To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.1
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.1
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- mto: (24.1.114 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 238.
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008 Teddy Hogeborn
13
* Copyright © 2008 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
59
#include <assert.h> /* assert() */
60
#include <errno.h> /* perror(), errno */
61
#include <time.h> /* time() */
44
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
63
SIOCSIFFLAGS, if_indextoname(),
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
67
getuid(), getgid(), setuid(),
68
setgid() */
69
#include <arpa/inet.h> /* inet_pton(), htons */
70
#include <iso646.h> /* not, and */
71
#include <argp.h> /* struct argp_option, error_t, struct
72
argp_state, struct argp,
73
argp_parse(), ARGP_KEY_ARG,
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
46
75
76
/* Avahi */
77
/* All Avahi types, constants and functions
78
Avahi*, avahi_*,
79
AVAHI_* */
47
80
#include <avahi-core/core.h>
48
81
#include <avahi-core/lookup.h>
49
82
#include <avahi-core/log.h>
51
84
#include <avahi-common/malloc.h>
52
85
#include <avahi-common/error.h>
53
86
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
struct in6_addr, inet_pton() */
58
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
60
61
#include <unistd.h> /* close() */
62
#include <netinet/in.h>
63
#include <stdbool.h> /* true */
64
#include <string.h> /* memset */
65
#include <arpa/inet.h> /* inet_pton() */
66
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
87
/* GnuTLS */
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
90
gnutls_*
91
init_gnutls_session(),
92
GNUTLS_* */
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
94
GNUTLS_OPENPGP_FMT_BASE64 */
68
95
69
96
/* GPGME */
70
#include <errno.h> /* perror() */
71
#include <gpgme.h>
72
73
/* getopt_long */
74
#include <getopt.h>
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
99
gpgme_*
100
GPGME_PROTOCOL_OpenPGP,
101
GPG_ERR_NO_* */
75
102
76
103
#define BUFFER_SIZE 256
77
104
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char *pubkeyfile = "pubkey.txt";
80
static const char *seckeyfile = "seckey.txt";
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
81
108
82
109
bool debug = false;
83
84
const char mandos_protocol_version[] = "1";
85
86
/* Used for passing in values through all the callback functions */
110
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
113
114
/* Used for passing in values through the Avahi callback functions */
87
115
typedef struct {
88
116
AvahiSimplePoll *simple_poll;
89
117
AvahiServer *server;
91
119
unsigned int dh_bits;
92
120
gnutls_dh_params_t dh_params;
93
121
const char *priority;
122
gpgme_ctx_t ctx;
94
123
} mandos_context;
95
124
125
/*
126
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
127
* "buffer_capacity" is how much is currently allocated,
128
* "buffer_length" is how much is already used.
129
*/
96
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
131
size_t buffer_capacity){
98
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
106
140
}
107
141
108
142
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
143
* Initialize GPGME.
111
144
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
116
gpgme_data_t dh_crypto, dh_plain;
117
gpgme_ctx_t ctx;
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
118
148
gpgme_error_t rc;
119
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
122
149
gpgme_engine_info_t engine_info;
123
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
124
187
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
188
fprintf(stderr, "Initialize gpgme\n");
126
189
}
127
190
128
191
/* Init GPGME */
131
194
if (rc != GPG_ERR_NO_ERROR){
132
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
133
196
gpgme_strsource(rc), gpgme_strerror(rc));
134
return -1;
197
return false;
135
198
}
136
199
137
/* Set GPGME home directory for the OpenPGP engine only */
200
/* Set GPGME home directory for the OpenPGP engine only */
138
201
rc = gpgme_get_engine_info (&engine_info);
139
202
if (rc != GPG_ERR_NO_ERROR){
