To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.6
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.6
- Committer: Björn Påhlsson
- Date: 2008-08-02 14:48:45 UTC
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802144845-sd6z98g9poztxffs
plugbasedclient
change uid to nobody:nogroup as default for all plugins
mandosclient
Takes up the interface if needed
change uid to nobody:nogroup as default for all plugins
mandosclient
Takes up the interface if needed
- files removed:
- server.conf
- files renamed:
- clients.conf => mandos-clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
13
13
*
14
14
* This program is free software: you can redistribute it and/or
15
15
* modify it under the terms of the GNU General Public License as
25
25
* along with this program. If not, see
26
26
* <http://www.gnu.org/licenses/>.
27
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
30
*/
30
31
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _FORTIFY_SOURCE 2
33
32
34
#define _LARGEFILE_SOURCE
33
35
#define _FILE_OFFSET_BITS 64
34
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
37
#include <stdio.h>
38
38
#include <assert.h>
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
46
44
47
45
#include <avahi-core/core.h>
48
46
#include <avahi-core/lookup.h>
51
49
#include <avahi-common/malloc.h>
52
50
#include <avahi-common/error.h>
53
51
54
/* Mandos client part */
52
//mandos client part
55
53
#include <sys/types.h> /* socket(), inet_pton() */
56
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
55
struct in6_addr, inet_pton() */
64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
65
69
/* GPGME */
66
// gpgme
70
67
#include <errno.h> /* perror() */
71
68
#include <gpgme.h>
72
69
73
/* getopt_long */
70
// getopt long
74
71
#include <getopt.h>
75
72
76
73
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
77
75
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char *pubkeyfile = "pubkey.txt";
80
static const char *seckeyfile = "seckey.txt";
76
const char *certdir = "/conf/conf.d/cryptkeyreq/";
77
const char *certfile = "openpgp-client.txt";
78
const char *certkey = "openpgp-client-key.txt";
81
79
82
80
bool debug = false;
83
81
84
const char mandos_protocol_version[] = "1";
85
86
/* Used for passing in values through all the callback functions */
87
82
typedef struct {
88
AvahiSimplePoll *simple_poll;
89
AvahiServer *server;
83
gnutls_session_t session;
90
84
gnutls_certificate_credentials_t cred;
91
unsigned int dh_bits;
92
85
gnutls_dh_params_t dh_params;
93
const char *priority;
94
} mandos_context;
95
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
86
} encrypted_session;
87
88
89
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
90
char **new_packet, const char *homedir){
116
91
gpgme_data_t dh_crypto, dh_plain;
117
92
gpgme_ctx_t ctx;
118
93
gpgme_error_t rc;
119
94
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
122
97
gpgme_engine_info_t engine_info;
123
98
124
99
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
101
}
127
102
128
103
/* Init GPGME */
134
109
return -1;
135
110
}
136
111
137
/* Set GPGME home directory for the OpenPGP engine only */
112
/* Set GPGME home directory */
138
113
rc = gpgme_get_engine_info (&engine_info);
139
114
if (rc != GPG_ERR_NO_ERROR){
140
115
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
125
engine_info = engine_info->next;
151
126
}
152
127
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
129
return -1;
155
130
}
156
131
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
134
if (rc != GPG_ERR_NO_ERROR){
161
135
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
136
gpgme_strsource(rc), gpgme_strerror(rc));
168
142
if (rc != GPG_ERR_NO_ERROR){
169
143
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
144
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
145
return -1;
173
146
}
174
147
177
150
if (rc != GPG_ERR_NO_ERROR){
178
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
152
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
