*** empty log message ***

ValdikSS · Mar 8, 2009 · 19a9c10 · 19a9c10
1 parent 8f18e24
commit 19a9c10
Show file tree

Hide file tree

Showing 13 changed files with 112 additions and 36 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -83,5 +83,8 @@ radiusplugin_2.1_beta:
 - Support for OPENVPN_PLUGIN_FUNC_DEFERRED, the authentication is done a thread if an auth_control_file is defined.
 -- The OpenVPN process needs write permission in the OpenVPN directory.
 - Timestamps are included in the debug information.
+- Adapted to OPENVPN_PLUGIN_VERSION 2
+- Option to swith on/off the usage of auth control files
+- Internal key is now based on untrusted_ip and untrusted_before.
 
 
diff --git a/Config.cpp b/Config.cpp
@@ -32,6 +32,7 @@ Config::Config(void)
 	this->usernameascommonname=false;
 	this->clientcertnotrequired=false;
 	this->overwriteccfiles=true;
+        this->useauthcontrolfile=false;
 	this->ccdPath="";
 	this->openvpnconfig="";
 	this->vsanamedpipe="";
@@ -57,6 +58,7 @@ Config::Config(char * configfile)
 	this->usernameascommonname=false;
 	this->clientcertnotrequired=false;
 	this->overwriteccfiles=true;	
+        this->useauthcontrolfile=false;
 	this->parseConfigFile(configfile);
 
 }
@@ -131,6 +133,16 @@ int Config::parseConfigFile(const char * configfile)
 					else return BAD_FILE;
 
 				}
+                                if (strncmp(line.c_str(),"useauthcontrolfile=",19)==0)
+				{
+
+					string stmp=line.substr(19,line.size()-19);
+					deletechars(&stmp);
+					if(stmp == "true") this->useauthcontrolfile=true;
+					else if (stmp =="false") this->useauthcontrolfile=false;
+					else return BAD_FILE;
+
+				}
 			}
 
 		}
@@ -434,7 +446,7 @@ void Config::setOpenVPNConfig(string conf)
 	this->openvpnconfig=conf;
 }
 
-/** Returns getter method for the overwriteccfiles variable.
+/** The getter method for the overwriteccfiles variable.
  * @return A bool of overwriteccfiles.
  */
 bool Config::getOverWriteCCFiles(void)
@@ -449,3 +461,19 @@ void Config::setOverWriteCCFiles(bool overwrite)
 {
 	this->overwriteccfiles=overwrite;	
 }
+
+/** Getter method for the authcontrolfile variable.
+ * @return A bool of authcontrolfile .
+ */
+bool Config::getUseAuthControlFile(void)
+{
+	return this->useauthcontrolfile;
+}
+
+/** The setter method for the authcontrolfile  varibale
+ * @param overwrite Set to true if the plugin if auth control files should be if supported by the OpenVPN version.
+ */
+void Config::setUseAuthControlFile(bool b)
+{
+	this->useauthcontrolfile=b;	
+}
diff --git a/Config.h b/Config.h
@@ -49,6 +49,7 @@ class Config
 	bool clientcertnotrequired;		/**<For OpenVPN option client_cert_not_required, commonname = UNDEF.*/
 	string openvpnconfig;			/**<Path to OpenVPN config.*/
 	bool overwriteccfiles; 			/**<If true the plugin overwrites the client config files.*/
+        bool useauthcontrolfile;                /**<If true and the OpenVPN version supports auth control files, the acf is used.*/
 
 	void deletechars(string * );
 
@@ -89,6 +90,9 @@ class Config
 
 	bool getOverWriteCCFiles(void);
 	void setOverWriteCCFiles(bool);
+
+        bool getUseAuthControlFile(void);
+	void setUseAuthControlFile(bool);
 
 	string getOpenVPNConfig(void);
 	void setOpenVPNConfig(string);

diff --git a/Exception.cpp b/Exception.cpp
@@ -57,7 +57,7 @@ Exception::Exception(string txt)
  */
 ostream & operator <<(ostream& os, const Exception& e)
 {
-     os << "Error: " << e.errtext << "\n";
+     os <<"Error: " << e.errtext << "\n";
      return os;
 }
 

diff --git a/Exception.h b/Exception.h
@@ -23,6 +23,7 @@
 #define _EXCEPTION_H_
 #include <string>
 #include <iostream>
+//#include "radiusplugin.h"
 
 using namespace std;
 

diff --git a/PluginContext.cpp b/PluginContext.cpp
@@ -119,7 +119,7 @@ void PluginContext::addUser(UserPlugin * newuser)
 
 }
 
-/**The method deletes the user from the map with the key cn.
+/**The method deletes the user from the map with the key.
  * @param key The key of the user.
  */
 void PluginContext::delUser(string key)

diff --git a/PluginContext.h b/PluginContext.h
@@ -41,6 +41,7 @@ using std::list;
 
 using namespace std;
 
+
 /** This class saves all information for the different processes and 
  * it saves the users for the foreground process.*/
 class PluginContext

diff --git a/UserAcct.h b/UserAcct.h
@@ -30,6 +30,7 @@
 #include "PluginContext.h"
 
