[pisa-src] r1157 - in trunk/community-operator: Makefile.am co_client.c co_client.cfg co_common_packets.h co_server.c hipl.c hipl.h
- From: Diego Biurrun <diego@xxxxxxxxxx>
- To: pisa-src@xxxxxxxxxxxxx
- Date: Thu, 15 Oct 2009 13:17:37 +0200
Author: biurrun
Date: Thu Oct 15 13:17:37 2009
New Revision: 1157
Log:
Revert r1152, it fails to compile and has multiple issues.
Deleted:
trunk/community-operator/co_common_packets.h
Modified:
trunk/community-operator/Makefile.am
trunk/community-operator/co_client.c
trunk/community-operator/co_client.cfg
trunk/community-operator/co_server.c
trunk/community-operator/hipl.c
trunk/community-operator/hipl.h
Modified: trunk/community-operator/Makefile.am
==============================================================================
--- trunk/community-operator/Makefile.am Thu Oct 15 13:01:26 2009
(r1156)
+++ trunk/community-operator/Makefile.am Thu Oct 15 13:17:37 2009
(r1157)
@@ -26,9 +26,8 @@
INCLUDES = -I@PISA_HIPL_SRCDIR@/libinet6/include
INCLUDES += -I@PISA_HIPL_SRCDIR@/libinet6
INCLUDES += -I@PISA_HIPL_SRCDIR@/libhiptool
-INCLUDES += -I@PISA_HIPL_SRCDIR@/opendht
+INCLUDES += -I@PISA_HIPL_SRCDIR@/libdht
INCLUDES += -I@PISA_HIPL_SRCDIR@/hipd
-INCLUDES += -I@PISA_HIPL_SRCDIR@/firewall
INCLUDES += -I@PISA_HIPL_SRCDIR@/i3/i3_client
INCLUDES += -I@PISA_HIPL_SRCDIR@/pjproject/pjnath/include
INCLUDES += -I@PISA_HIPL_SRCDIR@/pjproject/pjlib/include
@@ -43,11 +42,6 @@
co_server_SOURCES = co_server.c hipl.c
co_client_LDADD = $(LDADD) -lm -lcrypto
-if PISA_WITH_HIPL
-# TODO correct linking
-# pisa_split_cert function is needed in co_client.c
- co_client_LDADD += @PISA_HIPL_SRCDIR@/firewall/pisa_cert.o
-endif
co_client_SOURCES = co_client.c
include_HEADERS = hipl.h
Modified: trunk/community-operator/co_client.c
==============================================================================
--- trunk/community-operator/co_client.c Thu Oct 15 13:01:26 2009
(r1156)
+++ trunk/community-operator/co_client.c Thu Oct 15 13:17:37 2009
(r1157)
@@ -3,61 +3,17 @@
* All rights reserved.
*/
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <signal.h>
-#include <unistd.h>
-#include <dirent.h>
+#include <errno.h>
+#include <stdio.h>
-#include "global.h"
-
-#define __USE_XOPEN
-#include <time.h>
-
-#include "co_common_packets.h"
#include "config.h"
-#include "debug.h"
-//#include "util.h"
-
-#ifdef CONFIG_PISA_WITH_HIPL
-# include "pisa_cert.h" /* in firewall under the hipl source tree */
-#endif /* CONFIG_PISA_WITH_HIPL */
-
-#define CERT_FILENAME_FORMAT "%Y%m%d%H%M%S"
-
-#define PATH_BUFFER 1000 /** @todo */
-
-static int check_certs_dir(void);
-static void co_client_check_certs(int signal);
-static void co_client_init(void);
-static void co_client_main(void);
-static void co_client_quit(int signal);
-static int copy_cert(const char * source,char * destination);
-static int create_client_socket(struct sockaddr_in6 *srv_addr);
-static int is_valid_cert(const char *filename);
-static void print_deny_reason(int reason);
-static int receive_certificate(char **cert);
-static int retrieve_new_cert(void);
-static int request_cert(void);
-static int write_cert_file(char *cert,const char *filename);
-typedef struct co_client_conf
-{
- int retries;
- char srv_hit[INET6_ADDRSTRLEN];
- int port;
- char cert_filename[PATH_BUFFER];
- int check_interval;
- char certs_dir[PATH_BUFFER];
- int save_certs;
-}
-co_client_conf_t;
-
-co_client_conf_t co_client_conf;
-static int running;
-static int sock;
-char last_used_cert[PATH_BUFFER];
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
/**
* Write a certificate to a file.
@@ -82,27 +38,6 @@
}
/**
- * Prints the corresponding deny reason to the given reason number.
