summaryrefslogtreecommitdiffstats
path: root/src/modules/rlm_realm/trustrouter.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/modules/rlm_realm/trustrouter.c715
1 files changed, 715 insertions, 0 deletions
diff --git a/src/modules/rlm_realm/trustrouter.c b/src/modules/rlm_realm/trustrouter.c
new file mode 100644
index 0000000..c62edea
--- /dev/null
+++ b/src/modules/rlm_realm/trustrouter.c
@@ -0,0 +1,715 @@
+/*
+ * This program is is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ * @file trustrouter.c
+ * @brief Integration with external trust router code
+ *
+ * @copyright 2014 Network RADIUS SARL
+ */
+#include <trust_router/tid.h>
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/rad_assert.h>
+#include <freeradius-devel/modules.h>
+#include <freeradius-devel/realms.h>
+
+#ifdef HAVE_TRUST_ROUTER_TR_DH_H
+#include "trustrouter.h"
+
+#include <trust_router/tr_dh.h>
+#include <ctype.h>
+
+struct resp_opaque {
+ REALM *orig_realm;
+ REALM *output_realm;
+ TID_RC result;
+ char err_msg[1024];
+ char *fr_realm_name;
+};
+
+/*
+ * This structure represents a rekey context. It is created once a new REALM is added to the REALM rbtree and it
+ * contains the values required to recreate the TIDC request that originated that REALM.
+ */
+struct rekey_ctx {
+ REALM *realm;
+ char const *realm_name;
+ char const *community;
+ char const *rprealm;
+ char const *trustrouter;
+ unsigned int port;
+ unsigned int times;
+ unsigned int failed;
+ fr_event_t *ev;
+};
+
+/* Thread, event list, and mutexes to protect access to the event list */
+static pthread_t rekeyer_thread_id;
+static fr_event_list_t *rekey_evl = NULL;
+static pthread_mutex_t evl_mutex;
+static pthread_mutexattr_t evl_mutex_attr;
+
+/* Mutex to control concurrent acceses to the realm tree */
+static pthread_mutex_t realm_tree_mutex;
+
+/* Mutexes to serialise TID queries for the same realm */
+#define REALM_MUTEX_MAX 16
+static pthread_mutex_t realm_mutex[REALM_MUTEX_MAX];
+
+/* Constant declarations */
+static uint MAX_FAILED_REKEYS = 5; // Max number of tolerable consecutive rekey errors
+static uint REKEY_ERROR_DELAY = 10; // Number of seconds we wait until we start a new rekey after a failure
+static uint REKEY_THRESHOLD = 60; // Number of seconds before the REALM expires to start a rekey
+
+/* Configuration parameters */
+static uint32_t realm_lifetime = 0; // Number of seconds the REALM can be used
+static bool rekey_enabled = false; // Is the rekey functionality enabled?
+
+/* Forward declarations */
+static void tr_response_func(TIDC_INSTANCE*, TID_REQ*, TID_RESP*, void*);
+static void _tr_do_rekey(void *);
+
+/* Copied from dict_hashname */
+#define FNV_MAGIC_INIT (0x811c9dc5)
+#define FNV_MAGIC_PRIME (0x01000193)
+
+static uint32_t realm_name_hash(const char* realm_name)
+{
+ uint32_t hash = FNV_MAGIC_INIT;
+ char const *p;
+
+ for (p = realm_name; *p != '\0'; p++) {
+ int c = *(unsigned char const *) p;
+ if (isalpha(c)) c = tolower(c);
+
+ hash *= FNV_MAGIC_PRIME;
+ hash ^= (uint32_t ) (c & 0xff);
+ }
+
+ return hash % REALM_MUTEX_MAX;
+}
+
+static void realm_lock(const char *realm_name)
+{
+ int index = realm_name_hash(realm_name);
+ DEBUG2("Locking realm %s using mutex %d", realm_name, index);
+ pthread_mutex_lock(&realm_mutex[index]);
+}
+
+static void realm_unlock(const char *realm_name)
+{
+ int index = realm_name_hash(realm_name);
+ DEBUG2("Unlocking realm %s using mutex %d", realm_name, index);
+ pthread_mutex_unlock(&realm_mutex[index]);
+}
+
+/*
+ * Builds a rekey_ctx context using the given parameters.
