changeset 565:64e55fc10ab3
added configuration parameters for DiamEAP and EAP-TLS
author | Souheil Ben Ayed <souheil@tera.ics.keio.ac.jp> |
---|---|
date | Mon, 27 Sep 2010 16:39:14 +0900 |
parents | 603f70bf1453 |
children | 62ad61238af2 |
files | doc/app_diameap.conf.sample doc/eap_tls_plugin.diameap.conf.sample extensions/app_diameap/diameap.l extensions/app_diameap/diameap.y extensions/app_diameap/diameap_init.c extensions/app_diameap/diameap_server.c extensions/app_diameap/diameap_tls.h extensions/app_diameap/diameap_user.h extensions/app_diameap/plugins/eap_identity/eap_identity.c extensions/app_diameap/plugins/eap_tls/eap_tls.c extensions/app_diameap/plugins/eap_tls/eaptls.l extensions/app_diameap/plugins/eap_tls/eaptls.y |
diffstat | 12 files changed, 111 insertions(+), 6 deletions(-) [+] |
--- a/doc/app_diameap.conf.sample Fri Sep 17 17:23:46 2010 +0900
+++ b/doc/app_diameap.conf.sample Mon Sep 27 16:39:14 2010 +0900
@@ -28,6 +28,9 @@
 Load_plugin = "EAP Identity":1:0:"/extensions/eap_identity.emp":"";
+# Enable/disable checking User's Identity. If disabled, default parameters value will be used for authentication and authorization attributes.
+# Default values are defined in database for 'Default User'.
+Check_User_Identity = 1;
 # In addition to authentication DiamEAP can be configured to check authorization of authenticated users. If set to 0 authorization is disabled, otherwise enabled.( by default disabled).
 Authorization = 1;
--- a/doc/eap_tls_plugin.diameap.conf.sample Fri Sep 17 17:23:46 2010 +0900
+++ b/doc/eap_tls_plugin.diameap.conf.sample Mon Sep 27 16:39:14 2010 +0900
@@ -8,3 +8,6 @@
 #CRL file
 #CRL = "<Path to CRL file>";
+
+#Enable/disable checking certificate's CN
+check_cert_cn_username = 1;
--- a/extensions/app_diameap/diameap.l Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap.l Mon Sep 27 16:39:14 2010 +0900
@@ -106,6 +106,9 @@
 return MULTI_ROUND_TIMEOUT;
 }
+(?i:"Check_user_identity") {
+ return CHECK_USER_IDENTITY;
+ }
 "="|";"|":"|"," {
 return yytext[0];
--- a/extensions/app_diameap/diameap.y Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap.y Mon Sep 27 16:39:14 2010 +0900
@@ -83,6 +83,7 @@
 %token DIAMEAP_MYSQL
 %token MAX_INVALID_EAP_PACKET
 %token MULTI_ROUND_TIMEOUT
+%token CHECK_USER_IDENTITY
 %%
@@ -92,6 +93,7 @@
 | confparams DiamEAP_MySQL
 | confparams MAX_Invalid_EAP_Packet
 | confparams Multi_Round_Timeout
+ | confparams Check_User_Identity
 | confparams errors
 {
 yyerror(&yylloc, config, "Unrecognized configuration parameter.");
@@ -173,8 +175,17 @@
 {
 config->multi_round_time_out=(unsigned int)$3;
 };
-
+
+Check_User_Identity: CHECK_USER_IDENTITY '=' NUM ';'
+ {
+ if((int)$3){
+ check_user_identity = TRUE;
+ }else{
+ check_user_identity = FALSE;
+ }
+ };
+
 %%
 void yyerror(YYLTYPE *llocp, struct diameap_conf * config,const char *str)
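Review bot: The new `Check_User_Identity` rule stores its value in the file-scope global `check_user_identity` instead of in `config`, unlike the neighbouring rules (`config->multi_round_time_out=(unsigned int)$3;` directly above) and the parallel `CHECK_CN_USERNAME_param` rule in eaptls.y, which writes `config->check_cert_cn_username`. Since the parser already receives `struct diameap_conf * config`, a `boolean check_user_identity` member on that struct and `config->check_user_identity = ((int)$3) ? TRUE : FALSE;` would keep all DiamEAP settings in one place and remove the global that the diameap_init.c and eap_identity.c hunks now depend on. The same global is initialised in the diameap_init.c hunk and declared in the diameap_user.h hunk; those would change together with this one.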
--- a/extensions/app_diameap/diameap_init.c Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap_init.c Mon Sep 27 16:39:14 2010 +0900
@@ -133,6 +133,8 @@
 diameap_config->diam_realm = strdup(fd_g_config->cnf_diamrlm);
 diameap_config->max_invalid_eap_packet = 5;
 diameap_config->multi_round_time_out = 30;
+ check_user_identity = TRUE;
+
 return 0;
 }
--- a/extensions/app_diameap/diameap_server.c Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap_server.c Mon Sep 27 16:39:14 2010 +0900
@@ -438,6 +438,11 @@
 eap_sm->user.methodId = 0;*/
 }
+ if((eap_sm->respMethod == TYPE_IDENTITY) && (length < 6)){
+ TRACE_DEBUG(INFO,"%sUser Identity missing",DIAMEAP_EXTENSION);
+ return 0;
+ }
+
 eap_sm->rxResp = TRUE;
 return 0;
 }
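Review bot: The new guard returns 0 after logging `User Identity missing`, so the caller gets the same result as for a correctly parsed response while `eap_sm->rxResp` is simply left at its previous value; whether the state machine then ignores the packet depends on code outside this hunk (the enclosing function starts before it). If an Identity response with no identity octets is meant to be rejected, returning whatever non-zero value this function's other error paths use would make that explicit instead of relying on `rxResp` staying FALSE. The constant also deserves a comment, since `length < 6` is otherwise a magic number: `/* 5-byte EAP header + at least one identity octet */` — assuming `length` is the EAP packet length, which is not visible here.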
--- a/extensions/app_diameap/diameap_tls.h Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap_tls.h Mon Sep 27 16:39:14 2010 +0900
@@ -59,6 +59,9 @@
 char * cafile;
 char * crlfile;
+ //configuration parameters
+ boolean check_cert_cn_username;
+
 int max_size;
 gnutls_certificate_credentials_t cert_cred;
--- a/extensions/app_diameap/diameap_user.h Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/diameap_user.h Mon Sep 27 16:39:14 2010 +0900
@@ -73,7 +73,7 @@
 boolean success; /* Set to TRUE if User is authenticated successfully */
 };
-
+boolean check_user_identity;
 int diameap_user_get_password(struct eap_user user, u8 * password,u16 *length);
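Review bot: `boolean check_user_identity;` in a header is a tentative definition, not a declaration, so every translation unit that includes diameap_user.h defines its own copy of the variable; that only links through the common-symbol extension (the old `-fcommon` default) and becomes a multiple-definition error under `-fno-common`, which GCC 10 and later use by default. It should read `extern boolean check_user_identity;` here, with a single definition `boolean check_user_identity;` in one .c file — diameap_init.c, which already assigns it in this changeset, is the natural home. A one-line comment stating what the flag controls (whether the EAP identity is looked up as-is or the `Default User` record is used) would also help readers who only see this header.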
--- a/extensions/app_diameap/plugins/eap_identity/eap_identity.c Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/plugins/eap_identity/eap_identity.c Mon Sep 27 16:39:14 2010 +0900
@@ -137,9 +137,15 @@
 }
 U8COPY((u8 *)user,0,len,Respdata);
 user[length-5]='\0';
-
- ret=diameap_get_eap_user(&(smd->user),user);
-
+ if(check_user_identity == FALSE){
+ ret=diameap_get_eap_user(&(smd->user),"Default User");
+ CHECK_MALLOC_DO(smd->user.userid=realloc(smd->user.userid,strlen(user)+1),{ret = 1; goto next;});
+ memcpy(smd->user.userid,user,strlen(user));
+ smd->user.useridLength = strlen(user);
+ } else {
+ ret=diameap_get_eap_user(&(smd->user),user);
+ }
+next:
 if(ret==0)
 {
 smd->user.methodId = -1;
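Review bot: In the `check_user_identity == FALSE` branch the copy into the reallocated `userid` drops the terminator: the buffer is `strlen(user)+1` bytes but `memcpy` copies only `strlen(user)`, so the `strcmp((char *)smd->user.userid, ...)` the eap_tls plugin performs on it in this same changeset reads past the identity unless `diameap_get_eap_user` happened to leave a NUL in the reused allocation. Copying the terminator fixes it, `memcpy(smd->user.userid,user,strlen(user)+1);`. The result of `diameap_get_eap_user(&(smd->user),"Default User")` is also not examined before `smd->user.userid` is passed to `realloc`; if that call can fail and leave `userid` unset, the `realloc` operates on an indeterminate pointer, so guarding the copy with `if(ret==0)` would be safer — what the helper does to `userid` on failure is not visible here. The enclosing function begins and ends outside the hunk.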
--- a/extensions/app_diameap/plugins/eap_tls/eap_tls.c Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/plugins/eap_tls/eap_tls.c Mon Sep 27 16:39:14 2010 +0900
@@ -69,6 +69,7 @@
 tls_global_conf.keyfile = NULL;
 tls_global_conf.cafile = NULL;
 tls_global_conf.crlfile = NULL;
+ tls_global_conf.check_cert_cn_username = FALSE;
 /*Parse EAP TLS configuration file */
 eaptlsin = fopen(tls_global_conf.conffile, "r");
@@ -184,8 +185,58 @@
 {
 data->state = SUCCESS;
 smd->user.success = TRUE;
+
+ if(tls_global_conf.check_cert_cn_username == TRUE){
+ unsigned int list_size;
+ const gnutls_datum_t * list = gnutls_certificate_get_peers (data->session, &list_size);
+ if(list_size<1){
+ goto failure;
+ }
+
+ gnutls_x509_crt_t cert;
+
+ CHECK_GNUTLS_DO(gnutls_x509_crt_init(&cert),{
+ TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error in initialization crt init",DIAMEAP_EXTENSION);
+ goto failure;});
+
+ CHECK_GNUTLS_DO(gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER), {
+ TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error parsing certificate",DIAMEAP_EXTENSION);
+ goto failure;});
+
+ void * buff;
+ size_t size_buffer;
+ int ret;
+ ret = gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,NULL,&size_buffer);
+ if( ret != GNUTLS_E_SHORT_MEMORY_BUFFER){
+ CHECK_GNUTLS_DO(ret,{
+ TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION);
+ goto failure;});
+ }
+
+ CHECK_MALLOC_DO(buff=malloc(size_buffer), goto failure);
+
+ CHECK_GNUTLS_DO(gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,buff,&size_buffer),{
+ TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION);
+ goto failure;});
+
+ if(strcmp((char *)smd->user.userid,buff)!=0){
+ goto failure;
+ }
+
+ gnutls_x509_crt_deinit(cert);
+ goto next;
+
+ failure:
+ TRACE_DEBUG(NONE,"%s[EAP TLS plugin] Checking failed. certificate's CN does not match User_Name AVP value.",DIAMEAP_EXTENSION);
+ data->state = FAILURE;
+ smd->user.success = FALSE;
+ gnutls_x509_crt_deinit(cert);
+ }
+
+ next:
 smd->methodData = (struct tls_data*) data;
 return 0;
+ }
 return 0;
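Review bot: On the `failure:` path `gnutls_x509_crt_deinit(cert)` runs on an indeterminate handle whenever the jump comes from the `list_size<1` check or from a failed `gnutls_x509_crt_init`, because `cert` is declared without an initialiser after the first `goto failure`; the DN buffer `buff` is also never freed, on the match path or the failure path, so every handshake that reaches this check leaks it. Declare `cert` and `buff` at the top of the block initialised to NULL (so no goto jumps over the initialisers), free `buff` on both exits and deinit `cert` only when it was created, as below; `gnutls_certificate_get_peers` may also return NULL, which is worth testing next to `list_size`. The single failure message claims the CN did not match even when the cause was a GnuTLS or allocation error, which will mislead whoever reads the trace, so log the cause before each jump and keep the mismatch text for the `strcmp` case only. Note that `strcmp` relies on `smd->user.userid` being NUL-terminated, which the eap_identity.c hunk of this changeset does not guarantee for the `Default User` path.
```c
	if(tls_global_conf.check_cert_cn_username == TRUE){
		unsigned int list_size = 0;
		const gnutls_datum_t * list = gnutls_certificate_get_peers (data->session, &list_size);
		gnutls_x509_crt_t cert = NULL;	/* NULL until crt_init succeeds, so failure: can test it */
		void * buff = NULL;		/* NULL until malloc succeeds; freed on both exits */
		size_t size_buffer;
		int ret;

		if(list == NULL || list_size<1){
			goto failure;
		}

		/* … unchanged: crt_init, crt_import, DN size query, malloc, DN fetch … */

		if(strcmp((char *)smd->user.userid,buff)!=0){
			goto failure;
		}

		free(buff);
		gnutls_x509_crt_deinit(cert);
		goto next;

		failure:
		TRACE_DEBUG(NONE,"%s[EAP TLS plugin] Checking failed. certificate's CN does not match User_Name AVP value.",DIAMEAP_EXTENSION);
		data->state = FAILURE;
		smd->user.success = FALSE;
		free(buff);
		if(cert != NULL){
			gnutls_x509_crt_deinit(cert);
		}
	}
```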
--- a/extensions/app_diameap/plugins/eap_tls/eaptls.l Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/plugins/eap_tls/eaptls.l Mon Sep 27 16:39:14 2010 +0900
@@ -94,6 +94,10 @@
 return CRLPATH;
 }
+(?i:"check_cert_cn_username") {
+ return CHECK_CN_USERNAME;
+ }
+
 "="|";"|":"|"," {
 /* Single characters for yyparse */
--- a/extensions/app_diameap/plugins/eap_tls/eaptls.y Fri Sep 17 17:23:46 2010 +0900
+++ b/extensions/app_diameap/plugins/eap_tls/eaptls.y Mon Sep 27 16:39:14 2010 +0900
@@ -79,6 +79,7 @@
 %token CERTS
 %token CAPATH
 %token CRLPATH
+%token CHECK_CN_USERNAME
 %%
@@ -86,6 +87,7 @@
 | confparams CERTS_files
 | confparams CA_file
 | confparams CRL_file
+ | confparams CHECK_CN_USERNAME_param
 | confparams errors
 {
 return EINVAL;
@@ -219,7 +221,19 @@
 config->crlfile=$3;
 }
 ;
-
+
+CHECK_CN_USERNAME_param :
+ CHECK_CN_USERNAME '=' NUM ';'
+ {
+ if((int)$3 == 0){
+ config->check_cert_cn_username = FALSE;
+ }
+ else
+ {
+ config->check_cert_cn_username = TRUE;
+ }
+ }
+ ;
 %%