2 * Copyright (c) 2012, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
42 #include <tid_internal.h>
43 #include <trust_router/tr_constraint.h>
44 #include <trust_router/tr_dh.h>
45 #include <openssl/rand.h>
47 static sqlite3 *db = NULL;
48 static sqlite3_stmt *insert_stmt = NULL;
49 static sqlite3_stmt *authorization_insert = NULL;
/*
 * Fill out_id with a fresh key identifier: the literal prefix "key-"
 * followed by the hex encoding of random bytes.  The identifier is the
 * lookup key under which the computed DH shared secret is later stored
 * (see the psk_keys insert in tids_req_handler).
 *
 * @param out_id  caller-supplied buffer receiving the NUL-terminated id
 * @param len     size of out_id in bytes
 * @return -1 on failure (the caller tests for -1); the return statements
 *         themselves are on lines not in this listing
 *
 * NOTE(review): this listing omits lines 52, 54-56, 58-59, 62, 64 and
 * 67-77 of the original, including the declaration of bin_len, any code
 * that advances out_id/len past the "key-" prefix, and the returns.
 * Read the full source before relying on the comments below.
 */
51 static int create_key_id(char *out_id, size_t len)
53 unsigned char rand_buf[32];
/* strncpy() does not NUL-terminate when len < 5; the explicit terminator
 * written at line 66 is what makes the result a valid C string. */
57 strncpy(out_id, "key-", len);
/* Clamp len to what 32 random bytes can fill in hex, plus the terminator. */
60 if (sizeof(rand_buf)*2+1 < len)
61 len = sizeof(rand_buf)*2 + 1;
/* RAND_pseudo_bytes() returns 1 for cryptographically strong output, 0 when
 * the output is NOT strong, and -1 when unsupported.  Only -1 is treated as
 * failure here, so a 0 result (weak randomness) is silently accepted.  The
 * function is deprecated since OpenSSL 1.1.0; RAND_bytes() is the
 * replacement and returns 1 only on success. */
63 if (-1 == RAND_pseudo_bytes(rand_buf, bin_len))
/* Hex-encode bin_len random bytes into out_id.  As shown, this writes at
 * out_id itself, i.e. over the "key-" prefix, unless one of the omitted
 * lines advances the pointer first -- TODO confirm against the full file. */
65 tr_bin_to_hex(rand_buf, bin_len, out_id, len);
/* Terminate after the 2*bin_len hex digits.  Assumes bin_len*2 < len, which
 * must be guaranteed by the bin_len computation on the omitted lines. */
66 out_id[bin_len*2] = '\0';
/* Fragment of sqlify_wc(): the function header, the lines between 80 and
 * 84, line 85 and everything after 86 are not in this listing.  What is
 * visible: each constraint match string wc[lc] is rejected (with an error
 * message talloc'd on req) if it contains '%', and a match starting with
 * '*' is duplicated with talloc_strdup -- presumably to be rewritten into
 * SQL wildcard form, TODO confirm in the full source.
 *
 * NOTE(review): '%' is rejected because it is the SQL LIKE multi-character
 * wildcard, but '_' (the LIKE single-character wildcard) is not checked
 * here.  Whether that matters depends on how the stored strings are later
 * matched (LIKE vs. '=') -- confirm against the consuming query. */
78 for (lc = 0; lc < len; lc++) {
79 if (strchr(wc[lc], '%')) {
80 *error = talloc_asprintf( req, "Constraint match `%s' is not appropriate for SQL",
84 if ('*' ==wc[lc][0]) {
86 s = talloc_strdup(req, wc[lc]);
/*
 * Record which (realm, domain) wildcard pairs the client identified by
 * dh_hash is authorized for: one row per pair in the authorizations table.
 *
 * @param req      the TID request; its constraint set (req->cons) is
 *                 intersected, and req also serves as the talloc context
 *                 for the match-string arrays and the error text
 * @param dh_hash  digest of the client's DH public key, stored as the
 *                 client identity column
 * (the remaining parameter, hash_len, is on signature line 97, not in view)
 * @return 0 on success, non-zero on failure, as tested by the caller in
 *         tids_req_handler; the return statements are on omitted lines
 *
 * NOTE(review): lines 97-98, 103-106, 108-109, 111-112, 116, 120, 125,
 * 128-129, 132-133, 137 and 148-152 are omitted from this listing; the
 * declarations of error and sqlite3_result, every early-return path and
 * the final return value live there.
