -#define RAD_UDP 0 -#define RAD_TLS 1 -#define RAD_TCP 2 -#define RAD_DTLS 3 -#define RAD_PROTOCOUNT 4 - -struct options { - char *logdestination; - char *ttlattr; - uint32_t ttlattrtype[2]; - uint8_t addttl; - uint8_t loglevel; - uint8_t loopprevention; -}; - -struct commonprotoopts { - char **listenargs; - char *sourcearg; -}; - -struct request { - struct timeval created; - uint32_t refcount; - uint8_t *buf, *replybuf; - struct radmsg *msg; - struct client *from; - struct server *to; - char *origusername; - uint8_t rqid; - uint8_t rqauth[16]; - uint8_t newid; - int udpsock; /* only for UDP */ - uint16_t udpport; /* only for UDP */ -}; - -/* requests that our client will send */ -struct rqout { - pthread_mutex_t *lock; - struct request *rq; - uint8_t tries; - struct timeval expiry; -}; - -struct gqueue { - struct list *entries; - pthread_mutex_t mutex; - pthread_cond_t cond; -}; - -struct clsrvconf { - char *name; - uint8_t type; /* RAD_UDP/RAD_TLS/RAD_TCP */ - const struct protodefs *pdef; - char **hostsrc; - char *portsrc; - struct list *hostports; - char *secret; - char *tls; - char *matchcertattr; - regex_t *certcnregex; - regex_t *certuriregex; - char *confrewritein; - char *confrewriteout; - char *confrewriteusername; - struct modattr *rewriteusername; - char *dynamiclookupcommand; - uint8_t statusserver; - uint8_t retryinterval; - uint8_t retrycount; - uint8_t dupinterval; - uint8_t certnamecheck; - uint8_t addttl; - uint8_t loopprevention; - struct rewrite *rewritein; - struct rewrite *rewriteout; - pthread_mutex_t *lock; /* only used for updating clients so far */ - struct tls *tlsconf; - struct list *clients; - struct server *servers; -}; - -#include "tlscommon.h" - -struct client { - struct clsrvconf *conf; - int sock; - SSL *ssl; - struct request *rqs[MAX_REQUESTS]; - struct gqueue *replyq; - struct gqueue *rbios; /* for dtls */ - struct sockaddr *addr; - time_t expiry; /* for udp */ -}; - -struct server { - struct clsrvconf *conf; - int sock; - SSL *ssl; - pthread_mutex_t lock; - pthread_t clientth; - uint8_t clientrdgone; - struct timeval lastconnecttry; - struct timeval lastreply; - uint8_t connectionok; - uint8_t lostrqs; - uint8_t dynstartup; - char *dynamiclookuparg; - int nextid; - struct timeval lastrcv; - struct rqout *requests; - uint8_t newrq; - pthread_mutex_t newrq_mutex; - pthread_cond_t newrq_cond; - struct gqueue *rbios; /* for dtls */ -}; - -struct realm { - char *name; - char *message; - uint8_t accresp; - regex_t regex; - uint32_t refcount; - pthread_mutex_t mutex; - struct realm *parent; - struct list *subrealms; - struct list *srvconfs; - struct list *accsrvconfs; -}; - -struct modattr { - uint8_t t; - char *replacement; - regex_t *regex; -}; - -struct rewrite { - uint8_t *removeattrs; - uint32_t *removevendorattrs; - struct list *addattrs; - struct list *modattrs; -}; - -struct protodefs { - char *name; - char *secretdefault; - int socktype; - char *portdefault; - uint8_t retrycountdefault; - uint8_t retrycountmax; - uint8_t retryintervaldefault; - uint8_t retryintervalmax; - uint8_t duplicateintervaldefault; - void (*setprotoopts)(struct commonprotoopts *); - char **(*getlistenerargs)(); - void *(*listener)(void*); - int (*connecter)(struct server *, struct timeval *, int, char *); - void *(*clientconnreader)(void*); - int (*clientradput)(struct server *, unsigned char *); - void (*addclient)(struct client *); - void (*addserverextra)(struct clsrvconf *); - void (*setsrcres)(); - void (*initextra)(); -}; - -#define RADLEN(x) ntohs(((uint16_t *)(x))[1]) - -#define ATTRTYPE(x) ((x)[0]) -#define ATTRLEN(x) ((x)[1]) -#define ATTRVAL(x) ((x) + 2) -#define ATTRVALLEN(x) ((x)[1] - 2) - -struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); -struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); -struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur); -struct client *addclient(struct clsrvconf *conf, uint8_t lock); -void removelockedclient(struct client *client); -void removeclient(struct client *client); -struct gqueue *newqueue(); -void freebios(struct gqueue *q); -struct request *newrequest(); -void freerq(struct request *rq); -int radsrv(struct request *rq); -void replyh(struct server *server, unsigned char *buf); -struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport); - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/tlscommon.c b/lib/radsecproxy/tlscommon.c deleted file mode 100644 index a31fa32..0000000 --- a/lib/radsecproxy/tlscommon.c +++ /dev/null @@ -1,455 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS - * Copyright (c) 2010-2011, NORDUnet A/S */ -/* See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef SYS_SOLARIS9 -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "list.h" -#include "hash.h" -#include "util.h" -#include "hostport_types.h" -#include "radsecproxy.h" - -static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) { - int pwdlen = strlen(userdata); - if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */ - return 0; - memcpy(buf, userdata, pwdlen); - return pwdlen; -} - -static int verify_cb(int ok, X509_STORE_CTX *ctx) { - char *buf = NULL; - X509 *err_cert; - int err, depth; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - if (depth > MAX_CERT_DEPTH) { - ok = 0; - err = X509_V_ERR_CERT_CHAIN_TOO_LONG; - X509_STORE_CTX_set_error(ctx, err); - } - - if (!ok) { - if (err_cert) - buf = X509_NAME_oneline(X509_get_subject_name(err_cert), NULL, 0); - debug(DBG_WARN, "verify error: num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf ? buf : ""); - free(buf); - buf = NULL; - - switch (err) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - if (err_cert) { - buf = X509_NAME_oneline(X509_get_issuer_name(err_cert), NULL, 0); - if (buf) { - debug(DBG_WARN, "\tIssuer=%s", buf); - free(buf); - buf = NULL; - } - } - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - debug(DBG_WARN, "\tCertificate not yet valid"); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - debug(DBG_WARN, "Certificate has expired"); - break; - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - debug(DBG_WARN, "Certificate no longer valid (after notAfter)"); - break; - case X509_V_ERR_NO_EXPLICIT_POLICY: - debug(DBG_WARN, "No Explicit Certificate Policy"); - break; - } - } - return ok; -} - -#ifdef DEBUG -static void ssl_info_callback(const SSL *ssl, int where, int ret) { - const char *s; - int w; - - w = where & ~SSL_ST_MASK; - - if (w & SSL_ST_CONNECT) - s = "SSL_connect"; - else if (w & SSL_ST_ACCEPT) - s = "SSL_accept"; - else - s = "undefined"; - - if (where & SSL_CB_LOOP) - debug(DBG_DBG, "%s:%s\n", s, SSL_state_string_long(ssl)); - else if (where & SSL_CB_ALERT) { - s = (where & SSL_CB_READ) ? "read" : "write"; - debug(DBG_DBG, "SSL3 alert %s:%s:%s\n", s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); - } - else if (where & SSL_CB_EXIT) { - if (ret == 0) - debug(DBG_DBG, "%s:failed in %s\n", s, SSL_state_string_long(ssl)); - else if (ret < 0) - debug(DBG_DBG, "%s:error in %s\n", s, SSL_state_string_long(ssl)); - } -} -#endif - -static X509_VERIFY_PARAM *createverifyparams(char **poids) { - X509_VERIFY_PARAM *pm; - ASN1_OBJECT *pobject; - int i; - - pm = X509_VERIFY_PARAM_new(); - if (!pm) - return NULL; - - for (i = 0; poids[i]; i++) { - pobject = OBJ_txt2obj(poids[i], 0); - if (!pobject) { - X509_VERIFY_PARAM_free(pm); - return NULL; - } - X509_VERIFY_PARAM_add0_policy(pm, pobject); - } - - X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY); - return pm; -} - -static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { - STACK_OF(X509_NAME) *calist; - X509_STORE *x509_s; - unsigned long error; - - if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) { - while ((error = ERR_get_error())) - debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); - debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name); - return 0; - } - - calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL; - - if (!conf->cacertfile || calist) { - if (conf->cacertpath) { - if (!calist) - calist = sk_X509_NAME_new_null(); - if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) { - sk_X509_NAME_free(calist); - calist = NULL; - } - } - } - if (!calist) { - while ((error = ERR_get_error())) - debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); - debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name); - return 0; - } - ERR_clear_error(); /* add_dir_cert_subj returns errors on success */ - SSL_CTX_set_client_CA_list(ctx, calist); - - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); - SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); - - if (conf->crlcheck || conf->vpm) { - x509_s = SSL_CTX_get_cert_store(ctx); - if (conf->crlcheck) - X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); - if (conf->vpm) - X509_STORE_set1_param(x509_s, conf->vpm); - } - - debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name); - return 1; -} - -static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { - SSL_CTX *ctx = NULL; - unsigned long error; - - switch (type) { -#ifdef RADPROT_TLS - case RAD_TLS: - ctx = SSL_CTX_new(TLSv1_method()); - break; -#endif -#ifdef RADPROT_DTLS - case RAD_DTLS: - ctx = SSL_CTX_new(DTLSv1_method()); - SSL_CTX_set_read_ahead(ctx, 1); - break; -#endif - } - if (!ctx) { - debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); - while ((error = ERR_get_error())) - debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); - return NULL; - } -#ifdef DEBUG - SSL_CTX_set_info_callback(ctx, ssl_info_callback); -#endif - - if (conf->certkeypwd) { - SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd); - SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb); - } - if (conf->certfile || conf->certkeyfile) { - if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) || - !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) || - !SSL_CTX_check_private_key(ctx)) { - while ((error = ERR_get_error())) - debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); - debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS (certfile issues) in TLS context %s", conf->name); - SSL_CTX_free(ctx); - return NULL; - } - } - - if (conf->policyoids) { - if (!conf->vpm) { - conf->vpm = createverifyparams(conf->policyoids); - if (!conf->vpm) { - debug(DBG_ERR, "tlscreatectx: Failed to add policyOIDs in TLS context %s", conf->name); - SSL_CTX_free(ctx); - return NULL; - } - } - } - - if (conf->cacertfile != NULL || conf->cacertpath != NULL) - if (!tlsaddcacrl(ctx, conf)) { - if (conf->vpm) { - X509_VERIFY_PARAM_free(conf->vpm); - conf->vpm = NULL; - } - SSL_CTX_free(ctx); - return NULL; - } - - debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); - return ctx; -} - -SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { - struct timeval now; - - if (!t) - return NULL; - gettimeofday(&now, NULL); - - switch (type) { -#ifdef RADPROT_TLS - case RAD_TLS: - if (t->tlsexpiry && t->tlsctx) { - if (t->tlsexpiry < now.tv_sec) { - t->tlsexpiry = now.tv_sec + t->cacheexpiry; - tlsaddcacrl(t->tlsctx, t); - } - } - if (!t->tlsctx) { - t->tlsctx = tlscreatectx(RAD_TLS, t); - if (t->cacheexpiry) - t->tlsexpiry = now.tv_sec + t->cacheexpiry; - } - return t->tlsctx; -#endif -#ifdef RADPROT_DTLS - case RAD_DTLS: - if (t->dtlsexpiry && t->dtlsctx) { - if (t->dtlsexpiry < now.tv_sec) { - t->dtlsexpiry = now.tv_sec + t->cacheexpiry; - tlsaddcacrl(t->dtlsctx, t); - } - } - if (!t->dtlsctx) { - t->dtlsctx = tlscreatectx(RAD_DTLS, t); - if (t->cacheexpiry) - t->dtlsexpiry = now.tv_sec + t->cacheexpiry; - } - return t->dtlsctx; -#endif - } - return NULL; -} - -X509 *verifytlscert(SSL *ssl) { - X509 *cert; - unsigned long error; - - if (SSL_get_verify_result(ssl) != X509_V_OK) { - debug(DBG_ERR, "verifytlscert: basic validation failed"); - while ((error = ERR_get_error())) - debug(DBG_ERR, "verifytlscert: TLS: %s", ERR_error_string(error, NULL)); - return NULL; - } - - cert = SSL_get_peer_certificate(ssl); - if (!cert) - debug(DBG_ERR, "verifytlscert: failed to obtain certificate"); - return cert; -} - -int subjectaltnameaddr(X509 *cert, int family, const struct in6_addr *addr) { - int loc, i, l, n, r = 0; - char *v; - X509_EXTENSION *ex; - STACK_OF(GENERAL_NAME) *alt; - GENERAL_NAME *gn; - - debug(DBG_DBG, "subjectaltnameaddr"); - - loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); - if (loc < 0) - return r; - - ex = X509_get_ext(cert, loc); - alt = X509V3_EXT_d2i(ex); - if (!alt) - return r; - - n = sk_GENERAL_NAME_num(alt); - for (i = 0; i < n; i++) { - gn = sk_GENERAL_NAME_value(alt, i); - if (gn->type != GEN_IPADD) - continue; - r = -1; - v = (char *)ASN1_STRING_data(gn->d.ia5); - l = ASN1_STRING_length(gn->d.ia5); - if (((family == AF_INET && l == sizeof(struct in_addr)) || (family == AF_INET6 && l == sizeof(struct in6_addr))) - && !memcmp(v, &addr, l)) { - r = 1; - break; - } - } - GENERAL_NAMES_free(alt); - return r; -} - -int subjectaltnameregexp(X509 *cert, int type, const char *exact, const regex_t *regex) { - int loc, i, l, n, r = 0; - char *s, *v; - X509_EXTENSION *ex; - STACK_OF(GENERAL_NAME) *alt; - GENERAL_NAME *gn; - - debug(DBG_DBG, "subjectaltnameregexp"); - - loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); - if (loc < 0) - return r; - - ex = X509_get_ext(cert, loc); - alt = X509V3_EXT_d2i(ex); - if (!alt) - return r; - - n = sk_GENERAL_NAME_num(alt); - for (i = 0; i < n; i++) { - gn = sk_GENERAL_NAME_value(alt, i); - if (gn->type != type) - continue; - r = -1; - v = (char *)ASN1_STRING_data(gn->d.ia5); - l = ASN1_STRING_length(gn->d.ia5); - if (l <= 0) - continue; -#ifdef DEBUG - printfchars(NULL, gn->type == GEN_DNS ? "dns" : "uri", NULL, v, l); -#endif - if (exact) { - if (memcmp(v, exact, l)) - continue; - } else { - s = stringcopy((char *)v, l); - if (!s) { - debug(DBG_ERR, "malloc failed"); - continue; - } - if (regexec(regex, s, 0, NULL, 0)) { - free(s); - continue; - } - free(s); - } - r = 1; - break; - } - GENERAL_NAMES_free(alt); - return r; -} - -int cnregexp(X509 *cert, const char *exact, const regex_t *regex) { - int loc, l; - char *v, *s; - X509_NAME *nm; - X509_NAME_ENTRY *e; - ASN1_STRING *t; - - nm = X509_get_subject_name(cert); - loc = -1; - for (;;) { - loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc); - if (loc == -1) - break; - e = X509_NAME_get_entry(nm, loc); - t = X509_NAME_ENTRY_get_data(e); - v = (char *) ASN1_STRING_data(t); - l = ASN1_STRING_length(t); - if (l < 0) - continue; - if (exact) { - if (l == strlen(exact) && !strncasecmp(exact, v, l)) - return 1; - } else { - s = stringcopy((char *)v, l); - if (!s) { - debug(DBG_ERR, "malloc failed"); - continue; - } - if (regexec(regex, s, 0, NULL, 0)) { - free(s); - continue; - } - free(s); - return 1; - } - } - return 0; -} - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/tlscommon.h b/lib/radsecproxy/tlscommon.h deleted file mode 100644 index 5a6d262..0000000 --- a/lib/radsecproxy/tlscommon.h +++ /dev/null @@ -1,42 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#include -#include - -#if defined (__cplusplus) -extern "C" { -#endif - -struct tls { - char *name; - char *cacertfile; - char *cacertpath; - char *certfile; - char *certkeyfile; - char *certkeypwd; - uint8_t crlcheck; - char **policyoids; - uint32_t cacheexpiry; - uint32_t tlsexpiry; - uint32_t dtlsexpiry; - X509_VERIFY_PARAM *vpm; - SSL_CTX *tlsctx; - SSL_CTX *dtlsctx; -}; - -#if defined(RADPROT_TLS) || defined(RADPROT_DTLS) -SSL_CTX *tlsgetctx(uint8_t type, struct tls *t); -X509 *verifytlscert(SSL *ssl); -int subjectaltnameaddr(X509 *cert, int family, const struct in6_addr *addr); -int subjectaltnameregexp(X509 *cert, int type, const char *exact, const regex_t *regex); -int cnregexp(X509 *cert, const char *exact, const regex_t *regex); -#endif - -#if defined (__cplusplus) -} -#endif - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/tlv11.h b/lib/radsecproxy/tlv11.h deleted file mode 100644 index 87909c0..0000000 --- a/lib/radsecproxy/tlv11.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (c) 2008, UNINETT AS - * Copyright (c) 2010, NORDUnet A/S */ -/* See LICENSE for licensing information. */ - -struct tlv { - uint8_t t; - uint8_t l; - uint8_t *v; -}; - -struct tlv *maketlv(uint8_t, uint8_t, void *); -struct tlv *copytlv(struct tlv *); -void freetlv(struct tlv *); -int eqtlv(struct tlv *, struct tlv *); -struct list *copytlvlist(struct list *); -void freetlvlist(struct list *); -void rmtlv(struct list *, uint8_t); -uint8_t *tlv2str(struct tlv *tlv); -uint8_t *tlv2buf(uint8_t *, const struct tlv *tlv); - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/util.c b/lib/radsecproxy/util.c deleted file mode 100644 index ad974ac..0000000 --- a/lib/radsecproxy/util.c +++ /dev/null @@ -1,256 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS */ -/* See LICENSE for licensing information. */ - -/* Code contributions from: - * - * Stefan Winter - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "util.h" - -char *stringcopy(const char *s, int len) { - char *r; - if (!s) - return NULL; - if (!len) - len = strlen(s); - r = malloc(len + 1); - if (!r) - debug(DBG_ERR, "stringcopy: malloc failed"); - memcpy(r, s, len); - r[len] = '\0'; - return r; -} - -void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len) { - int i; - unsigned char *s = (unsigned char *)chars; - if (prefix) - printf(prefixfmt ? prefixfmt : "%s: ", prefix); - for (i = 0; i < len; i++) - printf(charfmt ? charfmt : "%c", s[i]); - printf("\n"); -} - -void port_set(struct sockaddr *sa, uint16_t port) { - switch (sa->sa_family) { - case AF_INET: - ((struct sockaddr_in *)sa)->sin_port = htons(port); - break; - case AF_INET6: - ((struct sockaddr_in6 *)sa)->sin6_port = htons(port); - break; - } -} - -struct sockaddr *addr_copy(struct sockaddr *in) { - struct sockaddr *out = NULL; - - switch (in->sa_family) { - case AF_INET: - out = malloc(sizeof(struct sockaddr_in)); - if (out) { - memset(out, 0, sizeof(struct sockaddr_in)); - ((struct sockaddr_in *)out)->sin_addr = ((struct sockaddr_in *)in)->sin_addr; - } - break; - case AF_INET6: - out = malloc(sizeof(struct sockaddr_in6)); - if (out) { - memset(out, 0, sizeof(struct sockaddr_in6)); - ((struct sockaddr_in6 *)out)->sin6_addr = ((struct sockaddr_in6 *)in)->sin6_addr; - } - break; - } - out->sa_family = in->sa_family; -#ifdef SIN6_LEN - out->sa_len = in->sa_len; -#endif - return out; -} - -char *addr2string(struct sockaddr *addr) { - union { - struct sockaddr *sa; - struct sockaddr_in *sa4; - struct sockaddr_in6 *sa6; - } u; - struct sockaddr_in sa4; - static char addr_buf[2][INET6_ADDRSTRLEN]; - static int i = 0; - i = !i; - u.sa = addr; - if (u.sa->sa_family == AF_INET6) { - if (IN6_IS_ADDR_V4MAPPED(&u.sa6->sin6_addr)) { - memset(&sa4, 0, sizeof(sa4)); - sa4.sin_family = AF_INET; - sa4.sin_port = u.sa6->sin6_port; - memcpy(&sa4.sin_addr, &u.sa6->sin6_addr.s6_addr[12], 4); - u.sa4 = &sa4; - } - } - if (getnameinfo(u.sa, SOCKADDRP_SIZE(u.sa), addr_buf[i], sizeof(addr_buf[i]), - NULL, 0, NI_NUMERICHOST)) { - debug(DBG_WARN, "getnameinfo failed"); - return "getnameinfo_failed"; - } - return addr_buf[i]; -} - -#if 0 -/* not in use */ -int connectport(int type, char *host, char *port) { - struct addrinfo hints, *res0, *res; - int s = -1; - - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = type; - hints.ai_family = AF_UNSPEC; - - if (getaddrinfo(host, port, &hints, &res0) != 0) { - debug(DBG_ERR, "connectport: can't resolve host %s port %s", host, port); - return -1; - } - - for (res = res0; res; res = res->ai_next) { - s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (s < 0) { - debug(DBG_WARN, "connectport: socket failed"); - continue; - } - if (connect(s, res->ai_addr, res->ai_addrlen) == 0) - break; - debug(DBG_WARN, "connectport: connect failed"); - close(s); - s = -1; - } - freeaddrinfo(res0); - return s; -} -#endif - -/* Disable the "Don't Fragment" bit for UDP sockets. It is set by default, which may cause an "oversized" - RADIUS packet to be discarded on first attempt (due to Path MTU discovery). -*/ - -void disable_DF_bit(int socket, struct addrinfo *res) { - if ((res->ai_family == AF_INET) && (res->ai_socktype == SOCK_DGRAM)) { -#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) - /* - * Turn off Path MTU discovery on IPv4/UDP sockets, Linux variant. - */ - int r, action; - debug(DBG_INFO, "disable_DF_bit: disabling DF bit (Linux variant)"); - action = IP_PMTUDISC_DONT; - r = setsockopt(socket, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)); - if (r == -1) - debug(DBG_WARN, "Failed to set IP_MTU_DISCOVER"); -#else - debug(DBG_INFO, "Non-Linux platform, unable to unset DF bit for UDP. You should check with tcpdump whether radsecproxy will send its UDP packets with DF bit set!"); -#endif - } -} - -int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only) { - int s, on = 1; - struct addrinfo *res; - - for (res = addrinfo; res; res = res->ai_next) { - if (family != AF_UNSPEC && family != res->ai_family) - continue; - s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (s < 0) { - debug(DBG_WARN, "bindtoaddr: socket failed"); - continue; - } - - disable_DF_bit(s,res); - - if (reuse) - setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); -#ifdef IPV6_V6ONLY - if (v6only) - setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)); -#endif - if (!bind(s, res->ai_addr, res->ai_addrlen)) - return s; - debug(DBG_WARN, "bindtoaddr: bind failed"); - close(s); - } - return -1; -} - -int connectnonblocking(int s, const struct sockaddr *addr, socklen_t addrlen, struct timeval *timeout) { - int origflags, error = 0, r = -1; - fd_set writefds; - socklen_t len; - - origflags = fcntl(s, F_GETFL, 0); - fcntl(s, F_SETFL, origflags | O_NONBLOCK); - if (!connect(s, addr, addrlen)) { - r = 0; - goto exit; - } - if (errno != EINPROGRESS) - goto exit; - - FD_ZERO(&writefds); - FD_SET(s, &writefds); - if (select(s + 1, NULL, &writefds, NULL, timeout) < 1) - goto exit; - - len = sizeof(error); - if (!getsockopt(s, SOL_SOCKET, SO_ERROR, (char*)&error, &len) && !error) - r = 0; - -exit: - fcntl(s, F_SETFL, origflags); - return r; -} - -int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout) { - int s; - struct addrinfo *res; - struct timeval to; - - s = -1; - if (timeout) { - if (addrinfo && addrinfo->ai_next && timeout > 5) - timeout = 5; - to.tv_sec = timeout; - to.tv_usec = 0; - } - - for (res = addrinfo; res; res = res->ai_next) { - s = bindtoaddr(src, res->ai_family, 1, 1); - if (s < 0) { - debug(DBG_WARN, "connecttoserver: socket failed"); - continue; - } - if ((timeout - ? connectnonblocking(s, res->ai_addr, res->ai_addrlen, &to) - : connect(s, res->ai_addr, res->ai_addrlen)) == 0) - break; - debug(DBG_WARN, "connecttoserver: connect failed"); - close(s); - s = -1; - } - return s; -} - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/radsecproxy/util.h b/lib/radsecproxy/util.h deleted file mode 100644 index cec4673..0000000 --- a/lib/radsecproxy/util.h +++ /dev/null @@ -1,35 +0,0 @@ -/* Copyright (c) 2007-2009, UNINETT AS */ -/* See LICENSE for licensing information. */ - -#include -#include - -#define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \ - sizeof(struct sockaddr_in) : \ - sizeof(struct sockaddr_in6)) - -#define SOCKADDRP_SIZE(addr) ((addr)->sa_family == AF_INET ? \ - sizeof(struct sockaddr_in) : \ - sizeof(struct sockaddr_in6)) - -#if defined (__cplusplus) -extern "C" { -#endif - -char *stringcopy(const char *s, int len); -char *addr2string(struct sockaddr *addr); -struct sockaddr *addr_copy(struct sockaddr *in); -void port_set(struct sockaddr *sa, uint16_t port); - -void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len); -void disable_DF_bit(int socket, struct addrinfo *res); -int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only); -int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout); - -#if defined (__cplusplus) -} -#endif - -/* Local Variables: */ -/* c-file-style: "stroustrup" */ -/* End: */ diff --git a/lib/request.c b/lib/request.c deleted file mode 100644 index 40ac56d..0000000 --- a/lib/request.c +++ /dev/null @@ -1,158 +0,0 @@ -/* Copyright 2010-2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "conn.h" -#include "tcp.h" -#include "udp.h" - -/* RFC 5080 2.2.1. Retransmission Behavior. */ -#define IRT 2 -#define MRC 5 -#define MRT 16 -#define MRD 30 -#define RAND 100 /* Rand factor, milliseconds. */ - -int -rs_request_create (struct rs_connection *conn, struct rs_request **req_out) -{ - struct rs_request *req = rs_malloc (conn->ctx, sizeof(*req)); - assert (req_out); - if (!req) - return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); - memset (req, 0, sizeof(*req)); - req->conn = conn; - *req_out = req; - return RSE_OK; -} - -void -rs_request_add_reqpkt (struct rs_request *req, struct rs_packet *req_msg) -{ - assert (req); - req->req_msg = req_msg; -} - -int -rs_request_create_authn (struct rs_connection *conn, - struct rs_request **req_out, - const char *user_name, - const char *user_pw) -{ - struct rs_request *req = NULL; - assert (req_out); - - if (rs_request_create (conn, &req)) - return -1; - - if (rs_packet_create_authn_request (conn, &req->req_msg, user_name, user_pw)) - return -1; - - if (req_out) - *req_out = req; - return RSE_OK; -} - -void -rs_request_destroy (struct rs_request *request) -{ - assert (request); - assert (request->conn); - assert (request->conn->ctx); - - if (request->req_msg) - rs_packet_destroy (request->req_msg); - rs_free (request->conn->ctx, request); -} - -static void -_rand_rt (struct timeval *res, uint32_t rtprev, uint32_t factor) -{ - uint32_t ms = rtprev * (nr_rand () % factor); - res->tv_sec = rtprev + ms / 1000; - res->tv_usec = (ms % 1000) * 1000; -} - -int -rs_request_send (struct rs_request *request, struct rs_packet **resp_msg) -{ - int r = 0; - struct rs_connection *conn = NULL; - int count = 0; - struct timeval rt = {0,0}; - struct timeval end = {0,0}; - struct timeval now = {0,0}; - struct timeval tmp_tv = {0,0}; - const struct timeval mrt_tv = {MRT,0}; - - if (!request || !request->conn || !request->req_msg || !resp_msg) - return rs_err_conn_push_fl (conn, RSE_INVAL, __FILE__, __LINE__, NULL); - conn = request->conn; - assert (!conn_user_dispatch_p (conn)); /* This function is high level. */ - - gettimeofday (&end, NULL); - end.tv_sec += MRD; - _rand_rt (&rt, IRT, RAND); - while (1) - { - rs_conn_set_timeout (conn, &rt); - - r = rs_packet_send (request->req_msg, NULL); - if (r == RSE_OK) - { - r = rs_conn_receive_packet (request->conn, - request->req_msg, - resp_msg); - if (r == RSE_OK) - break; /* Success. */ - } - if (r != RSE_TIMEOUT_CONN && r != RSE_TIMEOUT_IO) - break; /* Error. */ - - /* Timing out reading or writing. Pop the timeout error from the - stack and continue the loop. */ - rs_err_conn_pop (request->conn); - - gettimeofday (&now, NULL); - if (++count > MRC || timercmp (&now, &end, >)) - { - r = rs_err_conn_push_fl (request->conn, RSE_TIMEOUT, - __FILE__, __LINE__, NULL); - break; /* Timeout. */ - } - - /* rt = 2 * rt + rand_rt (rt, RAND); */ - timeradd (&rt, &rt, &rt); - _rand_rt (&tmp_tv, IRT, RAND); - timeradd (&rt, &tmp_tv, &rt); - if (timercmp (&rt, &mrt_tv, >)) - _rand_rt (&rt, MRT, RAND); - } - - timerclear (&rt); - rs_conn_set_timeout (conn, &rt); - - rs_debug (("%s: returning %d\n", __func__, r)); - return r; -} - -struct rs_packet * -rs_request_get_reqmsg (const struct rs_request *request) -{ - assert (request); - return request->req_msg; -} diff --git a/lib/send.c b/lib/send.c deleted file mode 100644 index 3161bbe..0000000 --- a/lib/send.c +++ /dev/null @@ -1,138 +0,0 @@ -/* Copyright 2011,2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include "debug.h" -#include "packet.h" -#include "event.h" -#include "peer.h" -#include "conn.h" -#include "tcp.h" -#include "udp.h" - -static int -_conn_open (struct rs_connection *conn, struct rs_packet *pkt) -{ - if (event_init_eventbase (conn)) - return -1; - - if (!conn->active_peer) - peer_pick_peer (conn); - if (!conn->active_peer) - return rs_err_conn_push_fl (conn, RSE_NOPEER, __FILE__, __LINE__, NULL); - - if (event_init_socket (conn, conn->active_peer)) - return -1; - - if (conn->realm->type == RS_CONN_TYPE_TCP - || conn->realm->type == RS_CONN_TYPE_TLS) - { - if (tcp_init_connect_timer (conn)) - return -1; - if (event_init_bufferevent (conn, conn->active_peer)) - return -1; - } - else - { - if (udp_init (conn, pkt)) - return -1; - if (udp_init_retransmit_timer (conn)) - return -1; - } - - if (!conn->is_connected) - if (!conn->is_connecting) - event_do_connect (conn); - - return RSE_OK; -} - -static int -_conn_is_open_p (struct rs_connection *conn) -{ - return conn->active_peer && conn->is_connected; -} - -/* User callback used when we're dispatching for user. */ -static void -_wcb (void *user_data) -{ - struct rs_packet *pkt = (struct rs_packet *) user_data; - assert (pkt); - pkt->flags |= RS_PACKET_SENT; - if (pkt->conn->bev) - bufferevent_disable (pkt->conn->bev, EV_WRITE|EV_READ); - else - event_del (pkt->conn->wev); -} - -int -rs_packet_send (struct rs_packet *pkt, void *user_data) -{ - struct rs_connection *conn = NULL; - int err = 0; - - assert (pkt); - assert (pkt->conn); - conn = pkt->conn; - - if (_conn_is_open_p (conn)) - packet_do_send (pkt); - else - if (_conn_open (conn, pkt)) - return -1; - - assert (conn->evb); - assert (conn->active_peer); - assert (conn->fd >= 0); - - conn->user_data = user_data; - - if (conn->bev) /* TCP */ - { - bufferevent_setcb (conn->bev, NULL, tcp_write_cb, tcp_event_cb, pkt); - bufferevent_enable (conn->bev, EV_WRITE); - } - else /* UDP */ - { - event_assign (conn->wev, conn->evb, event_get_fd (conn->wev), - EV_WRITE, event_get_callback (conn->wev), pkt); - err = event_add (conn->wev, NULL); - if (err < 0) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "event_add: %s", - evutil_gai_strerror (err)); - } - - /* Do dispatch, unless the user wants to do it herself. */ - if (!conn_user_dispatch_p (conn)) - { - conn->callbacks.sent_cb = _wcb; - conn->user_data = pkt; - rs_debug (("%s: entering event loop\n", __func__)); - err = event_base_dispatch (conn->evb); - if (err < 0) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "event_base_dispatch: %s", - evutil_gai_strerror (err)); - rs_debug (("%s: event loop done\n", __func__)); - conn->callbacks.sent_cb = NULL; - conn->user_data = NULL; - - if ((pkt->flags & RS_PACKET_SENT) == 0) - { - assert (rs_err_conn_peek_code (conn)); - return rs_err_conn_peek_code (conn); - } - } - - return RSE_OK; -} diff --git a/lib/tcp.c b/lib/tcp.c deleted file mode 100644 index 07bc109..0000000 --- a/lib/tcp.c +++ /dev/null @@ -1,274 +0,0 @@ -/* Copyright 2011-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#if defined (RS_ENABLE_TLS) -#include -#include -#endif -#include -#include -#include -#include "tcp.h" -#include "packet.h" -#include "conn.h" -#include "debug.h" -#include "event.h" - -#if defined (DEBUG) -#include -#endif - -/** Read one RADIUS packet header. Return !0 on error. */ -static int -_read_header (struct rs_packet *pkt) -{ - size_t n = 0; - - n = bufferevent_read (pkt->conn->bev, pkt->hdr, RS_HEADER_LEN); - if (n == RS_HEADER_LEN) - { - pkt->flags |= RS_PACKET_HEADER_READ; - pkt->rpkt->length = (pkt->hdr[2] << 8) + pkt->hdr[3]; - if (pkt->rpkt->length < 20 || pkt->rpkt->length > RS_MAX_PACKET_LEN) - { - rs_debug (("%s: invalid packet length: %d\n", - __func__, pkt->rpkt->length)); - rs_conn_disconnect (pkt->conn); - return rs_err_conn_push (pkt->conn, RSE_INVALID_PKT, - "invalid packet length: %d", - pkt->rpkt->length); - } - memcpy (pkt->rpkt->data, pkt->hdr, RS_HEADER_LEN); - bufferevent_setwatermark (pkt->conn->bev, EV_READ, - pkt->rpkt->length - RS_HEADER_LEN, 0); - rs_debug (("%s: packet header read, total pkt len=%d\n", - __func__, pkt->rpkt->length)); - } - else if (n < 0) - { - rs_debug (("%s: buffer frozen while reading header\n", __func__)); - } - else /* Error: libevent gave us less than the low watermark. */ - { - rs_debug (("%s: got: %d octets reading header\n", __func__, n)); - rs_conn_disconnect (pkt->conn); - return rs_err_conn_push_fl (pkt->conn, RSE_INTERNAL, __FILE__, __LINE__, - "got %d octets reading header", n); - } - - return 0; -} - -/** Read a message, check that it's valid RADIUS and hand it off to - registered user callback. - - The packet is read from the bufferevent associated with \a pkt and - the data is stored in \a pkt->rpkt. - - Return 0 on success and !0 on failure. */ -static int -_read_packet (struct rs_packet *pkt) -{ - size_t n = 0; - int err; - - rs_debug (("%s: trying to read %d octets of packet data\n", __func__, - pkt->rpkt->length - RS_HEADER_LEN)); - - n = bufferevent_read (pkt->conn->bev, - pkt->rpkt->data + RS_HEADER_LEN, - pkt->rpkt->length - RS_HEADER_LEN); - - rs_debug (("%s: read %ld octets of packet data\n", __func__, n)); - - if (n == pkt->rpkt->length - RS_HEADER_LEN) - { - bufferevent_disable (pkt->conn->bev, EV_READ); - rs_debug (("%s: complete packet read\n", __func__)); - pkt->flags &= ~RS_PACKET_HEADER_READ; - memset (pkt->hdr, 0, sizeof(*pkt->hdr)); - - /* Checks done by rad_packet_ok: - - lenghts (FIXME: checks really ok for tcp?) - - invalid code field - - attribute lengths >= 2 - - attribute sizes adding up correctly */ - err = nr_packet_ok (pkt->rpkt); - if (err != RSE_OK) - { - rs_debug (("%s: %d: invalid packet\n", __func__, -err)); - rs_conn_disconnect (pkt->conn); - return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, - "invalid packet"); - } - -#if defined (DEBUG) - /* Find out what happens if there's data left in the buffer. */ - { - size_t rest = 0; - rest = evbuffer_get_length (bufferevent_get_input (pkt->conn->bev)); - if (rest) - rs_debug (("%s: returning with %d octets left in buffer\n", __func__, - rest)); - } -#endif - - /* Hand over message to user. This changes ownership of pkt. - Don't touch it afterwards -- it might have been freed. */ - if (pkt->conn->callbacks.received_cb) - pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data); - } - else if (n < 0) /* Buffer frozen. */ - rs_debug (("%s: buffer frozen when reading packet\n", __func__)); - else /* Short packet. */ - rs_debug (("%s: waiting for another %d octets\n", __func__, - pkt->rpkt->length - RS_HEADER_LEN - n)); - - return 0; -} - -/* The read callback for TCP. - - Read exactly one RADIUS message from BEV and store it in struct - rs_packet passed in USER_DATA. - - Inform upper layer about successful reception of received RADIUS - message by invoking conn->callbacks.recevied_cb(), if !NULL. */ -void -tcp_read_cb (struct bufferevent *bev, void *user_data) -{ - struct rs_packet *pkt = (struct rs_packet *) user_data; - - assert (pkt); - assert (pkt->conn); - assert (pkt->rpkt); - - pkt->rpkt->sockfd = pkt->conn->fd; - pkt->rpkt->vps = NULL; /* FIXME: can this be done when initializing pkt? */ - - /* Read a message header if not already read, return if that - fails. Read a message and have it dispatched to the user - registered callback. - - Room for improvement: Peek inside buffer (evbuffer_copyout()) to - avoid the extra copying. */ - if ((pkt->flags & RS_PACKET_HEADER_READ) == 0) - if (_read_header (pkt)) - return; /* Error. */ - _read_packet (pkt); -} - -void -tcp_event_cb (struct bufferevent *bev, short events, void *user_data) -{ - struct rs_packet *pkt = (struct rs_packet *) user_data; - struct rs_connection *conn = NULL; - int sockerr = 0; -#if defined (RS_ENABLE_TLS) - unsigned long tlserr = 0; -#endif -#if defined (DEBUG) - struct rs_peer *p = NULL; -#endif - - assert (pkt); - assert (pkt->conn); - conn = pkt->conn; -#if defined (DEBUG) - assert (pkt->conn->active_peer); - p = conn->active_peer; -#endif - - conn->is_connecting = 0; - if (events & BEV_EVENT_CONNECTED) - { - if (conn->tev) - evtimer_del (conn->tev); /* Cancel connect timer. */ - if (event_on_connect (conn, pkt)) - { - event_on_disconnect (conn); - event_loopbreak (conn); - } - } - else if (events & BEV_EVENT_EOF) - { - event_on_disconnect (conn); - } - else if (events & BEV_EVENT_TIMEOUT) - { - rs_debug (("%s: %p times out on %s\n", __func__, p, - (events & BEV_EVENT_READING) ? "read" : "write")); - rs_err_conn_push_fl (conn, RSE_TIMEOUT_IO, __FILE__, __LINE__, NULL); - } - else if (events & BEV_EVENT_ERROR) - { - sockerr = evutil_socket_geterror (conn->active_peer->fd); - if (sockerr == 0) /* FIXME: True that errno == 0 means closed? */ - { - event_on_disconnect (conn); - rs_err_conn_push_fl (conn, RSE_DISCO, __FILE__, __LINE__, NULL); - } - else - { - rs_debug (("%s: %d: %d (%s)\n", __func__, conn->fd, sockerr, - evutil_socket_error_to_string (sockerr))); - rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, - "%d: %d (%s)", conn->fd, sockerr, - evutil_socket_error_to_string (sockerr)); - } -#if defined (RS_ENABLE_TLS) - if (conn->tls_ssl) /* FIXME: correct check? */ - { - for (tlserr = bufferevent_get_openssl_error (conn->bev); - tlserr; - tlserr = bufferevent_get_openssl_error (conn->bev)) - { - rs_debug (("%s: openssl error: %s\n", __func__, - ERR_error_string (tlserr, NULL))); - rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, - ERR_error_string (tlserr, NULL)); - } - } -#endif /* RS_ENABLE_TLS */ - event_loopbreak (conn); - } - -#if defined (DEBUG) - if (events & BEV_EVENT_ERROR && events != BEV_EVENT_ERROR) - rs_debug (("%s: BEV_EVENT_ERROR and more: 0x%x\n", __func__, events)); -#endif -} - -void -tcp_write_cb (struct bufferevent *bev, void *ctx) -{ - struct rs_packet *pkt = (struct rs_packet *) ctx; - - assert (pkt); - assert (pkt->conn); - - if (pkt->conn->callbacks.sent_cb) - pkt->conn->callbacks.sent_cb (pkt->conn->user_data); -} - -int -tcp_init_connect_timer (struct rs_connection *conn) -{ - assert (conn); - - if (conn->tev) - event_free (conn->tev); - conn->tev = evtimer_new (conn->evb, event_conn_timeout_cb, conn); - if (!conn->tev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "evtimer_new"); - - return RSE_OK; -} diff --git a/lib/tcp.h b/lib/tcp.h deleted file mode 100644 index eddc4c8..0000000 --- a/lib/tcp.h +++ /dev/null @@ -1,7 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -void tcp_event_cb (struct bufferevent *bev, short events, void *user_data); -void tcp_read_cb (struct bufferevent *bev, void *user_data); -void tcp_write_cb (struct bufferevent *bev, void *ctx); -int tcp_init_connect_timer (struct rs_connection *conn); diff --git a/lib/tests/Makefile.am b/lib/tests/Makefile.am deleted file mode 100644 index 09f9d28..0000000 --- a/lib/tests/Makefile.am +++ /dev/null @@ -1,12 +0,0 @@ -AUTOMAKE_OPTIONS = foreign -AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) -AM_CFLAGS = -Wall -Werror -g - -TESTS = test-udp - -check_PROGRAMS = test-udp udp-server - -test_udp_SOURCES = test-udp.c udp.c udp.h -test_udp_LDADD = ../libradsec.la -lcunit -lm - -udp_server_SOURCES = udp-server.c udp.c udp.h diff --git a/lib/tests/README b/lib/tests/README deleted file mode 100644 index 33bddc1..0000000 --- a/lib/tests/README +++ /dev/null @@ -1,39 +0,0 @@ -This is the README file for the test directory of libradsec. - -Build ------ - -In order to build and run the tests, you'll need to have CUnit -installed. - -Source code: http://cunit.sourceforge.net/ -Debian package: libcunit1-dev -FreeBSD port: devel/cunit - - -Run ---- - -NOTE: To run the tests you currently need -- a RADIUS server running at localhost:1820 with the shared RADIUS - secret "sikrit" configured (or whatever "test-udp-auth" in test.conf - says) -- a user "molgan@PROJECT-MOONSHOT.ORG" with password "password" - present in the RADIUS database -These requirements will be removed in a future libradsec release. - - -Run the tests by typing - - make check - -The output should read something like - - --Run Summary: Type Total Ran Passed Failed - suites 2 2 n/a 0 - tests 2 2 2 0 - asserts 23 23 23 0 - PASS: test-udp - ============= - 1 test passed - ============= diff --git a/lib/tests/demoCA/index.txt b/lib/tests/demoCA/index.txt deleted file mode 100644 index 51f934f..0000000 --- a/lib/tests/demoCA/index.txt +++ /dev/null @@ -1,3 +0,0 @@ -V 250806115449Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ca -V 250806115457Z 02 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=srv1 -V 250806115504Z 03 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=cli1 diff --git a/lib/tests/demoCA/index.txt.attr b/lib/tests/demoCA/index.txt.attr deleted file mode 100644 index 8f7e63a..0000000 --- a/lib/tests/demoCA/index.txt.attr +++ /dev/null @@ -1 +0,0 @@ -unique_subject = yes diff --git a/lib/tests/demoCA/newcerts/01.pem b/lib/tests/demoCA/newcerts/01.pem deleted file mode 100644 index 29cb5ee..0000000 --- a/lib/tests/demoCA/newcerts/01.pem +++ /dev/null @@ -1,46 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca - Validity - Not Before: Sep 12 11:54:49 2012 GMT - Not After : Aug 6 11:54:49 2025 GMT - Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (512 bit) - Modulus: - 00:eb:9e:52:bf:1a:7c:32:63:9f:96:80:71:f1:98: - 87:90:97:f1:7a:4a:81:6d:66:7e:8e:7c:50:5f:f9: - 6e:94:1a:b0:7b:46:87:b5:9e:23:48:04:ad:f3:55: - a1:f9:31:50:a1:10:ab:ca:ba:70:ac:58:95:4e:9d: - 3a:2b:52:36:df - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 - X509v3 Authority Key Identifier: - keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 - - X509v3 Basic Constraints: - CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 15:12:3b:79:3d:61:d2:c7:d2:a8:0c:df:82:ea:66:76:26:cb: - ab:b5:83:a3:52:a0:23:1a:a9:92:8e:93:41:f7:6c:3f:8a:2c: - bd:32:3d:70:3f:b6:fd:f2:37:50:0a:66:8c:1c:44:bf:ef:50: - 24:33:bd:48:47:04:ee:8c:61:88 ------BEGIN CERTIFICATE----- -MIIB5TCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET -MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ -dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU0NDlaFw0yNTA4MDYxMTU0 -NDlaMFIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK -DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAmNhMFwwDQYJKoZI -hvcNAQEBBQADSwAwSAJBAOueUr8afDJjn5aAcfGYh5CX8XpKgW1mfo58UF/5bpQa -sHtGh7WeI0gErfNVofkxUKEQq8q6cKxYlU6dOitSNt8CAwEAAaNQME4wHQYDVR0O -BBYEFBFXQAvwMy+uwtqkOgC66TSzdSAFMB8GA1UdIwQYMBaAFBFXQAvwMy+uwtqk -OgC66TSzdSAFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADQQAVEjt5PWHS -x9KoDN+C6mZ2JsurtYOjUqAjGqmSjpNB92w/iiy9Mj1wP7b98jdQCmaMHES/71Ak -M71IRwTujGGI ------END CERTIFICATE----- diff --git a/lib/tests/demoCA/newcerts/02.pem b/lib/tests/demoCA/newcerts/02.pem deleted file mode 100644 index 2e1cccb..0000000 --- a/lib/tests/demoCA/newcerts/02.pem +++ /dev/null @@ -1,49 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca - Validity - Not Before: Sep 12 11:54:57 2012 GMT - Not After : Aug 6 11:54:57 2025 GMT - Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=srv1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (512 bit) - Modulus: - 00:ac:21:78:6f:cb:1c:10:c2:71:7b:72:03:e3:4b: - b2:c7:f6:63:3f:69:d3:d3:48:e0:90:16:0f:5a:44: - f5:9c:ed:b9:6b:72:be:11:6e:26:09:32:0c:51:25: - 10:35:fe:a0:33:fe:cf:90:9f:2c:8b:3a:c5:98:86: - c2:a9:5c:ba:a7 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 08:13:6F:A0:93:47:21:31:9F:02:79:A5:CF:24:4A:D1:0B:A7:10:09 - X509v3 Authority Key Identifier: - keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 - - Signature Algorithm: sha1WithRSAEncryption - 2c:7e:61:65:48:cc:46:50:58:cc:9d:1b:b2:e7:2d:2b:72:e2: - a1:2f:2c:14:35:4d:b8:42:87:66:57:77:c4:02:17:fa:3c:db: - 83:3f:89:37:ae:f8:e9:00:fe:96:d8:4b:80:63:db:08:7a:c6: - e1:c7:59:ec:d9:76:4a:be:1a:19 ------BEGIN CERTIFICATE----- -MIICEjCCAbygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET -MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ -dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU0NTdaFw0yNTA4MDYxMTU0 -NTdaMFQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK -DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDTALBgNVBAMMBHNydjEwXDANBgkq -hkiG9w0BAQEFAANLADBIAkEArCF4b8scEMJxe3ID40uyx/ZjP2nT00jgkBYPWkT1 -nO25a3K+EW4mCTIMUSUQNf6gM/7PkJ8sizrFmIbCqVy6pwIDAQABo3sweTAJBgNV -HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp -Y2F0ZTAdBgNVHQ4EFgQUCBNvoJNHITGfAnmlzyRK0QunEAkwHwYDVR0jBBgwFoAU -EVdAC/AzL67C2qQ6ALrpNLN1IAUwDQYJKoZIhvcNAQEFBQADQQAsfmFlSMxGUFjM -nRuy5y0rcuKhLywUNU24QodmV3fEAhf6PNuDP4k3rvjpAP6W2EuAY9sIesbhx1ns -2XZKvhoZ ------END CERTIFICATE----- diff --git a/lib/tests/demoCA/newcerts/03.pem b/lib/tests/demoCA/newcerts/03.pem deleted file mode 100644 index d07be19..0000000 --- a/lib/tests/demoCA/newcerts/03.pem +++ /dev/null @@ -1,49 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca - Validity - Not Before: Sep 12 11:55:04 2012 GMT - Not After : Aug 6 11:55:04 2025 GMT - Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=cli1 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (512 bit) - Modulus: - 00:99:7b:86:e0:46:de:f1:69:10:97:f8:4e:78:c8: - ee:c2:c8:65:64:90:72:dd:51:4f:c6:58:78:49:07: - 61:b9:ed:0a:77:7b:d2:6a:c3:49:e5:91:6c:bf:78: - d0:fc:8a:5c:80:1a:b0:03:28:b2:ea:e8:c8:a0:b6: - be:a1:42:30:5d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 10:17:90:80:D8:B0:7E:91:91:13:32:27:8C:EF:A6:DE:9F:C1:C4:A7 - X509v3 Authority Key Identifier: - keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 - - Signature Algorithm: sha1WithRSAEncryption - b1:08:87:88:7d:90:78:01:da:4a:e7:be:82:22:3f:58:07:f7: - 46:a9:9a:42:a4:88:d9:b8:6a:69:bf:cb:d0:39:2d:c9:49:06: - fa:31:80:66:17:32:cc:e8:ae:36:9c:c1:d5:ae:6d:3c:eb:72: - 77:55:92:fa:ab:f5:a3:bc:19:2d ------BEGIN CERTIFICATE----- -MIICEjCCAbygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET -MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ -dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU1MDRaFw0yNTA4MDYxMTU1 -MDRaMFQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK -DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDTALBgNVBAMMBGNsaTEwXDANBgkq -hkiG9w0BAQEFAANLADBIAkEAmXuG4Ebe8WkQl/hOeMjuwshlZJBy3VFPxlh4SQdh -ue0Kd3vSasNJ5ZFsv3jQ/IpcgBqwAyiy6ujIoLa+oUIwXQIDAQABo3sweTAJBgNV -HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp -Y2F0ZTAdBgNVHQ4EFgQUEBeQgNiwfpGREzInjO+m3p/BxKcwHwYDVR0jBBgwFoAU -EVdAC/AzL67C2qQ6ALrpNLN1IAUwDQYJKoZIhvcNAQEFBQADQQCxCIeIfZB4AdpK -576CIj9YB/dGqZpCpIjZuGppv8vQOS3JSQb6MYBmFzLM6K42nMHVrm0863J3VZL6 -q/WjvBkt ------END CERTIFICATE----- diff --git a/lib/tests/demoCA/private/cakey.pem b/lib/tests/demoCA/private/cakey.pem deleted file mode 100644 index e7df9d0..0000000 --- a/lib/tests/demoCA/private/cakey.