/mandos/release : revision 24.1.9

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

54

struct in6_addr, inet_pton(),

55

connect() */

56

#include <assert.h> /* assert() */

57

#include <errno.h> /* perror(), errno */

58

#include <time.h> /* time() */

59

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

60

SIOCSIFFLAGS, if_indextoname(),

61

if_nametoindex(), IF_NAMESIZE */

62

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

63

getuid(), getgid(), setuid(),

64

setgid() */

65

#include <netinet/in.h>

66

#include <arpa/inet.h> /* inet_pton(), htons */

67

#include <iso646.h> /* not, and */

68

#include <argp.h> /* struct argp_option, error_t, struct

69

argp_state, struct argp,

70

argp_parse(), ARGP_KEY_ARG,

71

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

72

73

/* Avahi */

74

/* All Avahi types, constants and functions

75

Avahi*, avahi_*,

76

AVAHI_* */

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

41

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

42

77

43

#include <avahi-core/core.h>

78

44

#include <avahi-core/lookup.h>

79

45

#include <avahi-core/log.h>

81

47

#include <avahi-common/malloc.h>

82

48

#include <avahi-common/error.h>

83

49

84

/* GnuTLS */

85

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

86

gnutls_*

87

init_gnutls_session(),

88

GNUTLS_* */

89

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

90

GNUTLS_OPENPGP_FMT_BASE64 */

91

92

/* GPGME */

93

#include <gpgme.h> /* All GPGME types, constants and functions

94

gpgme_*

95

GPGME_PROTOCOL_OpenPGP,

96

GPG_ERR_NO_* */

50

//mandos client part

51

#include <sys/types.h> /* socket(), inet_pton() */

52

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

53

struct in6_addr, inet_pton() */

54

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

55

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

56

57

#include <unistd.h> /* close() */

58

#include <netinet/in.h>

59

#include <stdbool.h> /* true */

60

#include <string.h> /* memset */

61

#include <arpa/inet.h> /* inet_pton() */

62

#include <iso646.h> /* not */

63

64

// gpgme

65

#include <errno.h> /* perror() */

66

#include <gpgme.h>

67

68

// getopt long

69

#include <getopt.h>

97

70

98

71

#define BUFFER_SIZE 256

72

#define DH_BITS 1024

73

74

static const char *certdir = "/conf/conf.d/mandos";

75

static const char *certfile = "openpgp-client.txt";

76

static const char *certkey = "openpgp-client-key.txt";

99

77

100

78

bool debug = false;

101

static const char *keydir = "/conf/conf.d/mandos";

102

static const char mandos_protocol_version[] = "1";

103

const char *argp_program_version = "password-request 1.0";

104

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

105

79

106

/* Used for passing in values through the Avahi callback functions */

107

80

typedef struct {

108

81

AvahiSimplePoll *simple_poll;

109

82

AvahiServer *server;

110

83

gnutls_certificate_credentials_t cred;

111

84

unsigned int dh_bits;

112

gnutls_dh_params_t dh_params;

113

85

const char *priority;

114

86

} mandos_context;

115

87

116

/*

117

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

118

* "buffer_capacity" is how much is currently allocated,

119

* "buffer_length" is how much is already used.

120

*/

121

size_t adjustbuffer(char **buffer, size_t buffer_length,

122

size_t buffer_capacity){

123

if (buffer_length + BUFFER_SIZE > buffer_capacity){

124

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

125

if (buffer == NULL){

126

return 0;

127

}

128

buffer_capacity += BUFFER_SIZE;

129

}

130

return buffer_capacity;

131

}

132

133

/*

134

* Decrypt OpenPGP data using keyrings in HOMEDIR.

135

* Returns -1 on error

136

*/

137

static ssize_t pgp_packet_decrypt (const char *cryptotext,

138

size_t crypto_size,

139

char **plaintext,

88

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

89

char **new_packet,

140

90

const char *homedir){

141

91

gpgme_data_t dh_crypto, dh_plain;

142

92

gpgme_ctx_t ctx;

143

93

gpgme_error_t rc;

144

94

ssize_t ret;

145

size_t plaintext_capacity = 0;

146

ssize_t plaintext_length = 0;

95

ssize_t new_packet_capacity = 0;

96

ssize_t new_packet_length = 0;

147

97

gpgme_engine_info_t engine_info;

148

98

149

99

if (debug){

150

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

100

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

151

101

}

152

102

153

103

/* Init GPGME */

159

109

return -1;

