bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
1 |
extern "C" { |
2 |
#include <sys/types.h> //socket, setsockopt, bind, listen, accept, |
|
3 |
// inet_ntop, |
|
4 |
#include <sys/socket.h> //socket, setsockopt, bind, listen, accept, |
|
5 |
// inet_ntop |
|
6 |
#include <sys/ioctl.h> //ioctl, sockaddr_ll, ifreq |
|
7 |
#include <unistd.h> //write, close |
|
8 |
#include <netinet/ip.h> // sockaddr_in |
|
9 |
#include <gnutls/gnutls.h> |
|
10 |
#include <gnutls/x509.h> // gnutls_x509_crt_init, gnutls_x509_crt_import, gnutls_x509_crt_get_dn |
|
11 |
#include <arpa/inet.h> // inet_ntop, htons |
|
12 |
#include <net/if.h> //ifreq |
|
13 |
}
|
|
14 |
||
15 |
#include <cstdio> |
|
16 |
#include <cstring> |
|
17 |
#include <cerrno> |
|
18 |
#include <algorithm> // std::max |
|
19 |
#include <cstdlib> // exit() |
|
2
by Björn Påhlsson
Working client and server and password system |
20 |
#include <fstream> // std::ifstream |
21 |
#include <string> // std::string |
|
22 |
#include <map> // std::map |
|
23 |
#include <iostream> // cout |
|
24 |
#include <ostream> // << |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
25 |
|
26 |
#define SOCKET_ERR(err,s) if(err<0) {perror(s);exit(1);}
|
|
27 |
||
28 |
#define PORT 49001
|
|
29 |
#define KEYFILE "key.pem"
|
|
30 |
#define CERTFILE "cert.pem"
|
|
31 |
#define CAFILE "ca.pem"
|
|
32 |
#define CRLFILE "crl.pem"
|
|
33 |
#define DH_BITS 1024
|
|
34 |
||
2
by Björn Påhlsson
Working client and server and password system |
35 |
using std::string; |
36 |
using std::ifstream; |
|
37 |
using std::map; |
|
38 |
using std::cout; |
|
39 |
||
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
40 |
/* These are global */
|
41 |
gnutls_certificate_credentials_t x509_cred; |
|
2
by Björn Påhlsson
Working client and server and password system |
42 |
map<string,string> table; |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
43 |
|
44 |
static gnutls_dh_params_t dh_params; |
|
45 |
||
46 |
static int |
|
47 |
generate_dh_params () |
|
48 |
{
|
|
49 |
||
50 |
/* Generate Diffie Hellman parameters - for use with DHE |
|
51 |
* kx algorithms. These should be discarded and regenerated
|
|
52 |
* once a day, once a week or once a month. Depending on the
|
|
53 |
* security requirements.
|
|
54 |
*/
|
|
55 |
gnutls_dh_params_init (&dh_params); |
|
56 |
gnutls_dh_params_generate2 (dh_params, DH_BITS); |
|
57 |
||
58 |
return 0; |
|
59 |
}
|
|
60 |
||
61 |
gnutls_session_t
|
|
62 |
initialize_tls_session () |
|
63 |
{
|
|
64 |
gnutls_session_t session; |
|
65 |
||
66 |
gnutls_global_init (); |
|
67 |
||
68 |
gnutls_certificate_allocate_credentials (&x509_cred); |
|
69 |
gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE, |
|
70 |
GNUTLS_X509_FMT_PEM); |
|
71 |
gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE, |
|
72 |
GNUTLS_X509_FMT_PEM); |
|
73 |
gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE, |
|
74 |
GNUTLS_X509_FMT_PEM); |
|
75 |
||
76 |
generate_dh_params (); |
|
77 |
gnutls_certificate_set_dh_params (x509_cred, dh_params); |
|
78 |
||
79 |
gnutls_init (&session, GNUTLS_SERVER); |
|
80 |
gnutls_set_default_priority (session); |
|
81 |
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred); |
|
82 |
||
83 |
// request client certificate if any. |
|
84 |
||
85 |
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST); |
|
86 |
gnutls_dh_set_prime_bits (session, DH_BITS); |
|
87 |
||
88 |
return session; |
|
89 |
}
|
|
90 |
||
91 |
||
92 |
void udpreply(int &sd){ |
|
93 |
