1
/* -*- coding: utf-8 -*- */
3
* Mandos client - get and decrypt data from a Mandos server
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
28
* Contact the authors at <mandos@fukt.bsnet.se>.
2
This file is part of avahi.
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
20
#define _LARGEFILE_SOURCE
33
21
#define _FILE_OFFSET_BITS 64
46
34
#include <avahi-common/error.h>
48
36
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
55
42
#include <unistd.h> /* close() */
56
43
#include <netinet/in.h>
82
71
} encrypted_session;
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
74
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
87
75
gpgme_data_t dh_crypto, dh_plain;
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
79
size_t new_packet_capacity = 0;
80
size_t new_packet_length = 0;
93
81
gpgme_engine_info_t engine_info;
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
84
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
100
88
gpgme_check_version(NULL);
101
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
102
if (rc != GPG_ERR_NO_ERROR){
103
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
104
gpgme_strsource(rc), gpgme_strerror(rc));
89
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
108
91
/* Set GPGME home directory */
109
92
rc = gpgme_get_engine_info (&engine_info);
168
150
if (result == NULL){
169
151
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
fprintf(stderr, "Unsupported algorithm: %s\n",
172
result->unsupported_algorithm);
173
fprintf(stderr, "Wrong key usage: %d\n",
174
result->wrong_key_usage);
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
175
155
if(result->file_name != NULL){
176
156
fprintf(stderr, "File name: %s\n", result->file_name);
195
174
gpgme_data_release(dh_crypto);
197
176
/* Seek back to the beginning of the GPGME plaintext data buffer */
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
199
perror("pgpme_data_seek");
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
204
181
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
208
183
if (*new_packet == NULL){
209
184
perror("realloc");
248
void debuggnutls(__attribute__((unused)) int level,
223
void debuggnutls(int level, const char* string){
250
224
fprintf(stderr, "%s", string);
253
227
int initgnutls(encrypted_session *es){
258
fprintf(stderr, "Initializing GnuTLS\n");
232
fprintf(stderr, "Initializing gnutls\n");
261
236
if ((ret = gnutls_global_init ())
262
237
!= GNUTLS_E_SUCCESS) {
263
238
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
269
244
gnutls_global_set_log_function(debuggnutls);
272
248
/* openpgp credentials */
273
249
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
250
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
286
260
ret = gnutls_certificate_set_openpgp_key_file
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
288
262
if (ret != GNUTLS_E_SUCCESS) {
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
ret, certfile, certkey);
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
293
266
fprintf(stdout, "The Error is: %s\n",
294
267
safer_gnutls_strerror(ret));
298
//GnuTLS server initialization
271
//Gnutls server initialization
299
272
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
273
!= GNUTLS_E_SUCCESS) {
301
274
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
275
safer_gnutls_strerror(ret));
306
279
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
280
!= GNUTLS_E_SUCCESS) {
308
281
fprintf (stderr, "Error in prime generation: %s\n",
309
282
safer_gnutls_strerror(ret));
313
286
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
// GnuTLS session creation
288
// Gnutls session creation
316
289
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
290
!= GNUTLS_E_SUCCESS){
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
319
292
safer_gnutls_strerror(ret));
322
295
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
296
!= GNUTLS_E_SUCCESS) {
324
297
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
298
fprintf(stderr, "Gnutls error: %s\n",
326
299
safer_gnutls_strerror(ret));
330
303
if ((ret = gnutls_credentials_set
331
304
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
305
!= GNUTLS_E_SUCCESS) {
334
307
safer_gnutls_strerror(ret));
338
311
/* ignore client certificate if any. */
339
gnutls_certificate_server_set_request (es->session,
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
342
314
gnutls_dh_set_prime_bits (es->session, DH_BITS);
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
319
void empty_log(AvahiLogLevel level, const char *txt){}
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
321
int start_mandos_communication(char *ip, uint16_t port){
353
323
struct sockaddr_in6 to;
354
324
encrypted_session es;
371
338
perror("socket");
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
perror("if_indextoname");
383
343
fprintf(stderr, "Binding to interface %s\n", interface);
346
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
348
perror("setsockopt bindtodevice");
386
memset(&to,0,sizeof(to)); /* Spurious warning */
352
memset(&to,0,sizeof(to));
387
353
to.sin6_family = AF_INET6;
388
354
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
394
360
fprintf(stderr, "Bad address: %s\n", ip);
397
to.sin6_port = htons(port); /* Spurious warning */
399
to.sin6_scope_id = (uint32_t)if_index;
363
to.sin6_port = htons(port);
364
to.sin6_scope_id = if_nametoindex(interface);
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
367
fprintf(stderr, "Connection to: %s\n", ip);
413
370
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
383
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
386
