All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
trustrouter.c
Go to the documentation of this file.
1 /*
2  * This program is is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or (at
5  * your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 49f4faa53ad64604a5849062b37d530f2b8d81d3 $
19  * @file trustrouter.c
20  * @brief Integration with external trust router code
21  *
22  * @copyright 2014 Network RADIUS SARL
23  */
24 #include <trust_router/tid.h>
25 #include <freeradius-devel/radiusd.h>
26 #include <freeradius-devel/rad_assert.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/realms.h>
29 
30 #ifdef HAVE_TRUST_ROUTER_TR_DH_H
31 #include "trustrouter.h"
32 
33 #include <trust_router/tr_dh.h>
34 static TIDC_INSTANCE *global_tidc = NULL;
35 
36 struct resp_opaque {
37  REALM *orig_realm;
38  REALM *output_realm;
39  TID_RC result;
40  char err_msg[1024];
41  char *fr_realm_name;
42 };
43 
44 
45 bool tr_init(void)
46 {
47  if (global_tidc) return true;
48 
49  global_tidc = tidc_create();
50  if (!global_tidc) {
51  DEBUG2( "tr_init: Error creating global TIDC instance.\n");
52  return false;
53  }
54 
55  if (!tidc_set_dh(global_tidc, tr_create_dh_params(NULL, 0))) {
56  DEBUG2( "tr_init: Error creating client DH params.\n");
57  return false;
58  }
59 
60  return true;
61 }
62 
63 static fr_tls_server_conf_t *construct_tls(TIDC_INSTANCE *inst,
64  home_server_t *hs,
65  TID_SRVR_BLK *server)
66 {
67  fr_tls_server_conf_t *tls;
68  unsigned char *key_buf = NULL;
69  ssize_t keylen;
70  char *hexbuf = NULL;
71  DH *aaa_server_dh;
72 
73  tls = talloc_zero( hs, fr_tls_server_conf_t);
74  if (!tls) return NULL;
75 
76  aaa_server_dh = tid_srvr_get_dh(server);
77  keylen = tr_compute_dh_key(&key_buf, aaa_server_dh->pub_key,
78  tidc_get_dh(inst));
79  if (keylen <= 0) {
80  DEBUG2("DH error");
81  goto error;
82  }
83 
84  hexbuf = talloc_size(tls, keylen*2 + 1);
85  if (!hexbuf) goto error;
86 
87  tr_bin_to_hex(key_buf, keylen, hexbuf, 2*keylen + 1);
88 
89  tls->psk_password = hexbuf;
90  tls->psk_identity = talloc_strdup(tls, tid_srvr_get_key_name(server)->buf);
91 
92  tls->cipher_list = talloc_strdup(tls, "PSK");
93  tls->fragment_size = 4200;
94  tls->ctx = tls_init_ctx(tls, true);
95  if (!tls->ctx) goto error;
96 
97  memset(key_buf, 0, keylen);
98  tr_dh_free(key_buf);
99  return tls;
100 
101 error:
102  if (key_buf) {
103  memset(key_buf, 0, keylen);
104  tr_dh_free(key_buf);
105  }
106  if (hexbuf) memset(hexbuf, 0, keylen*2);
107 
108  if (tls) talloc_free(tls);
109  return NULL;
110 }
111 
112 static char *build_pool_name(TALLOC_CTX *ctx, TID_RESP *resp)
113 {
114  size_t index, sa_len, sl;
115  TID_SRVR_BLK *server;
116  char *pool_name = NULL;
117  char addr_buf[256];
118  const struct sockaddr *sa;
119  pool_name = talloc_strdup(ctx, "hp-");
120 
121  tid_resp_servers_foreach(resp, server, index) {
122  tid_srvr_get_address(server, &sa, &sa_len);
123  if (0 != getnameinfo(sa, sa_len,
124  addr_buf, sizeof(addr_buf)-1,
125  NULL, 0, NI_NUMERICHOST)) {
126  DEBUG2("getnameinfo failed");
127  return NULL;
128  }
129 
130  sl = strlen(addr_buf);
131  rad_assert(sl+2 <= sizeof(addr_buf));
132 
133  addr_buf[sl] = '-';
134  addr_buf[sl+1] = '\0';
135 
136  pool_name = talloc_strdup_append(pool_name, addr_buf);
137  }
138 
139  return pool_name;
140 }
141 
142 static home_server_t *srvr_blk_to_home_server(TALLOC_CTX *ctx,
143  TIDC_INSTANCE *inst,
144  TID_SRVR_BLK *blk,
145  char const *realm_name)
146 {
147  home_server_t *hs = NULL;
148  const struct sockaddr *sa = NULL;
149  size_t sa_len = 0;
150  fr_ipaddr_t home_server_ip;
151  uint16_t port;
152  char nametemp[256];
153 
154  rad_assert(blk != NULL);
155  tid_srvr_get_address(blk, &sa, &sa_len);
156 
157  fr_ipaddr_from_sockaddr((struct sockaddr_storage *) sa, sa_len, &home_server_ip, &port);
158 
159  if (0 != getnameinfo(sa, sa_len,
160  nametemp,
161  sizeof nametemp,
162  NULL, 0,
163  NI_NUMERICHOST)) {
164  DEBUG2("getnameinfo failed");
165  return NULL;
166  }
167 
168  hs = talloc_zero(ctx, home_server_t);
169  if (!hs) return NULL;
170 
171  /*
172  * All dynamic home servers are for authentication.
