In eap-radius, hand out received Framed-IP-Address attributes as virtual IP
This commit is contained in:
parent
3a23794fa2
commit
f4c8e6def7
|
@ -15,6 +15,7 @@ libstrongswan_eap_radius_la_SOURCES = \
|
|||
eap_radius_plugin.h eap_radius_plugin.c \
|
||||
eap_radius.h eap_radius.c \
|
||||
eap_radius_accounting.h eap_radius_accounting.c \
|
||||
eap_radius_provider.h eap_radius_provider.c \
|
||||
eap_radius_dae.h eap_radius_dae.c \
|
||||
eap_radius_forward.h eap_radius_forward.c
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
#include "eap_radius.h"
|
||||
#include "eap_radius_plugin.h"
|
||||
#include "eap_radius_forward.h"
|
||||
#include "eap_radius_provider.h"
|
||||
|
||||
#include <radius_message.h>
|
||||
#include <radius_client.h>
|
||||
|
@ -327,6 +328,37 @@ static void process_timeout(private_eap_radius_t *this, radius_message_t *msg)
|
|||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle Framed-IP-Address and other IKE configuration attributes
|
||||
*/
|
||||
static void process_cfg_attributes(private_eap_radius_t *this,
|
||||
radius_message_t *msg)
|
||||
{
|
||||
eap_radius_provider_t *provider;
|
||||
enumerator_t *enumerator;
|
||||
host_t *host;
|
||||
chunk_t data;
|
||||
int type;
|
||||
|
||||
provider = eap_radius_provider_get();
|
||||
if (provider)
|
||||
{
|
||||
enumerator = msg->create_enumerator(msg);
|
||||
while (enumerator->enumerate(enumerator, &type, &data))
|
||||
{
|
||||
if (type == RAT_FRAMED_IP_ADDRESS && data.len == 4)
|
||||
{
|
||||
host = host_create_from_chunk(AF_INET, data, 0);
|
||||
if (host)
|
||||
{
|
||||
provider->add_framed_ip(provider, this->peer, host);
|
||||
}
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(eap_method_t, process, status_t,
|
||||
private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
|
||||
{
|
||||
|
@ -373,6 +405,7 @@ METHOD(eap_method_t, process, status_t,
|
|||
process_filter_id(this, response);
|
||||
}
|
||||
process_timeout(this, response);
|
||||
process_cfg_attributes(this, response);
|
||||
DBG1(DBG_IKE, "RADIUS authentication of '%Y' successful",
|
||||
this->peer);
|
||||
status = SUCCESS;
|
||||
|
@ -490,4 +523,3 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
|
|||
this->server = server->clone(server);
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
@ -19,11 +19,13 @@
|
|||
#include "eap_radius_accounting.h"
|
||||
#include "eap_radius_dae.h"
|
||||
#include "eap_radius_forward.h"
|
||||
#include "eap_radius_provider.h"
|
||||
|
||||
#include <radius_client.h>
|
||||
#include <radius_config.h>
|
||||
|
||||
#include <daemon.h>
|
||||
#include <hydra.h>
|
||||
#include <threading/rwlock.h>
|
||||
|
||||
/**
|
||||
|
@ -63,6 +65,11 @@ struct private_eap_radius_plugin_t {
|
|||
*/
|
||||
eap_radius_accounting_t *accounting;
|
||||
|
||||
/**
|
||||
* IKE attribute provider
|
||||
*/
|
||||
eap_radius_provider_t *provider;
|
||||
|
||||
/**
|
||||
* Dynamic authorization extensions
|
||||
*/
|
||||
|
@ -207,6 +214,9 @@ METHOD(plugin_t, reload, bool,
|
|||
METHOD(plugin_t, destroy, void,
|
||||
private_eap_radius_plugin_t *this)
|
||||
{
|
||||
hydra->attributes->remove_provider(hydra->attributes,
|
||||
&this->provider->provider);
|
||||
this->provider->destroy(this->provider);
|
||||
if (this->forward)
|
||||
{
|
||||
charon->bus->remove_listener(charon->bus, &this->forward->listener);
|
||||
|
@ -242,6 +252,7 @@ plugin_t *eap_radius_plugin_create()
|
|||
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
|
||||
.accounting = eap_radius_accounting_create(),
|
||||
.forward = eap_radius_forward_create(),
|
||||
.provider = eap_radius_provider_create(),
|
||||
);
|
||||
|
||||
load_configs(this);
|
||||
|
@ -261,6 +272,8 @@ plugin_t *eap_radius_plugin_create()
|
|||
{
|
||||
charon->bus->add_listener(charon->bus, &this->forward->listener);
|
||||
}
|
||||
