/mandos/release : contents of plugins.d/mandosclient.c at revision 15

: (revision 15)

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

/* $Id$ */

/* PLEASE NOTE *
 * This file demonstrates how to use Avahi's core API, this is
 * the embeddable mDNS stack for embedded applications.
 *
 * End user applications should *not* use this API and should use
 * the D-Bus or C APIs, please see
 * client-browse-services.c and glib-integration.c
 * 
 * I repeat, you probably do *not* want to use this example.
 */

/***
  This file is part of avahi.
 
  avahi is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as
  published by the Free Software Foundation; either version 2.1 of the
  License, or (at your option) any later version.
 
  avahi is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
  Public License for more details.
 
  You should have received a copy of the GNU Lesser General Public
  License along with avahi; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
  USA.
***/

#define _LARGEFILE_SOURCE
#define _FILE_OFFSET_BITS 64

#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include <time.h>
#include <net/if.h>		/* if_nametoindex */

#include <avahi-core/core.h>
#include <avahi-core/lookup.h>
#include <avahi-core/log.h>
#include <avahi-common/simple-watch.h>
#include <avahi-common/malloc.h>
#include <avahi-common/error.h>

//mandos client part
#include <sys/types.h>		/* socket(), setsockopt(), inet_pton() */
#include <sys/socket.h>		/* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
#include <gnutls/gnutls.h>	/* ALL GNUTLS STUFF */
#include <gnutls/openpgp.h>	/* gnutls with openpgp stuff */

#include <unistd.h>		/* close() */
#include <netinet/in.h>
#include <stdbool.h>		/* true */
#include <string.h>		/* memset */
#include <arpa/inet.h>		/* inet_pton() */
#include <iso646.h>		/* not */

// gpgme
#include <errno.h>		/* perror() */
#include <gpgme.h>


#ifndef CERT_ROOT
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
#endif
#define CERTFILE CERT_ROOT "openpgp-client.txt"
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
#define BUFFER_SIZE 256
#define DH_BITS 1024

typedef struct {
  gnutls_session_t session;
  gnutls_certificate_credentials_t cred;
  gnutls_dh_params_t dh_params;
} encrypted_session;


ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
  gpgme_data_t dh_crypto, dh_plain;
  gpgme_ctx_t ctx;
  gpgme_error_t rc;
  ssize_t ret;
  size_t new_packet_capacity = 0;
  size_t new_packet_length = 0;
  gpgme_engine_info_t engine_info;

  /* Init GPGME */
  gpgme_check_version(NULL);
  gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
  
  /* Set GPGME home directory */
  rc = gpgme_get_engine_info (&engine_info);
  if (rc != GPG_ERR_NO_ERROR){
    fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
	    gpgme_strsource(rc), gpgme_strerror(rc));
    return -1;
  }
  while(engine_info != NULL){
    if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
      gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
			    engine_info->file_name, homedir);
      break;
    }
    engine_info = engine_info->next;
  }
  if(engine_info == NULL){
    fprintf(stderr, "Could not set home dir to %s\n", homedir);
    return -1;
  }
  
  /* Create new GPGME data buffer from packet buffer */
  rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
  if (rc != GPG_ERR_NO_ERROR){
    fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
	    gpgme_strsource(rc), gpgme_strerror(rc));
    return -1;
  }
  
  /* Create new empty GPGME data buffer for the plaintext */
  rc = gpgme_data_new(&dh_plain);
  if (rc != GPG_ERR_NO_ERROR){
    fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
	    gpgme_strsource(rc), gpgme_strerror(rc));
    return -1;
  }
  
  /* Create new GPGME "context" */
  rc = gpgme_new(&ctx);
  if (rc != GPG_ERR_NO_ERROR){
    fprintf(stderr, "bad gpgme_new: %s: %s\n",
	    gpgme_strsource(rc), gpgme_strerror(rc));
    return -1;
  }
  
