author | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 14:57:47 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-04-26 14:57:47 +0200 |
commit | 10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (patch) | |
tree | bf1d05a2e37dbd1911b86fcc026fbe49b0239c71 /src/libcharon/plugins/eap_radius | |
parent | 7585facf05d927eb6df3929ce09ed5e60d905437 (diff) | |
Imported Upstream version 5.0.3
Diffstat (limited to 'src/libcharon/plugins/eap_radius')
-rw-r--r-- | src/libcharon/plugins/eap_radius/Makefile.am | 1 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/Makefile.in | 39 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius.c | 142 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_accounting.c | 425 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_accounting.h | 8 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 66 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_plugin.h | 11 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.c | 486 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_radius/eap_radius_provider.h | 74 |
9 files changed, 1173 insertions, 79 deletions
diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am index 181497ab5..628adbeb3 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.am +++ b/src/libcharon/plugins/eap_radius/Makefile.am @@ -15,6 +15,7 @@ libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ eap_radius_accounting.h eap_radius_accounting.c \ + eap_radius_provider.h eap_radius_provider.c \ eap_radius_dae.h eap_radius_dae.c \ eap_radius_forward.h eap_radius_forward.c diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 86d26390f..a686dde90 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -16,6 +16,23 @@ @SET_MAKE@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
@@ -84,8 +101,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) @MONOLITHIC_FALSE@libstrongswan_eap_radius_la_DEPENDENCIES = \ @MONOLITHIC_FALSE@ $(top_builddir)/src/libradius/libradius.la am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \ - eap_radius.lo eap_radius_accounting.lo eap_radius_dae.lo \ - eap_radius_forward.lo + eap_radius.lo eap_radius_accounting.lo eap_radius_provider.lo \ + eap_radius_dae.lo eap_radius_forward.lo libstrongswan_eap_radius_la_OBJECTS = \ $(am_libstrongswan_eap_radius_la_OBJECTS) libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \ @@ -110,6 +127,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(libstrongswan_eap_radius_la_SOURCES) DIST_SOURCES = $(libstrongswan_eap_radius_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -126,6 +148,8 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -142,6 +166,7 @@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -210,8 +235,6 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ -axis2c_CFLAGS = @axis2c_CFLAGS@ -axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -267,7 +290,6 @@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ -p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ 
@@ -312,6 +334,7 @@ libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ eap_radius_accounting.h eap_radius_accounting.c \ + eap_radius_provider.h eap_radius_provider.c \ eap_radius_dae.h eap_radius_dae.c \ eap_radius_forward.h eap_radius_forward.c @@ -361,7 +384,6 @@ clean-noinstLTLIBRARIES: done install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -369,6 +391,8 @@ install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ } @@ -404,6 +428,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_dae.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_forward.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_provider.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index 6009d3a1f..59340df01 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c 
@@ -16,6 +16,8 @@ #include "eap_radius.h" #include "eap_radius_plugin.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" +#include "eap_radius_accounting.h" #include <radius_message.h> #include <radius_client.h> 
@@ -155,17 +157,67 @@ static bool radius2ike(private_eap_radius_t *this, return FALSE; } +/** + * Add a set of RADIUS attributes to a request message + */ +static void add_radius_request_attrs(private_eap_radius_t *this, + radius_message_t *request) +{ + ike_sa_t *ike_sa; + host_t *host; + char buf[40]; + u_int32_t value; + chunk_t chunk; + + chunk = chunk_from_str(this->id_prefix); + chunk = chunk_cata("cc", chunk, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_NAME, chunk); + + /* virtual NAS-Port-Type */ + value = htonl(5); + request->add(request, RAT_NAS_PORT_TYPE, chunk_from_thing(value)); + /* framed ServiceType */ + value = htonl(2); + request->add(request, RAT_SERVICE_TYPE, chunk_from_thing(value)); + + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + value = htonl(ike_sa->get_unique_id(ike_sa)); + request->add(request, RAT_NAS_PORT, chunk_from_thing(value)); + request->add(request, RAT_NAS_PORT_ID, + chunk_from_str(ike_sa->get_name(ike_sa))); + + host = ike_sa->get_my_host(ike_sa); + chunk = host->get_address(host); + switch (host->get_family(host)) + { + case AF_INET: + request->add(request, RAT_NAS_IP_ADDRESS, chunk); + break; + case AF_INET6: + request->add(request, RAT_NAS_IPV6_ADDRESS, chunk); + default: + break; + } + snprintf(buf, sizeof(buf), "%#H", host); + request->add(request, RAT_CALLED_STATION_ID, chunk_from_str(buf)); + host = ike_sa->get_other_host(ike_sa); + snprintf(buf, sizeof(buf), "%#H", host); + request->add(request, RAT_CALLING_STATION_ID, chunk_from_str(buf)); + } + + eap_radius_forward_from_ike(request); +} + METHOD(eap_method_t, initiate, status_t, private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; - chunk_t username; request = radius_message_create(RMC_ACCESS_REQUEST); - username = chunk_create(this->id_prefix, strlen(this->id_prefix)); - username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); - 
request->add(request, RAT_USER_NAME, username); + add_radius_request_attrs(this, request); if (this->eap_start) { @@ -175,7 +227,6 @@ METHOD(eap_method_t, initiate, status_t, { add_eap_identity(this, request); } - eap_radius_forward_from_ike(request); response = this->client->request(this->client, request); if (response) @@ -203,7 +254,7 @@ METHOD(eap_method_t, initiate, status_t, } else { - charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); + eap_radius_handle_timeout(NULL); } request->destroy(request); return status; @@ -303,7 +354,7 @@ static void process_filter_id(private_eap_radius_t *this, radius_message_t *msg) } /** - * Handle Session-Timeout attribte + * Handle Session-Timeout attribte and Interim updates */ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg) { 
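Review bot: In add_radius_request_attrs, `char buf[40]` looks too small for the `%#H` rendering of an IPv6 endpoint: 40 bytes hold a full IPv6 address and its terminator, so anything `%#H` adds beyond the address (presumably the port; its printf hook is not shown here) would be silently truncated by snprintf in Called-Station-Id and Calling-Station-Id. The accounting counterpart add_ike_sa_parameters in eap_radius_accounting.c formats the same two hosts into a 64-byte buffer, so the Access-Request and the Accounting-Request could carry different station ids for one session, which makes the two record types harder to correlate. I would size it the same way, `char buf[64];`. The AF_INET6 case also falls through to `default:` without its own `break;`, which is harmless today but easy to trip over when a case is added.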
@@ -312,19 +363,78 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg) chunk_t data; int type; - enumerator = msg->create_enumerator(msg); - while (enumerator->enumerate(enumerator, &type, &data)) + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) { - if (type == RAT_SESSION_TIMEOUT && data.len == 4) + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) { - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) + if (type == RAT_SESSION_TIMEOUT && data.len == 4) { ike_sa->set_auth_lifetime(ike_sa, untoh32(data.ptr)); } + else if (type == RAT_ACCT_INTERIM_INTERVAL && data.len == 4) + { + eap_radius_accounting_start_interim(ike_sa, untoh32(data.ptr)); + } } + enumerator->destroy(enumerator); + } +} + +/** + * Handle Framed-IP-Address and other IKE configuration attributes + */ +static void process_cfg_attributes(private_eap_radius_t *this, + radius_message_t *msg) +{ + eap_radius_provider_t *provider; + enumerator_t *enumerator; + ike_sa_t *ike_sa; + host_t *host; + chunk_t data; + int type, vendor; + + ike_sa = charon->bus->get_sa(charon->bus); + provider = eap_radius_provider_get(); + if (provider && ike_sa) + { + enumerator = msg->create_enumerator(msg); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4) + { + host = host_create_from_chunk(AF_INET, data, 0); + if (host) + { + provider->add_framed_ip(provider, this->peer, host); + } + } + } + enumerator->destroy(enumerator); + + enumerator = msg->create_vendor_enumerator(msg); + while (enumerator->enumerate(enumerator, &vendor, &type, &data)) + { + if (vendor == PEN_ALTIGA /* aka Cisco VPN3000 */) + { + switch (type) + { + case 15: /* CVPN3000-IPSec-Banner1 */ + case 36: /* CVPN3000-IPSec-Banner2 */ + if (ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY)) + { + provider->add_attribute(provider, this->peer, + UNITY_BANNER, data); + } + break; + default: + break; + 
} + } + } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); } METHOD(eap_method_t, process, status_t, @@ -335,7 +445,8 @@ METHOD(eap_method_t, process, status_t, chunk_t data; request = radius_message_create(RMC_ACCESS_REQUEST); - request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + add_radius_request_attrs(this, request); + data = in->get_data(in); DBG3(DBG_IKE, "%N payload %B", eap_type_names, this->type, &data); @@ -348,7 +459,6 @@ METHOD(eap_method_t, process, status_t, } request->add(request, RAT_EAP_MESSAGE, data); - eap_radius_forward_from_ike(request); response = this->client->request(this->client, request); if (response) { @@ -373,6 +483,7 @@ METHOD(eap_method_t, process, status_t, process_filter_id(this, response); } process_timeout(this, response); + process_cfg_attributes(this, response); DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful", this->peer); status = SUCCESS; @@ -490,4 +601,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->server = server->clone(server); return &this->public; } - diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c index 3c72c122d..ec78c8ef2 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c @@ -23,6 +23,7 @@ #include <daemon.h> #include <collections/hashtable.h> #include <threading/mutex.h> +#include <processing/jobs/callback_job.h> typedef struct private_eap_radius_accounting_t private_eap_radius_accounting_t; @@ -37,7 +38,7 @@ struct private_eap_radius_accounting_t { eap_radius_accounting_t public; /** - * Hashtable with sessions, IKE_SA unique id => entry_t + * Hashtable with sessions, ike_sa_id_t => entry_t */ hashtable_t *sessions; 
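Review bot: process_timeout hands the server-supplied Acct-Interim-Interval straight to eap_radius_accounting_start_interim(); only the attribute length is checked, never the value. RFC 2869 requires the interval to be at least 60 seconds, and the interim job added in eap_radius_accounting.c is queued at JOB_PRIO_CRITICAL, so a value of a few seconds from a misconfigured server or a forged Access-Accept becomes a steady stream of critical jobs and accounting requests for every IKE_SA. A lower bound would contain that, for example `if (interval && interval < 60) { interval = 60; }` at the top of eap_radius_accounting_start_interim(), which keeps 0 meaning "no interim updates" the way schedule_interim() already treats it.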
@@ -53,20 +54,70 @@ struct private_eap_radius_accounting_t { }; /** + * Singleton instance of accounting + */ +static private_eap_radius_accounting_t *singleton = NULL; + +/** + * Acct-Terminate-Cause + */ +typedef enum { + ACCT_CAUSE_USER_REQUEST = 1, + ACCT_CAUSE_LOST_CARRIER = 2, + ACCT_CAUSE_LOST_SERVICE = 3, + ACCT_CAUSE_IDLE_TIMEOUT = 4, + ACCT_CAUSE_SESSION_TIMEOUT = 5, + ACCT_CAUSE_ADMIN_RESET = 6, + ACCT_CAUSE_ADMIN_REBOOT = 7, + ACCT_CAUSE_PORT_ERROR = 8, + ACCT_CAUSE_NAS_ERROR = 9, + ACCT_CAUSE_NAS_REQUEST = 10, + ACCT_CAUSE_NAS_REBOOT = 11, + ACCT_CAUSE_PORT_UNNEEDED = 12, + ACCT_CAUSE_PORT_PREEMPTED = 13, + ACCT_CAUSE_PORT_SUSPENDED = 14, + ACCT_CAUSE_SERVICE_UNAVAILABLE = 15, + ACCT_CAUSE_CALLBACK = 16, + ACCT_CAUSE_USER_ERROR = 17, + ACCT_CAUSE_HOST_REQUEST = 18, +} radius_acct_terminate_cause_t; + +/** * Hashtable entry with usage stats */ typedef struct { + /** IKE_SA identifier this entry is stored under */ + ike_sa_id_t *id; /** RADIUS accounting session ID */ char sid[16]; - /** number of octets sent */ - u_int64_t sent; - /** number of octets received */ - u_int64_t received; + /** number of sent/received octets/packets */ + struct { + u_int64_t sent; + u_int64_t received; + } bytes, packets; /** session creation time */ time_t created; + /** terminate cause */ + radius_acct_terminate_cause_t cause; + /* interim interval and timestamp of last update */ + struct { + u_int32_t interval; + time_t last; + } interim; + /** did we send Accounting-Start */ + bool start_sent; } entry_t; /** + * Destroy an entry_t + */ +static void destroy_entry(entry_t *this) +{ + this->id->destroy(this->id); + free(this); +} + +/** * Accounting message status types */ typedef enum { 
@@ -80,17 +131,17 @@ typedef enum { /** * Hashtable hash function */ -static u_int hash(uintptr_t key) +static u_int hash(ike_sa_id_t *key) { - return key; + return key->get_responder_spi(key); } /** * Hashtable equals function */ -static bool equals(uintptr_t a, uintptr_t b) +static bool equals(ike_sa_id_t *a, ike_sa_id_t *b) { - return a == b; + return a->equals(a, b); } /** @@ -99,19 +150,20 @@ static bool equals(uintptr_t a, uintptr_t b) static void update_usage(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa) { - u_int64_t sent, received; + u_int64_t bytes_in, bytes_out, packets_in, packets_out; entry_t *entry; - child_sa->get_usestats(child_sa, FALSE, NULL, &sent); - child_sa->get_usestats(child_sa, TRUE, NULL, &received); + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out, &packets_out); + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in, &packets_in); this->mutex->lock(this->mutex); - entry = this->sessions->get(this->sessions, - (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa)); + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); if (entry) { - entry->sent += sent; - entry->received += received; + entry->bytes.sent += bytes_out; + entry->bytes.received += bytes_in; + entry->packets.sent += packets_out; + entry->packets.received += packets_in; } this->mutex->unlock(this->mutex); } @@ -135,10 +187,6 @@ static bool send_message(private_eap_radius_accounting_t *this, ack = response->get_code(response) == RMC_ACCOUNTING_RESPONSE; response->destroy(response); } - else - { - charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); - } client->destroy(client); } return ack; 
@@ -150,14 +198,43 @@ static bool send_message(private_eap_radius_accounting_t *this, static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa) { enumerator_t *enumerator; - host_t *vip; + host_t *vip, *host; char buf[64]; chunk_t data; + u_int32_t value; + + /* virtual NAS-Port-Type */ + value = htonl(5); + message->add(message, RAT_NAS_PORT_TYPE, chunk_from_thing(value)); + /* framed ServiceType */ + value = htonl(2); + message->add(message, RAT_SERVICE_TYPE, chunk_from_thing(value)); + + value = htonl(ike_sa->get_unique_id(ike_sa)); + message->add(message, RAT_NAS_PORT, chunk_from_thing(value)); + message->add(message, RAT_NAS_PORT_ID, + chunk_from_str(ike_sa->get_name(ike_sa))); + + host = ike_sa->get_my_host(ike_sa); + data = host->get_address(host); + switch (host->get_family(host)) + { + case AF_INET: + message->add(message, RAT_NAS_IP_ADDRESS, data); + break; + case AF_INET6: + message->add(message, RAT_NAS_IPV6_ADDRESS, data); + default: + break; + } + snprintf(buf, sizeof(buf), "%#H", host); + message->add(message, RAT_CALLED_STATION_ID, chunk_from_str(buf)); + host = ike_sa->get_other_host(ike_sa); + snprintf(buf, sizeof(buf), "%#H", host); + message->add(message, RAT_CALLING_STATION_ID, chunk_from_str(buf)); snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa)); - message->add(message, RAT_USER_NAME, chunk_create(buf, strlen(buf))); - snprintf(buf, sizeof(buf), "%#H", ike_sa->get_other_host(ike_sa)); - message->add(message, RAT_CALLING_STATION_ID, chunk_create(buf, strlen(buf))); + message->add(message, RAT_USER_NAME, chunk_from_str(buf)); enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE); while (enumerator->enumerate(enumerator, &vip)) 
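Review bot: The User-Name that add_ike_sa_parameters writes is built differently from the one in the Access-Request: here it is the `%Y` rendering of get_other_eap_id() cut to `sizeof(buf)`, while add_radius_request_attrs in eap_radius.c sends `id_prefix` followed by the raw identity encoding. With a configured id_prefix or a long identity, accounting records would not carry the User-Name that was authenticated, which weakens the audit trail on the RADIUS side. If the difference is intended, a comment above the snprintf should say so, for example `/* accounting User-Name omits id_prefix and is limited to sizeof(buf) - 1 bytes */`. The function continues past the end of this hunk, so the rest of its body was not reviewed.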
@@ -182,34 +259,207 @@ static void add_ike_sa_parameters(radius_message_t *message, ike_sa_t *ike_sa) } /** + * Get an existing or create a new entry from the locked session table + */ +static entry_t* get_or_create_entry(private_eap_radius_accounting_t *this, + ike_sa_t *ike_sa) +{ + ike_sa_id_t *id; + entry_t *entry; + time_t now; + + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (!entry) + { + now = time_monotonic(NULL); + id = ike_sa->get_id(ike_sa); + + INIT(entry, + .id = id->clone(id), + .created = now, + .interim = { + .last = now, + }, + /* default terminate cause, if none other catched */ + .cause = ACCT_CAUSE_USER_REQUEST, + ); + snprintf(entry->sid, sizeof(entry->sid), "%u-%u", + this->prefix, ike_sa->get_unique_id(ike_sa)); + this->sessions->put(this->sessions, entry->id, entry); + } + return entry; +} + +/* forward declaration */ +static void schedule_interim(private_eap_radius_accounting_t *this, + entry_t *entry); + +/** + * Data passed to send_interim() using callback job + */ +typedef struct { + /** reference to radius accounting */ + private_eap_radius_accounting_t *this; + /** IKE_SA identifier to send interim update to */ + ike_sa_id_t *id; +} interim_data_t; + +/** + * Clean up interim data + */ +void destroy_interim_data(interim_data_t *this) +{ + this->id->destroy(this->id); + free(this); +} + +/** + * Send an interim update for entry of given IKE_SA identifier + */ +static job_requeue_t send_interim(interim_data_t *data) +{ + private_eap_radius_accounting_t *this = data->this; + u_int64_t bytes_in = 0, bytes_out = 0, packets_in = 0, packets_out = 0; + u_int64_t bytes, packets; + radius_message_t *message = NULL; + enumerator_t *enumerator; + child_sa_t *child_sa; + ike_sa_t *ike_sa; + entry_t *entry; + u_int32_t value; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, data->id); + if (!ike_sa) + { + return JOB_REQUEUE_NONE; + } + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while 
(enumerator->enumerate(enumerator, &child_sa)) + { + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes, &packets); + bytes_out += bytes; + packets_out += packets; + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes, &packets); + bytes_in += bytes; + packets_in += packets; + } + enumerator->destroy(enumerator); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + + /* avoid any races by returning IKE_SA before acquiring lock */ + + this->mutex->lock(this->mutex); + entry = this->sessions->get(this->sessions, data->id); + if (entry) + { + entry->interim.last = time_monotonic(NULL); + + bytes_in += entry->bytes.received; + bytes_out += entry->bytes.sent; + packets_in += entry->packets.received; + packets_out += entry->packets.sent; + + message = radius_message_create(RMC_ACCOUNTING_REQUEST); + value = htonl(ACCT_STATUS_INTERIM_UPDATE); + message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); + message->add(message, RAT_ACCT_SESSION_ID, + chunk_create(entry->sid, strlen(entry->sid))); + add_ike_sa_parameters(message, ike_sa); + + value = htonl(bytes_out); + message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); + value = htonl(bytes_out >> 32); + if (value) + { + message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, + chunk_from_thing(value)); + } + value = htonl(packets_out); + message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(bytes_in); + message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); + value = htonl(bytes_in >> 32); + if (value) + { + message->add(message, RAT_ACCT_INPUT_GIGAWORDS, + chunk_from_thing(value)); + } + value = htonl(packets_in); + message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(entry->interim.last - entry->created); + message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); + + schedule_interim(this, entry); + } + this->mutex->unlock(this->mutex); + + if (message) + { + if 
(!send_message(this, message)) + { + eap_radius_handle_timeout(data->id); + } + message->destroy(message); + } + return JOB_REQUEUE_NONE; +} + +/** + * Schedule interim update for given entry + */ +static void schedule_interim(private_eap_radius_accounting_t *this, + entry_t *entry) +{ + if (entry->interim.interval) + { + interim_data_t *data; + timeval_t tv = { + .tv_sec = entry->interim.last + entry->interim.interval, + }; + + INIT(data, + .this = this, + .id = entry->id->clone(entry->id), + ); + lib->scheduler->schedule_job_tv(lib->scheduler, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)send_interim, + data, (void*)destroy_interim_data, + (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv); + } +} + +/** * Send an accounting start message */ static void send_start(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; entry_t *entry; - u_int32_t id, value; + u_int32_t value; - id = ike_sa->get_unique_id(ike_sa); - INIT(entry, - .created = time_monotonic(NULL), - ); - snprintf(entry->sid, sizeof(entry->sid), "%u-%u", this->prefix, id); + this->mutex->lock(this->mutex); + + entry = get_or_create_entry(this, ike_sa); + entry->start_sent = TRUE; message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_START); message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); + + schedule_interim(this, entry); + this->mutex->unlock(this->mutex); + add_ike_sa_parameters(message, ike_sa); - if (send_message(this, message)) + if (!send_message(this, message)) { - this->mutex->lock(this->mutex); - entry = this->sessions->put(this->sessions, (void*)(uintptr_t)id, entry); - this->mutex->unlock(this->mutex); + eap_radius_handle_timeout(ike_sa->get_id(ike_sa)); } message->destroy(message); - free(entry); } /** 
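Review bot: send_interim keeps using `ike_sa` after handing it back with checkin(): `add_ike_sa_parameters(message, ike_sa)` runs later, under the accounting mutex, when another thread may already have checked the IKE_SA out and changed or destroyed it. The comment about avoiding races by returning the IKE_SA before taking the lock covers lock ordering but not this access. Collecting the IKE_SA-derived attributes while the SA is still checked out removes the stale access, and the message then has to be dropped when the session entry is gone. Attribute order in the request changes with this, which should not matter to a RADIUS server but is worth confirming.

```c
	enumerator->destroy(enumerator);

	/* read everything we need from the IKE_SA while it is still checked out */
	message = radius_message_create(RMC_ACCOUNTING_REQUEST);
	add_ike_sa_parameters(message, ike_sa);
	charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);

	this->mutex->lock(this->mutex);
	entry = this->sessions->get(this->sessions, data->id);
	if (entry)
	{
		/* … unchanged: interim.last, counters, status type, session id,
		 * octets/gigawords/packets, session time, schedule_interim(),
		 * minus radius_message_create() and add_ike_sa_parameters() … */
	}
	else
	{	/* session was removed in the meantime, nothing to report */
		message->destroy(message);
		message = NULL;
	}
	this->mutex->unlock(this->mutex);
```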
@@ -219,45 +469,91 @@ static void send_stop(private_eap_radius_accounting_t *this, ike_sa_t *ike_sa) { radius_message_t *message; entry_t *entry; - u_int32_t id, value; + u_int32_t value; - id = ike_sa->get_unique_id(ike_sa); this->mutex->lock(this->mutex); - entry = this->sessions->remove(this->sessions, (void*)(uintptr_t)id); + entry = this->sessions->remove(this->sessions, ike_sa->get_id(ike_sa)); this->mutex->unlock(this->mutex); if (entry) { + if (!entry->start_sent) + { /* we tried to authenticate this peer, but never sent a start */ + destroy_entry(entry); + return; + } message = radius_message_create(RMC_ACCOUNTING_REQUEST); value = htonl(ACCT_STATUS_STOP); message->add(message, RAT_ACCT_STATUS_TYPE, chunk_from_thing(value)); message->add(message, RAT_ACCT_SESSION_ID, chunk_create(entry->sid, strlen(entry->sid))); add_ike_sa_parameters(message, ike_sa); - value = htonl(entry->sent); + + value = htonl(entry->bytes.sent); message->add(message, RAT_ACCT_OUTPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->sent >> 32); + value = htonl(entry->bytes.sent >> 32); if (value) { message->add(message, RAT_ACCT_OUTPUT_GIGAWORDS, chunk_from_thing(value)); } - value = htonl(entry->received); + value = htonl(entry->packets.sent); + message->add(message, RAT_ACCT_OUTPUT_PACKETS, chunk_from_thing(value)); + + value = htonl(entry->bytes.received); message->add(message, RAT_ACCT_INPUT_OCTETS, chunk_from_thing(value)); - value = htonl(entry->received >> 32); + value = htonl(entry->bytes.received >> 32); if (value) { message->add(message, RAT_ACCT_INPUT_GIGAWORDS, chunk_from_thing(value)); } + value = htonl(entry->packets.received); + message->add(message, RAT_ACCT_INPUT_PACKETS, chunk_from_thing(value)); + value = htonl(time_monotonic(NULL) - entry->created); message->add(message, RAT_ACCT_SESSION_TIME, chunk_from_thing(value)); - send_message(this, message); + + value = htonl(entry->cause); + message->add(message, RAT_ACCT_TERMINATE_CAUSE, chunk_from_thing(value)); 
+ + if (!send_message(this, message)) + { + eap_radius_handle_timeout(NULL); + } message->destroy(message); - free(entry); + destroy_entry(entry); } } +METHOD(listener_t, alert, bool, + private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, alert_t alert, + va_list args) +{ + radius_acct_terminate_cause_t cause; + entry_t *entry; + + switch (alert) + { + case ALERT_IKE_SA_EXPIRED: + cause = ACCT_CAUSE_SESSION_TIMEOUT; + break; + case ALERT_RETRANSMIT_SEND_TIMEOUT: + cause = ACCT_CAUSE_LOST_SERVICE; + break; + default: + return TRUE; + } + this->mutex->lock(this->mutex); + entry = this->sessions->get(this->sessions, ike_sa->get_id(ike_sa)); + if (entry) + { + entry->cause = cause; + } + this->mutex->unlock(this->mutex); + return TRUE; +} + METHOD(listener_t, ike_updown, bool, private_eap_radius_accounting_t *this, ike_sa_t *ike_sa, bool up) { @@ -307,15 +603,20 @@ METHOD(listener_t, ike_rekey, bool, entry_t *entry; this->mutex->lock(this->mutex); - entry = this->sessions->remove(this->sessions, - (void*)(uintptr_t)old->get_unique_id(old)); + entry = this->sessions->remove(this->sessions, old->get_id(old)); if (entry) { - entry = this->sessions->put(this->sessions, - (void*)(uintptr_t)new->get_unique_id(new), entry); + /* update IKE_SA identifier */ + entry->id->destroy(entry->id); + entry->id = new->get_id(new); + entry->id = entry->id->clone(entry->id); + /* fire new interim update job, old gets invalid */ + schedule_interim(this, entry); + + entry = this->sessions->put(this->sessions, entry->id, entry); if (entry) { - free(entry); + destroy_entry(entry); } } this->mutex->unlock(this->mutex); @@ -346,6 +647,8 @@ METHOD(listener_t, child_updown, bool, METHOD(eap_radius_accounting_t, destroy, void, private_eap_radius_accounting_t *this) { + charon->bus->remove_listener(charon->bus, &this->public.listener); + singleton = NULL; this->mutex->destroy(this->mutex); this->sessions->destroy(this->sessions); free(this); 
@@ -361,6 +664,7 @@ eap_radius_accounting_t *eap_radius_accounting_create() INIT(this, .public = { .listener = { + .alert = _alert, .ike_updown = _ike_updown, .ike_rekey = _ike_rekey, .message = _message_hook, @@ -376,5 +680,28 @@ eap_radius_accounting_t *eap_radius_accounting_create() .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.accounting", FALSE, charon->name)) + { + singleton = this; + charon->bus->add_listener(charon->bus, &this->public.listener); + } return &this->public; } + +/** + * See header + */ +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval) +{ + if (singleton) + { + entry_t *entry; + + DBG1(DBG_CFG, "scheduling RADIUS Interim-Updates every %us", interval); + singleton->mutex->lock(singleton->mutex); + entry = get_or_create_entry(singleton, ike_sa); + entry->interim.interval = interval; + singleton->mutex->unlock(singleton->mutex); + } +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h index 811a5bb90..8d4f9a0e1 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.h @@ -46,4 +46,12 @@ struct eap_radius_accounting_t { */ eap_radius_accounting_t *eap_radius_accounting_create(); +/** + * Schedule Accounting interim updates for the given IKE_SA. + * + * @param ike_sa IKE_SA to send updates for + * @param interval interval for interim updates + */ +void eap_radius_accounting_start_interim(ike_sa_t *ike_sa, u_int32_t interval); + #endif /** EAP_RADIUS_ACCOUNTING_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 9d4bbe1f3..3baf46731 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c 
@@ -19,12 +19,15 @@ #include "eap_radius_accounting.h" #include "eap_radius_dae.h" #include "eap_radius_forward.h" +#include "eap_radius_provider.h" #include <radius_client.h> #include <radius_config.h> -#include <daemon.h> +#include <hydra.h> #include <threading/rwlock.h> +#include <processing/jobs/callback_job.h> +#include <processing/jobs/delete_ike_sa_job.h> /** * Default RADIUS server port for authentication @@ -64,6 +67,11 @@ struct private_eap_radius_plugin_t { eap_radius_accounting_t *accounting; /** + * IKE attribute provider + */ + eap_radius_provider_t *provider; + + /** * Dynamic authorization extensions */ eap_radius_dae_t *dae; @@ -207,6 +215,9 @@ METHOD(plugin_t, reload, bool, METHOD(plugin_t, destroy, void, private_eap_radius_plugin_t *this) { + hydra->attributes->remove_provider(hydra->attributes, + &this->provider->provider); + this->provider->destroy(this->provider); if (this->forward) { charon->bus->remove_listener(charon->bus, &this->forward->listener); @@ -216,7 +227,6 @@ METHOD(plugin_t, destroy, void, this->configs->destroy_offset(this->configs, offsetof(radius_config_t, destroy)); this->lock->destroy(this->lock); - charon->bus->remove_listener(charon->bus, &this->accounting->listener); this->accounting->destroy(this->accounting); free(this); instance = NULL; @@ -242,17 +252,13 @@ plugin_t *eap_radius_plugin_create() .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), .accounting = eap_radius_accounting_create(), .forward = eap_radius_forward_create(), + .provider = eap_radius_provider_create(), ); load_configs(this); instance = this; if (lib->settings->get_bool(lib->settings, - "%s.plugins.eap-radius.accounting", FALSE, charon->name)) - { - charon->bus->add_listener(charon->bus, &this->accounting->listener); - } - if (lib->settings->get_bool(lib->settings, "%s.plugins.eap-radius.dae.enable", FALSE, charon->name)) { this->dae = eap_radius_dae_create(this->accounting); 
@@ -261,6 +267,8 @@ plugin_t *eap_radius_plugin_create() { charon->bus->add_listener(charon->bus, &this->forward->listener); } + hydra->attributes->add_provider(hydra->attributes, + &this->provider->provider); return &this->public.plugin; } @@ -308,3 +316,47 @@ radius_client_t *eap_radius_create_client() return NULL; } +/** + * Job to delete all active IKE_SAs + */ +static job_requeue_t delete_all_async(void *data) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + + enumerator = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager, TRUE); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + lib->processor->queue_job(lib->processor, + (job_t*)delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)); + } + enumerator->destroy(enumerator); + + return JOB_REQUEUE_NONE; +} + +/** + * See header. + */ +void eap_radius_handle_timeout(ike_sa_id_t *id) +{ + charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); + + if (lib->settings->get_bool(lib->settings, + "%s.plugins.eap-radius.close_all_on_timeout", + FALSE, charon->name)) + { + DBG1(DBG_CFG, "deleting all IKE_SAs after RADIUS timeout"); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)delete_all_async, NULL, NULL, + (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); + } + else if (id) + { + DBG1(DBG_CFG, "deleting IKE_SA after RADIUS timeout"); + lib->processor->queue_job(lib->processor, + (job_t*)delete_ike_sa_job_create(id, TRUE)); + } +} diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h index 1570bd566..80fa209d6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h @@ -27,6 +27,7 @@ #include <plugins/plugin.h> #include <radius_client.h> +#include <daemon.h> typedef struct eap_radius_plugin_t eap_radius_plugin_t; 
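Review bot: `delete_all_async()` enumerates `charon->ike_sa_manager` and queues a delete job for every IKE_SA it returns, with no filter on how the SA was authenticated, so with `close_all_on_timeout` enabled one unanswered RADIUS request also tears down tunnels that never used RADIUS. If that is the intended policy, the function comment should say so, e.g. `/* Job to delete all active IKE_SAs, including those not authenticated via RADIUS */`. `eap_radius_handle_timeout()` also queues a fresh `JOB_PRIO_CRITICAL` job on every call, so during an outage each timed-out request repeats the full enumeration; a guard against a job that is already pending, or at least a comment, would help. The two `DBG1` messages would serve incident review better if they named the affected IKE_SA.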
@@ -51,4 +52,14 @@ struct eap_radius_plugin_t { */ radius_client_t *eap_radius_create_client(); +/** + * Handle a RADIUS request timeout. + * + * If an IKE_SA is given, it gets deleted (unless the policy says to delete + * any established IKE_SA). + * + * @param id associated IKE_SA where timeout happened, or NULL + */ +void eap_radius_handle_timeout(ike_sa_id_t *id); + #endif /** EAP_RADIUS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c new file mode 100644 index 000000000..6087313b5 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c 
@@ -0,0 +1,486 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_radius_provider.h"
+
+#include <daemon.h>
+#include <collections/hashtable.h>
+#include <threading/mutex.h>
+
+typedef struct private_eap_radius_provider_t private_eap_radius_provider_t;
+typedef struct private_listener_t private_listener_t;
+
+/**
+ * Private data of registered listener
+ */
+struct private_listener_t {
+
+ /**
+ * Implements listener_t interface
+ */
+ listener_t public;
+
+ /**
+ * Leases not acquired yet, identification_t => entry_t
+ */
+ hashtable_t *unclaimed;
+
+ /**
+ * Leases acquired, identification_t => entry_t
+ */
+ hashtable_t *claimed;
+
+ /**
+ * Mutex to lock leases
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Private data of an eap_radius_provider_t object.
+ */
+struct private_eap_radius_provider_t {
+
+ /**
+ * Public eap_radius_provider_t interface.
+ */
+ eap_radius_provider_t public;
+
+ /**
+ * Additionally implements the listener_t interface
+ */
+ private_listener_t listener;
+};
+
+/**
+ * Singleton instance of provider
+ */
+static eap_radius_provider_t *singleton = NULL;
+
+/**
+ * Configuration attribute in an entry
+ */
+typedef struct {
+ /** type of attribute */
+ configuration_attribute_type_t type;
+ /** attribute data */
+ chunk_t data;
+} attr_t;
+
+/**
+ * Destroy an attr_t
+ */
+static void destroy_attr(attr_t *this)
+{
+ free(this->data.ptr);
+ free(this);
+}
+
+/**
+ * Hashtable entry with leases and attributes
+ */
+typedef struct {
+ /** identity we assigned the IP lease */
+ identification_t *id;
+ /** list of IP leases received from AAA, as host_t */
+ linked_list_t *addrs;
+ /** list of configuration attributes, as attr_t */
+ linked_list_t *attrs;
+} entry_t;
+
+/**
+ * destroy an entry_t
+ */
+static void destroy_entry(entry_t *this)
+{
+ this->id->destroy(this->id);
+ this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
+ this->attrs->destroy_function(this->attrs, (void*)destroy_attr);
+ free(this);
+}
+
+/**
+ * Get or create an entry from a locked hashtable
+ */
+static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id)
+{
+ entry_t *entry;
+
+ entry = hashtable->get(hashtable, id);
+ if (!entry)
+ {
+ INIT(entry,
+ .id = id->clone(id),
+ .addrs = linked_list_create(),
+ .attrs = linked_list_create(),
+ );
+ hashtable->put(hashtable, entry->id, entry);
+ }
+ return entry;
+}
+
+/**
+ * Put an entry to hashtable, or destroy it ife empty
+ */
+static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
+{
+ if (entry->addrs->get_count(entry->addrs) > 0 ||
+ entry->attrs->get_count(entry->attrs) > 0)
+ {
+ hashtable->put(hashtable, entry->id, entry);
+ }
+ else
+ {
+ destroy_entry(entry);
+ }
+}
+
+/**
+ * Hashtable hash function
+ */
+static u_int hash(identification_t *id)
+{
+ return chunk_hash_inc(id->get_encoding(id), id->get_type(id));
+}
+
+/**
+ * Hashtable equals function
+ */
+static bool equals(identification_t *a, identification_t *b)
+{
+ return a->equals(a, b);
+}
+
+/**
+ * Insert an address entry to a locked claimed/unclaimed hashtable
+ */
+static void add_addr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id, host_t *host)
+{
+ entry_t *entry;
+
+ entry = get_or_create_entry(hashtable, id);
+ entry->addrs->insert_last(entry->addrs, host);
+}
+
+/**
+ * Remove the next address from the locked hashtable stored for given id
+ */
+static host_t* remove_addr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id)
+{
+ entry_t *entry;
+ host_t *addr = NULL;
+
+ entry = hashtable->remove(hashtable, id);
+ if (entry)
+ {
+ entry->addrs->remove_first(entry->addrs, (void**)&addr);
+ put_or_destroy_entry(hashtable, entry);
+ }
+ return addr;
+}
+
+/**
+ * Insert an attribute entry to a locked claimed/unclaimed hashtable
+ */
+static void add_attr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id, attr_t *attr)
+{
+ entry_t *entry;
+
+ entry = get_or_create_entry(hashtable, id);
+ entry->attrs->insert_last(entry->attrs, attr);
+}
+
+/**
+ * Remove the next attribute from the locked hashtable stored for given id
+ */
+static attr_t* remove_attr(private_eap_radius_provider_t *this,
+ hashtable_t *hashtable, identification_t *id)
+{
+ entry_t *entry;
+ attr_t *attr = NULL;
+
+ entry = hashtable->remove(hashtable, id);
+ if (entry)
+ {
+ entry->attrs->remove_first(entry->attrs, (void**)&attr);
+ put_or_destroy_entry(hashtable, entry);
+ }
+ return attr;
+}
+
+/**
+ * Clean up unclaimed leases assigned for an IKE_SA
+ */
+static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
+{
+ identification_t *id;
+ entry_t *entry;
+
+ id = ike_sa->get_other_eap_id(ike_sa);
+ this->mutex->lock(this->mutex);
+ entry = this->unclaimed->remove(this->unclaimed, id);
+ this->mutex->unlock(this->mutex);
+ if (entry)
+ {
+ destroy_entry(entry);
+ }
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_listener_t *this, ike_sa_t *ike_sa,
+ message_t *message, bool incoming, bool plain)
+{
+ if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+ !incoming && !message->get_request(message))
+ {
+ if ((ike_sa->get_version(ike_sa) == IKEV1 &&
+ message->get_exchange_type(message) == TRANSACTION) ||
+ (ike_sa->get_version(ike_sa) == IKEV2 &&
+ message->get_exchange_type(message) == IKE_AUTH))
+ {
+ /* if the addresses have not been claimed yet, they won't. Release
+ * these resources. */
+ release_unclaimed(this, ike_sa);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ if (!up)
+ {
+ /* if the message hook does not apply because of a failed exchange
+ * or something, make sure we release any resources now */
+ release_unclaimed(this, ike_sa);
+ }
+ return TRUE;
+}
+
+METHOD(attribute_provider_t, acquire_address, host_t*,
+ private_eap_radius_provider_t *this, linked_list_t *pools,
+ identification_t *id, host_t *requested)
+{
+ enumerator_t *enumerator;
+ host_t *addr = NULL;
+ char *name;
+
+ enumerator = pools->create_enumerator(pools);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ if (streq(name, "radius"))
+ {
+ this->listener.mutex->lock(this->listener.mutex);
+ addr = remove_addr(this, this->listener.unclaimed, id);
+ if (addr)
+ {
+ add_addr(this, this->listener.claimed, id, addr->clone(addr));
+ }
+ this->listener.mutex->unlock(this->listener.mutex);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return addr;
+}
+
+METHOD(attribute_provider_t, release_address, bool,
+ private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
+ identification_t *id)
+{
+ enumerator_t *enumerator;
+ host_t *found = NULL;
+ char *name;
+
+ enumerator = pools->create_enumerator(pools);
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ if (streq(name, "radius"))
+ {
+ this->listener.mutex->lock(this->listener.mutex);
+ found = remove_addr(this, this->listener.claimed, id);
+ this->listener.mutex->unlock(this->listener.mutex);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (found)
+ {
+ found->destroy(found);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Enumerator implementation over attributes
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** list of attributes to enumerate */
+ linked_list_t *list;
+ /** currently enumerating attribute */
+ attr_t *current;
+} attribute_enumerator_t;
+
+
+METHOD(enumerator_t, attribute_enumerate, bool,
+ attribute_enumerator_t *this, configuration_attribute_type_t *type,
+ chunk_t *data)
+{
+ if (this->current)
+ {
+ destroy_attr(this->current);
+ this->current = NULL;
+ }
+ if (this->list->remove_first(this->list, (void**)&this->current) == SUCCESS)
+ {
+ *type = this->current->type;
+ *data = this->current->data;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, attribute_destroy, void,
+ attribute_enumerator_t *this)
+{
+ if (this->current)
+ {
+ destroy_attr(this->current);
+ }
+ this->list->destroy_function(this->list, (void*)destroy_attr);
+ free(this);
+}
+
+METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
+ private_eap_radius_provider_t *this, linked_list_t *pools,
+ identification_t *id, linked_list_t *vips)
+{
+ attribute_enumerator_t *enumerator;
+ attr_t *attr;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_attribute_enumerate,
+ .destroy = _attribute_destroy,
+ },
+ .list = linked_list_create(),
+ );
+
+ /* we forward attributes regardless of pool configurations */
+ this->listener.mutex->lock(this->listener.mutex);
+ while (TRUE)
+ {
+ attr = remove_attr(this, this->listener.unclaimed, id);
+ if (!attr)
+ {
+ break;
+ }
+ enumerator->list->insert_last(enumerator->list, attr);
+ }
+ this->listener.mutex->unlock(this->listener.mutex);
+
+ return &enumerator->public;
+}
+
+METHOD(eap_radius_provider_t, add_framed_ip, void,
+ private_eap_radius_provider_t *this, identification_t *id, host_t *ip)
+{
+ this->listener.mutex->lock(this->listener.mutex);
+ add_addr(this, this->listener.unclaimed, id, ip);
+ this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, add_attribute, void,
+ private_eap_radius_provider_t *this, identification_t *id,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ attr_t *attr;
+
+ INIT(attr,
+ .type = type,
+ .data = chunk_clone(data),
+ );
+ this->listener.mutex->lock(this->listener.mutex);
+ add_attr(this, this->listener.unclaimed, id, attr);
+ this->listener.mutex->unlock(this->listener.mutex);
+}
+
+METHOD(eap_radius_provider_t, destroy, void,
+ private_eap_radius_provider_t *this)
+{
+ singleton = NULL;
+ charon->bus->remove_listener(charon->bus, &this->listener.public);
+ this->listener.mutex->destroy(this->listener.mutex);
+ this->listener.claimed->destroy(this->listener.claimed);
+ this->listener.unclaimed->destroy(this->listener.unclaimed);
+ free(this);
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_create()
+{
+ if (!singleton)
+ {
+ private_eap_radius_provider_t *this;
+
+ INIT(this,
+ .public = {
+ .provider = {
+ .acquire_address = _acquire_address,
+ .release_address = _release_address,
+ .create_attribute_enumerator = _create_attribute_enumerator,
+ },
+ .add_framed_ip = _add_framed_ip,
+ .add_attribute = _add_attribute,
+ .destroy = _destroy,
+ },
+ .listener = {
+ .public = {
+ .ike_updown = _ike_updown,
+ .message = _message_hook,
+ },
+ .claimed = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .unclaimed = hashtable_create((hashtable_hash_t)hash,
+ (hashtable_equals_t)equals, 32),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ },
+ );
+
+ charon->bus->add_listener(charon->bus, &this->listener.public);
+
+ singleton = &this->public;
+ }
+ return singleton;
+}
+
+/**
+ * See header
+ */
+eap_radius_provider_t *eap_radius_provider_get()
+{
+ return singleton;
+}
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.h b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
new file mode 100644
index 000000000..a0b4a6b62
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.h
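Review bot: `release_address()` never looks at its `address` argument: it calls `remove_addr(this, this->listener.claimed, id)`, which pops the first claimed address stored for the identity, destroys it and returns TRUE. Entries are keyed by identity only, so when one identity holds more than one claimed address (a second IKE_SA for the same EAP identity, or several addresses from the server) the wrong lease can be dropped, and the provider reports a release for an address it may never have handed out. The release path should match on the address, as sketched below; it needs two extra locals, `entry_t *entry` and a second `enumerator_t *addrs`. The same keying means `release_unclaimed()` for one IKE_SA discards unclaimed leases and attributes queued for another SA with the same identity, which deserves at least a comment on the `unclaimed` table.

```c
		/* … unchanged: pool enumeration loop header … */
		if (streq(name, "radius"))
		{
			this->listener.mutex->lock(this->listener.mutex);
			entry = this->listener.claimed->remove(this->listener.claimed, id);
			if (entry)
			{
				addrs = entry->addrs->create_enumerator(entry->addrs);
				while (addrs->enumerate(addrs, &found))
				{
					if (found->ip_equals(found, address))
					{	/* release only the lease that matches the caller's address */
						entry->addrs->remove_at(entry->addrs, addrs);
						break;
					}
					found = NULL;
				}
				addrs->destroy(addrs);
				put_or_destroy_entry(this->listener.claimed, entry);
			}
			this->listener.mutex->unlock(this->listener.mutex);
			break;
		}
		/* … unchanged: enumerator cleanup, found->destroy() and return … */
```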
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_radius_provider eap_radius_provider
+ * @{ @ingroup eap_radius
+ */
+
+#ifndef EAP_RADIUS_PROVIDER_H_
+#define EAP_RADIUS_PROVIDER_H_
+
+#include <attributes/attributes.h>
+#include <attributes/attribute_provider.h>
+
+typedef struct eap_radius_provider_t eap_radius_provider_t;
+
+/**
+ * IKE configuration attribute fed by RADIUS attributes
+ */
+struct eap_radius_provider_t {
+
+ /**
+ * Implements attribute_provider_t
+ */
+ attribute_provider_t provider;
+
+ /**
+ * Add a received Framed-IP-Address to the provider to serve to client.
+ *
+ * @param id client identity
+ * @param ip IP address received from RADIUS server, gets owned
+ */
+ void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id,
+ host_t *ip);
+
+ /**
+ * Add a configuration attribute received from RADIUS to forward.
+ *
+ * @param id client identity
+ * @param type attribute type
+ * @param data attribute data
+ */
+ void (*add_attribute)(eap_radius_provider_t *this, identification_t *id,
+ configuration_attribute_type_t type, chunk_t data);
+
+ /**
+ * Destroy a eap_radius_provider_t.
+ */
+ void (*destroy)(eap_radius_provider_t *this);
+};
+
+/**
+ * Create a eap_radius_provider instance.
+ */
+eap_radius_provider_t *eap_radius_provider_create();
+
+/**
+ * Get singleton instance previously created with eap_radius_provider_create().
+ */
+eap_radius_provider_t *eap_radius_provider_get();
+
+#endif /** EAP_RADIUS_PROVIDER_H_ @}*/ |
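Review bot: The comment on `eap_radius_provider_get()` does not say that it can return NULL, yet in the implementation `singleton` starts as NULL and the provider's `destroy()` resets it, so every caller has to check the result. I would add `@return singleton instance, NULL if not created or already destroyed`. Ownership is also documented unevenly: `add_framed_ip()` states that `ip` gets owned, while `add_attribute()` copies `data` with `chunk_clone()` in the implementation without saying so; `@param data attribute data, gets cloned` would close that gap.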