/mandos/release : revision 141

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

41

SIOCSIFFLAGS */

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(),

38

stdout, ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), asprintf(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

48

sockaddr_in6, PF_INET6,

49

SOCK_STREAM, INET6_ADDRSTRLEN,

50

uid_t, gid_t */

51

#include <inttypes.h> /* PRIu16 */

52

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

53

struct in6_addr, inet_pton(),

54

connect() */

55

#include <assert.h> /* assert() */

56

#include <errno.h> /* perror(), errno */

57

#include <time.h> /* time() */

42

58

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

43

SIOCSIFFLAGS */

59

SIOCSIFFLAGS, if_indextoname(),

60

if_nametoindex(), IF_NAMESIZE */

61

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

62

getuid(), getgid(), setuid(),

63

setgid() */

64

#include <netinet/in.h>

65

#include <arpa/inet.h> /* inet_pton(), htons */

66

#include <iso646.h> /* not, and */

67

#include <argp.h> /* struct argp_option, error_t, struct

68

argp_state, struct argp,

69

argp_parse(), ARGP_KEY_ARG,

70

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

44

71

72

/* Avahi */

73

/* All Avahi types, constants and functions

74

Avahi*, avahi_*,

75

AVAHI_* */

45

76

#include <avahi-core/core.h>

46

77

#include <avahi-core/lookup.h>

47

78

#include <avahi-core/log.h>

49

80

#include <avahi-common/malloc.h>

50

81

#include <avahi-common/error.h>

51

82

52

//mandos client part

53

#include <sys/types.h> /* socket(), inet_pton() */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton() */

56

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

57

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

58

59

#include <unistd.h> /* close() */

60

#include <netinet/in.h>

61

#include <stdbool.h> /* true */

62

#include <string.h> /* memset */

63

#include <arpa/inet.h> /* inet_pton() */

64

#include <iso646.h> /* not */

65

66

// gpgme

67

#include <errno.h> /* perror() */

68

#include <gpgme.h>

69

70

// getopt_long

71

#include <getopt.h>

83

/* GnuTLS */

84

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

85

functions:

86

gnutls_*

87

init_gnutls_session(),

88

GNUTLS_* */

89

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

90

GNUTLS_OPENPGP_FMT_BASE64 */

91

92

/* GPGME */

93

#include <gpgme.h> /* All GPGME types, constants and

94

functions:

95

gpgme_*

96

GPGME_PROTOCOL_OpenPGP,

97

GPG_ERR_NO_* */

72

98

73

99

#define BUFFER_SIZE 256

74

100

101

bool debug = false;

75

102

static const char *keydir = "/conf/conf.d/mandos";

76

static const char *pubkeyfile = "pubkey.txt";

77

static const char *seckeyfile = "seckey.txt";

78

79

bool debug = false;

80

81

/* Used for passing in values through all the callback functions */

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

82

108

typedef struct {

83

109

AvahiSimplePoll *simple_poll;

84

110

AvahiServer *server;

85

111

gnutls_certificate_credentials_t cred;

86

112

unsigned int dh_bits;

113

gnutls_dh_params_t dh_params;

87

114

const char *priority;

88

115

} mandos_context;

89

116

117

/*

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

*/

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

90

134

/*

91

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

92

136

* Returns -1 on error

99

143

gpgme_ctx_t ctx;

100

144

gpgme_error_t rc;

101

145

ssize_t ret;

102

ssize_t plaintext_capacity = 0;

146

size_t plaintext_capacity = 0;

103

147

ssize_t plaintext_length = 0;

104

148

gpgme_engine_info_t engine_info;

105

149

170

214

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

171

215

gpgme_strsource(rc), gpgme_strerror(rc));

172

216

plaintext_length = -1;

217

if (debug){

218

gpgme_decrypt_result_t result;

219

result = gpgme_op_decrypt_result(ctx);

220

if (result == NULL){

221

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

222

} else {

223

fprintf(stderr, "Unsupported algorithm: %s\n",

224

result->unsupported_algorithm);

225

fprintf(stderr, "Wrong key usage: %u\n",

226

result->wrong_key_usage);

227

if(result->file_name != NULL){

228

fprintf(stderr, "File name: %s\n", result->file_name);

229

}

230

gpgme_recipient_t recipient;

231

recipient = result->recipients;

