/mandos/release : revision 143

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Teddy Hogeborn
Date: 2008-09-03 05:04:40 UTC
Revision ID: teddy@fukt.bsnet.se-20080903050440-7cwzxestx6pvdy1i

* Makefile (mandos.8): Add dependency on "overview.xml" and
                       "legalnotice.xml".
  (mandos-keygen.8): New target.
  (mandos-conf.5): Added dependency on "legalnotice.xml".
  (plugin-runner.8mandos): New target
  (plugins.d/password-request.8mandos): - '' -

* mandos-options.xml (priority): Make wording server/client neutral.

* plugins.d/password-request.c (main): Changed .arg fields of the argp
                                       options struct to be more
                                       consistent with the manual.

* plugins.d/password-request.xml (OVERVIEW): Moved to after "OPTIONS".
  (OPTIONS): Improved wording and names of replaceables.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

default-mandos

init.d-mandos

mandos-list

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

102

103

#define BUFFER_SIZE 256

104

100

105

#define PATHDIR "/conf/conf.d/mandos"

106

#define SECKEY "seckey.txt"

107

#define PUBKEY "pubkey.txt"

108

109

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

110

103

static const char mandos_protocol_version[] = "1";

111

const char *argp_program_version = "mandos-client " VERSION;

104

const char *argp_program_version = "password-request 1.0";

112

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

113

106

114

107

/* Used for passing in values through the Avahi callback functions */

119

112

unsigned int dh_bits;

120

113

gnutls_dh_params_t dh_params;

121

114

const char *priority;

122

gpgme_ctx_t ctx;

123

115

} mandos_context;

124

116

125

117

140

132

}

141

133

142

134

143

* Initialize GPGME.

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

144

137

145

static bool init_gpgme(mandos_context *mc, const char *seckey,

146

const char *pubkey, const char *tempdir){

147

int ret;

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

141

const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

148

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

149

148

gpgme_engine_info_t engine_info;

150

149

151

152

153

* Helper function to insert pub and seckey to the enigne keyring.

154

155

bool import_key(const char *filename){

156

int fd;

157

gpgme_data_t pgp_data;

158

159

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

160

if(fd == -1){

161

perror("open");

162

return false;

163

}

164

165

rc = gpgme_data_new_from_fd(&pgp_data, fd);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return false;

170

}

171

172

rc = gpgme_op_import(mc->ctx, pgp_data);

173

if (rc != GPG_ERR_NO_ERROR){

174

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

175

gpgme_strsource(rc), gpgme_strerror(rc));

176

return false;

177

}

178

179

ret = TEMP_FAILURE_RETRY(close(fd));

180

if(ret == -1){

181

perror("close");

182

}

183

gpgme_data_release(pgp_data);

184

return true;

185

}

186

187

150

if (debug){

188

fprintf(stderr, "Initialize gpgme\n");

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

189

152

}

190

153

191

154

/* Init GPGME */

194

157

if (rc != GPG_ERR_NO_ERROR){

195

158

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

196

159

gpgme_strsource(rc), gpgme_strerror(rc));

197

return false;

160

return -1;

198

161

}

199

162

200

/* Set GPGME home directory for the OpenPGP engine only */

163

/* Set GPGME home directory for the OpenPGP engine only */

201

164

rc = gpgme_get_engine_info (&engine_info);

202

165

if (rc != GPG_ERR_NO_ERROR){

203

166

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

204

167

gpgme_strsource(rc), gpgme_strerror(rc));

205

return false;

168

return -1;

206

169

}

207

170

while(engine_info != NULL){

208

171

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

209

172

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

210

engine_info->file_name, tempdir);

173

engine_info->file_name, homedir);

211

174

break;

212

175

}

213

176

engine_info = engine_info->next;

214

177

}

215

178

if(engine_info == NULL){

216

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

217

return false;

218

}

219

220

/* Create new GPGME "context" */

221

rc = gpgme_new(&(mc->ctx));

222

if (rc != GPG_ERR_NO_ERROR){

223

fprintf(stderr, "bad gpgme_new: %s: %s\n",

224

gpgme_strsource(rc), gpgme_strerror(rc));

225

return false;

226

}

227

228

if (not import_key(pubkey) or not import_key(seckey)){

229

return false;

230

}

231

232

return true;

233

}

234

235

236

* Decrypt OpenPGP data.

