Gitiles
Code Review Sign In
gerrit.opencord.org / freeDiameter-old / 13b0e7de0d66906d50e074a339f890d6e59813ad / . / libfdcore / p_ce.c
blob: 1b4cd1315b200225ae083e69e547a3b7d87e9b49 [file] [log] [blame]
Brian Waters13d96012017-12-08 16:53:31 -0600[diff] [blame]1/*********************************************************************************************************
2* Software License Agreement (BSD License) *
3* Author: Sebastien Decugis <sdecugis@freediameter.net> *
4* *
5* Copyright (c) 2015, WIDE Project and NICT *
6* All rights reserved. *
7* *
8* Redistribution and use of this software in source and binary forms, with or without modification, are *
9* permitted provided that the following conditions are met: *
10* *
11* * Redistributions of source code must retain the above *
12* copyright notice, this list of conditions and the *
13* following disclaimer. *
14* *
15* * Redistributions in binary form must reproduce the above *
16* copyright notice, this list of conditions and the *
17* following disclaimer in the documentation and/or other *
18* materials provided with the distribution. *
19* *
20* * Neither the name of the WIDE Project or NICT nor the *
21* names of its contributors may be used to endorse or *
22* promote products derived from this software without *
23* specific prior written permission of WIDE Project and *
24* NICT. *
25* *
26* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
27* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
28* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
29* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
30* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
31* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
32* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
33* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
34*********************************************************************************************************/
35
36#include "fdcore-internal.h"
37
38/* This file contains code to handle Capabilities Exchange messages (CER and CEA) and election process */
39
40/* Save a connection as peer's principal */
41static int set_peer_cnx(struct fd_peer * peer, struct cnxctx **cnx)
42{
43 CHECK_PARAMS( peer->p_cnxctx == NULL );
44
45 /* Save the connection in peer */
46 peer->p_cnxctx = *cnx;
47 *cnx = NULL;
48
49 /* Set the events to be sent to the PSM */
50 CHECK_FCT( fd_cnx_recv_setaltfifo(peer->p_cnxctx, peer->p_events) );
51
52 /* Read the credentials if possible */
53 if (fd_cnx_getTLS(peer->p_cnxctx)) {
54 CHECK_FCT( fd_cnx_getcred(peer->p_cnxctx, &peer->p_hdr.info.runtime.pir_cert_list, &peer->p_hdr.info.runtime.pir_cert_list_size) );
55 }
56
57 /* Read the endpoints, maybe used to reconnect to the peer later */
58 CHECK_FCT( fd_cnx_getremoteeps(peer->p_cnxctx, &peer->p_hdr.info.pi_endpoints) );
59
60 /* Read the protocol */
61 peer->p_hdr.info.runtime.pir_proto = fd_cnx_getproto(peer->p_cnxctx);
62
63 return 0;
64}
65
66/* Delete the peer connection, and cleanup associated information */
67void fd_p_ce_clear_cnx(struct fd_peer * peer, struct cnxctx ** cnx_kept)
68{
69 peer->p_hdr.info.runtime.pir_cert_list = NULL;
70 peer->p_hdr.info.runtime.pir_cert_list_size = 0;
71 peer->p_hdr.info.runtime.pir_proto = 0;
72
73 if (peer->p_cnxctx) {
74 if (cnx_kept != NULL) {
75 *cnx_kept = peer->p_cnxctx;
76 } else {
77 fd_cnx_destroy(peer->p_cnxctx);
78 }
79 peer->p_cnxctx = NULL;
80 }
81}
82
83/* Election: compare the Diameter Ids by lexical order, return true if the election is won */
84static __inline__ int election_result(struct fd_peer * peer)
85{
86 int ret = (strcasecmp(peer->p_hdr.info.pi_diamid, fd_g_config->cnf_diamid) < 0);
87 if (ret) {
88 TRACE_DEBUG(INFO, "Election WON against peer '%s'", peer->p_hdr.info.pi_diamid);
89 } else {
90 TRACE_DEBUG(INFO, "Election LOST against peer '%s'", peer->p_hdr.info.pi_diamid);
91 }
92 return ret;
93}
94
95/* Add AVPs about local information in a CER or CEA */
96static int add_CE_info(struct msg *msg, struct cnxctx * cnx, int isi_tls, int isi_none)
97{
98 struct dict_object * dictobj = NULL;
99 struct avp * avp = NULL;
100 union avp_value val;
101 struct fd_list *li;
102
103 /* Add the Origin-* AVPs */
104 CHECK_FCT( fd_msg_add_origin ( msg, 1 ) );
105
106 /* Find the model for Host-IP-Address AVP */
107 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Host-IP-Address", &dictobj, ENOENT ) );
108
109 /* Add the AVP(s) -- not sure what is the purpose... We could probably only add the primary one ? */
110 for (li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) {
111 struct fd_endpoint * ep = (struct fd_endpoint *)li;
112 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
113 CHECK_FCT( fd_msg_avp_value_encode ( &ep->ss, avp ) );
114 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
115 }
116
117 /* Vendor-Id, Product-Name, and Firmware-Revision AVPs */
118 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Vendor-Id", &dictobj, ENOENT ) );
119 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
120 val.u32 = MY_VENDOR_ID;
121 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
122 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
123
124 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Product-Name", &dictobj, ENOENT ) );
125 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
126 val.os.data = (unsigned char *)FD_PROJECT_NAME;
127 val.os.len = strlen(FD_PROJECT_NAME);
128 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
129 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
130
131 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Firmware-Revision", &dictobj, ENOENT ) );