232

if(recipient){

233

while(recipient != NULL){

234

fprintf(stderr, "Public key algorithm: %s\n",

235

gpgme_pubkey_algo_name(recipient->pubkey_algo));

236

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

237

fprintf(stderr, "Secret key available: %s\n",

238

recipient->status == GPG_ERR_NO_SECKEY

239

? "No" : "Yes");

240

recipient = recipient->next;

241

}

242

}

243

}

244

}

173

245

goto decrypt_end;

174

246

}

175

247

177

249

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

178

250

}

179

251

180

if (debug){

181

gpgme_decrypt_result_t result;

182

result = gpgme_op_decrypt_result(ctx);

183

if (result == NULL){

184

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

185

} else {

186

fprintf(stderr, "Unsupported algorithm: %s\n",

187

result->unsupported_algorithm);

188

fprintf(stderr, "Wrong key usage: %d\n",

189

result->wrong_key_usage);

190

if(result->file_name != NULL){

191

fprintf(stderr, "File name: %s\n", result->file_name);

192

}

193

gpgme_recipient_t recipient;

194

recipient = result->recipients;

195

if(recipient){

196

while(recipient != NULL){

197

fprintf(stderr, "Public key algorithm: %s\n",

198

gpgme_pubkey_algo_name(recipient->pubkey_algo));

199

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

200

fprintf(stderr, "Secret key available: %s\n",

201

recipient->status == GPG_ERR_NO_SECKEY

202

? "No" : "Yes");

203

recipient = recipient->next;

204

}

205

}

206

}

207

}

208

209

252

/* Seek back to the beginning of the GPGME plaintext data buffer */

210

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

211

254

perror("pgpme_data_seek");

215

258

216

259

*plaintext = NULL;

217

260

while(true){

218

if (plaintext_length + BUFFER_SIZE > plaintext_capacity){

219

*plaintext = realloc(*plaintext,

220

(unsigned int)plaintext_capacity

221

+ BUFFER_SIZE);

222

if (*plaintext == NULL){

223

perror("realloc");

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

224

266

plaintext_length = -1;

225

267

goto decrypt_end;

226

}

227

plaintext_capacity += BUFFER_SIZE;

228

268

}

229

269

230

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

244

284

245

285

if(debug){

246

286

fprintf(stderr, "Decrypted password is: ");

247

for(size_t i = 0; i < plaintext_length; i++){

287

for(ssize_t i = 0; i < plaintext_length; i++){

248

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

249

289

}

250

290

fprintf(stderr, "\n");

261

301

}

262

302

263

303

static const char * safer_gnutls_strerror (int value) {

264

const char *ret = gnutls_strerror (value);

304

const char *ret = gnutls_strerror (value); /* Spurious warning */

265

305

if (ret == NULL)

266

306

ret = "(unknown)";

267

307

return ret;

268

308

}

269

309

310

/* GnuTLS log function callback */

270

311

static void debuggnutls(__attribute__((unused)) int level,

271

312

const char* string){

272

fprintf(stderr, "%s", string);

313

fprintf(stderr, "GnuTLS: %s", string);

273

314

}

274

315

275

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

276

gnutls_dh_params_t *dh_params){

277

const char *err;

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfilename,

318

const char *seckeyfilename){

278

319

int ret;

279

320

280

321

if(debug){

281

322

fprintf(stderr, "Initializing GnuTLS\n");

282

323

}

283

284

if ((ret = gnutls_global_init ())

285

!= GNUTLS_E_SUCCESS) {

286

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

324

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

287

329

return -1;

288

330

}

289

331

290

332

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

*/

291

336

gnutls_global_set_log_level(11);

292

337

gnutls_global_set_log_function(debuggnutls);

293

338

}

294

339

295

/* openpgp credentials */

296

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

297

!= GNUTLS_E_SUCCESS) {

298

fprintf (stderr, "memory error: %s\n",

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

344

warning */

299

345

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

300

347

return -1;

301

348

}

302

349

303

350

if(debug){

304

351

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

305

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

306

seckeyfile);

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

353

seckeyfilename);

307

354

}

308

355

309

356

ret = gnutls_certificate_set_openpgp_key_file

310

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

357

(mc->cred, pubkeyfilename, seckeyfilename,

358

GNUTLS_OPENPGP_FMT_BASE64);

311

359

if (ret != GNUTLS_E_SUCCESS) {

312

fprintf

313

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

314

" '%s')\n",

315

ret, pubkeyfile, seckeyfile);