+ * Memory context is attached to the REALM object, whereas all the char* fields are copied.
+ */
+static struct rekey_ctx *build_rekey_ctx(REALM *realm, char const *realm_name, char const *community,
+ char const *rprealm, const char *trustrouter, int port)
+{
+ struct rekey_ctx *ctx = talloc_zero(realm, struct rekey_ctx);
+ ctx->realm = realm;
+ ctx->realm_name = talloc_strdup(ctx, realm_name);
+ ctx->community = talloc_strdup(ctx, community);
+ ctx->rprealm = talloc_strdup(ctx, rprealm);
+ ctx->trustrouter = talloc_strdup(ctx, trustrouter);
+ ctx->port = port;
+ ctx->times = 0;
+ ctx->ev = NULL;
+ return ctx;
+}
+
+/*
+ * Main function for the rekeyer thread, which implements the rekey event loop.
+ * A recursive lock is used to protect access to the event list, which might receive insertions from
+ * other threads (i.e. REQUESTS).
+ * If there are no rekey events to be executed, it sleeps for 1 second.
+ */
+void *rekeyer_thread(UNUSED void* args)
+{
+ struct timeval when;
+ int rv = 0;
+ while (true) {
+ gettimeofday(&when, NULL);
+ pthread_mutex_lock(&evl_mutex);
+ rv = fr_event_run(rekey_evl, &when);
+ // DEBUG2("REALMs to be rekeyed: %d. Next rekey event in %lu seconds",
+ // fr_event_list_num_elements(rekey_evl), when.tv_sec - time(NULL));
+ pthread_mutex_unlock(&evl_mutex);
+ if (!rv) sleep(1);
+ }
+ return NULL;
+}
+
+/*
+ * Sends a TIDC request and fills up the provided cookie with the response.
+ * Returns FALSE if a response cannot be obtained for some reason (e.g. cannot connect to the TR)
+ */
+static bool tidc_send_recv(const char *trustrouter, int port, const char *rprealm, const char *realm_name,
+ const char *community, struct resp_opaque *cookie)
+{
+ gss_ctx_id_t gssctx;
+ int conn = 0;
+ int rcode;
+ bool result = false;
+
+ /* Open TIDC connection */
+ DEBUG2("Opening TIDC connection to %s:%u for resolving realm %s", trustrouter, port, realm_name);
+ TIDC_INSTANCE *tidc = tidc_create();
+ if (!tidc) {
+ DEBUG2( "tr_init: Error creating global TIDC instance.\n");
+ goto cleanup;
+ }
+
+ if (!tidc_set_dh(tidc, tr_create_dh_params(NULL, 0))) {
+ DEBUG2( "tr_init: Error creating client DH params.\n");
+ goto cleanup;
+ }
+
+
+ conn = tidc_open_connection(tidc, (char *) trustrouter, port, &gssctx);
+ if (conn < 0) {
+ DEBUG2("Error in tidc_open_connection.");
+ goto cleanup;
+ }
+
+ /* Send TIDC request */
+ rcode = tidc_send_request(tidc, conn, gssctx, (char *) rprealm, (char *) realm_name,
+ (char *) community, &tr_response_func, cookie);
+ if (rcode < 0) {
+ DEBUG2("Error in tidc_send_request for %s, rc = %d.", realm_name, rcode);
+ goto cleanup;
+ }
+
+ result = true;
+cleanup:
+ tidc_destroy(tidc);
+ return result;
+}
+
+/*
+ * Gets the maximum expiration time of the realm's auth pool.