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAOueUr8afDJjn5aAcfGYh5CX8XpKgW1mfo58UF/5bpQasHtGh7We -I0gErfNVofkxUKEQq8q6cKxYlU6dOitSNt8CAwEAAQJAR+SmQPN24/Ur88M7gUlW -TBNgtjzXoyb8BMP/zlkQmZW5Tcv1xCa1UwK33u2wSmhSNP6zA1QrC2d2pv/7XZEp -wQIhAPpf2QuEooR5BPrvDiAVPlKp31EROrZOiOV5hbV1Kzx/AiEA8OmZZrvgrdQu -3PKRLfxD11NKf0yhC+7WdVWguYZ1VaECIF99XMcyz9TcXxThRa7gy0M1vJErlAvh -yf5TKba6OEI7AiBpNctdl11G7OxOZ8zJZWsHRYO6Vm/as0KLWYromvTxIQIhAK0c -r+G23R+dHDUdNEBSi6G74dbaJqaA8LsVr9w9m5gY ------END RSA PRIVATE KEY----- diff --git a/lib/tests/demoCA/private/cli1.key b/lib/tests/demoCA/private/cli1.key deleted file mode 100644 index 09381f1..0000000 --- a/lib/tests/demoCA/private/cli1.key +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIBOQIBAAJBAJl7huBG3vFpEJf4TnjI7sLIZWSQct1RT8ZYeEkHYbntCnd70mrD -SeWRbL940PyKXIAasAMosuroyKC2vqFCMF0CAwEAAQJAEozki1zle0YYlFWVnnGi -sfYokxQGXguC2dU9jI4Q2LjGut6mVx/zLIU59BS4nUq2aYHg0hxwwzOba92c0lT/ -HQIhAMp0+k7FtDdRQzIaDzeEY6MYyLhhhukhI3xpyXYVuyx7AiEAwhLQl6hYlsgh -78CzTAhAdbheAwIQWyvY7XjKzxdpGwcCIG/hr0YC2bHMNZ8laY1bmxhRpPLH6p9A -0fR6HXwlTDerAiA1y21SfHGB6huuD2Yjry3e86nrf4j1HKRWvuLIoJ6bxQIgWmyj -YOSFsaBwj9ptkY0d4H84SDHnt7GRypm0/98OSg8= ------END RSA PRIVATE KEY----- diff --git a/lib/tests/demoCA/private/srv1.key b/lib/tests/demoCA/private/srv1.key deleted file mode 100644 index 284f1e1..0000000 --- a/lib/tests/demoCA/private/srv1.key +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIBOgIBAAJBAKwheG/LHBDCcXtyA+NLssf2Yz9p09NI4JAWD1pE9ZztuWtyvhFu -JgkyDFElEDX+oDP+z5CfLIs6xZiGwqlcuqcCAwEAAQJAbviJF7GfH2LsHISt4vyr -fuTmqTxF1wI13E6MiUrJ+eftT7Hq1Wq6B7gmlI1iJiJLlAH6o93PYhp8559Dfp+q -wQIhAOMbFp0NJPrVpycx5dQAYpM/edqXoOENQf1lMLOmOHlhAiEAwgfTbAaGNfQS -uXfzj0sx+IvoKE/MXfLKZ/uE9futCQcCIQC/mMjZMo+yNrHQdV5KHxEK3RB2hFmr -xD2aA9a0mVUnwQIgbYjHdNNWDr1DmMo7h+g2RI6Ot7scruiyFPNrgwXaEB8CICMa -8wjF27wlJ2nmhM9ZXUBtvBKgU+jspsA8n+wU+o+f ------END RSA PRIVATE KEY----- diff --git a/lib/tests/demoCA/serial b/lib/tests/demoCA/serial deleted file mode 100644 index 6496923..0000000 --- a/lib/tests/demoCA/serial +++ /dev/null @@ -1 +0,0 @@ -04 diff --git a/lib/tests/test-udp.c b/lib/tests/test-udp.c deleted file mode 100644 index ed176c0..0000000 --- a/lib/tests/test-udp.c +++ /dev/null @@ -1,153 +0,0 @@ -/* Copyright 2011,2013, NORDUnet A/S. All rights reserved. */ -/* See LICENSE for licensing information. */ - -#include -#include -#include -#include "radius/client.h" -#include "radsec/radsec.h" -#include "radsec/request.h" -#include "udp.h" - -static void -authenticate (struct rs_connection *conn, const char *user, const char *pw) -{ - struct rs_request *req; - struct rs_packet *msg, *resp; - - CU_ASSERT (rs_request_create (conn, &req) == 0); - CU_ASSERT (!rs_packet_create_authn_request (conn, &msg, user, pw)); - rs_request_add_reqpkt (req, msg); - CU_ASSERT (rs_request_send (req, &resp) == 0); - //printf ("%s\n", rs_err_msg (rs_err_conn_pop (conn), 1)); - CU_ASSERT (rs_packet_code(resp) == PW_ACCESS_ACCEPT); - - rs_request_destroy (req); -} - -static void -send_more_than_one_msg_in_one_packet (struct rs_connection *conn) -{ - struct rs_packet *msg0, *msg1; - - CU_ASSERT (rs_packet_create_authn_request (conn, &msg0, NULL, NULL) == 0); - CU_ASSERT (rs_packet_create_authn_request (conn, &msg1, NULL, NULL) == 0); - CU_ASSERT (rs_packet_send (msg0, NULL) == 0); - CU_ASSERT (rs_packet_send (msg1, NULL) == 0); -} - -#if 0 -static void -send_large_packet (struct rs_connection *conn) -{ - struct rs_packet *msg0; - struct radius_packet *frpkt = NULL; - char *buf; - int f; - - buf = malloc (RS_MAX_PACKET_LEN); - CU_ASSERT (buf != NULL); - memset (buf, 0, RS_MAX_PACKET_LEN); - - CU_ASSERT (rs_packet_create (conn, &msg0) == 0); - /* 16 chunks --> heap corruption in evbuffer_drain detected by free() */ - for (f = 0; f < 15; f++) - { - memset (buf, 'a' + f, 252); - //vp = pairmake ("EAP-Message", buf, T_OP_EQ); - CU_ASSERT (rs_packet_append_avp (msg0, fixme...) == RSE_OK); - } - CU_ASSERT (rs_packet_send (msg0, NULL) == 0); -} -#endif /* 0 */ - -/* ************************************************************ */ -static struct setup { - char *config_file; - char *config_name; - char *username; - char *pw; -} setup; - -static void -test_auth () -{ - struct rs_context *ctx; - struct rs_connection *conn; - - setup.config_file = "test.conf"; - setup.config_name = "test-udp-auth"; - setup.username = "molgan@PROJECT-MOONSHOT.ORG"; - setup.pw = "password"; - - CU_ASSERT (rs_context_create (&ctx) == 0); - CU_ASSERT (rs_context_read_config (ctx, setup.config_file) == 0); - CU_ASSERT (rs_conn_create (ctx, &conn, setup.config_name) == 0); - - authenticate (conn, setup.username, setup.pw); - - rs_conn_destroy (conn); - rs_context_destroy (ctx); -} - -static ssize_t -test_buffering_cb (const uint8_t *buf, ssize_t len) -{ - /* "Exactly one RADIUS packet is encapsulated in the UDP Data field" - [RFC 2865]*/ -#if 0 - hd (buf, len); -#endif - CU_ASSERT (len >= 20); - CU_ASSERT (len <= RS_MAX_PACKET_LEN); - CU_ASSERT ((buf[2] << 8) + buf[3] == len); - return len; -} - -static void -test_buffering () -{ - struct rs_context *ctx; - struct rs_connection *conn; - struct timeval timeout; - struct polldata *polldata; - - CU_ASSERT (rs_context_create (&ctx) == 0); - CU_ASSERT (rs_context_read_config (ctx, "test.conf") == 0); - CU_ASSERT (rs_conn_create (ctx, &conn, "test-udp-buffering") == 0); - - timeout.tv_sec = 0; - timeout.tv_usec = 150000; - polldata = udp_server ("11820", &timeout, test_buffering_cb); - CU_ASSERT (polldata != NULL); - - send_more_than_one_msg_in_one_packet (conn); - CU_ASSERT (udp_poll (polldata) > 0); - CU_ASSERT (udp_poll (polldata) > 0); - - - udp_free_polldata (polldata); - rs_conn_destroy (conn); - rs_context_destroy (ctx); -} - -/* ************************************************************ */ -int -main (int argc, char *argv[]) -{ - CU_pSuite s = NULL; - CU_pTest t = NULL; - unsigned int nfail; - - assert (CU_initialize_registry () == CUE_SUCCESS); - s = CU_add_suite ("auth", NULL, NULL); assert (s); - t = CU_ADD_TEST (s, test_auth); assert (t); - s = CU_add_suite ("buffering", NULL, NULL); assert (s); - t = CU_ADD_TEST (s, test_buffering); assert (t); - - assert (CU_basic_run_tests () == CUE_SUCCESS); - nfail = CU_get_number_of_failures(); - - CU_cleanup_registry (); - return nfail; -} diff --git a/lib/tests/test.conf b/lib/tests/test.conf deleted file mode 100644 index 98d0330..0000000 --- a/lib/tests/test.conf +++ /dev/null @@ -1,30 +0,0 @@ -realm test-udp-auth { - type = "UDP" - server { - hostname = "localhost" - service = "1820" - secret = "sikrit" - } -} - -realm test-udp-buffering { - type = "UDP" - server { - hostname = "localhost" - service = "11820" - secret = "sikrit" - } -} - -realm test-tls-test { - type = "TLS" - cacertfile = "/home/linus/nordberg-ca.crt" - certfile = "/home/linus/p/radsecproxy/src/maatuska.nordberg.se.crt" - certkeyfile = "/home/linus/p/radsecproxy/src/maatuska.nordberg.se.key" - - server { - hostname = "localhost" - service = "1820" - secret = "sikrit" - } -} diff --git a/lib/tests/udp-server.c b/lib/tests/udp-server.c deleted file mode 100644 index 77a35df..0000000 --- a/lib/tests/udp-server.c +++ /dev/null @@ -1,35 +0,0 @@ -/* Copyright 2011, NORDUnet A/S. All rights reserved. */ -/* See LICENSE for licensing information. */ - -#include -#include -#include "udp.h" - -ssize_t -handle_data (const uint8_t *buf, ssize_t len) -{ - return hd (buf, len); -} - -int -main (int argc, char *argv[]) -{ - int n, i; - struct timeval tv; - struct polldata *data; - -#define TIMEOUT 1 /* Seconds. */ - - tv.tv_sec = TIMEOUT; - tv.tv_usec = 0; - data = udp_server (argv[1], &tv, handle_data); - - for (i = 0, n = udp_poll (data); n == 0 && i < 3; n = udp_poll (data), i++) - { - fprintf (stderr, "waiting another %ld second%s\n", - tv.tv_sec, tv.tv_sec > 1 ? "s" : ""); - } - - udp_free_polldata (data); - return (n <= 0); -} diff --git a/lib/tests/udp.c b/lib/tests/udp.c deleted file mode 100644 index 2c580da..0000000 --- a/lib/tests/udp.c +++ /dev/null @@ -1,141 +0,0 @@ -/* Copyright 2011,2013, NORDUnet A/S. All rights reserved. */ -/* See LICENSE for licensing information. */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "radius/client.h" -#include "udp.h" - -static struct addrinfo * -_resolve (const char *str) -{ - static int first = 1; - static struct addrinfo hints, *result = NULL; - struct addrinfo *rp = NULL; - int r; - - if (first) - { - first = 0; - memset (&hints, 0, sizeof (hints)); - hints.ai_family = AF_INET; /* AF_UNSPEC */ - hints.ai_socktype = SOCK_DGRAM; - r = getaddrinfo (NULL, str, &hints, &result); - if (r) - fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (r)); - } - - if (result) - { - rp = result; - result = result->ai_next; - } - - return rp; -} - -void -udp_free_polldata (struct polldata *data) -{ - if (data) - { - if (data->timeout) - free (data->timeout); - free (data); - } -} - -/* @return if select() returns error or timeout, return select() - else return value from invoked callback function */ -ssize_t -udp_poll (struct polldata *data) -{ - int r; - long timeout = 0; - fd_set rfds; - ssize_t len; - uint8_t buf[RS_MAX_PACKET_LEN]; - - FD_ZERO (&rfds); - FD_SET (data->s, &rfds); - if (data->timeout) - timeout = data->timeout->tv_sec; /* Save from destruction (Linux). */ - //fprintf (stderr, "calling select with timeout %ld\n", timeout); - r = select (data->s + 1, &rfds, NULL, NULL, data->timeout); - if (data->timeout) - data->timeout->tv_sec = timeout; /* Restore. */ - //fprintf (stderr, "select returning %d\n", r); - if (r > 0) - { - len = recv (data->s, buf, sizeof (buf), 0); - if (len > 0) - return data->cb (buf, len); - } - return r; -} - -struct polldata * -udp_server (const char *bindto, struct timeval *timeout, data_cb cb) -{ - struct addrinfo *res; - int s = -1; - - for (res = _resolve (bindto); res; res = _resolve (bindto)) - { - s = socket (res->ai_family, res->ai_socktype, res->ai_protocol); - if (s >= 0) - { - if (bind (s, res->ai_addr, res->ai_addrlen) == 0) - break; /* Done. */ - else - { - close (s); - s = -1; - } - } - } - - if (s >= 0) - { - struct polldata *data = malloc (sizeof (struct polldata)); - assert (data); - memset (data, 0, sizeof (struct polldata)); - data->s = s; - data->cb = cb; - if (timeout) - { - data->timeout = malloc (sizeof (struct timeval)); - assert (data->timeout); - memcpy (data->timeout, timeout, sizeof (struct timeval)); - } - return data; - } - - return NULL; -} - -ssize_t -hd (const uint8_t *buf, ssize_t len) -{ - int i; - - printf ("# len: %ld\n", len); - for (i = 0; i < len; i++) - { - printf ("%02x%s", buf[i], (i+1) % 8 ? " " : " "); - if ((i + 1) % 16 == 0) - printf ("\n"); - } - printf ("\n"); - return len; -} diff --git a/lib/tests/udp.h b/lib/tests/udp.h deleted file mode 100644 index a8d5f23..0000000 --- a/lib/tests/udp.h +++ /dev/null @@ -1,20 +0,0 @@ -/* Copyright 2011, NORDUnet A/S. All rights reserved. */ -/* See LICENSE for licensing information. */ - -#include -#include -#include - -typedef ssize_t (*data_cb) (const uint8_t *buf, ssize_t len); - -struct polldata { - int s; - data_cb cb; - struct timeval *timeout; -}; - -struct polldata *udp_server (const char *bindto, struct timeval *timeout, data_cb cb); -ssize_t udp_poll (struct polldata *data); -void udp_free_polldata (struct polldata *data); - -ssize_t hd (const uint8_t *buf, ssize_t len); diff --git a/lib/tls.c b/lib/tls.c deleted file mode 100644 index ba3cab5..0000000 --- a/lib/tls.c +++ /dev/null @@ -1,372 +0,0 @@ -/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#if defined HAVE_PTHREAD_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include "radsecproxy/list.h" -#include "radsecproxy/radsecproxy.h" - -#include "tls.h" - -static struct tls * -_get_tlsconf (struct rs_connection *conn, const struct rs_realm *realm) -{ - struct tls *c = rs_malloc (conn->ctx, sizeof (struct tls)); - - if (c) - { - memset (c, 0, sizeof (struct tls)); - /* TODO: Make sure old radsecproxy code doesn't free these all - of a sudden, or strdup them. */ - c->name = realm->name; - c->cacertfile = realm->cacertfile; - c->cacertpath = NULL; /* NYI */ - c->certfile = realm->certfile; - c->certkeyfile = realm->certkeyfile; - c->certkeypwd = NULL; /* NYI */ - c->cacheexpiry = 0; /* NYI */ - c->crlcheck = 0; /* NYI */ - c->policyoids = (char **) NULL; /* NYI */ - } - else - rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); - - return c; -} - -#if defined RS_ENABLE_TLS_PSK -static unsigned int -psk_client_cb (SSL *ssl, - const char *hint, - char *identity, - unsigned int max_identity_len, - unsigned char *psk, - unsigned int max_psk_len) -{ - struct rs_connection *conn = NULL; - struct rs_credentials *cred = NULL; - - conn = SSL_get_ex_data (ssl, 0); - assert (conn != NULL); - cred = conn->active_peer->realm->transport_cred; - assert (cred != NULL); - /* NOTE: Ignoring identity hint from server. */ - - if (strlen (cred->identity) + 1 > max_identity_len) - { - rs_err_conn_push (conn, RSE_CRED, "PSK identity longer than max %d", - max_identity_len - 1); - return 0; - } - strcpy (identity, cred->identity); - - switch (cred->secret_encoding) - { - case RS_KEY_ENCODING_UTF8: - cred->secret_len = strlen (cred->secret); - if (cred->secret_len > max_psk_len) - { - rs_err_conn_push (conn, RSE_CRED, "PSK secret longer than max %d", - max_psk_len); - return 0; - } - memcpy (psk, cred->secret, cred->secret_len); - break; - case RS_KEY_ENCODING_ASCII_HEX: - { - BIGNUM *bn = NULL; - - if (BN_hex2bn (&bn, cred->secret) == 0) - { - rs_err_conn_push (conn, RSE_CRED, "Unable to convert pskhexstr"); - if (bn != NULL) - BN_clear_free (bn); - return 0; - } - if ((unsigned int) BN_num_bytes (bn) > max_psk_len) - { - rs_err_conn_push (conn, RSE_CRED, "PSK secret longer than max %d", - max_psk_len); - BN_clear_free (bn); - return 0; - } - cred->secret_len = BN_bn2bin (bn, psk); - BN_clear_free (bn); - } - break; - default: - assert (!"unknown psk encoding"); - } - - return cred->secret_len; -} -#endif /* RS_ENABLE_TLS_PSK */ - -/** Read \a buf_len bytes from one of the random devices into \a - buf. Return 0 on success and -1 on failure. */ -static int -load_rand_ (uint8_t *buf, size_t buf_len) -{ - static const char *fns[] = {"/dev/urandom", "/dev/random", NULL}; - int i; - - if (buf_len > SSIZE_MAX) - return -1; - - for (i = 0; fns[i] != NULL; i++) - { - size_t nread = 0; - int fd = open (fns[i], O_RDONLY); - if (fd < 0) - continue; - while (nread != buf_len) - { - ssize_t r = read (fd, buf + nread, buf_len - nread); - if (r < 0) - return -1; - if (r == 0) - break; - nread += r; - } - close (fd); - if (nread != buf_len) - return -1; - return 0; - } - return -1; -} - -/** Initialise OpenSSL's PRNG by possibly invoking RAND_poll() and by - feeding RAND_seed() data from one of the random devices. If either - succeeds, we're happy and return 0. */ -static int -init_openssl_rand_ (void) -{ - long openssl_version = 0; - int openssl_random_init_flag = 0; - int our_random_init_flag = 0; - uint8_t buf[32]; - - /* Older OpenSSL has a crash bug in RAND_poll (when a file it opens - gets a file descriptor with a number higher than FD_SETSIZE) so - use it only for newer versions. */ - openssl_version = SSLeay (); - if (openssl_version >= OPENSSL_V (0,9,8,'c')) - openssl_random_init_flag = RAND_poll (); - - our_random_init_flag = !load_rand_ (buf, sizeof(buf)); - if (our_random_init_flag) - RAND_seed (buf, sizeof(buf)); - memset (buf, 0, sizeof(buf)); /* FIXME: What if memset() is optimised out? */ - - if (!openssl_random_init_flag && !our_random_init_flag) - return -1; - if (!RAND_bytes (buf, sizeof(buf))) - return -1; - return 0; -} - -#if defined HAVE_PTHREADS -/** Array of pthread_mutex_t for OpenSSL. Allocated and initialised in - \a init_locking_ and never freed. */ -static pthread_mutex_t *s_openssl_mutexes = NULL; -/** Number of pthread_mutex_t's allocated at s_openssl_mutexes. */ -static int s_openssl_mutexes_count = 0; - -/** Callback for OpenSSL when a lock is to be held or released. */ -static void -openssl_locking_cb_ (int mode, int i, const char *file, int line) -{ - if (s_openssl_mutexes == NULL || i >= s_openssl_mutexes_count) - return; - if (mode & CRYPTO_LOCK) - pthread_mutex_lock (&s_openssl_mutexes[i]); - else - pthread_mutex_unlock (&s_openssl_mutexes[i]); -} - -/** Initialise any locking needed for being thread safe. Libradsec has - all its own state in one or more struct rs_context and doesn't - need locks but libraries used by libradsec may need protection. */ -static int -init_locking_ () -{ - int i, n; - n = CRYPTO_num_locks (); - - s_openssl_mutexes = calloc (n, sizeof(pthread_mutex_t)); - if (s_openssl_mutexes == NULL) - return -RSE_NOMEM; - for (i = 0; i < n; i++) - pthread_mutex_init (&s_openssl_mutexes[i], NULL); - s_openssl_mutexes_count = n; - - return 0; -} -#endif /* HAVE_PTHREADS */ - -/** Initialise the TLS library. Return 0 on success, -1 on failure. */ -int -tls_init () -{ - SSL_load_error_strings (); -#if defined HAVE_PTHREADS - if (CRYPTO_get_locking_callback () == NULL) - { - assert (s_openssl_mutexes_count == 0); - /* Allocate and initialise mutexes. We will never free - these. FIXME: Is there a portable way of having a function - invoked when a solib is unloaded? -ln */ - if (init_locking_ ()) - return -1; - CRYPTO_set_locking_callback (openssl_locking_cb_); - } -#endif /* HAVE_PTHREADS */ - SSL_library_init (); - return init_openssl_rand_ (); -} - -int -tls_init_conn (struct rs_connection *conn) -{ - struct rs_context *ctx = NULL; - struct tls *tlsconf = NULL; - SSL_CTX *ssl_ctx = NULL; - SSL *ssl = NULL; - unsigned long sslerr = 0; - - assert (conn->ctx); - ctx = conn->ctx; - - tlsconf = _get_tlsconf (conn, conn->active_peer->realm); - if (!tlsconf) - return -1; - ssl_ctx = tlsgetctx (RAD_TLS, tlsconf); - if (!ssl_ctx) - { - for (sslerr = ERR_get_error (); sslerr; sslerr = ERR_get_error ()) - rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, - ERR_error_string (sslerr, NULL)); - return -1; - } - ssl = SSL_new (ssl_ctx); - if (!ssl) - { - for (sslerr = ERR_get_error (); sslerr; sslerr = ERR_get_error ()) - rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, - ERR_error_string (sslerr, NULL)); - return -1; - } - -#if defined RS_ENABLE_TLS_PSK - if (conn->active_peer->realm->transport_cred != NULL) - { - SSL_set_psk_client_callback (ssl, psk_client_cb); - SSL_set_ex_data (ssl, 0, conn); - } -#endif /* RS_ENABLE_TLS_PSK */ - - conn->tls_ctx = ssl_ctx; - conn->tls_ssl = ssl; - rs_free (ctx, tlsconf); - return RSE_OK; -} - -/* draft-ietf-radext-radsec-11.txt - - * Certificate validation MUST include the verification rules as - per [RFC5280]. - - * Implementations SHOULD indicate their acceptable Certification - Authorities as per section 7.4.4 (server side) and x.y.z - ["Trusted CA Indication"] (client side) of [RFC5246] (see - Section 3.2) - - * Implementations SHOULD allow to configure a list of acceptable - certificates, identified via certificate fingerprint. When a - fingerprint configured, the fingerprint is prepended with an - ASCII label identifying the hash function followed by a colon. - Implementations MUST support SHA-1 as the hash algorithm and - use the ASCII label "sha-1" to identify the SHA-1 algorithm. - The length of a SHA-1 hash is 20 bytes and the length of the - corresponding fingerprint string is 65 characters. An example - certificate fingerprint is: sha- - 1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D - - * Peer validation always includes a check on whether the locally - configured expected DNS name or IP address of the server that - is contacted matches its presented certificate. DNS names and - IP addresses can be contained in the Common Name (CN) or - subjectAltName entries. For verification, only one of these - entries is to be considered. The following precedence - applies: for DNS name validation, subjectAltName:DNS has - precedence over CN; for IP address validation, subjectAltName: - iPAddr has precedence over CN. - - * Implementations SHOULD allow to configure a set of acceptable - values for subjectAltName:URI. - */ -int -tls_verify_cert (struct rs_connection *conn) -{ - int err = 0; - int success = 0; - X509 *peer_cert = NULL; - struct in6_addr addr; - const char *hostname = NULL; - - assert (conn->active_peer->conn == conn); - assert (conn->active_peer->hostname != NULL); - hostname = conn->active_peer->hostname; - - /* verifytlscert() performs basic verification as described by - OpenSSL VERIFY(1), i.e. verification of the certificate chain. */ - peer_cert = verifytlscert (conn->tls_ssl); - if (peer_cert == NULL) - { - err = rs_err_conn_push (conn, RSE_SSLERR, - "basic certificate validation failed"); - goto out; - } - - if (inet_pton (AF_INET, hostname, &addr)) - success = (subjectaltnameaddr (peer_cert, AF_INET, &addr) == 1); - else if (inet_pton (AF_INET6, hostname, &addr)) - success = (subjectaltnameaddr (peer_cert, AF_INET6, &addr) == 1); - else - success = (subjectaltnameregexp (peer_cert, GEN_DNS, hostname, NULL) == 1); - - if (!success) - success = (cnregexp (peer_cert, hostname, NULL) == 1); - - if (conn->realm->disable_hostname_check) - success = 1; - if (!success) - err = rs_err_conn_push (conn, RSE_CERT, "server certificate doesn't " - "match configured hostname \"%s\"", hostname); - - out: - if (peer_cert != NULL) - X509_free (peer_cert); - return err; -} diff --git a/lib/tls.h b/lib/tls.h deleted file mode 100644 index 51f2a64..0000000 --- a/lib/tls.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright 2010-2012 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined (__cplusplus) -extern "C" { -#endif - -int tls_init (void); -int tls_init_conn (struct rs_connection *conn); -int tls_verify_cert (struct rs_connection *conn); - -#define OPENSSL_VER(a,b,c,d,e) \ - (((a)<<28) | \ - ((b)<<20) | \ - ((c)<<12) | \ - ((d)<< 4) | \ - (e)) -#define OPENSSL_V(a,b,c,d) \ - OPENSSL_VER((a),(b),(c),(d)-'a'+1,0xf) - -#if defined (__cplusplus) -} -#endif diff --git a/lib/udp.c b/lib/udp.c deleted file mode 100644 index c00f215..0000000 --- a/lib/udp.c +++ /dev/null @@ -1,177 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#if defined HAVE_CONFIG_H -#include -#endif - -#include -#include -#include -#include -#include -#include -#include -#include "debug.h" -#include "event.h" -#include "compat.h" -#include "udp.h" - -/* Send one packet, the first in queue. */ -static int -_send (struct rs_connection *conn, int fd) -{ - ssize_t r = 0; - struct rs_packet *pkt = conn->out_queue; - - assert (pkt->rpkt); - assert (pkt->rpkt->data); - - /* Send. */ - r = compat_send (fd, pkt->rpkt->data, pkt->rpkt->length, 0); - if (r == -1) - { - int sockerr = evutil_socket_geterror (pkt->conn->fd); - if (sockerr != EAGAIN) - return rs_err_conn_push_fl (pkt->conn, RSE_SOCKERR, __FILE__, __LINE__, - "%d: send: %d (%s)", fd, sockerr, - evutil_socket_error_to_string (sockerr)); - } - - assert (r == pkt->rpkt->length); - /* Unlink the packet. */ - conn->out_queue = pkt->next; - - /* If there are more packets in queue, add the write event again. */ - if (pkt->conn->out_queue) - { - r = event_add (pkt->conn->wev, NULL); - if (r < 0) - return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, - "event_add: %s", evutil_gai_strerror (r)); - rs_debug (("%s: re-adding the write event\n", __func__)); - } - - return RSE_OK; -} - -/* Callback for conn->wev and conn->rev. FIXME: Rename. - - USER_DATA contains connection for EV_READ and a packet for - EV_WRITE. This is because we don't have a connect/establish entry - point at the user level -- send implies connect so when we're - connected we need the packet to send. */ -static void -_evcb (evutil_socket_t fd, short what, void *user_data) -{ - int err; - struct rs_packet *pkt = (struct rs_packet *) user_data; - - rs_debug (("%s: fd=%d what =", __func__, fd)); - if (what & EV_TIMEOUT) rs_debug ((" TIMEOUT -- shouldn't happen!")); - if (what & EV_READ) rs_debug ((" READ")); - if (what & EV_WRITE) rs_debug ((" WRITE")); - rs_debug (("\n")); - - assert (pkt); - assert (pkt->conn); - if (what & EV_READ) - { - /* Read a single UDP packet and stick it in USER_DATA. */ - /* TODO: Verify that unsolicited packets are dropped. */ - ssize_t r = 0; - - assert (pkt->rpkt->data); - - r = compat_recv (fd, pkt->rpkt->data, RS_MAX_PACKET_LEN, MSG_TRUNC); - if (r == -1) - { - int sockerr = evutil_socket_geterror (pkt->conn->fd); - if (sockerr == EAGAIN) - { - /* FIXME: Really shouldn't happen since we've been told - that fd is readable! */ - rs_debug (("%s: EAGAIN reading UDP packet -- wot?\n")); - goto err_out; - } - - /* Hard error. */ - rs_err_conn_push_fl (pkt->conn, RSE_SOCKERR, __FILE__, __LINE__, - "%d: recv: %d (%s)", fd, sockerr, - evutil_socket_error_to_string (sockerr)); - event_del (pkt->conn->tev); - goto err_out; - } - event_del (pkt->conn->tev); - if (r < 20 || r > RS_MAX_PACKET_LEN) /* Short or long packet. */ - { - rs_err_conn_push (pkt->conn, RSE_INVALID_PKT, - "invalid packet length: %d", r); - goto err_out; - } - pkt->rpkt->length = (pkt->rpkt->data[2] << 8) + pkt->rpkt->data[3]; - err = nr_packet_ok (pkt->rpkt); - if (err) - { - rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, - "invalid packet"); - goto err_out; - } - /* Hand over message to user. This changes ownership of pkt. - Don't touch it afterwards -- it might have been freed. */ - if (pkt->conn->callbacks.received_cb) - pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data); - else - rs_debug (("%s: no received-callback -- dropping packet\n", __func__)); - } - else if (what & EV_WRITE) - { - if (!pkt->conn->is_connected) - event_on_connect (pkt->conn, pkt); - - if (pkt->conn->out_queue) - if (_send (pkt->conn, fd) == RSE_OK) - if (pkt->conn->callbacks.sent_cb) - pkt->conn->callbacks.sent_cb (pkt->conn->user_data); - } - return; - - err_out: - rs_conn_disconnect (pkt->conn); -} - -int -udp_init (struct rs_connection *conn, struct rs_packet *pkt) -{ - assert (!conn->bev); - - conn->rev = event_new (conn->evb, conn->fd, EV_READ|EV_PERSIST, _evcb, NULL); - conn->wev = event_new (conn->evb, conn->fd, EV_WRITE, _evcb, NULL); - if (!conn->rev || !conn->wev) - { - if (conn->rev) - { - event_free (conn->rev); - conn->rev = NULL; - } - /* ENOMEM _or_ EINVAL but EINVAL only if we use EV_SIGNAL, at - least for now (libevent-2.0.5). */ - return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); - } - return RSE_OK; -} - -int -udp_init_retransmit_timer (struct rs_connection *conn) -{ - assert (conn); - - if (conn->tev) - event_free (conn->tev); - conn->tev = evtimer_new (conn->evb, event_retransmit_timeout_cb, conn); - if (!conn->tev) - return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, - "evtimer_new"); - - return RSE_OK; -} diff --git a/lib/udp.h b/lib/udp.h deleted file mode 100644 index 39d1aeb..0000000 --- a/lib/udp.h +++ /dev/null @@ -1,5 +0,0 @@ -/* Copyright 2011 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -int udp_init (struct rs_connection *conn, struct rs_packet *pkt); -int udp_init_retransmit_timer (struct rs_connection *conn); diff --git a/lib/util.c b/lib/util.c deleted file mode 100644 index 70d815c..0000000 --- a/lib/util.c +++ /dev/null @@ -1,25 +0,0 @@ -/* Copyright 2012-2013 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -#include -#include -#include -#include -#include "util.h" - -char * -rs_strdup (struct rs_context *ctx, const char *s) -{ - size_t len; - char *buf; - - len = strlen (s); - buf = rs_malloc (ctx, len + 1); - - if (buf != NULL) - memcpy (buf, s, len + 1); - else - rs_err_ctx_push (ctx, RSE_NOMEM, __func__); - - return buf; -} diff --git a/lib/util.h b/lib/util.h deleted file mode 100644 index f988d86..0000000 --- a/lib/util.h +++ /dev/null @@ -1,4 +0,0 @@ -/* Copyright 2012 NORDUnet A/S. All rights reserved. - See LICENSE for licensing information. */ - -char *rs_strdup (struct rs_context *ctx, const char *s); diff --git a/libradsec.spec.in b/libradsec.spec.in new file mode 100644 index 0000000..97d6178 --- /dev/null +++ b/libradsec.spec.in @@ -0,0 +1,77 @@ +Name: @PACKAGE@ +Version: @PACKAGE_VERSION@ +Release: 1%{?dist} +Summary: RADIUS over TLS library + +Group: System Environment/Libraries +License: BSD +URL: http://software.uninett.no/radsecproxy/?page=documentation +Source0: %{name}-%{version}.tar.gz +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root + + + +BuildRequires: openssl-devel +BuildRequires: libconfuse-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: libevent-devel >= 2.0 + + + +%description + Libradsec is a RADIUS over TLS library. + + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%setup -q + + +%build + export CPPFLAGS='-I%{_includedir}' + export LDFLAGS='-L%{_libdir}' +%configure --disable-static +make %{?_smp_mflags} + + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + + +%files +%defattr(-,root,root,-) +%doc README +%{_libdir}/*.so.* + +%files devel +%defattr(-,root,root,-) +%{_includedir}/* +%{_libdir}/*.so + + +%changelog +* Tue Sep 27 2011 - %{version}-1 +- initial version + diff --git a/md5.c b/md5.c new file mode 100644 index 0000000..f4ac436 --- /dev/null +++ b/md5.c @@ -0,0 +1,295 @@ +/* + * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. + * MD5 Message-Digest Algorithm (RFC 1321). + * + * Homepage: + * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 + * + * Author: + * Alexander Peslyak, better known as Solar Designer + * + * This software was written by Alexander Peslyak in 2001. No copyright is + * claimed, and the software is hereby placed in the public domain. + * In case this attempt to disclaim copyright and place the software in the + * public domain is deemed null and void, then the software is + * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the + * general public under the following terms: + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * There's ABSOLUTELY NO WARRANTY, express or implied. + * + * (This is a heavily cut-down "BSD license".) + * + * This differs from Colin Plumb's older public domain implementation in that + * no exactly 32-bit integer data type is required (any 32-bit or wider + * unsigned integer data type will do), there's no compile-time endianness + * configuration, and the function prototypes match OpenSSL's. No code from + * Colin Plumb's implementation has been reused; this comment merely compares + * the properties of the two independent implementations. + * + * The primary goals of this implementation are portability and ease of use. + * It is meant to be fast, but not as fast as possible. Some known + * optimizations are not included to reduce source code size and avoid + * compile-time configuration. + */ + +#ifndef HAVE_OPENSSL + +#include + +#include "md5.h" + +/* + * The basic MD5 functions. + * + * F and G are optimized compared to their RFC 1321 definitions for + * architectures that lack an AND-NOT instruction, just like in Colin Plumb's + * implementation. + */ +#define F(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) +#define G(x, y, z) ((y) ^ ((z) & ((x) ^ (y)))) +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define I(x, y, z) ((y) ^ ((x) | ~(z))) + +/* + * The MD5 transformation for all four rounds. + */ +#define STEP(f, a, b, c, d, x, t, s) \ + (a) += f((b), (c), (d)) + (x) + (t); \ + (a) = (((a) << (s)) | (((a) & 0xffffffff) >> (32 - (s)))); \ + (a) += (b); + +/* + * SET reads 4 input bytes in little-endian byte order and stores them + * in a properly aligned word in host byte order. + * + * The check for little-endian architectures that tolerate unaligned + * memory accesses is just an optimization. Nothing will break if it + * doesn't work. + */ +#if defined(__i386__) || defined(__x86_64__) || defined(__vax__) +#define SET(n) \ + (*(MD5_u32plus *)&ptr[(n) * 4]) +#define GET(n) \ + SET(n) +#else +#define SET(n) \ + (ctx->block[(n)] = \ + (MD5_u32plus)ptr[(n) * 4] | \ + ((MD5_u32plus)ptr[(n) * 4 + 1] << 8) | \ + ((MD5_u32plus)ptr[(n) * 4 + 2] << 16) | \ + ((MD5_u32plus)ptr[(n) * 4 + 3] << 24)) +#define GET(n) \ + (ctx->block[(n)]) +#endif + +/* + * This processes one or more 64-byte data blocks, but does NOT update + * the bit counters. There are no alignment requirements. + */ +static const void *body(MD5_CTX *ctx, const void *data, unsigned long size) +{ + const unsigned char *ptr; + MD5_u32plus a, b, c, d; + MD5_u32plus saved_a, saved_b, saved_c, saved_d; + + ptr = data; + + a = ctx->a; + b = ctx->b; + c = ctx->c; + d = ctx->d; + + do { + saved_a = a; + saved_b = b; + saved_c = c; + saved_d = d; + +/* Round 1 */ + STEP(F, a, b, c, d, SET(0), 0xd76aa478, 7) + STEP(F, d, a, b, c, SET(1), 0xe8c7b756, 12) + STEP(F, c, d, a, b, SET(2), 0x242070db, 17) + STEP(F, b, c, d, a, SET(3), 0xc1bdceee, 22) + STEP(F, a, b, c, d, SET(4), 0xf57c0faf, 7) + STEP(F, d, a, b, c, SET(5), 0x4787c62a, 12) + STEP(F, c, d, a, b, SET(6), 0xa8304613, 17) + STEP(F, b, c, d, a, SET(7), 0xfd469501, 22) + STEP(F, a, b, c, d, SET(8), 0x698098d8, 7) + STEP(F, d, a, b, c, SET(9), 0x8b44f7af, 12) + STEP(F, c, d, a, b, SET(10), 0xffff5bb1, 17) + STEP(F, b, c, d, a, SET(11), 0x895cd7be, 22) + STEP(F, a, b, c, d, SET(12), 0x6b901122, 7) + STEP(F, d, a, b, c, SET(13), 0xfd987193, 12) + STEP(F, c, d, a, b, SET(14), 0xa679438e, 17) + STEP(F, b, c, d, a, SET(15), 0x49b40821, 22) + +/* Round 2 */ + STEP(G, a, b, c, d, GET(1), 0xf61e2562, 5) + STEP(G, d, a, b, c, GET(6), 0xc040b340, 9) + STEP(G, c, d, a, b, GET(11), 0x265e5a51, 14) + STEP(G, b, c, d, a, GET(0), 0xe9b6c7aa, 20) + STEP(G, a, b, c, d, GET(5), 0xd62f105d, 5) + STEP(G, d, a, b, c, GET(10), 0x02441453, 9) + STEP(G, c, d, a, b, GET(15), 0xd8a1e681, 14) + STEP(G, b, c, d, a, GET(4), 0xe7d3fbc8, 20) + STEP(G, a, b, c, d, GET(9), 0x21e1cde6, 5) + STEP(G, d, a, b, c, GET(14), 0xc33707d6, 9) + STEP(G, c, d, a, b, GET(3), 0xf4d50d87, 14) + STEP(G, b, c, d, a, GET(8), 0x455a14ed, 20) + STEP(G, a, b, c, d, GET(13), 0xa9e3e905, 5) + STEP(G, d, a, b, c, GET(2), 0xfcefa3f8, 9) + STEP(G, c, d, a, b, GET(7), 0x676f02d9, 14) + STEP(G, b, c, d, a, GET(12), 0x8d2a4c8a, 20) + +/* Round 3 */ + STEP(H, a, b, c, d, GET(5), 0xfffa3942, 4) + STEP(H, d, a, b, c, GET(8), 0x8771f681, 11) + STEP(H, c, d, a, b, GET(11), 0x6d9d6122, 16) + STEP(H, b, c, d, a, GET(14), 0xfde5380c, 23) + STEP(H, a, b, c, d, GET(1), 0xa4beea44, 4) + STEP(H, d, a, b, c, GET(4), 0x4bdecfa9, 11) + STEP(H, c, d, a, b, GET(7), 0xf6bb4b60, 16) + STEP(H, b, c, d, a, GET(10), 0xbebfbc70, 23) + STEP(H, a, b, c, d, GET(13), 0x289b7ec6, 4) + STEP(H, d, a, b, c, GET(0), 0xeaa127fa, 11) + STEP(H, c, d, a, b, GET(3), 0xd4ef3085, 16) + STEP(H, b, c, d, a, GET(6), 0x04881d05, 23) + STEP(H, a, b, c, d, GET(9), 0xd9d4d039, 4) + STEP(H, d, a, b, c, GET(12), 0xe6db99e5, 11) + STEP(H, c, d, a, b, GET(15), 0x1fa27cf8, 16) + STEP(H, b, c, d, a, GET(2), 0xc4ac5665, 23) + +/* Round 4 */ + STEP(I, a, b, c, d, GET(0), 0xf4292244, 6) + STEP(I, d, a, b, c, GET(7), 0x432aff97, 10) + STEP(I, c, d, a, b, GET(14), 0xab9423a7, 15) + STEP(I, b, c, d, a, GET(5), 0xfc93a039, 21) + STEP(I, a, b, c, d, GET(12), 0x655b59c3, 6) + STEP(I, d, a, b, c, GET(3), 0x8f0ccc92, 10) + STEP(I, c, d, a, b, GET(10), 0xffeff47d, 15) + STEP(I, b, c, d, a, GET(1), 0x85845dd1, 21) + STEP(I, a, b, c, d, GET(8), 0x6fa87e4f, 6) + STEP(I, d, a, b, c, GET(15), 0xfe2ce6e0, 10) + STEP(I, c, d, a, b, GET(6), 0xa3014314, 15) + STEP(I, b, c, d, a, GET(13), 0x4e0811a1, 21) + STEP(I, a, b, c, d, GET(4), 0xf7537e82, 6) + STEP(I, d, a, b, c, GET(11), 0xbd3af235, 10) + STEP(I, c, d, a, b, GET(2), 0x2ad7d2bb, 15) + STEP(I, b, c, d, a, GET(9), 0xeb86d391, 21) + + a += saved_a; + b += saved_b; + c += saved_c; + d += saved_d; + + ptr += 64; + } while (size -= 64); + + ctx->a = a; + ctx->b = b; + ctx->c = c; + ctx->d = d; + + return ptr; +} + +void MD5_Init(MD5_CTX *ctx) +{ + ctx->a = 0x67452301; + ctx->b = 0xefcdab89; + ctx->c = 0x98badcfe; + ctx->d = 0x10325476; + + ctx->lo = 0; + ctx->hi = 0; +} + +void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size) +{ + MD5_u32plus saved_lo; + unsigned long used, free; + + saved_lo = ctx->lo; + if ((ctx->lo = (saved_lo + size) & 0x1fffffff) < saved_lo) + ctx->hi++; + ctx->hi += size >> 29; + + used = saved_lo & 0x3f; + + if (used) { + free = 64 - used; + + if (size < free) { + memcpy(&ctx->buffer[used], data, size); + return; + } + + memcpy(&ctx->buffer[used], data, free); + data = (unsigned char *)data + free; + size -= free; + body(ctx, ctx->buffer, 64); + } + + if (size >= 64) { + data = body(ctx, data, size & ~(unsigned long)0x3f); + size &= 0x3f; + } + + memcpy(ctx->buffer, data, size); +} + +void MD5_Final(unsigned char *result, MD5_CTX *ctx) +{ + unsigned long used, free; + + used = ctx->lo & 0x3f; + + ctx->buffer[used++] = 0x80; + + free = 64 - used; + + if (free < 8) { + memset(&ctx->buffer[used], 0, free); + body(ctx, ctx->buffer, 64); + used = 0; + free = 64; + } + + memset(&ctx->buffer[used], 0, free - 8); + + ctx->lo <<= 3; + ctx->buffer[56] = ctx->lo; + ctx->buffer[57] = ctx->lo >> 8; + ctx->buffer[58] = ctx->lo >> 16; + ctx->buffer[59] = ctx->lo >> 24; + ctx->buffer[60] = ctx->hi; + ctx->buffer[61] = ctx->hi >> 8; + ctx->buffer[62] = ctx->hi >> 16; + ctx->buffer[63] = ctx->hi >> 24; + + body(ctx, ctx->buffer, 64); + + result[0] = ctx->a; + result[1] = ctx->a >> 8; + result[2] = ctx->a >> 16; + result[3] = ctx->a >> 24; + result[4] = ctx->b; + result[5] = ctx->b >> 8; + result[6] = ctx->b >> 16; + result[7] = ctx->b >> 24; + result[8] = ctx->c; + result[9] = ctx->c >> 8; + result[10] = ctx->c >> 16; + result[11] = ctx->c >> 24; + result[12] = ctx->d; + result[13] = ctx->d >> 8; + result[14] = ctx->d >> 16; + result[15] = ctx->d >> 24; + + memset(ctx, 0, sizeof(*ctx)); +} + +#endif diff --git a/md5.h b/md5.h new file mode 100644 index 0000000..2da44bf --- /dev/null +++ b/md5.h @@ -0,0 +1,45 @@ +/* + * This is an OpenSSL-compatible implementation of the RSA Data Security, Inc. + * MD5 Message-Digest Algorithm (RFC 1321). + * + * Homepage: + * http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 + * + * Author: + * Alexander Peslyak, better known as Solar Designer + * + * This software was written by Alexander Peslyak in 2001. No copyright is + * claimed, and the software is hereby placed in the public domain. + * In case this attempt to disclaim copyright and place the software in the + * public domain is deemed null and void, then the software is + * Copyright (c) 2001 Alexander Peslyak and it is hereby released to the + * general public under the following terms: + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * There's ABSOLUTELY NO WARRANTY, express or implied. + * + * See md5.c for more information. + */ + +#ifdef HAVE_OPENSSL +#include +#elif !defined(_MD5_H) +#define _MD5_H + +/* Any 32-bit or wider unsigned integer data type will do */ +typedef unsigned int MD5_u32plus; + +typedef struct { + MD5_u32plus lo, hi; + MD5_u32plus a, b, c, d; + unsigned char buffer[64]; + MD5_u32plus block[16]; +} MD5_CTX; + +extern void MD5_Init(MD5_CTX *ctx); +extern void MD5_Update(MD5_CTX *ctx, const void *data, unsigned long size); +extern void MD5_Final(unsigned char *result, MD5_CTX *ctx); + +#endif diff --git a/packet.c b/packet.c new file mode 100644 index 0000000..5daad25 --- /dev/null +++ b/packet.c @@ -0,0 +1,294 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include "conn.h" +#include "debug.h" +#include "packet.h" + +#if defined (DEBUG) +#include +#include +#include +#endif + +int +packet_verify_response (struct rs_connection *conn, + struct rs_packet *response, + struct rs_packet *request) +{ + int err; + + assert (conn); + assert (conn->active_peer); + assert (conn->active_peer->secret); + assert (response); + assert (response->rpkt); + assert (request); + assert (request->rpkt); + + response->rpkt->secret = conn->active_peer->secret; + response->rpkt->sizeof_secret = strlen (conn->active_peer->secret); + + /* Verify header and message authenticator. */ + err = nr_packet_verify (response->rpkt, request->rpkt); + if (err) + { + if (conn->is_connected) + rs_conn_disconnect(conn); + return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, + "nr_packet_verify"); + } + + /* Decode and decrypt. */ + err = nr_packet_decode (response->rpkt, request->rpkt); + if (err) + { + if (conn->is_connected) + rs_conn_disconnect(conn); + return rs_err_conn_push_fl (conn, -err, __FILE__, __LINE__, + "nr_packet_decode"); + } + + return RSE_OK; +} + + +/* Badly named function for preparing a RADIUS message and queue it. + FIXME: Rename. */ +int +packet_do_send (struct rs_packet *pkt) +{ + int err; + + assert (pkt); + assert (pkt->conn); + assert (pkt->conn->active_peer); + assert (pkt->conn->active_peer->secret); + assert (pkt->rpkt); + + pkt->rpkt->secret = pkt->conn->active_peer->secret; + pkt->rpkt->sizeof_secret = strlen (pkt->rpkt->secret); + + /* Encode message. */ + err = nr_packet_encode (pkt->rpkt, NULL); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "nr_packet_encode"); + /* Sign message. */ + err = nr_packet_sign (pkt->rpkt, NULL); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "nr_packet_sign"); +#if defined (DEBUG) + { + char host[80], serv[80]; + + getnameinfo (pkt->conn->active_peer->addr_cache->ai_addr, + pkt->conn->active_peer->addr_cache->ai_addrlen, + host, sizeof(host), serv, sizeof(serv), + 0 /* NI_NUMERICHOST|NI_NUMERICSERV*/); + rs_debug (("%s: about to send this to %s:%s:\n", __func__, host, serv)); + rs_dump_packet (pkt); + } +#endif + + /* Put message in output buffer. */ + if (pkt->conn->bev) /* TCP. */ + { + int err = bufferevent_write (pkt->conn->bev, pkt->rpkt->data, + pkt->rpkt->length); + if (err < 0) + return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, + "bufferevent_write: %s", + evutil_gai_strerror (err)); + } + else /* UDP. */ + { + struct rs_packet **pp = &pkt->conn->out_queue; + + while (*pp && (*pp)->next) + *pp = (*pp)->next; + *pp = pkt; + } + + return RSE_OK; +} + +/* Public functions. */ +int +rs_packet_create (struct rs_connection *conn, struct rs_packet **pkt_out) +{ + struct rs_packet *p; + RADIUS_PACKET *rpkt; + int err; + + *pkt_out = NULL; + + rpkt = rs_malloc (conn->ctx, sizeof(*rpkt) + RS_MAX_PACKET_LEN); + if (rpkt == NULL) + return rs_err_conn_push (conn, RSE_NOMEM, __func__); + + err = nr_packet_init (rpkt, NULL, NULL, + PW_ACCESS_REQUEST, + rpkt + 1, RS_MAX_PACKET_LEN); + if (err < 0) + return rs_err_conn_push (conn, -err, __func__); + + p = (struct rs_packet *) rs_calloc (conn->ctx, 1, sizeof (*p)); + if (p == NULL) + { + rs_free (conn->ctx, rpkt); + return rs_err_conn_push (conn, RSE_NOMEM, __func__); + } + p->conn = conn; + p->rpkt = rpkt; + + *pkt_out = p; + return RSE_OK; +} + +int +rs_packet_create_authn_request (struct rs_connection *conn, + struct rs_packet **pkt_out, + const char *user_name, const char *user_pw) +{ + struct rs_packet *pkt; + int err; + + if (rs_packet_create (conn, pkt_out)) + return -1; + + pkt = *pkt_out; + pkt->rpkt->code = PW_ACCESS_REQUEST; + + if (user_name) + { + err = rs_packet_add_avp (pkt, PW_USER_NAME, 0, user_name, + strlen (user_name)); + if (err) + return err; + } + + if (user_pw) + { + err = rs_packet_add_avp (pkt, PW_USER_PASSWORD, 0, user_pw, + strlen (user_pw)); + if (err) + return err; + } + + return RSE_OK; +} + +void +rs_packet_destroy (struct rs_packet *pkt) +{ + assert (pkt); + assert (pkt->conn); + assert (pkt->conn->ctx); + + rs_avp_free (&pkt->rpkt->vps); + rs_free (pkt->conn->ctx, pkt->rpkt); + rs_free (pkt->conn->ctx, pkt); +} + +int +rs_packet_add_avp (struct rs_packet *pkt, + unsigned int attr, unsigned int vendor, + const void *data, size_t data_len) + +{ + const DICT_ATTR *da; + VALUE_PAIR *vp; + int err; + + assert (pkt); + assert (pkt->conn); + assert (pkt->conn->ctx); + + da = nr_dict_attr_byvalue (attr, vendor); + if (da == NULL) + return rs_err_conn_push (pkt->conn, RSE_ATTR_TYPE_UNKNOWN, + "nr_dict_attr_byvalue"); + vp = rs_malloc (pkt->conn->ctx, sizeof(*vp)); + if (vp == NULL) + return rs_err_conn_push (pkt->conn, RSE_NOMEM, NULL); + if (nr_vp_init (vp, da) == NULL) + { + nr_vp_free (&vp); + return rs_err_conn_push (pkt->conn, RSE_INTERNAL, NULL); + } + err = nr_vp_set_data (vp, data, data_len); + if (err < 0) + { + nr_vp_free (&vp); + return rs_err_conn_push (pkt->conn, -err, "nr_vp_set_data"); + } + nr_vps_append (&pkt->rpkt->vps, vp); + + return RSE_OK; +} + +/* TODO: Rename rs_packet_append_avp, indicating that encoding is + being done. */ +int +rs_packet_append_avp (struct rs_packet *pkt, + unsigned int attr, unsigned int vendor, + const void *data, size_t data_len) +{ + const DICT_ATTR *da; + int err; + + assert (pkt); + + da = nr_dict_attr_byvalue (attr, vendor); + if (da == NULL) + return rs_err_conn_push (pkt->conn, RSE_ATTR_TYPE_UNKNOWN, __func__); + + err = nr_packet_attr_append (pkt->rpkt, NULL, da, data, data_len); + if (err < 0) + return rs_err_conn_push (pkt->conn, -err, __func__); + + return RSE_OK; +} + +void +rs_packet_avps (struct rs_packet *pkt, rs_avp ***vps) +{ + assert (pkt); + *vps = &pkt->rpkt->vps; +} + +unsigned int +rs_packet_code (struct rs_packet *pkt) +{ + assert (pkt); + return pkt->rpkt->code; +} + +rs_const_avp * +rs_packet_find_avp (struct rs_packet *pkt, unsigned int attr, unsigned int vendor) +{ + assert (pkt); + return rs_avp_find_const (pkt->rpkt->vps, attr, vendor); +} + +int +rs_packet_set_id (struct rs_packet *pkt, int id) +{ + int old = pkt->rpkt->id; + + pkt->rpkt->id = id; + + return old; +} diff --git a/packet.h b/packet.h new file mode 100644 index 0000000..7cdbb35 --- /dev/null +++ b/packet.h @@ -0,0 +1,7 @@ +/* Copyright 2010, 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +int packet_do_send (struct rs_packet *pkt); +int packet_verify_response (struct rs_connection *conn, + struct rs_packet *response, + struct rs_packet *request); diff --git a/peer.c b/peer.c new file mode 100644 index 0000000..decc64b --- /dev/null +++ b/peer.c @@ -0,0 +1,113 @@ +/* Copyright 2010-2012 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include + +#include +#include +#include "err.h" +#include "peer.h" +#include "util.h" + +struct rs_peer * +peer_pick_peer (struct rs_connection *conn) +{ + assert (conn); + + if (conn->active_peer) + conn->active_peer = conn->active_peer->next; /* Next. */ + if (!conn->active_peer) + conn->active_peer = conn->peers; /* From the top. */ + + return conn->active_peer; +} + +struct rs_peer * +peer_create (struct rs_context *ctx, struct rs_peer **rootp) +{ + struct rs_peer *p; + + p = (struct rs_peer *) rs_malloc (ctx, sizeof(*p)); + if (p) + { + memset (p, 0, sizeof(struct rs_peer)); + if (*rootp) + { + p->next = (*rootp)->next; + (*rootp)->next = p; + } + else + *rootp = p; + } + return p; +} + +/* Public functions. */ +int +rs_peer_create (struct rs_connection *conn, struct rs_peer **peer_out) +{ + struct rs_peer *peer; + + peer = peer_create (conn->ctx, &conn->peers); + if (peer) + { + peer->conn = conn; + peer->realm->timeout = 2; /* FIXME: Why? */ + peer->realm->retries = 2; /* FIXME: Why? */ + } + else + return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); + if (*peer_out) + *peer_out = peer; + return RSE_OK; +} + +int +rs_peer_set_address (struct rs_peer *peer, const char *hostname, + const char *service) +{ + assert (peer); + assert (peer->conn); + assert (peer->conn->ctx); + + peer->hostname = rs_strdup (peer->conn->ctx, hostname); + peer->service = rs_strdup (peer->conn->ctx, service); + if (peer->hostname == NULL || peer->service == NULL) + return RSE_NOMEM; + + return RSE_OK; +} + +void +rs_peer_set_timeout (struct rs_peer *peer, int timeout) +{ + assert (peer); + assert (peer->realm); + peer->realm->timeout = timeout; +} +void +rs_peer_set_retries (struct rs_peer *peer, int retries) +{ + assert (peer); + assert (peer->realm); + peer->realm->retries = retries; +} + +int +rs_peer_set_secret (struct rs_peer *peer, const char *secret) +{ + if (peer->secret) + free (peer->secret); + peer->secret = (char *) malloc (strlen(secret) + 1); + if (!peer->secret) + return rs_err_conn_push (peer->conn, RSE_NOMEM, NULL); + strcpy (peer->secret, secret); + return RSE_OK; +} + diff --git a/peer.h b/peer.h new file mode 100644 index 0000000..b15395f --- /dev/null +++ b/peer.h @@ -0,0 +1,5 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +struct rs_peer *peer_create (struct rs_context *ctx, struct rs_peer **rootp); +struct rs_peer *peer_pick_peer (struct rs_connection *conn); diff --git a/radius/.gitignore b/radius/.gitignore new file mode 100644 index 0000000..1af03df --- /dev/null +++ b/radius/.gitignore @@ -0,0 +1 @@ +dictionaries.c diff --git a/radius/LICENSE b/radius/LICENSE new file mode 100644 index 0000000..01dbe92 --- /dev/null +++ b/radius/LICENSE @@ -0,0 +1,24 @@ +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/radius/Makefile.am b/radius/Makefile.am new file mode 100644 index 0000000..462a1e0 --- /dev/null +++ b/radius/Makefile.am @@ -0,0 +1,42 @@ +AUTOMAKE_OPTIONS = foreign +ACLOCAL_AMFLAGS = -I m4 + +AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) +AM_CFLAGS = -Wall -g + +noinst_LTLIBRARIES = libradsec-radius.la + +libradsec_radius_la_SOURCES = \ + attrs.c \ + crypto.c \ + custom.c \ + dict.c \ + id.c \ + parse.c \ + print.c \ + radpkt.c \ + static.c \ + valuepair.c + +libradsec_radius_la_SOURCES += client.h + +libradsec_radius_la_CFLAGS = $(AM_CFLAGS) -DHAVE_CONFIG_H + +DICTIONARIES = \ + share/dictionary.txt \ + share/dictionary.juniper \ + share/dictionary.microsoft \ + share/dictionary.ukerna \ + share/dictionary.abfab.ietf + +EXTRA_DIST = dictionaries.c $(DICTIONARIES) common.pl convert.pl + +$(top_srcdir)/include/radsec/radius.h dictionaries.c: ${DICTIONARIES} convert.pl common.pl + $(srcdir)/convert.pl ${DICTIONARIES} + +static.