316

fprintf(stdout, "The Error is: %s\n",

360

fprintf(stderr,

361

"Error[%d] while reading the OpenPGP key pair ('%s',"

362

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

363

fprintf(stdout, "The GnuTLS error is: %s\n",

317

364

safer_gnutls_strerror(ret));

318

return -1;

319

}

320

321

//GnuTLS server initialization

322

if ((ret = gnutls_dh_params_init(dh_params))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf (stderr, "Error in dh parameter initialization: %s\n",

325

safer_gnutls_strerror(ret));

326

return -1;

327

}

328

329

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf (stderr, "Error in prime generation: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

337

338

// GnuTLS session creation

339

if ((ret = gnutls_init(session, GNUTLS_SERVER))

340

!= GNUTLS_E_SUCCESS){

365

goto globalfail;

366

}

367

368

/* GnuTLS server initialization */

369

ret = gnutls_dh_params_init(&mc->dh_params);

370

if (ret != GNUTLS_E_SUCCESS) {

371

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

372

" %s\n", safer_gnutls_strerror(ret));

373

goto globalfail;

374

}

375

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

376

if (ret != GNUTLS_E_SUCCESS) {

377

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

378

safer_gnutls_strerror(ret));

379

goto globalfail;

380

}

381

382

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

383

384

return 0;

385

386

globalfail:

387

388

gnutls_certificate_free_credentials(mc->cred);

389

gnutls_global_deinit();

390

return -1;

391

392

}

393

394

static int init_gnutls_session(mandos_context *mc,

395

gnutls_session_t *session){

396

int ret;

397

/* GnuTLS session creation */

398

ret = gnutls_init(session, GNUTLS_SERVER);

399

if (ret != GNUTLS_E_SUCCESS){

341

400

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

342

401

safer_gnutls_strerror(ret));

343

402

}

344

403

345

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

346

!= GNUTLS_E_SUCCESS) {

347

fprintf(stderr, "Syntax error at: %s\n", err);

348

fprintf(stderr, "GnuTLS error: %s\n",

349

safer_gnutls_strerror(ret));

350

return -1;

404

{

405

const char *err;

406

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

407

if (ret != GNUTLS_E_SUCCESS) {

408

fprintf(stderr, "Syntax error at: %s\n", err);

409

fprintf(stderr, "GnuTLS error: %s\n",

410

safer_gnutls_strerror(ret));

411

gnutls_deinit (*session);

412

return -1;

413

}

351

414

}

352

415

353

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

354

mc->cred))

355

!= GNUTLS_E_SUCCESS) {

356

fprintf(stderr, "Error setting a credentials set: %s\n",

416

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

417

mc->cred);

418

if (ret != GNUTLS_E_SUCCESS) {

419

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

357

420

safer_gnutls_strerror(ret));

421

gnutls_deinit (*session);

358

422

return -1;

359

423

}

360

424

367

431

return 0;

368

432

}

369

433

434

/* Avahi log function callback */

370

435

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

371

436

__attribute__((unused)) const char *txt){}

372

437

438

/* Called when a Mandos server is found */

373

439

static int start_mandos_communication(const char *ip, uint16_t port,

374

440

AvahiIfIndex if_index,

375

441

mandos_context *mc){

376

442

int ret, tcp_sd;

377

struct sockaddr_in6 to;

443

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

378

444

char *buffer = NULL;

379

445

char *decrypted_buffer;

380

446

size_t buffer_length = 0;

381

447

size_t buffer_capacity = 0;

382

448

ssize_t decrypted_buffer_size;

383

size_t written = 0;

449

size_t written;

384

450

int retval = 0;

385

451

char interface[IF_NAMESIZE];

386

452

gnutls_session_t session;

387

gnutls_dh_params_t dh_params;

453

454

ret = init_gnutls_session (mc, &session);

455

if (ret != 0){

456

return -1;

457

}

388

458

389

459

if(debug){

390

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

391

ip, port);

460

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

461

"\n", ip, port);

392

462

}

393

463

394

464

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

405

475

fprintf(stderr, "Binding to interface %s\n", interface);

406

476

}

407

477

408

memset(&to,0,sizeof(to)); /* Spurious warning */

409

to.sin6_family = AF_INET6;

410

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

478

memset(&to, 0, sizeof(to));

