2 * Copyright (c) 2016, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <trust_router/tr_dh.h>
38 #include <tid_internal.h>
39 #include <tr_filter.h>
46 #include <trp_internal.h>
47 #include <tr_config.h>
52 /* Structure to hold data for the tid response callback */
53 typedef struct tr_resp_cookie {
58 /* hold a tids instance and a config manager */
59 struct tr_tids_event_cookie {
65 static void tr_tidc_resp_handler(TIDC_INSTANCE *tidc,
70 TR_RESP_COOKIE *cookie=talloc_get_type_abort(resp_cookie, TR_RESP_COOKIE);
72 tr_debug("tr_tidc_resp_handler: Response received! Realm = %s, Community = %s, result = %s.",
75 (TID_SUCCESS==resp->result)?"success":"error");
77 if (resp->error_path!=NULL)
78 tr_debug("tr_tids_resp_handler: error_path is set.");
79 cookie->resp=tid_resp_dup(cookie, resp);
82 /* data for AAA req forwarding threads */
83 struct tr_tids_fwd_cookie {
85 pthread_mutex_t mutex; /* lock on the mq (separate from the locking within the mq, see below) */
86 TR_MQ *mq; /* messages from thread to main process; set to NULL to disable response */
87 TR_NAME *aaa_hostname;
89 TID_REQ *fwd_req; /* the req to duplicate */
92 static int tr_tids_fwd_cookie_destructor(void *obj)
94 struct tr_tids_fwd_cookie *c=talloc_get_type_abort(obj, struct tr_tids_fwd_cookie);
95 if (c->aaa_hostname!=NULL)
96 tr_free_name(c->aaa_hostname);
97 if (c->dh_params!=NULL)
98 tr_destroy_dh_params(c->dh_params);
102 /* Block until we get the lock, returns 0 on success.
103 * The mutex is used to protect changes to the mq pointer in
104 * a thread's cookie. The master thread sets this to null to indicate
105 * that it has abandoned the thread and the message queue is no longer
106 * valid. This is unrelated to the locking in the message queue
107 * implementation itself. */
108 static int tr_tids_fwd_get_mutex(struct tr_tids_fwd_cookie *cookie)
113 return (pthread_mutex_lock(&(cookie->mutex)));
116 static int tr_tids_fwd_release_mutex(struct tr_tids_fwd_cookie *cookie)
121 return (pthread_mutex_unlock(&(cookie->mutex)));
124 /* values for messages */
125 #define TR_TID_MQMSG_SUCCESS "tid success"
126 #define TR_TID_MQMSG_FAILURE "tid failure"
128 /* Thread main for sending and receiving a request to a single AAA server */
129 static void *tr_tids_req_fwd_thread(void *arg)
131 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
132 struct tr_tids_fwd_cookie *args=talloc_get_type_abort(arg, struct tr_tids_fwd_cookie);
133 TIDC_INSTANCE *tidc=tidc_create();
135 TR_RESP_COOKIE *cookie=NULL;
139 talloc_steal(tmp_ctx, args); /* take responsibility for the cookie */
142 talloc_steal(tmp_ctx, tidc);
144 /* create the cookie we will use for our response */
145 cookie=talloc(tmp_ctx, TR_RESP_COOKIE);
147 tr_notice("tr_tids_req_fwd_thread: unable to allocate response cookie.");
151 cookie->thread_id=args->thread_id;
152 tr_debug("tr_tids_req_fwd_thread: thread %d started.", cookie->thread_id);
154 /* Create a TID client instance */
156 tr_crit("tr_tids_req_fwd_thread: Unable to allocate TIDC instance.");
157 /*tids_send_err_response(tids, orig_req, "Memory allocation failure");*/
158 /* TODO: encode reason for failure */
163 /* Set-up TID connection */
164 if (-1==(args->fwd_req->conn = tidc_open_connection(tidc,
165 args->aaa_hostname->buf,
166 TID_PORT, /* TODO: make this configurable */
167 &(args->fwd_req->gssctx)))) {
168 tr_notice("tr_tids_req_fwd_thread: Error in tidc_open_connection.");
169 /* tids_send_err_response(tids, orig_req, "Can't open connection to next hop TIDS"); */
170 /* TODO: encode reason for failure */
174 tr_debug("tr_tids_req_fwd_thread: thread %d opened TID connection to %s.",
176 args->aaa_hostname->buf);
178 /* Send a TID request. */
179 if (0 > (rc = tidc_fwd_request(tidc, args->fwd_req, tr_tidc_resp_handler, (void *)cookie))) {
180 tr_notice("Error from tidc_fwd_request, rc = %d.", rc);