- * @param reason Reason number
- */
-static void print_deny_reason(int reason)
-{
- PISA_ERROR("Certificate request denied:\n");
- switch(reason)
- {
- case DENY_HIT_EXPIRED:
- PISA_ERROR("The HIT has expired.\n");
- break;
- case DENY_HIT_NOT_ALLOWED:
- PISA_ERROR("The HIT is not allowed to request certificates.\n");
- break;
- case DENY_UNKNOWN_ERROR:
- PISA_ERROR("An unknown error occurred.\n");
- break;
- }
-}
-
-/**
* Create a UDP socket connected to the server with a receive timeout.
*
* @param srv_addr HIT of the server
@@ -116,57 +51,38 @@
to.tv_sec = 5;
to.tv_usec = 0;
- if ((s = socket(PF_INET6, SOCK_DGRAM, 0)) == 0)
- {
- PISA_ERROR("socket() failed.\n");
- exit(-1);
- }
-
- if (connect(s, (struct sockaddr *)srv_addr,
- sizeof(struct sockaddr_in6)) == -1)
- {
- PISA_ERROR("connect to srv_addr failed.\n");
- exit(-1);
- }
+ if ((s = socket(PF_INET6, SOCK_DGRAM, 0)) == 0) {
+ printf("socket() failed.\n");
+ exit(-1);
+ }
+
+ if (connect(s, (struct sockaddr *)srv_addr,
+ sizeof(struct sockaddr_in6)) == -1) {
+ printf("connect to srv_addr failed.\n");
+ exit(-1);
+ }
- if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &to, sizeof(to)))
- PISA_ERROR("Could not set a receive timeout.\n");
+ if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &to, sizeof(to)))
+ printf("Could not set a receive timeout.\n");
- return s;
+ return s;
}
+static int sock;
+
/**
* Request a certificate from the server using the previously opened socket.
* @todo define protocol
*
- * @return 1 on success, 0 otherwise
+ * @return 0 on success, -1 otherwise
*/
-static int request_cert(void)
+static int sendRequest(void)
{
- int sent;
- co_packet *packet;
- packet = malloc(sizeof(co_packet));
-
- packet->message_type = MESSAGE_CERTIFICATE_REQUEST;
-
- sent = send(sock,packet,sizeof(co_packet),0);
- free(packet);
- if(sent == -1)
- {
- PISA_ERROR("send failed.\n");
-
- return 0;
- }
-
- if (sent!=sizeof(co_packet))
- {
- PISA_ERROR("sent bytes (%i) do not match expected value (%i).\n",
- sent, sizeof(co_packet));
-
- return 0;
- }
-
- return 1;
+ if (send(sock, "blah", 4, 0) != 4) {
+ printf("failed to request the certificate\n");
+ return -1;
+ }
+ return 0;
}
/**
@@ -176,390 +92,69 @@
* @param cert place to store the newly malloced certificate
* @return 0 for success, -1 for permanent failure, -2 for retry
*/
-static int receive_certificate(char **cert)
+static int receiveCertificate(char **cert)
{
- co_packet *packet;
- ssize_t count;
-
- int result;
-
- *cert = NULL;
+ char buffer[10240] = "";
+ ssize_t count;
- packet = malloc(sizeof(co_packet));
+ *cert = NULL;
- if ((count = recv(sock, packet, sizeof(co_packet) , 0)) == -1)
- {
- PISA_ERROR("Receive failed (errno %i): %s\n", errno,
- strerror(errno));
- if (errno == EAGAIN)
- result = -2;
- result = -1;
- }
-
- switch(packet->message_type)
- {
- case MESSAGE_CERTIFICATE_DENY:
- print_deny_reason(packet->message.deny.reason);
- result = -1;
- break;
- case MESSAGE_CERTIFICATE_ACCEPT:
- PISA_INFO("Certificate request approved!\n");
- *cert = strdup(packet->message.cert.cert);
- result = 0;
- break;
- case MESSAGE_ERROR:
- PISA_ERROR("Error(%i):
%s\n",packet->message.error.error_type,packet->message.error.error_message);
- result = -1;
- break;
- default:
- PISA_ERROR("Unknown error occurred.\n");
- result = -2;
- break;
- }
-
- free(packet);
- return result;
-}
-
-
-/**
- * Terminate community-operator client by receiving signal
- * @param signal signal quit code
- */
-static void co_client_quit(int signal)
-{
- running = 0;
- PISA_INFO("Shutting down Community-Operator client...\n");
- pisa_cfg_cleanup();
-}
-
-/**
- * Main loop
- */
-static void co_client_main(void)
-{
- while(running)
- { }
-}
-
-/**
- * Copies cert file to destination.