$(OBJEXT): static.c dictionaries.c + +clean-local: + rm -f dictionaries.c + +$(libradsec_radius_la_SOURCES): $(top_srcdir)/include/radsec/radius.h diff --git a/radius/attrs.c b/radius/attrs.c new file mode 100644 index 0000000..21cd3f0 --- /dev/null +++ b/radius/attrs.c @@ -0,0 +1,1411 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file attrs.c + * \brief Attribute encoding and decoding routines. + */ + +#include "client.h" + +/* + * Encodes the data portion of an attribute. + * Returns -1 on error, or the length of the data portion. + */ +static ssize_t vp2data_any(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + int nest, + const VALUE_PAIR **pvp, + uint8_t *start, size_t room) +{ + uint32_t lvalue; + ssize_t len; + const uint8_t *data; + uint8_t *ptr = start; + uint8_t array[4]; + const VALUE_PAIR *vp = *pvp; + +#ifdef RS_TYPE_TLV + /* + * See if we need to encode a TLV. The low portion of + * the attribute has already been placed into the packer. + * If there are still attribute bytes left, then go + * encode them as TLVs. + * + * If we cared about the stack, we could unroll the loop. + */ + if ((nest > 0) && (nest <= nr_attr_max_tlv) && + ((vp->da->attr >> nr_attr_shift[nest]) != 0)) { + return vp2data_tlvs(packet, original, nest, pvp, + start, room); + } +#else + nest = nest; /* -Wunused */ +#endif + + /* + * Set up the default sources for the data. + */ + data = vp->vp_octets; + len = vp->length; + + switch(vp->da->type) { + case RS_TYPE_IPV6PREFIX: + len = sizeof(vp->vp_ipv6prefix); + break; + + case RS_TYPE_STRING: + case RS_TYPE_OCTETS: + case RS_TYPE_IFID: + case RS_TYPE_IPV6ADDR: +#ifdef RS_TYPE_ABINARY + case RS_TYPE_ABINARY: +#endif + /* nothing more to do */ + break; + + case RS_TYPE_BYTE: + len = 1; /* just in case */ + array[0] = vp->vp_integer & 0xff; + data = array; + break; + + case RS_TYPE_SHORT: + len = 2; /* just in case */ + array[0] = (vp->vp_integer >> 8) & 0xff; + array[1] = vp->vp_integer & 0xff; + data = array; + break; + + case RS_TYPE_INTEGER: + len = 4; /* just in case */ + lvalue = htonl(vp->vp_integer); + memcpy(array, &lvalue, sizeof(lvalue)); + data = array; + break; + + case RS_TYPE_IPADDR: + data = (const uint8_t *) &vp->vp_ipaddr; + len = 4; /* just in case */ + break; + + /* + * There are no tagged date attributes. + */ + case RS_TYPE_DATE: + lvalue = htonl(vp->vp_date); + data = (const uint8_t *) &lvalue; + len = 4; /* just in case */ + break; + +#ifdef VENDORPEC_WIMAX + case RS_TYPE_SIGNED: + { + int32_t slvalue; + + len = 4; /* just in case */ + slvalue = htonl(vp->vp_signed); + memcpy(array, &slvalue, sizeof(slvalue)); + break; + } +#endif + +#ifdef RS_TYPE_TLV + case RS_TYPE_TLV: + data = vp->vp_tlv; + if (!data) { + nr_debug_error("ERROR: Cannot encode NULL TLV"); + return -RSE_INVAL; + } + len = vp->length; + break; +#endif + + default: /* unknown type: ignore it */ + nr_debug_error("ERROR: Unknown attribute type %d", vp->da->type); + return -RSE_ATTR_TYPE_UNKNOWN; + } + + /* + * Bound the data to the calling size + */ + if (len > (ssize_t) room) len = room; + +#ifndef FLAG_ENCRYPT_TUNNEL_PASSWORD + original = original; /* -Wunused */ +#endif + + /* + * Encrypt the various password styles + * + * Attributes with encrypted values MUST be less than + * 128 bytes long. + */ + switch (vp->da->flags.encrypt) { + case FLAG_ENCRYPT_USER_PASSWORD: + len = nr_password_encrypt(ptr, room, data, len, + packet->secret, packet->vector); + break; + +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + case FLAG_ENCRYPT_TUNNEL_PASSWORD: + lvalue = 0; + if (vp->da->flags.has_tag) lvalue = 1; + + /* + * Check if there's enough room. If there isn't, + * we discard the attribute. + * + * This is ONLY a problem if we have multiple VSA's + * in one Vendor-Specific, though. + */ + if (room < (18 + lvalue)) { + *pvp = vp->next; + return 0; + } + + switch (packet->code) { + case PW_ACCESS_ACCEPT: + case PW_ACCESS_REJECT: + case PW_ACCESS_CHALLENGE: + default: + if (!original) { + nr_debug_error("ERROR: No request packet, cannot encrypt %s attribute in the vp.", vp->da->name); + return -RSE_REQUEST_REQUIRED; + } + + if (lvalue) ptr[0] = vp->tag; + len = nr_tunnelpw_encrypt(ptr + lvalue, + room - lvalue, data, len, + packet->secret, + original->vector); + if (len < 0) return len; + break; + case PW_ACCOUNTING_REQUEST: + case PW_DISCONNECT_REQUEST: + case PW_COA_REQUEST: + ptr[0] = vp->tag; + len = nr_tunnelpw_encrypt(ptr + 1, room, data, len - 1, + packet->secret, + packet->vector); + if (len < 0) return len; + break; + } + break; +#endif + + /* + * The code above ensures that this attribute + * always fits. + */ +#ifdef FLAG_ENCRYPT_ASCEND_SECRET + case FLAG_ENCRYPT_ASCEND_SECRET: + make_secret(ptr, packet->vector, packet->secret, data); + len = AUTH_VECTOR_LEN; + break; +#endif + + default: + if (vp->da->flags.has_tag && TAG_VALID(vp->tag)) { + if (vp->da->type == RS_TYPE_STRING) { + if (len > ((ssize_t) (room - 1))) len = room - 1; + ptr[0] = vp->tag; + ptr++; + } else if (vp->da->type == RS_TYPE_INTEGER) { + array[0] = vp->tag; + } /* else it can't be any other type */ + } + memcpy(ptr, data, len); + break; + } /* switch over encryption flags */ + + *(pvp) = vp->next; + return len + (ptr - start);; +} + + +/* + * Encode an RFC format TLV. This could be a standard attribute, + * or a TLV data type. If it's a standard attribute, then + * vp->da->attr == attribute. Otherwise, attribute may be + * something else. + */ +static ssize_t vp2attr_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + unsigned int attribute, uint8_t *ptr, size_t room) +{ + ssize_t len; + + if (room < 2) { + *pvp = (*pvp)->next; + return 0; + } + + ptr[0] = attribute & 0xff; + ptr[1] = 2; + + if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; + + len = vp2data_any(packet, original, 0, pvp, ptr + ptr[1], room); + if (len < 0) return len; + + ptr[1] += len; + + return ptr[1]; +} + + +#ifndef WITHOUT_VSAS +/* + * Encode a VSA which is a TLV. If it's in the RFC format, call + * vp2attr_rfc. Otherwise, encode it here. + */ +static ssize_t vp2attr_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + unsigned int attribute, unsigned int vendor, + uint8_t *ptr, size_t room) +{ + ssize_t len; + const DICT_VENDOR *dv; + + /* + * Unknown vendor: RFC format. + * Known vendor and RFC format: go do that. + */ + dv = nr_dict_vendor_byvalue(vendor); + if (!dv || + ( +#ifdef RS_TYPE_TLV + !(*pvp)->flags.is_tlv && +#endif + (dv->type == 1) && (dv->length == 1))) { + return vp2attr_rfc(packet, original, pvp, + attribute, ptr, room); + } + +#ifdef RS_TYPE_TLV + if ((*pvp)->flags.is_tlv) { + return data2vp_tlvs(packet, original, 0, pvp, + ptr, room); + } +#endif + + switch (dv->type) { + default: + nr_debug_error("vp2attr_vsa: Internal sanity check failed," + " type %u", (unsigned) dv->type); + return -RSE_INTERNAL; + + case 4: + ptr[0] = 0; /* attr must be 24-bit */ + ptr[1] = (attribute >> 16) & 0xff; + ptr[2] = (attribute >> 8) & 0xff; + ptr[3] = attribute & 0xff; + break; + + case 2: + ptr[0] = (attribute >> 8) & 0xff; + ptr[1] = attribute & 0xff; + break; + + case 1: + ptr[0] = attribute & 0xff; + break; + } + + switch (dv->length) { + default: + nr_debug_error("vp2attr_vsa: Internal sanity check failed," + " length %u", (unsigned) dv->length); + return -RSE_INTERNAL; + + case 0: + break; + + case 2: + ptr[dv->type] = 0; + /* FALL-THROUGH */ + + case 1: + ptr[dv->type + dv->length - 1] = dv->type + dv->length; + break; + + } + + if (room > ((unsigned) 255 - (dv->type + dv->length))) { + room = 255 - (dv->type + dv->length); + } + + len = vp2data_any(packet, original, 0, pvp, + ptr + dv->type + dv->length, room); + if (len < 0) return len; + + if (dv->length) ptr[dv->type + dv->length - 1] += len; + + return dv->type + dv->length + len; +} + + +/* + * Encode a Vendor-Specific attribute. + */ +ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *ptr, + size_t room) +{ + ssize_t len; + uint32_t lvalue; + const VALUE_PAIR *vp = *pvp; + +#ifdef VENDORPEC_WIMAX + /* + * Double-check for WiMAX + */ + if (vp->da->vendor == VENDORPEC_WIMAX) { + return nr_vp2wimax(packet, original, pvp, + ptr, room); + } +#endif + + if (vp->da->vendor > RS_MAX_VENDOR) { + nr_debug_error("nr_vp2vsa: Invalid arguments"); + return -RSE_INVAL; + } + + /* + * Not enough room for: + * attr, len, vendor-id + */ + if (room < 6) { + *pvp = vp->next; + return 0; + } + + /* + * Build the Vendor-Specific header + */ + ptr[0] = PW_VENDOR_SPECIFIC; + ptr[1] = 6; + lvalue = htonl(vp->da->vendor); + memcpy(ptr + 2, &lvalue, 4); + + if (room > ((unsigned) 255 - ptr[1])) room = 255 - ptr[1]; + + len = vp2attr_vsa(packet, original, pvp, + vp->da->attr, vp->da->vendor, + ptr + ptr[1], room); + if (len < 0) return len; + + ptr[1] += len; + + return ptr[1]; +} +#endif + + +/* + * Encode an RFC standard attribute 1..255 + */ +ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *ptr, size_t room) +{ + const VALUE_PAIR *vp = *pvp; + + if (vp->da->vendor != 0) { + nr_debug_error("nr_vp2rfc called with VSA"); + return -RSE_INVAL; + } + + if ((vp->da->attr == 0) || (vp->da->attr > 255)) { + nr_debug_error("nr_vp2rfc called with non-standard attribute %u", vp->da->attr); + return -RSE_INVAL; + } + +#ifdef PW_CHARGEABLE_USER_IDENTITY + if ((vp->length == 0) && + (vp->da != RS_DA_CHARGEABLE_USER_IDENTITY)) { + *pvp = vp->next; + return 0; + } +#endif + + return vp2attr_rfc(packet, original, pvp, vp->da->attr, + ptr, room); +} + +#ifdef PW_CHAP_PASSWORD +/* + * Encode an RFC standard attribute 1..255 + */ +static ssize_t nr_chap2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *ptr, size_t room) +{ + ssize_t rcode; + const VALUE_PAIR *vp = *pvp; + RS_MD5_CTX ctx; + uint8_t buffer[RS_MAX_STRING_LEN*2 + 1], *p; + VALUE_PAIR chap = { + RS_DA_CHAP_PASSWORD, + 17, + 0, + NULL, + { + .octets = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }, + }, + }; + + if ((vp->da->vendor != 0) || (vp->da != RS_DA_CHAP_PASSWORD)) { + nr_debug_error("nr_chap2rfc called with non-CHAP"); + return -RSE_INVAL; + } + + p = buffer; + *(p++) = nr_rand() & 0xff; /* id */ + + memcpy(p, vp->vp_strvalue, strlen(vp->vp_strvalue)); + p += strlen(vp->vp_strvalue); + + vp = nr_vps_find(packet->vps, PW_CHAP_CHALLENGE, 0); + if (vp) { + memcpy(p, vp->vp_octets, vp->length); + p += vp->length; + } else { + memcpy(p, packet->vector, sizeof(packet->vector)); + p += sizeof(packet->vector); + } + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, buffer, p - buffer); + RS_MD5Final(&chap.vp_octets[1], &ctx); + + chap.vp_octets[0] = buffer[0]; + vp = &chap; + + rcode = vp2attr_rfc(packet, original, &vp, chap.da->attr, + ptr, room); + if (rcode < 0) return rcode; + + *pvp = (*pvp)->next; + return rcode; +} +#endif /* PW_CHAP_PASSWORD */ + +#ifdef PW_MESSAGE_AUTHENTICATOR +/** Fake Message-Authenticator. + * + * This structure is used to replace a Message-Authenticator in the + * input list of VALUE_PAIRs when encoding a packet. If the caller + * asks us to encode a Message-Authenticator, we ignore the one given + * to us by the caller (which may have the wrong length, etc.), and + * instead use this one, which has the correct length and data. + */ +static const VALUE_PAIR fake_ma = { + RS_DA_MESSAGE_AUTHENTICATOR, + 16, + 0, + NULL, + { + .octets = { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }, + } +}; +#endif /* PW_MESSAGE_AUTHENTICATOR */ + +/* + * Parse a data structure into a RADIUS attribute. + */ +ssize_t nr_vp2attr(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *start, + size_t room) +{ + const VALUE_PAIR *vp = *pvp; + + /* + * RFC format attributes take the fast path. + */ + if (vp->da->vendor != 0) { +#ifdef VENDORPEC_EXTENDED + if (vp->da->vendor > RS_MAX_VENDOR) { + return nr_vp2attr_extended(packet, original, + pvp, start, room); + + } +#endif + +#ifdef VENDORPEC_WIMAX + if (vp->da->vendor == VENDORPEC_WIMAX) { + return nr_vp2attr_wimax(packet, original, + pvp, start, room); + } +#endif + +#ifndef WITHOUT_VSAS + return nr_vp2vsa(packet, original, pvp, start, room); +#else + nr_debug_error("VSAs are not supported"); + return -RSE_UNSUPPORTED; +#endif + } + + /* + * Ignore non-protocol attributes. + */ + if (vp->da->attr > 255) { + *pvp = vp->next; + return 0; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + /* + * The caller wants a Message-Authenticator, but doesn't + * know how to calculate it, or what the correct values + * are. So... create one for him. + */ + if (vp->da == RS_DA_MESSAGE_AUTHENTICATOR) { + ssize_t rcode; + + vp = &fake_ma; + rcode = nr_vp2rfc(packet, original, &vp, start, room); + if (rcode <= 0) return rcode; + *pvp = (*pvp)->next; + return rcode; + } +#endif + +#ifdef PW_CHAP_PASSWORD + /* + * The caller wants a CHAP-Password, but doesn't know how + * to calculate it, or what the correct values are. To + * help, we calculate it for him. + */ + if (vp->da == RS_DA_CHAP_PASSWORD) { + int encoded = 0; + + /* + * CHAP is ID + MD5(...). If it's length is NOT + * 17, then the caller has passed us a password, + * and wants us to encode it. If the length IS + * 17, then we need to double-check if the caller + * has already encoded it. + */ + if (vp->length == 17) { + int i; + + /* + * ASCII and UTF-8 disallow values 0..31. + * If they appear, then the CHAP-Password + * has already been encoded by the + * caller. The probability of a + * CHAP-Password being all 32..256 is + * (1-32/256)^17 =~ .10 + * + * This check isn't perfect, but it + * should be pretty rare for people to + * have 17-character passwords *and* have + * them all 32..256. + */ + for (i = 0; i < 17; i++) { + if (vp->vp_octets[i] < 32) { + encoded = 1; + break; + } + } + } + + if (!encoded) { + return nr_chap2rfc(packet, original, pvp, start, room); + } + } +#endif + + return nr_vp2rfc(packet, original, pvp, + start, room); +} + + +/* + * Ignore unknown attributes, but "decoding" them into nothing. + */ +static ssize_t data2vp_raw(UNUSED const RADIUS_PACKET *packet, + UNUSED const RADIUS_PACKET *original, + unsigned int attribute, + unsigned int vendor, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + VALUE_PAIR *vp; + + if (length > sizeof(vp->vp_octets)) return -RSE_ATTR_OVERFLOW; + + vp = nr_vp_alloc_raw(attribute, vendor); + if (!vp) return -RSE_NOMEM; + + memcpy(vp->vp_octets, data, length); + vp->length = length; + + *pvp = vp; + return length; +} + +ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; + + return data2vp_raw(packet, original, data[0], 0, + data + 2, data[1] - 2, pvp); +} + +/* + * Create any kind of VP from the attribute contents. + * + * Will return -1 on error, or "length". + */ +static ssize_t data2vp_any(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + int nest, + unsigned int attribute, unsigned int vendor, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + ssize_t rcode; +#endif + int data_offset = 0; + const DICT_ATTR *da; + VALUE_PAIR *vp = NULL; + + if (length == 0) { + /* + * Hacks for CUI. The WiMAX spec says that it + * can be zero length, even though this is + * forbidden by the RADIUS specs. So... we make + * a special case for it. + */ + if ((vendor == 0) && + (attribute == PW_CHARGEABLE_USER_IDENTITY)) { + data = (const uint8_t *) ""; + length = 1; + } else { + *pvp = NULL; + return 0; + } + } + + da = nr_dict_attr_byvalue(attribute, vendor); + + /* + * Unknown attribute. Create it as a "raw" attribute. + */ + if (!da) { + raw: + if (vp) nr_vp_free(&vp); + return data2vp_raw(packet, original, + attribute, vendor, data, length, pvp); + } + +#ifdef RS_TYPE_TLV + /* + * TLVs are handled first. They can't be tagged, and + * they can't be encrypted. + */ + if (da->da->type == RS_TYPE_TLV) { + return data2vp_tlvs(packet, original, + attribute, vendor, nest, + data, length, pvp); + } +#else + nest = nest; /* -Wunused */ +#endif + + /* + * The attribute is known, and well formed. We can now + * create it. The main failure from here on in is being + * out of memory. + */ + vp = nr_vp_alloc(da); + if (!vp) return -RSE_NOMEM; + + /* + * Handle tags. + */ + if (vp->da->flags.has_tag) { + if (TAG_VALID(data[0]) +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + || (vp->da->flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) +#endif + ) { + /* + * Tunnel passwords REQUIRE a tag, even + * if don't have a valid tag. + */ + vp->tag = data[0]; + + if ((vp->da->type == RS_TYPE_STRING) || + (vp->da->type == RS_TYPE_OCTETS)) { + if (length == 0) goto raw; + data_offset = 1; + } + } + } + + /* + * Copy the data to be decrypted + */ + vp->length = length - data_offset; + memcpy(&vp->vp_octets[0], data + data_offset, vp->length); + + /* + * Decrypt the attribute. + */ + switch (vp->da->flags.encrypt) { + /* + * User-Password + */ + case FLAG_ENCRYPT_USER_PASSWORD: + if (original) { + rcode = nr_password_encrypt(vp->vp_octets, + sizeof(vp->vp_strvalue), + data + data_offset, vp->length, + packet->secret, + original->vector); + } else { + rcode = nr_password_encrypt(vp->vp_octets, + sizeof(vp->vp_strvalue), + data + data_offset, vp->length, + packet->secret, + packet->vector); + } + if (rcode < 0) goto raw; + vp->vp_strvalue[128] = '\0'; + vp->length = strlen(vp->vp_strvalue); + break; + + /* + * Tunnel-Password's may go ONLY + * in response packets. + */ +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD + case FLAG_ENCRYPT_TUNNEL_PASSWORD: + if (!original) goto raw; + + rcode = nr_tunnelpw_decrypt(vp->vp_octets, + sizeof(vp->vp_octets), + data + data_offset, vp->length, + packet->secret, original->vector); + if (rcode < 0) goto raw; + vp->length = rcode; + break; +#endif + + +#ifdef FLAG_ENCRYPT_ASCEND_SECRET + /* + * Ascend-Send-Secret + * Ascend-Receive-Secret + */ + case FLAG_ENCRYPT_ASCEND_SECRET: + if (!original) { + goto raw; + } else { + uint8_t my_digest[AUTH_VECTOR_LEN]; + make_secret(my_digest, + original->vector, + packet->secret, data); + memcpy(vp->vp_strvalue, my_digest, + AUTH_VECTOR_LEN ); + vp->vp_strvalue[AUTH_VECTOR_LEN] = '\0'; + vp->length = strlen(vp->vp_strvalue); + } + break; +#endif + + default: + break; + } /* switch over encryption flags */ + + /* + * Expected a certain length, but got something else. + */ + if ((vp->da->flags.length != 0) && + (vp->length != vp->da->flags.length)) { + goto raw; + } + + switch (vp->da->type) { + case RS_TYPE_STRING: + case RS_TYPE_OCTETS: +#ifdef RS_TYPE_ABINARY + case RS_TYPE_ABINARY: +#endif + /* nothing more to do */ + break; + + case RS_TYPE_BYTE: + vp->vp_integer = vp->vp_octets[0]; + break; + + + case RS_TYPE_SHORT: + vp->vp_integer = (vp->vp_octets[0] << 8) | vp->vp_octets[1]; + break; + + case RS_TYPE_INTEGER: + memcpy(&vp->vp_integer, vp->vp_octets, 4); + vp->vp_integer = ntohl(vp->vp_integer); + + if (vp->da->flags.has_tag) vp->vp_integer &= 0x00ffffff; + break; + + case RS_TYPE_DATE: + memcpy(&vp->vp_date, vp->vp_octets, 4); + vp->vp_date = ntohl(vp->vp_date); + break; + + + case RS_TYPE_IPADDR: + memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); + break; + + /* + * IPv6 interface ID is 8 octets long. + */ + case RS_TYPE_IFID: + /* vp->vp_ifid == vp->vp_octets */ + break; + + /* + * IPv6 addresses are 16 octets long + */ + case RS_TYPE_IPV6ADDR: + /* vp->vp_ipv6addr == vp->vp_octets */ + break; + + /* + * IPv6 prefixes are 2 to 18 octets long. + * + * RFC 3162: The first octet is unused. + * The second is the length of the prefix + * the rest are the prefix data. + * + * The prefix length can have value 0 to 128. + */ + case RS_TYPE_IPV6PREFIX: + if (vp->length < 2 || vp->length > 18) goto raw; + if (vp->vp_octets[1] > 128) goto raw; + + /* + * FIXME: double-check that + * (vp->vp_octets[1] >> 3) matches vp->length + 2 + */ + if (vp->length < 18) { + memset(vp->vp_octets + vp->length, 0, + 18 - vp->length); + } + break; + +#ifdef VENDORPEC_WIMAX + case RS_TYPE_SIGNED: + if (vp->length != 4) goto raw; + + /* + * Overload vp_integer for ntohl, which takes + * uint32_t, not int32_t + */ + memcpy(&vp->vp_integer, vp->vp_octets, 4); + vp->vp_integer = ntohl(vp->vp_integer); + memcpy(&vp->vp_signed, &vp->vp_integer, 4); + break; +#endif + +#ifdef RS_TYPE_TLV + case RS_TYPE_TLV: + nr_vp_free(&vp); + nr_debug_error("data2vp_any: Internal sanity check failed"); + return -RSE_ATTR_TYPE_UNKNOWN; +#endif + +#ifdef VENDORPEC_WIMAX + case RS_TYPE_COMBO_IP: + if (vp->length == 4) { + vp->da->type = RS_TYPE_IPADDR; + memcpy(&vp->vp_ipaddr, vp->vp_octets, 4); + break; + + } else if (vp->length == 16) { + vp->da->type = RS_TYPE_IPV6ADDR; + /* vp->vp_ipv6addr == vp->vp_octets */ + break; + + } + /* FALL-THROUGH */ +#endif + + default: + goto raw; + } + + *pvp = vp; + + return length; +} + + +/* + * Create a "standard" RFC VALUE_PAIR from the given data. + */ +ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + ssize_t rcode; + + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; + + rcode = data2vp_any(packet, original, 0, + data[0], 0, data + 2, data[1] - 2, pvp); + if (rcode < 0) return rcode; + + return data[1]; +} + +#ifndef WITHOUT_VSAS +/* + * Check if a set of RADIUS formatted TLVs are OK. + */ +int nr_tlv_ok(const uint8_t *data, size_t length, + size_t dv_type, size_t dv_length) +{ + const uint8_t *end = data + length; + + if ((dv_length > 2) || (dv_type == 0) || (dv_type > 4)) { + nr_debug_error("nr_tlv_ok: Invalid arguments"); + return -RSE_INVAL; + } + + while (data < end) { + size_t attrlen; + + if ((data + dv_type + dv_length) > end) { + nr_debug_error("Attribute header overflow"); + return -RSE_ATTR_TOO_SMALL; + } + + switch (dv_type) { + case 4: + if ((data[0] == 0) && (data[1] == 0) && + (data[2] == 0) && (data[3] == 0)) { + zero: + nr_debug_error("Invalid attribute 0"); + return -RSE_ATTR_INVALID; + } + + if (data[0] != 0) { + nr_debug_error("Invalid attribute > 2^24"); + return -RSE_ATTR_INVALID; + } + break; + + case 2: + if ((data[1] == 0) && (data[1] == 0)) goto zero; + break; + + case 1: + if (data[0] == 0) goto zero; + break; + + default: + nr_debug_error("Internal sanity check failed"); + return -RSE_INTERNAL; + } + + switch (dv_length) { + case 0: + return 0; + + case 2: + if (data[dv_type + 1] != 0) { + nr_debug_error("Attribute is longer than 256 octets"); + return -RSE_ATTR_TOO_LARGE; + } + /* FALL-THROUGH */ + case 1: + attrlen = data[dv_type + dv_length - 1]; + break; + + + default: + nr_debug_error("Internal sanity check failed"); + return -RSE_INTERNAL; + } + + if (attrlen < (dv_type + dv_length)) { + nr_debug_error("Attribute header has invalid length"); + return -RSE_PACKET_TOO_SMALL; + } + + if (attrlen > length) { + nr_debug_error("Attribute overflows container"); + return -RSE_ATTR_OVERFLOW; + } + + data += attrlen; + length -= attrlen; + } + + return 0; +} + + +/* + * Convert a top-level VSA to a VP. + */ +static ssize_t attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + unsigned int vendor, + size_t dv_type, size_t dv_length, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + unsigned int attribute; + ssize_t attrlen, my_len; + +#ifndef NDEBUG + if (length <= (dv_type + dv_length)) { + nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); + return -RSE_PACKET_TOO_SMALL; + } +#endif + + switch (dv_type) { + case 4: + /* data[0] must be zero */ + attribute = data[1] << 16; + attribute |= data[2] << 8; + attribute |= data[3]; + break; + + case 2: + attribute = data[0] << 8; + attribute |= data[1]; + break; + + case 1: + attribute = data[0]; + break; + + default: + nr_debug_error("attr2vp_vsa: Internal sanity check failed"); + return -RSE_INTERNAL; + } + + switch (dv_length) { + case 2: + /* data[dv_type] must be zero */ + attrlen = data[dv_type + 1]; + break; + + case 1: + attrlen = data[dv_type]; + break; + + case 0: + attrlen = length; + break; + + default: + nr_debug_error("attr2vp_vsa: Internal sanity check failed"); + return -RSE_INTERNAL; + } + +#ifndef NDEBUG + if (attrlen <= (ssize_t) (dv_type + dv_length)) { + nr_debug_error("attr2vp_vsa: Failure to call nr_tlv_ok"); + return -RSE_PACKET_TOO_SMALL; + } +#endif + + attrlen -= (dv_type + dv_length); + + my_len = data2vp_any(packet, original, 0, + attribute, vendor, + data + dv_type + dv_length, attrlen, pvp); + if (my_len < 0) return my_len; + +#ifndef NDEBUG + if (my_len != attrlen) { + nr_vp_free(pvp); + nr_debug_error("attr2vp_vsa: Incomplete decode %d != %d", + (int) my_len, (int) attrlen); + return -RSE_INTERNAL; + } +#endif + + return dv_type + dv_length + attrlen; +} + + +/* + * Create Vendor-Specifc VALUE_PAIRs from a RADIUS attribute. + */ +ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + size_t dv_type, dv_length; + ssize_t my_len; + uint32_t lvalue; + const DICT_VENDOR *dv; + + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; + + if (data[0] != PW_VENDOR_SPECIFIC) { + nr_debug_error("nr_attr2vp_vsa: Invalid attribute"); + return -RSE_INVAL; + } + + /* + * Not enough room for a Vendor-Id. + * Or the high octet of the Vendor-Id is set. + */ + if ((data[1] < 6) || (data[2] != 0)) { + return nr_attr2vp_raw(packet, original, + data, length, pvp); + } + + memcpy(&lvalue, data + 2, 4); + lvalue = ntohl(lvalue); + +#ifdef VENDORPEC_WIMAX + /* + * WiMAX gets its own set of magic. + */ + if (lvalue == VENDORPEC_WIMAX) { + return nr_attr2vp_wimax(packet, original, + data, length, pvp); + } +#endif + + dv_type = dv_length = 1; + dv = nr_dict_vendor_byvalue(lvalue); + if (!dv) { + return nr_attr2vp_rfc(packet, original, + data, length, pvp); + } + + dv_type = dv->type; + dv_length = dv->length; + + /* + * Attribute is not in the correct form. + */ + if (nr_tlv_ok(data + 6, data[1] - 6, dv_type, dv_length) < 0) { + return nr_attr2vp_raw(packet, original, + data, length, pvp); + } + + my_len = attr2vp_vsa(packet, original, + lvalue, dv_type, dv_length, + data + 6, data[1] - 6, pvp); + if (my_len < 0) return my_len; + +#ifndef NDEBUG + if (my_len != (data[1] - 6)) { + nr_vp_free(pvp); + nr_debug_error("nr_attr2vp_vsa: Incomplete decode"); + return -RSE_INTERNAL; + } +#endif + + return data[1]; +} +#endif /* WITHOUT_VSAS */ + + +/* + * Create a "normal" VALUE_PAIR from the given data. + */ +ssize_t nr_attr2vp(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp) +{ + if (length < 2) return -RSE_PACKET_TOO_SMALL; + if (data[1] < 2) return -RSE_ATTR_TOO_SMALL; + if (data[1] > length) return -RSE_ATTR_OVERFLOW; + +#ifndef WITHOUT_VSAS + /* + * VSAs get their own handler. + */ + if (data[0] == PW_VENDOR_SPECIFIC) { + return nr_attr2vp_vsa(packet, original, + data, length, pvp); + } +#endif + +#ifdef VENDORPEC_EXTENDED + /* + * Extended attribute format gets their own handler. + */ + if (nr_dict_attr_byvalue(data[0], VENDORPEC_EXTENDED) != NULL) { + return nr_attr2vp_extended(packet, original, + data, length, pvp); + } +#endif + + return nr_attr2vp_rfc(packet, original, data, length, pvp); +} + +ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, + unsigned int attribute, unsigned int vendor, + const uint8_t **pdata, size_t *plength) +{ + uint8_t *data, *attr; + const uint8_t *end; + + if (!packet || !pdata || !plength) return -RSE_INVAL; + + if (!packet->data) return -RSE_INVAL; + if (packet->length < 20) return -RSE_INVAL; + + /* + * Too long or short, not good. + */ + if ((start < 0) || + ((start > 0) && (start < 20))) return -RSE_INVAL; + + if ((size_t) start >= (packet->length - 2)) return -RSE_INVAL; + + end = packet->data + packet->length; + + /* + * Loop over the packet, converting attrs to VPs. + */ + if (start == 0) { + data = packet->data + 20; + } else { + data = packet->data + start; + data += data[1]; + if (data >= end) return 0; + } + + for (attr = data; attr < end; attr += attr[1]) { + const DICT_VENDOR *dv = NULL; + +#ifndef NEBUG + /* + * This code is copied from packet_ok(). + * It could be put into a separate function. + */ + if ((attr + 2) > end) { + nr_debug_error("Attribute overflows packet"); + return -RSE_ATTR_OVERFLOW; + } + + if (attr[1] < 2) { + nr_debug_error("Attribute length is too small"); + return -RSE_ATTR_TOO_SMALL; + } + + if ((attr + attr[1]) > end) { + nr_debug_error("Attribute length is too large"); + return -RSE_ATTR_TOO_LARGE; + } +#endif + + if ((vendor == 0) && (attr[0] == attribute)) { + *pdata = attr + 2; + *plength = attr[1] - 2; + return attr - packet->data; + } + +#ifndef WITHOUT_VSAS + if (vendor != 0) { + uint32_t vendorpec; + + if (attr[0] != PW_VENDOR_SPECIFIC) continue; + + if (attr[1] < 6) continue; + + memcpy(&vendorpec, attr + 2, 4); + vendorpec = ntohl(vendorpec); + if (vendor != vendorpec) continue; + + if (!dv) { + dv = nr_dict_vendor_byvalue(vendor); + if (dv && + ((dv->type != 1) || (dv->length != 1))) { + return -RSE_VENDOR_UNKNOWN; + } + } + + /* + * No data. + */ + if (attr[1] < 9) continue; + + /* + * Malformed, or more than one VSA in + * the Vendor-Specific + */ + if (attr[7] + 6 != attr[1]) continue; + + /* + * Not the right VSA. + */ + if (attr[6] != attribute) continue; + + *pdata = attr + 8; + *plength = attr[1] - 8; + return attr - packet->data; + } +#endif + } + + return 0; /* nothing more: stop */ +} + diff --git a/radius/client.h b/radius/client.h new file mode 100644 index 0000000..ab4718a --- /dev/null +++ b/radius/client.h @@ -0,0 +1,1302 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file client.h + * \brief Main header file. + */ + +#ifndef _RADIUS_CLIENT_H_ +#define _RADIUS_CLIENT_H_ 1 + +/* + * System-specific header files. + */ +#include +#include +#include +#ifdef HAVE_STDINT_H +#include +#endif +#ifdef HAVE_STDLIB_H +#include +#endif +#ifdef HAVE_STRING_H +#include +#endif +#include +#include +#ifdef HAVE_NETDB_H +#include +#endif +#ifdef HAVE_NETINET_IN_H +#include +#endif +#ifdef HAVE_SYS_TIME_H +#include +#endif + +#include +#include +#include + +/** \defgroup build Build Helpers + * + * These definitions give the GNU C compiler more information about + * the functions being compiled. They are used to either remove + * warnings, or to enable better warnings. + **/ + +/** \defgroup custom Portability Functions + * + * These functions and definitions should be modified for your local + * system. See the individual definitions for details. + */ + +/** \defgroup error Error handling + * + * These definitions and routines manage errors. + */ + +/** \defgroup value_pair Attribute manipulation + * + * These routines manage structures which map to attributes. + */ + +/**\defgroup dict Dictionary Lookup Functions + * + * \sa doc/dictionaries.txt + * + * The RADIUS dictionaries perform name to number mappings. The names + * are used only for administrator convenience, for parsing + * configuration files, and printing humanly-readable output. The + * numbers are used when encoding data in a packet. + * + * When attributes are decoded from a packet, the numbers are used to + * look up the associated name, which is then placed into a data + * structure. + * + * When the data structures are encoded into a packet, the numbers are + * used to create RFC and VSA format attributes. + * + * \attention The definitions, structures, and functions given below + * are useful only for implementing "low level" RADIUS + * functionality. There is usually no need to refer to them in a + * client application. The library should be used at a higher level, + * which exposes a much simpler API. + */ + +/** \defgroup packet Packet manipulation + * + * These routines perform encoding and decoding of RADIUS packets. + */ + +/** \defgroup print Print / parse functions + * + * These routines convert the internal data structures to a printable + * form, or parse them. + */ + +/** \defgroup id ID allocation and freeing + * + * These routines manage RADIUS ID allocation. + */ + +/** \defgroup attr Low-level attribute encode/decoding + * + * These routines perform "low level" encoding, decoding, sending, and + * reception of RADIUS attributes. They are called by the \ref packet + * functions. + * + * \attention The structures and functions given below are useful only + * for implementing "low level" RADIUS functionality. There is usually + * no need to refer to them in a client application. The library + * should be used at a higher level, which exposes a much simpler API. + */ + +/** \defgroup internal Internal support functions. + * + * These functions are required to perform internal or "low-level" + * data manipulation. While they are exposed for completeness, they + * should not be called by any application. + */ + +#ifdef PW_EAP_MESSAGE +#ifndef PW_MESSAGE_AUTHENTICATOR +#error EAP-Message requires Message-Authenticator +#endif +#endif + +#ifdef WITHOUT_OPENSSL +#include "md5.h" +#else +#include +#endif + +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define RS_MD5_CTX MD5_CTX +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define RS_MD5Init MD5_Init +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define RS_MD5Update MD5_Update +/** Define for compile-time selection of the MD5 functions. Defaults to using the OpenSSL functions. \ingroup custom */ +#define RS_MD5Final MD5_Final + + +#ifndef RS_MAX_PACKET_LEN +/** The maximum size of a packet that the library will send or receive. \ingroup custom + * + * The RFC requirement is to handle at least 4K packets. However, if + * you expect to only do username/password authentication, this value + * can be set to a smaller value, such as 256. + * + * Be warned that any packets larger than this value will be ignored + * and silently discarded. + */ +#define RS_MAX_PACKET_LEN (4096) +#endif + +#ifndef RS_MAX_ATTRIBUTES +/** The maximum number of attributes that the library will allow in a packet. \ingroup custom + * + * Packets which contain more than ::RS_MAX_ATTRIBUTES will generate + * an error. This value is configurable because there may be a need + * to accept a large mumber of attributes. + * + * This value is ignored when packets are sent. The library will + * send as many attributes as it is told to send. + */ +#define RS_MAX_ATTRIBUTES (200) +#endif + +#undef RS_MAX_PACKET_CODE +/** The maximum RADIUS_PACKET::code which we can accept. \ingroup dict + * + * \attention This should not be changed, as it is used by other + * structures such as ::nr_packet_codes. + */ +#define RS_MAX_PACKET_CODE PW_COA_NAK + +/** The maximum vendor number which is permitted. \ingroup dict + * + * The RFCs require that the Vendor Id or Private Enterprise Number + * be encoded as 32 bits, with the upper 8 bits being zero. + */ +#define RS_MAX_VENDOR (1 << 24) + +/** Data Type Definitions. \ingroup dict + */ +#define TAG_VALID(x) ((x) < 0x20) + +/** The attribute is not encrypted. */ +#define FLAG_ENCRYPT_NONE (0) + +/** The attribute is encrypted using the RFC 2865 User-Password method */ +#define FLAG_ENCRYPT_USER_PASSWORD (1) + +/** The attribute is encrypted using the RFC 2868 Tunnel-Password method */ +#define FLAG_ENCRYPT_TUNNEL_PASSWORD (2) + +/** A set of flags which determine how the attribute should be handled. + * + * Most attributes are "normal", and do not require special handling. + * However, some require "encryption", tagging, or have other special + * formats. This structure contains the various options for the + * attribute formats. + */ +typedef struct attr_flags { + unsigned int has_tag : 1; /**< Attribute has an RFC 2868 tag */ + unsigned int unknown : 1; /**< Attribute is unknown */ +#ifdef RS_TYPE_TLV + unsigned int has_tlv : 1; /* has sub attributes */ + unsigned int is_tlv : 1; /* is a sub attribute */ +#endif + unsigned int extended : 1; /* extended attribute */ + unsigned int extended_flags : 1; /* with flag */ + unsigned int evs : 1; /* extended VSA */ + uint8_t encrypt; /**< Attribute encryption method */ + uint8_t length; /**< The expected length of the attribute */ +} ATTR_FLAGS; + + +/** Defines an dictionary mapping for an attribute. \ingroup dict + * + * The RADIUS dictionaries map humanly readable names to protocol + * numbers. The protocol numbers are used to encode/decode the + * attributes in a packet. + */ +typedef struct nr_dict_attr { + unsigned int attr; /**< Attribute number */ + rs_attr_type_t type; /**< Data type */ + unsigned int vendor; /**< Vendor-Id number */ + ATTR_FLAGS flags; + const char *name; /**< Printable name */ +} DICT_ATTR; + +/** Defines a dictionary mapping for a named enumeration. \ingroup dict + * + * This structure is currently not used. + */ +typedef struct nr_dict_value { + const DICT_ATTR *da; /**< pointer to a ::DICT_ATTR */ + int value; /**< enumerated value */ + char name[1]; /**< printable name */ +} DICT_VALUE; + +/** Defines an dictionary mapping for a vendor. \ingroup dict + * + * The RADIUS dictionaries map humanly readable vendor names to a + * Vendor-Id (or Private Enterprise Code) assigned by IANA. The + * Vendor-Id is used to encode/decode Vendor-Specific attributes in a + * packet. + */ +typedef struct nr_dict_vendor { + unsigned int vendor; /**< Vendor Private Enterprise Code */ + size_t type; /**< size of Vendor-Type field */ + size_t length; /**< size of Vendor-Length field */ + const char *name; /**< Printable name */ +} DICT_VENDOR; + +/** Union holding all possible types of data for a ::VALUE_PAIR. \ingroup value_pair + * + */ +typedef union value_pair_data { + char strvalue[RS_MAX_STRING_LEN]; /* +1 for NUL */ + uint8_t octets[253]; + struct in_addr ipaddr; + struct in6_addr ipv6addr; + uint32_t date; + uint32_t integer; +#ifdef RS_TYPE_SIGNED + int32_t sinteger; +#endif +#ifdef RS_TYPE_ABINARY + uint8_t filter[32]; +#endif + uint8_t ifid[8]; /* struct? */ + uint8_t ipv6prefix[18]; /* struct? */ +#ifdef RS_TYPE_TLV + uint8_t *tlv; +#endif +} VALUE_PAIR_DATA; + + +/** C structure version of a RADIUS attribute. \ingroup value_pair + * + * The library APIs use this structure to avoid depending on the + * details of the protocol. + */ +typedef struct value_pair { + const DICT_ATTR *da; /**< dictionary definition */ + size_t length; /**< number of octets in the data */ + int tag; /**< tag value if da->flags.has_tag */ + struct value_pair *next; /**< enables a linked list of values */ + VALUE_PAIR_DATA data; /**< the data of the attribute */ +} VALUE_PAIR; +#define vp_strvalue data.strvalue +#define vp_octets data.octets +#define vp_ipv6addr data.ipv6addr +#define vp_ifid data.ifid +#define vp_ipv6prefix data.ipv6prefix +#define vp_ipaddr data.ipaddr.s_addr +#define vp_date data.integer +#define vp_integer data.integer +#ifdef RS_TYPE_ABINARY +#define vp_filter data.filter +#endif +#ifdef RS_TYPE_ETHER +#define vp_ether data.ether +#endif +#ifdef RS_TYPE_SIGNED +#define vp_signed data.sinteger +#endif +#ifdef RS_TYPE_TLV +#define vp_tlv data.tlv +#endif + +#ifdef RS_TYPE_TLV +#define RS_ATTR_MAX_TLV (4) +extern const int nr_attr_shift[RS_ATTR_MAX_TLV]; +extern const int nr_attr_mask[RS_ATTR_MAX_TLV]; +extern const unsigned int nr_attr_max_tlv; +#endif + +/** A structure which describes a RADIUS packet. \ingroup packet + * + * In general, it should not be necessary to refererence the elements + * of this structure. + */ +typedef struct radius_packet { + int sockfd; /** The socket descriptor */ + struct sockaddr_storage src; /**< The packet source address */ + struct sockaddr_storage dst; /**< the packet destination address */ + const char *secret; /**< The shared secret */ + size_t sizeof_secret; /**< Length of the shared secret */ + unsigned int code; /**< The RADIUS Packet Code */ + int id; /**< The RADIUS Packet Id */ + size_t length; /**< The RADIUS Packet Length. This will be no larger than RADIUS_PACKET::sizeof_data */ + uint8_t vector[16]; /**< A copy of the authentication vector */ + int flags; /**< Internal flags. Do not modify this field. */ + int attempts; /**< The number of transmission attempt */ + uint8_t *data; /**< The raw packet data */ + size_t sizeof_data; /**< size of the data buffer */ + VALUE_PAIR *vps; /**< linked list of ::VALUE_PAIR */ +} RADIUS_PACKET; + +#define RS_PACKET_ENCODED (1 << 0) +#define RS_PACKET_HEADER (1 << 1) +#define RS_PACKET_SIGNED (1 << 2) +#define RS_PACKET_OK (1 << 3) +#define RS_PACKET_VERIFIED (1 << 4) +#define RS_PACKET_DECODED (1 << 5) + + +/** Track packets sent to a server. \ingroup id + * + * This data structure tracks Identifiers which are used to + * communicate with a particular destination server. The application + * should call nr_server_init() to initialize it. If necessary, the + * application should then call nr_server_set_ipv4() to open an IPv4 + * socket to the server. + * + * If the RADIUS packets are being transported over an encapsulation + * layer (e.g. RADIUS over TLS), then nr_server_set_ipv4() does not + * need to be called. The ::nr_server_t structure should instead be + * associated wih the TLS session / socket. + */ +typedef struct nr_server_t { + int sockfd; /**< socket for sending packets */ + int code; /**< default value for the Code */ + + struct sockaddr_storage src; /**< Source address of the packet */ + struct sockaddr_storage dst; /**< Destination address of the packet */ + + /** The shared secret. + * + * See also nr_packet_send() and nr_packet_recv(). + */ + const char *secret; + + /** The length of the shared secret. + * + * See also nr_packet_send() and nr_packet_recv(). + */ + size_t sizeof_secret; + + int used; /**< Number of used IDs */ + + void *free_list; /**< For managing packets */ + + RADIUS_PACKET *ids[256]; /**< Pointers to "in flight" packets */ +} nr_server_t; + + +/** Return a printable error message. \ingroup error + * + * This function returns a string describing the last error that + * occurred. These messages are intended for developers, and are not + * suitable for display to an end user. The application using this + * library should instead produce a "summary" message when an error + * occurs. e.g. "Failed to receive a response", is better than + * messages produced by this function, which contain text like + * "invalid response authentication vector". The first is + * understandable, the second is not. + * + * @param[in] error The error code (can be less than zero) + * @return A printable string describing the error. + */ +extern const char *nr_strerror(int error); + +/** Allocate a ::VALUE_PAIR which refers to a ::DICT_ATTR. \ingroup value_pair + * + * This returned ::VALUE_PAIR has no data associated with it. The + * nr_vp_set_data() function must be called before placing the + * ::VALUE_PAIR in a ::RADIUS_PACKET. + * + * @param[in] da The ::DICT_ATTR associated with the ::VALUE_PAIR + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da); + +/** Free a ::VALUE_PAIR. \ingroup value_pair + * + * This function frees the ::VALUE_PAIR, and sets the head pointer to NULL. + * If head refers to a ::VALUE_PAIR list, then all of the structures in the + * list are freed. + * + * @param[in,out] head The pointer to a ::VALUE_PAIR, or a ::VALUE_PAIR list. + */ +extern void nr_vp_free(VALUE_PAIR **head); + +/** Initializes a ::VALUE_PAIR from a ::DICT_ATTR \ingroup value_pair + * + * This function assumes that the ::VALUE_PAIR points to existing + * and writable memory. + * + * @param[in,out] vp The ::VALUE_PAIR to be initialized + * @param[in] da The ::DICT_ATTR used to initialize the ::VALUE_PAIR + * @return The initialized ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da); + +/** Allocate a ::VALUE_PAIR which refers to an unknown attribute. \ingroup value_pair + * + * It is used when an attribute is received, and that attribute does + * not exist in the dictionaries. + * + * The returned ::VALUE_PAIR has no data (i.e. VALUE_PAIR::length is + * zero). The nr_vp_set_data() function must be called before + * placing the ::VALUE_PAIR in a ::RADIUS_PACKET. + * + * @param[in] attr The attribute number, 0..2^16 + * @param[in] vendor The vendor number, 0..2^16 + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor); + +/** Set the data associated with a previously allocated ::VALUE_PAIR. \ingroup value_pair + * + * If this function succeeds, VALUE_PAIR::length is no longer zero, + * and the structure contains the data. + * + * @param[in,out] vp The ::VALUE_PAIR to update + * @param[in] data Data to set inside of the ::VALUE_PAIR + * @param[in] data_len Length of the data field + * @return <0 on error, 0 for "data was truncated" + * >0 for "data successfully added" + */ +extern int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t data_len); + +/** Create a ::VALUE_PAIR and set its data. \ingroup value_pair + * + * @param[in] attr The attribute number of the ::VALUE_PAIR to create + * @param[in] vendor The vendor number of the ::VALUE_PAIR to create + * @param[in] data Data to set inside of the ::VALUE_PAIR + * @param[in] data_len Length of the data field + * @return The created ::VALUE_PAIR, or NULL on error. + */ +extern VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, + size_t data_len); + +/** Append a ::VALUE_PAIR to the end of a ::VALUE_PAIR list. \ingroup value_pair + * + * @param[in,out] head The head of the ::VALUE_PAIR list. May not be NULL. + * @param[in] vp The ::VALUE_PAIR to append to the list. + */ +extern void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *vp); + +/** Search a ::VALUE_PAIR list for one of a given number. \ingroup value_pair + * + * @param[in] head The head of the ::VALUE_PAIR list to search. + * @param[in] attr The attribute number of the ::VALUE_PAIR to find + * @param[in] vendor The vendor number of the ::VALUE_PAIR to find + * @return The found ::VALUE_PAIR, or NULL if it was not found. + */ +extern VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, + unsigned int attr, unsigned int vendor); + +/** Look up an attribute in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the attribute, + * such as printable name, data type (ipaddr, integer, etc), and + * various other things used to encode/decode the attribute in a + * packet. + * + * \attention There is usually no need to call this function. Use + * the RS_DA_* definitions instead. + * + * @param[in] attr Value of the attribute + * @param[in] vendor Value of the vendor + * @return NULL for "not found", or a pointer to the attribute mapping. + */ +extern const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, + unsigned int vendor); + +/** Look up an attribute in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the attribute, + * such as printable name, data type (ipaddr, integer, etc), and + * various other things used to encode/decode the attribute in a + * packet. + * + * \attention There is usually no need to call this function. + * + * @param[in] name Name of the attribute + * @return NULL for "not found", or a pointer to the attribute mapping. + */ +extern const DICT_ATTR *nr_dict_attr_byname(const char *name); + +/** Converts raw data to a ::DICT_ATTR structure. \ingroup dict + * + * It is called when the library is asked to decode an attribute + * which is not in the pre-defined dictionaries. + * + * \attention There is usually no need to call this function. + * + * @param[in,out] da The ::DICT_ATTR structure to initialize + * @param[in] attr The attribute number + * @param[in] vendor The vendor number + * @param[in] buffer The buffer where the name of the attribute is stored + * @param[in] bufsize Size of the buffer + * @return <0 for error, 0 for success + */ +extern int nr_dict_attr_2struct(DICT_ATTR *da, + unsigned int attr, unsigned int vendor, + char *buffer, size_t bufsize); + +/** Unused. \ngroup dict + * + */ +extern const DICT_VALUE *nr_dict_value_byattr(unsigned int attr, + unsigned int vendor, + int value); + +/** Unused. \ngroup dict + * + */ +const DICT_VALUE *nr_dict_value_byname(unsigned int attr, + unsigned int vendor, + const char *name); + +/** Look up a vendor in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the vendor, such + * as printable name, VSA encoding method, etc. + * + * \attention There is usually no need to call this function. + * Applications do not need access to low-level RADIUS protocol + * information. + * + * @param[in] name Name of the vendor. + * @return NULL for "not found", or a pointer to the vendor mapping. + */ +extern int nr_dict_vendor_byname(const char *name); + +/** Look up an vendor in the dictionaries. \ingroup dict + * + * The dictionary mapping contains information about the vendor, such + * as printable name, VSA encoding method, etc. + * + * \attention There is usually no need to call this function. + * + * @param[in] vendor Vendor-Id (or Private Enterprise code) for the vendor. + * @return NULL for "not found", or a pointer to the vendor mapping. + */ +extern const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor); + +/** Static array of known vendors. \ingroup dict + * + * \attention This structure should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_VENDOR nr_dict_vendors[]; + +/** The number of attribute definitions in the dictionary. \ingroup dict + * + * This number is guaranteed to be at least 256, for speed. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const int nr_dict_num_attrs; + +/** The list of attribute definitions. \ingroup dict + * + * The "standard" RFC attributes are located in the first 256 + * entries. Standard attributes without a dictionary definition are + * given an empty entry. + * + * The attributes are orderd by (vendor, attribute), in increasing + * order. This allows the dictionary lookups to find attributes by a + * binary search. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_ATTR nr_dict_attrs[]; + +/** The number of attributes with names. \ingroup dict + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const int nr_dict_num_names; + +/** The list of attribute definitions, organized by name. \ingroup dict + * + * The attributes are orderd by name (case insensitive), in + * increasing order. This allows the dictionary lookups to find + * attributes by a binary search. + * + * \attention This variable should only be accessed by internal RADIUS library + * functions. + */ +extern const DICT_ATTR const *nr_dict_attr_names[]; + +/** Static array containing names the RADIUS_PACKET::code field. \ingroup dict + * + * The names are hard-coded and not in any dictionary because they do + * not change. + * + * The names are exported because they may be useful in your + * application. Packet codes which are not handled by the library + * have NULL for their names. + */ +extern const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1]; + +/** Verifies that a packet is "well formed". \ingroup packet + * + * This function performs basic validation to see if the packet is + * well formed. It is automatically called by nr_packet_decode(). + * + * @param[in] packet A pointer to the ::RADIUS_PACKET data. + * @return <0 means malformed, >= 0 means well-formed. + */ +extern int nr_packet_ok(RADIUS_PACKET *packet); + +/** Verifies that a packet is "well formed". \ingroup packet + * + * This function performs basic validation to see if the packet is + * well formed. You should normally use nr_packet_ok() instead of + * this function. + * + * @param[in] data A pointer to the raw packet data. + * @param[in] sizeof_data The length of the raw packet data + * @return <0 means malformed, >= 0 means well-formed. + */ +extern int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data); + +/** Encodes a packet. \ingroup packet + * + * This function encodes a packet using the fields of the + * ::RADIUS_PACKET structure. The RADIUS_PACKET::code and + * RADIUS_PACKET::id fields are used to fill in the relevant fields + * of the raw (encoded) packet. The RADIUS_PACKET::vps list is + * walked to encode the attributes. The packet is signed, if + * required. + * + * The raw packet is placed into the RADIUS_PACKET::data field, up to + * RADIUS_PACKET::sizeof_data bytes. the RADIUS_PACKET::length field + * is updated with the length of the raw packet. This field is + * always less than, or equal to, the RADIUS_PACKET::size_data field. + * If there is insufficient room to store all of the attributes, then + * some attributes are silently discarded. + * + * The RADIUS_PACKET::vector field is either calculated as part of + * the signing process, or is initialized by this function to be a + * random sequence of bytes. That field should therefore be left + * alone by the caller. + * + * When the encoding has been successful, it sets the + * RADIUS_PACKET::encoded field to non-zero. + * + * In addition, all required attribute "encryption" is performed. + * + * User-Password. The vp_strvalue field is assumed to contain the + * "clear-text" version of the password. The encrypted version is + * calculated, and placed in the packet. + * + * CHAP-Password. The vp_strvalue field is assumed to contain the + * "clear-text" version of the password. The encrypted version is + * calculated, and placed in the packet. If the RADIUS_PACKET::vps + * list contains a CHAP-Challenge attribute, it is used. Otherwise + * the RADIUS_PACKET::vector field is used a the challenge. + * + * Message-Authenticator. The contents of the Message-Authenticator + * in the RADIUS_PACKET::vps list are ignored. Instead, a + * "place-holder" is put into the packt. Tthe correct value is + * calculated and placed into the packet by nr_packet_sign(). + * + * The RADIUS_PACKET::vps list is left untouched by this function, + * even when attribute encryption or signing is performed. Any + * VALUE_PAIR structures can therefore be taken from static "const" + * variables. + * + * @param[in] packet The RADIUS packet to encode. + * @param[in] original The original request, when encoding a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Decodes a packet. \ingroup packet + * + * This function decodes a packet from the RADIUS_PACKET::data field + * into a sequence of ::VALUE_PAIR structures in the + * RADIUS_PACKET::vps list. + * + * @param[in] packet The RADIUS packet to decode. + * @param[in] original The original request, when decoding a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Signs a packet so that it can be sent. \ingroup packet + * + * This function calculates the Message-Authenticator (if required), + * and signs the packet. + * + * @param[in] packet The RADIUS packet to sign. + * @param[in] original The original request, when signing a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original); + +/** Verifies that a packet is well-formed and contains the correct signature. \ingroup packet + * + * If "original" is specified, it also verifies that the packet is a + * response to the original request, and that it has the correct + * signature. + * + * @param[in] packet The RADIUS packet to verify. + * @param[in] original The original request, when verifying a response. + * @return <0 on error, >= 0 on success. + */ +extern int nr_packet_verify(RADIUS_PACKET *packet, + const RADIUS_PACKET *original); + +/** Pretty-prints a hex dump of a RADIUS packet. \ingroup packet print + * + * This function is available only in debugging builds of the + * library. It is useful during development, but should not be used + * in a production system. + * + * The packet headers are printed individually, and each attribute is + * printed as "type length data..." + * + * @param[in] packet The RADIUS packet to print + */ +extern void nr_packet_print_hex(RADIUS_PACKET *packet); + + +/** Return the given number of random bytes. \ingroup custom + * + * This function should be replaced by one that is specific to your + * system. + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in] data Location where the random bytes will be stored + * @param[in] data_len Number of bytes to store + * @return <0 on error, or the total number of bytes stored. + */ +extern ssize_t nr_rand_bytes(uint8_t *data, size_t data_len); + +/** Return a random 32-bit integer. \ingroup custom + * + * This function should be replaced by one that is specific to your + * system. The version supplied here just calls nr_rand_bytes() each + * time, which is slow. + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @return An unsigned 32-bit random integer. + */ +extern uint32_t nr_rand(void); + +/** Add a time to the given ::struct timeval. \ingroup custom + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in,out] t The timeval to which the time is added. + * @param[in] seconds Time in seconds to add + * @param[in] usec Time in microseconds to add + */ +extern void nr_timeval_add(struct timeval *t, unsigned int seconds, + unsigned int usec); + +/** Compare two times. \ingroup custom + * + * This is a wrapper function which enables the library to be more + * portable. + * + * @param[in] a One timeval + * @param[in] b Another one + * @return a <=> b + */ +extern int nr_timeval_cmp(const struct timeval *a, const struct timeval *b); + +/** Initializes an ::nr_server_t. \ingroup id + * + * @param[in,ut] s The ::nr_server_t to initialize + * @param[in] code The packet code used for packets sent to this server + * @param[in] secret The shared secret used for packet sent to this server + * @return <0 for error, >= 0 for success + */ +extern int nr_server_init(nr_server_t *s, int code, const char *secret); + +/** Closes an ::nr_server_t data structure. \ingroup id + * + * Ensures that all IDs are free, and closes the socket. + * + * @param[in] s The server structure to close. + * @return <0 for error, 0 for success + */ +extern int nr_server_close(const nr_server_t *s); + +/** Allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id + * + * This function allocates a RADIUS_PACKET::id from the ::nr_server_t + * structure. It also fills in the RADIUS_PACKET::sockfd, + * RADIUS_PACKET::code, and RADIUS_PACKET::dst fields. + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which needs an ID + * @return <0 for error, 0 for success + */ +extern int nr_server_id_alloc(nr_server_t *id, RADIUS_PACKET *packet); + +/** Re-allocate a RADIUS_PACKET::id value for sending a packet to a server. \ingroup id + * + * It is used when retransmitting an Accounting-Request packet to a + * server, after updating the Acct-Delay-Time field. The "realloc" + * name means that the new ID is allocated, and is guaranteed to be + * different from the old one. + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which needs a new ID + * @return <0 for error, 0 for success + */ +extern int nr_server_id_realloc(nr_server_t *id, RADIUS_PACKET *packet); + +/** Free a RADIUS_PACKET::id value after sending a packet to a server. \ingroup id + * + * @param[in] s The server structure which tracks the ID + * @param[in] packet The packet which has an ID, and wants to free it + * @return <0 for error, 0 for success + */ +extern int nr_server_id_free(nr_server_t *id, RADIUS_PACKET *packet); + + +/** Allocates a packet using malloc(), and initializes it. \ingroup id + * + * @param[in] s The server structure + * @param[in,out] packet_p Pointer to the ::RADIUS_PACKET to be allocated + * @return <0 for error, 0 for success + */ +extern int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p); + +/** Record a humanly readable error message. \ingroup error + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[in] fmt The format to use. + */ +extern void nr_strerror_printf(const char *fmt, ...); + +#ifndef NDEBUG +#define nr_debug_error nr_strerror_printf /** \ingroup error */ +#else +#define nr_debug_error if (0) nr_strerror_printf +#endif + +/** Encrypts or decrypts a User-Password attribute. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Encrypts a Tunnel-Password attribute. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Decrypts a Tunnel-Password attribute. \ingroup internal + * + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[out] output Buffer where the password is stored + * @param[out] outlen Size of the output buffer + * @param[in] input Input buffer with password + * @param[in] inlen Length of the input buffer + * @param[in] secret The shared secret + * @param[in] vector Authentication vector + * @return <0 on error, or the length of data in "output" + */ +extern ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector); + +/** Calculates an HMAC-MD5. \ingroup internal + * + * @param[in] data Data to be hashed + * @param[in] data_len Length of data to be hashed + * @param[in] key Key for the HMAC + * @param[in] key_len Length of the key + * @param[out] digest + */ +extern void nr_hmac_md5(const uint8_t *data, size_t data_len, + const uint8_t *key, size_t key_len, + uint8_t digest[16]); + +/** Checks if a TLV is properly formatted. \ingroup internal + * + * \attention This structure should only be accessed by internal + * RADIUS library functions. + * + * @param[in] data Data to check + * @param[in] length Length of the data field + * @param[in] dv_type Length of the TLV "type" field + * @param[in] dv_length Length of the TLV "length" field + * @return <0 on error, 0 for "TLV is OK" + */ +extern int nr_tlv_ok(const uint8_t *data, size_t length, + size_t dv_type, size_t dv_length); + +/** A callback function used by nr_packet_walk(). \ingroup packet + * + * The function should return 0 on success (i.e. keep walking), and + * otherwise a negative number indicating an error code + * (::nr_error_t). That negative number will be used as the return + * code for nr_packet_walk(). + */ +typedef int (*nr_packet_walk_func_t)(void *, const DICT_ATTR *, const uint8_t *, size_t); + +/** Walks over all attributes in a packet. \ingroup packet + * + * This function is an iterator which calls a user-supplied callback + * function for each attribute in the packet. It should be used + * instead of manually walking over the attributes. There are a + * number of odd corner cases when handling Vendor-Specific + * attributes, and it is easy to get those corner cases wrong. + * + * This function iterates over *all* attributes, including nested + * VSAs. That is its main value. + * + * Encrypted attributes such as User-Password are not decrypted. + * + * @param[in] packet The packet containing the data + * @param[in] ctx A user-supplied context. May be NULL + * @param[in] callback The callback function where the information is passed. + * + * @return <0 for error, + * 0 for success. + */ +extern int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, + nr_packet_walk_func_t callback); + +/** Initialize a packet + * + * If original is specified, the packet is initialized as a response + * to the original request. + * + * @param[in,out] packet The packet to initialize + * @param[in] original The original request (if any) to use as a template + * @param[in] secret Shared secret + * @param[in] code RADIUS Code field. + * @param[in] data Buffer where packets will be stored (RADIUS_PACKET::data) + * @param[in] sizeof_data Size of buffer (RADIUS_PACKET::sizeof_data) + * @return <0 on error, 0 for success. + */ +extern int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const char *secret, int code, + void *data, size_t sizeof_data); + +/** Add one attribute to the packet. + * + * This function can be used to add "raw" data to a packet. It + * allows the caller to extend the RADIUS packet without using a + * ::VALUE_PAIR data structure. + * + * Some attributes are handled specially by this function. + * + * EAP-Message. This attribute is automatically split into 253-octet + * chunks. + * + * User-Password, CHAP-Password, and Message-Authenticator. These + * attributes are automatically encrypted, as is done by + * nr_packet_encode(). + * + * @param[in] packet The packet to edit + * @param[in] original The original request (if any) + * @param[in] da Pointer to the attribute definition + * @param[in] data Data to append to the packet + * @param[in] data_len Length of data to append to the packet + * + * @return <0 for error, >= 0 for "successfully appended data" + * The function returns the number of octets appended to the packet. + */ +extern ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const DICT_ATTR *da, + const void *data, size_t data_len); + + +/** Encodes any ::VALUE_PAIR into an attribute. \ingroup attr + * + * This function can be called for any ::VALUE_PAIR. It will examine + * that structure, and call one of nr_vp2rfc() or nr_vp2vsa() as + * necessary. + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2attr(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *data, size_t room); + +/** Encodes an RFC "standard" ::VALUE_PAIR into an attribute. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, + uint8_t *data, size_t room); + +/** Decodes any attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes an RFC "standard" attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_rfc(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes a Vendor-Specific attribute into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_vsa(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Decodes an attribute with an unexpected length into a ::VALUE_PAIR. \ingroup attr + * + * \attention This function should not be called. + * + * @param[in] packet The packet containing the attribute to be decoded. + * @param[in] original The original request (optional), if "packet" is a response + * @param[out] pvp Where to place the decoded ::VALUE_PAIR. On any return >=0, it is updated to point to the ::VALUE_PAIR which was decoded from the packet. + * @param[in] data Where the attribute is to be encoded. + * @param[in] length How many octets are available for attribute decoding. + * + * @return <0 for error, or the number of octets used to decode the attribute. + */ +extern ssize_t nr_attr2vp_raw(const RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const uint8_t *data, size_t length, + VALUE_PAIR **pvp); + +/** Encodes a Vendor-Specific ::VALUE_PAIR into an attribute. + * + * \attention This function should not be called. + * + * @param[in] packet Where to place the encoded attribute. + * @param[in] original The original request (optional), if "packet" is a response + * @param[in,out] pvp The ::VALUE_PAIR to encode. On any return >=0, it is updated to point to the "next" ::VALUE_PAIR which should be encoded. + * @param[in] data Where the attribute is to be encoded. + * @param[in] room How many octets are available for attribute encoding. + * + * @return <0 for error, or the number of octets used to encode the attribute. + */ +extern ssize_t nr_vp2vsa(const RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const VALUE_PAIR **pvp, uint8_t *data, + size_t room); + +/** Returns raw data from the RADIUS packet, for a given attribute. \ingroup attr + * + * This function can be called repeatedly to find all instances of a + * given attribute. The first time it is called, the "start" + * parameter should be zero. If the function returns a non-zero + * positive number, it means that there *may* be more attributes + * available. The returned value should be then passed via the + * "start" option in any subsequent calls to the function. + * + * This function should be called by an application when it wants + * access to data which is not in the pre-defined dictionaries. + * + * @param[in] packet The packet containing the attribute. + * @param[in] start Where in the packet we start searching for the attribute. + * @param[in] attr Value of the attribute to search for + * @param[in] vendor Value of the vendor (use 0 for IETF attributes) + * @param[out] pdata Pointer to the data. If no data was found, the pointer is unchanged. + * @param[out] plength Length of the data. If no data was found, the value pointed to is unchanged. + * + * @return <0 for error, + * 0 for "no attribute found, stop searching" + * >0 offset where the attribute was found. + */ +extern ssize_t nr_attr2data(const RADIUS_PACKET *packet, ssize_t start, + unsigned int attr, unsigned int vendor, + const uint8_t **pdata, size_t *plength); + +/** Pretty-print the entire ::VALUE_PAIR \ingroup print + * + * All data is printed in ASCII format. The data type of "octets" is + * printed as a hex string (e.g. 0xabcdef01...). The data type of + * "ipaddr" is printed as a dotted-quad (e.g. 192.0.2.15). + * + * The format is "Attribute-Name = value" + * + * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored + * @param[in] bufsize size of the output buffer + * @param[in] vp ::VALUE_PAIR to print + * @return length of data in buffer + */ +extern size_t nr_vp_snprintf(char *buffer, size_t bufsize, const VALUE_PAIR *vp); + +/** Pretty-print the VALUE_PAIR::data field \ingroup print + * + * Prints the value of a ::VALUE_PAIR, without the name or "=" sign. + * + * @param[out] buffer Where the printable version of the ::VALUE_PAIR is stored + * @param[in] bufsize size of the output buffer + * @param[in] vp ::VALUE_PAIR to print + * @return length of data in buffer + */ +extern size_t nr_vp_snprintf_value(char *buffer, size_t bufsize, const VALUE_PAIR *vp); + +/** Prints a list of :VALUE_PAIR structures to the given output. \ingroup print + * + * @param[in] fp Where to print the results + * @param[in] vps Linked list of ::VALUE_PAIR to print + */ +extern void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps); + +/** Scan a string into a ::VALUE_PAIR. The counterpart to + * nr_vp_snprintf_value() \ingroup print + * + * @param[in] string Printable version of the ::VALUE_PAIR + * @param[out] pvp Newly allocated ::VALUE_PAIR + * @return <0 on error, 0 for success. + */ +extern int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp); + +/** Scan the data portion of a ::VALUE_PAIR. The counterpart to + * nr_vp_snprintf_value() \ingroup print + * + * @param[in,out] vp The ::VALUE_PAIR where the data will be stored + * @param[in] value The string version of the data to be parsed + * @return <0 on error, >=0 for the number of characters parsed in value. + */ +extern ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value); + +#if defined(__GNUC__) +# define PRINTF_LIKE(n) __attribute__ ((format(printf, n, n+1))) +# define NEVER_RETURNS __attribute__ ((noreturn)) +# define UNUSED __attribute__ ((unused)) +# define BLANK_FORMAT " " /* GCC_LINT whines about empty formats */ +#else + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define PRINTF_LIKE(n) + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define NEVER_RETURNS + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define UNUSED + +/** Macro used to quiet compiler warnings inside of the library. \ingroup build + * + */ +# define BLANK_FORMAT "" +#endif + +#endif /* _RADIUS_CLIENT_H_ */ diff --git a/radius/common.pl b/radius/common.pl new file mode 100644 index 0000000..7042fe5 --- /dev/null +++ b/radius/common.pl @@ -0,0 +1,220 @@ +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +our %attributes; +our %vendor; +our %vendorpec; +our $begin_vendor = 0; + +$vendorpec{'0'} = "IETF"; + +sub do_file() +{ + my $filename = shift; + my $fh; + + $dir = $filename; + $dir =~ s:/[^/]+?$::; + $lineno = 0; + + open $fh, "<$filename" or die "Failed to open $filename: $!\n"; + + while (<$fh>) { + $lineno++; + next if (/^\s*#/); + next if (/^\s*$/); + s/#.*//; + s/\s+$//; + + next if ($_ eq ""); + + # + # Remember the vendor + # + if (/^VENDOR\s+([\w-]+)\s+(\w+)(.*)/) { + my $me = $1; + + $vendor{$me}{'pec'} = $2; + $vendorpec{$2} = $me; + + $vendor{$me}{'type'} = 1; + $vendor{$me}{'length'} = 1; + + if ($3) { + $format=$3; + $format =~ s/^\s+//; + + if ($format !~ /^format=(\d+),(\d+)$/) { + die "Unknown format $format\n"; + } + $vendor{$me}{'type'} = $1; + $vendor{$me}{'length'} = $2; + } + next; + } + + # + # Remember if we did begin-vendor. + # + if (/^BEGIN-VENDOR\s+([\w-]+)/) { + if (!defined $vendor{$1}) { + die "Unknown vendor $1\n"; + } + $begin_vendor = $vendor{$1}{'pec'}; + next; + } + + # + # Remember if we did this. + # + if (/^END-VENDOR/) { + $begin_vendor = 0; + next; + } + + # + # Get attribute. + # + if (/^ATTRIBUTE\s+([\w-\/.]+)\s+(\w+)\s+(\w+)(.*)/) { + $name=$1; + $value = $2; + $type = $3; + $stuff = $4; + + $value =~ tr/[A-F]/[a-f]/; # normal form for hex + $value =~ tr/X/x/; + + if ($value =~ /^0x/) { + $index = hex $value; + } else { + $index = $value; + } + + next if (($begin_vendor == 0) && ($index > 255)); + + $index += ($begin_vendor << 16); + + $attributes{$index}{'name'} = $name; + $attributes{$index}{'value'} = $value; + if ($begin_vendor ne "") { + $attributes{$index}{'vendor'} = $begin_vendor; + } + + $type =~ tr/a-z/A-Z/; + $attributes{$index}{'type'} = "RS_TYPE_$type"; + + $stuff =~ s/^\s*//; + + if ($stuff) { + foreach $text (split /,/, $stuff) { + if ($text eq "encrypt=1") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_USER_PASSWORD"; + } elsif ($text eq "encrypt=2") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_TUNNEL_PASSWORD"; + + } elsif ($text eq "encrypt=3") { + $attributes{$index}{'flags'}{'encrypt'} = "FLAG_ENCRYPT_ASCEND_SECRET"; + + } elsif ($text eq "has_tag") { + $attributes{$index}{'flags'}{'has_tag'} = "1"; + + } elsif ($text =~ /\[(\d+)\]/) { + $attributes{$index}{'flags'}{'length'} = $1; + + } else { + die "$filename: $lineno - Unknown flag $text\n"; + } + } + } + + if ($type eq "BYTE") { + $attributes{$index}{'flags'}{'length'} = "1"; + + } elsif ($type eq "SHORT") { + $attributes{$index}{'flags'}{'length'} = "2"; + + } elsif ($type eq "INTEGER") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "IPADDR") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "DATE") { + $attributes{$index}{'flags'}{'length'} = "4"; + + } elsif ($type eq "IFID") { + $attributes{$index}{'flags'}{'length'} = "8"; + + } elsif ($type eq "IPV6ADDR") { + + $attributes{$index}{'flags'}{'length'} = "16"; + } + + $name2val{$name} = $index; + next; + } + + # + # Values. + # + if (/^VALUE\s+([\d\w-\/.]+)\s+([\w-\/,.+]+)\s+(\w+)(.*)/) { + next; + + $attr = $1; + $name = $2; + $value = $3; + $stuff = $d; + + $value =~ tr/[A-F]/[a-f]/; # normal form for hex + $value =~ tr/X/x/; + + if ($value =~ /^0x/) { + $index = hex $value; + } else { + $index = $value; + } + + if (!defined $name2val{$attr}) { + print "# FIXME: FORWARD REF?\nVALUE $attr $name $value$stuff\n"; + next; + } + + $values{$name2val{$attr}}{$index} = "$attr $name $value$stuff"; + next; + } + + if (/^\$INCLUDE\s+(.*)$/) { + do_file("$dir/$1"); + next; + } + + die "unknown text in line $lineno of $filename: $_\n"; + } + + close $fh; +} + +1; diff --git a/radius/convert.pl b/radius/convert.pl new file mode 100755 index 0000000..7ca424e --- /dev/null +++ b/radius/convert.pl @@ -0,0 +1,197 @@ +#!/usr/bin/env perl +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +# +# Converts dictionaries to C structures. Does not yet do "VALUE"s. +# +# Usage: ./convert.pl dictionary ... +# +# Reads input dictionaries, and outputs "radius.h" and "dictionaries.c" +# +# $Id$ +# +require "common.pl"; + +# +# Read all of the dictionaries +# +while (@ARGV) { + $filename = shift; + do_file($filename); +} + +# +# For speed, the dictionary data structures have the first 256 +# attributes at fixed offsets in the array. If the user didn't +# define them, then we set them here to be "raw" or unknown. +# +foreach $attr_val (0..255) { + next if defined $attributes{$attr_val}; + + $attributes{$attr_val}{'raw'} = 1; +} + +if (scalar keys %attributes == 0) { + die "No attributes were defined\n"; +} + + +open DICT, ">dictionaries.c" or die "Failed creating dictionaries.c: $!\n"; + +# +# Print out the data structues for the vendors. +# +if (scalar keys %vendor > 0) { + print DICT "const DICT_VENDOR nr_dict_vendors[] = {\n"; + foreach $v (sort keys %vendor) { + print DICT " { \n"; + print DICT " " . $vendor{$v}{'pec'} . ", \n"; + print DICT " " . $vendor{$v}{'type'} . ",\n"; + print DICT " " . $vendor{$v}{'length'} . ",\n"; + print DICT " \"" . $v, "\"\n"; + print DICT " },\n"; + } + print DICT " { \n"; + print DICT " 0,\n"; + print DICT " 0,\n"; + print DICT " 0,\n"; + print DICT " NULL\n"; + print DICT " },\n"; + print DICT "};\n\n"; +} + +# needed for later. +$vendor{""}{'pec'} = 0; + +sub printAttrFlag +{ + my $tmp = $attributes{$attr_val}{'flags'}{$_[0]}; + + if (!$tmp) { + $tmp = 0; + } + + print DICT $tmp . ", "; +} + +# +# Print DICT out the attributes sorted by number. +# +my $offset = 0; +my $num_names = 0; +print DICT "const DICT_ATTR nr_dict_attrs[] = {\n"; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + print DICT " { /* $offset */ \n"; + + if (defined $attributes{$attr_val}{'raw'}) { + print DICT " 0\n", + } else { + print DICT " ", $attributes{$attr_val}{'value'}, ", \n"; + print DICT " ", $attributes{$attr_val}{'type'}, ", \n"; + print DICT " ", $attributes{$attr_val}{'vendor'}, ", \n"; + print DICT " { "; + &printAttrFlag('has_tag'); + &printAttrFlag('unknown'); +# &printAttrFlag('has_tlv'); +# &printAttrFlag('is_tlv'); + &printAttrFlag('extended'); + &printAttrFlag('extended_flags'); + &printAttrFlag('evs'); + &printAttrFlag('encrypt'); + &printAttrFlag('length'); + print DICT "},\n"; + print DICT " \"", $attributes{$attr_val}{'name'}, "\", \n"; + $num_names++; + } + + $attributes{$attr_val}{'offset'} = $offset++; + + print DICT " },\n"; + +} +print DICT "};\n\n"; + +print DICT "const int nr_dict_num_attrs = ", $offset - 1, ";\n\n"; +print DICT "const int nr_dict_num_names = ", $num_names - 1, ";\n\n"; + +my $offset = 0; +print DICT "const DICT_ATTR *nr_dict_attr_names[] = {\n"; +foreach $attr_val (sort {lc($attributes{$a}{'name'}) cmp lc($attributes{$b}{'name'})} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + print DICT " &nr_dict_attrs[", $attributes{$attr_val}{'offset'}, "], /* ", $attributes{$attr_val}{'name'}, " */\n"; +} + +print DICT "};\n\n"; +close DICT; + +open HDR, ">../include/radsec/radius.h" or die "Failed creating radius.c: $!\n"; + +print HDR "/* Automatically generated file. Do not edit */\n\n"; + +foreach $v (sort keys %vendor) { + next if ($v eq ""); + + $name = $v; + $name =~ tr/a-z/A-Z/; # uppercase + $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ + + print HDR "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; +} +print HDR "\n"; + +$begin_vendor = -1; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { + print HDR "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; + $begin_vendor = $attributes{$attr_val}{'vendor'}; + } + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/A-Z0-9/_/c; + + print HDR "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; +} +print HDR "\n"; + +print HDR "/* Fixed offsets to dictionary definitions of attributes */\n"; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + next if (defined $attributes{$attr_val}{'raw'}); + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/-/_/; + + print HDR "#define RS_DA_$name (&nr_dict_attrs[$attributes{$attr_val}{'offset'}])\n"; +} + +print HDR "/* Automatically generated file. Do not edit */\n"; + +close HDR; diff --git a/radius/crypto.c b/radius/crypto.c new file mode 100644 index 0000000..21cc7d0 --- /dev/null +++ b/radius/crypto.c @@ -0,0 +1,233 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file crypto.c + * \brief Data obfuscation and signing, using MD5. + * + * The "encryption" methods defined here are export-safe. The + * technical cryptography name for these functions is "obfuscation". + * They cannot properly be called "encryption", in the same way that + * DES or AES performs encryption. + */ + +/** \cond PRIVATE */ + +#include "client.h" + + +ssize_t nr_password_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len; + uint8_t digest[16]; + RS_MD5_CTX ctx, secret_ctx; + + if (!output || (outlen < 16) || !input || (inlen == 0) || + !secret || !vector) { + return -RSE_INVAL; + } + + len = inlen; + if (len > 128) return -RSE_ATTR_OVERFLOW; + + len = (len + 0x0f) & ~0x0f; /* round up to 16 byte boundary */ + + if (outlen < len) return -RSE_ATTR_OVERFLOW; + + memcpy(output, input, len); + memset(output + len, 0, 128 - len); + + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + for (j = 0; j < len; j += 16) { + ctx = secret_ctx; + + if (j == 0) { + RS_MD5Update(&ctx, vector, 16); + RS_MD5Final(digest, &ctx); + } else { + RS_MD5Update(&ctx, &output[j - 16], 16); + RS_MD5Final(digest, &ctx); + } + + for (i = 0; i < 16; i++) { + output[i + j] ^= digest[i]; + } + } + + return len; +} + +#ifdef FLAG_ENCRYPT_TUNNEL_PASSWORD +ssize_t nr_tunnelpw_encrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len; + RS_MD5_CTX ctx, secret_ctx; + uint8_t digest[16]; + + if (!output || (outlen < 18) || !input || (inlen == 0) || + !secret || !vector) { + return -RSE_INVAL; + } + + len = ((inlen + 1) + 0x0f) & ~0x0f; + if (len > 251) return -RSE_ATTR_OVERFLOW; + + output[0] = (nr_rand() & 0xff) | 0x80; + output[1] = nr_rand() & 0xff; + output[2] = inlen; + + memcpy(output + 3, input, inlen); + memset(output + 3 + inlen, 0, len - inlen - 1); + + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + for (j = 0; j < len; j += 16) { + ctx = secret_ctx; + + if (j == 0) { + RS_MD5Update(&ctx, vector, 16); + RS_MD5Update(&ctx, output, 2); + RS_MD5Final(digest, &ctx); + } else { + RS_MD5Update(&ctx, &output[j + 2 - 16], 16); + RS_MD5Final(digest, &ctx); + } + + for (i = 0; i < 16; i++) { + output[i + j + 2] ^= digest[i]; + } + } + + return len + 2; +} + +ssize_t nr_tunnelpw_decrypt(uint8_t *output, size_t outlen, + const uint8_t *input, size_t inlen, + const char *secret, const uint8_t *vector) +{ + size_t i, j, len, encoded_len; + RS_MD5_CTX ctx, secret_ctx; + uint8_t digest[16]; + + if (!output || (outlen < 1) || !input || (inlen < 2) || + !secret || !vector) { + return -RSE_INVAL; + } + + if (inlen <= 3) { + output[0] = 0; + return 0; + } + + len = inlen - 2; + + if (outlen < (len - 1)) return -RSE_ATTR_OVERFLOW; + + RS_MD5Init(&secret_ctx); + RS_MD5Update(&secret_ctx, (const uint8_t *) secret, strlen(secret)); + + ctx = secret_ctx; + + RS_MD5Update(&ctx, vector, 16); /* MD5(secret + vector + salt) */ + RS_MD5Update(&ctx, input, 2); + RS_MD5Final(digest, &ctx); + + encoded_len = input[2] ^ digest[0]; + if (encoded_len >= len) { + return -RSE_ATTR_TOO_LARGE; + } + + for (i = 0; i < 15; i++) { + output[i] = input[i + 3] ^ digest[i + 1]; + } + + for (j = 16; j < len; j += 16) { + ctx = secret_ctx; + + RS_MD5Update(&ctx, input + j - 16 + 2, 16); + RS_MD5Final(digest, &ctx); + + for (i = 0; i < 16; i++) { + output[i + j - 1] = input[i + j + 2] ^ digest[i]; + } + + + } + + output[encoded_len] = '\0'; + return encoded_len; +} +#endif + +void +nr_hmac_md5(const uint8_t *data, size_t data_len, + const uint8_t *key, size_t key_len, + uint8_t digest[16]) +{ + size_t i; + uint8_t k_ipad[64]; + uint8_t k_opad[64]; + uint8_t tk[16]; + RS_MD5_CTX ctx; + + if (key_len > 64) { + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, key, key_len); + RS_MD5Final(tk, &ctx); + + key = tk; + key_len = 16; + } + + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memcpy(k_ipad, key, key_len); + memcpy(k_opad, key, key_len); + + for (i = 0; i < sizeof(k_ipad); i++) { + k_ipad[i] ^= 0x36; + k_opad[i] ^= 0x5c; + } + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, k_ipad, sizeof(k_ipad)); + RS_MD5Update(&ctx, data, data_len); + RS_MD5Final(digest, &ctx); + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, k_opad, sizeof(k_opad)); + RS_MD5Update(&ctx, digest, 16); + RS_MD5Final(digest, &ctx); +} + +/** \endcond */ diff --git a/radius/custom.c b/radius/custom.c new file mode 100644 index 0000000..917939a --- /dev/null +++ b/radius/custom.c @@ -0,0 +1,163 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/* + * Copyright (c) 2006 Kungliga Tekniska HAÎåÎÝgskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/** \file custom.c + * \brief Functions which should be customized for your local system. + */ + +#include "client.h" + +#include +#include + +#ifdef WIN32 +#include + +volatile static HCRYPTPROV nr_cryptprovider = 0; + +static HCRYPTPROV +nr_CryptProvider(void) +{ + BOOL rv; + HCRYPTPROV cryptprovider = 0; + + if (nr_cryptprovider != 0) + return nr_cryptprovider; + + rv = CryptAcquireContext(&cryptprovider, NULL, + MS_ENHANCED_PROV, PROV_RSA_FULL, + 0); + + if (GetLastError() == NTE_BAD_KEYSET) { + if(!rv) + rv = CryptAcquireContext(&cryptprovider, NULL, + MS_ENHANCED_PROV, PROV_RSA_FULL, + CRYPT_NEWKEYSET); + } + + if (rv && + InterlockedCompareExchangePointer((PVOID *) &nr_cryptprovider, + (PVOID) cryptprovider, 0) != 0) { + + CryptReleaseContext(cryptprovider, 0); + cryptprovider = nr_cryptprovider; + } + + return cryptprovider; +} + +ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) +{ + if (CryptGenRandom(nr_CryptProvider(), data_len, data)) + return 0; + return data_len; +} +#else +ssize_t nr_rand_bytes(uint8_t *data, size_t data_len) +{ + static int fd = -1; + + if (fd < 0) { + fd = open("/dev/urandom", O_RDONLY); + if (fd < 0) { + nr_strerror_printf("Error opening randomness: %s", + strerror(errno)); + return 0; + } + } + + return read(fd, data, data_len); +} +#endif /* WIN32 */ + +uint32_t nr_rand(void) +{ + uint32_t lvalue; + + nr_rand_bytes((void *)&lvalue, sizeof(lvalue)); + return lvalue; +} + + +#ifndef USEC +#define USEC (1000000) +#endif + +void nr_timeval_add(struct timeval *t, unsigned int seconds, unsigned int usec) +{ + t->tv_sec += seconds; + t->tv_sec += usec / USEC; + t->tv_usec += usec % USEC; + if (t->tv_usec > USEC) { + t->tv_sec++; + t->tv_usec -= USEC; + } +} + +int nr_timeval_cmp(const struct timeval *a, const struct timeval *b) +{ + if (a->tv_sec > b->tv_sec) return +1; + if (a->tv_sec < b->tv_sec) return -1; + + if (a->tv_usec > b->tv_usec) return +1; + if (a->tv_usec < b->tv_usec) return -1; + + return 0; +} + diff --git a/radius/dict.c b/radius/dict.c new file mode 100644 index 0000000..fc04ee2 --- /dev/null +++ b/radius/dict.c @@ -0,0 +1,172 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "client.h" +#include + +/** \file dict.c + * \brief Functions for name to number, and number to name mappings. + */ + +const DICT_ATTR *nr_dict_attr_byvalue(unsigned int attr, unsigned int vendor) +{ + int start, half, end; + + if (!vendor && (attr > 0) && (attr < 256)) { + if (nr_dict_attrs[attr].name) { + return &nr_dict_attrs[attr]; + } + return NULL; + } + + if (!vendor) return NULL; /* no "non-protocol" attributes */ + + start = 256; /* first 256 entries are "standard" ones */ + end = nr_dict_num_attrs; + + do { + half = (start + end) / 2; + + if ((nr_dict_attrs[half].vendor == vendor) && + (nr_dict_attrs[half].attr == attr)) { + return &nr_dict_attrs[half]; + } + + if ((vendor >= nr_dict_attrs[half].vendor) && + (attr > nr_dict_attrs[half].attr)) { + start = half + 1; + } else { + end = half - 1; + } + + } while (start <= end); + + return NULL; +} + +const DICT_ATTR *nr_dict_attr_byname(const char *name) +{ + int start, half, end; + + start = 1; + end = nr_dict_num_names; + + if (!name || !