507 lines
14 KiB
C
507 lines
14 KiB
C
/* Registry dependencies */
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <unistd.h>
|
|
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
|
|
/* We use RSA public-key encryption to begin with. We expect the config file
|
|
* to give us PEM-encoded data.
|
|
*/
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/rsa.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/err.h>
|
|
|
|
#include <json/json_tokener.h>
|
|
#include <json/linkhash.h>
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include "util.h"
|
|
#include "rlocs.h"
|
|
|
|
#define JSON_TYPE "rloc-registry"
|
|
|
|
void rlocs_init(void)
|
|
{
|
|
uint32_t seed;
|
|
SSL_load_error_strings(); /* readable error messages */
|
|
SSL_library_init(); /* initialize library */
|
|
|
|
// set the random seed to something good
|
|
if ( RAND_bytes( (unsigned char*)&seed, sizeof( uint32_t ) ) != 1 ) {
|
|
warn( "Failed to initialize random seed" );
|
|
exit(1);
|
|
}
|
|
|
|
srand( seed );
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
int rlocs_rloc_from_json(struct rlocs* reg, const char* key, json_object* val )
|
|
{
|
|
ssize_t pem_data_size;
|
|
const char* pem_data;
|
|
struct rloc *rloc;
|
|
RSA *rsa_key, *result;
|
|
BIO *bp;
|
|
|
|
if ( !json_object_is_type( val, json_type_string ) ) {
|
|
warn( "Non-string value in 'keys' object" );
|
|
return 0;
|
|
}
|
|
|
|
if ( reg->num_entries >= MAX_RLOCS ) {
|
|
warn( "Too many RLOCs in config-file!" );
|
|
return 0;
|
|
}
|
|
|
|
rloc = ®->entries[reg->num_entries];
|
|
|
|
if ( strchr( key, ':' ) == NULL ) { /* IPv4 */
|
|
rloc->family = AF_INET;
|
|
} else { /* IPv6 */
|
|
rloc->family = AF_INET6;
|
|
}
|
|
|
|
if ( inet_pton( rloc->family, key, (void*)&rloc->addr ) != 1 ) {
|
|
warn( "Couldn't parse %s as an IP address", key );
|
|
return 0;
|
|
}
|
|
|
|
// Next, we need to read and store the PEM-encoded RSA public key
|
|
pem_data = json_object_get_string( val );
|
|
pem_data_size = json_object_get_string_len( val );
|
|
|
|
rsa_key = RSA_new();
|
|
bp = BIO_new_mem_buf( (void*)pem_data, pem_data_size );
|
|
result = PEM_read_bio_RSA_PUBKEY( bp, &rsa_key, NULL, NULL );
|
|
BIO_vfree( bp );
|
|
|
|
if ( result == NULL ) {
|
|
RSA_free( rsa_key );
|
|
warn( "Couldn't parse key for %s as an RSA public key", key );
|
|
return 0;
|
|
}
|
|
|
|
rloc->key = rsa_key;
|
|
reg->num_entries++;
|
|
return 1;
|
|
}
|
|
|
|
int rlocs_eid_from_json( struct rlocs *reg, json_object *map)
|
|
{
|
|
json_object *entry;
|
|
const char *str;
|
|
int mask;
|
|
|
|
if ( !json_object_is_type( map, json_type_object ) ) {
|
|
warn( "eid_rloc_maps array in config contains non-object" );
|
|
return 0;
|
|
}
|
|
|
|
/* Initial processing of the netmask entry */
|
|
entry = json_object_object_get( map, "netmask" );
|
|
if ( !json_object_is_type( entry, json_type_int ) ) {
|
|
warn( "No netmask specified" );
|
|
return 0;
|
|
}
|
|
|
|
mask = json_object_get_int( entry );
|
|
if ( mask < 0 ) {
|
|
warn( "Bad netmask specified (%i)", mask );
|
|
return 0;
|
|
}
|
|
|
|
/* Work out the family and finish off processing */
|
|
entry = json_object_object_get( map, "family" );
|
|
if ( !json_object_is_type( entry, json_type_string ) ) {
|
|
warn( "No ip address family specified" );
|
|
return 0;
|
|
}
|
|
str = json_object_get_string( entry );
|
|
|
|
if ( strcmp( "ipv4", str ) == 0 ) {
|
|