  /* Decrypt data from the FILE pointer to the plaintext data buffer */
  rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
  if (rc != GPG_ERR_NO_ERROR){
    fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
	    gpgme_strsource(rc), gpgme_strerror(rc));
    return -1;
  }
  
/*   gpgme_decrypt_result_t result; */
/*   result = gpgme_op_decrypt_result(ctx); */
/*   fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */
/*   fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */
/*   if(result->file_name != NULL){ */
/*     fprintf(stderr, "File name: %s\n", result->file_name); */
/*   } */
/*   gpgme_recipient_t recipient; */
/*   recipient = result->recipients; */
/*   if(recipient){ */
/*     while(recipient != NULL){ */
/*       fprintf(stderr, "Public key algorithm: %s\n", */
/* 	      gpgme_pubkey_algo_name(recipient->pubkey_algo)); */
/*       fprintf(stderr, "Key ID: %s\n", recipient->keyid); */
/*       fprintf(stderr, "Secret key available: %s\n", */
/* 	      recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */
/*       recipient = recipient->next; */
/*     } */
/*   } */

  /* Delete the GPGME FILE pointer cryptotext data buffer */
  gpgme_data_release(dh_crypto);
  
  /* Seek back to the beginning of the GPGME plaintext data buffer */
  gpgme_data_seek(dh_plain, 0, SEEK_SET);

  *new_packet = 0;
  while(true){
    if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
      *new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
      if (*new_packet == NULL){
	perror("realloc");
	return -1;
      }
      new_packet_capacity += BUFFER_SIZE;
    }
    
    ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
    /* Print the data, if any */
    if (ret == 0){
      /* If password is empty, then a incorrect error will be printed */
      break;
    }
    if(ret < 0){
      perror("gpgme_data_read");
      return -1;
    }
    new_packet_length += ret;
  }

   /* Delete the GPGME plaintext data buffer */
  gpgme_data_release(dh_plain);
  return new_packet_length;
}

static const char * safer_gnutls_strerror (int value) {
  const char *ret = gnutls_strerror (value);
  if (ret == NULL)
    ret = "(unknown)";
  return ret;
}

void debuggnutls(int level, const char* string){
  fprintf(stderr, "%s", string);
}

int initgnutls(encrypted_session *es){
  const char *err;
  int ret;
  
  if ((ret = gnutls_global_init ())
      != GNUTLS_E_SUCCESS) {
    fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
    return -1;
  }

  /* Uncomment to enable full debuggin on the gnutls library */
  /*   gnutls_global_set_log_level(11); */
  /*   gnutls_global_set_log_function(debuggnutls); */


  /* openpgp credentials */
  if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
      != GNUTLS_E_SUCCESS) {
    fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
    return -1;
  }

  ret = gnutls_certificate_set_openpgp_key_file
    (es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
  if (ret != GNUTLS_E_SUCCESS) {
    fprintf
      (stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
       ret, CERTFILE, KEYFILE);
    fprintf(stdout, "The Error is: %s\n",
	    safer_gnutls_strerror(ret));
    return -1;
  }

  //Gnutls server initialization
  if ((ret = gnutls_dh_params_init (&es->dh_params))
      != GNUTLS_E_SUCCESS) {
    fprintf (stderr, "Error in dh parameter initialization: %s\n",
	     safer_gnutls_strerror(ret));
    return -1;
  }

  if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
      != GNUTLS_E_SUCCESS) {
    fprintf (stderr, "Error in prime generation: %s\n",
	     safer_gnutls_strerror(ret));
    return -1;
  }

  gnutls_certificate_set_dh_params (es->cred, es->dh_params);

  // Gnutls session creation
  if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
      != GNUTLS_E_SUCCESS){
    fprintf(stderr, "Error in gnutls session initialization: %s\n",
	    safer_gnutls_strerror(ret));
  }

  if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
      != GNUTLS_E_SUCCESS) {
    fprintf(stderr, "Syntax error at: %s\n", err);
    fprintf(stderr, "Gnutls error: %s\n",
	    safer_gnutls_strerror(ret));
    return -1;
  }

  if ((ret = gnutls_credentials_set
       (es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
      != GNUTLS_E_SUCCESS) {
    fprintf(stderr, "Error setting a credentials set: %s\n",
	    safer_gnutls_strerror(ret));
    return -1;
  }

