Add PT-TLS interface to strongSwan PDP
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 31 Jul 2013 20:09:38 +0000 (22:09 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
man/strongswan.conf.5.in
src/libcharon/plugins/tnc_pdp/Makefile.am
src/libcharon/plugins/tnc_pdp/tnc_pdp.c
src/libcharon/plugins/tnc_pdp/tnc_pdp.h
src/libcharon/plugins/tnc_pdp/tnc_pdp_plugin.c

index ecc2f71..f9a7ba5 100644 (file)
@@ -730,13 +730,16 @@ Preferred language for TNC recommendations
 .BR charon.plugins.tnc-imv.dlclose " [yes]"
 Unload IMV after use
 .TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT-TLS server port the strongSwan PDP is listening on
+.TP
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
 EAP tunnel method to be used
 .TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
 RADIUS server port the strongSwan PDP is listening on
 .TP
-.BR charon.plugins.tnc-pdp.secret
+.BR charon.plugins.tnc-pdp.radius.secret
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
index ce0ddce..cc7c934 100644 (file)
@@ -2,7 +2,11 @@ AM_CPPFLAGS = \
        -I$(top_srcdir)/src/libstrongswan \
        -I$(top_srcdir)/src/libhydra \
        -I$(top_srcdir)/src/libcharon \
-       -I$(top_srcdir)/src/libradius
+       -I$(top_srcdir)/src/libradius \
+       -I$(top_srcdir)/src/libtncif \
+       -I$(top_srcdir)/src/libtnccs \
+       -I$(top_srcdir)/src/libtls \
+       -I$(top_srcdir)/src/libpttls
 
 AM_CFLAGS = \
        -rdynamic
@@ -13,6 +17,7 @@ else
 plugin_LTLIBRARIES = libstrongswan-tnc-pdp.la
 libstrongswan_tnc_pdp_la_LIBADD = \
        $(top_builddir)/src/libradius/libradius.la \
+       $(top_builddir)/src/libpttls/libpttls.la \
        $(top_builddir)/src/libtls/libtls.la \
        $(top_builddir)/src/libtnccs/libtnccs.la
 endif
index a30d895..7ef67fd 100644 (file)
@@ -22,6 +22,8 @@
 #include <radius_message.h>
 #include <radius_mppe.h>
 
+#include <pt_tls_dispatcher.h>
+
 #include <daemon.h>
 #include <utils/debug.h>
 #include <pen/pen.h>
 typedef struct private_tnc_pdp_t private_tnc_pdp_t;
 
 /**
+ * Default RADIUS port, when not configured
+ */
+#define RADIUS_PORT 1812
+
+/**
+ * Default PT-TLS port, when not configured
+ */
+#define PT_TLS_PORT     271
+
+/**
  * Maximum size of a RADIUS IP packet
  */
 #define MAX_PACKET 4096
@@ -90,6 +102,12 @@ struct private_tnc_pdp_t {
         * List of registered TNC-PDP connections
         */
        tnc_pdp_connections_t *connections;
+
+       /**
+        * PT-TLS dispatcher
+        */
+       pt_tls_dispatcher_t *pt_tls_dispatcher;
+
 };
 
 
@@ -521,6 +539,7 @@ METHOD(tnc_pdp_t, destroy, void,
                close(this->ipv6);
        }
        DESTROY_IF(this->server);
+       DESTROY_IF(this->pt_tls_dispatcher);
        DESTROY_IF(this->signer);
        DESTROY_IF(this->hasher);
        DESTROY_IF(this->ng);
@@ -531,17 +550,54 @@ METHOD(tnc_pdp_t, destroy, void,
 /*
  * see header file
  */
-tnc_pdp_t *tnc_pdp_create(u_int16_t port)
+tnc_pdp_t *tnc_pdp_create(void)
 {
        private_tnc_pdp_t *this;
        char *secret, *server, *eap_type_str;
+       int radius_port, pt_tls_port;
+       identification_t *id;
+       host_t *host;
+
+       server = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.server", NULL, charon->name);
+       pt_tls_port = lib->settings->get_int(lib->settings,
+                                       "%s.plugins.tnc-pdp.pt_tls.port", PT_TLS_PORT, charon->name);
+       radius_port = lib->settings->get_int(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.port", RADIUS_PORT, charon->name);
+       secret = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.secret", NULL, charon->name);
+       eap_type_str = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.tnc-pdp.radius.method", "ttls", charon->name);
+
+       if (!server)
+       {
+               DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
+               return NULL;
+       }
+       if (!secret)
+       {
+               DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
+               return NULL;
+       }
+
+       host = host_create_from_dns(server, AF_UNSPEC, pt_tls_port);
+       if (!host)
+       {
+               DBG1(DBG_CFG, "could not resolve server name");
+               return NULL;
+       }
+       id = identification_create_from_string(server);
 
