// include the GNU extension of asprintf #define _GNU_SOURCE #include #include #include #include #include #include #include "abac_verifier.h" #include "abac_list.h" #include "abac_util.h" #include "abac_rt.h" extern abac_role_t *abac_yy_get_rule_head_role(); extern abac_role_t *abac_yy_get_rule_tail_role(); extern abac_oset_t *abac_yy_get_rule_head_oset(); extern abac_oset_t *abac_yy_get_rule_tail_oset(); extern int abac_yy_get_rule_is_oset(); extern abac_list_t *abac_yy_get_rule_clauses(); extern char* abac_decode_string(char *); extern void abac_yy_free_rule_clauses(); extern char *generate_pl_type_clause(char *, int); /* keeping this a fixed enum is to have tighter control of what are acceptabletypes of keyid are we allowing */ typedef enum _keyidtype_t { e_KEYID = 1, } keyidtype_t; /* keyidname[keyidtype] */ static char * const keyidname[] = { "badidtype", "keyid", 0 }; typedef enum _credtype_t { e_CREDTYPE_ROLE =1, e_CREDTYPE_OSET =2, } credtype_t; static int keyidname_cnt=1; struct _abac_id_cert_t { char *keyid; char *cn; int type; /* keyidtype */ certificate_t *cert; char *clause; UT_hash_handle hh; }; /* can store either role or oset */ struct _abac_credential_t { int type; void *head; void *tail; certificate_t *cert; certificate_t *issuer; abac_list_t *clauses; int refcount; }; typedef struct _abac_str_cred_t { char *strid; abac_credential_t *cred; UT_hash_handle hh; } abac_str_cred_t; abac_id_cert_t *id_certs = NULL; abac_str_cred_t *str_creds = NULL; static int debug=0; static void check_id_cert(abac_id_cert_t *id_cert); extern void abac_print_role_string_with_condition(abac_role_t *role, FILE*); // void abac_print_cred_info(abac_credential_t *cred, FILE *fp) { if(fp == NULL) fp=stdout; if(debug) { fprintf(fp,"---> printing out credential info cred(%d)..\n", (int) cred); if(cred->head) { fprintf(fp," head cred(%d):\n",(int)cred->head); if(cred->type == e_CREDTYPE_ROLE) abac_print_role_string_with_condition((abac_role_t*)cred->head,fp); else abac_print_oset_string_with_condition((abac_oset_t*)cred->head,fp); } if(cred->tail) { fprintf(fp,"\n tail cred(%d):\n",(int)cred->tail); if(cred->type == e_CREDTYPE_ROLE) abac_print_role_string_with_condition((abac_role_t*)cred->tail,fp); else abac_print_oset_string_with_condition((abac_oset_t*)cred->tail,fp); } abac_list_t *clauses=cred->clauses; if (clauses != NULL) { char *cur=NULL; abac_list_foreach(clauses, cur, fprintf(fp,"\n a clause(%d):\n",(int)cur); if(cur) fprintf(fp,"strlen(%d)loc(%d)(%s)\n", strlen(cur),(int)cur, cur); ); } } else { fprintf(fp," "); if(cred->type == e_CREDTYPE_ROLE) abac_print_role_string_with_condition((abac_role_t *)cred->head,fp); else abac_print_oset_string_with_condition((abac_oset_t *)cred->head,fp); fprintf(fp," <- "); if(cred->type == e_CREDTYPE_ROLE) abac_print_role_string_with_condition((abac_role_t *)cred->tail,fp); else abac_print_oset_string_with_condition((abac_oset_t *)cred->tail,fp); fprintf(fp,"\n"); } } // int abac_verify_keyid_type(char *type) { int i; if (type == NULL) return 0; for (i = 1; i <= keyidname_cnt ; i++) if(strcmp(type,keyidname[i])==0) return i; return 0; } char *abac_keyid_type(int i) { return keyidname[i]; } // convert a chunk to a lowercase binary string // malloc's the string static char *_chunk_to_string(chunk_t chunk) { int i; char *ret = abac_xmalloc(chunk.len * 2 + 1); for (i = 0; i < chunk.len; ++i) sprintf(ret + 2 * i, "%02x", chunk.ptr[i]); return ret; } // verify that cert was issued by issuer // cert and issuer can be the same, in which case the self-sig is validated static int _verify_signature(certificate_t *issuer, certificate_t *cert) { if (cert->issued_by(cert, issuer)) if (cert->get_validity(cert, NULL, NULL, NULL)) return 1; return 0; } /** * Init the verifier subsystem. */ void abac_verifier_init(void) { // silence all debugging if (!library_init(NULL)) exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); if (!lib->plugins->load(lib->plugins, NULL, lib->settings->get_str(lib->settings, "pki.load", PLUGINS))) exit(SS_RC_INITIALIZATION_FAILED); } /** * Uninitialize the system, free up any allocated memory. */ void abac_verifier_deinit(void) { abac_id_cert_t *id; while ((id = id_certs) != NULL) { HASH_DEL(id_certs, id); free(id->keyid); free(id->cn); id->cert->destroy(id->cert); free(id); } abac_str_cred_t *id2; while ((id2 = str_creds) != NULL) { HASH_DEL(str_creds, id2); free(id2->strid); free(id2); } library_deinit(); } /** * Load an ID certificate. */ static int _load_id(certificate_t *cert, abac_id_cert_t **id_cert_ret) { abac_id_cert_t *id_cert = NULL; char *keyid = NULL; chunk_t id; int ret; x509_t *x509 = (x509_t *)cert; assert(cert != NULL); // get the key ID id = x509->get_subjectKeyIdentifier(x509); keyid = _chunk_to_string(id); /* Mike said this is the way it is */ char *str; int rv = asprintf(&str, "%Y", cert->get_issuer(cert)); /* add p to cn name here */ char *cn=(char *)abac_xmalloc(strlen(str)+2); cn[0]='p'; int n=sscanf(str,"CN=%s", &(cn[1])); if ( n!=1 ) { ret = ABAC_CERT_BAD_CN; goto error; } if(debug) { printf ("DEBUG:keyid %s \n", keyid); printf( "DEBUG:issuer '%s' \n", str); printf ("DEBUG:cn %s \n", cn); } free(str); // if we already have this cert 'error' with success HASH_FIND_STR(id_certs, keyid, id_cert); if (id_cert != NULL) { ret = ABAC_CERT_SUCCESS; goto error; } // validate sig ret = _verify_signature(cert, cert); if (!ret) { ret = ABAC_CERT_BAD_SIG; goto error; } // success, add the key to the map of certificates id_cert = abac_xmalloc(sizeof(abac_id_cert_t)); id_cert->keyid = keyid; id_cert->cert = cert; id_cert->cn = cn; id_cert->type = e_KEYID; id_cert->clause = generate_pl_type_clause(cn, id_cert->type); HASH_ADD_KEYPTR(hh, id_certs, id_cert->keyid, strlen(id_cert->keyid), id_cert); *id_cert_ret=id_cert; return ABAC_CERT_SUCCESS; error: if (keyid != NULL) free(keyid); if (cn != NULL) free(cn); return ret; } static void check_id_cert(abac_id_cert_t *id_cert) { if(id_cert) { printf("checking on this id_cert %d\n", (int)id_cert); printf(" --> sha is (%s)\n", id_cert->keyid); printf(" --> cn is (%s)\n", id_cert->cn); } } /** * Load an attribute cert as string. * have minimum syntax & validity check */ static int _load_attribute_string(char* attr_string) { printf("NOT implemented yet!!!"); return ABAC_CERT_INVALID; } /** * Load an ID cert from a file. */ int abac_verifier_load_id_file(char *filename, abac_id_cert_t **id_cert_ret) { if (lib == NULL) errx(1, "looks like you didn't call libabac_init() (lib is NULL)"); // load the cert certificate_t *cert = lib->creds->create( lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, filename, BUILD_X509_FLAG, X509_AA, // attribute authority, dumb BUILD_END ); if (cert == NULL) return ABAC_CERT_INVALID; return _load_id(cert,id_cert_ret); } /** * Load an ID cert from a chunk. */ int abac_verifier_load_id_chunk(chunk_t chunk, abac_id_cert_t **id_cert_ret) { // load the cert certificate_t *cert = lib->creds->create( lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB_ASN1_DER, chunk, BUILD_X509_FLAG, X509_AA, // attribute authority, dumb BUILD_END ); if (cert == NULL) return ABAC_CERT_INVALID; return _load_id(cert,id_cert_ret); } void abac_print_clauses(abac_list_t *clauses, FILE *fp) { if (clauses != NULL) { char *cur; printf("total-- %d clauses\n", abac_list_size(clauses)); abac_list_foreach(clauses, cur, if(cur) { if(fp) fprintf (fp,"a clause, %d(%s)\n", (int)cur,cur); else printf ("a clause, %d(%s)\n", (int)cur,cur); } ); } } static int _verify_valid_role_credential(certificate_t *cert, abac_credential_t **cred_ret, char *encoded_attr_string) { abac_role_t *head_role = NULL; abac_role_t *tail_role = NULL; abac_list_t *clauses=NULL; abac_id_cert_t *issuer; int ret, i; // get the attr head_role = abac_yy_get_rule_head_role(); tail_role = abac_yy_get_rule_tail_role(); clauses = abac_yy_get_rule_clauses(); // get the issuer based on keyid char *principalname = abac_role_principal(head_role); HASH_FIND_STR(id_certs, principalname, issuer); if (issuer == NULL) { ret = ABAC_CERT_MISSING_ISSUER; goto error; } // make sure the issuer's signed it ret = _verify_signature(issuer->cert, cert); if (!ret) { abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG); goto error; } // at this point we know we have a good attribute cert abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t)); cred->type= e_CREDTYPE_ROLE; cred->head = head_role; cred->tail = tail_role; cred->cert = cert; cred->issuer = issuer->cert->get_ref(issuer->cert); cred->clauses = clauses; cred->refcount = 1; *cred_ret = cred; // success, add the key to the map of certificates abac_str_cred_t *str_cred; str_cred=abac_xmalloc(sizeof(abac_str_cred_t)); str_cred->strid=strdup(encoded_attr_string); str_cred->cred=cred; HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred); return ABAC_CERT_SUCCESS; error: if (head_role) abac_role_free(head_role); if (tail_role) abac_role_free(tail_role); abac_yy_free_rule_clauses(); return ret; } static int _verify_valid_oset_credential(certificate_t *cert, abac_credential_t **cred_ret, char *encoded_attr_string) { abac_oset_t *head_oset = NULL; abac_oset_t *tail_oset = NULL; abac_list_t *clauses=NULL; abac_id_cert_t *issuer; int ret, i; // get the attr head_oset = abac_yy_get_rule_head_oset(); tail_oset = abac_yy_get_rule_tail_oset(); clauses = abac_yy_get_rule_clauses(); // get the issuer based on keyid char *principalname = abac_oset_principal(head_oset); HASH_FIND_STR(id_certs, principalname, issuer); if (issuer == NULL) { ret = ABAC_CERT_MISSING_ISSUER; goto error; } // make sure the issuer's signed it ret = _verify_signature(issuer->cert, cert); if (!ret) { abac_yy_set_error_code(ABAC_RT_CERT_BAD_SIG); goto error; } // at this point we know we have a good attribute cert abac_credential_t *cred = abac_xmalloc(sizeof(abac_credential_t)); cred->type= e_CREDTYPE_OSET; cred->head = head_oset; cred->tail = tail_oset; cred->cert = cert; cred->issuer = issuer->cert->get_ref(issuer->cert); cred->clauses = clauses; cred->refcount = 1; *cred_ret = cred; // success, add the key to the map of certificates abac_str_cred_t *str_cred; str_cred=abac_xmalloc(sizeof(abac_str_cred_t)); str_cred->strid=strdup(encoded_attr_string); str_cred->cred=cred; HASH_ADD_KEYPTR(hh, str_creds, str_cred->strid, strlen(str_cred->strid), str_cred); return ABAC_CERT_SUCCESS; error: if (head_oset) abac_oset_free(head_oset); if (tail_oset) abac_oset_free(tail_oset); abac_yy_free_rule_clauses(); return ret; } /** * Load an attribute cert. * Returns true only if the certificate is valid and is issued by the proper * authority. */ static int _load_attribute_cert(certificate_t *cert, abac_credential_t **cred_ret) { ietf_attributes_t *attr_cert = NULL; abac_id_cert_t *issuer; int ret, i; // get the attr ac_t *ac = (ac_t *)cert; attr_cert = ac->get_groups(ac); if (attr_cert == NULL) { ret = ABAC_CERT_INVALID; goto error; } char *encoded_attr_string=attr_cert->get_string(attr_cert); char *attr_string = abac_decode_string(encoded_attr_string); if(debug) printf("string to be yyparse..