[8bd77b5] | 1 | /** |
---|
| 2 | ** abac_verifier.c |
---|
| 3 | **/ |
---|
[53e540d] | 4 | |
---|
| 5 | // include the GNU extension of asprintf |
---|
| 6 | #define _GNU_SOURCE |
---|
| 7 | |
---|
[5110d42] | 8 | #include <stdio.h> |
---|
[d037f54] | 9 | #include <sys/types.h> |
---|
[186cb75] | 10 | #include <assert.h> |
---|
| 11 | |
---|
[5450aeb] | 12 | #include <library.h> |
---|
| 13 | |
---|
[2e9455f] | 14 | #include <chunk.h> |
---|
[8bd77b5] | 15 | #include "abac_internal.h" |
---|
[3c251d0] | 16 | #include "abac_util.h" |
---|
[2e9455f] | 17 | #include "abac_context.h" |
---|
| 18 | #include "abac_list.h" |
---|
| 19 | #include "abac_stack.h" |
---|
| 20 | #include "uthash.h" |
---|
| 21 | #include "abac_id.h" |
---|
| 22 | #include "abac_attribute.h" |
---|
| 23 | #include "abac_pl_yap.h" |
---|
[5450aeb] | 24 | |
---|
[8bd77b5] | 25 | static int debug=0; |
---|
[2e9455f] | 26 | static int hack=1; |
---|
[ba6027a] | 27 | |
---|
[2e9455f] | 28 | /* need to add locks onto theseXXX */ |
---|
| 29 | /* hash table base on sha with a p */ |
---|
[8bd77b5] | 30 | struct _abac_id_credential_t { |
---|
[2e9455f] | 31 | char *hashkeyid; |
---|
[8bd77b5] | 32 | abac_id_t *id; |
---|
[5450aeb] | 33 | UT_hash_handle hh; |
---|
[202a7f9] | 34 | }; |
---|
[5450aeb] | 35 | |
---|
[da5afdf] | 36 | /* can store either role or oset */ |
---|
[401a054] | 37 | struct _abac_credential_t { |
---|
[8bd77b5] | 38 | char *hashkeyid; |
---|
| 39 | abac_attribute_t *attr; |
---|
[53e540d] | 40 | UT_hash_handle hh; |
---|
[8bd77b5] | 41 | }; |
---|
[202a7f9] | 42 | |
---|
[2e9455f] | 43 | typedef struct _abac_verifier_session_t { |
---|
| 44 | abac_list_t *contexts; |
---|
| 45 | char *stub; /* namespace stub */ |
---|
[6244e28] | 46 | |
---|
[2e9455f] | 47 | abac_id_credential_t *id_creds; |
---|
| 48 | /* linked list of all the ids's hashkeyid */ |
---|
| 49 | abac_list_t *id_hashkeyid_list; |
---|
[5450aeb] | 50 | |
---|
[2e9455f] | 51 | /* hash table base on encoded attr rule */ |
---|
| 52 | /* can store either role or oset */ |
---|
| 53 | abac_credential_t *attr_creds; |
---|
| 54 | abac_list_t *attr_hashkeyid_list; |
---|
[5450aeb] | 55 | |
---|
[2e9455f] | 56 | } abac_verifier_session_t; |
---|
[5450aeb] | 57 | |
---|
[8bd77b5] | 58 | |
---|
[2e9455f] | 59 | /* **GLOBAL** the one and only */ |
---|
| 60 | abac_verifier_session_t *abac_session=NULL; |
---|
[8bd77b5] | 61 | |
---|
[2e9455f] | 62 | /* local */ |
---|
| 63 | abac_id_t *abac_id_credential_id(abac_id_credential_t *ptr); |
---|
| 64 | char *abac_idtype_string(int i); |
---|
[d0efdec] | 65 | abac_credential_t *abac_credential_dup(abac_credential_t *ptr); |
---|
[2e9455f] | 66 | /****************************************************************/ |
---|
| 67 | void show_debug_info(const char *msg) |
---|
[5110d42] | 68 | { |
---|
[2e9455f] | 69 | int ctxt_sz=0; |
---|
| 70 | int id_sz=0; |
---|
| 71 | int attr_sz=0; |
---|
| 72 | if(abac_session !=NULL) { |
---|
| 73 | ctxt_sz=abac_list_size(abac_session->contexts); |
---|
| 74 | id_sz=abac_list_size(abac_session->id_hashkeyid_list); |
---|
| 75 | attr_sz=abac_list_size(abac_session->attr_hashkeyid_list); |
---|
| 76 | } |
---|
| 77 | fprintf(stderr,"/* ===== %s ======== */\n",msg); |
---|
| 78 | fprintf(stderr," number of contexts: %d\n",ctxt_sz); |
---|
| 79 | fprintf(stderr," number of principals: %d\n",id_sz); |
