/mandos/release : revision 24

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-22 01:59:47 UTC
Revision ID: teddy@fukt.bsnet.se-20080722015947-y7o6keji020nvrhw

* Makefile (OPTIMIZE): New; optimize for size.
(CFLAGS): Use $(OPTIMIZE).

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
COPYING

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* Påhlsson.

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _FORTIFY_SOURCE 2

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

#define DH_BITS 1024

100

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

108

typedef struct {

109

AvahiSimplePoll *simple_poll;

110

AvahiServer *server;

gnutls_session_t session;

111

gnutls_certificate_credentials_t cred;

112

unsigned int dh_bits;

113

gnutls_dh_params_t dh_params;

114

const char *priority;

115

} mandos_context;

116

117

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

134

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

137

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

141

const char *homedir){

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

148

gpgme_engine_info_t engine_info;

149

150

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

152

100

}

153

101

154

102

/* Init GPGME */

155

103

gpgme_check_version(NULL);

156

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

157

if (rc != GPG_ERR_NO_ERROR){

158

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

159

gpgme_strsource(rc), gpgme_strerror(rc));

160

return -1;

161

}

104

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

162

105

163

/* Set GPGME home directory for the OpenPGP engine only */

106

/* Set GPGME home directory */

164

107

rc = gpgme_get_engine_info (&engine_info);

165

108

if (rc != GPG_ERR_NO_ERROR){

166

109

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

176

119

engine_info = engine_info->next;

177

120

}

178

121

if(engine_info == NULL){

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

122

fprintf(stderr, "Could not set home dir to %s\n", homedir);

180

123

return -1;

181

124

}

182

125

183

/* Create new GPGME data buffer from memory cryptotext */

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

185

0);

126

/* Create new GPGME data buffer from packet buffer */

127

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

186

128

if (rc != GPG_ERR_NO_ERROR){

187

129

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

188

130

gpgme_strsource(rc), gpgme_strerror(rc));

194

136

if (rc != GPG_ERR_NO_ERROR){

195

137

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

196

138

gpgme_strsource(rc), gpgme_strerror(rc));

197

gpgme_data_release(dh_crypto);

198

139

return -1;

199

140

}

200

141

203

144

if (rc != GPG_ERR_NO_ERROR){

204

145

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

146

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

147

return -1;

208

148

}

209

149

210

/* Decrypt data from the cryptotext data buffer to the plaintext

211

data buffer */

150

/* Decrypt data from the FILE pointer to the plaintext data

151

buffer */

212

152

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

153

if (rc != GPG_ERR_NO_ERROR){

214

154

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

215

155

gpgme_strsource(rc), gpgme_strerror(rc));

216

plaintext_length = -1;

217

goto decrypt_end;

156

return -1;

218

157

}

219

158

220

159

if(debug){

221

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

160

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

222

161

}

223

162

224

163

if (debug){

225

164

gpgme_decrypt_result_t result;

226

165

result = gpgme_op_decrypt_result(ctx);

229

168

} else {

230

169

fprintf(stderr, "Unsupported algorithm: %s\n",

231

170

result->unsupported_algorithm);

232

fprintf(stderr, "Wrong key usage: %u\n",

171

fprintf(stderr, "Wrong key usage: %d\n",

233

172

result->wrong_key_usage);

234

173

if(result->file_name != NULL){

235

174

fprintf(stderr, "File name: %s\n", result->file_name);

250

189

}

251

190

}

252

191

192

/* Delete the GPGME FILE pointer cryptotext data buffer */

193

gpgme_data_release(dh_crypto);

194

253

195

/* Seek back to the beginning of the GPGME plaintext data buffer */

254

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

255

perror("pgpme_data_seek");

256

plaintext_length = -1;

257

goto decrypt_end;

258

}

259

260

*plaintext = NULL;

196

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

197

198

*new_packet = 0;

261

199

while(true){

262

plaintext_capacity = adjustbuffer(plaintext,

263

(size_t)plaintext_length,

264

plaintext_capacity);

