[pubcookie-dev] WEBISO CVS update: fox;
keyclient.c,2.35.2.1,2.35.2.2 keyserver.c,2.36.2.2,2.36.2.3
libpubcookie.c,2.60.2.1,2.60.2.2 libpubcookie.h,1.37.2.1,1.37.2.2
Jim Fox
fox at cac.washington.edu
Wed Oct 1 12:37:41 PDT 2003
Update of /usr/local/cvsroot/webiso/pubcookie/src
In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv4995/webiso/pubcookie/src
Modified Files:
Tag: UWash3
index.cgi.c keyclient.c keyserver.c libpubcookie.c
libpubcookie.h
Log Message:
implement keyserver PERMIT option
Index: webiso/pubcookie/src/index.cgi.c
diff -c webiso/pubcookie/src/index.cgi.c:1.108.2.1 webiso/pubcookie/src/index.cgi.c:1.108.2.2
*** webiso/pubcookie/src/index.cgi.c:1.108.2.1 Fri Sep 19 14:58:15 2003
--- webiso/pubcookie/src/index.cgi.c Wed Oct 1 12:37:39 2003
***************
*** 6,12 ****
/** @file index.cgi.c
* Login server CGI
*
! * $Id: index.cgi.c,v 1.108.2.1 2003/09/19 21:58:15 willey Exp $
*/
#ifdef HAVE_CONFIG_H
--- 6,12 ----
/** @file index.cgi.c
* Login server CGI
*
! * $Id: index.cgi.c,v 1.108.2.2 2003/10/01 19:37:39 fox Exp $
*/
#ifdef HAVE_CONFIG_H
***************
*** 385,390 ****
--- 385,391 ----
r->pre_sess_tok = 0;
r->flavor_extension = NULL;
+ r->duration = 0;
}
/*
***************
*** 1090,1096 ****
pbc_log_activity(p, PBC_LOG_DEBUG_VERBOSE,"compute_l_expire: hello");
! if( (l->duration = get_kiosk_duration(p, l)) == PBC_FALSE )
l->duration =
libpbc_config_getint(p, "default_l_expire",DEFAULT_LOGIN_EXPIRE);
--- 1091,1097 ----
pbc_log_activity(p, PBC_LOG_DEBUG_VERBOSE,"compute_l_expire: hello");
! if((l->duration==0) && (l->duration=get_kiosk_duration(p, l))==PBC_FALSE)
l->duration =
libpbc_config_getint(p, "default_l_expire",DEFAULT_LOGIN_EXPIRE);
Index: webiso/pubcookie/src/keyclient.c
diff -c webiso/pubcookie/src/keyclient.c:2.35.2.1 webiso/pubcookie/src/keyclient.c:2.35.2.2
*** webiso/pubcookie/src/keyclient.c:2.35.2.1 Thu Jul 10 11:58:31 2003
--- webiso/pubcookie/src/keyclient.c Wed Oct 1 12:37:39 2003
***************
*** 6,12 ****
/** @file keyclient.c
* Key administration tool for clients
*
! * $Id: keyclient.c,v 2.35.2.1 2003/07/10 18:58:31 willey Exp $
*/
--- 6,12 ----
/** @file keyclient.c
* Key administration tool for clients
*
! * $Id: keyclient.c,v 2.35.2.2 2003/10/01 19:37:39 fox Exp $
*/
***************
*** 109,114 ****
--- 109,115 ----
printf(" -K <URI> : base URL of key management server\n");
printf(" -C <cert file> : CA cert to use for client verification\n");
printf(" -D <ca dir> : directory of trusted CAs, hashed OpenSSL-style\n");
+ printf(" -1 : permit <hostname>\n");
exit(1);
}
***************
*** 148,153 ****
--- 149,155 ----
crypt_stuff c_stuff;
const char *hostname;
int newkeyp;
+ int permit;
X509 *server_cert;
const char *keyfile;
const char *certfile;
***************
*** 190,196 ****
hostname = NULL;
newkeyp = 1;
! while ((c = getopt(argc, argv, "apc:k:C:D:nudH:L:K:")) != -1) {
switch (c) {
case 'a':