132 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
133 val.u32 = (uint32_t)(FD_PROJECT_VERSION_MAJOR * 10000 + FD_PROJECT_VERSION_MINOR * 100 + FD_PROJECT_VERSION_REV);
134 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
135 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
136
137
138 /* Add the Inband-Security-Id AVP if needed */
139 if (isi_tls || isi_none) {
140 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Inband-Security-Id", &dictobj, ENOENT ) );
141
142 if (isi_none) {
143 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
144 val.u32 = ACV_ISI_NO_INBAND_SECURITY;
145 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
146 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
147 }
148
149 if (isi_tls) {
150 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
151 val.u32 = ACV_ISI_TLS;
152 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
153 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
154 }
155 }
156
157 /* List of local applications */
158 {
159 struct dict_object * dictobj_auth = NULL;
160 struct dict_object * dictobj_acct = NULL;
161 struct dict_object * dictobj_vid = NULL;
162
163 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Vendor-Specific-Application-Id", &dictobj, ENOENT ) );
164 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Vendor-Id", &dictobj_vid, ENOENT ) );
165 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Auth-Application-Id", &dictobj_auth, ENOENT ) );
166 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Acct-Application-Id", &dictobj_acct, ENOENT ) );
167
168 for (li = fd_g_config->cnf_apps.next; li != &fd_g_config->cnf_apps; li = li->next) {
169 struct fd_app * a = (struct fd_app *)(li);
170
171 if (a->flags.auth) {
172 CHECK_FCT( fd_msg_avp_new ( dictobj_auth, 0, &avp ) );
173 val.u32 = a->appid;
174 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
175 if (a->vndid != 0) {
176 struct avp * avp2 = NULL;
177 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp2 ) );
178 CHECK_FCT( fd_msg_avp_add( avp2, MSG_BRW_LAST_CHILD, avp ) );
179 avp = avp2;
180 CHECK_FCT( fd_msg_avp_new ( dictobj_vid, 0, &avp2 ) );
181 val.u32 = a->vndid;
182 CHECK_FCT( fd_msg_avp_setvalue( avp2, &val ) );
183 CHECK_FCT( fd_msg_avp_add( avp, MSG_BRW_LAST_CHILD, avp2 ) );
184 }
185 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
186 }
187 if (a->flags.acct) {
188 CHECK_FCT( fd_msg_avp_new ( dictobj_acct, 0, &avp ) );
189 val.u32 = a->appid;
190 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
191 if (a->vndid != 0) {
192 struct avp * avp2 = NULL;
193 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp2 ) );
194 CHECK_FCT( fd_msg_avp_add( avp2, MSG_BRW_LAST_CHILD, avp ) );
195 avp = avp2;
196 CHECK_FCT( fd_msg_avp_new ( dictobj_vid, 0, &avp2 ) );
197 val.u32 = a->vndid;
198 CHECK_FCT( fd_msg_avp_setvalue( avp2, &val ) );
199 CHECK_FCT( fd_msg_avp_add( avp, MSG_BRW_LAST_CHILD, avp2 ) );
200 }
201 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
202 }
203 }
204
205 /* do not forget the relay application */
206 if (! fd_g_config->cnf_flags.no_fwd) {
207 CHECK_FCT( fd_msg_avp_new ( dictobj_auth, 0, &avp ) );
208 val.u32 = AI_RELAY;
209 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
210 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
211 }
212 }
213
214 /* Add the list of supported vendors */
215 {
216 uint32_t * array = fd_dict_get_vendorid_list(fd_g_config->cnf_dict);
217 if (array) {
218 int i = 0;
219 CHECK_FCT( fd_dict_search( fd_g_config->cnf_dict, DICT_AVP, AVP_BY_NAME, "Supported-Vendor-Id", &dictobj, ENOENT ) );
220
221 while (array[i] != 0) {
222 CHECK_FCT( fd_msg_avp_new ( dictobj, 0, &avp ) );
223 val.u32 = array[i];
224 CHECK_FCT( fd_msg_avp_setvalue( avp, &val ) );
225 CHECK_FCT( fd_msg_avp_add( msg, MSG_BRW_LAST_CHILD, avp ) );
226 i++;
227 }
228
229 free(array);
230 }
231 }
232
233 return 0;
234}
235
236/* Remove any information saved from a previous CER/CEA exchange */
237static void cleanup_remote_CE_info(struct fd_peer * peer)
238{
239 /* free linked information */
240 free(peer->p_hdr.info.runtime.pir_realm);
241 free(peer->p_hdr.info.runtime.pir_prodname);
242 while (!FD_IS_LIST_EMPTY(&peer->p_hdr.info.runtime.pir_apps)) {
243 struct fd_list * li = peer->p_hdr.info.runtime.pir_apps.next;
244 fd_list_unlink(li);
245 free(li);
246 }
247 /* note: pir_cert_list needs not be freed (belongs to gnutls) */
248
249 /* cleanup the area */
250 memset(&peer->p_hdr.info.runtime, 0, sizeof(peer->p_hdr.info.runtime));
251
252 /* reinit the list */
253 fd_list_init(&peer->p_hdr.info.runtime.pir_apps, peer);
254
255 /* Remove previously advertised endpoints */
256 fd_ep_clearflags( &peer->p_hdr.info.pi_endpoints, EP_FL_ADV );
257}
258
259/* Extract information sent by the remote peer and save it in our peer structure */
260static int save_remote_CE_info(struct msg * msg, struct fd_peer * peer, struct fd_pei * error, uint32_t *rc)
261{
262 struct avp * avp = NULL;
263
264 cleanup_remote_CE_info(peer);
265
266 CHECK_FCT( fd_msg_browse( msg, MSG_BRW_FIRST_CHILD, &avp, NULL) );
267
268 /* Loop on all AVPs and save what we are interrested into */
269 while (avp) {
270 struct avp_hdr * hdr;
271
272 CHECK_FCT( fd_msg_avp_hdr( avp, &hdr ) );
273
274 if (hdr->avp_flags & AVP_FLAG_VENDOR) {
275 /* Ignore all vendor-specific AVPs in CER/CEA because we don't support any currently */
276 LOG_A("Ignored a vendor-specific AVP in CER / CEA");
277 goto next;
278 }
279
280 switch (hdr->avp_code) {
281 case AC_RESULT_CODE: /* Result-Code */
282 if (hdr->avp_value == NULL) {
283 /* This is a sanity check */
284 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