479

to.in6.sin6_family = AF_INET6;

480

/* It would be nice to have a way to detect if we were passed an

481

IPv4 address here. Now we assume an IPv6 address. */

482

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

411

483

if (ret < 0 ){

412

484

perror("inet_pton");

413

485

return -1;

416

488

fprintf(stderr, "Bad address: %s\n", ip);

417

489

return -1;

418

490

}

419

to.sin6_port = htons(port); /* Spurious warning */

491

to.in6.sin6_port = htons(port); /* Spurious warning */

420

492

421

to.sin6_scope_id = (uint32_t)if_index;

493

to.in6.sin6_scope_id = (uint32_t)if_index;

422

494

423

495

if(debug){

424

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

496

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

497

port);

425

498

char addrstr[INET6_ADDRSTRLEN] = "";

426

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

499

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

427

500

sizeof(addrstr)) == NULL){

428

501

perror("inet_ntop");

429

502

} else {

433

506

}

434

507

}

435

508

436

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

509

ret = connect(tcp_sd, &to.in, sizeof(to));

437

510

if (ret < 0){

438

511

perror("connect");

439

512

return -1;

440

513

}

441

442

ret = initgnutls (mc, &session, &dh_params);

443

if (ret != 0){

444

retval = -1;

445

return -1;

514

515

const char *out = mandos_protocol_version;

516

written = 0;

517

while (true){

518

size_t out_size = strlen(out);

519

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

520

out_size - written));

521

if (ret == -1){

522

perror("write");

523

retval = -1;

524

goto mandos_end;

525

}

526

written += (size_t)ret;

527

if(written < out_size){

528

continue;

529

} else {

530

if (out == mandos_protocol_version){

531

written = 0;

532

out = "\r\n";

533

} else {

534

break;

535

}

536

}

537

}

538

539

if(debug){

540

fprintf(stderr, "Establishing TLS session with %s\n", ip);

446

541

}

447

542

448

543

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

449

450

if(debug){

451

fprintf(stderr, "Establishing TLS session with %s\n", ip);

452

}

453

454

ret = gnutls_handshake (session);

544

545

do{

546

ret = gnutls_handshake (session);

547

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

455

548

456

549

if (ret != GNUTLS_E_SUCCESS){

457

550

if(debug){

458

fprintf(stderr, "\n*** Handshake failed ***\n");

551

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

459

552

gnutls_perror (ret);

460

553

}

461

554

retval = -1;

462

goto exit;

555

goto mandos_end;

463

556

}

464

557

465

//Retrieve OpenPGP packet that contains the wanted password

558

/* Read OpenPGP packet that contains the wanted password */

466

559

467

560

if(debug){

468

561

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

470

563

}

471

564

472

565

while(true){

473

if (buffer_length + BUFFER_SIZE > buffer_capacity){

474

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

475

if (buffer == NULL){

476

perror("realloc");

477

goto exit;

478

}

479

buffer_capacity += BUFFER_SIZE;

566

buffer_capacity = adjustbuffer(&buffer, buffer_length,

567

buffer_capacity);

568

if (buffer_capacity == 0){

569

perror("adjustbuffer");

570

retval = -1;

571

goto mandos_end;

480

572

}

481

573

482

574

ret = gnutls_record_recv(session, buffer+buffer_length,

490

582

case GNUTLS_E_AGAIN:

491

583

break;

492

584

case GNUTLS_E_REHANDSHAKE:

493

ret = gnutls_handshake (session);

585

do{

586

ret = gnutls_handshake (session);

587

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

494

588

if (ret < 0){

495

fprintf(stderr, "\n*** Handshake failed ***\n");

589

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

496

590

gnutls_perror (ret);

497

591

retval = -1;

498

goto exit;

592

goto mandos_end;

499

593

}

500

594

break;

501

595

default:

502

596

fprintf(stderr, "Unknown error while reading data from"

503

" encrypted session with mandos server\n");

597

" encrypted session with Mandos server\n");

504

598

retval = -1;

505

599

gnutls_bye (session, GNUTLS_SHUT_RDWR);

506

goto exit;

600

goto mandos_end;

507

601

}

508

602

} else {

509

603

buffer_length += (size_t) ret;

510

604

}

511

605

}

512

606

607

if(debug){

608

fprintf(stderr, "Closing TLS session\n");

