To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to server.cpp
- browse files at revision 2.1.1
- compare with another revision
- download diff
- download tarball
- view history from revision 2.1.1
- Committer: Björn Påhlsson
- Date: 2008-01-18 21:18:26 UTC
- mto: This revision was merged to the branch mainline in revision 6.
- Revision ID: belorn@legolas-20080118211826-5rbwo54l4bwim5x2
Client:
[Working version in initrd for booting]
Added #ifdef DEBUG statements through out the program
Added support to keep bouth tcp and udp up at the same time
Catching several more error return codes that was unchecked.
Starts the Network interface during startup.
Added support for entering password on console
Added error handling, like looping until a password has been received.
Added cleanup handling so console state is always restored
removed:
Old server.cpp [see next version]
Test certificates
[Working version in initrd for booting]
Added #ifdef DEBUG statements through out the program
Added support to keep bouth tcp and udp up at the same time
Catching several more error return codes that was unchecked.
Starts the Network interface during startup.
Added support for entering password on console
Added error handling, like looping until a password has been received.
Added cleanup handling so console state is always restored
removed:
Old server.cpp [see next version]
Test certificates
- files removed:
- bad-ca.pem
- files modified:
- client.cpp
added
removed
server.cpp
1
extern "C" {
2
#include <sys/types.h> //socket, setsockopt, bind, listen, accept,
3
// inet_ntop,
4
#include <sys/socket.h> //socket, setsockopt, bind, listen, accept,
5
// inet_ntop
6
#include <sys/ioctl.h> //ioctl, sockaddr_ll, ifreq
7
#include <unistd.h> //write, close
8
#include <netinet/ip.h> // sockaddr_in
9
#include <gnutls/gnutls.h>
10
#include <gnutls/x509.h> // gnutls_x509_crt_init, gnutls_x509_crt_import, gnutls_x509_crt_get_dn
11
#include <arpa/inet.h> // inet_ntop, htons
12
#include <net/if.h> //ifreq
13
}
14
15
#include <cstdio>
16
#include <cstring>
17
#include <cerrno>
18
#include <algorithm> // std::max
19
#include <cstdlib> // exit()
20
#include <fstream> // std::ifstream
21
#include <string> // std::string
22
#include <map> // std::map
23
#include <iostream> // cout
24
#include <ostream> // <<
25
26
#define SOCKET_ERR(err,s) if(err<0) {perror(s);exit(1);}
27
28
#define PORT 49001
29
#define KEYFILE "key.pem"
30
#define CERTFILE "cert.pem"
31
#define CAFILE "ca.pem"
32
#define CRLFILE "crl.pem"
33
#define DH_BITS 1024
34
35
using std::string;
36
using std::ifstream;
37
using std::map;
38
using std::cout;
39
40
/* These are global */
41
gnutls_certificate_credentials_t x509_cred;
42
map<string,string> table;
43
44
static gnutls_dh_params_t dh_params;
45
46
static int
47
generate_dh_params ()
48
{
49
50
/* Generate Diffie Hellman parameters - for use with DHE
51
* kx algorithms. These should be discarded and regenerated
52
* once a day, once a week or once a month. Depending on the
53
* security requirements.
54
*/
55
gnutls_dh_params_init (&dh_params);
56
gnutls_dh_params_generate2 (dh_params, DH_BITS);
57
58
return 0;
59
}
60
61
gnutls_session_t
62
initialize_tls_session ()
63
{
64
gnutls_session_t session;
65
66
gnutls_global_init ();
67
68
gnutls_certificate_allocate_credentials (&x509_cred);
69
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
70
GNUTLS_X509_FMT_PEM);
71
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
72
GNUTLS_X509_FMT_PEM);
73
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
74
GNUTLS_X509_FMT_PEM);
75
76
generate_dh_params ();
77
gnutls_certificate_set_dh_params (x509_cred, dh_params);
78
79
gnutls_init (&session, GNUTLS_SERVER);
80
gnutls_set_default_priority (session);
81
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);
82
83
// request client certificate if any.