---|
| 80 | fprintf(stderr," number of attributes: %d\n",attr_sz); |
---|
| 81 | |
---|
[5110d42] | 82 | } |
---|
| 83 | |
---|
[2e9455f] | 84 | static void _check_id_cred(abac_id_credential_t *id_cred) |
---|
[8bd77b5] | 85 | { |
---|
| 86 | if(id_cred) { |
---|
[d0efdec] | 87 | printf("checking on this id_cred location %ld\n", (long)id_cred); |
---|
[8bd77b5] | 88 | printf(" --> sha is (%s)\n", abac_id_keyid(id_cred->id)); |
---|
| 89 | printf(" --> cn is (%s)\n", abac_id_cn(id_cred->id)); |
---|
[202a7f9] | 90 | } |
---|
| 91 | } |
---|
| 92 | |
---|
[2e9455f] | 93 | /* retrieve the cn that is associated with this sha_string, checking |
---|
| 94 | with just the master list */ |
---|
| 95 | char *abac_cn_with_sha(char *sha_string) |
---|
[2efdff5] | 96 | { |
---|
[2e9455f] | 97 | // get the issuer based on keyid |
---|
| 98 | abac_id_credential_t *id_cred; |
---|
| 99 | HASH_FIND_STR(abac_session->id_creds, sha_string, id_cred); |
---|
| 100 | if (id_cred == NULL) { |
---|
[2efdff5] | 101 | return NULL; |
---|
[5110d42] | 102 | } |
---|
[2e9455f] | 103 | if(debug) |
---|
| 104 | _check_id_cred(id_cred); |
---|
| 105 | return abac_id_cn(id_cred->id); |
---|
[5110d42] | 106 | } |
---|
| 107 | |
---|
[2e9455f] | 108 | char *abac_idtype_with_sha(char* sha_string) |
---|
[ba6027a] | 109 | { |
---|
[2e9455f] | 110 | // get the issuer based on keyid |
---|
| 111 | abac_id_credential_t *id_cred; |
---|
| 112 | HASH_FIND_STR(abac_session->id_creds, sha_string, id_cred); |
---|
| 113 | if (id_cred == NULL) { |
---|
| 114 | // this id, sha string is not in the db... |
---|
| 115 | DEBUG_PRINTF("abac_idtype_with_sha: this id is not in the id_creds list\n"); |
---|
| 116 | return NULL; |
---|
[ba6027a] | 117 | } |
---|
[2e9455f] | 118 | int idtype=abac_id_idtype(id_cred->id); |
---|
| 119 | return abac_idtype_string(idtype); |
---|
[ba6027a] | 120 | } |
---|
[5110d42] | 121 | |
---|
[2e9455f] | 122 | /****************************************************************/ |
---|
| 123 | /** |
---|
| 124 | * abac_credential_t |
---|
| 125 | **/ |
---|
| 126 | abac_id_credential_t *abac_id_credential_new(abac_id_t *a_id) |
---|
[202a7f9] | 127 | { |
---|
[2e9455f] | 128 | char *keyid=abac_id_keyid(a_id); |
---|
| 129 | |
---|
| 130 | abac_id_credential_t *id_cred = abac_xmalloc(sizeof(abac_id_credential_t)); |
---|
| 131 | id_cred->hashkeyid = abac_xstrdup(keyid); |
---|
| 132 | id_cred->id=abac_id_dup(a_id); |
---|
| 133 | return id_cred; |
---|
[202a7f9] | 134 | } |
---|
| 135 | |
---|
[2e9455f] | 136 | abac_id_credential_t *abac_id_credential_dup(abac_id_credential_t *ptr) |
---|
| 137 | { |
---|
[8bd77b5] | 138 | assert(ptr != NULL); |
---|
[2e9455f] | 139 | DEBUG_PRINTF("calling abac_id_credential_dup, increment id ref count\n"); |
---|
[8bd77b5] | 140 | abac_id_dup(ptr->id); |
---|
| 141 | return ptr; |
---|
| 142 | } |
---|
| 143 | |
---|
| 144 | abac_id_t *abac_id_credential_id(abac_id_credential_t *ptr) |
---|
[da5afdf] | 145 | { |
---|
[8bd77b5] | 146 | assert(ptr); |
---|
| 147 | return ptr->id; |
---|
| 148 | } |
---|
[53e540d] | 149 | |
---|
[2e9455f] | 150 | char *abac_id_credential_hashkey(abac_id_credential_t *ptr) |
---|
| 151 | { |
---|
| 152 | assert(ptr); |
---|
| 153 | return ptr->hashkeyid; |
---|
| 154 | } |
---|
| 155 | |
---|
| 156 | /* XXX needs to lock this !! */ |
---|
| 157 | void abac_add_id_cred(abac_id_credential_t *id_cred) |
