To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.10
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.10
- Committer: Björn Påhlsson
- Date: 2008-08-03 14:57:46 UTC
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 41.
- Revision ID: belorn@braxen-20080803145746-4boahihngi1uwjap
merge commit
- files added:
- ca.pem
- files removed:
- network-protocol.txt
- files renamed:
- mandos-client.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
46
44
47
45
#include <avahi-core/core.h>
48
46
#include <avahi-core/lookup.h>
51
49
#include <avahi-common/malloc.h>
52
50
#include <avahi-common/error.h>
53
51
54
/* Mandos client part */
52
//mandos client part
55
53
#include <sys/types.h> /* socket(), inet_pton() */
56
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
55
struct in6_addr, inet_pton() */
64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
65
66
// gpgme
72
67
#include <errno.h> /* perror() */
73
68
#include <gpgme.h>
74
69
70
// getopt long
71
#include <getopt.h>
72
75
73
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
76
79
77
80
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char mandos_protocol_version[] = "1";
80
const char *argp_program_version = "mandosclient 0.9";
81
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
82
83
/* Used for passing in values through the Avahi callback functions */
81
82
const char mandos_protocol_version[] = "1";
83
84
84
typedef struct {
85
85
AvahiSimplePoll *simple_poll;
86
86
AvahiServer *server;
87
87
gnutls_certificate_credentials_t cred;
88
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
90
89
const char *priority;
91
90
} mandos_context;
92
91
93
/*
94
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
95
* "buffer_capacity" is how much is currently allocated,
96
* "buffer_length" is how much is already used.
97
*/
98
size_t adjustbuffer(char **buffer, size_t buffer_length,
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
99
93
size_t buffer_capacity){
100
94
if (buffer_length + BUFFER_SIZE > buffer_capacity){
101
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
102
96
if (buffer == NULL){
103
97
return 0;
104
98
}
107
101
return buffer_capacity;
108
102
}
109
103
110
/*
111
* Decrypt OpenPGP data using keyrings in HOMEDIR.
112
* Returns -1 on error
113
*/
114
static ssize_t pgp_packet_decrypt (const char *cryptotext,
115
size_t crypto_size,
116
char **plaintext,
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
117
106
const char *homedir){
118
107
gpgme_data_t dh_crypto, dh_plain;
119
108
gpgme_ctx_t ctx;
120
109
gpgme_error_t rc;
121
110
ssize_t ret;
122
size_t plaintext_capacity = 0;
123
ssize_t plaintext_length = 0;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
124
113
gpgme_engine_info_t engine_info;
125
114
126
115
if (debug){
127
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
128
117
}
129
118
130
119
/* Init GPGME */
136
125
return -1;
137
126
}
138
127
139
/* Set GPGME home directory for the OpenPGP engine only */
128
/* Set GPGME home directory */
140
129
rc = gpgme_get_engine_info (&engine_info);
141
130
if (rc != GPG_ERR_NO_ERROR){
142
131
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
152
141
engine_info = engine_info->next;
153
142
}
154
143
if(engine_info == NULL){
155
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
156
145
return -1;
157
146
}
158
147
159
/* Create new GPGME data buffer from memory cryptotext */
160
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
161
0);
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
162
150
if (rc != GPG_ERR_NO_ERROR){
163
151
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
164
152