struct sockaddr_in6 sa_cli; |
|
94 |
int ret; |
|
95 |
char buffer[512]; |
|
96 |
||
97 |
{ |
|
98 |
socklen_t sa_cli_len = sizeof(sa_cli); |
|
99 |
ret = recvfrom(sd, buffer, 512,0, |
|
100 |
reinterpret_cast<sockaddr *>(& sa_cli), & sa_cli_len); |
|
101 |
SOCKET_ERR (ret, "recvfrom"); |
|
102 |
} |
|
103 |
||
104 |
if (strncmp(buffer,"Marco", 5) == 0){ |
|
105 |
ret = sendto(sd, "Polo", 4, 0, reinterpret_cast<sockaddr *>(& sa_cli), |
|
106 |
sizeof(sa_cli)); |
|
107 |
SOCKET_ERR (ret, "sendto"); |
|
108 |
} |
|
109 |
||
110 |
}
|
|
111 |
||
2
by Björn Påhlsson
Working client and server and password system |
112 |
void tcpreply(int sd, struct sockaddr_in6 *sa_cli, gnutls_session_t session){ |
113 |
||
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
114 |
int ret; |
115 |
unsigned int status; |
|
116 |
char buffer[512]; |
|
2
by Björn Påhlsson
Working client and server and password system |
117 |
int exit_status = 0; |
118 |
char dn[128]; |
|
119 |
||
120 |
#define DIE(s){ exit_status = s; goto tcpreply_die; }
|
|
121 |
||
122 |
printf ("- TCP connection from %s, port %d\n", |
|
123 |
inet_ntop (AF_INET6, &(sa_cli->sin6_addr), buffer, |
|
124 |
sizeof (buffer)), ntohs (sa_cli->sin6_port)); |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
125 |
|
126 |
|
|
127 |
gnutls_transport_set_ptr (session, reinterpret_cast<gnutls_transport_ptr_t> (sd)); |
|
128 |
|
|
129 |
||
130 |
ret = gnutls_handshake (session); |
|
131 |
if (ret < 0) |
|
132 |
{ |
|
133 |
close (sd); |
|
134 |
gnutls_deinit (session); |
|
135 |
fprintf (stderr, "*** Handshake has failed (%s)\n\n", |
|
136 |
gnutls_strerror (ret)); |
|
2
by Björn Påhlsson
Working client and server and password system |
137 |
DIE(1); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
138 |
} |
139 |
printf ("- Handshake was completed\n"); |
|
140 |
||
141 |
//time to validate |
|
142 |
||
143 |
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509){ |
|
144 |
printf("Recived certificate not X.509\n"); |
|
2
by Björn Påhlsson
Working client and server and password system |
145 |
DIE(1); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
146 |
} |
147 |
{ |
|
148 |
const gnutls_datum_t *cert_list; |
|
149 |
unsigned int cert_list_size = 0; |
|
150 |
gnutls_x509_crt_t cert; |
|
151 |
size_t size; |
|
152 |
|
|
153 |
cert_list = gnutls_certificate_get_peers (session, &cert_list_size); |
|
154 |
|
|
155 |
printf ("Peer provided %d certificates.\n", cert_list_size); |
|
156 |
|
|
157 |
if (cert_list_size == 0){ |
|
2
by Björn Påhlsson
Working client and server and password system |
158 |
printf("No certificates recived\n"); |
159 |
DIE(1); |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
160 |
} |
161 |
|
|
162 |
gnutls_x509_crt_init (&cert); |
|
163 |
|
|
164 |
// XXX -Checking only first cert, might want to check them all |
|
165 |
gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER); |
|
166 |
|
|
167 |
size = sizeof (dn); |
|
168 |
gnutls_x509_crt_get_dn (cert, dn, &size); |
|
169 |
|
|
170 |
printf ("DN: %s\n", dn); |
|
171 |
} |
|
2
by Björn Påhlsson
Working client and server and password system |
172 |
|
173 |
ret = gnutls_certificate_verify_peers2 (session, &status); |
|
174 |
||
175 |
if (ret < 0){ |
|
176 |
printf ("Verify failed\n"); |
|
177 |
DIE(1); |
|
178 |
} |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
179 |
|
2
by Björn Påhlsson
Working client and server and password system |
180 |
if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_REVOKED)) { |
