Commit 5244ee96 authored by Souheil Ben Ayed's avatar Souheil Ben Ayed

added configuration parameters for DiamEAP and EAP-TLS

parent 88529773
......@@ -28,6 +28,9 @@
Load_plugin = "EAP Identity":1:0:"/extensions/eap_identity.emp":"";
# Enable/disable checking User's Identity. If disabled, default parameters value will be used for authentication and authorization attributes.
# Default values are defined in database for 'Default User'.
Check_User_Identity = 1;
# In addition to authentication DiamEAP can be configured to check authorization of authenticated users. If set to 0 authorization is disabled, otherwise enabled.( by default disabled).
Authorization = 1;
......
......@@ -8,3 +8,6 @@
#CRL file
#CRL = "<Path to CRL file>";
#Enable/disable checking certificate's CN
check_cert_cn_username = 1;
......@@ -106,6 +106,9 @@
return MULTI_ROUND_TIMEOUT;
}
(?i:"Check_user_identity") {
return CHECK_USER_IDENTITY;
}
"="|";"|":"|"," {
return yytext[0];
......
......@@ -83,6 +83,7 @@ int diameaplex(YYSTYPE *lvalp, YYLTYPE *llocp);
%token DIAMEAP_MYSQL
%token MAX_INVALID_EAP_PACKET
%token MULTI_ROUND_TIMEOUT
%token CHECK_USER_IDENTITY
%%
......@@ -92,6 +93,7 @@ confparams : /* empty */
| confparams DiamEAP_MySQL
| confparams MAX_Invalid_EAP_Packet
| confparams Multi_Round_Timeout
| confparams Check_User_Identity
| confparams errors
{
yyerror(&yylloc, config, "Unrecognized configuration parameter.");
......@@ -173,8 +175,17 @@ Multi_Round_Timeout : MULTI_ROUND_TIMEOUT '=' NUM ';'
{
config->multi_round_time_out=(unsigned int)$3;
};
Check_User_Identity: CHECK_USER_IDENTITY '=' NUM ';'
{
if((int)$3){
check_user_identity = TRUE;
}else{
check_user_identity = FALSE;
}
};
%%
void yyerror(YYLTYPE *llocp, struct diameap_conf * config,const char *str)
......
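Review bot: The Check_User_Identity rule stores its value in the file-scope global `check_user_identity`, while every neighbouring rule, including Multi_Round_Timeout directly above it, writes into the `config` struct (`config->multi_round_time_out=(unsigned int)$3;`); the EAP-TLS parser in the same commit also goes through `config->check_cert_cn_username`. Keeping the flag in the struct, e.g. `config->check_user_identity = ((int)$3 != 0);`, would keep every parsed parameter in one place and replace the whole if/else with one line. This is a style point only; the stored value is the same either way, but it would also remove the need for the global that the header in this commit defines.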
......@@ -133,6 +133,8 @@ static int diameap_init_config(char * conffile)
diameap_config->diam_realm = strdup(fd_g_config->cnf_diamrlm);
diameap_config->max_invalid_eap_packet = 5;
diameap_config->multi_round_time_out = 30;
check_user_identity = TRUE;
return 0;
}
......
......@@ -438,6 +438,11 @@ static int diameap_parse_eap_resp(struct eap_state_machine * eap_sm,
eap_sm->user.methodId = 0;*/
}
if((eap_sm->respMethod == TYPE_IDENTITY) && (length < 6)){
TRACE_DEBUG(INFO,"%sUser Identity missing",DIAMEAP_EXTENSION);
return 0;
}
eap_sm->rxResp = TRUE;
return 0;
}
......
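Review bot: The new early `return 0` for a short Identity response leaves `rxResp` unset yet reports the same result as the normal path, so unless the caller inspects `rxResp` it cannot tell that the packet was dropped rather than consumed; it is worth confirming how the caller treats this case before relying on it. The threshold 6 is also a magic number that identity_process decodes elsewhere as `length-5`, so a comment such as `/* 4-byte EAP header + 1 Type octet + at least one identity octet */` would tie the two together. diameap_parse_eap_resp starts before the hunk.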
......@@ -59,6 +59,9 @@ struct tls_config{
char * cafile;
char * crlfile;
//configuration parameters
boolean check_cert_cn_username;
int max_size;
gnutls_certificate_credentials_t cert_cred;
......
......@@ -73,7 +73,7 @@ struct eap_user
boolean success; /* Set to TRUE if User is authenticated successfully */
};
boolean check_user_identity;
int diameap_user_get_password(struct eap_user user, u8 * password,u16 *length);
......
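Review bot: `boolean check_user_identity;` is a tentative definition, not a declaration, so every translation unit that includes this header emits its own copy of the symbol; the parser, diameap_init_config and identity_process all touch it in this commit and presumably all include this header. That only links under `-fcommon` and fails with duplicate-symbol errors where `-fno-common` is the default (GCC 10 and later). Declare it here as `extern boolean check_user_identity;` and define it once in a .c file, for example next to the initialisation in diameap_init_config.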
......@@ -137,9 +137,15 @@ int identity_process(struct eap_state_machine *smd, struct eap_packet eapRespDat
}
U8COPY((u8 *)user,0,len,Respdata);
user[length-5]='\0';
ret=diameap_get_eap_user(&(smd->user),user);
if(check_user_identity == FALSE){
ret=diameap_get_eap_user(&(smd->user),"Default User");
CHECK_MALLOC_DO(smd->user.userid=realloc(smd->user.userid,strlen(user)+1),{ret = 1; goto next;});
memcpy(smd->user.userid,user,strlen(user));
smd->user.useridLength = strlen(user);
} else {
ret=diameap_get_eap_user(&(smd->user),user);
}
next:
if(ret==0)
{
smd->user.methodId = -1;
......
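Review bot: In the `check_user_identity == FALSE` branch the buffer is grown to `strlen(user)+1` bytes but only `strlen(user)` are copied, so `smd->user.userid` is left without a NUL terminator even though eap_tls_process later hands it to `strcmp`; copy the terminator too: `memcpy(smd->user.userid,user,strlen(user)+1);`. The result of the `"Default User"` lookup is also not checked before `userid` is reallocated, so a missing default entry still gets the peer's name grafted onto a half-initialised user; add `if(ret!=0) goto next;` right after that call. The consequence of this mode is worth a comment for operators: the session is authenticated with the Default User credentials but reported under whatever identity the peer sent, and that peer-chosen string is what the EAP-TLS CN check then compares against. identity_process begins before the hunk.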
......@@ -69,6 +69,7 @@ int eap_tls_configure(char * configfile)
tls_global_conf.keyfile = NULL;
tls_global_conf.cafile = NULL;
tls_global_conf.crlfile = NULL;
tls_global_conf.check_cert_cn_username = FALSE;
/*Parse EAP TLS configuration file */
eaptlsin = fopen(tls_global_conf.conffile, "r");
......@@ -184,8 +185,58 @@ int eap_tls_process(struct eap_state_machine *smd,
{
data->state = SUCCESS;
smd->user.success = TRUE;
if(tls_global_conf.check_cert_cn_username == TRUE){
unsigned int list_size;
const gnutls_datum_t * list = gnutls_certificate_get_peers (data->session, &list_size);
if(list_size<1){
goto failure;
}
gnutls_x509_crt_t cert;
CHECK_GNUTLS_DO(gnutls_x509_crt_init(&cert),{
TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error in initialization crt init",DIAMEAP_EXTENSION);
goto failure;});
CHECK_GNUTLS_DO(gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER), {
TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error parsing certificate",DIAMEAP_EXTENSION);
goto failure;});
void * buff;
size_t size_buffer;
int ret;
ret = gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,NULL,&size_buffer);
if( ret != GNUTLS_E_SHORT_MEMORY_BUFFER){
CHECK_GNUTLS_DO(ret,{
TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION);
goto failure;});
}
CHECK_MALLOC_DO(buff=malloc(size_buffer), goto failure);
CHECK_GNUTLS_DO(gnutls_x509_crt_get_dn_by_oid(cert,GNUTLS_OID_X520_COMMON_NAME,0,0,buff,&size_buffer),{
TRACE_DEBUG(NONE,"%s[EAP TLS plugin] [GnuTLS] error get dn by oid",DIAMEAP_EXTENSION);
goto failure;});
if(strcmp((char *)smd->user.userid,buff)!=0){
goto failure;
}
gnutls_x509_crt_deinit(cert);
goto next;
failure:
TRACE_DEBUG(NONE,"%s[EAP TLS plugin] Checking failed. certificate's CN does not match User_Name AVP value.",DIAMEAP_EXTENSION);
data->state = FAILURE;
smd->user.success = FALSE;
gnutls_x509_crt_deinit(cert);
}
next:
smd->methodData = (struct tls_data*) data;
return 0;
}
return 0;
......
......@@ -94,6 +94,10 @@
return CRLPATH;
}
(?i:"check_cert_cn_username") {
return CHECK_CN_USERNAME;
}
"="|";"|":"|"," { /* Single characters for yyparse */
......
......@@ -79,6 +79,7 @@ int eaptlslex(YYSTYPE *lvalp, YYLTYPE *llocp);
%token CERTS
%token CAPATH
%token CRLPATH
%token CHECK_CN_USERNAME
%%
......@@ -86,6 +87,7 @@ confparams : /* empty */
| confparams CERTS_files
| confparams CA_file
| confparams CRL_file
| confparams CHECK_CN_USERNAME_param
| confparams errors
{
return EINVAL;
......@@ -219,7 +221,19 @@ CRL_file : CRLPATH '=' iSTRING ';'
config->crlfile=$3;
}
;
CHECK_CN_USERNAME_param :
CHECK_CN_USERNAME '=' NUM ';'
{
if((int)$3 == 0){
config->check_cert_cn_username = FALSE;
}
else
{
config->check_cert_cn_username = TRUE;
}
}
;
%%
......