(%s)\n",attr_string); if (attr_string == NULL) { ret = ABAC_CERT_INVALID; goto error; } /* call into yacc parser */ abac_reset_yyfptr(attr_string); abac_yy_init(); int rc=yyparse(); if (rc) { ret = ABAC_CERT_INVALID; goto error; } if(abac_yy_get_rule_is_oset()) { ret=_verify_valid_oset_credential(cert,cred_ret,encoded_attr_string); } else { ret=_verify_valid_role_credential(cert,cred_ret,encoded_attr_string); } // free up some crap attr_cert->destroy(attr_cert); return ABAC_CERT_SUCCESS; error: if (cert) cert->destroy(cert); if (attr_cert) attr_cert->destroy(attr_cert); return ret; } /** * Load an attribute cert from a file. */ int abac_verifier_load_attribute_cert_file(char *filename, abac_credential_t **cred) { // load the cert certificate_t *cert = lib->creds->create( lib->creds, CRED_CERTIFICATE, CERT_X509_AC, BUILD_FROM_FILE, filename, BUILD_END ); if (cert == NULL) return ABAC_CERT_INVALID; return _load_attribute_cert(cert, cred); } /** * Load attribute cert rules from a file. (this should only be used to test) */ int abac_verifier_load_certs_file(char *filename) { size_t nbytes=0; char *input=NULL; FILE *fp; int ret; fp=fopen(filename, "r"); if(fp == NULL) return ABAC_CERT_INVALID; while( (ret=getline(&input, &nbytes, fp)) != -1 ) { ret=_load_attribute_string(input); free(input); if(ret != ABAC_CERT_SUCCESS ) fclose(fp); return ret; } fclose(fp); return ABAC_CERT_SUCCESS; } /** * Load an attribute cert from a chunk. */ int abac_verifier_load_attribute_cert_chunk(chunk_t chunk, abac_credential_t **cred) { // load the cert certificate_t *cert = lib->creds->create( lib->creds, CRED_CERTIFICATE, CERT_X509_AC, BUILD_BLOB_ASN1_DER, chunk, BUILD_END ); if (cert == NULL) return ABAC_CERT_INVALID; return _load_attribute_cert(cert, cred); } /** * Return the encoding of the attribute cert. */ abac_chunk_t abac_credential_attribute_cert(abac_credential_t *cred) { chunk_t encoding = cred->cert->get_encoding(cred->cert); abac_chunk_t ret = { encoding.ptr, encoding.len }; return ret; } /** * Return the encoding of the issuer cert. */ abac_chunk_t abac_credential_issuer_cert(abac_credential_t *cred) { chunk_t encoding = cred->issuer->get_encoding(cred->issuer); abac_chunk_t ret = { encoding.ptr, encoding.len }; return ret; } /** * Return the clause of the cert */ abac_list_t *abac_credential_clauses(abac_credential_t *cred) { return cred->clauses; } /** * Increase the ref count of a credential. */ abac_credential_t *abac_credential_dup(abac_credential_t *cred) { assert(cred != NULL); ++cred->refcount; return cred; } /** * lookup for a credential. */ abac_credential_t *abac_credential_lookup(char* cred_string) { if(debug) printf("DEBUG:doing abac_crendential_lookup ... (%s)\n", cred_string); abac_str_cred_t *str_cred; HASH_FIND_STR(str_creds, cred_string, str_cred); if (str_cred == NULL) { if(debug) printf("DEBUG:NOT FOUND..\n"); return NULL; } if(debug) printf("DEBUG:FOUND..(%d)\n", (int) str_cred->cred); return str_cred->cred; } /** * Decrease the reference count of a credential, freeing it when it reaches 0. */ void abac_credential_free(abac_credential_t *cred) { if(debug) printf("DEBUG:freeing cred(%d)clause(%d)\n", (int)cred, (int)cred->clauses); if (cred == NULL) return; --cred->refcount; if (cred->refcount > 0) return; if(cred->type == e_CREDTYPE_ROLE) { abac_role_free((abac_role_t *)cred->head); abac_role_free((abac_role_t *)cred->tail); } else { abac_oset_free((abac_oset_t *)cred->head); abac_oset_free((abac_oset_t *)cred->tail); } cred->cert->destroy(cred->cert); cred->issuer->destroy(cred->issuer); // reference counted /* no need to freeyap_clauses here */ free(cred); } char *abac_id_clause(abac_id_cert_t *id_cert) { if(id_cert) return id_cert->clause; return NULL; } /* retrieve the cn that is associated with this sha_string */ char *abac_cn_with_sha(char *sha_string) { // get the issuer based on keyid abac_id_cert_t *id_cert; HASH_FIND_STR(id_certs, sha_string, id_cert); if (id_cert == NULL) { return NULL; } if(debug) check_id_cert(id_cert); return id_cert->cn; } /* retrieve the cn that is associated with the principal of this role */ char *abac_cn_with_role(abac_role_t *role) { char *principal = abac_role_principal(role); return abac_cn_with_sha(principal); } /* retrieve the cn that is associated with the principal of this oset */ char *abac_cn_with_oset(abac_oset_t *oset) { char *principal = abac_oset_principal(oset); return abac_cn_with_sha(principal); }