Add PT-TLS interface to strongSwan PDP

author Andreas Steffen <andreas.steffen@strongswan.org>

Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
author Andreas Steffen <andreas.steffen@strongswan.org>
Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in

index ecc2f71c0dd2d3a057b62b2f1558e77c4715ca92..f9a7ba5b4faeb4b2c9b866e083fbeeab446d78ab 100644 (file)
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -730,13 +730,16 @@ Preferred language for TNC recommendations
  .BR charon.plugins.tnc-imv.dlclose " [yes]"
  Unload IMV after use
  .TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT-TLS server port the strongSwan PDP is listening on
+.TP
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
  EAP tunnel method to be used
  .TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
  RADIUS server port the strongSwan PDP is listening on
  .TP
-.BR charon.plugins.tnc-pdp.secret
+.BR charon.plugins.tnc-pdp.radius.secret
  Shared RADIUS secret between strongSwan PDP and NAS
  .TP
  .BR charon.plugins.tnc-pdp.server
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.am b/src/libcharon/plugins/tnc_pdp/Makefile.am

index ce0ddce06023b7ff5ac52240343409c4be1068be..cc7c934d863f88c7025cdbe14026798da3e0efe2 100644 (file)
--- a/src/libcharon/plugins/tnc_pdp/Makefile.am
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.am
@@ -2,7 +2,11 @@ AM_CPPFLAGS = \
         -I$(top_srcdir)/src/libstrongswan \
         -I$(top_srcdir)/src/libhydra \
         -I$(top_srcdir)/src/libcharon \
-       -I$(top_srcdir)/src/libradius
+       -I$(top_srcdir)/src/libradius \
+       -I$(top_srcdir)/src/libtncif \
+       -I$(top_srcdir)/src/libtnccs \
+       -I$(top_srcdir)/src/libtls \
+       -I$(top_srcdir)/src/libpttls
  
  AM_CFLAGS = \
         -rdynamic
@@ -13,6 +17,7 @@ else
  plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
  libstrongswan_tnc_pdp_la_LIBADD = \
         $(top_builddir)/src/libradius/libradius.la \
+       $(top_builddir)/src/libpttls/libpttls.la \
         $(top_builddir)/src/libtls/libtls.la \
         $(top_builddir)/src/libtnccs/libtnccs.la
  endif
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c

index a30d895350f646a0096d55d7eb0d16a006260d7a..7ef67fd1826a129615311d8dceb3fa0c99a7883f 100644 (file)
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -22,6 +22,8 @@
  #include <radius_message.h>
  #include <radius_mppe.h>
  
+#include <pt_tls_dispatcher.h>
+
  #include <daemon.h>
  #include <utils/debug.h>
  #include <pen/pen.h>
@@ -31,6 +33,16 @@
  
  typedef struct private_tnc_pdp_t private_tnc_pdp_t;
  
+/**
+ * Default RADIUS port, when not configured
+ */
+#define RADIUS_PORT 1812
+
+/**
+ * Default PT-TLS port, when not configured
+ */
+#define PT_TLS_PORT     271
+
  /**
   * Maximum size of a RADIUS IP packet
   */
@@ -90,6 +102,12 @@ struct private_tnc_pdp_t {
          * List of registered TNC-PDP connections
          */
         tnc_pdp_connections_t *connections;
+
+       /**
+        * PT-TLS dispatcher
+        */
+       pt_tls_dispatcher_t *pt_tls_dispatcher;
+
  };
  
  
@@ -521,6 +539,7 @@ METHOD(tnc_pdp_t, destroy, void,
                 close(this->ipv6);
         }
         DESTROY_IF(this->server);
+       DESTROY_IF(this->pt_tls_dispatcher);
         DESTROY_IF(this->signer);
         DESTROY_IF(this->hasher);
         DESTROY_IF(this->ng);
@@ -531,17 +550,54 @@ METHOD(tnc_pdp_t, destroy, void,
  /*
   * see header file
   */
-tnc_pdp_t *tnc_pdp_create(u_int16_t port)
+tnc_pdp_t *tnc_pdp_create(void)
  {
         private_tnc_pdp_t *this;
         char *secret, *server, *eap_type_str;
+       int radius_port, pt_tls_port;
+       identification_t *id;
+       host_t *host;
+
+       server = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.server", NULL, charon->name);
+       pt_tls_port = lib->settings->get_int(lib->settings,
+                                       "%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
+       radius_port = lib->settings->get_int(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
+       secret = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
+       eap_type_str = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
+
+       if (!server)
+       {
+               DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
+               return NULL;
+       }
+       if (!secret)
+       {
+               DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
+               return NULL;
+       }
+
+       host = host_create_from_dns(server, AF_UNSPEC, pt_tls_port);
+       if (!host)
+       {
+               DBG1(DBG_CFG, "could not resolve server name");
+               return NULL;
+       }
+       id = identification_create_from_string(server);
  
         INIT(this,
                 .public = {
                         .destroy = _destroy,
                 },
-               .ipv4 = open_socket(AF_INET,  port),
-               .ipv6 = open_socket(AF_INET6, port),
+               .server = id,
+               .pt_tls_dispatcher = pt_tls_dispatcher_create(host, id, PT_TLS_AUTH_NONE),
+               .ipv4 = open_socket(AF_INET,  radius_port),
+               .ipv6 = open_socket(AF_INET6, radius_port),
+               .secret = chunk_from_str(secret),
+               .type = eap_type_from_string(eap_type_str),
                 .hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
                 .signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
                 .ng = lib->crypto->create_nonce_gen(lib->crypto),
@@ -554,6 +610,7 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                 destroy(this);
                 return NULL;
         }
+
         if (!this->ipv4 && !this->ipv6)
         {
                 DBG1(DBG_NET, "could not create any RADIUS sockets");
@@ -579,25 +636,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                 DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
         }
  
-       server = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.server", NULL, charon->name);
-       if (!server)
-       {
-               DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
-               destroy(this);
-               return NULL;
-       }
-       this->server = identification_create_from_string(server);
-
-       secret = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.secret", NULL, charon->name);
-       if (!secret)
-       {
-               DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
-               destroy(this);
-               return NULL;
-       }
-       this->secret = chunk_create(secret, strlen(secret));
         if (!this->signer->set_key(this->signer, this->secret))
         {
                 DBG1(DBG_CFG, "could not set signer key");
@@ -605,9 +643,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                 return NULL;
         }
  
-       eap_type_str = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.method", "ttls", charon->name);
-       this->type = eap_type_from_string(eap_type_str);
         if (this->type == 0)
         {
                 DBG1(DBG_CFG, "unrecognized eap method \"%s\"", eap_type_str);
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.h b/src/libcharon/plugins/tnc_pdp/tnc_pdp.h

index 06291220f499a7e28a567ba95b8bbc7945258539..25a041944a2b778bbb443a49374ee63b157ad922 100644 (file)
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.h
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.h
@@ -38,9 +38,7 @@ struct tnc_pdp_t {
  
  /**
   * Create a TNC PDP instance
- *
- * @param port         RADIUS port of TNC PDP
   */
-tnc_pdp_t* tnc_pdp_create(u_int16_t port);
+tnc_pdp_t* tnc_pdp_create(void);
  
  #endif /** TNC_PDP_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c

index e35ba9ead7adb1267c486a8aa480fb63a2305c4d..14ab9cf6f827819ac89f6112216e6815436d1057 100644 (file)
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c
@@ -20,11 +20,6 @@
  
  typedef struct private_tnc_pdp_plugin_t private_tnc_pdp_plugin_t;
  
-/**
- * Default RADIUS port, when not configured
- */
-#define RADIUS_PORT 1812
-
  /**
   * private data of tnc_pdp plugin
   */
@@ -56,11 +51,7 @@ static bool plugin_cb(private_tnc_pdp_plugin_t *this,
  {
         if (reg)
         {
-               int port;
-
-               port = lib->settings->get_int(lib->settings,
-                                               "%s.plugins.tnc-pdp.port", RADIUS_PORT, charon->name);
-               this->pdp = tnc_pdp_create(port);
+               this->pdp = tnc_pdp_create();
         }
         else
         {
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
man/strongswan.conf.5.in		patch \| blob \| blame \| history
src/libcharon/plugins/tnc_pdp/Makefile.am		patch \| blob \| blame \| history
src/libcharon/plugins/tnc_pdp/tnc_pdp.c		patch \| blob \| blame \| history
src/libcharon/plugins/tnc_pdp/tnc_pdp.h		patch \| blob \| blame \| history
src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c		patch \| blob \| blame \| history