Changeset 162:79768bf7d208 in freeDiameter
- Timestamp:
- Jan 26, 2010, 1:23:03 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- Files:
-
- 6 edited
doc/acl_wl.conf.sample
r161 r162 16 16 # It is specified for example as: 17 17 # ALLOW_IPSEC vpn.example.net vpn2.example.net *.vpn.example.net 18 # These flag take effect from their position, until the end of the line. 18 19 -
extensions/acl_wl/CMakeLists.txt
r161 r162 8 8 9 9 # List of source files 10 SET( A PP_TEST_SRC10 SET( ACL_WL_SRC 11 11 acl_wl.h 12 12 acl_wl.c … … 18 18 19 19 # Compile as a module 20 FD_ADD_EXTENSION(acl_wl ${A PP_TEST_SRC})20 FD_ADD_EXTENSION(acl_wl ${ACL_WL_SRC}) -
extensions/acl_wl/acl_wl.c
r161 r162 71 71 72 72 /* Now, if we did not specify any flag, reject */ 73 if (res == 0) { 74 TRACE_DEBUG(INFO, "Peer '%s' rejected, only TLS-protected connection is whitelisted.", info->pi_diamid); 75 /* We don't actually set *auth = -1, leave space for a further extension to validate the peer */ 76 return 0; 77 } 73 78 74 79 /* Check the Inband-Security-Id value */ 80 res &= info->runtime.pir_isi; 81 if (res == 0) { 82 TRACE_DEBUG(INFO, "Peer '%s' rejected, remotely advertised Inband-Security-Id is not compatible with whitelist flags.", info->pi_diamid); 83 /* We don't actually set *auth = -1, leave space for a further extension to validate the peer */ 84 return 0; 85 } 86 87 /* Ok, the peer is whitelisted */ 88 *auth = 1; 89 90 /* Now, configure the peer for the authorized mechanism */ 91 if ((res & PI_SEC_NONE) && (res & PI_SEC_TLS_OLD)) 92 res = PI_SEC_NONE; /* If we authorized it, we must have an IPsec tunnel setup, no need for TLS in this case */ 93 94 /* Save information about the security mechanism to use after CER/CEA exchange */ 95 info->config.pic_flags.sec = res; 96 return 0; 75 97 } 76 98 … … 79 101 { 80 102 TRACE_ENTRY("%p", conffile); 81 82 103 CHECK_PARAMS(conffile); 83 104 … … 86 107 87 108 TRACE_DEBUG(INFO, "Extension ACL_wl initialized with configuration: '%s'", conffile); 88 aw_tree_dump(); 109 if (TRACE_BOOL(ANNOYING)) { 110 aw_tree_dump(); 111 } 89 112 90 113 /* Register the validator function */ 91 114 CHECK_FCT( fd_peer_validate_register ( aw_validate ) ); 115 92 116 return 0; 93 117 } … … 96 120 void fd_ext_fini(void) 97 121 { 98 /* Unregister the validator function */99 100 122 /* Destroy the tree */ 101 123 aw_tree_destroy(); 102 124 } 103 125 -
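Review bot: When a whitelist entry allows both mechanisms, the new line `res = PI_SEC_NONE;` resolves the tie toward the weaker option, so a peer advertising both TLS and no-inband-security ends up configured without TLS; nothing in this hunk verifies that the IPsec tunnel the accompanying comment relies on actually exists, so either invert the preference to PI_SEC_TLS_OLD when both sides support it or state next to ALLOW_IPSEC that the whitelist is trusting an external IPsec policy. The two "rejected" trace messages are also misleading, since both early returns leave `*auth` untouched and explicitly defer the decision to a later validator; `"Peer '%s' not whitelisted by ACL_wl (no flag matched), leaving decision to other validators."` would describe what happens. Separately, fd_ext_fini now destroys the tree but the "Unregister the validator function" placeholder was dropped without a call replacing it, so if the core can still invoke aw_validate after unload it would walk a destroyed tree — worth confirming the framework drops callbacks of unloaded extensions. aw_validate starts before this hunk.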
extensions/acl_wl/aw_tree.c
r161 r162 230 230 ti = (struct tree_item *)(senti->next); 231 231 if (ti->str == NULL) { 232 fd_log_debug("[acl_wl] Warning: entry '%s' is superseeded by a generic entry at l evel %d, ignoring.\n", name, lbl);232 fd_log_debug("[acl_wl] Warning: entry '%s' is superseeded by a generic entry at label %d, ignoring.\n", name, lbl + 1); 233 233 return 0; 234 234 } … … 287 287 ti = (struct tree_item *)(senti->next); 288 288 if (ti->str == NULL) { 289 fd_log_debug("[acl_wl] Warning: entry '%s' is superseeded by a generic entry at l evel 0, ignoring.\n", name);289 fd_log_debug("[acl_wl] Warning: entry '%s' is superseeded by a generic entry at label 1, ignoring.\n", name); 290 290 return 0; 291 291 } … … 367 367 ti = (struct tree_item *)(senti->next); 368 368 if (ti->str == NULL) { 369 TRACE_DEBUG( FULL, "[acl_wl] %s matched at level %d with a generic entry.", name, lbl);369 TRACE_DEBUG(ANNOYING, "[acl_wl] %s matched at label %d with a generic entry.", name, lbl + 1); 370 370 *result = ti->flags; 371 371 return 0; … … 407 407 return 0; 408 408 409 TRACE_DEBUG( FULL, "[acl_wl] %s matched exactly.", name);409 TRACE_DEBUG(ANNOYING, "[acl_wl] %s matched exactly.", name); 410 410 *result = ti->flags; 411 411 return 0; -
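Review bot: Both edited fd_log_debug warnings keep the misspelling "superseeded"; since the strings are being reworded anyway, `"[acl_wl] Warning: entry '%s' is superseded by a generic entry at label %d, ignoring.\n"` would fix it in the same change. The `lbl + 1` adjustment makes the first site report a 1-based label, which is consistent with the hard-coded "label 1" in the second site, so the two messages now agree. The enclosing functions start and end outside this hunk.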
freeDiameter/p_ce.c
r160 r162 782 782 } 783 783 784 /* Do we send ISI back? */784 /* Do we agree on ISI ? */ 785 785 if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) { 786 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) 787 isi = PI_SEC_NONE; /* Maybe we should also look at peer->p_hdr.info.runtime.pir_isi here ? */ 788 else 786 /* In case of responder, the validate callback must have set the config.pic_flags.sec value already */ 787 if (!peer->p_hdr.info.config.pic_flags.sec) { 788 /* The peer did not send the Inband-Security-Id AVP, reject */ 789 TRACE_DEBUG(INFO, "No security mechanism advertised by peer '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid); 790 ec = "DIAMETER_NO_COMMON_SECURITY"; 791 fatal = 1; 792 goto error_abort; 793 } 794 795 /* Now, check if we agree on the value IPsec */ 796 if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) { 797 isi = PI_SEC_NONE; 798 } else if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD)) { 789 799 isi = PI_SEC_TLS_OLD; 800 } 801 802 /* If we did not find an agreement */ 803 if (!isi) { 804 TRACE_DEBUG(INFO, "No common security mechanism with '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid); 805 ec = "DIAMETER_NO_COMMON_SECURITY"; 806 fatal = 1; 807 goto error_abort; 808 } 790 809 } 791 810 -
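Review bot: The new rejection message "No security mechanism advertised by peer '%s'" is inaccurate: the condition tests `config.pic_flags.sec`, which is the locally configured (validator-set) value, while what the peer advertised is `runtime.pir_isi`, so this branch actually fires when no validator configured a mechanism for the peer rather than when the AVP was missing. I would reword it to `"No security mechanism configured for peer '%s' (validator did not set pic_flags.sec), sending DIAMETER_NO_COMMON_SECURITY"` so an operator debugging a failed CER is pointed at the whitelist rather than at the remote side. As in acl_wl, the agreement check tries PI_SEC_NONE before PI_SEC_TLS_OLD, so when both sides allow both values the weaker mechanism is chosen silently; the `if (!isi)` fallback also depends on isi being zero before this block, which is not visible in the hunk. The enclosing function starts and ends outside this hunk.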
include/freeDiameter/freeDiameter.h
r142 r162 303 303 304 304 /* 305 * FUNCTION: peer_validate_register305 * FUNCTION: fd_peer_validate_register 306 306 * 307 307 * PARAMETERS: … … 342 342 * or an error code otherwise. If the error code is received, the connection is closed and the 343 343 * peer is destroyed. 344 * Note that freeDiameter already achieves some usual checks. The callback may be used to enforce 345 * additional restrictions. 344 346 * 345 347 * RETURN VALUE: