diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-10-17 21:23:38 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-10-17 21:23:38 +0200 |
| commit | 9d37ad77ef660b92ea51b69d74e14f931d2a04e2 (patch) | |
| tree | d6bbb4a5fed1959f8675df9ee7c03713b543fcc9 /src/libcharon/plugins/eap_radius | |
| parent | 104f57d4b0fb6d7547d6898352eaa5fb4b222010 (diff) | |
| parent | e5ee4e7fcdd58b7d86bf1b458da2c63e8e19627b (diff) | |
| download | vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.tar.gz vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.zip | |
Merge tag 'v5.1.0-1' into sid
tag strongSwan 5.1.0-1
Diffstat (limited to 'src/libcharon/plugins/eap_radius')
| -rw-r--r-- | src/libcharon/plugins/eap_radius/Makefile.am | 13 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/Makefile.in | 162 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius.c | 240 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius.h | 24 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_accounting.c | 532 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_accounting.h | 8 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_dae.c | 56 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_forward.c | 17 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 175 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_plugin.h | 11 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.c | 550 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.h | 74 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_xauth.c | 202 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_xauth.h | 49 |
14 files changed, 1871 insertions, 242 deletions
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am index 181497ab5..6fdb0d099 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.am +++ b/src/libcharon/plugins/eap_radius/Makefile.am @@ -1,8 +1,11 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libradius -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius - -AM_CFLAGS = -rdynamic +AM_CFLAGS = \ + -rdynamic if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-eap-radius.la @@ -14,7 +17,9 @@ endif libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + eap_radius_xauth.h eap_radius_xauth.c \ eap_radius_accounting.h eap_radius_accounting.c \ + eap_radius_provider.h eap_radius_provider.c \ eap_radius_dae.h eap_radius_dae.c \ eap_radius_forward.h eap_radius_forward.c diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 0bef44042..24818d4fb 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,6 +16,23 @@ @SET_MAKE@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -72,58 +90,92 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES = \ @MONOLITHIC_FALSE@ $(top_builddir)/src/libradius/libradius.la am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \ - eap_radius.lo eap_radius_accounting.lo eap_radius_dae.lo \ - eap_radius_forward.lo + eap_radius.lo eap_radius_xauth.lo eap_radius_accounting.lo \ + eap_radius_provider.lo eap_radius_dae.lo eap_radius_forward.lo libstrongswan_eap_radius_la_OBJECTS = \ $(am_libstrongswan_eap_radius_la_OBJECTS) -libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \ +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +libstrongswan_eap_radius_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_eap_radius_la_LDFLAGS) \ $(LDFLAGS) -o $@ @MONOLITHIC_FALSE@am_libstrongswan_eap_radius_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_eap_radius_la_rpath = -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; SOURCES = $(libstrongswan_eap_radius_la_SOURCES) DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -132,13 +184,16 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -151,6 +206,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -178,11 +234,13 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ @@ -190,6 +248,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -198,8 +257,6 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ -axis2c_CFLAGS = @axis2c_CFLAGS@ -axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -208,14 +265,19 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -229,17 +291,17 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -249,16 +311,15 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ -p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -286,17 +347,24 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libradius +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libradius + +AM_CFLAGS = \ + -rdynamic -AM_CFLAGS = -rdynamic @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-radius.la @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_LIBADD = $(top_builddir)/src/libradius/libradius.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-radius.la libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + eap_radius_xauth.h eap_radius_xauth.c \ eap_radius_accounting.h eap_radius_accounting.c \ + eap_radius_provider.h eap_radius_provider.c \ eap_radius_dae.h eap_radius_dae.c \ eap_radius_forward.h eap_radius_forward.c @@ -346,7 +414,6 @@ clean-noinstLTLIBRARIES: done install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -354,6 +421,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ } @@ -375,8 +444,8 @@ clean-pluginLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) - $(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS) +libstrongswan-eap-radius.la: $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_DEPENDENCIES) $(EXTRA_libstrongswan_eap_radius_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_eap_radius_la_LINK) $(am_libstrongswan_eap_radius_la_rpath) $(libstrongswan_eap_radius_la_OBJECTS) $(libstrongswan_eap_radius_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -389,27 +458,29 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_dae.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_forward.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_provider.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_xauth.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo @@ -516,10 +587,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index c0a3703b6..b06b6c392 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -16,6 +16,8 @@ #include "eap_radius.h" #include "eap_radius_plugin.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" +#include "eap_radius_accounting.h" #include <radius_message.h> #include <radius_client.h> @@ -73,16 +75,6 @@ struct private_eap_radius_t { * Prefix to prepend to EAP identity */ char *id_prefix; - - /** - * Handle the Class attribute as group membership information? - */ - bool class_group; - - /** - * Handle the Filter-Id attribute as IPsec CHILD_SA name? - */ - bool filter_id; }; /** @@ -155,17 +147,86 @@ static bool radius2ike(private_eap_radius_t *this, return FALSE; } +/** + * See header. + */ +void eap_radius_build_attributes(radius_message_t *request) +{ + ike_sa_t *ike_sa; + host_t *host; + char buf[40], *station_id_fmt;; + u_int32_t value; + chunk_t chunk; + + /* virtual NAS-Port-Type */ + value = htonl(5); + request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value)); + /* framed ServiceType */ + value = htonl(2); + request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value)); + + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + value = htonl(ike_sa->get_unique_id(ike_sa)); + request->add(request, RAT_NAS_PORT, chunk_from_thing(value)); + request->add(request, RAT_NAS_PORT_ID, + chunk_from_str(ike_sa->get_name(ike_sa))); + + host = ike_sa->get_my_host(ike_sa); + chunk = host->get_address(host); + switch (host->get_family(host)) + { + case AF_INET: + request->add(request, RAT_NAS_IP_ADDRESS, chunk); + break; + case AF_INET6: + request->add(request, RAT_NAS_IPV6_ADDRESS, chunk); + default: + break; + } + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.station_id_with_port", + TRUE, charon->name)) + { + station_id_fmt = "%#H"; + } + else + { + station_id_fmt = "%H"; + } + snprintf(buf, sizeof(buf), station_id_fmt, host); + request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf)); + host = ike_sa->get_other_host(ike_sa); + snprintf(buf, sizeof(buf), station_id_fmt, host); + request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); + } +} + +/** + * Add a set of RADIUS attributes to a request message + */ +static void add_radius_request_attrs(private_eap_radius_t *this, + radius_message_t *request) +{ + chunk_t chunk; + + chunk = chunk_from_str(this->id_prefix); + chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_NAME, chunk); + + eap_radius_build_attributes(request); + eap_radius_forward_from_ike(request); +} + METHOD(eap_method_t, initiate, status_t, private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; - chunk_t