24 #include <trust_router/tid.h>
25 #include <freeradius-devel/radiusd.h>
26 #include <freeradius-devel/rad_assert.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/realms.h>
30 #ifdef HAVE_TRUST_ROUTER_TR_DH_H
33 #include <trust_router/tr_dh.h>
34 static TIDC_INSTANCE *global_tidc = NULL;
47 if (global_tidc)
return true;
49 global_tidc = tidc_create();
51 DEBUG2(
"tr_init: Error creating global TIDC instance.\n");
55 if (!tidc_set_dh(global_tidc, tr_create_dh_params(NULL, 0))) {
56 DEBUG2(
"tr_init: Error creating client DH params.\n");
63 static fr_tls_server_conf_t *construct_tls(TIDC_INSTANCE *
inst,
67 fr_tls_server_conf_t *tls;
68 unsigned char *key_buf = NULL;
73 tls = talloc_zero( hs, fr_tls_server_conf_t);
74 if (!tls)
return NULL;
76 aaa_server_dh = tid_srvr_get_dh(server);
77 keylen = tr_compute_dh_key(&key_buf, aaa_server_dh->pub_key,
84 hexbuf = talloc_size(tls, keylen*2 + 1);
85 if (!hexbuf)
goto error;
87 tr_bin_to_hex(key_buf, keylen, hexbuf, 2*keylen + 1);
89 tls->psk_password = hexbuf;
90 tls->psk_identity = talloc_strdup(tls, tid_srvr_get_key_name(server)->buf);
92 tls->cipher_list = talloc_strdup(tls,
"PSK");
93 tls->fragment_size = 4200;
94 tls->ctx = tls_init_ctx(tls,
true);
95 if (!tls->ctx)
goto error;
97 memset(key_buf, 0, keylen);
103 memset(key_buf, 0, keylen);
106 if (hexbuf) memset(hexbuf, 0, keylen*2);
108 if (tls) talloc_free(tls);
112 static char *build_pool_name(TALLOC_CTX *ctx, TID_RESP *resp)
114 size_t index, sa_len, sl;
115 TID_SRVR_BLK *server;
116 char *pool_name = NULL;
118 const struct sockaddr *sa;
119 pool_name = talloc_strdup(ctx,
"hp-");
121 tid_resp_servers_foreach(resp, server, index) {
122 tid_srvr_get_address(server, &sa, &sa_len);
124 addr_buf,
sizeof(addr_buf)-1,
125 NULL, 0, NI_NUMERICHOST)) {
126 DEBUG2(
"getnameinfo failed");
130 sl = strlen(addr_buf);
134 addr_buf[sl+1] =
'\0';
136 pool_name = talloc_strdup_append(pool_name, addr_buf);
142 static home_server_t *srvr_blk_to_home_server(TALLOC_CTX *ctx,
145 char const *realm_name)
148 const struct sockaddr *sa = NULL;
155 tid_srvr_get_address(blk, &sa, &sa_len);
164 DEBUG2(
"getnameinfo failed");
169 if (!hs)
return NULL;
175 hs->
ipaddr = home_server_ip;
177 hs->
log_name = talloc_asprintf(hs,
"%s-for-%s", nametemp, realm_name);
178 hs->
name = talloc_strdup(hs, nametemp);
180 hs->
proto = IPPROTO_TCP;
181 hs->
secret = talloc_strdup(hs,
"radsec");
185 hs->tls = construct_tls(inst, hs, blk);
186 if (!hs->tls)
goto error;
196 static home_pool_t *servers_to_pool(TALLOC_CTX *ctx,
199 const char *realm_name)
202 size_t num_servers = 0, index;
203 TID_SRVR_BLK *server = NULL;
205 num_servers = tid_resp_get_num_servers(resp);
207 pool = talloc_zero_size(ctx,
sizeof(*pool) + num_servers *
sizeof(
home_server_t *));
208 if (!pool)
goto error;
213 pool->
name = build_pool_name(pool, resp);
214 if (!pool->
name)
goto error;
218 tid_resp_servers_foreach(resp, server, index) {
221 hs = srvr_blk_to_home_server(pool, inst, server, realm_name);
229 if (pool) talloc_free(pool);
234 static void tr_response_func( TIDC_INSTANCE *inst,
235 UNUSED TID_REQ *req, TID_RESP *resp,
238 struct resp_opaque *opaque = (
struct resp_opaque *) cookie;
239 REALM *nr = opaque->orig_realm;
241 if (tid_resp_get_result(resp) != TID_SUCCESS) {
244 opaque->result = tid_resp_get_result(resp);
245 memset(opaque->err_msg, 0,
sizeof(opaque->err_msg));