184 /* cookie->resp should now contain our copy of the response */
186 tr_debug("tr_tids_req_fwd_thread: thread %d received response.");
189 /* Notify parent thread of the response, if it's still listening. */
190 if (0!=tr_tids_fwd_get_mutex(args)) {
191 tr_notice("tr_tids_req_fwd_thread: thread %d unable to acquire mutex.", cookie->thread_id);
192 } else if (NULL!=args->mq) {
193 /* mq is still valid, so we can queue our response */
194 tr_debug("tr_tids_req_fwd_thread: thread %d using valid msg queue.", cookie->thread_id);
196 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_SUCCESS, TR_MQ_PRIO_NORMAL);
198 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_FAILURE, TR_MQ_PRIO_NORMAL);
201 tr_notice("tr_tids_req_fwd_thread: thread %d unable to allocate response msg.", cookie->thread_id);
203 tr_mq_msg_set_payload(msg, (void *)cookie, NULL);
205 talloc_steal(msg, cookie); /* attach this to the msg so we can forget about it */
206 tr_mq_add(args->mq, msg);
207 talloc_steal(NULL, args); /* take out of our tmp_ctx; master thread now responsible for freeing */
208 tr_debug("tr_tids_req_fwd_thread: thread %d queued response message.", cookie->thread_id);
209 if (0!=tr_tids_fwd_release_mutex(args))
210 tr_notice("tr_tids_req_fwd_thread: Error releasing mutex.");
213 talloc_free(tmp_ctx);
217 /* Merges r2 into r1 if they are compatible. */
218 static TID_RC tr_tids_merge_resps(TID_RESP *r1, TID_RESP *r2)
220 /* ensure these are compatible replies */
221 if ((r1->result!=TID_SUCCESS) || (r2->result!=TID_SUCCESS))
224 if ((0!=tr_name_cmp(r1->rp_realm, r2->rp_realm)) ||
225 (0!=tr_name_cmp(r1->realm, r2->realm)) ||
226 (0!=tr_name_cmp(r1->comm, r2->comm)))
229 tid_srvr_blk_add(r1->servers, tid_srvr_blk_dup(r1, r2->servers));
233 static int tr_tids_req_handler(TIDS_INSTANCE *tids,
238 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
239 TR_AAA_SERVER *aaa_servers=NULL, *this_aaa=NULL;
242 TR_AAA_SERVER_ITER *aaa_iter=NULL;
243 pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
244 struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
245 TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
246 TR_RP_CLIENT *rp_client=NULL;
247 TR_RP_CLIENT_ITER *rpc_iter=NULL;
249 TID_REQ *fwd_req = NULL;
250 TR_COMM *cfg_comm = NULL;
251 TR_COMM *cfg_apc = NULL;
252 TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
253 time_t expiration_interval=0;
254 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
255 TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
256 TRPS_INSTANCE *trps=cookie->trps;
257 TRP_ROUTE *route=NULL;
260 unsigned int n_responses=0;
261 unsigned int n_failed=0;
262 struct timespec ts_abort={0};
263 unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
264 unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
265 TR_RESP_COOKIE *payload=NULL;
266 TR_FILTER_TARGET *target=NULL;
270 if ((!tids) || (!orig_req) || (!resp)) {
271 tr_debug("tr_tids_req_handler: Bad parameters");
276 tr_debug("tr_tids_req_handler: Request received (conn = %d)! Realm = %s, Comm = %s", orig_req->conn,
277 orig_req->realm->buf, orig_req->comm->buf);
278 if (orig_req->request_id)
279 tr_debug("tr_tids_req_handler: TID request ID: %.*s", orig_req->request_id->len, orig_req->request_id->buf);
281 tr_debug("tr_tids_req_handler: TID request ID: none");
285 /* Duplicate the request, so we can modify and forward it */
286 if (NULL == (fwd_req=tid_dup_req(orig_req))) {
287 tr_debug("tr_tids_req_handler: Unable to duplicate request.");
291 talloc_steal(tmp_ctx, fwd_req);
293 if (NULL == (cfg_comm=tr_comm_table_find_comm(cfg_mgr->active->ctable, orig_req->comm))) {
294 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
295 tids_send_err_response(tids, orig_req, "Unknown community");
300 /* We now need to apply the filters associated with the RP client handing us the request.