- * @param source Source filename
- * @param destination Destination filename
- * @return 1 -> success
- * @return 0 -> error
- */
-static int copy_cert(const char * source,char * destination)
-{
- FILE *from,*to;
- char ch;
-
- if((from = fopen(source,"r")) == NULL)
- {
- perror("open");
- return 0;
- }
-
- if((to = fopen(destination, "w")) == NULL)
- {
- perror("open");
- return 0;
- }
-
- while(!feof(from))
- {
- ch = fgetc(from);
- if(ferror(from))
- {
- PISA_ERROR("Error reading source file.\n");
- return 0;
- }
- if(!feof(from))
- fputc(ch, to);
- if(ferror(to))
- {
- PISA_ERROR("Error writing destination file.\n");
- return 0;
- }
- }
-
- if(fclose(from)==EOF)
- {
- PISA_ERROR("Error closing source file.\n");
- return 0;
- }
-
- if(fclose(to)==EOF)
- {
- PISA_ERROR("Error closing destination file.\n");
- return 0;
- }
- return 1;
-}
-
-/**
- * Reads the settings from the config file.
- */
-static void co_client_init(void)
-{
- pisa_cfg_get_string_value("hit", co_client_conf.srv_hit, INET6_ADDRSTRLEN);
- pisa_cfg_get_int_value("port", &co_client_conf.port);
- pisa_cfg_get_int_value("retry", &co_client_conf.retries);
-
pisa_cfg_get_string_value("filename",co_client_conf.cert_filename,PATH_BUFFER);
- pisa_cfg_get_int_value("check_interval",&co_client_conf.check_interval);
-
pisa_cfg_get_string_value("certs_dir",co_client_conf.certs_dir,PATH_BUFFER);
- pisa_cfg_get_bool_value("save_certs",&co_client_conf.save_certs);
-
- /* sanity check configuration values */
- if (co_client_conf.retries < 1)
- co_client_conf.retries = 1;
- if (co_client_conf.retries > 100) /* @todo find reasonable maximum */
- co_client_conf.retries = 100;
-
- if(co_client_conf.check_interval<=0)
- co_client_conf.check_interval = 60;
-}
-
-/**
- * Retrieves new certificates from community-operator server
- * @return 1 -> success
- * @return 0 -> error
- */
-static int retrieve_new_cert(void)
-{
- struct sockaddr_in6 srv_addr = { 0 };
- char *cert = NULL;
- int count;
-
- srv_addr.sin6_family = AF_INET6;
- inet_pton(PF_INET6, co_client_conf.srv_hit, &(srv_addr.sin6_addr));
- srv_addr.sin6_port = htons(co_client_conf.port);
- sock = create_client_socket(&srv_addr);
-
- for (count = 0; count < co_client_conf.retries; count++)
- {
- if (request_cert() == 0)
- break;
- if (receive_certificate(&cert) != -2)
- break;
- }
-
- close(sock);
-
- // Successfully received certificate
- if (cert)
- {
- PISA_INFO("Certificate was successfully retrieved.\n");
-#ifdef CONFIG_PISA_WITH_HIPL
- if(co_client_conf.save_certs)
- {
- struct pisa_cert pc;
- struct tm *ts;
- char buf_before[15];
- char buf_after[15];
- char path[100];
- time_t now;
- char *cert_start;
-
- // Workaround:
- // Because pisa_cert.c seems to be made for a different cert file
format
- cert_start = strstr(cert,"(cert");
- // Create pisa_struct from cert file
- pisa_split_cert(cert_start, &pc);
-
- // Convert dates to format yyyymmddhhmmss
- PISA_DEBUG(PL_GENERIC,"Certificate is valid from:
%s",ctime(&pc.not_before));
- ts = localtime(&pc.not_before);
- strftime(buf_before, sizeof(buf_before), CERT_FILENAME_FORMAT, ts);
- ts = localtime(&pc.not_after);
- PISA_DEBUG(PL_GENERIC,"Certificate expires at:
%s",ctime(&pc.not_after));
- strftime(buf_after, sizeof(buf_after), CERT_FILENAME_FORMAT, ts);
-
- // Create filename notbefore-notaftercert
(yyyymmddhhmmss-yyyymmddhhmmsscert)
- // in co_client_conf.certs_dir