160

110

}

161

111

162

/* Set GPGME home directory for the OpenPGP engine only */

112

/* Set GPGME home directory */

163

113

rc = gpgme_get_engine_info (&engine_info);

164

114

if (rc != GPG_ERR_NO_ERROR){

165

115

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

175

125

engine_info = engine_info->next;

176

126

}

177

127

if(engine_info == NULL){

178

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

128

fprintf(stderr, "Could not set home dir to %s\n", homedir);

179

129

return -1;

180

130

}

181

131

182

/* Create new GPGME data buffer from memory cryptotext */

183

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

184

0);

132

/* Create new GPGME data buffer from packet buffer */

133

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

185

134

if (rc != GPG_ERR_NO_ERROR){

186

135

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

187

136

gpgme_strsource(rc), gpgme_strerror(rc));

193

142

if (rc != GPG_ERR_NO_ERROR){

194

143

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

195

144

gpgme_strsource(rc), gpgme_strerror(rc));

196

gpgme_data_release(dh_crypto);

197

145

return -1;

198

146

}

199

147

202

150

if (rc != GPG_ERR_NO_ERROR){

203

151

fprintf(stderr, "bad gpgme_new: %s: %s\n",

204

152

gpgme_strsource(rc), gpgme_strerror(rc));

205

plaintext_length = -1;

206

goto decrypt_end;

153

return -1;

207

154

}

208

155

209

/* Decrypt data from the cryptotext data buffer to the plaintext

210

data buffer */

156

/* Decrypt data from the FILE pointer to the plaintext data

157

buffer */

211

158

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

212

159

if (rc != GPG_ERR_NO_ERROR){

213

160

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

214

161

gpgme_strsource(rc), gpgme_strerror(rc));

215

plaintext_length = -1;

216

goto decrypt_end;

162

return -1;

217

163

}

218

164

219

165

if(debug){

220

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

166

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

221

167

}

222

168

223

169

if (debug){

224

170

gpgme_decrypt_result_t result;

225

171

result = gpgme_op_decrypt_result(ctx);

249

195

}

250

196

}

251

197

198

/* Delete the GPGME FILE pointer cryptotext data buffer */

199

gpgme_data_release(dh_crypto);

200

252

201

/* Seek back to the beginning of the GPGME plaintext data buffer */

253

202

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

203

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

204

}

258

205

259

*plaintext = NULL;

206

*new_packet = 0;

260

207

while(true){

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

208

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

209

*new_packet = realloc(*new_packet,

210

(unsigned int)new_packet_capacity

211

+ BUFFER_SIZE);

212

if (*new_packet == NULL){

213

perror("realloc");

214

return -1;

215

}

216

new_packet_capacity += BUFFER_SIZE;

268

217

}

269

218

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

219

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

271

220

BUFFER_SIZE);

272

221

/* Print the data, if any */

273

222

if (ret == 0){

274

/* EOF */

275

223

break;

276

224

}

277

225

if(ret < 0){

278

226

perror("gpgme_data_read");

279

plaintext_length = -1;

280

goto decrypt_end;

227

return -1;

281

228

}

282

plaintext_length += ret;

229

new_packet_length += ret;

283

230

}

284

231

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

232

/* FIXME: check characters before printing to screen so to not print

233

terminal control characters */

234

/* if(debug){ */

235

/* fprintf(stderr, "decrypted password is: "); */

236

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

237

/* fprintf(stderr, "\n"); */

238

/* } */

297

239

298

240

/* Delete the GPGME plaintext data buffer */

299

241

gpgme_data_release(dh_plain);

300

return plaintext_length;

242

return new_packet_length;

301

243

}

302

244

303

245

static const char * safer_gnutls_strerror (int value) {

307

249

return ret;

308

250

}

309

251

310

/* GnuTLS log function callback */

311

252

static void debuggnutls(__attribute__((unused)) int level,

312

253

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

254

fprintf(stderr, "%s", string);

314

255

}

315

256

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfile,

318

const char *seckeyfile){

257

static int initgnutls(mandos_context *mc){

258

const char *err;

319

259

int ret;

320

260

321

261

if(debug){

322

262

fprintf(stderr, "Initializing GnuTLS\n");

323

263

}

324

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

264

265

if ((ret = gnutls_global_init ())

266

!= GNUTLS_E_SUCCESS) {

267

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

329

268

return -1;

330

269

}

331

270

332

271

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

*/

336

272

gnutls_global_set_log_level(11);

337

273

gnutls_global_set_log_function(debuggnutls);

