int open_connection( SSL **ssl, SSL_CTX **ctx, char *server_addr, char *server_port)
{
BIO *conn;
long err;
char addr_buf[100] = "";
sprintf(addr_buf, "%s:%s", server_addr, server_port);
printf("[%s]\n",addr_buf);
*ctx = setup_client_ctx( );
conn = BIO_new_connect(addr_buf);
if (!conn)
handle_error("Error creating connection BIO");
if (BIO_do_connect(conn) <= 0)
handle_error("Error connecting to remote machine");
*ssl = SSL_new(*ctx);
SSL_set_bio(*ssl, conn, conn);
if (SSL_connect(*ssl) <= 0)
handle_error("Error connecting SSL object");
if ((err = post_connection_check(*ssl, SERVER)) != X509_V_OK)
{
fprintf(stderr, "-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
handle_error("Error checking SSL object after connection");
}
fprintf(stderr, "SSL Connection opened\n");
return 0;
}
void THREAD_CC server_thread(void *arg)
{
SSL *ssl = (SSL *)arg;
long err;
#ifndef WIN32
pthread_detach(pthread_self( ));
#endif
if (SSL_accept(ssl) <= 0)
int_error("Error accepting SSL connection");
if ((err = post_connection_check(ssl, CLIENT)) != X509_V_OK)
{
fprintf(stderr, "-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection");
}
fprintf(stderr, "SSL Connection opened\n");
if (do_server_loop(ssl))
SSL_shutdown(ssl);
else
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
ERR_remove_state(0);
#ifdef WIN32
_endthread( );
#endif
return 0;
}
static boolean connect_to_emergency_phr_list_loading_service(SSL **ssl_conn_ret)
{
BIO *bio_conn = NULL;
SSL_CTX *ctx = NULL;
int err;
char *hosts[1];
char phr_server_addr[IP_ADDRESS_LENGTH + PORT_NUMBER_LENGTH + 2];
// Connect to PHR Server
sprintf(phr_server_addr, "%s:%s", GLOBAL_phr_server_ip_addr, PHRSV_EMERGENCY_PHR_LIST_LOADING_PORT);
bio_conn = BIO_new_connect(phr_server_addr);
if(!bio_conn)
int_error("Creating BIO connection failed");
if(BIO_do_connect(bio_conn) <= 0)
{
fprintf(stderr, "Connecting to PHR server failed\n");
goto ERROR_AT_BIO_LAYER;
}
ctx = setup_client_ctx(EMS_CERTFILE_PATH, EMS_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
if(!(*ssl_conn_ret = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(*ssl_conn_ret, bio_conn, bio_conn);
if(SSL_connect(*ssl_conn_ret) <= 0)
{
fprintf(stderr, "Connecting SSL object failed\n");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = PHR_SERVER_CN;
if((err = post_connection_check(*ssl_conn_ret, hosts, 1, false, NULL)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Return value of *ssl_conn_ret
SSL_CTX_free(ctx);
ERR_remove_state(0);
return true;
ERROR_AT_BIO_LAYER:
BIO_free(bio_conn);
bio_conn = NULL;
ERR_remove_state(0);
return false;
ERROR_AT_SSL_LAYER:
SSL_cleanup(*ssl_conn_ret);
*ssl_conn_ret = NULL;
SSL_CTX_free(ctx);
ERR_remove_state(0);
return false;
}
static boolean connect_to_phr_transaction_log_synchronization_service(SSL **ssl_conn_ret)
{
BIO *bio_conn = NULL;
SSL_CTX *ctx = NULL;
int err;
char *hosts[1];
char audit_server_addr[IP_ADDRESS_LENGTH + PORT_NUMBER_LENGTH + 2];
// Connect to Audit Server
sprintf(audit_server_addr, "%s:%s", GLOBAL_audit_server_ip_addr, AS_PHR_TRANSACTION_LOG_SYNCHRONIZATION_PORT);
bio_conn = BIO_new_connect(audit_server_addr);
if(!bio_conn)
int_error("Creating BIO connection failed");
if(BIO_do_connect(bio_conn) <= 0)
{
fprintf(stderr, "Connecting to audit server failed\n");
goto ERROR_AT_BIO_LAYER;
}
ctx = setup_client_ctx(UA_CERTFILE_PATH, UA_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