- snprintf((char
*)path,sizeof(path),"%s/%s-%scert",co_client_conf.certs_dir
,buf_before,buf_after);
- write_cert_file(cert, path);
- time(&now);
-
- // Certificate is already valid
- if(difftime(now,pc.not_before)>=0)
- {
- PISA_DEBUG(PL_GENERIC,"Copying to cert location...\n");
- strncpy(last_used_cert,path,PATH_BUFFER);
- write_cert_file(cert,co_client_conf.cert_filename);
- }
- else
- {
- PISA_DEBUG(PL_GENERIC,"Certificate not yet valid.\n");
- }
- free(cert);
- return 1;
- }
-#else
- write_cert_file(cert,co_client_conf.cert_filename);
-#endif
-
- }
- else
- {
- PISA_ERROR("Certificate could not be obtained.\n");
- return 0;
- }
-
- return 1;
-}
-
-/**
- * Checks expiration dates of a cert filename
- * @param filename filename to check
- * @return 1 -> cert is valid
- * @return 0 -> cert not yet valid
- * @return -1 -> cert expired
- */
-static int is_valid_cert(const char *filename)
-{
- struct tm ts_before,ts_after;
- char buf_before[15];
- char buf_after[15];
- time_t now,not_before,not_after;
-
- // Read not-before date
- strncpy(buf_before,filename,14);
- strptime(buf_before,CERT_FILENAME_FORMAT,&ts_before);
-
- // Read not-after date
- strncpy(buf_after,filename+15,14);
- strptime(buf_after,CERT_FILENAME_FORMAT,&ts_after);
-
- time(&now);
- not_before = mktime(&ts_before);
- not_after = mktime(&ts_after);
-
- // Expired
- if(difftime(now,not_after)>0)
- {
- PISA_DEBUG(PL_GENERIC,"Cert: %s expired.\n",filename);
- return -1;
- }
-
- // Not yet valid
- if(difftime(now,not_before)<0)
- {
- PISA_DEBUG(PL_GENERIC,"Cert: %s is not yet valid.\n",filename);
- return 0;
- }
-
- PISA_DEBUG(PL_GENERIC,"Cert: %s is valid.\n",filename);
- return 1;
-}
+ if ((count = recv(sock, buffer, sizeof(buffer) -1, 0)) == -1) {
+ printf("Receive failed (errno %i): %s\n", errno,
+ strerror(errno));
+ if (errno == EAGAIN)
+ return -2;
+ return -1;
+ }
-/**
- * Checks if there is a valid cert in co_client_conf.certs_dir
- * and copies the cert to co_client_conf.filename
- * @return 1 -> a valid cert file existent
- * @return 0 -> no valid cert file found
- */
-static int check_certs_dir(void)
-{
- struct dirent **namelist;
- int n,i,found,result;
- char path[PATH_BUFFER];
-
- found = 0;
- n = scandir(co_client_conf.certs_dir, &namelist, 0, alphasort);
- if (n < 0)
- perror("scandir");
- else
- {
- for(i = 0; i<n && !found; i++)
- {
- // Skip . and ..
- if(strcmp(namelist[i]->d_name,".")!=0 &&
strcmp(namelist[i]->d_name,"..")!=0)
- {
- result = is_valid_cert(namelist[i]->d_name);
- snprintf((char
*)path,sizeof(path),"%s/%s",co_client_conf.certs_dir ,namelist[i]->d_name);
- // Cert expired
- if(result == -1)
- {
- PISA_DEBUG(PL_GENERIC,"Removing cert...\n");
- if(remove(path)!=0)
- {
- perror("Removing cert failed");
- }
- }
- else if(result)
- {
- found = 1;
- if(strcmp(path,last_used_cert)!=0)
- {
- strncpy(last_used_cert,path,PATH_BUFFER);
- PISA_DEBUG(PL_GENERIC,"Found valid cert.\n");
- PISA_DEBUG(PL_GENERIC,"Copying to cert location...\n");
- copy_cert(path,co_client_conf.cert_filename);
- }
- }
- }
- free(namelist[i]);
- }
- free(namelist);
- }
- return found;
-}
+ buffer[count] = 0;
+ if (!strcmp(buffer, "denied")) {
+ printf("Community operator server denied the certificate.\n");
+ return -1;
+ }
-/**
- * Function is called periodically to retrieve new certs if old certs in
co_client_conf.certs_dir expired.