 */
96 static int handle_authorizations(TID_REQ *req, const unsigned char *dh_hash,
99 TR_CONSTRAINT_SET *intersected = NULL;
100 const char **domain_wc, **realm_wc;
101 size_t domain_len, realm_len;
102 size_t domain_index, realm_index;
/* Reached when the request carries no constraint set (the condition is on
 * omitted line 106). */
107 tr_debug("Request has no constraints, so no authorizations.");
110 intersected = tr_constraint_set_intersect(req, req->cons);
/* Pull the "domain" and "realm" match strings out of the intersection; a
 * non-zero return takes an error path on the omitted lines 116 / 120. */
113 if (0 != tr_constraint_set_get_match_strings(req,
114 intersected, "domain",
115 &domain_wc, &domain_len))
117 if (0 != tr_constraint_set_get_match_strings(req,
118 intersected, "realm",
119 &realm_wc, &realm_len))
121 tr_debug(" %u domain constraint matches and %u realm constraint matches",
122 (unsigned) domain_len, (unsigned) realm_len);
/* Reject (or rewrite) match strings that are unsafe for the SQL that will
 * later consume them; on failure sqlify_wc leaves an explanation in error. */
123 if (0 != sqlify_wc(req, domain_wc, domain_len, &error)) {
124 tr_debug("Processing domain constraints: %s", error);
126 }else if (0 != sqlify_wc(req, realm_wc, realm_len, &error)) {
127 tr_debug("Processing realm constraints: %s", error);
/* authorization_insert is prepared at startup (sqlite3_prepare_v2 in the
 * entry point); if that failed or no database was opened, nothing is
 * persisted and this is not treated as an error. */
130 if (!authorization_insert) {
131 tr_debug( " No database, no authorizations inserted");
/* One row per (domain, realm) pair.  Every value is passed as a bound
 * parameter (SQLITE_TRANSIENT: sqlite takes its own copy), never spliced
 * into the statement text, so constraint strings cannot alter the SQL. */
134 for (domain_index = 0; domain_index < domain_len; domain_index++)
135 for (realm_index = 0; realm_index < realm_len; realm_index++) {
/* coi column: the original COI, replaced by the community under a
 * condition on omitted line 137 (presumably when orig_coi is NULL). */
136 TR_NAME *community = req->orig_coi;
138 community = req->comm;
139 sqlite3_bind_blob(authorization_insert, 1, dh_hash, hash_len, SQLITE_TRANSIENT);
140 sqlite3_bind_text(authorization_insert, 2, community->buf, community->len, SQLITE_TRANSIENT);
141 sqlite3_bind_text(authorization_insert, 3, realm_wc[realm_index], -1, SQLITE_TRANSIENT);
142 sqlite3_bind_text(authorization_insert, 4, domain_wc[domain_index], -1, SQLITE_TRANSIENT);
143 sqlite3_bind_text(authorization_insert, 5, req->comm->buf, req->comm->len, SQLITE_TRANSIENT);
/* NOTE(review): the sqlite3_bind_* results above are unchecked, and a failed
 * step is only logged -- the loop carries on, so the caller cannot tell that
 * some authorization rows were never written. */
144 sqlite3_result = sqlite3_step(authorization_insert);
145 if (SQLITE_DONE != sqlite3_result)
146 tr_crit("sqlite3: failed to write to database");
/* Reset so the statement can be re-bound on the next iteration. */
147 sqlite3_reset(authorization_insert);
/*
 * Request handler installed via tids_start(): builds the server side of a
 * TID response for one request.  Visible steps: allocate one server block,
 * derive DH parameters matching the client's, compute the DH shared key,
 * mint a key id, persist key + client-key digest in psk_keys, and record
 * the derived authorizations via handle_authorizations().
 *
 * NOTE(review): this listing omits lines 154-157, 159-160, 163-164,
 * 166-168, 171-173, 177-178, 181, 183, 186-188, 191-193, 197, 200-202,
 * 205-207, 210, 212, 215, 220-221, 225-226, 228, 230, 238-239, 244 and
 * 246-248: the rest of the signature (req, resp), the declarations of
 * key_id, s_keylen and sqlite3_result, every error-path return and the
 * final cleanup/return.  In particular, whether s_keybuf (the DH shared
 * secret) and pub_digest are freed and wiped after use is not visible
 * here -- TODO confirm in the full source.