if(!(*ssl_conn_ret = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(*ssl_conn_ret, bio_conn, bio_conn);
if(SSL_connect(*ssl_conn_ret) <= 0)
{
fprintf(stderr, "Connecting SSL object failed\n");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = AUDIT_SERVER_CN;
if((err = post_connection_check(*ssl_conn_ret, hosts, 1, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Return value of *ssl_conn_ret
SSL_CTX_free(ctx);
ERR_remove_state(0);
return true;
ERROR_AT_BIO_LAYER:
BIO_free(bio_conn);
bio_conn = NULL;
ERR_remove_state(0);
return false;
ERROR_AT_SSL_LAYER:
SSL_cleanup(*ssl_conn_ret);
*ssl_conn_ret = NULL;
SSL_CTX_free(ctx);
ERR_remove_state(0);
return false;
}
void* conn_handler(void *arg)
{
long err;
SSL *ssl;
struct conn_ctx *ctx = (struct conn_ctx *)arg;
struct freeq_ctx *freeqctx = ctx->srvctx->freeqctx;
struct freeqd_state *fst = ctx->srvctx->fst;
BIO *client = ctx->client;
pthread_detach(pthread_self());
ssl = freeq_ssl_new(freeqctx);
SSL_set_bio(ssl, client, client);
if (SSL_accept(ssl) <= 0)
{
int_error("Error accepting SSL connection");
return NULL;
}
if ((err = post_connection_check(freeqctx, ssl, "localhost")) != X509_V_OK)
{
err(freeqctx, "error: peer certificate: %s\n", X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection");
}
BIO *buf_io, *ssl_bio;
buf_io = BIO_new(BIO_f_buffer());
ssl_bio = BIO_new(BIO_f_ssl());
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
BIO_push(buf_io, ssl_bio);
dbg(freeqctx, "ssl client connection opened\n");
if (generation_table_merge(freeqctx, fst, buf_io))
{
err(freeqctx, "table merge failed\n");
SSL_shutdown(ssl);
}
else
{
dbg(freeqctx, "table merged ok\n");
SSL_clear(ssl);
}
dbg(freeqctx, "ssl client connection closed\n");
SSL_free(ssl);
ERR_remove_state(0);
return 0;
}
static void
do_ssl_accept(connections_head_t *head, connection_t *conn)
{
long err;
int ret, ssl_err;
if (conn->accept == 0) { /* first invoke do_ssl_accept */
conn->ssl = SSL_new(head->ctx);
if (NULL == conn->ssl) {
perror("SSL_new");
goto error;
}
if (SSL_set_fd(conn->ssl, conn->fd) != 1) {
perror("SSL_set_fd");
goto error;
}
conn->accept = 1;
}
ret = SSL_accept(conn->ssl);
if (ret != 1) {
ssl_err = SSL_get_error(conn->ssl, ret);
if (ssl_err != SSL_ERROR_WANT_READ
&& ssl_err != SSL_ERROR_WANT_WRITE) {
ERROR_MSG("ssl_err is: %d\n", ssl_err);
ERROR_MSG("ssl_accept");
goto error;
}
/* called next epoll_wait loop */
return;
}
err = post_connection_check(conn->ssl, "192.168.1.10");
if (err != X509_V_OK) {
ERROR_MSG("post_connection_check error\n");
ERROR_MSG("-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
}
conn->handler = ssl_rdwr_handler;
error:
return;
}
int main_ssl(int argc, char **argv)
{
BIO *conn;
SSL *ssl;
SSL_CTX *ctx;
long err;
init_OpenSSL();
seed_prng();
ctx = setup_client_ctx();
fprintf(stderr, "SERVER= %s:%s\n", SERVER, PORT);
conn = BIO_new_connect(SERVER ":" PORT);
if (!conn)
int_error("Error creating connection BIO");
if (BIO_do_connect(conn) <= 0)
int_error("Error connecting to remote machine");
ssl = SSL_new(ctx);
SSL_set_bio(ssl, conn, conn);
if (SSL_connect(ssl) <= 0)
int_error("Error connecting SSL object");
if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK) {
fprintf(stderr, "-Error: peer certificate: %s\n",
X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection");
}
fprintf(stderr, "SSL Connection opened\n");
if (do_client_loop(ssl))
SSL_shutdown(ssl);