153
return -1;
182
154
}
183
155
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
186
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
159
if (rc != GPG_ERR_NO_ERROR){
188
160
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
161
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
162
return -1;
192
163
}
193
164
194
165
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
167
}
197
168
198
169
if (debug){
199
170
gpgme_decrypt_result_t result;
200
171
result = gpgme_op_decrypt_result(ctx);
224
195
}
225
196
}
226
197
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
200
227
201
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
203
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
204
}
233
205
234
*plaintext = NULL;
206
*new_packet = 0;
235
207
while(true){
236
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
237
plaintext_capacity);
238
if (plaintext_capacity == 0){
239
perror("adjustbuffer");
240
plaintext_length = -1;
241
goto decrypt_end;
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
242
217
}
243
218
244
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
245
220
BUFFER_SIZE);
246
221
/* Print the data, if any */
247
222
if (ret == 0){
248
/* EOF */
249
223
break;
250
224
}
251
225
if(ret < 0){
252
226
perror("gpgme_data_read");
253
plaintext_length = -1;
254
goto decrypt_end;
227
return -1;
255
228
}
256
plaintext_length += ret;
229
new_packet_length += ret;
257
230
}
258
231
259
if(debug){
260
fprintf(stderr, "Decrypted password is: ");
261
for(ssize_t i = 0; i < plaintext_length; i++){
262
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
263
}
264
fprintf(stderr, "\n");
265
}
266
267
decrypt_end:
268
269
/* Delete the GPGME cryptotext data buffer */
270
gpgme_data_release(dh_crypto);
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
271
239
272
240
/* Delete the GPGME plaintext data buffer */
273
241
gpgme_data_release(dh_plain);
274
return plaintext_length;
242
return new_packet_length;
275
243
}
276
244
277
245
static const char * safer_gnutls_strerror (int value) {
281
249
return ret;
282
250
}
283
251
284
/* GnuTLS log function callback */
285
static void debuggnutls(__attribute__((unused)) int level,
286
const char* string){
287
fprintf(stderr, "GnuTLS: %s", string);
252
void debuggnutls(__attribute__((unused)) int level,
253
const char* string){
254
fprintf(stderr, "%s", string);
288
255
}
289
256
290
static int init_gnutls_global(mandos_context *mc){
257
int initgnutls(encrypted_session *es){
258
const char *err;
291
259
int ret;
292
260
293
261
if(debug){
296
264
297
265
if ((ret = gnutls_global_init ())
298
266
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "GnuTLS global_init: %s\n",
300
safer_gnutls_strerror(ret));
267
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
301
268
return -1;
302
269
}
303
270
304
271
if (debug){
305
/* "Use a log level over 10 to enable all debugging options."
306
* - GnuTLS manual
307
*/
308
272
gnutls_global_set_log_level(11);
309
273
gnutls_global_set_log_function(debuggnutls);
310
274
}
311
275
312
/* OpenPGP credentials */
313
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
276
/* openpgp credentials */
277
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
314
278
!= GNUTLS_E_SUCCESS) {
315
fprintf (stderr, "GnuTLS memory error: %s\n",
279
fprintf (stderr, "memory error: %s\n",
316
280
safer_gnutls_strerror(ret));
317
281
return -1;
318
282
}
319
283
320
284
if(debug){
321
285
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
322
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
323
seckeyfile);
286
" and keyfile %s as GnuTLS credentials\n", certfile,
287
certkey);
324
288
}
325
289
326
290
ret = gnutls_certificate_set_openpgp_key_file
327
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
291
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
328
292
if (ret != GNUTLS_E_SUCCESS) {
329
fprintf(stderr,
330
"Error[%d] while reading the OpenPGP key pair ('%s',"