285 ASSERT(0); /* To check if this really happens, and understand why... */
286 goto next;
287 }
288
289 if (rc)
290 *rc = hdr->avp_value->u32;
291 break;
292
293 case AC_ORIGIN_HOST: /* Origin-Host */
294 if (hdr->avp_value == NULL) {
295 /* This is a sanity check */
296 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
297 ASSERT(0); /* To check if this really happens, and understand why... */
298 goto next;
299 }
300
301 /* We check that the value matches what we know, otherwise disconnect the peer */
302 if (fd_os_almostcasesrch(hdr->avp_value->os.data, hdr->avp_value->os.len,
303 peer->p_hdr.info.pi_diamid, peer->p_hdr.info.pi_diamidlen, NULL)) {
304 TRACE_DEBUG(INFO, "Received a message with Origin-Host set to '%.*s' while expecting '%s'",
305 (int)hdr->avp_value->os.len, hdr->avp_value->os.data, peer->p_hdr.info.pi_diamid);
306 error->pei_errcode = "DIAMETER_AVP_NOT_ALLOWED";
307 error->pei_message = "Your Origin-Host value does not match my configuration.";
308 error->pei_avp = avp;
309 return EINVAL;
310 }
311
312 break;
313
314 case AC_ORIGIN_REALM: /* Origin-Realm */
315 if (hdr->avp_value == NULL) {
316 /* This is a sanity check */
317 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
318 ASSERT(0); /* To check if this really happens, and understand why... */
319 goto next;
320 }
321
322 /* In case of multiple AVPs */
323 if (peer->p_hdr.info.runtime.pir_realm) {
324 TRACE_DEBUG(INFO, "Multiple instances of the Origin-Realm AVP");
325 error->pei_errcode = "DIAMETER_AVP_OCCURS_TOO_MANY_TIMES";
326 error->pei_message = "I found several Origin-Realm AVPs";
327 error->pei_avp = avp;
328 return EINVAL;
329 }
330
331 /* If the octet string contains a \0 */
332 if (!fd_os_is_valid_DiameterIdentity(hdr->avp_value->os.data, hdr->avp_value->os.len)) {
333 error->pei_errcode = "DIAMETER_INVALID_AVP_VALUE";
334 error->pei_message = "Your Origin-Realm contains invalid characters.";
335 error->pei_avp = avp;
336 return EINVAL;
337 }
338
339 /* Save the value */
340 CHECK_MALLOC( peer->p_hdr.info.runtime.pir_realm = os0dup( hdr->avp_value->os.data, hdr->avp_value->os.len ) );
341 peer->p_hdr.info.runtime.pir_realmlen = hdr->avp_value->os.len;
342 break;
343
344 case AC_HOST_IP_ADDRESS: /* Host-IP-Address */
345 if (hdr->avp_value == NULL) {
346 /* This is a sanity check */
347 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
348 ASSERT(0); /* To check if this really happens, and understand why... */
349 goto next;
350 }
351 {
352 sSS ss;
353
354 /* Get the sockaddr value */
355 memset(&ss, 0, sizeof(ss));
356 CHECK_FCT_DO( fd_msg_avp_value_interpret( avp, &ss),
357 {
358 /* in case of error, assume the AVP value was wrong */
359 error->pei_errcode = "DIAMETER_INVALID_AVP_VALUE";
360 error->pei_avp = avp;
361 return EINVAL;
362 } );
363
364 /* Save this endpoint in the list as advertized */
365 CHECK_FCT( fd_ep_add_merge( &peer->p_hdr.info.pi_endpoints, (sSA *)&ss, sizeof(sSS), EP_FL_ADV ) );
366 }
367 break;
368
369 case AC_VENDOR_ID: /* Vendor-Id */
370 if (hdr->avp_value == NULL) {
371 /* This is a sanity check */
372 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
373 ASSERT(0); /* To check if this really happens, and understand why... */
374 goto next;
375 }
376
377 /* In case of multiple AVPs */
378 if (peer->p_hdr.info.runtime.pir_vendorid) {
379 TRACE_DEBUG(INFO, "Multiple instances of the Vendor-Id AVP");
380 error->pei_errcode = "DIAMETER_AVP_OCCURS_TOO_MANY_TIMES";
381 error->pei_message = "I found several Vendor-Id AVPs";
382 error->pei_avp = avp;
383 return EINVAL;
384 }
385
386 peer->p_hdr.info.runtime.pir_vendorid = hdr->avp_value->u32;
387 break;
388
389 case AC_PRODUCT_NAME: /* Product-Name */
390 if (hdr->avp_value == NULL) {
391 /* This is a sanity check */
392 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
393 ASSERT(0); /* To check if this really happens, and understand why... */
394 goto next;
395 }
396
397 /* In case of multiple AVPs */
398 if (peer->p_hdr.info.runtime.pir_prodname) {
399 TRACE_DEBUG(INFO, "Multiple instances of the Product-Name AVP");
400 error->pei_errcode = "DIAMETER_AVP_OCCURS_TOO_MANY_TIMES";
401 error->pei_message = "I found several Product-Name AVPs";
402 error->pei_avp = avp;
403 return EINVAL;
404 }
405
406 CHECK_MALLOC( peer->p_hdr.info.runtime.pir_prodname = calloc( hdr->avp_value->os.len + 1, 1 ) );
407 memcpy(peer->p_hdr.info.runtime.pir_prodname, hdr->avp_value->os.data, hdr->avp_value->os.len);
408 break;
409
410 case AC_ORIGIN_STATE_ID: /* Origin-State-Id */
411 if (hdr->avp_value == NULL) {
412 /* This is a sanity check */
413 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
414 ASSERT(0); /* To check if this really happens, and understand why... */
415 goto next;
416 }
417
418 /* In case of multiple AVPs */
419 if (peer->p_hdr.info.runtime.pir_orstate) {
420 TRACE_DEBUG(INFO, "Multiple instances of the Origin-State-Id AVP");
421 error->pei_errcode = "DIAMETER_AVP_OCCURS_TOO_MANY_TIMES";
422 error->pei_message = "I found several Origin-State-Id AVPs";
423 error->pei_avp = avp;
424 return EINVAL;
425 }
426
427 peer->p_hdr.info.runtime.pir_orstate = hdr->avp_value->u32;
428 break;
429
430 case AC_SUPPORTED_VENDOR_ID: /* Supported-Vendor-Id */
431 if (hdr->avp_value == NULL) {
432 /* This is a sanity check */
433 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
434 ASSERT(0); /* To check if this really happens, and understand why... */
435 goto next;
436 }
437
438 TRACE_DEBUG(FULL, "'%s' claims support for a subset of vendor %d features.", peer->p_hdr.info.pi_diamid, hdr->avp_value->u32);
439 /* not that it makes a difference for us...