 */
153 static int tids_req_handler (TIDS_INSTANCE *tids,
158 unsigned char *s_keybuf = NULL;
161 unsigned char *pub_digest;
162 size_t pub_digest_len;
/* NOTE(review): req->realm and req->comm are dereferenced here, before the
 * NULL check on req at line 184 below, so that later check cannot protect
 * this line. */
165 tr_debug("tids_req_handler: Request received! target_realm = %s, community = %s", req->realm->buf, req->comm->buf);
/* NOTE(review): both operands test resp; the second is redundant.  Probably
 * a typo rather than a missing check, since req is tested at line 184. */
169 if (!(resp) || !resp) {
170 tr_debug("tids_req_handler: No response structure.");
174 /* Allocate a new server block */
/* Zeroed immediately afterwards (line 179); calloc() would express the same
 * intent in one call. */
175 if (NULL == (resp->servers = malloc(sizeof(TID_SRVR_BLK)))){
176 tr_crit("tids_req_handler(): malloc failed.");
179 memset(resp->servers, 0, sizeof(TID_SRVR_BLK));
180 resp->num_servers = 1;
182 /* TBD -- Set up the server IP Address */
184 if (!(req) || !(req->tidc_dh)) {
185 tr_debug("tids_req_handler(): No client DH info.");
189 if ((!req->tidc_dh->p) || (!req->tidc_dh->g)) {
190 tr_debug("tids_req_handler: NULL dh values.");
194 /* Generate the server DH block based on the client DH block */
/* The two disabled fprintf calls below would print the DH generator and
 * prime to stderr; they should stay disabled (or be deleted). */
195 // fprintf(stderr, "Generating the server DH block.\n");
196 // fprintf(stderr, "...from client DH block, dh_g = %s, dh_p = %s.\n", BN_bn2hex(req->tidc_dh->g), BN_bn2hex(req->tidc_dh->p));
198 if (NULL == (resp->servers->aaa_server_dh = tr_create_matching_dh(NULL, 0, req->tidc_dh))) {
199 tr_debug("tids_req_handler: Can't create server DH params.");
/* inet_aton() returns 0 on a malformed address. */
203 if (0 == inet_aton(tids->ipaddr, &(resp->servers->aaa_server_addr))) {
204 tr_debug("tids_req_handler: inet_aton() failed.");
208 /* Set the key name */
/* key_id is declared on an omitted line; create_key_id() fills it with
 * "key-" followed by hex random bytes and returns -1 on failure. */
209 if (-1 == create_key_id(key_id, sizeof(key_id)))
211 resp->servers->key_name = tr_new_name(key_id);
213 /* Generate the server key */
214 // fprintf(stderr, "Generating the server key.\n");
/* Shared secret derived from the client's DH public key and our freshly
 * created DH params.  s_keybuf is allocated by tr_compute_dh_key; who frees
 * (and wipes) it is on lines not in view -- confirm. */
216 if (0 > (s_keylen = tr_compute_dh_key(&s_keybuf,
217 req->tidc_dh->pub_key,
218 resp->servers->aaa_server_dh))) {
219 tr_debug("tids_req_handler: Key computation failed.");
/* Digest of the client's DH public key: the identity under which both the
 * psk_keys row and the authorizations rows are stored. */
222 if (0 != tr_dh_pub_hash(req,
223 &pub_digest, &pub_digest_len)) {
224 tr_debug("tids_req_handler: Unable to digest client public key");
227 if (0 != handle_authorizations(req, pub_digest, pub_digest_len))
/* insert_stmt is NULL when the psk_keys insert could not be prepared at
 * startup; the key is then simply not persisted.  Values are bound
 * parameters (SQLITE_TRANSIENT: sqlite takes its own copy). */
229 if (NULL != insert_stmt) {
231 sqlite3_bind_text(insert_stmt, 1, key_id, -1, SQLITE_TRANSIENT);
232 sqlite3_bind_blob(insert_stmt, 2, s_keybuf, s_keylen, SQLITE_TRANSIENT);
233 sqlite3_bind_blob(insert_stmt, 3, pub_digest, pub_digest_len, SQLITE_TRANSIENT);
/* NOTE(review): bind results are unchecked and a failed step is only logged
 * with tr_crit; on the visible lines it does not fail the request (lines
 * 238-239 are omitted -- confirm). */
234 sqlite3_result = sqlite3_step(insert_stmt);
235 if (SQLITE_DONE != sqlite3_result)
236 tr_crit("sqlite3: failed to write to database");
237 sqlite3_reset(insert_stmt);
240 /* Print out the key. */
/* NOTE(review): the disabled loop below would dump the raw DH shared secret
 * to stderr byte by byte; it should stay disabled (or be deleted) rather
 * than be re-enabled for debugging. */
241 // fprintf(stderr, "tids_req_handler(): Server Key Generated (len = %d):\n", s_keylen);
242 // for (i = 0; i < s_keylen; i++) {
243 // fprintf(stderr, "%x", s_keybuf[i]);
245 // fprintf(stderr, "\n");
/*
 * GSS authentication callback handed to tids_start(): decides whether the
 * connecting client is the one this server was started for, by comparing
 * TR_NAMEs rather than GSS names.