237

* Returns -1 on error

238

239

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

240

const char *cryptotext,

241

size_t crypto_size,

242

char **plaintext){

243

gpgme_data_t dh_crypto, dh_plain;

244

gpgme_error_t rc;

245

ssize_t ret;

246

size_t plaintext_capacity = 0;

247

ssize_t plaintext_length = 0;

248

249

if (debug){

250

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

180

return -1;

251

181

}

252

182

253

183

/* Create new GPGME data buffer from memory cryptotext */

268

198

return -1;

269

199

}

270

200

201

/* Create new GPGME "context" */

202

rc = gpgme_new(&ctx);

203

if (rc != GPG_ERR_NO_ERROR){

204

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

208

}

209

271

210

/* Decrypt data from the cryptotext data buffer to the plaintext

272

211

data buffer */

273

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

212

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

274

213

if (rc != GPG_ERR_NO_ERROR){

275

214

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

276

215

gpgme_strsource(rc), gpgme_strerror(rc));

277

216

plaintext_length = -1;

278

217

if (debug){

279

218

gpgme_decrypt_result_t result;

280

result = gpgme_op_decrypt_result(mc->ctx);

219

result = gpgme_op_decrypt_result(ctx);

281

220

if (result == NULL){

282

221

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

283

222

} else {

312

251

313

252

/* Seek back to the beginning of the GPGME plaintext data buffer */

314

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

315

perror("gpgme_data_seek");

254

perror("pgpme_data_seek");

316

255

plaintext_length = -1;

317

256

goto decrypt_end;

318

257

}

409

348

}

410

349

411

350

if(debug){

412

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

413

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

351

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

414

353

seckeyfilename);

415

354

}

416

355

421

360

fprintf(stderr,

422

361

"Error[%d] while reading the OpenPGP key pair ('%s',"

423

362

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

424

fprintf(stderr, "The GnuTLS error is: %s\n",

363

fprintf(stdout, "The GnuTLS error is: %s\n",

425

364

safer_gnutls_strerror(ret));

426

365

goto globalfail;

427

366

}

448

387

449

388

gnutls_certificate_free_credentials(mc->cred);

450

389

gnutls_global_deinit();

451

gnutls_dh_params_deinit(mc->dh_params);

452

390

return -1;

453

391

}

454

392

672

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

673

611

674

612

if (buffer_length > 0){

675

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

613

decrypted_buffer_size = pgp_packet_decrypt(buffer,

676

614

buffer_length,

677

&decrypted_buffer);

615

&decrypted_buffer,

616

keydir);

678

617

if (decrypted_buffer_size >= 0){

679

618

written = 0;

680

619

while(written < (size_t) decrypted_buffer_size){

703

642

704

643

mandos_end:

705

644

free(buffer);

706

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

707

if(ret == -1){

708

perror("close");

709

}

645

close(tcp_sd);

710

646

gnutls_deinit (session);

711

647

return retval;

712

648

}

808

744

}

809

745

}

810

746

747

/* Combines file name and path and returns the malloced new

748

string. some sane checks could/should be added */

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

753

return NULL;

754

}

755

return tmp;

756

}

757

758

811

759

int main(int argc, char *argv[]){

812

760

AvahiSServiceBrowser *sb = NULL;

813

761

int error;

819

767

uid_t uid;

820

768

gid_t gid;

821

769

char *connect_to = NULL;

822

char tempdir[] = "/tmp/mandosXXXXXX";

823

770

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

824

const char *seckey = PATHDIR "/" SECKEY;

825

const char *pubkey = PATHDIR "/" PUBKEY;

826

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

827

775

mandos_context mc = { .simple_poll = NULL, .server = NULL,

828

776

.dh_bits = 1024, .priority = "SECURE256"

829

777

":!CTYPE-X.509:+CTYPE-OPENPGP" };

830

778

bool gnutls_initalized = false;

831

bool gpgme_initalized = false;

832

779

833

780

{

834

781

struct argp_option options[] = {

843

790

.doc = "Interface that will be used to search for Mandos"

