From de8bf9112695763664912e340b265fa898188460 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 26 Aug 2024 12:41:52 +0200 Subject: Merging upstream version 3.2.5+dfsg. Signed-off-by: Daniel Baumann --- src/include/clients.h | 6 ++++- src/include/conffile.h | 1 + src/include/dlist.h | 63 +++++++++++++++++++++++++++++++++++++++++++++++++ src/include/event.h | 2 ++ src/include/features-h | 2 +- src/include/libradius.h | 20 +++++++++++++++- src/include/radius.h | 1 + src/include/radiusd.h | 11 +++++++-- src/include/realms.h | 4 ++++ src/include/tls-h | 10 +++++++- 10 files changed, 114 insertions(+), 6 deletions(-) create mode 100644 src/include/dlist.h (limited to 'src/include') diff --git a/src/include/clients.h b/src/include/clients.h index 46b5b3b..7e962b6 100644 --- a/src/include/clients.h +++ b/src/include/clients.h @@ -43,7 +43,11 @@ typedef struct radclient { char const *secret; //!< Secret PSK. - bool message_authenticator; //!< Require RADIUS message authenticator in requests. + fr_bool_auto_t require_ma; //!< Require RADIUS message authenticator in requests. + + bool dynamic_require_ma; //!< for dynamic clients + + fr_bool_auto_t limit_proxy_state; //!< Limit Proxy-State in requests char const *nas_type; //!< Type of client (arbitrary). diff --git a/src/include/conffile.h b/src/include/conffile.h index b996881..237469c 100644 --- a/src/include/conffile.h +++ b/src/include/conffile.h @@ -140,6 +140,7 @@ typedef struct timeval _timeval_t; #define PW_TYPE_MULTI (1 << 18) //!< CONF_PAIR can have multiple copies. #define PW_TYPE_NOT_EMPTY (1 << 19) //!< CONF_PAIR is required to have a non zero length value. #define PW_TYPE_FILE_EXISTS ((1 << 20) | PW_TYPE_STRING) //!< File matching value must exist +#define PW_TYPE_IGNORE_DEFAULT (1 << 21) //!< don't set from .dflt if the CONF_PAIR is missing /* @} **/ #define FR_INTEGER_COND_CHECK(_name, _var, _cond, _new)\ diff --git a/src/include/dlist.h b/src/include/dlist.h new file mode 100644 index 0000000..c1bc1d5 
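Review bot: The three new `radclient` members in the clients.h hunk are documented only by fragments — `for dynamic clients` and `Limit Proxy-State in requests` say nothing about what the values mean or how `dynamic_require_ma` (a plain `bool`) relates to `require_ma` (an `fr_bool_auto_t`). Presumably `dynamic_require_ma` is the already-resolved setting applied when a client is created dynamically, but the hunk does not say so; once confirmed against the client code, state it, e.g. `bool dynamic_require_ma; //!< resolved require_ma setting applied to dynamically created clients`. Because `fr_bool_auto_t` is introduced in libradius.h rather than here, clients.h now depends on that header being included first; the include lines are outside this hunk, so I cannot see whether that already holds.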
--- /dev/null +++ b/src/include/dlist.h @@ -0,0 +1,63 @@ +/* + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * + * @file dlist.h + * @brief doubly linked lists + * + * @copyright 2023 Network RADIUS SAS (legal@networkradius.com) + */ + +#ifndef RADIUS_DLIST_H +#define RADIUS_DLIST_H + +RCSIDH(dlist_h, "$Id$") + +/* + * We have an internal cache, keyed by (mac + ssid). + * + * It returns the PMK and PSK for the user. + */ +typedef struct fr_dlist_s fr_dlist_t; + +struct fr_dlist_s { + fr_dlist_t *prev; + fr_dlist_t *next; +}; + +static inline void fr_dlist_entry_init(fr_dlist_t *entry) +{ + entry->prev = entry->next = entry; +} + +static inline CC_HINT(nonnull) void fr_dlist_entry_unlink(fr_dlist_t *entry) +{ + entry->prev->next = entry->next; + entry->next->prev = entry->prev; + entry->prev = entry->next = entry; +} + +static inline CC_HINT(nonnull) void fr_dlist_insert_tail(fr_dlist_t *head, fr_dlist_t *entry) +{ + entry->next = head; + entry->prev = head->prev; + head->prev->next = entry; + head->prev = entry; +} + +#endif /* RADIUS_DLIST_H */ diff --git a/src/include/event.h b/src/include/event.h index 0409728..822da96 100644 --- a/src/include/event.h +++ b/src/include/event.h 
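Review bot: The block comment above `typedef struct fr_dlist_s fr_dlist_t;` describes an internal cache keyed by (mac + ssid) that returns a PMK and PSK, which has nothing to do with a doubly linked list and looks pasted from another file; replace it with `/* Intrusive circular doubly-linked list: a head is an entry whose prev and next point back to itself while the list is empty. */`. `fr_dlist_entry_init` is the only helper in the file without `CC_HINT(nonnull)` although it dereferences `entry` unconditionally, so for consistency write `static inline CC_HINT(nonnull) void fr_dlist_entry_init(fr_dlist_t *entry)`. `fr_dlist_insert_tail` does not check that `entry` is currently unlinked, so inserting an entry that still sits in another list silently corrupts both lists; at minimum document that callers must init or unlink the entry first, and consider a debug-build assertion that `entry->next == entry`. The header also uses `RCSIDH` and `CC_HINT` without including whatever defines them, so it is not self-contained.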
@@ -39,6 +39,8 @@ typedef void (*fr_event_fd_handler_t)(fr_event_list_t *el, int sock, void *ctx); fr_event_list_t *fr_event_list_create(TALLOC_CTX *ctx, fr_event_status_t status); +extern int fr_ev_max_fds; /* must be a power of 2 */ + int fr_event_list_num_fds(fr_event_list_t *el); int fr_event_list_num_elements(fr_event_list_t *el); diff --git a/src/include/features-h b/src/include/features-h index 158541f..1e2f29e 100644 --- a/src/include/features-h +++ b/src/include/features-h @@ -69,7 +69,7 @@ #ifdef WITH_TLS # ifdef WITH_COA # ifndef WITHOUT_COA_TUNNEL -# define WITH_COA_TUNNEL (1) +//# define WITH_COA_TUNNEL (1) # endif # endif #endif diff --git a/src/include/libradius.h b/src/include/libradius.h index 777927e..5cb5b06 100644 --- a/src/include/libradius.h +++ b/src/include/libradius.h @@ -410,6 +410,11 @@ typedef struct radius_packet { #ifdef WITH_RADIUSV11 bool radiusv11; #endif + bool tls; //!< uses secure transport + + bool message_authenticator; + bool proxy_state; + bool eap_message; } RADIUS_PACKET; typedef enum { @@ -527,6 +532,13 @@ DICT_VENDOR *dict_vendorbyvalue(int vendor); /* radius.c */ int rad_send(RADIUS_PACKET *, RADIUS_PACKET const *, char const *secret); bool rad_packet_ok(RADIUS_PACKET *packet, int flags, decode_fail_t *reason); + +/* + * 1 == require_ma + * 2 == msg_peek + * 4 == limit_proxy_state + * 8 == require_ma for Access-* replies and Protocol-Error + */ RADIUS_PACKET *rad_recv(TALLOC_CTX *ctx, int fd, int flags); ssize_t rad_recv_header(int sockfd, fr_ipaddr_t *src_ipaddr, uint16_t *src_port, int *code); void rad_recv_discard(int sockfd); 
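Review bot: `extern int fr_ev_max_fds; /* must be a power of 2 */` states an invariant that nothing in this header enforces, and a signed `int` for a descriptor count also admits negative values. Document where the value is validated, e.g. `/* must be a power of 2; checked when the value is set in <config parser> */` with the real location filled in, or, if it is not validated anywhere, that is the gap to close before code starts using it as a mask.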
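Review bot: Commenting out `# define WITH_COA_TUNNEL (1)` leaves the enclosing `# ifndef WITHOUT_COA_TUNNEL` guard with an empty body and gives the reader no hint why the tunnel is now off by default. Either delete the guard along with the define, or explain the change where it happens, e.g. `/* CoA tunnel is off by default; define WITH_COA_TUNNEL explicitly to enable it */`. Leaving commented-out preprocessor text is the kind of thing the next reader has to re-investigate.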
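Review bot: Three of the four `bool` members added to `RADIUS_PACKET` — `message_authenticator`, `proxy_state` and `eap_message` — have no `//!<` comment, unlike `tls` in the same hunk. From their names they presumably record whether the decoded packet contained the corresponding attribute, but the hunk does not say whether they are set on receive, honoured on send, or both; add a one-line comment to each stating that, e.g. `bool message_authenticator; //!< packet contained a Message-Authenticator attribute`, once confirmed against radius.c.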
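Review bot: The new comment above `rad_recv` documents the `flags` argument as bare bit values (`1 == require_ma`, `2 == msg_peek`, `4 == limit_proxy_state`, `8 == require_ma for Access-* replies and Protocol-Error`), which forces every caller to hard-code magic numbers and leaves nothing for the compiler to check. Declare named flags in this header and refer to them from the comment instead, e.g. (names constructed) `#define RAD_RECV_REQUIRE_MA (1 << 0)` through `(1 << 3)`. The comment should also say which of the 1 and 8 bits applies to requests versus replies, since its own wording suggests they are checked in different places.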
@@ -720,7 +732,7 @@ extern bool fr_dns_lookups; /* do IP -> hostname lookups? */ extern bool fr_hostname_lookups; /* do hostname -> IP lookups? */ extern int fr_debug_lvl; /* 0 = no debugging information */ extern uint32_t fr_max_attributes; /* per incoming packet */ -#define FR_MAX_PACKET_CODE (52) +#define FR_MAX_PACKET_CODE (53) extern char const *fr_packet_codes[FR_MAX_PACKET_CODE]; #define is_radius_code(_x) ((_x > 0) && (_x < FR_MAX_PACKET_CODE)) extern FILE *fr_log_fp; @@ -958,6 +970,12 @@ int fr_socket_wait_for_connect(int sockfd, struct timeval *timeout); } #endif +typedef enum { + FR_BOOL_FALSE = 0, + FR_BOOL_TRUE, + FR_BOOL_AUTO, +} fr_bool_auto_t; + #include #ifdef WITH_TCP diff --git a/src/include/radius.h b/src/include/radius.h index 473528d..147d674 100644 --- a/src/include/radius.h +++ b/src/include/radius.h @@ -61,6 +61,7 @@ typedef enum { PW_CODE_COA_REQUEST = 43, //!< RFC3575/RFC5176 - CoA-Request PW_CODE_COA_ACK = 44, //!< RFC3575/RFC5176 - CoA-Ack (positive) PW_CODE_COA_NAK = 45, //!< RFC3575/RFC5176 - CoA-Nak (not willing to perform) + PW_CODE_PROTOCOL_ERROR = 52, //!< RFC7930 - Protocol layer issue PW_CODE_MAX = 255, //!< Maximum possible code } PW_CODE; diff --git a/src/include/radiusd.h b/src/include/radiusd.h index 594a6bd..c7c03cd 100644 --- a/src/include/radiusd.h +++ b/src/include/radiusd.h @@ -141,6 +141,8 @@ typedef struct main_config { uint32_t cleanup_delay; //!< How long before cleaning up cached responses. uint32_t max_requests; + uint32_t proxy_dedup_window; //!< suppress duplicate retransmitssions from a NAS + bool postauth_client_lost; //!< Whether to run Post-Auth-Type Client-Lost section uint32_t debug_level; 
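Review bot: Raising `FR_MAX_PACKET_CODE` from 52 to 53 makes `is_radius_code(52)` true and extends the declared `fr_packet_codes[FR_MAX_PACKET_CODE]` table by one, but the table's definition is not in this patch, so unless its initializer gains an entry for index 52 (the new `PW_CODE_PROTOCOL_ERROR` in radius.h) the name lookup for that code yields NULL, if the table is a statically initialized array. Please confirm the definition in the .c file was updated in the same upstream version. A short comment tying the constant to the enum would keep the two from drifting, e.g. `#define FR_MAX_PACKET_CODE (53) /* one past the highest PW_CODE_* that has an entry in fr_packet_codes */`.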
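Review bot: The comment on the new `proxy_dedup_window` member misspells "retransmissions" (`retransmitssions`) and gives no unit for the window; `cleanup_delay` just above gives none either, so this is the place to state it. Presumably seconds, to be confirmed against the parser, after which write `uint32_t proxy_dedup_window; //!< window (seconds) in which duplicate retransmissions from a NAS are suppressed`.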
@@ -174,6 +176,9 @@ typedef struct main_config { bool exiting; //!< are we exiting? + fr_bool_auto_t require_ma; //!< global configuration for all clients and home servers + + fr_bool_auto_t limit_proxy_state; //!< global configuration for all clients #ifdef ENABLE_OPENSSL_VERSION_CHECK char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged. @@ -194,9 +199,8 @@ typedef struct main_config { typedef enum { REQUEST_ACTIVE = 1, REQUEST_STOP_PROCESSING, - REQUEST_COUNTED } rad_master_state_t; -#define REQUEST_MASTER_NUM_STATES (REQUEST_COUNTED + 1) +#define REQUEST_MASTER_NUM_STATES (REQUEST_STOP_PROCESSING + 1) typedef enum { REQUEST_QUEUED = 1, @@ -320,6 +324,7 @@ struct rad_request { #define RAD_REQUEST_OPTION_COA (1 << 0) #define RAD_REQUEST_OPTION_CTX (1 << 1) #define RAD_REQUEST_OPTION_CANCELLED (1 << 2) +#define RAD_REQUEST_OPTION_STATS (1 << 3) #define SECONDS_PER_DAY 86400 #define MAX_REQUEST_TIME 30 @@ -565,6 +570,8 @@ int main_config_free(void); void main_config_hup(void); void hup_logfile(void); +int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str); + /* listen.c */ void listen_free(rad_listen_t **head); int listen_init(CONF_SECTION *cs, rad_listen_t **head, bool spawn_flag); diff --git a/src/include/realms.h b/src/include/realms.h index 23806f4..cc5d4c1 100644 --- a/src/include/realms.h +++ b/src/include/realms.h @@ -58,6 +58,8 @@ typedef struct fr_socket_limit_t { uint32_t num_requests; uint32_t lifetime; uint32_t idle_timeout; + uint32_t read_timeout; + uint32_t write_timeout; } fr_socket_limit_t; typedef struct home_server { 
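Review bot: The new prototype `int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str);` has no comment, so a caller cannot tell what `str` is relative to `cp`, whether `*out` is written on failure, or what the return convention is (the `main_config_*` functions directly above return `int` too, so presumably 0 on success and -1 on error). Add a Doxygen block above it giving the accepted spellings of the three `fr_bool_auto_t` values, the role of `str` (input text versus a name used only in error messages), and the return values, marking anything not verified against the implementation as to be confirmed.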
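Review bot: `read_timeout` and `write_timeout` are added to `fr_socket_limit_t` without a comment or a unit, and the neighbouring `lifetime` and `idle_timeout` do not say either, so a reader has to find the parser to learn whether these are seconds or milliseconds. Add `//!<` comments naming the unit and what zero means (presumably "no timeout", to be confirmed), e.g. `uint32_t read_timeout; //!< per-read timeout on the home server socket, in <unit>; 0 = none`.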
@@ -69,6 +71,8 @@ typedef struct home_server { bool dual; //!< One of a pair of homeservers on consecutive ports. bool dynamic; //!< is this a dynamically added home server? bool nonblock; //!< Enable a socket non-blocking to the home server. + fr_bool_auto_t require_ma; //!< for all replies to Access-Request and Status-Server + #ifdef WITH_COA_TUNNEL bool recv_coa; //!< receive CoA packets, too #endif diff --git a/src/include/tls-h b/src/include/tls-h index 4bf1665..506fb19 100644 --- a/src/include/tls-h +++ b/src/include/tls-h @@ -152,6 +152,9 @@ typedef struct _tls_session_t { //!< If set to no then only the first fragment contains length. int peap_flag; + VALUE_PAIR *outer_tlvs; //!< only for TEAP, and only for the first fragment. + uint8_t *outer_tlvs_octets; //!< only for TEAP, needed for Crypto-Binding TLV + size_t tls_record_in_total_len; //!< How long the peer indicated the complete tls record //!< would be. size_t tls_record_in_recvd_len; //!< How much of the record we've received so far. @@ -176,17 +179,19 @@ typedef struct _tls_session_t { * * 0 1 2 3 4 5 6 7 8 * +-+-+-+-+-+-+-+-+ - * |L M S R R R R R| + * |L M S O R R R R| * +-+-+-+-+-+-+-+-+ * * L = Length included * M = More fragments * S = EAP-TLS start + * O = outer TLV length included (4 octets, only for TEAP) * R = Reserved */ #define TLS_START(x) (((x) & 0x20) != 0) #define TLS_MORE_FRAGMENTS(x) (((x) & 0x40) != 0) #define TLS_LENGTH_INCLUDED(x) (((x) & 0x80) != 0) +#define TLS_OUTER_TLV_INCLUDED(x) (((x) & 0x10) != 0) #define TLS_CHANGE_CIPHER_SPEC(x) (((x) & 0x0014) == 0x0014) #define TLS_ALERT(x) (((x) & 0x0015) == 0x0015) @@ -195,6 +200,7 @@ typedef struct _tls_session_t { #define SET_START(x) ((x) | (0x20)) #define SET_MORE_FRAGMENTS(x) ((x) | (0x40)) #define SET_LENGTH_INCLUDED(x) ((x) | (0x80)) +#define SET_OUTER_TLV_INCLUDED(x) ((x) | (0x10)) /* * Following enums from rfc2246 
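Review bot: `outer_tlvs_octets` is a bare `uint8_t *` with no accompanying length member, yet its comment says it is needed for the Crypto-Binding TLV, which has to cover an exact number of octets; the hunk gives no way to recover that length. If the buffer is talloc-allocated the length may be recoverable from the allocation, but that should be stated explicitly; otherwise add `size_t outer_tlvs_octets_len; //!< length of outer_tlvs_octets` next to it. Both new members should also say who owns and frees them and whether they are reset between fragments, since `only for the first fragment` implies they are stale afterwards.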
@@ -351,6 +357,8 @@ struct fr_tls_server_conf_t { SSL_CTX *ctx; CONF_SECTION *cs; + char const *name; //!< name of the thing doing TLS. + char const *private_key_password; char const *private_key_file; char const *certificate_file; -- cgit v1.2.3
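Review bot: The comment on the new `name` member, `name of the thing doing TLS.`, does not tell a reader what the value is — a configuration section name, a listener or module instance name, or a free-form label used only in log lines. `cs` directly above it suggests the section name, but that is a guess from this hunk alone; once confirmed against where it is assigned, write something like `char const *name; //!< identifier for this TLS configuration (from <source>), used in log messages` and say who owns the string.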