From 6b5ed8f62c53313d95f09bdadda85af256d4f19f Mon Sep 17 00:00:00 2001 From: Johannes Bauer Date: Wed, 23 Oct 2019 22:12:00 +0200 Subject: [PATCH] Remove unused code Old, now unused code removed entirely. --- client.c | 170 -------------------------------------------------- server.c | 185 +++---------------------------------------------------- 2 files changed, 7 insertions(+), 348 deletions(-) diff --git a/client.c b/client.c index 12c1f00..425cb25 100644 --- a/client.c +++ b/client.c @@ -43,176 +43,6 @@ #include "keydb.h" #include "uuid.h" -#if 0 -static const struct keydb_t *client_keydb; - -static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) { - log_msg(LLVL_DEBUG, "psk_client_callback: SSL %p, hint '%s'.", ssl, hint); - if (max_psk_len < PSK_SIZE_BYTES) { - log_msg(LLVL_ERROR, "Client error: max_psk_len too small."); - return 0; - } - if (max_identity_len < strlen(CLIENT_PSK_IDENTITY) + 1) { - log_msg(LLVL_ERROR, "Client error: max_identity_len too small."); - return 0; - } - - uint8_t parsed_uuid[16]; - if (!parse_uuid(parsed_uuid, hint)) { - log_msg(LLVL_ERROR, "Client error: given hint '%s' is not a valid UUID.", hint); - return 0; - } - - const struct keyentry_t *entry = keydb_find_entry_by_host_uuid(client_keydb, parsed_uuid); - if (!entry) { - log_msg(LLVL_ERROR, "Client error: server hint '%s' not present in database.", hint); - return 0; - } - - strncpy(identity, CLIENT_PSK_IDENTITY, max_identity_len); - memcpy(psk, entry->psk, PSK_SIZE_BYTES); - return PSK_SIZE_BYTES; -} - -static int tls_client_connect(const struct keyentry_t *keyentry, const char *host_port) { - struct generic_tls_ctx_t gctx; - create_generic_tls_context(&gctx, false); - - SSL_CTX_set_psk_client_callback(gctx.ctx, psk_client_callback); - - BIO *conn = BIO_new_ssl_connect(gctx.ctx); - if (!conn) { - log_openssl(LLVL_ERROR, "Cannot get SSL client connect BIO."); - return false; - } - - if (BIO_set_conn_hostname(conn, host_port) != 1) { - log_openssl(LLVL_ERROR, "Cannot set SSL client connect hostname/port."); - return false; - } - - SSL *ssl = NULL; - BIO_get_ssl(conn, &ssl); - if (!ssl) { - log_openssl(LLVL_ERROR, "Cannot get SSL client SSL context."); - return false; - } - - if (BIO_do_connect(conn) != 1) { - log_openssl(LLVL_ERROR, "Cannot perform SSL client connect."); - return false; - } - - if (BIO_do_handshake(conn) != 1) { - log_openssl(LLVL_ERROR, "Cannot perform SSL client handshake."); - return false; - } - - log_msg(LLVL_DEBUG, "Client successfully connected to server."); - for (int i = 0; i < MAX_DISKS_PER_HOST; i++) { - if (keyentry->disk_keys[i].occupied) { - log_msg(LLVL_DEBUG, "Client sending key #%d", i); - - struct msg_t msg; - memset(&msg, 0, sizeof(msg)); - memcpy(msg.disk_uuid, keyentry->disk_keys[i].disk_uuid, 16); - msg.passphrase_length = keyentry->disk_keys[i].passphrase_length; - memcpy(msg.passphrase, keyentry->disk_keys[i].passphrase, MAX_PASSPHRASE_LENGTH); - msg_to_nbo(&msg); - int txed = SSL_write(ssl, &msg, sizeof(msg)); - if (txed != sizeof(msg)) { - log_msg(LLVL_ERROR, "Truncated message sent: tried to send %d bytes, but only %d bytes went through. Aborting connection.", sizeof(msg), txed); - break; - } - } - } - BIO_free_all(conn); - free_generic_tls_context(&gctx); - return 0; -} - -static bool parse_announcement(const struct options_t *options, const struct sockaddr_in *peer_addr, const struct announcement_t *announcement) { - log_msg(LLVL_DEBUG, "Parsing possible announcement from %d.%d.%d.%d:%d", PRINTF_FORMAT_IP(peer_addr), ntohs(peer_addr->sin_port)); - const uint8_t expect_magic[16] = CLIENT_ANNOUNCE_MAGIC; - if (memcmp(announcement->magic, expect_magic, 16)) { - /* Magic number does not match, discard. */ - return false; - } - - const struct keyentry_t *keyentry = keydb_find_entry_by_host_uuid(client_keydb, announcement->host_uuid); - - char ascii_host_uuid[40]; - sprintf_uuid(ascii_host_uuid, announcement->host_uuid); - log_msg(LLVL_DEBUG, "Received valid announcement from %s host %s", (keyentry == NULL) ? "unknown" : "known", ascii_host_uuid); - - if (keyentry == NULL) { - /* The announcement is valid, but we don't know the client -- so we - * can't do anything further */ - return false; - } - - /* We know the server. But maybe we've already tried to contact them and - * therefore they're blacklisted for a certain period of time. Check this - * now (we don't want to spam servers with maybe invalid passphrases). */ - uint32_t ip = peer_addr->sin_addr.s_addr; - if (is_ip_blacklisted(ip)) { - log_msg(LLVL_DEBUG, "%d.