/mandos/release : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
plugins.d/Makefile

files removed:
server.conf

files renamed:
clients.conf => mandos-clients.conf

files modified:
Makefile

TODO

plugbasedclient.c

plugins.d/mandosclient.c

plugins.d/passprompt.c

server.py

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

/* $Id$ */

/* PLEASE NOTE *

* This file demonstrates how to use Avahi's core API, this is

* the embeddable mDNS stack for embedded applications.

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* <http://avahi.org/browser/examples/core-browse-services.c>. This

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* End user applications should *not* use this API and should use

* the D-Bus or C APIs, please see

* client-browse-services.c and glib-integration.c

* I repeat, you probably do *not* want to use this example.

/* Needed by GPGME, specifically gpgme_data_seek() */

/***

This file is part of avahi.

avahi is free software; you can redistribute it and/or modify it

under the terms of the GNU Lesser General Public License as

published by the Free Software Foundation; either version 2.1 of the

License, or (at your option) any later version.

avahi is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY

or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General

Public License for more details.

You should have received a copy of the GNU Lesser General Public

License along with avahi; if not, write to the Free Software

Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

USA.

***/

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* Mandos client part */

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */

#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

/* GPGME */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

bool debug = false;

const char *keydir = "/conf/conf.d/mandos";

const char *argp_program_version = "mandosclient 0.9";

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

const char mandos_protocol_version[] = "1";

/* Used for passing in values through all the callback functions */

#define DH_BITS 1024

typedef struct {

AvahiSimplePoll *simple_poll;

AvahiServer *server;

gnutls_session_t session;

gnutls_certificate_credentials_t cred;

unsigned int dh_bits;

gnutls_dh_params_t dh_params;

const char *priority;

} mandos_context;

size_t adjustbuffer(char **buffer, size_t buffer_length,

size_t buffer_capacity){

if (buffer_length + BUFFER_SIZE > buffer_capacity){

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

if (buffer == NULL){

return 0;

}

100

buffer_capacity += BUFFER_SIZE;

101

}

102

return buffer_capacity;

103

}

104

105

106

* Decrypt OpenPGP data using keyrings in HOMEDIR.

107

* Returns -1 on error

108

109

static ssize_t pgp_packet_decrypt (const char *cryptotext,

110

size_t crypto_size,

111

char **plaintext,

112

const char *homedir){

} encrypted_session;

ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){

113

gpgme_data_t dh_crypto, dh_plain;

114

gpgme_ctx_t ctx;

115

gpgme_error_t rc;

116

ssize_t ret;

117

size_t plaintext_capacity = 0;

118

ssize_t plaintext_length = 0;

size_t new_packet_capacity = 0;

size_t new_packet_length = 0;

119

gpgme_engine_info_t engine_info;

120

121

if (debug){

122

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

123

}

124

125

/* Init GPGME */

126

gpgme_check_version(NULL);

127

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

128

if (rc != GPG_ERR_NO_ERROR){

129

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

130

gpgme_strsource(rc), gpgme_strerror(rc));

131

return -1;

132

}

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

133

134

/* Set GPGME home directory for the OpenPGP engine only */

/* Set GPGME home directory */

135

rc = gpgme_get_engine_info (&engine_info);

136

if (rc != GPG_ERR_NO_ERROR){

137

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

147

108

engine_info = engine_info->next;

148

109

}

149

110

if(engine_info == NULL){

150

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

111

fprintf(stderr, "Could not set home dir to %s\n", homedir);

151

112

return -1;

152

113

}

153

114

154

/* Create new GPGME data buffer from memory cryptotext */

155

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

156

0);

115

/* Create new GPGME data buffer from packet buffer */

116

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

157

117

if (rc != GPG_ERR_NO_ERROR){

158

118

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

159

119

gpgme_strsource(rc), gpgme_strerror(rc));

165

125

if (rc != GPG_ERR_NO_ERROR){

166

126

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

167

127

gpgme_strsource(rc), gpgme_strerror(rc));

168

gpgme_data_release(dh_crypto);

169

128

return -1;

170

129

}

171

130

174

133

if (rc != GPG_ERR_NO_ERROR){

175

134

fprintf(stderr, "bad gpgme_new: %s: %s\n",

176

135

gpgme_strsource(rc), gpgme_strerror(rc));

177

plaintext_length = -1;

178

goto decrypt_end;

136

return -1;

179

137

}

180

138

181

/* Decrypt data from the cryptotext data buffer to the plaintext

182

data buffer */

139

/* Decrypt data from the FILE pointer to the plaintext data buffer */

183

140

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

184

141

if (rc != GPG_ERR_NO_ERROR){

185

142

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

186

143

gpgme_strsource(rc), gpgme_strerror(rc));