+ */
+static time_t get_realm_expiration(REALM const *realm)
+{
+ time_t expiration = 0;
+ for (int i = 0; i < realm->auth_pool->num_home_servers; i++) {
+ home_server_t *server = realm->auth_pool->servers[i];
+ if (server->expiration > expiration)
+ expiration = server->expiration;
+ }
+ return expiration;
+}
+
+/*
+ * Schedules a rekey event with the indicated context by inserting a new event in the list.
+ * It uses the evl_mutex to make sure no other thread accesses the event list at the same time.
+ */
+static int schedule_rekey(struct rekey_ctx *rekey_ctx)
+{
+ int rv = 0;
+ struct timeval when;
+ gettimeofday(&when, NULL);
+ pthread_mutex_lock(&evl_mutex);
+ /* If last attempt was a failure, schedule a rekey in REKEY_ERROR_DELAY seconds.
+ * Else, schedule the rekey for REKEY_THRESHOLD seconds before the actual REALM expiration.
+ */
+ if (rekey_ctx->failed)
+ when.tv_sec += REKEY_ERROR_DELAY;
+ else
+ when.tv_sec = get_realm_expiration(rekey_ctx->realm) - REKEY_THRESHOLD;
+
+ rv = fr_event_insert(rekey_evl, _tr_do_rekey, rekey_ctx, &when, &rekey_ctx->ev);
+ pthread_mutex_unlock(&evl_mutex);
+ DEBUG2("Scheduled a rekey for realm %s in %lu seconds", rekey_ctx->realm_name, when.tv_sec - time(NULL));
+ return rv;
+}
+
+/*
+ * Callback that performs the actual rekey of a REALM. It receives a rekey_ctx which is used to replicate the
+ * original TIDC query. If the request is sucessful, a new rekey is scheduled based on the expiration lifetime and
+ * the configured threshold (REKEY_THRESHOLD).
+ * When a failure is found, a new rekey is scheduled in a shorter period of time (REKEY_ERROR_DELAY).
+ */
+static void _tr_do_rekey(void *ctx){
+ struct rekey_ctx *rekey_ctx = (struct rekey_ctx *) ctx;
+ bool result;
+ struct resp_opaque cookie;
+
+ /* clear the cookie structure and copy values from the rekey context */
+ memset (&cookie, 0, sizeof(cookie));
+ cookie.fr_realm_name = (char*) rekey_ctx->realm->name;
+ cookie.orig_realm = rekey_ctx->realm;
+
+ DEBUG2("Rekeying realm %s for the %dth time", rekey_ctx->realm_name, ++rekey_ctx->times);
+
+ /* send the TIDC request and get the response. Use REALM mutext */
+ realm_lock(rekey_ctx->realm_name);
+ result = tidc_send_recv(rekey_ctx->trustrouter, rekey_ctx->port, rekey_ctx->rprealm,
+ rekey_ctx->realm_name, rekey_ctx->community, &cookie);
+ realm_unlock(rekey_ctx->realm_name);
+
+ /* If the rekey failed, schedule a new rekey in REKEY_ERROR_DELAY seconds, unless we have failed more
+ than MAX_FAILED_REKEYS times in a row. In that case, return without scheduling a rekey */
+ if (!result || cookie.result != TID_SUCCESS) {
+ if (++rekey_ctx->failed >= MAX_FAILED_REKEYS) {
+ DEBUG2("Reached the maximum number of failed rekeys (%d) for realm %s. Giving up.",
+ MAX_FAILED_REKEYS, rekey_ctx->realm_name);
+ talloc_free(rekey_ctx);
+ return;
+ }