440 -- if an application actually needs this info, we could save it somewhere.
441 */
442 break;
443
444 case AC_VENDOR_SPECIFIC_APPLICATION_ID: /* Vendor-Specific-Application-Id (grouped)*/
445 {
446 struct avp * inavp = NULL;
447 vendor_id_t vid = 0;
448 application_id_t auth_aid = 0;
449 application_id_t acct_aid = 0;
450 int invalid=0;
451
452 /* get the first child AVP */
453 CHECK_FCT( fd_msg_browse(avp, MSG_BRW_FIRST_CHILD, &inavp, NULL) );
454
455 while (inavp) {
456 struct avp_hdr * inhdr;
457 CHECK_FCT( fd_msg_avp_hdr( inavp, &inhdr ) );
458
459 if (inhdr->avp_flags & AVP_FLAG_VENDOR) {
460 LOG_A("Ignored a vendor AVP inside Vendor-Specific-Application-Id AVP");
461 goto innext;
462 }
463
464 if (inhdr->avp_value == NULL) {
465 /* This is a sanity check */
466 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
467 ASSERT(0); /* To check if this really happens, and understand why... */
468 goto innext;
469 }
470 switch (inhdr->avp_code) {
471 case AC_VENDOR_ID: /* Vendor-Id */
472#ifndef WORKAROUND_ACCEPT_INVALID_VSAI
473 if (vid != 0)
474 invalid++; /* We already had one such AVP. This is invalid according to RFC6733 but not RFC3588 (but there is an erratum) */
475#endif /* WORKAROUND_ACCEPT_INVALID_VSAI */
476 vid = inhdr->avp_value->u32;
477 break;
478 case AC_AUTH_APPLICATION_ID: /* Auth-Application-Id */
479 if (auth_aid != 0)
480 invalid++; /* We already had one such AVP */
481#ifndef WORKAROUND_ACCEPT_INVALID_VSAI
482 if (acct_aid != 0)
483 invalid++; /* Only 1 *-Application-Id AVP is allowed */
484#endif /* WORKAROUND_ACCEPT_INVALID_VSAI */
485 auth_aid = inhdr->avp_value->u32;
486 break;
487 case AC_ACCT_APPLICATION_ID: /* Acct-Application-Id */
488 if (acct_aid != 0)
489 invalid++; /* We already had one such AVP */
490#ifndef WORKAROUND_ACCEPT_INVALID_VSAI
491 if (auth_aid != 0)
492 invalid++; /* Only 1 *-Application-Id AVP is allowed */
493#endif /* WORKAROUND_ACCEPT_INVALID_VSAI */
494 acct_aid = inhdr->avp_value->u32;
495 break;
496 /* ignore other AVPs */
497 }
498
499 if (invalid) {
500 TRACE_DEBUG(FULL, "Invalid Vendor-Specific-Application-Id AVP received");
501 error->pei_errcode = "DIAMETER_INVALID_AVP_VALUE";
502 error->pei_avp = avp;
503 return EINVAL;
504 }
505
506 innext:
507 /* Go to next in AVP */
508 CHECK_FCT( fd_msg_browse(inavp, MSG_BRW_NEXT, &inavp, NULL) );
509 }
510
511 /* Add entry in the list */
512 if (auth_aid) {
513 CHECK_FCT( fd_app_merge(&peer->p_hdr.info.runtime.pir_apps, auth_aid, vid, 1, 0) );
514 }
515 if (acct_aid) {
516 CHECK_FCT( fd_app_merge(&peer->p_hdr.info.runtime.pir_apps, acct_aid, vid, 0, 1) );
517 }
518 }
519 break;
520
521 case AC_AUTH_APPLICATION_ID: /* Auth-Application-Id */
522 if (hdr->avp_value == NULL) {
523 /* This is a sanity check */
524 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
525 ASSERT(0); /* To check if this really happens, and understand why... */
526 goto next;
527 }
528
529 if (hdr->avp_value->u32 == AI_RELAY) {
530 peer->p_hdr.info.runtime.pir_relay = 1;
531 } else {
532 CHECK_FCT( fd_app_merge(&peer->p_hdr.info.runtime.pir_apps, hdr->avp_value->u32, 0, 1, 0) );
533 }
534 break;
535
536 case AC_ACCT_APPLICATION_ID: /* Acct-Application-Id */
537 if (hdr->avp_value == NULL) {
538 /* This is a sanity check */
539 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
540 ASSERT(0); /* To check if this really happens, and understand why... */
541 goto next;
542 }
543
544 if (hdr->avp_value->u32 == AI_RELAY) {
545 /* Not clear if the relay application can be inside this AVP... */
546 peer->p_hdr.info.runtime.pir_relay = 1;
547 } else {
548 CHECK_FCT( fd_app_merge(&peer->p_hdr.info.runtime.pir_apps, hdr->avp_value->u32, 0, 0, 1) );
549 }
550 break;
551
552 case AC_FIRMWARE_REVISION: /* Firmware-Revision */
553 if (hdr->avp_value == NULL) {
554 /* This is a sanity check */
555 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
556 ASSERT(0); /* To check if this really happens, and understand why... */
557 goto next;
558 }
559
560 peer->p_hdr.info.runtime.pir_firmrev = hdr->avp_value->u32;
561 break;
562
563 case AC_INBAND_SECURITY_ID: /* Inband-Security-Id */
564 if (hdr->avp_value == NULL) {
565 /* This is a sanity check */
566 LOG_F("Ignored an AVP (code %x) with unset value in CER/CEA", hdr->avp_code);
567 ASSERT(0); /* To check if this really happens, and understand why... */
568 goto next;
569 }
570 if (hdr->avp_value->u32 >= 32 ) {
571 error->pei_errcode = "DIAMETER_INVALID_AVP_VALUE";
572 error->pei_message = "I don't support this Inband-Security-Id value (yet).";
573 error->pei_avp = avp;
574 return EINVAL;
575 }
576 peer->p_hdr.info.runtime.pir_isi |= (1 << hdr->avp_value->u32);
577 break;
578 }
579
580next:
581 /* Go to next AVP */
582 CHECK_FCT( fd_msg_browse(avp, MSG_BRW_NEXT, &avp, NULL) );
583 }
584
585 return 0;
586}
587
588/* Create a CER message for sending */
589static int create_CER(struct fd_peer * peer, struct cnxctx * cnx, struct msg ** cer)