  /* ignore client certificate if any. */
  gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
  
  gnutls_dh_set_prime_bits (es->session, DH_BITS);
  
  return 0;
}

void empty_log(AvahiLogLevel level, const char *txt){}

int start_mandos_communcation(char *ip, uint16_t port){
  int ret, tcp_sd;
  struct sockaddr_in6 to;
  struct in6_addr ip_addr;
  encrypted_session es;
  char *buffer = NULL;
  char *decrypted_buffer;
  size_t buffer_length = 0;
  size_t buffer_capacity = 0;
  ssize_t decrypted_buffer_size;
  int retval = 0;

  
  tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
  if(tcp_sd < 0) {
    perror("socket");
    return -1;
  }
  
  ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
  if(tcp_sd < 0) {
    perror("setsockopt bindtodevice");
    return -1;
  }
  
  memset(&to,0,sizeof(to));
  to.sin6_family = AF_INET6;
  ret = inet_pton(AF_INET6, ip, &ip_addr);
  if (ret < 0 ){
    perror("inet_pton");
    return -1;
  }  
  if(ret == 0){
    fprintf(stderr, "Bad address: %s\n", ip);
    return -1;
  }
  to.sin6_port = htons(port);
  to.sin6_scope_id = if_nametoindex("eth0");
  
  ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
  if (ret < 0){
    perror("connect");
    return -1;
  }
  
  ret = initgnutls (&es);
  if (ret != 0){
    retval = -1;
    return -1;
  }
    
  
  gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

  ret = gnutls_handshake (es.session);
  
  if (ret != GNUTLS_E_SUCCESS){
    fprintf(stderr, "\n*** Handshake failed ***\n");
    gnutls_perror (ret);
    retval = -1;
    goto exit;
  }

  //retrive password
  while(true){
    if (buffer_length + BUFFER_SIZE > buffer_capacity){
      buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
      if (buffer == NULL){
	perror("realloc");
	goto exit;
      }
      buffer_capacity += BUFFER_SIZE;
    }
    
    ret = gnutls_record_recv
      (es.session, buffer+buffer_length, BUFFER_SIZE);
    if (ret == 0){
      break;
    }
    if (ret < 0){
      switch(ret){
      case GNUTLS_E_INTERRUPTED:
      case GNUTLS_E_AGAIN:
	break;
      case GNUTLS_E_REHANDSHAKE:
	ret = gnutls_handshake (es.session);
	if (ret < 0){
	  fprintf(stderr, "\n*** Handshake failed ***\n");
	  gnutls_perror (ret);
	  retval = -1;
	  goto exit;
	}
	break;
      default:
	fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
	retval = -1;
	gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
	goto exit;
      }
    } else {
      buffer_length += ret;
    }
  }

  if (buffer_length > 0){
    if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){
      retval = -1;
    } else {
      fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
      free(decrypted_buffer);
    }
  }

  free(buffer);

  //shutdown procedure
  gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
 exit:
  close(tcp_sd);
  gnutls_deinit (es.session);
  gnutls_certificate_free_credentials (es.cred);
  gnutls_global_deinit ();
  return retval;
}

static AvahiSimplePoll *simple_poll = NULL;
static AvahiServer *server = NULL;

static void resolve_callback(
    AvahiSServiceResolver *r,
    AVAHI_GCC_UNUSED AvahiIfIndex interface,
    AVAHI_GCC_UNUSED AvahiProtocol protocol,
    AvahiResolverEvent event,
    const char *name,
    const char *type,
    const char *domain,
    const char *host_name,
    const AvahiAddress *address,
    uint16_t port,
    AvahiStringList *txt,
    AvahiLookupResultFlags flags,
    AVAHI_GCC_UNUSED void* userdata) {
    
    assert(r);