gpgme_strsource(rc), gpgme_strerror(rc));
170
158
if (rc != GPG_ERR_NO_ERROR){
171
159
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
172
160
gpgme_strsource(rc), gpgme_strerror(rc));
173
gpgme_data_release(dh_crypto);
174
161
return -1;
175
162
}
176
163
179
166
if (rc != GPG_ERR_NO_ERROR){
180
167
fprintf(stderr, "bad gpgme_new: %s: %s\n",
181
168
gpgme_strsource(rc), gpgme_strerror(rc));
182
plaintext_length = -1;
183
goto decrypt_end;
169
return -1;
184
170
}
185
171
186
/* Decrypt data from the cryptotext data buffer to the plaintext
187
data buffer */
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
188
174
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
189
175
if (rc != GPG_ERR_NO_ERROR){
190
176
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
191
177
gpgme_strsource(rc), gpgme_strerror(rc));
192
plaintext_length = -1;
193
goto decrypt_end;
178
return -1;
194
179
}
195
180
196
181
if(debug){
197
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
198
183
}
199
184
200
185
if (debug){
201
186
gpgme_decrypt_result_t result;
202
187
result = gpgme_op_decrypt_result(ctx);
226
211
}
227
212
}
228
213
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
229
217
/* Seek back to the beginning of the GPGME plaintext data buffer */
230
218
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
231
219
perror("pgpme_data_seek");
232
plaintext_length = -1;
233
goto decrypt_end;
234
220
}
235
221
236
*plaintext = NULL;
222
*new_packet = 0;
237
223
while(true){
238
plaintext_capacity = adjustbuffer(plaintext,
239
(size_t)plaintext_length,
240
plaintext_capacity);
241
if (plaintext_capacity == 0){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
242
227
perror("adjustbuffer");
243
plaintext_length = -1;
244
goto decrypt_end;
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
245
231
}
246
232
247
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
248
234
BUFFER_SIZE);
249
235
/* Print the data, if any */
250
236
if (ret == 0){
251
/* EOF */
252
237
break;
253
238
}
254
239
if(ret < 0){
255
240
perror("gpgme_data_read");
256
plaintext_length = -1;
257
goto decrypt_end;
241
return -1;
258
242
}
259
plaintext_length += ret;
243
new_packet_length += ret;
260
244
}
261
245
262
if(debug){
263
fprintf(stderr, "Decrypted password is: ");
264
for(ssize_t i = 0; i < plaintext_length; i++){
265
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
266
}
267
fprintf(stderr, "\n");
268
}
269
270
decrypt_end:
271
272
/* Delete the GPGME cryptotext data buffer */
273
gpgme_data_release(dh_crypto);
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
274
253
275
254
/* Delete the GPGME plaintext data buffer */
276
255
gpgme_data_release(dh_plain);
277
return plaintext_length;
256
return new_packet_length;
278
257
}
279
258
280
259
static const char * safer_gnutls_strerror (int value) {
284
263
return ret;
285
264
}
286
265
287
/* GnuTLS log function callback */
288
266
static void debuggnutls(__attribute__((unused)) int level,
289
267
const char* string){
290
fprintf(stderr, "GnuTLS: %s", string);
268
fprintf(stderr, "%s", string);
291
269
}
292
270
293
static int init_gnutls_global(mandos_context *mc,
294
const char *pubkeyfile,
295
const char *seckeyfile){
271
static int initgnutls(mandos_context *mc){
272
const char *err;
296
273
int ret;
297
274
298
275
if(debug){
301
278
302
279
if ((ret = gnutls_global_init ())
303
280
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "GnuTLS global_init: %s\n",
305
safer_gnutls_strerror(ret));
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
306
282
return -1;
307
283
}
308
284
309
285
if (debug){
310
/* "Use a log level over 10 to enable all debugging options."
