2 * Copyright (c) 2012, 2015, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
45 #include <tid_internal.h>
46 #include <trust_router/tr_constraint.h>
47 #include <trust_router/tr_dh.h>
48 #include <openssl/rand.h>
/* File-scope database handle and the two prepared INSERT statements.
 * Both statements are prepared right after sqlite3_open (see the
 * sqlite3_prepare_v2 calls further down, whose return codes are not
 * checked).  The writers test the statement pointers for NULL and treat
 * NULL as "no database": tids_req_handler skips the key insert and
 * handle_authorizations skips the authorization insert.  A failed prepare
 * (e.g. a missing table) therefore turns persistence off silently instead
 * of failing the server. */
50 static sqlite3 *db = NULL;
51 static sqlite3_stmt *insert_stmt = NULL;
52 static sqlite3_stmt *authorization_insert = NULL;
/*
 * create_key_id: fill out_id (capacity len bytes) with a key identifier
 * built from random bytes.  The caller treats a return value of -1 as
 * failure.
 *
 * NOTE(review): bin_len is declared on a line not shown here; the indexing
 * at the end assumes bin_len*2 < len after the clamp below — confirm.
 */
54 static int create_key_id(char *out_id, size_t len)
56 unsigned char rand_buf[32];
/* Writes a "key-" prefix.  tr_bin_to_hex below is handed out_id itself
 * rather than out_id+4, so the prefix is presumably overwritten by the hex
 * digits — verify against tr_bin_to_hex before relying on it.  strncpy
 * also leaves out_id unterminated when len <= 4. */
60 strncpy(out_id, "key-", len);
/* Clamp len to what the hex encoding of rand_buf plus its terminator needs. */
63 if (sizeof(rand_buf)*2+1 < len)
64 len = sizeof(rand_buf)*2 + 1;
/* RAND_pseudo_bytes returns -1 on error, 0 when bytes were produced but are
 * not cryptographically strong, and 1 when they are.  Only -1 is treated as
 * failure, so a weak-PRNG result is accepted as a key identifier.  The
 * function is deprecated since OpenSSL 1.1.0; RAND_bytes fails instead of
 * degrading and would be the stricter choice. */
66 if (-1 == RAND_pseudo_bytes(rand_buf, bin_len))
68 tr_bin_to_hex(rand_buf, bin_len, out_id, len);
/* Terminate after the 2*bin_len hex digits. */
69 out_id[bin_len*2] = '\0';
/* Walk the len match strings in wc.  Any string containing '%' is rejected
 * with a talloc'd message in *error; a string with a leading '*' (the
 * constraint wildcard) is copied before being rewritten.  The resulting
 * strings are bound as SQL parameters by handle_authorizations, so the '%'
 * rejection is presumably about LIKE-pattern semantics in the table's
 * consumers rather than injection — confirm against those queries. */
81 for (lc = 0; lc < len; lc++) {
82 if (strchr(wc[lc], '%')) {
/* The caller only reports this message via tr_debug. */
83 *error = talloc_asprintf( req, "Constraint match `%s' is not appropriate for SQL",
/* NOTE(review): what the copy in s is rewritten into is not visible here;
 * presumably the leading '*' becomes the SQL wildcard — confirm. */
87 if ('*' ==wc[lc][0]) {
89 s = talloc_strdup(req, wc[lc]);
/*
 * handle_authorizations: derive the (domain, realm) pairs authorized by the
 * request's constraint set and record one row per pair in the
 * authorizations table, keyed by the hash of the client's DH public key.
 *
 * req      the request: supplies req->cons, req->orig_coi and req->comm, and
 *          serves as the talloc context for temporaries.
 * dh_hash  digest of the client's DH public key (computed by tr_dh_pub_hash
 *          in tids_req_handler).
 * hash_len length of dh_hash; it is declared on the continuation line of
 *          the signature, which is not shown here.
