static int generate_dh_params(eventer_t e, int mask, void *cl, struct timeval *now) { int bits = (int)(intptr_t)cl; if(mask != EVENTER_ASYNCH_WORK) return 0; switch(bits) { case 1024: if(!dh1024_tmp) dh1024_tmp = load_dh_params(dh1024_file); if(!dh1024_tmp) { mtevL(mtev_notice, "Generating 1024 bit DH parameters.\n"); dh1024_tmp = DH_generate_parameters(1024, 2, NULL, NULL); mtevL(mtev_notice, "Finished generating 1024 bit DH parameters.\n"); save_dh_params(dh1024_tmp, dh1024_file); } break; case 2048: if(!dh2048_tmp) dh2048_tmp = load_dh_params(dh2048_file); if(!dh2048_tmp) { mtevL(mtev_notice, "Generating 2048 bit DH parameters.\n"); dh2048_tmp = DH_generate_parameters(2048, 2, NULL, NULL); mtevL(mtev_notice, "Finished generating 2048 bit DH parameters.\n"); save_dh_params(dh2048_tmp, dh2048_file); } break; default: mtevFatal(mtev_error, "Unexpected DH parameter request: %d\n", bits); } return 0; }
Gobby::CertificateManager::CertificateManager(Preferences& preferences): m_preferences(preferences), m_dh_params(NULL), m_key(NULL), m_certificates(NULL), m_credentials(NULL), m_key_error(NULL), m_certificate_error(NULL), m_trust_error(NULL) { m_conn_key_file = m_preferences.security.key_file. signal_changed().connect(sigc::mem_fun( *this, &CertificateManager::on_key_file_changed)); m_conn_certificate_file = m_preferences.security.certificate_file. signal_changed().connect(sigc::mem_fun( *this, &CertificateManager::on_certificate_file_changed)); m_preferences.security.use_system_trust.signal_changed().connect( sigc::mem_fun( *this, &CertificateManager::on_trusted_cas_changed)); m_preferences.security.trusted_cas.signal_changed().connect( sigc::mem_fun( *this, &CertificateManager::on_trusted_cas_changed)); m_preferences.security.authentication_enabled. signal_changed().connect( sigc::mem_fun( *this, &CertificateManager:: on_authentication_enabled_changed)); // TODO: Load these only on request, to improve the startup time load_dh_params(); load_key(); load_certificate(); load_trust(); make_credentials(); }
/* * Attach the EAP-TLS module. */ static int eaptls_attach(CONF_SECTION *cs, void **instance) { EAP_TLS_CONF *conf; eap_tls_t *inst; /* Store all these values in the data structure for later references */ inst = (eap_tls_t *)malloc(sizeof(*inst)); if (!inst) { radlog(L_ERR, "rlm_eap_tls: out of memory"); return -1; } memset(inst, 0, sizeof(*inst)); /* * Parse the config file & get all the configured values */ conf = (EAP_TLS_CONF *)malloc(sizeof(*conf)); if (conf == NULL) { radlog(L_ERR, "rlm_eap_tls: out of memory"); return -1; } memset(conf, 0, sizeof(*conf)); inst->conf = conf; if (cf_section_parse(cs, conf, module_config) < 0) { eaptls_detach(inst); return -1; } /* * Initialize TLS */ inst->ctx = init_tls_ctx(conf); if (inst->ctx == NULL) { eaptls_detach(inst); return -1; } if (load_dh_params(inst->ctx, conf->dh_file) < 0) { eaptls_detach(inst); return -1; } if (generate_eph_rsa_key(inst->ctx) < 0) { eaptls_detach(inst); return -1; } *instance = inst; return 0; }