    /* Called whenever a service has been resolved successfully or timed out */

    switch (event) {
        case AVAHI_RESOLVER_FAILURE:
            fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
            break;

        case AVAHI_RESOLVER_FOUND: {
	  char ip[AVAHI_ADDRESS_STR_MAX];
            avahi_address_snprint(ip, sizeof(ip), address);
	    int ret = start_mandos_communcation(ip, port);
	    if (ret == 0){
	      exit(EXIT_SUCCESS);
	    } else {
	      exit(EXIT_FAILURE);
	    }
        }
    }
    avahi_s_service_resolver_free(r);
}

static void browse_callback(
    AvahiSServiceBrowser *b,
    AvahiIfIndex interface,
    AvahiProtocol protocol,
    AvahiBrowserEvent event,
    const char *name,
    const char *type,
    const char *domain,
    AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
    void* userdata) {
    
    AvahiServer *s = userdata;
    assert(b);

    /* Called whenever a new services becomes available on the LAN or is removed from the LAN */

    switch (event) {

        case AVAHI_BROWSER_FAILURE:
            
            fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
            avahi_simple_poll_quit(simple_poll);
            return;

        case AVAHI_BROWSER_NEW:
            /* We ignore the returned resolver object. In the callback
               function we free it. If the server is terminated before
               the callback function is called the server will free
               the resolver for us. */
            
            if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
                fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
            
            break;

        case AVAHI_BROWSER_REMOVE:
            break;

        case AVAHI_BROWSER_ALL_FOR_NOW:
        case AVAHI_BROWSER_CACHE_EXHAUSTED:
            break;
    }
}

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
    AvahiServerConfig config;
    AvahiSServiceBrowser *sb = NULL;
    int error;
    int ret = 1;

    avahi_set_log_function(empty_log);
    
    /* Initialize the psuedo-RNG */
    srand(time(NULL));

    /* Allocate main loop object */
    if (!(simple_poll = avahi_simple_poll_new())) {
        fprintf(stderr, "Failed to create simple poll object.\n");
        goto fail;
    }

    /* Do not publish any local records */
    avahi_server_config_init(&config);
    config.publish_hinfo = 0;
    config.publish_addresses = 0;
    config.publish_workstation = 0;
    config.publish_domain = 0;

/*     /\* Set a unicast DNS server for wide area DNS-SD *\/ */
/*     avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */
/*     config.n_wide_area_servers = 1; */
/*     config.enable_wide_area = 1; */
    
    /* Allocate a new server */
    server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

    /* Free the configuration data */
    avahi_server_config_free(&config);

    /* Check wether creating the server object succeeded */
    if (!server) {
        fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
        goto fail;
    }
    
    /* Create the service browser */
    if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
        fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
        goto fail;
    }
    
    /* Run the main loop */
    avahi_simple_poll_loop(simple_poll);
    
    ret = 0;
    
fail:
    
    /* Cleanup things */
    if (sb)
        avahi_s_service_browser_free(sb);
    
    if (server)
        avahi_server_free(server);

    if (simple_poll)
        avahi_simple_poll_free(simple_poll);