---|
| 158 | { |
---|
| 159 | HASH_ADD_KEYPTR(hh, abac_session->id_creds, id_cred->hashkeyid, |
---|
| 160 | strlen(id_cred->hashkeyid), id_cred); |
---|
| 161 | abac_list_add(abac_session->id_hashkeyid_list, |
---|
| 162 | abac_xstrdup(id_cred->hashkeyid)); |
---|
| 163 | |
---|
| 164 | DEBUG_PRINTF("-->adding into master id_creds, key(%s)..idx(%d)sz(%d)\n", |
---|
| 165 | id_cred->hashkeyid, HASH_COUNT(abac_session->id_creds), |
---|
| 166 | abac_list_size(abac_session->id_hashkeyid_list)); |
---|
| 167 | } |
---|
[53e540d] | 168 | |
---|
[2e9455f] | 169 | abac_id_credential_t *abac_check_id_cred(char *keyid) |
---|
[8bd77b5] | 170 | { |
---|
| 171 | abac_id_credential_t *id_cred=NULL; |
---|
[2e9455f] | 172 | HASH_FIND_STR(abac_session->id_creds, keyid, id_cred); |
---|
| 173 | return id_cred; |
---|
[8bd77b5] | 174 | } |
---|
[7727f26] | 175 | |
---|
[8bd77b5] | 176 | void abac_id_credential_free(abac_id_credential_t *ptr) |
---|
| 177 | { |
---|
[2e9455f] | 178 | char *keyid=ptr->hashkeyid; |
---|
| 179 | int found=0; |
---|
[53e540d] | 180 | |
---|
[2e9455f] | 181 | DEBUG_PRINTF("abac_id_credential_free: keyid(%s)\n", keyid); |
---|
| 182 | |
---|
| 183 | char *cur=NULL; |
---|
| 184 | abac_list_foreach(abac_session->id_hashkeyid_list, cur, |
---|
| 185 | if(strcmp(cur,keyid)==0) { |
---|
| 186 | found=1; |
---|
| 187 | break; |
---|
| 188 | } |
---|
| 189 | ); |
---|
| 190 | assert(found==1); // big panic |
---|
[5110d42] | 191 | |
---|
[2e9455f] | 192 | // this is very tricky... |
---|
[8bd77b5] | 193 | int last=abac_id_lastone(ptr->id); |
---|
| 194 | if(!last) { |
---|
| 195 | abac_id_free(ptr->id); |
---|
| 196 | } else { |
---|
[2e9455f] | 197 | DEBUG_PRINTF("abac_id_credential_free: deleting id (%s)(%s)\n",abac_id_name(ptr->id), cur); |
---|
| 198 | abac_list_remove(abac_session->id_hashkeyid_list, cur); |
---|
| 199 | free(cur); |
---|
| 200 | |
---|
[8bd77b5] | 201 | free(ptr->hashkeyid); |
---|
| 202 | abac_id_free(ptr->id); |
---|
[2e9455f] | 203 | HASH_DEL(abac_session->id_creds, ptr); |
---|
[8bd77b5] | 204 | free(ptr); |
---|
[53e540d] | 205 | } |
---|
[da5afdf] | 206 | } |
---|
| 207 | |
---|
[2e9455f] | 208 | /****************************************************************/ |
---|
| 209 | /** |
---|
| 210 | * abac_credential_t |
---|
| 211 | **/ |
---|
[8bd77b5] | 212 | |
---|
[2e9455f] | 213 | abac_credential_t *abac_credential_new(abac_attribute_t *attr, char* key) |
---|
[da5afdf] | 214 | { |
---|
[2e9455f] | 215 | abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t)); |
---|
| 216 | cred->hashkeyid=abac_xstrdup(key); |
---|
| 217 | cred->attr=abac_attribute_dup(attr); |
---|
| 218 | return cred; |
---|
| 219 | } |
---|
[53e540d] | 220 | |
---|
[2e9455f] | 221 | abac_attribute_t *abac_credential_attribute(abac_credential_t *ptr) |
---|
| 222 | { |
---|
| 223 | assert(ptr!=NULL); |
---|
| 224 | return ptr->attr; |
---|
| 225 | } |
---|
[53e540d] | 226 | |
---|
[2e9455f] | 227 | abac_credential_t *abac_credential_dup(abac_credential_t *ptr) |
---|
| 228 | { |
---|
| 229 | assert(ptr != NULL); |
---|
| 230 | abac_attribute_dup(ptr->attr); |
---|
| 231 | return ptr; |
---|
| 232 | } |
---|
[8bd77b5] | 233 | |
---|
[2e9455f] | 234 | void abac_add_cred(abac_credential_t *cred) |
---|
| 235 | { |
---|
| 236 | HASH_ADD_KEYPTR(hh, abac_session->attr_creds, cred->hashkeyid, |
