/mandos/trunk : revision 24.1.162

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to server.cpp

Committer: Björn Påhlsson
Date: 2010-09-09 22:26:35 UTC
mfrom: (420 mandos-local)
mto: (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 421.
Revision ID: belorn@fukt.bsnet.se-20100909222635-whret31y90wjbh9w

merge

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
bad-ca.pem

bad-cert.pem

bad-client-cert.pem

bad-client-key.pem

bad-crl.pem

bad-key.pem

ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

clients.conf

crl.pem

key.pem

server.cpp

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

server.cpp

extern "C" {

#include <sys/types.h> //socket, setsockopt, bind, listen, accept,

// inet_ntop,

#include <sys/socket.h> //socket, setsockopt, bind, listen, accept,

// inet_ntop

#include <sys/ioctl.h> //ioctl, sockaddr_ll, ifreq

#include <unistd.h> //write, close

#include <netinet/ip.h> // sockaddr_in

#include <gnutls/gnutls.h>

#include <gnutls/x509.h> // gnutls_x509_crt_init, gnutls_x509_crt_import, gnutls_x509_crt_get_dn

#include <arpa/inet.h> // inet_ntop, htons

#include <net/if.h> //ifreq

}

#include <cstdio>

#include <cstring>

#include <cerrno>

#include <algorithm> // std::max

#include <cstdlib> // exit()

#include <fstream> // std::ifstream

#include <string> // std::string

#include <map> // std::map

#include <iostream> // cout

#include <ostream> // <<

#define SOCKET_ERR(err,s) if(err<0) {perror(s);exit(1);}

#define PORT 49001

#define KEYFILE "key.pem"

#define CERTFILE "cert.pem"

#define CAFILE "ca.pem"

#define CRLFILE "crl.pem"

#define DH_BITS 1024

using std::string;

using std::ifstream;

using std::map;

using std::cout;

/* These are global */

gnutls_certificate_credentials_t x509_cred;

map<string,string> table;

static gnutls_dh_params_t dh_params;

static int

generate_dh_params ()

{

/* Generate Diffie Hellman parameters - for use with DHE

* kx algorithms. These should be discarded and regenerated

* once a day, once a week or once a month. Depending on the

* security requirements.

gnutls_dh_params_init (&dh_params);

gnutls_dh_params_generate2 (dh_params, DH_BITS);

return 0;

}

gnutls_session_t

initialize_tls_session ()

{

gnutls_session_t session;

gnutls_global_init ();

gnutls_certificate_allocate_credentials (&x509_cred);

gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,

GNUTLS_X509_FMT_PEM);

gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,

GNUTLS_X509_FMT_PEM);

gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,

GNUTLS_X509_FMT_PEM);

generate_dh_params ();

gnutls_certificate_set_dh_params (x509_cred, dh_params);

gnutls_init (&session, GNUTLS_SERVER);

gnutls_set_default_priority (session);

gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

// request client certificate if any.

gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

gnutls_dh_set_prime_bits (session, DH_BITS);

return session;

}

void udpreply(int &sd){

struct sockaddr_in6 sa_cli;

int ret;

char buffer[512];

{

socklen_t sa_cli_len = sizeof(sa_cli);

ret = recvfrom(sd, buffer, 512,0,

100

reinterpret_cast<sockaddr *>(& sa_cli), & sa_cli_len);

101

SOCKET_ERR (ret, "recvfrom");

102

}

103

104

if (strncmp(buffer,"Marco", 5) == 0){

105

ret = sendto(sd, "Polo", 4, 0, reinterpret_cast<sockaddr *>(& sa_cli),

106

sizeof(sa_cli));

107

SOCKET_ERR (ret, "sendto");

108

}

109

110

}

111

112

void tcpreply(int sd, struct sockaddr_in6 *sa_cli, gnutls_session_t session){

113

114

int ret;

115

unsigned int status;

116

char buffer[512];

117

int exit_status = 0;

118

char dn[128];

119

120

#define DIE(s){ exit_status = s; goto tcpreply_die; }

121

122

printf ("- TCP connection from %s, port %d\n",

123

inet_ntop (AF_INET6, &(sa_cli->sin6_addr), buffer,

124

sizeof (buffer)), ntohs (sa_cli->sin6_port));

125

126

127

gnutls_transport_set_ptr (session, reinterpret_cast<gnutls_transport_ptr_t> (sd));

128

129

130

ret = gnutls_handshake (session);

131

if (ret < 0)

132

{

133

close (sd);

134

gnutls_deinit (session);

135

fprintf (stderr, "*** Handshake has failed (%s)\n\n",

136

gnutls_strerror (ret));

137

DIE(1);

138

}

139

printf ("- Handshake was completed\n");

140

141

//time to validate

142

143

if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509){

144

printf("Recived certificate not X.509\n");

145

DIE(1);

146

}

147

{

148

const gnutls_datum_t *cert_list;

149

unsigned int cert_list_size = 0;

150

gnutls_x509_crt_t cert;

151

size_t size;

152

153

cert_list = gnutls_certificate_get_peers (session, &cert_list_size);

154

155

printf ("Peer provided %d certificates.\n", cert_list_size);

156

157

if (cert_list_size == 0){

158

printf("No certificates recived\n");

159

DIE(1);

160

}

161

162

gnutls_x509_crt_init (&cert);

163

164

// XXX -Checking only first cert, might want to check them all

165

gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER);

166

167

size = sizeof (dn);

168

gnutls_x509_crt_get_dn (cert, dn, &size);

169

170

printf ("DN: %s\n", dn);

171

}

172

173

ret = gnutls_certificate_verify_peers2 (session, &status);

174

175

if (ret < 0){

176

printf ("Verify failed\n");