140
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
204
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
205
return false;
143
206
}
144
207
while(engine_info != NULL){
145
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
146
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
147
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
148
211
break;
149
212
}
150
213
engine_info = engine_info->next;
151
214
}
152
215
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
154
return -1;
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
155
251
}
156
252
157
253
/* Create new GPGME data buffer from memory cryptotext */
172
268
return -1;
173
269
}
174
270
175
/* Create new GPGME "context" */
176
rc = gpgme_new(&ctx);
177
if (rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
182
}
183
184
271
/* Decrypt data from the cryptotext data buffer to the plaintext
185
272
data buffer */
186
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
187
274
if (rc != GPG_ERR_NO_ERROR){
188
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
276
gpgme_strsource(rc), gpgme_strerror(rc));
190
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
191
306
goto decrypt_end;
192
307
}
193
308
195
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
196
311
}
197
312
198
if (debug){
199
gpgme_decrypt_result_t result;
200
result = gpgme_op_decrypt_result(ctx);
201
if (result == NULL){
202
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
203
} else {
204
fprintf(stderr, "Unsupported algorithm: %s\n",
205
result->unsupported_algorithm);
206
fprintf(stderr, "Wrong key usage: %d\n",
207
result->wrong_key_usage);
208
if(result->file_name != NULL){
209
fprintf(stderr, "File name: %s\n", result->file_name);
210
}
211
gpgme_recipient_t recipient;
212
recipient = result->recipients;
213
if(recipient){
214
while(recipient != NULL){
215
fprintf(stderr, "Public key algorithm: %s\n",
216
gpgme_pubkey_algo_name(recipient->pubkey_algo));
217
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
218
fprintf(stderr, "Secret key available: %s\n",
219
recipient->status == GPG_ERR_NO_SECKEY
220
? "No" : "Yes");
221
recipient = recipient->next;
222
}
223
}
224
}
225
}
226
227
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
230
316
plaintext_length = -1;
231
317
goto decrypt_end;
232
318
}
233
319
234
320
*plaintext = NULL;
235
321
while(true){
236
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
322
plaintext_capacity = adjustbuffer(plaintext,
323
(size_t)plaintext_length,
237
324
plaintext_capacity);
238
325
if (plaintext_capacity == 0){
239
326
perror("adjustbuffer");
255
342
}
256
343
plaintext_length += ret;
257
344
}
258
345
259
346
if(debug){
260
347
fprintf(stderr, "Decrypted password is: ");
261
348
for(ssize_t i = 0; i < plaintext_length; i++){
275
362
}
276
363
277
364
static const char * safer_gnutls_strerror (int value) {
278
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
279
366
if (ret == NULL)
280
367
ret = "(unknown)";
281
368
return ret;
287
374
fprintf(stderr, "GnuTLS: %s", string);
288
375
}
289
376
290
static int init_gnutls_global(mandos_context *mc){
377
static int init_gnutls_global(mandos_context *mc,
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
291
380
int ret;
292
381
293
382
if(debug){
294
383
fprintf(stderr, "Initializing GnuTLS\n");
295
384
}
296
297
if ((ret = gnutls_global_init ())
298
!= GNUTLS_E_SUCCESS) {
385
386
ret = gnutls_global_init();
387
if (ret != GNUTLS_E_SUCCESS) {
299
388
fprintf (stderr, "GnuTLS global_init: %s\n",
300
389
safer_gnutls_strerror(ret));
301
390
return -1;
310
399
}
311
400
312
401
/* OpenPGP credentials */
313
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
314
!= GNUTLS_E_SUCCESS) {
315
fprintf (stderr, "GnuTLS memory error: %s\n",
402
gnutls_certificate_allocate_credentials(&mc->cred);
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
316
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
317
408
return -1;
318
409
}
319
410
320
411
if(debug){
321
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
322
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
323
seckeyfile);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