    return ret;
}

13 by Björn Påhlsson Added following support:	1	/* $Id$ */
	2
	3	/* PLEASE NOTE *
	4	* This file demonstrates how to use Avahi's core API, this is
	5	* the embeddable mDNS stack for embedded applications.
	6	*
	7	* End user applications should not use this API and should use
	8	* the D-Bus or C APIs, please see
	9	* client-browse-services.c and glib-integration.c
	10	*
	11	* I repeat, you probably do not want to use this example.
	12	*/
	13
	14	/***
	15	This file is part of avahi.
	16
	17	avahi is free software; you can redistribute it and/or modify it
	18	under the terms of the GNU Lesser General Public License as
	19	published by the Free Software Foundation; either version 2.1 of the
	20	License, or (at your option) any later version.
	21
	22	avahi is distributed in the hope that it will be useful, but WITHOUT
	23	ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	24	or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
	25	Public License for more details.
	26
	27	You should have received a copy of the GNU Lesser General Public
	28	License along with avahi; if not, write to the Free Software
	29	Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
	30	USA.
	31	***/
	32
	33	#define _LARGEFILE_SOURCE
	34	#define _FILE_OFFSET_BITS 64
	35
	36	#include <stdio.h>
	37	#include <assert.h>
	38	#include <stdlib.h>
	39	#include <time.h>
	40	#include <net/if.h> /* if_nametoindex */
	41
	42	#include <avahi-core/core.h>
	43	#include <avahi-core/lookup.h>
	44	#include <avahi-core/log.h>
	45	#include <avahi-common/simple-watch.h>
	46	#include <avahi-common/malloc.h>
	47	#include <avahi-common/error.h>
	48
	49	//mandos client part
	50	#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
	51	#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
	52	#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
	53	#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
	54
	55	#include <unistd.h> /* close() */
	56	#include <netinet/in.h>
	57	#include <stdbool.h> /* true */
	58	#include <string.h> /* memset */
	59	#include <arpa/inet.h> /* inet_pton() */
	60	#include <iso646.h> /* not */
	61
	62	// gpgme
	63	#include <errno.h> /* perror() */
	64	#include <gpgme.h>
65
66
67	#ifndef CERT_ROOT
68	#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
69	#endif
70	#define CERTFILE CERT_ROOT "openpgp-client.txt"
71	#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
72	#define BUFFER_SIZE 256
73	#define DH_BITS 1024
74
75	typedef struct {
76	gnutls_session_t session;
77	gnutls_certificate_credentials_t cred;
78	gnutls_dh_params_t dh_params;
79	} encrypted_session;
80
81
82	ssize_t gpg_packet_decrypt (char packet, size_t packet_size, char new_packet, char homedir){
83	gpgme_data_t dh_crypto, dh_plain;
84	gpgme_ctx_t ctx;
85	gpgme_error_t rc;
86	ssize_t ret;
87	size_t new_packet_capacity = 0;
88	size_t new_packet_length = 0;
89	gpgme_engine_info_t engine_info;
90
91	/* Init GPGME */
92	gpgme_check_version(NULL);
93	gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
94
95	/* Set GPGME home directory */
96	rc = gpgme_get_engine_info (&engine_info);
97	if (rc != GPG_ERR_NO_ERROR){
98	fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
99	gpgme_strsource(rc), gpgme_strerror(rc));
100	return -1;
101	}
102	while(engine_info != NULL){
103	if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
104	gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
105	engine_info->file_name, homedir);
106	break;
107	}
108	engine_info = engine_info->next;
109	}
110	if(engine_info == NULL){
111	fprintf(stderr, "Could not set home dir to %s\n", homedir);
112	return -1;
113	}
114
115	/* Create new GPGME data buffer from packet buffer */
116	rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
117	if (rc != GPG_ERR_NO_ERROR){
118	fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
119	gpgme_strsource(rc), gpgme_strerror(rc));
120	return -1;
121	}
122
123	/* Create new empty GPGME data buffer for the plaintext */