181 |
if (status & GNUTLS_CERT_INVALID) { |
|
182 |
printf ("The certificate is not trusted.\n"); |
|
183 |
} |
|
184 |
|
|
185 |
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND){ |
|
186 |
printf ("The certificate hasn't got a known issuer.\n"); |
|
187 |
} |
|
188 |
|
|
189 |
if (status & GNUTLS_CERT_REVOKED){ |
|
190 |
printf ("The certificate has been revoked.\n"); |
|
191 |
} |
|
192 |
DIE(1); |
|
193 |
} |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
194 |
|
2
by Björn Påhlsson
Working client and server and password system |
195 |
if (table.find(dn) != table.end()){ |
196 |
gnutls_record_send (session, table[dn].c_str(), table[dn].size()); |
|
197 |
printf("Password sent to client\n"); |
|
198 |
} |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
199 |
else { |
2
by Björn Påhlsson
Working client and server and password system |
200 |
printf("dn not in list of allowed clients\n"); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
201 |
} |
2
by Björn Påhlsson
Working client and server and password system |
202 |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
203 |
|
2
by Björn Påhlsson
Working client and server and password system |
204 |
tcpreply_die: |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
205 |
gnutls_bye (session, GNUTLS_SHUT_WR); |
206 |
close(sd); |
|
207 |
gnutls_deinit (session); |
|
208 |
gnutls_certificate_free_credentials (x509_cred); |
|
209 |
gnutls_global_deinit (); |
|
2
by Björn Påhlsson
Working client and server and password system |
210 |
exit(exit_status); |
211 |
}
|
|
212 |
||
213 |
||
214 |
void badconfigparser(string file){ |
|
215 |
||
216 |
string dn; |
|
217 |
string pw; |
|
218 |
string pwfile; |
|
219 |
ifstream infile (file.c_str()); |
|
220 |
||
221 |
while(infile){ |
|
222 |
getline(infile, dn, '\n'); |
|
223 |
if(not infile){ |
|
224 |
break; |
|
225 |
} |
|
226 |
getline(infile, pw, '\n'); |
|
227 |
if(not infile){ |
|
228 |
break; |
|
229 |
} |
|
230 |
getline(infile, pwfile, '\n'); |
|
231 |
if(not infile){ |
|
232 |
break; |
|
233 |
} |
|
234 |
if(pw.empty()){ |
|
235 |
ifstream pwf(pwfile.c_str()); |
|
236 |
std::string tmp; |
|
237 |
||
238 |
while(true){ |
|
239 |
getline(pwf,tmp); |
|
240 |
if (not pwf){ |
|
241 |
break; |
|
242 |
} |
|
243 |
pw = pw + tmp + '\n'; |
|
244 |
} |
|
245 |
|
|
246 |
} |
|
247 |
table[dn]=pw; |
|
248 |
} |
|
249 |
infile.close(); |
|
250 |
}
|
|
251 |
|
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
252 |
|
253 |
||
254 |
int main (){ |
|
255 |
int ret, err, udp_listen_sd, tcp_listen_sd; |
|
256 |
struct sockaddr_in6 sa_serv; |
|
257 |
struct sockaddr_in6 sa_cli; |
|
258 |
||
259 |
int optval = 1; |
|
260 |
socklen_t client_len; |
|
261 |
||
262 |
gnutls_session_t session; |
|
263 |
||
264 |
fd_set rfds_orig; |
|
265 |
||
2
by Björn Påhlsson
Working client and server and password system |
266 |
badconfigparser(string("clients.conf")); |
267 |
||
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
268 |
session = initialize_tls_session (); |
269 |
||
2
by Björn Påhlsson
Working client and server and password system |
270 |
//UDP IPv6 socket creation |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
271 |
udp_listen_sd = socket (PF_INET6, SOCK_DGRAM, 0); |
272 |
SOCKET_ERR (udp_listen_sd, "socket"); |
|
273 |
||
274 |
memset (&sa_serv, '\0', sizeof (sa_serv)); |
|
275 |
sa_serv.sin6_family = AF_INET6; |
|
276 |
sa_serv.sin6_addr = in6addr_any; //XXX only listen to link local? |
|
277 |