324
415
}
325
416
326
417
ret = gnutls_certificate_set_openpgp_key_file
327
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
328
420
if (ret != GNUTLS_E_SUCCESS) {
329
421
fprintf(stderr,
330
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
331
" '%s')\n", ret, pubkeyfile, seckeyfile);
332
fprintf(stdout, "The GnuTLS error is: %s\n",
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
333
425
safer_gnutls_strerror(ret));
334
return -1;
426
goto globalfail;
335
427
}
336
428
337
429
/* GnuTLS server initialization */
339
431
if (ret != GNUTLS_E_SUCCESS) {
340
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
341
433
" %s\n", safer_gnutls_strerror(ret));
342
return -1;
434
goto globalfail;
343
435
}
344
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
345
437
if (ret != GNUTLS_E_SUCCESS) {
346
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
347
439
safer_gnutls_strerror(ret));
348
return -1;
440
goto globalfail;
349
441
}
350
442
351
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
352
444
353
445
return 0;
446
447
globalfail:
448
449
gnutls_certificate_free_credentials(mc->cred);
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
return -1;
354
453
}
355
454
356
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
455
static int init_gnutls_session(mandos_context *mc,
456
gnutls_session_t *session){
357
457
int ret;
358
458
/* GnuTLS session creation */
359
459
ret = gnutls_init(session, GNUTLS_SERVER);
369
469
fprintf(stderr, "Syntax error at: %s\n", err);
370
470
fprintf(stderr, "GnuTLS error: %s\n",
371
471
safer_gnutls_strerror(ret));
472
gnutls_deinit (*session);
372
473
return -1;
373
474
}
374
475
}
378
479
if (ret != GNUTLS_E_SUCCESS) {
379
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
380
481
safer_gnutls_strerror(ret));
482
gnutls_deinit (*session);
381
483
return -1;
382
484
}
383
485
399
501
AvahiIfIndex if_index,
400
502
mandos_context *mc){
401
503
int ret, tcp_sd;
402
struct sockaddr_in6 to;
504
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
403
505
char *buffer = NULL;
404
506
char *decrypted_buffer;
405
507
size_t buffer_length = 0;
409
511
int retval = 0;
410
512
char interface[IF_NAMESIZE];
411
513
gnutls_session_t session;
412
gnutls_dh_params_t dh_params;
413
514
414
515
ret = init_gnutls_session (mc, &session);
415
516
if (ret != 0){
417
518
}
418
519
419
520
if(debug){
420
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
421
ip, port);
521
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
522
"\n", ip, port);
422
523
}
423
524
424
525
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
426
527
perror("socket");
427
528
return -1;
428
529
}
429
530
430
531
if(debug){
431
532
if(if_indextoname((unsigned int)if_index, interface) == NULL){
432
533
perror("if_indextoname");
435
536
fprintf(stderr, "Binding to interface %s\n", interface);
436
537
}
437
538
438
memset(&to,0,sizeof(to)); /* Spurious warning */
439
to.sin6_family = AF_INET6;
539
memset(&to, 0, sizeof(to));
540
to.in6.sin6_family = AF_INET6;
440
541
/* It would be nice to have a way to detect if we were passed an
441
542
IPv4 address here. Now we assume an IPv6 address. */
442
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
543
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
443
544
if (ret < 0 ){
444
545
perror("inet_pton");
445
546
return -1;
448
549
fprintf(stderr, "Bad address: %s\n", ip);
449
550
return -1;
450
551
}
451
to.sin6_port = htons(port); /* Spurious warning */
552
to.in6.sin6_port = htons(port); /* Spurious warning */
452
553
453
to.sin6_scope_id = (uint32_t)if_index;
554
to.in6.sin6_scope_id = (uint32_t)if_index;
454
555
455
556
if(debug){
456
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
557
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
558
port);
457
559
char addrstr[INET6_ADDRSTRLEN] = "";
458
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
560
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
459
561
sizeof(addrstr)) == NULL){
460
562
perror("inet_ntop");
461
563
} else {
465
567
}
466
568
}
467
569
468
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
570
ret = connect(tcp_sd, &to.in, sizeof(to));
