Changeset 18:e7187583dcf8 in freeDiameter
- Timestamp:
- Oct 5, 2009, 5:13:01 PM (14 years ago)
- Branch:
- default
- Phase:
- public
- Files:
-
- 2 added
- 7 edited
INSTALL
r1 r18 18 18 Note that there are dependencies on external tools that may not be enforced by the configure script. 19 19 On Ubuntu Intrepid, the following packages were required (aptitude install ...): 20 gcc make flex bison libsctp1 libsctp-dev cmake 20 gcc make flex bison libsctp1 libsctp-dev cmake libgnutls-dev libgcrypt-dev 21 21 22 22 On FreeBSD the following packages were required: -
doc/freediameter.conf.sample
r13 r18 66 66 #ListenOn = "202.249.37.5"; 67 67 #ListenOn = "2001:200:903:2::202:1"; 68 69 ############################################################## 70 ## TLS Configuration 71 72 # TLS is managed by the GNUTLS library in the freeDiameter daemon. 73 # You may find more information about parameters and special behaviors 74 # in the relevant documentation. 75 # http://www.gnu.org/software/gnutls/manual/ 76 77 # Credentials of the local peer 78 # The X509 certificate and private key file to use for the local peer. 79 # The files must contain PKCS-1 encoded RSA key, in PEM format. 80 # (These parameters are passed to gnutls_certificate_set_x509_key_file function) 81 # Default : NO DEFAULT 82 #TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>"; 83 84 # Certificate authority / trust anchors 85 # The file containing the list of trusted Certificate Authorities (PEM list) 86 # (This parameter is passed to gnutls_certificate_set_x509_trust_file function) 87 # The directive can appear several times to specify several files. 88 # Default : GNUTLS default behavior 89 #TLS_CA = "<file.PEM>"; 90 91 # Certificate Revocation List file 92 # The information about revoked certificates. 93 # The file contains a list of trusted CRLs in PEM format. They should have been verified before. 94 # (This parameter is passed to gnutls_certificate_set_x509_crl_file function) 95 # Default : GNUTLS default behavior 96 #TLS_CRL = "<file.PEM>"; 97 98 # GNU TLS Priority string 99 # This string allows to configure the behavior of GNUTLS key exchanges 100 # algorithms. See gnutls_priority_init function documentation for information. 
101 # You should also refer to the Diameter required TLS support here: 102 # http://tools.ietf.org/html/draft-ietf-dime-rfc3588bis-18#section-13.1 103 # Default : "NORMAL" 104 # Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"; 105 #TLS_Prio = "NORMAL"; 106 107 # Diffie-Hellman parameters size 108 # Set the number of bits for generated DH parameters 109 # Valid value should be 768, 1024, 2048, 3072 or 4096. 110 # (This parameter is passed to gnutls_dh_params_generate2 function, 111 # it usually should match RSA key size) 112 # Default : 1024 113 #TLS_DH_Bits = 1024; 114 68 115 69 116 ############################################################## -
freeDiameter/config.c
r17 r18 38 38 /* Configuration management */ 39 39 40 #ifndef GNUTLS_DEFAULT_PRIORITY 41 # define GNUTLS_DEFAULT_PRIORITY "NORMAL" 42 #endif /* GNUTLS_DEFAULT_PRIORITY */ 43 #ifndef GNUTLS_DEFAULT_DHBITS 44 # define GNUTLS_DEFAULT_DHBITS 1024 45 #endif /* GNUTLS_DEFAULT_DHBITS */ 46 40 47 /* Initialize the fd_g_config structure to default values */ 41 48 int fd_conf_init() … … 63 70 CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev) ); 64 71 72 /* TLS parameters */ 73 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM ); 74 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM ); 75 65 76 return 0; 66 77 } … … 111 122 } 112 123 } 124 113 125 fd_log_debug(" Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled"); 114 126 fd_log_debug(" - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled"); … … 122 134 fd_log_debug(" - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP"); 123 135 fd_log_debug(" - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port"); 124 fd_log_debug(" TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(none)"); 125 fd_log_debug(" - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(none)"); 126 fd_log_debug(" - CA ........... : %s\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)"); 136 137 fd_log_debug(" TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)"); 138 fd_log_debug(" - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)"); 139 fd_log_debug(" - CA (trust) ... : %s\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)"); 127 140 fd_log_debug(" - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"); 128 fd_log_debug(" - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default)"); 141 fd_log_debug(" - Priority ..... 
: %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"); 142 fd_log_debug(" - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 143 129 144 fd_log_debug(" Origin-State-Id ........ : %u\n", fd_g_config->cnf_orstateid); 130 145 } … … 149 164 /* close the file */ 150 165 fclose(fddin); 166 167 /* Check that TLS private key was given */ 168 if (! fd_g_config->cnf_sec_data.key_file) { 169 fprintf(stderr, "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive.\n"); 170 return EINVAL; 171 } 151 172 152 173 /* Resolve hostname if not provided */ … … 208 229 } 209 230 210 /* TLS parameters */ 211 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM ); 212 213 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM ); 214 231 /* Configure TLS default parameters */ 232 if (! fd_g_config->cnf_sec_data.prio_string) { 233 const char * err_pos = NULL; 234 CHECK_GNUTLS_DO( gnutls_priority_init( 235 &fd_g_config->cnf_sec_data.prio_cache, 236 GNUTLS_DEFAULT_PRIORITY, 237 &err_pos), 238 { TRACE_DEBUG(INFO, "Error in priority string at position : %s", err_pos); return EINVAL; } ); 239 } 240 if (! fd_g_config->cnf_sec_data.dh_bits) { 241 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 242 fd_g_config->cnf_sec_data.dh_cache, 243 GNUTLS_DEFAULT_DHBITS), 244 { TRACE_DEBUG(INFO, "Error in DH bits value : %d", GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 245 } 246 215 247 216 248 return 0; -
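Review bot: The new DH bits debug line uses `%d` while the header hunk in this changeset declares `dh_bits` as `unsigned int`, and `dh_bits ?: GNUTLS_DEFAULT_DHBITS` therefore evaluates to an unsigned value; the specifier should be `%u`: `fd_log_debug(" - DH bits ...... : %u\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS);`. The fallback block that calls `gnutls_dh_params_generate2` with `GNUTLS_DEFAULT_DHBITS` does so silently; since DH parameter size is a security setting, a line such as `TRACE_DEBUG(INFO, "No TLS_DH_Bits directive, generating default %u-bit DH parameters", GNUTLS_DEFAULT_DHBITS);` before the call would make the effective value visible in the log. The `Check that TLS private key was given` block only tests `key_file`; the grammar sets `cert_file` and `key_file` together in one rule, so that is sufficient today, but a comment saying so would keep a later reader from wondering why `cert_file` is not checked. Both enclosing functions start and end outside the hunks.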
freeDiameter/fdd.l
r12 r18 131 131 (?i:"ConnectTo") { return CONNTO; } 132 132 (?i:"No_TLS") { return NOTLS; } 133 (?i:"TLS_Cred") { return TLS_CRED; } 134 (?i:"TLS_CA") { return TLS_CA; } 135 (?i:"TLS_CRL") { return TLS_CRL; } 136 (?i:"TLS_Prio") { return TLS_PRIO; } 137 (?i:"TLS_DH_bits") { return TLS_DH_BITS; } 133 138 134 139 -
freeDiameter/fdd.y
r14 r18 112 112 %token CONNPEER 113 113 %token CONNTO 114 %token TLS_CRED 115 %token TLS_CA 116 %token TLS_CRL 117 %token TLS_PRIO 118 %token TLS_DH_BITS 114 119 115 120 … … 118 123 119 124 /* The grammar definition - Sections blocs. */ 120 conffile: /* Empty is OK */125 conffile: /* Empty is OK -- for simplicity here, we reject in daemon later */ 121 126 | conffile identity 122 127 | conffile realm … … 136 141 | conffile loadext 137 142 | conffile connpeer 143 | conffile tls_cred 144 | conffile tls_ca 145 | conffile tls_crl 146 | conffile tls_prio 147 | conffile tls_dh 138 148 | conffile errors 139 149 { … … 447 457 } 448 458 ; 459 460 tls_cred: TLS_CRED '=' QSTRING ',' QSTRING ';' 461 { 462 conf->cnf_sec_data.cert_file = $3; 463 conf->cnf_sec_data.key_file = $5; 464 465 CHECK_GNUTLS_DO( gnutls_certificate_set_x509_key_file( 466 conf->cnf_sec_data.credentials, 467 conf->cnf_sec_data.cert_file, 468 conf->cnf_sec_data.key_file, 469 GNUTLS_X509_FMT_PEM), 470 { yyerror (&yylloc, conf, "Error opening certificate or private key file."); YYERROR; } ); 471 } 472 ; 473 474 tls_ca: TLS_CA '=' QSTRING ';' 475 { 476 conf->cnf_sec_data.ca_file = $3; 477 CHECK_GNUTLS_DO( gnutls_certificate_set_x509_trust_file( 478 conf->cnf_sec_data.credentials, 479 conf->cnf_sec_data.ca_file, 480 GNUTLS_X509_FMT_PEM), 481 { yyerror (&yylloc, conf, "Error setting CA parameters."); YYERROR; } ); 482 } 483 ; 484 485 tls_crl: TLS_CRL '=' QSTRING ';' 486 { 487 conf->cnf_sec_data.crl_file = $3; 488 CHECK_GNUTLS_DO( gnutls_certificate_set_x509_crl_file( 489 conf->cnf_sec_data.credentials, 490 conf->cnf_sec_data.ca_file, 491 GNUTLS_X509_FMT_PEM), 492 { yyerror (&yylloc, conf, "Error setting CRL parameters."); YYERROR; } ); 493 } 494 ; 495 496 tls_prio: TLS_PRIO '=' QSTRING ';' 497 { 498 const char * err_pos = NULL; 499 conf->cnf_sec_data.prio_string = $3; 500 CHECK_GNUTLS_DO( gnutls_priority_init( 501 &conf->cnf_sec_data.prio_cache, 502 conf->cnf_sec_data.prio_string, 503 &err_pos), 504 { yyerror 
(&yylloc, conf, "Error setting Priority parameter."); 505 fprintf(stderr, "Error at position : %s\n", err_pos); 506 YYERROR; } ); 507 } 508 ; 509 510 tls_dh: TLS_DH_BITS '=' INTEGER ';' 511 { 512 conf->cnf_sec_data.dh_bits = $3; 513 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 514 conf->cnf_sec_data.dh_cache, 515 conf->cnf_sec_data.dh_bits), 516 { yyerror (&yylloc, conf, "Error setting DH Bits parameters."); 517 YYERROR; } ); 518 } 519 ; -
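Review bot: The `tls_crl` action passes `conf->cnf_sec_data.ca_file` to `gnutls_certificate_set_x509_crl_file` instead of the `crl_file` it assigned on the line before, so the TLS_CRL directive loads the CA file as a CRL and the intended revocation list is never installed; the argument should be `conf->cnf_sec_data.crl_file,`. In `tls_dh`, `$3` is stored into `dh_bits` (declared `unsigned int` in the header hunk) with no range check, so a zero or out-of-range value from the configuration file is passed straight to `gnutls_dh_params_generate2`, and zero in particular is later treated by config.c as "use the default"; a guard such as `if ($3 <= 0) { yyerror (&yylloc, conf, "TLS_DH_Bits must be a positive value."); YYERROR; }` before the assignment would reject it at parse time. The C type of the INTEGER token is not visible in the hunk, so the signedness of `$3` is an inference.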
freeDiameter/main.c
r17 r18 41 41 #include <gcrypt.h> 42 42 43 GCRY_THREAD_OPTION_PTHREAD_IMPL;44 45 43 /* forward declarations */ 46 44 static void * sig_hdl(void * arg); … … 53 51 struct fd_config * fd_g_config = &conf; 54 52 53 GCRY_THREAD_OPTION_PTHREAD_IMPL; 54 55 55 /* freeDiameter starting point */ 56 56 int main(int argc, char * argv[]) … … 77 77 CHECK_FCT( main_cmdline(argc, argv) ); 78 78 79 /* Initialize g nutls */79 /* Initialize gcrypt and gnutls */ 80 80 (void) gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); 81 (void) gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); 81 82 CHECK_GNUTLS_DO( gnutls_global_init(), return EINVAL ); 82 83 if ( ! gnutls_check_version(GNUTLS_VERSION) ) { -
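Review bot: The added `gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0)` degrades libgcrypt's very-strong random requests to the strong level for the whole process, and that same process then generates DH parameters at startup (config.c in this changeset) and drives every GnuTLS session, so all of that randomness inherits the weaker setting. If the intent is only to avoid a slow start while the entropy pool fills, the trade-off should be stated next to the call, e.g. `/* Quick random: faster startup at the cost of RNG quality; affects DH generation and TLS session randomness */`, and preferably made opt-in through a build or command-line option rather than unconditional. `main` continues outside the hunk.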
include/freeDiameter/freeDiameter.h
r17 r18 90 90 91 91 struct { 92 /* Credentials parameters */ 93 char * key_file; 94 char * cert_file; 95 char * ca_file; 96 char * crl_file; 97 char * prio_string; 98 /* GNUTLS server credential(s) (created from previous files) */ 99 gnutls_certificate_credentials_t credentials; 100 /* Other GNUTLS global parameters */ 101 gnutls_priority_t prio_cache; 102 gnutls_dh_params_t dh_cache; 92 /* Credentials parameters (backup) */ 93 char * cert_file; 94 char * key_file; 95 96 char * ca_file; 97 char * crl_file; 98 99 char * prio_string; 100 unsigned int dh_bits; 101 102 /* GNUTLS parameters */ 103 gnutls_priority_t prio_cache; 104 gnutls_dh_params_t dh_cache; 105 106 /* GNUTLS server credential(s) */ 107 gnutls_certificate_credentials_t credentials; 108 103 109 } cnf_sec_data; 104 110
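Review bot: The reorganised `cnf_sec_data` member does not document what a NULL `prio_string` or a zero `dh_bits` means, although config.c in this changeset relies on both as "use the compiled-in default" (`?: GNUTLS_DEFAULT_PRIORITY`, `?: GNUTLS_DEFAULT_DHBITS`), nor who owns the `char *` members the parser assigns from QSTRING tokens. Comments such as `/* 0: GNUTLS_DEFAULT_DHBITS parameters are generated at startup */` on `dh_bits` and `/* NULL: GNUTLS_DEFAULT_PRIORITY is used */` on `prio_string`, plus one line stating who frees the file-name strings, would make the contract explicit for the next maintainer. The enclosing `struct fd_config` starts and ends outside the hunk.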