---|
| 237 | strlen(cred->hashkeyid), cred); |
---|
| 238 | abac_list_add(abac_session->attr_hashkeyid_list, |
---|
| 239 | abac_xstrdup(cred->hashkeyid)); |
---|
[53e540d] | 240 | |
---|
[2e9455f] | 241 | DEBUG_PRINTF("-->adding into master attr_creds, key(%s)..idx(%d)sz(%d)\n", |
---|
| 242 | abac_decode_string(cred->hashkeyid), HASH_COUNT(abac_session->attr_creds), |
---|
| 243 | abac_list_size(abac_session->attr_hashkeyid_list)); |
---|
| 244 | } |
---|
[53e540d] | 245 | |
---|
[9b43fc3] | 246 | |
---|
[2e9455f] | 247 | abac_aspect_t *abac_credential_head(abac_credential_t *cred) |
---|
| 248 | { |
---|
| 249 | return abac_attribute_head(cred->attr); |
---|
| 250 | } |
---|
[9b43fc3] | 251 | |
---|
[2e9455f] | 252 | abac_aspect_t *abac_credential_tail(abac_credential_t *cred) |
---|
| 253 | { |
---|
| 254 | return abac_attribute_tail(cred->attr); |
---|
| 255 | } |
---|
[da5afdf] | 256 | |
---|
[2e9455f] | 257 | char *abac_credential_hashkey(abac_credential_t *ptr) |
---|
| 258 | { |
---|
| 259 | assert(ptr); |
---|
| 260 | return ptr->hashkeyid; |
---|
| 261 | } |
---|
[da5afdf] | 262 | |
---|
[2e9455f] | 263 | abac_credential_t *abac_check_cred(char *keyid) |
---|
| 264 | { |
---|
| 265 | abac_credential_t *cred=NULL; |
---|
| 266 | HASH_FIND_STR(abac_session->attr_creds, keyid, cred); |
---|
| 267 | return cred; |
---|
[da5afdf] | 268 | } |
---|
[8bd77b5] | 269 | |
---|
[da5afdf] | 270 | /** |
---|
[2e9455f] | 271 | * Decrease the reference count of a credential, freeing it when it reaches 0. |
---|
[da5afdf] | 272 | */ |
---|
[2e9455f] | 273 | void abac_credential_free(abac_credential_t *ptr) |
---|
| 274 | { |
---|
| 275 | /* first make sure it is there */ |
---|
| 276 | char *keyid=ptr->hashkeyid; |
---|
| 277 | int found=0; |
---|
[da5afdf] | 278 | |
---|
[2e9455f] | 279 | DEBUG_PRINTF("abac_credential_free: keyid(%s)\n", keyid); |
---|
[da5afdf] | 280 | |
---|
[2e9455f] | 281 | char *cur; |
---|
| 282 | abac_list_foreach(abac_session->attr_hashkeyid_list, cur, |
---|
| 283 | if(strcmp(cur,keyid)==0) { |
---|
| 284 | found=1; |
---|
| 285 | break; |
---|
| 286 | } |
---|
| 287 | ); |
---|
| 288 | assert(found==1); // big panic |
---|
[da5afdf] | 289 | |
---|
[2e9455f] | 290 | // this is very tricky... |
---|
| 291 | int last=abac_attribute_lastone(ptr->attr); |
---|
| 292 | if(!last) { |
---|
| 293 | abac_attribute_free(ptr->attr); |
---|
| 294 | } else { |
---|
[da5afdf] | 295 | |
---|
[2e9455f] | 296 | abac_list_remove(abac_session->attr_hashkeyid_list, cur); |
---|
| 297 | free(cur); |
---|
[da5afdf] | 298 | |
---|
[2e9455f] | 299 | DEBUG_PRINTF("abac_credential_free: real free for (%d)\n",(int) ptr); |
---|
| 300 | free(ptr->hashkeyid); |
---|
| 301 | abac_attribute_free(ptr->attr); |
---|
| 302 | HASH_DEL(abac_session->attr_creds, ptr); |
---|
| 303 | free(ptr); |
---|
[5110d42] | 304 | } |
---|
[2e9455f] | 305 | } |
---|
[5110d42] | 306 | |
---|
[2e9455f] | 307 | /****************************************************************/ |
---|
| 308 | void abac_print_cred_info(abac_credential_t *cred, FILE *fp) |
---|
| 309 | { |
---|
| 310 | if(fp == NULL) |
---|
| 311 | fp=stdout; |
---|
[53e540d] | 312 | |
---|
[2e9455f] | 313 | abac_attribute_t *ptr=cred->attr; |
---|
| 314 | abac_aspect_t *head=abac_attribute_head(ptr); |
---|
| 315 | abac_aspect_t *tail=abac_attribute_tail(ptr); |
---|
[53e540d] | 316 | |