301 * It is possible (or even likely) that more than one client is associated with the GSS
302 * name we got from the authentication. We will apply all of them in an arbitrary order.
303 * For this to result in well-defined behavior, either only accept or only reject filter
304 * lines should be used, or a unique GSS name must be given for each RP realm. */
306 if (!tids->gss_name) {
307 tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
308 tids_send_err_response(tids, orig_req, "No GSS name for request");
313 /* Keep original constraints, may add more from the filter. These will be added to orig_req as
314 * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
315 fwd_req->cons=orig_req->cons;
317 target=tr_filter_target_tid_req(tmp_ctx, orig_req);
319 tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
320 tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
325 rpc_iter=tr_rp_client_iter_new(tmp_ctx);
326 if (rpc_iter==NULL) {
327 tr_err("tid_req_handler: Unable to allocate RP client iterator.");
331 for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
333 rp_client=tr_rp_client_iter_next(rpc_iter)) {
335 if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
336 continue; /* skip any that don't match the GSS name */
338 if (TR_FILTER_MATCH == tr_filter_apply(target,
339 tr_filter_set_get(rp_client->filters,
340 TR_FILTER_TYPE_TID_INBOUND),
343 break; /* Stop looking, oaction is set */
346 /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
347 * a default action of reject, so we don't have to check why we exited the loop. */
348 if (oaction != TR_FILTER_ACTION_ACCEPT) {
349 tr_notice("tr_tids_req_handler: Incoming TID request rejected by filter for GSS name", orig_req->rp_realm->buf);
350 tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
355 /* Check that the rp_realm is a member of the community in the request */
356 if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
357 tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
358 tids_send_err_response(tids, orig_req, "RP COI membership error");
363 /* Map the comm in the request from a COI to an APC, if needed */
364 if (TR_COMM_COI == cfg_comm->type) {
365 if (orig_req->orig_coi!=NULL) {
366 tr_notice("tr_tids_req_handler: community %s is COI but COI to APC mapping already occurred. Dropping request.",
367 orig_req->comm->buf);
368 tids_send_err_response(tids, orig_req, "Second COI to APC mapping would result, permitted only once.");
373 tr_debug("tr_tids_req_handler: Community was a COI, switching.");
374 /* TBD -- In theory there can be more than one? How would that work? */
375 if ((!cfg_comm->apcs) || (!cfg_comm->apcs->id)) {
376 tr_notice("No valid APC for COI %s.", orig_req->comm->buf);
377 tids_send_err_response(tids, orig_req, "No valid APC for community");
381 apc = tr_dup_name(cfg_comm->apcs->id);
383 /* Check that the APC is configured */
384 if (NULL == (cfg_apc = tr_comm_table_find_comm(cfg_mgr->active->ctable, apc))) {
385 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", apc->buf);
386 tids_send_err_response(tids, orig_req, "Unknown APC");
392 fwd_req->orig_coi = orig_req->comm;
394 /* Check that rp_realm is a member of this APC */
395 if (NULL == (tr_comm_find_rp(cfg_mgr->active->ctable, cfg_apc, orig_req->rp_realm))) {
396 tr_notice("tr_tids_req_hander: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
397 tids_send_err_response(tids, orig_req, "RP APC membership error");
403 /* Look up the route for this community/realm. */
404 tr_debug("tr_tids_req_handler: looking up route.");