609

}

610

611

gnutls_bye (session, GNUTLS_SHUT_RDWR);

612

513

613

if (buffer_length > 0){

514

614

decrypted_buffer_size = pgp_packet_decrypt(buffer,

515

615

buffer_length,

516

616

&decrypted_buffer,

517

617

keydir);

518

618

if (decrypted_buffer_size >= 0){

619

written = 0;

519

620

while(written < (size_t) decrypted_buffer_size){

520

621

ret = (int)fwrite (decrypted_buffer + written, 1,

521

622

(size_t)decrypted_buffer_size - written,

534

635

} else {

535

636

retval = -1;

536

637

}

537

}

538

539

//shutdown procedure

540

541

if(debug){

542

fprintf(stderr, "Closing TLS session\n");

543

}

544

638

} else {

639

retval = -1;

640

}

641

642

/* Shutdown procedure */

643

644

mandos_end:

545

645

free(buffer);

546

gnutls_bye (session, GNUTLS_SHUT_RDWR);

547

exit:

548

646

close(tcp_sd);

549

647

gnutls_deinit (session);

550

gnutls_certificate_free_credentials (mc->cred);

551

gnutls_global_deinit ();

552

648

return retval;

553

649

}

554

650

567

663

flags,

568

664

void* userdata) {

569

665

mandos_context *mc = userdata;

570

assert(r); /* Spurious warning */

666

assert(r);

571

667

572

668

/* Called whenever a service has been resolved successfully or

573

669

timed out */

575

671

switch (event) {

576

672

default:

577

673

case AVAHI_RESOLVER_FAILURE:

578

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

579

" type '%s' in domain '%s': %s\n", name, type, domain,

674

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

675

" of type '%s' in domain '%s': %s\n", name, type, domain,

580

676

avahi_strerror(avahi_server_errno(mc->server)));

581

677

break;

582

678

585

681

char ip[AVAHI_ADDRESS_STR_MAX];

586

682

avahi_address_snprint(ip, sizeof(ip), address);

587

683

if(debug){

588

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

589

" port %d\n", name, host_name, ip, port);

684

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

685

PRIu16 ") on port %d\n", name, host_name, ip,

686

interface, port);

590

687

}

591

688

int ret = start_mandos_communication(ip, port, interface, mc);

592

689

if (ret == 0){

593

exit(EXIT_SUCCESS);

690

avahi_simple_poll_quit(mc->simple_poll);

594

691

}

595

692

}

596

693

}

608

705

flags,

609

706

void* userdata) {

610

707

mandos_context *mc = userdata;

611

assert(b); /* Spurious warning */

708

assert(b);

612

709

613

710

/* Called whenever a new services becomes available on the LAN or

614

711

is removed from the LAN */

617

714

default:

618

715

case AVAHI_BROWSER_FAILURE:

619

716

620

fprintf(stderr, "(Browser) %s\n",

717

fprintf(stderr, "(Avahi browser) %s\n",

621

718

avahi_strerror(avahi_server_errno(mc->server)));

622

719

avahi_simple_poll_quit(mc->simple_poll);

623

720

return;

624

721

625

722

case AVAHI_BROWSER_NEW:

626

/* We ignore the returned resolver object. In the callback

627

function we free it. If the server is terminated before

628

the callback function is called the server will free

629

the resolver for us. */

723

/* We ignore the returned Avahi resolver object. In the callback

724

function we free it. If the Avahi server is terminated before

725

the callback function is called the Avahi server will free the

726

resolver for us. */

630

727

631

728

if (!(avahi_s_service_resolver_new(mc->server, interface,

632

729

protocol, name, type, domain,

633

730

AVAHI_PROTO_INET6, 0,

634

731

resolve_callback, mc)))

635

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

636

avahi_strerror(avahi_server_errno(mc->server)));

732

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

733

name, avahi_strerror(avahi_server_errno(mc->server)));

637

734

break;

638

735

639

736

case AVAHI_BROWSER_REMOVE:

641

738

642

739

case AVAHI_BROWSER_ALL_FOR_NOW:

643

740

case AVAHI_BROWSER_CACHE_EXHAUSTED:

741

if(debug){

742

fprintf(stderr, "No Mandos server found, still searching...\n");

743

}

644

744

break;

