keep up with master

.gitignore

@@ -29,5 +29,6 @@ tests/t_fticks
 tests/t_rewrite
 tests/t_rewrite_config
 tests/t_resizeattr
+tests/t_verify_cert
 tests/*.log
 tests/*.trs

ChangeLog

@@ -1,20 +1,31 @@
-chanes since 1.8.1
+unreleased chanes
 	New features:
 	- Accept multiple source* configs for IPv4/v6
 	- Specify source per server
-
-	Bug fixes:
-	- Fix wrong config-unhexing if %25 (%) occurs
+	- User configurable cipher-list and ciphersuites
+	- User configurable TLS versions
+	- Config option for DH-file
+	- Add rID and otherName options to certifcateAttributeCheck
+	- Allow multiple matchCertificateAttribute
 
 	Misc:
 	- Move radsecproxy manpage to section 8
 
+2020-08-06 1.8.2
+	Bug fixes:
+	- Fix wrong config-unhexing if %25 (%) occurs
+	- Fix compatibility with GCC 10 (#63)
+	- Fix spelling in manpage
+	- Fix modifyVendorAttribute not applied (#62)
+	- Fix unncessary status-server when in minimal mode (#61)
+
 2019-10-01 1.8.1
 	Bug fixes:
 	- Handle Tunnel-Password attribute correctly
 	- Fix BSD platform issues
 	- Fix spelling in log messages and manpages
 	- Fix compile issues for unit tests
+	- Don't hardcode location of config files
 
 2019-07-04 1.8.0
 	New features:

README

@@ -1,4 +1,4 @@
-This is radsecproxy 1.8.0
+This is radsecproxy 1.8.2
 
 radsecproxy is a generic RADIUS proxy that supports both UDP and TLS
 (RadSec) RADIUS transports.  There is also experimental support for

configure.ac

@@ -2,7 +2,7 @@ dnl Copyright (c) 2006-2010, UNINETT AS
 dnl Copyright (c) 2010-2013,2016, NORDUnet A/S
 dnl See LICENSE for licensing information.
 
-AC_INIT(radsecproxy, 1.8.0, https://radsecproxy.github.io)
+AC_INIT(radsecproxy, 1.8.2, https://radsecproxy.github.io)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE

radmsg.c

@@ -296,7 +296,7 @@ struct radmsg *buf2radmsg(uint8_t *buf, uint8_t *secret, int secret_len, uint8_t
     while (p - buf + 2 <= len) {
 	t = *p++;
         l = *p++;
-	if (l < 2) {
+	if (l < 2 || l > 255) {
 	    debug(DBG_WARN, "buf2radmsg: invalid attribute length %d", l);
 	    radmsg_free(msg);
 	    return NULL;

radsecproxy.c

@@ -84,6 +84,7 @@ extern int optind;
 extern char *optarg;
 #endif
 static const struct protodefs *protodefs[RAD_PROTOCOUNT];
+pthread_attr_t pthread_attr;
 
 /* minimum required declarations to avoid reordering code */
 struct realm *adddynamicrealmserver(struct realm *realm, char *id);
@@ -1648,8 +1649,11 @@ void *clientwr(void *arg) {
 #endif
 	pthread_mutex_unlock(&server->newrq_mutex);
 
-	for (i = 0; i < MAX_REQUESTS; i++) {
-	    if (server->clientrdgone) {
+    if (do_resend || server->lastrcv.tv_sec > laststatsrv.tv_sec)
+        statusserver_requested = 0;
+
+    for (i = 0; i < MAX_REQUESTS; i++) {
+        if (server->clientrdgone) {
 		server->state = RSP_SERVER_STATE_FAILING;
                 if (conf->pdef->connecter)
                     pthread_join(clientrdth, NULL);
@@ -1680,7 +1684,7 @@ void *clientwr(void *arg) {
             continue;
         }
 
