/**
* Main function that will be run by the scheduler.
*
* @param cls closure
* @param args remaining command-line arguments
* @param cfgfile name of the configuration file used (for saving, can be NULL!)
* @param cfg configuration
*/
static void
run (void *cls, char *const *args, const char *cfgfile,
const struct GNUNET_CONFIGURATION_Handle *cfg)
{
struct GNUNET_CRYPTO_RsaPrivateKey *pk;
struct GNUNET_CRYPTO_RsaPublicKeyBinaryEncoded pub;
struct GNUNET_PeerIdentity pid;
if (NULL == args[0])
{
fprintf (stderr, _("No hostkey file specified on command line\n"));
return;
}
if (0 != weak_random)
GNUNET_CRYPTO_random_disable_entropy_gathering ();
if (make_keys > 0)
{
create_keys (args[0]);
return;
}
pk = GNUNET_CRYPTO_rsa_key_create_from_file (args[0]);
if (NULL == pk)
return;
if (print_public_key)
{
char *s;
GNUNET_CRYPTO_rsa_key_get_public (pk, &pub);
s = GNUNET_CRYPTO_rsa_public_key_to_string (&pub);
fprintf (stdout, "%s\n", s);
GNUNET_free (s);
}
if (print_peer_identity)
{
struct GNUNET_CRYPTO_HashAsciiEncoded enc;
GNUNET_CRYPTO_rsa_key_get_public (pk, &pub);
GNUNET_CRYPTO_hash (&pub, sizeof (pub), &pid.hashPubKey);
GNUNET_CRYPTO_hash_to_enc (&pid.hashPubKey, &enc);
fprintf (stdout, "%s\n", enc.encoding);
}
if (print_short_identity)
{
struct GNUNET_CRYPTO_ShortHashAsciiEncoded enc;
struct GNUNET_CRYPTO_ShortHashCode sh;
GNUNET_CRYPTO_rsa_key_get_public (pk, &pub);
GNUNET_CRYPTO_short_hash (&pub, sizeof (pub), &sh);
GNUNET_CRYPTO_short_hash_to_enc (&sh, &enc);
fprintf (stdout, "%s\n", enc.short_encoding);
}
GNUNET_CRYPTO_rsa_key_free (pk);
}
static int read_or_create_log(const char *filename, const char *token,
uint8_t *salt, uint8_t *nonce, uint8_t *key_buf,
uint8_t **out_buf, int64_t *data_size)
{
int fd;
struct stat fileinfo;
int ret;
fd = open_log_file(filename);
if (fd == -1) {
goto fail;
}
ret = fstat(fd, &fileinfo);
if (fileinfo.st_size == 0) {
ret = create_salt(salt, SALT_SIZE);
if (ret != 0) goto fail_fd;
ret = create_salt(nonce, NONCE_SIZE);
if (ret != 0) goto fail_fd;
} else if (fileinfo.st_size < MIN_LOG_FILE_SIZE) {
goto fail_fd;
}
create_keys(token, salt, key_buf);
if (fileinfo.st_size > 0) {
ret = read_and_validate_log(fd, token, out_buf, data_size);
if ((ret != CAPSTONE_EXIT_SUCCESS) || !out_buf || !(*out_buf)) goto fail_fd;
}
return fd;
fail_fd:
close(fd);
fail:
return -1;
}
int main(int argc, const char *argv[])
{
static const char *server = NULL;
static const char *principal = NULL;
static const char *keytab = NULL;
static const char *enctypes_string = NULL;
static const char *binddn = NULL;
static const char *bindpw = NULL;
char *ldap_uri = NULL;
static const char *sasl_mech = NULL;
static const char *ca_cert_file = NULL;
int quiet = 0;
int askpass = 0;
int permitted_enctypes = 0;
int retrieve = 0;
struct poptOption options[] = {
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
_("Print as little as possible"), _("Output only on errors")},
{ "server", 's', POPT_ARG_STRING, &server, 0,
_("Contact this specific KDC Server"),
_("Server Name") },
{ "principal", 'p', POPT_ARG_STRING, &principal, 0,
_("The principal to get a keytab for (ex: ftp/[email protected])"),
_("Kerberos Service Principal Name") },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
_("The keytab file to append the new key to (will be "
"created if it does not exist)."),
_("Keytab File Name") },
{ "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0,
_("Encryption types to request"),
_("Comma separated encryption types list") },