+ DEBUG2("Rekey for realm %s failed for the %dth time.", rekey_ctx->realm_name, rekey_ctx->failed);
+ }
+ /* if rekey is successful, reset the failed counter */
+ else {
+ rekey_ctx->failed = 0;
+ }
+
+ /* schedule the new rekey */
+ if (!schedule_rekey(rekey_ctx)){
+ DEBUG2("Error scheduling rekey event for realm %s!", rekey_ctx->realm_name);
+ talloc_free(rekey_ctx);
+ }
+}
+
+bool tr_init(bool cnf_rekey_enabled, uint32_t cnf_realm_lifetime)
+{
+ int i = 0;
+ DEBUG2( "tr_init: Init Trust Router module.\n");
+
+ realm_lifetime = cnf_realm_lifetime;
+ rekey_enabled = cnf_rekey_enabled;
+
+ /* create the locks */
+ pthread_mutex_init(&realm_tree_mutex, NULL);
+ for (i=0; i<REALM_MUTEX_MAX; i++)
+ pthread_mutex_init(&realm_mutex[i], NULL);
+
+ /* If rekey is enabled, set up and create the rekeyer thread, event list and event mutex (recursive) */
+ if (rekey_enabled) {
+ rekey_evl = fr_event_list_create(NULL, NULL);
+ pthread_mutexattr_init(&evl_mutex_attr);
+ pthread_mutexattr_settype(&evl_mutex_attr, PTHREAD_MUTEX_RECURSIVE);
+ pthread_mutex_init(&evl_mutex, &evl_mutex_attr);
+ pthread_create(&rekeyer_thread_id, NULL, rekeyer_thread, NULL);
+ }
+
+ return true;
+}
+
+static fr_tls_server_conf_t *construct_tls(TIDC_INSTANCE *inst,
+ home_server_t *hs,
+ TID_SRVR_BLK *server)
+{
+ fr_tls_server_conf_t *tls;
+ unsigned char *key_buf = NULL;
+ ssize_t keylen = 0;
+ char *hexbuf = NULL;
+ DH *aaa_server_dh;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const BIGNUM *dh_pubkey = NULL;
+#endif
+
+ tls = tls_server_conf_alloc(hs);
+ if (!tls) return NULL;
+
+ aaa_server_dh = tid_srvr_get_dh(server);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ DH_get0_key(aaa_server_dh, &dh_pubkey, NULL);
+ if (NULL == dh_pubkey) {
+ DEBUG2("DH error");
+ goto error;
+ }
+
+ keylen = tr_compute_dh_key(&key_buf, BN_dup(dh_pubkey),
+ tidc_get_dh(inst));
+#else
+ keylen = tr_compute_dh_key(&key_buf, aaa_server_dh->pub_key,
+ tidc_get_dh(inst));
+#endif
+ if (keylen <= 0) {
+ DEBUG2("DH error");
+ goto error;
+ }
+
+ hexbuf = talloc_size(tls, keylen*2 + 1);
+ if (!hexbuf) goto error;
+
+ tr_bin_to_hex(key_buf, keylen, hexbuf, 2*keylen + 1);
+
+ tls->psk_password = hexbuf;
+ tls->psk_identity = talloc_strdup(tls, tid_srvr_get_key_name(server)->buf);
+
+ tls->cipher_list = talloc_strdup(tls, "aPSK");
+ tls->fragment_size = 4200;
+ tls->ctx = tls_init_ctx(tls, 1, NULL, NULL);
+ if (!tls->ctx) goto error;
+
+ memset(key_buf, 0, keylen);
+ tr_dh_free(key_buf);
+ return tls;
+
+error:
+ if (key_buf) {
+ memset(key_buf, 0, keylen);
+ tr_dh_free(key_buf);
+ }
+ if (hexbuf) memset(hexbuf, 0, keylen*2);
+
+ if (tls) talloc_free(tls);
+ return NULL;
+}
+
+static char *build_pool_name(TALLOC_CTX *ctx, TID_RESP *resp)
+{
+ size_t index, sa_len, sl;
+ TID_SRVR_BLK *server;
+ char *pool_name = NULL;
+ char addr_buf[256];
+ const struct sockaddr *sa;