filetype = SSL_FILETYPE_ASN1;
--- 192,199 ----
hostname = NULL;
newkeyp = 1;
! permit = 0;
! while ((c = getopt(argc, argv, "01apc:k:C:D:nudH:L:K:")) != -1) {
switch (c) {
case 'a':
filetype = SSL_FILETYPE_ASN1;
***************
*** 246,251 ****
--- 249,266 ----
keymgturi = strdup(optarg);
break;
+ case '0':
+ /* deny access to a cn */
+ newkeyp = -1;
+ permit = -1;
+ break;
+
+ case '1':
+ /* permit access to a cn */
+ newkeyp = -1;
+ permit = 1;
+ break;
+
case '?':
default:
usage();
***************
*** 401,417 ****
if (newkeyp == -1) {
char enckey[PBC_DES_KEY_BUF * 2];
! if (libpbc_get_crypt_key(p, &c_stuff, hostname) != PBC_OK) {
fprintf(stderr, "couldn't retrieve key\r\n");
exit(1);
! }
! libpbc_base64_encode(p, c_stuff.key_a, (unsigned char *) enckey, PBC_DES_KEY_BUF);
! /* we're uploading! */
! snprintf(buf, sizeof(buf),
"GET %s?genkey=put?setkey=%s;%s\r\n\r\n",
keymgturi, hostname, enckey);
} else {
snprintf(buf, sizeof(buf),
"GET %s?genkey=%s HTTP/1.0\r\n\r\n", keymgturi,
--- 416,439 ----
if (newkeyp == -1) {
char enckey[PBC_DES_KEY_BUF * 2];
! if (permit) {
! snprintf(buf, sizeof(buf),
! "GET %s?genkey=%s?setkey=%s;\r\n\r\n",
! keymgturi, (permit<0?"deny":"permit"), hostname);
!
! } else {
! if (libpbc_get_crypt_key(p, &c_stuff, hostname) != PBC_OK) {
fprintf(stderr, "couldn't retrieve key\r\n");
exit(1);
! }
! libpbc_base64_encode(p, c_stuff.key_a, (unsigned char *) enckey, PBC_DES_KEY_BUF);
! /* we're uploading! */
! snprintf(buf, sizeof(buf),
"GET %s?genkey=put?setkey=%s;%s\r\n\r\n",
keymgturi, hostname, enckey);
+ }
} else {
snprintf(buf, sizeof(buf),
"GET %s?genkey=%s HTTP/1.0\r\n\r\n", keymgturi,
Index: webiso/pubcookie/src/keyserver.c
diff -c webiso/pubcookie/src/keyserver.c:2.36.2.2 webiso/pubcookie/src/keyserver.c:2.36.2.3
*** webiso/pubcookie/src/keyserver.c:2.36.2.2 Fri Jul 11 17:38:54 2003
--- webiso/pubcookie/src/keyserver.c Wed Oct 1 12:37:39 2003
***************
*** 6,12 ****
/** @file keyserver.c
* Server side of key management structure
*
! * $Id: keyserver.c,v 2.36.2.2 2003/07/12 00:38:54 willey Exp $
*/
--- 6,12 ----
/** @file keyserver.c
* Server side of key management structure
*
! * $Id: keyserver.c,v 2.36.2.3 2003/10/01 19:37:39 fox Exp $
*/
***************
*** 146,152 ****
NOOP,
GENKEY,
SETKEY,
! FETCHKEY
};
/**
--- 146,153 ----
NOOP,
GENKEY,
SETKEY,
! FETCHKEY,
! PERMIT
};
/**
***************
*** 287,292 ****
--- 288,294 ----
* do the keyserver operation
* @param peer the name of the client that's connected to us
* @param op the operation to perform, one of:
+ * PERMIT - authorize a keyserver client
* GENKEY - generate a new key for peer
* SETKEY - key from friend login server
* FETCHKEY - peer requests it's key
***************
*** 299,323 ****
char buf[4 * PBC_DES_KEY_BUF];
crypt_stuff c_stuff;
pool *p = NULL;
/* no HTML headers for me */
myprintf("\r\n");
- /* check access list for client operations */