187

plaintext_length = -1;

188

goto decrypt_end;

189

}

190

191

if(debug){

192

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

193

}

194

195

if (debug){

196

gpgme_decrypt_result_t result;

197

result = gpgme_op_decrypt_result(ctx);

198

if (result == NULL){

199

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

200

} else {

201

fprintf(stderr, "Unsupported algorithm: %s\n",

202

result->unsupported_algorithm);

203

fprintf(stderr, "Wrong key usage: %d\n",

204

result->wrong_key_usage);

205

if(result->file_name != NULL){

206

fprintf(stderr, "File name: %s\n", result->file_name);

207

}

208

gpgme_recipient_t recipient;

209

recipient = result->recipients;

210

if(recipient){

211

while(recipient != NULL){

212

fprintf(stderr, "Public key algorithm: %s\n",

213

gpgme_pubkey_algo_name(recipient->pubkey_algo));

214

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

215

fprintf(stderr, "Secret key available: %s\n",

216

recipient->status == GPG_ERR_NO_SECKEY

217

? "No" : "Yes");

218

recipient = recipient->next;

219

}

220

}

221

}

222

}

144

return -1;

145

}

146

147

/* gpgme_decrypt_result_t result; */

148

/* result = gpgme_op_decrypt_result(ctx); */

149

/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */

150

/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */

151

/* if(result->file_name != NULL){ */

152

/* fprintf(stderr, "File name: %s\n", result->file_name); */

153

/* } */

154

/* gpgme_recipient_t recipient; */

155

/* recipient = result->recipients; */

156

/* if(recipient){ */

157

/* while(recipient != NULL){ */

158

/* fprintf(stderr, "Public key algorithm: %s\n", */

159

/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */

160

/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */

161

/* fprintf(stderr, "Secret key available: %s\n", */

162

/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */

163

/* recipient = recipient->next; */

164

/* } */

165

/* } */

166

167

/* Delete the GPGME FILE pointer cryptotext data buffer */

168

gpgme_data_release(dh_crypto);

223

169

224

170

/* Seek back to the beginning of the GPGME plaintext data buffer */

225

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

226

perror("pgpme_data_seek");

227

plaintext_length = -1;

228

goto decrypt_end;

229

}

230

231

*plaintext = NULL;

171

gpgme_data_seek(dh_plain, 0, SEEK_SET);

172

173

*new_packet = 0;

232

174

while(true){

233

plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,

234

plaintext_capacity);

235

if (plaintext_capacity == 0){

236

perror("adjustbuffer");

237

plaintext_length = -1;

238

goto decrypt_end;

175

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

176

*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);

177

if (*new_packet == NULL){

178

perror("realloc");

179

return -1;

180

}

181

new_packet_capacity += BUFFER_SIZE;

239

182

}

240

183

241

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

242

BUFFER_SIZE);

184

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);

243

185

/* Print the data, if any */

244

186

if (ret == 0){

245

/* EOF */

187

/* If password is empty, then a incorrect error will be printed */

246

188

break;

247

189

}

248

190

if(ret < 0){

249

191

perror("gpgme_data_read");

250

plaintext_length = -1;

251

goto decrypt_end;

192

return -1;

252

193

}

253

plaintext_length += ret;

194

new_packet_length += ret;

254

195

}

255

196

256

if(debug){

257

fprintf(stderr, "Decrypted password is: ");

258

for(ssize_t i = 0; i < plaintext_length; i++){

259

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

260

}

261

fprintf(stderr, "\n");

262

}

263

264

decrypt_end:

265

266

/* Delete the GPGME cryptotext data buffer */

267

gpgme_data_release(dh_crypto);

268

269

/* Delete the GPGME plaintext data buffer */

197

/* Delete the GPGME plaintext data buffer */

270

198

gpgme_data_release(dh_plain);

271

return plaintext_length;

199

return new_packet_length;

272

200

}

273

201

274

202

static const char * safer_gnutls_strerror (int value) {

278

206

return ret;

279

207

}

280

208

281

/* GnuTLS log function callback */

282

static void debuggnutls(__attribute__((unused)) int level,

283

const char* string){

284

fprintf(stderr, "GnuTLS: %s", string);

209

void debuggnutls(int level, const char* string){

210

fprintf(stderr, "%s", string);

285

211

}

286

212

287

static int init_gnutls_global(mandos_context *mc,

288

const char *pubkeyfile,

289

const char *seckeyfile){

213

int initgnutls(encrypted_session *es){

214

const char *err;

290

215

int ret;

291

216

292

if(debug){

293

fprintf(stderr, "Initializing GnuTLS\n");

294

}

295

296

217

if ((ret = gnutls_global_init ())

297

218

!= GNUTLS_E_SUCCESS) {

298

fprintf (stderr, "GnuTLS global_init: %s\n",

299

safer_gnutls_strerror(ret));

219

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

300

220

return -1;

301

221

}

302

303

if (debug){

304

/* "Use a log level over 10 to enable all debugging options."