173  */
174  hs->type = HOME_TYPE_AUTH;
175  hs->ipaddr = home_server_ip;
176  hs->src_ipaddr.af = home_server_ip.af;
177  hs->log_name = talloc_asprintf(hs, "%s-for-%s", nametemp, realm_name);
178  hs->name = talloc_strdup(hs, nametemp);
179  hs->port = port;
180  hs->proto = IPPROTO_TCP;
181  hs->secret = talloc_strdup(hs, "radsec");
182  hs->response_window.tv_sec = 30;
183  hs->last_packet_recv = time(NULL);
184 
185  hs->tls = construct_tls(inst, hs, blk);
186  if (!hs->tls) goto error;
187 
188  realm_home_server_sanitize(hs, NULL);
189 
190  return hs;
191 error:
192  talloc_free(hs);
193  return NULL;
194 }
195 
196 static home_pool_t *servers_to_pool(TALLOC_CTX *ctx,
197  TIDC_INSTANCE *inst,
198  TID_RESP *resp,
199  const char *realm_name)
200 {
201  home_pool_t *pool = NULL;
202  size_t num_servers = 0, index;
203  TID_SRVR_BLK *server = NULL;
204 
205  num_servers = tid_resp_get_num_servers(resp);
206 
207  pool = talloc_zero_size(ctx, sizeof(*pool) + num_servers *sizeof(home_server_t *));
208  if (!pool) goto error;
209 
211  pool->server_type = HOME_TYPE_AUTH;
212 
213  pool->name = build_pool_name(pool, resp);
214  if (!pool->name) goto error;
215 
216  pool->num_home_servers = num_servers;
217 
218  tid_resp_servers_foreach(resp, server, index) {
219  home_server_t *hs;
220 
221  hs = srvr_blk_to_home_server(pool, inst, server, realm_name);
222  if (!hs) goto error;
223  pool->servers[index] = hs;
224  }
225 
226  return pool;
227 
228 error:
229  if (pool) talloc_free(pool);
230 
231  return NULL;
232 }
233 
234 static void tr_response_func( TIDC_INSTANCE *inst,
235  UNUSED TID_REQ *req, TID_RESP *resp,
236  void *cookie)
237 {
238  struct resp_opaque *opaque = (struct resp_opaque *) cookie;
239  REALM *nr = opaque->orig_realm;
240 
241  if (tid_resp_get_result(resp) != TID_SUCCESS) {
242 
243  size_t err_msg_len;
244  opaque->result = tid_resp_get_result(resp);
245  memset(opaque->err_msg, 0, sizeof(opaque->err_msg));
246 
247  if (tid_resp_get_err_msg(resp)) {
248  TR_NAME *err_msg = tid_resp_get_err_msg(resp);
249  err_msg_len = err_msg->len+1;
250  if (err_msg_len > sizeof(opaque->err_msg))
251  err_msg_len = sizeof(opaque->err_msg);
252  strlcpy(opaque->err_msg, err_msg->buf, err_msg_len);
253  }
254  return;
255  }
256 
257  if (!nr) {
258  nr = talloc_zero(NULL, REALM);
259  if (!nr) goto error;
260  nr->name = talloc_move(nr, &opaque->fr_realm_name);
261  nr->auth_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
262  if (!realm_realm_add(nr, NULL)) goto error;
263 
264  } else {
265  home_pool_t *old_pool = nr->auth_pool;
266  home_pool_t *new_pool;
267 
268  new_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
269  if (!new_pool) {
270  ERROR("Unable to recreate pool for %s", opaque->fr_realm_name);
271  goto error;
272  }
273  nr->auth_pool = new_pool;
274 
275  /*
276  * Mark the old pool as "to be freed"
277  */
278  realm_pool_free(old_pool);
279  }
280 
281  opaque->output_realm = nr;
282  return;
283 
284 error:
285  if (nr && !opaque->orig_realm) {
286  talloc_free(nr);
287  }
288 
289  return;
290 }
291 
292 static bool update_required(REALM const *r)
293 {
294  const home_pool_t *pool;
295  int i;
296  const home_server_t *server;
297  time_t now = time(NULL);
298 
299  /*
300  * No pool. Not our realm.