84
85
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
86
gnutls_dh_set_prime_bits (session, DH_BITS);
87
88
return session;
89
}
90
91
92
void udpreply(int &sd){
93
struct sockaddr_in6 sa_cli;
94
int ret;
95
char buffer[512];
96
97
{
98
socklen_t sa_cli_len = sizeof(sa_cli);
99
ret = recvfrom(sd, buffer, 512,0,
100
reinterpret_cast<sockaddr *>(& sa_cli), & sa_cli_len);
101
SOCKET_ERR (ret, "recvfrom");
102
}
103
104
if (strncmp(buffer,"Marco", 5) == 0){
105
ret = sendto(sd, "Polo", 4, 0, reinterpret_cast<sockaddr *>(& sa_cli),
106
sizeof(sa_cli));
107
SOCKET_ERR (ret, "sendto");
108
}
109
110
}
111
112
void tcpreply(int sd, struct sockaddr_in6 *sa_cli, gnutls_session_t session){
113
114
int ret;
115
unsigned int status;
116
char buffer[512];
117
int exit_status = 0;
118
char dn[128];
119
120
#define DIE(s){ exit_status = s; goto tcpreply_die; }
121
122
printf ("- TCP connection from %s, port %d\n",
123
inet_ntop (AF_INET6, &(sa_cli->sin6_addr), buffer,
124
sizeof (buffer)), ntohs (sa_cli->sin6_port));
125
126
127
gnutls_transport_set_ptr (session, reinterpret_cast<gnutls_transport_ptr_t> (sd));
128
129
130
ret = gnutls_handshake (session);
131
if (ret < 0)
132
{
133
close (sd);
134
gnutls_deinit (session);
135
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
136
gnutls_strerror (ret));
137
DIE(1);
138
}
139
printf ("- Handshake was completed\n");
140
141
//time to validate
142
143
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509){
144
printf("Recived certificate not X.509\n");
145
DIE(1);
146
}
147
{
148
const gnutls_datum_t *cert_list;
149
unsigned int cert_list_size = 0;
150
gnutls_x509_crt_t cert;
151
size_t size;
152
153
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
154
155
printf ("Peer provided %d certificates.\n", cert_list_size);
156
157
if (cert_list_size == 0){
158
printf("No certificates recived\n");
159
DIE(1);
160
}
161
162
gnutls_x509_crt_init (&cert);
163
164
// XXX -Checking only first cert, might want to check them all
165
gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER);
166
167
size = sizeof (dn);
168
gnutls_x509_crt_get_dn (cert, dn, &size);
169
170
printf ("DN: %s\n", dn);
171
}
172
173
ret = gnutls_certificate_verify_peers2 (session, &status);
174
175
if (ret < 0){
176
printf ("Verify failed\n");
177
DIE(1);
178
}
179
180
if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_REVOKED)) {
181
if (status & GNUTLS_CERT_INVALID) {
182
printf ("The certificate is not trusted.\n");
183
}
184
185
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND){
186
printf ("The certificate hasn't got a known issuer.\n");
187
}
188
189
if (status & GNUTLS_CERT_REVOKED){
190
printf ("The certificate has been revoked.\n");
191
}
192
DIE(1);
193
}
194
195
if (table.find(dn) != table.end()){
196
gnutls_record_send (session, table[dn].c_str(), table[dn].size());
197
printf("Password sent to client\n");
198
}
199
else {
200
printf("dn not in list of allowed clients\n");
201
}
202
203
204
tcpreply_die:
205
gnutls_bye (session, GNUTLS_SHUT_WR);
206
close(sd);
207
gnutls_deinit (session);
208
gnutls_certificate_free_credentials (x509_cred);
209
gnutls_global_deinit ();
210
exit(exit_status);
211
}
212
213
214
void badconfigparser(string file){
215
216
string dn;
217
string pw;
218
string pwfile;
219
ifstream infile (file.c_str());
220
221
while(infile){
222
getline(infile, dn, '\n');
223