else
SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl);
SSL_CTX_free(ctx);
return 0;
}
static boolean connect_to_restricted_level_phr_access_request_responding_service(SSL **ssl_conn_ret)
{
BIO *bio_conn = NULL;
SSL_CTX *ctx = NULL;
int err;
char *hosts[1];
char emergency_server_addr[IP_ADDRESS_LENGTH + PORT_NUMBER_LENGTH + 2];
// Connect to Emergency Server
sprintf(emergency_server_addr, "%s:%s", GLOBAL_emergency_server_ip_addr, EMS_RESTRICTED_LEVEL_PHR_ACCESS_REQUEST_RESPONDING_PORT);
bio_conn = BIO_new_connect(emergency_server_addr);
if(!bio_conn)
int_error("Creating BIO connection failed");
if(BIO_do_connect(bio_conn) <= 0)
{
backend_alert_msg_callback_handler("Connecting to emergency server failed");
goto ERROR_AT_BIO_LAYER;
}
/* Hash value is used for verifying an SSL certificate to make sure that certificate is a latest update version,
preventing a user uses a revoked certificate to feign to be a revoked one */
if(!verify_file_integrity(SSL_CERT_PATH, GLOBAL_ssl_cert_hash, CALCULATING_SSL_CERT_HASH_PATH))
{
// Notify alert message to user and then terminate the application
backend_fatal_alert_msg_handler_callback("Your SSL certificate is not verified.\nTo solve this, please contact an administrator.");
}
ctx = setup_client_ctx(SSL_CERT_PATH, GLOBAL_passwd, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
if(!(*ssl_conn_ret = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(*ssl_conn_ret, bio_conn, bio_conn);
if(SSL_connect(*ssl_conn_ret) <= 0)
{
backend_alert_msg_handler_callback("Connecting SSL object failed");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = EMERGENCY_SERVER_CN;
if((err = post_connection_check(*ssl_conn_ret, hosts, 1, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
backend_alert_msg_handler_callback("Checking SSL information failed");
goto ERROR_AT_SSL_LAYER;
}
// Return value of *ssl_conn_ret
SSL_CTX_free(ctx);
ERR_remove_state(0);
return true;
ERROR_AT_BIO_LAYER:
BIO_free(bio_conn);
bio_conn = NULL;
ERR_remove_state(0);
return false;
ERROR_AT_SSL_LAYER:
SSL_cleanup(*ssl_conn_ret);
*ssl_conn_ret = NULL;
SSL_CTX_free(ctx);
ERR_remove_state(0);
return false;
}
void *emergency_delegation_list_loading_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
int err;
char *host[1];
ctx = setup_server_ctx(EMS_CERTFILE_PATH, EMS_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(EMS_EMERGENCY_DELEGATION_LIST_LOADING_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
host[0] = USER_CN;
if((err = post_connection_check(ssl_client, host, 1, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Process types of request
if(!process_request(ssl_client))
goto ERROR_AT_SSL_LAYER;
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
void* sqlhandler(void *arg) {
char sql[MAX_MSG];
int ret, err;
SSL *ssl;
sqlite4_stmt *pStmt;
struct conn_ctx *conn = (struct conn_ctx *)arg;
struct freeq_ctx *freeqctx = conn->srvctx->freeqctx;
BIO *client = conn->client;
if (!(ssl = freeq_ssl_new(freeqctx)))
{
err(freeqctx, "couldn't allocate new ssl instance");
BIO_free_all(client);
free(conn);
pthread_exit(NULL);
}
SSL_set_bio(ssl, client, client);
if (SSL_accept(ssl) <= 0)
{
int_error("Error accepting SSL connection");
BIO_free_all(client);
free(conn);
pthread_exit(NULL);
}
if ((err = post_connection_check(freeqctx, ssl, "localhost")) != X509_V_OK)
{
err(freeqctx, "error: peer certificate: %s\n", X509_verify_cert_error_string(err));