331
" '%s')\n", ret, pubkeyfile, seckeyfile);
332
fprintf(stdout, "The GnuTLS error is: %s\n",
293
fprintf
294
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
295
" '%s')\n",
296
ret, certfile, certkey);
297
fprintf(stdout, "The Error is: %s\n",
333
298
safer_gnutls_strerror(ret));
334
299
return -1;
335
300
}
336
301
337
/* GnuTLS server initialization */
338
ret = gnutls_dh_params_init(&mc->dh_params);
339
if (ret != GNUTLS_E_SUCCESS) {
340
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
341
" %s\n", safer_gnutls_strerror(ret));
342
return -1;
343
}
344
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
347
safer_gnutls_strerror(ret));
348
return -1;
349
}
350
351
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
352
353
return 0;
354
}
355
356
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
int ret;
358
/* GnuTLS session creation */
359
ret = gnutls_init(session, GNUTLS_SERVER);
360
if (ret != GNUTLS_E_SUCCESS){
302
//GnuTLS server initialization
303
if ((ret = gnutls_dh_params_init (&es->dh_params))
304
!= GNUTLS_E_SUCCESS) {
305
fprintf (stderr, "Error in dh parameter initialization: %s\n",
306
safer_gnutls_strerror(ret));
307
return -1;
308
}
309
310
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
311
!= GNUTLS_E_SUCCESS) {
312
fprintf (stderr, "Error in prime generation: %s\n",
313
safer_gnutls_strerror(ret));
314
return -1;
315
}
316
317
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
318
319
// GnuTLS session creation
320
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
321
!= GNUTLS_E_SUCCESS){
361
322
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
362
323
safer_gnutls_strerror(ret));
363
324
}
364
325
365
{
366
const char *err;
367
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf(stderr, "Syntax error at: %s\n", err);
370
fprintf(stderr, "GnuTLS error: %s\n",
371
safer_gnutls_strerror(ret));
372
return -1;
373
}
326
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Syntax error at: %s\n", err);
329
fprintf(stderr, "GnuTLS error: %s\n",
330
safer_gnutls_strerror(ret));
331
return -1;
374
332
}
375
333
376
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
mc->cred);
378
if (ret != GNUTLS_E_SUCCESS) {
379
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
334
if ((ret = gnutls_credentials_set
335
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
336
!= GNUTLS_E_SUCCESS) {
337
fprintf(stderr, "Error setting a credentials set: %s\n",
380
338
safer_gnutls_strerror(ret));
381
339
return -1;
382
340
}
383
341
384
342
/* ignore client certificate if any. */
385
gnutls_certificate_server_set_request (*session,
343
gnutls_certificate_server_set_request (es->session,
386
344
GNUTLS_CERT_IGNORE);
387
345
388
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
346
gnutls_dh_set_prime_bits (es->session, DH_BITS);
389
347
390
348
return 0;
391
349
}
392
350
393
/* Avahi log function callback */
394
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
395
__attribute__((unused)) const char *txt){}
351
void empty_log(__attribute__((unused)) AvahiLogLevel level,
352
__attribute__((unused)) const char *txt){}
396
353
397
/* Called when a Mandos server is found */
398
static int start_mandos_communication(const char *ip, uint16_t port,
399
AvahiIfIndex if_index,
400
mandos_context *mc){
354
int start_mandos_communication(const char *ip, uint16_t port,
355
unsigned int if_index){
401
356
int ret, tcp_sd;
402
357
struct sockaddr_in6 to;
358
encrypted_session es;
403
359
char *buffer = NULL;
404
360
char *decrypted_buffer;
405
361
size_t buffer_length = 0;
406
362
size_t buffer_capacity = 0;
407
363
ssize_t decrypted_buffer_size;
408
size_t written;
364
size_t written = 0;
409
365
int retval = 0;
410
366
char interface[IF_NAMESIZE];
411
gnutls_session_t session;
412
gnutls_dh_params_t dh_params;
413
414
ret = init_gnutls_session (mc, &session);
415
if (ret != 0){
416
return -1;
417
}
418
367
419
368
if(debug){
420
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