590{
591 int isi_tls = 0;
592 int isi_none = 0;
593
594 /* Find CER dictionary object and create an instance */
595 CHECK_FCT( fd_msg_new ( fd_dict_cmd_CER, MSGFL_ALLOC_ETEID, cer ) );
596
597 /* Do we need Inband-Security-Id AVPs ? If we're already using TLS, we don't... */
598 if (!fd_cnx_getTLS(cnx)) {
599 isi_none = peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE; /* we add it even if the peer does not use the old mechanism, it is impossible to distinguish */
600
601 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) {
602 if (fd_g_config->cnf_sec_data.tls_disabled) {
603 LOG_N("TLS disabled locally, so Inband-Security-Id (TLS) not included for peer %s", peer->p_hdr.info.pi_diamid);
604 } else {
605 isi_tls = 1;
606 }
607 }
608 }
609
610 /* Add the information about the local peer */
611 CHECK_FCT( add_CE_info(*cer, cnx, isi_tls, isi_none) );
612
613 /* Done! */
614 return 0;
615}
616
617
618/* Continue with the initiator side */
619static int to_waitcea(struct fd_peer * peer, struct cnxctx * cnx)
620{
621 /* We sent a CER on the connection, set the event queue so that we receive the CEA */
622 CHECK_FCT( set_peer_cnx(peer, &cnx) );
623
624 /* Change state and reset the timer */
625 CHECK_FCT( fd_psm_change_state(peer, STATE_WAITCEA) );
626 fd_psm_next_timeout(peer, 0, CEA_TIMEOUT);
627
628 return 0;
629}
630
631/* Reject an incoming connection attempt */
632static void receiver_reject(struct cnxctx ** recv_cnx, struct msg ** cer, struct fd_pei * error)
633{
634 struct msg_hdr * hdr = NULL;
635
636 /* Create and send the CEA with appropriate error code */
637 CHECK_FCT_DO( fd_msg_new_answer_from_req ( fd_g_config->cnf_dict, cer, MSGFL_ANSW_ERROR ), goto destroy );
638 CHECK_FCT_DO( fd_msg_rescode_set(*cer, error->pei_errcode, error->pei_message, error->pei_avp, 0 ), goto destroy );
639 CHECK_FCT_DO( fd_msg_hdr( *cer, &hdr ), goto destroy );
640 if (hdr->msg_flags & CMD_FLAG_ERROR) {
641 /* Generic error format, just add the origin AVPs */
642 CHECK_FCT_DO( fd_msg_add_origin ( *cer, 1 ), goto destroy );
643 } else {
644 /* Add other AVPs to be compliant with the ABNF */
645 CHECK_FCT_DO( add_CE_info(*cer, *recv_cnx, 0, 0), goto destroy );
646 }
647 CHECK_FCT_DO( fd_out_send(cer, *recv_cnx, NULL, 0), goto destroy );
648
649 if (error->pei_avp_free) {
650 fd_msg_free(error->pei_avp);
651 }
652
653 /* And now destroy this connection */
654destroy:
655 fd_cnx_destroy(*recv_cnx);
656 *recv_cnx = NULL;
657 if (*cer) {
658 fd_hook_call(HOOK_MESSAGE_DROPPED, *cer, NULL, "An error occurred while rejecting this CER.", fd_msg_pmdl_get(*cer));
659 fd_msg_free(*cer);
660 *cer = NULL;
661 }
662}
663
664/* We have established a new connection to the remote peer, send CER and eventually process the election */
665int fd_p_ce_handle_newcnx(struct fd_peer * peer, struct cnxctx * initiator)
666{
667 struct msg * cer = NULL;
668
669 /* Send CER on the new connection */
670 CHECK_FCT( create_CER(peer, initiator, &cer) );
671 CHECK_FCT( fd_out_send(&cer, initiator, peer, 0) );
672
673 /* Are we doing an election ? */
674 if (fd_peer_getstate(peer) == STATE_WAITCNXACK_ELEC) {
675 if (election_result(peer)) {
676 /* Close initiator connection */
677 fd_cnx_destroy(initiator);
678
679 LOG_D("%s: Election lost on outgoing connection, closing and answering CEA on incoming connection.", peer->p_hdr.info.pi_diamid);
680
681 /* Process with the receiver side */
682 CHECK_FCT( fd_p_ce_process_receiver(peer) );
683
684 } else {
685 struct fd_pei pei;
686 memset(&pei, 0, sizeof(pei));
687 pei.pei_errcode = "ELECTION_LOST";
688 pei.pei_message = "Please answer my CER instead, you won the election.";
689 LOG_D("%s: Election lost on incoming connection, closing and waiting for CEA on outgoing connection.", peer->p_hdr.info.pi_diamid);
690
691 /* Answer an ELECTION LOST to the receiver side */
692 receiver_reject(&peer->p_receiver, &peer->p_cer, &pei);
693 CHECK_FCT( to_waitcea(peer, initiator) );
694 }
695 } else {
696 /* No election (yet) */
697 CHECK_FCT( to_waitcea(peer, initiator) );
698 }
699
700 return 0;
701}
702
703/* We have received a Capabilities Exchange message on the peer connection */
704int fd_p_ce_msgrcv(struct msg ** msg, int req, struct fd_peer * peer)
705{
706 uint32_t rc = 0;
707 int st;
708 struct fd_pei pei;
709
710 TRACE_ENTRY("%p %p", msg, peer);
711 CHECK_PARAMS( msg && *msg && CHECK_PEER(peer) );
712
713 /* The only valid situation where we are called is in WAITCEA and we receive a CEA (we may have won an election) */
714
715 /* Note : to implement Capabilities Update, we would need to change here */
716
717 /* If it is a CER, just reply an error */
718 if (req) {
719 /* Create the error message */
720 CHECK_FCT( fd_msg_new_answer_from_req ( fd_g_config->cnf_dict, msg, MSGFL_ANSW_ERROR ) );
721
722 /* Set the error code */
723 CHECK_FCT( fd_msg_rescode_set(*msg, "DIAMETER_UNABLE_TO_COMPLY", "No CER allowed in current state", NULL, 1 ) );