*name) return NULL; + + do { + int rcode; + + half = (start + end) / 2; + + rcode = strcasecmp(name, nr_dict_attr_names[half]->name); + if (rcode == 0) return nr_dict_attr_names[half]; + + if (rcode > 0) { + start = half + 1; + } else { + end = half - 1; + } + + + } while (start <= end); + + return NULL; +} + +int nr_dict_attr_2struct(DICT_ATTR *da, unsigned int attr, unsigned int vendor, + char *buffer, size_t bufsize) +{ + if (!da || !buffer) return -RSE_INVAL; + + if (!vendor) { + if (attr > 256) return -RSE_INVAL; + + } else if (vendor > (1 << 24)) { + return -RSE_INVAL; + } + + memset(da, 0, sizeof(*da)); + da->attr = attr; + da->flags.unknown = 1; + da->type = RS_TYPE_OCTETS; + da->vendor = vendor; + + if (da->vendor) { + snprintf(buffer, bufsize, "Attr-26.%u.%u", + vendor, attr); + } else { + snprintf(buffer, bufsize, "Attr-%u", attr); + } + da->name = buffer; + + return 0; +} + + +const DICT_VALUE *nr_dict_value_byattr(UNUSED unsigned int attr, + UNUSED unsigned int vendor, + UNUSED int value) +{ + return NULL; +} + +const DICT_VALUE *nr_dict_value_byname(UNUSED unsigned int attr, + UNUSED unsigned int vendor, + UNUSED const char *name) +{ + return NULL; +} + +int nr_dict_vendor_byname(const char *name) +{ + const DICT_VENDOR *dv; + + if (!name || !*name) return 0; + + /* + * O(n) lookup. + */ + for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { + if (strcasecmp(dv->name, name) == 0) return dv->vendor; + } + + return 0; +} + +const DICT_VENDOR *nr_dict_vendor_byvalue(unsigned int vendor) +{ + const DICT_VENDOR *dv; + + /* + * O(n) lookup. + */ + for (dv = &nr_dict_vendors[0]; dv->name != NULL; dv++) { + if (dv->vendor == vendor) return dv; + } + + return NULL; +} diff --git a/radius/doc.txt b/radius/doc.txt new file mode 100644 index 0000000..09a8415 --- /dev/null +++ b/radius/doc.txt @@ -0,0 +1,41 @@ +/** + +\file doc.txt +\brief The main documentation. + +\mainpage The Network RADIUS Client Library + +This client library is intended for use in embedded systems. It is +small with a simple API, yet has more functionality than most +commercial or Open Source products. + +\section License + +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +\ref dictionaries.txt "Dictionaries and dictionary formats" + +*/ diff --git a/radius/doxygen.conf b/radius/doxygen.conf new file mode 100644 index 0000000..e310771 --- /dev/null +++ b/radius/doxygen.conf @@ -0,0 +1,1417 @@ +# Doxyfile 1.5.6 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = networkclient + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, +# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), +# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, +# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, +# and Ukrainian. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = NO + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the DETAILS_AT_TOP tag is set to YES then Doxygen +# will output the detailed description near the top, like JavaDoc. +# If set to NO, the detailed description appears after the member +# documentation. + +DETAILS_AT_TOP = YES + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate getter +# and setter methods for a property. Setting this option to YES (the default) +# will make doxygen to replace the get and set methods by a property in the +# documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. + +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = YES + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = YES + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = NO + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = NO + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = NO + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# Set the SHOW_FILES tag to NO to disable the generation of the Files page. +# This will remove the Files entry from the Quick Index and from the +# Folder Tree View (if specified). The default is YES. + +SHOW_FILES = YES + +# Set the SHOW_NAMESPACES tag to NO to disable the generation of the +# Namespaces page. This will remove the Namespaces entry from the Quick Index +# and from the Folder Tree View (if specified). The default is YES. + +SHOW_NAMESPACES = YES + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from +# the version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text" + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. + +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = . doc/ + +# This tag can be used to specify the character encoding of the source files +# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is +# also the default input encoding. Doxygen uses libiconv (or the iconv built +# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for +# the list of possible encodings. + +INPUT_ENCODING = UTF-8 + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 + +FILE_PATTERNS = *.txt *.[ch] + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. + +RECURSIVE = NO + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a Unix filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = + +# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names +# (namespaces, classes, functions, etc.) that should be excluded from the +# output. The symbol name can be a fully qualified name, a word, or if the +# wildcard * is used, a substring. Examples: ANamespace, AClass, +# AClass::ANamespace, ANamespace::*Test + +EXCLUDE_SYMBOLS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = examples + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = *.[ch] + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. + +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command , where +# is the value of the INPUT_FILTER tag, and is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. + +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. + +SOURCE_BROWSER = NO + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. + +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = YES + +# If the REFERENCES_RELATION tag is set to YES +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = YES + +# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) +# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from +# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will +# link to the source code. Otherwise they will link to the documentstion. + +REFERENCES_LINK_SOURCE = NO + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. + +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. + +ALPHABETICAL_INDEX = NO + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the GENERATE_DOCSET tag is set to YES, additional index files +# will be generated that can be used as input for Apple's Xcode 3 +# integrated development environment, introduced with OSX 10.5 (Leopard). +# To create a documentation set, doxygen will generate a Makefile in the +# HTML output directory. Running make will produce the docset in that +# directory and running "make install" will install the docset in +# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find +# it at startup. + +GENERATE_DOCSET = NO + +# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the +# feed. A documentation feed provides an umbrella under which multiple +# documentation sets from a single provider (such as a company or product suite) +# can be grouped. + +DOCSET_FEEDNAME = "Doxygen generated docs" + +# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that +# should uniquely identify the documentation set bundle. This should be a +# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen +# will append .docset to the name. + +DOCSET_BUNDLE_ID = org.doxygen.Project + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). + +HTML_DYNAMIC_SECTIONS = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. + +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING +# is used to encode HtmlHelp index (hhk), content (hhc) and project file +# content. + +CHM_INDEX_ENCODING = + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. + +TOC_EXPAND = NO + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. + +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. +# If the tag value is set to FRAME, a side panel will be generated +# containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, +# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are +# probably better off using the HTML help feature. Other possible values +# for this tag are: HIERARCHIES, which will generate the Groups, Directories, +# and Class Hiererachy pages using a tree view instead of an ordered list; +# ALL, which combines the behavior of FRAME and HIERARCHIES; and NONE, which +# disables this behavior completely. For backwards compatibility with previous +# releases of Doxygen, the values YES and NO are equivalent to FRAME and NONE +# respectively. + +GENERATE_TREEVIEW = YES + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. + +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. This is useful +# if you want to understand what is going on. On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). + +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = YES + +# By default doxygen will write a font called FreeSans.ttf to the output +# directory and reference it in all dot files that doxygen generates. This +# font does not include all possible unicode characters however, so when you need +# these (or just want a differently looking font) you can specify the font name +# using DOT_FONTNAME. You need need to make sure dot is able to find the font, +# which can be done by putting it in a standard location or by setting the +# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory +# containing the font. + +DOT_FONTNAME = FreeSans + +# By default doxygen will tell dot to use the output directory to look for the +# FreeSans.ttf font (which doxygen will put there itself). If you specify a +# different font using DOT_FONTNAME you can set the path where dot +# can find it using this tag. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = YES + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is enabled by default, which results in a transparent +# background. Warning: Depending on the platform used, enabling this option +# may lead to badly anti-aliased labels on the edges of a graph (i.e. they +# become hard to read). + +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to the search engine +#--------------------------------------------------------------------------- + +# The SEARCHENGINE tag specifies whether or not a search engine should be +# used. If set to NO the values of all tags below this one will be ignored. + +SEARCHENGINE = NO diff --git a/radius/examples/Makefile b/radius/examples/Makefile new file mode 100644 index 0000000..f39c343 --- /dev/null +++ b/radius/examples/Makefile @@ -0,0 +1,54 @@ +# +# GNU Makefile +# +.PHONY: all clean install + +SRCS = example_1.c example_2.c example_3.c example_4.c + +OBJS := ${SRCS:.c=.o} +PROGRAMS := ${SRCS:.c=} + +all: ${PROGRAMS} + +HEADERS := ../client.h ../radius.h + +${OBJS}: ${HEADERS} + +$(info ${PROGRAMS} ${OBJS}) + +${PROGRAMS}: ../libnetworkradius-client.a + + +%.o : %.c + $(CC) $(CFLAGS) -I.. -I. -c $< + +%.o: ${HEADERS} + +LDFLAGS = -L.. -lnetworkradius-client -lcrypto -lssl +CFLAGS = -I.. + +../libnetworkradius-client.a: + @${MAKE} -C .. libnetworkradius-client.a + +radsample.o: radsample.c ${HEADERS} nr_vp_create.c nr_packet_send.c + +#radsample: radsample.o ../libnetworkradius-client.a +# ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +sample_chap.o: sample_chap.c ${HEADERS} + +sample_chap: sample_chap.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +radsample2.o: radsample2.c ${HEADERS} nr_vp_create.c + +radsample2: radsample2.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +radsample3.o: radsample3.c ${HEADERS} nr_transmit.c nr_server_t.c nr_vp_create.c + +radsample3: radsample3.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +clean: + @rm -rf *.o *.a *~ diff --git a/radius/examples/example_1.c b/radius/examples/example_1.c new file mode 100644 index 0000000..265c880 --- /dev/null +++ b/radius/examples/example_1.c @@ -0,0 +1,86 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_1.c + * \brief Sample code to initialize a RADIUS packet. + * + * This example initializes a packet, and then adds User-Name and + * User-Password to it. The resulting packet is then printed to the + * standard output. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + ssize_t rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_decode(&request, NULL); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, request.vps); + nr_vp_free(&request.vps); + + return 0; +} diff --git a/radius/examples/example_2.c b/radius/examples/example_2.c new file mode 100644 index 0000000..0a58523 --- /dev/null +++ b/radius/examples/example_2.c @@ -0,0 +1,86 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_2.c + * \brief Sample code to initialize a RADIUS packet. + * + * This example initializes a packet, and then adds User-Name and + * CHAP-Password to it. The resulting packet is then printed to the + * standard output. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error: %s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_CHAP_PASSWORD, + password, strlen(password)); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_decode(&request, NULL); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, request.vps); + nr_vp_free(&request.vps); + + return 0; +} diff --git a/radius/examples/example_3.c b/radius/examples/example_3.c new file mode 100644 index 0000000..33fc671 --- /dev/null +++ b/radius/examples/example_3.c @@ -0,0 +1,123 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_3.c + * \brief Sample code to initialize a RADIUS packet and a response to it. + * + * This example initializes a packet, and then adds User-Name and + * User-Password to it. The resulting packet is then printed to the + * standard output. + * + * As a next step, it then creates the response, and prints that, + * too. + */ + +static const char *secret = "testing123"; +static uint8_t request_buffer[RS_MAX_PACKET_LEN]; +static uint8_t response_buffer[RS_MAX_PACKET_LEN]; +static RADIUS_PACKET request, response; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, + response_buffer, sizeof(response_buffer)); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + RS_DA_REPLY_MESSAGE, + "Success!", 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + RS_DA_TUNNEL_PASSWORD, + password, 0); + if (rcode < 0) goto error; + rcode = nr_packet_sign(&response, &request); + if (rcode < 0) goto error; + + nr_packet_print_hex(&response); + + /* + * Check that the response is well-formed. The + * nr_packet_verify() function also calls nr_packet_ok(). + * However, it is sometimes useful to separate "malformed + * packet" errors from "packet is not a response to a + * reqeust" errors. + */ + rcode = nr_packet_ok(&response); + if (rcode < 0) goto error; + + /* + * Double-check the signature of the response. + */ + rcode = nr_packet_verify(&response, &request); + if (rcode < 0) goto error; + + rcode = nr_packet_decode(&response, &request); + if (rcode < 0) goto error; + + nr_vp_fprintf_list(stdout, response.vps); + nr_vp_free(&response.vps); + + return 0; +} diff --git a/radius/examples/example_4.c b/radius/examples/example_4.c new file mode 100644 index 0000000..2dadc89 --- /dev/null +++ b/radius/examples/example_4.c @@ -0,0 +1,94 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include + +/** \file example_4.c + * \brief Allocate and manage multiple packets. + */ + +static const char *secret = "testing123"; +static nr_server_t server; + +int main(int argc, const char *argv[]) +{ + int rcode; + const char *user = "bob"; + const char *password = "password"; + + rcode = nr_packet_init(&request, NULL, secret, PW_ACCESS_REQUEST, + request_buffer, sizeof(request_buffer)); + if (rcode < 0) { + error: + fprintf(stderr, "Error :%s\n", nr_strerror(rcode)); + return 1; + } + + if (argc > 1) user = argv[1]; + if (argc > 2) password = argv[2]; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_NAME, + user, 0); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&request, NULL, + RS_DA_USER_PASSWORD, + password, 0); + if (rcode < 0) goto error; + + /* + * ALWAYS call nr_packet_sign() before sending the packet + * to anyone else! + */ + rcode = nr_packet_sign(&request, NULL); + if (rcode < 0) goto error; + + nr_packet_print_hex(&request); + + rcode = nr_packet_init(&response, &request, secret, PW_ACCESS_ACCEPT, + response_buffer, sizeof(response_buffer)); + if (rcode < 0) goto error; + + rcode = nr_packet_attr_append(&response, &request, + RS_DA_REPLY_MESSAGE, + "Success!", 0); + if (rcode < 0) goto error; + + rcode = nr_packet_sign(&response, &request); + if (rcode < 0) goto error; + + nr_packet_print_hex(&response); + + /* + * Double-check the signature of the response. + */ + rcode = nr_packet_verify(&response, &request); + if (rcode < 0) goto error; + + return 0; +} diff --git a/radius/examples/nr_vp_create.c b/radius/examples/nr_vp_create.c new file mode 100644 index 0000000..bd04f17 --- /dev/null +++ b/radius/examples/nr_vp_create.c @@ -0,0 +1,61 @@ +/* + * The person or persons who have associated work with this document + * (the "Dedicator" or "Certifier") hereby either (a) certifies that, + * to the best of his knowledge, the work of authorship identified is + * in the public domain of the country from which the work is + * published, or (b) hereby dedicates whatever copyright the + * dedicators holds in the work of authorship identified below (the + * "Work") to the public domain. A certifier, moreover, dedicates any + * copyright interest he may have in the associated work, and for + * these purposes, is described as a "dedicator" below. + * + * A certifier has taken reasonable steps to verify the copyright + * status of this work. Certifier recognizes that his good faith + * efforts may not shield him from liability if in fact the work + * certified is not in the public domain. + * + * Dedicator makes this dedication for the benefit of the public at + * large and to the detriment of the Dedicator's heirs and + * successors. Dedicator intends this dedication to be an overt act of + * relinquishment in perpetuity of all present and future rights under + * copyright law, whether vested or contingent, in the Work. Dedicator + * understands that such relinquishment of all rights includes the + * relinquishment of all rights to enforce (by lawsuit or otherwise) + * those copyrights in the Work. + * + * Dedicator recognizes that, once placed in the public domain, the + * Work may be freely reproduced, distributed, transmitted, used, + * modified, built upon, or otherwise exploited by anyone for any + * purpose, commercial or non-commercial, and in any way, including by + * methods that have not yet been invented or conceived. + */ + +static VALUE_PAIR *example_nr_vp_create(void) +{ + VALUE_PAIR *vp; + VALUE_PAIR *head = NULL; + + /* + * Create the request contents. + */ + vp = nr_vp_create(PW_USER_NAME, 0, "bob", 4); + if (!vp) { + fprintf(stderr, "User-Name: %s\n", nr_strerror(0)); + exit(1); + } + nr_vps_append(&head, vp); + + /* + * The User-Password attribute is automatically encrypted + * when being placed in the packet. This version stays + * untouched, and should be "plain text". + */ + vp = nr_vp_create(PW_USER_PASSWORD, 0, "hello", 6); + if (!vp) { + fprintf(stderr, "User-Password: %s\n", nr_strerror(0)); + exit(1); + } + nr_vps_append(&head, vp); + + return head; +} diff --git a/radius/header.pl b/radius/header.pl new file mode 100755 index 0000000..c366612 --- /dev/null +++ b/radius/header.pl @@ -0,0 +1,68 @@ +#!/usr/bin/env perl +###################################################################### +# Copyright (c) 2011, Network RADIUS SARL +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the +# names of its contributors may be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +###################################################################### +# +# Converts dictionaries to C defines. Does not yet do "VALUE"s. +# +# $Id$ +# +require "common.pl"; + +while (@ARGV) { + $filename = shift; + do_file($filename); +} + + +print "/* Automatically generated file. Do not edit */\n\n"; + +foreach $v (sort keys %vendor) { + $name = $v; + $name =~ tr/a-z/A-Z/; # uppercase + $name =~ tr/A-Z0-9/_/c; # any ELSE becomes _ + + print "#define VENDORPEC_", $name, " ", $vendor{$v}{'pec'}, "\n"; +} +print "\n"; + +$begin_vendor = -1; +foreach $attr_val (sort {$a <=> $b} keys %attributes) { + if ($attributes{$attr_val}{'vendor'} != $begin_vendor) { + print "\n/* ", $vendorpec{$attributes{$attr_val}{'vendor'}}, " */\n"; + $begin_vendor = $attributes{$attr_val}{'vendor'}; + } + + $name = $attributes{$attr_val}{'name'}; + $name =~ tr/a-z/A-Z/; + $name =~ tr/A-Z0-9/_/c; + + print "#define PW_", $name, " ", $attributes{$attr_val}{'value'}, "\n"; +} +print "\n\n"; + +print "/* Automatically generated file. Do not edit */\n"; + diff --git a/radius/id.c b/radius/id.c new file mode 100644 index 0000000..4ccd032 --- /dev/null +++ b/radius/id.c @@ -0,0 +1,181 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "client.h" + +#ifdef HAVE_UNISTD_H +#include +#endif + +/** \file id.c + * \brief Handling of ID allocation / freeing + * + */ + +static int find_id(nr_server_t *s) +{ + int i; + uint32_t lvalue; + + if ((s->used < 0) || (s->used > 256)) return -RSE_INTERNAL; + + /* + * Ensure that the ID allocation is random. + */ + lvalue = nr_rand(); + + for (i = 0; i < 256; i++) { + int offset = (i + lvalue) & 0xff; + + if (!s->ids[offset]) return offset; + } + + nr_strerror_printf("Out of IDs for server"); + return -1; +} + +int nr_server_id_alloc(nr_server_t *s, RADIUS_PACKET *packet) +{ + int new_id; + + if (!s || !packet) return -RSE_INVAL; + + new_id = find_id(s); + if (new_id < 0) return -new_id; + + s->ids[new_id] = packet; + s->used++; + packet->sockfd = s->sockfd; + packet->code = s->code; + packet->src = s->src; + packet->dst = s->dst; + packet->id = new_id; + + return 0; +} + +int nr_server_id_free(nr_server_t *s, RADIUS_PACKET *packet) +{ + if (!s || !packet) return -RSE_INVAL; + + if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { + return -RSE_INVAL; + } + + if (s->ids[packet->id] != packet) return -RSE_INTERNAL; + + s->ids[packet->id] = NULL; + s->used--; + packet->sockfd = -1; + + return 0; +} + +int nr_server_id_realloc(nr_server_t *s, RADIUS_PACKET *packet) +{ + int new_id; + + if (!s || !packet) return -RSE_INVAL; + + if ((packet->id < 0) || (packet->id > 255) || !s->ids[packet->id]) { + return -RSE_INVAL; + } + + if (s->ids[packet->id] != packet) return -RSE_INTERNAL; + + new_id = find_id(s); + if (new_id < 0) return new_id; + + s->ids[packet->id] = NULL; + packet->id = new_id; + s->ids[packet->id] = packet; + + return 0; +} + + +int nr_server_init(nr_server_t *s, int code, const char *secret) +{ + if (!s || !secret || !*secret || + (code == 0) || (code > RS_MAX_PACKET_CODE)) { + return -RSE_INVAL; + } + + memset(s, 0, sizeof(*s)); + + s->sockfd = -1; + s->code = code; + s->secret = secret; + s->sizeof_secret = strlen(secret); + s->src.ss_family = AF_UNSPEC; + s->dst.ss_family = AF_UNSPEC; + + return 0; +} + + +int nr_server_close(const nr_server_t *s) +{ + if (!s) return -RSE_INVAL; + + if (s->used > 0) return -RSE_INUSE; + + if (s->sockfd >= 0) evutil_closesocket(s->sockfd); + + return 0; +} + +int nr_server_packet_alloc(const nr_server_t *s, RADIUS_PACKET **packet_p) +{ + int rcode; + RADIUS_PACKET *packet; + + if (!packet_p) return -RSE_INVAL; + + packet = malloc(sizeof(*packet) + RS_MAX_PACKET_LEN); + if (!packet) return -RSE_NOMEM; + + memset(packet, 0, sizeof(*packet)); + + if (!s) { + packet->data = (uint8_t *)(packet + 1); + packet->sizeof_data = RS_MAX_PACKET_LEN; + + *packet_p = packet; + return 0; + } + + rcode = nr_packet_init(packet, NULL, s->secret, s->code, + (uint8_t *)(packet + 1), RS_MAX_PACKET_LEN); + if (rcode < 0) { + free(packet); + return rcode; + } + + *packet_p = packet; + return 0; +} diff --git a/radius/parse.c b/radius/parse.c new file mode 100644 index 0000000..8446306 --- /dev/null +++ b/radius/parse.c @@ -0,0 +1,149 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file parse.c + * \brief Routines to parse strings into internal data structures + */ + +#include "client.h" + +#ifdef HAVE_ARPA_INET_H +#include +#endif + +ssize_t nr_vp_sscanf_value(VALUE_PAIR *vp, const char *value) +{ + char *end; + + switch (vp->da->type) { + case RS_TYPE_STRING: { + size_t len = strlen(value); + + if (len >= RS_MAX_STRING_LEN) + return -RSE_ATTR_TOO_LARGE; + + memcpy(vp->vp_strvalue, value, len + 1); + return (vp->length = len); + } + case RS_TYPE_DATE: + case RS_TYPE_INTEGER: + vp->vp_integer = strtoul(value, &end, 10); + if ((value == end) || (*end != '\0')) { + nr_debug_error("Invalid value"); + return -RSE_ATTR_VALUE_MALFORMED; + } + return (end - value); + + case RS_TYPE_IPADDR: + if (inet_pton(AF_INET, value, &vp->vp_ipaddr) < 0) { + return -RSE_NOSYS; + } + return strlen(value); + +#ifdef RS_TYPE_IPV6ADDR + case RS_TYPE_IPV6ADDR: + if (inet_pton(AF_INET6, value, &vp-vp>ipv6addr) < 0) { + return -RSE_NOSYS; + } + return strlen(value); +#endif + +#ifdef RS_TYPE_IFID + case RS_TYPE_IFID: + { + int i, array[8]; + + if (sscanf(value, "%02x%02x%02x%02x%02x%02x%02x%02x", + &array[0], &array[1], &array[2], &array[3], + &array[4], &array[5], &array[6], &array[7]) != 8) { + return -RSE_SYSTEM; + } + + for (i = 0; i < 8; i++) vp->vp_ifid[i] = array[i] & 0xff; + + } + break; +#endif + + default: + nr_debug_error("Invalid type"); + return -RSE_ATTR_TYPE_UNKNOWN; + } + + return 0; +} + +int nr_vp_sscanf(const char *string, VALUE_PAIR **pvp) +{ + int rcode; + const char *p; + char *q; + const DICT_ATTR *da; + VALUE_PAIR *vp; + char buffer[256]; + + if (!string || !pvp) return -RSE_INVAL; + + p = string; + q = buffer; + while (*p && (*p != ' ') && (*p != '=')) { + *(q++) = *(p++); + } + *q = '\0'; + + if (q == buffer) { + nr_debug_error("No Attribute name"); + return -RSE_ATTR_BAD_NAME; + } + + da = nr_dict_attr_byname(buffer); + if (!da) { + nr_debug_error("Unknown attribute \"%s\"", buffer); + return -RSE_ATTR_UNKNOWN; + } + + while (*p == ' ') p++; + if (*p != '=') { + nr_debug_error("Unexpected text after attribute name"); + return -RSE_ATTR_BAD_NAME; + } + + p++; + while (*p == ' ') p++; + + vp = nr_vp_alloc(da); + if (!vp) return -RSE_NOMEM; + + rcode = nr_vp_sscanf_value(vp, p); + if (rcode < 0) { + nr_vp_free(&vp); + return rcode; + } + + *pvp = vp; + return 0; +} diff --git a/radius/print.c b/radius/print.c new file mode 100644 index 0000000..6fa06d7 --- /dev/null +++ b/radius/print.c @@ -0,0 +1,227 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file print.c + * \brief Functions to print things. + */ + +#include "client.h" +#include +#ifdef RS_TYPE_IPV6ADDR +#include +#endif + +#ifndef NDEBUG +void nr_packet_print_hex(RADIUS_PACKET *packet) +{ + int i; + + if (!packet->data) return; + + printf(" Code:\t\t%u\n", packet->data[0]); + printf(" Id:\t\t%u\n", packet->data[1]); + printf(" Length:\t%u\n", ((packet->data[2] << 8) | + (packet->data[3]))); + printf(" Vector:\t"); + for (i = 4; i < 20; i++) { + printf("%02x", packet->data[i]); + } + printf("\n"); + if ((packet->flags & RS_PACKET_SIGNED) == 0) printf("\t\tWARNING: nr_packet_sign() was not called!\n"); + + if (packet->length > 20) { + int total; + const uint8_t *ptr; + printf(" Data:"); + + total = packet->length - 20; + ptr = packet->data + 20; + + while (total > 0) { + int attrlen; + + printf("\t\t"); + if (total < 2) { /* too short */ + printf("%02x\n", *ptr); + break; + } + + if (ptr[1] > total) { /* too long */ + for (i = 0; i < total; i++) { + printf("%02x ", ptr[i]); + } + break; + } + + printf("%02x %02x ", ptr[0], ptr[1]); + attrlen = ptr[1] - 2; + ptr += 2; + total -= 2; + + for (i = 0; i < attrlen; i++) { + if ((i > 0) && ((i & 0x0f) == 0x00)) + printf("\t\t\t"); + printf("%02x ", ptr[i]); + if ((i & 0x0f) == 0x0f) printf("\n"); + } + + if (!attrlen || ((attrlen & 0x0f) != 0x00)) printf("\n"); + + ptr += attrlen; + total -= attrlen; + } + } + printf("\n"); + fflush(stdout); +} +#endif + +size_t nr_vp_snprintf_value(char *buffer, size_t buflen, const VALUE_PAIR *vp) +{ + size_t i, len; + char *p = buffer; + + switch (vp->da->type) { + case RS_TYPE_STRING: + /* + * FIXME: escape backslash && quotes! + */ + len = snprintf(p, buflen, "%s", vp->vp_strvalue); + break; + + case RS_TYPE_DATE: + case RS_TYPE_INTEGER: + case RS_TYPE_SHORT: + case RS_TYPE_BYTE: + len = snprintf(p, buflen, "%u", vp->vp_integer); + break; + + case RS_TYPE_IPADDR: + len = snprintf(p, buflen, "%u.%u.%u.%u", + (vp->vp_ipaddr >> 24) & 0xff, + (vp->vp_ipaddr >> 16) & 0xff, + (vp->vp_ipaddr >> 8) & 0xff, + vp->vp_ipaddr & 0xff); + break; + +#ifdef RS_TYPE_IPV6ADDR + case RS_TYPE_IPV6ADDR: + if (!inet_ntop(AF_INET6, &vp->vp_ipv6addr, buffer, buflen)) { + return -RSE_SYSTEM; + } + break; +#endif + +#ifdef RS_TYPE_IFID + case RS_TYPE_IFID: + len = snprintf(p, buflen, "%02x%02x%02x%02x%02x%02x%02x%02x", + vp->vp_ifid[0], vp->vp_ifid[1], + vp->vp_ifid[2], vp->vp_ifid[3], + vp->vp_ifid[4], vp->vp_ifid[5], + vp->vp_ifid[6], vp->vp_ifid[7]); + break; +#endif + + case RS_TYPE_OCTETS: + len = snprintf(p, buflen, "0x"); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + for (i = 0; i < vp->length; i++) { + len = snprintf(p, buflen, "%02x", vp->vp_octets[i]); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + } + len = 0; + break; + + default: + len = 0; + break; + } + + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + return p - buffer; +} + +size_t nr_vp_snprintf(char *buffer, size_t buflen, const VALUE_PAIR *vp) +{ + size_t len; + char *p = buffer; + + len = snprintf(p, buflen, "%s = ", vp->da->name); + if (len >= buflen) return 0; + + p += len; + buflen -= len; + + len = nr_vp_snprintf_value(p, buflen, vp); + if (len == 0) return 0; + + if (len >= buflen) return 0; + + p += len; + + return p - buffer; +} + +#ifndef NDEBUG +void nr_vp_fprintf_list(FILE *fp, const VALUE_PAIR *vps) +{ + const VALUE_PAIR *vp; + char buffer[1024]; + + for (vp = vps; vp != NULL; vp = vp->next) { + nr_vp_snprintf(buffer, sizeof(buffer), vp); + fprintf(fp, "\t%s\n", buffer); + } +} +#endif + +/** \cond PRIVATE */ +#define NR_STRERROR_BUFSIZE (1024) +static char nr_strerror_buffer[NR_STRERROR_BUFSIZE]; + +void nr_strerror_printf(const char *fmt, ...) +{ + va_list ap; + va_start(ap, fmt); + vsnprintf(nr_strerror_buffer, sizeof(nr_strerror_buffer), fmt, ap); + va_end(ap); + + fprintf(stderr, "ERROR: %s\n", nr_strerror_buffer); +} +/** \endcond */ + diff --git a/radius/radpkt.c b/radius/radpkt.c new file mode 100644 index 0000000..d9486ea --- /dev/null +++ b/radius/radpkt.c @@ -0,0 +1,920 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file packet.c + * \brief Encoding and decoding packets + */ + +#include "client.h" + +#if RS_MAX_PACKET_LEN < 64 +#error RS_MAX_PACKET_LEN is too small. It should be at least 64. +#endif + +#if RS_MAX_PACKET_LEN > 16384 +#error RS_MAX_PACKET_LEN is too large. It should be smaller than 16K. +#endif + +const char *nr_packet_codes[RS_MAX_PACKET_CODE + 1] = { + NULL, + "Access-Request", + "Access-Accept", + "Access-Reject", + "Accounting-Request", + "Accounting-Response", + NULL, NULL, NULL, NULL, NULL, + "Access-Challenge", + "Status-Server", /* 12 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 19 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 20..29 */ + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, /* 30..39 */ + "Disconnect-Request", + "Disconnect-ACK", + "Disconnect-NAK", + "CoA-Request", + "CoA-ACK", + "CoA-NAK" +}; + + +static uint64_t allowed_responses[RS_MAX_PACKET_CODE + 1] = { + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE), + 0, 0, + 1 << PW_ACCOUNTING_RESPONSE, + 0, + 0, 0, 0, 0, 0, + 0, + (1 << PW_ACCESS_ACCEPT) | (1 << PW_ACCESS_REJECT) | (1 << PW_ACCESS_CHALLENGE) | (1 << PW_ACCOUNTING_RESPONSE), + 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 20..29 */ + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 30..39 */ + (((uint64_t) 1) << PW_DISCONNECT_ACK) | (((uint64_t) 1) << PW_DISCONNECT_NAK), + 0, + 0, + (((uint64_t) 1) << PW_COA_ACK) | (((uint64_t) 1) << PW_COA_NAK), + 0, + 0 +}; + + +int nr_packet_ok_raw(const uint8_t *data, size_t sizeof_data) +{ + size_t packet_len; + const uint8_t *attr, *end; + + if (!data || (sizeof_data < 20)) { + nr_debug_error("Invalid argument"); + return -RSE_INVAL; + } + + packet_len = (data[2] << 8) | data[3]; + if (packet_len < 20) { + nr_debug_error("Packet length is too small"); + return -RSE_PACKET_TOO_SMALL; + } + + if (packet_len > sizeof_data) { + nr_debug_error("Packet length overflows received data"); + return -RSE_PACKET_TOO_LARGE; + } + + /* + * If we receive 100 bytes, and the header says it's 20 bytes, + * then it's 20 bytes. + */ + end = data + packet_len; + + for (attr = data + 20; attr < end; attr += attr[1]) { + if ((attr + 2) > end) { + nr_debug_error("Attribute overflows packet"); + return -RSE_ATTR_OVERFLOW; + } + + if (attr[1] < 2) { + nr_debug_error("Attribute length is too small"); + return -RSE_ATTR_TOO_SMALL; + } + + if ((attr + attr[1]) > end) { + nr_debug_error("Attribute length is too large"); + return -RSE_ATTR_TOO_LARGE; + } + } + + return 0; +} + +int nr_packet_ok(RADIUS_PACKET *packet) +{ + int rcode; + + if (!packet) return -RSE_INVAL; + + if ((packet->flags & RS_PACKET_OK) != 0) return 0; + + rcode = nr_packet_ok_raw(packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= RS_PACKET_OK; + return 0; +} + + +/* + * Comparison function that is time-independent. Using "memcmp" + * would satisfy the "comparison" part. However, it would also + * leak information about *which* bytes are wrong. Attackers + * could use that leak to create a "correct" RADIUS packet which + * will be accepted by the client and/or server. + */ +static int digest_cmp(const uint8_t *a, const uint8_t *b, size_t length) +{ + int result = 0; + size_t i; + + for (i = 0; i < length; i++) { + result |= (a[i] ^ b[i]); + } + + return result; +} + + +#ifdef PW_MESSAGE_AUTHENTICATOR +static int msg_auth_ok(const RADIUS_PACKET *original, + uint8_t *ma, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t msg_auth_vector[sizeof(original->vector)]; + uint8_t calc_auth_vector[sizeof(original->vector)]; + + if (ma[1] != 18) { + nr_debug_error("Message-Authenticator has invalid length"); + return -RSE_MSG_AUTH_LEN; + } + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + memcpy(msg_auth_vector, ma + 2, sizeof(msg_auth_vector)); + memset(ma + 2, 0, sizeof(msg_auth_vector)); + + switch (data[0]) { + default: + break; + + case PW_ACCOUNTING_REQUEST: + case PW_ACCOUNTING_RESPONSE: + case PW_DISCONNECT_REQUEST: + case PW_DISCONNECT_ACK: + case PW_DISCONNECT_NAK: + case PW_COA_REQUEST: + case PW_COA_ACK: + case PW_COA_NAK: + memset(data + 4, 0, sizeof(packet_vector)); + break; + + case PW_ACCESS_ACCEPT: + case PW_ACCESS_REJECT: + case PW_ACCESS_CHALLENGE: + if (!original) { + nr_debug_error("Cannot validate response without request"); + return -RSE_REQUEST_REQUIRED; + } + memcpy(data + 4, original->vector, sizeof(original->vector)); + break; + } + + nr_hmac_md5(data, length, + (const uint8_t *) original->secret, original->sizeof_secret, + calc_auth_vector); + + memcpy(ma + 2, msg_auth_vector, sizeof(msg_auth_vector)); + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_auth_vector, msg_auth_vector, + sizeof(calc_auth_vector)) != 0) { + nr_debug_error("Invalid Message-Authenticator"); + return -RSE_MSG_AUTH_WRONG; + } + + return 1; +} +#endif + +/* + * The caller ensures that the packet codes are as expected. + */ +static int packet_auth_ok(const RADIUS_PACKET *original, + uint8_t *data, size_t length) +{ + uint8_t packet_vector[sizeof(original->vector)]; + uint8_t calc_digest[sizeof(original->vector)]; + RS_MD5_CTX ctx; + + if ((data[0] == PW_ACCESS_REQUEST) || + (data[0] == PW_STATUS_SERVER)) return 1; + + memcpy(packet_vector, data + 4, sizeof(packet_vector)); + + if (!original) { + memset(data + 4, 0, sizeof(packet_vector)); + } else { + memcpy(data + 4, original->vector, sizeof(original->vector)); + } + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, data, length); + RS_MD5Update(&ctx, (const unsigned char *)original->secret, original->sizeof_secret); + RS_MD5Final(calc_digest, &ctx); + + memcpy(data + 4, packet_vector, sizeof(packet_vector)); + + if (digest_cmp(calc_digest, packet_vector, + sizeof(packet_vector)) != 0) { + nr_debug_error("Invalid authentication vector"); + return -RSE_AUTH_VECTOR_WRONG; + } + + return 0; +} + + +int nr_packet_verify(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode; + uint8_t *attr; +#ifdef PW_MESSAGE_AUTHENTICATOR + const uint8_t *end; +#endif + + if (!packet || !packet->data || !packet->secret) { + nr_debug_error("Invalid argument"); + return -RSE_INVAL; + } + + if ((packet->flags & RS_PACKET_VERIFIED) != 0) return 0; + + /* + * Packet isn't well formed. Ignore it. + */ + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + /* + * Get rid of improper packets as early as possible. + */ + if (original) { + uint64_t mask; + + if (original->code > RS_MAX_PACKET_CODE) { + nr_debug_error("Invalid original code %u", + original->code); + return -RSE_INVALID_REQUEST_CODE; + } + + if (packet->data[1] != original->id) { + nr_debug_error("Ignoring response with wrong ID %u", + packet->data[1]); + return -RSE_INVALID_RESPONSE_CODE; + } + + mask = 1; + mask <<= packet->data[0]; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Ignoring response with wrong code %u", + packet->data[0]); + return -RSE_INVALID_RESPONSE_CODE; + } + + if ((memcmp(&packet->src, &original->dst, sizeof(packet->src)) != 0) && + (evutil_sockaddr_cmp((struct sockaddr *)&packet->src, (struct sockaddr *)&original->dst, 1) != 0)) { + nr_debug_error("Ignoring response from wrong IP/port"); + return -RSE_INVALID_RESPONSE_SRC; + } + + } else if (allowed_responses[packet->data[0]] != 0) { + nr_debug_error("Ignoring response without original"); + return -RSE_INVALID_RESPONSE_CODE; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + /* + * Note that the packet MUST be well-formed here. + */ + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + rcode = msg_auth_ok(original, attr, + packet->data, packet->length); + if (rcode < 0) return rcode; + } + } +#endif + + /* + * Verify the packet authenticator. + */ + rcode = packet_auth_ok(original, packet->data, packet->length); + if (rcode < 0) return rcode; + + packet->flags |= RS_PACKET_VERIFIED; + + return 0; +} + + +int nr_packet_decode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ + int rcode, num_attributes; + uint8_t *data, *attr; + const uint8_t *end; + VALUE_PAIR **tail, *vp; + + if (!packet) return -RSE_INVAL; + + if ((packet->flags & RS_PACKET_DECODED) != 0) return 0; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->length; + tail = &packet->vps; + num_attributes = 0; + + /* + * Loop over the packet, converting attrs to VPs. + */ + for (attr = data + 20; attr < end; attr += attr[1]) { + rcode = nr_attr2vp(packet, original, + attr, end - attr, &vp); + if (rcode < 0) { + nr_vp_free(&packet->vps); + return -rcode; + } + + *tail = vp; + while (vp) { + num_attributes++; + tail = &(vp->next); + vp = vp->next; + } + + if (num_attributes > RS_MAX_ATTRIBUTES) { + nr_debug_error("Too many attributes"); + nr_vp_free(&packet->vps); + return -RSE_TOO_MANY_ATTRS; + } + } + + packet->code = data[0]; + packet->id = data[1]; + memcpy(packet->vector, data + 4, sizeof(packet->vector)); + + packet->flags |= RS_PACKET_DECODED; + + return 0; +} + + +int nr_packet_sign(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; + const uint8_t *attr, *end; +#endif + + if ((packet->flags & RS_PACKET_SIGNED) != 0) return 0; + + if ((packet->flags & RS_PACKET_ENCODED) == 0) { + int rcode; + + rcode = nr_packet_encode(packet, original); + if (rcode < 0) return rcode; + } + + if ((packet->code == PW_ACCESS_ACCEPT) || + (packet->code == PW_ACCESS_CHALLENGE) || + (packet->code == PW_ACCESS_REJECT)) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (!original) { + nr_debug_error("Original packet is required to create the Message-Authenticator"); + return -RSE_REQUEST_REQUIRED; + } +#endif + + memcpy(packet->data + 4, original->vector, + sizeof(original->vector)); + } else { + memcpy(packet->data + 4, packet->vector, + sizeof(packet->vector)); + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + if (attr[0] == PW_MESSAGE_AUTHENTICATOR) { + ma = (attr - packet->data); + break; + } + } + + /* + * Force all Access-Request packets to have a + * Message-Authenticator. + */ + if (!ma && ((packet->length + 18) <= packet->sizeof_data) && + ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + ma = packet->length; + + packet->data[ma]= PW_MESSAGE_AUTHENTICATOR; + packet->data[ma + 1] = 18; + memset(&packet->data[ma + 2], 0, 16); + packet->length += 18; + } + + /* + * Reset the length. + */ + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + /* + * Sign the Message-Authenticator && packet. + */ + if (ma) { + nr_hmac_md5(packet->data, packet->length, + (const uint8_t *) packet->secret, packet->sizeof_secret, + packet->data + ma + 2); + } +#endif + + /* + * Calculate the signature. + */ + if (!