421
ip, port);
369
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
422
370
}
423
371
424
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
428
376
}
429
377
430
378
if(debug){
431
if(if_indextoname((unsigned int)if_index, interface) == NULL){
432
perror("if_indextoname");
379
if(if_indextoname(if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
433
383
return -1;
434
384
}
385
435
386
fprintf(stderr, "Binding to interface %s\n", interface);
436
387
}
437
388
438
389
memset(&to,0,sizeof(to)); /* Spurious warning */
439
390
to.sin6_family = AF_INET6;
440
/* It would be nice to have a way to detect if we were passed an
441
IPv4 address here. Now we assume an IPv6 address. */
442
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
443
392
if (ret < 0 ){
444
393
perror("inet_pton");
445
394
return -1;
446
}
395
}
447
396
if(ret == 0){
448
397
fprintf(stderr, "Bad address: %s\n", ip);
449
398
return -1;
453
402
to.sin6_scope_id = (uint32_t)if_index;
454
403
455
404
if(debug){
456
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
457
char addrstr[INET6_ADDRSTRLEN] = "";
458
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
459
sizeof(addrstr)) == NULL){
460
perror("inet_ntop");
461
} else {
462
if(strcmp(addrstr, ip) != 0){
463
fprintf(stderr, "Canonical address form: %s\n", addrstr);
464
}
465
}
405
fprintf(stderr, "Connection to: %s\n", ip);
466
406
}
467
407
468
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
470
410
perror("connect");
471
411
return -1;
472
412
}
473
474
const char *out = mandos_protocol_version;
475
written = 0;
476
while (true){
477
size_t out_size = strlen(out);
478
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
479
out_size - written));
480
if (ret == -1){
481
perror("write");
482
retval = -1;
483
goto mandos_end;
484
}
485
written += (size_t)ret;
486
if(written < out_size){
487
continue;
488
} else {
489
if (out == mandos_protocol_version){
490
written = 0;
491
out = "\r\n";
492
} else {
493
break;
494
}
495
}
413
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
496
418
}
497
419
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
498
423
if(debug){
499
424
fprintf(stderr, "Establishing TLS session with %s\n", ip);
500
425
}
501
426
502
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
503
504
ret = gnutls_handshake (session);
427
ret = gnutls_handshake (es.session);
505
428
506
429
if (ret != GNUTLS_E_SUCCESS){
507
430
if(debug){
508
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
431
fprintf(stderr, "\n*** Handshake failed ***\n");
509
432
gnutls_perror (ret);
510
433
}
511
434
retval = -1;
512
goto mandos_end;
435
goto exit;
513
436
}
514
437
515
/* Read OpenPGP packet that contains the wanted password */
438
//Retrieve OpenPGP packet that contains the wanted password
516
439
517
440
if(debug){
518
441
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
520
443
}
521
444
522
445
while(true){
523
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
524
if (buffer_capacity == 0){
525
perror("adjustbuffer");
526
retval = -1;
527
goto mandos_end;
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
if (buffer == NULL){
449
perror("realloc");
450
goto exit;
451
}
452
buffer_capacity += BUFFER_SIZE;
528
453
}
529
454
530
ret = gnutls_record_recv(session, buffer+buffer_length,
531
BUFFER_SIZE);
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
532
457
if (ret == 0){
533
458
break;
534
459
}
538
463
case GNUTLS_E_AGAIN:
539
464
break;
540
465
case GNUTLS_E_REHANDSHAKE:
541
ret = gnutls_handshake (session);
466
ret = gnutls_handshake (es.session);
542
467
if (ret < 0){
543
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
468
fprintf(stderr, "\n*** Handshake failed ***\n");
544
469
gnutls_perror (ret);
545
470
retval = -1;
546
goto mandos_end;
471
goto exit;
547
472
}
548
473
break;
549
474
default:
550
475
fprintf(stderr, "Unknown error while reading data from"
551
" encrypted session with Mandos server\n");
476
" encrypted session with mandos server\n");