311
* - GnuTLS manual
312
*/
313
286
gnutls_global_set_log_level(11);
314
287
gnutls_global_set_log_function(debuggnutls);
315
288
}
316
289
317
/* OpenPGP credentials */
318
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
319
292
!= GNUTLS_E_SUCCESS) {
320
fprintf (stderr, "GnuTLS memory error: %s\n",
293
fprintf (stderr, "memory error: %s\n",
321
294
safer_gnutls_strerror(ret));
322
gnutls_global_deinit ();
323
295
return -1;
324
296
}
325
297
326
298
if(debug){
327
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
328
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
329
seckeyfile);
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
330
302
}
331
303
332
304
ret = gnutls_certificate_set_openpgp_key_file
333
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
334
306
if (ret != GNUTLS_E_SUCCESS) {
335
fprintf(stderr,
336
"Error[%d] while reading the OpenPGP key pair ('%s',"
337
" '%s')\n", ret, pubkeyfile, seckeyfile);
338
fprintf(stdout, "The GnuTLS error is: %s\n",
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
339
312
safer_gnutls_strerror(ret));
340
goto globalfail;
341
}
342
343
/* GnuTLS server initialization */
344
ret = gnutls_dh_params_init(&mc->dh_params);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
347
" %s\n", safer_gnutls_strerror(ret));
348
goto globalfail;
349
}
350
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
351
if (ret != GNUTLS_E_SUCCESS) {
352
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
353
safer_gnutls_strerror(ret));
354
goto globalfail;
355
}
356
357
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
358
359
return 0;
360
361
globalfail:
362
363
gnutls_certificate_free_credentials (mc->cred);
364
gnutls_global_deinit ();
365
return -1;
366
367
}
368
369
static int init_gnutls_session(mandos_context *mc,
370
gnutls_session_t *session){
371
int ret;
372
/* GnuTLS session creation */
373
ret = gnutls_init(session, GNUTLS_SERVER);
374
if (ret != GNUTLS_E_SUCCESS){
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
375
336
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
376
337
safer_gnutls_strerror(ret));
377
338
}
378
339
379
{
380
const char *err;
381
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Syntax error at: %s\n", err);
384
fprintf(stderr, "GnuTLS error: %s\n",
385
safer_gnutls_strerror(ret));
386
gnutls_deinit (*session);
387
return -1;
388
}
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
389
346
}
390
347
391
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
392
mc->cred);
393
if (ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
395
352
safer_gnutls_strerror(ret));
396
gnutls_deinit (*session);
397
353
return -1;
398
354
}
399
355
400
356
/* ignore client certificate if any. */
401
gnutls_certificate_server_set_request (*session,
357
gnutls_certificate_server_set_request (es->session,
402
358
GNUTLS_CERT_IGNORE);
403
359
404
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
405
361
406
362
return 0;
407
363
}
408
364
409
/* Avahi log function callback */
410
365
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
411
366
__attribute__((unused)) const char *txt){}
412
367
413
/* Called when a Mandos server is found */
414
368
static int start_mandos_communication(const char *ip, uint16_t port,
415
369
AvahiIfIndex if_index,
416
370
mandos_context *mc){
417
371
int ret, tcp_sd;
418
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
372
struct sockaddr_in6 to;
373
encrypted_session es;
419
374
char *buffer = NULL;
420
375
char *decrypted_buffer;
421
376
size_t buffer_length = 0;
424
379
size_t written;
425
380
int retval = 0;
426
381
char interface[IF_NAMESIZE];
427
gnutls_session_t session;
428
429
ret = init_gnutls_session (mc, &session);
430
if (ret != 0){
431
return -1;
432
}
433
382
434
383
if(debug){
435
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
444
393
445
394
if(debug){
446
395
if(if_indextoname((unsigned int)if_index, interface) == NULL){
447
perror("if_indextoname");
396
if(debug){
397
perror("if_indextoname");
398
}
448
399
return -1;
