#include <sys/time.h>
#include <glib.h>
#include <string.h>
+#include <poll.h> // for nfds_t
#include <gsscon.h>
#include <tr_comm.h>
#include <tr_apc.h>
#include <tr_rp.h>
-#include <trust_router/tr_name.h>
+#include <tr_name_internal.h>
+#include <trp_route.h>
#include <trp_internal.h>
-#include <tr_gss.h>
+#include <tr_gss_names.h>
+#include <trp_peer.h>
#include <trp_ptable.h>
#include <trp_rtable.h>
#include <tr_debug.h>
#include <tr_util.h>
+#include <tr_socket.h>
static int trps_destructor(void *object)
{
* connect fails */
if (trpc==NULL) {
tr_warning("trps_send_msg: skipping message queued for missing TRP client entry.");
+ } else if (trpc->shutting_down) {
+ tr_debug("trps_send_msg: skipping message because TRP client is shutting down.");
+ rc = TRP_SUCCESS; /* it's ok that this didn't get sent, the connection will be gone in a moment */
} else {
mq_msg=tr_mq_msg_new(tmp_ctx, TR_MQMSG_TRPC_SEND, TR_MQ_PRIO_NORMAL);
msg_dup=talloc_strdup(mq_msg, msg); /* get local copy in mq_msg context */
return rc;
}
-/* Listens on all interfaces. Returns number of sockets opened. Their
- * descriptors are stored in *fd_out, which should point to space for
- * up to max_fd of them. */
-static size_t trps_listen(TRPS_INSTANCE *trps, int port, int *fd_out, size_t max_fd)
-{
- int rc = 0;
- int conn = -1;
- int optval=0;
- struct addrinfo *ai=NULL;
- struct addrinfo *ai_head=NULL;
- struct addrinfo hints={.ai_flags=AI_PASSIVE,
- .ai_family=AF_UNSPEC,
- .ai_socktype=SOCK_STREAM,
- .ai_protocol=IPPROTO_TCP};
- char *port_str=NULL;
- size_t n_opened=0;
-
- port_str=talloc_asprintf(NULL, "%d", port);
- if (port_str==NULL) {
- tr_debug("trps_listen: unable to allocate port.");
- return -1;
- }
- getaddrinfo(NULL, port_str, &hints, &ai_head);
- talloc_free(port_str);
-
- for (ai=ai_head,n_opened=0; (ai!=NULL)&&(n_opened<max_fd); ai=ai->ai_next) {
- if (0 > (conn = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol))) {
- tr_debug("trps_listen: unable to open socket.");
- continue;
- }
-
- optval=1;
- if (0!=setsockopt(conn, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)))
- tr_debug("trps_listen: unable to set SO_REUSEADDR."); /* not fatal? */
-
- if (ai->ai_family==AF_INET6) {
- /* don't allow IPv4-mapped IPv6 addresses (per RFC4942, not sure
- * if still relevant) */
- if (0!=setsockopt(conn, IPPROTO_IPV6, IPV6_V6ONLY, &optval, sizeof(optval))) {
- tr_debug("trps_listen: unable to set IPV6_V6ONLY. Skipping interface.");
- close(conn);
- continue;
- }
- }
-
- rc=bind(conn, ai->ai_addr, ai->ai_addrlen);
- if (rc<0) {
- tr_debug("trps_listen: unable to bind to socket.");
- close(conn);
- continue;
- }
-
- if (0>listen(conn, 512)) {
- tr_debug("trps_listen: unable to listen on bound socket.");
- close(conn);
- continue;
- }
-
- /* ok, this one worked. Save it */
- fd_out[n_opened++]=conn;
- }
- freeaddrinfo(ai_head);
-
- if (n_opened==0) {
- tr_debug("trps_listen: no addresses available for listening.");
- return -1;
- }
-
- tr_debug("trps_listen: TRP Server listening on port %d on %d socket%s",
- port,
- n_opened,
- (n_opened==1)?"":"s");
-
- return n_opened;
-}
-
/* get the currently selected route if available */
TRP_ROUTE *trps_get_route(TRPS_INSTANCE *trps, TR_NAME *comm, TR_NAME *realm, TR_NAME *peer)
{
tr_debug("trps_read_message: message received, %u bytes.", (unsigned) buflen);
tr_debug("trps_read_message: %.*s", buflen, buf);
- *msg=tr_msg_decode(buf, buflen);
+ *msg= tr_msg_decode(NULL, buf, buflen);