338

274

}

339

275

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n",

276

/* openpgp credentials */

277

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

278

!= GNUTLS_E_SUCCESS) {

279

fprintf (stderr, "memory error: %s\n",

344

280

safer_gnutls_strerror(ret));

345

gnutls_global_deinit ();

346

281

return -1;

347

282

}

348

283

349

284

if(debug){

350

285

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

351

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

352

seckeyfile);

286

" and keyfile %s as GnuTLS credentials\n", certfile,

287

certkey);

353

288

}

354

289

355

290

ret = gnutls_certificate_set_openpgp_key_file

356

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

291

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

357

292

if (ret != GNUTLS_E_SUCCESS) {

358

fprintf(stderr,

359

"Error[%d] while reading the OpenPGP key pair ('%s',"

360

" '%s')\n", ret, pubkeyfile, seckeyfile);

361

fprintf(stdout, "The GnuTLS error is: %s\n",

293

fprintf

294

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

295

" '%s')\n",

296

ret, certfile, certkey);

297

fprintf(stdout, "The Error is: %s\n",

362

298

safer_gnutls_strerror(ret));

363

goto globalfail;

364

}

365

366

/* GnuTLS server initialization */

367

ret = gnutls_dh_params_init(&mc->dh_params);

368

if (ret != GNUTLS_E_SUCCESS) {

369

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

370

" %s\n", safer_gnutls_strerror(ret));

371

goto globalfail;

372

}

373

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

376

safer_gnutls_strerror(ret));

377

goto globalfail;

378

}

379

380

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

381

382

return 0;

383

384

globalfail:

385

386

gnutls_certificate_free_credentials(mc->cred);

387

gnutls_global_deinit();

388

return -1;

389

390

}

391

392

static int init_gnutls_session(mandos_context *mc,

393

gnutls_session_t *session){

394

int ret;

395

/* GnuTLS session creation */

396

ret = gnutls_init(session, GNUTLS_SERVER);

397

if (ret != GNUTLS_E_SUCCESS){

299

return -1;

300

}

301

302

//GnuTLS server initialization

303

if ((ret = gnutls_dh_params_init (&es->dh_params))

304

!= GNUTLS_E_SUCCESS) {

305

fprintf (stderr, "Error in dh parameter initialization: %s\n",

306

safer_gnutls_strerror(ret));

307

return -1;

308

}

309

310

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

311

!= GNUTLS_E_SUCCESS) {

312

fprintf (stderr, "Error in prime generation: %s\n",

313

safer_gnutls_strerror(ret));

314

return -1;

315

}

316

317

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

318

319

// GnuTLS session creation

320

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

321

!= GNUTLS_E_SUCCESS){

398

322

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

399

323

safer_gnutls_strerror(ret));

400

324

}

401

325

402

{

403

const char *err;

404

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

405

if (ret != GNUTLS_E_SUCCESS) {

406

fprintf(stderr, "Syntax error at: %s\n", err);

407

fprintf(stderr, "GnuTLS error: %s\n",

408

safer_gnutls_strerror(ret));

409

gnutls_deinit (*session);

410

return -1;

411

}

326

if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Syntax error at: %s\n", err);

329

fprintf(stderr, "GnuTLS error: %s\n",

330

safer_gnutls_strerror(ret));

331

return -1;

412

332

}

413

333

414

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

415

mc->cred);

416

if (ret != GNUTLS_E_SUCCESS) {

417

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

334

if ((ret = gnutls_credentials_set

335

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

336

!= GNUTLS_E_SUCCESS) {

337

fprintf(stderr, "Error setting a credentials set: %s\n",

418

338

safer_gnutls_strerror(ret));

419

gnutls_deinit (*session);

420

339

return -1;

421

340

}

422

341

423

342

/* ignore client certificate if any. */

424

gnutls_certificate_server_set_request (*session,

343

gnutls_certificate_server_set_request (es->session,

425

344

GNUTLS_CERT_IGNORE);

426

345

427

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

346

gnutls_dh_set_prime_bits (es->session, DH_BITS);

428

347

429

348

return 0;

430

349

}

431

350

432

/* Avahi log function callback */

433

351

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

434

352

__attribute__((unused)) const char *txt){}

435

353

436

/* Called when a Mandos server is found */

437

354

static int start_mandos_communication(const char *ip, uint16_t port,

438

355

AvahiIfIndex if_index,

439

356

mandos_context *mc){

440

357

int ret, tcp_sd;

441

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

358

struct sockaddr_in6 to;

