To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to server.cpp
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Björn Påhlsson
- Date: 2007-10-20 21:38:25 UTC
- Revision ID: belorn@tower-20071020213825-abf6f0d1c33ee961
First working version with: IPv6, GnuTLS, X.509 certificates, DN
retrieval.
retrieval.
- files removed:
- clients.conf
- files modified:
- Makefile
added
removed
server.cpp
17
17
#include <cerrno>
18
18
#include <algorithm> // std::max
19
19
#include <cstdlib> // exit()
20
#include <fstream> // std::ifstream
21
#include <string> // std::string
22
#include <map> // std::map
23
#include <iostream> // cout
24
#include <ostream> // <<
25
20
26
21
#define SOCKET_ERR(err,s) if(err<0) {perror(s);exit(1);}
27
22
32
27
#define CRLFILE "crl.pem"
33
28
#define DH_BITS 1024
34
29
35
using std::string;
36
using std::ifstream;
37
using std::map;
38
using std::cout;
39
40
30
/* These are global */
41
31
gnutls_certificate_credentials_t x509_cred;
42
map<string,string> table;
43
32
44
33
static gnutls_dh_params_t dh_params;
45
34
109
98
110
99
}
111
100
112
void tcpreply(int sd, struct sockaddr_in6 *sa_cli, gnutls_session_t session){
113
101
void tcpreply(int sd, struct sockaddr_in6 sa_cli, gnutls_session_t session){
114
102
int ret;
115
103
unsigned int status;
116
104
char buffer[512];
117
int exit_status = 0;
118
char dn[128];
119
120
#define DIE(s){ exit_status = s; goto tcpreply_die; }
121
122
printf ("- TCP connection from %s, port %d\n",
123
inet_ntop (AF_INET6, &(sa_cli->sin6_addr), buffer,
124
sizeof (buffer)), ntohs (sa_cli->sin6_port));
105
106
printf ("- connection from %s, port %d\n",
107
inet_ntop (AF_INET6, &sa_cli.sin6_addr, buffer,
108
sizeof (buffer)), ntohs (sa_cli.sin6_port));
125
109
126
110
127
111
gnutls_transport_set_ptr (session, reinterpret_cast<gnutls_transport_ptr_t> (sd));
134
118
gnutls_deinit (session);
135
119
fprintf (stderr, "*** Handshake has failed (%s)\n\n",
136
120
gnutls_strerror (ret));
137
DIE(1);
121
exit(1);
138
122
}
139
123
printf ("- Handshake was completed\n");
140
124
141
125
//time to validate
142
126
127
ret = gnutls_certificate_verify_peers2 (session, &status);
128
129
if (ret < 0)
130
{
131
printf ("Verify failed\n");
132
exit(1);
133
}
134
135
if (status & GNUTLS_CERT_INVALID)
136
printf ("The certificate is not trusted.\n");
137
138
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
139
printf ("The certificate hasn't got a known issuer.\n");
140
141
if (status & GNUTLS_CERT_REVOKED)
142
printf ("The certificate has been revoked.\n");
143
143
144
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509){
144
145
printf("Recived certificate not X.509\n");
145
DIE(1);
146
exit(1);
146
147
}
147
148
{
148
149
const gnutls_datum_t *cert_list;
149
150
unsigned int cert_list_size = 0;
150
151
gnutls_x509_crt_t cert;
151
152
size_t size;
153
char dn[128];
152
154
153
155
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
154
156
155
157
printf ("Peer provided %d certificates.\n", cert_list_size);
156
158
157
159
if (cert_list_size == 0){
158
printf("No certificates recived\n");
159
DIE(1);
160
printf("No certificates recived\n"); //should never happen because verify_peers2 should fail if so
161
exit(1);
160
162
}
161
163
162
164
gnutls_x509_crt_init (&cert);
169
171
170
172
printf ("DN: %s\n", dn);
171
173
}
172
173
ret = gnutls_certificate_verify_peers2 (session, &status);
174
175
if (ret < 0){
176
printf ("Verify failed\n");
177
DIE(1);
178
}
179
174
180
if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_REVOKED)) {
181
if (status & GNUTLS_CERT_INVALID) {
182
printf ("The certificate is not trusted.\n");
183
}
184
185
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND){
186
printf ("The certificate hasn't got a known issuer.\n");