305

* - GnuTLS manual

306

307

gnutls_global_set_log_level(11);

308

gnutls_global_set_log_function(debuggnutls);

309

}

310

311

/* OpenPGP credentials */

312

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

222

223

/* Uncomment to enable full debuggin on the gnutls library */

224

/* gnutls_global_set_log_level(11); */

225

/* gnutls_global_set_log_function(debuggnutls); */

226

227

228

/* openpgp credentials */

229

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

313

230

!= GNUTLS_E_SUCCESS) {

314

fprintf (stderr, "GnuTLS memory error: %s\n",

315

safer_gnutls_strerror(ret));

231

fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));

316

232

return -1;

317

233

}

318

319

if(debug){

320

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

321

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

322

seckeyfile);

323

}

324

234

325

235

ret = gnutls_certificate_set_openpgp_key_file

326

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf(stderr,

329

"Error[%d] while reading the OpenPGP key pair ('%s',"

330

" '%s')\n", ret, pubkeyfile, seckeyfile);

331

fprintf(stdout, "The GnuTLS error is: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

/* GnuTLS server initialization */

337

ret = gnutls_dh_params_init(&mc->dh_params);

338

if (ret != GNUTLS_E_SUCCESS) {

339

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

340

" %s\n", safer_gnutls_strerror(ret));

341

return -1;

342

}

343

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

344

if (ret != GNUTLS_E_SUCCESS) {

345

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

346

safer_gnutls_strerror(ret));

347

return -1;

348

}

349

350

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

351

352

return 0;

353

}

354

355

static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){

356

int ret;

357

/* GnuTLS session creation */

358

ret = gnutls_init(session, GNUTLS_SERVER);

359

if (ret != GNUTLS_E_SUCCESS){

360

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

361

safer_gnutls_strerror(ret));

362

}

363

364

{

365

const char *err;

366

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

367

if (ret != GNUTLS_E_SUCCESS) {

368

fprintf(stderr, "Syntax error at: %s\n", err);

369

fprintf(stderr, "GnuTLS error: %s\n",

370

safer_gnutls_strerror(ret));

371

return -1;

372

}

373

}

374

375

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

376

mc->cred);

377

if (ret != GNUTLS_E_SUCCESS) {

378

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

379

safer_gnutls_strerror(ret));

380

return -1;

381

}

382

236

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

237

if (ret != GNUTLS_E_SUCCESS) {

238

fprintf

239

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",

240

ret, CERTFILE, KEYFILE);

241

fprintf(stdout, "The Error is: %s\n",

242

safer_gnutls_strerror(ret));

243

return -1;

244

}

245

246

//Gnutls server initialization

247

if ((ret = gnutls_dh_params_init (&es->dh_params))

248

!= GNUTLS_E_SUCCESS) {

249

fprintf (stderr, "Error in dh parameter initialization: %s\n",

250

safer_gnutls_strerror(ret));

251

return -1;

252

}

253

254

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

255

!= GNUTLS_E_SUCCESS) {

256

fprintf (stderr, "Error in prime generation: %s\n",

257

safer_gnutls_strerror(ret));

258

return -1;

259

}

260

261

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

262

263

// Gnutls session creation

264

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

265

!= GNUTLS_E_SUCCESS){

266

fprintf(stderr, "Error in gnutls session initialization: %s\n",

267

safer_gnutls_strerror(ret));

268

}

269

270

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

271

!= GNUTLS_E_SUCCESS) {

272

fprintf(stderr, "Syntax error at: %s\n", err);

273

fprintf(stderr, "Gnutls error: %s\n",

274

safer_gnutls_strerror(ret));

275

return -1;

276

}

277

278

if ((ret = gnutls_credentials_set

279

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

280

!= GNUTLS_E_SUCCESS) {

281

fprintf(stderr, "Error setting a credentials set: %s\n",

282

safer_gnutls_strerror(ret));

283

return -1;

284

}

285

383

286

/* ignore client certificate if any. */

384

gnutls_certificate_server_set_request (*session,

385

GNUTLS_CERT_IGNORE);

287

gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);

386

288

387

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

289

gnutls_dh_set_prime_bits (es->session, DH_BITS);

388

290

389

291

return 0;

