changeset 106:e243c9a234cd

Completed the sec_nosec extension
author Sebastien Decugis <sdecugis@nict.go.jp>
date Mon, 28 Jul 2008 13:59:54 +0900
parents ea698d19f63a
children c956cc2dbaed
files doc/sec_nosec.conf.sample doc/waaad.conf.sample extensions/sample/Makefile.am extensions/sec_nosec/Makefile.am extensions/sec_nosec/sec_nosec.c extensions/sec_nosec/sec_nosec.h extensions/sec_nosec/sns_gram.y extensions/sec_nosec/sns_parse.c extensions/sec_nosec/sns_peers.c extensions/sec_nosec/sns_recv_unprotect.c extensions/sec_nosec/sns_state_change.c extensions/sec_nosec/sns_token.l extensions/sec_nosec/todo.c
diffstat 13 files changed, 416 insertions(+), 13 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/sec_nosec.conf.sample	Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,22 @@
+# This is a sample configuration file for the sec_nosec waaad extension.
+
+# For debug purpose, use this parameter to change the debug verbosity of the extension.
+# 0: no debug
+# 1: information only (error conditions)
+# 2: full debug (errors and tracing)
+# Debug_Verbosity = 1;
+
+# Specify the default priority given to this extension to handle a peer.
+# The extension with the highest priority will handle a connection.
+# This parameter is optional. The default value is 1.
+# The parameter may be given several times. It applies only to the peers
+# following the definition in the file.
+# Default_Priority = 1;
+
+# Each Diameter peer to which no security mechanism is provided by waaad
+# must be listed explicitely here.
+# The priority may be overwriten for each peer.
+# Format: diameter_id [, priority];
+# Examples:
+# nas.domain.net;
+# home.domain.net, 10;
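Review bot: The sample never states the consequence of listing a peer here: this is the module that provides Inband-Security-Id 0 (sec_nosec.h), i.e. the peer is talked to with no protection from waaad at all, so an operator copying the examples has no hint that the list should be restricted to peers reachable over an already trusted or separately protected path. I would add, above the "Each Diameter peer" paragraph, `# WARNING: peers listed here are talked to with NO security (Inband-Security-Id 0). Only list peers on a trusted or otherwise protected network.` While there, `explicitely` should read `explicitly` and `overwriten` should read `overwritten`.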
--- a/doc/waaad.conf.sample	Mon Jul 28 10:57:29 2008 +0900
+++ b/doc/waaad.conf.sample	Mon Jul 28 13:59:54 2008 +0900
@@ -50,6 +50,11 @@
 	filename="/root/sources/waaad/build/extensions/sample/.libs/sample.so";
 };
 
+"sec_nosec" = {
+	filename="/root/sources/waaad/build/extensions/sec_nosec/.libs/sec_nosec.so";
+	conffile="/root/sources/waaad/doc/sec_nosec.conf.sample";
+};
+
 
 [peers]
 
--- a/extensions/sample/Makefile.am	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sample/Makefile.am	Mon Jul 28 13:59:54 2008 +0900
@@ -1,6 +1,7 @@
 # Compile the sample extension.
 
-noinst_LTLIBRARIES = sample.la
+# noinst_LTLIBRARIES = sample.la
+pkglib_LTLIBRARIES = sample.la
 sample_la_SOURCES = sample.c fini.c
 sample_la_LDFLAGS = -module
 
--- a/extensions/sec_nosec/Makefile.am	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/Makefile.am	Mon Jul 28 13:59:54 2008 +0900
@@ -3,6 +3,10 @@
 # Location of the API headers:
 AM_CPPFLAGS = -I$(srcdir)/../../include
 
+# For bison
+AM_YFLAGS = -d
+BUILT_SOURCES = sns_gram.h
+
 pkglib_LTLIBRARIES = sec_nosec.la
 sec_nosec_la_LDFLAGS = -module
 
@@ -12,6 +16,8 @@
 			sns_recv_unprotect.c 	\
 			sns_is_supported_peer.c	\
 			sns_peers.c		\
-			todo.c
+			sns_parse.c		\
+			sns_gram.y		\
+			sns_token.l
 
 
--- a/extensions/sec_nosec/sec_nosec.c	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sec_nosec.c	Mon Jul 28 13:59:54 2008 +0900
@@ -80,6 +80,9 @@
 		return ret;
 	}
 	
+	/* For debug purpose */
+	sns_dump();
+	
 	/* Finaly, register the security module */
 	memset(&sns_mod, 0, sizeof(sec_module_t) );
 	sns_mod.sec_insecid 		= SEC_NOSEC_INBAND_SECURITY_ID;
--- a/extensions/sec_nosec/sec_nosec.h	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sec_nosec.h	Mon Jul 28 13:59:54 2008 +0900
@@ -57,6 +57,11 @@
 /* The value of the Inband-Security-Id that this extension provides */
 #define SEC_NOSEC_INBAND_SECURITY_ID	0
 
+/* The maximum size of messages we accept. Bigger messages are considered as trash and failure occurs */
+#define DIAMETER_MSG_SIZE_MAX	65536
+
+
+
 /**************************************************************************
  * The functions that are provided back to the daemon, as a security module. 
  * See <waaad/security-api.h> 
@@ -81,6 +86,9 @@
 /* Parse the configuration file */
 int sns_parse(char * conffile);
 
+/* Dump the list to debug */
+void sns_dump(void);
+
 /* Destroy the table and free all data */
 int sns_fini(void);
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_gram.y	Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,169 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License)                                                               *
+* Author: Sebastien Decugis <sdecugis@nict.go.jp>							 *
+*													 *
+* Copyright (c) 2008, WIDE Project and NICT								 *
+* All rights reserved.											 *
+* 													 *
+* Redistribution and use of this software in source and binary forms, with or without modification, are  *
+* permitted provided that the following conditions are met:						 *
+* 													 *
+* * Redistributions of source code must retain the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer.										 *
+*    													 *
+* * Redistributions in binary form must reproduce the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer in the documentation and/or other						 *
+*   materials provided with the distribution.								 *
+* 													 *
+* * Neither the name of the WIDE Project or NICT nor the 						 *
+*   names of its contributors may be used to endorse or 						 *
+*   promote products derived from this software without 						 *
+*   specific prior written permission of WIDE Project and 						 *
+*   NICT.												 *
+* 													 *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 	 *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 	 *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF   *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.								 *
+*********************************************************************************************************/
+
+/* Yacc sec_nosec extension's configuration parser.
+ */
+
+/* For development only : */
+%debug 
+%error-verbose
+
+/* The parser receives the configuration file filename as parameter */
+%parse-param {char * conffile}
+
+/* Keep track of location */
+%locations 
+%pure-parser
+
+%{
+#include "sec_nosec.h"
+#include "sns_gram.h"	/* bison is not smart enough to define the YYLTYPE before including this code, so... */
+
+#include <string.h>
+#include <errno.h>
+
+/* This function checks a string value can be a DiameterId (== a fqdn) */
+static int is_valid_fqdn( char * candidate ) 
+{
+	/* We first search for a '.' */
+	if (!strchr(candidate, '.')) {
+		log_error("The string '%s' is not a valid fully-qualified domain name (fqdn).\n", candidate);
+		return 0;
+	}
+	
+	/* We may do additional checking here */
+	
+	/* Ok this candidate is valid */
+	return 1;
+}
+
+/* Function to report the errors */
+void yyerror (YYLTYPE *ploc, char * conffile, char const *s)
+{
+	if (ploc->first_line != ploc->last_line)
+		log_error("%s:%d.%d-%d.%d : %s\n", conffile, ploc->first_line, ploc->first_column, ploc->last_line, ploc->last_column, s);
+	else if (ploc->first_column != ploc->last_column)
+		log_error("%s:%d.%d-%d : %s\n", conffile, ploc->first_line, ploc->first_column, ploc->last_column, s);
+	else
+		log_error("%s:%d.%d : %s\n", conffile, ploc->first_line, ploc->first_column, s);
+}
+
+/* Global variable to store the default priority */
+static int def_prio = 1;
+
+%}
+
+/* Values returned by lex for token */
+%union {
+	char 		*string;	/* The string is allocated by strdup in lex.*/
+	int		 integer;	/* Store integer values */
+}
+
+/* In case of error in the lexical analysis */
+%token 		LEX_ERROR
+
+/* A string (malloc'd in lex parser; it must be freed after use) */
+%token <string>	STRING
+/* Strings subtypes */
+%type <string>	FQDN		/* This is a fqdn. We check that the syntax is correct. */
+
+/* An integer value */
+%token <integer> INTEGER
+
+/* The default priority token */
+%token 		DEF_PRIO
+
+/* The debug level token */
+%token 		VERBOSITY
+
+/* -------------------------------------- */
+%%
+
+	/* The grammar definition */
+conffile:		/* empty grammar is OK */
+			| conffile verbosity
+			| conffile def_prio
+			| conffile peer
+			;
+
+	/* Defining the extension debug verbosity level */
+verbosity:		VERBOSITY '=' INTEGER ';'
+			{
+				verbosity = $3;
+			}
+			;
+
+	/* Defining the default peers priority */
+def_prio:		DEF_PRIO '=' INTEGER ';'
+			{
+				def_prio = $3;
+			}
+			;
+
+	/* Validating a FQDN: */
+FQDN:			STRING
+			{
+				/* Verify this is a valid FQDN */
+				if (!is_valid_fqdn($1)) {
+					yyerror (&yylloc, conffile, "An error was detected on a fqdn, aborting...");
+					YYERROR;
+				}
+				$$ = $1;
+			}
+			;
+	
+	/* A peer definition */
+peer:			FQDN ';'
+			{
+				int ret = 0;
+				ret = sns_addpeer( $1, def_prio );
+				if (ret != 0) {
+					log_error("An error occurred while saving peer '%s': %s\n", $1, strerror(ret));
+					YYERROR;
+				}
+				free( $1 );
+			}
+			| FQDN ',' INTEGER ';'
+			{
+				int ret = 0;
+				ret = sns_addpeer( $1, $3 );
+				if (ret != 0) {
+					log_error("An error occurred while saving peer '%s': %s\n", $1, strerror(ret));
+					YYERROR;
+				}
+				free( $1 );
+			}
+			;
+				
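Review bot: is_valid_fqdn only checks that a '.' is present, so entries such as `.`, `a..b`, `-host.example.net` or a name longer than 253 characters are accepted (the lexer's `[[:alnum:].-]+` rule lets all of them through) and stored as identities of peers to which no security is applied; since the character set is already restricted by the lexer, checking the label structure is cheap, see the rewritten helper below. The strdup'd `$1` is leaked on every `YYERROR` path (the FQDN check and both sns_addpeer failures): bison does not run destructors on the right-hand side of a rule that invokes YYERROR, so a `free( $1 );` belongs before each `YYERROR`, and a `%destructor { free($$); } STRING FQDN` declaration additionally frees a STRING/FQDN still on the stack when a syntax error is raised elsewhere. In a pure parser `yylloc` inside an action is the location of the lookahead token, so the FQDN rule reports the error one token too far; `yyerror (&@1, conffile, ...)` points at the offending string. Finally, the verbosity and priority integers are stored without a range check; the sample file documents verbosity as 0–2, so a check consistent with it would fit here, while the meaning of negative priorities depends on sns_addpeer, which is outside this change.
```yacc
/* This function checks a string value can be a DiameterId (== a fqdn).
 * The lexer already restricts the characters to [A-Za-z0-9.-]; here we check
 * the label structure: at least two labels, each 1..63 characters and not
 * starting or ending with '-', and at most 253 characters in total. */
static int is_valid_fqdn( char * candidate ) 
{
	size_t len = strlen(candidate);
	size_t label = 0;	/* length of the label being scanned */
	size_t i;
	
	if (len == 0 || len > 253 || !strchr(candidate, '.')) {
		log_error("The string '%s' is not a valid fully-qualified domain name (fqdn).\n", candidate);
		return 0;
	}
	
	for (i = 0; i <= len; i++) {
		if (candidate[i] == '.' || candidate[i] == '\0') {
			/* End of a label: reject empty labels (this covers a leading or trailing '.'), over-long ones, and a trailing '-' */
			if (label == 0 || label > 63 || candidate[i - 1] == '-') {
				log_error("The string '%s' is not a valid fully-qualified domain name (fqdn): bad label.\n", candidate);
				return 0;
			}
			label = 0;
		} else {
			/* A label must not start with '-' */
			if (label == 0 && candidate[i] == '-') {
				log_error("The string '%s' is not a valid fully-qualified domain name (fqdn): label starts with '-'.\n", candidate);
				return 0;
			}
			label++;
		}
	}
	
	/* Ok this candidate is valid */
	return 1;
}
/* … unchanged: yyerror, def_prio, token declarations and the grammar … */
```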
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_parse.c	Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,66 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License)                                                               *
+* Author: Sebastien Decugis <sdecugis@nict.go.jp>							 *
+*													 *
+* Copyright (c) 2008, WIDE Project and NICT								 *
+* All rights reserved.											 *
+* 													 *
+* Redistribution and use of this software in source and binary forms, with or without modification, are  *
+* permitted provided that the following conditions are met:						 *
+* 													 *
+* * Redistributions of source code must retain the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer.										 *
+*    													 *
+* * Redistributions in binary form must reproduce the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer in the documentation and/or other						 *
+*   materials provided with the distribution.								 *
+* 													 *
+* * Neither the name of the WIDE Project or NICT nor the 						 *
+*   names of its contributors may be used to endorse or 						 *
+*   promote products derived from this software without 						 *
+*   specific prior written permission of WIDE Project and 						 *
+*   NICT.												 *
+* 													 *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 	 *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 	 *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF   *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.								 *
+*********************************************************************************************************/
+
+#include "sec_nosec.h"
+
+/* Parse the configuration file */
+int sns_parse(char * conffile)
+{
+	extern FILE * yyin;
+	int ret;
+	
+	TRACE_ENTRY("%p", conffile);
+	
+	TRACE_DEBUG (FULL, "Parsing configuration file: %s...", conffile);
+	
+	yyin = fopen(conffile, "r");
+	if (yyin == NULL) {
+		ret = errno;
+		log_error("Unable to open extension configuration file %s for reading: %s\n", conffile, strerror(ret));
+		TRACE_DEBUG (INFO, "Error occurred, message logged -- configuration file.");
+		return ret;
+	}
+
+	ret = yyparse();
+
+	fclose(yyin);
+
+	if (ret != 0) {
+		TRACE_DEBUG (INFO, "Unable to parse the configuration file.");
+		return EINVAL;
+	}
+	
+	return 0;
+}
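Review bot: `ret = yyparse();` passes no argument, but sns_gram.y in this same changeset declares `%parse-param {char * conffile}`, so the generated yyparse takes the filename and yyerror prints that `conffile` with `%s`; with no prototype in scope the call is an implicit declaration and any syntax error makes yyerror format an unspecified pointer (and if sec_nosec.h already pulls in the prototype, which I cannot see, this is a compile error instead). Include the generated header so the signature is checked and pass the name: `#include "sns_gram.h"` next to `#include "sec_nosec.h"`, and `ret = yyparse(conffile);`. If sns_parse can be called more than once (a reload, for instance), the flex scanner keeps its buffer state between calls, so a `yyrestart(yyin);` before yyparse would also be needed; the caller is outside this change.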
--- a/extensions/sec_nosec/sns_peers.c	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_peers.c	Mon Jul 28 13:59:54 2008 +0900
@@ -48,17 +48,17 @@
  
 static sns_peer_t sentinel;
 
-/* Note: we don't need to protect the list since we're not yet multithreaded when we add to it */
+/* Note: we don't need to protect the list since we're not multithreaded when we add or remove entries */
 
 
-/* Initialize the hash table where the peers are stored */
+/* Initialize the list */
 int sns_init(void)
 {
 	TRACE_ENTRY("");
 	
 	memset(&sentinel, 0, sizeof(sns_peer_t));
 	
-	return ENOTSUP;
+	return 0;
 }
 
 /* Add a new peer entry. The diametedid string is copied. */
@@ -124,6 +124,19 @@
 	}
 }
 
+/* dump the list */
+void sns_dump(void)
+{
+	sns_peer_t * item;
+	
+	TRACE_DEBUG(FULL, "-- Dumping list of peers --");
+	for (item = sentinel.next; item != NULL; item = item->next) {
+		TRACE_DEBUG(FULL, "prio: %2d, peer: '%s'", item->prio, item->diamid);
+	}
+	
+	TRACE_DEBUG(FULL, "------ End of dump --------");
+}
+
 /* Destroy the table and free all data */
 int sns_fini(void)
 {
--- a/extensions/sec_nosec/sns_recv_unprotect.c	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_recv_unprotect.c	Mon Jul 28 13:59:54 2008 +0900
@@ -39,10 +39,7 @@
 
 #include "sec_nosec.h"
 
-/* The maximum size of messages we accept. bigger messages are considered as trash and failure occurs */
-#define DIAMETER_MSG_SIZE_MAX	65536
-
-/* We just receive the buffer "as is" on the connection object, and rebuild a message */
+/* We just receive the buffer "as is" on the connection object, and rebuild a message (boundaries are lost with TCP) */
 
 int sns_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length)
 {
--- a/extensions/sec_nosec/sns_state_change.c	Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_state_change.c	Mon Jul 28 13:59:54 2008 +0900
@@ -42,6 +42,7 @@
 int sns_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session)
 {
 	TRACE_ENTRY("%d %d %p %p", newstate, oldstate, session, ext_session);
+	
 	/* We don't need to save a session state in this module, so do not do anything here */
 	return 0;
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_token.l	Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,116 @@
+/*********************************************************************************************************
+* Software License Agreement (BSD License)                                                               *
+* Author: Sebastien Decugis <sdecugis@nict.go.jp>							 *
+*													 *
+* Copyright (c) 2008, WIDE Project and NICT								 *
+* All rights reserved.											 *
+* 													 *
+* Redistribution and use of this software in source and binary forms, with or without modification, are  *
+* permitted provided that the following conditions are met:						 *
+* 													 *
+* * Redistributions of source code must retain the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer.										 *
+*    													 *
+* * Redistributions in binary form must reproduce the above 						 *
+*   copyright notice, this list of conditions and the 							 *
+*   following disclaimer in the documentation and/or other						 *
+*   materials provided with the distribution.								 *
+* 													 *
+* * Neither the name of the WIDE Project or NICT nor the 						 *
+*   names of its contributors may be used to endorse or 						 *
+*   promote products derived from this software without 						 *
+*   specific prior written permission of WIDE Project and 						 *
+*   NICT.												 *
+* 													 *
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
+* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
+* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
+* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 	 *
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 	 *
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
+* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF   *
+* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.								 *
+*********************************************************************************************************/
+
+/* Lex sec_nosec extension's configuration parser.
+ *
+ * The configuration file contains a default priority, and a list of peers with optional overwite priority.
+ * -- see the sec_nosec.conf.sample file for more detail.
+ */
+
+%{
+/* Include the daemon's header files */
+#include "sec_nosec.h"
+/* Include yacc tokens definitions */
+#include "sns_gram.h"
+
+/* Update the column information */
+#define YY_USER_ACTION { 					\
+	yylloc->first_column = yylloc->last_column + 1; 	\
+	yylloc->last_column = yylloc->first_column + yyleng - 1;\
+}
+%}
+
+%option bison-bridge bison-locations
+%option noyywrap
+
+%%
+
+	/* Update the line count */
+\n			{
+				yylloc->first_line++; 
+				yylloc->last_line++; 
+				yylloc->last_column=0; 
+			}
+	 
+	/* Eat all spaces */
+[[:space:]]+		;
+	/* Eat all comments */
+#.*$			;
+
+	/* Recognize any integer */
+[[:digit:]]+		{
+				/* Convert this to an integer value */
+				int ret=0;
+				ret = sscanf(yytext, "%i", &yylval->integer);
+				if (ret != 1) {
+					/* No matching: an error occurred */
+					log_error("Unable to convert the value '%s' to a valid number: %s\n", yytext, strerror(errno));
+					return LEX_ERROR; /* trig an error in yacc parser */
+					/* Maybe we could REJECT instead of failing here? */
+				}
+				return INTEGER;
+			}
+
+	/* Recognize the verbosity string */	
+(?i:"Debug_Verbosity")	{
+				return VERBOSITY;
+			}
+
+	/* Recognize the default_priority string */	
+(?i:"Default_Priority")	{
+				return DEF_PRIO; 
+			}
+
+	/* Any other string is considered as a fqdn, if the pattern is valid */
+[[:alnum:].-]+		{
+				/* Match a fqdn string. expected only ASCII characters, '-' and '.'. The validation of fqdn is done in yacc */
+				yylval->string = strdup(yytext);
+				if (!yylval->string) {
+					log_error("Unable to copy the string '%s': %s\n", yytext, strerror(errno));
+					return LEX_ERROR; /* trig an error in yacc parser */
+				}
+				return STRING;
+			}
+
+	/* Valid single characters for yyparse */
+[=,;]			{ return yytext[0]; }
+
+	/* Unrecognized sequence */
+[^[:space:]=,;\n]+	{ 
+				log_error("Unrecognized text on line %d col %d: '%s'.\n", yylloc->first_line, yylloc->first_column, yytext);
+			 	return LEX_ERROR; 
+			}
+
+%%
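Review bot: The integer rule converts with `sscanf(yytext, "%i", ...)`, and `%i` follows C literal rules, so a value written with a leading zero is read as octal: `Default_Priority = 010;` stores 8, a digit string too large for an int is not detected at all, and the `strerror(errno)` in the error message is meaningless because a matching failure does not set errno. Since the priority decides which security module handles a peer, a silently wrong value is worth closing off: convert with `strtol(yytext, &end, 10)` and reject on `errno == ERANGE`, a non-empty remainder or a value above INT_MAX (this needs `<limits.h>` and `<errno.h>`, unless sec_nosec.h already provides them, which is not visible here). Separately, `[[:space:]]+` also matches '\n', and flex keeps the longest match, so any newline adjacent to a blank (an indented line, a trailing space) is consumed by that rule instead of the `\n` rule and `first_line` is not incremented, which makes the line numbers in every error message unreliable; restricting the rule to `[ \t\r\f\v]+` fixes that.
```lex
	/* Eat blanks; newlines are left to the rule above so that the line count stays right */
[ \t\r\f\v]+		;

	/* Recognize any integer (the pattern admits only decimal digits: no sign, no 0x or leading-zero prefix) */
[[:digit:]]+		{
				char *end = NULL;
				long val;
				errno = 0;
				val = strtol(yytext, &end, 10);
				if (end == yytext || *end != '\0' || errno == ERANGE || val > INT_MAX) {
					log_error("Unable to convert the value '%s' to a valid number.\n", yytext);
					return LEX_ERROR; /* trig an error in yacc parser */
				}
				yylval->integer = (int)val;
				return INTEGER;
			}
	/* … unchanged: keyword, string, single-character and unrecognized-sequence rules … */
```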
--- a/extensions/sec_nosec/todo.c	Mon Jul 28 10:57:29 2008 +0900
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,4 +0,0 @@
-/* Temporary file containing all code that is not written yet */
-
-
-