free(buf);
if (*msg==NULL)
return TRP_NOPARSE;
int *fd_out,
size_t max_fd)
{
- size_t n_fd=0;
- size_t ii=0;
+ nfds_t n_fd=0;
+ nfds_t ii=0;
- n_fd=trps_listen(trps, port, fd_out, max_fd);
- if (n_fd==0)
- tr_debug("trps_get_listener: Error opening port %d.");
+ n_fd = tr_sock_listen_all(port, fd_out, max_fd);
+
+ if (n_fd == 0)
+ tr_err("trps_get_listener: Error opening port %d.");
else {
/* opening port succeeded */
- tr_debug("trps_get_listener: Opened port %d.", port);
+ tr_info("trps_get_listener: Opened port %d.", port);
/* make the sockets non-blocking */
for (ii=0; ii<n_fd; ii++) {
if (0 != fcntl(fd_out[ii], F_SETFL, O_NONBLOCK)) {
- tr_debug("trps_get_listener: Error setting O_NONBLOCK.");
+ tr_err("trps_get_listener: Error setting O_NONBLOCK.");
for (ii=0; ii<n_fd; ii++) {
close(fd_out[ii]);
fd_out[ii]=-1;
}
- n_fd=0;
+ n_fd = 0;
break;
}
}
}
- if (n_fd>0) {
+ if (n_fd > 0) {
/* store the caller's request handler & cookie */
trps->msg_handler = msg_handler;
trps->auth_handler = auth_handler;
trps->cookie = cookie;
}
- return n_fd;
+ return (int) n_fd;
}
TRP_RC trps_authorize_connection(TRPS_INSTANCE *trps, TRP_CONNECTION *conn)
static TRP_RC trps_handle_inforec_route(TRPS_INSTANCE *trps, TRP_UPD *upd, TRP_INFOREC *rec)
{
TRP_ROUTE *route=NULL;
+ TR_COMM *comm = NULL;
unsigned int feas=0;
/* determine feasibility */
feas=trps_check_feasibility(trps, trp_upd_get_realm(upd), trp_upd_get_comm(upd), rec);
tr_debug("trps_handle_update: record feasibility=%d", feas);
- /* do we have an existing route? */
- route=trps_get_route(trps,
- trp_upd_get_comm(upd),
- trp_upd_get_realm(upd),
- trp_upd_get_peer(upd));
- if (route!=NULL) {
- /* there was a route table entry already */
- tr_debug("trps_handle_updates: route entry already exists.");
- if (feas) {
- /* Update is feasible. Accept it. */
- trps_accept_update(trps, upd, rec);
- } else {
- /* Update is infeasible. Ignore it unless the trust router has changed. */
- if (0!=tr_name_cmp(trp_route_get_trust_router(route),
- trp_inforec_get_trust_router(rec))) {
- /* the trust router associated with the route has changed, treat update as a retraction */
- trps_retract_route(trps, route);
+ /* verify that the community is an APC */
+ comm = tr_comm_table_find_comm(trps->ctable, trp_upd_get_comm(upd));
+ if (comm == NULL) {
+ /* We don't know this community. Reject the route. */
+ tr_debug("trps_handle_updates: community %.*s unknown, ignoring route for %.*s",
+ trp_upd_get_comm(upd)->len, trp_upd_get_comm(upd)->buf,
+ trp_upd_get_realm(upd)->len, trp_upd_get_realm(upd)->buf);
+ } else if (tr_comm_get_type(comm) != TR_COMM_APC) {
+ /* The community in a route request *must* be an APC. This was not - ignore it. */
+ tr_debug("trps_handle_updates: community %.*s is not an APC, ignoring route for %.*s",
+ trp_upd_get_comm(upd)->len, trp_upd_get_comm(upd)->buf,
+ trp_upd_get_realm(upd)->len, trp_upd_get_realm(upd)->buf);
+ } else {
+ /* do we have an existing route? */
+ route=trps_get_route(trps,
+ trp_upd_get_comm(upd),
+ trp_upd_get_realm(upd),
+ trp_upd_get_peer(upd));
+ if (route!=NULL) {
+ /* there was a route table entry already */
+ tr_debug("trps_handle_updates: route entry already exists.");
+ if (feas) {
+ /* Update is feasible. Accept it. */
+ trps_accept_update(trps, upd, rec);
+ } else {
+ /* Update is infeasible. Ignore it unless the trust router has changed. */
+ if (0!=tr_name_cmp(trp_route_get_trust_router(route),