844

791

" servers",

845

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "DIRECTORY",

795

.doc = "Directory to read the OpenPGP key files from",

796

.group = 1 },

846

797

{ .name = "seckey", .key = 's',

847

798

.arg = "FILE",

848

799

.doc = "OpenPGP secret key file base name",

877

828

case 'i': /* --interface */

878

829

interface = arg;

879

830

break;

831

case 'd': /* --keydir */

832

keydir = arg;

833

break;

880

834

case 's': /* --seckey */

881

seckey = arg;

835

seckeyname = arg;

882

836

break;

883

837

case 'p': /* --pubkey */

884

pubkey = arg;

838

pubkeyname = arg;

885

839

break;

886

840

case 129: /* --dh-bits */

887

841

errno = 0;

916

870

}

917

871

}

918

872

873

pubkeyfilename = combinepath(keydir, pubkeyname);

874

if (pubkeyfilename == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfilename = combinepath(keydir, seckeyname);

881

if (seckeyfilename == NULL){

882

perror("combinepath");

883

exitcode = EXIT_FAILURE;

884

goto end;

885

}

886

887

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

888

if (ret == -1){

889

fprintf(stderr, "init_gnutls_global failed\n");

890

exitcode = EXIT_FAILURE;

891

goto end;

892

} else {

893

gnutls_initalized = true;

894

}

895

919

896

/* If the interface is down, bring it up */

920

897

{

921

898

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

940

917

goto end;

941

918

}

942

919

}

943

ret = TEMP_FAILURE_RETRY(close(sd));

944

if(ret == -1){

945

perror("close");

946

}

920

close(sd);

947

921

}

948

922

949

923

uid = getuid();

959

933

perror("setgid");

960

934

}

961

935

962

ret = init_gnutls_global(&mc, pubkey, seckey);

963

if (ret == -1){

964

fprintf(stderr, "init_gnutls_global failed\n");

965

exitcode = EXIT_FAILURE;

966

goto end;

967

} else {

968

gnutls_initalized = true;

969

}

970

971

if(mkdtemp(tempdir) == NULL){

972

perror("mkdtemp");

973

tempdir[0] = '\0';

974

goto end;

975

}

976

977

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

978

fprintf(stderr, "gpgme_initalized failed\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

} else {

982

gpgme_initalized = true;

983

}

984

985

936

if_index = (AvahiIfIndex) if_nametoindex(interface);

986

937

if(if_index == 0){

987

938

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1092

1043

1093

1044

if (mc.simple_poll != NULL)

1094

1045

avahi_simple_poll_free(mc.simple_poll);

1046

free(pubkeyfilename);

1047

free(seckeyfilename);

1095

1048

1096

1049

if (gnutls_initalized){

1097

1050

gnutls_certificate_free_credentials(mc.cred);

1098

1051

gnutls_global_deinit ();

1099

gnutls_dh_params_deinit(mc.dh_params);

1100

}

1101

1102

if(gpgme_initalized){

1103

gpgme_release(mc.ctx);

1104

}

1105

1106

/* Removes the temp directory used by GPGME */

1107

if(tempdir[0] != '\0'){

1108

DIR *d;

1109

struct dirent *direntry;

1110

d = opendir(tempdir);

1111

if(d == NULL){

1112

perror("opendir");

1113

} else {

1114

while(true){

1115

direntry = readdir(d);

1116

if(direntry == NULL){

1117

break;

1118

}

1119

if (direntry->d_type == DT_REG){

1120

char *fullname = NULL;

1121

ret = asprintf(&fullname, "%s/%s", tempdir,

1122

direntry->d_name);

1123

if(ret < 0){

1124

perror("asprintf");

1125

continue;

1126

}

1127

ret = unlink(fullname);

1128

if(ret == -1){

1129

fprintf(stderr, "unlink(\"%s\"): %s",

1130

fullname, strerror(errno));

1131

}

1132

free(fullname);

1133

}

1134

}

1135

closedir(d);

1136

}

1137

ret = rmdir(tempdir);

1138

if(ret == -1){

1139

perror("rmdir");

1140

}

1141

}

1142

1052

}

1053

1143

1054

return exitcode;

1144

1055

}

Older »