301  */
302  if (!r->auth_pool) return false;
303 
304  pool = r->auth_pool;
305 
306  for (i = 0; i < pool->num_home_servers; i++) {
307  server = pool->servers[i];
308 
309  /*
310  * The realm was loaded from the configuration
311  * files.
312  */
313  if (server->cs) return false;
314 
315  /*
316  * These values don't make sense.
317  */
318  if ((server->last_packet_recv > (now + 5)) ||
319  (server->last_failed_open > (now + 5))) {
320  continue;
321  }
322 
323  /*
324  * This server has received a packet in the last
325  * 5 minutes. It doesn't need an update.
326  */
327  if ((now - server->last_packet_recv) < 300) {
328  return false;
329  }
330 
331  /*
332  * If we've opened in the last 10 minutes, then
333  * open rather than update.
334  */
335  if ((now - server->last_failed_open) > 600) {
336  return false;
337  }
338  }
339 
340  return true;
341 }
342 
343 
344 
345 REALM *tr_query_realm(REQUEST *request, char const *realm,
346  char const *community,
347  char const *rprealm,
348  char const *trustrouter,
349  unsigned int port)
350 {
351  int conn = 0;
352  int rcode;
353  VALUE_PAIR *vp;
354  gss_ctx_id_t gssctx;
355  struct resp_opaque cookie;
356 
357  if (!realm) return NULL;
358 
359  if (!trustrouter || (strcmp(trustrouter, "none") == 0)) return NULL;
360 
361  /* clear the cookie structure */
362  memset (&cookie, 0, sizeof(cookie));
363 
364  /* See if the request overrides the community*/
366  if (vp)
367  community = vp->vp_strvalue;
368  else pair_make_request("Trust-Router-COI", community, T_OP_SET);
369 
370  cookie.fr_realm_name = talloc_asprintf(NULL,
371  "%s%%%s",
372  community, realm);
373 
374  cookie.orig_realm = cookie.output_realm = realm_find(cookie.fr_realm_name);
375 
376  if (cookie.orig_realm && !update_required(cookie.orig_realm)) {
377  talloc_free(cookie.fr_realm_name);
378  return cookie.orig_realm;
379  }
380 
381  /* Set-up TID connection */
382  DEBUG2("Opening TIDC connection to %s:%u", trustrouter, port);
383 
384  conn = tidc_open_connection(global_tidc, (char *)trustrouter, port, &gssctx);
385  if (conn < 0) {
386  /* Handle error */
387  DEBUG2("Error in tidc_open_connection.\n");
388  goto cleanup;
389  }
390 
391  /* Send a TID request */
392  rcode = tidc_send_request(global_tidc, conn, gssctx, (char *)rprealm,
393  (char *) realm, (char *)community,
394  &tr_response_func, &cookie);
395  if (rcode < 0) {
396  /* Handle error */
397  DEBUG2("Error in tidc_send_request, rc = %d.\n", rcode);
398  goto cleanup;
399  }
400  if (cookie.result != TID_SUCCESS) {
401  DEBUG2("TID response is error, rc = %d: %s.\n", cookie.result,
402  cookie.err_msg?cookie.err_msg:"(NO ERROR TEXT)");
403  if (cookie.err_msg)
404  pair_make_reply("Reply-Message", cookie.err_msg, T_OP_SET);
405  pair_make_reply("Error-Cause", "502", T_OP_SET); /*proxy unroutable*/
406  }
407 
408 cleanup:
409  if (cookie.fr_realm_name)
410  talloc_free(cookie.fr_realm_name);
411 
412  return cookie.output_realm;
413 }
414 #endif /* HAVE_TRUST_ROUTER_TR_DH_H */
home_server_t * servers[1]
Definition: realms.h:174
char const * name
Name the server may be referenced by for querying stats or when specifying home servers for a pool...