struct ip4_eid_map_entry *eid_mapping;
|
|
struct in_addr addr;
|
|
|
|
if ( reg->num_ip4_map_entries >= MAX_EID_MAPPINGS ) {
|
|
warn( "Limit of %i IPv4 EID mappings reached!", MAX_EID_MAPPINGS );
|
|
return 0;
|
|
}
|
|
|
|
if ( mask > 32 ) {
|
|
warn( "Bad netmask specified for IPv4 (%i)", mask );
|
|
return 0;
|
|
}
|
|
|
|
eid_mapping = ®->ip4_mappings[reg->num_ip4_map_entries];
|
|
eid_mapping->mask = (unsigned int) mask;
|
|
|
|
// parse our network address
|
|
entry = json_object_object_get( map, "network" );
|
|
if (!json_object_is_type( entry, json_type_string ) ) {
|
|
warn( "No network specified" );
|
|
return 0;
|
|
}
|
|
str = json_object_get_string( entry );
|
|
if ( inet_pton( AF_INET, str, &eid_mapping->network ) != 1 ) {
|
|
warn( "Invalid network specified: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
// Remember, in_addrs are stored in network byte order
|
|
eid_mapping->broadcast.s_addr =
|
|
htonl( ntohl( eid_mapping->network.s_addr ) | (( 1 << (32 - mask )) -1 ) );
|
|
|
|
// Get a pointer to the rloc these eids are mapped to
|
|
entry = json_object_object_get( map, "rloc" );
|
|
if ( !json_object_is_type( entry, json_type_string ) ) {
|
|
warn( "no rloc specified" );
|
|
return 0;
|
|
}
|
|
str = json_object_get_string( entry );
|
|
if ( inet_pton( AF_INET, str, &addr ) != 1 ) {
|
|
warn( "Invalid rloc specified: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
eid_mapping->rloc = rloc_find_by_address( reg, &addr, NULL );
|
|
if ( eid_mapping->rloc == NULL ) {
|
|
warn( "Unknown rloc: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
// success!
|
|
reg->num_ip4_map_entries++;
|
|
} else if ( strcmp( "ipv6", str ) == 0 ) {
|
|
struct ip6_eid_map_entry *eid_mapping;
|
|
struct in6_addr addr;
|
|
|
|
if ( reg->num_ip6_map_entries >= MAX_EID_MAPPINGS ) {
|
|
warn( "Limit of %i IPv6 EID mappings reached!", MAX_EID_MAPPINGS );
|
|
return 0;
|
|
}
|
|
|
|
|
|
if ( mask > 128 ) {
|
|
warn( "Bad netmask specified for IPv6 (%i)", mask );
|
|
return 0;
|
|
}
|
|
|
|
eid_mapping = ®->ip6_mappings[reg->num_ip6_map_entries];
|
|
eid_mapping->mask = (unsigned int) mask;
|
|
|
|
// parse our network address
|
|
entry = json_object_object_get( map, "network" );
|
|
if (!json_object_is_type( entry, json_type_string ) ) {
|
|
warn( "No network specified" );
|
|
return 0;
|
|
}
|
|
str = json_object_get_string( entry );
|
|
if ( inet_pton( AF_INET6, str, &eid_mapping->network ) != 1 ) {
|
|
warn( "Invalid network specified: %s", str );
|
|
return 0;
|
|
}
|
|
warn( "setting eid_mapping->network with %s", str );
|
|
|
|
memcpy( &eid_mapping->broadcast, &eid_mapping->network, sizeof( struct in6_addr ) );
|
|
// FIXME: calculate ipv6 broadcast here. ipv6 is broken until we do
|
|
warn( "IPv6 broadcast not calculated yet" );
|
|
|
|
|
|
// Get a pointer to the rloc these eids are mapped to
|
|
entry = json_object_object_get( map, "rloc" );
|
|
if ( !json_object_is_type( entry, json_type_string ) ) {
|
|
warn( "no rloc specified" );
|
|
return 0;
|
|
}
|
|
str = json_object_get_string( entry );
|
|
if ( inet_pton( AF_INET6, str, &addr ) != 1 ) {
|
|
warn( "Invalid rloc specified: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
eid_mapping->rloc = rloc_find_by_address( reg, NULL, &addr );
|
|
if ( eid_mapping->rloc == NULL ) {
|
|
warn( "Unknown rloc: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
// success!
