Changeset 20:277ec00d793e in freeDiameter

Timestamp:

Oct 7, 2009, 7:31:39 PM (15 years ago)

Author:

Sebastien Decugis <sdecugis@nict.go.jp>

Branch:

default

Phase:

public

Message:

Backup before typhoon... Progress on server side

Files:

• INSTALL (modified) (2 diffs)
• doc/freediameter.conf.sample (modified) (4 diffs)
• freeDiameter/CMakeLists.txt (modified) (2 diffs)
• freeDiameter/cnxctx.c (added)
• freeDiameter/config.c (modified) (1 diff)
• freeDiameter/fD.h (modified) (2 diffs)
• freeDiameter/fdd.y (modified) (2 diffs)
• freeDiameter/main.c (modified) (2 diffs)
• freeDiameter/p_psm.c (modified) (1 diff)
• freeDiameter/peers.c (modified) (1 diff)
• freeDiameter/sctp.c (added)
• freeDiameter/server.c (added)
• include/freeDiameter/freeDiameter.h (modified) (7 diffs)
• include/freeDiameter/libfreeDiameter.h (modified) (1 diff)

INSTALL

@@ -9 +9 @@
 
 You can enable the unary tests by doing:
-cmake -DNO_TESTS:BOOL=OFF ../
+cmake -DSKIP_TESTS:BOOL=OFF ../
 make
 make tests
@@ -38 +38 @@
 DEFAULT_CONF_FILE:STRING=/path/to/some/freeDiameter.conf
 
+Build binary with symbols, for debug:
+CMAKE_BUILD_TYPE:STRING=Debug

doc/freediameter.conf.sample

@@ -1 +1 @@
 # This is a sample configuration file for freeDiameter daemon.
+
+# Only the "TLS_Cred" directive is really mandatory in this file.
 
 ##############################################################
@@ -31 +33 @@
 #TLS_old_method;
 
-# Disable use of TCP protocol (only SCTP)
+# Disable use of TCP protocol (only listen and connect in SCTP)
 # Default : TCP enabled
 #No_TCP;
 
-# Disable use of SCTP protocol (only TCP)
+# Disable use of SCTP protocol (only listen and connect in TCP)
 # Default : SCTP enabled
 #No_SCTP;
@@ -93 +95 @@
 # The file contains a list of trusted CRLs in PEM format. They should have been verified before. 
 # (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
+# Note: currently, openssl CRL seems not supported...
 # Default : GNUTLS default behavior
 #TLS_CRL = "<file.PEM>";
@@ -211 +214 @@
 ConnectPeer = "jules.nautilus6.org" ;
 ConnectPeer = "aaa.nautilus6.org" { No_TLS; No_IP; No_TCP; SCTP_streams = 60; } ;
+TLS_Cred = "/etc/openssl-ca/clients/certs/fdtest.cert" , "/etc/openssl-ca/clients/privkeys/fdtest.key.pem";
+TLS_CA = "/etc/openssl-ca/public-www/cacert.pem";
+# TLS_CRL = "/etc/openssl-ca/public-www/crl.pem";
+

freeDiameter/CMakeLists.txt

@@ -11 +11 @@
         fD.h
         config.c
+        cnxctx.c
         dispatch.c
         extensions.c
@@ -19 +20 @@
         p_expiry.c
         p_psm.c
+        server.c
         )
+
+IF(NOT DISABLE_SCTP)
+        SET(FD_COMMON_SRC ${FD_COMMON_SRC} sctp.c)
+ENDIF(NOT DISABLE_SCTP)
 
 SET(FD_COMMON_GEN_SRC

freeDiameter/config.c

@@ -239 +239 @@
         }
         if (! fd_g_config->cnf_sec_data.dh_bits) {
+                TRACE_DEBUG(FULL, "Generating DH parameters...");
                 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 
                                         fd_g_config->cnf_sec_data.dh_cache,
                                         GNUTLS_DEFAULT_DHBITS),
                                  { TRACE_DEBUG(INFO, "Error in DH bits value : %d", GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
+                TRACE_DEBUG(FULL, "DH parameters generated.");
         }
         

freeDiameter/fD.h

@@ -173 +173 @@
 };
 