645

745

}

646

746

}

647

747

648

748

/* Combines file name and path and returns the malloced new

649

749

string. some sane checks could/should be added */

650

static const char *combinepath(const char *first, const char *second){

651

size_t f_len = strlen(first);

652

size_t s_len = strlen(second);

653

char *tmp = malloc(f_len + s_len + 2);

654

if (tmp == NULL){

750

static char *combinepath(const char *first, const char *second){

751

char *tmp;

752

int ret = asprintf(&tmp, "%s/%s", first, second);

753

if(ret < 0){

655

754

return NULL;

656

755

}

657

if(f_len > 0){

658

memcpy(tmp, first, f_len); /* Spurious warning */

659

}

660

tmp[f_len] = '/';

661

if(s_len > 0){

662

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

663

}

664

tmp[f_len + 1 + s_len] = '\0';

665

756

return tmp;

666

757

}

667

758

668

759

669

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

670

AvahiServerConfig config;

760

int main(int argc, char *argv[]){

671

761

AvahiSServiceBrowser *sb = NULL;

672

762

int error;

673

763

int ret;

674

int debug_int;

675

int returncode = EXIT_SUCCESS;

764

int exitcode = EXIT_SUCCESS;

676

765

const char *interface = "eth0";

677

766

struct ifreq network;

678

767

int sd;

768

uid_t uid;

769

gid_t gid;

679

770

char *connect_to = NULL;

680

771

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

772

char *pubkeyfilename = NULL;

773

char *seckeyfilename = NULL;

774

const char *pubkeyname = "pubkey.txt";

775

const char *seckeyname = "seckey.txt";

681

776

mandos_context mc = { .simple_poll = NULL, .server = NULL,

682

777

.dh_bits = 1024, .priority = "SECURE256"};

683

684

debug_int = debug ? 1 : 0;

685

while (true){

686

struct option long_options[] = {

687

{"debug", no_argument, &debug_int, 1},

688

{"connect", required_argument, NULL, 'c'},

689

{"interface", required_argument, NULL, 'i'},

690

{"keydir", required_argument, NULL, 'd'},

691

{"seckey", required_argument, NULL, 's'},

692

{"pubkey", required_argument, NULL, 'p'},

693

{"dh-bits", required_argument, NULL, 'D'},

694

{"priority", required_argument, NULL, 'P'},

695

{0, 0, 0, 0} };

696

697

int option_index = 0;

698

ret = getopt_long (argc, argv, "i:", long_options,

699

&option_index);

700

701

if (ret == -1){

702

break;

703

}

704

705

switch(ret){

706

case 0:

707

break;

708

case 'i':

709

interface = optarg;

710

break;

711

case 'c':

712

connect_to = optarg;

713

break;

714

case 'd':

715

keydir = optarg;

716

break;

717

case 'p':

718

pubkeyfile = optarg;

719

break;

720

case 's':

721

seckeyfile = optarg;

722

break;

723

case 'D':

724

errno = 0;

725

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

726

if (errno){

727

perror("strtol");

728

exit(EXIT_FAILURE);

729

}

730

break;

731

case 'P':

732

mc.priority = optarg;

733

break;

734

case '?':

735

default:

736

exit(EXIT_FAILURE);

737

}

738

}

739

debug = debug_int ? true : false;

740

741

pubkeyfile = combinepath(keydir, pubkeyfile);

742

if (pubkeyfile == NULL){

743

perror("combinepath");

744

returncode = EXIT_FAILURE;

745

goto exit;

746

}

747

748

seckeyfile = combinepath(keydir, seckeyfile);

749

if (seckeyfile == NULL){

750

perror("combinepath");

751

goto exit;

778

bool gnutls_initalized = false;

779

780

{

781

struct argp_option options[] = {

782

{ .name = "debug", .key = 128,

783

.doc = "Debug mode", .group = 3 },

784

{ .name = "connect", .key = 'c',

785

.arg = "IP",

786

.doc = "Connect directly to a sepcified mandos server",

787

.group = 1 },

788

{ .name = "interface", .key = 'i',

789

.arg = "INTERFACE",

790

.doc = "Interface that Avahi will conntect through",

791

.group = 1 },

792

{ .name = "keydir", .key = 'd',

793

.arg = "KEYDIR",

794

.doc = "Directory where the openpgp keyring is",

795

.group = 1 },

796

{ .name = "seckey", .key = 's',

797

.arg = "SECKEY",

798

.doc = "Secret openpgp key for gnutls authentication",

799

.group = 1 },

800

{ .name = "pubkey", .key = 'p',

801

.arg = "PUBKEY",

802

.doc = "Public openpgp key for gnutls authentication",

803

.group = 2 },

804

{ .name = "dh-bits", .key = 129,

805

.arg = "BITS",

806

.doc = "dh-bits to use in gnutls communication",

807

.group = 2 },

808

{ .name = "priority", .key = 130,

809

.arg = "PRIORITY",

810

.doc = "GNUTLS priority", .group = 1 },

811

{ .name = NULL }

812

};