- * @param signal signal code
- */
-static void co_client_check_certs(int signal)
-{
- if(co_client_conf.save_certs)
- {
- PISA_INFO("Checking existing certificates...\n");
- if(!check_certs_dir())
- {
- PISA_INFO("Did not find a valid cert\n");
- PISA_INFO("Requesting new cert...\n");
- retrieve_new_cert();
- }
- alarm(co_client_conf.check_interval);
- }
- else
- {
- retrieve_new_cert();
- }
+ *cert = strdup(buffer);
+ return 0;
}
int main(int argc, char **argv)
{
-
- signal(SIGTERM, co_client_quit);
- signal(SIGINT, co_client_quit);
- signal(SIGQUIT, co_client_quit);
- signal(SIGILL, co_client_quit);
- signal(SIGHUP, co_client_quit);
- signal(SIGPIPE, SIG_IGN);
- signal(SIGBUS, co_client_quit);
- signal(SIGSEGV, co_client_quit);
- signal(SIGALRM, co_client_check_certs);
+ struct sockaddr_in6 srv_addr = { 0 };
+ char *cert = NULL;
+ char srv_hit[1000]; /* @todo */
+ int count, port, retries = 3;
pisa_cfg_setup_file("co_client.cfg");
+ pisa_cfg_get_string_value("hit", srv_hit, 1000);
+ pisa_cfg_get_int_value("port", &port);
+ pisa_cfg_get_int_value("retry", &retries);
+
+ /* sanity check configuration values */
+ if (retries < 1)
+ retries = 1;
+ if (retries > 100) /* @todo find reasonable maximum */
+ retries = 100;
+
+ srv_addr.sin6_family = AF_INET6;
+ inet_pton(PF_INET6, srv_hit, &(srv_addr.sin6_addr));
+ srv_addr.sin6_port = htons(port);
+ sock = createClientSocket(&srv_addr);
+
+ for (count = 0; count < retries; count++) {
+ if (sendRequest() < 0)
+ break;
+ if (receiveCertificate(&cert) != -2)
+ break;
+ }
+
+ if (cert) {
+ writeCertFile(cert, "test-cert");
+ free(cert);
+ printf("Certificate was successfully retrieved.\n");
+ } else
+ printf("Certificate could not be obtained.\n");
- co_client_init();
-
- running = 1;
-
- co_client_check_certs(SIGALRM);
-
- // Only enter infinite loop if we periodically check for valid certs
- if(co_client_conf.save_certs)
- {
- co_client_main();
- }
-
- co_client_quit(0);
-
- exit(EXIT_SUCCESS);
-
- return 0;
-
+ pisa_cfg_cleanup();
+ close(sock);
+ return 0;
}
Modified: trunk/community-operator/co_client.cfg
==============================================================================
--- trunk/community-operator/co_client.cfg Thu Oct 15 13:01:26 2009
(r1156)
+++ trunk/community-operator/co_client.cfg Thu Oct 15 13:17:37 2009
(r1157)
@@ -5,15 +5,5 @@
# How often should we retry if we don't receive an answer before the timeout
retry=3;
-# Saves valid certs to certs_dir and only retrieves new certs if no valid cert
is found.
-# Otherwise, the cert is received directly from server and is written to
"filename"
-save_certs=false;
-
-# Directory to save received certificates
-certs_dir="certs";
-
-# Interval (in seconds) to check certs_dir for expired certificates
-check_interval=60;
-
# should be /etc/hip/cert for deployment
-filename="/etc/hip/cert";
+filename="test.file";
Modified: trunk/community-operator/co_server.c
==============================================================================
--- trunk/community-operator/co_server.c Thu Oct 15 13:01:26 2009
(r1156)
+++ trunk/community-operator/co_server.c Thu Oct 15 13:17:37 2009
(r1157)
@@ -7,35 +7,19 @@
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
-#include <sys/select.h>
-#include <signal.h>
#include "ac_config.h"
#include "global.h"
#include "debug.h"
-#include "co_common_packets.h"
#include "config.h"
#include "hitlist.h"
#include "hipl.h"
-//#define BUFSIZE 10240
+#define BUFSIZE 10240
#define CERT_BUF_SIZE 10240
-#define DEFAULT_NUMBER_OF_PARALLEL_USERS 3
-
-static int running;
static struct in6_addr issuer_hit;
static pisa_hitlist *allowed = NULL;
-static int sock;
-
-
-static int create_server_socket(void);
-static int answer_certificate_query(struct sockaddr_in6 *cl_addr);
-static int handle_certificate_request(struct sockaddr_in6
*socket_addr,co_certificate_request *request);
-static void co_quit(int quitcode);
-static char *get_certificate_for_hit(struct in6_addr *hit,int *reason);
-static int handle_packet(struct sockaddr_in6 *socket_addr, co_packet
*co_packet);
-static int get_number_of_parallel_users(pisa_hitlist_entry *entry);
/**
* Create a socket and port specified in the config file.
@@ -66,34 +50,12 @@
exit(-1);
}
- PISA_INFO("socket created and bound to port %i\n", port);
+ printf("socket created and bound to port %i\n", port);
return s;
}
/**
- * Terminate community-operator server by receiving signal
- * @param signal signal quit code
- */
-static void co_quit(int quitcode)
-{
- switch (quitcode)
- {
- case SIGTERM:
- case SIGINT:
- case SIGQUIT:
- case SIGBUS:
- PISA_INFO("Shutting down Community-Operator Server...\n");
- running = 0;
- break;
-
- case SIGILL:
- case SIGPIPE:
- break;
- }
-}
-
-/**
* Request a certificate for a specified hit, if all requirements are met:
* - HIT must be whitelisted in the allowed HIT list.
