func doClient(domain *tao.Domain) {
	network := "tcp"
	keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent())
	options.FailIf(err, "client: couldn't generate temporary Tao keys")

	g := domain.Guard
	if *ca != "" {
		na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
		options.FailIf(err, "client: couldn't get a truncated attestation from %s: %s\n", *ca)

		keys.Delegation = na

		// If we're using a CA, then use a custom guard that accepts only
		// programs that have talked to the CA.
		g, err = newTempCAGuard(domain.Keys.VerifyingKey)
		options.FailIf(err, "client: couldn't set up a new guard")
	}

	pingGood := 0
	pingFail := 0
	for i := 0; i < *pingCount || *pingCount < 0; i++ { // negative means forever
		if doRequest(g, domain, keys) {
			pingGood++
		} else {
			pingFail++
		}
		fmt.Printf("client: made %d connections, finished %d ok, %d bad pings\n", i+1, pingGood, pingFail)
	}
}
Exemple #2
0
// NewRouterContext generates new keys, loads a local domain configuration from
// path and binds an anonymous listener socket to addr on network
// network. A delegation is requested from the Tao t which is  nominally
// the parent of this hosted program.
func NewRouterContext(path, network, addr string, batchSize int, timeout time.Duration,
	t tao.Tao) (hp *RouterContext, err error) {

	hp = new(RouterContext)
	hp.network = network
	hp.timeout = timeout

	// Generate keys and get attestation from parent.
	if hp.keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing|tao.Crypting, nil, t); err != nil {
		return nil, err
	}

	// Load domain from local configuration.
	if hp.domain, err = tao.LoadDomain(path, nil); err != nil {
		return nil, err
	}

	// Bind address to socket.
	if hp.proxyListener, err = tao.Listen(network, addr, hp.keys, nil, nil, nil); err != nil {
		return nil, err
	}

	// Instantiate the queues.
	hp.sendQueue = NewQueue(network, batchSize, timeout)
	hp.replyQueue = NewQueue(network, batchSize, timeout)
	hp.killQueue = make(chan bool)
	hp.killQueueErrorHandler = make(chan bool)
	go hp.sendQueue.DoQueue(hp.killQueue)
	go hp.replyQueue.DoQueue(hp.killQueue)
	go hp.sendQueue.DoQueueErrorHandler(hp.replyQueue, hp.killQueueErrorHandler)
	go hp.replyQueue.DoQueueErrorHandlerLog("reply queue", hp.killQueueErrorHandler)

	return hp, nil
}
Exemple #3
0
// NewRouterContext generates new keys, loads a local domain configuration from
// path and binds an anonymous listener socket to addr on network
// network. A delegation is requested from the Tao t which is  nominally
// the parent of this hosted program.
func NewRouterContext(path, network, addr string, batchSize int, timeout time.Duration,
	x509Identity *pkix.Name, t tao.Tao) (hp *RouterContext, err error) {

	hp = new(RouterContext)
	hp.network = network
	hp.timeout = timeout

	// Generate keys and get attestation from parent.
	if hp.keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing|tao.Crypting, t); err != nil {
		return nil, err
	}

	// Create a certificate.
	if hp.keys.Cert, err = hp.keys.SigningKey.CreateSelfSignedX509(x509Identity); err != nil {
		return nil, err
	}

	// Load domain from local configuration.
	if hp.domain, err = tao.LoadDomain(path, nil); err != nil {
		return nil, err
	}

	// Encode TLS certificate.
	cert, err := tao.EncodeTLSCert(hp.keys)
	if err != nil {
		return nil, err
	}

	tlsConfig := &tls.Config{
		RootCAs:            x509.NewCertPool(),
		Certificates:       []tls.Certificate{*cert},
		InsecureSkipVerify: true,
		ClientAuth:         tls.NoClientCert,
	}

	// Bind address to socket.
	if hp.proxyListener, err = tao.ListenAnonymous(network, addr, tlsConfig,
		hp.domain.Guard, hp.domain.Keys.VerifyingKey, hp.keys.Delegation); err != nil {
		return nil, err
	}

	// Instantiate the queues.
	hp.sendQueue = NewQueue(network, batchSize, timeout)
	hp.replyQueue = NewQueue(network, batchSize, timeout)
	hp.killQueue = make(chan bool)
	hp.killQueueErrorHandler = make(chan bool)
	go hp.sendQueue.DoQueue(hp.killQueue)
	go hp.replyQueue.DoQueue(hp.killQueue)
	go hp.sendQueue.DoQueueErrorHandler(hp.replyQueue, hp.killQueueErrorHandler)
	go hp.replyQueue.DoQueueErrorHandlerLog("reply queue", hp.killQueueErrorHandler)

	return hp, nil
}
Exemple #4
0
// Connect establishes a connection to a netlog server, if necessary. This will
// be called automatically by Log() and Entries().
func (srv *Server) Connect() error {
	if srv.Conn != nil {
		return nil
	}

	keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent())
	if err != nil {
		return err
	}