449
400
}
401
450
402
fprintf(stderr, "Binding to interface %s\n", interface);
451
403
}
452
404
453
405
memset(&to,0,sizeof(to)); /* Spurious warning */
454
to.in6.sin6_family = AF_INET6;
455
/* It would be nice to have a way to detect if we were passed an
456
IPv4 address here. Now we assume an IPv6 address. */
457
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
458
408
if (ret < 0 ){
459
409
perror("inet_pton");
460
410
return -1;
461
}
411
}
462
412
if(ret == 0){
463
413
fprintf(stderr, "Bad address: %s\n", ip);
464
414
return -1;
465
415
}
466
to.in6.sin6_port = htons(port); /* Spurious warning */
416
to.sin6_port = htons(port); /* Spurious warning */
467
417
468
to.in6.sin6_scope_id = (uint32_t)if_index;
418
to.sin6_scope_id = (uint32_t)if_index;
469
419
470
420
if(debug){
471
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
472
char addrstr[INET6_ADDRSTRLEN] = "";
473
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
474
sizeof(addrstr)) == NULL){
475
perror("inet_ntop");
476
} else {
477
if(strcmp(addrstr, ip) != 0){
478
fprintf(stderr, "Canonical address form: %s\n", addrstr);
479
}
480
}
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
481
430
}
482
431
483
ret = connect(tcp_sd, &to.in, sizeof(to));
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
484
433
if (ret < 0){
485
434
perror("connect");
486
435
return -1;
487
436
}
488
437
489
const char *out = mandos_protocol_version;
438
char *out = mandos_protocol_version;
490
439
written = 0;
491
440
while (true){
492
441
size_t out_size = strlen(out);
495
444
if (ret == -1){
496
445
perror("write");
497
446
retval = -1;
498
goto mandos_end;
447
goto end;
499
448
}
500
written += (size_t)ret;
449
written += ret;
501
450
if(written < out_size){
502
451
continue;
503
452
} else {
510
459
}
511
460
}
512
461
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
513
471
if(debug){
514
472
fprintf(stderr, "Establishing TLS session with %s\n", ip);
515
473
}
516
474
517
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
518
519
ret = gnutls_handshake (session);
475
ret = gnutls_handshake (es.session);
520
476
521
477
if (ret != GNUTLS_E_SUCCESS){
522
478
if(debug){
523
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
479
fprintf(stderr, "\n*** Handshake failed ***\n");
524
480
gnutls_perror (ret);
525
481
}
526
482
retval = -1;
527
goto mandos_end;
483
goto exit;
528
484
}
529
485
530
/* Read OpenPGP packet that contains the wanted password */
486
//Retrieve OpenPGP packet that contains the wanted password
531
487
532
488
if(debug){
533
489
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
535
491
}
536
492
537
493
while(true){
538
buffer_capacity = adjustbuffer(&buffer, buffer_length,
539
buffer_capacity);
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
540
495
if (buffer_capacity == 0){
541
496
perror("adjustbuffer");
542
497
retval = -1;
543
goto mandos_end;
498
goto exit;
544
499
}
545
500
546
ret = gnutls_record_recv(session, buffer+buffer_length,
547
BUFFER_SIZE);
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
548
503
if (ret == 0){
549
504
break;
550
505
}
554
509
case GNUTLS_E_AGAIN:
555
510
break;
556
511
case GNUTLS_E_REHANDSHAKE:
557
ret = gnutls_handshake (session);
512
ret = gnutls_handshake (es.session);
558
513
if (ret < 0){
559
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
514
fprintf(stderr, "\n*** Handshake failed ***\n");
560
515
gnutls_perror (ret);
561
516
retval = -1;
562
goto mandos_end;
517
goto exit;
563
518
}
564
519
break;
565
520
default:
566
521
fprintf(stderr, "Unknown error while reading data from"
567
" encrypted session with Mandos server\n");
522
" encrypted session with mandos server\n");
568
523
retval = -1;
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
goto mandos_end;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
571
526
}
572
527
} else {
573
528
buffer_length += (size_t) ret;
574
529
}
575
530
}
576
531
577
if(debug){
578
fprintf(stderr, "Closing TLS session\n");
579
}
580
581
gnutls_bye (session, GNUTLS_SHUT_RDWR);