- if( op != SETKEY && check_access_list(peer) == PBC_FAIL ) {
- myprintf("you (%s) are not in keyserver client list\r\n", peer);
- pbc_log_activity(p, PBC_LOG_ERROR, "operation not allowed: %s", peer);
- return(1);
- }
-
switch (op) {
case GENKEY:
{
/* 'peer' has asked us to generate a new key */
assert(newkey == NULL);
! pbc_log_activity(p, PBC_LOG_AUDIT, "generating a new key for %s",
! peer);
if (libpbc_generate_crypt_key(p, peer) < 0) {
myprintf("NO generate_new_key() failed\r\n");
--- 301,382 ----
char buf[4 * PBC_DES_KEY_BUF];
crypt_stuff c_stuff;
pool *p = NULL;
+ int dokeyret = 0;
+ char *thepeer;
+ char *thekey64;
/* no HTML headers for me */
myprintf("\r\n");
switch (op) {
+ case PERMIT:
+ {
+ /* 'peer' has asked us to authorize a new CN (newkey) */
+ if(check_access_list(peer) == PBC_FAIL ) {
+ myprintf("NO you (%s) are not authorized to authorize\r\n",
+ peer);
+ pbc_log_activity(p, PBC_LOG_ERROR,
+ "operation not allowed: %s", peer);
+ return(1);
+ }
+
+ /* find <cn>;<test> */
+ thepeer = strdup(newkey);
+ thekey64 = strchr(thepeer, ';');
+ if (!thekey64) {
+ myprintf("NO bad form for authorize\r\n");
+ /* xxx log */
+ return(1);
+ }
+ *thekey64++ = '\0';
+
+ if (libpbc_test_crypt_key(p, thepeer) == PBC_OK) {
+ myprintf("OK already authorized\r\n");
+ pbc_log_activity(p, PBC_LOG_ERROR,
+ "already authorized");
+ return(1);
+ }
+
+ /* if just a test, return now */
+ if (!strncmp(thekey64, "test", 4)) {
+ myprintf("NO server is not authorized\r\n");
+ pbc_log_activity(p, PBC_LOG_ERROR,
+ "test - not yet");
+ return(1);
+ }
+
+
+ pbc_log_activity(p, PBC_LOG_AUDIT,
+ "authorizing %s", thepeer);
+
+ if (libpbc_generate_crypt_key(p, thepeer) != PBC_OK) {
+ myprintf("NO generate_new_key() failed\r\n");
+ pbc_log_activity(p, PBC_LOG_ERROR,
+ "generate_new_key() failed");
+ return(1);
+ }
+
+ /* push the new key to the other login servers */
+ pushkey(thepeer);
+
+ dokeyret = 0; /* don't return the key to this client */
+ break;
+ }
+
case GENKEY:
{
/* 'peer' has asked us to generate a new key */
+ if(libpbc_test_crypt_key(p, peer) == PBC_FAIL ) {
+ myprintf("NO you (%s) are not authorized for keys\r\n",
+ peer);
+ pbc_log_activity(p, PBC_LOG_ERROR,
+ "operation not allowed: %s", peer);
+ return(1);
+ }
assert(newkey == NULL);
! pbc_log_activity(p, PBC_LOG_AUDIT,
! "generating a new key for %s", peer);
if (libpbc_generate_crypt_key(p, peer) < 0) {
myprintf("NO generate_new_key() failed\r\n");
***************
*** 330,335 ****
--- 389,395 ----
/* push the new key to the other login servers */
pushkey(peer);
+ dokeyret = 1;
break;
}
***************
*** 395,400 ****
--- 455,461 ----
/* noop; we always return the new key */
assert(newkey == NULL);
+ dokeyret = 1;
break;
case NOOP:
***************
*** 404,417 ****
break;
}
! /* return the key */
! if (libpbc_get_crypt_key(p, &c_stuff, (char *) peer) != PBC_OK) {
! myprintf("NO couldn't retrieve key\r\n");
! return 1;
! }
!