---|
[2e9455f] | 317 | fprintf(fp," "); |
---|
| 318 | abac_print_aspect_string_with_condition(head,fp); |
---|
| 319 | fprintf(fp," <- "); |
---|
| 320 | abac_print_aspect_string_with_condition(tail,fp); |
---|
| 321 | fprintf(fp,"\n"); |
---|
[5450aeb] | 322 | } |
---|
[5f99fbc] | 323 | |
---|
[2e9455f] | 324 | void abac_print_prin_info(abac_id_credential_t *prin, FILE *fp) |
---|
| 325 | { |
---|
| 326 | if(fp == NULL) |
---|
| 327 | fp=stdout; |
---|
[5d06689] | 328 | |
---|
[2e9455f] | 329 | abac_id_t *ptr=abac_id_credential_id(prin); |
---|
| 330 | if(abac_id_has_privkey(ptr)) |
---|
| 331 | fprintf(fp," [%s,%s] #y\n",abac_id_idtype_string(ptr), abac_id_name(ptr)); |
---|
| 332 | else |
---|
| 333 | fprintf(fp," [%s,%s] #n\n", abac_id_idtype_string(ptr), abac_id_name(ptr)); |
---|
| 334 | } |
---|
[5d06689] | 335 | |
---|
[2e9455f] | 336 | void abac_print_typed_cred_info(abac_credential_t *cred, FILE *fp) |
---|
| 337 | { |
---|
| 338 | if(fp == NULL) |
---|
| 339 | fp=stdout; |
---|
[9b43fc3] | 340 | |
---|
[2e9455f] | 341 | abac_attribute_t *ptr=cred->attr; |
---|
| 342 | abac_aspect_t *head=abac_attribute_head(ptr); |
---|
| 343 | abac_aspect_t *tail=abac_attribute_tail(ptr); |
---|
[5d06689] | 344 | |
---|
[2e9455f] | 345 | fprintf(fp," "); |
---|
| 346 | abac_print_aspect_typed_string_with_condition(head,fp); |
---|
| 347 | fprintf(fp," <- "); |
---|
| 348 | abac_print_aspect_typed_string_with_condition(tail,fp); |
---|
| 349 | fprintf(fp,"\n"); |
---|
| 350 | } |
---|
[5d06689] | 351 | |
---|
| 352 | |
---|
[2e9455f] | 353 | /* not duplicated */ |
---|
| 354 | abac_credential_t *abac_credential_lookup(char* cred_string) |
---|
| 355 | { |
---|
| 356 | assert(cred_string); |
---|
| 357 | DEBUG_PRINTF("abac_credential_lookup: looking for (%s)\n", cred_string); |
---|
| 358 | abac_credential_t *attr_cred; |
---|
| 359 | HASH_FIND_STR(abac_session->attr_creds, cred_string, attr_cred); |
---|
| 360 | if (attr_cred == NULL) { |
---|
| 361 | DEBUG_PRINTF("abac_credential_lookup:NOT FOUND..\n"); |
---|
| 362 | return NULL; |
---|
| 363 | } |
---|
| 364 | DEBUG_PRINTF("abac_credential_lookup:FOUND, looking for (%s)\n", cred_string); |
---|
| 365 | abac_credential_t *rt=attr_cred; |
---|
| 366 | return rt; |
---|
| 367 | } |
---|
[9b43fc3] | 368 | |
---|
[2e9455f] | 369 | /* not duplicated */ |
---|
| 370 | abac_id_credential_t *abac_id_credential_lookup(char* name) |
---|
| 371 | { |
---|
| 372 | assert(name); |
---|
| 373 | DEBUG_PRINTF("abac_id_credential_lookup: looking for (%s)\n", name); |
---|
| 374 | abac_id_credential_t *id_cred; |
---|
| 375 | HASH_FIND_STR(abac_session->id_creds, name, id_cred); |
---|
| 376 | if (id_cred == NULL) { |
---|
| 377 | DEBUG_PRINTF("abac_id_credential_lookup:NOT FOUND..\n"); |
---|
| 378 | return NULL; |
---|
| 379 | } |
---|
| 380 | DEBUG_PRINTF(" --> sha is (%s)\n", abac_id_keyid(id_cred->id)); |
---|
| 381 | DEBUG_PRINTF(" --> cn is (%s)\n", abac_id_cn(id_cred->id)); |
---|
| 382 | return id_cred; |
---|
[8bd77b5] | 383 | } |
---|
| 384 | |
---|
[2e9455f] | 385 | /* collect all the creds stored so far for the session */ |
---|
| 386 | abac_stack_t *abac_dump_creds() |
---|
| 387 | { |
---|
| 388 | abac_stack_t *cred_list = abac_stack_new(); |
---|
| 389 | |
---|
| 390 | int cnt=0; |
---|
| 391 | if(abac_session->attr_hashkeyid_list) { |
---|
| 392 | char *keyid; |
---|