247 if (tid_resp_get_err_msg(resp)) {
248 TR_NAME *err_msg = tid_resp_get_err_msg(resp);
249 err_msg_len = err_msg->len+1;
250 if (err_msg_len >
sizeof(opaque->err_msg))
251 err_msg_len =
sizeof(opaque->err_msg);
252 strlcpy(opaque->err_msg, err_msg->buf, err_msg_len);
258 nr = talloc_zero(NULL,
REALM);
260 nr->
name = talloc_move(nr, &opaque->fr_realm_name);
261 nr->
auth_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
268 new_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
270 ERROR(
"Unable to recreate pool for %s", opaque->fr_realm_name);
281 opaque->output_realm = nr;
285 if (nr && !opaque->orig_realm) {
292 static bool update_required(
REALM const *
r)
297 time_t now = time(NULL);
313 if (server->
cs)
return false;
346 char const *community,
348 char const *trustrouter,
355 struct resp_opaque cookie;
357 if (!realm)
return NULL;
359 if (!trustrouter || (strcmp(trustrouter,
"none") == 0))
return NULL;
362 memset (&cookie, 0,
sizeof(cookie));
367 community = vp->vp_strvalue;
370 cookie.fr_realm_name = talloc_asprintf(NULL,
374 cookie.orig_realm = cookie.output_realm =
realm_find(cookie.fr_realm_name);
376 if (cookie.orig_realm && !update_required(cookie.orig_realm)) {
377 talloc_free(cookie.fr_realm_name);
378 return cookie.orig_realm;
382 DEBUG2(
"Opening TIDC connection to %s:%u", trustrouter, port);
384 conn = tidc_open_connection(global_tidc, (
char *)trustrouter, port, &gssctx);
387 DEBUG2(
"Error in tidc_open_connection.\n");
392 rcode = tidc_send_request(global_tidc, conn, gssctx, (
char *)rprealm,
393 (
char *) realm, (
char *)community,
394 &tr_response_func, &cookie);
397 DEBUG2(
"Error in tidc_send_request, rc = %d.\n", rcode);
400 if (cookie.result != TID_SUCCESS) {
401 DEBUG2(
"TID response is error, rc = %d: %s.\n", cookie.result,
402 cookie.err_msg?cookie.err_msg:
"(NO ERROR TEXT)");
409 if (cookie.fr_realm_name)
410 talloc_free(cookie.fr_realm_name);
412 return cookie.output_realm;
home_server_t * servers[1]
char const * name
Name the server may be referenced by for querying stats or when specifying home servers for a pool...
fr_ipaddr_t src_ipaddr
Resolved version of src_ipaddr_str.
REALM * tr_query_realm(REQUEST *request, char const *realm, char const *community, char const *rprealm, char const *trustrouter, unsigned int port)
int fr_ipaddr_from_sockaddr(struct sockaddr_storage const *sa, socklen_t salen, fr_ipaddr_t *ipaddr, uint16_t *port)
VALUE_PAIR * vps
Result of decoding the packet into VALUE_PAIRs.
Headers for trust router code.
void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs)
#define pair_make_request(_a, _b, _c)
Stores an attribute, a value and various bits of other data.
char const * log_name
The name used for log messages.
REALM * realm_find(char const *name)
int getnameinfo(struct sockaddr const *sa, socklen_t salen, char *host, size_t hostlen, char *serv, size_t servlen, unsigned int flags)
#define pair_make_reply(_a, _b, _c)
RADIUS_PACKET * packet
Incoming request.
int realm_realm_add(REALM *r, CONF_SECTION *cs)
VALUE_PAIR * fr_pair_find_by_num(VALUE_PAIR *head, unsigned int vendor, unsigned int attr, int8_t tag)
Find the pair with the matching attribute.
size_t strlcpy(char *dst, char const *src, size_t siz)
void realm_pool_free(home_pool_t *pool)
home_type_t type
Auth, Acct, CoA etc.
fr_ipaddr_t ipaddr
IP address of home server.
struct timeval response_window