187
}
188
189
if (status & GNUTLS_CERT_REVOKED){
190
printf ("The certificate has been revoked.\n");
191
}
192
DIE(1);
193
}
175
ret = gnutls_record_recv (session, buffer, sizeof(buffer));
194
176
195
if (table.find(dn) != table.end()){
196
gnutls_record_send (session, table[dn].c_str(), table[dn].size());
197
printf("Password sent to client\n");
198
}
177
if (ret > 0)
178
{
179
write(1, buffer, ret);
180
}
199
181
else {
200
printf("dn not in list of allowed clients\n");
182
fprintf (stderr, "\n*** Received corrupted "
183
"data(%d). Closing the connection.\n\n", ret);
201
184
}
202
203
185
204
tcpreply_die:
205
186
gnutls_bye (session, GNUTLS_SHUT_WR);
206
187
close(sd);
207
188
gnutls_deinit (session);
208
189
gnutls_certificate_free_credentials (x509_cred);
209
190
gnutls_global_deinit ();
210
exit(exit_status);
211
}
212
213
214
void badconfigparser(string file){
215
216
string dn;
217
string pw;
218
string pwfile;
219
ifstream infile (file.c_str());
220
221
while(infile){
222
getline(infile, dn, '\n');
223
if(not infile){
224
break;
225
}
226
getline(infile, pw, '\n');
227
if(not infile){
228
break;
229
}
230
getline(infile, pwfile, '\n');
231
if(not infile){
232
break;
233
}
234
if(pw.empty()){
235
ifstream pwf(pwfile.c_str());
236
std::string tmp;
237
238
while(true){
239
getline(pwf,tmp);
240
if (not pwf){
241
break;
242
}
243
pw = pw + tmp + '\n';
244
}
245
246
}
247
table[dn]=pw;
248
}
249
infile.close();
250
}
251
191
}
252
192
253
193
254
194
int main (){
263
203
264
204
fd_set rfds_orig;
265
205
266
badconfigparser(string("clients.conf"));
267
268
206
session = initialize_tls_session ();
269
207
270
//UDP IPv6 socket creation
208
//UDP socket creation
271
209
udp_listen_sd = socket (PF_INET6, SOCK_DGRAM, 0);
272
210
SOCKET_ERR (udp_listen_sd, "socket");
273
211
276
214
sa_serv.sin6_addr = in6addr_any; //XXX only listen to link local?
277
215
sa_serv.sin6_port = htons (PORT); /* Server Port number */
278
216
279
ret = setsockopt (udp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));
217
ret = setsockopt (udp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
280
218
SOCKET_ERR(ret,"setsockopt reuseaddr");
281
219
282
220
ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
295
233
//UDP socket creation done
296
234
297
235
298
//TCP IPv6 socket creation
236
//TCP socket creation
299
237
300
238
tcp_listen_sd = socket(PF_INET6, SOCK_STREAM, 0);
301
239
SOCKET_ERR(tcp_listen_sd,"socket");
303
241
setsockopt(tcp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
304
242
SOCKET_ERR(ret,"setsockopt bindtodevice");
305
243
306
ret = setsockopt (tcp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));
244
ret = setsockopt (tcp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (int));
307
245
SOCKET_ERR(ret,"setsockopt reuseaddr");
308
246
309
247
err = bind (tcp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv),
313
251
err = listen (tcp_listen_sd, 1024);
314
252
SOCKET_ERR (err, "listen");
315
253
316
//TCP IPv6 sockets creation done
254
//TCP sockets creation done
317
255
318
256
FD_ZERO(&rfds_orig);
319
257
FD_SET(udp_listen_sd, &rfds_orig);
332
270
}
333
271
334
272
if (FD_ISSET(tcp_listen_sd, &rfds)){
273
335
274
client_len = sizeof(sa_cli);
275
336
276
int sd = accept (tcp_listen_sd,
337
277
reinterpret_cast<struct sockaddr *> (& sa_cli),
338
278
&client_len);
339
279
SOCKET_ERR(sd,"accept"); //xxx not dieing when just connection abort
340
280
switch(fork()){
341
281
case 0:
342
tcpreply(sd, &sa_cli, session);
282
tcpreply(sd, sa_cli, session);
343
283
return 0;
344
284
break;
345
285
case -1:
353
293
}
354
294
}
355
295
}
356
296
357
297
close(tcp_listen_sd);
358
298
close(udp_listen_sd);
359
299
return 0;
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0