-        if (rqout->tries > 0 && now.tv_sec - server->lastrcv.tv_sec > conf->retryinterval)
+        if (rqout->tries > 0 && now.tv_sec - server->lastrcv.tv_sec > conf->retryinterval && !do_resend)
             statusserver_requested = 1;
         if (rqout->tries == (*rqout->rq->buf == RAD_Status_Server ? 1 : conf->retrycount + 1)) {
             debug(DBG_DBG, "clientwr: removing expired packet from queue");
@@ -2170,11 +2174,8 @@ void freeclsrvconf(struct clsrvconf *conf) {
     free(conf->confsecret);
     free(conf->secret);
     free(conf->tls);
-    free(conf->matchcertattr);
-    if (conf->certcnregex)
-	regfree(conf->certcnregex);
-    if (conf->certuriregex)
-	regfree(conf->certuriregex);
+    freegconfmstr(conf->confmatchcertattrs);
+    freematchcertattr(conf);
     free(conf->confrewritein);
     free(conf->confrewriteout);
     if (conf->rewriteusername) {
@@ -2264,7 +2265,7 @@ int mergesrvconf(struct clsrvconf *dst, struct clsrvconf *src) {
     !mergeconfmstring(&dst->source, &src->source) ||
 	!mergeconfstring(&dst->confsecret, &src->confsecret) ||
 	!mergeconfstring(&dst->tls, &src->tls) ||
-	!mergeconfstring(&dst->matchcertattr, &src->matchcertattr) ||
+	!mergeconfmstring(&dst->confmatchcertattrs, &src->confmatchcertattrs) ||
 	!mergeconfstring(&dst->confrewritein, &src->confrewritein) ||
 	!mergeconfstring(&dst->confrewriteout, &src->confrewriteout) ||
 	!mergeconfstring(&dst->confrewriteusername, &src->confrewriteusername) ||
@@ -2305,10 +2306,11 @@ int config_hostaf(const char *desc, int ipv4only, int ipv6only, int *af) {
 
 int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
     struct clsrvconf *conf, *existing;
-    char *conftype = NULL, *rewriteinalias = NULL;
+    char *conftype = NULL, *rewriteinalias = NULL, **matchcertattrs = NULL;
     long int dupinterval = LONG_MIN, addttl = LONG_MIN;
     uint8_t ipv4only = 0, ipv6only = 0;
     struct list_node *entry;
+    int i;
 
     debug(DBG_DBG, "confclient_cb called for %s", block);
 
@@ -2327,7 +2329,7 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 	    "secret", CONF_STR_NOESC, &conf->confsecret,
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
 	    "tls", CONF_STR, &conf->tls,
-	    "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
+	    "matchcertificateattribute", CONF_MSTR, &matchcertattrs,
 	    "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
 #endif
 	    "DuplicateInterval", CONF_LINT, &dupinterval,
@@ -2364,13 +2366,19 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
     if (conf->type == RAD_TLS || conf->type == RAD_DTLS) {
-	conf->tlsconf = conf->tls
-            ? tlsgettls(conf->tls, NULL)
-            : tlsgettls("defaultClient", "default");
-	if (!conf->tlsconf)
-	    debugx(1, DBG_ERR, "error in block %s, no tls context defined", block);
-	if (conf->matchcertattr && !addmatchcertattr(conf))
-	    debugx(1, DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block);
+        conf->tlsconf = conf->tls
+                ? tlsgettls(conf->tls, NULL)
+                : tlsgettls("defaultClient", "default");
+        if (!conf->tlsconf)
+            debugx(1, DBG_ERR, "error in block %s, no tls context defined", block);
+        if (matchcertattrs) {
+            for (i=0; matchcertattrs[i]; i++){
+                if (!addmatchcertattr(conf, matchcertattrs[i])) {
+                    debugx(1, DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block);
+                }
+            }
+            freegconfmstr(matchcertattrs);
+        }
     }
 #endif
 
@@ -2447,19 +2455,23 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 }
 
 int compileserverconfig(struct clsrvconf *conf, const char *block) {
+    int i;
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
     if (conf->type == RAD_TLS || conf->type == RAD_DTLS) {
     	conf->tlsconf = conf->tls
             ? tlsgettls(conf->tls, NULL)
             : tlsgettls("defaultServer", "default");
-	if (!conf->tlsconf) {
-	    debug(DBG_ERR, "error in block %s, no tls context defined", block);
-	    return 0;
-	}
-	if (conf->matchcertattr && !addmatchcertattr(conf)) {
-	    debug(DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block);
-	    return 0;
-	}
+        if (!conf->tlsconf) {
+            debug(DBG_ERR, "error in block %s, no tls context defined", block);
+            return 0;
+        }
+        if (conf->confmatchcertattrs) {
+            for (i=0; conf->confmatchcertattrs[i]; i++){
+                if (!addmatchcertattr(conf, conf->confmatchcertattrs[i])) {
+                    debugx(1, DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block);
+                }
+            }
+        }
     }
 #endif
 
