aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMartin Willi <martin@revosec.ch>2013-03-12 17:44:13 +0100
committerMartin Willi <martin@revosec.ch>2013-03-12 17:44:13 +0100
commitf4c8e6def7446a364585b3d7d772b568e49ff25e (patch)
tree01c00122936ca001cba5731e3e0cae8f93ec3821 /src
parent3a23794fa2387934c98b3bfe17f1aaf129339a07 (diff)
downloadstrongswan-f4c8e6def7446a364585b3d7d772b568e49ff25e.tar.bz2
strongswan-f4c8e6def7446a364585b3d7d772b568e49ff25e.tar.xz
In eap-radius, hand out received Framed-IP-Address attributes as virtual IP
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/eap_radius/Makefile.am1
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius.c34
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_plugin.c14
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.c350
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.h63
5 files changed, 460 insertions, 2 deletions
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am
index 181497ab5..628adbeb3 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.am
+++ b/src/libcharon/plugins/eap_radius/Makefile.am
@@ -15,6 +15,7 @@ libstrongswan_eap_radius_la_SOURCES = \
eap_radius_plugin.h eap_radius_plugin.c \
eap_radius.h eap_radius.c \
eap_radius_accounting.h eap_radius_accounting.c \
+ eap_radius_provider.h eap_radius_provider.c \
eap_radius_dae.h eap_radius_dae.c \
eap_radius_forward.h eap_radius_forward.c
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 6009d3a1f..28cd17eb8 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -16,6 +16,7 @@
#include "eap_radius.h"
#include "eap_radius_plugin.h"
#include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
#include <radius_message.h>
#include <radius_client.h>
@@ -327,6 +328,37 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
enumerator->destroy(enumerator);
}
+/**
+ * Handle Framed-IP-Address and other IKE configuration attributes
+ */
+static void process_cfg_attributes(private_eap_radius_t *this,
+ radius_message_t *msg)
+{
+ eap_radius_provider_t *provider;
+ enumerator_t *enumerator;
+ host_t *host;
+ chunk_t data;
+ int type;
+
+ provider = eap_radius_provider_get();
+ if (provider)
+ {
+ enumerator = msg->create_enumerator(msg);
+ while (enumerator->enumerate(enumerator, &type, &data))
+ {
+ if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4)
+ {
+ host = host_create_from_chunk(AF_INET, data, 0);
+ if (host)
+ {
+ provider->add_framed_ip(provider, this->peer, host);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+}
+
METHOD(eap_method_t, process, status_t,
private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
{
@@ -373,6 +405,7 @@ METHOD(eap_method_t, process, status_t,
process_filter_id(this, response);
}
process_timeout(this, response);
+ process_cfg_attributes(this, response);
DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
this->peer);
status = SUCCESS;
@@ -490,4 +523,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
this->server = server->clone(server);
return &this->public;
}
-
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 9d4bbe1f3..75d7f8b96 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -19,11 +19,13 @@
#include "eap_radius_accounting.h"
#include "eap_radius_dae.h"
#include "eap_radius_forward.h"
+#include "eap_radius_provider.h"
#include <radius_client.h>
#include <radius_config.h>
#include <daemon.h>
+#include <hydra.h>
#include <threading/rwlock.h>
/**
@@ -64,6 +66,11 @@ struct private_eap_radius_plugin_t {
eap_radius_accounting_t *accounting;
/**
+ * IKE attribute provider
+ */
+ eap_radius_provider_t *provider;
+
+ /**
* Dynamic authorization extensions
*/
eap_radius_dae_t *dae;
@@ -207,6 +214,9 @@ METHOD(plugin_t, reload, bool,
METHOD(plugin_t, destroy, void,
private_eap_radius_plugin_t *this)
{
+ hydra->attributes->remove_provider(hydra->attributes,
+ &this->provider->provider);
+ this->provider->destroy(this->provider);
if (this->forward)
{
charon->bus->remove_listener(charon->bus, &this->forward->listener);
@@ -242,6 +252,7 @@ plugin_t *eap_radius_plugin_create()
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.accounting = eap_radius_accounting_create(),
.forward = eap_radius_forward_create(),
+ .provider = eap_radius_provider_create(),
);
load_configs(this);
@@ -261,6 +272,8 @@ plugin_t *eap_radius_plugin_create()
{
charon->bus->add_listener(charon->bus, &this->forward->listener);
}
+ hydra->attributes->add_provider(hydra->attributes,
+ &this->provider->provider);
return &this->public.plugin;
}
@@ -307,4 +320,3 @@ radius_client_t *eap_radius_create_client()
}
return NULL;
}
-
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
new file mode 100644
index 000000000..6cdbb3ca5
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -0,0 +1,350 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_provider.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+typedef struct private_eap_radius_provider_t private_eap_radius_provider_t;
+typedef struct private_listener_t private_listener_t;
+
+/**
+ * Private data of registered listener
+ */
+struct private_listener_t {
+
+ /**
+ * Implements listener_t interface
+ */
+ listener_t public;
+
+ /**
+ * Leases not acquired yet, identification_t => entry_t
+ */
+ hashtable_t *unclaimed;
+
+ /**
+ * Leases acquired, identification_t => entry_t
+ */
+ hashtable_t *claimed;
+
+ /**
+ * Mutex to lock leases
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Private data of an eap_radius_provider_t object.