username; request = radius_message_create(RMC_ACCESS_REQUEST); - username = chunk_create(this->id_prefix, strlen(this->id_prefix)); - username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); - request->add(request, RAT_USER_NAME, username); + add_radius_request_attrs(this, request); if (this->eap_start) { @@ -175,21 +236,34 @@ METHOD(eap_method_t, initiate, status_t, { add_eap_identity(this, request); } - eap_radius_forward_from_ike(request); response = this->client->request(this->client, request); if (response) { eap_radius_forward_to_ike(response); - if (radius2ike(this, response, out)) + switch (response->get_code(response)) { - status = NEED_MORE; + case RMC_ACCESS_CHALLENGE: + if (radius2ike(this, response, out)) + { + status = NEED_MORE; + } + break; + case RMC_ACCESS_ACCEPT: + /* Microsoft RADIUS servers can run in a mode where they respond + * like this on the first request (i.e. without authentication), + * we treat this as Access-Reject */ + case RMC_ACCESS_REJECT: + default: + DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", + this->peer); + break; } response->destroy(response); } else { - charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); + eap_radius_handle_timeout(NULL); } request->destroy(request); return status; @@ -198,7 +272,7 @@ METHOD(eap_method_t, initiate, status_t, /** * Handle the Class attribute as group membership information */ -static void process_class(private_eap_radius_t *this, radius_message_t *msg) +static void process_class(radius_message_t *msg) { enumerator_t *enumerator; chunk_t data; @@ -235,7 +309,7 @@ static void process_class(private_eap_radius_t *this, radius_message_t *msg) /** * Handle the Filter-Id attribute as IPsec CHILD_SA name */ -static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) +static void process_filter_id(radius_message_t *msg) { enumerator_t *enumerator; int type; @@ -264,7 +338,7 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) case RAT_FILTER_ID: filter_id = data; DBG1(DBG_IKE, "received RADIUS attribute Filter-Id: " - "'%.*s'", filter_id.len, filter_id.ptr); + "'%.*s'", (int)filter_id.len, filter_id.ptr); break; default: break; @@ -289,28 +363,107 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) } /** - * Handle Session-Timeout attribte + * Handle Session-Timeout attribte and Interim updates */ -static void process_timeout(private_eap_radius_t *this, radius_message_t *msg) +static void process_timeout(radius_message_t *msg) { enumerator_t *enumerator; ike_sa_t *ike_sa; chunk_t data; int type; - enumerator = msg->create_enumerator(msg); - while (enumerator->enumerate(enumerator, &type, &data)) + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) { - if (type == RAT_SESSION_TIMEOUT && data.len == 4) + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) { - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) + if (type == RAT_SESSION_TIMEOUT && data.len == 4) { ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr)); } + else if (type == RAT_ACCT_INTERIM_INTERVAL && data.len == 4) + { + eap_radius_accounting_start_interim(ike_sa, untoh32(data.ptr)); + } } + enumerator->destroy(enumerator); + } +} + +/** + * Handle Framed-IP-Address and other IKE configuration attributes + */ +static void process_cfg_attributes(radius_message_t *msg) +{ + eap_radius_provider_t *provider; + enumerator_t *enumerator; + ike_sa_t *ike_sa; + host_t *host; + chunk_t data; + int type, vendor; + + ike_sa = charon->bus->get_sa(charon->bus); + provider = eap_radius_provider_get(); + if (provider && ike_sa) + { + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4) + { + host = host_create_from_chunk(AF_INET, data, 0); + if (host) + { + provider->add_framed_ip(provider, + ike_sa->get_unique_id(ike_sa), host); + } + } + } + enumerator->destroy(enumerator); + + enumerator = msg->create_vendor_enumerator(msg); + while (enumerator->enumerate(enumerator, &vendor, &type, &data)) + { + if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */) + { + switch (type) + { + case 15: /* CVPN3000-IPSec-Banner1 */ + case 36: /* CVPN3000-IPSec-Banner2 */ + if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY)) + { + provider->add_attribute(provider, + ike_sa->get_unique_id(ike_sa), + UNITY_BANNER, data); + } + break; + default: + break; + } + } + } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); +} + +/** + * See header. + */ +void eap_radius_process_attributes(radius_message_t *message) +{ + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.class_group", FALSE, charon->name)) + { + process_class(message); + } + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.filter_id", FALSE, charon->name)) + { + process_filter_id(message); + } + process_timeout(message); + process_cfg_attributes(message); } METHOD(eap_method_t, process, status_t, @@ -321,7 +474,8 @@ METHOD(eap_method_t, process, status_t, chunk_t data; request = radius_message_create(RMC_ACCESS_REQUEST); - request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + add_radius_request_attrs(this, request); + data = in->get_data(in); DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data); @@ -334,7 +488,6 @@ METHOD(eap_method_t, process, status_t, } request->add(request, RAT_EAP_MESSAGE, data); - eap_radius_forward_from_ike(request); response = this->client->request(this->client, request); if (response) { @@ -350,22 +503,15 @@ METHOD(eap_method_t, process, status_t, status = FAILED; break; case RMC_ACCESS_ACCEPT: - if (this->class_group) - { - process_class(this, response); - } - if (this->filter_id) - { - process_filter_id(this, response); - } - process_timeout(this, response); + eap_radius_process_attributes(response); DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", this->peer); status = SUCCESS; break; case RMC_ACCESS_REJECT: default: - DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", this->peer); + DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", + this->peer); status = FAILED; break; } @@ -453,14 +599,11 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ .type = EAP_RADIUS, .eap_start = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.eap_start", FALSE), + "%s.plugins.eap-radius.eap_start", FALSE, + charon->name), .id_prefix = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.id_prefix", ""), - .class_group = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.class_group", FALSE), - .filter_id = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.filter_id", FALSE), - + "%s.plugins.eap-radius.id_prefix", "", + charon->name), ); this->client = eap_radius_create_client(); if (!this->client) @@ -472,4 +615,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->server = server->clone(server); return &this->public; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius.h b/src/libcharon/plugins/eap_radius/eap_radius.h index e98cb06e3..ce583ac44 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.h +++ b/src/libcharon/plugins/eap_radius/eap_radius.h @@ -23,7 +23,8 @@ typedef struct eap_radius_t eap_radius_t; -#include <sa/authenticators/eap/eap_method.h> +#include <sa/eap/eap_method.h> +#include <radius_message.h> /** * Implementation of the eap_method_t interface using a RADIUS server. @@ -45,4 +46,25 @@ struct eap_radius_t { */ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer); +/** + * Process additional attributes from an Access-Accept. + * + * Parses and applies additional authorization attributes from an Accept + * message, such as group membership information or IKE configuration + * attributes. + * + * @param message Access-Accept message to process + */ +void eap_radius_process_attributes(radius_message_t *message); + +/** + * Build additional attributes for an Access-Request. + * + * Adds additional RADIUS attributes to use with Access-Request, such as + * different NAS specific attributes. + * + * @param message Access-Request message to add attributes to + */ +void eap_radius_build_attributes(radius_message_t *message); + #endif /** EAP_RADIUS_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 45be22704..e004589da 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -21,8 +21,9 @@ #include <radius_message.h> #include <radius_client.h> #include <daemon.h> -#include <utils/hashtable.h> +#include <collections/hashtable.h> #include <threading/mutex.h> +#include <processing/jobs/callback_job.h> typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t; @@ -37,7 +38,7 @@ struct private_eap_radius_accounting_t { eap_radius_accounting_t public; /** - * Hashtable with sessions, IKE_SA unique