359

encrypted_session es;

442

360

char *buffer = NULL;

443

361

char *decrypted_buffer;

444

362

size_t buffer_length = 0;

445

363

size_t buffer_capacity = 0;

446

364

ssize_t decrypted_buffer_size;

447

size_t written;

365

size_t written = 0;

448

366

int retval = 0;

449

367

char interface[IF_NAMESIZE];

450

gnutls_session_t session;

451

452

ret = init_gnutls_session (mc, &session);

453

if (ret != 0){

454

return -1;

455

}

456

368

457

369

if(debug){

458

370

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

467

379

468

380

if(debug){

469

381

if(if_indextoname((unsigned int)if_index, interface) == NULL){

470

perror("if_indextoname");

382

if(debug){

383

perror("if_indextoname");

384

}

471

385

return -1;

472

386

}

387

473

388

fprintf(stderr, "Binding to interface %s\n", interface);

474

389

}

475

390

476

391

memset(&to,0,sizeof(to)); /* Spurious warning */

477

to.in6.sin6_family = AF_INET6;

478

/* It would be nice to have a way to detect if we were passed an

479

IPv4 address here. Now we assume an IPv6 address. */

480

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

392

to.sin6_family = AF_INET6;

393

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

481

394

if (ret < 0 ){

482

395

perror("inet_pton");

483

396

return -1;

484

}

397

}

485

398

if(ret == 0){

486

399

fprintf(stderr, "Bad address: %s\n", ip);

487

400

return -1;

488

401

}

489

to.in6.sin6_port = htons(port); /* Spurious warning */

402

to.sin6_port = htons(port); /* Spurious warning */

490

403

491

to.in6.sin6_scope_id = (uint32_t)if_index;

404

to.sin6_scope_id = (uint32_t)if_index;

492

405

493

406

if(debug){

494

407

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

495

char addrstr[INET6_ADDRSTRLEN] = "";

496

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

497

sizeof(addrstr)) == NULL){

498

perror("inet_ntop");

499

} else {

500

if(strcmp(addrstr, ip) != 0){

501

fprintf(stderr, "Canonical address form: %s\n", addrstr);

502

}

503

}

408

/* char addrstr[INET6_ADDRSTRLEN]; */

409

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

410

/* sizeof(addrstr)) == NULL){ */

411

/* perror("inet_ntop"); */

412

/* } else { */

413

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

414

/* addrstr, ntohs(to.sin6_port)); */

415

/* } */

504

416

}

505

417

506

ret = connect(tcp_sd, &to.in, sizeof(to));

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

507

419

if (ret < 0){

508

420

perror("connect");

509

421

return -1;

510

422

}

511

512

const char *out = mandos_protocol_version;

513

written = 0;

514

while (true){

515

size_t out_size = strlen(out);

516

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

517

out_size - written));

518

if (ret == -1){

519

perror("write");

520

retval = -1;

521

goto mandos_end;

522

}

523

written += (size_t)ret;

524

if(written < out_size){

525

continue;

526

} else {

527

if (out == mandos_protocol_version){

528

written = 0;

529

out = "\r\n";

530

} else {

531

break;

532

}

533

}

423

424

ret = initgnutls (&es);

425

if (ret != 0){

426

retval = -1;

427

return -1;

534

428

}

535

429

430

gnutls_transport_set_ptr (es.session,

431

(gnutls_transport_ptr_t) tcp_sd);

432

536

433

if(debug){

537

434

fprintf(stderr, "Establishing TLS session with %s\n", ip);

538

435

}

539

436

540

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

541

542

do{

543

ret = gnutls_handshake (session);

544

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

437

ret = gnutls_handshake (es.session);

545

438

546

439

if (ret != GNUTLS_E_SUCCESS){

547

440

if(debug){

548

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

441

fprintf(stderr, "\n*** Handshake failed ***\n");

549

442

gnutls_perror (ret);

550

443

}

551

444

retval = -1;

552

goto mandos_end;

445

goto exit;

553

446

}

554

447

555

/* Read OpenPGP packet that contains the wanted password */

448

//Retrieve OpenPGP packet that contains the wanted password

556

449

557

450

if(debug){

558

451

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

560

453

}

561

454

562

455

while(true){

563

buffer_capacity = adjustbuffer(&buffer, buffer_length,

564

buffer_capacity);

565

if (buffer_capacity == 0){

566

perror("adjustbuffer");

567

retval = -1;

568

goto mandos_end;