{ "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0,
_("Show the list of permitted encryption types and exit"),
_("Permitted Encryption Types") },
{ "password", 'P', POPT_ARG_NONE, &askpass, 0,
_("Asks for a non-random password to use for the principal"), NULL },
{ "binddn", 'D', POPT_ARG_STRING, &binddn, 0,
_("LDAP DN"), _("DN to bind as if not using kerberos") },
{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
_("LDAP password"), _("password to use if not using kerberos") },
{ "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
_("Path to the IPA CA certificate"), _("IPA CA certificate")},
{ "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0,
_("LDAP uri to connect to. Mutually exclusive with --server"),
_("url")},
{ "mech", 'Y', POPT_ARG_STRING, &sasl_mech, 0,
_("LDAP SASL bind mechanism if no bindd/bindpw"),
_("GSSAPI|EXTERNAL") },
{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
_("Retrieve current keys without changing them"), NULL },
POPT_AUTOHELP
POPT_TABLEEND
};
poptContext pc;
char *ktname;
char *password = NULL;
krb5_context krbctx;
krb5_ccache ccache;
krb5_principal uprinc = NULL;
krb5_principal sprinc;
krb5_error_code krberr;
struct keys_container keys = { 0 };
krb5_keytab kt;
int kvno;
int i, ret;
char *err_msg;
ret = init_gettext();
if (ret) {
fprintf(stderr, "Failed to load translations\n");
}
krberr = krb5_init_context(&krbctx);
if (krberr) {
fprintf(stderr, _("Kerberos context initialization failed\n"));
exit(1);
}
pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
ret = poptGetNextOpt(pc);
if (ret == -1 && permitted_enctypes &&
!(server || principal || keytab || quiet)) {
krb5_enctype *ktypes;
char enc[79]; /* fit std terminal or truncate */
krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
if (krberr) {
fprintf(stderr, _("No system preferred enctypes ?!\n"));
exit(1);
}
fprintf(stdout, _("Supported encryption types:\n"));
for (i = 0; ktypes[i]; i++) {
krberr = krb5_enctype_to_string(ktypes[i], enc, 79);
if (krberr) {
fprintf(stderr, _("Warning: "
"failed to convert type (#%d)\n"), i);
continue;
}
fprintf(stdout, "%s\n", enc);
}
ipa_krb5_free_ktypes(krbctx, ktypes);
exit (0);
}
if (ret != -1 || !principal || !keytab || permitted_enctypes) {
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
exit(2);
}
if (NULL!=binddn && NULL==bindpw) {
fprintf(stderr,
_("Bind password required when using a bind DN.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(10);
}
if (NULL != binddn && NULL != sasl_mech) {
fprintf(stderr, _("Cannot specify both SASL mechanism "
"and bind DN simultaneously.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(2);
}
if (sasl_mech && check_sasl_mech(sasl_mech)) {
fprintf(stderr, _("Invalid SASL bind mechanism\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(2);
}
if (!binddn && !sasl_mech) {
sasl_mech = LDAP_SASL_GSSAPI;
}
if (server && ldap_uri) {
fprintf(stderr, _("Cannot specify server and LDAP uri "
"simultaneously.\n"));
if (!quiet)
poptPrintUsage(pc, stderr, 0);
exit(2);
}
if (!server && !ldap_uri) {
struct ipa_config *ipacfg = NULL;
ret = read_ipa_config(&ipacfg);
if (ret == 0) {
server = ipacfg->server_name;
ipacfg->server_name = NULL;
}
free(ipacfg);
if (!server) {
fprintf(stderr, _("Server name not provided and unavailable\n"));
exit(2);
}
}
if (server) {
ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri);
if (ret) {
exit(ret);
}
}
if (!ca_cert_file) {
ca_cert_file = DEFAULT_CA_CERT_FILE;
}