* - expiration date for that HIT must not be in the past.
@@ -102,252 +64,124 @@
* date is within that week.
*
* @param hit HIT of the requesting host
- * @param reason Pointer to an int which holds the reason for the deny
* @return pointer to certificate on success, NULL otherwise
*/
-static char *get_certificate_for_hit(struct in6_addr *hit,int *reason)
+static char *getCertificateForHit(struct in6_addr *hit)
{
-
- char *cert;
- time_t not_before, not_after;
- pisa_hitlist_entry*conn;
- int parallel_users;
-
- time(¬_before);
- time(¬_after);
-
- /* certificate for one week */
- not_after += 7 * 24 * 60 * 60;
-
- if (!(conn = pisa_hitlist_find(allowed, hit)))
- {
- *reason = DENY_HIT_NOT_ALLOWED;
- return NULL;
- }
- if (conn->expiration < not_before)
- {
- *reason = DENY_HIT_EXPIRED;
- return NULL;
- }
- if (conn->expiration < not_after)
- {
- not_after = conn->expiration;
- }
-
- parallel_users = get_number_of_parallel_users(conn);
-
- cert = malloc(CERT_BUF_SIZE);
- if (createCertificate(¬_before, ¬_after, hit, &issuer_hit,
parallel_users, cert,
- CERT_BUF_SIZE) != 0)
- {
- free(cert);
- *reason = DENY_UNKNOWN_ERROR;
- return NULL;
- }
-
- return cert;
-}
-
-static int get_number_of_parallel_users(pisa_hitlist_entry *entry)
-{
- config_setting_t *users;
- users =config_setting_get_member(entry->group,"parallel_users");
- if(users!=NULL)
- {
- return config_setting_get_int(users);
- }else
- {
- return DEFAULT_NUMBER_OF_PARALLEL_USERS;
+ char *cert;
+ time_t not_before, not_after;
+ pisa_hitlist_entry *conn;
+
+ time(¬_before);
+ time(¬_after);
+
+ /* certificate for one week */
+ not_after += 7 * 24 * 60 * 60;
+
+ if (!(conn = pisa_hitlist_find(allowed, hit)))
+ return NULL;
+ if (conn->expiration < not_before)
+ return NULL;
+ if (conn->expiration < not_after)
+ not_after = conn->expiration;
+ cert = malloc(CERT_BUF_SIZE);
+ if (createCertificate(¬_before, ¬_after, hit, &issuer_hit, cert,
+ CERT_BUF_SIZE) != 0) {
+ free(cert);
+ return NULL;
}
+ return cert;
}
+static int sock;
/**
* Process a request from a specified client and send back the result
+ * @todo specify protocol
*
* @param cl_addr client that requested the certificate
- * @param number_of_access_points Number of Access-Points the client provides
- * @return 1 -> success; 0 -> error;
*/
static void answerCertificateQuery(struct sockaddr_in6 *cl_addr)
{
- char *cert;
- int sent,reason;
- co_packet *packet;
-
- packet = malloc(sizeof(co_packet));
-
- if (!(cert = get_certificate_for_hit(&cl_addr->sin6_addr,&reason)))
- {
- // Deny request
- packet->message_type = MESSAGE_CERTIFICATE_DENY;
- packet->message.deny.reason = reason;
- }
- else
- {
- // Accept request
- packet->message_type = MESSAGE_CERTIFICATE_ACCEPT;
- strncpy(packet->message.cert.cert,cert,strlen(cert));
- }
-
- sent = sendto(sock,packet,sizeof(co_packet),0,(struct sockaddr *) cl_addr,
- sizeof(struct sockaddr_in6));
- if(sent == -1)
- {
- PISA_ERROR("sendto failed.\n");
- free(cert);
- return 0;
- }
-
- if (sent!=sizeof(co_packet))
- {
- PISA_ERROR("sent bytes (%i) do not match expected value (%i).\n",
- sent, sizeof(co_packet));
- return 0;
- }
- else
- {
- PISA_INFO("the request has been answered.\n");