| 393 | abac_credential_t *cred; |
---|
| 394 | abac_list_foreach(abac_session->attr_hashkeyid_list, keyid, |
---|
| 395 | cred=abac_credential_lookup(keyid); |
---|
| 396 | abac_stack_push(cred_list, cred); |
---|
| 397 | cnt++; |
---|
| 398 | ); |
---|
| 399 | } |
---|
| 400 | DEBUG_PRINTF("abac_dump_cred: %d\n",cnt); |
---|
| 401 | return cred_list; |
---|
[e898049] | 402 | } |
---|
| 403 | |
---|
[9b43fc3] | 404 | |
---|
[2e9455f] | 405 | /* collect all the id creds stored so far for the session */ |
---|
| 406 | abac_stack_t *abac_dump_principals() |
---|
| 407 | { |
---|
| 408 | abac_stack_t *id_list = abac_stack_new(); |
---|
| 409 | |
---|
| 410 | int cnt=0; |
---|
| 411 | if(abac_session->id_hashkeyid_list) { |
---|
| 412 | char *keyid; |
---|
| 413 | abac_id_credential_t *id; |
---|
| 414 | abac_list_foreach(abac_session->id_hashkeyid_list, keyid, |
---|
| 415 | id=abac_id_credential_lookup(keyid); |
---|
| 416 | abac_stack_push(id_list, id); |
---|
| 417 | cnt++; |
---|
| 418 | ); |
---|
| 419 | } |
---|
| 420 | DEBUG_PRINTF("abac_dump_principals: %d\n",cnt); |
---|
| 421 | return id_list; |
---|
[e898049] | 422 | } |
---|
| 423 | |
---|
[85cdf53] | 424 | /** |
---|
| 425 | * Return the encoding of the attribute cert. |
---|
| 426 | */ |
---|
[401a054] | 427 | abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) { |
---|
[8bd77b5] | 428 | abac_attribute_t *ptr=cred->attr; |
---|
| 429 | certificate_t *cert=abac_attribute_cert(ptr); |
---|
[137b55f] | 430 | chunk_t encoding = chunk_empty; |
---|
| 431 | int rc=cert->get_encoding(cert,CERT_ASN1_DER,&encoding); |
---|
[9efbfbf] | 432 | abac_chunk_t ret = { encoding.ptr, encoding.len }; |
---|
| 433 | return ret; |
---|
[85cdf53] | 434 | } |
---|
| 435 | |
---|
| 436 | /** |
---|
| 437 | * Return the encoding of the issuer cert. |
---|
| 438 | */ |
---|
[2e9455f] | 439 | abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) |
---|
| 440 | { |
---|
[8bd77b5] | 441 | certificate_t *issuer_cert=abac_attribute_issuer_cert(cred->attr); |
---|
| 442 | assert(issuer_cert); |
---|
[137b55f] | 443 | chunk_t encoding = chunk_empty; |
---|
| 444 | // XXX MEI, not sure ?? |
---|
| 445 | int rc=issuer_cert->get_encoding(issuer_cert,CERT_ASN1_DER,&encoding); |
---|
[9efbfbf] | 446 | abac_chunk_t ret = { encoding.ptr, encoding.len }; |
---|
| 447 | return ret; |
---|
[85cdf53] | 448 | } |
---|
[186cb75] | 449 | |
---|
[53e540d] | 450 | |
---|
[2e9455f] | 451 | /****************************************************************/ |
---|
[202a7f9] | 452 | |
---|
[2e9455f] | 453 | void abac_verifier_session_new() |
---|
| 454 | { |
---|
| 455 | assert(abac_session==NULL); |
---|
| 456 | abac_session = abac_xmalloc(sizeof(abac_verifier_session_t)); |
---|
| 457 | abac_session->stub=abac_xstrdup("abac_"); |
---|
| 458 | abac_session->contexts=abac_list_new(); |
---|
[186cb75] | 459 | |
---|
[2e9455f] | 460 | abac_session->attr_hashkeyid_list = abac_list_new(); |
---|
| 461 | abac_session->id_hashkeyid_list = abac_list_new(); |
---|
| 462 | abac_session->id_creds=NULL; |
---|
| 463 | abac_session->attr_creds=NULL; |
---|
| 464 | |
---|
| 465 | abac_pl_init(); |
---|
[186cb75] | 466 | } |
---|
| 467 | |
---|
[2e9455f] | 468 | void abac_verifier_session_free() |
---|
[202a7f9] | 469 | { |
---|
[2e9455f] | 470 | DEBUG_PRINTF("abac_verifier_session_free: freeing...\n"); |
---|
