X-Git-Url: http://tinc-vpn.org/git/browse?a=blobdiff_plain;f=lib%2Ffides.cc;h=dab667e5604d51403d3286c9f488b8d040d70978;hb=c0deb87e9de6041a023c80cf50a7870ce563a852;hp=46dcd7fee1e255c5bab5b8023fd49a87d3acda30;hpb=406a506e2cb5e69789aef20e145b47e36a778543;p=fides diff --git a/lib/fides.cc b/lib/fides.cc index 46dcd7f..dab667e 100644 --- a/lib/fides.cc +++ b/lib/fides.cc @@ -33,6 +33,12 @@ #include "fides.h" +#ifndef FIDES_DEBUG +#define FIDES_DEBUG false +#endif + +#define debug if(FIDES_DEBUG) + using namespace std; // Global state @@ -267,7 +273,7 @@ fides::certificate *fides::certificate_from_string(const string &data) { if(e == string::npos) throw exception("Invalid certificate"); string fingerprint = hexdecode(data.substr(0, e)); - publickey *signer = find_key(fingerprint); + const publickey *signer = find_key(fingerprint); if(!signer) throw exception("Unknown public key"); b = e + 1; @@ -295,7 +301,7 @@ fides::certificate *fides::certificate_from_string(const string &data) { // Fides main functions fides::fides(const string &dir): homedir(dir) { - cerr << "Fides initialising\n"; + debug cerr << "Fides initialising\n"; // Set homedir to provided directory, or $FIDES_HOME, or $HOME/.fides, or as a last resort $PWD/.fides if(homedir.empty()) @@ -330,7 +336,7 @@ fides::fides(const string &dir): homedir(dir) { } vector files = dirlist(keydir); for(size_t i = 0; i < files.size(); ++i) { - cerr << "Loading key " << files[i] << '\n'; + debug cerr << "Loading key " << files[i] << '\n'; publickey *key = new publickey(); key->load(keydir + files[i]); @@ -341,10 +347,10 @@ fides::fides(const string &dir): homedir(dir) { files = dirlist(certdir); for(size_t i = 0; i < files.size(); ++i) { - cerr << "Loading certificate " << files[i] << '\n'; + debug cerr << "Loading certificate " << files[i] << '\n'; certificate *cert = certificate_load(certdir + files[i]); if(false && !cert->validate()) { - cerr << "Bad certificate!\n"; + cerr << "Bad certificate in database: " << cert->to_string() << '\n'; continue; } certs[hexdecode(files[i])] = cert; @@ -358,10 +364,10 @@ fides::fides(const string &dir): homedir(dir) { } fides::~fides() { - cerr << "Fides exitting\n"; - for(map::iterator i = certs.begin(); i != certs.end(); ++i) + debug cerr << "Fides exitting\n"; + for(map::const_iterator i = certs.begin(); i != certs.end(); ++i) delete i->second; - for(map::iterator i = keys.begin(); i != keys.end(); ++i) + for(map::const_iterator i = keys.begin(); i != keys.end(); ++i) if(i->second != &mykey) delete i->second; } @@ -397,8 +403,8 @@ fides::publickey *fides::find_key(const string &fingerprint) const { return 0; } -vector fides::find_certificates(const publickey *signer, const string ®ex) const { - vector found; +vector fides::find_certificates(const publickey *signer, const string ®ex) const { + vector found; map::const_iterator i; regexp regexp(regex); for(i = certs.begin(); i != certs.end(); ++i) { @@ -413,8 +419,8 @@ vector fides::find_certificates(const publickey *signer, c return found; } -vector fides::find_certificates(const string ®ex) const { - vector found; +vector fides::find_certificates(const string ®ex) const { + vector found; map::const_iterator i; regexp regexp(regex); for(i = certs.begin(); i != certs.end(); ++i) @@ -423,8 +429,8 @@ vector fides::find_certificates(const string ®ex) const return found; } -vector fides::find_certificates(const publickey *signer) const { - vector found; +vector fides::find_certificates(const publickey *signer) const { + vector found; map::const_iterator i; for(i = certs.begin(); i != certs.end(); ++i) if(i->second->signer == signer) @@ -445,7 +451,7 @@ void fides::import_all(istream &in) { if(!line.compare(0, 9, "-----END ")) { fides::publickey *key = new publickey(); key->from_string(pem); - cerr << "Imported key " << hexencode(key->fingerprint()) << '\n'; + debug cerr << "Imported key " << hexencode(key->fingerprint()) << '\n'; merge(key); is_pem = false; } else { @@ -455,7 +461,7 @@ void fides::import_all(istream &in) { } fides::certificate *cert = certificate_from_string(line); - cerr << "Importing certificate " << hexencode(cert->fingerprint()) << '\n'; + debug cerr << "Importing certificate " << hexencode(cert->fingerprint()) << '\n'; merge(cert); } } @@ -484,7 +490,7 @@ void fides::dctrust(const publickey *key) { void fides::update_trust() { // clear trust on all keys - for(map::iterator i = keys.begin(); i != keys.end(); ++i) + for(map::const_iterator i = keys.begin(); i != keys.end(); ++i) i->second->trust = 0; // Start by checking all trust certificates from ourself. @@ -511,7 +517,7 @@ void fides::update_trust() { // loop over all keys whose certificates need to be checked for(i = tocheck.begin(); i != tocheck.end(); ++i) { - cerr << "Trust for key " << hexencode((*i)->fingerprint()) << " set to " << (*i)->trust << '\n'; + debug cerr << "Trust for key " << hexencode((*i)->fingerprint()) << " set to " << (*i)->trust << '\n'; // except