 *
 * Returns int; the caller treats non-zero as failure.  NOTE(review): the
 * sqlite3_step failures below are only logged, and the return statements
 * are not visible here, so whether a failed insert is reported to the
 * caller cannot be confirmed from this code.
 */
99 static int handle_authorizations(TID_REQ *req, const unsigned char *dh_hash,
102 TR_CONSTRAINT_SET *intersected = NULL;
103 const char **domain_wc, **realm_wc;
104 size_t domain_len, realm_len;
105 size_t domain_index, realm_index;
/* A request without constraints authorizes nothing. */
110 tr_debug("Request has no constraints, so no authorizations.");
113 intersected = tr_constraint_set_intersect(req, req->cons);
/* Expand the intersected set into match strings for the "domain" and
 * "realm" constraint types; a non-zero result from either call aborts. */
116 if (0 != tr_constraint_set_get_match_strings(req,
117 intersected, "domain",
118 &domain_wc, &domain_len))
120 if (0 != tr_constraint_set_get_match_strings(req,
121 intersected, "realm",
122 &realm_wc, &realm_len))
124 tr_debug(" %u domain constraint matches and %u realm constraint matches",
125 (unsigned) domain_len, (unsigned) realm_len);
/* Convert the match strings into the form the table expects; a string
 * that cannot be expressed is reported through error.  Both failures are
 * logged at debug level only. */
126 if (0 != sqlify_wc(req, domain_wc, domain_len, &error)) {
127 tr_debug("Processing domain constraints: %s", error);
129 }else if (0 != sqlify_wc(req, realm_wc, realm_len, &error)) {
130 tr_debug("Processing realm constraints: %s", error);
/* authorization_insert is NULL when its prepare failed; the authorizations
 * are then dropped with only a debug message.  An error-level log here
 * would make that condition visible in production. */
133 if (!authorization_insert) {
134 tr_debug( " No database, no authorizations inserted");
/* One row per (domain, realm) combination.  The outer for has no braces;
 * its entire body is the inner loop. */
137 for (domain_index = 0; domain_index < domain_len; domain_index++)
138 for (realm_index = 0; realm_index < realm_len; realm_index++) {
/* coi column: the originating community when present, otherwise
 * req->comm (the test between these two lines is not shown; presumably a
 * NULL check on orig_coi). */
139 TR_NAME *community = req->orig_coi;
141 community = req->comm;
/* Column order follows the prepared INSERT: client_dh_pub, coi,
 * acceptor_realm, hostname, apc.  Every value is bound as a parameter (no
 * SQL is built from strings), and SQLITE_TRANSIENT makes SQLite copy it,
 * so the talloc'd strings may be released afterwards.  Bind return codes
 * are not checked. */
142 sqlite3_bind_blob(authorization_insert, 1, dh_hash, hash_len, SQLITE_TRANSIENT);
143 sqlite3_bind_text(authorization_insert, 2, community->buf, community->len, SQLITE_TRANSIENT);
144 sqlite3_bind_text(authorization_insert, 3, realm_wc[realm_index], -1, SQLITE_TRANSIENT);
145 sqlite3_bind_text(authorization_insert, 4, domain_wc[domain_index], -1, SQLITE_TRANSIENT);
146 sqlite3_bind_text(authorization_insert, 5, req->comm->buf, req->comm->len, SQLITE_TRANSIENT);
/* A failed insert is logged and the loop moves on to the next pair. */
147 sqlite3_result = sqlite3_step(authorization_insert);
148 if (SQLITE_DONE != sqlite3_result)
149 tr_crit("sqlite3: failed to write to database");
/* Reset the statement for its next execution and drop the copied bindings. */
150 sqlite3_reset(authorization_insert);
151 sqlite3_clear_bindings(authorization_insert);
/*
 * tids_req_handler: request callback registered with tids_get_listener.
 * For one client request it appends a server block to the response, builds
 * a DH block matching the client's parameters, derives the shared key and
 * names it, records the client's authorizations, and — when the insert
 * statement is available — stores the key with its expiry.