813

814

815

error_t parse_opt (int key, char *arg,

816

struct argp_state *state) {

817

/* Get the INPUT argument from `argp_parse', which we know is

818

a pointer to our plugin list pointer. */

819

switch (key) {

820

case 128:

821

debug = true;

822

break;

823

case 'c':

824

connect_to = arg;

825

break;

826

case 'i':

827

interface = arg;

828

break;

829

case 'd':

830

keydir = arg;

831

break;

832

case 's':

833

seckeyname = arg;

834

break;

835

case 'p':

836

pubkeyname = arg;

837

break;

838

case 129:

839

errno = 0;

840

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

841

if (errno){

842

perror("strtol");

843

exit(EXIT_FAILURE);

844

}

845

break;

846

case 130:

847

mc.priority = arg;

848

break;

849

case ARGP_KEY_ARG:

850

argp_usage (state);

851

case ARGP_KEY_END:

852

break;

853

default:

854

return ARGP_ERR_UNKNOWN;

855

}

856

return 0;

857

}

858

859

struct argp argp = { .options = options, .parser = parse_opt,

860

.args_doc = "",

861

.doc = "Mandos client -- Get and decrypt"

862

" passwords from mandos server" };

863

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

864

if (ret == ARGP_ERR_UNKNOWN){

865

fprintf(stderr, "Unknown error while parsing arguments\n");

866

exitcode = EXIT_FAILURE;

867

goto end;

868

}

869

}

870

871

pubkeyfilename = combinepath(keydir, pubkeyname);

872

if (pubkeyfilename == NULL){

873

perror("combinepath");

874

exitcode = EXIT_FAILURE;

875

goto end;

876

}

877

878

seckeyfilename = combinepath(keydir, seckeyname);

879

if (seckeyfilename == NULL){

880

perror("combinepath");

881

exitcode = EXIT_FAILURE;

882

goto end;

883

}

884

885

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

886

if (ret == -1){

887

fprintf(stderr, "init_gnutls_global failed\n");

888

exitcode = EXIT_FAILURE;

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

/* If the interface is down, bring it up */

895

{

896

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

897

if(sd < 0) {

898

perror("socket");

899

exitcode = EXIT_FAILURE;

900

goto end;

901

}

902

strcpy(network.ifr_name, interface);

903

ret = ioctl(sd, SIOCGIFFLAGS, &network);

904

if(ret == -1){

905

perror("ioctl SIOCGIFFLAGS");

906

exitcode = EXIT_FAILURE;

907

goto end;

908

}

909

if((network.ifr_flags & IFF_UP) == 0){

910

network.ifr_flags |= IFF_UP;

911

ret = ioctl(sd, SIOCSIFFLAGS, &network);

912

if(ret == -1){

913

perror("ioctl SIOCSIFFLAGS");

914

exitcode = EXIT_FAILURE;

915

goto end;

916

}

917

}

918

close(sd);

919

}

920

921

uid = getuid();

922

gid = getgid();

923

924

ret = setuid(uid);

925

if (ret == -1){

926

perror("setuid");

927

}

928

929

setgid(gid);

930

if (ret == -1){

931

perror("setgid");

752

932

}

753

933

754

934

if_index = (AvahiIfIndex) if_nametoindex(interface);

763

943

char *address = strrchr(connect_to, ':');

764

944

if(address == NULL){

765

945

fprintf(stderr, "No colon in address\n");

766

exit(EXIT_FAILURE);

946

exitcode = EXIT_FAILURE;

947

goto end;

767

948

}

768

949

errno = 0;

769

950

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

770

951

if(errno){

771

952

perror("Bad port number");

772

exit(EXIT_FAILURE);

953

exitcode = EXIT_FAILURE;

954

goto end;

773

955

}

774

956

*address = '\0';