BIO_free_all(client);
free(conn);
pthread_exit(NULL);
}
BIO *b, *ssl_bio;
b = BIO_new(BIO_f_buffer());
ssl_bio = BIO_new(BIO_f_ssl());
BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);
BIO_push(b, ssl_bio);
memset(sql, 0, MAX_MSG);
ret = BIO_gets(b, sql, MAX_MSG);
ret = sqlite4_prepare(pDb, sql, strlen(sql), &pStmt, 0);
if (ret != SQLITE4_OK)
{
dbg(freeqctx, "prepare failed for %s sending error, ret was %d\n", sql, ret);
//freeq_error_write_sock(freeqctx, sqlite4_errmsg(pDb), b);
dbg(freeqctx, sqlite4_errmsg(pDb));
//BIO_printf(b, "error: %s\n", sqlite4_errmsg(pDb));
sqlite4_finalize(pStmt);
//pthread_exit(FREEQ_ERR);
}
freeq_sqlite_to_bio(freeqctx, b, pStmt);
SSL_shutdown(ssl);
SSL_free(ssl);
BIO_free_all(client);
free(conn);
pthread_exit(FREEQ_OK);
}
void *phr_authority_list_loading_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
int err;
char *hosts[2];
ctx = setup_server_ctx(ESA_CERTFILE_PATH, ESA_CERTFILE_PASSWD, EMU_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(ESA_PHR_AUTHORITY_LIST_LOADING_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = ADMIN_CN;
hosts[1] = USER_CN;
if((err = post_connection_check(ssl_client, hosts, 2, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Serve the PHR authority list
if(!load_phr_authority_list(ssl_client))
goto ERROR_AT_SSL_LAYER;
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
void *access_permission_management_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
int err;
char *hosts[1];
ctx = setup_server_ctx(UA_CERTFILE_PATH, UA_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(UA_ACCESS_PERMISSION_MANAGEMENT_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = USER_CN;
if((err = post_connection_check(ssl_client, hosts, 1, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Process request
if(!process_request(ssl_client))
goto ERROR_AT_SSL_LAYER;
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
/*
* The main TCP accpet loop
*/
void
server_accept_loop()
{
fd_set *fdset;
int maxfd, i, ret, err;
int newsock;
struct sockaddr_in from;
socklen_t fromlen;
int handcheck = -1;
int sock;
char **addr = NULL;
int pfd[2];
fdset = NULL;
maxfd = 0;
signal(SIGPIPE, SIG_IGN);
signal(SIGTERM, ctr_c);
signal(SIGQUIT, ctr_c);
signal(SIGINT, ctr_c);
/* SSL preliminaries */
SSL_CTX* ctx;
SSL* ssl;
init_OpenSSL ();
seed_prng ();
/* We keep the certificate and key with the context. */
ctx = setup_server_ctx ();
addr = crv_cut(options.listen_addrs, " ");
for (i = 0; addr[i]; i++)
{
/* Prepare TCP socket for receiving connections (change user for ROOT if port < 1024 )*/
sock = crv_server_listen(options.num_ports, 5, addr[i], options.address_family, 1);
if (sock == -1) {
fprintf( stderr, "%s\n", "main(): server_listent() failed");
exit (EXIT_FAILURE);
}
/* Add comment (listening on several adress )*/
listen_socks[num_listen_socks] = sock;
num_listen_socks++;
}
for( i = 0; addr[i]; i++)
crv_free(addr[i]);
crv_free(addr);
for (i = 0; i < num_listen_socks; i++)
if (listen_socks[i] > maxfd)
maxfd = listen_socks[i];
/* loop */
for(;;)
{
newsock = -1;
int pid;
handcheck = -1;
if (fdset != NULL)
free(fdset);
fdset = (fd_set *) calloc(howmany(maxfd + 1, NFDBITS), sizeof(fd_mask));
for ( i = 0; i < num_listen_socks; i++)
FD_SET(listen_socks[i], fdset);
/* wait in select until there is a connection. */
ret = select(maxfd+1, fdset, NULL, NULL, NULL);