sa_serv.sin6_port = htons (PORT); /* Server Port number */ |
|
278 |
||
2
by Björn Påhlsson
Working client and server and password system |
279 |
ret = setsockopt (udp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval)); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
280 |
SOCKET_ERR(ret,"setsockopt reuseaddr"); |
281 |
||
282 |
ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5); |
|
283 |
SOCKET_ERR(ret,"setsockopt bindtodevice"); |
|
284 |
||
285 |
{ |
|
286 |
int flag = 1; |
|
287 |
ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BROADCAST, & flag, sizeof(flag)); |
|
288 |
SOCKET_ERR(ret,"setsockopt broadcast"); |
|
289 |
} |
|
290 |
||
291 |
err = bind (udp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv), |
|
292 |
sizeof (sa_serv)); |
|
293 |
SOCKET_ERR (err, "bind"); |
|
294 |
||
295 |
//UDP socket creation done |
|
296 |
||
297 |
||
2
by Björn Påhlsson
Working client and server and password system |
298 |
//TCP IPv6 socket creation |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
299 |
|
300 |
tcp_listen_sd = socket(PF_INET6, SOCK_STREAM, 0); |
|
301 |
SOCKET_ERR(tcp_listen_sd,"socket"); |
|
302 |
||
303 |
setsockopt(tcp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5); |
|
304 |
SOCKET_ERR(ret,"setsockopt bindtodevice"); |
|
305 |
|
|
2
by Björn Påhlsson
Working client and server and password system |
306 |
ret = setsockopt (tcp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval)); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
307 |
SOCKET_ERR(ret,"setsockopt reuseaddr"); |
308 |
||
309 |
err = bind (tcp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv), |
|
310 |
sizeof (sa_serv)); |
|
311 |
SOCKET_ERR (err, "bind"); |
|
312 |
||
313 |
err = listen (tcp_listen_sd, 1024); |
|
314 |
SOCKET_ERR (err, "listen"); |
|
315 |
||
2
by Björn Påhlsson
Working client and server and password system |
316 |
//TCP IPv6 sockets creation done |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
317 |
|
318 |
FD_ZERO(&rfds_orig); |
|
319 |
FD_SET(udp_listen_sd, &rfds_orig); |
|
320 |
FD_SET(tcp_listen_sd, &rfds_orig); |
|
321 |
||
322 |
printf ("Server ready. Listening to port '%d' on UDP and TCP.\n\n", PORT); |
|
323 |
||
324 |
for(;;){ |
|
325 |
fd_set rfds = rfds_orig; |
|
326 |
||
327 |
ret = select(std::max(udp_listen_sd, tcp_listen_sd)+1, &rfds, 0, 0, 0); |
|
328 |
SOCKET_ERR(ret,"select"); |
|
329 |
||
330 |
if (FD_ISSET(udp_listen_sd, &rfds)){ |
|
331 |
udpreply(udp_listen_sd); |
|
332 |
} |
|
333 |
||
334 |
if (FD_ISSET(tcp_listen_sd, &rfds)){ |
|
335 |
client_len = sizeof(sa_cli); |
|
336 |
int sd = accept (tcp_listen_sd, |
|
337 |
reinterpret_cast<struct sockaddr *> (& sa_cli), |
|
338 |
&client_len); |
|
339 |
SOCKET_ERR(sd,"accept"); //xxx not dieing when just connection abort |
|
340 |
switch(fork()){ |
|
341 |
case 0: |
|
2
by Björn Påhlsson
Working client and server and password system |
342 |
tcpreply(sd, &sa_cli, session); |
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
343 |
return 0; |
344 |
break; |
|
345 |
case -1: |
|
346 |
perror("fork"); |
|
347 |
close(tcp_listen_sd); |
|
348 |
close(udp_listen_sd); |
|
349 |
return 1; |
|
350 |
break; |
|
351 |
default: |
|
352 |
break; |
|
353 |
} |
|
354 |
} |
|
355 |
} |
|
2
by Björn Påhlsson
Working client and server and password system |
356 |
|
1
by Björn Påhlsson
First working version with: IPv6, GnuTLS, X.509 certificates, DN |
357 |
close(tcp_listen_sd); |
358 |
close(udp_listen_sd); |
|
359 |
return 0; |
|
360 |
||
361 |
}
|