2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * @brief Integration with external trust router code
22 * @copyright 2014 Network RADIUS SARL
24 #include <trust_router/tid.h>
25 #include <freeradius-devel/radiusd.h>
26 #include <freeradius-devel/rad_assert.h>
27 #include <freeradius-devel/modules.h>
28 #include <freeradius-devel/realms.h>
30 #ifdef HAVE_TRUST_ROUTER_TR_DH_H
31 #include "trustrouter.h"
33 #include <trust_router/tr_dh.h>
34 static TIDC_INSTANCE *global_tidc = NULL;
47 if (global_tidc) return true;
49 global_tidc = tidc_create();
51 DEBUG2( "tr_init: Error creating global TIDC instance.\n");
55 if (!tidc_set_dh(global_tidc, tr_create_dh_params(NULL, 0))) {
56 DEBUG2( "tr_init: Error creating client DH params.\n");
63 static fr_tls_server_conf_t *construct_tls(TIDC_INSTANCE *inst,
67 fr_tls_server_conf_t *tls;
68 unsigned char *key_buf = NULL;
73 tls = fr_tls_server_conf_alloc(hs);
74 if (!tls) return NULL;
76 aaa_server_dh = tid_srvr_get_dh(server);
77 keylen = tr_compute_dh_key(&key_buf, aaa_server_dh->pub_key,
84 hexbuf = talloc_size(tls, keylen*2 + 1);
85 if (!hexbuf) goto error;
87 tr_bin_to_hex(key_buf, keylen, hexbuf, 2*keylen + 1);
89 tls->psk_password = hexbuf;
90 tls->psk_identity = talloc_strdup(tls, tid_srvr_get_key_name(server)->buf);
92 tls->cipher_list = talloc_strdup(tls, "PSK");
93 tls->fragment_size = 4200;
94 tls->ctx = tls_init_ctx(tls, 1);
95 if (!tls->ctx) goto error;
97 memset(key_buf, 0, keylen);
103 memset(key_buf, 0, keylen);
106 if (hexbuf) memset(hexbuf, 0, keylen*2);
108 if (tls) talloc_free(tls);
112 static char *build_pool_name(TALLOC_CTX *ctx, TID_RESP *resp)
114 size_t index, sa_len, sl;
115 TID_SRVR_BLK *server;
116 char *pool_name = NULL;
118 const struct sockaddr *sa;
119 pool_name = talloc_strdup(ctx, "hp-");
121 tid_resp_servers_foreach(resp, server, index) {
122 tid_srvr_get_address(server, &sa, &sa_len);
123 if (0 != getnameinfo(sa, sa_len,
124 addr_buf, sizeof(addr_buf)-1,
125 NULL, 0, NI_NUMERICHOST)) {
126 DEBUG2("getnameinfo failed");
130 sl = strlen(addr_buf);
131 rad_assert(sl+2 <= sizeof(addr_buf));
134 addr_buf[sl+1] = '\0';
136 pool_name = talloc_strdup_append(pool_name, addr_buf);
142 static home_server_t *srvr_blk_to_home_server(TALLOC_CTX *ctx,
145 char const *realm_name)
147 home_server_t *hs = NULL;
148 const struct sockaddr *sa = NULL;
150 fr_ipaddr_t home_server_ip;
154 rad_assert(blk != NULL);
155 tid_srvr_get_address(blk, &sa, &sa_len);
157 fr_sockaddr2ipaddr((struct sockaddr_storage *) sa, sa_len, &home_server_ip, &port);
159 if (0 != getnameinfo(sa, sa_len,
164 DEBUG2("getnameinfo failed");
168 hs = talloc_zero(ctx, home_server_t);
169 if (!hs) return NULL;
172 * All dynamic home servers are for authentication.
174 hs->type = HOME_TYPE_AUTH;
175 hs->ipaddr = home_server_ip;
176 hs->src_ipaddr.af = home_server_ip.af;
177 hs->log_name = talloc_asprintf(hs, "%s-for-%s", nametemp, realm_name);
178 hs->name = talloc_strdup(hs, nametemp);
180 hs->proto = IPPROTO_TCP;
181 hs->secret = talloc_strdup(hs, "radsec");
182 hs->response_window.tv_sec = 30;
183 hs->last_packet_recv = time(NULL);
185 * We want sockets using these servers to close as soon as possible,
186 * to make sure that whenever a pool is replaced, sockets using old ones
187 * will not last long (hopefully less than 300s).