id => entry_t + * Hashtable with sessions, ike_sa_id_t => entry_t */ hashtable_t *sessions; @@ -50,23 +51,83 @@ struct private_eap_radius_accounting_t { * Session ID prefix */ u_int32_t prefix; + + /** + * Format string we use for Called/Calling-Station-Id for a host + */ + char *station_id_fmt; + + /** + * Disable accounting unless IKE_SA has at least one virtual IP + */ + bool acct_req_vip; }; /** + * Singleton instance of accounting + */ +static private_eap_radius_accounting_t *singleton = NULL; + +/** + * Acct-Terminate-Cause + */ +typedef enum { + ACCT_CAUSE_USER_REQUEST = 1, + ACCT_CAUSE_LOST_CARRIER = 2, + ACCT_CAUSE_LOST_SERVICE = 3, + ACCT_CAUSE_IDLE_TIMEOUT = 4, + ACCT_CAUSE_SESSION_TIMEOUT = 5, + ACCT_CAUSE_ADMIN_RESET = 6, + ACCT_CAUSE_ADMIN_REBOOT = 7, + ACCT_CAUSE_PORT_ERROR = 8, + ACCT_CAUSE_NAS_ERROR = 9, + ACCT_CAUSE_NAS_REQUEST = 10, + ACCT_CAUSE_NAS_REBOOT = 11, + ACCT_CAUSE_PORT_UNNEEDED = 12, + ACCT_CAUSE_PORT_PREEMPTED = 13, + ACCT_CAUSE_PORT_SUSPENDED = 14, + ACCT_CAUSE_SERVICE_UNAVAILABLE = 15, + ACCT_CAUSE_CALLBACK = 16, + ACCT_CAUSE_USER_ERROR = 17, + ACCT_CAUSE_HOST_REQUEST = 18, +} radius_acct_terminate_cause_t; + +/** * Hashtable entry with usage stats */ typedef struct { + /** IKE_SA identifier this entry is stored under */ + ike_sa_id_t *id; /** RADIUS accounting session ID */ char sid[16]; - /** number of octets sent */ - u_int64_t sent; - /** number of octets received */ - u_int64_t received; + /** number of sent/received octets/packets */ + struct { + u_int64_t sent; + u_int64_t received; + } bytes, packets; /** session creation time */ time_t created; + /** terminate cause */ + radius_acct_terminate_cause_t cause; + /* interim interval and timestamp of last update */ + struct { + u_int32_t interval; + time_t last; + } interim; + /** did we send Accounting-Start */ + bool start_sent; } entry_t; /** + * Destroy an entry_t + */ +static void destroy_entry(entry_t *this) +{ + this->id->destroy(this->id); + free(this); +} + +/** * Accounting message status types */ typedef enum { @@ -80,17 +141,17 @@ typedef enum { /** * Hashtable hash function */ -static u_int hash(uintptr_t key) +static u_int hash(ike_sa_id_t *key) { - return key; + return key->get_responder_spi(key); } /** * Hashtable equals function */ -static bool equals(uintptr_t a, uintptr_t b) +static bool equals(ike_sa_id_t *a, ike_sa_id_t *b) { - return a == b; + return a->equals(a, b); } /** @@ -99,19 +160,20 @@ static bool equals(uintptr_t a, uintptr_t b) static void update_usage(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa) { - u_int64_t sent, received; + u_int64_t bytes_in, bytes_out, packets_in, packets_out; entry_t *entry; - child_sa->get_usestats(child_sa, FALSE, NULL, &sent); - child_sa->get_usestats(child_sa, TRUE, NULL, &received); + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out); + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in); this->mutex->lock(this->mutex); - entry = this->sessions->get(this->sessions, - (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa)); + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); if (entry) { - entry->sent += sent; - entry->received += received; + entry->bytes.sent += bytes_out; + entry->bytes.received += bytes_in; + entry->packets.sent += packets_out; + entry->packets.received += packets_in; } this->mutex->unlock(this->mutex); } @@ -135,10 +197,6 @@ static bool send_message(private_eap_radius_accounting_t *this, ack = response->get_code(response) == RMC_ACCOUNTING_RESPONSE; response->destroy(response); } - else - { - charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); - } client->destroy(client); } return ack; @@ -147,57 +205,291 @@ static bool send_message(private_eap_radius_accounting_t *this, /** * Add common IKE_SA parameters to RADIUS account message */ -static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa) +static void add_ike_sa_parameters(private_eap_radius_accounting_t *this, + radius_message_t *message, ike_sa_t *ike_sa) { - host_t *vip; + enumerator_t *enumerator; + host_t *vip, *host; char buf[64]; chunk_t data; + u_int32_t value; + + /* virtual NAS-Port-Type */ + value = htonl(5); + message->add(message, RAT_NAS_PORT_TYPE, chunk_from_thing(value)); + /* framed ServiceType */ + value = htonl(2); + message->add(message, RAT_SERVICE_TYPE, chunk_from_thing(value)); + + value = htonl(ike_sa->get_unique_id(ike_sa)); + message->add(message, RAT_NAS_PORT, chunk_from_thing(value)); + message->add(message, RAT_NAS_PORT_ID, + chunk_from_str(ike_sa->get_name(ike_sa))); + + host = ike_sa->get_my_host(ike_sa); + data = host->get_address(host); + switch (host->get_family(host)) + { + case AF_INET: + message->add(message, RAT_NAS_IP_ADDRESS, data); + break; + case AF_INET6: + message->add(message, RAT_NAS_IPV6_ADDRESS, data); + default: + break; + } + snprintf(buf, sizeof(buf), this->station_id_fmt, host); + message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf)); + host = ike_sa->get_other_host(ike_sa); + snprintf(buf, sizeof(buf), this->station_id_fmt, host); + message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf)); snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa)); - message->add(message, RAT_USER_NAME, chunk_create(buf, strlen(buf))); - snprintf(buf, sizeof(buf), "%#H", ike_sa->get_other_host(ike_sa)); - message->add(message, RAT_CALLING_STATION_ID, chunk_create(buf, strlen(buf))); - vip = ike_sa->get_virtual_ip(ike_sa, FALSE); - if (vip && vip->get_family(vip) == AF_INET) + message->add(message, RAT_USER_NAME, chunk_from_str(buf)); + + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE); + while (enumerator->enumerate(enumerator, &vip)) + { + switch (vip->get_family(vip)) + { + case AF_INET: + message->add(message, RAT_FRAMED_IP_ADDRESS, + vip->get_address(vip)); + break; + case AF_INET6: + /* we currently assign /128 prefixes, only (reserved, length) */ + data = chunk_from_chars(0, 128); + data = chunk_cata("cc", data, vip->get_address(vip)); + message->add(message, RAT_FRAMED_IPV6_PREFIX, data); + break; + default: + break; + } + } + enumerator->destroy(enumerator); +} + +/** + * Get an existing or create a new entry from the locked session table + */ +static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, + ike_sa_t *ike_sa) +{ + ike_sa_id_t *id; + entry_t *entry; + time_t now; + + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (!entry) + { + now = time_monotonic(NULL); + id = ike_sa->get_id(ike_sa); + + INIT(entry, + .id = id->clone(id), + .created = now, + .interim = { + .last = now, + }, + /* default terminate cause, if none other catched */ + .cause = ACCT_CAUSE_USER_REQUEST, + ); + snprintf(entry->sid, sizeof(entry->sid), "%u-%u", + this->prefix, ike_sa->get_unique_id(ike_sa)); + this->sessions->put(this->sessions, entry->id, entry); + } + return entry; +} + +/* forward declaration */ +static void schedule_interim(private_eap_radius_accounting_t *this, + entry_t *entry); + +/** + * Data passed to send_interim() using callback job + */ +typedef struct { + /** reference to radius accounting */ + private_eap_radius_accounting_t *this; + /** IKE_SA identifier to send interim update to */ + ike_sa_id_t *id; +} interim_data_t; + +/** + * Clean up interim data + */ +void destroy_interim_data(interim_data_t *this) +{ + this->id->destroy(this->id); + free(this); +} + +/** + * Send an interim update for entry of given IKE_SA identifier + */ +static job_requeue_t send_interim(interim_data_t *data) +{ + private_eap_radius_accounting_t *this = data->this; + u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0; + u_int64_t bytes, packets; + radius_message_t *message = NULL; + enumerator_t *enumerator; + child_sa_t *child_sa; + ike_sa_t *ike_sa; + entry_t *entry; + u_int32_t value; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id); + if (!ike_sa) + { + return JOB_REQUEUE_NONE; + } + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets); + bytes_out += bytes; + packets_out += packets; + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets); + bytes_in += bytes; + packets_in += packets; + } + enumerator->destroy(enumerator); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + + /* avoid any races by returning IKE_SA before acquiring lock */ + + this->mutex->lock(this->mutex); + entry = this->sessions->get(this->sessions, data->id); + if (entry) + { + entry->interim.last = time_monotonic(NULL); + + bytes_in += entry->bytes.received; + bytes_out += entry->bytes.sent; + packets_in += entry->packets.received; + packets_out += entry->packets.sent; + + message = radius_message_create(RMC_ACCOUNTING_REQUEST); + value = htonl(ACCT_STATUS_INTERIM_UPDATE); + message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); + message->add(message, RAT_ACCT_SESSION_ID, + chunk_create(entry->sid, strlen(entry->sid))); + add_ike_sa_parameters(this, message, ike_sa); + + value = htonl(bytes_out); + message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); + value = htonl(bytes_out >> 32); + if (value) + { + message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, + chunk_from_thing(value)); + } + value = htonl(packets_out); + message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(bytes_in); + message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); + value = htonl(bytes_in >> 32); + if (value) + { + message->add(message, RAT_ACCT_INPUT_GIGAWORDS, + chunk_from_thing(value)); + } + value = htonl(packets_in); + message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(entry->interim.last - entry->created); + message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); + + schedule_interim(this, entry); + } + this->mutex->unlock(this->mutex); + + if (message) { - message->add(message, RAT_FRAMED_IP_ADDRESS, vip->get_address(vip)); + if (!send_message(this, message)) + { + eap_radius_handle_timeout(data->id); + } + message->destroy(message); } - if (vip && vip->get_family(vip) == AF_INET6) + return JOB_REQUEUE_NONE; +} + +/** + * Schedule interim update for given entry + */ +static void schedule_interim(private_eap_radius_accounting_t *this, + entry_t *entry) +{ + if (entry->interim.interval) { - /* we currently assign /128 prefixes, only (reserved, length) */ - data = chunk_from_chars(0, 128); - data = chunk_cata("cc", data, vip->get_address(vip)); - message->add(message, RAT_FRAMED_IPV6_PREFIX, data); + interim_data_t *data; + timeval_t tv = { + .tv_sec = entry->interim.last + entry->interim.interval, + }; + + INIT(data, + .this = this, + .id = entry->id->clone(entry->id), + ); + lib->scheduler->schedule_job_tv(lib->scheduler, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)send_interim, + data, (void*)destroy_interim_data, + (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv); } } /** + * Check if an IKE_SA has assigned a virtual IP (to peer) + */ +static bool has_vip(ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + host_t *host; + bool found; + + enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE); + found = enumerator->enumerate(enumerator, &host); + enumerator->destroy(enumerator); + + return found; +} + +/** * Send an accounting start message */ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; entry_t *entry; - u_int32_t id, value; + u_int32_t value; - id = ike_sa->get_unique_id(ike_sa); - INIT(entry, - .created = time_monotonic(NULL), - ); - snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, id); + if (this->acct_req_vip && !has_vip(ike_sa)) + { + return; + } + + this->mutex->lock(this->mutex); + + entry = get_or_create_entry(this, ike_sa); + entry->start_sent = TRUE; message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_START); message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); - add_ike_sa_parameters(message, ike_sa); - if (send_message(this, message)) + + schedule_interim(this, entry); + this->mutex->unlock(this->mutex); + + add_ike_sa_parameters(this, message, ike_sa); + if (!send_message(this, message)) { - this->mutex->lock(this->mutex); - entry = this->sessions->put(this->sessions, (void*)(uintptr_t)id, entry); - this->mutex->unlock(this->mutex); - free(entry); + eap_radius_handle_timeout(ike_sa->get_id(ike_sa)); } message->destroy(message); } @@ -209,45 +501,91 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; entry_t *entry; - u_int32_t id, value; + u_int32_t value; - id = ike_sa->get_unique_id(ike_sa); this->mutex->lock(this->mutex); - entry = this->sessions->remove(this->sessions, (void*)(uintptr_t)id); + entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa)); this->mutex->unlock(this->mutex); if (entry) { + if (!entry->start_sent) + { /* we tried to authenticate this peer, but never sent a start */ + destroy_entry(entry); + return; + } message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_STOP); message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); - add_ike_sa_parameters(message, ike_sa); - value = htonl(entry->sent); + add_ike_sa_parameters(this, message, ike_sa); + + value = htonl(entry->bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->sent >> 32); + value = htonl(entry->bytes.sent >> 32); if (value) { message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(entry->received); + value = htonl(entry->packets.sent); + message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(entry->bytes.received); message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->received >> 32); + value = htonl(entry->bytes.received >> 32); if (value) { message->add(message, RAT_ACCT_INPUT_GIGAWORDS, chunk_from_thing(value)); } + value = htonl(entry->packets.received); + message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); + value = htonl(time_monotonic(NULL) - entry->created); message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); - send_message(this, message); + + value = htonl(entry->cause); + message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value)); + + if (!send_message(this, message)) + { + eap_radius_handle_timeout(NULL); + } message->destroy(message); - free(entry); + destroy_entry(entry); } } +METHOD(listener_t, alert, bool, + private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, alert_t alert, + va_list args) +{ + radius_acct_terminate_cause_t cause; + entry_t *entry; + + switch (alert) + { + case ALERT_IKE_SA_EXPIRED: + cause = ACCT_CAUSE_SESSION_TIMEOUT; + break; + case ALERT_RETRANSMIT_SEND_TIMEOUT: + cause = ACCT_CAUSE_LOST_SERVICE; + break; + default: + return TRUE; + } + this->mutex->lock(this->mutex); + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (entry) + { + entry->cause = cause; + } + this->mutex->unlock(this->mutex); + return TRUE; +} + METHOD(listener_t, ike_updown, bool, private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool up) { @@ -271,15 +609,50 @@ METHOD(listener_t, ike_updown, bool, METHOD(listener_t, message_hook, bool, private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, - message_t *message, bool incoming) + message_t *message, bool incoming, bool plain) { /* start accounting here, virtual IP now is set */ - if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && - message->get_exchange_type(message) == IKE_AUTH && + if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && !incoming && !message->get_request(message)) { - send_start(this, ike_sa); + if (ike_sa->get_version(ike_sa) == IKEV1 && + message->get_exchange_type(message) == TRANSACTION) + { + send_start(this, ike_sa); + } + if (ike_sa->get_version(ike_sa) == IKEV2 && + message->get_exchange_type(message) == IKE_AUTH) + { + send_start(this, ike_sa); + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_eap_radius_accounting_t *this, ike_sa_t *old, ike_sa_t *new) +{ + entry_t *entry; + + this->mutex->lock(this->mutex); + entry = this->sessions->remove(this->sessions, old->get_id(old)); + if (entry) + { + /* update IKE_SA identifier */ + entry->id->destroy(entry->id); + entry->id = new->get_id(new); + entry->id = entry->id->clone(entry->id); + /* fire new interim update job, old gets invalid */ + schedule_interim(this, entry); + + entry = this->sessions->put(this->sessions, entry->id, entry); + if (entry) + { + destroy_entry(entry); + } } + this->mutex->unlock(this->mutex); + return TRUE; } @@ -306,6 +679,8 @@ METHOD(listener_t, child_updown, bool, METHOD(eap_radius_accounting_t, destroy, void, private_eap_radius_accounting_t *this) { + charon->bus->remove_listener(charon->bus, &this->public.listener); + singleton = NULL; this->mutex->destroy(this->mutex); this->sessions->destroy(this->sessions); free(this); @@ -321,7 +696,9 @@ eap_radius_accounting_t *eap_radius_accounting_create() INIT(this, .public = { .listener = { + .alert = _alert, .