! /* now give the key back to the application */
! libpbc_base64_encode(p, c_stuff.key_a, (unsigned char *) buf, PBC_DES_KEY_BUF);
myprintf("OK %s\r\n", buf);
fflush(stdout);
--- 465,480 ----
break;
}
! if (dokeyret) {
! /* return the key */
! if (libpbc_get_crypt_key(p, &c_stuff, (char *) peer) != PBC_OK) {
! myprintf("NO couldn't retrieve key\r\n");
! return 1;
! }
!
! /* now give the key back to the application */
! libpbc_base64_encode(p, c_stuff.key_a, (unsigned char *) buf, PBC_DES_KEY_BUF);
! } else buf[0] = '\0';
myprintf("OK %s\r\n", buf);
fflush(stdout);
***************
*** 629,634 ****
--- 692,701 ----
else if (*ptr == '?' && !strncmp(ptr+1, "genkey=put", 10)) {
op = SETKEY;
+ }
+
+ else if (*ptr == '?' && !strncmp(ptr+1, "genkey=permit", 10)) {
+ op = PERMIT;
}
/* look for 'setkey' */
Index: webiso/pubcookie/src/libpubcookie.c
diff -c webiso/pubcookie/src/libpubcookie.c:2.60.2.1 webiso/pubcookie/src/libpubcookie.c:2.60.2.2
*** webiso/pubcookie/src/libpubcookie.c:2.60.2.1 Fri Sep 19 14:58:15 2003
--- webiso/pubcookie/src/libpubcookie.c Wed Oct 1 12:37:39 2003
***************
*** 6,12 ****
/** @file libpubcookie.c
* Core pubcookie library
*
! * $Id: libpubcookie.c,v 2.60.2.1 2003/09/19 21:58:15 willey Exp $
*/
--- 6,12 ----
/** @file libpubcookie.c
* Core pubcookie library
*
! * $Id: libpubcookie.c,v 2.60.2.2 2003/10/01 19:37:39 fox Exp $
*/
***************
*** 454,459 ****
--- 454,478 ----
memcpy(c_stuff->key_a, key_in, sizeof(c_stuff->key_a));
pbc_free(p, key_in);
+
+ return PBC_OK;
+ }
+
+ /* */
+ int libpbc_test_crypt_key(pool *p, const char *peer)
+ {
+ FILE *fp;
+ char keyfile[1024];
+
+ /* pbc_log_activity(p, PBC_LOG_DEBUG_LOW, "libpbc_test_crypt_key\n"); */
+
+ make_crypt_keyfile(p, peer, keyfile);
+
+ if( ! (fp = pbc_fopen(p, keyfile, "rb")) ) {
+ return PBC_FAIL;
+ }
+
+ pbc_fclose(p, fp);
return PBC_OK;
}
Index: webiso/pubcookie/src/libpubcookie.h
diff -c webiso/pubcookie/src/libpubcookie.h:1.37.2.1 webiso/pubcookie/src/libpubcookie.h:1.37.2.2
*** webiso/pubcookie/src/libpubcookie.h:1.37.2.1 Fri Sep 19 14:58:15 2003
--- webiso/pubcookie/src/libpubcookie.h Wed Oct 1 12:37:39 2003
***************
*** 4,10 ****
*/
/*
! $Id: libpubcookie.h,v 1.37.2.1 2003/09/19 21:58:15 willey Exp $
*/
#ifndef PUBCOOKIE_LIB
--- 4,10 ----
*/
/*
! $Id: libpubcookie.h,v 1.37.2.2 2003/10/01 19:37:39 fox Exp $
*/
#ifndef PUBCOOKIE_LIB
***************
*** 85,90 ****
--- 85,97 ----
* @return PBC_OK for success, PBC_FAIL for failure
*/
int libpbc_set_crypt_key(pool *p, const char *key, const char *peer);
+
+ /**
+ * tests for presence of the keyfile for 'peer' (key permission)
+ * @param peer the certificate name of the peer
+ * @return PBC_OK for existance, PBC_FAIL for not
+ */
+ int libpbc_test_crypt_key(pool *p, const char *peer);
char *libpbc_time_string(pool *p, time_t);
void *libpbc_abend(pool *p, const char *,...);
end of message
More information about the pubcookie-dev
mailing list