552
477
retval = -1;
553
gnutls_bye (session, GNUTLS_SHUT_RDWR);
554
goto mandos_end;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
555
480
}
556
481
} else {
557
482
buffer_length += (size_t) ret;
558
483
}
559
484
}
560
485
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
565
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
567
486
if (buffer_length > 0){
568
487
decrypted_buffer_size = pgp_packet_decrypt(buffer,
569
488
buffer_length,
570
489
&decrypted_buffer,
571
keydir);
490
certdir);
572
491
if (decrypted_buffer_size >= 0){
573
written = 0;
574
while(written < (size_t) decrypted_buffer_size){
492
while(written < (size_t)decrypted_buffer_size){
575
493
ret = (int)fwrite (decrypted_buffer + written, 1,
576
494
(size_t)decrypted_buffer_size - written,
577
495
stdout);
590
508
retval = -1;
591
509
}
592
510
}
593
594
/* Shutdown procedure */
595
596
mandos_end:
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
597
518
free(buffer);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
598
521
close(tcp_sd);
599
gnutls_deinit (session);
600
gnutls_certificate_free_credentials (mc->cred);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
601
524
gnutls_global_deinit ();
602
525
return retval;
603
526
}
604
527
605
static void resolve_callback(AvahiSServiceResolver *r,
606
AvahiIfIndex interface,
607
AVAHI_GCC_UNUSED AvahiProtocol protocol,
608
AvahiResolverEvent event,
609
const char *name,
610
const char *type,
611
const char *domain,
612
const char *host_name,
613
const AvahiAddress *address,
614
uint16_t port,
615
AVAHI_GCC_UNUSED AvahiStringList *txt,
616
AVAHI_GCC_UNUSED AvahiLookupResultFlags
617
flags,
618
void* userdata) {
619
mandos_context *mc = userdata;
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
620
546
assert(r); /* Spurious warning */
621
547
622
548
/* Called whenever a service has been resolved successfully or
625
551
switch (event) {
626
552
default:
627
553
case AVAHI_RESOLVER_FAILURE:
628
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
629
" of type '%s' in domain '%s': %s\n", name, type, domain,
630
avahi_strerror(avahi_server_errno(mc->server)));
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
631
557
break;
632
558
633
559
case AVAHI_RESOLVER_FOUND:
635
561
char ip[AVAHI_ADDRESS_STR_MAX];
636
562
avahi_address_snprint(ip, sizeof(ip), address);
637
563
if(debug){
638
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
639
" port %d\n", name, host_name, ip, interface, port);
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
640
566
}
641
int ret = start_mandos_communication(ip, port, interface, mc);
567
int ret = start_mandos_communication(ip, port,
568
(unsigned int) interface);
642
569
if (ret == 0){
643
570
exit(EXIT_SUCCESS);
644
571
}
647
574
avahi_s_service_resolver_free(r);
648
575
}
649
576
650
static void browse_callback( AvahiSServiceBrowser *b,
651
AvahiIfIndex interface,
652
AvahiProtocol protocol,
653
AvahiBrowserEvent event,
654
const char *name,
655
const char *type,
656
const char *domain,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
661
assert(b); /* Spurious warning */
662
663
/* Called whenever a new services becomes available on the LAN or
664
is removed from the LAN */
665
666
switch (event) {
667
default:
668
case AVAHI_BROWSER_FAILURE:
669
670
fprintf(stderr, "(Avahi browser) %s\n",
671
avahi_strerror(avahi_server_errno(mc->server)));
672
avahi_simple_poll_quit(mc->simple_poll);
673
return;
674
675
case AVAHI_BROWSER_NEW:
676
/* We ignore the returned Avahi resolver object. In the callback
677
function we free it. If the Avahi server is terminated before
678
the callback function is called the Avahi server will free the
679
resolver for us. */
680
681
if (!(avahi_s_service_resolver_new(mc->server, interface,
682
protocol, name, type, domain,
683
AVAHI_PROTO_INET6, 0,
684
resolve_callback, mc)))
685
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
686
name, avahi_strerror(avahi_server_errno(mc->server)));
