changeset 106:e243c9a234cd
Completed the sec_nosec extension
author | Sebastien Decugis <sdecugis@nict.go.jp> |
---|---|
date | Mon, 28 Jul 2008 13:59:54 +0900 |
parents | ea698d19f63a |
children | c956cc2dbaed |
files | doc/sec_nosec.conf.sample doc/waaad.conf.sample extensions/sample/Makefile.am extensions/sec_nosec/Makefile.am extensions/sec_nosec/sec_nosec.c extensions/sec_nosec/sec_nosec.h extensions/sec_nosec/sns_gram.y extensions/sec_nosec/sns_parse.c extensions/sec_nosec/sns_peers.c extensions/sec_nosec/sns_recv_unprotect.c extensions/sec_nosec/sns_state_change.c extensions/sec_nosec/sns_token.l extensions/sec_nosec/todo.c |
diffstat | 13 files changed, 416 insertions(+), 13 deletions(-) [+] |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/sec_nosec.conf.sample Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,22 @@
+# This is a sample configuration file for the sec_nosec waaad extension.
+
+# For debug purpose, use this parameter to change the debug verbosity of the extension.
+# 0: no debug
+# 1: information only (error conditions)
+# 2: full debug (errors and tracing)
+# Debug_Verbosity = 1;
+
+# Specify the default priority given to this extension to handle a peer.
+# The extension with the highest priority will handle a connection.
+# This parameter is optional. The default value is 1.
+# The parameter may be given several times. It applies only to the peers
+# following the definition in the file.
+# Default_Priority = 1;
+
+# Each Diameter peer to which no security mechanism is provided by waaad
+# must be listed explicitely here.
+# The priority may be overwriten for each peer.
+# Format: diameter_id [, priority];
+# Examples:
+# nas.domain.net;
+# home.domain.net, 10;
--- a/doc/waaad.conf.sample Mon Jul 28 10:57:29 2008 +0900
+++ b/doc/waaad.conf.sample Mon Jul 28 13:59:54 2008 +0900
@@ -50,6 +50,11 @@
 filename="/root/sources/waaad/build/extensions/sample/.libs/sample.so";
 };
+"sec_nosec" = {
+ filename="/root/sources/waaad/build/extensions/sec_nosec/.libs/sec_nosec.so";
+ conffile="/root/sources/waaad/doc/sec_nosec.conf.sample";
+};
+
 [peers]
--- a/extensions/sample/Makefile.am Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sample/Makefile.am Mon Jul 28 13:59:54 2008 +0900
@@ -1,6 +1,7 @@
 # Compile the sample extension.
-noinst_LTLIBRARIES = sample.la
+# noinst_LTLIBRARIES = sample.la
+pkglib_LTLIBRARIES = sample.la
 sample_la_SOURCES = sample.c fini.c
 sample_la_LDFLAGS = -module
--- a/extensions/sec_nosec/Makefile.am Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/Makefile.am Mon Jul 28 13:59:54 2008 +0900
@@ -3,6 +3,10 @@
 # Location of the API headers:
 AM_CPPFLAGS = -I$(srcdir)/../../include
+# For bison
+AM_YFLAGS = -d
+BUILT_SOURCES = sns_gram.h
+
 pkglib_LTLIBRARIES = sec_nosec.la
 sec_nosec_la_LDFLAGS = -module
@@ -12,6 +16,8 @@
 sns_recv_unprotect.c \
 sns_is_supported_peer.c \
 sns_peers.c \
- todo.c
+ sns_parse.c \
+ sns_gram.y \
+ sns_token.l
--- a/extensions/sec_nosec/sec_nosec.c Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sec_nosec.c Mon Jul 28 13:59:54 2008 +0900
@@ -80,6 +80,9 @@
 return ret;
 }
+ /* For debug purpose */
+ sns_dump();
+
 /* Finaly, register the security module */
 memset(&sns_mod, 0, sizeof(sec_module_t) );
 sns_mod.sec_insecid = SEC_NOSEC_INBAND_SECURITY_ID;
--- a/extensions/sec_nosec/sec_nosec.h Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sec_nosec.h Mon Jul 28 13:59:54 2008 +0900
@@ -57,6 +57,11 @@
 /* The value of the Inband-Security-Id that this extension provides */
 #define SEC_NOSEC_INBAND_SECURITY_ID 0
+/* The maximum size of messages we accept. Bigger messages are considered as trash and failure occurs */
+#define DIAMETER_MSG_SIZE_MAX 65536
+
+
+
 /**************************************************************************
 * The functions that are provided back to the daemon, as a security module.
 * See <waaad/security-api.h>
@@ -81,6 +86,9 @@
 /* Parse the configuration file */
 int sns_parse(char * conffile);
+/* Dump the list to debug */
+void sns_dump(void);
+
 /* Destroy the table and free all data */
 int sns_fini(void);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_gram.y Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,169 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*
+*********************************************************************************************************/
+
+/* Yacc sec_nosec extension's configuration parser.
+ */
+
+/* For development only : */
+%debug
+%error-verbose
+
+/* The parser receives the configuration file filename as parameter */
+%parse-param {char * conffile}
+
+/* Keep track of location */
+%locations
+%pure-parser
+
+%{
+#include "sec_nosec.h"
+#include "sns_gram.h" /* bison is not smart enough to define the YYLTYPE before including this code, so... */
+
+#include <string.h>
+#include <errno.h>
+
+/* This function checks a string value can be a DiameterId (== a fqdn) */
+static int is_valid_fqdn( char * candidate )
+{
+ /* We first search for a '.' */
+ if (!strchr(candidate, '.')) {
+ log_error("The string '%s' is not a valid fully-qualified domain name (fqdn).\n", candidate);
+ return 0;
+ }
+
+ /* We may do additional checking here */
+
+ /* Ok this candidate is valid */
+ return 1;
+}
+
+/* Function to report the errors */
+void yyerror (YYLTYPE *ploc, char * conffile, char const *s)
+{
+ if (ploc->first_line != ploc->last_line)
+ log_error("%s:%d.%d-%d.%d : %s\n", conffile, ploc->first_line, ploc->first_column, ploc->last_line, ploc->last_column, s);
+ else if (ploc->first_column != ploc->last_column)
+ log_error("%s:%d.%d-%d : %s\n", conffile, ploc->first_line, ploc->first_column, ploc->last_column, s);
+ else
+ log_error("%s:%d.%d : %s\n", conffile, ploc->first_line, ploc->first_column, s);
+}
+
+/* Global variable to store the default priority */
+static int def_prio = 1;
+
+%}
+
+/* Values returned by lex for token */
+%union {
+ char *string; /* The string is allocated by strdup in lex.*/
+ int integer; /* Store integer values */
+}
+
+/* In case of error in the lexical analysis */
+%token LEX_ERROR
+
+/* A string (malloc'd in lex parser; it must be freed after use) */
+%token <string> STRING
+/* Strings subtypes */
+%type <string> FQDN /* This is a fqdn.
We check that the syntax is correct. */
+
+/* An integer value */
+%token <integer> INTEGER
+
+/* The default priority token */
+%token DEF_PRIO
+
+/* The debug level token */
+%token VERBOSITY
+
+/* -------------------------------------- */
+%%
+
+ /* The grammar definition */
+conffile: /* empty grammar is OK */
+ | conffile verbosity
+ | conffile def_prio
+ | conffile peer
+ ;
+
+ /* Defining the extension debug verbosity level */
+verbosity: VERBOSITY '=' INTEGER ';'
+ {
+ verbosity = $3;
+ }
+ ;
+
+ /* Defining the default peers priority */
+def_prio: DEF_PRIO '=' INTEGER ';'
+ {
+ def_prio = $3;
+ }
+ ;
+
+ /* Validating a FQDN: */
+FQDN: STRING
+ {
+ /* Verify this is a valid FQDN */
+ if (!is_valid_fqdn($1)) {
+ yyerror (&yylloc, conffile, "An error was detected on a fqdn, aborting...");
+ YYERROR;
+ }
+ $$ = $1;
+ }
+ ;
+
+ /* A peer definition */
+peer: FQDN ';'
+ {
+ int ret = 0;
+ ret = sns_addpeer( $1, def_prio );
+ if (ret != 0) {
+ log_error("An error occurred while saving peer '%s': %s\n", $1, strerror(ret));
+ YYERROR;
+ }
+ free( $1 );
+ }
+ | FQDN ',' INTEGER ';'
+ {
+ int ret = 0;
+ ret = sns_addpeer( $1, $3 );
+ if (ret != 0) {
+ log_error("An error occurred while saving peer '%s': %s\n", $1, strerror(ret));
+ YYERROR;
+ }
+ free( $1 );
+ }
+ ;
+
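Review bot: The STRING value `$1` leaks on every error path of the new grammar: both `peer` actions reach `YYERROR` after `sns_addpeer` fails without freeing it, the `FQDN` action drops it when `is_valid_fqdn` fails, and bison reclaims nothing for STRING tokens it discards during error recovery because no destructor is declared. A `%destructor { free($$); } <string>` covers the recovery case, but bison does not run destructors for the right-hand side of the rule whose action raised `YYERROR`, so each of those three actions still needs a `free( $1 );` immediately before its `YYERROR`. `is_valid_fqdn` accepts any string that contains a '.', so `.`, `..` or `-.-` end up stored as peer identities; since the comment already reserves room for more checks, rejecting empty labels and a leading or trailing '.' would keep junk out of the peer list. `%debug` and `%error-verbose` are labelled "For development only" yet committed unconditionally; if shipping them is intended, the comment should say so. Because the extension is a loadable module that emits the default `yyparse`/`yyerror`/`yylex`/`yyin` symbols, a second extension with its own bison parser may collide with it depending on how the daemon loads modules, which I cannot see from here; `%name-prefix "sns_"` here and `%option prefix="sns_"` in sns_token.l would remove that risk.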
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_parse.c Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,66 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*
+*********************************************************************************************************/
+
+#include "sec_nosec.h"
+
+/* Parse the configuration file */
+int sns_parse(char * conffile)
+{
+ extern FILE * yyin;
+ int ret;
+
+ TRACE_ENTRY("%p", conffile);
+
+ TRACE_DEBUG (FULL, "Parsing configuration file: %s...", conffile);
+
+ yyin = fopen(conffile, "r");
+ if (yyin == NULL) {
+ ret = errno;
+ log_error("Unable to open extension configuration file %s for reading: %s\n", conffile, strerror(ret));
+ TRACE_DEBUG (INFO, "Error occurred, message logged -- configuration file.");
+ return ret;
+ }
+
+ ret = yyparse();
+
+ fclose(yyin);
+
+ if (ret != 0) {
+ TRACE_DEBUG (INFO, "Unable to parse the configuration file.");
+ return EINVAL;
+ }
+
+ return 0;
+}
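Review bot: `ret = yyparse();` passes no argument, but sns_gram.y in this same commit declares `%parse-param {char * conffile}`, so the generated `yyparse` takes one; this file includes only sec_nosec.h, not sns_gram.h, so unless sec_nosec.h declares the prototype the call goes through an implicit declaration and `yyerror` formats an uninitialized `conffile` pointer into its error message (a crash or garbage in the log on the first syntax error). The call should be `ret = yyparse(conffile);`, and including `sns_gram.h` here would let the compiler reject this kind of mismatch. If `sns_parse` can run more than once, the flex scanner may still hold the buffer on which it hit EOF for the previous `yyin`; a `yyrestart(yyin);` after the `fopen` makes it read the new file — I cannot see the lexer's reset behaviour from here, so worth confirming. `conffile` is only read, so the parameter (and the `%parse-param`) could be `const char *`.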
--- a/extensions/sec_nosec/sns_peers.c Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_peers.c Mon Jul 28 13:59:54 2008 +0900
@@ -48,17 +48,17 @@
 static sns_peer_t sentinel;
-/* Note: we don't need to protect the list since we're not yet multithreaded when we add to it */
+/* Note: we don't need to protect the list since we're not multithreaded when we add or remove entries */
-/* Initialize the hash table where the peers are stored */
+/* Initialize the list */
 int sns_init(void)
 {
 TRACE_ENTRY("");
 memset(&sentinel, 0, sizeof(sns_peer_t));
- return ENOTSUP;
+ return 0;
 }
 /* Add a new peer entry. The diametedid string is copied. */
@@ -124,6 +124,19 @@
 }
 }
+/* dump the list */
+void sns_dump(void)
+{
+ sns_peer_t * item;
+
+ TRACE_DEBUG(FULL, "-- Dumping list of peers --");
+ for (item = sentinel.next; item != NULL; item = item->next) {
+ TRACE_DEBUG(FULL, "prio: %2d, peer: '%s'", item->prio, item->diamid);
+ }
+
+ TRACE_DEBUG(FULL, "------ End of dump --------");
+}
+
 /* Destroy the table and free all data */
 int sns_fini(void)
 {
--- a/extensions/sec_nosec/sns_recv_unprotect.c Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_recv_unprotect.c Mon Jul 28 13:59:54 2008 +0900
@@ -39,10 +39,7 @@
 #include "sec_nosec.h"
-/* The maximum size of messages we accept. bigger messages are considered as trash and failure occurs */
-#define DIAMETER_MSG_SIZE_MAX 65536
-
-/* We just receive the buffer "as is" on the connection object, and rebuild a message */
+/* We just receive the buffer "as is" on the connection object, and rebuild a message (boundaries are lost with TCP) */
 int sns_recv_unprotect (sec_session_t * session, void ** ext_session, void ** data, size_t *length)
 {
--- a/extensions/sec_nosec/sns_state_change.c Mon Jul 28 10:57:29 2008 +0900
+++ b/extensions/sec_nosec/sns_state_change.c Mon Jul 28 13:59:54 2008 +0900
@@ -42,6 +42,7 @@
 int sns_state_change (sec_pss_t newstate, sec_pss_t oldstate, sec_session_t * session, void ** ext_session)
 {
 TRACE_ENTRY("%d %d %p %p", newstate, oldstate, session, ext_session);
+ /* We don't need to save a session state in this module, so do not do anything here */
 return 0;
 }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/extensions/sec_nosec/sns_token.l Mon Jul 28 13:59:54 2008 +0900
@@ -0,0 +1,116 @@ +/********************************************************************************************************* +* Software License Agreement (BSD License) * +* Author: Sebastien Decugis <sdecugis@nict.go.jp> * +* * +* Copyright (c) 2008, WIDE Project and NICT * +* All rights reserved. * +* * +* Redistribution and use of this software in source and binary forms, with or without modification, are * +* permitted provided that the following conditions are met: * +* * +* * Redistributions of source code must retain the above * +* copyright notice, this list of conditions and the * +* following disclaimer. * +* * +* * Redistributions in binary form must reproduce the above * +* copyright notice, this list of conditions and the * +* following disclaimer in the documentation and/or other * +* materials provided with the distribution. * +* * +* * Neither the name of the WIDE Project or NICT nor the * +* names of its contributors may be used to endorse or * +* promote products derived from this software without * +* specific prior written permission of WIDE Project and * +* NICT. * +* * +* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * +* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * +* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * +* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * +* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * +* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * +* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * +* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*
+*********************************************************************************************************/
+
+/* Lex sec_nosec extension's configuration parser.
+ *
+ * The configuration file contains a default priority, and a list of peers with optional overwite priority.
+ * -- see the sec_nosec.conf.sample file for more detail.
+ */
+
+%{
+/* Include the daemon's header files */
+#include "sec_nosec.h"
+/* Include yacc tokens definitions */
+#include "sns_gram.h"
+
+/* Update the column information */
+#define YY_USER_ACTION { \
+ yylloc->first_column = yylloc->last_column + 1; \
+ yylloc->last_column = yylloc->first_column + yyleng - 1;\
+}
+%}
+
+%option bison-bridge bison-locations
+%option noyywrap
+
+%%
+
+ /* Update the line count */
+\n {
+ yylloc->first_line++;
+ yylloc->last_line++;
+ yylloc->last_column=0;
+ }
+
+ /* Eat all spaces */
+[[:space:]]+ ;
+ /* Eat all comments */
+#.*$ ;
+
+ /* Recognize any integer */
+[[:digit:]]+ {
+ /* Convert this to an integer value */
+ int ret=0;
+ ret = sscanf(yytext, "%i", &yylval->integer);
+ if (ret != 1) {
+ /* No matching: an error occurred */
+ log_error("Unable to convert the value '%s' to a valid number: %s\n", yytext, strerror(errno));
+ return LEX_ERROR; /* trig an error in yacc parser */
+ /* Maybe we could REJECT instead of failing here? */
+ }
+ return INTEGER;
+ }
+
+ /* Recognize the verbosity string */
+(?i:"Debug_Verbosity") {
+ return VERBOSITY;
+ }
+
+ /* Recognize the default_priority string */
+(?i:"Default_Priority") {
+ return DEF_PRIO;
+ }
+
+ /* Any other string is considered as a fqdn, if the pattern is valid */
+[[:alnum:].-]+ {
+ /* Match a fqdn string. expected only ASCII characters, '-' and '.'.
The validation of fqdn is done in yacc */
+ yylval->string = strdup(yytext);
+ if (!yylval->string) {
+ log_error("Unable to copy the string '%s': %s\n", yytext, strerror(errno));
+ return LEX_ERROR; /* trig an error in yacc parser */
+ }
+ return STRING;
+ }
+
+ /* Valid single characters for yyparse */
+[=,;] { return yytext[0]; }
+
+ /* Unrecognized sequence */
+[^[:space:]=,;\n]+ {
+ log_error("Unrecognized text on line %d col %d: '%s'.\n", yylloc->first_line, yylloc->first_column, yytext);
+ return LEX_ERROR;
+ }
+
+%%
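Review bot: The integer rule converts `yytext` with `sscanf(yytext, "%i", ...)`, but `%i` auto-detects the base, so a value written with a leading zero such as `010` is read as octal 8, and a digit string outside the `int` range makes `sscanf` behaviour undefined instead of returning an error; the `strerror(errno)` in that branch also reports a stale `errno`, since a matching failure does not set it. `strtol` with base 10 plus an explicit range check, as below, gives a defined error for both cases (it needs `<limits.h>` for `INT_MAX` in the `%{ %}` section). Separately, `[[:space:]]` matches `\n` and flex prefers the longest match, so a newline adjacent to other whitespace, or two consecutive newlines, is consumed by the `[[:space:]]+ ;` rule instead of the `\n` rule and `yylloc->first_line` stops counting; restricting that rule to `[ \t\r]+ ;` keeps the line numbers reported by `yyerror` and the "Unrecognized text" message correct.
```lex
[[:digit:]]+ {
	/* Base 10 only: "%i" would read a leading-zero value as octal, and
	 * sscanf() on an out-of-range value is undefined behaviour. */
	char *end = NULL;
	long val;
	errno = 0;
	val = strtol(yytext, &end, 10);
	if (end == yytext || *end != '\0' || errno == ERANGE || val > INT_MAX) {
		log_error("Unable to convert the value '%s' to a valid number.\n", yytext);
		return LEX_ERROR; /* trig an error in yacc parser */
	}
	yylval->integer = (int)val;
	return INTEGER;
	}
```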