if (ret < 0 && errno != EINTR)
Log ( "WARNING", 0, "select: %.100s", strerror(errno));
for ( i = 0; i < num_listen_socks; i++)
if ( FD_ISSET(listen_socks[i], fdset)) {
fromlen = sizeof(from);
newsock = accept(listen_socks[i], (struct sockaddr *)&from, &fromlen);
if (newsock < 0) {
if (errno != EINTR && errno != EWOULDBLOCK )
Log ( "WARNING", 0, "accept: %.100s", strerror(errno));
continue;
}
if (received_sigterm) {
fprintf( stderr, "Received signal %d; terminating.\n",
(int) received_sigterm);
close_listen_socks();
unlink(options.pid);
return;
}
if (crv_unset_nonblock(newsock) == -1) {
Log ( "CRASH", 0, "Unset nonblock failed");
continue;
}
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx);
if ((ssl)==NULL) {
Log ( "CRASH", 0, "Create new ssl failed");
continue;
}
/* connect the SSL object with a file descriptor */
err = SSL_set_fd (ssl, newsock);
if ((err)==0) {
Log ( "CRASH", 0, "Put SSL on socket failed \n");
close(newsock);
continue;
}
/* TCP connection is ready. Do server side SSL. */
err = SSL_accept (ssl);
if ((err) <= 0) {
Log ("HACK", 0, "%s handcheck failed", inet_ntoa(from.sin_addr));
/* Free the allocated SSL structure */
SSL_free (ssl);
continue;
}
else {
handcheck = 0;
}
if ( handcheck != -1 )
{
/* Pipe creation */
if (pipe(pfd) == -1)
{
fprintf( stderr, "%s\n", "server_accept_loop(): pipe() failed");
return;
}
switch((pid = fork()))
{
/* fork() Error */
case -1:
Log ("CRASH", 0, "%s%s\n", "Error on fork() -> ", strerror(errno));
exit (EXIT_FAILURE);
/* First child process */
case 0:
/* Close socket that has been created in create_tcp_socket() */
close_listen_socks();
int result = 0;
/* Chroot process */
if (result != -1)
result = crv_drop_priv_perm_and_chroot (options.user , options.chroot_directory );
initialize_command_opt(&command);
command.addr = crv_strdup((const char *)inet_ntoa (from.sin_addr));
if (options.sec == 1) {
result = post_connection_check (ssl, command.addr);
if (result != X509_V_OK) {
Log ( "HACK", 0,
"-Error: peer certificate: %s\n",
X509_verify_cert_error_string (result));
result = -1;
}
}
/* Time initialisation */
gettimeofday (&tv1, NULL);
/* Get client name*/
char buff[SIZE];
command.user = recup_pseudo (ssl);
command.mail = recup_email (ssl);
/* Send client pseudo to father */
write(pfd[1], command.user, strlen(command.user)+1);
close(pfd[1]); /* close write side */
sleep(1);
memset(buff, 0, sizeof(buff));
/* Read repond from father */
(void)read(pfd[0], buff, SIZE);
close(pfd[0]);
/* Get father respond about client pseudo */
/* Les pipes sont à enlever car, la liste des utilisateurs autorisés
* sont contenue sur la base de données distante
if (!crv_strncmp(buff, "no_register")) {
Log ("WARNING", 0, "Username '%s' is not registered", command.user);
result = -1;
}
*/
printf("buff:%s\n", buff);
/* Get CMD info (comd name, sha1 file, begin, end) */
if (result != -1)
result = pre_authcon( ssl, (const char *)buff);
if ( result == -1)
Log ("WARNING", 0, "Can't set command options");
/* exec command give by client */
if (result != -1)
traitement_conec ( ssl);
/* Free command structure */
Free_cmd_struct();
/* Close Socket , tube */
shutdown (newsock, 2);
close (newsock);
/* Free the allocated SSL structure */
SSL_free (ssl);
/* Free the allocated SSL CONTEXT object */
SSL_CTX_free (ctx);
/* EXIT */
exit (EXIT_SUCCESS);
/* Father process */
default:
{
char *xpath = NULL;
char Buffer[SIZE];