+/* The connection context structure */
+struct cnxctx {
+        int             cc_socket;      /* The socket object of the connection -- <=0 if no socket is created */
+        
+        struct fifo   **cc_events;      /* Location of the events list to send connection events */
+        
+        int             cc_proto;       /* IPPROTO_TCP or IPPROTO_SCTP */
+        int             cc_tls;         /* Is TLS already started ? */
+        
+        uint16_t        cc_port;        /* Remote port of the connection, when we are client */
+        struct fd_list  cc_ep_remote;   /* The remote address(es) of the connection */
+        struct fd_list  cc_ep_local;    /* The local address(es) of the connection */
+        
+        /* If cc_proto == SCTP */
+        struct  {
+                int             str_out;/* Out streams */
+                int             str_in; /* In streams */
+                int             pairs;  /* max number of pairs ( = min(in, out)) */
+                int             next;   /* # of stream the next message will be sent to */
+        }               cc_sctp_para;
+        
+        /* If cc_tls == true */
+        struct {
+                int                              mode;          /* GNUTLS_CLIENT / GNUTLS_SERVER */
+                gnutls_session_t                 session;       /* Session object (stream #0 in case of SCTP) */
+        }               cc_tls_para;
+        
+        /* If both conditions */
+        struct {
+                gnutls_session_t                *res_sessions;  /* Sessions of other pairs of streams, resumed from the first */
+                /* Buffers, threads, ... */
+        }               cc_sctp_tls_para;
+};
+
 /* Functions */
 int fd_peer_fini();
@@ -192 +226 @@
 void fd_psm_abord(struct fd_peer * peer );
 
+/* Server sockets */
+void fd_servers_dump();
+int fd_servers_start();
+void fd_servers_stop();
+
+/* Connection contexts */
+struct cnxctx * fd_cnx_init(int sock, int proto);
+int fd_cnx_handshake(struct cnxctx * conn, int mode);
+
+/* SCTP */
+#ifndef DISABLE_SCTP
+int fd_sctp_create_bind_server( int * socket, uint16_t port );
+int fd_sctp_get_str_info( int socket, int *in, int *out );
+
+#endif /* DISABLE_SCTP */
+
+
+
 #endif /* _FD_H */

freeDiameter/fdd.y

@@ -511 +511 @@
                         {
                                 conf->cnf_sec_data.dh_bits = $3;
+                                TRACE_DEBUG(FULL, "Generating DH parameters...");
                                 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 
                                                         conf->cnf_sec_data.dh_cache,
@@ -516 +517 @@
                                                 { yyerror (&yylloc, conf, "Error setting DH Bits parameters."); 
                                                  YYERROR; } );
-                        }
-                        ;
+                                TRACE_DEBUG(FULL, "DH parameters generated.");
+                        }
+                        ;

freeDiameter/main.c

@@ -123 +123 @@
                                 break;
                         
+                        case FDEV_DUMP_SERV:
+                                fd_servers_dump();
+                                break;
+                        
                         case FDEV_DUMP_QUEUES:
                                 fd_fifo_dump(0, "Incoming messages", fd_g_incoming, fd_msg_dump_walk);
@@ -171 +175 @@
                 case_str(FDEV_DUMP_DICT);
                 case_str(FDEV_DUMP_EXT);
+                case_str(FDEV_DUMP_SERV);
                 case_str(FDEV_DUMP_QUEUES);
                 case_str(FDEV_DUMP_CONFIG);

freeDiameter/p_psm.c

@@ -44 +44 @@
         , "STATE_WAITCNXACK_ELEC"
         , "STATE_WAITCEA"
+        , "STATE_OPEN_HANDSHAKE"
         , "STATE_SUSPECT"
         , "STATE_REOPEN"

freeDiameter/peers.c

@@ -344 +344 @@
                                         (peer->p_hdr.info.pi_flags.sec == PI_SEC_NONE ? "IPSec." : "InbandTLS."),
                                 peer->p_hdr.info.pi_flags.exp ? "Expire." : "",
-                                peer->p_hdr.info.pi_flags.inband & PI_INB_NONE ? "InbandIPsecOK." : "",
-                                peer->p_hdr.info.pi_flags.inband & PI_INB_TLS ?  "InbandTLSOK." : "",
+                                peer->p_hdr.info.pi_flags.inband_none ? "InbandIPsec." : "",
+                                peer->p_hdr.info.pi_flags.inband_tls ?  "InbandTLS." : "",
                                 peer->p_hdr.info.pi_flags.relay ? "Relay (0xffffff)" : "No relay"
                                 );