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, .message = _message_hook, .child_updown = _child_updown, .child_rekey = _child_rekey, @@ -334,6 +711,41 @@ eap_radius_accounting_t *eap_radius_accounting_create() (hashtable_equals_t)equals, 32), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.station_id_with_port", TRUE, charon->name)) + { + this->station_id_fmt = "%#H"; + } + else + { + this->station_id_fmt = "%H"; + } + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting", FALSE, charon->name)) + { + singleton = this; + charon->bus->add_listener(charon->bus, &this->public.listener); + } + this->acct_req_vip = lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting_requires_vip", + FALSE, charon->name); return &this->public; } + +/** + * See header + */ +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval) +{ + if (singleton) + { + entry_t *entry; + + DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval); + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa); + entry->interim.interval = interval; + singleton->mutex->unlock(singleton->mutex); + } +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index 811a5bb90..8d4f9a0e1 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -46,4 +46,12 @@ struct eap_radius_accounting_t { */ eap_radius_accounting_t *eap_radius_accounting_create(); +/** + * Schedule Accounting interim updates for the given IKE_SA. + * + * @param ike_sa IKE_SA to send updates for + * @param interval interval for interim updates + */ +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval); + #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_dae.c b/src/libcharon/plugins/eap_radius/eap_radius_dae.c index e84fe5b9c..f22ddc56f 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_dae.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_dae.c @@ -53,11 +53,6 @@ struct private_eap_radius_dae_t { int fd; /** - * Listen job - */ - callback_job_t *job; - - /** * RADIUS shared secret for DAE exchanges */ chunk_t secret; @@ -189,11 +184,16 @@ static void send_response(private_eap_radius_dae_t *this, response = radius_message_create(code); response->set_identifier(response, request->get_identifier(request)); - response->sign(response, request->get_authenticator(request), - this->secret, this->hasher, this->signer, NULL, FALSE); - - send_message(this, response, client); - save_retransmit(this, response, client); + if (response->sign(response, request->get_authenticator(request), + this->secret, this->hasher, this->signer, NULL, FALSE)) + { + send_message(this, response, client); + save_retransmit(this, response, client); + } + else + { + response->destroy(response); + } } /** @@ -379,21 +379,17 @@ static void process_coa(private_eap_radius_dae_t *this, /** * Receive RADIUS DAE requests */ -static job_requeue_t receive(private_eap_radius_dae_t *this) +static bool receive(private_eap_radius_dae_t *this) { struct sockaddr_storage addr; socklen_t addr_len = sizeof(addr); radius_message_t *request; char buf[2048]; ssize_t len; - bool oldstate; host_t *client; - oldstate = thread_cancelability(TRUE); - len = recvfrom(this->fd, buf, sizeof(buf), 0, + len = recvfrom(this->fd, buf, sizeof(buf), MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len); - thread_cancelability(oldstate); - if (len > 0) { request = radius_message_parse(chunk_create(buf, len)); @@ -433,11 +429,11 @@ static job_requeue_t receive(private_eap_radius_dae_t *this) DBG1(DBG_NET, "ignoring invalid RADIUS DAE request"); } } - else + else if (errno != EWOULDBLOCK) { DBG1(DBG_NET, "receiving RADIUS DAE request failed: %s", strerror(errno)); } - return JOB_REQUEUE_DIRECT; + return TRUE; } /** @@ -456,9 +452,11 @@ static bool open_socket(private_eap_radius_dae_t *this) host = host_create_from_string( lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.dae.listen", "0.0.0.0"), + "%s.plugins.eap-radius.dae.listen", "0.0.0.0", + charon->name), lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.dae.port", RADIUS_DAE_PORT)); + "%s.plugins.eap-radius.dae.port", RADIUS_DAE_PORT, + charon->name)); if (!host) { DBG1(DBG_CFG, "invalid RADIUS DAE listen address"); @@ -479,12 +477,9 @@ static bool open_socket(private_eap_radius_dae_t *this) METHOD(eap_radius_dae_t, destroy, void, private_eap_radius_dae_t *this) { - if (this->job) - { - this->job->cancel(this->job); - } if (this->fd != -1) { + lib->watcher->remove(lib->watcher, this->fd); close(this->fd); } DESTROY_IF(this->signer); @@ -508,7 +503,8 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting) .fd = -1, .secret = { .ptr = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.dae.secret", NULL), + "%s.plugins.eap-radius.dae.secret", NULL, + charon->name), }, .hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5), .signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128), @@ -527,17 +523,15 @@ eap_radius_dae_t *eap_radius_dae_create(eap_radius_accounting_t *accounting) return NULL; } this->secret.len = strlen(this->secret.ptr); - this->signer->set_key(this->signer, this->secret); - - if (!open_socket(this)) + if (!this->signer->set_key(this->signer, this->secret) || + !open_socket(this)) { destroy(this); return NULL; } - this->job = callback_job_create_with_prio((callback_job_cb_t)receive, - this, NULL, NULL, JOB_PRIO_CRITICAL); - lib->processor->queue_job(lib->processor, (job_t*)this->job); + lib->watcher->add(lib->watcher, this->fd, WATCHER_READ, + (watcher_cb_t)receive, this); return &this->public; } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_forward.c b/src/libcharon/plugins/eap_radius/eap_radius_forward.c index cb4ca74e3..3e80e8918 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_forward.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_forward.c @@ -16,8 +16,8 @@ #include "eap_radius_forward.h" #include <daemon.h> -#include <utils/linked_list.h> -#include <utils/hashtable.h> +#include <collections/linked_list.h> +#include <collections/hashtable.h> #include <threading/mutex.h> typedef struct private_eap_radius_forward_t private_eap_radius_forward_t; @@ -248,7 +248,8 @@ static void ike2queue(message_t *message, linked_list_t *queue, enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { - if (payload->get_type(payload) == NOTIFY) + if (payload->get_type(payload) == NOTIFY || + payload->get_type(payload) == NOTIFY_V1) { notify = (notify_payload_t*)payload; if (notify->get_notify_type(notify) == RADIUS_ATTRIBUTE) @@ -319,11 +320,11 @@ void eap_radius_forward_to_ike(radius_message_t *response) METHOD(listener_t, message, bool, private_eap_radius_forward_t *this, - ike_sa_t *ike_sa, message_t *message, bool incoming) + ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain) { linked_list_t *queue; - if (message->get_exchange_type(message) == IKE_AUTH) + if (plain && message->get_exchange_type(message) == IKE_AUTH) { if (incoming) { @@ -436,9 +437,11 @@ eap_radius_forward_t *eap_radius_forward_create() .destroy = _destroy, }, .from_attr = parse_selector(lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.forward.ike_to_radius", "")), + "%s.plugins.eap-radius.forward.ike_to_radius", "", + charon->name)), .to_attr = parse_selector(lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.forward.radius_to_ike", "")), + "%s.plugins.eap-radius.forward.radius_to_ike", "", + charon->name)), .from = hashtable_create((hashtable_hash_t)hash, (hashtable_equals_t)equals, 8), .to = hashtable_create((hashtable_hash_t)hash, diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 8ee0ab81a..90a4ef6de 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2013 Tobias Brunner * Copyright (C) 2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -16,15 +17,19 @@ #include "eap_radius_plugin.h" #include "eap_radius.h" +#include "eap_radius_xauth.h" #include "eap_radius_accounting.h" #include "eap_radius_dae.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" #include <radius_client.h> #include <radius_config.h> -#include <daemon.h> +#include <hydra.h> #include <threading/rwlock.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/delete_ike_sa_job.h> /** * Default RADIUS server port for authentication @@ -64,6 +69,11 @@ struct private_eap_radius_plugin_t { eap_radius_accounting_t *accounting; /** + * IKE attribute provider + */ + eap_radius_provider_t *provider; + + /** * Dynamic authorization extensions */ eap_radius_dae_t *dae; @@ -90,22 +100,23 @@ static void load_configs(private_eap_radius_plugin_t *this) int auth_port, acct_port, sockets, preference; address = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.server", NULL); + "%s.plugins.eap-radius.server", NULL, charon->name); if (address) { /* legacy configuration */ secret = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.secret", NULL); + "%s.plugins.eap-radius.secret", NULL, charon->name); if (!secret) { - DBG1(DBG_CFG, "no RADUIS secret defined"); + DBG1(DBG_CFG, "no RADIUS secret defined"); return; } nas_identifier = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.nas_identifier", "strongSwan"); + "%s.plugins.eap-radius.nas_identifier", "strongSwan", + charon->name); auth_port = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.port", AUTH_PORT); + "%s.plugins.eap-radius.port", AUTH_PORT, charon->name); sockets = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.sockets", 1); + "%s.plugins.eap-radius.sockets", 1, charon->name); config = radius_config_create(address, address, auth_port, ACCT_PORT, nas_identifier, secret, sockets, 0); if (!config) @@ -118,38 +129,43 @@ static void load_configs(private_eap_radius_plugin_t *this) } enumerator = lib->settings->create_section_enumerator(lib->settings, - "charon.plugins.eap-radius.servers"); + "%s.plugins.eap-radius.servers", charon->name); while (enumerator->enumerate(enumerator, §ion)) { address = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.servers.