| 471 | if(abac_session->stub) free(abac_session->stub); |
---|
| 472 | |
---|
| 473 | int size=abac_list_size(abac_session->contexts); |
---|
| 474 | if(size) { |
---|
| 475 | abac_context_t *cur; |
---|
| 476 | abac_stack_t *tmp=abac_stack_new(); |
---|
| 477 | abac_list_foreach(abac_session->contexts, cur, |
---|
| 478 | if(cur) abac_stack_push(tmp,cur); |
---|
| 479 | ); |
---|
| 480 | while(size) { |
---|
| 481 | cur=(abac_context_t *) abac_stack_pop(tmp); |
---|
| 482 | abac_context_free(cur); |
---|
| 483 | size--; |
---|
| 484 | } |
---|
| 485 | abac_stack_free(tmp); |
---|
| 486 | } |
---|
| 487 | abac_list_free(abac_session->contexts); |
---|
[9b43fc3] | 488 | |
---|
[2e9455f] | 489 | abac_id_credential_t *ptr; |
---|
| 490 | int id_sz=abac_list_size(abac_session->id_hashkeyid_list); |
---|
| 491 | DEBUG_PRINTF("abac_verifier_session_free: number of ids(%d)\n",id_sz); |
---|
| 492 | while ((ptr = abac_session->id_creds) != NULL) { |
---|
| 493 | DEBUG_PRINTF("abac_verifier_session_free: deleting id (%s)\n",abac_id_name(ptr->id)); |
---|
| 494 | HASH_DEL(abac_session->id_creds, ptr); |
---|
| 495 | free(ptr->hashkeyid); |
---|
| 496 | abac_id_free(ptr->id); |
---|
| 497 | free(ptr); |
---|
[53e540d] | 498 | } |
---|
| 499 | |
---|
[2e9455f] | 500 | abac_credential_t *ptr2; |
---|
| 501 | int attr_sz=abac_list_size(abac_session->attr_hashkeyid_list); |
---|
| 502 | DEBUG_PRINTF("abac_verifier_session_free: number of attrs(%d)\n",attr_sz); |
---|
| 503 | while ((ptr2 = abac_session->attr_creds) != NULL) { |
---|
| 504 | HASH_DEL(abac_session->attr_creds, ptr2); |
---|
| 505 | DEBUG_PRINTF("abac_verifier_session_free: deleting attr hashkey(%s)\n",ptr2->hashkeyid); |
---|
| 506 | free(ptr2->hashkeyid); |
---|
| 507 | abac_attribute_free(ptr2->attr); |
---|
| 508 | free(ptr2); |
---|
| 509 | } |
---|
[202a7f9] | 510 | |
---|
[2e9455f] | 511 | if(abac_session->attr_hashkeyid_list) { |
---|
| 512 | DEBUG_PRINTF("looking to free attr_hashkeyid_list..\n"); |
---|
| 513 | char *cur; |
---|
| 514 | abac_list_foreach(abac_session->attr_hashkeyid_list, cur, |
---|
| 515 | if(cur) free(cur); |
---|
| 516 | ); |
---|
| 517 | abac_list_free(abac_session->attr_hashkeyid_list); |
---|
| 518 | } |
---|
[186cb75] | 519 | |
---|
[2e9455f] | 520 | if(abac_session->id_hashkeyid_list) { |
---|
| 521 | DEBUG_PRINTF("looking to free id_hashkeyid_list..\n"); |
---|
| 522 | char *cur; |
---|
| 523 | abac_list_foreach(abac_session->id_hashkeyid_list, cur, |
---|
| 524 | if(cur) { |
---|
| 525 | DEBUG_PRINTF("hum.. id hashkey being freed.. %s\n", cur); |
---|
| 526 | free(cur); |
---|
| 527 | } |
---|
| 528 | ); |
---|
| 529 | abac_list_free(abac_session->id_hashkeyid_list); |
---|
[da5afdf] | 530 | } |
---|
[2e9455f] | 531 | free(abac_session); |
---|
| 532 | abac_session=NULL; |
---|
[186cb75] | 533 | } |
---|
[53e540d] | 534 | |
---|
[2e9455f] | 535 | /* long int random(void); */ |
---|
| 536 | char *abac_verifier_session_next_namespace() |
---|
[202a7f9] | 537 | { |
---|
[2e9455f] | 538 | char *tmp=NULL; |
---|
| 539 | asprintf(&tmp,"%s_%ld",abac_session->stub,random()); |
---|
| 540 | return tmp; |
---|
[202a7f9] | 541 | } |
---|
| 542 | |
---|
[2e9455f] | 543 | void abac_verifier_session_add_context(abac_context_t *ctx) |
---|
[5110d42] | 544 | { |
---|
[2e9455f] | 545 | abac_list_add(abac_session->contexts, ctx); |
---|
[53e540d] | 546 | } |