687
break;
688
689
case AVAHI_BROWSER_REMOVE:
690
break;
691
692
case AVAHI_BROWSER_ALL_FOR_NOW:
693
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
if(debug){
695
fprintf(stderr, "No Mandos server found, still searching...\n");
577
static void browse_callback(
578
AvahiSServiceBrowser *b,
579
AvahiIfIndex interface,
580
AvahiProtocol protocol,
581
AvahiBrowserEvent event,
582
const char *name,
583
const char *type,
584
const char *domain,
585
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
586
void* userdata) {
587
588
AvahiServer *s = userdata;
589
assert(b); /* Spurious warning */
590
591
/* Called whenever a new services becomes available on the LAN or
592
is removed from the LAN */
593
594
switch (event) {
595
default:
596
case AVAHI_BROWSER_FAILURE:
597
598
fprintf(stderr, "(Browser) %s\n",
599
avahi_strerror(avahi_server_errno(server)));
600
avahi_simple_poll_quit(simple_poll);
601
return;
602
603
case AVAHI_BROWSER_NEW:
604
/* We ignore the returned resolver object. In the callback
605
function we free it. If the server is terminated before
606
the callback function is called the server will free
607
the resolver for us. */
608
609
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
610
type, domain,
611
AVAHI_PROTO_INET6, 0,
612
resolve_callback, s)))
613
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
614
avahi_strerror(avahi_server_errno(s)));
615
break;
616
617
case AVAHI_BROWSER_REMOVE:
618
break;
619
620
case AVAHI_BROWSER_ALL_FOR_NOW:
621
case AVAHI_BROWSER_CACHE_EXHAUSTED:
622
break;
696
623
}
697
break;
698
}
699
624
}
700
625
701
/* Combines file name and path and returns the malloced new
702
string. some sane checks could/should be added */
703
static const char *combinepath(const char *first, const char *second){
704
size_t f_len = strlen(first);
705
size_t s_len = strlen(second);
706
char *tmp = malloc(f_len + s_len + 2);
626
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
627
const char *combinepath(const char *first, const char *second){
628
char *tmp;
629
tmp = malloc(strlen(first) + strlen(second) + 2);
707
630
if (tmp == NULL){
631
perror("malloc");
708
632
return NULL;
709
633
}
710
if(f_len > 0){
711
memcpy(tmp, first, f_len); /* Spurious warning */
712
}
713
tmp[f_len] = '/';
714
if(s_len > 0){
715
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
716
}
717
tmp[f_len + 1 + s_len] = '\0';
634
strcpy(tmp, first);
635
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
636
strcat(tmp, "/");
637
}
638
strcat(tmp, second);
718
639
return tmp;
719
640
}
720
641
721
642
722
int main(int argc, char *argv[]){
643
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
644
AvahiServerConfig config;
723
645
AvahiSServiceBrowser *sb = NULL;
724
646
int error;
725
647
int ret;
726
int exitcode = EXIT_SUCCESS;
648
int returncode = EXIT_SUCCESS;
727
649
const char *interface = "eth0";
728
650
struct ifreq network;
729
651
int sd;
730
uid_t uid;
731
gid_t gid;
732
char *connect_to = NULL;
733
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
734
mandos_context mc = { .simple_poll = NULL, .server = NULL,
735
.dh_bits = 1024, .priority = "SECURE256"};
736
737
{
738
/* Temporary int to get the address of for getopt_long */
739
int debug_int = debug ? 1 : 0;
740
while (true){
741
struct option long_options[] = {
742
{"debug", no_argument, &debug_int, 1},
743
{"connect", required_argument, NULL, 'c'},
744
{"interface", required_argument, NULL, 'i'},
745
{"keydir", required_argument, NULL, 'd'},
746
{"seckey", required_argument, NULL, 's'},
747
{"pubkey", required_argument, NULL, 'p'},
748
{"dh-bits", required_argument, NULL, 'D'},
749
{"priority", required_argument, NULL, 'P'},
750
{0, 0, 0, 0} };
751
752
int option_index = 0;
753
ret = getopt_long (argc, argv, "i:", long_options,
754
&option_index);
755
756
if (ret == -1){
757
break;
758
}
759
760
switch(ret){
761
case 0:
762
break;
763
case 'i':
764
interface = optarg;
765
break;
766
case 'c':
767
connect_to = optarg;