775

957

address = connect_to;

776

958

ret = start_mandos_communication(address, port, if_index, &mc);

777

959

if(ret < 0){

778

exit(EXIT_FAILURE);

960

exitcode = EXIT_FAILURE;

779

961

} else {

780

exit(EXIT_SUCCESS);

781

}

782

}

783

784

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

785

if(sd < 0) {

786

perror("socket");

787

returncode = EXIT_FAILURE;

788

goto exit;

789

}

790

strcpy(network.ifr_name, interface); /* Spurious warning */

791

ret = ioctl(sd, SIOCGIFFLAGS, &network);

792

if(ret == -1){

793

794

perror("ioctl SIOCGIFFLAGS");

795

returncode = EXIT_FAILURE;

796

goto exit;

797

}

798

if((network.ifr_flags & IFF_UP) == 0){

799

network.ifr_flags |= IFF_UP;

800

ret = ioctl(sd, SIOCSIFFLAGS, &network);

801

if(ret == -1){

802

perror("ioctl SIOCSIFFLAGS");

803

returncode = EXIT_FAILURE;

804

goto exit;

805

}

806

}

807

close(sd);

962

exitcode = EXIT_SUCCESS;

963

}

964

goto end;

965

}

808

966

809

967

if (not debug){

810

968

avahi_set_log_function(empty_log);

811

969

}

812

970

813

/* Initialize the psuedo-RNG */

971

/* Initialize the pseudo-RNG for Avahi */

814

972

srand((unsigned int) time(NULL));

815

816

/* Allocate main loop object */

817

if (!(mc.simple_poll = avahi_simple_poll_new())) {

818

fprintf(stderr, "Failed to create simple poll object.\n");

819

returncode = EXIT_FAILURE;

820

goto exit;

821

}

822

823

/* Do not publish any local records */

824

avahi_server_config_init(&config);

825

config.publish_hinfo = 0;

826

config.publish_addresses = 0;

827

config.publish_workstation = 0;

828

config.publish_domain = 0;

829

830

/* Allocate a new server */

831

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

832

&config, NULL, NULL, &error);

833

834

/* Free the configuration data */

835

avahi_server_config_free(&config);

836

837

/* Check if creating the server object succeeded */

838

if (!mc.server) {

839

fprintf(stderr, "Failed to create server: %s\n",

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

840

1004

avahi_strerror(error));

841

returncode = EXIT_FAILURE;

842

goto exit;

1005

exitcode = EXIT_FAILURE;

1006

goto end;

843

1007

}

844

1008

845

/* Create the service browser */

1009

/* Create the Avahi service browser */

846

1010

sb = avahi_s_service_browser_new(mc.server, if_index,

847

1011

AVAHI_PROTO_INET6,

848

1012

"_mandos._tcp", NULL, 0,

849

1013

browse_callback, &mc);

850

if (!sb) {

1014

if (sb == NULL) {

851

1015

fprintf(stderr, "Failed to create service browser: %s\n",

852

1016

avahi_strerror(avahi_server_errno(mc.server)));

853

returncode = EXIT_FAILURE;

854

goto exit;

1017

exitcode = EXIT_FAILURE;

1018

goto end;

855

1019

}

856

1020

857

1021

/* Run the main loop */

858

1022

859

1023

if (debug){

860

fprintf(stderr, "Starting avahi loop search\n");

1024

fprintf(stderr, "Starting Avahi loop search\n");

861

1025

}

862

1026

863

1027

avahi_simple_poll_loop(mc.simple_poll);

864

1028

865

exit:

1029

end:

866

1030

867

1031

if (debug){

868

1032

fprintf(stderr, "%s exiting\n", argv[0]);

869

1033

}

870

1034

871

1035

/* Cleanup things */

872

if (sb)

1036

if (sb != NULL)

873

1037

avahi_s_service_browser_free(sb);

874

1038

875

if (mc.server)

1039

if (mc.server != NULL)

876

1040

avahi_server_free(mc.server);

877

1041

878

if (mc.simple_poll)

1042

if (mc.simple_poll != NULL)

879

1043

avahi_simple_poll_free(mc.simple_poll);

880

free(pubkeyfile);

881

free(seckeyfile);

1044

free(pubkeyfilename);

1045

free(seckeyfilename);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

882

1051

883

return returncode;

1052

return exitcode;

884

1053

}