456

if (buffer_length + BUFFER_SIZE > buffer_capacity){

457

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

458

if (buffer == NULL){

459

perror("realloc");

460

goto exit;

461

}

462

buffer_capacity += BUFFER_SIZE;

569

463

}

570

464

571

ret = gnutls_record_recv(session, buffer+buffer_length,

572

BUFFER_SIZE);

465

ret = gnutls_record_recv

466

(es.session, buffer+buffer_length, BUFFER_SIZE);

573

467

if (ret == 0){

574

468

break;

575

469

}

579

473

case GNUTLS_E_AGAIN:

580

474

break;

581

475

case GNUTLS_E_REHANDSHAKE:

582

do{

583

ret = gnutls_handshake (session);

584

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

476

ret = gnutls_handshake (es.session);

585

477

if (ret < 0){

586

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

478

fprintf(stderr, "\n*** Handshake failed ***\n");

587

479

gnutls_perror (ret);

588

480

retval = -1;

589

goto mandos_end;

481

goto exit;

590

482

}

591

483

break;

592

484

default:

593

485

fprintf(stderr, "Unknown error while reading data from"

594

" encrypted session with Mandos server\n");

486

" encrypted session with mandos server\n");

595

487

retval = -1;

596

gnutls_bye (session, GNUTLS_SHUT_RDWR);

597

goto mandos_end;

488

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

489

goto exit;

598

490

}

599

491

} else {

600

492

buffer_length += (size_t) ret;

601

493

}

602

494

}

603

495

604

if(debug){

605

fprintf(stderr, "Closing TLS session\n");

606

}

607

608

gnutls_bye (session, GNUTLS_SHUT_RDWR);

609

610

496

if (buffer_length > 0){

611

497

decrypted_buffer_size = pgp_packet_decrypt(buffer,

612

498

buffer_length,

613

499

&decrypted_buffer,

614

keydir);

500

certdir);

615

501

if (decrypted_buffer_size >= 0){

616

written = 0;

617

502

while(written < (size_t) decrypted_buffer_size){

618

503

ret = (int)fwrite (decrypted_buffer + written, 1,

619

504

(size_t)decrypted_buffer_size - written,

633

518

retval = -1;

634

519

}

635

520

}

636

637

/* Shutdown procedure */

638

639

mandos_end:

521

522

//shutdown procedure

523

524

if(debug){

525

fprintf(stderr, "Closing TLS session\n");

526

}

527

640

528

free(buffer);

529

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

530

exit:

641

531

close(tcp_sd);

642

gnutls_deinit (session);

532

gnutls_deinit (es.session);

533

gnutls_certificate_free_credentials (es.cred);

534

gnutls_global_deinit ();

643

535

return retval;

644

536

}

645

537

646

static void resolve_callback(AvahiSServiceResolver *r,

647

AvahiIfIndex interface,

648

AVAHI_GCC_UNUSED AvahiProtocol protocol,

649

AvahiResolverEvent event,

650

const char *name,

651

const char *type,

652

const char *domain,

653

const char *host_name,

654

const AvahiAddress *address,

655

uint16_t port,

656

AVAHI_GCC_UNUSED AvahiStringList *txt,

657

AVAHI_GCC_UNUSED AvahiLookupResultFlags

658

flags,

659

void* userdata) {

538

static void resolve_callback( AvahiSServiceResolver *r,

539

AvahiIfIndex interface,

540

AVAHI_GCC_UNUSED AvahiProtocol protocol,

541

AvahiResolverEvent event,

542

const char *name,

543

const char *type,

544

const char *domain,

545

const char *host_name,

546

const AvahiAddress *address,

547

uint16_t port,

548

AVAHI_GCC_UNUSED AvahiStringList *txt,

549

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

550

AVAHI_GCC_UNUSED void* userdata) {

660

551

mandos_context *mc = userdata;

661

552

assert(r); /* Spurious warning */

662

553

666

557

switch (event) {

667

558

default:

668

559

case AVAHI_RESOLVER_FAILURE:

669

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

670

" of type '%s' in domain '%s': %s\n", name, type, domain,

560

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

561

" type '%s' in domain '%s': %s\n", name, type, domain,

671

562

avahi_strerror(avahi_server_errno(mc->server)));

672

563

break;

673

564

676

567

char ip[AVAHI_ADDRESS_STR_MAX];

677

568

avahi_address_snprint(ip, sizeof(ip), address);

678

569

if(debug){

679

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

680

" port %d\n", name, host_name, ip, interface, port);

570

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

571

" port %d\n", name, host_name, ip, port);