|
|
reg->num_ip6_map_entries++;
|
|
} else {
|
|
warn( "Unknown family specified: %s", str );
|
|
return 0;
|
|
}
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
struct rlocs* rlocs_new( char* filename )
|
|
{
|
|
struct rlocs* result;
|
|
struct stat filedata;
|
|
json_object* config;
|
|
ssize_t have_read = 0;
|
|
char* json_text;
|
|
int fd;
|
|
|
|
fd = open( filename, O_RDONLY );
|
|
if ( errno < 0 ) {
|
|
warn( "Error %s (%i) opening %s", strerror(errno), errno, filename );
|
|
return NULL;
|
|
}
|
|
|
|
fstat( fd, &filedata );
|
|
if ( errno < 0 ) {
|
|
warn( "Error %s (%i) getting size of %s", strerror(errno), errno, filename );
|
|
return NULL;
|
|
}
|
|
|
|
/* Make sure we're null-terminated */
|
|
json_text = xmalloc( filedata.st_size + 1 );
|
|
|
|
while ( have_read < filedata.st_size ) {
|
|
ssize_t bytes = read( fd, json_text + have_read, filedata.st_size - have_read );
|
|
if ( bytes < 0 ) {
|
|
warn( "Error %s (%i) reading %s", strerror(errno), errno, filename ) ;
|
|
free( json_text );
|
|
close( fd );
|
|
return NULL;
|
|
}
|
|
|
|
have_read += bytes;
|
|
|
|
//EOF
|
|
if ( bytes == 0 ) {
|
|
warn( "short read of %s: %zu instead of %zu", filename, have_read, filedata.st_size );
|
|
filedata.st_size = have_read;
|
|
|
|
}
|
|
}
|
|
|
|
//info( "Current config:\n %s", json_text );
|
|
|
|
close( fd );
|
|
config = json_tokener_parse( json_text );
|
|
free( json_text );
|
|
|
|
if ( !json_object_is_type( config, json_type_object ) ) {
|
|
warn( "Config does not parse to a JSON object" );
|
|
return NULL;
|
|
}
|
|
|
|
json_object* type_field = json_object_object_get( config, "type" );
|
|
const char* type_data = json_object_get_string( type_field );
|
|
if ( strcmp( JSON_TYPE, type_data ) != 0 ) {
|
|
warn( "Expected type to be %s, not %s", JSON_TYPE, type_data );
|
|
return NULL;
|
|
}
|
|
|
|
json_object * keys_field = json_object_object_get( config, "keys" );
|
|
|
|
if ( !json_object_is_type( keys_field, json_type_object ) ) {
|
|
warn( "keys field is not present in config" );
|
|
return NULL;
|
|
}
|
|
|
|
result = xmalloc( sizeof( struct rlocs ) );
|
|
result->config = config;
|
|
|
|
/* populate our array of rloc objects */
|
|
json_object_object_foreach( keys_field, key, val ) {
|
|
if ( !rlocs_rloc_from_json( result, key, val ) ) {
|
|
warn( "Failed to process rloc %s", key );
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
|
|
json_object * maps_field = json_object_object_get( config, "eid_rloc_map" );
|
|
if ( !json_object_is_type( maps_field, json_type_array ) ) {
|
|
warn( "Couldn't find eid_rloc_map field in config" );
|
|
goto fail;
|
|
}
|
|
|
|
int i, len = json_object_array_length( maps_field );
|
|
for ( i = 0; i < len ; i++ ) {
|
|
json_object *map_field = json_object_array_get_idx( maps_field, i );
|
|
|
|
if ( !rlocs_eid_from_json( result, map_field ) ) {
|
|
warn( "Failed to process eid map %i", i );
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
return result;
|
|
|
|
fail:
|
|
rlocs_free( result ); // deallocate any struct rloc we already created
|
|
return NULL;
|
|
}
|
|
|
|
// FIXME: these really do need to be as fast as possible. This is a 2-minute effort.
|
|
struct rloc *rloc_find_for_ipv4( struct rlocs *reg, struct in_addr *eid )
|
|
{
|
|
struct ip4_eid_map_entry *current;
|
|
uint32_t host_eid = ntohl( eid->s_addr );
|
|
int i;
|
|
|
|
for ( i = 0 ; i < reg->num_ip4_map_entries ; i++ ) {
|
|
current = ®->ip4_mappings[i];
|
|
|
|
uint32_t host_start = ntohl( current->network.s_addr );
|
|
uint32_t host_end = ntohl( current->broadcast.s_addr );
|
|
|
|
if ( host_start <= host_eid && host_end >= host_eid ) {
|
|
break;
|
|
}
|
|
|
|
}
|
|
|
|
return i < reg->num_ip4_map_entries ? current->rloc : NULL;
|
|
}
|
|
|
|
struct rloc *rloc_find_for_ipv6( struct rlocs *reg, struct in6_addr *eid )
|
|
{
|
|
warn( "Searching for IPv6 RLOCs not done yet" );
|
|
return NULL;
|
|
}
|
|
|
|
struct rloc *rloc_find_by_address( struct rlocs *reg, struct in_addr *ipv4, struct in6_addr *ipv6 )
|
|
{
|
|
struct rloc *current;
|
|
int i, cmp;
|
|
|
|
for( i = 0 ; i < reg->num_entries; i++ ) {
|
|
current = ®->entries[i];
|
|
cmp = 1;
|
|
switch( current->family ) {
|
|
case AF_INET:
|
|
if ( ipv4 != NULL ) {
|
|
cmp = memcmp( ¤t->addr, ipv4, sizeof( struct in_addr ) );
|
|
}
|
|
break;
|
|
case AF_INET6:
|
|
if ( ipv6 != NULL ) {
|
|
cmp = memcmp( ¤t->addr, ipv6, sizeof( struct in6_addr ) );
|
|
}
|
|
break;
|
|
}
|
|
if ( cmp == 0 ) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
return i < reg->num_entries ? current : NULL;
|
|
}
|
|
|
|
/* Replaces the public key in the rloc struct with a private key so we can
|
|
* unwrap, as well as wrap, packets.