if (askpass && retrieve) {
fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
exit(2);
}
if (askpass) {
password = ask_password(krbctx);
if (!password) {
exit(2);
}
} else if (enctypes_string && strchr(enctypes_string, ':')) {
if (!quiet) {
fprintf(stderr, _("Warning: salt types are not honored"
" with randomized passwords (see opt. -P)\n"));
}
}
ret = asprintf(&ktname, "WRFILE:%s", keytab);
if (ret == -1) {
exit(3);
}
krberr = krb5_parse_name(krbctx, principal, &sprinc);
if (krberr) {
fprintf(stderr, _("Invalid Service Principal Name\n"));
exit(4);
}
if (NULL == bindpw && strcmp(sasl_mech, LDAP_SASL_GSSAPI) == 0) {
krberr = krb5_cc_default(krbctx, &ccache);
if (krberr) {
fprintf(stderr,
_("Kerberos Credential Cache not found. "
"Do you have a Kerberos Ticket?\n"));
exit(5);
}
krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
if (krberr) {
fprintf(stderr,
_("Kerberos User Principal not found. "
"Do you have a valid Credential Cache?\n"));
exit(6);
}
}
krberr = krb5_kt_resolve(krbctx, ktname, &kt);
if (krberr) {
fprintf(stderr, _("Failed to open Keytab\n"));
exit(7);
}
kvno = -1;
ret = ldap_get_keytab(krbctx, (retrieve == 0), password, enctypes_string,
ldap_uri, principal, uprinc, binddn, bindpw,
sasl_mech, ca_cert_file,
&keys, &kvno, &err_msg);
if (ret) {
if (!quiet && err_msg != NULL) {
fprintf(stderr, "%s", err_msg);
}
}
if (retrieve == 0 && kvno == -1) {
if (!quiet) {
fprintf(stderr,
_("Retrying with pre-4.0 keytab retrieval method...\n"));
}
/* create key material */
ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, &err_msg);
if (!ret) {
if (err_msg != NULL) {
fprintf(stderr, "%s", err_msg);
}
fprintf(stderr, _("Failed to create key material\n"));
exit(8);
}
kvno = ldap_set_keytab(krbctx, ldap_uri, principal, uprinc, binddn,
bindpw, sasl_mech, ca_cert_file, &keys);
}
if (kvno == -1) {
fprintf(stderr, _("Failed to get keytab\n"));
exit(9);
}
for (i = 0; i < keys.nkeys; i++) {
krb5_keytab_entry kt_entry;
memset((char *)&kt_entry, 0, sizeof(kt_entry));
kt_entry.principal = sprinc;
kt_entry.key = keys.ksdata[i].key;
kt_entry.vno = kvno;
krberr = krb5_kt_add_entry(krbctx, kt, &kt_entry);
if (krberr) {
fprintf(stderr,
_("Failed to add key to the keytab\n"));
exit (11);
}
}
free_keys_contents(krbctx, &keys);
krberr = krb5_kt_close(krbctx, kt);
if (krberr) {
fprintf(stderr, _("Failed to close the keytab\n"));
exit (12);
}
if (!quiet) {
fprintf(stderr,
_("Keytab successfully retrieved and stored in: %s\n"),
keytab);
}
exit(0);
}
int lnp_handle_key_exchange_ok(lnp_packet_p *packet, int content_length) {
lnp_key_exchange_ok_p key_exchange_ok;
int routing_entry_index;
int store_entry_index;
/* Reading packet */
if (parse_key_exchange_ok(&key_exchange_ok,
packet->content, content_length) == LNP_ERROR) {
liblog_debug(LAYER_NET, "packet format corrupted.");
return LNP_ERROR;
}
liblog_debug(LAYER_NET, "packet successfuly parsed.");
/* lock routing entry */
routing_entry_index = lnp_routing_entry_lock(packet->source);
if (routing_entry_index == LNP_LOOKUP_ERROR) {
//TODO
}
store_entry_index = routing_table[routing_entry_index].store_index;
if (lnp_key_store[store_entry_index].handshake_state !=
LNP_HANDSHAKE_EXCHANGING_KEYS) {
liblog_info(LAYER_NET, "public_key_exchange_ok dropped: "
"state must be LNP_HANDSHAKE_EXCHANGING_KEYS.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
lnp_key_store[store_entry_index].cipher =
lnp_cipher_search(key_exchange_ok.cipher);
lnp_key_store[store_entry_index].hash =