405 route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
407 /* No route. Use default AAA servers if we have them. */
408 tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
409 if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
411 tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
412 tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
418 /* Found a route. Determine the AAA servers or next hop address. */
419 tr_debug("tr_tids_req_handler: found route.");
420 if (trp_route_is_local(route)) {
421 tr_debug("tr_tids_req_handler: route is local.");
422 aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
427 tr_debug("tr_tids_req_handler: route not local.");
428 aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
432 /* Since we aren't defaulting, check idp coi and apc membership */
433 if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
434 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
435 tids_send_err_response(tids, orig_req, "IDP community membership error");
439 if ( cfg_apc && (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_apc, fwd_req->realm)))) {
440 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, orig_req->comm->buf);
441 tids_send_err_response(tids, orig_req, "IDP APC membership error");
447 /* Make sure we came through with a AAA server. If not, we can't handle the request. */
448 if (NULL == aaa_servers) {
449 tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
450 orig_req->realm->buf, orig_req->comm->buf);
451 tids_send_err_response(tids, orig_req, "Missing trust route error");
456 /* send a TID request to the AAA server(s), and get the answer(s) */
457 tr_debug("tr_tids_req_handler: sending TID request(s).");
459 expiration_interval = cfg_apc->expiration_interval;
460 else expiration_interval = cfg_comm->expiration_interval;
461 if (fwd_req->expiration_interval)
462 fwd_req->expiration_interval = (expiration_interval < fwd_req->expiration_interval) ? expiration_interval : fwd_req->expiration_interval;
463 else fwd_req->expiration_interval = expiration_interval;
465 /* Set up message queue for replies from req forwarding threads */
466 mq=tr_mq_new(tmp_ctx);
468 tr_notice("tr_tids_req_handler: unable to allocate message queue.");
472 tr_debug("tr_tids_req_handler: message queue allocated.");
475 aaa_iter=tr_aaa_server_iter_new(tmp_ctx);
476 if (aaa_iter==NULL) {
477 tr_notice("tr_tids_req_handler: unable to allocate AAA server iterator.");
481 for (n_aaa=0, this_aaa=tr_aaa_server_iter_first(aaa_iter, aaa_servers);
483 n_aaa++, this_aaa=tr_aaa_server_iter_next(aaa_iter)) {
484 tr_debug("tr_tids_req_handler: Preparing to start thread %d.", n_aaa);
486 aaa_cookie[n_aaa]=talloc(tmp_ctx, struct tr_tids_fwd_cookie);
487 if (aaa_cookie[n_aaa]==NULL) {
488 tr_notice("tr_tids_req_handler: unable to allocate cookie for AAA thread %d.", n_aaa);
492 talloc_set_destructor((void *)(aaa_cookie[n_aaa]), tr_tids_fwd_cookie_destructor);
493 /* fill in the cookie. To ensure the thread has valid data even if we exit first and
494 * abandon it, duplicate anything pointed to (except the mq). */
495 aaa_cookie[n_aaa]->thread_id=n_aaa;
496 if (0!=pthread_mutex_init(&(aaa_cookie[n_aaa]->mutex), NULL)) {
497 tr_notice("tr_tids_req_handler: unable to init mutex for AAA thread %d.", n_aaa);
501 aaa_cookie[n_aaa]->mq=mq;
502 aaa_cookie[n_aaa]->aaa_hostname=tr_dup_name(this_aaa->hostname);
503 aaa_cookie[n_aaa]->dh_params=tr_dh_dup(orig_req->tidc_dh);
504 aaa_cookie[n_aaa]->fwd_req=tid_dup_req(fwd_req);