724
725 /* msg now contains an answer message to send back */
726 CHECK_FCT_DO( fd_out_send(msg, NULL, peer, 0), /* In case of error the message has already been dumped */ );
727 }
728
729 /* If the state is not WAITCEA, just discard the message */
730 if (req || ((st = fd_peer_getstate(peer)) != STATE_WAITCEA)) {
731 if (*msg) {
732 /* In such case, just discard the message */
733 char buf[128];
734 snprintf(buf, sizeof(buf), "Received while peer state machine was in state %s.", STATE_STR(st));
735 fd_hook_call(HOOK_MESSAGE_DROPPED, *msg, peer, buf, fd_msg_pmdl_get(*msg));
736
737 CHECK_FCT_DO( fd_msg_free(*msg), /* continue */);
738 *msg = NULL;
739 }
740
741 return 0;
742 }
743
744 memset(&pei, 0, sizeof(pei));
745
746 /* Save info from the CEA into the peer */
747 CHECK_FCT_DO( save_remote_CE_info(*msg, peer, &pei, &rc),
748 {
749 fd_hook_call(HOOK_PEER_CONNECT_FAILED, *msg, peer, "An error occurred while processing incoming CEA.", NULL);
750 goto cleanup;
751 } );
752
753 /* Check the Result-Code */
754 switch (rc) {
755 case ER_DIAMETER_SUCCESS:
756 /* Log success */
757 fd_hook_call(HOOK_PEER_CONNECT_SUCCESS, *msg, peer, NULL, NULL);
758
759 /* Dispose of the message, we don't need it anymore */
760 CHECK_FCT_DO( fd_msg_free(*msg), /* continue */ );
761 *msg = NULL;
762
763 /* No problem, we can continue */
764 break;
765
766 case ER_DIAMETER_TOO_BUSY:
767 /* Retry later */
768 fd_hook_call(HOOK_PEER_CONNECT_FAILED, *msg, peer, "Remote peer is too busy", NULL);
769 fd_psm_cleanup(peer, 0);
770 fd_psm_next_timeout(peer, 0, 300);
771 return 0;
772
773 case ER_ELECTION_LOST:
774 /* Ok, just wait for a little while for the CER to be processed on the other connection. */
775 TRACE_DEBUG(FULL, "Peer %s replied a CEA with Result-Code AVP ELECTION_LOST, waiting for events.", peer->p_hdr.info.pi_diamid);
776 return 0;
777
778 default:
779 /* In any other case, we abort all attempts to connect to this peer */
780 fd_hook_call(HOOK_PEER_CONNECT_FAILED, *msg, peer, "CEA with unexpected error code", NULL);
781 return EINVAL;
782 }
783
784
785 /* Handshake if needed, start clear otherwise */
786 if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) {
787 int todo = peer->p_hdr.info.config.pic_flags.sec & peer->p_hdr.info.runtime.pir_isi ;
788 /* Special case: if the peer did not send a ISI AVP */
789 if (peer->p_hdr.info.runtime.pir_isi == 0)
790 todo = peer->p_hdr.info.config.pic_flags.sec;
791
792 if (todo == PI_SEC_NONE) {
793 /* Ok for clear connection */
794 TRACE_DEBUG(INFO, "No TLS protection negotiated with peer '%s'.", peer->p_hdr.info.pi_diamid);
795 CHECK_FCT( fd_cnx_start_clear(peer->p_cnxctx, 1) );
796
797 } else if (fd_g_config->cnf_sec_data.tls_disabled) {
798 LOG_E("Clear connection with remote peer '%s' is not (explicitly) allowed, and TLS is disabled. Giving up...", peer->p_hdr.info.pi_diamid);
799 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "TLS is disabled and peer is not configured for IPsec", NULL);
800 goto cleanup;
801
802 } else {
803 fd_psm_change_state(peer, STATE_OPEN_HANDSHAKE);
804 CHECK_FCT_DO( fd_cnx_handshake(peer->p_cnxctx, GNUTLS_CLIENT, ALGO_HANDSHAKE_3436, peer->p_hdr.info.config.pic_priority, NULL),
805 {
806 /* Handshake failed ... */
807 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "TLS handshake failed after CER/CEA exchange", NULL);
808 goto cleanup;
809 } );
810
811 /* Retrieve the credentials */
812 CHECK_FCT( fd_cnx_getcred(peer->p_cnxctx, &peer->p_hdr.info.runtime.pir_cert_list, &peer->p_hdr.info.runtime.pir_cert_list_size) );
813 }
814 }
815
816 /* Move to next state */
817 if (peer->p_flags.pf_cnx_pb) {
818 fd_psm_change_state(peer, STATE_REOPEN );
819 CHECK_FCT( fd_p_dw_reopen(peer) );
820 } else {
821 fd_psm_change_state(peer, STATE_OPEN );
822 fd_psm_next_timeout(peer, 1, peer->p_hdr.info.config.pic_twtimer ?: fd_g_config->cnf_timer_tw);
823 }
824
825 return 0;
826
827cleanup:
828 fd_p_ce_clear_cnx(peer, NULL);
829
830 /* Send the error to the peer */
831 CHECK_FCT( fd_event_send(peer->p_events, FDEVP_CNX_ERROR, 0, NULL) );
832
833 return 0;
834}
835
836/* Handle the receiver side to go to OPEN or OPEN_NEW state (any election is resolved) */
837int fd_p_ce_process_receiver(struct fd_peer * peer)
838{
839 struct fd_pei pei;
840 struct msg * msg = NULL;
841 int isi = 0;
842 int fatal = 0;
843 int tls_sync=0;
844
845 TRACE_ENTRY("%p", peer);
846
847 CHECK_FCT_DO( set_peer_cnx(peer, &peer->p_receiver),
848 {
849 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "Error saving the incoming connection in the peer structure", NULL);
850 return __ret__;
851 } );
852 msg = peer->p_cer;
853 peer->p_cer = NULL;
854
855 memset(&pei, 0, sizeof(pei));
856
857 /* Parse the content of the received CER */
858 CHECK_FCT_DO( save_remote_CE_info(msg, peer, &pei, NULL), goto error_abort );
859
860 /* Validate the realm if needed */