hydra->attributes->add_provider(hydra->attributes,
|
||||
&this->provider->provider);
|
||||
|
||||
return &this->public.plugin;
|
||||
}
|
||||
|
@ -307,4 +320,3 @@ radius_client_t *eap_radius_create_client()
|
|||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,350 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Martin Willi
|
||||
* Copyright (C) 2013 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
#include "eap_radius_provider.h"
|
||||
|
||||
#include <daemon.h>
|
||||
#include <collections/hashtable.h>
|
||||
#include <threading/mutex.h>
|
||||
|
||||
typedef struct private_eap_radius_provider_t private_eap_radius_provider_t;
|
||||
typedef struct private_listener_t private_listener_t;
|
||||
|
||||
/**
|
||||
* Private data of registered listener
|
||||
*/
|
||||
struct private_listener_t {
|
||||
|
||||
/**
|
||||
* Implements listener_t interface
|
||||
*/
|
||||
listener_t public;
|
||||
|
||||
/**
|
||||
* Leases not acquired yet, identification_t => entry_t
|
||||
*/
|
||||
hashtable_t *unclaimed;
|
||||
|
||||
/**
|
||||
* Leases acquired, identification_t => entry_t
|
||||
*/
|
||||
hashtable_t *claimed;
|
||||
|
||||
/**
|
||||
* Mutex to lock leases
|
||||
*/
|
||||
mutex_t *mutex;
|
||||
};
|
||||
|
||||
/**
|
||||
* Private data of an eap_radius_provider_t object.
|
||||
*/
|
||||
struct private_eap_radius_provider_t {
|
||||
|
||||
/**
|
||||
* Public eap_radius_provider_t interface.
|
||||
*/
|
||||
eap_radius_provider_t public;
|
||||
|
||||
/**
|
||||
* Additionally implements the listener_t interface
|
||||
*/
|
||||
private_listener_t listener;
|
||||
};
|
||||
|
||||
/**
|
||||
* Singleton instance of provider
|
||||
*/
|
||||
static eap_radius_provider_t *singleton = NULL;
|
||||
|
||||
/**
|
||||
* Hashtable entry with leases
|
||||
*/
|
||||
typedef struct {
|
||||
/** identity we assigned the IP lease */
|
||||
identification_t *id;
|
||||
/** list of IP leases received from AAA, as host_t */
|
||||
linked_list_t *addrs;
|
||||
} entry_t;
|
||||
|
||||
/**
|
||||
* destroy an entry_t
|
||||
*/
|
||||
static void destroy_entry(entry_t *this)
|
||||
{
|
||||
this->id->destroy(this->id);
|
||||
this->addrs->destroy_offset(this->addrs, offsetof(host_t, destroy));
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get or create an entry from a locked hashtable
|
||||
*/
|
||||
static entry_t* get_or_create_entry(hashtable_t *hashtable, identification_t *id)
|
||||
{
|
||||
entry_t *entry;
|
||||
|
||||
entry = hashtable->get(hashtable, id);
|
||||
if (!entry)
|
||||
{
|
||||
INIT(entry,
|
||||
.id = id->clone(id),
|
||||
.addrs = linked_list_create(),
|
||||
);
|
||||
hashtable->put(hashtable, entry->id, entry);
|
||||
}
|
||||
return entry;
|
||||
}
|
||||
|
||||
/**
|
||||
* Put an entry to hashtable, or destroy it ife empty
|
||||
*/
|
||||
static void put_or_destroy_entry(hashtable_t *hashtable, entry_t *entry)
|
||||
{
|
||||
if (entry->addrs->get_count(entry->addrs) > 0)
|
||||
{
|
||||
hashtable->put(hashtable, entry->id, entry);
|
||||
}
|
||||
else
|
||||
{
|
||||
destroy_entry(entry);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Hashtable hash function
|
||||
*/
|
||||
static u_int hash(identification_t *id)
|
||||
{
|
||||
return chunk_hash_inc(id->get_encoding(id), id->get_type(id));
|
||||
}
|
||||
|
||||
/**
|
||||
* Hashtable equals function
|
||||
*/
|
||||
static bool equals(identification_t *a, identification_t *b)
|
||||
{
|
||||
return a->equals(a, b);
|
||||
}
|
||||
|
||||
/**
|
||||
* Insert an address entry to a locked claimed/unclaimed hashtable
|
||||
*/
|
||||
static void add_addr(private_eap_radius_provider_t *this,
|
||||
hashtable_t *hashtable, identification_t *id, host_t *host)
|
||||
{
|
||||
entry_t *entry;
|
||||
|
||||
entry = get_or_create_entry(hashtable, id);
|
||||
entry->addrs->insert_last(entry->addrs, host);