390

292

}

391

293

392

/* Avahi log function callback */

393

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

394

__attribute__((unused)) const char *txt){}

294

void empty_log(AvahiLogLevel level, const char *txt){}

395

295

396

/* Called when a Mandos server is found */

397

static int start_mandos_communication(const char *ip, uint16_t port,

398

AvahiIfIndex if_index,

399

mandos_context *mc){

296

int start_mandos_communcation(char *ip, uint16_t port){

400

297

int ret, tcp_sd;

401

298

struct sockaddr_in6 to;

299

struct in6_addr ip_addr;

300

encrypted_session es;

402

301

char *buffer = NULL;

403

302

char *decrypted_buffer;

404

303

size_t buffer_length = 0;

405

304

size_t buffer_capacity = 0;

406

305

ssize_t decrypted_buffer_size;

407

size_t written;

408

306

int retval = 0;

409

char interface[IF_NAMESIZE];

410

gnutls_session_t session;

411

gnutls_dh_params_t dh_params;

412

413

ret = init_gnutls_session (mc, &session);

414

if (ret != 0){

415

return -1;

416

}

417

418

if(debug){

419

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

420

ip, port);

421

}

307

422

308

423

309

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

424

310

if(tcp_sd < 0) {

425

311

perror("socket");

426

312

return -1;

427

313

}

428

429

if(debug){

430

if(if_indextoname((unsigned int)if_index, interface) == NULL){

431

perror("if_indextoname");

432

return -1;

433

}

434

fprintf(stderr, "Binding to interface %s\n", interface);

314

315

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

316

if(tcp_sd < 0) {

317

perror("setsockopt bindtodevice");

318

return -1;

435

319

}

436

320

437

memset(&to,0,sizeof(to)); /* Spurious warning */

321

memset(&to,0,sizeof(to));

438

322

to.sin6_family = AF_INET6;

439

/* It would be nice to have a way to detect if we were passed an

440

IPv4 address here. Now we assume an IPv6 address. */

441

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

323

ret = inet_pton(AF_INET6, ip, &ip_addr);

442

324

if (ret < 0 ){

443

325

perror("inet_pton");

444

326

return -1;

445

}

327

}

446

328

if(ret == 0){

447

329

fprintf(stderr, "Bad address: %s\n", ip);

448

330

return -1;

449

331

}

450

to.sin6_port = htons(port); /* Spurious warning */

451

452

to.sin6_scope_id = (uint32_t)if_index;

453

454

if(debug){

455

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

456

char addrstr[INET6_ADDRSTRLEN] = "";

457

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

458

sizeof(addrstr)) == NULL){

459

perror("inet_ntop");

460

} else {

461

if(strcmp(addrstr, ip) != 0){

462

fprintf(stderr, "Canonical address form: %s\n", addrstr);

463

}

464

}

465

}

332

to.sin6_port = htons(port);

333

to.sin6_scope_id = if_nametoindex("eth0");

466

334

467

335

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

468

336

if (ret < 0){

469

337

perror("connect");

470

338

return -1;

471

339

}

340

341

ret = initgnutls (&es);

342

if (ret != 0){

343

retval = -1;

344

return -1;

345

}

346

347

348

gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

472

349

473

const char *out = mandos_protocol_version;

474

written = 0;

475

while (true){

476

size_t out_size = strlen(out);

477

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

478

out_size - written));

479

if (ret == -1){

480

perror("write");

481

retval = -1;

482

goto mandos_end;

483

}

484

written += (size_t)ret;

485

if(written < out_size){

486

continue;

487

} else {

488

if (out == mandos_protocol_version){

489

written = 0;

490

out = "\r\n";

491

} else {

492

break;

493

}

494

}

495

}

496

497

if(debug){

498

fprintf(stderr, "Establishing TLS session with %s\n", ip);

499

}

500

501

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

502

503

ret = gnutls_handshake (session);

350

ret = gnutls_handshake (es.session);

504

351

505

352

if (ret != GNUTLS_E_SUCCESS){

506

if(debug){

507

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

508

gnutls_perror (ret);

509

}

353

fprintf(stderr, "\n*** Handshake failed ***\n");

354

gnutls_perror (ret);

510

355

retval = -1;

511

goto mandos_end;

512

}

513

514

/* Read OpenPGP packet that contains the wanted password */

515

516

if(debug){

517

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

518

ip);

356

goto exit;

519

357

}

520

358

359

//retrive password

521

360

while(true){

522

buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);

523

if (buffer_capacity == 0){

524

perror("adjustbuffer");

525

retval = -1;

526

goto mandos_end;

361

if (buffer_length + BUFFER_SIZE > buffer_capacity){

362

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

363

if (buffer == NULL){

364

perror("realloc");

365

goto exit;

366

}

367

buffer_capacity += BUFFER_SIZE;

527

368

}

528

369

529

ret = gnutls_record_recv(session, buffer+buffer_length,

530

BUFFER_SIZE);