((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER))) { + RS_MD5_CTX ctx; + + RS_MD5Init(&ctx); + RS_MD5Update(&ctx, packet->data, packet->length); + RS_MD5Update(&ctx, (const unsigned char *)packet->secret, packet->sizeof_secret); + RS_MD5Final(packet->vector, &ctx); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->attempts = 0; + packet->flags |= RS_PACKET_SIGNED; + + return 0; +} + + +static int can_encode_packet(RADIUS_PACKET *packet, + const RADIUS_PACKET *original) +{ + if ((packet->code == 0) || + (packet->code > RS_MAX_PACKET_CODE) || + (original && (original->code > RS_MAX_PACKET_CODE))) { + nr_debug_error("Cannot send unknown packet code"); + return -RSE_INVALID_REQUEST_CODE; + } + + if (!nr_packet_codes[packet->code]) { + nr_debug_error("Cannot handle packet code %u", + packet->code); + return -RSE_INVALID_REQUEST_CODE; + } + +#ifdef NR_NO_MALLOC + if (!packet->data) { + nr_debug_error("No place to put packet"); + return -RSE_NO_PACKET_DATA; + } +#endif + + if (packet->sizeof_data < 20) { + nr_debug_error("The buffer is too small to encode the packet"); + return -RSE_PACKET_TOO_SMALL; + } + + /* + * Enforce request / response correlation. + */ + if (original) { + uint64_t mask; + + mask = 1; + mask <<= packet->code; + + if ((allowed_responses[original->code] & mask) == 0) { + nr_debug_error("Cannot encode response %u to packet %u", + packet->code, original->code); + return -RSE_INVALID_RESPONSE_CODE; + } + packet->id = original->id; + + } else if (allowed_responses[packet->code] == 0) { + nr_debug_error("Cannot encode response %u without original", + packet->code); + return -RSE_REQUEST_REQUIRED; + } + + return 0; +} + +static void encode_header(RADIUS_PACKET *packet) +{ + if ((packet->flags & RS_PACKET_HEADER) != 0) return; + + memset(packet->data, 0, 20); + packet->data[0] = packet->code; + packet->data[1] = packet->id; + packet->data[2] = 0; + packet->data[3] = 20; + packet->length = 20; + + /* + * Calculate a random authentication vector. + */ + if ((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) { + nr_rand_bytes(packet->vector, sizeof(packet->vector)); + } else { + memset(packet->vector, 0, sizeof(packet->vector)); + } + + memcpy(packet->data + 4, packet->vector, sizeof(packet->vector)); + + packet->flags |= RS_PACKET_HEADER; +} + +int nr_packet_encode(RADIUS_PACKET *packet, const RADIUS_PACKET *original) +{ +#ifdef PW_MESSAGE_AUTHENTICATOR + size_t ma = 0; +#endif + int rcode; + ssize_t len; + const VALUE_PAIR *vp; + uint8_t *data, *end; + + if ((packet->flags & RS_PACKET_ENCODED) != 0) return 0; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + data = packet->data; + end = data + packet->sizeof_data; + + encode_header(packet); + data += 20; + + /* + * Encode each VALUE_PAIR + */ + vp = packet->vps; + while (vp) { +#ifdef PW_MESSAGE_AUTHENTICATOR + if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { + ma = (data - packet->data); + } +#endif + len = nr_vp2attr(packet, original, &vp, + data, end - data); + if (len < 0) return len; + + if (len == 0) break; /* insufficient room to encode it */ + + data += data[1]; + } + +#ifdef PW_MESSAGE_AUTHENTICATOR + /* + * Always send a Message-Authenticator. + * + * We do *not* recommend removing this code. + */ + if (((packet->code == PW_ACCESS_REQUEST) || + (packet->code == PW_STATUS_SERVER)) && + !ma && + ((data + 18) <= end)) { + ma = (data - packet->data); + data[0] = PW_MESSAGE_AUTHENTICATOR; + data[1] = 18; + memset(data + 2, 0, 16); + data += data[1]; + } +#endif + + packet->length = data - packet->data; + + packet->data[2] = (packet->length >> 8) & 0xff; + packet->data[3] = packet->length & 0xff; + + packet->flags |= RS_PACKET_ENCODED; + + return packet->length; +} + + +/* + * Ensure that the nr_data2attr_t structure is filled in + * appropriately. This includes filling in a fake DICT_ATTR + * structure, if necessary. + */ +static int do_callback(void *ctx, nr_packet_walk_func_t callback, + int attr, int vendor, + const uint8_t *data, size_t sizeof_data) + +{ + int rcode; + const DICT_ATTR *da; + DICT_ATTR myda; + char buffer[64]; + + da = nr_dict_attr_byvalue(attr, vendor); + + /* + * The attribute is supposed to have a particular length, + * but does not. It is therefore malformed. + */ + if (da && (da->flags.length != 0) && + da->flags.length != sizeof_data) { + da = NULL; + } + + if (!da) { + rcode = nr_dict_attr_2struct(&myda, attr, vendor, + buffer, sizeof(buffer)); + + if (rcode < 0) return rcode; + da = &myda; + } + + rcode = callback(ctx, da, data, sizeof_data); + if (rcode < 0) return rcode; + + return 0; +} + + +int nr_packet_walk(RADIUS_PACKET *packet, void *ctx, + nr_packet_walk_func_t callback) +{ + int rcode; + uint8_t *attr; + const uint8_t *end; + + if (!packet || !callback) return -RSE_INVAL; + + rcode = nr_packet_ok(packet); + if (rcode < 0) return rcode; + + end = packet->data + packet->length; + + for (attr = packet->data + 20; attr < end; attr += attr[1]) { + int length, value; + int dv_type, dv_length; + uint32_t vendorpec; + const uint8_t *vsa; + const DICT_VENDOR *dv = NULL; + + vendorpec = 0; + value = attr[0]; + + if (value != PW_VENDOR_SPECIFIC) { + raw: + rcode = do_callback(ctx, callback, + attr[0], 0, + attr + 2, attr[1] - 2); + if (rcode < 0) return rcode; + continue; + } + + if (attr[1] < 6) goto raw; + memcpy(&vendorpec, attr + 2, 4); + vendorpec = ntohl(vendorpec); + + if (dv && (dv->vendor != vendorpec)) dv = NULL; + + if (!dv) dv = nr_dict_vendor_byvalue(vendorpec); + + if (dv) { + dv_type = dv->type; + dv_length = dv->length; + } else { + dv_type = 1; + dv_length = 1; + } + + /* + * Malformed: it's a raw attribute. + */ + if (nr_tlv_ok(attr + 6, attr[1] - 6, dv_type, dv_length) < 0) { + goto raw; + } + + for (vsa = attr + 6; vsa < attr + attr[1]; vsa += length) { + switch (dv_type) { + case 4: + value = (vsa[2] << 8) | vsa[3]; + break; + + case 2: + value = (vsa[0] << 8) | vsa[1]; + break; + + case 1: + value = vsa[0]; + break; + + default: + return -RSE_INTERNAL; + } + + switch (dv_length) { + case 0: + length = attr[1] - 6 - dv_type; + break; + + case 2: + case 1: + length = vsa[dv_type + dv_length - 1]; + break; + + default: + return -RSE_INTERNAL; + } + + rcode = do_callback(ctx, callback, + value, vendorpec, + vsa + dv_type + dv_length, + length - dv_type - dv_length); + if (rcode < 0) return rcode; + } + } + + return 0; +} + +int nr_packet_init(RADIUS_PACKET *packet, const RADIUS_PACKET *original, + const char *secret, int code, + void *data, size_t sizeof_data) +{ + int rcode; + + if ((code < 0) || (code > RS_MAX_PACKET_CODE)) { + return -RSE_INVALID_REQUEST_CODE; + } + + if (!data || (sizeof_data < 20)) return -RSE_INVAL; + + memset(packet, 0, sizeof(*packet)); + packet->secret = secret; + packet->sizeof_secret = secret ? strlen(secret) : 0; + packet->code = code; + packet->id = 0; + packet->data = data; + packet->sizeof_data = sizeof_data; + + rcode = can_encode_packet(packet, original); + if (rcode < 0) return rcode; + + encode_header(packet); + + return 0; +} + + +static int pack_eap(RADIUS_PACKET *packet, + const void *data, size_t data_len) +{ + uint8_t *attr, *end; + const uint8_t *eap; + size_t left; + + eap = data; + left = data_len; + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + while (left > 253) { + if ((attr + 255) > end) return -RSE_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 255; + memcpy(attr + 2, eap, 253); + attr += attr[1]; + eap += 253; + left -= 253; + } + + if ((attr + (2 + left)) > end) return -RSE_ATTR_OVERFLOW; + + attr[0] = PW_EAP_MESSAGE; + attr[1] = 2 + left; + memcpy(attr + 2, eap, left); + attr += attr[1]; + packet->length = attr - packet->data; + + return 0; +} + +ssize_t nr_packet_attr_append(RADIUS_PACKET *packet, + const RADIUS_PACKET *original, + const DICT_ATTR *da, + const void *data, size_t data_len) +{ + ssize_t rcode; + uint8_t *attr, *end; + VALUE_PAIR my_vp; + const VALUE_PAIR *vp; + + if (!packet || !da || !data) { + return -RSE_INVAL; + } + + if (data_len == 0) { + if (da->type != RS_TYPE_STRING) return -RSE_ATTR_TOO_SMALL; + + data_len = strlen(data); + } + + /* We're going to mark the whole packet as encoded so we + better not have any unencoded value-pairs attached. */ + if (packet->vps) + return -RSE_INVAL; + packet->flags |= RS_PACKET_ENCODED; + + attr = packet->data + packet->length; + end = attr + packet->sizeof_data; + + if ((attr + 2 + data_len) > end) { + return -RSE_ATTR_OVERFLOW; + } + + if ((da->flags.length != 0) && + (data_len != da->flags.length)) { + return -RSE_ATTR_VALUE_MALFORMED; + } + +#ifdef PW_EAP_MESSAGE + /* + * automatically split EAP-Message into multiple + * attributes. + */ + if (!da->vendor && (da->attr == PW_EAP_MESSAGE) && (data_len > 253)) { + return pack_eap(packet, data, data_len); + } +#endif + + if (data_len > 253) return -RSE_ATTR_TOO_LARGE; + + vp = nr_vp_init(&my_vp, da); + rcode = nr_vp_set_data(&my_vp, data, data_len); + if (rcode < 0) return rcode; + + /* + * Note that this function packs VSAs each into their own + * Vendor-Specific attribute. If this isn't what you + * want, use the version of the library with full support + * for TLVs, WiMAX, and extended attributes. + */ + rcode = nr_vp2attr(packet, original, &vp, attr, end - attr); + if (rcode <= 0) return rcode; + + packet->length += rcode; + + return rcode; +} diff --git a/radius/share/dictionary.abfab.ietf b/radius/share/dictionary.abfab.ietf new file mode 100644 index 0000000..b60702c --- /dev/null +++ b/radius/share/dictionary.abfab.ietf @@ -0,0 +1,4 @@ +ATTRIBUTE GSS-Acceptor-Service-Name 164 string +ATTRIBUTE GSS-Acceptor-Host-Name 165 string +ATTRIBUTE GSS-Acceptor-Service-Specifics 166 string +ATTRIBUTE GSS-Acceptor-Realm-Name 167 string diff --git a/radius/share/dictionary.juniper b/radius/share/dictionary.juniper new file mode 100644 index 0000000..9aa5df4 --- /dev/null +++ b/radius/share/dictionary.juniper @@ -0,0 +1,23 @@ +# -*- text -*- +# +# dictionary.juniper +# +# As posted to the list by Eric Kilfoil +# +# Version: $Id$ +# + +VENDOR Juniper 2636 + +BEGIN-VENDOR Juniper + +ATTRIBUTE Juniper-Local-User-Name 1 string +ATTRIBUTE Juniper-Allow-Commands 2 string +ATTRIBUTE Juniper-Deny-Commands 3 string +ATTRIBUTE Juniper-Allow-Configuration 4 string +ATTRIBUTE Juniper-Deny-Configuration 5 string +ATTRIBUTE Juniper-Interactive-Command 8 string +ATTRIBUTE Juniper-Configuration-Change 9 string +ATTRIBUTE Juniper-User-Permissions 10 string + +END-VENDOR Juniper diff --git a/radius/share/dictionary.microsoft b/radius/share/dictionary.microsoft new file mode 100644 index 0000000..034e5f0 --- /dev/null +++ b/radius/share/dictionary.microsoft @@ -0,0 +1,17 @@ +# A minimal dictionary for Microsoft VSAs +# +VENDOR Microsoft 311 + +BEGIN-VENDOR Microsoft +ATTRIBUTE MS-CHAP-Response 1 octets +ATTRIBUTE MS-CHAP-Error 2 string +ATTRIBUTE MS-MPPE-Encryption-Policy 7 octets +ATTRIBUTE MS-MPPE-Encryption-Types 8 octets +ATTRIBUTE MS-CHAP-Domain 10 string +ATTRIBUTE MS-CHAP-Challenge 11 octets +ATTRIBUTE MS-CHAP-MPPE-Keys 12 octets encrypt=1 +ATTRIBUTE MS-MPPE-Send-Key 16 octets encrypt=2 +ATTRIBUTE MS-MPPE-Recv-Key 17 octets encrypt=2 +ATTRIBUTE MS-CHAP2-Response 25 octets +ATTRIBUTE MS-CHAP2-Success 26 octets +END-VENDOR Microsoft diff --git a/radius/share/dictionary.txt b/radius/share/dictionary.txt new file mode 100644 index 0000000..e62f8b3 --- /dev/null +++ b/radius/share/dictionary.txt @@ -0,0 +1,136 @@ +ATTRIBUTE User-Name 1 string +ATTRIBUTE User-Password 2 string encrypt=1 +ATTRIBUTE CHAP-Password 3 octets +ATTRIBUTE NAS-IP-Address 4 ipaddr +ATTRIBUTE NAS-Port 5 integer +ATTRIBUTE Service-Type 6 integer +ATTRIBUTE Framed-Protocol 7 integer +ATTRIBUTE Framed-IP-Address 8 ipaddr +ATTRIBUTE Framed-IP-Netmask 9 ipaddr +ATTRIBUTE Framed-Routing 10 integer +ATTRIBUTE Filter-Id 11 string +ATTRIBUTE Framed-MTU 12 integer +ATTRIBUTE Framed-Compression 13 integer +ATTRIBUTE Login-IP-Host 14 ipaddr +ATTRIBUTE Login-Service 15 integer +ATTRIBUTE Login-TCP-Port 16 integer +ATTRIBUTE Reply-Message 18 string +ATTRIBUTE Callback-Number 19 string +ATTRIBUTE Callback-Id 20 string +ATTRIBUTE Framed-Route 22 string +ATTRIBUTE Framed-IPX-Network 23 ipaddr +ATTRIBUTE State 24 octets +ATTRIBUTE Class 25 octets +ATTRIBUTE Vendor-Specific 26 octets +ATTRIBUTE Session-Timeout 27 integer +ATTRIBUTE Idle-Timeout 28 integer +ATTRIBUTE Termination-Action 29 integer +ATTRIBUTE Called-Station-Id 30 string +ATTRIBUTE Calling-Station-Id 31 string +ATTRIBUTE NAS-Identifier 32 string +ATTRIBUTE Proxy-State 33 octets +ATTRIBUTE Login-LAT-Service 34 string +ATTRIBUTE Login-LAT-Node 35 string +ATTRIBUTE Login-LAT-Group 36 octets +ATTRIBUTE Framed-AppleTalk-Link 37 integer +ATTRIBUTE Framed-AppleTalk-Network 38 integer +ATTRIBUTE Framed-AppleTalk-Zone 39 string +ATTRIBUTE CHAP-Challenge 60 octets +ATTRIBUTE NAS-Port-Type 61 integer +ATTRIBUTE Port-Limit 62 integer +ATTRIBUTE Login-LAT-Port 63 string +ATTRIBUTE Acct-Status-Type 40 integer +ATTRIBUTE Acct-Delay-Time 41 integer +ATTRIBUTE Acct-Input-Octets 42 integer +ATTRIBUTE Acct-Output-Octets 43 integer +ATTRIBUTE Acct-Session-Id 44 string +ATTRIBUTE Acct-Authentic 45 integer +ATTRIBUTE Acct-Session-Time 46 integer +ATTRIBUTE Acct-Input-Packets 47 integer +ATTRIBUTE Acct-Output-Packets 48 integer +ATTRIBUTE Acct-Terminate-Cause 49 integer +ATTRIBUTE Acct-Multi-Session-Id 50 string +ATTRIBUTE Acct-Link-Count 51 integer +ATTRIBUTE Acct-Tunnel-Connection 68 string +ATTRIBUTE Acct-Tunnel-Packets-Lost 86 integer +ATTRIBUTE Tunnel-Type 64 integer has_tag +ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag +ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag +ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag +ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2 +ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag +ATTRIBUTE Tunnel-Assignment-Id 82 string has_tag +ATTRIBUTE Tunnel-Preference 83 integer has_tag +ATTRIBUTE Tunnel-Client-Auth-Id 90 string has_tag +ATTRIBUTE Tunnel-Server-Auth-Id 91 string has_tag +ATTRIBUTE Acct-Input-Gigawords 52 integer +ATTRIBUTE Acct-Output-Gigawords 53 integer +ATTRIBUTE Event-Timestamp 55 date +ATTRIBUTE ARAP-Password 70 octets[16] +ATTRIBUTE ARAP-Features 71 octets[14] +ATTRIBUTE ARAP-Zone-Access 72 integer +ATTRIBUTE ARAP-Security 73 integer +ATTRIBUTE ARAP-Security-Data 74 string +ATTRIBUTE Password-Retry 75 integer +ATTRIBUTE Prompt 76 integer +ATTRIBUTE Connect-Info 77 string +ATTRIBUTE Configuration-Token 78 string +ATTRIBUTE EAP-Message 79 octets +ATTRIBUTE Message-Authenticator 80 octets +ATTRIBUTE ARAP-Challenge-Response 84 octets[8] +ATTRIBUTE Acct-Interim-Interval 85 integer +ATTRIBUTE NAS-Port-Id 87 string +ATTRIBUTE Framed-Pool 88 string +ATTRIBUTE NAS-IPv6-Address 95 ipv6addr +ATTRIBUTE Framed-Interface-Id 96 ifid +ATTRIBUTE Framed-IPv6-Prefix 97 ipv6prefix +ATTRIBUTE Login-IPv6-Host 98 ipv6addr +ATTRIBUTE Framed-IPv6-Route 99 string +ATTRIBUTE Framed-IPv6-Pool 100 string +ATTRIBUTE Error-Cause 101 integer +ATTRIBUTE EAP-Key-Name 102 string +ATTRIBUTE Chargeable-User-Identity 89 string +ATTRIBUTE Egress-VLANID 56 integer +ATTRIBUTE Ingress-Filters 57 integer +ATTRIBUTE Egress-VLAN-Name 58 string +ATTRIBUTE User-Priority-Table 59 octets +ATTRIBUTE Delegated-IPv6-Prefix 123 ipv6prefix +ATTRIBUTE NAS-Filter-Rule 92 string +ATTRIBUTE Digest-Response 103 string +ATTRIBUTE Digest-Realm 104 string +ATTRIBUTE Digest-Nonce 105 string +ATTRIBUTE Digest-Response-Auth 106 string +ATTRIBUTE Digest-Nextnonce 107 string +ATTRIBUTE Digest-Method 108 string +ATTRIBUTE Digest-URI 109 string +ATTRIBUTE Digest-Qop 110 string +ATTRIBUTE Digest-Algorithm 111 string +ATTRIBUTE Digest-Entity-Body-Hash 112 string +ATTRIBUTE Digest-CNonce 113 string +ATTRIBUTE Digest-Nonce-Count 114 string +ATTRIBUTE Digest-Username 115 string +ATTRIBUTE Digest-Opaque 116 string +ATTRIBUTE Digest-Auth-Param 117 string +ATTRIBUTE Digest-AKA-Auts 118 string +ATTRIBUTE Digest-Domain 119 string +ATTRIBUTE Digest-Stale 120 string +ATTRIBUTE Digest-HA1 121 string +ATTRIBUTE SIP-AOR 122 string +ATTRIBUTE Operator-Name 126 string +ATTRIBUTE Location-Information 127 octets +ATTRIBUTE Location-Data 128 octets +ATTRIBUTE Basic-Location-Policy-Rules 129 octets +ATTRIBUTE Extended-Location-Policy-Rules 130 octets +ATTRIBUTE Location-Capable 131 integer +ATTRIBUTE Requested-Location-Info 132 integer +ATTRIBUTE Framed-Management 133 integer +ATTRIBUTE Management-Transport-Protection 134 integer +ATTRIBUTE Management-Policy-Id 135 string +ATTRIBUTE Management-Privilege-Level 136 integer +ATTRIBUTE PKM-SS-Cert 137 octets +ATTRIBUTE PKM-CA-Cert 138 octets +ATTRIBUTE PKM-Config-Settings 139 octets +ATTRIBUTE PKM-Cryptosuite-List 140 octets +ATTRIBUTE PKM-SAID 141 short +ATTRIBUTE PKM-SA-Descriptor 142 octets +ATTRIBUTE PKM-Auth-Key 143 octets diff --git a/radius/share/dictionary.ukerna b/radius/share/dictionary.ukerna new file mode 100644 index 0000000..7d9d22d --- /dev/null +++ b/radius/share/dictionary.ukerna @@ -0,0 +1,20 @@ +# -*- text -*- +# +# GSS-EAP VSAs +# +# $Id$ +# + +VENDOR UKERNA 25622 + +BEGIN-VENDOR UKERNA + +ATTRIBUTE GSS-Acceptor-Service-Name-VS 128 string +ATTRIBUTE GSS-Acceptor-Host-Name-VS 129 string +ATTRIBUTE GSS-Acceptor-Service-Specific-VS 130 string +ATTRIBUTE GSS-Acceptor-Realm-Name-VS 131 string +ATTRIBUTE SAML-AAA-Assertion 132 string +ATTRIBUTE MS-Windows-Auth-Data 133 octets +ATTRIBUTE MS-Windows-Group-Sid 134 string + +END-VENDOR UKERNA diff --git a/radius/share/dictionary.vendor b/radius/share/dictionary.vendor new file mode 100644 index 0000000..571dbc4 --- /dev/null +++ b/radius/share/dictionary.vendor @@ -0,0 +1,10 @@ +# a sample vendor-specific dictionary + +VENDOR example 65535 + +BEGIN-VENDOR example +ATTRIBUTE Example-Integer 1 integer +ATTRIBUTE Example-String 2 string +ATTRIBUTE Example-IP-Address 3 ipaddr + +END-VENDOR example diff --git a/radius/static.c b/radius/static.c new file mode 100644 index 0000000..bd87272 --- /dev/null +++ b/radius/static.c @@ -0,0 +1,37 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file static.c + * \brief Dummy file to include auto-generating static dictionary mappings. + */ + +#include "client.h" + +/* + * Include the dynamically generated dictionaries. + */ +#include "dictionaries.c" diff --git a/radius/tests/Makefile b/radius/tests/Makefile new file mode 100644 index 0000000..b9d74ad --- /dev/null +++ b/radius/tests/Makefile @@ -0,0 +1,25 @@ +# +# GNU Makefile +# +.PHONY: all clean +all: radattr + +HEADERS := ../client.h ../radius.h +CFLAGS := -g + +%.o : %.c + $(CC) $(CFLAGS) -I.. -I. -c $< + +%.o: ${HEADERS} + +LIBS := -lcrypto -lssl +LDFLAGS = -L.. -lnetworkradius-client + +../libnetworkradius-client.a: + @${MAKE} -C .. libnetworkradius-client.a + +radattr: radattr.o ../libnetworkradius-client.a + ${CC} ${LFDLAGS} ${LIBS} -o $@ $^ + +clean: + @rm -rf *.o *.a *~ diff --git a/radius/tests/radattr.c b/radius/tests/radattr.c new file mode 100644 index 0000000..d41499a --- /dev/null +++ b/radius/tests/radattr.c @@ -0,0 +1,769 @@ +/* + * Copyright (C) 2011 Network RADIUS SARL + * + * This software may not be redistributed in any form without the prior + * written consent of Network RADIUS. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include + +#include + +#include + +static int packet_code = PW_ACCESS_REQUEST; +static int packet_id = 1; +static uint8_t packet_vector[16] = { 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0 }; +static char secret[256] = "testing123"; + +static int encode_tlv(char *buffer, uint8_t *output, size_t outlen); + +static const char *hextab = "0123456789abcdef"; + +static int encode_data_string(char *buffer, + uint8_t *output, size_t outlen) +{ + int length = 0; + char *p; + + p = buffer + 1; + + while (*p && (outlen > 0)) { + if (*p == '"') { + return length; + } + + if (*p != '\\') { + *(output++) = *(p++); + outlen--; + length++; + continue; + } + + switch (p[1]) { + default: + *(output++) = p[1]; + break; + + case 'n': + *(output++) = '\n'; + break; + + case 'r': + *(output++) = '\r'; + break; + + case 't': + *(output++) = '\t'; + break; + } + + outlen--; + length++; + } + + fprintf(stderr, "String is not terminated\n"); + return 0; +} + +static int encode_data_tlv(char *buffer, char **endptr, + uint8_t *output, size_t outlen) +{ + int depth = 0; + int length; + char *p; + + for (p = buffer; *p != '\0'; p++) { + if (*p == '{') depth++; + if (*p == '}') { + depth--; + if (depth == 0) break; + } + } + + if (*p != '}') { + fprintf(stderr, "No trailing '}' in string starting " + "with \"%s\"\n", + buffer); + return 0; + } + + *endptr = p + 1; + *p = '\0'; + + p = buffer + 1; + while (isspace((int) *p)) p++; + + length = encode_tlv(p, output, outlen); + if (length == 0) return 0; + + return length; +} + +static int encode_hex(char *p, uint8_t *output, size_t outlen) +{ + int length = 0; + while (*p) { + char *c1, *c2; + + while (isspace((int) *p)) p++; + + if (!*p) break; + + if(!(c1 = memchr(hextab, tolower((int) p[0]), 16)) || + !(c2 = memchr(hextab, tolower((int) p[1]), 16))) { + fprintf(stderr, "Invalid data starting at " + "\"%s\"\n", p); + return 0; + } + + *output = ((c1 - hextab) << 4) + (c2 - hextab); + output++; + length++; + p += 2; + + outlen--; + if (outlen == 0) { + fprintf(stderr, "Too much data\n"); + return 0; + } + } + + return length; +} + + +static int encode_data(char *p, uint8_t *output, size_t outlen) +{ + int length; + + if (!isspace((int) *p)) { + fprintf(stderr, "Invalid character following attribute " + "definition\n"); + return 0; + } + + while (isspace((int) *p)) p++; + + if (*p == '{') { + int sublen; + char *q; + + length = 0; + + do { + while (isspace((int) *p)) p++; + if (!*p) { + if (length == 0) { + fprintf(stderr, "No data\n"); + return 0; + } + + break; + } + + sublen = encode_data_tlv(p, &q, output, outlen); + if (sublen == 0) return 0; + + length += sublen; + output += sublen; + outlen -= sublen; + p = q; + } while (*q); + + return length; + } + + if (*p == '"') { + length = encode_data_string(p, output, outlen); + return length; + } + + length = encode_hex(p, output, outlen); + + if (length == 0) { + fprintf(stderr, "Empty string\n"); + return 0; + } + + return length; +} + +static int decode_attr(char *buffer, char **endptr) +{ + long attr; + + attr = strtol(buffer, endptr, 10); + if (*endptr == buffer) { + fprintf(stderr, "No valid number found in string " + "starting with \"%s\"\n", buffer); + return 0; + } + + if (!**endptr) { + fprintf(stderr, "Nothing follows attribute number\n"); + return 0; + } + + if ((attr <= 0) || (attr > 256)) { + fprintf(stderr, "Attribute number is out of valid " + "range\n"); + return 0; + } + + return (int) attr; +} + +static int decode_vendor(char *buffer, char **endptr) +{ + long vendor; + + if (*buffer != '.') { + fprintf(stderr, "Invalid separator before vendor id\n"); + return 0; + } + + vendor = strtol(buffer + 1, endptr, 10); + if (*endptr == (buffer + 1)) { + fprintf(stderr, "No valid vendor number found\n"); + return 0; + } + + if (!**endptr) { + fprintf(stderr, "Nothing follows vendor number\n"); + return 0; + } + + if ((vendor <= 0) || (vendor > (1 << 24))) { + fprintf(stderr, "Vendor number is out of valid range\n"); + return 0; + } + + if (**endptr != '.') { + fprintf(stderr, "Invalid data following vendor number\n"); + return 0; + } + (*endptr)++; + + return (int) vendor; +} + +static int encode_tlv(char *buffer, uint8_t *output, size_t outlen) +{ + int attr; + int length; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + output[0] = attr; + output[1] = 2; + + if (*p == '.') { + p++; + length = encode_tlv(p, output + 2, outlen - 2); + + } else { + length = encode_data(p, output + 2, outlen - 2); + } + + if (length == 0) return 0; + if (length > (255 - 2)) { + fprintf(stderr, "TLV data is too long\n"); + return 0; + } + + output[1] += length; + + return length + 2; +} + +static int encode_vsa(char *buffer, uint8_t *output, size_t outlen) +{ + int vendor; + int length; + char *p; + + vendor = decode_vendor(buffer, &p); + if (vendor == 0) return 0; + + output[0] = 0; + output[1] = (vendor >> 16) & 0xff; + output[2] = (vendor >> 8) & 0xff; + output[3] = vendor & 0xff; + + length = encode_tlv(p, output + 4, outlen - 4); + if (length == 0) return 0; + if (length > (255 - 6)) { + fprintf(stderr, "VSA data is too long\n"); + return 0; + } + + + return length + 4; +} + +static int encode_evs(char *buffer, uint8_t *output, size_t outlen) +{ + int vendor; + int attr; + int length; + char *p; + + vendor = decode_vendor(buffer, &p); + if (vendor == 0) return 0; + + attr = decode_attr(p, &p); + if (attr == 0) return 0; + + output[0] = 0; + output[1] = (vendor >> 16) & 0xff; + output[2] = (vendor >> 8) & 0xff; + output[3] = vendor & 0xff; + output[4] = attr; + + length = encode_data(p, output + 5, outlen - 5); + if (length == 0) return 0; + + return length + 5; +} + +static int encode_extended(char *buffer, + uint8_t *output, size_t outlen) +{ + int attr; + int length; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + output[0] = attr; + + if (attr == 26) { + length = encode_evs(p, output + 1, outlen - 1); + } else { + length = encode_data(p, output + 1, outlen - 1); + } + if (length == 0) return 0; + if (length > (255 - 3)) { + fprintf(stderr, "Extended Attr data is too long\n"); + return 0; + } + + return length + 1; +} + +static int encode_extended_flags(char *buffer, + uint8_t *output, size_t outlen) +{ + int attr; + int length, total; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + /* output[0] is the extended attribute */ + output[1] = 4; + output[2] = attr; + output[3] = 0; + + if (attr == 26) { + length = encode_evs(p, output + 4, outlen - 4); + if (length == 0) return 0; + + output[1] += 5; + length -= 5; + } else { + length = encode_data(p, output + 4, outlen - 4); + } + if (length == 0) return 0; + + total = 0; + while (1) { + int sublen = 255 - output[1]; + + if (length <= sublen) { + output[1] += length; + total += output[1]; + break; + } + + length -= sublen; + + memmove(output + 255 + 4, output + 255, length); + memcpy(output + 255, output, 4); + + output[1] = 255; + output[3] |= 0x80; + + output += 255; + output[1] = 4; + total += 255; + } + + return total; +} + +static int encode_rfc(char *buffer, uint8_t *output, size_t outlen) +{ + int attr; + int length, sublen; + char *p; + + attr = decode_attr(buffer, &p); + if (attr == 0) return 0; + + length = 2; + output[0] = attr; + output[1] = 2; + + if (attr == 26) { + sublen = encode_vsa(p, output + 2, outlen - 2); + + } else if ((attr < 241) || (attr > 246)) { + sublen = encode_data(p, output + 2, outlen - 2); + + } else { + if (*p != '.') { + fprintf(stderr, "Invalid data following " + "attribute number\n"); + return 0; + } + + if (attr < 245) { + sublen = encode_extended(p + 1, + output + 2, outlen - 2); + } else { + + /* + * Not like the others! + */ + return encode_extended_flags(p + 1, output, outlen); + } + } + if (sublen == 0) return 0; + if (sublen > (255 -2)) { + fprintf(stderr, "RFC Data is too long\n"); + return 0; + } + + output[1] += sublen; + return length + sublen; +} + +static int walk_callback(void *ctx, const DICT_ATTR *da, + const uint8_t *data, size_t sizeof_data) +{ + char **p = ctx; + + sprintf(*p, "v%u a%u l%ld,", + da->vendor, da->attr, sizeof_data); + + *p += strlen(*p); +} + +static void process_file(const char *filename) +{ + int lineno, rcode; + size_t i, outlen; + ssize_t len, data_len; + FILE *fp; + RADIUS_PACKET packet; + char input[8192], buffer[8192]; + char output[8192]; + uint8_t *attr, data[2048]; + + if (strcmp(filename, "-") == 0) { + fp = stdin; + filename = ""; + + } else { + fp = fopen(filename, "r"); + if (!fp) { + fprintf(stderr, "Error opening %s: %s\n", + filename, strerror(errno)); + exit(1); + } + } + + lineno = 0; + *output = '\0'; + data_len = 0; + + while (fgets(buffer, sizeof(buffer), fp) != NULL) { + char *p = strchr(buffer, '\n'); + VALUE_PAIR *vp, *head = NULL; + VALUE_PAIR **tail = &head; + + lineno++; + + if (!p) { + if (!feof(fp)) { + fprintf(stderr, "Line %d too long in %s\n", + lineno, filename); + exit(1); + } + } else { + *p = '\0'; + } + + p = strchr(buffer, '#'); + if (p) *p = '\0'; + + p = buffer; + while (isspace((int) *p)) p++; + if (!*p) continue; + + strcpy(input, p); + + if (strncmp(p, "raw ", 4) == 0) { + outlen = encode_rfc(p + 4, data, sizeof(data)); + if (outlen == 0) { + fprintf(stderr, "Parse error in line %d of %s\n", + lineno, filename); + exit(1); + } + + print_hex: + if (outlen == 0) { + output[0] = 0; + continue; + } + + data_len = outlen; + for (i = 0; i < outlen; i++) { + snprintf(output + 3*i, sizeof(output), + "%02x ", data[i]); + } + outlen = strlen(output); + output[outlen - 1] = '\0'; + continue; + } + + if (strncmp(p, "data ", 5) == 0) { + if (strcmp(p + 5, output) != 0) { + fprintf(stderr, "Mismatch in line %d of %s, expected: %s\n", + lineno, filename, output); + exit(1); + } + continue; + } + + head = NULL; + if (strncmp(p, "encode ", 7) == 0) { + if (strcmp(p + 7, "-") == 0) { + p = output; + } else { + p += 7; + } + + rcode = nr_vp_sscanf(p, &head); + if (rcode < 0) { + strcpy(output, nr_strerror(rcode)); + continue; + } + + attr = data; + vp = head; + while (vp != NULL) { + len = nr_vp2attr(NULL, NULL, &vp, + attr, sizeof(data) - (attr - data)); + if (len < 0) { + fprintf(stderr, "Failed encoding %s: %s\n", + vp->da->name, nr_strerror(len)); + exit(1); + } + + attr += len; + if (len == 0) break; + } + + nr_vp_free(&head); + outlen = len; + goto print_hex; + } + + if (strncmp(p, "decode ", 7) == 0) { + ssize_t my_len; + + if (strcmp(p + 7, "-") == 0) { + attr = data; + len = data_len; + } else { + attr = data; + len = encode_hex(p + 7, data, sizeof(data)); + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + } + + while (len > 0) { + vp = NULL; + my_len = nr_attr2vp(NULL, NULL, + attr, len, &vp); + if (my_len < 0) { + nr_vp_free(&head); + break; + } + + if (my_len > len) { + fprintf(stderr, "Internal sanity check failed at %d\n", __LINE__); + exit(1); + } + + *tail = vp; + while (vp) { + tail = &(vp->next); + vp = vp->next; + } + + attr += my_len; + len -= my_len; + } + + /* + * Output may be an error, and we ignore + * it if so. + */ + if (head) { + p = output; + for (vp = head; vp != NULL; vp = vp->next) { + nr_vp_snprintf(p, sizeof(output) - (p - output), vp); + p += strlen(p); + + if (vp->next) {strcpy(p, ", "); + p += 2; + } + } + + nr_vp_free(&head); + } else if (my_len < 0) { + strcpy(output, nr_strerror(my_len)); + + } else { /* zero-length attribute */ + *output = '\0'; + } + continue; + } + + if (strncmp(p, "walk ", 5) == 0) { + len = encode_hex(p + 5, data + 20, sizeof(data) - 20); + + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + + memset(data, 0, 20); + packet.data = data; + packet.length = len + 20; + packet.data[2] = ((len + 20) >> 8) & 0xff; + packet.data[3] = (len + 20) & 0xff; + + *output = '\0'; + p = output; + + rcode = nr_packet_walk(&packet, &p, walk_callback); + if (rcode < 0) { + snprintf(output, sizeof(output), "%d", rcode); + continue; + } + + if (*output) output[strlen(output) - 1] = '\0'; + continue; + } + + if (strncmp(p, "$INCLUDE ", 9) == 0) { + p += 9; + while (isspace((int) *p)) p++; + + process_file(p); + continue; + } + + if (strncmp(p, "secret ", 7) == 0) { + strlcpy(secret, p + 7, sizeof(secret)); + strlcpy(output, secret, sizeof(output)); + continue; + } + + if (strncmp(p, "code ", 5) == 0) { + packet_code = atoi(p + 5); + snprintf(output, sizeof(output), "%u", packet_code); + continue; + } + + if (strncmp(p, "sign ", 5) == 0) { + len = encode_hex(p + 5, data + 20, sizeof(data) - 20); + if (len == 0) { + fprintf(stderr, "Failed decoding hex string at line %d of %s\n", lineno, filename); + exit(1); + } + + memset(&packet, 0, sizeof(packet)); + packet.secret = secret; + packet.sizeof_secret = strlen(secret); + packet.code = packet_code; + packet.id = packet_id; + memcpy(packet.vector, packet_vector, 16); + packet.data = data; + packet.length = len + 20; + + /* + * Hack encode the packet. + */ + packet.data[0] = packet_code; + packet.data[1] = packet_id; + packet.data[2] = ((len + 20) >> 8) & 0xff; + packet.data[3] = (len + 20) & 0xff; + memcpy(packet.data + 4, packet_vector, 16); + + rcode = nr_packet_sign(&packet, NULL); + if (rcode < 0) { + snprintf(output, sizeof(output), "%d", rcode); + continue; + } + + memcpy(data, packet.vector, sizeof(packet.vector)); + outlen = sizeof(packet.vector); + goto print_hex; + } + + fprintf(stderr, "Unknown input at line %d of %s\n", + lineno, filename); + exit(1); + } + + if (fp != stdin) fclose(fp); +} + +int main(int argc, char *argv[]) +{ + int c; + + if (argc < 2) { + process_file("-"); + + } else { + process_file(argv[1]); + } + + return 0; +} diff --git a/radius/tests/rfc.txt b/radius/tests/rfc.txt new file mode 100644 index 0000000..d8bd613 --- /dev/null +++ b/radius/tests/rfc.txt @@ -0,0 +1,144 @@ +# All attribute lengths are implicit, and are calculated automatically +# +# Input is of the form: +# +# WORD ... +# +# The WORD is a keyword which indicates the format of the following text. +# WORD is one of: +# +# raw - read the grammar defined below, and encode an attribute. +# The grammer supports a trivial way of describing RADIUS +# attributes, without reference to dictionaries or fancy +# parsers +# +# encode - reads "Attribute-Name = value", encodes it, and prints +# the result as text. +# use "-" to encode the output of the last command +# +# decode - reads hex, and decodes it "Attribute-Name = value" +# use "-" to decode the output of the last command +# +# data - the expected output of the previous command, in ASCII form. +# if the actual command output is different, an error message +# is produced, and the program terminates. +# +# +# The "raw" input satisfies the following grammar: +# +# Identifier = 1*DIGIT *( "." 1*DIGIT ) +# +# HEXCHAR = HEXDIG HEXDIG +# +# STRING = DQUOTE *CHAR DQUOTE +# +# TLV = "{" 1*DIGIT DATA "}" +# +# DATA = 1*HEXCHAR / 1*TLV / STRING +# +# LINE = Identifier DATA +# +# The "Identifier" is a RADIUS attribute identifier, as given in the draft. +# +# e.g. 1 for User-Name +# 26.9.1 Vendor-Specific, Cisco, Cisco-AVPAir +# 241.1 Extended Attribute, number 1 +# 241.2.3 Extended Attribute 2, data type TLV, TLV type 3 +# etc. +# +# The "DATA" portion is the contents of the RADIUS Attribute. +# +# 123456789abcdef hex string +# 12 34 56 ab with spaces for clarity +# "hello" Text string +# { 1 abcdef } TLV, TLV-Type 1, data "abcdef" +# +# TLVs can be nested: +# +# { tlv-type { tlv-type data } } { 3 { 4 01020304 } } +# +# TLVs can be concatencated +# +# {tlv-type data } { tlv-type data} { 3 040506 } { 8 aabbcc } +# +# The "raw" data is encoded without reference to dictionaries. Any +# valid string is parsed to a RADIUS attribute. The resulting RADIUS +# attribute *may not* be correctly formatted to the relevant RADIUS +# specifications. i.e. you can use this tool to create attribute 1 +# (User-Name), which is encoded as a series of TLVs. That's up to you. +# +# The purpose of the "raw" command is to have a simple way of encoding +# attributes which is independent of any dictionaries or packet processing +# routines. +# +# The output data is the hex version of the encoded attribute. +# + +encode User-Name = bob +data 01 05 62 6f 62 + +decode - +data User-Name = "bob" + +decode 01 05 62 6f 62 +data User-Name = "bob" + +# +# The Type/Length is OK, but the attribute data is of the wrong size. +# +decode 04 04 ab cd +data Attr-4 = 0xabcd + +# Zero-length attributes +decode 01 02 +data + +# don't encode zero-length attributes +#encode User-Name = "" +#data + +# except for CUI. Thank you, WiMAX! +decode 59 02 +data Chargeable-User-Identity = "" + +# Hah! Thought you had it figured out, didn't you? +#encode - +#data 59 02 + +encode NAS-Port = 10 +data 05 06 00 00 00 0a + +decode - +data NAS-Port = 10 + +walk 05 06 00 00 00 0a +data v0 a5 l4 + +walk 05 06 00 00 00 0a 02 06 00 00 00 0a +data v0 a5 l4,v0 a2 l4 + +walk 1a 0c 00 00 00 01 05 06 00 00 00 0a +data v1 a5 l4 + +walk 1a 12 00 00 00 01 05 06 00 00 00 0a 03 06 00 00 00 0a +data v1 a5 l4,v1 a3 l4 + +# Access-Request, code 1, authentication vector of zero +sign 05 06 00 00 00 0a +data 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +code 4 + +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 + +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 + +secret hello +sign 05 06 00 00 00 0a +data 69 20 c0 b9 e1 2f 12 54 9f 92 16 5e f4 64 9b fd + +secret testing123 +sign 05 06 00 00 00 0a +data 62 63 f1 db 80 70 a6 64 37 31 63 e4 aa 95 5a 68 diff --git a/radius/valuepair.c b/radius/valuepair.c new file mode 100644 index 0000000..6277f7d --- /dev/null +++ b/radius/valuepair.c @@ -0,0 +1,191 @@ +/* +Copyright (c) 2011, Network RADIUS SARL +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** \file valuepair.c + * \brief Functions to manipulate C structure versions of RADIUS attributes. + */ + +#include "client.h" + +void nr_vp_free(VALUE_PAIR **head) +{ + VALUE_PAIR *next, *vp; + + for (vp = *head; vp != NULL; vp = next) { + next = vp->next; + if (vp->da->flags.encrypt) { + memset(vp, 0, sizeof(vp)); + } + free(vp); + } + + *head = NULL; +} + + +VALUE_PAIR *nr_vp_init(VALUE_PAIR *vp, const DICT_ATTR *da) +{ + memset(vp, 0, sizeof(*vp)); + + vp->da = da; + vp->length = da->flags.length; + + return vp; +} + + +VALUE_PAIR *nr_vp_alloc(const DICT_ATTR *da) +{ + VALUE_PAIR *vp = NULL; + + if (!da) { + nr_strerror_printf("Unknown attribute"); + return NULL; + } + + vp = malloc(sizeof(*vp)); + if (!vp) { + nr_strerror_printf("Out of memory"); + return NULL; + } + + return nr_vp_init(vp, da); +} + +VALUE_PAIR *nr_vp_alloc_raw(unsigned int attr, unsigned int vendor) +{ + VALUE_PAIR *vp = NULL; + DICT_ATTR *da; + + vp = malloc(sizeof(*vp) + sizeof(*da) + 64); + if (!vp) { + nr_strerror_printf("Out of memory"); + return NULL; + } + memset(vp, 0, sizeof(*vp)); + + da = (DICT_ATTR *) (vp + 1); + + if (nr_dict_attr_2struct(da, attr, vendor, (char *) (da + 1), 64) < 0) { + free(vp); + return NULL; + } + + vp->da = da; + + return vp; +} + +int nr_vp_set_data(VALUE_PAIR *vp, const void *data, size_t sizeof_data) +{ + int rcode = 1; /* OK */ + + if (!vp || !data || (sizeof_data == 0)) return -RSE_INVAL; + + switch (vp->da->type) { + case RS_TYPE_BYTE: + vp->vp_integer = *(const uint8_t *) data; + break; + + case RS_TYPE_SHORT: + vp->vp_integer = *(const uint16_t *) data; + break; + + case RS_TYPE_INTEGER: + case RS_TYPE_DATE: + case RS_TYPE_IPADDR: + vp->vp_integer = *(const uint32_t *) data; + break; + + case RS_TYPE_STRING: + if (sizeof_data >= sizeof(vp->vp_strvalue)) { + sizeof_data = sizeof(vp->vp_strvalue) - 1; + rcode = 0; /* truncated */ + } + + memcpy(vp->vp_strvalue, (const char *) data, sizeof_data); + vp->vp_strvalue[sizeof_data + 1] = '\0'; + vp->length = sizeof_data; + break; + + case RS_TYPE_OCTETS: + if (sizeof_data > sizeof(vp->vp_octets)) { + sizeof_data = sizeof(vp->vp_octets); + rcode = 0; /* truncated */ + } + memcpy(vp->vp_octets, data, sizeof_data); + vp->length = sizeof_data; + break; + + default: + return -RSE_ATTR_TYPE_UNKNOWN; + } + + return rcode; +} + +VALUE_PAIR *nr_vp_create(int attr, int vendor, const void *data, size_t data_len) +{ + const DICT_ATTR *da; + VALUE_PAIR *vp; + + da = nr_dict_attr_byvalue(attr, vendor); + if (!da) return NULL; + + vp = nr_vp_alloc(da); + if (!vp) return NULL; + + if (nr_vp_set_data(vp, data, data_len) < 0) { + nr_vp_free(&vp); + return NULL; + } + + return vp; +} + +void nr_vps_append(VALUE_PAIR **head, VALUE_PAIR *tail) +{ + if (!tail) return; + + while (*head) { + head = &((*head)->next); + } + + *head = tail; +} + +VALUE_PAIR *nr_vps_find(VALUE_PAIR *head, + unsigned int attr, unsigned int vendor) +{ + while (head) { + if ((head->da->attr == attr) && + (head->da->vendor == vendor)) return head; + head = head->next; + } + + return NULL; +} diff --git a/radsec.c b/radsec.c new file mode 100644 index 0000000..83ce6c5 --- /dev/null +++ b/radsec.c @@ -0,0 +1,141 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include "err.h" +#include "debug.h" +#include "radsecproxy/debug.h" +#if defined (RS_ENABLE_TLS) +#include "tls.h" +#include +#include "radsecproxy/list.h" +#include "radsecproxy/radsecproxy.h" +#endif + +/* Public functions. */ +int +rs_context_create (struct rs_context **ctx) +{ + struct rs_context *h; + +#if defined (RS_ENABLE_TLS) + if (tls_init ()) + return RSE_SSLERR; +#endif + + h = calloc (1, sizeof(*h)); + if (h == NULL) + return RSE_NOMEM; + + debug_init ("libradsec"); /* radsecproxy compat, FIXME: remove */ + + if (ctx != NULL) + *ctx = h; + + return RSE_OK; +} + +struct rs_error * +rs_resolve (struct evutil_addrinfo **addr, + rs_conn_type_t type, + const char *hostname, + const char *service) +{ + int err; + struct evutil_addrinfo hints, *res = NULL; + + memset (&hints, 0, sizeof(struct evutil_addrinfo)); + hints.ai_family = AF_UNSPEC; + hints.ai_flags = AI_ADDRCONFIG; + switch (type) + { + case RS_CONN_TYPE_NONE: + return err_create (RSE_INVALID_CONN, __FILE__, __LINE__, NULL, NULL); + case RS_CONN_TYPE_TCP: + /* Fall through. */ + case RS_CONN_TYPE_TLS: + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + break; + case RS_CONN_TYPE_UDP: + /* Fall through. */ + case RS_CONN_TYPE_DTLS: + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + break; + default: + return err_create (RSE_INVALID_CONN, __FILE__, __LINE__, NULL, NULL); + } + err = evutil_getaddrinfo (hostname, service, &hints, &res); + if (err) + return err_create (RSE_BADADDR, __FILE__, __LINE__, + "%s:%s: bad host name or service name (%s)", + hostname, service, evutil_gai_strerror(err)); + *addr = res; /* Simply use first result. */ + return NULL; +} + +void +rs_context_destroy (struct rs_context *ctx) +{ + struct rs_realm *r = NULL; + struct rs_peer *p = NULL; + + if (ctx->config) + { + for (r = ctx->config->realms; r; ) + { + struct rs_realm *tmp = r; + for (p = r->peers; p; ) + { + struct rs_peer *tmp = p; + if (p->addr_cache) + { + evutil_freeaddrinfo (p->addr_cache); + p->addr_cache = NULL; + } + p = p->next; + rs_free (ctx, tmp); + } + free (r->name); + rs_free (ctx, r->transport_cred); + r = r->next; + rs_free (ctx, tmp); + } + } + + if (ctx->config) + { + if (ctx->config->cfg) + { + cfg_free (ctx->config->cfg); + ctx->config->cfg = NULL; + } + rs_free (ctx, ctx->config); + } + + free (ctx); +} + +int +rs_context_set_alloc_scheme (struct rs_context *ctx, + struct rs_alloc_scheme *scheme) +{ + return rs_err_ctx_push_fl (ctx, RSE_NOSYS, __FILE__, __LINE__, NULL); +} + diff --git a/radsec.h b/radsec.h new file mode 100644 index 0000000..703e44b --- /dev/null +++ b/radsec.h @@ -0,0 +1,7 @@ +/* Copyright 2012 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +struct rs_error *rs_resolve (struct evutil_addrinfo **addr, + rs_conn_type_t type, + const char *hostname, + const char *service); diff --git a/radsec.sym b/radsec.sym new file mode 100644 index 0000000..77fcacc --- /dev/null +++ b/radsec.sym @@ -0,0 +1,86 @@ +rs_attr_display_name +rs_attr_find +rs_attr_parse_name +rs_avp_alloc +rs_avp_append +rs_avp_attrid +rs_avp_byte_set +rs_avp_byte_value +rs_avp_date_set +rs_avp_date_value +rs_avp_delete +rs_avp_display_value +rs_avp_dup +rs_avp_find +rs_avp_find_const +rs_avp_fragmented_value +rs_avp_free +rs_avp_ifid_set +rs_avp_ifid_value +rs_avp_integer_set +rs_avp_integer_value +rs_avp_ipaddr_set +rs_avp_ipaddr_value +rs_avp_length +rs_avp_name +rs_avp_next +rs_avp_next_const +rs_avp_octets_set +rs_avp_octets_value +rs_avp_octets_value_byref +rs_avp_octets_value_const_ptr +rs_avp_octets_value_ptr +rs_avp_short_set +rs_avp_short_value +rs_avp_string_set +rs_avp_string_value +rs_avp_typeof +rs_conf_find_realm +rs_conn_add_listener +rs_conn_create +rs_conn_del_callbacks +rs_conn_destroy +rs_conn_disconnect +rs_conn_fd +rs_conn_get_callbacks +rs_conn_get_current_peer +rs_conn_receive_packet +rs_conn_select_peer +rs_conn_set_callbacks +rs_conn_set_eventbase +rs_conn_set_timeout +rs_conn_set_type +rs_context_create +rs_context_destroy +rs_context_read_config +rs_context_set_alloc_scheme +rs_dump_packet +rs_err_code +rs_err_conn_peek_code +rs_err_conn_pop +rs_err_conn_push +rs_err_conn_push_fl +rs_err_ctx_pop +rs_err_ctx_push +rs_err_ctx_push_fl +rs_err_free +rs_err_msg +rs_packet_add_avp +rs_packet_append_avp +rs_packet_avps +rs_packet_code +rs_packet_create +rs_packet_create_authn_request +rs_packet_destroy +rs_packet_send +rs_peer_create +rs_peer_set_address +rs_peer_set_retries +rs_peer_set_secret +rs_peer_set_timeout +rs_request_add_reqpkt +rs_request_create +rs_request_create_authn +rs_request_destroy +rs_request_get_reqmsg +rs_request_send diff --git a/radsecproxy/Makefile.am b/radsecproxy/Makefile.am new file mode 100644 index 0000000..dc5ffc4 --- /dev/null +++ b/radsecproxy/Makefile.am @@ -0,0 +1,23 @@ +AUTOMAKE_OPTIONS = foreign +ACLOCAL_AMFLAGS = -I m4 + +AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) +AM_CFLAGS = -Wall -Werror -g + +noinst_LTLIBRARIES = libradsec-radsecproxy.la + +libradsec_radsecproxy_la_SOURCES = \ + debug.c debug.h \ + gconfig.h \ + hash.c hash.h \ + hostport_types.h \ + list.c list.h \ + radmsg.h \ + radsecproxy.h \ + tlv11.h \ + util.c util.h + +if RS_ENABLE_TLS +libradsec_radsecproxy_la_SOURCES += \ + tlscommon.c tlscommon.h +endif diff --git a/radsecproxy/debug.c b/radsecproxy/debug.c new file mode 100644 index 0000000..8a4881d --- /dev/null +++ b/radsecproxy/debug.c @@ -0,0 +1,213 @@ +/* Copyright (c) 2007-2009, UNINETT AS + * Copyright (c) 2010-2011, NORDUnet A/S */ +/* See LICENSE for licensing information. */ + +#ifndef SYS_SOLARIS9 +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "util.h" + +static char *debug_ident = NULL; +static uint8_t debug_level = DBG_INFO; +static char *debug_filepath = NULL; +static FILE *debug_file = NULL; +static int debug_syslogfacility = 0; +static