 *
 * tids  server instance; tids->ipaddr is copied into the server block.
 * req   the client's request (the remaining parameters are on the
 *       continuation lines of the signature, which are not shown here).
 * resp  response to populate.
 *
 * Return value: the return statements are not visible here; the listener
 * presumably treats non-zero as failure — confirm.
 */
157 static int tids_req_handler (TIDS_INSTANCE *tids,
/* Shared DH key derived below.  Its release is on lines not shown.
 * NOTE(review): this is key material — confirm it is zeroized before the
 * buffer is freed. */
162 unsigned char *s_keybuf = NULL;
/* Digest of the client's DH public key; talloc'd under req, freed at the end. */
165 unsigned char *pub_digest=NULL;
166 size_t pub_digest_len;
/* NOTE(review): this dereferences req->realm and req->comm before the NULL
 * test on req further down; if req can be NULL the test should come first. */
169 tr_debug("tids_req_handler: Request received! target_realm = %s, community = %s", req->realm->buf, req->comm->buf);
/* The same condition is tested twice; presumably one operand was meant to
 * be req, which is tested separately below. */
173 if (!(resp) || !resp) {
174 tr_debug("tids_req_handler: No response structure.");
179 /* Allocate a new server block */
/* The result of tid_srvr_blk_new() is not checked directly; the test below
 * catches an allocation failure only if tid_srvr_blk_add leaves
 * resp->servers NULL — confirm. */
180 tid_srvr_blk_add(resp->servers, tid_srvr_blk_new(resp));
181 if (NULL==resp->servers) {
182 tr_crit("tids_req_handler(): unable to allocate server block.");
186 /* TBD -- Set up the server IP Address */
/* Client DH parameters p and g are required to build the matching block. */
188 if (!(req) || !(req->tidc_dh)) {
189 tr_debug("tids_req_handler(): No client DH info.");
193 if ((!req->tidc_dh->p) || (!req->tidc_dh->g)) {
194 tr_debug("tids_req_handler: NULL dh values.");
198 /* Generate the server DH block based on the client DH block */
199 // fprintf(stderr, "Generating the server DH block.\n");
200 // fprintf(stderr, "...from client DH block, dh_g = %s, dh_p = %s.\n", BN_bn2hex(req->tidc_dh->g), BN_bn2hex(req->tidc_dh->p));
202 if (NULL == (resp->servers->aaa_server_dh = tr_create_matching_dh(NULL, 0, req->tidc_dh))) {
203 tr_debug("tids_req_handler: Can't create server DH params.");
/* The talloc_strdup result is not checked for NULL. */
207 resp->servers->aaa_server_addr=talloc_strdup(resp->servers, tids->ipaddr);
209 /* Set the key name */
/* key_id is a local array declared on a line not shown (sizeof is taken). */
210 if (-1 == create_key_id(key_id, sizeof(key_id)))
212 resp->servers->key_name = tr_new_name(key_id);
214 /* Generate the server key */
215 // fprintf(stderr, "Generating the server key.\n");
/* Derive the shared key from the client's public value and the server DH
 * block; a negative length signals failure. */
217 if (0 > (s_keylen = tr_compute_dh_key(&s_keybuf,
218 req->tidc_dh->pub_key,
219 resp->servers->aaa_server_dh))) {
220 tr_debug("tids_req_handler: Key computation failed.");
/* Digest of the client's public key: used as the lookup key for both the
 * authorization rows and the stored key. */
223 if (0 != tr_dh_pub_hash(req,
224 &pub_digest, &pub_digest_len)) {
225 tr_debug("tids_req_handler: Unable to digest client public key");
228 if (0 != handle_authorizations(req, pub_digest, pub_digest_len))
230 tid_srvr_blk_set_path(resp->servers, (TID_PATH *)(req->path));
/* Key lifetime: expiration_interval is in minutes and is clamped to at
 * least one, but has no upper bound.  NOTE(review): if this field is taken
 * from the client's request, a large value yields a very long-lived key and
 * the `* 60` can overflow — consider an upper clamp. */
232 if (req->expiration_interval < 1)
233 req->expiration_interval = 1;
234 g_get_current_time(&resp->servers->key_expiration);