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove the next address from the locked hashtable stored for given id
|
||||
*/
|
||||
static host_t* remove_addr(private_eap_radius_provider_t *this,
|
||||
hashtable_t *hashtable, identification_t *id)
|
||||
{
|
||||
entry_t *entry;
|
||||
host_t *addr = NULL;
|
||||
|
||||
entry = hashtable->remove(hashtable, id);
|
||||
if (entry)
|
||||
{
|
||||
entry->addrs->remove_first(entry->addrs, (void**)&addr);
|
||||
put_or_destroy_entry(hashtable, entry);
|
||||
}
|
||||
return addr;
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean up unclaimed leases assigned for an IKE_SA
|
||||
*/
|
||||
static void release_unclaimed(private_listener_t *this, ike_sa_t *ike_sa)
|
||||
{
|
||||
identification_t *id;
|
||||
entry_t *entry;
|
||||
|
||||
id = ike_sa->get_other_eap_id(ike_sa);
|
||||
this->mutex->lock(this->mutex);
|
||||
entry = this->unclaimed->remove(this->unclaimed, id);
|
||||
this->mutex->unlock(this->mutex);
|
||||
if (entry)
|
||||
{
|
||||
destroy_entry(entry);
|
||||
}
|
||||
}
|
||||
|
||||
METHOD(listener_t, message_hook, bool,
|
||||
private_listener_t *this, ike_sa_t *ike_sa,
|
||||
message_t *message, bool incoming, bool plain)
|
||||
{
|
||||
if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
|
||||
!incoming && !message->get_request(message))
|
||||
{
|
||||
if ((ike_sa->get_version(ike_sa) == IKEV1 &&
|
||||
message->get_exchange_type(message) == TRANSACTION) ||
|
||||
(ike_sa->get_version(ike_sa) == IKEV2 &&
|
||||
message->get_exchange_type(message) == IKE_AUTH))
|
||||
{
|
||||
/* if the addresses have not been claimed yet, they won't. Release
|
||||
* these ressources. */
|
||||
release_unclaimed(this, ike_sa);
|
||||
}
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(listener_t, ike_updown, bool,
|
||||
private_listener_t *this, ike_sa_t *ike_sa, bool up)
|
||||
{
|
||||
if (!up)
|
||||
{
|
||||
/* if the message hook does not apply because of a failed exchange
|
||||
* or something, make sure we release any ressources now */
|
||||
release_unclaimed(this, ike_sa);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
METHOD(attribute_provider_t, acquire_address, host_t*,
|
||||
private_eap_radius_provider_t *this, linked_list_t *pools,
|
||||
identification_t *id, host_t *requested)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
host_t *addr = NULL;
|
||||
char *name;
|
||||
|
||||
enumerator = pools->create_enumerator(pools);
|
||||
while (enumerator->enumerate(enumerator, &name))
|
||||
{
|
||||
if (streq(name, "radius"))
|
||||
{
|
||||
this->listener.mutex->lock(this->listener.mutex);
|
||||
addr = remove_addr(this, this->listener.unclaimed, id);
|
||||
if (addr)
|
||||
{
|
||||
add_addr(this, this->listener.claimed, id, addr->clone(addr));
|
||||
}
|
||||
this->listener.mutex->unlock(this->listener.mutex);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
return addr;
|
||||
}
|
||||
|
||||
METHOD(attribute_provider_t, release_address, bool,
|
||||
private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
|
||||
identification_t *id)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
host_t *found = NULL;
|
||||
char *name;
|
||||
|
||||
enumerator = pools->create_enumerator(pools);
|
||||
while (enumerator->enumerate(enumerator, &name))
|
||||
{
|
||||
if (streq(name, "radius"))
|
||||
{
|
||||
this->listener.mutex->lock(this->listener.mutex);
|
||||
found = remove_addr(this, this->listener.claimed, id);
|
||||
this->listener.mutex->unlock(this->listener.mutex);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
if (found)
|
||||
{
|
||||
found->destroy(found);
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
|
||||
private_eap_radius_provider_t *this, linked_list_t *pools,
|
||||
identification_t *id, linked_list_t *vips)
|
||||
{
|
||||
