Changeset 332:e624fa5f85ca in freeDiameter
- Timestamp:
- May 31, 2010, 7:09:24 PM (13 years ago)
- Branch:
- default
- Phase:
- public
- Files:
-
- 2 edited
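--- a/extensions/acl_wl/acl_wl.c
+++ b/extensions/acl_wl/acl_wl.c
@@ -77,20 +77,11 @@
 	}
 
-	/* Check the Inband-Security-Id value */
-	res &= info->runtime.pir_isi;
-	if (res == 0) {
-		TRACE_DEBUG(INFO, "Peer '%s' rejected, remotely advertised Inband-Security-Id is not compatible with whitelist flags.", info->pi_diamid);
-		/* We don't actually set *auth = -1, leave space for a further extension to validate the peer */
-		return 0;
-	}
-
-	/* Ok, the peer is whitelisted */
+	/* Otherwise, just set the configured flags for the peer, and authorize it */
 	*auth = 1;
 
-	/* Now, configure the peer for the authorized mechanism*/
+	/* Save information about the security mechanism to use after CER/CEA exchange */
 	if ((res & PI_SEC_NONE) && (res & PI_SEC_TLS_OLD))
 		res = PI_SEC_NONE; /* If we authorized it, we must have an IPsec tunnel setup, no need for TLS in this case */
 
-	/* Save information about the security mechanism to use after CER/CEA exchange */
 	info->config.pic_flags.sec = res;
 	return 0;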
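Review bot: With the Inband-Security-Id check removed, the collapse `res = PI_SEC_NONE;` at new line 84 now fires from the whitelist flags alone: an entry that allows both PI_SEC_NONE and PI_SEC_TLS_OLD is stored in `pic_flags.sec` without TLS_OLD whatever the remote peer advertised, so a peer offering only TLS can no longer be negotiated down to TLS by the receiver, whose new logic keys on `sec & PI_SEC_TLS_OLD`. The comment on that line still says the peer "must have an IPsec tunnel setup", but nothing in this function checks for one, so the downgrade rests on an unverified deployment assumption. Since the CER/CEA side now resolves the mechanism from `pir_isi` itself, storing the flags unchanged, `info->config.pic_flags.sec = res;` with the two collapse lines dropped, lets it pick TLS when the peer asks for it; if the collapse is deliberate, the comment should state that IPsec is assumed from configuration, not verified. The computation of `res` and the function header are outside the hunk.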
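--- a/freeDiameter/p_ce.c
+++ b/freeDiameter/p_ce.c
@@ -794,20 +794,43 @@
 	/* Do we agree on ISI ? */
 	if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) {
 
-		if (!peer->p_hdr.info.config.pic_flags.sec) {
-			/* The peer did not send the Inband-Security-Id AVP, reject */
-			TRACE_DEBUG(INFO, "No security mechanism advertised by peer '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid);
-			ec = "DIAMETER_NO_COMMON_SECURITY";
-			fatal = 1;
-			goto error_abort;
-		}
-
-		/* Now, check if we agree on the value IPsec */
-		if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) {
-			isi = PI_SEC_NONE;
-		} else if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD)) {
-			isi = PI_SEC_TLS_OLD;
-		}
-
+		/* In case of responder, the validate callback must have set the config.pic_flags.sec value already */
+
+		/* First case: we are not using old mechanism: ISI are deprecated, we ignore it. */
+		if ( ! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)) {
+			/* Just check then that the peer configuration allows for IPsec protection */
+			if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
+				isi = PI_SEC_NONE;
+			} else {
+				/* otherwise, we should have already been protected. Reject */
+				TRACE_DEBUG(INFO, "Non TLS-protected CER/CEA exchanges are not allowed with this peer, rejecting.");
+			}
+		} else {
+			/* The old mechanism is allowed with this peer. Now, look into the ISI AVP values */
+
+			/* In case no ISI was present anyway: */
+			if (!peer->p_hdr.info.runtime.pir_isi) {
+				TRACE_DEBUG(INFO, "Inband-Security-Id AVP is missing in received CER.");
+				if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
+					isi = PI_SEC_NONE;
+					TRACE_DEBUG(INFO, "IPsec protection allowed by configuration, allowing this mechanism to be used.");
+				} else {
+					/* otherwise, we should have already been protected. Reject */
+					TRACE_DEBUG(INFO, "Rejecting the peer connection (please allow IPsec here or configure TLS in the remote peer).");
+				}
+			} else {
+				/* OK, the remote peer did send the ISI AVP. */
+				if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) {
+					/* We have allowed IPsec */
+					isi = PI_SEC_NONE;
+				} else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) {
+					/* We can agree on TLS */
+					isi = PI_SEC_TLS_OLD;
+				} else {
+					TRACE_DEBUG(INFO, "Remote peer requested IPsec protection, but local configuration forbids it.");
+				}
+			}
+		}
+
 		/* If we did not find an agreement */
 		if (!isi) {
@@ -817,4 +840,8 @@
 			goto error_abort;
 		}
+
+		/* Do not send the ISI IPsec if we are using the new mechanism */
+		if ((isi == PI_SEC_NONE) && (! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)))
+			isi = 0;
 	}
 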
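Review bot: The three reject branches of the new decision tree (new lines 805-807, 817-820 and 829-831) only log and rely on `isi` still being 0 when control reaches `if (!isi)` at line 836; `isi` is declared and initialised outside the hunk, so if it can ever be non-zero on entry a rejection would silently turn into an acceptance. Resetting it explicitly at the top of the block, `isi = 0;` right after the `fd_cnx_getTLS` test, makes the fall-through intent visible and costs nothing. Separately, the PI_SEC_NONE paths at lines 803 and 815-816 are described as "IPsec protection" in the comments and log messages, yet nothing here checks that an IPsec SA exists: acceptance is driven solely by `pic_flags.sec`, so a comment such as `/* PI_SEC_NONE: no in-band protection; IPsec, if any, is assumed from configuration and is not verified here */` would keep the next reader from taking the messages literally. The enclosing function starts before and ends after this section.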