Changeset 565:64e55fc10ab3 in freeDiameter
- Timestamp:
- Sep 27, 2010, 4:39:14 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- Files:
-
- 12 edited
doc/app_diameap.conf.sample
r441 r565 29 29 Load_plugin = "EAP Identity":1:0:"/extensions/eap_identity.emp":""; 30 30 31 # Enable/disable checking User's Identity. If disabled, default parameters value will be used for authentication and authorization attributes. 32 # Default values are defined in database for 'Default User'. 33 Check_User_Identity = 1; 31 34 32 35 # In addition to authentication DiamEAP can be configured to check authorization of authenticated users. If set to 0 authorization is disabled, otherwise enabled.( by default disabled). -
doc/eap_tls_plugin.diameap.conf.sample
r425 r565 9 9 #CRL file 10 10 #CRL = "<Path to CRL file>"; 11 12 #Enable/disable checking certificate's CN 13 check_cert_cn_username = 1; -
extensions/app_diameap/diameap.l
r438 r565 107 107 } 108 108 109 (?i:"Check_user_identity") { 110 return CHECK_USER_IDENTITY; 111 } 109 112 110 113 "="|";"|":"|"," { -
extensions/app_diameap/diameap.y
r511 r565 84 84 %token MAX_INVALID_EAP_PACKET 85 85 %token MULTI_ROUND_TIMEOUT 86 %token CHECK_USER_IDENTITY 86 87 87 88 %% … … 93 94 | confparams MAX_Invalid_EAP_Packet 94 95 | confparams Multi_Round_Timeout 96 | confparams Check_User_Identity 95 97 | confparams errors 96 98 { … … 174 176 config->multi_round_time_out=(unsigned int)$3; 175 177 }; 176 178 179 Check_User_Identity: CHECK_USER_IDENTITY '=' NUM ';' 180 { 181 if((int)$3){ 182 check_user_identity = TRUE; 183 }else{ 184 check_user_identity = FALSE; 185 } 186 }; 177 187 188 178 189 %% 179 190 -
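Review bot: The new `Check_User_Identity` rule writes the file-scope variable `check_user_identity` directly, whereas the neighbouring rule stores its value in `config->multi_round_time_out`, and `diameap_init.c` in this changeset sets the same global right next to the `diameap_config->` defaults; keeping the flag in the config struct (e.g. `config->check_user_identity`) would keep all parsed configuration in one place. The if/else can also be collapsed to `check_user_identity = ((int)$3 != 0);` if TRUE/FALSE are 1/0 in this project, and the same simplification applies to `CHECK_CN_USERNAME_param` in `eaptls.y`.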
extensions/app_diameap/diameap_init.c
r465 r565 134 134 diameap_config->max_invalid_eap_packet = 5; 135 135 diameap_config->multi_round_time_out = 30; 136 check_user_identity = TRUE; 137 136 138 return 0; 137 139 } -
extensions/app_diameap/diameap_server.c
r444 r565 439 439 } 440 440 441 if((eap_sm->respMethod == TYPE_IDENTITY) && (length < 6)){ 442 TRACE_DEBUG(INFO,"%sUser Identity missing",DIAMEAP_EXTENSION); 443 return 0; 444 } 445 441 446 eap_sm->rxResp = TRUE; 442 447 return 0; -
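Review bot: The constant 6 in the new `length < 6` guard is unexplained; a comment such as `/* EAP header (4 bytes) + Type (1 byte) + at least one byte of identity */` would document it, assuming `length` is the whole EAP packet length, which the hunk does not show. The early `return 0` also leaves `eap_sm->rxResp` unset while returning the same value as the normal path, so the caller presumably cannot tell a dropped identity response from a processed one; confirm that is intended. The enclosing function starts and ends outside the hunk.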
extensions/app_diameap/diameap_tls.h
r438 r565 60 60 char * crlfile; 61 61 62 //configuration parameters 63 boolean check_cert_cn_username; 64 62 65 int max_size; 63 66 -
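Review bot: The new `check_cert_cn_username` field carries only the generic comment `//configuration parameters`; since `eap_tls.c` in this changeset fails the authentication when it is TRUE and the peer certificate's CN differs from `smd->user.userid`, a one-line comment at the declaration, e.g. `/* TRUE: require the peer certificate's CN to equal the User-Name being authenticated */`, would state that contract where readers look for it. The struct definition starts outside the hunk.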
extensions/app_diameap/diameap_user.h
r425 r565 74 74 }; 75 75 76 76 boolean check_user_identity; 77 77 78 78 int diameap_user_get_password(struct eap_user user, u8 * password,u16 *length); -
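Review bot: `boolean check_user_identity;` in a header is a definition, not a declaration, so every translation unit including `diameap_user.h` gets its own tentative definition; this presumably links only via common symbols and breaks under `-fno-common` (the GCC 10+ default). Declare it `extern boolean check_user_identity;` here and define it once in a .c file, e.g. beside the `check_user_identity = TRUE;` default added in `diameap_init.c`. The rendering does not show whether this line is new or only modified in this changeset.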
extensions/app_diameap/plugins/eap_identity/eap_identity.c
r438 r565 138 138 U8COPY((u8 *)user,0,len,Respdata); 139 139 user[length-5]='\0'; 140 141 ret=diameap_get_eap_user(&(smd->user),user); 142 140 if(check_user_identity == FALSE){ 141 ret=diameap_get_eap_user(&(smd->user),"Default User"); 142 CHECK_MALLOC_DO(smd->user.userid=realloc(smd->user.userid,strlen(user)+1),{ret = 1; goto next;}); 143 memcpy(smd->user.userid,user,strlen(user)); 144 smd->user.useridLength = strlen(user); 145 } else { 146 ret=diameap_get_eap_user(&(smd->user),user); 147 } 148 next: 143 149 if(ret==0) 144 150 { -
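Review bot: In the `check_user_identity == FALSE` branch the realloc result is assigned straight to `smd->user.userid`, so on failure the previous buffer is lost, and the following `memcpy` copies `strlen(user)` bytes without the terminator even though `strlen(user)+1` bytes were reserved; `eap_tls.c` in this same changeset later passes `smd->user.userid` to `strcmp`, which needs that terminator. `ret` from the `"Default User"` lookup is also not checked before the user record is modified, and `strlen(user)` is computed three times. The rewrite below assumes `CHECK_MALLOC_DO` tests its argument for NULL and that `userid` is a `u8 *`; the enclosing function starts and ends outside the hunk.
```c
if(check_user_identity == FALSE){
    ret=diameap_get_eap_user(&(smd->user),"Default User");
    if(ret != 0) goto next;
    size_t ulen = strlen(user);
    u8 *tmp = realloc(smd->user.userid, ulen+1);   /* keep the old buffer if realloc fails */
    CHECK_MALLOC_DO(tmp, {ret = 1; goto next;});
    smd->user.userid = tmp;
    memcpy(smd->user.userid, user, ulen+1);        /* include the terminator for later strcmp */
    smd->user.useridLength = ulen;
} else {
    ret=diameap_get_eap_user(&(smd->user),user);
}
```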
extensions/app_diameap/plugins/eap_tls/eap_tls.c
r425 r565 70 70 tls_global_conf.cafile = NULL; 71 71 tls_global_conf.crlfile = NULL; 72 tls_global_conf.check_cert_cn_username = FALSE; 72 73 73 74 /*Parse EAP TLS configuration file */ … … 185 186 data->state = SUCCESS; 186 187 smd->user.success = TRUE; 188 189 if(tls_global_conf.check_cert_cn_username == TRUE){ 190 unsigned int list_size; 191 const gnutls_datum_t * list = gnutls_certificate_get_peers (data->session, &list_size); 192 if(list_size<1){ 193 goto failure; 194 } 195 196 gnutls_x509_crt_t cert; 197 198 CHECK_GNUTLS_DO(gnutls_x509_crt_init(&cert),{ 199 TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error in initialization crt init",DIAMEAP_EXTENSION); 200 goto failure;}); 201 202 CHECK_GNUTLS_DO(gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER), { 203 TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error parsing certificate",DIAMEAP_EXTENSION); 204 goto failure;}); 205 206 void * buff; 207 size_t size_buffer; 208 int ret; 209 ret = gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,NULL,&size_buffer); 210 if( ret != GNUTLS_E_SHORT_MEMORY_BUFFER){ 211 CHECK_GNUTLS_DO(ret,{ 212 TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION); 213 goto failure;}); 214 } 215 216 CHECK_MALLOC_DO(buff=malloc(size_buffer), goto failure); 217 218 CHECK_GNUTLS_DO(gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,buff,&size_buffer),{ 219 TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION); 220 goto failure;}); 221 222 if(strcmp((char *)smd->user.userid,buff)!=0){ 223 goto failure; 224 } 225 226 gnutls_x509_crt_deinit(cert); 227 goto next; 228 229 failure: 230 TRACE_DEBUG(NONE,"%s[EAP TLS plugin] Checking failed. 
certificate's CN does not match User_Name AVP value.",DIAMEAP_EXTENSION); 231 data->state = FAILURE; 232 smd->user.success = FALSE; 233 gnutls_x509_crt_deinit(cert); 234 } 235 236 next: 187 237 smd->methodData = (struct tls_data*) data; 188 238 return 0; 239 189 240 } 190 241 -
extensions/app_diameap/plugins/eap_tls/eaptls.l
r438 r565 95 95 } 96 96 97 (?i:"check_cert_cn_username") { 98 return CHECK_CN_USERNAME; 99 } 100 97 101 98 102 -
extensions/app_diameap/plugins/eap_tls/eaptls.y
r438 r565 80 80 %token CAPATH 81 81 %token CRLPATH 82 %token CHECK_CN_USERNAME 82 83 83 84 %% … … 87 88 | confparams CA_file 88 89 | confparams CRL_file 90 | confparams CHECK_CN_USERNAME_param 89 91 | confparams errors 90 92 { … … 220 222 } 221 223 ; 222 224 225 CHECK_CN_USERNAME_param : 226 CHECK_CN_USERNAME '=' NUM ';' 227 { 228 if((int)$3 == 0){ 229 config->check_cert_cn_username = FALSE; 230 } 231 else 232 { 233 config->check_cert_cn_username = TRUE; 234 } 235 } 236 ; 223 237 224 238 %%