768
break;
769
case 'd':
770
keydir = optarg;
771
break;
772
case 'p':
773
pubkeyfile = optarg;
774
break;
775
case 's':
776
seckeyfile = optarg;
777
break;
778
case 'D':
779
errno = 0;
780
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
781
if (errno){
782
perror("strtol");
783
exit(EXIT_FAILURE);
784
}
785
break;
786
case 'P':
787
mc.priority = optarg;
788
break;
789
case '?':
790
default:
791
/* getopt_long() has already printed a message about the
792
unrcognized option, so just exit. */
793
exit(EXIT_FAILURE);
794
}
795
}
796
/* Set the global debug flag from the temporary int */
797
debug = debug_int ? true : false;
798
}
799
800
pubkeyfile = combinepath(keydir, pubkeyfile);
801
if (pubkeyfile == NULL){
802
perror("combinepath");
803
exitcode = EXIT_FAILURE;
804
goto end;
805
}
806
807
seckeyfile = combinepath(keydir, seckeyfile);
808
if (seckeyfile == NULL){
809
perror("combinepath");
810
goto end;
811
}
812
813
ret = init_gnutls_global(&mc);
814
if (ret == -1){
815
fprintf(stderr, "init_gnutls_global\n");
816
goto end;
817
}
818
819
uid = getuid();
820
gid = getgid();
821
822
ret = setuid(uid);
823
if (ret == -1){
824
perror("setuid");
825
}
826
827
setgid(gid);
828
if (ret == -1){
829
perror("setgid");
830
}
831
832
if_index = (AvahiIfIndex) if_nametoindex(interface);
833
if(if_index == 0){
834
fprintf(stderr, "No such interface: \"%s\"\n", interface);
835
exit(EXIT_FAILURE);
836
}
837
838
if(connect_to != NULL){
839
/* Connect directly, do not use Zeroconf */
840
/* (Mainly meant for debugging) */
841
char *address = strrchr(connect_to, ':');
842
if(address == NULL){
843
fprintf(stderr, "No colon in address\n");
844
exitcode = EXIT_FAILURE;
845
goto end;
846
}
847
errno = 0;
848
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
849
if(errno){
850
perror("Bad port number");
851
exitcode = EXIT_FAILURE;
852
goto end;
853
}
854
*address = '\0';
855
address = connect_to;
856
ret = start_mandos_communication(address, port, if_index, &mc);
857
if(ret < 0){
858
exitcode = EXIT_FAILURE;
859
} else {
860
exitcode = EXIT_SUCCESS;
861
}
862
goto end;
863
}
864
865
/* If the interface is down, bring it up */
866
{
867
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
868
if(sd < 0) {
869
perror("socket");
870
exitcode = EXIT_FAILURE;
871
goto end;
872
}
873
strcpy(network.ifr_name, interface); /* Spurious warning */
874
ret = ioctl(sd, SIOCGIFFLAGS, &network);
652
653
while (true){
654
static struct option long_options[] = {
655
{"debug", no_argument, (int *)&debug, 1},
656
{"interface", required_argument, 0, 'i'},
657
{"certdir", required_argument, 0, 'd'},
658
{"certkey", required_argument, 0, 'c'},
659
{"certfile", required_argument, 0, 'k'},
660
{0, 0, 0, 0} };
661
662
int option_index = 0;
663
ret = getopt_long (argc, argv, "i:", long_options,
664
&option_index);
665
666
if (ret == -1){
667
break;
668
}
669
670
switch(ret){
671
case 0:
672
break;
673
case 'i':
674
interface = optarg;
675
break;
676
case 'd':
677
certdir = optarg;
678
break;
679
case 'c':
680
certfile = optarg;
681
break;
682
case 'k':
683
certkey = optarg;
684
break;
685
default:
686
exit(EXIT_FAILURE);
687
}
688
}
689
690
certfile = combinepath(certdir, certfile);
691
if (certfile == NULL){
692
returncode = EXIT_FAILURE;
693
goto exit;
694
}
695
696
certkey = combinepath(certdir, certkey);
697
if (certkey == NULL){
698
returncode = EXIT_FAILURE;
699
goto exit;
700
}
701
702
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
703
if(sd < 0) {
704
perror("socket");
705
returncode = EXIT_FAILURE;
706
goto exit;
707
}
708
strcpy(network.ifr_name, interface);
709
ret = ioctl(sd, SIOCGIFFLAGS, &network);
710
if(ret == -1){
711
712
perror("ioctl SIOCGIFFLAGS");
713
returncode = EXIT_FAILURE;
714
goto exit;
715
}
716
if((network.ifr_flags & IFF_UP) == 0){
717
network.ifr_flags |= IFF_UP;
718
ret = ioctl(sd, SIOCSIFFLAGS, &network);
875
719
if(ret == -1){
876
perror("ioctl SIOCGIFFLAGS");
877
exitcode = EXIT_FAILURE;
878
goto end;
879
}
880