+ trp_inforec_get_trust_router(rec))) {
+ /* the trust router associated with the route has changed, treat update as a retraction */
+ trps_retract_route(trps, route);
+ }
}
+ } else {
+ /* No existing route table entry. Ignore it unless it is feasible and not a retraction. */
+ tr_debug("trps_handle_update: no route entry exists yet.");
+ if (feas && trp_metric_is_finite(trp_inforec_get_metric(rec)))
+ trps_accept_update(trps, upd, rec);
}
- } else {
- /* No existing route table entry. Ignore it unless it is feasible and not a retraction. */
- tr_debug("trps_handle_update: no route entry exists yet.");
- if (feas && trp_metric_is_finite(trp_inforec_get_metric(rec)))
- trps_accept_update(trps, upd, rec);
}
return TRP_SUCCESS;
return comm;
}
-static TR_RP_REALM *trps_create_new_rp_realm(TALLOC_CTX *mem_ctx, TR_NAME *realm_id, TRP_INFOREC *rec)
+static TR_RP_REALM *trps_create_new_rp_realm(TALLOC_CTX *mem_ctx, TR_NAME *comm, TR_NAME *realm_id, TRP_INFOREC *rec)
{
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
TR_RP_REALM *rp=tr_rp_realm_new(tmp_ctx);
return rp;
}
-static TR_IDP_REALM *trps_create_new_idp_realm(TALLOC_CTX *mem_ctx, TR_NAME *realm_id, TRP_INFOREC *rec)
+static TR_IDP_REALM *trps_create_new_idp_realm(TALLOC_CTX *mem_ctx,
+ TR_NAME *comm_id,
+ TR_NAME *realm_id,
+ TRP_INFOREC *rec)
{
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
TR_IDP_REALM *idp=tr_idp_realm_new(tmp_ctx);
-
+ TR_APC *realm_apcs = NULL;
+
if (idp==NULL) {
tr_debug("trps_create_new_idp_realm: unable to allocate new realm.");
goto cleanup;
idp=NULL;
goto cleanup;
}
- if (trp_inforec_get_apcs(rec)!=NULL) {
- tr_idp_realm_set_apcs(idp, tr_apc_dup(tmp_ctx, trp_inforec_get_apcs(rec)));
- if (tr_idp_realm_get_apcs(idp)==NULL) {
- tr_debug("trps_create_new_idp_realm: unable to allocate APC list.");
- idp=NULL;
+
+ /* Set the APCs. If the community is a CoI, copy its APCs. If it is an APC, then
+ * that community itself is the APC for the realm. */
+ if (trp_inforec_get_comm_type(rec) == TR_COMM_APC) {
+ /* the community is an APC for this realm */
+ realm_apcs = tr_apc_new(tmp_ctx);
+ if (realm_apcs == NULL) {
+ tr_debug("trps_create_new_idp_realm: unable to allocate new APC list.");
+ idp = NULL;
goto cleanup;
}
+
+ tr_apc_set_id(realm_apcs, tr_dup_name(comm_id));
+ if (tr_apc_get_id(realm_apcs) == NULL) {
+ tr_debug("trps_create_new_idp_realm: unable to allocate new APC name.");
+ idp = NULL;
+ goto cleanup;
+ }
+ } else {
+ /* the community is not an APC for this realm */
+ realm_apcs = trp_inforec_get_apcs(rec);
+ if (realm_apcs == NULL) {
+ tr_debug("trps_create_new_idp_realm: no APCs for realm %.*s/%.*s, cannot add.",
+ realm_id->len, realm_id->buf,
+ comm_id->len, comm_id->buf);
+ idp = NULL;
+ goto cleanup;
+ }
+
+ /* we have APCs, make our own copy */
+ realm_apcs = tr_apc_dup(tmp_ctx, realm_apcs);
+ if (realm_apcs == NULL) {
+ tr_debug("trps_create_new_idp_realm: unable to duplicate APC list.");
+ idp = NULL;
+ goto cleanup;
+ }
+ }
+
+ /* Whether the community is an APC or CoI, the APCs for the realm are in realm_apcs */
+ tr_idp_realm_set_apcs(idp, realm_apcs); /* takes realm_apcs out of tmp_ctx on success */
+ if (tr_idp_realm_get_apcs(idp) == NULL) {
+ tr_debug("trps_create_new_idp_realm: unable to set APC list for new realm.");
+ idp=NULL;
+ goto cleanup;
}
+
idp->origin=TR_REALM_DISCOVERED;
talloc_steal(mem_ctx, idp);
tr_debug("trps_handle_inforec_comm: unable to create new community.");
goto cleanup;
}