124	rc = gpgme_data_new(&dh_plain);
125	if (rc != GPG_ERR_NO_ERROR){
126	fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
127	gpgme_strsource(rc), gpgme_strerror(rc));
128	return -1;
129	}
130
131	/* Create new GPGME "context" */
132	rc = gpgme_new(&ctx);
133	if (rc != GPG_ERR_NO_ERROR){
134	fprintf(stderr, "bad gpgme_new: %s: %s\n",
135	gpgme_strsource(rc), gpgme_strerror(rc));
136	return -1;
137	}
138
139	/* Decrypt data from the FILE pointer to the plaintext data buffer */
140	rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
141	if (rc != GPG_ERR_NO_ERROR){
142	fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
143	gpgme_strsource(rc), gpgme_strerror(rc));
144	return -1;
145	}
146
147	/* gpgme_decrypt_result_t result; */
148	/* result = gpgme_op_decrypt_result(ctx); */
149	/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */
150	/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */
151	/* if(result->file_name != NULL){ */
152	/* fprintf(stderr, "File name: %s\n", result->file_name); */
153	/* } */
154	/* gpgme_recipient_t recipient; */
155	/* recipient = result->recipients; */
156	/* if(recipient){ */
157	/* while(recipient != NULL){ */
158	/* fprintf(stderr, "Public key algorithm: %s\n", */
159	/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */
160	/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */
161	/* fprintf(stderr, "Secret key available: %s\n", */
162	/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */
163	/* recipient = recipient->next; */
164	/* } */
165	/* } */
166
167	/* Delete the GPGME FILE pointer cryptotext data buffer */
168	gpgme_data_release(dh_crypto);
169
170	/* Seek back to the beginning of the GPGME plaintext data buffer */
171	gpgme_data_seek(dh_plain, 0, SEEK_SET);
172
173	*new_packet = 0;
174	while(true){
175	if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
176	new_packet = realloc(new_packet, new_packet_capacity + BUFFER_SIZE);
177	if (*new_packet == NULL){
178	perror("realloc");
179	return -1;
180	}
181	new_packet_capacity += BUFFER_SIZE;
182	}
183
184	ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
185	/* Print the data, if any */
186	if (ret == 0){
187	/* If password is empty, then a incorrect error will be printed */
188	break;
189	}
190	if(ret < 0){
191	perror("gpgme_data_read");
192	return -1;
193	}
194	new_packet_length += ret;
195	}
196
197	/* Delete the GPGME plaintext data buffer */
198	gpgme_data_release(dh_plain);
199	return new_packet_length;
200	}
201
202	static const char * safer_gnutls_strerror (int value) {
203	const char *ret = gnutls_strerror (value);
204	if (ret == NULL)
205	ret = "(unknown)";
206	return ret;
207	}
208
209	void debuggnutls(int level, const char* string){
210	fprintf(stderr, "%s", string);
211	}
212
213	int initgnutls(encrypted_session *es){
214	const char *err;
215	int ret;
216
217	if ((ret = gnutls_global_init ())
218	!= GNUTLS_E_SUCCESS) {
219	fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
220	return -1;
221	}
222
223	/* Uncomment to enable full debuggin on the gnutls library */
224	/* gnutls_global_set_log_level(11); */
225	/* gnutls_global_set_log_function(debuggnutls); */
226
227
228	/* openpgp credentials */
229	if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
230	!= GNUTLS_E_SUCCESS) {
231	fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
232	return -1;
233	}
234
235	ret = gnutls_certificate_set_openpgp_key_file
236	(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
237	if (ret != GNUTLS_E_SUCCESS) {
238	fprintf
239	(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
240	ret, CERTFILE, KEYFILE);
241	fprintf(stdout, "The Error is: %s\n",
242	safer_gnutls_strerror(ret));
243	return -1;
244	}
245
246	//Gnutls server initialization
247	if ((ret = gnutls_dh_params_init (&es->dh_params))
248	!= GNUTLS_E_SUCCESS) {
249	fprintf (stderr, "Error in dh parameter initialization: %s\n",
250	safer_gnutls_strerror(ret));
251	return -1;
252	}
253
254	if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
