func serve(addr, fp string, cert []byte, signingKey *tao.Keys, policy *fileproxy.ProgramPolicy) error {
m := fileproxy.NewResourceMaster(fp)
policyCert, err := x509.ParseCertificate(cert)
if err != nil {
return err
}
conf, err := signingKey.TLSServerConfig(policyCert)
if err != nil {
return err
}
log.Println("fileserver listening")
sock, err := tls.Listen("tcp", addr, conf)
if err != nil {
return err
}
for {
// Accept and handle client connections one at a time.
conn, err := sock.Accept()
if err != nil {
return err
}
var clientName string
if err = conn.(*tls.Conn).Handshake(); err != nil {
log.Printf("fileserver: couldn't perform handshake: %s\n", err)
continue
}
peerCerts := conn.(*tls.Conn).ConnectionState().PeerCertificates
if peerCerts == nil {
log.Println("fileserver: couldn't get peer list")
continue
}
peerCert := conn.(*tls.Conn).ConnectionState().PeerCertificates[0]
if peerCert.Raw == nil {
log.Println("fileserver: couldn't get peer name")
continue
}
if peerCert.Subject.OrganizationalUnit != nil {
clientName = peerCert.Subject.OrganizationalUnit[0]
}
log.Printf("fileserver: peer name: '%s'\n", clientName)
ms := util.NewMessageStream(conn)
// TODO(tmroeder): support multiple simultaneous clients. This
// requires, e.g., adding locking to the ResourceMaster.
if err := m.RunMessageLoop(ms, policy); err != nil {
log.Printf("fileserver: failed to run message loop: %s\n", err)
continue
}
log.Println("Finished handling the client messages")
}
}
func serve(serverAddr string, prin string, policyCert []byte, signingKey *tao.Keys, policy *fileproxy.ProgramPolicy, m *fileproxy.RollbackMaster) error {
pc, err := x509.ParseCertificate(policyCert)
if err != nil {
return err
}
conf, err := signingKey.TLSServerConfig(pc)
if err != nil {
return err
}
log.Println("Rollback server listening")
sock, err := tls.Listen("tcp", serverAddr, conf)
if err != nil {
return err
}
for {
conn, err := sock.Accept()
if err != nil {
return err
}
var clientName string
if err = conn.(*tls.Conn).Handshake(); err != nil {
log.Println("TLS handshake failed")
continue
}
peerCerts := conn.(*tls.Conn).ConnectionState().PeerCertificates
if peerCerts == nil {
log.Println("rollbackserver: can't get peer list")
continue
}
peerCert := conn.(*tls.Conn).ConnectionState().PeerCertificates[0]
if peerCert.Raw == nil {
log.Println("rollbackserver: can't get peer name")
continue
}
if peerCert.Subject.OrganizationalUnit == nil {
log.Println("No OrganizationalUnit name in the peer certificate. Refusing the connection")
continue
}
clientName = peerCert.Subject.OrganizationalUnit[0]
ms := util.NewMessageStream(conn)
// TODO(tmroeder): support multiple simultaneous clients.
// Add this program as a rollback program.
log.Printf("Adding a program with name '%s'\n", clientName)
_ = m.AddRollbackProgram(clientName)
if err := m.RunMessageLoop(ms, policy, clientName); err != nil {
log.Printf("rollbackserver: failed to run message loop: %s\n", err)
}
}
}
func doServer() {
var sock net.Listener
var err error
var keys *tao.Keys
network := "tcp"
domain, err := tao.LoadDomain(configPath(), nil)
options.FailIf(err, "error: couldn't load the tao domain from %s\n", configPath())
switch *demoAuth {
case "tcp":
sock, err = net.Listen(network, serverAddr)
options.FailIf(err, "server: couldn't listen to the network")
case "tls", "tao":
// Generate a private/public key for this hosted program (hp) and
// request attestation from the host of the statement "hp speaksFor
// host". The resulting certificate, keys.Delegation, is a chain of
// "says" statements extending to the policy key. The policy is
// checked by the host before this program is executed.
keys, err = tao.NewTemporaryTaoDelegatedKeys(tao.Signing, nil, tao.Parent())
options.FailIf(err, "server: failed to generate delegated keys")
g := domain.Guard
if *ca != "" {
// Replace keys.Delegation with a "says" statement directly from
// the policy key.
na, err := tao.RequestTruncatedAttestation(network, *ca, keys, domain.Keys.VerifyingKey)
options.FailIf(err, "server: truncated attestation request failed")
keys.Delegation = na
g, err = newTempCAGuard(domain.Keys.VerifyingKey)
options.FailIf(err, "server: couldn't set up a new guard")
}
if *demoAuth == "tao" {
sock, err = tao.Listen(network, serverAddr, keys, g, domain.Keys.VerifyingKey, nil)
options.FailIf(err, "sever: couldn't create a taonet listener")
} else {
conf, err := keys.TLSServerConfig(nil)
options.FailIf(err, "server: couldn't encode TLS certificate")
sock, err = tls.Listen(network, serverAddr, conf)
options.FailIf(err, "server: couldn't create a tls listener")
}
}
fmt.Printf("server: listening at %s using %s authentication.\n", serverAddr, *demoAuth)
defer sock.Close()
pings := make(chan bool, 5)
connCount := 0
go func() {
for connCount = 0; connCount < *pingCount || *pingCount < 0; connCount++ { // negative means forever
conn, err := sock.Accept()
options.FailIf(err, "server: can't accept connection")
go doResponse(conn, pings)
}
}()
pingGood := 0
pingFail := 0
for {
select {
case ok := <-pings:
if ok {
pingGood++
} else {
pingFail++
}
}
}
}