/* Read client pseudo from son */
(void)read(pfd[0], Buffer, SIZE);
//xpath = get_grp_list(Buffer);
close(pfd[0]); /* close read side */
if (xpath == NULL)
xpath = crv_strdup("no_register");
(void)crv_strncpy(Buffer, xpath, sizeof(Buffer));
(void)write(pfd[1], Buffer, strlen(Buffer)+1);
close(pfd[1]);
if (xpath != NULL)
crv_free(xpath);
SSL_free (ssl);
close(newsock);
}
} /* End of fork() */
} /* if handcheck is 0 */
} /* FD_ISSET */
} /* End of for() loop */
}
void *synchronization_responding_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
int err;
char *host[1];
ctx = setup_server_ctx(UA_CERTFILE_PATH, UA_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(UA_SYNCHRONIZATION_RESPONDING_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
host[0] = USER_AUTH_CN;
if((err = post_connection_check(ssl_client, host, 1, false, NULL)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Process the request
if(!process_request(ssl_client))
goto ERROR_AT_SSL_LAYER;
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
void *user_authentication_main(void *arg)
{
BIO *bio_acc = NULL;
BIO *bio_client = NULL;
SSL *ssl_client = NULL;
SSL_CTX *ctx = NULL;
char username[USER_NAME_LENGTH + 1];
char key_exchange_passwd[PASSWD_LENGTH + 1];
boolean is_admin_flag;
ctx = setup_server_ctx(UA_CERTFILE_PATH, UA_CERTFILE_PASSWD, PHR_ROOT_CA_ONLY_CERT_CERTFILE_PATH);
bio_acc = BIO_new_accept(UA_USER_AUTHENTICATION_PORT);
if(!bio_acc)
int_error("Creating server socket failed");
if(BIO_do_accept(bio_acc) <= 0)
int_error("Binding server socket failed");
for(;;)
{
if(BIO_do_accept(bio_acc) <= 0)
int_error("Accepting connection failed");
bio_client = BIO_pop(bio_acc);
// Verify the user
if(verify_authentication_request(bio_client, username, &is_admin_flag, key_exchange_passwd))
{
int err;
char *hosts[1];
// SSL certificate response
if(!ssl_cert_response(bio_client, username, is_admin_flag, key_exchange_passwd))
goto ERROR_AT_BIO_LAYER;
if(!(ssl_client = SSL_new(ctx)))
int_error("Creating SSL context failed");
SSL_set_bio(ssl_client, bio_client, bio_client);
if(SSL_accept(ssl_client) <= 0)
{
fprintf(stderr, "Accepting SSL connection failed\n");
goto ERROR_AT_SSL_LAYER;
}
hosts[0] = is_admin_flag ? ADMIN_CN : USER_CN;
if((err = post_connection_check(ssl_client, hosts, 1, true, GLOBAL_authority_name)) != X509_V_OK)
{
fprintf(stderr, "Checking peer certificate failed\n\"%s\"\n", X509_verify_cert_error_string(err));
goto ERROR_AT_SSL_LAYER;
}
// Verify the certificate owner
if(!verify_cert_owner(ssl_client, username, is_admin_flag))
goto ERROR_AT_SSL_LAYER;
// Record transaction login log
record_transaction_complete_login_log(ssl_client, username, is_admin_flag);
// Basic information response
if(!basic_info_response(ssl_client, username, is_admin_flag))
goto ERROR_AT_SSL_LAYER;
if(!is_admin_flag)
{
// CP-ABE private key response
if(!cpabe_private_key_response(ssl_client, username))
goto ERROR_AT_SSL_LAYER;
}
ERROR_AT_SSL_LAYER:
SSL_cleanup(ssl_client);
ssl_client = NULL;
ERR_remove_state(0);
continue;
ERROR_AT_BIO_LAYER:
BIO_free(bio_client);
bio_client = NULL;
ERR_remove_state(0);
}
else
{
fprintf(stderr, "Incorrect the verification information\n");
// Record transaction login log
record_transaction_incomplete_login_log(bio_client);
BIO_free(bio_client);
bio_client = NULL;
}
}
SSL_CTX_free(ctx);
ctx = NULL;
BIO_free(bio_acc);
bio_acc = NULL;
pthread_exit(NULL);
return NULL;
}