if this key is not trusted @@ -520,7 +526,7 @@ void fides::update_trust() { // find all non-zero trust certificates of this key - vector matches = find_certificates(*i, "^t[+-] "); + vector matches = find_certificates(*i, "^t[+-] "); // update trust value of those keys @@ -535,7 +541,7 @@ void fides::update_trust() { // except for keys we already checked if(checked.find(other) != checked.end()) { - cerr << "Skipping trust certificate for already checked key: " << matches[j]->to_string() << '\n'; + debug cerr << "Skipping trust certificate for already checked key: " << matches[j]->to_string() << '\n'; continue; } @@ -556,7 +562,7 @@ void fides::update_trust() { void fides::merge(publickey *key) { if(keys.find(key->fingerprint()) != keys.end()) { - cerr << "Key already known\n"; + debug cerr << "Key already known\n"; return; } @@ -570,21 +576,21 @@ void fides::merge(certificate *cert) { // If we already know this certificate, drop it. if(certs.find(cert->fingerprint()) != certs.end()) { - cerr << "Certificate already known\n"; + debug cerr << "Certificate already known\n"; return; } // If the certificate does not validate, drop it. if(!cert->validate()) { // TODO: this should not happen, be wary of DoS attacks - cerr << "Certificate invalid\n"; + cerr << "Trying to merge invalid certificate: " << cert->to_string() << '\n'; return; } // TODO: move these regexps to the class? regexp authexp("^a[+0-] "); regexp trustexp("^t[+0-] "); - vector others; + vector others; // Is this an authorisation cert? if(authexp.match(cert->statement)) { @@ -593,15 +599,15 @@ void fides::merge(certificate *cert) { others = find_certificates(cert->signer, string("^a[+0-] ") + cert->statement.substr(3) + '$'); if(others.size()) { if(timercmp(&others[0]->timestamp, &cert->timestamp, >)) { - cerr << "Certificate is overruled by a newer certificate\n"; + debug cerr << "Certificate is overruled by a newer certificate\n"; return; } if(timercmp(&others[0]->timestamp, &cert->timestamp, ==)) { // TODO: this should not happen, be wary of DoS attacks - cerr << "Certificate has same timestamp as another timestamp!\n"; + debug cerr << "Certificate has same timestamp as another timestamp!\n"; return; } - cerr << "Certificate overrules an older certificate!\n"; + debug cerr << "Certificate overrules an older certificate!\n"; // save new cert first certificate_save(cert, certdir + hexencode(cert->fingerprint())); certs[cert->fingerprint()] = cert; @@ -622,15 +628,15 @@ void fides::merge(certificate *cert) { others = find_certificates(cert->signer, string("^t[+0-] ") + cert->statement.substr(3) + '$'); if(others.size()) { if(timercmp(&others[0]->timestamp, &cert->timestamp, >)) { - cerr << "Certificate is overruled by a newer certificate\n"; + debug cerr << "Certificate is overruled by a newer certificate\n"; return; } if(timercmp(&others[0]->timestamp, &cert->timestamp, ==)) { // TODO: this should not happen, be wary of DoS attacks - cerr << "Certificate has same timestamp as another timestamp!\n"; + debug cerr << "Certificate has same timestamp as another timestamp!\n"; return; } - cerr << "Certificate overrules an older certificate!\n"; + debug cerr << "Certificate overrules an older certificate!\n"; // delete old one rename((certdir + hexencode(others[0]->fingerprint())).c_str(), (obsoletedir + hexencode(others[0]->fingerprint())).c_str()); certs.erase(others[0]->fingerprint()); @@ -646,15 +652,15 @@ void fides::merge(certificate *cert) { others = find_certificates(cert->signer, string("^") + cert->statement + '$'); if(others.size()) { if(timercmp(&others[0]->timestamp, &cert->timestamp, >)) { - cerr << "Certificate is overruled by a newer certificate\n"; + debug cerr << "Certificate is overruled by a newer certificate\n"; return; } if(timercmp(&others[0]->timestamp, &cert->timestamp, ==)) { // TODO: this should not happen, be wary of DoS attacks - cerr << "Certificate has same timestamp as another timestamp!\n"; + debug cerr << "Certificate has same timestamp as another timestamp!\n"; return; } - cerr << "Certificate overrules an older certificate!\n"; + debug cerr << "Certificate overrules an older certificate!\n"; // delete old one rename((certdir + hexencode(others[0]->fingerprint())).c_str(), (obsoletedir + hexencode(others[0]->fingerprint())).c_str()); certs.erase(others[0]->fingerprint()); @@ -664,14 +670,14 @@ void fides::merge(certificate *cert) { return; } - cerr << "Certificate is new\n"; + debug cerr << "Certificate is new\n"; certs[cert->fingerprint()] = cert; certificate_save(cert, certdir + hexencode(cert->fingerprint())); } void fides::auth_stats(const string &statement, int &self, int &trusted, int &all) const { self = trusted = all = 0; - vector matches = find_certificates(string("^a[+0-] ") + statement + '$'); + vector matches = find_certificates(string("^a[+0-] ") + statement + '$'); for(size_t i = 0; i < matches.size(); ++i) { char code = matches[i]->statement[1]; int diff = 0;