%d.%d.%d is currently blacklisted for %d seconds.", PRINTF_FORMAT_IP(peer_addr), BLACKLIST_ENTRY_TIMEOUT_SECS); - return false; - } else { - /* Blacklist for next time */ - blacklist_ip(ip); - } - - char destination_address[32]; - snprintf(destination_address, sizeof(destination_address) - 1, "%d.%d.%d.%d:%d", PRINTF_FORMAT_IP(peer_addr), options->port); - log_msg(LLVL_DEBUG, "Trying to connect to %s in order to transmit keys", destination_address); - - tls_client_connect(keyentry, destination_address); - return true; -} - -static bool tls_client(const struct keydb_t *keydb, const struct options_t *options) { - client_keydb = keydb; - - int sd = socket(AF_INET, SOCK_DGRAM, 0); - if (sd < 0) { - log_libc(LLVL_ERROR, "Unable to create UDP client socket(2)"); - return false; - } - - { - int value = 1; - setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &value, sizeof(value)); - } - - struct sockaddr_in local_addr; - local_addr.sin_family = AF_INET; - local_addr.sin_port = htons(options->port); - local_addr.sin_addr.s_addr = htonl(INADDR_ANY); - memset(local_addr.sin_zero, 0, sizeof(local_addr.sin_zero)); - - if (bind(sd, (struct sockaddr*)&local_addr, sizeof(local_addr))) { - log_libc(LLVL_ERROR, "Unable to bind(2) UDP client socket to port %d", options->port); - return false; - } - - int tries = 0; - while ((options->unlock_cnt == 0) || (tries < options->unlock_cnt)) { - uint8_t rxbuf[2048]; - struct sockaddr_in peer_addr; - socklen_t addr_size = sizeof(peer_addr); - int rxlen = recvfrom(sd, rxbuf, sizeof(rxbuf), 0, (struct sockaddr *)&peer_addr, &addr_size); - if (rxlen == sizeof(struct announcement_t)) { - if (parse_announcement(options, &peer_addr, (struct announcement_t*)rxbuf)) { - tries++; - } - } - } - - return true; -} -#endif - struct keyclient_t { const struct pgmopts_client_t *opts; struct keydb_t *keydb; diff --git a/server.c b/server.c index 21a80a6..503d7b6 100644 --- a/server.c +++ b/server.c @@ -48,6 +48,13 @@ #include "keydb.h" #include "signals.h" +struct client_ctx_t { + struct generic_tls_ctx_t *gctx; + const struct keydb_t *keydb; + const struct host_entry_t *host; + int fd; +}; + static int create_tcp_server_socket(int port) { int s; struct sockaddr_in addr; @@ -80,184 +87,6 @@ static int create_tcp_server_socket(int port) { return s; } -#if 0 -static const struct keyentry_t *server_key; - - - -static bool unlock_disk(const struct diskentry_t *disk, const uint8_t *passphrase, int passphrase_length) { - char ascii_uuid[40]; - sprintf_uuid(ascii_uuid, disk->disk_uuid); - log_msg(LLVL_INFO, "Trying to unlock disk %s with UUID %s", disk->devmapper_name, ascii_uuid); -#ifdef DEBUG - fprintf(stderr, "Using %d bytes key for unlocking: ", passphrase_length); - dump_hex(stderr, passphrase, passphrase_length); - fprintf(stderr, "\n"); -#endif - if (is_luks_device_opened(disk->devmapper_name)) { - log_msg(LLVL_INFO, "Disk %s already unlocked, nothing to do.", disk->devmapper_name, ascii_uuid); - return true; - } - return open_luks_device_pw(disk->disk_uuid, disk->devmapper_name, passphrase, passphrase_length); -} - -static bool all_disks_unlocked(const struct keyentry_t *keyentry) { - for (int i = 0; i < MAX_DISKS_PER_HOST; i++) { - if (keyentry->disk_keys[i].occupied && !is_luks_device_opened(keyentry->disk_keys[i].devmapper_name)) { - return false; - } - } - return true; -} - -static bool tls_server(const struct keyentry_t *key, const struct options_t *options) { - if (all_disks_unlocked(key)) { - log_msg(LLVL_INFO, "Starting of server not necessary, all disks already unlocked."); - return true; - } - - struct generic_tls_ctx_t gctx; - create_generic_tls_context(&gctx, true); - - server_key = key; - { - char