469
571
if (ret < 0){
470
572
perror("connect");
471
573
return -1;
472
574
}
473
575
474
576
const char *out = mandos_protocol_version;
475
577
written = 0;
476
578
while (true){
494
596
}
495
597
}
496
598
}
497
599
498
600
if(debug){
499
601
fprintf(stderr, "Establishing TLS session with %s\n", ip);
500
602
}
501
603
502
604
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
503
605
504
ret = gnutls_handshake (session);
606
do{
607
ret = gnutls_handshake (session);
608
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
505
609
506
610
if (ret != GNUTLS_E_SUCCESS){
507
611
if(debug){
518
622
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
519
623
ip);
520
624
}
521
625
522
626
while(true){
523
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
627
buffer_capacity = adjustbuffer(&buffer, buffer_length,
628
buffer_capacity);
524
629
if (buffer_capacity == 0){
525
630
perror("adjustbuffer");
526
631
retval = -1;
538
643
case GNUTLS_E_AGAIN:
539
644
break;
540
645
case GNUTLS_E_REHANDSHAKE:
541
ret = gnutls_handshake (session);
646
do{
647
ret = gnutls_handshake (session);
648
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
542
649
if (ret < 0){
543
650
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
544
651
gnutls_perror (ret);
565
672
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
673
567
674
if (buffer_length > 0){
568
decrypted_buffer_size = pgp_packet_decrypt(buffer,
675
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
569
676
buffer_length,
570
&decrypted_buffer,
571
keydir);
677
&decrypted_buffer);
572
678
if (decrypted_buffer_size >= 0){
573
679
written = 0;
574
680
while(written < (size_t) decrypted_buffer_size){
589
695
} else {
590
696
retval = -1;
591
697
}
698
} else {
699
retval = -1;
592
700
}
593
701
594
702
/* Shutdown procedure */
595
703
596
704
mandos_end:
597
705
free(buffer);
598
close(tcp_sd);
706
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
707
if(ret == -1){
708
perror("close");
709
}
599
710
gnutls_deinit (session);
600
gnutls_certificate_free_credentials (mc->cred);
601
gnutls_global_deinit ();
602
711
return retval;
603
712
}
604
713
617
726
flags,
618
727
void* userdata) {
619
728
mandos_context *mc = userdata;
620
assert(r); /* Spurious warning */
729
assert(r);
621
730
622
731
/* Called whenever a service has been resolved successfully or
623
732
timed out */
635
744
char ip[AVAHI_ADDRESS_STR_MAX];
636
745
avahi_address_snprint(ip, sizeof(ip), address);
637
746
if(debug){
638
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
639
" port %d\n", name, host_name, ip, interface, port);
747
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
748
PRIu16 ") on port %d\n", name, host_name, ip,
749
interface, port);
640
750
}
641
751
int ret = start_mandos_communication(ip, port, interface, mc);
642
752
if (ret == 0){
643
exit(EXIT_SUCCESS);
753
avahi_simple_poll_quit(mc->simple_poll);
644
754
}
645
755
}
646
756
}
658
768
flags,
659
769
void* userdata) {
660
770
mandos_context *mc = userdata;
661
assert(b); /* Spurious warning */
771
assert(b);
662
772
663
773
/* Called whenever a new services becomes available on the LAN or
664
774
is removed from the LAN */
698
808
}
699
809
}
700
810
701
/* Combines file name and path and returns the malloced new
702
string. some sane checks could/should be added */
703
static const char *combinepath(const char *first, const char *second){
704
size_t f_len = strlen(first);
705
size_t s_len = strlen(second);
706
char *tmp = malloc(f_len + s_len + 2);
707
if (tmp == NULL){
708
return NULL;
709
}
710
if(f_len > 0){
711
memcpy(tmp, first, f_len); /* Spurious warning */
712
}
713
tmp[f_len] = '/';
714
if(s_len > 0){
715
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
716
}
717
tmp[f_len + 1 + s_len] = '\0';
718
return tmp;
719
}
720
721
722
811
int main(int argc, char *argv[]){
723
812
AvahiSServiceBrowser *sb = NULL;
724
813
int error;
730
819
uid_t uid;
731
820
gid_t gid;
732
821
char *connect_to = NULL;
822
char tempdir[] = "/tmp/mandosXXXXXX";
733
823
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
824
const char *seckey = PATHDIR "/" SECKEY;
825
const char *pubkey = PATHDIR "/" PUBKEY;