582
583
532
if (buffer_length > 0){
584
533
decrypted_buffer_size = pgp_packet_decrypt(buffer,
585
534
buffer_length,
586
535
&decrypted_buffer,
587
keydir);
536
certdir);
588
537
if (decrypted_buffer_size >= 0){
589
538
written = 0;
590
539
while(written < (size_t) decrypted_buffer_size){
606
555
retval = -1;
607
556
}
608
557
}
609
610
/* Shutdown procedure */
611
612
mandos_end:
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
613
565
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
614
568
close(tcp_sd);
615
gnutls_deinit (session);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
616
572
return retval;
617
573
}
618
574
619
static void resolve_callback(AvahiSServiceResolver *r,
620
AvahiIfIndex interface,
621
AVAHI_GCC_UNUSED AvahiProtocol protocol,
622
AvahiResolverEvent event,
623
const char *name,
624
const char *type,
625
const char *domain,
626
const char *host_name,
627
const AvahiAddress *address,
628
uint16_t port,
629
AVAHI_GCC_UNUSED AvahiStringList *txt,
630
AVAHI_GCC_UNUSED AvahiLookupResultFlags
631
flags,
632
void* userdata) {
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
633
588
mandos_context *mc = userdata;
634
589
assert(r); /* Spurious warning */
635
590
639
594
switch (event) {
640
595
default:
641
596
case AVAHI_RESOLVER_FAILURE:
642
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
643
" of type '%s' in domain '%s': %s\n", name, type, domain,
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
644
599
avahi_strerror(avahi_server_errno(mc->server)));
645
600
break;
646
601
649
604
char ip[AVAHI_ADDRESS_STR_MAX];
650
605
avahi_address_snprint(ip, sizeof(ip), address);
651
606
if(debug){
652
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
653
" port %d\n", name, host_name, ip, interface, port);
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
654
609
}
655
610
int ret = start_mandos_communication(ip, port, interface, mc);
656
611
if (ret == 0){
668
623
const char *name,
669
624
const char *type,
670
625
const char *domain,
671
AVAHI_GCC_UNUSED AvahiLookupResultFlags
672
flags,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
673
627
void* userdata) {
674
628
mandos_context *mc = userdata;
675
629
assert(b); /* Spurious warning */
680
634
switch (event) {
681
635
default:
682
636
case AVAHI_BROWSER_FAILURE:
683
684
fprintf(stderr, "(Avahi browser) %s\n",
637
638
fprintf(stderr, "(Browser) %s\n",
685
639
avahi_strerror(avahi_server_errno(mc->server)));
686
640
avahi_simple_poll_quit(mc->simple_poll);
687
641
return;
688
642
689
643
case AVAHI_BROWSER_NEW:
690
/* We ignore the returned Avahi resolver object. In the callback
691
function we free it. If the Avahi server is terminated before
692
the callback function is called the Avahi server will free the
693
resolver for us. */
694
695
if (!(avahi_s_service_resolver_new(mc->server, interface,
696
protocol, name, type, domain,
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
697
651
AVAHI_PROTO_INET6, 0,
698
652
resolve_callback, mc)))
699
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
700
name, avahi_strerror(avahi_server_errno(mc->server)));
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
701
655
break;
702
656
703
657
case AVAHI_BROWSER_REMOVE:
704
658
break;
705
659
706
660
case AVAHI_BROWSER_ALL_FOR_NOW:
707
661
case AVAHI_BROWSER_CACHE_EXHAUSTED:
708
if(debug){
709
fprintf(stderr, "No Mandos server found, still searching...\n");
710
}
711
662
break;
712
663
}
713
664
}
722
673
return NULL;
723
674
}
724
675
if(f_len > 0){
725
memcpy(tmp, first, f_len); /* Spurious warning */
676
memcpy(tmp, first, f_len);
726
677
}
727
678
tmp[f_len] = '/';
728
679
if(s_len > 0){
729
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
680
memcpy(tmp + f_len + 1, second, s_len);
730
681
}
731
682
tmp[f_len + 1 + s_len] = '\0';
732
683
return tmp;
733
684
}
734
685
735
686
736
int main(int argc, char *argv[]){
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
737
689
AvahiSServiceBrowser *sb = NULL;
738
690
int error;
739
691
int ret;
740
int exitcode = EXIT_SUCCESS;