	conn, err := tao.Dial("tcp", srv.Addr, srv.Guard, srv.DomainKey, keys, nil)
	if err != nil {
		return err
	}

	srv.Conn = conn
	return nil
}
Exemple #5
0
// Connect opens a connection to the server, if not already connected. If keys
// are provided, they will be used to connect. Otherwise, if running under a
// Tao, new Tao-delegated keys will be created to authenticate to the rendezvous
// server.
func (s *Server) Connect(keys *tao.Keys) error {
	if s.conn != nil {
		return nil
	}
	var err error
	if keys == nil && tao.Parent() != nil {
		keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent())
		if err != nil {
			return err
		}
	}
	addr := net.JoinHostPort(s.Host, s.Port)
	conn, err := tao.Dial("tcp", addr, nil /* guard */, nil /* verifier */, keys, nil)
	if err != nil {
		return err
	}
	s.conn = conn
	return nil
}
func doClient(domain *tao.Domain) {
	network := "tcp"
	keys, err := tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent())
	options.FailIf(err, "client: couldn't generate temporary Tao keys")

	// TODO(tmroeder): fix the name
	cert, err := keys.SigningKey.CreateSelfSignedX509(&pkix.Name{
		Organization: []string{"Google Tao Demo"}})
	options.FailIf(err, "client: couldn't create a self-signed X.509 cert")

	// TODO(kwalsh) keys should save cert on disk if keys are on disk
	keys.Cert = cert

	g := domain.Guard
	if *ca != "" {
		na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
		options.FailIf(err, "client: couldn't get a truncated attestation from %s: %s\n", *ca)

		keys.Delegation = na

		// If we're using a CA, then use a custom guard that accepts only
		// programs that have talked to the CA.
		g, err = newTempCAGuard(domain.Keys.VerifyingKey)
		options.FailIf(err, "client: couldn't set up a new guard")
	}

	pingGood := 0
	pingFail := 0
	for i := 0; i < *pingCount || *pingCount < 0; i++ { // negative means forever
		if doRequest(g, domain, keys) {
			pingGood++
		} else {
			pingFail++
		}
		fmt.Printf("client: made %d connections, finished %d ok, %d bad pings\n", i+1, pingGood, pingFail)
	}
}
func doServer() {
	var sock net.Listener
	var err error
	var keys *tao.Keys
	network := "tcp"
	domain, err := tao.LoadDomain(configPath(), nil)
	options.FailIf(err, "error: couldn't load the tao domain from %s\n", configPath())

	switch *demoAuth {
	case "tcp":
		sock, err = net.Listen(network, serverAddr)
		options.FailIf(err, "server: couldn't listen to the network")

	case "tls", "tao":
		// Generate a private/public key for this hosted program (hp) and
		// request attestation from the host of the statement "hp speaksFor
		// host". The resulting certificate, keys.Delegation, is a chain of
		// "says" statements extending to the policy key. The policy is
		// checked by the host before this program is executed.
		keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, tao.Parent())
		options.FailIf(err, "server: failed to generate delegated keys")

		// Create a certificate for the hp.
		keys.Cert, err = keys.SigningKey.CreateSelfSignedX509(&pkix.Name{
			Organization: []string{"Google Tao Demo"}})
		options.FailIf(err, "server: couldn't create certificate")

		g := domain.Guard
		if *ca != "" {
			// Replace keys.Delegation with a "says" statement directly from
			// the policy key.
			na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
			options.FailIf(err, "server: truncated attestation request failed")
			keys.Delegation = na

			g, err = newTempCAGuard(domain.Keys.VerifyingKey)
			options.FailIf(err, "server: couldn't set up a new guard")
		}

		tlsc, err := tao.EncodeTLSCert(keys)
		options.FailIf(err, "server: couldn't encode TLS certificate")

		conf := &tls.Config{
			RootCAs:            x509.NewCertPool(),
			Certificates:       []tls.Certificate{*tlsc},
			InsecureSkipVerify: true,
			ClientAuth:         tls.RequireAnyClientCert,
		}

		if *demoAuth == "tao" {
			sock, err = tao.Listen(network, serverAddr, conf, g, domain.Keys.VerifyingKey, keys.Delegation)
			options.FailIf(err, "sever: couldn't create a taonet listener")
		} else {
			sock, err = tls.Listen(network, serverAddr, conf)
			options.FailIf(err, "server: couldn't create a tls listener")
		}
	}

	fmt.Printf("server: listening at %s using %s authentication.\n", serverAddr, *demoAuth)
	defer sock.Close()

	pings := make(chan bool, 5)
	connCount := 0

	go func() {
		for connCount = 0; connCount < *pingCount || *pingCount < 0; connCount++ { // negative means forever
			conn, err := sock.Accept()
			options.FailIf(err, "server: can't accept connection")
			go doResponse(conn, pings)
		}
	}()

	pingGood := 0
	pingFail := 0

	for {
		select {
		case ok := <-pings:
			if ok {
				pingGood++
			} else {
				pingFail++
			}
		}
	}
}