/* * Attach the EAP-TLS module. */ static int eaptls_attach(CONF_SECTION *cs, void **instance) { EAP_TLS_CONF *conf; eap_tls_t *inst; /* Store all these values in the data structure for later references */ inst = (eap_tls_t *)malloc(sizeof(*inst)); if (!inst) { radlog(L_ERR, "rlm_eap_tls: out of memory"); return -1; } memset(inst, 0, sizeof(*inst)); /* * Parse the config file & get all the configured values */ conf = (EAP_TLS_CONF *)malloc(sizeof(*conf)); if (conf == NULL) { free(inst); radlog(L_ERR, "rlm_eap_tls: out of memory"); return -1; } memset(conf, 0, sizeof(*conf)); inst->conf = conf; if (cf_section_parse(cs, conf, module_config) < 0) { eaptls_detach(inst); return -1; } /* * The EAP RFC's say 1020, but we're less picky. */ if (conf->fragment_size < 100) { radlog(L_ERR, "rlm_eap_tls: Fragment size is too small."); eaptls_detach(inst); return -1; } /* * The maximum size for a RADIUS packet is 4096, * minus the header (20), Message-Authenticator (18), * and State (18), etc. results in about 4000 bytes of data * that can be devoted *solely* to EAP. */ if (conf->fragment_size > 4000) { radlog(L_ERR, "rlm_eap_tls: Fragment size is too large."); eaptls_detach(inst); return -1; } /* * Account for the EAP header (4), and the EAP-TLS header * (6), as per Section 4.2 of RFC 2716. What's left is * the maximum amount of data we read from a TLS buffer. */ conf->fragment_size -= 10; /* * This magic makes the administrators life HUGELY easier * on initial deployments. * * If the server starts up in debugging mode, AND the * bootstrap command is configured, AND it exists, AND * there is no server certificate */ if (conf->make_cert_command && (debug_flag >= 2)) { struct stat buf; if ((stat(conf->make_cert_command, &buf) == 0) && (stat(conf->certificate_file, &buf) < 0) && (errno == ENOENT) && (radius_exec_program(conf->make_cert_command, NULL, 1, NULL, 0, NULL, NULL, 0) != 0)) { eaptls_detach(inst); return -1; } } /* * Initialize TLS */ inst->ctx = init_tls_ctx(conf); if (inst->ctx == NULL) { eaptls_detach(inst); return -1; } #ifdef HAVE_OPENSSL_OCSP_H /* * Initialize OCSP Revocation Store */ if (conf->ocsp_enable) { inst->store = init_revocation_store(conf); if (inst->store == NULL) { eaptls_detach(inst); return -1; } } #endif HAVE_OPENSSL_OCSP_H if (load_dh_params(inst->ctx, conf->dh_file) < 0) { eaptls_detach(inst); return -1; } if (generate_eph_rsa_key(inst->ctx) < 0) { eaptls_detach(inst); return -1; } if (conf->verify_tmp_dir) { if (chmod(conf->verify_tmp_dir, S_IRWXU) < 0) { radlog(L_ERR, "rlm_eap_tls: Failed changing permissions on %s: %s", conf->verify_tmp_dir, strerror(errno)); eaptls_detach(inst); return -1; } } if (conf->verify_client_cert_cmd && !conf->verify_tmp_dir) { radlog(L_ERR, "rlm_eap_tls: You MUST set the verify directory in order to use verify_client_cmd"); eaptls_detach(inst); return -1; } *instance = inst; return 0; }