 
+
 /** The class represents a user in the accounting background process. The class is
  * derived from the User class. This class defined additonal attributes
  * for accouting a user.*/

diff --git a/UserAuth.h b/UserAuth.h
@@ -38,6 +38,8 @@
 #include <stdlib.h>
 using namespace std;
 
+
+
 /**The class represents an user for the authentication process.**/
 class UserAuth : public User
 {

diff --git a/main.cpp b/main.cpp
@@ -106,9 +106,9 @@ int main (void)
 	argv[0]="radiusplugin.so";
 	argv[1]="./radiusplugin.cnf";
 	argv[2]=NULL;
-
+        system("rm acfuser*"); //remove the acf files
+
 	context=openvpn_plugin_open_v2(&type_mask,(const char **) argv,(const char **) env1, NULL);
-
 	if (context==NULL)
 	{
 		return -1;	
@@ -130,32 +130,46 @@ int main (void)
 	if(success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED)
         {
           char c1,c2,c3,c4;
+          ifstream file1(get_env("auth_control_file", env1));
+          ifstream file2(get_env("auth_control_file", env2));
+          ifstream file3(get_env("auth_control_file", env3));
+          ifstream file4(get_env("auth_control_file", env4));
           do
           {
-            ifstream file1(get_env("auth_control_file", env1));
             if(file1.is_open())
             {
               file1.read (&c1, 1);
             }
-            ifstream file2(get_env("auth_control_file", env2));
+            else file1.open(get_env("auth_control_file", env1));
+
             if(file2.is_open())
             {
               file2.read (&c2, 1);
             }
-            ifstream file3(get_env("auth_control_file", env3));
+            else file2.open(get_env("auth_control_file", env2));
             if(file3.is_open())
             {
               file3.read (&c3, 1);
             }
-            ifstream file4(get_env("auth_control_file", env4));
+            else file3.open(get_env("auth_control_file", env3));
             if(file4.is_open())
             {
-              file4.read (&c4, 1);
+              file4.read(&c4, 1);
             }
-
+            else file4.open(get_env("auth_control_file", env4));
+            sleep(1);
           }
-          while(c1 != '1' && c2 != '1' && c3 != '1' && c4 != '1');
-          success1=success2=success3=success4=0;
+          while(!file1.is_open() || !file2.is_open() || !file3.is_open() || !file4.is_open());
+          success1=c1-'0';
+          success2=c1-'0';
+          success3=c1-'0';
+          success4=c1-'0';
+          success1=success2=success3=success4= success1 & success2 & success3 & success4;
+          file1.close(); 
+          file2.close();
+          file3.close();
+          file4.close();
+          system("rm acfuser*"); //remove the acf files
         }
 
 	//CONNECT
@@ -189,32 +203,46 @@ int main (void)
 	if(success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED || success1 == OPENVPN_PLUGIN_FUNC_DEFERRED)
         {
           char c1,c2,c3,c4;
+          ifstream file1(get_env("auth_control_file", env1));
+          ifstream file2(get_env("auth_control_file", env2));
+          ifstream file3(get_env("auth_control_file", env3));
+          ifstream file4(get_env("auth_control_file", env4));
           do
           {
-            ifstream file1(get_env ( "auth_control_file", env1));
             if(file1.is_open())
             {
               file1.read (&c1, 1);
             }
-            ifstream file2(get_env ( "auth_control_file", env2));
+            else file1.open(get_env("auth_control_file", env1));
+
             if(file2.is_open())
             {
               file2.read (&c2, 1);
             }
-            ifstream file3(get_env ( "auth_control_file", env3));
+            else file2.open(get_env("auth_control_file", env2));
             if(file3.is_open())
             {
               file3.read (&c3, 1);
             }
-            ifstream file4(get_env ( "auth_control_file", env4));
+            else file3.open(get_env("auth_control_file", env3));
             if(file4.is_open())
             {
-              file4.read (&c4, 1);
+              file4.read(&c4, 1);
             }
-
+            else file4.open(get_env("auth_control_file", env4));
+            sleep(1);
           }
-          while(c1 != '1' && c2 != '1' && c3 != '1' && c4 != '1');
-          success1=success2=success3=success4=0;
+          while(!file1.is_open() || !file2.is_open() || !file3.is_open() || !file4.is_open());
+          success1=c1-'0';
+          success2=c1-'0';
+          success3=c1-'0';
+          success4=c1-'0';
+          success1=success2=success3=success4= success1 & success2 & success3 & success4;
+          file1.close(); 
+          file2.close();
+          file3.close();
+          file4.close();
+          system("rm acfuser*"); //remove the acf files
         }
 
 	if (success5==0 && success6==0 && success7==0 && success8==0)

diff --git a/radiusplugin.cnf b/radiusplugin.cnf
@@ -35,6 +35,11 @@ subnet=255.255.255.0
 # default is true
 overwriteccfiles=true
 
+# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
+# default is false
+# useauthcontrolfile=false
+
+
 # Path to a script for vendor specific attributes.
 # Leave it out if you don't use an own script.
 # vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

diff --git a/radiusplugin.cpp b/radiusplugin.cpp
@@ -439,11 +439,12 @@ extern "C"
 
 
 				newuser->setUntrustedPort ( get_env ( "untrusted_port", envp ) );
-				newuser->setKey ( newuser->getCommonname() +string ( "," ) + untrusted_ip + string ( ":" ) + get_env ( "untrusted_port", envp ) );
+				//newuser->setKey(newuser->getCommonname() +string ( "," ) + untrusted_ip + string ( ":" ) + get_env ( "untrusted_port", envp ) );
+                                newuser->setKey(untrusted_ip + string ( ":" ) + get_env ( "untrusted_port", envp ) );
+                                if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Key: " << newuser->getKey() << ".\n";
 
-                                if (newuser->getAuthControlFile().length() > 0)
+                                if (newuser->getAuthControlFile().length() > 0 && context->conf.getUseAuthControlFile())
                                 {
-
                                   pthread_mutex_lock(context->getMutexSend());
                                   context->addNewUser(newuser);
                                   pthread_cond_signal( context->getCondSend( ));
@@ -452,7 +453,6 @@ extern "C"
                                 }
                                 else
                                 {
-
                                   pthread_mutex_lock(context->getMutexSend());
                                   context->addNewUser(newuser);
                                   pthread_cond_signal( context->getCondSend( ));
@@ -534,9 +534,12 @@ extern "C"
 
 				const char *ifconfig_pool_remote_ip=get_env ( "ifconfig_pool_remote_ip", envp );
 				//find the user in the context, he was added at the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
-				string key=common_name + string ( "," ) +untrusted_ip+string ( ":" ) + string ( get_env ( "untrusted_port", envp ) );
-
-				newuser=context->findUser(key);
+				//string key=common_name + string ( "," ) +untrusted_ip+string ( ":" ) + string ( get_env ( "untrusted_port", envp ) );
+                                string key=untrusted_ip+string ( ":" ) + string ( get_env ( "untrusted_port", envp ) );
+                                if ( DEBUG ( context->getVerbosity() ) ){
+                                        cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Key: " << key << ".\n";
+				}
+                                newuser=context->findUser(key);
                                 if(newuser == NULL)
                                 {
 
@@ -673,8 +676,8 @@ extern "C"
 				}
 
 				//find the user in the context
-				newuser=context->findUser ( common_name + string ( "," ) + untrusted_ip + string ( ":" ) + string ( get_env ( "untrusted_port", envp ) ) );
-
+				//newuser=context->findUser ( common_name + string ( "," ) + untrusted_ip + string ( ":" ) + string ( get_env ( "untrusted_port", envp ) ) );
+                                newuser=context->findUser ( untrusted_ip + string ( ":" ) + string ( get_env ( "untrusted_port", envp ) ) );
 
 				if ( newuser!=NULL )
 				{
@@ -946,10 +949,10 @@ string createSessionId ( UserPlugin * user )
  * @param _context The context pointer from OpenVPN.
  */
 
-void  * auth_user_pass_verify(void * _context)
+void  * auth_user_pass_verify(void * c)
 {
         cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND THREAD: Auth_user_pass_verify thread started.\n";
-        PluginContext * context = (PluginContext *) _context;
+        PluginContext * context = (PluginContext *) c;
 
         //main thread loop for authentication
         while(!context->getStopThread())
@@ -1059,7 +1062,7 @@ void  * auth_user_pass_verify(void * _context)
                                   cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND THREAD: Don't add the user to the map, it is a rekeying.\n";
                           }
 
-                          if(newuser->getAuthControlFile().length()>0)
+                          if(newuser->getAuthControlFile().length()>0 && context->conf.getUseAuthControlFile())
                           {
                             write_auth_control_file(context, newuser->getAuthControlFile(), '1');
                           }
@@ -1100,7 +1103,7 @@ void  * auth_user_pass_verify(void * _context)
                           context->delNasPort(newuser->getPortnumber());
                           context->delUser(newuser->getKey());
 
-                          if(newuser->getAuthControlFile().length()>0)
+                          if(newuser->getAuthControlFile().length()>0 && context->conf.getUseAuthControlFile())
                           {
                             write_auth_control_file(context, newuser->getAuthControlFile(), '0');
                           }
@@ -1121,7 +1124,7 @@ void  * auth_user_pass_verify(void * _context)
               context->delUser (newuser->getKey());
 
               //return OPENVPN_PLUGIN_FUNC_ERROR;
-              if(newuser->getAuthControlFile().length()>0)
+              if(newuser->getAuthControlFile().length()>0 && context->conf.getUseAuthControlFile())
               {
                 write_auth_control_file(context, newuser->getAuthControlFile(), '0');
               }

diff --git a/radiusplugin.h b/radiusplugin.h
@@ -109,7 +109,7 @@ void set_signals (void);
 string createSessionId (UserPlugin *);
 
 void * auth_user_pass_verify(void *);
-void write_auth_control_file(PluginContext * context, string filename, char c);
+void write_auth_control_file(PluginContext *, string filename, char c);
 string getTime();