Main Page | Data Structures | File List | Data Fields | Globals

example_server.c File Reference


Detailed Description

RSA Keys

The file example_restore.c demonstrates how to create the public/private RSA keys. Only the RSA_MODULUS and RSA_PUBLIC sections are needed on the server. For security reasons, the RSA_PRIVATE must NOT be stored on the server. (Remember to represent the RSA_PUBLIC in hex.)

Certificate Authority

You can use a third-party Certificate Authority or you can create your own. To create your own CA, you will first need to setup OpenSSL. You will need to create a default_keyfile and a private_key file. The openssl.cnf default_keyfile can be created with the following command:
 openssl genrsa -out default_keyfile.pem 2048

The next command will create the private_key for openssl.cnf.

 openssl req -new -x509 -days 1825 -keyout private_key.pem -out cacert.pem

The cacert.pem will be the SSL_CLIENT_CERT distributed with the client. The client will use this to verify the signature of the server's certificate.

   <SSL_CLIENT_CERT>
       /usr/local/ssl/cacert.pem
   </SSL_CLIENT_CERT>

Server Key

Create a certificate request on behalf of the server. The server.key is the server's private key. The server.csr is the server's certificate request. The request will need to be signed using the private_key.pem from the previous step.

 openssl req -new -nodes -keyout server.key -out server.csr

The server will need the private key in the config file.

   <SSL_PRIVATE_KEY>
       /usr/local/ssl/server.key
   </SSL_PRIVATE_KEY>

Now, sign this certificate. The signed certificate will be used by the server for identification.

 openssl ca  -out server.crt -infiles server.csr

   <SSL_SERVER_CERT>
       /usr/local/ssl/server.crt
   </SSL_SERVER_CERT>

Server config file

   <ESCROW>
 
       <RSA_MODULUS> 
           00:c6:83:9f:08:79:d0:60:66:dc:52:52:c1:52:f4:
           60:8d:6e:40:57:60:ee:5a:9c:f4:28:9c:30:ca:05:
           e9:f7:82:2e:53:48:15:3b:47:89:cd:76:de:04:09:
           fe:fb:b9:48:63:e8:5c:dd:2e:60:b7:d6:47:34:4e:
           9b:1f:9b:9d:77
       </RSA_MODULUS>

       <RSA_PUBLIC> 
           10001 
       </RSA_PUBLIC>

       <SSL_SERVER_CERT> 
           /usr/local/ssl/server.crt
       </SSL_SERVER_CERT>

       <SSL_PRIVATE_KEY> 
           /usr/local/ssl/server.key
       </SSL_PRIVATE_KEY>

       <SERVER_NAME> 
           lagrange.wfunet.wfu.edu 
       </SERVER_NAME>

       <TCP_PORT> 
           1111 
       </TCP_PORT>

       <ADMIN_SUBNET_MASK> 
           10.255.255.255 
       </ADMIN_SUBNET_MASK>

       <LDAP_URI> ldaps://ldap.wfu.edu/ </LDAP_URI>
       <LDAP_DN>  o=WFU,c=US            </LDAP_DN>

       <MYSQL_DB>   wfu_mysql_db     </MYSQL_DB>
       <MYSQL_USER> wfu_mysql_user   </MYSQL_USER>
       <MYSQL_PASS> wfu_mysql_passwd </MYSQL_PASS>
       <MYSQL_HOST> localhost        </MYSQL_HOST>
       <MYSQL_PORT> 3306             </MYSQL_PORT>

   </ESCROW>

inetd.c

This is the server code.

/*
 * libwfu - A Key Escrow Client/Server and API for TrueCrypt.
 * Copyright (C) 2007 Wake Forest University
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or (at
 * your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * Author: J. Mike Rollins <rollins@wfu.edu> and Carl Fulp <fulpc@wfu.edu>
 */

/*
 * This file is derived from a sample application provided in the OpenSSL source.
 * The sample application was written by Tim Hudson (tjh@cryptsoft.com)
 *     inetdserv.cpp  -  Minimal ssleay server for Unix inetd.conf
 *     30.9.1996, Sampo Kellomaki <sampo@iki.fi>
 */

#include <stdio.h>
#include <errno.h>

#include <openssl/rsa.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#include "WFU.h"
#include "libconfig.h"

#include "common.h"
#include "server.h"
#include "server_parameters.h"