int main(int argc, char** argv) { if(argc<4) { printf("Usage: ./wserver cert-file priv-key-file pub-key-file.\n"); exit(0); } else { CERTFILE = argv[1]; KEYFILE = argv[2]; PUBFILE = argv[3]; const char* PROMPT = "Enter password for Old Key file: "; if(argc == 5) { OLDKEY = argv[4]; PASSWORD = getpass(PROMPT); OLDPASS = (char*) calloc(1, strlen(PASSWORD)+1); strcpy(OLDPASS, PASSWORD); } PROMPT = "Enter password for Key file: "; PASSWORD = getpass(PROMPT); } int sock,s; BIO *sbio; SSL_CTX *ctx; SSL *ssl; int r; pid_t pid; char buf[BUFSIZZ]; char *owner = (char*) calloc(1,256); ctx=initialize_ctx(CERTFILE,KEYFILE,PASSWORD); load_dh_params(ctx,DHFILE); sock=tcp_listen(); if((s=accept(sock,0,0))<0) err_exit("Problem accepting"); sbio=BIO_new_socket(s,BIO_NOCLOSE); ssl=SSL_new(ctx); SSL_set_bio(ssl,sbio,sbio); SSL_set_verify(ssl,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); if((r=SSL_accept(ssl)<=0)) berr_exit("SSL accept error"); if(check_cert(ssl, ctx, &owner)<=0) { send_data(ssl, "Revoked"); printf("Connection Closed.\n"); close_SSL(ssl, sock); destroy_ctx(ctx); exit(0); } send_data(ssl, "Approved"); printf("User connected: %s\n", owner); if((pid=fork())){ close(s); } else { if(argc == 5) {recrypt();} while(1){ memset((void*)buf, 0, BUFSIZZ); if(rec_data(buf, ssl)>0) { printf("Command received: %s\n", buf); if(starts_with(buf, "PUT")){ put_file(ssl, buf, owner); } else if(starts_with(buf, "GET")){ get_file(ssl, buf, owner); } else if(starts_with(buf, "DELEGATE")){ delegate(ssl, buf, owner); } else if(starts_with(buf, "END")){ close_SSL(ssl, sock); break; } else { printf("Command not recognized\n"); } } else{ perror("Error receiving command\n"); break; } } } destroy_ctx(ctx); exit(0); }
void server(int protocol) { int sock,s; BIO *sbio; SSL_CTX *ctx; SSL *ssl; int r; pid_t pid; /* Build our SSL context*/ ctx=initialize_ctx(KEYFILE,PASSWORD); load_dh_params(ctx,DHFILE); SSL_CTX_set_cipher_list(ctx,"ALL"); long options = SSL_OP_NO_TICKET | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; int port; switch (protocol) { case SSL2_VERSION: options |= SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; port = 4434; break; case SSL3_VERSION: options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; port = 4435; break; case TLS1_VERSION: options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; port = 4436; break; case TLS1_1_VERSION: options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; port = 4437; break; case TLS1_2_VERSION: options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; port = 4438; break; default: err_exit("Unexpected protocol value"); } SSL_CTX_set_options(ctx, options); sock=tcp_listen(port); while(1){ if((s=accept(sock,0,0))<0) err_exit("Problem accepting"); if((pid=fork())){ close(s); } else { sbio=BIO_new_socket(s,BIO_NOCLOSE); ssl=SSL_new(ctx); SSL_set_bio(ssl,sbio,sbio); if((r=SSL_accept(ssl)<=0)) berr_exit("SSL accept error"); http_serve(ssl,s); exit(0); } } destroy_ctx(ctx); }
int main(int argc, char** argv) { extern dexpd_config conf0; int socknum = 0; int sock_id = 0; int wd = 0; int notify_fd = 0; int option_index = 0; char *peer_str; char c; int peer_num; pthread_t notify_th; pthread_t reconnect_th; pthread_t listenv6; struct sockaddr_in peer_addr; static struct option long_options[] = { {"dennis",no_argument,0, 'T'}, {0, 0, 0, 0} }; c = getopt_long (argc, argv, "T",long_options, &option_index); switch(c) { case 'T': dennis_tribute(); break; default: break; } socklen_t addr_len = sizeof(peer_addr); printf ("\n"); printf (" /\\\n"); printf (" /01\\\n"); printf (" /0011\\\n"); printf (" /000111\\ [[ Obsidian 0.1 == Clement Game 2011 ]]\n"); printf (" /00001111\\\n"); printf (" /0000011000\\\n"); printf (" \\0000000000/\n\n"); init_config(); if (conf0.use_tls) { printf("initializing TLS config...