370

ret = gnutls_record_recv

371

(es.session, buffer+buffer_length, BUFFER_SIZE);

531

372

if (ret == 0){

532

373

break;

533

374

}

537

378

case GNUTLS_E_AGAIN:

538

379

break;

539

380

case GNUTLS_E_REHANDSHAKE:

540

ret = gnutls_handshake (session);

381

ret = gnutls_handshake (es.session);

541

382

if (ret < 0){

542

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

383

fprintf(stderr, "\n*** Handshake failed ***\n");

543

384

gnutls_perror (ret);

544

385

retval = -1;

545

goto mandos_end;

386

goto exit;

546

387

}

547

388

break;

548

389

default:

549

fprintf(stderr, "Unknown error while reading data from"

550

" encrypted session with Mandos server\n");

390

fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");

551

391

retval = -1;

552

gnutls_bye (session, GNUTLS_SHUT_RDWR);

553

goto mandos_end;

392

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

393

goto exit;

554

394

}

555

395

} else {

556

buffer_length += (size_t) ret;

396

buffer_length += ret;

557

397

}

558

398

}

559

560

if(debug){

561

fprintf(stderr, "Closing TLS session\n");

562

}

563

564

gnutls_bye (session, GNUTLS_SHUT_RDWR);

565

399

566

400

if (buffer_length > 0){

567

decrypted_buffer_size = pgp_packet_decrypt(buffer,

568

buffer_length,

569

&decrypted_buffer,

570

keydir);

571

if (decrypted_buffer_size >= 0){

572

written = 0;

573

while(written < (size_t) decrypted_buffer_size){

574

ret = (int)fwrite (decrypted_buffer + written, 1,

575

(size_t)decrypted_buffer_size - written,

576

stdout);

577

if(ret == 0 and ferror(stdout)){

578

if(debug){

579

fprintf(stderr, "Error writing encrypted data: %s\n",

580

strerror(errno));

581

}

582

retval = -1;

583

break;

584

}

585

written += (size_t)ret;

586

}

401

if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){

402

retval = -1;

403

} else {

404

fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);

587

405

free(decrypted_buffer);

588

} else {

589

retval = -1;

590

406

}

591

407

}

592

593

/* Shutdown procedure */

594

595

mandos_end:

408

596

409

free(buffer);

410

411

//shutdown procedure

412

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

413

exit:

597

414

close(tcp_sd);

598

gnutls_deinit (session);

599

gnutls_certificate_free_credentials (mc->cred);

415

gnutls_deinit (es.session);

416

gnutls_certificate_free_credentials (es.cred);

600

417

gnutls_global_deinit ();

601

418

return retval;

602

419

}

603

420

604

static void resolve_callback(AvahiSServiceResolver *r,

605

AvahiIfIndex interface,

606

AVAHI_GCC_UNUSED AvahiProtocol protocol,

607

AvahiResolverEvent event,

608

const char *name,

609

const char *type,

610

const char *domain,

611

const char *host_name,

612

const AvahiAddress *address,

613

uint16_t port,

614

AVAHI_GCC_UNUSED AvahiStringList *txt,

615

AVAHI_GCC_UNUSED AvahiLookupResultFlags

616

flags,

617

void* userdata) {

618

mandos_context *mc = userdata;

619

assert(r); /* Spurious warning */

620

621

/* Called whenever a service has been resolved successfully or

622

timed out */

623

624

switch (event) {

625

default:

626

case AVAHI_RESOLVER_FAILURE:

627

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

628

" of type '%s' in domain '%s': %s\n", name, type, domain,

629

avahi_strerror(avahi_server_errno(mc->server)));

630

break;

631

632

case AVAHI_RESOLVER_FOUND:

633

{

634

char ip[AVAHI_ADDRESS_STR_MAX];

635

avahi_address_snprint(ip, sizeof(ip), address);

636

if(debug){

637

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

638

" port %d\n", name, host_name, ip, interface, port);

639

}

640

int ret = start_mandos_communication(ip, port, interface, mc);

641

if (ret == 0){

642

exit(EXIT_SUCCESS);

643

}

644

}

645

}

646

avahi_s_service_resolver_free(r);

647

}

648

649

static void browse_callback( AvahiSServiceBrowser *b,

650

AvahiIfIndex interface,

651

AvahiProtocol protocol,

652

AvahiBrowserEvent event,

653

const char *name,

654

const char *type,

655

const char *domain,

656

AVAHI_GCC_UNUSED AvahiLookupResultFlags

657

flags,

658

void* userdata) {

659

mandos_context *mc = userdata;

660

assert(b); /* Spurious warning */

661

662

/* Called whenever a new services becomes available on the LAN or

663

is removed from the LAN */

664

665

switch (event) {

666

default:

667

case AVAHI_BROWSER_FAILURE:

668

669

fprintf(stderr, "(Avahi browser) %s\n",

670

avahi_strerror(avahi_server_errno(mc->server)));

671

avahi_simple_poll_quit(mc->simple_poll);

672

return;

673

674

case AVAHI_BROWSER_NEW:

675

/* We ignore the returned Avahi resolver object. In the callback

676

function we free it. If the Avahi server is terminated before

677

the callback function is called the Avahi server will free the

678

resolver for us. */

679

680

if (!(avahi_s_service_resolver_new(mc->server, interface,

681

protocol, name, type, domain,

682

AVAHI_PROTO_INET6, 0,

683

resolve_callback, mc)))

684

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

685

name, avahi_strerror(avahi_server_errno(mc->server)));

686

break;

687

688

case AVAHI_BROWSER_REMOVE:

689

break;

690

691

case AVAHI_BROWSER_ALL_FOR_NOW:

692

case AVAHI_BROWSER_CACHE_EXHAUSTED:

693

if(debug){

694

fprintf(stderr, "No Mandos server found, still searching...\n");

695

}

696

break;

697

}

698

}

699

700

/* Combines file name and path and returns the malloced new

701

string. some sane checks could/should be added */

702

static const char *combinepath(const char *first, const char *second){

703

size_t f_len = strlen(first);

704

size_t s_len = strlen(second);

705

char *tmp = malloc(f_len + s_len + 2);

706

if (tmp == NULL){

707

return NULL;

708

}

709

if(f_len > 0){

710

memcpy(tmp, first, f_len); /* Spurious warning */

711

}

712

tmp[f_len] = '/';

713

if(s_len > 0){

714

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

715

}

716

tmp[f_len + 1 + s_len] = '\0';

717

return tmp;

718

}

719

720

721

int main(int argc, char *argv[]){

421

static AvahiSimplePoll *simple_poll = NULL;

422

static AvahiServer *server = NULL;

423

424

static void resolve_callback(

425

AvahiSServiceResolver *r,

426

AVAHI_GCC_UNUSED AvahiIfIndex interface,

427

AVAHI_GCC_UNUSED AvahiProtocol protocol,

428

AvahiResolverEvent event,

429

const char *name,

430

const char *type,

431

const char *domain,

432

const char *host_name,

433

const AvahiAddress *address,

434

uint16_t port,

435

AvahiStringList *txt,

436

AvahiLookupResultFlags flags,

437

AVAHI_GCC_UNUSED void* userdata) {

438

439

assert(r);

440

441

/* Called whenever a service has been resolved successfully or timed out */

442

443

switch (event) {

444

case AVAHI_RESOLVER_FAILURE:

445

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));

446

break;

447

448

case AVAHI_RESOLVER_FOUND: {

449

char ip[AVAHI_ADDRESS_STR_MAX];

450

avahi_address_snprint(ip, sizeof(ip), address);

451

int ret = start_mandos_communcation(ip, port);

452

if (ret == 0){

453

exit(EXIT_SUCCESS);

454

} else {

455

exit(EXIT_FAILURE);

456

}

457

}

458

}

459

avahi_s_service_resolver_free(r);

460

}

461

462

static void browse_callback(

463

AvahiSServiceBrowser *b,

464

AvahiIfIndex interface,

465

AvahiProtocol protocol,

466

AvahiBrowserEvent event,

467

const char *name,

468

const char *type,

469

const char *domain,

470

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

471

void* userdata) {

472

473

AvahiServer *s = userdata;

474

assert(b);

475

476

/* Called whenever a new services becomes available on the LAN or is removed from the LAN */

477

478

switch (event) {

479

480

case AVAHI_BROWSER_FAILURE:

481

482

fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));

483

avahi_simple_poll_quit(simple_poll);

484

return;

485

486

case AVAHI_BROWSER_NEW:

487

/* We ignore the returned resolver object. In the callback

488

function we free it. If the server is terminated before

489

the callback function is called the server will free

490

the resolver for us. */

491

492

if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))

493

fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));

494

495

break;

496

497

case AVAHI_BROWSER_REMOVE:

498

break;

499

500

case AVAHI_BROWSER_ALL_FOR_NOW:

501

case AVAHI_BROWSER_CACHE_EXHAUSTED:

502

break;

503

}

504

}

505

506

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

507

AvahiServerConfig config;

722

508

AvahiSServiceBrowser *sb = NULL;

723

509

int error;

724

int ret;

725

int exitcode = EXIT_SUCCESS;

726

const char *interface = "eth0";

727

struct ifreq network;

728

int sd;

729

uid_t uid;