- return 1;
- }
+ char *cert;
+ int bytes, sent;
+
+ if (!(cert = getCertificateForHit(&cl_addr->sin6_addr))) {
+ cert = strdup("denied");
+ }
+ bytes = strlen(cert);
+
+ if ((sent = sendto(sock, cert, bytes, 0, (struct sockaddr *) cl_addr,
+ sizeof(struct sockaddr_in6))) == -1) {
+ printf("sendto failed.\n");
+ free(cert);
+ return;
+ }
- free(cert);
- free(packet);
+ if (bytes != sent)
+ printf("sent bytes (%i) do not match expected value (%i).\n",
+ sent, bytes);
+ else
+ printf("the request has been answered.\n");
+
+ free(cert);
}
int main(int argc, char **argv)
{
+ int received;
+ size_t addrlen;
+ struct sockaddr_in6 cl_addr = { 0 };
+ char *buf, *addr_string;
+
+ if (getuid() != 0) {
+ printf("You're not root. HIPD won't sign certificates.\n");
+ return -1;
+ }
+
+ buf = malloc(BUFSIZE);
+ addr_string = malloc(INET6_ADDRSTRLEN);
- signal(SIGTERM, co_quit);
- signal(SIGINT, co_quit);
- signal(SIGQUIT, co_quit);
- signal(SIGILL, co_quit);
- signal(SIGPIPE, SIG_IGN);
- signal(SIGBUS, co_quit);
-
- int received;
- size_t addrlen;
- char *addr_string;
- co_packet *packet;
- struct sockaddr_in6 cl_addr = { 0 };
-
-
- if (getuid() != 0)
- {
- PISA_ERROR("You're not root. HIPD won't sign certificates.\n");
- return -1;
- }
-
- running = 1;
-
- packet = malloc(sizeof(co_packet));
- addr_string = malloc(INET6_ADDRSTRLEN);
-
- pisa_cfg_authorized_hosts_setup_file("co_server.cfg");
- pisa_cfg_setup_file("co_server.cfg");
- allowed = pisa_hitlist_build("allowed_hosts");
+ pisa_cfg_setup_file("co_server.cfg");
+ allowed = pisa_hitlist_build("allowed_hosts");
#ifdef CONFIG_PISA_WITH_HIPL
hip_set_logdebug(1); /* disable the debug output from HIPL code */
#endif /* CONFIG_PISA_WITH_HIPL */
+ sock = createServerSocket();
+ getDefaultHIT(&issuer_hit);
- sock = create_server_socket();
-
- getDefaultHIT(&issuer_hit);
-
- PISA_INFO("community operator server ready\n");
- PISA_INFO("\nwaiting for incoming packet...\n");
- while (running)
- {
- fd_set readfds;
- struct timeval select_to;
-
- FD_ZERO(&readfds);
-
- select_to.tv_sec = 1;
- select_to.tv_usec = 0;
-
- FD_SET(sock,&readfds);
-
- if (select(sock + 1, &readfds, NULL, NULL, &select_to) > 0)
- {
- // Receive request
- if(FD_ISSET(sock,&readfds))
- {
- addrlen = sizeof(cl_addr);
- received = recvfrom(sock,packet,sizeof(co_packet),0, (struct
sockaddr *)&cl_addr, &addrlen);
-
- if (received < 0)
- {
- perror("error in recvfrom:");
- continue;
- }
- else if (received == 0)
- continue;
-
- inet_ntop(AF_INET6, &cl_addr.sin6_addr, addr_string,
- INET6_ADDRSTRLEN);
- PISA_DEBUG(PL_GENERIC,"received %i bytes from %s\n", received,
addr_string);
-
- if (pisa_ipv6_addr_is_hit(&cl_addr.sin6_addr))
- {
- PISA_DEBUG(PL_GENERIC,"sender was a HIT, processing
request.\n");
- handle_packet(&cl_addr,packet);
- }
- else
- {
- PISA_DEBUG(PL_GENERIC,"sender was not a HIT, ignoring
request.\n");
- }
-
- PISA_INFO("\nwaiting for incoming packet...\n");
- }
- }
- }
-
- pisa_hitlist_destroy(allowed);
- pisa_cfg_cleanup();
- pisa_cfg_authorized_hosts_cleanup();
- free(packet);
- free(addr_string);
- close(sock);
-
- return 0;
-}
-
-/**
- * This function handles any packet received.