681

572

}

682

573

int ret = start_mandos_communication(ip, port, interface, mc);

683

574

if (ret == 0){

695

586

const char *name,

696

587

const char *type,

697

588

const char *domain,

698

AVAHI_GCC_UNUSED AvahiLookupResultFlags

699

flags,

589

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

700

590

void* userdata) {

701

591

mandos_context *mc = userdata;

702

592

assert(b); /* Spurious warning */

707

597

switch (event) {

708

598

default:

709

599

case AVAHI_BROWSER_FAILURE:

710

711

fprintf(stderr, "(Avahi browser) %s\n",

600

601

fprintf(stderr, "(Browser) %s\n",

712

602

avahi_strerror(avahi_server_errno(mc->server)));

713

603

avahi_simple_poll_quit(mc->simple_poll);

714

604

return;

715

605

716

606

case AVAHI_BROWSER_NEW:

717

/* We ignore the returned Avahi resolver object. In the callback

718

function we free it. If the Avahi server is terminated before

719

the callback function is called the Avahi server will free the

720

resolver for us. */

721

722

if (!(avahi_s_service_resolver_new(mc->server, interface,

723

protocol, name, type, domain,

607

/* We ignore the returned resolver object. In the callback

608

function we free it. If the server is terminated before

609

the callback function is called the server will free

610

the resolver for us. */

611

612

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

613

type, domain,

724

614

AVAHI_PROTO_INET6, 0,

725

615

resolve_callback, mc)))

726

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

727

name, avahi_strerror(avahi_server_errno(mc->server)));

616

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

617

avahi_strerror(avahi_server_errno(s)));

728

618

break;

729

619

730

620

case AVAHI_BROWSER_REMOVE:

731

621

break;

732

622

733

623

case AVAHI_BROWSER_ALL_FOR_NOW:

734

624

case AVAHI_BROWSER_CACHE_EXHAUSTED:

735

if(debug){

736

fprintf(stderr, "No Mandos server found, still searching...\n");

737

}

738

625

break;

739

626

}

740

627

}

749

636

return NULL;

750

637

}

751

638

if(f_len > 0){

752

memcpy(tmp, first, f_len); /* Spurious warning */

639

memcpy(tmp, first, f_len);

753

640

}

754

641

tmp[f_len] = '/';

755

642

if(s_len > 0){

756

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

643

memcpy(tmp + f_len + 1, second, s_len);

757

644

}

758

645

tmp[f_len + 1 + s_len] = '\0';

759

646

return tmp;

760

647

}

761

648

762

649

763

int main(int argc, char *argv[]){

650

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

651

AvahiServerConfig config;

764

652

AvahiSServiceBrowser *sb = NULL;

765

653

int error;

766

654

int ret;

767

int exitcode = EXIT_SUCCESS;

655

int returncode = EXIT_SUCCESS;

768

656

const char *interface = "eth0";

769

657

struct ifreq network;

770

658

int sd;

771

uid_t uid;

772

gid_t gid;

773

659

char *connect_to = NULL;

774

660

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

775

const char *pubkeyfile = "pubkey.txt";

776

const char *seckeyfile = "seckey.txt";

777

661

mandos_context mc = { .simple_poll = NULL, .server = NULL,

778

.dh_bits = 1024, .priority = "SECURE256"};

779

bool gnutls_initalized = false;

662

.dh_bits = 2048, .priority = "SECURE256"};

780

663

781

{

782

struct argp_option options[] = {

783

{ .name = "debug", .key = 128,

784

.doc = "Debug mode", .group = 3 },

785

{ .name = "connect", .key = 'c',

786

.arg = "IP",

787

.doc = "Connect directly to a sepcified mandos server",

788

.group = 1 },

789

{ .name = "interface", .key = 'i',

790

.arg = "INTERFACE",

791

.doc = "Interface that Avahi will conntect through",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "KEYDIR",

795

.doc = "Directory where the openpgp keyring is",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "SECKEY",

799

.doc = "Secret openpgp key for gnutls authentication",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "PUBKEY",

803

.doc = "Public openpgp key for gnutls authentication",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "dh-bits to use in gnutls communication",

808

.group = 2 },

809

{ .name = "priority", .key = 130,

810

.arg = "PRIORITY",

811

.doc = "GNUTLS priority", .group = 1 },

812

{ .name = NULL }

813

};

814

815

816

error_t parse_opt (int key, char *arg,

817

struct argp_state *state) {

818

/* Get the INPUT argument from `argp_parse', which we know is

819

a pointer to our plugin list pointer. */

820

switch (key) {

821

case 128:

822

debug = true;

823

break;

824

case 'c':

825

connect_to = arg;

826

break;

827

case 'i':

828

interface = arg;

829

break;

830

case 'd':

831

keydir = arg;

832

break;

833

case 's':

834

seckeyfile = arg;

835

break;

836

case 'p':

837

pubkeyfile = arg;

838

break;

839

case 129:

664

while (true){

665

static struct option long_options[] = {

666

{"debug", no_argument, (int *)&debug, 1},

667

{"connect", required_argument, 0, 'C'},

668

{"interface", required_argument, 0, 'i'},

669

{"certdir", required_argument, 0, 'd'},

670

{"certkey", required_argument, 0, 'c'},

671

{"certfile", required_argument, 0, 'k'},

672

{"dh_bits", required_argument, 0, 'D'},

673

{"priority", required_argument, 0, 'p'},

674

{0, 0, 0, 0} };

675

676

int option_index = 0;

677

ret = getopt_long (argc, argv, "i:", long_options,

678

&option_index);

679

680

if (ret == -1){

681

break;

682

}

683

684

switch(ret){

685

case 0:

686

break;

687

case 'i':

688

interface = optarg;

689

break;

690

case 'C':

691

connect_to = optarg;

692

break;

693

case 'd':

694

certdir = optarg;

695

break;

696

case 'c':

697

certfile = optarg;

698

break;

699

case 'k':

700

certkey = optarg;

701

break;

702

case 'D':

703

{

704

long int tmp;

840

705

errno = 0;

841

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

842

if (errno){

706

tmp = strtol(optarg, NULL, 10);

707

if (errno == ERANGE){

843

708

perror("strtol");

844

709

exit(EXIT_FAILURE);

845

710

}

846

break;

847

case 130:

848

mc.priority = arg;

849

break;

850

case ARGP_KEY_ARG:

851

argp_usage (state);

852

break;

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

711

mc.dh_bits = tmp;

857

712

}

858

return 0;

859

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unkown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

}

872

873

pubkeyfile = combinepath(keydir, pubkeyfile);

874

if (pubkeyfile == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfile = combinepath(keydir, seckeyfile);

881

if (seckeyfile == NULL){

882

perror("combinepath");

883

goto end;

884

}

885

886

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

887

if (ret == -1){

888

fprintf(stderr, "init_gnutls_global\n");

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

uid = getuid();

895

gid = getgid();

896

897

ret = setuid(uid);

898

if (ret == -1){

899

perror("setuid");

900

}

901

902

setgid(gid);

903

if (ret == -1){

904

perror("setgid");

713

break;

714

case 'p':

715

mc.priority = optarg;

716

break;

717

default:

718

exit(EXIT_FAILURE);

719

}

720

}

721

722

certfile = combinepath(certdir, certfile);

723

if (certfile == NULL){

724

perror("combinepath");

725

returncode = EXIT_FAILURE;

726

goto exit;

727

}

728

729

certkey = combinepath(certdir, certkey);

730

if (certkey == NULL){

731

perror("combinepath");

732

returncode = EXIT_FAILURE;

733

goto exit;

905

734

}

906

735

907

736

if_index = (AvahiIfIndex) if_nametoindex(interface);

916

745

char *address = strrchr(connect_to, ':');

917

746

if(address == NULL){

918

747

fprintf(stderr, "No colon in address\n");

919

exitcode = EXIT_FAILURE;

920

goto end;

748

exit(EXIT_FAILURE);

921

749

}

922

750

errno = 0;

923

751

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

924

752

if(errno){

925

753

perror("Bad port number");

926

exitcode = EXIT_FAILURE;

927

goto end;

754

exit(EXIT_FAILURE);

928

755

}

929

756

*address = '\0';

930

757

address = connect_to;

931

ret = start_mandos_communication(address, port, if_index, &mc);

758

ret = start_mandos_communication(address, port, if_index);

932

759

if(ret < 0){

933

exitcode = EXIT_FAILURE;

760

exit(EXIT_FAILURE);

934

761

} else {

935

exitcode = EXIT_SUCCESS;

762

exit(EXIT_SUCCESS);

936

763

}

937

goto end;

938

764

}

939

765

940

/* If the interface is down, bring it up */

941

{

942

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

943

if(sd < 0) {

944

perror("socket");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

strcpy(network.ifr_name, interface); /* Spurious warning */

949

ret = ioctl(sd, SIOCGIFFLAGS, &network);