+ */
+struct private_eap_radius_provider_t {
+
+ /**
+ * Public eap_radius_provider_t interface.
+ */
+ eap_radius_provider_t public;
+
+ /**
+ * Additionally implements the listener_t interface
+ */
+ private_listener_t listener;
+};
+
+/**
+ * Singleton instance of provider
+ */
+static eap_radius_provider_t *singleton = NULL;
+
+/**
+ * Hashtable entry with leases
+ */
+typedef struct {
+ /** identity we assigned the IP lease */
+ identification_t *id;
+ /** list of IP leases received from AAA, as host_t */
+ linked_list_t *addrs;
+} entry_t;
+
+/**
+ * destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+ this->id->destroy(this->id);
+ this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
+ free(this);
+}
+
+/**
+ * Get or create an entry from a locked hashtable
+ */
+static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id)
+{
+ entry_t *entry;
+
+ entry = hashtable->get(hashtable, id);
+ if (!entry)
+ {
+ INIT(entry,
+ .id = id->clone(id),
+ .addrs = linked_list_create(),
+ );
+ hashtable->put(hashtable, entry->id, entry);
+ }
+ return entry;
+}
+
+/**
+ * Put an entry to hashtable, or destroy it ife empty
+ */
+static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
+{
+ if (entry->addrs->get_count(entry->addrs) > 0)
+ {
+ hashtable->put(hashtable, entry->id, entry);
+ }
+ else
+ {
+ destroy_entry(entry);
+ }
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(identification_t *id)
+{
+ return chunk_hash_inc(id->get_encoding(id), id->get_type(id));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+ return a->equals(a, b);
+}
+
+/**
+ * Insert an address entry to a locked claimed/unclaimed hashtable
+ */
+static void add_addr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id, host_t *host)
+{
+ entry_t *entry;
+
+ entry = get_or_create_entry(hashtable, id);
+ entry->addrs->insert_last(entry->addrs, host);
+}
+
+/**
+ * Remove the next address from the locked hashtable stored for given id
+ */
+static host_t* remove_addr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id)
+{
+ entry_t *entry;
+ host_t *addr = NULL;
+
+ entry = hashtable->remove(hashtable, id);
+ if (entry)
+ {
+ entry->addrs->remove_first(entry->addrs, (void**)&addr);
+ put_or_destroy_entry(hashtable, entry);
+ }
+ return addr;
+}
+
+/**
+ * Clean up unclaimed leases assigned for an IKE_SA
+ */
+static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
+{
+ identification_t *id;
+ entry_t *entry;
+
+ id = ike_sa->get_other_eap_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ entry = this->unclaimed->remove(this->unclaimed, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ destroy_entry(entry);
+ }
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_listener_t *this, ike_sa_t *ike_sa,
+ message_t *message, bool incoming, bool plain)
+{
+ if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+ !incoming && !message->get_request(message))
+ {
+ if ((ike_sa->get_version(ike_sa) == IKEV1 &&
+ message->get_exchange_type(message) == TRANSACTION) ||
+ (ike_sa->get_version(ike_sa) == IKEV2 &&
+ message->get_exchange_type(message) == IKE_AUTH))
+ {
+ /* if the addresses have not been claimed yet, they won't. Release
+ * these ressources. */
+ release_unclaimed(this, ike_sa);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ if (!up)
+ {
+ /* if the message hook does not apply because of a failed exchange
+ * or something, make sure we release any ressources now */
+ release_unclaimed(this, ike_sa);
+ }
+ return TRUE;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+ private_eap_radius_provider_t *this, linked_list_t *pools,
+ identification_t *id, host_t *requested)
+{
+ enumerator_t *enumerator;
+ host_t *addr = NULL;
+ char *name;
+