235 resp->servers->key_expiration.tv_sec += req->expiration_interval * 60 /*in minutes*/;
/* Persist the key only when the insert statement was prepared.  Column
 * order follows the prepared INSERT: keyid, key, client_dh_pub,
 * key_expiration.  The raw shared key bytes are stored; a failed step is
 * only logged (tr_crit) and the visible code does not abort the handler. */
237 if (NULL != insert_stmt) {
239 gchar *expiration_str = g_time_val_to_iso8601(&resp->servers->key_expiration);
240 sqlite3_bind_text(insert_stmt, 1, key_id, -1, SQLITE_TRANSIENT);
241 sqlite3_bind_blob(insert_stmt, 2, s_keybuf, s_keylen, SQLITE_TRANSIENT);
242 sqlite3_bind_blob(insert_stmt, 3, pub_digest, pub_digest_len, SQLITE_TRANSIENT);
243 sqlite3_bind_text(insert_stmt, 4, expiration_str, -1, SQLITE_TRANSIENT);
244 g_free(expiration_str); /* bind_text already made its own copy */
245 sqlite3_result = sqlite3_step(insert_stmt);
246 if (SQLITE_DONE != sqlite3_result)
247 tr_crit("sqlite3: failed to write to database");
248 sqlite3_reset(insert_stmt);
249 sqlite3_clear_bindings(insert_stmt);
252 /* Print out the key. */
/* Disabled debug code that would dump the shared key to stderr; it can be
 * deleted rather than kept as a comment. */
253 // fprintf(stderr, "tids_req_handler(): Server Key Generated (len = %d):\n", s_keylen);
254 // for (i = 0; i < s_keylen; i++) {
255 // fprintf(stderr, "%x", s_keybuf[i]);
257 // fprintf(stderr, "\n");
/* talloc_free(NULL) is harmless, so the guard is not required. */
262 if (pub_digest!=NULL)
263 talloc_free(pub_digest);
/*
 * auth_handler: authentication callback registered with tids_get_listener.
 * Compares the authenticated client's name against the expected one and
 * logs a denial when they differ.
 *
 * gss_name         the client's GSS name; not used in the visible lines.
 * client           the client's name as a TR_NAME.
 * expected_client  opaque callback argument, actually a TR_NAME * (presumably
 *                  the gssname passed to tids_get_listener — confirm).
 *
 * Returns the tr_name_cmp result (zero on a match); the return statement
 * and the test that guards the log call are on lines not shown here.
 */
268 static int auth_handler(gss_name_t gss_name, TR_NAME *client,
269 void *expected_client)
271 TR_NAME *expected_client_trname = (TR_NAME*) expected_client;
272 int result=tr_name_cmp(client, expected_client_trname);
/* NOTE(review): the '.*' precision argument of %s must be an int; confirm
 * that TR_NAME's len field is int, otherwise cast it here. */
274 tr_notice("Auth denied for incorrect gss-name ('%.*s' requested, expected '%.*s').",
275 client->len, client->buf,
276 expected_client_trname->len, expected_client_trname->buf);
281 /* command-line option setup */
283 /* argp global parameters */
/* argp reads this global by name; PACKAGE_BUGREPORT comes from the build. */
284 const char *argp_program_bug_address=PACKAGE_BUGREPORT; /* bug reporting address */
287 static const char doc[]=PACKAGE_NAME " - TID Server";
/* The four positional arguments, in the order parse_option assigns them. */
288 static const char arg_doc[]="<ip-address> <gss-name> <hostname> <database-name>"; /* string describing arguments, if any */
290 /* define the options here. Fields are:
291 * { long-name, short-name, variable name, options, help description } */
292 static const struct argp_option cmdline_options[] = {
296 /* structure for communicating with option parser */
/* Filled in by parse_option; its fields hold pointers into argv
 * (ip_address, gss_name, hostname, database_name) and are used unvalidated. */
297 struct cmdline_args {
304 /* parser for individual options - fills in a struct cmdline_args */
/*
 * parse_option: argp callback.  Positional arguments are stored by position
 * (ip-address, gss-name, hostname, database-name) as pointers into argv; no
 * validation of their content happens here.  Returns 0 on success,
 * ARGP_ERR_UNKNOWN for keys this parser does not handle.