return enumerator_create_empty();
|
||||
}
|
||||
|
||||
METHOD(eap_radius_provider_t, add_framed_ip, void,
|
||||
private_eap_radius_provider_t *this, identification_t *id, host_t *ip)
|
||||
{
|
||||
this->listener.mutex->lock(this->listener.mutex);
|
||||
add_addr(this, this->listener.unclaimed, id, ip);
|
||||
this->listener.mutex->unlock(this->listener.mutex);
|
||||
}
|
||||
|
||||
METHOD(eap_radius_provider_t, destroy, void,
|
||||
private_eap_radius_provider_t *this)
|
||||
{
|
||||
singleton = NULL;
|
||||
charon->bus->remove_listener(charon->bus, &this->listener.public);
|
||||
this->listener.mutex->destroy(this->listener.mutex);
|
||||
this->listener.claimed->destroy(this->listener.claimed);
|
||||
this->listener.unclaimed->destroy(this->listener.unclaimed);
|
||||
free(this);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
eap_radius_provider_t *eap_radius_provider_create()
|
||||
{
|
||||
if (!singleton)
|
||||
{
|
||||
private_eap_radius_provider_t *this;
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.provider = {
|
||||
.acquire_address = _acquire_address,
|
||||
.release_address = _release_address,
|
||||
.create_attribute_enumerator = _create_attribute_enumerator,
|
||||
},
|
||||
.add_framed_ip = _add_framed_ip,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.listener = {
|
||||
.public = {
|
||||
.ike_updown = _ike_updown,
|
||||
.message = _message_hook,
|
||||
},
|
||||
.claimed = hashtable_create((hashtable_hash_t)hash,
|
||||
(hashtable_equals_t)equals, 32),
|
||||
.unclaimed = hashtable_create((hashtable_hash_t)hash,
|
||||
(hashtable_equals_t)equals, 32),
|
||||
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
|
||||
},
|
||||
);
|
||||
|
||||
charon->bus->add_listener(charon->bus, &this->listener.public);
|
||||
|
||||
singleton = &this->public;
|
||||
}
|
||||
return singleton;
|
||||
}
|
||||
|
||||
/**
|
||||
* See header
|
||||
*/
|
||||
eap_radius_provider_t *eap_radius_provider_get()
|
||||
{
|
||||
return singleton;
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
/*
|
||||
* Copyright (C) 2013 Martin Willi
|
||||
* Copyright (C) 2013 revosec AG
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
* Free Software Foundation; either version 2 of the License, or (at your
|
||||
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but
|
||||
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* for more details.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @defgroup eap_radius_provider eap_radius_provider
|
||||
* @{ @ingroup eap_radius
|
||||
*/
|
||||
|
||||
#ifndef EAP_RADIUS_PROVIDER_H_
|
||||
#define EAP_RADIUS_PROVIDER_H_
|
||||
|
||||
#include <attributes/attribute_provider.h>
|
||||
|
||||
typedef struct eap_radius_provider_t eap_radius_provider_t;
|
||||
|
||||
/**
|
||||
* IKE configuration attribute fed by RADIUS attributes
|
||||
*/
|
||||
struct eap_radius_provider_t {
|
||||
|
||||
/**
|
||||
* Implements attribute_provider_t
|
||||
*/
|
||||
attribute_provider_t provider;
|
||||
|
||||
/**
|
||||
* Add a received Framed-IP-Address to the provider to serve to client.
|
||||
*
|
||||
* @param id client identity
|
||||
* @param ip IP address received from RADIUS server, gets owned
|
||||
*/
|
||||
void (*add_framed_ip)(eap_radius_provider_t *this, identification_t *id,
|
||||
host_t *ip);
|
||||
|
||||
/**
|
||||
* Destroy a eap_radius_provider_t.
|
||||
*/
|
||||
void (*destroy)(eap_radius_provider_t *this);
|
||||
};
|
||||
|
||||
/**
|
||||
* Create a eap_radius_provider instance.
|
||||
*/
|
||||
eap_radius_provider_t *eap_radius_provider_create();
|
||||
|
||||
/**
|
||||
* Get singleton instance previously created with eap_radius_provider_create().
|
||||
*/
|
||||
eap_radius_provider_t *eap_radius_provider_get();
|
||||
|
||||
#endif /** EAP_RADIUS_PROVIDER_H_ @}*/
|
Loading…
Reference in New Issue