+ enumerator = pools->create_enumerator(pools);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ if (streq(name, "radius"))
+ {
+ this->listener.mutex->lock(this->listener.mutex);
+ addr = remove_addr(this, this->listener.unclaimed, id);
+ if (addr)
+ {
+ add_addr(this, this->listener.claimed, id, addr->clone(addr));
+ }
+ this->listener.mutex->unlock(this->listener.mutex);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+ private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
+ identification_t *id)
+{
+ enumerator_t *enumerator;
+ host_t *found = NULL;
+ char *name;
+
+ enumerator = pools->create_enumerator(pools);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ if (streq(name, "radius"))
+ {
+ this->listener.mutex->lock(this->listener.mutex);
+ found = remove_addr(this, this->listener.claimed, id);
+ this->listener.mutex->unlock(this->listener.mutex);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (found)
+ {
+ found->destroy(found);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+ private_eap_radius_provider_t *this, linked_list_t *pools,
+ identification_t *id, linked_list_t *vips)
+{
+ return enumerator_create_empty();
+}
+
+METHOD(eap_radius_provider_t, add_framed_ip, void,
+ private_eap_radius_provider_t *this, identification_t *id, host_t *ip)
+{
+ this->listener.mutex->lock(this->listener.mutex);
+ add_addr(this, this->listener.unclaimed, id, ip);
+ this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, destroy, void,
+ private_eap_radius_provider_t *this)
+{
+ singleton = NULL;
+ charon->bus->remove_listener(charon->bus, &this->listener.public);
+ this->listener.mutex->destroy(this->listener.mutex);
+ this->listener.claimed->destroy(this->listener.claimed);
+ this->listener.unclaimed->destroy(this->listener.unclaimed);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_create()
+{
+ if (!singleton)
+ {
+ private_eap_radius_provider_t *this;
+
+ INIT(this,
+ .public = {
+ .provider = {
+ .acquire_address = _acquire_address,
+ .release_address = _release_address,
+ .create_attribute_enumerator = _create_attribute_enumerator,
+ },
+ .add_framed_ip = _add_framed_ip,
+ .destroy = _destroy,
+ },
+ .listener = {
+ .public = {
+ .ike_updown = _ike_updown,
+ .message = _message_hook,
+ },
+ .claimed = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .unclaimed = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ },
+ );
+
+ charon->bus->add_listener(charon->bus, &this->listener.public);
+
+ singleton = &this->public;
+ }
+ return singleton;
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_get()
+{
+ return singleton;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
new file mode 100644
index 000000000..2be9fefc2
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_provider eap_radius_provider
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PROVIDER_H_
+#define EAP_RADIUS_PROVIDER_H_
+
+#include <attributes/attribute_provider.h>
+
+typedef struct eap_radius_provider_t eap_radius_provider_t;
+
+/**
+ * IKE configuration attribute fed by RADIUS attributes
+ */
+struct eap_radius_provider_t {
+
+ /**
+ * Implements attribute_provider_t
+ */
+ attribute_provider_t provider;
+
+ /**
+ * Add a received Framed-IP-Address to the provider to serve to client.
+ *
+ * @param id client identity
+ * @param ip IP address received from RADIUS server, gets owned
+ */
+ void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id,
+ host_t *ip);
+
+ /**
+ * Destroy a eap_radius_provider_t.
+ */
+ void (*destroy)(eap_radius_provider_t *this);
+};
+
+/**
+ * Create a eap_radius_provider instance.
+ */
+eap_radius_provider_t *eap_radius_provider_create();
+
+/**
+ * Get singleton instance previously created with eap_radius_provider_create().
+ */
+eap_radius_provider_t *eap_radius_provider_get();
+
+#endif /** EAP_RADIUS_PROVIDER_H_ @}*/