if(not infile){
224
break;
225
}
226
getline(infile, pw, '\n');
227
if(not infile){
228
break;
229
}
230
getline(infile, pwfile, '\n');
231
if(not infile){
232
break;
233
}
234
if(pw.empty()){
235
ifstream pwf(pwfile.c_str());
236
std::string tmp;
237
238
while(true){
239
getline(pwf,tmp);
240
if (not pwf){
241
break;
242
}
243
pw = pw + tmp + '\n';
244
}
245
246
}
247
table[dn]=pw;
248
}
249
infile.close();
250
}
251
252
253
254
int main (){
255
int ret, err, udp_listen_sd, tcp_listen_sd;
256
struct sockaddr_in6 sa_serv;
257
struct sockaddr_in6 sa_cli;
258
259
int optval = 1;
260
socklen_t client_len;
261
262
gnutls_session_t session;
263
264
fd_set rfds_orig;
265
266
badconfigparser(string("clients.conf"));
267
268
session = initialize_tls_session ();
269
270
//UDP IPv6 socket creation
271
udp_listen_sd = socket (PF_INET6, SOCK_DGRAM, 0);
272
SOCKET_ERR (udp_listen_sd, "socket");
273
274
memset (&sa_serv, '\0', sizeof (sa_serv));
275
sa_serv.sin6_family = AF_INET6;
276
sa_serv.sin6_addr = in6addr_any; //XXX only listen to link local?
277
sa_serv.sin6_port = htons (PORT); /* Server Port number */
278
279
ret = setsockopt (udp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));
280
SOCKET_ERR(ret,"setsockopt reuseaddr");
281
282
ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
283
SOCKET_ERR(ret,"setsockopt bindtodevice");
284
285
{
286
int flag = 1;
287
ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BROADCAST, & flag, sizeof(flag));
288
SOCKET_ERR(ret,"setsockopt broadcast");
289
}
290
291
err = bind (udp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv),
292
sizeof (sa_serv));
293
SOCKET_ERR (err, "bind");
294
295
//UDP socket creation done
296
297
298
//TCP IPv6 socket creation
299
300
tcp_listen_sd = socket(PF_INET6, SOCK_STREAM, 0);
301
SOCKET_ERR(tcp_listen_sd,"socket");
302
303
setsockopt(tcp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
304
SOCKET_ERR(ret,"setsockopt bindtodevice");
305
306
ret = setsockopt (tcp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));
307
SOCKET_ERR(ret,"setsockopt reuseaddr");
308
309
err = bind (tcp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv),
310
sizeof (sa_serv));
311
SOCKET_ERR (err, "bind");
312
313
err = listen (tcp_listen_sd, 1024);
314
SOCKET_ERR (err, "listen");
315
316
//TCP IPv6 sockets creation done
317
318
FD_ZERO(&rfds_orig);
319
FD_SET(udp_listen_sd, &rfds_orig);
320
FD_SET(tcp_listen_sd, &rfds_orig);
321
322
printf ("Server ready. Listening to port '%d' on UDP and TCP.\n\n", PORT);
323
324
for(;;){
325
fd_set rfds = rfds_orig;
326
327
ret = select(std::max(udp_listen_sd, tcp_listen_sd)+1, &rfds, 0, 0, 0);
328
SOCKET_ERR(ret,"select");
329
330
if (FD_ISSET(udp_listen_sd, &rfds)){
331
udpreply(udp_listen_sd);
332
}
333
334
if (FD_ISSET(tcp_listen_sd, &rfds)){
335
client_len = sizeof(sa_cli);
336
int sd = accept (tcp_listen_sd,
337
reinterpret_cast<struct sockaddr *> (& sa_cli),
338
&client_len);
339
SOCKET_ERR(sd,"accept"); //xxx not dieing when just connection abort
340
switch(fork()){
341
case 0:
342
tcpreply(sd, &sa_cli, session);
343
return 0;
344
break;
345
case -1:
346
perror("fork");
347
close(tcp_listen_sd);
348
close(udp_listen_sd);
349
return 1;
350
break;
351
default:
352
break;
353
}
354
}
355
}
356
357
close(tcp_listen_sd);
358
close(udp_listen_sd);
359
return 0;
360
361
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0