Mercurial > hg > freeDiameter

view extensions/acl_wl/acl_wl.c @ 258:5df55136361b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Updated copyright information
author Sebastien Decugis <sdecugis@nict.go.jp>
date Fri, 16 Apr 2010 17:04:15 +0900
parents 79768bf7d208
children e624fa5f85ca
line wrap: on
line source

/*********************************************************************************************************
* Software License Agreement (BSD License)                                                               *
* Author: Sebastien Decugis <sdecugis@nict.go.jp>							 *
*													 *
* Copyright (c) 2010, WIDE Project and NICT								 *
* All rights reserved.											 *
* 													 *
* Redistribution and use of this software in source and binary forms, with or without modification, are  *
* permitted provided that the following conditions are met:						 *
* 													 *
* * Redistributions of source code must retain the above 						 *
*   copyright notice, this list of conditions and the 							 *
*   following disclaimer.										 *
*    													 *
* * Redistributions in binary form must reproduce the above 						 *
*   copyright notice, this list of conditions and the 							 *
*   following disclaimer in the documentation and/or other						 *
*   materials provided with the distribution.								 *
* 													 *
* * Neither the name of the WIDE Project or NICT nor the 						 *
*   names of its contributors may be used to endorse or 						 *
*   promote products derived from this software without 						 *
*   specific prior written permission of WIDE Project and 						 *
*   NICT.												 *
* 													 *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 	 *
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 	 *
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF   *
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.								 *
*********************************************************************************************************/

/* 
 * Whitelist extension for freeDiameter.
 */

#include "acl_wl.h"

/* The validator function */
static int aw_validate(struct peer_info * info, int * auth, int (**cb2)(struct peer_info *))
{
	int res;
	
	TRACE_ENTRY("%p %p %p", info, auth, cb2);
	
	CHECK_PARAMS(info && auth && cb2);
	
	/* We don't use the second callback */
	*cb2 = NULL;
	
	/* Default to unknown result */
	*auth = 0;
	
	/* Now search the peer in our tree */
	CHECK_FCT( aw_tree_lookup(info->pi_diamid, &res) );
	if (res < 0) {
		/* The peer is not whitelisted */
		return 0;
	}
	
	/* We found the peer in the tree, now check the status */
	
	/* First, if TLS is already in place, just accept */
	if (info->runtime.pir_cert_list) {
		*auth = 1;
		return 0;
	}
	
	/* Now, if we did not specify any flag, reject */
	if (res == 0) {
		TRACE_DEBUG(INFO, "Peer '%s' rejected, only TLS-protected connection is whitelisted.", info->pi_diamid);
		/* We don't actually set *auth = -1, leave space for a further extension to validate the peer */
		return 0;
	}
	
	/* Check the Inband-Security-Id value */
	res &= info->runtime.pir_isi;
	if (res == 0) {
		TRACE_DEBUG(INFO, "Peer '%s' rejected, remotely advertised Inband-Security-Id is not compatible with whitelist flags.", info->pi_diamid);
		/* We don't actually set *auth = -1, leave space for a further extension to validate the peer */
		return 0;
	}
	
	/* Ok, the peer is whitelisted */
	*auth = 1;
	
	/* Now, configure the peer for the authorized mechanism */
	if ((res & PI_SEC_NONE) && (res & PI_SEC_TLS_OLD))
		res = PI_SEC_NONE; /* If we authorized it, we must have an IPsec tunnel setup, no need for TLS in this case */
	
	/* Save information about the security mechanism to use after CER/CEA exchange */
	info->config.pic_flags.sec = res;
	return 0;
}

/* entry point */
static int aw_entry(char * conffile)
{
	TRACE_ENTRY("%p", conffile);
	CHECK_PARAMS(conffile);
	
	/* Parse configuration file */
	CHECK_FCT( aw_conf_handle(conffile) );
	
	TRACE_DEBUG(INFO, "Extension ACL_wl initialized with configuration: '%s'", conffile);
	if (TRACE_BOOL(ANNOYING)) {
		aw_tree_dump();
	}
	
	/* Register the validator function */
	CHECK_FCT( fd_peer_validate_register ( aw_validate ) );

	return 0;
}

/* Unload */
void fd_ext_fini(void)
{
	/* Destroy the tree */
	aw_tree_destroy();
}

EXTENSION_ENTRY("acl_wl", aw_entry);
"Welcome to our mercurial repository"