mirror of https://github.com/docker/cli.git
Remove unused depdendencies from vendor
Signed-off-by: Daniel Nephin <dnephin@docker.com>
parent
a0113c3a44
commit
724f03bb23
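--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -6,21 +6,19 @@
 github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
 github.com/docker/docker 184cea5ff710abde25547749e5608b24a255ba09
 github.com/docker/docker-credential-helpers v0.5.1
-github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
 
 # the docker/go package contains a customized version of canonical/json
 # and is used by Notary. The package is periodically rebased on current Go versions.
 github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
-github.com/docker/libnetwork 19ac3ea7f52bb46e0eb10669756cdae0c441a5b1
 github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
 github.com/docker/notary v0.4.2-sirupsen https://github.com/simonferquel/notary.git
 github.com/docker/swarmkit 0554c9bc9a485025e89b8e5c2c1f0d75961906a2
 github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
 github.com/gogo/protobuf v0.4
 github.com/golang/protobuf 7a211bcf3bce0e3f1d74f9894916e6f116ae83b4
-github.com/google/certificate-transparency 0f6e3d1d1ba4d03fdaab7cd716f36255c2e48341
 github.com/gorilla/context v1.1
 github.com/gorilla/mux v1.1
 github.com/gotestyourself/gotestyourself v1.0.0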
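--- a/PATH_NOT_ON_PAGE_2
+++ /dev/null
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction,
-and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by
-the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all
-other entities that control, are controlled by, or are under common
-control with that entity. For the purposes of this definition,
-"control" means (i) the power, direct or indirect, to cause the
-direction or management of such entity, whether by contract or
-otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity
-exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications,
-including but not limited to software source code, documentation
-source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical
-transformation or translation of a Source form, including but
-not limited to compiled object code, generated documentation,
-and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or
-Object form, made available under the License, as indicated by a
-copyright notice that is included in or attached to the work
-(an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object
-form, that is based on (or derived from) the Work and for which the
-editorial revisions, annotations, elaborations, or other modifications
-represent, as a whole, an original work of authorship. For the purposes
-of this License, Derivative Works shall not include works that remain
-separable from, or merely link (or bind by name) to the interfaces of,
-the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including
-the original version of the Work and any modifications or additions
-to that Work or Derivative Works thereof, that is intentionally
-submitted to Licensor for inclusion in the Work by the copyright owner
-or by an individual or Legal Entity authorized to submit on behalf of
-the copyright owner. For the purposes of this definition, "submitted"
-means any form of electronic, verbal, or written communication sent
-to the Licensor or its representatives, including but not limited to
-communication on electronic mailing lists, source code control systems,
-and issue tracking systems that are managed by, or on behalf of, the
-Licensor for the purpose of discussing and improving the Work, but
-excluding communication that is conspicuously marked or otherwise
-designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity
-on behalf of whom a Contribution has been received by Licensor and
-subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-copyright license to reproduce, prepare Derivative Works of,
-publicly display, publicly perform, sublicense, and distribute the
-Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-(except as stated in this section) patent license to make, have made,
-use, offer to sell, sell, import, and otherwise transfer the Work,
-where such license applies only to those patent claims licensable
-by such Contributor that are necessarily infringed by their
-Contribution(s) alone or by combination of their Contribution(s)
-with the Work to which such Contribution(s) was submitted. If You
-institute patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Work
-or a Contribution incorporated within the Work constitutes direct
-or contributory patent infringement, then any patent licenses
-granted to You under this License for that Work shall terminate
-as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-Work or Derivative Works thereof in any medium, with or without
-modifications, and in Source or Object form, provided that You
-meet the following conditions:
-
-(a) You must give any other recipients of the Work or
-Derivative Works a copy of this License; and
-
-(b) You must cause any modified files to carry prominent notices
-stating that You changed the files; and
-
-(c) You must retain, in the Source form of any Derivative Works
-that You distribute, all copyright, patent, trademark, and
-attribution notices from the Source form of the Work,
-excluding those notices that do not pertain to any part of
-the Derivative Works; and
-
-(d) If the Work includes a "NOTICE" text file as part of its
-distribution, then any Derivative Works that You distribute must
-include a readable copy of the attribution notices contained
-within such NOTICE file, excluding those notices that do not
-pertain to any part of the Derivative Works, in at least one
-of the following places: within a NOTICE text file distributed
-as part of the Derivative Works; within the Source form or
-documentation, if provided along with the Derivative Works; or,
-within a display generated by the Derivative Works, if and
-wherever such third-party notices normally appear. The contents
-of the NOTICE file are for informational purposes only and
-do not modify the License. You may add Your own attribution
-notices within Derivative Works that You distribute, alongside
-or as an addendum to the NOTICE text from the Work, provided
-that such additional attribution notices cannot be construed
-as modifying the License.
-
-You may add Your own copyright statement to Your modifications and
-may provide additional or different license terms and conditions
-for use, reproduction, or distribution of Your modifications, or
-for any such Derivative Works as a whole, provided Your use,
-reproduction, and distribution of the Work otherwise complies with
-the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-any Contribution intentionally submitted for inclusion in the Work
-by You to the Licensor shall be under the terms and conditions of
-this License, without any additional terms or conditions.
-Notwithstanding the above, nothing herein shall supersede or modify
-the terms of any separate license agreement you may have executed
-with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-names, trademarks, service marks, or product names of the Licensor,
-except as required for reasonable and customary use in describing the
-origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-agreed to in writing, Licensor provides the Work (and each
-Contributor provides its Contributions) on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-implied, including, without limitation, any warranties or conditions
-of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-PARTICULAR PURPOSE. You are solely responsible for determining the
-appropriateness of using or redistributing the Work and assume any
-risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-whether in tort (including negligence), contract, or otherwise,
-unless required by applicable law (such as deliberate and grossly
-negligent acts) or agreed to in writing, shall any Contributor be
-liable to You for damages, including any direct, indirect, special,
-incidental, or consequential damages of any character arising as a
-result of this License or out of the use or inability to use the
-Work (including but not limited to damages for loss of goodwill,
-work stoppage, computer failure or malfunction, or any and all
-other commercial damages or losses), even if such Contributor
-has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-the Work or Derivative Works thereof, You may choose to offer,
-and charge a fee for, acceptance of support, warranty, indemnity,
-or other liability obligations and/or rights consistent with this
-License. However, in accepting such obligations, You may act only
-on Your own behalf and on Your sole responsibility, not on behalf
-of any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability
-incurred by, or claims asserted against, such Contributor by reason
-of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following
-boilerplate notice, with the fields enclosed by brackets "{}"
-replaced with your own identifying information. (Don't include
-the brackets!) The text should be enclosed in the appropriate
-comment syntax for the file format. We also recommend that a
-file or class name and description of purpose be included on the
-same "printed page" as the copyright notice for easier
-identification within third-party archives.
-
-Copyright {yyyy} {name of copyright owner}
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.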
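--- a/PATH_NOT_ON_PAGE_3
+++ /dev/null
@@ -1,89 +0,0 @@
-# libnetwork - networking for containers
-
-[![Circle CI](https://circleci.com/gh/docker/libnetwork/tree/master.svg?style=svg)](https://circleci.com/gh/docker/libnetwork/tree/master) [![Coverage Status](https://coveralls.io/repos/docker/libnetwork/badge.svg)](https://coveralls.io/r/docker/libnetwork) [![GoDoc](https://godoc.org/github.com/docker/libnetwork?status.svg)](https://godoc.org/github.com/docker/libnetwork)
-
-Libnetwork provides a native Go implementation for connecting containers
-
-The goal of libnetwork is to deliver a robust Container Network Model that provides a consistent programming interface and the required network abstractions for applications.
-
-#### Design
-Please refer to the [design](docs/design.md) for more information.
-
-#### Using libnetwork
-
-There are many networking solutions available to suit a broad range of use-cases. libnetwork uses a driver / plugin model to support all of these solutions while abstracting the complexity of the driver implementations by exposing a simple and consistent Network Model to users.
-
-
-```go
-func main() {
-if reexec.Init() {
-return
-}
-
-// Select and configure the network driver
-networkType := "bridge"
-
-// Create a new controller instance
-driverOptions := options.Generic{}
-genericOption := make(map[string]interface{})
-genericOption[netlabel.GenericData] = driverOptions
-controller, err := libnetwork.New(config.OptionDriverConfig(networkType, genericOption))
-if err != nil {
-log.Fatalf("libnetwork.New: %s", err)
-}
-
-// Create a network for containers to join.
-// NewNetwork accepts Variadic optional arguments that libnetwork and Drivers can use.
-network, err := controller.NewNetwork(networkType, "network1", "")
-if err != nil {
-log.Fatalf("controller.NewNetwork: %s", err)
-}
-
-// For each new container: allocate IP and interfaces. The returned network
-// settings will be used for container infos (inspect and such), as well as
-// iptables rules for port publishing. This info is contained or accessible
-// from the returned endpoint.
-ep, err := network.CreateEndpoint("Endpoint1")
-if err != nil {
-log.Fatalf("network.CreateEndpoint: %s", err)
-}
-
-// Create the sandbox for the container.
-// NewSandbox accepts Variadic optional arguments which libnetwork can use.
-sbx, err := controller.NewSandbox("container1",
-libnetwork.OptionHostname("test"),
-libnetwork.OptionDomainname("docker.io"))
-if err != nil {
-log.Fatalf("controller.NewSandbox: %s", err)
-}
-
-// A sandbox can join the endpoint via the join api.
-err = ep.Join(sbx)
-if err != nil {
-log.Fatalf("ep.Join: %s", err)
-}
-
-// libnetwork client can check the endpoint's operational data via the Info() API
-epInfo, err := ep.DriverInfo()
-if err != nil {
-log.Fatalf("ep.DriverInfo: %s", err)
-}
-
-macAddress, ok := epInfo[netlabel.MacAddress]
-if !ok {
-log.Fatalf("failed to get mac address from endpoint info")
-}
-
-fmt.Printf("Joined endpoint %s (%s) to sandbox %s (%s)\n", ep.Name(), macAddress, sbx.ContainerID(), sbx.Key())
-}
-```
-
-## Future
-Please refer to [roadmap](ROADMAP.md) for more information.
-
-## Contributing
-
-Want to hack on libnetwork? [Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md) apply.
-
-## Copyright and license
-Code and documentation copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons.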
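--- a/PATH_NOT_ON_PAGE_4
+++ /dev/null
@@ -1,44 +0,0 @@
-github.com/Azure/go-ansiterm 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
-github.com/BurntSushi/toml f706d00e3de6abe700c994cdd545a1a4915af060
-github.com/Microsoft/go-winio ce2922f643c8fd76b46cadc7f404a06282678b34
-github.com/Microsoft/hcsshim v0.6.1
-github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
-github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
-github.com/boltdb/bolt c6ba97b89e0454fec9aa92e1d33a4e2c5fc1f631
-github.com/codegangsta/cli a65b733b303f0055f8d324d805f393cd3e7a7904
-github.com/coreos/etcd 925d1d74cec8c3b169c52fd4b2dc234a35934fce
-github.com/coreos/go-systemd b4a58d95188dd092ae20072bac14cece0e67c388
-github.com/deckarep/golang-set ef32fa3046d9f249d399f98ebaf9be944430fd1d
-
-github.com/docker/docker 2cac43e3573893cf8fd816e0ad5615426acb87f4 https://github.com/dmcgowan/docker.git
-github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
-github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/docker/go-units 8e2d4523730c73120e10d4652f36ad6010998f4e
-github.com/docker/libkv 1d8431073ae03cdaedb198a89722f3aab6d418ef
-
-github.com/godbus/dbus 5f6efc7ef2759c81b7ba876593971bfce311eab3
-github.com/gogo/protobuf 8d70fb3182befc465c4a1eac8ad4d38ff49778e2
-github.com/golang/protobuf f7137ae6b19afbfd61a94b746fda3b3fe0491874
-github.com/gorilla/context 215affda49addc4c8ef7e2534915df2c8c35c6cd
-github.com/gorilla/mux 8096f47503459bcc74d1f4c487b7e6e42e5746b5
-github.com/hashicorp/consul 954aec66231b79c161a4122b023fbcad13047f79
-github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b
-github.com/hashicorp/go-multierror 2167c8ec40776024589f483a6b836489e47e1049
-github.com/hashicorp/memberlist v0.1.0
-github.com/sean-/seed e2103e2c35297fb7e17febb81e49b312087a2372
-github.com/hashicorp/go-sockaddr acd314c5781ea706c710d9ea70069fd2e110d61d
-github.com/hashicorp/serf 598c54895cc5a7b1a24a398d635e8c0ea0959870
-github.com/mattn/go-shellwords 525bedee691b5a8df547cb5cf9f86b7fb1883e24
-github.com/miekg/dns d27455715200c7d3e321a1e5cadb27c9ee0b0f02
-github.com/opencontainers/runc 8694d576ea3ce3c9e2c804b7f91b4e1e9a575d1c https://github.com/dmcgowan/runc.git
-github.com/samuel/go-zookeeper d0e0d8e11f318e000a8cc434616d69e329edc374
-github.com/seccomp/libseccomp-golang 1b506fc7c24eec5a3693cdcbed40d9c226cfc6a1
-github.com/sirupsen/logrus v1.0.1
-github.com/stretchr/testify dab07ac62d4905d3e48d17dc549c684ac3b7c15a
-github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
-github.com/ugorji/go f1f1a805ed361a0e078bb537e4ea78cd37dcf065
-github.com/vishvananda/netlink bd6d5de5ccef2d66b0a26177928d0d8895d7f969
-github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
-golang.org/x/net c427ad74c6d7a814201695e9ffde0c5d400a7674
-golang.org/x/sys 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
-github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9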
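--- a/PATH_NOT_ON_PAGE_5
+++ /dev/null
@@ -1,202 +0,0 @@
-
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction,
-and distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by
-the copyright owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all
-other entities that control, are controlled by, or are under common
-control with that entity. For the purposes of this definition,
-"control" means (i) the power, direct or indirect, to cause the
-direction or management of such entity, whether by contract or
-otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity
-exercising permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications,
-including but not limited to software source code, documentation
-source, and configuration files.
-
-"Object" form shall mean any form resulting from mechanical
-transformation or translation of a Source form, including but
-not limited to compiled object code, generated documentation,
-and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or
-Object form, made available under the License, as indicated by a
-copyright notice that is included in or attached to the work
-(an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object
-form, that is based on (or derived from) the Work and for which the
-editorial revisions, annotations, elaborations, or other modifications
-represent, as a whole, an original work of authorship. For the purposes
-of this License, Derivative Works shall not include works that remain
-separable from, or merely link (or bind by name) to the interfaces of,
-the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including
-the original version of the Work and any modifications or additions
-to that Work or Derivative Works thereof, that is intentionally
-submitted to Licensor for inclusion in the Work by the copyright owner
-or by an individual or Legal Entity authorized to submit on behalf of
-the copyright owner. For the purposes of this definition, "submitted"
-means any form of electronic, verbal, or written communication sent
-to the Licensor or its representatives, including but not limited to
-communication on electronic mailing lists, source code control systems,
-and issue tracking systems that are managed by, or on behalf of, the
-Licensor for the purpose of discussing and improving the Work, but
-excluding communication that is conspicuously marked or otherwise
-designated in writing by the copyright owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity
-on behalf of whom a Contribution has been received by Licensor and
-subsequently incorporated within the Work.
-
-2. Grant of Copyright License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-copyright license to reproduce, prepare Derivative Works of,
-publicly display, publicly perform, sublicense, and distribute the
-Work and such Derivative Works in Source or Object form.
-
-3. Grant of Patent License. Subject to the terms and conditions of
-this License, each Contributor hereby grants to You a perpetual,
-worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-(except as stated in this section) patent license to make, have made,
-use, offer to sell, sell, import, and otherwise transfer the Work,
-where such license applies only to those patent claims licensable
-by such Contributor that are necessarily infringed by their
-Contribution(s) alone or by combination of their Contribution(s)
-with the Work to which such Contribution(s) was submitted. If You
-institute patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Work
-or a Contribution incorporated within the Work constitutes direct
-or contributory patent infringement, then any patent licenses
-granted to You under this License for that Work shall terminate
-as of the date such litigation is filed.
-
-4. Redistribution. You may reproduce and distribute copies of the
-Work or Derivative Works thereof in any medium, with or without
-modifications, and in Source or Object form, provided that You
-meet the following conditions:
-
-(a) You must give any other recipients of the Work or
-Derivative Works a copy of this License; and
-
-(b) You must cause any modified files to carry prominent notices
-stating that You changed the files; and
-
-(c) You must retain, in the Source form of any Derivative Works
-that You distribute, all copyright, patent, trademark, and
-attribution notices from the Source form of the Work,
-excluding those notices that do not pertain to any part of
-the Derivative Works; and
-
-(d) If the Work includes a "NOTICE" text file as part of its
-distribution, then any Derivative Works that You distribute must
-include a readable copy of the attribution notices contained
-within such NOTICE file, excluding those notices that do not
-pertain to any part of the Derivative Works, in at least one
-of the following places: within a NOTICE text file distributed
-as part of the Derivative Works; within the Source form or
-documentation, if provided along with the Derivative Works; or,
-within a display generated by the Derivative Works, if and
-wherever such third-party notices normally appear. The contents
-of the NOTICE file are for informational purposes only and
-do not modify the License. You may add Your own attribution
-notices within Derivative Works that You distribute, alongside
-or as an addendum to the NOTICE text from the Work, provided
-that such additional attribution notices cannot be construed
-as modifying the License.
-
-You may add Your own copyright statement to Your modifications and
-may provide additional or different license terms and conditions
-for use, reproduction, or distribution of Your modifications, or
-for any such Derivative Works as a whole, provided Your use,
-reproduction, and distribution of the Work otherwise complies with
-the conditions stated in this License.
-
-5. Submission of Contributions. Unless You explicitly state otherwise,
-any Contribution intentionally submitted for inclusion in the Work
-by You to the Licensor shall be under the terms and conditions of
-this License, without any additional terms or conditions.
-Notwithstanding the above, nothing herein shall supersede or modify
-the terms of any separate license agreement you may have executed
-with Licensor regarding such Contributions.
-
-6. Trademarks. This License does not grant permission to use the trade
-names, trademarks, service marks, or product names of the Licensor,
-except as required for reasonable and customary use in describing the
-origin of the Work and reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty. Unless required by applicable law or
-agreed to in writing, Licensor provides the Work (and each
-Contributor provides its Contributions) on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-implied, including, without limitation, any warranties or conditions
-of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-PARTICULAR PURPOSE. You are solely responsible for determining the
-appropriateness of using or redistributing the Work and assume any
-risks associated with Your exercise of permissions under this License.
-
-8. Limitation of Liability. In no event and under no legal theory,
-whether in tort (including negligence), contract, or otherwise,
-unless required by applicable law (such as deliberate and grossly
-negligent acts) or agreed to in writing, shall any Contributor be
-liable to You for damages, including any direct, indirect, special,
-incidental, or consequential damages of any character arising as a
-result of this License or out of the use or inability to use the
-Work (including but not limited to damages for loss of goodwill,
-work stoppage, computer failure or malfunction, or any and all
-other commercial damages or losses), even if such Contributor
-has been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability. While redistributing
-the Work or Derivative Works thereof, You may choose to offer,
-and charge a fee for, acceptance of support, warranty, indemnity,
-or other liability obligations and/or rights consistent with this
-License. However, in accepting such obligations, You may act only
-on Your own behalf and on Your sole responsibility, not on behalf
-of any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability
-incurred by, or claims asserted against, such Contributor by reason
-of your accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work.
-
-To apply the Apache License to your work, attach the following
-boilerplate notice, with the fields enclosed by brackets "[]"
-replaced with your own identifying information. (Don't include
-the brackets!) The text should be enclosed in the appropriate
-comment syntax for the file format. We also recommend that a
-file or class name and description of purpose be included on the
-same "printed page" as the copyright notice for easier
-identification within third-party archives.
-
-Copyright [yyyy] [name of copyright owner]
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.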
@ -1,91 +0,0 @@
|
||||||
## Quickstart on Fedora 22 ##
|
|
||||||
|
|
||||||
Please attempt to use the GClient build as documented in the
|
|
||||||
[main readme](README.md) as this is an easier process and will be
|
|
||||||
maintained in future.
|
|
||||||
|
|
||||||
If GClient works and tests pass then the following procedures are not
|
|
||||||
required.
|
|
||||||
|
|
||||||
## Deprecated Manual Build Process ##
|
|
||||||
|
|
||||||
Note: This assumes a Workstation install for x64. The additional dependency
|
|
||||||
packages that need to be installed may vary if you are starting with a
|
|
||||||
different base system.
|
|
||||||
|
|
||||||
|
|
||||||
Install Dependencies:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo dnf update
|
|
||||||
sudo dnf install cmake gcc-g++ libevent-devel golang autoconf pkgconfig \
|
|
||||||
json-c-devel gflags-devel glog-devel protobuf-devel leveldb-devel \
|
|
||||||
openssl-devel gperftools-devel protobuf-compiler sqlite-devel ant \
|
|
||||||
java-1.8.0-openjdk-devel protobuf-java python-gflags protobuf-python \
|
|
||||||
python-ecdsa python-mock python-httplib2 git ldns-devel automake \
|
|
||||||
libtool shtool libunwind-devel
|
|
||||||
```
|
|
||||||
|
|
||||||
Other Libraries
|
|
||||||
|
|
||||||
|
|
||||||
The `gflags` in Fedora is v2.1 and is using the new default namespace option of
|
|
||||||
‘gflags’ rather than ‘google’ so we need to build our own version.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/gflags/gflags.git
|
|
||||||
cd gflags
|
|
||||||
cmake -DGFLAGS_NAMESPACE:STRING=google \
|
|
||||||
-DCMAKE_CXX_FLAGS:STRING=-fPIC .
|
|
||||||
make
|
|
||||||
cd ..
|
|
||||||
```
|
|
||||||
|
|
||||||
Next, we need `libevhtp` version `1.2.10` which is not packaged in Fedora, so
|
|
||||||
we build from source:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://github.com/ellzey/libevhtp/archive/1.2.10.zip
|
|
||||||
unzip 1.2.10.zip
|
|
||||||
cd libevhtp-1.2.10/
|
|
||||||
cmake -DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC .
|
|
||||||
make
|
|
||||||
cd ..
|
|
||||||
```
|
|
||||||
|
|
||||||
And let's get our own Google Test / Google Mock as these vary in incompatible
|
|
||||||
ways between packaged releases:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
wget https://googlemock.googlecode.com/files/gmock-1.7.0.zip
|
|
||||||
unzip gmock-1.7.0.zip
|
|
||||||
```
|
|
||||||
Now, clone the CT repo:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
git clone https://github.com/google/certificate-transparency.git
|
|
||||||
cd certificate-transparency/
|
|
||||||
```
|
|
||||||
|
|
||||||
One-time setup for Go:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
export GOPATH=$PWD/go
|
|
||||||
mkdir -p $GOPATH/src/github.com/google
|
|
||||||
ln -s $PWD $GOPATH/src/github.com/google
|
|
||||||
go get -v -d ./...
|
|
||||||
```
|
|
||||||
|
|
||||||
Build CT server C++ code:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
./autogen.sh
|
|
||||||
./configure GTEST_DIR=../gmock-1.7.0/gtest GMOCK_DIR=../gmock-1.7.0 \
|
|
||||||
CPPFLAGS="-I../libevhtp-1.2.10 -I../libevhtp-1.2.10/evthr \
|
|
||||||
-I../libevhtp-1.2.10/htparse -I../gflags/include" \
|
|
||||||
LDFLAGS=”-L../libevhtp-1.2.10 -L../gflags/lib”
|
|
||||||
make check
|
|
||||||
```
|
|
||||||
|
|
||||||
The remainder of the Java, Go and Python steps should be very similar to those
|
|
||||||
documented for Ubuntu in the [main readme file](README.md).
|
|
|
@ -1,57 +0,0 @@
|
||||||
## OSX Builds Now Use GClient ##
|
|
||||||
|
|
||||||
We recommend that you use GClient to build on OSX. Please follow the
|
|
||||||
instructions in the [main readme](README.md) file.
|
|
||||||
|
|
||||||
## Trusted root certificates ##
|
|
||||||
|
|
||||||
The CT code requires a set of trusted root certificates in order to:
|
|
||||||
1. Validate outbound HTTPS connections
|
|
||||||
2. (In the case of the log-server) decide whether to accept a certificate
|
|
||||||
chain for inclusion.
|
|
||||||
|
|
||||||
On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
|
|
||||||
Apple-provided patches which intercept failed chain validations and re-attempts
|
|
||||||
them using roots obtained from the system keychain. Since we use a much more
|
|
||||||
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
|
|
||||||
a PEM file containing the trusted root certs must be used.
|
|
||||||
|
|
||||||
## Specifying root certificates to be used
|
|
||||||
|
|
||||||
To use a certificate PEM bundle file with the CT C++ code, the following
|
|
||||||
methods may be used:
|
|
||||||
|
|
||||||
### For verifying outbound HTTPS connections:
|
|
||||||
|
|
||||||
Either set the
|
|
||||||
`--trusted_roots_certs' flag, or the `SSL_CERT_FILE` environment variable, to
|
|
||||||
point to the location of the PEM file containing the root certificates to be
|
|
||||||
used to verify the outbound HTTPS connection.
|
|
||||||
|
|
||||||
### Incoming inclusion requests (ct-server only)
|
|
||||||
|
|
||||||
Set the `--trusted_cert_file` flag to point to the location of the PEM file
|
|
||||||
containing the set of root certificates whose chains should be accepted for
|
|
||||||
inclusion into the log.
|
|
||||||
|
|
||||||
## Sources of trusted roots
|
|
||||||
|
|
||||||
Obviously the choice of root certificates to trust for outbound HTTPS
|
|
||||||
connections and incoming inclusion requests are a matter of operating policy,
|
|
||||||
but it is often useful to have a set of common roots for testing and
|
|
||||||
development at the very least.
|
|
||||||
|
|
||||||
While OSX ships with a set of common trusted roots, they are not directly
|
|
||||||
available to OpenSSL and must be exported from the keychain first. This can be
|
|
||||||
achieved with the following command:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
|
|
||||||
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
|
|
||||||
```
|
|
||||||
|
|
||||||
## Deprecated Build Process ##
|
|
||||||
|
|
||||||
This may be out of date and is not guaranteed to work.
|
|
||||||
|
|
||||||
gtest: install from source.
|
|
|
@ -1,269 +0,0 @@
|
||||||
certificate-transparency
|
|
||||||
========================
|
|
||||||
|
|
||||||
#Auditing for TLS certificates#
|
|
||||||
|
|
||||||
[![Build Status](https://travis-ci.org/google/certificate-transparency.svg?branch=master)](https://travis-ci.org/google/certificate-transparency)
|
|
||||||
|
|
||||||
|
|
||||||
## Build With GClient ##
|
|
||||||
|
|
||||||
This is now the recommended method for all supported platforms. It gives you
|
|
||||||
a reproducible build and avoids the need to build some dependencies manually.
|
|
||||||
|
|
||||||
Known to work on FreeBSD 10, OS X (10.10) [tested with XCode + brew installation
|
|
||||||
of deps listed below], and Ubuntu 14.04. Tested on Fedora 22 but may require
|
|
||||||
manual override of compiler options as documented below. Tested on CentOS 7
|
|
||||||
with similar caveats.
|
|
||||||
|
|
||||||
### Install Dependencies ###
|
|
||||||
|
|
||||||
Depending on which platform you have the exact packages required will vary.
|
|
||||||
The following tools must be available for the GClient build to succeed:
|
|
||||||
|
|
||||||
- autoconf/automake etc.
|
|
||||||
- clang++ (>=3.4)
|
|
||||||
- cmake (>=v3.1.2)
|
|
||||||
- git
|
|
||||||
- GNU make
|
|
||||||
- libtool
|
|
||||||
- shtool
|
|
||||||
- Tcl
|
|
||||||
- pkgconf
|
|
||||||
- python27
|
|
||||||
- [depot_tools](https://www.chromium.org/developers/how-tos/install-depot-tools)
|
|
||||||
|
|
||||||
### Building with gclient ###
|
|
||||||
|
|
||||||
```bash
|
|
||||||
export CXX=clang++ CC=clang
|
|
||||||
mkdir ct # or whatever directory you prefer
|
|
||||||
cd ct
|
|
||||||
gclient config --name="certificate-transparency" https://github.com/google/certificate-transparency.git
|
|
||||||
gclient sync
|
|
||||||
# substitute gmake or gnumake below if that's what your platform calls it:
|
|
||||||
make -C certificate-transparency check
|
|
||||||
```
|
|
||||||
|
|
||||||
If you're trying to clone from a branch on the CT repo then you'll need to
|
|
||||||
substitute the following command for the `gclient config` command above,
|
|
||||||
replacing `branch` as appropriate
|
|
||||||
|
|
||||||
```bash
|
|
||||||
gclient config --name="certificate-transparency" https://github.com/google/certificate-transparency.git@branch
|
|
||||||
```
|
|
||||||
|
|
||||||
### Platform Specific Notes ###
|
|
||||||
|
|
||||||
#### Fedora / CentOS ####
|
|
||||||
|
|
||||||
When you issue the `gclient sync` command you may need to set compiler options
|
|
||||||
in order to build successfully. If the build fails to work try using:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
CXXFLAGS="-O2 -Wno-error=unused-variable" gclient sync
|
|
||||||
```
|
|
||||||
|
|
||||||
If this gives an error about an unused typedef in a `glog` header file try this:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
CXXFLAGS="-O2 -Wno-error=unused-variable -Wno-error=unused-local-typedefs" gclient sync
|
|
||||||
```
|
|
||||||
|
|
||||||
When changing `CXXFLAGS` it's safer to remove the existing build directories
|
|
||||||
in case not all dependencies are properly accounted for and rebuilt. If
|
|
||||||
problems persist check that the Makefile in `certificate-transparency`
|
|
||||||
contains the options that were passed in `CXXFLAGS`.
|
|
||||||
|
|
||||||
If there are still problems using GClient then an older style build can be
|
|
||||||
attempted. The process should be similar to the one documented for Ubuntu
|
|
||||||
below or in the [Fedora README](README.Fedora) depending on platform.
|
|
||||||
|
|
||||||
## Deprecated: Quickstart on Ubuntu ##
|
|
||||||
|
|
||||||
This should no longer be needed as the instructions above should work. But in
|
|
||||||
case of difficulties the dependencies can be built manually. The following
|
|
||||||
steps will checkout the code and build it on a clean Ubuntu 14.04 LTS
|
|
||||||
installation. It has also been tested on an Ubuntu 15.04 installation.
|
|
||||||
|
|
||||||
First, install packaged dependencies:
|
|
||||||
|
|
||||||
sudo apt-get update -qq
|
|
||||||
sudo apt-get install -qq unzip cmake g++ libevent-dev golang-go autoconf pkg-config \
|
|
||||||
libjson-c-dev libgflags-dev libgoogle-glog-dev libprotobuf-dev libleveldb-dev \
|
|
||||||
libssl-dev libgoogle-perftools-dev protobuf-compiler libsqlite3-dev ant openjdk-7-jdk \
|
|
||||||
libprotobuf-java python-gflags python-protobuf python-ecdsa python-mock \
|
|
||||||
python-httplib2 git libldns-dev
|
|
||||||
|
|
||||||
Next, we need `libevhtp` version `1.2.10` which is not packaged in Ubuntu yet, so we build from source:
|
|
||||||
|
|
||||||
wget https://github.com/ellzey/libevhtp/archive/1.2.10.zip
|
|
||||||
unzip 1.2.10.zip
|
|
||||||
cd libevhtp-1.2.10/
|
|
||||||
cmake -DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC .
|
|
||||||
make
|
|
||||||
cd ..
|
|
||||||
|
|
||||||
And let's get our own Google Test / Google Mock as these vary in incompatible ways between packaged releases:
|
|
||||||
|
|
||||||
wget https://googlemock.googlecode.com/files/gmock-1.7.0.zip
|
|
||||||
unzip gmock-1.7.0.zip
|
|
||||||
|
|
||||||
Now, clone the CT repo:
|
|
||||||
|
|
||||||
git clone https://github.com/google/certificate-transparency.git
|
|
||||||
cd certificate-transparency/
|
|
||||||
|
|
||||||
One-time setup for Go:
|
|
||||||
|
|
||||||
export GOPATH=$PWD/go
|
|
||||||
mkdir -p $GOPATH/src/github.com/google
|
|
||||||
ln -s $PWD $GOPATH/src/github.com/google
|
|
||||||
go get -v -d ./...
|
|
||||||
|
|
||||||
Build CT server C++ code:
|
|
||||||
|
|
||||||
./autogen.sh
|
|
||||||
./configure GTEST_DIR=../gmock-1.7.0/gtest GMOCK_DIR=../gmock-1.7.0 \
|
|
||||||
CPPFLAGS="-I../libevhtp-1.2.10 -I../libevhtp-1.2.10/evthr \
|
|
||||||
-I../libevhtp-1.2.10/htparse" LDFLAGS=-L../libevhtp-1.2.10
|
|
||||||
make check
|
|
||||||
|
|
||||||
Build and test Java code:
|
|
||||||
|
|
||||||
ant build test
|
|
||||||
|
|
||||||
Build and test Python code:
|
|
||||||
|
|
||||||
make -C python test
|
|
||||||
|
|
||||||
Best and test Go code:
|
|
||||||
|
|
||||||
go test -v ./go/...
|
|
||||||
|
|
||||||
|
|
||||||
## Deprecated: Older Build Method ##
|
|
||||||
|
|
||||||
- [OpenSSL](https://www.openssl.org/source/), at least 1.0.0q,
|
|
||||||
preferably 1.0.1l or 1.0.2 (and up)
|
|
||||||
|
|
||||||
The checking of SCTs included in the
|
|
||||||
[RFC 6962](http://tools.ietf.org/html/rfc6962) TLS extension is only
|
|
||||||
included in OpenSSL 1.0.2. As of this writing, this version is not yet
|
|
||||||
released, so this means hand building the `OpenSSL_1_0_2-stable`
|
|
||||||
branch from the
|
|
||||||
[OpenSSL git repository](https://www.openssl.org/source/repos.html).
|
|
||||||
|
|
||||||
- [googlemock](https://github.com/google/googlemock) (tested with 1.7.0)
|
|
||||||
|
|
||||||
Gmock provides a bundled version of gtest, which will also be used.
|
|
||||||
|
|
||||||
Unpack googlemock, but do not build it. Upstream recommends to build a
|
|
||||||
new copy from source for each package to be tested. We follow this
|
|
||||||
advice in our `Makefile`, which builds gmock/gtest automatically.
|
|
||||||
|
|
||||||
Some systems make the googlemock source available as a package; on
|
|
||||||
Debian, this is in the google-mock package, which puts it in
|
|
||||||
`/usr/src/gmock`. Our `Makefile` looks in that location by default,
|
|
||||||
but if your googlemock sources are in a different location, set the
|
|
||||||
`GMOCK_DIR` environment variable to point at them.
|
|
||||||
|
|
||||||
If you are on FreeBSD, you may need to apply the patch in gtest.patch
|
|
||||||
to the gtest subdirectory of gmock.
|
|
||||||
|
|
||||||
- [protobuf](https://github.com/google/protobuf) (tested with 2.5.0)
|
|
||||||
- [gflags](https://github.com/gflags/gflags) (tested with 1.6
|
|
||||||
and 2.0)
|
|
||||||
- [glog](https://github.com/google/glog) (tested with 0.3.1)
|
|
||||||
|
|
||||||
Make sure to install glog **after** gflags, to avoid linking errors.
|
|
||||||
|
|
||||||
- [sqlite3](http://www.sqlite.org/)
|
|
||||||
- [leveldb](https://github.com/google/leveldb)
|
|
||||||
- [JSON-C](https://github.com/json-c/json-c/), at least 0.11
|
|
||||||
|
|
||||||
You can specify a JSON-C library in a non-standard location using the
|
|
||||||
`JSONCLIBDIR` environment variable. Version 0.10 would work as well,
|
|
||||||
except the `json_object_iterator.h` header is not properly copied when
|
|
||||||
installing. If you can install the missing header manually, it should
|
|
||||||
work.
|
|
||||||
|
|
||||||
- [libevent](http://libevent.org/) (tested with 2.0.21-stable)
|
|
||||||
- [libevhtp](https://github.com/ellzey/libevhtp) (tested with 1.2.10)
|
|
||||||
If building libevhtp from source, you may need to disable the regex support
|
|
||||||
with the following cmake flag: `-DEVHTP_DISABLE_REGEX:STRING=ON`
|
|
||||||
|
|
||||||
You can specify a non-installed locally built library using the
|
|
||||||
`LIBEVENTDIR` environment variable to point to the local build. Note
|
|
||||||
that the FreeBSD port version 2.0.21_2 does not appear to work
|
|
||||||
correctly (it only listens on IPv6 for the HTTP server) - for that
|
|
||||||
platform we had to build from the source, specifically commit
|
|
||||||
6dba1694c89119c44cef03528945e5a5978ab43a.
|
|
||||||
|
|
||||||
- [ldns](http://www.nlnetlabs.nl/projects/ldns/)
|
|
||||||
- [ant](http://ant.apache.org/)
|
|
||||||
- Python libraries:
|
|
||||||
- pyasn1 and pyasn1-modules (optional, needed for `upload_server_cert.sh`)
|
|
||||||
- [dnspython](http://www.dnspython.org/)
|
|
||||||
|
|
||||||
### Building ###
|
|
||||||
|
|
||||||
You can build the log server with the following commands:
|
|
||||||
|
|
||||||
$ ./autogen.sh # only necessary if you're building from git
|
|
||||||
$ ./configure
|
|
||||||
$ make
|
|
||||||
|
|
||||||
You can give the `configure` script extra parameters, to set
|
|
||||||
compilation flags, or point to custom versions of some dependencies
|
|
||||||
(notably, googlemock often needs this). For example, to compile with
|
|
||||||
Clang, using googlemock in `$HOME/gmock`, and a custom libevent in
|
|
||||||
`$HOME/libevent`:
|
|
||||||
|
|
||||||
$ ./configure CXX=clang++ GMOCK_DIR=$HOME CPPFLAGS="-I$HOME/libevent/include" LDFLAGS="-L$HOME/libevent/.libs"
|
|
||||||
|
|
||||||
Running `./configure --help` provides more information about various
|
|
||||||
variables that can be set.
|
|
||||||
|
|
||||||
## Running Unit Tests ##
|
|
||||||
|
|
||||||
Run unit tests with this command
|
|
||||||
|
|
||||||
$ make check
|
|
||||||
|
|
||||||
If the build still fails because of missing libraries, you may need to
|
|
||||||
set the environment variable `LD_LIBRARY_PATH`. On Linux, if you did
|
|
||||||
not change the default installation path (such as `/usr/local/lib`),
|
|
||||||
running
|
|
||||||
|
|
||||||
$ ldconfig
|
|
||||||
|
|
||||||
or, if needed,
|
|
||||||
|
|
||||||
$ sudo ldconfig
|
|
||||||
|
|
||||||
should resolve the problem.
|
|
||||||
|
|
||||||
## End-To-End Tests ##
|
|
||||||
|
|
||||||
For end-to-end server-client tests, you will need to install Apache
|
|
||||||
and point the tests to it. See `test/README` for how to do so.
|
|
||||||
|
|
||||||
## Testing and Logging Options ##
|
|
||||||
|
|
||||||
Note that several tests write files on disk. The default directory for
|
|
||||||
storing temporary testdata is `/tmp`. You can change this by setting
|
|
||||||
`TMPDIR=<tmpdir>` for make.
|
|
||||||
|
|
||||||
End-to-end tests also create temporary certificate and server files in
|
|
||||||
`test/tmp`. All these files are cleaned up after a successful test
|
|
||||||
run.
|
|
||||||
|
|
||||||
For logging options, see
|
|
||||||
http://google-glog.googlecode.com/svn/trunk/doc/glog.html
|
|
||||||
|
|
||||||
By default, unit tests log to stderr, and log only messages with a FATAL level
|
|
||||||
(i.e., those that result in abnormal program termination).
|
|
||||||
You can override the defaults with command-line flags.
|
|
||||||
|
|
||||||
End-to-end tests log everything at INFO level and above.
|
|
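--- a/vendor/github.com/google/certificate-transparency/cpp/third_party/curl/hostcheck.c
+++ b/vendor/github.com/google/certificate-transparency/cpp/third_party/curl/hostcheck.c
@@ -1,214 +0,0 @@
-/***************************************************************************
-* _ _ ____ _
-* Project ___| | | | _ \| |
-* / __| | | | |_) | |
-* | (__| |_| | _ <| |___
-* \___|\___/|_| \_\_____|
-*
-* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
-*
-* This software is licensed as described in the file COPYING, which
-* you should have received as part of this distribution. The terms
-* are also available at http://curl.haxx.se/docs/copyright.html.
-*
-* You may opt to use, copy, modify, merge, publish, distribute and/or sell
-* copies of the Software, and permit persons to whom the Software is
-* furnished to do so, under the terms of the COPYING file.
-*
-* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-* KIND, either express or implied.
-*
-***************************************************************************/
-
-/* This file is an amalgamation of hostcheck.c and most of rawstr.c
-from cURL. The contents of the COPYING file mentioned above are:
-
-COPYRIGHT AND PERMISSION NOTICE
-
-Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
-
-All rights reserved.
-
-Permission to use, copy, modify, and distribute this software for any purpose
-with or without fee is hereby granted, provided that the above copyright
-notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
-NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
-OR OTHER DEALINGS IN THE SOFTWARE.
-
-Except as contained in this notice, the name of a copyright holder shall not
-be used in advertising or otherwise to promote the sale, use or other dealings
-in this Software without prior written authorization of the copyright holder.
-*/
-
-#include "hostcheck.h"
-#include <string.h>
-
-/* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because
-its behavior is altered by the current locale. */
-static char Curl_raw_toupper(char in) {
-switch (in) {
-case 'a':
-return 'A';
-case 'b':
-return 'B';
-case 'c':
-return 'C';
-case 'd':
-return 'D';
-case 'e':
-return 'E';
-case 'f':
-return 'F';
-case 'g':
-return 'G';
-case 'h':
-return 'H';
-case 'i':
-return 'I';
-case 'j':
-return 'J';
-case 'k':
-return 'K';
-case 'l':
-return 'L';
-case 'm':
-return 'M';
-case 'n':
-return 'N';
-case 'o':
-return 'O';
-case 'p':
-return 'P';
-case 'q':
-return 'Q';
-case 'r':
-return 'R';
-case 's':
-return 'S';
-case 't':
-return 'T';
-case 'u':
-return 'U';
-case 'v':
-return 'V';
-case 'w':
-return 'W';
-case 'x':
-return 'X';
-case 'y':
-return 'Y';
-case 'z':
-return 'Z';
-}
-return in;
-}
-
-/*
-* Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
-* to be locale independent and only compare strings we know are safe for
-* this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for
-* some further explanation to why this function is necessary.
-*
-* The function is capable of comparing a-z case insensitively even for
-* non-ascii.
-*/
-
-static int Curl_raw_equal(const char *first, const char *second) {
-while (*first && *second) {
-if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second))
-/* get out of the loop as soon as they don't match */
-break;
-first++;
-second++;
-}
-/* we do the comparison here (possibly again), just to make sure that if the
-loop above is skipped because one of the strings reached zero, we must not
-return this as a successful match */
-return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
-}
-
-static int Curl_raw_nequal(const char *first, const char *second, size_t max) {
-while (*first && *second && max) {
-if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
-break;
-}
-max--;
-first++;
-second++;
-}
-if (0 == max)
-return 1; /* they are equal this far */
-
-return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
-}
-
-/*
-* Match a hostname against a wildcard pattern.
-* E.g.
-* "foo.host.com" matches "*.host.com".
-*
-* We use the matching rule described in RFC6125, section 6.4.3.
-* http://tools.ietf.org/html/rfc6125#section-6.4.3
-*/
-
-static int hostmatch(const char *hostname, const char *pattern) {
-const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
-int wildcard_enabled;
-size_t prefixlen, suffixlen;
-pattern_wildcard = strchr(pattern, '*');
-if (pattern_wildcard == NULL)
-return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH
-: CURL_HOST_NOMATCH;
-
-/* We require at least 2 dots in pattern to avoid too wide wildcard
-match. */
-wildcard_enabled = 1;
-pattern_label_end = strchr(pattern, '.');
-if (pattern_label_end == NULL ||
-strchr(pattern_label_end + 1, '.') == NULL ||
-pattern_wildcard > pattern_label_end ||
-Curl_raw_nequal(pattern, "xn--", 4)) {
-wildcard_enabled = 0;
-}
-if (!wildcard_enabled)
-return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH
-: CURL_HOST_NOMATCH;
-
-hostname_label_end = strchr(hostname, '.');
-if (hostname_label_end == NULL ||
-!Curl_raw_equal(pattern_label_end, hostname_label_end))
-return CURL_HOST_NOMATCH;
-
-/* The wildcard must match at least one character, so the left-most
-label of the hostname is at least as large as the left-most label
-of the pattern. */
-if (hostname_label_end - hostname < pattern_label_end - pattern)
-return CURL_HOST_NOMATCH;
-
-prefixlen = pattern_wildcard - pattern;
-suffixlen = pattern_label_end - (pattern_wildcard + 1);
-return Curl_raw_nequal(pattern, hostname, prefixlen) &&
-Curl_raw_nequal(pattern_wildcard + 1,
-hostname_label_end - suffixlen, suffixlen)
-? CURL_HOST_MATCH
-: CURL_HOST_NOMATCH;
-}
-
-int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) {
-if (!match_pattern || !*match_pattern || !hostname ||
-!*hostname) /* sanity check */
-return 0;
-
-if (Curl_raw_equal(hostname, match_pattern)) /* trivial case */
-return 1;
-
-if (hostmatch(hostname, match_pattern) == CURL_HOST_MATCH)
-return 1;
-return 0;
-}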
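--- a/vendor/github.com/google/certificate-transparency/cpp/third_party/curl/hostcheck.h
+++ b/vendor/github.com/google/certificate-transparency/cpp/third_party/curl/hostcheck.h
@@ -1,29 +0,0 @@
-#ifndef HEADER_CURL_HOSTCHECK_H
-#define HEADER_CURL_HOSTCHECK_H
-/***************************************************************************
-* _ _ ____ _
-* Project ___| | | | _ \| |
-* / __| | | | |_) | |
-* | (__| |_| | _ <| |___
-* \___|\___/|_| \_\_____|
-*
-* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
-*
-* This software is licensed as described in the file COPYING, which
-* you should have received as part of this distribution. The terms
-* are also available at http://curl.haxx.se/docs/copyright.html.
-*
-* You may opt to use, copy, modify, merge, publish, distribute and/or sell
-* copies of the Software, and permit persons to whom the Software is
-* furnished to do so, under the terms of the COPYING file.
-*
-* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-* KIND, either express or implied.
-*
-***************************************************************************/
-
-#define CURL_HOST_NOMATCH 0
-#define CURL_HOST_MATCH 1
-int Curl_cert_hostcheck(const char* match_pattern, const char* hostname);
-
-#endif /* HEADER_CURL_HOSTCHECK_H */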
@ -1,180 +0,0 @@
|
||||||
/* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
|
|
||||||
|
|
||||||
/*
|
|
||||||
Copyright (C) 2012, iSEC Partners.
|
|
||||||
|
|
||||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
||||||
this software and associated documentation files (the "Software"), to deal in
|
|
||||||
the Software without restriction, including without limitation the rights to
|
|
||||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
|
|
||||||
of the Software, and to permit persons to whom the Software is furnished to do
|
|
||||||
so, subject to the following conditions:
|
|
||||||
|
|
||||||
The above copyright notice and this permission notice shall be included in all
|
|
||||||
copies or substantial portions of the Software.
|
|
||||||
|
|
||||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
SOFTWARE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Helper functions to perform basic hostname validation using OpenSSL.
|
|
||||||
*
|
|
||||||
* Please read "everything-you-wanted-to-know-about-openssl.pdf" before
|
|
||||||
* attempting to use this code. This whitepaper describes how the code works,
|
|
||||||
* how it should be used, and what its limitations are.
|
|
||||||
*
|
|
||||||
* Author: Alban Diquet
|
|
||||||
* License: See LICENSE
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
#include <openssl/x509v3.h>
|
|
||||||
#include <openssl/ssl.h>
|
|
||||||
|
|
||||||
#include "third_party/curl/hostcheck.h"
|
|
||||||
#include "third_party/isec_partners/openssl_hostname_validation.h"
|
|
||||||
|
|
||||||
#define HOSTNAME_MAX_SIZE 255
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Tries to find a match for hostname in the certificate's Common Name field.
|
|
||||||
*
|
|
||||||
* Returns MatchFound if a match was found.
|
|
||||||
* Returns MatchNotFound if no matches were found.
|
|
||||||
* Returns MalformedCertificate if the Common Name had a NUL character embedded
|
|
||||||
* in it.
|
|
||||||
* Returns Error if the Common Name could not be extracted.
|
|
||||||
*/
|
|
||||||
static HostnameValidationResult matches_common_name(const char *hostname,
|
|
||||||
const X509 *server_cert) {
|
|
||||||
int common_name_loc = -1;
|
|
||||||
X509_NAME_ENTRY *common_name_entry = NULL;
|
|
||||||
ASN1_STRING *common_name_asn1 = NULL;
|
|
||||||
char *common_name_str = NULL;
|
|
||||||
|
|
||||||
// Find the position of the CN field in the Subject field of the certificate
|
|
||||||
common_name_loc =
|
|
||||||
X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *)server_cert),
|
|
||||||
NID_commonName, -1);
|
|
||||||
if (common_name_loc < 0) {
|
|
||||||
return Error;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Extract the CN field
common_name_entry =
X509_NAME_get_entry(X509_get_subject_name((X509 *)server_cert),
common_name_loc);
if (common_name_entry == NULL) {
return Error;
}
// Convert the CN field to a C string
common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
if (common_name_asn1 == NULL) {
return Error;
}
common_name_str = (char *)ASN1_STRING_data(common_name_asn1);
// Make sure there isn't an embedded NUL character in the CN
if ((size_t)ASN1_STRING_length(common_name_asn1) !=
strlen(common_name_str)) {
return MalformedCertificate;
}
// Compare expected hostname with the CN
if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
return MatchFound;
} else {
return MatchNotFound;
}
}
/**
* Tries to find a match for hostname in the certificate's Subject Alternative
* Name extension.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns NoSANPresent if the SAN extension was not present in the certificate.
*/
static HostnameValidationResult matches_subject_alternative_name(
const char *hostname, const X509 *server_cert) {
HostnameValidationResult result = MatchNotFound;
int i;
int san_names_nb = -1;
STACK_OF(GENERAL_NAME) *san_names = NULL;
// Try to extract the names within the SAN extension from the certificate
san_names =
X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL);
if (san_names == NULL) {
return NoSANPresent;
}
san_names_nb = sk_GENERAL_NAME_num(san_names);
// Check each name within the extension
for (i = 0; i < san_names_nb; i++) {
const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
if (current_name->type == GEN_DNS) {
// Current name is a DNS name, let's check it
char *dns_name = (char *)ASN1_STRING_data(current_name->d.dNSName);
// Make sure there isn't an embedded NUL character in the DNS name
if ((size_t)ASN1_STRING_length(current_name->d.dNSName) !=
strlen(dns_name)) {
result = MalformedCertificate;
break;
} else { // Compare expected hostname with the DNS name
if (Curl_cert_hostcheck(dns_name, hostname) == CURL_HOST_MATCH) {
result = MatchFound;
break;
}
}
}
}
sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
return result;
}
/**
* Validates the server's identity by looking for the expected hostname in the
* server's certificate. As described in RFC 6125, it first tries to find a
* match
* in the Subject Alternative Name extension. If the extension is not present in
* the certificate, it checks the Common Name instead.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns Error if there was an error.
*/
HostnameValidationResult validate_hostname(const char *hostname,
const X509 *server_cert) {
HostnameValidationResult result;
if ((hostname == NULL) || (server_cert == NULL))
return Error;
// First try the Subject Alternative Names extension
result = matches_subject_alternative_name(hostname, server_cert);
if (result == NoSANPresent) {
// Extension was not found: try the Common Name
result = matches_common_name(hostname, server_cert);
}
return result;
}
@ -1,59 +0,0 @@
/* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
/*
Copyright (C) 2012, iSEC Partners.
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
/*
* Helper functions to perform basic hostname validation using OpenSSL.
*
* Please read "everything-you-wanted-to-know-about-openssl.pdf" before
* attempting to use this code. This whitepaper describes how the code works,
* how it should be used, and what its limitations are.
*
* Author: Alban Diquet
* License: See LICENSE
*
*/
typedef enum {
MatchFound,
MatchNotFound,
NoSANPresent,
MalformedCertificate,
Error
} HostnameValidationResult;
/**
* Validates the server's identity by looking for the expected hostname in the
* server's certificate. As described in RFC 6125, it first tries to find a
* match
* in the Subject Alternative Name extension. If the extension is not present in
* the certificate, it checks the Common Name instead.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns Error if there was an error.
*/
HostnameValidationResult validate_hostname(const char* hostname,
const X509* server_cert);
@ -1,12 +0,0 @@
#ifndef CERT_TRANS_VERSION_H_
#define CERT_TRANS_VERSION_H_
namespace cert_trans {
extern const char kBuildVersion[];
} // namespace cert_trans
#endif // CERT_TRANS_VERSION_H_
@ -1,320 +0,0 @@
syntax = "proto2";
package ct;
////////////////////////////////////////////////////////////////////////////////
// These protocol buffers should be kept aligned with the I-D. //
////////////////////////////////////////////////////////////////////////////////
// RFC 5246
message DigitallySigned {
enum HashAlgorithm {
NONE = 0;
MD5 = 1;
SHA1 = 2;
SHA224 = 3;
SHA256 = 4;
SHA384 = 5;
SHA512 = 6;
}
enum SignatureAlgorithm {
ANONYMOUS = 0;
RSA = 1;
DSA = 2;
ECDSA = 3;
}
// 1 byte
optional HashAlgorithm hash_algorithm = 1 [ default = NONE ];
// 1 byte
optional SignatureAlgorithm sig_algorithm = 2 [ default = ANONYMOUS ];
// 0..2^16-1 bytes
optional bytes signature = 3;
}
enum LogEntryType {
X509_ENTRY = 0;
PRECERT_ENTRY = 1;
PRECERT_ENTRY_V2 = 2;
// Not part of the I-D, and outside the valid range.
X_JSON_ENTRY = 32768; // Experimental, don't rely on this!
UNKNOWN_ENTRY_TYPE = 65536;
}
message X509ChainEntry {
// For V1 this entry just includes the certificate in the leaf_certificate
// field
// <1..2^24-1>
optional bytes leaf_certificate = 1;
// For V2 it includes the cert and key hash using CertInfo. The
// leaf_certificate field is not used
optional CertInfo cert_info = 3;
// <0..2^24-1>
// A chain from the leaf to a trusted root
// (excluding leaf and possibly root).
repeated bytes certificate_chain = 2;
}
// opaque TBSCertificate<1..2^16-1>;
// struct {
// opaque issuer_key_hash[32];
// TBSCertificate tbs_certificate;
// } PreCert;
// Retained for V1 API compatibility. May be removed in a future release.
message PreCert {
optional bytes issuer_key_hash = 1;
optional bytes tbs_certificate = 2;
}
// In V2 this is used for both certificates and precertificates in SCTs. It
// replaces PreCert and has the same structure. The older message remains for
// compatibility with existing code that depends on this proto.
message CertInfo {
optional bytes issuer_key_hash = 1;
optional bytes tbs_certificate = 2;
}
message PrecertChainEntry {
// <1..2^24-1>
optional bytes pre_certificate = 1;
// <0..2^24-1>
// The chain certifying the precertificate, as submitted by the CA.
repeated bytes precertificate_chain = 2;
// PreCert input to the SCT. Can be computed from the above.
// Store it alongside the entry data so that the signers don't have to
// parse certificates to recompute it.
optional PreCert pre_cert = 3;
// As above for V2 messages. Only one of these fields will be set in a
// valid message
optional CertInfo cert_info = 4;
}
message XJSONEntry {
optional string json = 1;
}
// TODO(alcutter): Consider using extensions here instead.
message LogEntry {
optional LogEntryType type = 1 [ default = UNKNOWN_ENTRY_TYPE ];
optional X509ChainEntry x509_entry = 2;
optional PrecertChainEntry precert_entry = 3;
optional XJSONEntry x_json_entry = 4;
}
enum SignatureType {
CERTIFICATE_TIMESTAMP = 0;
// TODO(ekasper): called tree_hash in I-D.
TREE_HEAD = 1;
}
enum Version {
V1 = 0;
V2 = 1;
// Not part of the I-D, and outside the valid range.
UNKNOWN_VERSION = 256;
}
message LogID {
// 32 bytes
optional bytes key_id = 1;
}
message SctExtension {
// Valid range is 0-65534
optional uint32 sct_extension_type = 1;
// Data is opaque and type specific. <0..2^16-1> bytes
optional bytes sct_extension_data = 2;
}
// TODO(ekasper): implement support for id.
message SignedCertificateTimestamp {
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
// UTC time in milliseconds, since January 1, 1970, 00:00.
optional uint64 timestamp = 3;
optional DigitallySigned signature = 4;
// V1 extensions
optional bytes extensions = 5;
// V2 extensions <0..2^16-1>. Must be ordered by type (lowest first)
repeated SctExtension sct_extension = 6;
}
message SignedCertificateTimestampList {
// One or more SCTs, <1..2^16-1> bytes each
repeated bytes sct_list = 1;
}
enum MerkleLeafType {
TIMESTAMPED_ENTRY = 0;
UNKNOWN_LEAF_TYPE = 256;
}
message SignedEntry {
// For V1 signed entries either the x509 or precert field will be set
optional bytes x509 = 1;
optional PreCert precert = 2;
optional bytes json = 3;
// For V2 all entries use the CertInfo field and the above fields are
// not set
optional CertInfo cert_info = 4;
}
message TimestampedEntry {
optional uint64 timestamp = 1;
optional LogEntryType entry_type = 2;
optional SignedEntry signed_entry = 3;
// V1 extensions
optional bytes extensions = 4;
// V2 extensions <0..2^16-1>. Must be ordered by type (lowest first)
repeated SctExtension sct_extension = 5;
}
// Stuff that's hashed into a Merkle leaf.
message MerkleTreeLeaf {
// The version of the corresponding SCT.
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional MerkleLeafType type = 2 [ default = UNKNOWN_LEAF_TYPE ];
optional TimestampedEntry timestamped_entry = 3;
}
// TODO(benl): No longer needed?
//
// Used by cpp/client/ct: it assembles the one from the I-D JSON
// protocol.
//
// Used by cpp/server/blob-server: it uses one to call a variant of
// LogLookup::AuditProof.
message MerkleAuditProof {
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
optional int64 tree_size = 3;
optional uint64 timestamp = 4;
optional int64 leaf_index = 5;
repeated bytes path_node = 6;
optional DigitallySigned tree_head_signature = 7;
}
message ShortMerkleAuditProof {
required int64 leaf_index = 1;
repeated bytes path_node = 2;
}
////////////////////////////////////////////////////////////////////////////////
// Finally, stuff that's not in the I-D but that we use internally //
// for logging entries and tree head state. //
////////////////////////////////////////////////////////////////////////////////
// TODO(alcutter): Come up with a better name :/
message LoggedEntryPB {
optional int64 sequence_number = 1;
optional bytes merkle_leaf_hash = 2;
message Contents {
optional SignedCertificateTimestamp sct = 1;
optional LogEntry entry = 2;
}
required Contents contents = 3;
}
message SthExtension {
// Valid range is 0-65534
optional uint32 sth_extension_type = 1;
// Data is opaque and type specific <0..2^16-1> bytes
optional bytes sth_extension_data = 2;
}
message SignedTreeHead {
// The version of the tree head signature.
// (Note that each leaf has its own version, so a V2 tree
// can contain V1 leaves, too.
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
optional uint64 timestamp = 3;
optional int64 tree_size = 4;
optional bytes sha256_root_hash = 5;
optional DigitallySigned signature = 6;
// Only supported in V2. <0..2^16-1>
repeated SthExtension sth_extension = 7;
}
// Stuff the SSL client spits out from a connection.
message SSLClientCTData {
optional LogEntry reconstructed_entry = 1;
optional bytes certificate_sha256_hash = 2;
message SCTInfo {
// There is an entry + sct -> leaf hash mapping.
optional SignedCertificateTimestamp sct = 1;
optional bytes merkle_leaf_hash = 2;
}
repeated SCTInfo attached_sct_info = 3;
}
message ClusterNodeState {
optional string node_id = 1;
optional int64 contiguous_tree_size = 2 [deprecated = true];
optional SignedTreeHead newest_sth = 3;
optional SignedTreeHead current_serving_sth = 4;
// The following host_name/log_port pair are used to allow a log node to
// contact other nodes in the cluster, primarily for the purposes of
// replication.
// hostname/ip which can be used to contact [just] this log node
optional string hostname = 5;
// port on which this log node is listening.
optional int32 log_port = 6;
}
message ClusterControl {
optional bool accept_new_entries = 1 [ default = true ];
}
message ClusterConfig {
/////////////////////////////////
// This section of the config affects the selection of the cluster's current
// serving STH.
// The cluster will always attempt to determine the newest (and
// largest) possible STH which meets the constraints defined below from the
// set of STHs available at the individual cluster nodes.
// (Note that nodes with newer/larger STHs can, of course, serve
// earlier/smaller STHs.)
// The minimum number of nodes which must be able to serve a given STH.
// This setting allows you to configure the level of cluster resiliency
// against data (in the form of node/node database) loss.
// i.e.: Once an STH has been created, it must have been replicated to
// at least this many nodes before being considered as a candidate for
// the overall cluster serving STH.
optional int32 minimum_serving_nodes = 1;
// The minimum fraction of nodes which must be able to serve a given STH.
// This setting allows you to configure the serving capacity redundancy of
// your cluster.
// e.g. you determine you need 3 nodes to serve your expected peak traffic
// levels, but want to be over-provisioned by 25% to ensure the cluster will
// continue to be able to handle the traffic in the case of a single node
// failure, you might set this to 0.75 to ensure that any cluster-wide
// serving STH candidate must be servable from at least 3 of your 4 nodes.
optional double minimum_serving_fraction = 2;
/////////////////////////////////
// When the number of entries in the EtcedConsistentStore exceeds this value,
// the log server will reject all calls to add-[pre-]chain to protect itself
// and etcd.
optional double etcd_reject_add_pending_threshold = 3 [default = 30000];
}
message SequenceMapping {
message Mapping {
optional bytes entry_hash = 1;
optional int64 sequence_number = 2;
}
repeated Mapping mapping = 1;
}