826
734
827
mandos_context mc = { .simple_poll = NULL, .server = NULL,
735
.dh_bits = 1024, .priority = "SECURE256"};
828
.dh_bits = 1024, .priority = "SECURE256"
829
":!CTYPE-X.509:+CTYPE-OPENPGP" };
830
bool gnutls_initalized = false;
831
bool gpgme_initalized = false;
736
832
737
833
{
738
/* Temporary int to get the address of for getopt_long */
739
int debug_int = debug ? 1 : 0;
740
while (true){
741
struct option long_options[] = {
742
{"debug", no_argument, &debug_int, 1},
743
{"connect", required_argument, NULL, 'c'},
744
{"interface", required_argument, NULL, 'i'},
745
{"keydir", required_argument, NULL, 'd'},
746
{"seckey", required_argument, NULL, 's'},
747
{"pubkey", required_argument, NULL, 'p'},
748
{"dh-bits", required_argument, NULL, 'D'},
749
{"priority", required_argument, NULL, 'P'},
750
{0, 0, 0, 0} };
751
752
int option_index = 0;
753
ret = getopt_long (argc, argv, "i:", long_options,
754
&option_index);
755
756
if (ret == -1){
757
break;
758
}
759
760
switch(ret){
761
case 0:
762
break;
763
case 'i':
764
interface = optarg;
765
break;
766
case 'c':
767
connect_to = optarg;
768
break;
769
case 'd':
770
keydir = optarg;
771
break;
772
case 'p':
773
pubkeyfile = optarg;
774
break;
775
case 's':
776
seckeyfile = optarg;
777
break;
778
case 'D':
834
struct argp_option options[] = {
835
{ .name = "debug", .key = 128,
836
.doc = "Debug mode", .group = 3 },
837
{ .name = "connect", .key = 'c',
838
.arg = "ADDRESS:PORT",
839
.doc = "Connect directly to a specific Mandos server",
840
.group = 1 },
841
{ .name = "interface", .key = 'i',
842
.arg = "NAME",
843
.doc = "Interface that will be used to search for Mandos"
844
" servers",
845
.group = 1 },
846
{ .name = "seckey", .key = 's',
847
.arg = "FILE",
848
.doc = "OpenPGP secret key file base name",
849
.group = 1 },
850
{ .name = "pubkey", .key = 'p',
851
.arg = "FILE",
852
.doc = "OpenPGP public key file base name",
853
.group = 2 },
854
{ .name = "dh-bits", .key = 129,
855
.arg = "BITS",
856
.doc = "Bit length of the prime number used in the"
857
" Diffie-Hellman key exchange",
858
.group = 2 },
859
{ .name = "priority", .key = 130,
860
.arg = "STRING",
861
.doc = "GnuTLS priority string for the TLS handshake",
862
.group = 1 },
863
{ .name = NULL }
864
};
865
866
error_t parse_opt (int key, char *arg,
867
struct argp_state *state) {
868
/* Get the INPUT argument from `argp_parse', which we know is
869
a pointer to our plugin list pointer. */
870
switch (key) {
871
case 128: /* --debug */
872
debug = true;
873
break;
874
case 'c': /* --connect */
875
connect_to = arg;
876
break;
877
case 'i': /* --interface */
878
interface = arg;
879
break;
880
case 's': /* --seckey */
881
seckey = arg;
882
break;
883
case 'p': /* --pubkey */
884
pubkey = arg;
885
break;
886
case 129: /* --dh-bits */
779
887
errno = 0;
780
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
781
889
if (errno){
782
890
perror("strtol");
783
891
exit(EXIT_FAILURE);
784
892
}
785
893
break;
786
case 'P':
787
mc.priority = optarg;
788
break;
789
case '?':
894
case 130: /* --priority */
895
mc.priority = arg;
896
break;
897
case ARGP_KEY_ARG:
898
argp_usage (state);
899
case ARGP_KEY_END:
900
break;
790
901
default:
791
/* getopt_long() has already printed a message about the
792
unrcognized option, so just exit. */
793
exit(EXIT_FAILURE);
794
}
795
}
796
/* Set the global debug flag from the temporary int */
797
debug = debug_int ? true : false;
798
}
799
800
pubkeyfile = combinepath(keydir, pubkeyfile);
801
if (pubkeyfile == NULL){
802
perror("combinepath");
803
exitcode = EXIT_FAILURE;
804
goto end;
805
}
806
807
seckeyfile = combinepath(keydir, seckeyfile);
808
if (seckeyfile == NULL){
809
perror("combinepath");
810
goto end;
811
}
812
813
ret = init_gnutls_global(&mc);
814
if (ret == -1){
815
fprintf(stderr, "init_gnutls_global\n");
816
goto end;
817
}
818
902
return ARGP_ERR_UNKNOWN;
903
}
904
return 0;
905
}
906
907
struct argp argp = { .options = options, .parser = parse_opt,
908
.args_doc = "",
909
.doc = "Mandos client -- Get and decrypt"
910
" passwords from a Mandos server" };
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
912
if (ret == ARGP_ERR_UNKNOWN){
