changeset 104:a6fb0680654e
Adding security extensions, work in progress
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Fri, 25 Jul 2008 18:07:11 +0900 |
parents | 5c9a4c18d414 |
children | ea698d19f63a |
files | configure.ac extensions/Makefile.am extensions/sample/Makefile.am extensions/sec_nosec/Makefile.am extensions/sec_nosec/sec_nosec.c extensions/sec_nosec/sec_nosec.h extensions/sec_nosec/sns_is_supported_peer.c extensions/sec_nosec/sns_peers.c extensions/sec_nosec/sns_recv_unprotect.c extensions/sec_nosec/sns_send_protect.c extensions/sec_nosec/sns_state_change.c extensions/sec_nosec/todo.c extensions/sec_tls_gnutls/Makefile.am extensions/sec_tls_gnutls/sec_tls_gnutls.c extensions/sec_tls_gnutls/sec_tls_gnutls.h extensions/sec_tls_gnutls/todo.c include/waaad/waaad.h |
diffstat | 17 files changed, 987 insertions(+), 6 deletions(-) [+] |
--- a/configure.ac Fri Jul 25 11:14:01 2008 +0900
+++ b/configure.ac Fri Jul 25 18:07:11 2008 +0900
@@ -223,6 +223,8 @@
 AC_CONFIG_FILES([waaad/tests/Makefile])
 AC_CONFIG_FILES([extensions/Makefile])
 AC_CONFIG_FILES([extensions/sample/Makefile])
+AC_CONFIG_FILES([extensions/sec_nosec/Makefile])
+AC_CONFIG_FILES([extensions/sec_tls_gnutls/Makefile])
 # Create these files from these files.in (created by automake from .am if any)
 # Contains all definitions made with AC_SUBST
 # AC_SUBST([XYZ]) are replaced into @XYZ@ in the files.
--- a/extensions/Makefile.am Fri Jul 25 11:14:01 2008 +0900 +++ b/extensions/Makefile.am Fri Jul 25 18:07:11 2008 +0900 @@ -1,8 +1,17 @@ # Subdirectories to compile: + +################################ +# Sample - for developers only # +################################ SUBDIRS = sample -## For later: -# if !NOGNUTLS -## We can use the $(GNUTLS) var in the subdir's LDFLAGS rule when linking to gnutls. -# SUBDIRS += sec-tls -# endif + + +####################### +# Security extensions # +####################### +SUBDIRS += sec_nosec + +if !NOGNUTLS +SUBDIRS += sec_tls_gnutls +endif
--- a/extensions/sample/Makefile.am Fri Jul 25 11:14:01 2008 +0900 +++ b/extensions/sample/Makefile.am Fri Jul 25 18:07:11 2008 +0900 @@ -1,6 +1,6 @@ # Compile the sample extension. -pkglib_LTLIBRARIES = sample.la +noinst_LTLIBRARIES = sample.la sample_la_SOURCES = sample.c fini.c sample_la_LDFLAGS = -module
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/Makefile.am Fri Jul 25 18:07:11 2008 +0900
@@ -0,0 +1,17 @@
+# Compile the nosec extension.
+
+# Location of the API headers:
+AM_CPPFLAGS = -I$(srcdir)/../../include
+
+pkglib_LTLIBRARIES = sec_nosec.la
+sec_nosec_la_LDFLAGS = -module
+
+sec_nosec_la_SOURCES = sec_nosec.c \
+ sns_state_change.c \
+ sns_send_protect.c \
+ sns_recv_unprotect.c \
+ sns_is_supported_peer.c \
+ sns_peers.c \
+ todo.c
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sec_nosec.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,127 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* + * Extension to implement the NO_SEC security mechanism (Inband-Security-Id 0) + * + * The peers to which no security is acceptable MUST be explicitely listed in the configuration file + * of this extension. + */ + +/* We need this to use the waaad API */ +#define DECLARE_API_POINTERS + +/* Include the extension definitions and daemon definitions */ +#include "sec_nosec.h" + +static sec_module_t sns_mod; +static sec_mod_hdl_t * sns_hdl; +int verbosity; + +/* The main entry point of the extension, called when the extension is loaded, after API initialization */ +static int sec_nosec_main(char * conffile) +{ + int ret = 0; + + TRACE_ENTRY("%p", conffile); + + verbosity = 0; + + /* The configuration file is mandatory */ + if (!conffile) { + TRACE_DEBUG(INFO, "Missing configuration file"); + return EINVAL; + } + + /* Now initialize the extension */ + ret = sns_init(); + if (ret != 0) { + TRACE_DEBUG(INFO, "sns_init failed: %s", strerror(ret)); + return ret; + } + + /* Parse the configuration file */ + ret = sns_parse(conffile); + if (ret != 0) { + TRACE_DEBUG(INFO, "sns_parse failed: %s", strerror(ret)); + (void)sns_fini(); + return ret; + } + + /* Finaly, register the security module */ + memset(&sns_mod, 0, sizeof(sec_module_t) ); + sns_mod.sec_insecid = SEC_NOSEC_INBAND_SECURITY_ID; + sns_mod.sec_is_supported_peer = sns_is_supported_peer; + sns_mod.sec_state_change = sns_state_change; + sns_mod.sec_send_protect = sns_send_protect; + sns_mod.sec_recv_unprotect = sns_recv_unprotect; + + ret = sec_register( &sns_mod, &sns_hdl ); + if (ret != 0) { + TRACE_DEBUG(INFO, "sec_register failed: %s", strerror(ret)); + (void)sns_fini(); + return ret; + } + + /* Done! 
*/ + return 0; +} + +EXTENSION_API_INIT(API_MODULE_LOG | API_MODULE_CONF | API_MODULE_SECURITY, sec_nosec_main, "sec_nosec"); + +/* Code that is called after the extension terminates */ +void waaad_ext_fini(void) +{ + int ret = 0; + + TRACE_ENTRY(""); + + /* Unregister the security module */ + ret = sec_unregister( sns_hdl ); + if (ret != 0) { + TRACE_DEBUG(INFO, "sec_unregister failed: %s", strerror(ret)); + } + + /* Destroy the data of the extension */ + ret = sns_fini(); + if (ret != 0) { + TRACE_DEBUG(INFO, "sns_fini failed: %s", strerror(ret)); + } + + /* Done! */ + return ; +} + +
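Review bot: `waaad_ext_fini` calls `sec_unregister( sns_hdl )` unconditionally, but `sns_hdl` is only assigned by a successful `sec_register` at the end of `sec_nosec_main`; if the daemon invokes the fini hook after an early return (missing conffile, `sns_init` or `sns_parse` failure) the call receives a NULL handle, and `sns_fini` runs a second time after the error paths already called it. Whether the daemon calls fini after a failed init, and whether `sec_unregister` tolerates NULL, is not visible in this hunk, so the safe shape is to guard the call: `if (sns_hdl != NULL) { ret = sec_unregister( sns_hdl ); sns_hdl = NULL; ... }`. The same guard makes the hook idempotent, which matters for a security module whose registration state decides which Inband-Security-Id the daemon will advertise.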
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sec_nosec.h Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,104 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Header file for the sec_nosec extension. + * + * This extension provides the "no encryption" mechanism to the waaad daemon. + * The extension receives a configuration file that must list explicitely all + * peers to which the peer can connect without additional security (i.e. IPsec + * or other transparent mechanism is already set). + * Note that the extension only uses the diameter identity of the peer. + * To improve security, one should also use the sockaddr parameters. + * + * A better replacement for this extension would be a binding with a IKEv2 process + * for example, where peers to which a SA is already established are automatically + * accepted. + */ + +#define IN_EXTENSION +#include <waaad/waaad.h> + +#include <stdlib.h> +#include <string.h> + + +/* The value of the Inband-Security-Id that this extension provides */ +#define SEC_NOSEC_INBAND_SECURITY_ID 0 + +/************************************************************************** + * The functions that are provided back to the daemon, as a security module. + * See <waaad/security-api.h> + **************************************************************************/ +int sns_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session); +int sns_send_protect (sec_session_t * session, void ** ext_session, void * data, size_t length); +int sns_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length); +int sns_is_supported_peer (char * diamid, struct sockaddr * sa, int * priority); + +/************************************************************************** + * The functions internal to the extension. 
+ **************************************************************************/ +/* Initialize the hash table where the peers are stored */ +int sns_init(void); + +/* Add a new peer entry */ +int sns_addpeer( char * diameterid, int priority ); + +/* Find a peer in the table. Return the priority if found, -1 otherwise */ +int sns_findpeer( char * diameterid ); + +/* Parse the configuration file */ +int sns_parse(char * conffile); + +/* Destroy the table and free all data */ +int sns_fini(void); + + +/********************************************************************************** + * Define the TRACE_DEBUG macro to be used similarly as in the daemon (see log.h) + **********************************************************************************/ +#define NONE 0 +#define INFO 1 +#define FULL 2 +#ifndef TRACE_LEVEL +#define TRACE_LEVEL INFO +#endif /* TRACE_LEVEL */ +static int debug_level = TRACE_LEVEL; +extern int verbosity; +#define TRACE_DEBUG(level,format,args... ) \ + { if ( level <= debug_level + verbosity ) \ + log_debug("%-12s:%-4d( %-15s): " format "\n", __FILE__, __LINE__, __FUNCTION__, ## args); } +#define TRACE_ENTRY(_format,_args... ) \ + TRACE_DEBUG(FULL, "Entering ext function (parms: " _format ")", ##_args ) +/**************************************************************************************/
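Review bot: The `TRACE_DEBUG` macro expands to a bare brace block, so the common form `if (cond) TRACE_DEBUG(...); else ...` produces `{ ... };` before the `else` and fails to compile; wrap the body as `do { if ( level <= debug_level + verbosity ) log_debug("%-12s:%-4d( %-15s): " format "\n", __FILE__, __LINE__, __FUNCTION__, ## args); } while (0)`, and `TRACE_ENTRY` then inherits the fix. Note also that `static int debug_level = TRACE_LEVEL;` in a header gives every translation unit that includes it (six .c files in this commit) its own private copy, so changing the level at runtime in one file would not affect the others; if that is intended, a comment saying so would help, otherwise make it `extern` like `verbosity`. The header comment already records that only the DiameterIdentity is consulted and not the sockaddr; it would be worth stating explicitly that NO_SEC is therefore granted on a claimed identity, so that whoever finishes `sns_parse` in todo.c adds the address check.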
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sns_is_supported_peer.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,59 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Code of the is_supported_peer callback function. + * See <waaad/security-api.h> for more information. + */ + +#include "sec_nosec.h" + +int sns_is_supported_peer (char * diamid, struct sockaddr * sa, int * priority) +{ + TRACE_ENTRY("%p %p %p", diamid, sa, priority); + + /* Check parameters */ + if (!diamid || !priority) { + TRACE_DEBUG(INFO, "Invalid parameter"); + return EINVAL; + } + + /* Search this peer in our local list. It returns -1 (=> peer not supported) if not found */ + *priority = sns_findpeer( diamid ); + + TRACE_DEBUG(FULL, "NO_SEC with priority %d for peer '%s'", *priority, diamid); + + /* All done */ + return 0; +}
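Review bot: `sns_is_supported_peer` receives `sa` but never reads it, so the decision to offer NO_SEC (Inband-Security-Id 0) rests entirely on the DiameterIdentity string the peer presented, as sec_nosec.h admits. Until the address check exists, the function should carry a marker at the `*priority = sns_findpeer( diamid );` line such as `/* SECURITY: decision based on the claimed DiameterIdentity only; sa is not compared with any configured address (see sec_nosec.h) */`, and include `sa` in the FULL-level trace so a misassigned NO_SEC can be traced back to the transport endpoint. The `-1` meaning "not supported" is documented on `sns_findpeer`, but the contract of `*priority` for the daemon is only referenced via `<waaad/security-api.h>`, which is not in this commit; a one-line note of that convention here would save the next reader a lookup.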
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sns_peers.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,142 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Management of the list of peers for this extension */ + +#include "sec_nosec.h" + +/* The peer names are stored in a simple list ordered alphabetically; + * this list is not supposed to be very long. Otherwise it can be changed to a hash table. */ + +typedef struct _sns_peer_ { + struct _sns_peer_ *next; + char *diamid; + int prio; + } sns_peer_t; + +static sns_peer_t sentinel; + +/* Note: we don't need to protect the list since we're not yet multithreaded when we add to it */ + + +/* Initialize the hash table where the peers are stored */ +int sns_init(void) +{ + TRACE_ENTRY(""); + + memset(&sentinel, 0, sizeof(sns_peer_t)); + + return ENOTSUP; +} + +/* Add a new peer entry. The diametedid string is copied. */ +int sns_addpeer( char * diameterid, int priority ) +{ + int ret = -1; + sns_peer_t * prev, *new; + + TRACE_ENTRY("%p %d", diameterid, priority); + + /* Search the correct place in the list. Diameter ID are FQDN, case-insensitive (RFC4343). */ + for (prev = &sentinel; (prev->next != NULL) && ( (ret = strcasecmp ( prev->next->diamid, diameterid )) < 0); prev = prev->next); + + /* Case of duplicate */ + if (ret == 0) { + TRACE_DEBUG(INFO, "This diameter id is already in the list"); + return EALREADY; + } + + /* Create a new element */ + new = malloc(sizeof(sns_peer_t)); + if (new == NULL) { + log_error("Memory allocation failed: %s\n", strerror(errno)); + TRACE_DEBUG(INFO, "malloc failed"); + return ENOMEM; + } + memset(new, 0, sizeof(sns_peer_t)); + new->diamid = strdup(diameterid); + if (new->diamid == NULL) { + log_error("Memory allocation failed: %s\n", strerror(errno)); + TRACE_DEBUG(INFO, "malloc failed"); + free(new); + return ENOMEM; + } + + new->prio = priority; + + /* link it */ + new->next = prev->next; + prev->next = new; + + /* Element added */ + return 0; +} + +/* Find a peer in the table. 
Return the priority if found, -1 otherwise */ +int sns_findpeer( char * diameterid ) +{ + int ret = -1; + sns_peer_t * item; + + TRACE_ENTRY("%p", diameterid); + + /* Search the element in the list. Diameter ID are FQDN, case-insensitive (RFC4343). */ + for (item = sentinel.next; (item != NULL) && ( (ret = strcasecmp ( item->diamid, diameterid )) < 0); item = item->next); + + if (ret == 0) { + /* we found the element */ + return item->prio; + } else { + /* The peer is not in the list, so return -1 to tell that we don't support it */ + return -1; + } +} + +/* Destroy the table and free all data */ +int sns_fini(void) +{ + sns_peer_t * item; + + TRACE_ENTRY(""); + + while (sentinel.next != NULL) { + item = sentinel.next; + sentinel.next = item->next; + free(item->diamid); + free(item); + } + + return 0; +}
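Review bot: `sns_init` clears the sentinel and then returns `ENOTSUP` unconditionally, so `sec_nosec_main` in sec_nosec.c always fails with "sns_init failed" and the module can never register; the list is fully initialized at that point, so it should `return 0;`. The stub `sns_parse` in todo.c also returns `ENOTSUP`, which would fail the load next, presumably intentional for a work-in-progress, but `sns_init` looks like a copy of that stub pattern rather than a deliberate choice. Separately, the comments `/* Initialize the hash table where the peers are stored */` here and in sec_nosec.h describe a hash table while the code is a sorted singly-linked list; reword to `/* Initialize the sorted list where the peers are stored */` so the documentation matches the data structure (the top-of-file comment already explains the list choice).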
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sns_recv_unprotect.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,119 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Code of the recv_unprotect callback function. + * See <waaad/security-api.h> for more information. + */ + +#include "sec_nosec.h" + +/* The maximum size of messages we accept. bigger messages are considered as trash and failure occurs */ +#define DIAMETER_MSG_SIZE_MAX 65536 + +/* We just receive the buffer "as is" on the connection object, and rebuild a message */ + +int sns_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length) +{ + unsigned char header[4]; + unsigned char * newmsg; + ssize_t ret = 0; + size_t received = 0; + + TRACE_ENTRY("%p %p %p %p", session, ext_session, data, length); + + if (!session || !session->recv_data || !data || !length) { + TRACE_DEBUG(INFO, "Invalid argument"); + return EINVAL; + } + + /* First, receive only a message header. */ + while (received < sizeof(header)) { + ret = (*session->recv_data) (session->conn, &header[received], sizeof(header) - received); + if (ret == 0) { + /* Shutdown in progress */ + TRACE_DEBUG(INFO, "The recv_data function returned 0"); + return ENOTCONN; + } + if (ret < 0) { + /* Error */ + ret = errno; + TRACE_DEBUG(INFO, "The recv_data function failed: %s", strerror(ret)); + return ret; + } + received += ret; + } + + *length = (size_t)header[1] << 16 + (size_t)header[2] << 8 + (size_t)header[3]; + + /* Check the received word is a valid begining of a Diameter message */ + if ((header[0] != MSG_VERSION) /* MSG_VERSION defined in <waaad/message-api.h> */ + || (*length > DIAMETER_MSG_SIZE_MAX)) { /* to avoid too big mallocs */ + /* The message is suspect */ + TRACE_DEBUG(INFO, "Received suspect message header: ver = %d, size = %d", (int)header[0], *length); + return EBADMSG; + } + + /* Ok, now we can really receive the data */ + newmsg = malloc( *length ); + if (newmsg == NULL) { + log_error("Memory allocation failed: %s\n", strerror(errno)); + 
TRACE_DEBUG(INFO, "malloc failed"); + return ENOMEM; + } + + memcpy(newmsg, header, sizeof(header)); + while (received < *length) { + ret = (*session->recv_data) (session->conn, newmsg + received, (*length) - received); + if (ret == 0) { + /* Shutdown in progress */ + TRACE_DEBUG(INFO, "The recv_data function returned 0"); + free(newmsg); + return ENOTCONN; + } + if (ret < 0) { + /* Error */ + ret = errno; + TRACE_DEBUG(INFO, "The recv_data function failed: %s", strerror(ret)); + free(newmsg); + return ret; + } + received += ret; + } + + /* We have received a full message, return it */ + *data = (void *) newmsg; + + return 0; +}
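Review bot: The length decode `*length = (size_t)header[1] << 16 + (size_t)header[2] << 8 + (size_t)header[3];` is wrong because `+` binds tighter than `<<`: it evaluates as `header[1] << (16 + header[2]) << (8 + header[3])`, so the decoded length bears no relation to the wire value, and once `16 + header[2]` reaches the bit width of `size_t` the shift count is out of range, which is undefined behaviour. It should read `*length = ((size_t)header[1] << 16) | ((size_t)header[2] << 8) | (size_t)header[3];`. The sanity check that follows also needs a lower bound: this is peer-controlled input, and a length smaller than `sizeof(header)` leads to `malloc( *length )` followed by a 4-byte `memcpy` into it, a heap overflow, so the condition should be `if ((header[0] != MSG_VERSION) || (*length < sizeof(header)) || (*length > DIAMETER_MSG_SIZE_MAX))`. In the same `TRACE_DEBUG`, `*length` is a `size_t` printed with `%d`; use `%zu`.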
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sns_send_protect.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,67 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Code of the send_protect callback function. + * See <waaad/security-api.h> for more information. + */ + +#include "sec_nosec.h" + +/* We just write the buffer "as is" on the connection object */ + +int sns_send_protect (sec_session_t * session, void ** ext_session, void * data, size_t length) +{ + ssize_t ret = 0; + size_t sent = 0; + + TRACE_ENTRY("%p %p %p %d", session, ext_session, data, length); + + if (!session || !session->send_data) { + TRACE_DEBUG(INFO, "Invalid argument"); + return EINVAL; + } + + while (sent < length) { + ret = (*session->send_data) (session->conn, ((char *)data) + sent, length - sent); + if (ret == -1) { + ret = errno; + TRACE_DEBUG(INFO, "The send_data callback failed: %s", strerror(ret)); + return ret; + } + sent += ret; + } + + return 0; +}
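Review bot: The send loop has no exit when `send_data` returns 0: `sent` is not advanced and the callback is retried indefinitely, whereas the matching receive loop in sns_recv_unprotect.c treats a 0 return as `ENOTCONN`. Assuming the callback follows the usual read/write convention (its contract in `<waaad/security-api.h>` is not in this commit), the check should be `if (ret <= 0) { ret = (ret == 0) ? ENOTCONN : errno; TRACE_DEBUG(INFO, "The send_data callback failed: %s", strerror(ret)); return ret; }`, which also covers negative returns other than -1. Also `TRACE_ENTRY("%p %p %p %d", ..., length)` passes a `size_t` to `%d`; use `%zu`.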
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_nosec/sns_state_change.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,47 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* +*********************************************************************************************************/ + +/* Code of the state_change callback function. + * See <waaad/security-api.h> for more information. + */ + +#include "sec_nosec.h" + +int sns_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session) +{ + TRACE_ENTRY("%d %d %p %p", newstate, oldstate, session, ext_session); + /* We don't need to save a session state in this module, so do not do anything here */ + return 0; +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/todo.c Fri Jul 25 18:07:11 2008 +0900
@@ -0,0 +1,20 @@
+/* Temporary file containing all code that is not written yet */
+
+#include "sec_nosec.h"
+
+
+
+/**************************************************************************
+ * The functions internal to the extension.
+ **************************************************************************/
+
+
+/* Parse the configuration file */
+int sns_parse(char * conffile)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_tls_gnutls/Makefile.am Fri Jul 25 18:07:11 2008 +0900
@@ -0,0 +1,12 @@
+# Compile the tls_gnutls extension.
+
+# Location of the API headers:
+AM_CPPFLAGS = -I$(srcdir)/../../include
+
+pkglib_LTLIBRARIES = sec_tls_gnutls.la
+sec_tls_gnutls_la_LDFLAGS = -module $(GNUTLS)
+
+sec_tls_gnutls_la_SOURCES = sec_tls_gnutls.c \
+ todo.c
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/extensions/sec_tls_gnutls/sec_tls_gnutls.c Fri Jul 25 18:07:11 2008 +0900 
@@ -0,0 +1,113 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License) *
+* Author: Sebastien Decugis <sdecugis@nict.go.jp> *
+* *
+* Copyright (c) 2008, WIDE Project and NICT *
+* All rights reserved. *
+* *
+* Redistribution and use of this software in source and binary forms, with or without modification, are *
+* permitted provided that the following conditions are met: *
+* *
+* * Redistributions of source code must retain the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer. *
+* *
+* * Redistributions in binary form must reproduce the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer in the documentation and/or other *
+* materials provided with the distribution. *
+* *
+* * Neither the name of the WIDE Project or NICT nor the *
+* names of its contributors may be used to endorse or *
+* promote products derived from this software without *
+* specific prior written permission of WIDE Project and *
+* NICT. *
+* *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
+*********************************************************************************************************/
+
+/*
+ * Extension to implement the NO_SEC security mechanism (Inband-Security-Id 0)
+ *
+ * The peers to which no security is acceptable MUST be explicitely listed in the configuration file
+ * of this extension.
+ */
+
+/* We need this to use the waaad API */
+#define DECLARE_API_POINTERS
+
+/* Include the extension definitions and daemon definitions */
+#include "sec_tls_gnutls.h"
+
+static sec_module_t tls_mod;
+static sec_mod_hdl_t * tls_hdl;
+int ext_verbose;
+
+/* The main entry point of the extension, called when the extension is loaded, after API initialization */
+static int tls_main(char * conffile)
+{
+ int ret = 0;
+
+ TRACE_ENTRY("%p", conffile);
+
+ ext_verbose = 0; /* Get verbosity from somewhere else ? */
+
+ /* Initialize the extension */
+ ret = tls_init();
+ if (ret != 0) {
+ TRACE_DEBUG(INFO, "tls_init failed: %s", strerror(ret));
+ return ret;
+ }
+
+ /* Register the security module */
+ memset(&tls_mod, 0, sizeof(sec_module_t) );
+ tls_mod.sec_insecid = SEC_TLS_INBAND_SECURITY_ID;
+ tls_mod.sec_is_supported_peer = tls_is_supported_peer;
+ tls_mod.sec_state_change = tls_state_change;
+ tls_mod.sec_send_protect = tls_send_protect;
+ tls_mod.sec_recv_unprotect = tls_recv_unprotect;
+
+ ret = sec_register( &tls_mod, &tls_hdl );
+ if (ret != 0) {
+ TRACE_DEBUG(INFO, "sec_register failed: %s", strerror(ret));
+ (void)tls_fini();
+ return ret;
+ }
+
+ /* Done!
*/
+ return 0;
+}
+
+EXTENSION_API_INIT(API_MODULE_LOG | API_MODULE_CONF | API_MODULE_SECURITY, tls_main, "sec_tls_gnutls");
+
+/* Code that is called after the extension terminates */
+void waaad_ext_fini(void)
+{
+ int ret = 0;
+
+ TRACE_ENTRY("");
+
+ /* Unregister the security module */
+ ret = sec_unregister( tls_hdl );
+ if (ret != 0) {
+ TRACE_DEBUG(INFO, "sec_unregister failed: %s", strerror(ret));
+ }
+
+ /* Destroy the data of the extension */
+ ret = tls_fini();
+ if (ret != 0) {
+ TRACE_DEBUG(INFO, "tls_fini failed: %s", strerror(ret));
+ }
+
+ /* Done! */
+ return ;
+}
+
+
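Review bot: The file comment at the top of sec_tls_gnutls.c still describes the NO_SEC mechanism (Inband-Security-Id 0, peers explicitly listed in the configuration) although this file registers `SEC_TLS_INBAND_SECURITY_ID` and its header says it provides TLS through gnutls; it looks copy-pasted from sec_nosec and should read something like `/* Extension implementing the TLS security mechanism (Inband-Security-Id 1) using the gnutls library. */` so that nobody reads the "no security acceptable" wording as this module's policy. In `waaad_ext_fini`, `sec_unregister( tls_hdl )` runs unconditionally; if the daemon invokes the fini hook after `tls_main` returned early, `tls_hdl` is still NULL — whether that can happen is not visible here, but `if (tls_hdl != NULL) ret = sec_unregister( tls_hdl );` makes the teardown independent of how far init got. `conffile` is traced but never parsed; for a TLS module the certificate, private key and trust-anchor locations will presumably come from it, so a `/* TODO: parse conffile (certificate, key, CA) */` next to the trace would document the gap until the parser exists.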
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_tls_gnutls/sec_tls_gnutls.h Fri Jul 25 18:07:11 2008 +0900
@@ -0,0 +1,87 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License) *
+* Author: Sebastien Decugis <sdecugis@nict.go.jp> *
+* *
+* Copyright (c) 2008, WIDE Project and NICT *
+* All rights reserved. *
+* *
+* Redistribution and use of this software in source and binary forms, with or without modification, are *
+* permitted provided that the following conditions are met: *
+* *
+* * Redistributions of source code must retain the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer. *
+* *
+* * Redistributions in binary form must reproduce the above *
+* copyright notice, this list of conditions and the *
+* following disclaimer in the documentation and/or other *
+* materials provided with the distribution. *
+* *
+* * Neither the name of the WIDE Project or NICT nor the *
+* names of its contributors may be used to endorse or *
+* promote products derived from this software without *
+* specific prior written permission of WIDE Project and *
+* NICT. *
+* *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
+*********************************************************************************************************/
+
+/* Header file for the sec_tls_gnutls extension.
+ *
+ * This extension provides the TLS mechanism to the waaad daemon.
+ *
+ * It relies on the gnutls library to perform the actual cryptographic operations.
+ */
+
+#define IN_EXTENSION
+#include <waaad/waaad.h>
+
+#include <string.h>
+
+/* The value of the Inband-Security-Id that this extension provides */
+#define SEC_TLS_INBAND_SECURITY_ID 1
+
+/**************************************************************************
+ * The functions that are provided back to the daemon, as a security module.
+ * See <waaad/security-api.h>
+ **************************************************************************/
+int tls_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session);
+int tls_send_protect (sec_session_t * session, void ** ext_session, void * data, size_t length);
+int tls_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length);
+int tls_is_supported_peer (char * diamid, struct sockaddr * sa, int * priority);
+
+/**************************************************************************
+ * The functions internal to the extension.
+ **************************************************************************/
+/* Initialize the extension */
+int tls_init(void);
+
+/* Destroy the table and free all data */
+int tls_fini(void);
+
+
+/**********************************************************************************
+ * Define the TRACE_DEBUG macro to be used similarly as in the daemon (see log.h)
+ **********************************************************************************/
+extern int ext_verbose;
+
+#define NONE 0
+#define INFO 1
+#define FULL 2
+#ifndef TRACE_LEVEL
+#define TRACE_LEVEL INFO
+#endif /* TRACE_LEVEL */
+static int debug_level = TRACE_LEVEL;
+#define TRACE_DEBUG(level,format,args...
) \
+ { if ( level <= debug_level + ext_verbose ) \
+ log_debug("%-12s:%-4d( %-15s): " format "\n", __FILE__, __LINE__, __FUNCTION__, ## args); }
+#define TRACE_ENTRY(_format,_args... ) \
+ TRACE_DEBUG(FULL, "Entering ext function (parms: " _format ")", ##_args )
+/**************************************************************************************/
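Review bot: `TRACE_DEBUG` expands to a bare `{ if (...) log_debug(...); }` block, so a call such as `if (c) TRACE_DEBUG(...); else ...` fails to compile and an unbraced `if` body with the macro is a dangling-else hazard; the usual form is `do { if ( level <= debug_level + ext_verbose ) log_debug(...); } while (0)`, and the same pattern likely exists in sec_nosec.h if it was generated from the same template (not visible here). The header has no include guard, and it defines `static int debug_level` plus the unprefixed macros `NONE`, `INFO` and `FULL`, so each translation unit that includes it gets its own `debug_level` and those short names can collide with other headers; a `#ifndef SEC_TLS_GNUTLS_H` guard and prefixed names (e.g. `TLS_TRACE_INFO`) would avoid both. `__FUNCTION__` and the `args...` named-variadic syntax are GCC extensions rather than C99 `__func__`/`__VA_ARGS__`, which is acceptable if the project only targets GCC but deserves a one-line comment above the macro.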
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_tls_gnutls/todo.c Fri Jul 25 18:07:11 2008 +0900
@@ -0,0 +1,53 @@
+/* Temporary file containing all code that is not written yet */
+
+#include "sec_tls_gnutls.h"
+
+int tls_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+int tls_send_protect (sec_session_t * session, void ** ext_session, void * data, size_t length)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+int tls_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+int tls_is_supported_peer (char * diamid, struct sockaddr * sa, int * priority)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+
+/**************************************************************************
+ * The functions internal to the extension.
+ **************************************************************************/
+/* Initialize the extension */
+int tls_init(void)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
+
+/* Destroy the table and free all data */
+int tls_fini(void)
+{
+ TRACE_ENTRY("");
+ TRACE_DEBUG(INFO, "Not implemented");
+ return ENOTSUP;
+}
+
--- a/include/waaad/waaad.h Fri Jul 25 11:14:01 2008 +0900
+++ b/include/waaad/waaad.h Fri Jul 25 18:07:11 2008 +0900
@@ -105,6 +105,9 @@
/* The code bellow this line is only used to load the API in an extension and check the API number version. */
#ifdef IN_EXTENSION
+#include <stdio.h>
+#include <errno.h>
+
typedef struct {
size_t length;
int version;