730

gid_t gid;

731

char *connect_to = NULL;

732

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

733

const char *pubkeyfile = "pubkey.txt";

734

const char *seckeyfile = "seckey.txt";

735

mandos_context mc = { .simple_poll = NULL, .server = NULL,

736

.dh_bits = 1024, .priority = "SECURE256"};

737

738

{

739

struct argp_option options[] = {

740

{ .name = "debug", .key = 128,

741

.doc = "Debug mode", .group = 3 },

742

{ .name = "connect", .key = 'c',

743

.arg = "IP",

744

.doc = "Connect directly to a sepcified mandos server", .group = 1 },

745

{ .name = "interface", .key = 'i',

746

.arg = "INTERFACE",

747

.doc = "Interface that Avahi will conntect through", .group = 1 },

748

{ .name = "keydir", .key = 'd',

749

.arg = "KEYDIR",

750

.doc = "Directory where the openpgp keyring is", .group = 1 },

751

{ .name = "seckey", .key = 's',

752

.arg = "SECKEY",

753

.doc = "Secret openpgp key for gnutls authentication", .group = 1 },

754

{ .name = "pubkey", .key = 'p',

755

.arg = "PUBKEY",

756

.doc = "Public openpgp key for gnutls authentication", .group = 2 },

757

{ .name = "dh-bits", .key = 129,

758

.arg = "BITS",

759

.doc = "dh-bits to use in gnutls communication", .group = 2 },

760

{ .name = "priority", .key = 130,

761

.arg = "PRIORITY",

762

.doc = "GNUTLS priority", .group = 1 },

763

{ .name = NULL }

764

};

765

766

767

error_t parse_opt (int key, char *arg, struct argp_state *state) {

768

/* Get the INPUT argument from `argp_parse', which we know is a

769

pointer to our plugin list pointer. */

770

switch (key) {

771

case 128:

772

debug = true;

773

break;

774

case 'c':

775

connect_to = arg;

776

break;

777

case 'i':

778

interface = arg;

779

break;

780

case 'd':

781

keydir = arg;

782

break;

783

case 's':

784

seckeyfile = arg;

785

break;

786

case 'p':

787

pubkeyfile = arg;

788

break;

789

case 129:

790

errno = 0;

791

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

792

if (errno){

793

perror("strtol");

794

exit(EXIT_FAILURE);

795

}

796

break;

797

case 130:

798

mc.priority = arg;

799

break;

800

case ARGP_KEY_ARG:

801

argp_usage (state);

802

break;

803

case ARGP_KEY_END:

804

break;

805

default:

806

return ARGP_ERR_UNKNOWN;

807

}

808

return 0;

809

}

810

811

struct argp argp = { .options = options, .parser = parse_opt,

812

.args_doc = "",

813

.doc = "Mandos client -- Get and decrypt passwords from mandos server" };

814

argp_parse (&argp, argc, argv, 0, 0, NULL);

815

}

816

817

pubkeyfile = combinepath(keydir, pubkeyfile);

818

if (pubkeyfile == NULL){

819

perror("combinepath");

820

exitcode = EXIT_FAILURE;

821

goto end;

822

}

823

824

seckeyfile = combinepath(keydir, seckeyfile);

825

if (seckeyfile == NULL){

826

perror("combinepath");

827

goto end;

828

}

829

830

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

831

if (ret == -1){

832

fprintf(stderr, "init_gnutls_global\n");

833

goto end;

834

}

835

836

uid = getuid();

837

gid = getgid();

838

839

ret = setuid(uid);

840

if (ret == -1){

841

perror("setuid");

842

}

843

844

setgid(gid);

845

if (ret == -1){

846

perror("setgid");

847

}

848

849

if_index = (AvahiIfIndex) if_nametoindex(interface);

850

if(if_index == 0){

851

fprintf(stderr, "No such interface: \"%s\"\n", interface);

852

exit(EXIT_FAILURE);

853

}

854

855

if(connect_to != NULL){

856

/* Connect directly, do not use Zeroconf */

857

/* (Mainly meant for debugging) */

858

char *address = strrchr(connect_to, ':');

859

if(address == NULL){

860

fprintf(stderr, "No colon in address\n");

861

exitcode = EXIT_FAILURE;

862

goto end;

863

}

864

errno = 0;

865

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

866

if(errno){

867

perror("Bad port number");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

*address = '\0';

872

address = connect_to;

873

ret = start_mandos_communication(address, port, if_index, &mc);

874

if(ret < 0){

875

exitcode = EXIT_FAILURE;

876

} else {

877

exitcode = EXIT_SUCCESS;

878

}

879

goto end;

880

}

881

882

/* If the interface is down, bring it up */

883

{

884

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

885

if(sd < 0) {

886

perror("socket");

