Commit 1bd41dd6 authored by Faidon Liambotis's avatar Faidon Liambotis

Import Upstream version 1.6.2

parent 13e513c0
......@@ -5,6 +5,7 @@ Radsecproxy is currently being maintained by Linus Nordberg
The following people have contributed to Radsecproxy in one way or
another:
Adam Osuchowski
Andreas Solberg
Arne Schwabe
Faidon Liambotis
......
2011-04-27 1.6
2012-10-25 1.6.2
Bug fixes (security):
- Fix the issue with verification of clients when using multiple
'tls' config blocks (RADSECPROXY-43) for DTLS too. Fixes
CVE-2012-4523. Reported by Raphael Geissert.
2012-09-14 1.6.1
Bug fixes (security):
- When verifying clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43,
CVE-2012-4523).
Bug fixes:
- Make naptr-eduroam.sh check NAPTR type case insensitively.
Fix from Adam Osuchowski.
2012-04-27 1.6
Incompatible changes:
- The default shared secret for TLS and DTLS connections change
from "mysecret" to "radsec" as per draft-ietf-radext-radsec-12
......
This is radsecproxy 1.6 from April 27 2012.
This is radsecproxy 1.6.2 from Oct 25 2012.
radsecproxy is a generic RADIUS proxy that supports both UDP and TLS
(RadSec) RADIUS transports. There is also experimental support for
......
......@@ -13,8 +13,8 @@
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],,
[m4_warning([this file was generated for autoconf 2.65.
m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],,
[m4_warning([this file was generated for autoconf 2.68.
You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically `autoreconf'.])])
......
AC_INIT(radsecproxy, 1.6, radsecproxy@uninett.no)
AC_INIT(radsecproxy, 1.6.2, radsecproxy@uninett.no)
AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE
AC_PROG_CC
......
......@@ -354,6 +354,7 @@ void *dtlsservernew(void *arg) {
X509 *cert = NULL;
SSL_CTX *ctx = NULL;
uint8_t delay = 60;
struct tls *accepted_tls = NULL;
debug(DBG_DBG, "dtlsservernew: starting");
conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
......@@ -367,10 +368,11 @@ void *dtlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
accepted_tls = conf->tlsconf;
}
while (conf) {
if (verifyconfcert(cert, conf)) {
if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {
......
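Review bot: The new `accepted_tls == conf->tlsconf` guard at the top of the while loop rejects client blocks silently, and the only diagnostic left is the generic "ignoring request, no matching TLS client" warning after the loop, so an operator hit by the stricter 1.6.1/1.6.2 behaviour cannot tell a certificate mismatch from a tls-block mismatch. Splitting the condition yields a distinguishable log line: `if (accepted_tls != conf->tlsconf) debug(DBG_DBG, "dtlsservernew: skipping client block with different tls config");` followed by `else if (verifyconfcert(cert, conf)) {`. The comparison is on `struct tls *` pointer identity, which presumably relies on the config parser resolving one tls block name to a single shared object rather than per-client copies; a one-line comment stating that assumption and the reason for the check would help the next maintainer, e.g. `/* Only consider client blocks sharing the tls block the chain was verified against (CVE-2012-4523) */`. dtlsservernew's body starts before the first hunk and continues past this one.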
......@@ -5,7 +5,7 @@ radsecproxy-hash - print digests of Ethernet MAC addresses
.SH "SYNOPSIS"
.HP 12
radsecproxy-hash [-h] [-k key] [-t type]
radsecproxy-hash [\-h] [\-k key] [\-t type]
.sp
.SH "DESCRIPTION"
......@@ -14,15 +14,15 @@ input.
.SH "OPTIONS"
.TP
.B -h
.B \-h
\fIdisplay help and exit\fR
.TP
.B -k key
.B \-k key
\fIuse KEY for HMAC calculation\fR
.TP
.B -t type
.B \-t type
\fIprint digest of type TYPE [hash|hmac]\fR
......
......@@ -5,7 +5,7 @@ radsecproxy - a generic RADIUS proxy that provides both RADIUS UDP and TCP/TLS (
.SH "SYNOPSIS"
.HP 12
radsecproxy [-c configfile] [-d debuglevel] [-f] [-i pidfile] [-p] [-v]
radsecproxy [\-c configfile] [\-d debuglevel] [\-f] [\-i pidfile] [\-p] [\-v]
.sp
.SH "DESCRIPTION"
......@@ -34,7 +34,7 @@ where some RADIUS nodes use only IPv4 and some only IPv6.
.SH "OPTIONS"
.TP
.B -f
.B \-f
.sp
\fIRun in foreground\fR
.sp
......@@ -42,7 +42,7 @@ By specifying this option, the proxy will run in foreground mode. That
is, it won't detach. Also all logging will be done to stderr.
.TP
.B -d <debug level>
.B \-d <debug level>
.sp
\fIDebug level\fR
.sp
......@@ -51,7 +51,7 @@ This specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where
logs errors, warnings and a few informational messages.
.TP
.B -p
.B \-p
.sp
\fIPretend\fR
.sp
......@@ -62,7 +62,7 @@ may be used to verify configuration files, and can be done while another
instance is running.
.TP
.B -v
.B \-v
.sp
\fIPrint version\fR
.sp
......@@ -70,7 +70,7 @@ When this option is specified, the proxy will simply print version
information and exit.
.TP
.B -c <config file path>
.B \-c <config file path>
.sp
\fIConfig file path\fR
.sp
......@@ -78,7 +78,7 @@ This option allows you to specify which config file to use. This is useful
if you want to use a config file that is not in any of the default locations.
.TP
.B -i <pid file path>
.B \-i <pid file path>
.sp
\fIPID file path\fR
.sp
......
......@@ -5,7 +5,7 @@
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH "radsecproxy.conf " 5 2012-04-27 "radsecproxy 1.6" ""
.TH "radsecproxy.conf " 5 2012-10-25 "radsecproxy 1.6.2" ""
.SH NAME
radsecproxy.conf
\- Radsec proxy configuration file
......@@ -386,8 +386,10 @@ The value of \*(T<type\*(T> must be one of
\*(T<secret\*(T> is the shared RADIUS key used with
this client. If the secret contains whitespace, the value must
be quoted. This option is optional for TLS/DTLS and if omitted
will default to "mysecret". Note that the default value of
\*(T<secret\*(T> will change in an upcoming release.
will default to "radsec". (Note that using a secret other than
"radsec" for TLS is a violation of the standard (RFC 6614) and
that the proposed standard for DTLS stipulates that the secret
must be "radius/dtls".)
.PP
For a TLS/DTLS client you may also specify the
\*(T<tls\*(T> option. The option value must be the
......@@ -398,6 +400,13 @@ defined, it will try to use the TLS block named
\*(T<default\*(T>. If the specified TLS block name does
not exist, or the option is not specified and none of the
defaults exist, the proxy will exit with an error.
NOTE: All versions of radsecproxy up to and including 1.6
erroneously verify client certificate chains using the CA in the
very first matching client block regardless of which block is
used for the final decision. This was changed in version 1.6.1
so that a client block with a different \*(T<tls\*(T>
option than the first matching client block is no longer
considered for verification of clients.
.PP
For a TLS/DTLS client, the option
\*(T<certificateNameCheck\*(T> can be set to
......@@ -751,7 +760,7 @@ fine only defining two rewrite blocks named
\*(T<defaultClient\*(T> and
\*(T<defaultServer\*(T>. Note that these defaults are
only used for rewrite on input. No rewriting is done on output
unless explicitly specifed using the
unless explicitly specified using the
\*(T<rewriteOut\*(T> option.
.PP
The available rewrite block options are
......
......@@ -2,14 +2,14 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
<date>2012-04-27</date>
<date>2012-10-25</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>radsecproxy 1.6</refmiscinfo>
<refmiscinfo>radsecproxy 1.6.2</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
......@@ -531,8 +531,10 @@ blocktype name {
<literal>secret</literal> is the shared RADIUS key used with
this client. If the secret contains whitespace, the value must
be quoted. This option is optional for TLS/DTLS and if omitted
will default to "mysecret". Note that the default value of
<literal>secret</literal> will change in an upcoming release.
will default to "radsec". (Note that using a secret other than
"radsec" for TLS is a violation of the standard (RFC 6614) and
that the proposed standard for DTLS stipulates that the secret
must be "radius/dtls".)
</para>
<para>
For a TLS/DTLS client you may also specify the
......@@ -544,6 +546,15 @@ blocktype name {
<literal>default</literal>. If the specified TLS block name does
not exist, or the option is not specified and none of the
defaults exist, the proxy will exit with an error.
NOTE: All versions of radsecproxy up to and including 1.6
erroneously verify client certificate chains using the CA in the
very first matching client block regardless of which block is
used for the final decision. This was changed in version 1.6.1
so that a client block with a different <literal>tls</literal>
option than the first matching client block is no longer
considered for verification of clients.
</para>
<para>
For a TLS/DTLS client, the option
......@@ -950,7 +961,7 @@ blocktype name {
<literal>defaultClient</literal> and
<literal>defaultServer</literal>. Note that these defaults are
only used for rewrite on input. No rewriting is done on output
unless explicitly specifed using the
unless explicitly specified using the
<literal>rewriteOut</literal> option.
</para>
<para>
......
......@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
SSL_CTX *ctx = NULL;
unsigned long error;
struct client *client;
struct tls *accepted_tls = NULL;
s = *(int *)arg;
if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
......@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
accepted_tls = conf->tlsconf;
}
while (conf) {
if (verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {
client->ssl = ssl;
client->addr = addr_copy((struct sockaddr *)&from);
tlsserverrd(client);
removeclient(client);
} else
debug(DBG_WARN, "tlsservernew: failed to create new client instance");
goto exit;
}
conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {
client->ssl = ssl;
client->addr = addr_copy((struct sockaddr *)&from);
tlsserverrd(client);
removeclient(client);
} else
debug(DBG_WARN, "tlsservernew: failed to create new client instance");
goto exit;
}
conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
}
debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
if (cert)
......
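Review bot: The whole while-loop body is removed and re-added for what is a one-token change to the condition, so anyone auditing the CVE-2012-4523 fix has to compare thirteen visually identical lines to find `accepted_tls == conf->tlsconf &&`; the whitespace re-indent belongs in a separate commit from the security fix. The check itself is consistent with the dtls.c change: `accepted_tls` is assigned only after `verifytlscert` succeeds, and every candidate block is compared against it, so a client block whose tls option names a different CA set is no longer matched against a chain the handshake verified with the first block's CA. What the new code still lacks is a distinguishable diagnostic for that rejection; a `debug(DBG_DBG, "tlsservernew: skipping client block with different tls config");` branch taken when `accepted_tls != conf->tlsconf` would let operators diagnose the stricter behaviour instead of seeing only the generic "no matching TLS client" warning. tlsservernew's body starts before the first hunk and continues past the last line shown.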
......@@ -31,7 +31,7 @@ dig_it_naptr() {
${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k1 |
while read line; do
set $line ; TYPE=$3 ; HOST=$6
if [ "$TYPE" = "\"s\"" ]; then
if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
SRV_HOST=${HOST%.}
dig_it_srv
fi
......@@ -50,7 +50,7 @@ host_it_naptr() {
${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -n -k5 |
while read line; do
set $line ; TYPE=$7 ; HOST=${10}
if [ "$TYPE" = "\"s\"" ]; then
if [ "$TYPE" = "\"s\"" -o "$TYPE" = "\"S\"" ]; then
SRV_HOST=${HOST%.}
host_it_srv
fi
......
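Review bot: The case-insensitive flag test added in both dig_it_naptr and host_it_naptr uses the `-o` operator of `[`, which POSIX marks obsolescent and leaves unspecified once `test` receives more than four arguments (this expression passes seven), and `$TYPE` here comes straight from DNS output via `set $line`; two separate tests joined with `||` are unambiguous: `if [ "$TYPE" = '"s"' ] || [ "$TYPE" = '"S"' ]; then`. The embedded double quotes in the comparison assume dig and host print the NAPTR flags field quoted, which the surrounding lines do not show; a short comment such as `# dig/host print the flags field quoted, e.g. "s" or "S"` would save the next reader from wondering. Both functions start before their hunks and continue past them.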