fprintf(stderr, "Establishing tls session with %s\n", ip);
432
390
ret = gnutls_handshake (es.session);
434
392
if (ret != GNUTLS_E_SUCCESS){
436
fprintf(stderr, "\n*** Handshake failed ***\n");
393
fprintf(stderr, "\n*** Handshake failed ***\n");
443
//Retrieve OpenPGP packet that contains the wanted password
399
//Retrieve gpg packet that contains the wanted password
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
402
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
480
fprintf(stderr, "Unknown error while reading data from"
481
" encrypted session with mandos server\n");
435
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
483
437
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
buffer_length += (size_t) ret;
441
buffer_length += ret;
491
445
if (buffer_length > 0){
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
496
if (decrypted_buffer_size >= 0){
497
while(written < (size_t) decrypted_buffer_size){
498
ret = (int)fwrite (decrypted_buffer + written, 1,
499
(size_t)decrypted_buffer_size - written,
501
if(ret == 0 and ferror(stdout)){
503
fprintf(stderr, "Error writing encrypted data: %s\n",
509
written += (size_t)ret;
446
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
447
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
511
448
free(decrypted_buffer);
544
481
const char *host_name,
545
482
const AvahiAddress *address,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
484
AvahiStringList *txt,
485
AvahiLookupResultFlags flags,
549
486
AVAHI_GCC_UNUSED void* userdata) {
551
assert(r); /* Spurious warning */
553
/* Called whenever a service has been resolved successfully or
558
case AVAHI_RESOLVER_FAILURE:
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(server)));
564
case AVAHI_RESOLVER_FOUND:
566
char ip[AVAHI_ADDRESS_STR_MAX];
567
avahi_address_snprint(ip, sizeof(ip), address);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
572
int ret = start_mandos_communication(ip, port, interface);
490
/* Called whenever a service has been resolved successfully or timed out */
493
case AVAHI_RESOLVER_FAILURE:
494
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
497
case AVAHI_RESOLVER_FOUND: {
498
char ip[AVAHI_ADDRESS_STR_MAX];
499
avahi_address_snprint(ip, sizeof(ip), address);
501
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
503
int ret = start_mandos_communication(ip, port);
578
avahi_s_service_resolver_free(r);
511
avahi_s_service_resolver_free(r);
581
514
static void browse_callback(
590
523
void* userdata) {
592
525
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
528
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
600
case AVAHI_BROWSER_FAILURE:
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
621
case AVAHI_BROWSER_REMOVE:
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
532
case AVAHI_BROWSER_FAILURE:
534
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
535
avahi_simple_poll_quit(simple_poll);
538
case AVAHI_BROWSER_NEW:
539
/* We ignore the returned resolver object. In the callback
540
function we free it. If the server is terminated before
541
the callback function is called the server will free
542
the resolver for us. */
544
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
545
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
549
case AVAHI_BROWSER_REMOVE:
552
case AVAHI_BROWSER_ALL_FOR_NOW:
553
case AVAHI_BROWSER_CACHE_EXHAUSTED:
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
633
tmp = malloc(strlen(first) + strlen(second) + 2);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
647
558
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
648
559
AvahiServerConfig config;
649
560
AvahiSServiceBrowser *sb = NULL;
652
563
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
655
char *connect_to = NULL;
658
566
static struct option long_options[] = {
659
567
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
568
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
667
571
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
572
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
679
582
interface = optarg;
694
585
exit(EXIT_FAILURE);
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
711
if(connect_to != NULL){
712
/* Connect directly, do not use Zeroconf */
713
/* (Mainly meant for debugging) */
714
char *address = strrchr(connect_to, ':');
716
fprintf(stderr, "No colon in address\n");
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
perror("Bad port number");
726
address = connect_to;
727
ret = start_mandos_communication(address, port, if_index);
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
741
590
avahi_set_log_function(empty_log);
744
593
/* Initialize the psuedo-RNG */
745
srand((unsigned int) time(NULL));
747
596
/* Allocate main loop object */
748
597
if (!(simple_poll = avahi_simple_poll_new())) {
759
608
config.publish_domain = 0;
761
610
/* Allocate a new server */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
611
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
765
613
/* Free the configuration data */
766
614
avahi_server_config_free(&config);
768
616
/* Check if creating the server object succeeded */
770
fprintf(stderr, "Failed to create server: %s\n",
771
avahi_strerror(error));
618
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
772
619
returncode = EXIT_FAILURE;
776
623
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
779
"_mandos._tcp", NULL, 0,
780
browse_callback, server);
782
fprintf(stderr, "Failed to create service browser: %s\n",
783
avahi_strerror(avahi_server_errno(server)));
624
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
625
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
784
626
returncode = EXIT_FAILURE;