255	!= GNUTLS_E_SUCCESS) {
256	fprintf (stderr, "Error in prime generation: %s\n",
257	safer_gnutls_strerror(ret));
258	return -1;
259	}
260
261	gnutls_certificate_set_dh_params (es->cred, es->dh_params);
262
263	// Gnutls session creation
264	if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
265	!= GNUTLS_E_SUCCESS){
266	fprintf(stderr, "Error in gnutls session initialization: %s\n",
267	safer_gnutls_strerror(ret));
268	}
269
270	if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
271	!= GNUTLS_E_SUCCESS) {
272	fprintf(stderr, "Syntax error at: %s\n", err);
273	fprintf(stderr, "Gnutls error: %s\n",
274	safer_gnutls_strerror(ret));
275	return -1;
276	}
277
278	if ((ret = gnutls_credentials_set
279	(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
280	!= GNUTLS_E_SUCCESS) {
281	fprintf(stderr, "Error setting a credentials set: %s\n",
282	safer_gnutls_strerror(ret));
283	return -1;
284	}
285
286	/* ignore client certificate if any. */
287	gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
288
289	gnutls_dh_set_prime_bits (es->session, DH_BITS);
290
291	return 0;
292	}
293
294	void empty_log(AvahiLogLevel level, const char *txt){}
295
296	int start_mandos_communcation(char *ip, uint16_t port){
297	int ret, tcp_sd;
298	struct sockaddr_in6 to;
299	struct in6_addr ip_addr;
300	encrypted_session es;
301	char *buffer = NULL;
302	char *decrypted_buffer;
303	size_t buffer_length = 0;
304	size_t buffer_capacity = 0;
305	ssize_t decrypted_buffer_size;
306	int retval = 0;
307
308
309	tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
310	if(tcp_sd < 0) {
311	perror("socket");
312	return -1;
313	}
314
315	ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
316	if(tcp_sd < 0) {
317	perror("setsockopt bindtodevice");
318	return -1;
319	}
320
321	memset(&to,0,sizeof(to));
322	to.sin6_family = AF_INET6;
323	ret = inet_pton(AF_INET6, ip, &ip_addr);
324	if (ret < 0 ){
325	perror("inet_pton");
326	return -1;
327	}
328	if(ret == 0){
329	fprintf(stderr, "Bad address: %s\n", ip);
330	return -1;
331	}
332	to.sin6_port = htons(port);
333	to.sin6_scope_id = if_nametoindex("eth0");
334
335	ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
336	if (ret < 0){
337	perror("connect");
338	return -1;
339	}
340
341	ret = initgnutls (&es);
342	if (ret != 0){
343	retval = -1;
344	return -1;
345	}
346
347
348	gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
349
350	ret = gnutls_handshake (es.session);
351
352	if (ret != GNUTLS_E_SUCCESS){
353	fprintf(stderr, "\n* Handshake failed *\n");
354	gnutls_perror (ret);
355	retval = -1;
356	goto exit;
357	}
358
359	//retrive password
360	while(true){
361	if (buffer_length + BUFFER_SIZE > buffer_capacity){
362	buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
363	if (buffer == NULL){
364	perror("realloc");
365	goto exit;
366	}
367	buffer_capacity += BUFFER_SIZE;
368	}
369
370	ret = gnutls_record_recv
371	(es.session, buffer+buffer_length, BUFFER_SIZE);
372	if (ret == 0){
373	break;
374	}
375	if (ret < 0){
376	switch(ret){
377	case GNUTLS_E_INTERRUPTED:
378	case GNUTLS_E_AGAIN:
379	break;
380	case GNUTLS_E_REHANDSHAKE:
381	ret = gnutls_handshake (es.session);
382	if (ret < 0){
383	fprintf(stderr, "\n* Handshake failed *\n");
384	gnutls_perror (ret);
385	retval = -1;
386	goto exit;
387	}
388	break;
389	default:
390	fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
391	retval = -1;
392	gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
393	goto exit;
394	}
395	} else {
396	buffer_length += ret;
397	}
398	}
399
400	if (buffer_length > 0){
401	if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){
402	retval = -1;
403	} else {
404	fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
405	free(decrypted_buffer);
406	}
407	}
408
409	free(buffer);
410
411	//shutdown procedure
412	gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
413	exit:
414	close(tcp_sd);
415	gnutls_deinit (es.session);
416	gnutls_certificate_free_credentials (es.cred);