 *
 * @param gss_name         the authenticated GSS name; not consulted here
 * @param client           TR_NAME of the connecting client
 * @param expected_client  opaque callback context, which is really a
 *                         TR_NAME * (the name given on the command line)
 * @return whatever tr_name_cmp(client, expected_client) returns
 *         (presumably 0 on a match, strcmp-style -- confirm against
 *         tr_name_cmp's definition)
 */
static int auth_handler(gss_name_t gss_name, TR_NAME *client,
                        void *expected_client)
{
    (void) gss_name;
    /* void * converts implicitly to TR_NAME * in C; no cast needed. */
    return tr_name_cmp(client, expected_client);
}
/* Body of the program entry point (its signature and lines 254-262 are not
 * in this listing; the argc/argv usage and the Usage message identify it as
 * main()).  Visible responsibilities: take the four positional arguments,
 * open the sqlite database, prepare the two insert statements used by the
 * request handler, and run the TID server. */
263 const char *hostname = NULL;
264 TR_NAME *gssname = NULL;
266 talloc_set_log_stderr();
267 /* Parse command-line arguments */
/* The argument-count test guarding argv[1..4] is on omitted line 268. */
269 fprintf(stdout, "Usage: %s <ip-address> <gss-name> <hostname> <database-name>\n", argv[0]);
273 /* set logging levels */
274 tr_log_threshold(LOG_CRIT);
275 tr_console_threshold(LOG_DEBUG);
277 ipaddr = (char *)argv[1];
278 gssname = tr_new_name((char *) argv[2]);
/* hostname is initialised to NULL above and handed to tids_start() below;
 * its assignment from argv[3] is not visible in this listing (line 279 is
 * omitted) -- confirm. */
280 if (SQLITE_OK != sqlite3_open(argv[4], &db)) {
281 tr_crit("Error opening database %s", argv[4]);
/* Wait up to 1000 ms on a locked database instead of failing immediately. */
284 sqlite3_busy_timeout( db, 1000);
/* NOTE(review): the sqlite3_prepare_v2() results are not checked.  If either
 * statement fails to compile (e.g. a missing table), insert_stmt /
 * authorization_insert stay NULL and the request handler silently skips
 * persistence via its "No database" paths -- a schema problem would only
 * show up as missing rows.  Logging sqlite3_errmsg(db) here would make that
 * visible at startup. */
285 sqlite3_prepare_v2(db, "insert into psk_keys (keyid, key, client_dh_pub) values(?, ?, ?)",
286 -1, &insert_stmt, NULL);
287 sqlite3_prepare_v2(db, "insert into authorizations (client_dh_pub, coi, acceptor_realm, hostname, apc) values(?, ?, ?, ?, ?)",
288 -1, &authorization_insert, NULL);
290 /* Create a TID server instance */
291 if (NULL == (tids = tids_create())) {
292 tr_crit("Unable to create TIDS instance, exiting.");
296 tids->ipaddr = ipaddr;
298 /* Start-up the server, won't return unless there is an error. */
/* tids_req_handler handles requests, auth_handler gates clients against
 * gssname; control only comes back here on error, hence the tr_crit. */
299 rc = tids_start(tids, &tids_req_handler , auth_handler, hostname, TID_PORT, gssname);
301 tr_crit("Error in tids_start(), rc = %d. Exiting.", rc);
303 /* Clean-up the TID server instance */