|
|
*/
|
|
int rloc_add_private_key( struct rloc *rloc, char *filename )
|
|
{
|
|
BIO *key_data = BIO_new_file( filename, "r" );
|
|
|
|
RSA* key = PEM_read_bio_RSAPrivateKey( key_data, NULL, NULL, NULL );
|
|
|
|
if ( key == NULL ) {
|
|
warn( "Failed to add private key %s", filename );
|
|
return 0;
|
|
}
|
|
|
|
RSA_free( rloc->key );
|
|
rloc->key = key;
|
|
|
|
return 1;
|
|
}
|
|
|
|
void show_ssl_errors(void)
|
|
{
|
|
long err;
|
|
char msg[256];
|
|
|
|
while ( ( err = ERR_get_error() ) ) {
|
|
ERR_error_string( err, &msg[0] );
|
|
warn( "Error %lu in crypto: %s", err, &msg[0] );
|
|
}
|
|
|
|
}
|
|
|
|
ssize_t rloc_encrypt( struct rloc *rloc, unsigned char *data, size_t data_len, unsigned char *dest, size_t dest_len )
|
|
{
|
|
ssize_t result = RSA_public_encrypt( data_len, data, dest, rloc->key, RSA_PKCS1_OAEP_PADDING );
|
|
|
|
if ( result < 0 ) {
|
|
show_ssl_errors();
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
ssize_t rloc_decrypt( struct rloc *rloc, unsigned char *data, size_t data_len, unsigned char *dest, size_t dest_len )
|
|
{
|
|
ssize_t result = RSA_private_decrypt( data_len, data, dest, rloc->key, RSA_PKCS1_OAEP_PADDING );
|
|
|
|
if ( result < 0 ) {
|
|
show_ssl_errors();
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
|
|
void rlocs_debug_output( struct rlocs *reg )
|
|
{
|
|
int i;
|
|
char addr1[128], addr2[128];
|
|
|
|
info( "Configuration has parsed as:" );
|
|
for( i = 0 ; i < reg->num_entries; i++ ) {
|
|
struct rloc *current = ®->entries[i];
|
|
inet_ntop( current->family, ¤t->addr, &addr1[0], 128 );
|
|
|
|
info( "RLOC %i: family %i, address %s", i, current->family, &addr1[0] );
|
|
}
|
|
|
|
for ( i = 0 ; i < reg->num_ip4_map_entries ; i++ ) {
|
|
struct ip4_eid_map_entry *current = ®->ip4_mappings[i];
|
|
inet_ntop( AF_INET, ¤t->network, &addr1[0], 128 );
|
|
inet_ntop( AF_INET, ¤t->rloc->addr, &addr2[0], 128 );
|
|
info( "IPv4 EID mapping %i: %s/%u => %s", i, addr1, current->mask, addr2 );
|
|
}
|
|
|
|
for ( i = 0 ; i < reg->num_ip6_map_entries ; i++ ) {
|
|
struct ip6_eid_map_entry *current = ®->ip6_mappings[i];
|
|
inet_ntop( AF_INET6, ¤t->network, &addr1[0], 128 );
|
|
inet_ntop( AF_INET6, ¤t->rloc->addr, &addr2[0], 128 );
|
|
info( "IPv6 EID mapping %i: %s/%u => %s", i, addr1, current->mask, addr2 );
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
void rlocs_free( struct rlocs* registry )
|
|
{
|
|
int i;
|
|
|
|
for( i = 0; i < registry->num_entries; i++ ) {
|
|
if ( registry->entries[i].key != NULL ) {
|
|
RSA_free( registry->entries[i].key );
|
|
}
|
|
}
|
|
// No need to do json_object_put() here.
|
|
free( registry );
|
|
return;
|
|
}
|