Add PT-TLS interface to strongSwan PDP
This commit is contained in:
parent
f853e7bcc0
commit
f5b5d262e8
@ -730,13 +730,16 @@ Preferred language for TNC recommendations
|
||||
.BR charon.plugins.tnc-imv.dlclose " [yes]"
|
||||
Unload IMV after use
|
||||
.TP
|
||||
.BR charon.plugins.tnc-pdp.method " [ttls]"
|
||||
.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
|
||||
PT-TLS server port the strongSwan PDP is listening on
|
||||
.TP
|
||||
.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
|
||||
EAP tunnel method to be used
|
||||
.TP
|
||||
.BR charon.plugins.tnc-pdp.port " [1812]"
|
||||
.BR charon.plugins.tnc-pdp.radius.port " [1812]"
|
||||
RADIUS server port the strongSwan PDP is listening on
|
||||
.TP
|
||||
.BR charon.plugins.tnc-pdp.secret
|
||||
.BR charon.plugins.tnc-pdp.radius.secret
|
||||
Shared RADIUS secret between strongSwan PDP and NAS
|
||||
.TP
|
||||
.BR charon.plugins.tnc-pdp.server
|
||||
|
@ -2,7 +2,11 @@ AM_CPPFLAGS = \
|
||||
-I$(top_srcdir)/src/libstrongswan \
|
||||
-I$(top_srcdir)/src/libhydra \
|
||||
-I$(top_srcdir)/src/libcharon \
|
||||
-I$(top_srcdir)/src/libradius
|
||||
-I$(top_srcdir)/src/libradius \
|
||||
-I$(top_srcdir)/src/libtncif \
|
||||
-I$(top_srcdir)/src/libtnccs \
|
||||
-I$(top_srcdir)/src/libtls \
|
||||
-I$(top_srcdir)/src/libpttls
|
||||
|
||||
AM_CFLAGS = \
|
||||
-rdynamic
|
||||
@ -13,6 +17,7 @@ else
|
||||
plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
|
||||
libstrongswan_tnc_pdp_la_LIBADD = \
|
||||
$(top_builddir)/src/libradius/libradius.la \
|
||||
$(top_builddir)/src/libpttls/libpttls.la \
|
||||
$(top_builddir)/src/libtls/libtls.la \
|
||||
$(top_builddir)/src/libtnccs/libtnccs.la
|
||||
endif
|
||||
|
@ -22,6 +22,8 @@
|
||||
#include <radius_message.h>
|
||||
#include <radius_mppe.h>
|
||||
|
||||
#include <pt_tls_dispatcher.h>
|
||||
|
||||
#include <daemon.h>
|
||||
#include <utils/debug.h>
|
||||
#include <pen/pen.h>
|
||||
@ -31,6 +33,16 @@
|
||||
|
||||
typedef struct private_tnc_pdp_t private_tnc_pdp_t;
|
||||
|
||||
/**
|
||||
* Default RADIUS port, when not configured
|
||||
*/
|
||||
#define RADIUS_PORT 1812
|
||||
|
||||
/**
|
||||
* Default PT-TLS port, when not configured
|
||||
*/
|
||||
#define PT_TLS_PORT 271
|
||||
|
||||
/**
|
||||
* Maximum size of a RADIUS IP packet
|
||||
*/
|
||||
@ -90,6 +102,12 @@ struct private_tnc_pdp_t {
|
||||
* List of registered TNC-PDP connections
|
||||
*/
|
||||
tnc_pdp_connections_t *connections;
|
||||
|
||||
/**
|
||||
* PT-TLS dispatcher
|
||||
*/
|
||||
pt_tls_dispatcher_t *pt_tls_dispatcher;
|
||||
|
||||
};
|
||||
|
||||
|
||||
@ -521,6 +539,7 @@ METHOD(tnc_pdp_t, destroy, void,
|
||||
close(this->ipv6);
|
||||
}
|
||||
DESTROY_IF(this->server);
|
||||
DESTROY_IF(this->pt_tls_dispatcher);
|
||||
DESTROY_IF(this->signer);
|
||||
DESTROY_IF(this->hasher);
|
||||
DESTROY_IF(this->ng);
|
||||
@ -531,17 +550,54 @@ METHOD(tnc_pdp_t, destroy, void,
|
||||
/*
|
||||
* see header file
|
||||
*/
|
||||
tnc_pdp_t *tnc_pdp_create(u_int16_t port)
|
||||
tnc_pdp_t *tnc_pdp_create(void)
|
||||
{
|
||||
private_tnc_pdp_t *this;
|
||||
char *secret, *server, *eap_type_str;
|
||||
int radius_port, pt_tls_port;
|
||||
identification_t *id;
|
||||
host_t *host;
|
||||
|
||||
server = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.server", NULL, charon->name);
|
||||
pt_tls_port = lib->settings->get_int(lib->settings,
|
||||
"%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
|
||||
radius_port = lib->settings->get_int(lib->settings,
|
||||
"%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
|
||||
secret = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
|
||||
eap_type_str = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
|
||||
|
||||
if (!server)
|
||||
{
|
||||
DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
|
||||
return NULL;
|
||||
}
|
||||
if (!secret)
|
||||
{
|
||||
DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
host = host_create_from_dns(server, AF_UNSPEC, pt_tls_port);
|
||||
if (!host)
|
||||
{
|
||||
DBG1(DBG_CFG, "could not resolve server name");
|
||||
return NULL;
|
||||
}
|
||||
id = identification_create_from_string(server);
|
||||
|
||||
INIT(this,
|
||||
.public = {
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.ipv4 = open_socket(AF_INET, port),
|
||||
.ipv6 = open_socket(AF_INET6, port),
|
||||
.server = id,
|
||||
.pt_tls_dispatcher = pt_tls_dispatcher_create(host, id, PT_TLS_AUTH_NONE),
|
||||
.ipv4 = open_socket(AF_INET, radius_port),
|
||||
.ipv6 = open_socket(AF_INET6, radius_port),
|
||||
.secret = chunk_from_str(secret),
|
||||
.type = eap_type_from_string(eap_type_str),
|
||||
.hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
|
||||
.signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
|
||||
.ng = lib->crypto->create_nonce_gen(lib->crypto),
|
||||
@ -554,6 +610,7 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!this->ipv4 && !this->ipv6)
|
||||
{
|
||||
DBG1(DBG_NET, "could not create any RADIUS sockets");
|
||||
@ -579,25 +636,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
|
||||
DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
|
||||
}
|
||||
|
||||
server = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.server", NULL, charon->name);
|
||||
if (!server)
|
||||
{
|
||||
DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
this->server = identification_create_from_string(server);
|
||||
|
||||
secret = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.secret", NULL, charon->name);
|
||||
if (!secret)
|
||||
{
|
||||
DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
|
||||
destroy(this);
|
||||
return NULL;
|
||||
}
|
||||
this->secret = chunk_create(secret, strlen(secret));
|
||||
if (!this->signer->set_key(this->signer, this->secret))
|
||||
{
|
||||
DBG1(DBG_CFG, "could not set signer key");
|
||||
@ -605,9 +643,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
eap_type_str = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.tnc-pdp.method", "ttls", charon->name);
|
||||
this->type = eap_type_from_string(eap_type_str);
|
||||
if (this->type == 0)
|
||||
{
|
||||
DBG1(DBG_CFG, "unrecognized eap method \"%s\"", eap_type_str);
|
||||
|
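Review bot: In the INIT block of tnc_pdp_create the PT-TLS dispatcher is created with the authentication mode fixed to `PT_TLS_AUTH_NONE`, with no strongswan.conf setting and no comment explaining why, while every other parameter of this function is read from configuration; if that constant means the peer is not authenticated at the TLS layer, the choice deserves a one-line comment such as `/* peer authentication is left to the TNC exchange, not enforced at the TLS layer */` or a setting alongside the ports above. `pt_tls_port` and `radius_port` are plain ints from get_int() and are passed straight to host_create_from_dns() and open_socket(); the old signature took a `u_int16_t`, so an out-of-range value is presumably truncated silently, and a guard in the style of the existing checks, `if (pt_tls_port <= 0 || pt_tls_port > 65535 || radius_port <= 0 || radius_port > 65535) { DBG1(DBG_CFG, "invalid port, PDP disabled"); return NULL; }`, would reject it up front. Ownership of `host` and `id` is not stated: `id` is both stored in `.server` and handed to pt_tls_dispatcher_create(), so a comment saying which object destroys each (and whether `host` is released when the dispatcher cannot be created) would prevent a double destroy or a leak. The function body continues beyond the hunk, so whether a NULL `pt_tls_dispatcher` is caught before use is not visible here.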
@ -38,9 +38,7 @@ struct tnc_pdp_t {
|
||||
|
||||
/**
|
||||
* Create a TNC PDP instance
|
||||
*
|
||||
* @param port RADIUS port of TNC PDP
|
||||
*/
|
||||
tnc_pdp_t* tnc_pdp_create(u_int16_t port);
|
||||
tnc_pdp_t* tnc_pdp_create(void);
|
||||
|
||||
#endif /** TNC_PDP_PLUGIN_H_ @}*/
|
||||
|
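Review bot: The doc comment above `tnc_pdp_create(void)` loses its only @param line and is left with a dangling ` *` line and nothing describing the contract, now that all input comes from strongswan.conf and the function returns NULL in several cases (missing server name, missing secret, resolution failure, per the tnc_pdp.c hunk). I would replace the empty ` *` line with `@return tnc_pdp_t instance, NULL if the PDP is disabled by configuration or setup failed` and add a sentence saying the settings are read from the `charon.plugins.tnc-pdp` section.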
@ -20,11 +20,6 @@
|
||||
|
||||
typedef struct private_tnc_pdp_plugin_t private_tnc_pdp_plugin_t;
|
||||
|
||||
/**
|
||||
* Default RADIUS port, when not configured
|
||||
*/
|
||||
#define RADIUS_PORT 1812
|
||||
|
||||
/**
|
||||
* private data of tnc_pdp plugin
|
||||
*/
|
||||
@ -56,11 +51,7 @@ static bool plugin_cb(private_tnc_pdp_plugin_t *this,
|
||||
{
|
||||
if (reg)
|
||||
{
|
||||
int port;
|
||||
|
||||
port = lib->settings->get_int(lib->settings,
|
||||
"%s.plugins.tnc-pdp.port", RADIUS_PORT, charon->name);
|
||||
this->pdp = tnc_pdp_create(port);
|
||||
this->pdp = tnc_pdp_create();
|
||||
}
|
||||
else
|
||||
{
|
||||
|