505 talloc_steal(aaa_cookie[n_aaa], aaa_cookie[n_aaa]->fwd_req);
506 tr_debug("tr_tids_req_handler: cookie %d initialized.", n_aaa);
508 /* Take the cookie out of tmp_ctx before starting thread. If thread starts, it becomes
509 * responsible for freeing it until it queues a response. If we did not do this, the possibility
510 * exists that this function exits, freeing the cookie, before the thread takes the cookie
511 * out of our tmp_ctx. This would cause a segfault or talloc error in the thread. */
512 talloc_steal(NULL, aaa_cookie[n_aaa]);
513 if (0!=pthread_create(&(aaa_thread[n_aaa]), NULL, tr_tids_req_fwd_thread, aaa_cookie[n_aaa])) {
514 talloc_steal(tmp_ctx, aaa_cookie[n_aaa]); /* thread start failed; steal this back */
515 tr_notice("tr_tids_req_handler: unable to start AAA thread %d.", n_aaa);
519 tr_debug("tr_tids_req_handler: thread %d started.", n_aaa);
522 /* determine expiration time */
523 if (0!=tr_mq_pop_timeout(cfg_mgr->active->internal->tid_req_timeout, &ts_abort)) {
524 tr_notice("tr_tids_req_handler: unable to read clock for timeout.");
529 /* wait for responses */
530 tr_debug("tr_tids_req_handler: waiting for response(s).");
533 while (((n_responses+n_failed)<n_aaa) &&
534 (NULL!=(msg=tr_mq_pop(mq, &ts_abort)))) {
535 /* process message */
536 if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_SUCCESS)) {
537 payload=talloc_get_type_abort(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
538 talloc_steal(tmp_ctx, payload); /* put this back in our context */
539 aaa_resp[payload->thread_id]=payload->resp; /* save pointers to these */
541 if (payload->resp->result==TID_SUCCESS) {
542 tr_tids_merge_resps(resp, payload->resp);
546 tr_notice("tr_tids_req_handler: TID error received from AAA server %d: %.*s",
548 payload->resp->err_msg->len,
549 payload->resp->err_msg->buf);
551 } else if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_FAILURE)) {
554 payload=talloc_get_type(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
556 talloc_steal(tmp_ctx, payload); /* put this back in our context */
558 /* this means the thread was unable to allocate a response cookie, and we thus cannot determine which thread it was. This is bad and should never happen in a working system.. Give up. */
559 tr_notice("tr_tids_req_handler: TID request thread sent invalid reply. Aborting!");
563 tr_notice("tr_tids_req_handler: TID request for AAA server %d failed.",
566 /* unexpected message */
567 tr_err("tr_tids_req_handler: Unexpected message received. Aborting!");
572 /* Set the cookie pointer to NULL so we know we've dealt with this one. The
573 * cookie itself is in our tmp_ctx, which we'll free before exiting. Let it hang
574 * around in case we are still using pointers to elements of the cookie. */
575 aaa_cookie[payload->thread_id]=NULL;
579 /* check whether we've received enough responses to exit */
580 if ((idp_shared && (n_responses>0)) ||
581 (resp_frac_denom*n_responses>=resp_frac_numer*n_aaa))
585 tr_debug("tr_tids_req_handler: done waiting for responses. %d responses, %d failures.",
586 n_responses, n_failed);
587 /* Inform any remaining threads that we will no longer handle their responses. */
588 for (ii=0; ii<n_aaa; ii++) {
589 if (aaa_cookie[ii]!=NULL) {
590 if (0!=tr_tids_fwd_get_mutex(aaa_cookie[ii]))
591 tr_notice("tr_tids_req_handler: unable to get mutex for AAA thread %d.", ii);
593 aaa_cookie[ii]->mq=NULL; /* threads will not try to respond through a null mq */
595 if (0!=tr_tids_fwd_release_mutex(aaa_cookie[ii]))