\n"); conf0.ctx=(SSL_CTX*)initialize_ctx(conf0.tls_server_cert,"password"); load_dh_params(conf0.ctx,conf0.tls_server_dh); } printf("Loading catalog from %s...\n",conf0.data_dir); load_catalog(conf0.data_dir); printf("starting inotify events listener...\n"); //inotify init functions on datadir; notify_fd = inotify_init(); wd = inotify_add_watch(notify_fd, conf0.data_dir, IN_CLOSE_WRITE|IN_MOVED_TO); //starting a new thread for inotify events read pthread_create(¬ify_th,NULL,notify_thread,¬ify_fd); printf("initating connections with peers...\n"); connectAll(); pthread_create(&reconnect_th,NULL,reconnect_loop,NULL); printf("listening on %s:%d...\n",conf0.listening_addr,conf0.listening_port); socknum = create_socket(conf0.listening_addr,conf0.listening_port); if (conf0.use_ipv6) { printf("listening on %s:%d...\n",conf0.ipv6_listening_addr,conf0.listening_port); pthread_create(&listenv6,NULL,listen_v6,NULL); } while(1) { if((sock_id = accept(socknum,(struct sockaddr*)&peer_addr,&addr_len))<0) { fprintf(stderr,"ERROR: CANNOT ACCEPT NEW CONNECTION ON %s:%d",conf0.listening_addr,conf0.listening_port); } else { peer_str = inet_ntoa(peer_addr.sin_addr); printf("New Connection From %s\n",peer_str); //gerer la notion de public ici if ( (peer_num = isPeer(peer_str,sock_id)) < 0 && conf0.pub == 0) { fprintf(stderr,"ERROR: REMOTE HOST NOT In PEERS LIST\n"); close(sock_id); } else if (conf0.pub == 1) { printf("Notice: Accepting public connection for host %s\n",peer_str); createPeer(peer_str,sock_id,1); } else { conf0.peers[peer_num].ssl = NULL; pthread_create(&conf0.peers[peer_num].ioth,NULL,dexp_serv_ioth,(void*)&conf0.peers[peer_num]); } } } }
int main(int argc, char **argv) { int sock,s; BIO *sbio; SSL_CTX *ctx; SSL *ssl; int r; pid_t pid; extern char *optarg; int c; while((c=getopt(argc,argv,"cCxna:"))!=-1){ switch(c){ case 'c': client_auth=CLIENT_AUTH_REQUEST; break; case 'C': client_auth=CLIENT_AUTH_REQUIRE; break; case 'x': client_auth=CLIENT_AUTH_REHANDSHAKE; break; case 'n': fork_child=0; break; case 'a': if(!(ciphers=strdup(optarg))) err_exit("Out of memory"); break; } } /* Build our SSL context*/ ctx=initialize_ctx(KEYFILE,PASSWORD); load_dh_params(ctx,DHFILE); SSL_CTX_set_session_id_context(ctx, (void*)&s_server_session_id_context, sizeof s_server_session_id_context); /* Set our cipher list */ if(ciphers){ SSL_CTX_set_cipher_list(ctx,ciphers); } switch(client_auth){ case CLIENT_AUTH_REQUEST: SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,0); break; case CLIENT_AUTH_REQUIRE: SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); break; case CLIENT_AUTH_REHANDSHAKE: /* Do nothing */ break; } sock=tcp_listen(); while(1){ if((s=accept(sock,0,0))<0) err_exit("Problem accepting"); if(fork_child && (pid=fork())){ close(s); } else { sbio=BIO_new_socket(s,BIO_NOCLOSE); ssl=SSL_new(ctx); SSL_set_bio(ssl,sbio,sbio); if((r=SSL_accept(ssl)<=0)) berr_exit("SSL accept error"); http_serve(ssl,s); if(fork_child) exit(0); } } destroy_ctx(ctx); exit(0); }