2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License, version 2 if the
4 * License as published by the Free Software Foundation.
6 * This program is distributed in the hope that it will be useful,
7 * but WITHOUT ANY WARRANTY; without even the implied warranty of
8 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 * GNU General Public License for more details.
11 * You should have received a copy of the GNU General Public License
12 * along with this program; if not, write to the Free Software
13 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * @brief Integration with external trust router code
21 * @copyright 2014 Network RADIUS SARL
23 #include <trust_router/tid.h>
24 #include <freeradius-devel/radiusd.h>
25 #include <freeradius-devel/rad_assert.h>
26 #include <freeradius-devel/modules.h>
27 #include <freeradius-devel/realms.h>
29 #ifdef HAVE_TRUST_ROUTER_TR_DH_H
30 #include "trustrouter.h"
32 #include <trust_router/tr_dh.h>
33 static TIDC_INSTANCE *global_tidc = NULL;
46 if (global_tidc) return true;
48 global_tidc = tidc_create();
50 DEBUG2( "tr_init: Error creating global TIDC instance.\n");
54 if (!tidc_set_dh(global_tidc, tr_create_dh_params(NULL, 0))) {
55 DEBUG2( "tr_init: Error creating client DH params.\n");
62 static fr_tls_server_conf_t *construct_tls(TIDC_INSTANCE *inst,
66 fr_tls_server_conf_t *tls;
67 unsigned char *key_buf = NULL;
72 tls = talloc_zero( hs, fr_tls_server_conf_t);
73 if (!tls) return NULL;
75 aaa_server_dh = tid_srvr_get_dh(server);
76 keylen = tr_compute_dh_key(&key_buf, aaa_server_dh->pub_key,
83 hexbuf = talloc_size(tls, keylen*2 + 1);
84 if (!hexbuf) goto error;
86 tr_bin_to_hex(key_buf, keylen, hexbuf, 2*keylen + 1);
88 tls->psk_password = hexbuf;
89 tls->psk_identity = talloc_strdup(tls, tid_srvr_get_key_name(server)->buf);
91 tls->cipher_list = talloc_strdup(tls, "PSK");
92 tls->fragment_size = 4200;
93 tls->ctx = tls_init_ctx(tls, 1);
94 if (!tls->ctx) goto error;
96 memset(key_buf, 0, keylen);
102 memset(key_buf, 0, keylen);
105 if (hexbuf) memset(hexbuf, 0, keylen*2);
107 if (tls) talloc_free(tls);
111 static char *build_pool_name(TALLOC_CTX *ctx, TID_RESP *resp)
113 size_t index, sa_len, sl;
114 TID_SRVR_BLK *server;
115 char *pool_name = NULL;
117 const struct sockaddr *sa;
118 pool_name = talloc_strdup(ctx, "hp-");
120 tid_resp_servers_foreach(resp, server, index) {
121 tid_srvr_get_address(server, &sa, &sa_len);
122 if (0 != getnameinfo(sa, sa_len,
123 addr_buf, sizeof(addr_buf)-1,
124 NULL, 0, NI_NUMERICHOST)) {
125 DEBUG2("getnameinfo failed");
129 sl = strlen(addr_buf);
130 rad_assert(sl+2 <= sizeof(addr_buf));
133 addr_buf[sl+1] = '\0';
135 pool_name = talloc_strdup_append(pool_name, addr_buf);
141 static home_server_t *srvr_blk_to_home_server(TALLOC_CTX *ctx,
144 char const *realm_name)
146 home_server_t *hs = NULL;
147 const struct sockaddr *sa = NULL;
149 fr_ipaddr_t home_server_ip;
153 rad_assert(blk != NULL);
154 tid_srvr_get_address(blk, &sa, &sa_len);
155 switch(sa->sa_family) {
158 const struct sockaddr_in *sin = (const struct sockaddr_in *) sa;
159 home_server_ip.af = AF_INET;
160 home_server_ip.scope = 0;
161 home_server_ip.ipaddr.ip4addr = sin->sin_addr;
162 port = ntohs(sin->sin_port);
167 const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *) sa;
168 home_server_ip.af = AF_INET6;
169 home_server_ip.scope = sin6->sin6_scope_id;
170 home_server_ip.ipaddr.ip6addr = sin6->sin6_addr;
175 DEBUG2("Unknown address family in tid srvr block");
179 if (0 != getnameinfo(sa, sa_len,
184 DEBUG2("getnameinfo failed");
188 hs = talloc_zero(ctx, home_server_t);
189 if (!hs) return NULL;
192 * All dynamic home servers are for authentication.