- tr_comm_table_add_comm(trps->ctable, comm);
+ if (tr_comm_table_add_comm(trps->ctable, comm) != 0)
+ {
+ tr_debug("trps_handle_inforec_comm: unable to add community to community table.");
+ goto cleanup;
+ }
}
/* TODO: see if other comm data match the new inforec and update or complain */
if (rp_realm==NULL) {
tr_debug("trps_handle_inforec_comm: unknown RP realm %.*s in inforec, creating it.",
realm_id->len, realm_id->buf);
- rp_realm=trps_create_new_rp_realm(tmp_ctx, realm_id, rec);
+ rp_realm= trps_create_new_rp_realm(tmp_ctx, tr_comm_get_id(comm), realm_id, rec);
if (rp_realm==NULL) {
tr_debug("trps_handle_inforec_comm: unable to create new RP realm.");
/* we may leave an unused community in the table, but it will only last until
if (idp_realm==NULL) {
tr_debug("trps_handle_inforec_comm: unknown IDP realm %.*s in inforec, creating it.",
realm_id->len, realm_id->buf);
- idp_realm=trps_create_new_idp_realm(tmp_ctx, realm_id, rec);
+ idp_realm= trps_create_new_idp_realm(tmp_ctx, tr_comm_get_id(comm), realm_id, rec);
if (idp_realm==NULL) {
tr_debug("trps_handle_inforec_comm: unable to create new IDP realm.");
/* we may leave an unused community in the table, but it will only last until
* Apply applicable TRP_INBOUND filters to an inforec. Rejects everything if peer has no filters.
*
* @param trps Active TRPS instance
- * @param peer_name Name of peer that sent this inforec
+ * @param upd TRP_UPD that contains the inforec to filter
* @param rec Inforec to filter
- * @param realm Name of realm
- * @param comm Name of community
* @return 1 if accepted by the filter, 0 otherwise
*/
-static int trps_filter_inbound_inforec(TRPS_INSTANCE *trps, TR_NAME *peer_name, TRP_INFOREC *rec, TR_NAME *realm, TR_NAME *comm)
+static int trps_filter_inbound_inforec(TRPS_INSTANCE *trps, TRP_UPD *upd, TRP_INFOREC *rec)
{
TRP_PEER *peer=NULL;
+ TR_NAME *peer_name=NULL;
TR_FILTER_ACTION action=TR_FILTER_ACTION_REJECT;
TR_FILTER_TARGET *target=NULL;
int retval=0;
/* Look up the peer. For inbound messages, the peer is identified by its GSS name */
+ peer_name=trp_upd_get_peer(upd);
peer=trps_get_peer_by_gssname(trps, peer_name);
if (peer==NULL) {
tr_err("trps_filter_inbound_inforec: received inforec from unknown peer (%.*s), rejecting.",
}
/* tr_filter_apply() and tr_filter_set_get() handle null filter sets/filters by rejecting */
- target=tr_filter_target_trp_inforec(NULL, rec, realm, comm);
+ target= tr_filter_target_trp_inforec(NULL, upd, rec);
if (target==NULL) {
/* TODO: signal that filtering failed. Until then, just filter everything and give an error message. */
tr_crit("trps_filter_inbound_inforec: Unable to allocate filter target, cannot apply filter!");
}
for (rec=trp_upd_get_inforec(upd); rec!=NULL; rec=trp_inforec_get_next(rec)) {
- if (!trps_filter_inbound_inforec(trps,
- trp_upd_get_peer(upd),
- rec,
- trp_upd_get_realm(upd),
- trp_upd_get_comm(upd))) {
+ if (!trps_filter_inbound_inforec(trps, upd, rec)) {
tr_debug("trps_handle_update: inforec rejected by filter.");
continue; /* just go on to the next record */
}
return TRP_ERROR;
}
- entry=trp_rtable_get_entries(trps->rtable, &n_entry); /* must talloc_free *entry */
+ entry= trp_rtable_get_entries(NULL, trps->rtable, &n_entry); /* must talloc_free *entry */
/* loop over the entries */
for (ii=0; ii<n_entry; ii++) {
}
-static char *timespec_to_str(struct timespec *ts)
-{
- struct tm tm;
- char *s=NULL;
-
- if (localtime_r(&(ts->tv_sec), &tm)==NULL)
- return NULL;
-
