1.注册maat延迟删除接口keyring_table_new_cb等

2.增加读取本地默认证书开关,
开启:读取本地根证书
关闭:keyring_id为0本地非可信根证书,keyring_id为1本地可信根证书

3.将valid标志写入redis-key中
This commit is contained in:
fengweihao
2019-05-24 15:09:34 +08:00
parent f6b42ceed5
commit 82840b59d9
9 changed files with 325 additions and 273 deletions


@@ -10,6 +10,7 @@ thread-nu = 4
#Local default root certificate is valid for 30 days by default
expire_after = 30
#Local default root certificate path
local_debug = 0
ca_path = ../ca/mesalab-ca.pem
untrusted_ca_path = ../ca/mesalab-ca-untrust.pem
[NTC_MAAT]
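Review bot: The comment `#Local default root certificate path` now sits directly above the new `local_debug = 0` key rather than above `ca_path`, so the new switch is undocumented and the path comment is detached from the keys it describes. From the C changes in this commit, `local_debug` decides whether the local CA files below are loaded at all; otherwise the roots come from keyring ids 0 and 1 of the PXY_OBJ_KEYRING table. I would add `#Load the local default CA files below at startup (1); with 0 the roots come from keyring id 0 (untrusted) and 1 (trusted) in PXY_OBJ_KEYRING` above `local_debug = 0` and keep the existing path comment immediately above `ca_path`.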


@@ -73,15 +73,11 @@
{
"table_name": "PXY_OBJ_KEYRING",
"table_content": [
"1\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\thttp://www.test.com\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
"2\t1\tname_02\troot\t/test/01\t/test/01\t90\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
"3\t1\tname_03\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
"4\t1\tname_04\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
"5\t1\tname_05\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
"6\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test01.p12",
"9\t1\tname_06\tend-entity\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test02.p12",
"8\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test02.p12",
"256\t1\tinsec\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-insec-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-insec-cert.cer"
"0\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\tURI:http://www.test.com\t1\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca-untrust.pem\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca-untrust.pem",
"1\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\tURI:http://www.test.com\t1\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca.pem",
"363\t1\tname_02\troot\t/test/01\t/test/01\t90\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-trust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-trust-ca.pem",
"364\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t /home/fengweihao/workspace/cert_store/test_data/tango-v2.key\t/home/fengweihao/workspace/cert_store/test_data/tango-v2.p12",
"365\t1\tname_06\tend-entity\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/test_data/sina.key\t/home/fengweihao/workspace/cert_store/test_data/sina.p12"
]
}
]


@@ -17,4 +17,4 @@
#id name type src_charset dst_charset do_merge cross_cache quick_mode
1 COMPILE compile
2 GROUP group
3 PXY_OBJ_KEYRING plugin {"valid":10,"foreign":"11,12"}
3 PXY_OBJ_KEYRING plugin {"key":1,"valid":11,"foreign":"11,12"}
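Review bot: The `valid` column index moves from 10 to 11 here, but keyring_table_new_cb in this commit still reads the is_valid flag as the tenth tab-separated field, followed by the private-key and certificate paths as fields eleven and twelve. I could not reconcile the two numbering schemes from what is visible: the new `"key":1` suggests 1-based counting, under which column 11 is the private-key path, not the flag. Please confirm which column Maat treats as the validity flag, and consider extending the header comment on this file to name the numbering, e.g. `#key/valid are 1-based column indexes into the table line`.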


@@ -24,7 +24,6 @@ struct config_bucket_t certConfig = {
.ca_path = "./cert/mesalab-ca.pem",
.uninsec_path = "./cert/mesalab-ca-untrust.pem",
.addr_t = {9995, 6379, "0.0.0.0", 0, 6379, "0.0.0.0"},
.keyring = {0, 0, NULL, NULL},
};
struct config_bucket_t *cert_default_config()
@@ -55,6 +54,12 @@ static int load_system_config(char *config)
goto finish;
}
xret = MESA_load_profile_uint_nodef(config, "CONFIG", "local_debug", &(rte->local_debug));
if (xret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of local_debug failed");
}
xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128);
if (xret <0 && rt_file_exsit(rte->uninsec_path)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist",
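Review bot: The new `local_debug` read logs at RLOG_LV_FATAL but execution continues, and nothing assigns `rte->local_debug` when the key is absent, so the effective value silently depends on the `certConfig` initializer (which does not name it, so it is zero). Because this switch decides whether the local CA private keys are loaded at all, the fail-safe should be explicit rather than implicit: `if (xret < 0) { rte->local_debug = 0; mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "local_debug not set, defaulting to 0 (local default CA not loaded)"); }`. A FATAL-level message for an optional key is also misleading when the process carries on. load_system_config continues past the end of this hunk.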


@@ -15,8 +15,13 @@
#include <x509.h>
#include <evp.h>
#include "moodycamel_maat_rule.h"
#include "MESA_htable.h"
#define CT_PATH_MAX 256
#define CT_ARRARY_LEN (CT_PATH_MAX/2)
#define CT_STRING_MAX 1024
struct request_t{
#define DATALEN 128
int thread_id;
@@ -30,27 +35,18 @@ struct request_t{
};
struct pxy_obj_keyring{
int id;
int service;
int keyring_id;
char keyring_type[CT_ARRARY_LEN];
uint64_t expire_after;
char public_algo[CT_STRING_MAX];
char v3_ctl[CT_STRING_MAX];
char finger[EVP_MAX_MD_SIZE];
EVP_PKEY *key;
X509 *root;
char digest[EVP_MAX_MD_SIZE];
char name[128];
char type[128];
char ctl[512];
char public_algo[256];
uint64_t expire_after;
int is_valid;
STACK_OF(X509) *stack_ca;
};
struct key_ring_list
{
int updata_type;
uint64_t sum_cnt;
MESA_htable_handle htable, oldhtable;
};
struct _initer_addr_t{
uint16_t e_port; /*libevent prot*/
uint16_t maat_port; /*maat redis port*/
@@ -71,13 +67,15 @@ struct ntc_maat_t{
};
struct config_bucket_t{
Maat_feather_t feather;
int table_id;
unsigned int local_debug;
unsigned int thread_nu;
unsigned int expire_after;
char ca_path[128];
char uninsec_path[128];
struct ntc_maat_t maat_t;
struct _initer_addr_t addr_t;
struct key_ring_list keyring;
};
extern struct config_bucket_t *cert_default_config();
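Review bot: `finger[EVP_MAX_MD_SIZE]` in pxy_obj_keyring receives the hex-encoded fingerprint written by x509_get_fingerprint (two characters per digest byte plus a terminator), but it is sized for raw digest bytes; it only fits today because the digest is SHA-1 (40 hex characters into 64), and switching to a longer hash would overflow the object. I would size it `char finger[EVP_MAX_MD_SIZE * 2 + 1]; /* hex fingerprint of root */`. The `id` and `service` members are no longer written by the parser in this commit (it fills `keyring_id` and a local `service`), so they are dead fields worth removing or marking. The new `table_id` in config_bucket_t also lacks a comment; `/* Maat table id of PXY_OBJ_KEYRING, set by maat_table_ex_init */` would match what the code does.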


@@ -57,9 +57,6 @@
#define LOCAL_USER_DER 2
#define LOCAL_USER_P12 3
#define MESALAB_INSEC_CERT "mesalab-insec-cert.cer"
#define MESALAB_INSEC_KEY "mesalab-insec-cert.key"
#define CM_UPDATE_TYPE_FULL 1
#define CM_UPDATE_TYPE_INC 2
@@ -93,41 +90,6 @@ void disconnectCallback(const struct redisAsyncContext *c, int status) {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Redis server disconnected...");
}
static int
MESA_internal_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned value)
{
int ret = MESA_htable_set_opt(table, opt_type, &value, (int)(sizeof(value)));
return ret;
}
static MESA_htable_handle
key_ring_list_create()
{
int ret = 0;
MESA_htable_handle *htable = NULL;
htable = MESA_htable_born();
assert(htable != NULL);
MESA_internal_htable_set_opt(htable, MHO_SCREEN_PRINT_CTRL, 0);
MESA_internal_htable_set_opt(htable, MHO_THREAD_SAFE, 1);
MESA_internal_htable_set_opt(htable, MHO_MUTEX_NUM, 16);
MESA_internal_htable_set_opt(htable, MHO_HASH_SLOT_SIZE, 1024);
MESA_internal_htable_set_opt(htable, MHO_HASH_MAX_ELEMENT_NUM, 2048);
MESA_internal_htable_set_opt(htable, MHO_EXPIRE_TIME, 0);
MESA_internal_htable_set_opt(htable, MHO_ELIMIMINATE_TYPE,
HASH_ELIMINATE_ALGO_LRU);
ret = MESA_htable_mature(htable);
if(ret != 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "MESA htable mature running error!");
goto finish;
}
finish:
return htable;
}
void x509_get_private_key(EVP_PKEY *pkey, char *pubkey)
{
BIO *bp = NULL;
@@ -1045,57 +1007,85 @@ end:
return xret;
}
static struct pxy_obj_keyring* get_obj_for_id(int keyring_id)
{
#define KEY_LEN 16
struct pxy_obj_keyring *pxy_obj=NULL;
struct config_bucket_t *rte = cert_default_config();
char cfg_id_str[KEY_LEN] = {0};
snprintf(cfg_id_str, KEY_LEN, "%d", keyring_id);
int tables_id = rte->table_id;
pxy_obj = (struct pxy_obj_keyring*)maat_plugin_get_EX_data(rte->feather, tables_id, (const char*)cfg_id_str);
if(pxy_obj==NULL)
{
goto finish;
}
finish:
return pxy_obj;
}
static int x509_online_append(struct x509_object_ctx *def, struct request_t *request,
char **root, char **sign, char *pkey,
STACK_OF(X509) **stack_ca, int *verify)
{
void *odata = NULL;
X509* x509 = NULL;
int is_valid = request->is_valid;
int keyring_id = request->keyring_id;
int _expire = 0; char *_crl = NULL;
char *serial = NULL;
X509 *_root = NULL; EVP_PKEY *_key = NULL;
struct key_ring_list *keyring = &cert_default_config()->keyring;
if (keyring->htable == NULL){
_root = (is_valid == 1) ? def->root : def->insec_root;
_key = (is_valid == 1) ? def->key : def->insec_key;
_expire = cert_default_config()->expire_after;
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "The approval certificate chain is empty");
goto modify;
}
struct config_bucket_t *rte = cert_default_config();
odata = MESA_htable_search(keyring->htable, (const uchar *)&(request->keyring_id), sizeof(int));
if ( !odata ){
_root = (is_valid == 1) ? def->root : def->insec_root;
_key = (is_valid == 1) ? def->key : def->insec_key;
_expire = cert_default_config()->expire_after;
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Sing certificates using local default certificates");
} else {
struct pxy_obj_keyring *pxy_obj = (struct pxy_obj_keyring *)odata;
if (pxy_obj->is_valid != 1){
pxy_obj->root = def->root;
pxy_obj->key = def->key;
}else{
if (!STRCMP(pxy_obj->type, "end-entity")){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is an entity certificate",
pxy_obj->id);
*stack_ca = pxy_obj->stack_ca;
x509_get_msg_from_ca(pxy_obj->root, sign);
x509_get_private_key(pxy_obj->key, pkey);
goto finish;
if (is_valid == 0 && keyring_id != 0) keyring_id = 0;
if (is_valid == 1 && keyring_id == 0) keyring_id = 1;
struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id);
if (NULL == pxy_obj)
{
if (!rte->local_debug)
{
if (1==is_valid)
{
pxy_obj = get_obj_for_id(1);
}
if (!STRCMP(pxy_obj->type, "intermediate")){
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is intermediate, chain address %p",
pxy_obj->id, pxy_obj->stack_ca);
*stack_ca = pxy_obj->stack_ca;
if (0==is_valid)
{
pxy_obj = get_obj_for_id(0);
}
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Certificate issued by table id %d", keyring_id);
}
else
{
_root = (is_valid == 1) ? def->root : def->insec_root;
_key = (is_valid == 1) ? def->key : def->insec_key;
_expire = cert_default_config()->expire_after;
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Certificate issued by local cert");
goto modify;
}
_root = (is_valid == 1) ? pxy_obj->root : def->insec_root;
_key = (is_valid == 1) ? pxy_obj->key : def->insec_key;
_expire = pxy_obj->expire_after;
_crl = pxy_obj->ctl;
}
if (!STRCMP(pxy_obj->keyring_type, "end-entity"))
{
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is an entity certificate",
keyring_id);
*stack_ca = pxy_obj->stack_ca;
x509_get_msg_from_ca(pxy_obj->root, sign);
x509_get_private_key(pxy_obj->key, pkey);
goto finish;
}
if (!STRCMP(pxy_obj->keyring_type, "intermediate"))
{
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is intermediate, chain address %p",
keyring_id, pxy_obj->stack_ca);
*stack_ca = pxy_obj->stack_ca;
}
_root = pxy_obj->root;
_key = pxy_obj->key;
_expire = pxy_obj->expire_after;
_crl = pxy_obj->v3_ctl;
modify:
x509 = x509_modify_by_cert(_root, _key, request->origin, pkey,
_expire, request->sni, _crl);
@@ -1108,7 +1098,8 @@ modify:
OPENSSL_free(serial);
*verify = x509_check_chain(*stack_ca, _root, x509);
if (*verify != 1){
if (*verify != 1)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certificate chain match failed");
}
x509_get_msg_from_ca(x509, sign);
@@ -1557,9 +1548,8 @@ finish:
}
static int
x509_get_rkey(X509 *origin, int keyring_id, char *rkey)
x509_get_rkey(X509 *origin, int keyring_id, char *rkey, int is_valid)
{
void *odata = NULL;
unsigned int len = 0, i = 0;
char hex[EVP_MAX_MD_SIZE] = {0};
unsigned char fdig[EVP_MAX_MD_SIZE] = {0};
@@ -1568,17 +1558,17 @@ x509_get_rkey(X509 *origin, int keyring_id, char *rkey)
for (i = 0; i < len ; ++i){
sprintf(hex + i * sizeof(unsigned char) * 2, "%02x", fdig[i]);
}
struct key_ring_list *keyring = &cert_default_config()->keyring;
if (keyring->htable != NULL){
odata = MESA_htable_search(keyring->htable, (const uchar *)&(keyring_id), sizeof(int));
if (odata){
struct pxy_obj_keyring *pxy_obj = (struct pxy_obj_keyring *)odata;
/** keyrind_id is 0, sign x509 by default */
/** 0 uninsec, 1 insec*/
if (is_valid && keyring_id == 0) keyring_id = 1;
snprintf(rkey, DATALEN, "%d:%s:%s", keyring_id, hex, pxy_obj->digest);
goto finish;
}
struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id);
if (pxy_obj != NULL)
{
snprintf(rkey, DATALEN, "%d:%s:%s:%d", keyring_id, hex, pxy_obj->finger, is_valid);
goto finish;
}
snprintf(rkey, DATALEN, "%d:%s", keyring_id, hex);
snprintf(rkey, DATALEN, "%d:%s:%d", keyring_id, hex, is_valid);
finish:
return 0;
}
@@ -1629,14 +1619,14 @@ pthread_work_proc(struct evhttp_request *evh_req, void *arg)
goto error;
}
x509_get_rkey(request->origin, request->keyring_id, request->rkey);
x509_get_rkey(request->origin, request->keyring_id, request->rkey, request->is_valid);
if (request->rkey[0] == '\0'){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get the redis key from the certificate failed");
goto error;
}
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Redis key is %s", request->rkey);
if (info->cl_ctx->err != 0 || request->is_valid == 0){
if (info->cl_ctx->err != 0){
xret = redis_clnt_pdu_send(request, NULL);
if (xret < 0)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Local sign certificate failed");
@@ -1696,20 +1686,22 @@ task_private_init(struct event_base *base, libevent_thread *info)
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Initialize the sync redis connection is failure");
}
/* Initialize the X509 CA*/
xret = x509_privatekey_init(config->ca_path, &info->def.key, &info->def.root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
goto finish;
}
if (config->local_debug)
{
/* Initialize the X509 CA*/
xret = x509_privatekey_init(config->ca_path, &info->def.key, &info->def.root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate");
goto finish;
}
/* Initialize the insec CA*/
xret = x509_privatekey_init(config->uninsec_path, &info->def.insec_key, &info->def.insec_root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
goto finish;
/* Initialize the insec CA*/
xret = x509_privatekey_init(config->uninsec_path, &info->def.insec_key, &info->def.insec_root);
if (xret < 0 || !(info->def.key) || !(info->def.root)){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate");
goto finish;
}
}
finish:
return xret;
}
@@ -1940,8 +1932,6 @@ void sigproc(int __attribute__((__unused__))sig)
redisFree(thread->sync);
}
event_base_free(thread->base);
key_ring_list_destroy(&(rte->keyring.htable));
key_ring_list_destroy(&(rte->keyring.oldhtable));
}
kfree(threads);
@@ -1992,135 +1982,109 @@ static int mesa_fiel_stat_init()
return 0;
}
void Maat_read_entry_start_cb(int update_type, void* u_para)
{
struct key_ring_list *keyring = (struct key_ring_list *)u_para;
if (update_type != CM_UPDATE_TYPE_FULL){
keyring->updata_type = 2;
if (!keyring->oldhtable){
keyring->oldhtable = key_ring_list_create();
keyring->sum_cnt = 0;
keyring->updata_type = 1;
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The initial key ring list was successful, addr is %p",
keyring->oldhtable);
}
goto finish;
}
if (keyring->oldhtable)
key_ring_list_destroy(&(keyring->oldhtable));
/*Keyring list initialization **/
keyring->oldhtable = key_ring_list_create();
keyring->sum_cnt = 0;
keyring->updata_type = 1;
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The initial key ring list was successful, addr is %p",
keyring->oldhtable);
finish:
return;
}
static void
x509_get_fingerprint(X509 *x509, char *digest)
x509_get_fingerprint(X509 *x509, char *finger)
{
int xret = -1;
unsigned int len = 0, i = 0;
unsigned char fdig[EVP_MAX_MD_SIZE] = {0};
X509_digest(x509, EVP_sha1(), fdig, &len);
xret = X509_digest(x509, EVP_sha1(), fdig, &len);
if (xret != 1)
goto finish;
for (i = 0; i < len ; ++i){
sprintf(digest + i * sizeof(unsigned char) * 2, "%02x", fdig[i]);
sprintf(finger + i * sizeof(unsigned char) * 2, "%02x", fdig[i]);
}
finish:
return;
}
static void
Maat_read_entry_cb(int __attribute__((__unused__))table_id, const char* table_line,
void *u_para)
void keyring_table_new_cb(int __attribute__((__unused__))table_id, const char __attribute__((__unused__))*key,
const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__))argl, void __attribute__((__unused__))* argp)
{
int xret = 0;
struct pxy_obj_keyring *pxy_obj = NULL;
MESA_htable_handle htable = NULL;
char __attribute__((__unused__))_priv_file[512] = {0};
char __attribute__((__unused__))_publi_file[512] = {0};
char private_file[512] = {0}, public_file[512] = {0};
char profile_name[CT_ARRARY_LEN]={0};
char private_file[CT_STRING_MAX] = {0}, public_file[CT_STRING_MAX]={0};
char __attribute__((__unused__))_priv_file[CT_PATH_MAX] = {0};
char __attribute__((__unused__))_publi_file[CT_PATH_MAX] = {0};
int service = 0, ret=0;
struct key_ring_list *keyring = (struct key_ring_list *)u_para;
struct pxy_obj_keyring *pxy_obj = NULL;
pxy_obj = (struct pxy_obj_keyring *)malloc(sizeof(struct pxy_obj_keyring));
if (!pxy_obj){
if (!pxy_obj)
{
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Can not alloc, %s", strerror(errno));
goto finish;
}
memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring));
if (keyring->updata_type == CM_UPDATE_TYPE_FULL){
htable = keyring->oldhtable;
}else{
htable = keyring->htable;
}
sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%s\t%s", &pxy_obj->id, &pxy_obj->service, pxy_obj->name,
pxy_obj->type, _priv_file, _publi_file, &pxy_obj->expire_after, pxy_obj->public_algo,
pxy_obj->ctl, &pxy_obj->is_valid, private_file, public_file);
if (pxy_obj->is_valid){
xret = x509_privatekey_init2(private_file, public_file, &pxy_obj->key, &pxy_obj->root, &pxy_obj->stack_ca);
if (xret < 0 || !pxy_obj->key || !pxy_obj->root){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate, the keyring id is %d",
pxy_obj->id);
goto finish;
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
pxy_obj->id);
x509_get_fingerprint(pxy_obj->root, pxy_obj->digest);
MESA_htable_add(htable, (const uchar *)(&(pxy_obj->id)), sizeof(int), pxy_obj);
keyring->sum_cnt++;
}else{
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Unapprove keyring id is %d",
pxy_obj->id);
MESA_htable_del(htable, (const uchar *)(&(pxy_obj->id)), sizeof(int), key_ring_free);
ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%s\t%s", &pxy_obj->keyring_id, &service, profile_name,
pxy_obj->keyring_type, _priv_file, _publi_file, &pxy_obj->expire_after, pxy_obj->public_algo,
pxy_obj->v3_ctl, &pxy_obj->is_valid, private_file, public_file);
if(ret!=12)
{
kfree(&pxy_obj);
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore parse config failed: %s", table_line);
goto finish;
}
ret = x509_privatekey_init2(private_file, public_file, &pxy_obj->key, &pxy_obj->root, &pxy_obj->stack_ca);
if (ret < 0 || !pxy_obj->key || !pxy_obj->root){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 certificate failed, the keyring id is %d",
pxy_obj->keyring_id);
goto finish;
}
mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d",
pxy_obj->keyring_id);
x509_get_fingerprint(pxy_obj->root, pxy_obj->finger);
*ad = pxy_obj;
finish:
return;
}
void Maat_read_entry_finish_cb(void* u_para)
void keyring_table_dup_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from,
long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
{
MESA_htable_handle tmphtable = NULL;
struct key_ring_list *keyring = (struct key_ring_list *)u_para;
if (keyring->updata_type == CM_UPDATE_TYPE_FULL){
tmphtable = keyring->htable;
keyring->htable = keyring->oldhtable;
keyring->oldhtable = tmphtable;
}
return;
struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*from);
*to=pxy_obj;
}
int sample_plugin_table(Maat_feather_t feather,const char* table_name,
Maat_start_callback_t *start,Maat_update_callback_t *update,Maat_finish_callback_t *finish,
void *u_para,
void __attribute__((__unused__))*logger)
void keyring_table_free_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA* ad,
long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp)
{
int table_id = 0,ret = 0;
table_id = Maat_inter_table_register(feather, table_name);
if(table_id == -1){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Database table %s register failed.",table_name);
}else{
ret = Maat_inter_table_callback_register(feather, table_id, start,
update, finish, u_para);
if(ret < 0){
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat callback register table %s error.",table_name);
}
}
struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*ad);
X509_free(pxy_obj->root);
EVP_PKEY_free(pxy_obj->key);
kfree(&pxy_obj);
*ad=NULL;
}
return ret;
int maat_table_ex_init(const char* table_name,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func)
{
int table_id = 0;
struct config_bucket_t *rte = cert_default_config();
table_id= rte->table_id = maat_table_register(rte->feather, table_name);
if(table_id<0)
{
goto finish;
}
table_id=maat_plugin_EX_register(rte->feather,
table_id,
new_func,free_func,
dup_func,NULL,0,NULL);
finish:
return table_id;
}
int maat_feather_init()
{
int ret = -1;
Maat_feather_t feather = NULL;
int scan_interval_ms = 1000;
@@ -2129,36 +2093,44 @@ int maat_feather_init()
int effective_interval_ms = maat_t->effective_interval_s * 1000;
feather = Maat_inter_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle);
feather = maat_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle);
Maat_inter_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1);
if (maat_t->maat_json_switch == 1){
Maat_inter_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1);
maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1);
}
if (maat_t->maat_json_switch == 0){
Maat_inter_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1);
Maat_inter_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1);
maat_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1);
maat_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1);
}
if (maat_t->maat_json_switch == 2){
Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1);
Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port));
Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex));
maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1);
maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port));
maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex));
}
Maat_inter_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
Maat_inter_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
maat_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms));
maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms));
/***/
const char* foregin_dir="./foreign_files/";
Maat_inter_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1);
Maat_inter_initiate_feather(feather);
maat_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1);
ret = maat_initiate_feather(feather);
if (ret < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
}
rte->feather = feather;
int table_id = maat_table_ex_init("PXY_OBJ_KEYRING",
keyring_table_new_cb,
keyring_table_free_cb,
keyring_table_dup_cb);
if(table_id<0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_OBJ_KEYRING failed");
}
sample_plugin_table(feather, "PXY_OBJ_KEYRING",
Maat_read_entry_start_cb,
Maat_read_entry_cb,
Maat_read_entry_finish_cb,
&rte->keyring,
NULL);
return 0;
}
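Review bot: In x509_online_append, when `local_debug` is off and get_obj_for_id() returns NULL, the fallback re-lookup of id 1 or 0 can still return NULL if the table has no such row, and the code then falls through to `pxy_obj->keyring_type` and `pxy_obj->root` — a NULL dereference on the certificate-signing path. Add a guard after the fallback block: `if (NULL == pxy_obj) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "No keyring entry for id %d", keyring_id); goto finish; }` — the function's finish label lies outside the hunk, so confirm it returns an error in that state. Separately, keyring_table_new_cb parses the table line with unbounded `%s` conversions into fixed buffers (keyring_type is CT_ARRARY_LEN, the paths CT_STRING_MAX), so an over-long field overwrites the heap object or the stack; use width-limited conversions such as `%127s` and `%1023s`. On the x509_privatekey_init2 failure path the allocated pxy_obj is leaked (only the `ret!=12` path frees it), and keyring_table_free_cb never releases `stack_ca`.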


@@ -1,12 +1,12 @@
/*
*****************Maat Network Flow Rule Manage Framework********
*****************Maat Deep Packet Inspection Policy Framework********
* Maat is the Goddess of truth and justice in ancient Egyptian concept.
* Her feather was the measure that determined whether the souls (considered
* to reside in the heart) of the departed would reach the paradise of afterlife
* successfully.
* Author: zhengchao@iie.ac.cn,MESA
* Version 2018-09-25 foreign key and rule tags.
* Author: zhengchao@iie.ac.cn, MESA
* Version 2018-12-07 Plugin Extra Data.
* NOTE: MUST compile with G++
* All right reserved by Institute of Infomation Engineering,Chinese Academic of Science 2014~2018
*********************************************************
@@ -16,7 +16,7 @@
#ifndef __cplusplus
#error("This file should be compiled with C++ compiler")
#endif
#include "stream.h"
#include <MESA/stream.h>
enum MAAT_CHARSET
{
CHARSET_NONE=0,
@@ -159,14 +159,15 @@ enum MAAT_INIT_OPT
MAAT_OPT_ENABLE_UPDATE, //VALUE is interger, SIZE=sizeof(int). 1: Enabled, 0:Disabled. DEFAULT: Backgroud update is enabled. Runtime setting is allowed.
MAAT_OPT_ACCEPT_TAGS, //VALUE is a const char*, MUST end with '\0', SIZE= strlen(string+'\0')+1. Format is a JSON, e.g.{"tags":[{"tag":"location","value":"Beijing/ChaoYang/Huayan/22A"},{"tag":"isp","value":"telecom"}]}
MAAT_OPT_FOREIGN_CONT_DIR, //VALUE is a const char*, MUST end with '\0', SIZE= strlen(string+'\0')+1. Specifies a local diretory to store foreign content. Default: []table_info_path]_files
MAAT_OPT_FOREIGN_CONT_LINGER //VALUE is interger *, SIZE=sizeof(int). Greater than 0: delete after VALUE seconds; 0: delete foreign content right after the notification callbacks; Less than 0: NEVER delete. Default: 0.
};
MAAT_OPT_FOREIGN_CONT_LINGER //VALUE is interger *, SIZE=sizeof(int). Greater than 0: delete after VALUE seconds; 0: delete foreign content right after the notification callbacks; Less than 0: NEVER delete. Default: 0.
};
//return -1 if failed, return 0 on success;
int Maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
enum MAAT_STATE_OPT
{
MAAT_STATE_VERSION=1, //Get current maat version. VALUE is long long, SIZE=sizeof(long long).
MAAT_STATE_LAST_UPDATING_TABLE //Query at Maat_finish_callback_t to determine whether this table is the last one to update. VALUE is interger, SIZE=sizeof(int), 1:yes, 0: no
MAAT_STATE_VERSION=1, //Get current maat version, if maat is in update progress, the updating version is returned. VALUE is long long, SIZE=sizeof(long long).
MAAT_STATE_LAST_UPDATING_TABLE, //Query at Maat_finish_callback_t to determine whether this table is the last one to update. VALUE is interger, SIZE=sizeof(int), 1:yes, 0: no
MAAT_STATE_IN_UPDATING
};
int Maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size);
@@ -181,6 +182,7 @@ int Maat_table_callback_register(Maat_feather_t feather,short table_id,
Maat_finish_callback_t *finish,//u_para
void* u_para);
enum MAAT_SCAN_OPT
{
MAAT_SET_SCAN_DISTRICT=1, //VALUE is a const char*,SIZE= strlen(string).DEFAULT: no default.
@@ -238,6 +240,46 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id
,scan_status_t* mid,int thread_num);
void Maat_clean_status(scan_status_t* mid);
typedef void* MAAT_RULE_EX_DATA;
// The idx parameter is the index: this will be the same value returned by Maat_rule_get_ex_new_index() when the functions were initially registered.
// Finally the argl and argp parameters are the values originally passed to the same corresponding parameters when Maat_rule_get_ex_new_index() was called.
typedef void Maat_rule_EX_new_func_t(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
MAAT_RULE_EX_DATA* ad, long argl, void *argp);
typedef void Maat_rule_EX_free_func_t(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
MAAT_RULE_EX_DATA* ad, long argl, void *argp);
typedef void Maat_rule_EX_dup_func_t(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp);
int Maat_rule_get_ex_new_index(Maat_feather_t feather, const char* compile_table_name,
Maat_rule_EX_new_func_t* new_func,
Maat_rule_EX_free_func_t* free_func,
Maat_rule_EX_dup_func_t* dup_func,
long argl, void *argp);
//returned data is duplicated by dup_func of Maat_rule_get_ex_new_index, caller is responsible to free the data.
MAAT_RULE_EX_DATA Maat_rule_get_ex_data(Maat_feather_t feather, const struct Maat_rule_t* rule, int idx);
//Helper function for parsing space or tab seperated line.
//Nth_column: the Nth column is numberd from 1.
//Return 0 if success.
int Maat_helper_read_column(const char* line, int Nth_column, size_t *column_offset, size_t *column_len);
//Following functions are similar to Maat_rule_get_ex_data, except they are effective on plugin table.
typedef void* MAAT_PLUGIN_EX_DATA;
typedef void Maat_plugin_EX_new_func_t(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
typedef void Maat_plugin_EX_free_func_t(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
typedef void Maat_plugin_EX_dup_func_t(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp);
typedef int Maat_plugin_EX_key2index_func_t(const char* key);
int Maat_plugin_EX_register(Maat_feather_t feather, int table_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func,
Maat_plugin_EX_key2index_func_t* key2index_func,
long argl, void *argp);
//Data is duplicated by dup_func of Maat_plugin_EX_register, caller is responsible to free the data.
MAAT_PLUGIN_EX_DATA Maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key);
enum MAAT_RULE_OPT
{
MAAT_RULE_SERV_DEFINE //VALUE is a char* buffer,SIZE= buffer size.
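Review bot: The new plugin extra-data API leaves ownership ambiguous: the comment above Maat_plugin_get_EX_data says the data is duplicated by dup_func and the caller must free it, but it does not say whether the caller should invoke free_func or plain free(), and a dup_func that copies only the pointer (as this commit's keyring_table_dup_cb does) turns either choice into a double free or a leak. I would state the contract in that comment: whether dup_func must produce an independent object and exactly which routine releases what Maat_plugin_get_EX_data returns. `MAAT_STATE_IN_UPDATING` and `Maat_plugin_EX_key2index_func_t` are also added without the per-entry comments their neighbours carry (VALUE type and size for the state, and what key2index returns for a key).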


@@ -9,41 +9,50 @@
using namespace std;
#include "Maat_rule.h"
#include <Maat_rule.h>
extern "C" Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger);
extern "C" int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
extern "C" int Maat_inter_initiate_feather(Maat_feather_t feather);
extern "C" int Maat_inter_table_register(Maat_feather_t feather,const char* table_name);
extern "C" void Maat_inter_burn_feather(Maat_feather_t feather);
extern "C" int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
extern "C" Maat_feather_t maat_feather(int max_thread_num,const char* table_info_path,void* logger);
extern "C" int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
extern "C" int maat_initiate_feather(Maat_feather_t feather);
extern "C" int maat_table_register(Maat_feather_t feather,const char* table_name);
extern "C" void matt_burn_feather(Maat_feather_t feather);
extern "C" int maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
Maat_start_callback_t *start,
Maat_update_callback_t *update,
Maat_finish_callback_t *finish,
void* u_para);
extern "C" int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size);
extern "C" int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size);
Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger)
extern "C" MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key);
extern "C" int maat_plugin_EX_register(Maat_feather_t feather, int table_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func,
Maat_plugin_EX_key2index_func_t* key2index_func,
long argl, void *argp);
Maat_feather_t maat_feather(int max_thread_num,const char* table_info_path,void* logger)
{
return Maat_feather(max_thread_num, table_info_path, logger);
}
int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size)
int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size)
{
return Maat_set_feather_opt(feather, type, value, size);
}
int Maat_inter_initiate_feather(Maat_feather_t feather)
int maat_initiate_feather(Maat_feather_t feather)
{
return Maat_initiate_feather(feather);
}
int Maat_inter_table_register(Maat_feather_t feather,const char* table_name)
int maat_table_register(Maat_feather_t feather,const char* table_name)
{
return Maat_table_register(feather, table_name);
}
int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
int maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
Maat_start_callback_t *start,
Maat_update_callback_t *update,
Maat_finish_callback_t *finish,
@@ -52,15 +61,30 @@ int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
return Maat_table_callback_register(feather, table_id, start, update, finish, u_para);
}
int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size)
int maat_plugin_EX_register(Maat_feather_t feather, int table_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func,
Maat_plugin_EX_key2index_func_t* key2index_func,
long argl, void *argp)
{
return Maat_plugin_EX_register(feather,table_id,new_func,free_func,dup_func,key2index_func,argl,argp);
}
MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key)
{
return Maat_plugin_get_EX_data(feather, table_id, key);
}
int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size)
{
return Maat_read_state(feather, type, value, size);
}
void Maat_inter_burn_feather(Maat_feather_t feather)
void matt_burn_feather(Maat_feather_t feather)
{
return Maat_burn_feather(feather);
}


@@ -49,22 +49,36 @@ typedef void Maat_start_callback_t(int update_type,void* u_para);
typedef void Maat_update_callback_t(int table_id,const char* table_line,void* u_para);
typedef void Maat_finish_callback_t(void* u_para);
Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger);
typedef void* MAAT_PLUGIN_EX_DATA;
typedef void Maat_plugin_EX_new_func_t(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
typedef void Maat_plugin_EX_free_func_t(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
typedef void Maat_plugin_EX_dup_func_t(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp);
typedef int Maat_plugin_EX_key2index_func_t(const char* key);
int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
Maat_feather_t maat_feather(int max_thread_num,const char* table_info_path,void* logger);
int Maat_inter_initiate_feather(Maat_feather_t feather);
int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size);
int Maat_inter_table_register(Maat_feather_t feather,const char* table_name);
int maat_initiate_feather(Maat_feather_t feather);
int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
int maat_table_register(Maat_feather_t feather,const char* table_name);
int maat_inter_table_callback_register(Maat_feather_t feather,short table_id,
Maat_start_callback_t *start,
Maat_update_callback_t *update,
Maat_finish_callback_t *finish,
void* u_para);
int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size);
MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key);
void Maat_inter_burn_feather(Maat_feather_t feather);
int maat_plugin_EX_register(Maat_feather_t feather, int table_id,
Maat_plugin_EX_new_func_t* new_func,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func,
Maat_plugin_EX_key2index_func_t* key2index_func,
long argl, void *argp);
int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size);
void matt_burn_feather(Maat_feather_t feather);
#endif
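Review bot: The renamed teardown wrapper is declared as `void matt_burn_feather(Maat_feather_t feather);`, which breaks the `maat_` prefix every other wrapper in this hunk now uses; the same misspelling appears in the .cpp file's `extern "C"` declaration and definition in the earlier section. A caller that follows the prefix convention will hit an unresolved symbol at link time, so it should be `void maat_burn_feather(Maat_feather_t feather);` in both files. `maat_inter_table_callback_register` likewise keeps the old `inter` infix while its siblings drop it, which looks unintended. The new `MAAT_PLUGIN_EX_DATA` plugin hooks also carry no comment on which side owns the data produced by `new_func` and when `free_func` runs; a short comment above `typedef void* MAAT_PLUGIN_EX_DATA;` stating the ownership and lifetime contract would keep plugin authors from leaking or double-freeing it.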