+ pool_name = talloc_strdup(ctx, "hp-");
+
+ tid_resp_servers_foreach(resp, server, index) {
+ tid_srvr_get_address(server, &sa, &sa_len);
+ if (0 != getnameinfo(sa, sa_len,
+ addr_buf, sizeof(addr_buf)-1,
+ NULL, 0, NI_NUMERICHOST)) {
+ DEBUG2("getnameinfo failed");
+ return NULL;
+ }
+
+ sl = strlen(addr_buf);
+ rad_assert(sl+2 <= sizeof(addr_buf));
+
+ addr_buf[sl] = '-';
+ addr_buf[sl+1] = '\0';
+
+ pool_name = talloc_strdup_append(pool_name, addr_buf);
+ }
+
+ return pool_name;
+}
+
+static home_server_t *srvr_blk_to_home_server(TALLOC_CTX *ctx,
+ TIDC_INSTANCE *inst,
+ TID_SRVR_BLK *blk,
+ char const *realm_name)
+{
+ home_server_t *hs = NULL;
+ const struct sockaddr *sa = NULL;
+ size_t sa_len = 0;
+ fr_ipaddr_t home_server_ip;
+ uint16_t port;
+ char nametemp[256];
+ time_t now = time(NULL);
+ struct timeval key_expiration;
+
+ rad_assert(blk != NULL);
+ tid_srvr_get_address(blk, &sa, &sa_len);
+ if (sa == NULL) {
+ DEBUG2("tid_srvr_get_address failed");
+ return NULL;
+ }
+
+ fr_sockaddr2ipaddr((struct sockaddr_storage *) sa, sa_len, &home_server_ip, &port);
+ if (0 != getnameinfo(sa, sa_len,
+ nametemp,
+ sizeof nametemp,
+ NULL, 0,
+ NI_NUMERICHOST)) {
+ DEBUG2("getnameinfo failed");
+ return NULL;
+ }
+
+ hs = talloc_zero(ctx, home_server_t);
+ if (!hs) return NULL;
+
+ /*
+ * All dynamic home servers are for authentication.
+ */
+ hs->type = HOME_TYPE_AUTH;
+ hs->ipaddr = home_server_ip;
+ hs->src_ipaddr.af = home_server_ip.af;
+ hs->log_name = talloc_asprintf(hs, "%s-for-%s", nametemp, realm_name);
+ hs->name = talloc_strdup(hs, nametemp);
+ hs->port = port;
+ hs->proto = IPPROTO_TCP;
+ hs->secret = talloc_strdup(hs, "radsec");
+ hs->response_window.tv_sec = 30;
+ hs->last_packet_recv = now;
+ /*
+ * We want sockets using these servers to close as soon as possible,
+ * to make sure that whenever a pool is replaced, sockets using old ones
+ * will not last long (hopefully less than 300s).
+ */
+ hs->limit.idle_timeout = 5;
+ /*
+ * Set the expiration of the server.
+ * If a realm_lifetime configuration parameter is provided (i.e. >0), use: now + realm_lifetime
+ * Else use the value from the TIDC response (if the accessor function is available) or now + 600
+ */
+#ifdef HAVE_TRUST_ROUTER_GET_KEY_EXP
+ tid_srvr_get_key_expiration(blk, &key_expiration);
+#else
+ key_expiration.tv_sec = now + 600;
+#endif
+ hs->expiration = realm_lifetime > 0 ? (now + realm_lifetime) : key_expiration.tv_sec;
+ hs->tls = construct_tls(inst, hs, blk);
+ if (!hs->tls) goto error;
+
+ realm_home_server_sanitize(hs, NULL);
+
+ return hs;
+error:
+ talloc_free(hs);
+ return NULL;
+}
+
+static home_pool_t *servers_to_pool(TALLOC_CTX *ctx,
+ TIDC_INSTANCE *inst,
+ TID_RESP *resp,
+ const char *realm_name)
+{
+ home_pool_t *pool = NULL;
+ size_t num_servers = 0, index;
+ TID_SRVR_BLK *server = NULL;
+