692
int returncode = EXIT_SUCCESS;
741
693
const char *interface = "eth0";
742
694
struct ifreq network;
743
695
int sd;
744
uid_t uid;
745
gid_t gid;
746
696
char *connect_to = NULL;
747
697
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
748
const char *pubkeyfile = "pubkey.txt";
749
const char *seckeyfile = "seckey.txt";
750
698
mandos_context mc = { .simple_poll = NULL, .server = NULL,
751
.dh_bits = 1024, .priority = "SECURE256"};
752
bool gnutls_initalized = false;
699
.dh_bits = 2048, .priority = "SECURE256"};
753
700
754
{
755
struct argp_option options[] = {
756
{ .name = "debug", .key = 128,
757
.doc = "Debug mode", .group = 3 },
758
{ .name = "connect", .key = 'c',
759
.arg = "IP",
760
.doc = "Connect directly to a sepcified mandos server",
761
.group = 1 },
762
{ .name = "interface", .key = 'i',
763
.arg = "INTERFACE",
764
.doc = "Interface that Avahi will conntect through",
765
.group = 1 },
766
{ .name = "keydir", .key = 'd',
767
.arg = "KEYDIR",
768
.doc = "Directory where the openpgp keyring is",
769
.group = 1 },
770
{ .name = "seckey", .key = 's',
771
.arg = "SECKEY",
772
.doc = "Secret openpgp key for gnutls authentication",
773
.group = 1 },
774
{ .name = "pubkey", .key = 'p',
775
.arg = "PUBKEY",
776
.doc = "Public openpgp key for gnutls authentication",
777
.group = 2 },
778
{ .name = "dh-bits", .key = 129,
779
.arg = "BITS",
780
.doc = "dh-bits to use in gnutls communication",
781
.group = 2 },
782
{ .name = "priority", .key = 130,
783
.arg = "PRIORITY",
784
.doc = "GNUTLS priority", .group = 1 },
785
{ .name = NULL }
786
};
787
788
789
error_t parse_opt (int key, char *arg,
790
struct argp_state *state) {
791
/* Get the INPUT argument from `argp_parse', which we know is
792
a pointer to our plugin list pointer. */
793
switch (key) {
794
case 128:
795
debug = true;
796
break;
797
case 'c':
798
connect_to = arg;
799
break;
800
case 'i':
801
interface = arg;
802
break;
803
case 'd':
804
keydir = arg;
805
break;
806
case 's':
807
seckeyfile = arg;
808
break;
809
case 'p':
810
pubkeyfile = arg;
811
break;
812
case 129:
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
813
742
errno = 0;
814
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
815
if (errno){
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
816
745
perror("strtol");
817
746
exit(EXIT_FAILURE);
818
747
}
819
break;
820
case 130:
821
mc.priority = arg;
822
break;
823
case ARGP_KEY_ARG:
824
argp_usage (state);
825
break;
826
case ARGP_KEY_END:
827
break;
828
default:
829
return ARGP_ERR_UNKNOWN;
748
mc.dh_bits = tmp;
830
749
}
831
return 0;
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
832
756
}
833
834
struct argp argp = { .options = options, .parser = parse_opt,
835
.args_doc = "",
836
.doc = "Mandos client -- Get and decrypt"
837
" passwords from mandos server" };
838
argp_parse (&argp, argc, argv, 0, 0, NULL);
839
}
840
841
pubkeyfile = combinepath(keydir, pubkeyfile);
842
if (pubkeyfile == NULL){
843
perror("combinepath");
844
exitcode = EXIT_FAILURE;
845
goto end;
846
}
847
848
seckeyfile = combinepath(keydir, seckeyfile);
849
if (seckeyfile == NULL){
850
perror("combinepath");
851
goto end;
852
}
853
854
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
855
if (ret == -1){
856
fprintf(stderr, "init_gnutls_global\n");
857
goto end;
858
} else {
859
gnutls_initalized = true;
860
}
861
862
uid = getuid();
863
gid = getgid();
864
865
ret = setuid(uid);
866
if (ret == -1){
867
perror("setuid");
868
}
869
870
setgid(gid);
871
if (ret == -1){
872
perror("setgid");
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
873
771
}
874
772
875
773
if_index = (AvahiIfIndex) if_nametoindex(interface);
884
782
char *address = strrchr(connect_to, ':');
885
783
if(address == NULL){
886
784
fprintf(stderr, "No colon in address\n");
887
exitcode = EXIT_FAILURE;
888
goto end;
785
exit(EXIT_FAILURE);
889
786
}
890
787
errno = 0;
891
788
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
892
789
if(errno){
893
790
perror("Bad port number");
894
exitcode = EXIT_FAILURE;