if((network.ifr_flags & IFF_UP) == 0){
881
network.ifr_flags |= IFF_UP;
882
ret = ioctl(sd, SIOCSIFFLAGS, &network);
883
if(ret == -1){
884
perror("ioctl SIOCSIFFLAGS");
885
exitcode = EXIT_FAILURE;
886
goto end;
887
}
888
}
889
close(sd);
720
perror("ioctl SIOCSIFFLAGS");
721
returncode = EXIT_FAILURE;
722
goto exit;
723
}
890
724
}
725
close(sd);
891
726
892
727
if (not debug){
893
728
avahi_set_log_function(empty_log);
894
729
}
895
730
896
/* Initialize the pseudo-RNG for Avahi */
731
/* Initialize the psuedo-RNG */
897
732
srand((unsigned int) time(NULL));
898
899
/* Allocate main Avahi loop object */
900
mc.simple_poll = avahi_simple_poll_new();
901
if (mc.simple_poll == NULL) {
902
fprintf(stderr, "Avahi: Failed to create simple poll"
903
" object.\n");
904
exitcode = EXIT_FAILURE;
905
goto end;
906
}
907
908
{
909
AvahiServerConfig config;
910
/* Do not publish any local Zeroconf records */
911
avahi_server_config_init(&config);
912
config.publish_hinfo = 0;
913
config.publish_addresses = 0;
914
config.publish_workstation = 0;
915
config.publish_domain = 0;
916
917
/* Allocate a new server */
918
mc.server = avahi_server_new(avahi_simple_poll_get
919
(mc.simple_poll), &config, NULL,
920
NULL, &error);
921
922
/* Free the Avahi configuration data */
923
avahi_server_config_free(&config);
924
}
925
926
/* Check if creating the Avahi server object succeeded */
927
if (mc.server == NULL) {
928
fprintf(stderr, "Failed to create Avahi server: %s\n",
733
734
/* Allocate main loop object */
735
if (!(simple_poll = avahi_simple_poll_new())) {
736
fprintf(stderr, "Failed to create simple poll object.\n");
737
returncode = EXIT_FAILURE;
738
goto exit;
739
}
740
741
/* Do not publish any local records */
742
avahi_server_config_init(&config);
743
config.publish_hinfo = 0;
744
config.publish_addresses = 0;
745
config.publish_workstation = 0;
746
config.publish_domain = 0;
747
748
/* Allocate a new server */
749
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
750
&config, NULL, NULL, &error);
751
752
/* Free the configuration data */
753
avahi_server_config_free(&config);
754
755
/* Check if creating the server object succeeded */
756
if (!server) {
757
fprintf(stderr, "Failed to create server: %s\n",
929
758
avahi_strerror(error));
930
exitcode = EXIT_FAILURE;
931
goto end;
759
returncode = EXIT_FAILURE;
760
goto exit;
932
761
}
933
762
934
/* Create the Avahi service browser */
935
sb = avahi_s_service_browser_new(mc.server, if_index,
763
/* Create the service browser */
764
sb = avahi_s_service_browser_new(server,
765
(AvahiIfIndex)
766
if_nametoindex(interface),
936
767
AVAHI_PROTO_INET6,
937
768
"_mandos._tcp", NULL, 0,
938
browse_callback, &mc);
939
if (sb == NULL) {
769
browse_callback, server);
770
if (!sb) {
940
771
fprintf(stderr, "Failed to create service browser: %s\n",
941
avahi_strerror(avahi_server_errno(mc.server)));
942
exitcode = EXIT_FAILURE;
943
goto end;
772
avahi_strerror(avahi_server_errno(server)));
773
returncode = EXIT_FAILURE;
774
goto exit;
944
775
}
945
776
946
777
/* Run the main loop */
947
778
948
779
if (debug){
949
fprintf(stderr, "Starting Avahi loop search\n");
780
fprintf(stderr, "Starting avahi loop search\n");
950
781
}
951
782
952
avahi_simple_poll_loop(mc.simple_poll);
783
avahi_simple_poll_loop(simple_poll);
953
784
954
end:
785
exit:
955
786
956
787
if (debug){
957
788
fprintf(stderr, "%s exiting\n", argv[0]);
958
789
}
959
790
960
791
/* Cleanup things */
961
if (sb != NULL)
792
if (sb)
962
793
avahi_s_service_browser_free(sb);
963
794
964
if (mc.server != NULL)
965
avahi_server_free(mc.server);
795
if (server)
796
avahi_server_free(server);
966
797
967
if (mc.simple_poll != NULL)
968
avahi_simple_poll_free(mc.simple_poll);
969
free(pubkeyfile);
970
free(seckeyfile);
798
if (simple_poll)
799
avahi_simple_poll_free(simple_poll);
800
free(certfile);
801
free(certkey);
971
802
972
return exitcode;
803
return returncode;
973
804
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0