Definition: realms.h:71
fr_ipaddr_t src_ipaddr
Resolved version of src_ipaddr_str.
Definition: realms.h:87
REALM * tr_query_realm(REQUEST *request, char const *realm, char const *community, char const *rprealm, char const *trustrouter, unsigned int port)
int fr_ipaddr_from_sockaddr(struct sockaddr_storage const *sa, socklen_t salen, fr_ipaddr_t *ipaddr, uint16_t *port)
Definition: inet.c:1095
#define PW_UKERNA_TR_COI
Definition: radius.h:223
time_t last_packet_recv
Definition: realms.h:107
home_type_t server_type
Definition: realms.h:164
#define UNUSED
Definition: libradius.h:134
VALUE_PAIR * vps
Result of decoding the packet into VALUE_PAIRs.
Definition: libradius.h:162
CONF_SECTION * cs
Definition: realms.h:129
Headers for trust router code.
void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs)
Definition: realms.c:362
#define pair_make_request(_a, _b, _c)
Definition: radiusd.h:545
#define blk(i)
Definition: sha1.c:23
home_pool_t * auth_pool
Definition: realms.h:183
Definition: realms.h:178
#define inst
int af
Address family.
Definition: inet.h:42
#define rad_assert(expr)
Definition: rad_assert.h:38
time_t last_failed_open
Definition: realms.h:108
#define DEBUG2(fmt,...)
Definition: log.h:176
Stores an attribute, a value and various bits of other data.
Definition: pair.h:112
#define VENDORPEC_UKERNA
Definition: radius.h:203
bool tr_init(void)
Definition: token.h:45
int num_home_servers
Definition: realms.h:173
static bool cleanup
Definition: radsniff.c:53
char const * log_name
The name used for log messages.
Definition: realms.h:69
home_pool_type_t type
Definition: realms.h:162
REALM * realm_find(char const *name)
Definition: realms.c:2235
#define TAG_ANY
Definition: pair.h:191
char const * name
Definition: realms.h:179
int getnameinfo(struct sockaddr const *sa, socklen_t salen, char *host, size_t hostlen, char *serv, size_t servlen, unsigned int flags)
Definition: getaddrinfo.c:379
#define pair_make_reply(_a, _b, _c)
Definition: radiusd.h:546
RADIUS_PACKET * packet
Incoming request.
Definition: radiusd.h:221
int realm_realm_add(REALM *r, CONF_SECTION *cs)
VALUE_PAIR * fr_pair_find_by_num(VALUE_PAIR *head, unsigned int vendor, unsigned int attr, int8_t tag)
Find the pair with the matching attribute.
Definition: pair.c:639
size_t strlcpy(char *dst, char const *src, size_t siz)
Definition: strlcpy.c:38
IPv4/6 prefix.
Definition: inet.h:41
void realm_pool_free(home_pool_t *pool)
Definition: realms.c:1011
static int r
Definition: rbmonkey.c:66
home_type_t type
Auth, Acct, CoA etc.
Definition: realms.h:82
char const * secret
Definition: realms.h:95
uint16_t port
Definition: realms.h:79
char const * name
Definition: realms.h:161
int proto
TCP or UDP.
Definition: realms.h:91
#define ERROR(fmt,...)
Definition: log.h:145
Authentication server.
Definition: realms.h:36
fr_ipaddr_t ipaddr
IP address of home server.
Definition: realms.h:78
struct timeval response_window
Definition: realms.h:100