+ num_servers = tid_resp_get_num_servers(resp);
+
+ pool = talloc_zero_size(ctx, sizeof(*pool) + num_servers *sizeof(home_server_t *));
+ if (!pool) goto error;
+
+ pool->type = HOME_POOL_CLIENT_PORT_BALANCE;
+ pool->server_type = HOME_TYPE_AUTH;
+
+ pool->name = build_pool_name(pool, resp);
+ if (!pool->name) goto error;
+
+ pool->num_home_servers = num_servers;
+
+ tid_resp_servers_foreach(resp, server, index) {
+ home_server_t *hs;
+
+ hs = srvr_blk_to_home_server(pool, inst, server, realm_name);
+ if (!hs) goto error;
+ pool->servers[index] = hs;
+ }
+
+ return pool;
+
+error:
+ if (pool) talloc_free(pool);
+
+ return NULL;
+}
+
+static void tr_response_func( TIDC_INSTANCE *inst,
+ UNUSED TID_REQ *req, TID_RESP *resp,
+ void *cookie)
+{
+ struct resp_opaque *opaque = (struct resp_opaque *) cookie;
+ REALM *nr = opaque->orig_realm;
+
+ if (tid_resp_get_result(resp) != TID_SUCCESS) {
+ size_t err_msg_len;
+ opaque->result = tid_resp_get_result(resp);
+ memset(opaque->err_msg, 0, sizeof(opaque->err_msg));
+
+ if (tid_resp_get_err_msg(resp)) {
+ TR_NAME *err_msg = tid_resp_get_err_msg(resp);
+ err_msg_len = err_msg->len+1;
+ if (err_msg_len > sizeof(opaque->err_msg))
+ err_msg_len = sizeof(opaque->err_msg);
+ strlcpy(opaque->err_msg, err_msg->buf, err_msg_len);
+ }
+ return;
+ }
+
+ pthread_mutex_lock(&realm_tree_mutex);
+ if (!nr) {
+ nr = talloc_zero(NULL, REALM);
+ if (!nr) goto error;
+ nr->name = talloc_move(nr, &opaque->fr_realm_name);
+ nr->auth_pool = servers_to_pool(nr, inst, resp, nr->name);
+ if (!nr->auth_pool) {
+ ERROR("Unable to create pool for %s", nr->name);
+ goto error;
+ }
+ if (!realm_realm_add(nr, NULL)) goto error;
+
+ } else {
+ home_pool_t *old_pool = nr->auth_pool;
+ home_pool_t *new_pool;
+
+ new_pool = servers_to_pool(nr, inst, resp, opaque->fr_realm_name);
+ if (!new_pool) {
+ ERROR("Unable to recreate pool for %s", opaque->fr_realm_name);
+ goto error;
+ }
+ nr->auth_pool = new_pool;
+
+ /*
+ * Mark the old pool as "to be freed"
+ */
+ realm_pool_free(old_pool);
+ }
+
+ opaque->output_realm = nr;
+ pthread_mutex_unlock(&realm_tree_mutex);
+ return;
+
+error:
+ if (nr && !opaque->orig_realm) {
+ talloc_free(nr);
+ }
+ opaque->result = TID_ERROR;
+ snprintf(opaque->err_msg, sizeof(opaque->err_msg),
+ "There was an error creating the pool for %s", opaque->fr_realm_name);
+ pthread_mutex_unlock(&realm_tree_mutex);
+ return;
+}
+
+static bool update_required(REALM const *r)
+{
+ const home_pool_t *pool;
+ int i;
+ const home_server_t *server;
+ time_t now = time(NULL);
+
+ /*
+ * No pool. Not our realm.
+ */
+ if (!r->auth_pool) return false;
+
+ pool = r->auth_pool;
+
+ for (i = 0; i < pool->num_home_servers; i++) {
+ server = pool->servers[i];
+
+ /*
+ * The realm was loaded from the configuration
+ * files.
+ */
+ if (server->cs) return false;
+
+ /*
+ * These values don't make sense.