---|
| 547 | |
---|
[2e9455f] | 548 | void abac_verifier_session_dump() |
---|
| 549 | { |
---|
| 550 | printf("....SESSION....\n"); |
---|
| 551 | int cnt=abac_list_size(abac_session->contexts); |
---|
| 552 | abac_context_t *cur; |
---|
| 553 | abac_list_foreach(abac_session->contexts, cur, |
---|
| 554 | if(cur) abac_context_dump(cur); |
---|
| 555 | ); |
---|
| 556 | } |
---|
| 557 | |
---|
| 558 | int abac_verifier_session_remove_context(abac_context_t *ctx) |
---|
| 559 | { |
---|
| 560 | int rc=abac_list_remove(abac_session->contexts, ctx); |
---|
| 561 | if(rc!=1) { |
---|
| 562 | DEBUG_PRINTF("abac_verifier_session_remove_context, ??? did not find context\n"); |
---|
| 563 | exit(ABAC_VERIFIER_UNKNOWN_CONTEXT); |
---|
[8bd77b5] | 564 | } |
---|
[2e9455f] | 565 | return rc; |
---|
| 566 | } |
---|
| 567 | |
---|
| 568 | abac_context_t *abac_verifier_session_context_lookup(char *namespace) |
---|
| 569 | { |
---|
| 570 | abac_context_t *cur; |
---|
| 571 | abac_list_foreach(abac_session->contexts, cur, |
---|
| 572 | if(strcmp(abac_context_namespace(cur),namespace)==0) |
---|
| 573 | return cur; |
---|
| 574 | ); |
---|
| 575 | return NULL; |
---|
[923b4dd] | 576 | } |
---|
| 577 | |
---|
[2e9455f] | 578 | /****************************************************************/ |
---|
| 579 | int abac_verify_idtype_type(char *type) { |
---|
| 580 | if (type == NULL) return 0; |
---|
| 581 | return abac_idtype_lookup(type); |
---|
[923b4dd] | 582 | } |
---|
| 583 | |
---|
[2e9455f] | 584 | // verify that cert was issued by issuer |
---|
| 585 | // cert and issuer can be the same, in which case the self-sig is validated |
---|
| 586 | int verify_signature(certificate_t *issuer_cert, certificate_t *cert) |
---|
| 587 | { |
---|
| 588 | /** XXX for strongswan 5.0.1 |
---|
| 589 | if (cert->issued_by(cert, issuer_cert, NULL)) |
---|
| 590 | */ |
---|
| 591 | if (cert->issued_by(cert, issuer_cert)) |
---|
| 592 | if (cert->get_validity(cert, NULL, NULL, NULL)) { |
---|
| 593 | return 1; |
---|
| 594 | } |
---|
| 595 | return 0; |
---|
[923b4dd] | 596 | } |
---|
| 597 | |
---|
[2e9455f] | 598 | /** |
---|
| 599 | * Init the verifier subsystem. |
---|
| 600 | */ |
---|
| 601 | void abac_verifier_init(void) { |
---|
| 602 | // silence all debugging |
---|
| 603 | |
---|
| 604 | DEBUG_PRINTF("abac_verifier_init... init strongswan..\n"); |
---|
| 605 | if (!library_init(NULL)) |
---|
| 606 | exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); |
---|
| 607 | |
---|
| 608 | if (!lib->plugins->load(lib->plugins, NULL, |
---|
| 609 | lib->settings->get_str(lib->settings, "pki.load", PLUGINS))) |
---|
| 610 | exit(SS_RC_INITIALIZATION_FAILED); |
---|
| 611 | |
---|
| 612 | abac_verifier_session_new(); |
---|
| 613 | } |
---|
[923b4dd] | 614 | |
---|
[2e9455f] | 615 | /** |
---|
| 616 | * Uninitialize the system, free up any allocated memory. |
---|
| 617 | */ |
---|
| 618 | void abac_verifier_deinit(void) { |
---|
| 619 | DEBUG_PRINTF("abac_verifier_deinit... being called..\n"); |
---|
| 620 | abac_verifier_session_free(); |
---|
| 621 | /* XXX crashs in swig/python?java, it is as some threads before |
---|
| 622 | getting into library deinit */ |
---|
| 623 | if(!hack) { |
---|
| 624 | DEBUG_PRINTF("now it is time to deinit strongswan lib..\n"); |
---|
| 625 | library_deinit(); |
---|
| 626 | } |
---|
| 627 | } |
---|