- s=malloc(40); /* long enough to contain strftime result */
- if (s==NULL)
- return NULL;
-
- if (strftime(s, 40, "%F %T", &tm)==0) {
- free(s);
- return NULL;
- }
- return s;
-}
-
-
/* Sweep for expired communities/realms/memberships. */
TRP_RC trps_sweep_ctable(TRPS_INSTANCE *trps)
{
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
struct timespec sweep_time={0,0};
+ struct timespec tmp = {0};
TR_COMM_MEMB *memb=NULL;
TR_COMM_ITER *iter=NULL;
TRP_RC rc=TRP_ERROR;
tr_comm_memb_get_realm_id(memb)->len, tr_comm_memb_get_realm_id(memb)->buf,
tr_comm_get_id(tr_comm_memb_get_comm(memb))->len, tr_comm_get_id(tr_comm_memb_get_comm(memb))->buf,
tr_comm_memb_get_origin(memb)->len, tr_comm_memb_get_origin(memb)->buf,
- timespec_to_str(tr_comm_memb_get_expiry(memb)));
+ timespec_to_str(tr_comm_memb_get_expiry_realtime(memb, &tmp)));
tr_comm_table_remove_memb(trps->ctable, memb);
tr_comm_memb_free(memb);
} else {
tr_comm_memb_expire(memb);
trps_compute_expiry(trps, tr_comm_memb_get_interval(memb), tr_comm_memb_get_expiry(memb));
tr_debug("trps_sweep_ctable: community membership expired at %s, resetting expiry to %s (%.*s in %.*s, origin %.*s).",
- timespec_to_str(&sweep_time),
- timespec_to_str(tr_comm_memb_get_expiry(memb)),
+ timespec_to_str(tr_clock_convert(TRP_CLOCK, &sweep_time, CLOCK_REALTIME, &tmp)),
+ timespec_to_str(tr_comm_memb_get_expiry_realtime(memb, &tmp)),
tr_comm_memb_get_realm_id(memb)->len, tr_comm_memb_get_realm_id(memb)->buf,
tr_comm_get_id(tr_comm_memb_get_comm(memb))->len, tr_comm_get_id(tr_comm_memb_get_comm(memb))->buf,
tr_comm_memb_get_origin(memb)->len, tr_comm_memb_get_origin(memb)->buf);
for(this=trp_upd_get_inforec(upd); this!=NULL; this=next) {
next=this->next;
- target=tr_filter_target_trp_inforec(NULL, this, trp_upd_get_realm(upd), trp_upd_get_comm(upd));
+ target= tr_filter_target_trp_inforec(NULL, upd, this);
if (target==NULL) {
/* TODO: signal that filtering failed. Until then, just filter everything and give an error message. */
tr_crit("trps_filter_one_outbound_update: Unable to allocate filter target, cannot apply filter!");
static void trps_filter_outbound_updates(TR_FILTER_SET *filters, GPtrArray *updates)
{
TRP_UPD *upd=NULL;
- int ii=0;
+ guint ii=0;
- /* walk backward through the array so we can remove elements */
- for (ii=updates->len-1; ii>=0; ii--) {
- upd=g_ptr_array_index(updates, ii);
+ /* Walk backward through the array so we can remove elements. Careful about loop
+ * termination - remember that ii is unsigned. */
+ for (ii=updates->len; ii>0; ii--) {
+ upd=g_ptr_array_index(updates, ii-1);
trps_filter_one_outbound_update(tr_filter_set_get(filters, TR_FILTER_TYPE_TRP_OUTBOUND), upd);
/* see if we removed all the records from this update */
if (trp_upd_num_inforecs(upd)==0)
- g_ptr_array_remove_index_fast(updates, ii); /* does not preserve order at index ii or higher */
+ g_ptr_array_remove_index_fast(updates, ii-1); /* does not preserve order at index ii or higher */
}
}
upd = (TRP_UPD *) g_ptr_array_index(updates, ii);
/* now encode the update message */
tr_msg_set_trp_upd(&msg, upd);
- encoded = tr_msg_encode(&msg);
+ encoded = tr_msg_encode(NULL, &msg);
if (encoded == NULL) {
tr_err("trps_update_one_peer: error encoding update.");
rc = TRP_ERROR;
}
tr_msg_set_trp_req(&msg, req);
- encoded=tr_msg_encode(&msg);
+ encoded= tr_msg_encode(NULL, &msg);
if (encoded==NULL) {
tr_err("trps_wildcard_route_req: error encoding wildcard TRP request.");
rc=TRP_ERROR;