ascii_host_uuid[40]; - sprintf_uuid(ascii_host_uuid, key->host_uuid); - SSL_CTX_use_psk_identity_hint(gctx.ctx, ascii_host_uuid); - } - SSL_CTX_set_psk_server_callback(gctx.ctx, psk_server_callback); - - int tcp_sock = create_tcp_socket(options->port); - if (tcp_sock == -1) { - log_msg(LLVL_ERROR, "Cannot start server without server socket."); - free_generic_tls_context(&gctx); - return false; - } - - int udp_sock = create_udp_socket(); - if (tcp_sock == -1) { - log_msg(LLVL_ERROR, "Cannot broadcast without announcement UDP socket."); - close(tcp_sock); - free_generic_tls_context(&gctx); - return false; - } - - log_msg(LLVL_DEBUG, "Created listening socket on port %d", options->port); - int tries = 0; - int failed_broadcast_cnt = 0; - while ((options->unlock_cnt == 0) || (tries < options->unlock_cnt)) { - struct sockaddr_in addr; - unsigned int len = sizeof(addr); - - log_msg(LLVL_DEBUG, "Waiting for incoming connection..."); - if (!announce_waiting_message(udp_sock, options->port, key)) { - failed_broadcast_cnt++; - if ((options->max_broadcast_errs != 0) && (failed_broadcast_cnt >= options->max_broadcast_errs)) { - log_msg(LLVL_ERROR, "Too many broadcast errors, aborting. Network unavailable?"); - break; - } - } - if (!socket_wait_acceptable(tcp_sock, WAITING_MESSAGE_BROADCAST_INTERVAL_MILLISECONDS)) { - /* No connection pending, timeout. */ - continue; - } - - log_msg(LLVL_DEBUG, "Trying to accept connection..."); - int client = accept(tcp_sock, (struct sockaddr*)&addr, &len); - if (client < 0) { - log_libc(LLVL_ERROR, "Unable to accept(2)"); - close(udp_sock); - close(tcp_sock); - free_generic_tls_context(&gctx); - return false; - } - - SSL *ssl = SSL_new(gctx.ctx); - SSL_set_fd(ssl, client); - - if (SSL_accept(ssl) <= 0) { - ERR_print_errors_fp(stderr); - } else { - tries++; - log_msg(LLVL_DEBUG, "Client connected, waiting for data..."); - while (true) { - struct msg_t msg; - int rxlen = SSL_read(ssl, &msg, sizeof(msg)); - if (rxlen == 0) { - /* Client severed the connection */ - break; - } - if (rxlen != sizeof(msg)) { - log_msg(LLVL_ERROR, "Truncated message (%d bytes) received, terminating connection. Expected %d bytes.", rxlen, sizeof(msg)); - break; - } - msg_to_hbo(&msg); - - if ((msg.passphrase_length == 0) || (msg.passphrase_length > MAX_PASSPHRASE_LENGTH)) { - log_msg(LLVL_FATAL, "Client sent malformed message indicating illegal passphrase length of %d bytes. Aborting connection.", msg.passphrase_length); - break; - } - - /* Now check if this is one of they keys we're actually looking for */ - bool found = false; - for (int i = 0; i < MAX_DISKS_PER_HOST; i++) { - if (!memcmp(key->disk_keys[i].disk_uuid, msg.disk_uuid, 16)) { - bool success = unlock_disk(&key->disk_keys[i], msg.passphrase, msg.passphrase_length); - log_msg(LLVL_DEBUG, "Unlocking of disk was %s", success ? "successful" : "unsuccessful"); - found = true; - break; - } - } - if (!found) { - char ascii_uuid[40]; - sprintf_uuid(ascii_uuid, msg.disk_uuid); - log_msg(LLVL_INFO, "Client sent passphrase for UUID %s; we were not expecting it. Ignored.", ascii_uuid); - } - } - } - - SSL_free(ssl); - close(client); - - /* Connection closed */ - if (all_disks_unlocked(key)) { - log_msg(LLVL_INFO, "All disks successfully unlocked."); - break; - } else { - log_msg(LLVL_DEBUG, "At least one disk remains locked after communication."); - } - } - - close(udp_sock); - close(tcp_sock); - free_generic_tls_context(&gctx); - return true; -} -#endif - -#if 0 -static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { - if (max_psk_len < PSK_SIZE_BYTES) { - log_msg(LLVL_FATAL, "Server error: max_psk_len too small."); - return 0; - } - if (strcmp(identity, CLIENT_PSK_IDENTITY)) { - log_msg(LLVL_FATAL, "Server error: client identity '%s' unexpected (expected '%s').", identity, CLIENT_PSK_IDENTITY); - return 0; - } -// memcpy(psk, server_key->psk, PSK_SIZE_BYTES); - return PSK_SIZE_BYTES; -} -#endif - -struct client_ctx_t { - struct generic_tls_ctx_t *gctx; - const struct keydb_t *keydb; - const struct host_entry_t *host; - int fd; -}; - - static int psk_server_callback(SSL *ssl, const unsigned char *identity, size_t identity_len, SSL_SESSION **sessptr) { struct client_ctx_t *ctx = (struct client_ctx_t*)SSL_get_app_data(ssl);