861 if (peer->p_hdr.info.config.pic_realm) {
862 size_t len = strlen(peer->p_hdr.info.config.pic_realm);
863 if (fd_os_almostcasesrch(peer->p_hdr.info.config.pic_realm, len, peer->p_hdr.info.runtime.pir_realm, peer->p_hdr.info.runtime.pir_realmlen, NULL)) {
864 TRACE_DEBUG(INFO, "Rejected CER from peer '%s', realm mismatch with configured value (returning DIAMETER_UNKNOWN_PEER).", peer->p_hdr.info.pi_diamid);
865 pei.pei_errcode = "DIAMETER_UNKNOWN_PEER"; /* maybe AVP_NOT_ALLOWED would be better fit? */
866 goto error_abort;
867 }
868 }
869
870 /* Save the credentials if handshake already occurred */
871 if ( fd_cnx_getTLS(peer->p_cnxctx) ) {
872 CHECK_FCT( fd_cnx_getcred(peer->p_cnxctx, &peer->p_hdr.info.runtime.pir_cert_list, &peer->p_hdr.info.runtime.pir_cert_list_size) );
873 }
874
875 /* Validate the peer if needed */
876 if (peer->p_flags.pf_responder) {
877 int res = fd_peer_validate( peer );
878 if (res < 0) {
879 TRACE_DEBUG(INFO, "Rejected CER from peer '%s', validation failed (returning DIAMETER_UNKNOWN_PEER).", peer->p_hdr.info.pi_diamid);
880 pei.pei_errcode = "DIAMETER_UNKNOWN_PEER";
881 goto error_abort;
882 }
883 CHECK_FCT( res );
884 }
885
886 /* Check if we have common applications */
887 if ( fd_g_config->cnf_flags.no_fwd && (! peer->p_hdr.info.runtime.pir_relay) ) {
888 int got_common;
889 CHECK_FCT( fd_app_check_common( &fd_g_config->cnf_apps, &peer->p_hdr.info.runtime.pir_apps, &got_common) );
890 if (!got_common) {
891 TRACE_DEBUG(INFO, "No common application with peer '%s', sending DIAMETER_NO_COMMON_APPLICATION", peer->p_hdr.info.pi_diamid);
892 pei.pei_errcode = "DIAMETER_NO_COMMON_APPLICATION";
893 fatal = 1;
894 goto error_abort;
895 }
896 }
897
898 /* Do we agree on ISI ? */
899 if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) {
900
901 /* In case of responder, the validate callback must have set the config.pic_flags.sec value already */
902
903 /* First case: we are not using old mechanism: ISI are deprecated, we ignore it. */
904 if ( ! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)) {
905 /* Just check then that the peer configuration allows for IPsec protection */
906 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
907 isi = PI_SEC_NONE;
908 } else {
909 /* otherwise, we should have already been protected. Reject */
910 TRACE_DEBUG(INFO, "Non TLS-protected CER/CEA exchanges are not allowed with this peer, rejecting.");
911 }
912 } else {
913 /* The old mechanism is allowed with this peer. Now, look into the ISI AVP values */
914
915 /* In case no ISI was present anyway: */
916 if (!peer->p_hdr.info.runtime.pir_isi) {
917 TRACE_DEBUG(INFO, "Inband-Security-Id AVP is missing in received CER.");
918 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) {
919 isi = PI_SEC_NONE;
920 TRACE_DEBUG(INFO, "IPsec protection allowed by configuration, allowing this mechanism to be used.");
921 } else {
922 /* otherwise, we should have already been protected. Reject */
923 TRACE_DEBUG(INFO, "Rejecting the peer connection (please allow IPsec here or configure TLS in the remote peer).");
924 }
925 } else {
926 /* OK, the remote peer did send the ISI AVP. */
927 if ((peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE) && (peer->p_hdr.info.runtime.pir_isi & PI_SEC_NONE)) {
928 /* We have allowed IPsec */
929 isi = PI_SEC_NONE;
930 } else if (fd_g_config->cnf_sec_data.tls_disabled) {
931 /* We can agree on TLS */
932 TRACE_DEBUG(INFO, "Remote peer is not allowed for IPsec and TLS is disabled.");;
933 } else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) {
934 /* We can agree on TLS */
935 isi = PI_SEC_TLS_OLD;
936 } else {
937 TRACE_DEBUG(INFO, "Remote peer requested IPsec protection, but local configuration forbids it.");
938 }
939 }
940 }
941
942 /* If we did not find an agreement */
943 if (!isi) {
944 TRACE_DEBUG(INFO, "No common security mechanism with '%s', sending DIAMETER_NO_COMMON_SECURITY", peer->p_hdr.info.pi_diamid);
945 pei.pei_errcode = "DIAMETER_NO_COMMON_SECURITY";
946 fatal = 1;
947 goto error_abort;
948 }
949
950 /* Do not send the ISI IPsec if we are using the new mechanism */
951 if ((isi == PI_SEC_NONE) && (! (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD)))
952 isi = 0;
953 } else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) {
954 /* Seem some weird peers are sending the Inband-Security-Id AVP on the secure port... No harm */
955 isi = PI_SEC_TLS_OLD;
956 }
957
958 /* Reply a CEA */
959 CHECK_FCT( fd_msg_new_answer_from_req ( fd_g_config->cnf_dict, &msg, 0 ) );
960 CHECK_FCT( fd_msg_rescode_set(msg, "DIAMETER_SUCCESS", NULL, NULL, 0 ) );
961 CHECK_FCT( add_CE_info(msg, peer->p_cnxctx, isi & PI_SEC_TLS_OLD, isi & PI_SEC_NONE) );
962
963 /* The connection is complete, but we may still need TLS handshake */
964 fd_hook_call(HOOK_PEER_CONNECT_SUCCESS, msg, peer, NULL, NULL);
965
966 CHECK_FCT( fd_out_send(&msg, peer->p_cnxctx, peer, 0 ) );