189 hs->limit.idle_timeout = 5;
190 hs->tls = construct_tls(inst, hs, blk);
191 if (!hs->tls) goto error;
193 realm_home_server_sanitize(hs, NULL);
201 static home_pool_t *servers_to_pool(TALLOC_CTX *ctx,
204 const char *realm_name)
206 home_pool_t *pool = NULL;
207 size_t num_servers = 0, index;
208 TID_SRVR_BLK *server = NULL;
210 num_servers = tid_resp_get_num_servers(resp);
212 pool = talloc_zero_size(ctx, sizeof(*pool) + num_servers *sizeof(home_server_t *));
213 if (!pool) goto error;
215 pool->type = HOME_POOL_CLIENT_PORT_BALANCE;
216 pool->server_type = HOME_TYPE_AUTH;
218 pool->name = build_pool_name(pool, resp);
219 if (!pool->name) goto error;
221 pool->num_home_servers = num_servers;
223 tid_resp_servers_foreach(resp, server, index) {
226 hs = srvr_blk_to_home_server(pool, inst, server, realm_name);
228 pool->servers[index] = hs;
234 if (pool) talloc_free(pool);
239 static void tr_response_func( TIDC_INSTANCE *inst,
240 UNUSED TID_REQ *req, TID_RESP *resp,
243 struct resp_opaque *opaque = (struct resp_opaque *) cookie;
244 REALM *nr = opaque->orig_realm;
246 if (tid_resp_get_result(resp) != TID_SUCCESS) {
249 opaque->result = tid_resp_get_result(resp);
250 memset(opaque->err_msg, 0, sizeof(opaque->err_msg));
252 if (tid_resp_get_err_msg(resp)) {
253 TR_NAME *err_msg = tid_resp_get_err_msg(resp);
254 err_msg_len = err_msg->len+1;
255 if (err_msg_len > sizeof(opaque->err_msg))
256 err_msg_len = sizeof(opaque->err_msg);
257 strlcpy(opaque->err_msg, err_msg->buf, err_msg_len);
263 nr = talloc_zero(NULL, REALM);
265 nr->name = talloc_move(nr, &opaque->fr_realm_name);
266 nr->auth_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
267 if (!realm_realm_add(nr, NULL)) goto error;
270 home_pool_t *old_pool = nr->auth_pool;
271 home_pool_t *new_pool;
273 new_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
275 ERROR("Unable to recreate pool for %s", opaque->fr_realm_name);
278 nr->auth_pool = new_pool;
281 * Mark the old pool as "to be freed"
283 realm_pool_free(old_pool);
286 opaque->output_realm = nr;
290 if (nr && !opaque->orig_realm) {
297 static bool update_required(REALM const *r)
299 const home_pool_t *pool;
301 const home_server_t *server;
302 time_t now = time(NULL);
305 * No pool. Not our realm.
307 if (!r->auth_pool) return false;
311 for (i = 0; i < pool->num_home_servers; i++) {
312 server = pool->servers[i];
315 * The realm was loaded from the configuration
318 if (server->cs) return false;
321 * These values don't make sense.
323 if ((server->last_packet_recv > (now + 5)) ||
324 (server->last_failed_open > (now + 5))) {
329 * If we've opened in the last 10 minutes, then
330 * open rather than update.
332 if ((now - server->last_failed_open) > 600) {
342 REALM *tr_query_realm(REQUEST *request, char const *realm,
343 char const *community,
345 char const *trustrouter,
352 struct resp_opaque cookie;
354 if (!realm) return NULL;
356 if (!trustrouter || (strcmp(trustrouter, "none") == 0)) return NULL;
358 /* clear the cookie structure */
359 memset (&cookie, 0, sizeof(cookie));
361 /* See if the request overrides the community*/
362 vp = fr_pair_find_by_num(request->packet->vps, PW_UKERNA_TR_COI, VENDORPEC_UKERNA, TAG_ANY);
364 community = vp->vp_strvalue;
365 else pair_make_request("Trust-Router-COI", community, T_OP_SET);
367 cookie.fr_realm_name = talloc_asprintf(NULL,
371 cookie.orig_realm = cookie.output_realm = realm_find(cookie.fr_realm_name);
373 if (cookie.orig_realm && !update_required(cookie.orig_realm)) {
374 talloc_free(cookie.fr_realm_name);
375 return cookie.orig_realm;
378 /* Set-up TID connection */
379 DEBUG2("Opening TIDC connection to %s:%u", trustrouter, port);
381 conn = tidc_open_connection(global_tidc, (char *)trustrouter, port, &gssctx);
384 DEBUG2("Error in tidc_open_connection.\n");
388 /* Send a TID request */
389 rcode = tidc_send_request(global_tidc, conn, gssctx, (char *)rprealm,
390 (char *) realm, (char *)community,
391 &tr_response_func, &cookie);
394 DEBUG2("Error in tidc_send_request, rc = %d.\n", rcode);
397 if (cookie.result != TID_SUCCESS) {
398 DEBUG2("TID response is error, rc = %d: %s.\n", cookie.result,
399 cookie.err_msg?cookie.err_msg:"(NO ERROR TEXT)");
401 pair_make_reply("Reply-Message", cookie.err_msg, T_OP_SET);
402 pair_make_reply("Error-Cause", "502", T_OP_SET); /*proxy unroutable*/
406 if (cookie.fr_realm_name)
407 talloc_free(cookie.fr_realm_name);
409 return cookie.output_realm;
411 #endif /* HAVE_TRUST_ROUTER_TR_DH_H */