uint8_t debug_timestamp = 0; + +void debug_init(char *ident) { + debug_file = stderr; + setvbuf(debug_file, NULL, _IONBF, 0); + debug_ident = ident; +} + +void debug_set_level(uint8_t level) { + switch (level) { + case 1: + debug_level = DBG_ERR; + return; + case 2: + debug_level = DBG_WARN; + return; + case 3: + debug_level = DBG_NOTICE; + return; + case 4: + debug_level = DBG_INFO; + return; + case 5: + debug_level = DBG_DBG; + return; + } +} + +void debug_timestamp_on() { + debug_timestamp = 1; +} + +uint8_t debug_get_level() { + return debug_level; +} + +int debug_set_destination(char *dest) { + static const char *facstrings[] = { "LOG_DAEMON", "LOG_MAIL", "LOG_USER", "LOG_LOCAL0", + "LOG_LOCAL1", "LOG_LOCAL2", "LOG_LOCAL3", "LOG_LOCAL4", + "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7", NULL }; + static const int facvals[] = { LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, + LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, + LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 }; + extern int errno; + int i; + + if (!strncasecmp(dest, "file:///", 8)) { + debug_filepath = stringcopy(dest + 7, 0); + debug_file = fopen(debug_filepath, "a"); + if (!debug_file) { + debug_file = stderr; + debugx(1, DBG_ERR, "Failed to open logfile %s\n%s", + debug_filepath, strerror(errno)); + } + setvbuf(debug_file, NULL, _IONBF, 0); + return 1; + } + if (!strncasecmp(dest, "x-syslog://", 11)) { + dest += 11; + if (*dest == '/') + dest++; + if (*dest) { + for (i = 0; facstrings[i]; i++) + if (!strcasecmp(dest, facstrings[i])) + break; + if (!facstrings[i]) + debugx(1, DBG_ERR, "Unknown syslog facility %s", dest); + debug_syslogfacility = facvals[i]; + } else + debug_syslogfacility = LOG_DAEMON; + openlog(debug_ident, LOG_PID, debug_syslogfacility); + return 1; + } + debug(DBG_ERR, "Unknown log destination, exiting %s", dest); + exit(1); +} + +void debug_reopen_log() { + extern int errno; + + /* not a file, noop, return success */ + if (!debug_filepath) { + debug(DBG_ERR, "skipping reopen"); + return; + } + + if (debug_file != stderr) + fclose(debug_file); + + debug_file = fopen(debug_filepath, "a"); + if (debug_file) + debug(DBG_ERR, "Reopened logfile %s", debug_filepath); + else { + debug_file = stderr; + debug(DBG_ERR, "Failed to open logfile %s, using stderr\n%s", + debug_filepath, strerror(errno)); + } + setvbuf(debug_file, NULL, _IONBF, 0); +} + +void debug_logit(uint8_t level, const char *format, va_list ap) { + struct timeval now; + char *timebuf; + int priority; + + if (debug_syslogfacility) { + switch (level) { + case DBG_DBG: + priority = LOG_DEBUG; + break; + case DBG_INFO: + priority = LOG_INFO; + break; + case DBG_NOTICE: + priority = LOG_NOTICE; + break; + case DBG_WARN: + priority = LOG_WARNING; + break; + case DBG_ERR: + priority = LOG_ERR; + break; + default: + priority = LOG_DEBUG; + } + vsyslog(priority, format, ap); + } else { + if (debug_timestamp && (timebuf = malloc(256))) { + gettimeofday(&now, NULL); + ctime_r(&now.tv_sec, timebuf); + timebuf[strlen(timebuf) - 1] = '\0'; + fprintf(debug_file, "%s: ", timebuf + 4); + free(timebuf); + } + vfprintf(debug_file, format, ap); + fprintf(debug_file, "\n"); + } +} + +void debug(uint8_t level, char *format, ...) { + va_list ap; + if (level < debug_level) + return; + va_start(ap, format); + debug_logit(level, format, ap); + va_end(ap); +} + +void debugx(int status, uint8_t level, char *format, ...) { + if (level >= debug_level) { + va_list ap; + va_start(ap, format); + debug_logit(level, format, ap); + va_end(ap); + } + exit(status); +} + +void debugerrno(int err, uint8_t level, char *format, ...) { + if (level >= debug_level) { + va_list ap; + size_t len = strlen(format); + char *tmp = malloc(len + 1024 + 2); + assert(tmp); + strcpy(tmp, format); + tmp[len++] = ':'; + tmp[len++] = ' '; + if (strerror_r(err, tmp + len, 1024)) + tmp = format; + va_start(ap, format); + debug_logit(level, tmp, ap); + va_end(ap); + } +} + +void debugerrnox(int err, uint8_t level, char *format, ...) { + if (level >= debug_level) { + va_list ap; + va_start(ap, format); + debugerrno(err, level, format, ap); + va_end(ap); + } + exit(err); +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/debug.h b/radsecproxy/debug.h new file mode 100644 index 0000000..f9858ab --- /dev/null +++ b/radsecproxy/debug.h @@ -0,0 +1,36 @@ +/* Copyright (c) 2007-2009, UNINETT AS + * Copyright (c) 2010-2011, NORDUnet A/S */ +/* See LICENSE for licensing information. */ + +#ifndef SYS_SOLARIS9 +#include +#endif + +#define DBG_DBG 8 +#define DBG_INFO 16 +#define DBG_NOTICE 32 +#define DBG_WARN 64 +#define DBG_ERR 128 + +#if defined (__cplusplus) +extern "C" { +#endif + +void debug_init(char *ident); +void debug_set_level(uint8_t level); +void debug_timestamp_on(); +uint8_t debug_get_level(); +void debug(uint8_t level, char *format, ...); +void debugx(int status, uint8_t level, char *format, ...); +void debugerrno(int err, uint8_t level, char *format, ...); +void debugerrnox(int err, uint8_t level, char *format, ...); +int debug_set_destination(char *dest); +void debug_reopen_log(); + +#if defined (__cplusplus) +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/gconfig.h b/radsecproxy/gconfig.h new file mode 100644 index 0000000..3cb34b3 --- /dev/null +++ b/radsecproxy/gconfig.h @@ -0,0 +1,32 @@ +/* Copyright (c) 2007-2008, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#define CONF_STR 1 +#define CONF_CBK 2 +#define CONF_MSTR 3 +#define CONF_BLN 4 +#define CONF_LINT 5 + +#include + +struct gconffile { + char *path; + FILE *file; + const char *data; + size_t datapos; +}; + +int getconfigline(struct gconffile **cf, char *block, char **opt, char **val, int *conftype); +int getgenericconfig(struct gconffile **cf, char *block, ...); +int pushgconfdata(struct gconffile **cf, const char *data); +FILE *pushgconfpath(struct gconffile **cf, const char *path); +FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description); +FILE *pushgconfpaths(struct gconffile **cf, const char *path); +int popgconf(struct gconffile **cf); +void freegconfmstr(char **mstr); +void freegconf(struct gconffile **cf); +struct gconffile *openconfigfile(const char *file); + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/hash.c b/radsecproxy/hash.c new file mode 100644 index 0000000..ab17433 --- /dev/null +++ b/radsecproxy/hash.c @@ -0,0 +1,131 @@ +/* Copyright (c) 2008, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#include +#include +#include +#include "list.h" +#include "hash.h" + +/* allocates and initialises hash structure; returns NULL if malloc fails */ +struct hash *hash_create() { + struct hash *h = malloc(sizeof(struct hash)); + if (!h) + return NULL; + h->hashlist = list_create(); + if (!h->hashlist) { + free(h); + return NULL; + } + pthread_mutex_init(&h->mutex, NULL); + return h; +} + +/* frees all memory associated with the hash */ +void hash_destroy(struct hash *h) { + struct list_node *ln; + + if (!h) + return; + for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { + free(((struct hash_entry *)ln->data)->key); + free(((struct hash_entry *)ln->data)->data); + } + list_destroy(h->hashlist); + pthread_mutex_destroy(&h->mutex); +} + +/* insert entry in hash; returns 1 if ok, 0 if malloc fails */ +int hash_insert(struct hash *h, void *key, uint32_t keylen, void *data) { + struct hash_entry *e; + + if (!h) + return 0; + e = malloc(sizeof(struct hash_entry)); + if (!e) + return 0; + memset(e, 0, sizeof(struct hash_entry)); + e->key = malloc(keylen); + if (!e->key) { + free(e); + return 0; + } + memcpy(e->key, key, keylen); + e->keylen = keylen; + e->data = data; + pthread_mutex_lock(&h->mutex); + if (!list_push(h->hashlist, e)) { + pthread_mutex_unlock(&h->mutex); + free(e->key); + free(e); + return 0; + } + pthread_mutex_unlock(&h->mutex); + return 1; +} + +/* reads entry from hash */ +void *hash_read(struct hash *h, void *key, uint32_t keylen) { + struct list_node *ln; + struct hash_entry *e; + + if (!h) + return 0; + pthread_mutex_lock(&h->mutex); + for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { + e = (struct hash_entry *)ln->data; + if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { + pthread_mutex_unlock(&h->mutex); + return e->data; + } + } + pthread_mutex_unlock(&h->mutex); + return NULL; +} + +/* extracts entry from hash */ +void *hash_extract(struct hash *h, void *key, uint32_t keylen) { + struct list_node *ln; + struct hash_entry *e; + + if (!h) + return 0; + pthread_mutex_lock(&h->mutex); + for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) { + e = (struct hash_entry *)ln->data; + if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { + free(e->key); + list_removedata(h->hashlist, e); + free(e); + pthread_mutex_unlock(&h->mutex); + return e->data; + } + } + pthread_mutex_unlock(&h->mutex); + return NULL; +} + +/* returns first entry */ +struct hash_entry *hash_first(struct hash *hash) { + struct list_node *ln; + struct hash_entry *e; + if (!hash || !((ln = list_first(hash->hashlist)))) + return NULL; + e = (struct hash_entry *)ln->data; + e->next = ln->next; + return e; +} + +/* returns the next node after the argument */ +struct hash_entry *hash_next(struct hash_entry *entry) { + struct hash_entry *e; + if (!entry || !entry->next) + return NULL; + e = (struct hash_entry *)entry->next->data; + e->next = (struct list_node *)entry->next->next; + return e; +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/hash.h b/radsecproxy/hash.h new file mode 100644 index 0000000..90ba64b --- /dev/null +++ b/radsecproxy/hash.h @@ -0,0 +1,51 @@ +/* Copyright (c) 2008, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#ifndef SYS_SOLARIS9 +#include +#endif + +#if defined (__cplusplus) +extern "C" { +#endif + +struct hash { + struct list *hashlist; + pthread_mutex_t mutex; +}; + +struct hash_entry { + void *key; + uint32_t keylen; + void *data; + struct list_node *next; /* used when walking through hash */ +}; + +/* allocates and initialises hash structure; returns NULL if malloc fails */ +struct hash *hash_create(); + +/* frees all memory associated with the hash */ +void hash_destroy(struct hash *hash); + +/* insert entry in hash; returns 1 if ok, 0 if malloc fails */ +int hash_insert(struct hash *hash, void *key, uint32_t keylen, void *data); + +/* reads entry from hash */ +void *hash_read(struct hash *hash, void *key, uint32_t keylen); + +/* extracts (read and remove) entry from hash */ +void *hash_extract(struct hash *hash, void *key, uint32_t keylen); + +/* returns first entry */ +struct hash_entry *hash_first(struct hash *hash); + +/* returns the next entry after the argument */ +struct hash_entry *hash_next(struct hash_entry *entry); + +#if defined (__cplusplus) +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/hostport_types.h b/radsecproxy/hostport_types.h new file mode 100644 index 0000000..01fb443 --- /dev/null +++ b/radsecproxy/hostport_types.h @@ -0,0 +1,6 @@ +struct hostportres { + char *host; + char *port; + uint8_t prefixlen; + struct addrinfo *addrinfo; +}; diff --git a/radsecproxy/list.c b/radsecproxy/list.c new file mode 100644 index 0000000..4cfd358 --- /dev/null +++ b/radsecproxy/list.c @@ -0,0 +1,122 @@ +/* Copyright (c) 2007-2009, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include "list.h" + +/* allocates and initialises list structure; returns NULL if malloc fails */ +struct list *list_create() { + struct list *list = malloc(sizeof(struct list)); + if (list) + memset(list, 0, sizeof(struct list)); + return list; +} + +/* frees all memory associated with the list */ +void list_destroy(struct list *list) { + struct list_node *node, *next; + + if (!list) + return; + + for (node = list->first; node; node = next) { + free(node->data); + next = node->next; + free(node); + } + free(list); +} + +/* appends entry to list; returns 1 if ok, 0 if malloc fails */ +int list_push(struct list *list, void *data) { + struct list_node *node; + + node = malloc(sizeof(struct list_node)); + if (!node) + return 0; + + node->next = NULL; + node->data = data; + + if (list->first) + list->last->next = node; + else + list->first = node; + list->last = node; + + list->count++; + return 1; +} + +/* removes first entry from list and returns data */ +void *list_shift(struct list *list) { + struct list_node *node; + void *data; + + if (!list || !list->first) + return NULL; + + node = list->first; + list->first = node->next; + if (!list->first) + list->last = NULL; + data = node->data; + free(node); + list->count--; + return data; +} + +/* removes all entries with matching data pointer */ +void list_removedata(struct list *list, void *data) { + struct list_node *node, *t; + + if (!list || !list->first) + return; + + node = list->first; + while (node->data == data) { + list->first = node->next; + free(node); + list->count--; + node = list->first; + if (!node) { + list->last = NULL; + return; + } + } + for (; node->next; node = node->next) + if (node->next->data == data) { + t = node->next; + node->next = t->next; + free(t); + list->count--; + if (!node->next) { /* we removed the last one */ + list->last = node; + return; + } + } +} + +/* returns first node */ +struct list_node *list_first(struct list *list) { + return list ? list->first : NULL; +} + +/* returns the next node after the argument */ +struct list_node *list_next(struct list_node *node) { + return node->next; +} + +/* returns number of nodes */ +uint32_t list_count(struct list *list) { + return list->count; +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/list.h b/radsecproxy/list.h new file mode 100644 index 0000000..4f4d1f9 --- /dev/null +++ b/radsecproxy/list.h @@ -0,0 +1,54 @@ +/* Copyright (c) 2007-2009, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#ifdef SYS_SOLARIS9 +#include +#else +#include +#endif + +#if defined (__cplusplus) +extern "C" { +#endif + +struct list_node { + struct list_node *next; + void *data; +}; + +struct list { + struct list_node *first, *last; + uint32_t count; +}; + +/* allocates and initialises list structure; returns NULL if malloc fails */ +struct list *list_create(); + +/* frees all memory associated with the list */ +void list_destroy(struct list *list); + +/* appends entry to list; returns 1 if ok, 0 if malloc fails */ +int list_push(struct list *list, void *data); + +/* removes first entry from list and returns data */ +void *list_shift(struct list *list); + +/* removes first entry with matching data pointer */ +void list_removedata(struct list *list, void *data); + +/* returns first node */ +struct list_node *list_first(struct list *list); + +/* returns the next node after the argument */ +struct list_node *list_next(struct list_node *node); + +/* returns number of nodes */ +uint32_t list_count(struct list *list); + +#if defined (__cplusplus) +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/radmsg.h b/radsecproxy/radmsg.h new file mode 100644 index 0000000..1bef59b --- /dev/null +++ b/radsecproxy/radmsg.h @@ -0,0 +1,40 @@ +/* Copyright (c) 2007-2008, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#define RAD_Access_Request 1 +#define RAD_Access_Accept 2 +#define RAD_Access_Reject 3 +#define RAD_Accounting_Request 4 +#define RAD_Accounting_Response 5 +#define RAD_Access_Challenge 11 +#define RAD_Status_Server 12 +#define RAD_Status_Client 13 + +#define RAD_Attr_User_Name 1 +#define RAD_Attr_User_Password 2 +#define RAD_Attr_Reply_Message 18 +#define RAD_Attr_Vendor_Specific 26 +#define RAD_Attr_Calling_Station_Id 31 +#define RAD_Attr_Tunnel_Password 69 +#define RAD_Attr_Message_Authenticator 80 + +#define RAD_VS_ATTR_MS_MPPE_Send_Key 16 +#define RAD_VS_ATTR_MS_MPPE_Recv_Key 17 + +struct radmsg { + uint8_t code; + uint8_t id; + uint8_t auth[20]; + struct list *attrs; +}; + +void radmsg_free(struct radmsg *); +struct radmsg *radmsg_init(uint8_t, uint8_t, uint8_t *); +int radmsg_add(struct radmsg *, struct tlv *); +struct tlv *radmsg_gettype(struct radmsg *, uint8_t); +uint8_t *radmsg2buf(struct radmsg *msg, uint8_t *); +struct radmsg *buf2radmsg(uint8_t *, uint8_t *, uint8_t *); + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/radsecproxy.h b/radsecproxy/radsecproxy.h new file mode 100644 index 0000000..7528f7f --- /dev/null +++ b/radsecproxy/radsecproxy.h @@ -0,0 +1,216 @@ +/* + * Copyright (C) 2006-2009 Stig Venaas + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + */ + +#include "tlv11.h" +#include "radmsg.h" +#include "gconfig.h" + +#define DEBUG_LEVEL 2 + +#define CONFIG_MAIN "/etc/radsecproxy.conf" + +/* MAX_REQUESTS must be 256 due to Radius' 8 bit ID field */ +#define MAX_REQUESTS 256 +#define REQUEST_RETRY_INTERVAL 5 +#define REQUEST_RETRY_COUNT 2 +#define DUPLICATE_INTERVAL REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT +#define MAX_CERT_DEPTH 5 +#define STATUS_SERVER_PERIOD 25 +#define IDLE_TIMEOUT 300 + +/* 27262 is vendor DANTE Ltd. */ +#define DEFAULT_TTL_ATTR "27262:1" + +#define RAD_UDP 0 +#define RAD_TLS 1 +#define RAD_TCP 2 +#define RAD_DTLS 3 +#define RAD_PROTOCOUNT 4 + +struct options { + char *logdestination; + char *ttlattr; + uint32_t ttlattrtype[2]; + uint8_t addttl; + uint8_t loglevel; + uint8_t loopprevention; +}; + +struct commonprotoopts { + char **listenargs; + char *sourcearg; +}; + +struct request { + struct timeval created; + uint32_t refcount; + uint8_t *buf, *replybuf; + struct radmsg *msg; + struct client *from; + struct server *to; + char *origusername; + uint8_t rqid; + uint8_t rqauth[16]; + uint8_t newid; + int udpsock; /* only for UDP */ + uint16_t udpport; /* only for UDP */ +}; + +/* requests that our client will send */ +struct rqout { + pthread_mutex_t *lock; + struct request *rq; + uint8_t tries; + struct timeval expiry; +}; + +struct gqueue { + struct list *entries; + pthread_mutex_t mutex; + pthread_cond_t cond; +}; + +struct clsrvconf { + char *name; + uint8_t type; /* RAD_UDP/RAD_TLS/RAD_TCP */ + const struct protodefs *pdef; + char **hostsrc; + char *portsrc; + struct list *hostports; + char *secret; + char *tls; + char *matchcertattr; + regex_t *certcnregex; + regex_t *certuriregex; + char *confrewritein; + char *confrewriteout; + char *confrewriteusername; + struct modattr *rewriteusername; + char *dynamiclookupcommand; + uint8_t statusserver; + uint8_t retryinterval; + uint8_t retrycount; + uint8_t dupinterval; + uint8_t certnamecheck; + uint8_t addttl; + uint8_t loopprevention; + struct rewrite *rewritein; + struct rewrite *rewriteout; + pthread_mutex_t *lock; /* only used for updating clients so far */ + struct tls *tlsconf; + struct list *clients; + struct server *servers; +}; + +#include "tlscommon.h" + +struct client { + struct clsrvconf *conf; + int sock; + SSL *ssl; + struct request *rqs[MAX_REQUESTS]; + struct gqueue *replyq; + struct gqueue *rbios; /* for dtls */ + struct sockaddr *addr; + time_t expiry; /* for udp */ +}; + +struct server { + struct clsrvconf *conf; + int sock; + SSL *ssl; + pthread_mutex_t lock; + pthread_t clientth; + uint8_t clientrdgone; + struct timeval lastconnecttry; + struct timeval lastreply; + uint8_t connectionok; + uint8_t lostrqs; + uint8_t dynstartup; + char *dynamiclookuparg; + int nextid; + struct timeval lastrcv; + struct rqout *requests; + uint8_t newrq; + pthread_mutex_t newrq_mutex; + pthread_cond_t newrq_cond; + struct gqueue *rbios; /* for dtls */ +}; + +struct realm { + char *name; + char *message; + uint8_t accresp; + regex_t regex; + uint32_t refcount; + pthread_mutex_t mutex; + struct realm *parent; + struct list *subrealms; + struct list *srvconfs; + struct list *accsrvconfs; +}; + +struct modattr { + uint8_t t; + char *replacement; + regex_t *regex; +}; + +struct rewrite { + uint8_t *removeattrs; + uint32_t *removevendorattrs; + struct list *addattrs; + struct list *modattrs; +}; + +struct protodefs { + char *name; + char *secretdefault; + int socktype; + char *portdefault; + uint8_t retrycountdefault; + uint8_t retrycountmax; + uint8_t retryintervaldefault; + uint8_t retryintervalmax; + uint8_t duplicateintervaldefault; + void (*setprotoopts)(struct commonprotoopts *); + char **(*getlistenerargs)(); + void *(*listener)(void*); + int (*connecter)(struct server *, struct timeval *, int, char *); + void *(*clientconnreader)(void*); + int (*clientradput)(struct server *, unsigned char *); + void (*addclient)(struct client *); + void (*addserverextra)(struct clsrvconf *); + void (*setsrcres)(); + void (*initextra)(); +}; + +#define RADLEN(x) ntohs(((uint16_t *)(x))[1]) + +#define ATTRTYPE(x) ((x)[0]) +#define ATTRLEN(x) ((x)[1]) +#define ATTRVAL(x) ((x) + 2) +#define ATTRVALLEN(x) ((x)[1] - 2) + +struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); +struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); +struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur); +struct client *addclient(struct clsrvconf *conf, uint8_t lock); +void removelockedclient(struct client *client); +void removeclient(struct client *client); +struct gqueue *newqueue(); +void freebios(struct gqueue *q); +struct request *newrequest(); +void freerq(struct request *rq); +int radsrv(struct request *rq); +void replyh(struct server *server, unsigned char *buf); +struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport); + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/tlscommon.c b/radsecproxy/tlscommon.c new file mode 100644 index 0000000..a31fa32 --- /dev/null +++ b/radsecproxy/tlscommon.c @@ -0,0 +1,455 @@ +/* Copyright (c) 2007-2009, UNINETT AS + * Copyright (c) 2010-2011, NORDUnet A/S */ +/* See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef SYS_SOLARIS9 +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "list.h" +#include "hash.h" +#include "util.h" +#include "hostport_types.h" +#include "radsecproxy.h" + +static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) { + int pwdlen = strlen(userdata); + if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */ + return 0; + memcpy(buf, userdata, pwdlen); + return pwdlen; +} + +static int verify_cb(int ok, X509_STORE_CTX *ctx) { + char *buf = NULL; + X509 *err_cert; + int err, depth; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + if (depth > MAX_CERT_DEPTH) { + ok = 0; + err = X509_V_ERR_CERT_CHAIN_TOO_LONG; + X509_STORE_CTX_set_error(ctx, err); + } + + if (!ok) { + if (err_cert) + buf = X509_NAME_oneline(X509_get_subject_name(err_cert), NULL, 0); + debug(DBG_WARN, "verify error: num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf ? buf : ""); + free(buf); + buf = NULL; + + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + if (err_cert) { + buf = X509_NAME_oneline(X509_get_issuer_name(err_cert), NULL, 0); + if (buf) { + debug(DBG_WARN, "\tIssuer=%s", buf); + free(buf); + buf = NULL; + } + } + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + debug(DBG_WARN, "\tCertificate not yet valid"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + debug(DBG_WARN, "Certificate has expired"); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + debug(DBG_WARN, "Certificate no longer valid (after notAfter)"); + break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + debug(DBG_WARN, "No Explicit Certificate Policy"); + break; + } + } + return ok; +} + +#ifdef DEBUG +static void ssl_info_callback(const SSL *ssl, int where, int ret) { + const char *s; + int w; + + w = where & ~SSL_ST_MASK; + + if (w & SSL_ST_CONNECT) + s = "SSL_connect"; + else if (w & SSL_ST_ACCEPT) + s = "SSL_accept"; + else + s = "undefined"; + + if (where & SSL_CB_LOOP) + debug(DBG_DBG, "%s:%s\n", s, SSL_state_string_long(ssl)); + else if (where & SSL_CB_ALERT) { + s = (where & SSL_CB_READ) ? "read" : "write"; + debug(DBG_DBG, "SSL3 alert %s:%s:%s\n", s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); + } + else if (where & SSL_CB_EXIT) { + if (ret == 0) + debug(DBG_DBG, "%s:failed in %s\n", s, SSL_state_string_long(ssl)); + else if (ret < 0) + debug(DBG_DBG, "%s:error in %s\n", s, SSL_state_string_long(ssl)); + } +} +#endif + +static X509_VERIFY_PARAM *createverifyparams(char **poids) { + X509_VERIFY_PARAM *pm; + ASN1_OBJECT *pobject; + int i; + + pm = X509_VERIFY_PARAM_new(); + if (!pm) + return NULL; + + for (i = 0; poids[i]; i++) { + pobject = OBJ_txt2obj(poids[i], 0); + if (!pobject) { + X509_VERIFY_PARAM_free(pm); + return NULL; + } + X509_VERIFY_PARAM_add0_policy(pm, pobject); + } + + X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY); + return pm; +} + +static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { + STACK_OF(X509_NAME) *calist; + X509_STORE *x509_s; + unsigned long error; + + if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name); + return 0; + } + + calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL; + + if (!conf->cacertfile || calist) { + if (conf->cacertpath) { + if (!calist) + calist = sk_X509_NAME_new_null(); + if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) { + sk_X509_NAME_free(calist); + calist = NULL; + } + } + } + if (!calist) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name); + return 0; + } + ERR_clear_error(); /* add_dir_cert_subj returns errors on success */ + SSL_CTX_set_client_CA_list(ctx, calist); + + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); + SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); + + if (conf->crlcheck || conf->vpm) { + x509_s = SSL_CTX_get_cert_store(ctx); + if (conf->crlcheck) + X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + if (conf->vpm) + X509_STORE_set1_param(x509_s, conf->vpm); + } + + debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name); + return 1; +} + +static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { + SSL_CTX *ctx = NULL; + unsigned long error; + + switch (type) { +#ifdef RADPROT_TLS + case RAD_TLS: + ctx = SSL_CTX_new(TLSv1_method()); + break; +#endif +#ifdef RADPROT_DTLS + case RAD_DTLS: + ctx = SSL_CTX_new(DTLSv1_method()); + SSL_CTX_set_read_ahead(ctx, 1); + break; +#endif + } + if (!ctx) { + debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + return NULL; + } +#ifdef DEBUG + SSL_CTX_set_info_callback(ctx, ssl_info_callback); +#endif + + if (conf->certkeypwd) { + SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd); + SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb); + } + if (conf->certfile || conf->certkeyfile) { + if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) || + !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) || + !SSL_CTX_check_private_key(ctx)) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS (certfile issues) in TLS context %s", conf->name); + SSL_CTX_free(ctx); + return NULL; + } + } + + if (conf->policyoids) { + if (!conf->vpm) { + conf->vpm = createverifyparams(conf->policyoids); + if (!conf->vpm) { + debug(DBG_ERR, "tlscreatectx: Failed to add policyOIDs in TLS context %s", conf->name); + SSL_CTX_free(ctx); + return NULL; + } + } + } + + if (conf->cacertfile != NULL || conf->cacertpath != NULL) + if (!tlsaddcacrl(ctx, conf)) { + if (conf->vpm) { + X509_VERIFY_PARAM_free(conf->vpm); + conf->vpm = NULL; + } + SSL_CTX_free(ctx); + return NULL; + } + + debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); + return ctx; +} + +SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { + struct timeval now; + + if (!t) + return NULL; + gettimeofday(&now, NULL); + + switch (type) { +#ifdef RADPROT_TLS + case RAD_TLS: + if (t->tlsexpiry && t->tlsctx) { + if (t->tlsexpiry < now.tv_sec) { + t->tlsexpiry = now.tv_sec + t->cacheexpiry; + tlsaddcacrl(t->tlsctx, t); + } + } + if (!t->tlsctx) { + t->tlsctx = tlscreatectx(RAD_TLS, t); + if (t->cacheexpiry) + t->tlsexpiry = now.tv_sec + t->cacheexpiry; + } + return t->tlsctx; +#endif +#ifdef RADPROT_DTLS + case RAD_DTLS: + if (t->dtlsexpiry && t->dtlsctx) { + if (t->dtlsexpiry < now.tv_sec) { + t->dtlsexpiry = now.tv_sec + t->cacheexpiry; + tlsaddcacrl(t->dtlsctx, t); + } + } + if (!t->dtlsctx) { + t->dtlsctx = tlscreatectx(RAD_DTLS, t); + if (t->cacheexpiry) + t->dtlsexpiry = now.tv_sec + t->cacheexpiry; + } + return t->dtlsctx; +#endif + } + return NULL; +} + +X509 *verifytlscert(SSL *ssl) { + X509 *cert; + unsigned long error; + + if (SSL_get_verify_result(ssl) != X509_V_OK) { + debug(DBG_ERR, "verifytlscert: basic validation failed"); + while ((error = ERR_get_error())) + debug(DBG_ERR, "verifytlscert: TLS: %s", ERR_error_string(error, NULL)); + return NULL; + } + + cert = SSL_get_peer_certificate(ssl); + if (!cert) + debug(DBG_ERR, "verifytlscert: failed to obtain certificate"); + return cert; +} + +int subjectaltnameaddr(X509 *cert, int family, const struct in6_addr *addr) { + int loc, i, l, n, r = 0; + char *v; + X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + GENERAL_NAME *gn; + + debug(DBG_DBG, "subjectaltnameaddr"); + + loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); + if (loc < 0) + return r; + + ex = X509_get_ext(cert, loc); + alt = X509V3_EXT_d2i(ex); + if (!alt) + return r; + + n = sk_GENERAL_NAME_num(alt); + for (i = 0; i < n; i++) { + gn = sk_GENERAL_NAME_value(alt, i); + if (gn->type != GEN_IPADD) + continue; + r = -1; + v = (char *)ASN1_STRING_data(gn->d.ia5); + l = ASN1_STRING_length(gn->d.ia5); + if (((family == AF_INET && l == sizeof(struct in_addr)) || (family == AF_INET6 && l == sizeof(struct in6_addr))) + && !memcmp(v, &addr, l)) { + r = 1; + break; + } + } + GENERAL_NAMES_free(alt); + return r; +} + +int subjectaltnameregexp(X509 *cert, int type, const char *exact, const regex_t *regex) { + int loc, i, l, n, r = 0; + char *s, *v; + X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + GENERAL_NAME *gn; + + debug(DBG_DBG, "subjectaltnameregexp"); + + loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); + if (loc < 0) + return r; + + ex = X509_get_ext(cert, loc); + alt = X509V3_EXT_d2i(ex); + if (!alt) + return r; + + n = sk_GENERAL_NAME_num(alt); + for (i = 0; i < n; i++) { + gn = sk_GENERAL_NAME_value(alt, i); + if (gn->type != type) + continue; + r = -1; + v = (char *)ASN1_STRING_data(gn->d.ia5); + l = ASN1_STRING_length(gn->d.ia5); + if (l <= 0) + continue; +#ifdef DEBUG + printfchars(NULL, gn->type == GEN_DNS ? "dns" : "uri", NULL, v, l); +#endif + if (exact) { + if (memcmp(v, exact, l)) + continue; + } else { + s = stringcopy((char *)v, l); + if (!s) { + debug(DBG_ERR, "malloc failed"); + continue; + } + if (regexec(regex, s, 0, NULL, 0)) { + free(s); + continue; + } + free(s); + } + r = 1; + break; + } + GENERAL_NAMES_free(alt); + return r; +} + +int cnregexp(X509 *cert, const char *exact, const regex_t *regex) { + int loc, l; + char *v, *s; + X509_NAME *nm; + X509_NAME_ENTRY *e; + ASN1_STRING *t; + + nm = X509_get_subject_name(cert); + loc = -1; + for (;;) { + loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc); + if (loc == -1) + break; + e = X509_NAME_get_entry(nm, loc); + t = X509_NAME_ENTRY_get_data(e); + v = (char *) ASN1_STRING_data(t); + l = ASN1_STRING_length(t); + if (l < 0) + continue; + if (exact) { + if (l == strlen(exact) && !strncasecmp(exact, v, l)) + return 1; + } else { + s = stringcopy((char *)v, l); + if (!s) { + debug(DBG_ERR, "malloc failed"); + continue; + } + if (regexec(regex, s, 0, NULL, 0)) { + free(s); + continue; + } + free(s); + return 1; + } + } + return 0; +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/tlscommon.h b/radsecproxy/tlscommon.h new file mode 100644 index 0000000..5a6d262 --- /dev/null +++ b/radsecproxy/tlscommon.h @@ -0,0 +1,42 @@ +/* Copyright (c) 2007-2009, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#include +#include + +#if defined (__cplusplus) +extern "C" { +#endif + +struct tls { + char *name; + char *cacertfile; + char *cacertpath; + char *certfile; + char *certkeyfile; + char *certkeypwd; + uint8_t crlcheck; + char **policyoids; + uint32_t cacheexpiry; + uint32_t tlsexpiry; + uint32_t dtlsexpiry; + X509_VERIFY_PARAM *vpm; + SSL_CTX *tlsctx; + SSL_CTX *dtlsctx; +}; + +#if defined(RADPROT_TLS) || defined(RADPROT_DTLS) +SSL_CTX *tlsgetctx(uint8_t type, struct tls *t); +X509 *verifytlscert(SSL *ssl); +int subjectaltnameaddr(X509 *cert, int family, const struct in6_addr *addr); +int subjectaltnameregexp(X509 *cert, int type, const char *exact, const regex_t *regex); +int cnregexp(X509 *cert, const char *exact, const regex_t *regex); +#endif + +#if defined (__cplusplus) +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/tlv11.h b/radsecproxy/tlv11.h new file mode 100644 index 0000000..87909c0 --- /dev/null +++ b/radsecproxy/tlv11.h @@ -0,0 +1,23 @@ +/* Copyright (c) 2008, UNINETT AS + * Copyright (c) 2010, NORDUnet A/S */ +/* See LICENSE for licensing information. */ + +struct tlv { + uint8_t t; + uint8_t l; + uint8_t *v; +}; + +struct tlv *maketlv(uint8_t, uint8_t, void *); +struct tlv *copytlv(struct tlv *); +void freetlv(struct tlv *); +int eqtlv(struct tlv *, struct tlv *); +struct list *copytlvlist(struct list *); +void freetlvlist(struct list *); +void rmtlv(struct list *, uint8_t); +uint8_t *tlv2str(struct tlv *tlv); +uint8_t *tlv2buf(uint8_t *, const struct tlv *tlv); + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/util.c b/radsecproxy/util.c new file mode 100644 index 0000000..ad974ac --- /dev/null +++ b/radsecproxy/util.c @@ -0,0 +1,256 @@ +/* Copyright (c) 2007-2009, UNINETT AS */ +/* See LICENSE for licensing information. */ + +/* Code contributions from: + * + * Stefan Winter + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "util.h" + +char *stringcopy(const char *s, int len) { + char *r; + if (!s) + return NULL; + if (!len) + len = strlen(s); + r = malloc(len + 1); + if (!r) + debug(DBG_ERR, "stringcopy: malloc failed"); + memcpy(r, s, len); + r[len] = '\0'; + return r; +} + +void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len) { + int i; + unsigned char *s = (unsigned char *)chars; + if (prefix) + printf(prefixfmt ? prefixfmt : "%s: ", prefix); + for (i = 0; i < len; i++) + printf(charfmt ? charfmt : "%c", s[i]); + printf("\n"); +} + +void port_set(struct sockaddr *sa, uint16_t port) { + switch (sa->sa_family) { + case AF_INET: + ((struct sockaddr_in *)sa)->sin_port = htons(port); + break; + case AF_INET6: + ((struct sockaddr_in6 *)sa)->sin6_port = htons(port); + break; + } +} + +struct sockaddr *addr_copy(struct sockaddr *in) { + struct sockaddr *out = NULL; + + switch (in->sa_family) { + case AF_INET: + out = malloc(sizeof(struct sockaddr_in)); + if (out) { + memset(out, 0, sizeof(struct sockaddr_in)); + ((struct sockaddr_in *)out)->sin_addr = ((struct sockaddr_in *)in)->sin_addr; + } + break; + case AF_INET6: + out = malloc(sizeof(struct sockaddr_in6)); + if (out) { + memset(out, 0, sizeof(struct sockaddr_in6)); + ((struct sockaddr_in6 *)out)->sin6_addr = ((struct sockaddr_in6 *)in)->sin6_addr; + } + break; + } + out->sa_family = in->sa_family; +#ifdef SIN6_LEN + out->sa_len = in->sa_len; +#endif + return out; +} + +char *addr2string(struct sockaddr *addr) { + union { + struct sockaddr *sa; + struct sockaddr_in *sa4; + struct sockaddr_in6 *sa6; + } u; + struct sockaddr_in sa4; + static char addr_buf[2][INET6_ADDRSTRLEN]; + static int i = 0; + i = !i; + u.sa = addr; + if (u.sa->sa_family == AF_INET6) { + if (IN6_IS_ADDR_V4MAPPED(&u.sa6->sin6_addr)) { + memset(&sa4, 0, sizeof(sa4)); + sa4.sin_family = AF_INET; + sa4.sin_port = u.sa6->sin6_port; + memcpy(&sa4.sin_addr, &u.sa6->sin6_addr.s6_addr[12], 4); + u.sa4 = &sa4; + } + } + if (getnameinfo(u.sa, SOCKADDRP_SIZE(u.sa), addr_buf[i], sizeof(addr_buf[i]), + NULL, 0, NI_NUMERICHOST)) { + debug(DBG_WARN, "getnameinfo failed"); + return "getnameinfo_failed"; + } + return addr_buf[i]; +} + +#if 0 +/* not in use */ +int connectport(int type, char *host, char *port) { + struct addrinfo hints, *res0, *res; + int s = -1; + + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = type; + hints.ai_family = AF_UNSPEC; + + if (getaddrinfo(host, port, &hints, &res0) != 0) { + debug(DBG_ERR, "connectport: can't resolve host %s port %s", host, port); + return -1; + } + + for (res = res0; res; res = res->ai_next) { + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s < 0) { + debug(DBG_WARN, "connectport: socket failed"); + continue; + } + if (connect(s, res->ai_addr, res->ai_addrlen) == 0) + break; + debug(DBG_WARN, "connectport: connect failed"); + close(s); + s = -1; + } + freeaddrinfo(res0); + return s; +} +#endif + +/* Disable the "Don't Fragment" bit for UDP sockets. It is set by default, which may cause an "oversized" + RADIUS packet to be discarded on first attempt (due to Path MTU discovery). +*/ + +void disable_DF_bit(int socket, struct addrinfo *res) { + if ((res->ai_family == AF_INET) && (res->ai_socktype == SOCK_DGRAM)) { +#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) + /* + * Turn off Path MTU discovery on IPv4/UDP sockets, Linux variant. + */ + int r, action; + debug(DBG_INFO, "disable_DF_bit: disabling DF bit (Linux variant)"); + action = IP_PMTUDISC_DONT; + r = setsockopt(socket, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action)); + if (r == -1) + debug(DBG_WARN, "Failed to set IP_MTU_DISCOVER"); +#else + debug(DBG_INFO, "Non-Linux platform, unable to unset DF bit for UDP. You should check with tcpdump whether radsecproxy will send its UDP packets with DF bit set!"); +#endif + } +} + +int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only) { + int s, on = 1; + struct addrinfo *res; + + for (res = addrinfo; res; res = res->ai_next) { + if (family != AF_UNSPEC && family != res->ai_family) + continue; + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s < 0) { + debug(DBG_WARN, "bindtoaddr: socket failed"); + continue; + } + + disable_DF_bit(s,res); + + if (reuse) + setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); +#ifdef IPV6_V6ONLY + if (v6only) + setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)); +#endif + if (!bind(s, res->ai_addr, res->ai_addrlen)) + return s; + debug(DBG_WARN, "bindtoaddr: bind failed"); + close(s); + } + return -1; +} + +int connectnonblocking(int s, const struct sockaddr *addr, socklen_t addrlen, struct timeval *timeout) { + int origflags, error = 0, r = -1; + fd_set writefds; + socklen_t len; + + origflags = fcntl(s, F_GETFL, 0); + fcntl(s, F_SETFL, origflags | O_NONBLOCK); + if (!connect(s, addr, addrlen)) { + r = 0; + goto exit; + } + if (errno != EINPROGRESS) + goto exit; + + FD_ZERO(&writefds); + FD_SET(s, &writefds); + if (select(s + 1, NULL, &writefds, NULL, timeout) < 1) + goto exit; + + len = sizeof(error); + if (!getsockopt(s, SOL_SOCKET, SO_ERROR, (char*)&error, &len) && !error) + r = 0; + +exit: + fcntl(s, F_SETFL, origflags); + return r; +} + +int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout) { + int s; + struct addrinfo *res; + struct timeval to; + + s = -1; + if (timeout) { + if (addrinfo && addrinfo->ai_next && timeout > 5) + timeout = 5; + to.tv_sec = timeout; + to.tv_usec = 0; + } + + for (res = addrinfo; res; res = res->ai_next) { + s = bindtoaddr(src, res->ai_family, 1, 1); + if (s < 0) { + debug(DBG_WARN, "connecttoserver: socket failed"); + continue; + } + if ((timeout + ? connectnonblocking(s, res->ai_addr, res->ai_addrlen, &to) + : connect(s, res->ai_addr, res->ai_addrlen)) == 0) + break; + debug(DBG_WARN, "connecttoserver: connect failed"); + close(s); + s = -1; + } + return s; +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/radsecproxy/util.h b/radsecproxy/util.h new file mode 100644 index 0000000..cec4673 --- /dev/null +++ b/radsecproxy/util.h @@ -0,0 +1,35 @@ +/* Copyright (c) 2007-2009, UNINETT AS */ +/* See LICENSE for licensing information. */ + +#include +#include + +#define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \ + sizeof(struct sockaddr_in) : \ + sizeof(struct sockaddr_in6)) + +#define SOCKADDRP_SIZE(addr) ((addr)->sa_family == AF_INET ? \ + sizeof(struct sockaddr_in) : \ + sizeof(struct sockaddr_in6)) + +#if defined (__cplusplus) +extern "C" { +#endif + +char *stringcopy(const char *s, int len); +char *addr2string(struct sockaddr *addr); +struct sockaddr *addr_copy(struct sockaddr *in); +void port_set(struct sockaddr *sa, uint16_t port); + +void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len); +void disable_DF_bit(int socket, struct addrinfo *res); +int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only); +int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout); + +#if defined (__cplusplus) +} +#endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/request.c b/request.c new file mode 100644 index 0000000..40ac56d --- /dev/null +++ b/request.c @@ -0,0 +1,158 @@ +/* Copyright 2010-2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "conn.h" +#include "tcp.h" +#include "udp.h" + +/* RFC 5080 2.2.1. Retransmission Behavior. */ +#define IRT 2 +#define MRC 5 +#define MRT 16 +#define MRD 30 +#define RAND 100 /* Rand factor, milliseconds. */ + +int +rs_request_create (struct rs_connection *conn, struct rs_request **req_out) +{ + struct rs_request *req = rs_malloc (conn->ctx, sizeof(*req)); + assert (req_out); + if (!req) + return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); + memset (req, 0, sizeof(*req)); + req->conn = conn; + *req_out = req; + return RSE_OK; +} + +void +rs_request_add_reqpkt (struct rs_request *req, struct rs_packet *req_msg) +{ + assert (req); + req->req_msg = req_msg; +} + +int +rs_request_create_authn (struct rs_connection *conn, + struct rs_request **req_out, + const char *user_name, + const char *user_pw) +{ + struct rs_request *req = NULL; + assert (req_out); + + if (rs_request_create (conn, &req)) + return -1; + + if (rs_packet_create_authn_request (conn, &req->req_msg, user_name, user_pw)) + return -1; + + if (req_out) + *req_out = req; + return RSE_OK; +} + +void +rs_request_destroy (struct rs_request *request) +{ + assert (request); + assert (request->conn); + assert (request->conn->ctx); + + if (request->req_msg) + rs_packet_destroy (request->req_msg); + rs_free (request->conn->ctx, request); +} + +static void +_rand_rt (struct timeval *res, uint32_t rtprev, uint32_t factor) +{ + uint32_t ms = rtprev * (nr_rand () % factor); + res->tv_sec = rtprev + ms / 1000; + res->tv_usec = (ms % 1000) * 1000; +} + +int +rs_request_send (struct rs_request *request, struct rs_packet **resp_msg) +{ + int r = 0; + struct rs_connection *conn = NULL; + int count = 0; + struct timeval rt = {0,0}; + struct timeval end = {0,0}; + struct timeval now = {0,0}; + struct timeval tmp_tv = {0,0}; + const struct timeval mrt_tv = {MRT,0}; + + if (!request || !request->conn || !request->req_msg || !resp_msg) + return rs_err_conn_push_fl (conn, RSE_INVAL, __FILE__, __LINE__, NULL); + conn = request->conn; + assert (!conn_user_dispatch_p (conn)); /* This function is high level. */ + + gettimeofday (&end, NULL); + end.tv_sec += MRD; + _rand_rt (&rt, IRT, RAND); + while (1) + { + rs_conn_set_timeout (conn, &rt); + + r = rs_packet_send (request->req_msg, NULL); + if (r == RSE_OK) + { + r = rs_conn_receive_packet (request->conn, + request->req_msg, + resp_msg); + if (r == RSE_OK) + break; /* Success. */ + } + if (r != RSE_TIMEOUT_CONN && r != RSE_TIMEOUT_IO) + break; /* Error. */ + + /* Timing out reading or writing. Pop the timeout error from the + stack and continue the loop. */ + rs_err_conn_pop (request->conn); + + gettimeofday (&now, NULL); + if (++count > MRC || timercmp (&now, &end, >)) + { + r = rs_err_conn_push_fl (request->conn, RSE_TIMEOUT, + __FILE__, __LINE__, NULL); + break; /* Timeout. */ + } + + /* rt = 2 * rt + rand_rt (rt, RAND); */ + timeradd (&rt, &rt, &rt); + _rand_rt (&tmp_tv, IRT, RAND); + timeradd (&rt, &tmp_tv, &rt); + if (timercmp (&rt, &mrt_tv, >)) + _rand_rt (&rt, MRT, RAND); + } + + timerclear (&rt); + rs_conn_set_timeout (conn, &rt); + + rs_debug (("%s: returning %d\n", __func__, r)); + return r; +} + +struct rs_packet * +rs_request_get_reqmsg (const struct rs_request *request) +{ + assert (request); + return request->req_msg; +} diff --git a/send.c b/send.c new file mode 100644 index 0000000..3161bbe --- /dev/null +++ b/send.c @@ -0,0 +1,138 @@ +/* Copyright 2011,2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include "debug.h" +#include "packet.h" +#include "event.h" +#include "peer.h" +#include "conn.h" +#include "tcp.h" +#include "udp.h" + +static int +_conn_open (struct rs_connection *conn, struct rs_packet *pkt) +{ + if (event_init_eventbase (conn)) + return -1; + + if (!conn->active_peer) + peer_pick_peer (conn); + if (!conn->active_peer) + return rs_err_conn_push_fl (conn, RSE_NOPEER, __FILE__, __LINE__, NULL); + + if (event_init_socket (conn, conn->active_peer)) + return -1; + + if (conn->realm->type == RS_CONN_TYPE_TCP + || conn->realm->type == RS_CONN_TYPE_TLS) + { + if (tcp_init_connect_timer (conn)) + return -1; + if (event_init_bufferevent (conn, conn->active_peer)) + return -1; + } + else + { + if (udp_init (conn, pkt)) + return -1; + if (udp_init_retransmit_timer (conn)) + return -1; + } + + if (!conn->is_connected) + if (!conn->is_connecting) + event_do_connect (conn); + + return RSE_OK; +} + +static int +_conn_is_open_p (struct rs_connection *conn) +{ + return conn->active_peer && conn->is_connected; +} + +/* User callback used when we're dispatching for user. */ +static void +_wcb (void *user_data) +{ + struct rs_packet *pkt = (struct rs_packet *) user_data; + assert (pkt); + pkt->flags |= RS_PACKET_SENT; + if (pkt->conn->bev) + bufferevent_disable (pkt->conn->bev, EV_WRITE|EV_READ); + else + event_del (pkt->conn->wev); +} + +int +rs_packet_send (struct rs_packet *pkt, void *user_data) +{ + struct rs_connection *conn = NULL; + int err = 0; + + assert (pkt); + assert (pkt->conn); + conn = pkt->conn; + + if (_conn_is_open_p (conn)) + packet_do_send (pkt); + else + if (_conn_open (conn, pkt)) + return -1; + + assert (conn->evb); + assert (conn->active_peer); + assert (conn->fd >= 0); + + conn->user_data = user_data; + + if (conn->bev) /* TCP */ + { + bufferevent_setcb (conn->bev, NULL, tcp_write_cb, tcp_event_cb, pkt); + bufferevent_enable (conn->bev, EV_WRITE); + } + else /* UDP */ + { + event_assign (conn->wev, conn->evb, event_get_fd (conn->wev), + EV_WRITE, event_get_callback (conn->wev), pkt); + err = event_add (conn->wev, NULL); + if (err < 0) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "event_add: %s", + evutil_gai_strerror (err)); + } + + /* Do dispatch, unless the user wants to do it herself. */ + if (!conn_user_dispatch_p (conn)) + { + conn->callbacks.sent_cb = _wcb; + conn->user_data = pkt; + rs_debug (("%s: entering event loop\n", __func__)); + err = event_base_dispatch (conn->evb); + if (err < 0) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "event_base_dispatch: %s", + evutil_gai_strerror (err)); + rs_debug (("%s: event loop done\n", __func__)); + conn->callbacks.sent_cb = NULL; + conn->user_data = NULL; + + if ((pkt->flags & RS_PACKET_SENT) == 0) + { + assert (rs_err_conn_peek_code (conn)); + return rs_err_conn_peek_code (conn); + } + } + + return RSE_OK; +} diff --git a/tcp.c b/tcp.c new file mode 100644 index 0000000..07bc109 --- /dev/null +++ b/tcp.c @@ -0,0 +1,274 @@ +/* Copyright 2011-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#if defined (RS_ENABLE_TLS) +#include +#include +#endif +#include +#include +#include +#include "tcp.h" +#include "packet.h" +#include "conn.h" +#include "debug.h" +#include "event.h" + +#if defined (DEBUG) +#include +#endif + +/** Read one RADIUS packet header. Return !0 on error. */ +static int +_read_header (struct rs_packet *pkt) +{ + size_t n = 0; + + n = bufferevent_read (pkt->conn->bev, pkt->hdr, RS_HEADER_LEN); + if (n == RS_HEADER_LEN) + { + pkt->flags |= RS_PACKET_HEADER_READ; + pkt->rpkt->length = (pkt->hdr[2] << 8) + pkt->hdr[3]; + if (pkt->rpkt->length < 20 || pkt->rpkt->length > RS_MAX_PACKET_LEN) + { + rs_debug (("%s: invalid packet length: %d\n", + __func__, pkt->rpkt->length)); + rs_conn_disconnect (pkt->conn); + return rs_err_conn_push (pkt->conn, RSE_INVALID_PKT, + "invalid packet length: %d", + pkt->rpkt->length); + } + memcpy (pkt->rpkt->data, pkt->hdr, RS_HEADER_LEN); + bufferevent_setwatermark (pkt->conn->bev, EV_READ, + pkt->rpkt->length - RS_HEADER_LEN, 0); + rs_debug (("%s: packet header read, total pkt len=%d\n", + __func__, pkt->rpkt->length)); + } + else if (n < 0) + { + rs_debug (("%s: buffer frozen while reading header\n", __func__)); + } + else /* Error: libevent gave us less than the low watermark. */ + { + rs_debug (("%s: got: %d octets reading header\n", __func__, n)); + rs_conn_disconnect (pkt->conn); + return rs_err_conn_push_fl (pkt->conn, RSE_INTERNAL, __FILE__, __LINE__, + "got %d octets reading header", n); + } + + return 0; +} + +/** Read a message, check that it's valid RADIUS and hand it off to + registered user callback. + + The packet is read from the bufferevent associated with \a pkt and + the data is stored in \a pkt->rpkt. + + Return 0 on success and !0 on failure. */ +static int +_read_packet (struct rs_packet *pkt) +{ + size_t n = 0; + int err; + + rs_debug (("%s: trying to read %d octets of packet data\n", __func__, + pkt->rpkt->length - RS_HEADER_LEN)); + + n = bufferevent_read (pkt->conn->bev, + pkt->rpkt->data + RS_HEADER_LEN, + pkt->rpkt->length - RS_HEADER_LEN); + + rs_debug (("%s: read %ld octets of packet data\n", __func__, n)); + + if (n == pkt->rpkt->length - RS_HEADER_LEN) + { + bufferevent_disable (pkt->conn->bev, EV_READ); + rs_debug (("%s: complete packet read\n", __func__)); + pkt->flags &= ~RS_PACKET_HEADER_READ; + memset (pkt->hdr, 0, sizeof(*pkt->hdr)); + + /* Checks done by rad_packet_ok: + - lenghts (FIXME: checks really ok for tcp?) + - invalid code field + - attribute lengths >= 2 + - attribute sizes adding up correctly */ + err = nr_packet_ok (pkt->rpkt); + if (err != RSE_OK) + { + rs_debug (("%s: %d: invalid packet\n", __func__, -err)); + rs_conn_disconnect (pkt->conn); + return rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "invalid packet"); + } + +#if defined (DEBUG) + /* Find out what happens if there's data left in the buffer. */ + { + size_t rest = 0; + rest = evbuffer_get_length (bufferevent_get_input (pkt->conn->bev)); + if (rest) + rs_debug (("%s: returning with %d octets left in buffer\n", __func__, + rest)); + } +#endif + + /* Hand over message to user. This changes ownership of pkt. + Don't touch it afterwards -- it might have been freed. */ + if (pkt->conn->callbacks.received_cb) + pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data); + } + else if (n < 0) /* Buffer frozen. */ + rs_debug (("%s: buffer frozen when reading packet\n", __func__)); + else /* Short packet. */ + rs_debug (("%s: waiting for another %d octets\n", __func__, + pkt->rpkt->length - RS_HEADER_LEN - n)); + + return 0; +} + +/* The read callback for TCP. + + Read exactly one RADIUS message from BEV and store it in struct + rs_packet passed in USER_DATA. + + Inform upper layer about successful reception of received RADIUS + message by invoking conn->callbacks.recevied_cb(), if !NULL. */ +void +tcp_read_cb (struct bufferevent *bev, void *user_data) +{ + struct rs_packet *pkt = (struct rs_packet *) user_data; + + assert (pkt); + assert (pkt->conn); + assert (pkt->rpkt); + + pkt->rpkt->sockfd = pkt->conn->fd; + pkt->rpkt->vps = NULL; /* FIXME: can this be done when initializing pkt? */ + + /* Read a message header if not already read, return if that + fails. Read a message and have it dispatched to the user + registered callback. + + Room for improvement: Peek inside buffer (evbuffer_copyout()) to + avoid the extra copying. */ + if ((pkt->flags & RS_PACKET_HEADER_READ) == 0) + if (_read_header (pkt)) + return; /* Error. */ + _read_packet (pkt); +} + +void +tcp_event_cb (struct bufferevent *bev, short events, void *user_data) +{ + struct rs_packet *pkt = (struct rs_packet *) user_data; + struct rs_connection *conn = NULL; + int sockerr = 0; +#if defined (RS_ENABLE_TLS) + unsigned long tlserr = 0; +#endif +#if defined (DEBUG) + struct rs_peer *p = NULL; +#endif + + assert (pkt); + assert (pkt->conn); + conn = pkt->conn; +#if defined (DEBUG) + assert (pkt->conn->active_peer); + p = conn->active_peer; +#endif + + conn->is_connecting = 0; + if (events & BEV_EVENT_CONNECTED) + { + if (conn->tev) + evtimer_del (conn->tev); /* Cancel connect timer. */ + if (event_on_connect (conn, pkt)) + { + event_on_disconnect (conn); + event_loopbreak (conn); + } + } + else if (events & BEV_EVENT_EOF) + { + event_on_disconnect (conn); + } + else if (events & BEV_EVENT_TIMEOUT) + { + rs_debug (("%s: %p times out on %s\n", __func__, p, + (events & BEV_EVENT_READING) ? "read" : "write")); + rs_err_conn_push_fl (conn, RSE_TIMEOUT_IO, __FILE__, __LINE__, NULL); + } + else if (events & BEV_EVENT_ERROR) + { + sockerr = evutil_socket_geterror (conn->active_peer->fd); + if (sockerr == 0) /* FIXME: True that errno == 0 means closed? */ + { + event_on_disconnect (conn); + rs_err_conn_push_fl (conn, RSE_DISCO, __FILE__, __LINE__, NULL); + } + else + { + rs_debug (("%s: %d: %d (%s)\n", __func__, conn->fd, sockerr, + evutil_socket_error_to_string (sockerr))); + rs_err_conn_push_fl (conn, RSE_SOCKERR, __FILE__, __LINE__, + "%d: %d (%s)", conn->fd, sockerr, + evutil_socket_error_to_string (sockerr)); + } +#if defined (RS_ENABLE_TLS) + if (conn->tls_ssl) /* FIXME: correct check? */ + { + for (tlserr = bufferevent_get_openssl_error (conn->bev); + tlserr; + tlserr = bufferevent_get_openssl_error (conn->bev)) + { + rs_debug (("%s: openssl error: %s\n", __func__, + ERR_error_string (tlserr, NULL))); + rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, + ERR_error_string (tlserr, NULL)); + } + } +#endif /* RS_ENABLE_TLS */ + event_loopbreak (conn); + } + +#if defined (DEBUG) + if (events & BEV_EVENT_ERROR && events != BEV_EVENT_ERROR) + rs_debug (("%s: BEV_EVENT_ERROR and more: 0x%x\n", __func__, events)); +#endif +} + +void +tcp_write_cb (struct bufferevent *bev, void *ctx) +{ + struct rs_packet *pkt = (struct rs_packet *) ctx; + + assert (pkt); + assert (pkt->conn); + + if (pkt->conn->callbacks.sent_cb) + pkt->conn->callbacks.sent_cb (pkt->conn->user_data); +} + +int +tcp_init_connect_timer (struct rs_connection *conn) +{ + assert (conn); + + if (conn->tev) + event_free (conn->tev); + conn->tev = evtimer_new (conn->evb, event_conn_timeout_cb, conn); + if (!conn->tev) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "evtimer_new"); + + return RSE_OK; +} diff --git a/tcp.h b/tcp.h new file mode 100644 index 0000000..eddc4c8 --- /dev/null +++ b/tcp.h @@ -0,0 +1,7 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +void tcp_event_cb (struct bufferevent *bev, short events, void *user_data); +void tcp_read_cb (struct bufferevent *bev, void *user_data); +void tcp_write_cb (struct bufferevent *bev, void *ctx); +int tcp_init_connect_timer (struct rs_connection *conn); diff --git a/tests/Makefile.am b/tests/Makefile.am new file mode 100644 index 0000000..09f9d28 --- /dev/null +++ b/tests/Makefile.am @@ -0,0 +1,12 @@ +AUTOMAKE_OPTIONS = foreign +AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir) +AM_CFLAGS = -Wall -Werror -g + +TESTS = test-udp + +check_PROGRAMS = test-udp udp-server + +test_udp_SOURCES = test-udp.c udp.c udp.h +test_udp_LDADD = ../libradsec.la -lcunit -lm + +udp_server_SOURCES = udp-server.c udp.c udp.h diff --git a/tests/README b/tests/README new file mode 100644 index 0000000..33bddc1 --- /dev/null +++ b/tests/README @@ -0,0 +1,39 @@ +This is the README file for the test directory of libradsec. + +Build +----- + +In order to build and run the tests, you'll need to have CUnit +installed. + +Source code: http://cunit.sourceforge.net/ +Debian package: libcunit1-dev +FreeBSD port: devel/cunit + + +Run +--- + +NOTE: To run the tests you currently need +- a RADIUS server running at localhost:1820 with the shared RADIUS + secret "sikrit" configured (or whatever "test-udp-auth" in test.conf + says) +- a user "molgan@PROJECT-MOONSHOT.ORG" with password "password" + present in the RADIUS database +These requirements will be removed in a future libradsec release. + + +Run the tests by typing + + make check + +The output should read something like + + --Run Summary: Type Total Ran Passed Failed + suites 2 2 n/a 0 + tests 2 2 2 0 + asserts 23 23 23 0 + PASS: test-udp + ============= + 1 test passed + ============= diff --git a/tests/demoCA/index.txt b/tests/demoCA/index.txt new file mode 100644 index 0000000..51f934f --- /dev/null +++ b/tests/demoCA/index.txt @@ -0,0 +1,3 @@ +V 250806115449Z 01 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ca +V 250806115457Z 02 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=srv1 +V 250806115504Z 03 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=cli1 diff --git a/tests/demoCA/index.txt.attr b/tests/demoCA/index.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/tests/demoCA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/tests/demoCA/newcerts/01.pem b/tests/demoCA/newcerts/01.pem new file mode 100644 index 0000000..29cb5ee --- /dev/null +++ b/tests/demoCA/newcerts/01.pem @@ -0,0 +1,46 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca + Validity + Not Before: Sep 12 11:54:49 2012 GMT + Not After : Aug 6 11:54:49 2025 GMT + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (512 bit) + Modulus: + 00:eb:9e:52:bf:1a:7c:32:63:9f:96:80:71:f1:98: + 87:90:97:f1:7a:4a:81:6d:66:7e:8e:7c:50:5f:f9: + 6e:94:1a:b0:7b:46:87:b5:9e:23:48:04:ad:f3:55: + a1:f9:31:50:a1:10:ab:ca:ba:70:ac:58:95:4e:9d: + 3a:2b:52:36:df + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 + X509v3 Authority Key Identifier: + keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 15:12:3b:79:3d:61:d2:c7:d2:a8:0c:df:82:ea:66:76:26:cb: + ab:b5:83:a3:52:a0:23:1a:a9:92:8e:93:41:f7:6c:3f:8a:2c: + bd:32:3d:70:3f:b6:fd:f2:37:50:0a:66:8c:1c:44:bf:ef:50: + 24:33:bd:48:47:04:ee:8c:61:88 +-----BEGIN CERTIFICATE----- +MIIB5TCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET +MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU0NDlaFw0yNTA4MDYxMTU0 +NDlaMFIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK +DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAmNhMFwwDQYJKoZI +hvcNAQEBBQADSwAwSAJBAOueUr8afDJjn5aAcfGYh5CX8XpKgW1mfo58UF/5bpQa +sHtGh7WeI0gErfNVofkxUKEQq8q6cKxYlU6dOitSNt8CAwEAAaNQME4wHQYDVR0O +BBYEFBFXQAvwMy+uwtqkOgC66TSzdSAFMB8GA1UdIwQYMBaAFBFXQAvwMy+uwtqk +OgC66TSzdSAFMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADQQAVEjt5PWHS +x9KoDN+C6mZ2JsurtYOjUqAjGqmSjpNB92w/iiy9Mj1wP7b98jdQCmaMHES/71Ak +M71IRwTujGGI +-----END CERTIFICATE----- diff --git a/tests/demoCA/newcerts/02.pem b/tests/demoCA/newcerts/02.pem new file mode 100644 index 0000000..2e1cccb --- /dev/null +++ b/tests/demoCA/newcerts/02.pem @@ -0,0 +1,49 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca + Validity + Not Before: Sep 12 11:54:57 2012 GMT + Not After : Aug 6 11:54:57 2025 GMT + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=srv1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (512 bit) + Modulus: + 00:ac:21:78:6f:cb:1c:10:c2:71:7b:72:03:e3:4b: + b2:c7:f6:63:3f:69:d3:d3:48:e0:90:16:0f:5a:44: + f5:9c:ed:b9:6b:72:be:11:6e:26:09:32:0c:51:25: + 10:35:fe:a0:33:fe:cf:90:9f:2c:8b:3a:c5:98:86: + c2:a9:5c:ba:a7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 08:13:6F:A0:93:47:21:31:9F:02:79:A5:CF:24:4A:D1:0B:A7:10:09 + X509v3 Authority Key Identifier: + keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 + + Signature Algorithm: sha1WithRSAEncryption + 2c:7e:61:65:48:cc:46:50:58:cc:9d:1b:b2:e7:2d:2b:72:e2: + a1:2f:2c:14:35:4d:b8:42:87:66:57:77:c4:02:17:fa:3c:db: + 83:3f:89:37:ae:f8:e9:00:fe:96:d8:4b:80:63:db:08:7a:c6: + e1:c7:59:ec:d9:76:4a:be:1a:19 +-----BEGIN CERTIFICATE----- +MIICEjCCAbygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET +MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU0NTdaFw0yNTA4MDYxMTU0 +NTdaMFQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK +DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDTALBgNVBAMMBHNydjEwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEArCF4b8scEMJxe3ID40uyx/ZjP2nT00jgkBYPWkT1 +nO25a3K+EW4mCTIMUSUQNf6gM/7PkJ8sizrFmIbCqVy6pwIDAQABo3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUCBNvoJNHITGfAnmlzyRK0QunEAkwHwYDVR0jBBgwFoAU +EVdAC/AzL67C2qQ6ALrpNLN1IAUwDQYJKoZIhvcNAQEFBQADQQAsfmFlSMxGUFjM +nRuy5y0rcuKhLywUNU24QodmV3fEAhf6PNuDP4k3rvjpAP6W2EuAY9sIesbhx1ns +2XZKvhoZ +-----END CERTIFICATE----- diff --git a/tests/demoCA/newcerts/03.pem b/tests/demoCA/newcerts/03.pem new file mode 100644 index 0000000..d07be19 --- /dev/null +++ b/tests/demoCA/newcerts/03.pem @@ -0,0 +1,49 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=ca + Validity + Not Before: Sep 12 11:55:04 2012 GMT + Not After : Aug 6 11:55:04 2025 GMT + Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=cli1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (512 bit) + Modulus: + 00:99:7b:86:e0:46:de:f1:69:10:97:f8:4e:78:c8: + ee:c2:c8:65:64:90:72:dd:51:4f:c6:58:78:49:07: + 61:b9:ed:0a:77:7b:d2:6a:c3:49:e5:91:6c:bf:78: + d0:fc:8a:5c:80:1a:b0:03:28:b2:ea:e8:c8:a0:b6: + be:a1:42:30:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 10:17:90:80:D8:B0:7E:91:91:13:32:27:8C:EF:A6:DE:9F:C1:C4:A7 + X509v3 Authority Key Identifier: + keyid:11:57:40:0B:F0:33:2F:AE:C2:DA:A4:3A:00:BA:E9:34:B3:75:20:05 + + Signature Algorithm: sha1WithRSAEncryption + b1:08:87:88:7d:90:78:01:da:4a:e7:be:82:22:3f:58:07:f7: + 46:a9:9a:42:a4:88:d9:b8:6a:69:bf:cb:d0:39:2d:c9:49:06: + fa:31:80:66:17:32:cc:e8:ae:36:9c:c1:d5:ae:6d:3c:eb:72: + 77:55:92:fa:ab:f5:a3:bc:19:2d +-----BEGIN CERTIFICATE----- +MIICEjCCAbygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJBVTET +MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMQswCQYDVQQDDAJjYTAeFw0xMjA5MTIxMTU1MDRaFw0yNTA4MDYxMTU1 +MDRaMFQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK +DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDTALBgNVBAMMBGNsaTEwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEAmXuG4Ebe8WkQl/hOeMjuwshlZJBy3VFPxlh4SQdh +ue0Kd3vSasNJ5ZFsv3jQ/IpcgBqwAyiy6ujIoLa+oUIwXQIDAQABo3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUEBeQgNiwfpGREzInjO+m3p/BxKcwHwYDVR0jBBgwFoAU +EVdAC/AzL67C2qQ6ALrpNLN1IAUwDQYJKoZIhvcNAQEFBQADQQCxCIeIfZB4AdpK +576CIj9YB/dGqZpCpIjZuGppv8vQOS3JSQb6MYBmFzLM6K42nMHVrm0863J3VZL6 +q/WjvBkt +-----END CERTIFICATE----- diff --git a/tests/demoCA/private/cakey.pem b/tests/demoCA/private/cakey.pem new file mode 100644 index 0000000..e7df9d0 --- /dev/null +++ b/tests/demoCA/private/cakey.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBAOueUr8afDJjn5aAcfGYh5CX8XpKgW1mfo58UF/5bpQasHtGh7We +I0gErfNVofkxUKEQq8q6cKxYlU6dOitSNt8CAwEAAQJAR+SmQPN24/Ur88M7gUlW +TBNgtjzXoyb8BMP/zlkQmZW5Tcv1xCa1UwK33u2wSmhSNP6zA1QrC2d2pv/7XZEp +wQIhAPpf2QuEooR5BPrvDiAVPlKp31EROrZOiOV5hbV1Kzx/AiEA8OmZZrvgrdQu +3PKRLfxD11NKf0yhC+7WdVWguYZ1VaECIF99XMcyz9TcXxThRa7gy0M1vJErlAvh +yf5TKba6OEI7AiBpNctdl11G7OxOZ8zJZWsHRYO6Vm/as0KLWYromvTxIQIhAK0c +r+G23R+dHDUdNEBSi6G74dbaJqaA8LsVr9w9m5gY +-----END RSA PRIVATE KEY----- diff --git a/tests/demoCA/private/cli1.key b/tests/demoCA/private/cli1.key new file mode 100644 index 0000000..09381f1 --- /dev/null +++ b/tests/demoCA/private/cli1.key @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOQIBAAJBAJl7huBG3vFpEJf4TnjI7sLIZWSQct1RT8ZYeEkHYbntCnd70mrD +SeWRbL940PyKXIAasAMosuroyKC2vqFCMF0CAwEAAQJAEozki1zle0YYlFWVnnGi +sfYokxQGXguC2dU9jI4Q2LjGut6mVx/zLIU59BS4nUq2aYHg0hxwwzOba92c0lT/ +HQIhAMp0+k7FtDdRQzIaDzeEY6MYyLhhhukhI3xpyXYVuyx7AiEAwhLQl6hYlsgh +78CzTAhAdbheAwIQWyvY7XjKzxdpGwcCIG/hr0YC2bHMNZ8laY1bmxhRpPLH6p9A +0fR6HXwlTDerAiA1y21SfHGB6huuD2Yjry3e86nrf4j1HKRWvuLIoJ6bxQIgWmyj +YOSFsaBwj9ptkY0d4H84SDHnt7GRypm0/98OSg8= +-----END RSA PRIVATE KEY----- diff --git a/tests/demoCA/private/srv1.key b/tests/demoCA/private/srv1.key new file mode 100644 index 0000000..284f1e1 --- /dev/null +++ b/tests/demoCA/private/srv1.key @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBAKwheG/LHBDCcXtyA+NLssf2Yz9p09NI4JAWD1pE9ZztuWtyvhFu +JgkyDFElEDX+oDP+z5CfLIs6xZiGwqlcuqcCAwEAAQJAbviJF7GfH2LsHISt4vyr +fuTmqTxF1wI13E6MiUrJ+eftT7Hq1Wq6B7gmlI1iJiJLlAH6o93PYhp8559Dfp+q +wQIhAOMbFp0NJPrVpycx5dQAYpM/edqXoOENQf1lMLOmOHlhAiEAwgfTbAaGNfQS +uXfzj0sx+IvoKE/MXfLKZ/uE9futCQcCIQC/mMjZMo+yNrHQdV5KHxEK3RB2hFmr +xD2aA9a0mVUnwQIgbYjHdNNWDr1DmMo7h+g2RI6Ot7scruiyFPNrgwXaEB8CICMa +8wjF27wlJ2nmhM9ZXUBtvBKgU+jspsA8n+wU+o+f +-----END RSA PRIVATE KEY----- diff --git a/tests/demoCA/serial b/tests/demoCA/serial new file mode 100644 index 0000000..6496923 --- /dev/null +++ b/tests/demoCA/serial @@ -0,0 +1 @@ +04 diff --git a/tests/test-udp.c b/tests/test-udp.c new file mode 100644 index 0000000..ed176c0 --- /dev/null +++ b/tests/test-udp.c @@ -0,0 +1,153 @@ +/* Copyright 2011,2013, NORDUnet A/S. All rights reserved. */ +/* See LICENSE for licensing information. */ + +#include +#include +#include +#include "radius/client.h" +#include "radsec/radsec.h" +#include "radsec/request.h" +#include "udp.h" + +static void +authenticate (struct rs_connection *conn, const char *user, const char *pw) +{ + struct rs_request *req; + struct rs_packet *msg, *resp; + + CU_ASSERT (rs_request_create (conn, &req) == 0); + CU_ASSERT (!rs_packet_create_authn_request (conn, &msg, user, pw)); + rs_request_add_reqpkt (req, msg); + CU_ASSERT (rs_request_send (req, &resp) == 0); + //printf ("%s\n", rs_err_msg (rs_err_conn_pop (conn), 1)); + CU_ASSERT (rs_packet_code(resp) == PW_ACCESS_ACCEPT); + + rs_request_destroy (req); +} + +static void +send_more_than_one_msg_in_one_packet (struct rs_connection *conn) +{ + struct rs_packet *msg0, *msg1; + + CU_ASSERT (rs_packet_create_authn_request (conn, &msg0, NULL, NULL) == 0); + CU_ASSERT (rs_packet_create_authn_request (conn, &msg1, NULL, NULL) == 0); + CU_ASSERT (rs_packet_send (msg0, NULL) == 0); + CU_ASSERT (rs_packet_send (msg1, NULL) == 0); +} + +#if 0 +static void +send_large_packet (struct rs_connection *conn) +{ + struct rs_packet *msg0; + struct radius_packet *frpkt = NULL; + char *buf; + int f; + + buf = malloc (RS_MAX_PACKET_LEN); + CU_ASSERT (buf != NULL); + memset (buf, 0, RS_MAX_PACKET_LEN); + + CU_ASSERT (rs_packet_create (conn, &msg0) == 0); + /* 16 chunks --> heap corruption in evbuffer_drain detected by free() */ + for (f = 0; f < 15; f++) + { + memset (buf, 'a' + f, 252); + //vp = pairmake ("EAP-Message", buf, T_OP_EQ); + CU_ASSERT (rs_packet_append_avp (msg0, fixme...) == RSE_OK); + } + CU_ASSERT (rs_packet_send (msg0, NULL) == 0); +} +#endif /* 0 */ + +/* ************************************************************ */ +static struct setup { + char *config_file; + char *config_name; + char *username; + char *pw; +} setup; + +static void +test_auth () +{ + struct rs_context *ctx; + struct rs_connection *conn; + + setup.config_file = "test.conf"; + setup.config_name = "test-udp-auth"; + setup.username = "molgan@PROJECT-MOONSHOT.ORG"; + setup.pw = "password"; + + CU_ASSERT (rs_context_create (&ctx) == 0); + CU_ASSERT (rs_context_read_config (ctx, setup.config_file) == 0); + CU_ASSERT (rs_conn_create (ctx, &conn, setup.config_name) == 0); + + authenticate (conn, setup.username, setup.pw); + + rs_conn_destroy (conn); + rs_context_destroy (ctx); +} + +static ssize_t +test_buffering_cb (const uint8_t *buf, ssize_t len) +{ + /* "Exactly one RADIUS packet is encapsulated in the UDP Data field" + [RFC 2865]*/ +#if 0 + hd (buf, len); +#endif + CU_ASSERT (len >= 20); + CU_ASSERT (len <= RS_MAX_PACKET_LEN); + CU_ASSERT ((buf[2] << 8) + buf[3] == len); + return len; +} + +static void +test_buffering () +{ + struct rs_context *ctx; + struct rs_connection *conn; + struct timeval timeout; + struct polldata *polldata; + + CU_ASSERT (rs_context_create (&ctx) == 0); + CU_ASSERT (rs_context_read_config (ctx, "test.conf") == 0); + CU_ASSERT (rs_conn_create (ctx, &conn, "test-udp-buffering") == 0); + + timeout.tv_sec = 0; + timeout.tv_usec = 150000; + polldata = udp_server ("11820", &timeout, test_buffering_cb); + CU_ASSERT (polldata != NULL); + + send_more_than_one_msg_in_one_packet (conn); + CU_ASSERT (udp_poll (polldata) > 0); + CU_ASSERT (udp_poll (polldata) > 0); + + + udp_free_polldata (polldata); + rs_conn_destroy (conn); + rs_context_destroy (ctx); +} + +/* ************************************************************ */ +int +main (int argc, char *argv[]) +{ + CU_pSuite s = NULL; + CU_pTest t = NULL; + unsigned int nfail; + + assert (CU_initialize_registry () == CUE_SUCCESS); + s = CU_add_suite ("auth", NULL, NULL); assert (s); + t = CU_ADD_TEST (s, test_auth); assert (t); + s = CU_add_suite ("buffering", NULL, NULL); assert (s); + t = CU_ADD_TEST (s, test_buffering); assert (t); + + assert (CU_basic_run_tests () == CUE_SUCCESS); + nfail = CU_get_number_of_failures(); + + CU_cleanup_registry (); + return nfail; +} diff --git a/tests/test.conf b/tests/test.conf new file mode 100644 index 0000000..98d0330 --- /dev/null +++ b/tests/test.conf @@ -0,0 +1,30 @@ +realm test-udp-auth { + type = "UDP" + server { + hostname = "localhost" + service = "1820" + secret = "sikrit" + } +} + +realm test-udp-buffering { + type = "UDP" + server { + hostname = "localhost" + service = "11820" + secret = "sikrit" + } +} + +realm test-tls-test { + type = "TLS" + cacertfile = "/home/linus/nordberg-ca.crt" + certfile = "/home/linus/p/radsecproxy/src/maatuska.nordberg.se.crt" + certkeyfile = "/home/linus/p/radsecproxy/src/maatuska.nordberg.se.key" + + server { + hostname = "localhost" + service = "1820" + secret = "sikrit" + } +} diff --git a/tests/udp-server.c b/tests/udp-server.c new file mode 100644 index 0000000..77a35df --- /dev/null +++ b/tests/udp-server.c @@ -0,0 +1,35 @@ +/* Copyright 2011, NORDUnet A/S. All rights reserved. */ +/* See LICENSE for licensing information. */ + +#include +#include +#include "udp.h" + +ssize_t +handle_data (const uint8_t *buf, ssize_t len) +{ + return hd (buf, len); +} + +int +main (int argc, char *argv[]) +{ + int n, i; + struct timeval tv; + struct polldata *data; + +#define TIMEOUT 1 /* Seconds. */ + + tv.tv_sec = TIMEOUT; + tv.tv_usec = 0; + data = udp_server (argv[1], &tv, handle_data); + + for (i = 0, n = udp_poll (data); n == 0 && i < 3; n = udp_poll (data), i++) + { + fprintf (stderr, "waiting another %ld second%s\n", + tv.tv_sec, tv.tv_sec > 1 ? "s" : ""); + } + + udp_free_polldata (data); + return (n <= 0); +} diff --git a/tests/udp.c b/tests/udp.c new file mode 100644 index 0000000..2c580da --- /dev/null +++ b/tests/udp.c @@ -0,0 +1,141 @@ +/* Copyright 2011,2013, NORDUnet A/S. All rights reserved. */ +/* See LICENSE for licensing information. */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "radius/client.h" +#include "udp.h" + +static struct addrinfo * +_resolve (const char *str) +{ + static int first = 1; + static struct addrinfo hints, *result = NULL; + struct addrinfo *rp = NULL; + int r; + + if (first) + { + first = 0; + memset (&hints, 0, sizeof (hints)); + hints.ai_family = AF_INET; /* AF_UNSPEC */ + hints.ai_socktype = SOCK_DGRAM; + r = getaddrinfo (NULL, str, &hints, &result); + if (r) + fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (r)); + } + + if (result) + { + rp = result; + result = result->ai_next; + } + + return rp; +} + +void +udp_free_polldata (struct polldata *data) +{ + if (data) + { + if (data->timeout) + free (data->timeout); + free (data); + } +} + +/* @return if select() returns error or timeout, return select() + else return value from invoked callback function */ +ssize_t +udp_poll (struct polldata *data) +{ + int r; + long timeout = 0; + fd_set rfds; + ssize_t len; + uint8_t buf[RS_MAX_PACKET_LEN]; + + FD_ZERO (&rfds); + FD_SET (data->s, &rfds); + if (data->timeout) + timeout = data->timeout->tv_sec; /* Save from destruction (Linux). */ + //fprintf (stderr, "calling select with timeout %ld\n", timeout); + r = select (data->s + 1, &rfds, NULL, NULL, data->timeout); + if (data->timeout) + data->timeout->tv_sec = timeout; /* Restore. */ + //fprintf (stderr, "select returning %d\n", r); + if (r > 0) + { + len = recv (data->s, buf, sizeof (buf), 0); + if (len > 0) + return data->cb (buf, len); + } + return r; +} + +struct polldata * +udp_server (const char *bindto, struct timeval *timeout, data_cb cb) +{ + struct addrinfo *res; + int s = -1; + + for (res = _resolve (bindto); res; res = _resolve (bindto)) + { + s = socket (res->ai_family, res->ai_socktype, res->ai_protocol); + if (s >= 0) + { + if (bind (s, res->ai_addr, res->ai_addrlen) == 0) + break; /* Done. */ + else + { + close (s); + s = -1; + } + } + } + + if (s >= 0) + { + struct polldata *data = malloc (sizeof (struct polldata)); + assert (data); + memset (data, 0, sizeof (struct polldata)); + data->s = s; + data->cb = cb; + if (timeout) + { + data->timeout = malloc (sizeof (struct timeval)); + assert (data->timeout); + memcpy (data->timeout, timeout, sizeof (struct timeval)); + } + return data; + } + + return NULL; +} + +ssize_t +hd (const uint8_t *buf, ssize_t len) +{ + int i; + + printf ("# len: %ld\n", len); + for (i = 0; i < len; i++) + { + printf ("%02x%s", buf[i], (i+1) % 8 ? " " : " "); + if ((i + 1) % 16 == 0) + printf ("\n"); + } + printf ("\n"); + return len; +} diff --git a/tests/udp.h b/tests/udp.h new file mode 100644 index 0000000..a8d5f23 --- /dev/null +++ b/tests/udp.h @@ -0,0 +1,20 @@ +/* Copyright 2011, NORDUnet A/S. All rights reserved. */ +/* See LICENSE for licensing information. */ + +#include +#include +#include + +typedef ssize_t (*data_cb) (const uint8_t *buf, ssize_t len); + +struct polldata { + int s; + data_cb cb; + struct timeval *timeout; +}; + +struct polldata *udp_server (const char *bindto, struct timeval *timeout, data_cb cb); +ssize_t udp_poll (struct polldata *data); +void udp_free_polldata (struct polldata *data); + +ssize_t hd (const uint8_t *buf, ssize_t len); diff --git a/tls.c b/tls.c new file mode 100644 index 0000000..ba3cab5 --- /dev/null +++ b/tls.c @@ -0,0 +1,372 @@ +/* Copyright 2010-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#if defined HAVE_PTHREAD_H +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include "radsecproxy/list.h" +#include "radsecproxy/radsecproxy.h" + +#include "tls.h" + +static struct tls * +_get_tlsconf (struct rs_connection *conn, const struct rs_realm *realm) +{ + struct tls *c = rs_malloc (conn->ctx, sizeof (struct tls)); + + if (c) + { + memset (c, 0, sizeof (struct tls)); + /* TODO: Make sure old radsecproxy code doesn't free these all + of a sudden, or strdup them. */ + c->name = realm->name; + c->cacertfile = realm->cacertfile; + c->cacertpath = NULL; /* NYI */ + c->certfile = realm->certfile; + c->certkeyfile = realm->certkeyfile; + c->certkeypwd = NULL; /* NYI */ + c->cacheexpiry = 0; /* NYI */ + c->crlcheck = 0; /* NYI */ + c->policyoids = (char **) NULL; /* NYI */ + } + else + rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); + + return c; +} + +#if defined RS_ENABLE_TLS_PSK +static unsigned int +psk_client_cb (SSL *ssl, + const char *hint, + char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len) +{ + struct rs_connection *conn = NULL; + struct rs_credentials *cred = NULL; + + conn = SSL_get_ex_data (ssl, 0); + assert (conn != NULL); + cred = conn->active_peer->realm->transport_cred; + assert (cred != NULL); + /* NOTE: Ignoring identity hint from server. */ + + if (strlen (cred->identity) + 1 > max_identity_len) + { + rs_err_conn_push (conn, RSE_CRED, "PSK identity longer than max %d", + max_identity_len - 1); + return 0; + } + strcpy (identity, cred->identity); + + switch (cred->secret_encoding) + { + case RS_KEY_ENCODING_UTF8: + cred->secret_len = strlen (cred->secret); + if (cred->secret_len > max_psk_len) + { + rs_err_conn_push (conn, RSE_CRED, "PSK secret longer than max %d", + max_psk_len); + return 0; + } + memcpy (psk, cred->secret, cred->secret_len); + break; + case RS_KEY_ENCODING_ASCII_HEX: + { + BIGNUM *bn = NULL; + + if (BN_hex2bn (&bn, cred->secret) == 0) + { + rs_err_conn_push (conn, RSE_CRED, "Unable to convert pskhexstr"); + if (bn != NULL) + BN_clear_free (bn); + return 0; + } + if ((unsigned int) BN_num_bytes (bn) > max_psk_len) + { + rs_err_conn_push (conn, RSE_CRED, "PSK secret longer than max %d", + max_psk_len); + BN_clear_free (bn); + return 0; + } + cred->secret_len = BN_bn2bin (bn, psk); + BN_clear_free (bn); + } + break; + default: + assert (!"unknown psk encoding"); + } + + return cred->secret_len; +} +#endif /* RS_ENABLE_TLS_PSK */ + +/** Read \a buf_len bytes from one of the random devices into \a + buf. Return 0 on success and -1 on failure. */ +static int +load_rand_ (uint8_t *buf, size_t buf_len) +{ + static const char *fns[] = {"/dev/urandom", "/dev/random", NULL}; + int i; + + if (buf_len > SSIZE_MAX) + return -1; + + for (i = 0; fns[i] != NULL; i++) + { + size_t nread = 0; + int fd = open (fns[i], O_RDONLY); + if (fd < 0) + continue; + while (nread != buf_len) + { + ssize_t r = read (fd, buf + nread, buf_len - nread); + if (r < 0) + return -1; + if (r == 0) + break; + nread += r; + } + close (fd); + if (nread != buf_len) + return -1; + return 0; + } + return -1; +} + +/** Initialise OpenSSL's PRNG by possibly invoking RAND_poll() and by + feeding RAND_seed() data from one of the random devices. If either + succeeds, we're happy and return 0. */ +static int +init_openssl_rand_ (void) +{ + long openssl_version = 0; + int openssl_random_init_flag = 0; + int our_random_init_flag = 0; + uint8_t buf[32]; + + /* Older OpenSSL has a crash bug in RAND_poll (when a file it opens + gets a file descriptor with a number higher than FD_SETSIZE) so + use it only for newer versions. */ + openssl_version = SSLeay (); + if (openssl_version >= OPENSSL_V (0,9,8,'c')) + openssl_random_init_flag = RAND_poll (); + + our_random_init_flag = !load_rand_ (buf, sizeof(buf)); + if (our_random_init_flag) + RAND_seed (buf, sizeof(buf)); + memset (buf, 0, sizeof(buf)); /* FIXME: What if memset() is optimised out? */ + + if (!openssl_random_init_flag && !our_random_init_flag) + return -1; + if (!RAND_bytes (buf, sizeof(buf))) + return -1; + return 0; +} + +#if defined HAVE_PTHREADS +/** Array of pthread_mutex_t for OpenSSL. Allocated and initialised in + \a init_locking_ and never freed. */ +static pthread_mutex_t *s_openssl_mutexes = NULL; +/** Number of pthread_mutex_t's allocated at s_openssl_mutexes. */ +static int s_openssl_mutexes_count = 0; + +/** Callback for OpenSSL when a lock is to be held or released. */ +static void +openssl_locking_cb_ (int mode, int i, const char *file, int line) +{ + if (s_openssl_mutexes == NULL || i >= s_openssl_mutexes_count) + return; + if (mode & CRYPTO_LOCK) + pthread_mutex_lock (&s_openssl_mutexes[i]); + else + pthread_mutex_unlock (&s_openssl_mutexes[i]); +} + +/** Initialise any locking needed for being thread safe. Libradsec has + all its own state in one or more struct rs_context and doesn't + need locks but libraries used by libradsec may need protection. */ +static int +init_locking_ () +{ + int i, n; + n = CRYPTO_num_locks (); + + s_openssl_mutexes = calloc (n, sizeof(pthread_mutex_t)); + if (s_openssl_mutexes == NULL) + return -RSE_NOMEM; + for (i = 0; i < n; i++) + pthread_mutex_init (&s_openssl_mutexes[i], NULL); + s_openssl_mutexes_count = n; + + return 0; +} +#endif /* HAVE_PTHREADS */ + +/** Initialise the TLS library. Return 0 on success, -1 on failure. */ +int +tls_init () +{ + SSL_load_error_strings (); +#if defined HAVE_PTHREADS + if (CRYPTO_get_locking_callback () == NULL) + { + assert (s_openssl_mutexes_count == 0); + /* Allocate and initialise mutexes. We will never free + these. FIXME: Is there a portable way of having a function + invoked when a solib is unloaded? -ln */ + if (init_locking_ ()) + return -1; + CRYPTO_set_locking_callback (openssl_locking_cb_); + } +#endif /* HAVE_PTHREADS */ + SSL_library_init (); + return init_openssl_rand_ (); +} + +int +tls_init_conn (struct rs_connection *conn) +{ + struct rs_context *ctx = NULL; + struct tls *tlsconf = NULL; + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + unsigned long sslerr = 0; + + assert (conn->ctx); + ctx = conn->ctx; + + tlsconf = _get_tlsconf (conn, conn->active_peer->realm); + if (!tlsconf) + return -1; + ssl_ctx = tlsgetctx (RAD_TLS, tlsconf); + if (!ssl_ctx) + { + for (sslerr = ERR_get_error (); sslerr; sslerr = ERR_get_error ()) + rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, + ERR_error_string (sslerr, NULL)); + return -1; + } + ssl = SSL_new (ssl_ctx); + if (!ssl) + { + for (sslerr = ERR_get_error (); sslerr; sslerr = ERR_get_error ()) + rs_err_conn_push_fl (conn, RSE_SSLERR, __FILE__, __LINE__, + ERR_error_string (sslerr, NULL)); + return -1; + } + +#if defined RS_ENABLE_TLS_PSK + if (conn->active_peer->realm->transport_cred != NULL) + { + SSL_set_psk_client_callback (ssl, psk_client_cb); + SSL_set_ex_data (ssl, 0, conn); + } +#endif /* RS_ENABLE_TLS_PSK */ + + conn->tls_ctx = ssl_ctx; + conn->tls_ssl = ssl; + rs_free (ctx, tlsconf); + return RSE_OK; +} + +/* draft-ietf-radext-radsec-11.txt + + * Certificate validation MUST include the verification rules as + per [RFC5280]. + + * Implementations SHOULD indicate their acceptable Certification + Authorities as per section 7.4.4 (server side) and x.y.z + ["Trusted CA Indication"] (client side) of [RFC5246] (see + Section 3.2) + + * Implementations SHOULD allow to configure a list of acceptable + certificates, identified via certificate fingerprint. When a + fingerprint configured, the fingerprint is prepended with an + ASCII label identifying the hash function followed by a colon. + Implementations MUST support SHA-1 as the hash algorithm and + use the ASCII label "sha-1" to identify the SHA-1 algorithm. + The length of a SHA-1 hash is 20 bytes and the length of the + corresponding fingerprint string is 65 characters. An example + certificate fingerprint is: sha- + 1:E1:2D:53:2B:7C:6B:8A:29:A2:76:C8:64:36:0B:08:4B:7A:F1:9E:9D + + * Peer validation always includes a check on whether the locally + configured expected DNS name or IP address of the server that + is contacted matches its presented certificate. DNS names and + IP addresses can be contained in the Common Name (CN) or + subjectAltName entries. For verification, only one of these + entries is to be considered. The following precedence + applies: for DNS name validation, subjectAltName:DNS has + precedence over CN; for IP address validation, subjectAltName: + iPAddr has precedence over CN. + + * Implementations SHOULD allow to configure a set of acceptable + values for subjectAltName:URI. + */ +int +tls_verify_cert (struct rs_connection *conn) +{ + int err = 0; + int success = 0; + X509 *peer_cert = NULL; + struct in6_addr addr; + const char *hostname = NULL; + + assert (conn->active_peer->conn == conn); + assert (conn->active_peer->hostname != NULL); + hostname = conn->active_peer->hostname; + + /* verifytlscert() performs basic verification as described by + OpenSSL VERIFY(1), i.e. verification of the certificate chain. */ + peer_cert = verifytlscert (conn->tls_ssl); + if (peer_cert == NULL) + { + err = rs_err_conn_push (conn, RSE_SSLERR, + "basic certificate validation failed"); + goto out; + } + + if (inet_pton (AF_INET, hostname, &addr)) + success = (subjectaltnameaddr (peer_cert, AF_INET, &addr) == 1); + else if (inet_pton (AF_INET6, hostname, &addr)) + success = (subjectaltnameaddr (peer_cert, AF_INET6, &addr) == 1); + else + success = (subjectaltnameregexp (peer_cert, GEN_DNS, hostname, NULL) == 1); + + if (!success) + success = (cnregexp (peer_cert, hostname, NULL) == 1); + + if (conn->realm->disable_hostname_check) + success = 1; + if (!success) + err = rs_err_conn_push (conn, RSE_CERT, "server certificate doesn't " + "match configured hostname \"%s\"", hostname); + + out: + if (peer_cert != NULL) + X509_free (peer_cert); + return err; +} diff --git a/tls.h b/tls.h new file mode 100644 index 0000000..51f2a64 --- /dev/null +++ b/tls.h @@ -0,0 +1,23 @@ +/* Copyright 2010-2012 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined (__cplusplus) +extern "C" { +#endif + +int tls_init (void); +int tls_init_conn (struct rs_connection *conn); +int tls_verify_cert (struct rs_connection *conn); + +#define OPENSSL_VER(a,b,c,d,e) \ + (((a)<<28) | \ + ((b)<<20) | \ + ((c)<<12) | \ + ((d)<< 4) | \ + (e)) +#define OPENSSL_V(a,b,c,d) \ + OPENSSL_VER((a),(b),(c),(d)-'a'+1,0xf) + +#if defined (__cplusplus) +} +#endif diff --git a/udp.c b/udp.c new file mode 100644 index 0000000..c00f215 --- /dev/null +++ b/udp.c @@ -0,0 +1,177 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#if defined HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include "debug.h" +#include "event.h" +#include "compat.h" +#include "udp.h" + +/* Send one packet, the first in queue. */ +static int +_send (struct rs_connection *conn, int fd) +{ + ssize_t r = 0; + struct rs_packet *pkt = conn->out_queue; + + assert (pkt->rpkt); + assert (pkt->rpkt->data); + + /* Send. */ + r = compat_send (fd, pkt->rpkt->data, pkt->rpkt->length, 0); + if (r == -1) + { + int sockerr = evutil_socket_geterror (pkt->conn->fd); + if (sockerr != EAGAIN) + return rs_err_conn_push_fl (pkt->conn, RSE_SOCKERR, __FILE__, __LINE__, + "%d: send: %d (%s)", fd, sockerr, + evutil_socket_error_to_string (sockerr)); + } + + assert (r == pkt->rpkt->length); + /* Unlink the packet. */ + conn->out_queue = pkt->next; + + /* If there are more packets in queue, add the write event again. */ + if (pkt->conn->out_queue) + { + r = event_add (pkt->conn->wev, NULL); + if (r < 0) + return rs_err_conn_push_fl (pkt->conn, RSE_EVENT, __FILE__, __LINE__, + "event_add: %s", evutil_gai_strerror (r)); + rs_debug (("%s: re-adding the write event\n", __func__)); + } + + return RSE_OK; +} + +/* Callback for conn->wev and conn->rev. FIXME: Rename. + + USER_DATA contains connection for EV_READ and a packet for + EV_WRITE. This is because we don't have a connect/establish entry + point at the user level -- send implies connect so when we're + connected we need the packet to send. */ +static void +_evcb (evutil_socket_t fd, short what, void *user_data) +{ + int err; + struct rs_packet *pkt = (struct rs_packet *) user_data; + + rs_debug (("%s: fd=%d what =", __func__, fd)); + if (what & EV_TIMEOUT) rs_debug ((" TIMEOUT -- shouldn't happen!")); + if (what & EV_READ) rs_debug ((" READ")); + if (what & EV_WRITE) rs_debug ((" WRITE")); + rs_debug (("\n")); + + assert (pkt); + assert (pkt->conn); + if (what & EV_READ) + { + /* Read a single UDP packet and stick it in USER_DATA. */ + /* TODO: Verify that unsolicited packets are dropped. */ + ssize_t r = 0; + + assert (pkt->rpkt->data); + + r = compat_recv (fd, pkt->rpkt->data, RS_MAX_PACKET_LEN, MSG_TRUNC); + if (r == -1) + { + int sockerr = evutil_socket_geterror (pkt->conn->fd); + if (sockerr == EAGAIN) + { + /* FIXME: Really shouldn't happen since we've been told + that fd is readable! */ + rs_debug (("%s: EAGAIN reading UDP packet -- wot?\n")); + goto err_out; + } + + /* Hard error. */ + rs_err_conn_push_fl (pkt->conn, RSE_SOCKERR, __FILE__, __LINE__, + "%d: recv: %d (%s)", fd, sockerr, + evutil_socket_error_to_string (sockerr)); + event_del (pkt->conn->tev); + goto err_out; + } + event_del (pkt->conn->tev); + if (r < 20 || r > RS_MAX_PACKET_LEN) /* Short or long packet. */ + { + rs_err_conn_push (pkt->conn, RSE_INVALID_PKT, + "invalid packet length: %d", r); + goto err_out; + } + pkt->rpkt->length = (pkt->rpkt->data[2] << 8) + pkt->rpkt->data[3]; + err = nr_packet_ok (pkt->rpkt); + if (err) + { + rs_err_conn_push_fl (pkt->conn, -err, __FILE__, __LINE__, + "invalid packet"); + goto err_out; + } + /* Hand over message to user. This changes ownership of pkt. + Don't touch it afterwards -- it might have been freed. */ + if (pkt->conn->callbacks.received_cb) + pkt->conn->callbacks.received_cb (pkt, pkt->conn->user_data); + else + rs_debug (("%s: no received-callback -- dropping packet\n", __func__)); + } + else if (what & EV_WRITE) + { + if (!pkt->conn->is_connected) + event_on_connect (pkt->conn, pkt); + + if (pkt->conn->out_queue) + if (_send (pkt->conn, fd) == RSE_OK) + if (pkt->conn->callbacks.sent_cb) + pkt->conn->callbacks.sent_cb (pkt->conn->user_data); + } + return; + + err_out: + rs_conn_disconnect (pkt->conn); +} + +int +udp_init (struct rs_connection *conn, struct rs_packet *pkt) +{ + assert (!conn->bev); + + conn->rev = event_new (conn->evb, conn->fd, EV_READ|EV_PERSIST, _evcb, NULL); + conn->wev = event_new (conn->evb, conn->fd, EV_WRITE, _evcb, NULL); + if (!conn->rev || !conn->wev) + { + if (conn->rev) + { + event_free (conn->rev); + conn->rev = NULL; + } + /* ENOMEM _or_ EINVAL but EINVAL only if we use EV_SIGNAL, at + least for now (libevent-2.0.5). */ + return rs_err_conn_push_fl (conn, RSE_NOMEM, __FILE__, __LINE__, NULL); + } + return RSE_OK; +} + +int +udp_init_retransmit_timer (struct rs_connection *conn) +{ + assert (conn); + + if (conn->tev) + event_free (conn->tev); + conn->tev = evtimer_new (conn->evb, event_retransmit_timeout_cb, conn); + if (!conn->tev) + return rs_err_conn_push_fl (conn, RSE_EVENT, __FILE__, __LINE__, + "evtimer_new"); + + return RSE_OK; +} diff --git a/udp.h b/udp.h new file mode 100644 index 0000000..39d1aeb --- /dev/null +++ b/udp.h @@ -0,0 +1,5 @@ +/* Copyright 2011 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +int udp_init (struct rs_connection *conn, struct rs_packet *pkt); +int udp_init_retransmit_timer (struct rs_connection *conn); diff --git a/util.c b/util.c new file mode 100644 index 0000000..70d815c --- /dev/null +++ b/util.c @@ -0,0 +1,25 @@ +/* Copyright 2012-2013 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +#include +#include +#include +#include +#include "util.h" + +char * +rs_strdup (struct rs_context *ctx, const char *s) +{ + size_t len; + char *buf; + + len = strlen (s); + buf = rs_malloc (ctx, len + 1); + + if (buf != NULL) + memcpy (buf, s, len + 1); + else + rs_err_ctx_push (ctx, RSE_NOMEM, __func__); + + return buf; +} diff --git a/util.h b/util.h new file mode 100644 index 0000000..f988d86 --- /dev/null +++ b/util.h @@ -0,0 +1,4 @@ +/* Copyright 2012 NORDUnet A/S. All rights reserved. + See LICENSE for licensing information. */ + +char *rs_strdup (struct rs_context *ctx, const char *s); -- cgit v1.1