887

exitcode = EXIT_FAILURE;

888

goto end;

889

}

890

strcpy(network.ifr_name, interface); /* Spurious warning */

891

ret = ioctl(sd, SIOCGIFFLAGS, &network);

892

if(ret == -1){

893

perror("ioctl SIOCGIFFLAGS");

894

exitcode = EXIT_FAILURE;

895

goto end;

896

}

897

if((network.ifr_flags & IFF_UP) == 0){

898

network.ifr_flags |= IFF_UP;

899

ret = ioctl(sd, SIOCSIFFLAGS, &network);

900

if(ret == -1){

901

perror("ioctl SIOCSIFFLAGS");

902

exitcode = EXIT_FAILURE;

903

goto end;

904

}

905

}

906

close(sd);

907

}

908

909

if (not debug){

910

avahi_set_log_function(empty_log);

911

}

912

913

/* Initialize the pseudo-RNG for Avahi */

914

srand((unsigned int) time(NULL));

915

916

/* Allocate main Avahi loop object */

917

mc.simple_poll = avahi_simple_poll_new();

918

if (mc.simple_poll == NULL) {

919

fprintf(stderr, "Avahi: Failed to create simple poll"

920

" object.\n");

921

exitcode = EXIT_FAILURE;

922

goto end;

923

}

924

925

{

926

AvahiServerConfig config;

927

/* Do not publish any local Zeroconf records */

928

avahi_server_config_init(&config);

929

config.publish_hinfo = 0;

930

config.publish_addresses = 0;

931

config.publish_workstation = 0;

932

config.publish_domain = 0;

933

934

/* Allocate a new server */

935

mc.server = avahi_server_new(avahi_simple_poll_get

936

(mc.simple_poll), &config, NULL,

937

NULL, &error);

938

939

/* Free the Avahi configuration data */

940

avahi_server_config_free(&config);

941

}

942

943

/* Check if creating the Avahi server object succeeded */

944

if (mc.server == NULL) {

945

fprintf(stderr, "Failed to create Avahi server: %s\n",

946

avahi_strerror(error));

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

/* Create the Avahi service browser */

952

sb = avahi_s_service_browser_new(mc.server, if_index,

953

AVAHI_PROTO_INET6,

954

"_mandos._tcp", NULL, 0,

955

browse_callback, &mc);

956

if (sb == NULL) {

957

fprintf(stderr, "Failed to create service browser: %s\n",

958

avahi_strerror(avahi_server_errno(mc.server)));

959

exitcode = EXIT_FAILURE;

960

goto end;

510

int ret = 1;

511

512

avahi_set_log_function(empty_log);

513

514

/* Initialize the psuedo-RNG */

515

srand(time(NULL));

516

517

/* Allocate main loop object */

518

if (!(simple_poll = avahi_simple_poll_new())) {

519

fprintf(stderr, "Failed to create simple poll object.\n");

520

goto fail;

521

}

522

523

/* Do not publish any local records */

524

avahi_server_config_init(&config);

525

config.publish_hinfo = 0;

526

config.publish_addresses = 0;

527

config.publish_workstation = 0;

528

config.publish_domain = 0;

529

530

/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */

531

/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */

532

/* config.n_wide_area_servers = 1; */

533

/* config.enable_wide_area = 1; */

534

535

/* Allocate a new server */

536

server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

537

538

/* Free the configuration data */

539

avahi_server_config_free(&config);

540

541

/* Check wether creating the server object succeeded */

542

if (!server) {

543

fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));

544

goto fail;

545

}

546

547

/* Create the service browser */

548

if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {

549

fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));

550

goto fail;

961

551

}

962

552

963

553

/* Run the main loop */

964

965

if (debug){

966

fprintf(stderr, "Starting Avahi loop search\n");

967

}

968

969

avahi_simple_poll_loop(mc.simple_poll);

970

971

end:

972

973

if (debug){

974

fprintf(stderr, "%s exiting\n", argv[0]);

975

}

554

avahi_simple_poll_loop(simple_poll);

555

556

ret = 0;

557

558

fail:

976

559

977

560

/* Cleanup things */

978

if (sb != NULL)

561

if (sb)

979

562

avahi_s_service_browser_free(sb);

980

563

981

if (mc.server != NULL)

982

avahi_server_free(mc.server);

983

984

if (mc.simple_poll != NULL)

985

avahi_simple_poll_free(mc.simple_poll);

986

free(pubkeyfile);

987

free(seckeyfile);

988

989

return exitcode;

564

if (server)

565

avahi_server_free(server);

566

567

if (simple_poll)

568

avahi_simple_poll_free(simple_poll);

569

570

return ret;

990

571

}

Older »