| Brian Waters | 13d9601 | 2017-12-08 16:53:31 -0600 | [diff] [blame^] | 1 | /********************************************************************************************************* |
| 2 | * Software License Agreement (BSD License) * |
| 3 | * Author: Sebastien Decugis <sdecugis@freediameter.net> * |
| 4 | * * |
| 5 | * Copyright (c) 2011, WIDE Project and NICT * |
| 6 | * All rights reserved. * |
| 7 | * * |
| 8 | * Redistribution and use of this software in source and binary forms, with or without modification, are * |
| 9 | * permitted provided that the following conditions are met: * |
| 10 | * * |
| 11 | * * Redistributions of source code must retain the above * |
| 12 | * copyright notice, this list of conditions and the * |
| 13 | * following disclaimer. * |
| 14 | * * |
| 15 | * * Redistributions in binary form must reproduce the above * |
| 16 | * copyright notice, this list of conditions and the * |
| 17 | * following disclaimer in the documentation and/or other * |
| 18 | * materials provided with the distribution. * |
| 19 | * * |
| 20 | * * Neither the name of the WIDE Project or NICT nor the * |
| 21 | * names of its contributors may be used to endorse or * |
| 22 | * promote products derived from this software without * |
| 23 | * specific prior written permission of WIDE Project and * |
| 24 | * NICT. * |
| 25 | * * |
| 26 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * |
| 27 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * |
| 28 | * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * |
| 29 | * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * |
| 30 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * |
| 31 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * |
| 32 | * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * |
| 33 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * |
| 34 | *********************************************************************************************************/ |
| 35 | |
| 36 | /* |
| 37 | * Whitelist extension for freeDiameter. |
| 38 | */ |
| 39 | |
| 40 | #include "acl_wl.h" |
| 41 | |
| 42 | /* The validator function */ |
| 43 | static int aw_validate(struct peer_info * info, int * auth, int (**cb2)(struct peer_info *)) |
| 44 | { |
| 45 | int res; |
| 46 | |
| 47 | TRACE_ENTRY("%p %p %p", info, auth, cb2); |
| 48 | |
| 49 | CHECK_PARAMS(info && auth && cb2); |
| 50 | |
| 51 | /* We don't use the second callback */ |
| 52 | *cb2 = NULL; |
| 53 | |
| 54 | /* Default to unknown result */ |
| 55 | *auth = 0; |
| 56 | |
| 57 | /* Now search the peer in our tree */ |
| 58 | CHECK_FCT( aw_tree_lookup(info->pi_diamid, &res) ); |
| 59 | if (res < 0) { |
| 60 | /* The peer is not whitelisted */ |
| 61 | return 0; |
| 62 | } |
| 63 | |
| 64 | /* We found the peer in the tree, now check the status */ |
| 65 | |
| 66 | /* First, if TLS is already in place, just accept */ |
| 67 | if (info->runtime.pir_cert_list) { |
| 68 | *auth = 1; |
| 69 | return 0; |
| 70 | } |
| 71 | |
| 72 | /* Now, if we did not specify any flag, reject */ |
| 73 | if (res == 0) { |
| 74 | TRACE_DEBUG(INFO, "Peer '%s' rejected, only TLS-protected connection is whitelisted.", info->pi_diamid); |
| 75 | /* We don't actually set *auth = -1, leave space for a further extension to validate the peer */ |
| 76 | return 0; |
| 77 | } |
| 78 | |
| 79 | /* Otherwise, just set the configured flags for the peer, and authorize it */ |
| 80 | *auth = 1; |
| 81 | |
| 82 | /* Save information about the security mechanism to use after CER/CEA exchange */ |
| 83 | if ((res & PI_SEC_NONE) && (res & PI_SEC_TLS_OLD)) |
| 84 | res = PI_SEC_NONE; /* If we authorized it, we must have an IPsec tunnel setup, no need for TLS in this case */ |
| 85 | |
| 86 | info->config.pic_flags.sec = res; |
| 87 | return 0; |
| 88 | } |
| 89 | |
| 90 | /* entry point */ |
| 91 | static int aw_entry(char * conffile) |
| 92 | { |
| 93 | TRACE_ENTRY("%p", conffile); |
| 94 | CHECK_PARAMS(conffile); |
| 95 | |
| 96 | /* Parse configuration file */ |
| 97 | CHECK_FCT( aw_conf_handle(conffile) ); |
| 98 | |
| 99 | TRACE_DEBUG(INFO, "Extension ACL_wl initialized with configuration: '%s'", conffile); |
| 100 | if (TRACE_BOOL(ANNOYING)) { |
| 101 | aw_tree_dump(); |
| 102 | } |
| 103 | |
| 104 | /* Register the validator function */ |
| 105 | CHECK_FCT( fd_peer_validate_register ( aw_validate ) ); |
| 106 | |
| 107 | return 0; |
| 108 | } |
| 109 | |
| 110 | /* Unload */ |
| 111 | void fd_ext_fini(void) |
| 112 | { |
| 113 | /* Destroy the tree */ |
| 114 | aw_tree_destroy(); |
| 115 | } |
| 116 | |
| 117 | EXTENSION_ENTRY("acl_wl", aw_entry); |