%s.address", NULL, section); + "%s.plugins.eap-radius.servers.%s.address", NULL, + charon->name, section); if (!address) { DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section); continue; } secret = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.servers.%s.secret", NULL, section); + "%s.plugins.eap-radius.servers.%s.secret", NULL, + charon->name, section); if (!secret) { DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section); continue; } nas_identifier = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.servers.%s.nas_identifier", - "strongSwan", section); + "%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan", + charon->name, section); auth_port = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.servers.%s.auth_port", + "%s.plugins.eap-radius.servers.%s.auth_port", lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.servers.%s.port", - AUTH_PORT, section), - section); + "%s.plugins.eap-radius.servers.%s.port", + AUTH_PORT, charon->name, section), + charon->name, section); acct_port = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT, section); + "%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT, + charon->name, section); sockets = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.servers.%s.sockets", 1, section); + "%s.plugins.eap-radius.servers.%s.sockets", 1, + charon->name, section); preference = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.servers.%s.preference", 0, section); + "%s.plugins.eap-radius.servers.%s.preference", 0, + charon->name, section); config = radius_config_create(section, address, auth_port, acct_port, nas_identifier, secret, sockets, preference); if (!config) @@ -172,12 +188,60 @@ METHOD(plugin_t, get_name, char*, return "eap-radius"; } +/** + * Register listener + */ +static bool plugin_cb(private_eap_radius_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + this->accounting = eap_radius_accounting_create(); + this->forward = eap_radius_forward_create(); + this->provider = eap_radius_provider_create(); + + load_configs(this); + + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.dae.enable", FALSE, charon->name)) + { + this->dae = eap_radius_dae_create(this->accounting); + } + if (this->forward) + { + charon->bus->add_listener(charon->bus, &this->forward->listener); + } + hydra->attributes->add_provider(hydra->attributes, + &this->provider->provider); + } + else + { + hydra->attributes->remove_provider(hydra->attributes, + &this->provider->provider); + if (this->forward) + { + charon->bus->remove_listener(charon->bus, &this->forward->listener); + this->forward->destroy(this->forward); + } + DESTROY_IF(this->dae); + this->provider->destroy(this->provider); + this->accounting->destroy(this->accounting); + } + return TRUE; +} + METHOD(plugin_t, get_features, int, - eap_radius_plugin_t *this, plugin_feature_t *features[]) + private_eap_radius_plugin_t *this, plugin_feature_t *features[]) { static plugin_feature_t f[] = { PLUGIN_CALLBACK(eap_method_register, eap_radius_create), PLUGIN_PROVIDE(EAP_SERVER, EAP_RADIUS), + PLUGIN_DEPENDS(CUSTOM, "eap-radius"), + PLUGIN_CALLBACK(xauth_method_register, eap_radius_xauth_create_server), + PLUGIN_PROVIDE(XAUTH_SERVER, "radius"), + PLUGIN_DEPENDS(CUSTOM, "eap-radius"), + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "eap-radius"), PLUGIN_DEPENDS(HASHER, HASH_MD5), PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_MD5_128), PLUGIN_DEPENDS(RNG, RNG_WEAK), @@ -201,17 +265,9 @@ METHOD(plugin_t, reload, bool, METHOD(plugin_t, destroy, void, private_eap_radius_plugin_t *this) { - if (this->forward) - { - charon->bus->remove_listener(charon->bus, &this->forward->listener); - this->forward->destroy(this->forward); - } - DESTROY_IF(this->dae); this->configs->destroy_offset(this->configs, offsetof(radius_config_t, destroy)); this->lock->destroy(this->lock); - charon->bus->remove_listener(charon->bus, &this->accounting->listener); - this->accounting->destroy(this->accounting); free(this); instance = NULL; } @@ -234,28 +290,9 @@ plugin_t *eap_radius_plugin_create() }, .configs = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - .accounting = eap_radius_accounting_create(), - .forward = eap_radius_forward_create(), ); - - load_configs(this); instance = this; - if (lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.accounting", FALSE)) - { - charon->bus->add_listener(charon->bus, &this->accounting->listener); - } - if (lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.dae.enable", FALSE)) - { - this->dae = eap_radius_dae_create(this->accounting); - } - if (this->forward) - { - charon->bus->add_listener(charon->bus, &this->forward->listener); - } - return &this->public.plugin; } @@ -302,3 +339,47 @@ radius_client_t *eap_radius_create_client() return NULL; } +/** + * Job to delete all active IKE_SAs + */ +static job_requeue_t delete_all_async(void *data) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + + enumerator = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager, TRUE); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + lib->processor->queue_job(lib->processor, + (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)); + } + enumerator->destroy(enumerator); + + return JOB_REQUEUE_NONE; +} + +/** + * See header. + */ +void eap_radius_handle_timeout(ike_sa_id_t *id) +{ + charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); + + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.close_all_on_timeout", + FALSE, charon->name)) + { + DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout"); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)delete_all_async, NULL, NULL, + (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); + } + else if (id) + { + DBG1(DBG_CFG, "deleting IKE_SA after RADIUS timeout"); + lib->processor->queue_job(lib->processor, + (job_t*)delete_ike_sa_job_create(id, TRUE)); + } +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h index 1570bd566..80fa209d6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h @@ -27,6 +27,7 @@ #include <plugins/plugin.h> #include <radius_client.h> +#include <daemon.h> typedef struct eap_radius_plugin_t eap_radius_plugin_t; @@ -51,4 +52,14 @@ struct eap_radius_plugin_t { */ radius_client_t *eap_radius_create_client(); +/** + * Handle a RADIUS request timeout. + * + * If an IKE_SA is given, it gets deleted (unless the policy says to delete + * any established IKE_SA). + * + * @param id associated IKE_SA where timeout happened, or NULL + */ +void eap_radius_handle_timeout(ike_sa_id_t *id); + #endif /** EAP_RADIUS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c new file mode 100644 index 000000000..7c794616b --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -0,0 +1,550 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_radius_provider.h" + +#include <daemon.h> +#include <collections/hashtable.h> +#include <threading/mutex.h> + +typedef struct private_eap_radius_provider_t private_eap_radius_provider_t; +typedef struct private_listener_t private_listener_t; + +/** + * Private data of registered listener + */ +struct private_listener_t { + + /** + * Implements listener_t interface + */ + listener_t public; + + /** + * Leases not acquired yet, identification_t => entry_t + */ + hashtable_t *unclaimed; + + /** + * Leases acquired, identification_t => entry_t + */ + hashtable_t *claimed; + + /** + * Mutex to lock leases + */ + mutex_t *mutex; +}; + +/** + * Private data of an eap_radius_provider_t object. + */ +struct private_eap_radius_provider_t { + + /** + * Public eap_radius_provider_t interface. + */ + eap_radius_provider_t public; + + /** + * Additionally implements the listener_t interface + */ + private_listener_t listener; +}; + +/** + * Singleton instance of provider + */ +static eap_radius_provider_t *singleton = NULL; + +/** + * Configuration attribute in an entry + */ +typedef struct { + /** type of attribute */ + configuration_attribute_type_t type; + /** attribute data */ + chunk_t data; +} attr_t; + +/** + * Destroy