+ */
+ if ((server->last_packet_recv > (now + 5)) ||
+ (server->last_failed_open > (now + 5))) {
+ continue;
+ }
+
+ /*
+ * If home server is expired, update
+ */
+ if (now > server->expiration)
+ continue;
+ /*
+ * If we've opened in the last 10 minutes, then
+ * open rather than update.
+ */
+ if ((now - server->last_failed_open) > 600) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+REALM *tr_query_realm(REQUEST *request, char const *realm,
+ char const *community,
+ char const *rprealm,
+ char const *trustrouter,
+ unsigned int port)
+{
+ VALUE_PAIR *vp;
+ struct resp_opaque cookie;
+ bool rv = false;
+
+ if (!realm) return NULL;
+
+ if (!trustrouter || (strcmp(trustrouter, "none") == 0)) return NULL;
+
+ /* clear the cookie structure */
+ memset (&cookie, 0, sizeof(cookie));
+
+ /* See if the request overrides the community*/
+ vp = fr_pair_find_by_num(request->packet->vps, PW_UKERNA_TR_COI, VENDORPEC_UKERNA, TAG_ANY);
+ if (vp)
+ community = vp->vp_strvalue;
+ else pair_make_request("Trust-Router-COI", community, T_OP_SET);
+
+ /* Check if we already have a valid REALM and return it */
+ cookie.fr_realm_name = talloc_asprintf(NULL,
+ "%s%%%s",
+ community, realm);
+ cookie.orig_realm = cookie.output_realm = realm_find(cookie.fr_realm_name);
+ if (cookie.orig_realm && !update_required(cookie.orig_realm))
+ goto cleanup;
+
+ /* We use this lock for serializing TID requests for this realm */
+ realm_lock(realm);
+
+ /* Check again that the realm was not created while we were waiting to acquire the lock. */
+ cookie.orig_realm = cookie.output_realm = realm_find(cookie.fr_realm_name);
+ if (cookie.orig_realm && !update_required(cookie.orig_realm)){
+ realm_unlock(realm);
+ goto cleanup;
+ }
+
+ /* Perform the request/response exchange with the trust router server */
+ rv = tidc_send_recv(trustrouter, port, (char *) rprealm, (char *) realm, (char *)community, &cookie);
+ realm_unlock(realm);
+
+ /* If we weren't able to get a response from the trust router server, goto cleanup (hence return NULL realm) */
+ if (!rv) {
+ DEBUG2("Could not connect with Trust Router server for realm %s, rv = %d\n", realm, rv);
+ module_failure_msg(request, "Could not connect with Trust Router server for realm %s", realm);
+ goto cleanup;
+ }
+
+ /* If we got a response but it is an error one, include a Reply-Message and Error-Cause attributes */
+ if (cookie.result != TID_SUCCESS) {
+ DEBUG2("TID response is error, rc = %d: %s.\n", cookie.result,
+ cookie.err_msg?cookie.err_msg:"(NO ERROR TEXT)");
+ module_failure_msg(request, "TID response is error, rc = %d: %s.\n", cookie.result,
+ cookie.err_msg?cookie.err_msg:"(NO ERROR TEXT)");
+ if (cookie.err_msg)
+ pair_make_reply("Reply-Message", cookie.err_msg, T_OP_SET);
+ pair_make_reply("Error-Cause", "502", T_OP_SET); /*proxy unroutable*/
+ }
+ /* TIDC request was successful. If rekey is enabled, create a rekey event */
+ else if (rekey_enabled) {
+ struct rekey_ctx *rctx = build_rekey_ctx(cookie.output_realm, realm, community,
+ rprealm, trustrouter, port);
+ if (!schedule_rekey(rctx)){
+ talloc_free(rctx);
+ DEBUG2("Error scheduling rekey event for realm %s!", realm);
+ }
+ }
+
+cleanup:
+ if (cookie.fr_realm_name)
+ talloc_free(cookie.fr_realm_name);
+
+ return cookie.output_realm;
+}
+#endif /* HAVE_TRUST_ROUTER_TR_DH_H */