@@ -2529,7 +2541,7 @@ int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
             "secret", CONF_STR_NOESC, &conf->confsecret,
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
             "tls", CONF_STR, &conf->tls,
-            "MatchCertificateAttribute", CONF_STR, &conf->matchcertattr,
+            "MatchCertificateAttribute", CONF_STR, &conf->confmatchcertattrs,
             "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
 #endif
             "addTTL", CONF_LINT, &addttl,
@@ -3045,7 +3057,8 @@ int radsecproxy_main(int argc, char **argv) {
     sigaddset(&sigset, SIGHUP);
     sigaddset(&sigset, SIGPIPE);
     pthread_sigmask(SIG_BLOCK, &sigset, NULL);
-    pthread_create(&sigth, &pthread_attr, sighandler, NULL);
+    if (pthread_create(&sigth, &pthread_attr, sighandler, NULL))
+        debugx(1, DBG_ERR, "pthread_create failed: sighandler");
 
     for (entry = list_first(srvconfs); entry; entry = list_next(entry)) {
 	srvconf = (struct clsrvconf *)entry->data;

radsecproxy.conf.5.in

@@ -1,4 +1,4 @@
-.TH radsecproxy.conf 5 2019-07-04 "radsecproxy 1.8.0" ""
+.TH radsecproxy.conf 5 2020-08-06 "radsecproxy 1.8.2" ""
 
 .SH NAME
 radsecproxy.conf \- Radsec proxy configuration file
@@ -413,13 +413,21 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or
 SubjectAltName against the specified hostname or IP address.
 .RE
 
-\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+\fBMatchCertificateAttribute \fRCN:/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:DNS:/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:URI:/\fIregexp\fR/
 .br
 \fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:rID:\fIoid\fR
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:otherName:\fIoid\fR:/\fIregexp\fR/
 .RS
 Perform additional validation of certificate attributes. Currently matching
-of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this 
-option can only be specified once in a client block.
+of CN and SubjectAltName types URI, DNS, IP, rID, and otherName is supported. If specified
+multiple times, all terms must match for the certificate to be considered valid.
 .RE
 
 .BI "DuplicateInterval " seconds
@@ -539,7 +547,7 @@ options above.
 
 .BI "DynamicLookupCommand " command
 .RS
-Execude the \fIcommand\fR to dynamically configure a server. The executable file
+Execute the \fIcommand\fR to dynamically configure a server. The executable file
 should be given with full path and will be invoked with the name of the realm as
 its first and only argument. It should either print a valid \fBserver {...}\fR
 option on stdout and exit with a code of 0 or print nothing and exit with a
@@ -617,9 +625,7 @@ block. The details are not repeated here. Please refer to the definitions in the
 .br
 .BR "CertificateNameCheck (" on | off )
 .br
-\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
-.br
-\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
+\fBMatchCertificateAttribute \fR...
 .br
 .BR "AddTTL " 1-255
 .br
@@ -799,6 +805,43 @@ can be triggered by sending a SIGHUP to the radsecproxy process. This option may
 be set to zero to disable caching.
 .RE
 
+.BI "CipherList " ciphers
+.RS
+Specify the list of accepted \fIciphers\fR. See 
+.BR openssl-ciphers (1).
+.RE
+
+.BI "CipherSuites " ciphersuites
+.RS
+Specify the \fIciphersuites\fR to be used for TLS1.3. See 
+.BR openssl-ciphers (1).
+.br
+Note this requires openssl 1.1.1
+.RE
+
+.BR "TlsVersion " (
+.IR version " | " minversion : maxversion " )"
+.br
+.BR "DtlsVersion " (
+.IR version " | " minversion : maxversion " )"
+.RS
+Specify the TLS/DTLS protocol \fIversion\fR to be used.
+.br
+Specify the range of allowed protocol versions between \fIminversion\fR and 
+\fImaxversion\fR (inclusive). If either is left out, any version up to, or 
+starting from this version is allowed. E.g. "TLS1_2:" will allow TLSv1.2 or later.
+.br
+Currently supported values are
+.BR SSL3 , TLS1 , TLS1_1 , TLS1_2 , TLS1_3
+for TLS and
+.BR DTLS1 , DTLS1_1
+for DTLS.
+.RE
+
+.BI "DhFile " file
+.RS
+DH parameter \fIfile\fR to use. See \fBopenssl-dhparam\fR(1)
+
 