596 tr_notice("tr_tids_req_handler: unable to release mutex for AAA thread %d.", ii);
600 /* Now all threads have either replied (and aaa_cookie[ii] is null) or have been told not to
601 * reply (by setting their mq pointer to null). However, some may have responded by placing
602 * a message on the mq after we last checked but before we set their mq pointer to null. These
603 * will not know that we gave up on them, so we must free their cookies for them. We can just
604 * go through any remaining messages on the mq to identify these threads. By putting them in
605 * our context instead of freeing them directly, we ensure we don't accidentally invalidate
606 * any of our own pointers into the structure before this function exits. */
607 while (NULL!=(msg=tr_mq_pop(mq, NULL))) {
608 payload=(TR_RESP_COOKIE *)tr_mq_msg_get_payload(msg);
609 if (aaa_cookie[payload->thread_id]!=NULL)
610 talloc_steal(tmp_ctx, aaa_cookie[payload->thread_id]);
615 if (n_responses==0) {
616 /* No requests succeeded. Forward an error if we got any error responses. */
617 for (ii=0; ii<n_aaa; ii++) {
618 if (aaa_resp[ii]!=NULL)
619 tids_send_response(tids, orig_req, aaa_resp[ii]);
621 tids_send_err_response(tids, orig_req, "Unable to contact AAA server(s).");
629 talloc_free(tmp_ctx);
633 static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
636 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
637 TIDS_INSTANCE *tids = cookie->tids;
638 TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
640 if ((!client_name) || (!gss_name) || (!tids) || (!cfg_mgr)) {
641 tr_debug("tr_tidc_gss_handler: Bad parameters.");
645 /* Ensure at least one client exists using this GSS name */
646 if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
647 tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
651 /* Store the GSS name */
652 tids->gss_name = tr_dup_name(gss_name);
653 tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
659 /***** TIDS event handling *****/
661 /* called when a connection to the TIDS port is received */
662 static void tr_tids_event_cb(int listener, short event, void *arg)
664 TIDS_INSTANCE *tids = (TIDS_INSTANCE *)arg;
666 if (0==(event & EV_READ))
667 tr_debug("tr_tids_event_cb: unexpected event on TIDS socket (event=0x%X)", event);
669 tids_accept(tids, listener);
672 /* Configure the tids instance and set up its event handler.
673 * Returns 0 on success, nonzero on failure. Fills in
674 * *tids_event (which should be allocated by caller). */
675 int tr_tids_event_init(struct event_base *base,
679 struct tr_socket_event *tids_ev)
681 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
682 struct tr_tids_event_cookie *cookie=NULL;
686 if (tids_ev == NULL) {
687 tr_debug("tr_tids_event_init: Null tids_ev.");
692 /* Create the cookie for callbacks. We'll put it in the tids context, so it will
693 * be cleaned up when tids is freed by talloc_free. */
694 cookie=talloc(tmp_ctx, struct tr_tids_event_cookie);
695 if (cookie == NULL) {
696 tr_debug("tr_tids_event_init: Unable to allocate cookie.");
701 cookie->cfg_mgr=cfg_mgr;
703 talloc_steal(tids, cookie);
705 /* get a tids listener */
706 tids_ev->n_sock_fd=tids_get_listener(tids,
709 cfg_mgr->active->internal->hostname,
710 cfg_mgr->active->internal->tids_port,
714 if (tids_ev->n_sock_fd==0) {
715 tr_crit("Error opening TID server socket.");
721 for (ii=0; ii<tids_ev->n_sock_fd; ii++) {
722 tids_ev->ev[ii]=event_new(base,
723 tids_ev->sock_fd[ii],
727 event_add(tids_ev->ev[ii], NULL);
731 talloc_free(tmp_ctx);
projects / trust_router.git / blob