include/freeDiameter/freeDiameter.h

@@ -118 +118 @@
 struct fd_endpoint {
         struct fd_list  chain;  /* link in cnf_endpoints list */
-        sSS             ss;     /* the socket information. */
+        sSS             ss;     /* the socket information. List is always ordered by ss value (memcmp) */
         struct {
                 unsigned conf : 1; /* This endpoint is statically configured in a configuration file */
@@ -175 +175 @@
         ,FDEV_DUMP_DICT         /* Dump the content of the dictionary */
         ,FDEV_DUMP_EXT          /* Dump state of extensions */
+        ,FDEV_DUMP_SERV         /* Dump the server socket status */
         ,FDEV_DUMP_QUEUES       /* Dump the message queues */
         ,FDEV_DUMP_CONFIG       /* Dump the configuration */
         ,FDEV_DUMP_PEERS        /* Dump the list of peers */
 };
-const char * fd_ev_str(int event);
+const char * fd_ev_str(int event); /* defined in freeDiameter/main.c */
 
 
@@ -202 +203 @@
                                    If we win the election, we must disconnect the initiated connection and send a CEA on the other => we go to OPEN state.
                                    If we lose, we disconnect the other connection (receiver) and fallback to WAITCEA state. */
+        STATE_OPEN_HANDSHAKE,   /* TLS Handshake and validation are in progress in open state */
         
         /* Failover state machine */
@@ -211 +213 @@
 #define STATE_MAX STATE_ZOMBIE
 };
-extern const char *peer_state_str[];
+extern const char *peer_state_str[]; /* defined in freeDiameter/p_psm.c */
 #define STATE_STR(state) \
         (((unsigned)(state)) <= STATE_MAX ? peer_state_str[((unsigned)(state)) ] : "<Invalid>")
@@ -245 +247 @@
                 unsigned        exp :1;
                 
-                /* Following flags are read-only and received from remote peer */
-                #define PI_INB_NONE     1       /* Remote peer advertised inband-sec-id 0 (None) */
-                #define PI_INB_TLS      2       /* Remote peer advertised inband-sec-id 1 (TLS) */
-                unsigned        inband :2;      /* This is only meaningful with pi_flags.sec == 3 */
+                unsigned        inband_none :1; /* This is only meaningful with pi_flags.sec == 3 */
+                unsigned        inband_tls  :1; /* This is only meaningful with pi_flags.sec == 3 */
                 
                 unsigned        relay :1;       /* The remote peer advertized the relay application */
@@ -338 +338 @@
  * !0   : An error occurred.
  */
-int fd_peer_validate_register ( int (*peer_validate)(struct peer_info * /* info */, int * /* auth */) );
+int fd_peer_validate_register ( int (*peer_validate)(struct peer_info * /* info */, int * /* auth */, int (**cb2)(struct peer_info *)) );
 /*
  * CALLBACK:    peer_validate
@@ -345 +345 @@
  *   info     : Structure containing information about the peer attempting the connection.
  *   auth     : Store there the result if the peer is accepted (1), rejected (-1), or unknown (0).
+ *   cb2      : If != NULL and in case of PI_SEC_TLS_OLD, another callback to call after handshake (if auth = 1).
  *
  * DESCRIPTION: 
  *   This callback is called when a new connection is being established from an unknown peer,
- *  after the CER is received. An extension must register such callback with peer_validate_register.
+ * after the CER is received. An extension must register such callback with peer_validate_register.
+ *
+ *   If (info->pi_flags.sec == PI_SEC_TLS_OLD) the extension may instruct the daemon explicitely
+ * to not use TLS by clearing info->pi_flags.inband_tls -- only if inband_none is set.
+ *
+ *   If (info->pi_flags.sec == PI_SEC_TLS_OLD) and info->pi_flags.inband_tls is set,
+ * the extension may also need to check the credentials provided during the TLS
+ * exchange (remote certificate). For this purpose, it may set the address of a new callback
+ * to be called once the handshake is completed. This new callback receives the information
+ * structure as parameter (with pi_sec_data set) and returns 0 if the credentials are correct,
+ * or an error code otherwise. If the error code is received, the connection is closed and the 
+ * peer is destroyed.
  *
  * RETURN VALUE:

include/freeDiameter/libfreeDiameter.h

@@ -336 +336 @@
 }
 /* if needed, add sSA_DUMP_SERVICE */
+
+/* A l4 protocol name (TCP / SCTP) */
+#define IPPROTO_NAME( _proto )                                  \
+        ( ((_proto) == IPPROTO_TCP) ? "TCP" :                   \
+                (((_proto) == IPPROTO_SCTP) ? "SCTP" :          \
+                        "Unknown"))
 
 /* The sockaddr length of a sSS structure */