967
968 /* Handshake if needed */
969 if (isi & PI_SEC_TLS_OLD) {
970 fd_psm_change_state(peer, STATE_OPEN_HANDSHAKE);
971 CHECK_FCT_DO( fd_cnx_handshake(peer->p_cnxctx, GNUTLS_SERVER, ALGO_HANDSHAKE_3436, peer->p_hdr.info.config.pic_priority, NULL),
972 {
973 /* Handshake failed ... */
974 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "TLS handshake failed after CER/CEA exchange", NULL);
975 goto cleanup;
976 } );
977
978 /* Retrieve the credentials */
979 CHECK_FCT_DO( fd_cnx_getcred(peer->p_cnxctx, &peer->p_hdr.info.runtime.pir_cert_list, &peer->p_hdr.info.runtime.pir_cert_list_size),
980 {
981 /* Error ... */
982 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "Unable to retrieve remote credentials after TLS handshake", NULL);
983 goto cleanup;
984 } );
985
986
987 /* Call second validation callback if needed */
988 if (peer->p_cb2) {
989 TRACE_DEBUG(FULL, "Calling second validation callback for %s", peer->p_hdr.info.pi_diamid);
990 CHECK_FCT_DO( (*peer->p_cb2)( &peer->p_hdr.info ),
991 {
992 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "Validation callback rejected the peer after handshake", NULL);
993 CHECK_FCT( fd_psm_terminate( peer, "DO_NOT_WANT_TO_TALK_TO_YOU" ) );
994 return 0;
995 } );
996 }
997 tls_sync = 1;
998 } else {
999 if ( ! fd_cnx_getTLS(peer->p_cnxctx) ) {
1000 TRACE_DEBUG(INFO, "No TLS protection negotiated with peer '%s'.", peer->p_hdr.info.pi_diamid);
1001 CHECK_FCT( fd_cnx_start_clear(peer->p_cnxctx, 1) );
1002 }
1003 }
1004
1005 /* Move to OPEN or REOPEN state */
1006 if (peer->p_flags.pf_cnx_pb) {
1007 fd_psm_change_state(peer, STATE_REOPEN );
1008 CHECK_FCT( fd_p_dw_reopen(peer) );
1009 } else {
1010 if ((!tls_sync) && (fd_cnx_is_unordered_delivery_supported(peer->p_cnxctx))) {
1011 fd_psm_change_state(peer, STATE_OPEN_NEW );
1012 /* send DWR */
1013 CHECK_FCT( fd_p_dw_timeout(peer) );
1014 } else {
1015
1016 fd_psm_change_state(peer, STATE_OPEN );
1017 fd_psm_next_timeout(peer, 1, peer->p_hdr.info.config.pic_twtimer ?: fd_g_config->cnf_timer_tw);
1018 }
1019 }
1020
1021 return 0;
1022
1023error_abort:
1024 if (pei.pei_errcode) {
1025 /* Send the error */
1026 fd_hook_call(HOOK_PEER_CONNECT_FAILED, msg, peer, pei.pei_message ?: pei.pei_errcode, NULL);
1027 receiver_reject(&peer->p_cnxctx, &msg, &pei);
1028 } else {
1029 char buf[1024];
1030 snprintf(buf, sizeof(buf), "Unexpected error occurred while processing incoming connection from '%s'.", peer->p_hdr.info.pi_diamid);
1031 fd_hook_call(HOOK_PEER_CONNECT_FAILED, msg, peer, buf, NULL);
1032 }
1033
1034cleanup:
1035 if (msg) {
1036 fd_msg_free(msg);
1037 }
1038 fd_p_ce_clear_cnx(peer, NULL);
1039
1040 /* Send the error to the peer */
1041 CHECK_FCT( fd_event_send(peer->p_events, fatal ? FDEVP_TERMINATE : FDEVP_CNX_ERROR, 0, NULL) );
1042
1043 return 0;
1044}
1045
1046/* We have received a CER on a new connection for this peer */
1047int fd_p_ce_handle_newCER(struct msg ** msg, struct fd_peer * peer, struct cnxctx ** cnx, int valid)
1048{
1049 struct fd_pei pei;
1050 int cur_state = fd_peer_getstate(peer);
1051 memset(&pei, 0, sizeof(pei));
1052
1053 switch (cur_state) {
1054 case STATE_CLOSED:
1055 peer->p_receiver = *cnx;
1056 *cnx = NULL;
1057 peer->p_cer = *msg;
1058 *msg = NULL;
1059 CHECK_FCT( fd_p_ce_process_receiver(peer) );
1060 break;
1061
1062 case STATE_WAITCNXACK:
1063 /* Save the parameters in the peer, move to STATE_WAITCNXACK_ELEC */
1064 peer->p_receiver = *cnx;
1065 *cnx = NULL;
1066 peer->p_cer = *msg;
1067 *msg = NULL;
1068 CHECK_FCT( fd_psm_change_state(peer, STATE_WAITCNXACK_ELEC) );
1069 break;
1070
1071 case STATE_WAITCEA:
1072 if (election_result(peer)) {
1073
1074 /* Close initiator connection (was already set as principal) */
1075 LOG_D("%s: Election lost on outgoing connection, closing and answering CEA on incoming connection.", peer->p_hdr.info.pi_diamid);
1076 fd_p_ce_clear_cnx(peer, NULL);
1077
1078 /* and go on with the receiver side */
1079 peer->p_receiver = *cnx;
1080 *cnx = NULL;
1081 peer->p_cer = *msg;
1082 *msg = NULL;
1083 CHECK_FCT( fd_p_ce_process_receiver(peer) );
1084
1085 } else {
1086
1087 /* Answer an ELECTION LOST to the receiver side and continue */
1088 pei.pei_errcode = "ELECTION_LOST";
1089 pei.pei_message = "Please answer my CER instead, you won the election.";
1090 LOG_D("%s: Election lost on incoming connection, closing and waiting for CEA on outgoing connection.", peer->p_hdr.info.pi_diamid);
1091 receiver_reject(cnx, msg, &pei);
1092 }
1093 break;
1094
1095 default:
1096 pei.pei_errcode = "DIAMETER_UNABLE_TO_COMPLY"; /* INVALID COMMAND? in case of Capabilities-Updates? */
1097 pei.pei_message = "Invalid state to receive a new connection attempt.";
1098 LOG_E("%s: Rejecting new connection attempt while our state machine is in state '%s'", peer->p_hdr.info.pi_diamid, STATE_STR(cur_state));
1099 receiver_reject(cnx, msg, &pei);
1100 }
1101
1102 return 0;
1103}