diff options
author | Martin Willi <martin@revosec.ch> | 2013-03-12 17:44:13 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-03-12 17:44:13 +0100 |
commit | f4c8e6def7446a364585b3d7d772b568e49ff25e (patch) | |
tree | 01c00122936ca001cba5731e3e0cae8f93ec3821 /src | |
parent | 3a23794fa2387934c98b3bfe17f1aaf129339a07 (diff) | |
download | strongswan-f4c8e6def7446a364585b3d7d772b568e49ff25e.tar.bz2 strongswan-f4c8e6def7446a364585b3d7d772b568e49ff25e.tar.xz |
In eap-radius, hand out received Framed-IP-Address attributes as virtual IP
Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/plugins/eap_radius/Makefile.am | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius.c | 34 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 14 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.c | 350 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.h | 63 |
5 files changed, 460 insertions, 2 deletions
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am index 181497ab5..628adbeb3 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.am +++ b/src/libcharon/plugins/eap_radius/Makefile.am @@ -15,6 +15,7 @@ libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ eap_radius_accounting.h eap_radius_accounting.c \ + eap_radius_provider.h eap_radius_provider.c \ eap_radius_dae.h eap_radius_dae.c \ eap_radius_forward.h eap_radius_forward.c diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 6009d3a1f..28cd17eb8 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -16,6 +16,7 @@ #include "eap_radius.h" #include "eap_radius_plugin.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" #include <radius_message.h> #include <radius_client.h> @@ -327,6 +328,37 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg) enumerator->destroy(enumerator); } +/** + * Handle Framed-IP-Address and other IKE configuration attributes + */ +static void process_cfg_attributes(private_eap_radius_t *this, + radius_message_t *msg) +{ + eap_radius_provider_t *provider; + enumerator_t *enumerator; + host_t *host; + chunk_t data; + int type; + + provider = eap_radius_provider_get(); + if (provider) + { + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4) + { + host = host_create_from_chunk(AF_INET, data, 0); + if (host) + { + provider->add_framed_ip(provider, this->peer, host); + } + } + } + enumerator->destroy(enumerator); + } +} + METHOD(eap_method_t, process, status_t, private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out) { @@ -373,6 +405,7 @@ METHOD(eap_method_t, process, status_t, process_filter_id(this, response); } process_timeout(this, response); + process_cfg_attributes(this, response); DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", this->peer); status = SUCCESS; @@ -490,4 +523,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->server = server->clone(server); return &this->public; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 9d4bbe1f3..75d7f8b96 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -19,11 +19,13 @@ #include "eap_radius_accounting.h" #include "eap_radius_dae.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" #include <radius_client.h> #include <radius_config.h> #include <daemon.h> +#include <hydra.h> #include <threading/rwlock.h> /** @@ -64,6 +66,11 @@ struct private_eap_radius_plugin_t { eap_radius_accounting_t *accounting; /** + * IKE attribute provider + */ + eap_radius_provider_t *provider; + + /** * Dynamic authorization extensions */ eap_radius_dae_t *dae; @@ -207,6 +214,9 @@ METHOD(plugin_t, reload, bool, METHOD(plugin_t, destroy, void, private_eap_radius_plugin_t *this) { + hydra->attributes->remove_provider(hydra->attributes, + &this->provider->provider); + this->provider->destroy(this->provider); if (this->forward) { charon->bus->remove_listener(charon->bus, &this->forward->listener); @@ -242,6 +252,7 @@ plugin_t *eap_radius_plugin_create() .