766

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

767

if(sd < 0) {

768

perror("socket");

769

returncode = EXIT_FAILURE;

770

goto exit;

771

}

772

strcpy(network.ifr_name, interface);

773

ret = ioctl(sd, SIOCGIFFLAGS, &network);

774

if(ret == -1){

775

776

perror("ioctl SIOCGIFFLAGS");

777

returncode = EXIT_FAILURE;

778

goto exit;

779

}

780

if((network.ifr_flags & IFF_UP) == 0){

781

network.ifr_flags |= IFF_UP;

782

ret = ioctl(sd, SIOCSIFFLAGS, &network);

950

783

if(ret == -1){

951

perror("ioctl SIOCGIFFLAGS");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

if((network.ifr_flags & IFF_UP) == 0){

956

network.ifr_flags |= IFF_UP;

957

ret = ioctl(sd, SIOCSIFFLAGS, &network);

958

if(ret == -1){

959

perror("ioctl SIOCSIFFLAGS");

960

exitcode = EXIT_FAILURE;

961

goto end;

962

}

963

}

964

close(sd);

784

perror("ioctl SIOCSIFFLAGS");

785

returncode = EXIT_FAILURE;

786

goto exit;

787

}

965

788

}

789

close(sd);

966

790

967

791

if (not debug){

968

792

avahi_set_log_function(empty_log);

969

793

}

970

794

971

/* Initialize the pseudo-RNG for Avahi */

795

/* Initialize the psuedo-RNG */

972

796

srand((unsigned int) time(NULL));

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

797

798

/* Allocate main loop object */

799

if (!(mc.simple_poll = avahi_simple_poll_new())) {

800

fprintf(stderr, "Failed to create simple poll object.\n");

801

returncode = EXIT_FAILURE;

802

goto exit;

803

}

804

805

/* Do not publish any local records */

806

avahi_server_config_init(&config);

807

config.publish_hinfo = 0;

808

config.publish_addresses = 0;

809

config.publish_workstation = 0;

810

config.publish_domain = 0;

811

812

/* Allocate a new server */

813

mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),

814

&config, NULL, NULL, &error);

815

816

/* Free the configuration data */

817

avahi_server_config_free(&config);

818

819

/* Check if creating the server object succeeded */

820

if (!mc.server) {

821

fprintf(stderr, "Failed to create server: %s\n",

1004

822

avahi_strerror(error));

1005

exitcode = EXIT_FAILURE;

1006

goto end;

823

returncode = EXIT_FAILURE;

824

goto exit;

1007

825

}

1008

826

1009

/* Create the Avahi service browser */

827

/* Create the service browser */

1010

828

sb = avahi_s_service_browser_new(mc.server, if_index,

1011

829

AVAHI_PROTO_INET6,

1012

830

"_mandos._tcp", NULL, 0,

1013

831

browse_callback, &mc);

1014

if (sb == NULL) {

832

if (!sb) {

1015

833

fprintf(stderr, "Failed to create service browser: %s\n",

1016

834

avahi_strerror(avahi_server_errno(mc.server)));

1017

exitcode = EXIT_FAILURE;

1018

goto end;

835

returncode = EXIT_FAILURE;

836

goto exit;

1019

837

}

1020

838

1021

839

/* Run the main loop */

1022

840

1023

841

if (debug){

1024

fprintf(stderr, "Starting Avahi loop search\n");

842

fprintf(stderr, "Starting avahi loop search\n");

1025

843

}

1026

844

1027

avahi_simple_poll_loop(mc.simple_poll);

845

avahi_simple_poll_loop(simple_poll);

1028

846

1029

end:

847

exit:

1030

848

1031

849

if (debug){

1032

850

fprintf(stderr, "%s exiting\n", argv[0]);

1033

851

}

1034

852

1035

853

/* Cleanup things */

1036

if (sb != NULL)

854

if (sb)

1037

855

avahi_s_service_browser_free(sb);

1038

856

1039

if (mc.server != NULL)

857

if (mc.server)

1040

858

avahi_server_free(mc.server);

1041

859

1042

if (mc.simple_poll != NULL)

1043

avahi_simple_poll_free(mc.simple_poll);

1044

free(pubkeyfile);

1045

free(seckeyfile);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

860

if (simple_poll)

861

avahi_simple_poll_free(simple_poll);

862

free(certfile);

863

free(certkey);

1051

864

1052

return exitcode;

865

return returncode;

1053

866

}