libtr_tid_la_CFLAGS = $(AM_CFLAGS) -fvisibility=hidden
libtr_tid_la_LIBADD = gsscon/libgsscon.la $(GLIB_LIBS)
-libtr_tid_la_LDFLAGS = $(AM_LDFLAGS) -version-info 4:0:2 -no-undefined
+libtr_tid_la_LDFLAGS = $(AM_LDFLAGS) -version-info 4:1:2 -no-undefined
common_t_constraint_SOURCES = common/t_constraint.c \
common/tr_debug.c \
return NULL;
/* will not remove the head here, that has already been done */
- for (comm=head; comm->next!=NULL; comm=comm->next) {
+ for (comm=head; (comm!=NULL) && (comm->next!=NULL); comm=comm->next) {
if (comm->next->refcount==0) {
old_next=comm->next;
- tr_comm_remove(head, comm->next); /* changes comm->next */
+ tr_comm_remove(head, comm->next); /* changes comm->next, may make it null */
tr_comm_free(old_next);
}
}
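Review bot: The new loop condition stops the NULL dereference, but the sweep still skips the entry that follows a removed one: after `tr_comm_remove(head, comm->next)` relinks `comm->next` to the entry after the freed node (as the comment says it does), the `for` increment advances `comm` past that entry without ever checking its `refcount`, so two adjacent refcount-0 communities leave the second one in the list until a later sweep. The same pattern is repeated in the idp_realm and rp_realm sweeps (the hunks ending at `tr_idp_realm_free(old_next)` and `tr_rp_realm_free(old_next)`), which should get the same treatment. Advancing only when nothing was removed fixes it; the enclosing function begins outside this hunk, and this assumes `tr_comm_remove` unlinks exactly the given node, which is not visible here.
```c
/* … unchanged: head NULL check … */
comm = head;
while ((comm != NULL) && (comm->next != NULL)) {
  if (comm->next->refcount == 0) {
    old_next = comm->next;
    tr_comm_remove(head, comm->next); /* changes comm->next, may make it null */
    tr_comm_free(old_next);
    /* do not advance: the new comm->next has not been examined yet */
  } else {
    comm = comm->next;
  }
}
```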
return DH_new();
}
-DH *tr_create_dh_params(unsigned char *priv_key,
+DH *tr_create_dh_params(unsigned char *priv_key,
size_t keylen) {
DH *dh = NULL;
(NULL == (dh->p = BN_new())) ||
(NULL == (dh->q = BN_new()))) {
DH_free(dh);
+ return NULL;
}
BN_set_word(dh->g, 2);
return out;
}
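Review bot: The added `return NULL;` closes the leak-and-continue path after a failed `BN_new()`, but the `BN_set_word(dh->g, 2)` that follows is still unchecked, and a failure there returns parameters with an unset generator; `if (!BN_set_word(dh->g, 2)) { DH_free(dh); return NULL; }` keeps the error handling consistent with the line above it. Separately, writing `dh->p`, `dh->q` and `dh->g` directly only compiles against OpenSSL releases where `DH` is not opaque (before 1.1.0); later releases require `DH_set0_pqg()`, so a short comment stating the supported OpenSSL range would help, e.g. `/* direct DH member access: requires OpenSSL < 1.1.0 */`. Most of tr_create_dh_params's body lies outside this hunk, so the allocation of `dh` and `dh->g` could not be checked here.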
-int tr_compute_dh_key(unsigned char **pbuf,
- BIGNUM *pub_key,
+int tr_compute_dh_key(unsigned char **pbuf,
+ BIGNUM *pub_key,
DH *priv_dh) {
size_t buflen;
unsigned char *buf = NULL;;
int rc = 0;
-
- if ((!pbuf) ||
- (!pub_key) ||
+
+ if ((!pbuf) ||
+ (!pub_key) ||
(!priv_dh)) {
tr_debug("tr_compute_dh_key: Invalid parameters.");
return(-1);
return -1;
}
-
+
rc = DH_compute_key(buf, pub_key, priv_dh);
if (0 <= rc) {
*pbuf = buf;
if (head==NULL)
return NULL;
- /* will not remove the head here, that has already been done */
- for (idp=head; idp->next!=NULL; idp=idp->next) {
+ /* Will not remove the head here, that has already been done.*/
+ for (idp=head; (idp!=NULL) && (idp->next!=NULL); idp=idp->next) {
if (idp->next->refcount==0) {
old_next=idp->next;
- tr_idp_realm_remove(head, idp->next); /* changes idp->next */
+ tr_idp_realm_remove(head, idp->next); /* changes idp->next, may make it NULL */
tr_idp_realm_free(old_next);
}
}
return NULL;
/* will not remove the head here, that has already been done */
- for (rp=head; rp->next!=NULL; rp=rp->next) {
+ for (rp=head; (rp!=NULL) && (rp->next!=NULL); rp=rp->next) {
if (rp->next->refcount==0) {
old_next=rp->next;
- tr_rp_realm_remove(head, rp->next); /* changes rp->next */
+ tr_rp_realm_remove(head, rp->next); /* changes rp->next, may make it null */
tr_rp_realm_free(old_next);
}
}
AC_PREREQ(2.63)
-AC_INIT([trust_router],[3.0.2],
+AC_INIT([trust_router],[3.3.0],
[bugs@project-moonshot.org])
AC_CONFIG_MACRO_DIR(m4)
AC_CONFIG_AUX_DIR(build-aux)
{
"tr_internal": {
- "max_tree_depth": 12,
"hostname":"beta.example.com",
"trps_port":12308,
"tids_port":12309,
{
"apcs": [],
"community_id": "apc.x",
- "idp_realms": ["idp.x", "other.idp.x"],
- "rp_realms": ["rp.x", "other.rp.x"],
+ "idp_realms": ["apc.x",
+ "idp.x",
+ "other.idp.x"],
+ "rp_realms": ["rp.x",
+ "other.rp.x"],
"type": "apc",
- "expiration_interval": 10
+ "expiration_interval": 30
},
{
- "apcs": ["apc."],
+ "apcs": ["apc.x"],
"community_id": "coi.x",
"idp_realms": ["idp.x"],
"rp_realms": ["rp.x"],
],
"local_organizations": [
{
+ "organization_name": "APC",
+ "realms": [
+ {
+ "realm": "apc.x",
+ "identity_provider": {
+ "aaa_servers": [
+ "apc.example.com"
+ ],
+ "apcs": [
+ "apc.x"
+ ],
+ "shared_config": "no"
+ }
+ }
+ ]
+ },
+ {
"organization_name": "Demo Organization",
"realms": [
- {
- "realm": "rp.x",
- "gss_names": ["alpha-cred@apc.x",
- "beta-cred@apc.x",
- "gamma-cred@apc.x"],
- "filters": {
- "tid_inbound": [
- {
- "action": "accept",
- "domain_constraints": [
- "*.local"
- ],
- "specs": [
- {
- "field": "rp_realm",
- "match": "rp.x"
- },
- {
- "field": "rp_realm",
- "match": "*.rp.x"
- }
- ],
- "realm_constraints": [
- "rp.x", "*.rp.x"
- ]
- }
- ]
- }
- },
+ {
+ "realm": "rp.x",
+ "gss_names": ["rp-cred@apc.x",
+ "second-rp-cred@apc.x"],
+ "filters": {
+ "tid_inbound": [
+ {
+ "action": "accept",
+ "domain_constraints": [
+ "*.example.com"
+ ],
+ "specs": [
+ {
+ "field": "rp_realm",
+ "match": [
+ "rp.x", "*.rp.x"
+ ]
+ }
+ ],
+ "realm_constraints": [
+ "rp.x", "*.rp.x"
+ ]
+ }
+ ]
+ }
+ },
{
"realm": "other.rp.x",
- "gss_names": ["something@apc.x"]
+ "gss_names": ["other-rp-cred@apc.x"]
},
- {
- "realm": "idp.x",
- "gss_names": ["alpha-cred@apc.x"],
- "identity_provider": {
- "aaa_servers": ["alpha.local"],
- "apcs": ["apc.x"],
- "shared_config": "no"
- }
+ {
+ "realm": "idp.x",
+ "gss_names": ["idp-cred@apc.x"],
+ "identity_provider": {
+ "aaa_servers": ["idp.example.com"],
+ "apcs": ["apc.x"],
+ "shared_config": "no"
+ }
},
- {
- "realm": "other.idp.x",
- "gss_names": ["beta-cred@apc.x"],
- "identity_provider": {
- "aaa_servers": ["alpha.local"],
- "apcs": ["apc.x"],
- "shared_config": "no"
- }
- }
+ {
+ "realm": "other.idp.x",
+ "gss_names": ["other-idp-cred@apc.x"],
+ "identity_provider": {
+ "aaa_servers": ["idp.example.com"],
+ "apcs": ["apc.x"],
+ "shared_config": "no"
+ }
+ }
]
}
],
"peer_organizations": [
{
- "hostname": "gamma.local",
+ "hostname": "peer.example.com",
"port": 12310,
- "gss_names": ["gamma-cred@apc.x"]
+ "gss_names": ["peer-cred@apc.x"]
}
]
}
{
"tr_internal": {
- "max_tree_depth": 12,
- "hostname":"beta.example.com",
+ "hostname":"tr.example.com",
"trps_port":12308,
"tids_port":12309,
"cfg_poll_interval": 1,
{
"apcs": [],
"community_id": "apc.x",
- "idp_realms": ["idp.x", "other.idp.x"],
- "rp_realms": ["rp.x", "other.rp.x"],
+ "idp_realms": ["apc.x",
+ "idp.x",
+ "other.idp.x"],
+ "rp_realms": ["rp.x",
+ "other.rp.x"],
"type": "apc",
- "expiration_interval": 10
+ "expiration_interval": 30
},
{
- "apcs": ["apc."],
+ "apcs": ["apc.x"],
"community_id": "coi.x",
"idp_realms": ["idp.x"],
"rp_realms": ["rp.x"],
],
"local_organizations": [
{
+ "organization_name": "APC",
+ "realms": [
+ {
+ "realm": "apc.x",
+ "identity_provider": {
+ "aaa_servers": [
+ "apc.example.com"
+ ],
+ "apcs": [
+ "apc.x"
+ ],
+ "shared_config": "no"
+ }
+ }
+ ]
+ },
+ {
"organization_name": "Demo Organization",
"realms": [
- {
- "realm": "rp.x",
- "gss_names": ["alpha-cred@apc.x",
- "beta-cred@apc.x",
- "gamma-cred@apc.x"],
- "filters": {
- "tid_inbound": [
- {
- "action": "accept",
- "domain_constraints": [
- "*.local"
- ],
- "specs": [
- {
- "field": "rp_realm",
- "match": "rp.x"
- },
- {
- "field": "rp_realm",
- "match": "*.rp.x"
- }
- ],
- "realm_constraints": [
- "rp.x", "*.rp.x"
- ]
- }
- ]
- }
- },
+ {
+ "realm": "rp.x",
+ "gss_names": ["rp-cred@apc.x",
+ "second-rp-cred@apc.x"],
+ "filters": {
+ "tid_inbound": [
+ {
+ "action": "accept",
+ "domain_constraints": [
+ "*.example.com"
+ ],
+ "specs": [
+ {
+ "field": "rp_realm",
+ "match": [
+ "rp.x", "*.rp.x"
+ ]
+ }
+ ],
+ "realm_constraints": [
+ "rp.x", "*.rp.x"
+ ]
+ }
+ ]
+ }
+ },
{
"realm": "other.rp.x",
- "gss_names": ["something@apc.x"]
+ "gss_names": ["other-rp-cred@apc.x"]
},
- {
- "realm": "idp.x",
- "gss_names": ["alpha-cred@apc.x"],
- "identity_provider": {
- "aaa_servers": ["alpha.local"],
- "apcs": ["apc.x"],
- "shared_config": "no"
- }
+ {
+ "realm": "idp.x",
+ "gss_names": ["idp-cred@apc.x"],
+ "identity_provider": {
+ "aaa_servers": ["idp.example.com"],
+ "apcs": ["apc.x"],
+ "shared_config": "no"
+ }
},
- {
- "realm": "other.idp.x",
- "gss_names": ["beta-cred@apc.x"],
- "identity_provider": {
- "aaa_servers": ["alpha.local"],
- "apcs": ["apc.x"],
- "shared_config": "no"
- }
- }
+ {
+ "realm": "other.idp.x",
+ "gss_names": ["other-idp-cred@apc.x"],
+ "identity_provider": {
+ "aaa_servers": ["idp.example.com"],
+ "apcs": ["apc.x"],
+ "shared_config": "no"
+ }
+ }
]
}
],
"peer_organizations": [
{
- "hostname": "gamma.local",
+ "hostname": "peer.example.com",
"port": 12310,
- "gss_names": ["gamma-cred@apc.x"]
+ "gss_names": ["peer-cred@apc.x"]
}
]
}
tr_debug("tr_tids_req_handler: looking up route.");
route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
if (route==NULL) {
- tr_notice("tr_tids_req_handler: no route table entry found for realm (%s) in community (%s).",
- orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "Missing trust route error");
- retval=-1;
- goto cleanup;
- }
- tr_debug("tr_tids_req_handler: found route.");
- if (trp_route_is_local(route)) {
- tr_debug("tr_tids_req_handler: route is local.");
- aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
- orig_req->realm,
- orig_req->comm,
- &idp_shared);
- } else {
- tr_debug("tr_tids_req_handler: route not local.");
- aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
- idp_shared=0;
- }
-
- /* Find the AAA server(s) for this request */
- if (NULL == aaa_servers) {
- tr_debug("tr_tids_req_handler: No AAA Servers for realm %s, defaulting.", orig_req->realm->buf);
- if (NULL == (aaa_servers = tr_default_server_lookup (cfg_mgr->active->default_servers,
- orig_req->comm))) {
+ /* No route. Use default AAA servers if we have them. */
+ tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
+ if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
+ orig_req->comm))) {
tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
- retval=-1;
+ retval = -1;
goto cleanup;
}
- idp_shared=0;
+ idp_shared = 0;
} else {
- /* if we aren't defaulting, check idp coi and apc membership */
+ /* Found a route. Determine the AAA servers or next hop address. */
+ tr_debug("tr_tids_req_handler: found route.");
+ if (trp_route_is_local(route)) {
+ tr_debug("tr_tids_req_handler: route is local.");
+ aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
+ orig_req->realm,
+ orig_req->comm,
+ &idp_shared);
+ } else {
+ tr_debug("tr_tids_req_handler: route not local.");
+ aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
+ idp_shared = 0;
+ }
+
+ /* Since we aren't defaulting, check idp coi and apc membership */
if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
tids_send_err_response(tids, orig_req, "IDP community membership error");
}
}
+ /* Make sure we came through with a AAA server. If not, we can't handle the request. */
+ if (NULL == aaa_servers) {
+ tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
+ orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "Missing trust route error");
+ retval = -1;
+ goto cleanup;
+ }
+
/* send a TID request to the AAA server(s), and get the answer(s) */
tr_debug("tr_tids_req_handler: sending TID request(s).");
if (cfg_apc)
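Review bot: In the restructured `else` branch the IDP community-membership check at `if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm)))` logs a notice and sends an error response but then falls through, so the handler still reaches "sending TID request(s)" and forwards the request to the AAA servers for a realm that is not a member of the community. Those lines are context here, so the gap predates this commit, but the hunk now funnels every routed request through that block, and it should abort like the other error paths: `retval = -1;` followed by `goto cleanup;` inside that `if`. Also, the final `NULL == aaa_servers` guard now reports "Missing trust route error" even when a route was found but `tr_idp_aaa_server_lookup` returned nothing, which is no longer the defaulting case it used to be; a message such as `"No AAA server for realm"` would describe that path accurately. tr_tids_req_handler starts and ends outside this hunk.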
%global optflags %{optflags} -Wno-parentheses
Name: trust_router
-Version: 3.0.2
+Version: 3.3.0
Release: 1%{?dist}
Summary: Moonshot Trust Router
Source0: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: autoconf, automake, m4, libtool
BuildRequires: krb5-devel, glib2-devel
BuildRequires: jansson-devel >= 2.4
BuildRequires: sqlite-devel, openssl-devel, libtalloc-devel, libevent-devel