417	gnutls_global_deinit ();
418	return retval;
419	}
420
421	static AvahiSimplePoll *simple_poll = NULL;
422	static AvahiServer *server = NULL;
423
424	static void resolve_callback(
425	AvahiSServiceResolver *r,
426	AVAHI_GCC_UNUSED AvahiIfIndex interface,
427	AVAHI_GCC_UNUSED AvahiProtocol protocol,
428	AvahiResolverEvent event,
429	const char *name,
430	const char *type,
431	const char *domain,
432	const char *host_name,
433	const AvahiAddress *address,
434	uint16_t port,
435	AvahiStringList *txt,
436	AvahiLookupResultFlags flags,
437	AVAHI_GCC_UNUSED void* userdata) {
438
439	assert(r);
440
441	/* Called whenever a service has been resolved successfully or timed out */
442
443	switch (event) {
444	case AVAHI_RESOLVER_FAILURE:
445	fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
446	break;
447
448	case AVAHI_RESOLVER_FOUND: {
449	char ip[AVAHI_ADDRESS_STR_MAX];
450	avahi_address_snprint(ip, sizeof(ip), address);
451	int ret = start_mandos_communcation(ip, port);
452	if (ret == 0){
453	exit(EXIT_SUCCESS);
454	} else {
455	exit(EXIT_FAILURE);
456	}
457	}
458	}
459	avahi_s_service_resolver_free(r);
460	}
461
462	static void browse_callback(
463	AvahiSServiceBrowser *b,
464	AvahiIfIndex interface,
465	AvahiProtocol protocol,
466	AvahiBrowserEvent event,
467	const char *name,
468	const char *type,
469	const char *domain,
470	AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
471	void* userdata) {
472
473	AvahiServer *s = userdata;
474	assert(b);
475
476	/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
477
478	switch (event) {
479
480	case AVAHI_BROWSER_FAILURE:
481
482	fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
483	avahi_simple_poll_quit(simple_poll);
484	return;
485
486	case AVAHI_BROWSER_NEW:
487	/* We ignore the returned resolver object. In the callback
488	function we free it. If the server is terminated before
489	the callback function is called the server will free
490	the resolver for us. */
491
492	if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
493	fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
494
495	break;
496
497	case AVAHI_BROWSER_REMOVE:
498	break;
499
500	case AVAHI_BROWSER_ALL_FOR_NOW:
501	case AVAHI_BROWSER_CACHE_EXHAUSTED:
502	break;
503	}
504	}
505
506	int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
507	AvahiServerConfig config;
508	AvahiSServiceBrowser *sb = NULL;
509	int error;
510	int ret = 1;
511
512	avahi_set_log_function(empty_log);
513
514	/* Initialize the psuedo-RNG */
515	srand(time(NULL));
516
517	/* Allocate main loop object */
518	if (!(simple_poll = avahi_simple_poll_new())) {
519	fprintf(stderr, "Failed to create simple poll object.\n");
520	goto fail;
521	}
522
523	/* Do not publish any local records */
524	avahi_server_config_init(&config);
525	config.publish_hinfo = 0;
526	config.publish_addresses = 0;
527	config.publish_workstation = 0;
528	config.publish_domain = 0;
529
530	/* /\* Set a unicast DNS server for wide area DNS-SD \/ /
531	/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */
532	/* config.n_wide_area_servers = 1; */
533	/* config.enable_wide_area = 1; */
534
535	/* Allocate a new server */
536	server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
537
538	/* Free the configuration data */
539	avahi_server_config_free(&config);
540
541	/* Check wether creating the server object succeeded */
542	if (!server) {
543	fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
544	goto fail;
545	}
546
547	/* Create the service browser */
548	if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
549	fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
550	goto fail;
551	}
552
553	/* Run the main loop */
554	avahi_simple_poll_loop(simple_poll);
555
556	ret = 0;
557
558	fail:
559
560	/* Cleanup things */
561	if (sb)
562	avahi_s_service_browser_free(sb);
563
564	if (server)
565	avahi_server_free(server);
566
567	if (simple_poll)
568	avahi_simple_poll_free(simple_poll);
569
570	return ret;
571	}