diff --git a/conf/cert_store.ini b/conf/cert_store.ini
index bf7eaed..78d01bb 100644
--- a/conf/cert_store.ini
+++ b/conf/cert_store.ini
@@ -10,6 +10,7 @@ thread-nu = 4
 #Local default root certificate is valid for 30 days by default
 expire_after = 30
 #Local default root certificate path
+local_debug = 0
 ca_path = ../ca/mesalab-ca.pem
 untrusted_ca_path = ../ca/mesalab-ca-untrust.pem
 [NTC_MAAT]
diff --git a/conf/pxy_obj_keyring.json b/conf/pxy_obj_keyring.json
index baa6f9b..c9a76a0 100644
--- a/conf/pxy_obj_keyring.json
+++ b/conf/pxy_obj_keyring.json
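Review bot: The new `local_debug = 0` is inserted between the comment `#Local default root certificate path` and the `ca_path` key that comment describes, so the comment now reads as if it documented the debug switch. Move the key above that comment and give it a comment of its own, e.g. `#1: load the local CA files below and sign with them when the keyring lookup fails (see task_private_init / x509_online_append); 0: keyring table only`, wording adjusted to how cert_session.c actually consumes the flag.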
@@ -73,15 +73,11 @@
 {
 "table_name": "PXY_OBJ_KEYRING",
 "table_content": [
- "1\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\thttp://www.test.com\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
- "2\t1\tname_02\troot\t/test/01\t/test/01\t90\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
- "3\t1\tname_03\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
- "4\t1\tname_04\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
- "5\t1\tname_05\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-ca-cert.cer",
- "6\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test01.p12",
- "9\t1\tname_06\tend-entity\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test02.p12",
- "8\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/01/server.key\t/home/fengweihao/workspace/01/test02.p12",
- "256\t1\tinsec\troot\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/ca/mesalab-insec-cert.key\t/home/fengweihao/workspace/cert_store/ca/mesalab-insec-cert.cer"
+ "0\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\tURI:http://www.test.com\t1\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca-untrust.pem\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca-untrust.pem",
+ "1\t1\tname_01\troot\t/test/01\t/test/01\t15\trsa2048\tURI:http://www.test.com\t1\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/mesalab-ca.pem",
+ "363\t1\tname_02\troot\t/test/01\t/test/01\t90\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-trust-ca.pem\t/home/fengweihao/workspace/cert_store/test_data/tango-ca-trust-ca.pem",
+ "364\t1\tname_06\tintermediate\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t /home/fengweihao/workspace/cert_store/test_data/tango-v2.key\t/home/fengweihao/workspace/cert_store/test_data/tango-v2.p12",
+ "365\t1\tname_06\tend-entity\t/test/01\t/test/01\t30\trsa2048\tnull\t1\t/home/fengweihao/workspace/cert_store/test_data/sina.key\t/home/fengweihao/workspace/cert_store/test_data/sina.p12"
 ]
 }
 ]
diff --git a/conf/table_info.conf b/conf/table_info.conf
index e82d0f8..ebaf30c 100644
--- a/conf/table_info.conf
+++ b/conf/table_info.conf
@@ -17,4 +17,4 @@
 #id name type src_charset dst_charset do_merge cross_cache quick_mode
 1 COMPILE compile
 2 GROUP group
-3 PXY_OBJ_KEYRING plugin {"valid":10,"foreign":"11,12"}
+3 PXY_OBJ_KEYRING plugin {"key":1,"valid":11,"foreign":"11,12"}
diff --git a/src/cert_conf.c b/src/cert_conf.c
index cbf2171..950f6e0 100644
--- a/src/cert_conf.c
+++ b/src/cert_conf.c
@@ -24,7 +24,6 @@ struct config_bucket_t certConfig = {
 .ca_path = "./cert/mesalab-ca.pem",
 .uninsec_path = "./cert/mesalab-ca-untrust.pem",
 .addr_t = {9995, 6379, "0.0.0.0", 0, 6379, "0.0.0.0"},
-.keyring = {0, 0, NULL, NULL},
 };
 
 struct config_bucket_t *cert_default_config()
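Review bot: Every new row hard-codes absolute `/home/fengweihao/...` paths, while cert_store.ini in the same commit refers to the CA files relative to the working directory; anyone else deploying this sample table has to rewrite all five rows, and a relative `../test_data/...` form would match the ini. The `364` row also has a stray space before `/home/.../tango-v2.key`; the `\t%s` sscanf directive in keyring_table_new_cb skips it, but it is inconsistent with the other rows and worth removing.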
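Review bot: `"valid":11` looks off by one: the sscanf format in keyring_table_new_cb reads `is_valid` from the 10th tab-separated column and the private-key path from the 11th, and Maat_rule.h's `Maat_helper_read_column` numbers columns from 1, so if `valid` is a 1-based column index it now names a file path rather than the flag (the old value 10 matched). `"key":1` is consistent with `keyring_id` being column 1, which is the value get_obj_for_id looks up. If the numbering in this file is not 1-based, a comment on the line stating the convention would save the next reader the same check.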
@@ -55,6 +54,12 @@ static int load_system_config(char *config) goto finish; } + + xret = MESA_load_profile_uint_nodef(config, "CONFIG", "local_debug", &(rte->local_debug)); + if (xret < 0){ + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of local_debug failed"); + } + xret = MESA_load_profile_string_nodef(config, "CONFIG", "untrusted_ca_path", rte->uninsec_path, 128); if (xret <0 && rt_file_exsit(rte->uninsec_path)){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Read the untrusted ca path failed or the (%s) does not exist", diff --git a/src/cert_conf.h b/src/cert_conf.h index 27a4543..8fbe8a9 100644 --- a/src/cert_conf.h +++ b/src/cert_conf.h @@ -15,8 +15,13 @@ #include #include +#include "moodycamel_maat_rule.h" #include "MESA_htable.h" +#define CT_PATH_MAX 256 +#define CT_ARRARY_LEN (CT_PATH_MAX/2) +#define CT_STRING_MAX 1024 + struct request_t{ #define DATALEN 128 int thread_id; @@ -30,27 +35,18 @@ struct request_t{ }; struct pxy_obj_keyring{ - int id; - int service; + int keyring_id; + char keyring_type[CT_ARRARY_LEN]; + uint64_t expire_after; + char public_algo[CT_STRING_MAX]; + char v3_ctl[CT_STRING_MAX]; + char finger[EVP_MAX_MD_SIZE]; EVP_PKEY *key; X509 *root; - char digest[EVP_MAX_MD_SIZE]; - char name[128]; - char type[128]; - char ctl[512]; - char public_algo[256]; - uint64_t expire_after; int is_valid; STACK_OF(X509) *stack_ca; }; -struct key_ring_list -{ - int updata_type; - uint64_t sum_cnt; - MESA_htable_handle htable, oldhtable; -}; - struct _initer_addr_t{ uint16_t e_port; /*libevent prot*/ uint16_t maat_port; /*maat redis port*/ @@ -71,13 +67,15 @@ struct ntc_maat_t{ }; struct config_bucket_t{ + Maat_feather_t feather; + int table_id; + unsigned int local_debug; unsigned int thread_nu; unsigned int expire_after; char ca_path[128]; char uninsec_path[128]; struct ntc_maat_t maat_t; struct _initer_addr_t addr_t; - struct key_ring_list keyring; }; extern struct config_bucket_t *cert_default_config(); 
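Review bot: The new `local_debug` read logs at RLOG_LV_FATAL when the key is absent, although it is an optional switch whose zero value is the normal production setting (the file-scope `certConfig` initializer leaves the field zero-initialized, assuming cert_default_config returns that object). A missing optional key should not produce a FATAL entry; log it lower and state the effect, e.g. `mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "local_debug not set, defaulting to 0");`. If `MESA_load_profile_uint_nodef` can leave a partial value in `rte->local_debug` on failure (not visible here), also reset it to 0 in that branch.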
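Review bot: `char finger[EVP_MAX_MD_SIZE];` in struct pxy_obj_keyring is sized for raw digest bytes, but x509_get_fingerprint writes the hex encoding (2*len+1 bytes) into it; the SHA-1 used today (41 bytes) fits, but any move to a larger digest overflows the field silently with no check anywhere. Size it for the encoding, `char finger[EVP_MAX_MD_SIZE * 2 + 1];`, and since `CT_ARRARY_LEN` is introduced by this commit, spell it `CT_ARRAY_LEN` before it spreads. The new fields also deserve one comment each (what `keyring_type` values are expected, what `v3_ctl` holds), since they are parsed positionally from a table line and nothing else documents them.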
diff --git a/src/cert_session.c b/src/cert_session.c index 5b1c7f2..5d7fcab 100644 --- a/src/cert_session.c +++ b/src/cert_session.c @@ -57,9 +57,6 @@ #define LOCAL_USER_DER 2 #define LOCAL_USER_P12 3 -#define MESALAB_INSEC_CERT "mesalab-insec-cert.cer" -#define MESALAB_INSEC_KEY "mesalab-insec-cert.key" - #define CM_UPDATE_TYPE_FULL 1 #define CM_UPDATE_TYPE_INC 2 @@ -93,41 +90,6 @@ void disconnectCallback(const struct redisAsyncContext *c, int status) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Redis server disconnected..."); } -static int -MESA_internal_htable_set_opt(MESA_htable_handle table, enum MESA_htable_opt opt_type, unsigned value) -{ - int ret = MESA_htable_set_opt(table, opt_type, &value, (int)(sizeof(value))); - return ret; -} - -static MESA_htable_handle -key_ring_list_create() -{ - int ret = 0; - MESA_htable_handle *htable = NULL; - - htable = MESA_htable_born(); - assert(htable != NULL); - - MESA_internal_htable_set_opt(htable, MHO_SCREEN_PRINT_CTRL, 0); - MESA_internal_htable_set_opt(htable, MHO_THREAD_SAFE, 1); - - MESA_internal_htable_set_opt(htable, MHO_MUTEX_NUM, 16); - MESA_internal_htable_set_opt(htable, MHO_HASH_SLOT_SIZE, 1024); - MESA_internal_htable_set_opt(htable, MHO_HASH_MAX_ELEMENT_NUM, 2048); - MESA_internal_htable_set_opt(htable, MHO_EXPIRE_TIME, 0); - - MESA_internal_htable_set_opt(htable, MHO_ELIMIMINATE_TYPE, - HASH_ELIMINATE_ALGO_LRU); - ret = MESA_htable_mature(htable); - if(ret != 0){ - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "MESA htable mature running error!"); - goto finish; - } -finish: - return htable; -} - void x509_get_private_key(EVP_PKEY *pkey, char *pubkey) { BIO *bp = NULL; 
@@ -1045,57 +1007,85 @@ end: return xret; } +static struct pxy_obj_keyring* get_obj_for_id(int keyring_id) +{ +#define KEY_LEN 16 + struct pxy_obj_keyring *pxy_obj=NULL; + + struct config_bucket_t *rte = cert_default_config(); + + char cfg_id_str[KEY_LEN] = {0}; + snprintf(cfg_id_str, KEY_LEN, "%d", keyring_id); + + int tables_id = rte->table_id; + pxy_obj = (struct pxy_obj_keyring*)maat_plugin_get_EX_data(rte->feather, tables_id, (const char*)cfg_id_str); + if(pxy_obj==NULL) + { + goto finish; + } +finish: + return pxy_obj; +} + static int x509_online_append(struct x509_object_ctx *def, struct request_t *request, char **root, char **sign, char *pkey, STACK_OF(X509) **stack_ca, int *verify) { - void *odata = NULL; X509* x509 = NULL; int is_valid = request->is_valid; + int keyring_id = request->keyring_id; int _expire = 0; char *_crl = NULL; char *serial = NULL; X509 *_root = NULL; EVP_PKEY *_key = NULL; - struct key_ring_list *keyring = &cert_default_config()->keyring; - if (keyring->htable == NULL){ - _root = (is_valid == 1) ? def->root : def->insec_root; - _key = (is_valid == 1) ? def->key : def->insec_key; - _expire = cert_default_config()->expire_after; - mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "The approval certificate chain is empty"); - goto modify; - } + struct config_bucket_t *rte = cert_default_config(); - odata = MESA_htable_search(keyring->htable, (const uchar *)&(request->keyring_id), sizeof(int)); - if ( !odata ){ - _root = (is_valid == 1) ? def->root : def->insec_root; - _key = (is_valid == 1) ? 
def->key : def->insec_key; - _expire = cert_default_config()->expire_after; - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Sing certificates using local default certificates"); - } else { - struct pxy_obj_keyring *pxy_obj = (struct pxy_obj_keyring *)odata; - if (pxy_obj->is_valid != 1){ - pxy_obj->root = def->root; - pxy_obj->key = def->key; - }else{ - if (!STRCMP(pxy_obj->type, "end-entity")){ - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is an entity certificate", - pxy_obj->id); - *stack_ca = pxy_obj->stack_ca; - x509_get_msg_from_ca(pxy_obj->root, sign); - x509_get_private_key(pxy_obj->key, pkey); - goto finish; + if (is_valid == 0 && keyring_id != 0) keyring_id = 0; + if (is_valid == 1 && keyring_id == 0) keyring_id = 1; + + struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id); + if (NULL == pxy_obj) + { + if (!rte->local_debug) + { + if (1==is_valid) + { + pxy_obj = get_obj_for_id(1); } - if (!STRCMP(pxy_obj->type, "intermediate")){ - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is intermediate, chain address %p", - pxy_obj->id, pxy_obj->stack_ca); - *stack_ca = pxy_obj->stack_ca; + if (0==is_valid) + { + pxy_obj = get_obj_for_id(0); } + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Certificate issued by table id %d", keyring_id); + } + else + { + _root = (is_valid == 1) ? def->root : def->insec_root; + _key = (is_valid == 1) ? def->key : def->insec_key; + _expire = cert_default_config()->expire_after; + mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Certificate issued by local cert"); + goto modify; } - _root = (is_valid == 1) ? pxy_obj->root : def->insec_root; - _key = (is_valid == 1) ? 
pxy_obj->key : def->insec_key; - _expire = pxy_obj->expire_after; - _crl = pxy_obj->ctl; } + if (!STRCMP(pxy_obj->keyring_type, "end-entity")) + { + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is an entity certificate", + keyring_id); + *stack_ca = pxy_obj->stack_ca; + x509_get_msg_from_ca(pxy_obj->root, sign); + x509_get_private_key(pxy_obj->key, pkey); + goto finish; + } + if (!STRCMP(pxy_obj->keyring_type, "intermediate")) + { + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The certificate(%d) type is intermediate, chain address %p", + keyring_id, pxy_obj->stack_ca); + *stack_ca = pxy_obj->stack_ca; + } + _root = pxy_obj->root; + _key = pxy_obj->key; + _expire = pxy_obj->expire_after; + _crl = pxy_obj->v3_ctl; modify: x509 = x509_modify_by_cert(_root, _key, request->origin, pkey, _expire, request->sni, _crl); @@ -1108,7 +1098,8 @@ modify: OPENSSL_free(serial); *verify = x509_check_chain(*stack_ca, _root, x509); - if (*verify != 1){ + if (*verify != 1) + { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Certificate chain match failed"); } x509_get_msg_from_ca(x509, sign); @@ -1557,9 +1548,8 @@ finish: } static int -x509_get_rkey(X509 *origin, int keyring_id, char *rkey) +x509_get_rkey(X509 *origin, int keyring_id, char *rkey, int is_valid) { - void *odata = NULL; unsigned int len = 0, i = 0; char hex[EVP_MAX_MD_SIZE] = {0}; unsigned char fdig[EVP_MAX_MD_SIZE] = {0}; 
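Review bot: After the fallback lookups `pxy_obj` can still be NULL — `get_obj_for_id(1)` / `get_obj_for_id(0)` return NULL whenever the PXY_OBJ_KEYRING table has no row for that id or has not loaded yet — and the code then dereferences `pxy_obj->keyring_type`; the removed code always had `def->root` to fall back on, the new non-debug path has nothing. Add `if (pxy_obj == NULL) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "No keyring entry for id %d", keyring_id); goto finish; }` after the fallback block; the `finish` label and the function's return are outside the hunk, so confirm that path leaves `*verify` and the out-parameters in a state the caller rejects. The "Certificate issued by table id %d" message logs the pre-fallback `keyring_id`, not the id actually used. In get_obj_for_id the `if(pxy_obj==NULL) goto finish;` immediately followed by `finish:` is a no-op and can be dropped.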
@@ -1568,17 +1558,17 @@ x509_get_rkey(X509 *origin, int keyring_id, char *rkey) for (i = 0; i < len ; ++i){ sprintf(hex + i * sizeof(unsigned char) * 2, "%02x", fdig[i]); } - struct key_ring_list *keyring = &cert_default_config()->keyring; - if (keyring->htable != NULL){ - odata = MESA_htable_search(keyring->htable, (const uchar *)&(keyring_id), sizeof(int)); - if (odata){ - struct pxy_obj_keyring *pxy_obj = (struct pxy_obj_keyring *)odata; + /** keyrind_id is 0, sign x509 by default */ + /** 0 uninsec, 1 insec*/ + if (is_valid && keyring_id == 0) keyring_id = 1; - snprintf(rkey, DATALEN, "%d:%s:%s", keyring_id, hex, pxy_obj->digest); - goto finish; - } + struct pxy_obj_keyring *pxy_obj = get_obj_for_id(keyring_id); + if (pxy_obj != NULL) + { + snprintf(rkey, DATALEN, "%d:%s:%s:%d", keyring_id, hex, pxy_obj->finger, is_valid); + goto finish; } - snprintf(rkey, DATALEN, "%d:%s", keyring_id, hex); + snprintf(rkey, DATALEN, "%d:%s:%d", keyring_id, hex, is_valid); finish: return 0; } @@ -1629,14 +1619,14 @@ pthread_work_proc(struct evhttp_request *evh_req, void *arg) goto error; } - x509_get_rkey(request->origin, request->keyring_id, request->rkey); + x509_get_rkey(request->origin, request->keyring_id, request->rkey, request->is_valid); if (request->rkey[0] == '\0'){ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Get the redis key from the certificate failed"); goto error; } mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Redis key is %s", request->rkey); - if (info->cl_ctx->err != 0 || request->is_valid == 0){ + if (info->cl_ctx->err != 0){ xret = redis_clnt_pdu_send(request, NULL); if (xret < 0) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Local sign certificate failed"); 
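Review bot: The id normalisation here differs from x509_online_append: that function also forces `keyring_id = 0` when `is_valid == 0`, but this one only maps `is_valid && keyring_id == 0` to 1, so a request with `is_valid == 0` and a non-zero keyring_id gets a redis key built from keyring N's fingerprint while the certificate is actually signed by keyring 0, and the cached entry then survives a rotation of keyring 0's CA. Add `if (!is_valid) keyring_id = 0;` before the lookup, or move both normalisations into one helper shared with x509_online_append. The comment `/** 0 uninsec, 1 insec*/` is also backwards relative to the ini and the JSON rows, which call id 0 the untrusted CA and id 1 the trusted one.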
@@ -1696,20 +1686,22 @@ task_private_init(struct event_base *base, libevent_thread *info) mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Initialize the sync redis connection is failure"); } - /* Initialize the X509 CA*/ - xret = x509_privatekey_init(config->ca_path, &info->def.key, &info->def.root); - if (xret < 0 || !(info->def.key) || !(info->def.root)){ - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate"); - goto finish; - } + if (config->local_debug) + { + /* Initialize the X509 CA*/ + xret = x509_privatekey_init(config->ca_path, &info->def.key, &info->def.root); + if (xret < 0 || !(info->def.key) || !(info->def.root)){ + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate"); + goto finish; + } - /* Initialize the insec CA*/ - xret = x509_privatekey_init(config->uninsec_path, &info->def.insec_key, &info->def.insec_root); - if (xret < 0 || !(info->def.key) || !(info->def.root)){ - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate"); - goto finish; + /* Initialize the insec CA*/ + xret = x509_privatekey_init(config->uninsec_path, &info->def.insec_key, &info->def.insec_root); + if (xret < 0 || !(info->def.key) || !(info->def.root)){ + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the insec x509 certificate"); + goto finish; + } } - finish: return xret; } @@ -1940,8 +1932,6 @@ void sigproc(int __attribute__((__unused__))sig) redisFree(thread->sync); } event_base_free(thread->base); - key_ring_list_destroy(&(rte->keyring.htable)); - key_ring_list_destroy(&(rte->keyring.oldhtable)); } kfree(threads); 
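Review bot: The insec-CA check the commit re-indents still tests the wrong fields: `if (xret < 0 || !(info->def.key) || !(info->def.root))` after loading into `insec_key`/`insec_root` passes whenever the trusted CA loaded, so a missing `uninsec_path` file is not noticed until the first untrusted signing. Change it to `if (xret < 0 || !(info->def.insec_key) || !(info->def.insec_root)){`. With `local_debug` off, `info->def.key`/`root` now stay NULL, which is only safe as long as every non-debug path in x509_online_append avoids `def->root`; its fallback branch does not guarantee that today.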
@@ -1992,135 +1982,109 @@ static int mesa_fiel_stat_init() return 0; } -void Maat_read_entry_start_cb(int update_type, void* u_para) -{ - struct key_ring_list *keyring = (struct key_ring_list *)u_para; - - if (update_type != CM_UPDATE_TYPE_FULL){ - keyring->updata_type = 2; - if (!keyring->oldhtable){ - keyring->oldhtable = key_ring_list_create(); - keyring->sum_cnt = 0; - keyring->updata_type = 1; - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The initial key ring list was successful, addr is %p", - keyring->oldhtable); - } - goto finish; - } - - if (keyring->oldhtable) - key_ring_list_destroy(&(keyring->oldhtable)); - - /*Keyring list initialization **/ - keyring->oldhtable = key_ring_list_create(); - keyring->sum_cnt = 0; - keyring->updata_type = 1; - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "The initial key ring list was successful, addr is %p", - keyring->oldhtable); -finish: - return; -} - static void -x509_get_fingerprint(X509 *x509, char *digest) +x509_get_fingerprint(X509 *x509, char *finger) { + int xret = -1; unsigned int len = 0, i = 0; unsigned char fdig[EVP_MAX_MD_SIZE] = {0}; - X509_digest(x509, EVP_sha1(), fdig, &len); + xret = X509_digest(x509, EVP_sha1(), fdig, &len); + if (xret != 1) + goto finish; for (i = 0; i < len ; ++i){ - sprintf(digest + i * sizeof(unsigned char) * 2, "%02x", fdig[i]); + sprintf(finger + i * sizeof(unsigned char) * 2, "%02x", fdig[i]); } +finish: return; } -static void -Maat_read_entry_cb(int __attribute__((__unused__))table_id, const char* table_line, - void *u_para) +void keyring_table_new_cb(int __attribute__((__unused__))table_id, const char __attribute__((__unused__))*key, +const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long __attribute__((__unused__))argl, void __attribute__((__unused__))* argp) { - int xret = 0; - struct pxy_obj_keyring *pxy_obj = NULL; - MESA_htable_handle htable = NULL; - char __attribute__((__unused__))_priv_file[512] = {0}; - char __attribute__((__unused__))_publi_file[512] = {0}; - char 
private_file[512] = {0}, public_file[512] = {0}; + char profile_name[CT_ARRARY_LEN]={0}; + char private_file[CT_STRING_MAX] = {0}, public_file[CT_STRING_MAX]={0}; + char __attribute__((__unused__))_priv_file[CT_PATH_MAX] = {0}; + char __attribute__((__unused__))_publi_file[CT_PATH_MAX] = {0}; + int service = 0, ret=0; - struct key_ring_list *keyring = (struct key_ring_list *)u_para; + struct pxy_obj_keyring *pxy_obj = NULL; pxy_obj = (struct pxy_obj_keyring *)malloc(sizeof(struct pxy_obj_keyring)); - if (!pxy_obj){ + if (!pxy_obj) + { mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Can not alloc, %s", strerror(errno)); goto finish; } memset(pxy_obj, 0, sizeof(struct pxy_obj_keyring)); - if (keyring->updata_type == CM_UPDATE_TYPE_FULL){ - htable = keyring->oldhtable; - }else{ - htable = keyring->htable; - } - - sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%s\t%s", &pxy_obj->id, &pxy_obj->service, pxy_obj->name, - pxy_obj->type, _priv_file, _publi_file, &pxy_obj->expire_after, pxy_obj->public_algo, - pxy_obj->ctl, &pxy_obj->is_valid, private_file, public_file); - - if (pxy_obj->is_valid){ - xret = x509_privatekey_init2(private_file, public_file, &pxy_obj->key, &pxy_obj->root, &pxy_obj->stack_ca); - if (xret < 0 || !pxy_obj->key || !pxy_obj->root){ - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to initialize the x509 certificate, the keyring id is %d", - pxy_obj->id); - goto finish; - } - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d", - pxy_obj->id); - x509_get_fingerprint(pxy_obj->root, pxy_obj->digest); - MESA_htable_add(htable, (const uchar *)(&(pxy_obj->id)), sizeof(int), pxy_obj); - keyring->sum_cnt++; - }else{ - mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Unapprove keyring id is %d", - pxy_obj->id); - MESA_htable_del(htable, (const uchar *)(&(pxy_obj->id)), sizeof(int), key_ring_free); + ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%s\t%s", &pxy_obj->keyring_id, 
&service, profile_name, + pxy_obj->keyring_type, _priv_file, _publi_file, &pxy_obj->expire_after, pxy_obj->public_algo, + pxy_obj->v3_ctl, &pxy_obj->is_valid, private_file, public_file); + if(ret!=12) + { + kfree(&pxy_obj); + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore parse config failed: %s", table_line); + goto finish; + } + + ret = x509_privatekey_init2(private_file, public_file, &pxy_obj->key, &pxy_obj->root, &pxy_obj->stack_ca); + if (ret < 0 || !pxy_obj->key || !pxy_obj->root){ + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "initialize the x509 certificate failed, the keyring id is %d", + pxy_obj->keyring_id); + goto finish; } + mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "initialize the x509 certificate, the keyring id is %d", + pxy_obj->keyring_id); + x509_get_fingerprint(pxy_obj->root, pxy_obj->finger); + *ad = pxy_obj; finish: return; } -void Maat_read_entry_finish_cb(void* u_para) +void keyring_table_dup_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, +long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp) { - MESA_htable_handle tmphtable = NULL; - struct key_ring_list *keyring = (struct key_ring_list *)u_para; - - if (keyring->updata_type == CM_UPDATE_TYPE_FULL){ - tmphtable = keyring->htable; - keyring->htable = keyring->oldhtable; - keyring->oldhtable = tmphtable; - } - return; + struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*from); + *to=pxy_obj; } -int sample_plugin_table(Maat_feather_t feather,const char* table_name, - Maat_start_callback_t *start,Maat_update_callback_t *update,Maat_finish_callback_t *finish, - void *u_para, - void __attribute__((__unused__))*logger) +void keyring_table_free_cb(int __attribute__((__unused__))table_id, MAAT_PLUGIN_EX_DATA* ad, +long __attribute__((__unused__))argl, void __attribute__((__unused__))*argp) { - int table_id = 0,ret = 0; - table_id = Maat_inter_table_register(feather, table_name); - if(table_id == -1){ - 
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Database table %s register failed.",table_name); - }else{ - ret = Maat_inter_table_callback_register(feather, table_id, start, - update, finish, u_para); - if(ret < 0){ - mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Maat callback register table %s error.",table_name); - } - } + struct pxy_obj_keyring* pxy_obj=(struct pxy_obj_keyring*)(*ad); + X509_free(pxy_obj->root); + EVP_PKEY_free(pxy_obj->key); + kfree(&pxy_obj); + *ad=NULL; +} - return ret; +int maat_table_ex_init(const char* table_name, + Maat_plugin_EX_new_func_t* new_func, + Maat_plugin_EX_free_func_t* free_func, + Maat_plugin_EX_dup_func_t* dup_func) +{ + int table_id = 0; + + struct config_bucket_t *rte = cert_default_config(); + + table_id= rte->table_id = maat_table_register(rte->feather, table_name); + if(table_id<0) + { + goto finish; + } + table_id=maat_plugin_EX_register(rte->feather, + table_id, + new_func,free_func, + dup_func,NULL,0,NULL); +finish: + return table_id; } int maat_feather_init() { + int ret = -1; Maat_feather_t feather = NULL; int scan_interval_ms = 1000; 
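Review bot: `ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%lu\t%s\t%s\t%d\t%s\t%s", ...)` in keyring_table_new_cb reads eight strings with no width into fixed buffers (`profile_name`/`keyring_type` are CT_ARRARY_LEN, `_priv_file`/`_publi_file` CT_PATH_MAX, the rest CT_STRING_MAX), so an over-long column in a table line — which arrives from the Maat JSON/redis feed — overflows the heap object or the stack. Use widths one below each buffer size, `"%d\t%d\t%127s\t%127s\t%255s\t%255s\t%lu\t%1023s\t%1023s\t%d\t%1023s\t%1023s"`, or read columns with `Maat_helper_read_column` and bounded copies. Two ownership gaps in the same hunk: when `x509_privatekey_init2` fails, `pxy_obj` is leaked (`*ad` is never set) unlike the sscanf failure path, so add `kfree(&pxy_obj);` before that `goto finish`; and `keyring_table_free_cb` frees `root` and `key` but not `stack_ca`, so add `sk_X509_pop_free(pxy_obj->stack_ca, X509_free);` — assuming init2 hands over ownership of that stack, which is not visible here. `%lu` into `uint64_t expire_after` also matches only on LP64 targets; `SCNu64` would be portable.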
@@ -2129,36 +2093,44 @@ int maat_feather_init() int effective_interval_ms = maat_t->effective_interval_s * 1000; - feather = Maat_inter_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle); + feather = maat_feather(rte->thread_nu, maat_t->info_path, logging_sc_lid.run_log_handle); - Maat_inter_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1); + maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, "certstore", strlen("certstore") + 1); if (maat_t->maat_json_switch == 1){ - Maat_inter_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1); + maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maat_t->pxy_path, strlen(maat_t->pxy_path)+1); } if (maat_t->maat_json_switch == 0){ - Maat_inter_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1); - Maat_inter_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1); + maat_set_feather_opt(feather, MAAT_OPT_FULL_CFG_DIR, maat_t->full_cfg_dir, strlen(maat_t->full_cfg_dir)+1); + maat_set_feather_opt(feather, MAAT_OPT_INC_CFG_DIR, maat_t->inc_cfg_dir, strlen(maat_t->inc_cfg_dir)+1); } if (maat_t->maat_json_switch == 2){ - Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1); - Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port)); - Maat_inter_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex)); + maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, rte->addr_t.maat_ip, strlen(rte->addr_t.maat_ip)+1); + maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, &rte->addr_t.maat_port, sizeof(rte->addr_t.maat_port)); + maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, &rte->addr_t.dbindex, sizeof(rte->addr_t.dbindex)); } - Maat_inter_set_feather_opt(feather, 
MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms)); - Maat_inter_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms)); + maat_set_feather_opt(feather, MAAT_OPT_SCANDIR_INTERVAL_MS,&scan_interval_ms, sizeof(scan_interval_ms)); + maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS,&effective_interval_ms, sizeof(effective_interval_ms)); /***/ const char* foregin_dir="./foreign_files/"; - Maat_inter_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1); - Maat_inter_initiate_feather(feather); + maat_set_feather_opt(feather, MAAT_OPT_FOREIGN_CONT_DIR,foregin_dir, strlen(foregin_dir)+1); + ret = maat_initiate_feather(feather); + if (ret < 0) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__); + } + rte->feather = feather; + + int table_id = maat_table_ex_init("PXY_OBJ_KEYRING", + keyring_table_new_cb, + keyring_table_free_cb, + keyring_table_dup_cb); + if(table_id<0) + { + mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "certstore register table PXY_OBJ_KEYRING failed"); + } - sample_plugin_table(feather, "PXY_OBJ_KEYRING", - Maat_read_entry_start_cb, - Maat_read_entry_cb, - Maat_read_entry_finish_cb, - &rte->keyring, - NULL); return 0; } diff --git a/src/inc/Maat_rule.h b/src/inc/Maat_rule.h index 91d373c..afba44c 100644 --- a/src/inc/Maat_rule.h +++ b/src/inc/Maat_rule.h 
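Review bot: A failed `maat_initiate_feather` is logged and then ignored: `rte->feather = feather` is stored, the table is registered on it, and the function returns 0 regardless of `ret` or `table_id`, so the caller cannot tell that the keyring source is unusable and every later `get_obj_for_id` just returns NULL. Propagate the failure, `if (ret < 0) { mesa_runtime_log(...); return -1; }` and `return (table_id < 0) ? -1 : 0;` at the end, which also gives the otherwise unused `ret` a purpose. `feather` is likewise never checked for NULL before the `maat_set_feather_opt` calls (unchanged context, but the new `maat_feather` call is the place to add it).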
@@ -1,12 +1,12 @@ /* -*****************Maat Network Flow Rule Manage Framework******** +*****************Maat Deep Packet Inspection Policy Framework******** * Maat is the Goddess of truth and justice in ancient Egyptian concept. * Her feather was the measure that determined whether the souls (considered * to reside in the heart) of the departed would reach the paradise of afterlife * successfully. -* Author: zhengchao@iie.ac.cn,MESA -* Version 2018-09-25 foreign key and rule tags. +* Author: zhengchao@iie.ac.cn, MESA +* Version 2018-12-07 Plugin Extra Data. * NOTE: MUST compile with G++ * All right reserved by Institute of Infomation Engineering,Chinese Academic of Science 2014~2018 ********************************************************* @@ -16,7 +16,7 @@ #ifndef __cplusplus #error("This file should be compiled with C++ compiler") #endif -#include "stream.h" +#include enum MAAT_CHARSET { CHARSET_NONE=0, 
@@ -159,14 +159,15 @@ enum MAAT_INIT_OPT MAAT_OPT_ENABLE_UPDATE, //VALUE is interger, SIZE=sizeof(int). 1: Enabled, 0:Disabled. DEFAULT: Backgroud update is enabled. Runtime setting is allowed. MAAT_OPT_ACCEPT_TAGS, //VALUE is a const char*, MUST end with '\0', SIZE= strlen(string+'\0')+1. Format is a JSON, e.g.{"tags":[{"tag":"location","value":"Beijing/ChaoYang/Huayan/22A"},{"tag":"isp","value":"telecom"}]} MAAT_OPT_FOREIGN_CONT_DIR, //VALUE is a const char*, MUST end with '\0', SIZE= strlen(string+'\0')+1. Specifies a local diretory to store foreign content. Default: []table_info_path]_files - MAAT_OPT_FOREIGN_CONT_LINGER //VALUE is interger *, SIZE=sizeof(int). Greater than 0: delete after VALUE seconds; 0: delete foreign content right after the notification callbacks; Less than 0: NEVER delete. Default: 0. - }; + MAAT_OPT_FOREIGN_CONT_LINGER //VALUE is interger *, SIZE=sizeof(int). Greater than 0: delete after VALUE seconds; 0: delete foreign content right after the notification callbacks; Less than 0: NEVER delete. Default: 0. +}; //return -1 if failed, return 0 on success; int Maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size); enum MAAT_STATE_OPT { - MAAT_STATE_VERSION=1, //Get current maat version. VALUE is long long, SIZE=sizeof(long long). - MAAT_STATE_LAST_UPDATING_TABLE //Query at Maat_finish_callback_t to determine whether this table is the last one to update. VALUE is interger, SIZE=sizeof(int), 1:yes, 0: no + MAAT_STATE_VERSION=1, //Get current maat version, if maat is in update progress, the updating version is returned. VALUE is long long, SIZE=sizeof(long long). + MAAT_STATE_LAST_UPDATING_TABLE, //Query at Maat_finish_callback_t to determine whether this table is the last one to update. VALUE is interger, SIZE=sizeof(int), 1:yes, 0: no + MAAT_STATE_IN_UPDATING }; int Maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size); 
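Review bot: `MAAT_STATE_IN_UPDATING` is added without the `//VALUE is ..., SIZE=...` comment every other member of `MAAT_STATE_OPT` carries, so a caller of `Maat_read_state` cannot tell what buffer to pass or how to read the result. Document it in the same style, e.g. `MAAT_STATE_IN_UPDATING //VALUE is integer, SIZE=sizeof(int), 1: an update is in progress, 0: idle`, adjusted to the real type if it is not an int.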
@@ -181,6 +182,7 @@ int Maat_table_callback_register(Maat_feather_t feather,short table_id, Maat_finish_callback_t *finish,//u_para void* u_para); + enum MAAT_SCAN_OPT { MAAT_SET_SCAN_DISTRICT=1, //VALUE is a const char*,SIZE= strlen(string).DEFAULT: no default. 
@@ -238,6 +240,46 @@ int Maat_similar_scan_string(Maat_feather_t feather,int table_id ,scan_status_t* mid,int thread_num); void Maat_clean_status(scan_status_t* mid); + +typedef void* MAAT_RULE_EX_DATA; +// The idx parameter is the index: this will be the same value returned by Maat_rule_get_ex_new_index() when the functions were initially registered. +// Finally the argl and argp parameters are the values originally passed to the same corresponding parameters when Maat_rule_get_ex_new_index() was called. +typedef void Maat_rule_EX_new_func_t(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, + MAAT_RULE_EX_DATA* ad, long argl, void *argp); +typedef void Maat_rule_EX_free_func_t(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, + MAAT_RULE_EX_DATA* ad, long argl, void *argp); +typedef void Maat_rule_EX_dup_func_t(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp); + +int Maat_rule_get_ex_new_index(Maat_feather_t feather, const char* compile_table_name, + Maat_rule_EX_new_func_t* new_func, + Maat_rule_EX_free_func_t* free_func, + Maat_rule_EX_dup_func_t* dup_func, + long argl, void *argp); +//returned data is duplicated by dup_func of Maat_rule_get_ex_new_index, caller is responsible to free the data. +MAAT_RULE_EX_DATA Maat_rule_get_ex_data(Maat_feather_t feather, const struct Maat_rule_t* rule, int idx); + +//Helper function for parsing space or tab seperated line. +//Nth_column: the Nth column is numberd from 1. +//Return 0 if success. +int Maat_helper_read_column(const char* line, int Nth_column, size_t *column_offset, size_t *column_len); + + +//Following functions are similar to Maat_rule_get_ex_data, except they are effective on plugin table. 
+typedef void* MAAT_PLUGIN_EX_DATA; +typedef void Maat_plugin_EX_new_func_t(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp); +typedef void Maat_plugin_EX_free_func_t(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp); +typedef void Maat_plugin_EX_dup_func_t(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp); +typedef int Maat_plugin_EX_key2index_func_t(const char* key); + +int Maat_plugin_EX_register(Maat_feather_t feather, int table_id, + Maat_plugin_EX_new_func_t* new_func, + Maat_plugin_EX_free_func_t* free_func, + Maat_plugin_EX_dup_func_t* dup_func, + Maat_plugin_EX_key2index_func_t* key2index_func, + long argl, void *argp); +//Data is duplicated by dup_func of Maat_plugin_EX_register, caller is responsible to free the data. +MAAT_PLUGIN_EX_DATA Maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key); + enum MAAT_RULE_OPT { MAAT_RULE_SERV_DEFINE //VALUE is a char* buffer,SIZE= buffer size. diff --git a/src/inc/moodycamel_maat_rule.cpp b/src/inc/moodycamel_maat_rule.cpp index 7d88947..b00aff0 100644 --- a/src/inc/moodycamel_maat_rule.cpp +++ b/src/inc/moodycamel_maat_rule.cpp 
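Review bot: The comment on `Maat_plugin_get_EX_data` says the data is duplicated by `dup_func` and the caller must free it, but the `Maat_plugin_EX_dup_func_t` signature lets an implementation copy only the pointer (cert_session.c's keyring_table_dup_cb in this same commit does exactly that), and with such a dup "caller frees" would double-free against `free_func` on the next table update, while not freeing risks use-after-free once the update drops the row. State the contract precisely: when dup_func is invoked (per get, or once per table copy), whether a returned pointer can be invalidated by a concurrent update, and which call releases it. `Maat_plugin_EX_key2index_func_t` and the plugin variant's `argl`/`argp` are also undocumented; a one-line comment each, in the style of the rule-EX block above, would do.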
@@ -9,41 +9,50 @@ using namespace std; -#include "Maat_rule.h" +#include -extern "C" Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger); -extern "C" int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size); -extern "C" int Maat_inter_initiate_feather(Maat_feather_t feather); -extern "C" int Maat_inter_table_register(Maat_feather_t feather,const char* table_name); -extern "C" void Maat_inter_burn_feather(Maat_feather_t feather); -extern "C" int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id, +extern "C" Maat_feather_t maat_feather(int max_thread_num,const char* table_info_path,void* logger); +extern "C" int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size); +extern "C" int maat_initiate_feather(Maat_feather_t feather); +extern "C" int maat_table_register(Maat_feather_t feather,const char* table_name); +extern "C" void matt_burn_feather(Maat_feather_t feather); +extern "C" int maat_inter_table_callback_register(Maat_feather_t feather,short table_id, Maat_start_callback_t *start, Maat_update_callback_t *update, Maat_finish_callback_t *finish, void* u_para); -extern "C" int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size); +extern "C" int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size); -Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger) +extern "C" MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key); + +extern "C" int maat_plugin_EX_register(Maat_feather_t feather, int table_id, + Maat_plugin_EX_new_func_t* new_func, + Maat_plugin_EX_free_func_t* free_func, + Maat_plugin_EX_dup_func_t* dup_func, + Maat_plugin_EX_key2index_func_t* key2index_func, + long argl, void *argp); + +Maat_feather_t maat_feather(int max_thread_num,const char* 
table_info_path,void* logger) { return Maat_feather(max_thread_num, table_info_path, logger); } -int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size) +int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size) { return Maat_set_feather_opt(feather, type, value, size); } -int Maat_inter_initiate_feather(Maat_feather_t feather) +int maat_initiate_feather(Maat_feather_t feather) { return Maat_initiate_feather(feather); } -int Maat_inter_table_register(Maat_feather_t feather,const char* table_name) +int maat_table_register(Maat_feather_t feather,const char* table_name) { return Maat_table_register(feather, table_name); } -int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id, +int maat_inter_table_callback_register(Maat_feather_t feather,short table_id, Maat_start_callback_t *start, Maat_update_callback_t *update, Maat_finish_callback_t *finish, 
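Review bot: `+extern "C" void matt_burn_feather(Maat_feather_t feather);` misspells the new prefix (`matt_` instead of `maat_`), and `maat_inter_table_callback_register` keeps the old `inter` infix that every sibling dropped; these are exported C symbols, so once a consumer links against them the names become ABI and a later correction is a second breaking rename. Change them to `maat_burn_feather` and `maat_table_callback_register` here, in the definitions in the next hunk of this file, and in the moodycamel_maat_rule.h hunk. Separately, the `+#include` target is not visible in this rendering, so I cannot tell whether the .cpp now includes moodycamel_maat_rule.h; if it does not, the `extern "C"` prototypes re-declared here can drift from the header's without any compiler diagnostic, and including the header instead of redeclaring would close that gap. The hunk ends part-way through the `maat_inter_table_callback_register` definition.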
@@ -52,15 +61,30 @@ int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id, return Maat_table_callback_register(feather, table_id, start, update, finish, u_para); } -int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size) + +int maat_plugin_EX_register(Maat_feather_t feather, int table_id, + Maat_plugin_EX_new_func_t* new_func, + Maat_plugin_EX_free_func_t* free_func, + Maat_plugin_EX_dup_func_t* dup_func, + Maat_plugin_EX_key2index_func_t* key2index_func, + long argl, void *argp) +{ + return Maat_plugin_EX_register(feather,table_id,new_func,free_func,dup_func,key2index_func,argl,argp); +} + +MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key) +{ + return Maat_plugin_get_EX_data(feather, table_id, key); +} + +int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size) { return Maat_read_state(feather, type, value, size); } -void Maat_inter_burn_feather(Maat_feather_t feather) +void matt_burn_feather(Maat_feather_t feather) { return Maat_burn_feather(feather); } - diff --git a/src/inc/moodycamel_maat_rule.h b/src/inc/moodycamel_maat_rule.h index 3251e09..39d72e1 100644 --- a/src/inc/moodycamel_maat_rule.h +++ b/src/inc/moodycamel_maat_rule.h 
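Review bot: The new `maat_plugin_get_EX_data` wrapper hands back an object the caller owns — the Maat_rule.h hunk says `Data is duplicated by dup_func of Maat_plugin_EX_register, caller is responsible to free the data` — but nothing at this C boundary says so, and a wrapper is exactly where that obligation gets lost. Add above the definition: `// Returns a caller-owned copy made by the registered dup_func; release it with the matching free_func.`. As a point of style, `maat_plugin_EX_register` packs its forwarded arguments as `feather,table_id,new_func,free_func,dup_func,key2index_func,argl,argp` while the sibling right below writes `feather, table_id, key`; pick one spacing for the file.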
@@ -49,22 +49,36 @@ typedef void Maat_start_callback_t(int update_type,void* u_para); typedef void Maat_update_callback_t(int table_id,const char* table_line,void* u_para); typedef void Maat_finish_callback_t(void* u_para); -Maat_feather_t Maat_inter_feather(int max_thread_num,const char* table_info_path,void* logger); +typedef void* MAAT_PLUGIN_EX_DATA; +typedef void Maat_plugin_EX_new_func_t(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp); +typedef void Maat_plugin_EX_free_func_t(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp); +typedef void Maat_plugin_EX_dup_func_t(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp); +typedef int Maat_plugin_EX_key2index_func_t(const char* key); -int Maat_inter_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size); +Maat_feather_t maat_feather(int max_thread_num,const char* table_info_path,void* logger); -int Maat_inter_initiate_feather(Maat_feather_t feather); +int maat_set_feather_opt(Maat_feather_t feather,enum MAAT_INIT_OPT type,const void* value,int size); -int Maat_inter_table_register(Maat_feather_t feather,const char* table_name); +int maat_initiate_feather(Maat_feather_t feather); -int Maat_inter_table_callback_register(Maat_feather_t feather,short table_id, +int maat_table_register(Maat_feather_t feather,const char* table_name); + +int maat_inter_table_callback_register(Maat_feather_t feather,short table_id, Maat_start_callback_t *start, Maat_update_callback_t *update, Maat_finish_callback_t *finish, void* u_para); -int Maat_inter_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size); +MAAT_PLUGIN_EX_DATA maat_plugin_get_EX_data(Maat_feather_t feather, int table_id, const char* key); -void Maat_inter_burn_feather(Maat_feather_t feather); +int maat_plugin_EX_register(Maat_feather_t feather, int table_id, + Maat_plugin_EX_new_func_t* new_func, + 
Maat_plugin_EX_free_func_t* free_func, + Maat_plugin_EX_dup_func_t* dup_func, + Maat_plugin_EX_key2index_func_t* key2index_func, + long argl, void *argp); +int maat_read_state(Maat_feather_t feather, enum MAAT_STATE_OPT type, void* value, int size); + +void matt_burn_feather(Maat_feather_t feather); #endif
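Review bot: The ownership note that Maat_rule.h attaches to `Maat_plugin_get_EX_data` (`Data is duplicated by dup_func ..., caller is responsible to free the data`) is not carried over to `maat_plugin_get_EX_data` in this header, which is the declaration C consumers will actually read; without it the returned copy is leaked or released with the wrong deallocator. Add above it: `// Returns a copy made by the dup_func registered via maat_plugin_EX_register; caller releases it with the matching free_func.` — whether NULL is returned for an unknown key is not visible here and should be stated once confirmed. `Maat_plugin_EX_key2index_func_t` also needs a contract comment, since its int result comes from user code fed with table content: say whether a negative value means "not handled" and whether the library bounds-checks the index before using it or expects the callback to. Whether these declarations sit inside an `extern "C"` block is outside the hunk; only the closing `#endif` is visible.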