#include <unistd.h>
#include <signal.h>

#define TIMEOUT 60

#define WFU_ERR_SSL_NULL_X        (WFU_ERR_SSL_NULL | WFU_ERR_SSL)

void timeout(int sig)
  {
    WFU_log("Alarm signal received: Exiting.");
    exit(1);
  }

int main (int argc, char *argv[])
  {
    int err;
    SSL_CTX* ctx;
    SSL*     ssl;
    X509*    client_cert;
    char*    str;
    SSL_METHOD *meth;
    char configuration_file[WFU_MAX_FILE_NAME_LEN];
    char client_ip[WFU_MAX_IP_LEN];
  
    /* Set the timeout */
    alarm(TIMEOUT);
    (void) signal(SIGALRM, (void*)timeout);
  
  
    if (argc != 2)
      {
        WFU_log("Error must provide a configuration file as the only argument to this program.");
        exit(1);
      } 
  
    memset(configuration_file,0,sizeof(configuration_file));
    strncpy(configuration_file,argv[1],WFU_MAX_FILE_NAME_LEN);
  
    //NOTE: check that file exists
    WFU_parse_config(configuration_file);
   
    struct sockaddr_in addr;
    int addr_len = sizeof(addr);
  
    if (! getpeername(fileno(stdin), (struct sockaddr *)&addr, &addr_len) != 0 )
      {
        str = inet_ntoa(addr.sin_addr);
  
        if (! str) 
          {
            WFU_log("Error obtaining IP address of client.");
            exit(1);
          }

        strncpy(client_ip, str, WFU_MAX_IP_LEN);
  
        snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"Connection from %s:%d\n", 
          client_ip, ntohs(addr.sin_port));
  
        WFU_log(NULL);
      }
    else
        WFU_CHK_RET("SERVER: getpeername() failed", WFU_ERR_SSL_NULL_X, 1);
  
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    meth = SSLv23_method();
    ctx = SSL_CTX_new (meth);
  
    if (!ctx) 
      {
        WFU_log("SERVER: failed to init SSL Context.");
        exit(1);
      }
  
    WFU_debug("SERVER: Reading certificate file.");
  
    err = SSL_CTX_use_certificate_file   (ctx,  WFU_get_server_cert_file(), SSL_FILETYPE_PEM);
    WFU_CHK_NEG(err, "SERVER: use_certificate_file failed", WFU_ERR_SSL_NULL_X, 1);
  
    WFU_debug("SERVER: Reading private key file.");
    err = SSL_CTX_use_PrivateKey_file (ctx, WFU_get_server_privkey_file(),  SSL_FILETYPE_PEM);
    WFU_CHK_NEG(err, "SERVER: use_PrivateKey_file failed", WFU_ERR_SSL_NULL_X, 1);
  
    /* inetd has already opened the TCP connection, so we can get right
       down to business. */
  
    WFU_debug("SERVER: Creating new SSL context."); 
  
    ssl = SSL_new (ctx);  
    WFU_CHK_NULL(ssl, "SERVER: SSL structure is NULL", WFU_ERR_SSL_NULL_X, 1);
  
    SSL_set_fd (ssl,  fileno(stdin));

    WFU_debug("SERVER: Connecting to socket.");
    err = SSL_accept (ssl);
    if (err < 0)
      WFU_CHK_SSL_4(ssl, err, WFU_ERR_SSL_NULL_X, 1);
    
    /* Get the cipher - opt */
    
    snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: SSL connection using %s", SSL_get_cipher (ssl));
    WFU_debug(NULL);
  
    /* Get client's certificate (note: beware of dynamic allocation) - opt */
  
    client_cert = SSL_get_peer_certificate (ssl);
    if (client_cert != NULL) 
      {
        str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
        WFU_CHK_NULL(str, "SERVER: Null string", WFU_ERR_SSL_NULL_X, 1);
  
        snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: Client certificate subject: %s", str);
        WFU_debug(NULL);
    
        OPENSSL_free (str);
        
        str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
        WFU_CHK_NULL(str, "SERVER: Null string", WFU_ERR_SSL_NULL_X, 1);
    
        snprintf(wfu_log_buffer,LOG_BUFFER_SIZE,"SERVER: Client certificate issuer: %s", str);
        WFU_debug(NULL);
    
        OPENSSL_free (str);
        
        /* We could do all sorts of certificate verification stuff here before
           deallocating the certificate. */
        
        X509_free (client_cert);
      } 
    else
        WFU_debug("SERVER: Client does not have certificate.");
  

    WFU_debug("SERVER: Sending control over to the WFU_server_dispatch function.");
    (void) WFU_server_dispatch(ssl,client_ip);

    /* Clean up. */
    SSL_free (ssl);
    SSL_CTX_free (ctx);

    WFU_log("SERVER: normal exit.");

    return 0;
  }





Generated on Wed Oct 10 12:38:21 2007 for WFUCrypt by  doxygen 1.3.9.1