 */
305 static error_t parse_option(int key, char *arg, struct argp_state *state)
307 /* get a shorthand to the command line argument structure, part of state */
308 struct cmdline_args *arguments=state->input;
311 case ARGP_KEY_ARG: /* handle argument (not option) */
/* state->arg_num counts positional arguments seen so far. */
312 switch (state->arg_num) {
314 arguments->ip_address=arg;
318 arguments->gss_name=arg;
322 arguments->hostname=arg;
326 arguments->database_name=arg;
330 /* too many arguments */
335 case ARGP_KEY_END: /* no more arguments */
/* All four positional arguments are mandatory. */
336 if (state->arg_num < 4) {
337 /* not enough arguments encountered */
343 return ARGP_ERR_UNKNOWN;
346 return 0; /* success */
349 /* assemble the argp parser */
/* Option table, per-option callback, positional-argument usage string, and
 * program description, in argp's field order. */
350 static struct argp argp = {cmdline_options, parse_option, arg_doc, doc};
356 TR_NAME *gssname = NULL;
357 struct cmdline_args opts={NULL};
358 #define MAX_SOCKETS 10
359 int tids_socket[MAX_SOCKETS];
361 struct pollfd poll_fds[MAX_SOCKETS];
364 /* parse the command line*/
365 argp_parse(&argp, argc, argv, 0, 0, &opts);
367 talloc_set_log_stderr();
369 /* Use standalone logging */
372 /* set logging levels */
373 tr_log_threshold(LOG_CRIT);
374 tr_console_threshold(LOG_DEBUG);
376 gssname = tr_new_name(opts.gss_name);
377 if (SQLITE_OK != sqlite3_open(opts.database_name, &db)) {
378 tr_crit("Error opening database %s", opts.database_name);
381 sqlite3_busy_timeout( db, 1000);
382 sqlite3_prepare_v2(db, "insert into psk_keys_tab (keyid, key, client_dh_pub, key_expiration) values(?, ?, ?, ?)",
383 -1, &insert_stmt, NULL);
384 sqlite3_prepare_v2(db, "insert into authorizations (client_dh_pub, coi, acceptor_realm, hostname, apc) values(?, ?, ?, ?, ?)",
385 -1, &authorization_insert, NULL);
387 /* Create a TID server instance */
388 if (NULL == (tids = tids_create())) {
389 tr_crit("Unable to create TIDS instance, exiting.");
393 tids->ipaddr = opts.ip_address;
395 /* get listener for tids port */
396 n_sockets = tids_get_listener(tids, &tids_req_handler, auth_handler, opts.hostname, TID_PORT, gssname,
397 tids_socket, MAX_SOCKETS);
399 for (ii=0; ii<n_sockets; ii++) {
400 poll_fds[ii].fd=tids_socket[ii];
401 poll_fds[ii].events=POLLIN; /* poll on ready for reading */
402 poll_fds[ii].revents=0;
405 /* main event loop */
407 /* wait up to 100 ms for an event, then handle any idle work */
408 if(poll(poll_fds, n_sockets, 100) > 0) {
409 for (ii=0; ii<n_sockets; ii++) {
410 if (poll_fds[ii].revents & POLLIN) {
411 if (0 != tids_accept(tids, tids_socket[ii])) {
412 tr_err("Error handling tids request.");
417 /* idle loop stuff here */
420 /* Clean-up the TID server instance */