 .SH "REWRITE BLOCK"
 .nf
@@ -899,7 +942,7 @@ the given vendor id are removed.
 .BR "WhitelistMode (" on | off )
 .RS
 Enable whitelist mode. All attributes except those configured with
-\fBWhitelistAttrbiute\fR or \fBWhitelistVendorAttribute\fR will be removed.
+\fBWhitelistAttribute\fR or \fBWhitelistVendorAttribute\fR will be removed.
 While whitelist mode is active, \fBRemoveAttribute\fR and
 \fBRemoveVendorAttribute\fR statements are ignored.
 .RE

radsecproxy.h

@@ -12,6 +12,8 @@
 #include "gconfig.h"
 #include "rewrite.h"
 
+#include <openssl/asn1.h>
+
 #define DEBUG_LEVEL 2
 
 #define CONFIG_MAIN SYSCONFDIR"/radsecproxy.conf"
@@ -149,12 +151,8 @@ struct clsrvconf {
     uint8_t *secret;
     int secret_len;
     char *tls;
-    char *matchcertattr;
-    regex_t *certcnregex;
-    regex_t *certuriregex;
-    regex_t *certdnsregex;
-    struct in6_addr certipmatch;
-    int certipmatchaf;
+    struct list *matchcertattrs;
+    char **confmatchcertattrs;
     char *confrewritein;
     char *confrewriteout;
     char *confrewriteusername;
@@ -263,7 +261,7 @@ int radsrv(struct request *rq);
 void replyh(struct server *server, unsigned char *buf);
 struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport);
 uint8_t *radattr2ascii(struct tlv *attr); /* TODO: mv this to radmsg? */
-pthread_attr_t pthread_attr;
+extern pthread_attr_t pthread_attr;
 
 /* Local Variables: */
 /* c-file-style: "stroustrup" */

rewrite.c

@@ -147,7 +147,7 @@ struct modattr *extractmodvattr(char *nameval) {
 
     s = strchr(nameval, ':');
     vendor = atoi(nameval);
-    if (!s || !vendor || !strchr(s,':'))
+    if (!s || !vendor || !strchr(s+1,':'))
         return NULL;
     modvattr = extractmodattr(s+1);
     if (modvattr)
@@ -278,7 +278,7 @@ void addrewrite(char *value, uint8_t whitelist_mode, char **rmattrs, char **rmva
         freegconfmstr(supvattrs);
     }
 
-    if (rma || rmva || adda || moda || supa) {
+    if (rma || rmva || adda || moda || modva || supa) {
         rewrite = malloc(sizeof(struct rewrite));
         if (!rewrite)
             debugx(1, DBG_ERR, "malloc failed");
@@ -499,7 +499,7 @@ int dorewritemodvattr(struct tlv *vendortlv, struct modattr *modvattr) {
 int dorewritemod(struct radmsg *msg, struct list *modattrs, struct list *modvattrs) {
     struct list_node *n, *m;
     uint32_t vendor;
-
+    
     for (n = list_first(msg->attrs); n; n = list_next(n)) {
         struct tlv *attr = (struct tlv *)n->data;
         if (attr->t == RAD_Attr_Vendor_Specific) {

tests/Makefile.am

@@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign
 LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) \
                   $(top_srcdir)/build-aux/tap-driver.sh
 
-check_PROGRAMS = t_fticks t_rewrite t_resizeattr t_rewrite_config
+check_PROGRAMS = t_fticks t_rewrite t_resizeattr t_rewrite_config t_verify_cert
 AM_CFLAGS = -g -Wall -Werror @SSL_CFLAGS@ @TARGET_CFLAGS@
 LDADD = $(top_builddir)/librsp.a @SSL_LIBS@
 LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ @LDFLAGS@