895
goto end;
791
exit(EXIT_FAILURE);
896
792
}
897
793
*address = '\0';
898
794
address = connect_to;
899
ret = start_mandos_communication(address, port, if_index, &mc);
795
ret = start_mandos_communication(address, port, if_index);
900
796
if(ret < 0){
901
exitcode = EXIT_FAILURE;
797
exit(EXIT_FAILURE);
902
798
} else {
903
exitcode = EXIT_SUCCESS;
799
exit(EXIT_SUCCESS);
904
800
}
905
goto end;
906
801
}
907
802
908
/* If the interface is down, bring it up */
909
{
910
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
911
if(sd < 0) {
912
perror("socket");
913
exitcode = EXIT_FAILURE;
914
goto end;
915
}
916
strcpy(network.ifr_name, interface); /* Spurious warning */
917
ret = ioctl(sd, SIOCGIFFLAGS, &network);
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
918
820
if(ret == -1){
919
perror("ioctl SIOCGIFFLAGS");
920
exitcode = EXIT_FAILURE;
921
goto end;
922
}
923
if((network.ifr_flags & IFF_UP) == 0){
924
network.ifr_flags |= IFF_UP;
925
ret = ioctl(sd, SIOCSIFFLAGS, &network);
926
if(ret == -1){
927
perror("ioctl SIOCSIFFLAGS");
928
exitcode = EXIT_FAILURE;
929
goto end;
930
}
931
}
932
close(sd);
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
933
825
}
826
close(sd);
934
827
935
828
if (not debug){
936
829
avahi_set_log_function(empty_log);
937
830
}
938
831
939
/* Initialize the pseudo-RNG for Avahi */
832
/* Initialize the psuedo-RNG */
940
833
srand((unsigned int) time(NULL));
941
942
/* Allocate main Avahi loop object */
943
mc.simple_poll = avahi_simple_poll_new();
944
if (mc.simple_poll == NULL) {
945
fprintf(stderr, "Avahi: Failed to create simple poll"
946
" object.\n");
947
exitcode = EXIT_FAILURE;
948
goto end;
949
}
950
951
{
952
AvahiServerConfig config;
953
/* Do not publish any local Zeroconf records */
954
avahi_server_config_init(&config);
955
config.publish_hinfo = 0;
956
config.publish_addresses = 0;
957
config.publish_workstation = 0;
958
config.publish_domain = 0;
959
960
/* Allocate a new server */
961
mc.server = avahi_server_new(avahi_simple_poll_get
962
(mc.simple_poll), &config, NULL,
963
NULL, &error);
964
965
/* Free the Avahi configuration data */
966
avahi_server_config_free(&config);
967
}
968
969
/* Check if creating the Avahi server object succeeded */
970
if (mc.server == NULL) {
971
fprintf(stderr, "Failed to create Avahi server: %s\n",
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
972
859
avahi_strerror(error));
973
exitcode = EXIT_FAILURE;
974
goto end;
860
returncode = EXIT_FAILURE;
861
goto exit;
975
862
}
976
863
977
/* Create the Avahi service browser */
864
/* Create the service browser */
978
865
sb = avahi_s_service_browser_new(mc.server, if_index,
979
866
AVAHI_PROTO_INET6,
980
867
"_mandos._tcp", NULL, 0,
981
868
browse_callback, &mc);
982
if (sb == NULL) {
869
if (!sb) {
983
870
fprintf(stderr, "Failed to create service browser: %s\n",
984
871
avahi_strerror(avahi_server_errno(mc.server)));
985
exitcode = EXIT_FAILURE;
986
goto end;
872
returncode = EXIT_FAILURE;
873
goto exit;
987
874
}
988
875
989
876
/* Run the main loop */
990
877
991
878
if (debug){
992
fprintf(stderr, "Starting Avahi loop search\n");
879
fprintf(stderr, "Starting avahi loop search\n");
993
880
}
994
881
995
avahi_simple_poll_loop(mc.simple_poll);
882
avahi_simple_poll_loop(simple_poll);
996
883
997
end:
884
exit:
998
885
999
886
if (debug){
1000
887
fprintf(stderr, "%s exiting\n", argv[0]);
1001
888
}
1002
889
1003
890
/* Cleanup things */
1004
if (sb != NULL)
891
if (sb)
1005
892
avahi_s_service_browser_free(sb);
1006
893
1007
if (mc.server != NULL)
894
if (mc.server)
1008
895
avahi_server_free(mc.server);
1009
896
1010
if (mc.simple_poll != NULL)
1011
avahi_simple_poll_free(mc.simple_poll);
1012
free(pubkeyfile);
1013
free(seckeyfile);
1014
1015
if (gnutls_initalized){
1016
gnutls_certificate_free_credentials (mc.cred);
1017
gnutls_global_deinit ();
1018
}
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1019
901
1020
return exitcode;
902
return returncode;
1021
903
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0