177

DIE(1);

178

}

179

180

if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_REVOKED)) {

181

if (status & GNUTLS_CERT_INVALID) {

182

printf ("The certificate is not trusted.\n");

183

}

184

185

if (status & GNUTLS_CERT_SIGNER_NOT_FOUND){

186

printf ("The certificate hasn't got a known issuer.\n");

187

}

188

189

if (status & GNUTLS_CERT_REVOKED){

190

printf ("The certificate has been revoked.\n");

191

}

192

DIE(1);

193

}

194

195

if (table.find(dn) != table.end()){

196

gnutls_record_send (session, table[dn].c_str(), table[dn].size());

197

printf("Password sent to client\n");

198

}

199

else {

200

printf("dn not in list of allowed clients\n");

201

}

202

203

204

tcpreply_die:

205

gnutls_bye (session, GNUTLS_SHUT_WR);

206

close(sd);

207

gnutls_deinit (session);

208

gnutls_certificate_free_credentials (x509_cred);

209

gnutls_global_deinit ();

210

exit(exit_status);

211

}

212

213

214

void badconfigparser(string file){

215

216

string dn;

217

string pw;

218

string pwfile;

219

ifstream infile (file.c_str());

220

221

while(infile){

222

getline(infile, dn, '\n');

223

if(not infile){

224

break;

225

}

226

getline(infile, pw, '\n');

227

if(not infile){

228

break;

229

}

230

getline(infile, pwfile, '\n');

231

if(not infile){

232

break;

233

}

234

if(pw.empty()){

235

ifstream pwf(pwfile.c_str());

236

std::string tmp;

237

238

while(true){

239

getline(pwf,tmp);

240

if (not pwf){

241

break;

242

}

243

pw = pw + tmp + '\n';

244

}

245

246

}

247

table[dn]=pw;

248

}

249

infile.close();

250

}

251

252

253

254

int main (){

255

int ret, err, udp_listen_sd, tcp_listen_sd;

256

struct sockaddr_in6 sa_serv;

257

struct sockaddr_in6 sa_cli;

258

259

int optval = 1;

260

socklen_t client_len;

261

262

gnutls_session_t session;

263

264

fd_set rfds_orig;

265

266

badconfigparser(string("clients.conf"));

267

268

session = initialize_tls_session ();

269

270

//UDP IPv6 socket creation

271

udp_listen_sd = socket (PF_INET6, SOCK_DGRAM, 0);

272

SOCKET_ERR (udp_listen_sd, "socket");

273

274

memset (&sa_serv, '\0', sizeof (sa_serv));

275

sa_serv.sin6_family = AF_INET6;

276

sa_serv.sin6_addr = in6addr_any; //XXX only listen to link local?

277

sa_serv.sin6_port = htons (PORT); /* Server Port number */

278

279

ret = setsockopt (udp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));

280

SOCKET_ERR(ret,"setsockopt reuseaddr");

281

282

ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

283

SOCKET_ERR(ret,"setsockopt bindtodevice");

284

285

{

286

int flag = 1;

287

ret = setsockopt(udp_listen_sd, SOL_SOCKET, SO_BROADCAST, & flag, sizeof(flag));

288

SOCKET_ERR(ret,"setsockopt broadcast");

289

}

290

291

err = bind (udp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv),

292

sizeof (sa_serv));

293

SOCKET_ERR (err, "bind");

294

295

//UDP socket creation done

296

297

298

//TCP IPv6 socket creation

299

300

tcp_listen_sd = socket(PF_INET6, SOCK_STREAM, 0);

301

SOCKET_ERR(tcp_listen_sd,"socket");

302

303

setsockopt(tcp_listen_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

304

SOCKET_ERR(ret,"setsockopt bindtodevice");

305

306

ret = setsockopt (tcp_listen_sd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof (optval));

307

SOCKET_ERR(ret,"setsockopt reuseaddr");

308

309

err = bind (tcp_listen_sd, reinterpret_cast<const sockaddr *> (& sa_serv),

310

sizeof (sa_serv));

311

SOCKET_ERR (err, "bind");

312

313

err = listen (tcp_listen_sd, 1024);

314

SOCKET_ERR (err, "listen");

315

316

//TCP IPv6 sockets creation done

317

318

FD_ZERO(&rfds_orig);

319

FD_SET(udp_listen_sd, &rfds_orig);

320

FD_SET(tcp_listen_sd, &rfds_orig);

321

322

printf ("Server ready. Listening to port '%d' on UDP and TCP.\n\n", PORT);

323

324

for(;;){

325

fd_set rfds = rfds_orig;

326

327

ret = select(std::max(udp_listen_sd, tcp_listen_sd)+1, &rfds, 0, 0, 0);

328

SOCKET_ERR(ret,"select");

329

330

if (FD_ISSET(udp_listen_sd, &rfds)){

331

udpreply(udp_listen_sd);

332

}

333

334

if (FD_ISSET(tcp_listen_sd, &rfds)){

335

client_len = sizeof(sa_cli);

336

int sd = accept (tcp_listen_sd,

337

reinterpret_cast<struct sockaddr *> (& sa_cli),

338

&client_len);

339

SOCKET_ERR(sd,"accept"); //xxx not dieing when just connection abort

340

switch(fork()){

341

case 0:

342

tcpreply(sd, &sa_cli, session);

343

return 0;

344

break;

345

case -1:

346

perror("fork");

347

close(tcp_listen_sd);

348

close(udp_listen_sd);

349

return 1;

350

break;

351

default:

352

break;

353

}

354

}

355

}

356

357

close(tcp_listen_sd);

358

close(udp_listen_sd);

359

return 0;

360

361

}

Older »