        INIT(this,
                .public = {
                        .destroy = _destroy,
                },
-               .ipv4 = open_socket(AF_INET,  port),
-               .ipv6 = open_socket(AF_INET6, port),
+               .server = id,
+               .pt_tls_dispatcher = pt_tls_dispatcher_create(host, id, PT_TLS_AUTH_NONE),
+               .ipv4 = open_socket(AF_INET,  radius_port),
+               .ipv6 = open_socket(AF_INET6, radius_port),
+               .secret = chunk_from_str(secret),
+               .type = eap_type_from_string(eap_type_str),
                .hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5),
                .signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128),
                .ng = lib->crypto->create_nonce_gen(lib->crypto),
@@ -554,6 +610,7 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                destroy(this);
                return NULL;
        }
+
        if (!this->ipv4 && !this->ipv6)
        {
                DBG1(DBG_NET, "could not create any RADIUS sockets");
@@ -579,25 +636,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                DBG1(DBG_NET, "could not open IPv6 RADIUS socket, IPv6 disabled");
        }
 
-       server = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.server", NULL, charon->name);
-       if (!server)
-       {
-               DBG1(DBG_CFG, "missing PDP server name, PDP disabled");
-               destroy(this);
-               return NULL;
-       }
-       this->server = identification_create_from_string(server);
-
-       secret = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.secret", NULL, charon->name);
-       if (!secret)
-       {
-               DBG1(DBG_CFG, "missing RADIUS secret, PDP disabled");
-               destroy(this);
-               return NULL;
-       }
-       this->secret = chunk_create(secret, strlen(secret));
        if (!this->signer->set_key(this->signer, this->secret))
        {
                DBG1(DBG_CFG, "could not set signer key");
@@ -605,9 +643,6 @@ tnc_pdp_t *tnc_pdp_create(u_int16_t port)
                return NULL;
        }
 
-       eap_type_str = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.tnc-pdp.method", "ttls", charon->name);
-       this->type = eap_type_from_string(eap_type_str);
        if (this->type == 0)
        {
                DBG1(DBG_CFG, "unrecognized eap method \"%s\"", eap_type_str);
index 0629122..25a0419 100644 (file)
@@ -38,9 +38,7 @@ struct tnc_pdp_t {
 
 /**
  * Create a TNC PDP instance
- *
- * @param port         RADIUS port of TNC PDP
  */
-tnc_pdp_t* tnc_pdp_create(u_int16_t port);
+tnc_pdp_t* tnc_pdp_create(void);
 
 #endif /** TNC_PDP_PLUGIN_H_ @}*/
index e35ba9e..14ab9cf 100644 (file)
 typedef struct private_tnc_pdp_plugin_t private_tnc_pdp_plugin_t;
 
 /**
- * Default RADIUS port, when not configured
- */
-#define RADIUS_PORT 1812
-
-/**
  * private data of tnc_pdp plugin
  */
 struct private_tnc_pdp_plugin_t {
@@ -56,11 +51,7 @@ static bool plugin_cb(private_tnc_pdp_plugin_t *this,
 {
        if (reg)
        {
-               int port;
-
-               port = lib->settings->get_int(lib->settings,
-                                               "%s.plugins.tnc-pdp.port", RADIUS_PORT, charon->name);
-               this->pdp = tnc_pdp_create(port);
+               this->pdp = tnc_pdp_create();
        }
        else
        {