lnp_hash_search(key_exchange_ok.hash);
lnp_key_store[store_entry_index].mac =
lnp_mac_search(key_exchange_ok.mac);
/* Functions received don't support even the defaults. */
if (lnp_key_store[store_entry_index].cipher == NULL ||
lnp_key_store[store_entry_index].hash == NULL ||
lnp_key_store[store_entry_index].mac == NULL) {
liblog_error(LAYER_NET,
"received functions not supported, packet dropped.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
liblog_debug(LAYER_NET, "received functions are supported.");
// TODO decifrar
if (memcmp(lnp_key_store[store_entry_index].k_out,
key_exchange_ok.encrypted_k, LNP_K_LENGTH) != 0) {
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
/* Create all the keys. */
if (create_keys(store_entry_index) == LNP_ERROR) {
liblog_error(LAYER_NET, "error generating keys.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
};
lnp_key_store[store_entry_index].handshake_state =
LNP_HANDSHAKE_CONNECTED;
lnp_routing_entry_signal(routing_entry_index);
lnp_routing_entry_unlock(routing_entry_index);
return LNP_OK;
}
int lnp_handle_key_exchange(lnp_packet_p *packet, int content_length) {
lnp_key_exchange_p key_exchange;
int routing_entry_index;
int store_entry_index;
/* Reading packet */
if (parse_key_exchange(&key_exchange,
packet->content, content_length) == LNP_ERROR) {
liblog_debug(LAYER_NET, "packet format corrupted.");
return LNP_ERROR;
}
liblog_debug(LAYER_NET, "packet successfuly parsed.");
/* lock routing entry */
routing_entry_index = lnp_routing_entry_lock(packet->source);
if (routing_entry_index == LNP_LOOKUP_ERROR) {
//TODO
}
store_entry_index = routing_table[routing_entry_index].store_index;
if (lnp_key_store[store_entry_index].handshake_state !=
LNP_HANDSHAKE_BEING_CONNECTED) {
liblog_info(LAYER_NET, "public_key_exchange dropped: "
"state must be LNP_HANDSHAKE_BEING_CONNECTED.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
lnp_key_store[store_entry_index].cipher =
lnp_cipher_search(key_exchange.ciphers);
lnp_key_store[store_entry_index].hash =
lnp_hash_search(key_exchange.hashes);
lnp_key_store[store_entry_index].mac =
lnp_mac_search(key_exchange.macs);
/* Functions received don't support even the defaults. */
if (lnp_key_store[store_entry_index].cipher == NULL ||
lnp_key_store[store_entry_index].hash == NULL ||
lnp_key_store[store_entry_index].mac == NULL) {
liblog_error(LAYER_NET,
"received functions not supported, packet dropped.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
liblog_debug(LAYER_NET, "received functions are supported.");
// TODO decifrar
if (memcmp(lnp_key_store[store_entry_index].k_out,
key_exchange.encrypted_k_1, LNP_K_LENGTH) != 0) {
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
liblog_debug(LAYER_NET, "parameter k authenticated.");
// TODO decifrar
memcpy(lnp_key_store[store_entry_index].k_in,
key_exchange.encrypted_k_2, LNP_K_LENGTH);
/* Create all the keys. */
if (create_keys(store_entry_index) == LNP_ERROR) {
liblog_error(LAYER_NET, "error generating session keys.");
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
};
if (send_key_exchange_ok(packet->source, store_entry_index) == LNP_ERROR) {
lnp_routing_entry_unlock(routing_entry_index);
return LNP_ERROR;
}
lnp_key_store[store_entry_index].handshake_state =
LNP_HANDSHAKE_CONNECTED;
/*pthread_cond_broadcast(
&lnp_key_store[store_entry_index].handshake_condition);*/
/*lnp_routing_entry_signal(routing_entry_index);*/
lnp_routing_entry_unlock(routing_entry_index);
return LNP_OK;
}