913
fprintf(stderr, "Unknown error while parsing arguments\n");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
919
/* If the interface is down, bring it up */
920
{
921
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
922
if(sd < 0) {
923
perror("socket");
924
exitcode = EXIT_FAILURE;
925
goto end;
926
}
927
strcpy(network.ifr_name, interface);
928
ret = ioctl(sd, SIOCGIFFLAGS, &network);
929
if(ret == -1){
930
perror("ioctl SIOCGIFFLAGS");
931
exitcode = EXIT_FAILURE;
932
goto end;
933
}
934
if((network.ifr_flags & IFF_UP) == 0){
935
network.ifr_flags |= IFF_UP;
936
ret = ioctl(sd, SIOCSIFFLAGS, &network);
937
if(ret == -1){
938
perror("ioctl SIOCSIFFLAGS");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
ret = TEMP_FAILURE_RETRY(close(sd));
944
if(ret == -1){
945
perror("close");
946
}
947
}
948
819
949
uid = getuid();
820
950
gid = getgid();
821
951
822
952
ret = setuid(uid);
823
953
if (ret == -1){
824
954
perror("setuid");
829
959
perror("setgid");
830
960
}
831
961
962
ret = init_gnutls_global(&mc, pubkey, seckey);
963
if (ret == -1){
964
fprintf(stderr, "init_gnutls_global failed\n");
965
exitcode = EXIT_FAILURE;
966
goto end;
967
} else {
968
gnutls_initalized = true;
969
}
970
971
if(mkdtemp(tempdir) == NULL){
972
perror("mkdtemp");
973
tempdir[0] = '\0';
974
goto end;
975
}
976
977
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
978
fprintf(stderr, "gpgme_initalized failed\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
} else {
982
gpgme_initalized = true;
983
}
984
832
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
833
986
if(if_index == 0){
834
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
862
1015
goto end;
863
1016
}
864
1017
865
/* If the interface is down, bring it up */
866
{
867
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
868
if(sd < 0) {
869
perror("socket");
870
exitcode = EXIT_FAILURE;
871
goto end;
872
}
873
strcpy(network.ifr_name, interface); /* Spurious warning */
874
ret = ioctl(sd, SIOCGIFFLAGS, &network);
875
if(ret == -1){
876
perror("ioctl SIOCGIFFLAGS");
877
exitcode = EXIT_FAILURE;
878
goto end;
879
}
880
if((network.ifr_flags & IFF_UP) == 0){
881
network.ifr_flags |= IFF_UP;
882
ret = ioctl(sd, SIOCSIFFLAGS, &network);
883
if(ret == -1){
884
perror("ioctl SIOCSIFFLAGS");
885
exitcode = EXIT_FAILURE;
886
goto end;
887
}
888
}
889
close(sd);
890
}
891
892
1018
if (not debug){
893
1019
avahi_set_log_function(empty_log);
894
1020
}
904
1030
exitcode = EXIT_FAILURE;
905
1031
goto end;
906
1032
}
907
1033
908
1034
{
909
1035
AvahiServerConfig config;
910
1036
/* Do not publish any local Zeroconf records */
913
1039
config.publish_addresses = 0;
914
1040
config.publish_workstation = 0;
915
1041
config.publish_domain = 0;
916
1042
917
1043
/* Allocate a new server */
918
1044
mc.server = avahi_server_new(avahi_simple_poll_get
919
1045
(mc.simple_poll), &config, NULL,
920
1046
NULL, &error);
921
1047
922
1048
/* Free the Avahi configuration data */
923
1049
avahi_server_config_free(&config);
924
1050
}
944
1070
}
945
1071
946
1072
/* Run the main loop */
947
1073
948
1074
if (debug){
949
1075
fprintf(stderr, "Starting Avahi loop search\n");
950
1076
}
952
1078
avahi_simple_poll_loop(mc.simple_poll);
953
1079
954
1080
end:
955
1081
956
1082
if (debug){
957
1083
fprintf(stderr, "%s exiting\n", argv[0]);
958
1084
}
963
1089
964
1090
if (mc.server != NULL)
965
1091
avahi_server_free(mc.server);
966
1092
967
1093
if (mc.simple_poll != NULL)
968
1094
avahi_simple_poll_free(mc.simple_poll);
969
free(pubkeyfile);
970
free(seckeyfile);
971
1095
1096
if (gnutls_initalized){
1097
gnutls_certificate_free_credentials(mc.cred);
1098
gnutls_global_deinit ();
1099
gnutls_dh_params_deinit(mc.dh_params);
1100
}
1101
1102
if(gpgme_initalized){
1103
gpgme_release(mc.ctx);
1104
}
1105
1106
/* Removes the temp directory used by GPGME */
1107
if(tempdir[0] != '\0'){
1108
DIR *d;
1109
struct dirent *direntry;
1110
d = opendir(tempdir);
1111
if(d == NULL){
1112
perror("opendir");
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1){
1139
perror("rmdir");
1140
}
1141
}
1142
972
1143
return exitcode;
973
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0