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), .accounting = eap_radius_accounting_create(), .forward = eap_radius_forward_create(), + .provider = eap_radius_provider_create(), ); load_configs(this); @@ -261,6 +272,8 @@ plugin_t *eap_radius_plugin_create() { charon->bus->add_listener(charon->bus, &this->forward->listener); } + hydra->attributes->add_provider(hydra->attributes, + &this->provider->provider); return &this->public.plugin; } @@ -307,4 +320,3 @@ radius_client_t *eap_radius_create_client() } return NULL; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c new file mode 100644 index 000000000..6cdbb3ca5 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -0,0 +1,350 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_radius_provider.h" + +#include <daemon.h> +#include <collections/hashtable.h> +#include <threading/mutex.h> + +typedef struct private_eap_radius_provider_t private_eap_radius_provider_t; +typedef struct private_listener_t private_listener_t; + +/** + * Private data of registered listener + */ +struct private_listener_t { + + /** + * Implements listener_t interface + */ + listener_t public; + + /** + * Leases not acquired yet, identification_t => entry_t + */ + hashtable_t *unclaimed; + + /** + * Leases acquired, identification_t => entry_t + */ + hashtable_t *claimed; + + /** + * Mutex to lock leases + */ + mutex_t *mutex; +}; + +/** + * Private data of an eap_radius_provider_t object. + */ +struct private_eap_radius_provider_t { + + /** + * Public eap_radius_provider_t interface. + */ + eap_radius_provider_t public; + + /** + * Additionally implements the listener_t interface + */ + private_listener_t listener; +}; + +/** + * Singleton instance of provider + */ +static eap_radius_provider_t *singleton = NULL; + +/** + * Hashtable entry with leases + */ +typedef struct { + /** identity we assigned the IP lease */ + identification_t *id; + /** list of IP leases received from AAA, as host_t */ + linked_list_t *addrs; +} entry_t; + +/** + * destroy an entry_t + */ +static void destroy_entry(entry_t *this) +{ + this->id->destroy(this->id); + this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy)); + free(this); +} + +/** + * Get or create an entry from a locked hashtable + */ +static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id) +{ + entry_t *entry; + + entry = hashtable->get(hashtable, id); + if (!entry) + { + INIT(entry, + .id = id->clone(id), + .addrs = linked_list_create(), + ); + hashtable->put(hashtable, entry->id, entry); + } + return entry; +} + +/** + * Put an entry to hashtable, or destroy it ife empty + */ +static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry) +{ + if (entry->addrs->get_count(entry->addrs) > 0) + { + hashtable->put(hashtable, entry->id, entry); + } + else + { + destroy_entry(entry); + } +} + +/** + * Hashtable hash function + */ +static u_int hash(identification_t *id) +{ + return chunk_hash_inc(id->get_encoding(id), id->get_type(id)); +} + +/** + * Hashtable equals function + */ +static bool equals(identification_t *a, identification_t *b) +{ + return a->equals(a, b); +} + +/** + * Insert an address entry to a locked claimed/unclaimed hashtable + */ +static void add_addr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, identification_t *id, host_t *host) +{ + entry_t *entry; + + entry = get_or_create_entry(hashtable, id); + entry->addrs->insert_last(entry->addrs, host); +} + +/** + * Remove the next address from the locked hashtable stored for given id + */ +static host_t* remove_addr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, identification_t *id) +{ + entry_t *entry; + host_t *addr = NULL; + + entry = hashtable->remove(hashtable, id); + if (entry) + { + entry->addrs->remove_first(entry->addrs, (void**)&addr); + put_or_destroy_entry(hashtable, entry); + } + return addr; +} + +/** + * Clean up unclaimed leases assigned for an IKE_SA + */ +static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa) +{ + identification_t *id; + entry_t *entry; + + id = ike_sa->get_other_eap_id(ike_sa); + this->mutex->lock(this->mutex); + entry = this->unclaimed->remove(this->unclaimed, id); + this->mutex->unlock(this->mutex); + if (entry) + { + destroy_entry(entry); + } +} + +METHOD(listener_t, message_hook, bool, + private_listener_t *this, ike_sa_t *ike_sa, + message_t *message, bool incoming, bool plain) +{ + if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + !incoming && !message->get_request(message)) + { + if ((ike_sa->get_version(ike_sa) == IKEV1 && + message->get_exchange_type(message) == TRANSACTION) || + (ike_sa->get_version(ike_sa) == IKEV2 && + message->get_exchange_type(message) == IKE_AUTH)) + { + /* if the addresses have not been claimed yet, they won't. Release + * these ressources. */ + release_unclaimed(this, ike_sa); + } + } + return TRUE; +} + +METHOD(listener_t, ike_updown, bool, + private_listener_t *this, ike_sa_t *ike_sa, bool up) +{ + if (!up) + { + /* if the message hook does not apply because of a failed exchange + * or something, make sure we release any ressources now */ + release_unclaimed(this, ike_sa); + } + return TRUE; +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_eap_radius_provider_t *this, linked_list_t *pools, + identification_t *id, host_t *requested) +{ + enumerator_t *enumerator; + host_t *addr = NULL; + char *name; + + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + if (streq(name, "radius")) + { + this->listener.mutex->lock(this->listener.mutex); + addr = remove_addr(this, this->listener.unclaimed, id); + if (addr) + { + add_addr(this, this->listener.claimed, id, addr->clone(addr)); + } + this->listener.mutex->unlock(this->listener.mutex); + break; + } + } + enumerator->destroy(enumerator); + + return addr; +} + +METHOD(attribute_provider_t, release_address, bool, + private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address, + identification_t *id) +{ + enumerator_t *enumerator; + host_t *found = NULL; + char *name; + + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + if (streq(name, "radius")) + { + this->listener.mutex->lock(this->listener.mutex); + found = remove_addr(this, this->listener.claimed, id); + this->listener.mutex->unlock(this->listener.mutex); + break; + } + } + enumerator->destroy(enumerator); + + if (found) + { + found->destroy(found); + return TRUE; + } + return FALSE; +} + +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_eap_radius_provider_t *this, linked_list_t *pools, + identification_t *id, linked_list_t *vips) +{ + return enumerator_create_empty(); +} + +METHOD(eap_radius_provider_t, add_framed_ip, void, + private_eap_radius_provider_t *this, identification_t *id, host_t *ip) +{ + this->listener.mutex->lock(this->listener.mutex); + add_addr(this, this->listener.unclaimed, id, ip); + this->listener.mutex->unlock(this->listener.mutex); +} + +METHOD(eap_radius_provider_t, destroy, void, + private_eap_radius_provider_t *this) +{ + singleton = NULL; + charon->bus->remove_listener(charon->bus, &this->listener.public); + this->listener.mutex->destroy(this->listener.mutex); + this->listener.claimed->destroy(this->listener.claimed); + this->listener.unclaimed->destroy(this->listener.unclaimed); + free(this); +} + +/** + * See header + */ +eap_radius_provider_t *eap_radius_provider_create() +{ + if (!singleton) + { + private_eap_radius_provider_t *this; + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .add_framed_ip = _add_framed_ip, + .destroy = _destroy, + }, + .listener = { + .public = { + .ike_updown = _ike_updown, + .message = _message_hook, + }, + .claimed = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 32), + .unclaimed = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 32), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + }, + ); + + charon->bus->add_listener(charon->bus, &this->listener.public); + + singleton = &this->public; + } + return singleton; +} + +/** + * See header + */ +eap_radius_provider_t *eap_radius_provider_get() +{ + return singleton; +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h new file mode 100644 index 000000000..2be9fefc2 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_radius_provider eap_radius_provider + * @{ @ingroup eap_radius + */ + +#ifndef EAP_RADIUS_PROVIDER_H_ +#define EAP_RADIUS_PROVIDER_H_ + +#include <attributes/attribute_provider.h> + +typedef struct eap_radius_provider_t eap_radius_provider_t; + +/** + * IKE configuration attribute fed by RADIUS attributes + */ +struct eap_radius_provider_t { + + /** + * Implements attribute_provider_t + */ + attribute_provider_t provider; + + /** + * Add a received Framed-IP-Address to the provider to serve to client. + * + * @param id client identity + * @param ip IP address received from RADIUS server, gets owned + */ + void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id, + host_t *ip); + + /** + * Destroy a eap_radius_provider_t. + */ + void (*destroy)(eap_radius_provider_t *this); +}; + +/** + * Create a eap_radius_provider instance. + */ +eap_radius_provider_t *eap_radius_provider_create(); + +/** + * Get singleton instance previously created with eap_radius_provider_create(). + */ +eap_radius_provider_t *eap_radius_provider_get(); + +#endif /** EAP_RADIUS_PROVIDER_H_ @}*/ |