- *
- * @param socket_addr IP address where the packet was received
- * @param co_packet A pointer to a co_packet_t structure
- *
- * @return 1 if successfully handled; 0 if packet unrecognized
- */
-static int handle_packet(struct sockaddr_in6 *socket_addr, co_packet *packet)
-{
- int result;
-
- assert(socket_addr != NULL);
- assert(packet != NULL);
+ printf("community operator server ready\n");
- switch (packet->message_type)
- {
- case MESSAGE_CERTIFICATE_REQUEST:
- result =
handle_certificate_request(socket_addr,&(packet->message.request));
- break;
- case MESSAGE_ERROR:
- PISA_ERROR("Error: %i\n",packet->message.error.error_type);
- result = 0;
- break;
- default:
- result = 0;
- break;
- }
+ while (1) {
+ printf("\nwaiting for incoming packet...\n");
+ addrlen = sizeof(cl_addr);
+ received = recvfrom(sock, buf, BUFSIZE, 0,
+ (struct sockaddr *)&cl_addr, &addrlen);
+
+ if (received < 0) {
+ perror("error in recvfrom:");
+ continue;
+ } else if (received == 0)
+ continue;
+
+ inet_ntop(AF_INET6, &cl_addr.sin6_addr, addr_string,
+ INET6_ADDRSTRLEN);
+ printf("received %i bytes from %s\n", received, addr_string);
+
+ if (pisa_ipv6_addr_is_hit(&cl_addr.sin6_addr)) {
+ printf("sender was a HIT, processing request.\n");
+ answerCertificateQuery(&cl_addr);
+ } else {
+ printf("sender was not a HIT, ignoring request.\n");
+ }
+ }
- return result;
-}
+ pisa_hitlist_destroy(allowed);
+ configCleanup();
+ close(sock);
+ free(buf);
+ free(addr_string);
-static int handle_certificate_request(struct sockaddr_in6
*socket_addr,co_certificate_request *request)
-{
- return answer_certificate_query(socket_addr);
+ return 0;
}
-
Modified: trunk/community-operator/hipl.c
==============================================================================
--- trunk/community-operator/hipl.c Thu Oct 15 13:01:26 2009 (r1156)
+++ trunk/community-operator/hipl.c Thu Oct 15 13:17:37 2009 (r1157)
@@ -14,15 +14,9 @@
#include <string.h>
#include <netinet/in.h>
-#ifdef HIPL_CERTIFICATE_CHANGES
-int createCertificate(time_t *not_before, time_t *not_after,
- struct in6_addr *hit, struct in6_addr *issuer_hit,
- int parallel_users, char *certificate, size_t size)
-#else
int createCertificate(time_t *not_before, time_t *not_after,
struct in6_addr *hit, struct in6_addr *issuer_hit,
char *certificate, size_t size)
-#endif
{
#ifdef CONFIG_PISA_WITH_HIPL
struct hip_cert_spki_info cert = { 0 };
@@ -32,13 +26,8 @@
return -1;
}
-#ifdef HIPL_CERTIFICATE_CHANGES
hip_cert_spki_create_cert(&cert, "hit", issuer_hit, "hit", hit,
not_before, not_after);
-#else
- hip_cert_spki_create_cert(&cert, "hit", issuer_hit, "hit", hit,
- not_before, not_after, parallel_users);
-#endif
snprintf(certificate, size, "(sequence %s%s%s)", cert.public_key,
cert.cert, cert.signature);
Modified: trunk/community-operator/hipl.h
==============================================================================
--- trunk/community-operator/hipl.h Thu Oct 15 13:01:26 2009 (r1156)
+++ trunk/community-operator/hipl.h Thu Oct 15 13:17:37 2009 (r1157)
@@ -7,27 +7,9 @@
#define PISA_HIPL_H
#include <time.h>
+#include <string.h>
#include <netinet/in.h>
-#ifdef HIPL_CERTIFICATE_CHANGES
-/**
- * Create the certificate with the given parameters. This is a wrapper
- * function for hip_cert_spki_create_cert. It requires a running hipd on
- * the same machine and superuser privileges.
- *
- * @param not_before start of certificate lifetime
- * @param not_after end of certificate lifetime
- * @param hit HIT of subject (the home router HIT)
- * @param issuer_hit HIT of issuer (the community operator HIT)
- * @param certificate buffer to store the resulting certificate in
- * @param size size of the certificate buffer
- * @param parallel_users The number of allowed parallel users
- * @return 0 on success
- */
-int createCertificate(time_t *not_before, time_t *not_after,
- struct in6_addr *hit, struct in6_addr *issuer_hit,
- int parallel_users, char *certificate, size_t size);
-#else
/**
* Create the certificate with the given parameters. This is a wrapper
* function for hip_cert_spki_create_cert. It requires a running hipd on
@@ -44,7 +26,7 @@
int createCertificate(time_t *not_before, time_t *not_after,
struct in6_addr *hit, struct in6_addr *issuer_hit,
char *certificate, size_t size);
-#endif
+
/**
* Get the default hit of the local HIPD. Requires a running hipd on the same
* machine. Sends a query to hipd and expects the default HIT to be returned.
Other related posts:
- » [pisa-src] r1157 - in trunk/community-operator: Makefile.am co_client.c co_client.cfg co_common_packets.h co_server.c hipl.c hipl.h - Diego Biurrun