194 hs->type = HOME_TYPE_AUTH;
195 hs->ipaddr = home_server_ip;
196 hs->src_ipaddr.af = home_server_ip.af;
197 hs->name = talloc_asprintf(hs, "%s-for-%s", nametemp, realm_name);
198 hs->hostname = talloc_strdup(hs, nametemp);
200 hs->proto = IPPROTO_TCP;
201 hs->secret = talloc_strdup(hs, "radsec");
202 hs->response_window.tv_sec = 30;
203 hs->last_packet_recv = time(NULL);
205 hs->tls = construct_tls(inst, hs, blk);
206 if (!hs->tls) goto error;
208 realm_home_server_sanitize(hs, NULL);
216 static home_pool_t *servers_to_pool(TALLOC_CTX *ctx,
219 const char *realm_name)
221 home_pool_t *pool = NULL;
222 size_t num_servers = 0, index;
223 TID_SRVR_BLK *server = NULL;
225 num_servers = tid_resp_get_num_servers(resp);
227 pool = talloc_zero_size(ctx, sizeof(*pool) + num_servers *sizeof(home_server_t *));
228 if (!pool) goto error;
230 pool->type = HOME_POOL_CLIENT_PORT_BALANCE;
231 pool->server_type = HOME_TYPE_AUTH;
233 pool->name = build_pool_name(pool, resp);
234 if (!pool->name) goto error;
236 pool->num_home_servers = num_servers;
238 tid_resp_servers_foreach(resp, server, index) {
241 hs = srvr_blk_to_home_server(pool, inst, server, realm_name);
243 pool->servers[index] = hs;
249 if (pool) talloc_free(pool);
254 static void tr_response_func( TIDC_INSTANCE *inst,
255 UNUSED TID_REQ *req, TID_RESP *resp,
258 struct resp_opaque *opaque = (struct resp_opaque *) cookie;
259 REALM *nr = opaque->orig_realm;
261 if (tid_resp_get_result(resp) != TID_SUCCESS) {
264 opaque->result = tid_resp_get_result(resp);
265 memset(opaque->err_msg, 0, sizeof(opaque->err_msg));
267 if (tid_resp_get_err_msg(resp)) {
268 TR_NAME *err_msg = tid_resp_get_err_msg(resp);
269 err_msg_len = err_msg->len+1;
270 if (err_msg_len > sizeof(opaque->err_msg))
271 err_msg_len = sizeof(opaque->err_msg);
272 strlcpy(opaque->err_msg, err_msg->buf, err_msg_len);
278 nr = talloc_zero(NULL, REALM);
280 nr->name = talloc_move(nr, &opaque->fr_realm_name);
281 nr->auth_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
282 if (!realm_realm_add(nr, NULL)) goto error;
285 home_pool_t *old_pool = nr->auth_pool;
286 home_pool_t *new_pool;
288 new_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
290 ERROR("Unable to recreate pool for %s", opaque->fr_realm_name);
293 nr->auth_pool = new_pool;
295 /* FIXME: Really we want to free this a few
296 * seconds from now, so that anyone who is load
297 * balancing in the new pool has gotten this
298 * update to avoid the race or at least make it
299 * basically unlikely to ever happen.
301 talloc_free(old_pool);
304 opaque->output_realm = nr;
308 if (nr && !opaque->orig_realm) {
315 static bool update_required(REALM const *r)
317 const home_pool_t *pool;
319 const home_server_t *server;
320 time_t now = time(NULL);
323 * No pool. Not our realm.
325 if (!r->auth_pool) return false;
329 for (i = 0; i < pool->num_home_servers; i++) {
330 server = pool->servers[i];
333 * The realm was loaded from the configuration
336 if (server->cs) return false;
339 * These values don't make sense.
341 if ((server->last_packet_recv > (now + 5)) ||
342 (server->last_failed_open > (now + 5))) {
347 * This server has received a packet in the last
348 * 5 minutes. It doesn't need an update.
350 if ((now - server->last_packet_recv) < 300) {
355 * If we've opened in the last 10 minutes, then
356 * open rather than update.
358 if ((now - server->last_failed_open) > 600) {
368 REALM *tr_query_realm(char const *realm,
369 char const *community,
371 char const *trustrouter,
377 struct resp_opaque cookie;
379 if (!realm) return NULL;
381 /* clear the cookie structure */
382 memset (&cookie, 0, sizeof(cookie));
384 cookie.fr_realm_name = talloc_asprintf(NULL,
388 cookie.orig_realm = cookie.output_realm = realm_find(cookie.fr_realm_name);
390 if (cookie.orig_realm && !update_required(cookie.orig_realm)) {
391 talloc_free(cookie.fr_realm_name);
392 return cookie.orig_realm;
395 /* Set-up TID connection */
396 DEBUG2("Opening TIDC connection to %s:%u", trustrouter, port);
398 conn = tidc_open_connection(global_tidc, (char *)trustrouter, port, &gssctx);
401 DEBUG2("Error in tidc_open_connection.\n");
405 /* Send a TID request */
406 rcode = tidc_send_request(global_tidc, conn, gssctx, (char *)rprealm,
407 (char *) realm, (char *)community,
408 &tr_response_func, &cookie);
411 DEBUG2("Error in tidc_send_request, rc = %d.\n", rcode);
416 if (cookie.fr_realm_name)
417 talloc_free(cookie.fr_realm_name);
419 return cookie.output_realm;
421 #endif /* HAVE_TRUST_ROUTER_TR_DH_H */