an attr_t + */ +static void destroy_attr(attr_t *this) +{ + free(this->data.ptr); + free(this); +} + +/** + * Hashtable entry with leases and attributes + */ +typedef struct { + /** IKE_SA uniqe id we assign the IP lease */ + uintptr_t id; + /** list of IP leases received from AAA, as host_t */ + linked_list_t *addrs; + /** list of configuration attributes, as attr_t */ + linked_list_t *attrs; +} entry_t; + +/** + * destroy an entry_t + */ +static void destroy_entry(entry_t *this) +{ + this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy)); + this->attrs->destroy_function(this->attrs, (void*)destroy_attr); + free(this); +} + +/** + * Get or create an entry from a locked hashtable + */ +static entry_t* get_or_create_entry(hashtable_t *hashtable, uintptr_t id) +{ + entry_t *entry; + + entry = hashtable->get(hashtable, (void*)id); + if (!entry) + { + INIT(entry, + .id = id, + .addrs = linked_list_create(), + .attrs = linked_list_create(), + ); + hashtable->put(hashtable, (void*)id, entry); + } + return entry; +} + +/** + * Put an entry to hashtable, or destroy it ife empty + */ +static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry) +{ + if (entry->addrs->get_count(entry->addrs) > 0 || + entry->attrs->get_count(entry->attrs) > 0) + { + hashtable->put(hashtable, (void*)entry->id, entry); + } + else + { + destroy_entry(entry); + } +} + +/** + * Hashtable hash function + */ +static u_int hash(uintptr_t id) +{ + return id; +} + +/** + * Hashtable equals function + */ +static bool equals(uintptr_t a, uintptr_t b) +{ + return a == b; +} + +/** + * Insert an address entry to a locked claimed/unclaimed hashtable + */ +static void add_addr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, uintptr_t id, host_t *host) +{ + entry_t *entry; + + entry = get_or_create_entry(hashtable, id); + entry->addrs->insert_last(entry->addrs, host); +} + +/** + * Remove the next address from the locked hashtable stored for given id + */ +static host_t* remove_addr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, uintptr_t id) +{ + entry_t *entry; + host_t *addr = NULL; + + entry = hashtable->remove(hashtable, (void*)id); + if (entry) + { + entry->addrs->remove_first(entry->addrs, (void**)&addr); + put_or_destroy_entry(hashtable, entry); + } + return addr; +} + +/** + * Insert an attribute entry to a locked claimed/unclaimed hashtable + */ +static void add_attr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, uintptr_t id, attr_t *attr) +{ + entry_t *entry; + + entry = get_or_create_entry(hashtable, id); + entry->attrs->insert_last(entry->attrs, attr); +} + +/** + * Remove the next attribute from the locked hashtable stored for given id + */ +static attr_t* remove_attr(private_eap_radius_provider_t *this, + hashtable_t *hashtable, uintptr_t id) +{ + entry_t *entry; + attr_t *attr = NULL; + + entry = hashtable->remove(hashtable, (void*)id); + if (entry) + { + entry->attrs->remove_first(entry->attrs, (void**)&attr); + put_or_destroy_entry(hashtable, entry); + } + return attr; +} + +/** + * Clean up unclaimed leases assigned for an IKE_SA + */ +static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa) +{ + uintptr_t id; + entry_t *entry; + + id = ike_sa->get_unique_id(ike_sa); + this->mutex->lock(this->mutex); + entry = this->unclaimed->remove(this->unclaimed, (void*)id); + this->mutex->unlock(this->mutex); + if (entry) + { + destroy_entry(entry); + } +} + +METHOD(listener_t, message_hook, bool, + private_listener_t *this, ike_sa_t *ike_sa, + message_t *message, bool incoming, bool plain) +{ + if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + !incoming && !message->get_request(message)) + { + if ((ike_sa->get_version(ike_sa) == IKEV1 && + message->get_exchange_type(message) == TRANSACTION) || + (ike_sa->get_version(ike_sa) == IKEV2 && + message->get_exchange_type(message) == IKE_AUTH)) + { + /* if the addresses have not been claimed yet, they won't. Release + * these resources. */ + release_unclaimed(this, ike_sa); + } + } + return TRUE; +} + +METHOD(listener_t, ike_updown, bool, + private_listener_t *this, ike_sa_t *ike_sa, bool up) +{ + if (!up) + { + /* if the message hook does not apply because of a failed exchange + * or something, make sure we release any resources now */ + release_unclaimed(this, ike_sa); + } + return TRUE; +} + +/** + * Migrate an entry in hashtable from old to new id + */ +static void migrate_entry(hashtable_t *table, uintptr_t old, uintptr_t new) +{ + entry_t *entry; + + entry = table->remove(table, (void*)old); + if (entry) + { + entry->id = new; + entry = table->put(table, (void*)new, entry); + if (entry) + { /* shouldn't happen */ + destroy_entry(entry); + } + } +} + +METHOD(listener_t, ike_rekey, bool, + private_listener_t *this, ike_sa_t *old, ike_sa_t *new) +{ + uintptr_t old_id, new_id; + + old_id = old->get_unique_id(old); + new_id = new->get_unique_id(new); + + this->mutex->lock(this->mutex); + + migrate_entry(this->unclaimed, old_id, new_id); + migrate_entry(this->claimed, old_id, new_id); + + this->mutex->unlock(this->mutex); + + return TRUE; +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_eap_radius_provider_t *this, linked_list_t *pools, + identification_t *id, host_t *requested) +{ + enumerator_t *enumerator; + host_t *addr = NULL; + ike_sa_t *ike_sa; + uintptr_t sa; + char *name; + + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + return NULL; + } + sa = ike_sa->get_unique_id(ike_sa); + + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + if (streq(name, "radius")) + { + this->listener.mutex->lock(this->listener.mutex); + addr = remove_addr(this, this->listener.unclaimed, sa); + if (addr) + { + add_addr(this, this->listener.claimed, sa, addr->clone(addr)); + } + this->listener.mutex->unlock(this->listener.mutex); + break; + } + } + enumerator->destroy(enumerator); + + return addr; +} + +METHOD(attribute_provider_t, release_address, bool, + private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address, + identification_t *id) +{ + enumerator_t *enumerator; + host_t *found = NULL; + ike_sa_t *ike_sa; + uintptr_t sa; + char *name; + + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + return FALSE; + } + sa = ike_sa->get_unique_id(ike_sa); + + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + if (streq(name, "radius")) + { + this->listener.mutex->lock(this->listener.mutex); + found = remove_addr(this, this->listener.claimed, sa); + this->listener.mutex->unlock(this->listener.mutex); + break; + } + } + enumerator->destroy(enumerator); + + if (found) + { + found->destroy(found); + return TRUE; + } + return FALSE; +} + +/** + * Enumerator implementation over attributes + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** list of attributes to enumerate */ + linked_list_t *list; + /** currently enumerating attribute */ + attr_t *current; +} attribute_enumerator_t; + + +METHOD(enumerator_t, attribute_enumerate, bool, + attribute_enumerator_t *this, configuration_attribute_type_t *type, + chunk_t *data) +{ + if (this->current) + { + destroy_attr(this->current); + this->current = NULL; + } + if (this->list->remove_first(this->list, (void**)&this->current) == SUCCESS) + { + *type = this->current->type; + *data = this->current->data; + return TRUE; + } + return FALSE; +} + +METHOD(enumerator_t, attribute_destroy, void, + attribute_enumerator_t *this) +{ + if (this->current) + { + destroy_attr(this->current); + } + this->list->destroy_function(this->list, (void*)destroy_attr); + free(this); +} + +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_eap_radius_provider_t *this, linked_list_t *pools, + identification_t *id, linked_list_t *vips) +{ + attribute_enumerator_t *enumerator; + attr_t *attr; + ike_sa_t *ike_sa; + uintptr_t sa; + + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + return NULL; + } + sa = ike_sa->get_unique_id(ike_sa); + + INIT(enumerator, + .public = { + .enumerate = (void*)_attribute_enumerate, + .destroy = _attribute_destroy, + }, + .list = linked_list_create(), + ); + + /* we forward attributes regardless of pool configurations */ + this->listener.mutex->lock(this->listener.mutex); + while (TRUE) + { + attr = remove_attr(this, this->listener.unclaimed, sa); + if (!attr) + { + break; + } + enumerator->list->insert_last(enumerator->list, attr); + } + this->listener.mutex->unlock(this->listener.mutex); + + return &enumerator->public; +} + +METHOD(eap_radius_provider_t, add_framed_ip, void, + private_eap_radius_provider_t *this, u_int32_t id, host_t *ip) +{ + this->listener.mutex->lock(this->listener.mutex); + add_addr(this, this->listener.unclaimed, id, ip); + this->listener.mutex->unlock(this->listener.mutex); +} + +METHOD(eap_radius_provider_t, add_attribute, void, + private_eap_radius_provider_t *this, u_int32_t id, + configuration_attribute_type_t type, chunk_t data) +{ + attr_t *attr; + + INIT(attr, + .type = type, + .data = chunk_clone(data), + ); + this->listener.mutex->lock(this->listener.mutex); + add_attr(this, this->listener.unclaimed, id, attr); + this->listener.mutex->unlock(this->listener.mutex); +} + +METHOD(eap_radius_provider_t, destroy, void, + private_eap_radius_provider_t *this) +{ + singleton = NULL; + charon->bus->remove_listener(charon->bus, &this->listener.public); + this->listener.mutex->destroy(this->listener.mutex); + this->listener.claimed->destroy(this->listener.claimed); + this->listener.unclaimed->destroy(this->listener.unclaimed); + free(this); +} + +/** + * See header + */ +eap_radius_provider_t *eap_radius_provider_create() +{ + if (!singleton) + { + private_eap_radius_provider_t *this; + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .add_framed_ip = _add_framed_ip, + .add_attribute = _add_attribute, + .destroy = _destroy, + }, + .listener = { + .public = { + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .message = _message_hook, + }, + .claimed = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 32), + .unclaimed = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 32), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + }, + ); + + charon->bus->add_listener(charon->bus, &this->listener.public); + + singleton = &this->public; + } + return singleton; +} + +/** + * See header + */ +eap_radius_provider_t *eap_radius_provider_get() +{ + return singleton; +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h new file mode 100644 index 000000000..5a62f4a38 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_radius_provider eap_radius_provider + * @{ @ingroup eap_radius + */ + +#ifndef EAP_RADIUS_PROVIDER_H_ +#define EAP_RADIUS_PROVIDER_H_ + +#include <attributes/attributes.h> +#include <attributes/attribute_provider.h> + +typedef struct eap_radius_provider_t eap_radius_provider_t; + +/** + * IKE configuration attribute fed by RADIUS attributes + */ +struct eap_radius_provider_t { + + /** + * Implements attribute_provider_t + */ + attribute_provider_t provider; + + /** + * Add a received Framed-IP-Address to the provider to serve to client. + * + * @param id IKE_SA unique identifier + * @param ip IP address received from RADIUS server, gets owned + */ + void (*add_framed_ip)(eap_radius_provider_t *this, u_int32_t id, + host_t *ip); + + /** + * Add a configuration attribute received from RADIUS to forward. + * + * @param id IKE_SA unique identifier + * @param type attribute type + * @param data attribute data + */ + void (*add_attribute)(eap_radius_provider_t *this, u_int32_t id, + configuration_attribute_type_t type, chunk_t data); + + /** + * Destroy a eap_radius_provider_t. + */ + void (*destroy)(eap_radius_provider_t *this); +}; + +/** + * Create a eap_radius_provider instance. + */ +eap_radius_provider_t *eap_radius_provider_create(); + +/** + * Get singleton instance previously created with eap_radius_provider_create(). + */ +eap_radius_provider_t *eap_radius_provider_get(); + +#endif /** EAP_RADIUS_PROVIDER_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c new file mode 100644 index 000000000..bd960d2bc --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c @@ -0,0 +1,202 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_radius_xauth.h" +#include "eap_radius_plugin.h" +#include "eap_radius.h" +#include "eap_radius_forward.h" + +#include <daemon.h> +#include <radius_client.h> + + +typedef struct private_eap_radius_xauth_t private_eap_radius_xauth_t; + +/** + * Private data of an eap_radius_xauth_t object. + */ +struct private_eap_radius_xauth_t { + + /** + * Public interface. + */ + eap_radius_xauth_t public; + + /** + * ID of the server + */ + identification_t *server; + + /** + * ID of the peer + */ + identification_t *peer; + + /** + * RADIUS connection + */ + radius_client_t *client; +}; + +METHOD(xauth_method_t, initiate, status_t, + private_eap_radius_xauth_t *this, cp_payload_t **out) +{ + cp_payload_t *cp; + + cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REQUEST); + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_NAME, chunk_empty)); + cp->add_attribute(cp, configuration_attribute_create_chunk( + CONFIGURATION_ATTRIBUTE_V1, XAUTH_USER_PASSWORD, chunk_empty)); + *out = cp; + return NEED_MORE; +} + +/** + * Verify a password using RADIUS User-Name/User-Password attributes + */ +static status_t verify_radius(private_eap_radius_xauth_t *this, chunk_t pass) +{ + radius_message_t *request, *response; + status_t status = FAILED; + + request = radius_message_create(RMC_ACCESS_REQUEST); + request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_PASSWORD, pass); + + eap_radius_build_attributes(request); + eap_radius_forward_from_ike(request); + + response = this->client->request(this->client, request); + if (response) + { + eap_radius_forward_to_ike(response); + switch (response->get_code(response)) + { + case RMC_ACCESS_ACCEPT: + eap_radius_process_attributes(response); + status = SUCCESS; + break; + case RMC_ACCESS_CHALLENGE: + DBG1(DBG_IKE, "RADIUS Access-Challenge not supported"); + /* FALL */ + case RMC_ACCESS_REJECT: + default: + DBG1(DBG_IKE, "RADIUS authentication of '%Y' failed", + this->peer); + break; + } + response->destroy(response); + } + else + { + eap_radius_handle_timeout(NULL); + } + request->destroy(request); + return status; +} + +METHOD(xauth_method_t, process, status_t, + private_eap_radius_xauth_t *this, cp_payload_t *in, cp_payload_t **out) +{ + configuration_attribute_t *attr; + enumerator_t *enumerator; + identification_t *id; + chunk_t user = chunk_empty, pass = chunk_empty; + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &attr)) + { + switch (attr->get_type(attr)) + { + case XAUTH_USER_NAME: + user = attr->get_chunk(attr); + break; + case XAUTH_USER_PASSWORD: + pass = attr->get_chunk(attr); + /* trim password to any null termination. As User-Password + * uses null padding, we can't have any null in it, and some + * clients actually send null terminated strings (Android). */ + pass.len = strnlen(pass.ptr, pass.len); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (!user.ptr || !pass.ptr) + { + DBG1(DBG_IKE, "peer did not respond to our XAuth request"); + return FAILED; + } + if (user.len) + { + id = identification_create_from_data(user); + if (!id) + { + DBG1(DBG_IKE, "failed to parse provided XAuth username"); + return FAILED; + } + this->peer->destroy(this->peer); + this->peer = id; + } + return verify_radius(this, pass); +} + +METHOD(xauth_method_t, get_identity, identification_t*, + private_eap_radius_xauth_t *this) +{ + return this->peer; +} + +METHOD(xauth_method_t, destroy, void, + private_eap_radius_xauth_t *this) +{ + DESTROY_IF(this->client); + this->server->destroy(this->server); + this->peer->destroy(this->peer); + free(this); +} + +/* + * Described in header. + */ +eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server, + identification_t *peer) +{ + private_eap_radius_xauth_t *this; + + INIT(this, + .public = { + .xauth_method = { + .initiate = _initiate, + .process = _process, + .get_identity = _get_identity, + .destroy = _destroy, + }, + }, + .server = server->clone(server), + .peer = peer->clone(peer), + .client = eap_radius_create_client(), + ); + + if (!this->client) + { + destroy(this); + return NULL; + } + return &this->public; +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.h b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h new file mode 100644 index 000000000..8571bbc9f --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2013 Martin Willi + * Copyright (C) 2013 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_radius_xauth eap_radius_xauth + * @{ @ingroup eap_radius + */ + +#ifndef EAP_RADIUS_XAUTH_H_ +#define EAP_RADIUS_XAUTH_H_ + +#include <sa/xauth/xauth_method.h> + +typedef struct eap_radius_xauth_t eap_radius_xauth_t; + +/** + * XAuth backend using plain RADIUS authentication (no EAP involved). + */ +struct eap_radius_xauth_t { + + /** + * Implements XAuth module interface + */ + xauth_method_t xauth_method; +}; + +/** + * Creates the RADIUS XAuth method, acting as server. + * + * @param server ID of the XAuth server + * @param peer ID of the XAuth client + * @return xauth_generic_t object + */ +eap_radius_xauth_t *eap_radius_xauth_create_server(identification_t *server, + identification_t *peer); + +#endif /** EAP_RADIUS_XAUTH_H_ @}*/ |