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

267

plaintext_length = -1;

268

goto decrypt_end;

200

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

201

*new_packet = realloc(*new_packet,

202

(unsigned int)new_packet_capacity

203

+ BUFFER_SIZE);

204

if (*new_packet == NULL){

205

perror("realloc");

206

return -1;

207

}

208

new_packet_capacity += BUFFER_SIZE;

269

209

}

270

210

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

272

212

BUFFER_SIZE);

273

213

/* Print the data, if any */

274

214

if (ret == 0){

275

/* EOF */

276

215

break;

277

216

}

278

217

if(ret < 0){

279

218

perror("gpgme_data_read");

280

plaintext_length = -1;

281

goto decrypt_end;

219

return -1;

282

220

}

283

plaintext_length += ret;

221

new_packet_length += ret;

284

222

}

285

223

286

if(debug){

287

fprintf(stderr, "Decrypted password is: ");

288

for(ssize_t i = 0; i < plaintext_length; i++){

289

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

290

}

291

fprintf(stderr, "\n");

292

}

293

294

decrypt_end:

295

296

/* Delete the GPGME cryptotext data buffer */

297

gpgme_data_release(dh_crypto);

224

/* FIXME: check characters before printing to screen so to not print

225

terminal control characters */

226

/* if(debug){ */

227

/* fprintf(stderr, "decrypted password is: "); */

228

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

229

/* fprintf(stderr, "\n"); */

230

/* } */

298

231

299

232

/* Delete the GPGME plaintext data buffer */

300

233

gpgme_data_release(dh_plain);

301

return plaintext_length;

234

return new_packet_length;

302

235

}

303

236

304

237

static const char * safer_gnutls_strerror (int value) {

305

const char *ret = gnutls_strerror (value); /* Spurious warning */

238

const char *ret = gnutls_strerror (value);

306

239

if (ret == NULL)

307

240

ret = "(unknown)";

308

241

return ret;

309

242

}

310

243

311

/* GnuTLS log function callback */

312

static void debuggnutls(__attribute__((unused)) int level,

313

const char* string){

314

fprintf(stderr, "GnuTLS: %s", string);

244

void debuggnutls(__attribute__((unused)) int level,

245

const char* string){

246

fprintf(stderr, "%s", string);

315

247

}

316

248

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfilename,

319

const char *seckeyfilename){

249

int initgnutls(encrypted_session *es){

250

const char *err;

320

251

int ret;

321

252

322

253

if(debug){

323

254

fprintf(stderr, "Initializing GnuTLS\n");

324

255

}

325

256

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

257

if ((ret = gnutls_global_init ())

258

!= GNUTLS_E_SUCCESS) {

259

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

330

260

return -1;

331

261

}

332

262

333

263

if (debug){

334

/* "Use a log level over 10 to enable all debugging options."

335

* - GnuTLS manual

336

337

264

gnutls_global_set_log_level(11);

338

265

gnutls_global_set_log_function(debuggnutls);

339

266

}

340

267

341

/* OpenPGP credentials */

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

345

warning */

268

/* openpgp credentials */

269

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

270

!= GNUTLS_E_SUCCESS) {

271

fprintf (stderr, "memory error: %s\n",

346

272

safer_gnutls_strerror(ret));

347

gnutls_global_deinit ();

348

273

return -1;

349

274

}

350

275

351

276

if(debug){

352

277

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

353

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

354

seckeyfilename);

278

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

279

KEYFILE);

355

280

}

356

281

357

282

ret = gnutls_certificate_set_openpgp_key_file

358

(mc->cred, pubkeyfilename, seckeyfilename,

359

GNUTLS_OPENPGP_FMT_BASE64);

283

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

360

284

if (ret != GNUTLS_E_SUCCESS) {

361

fprintf(stderr,

362

"Error[%d] while reading the OpenPGP key pair ('%s',"

363

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

364

fprintf(stdout, "The GnuTLS error is: %s\n",

285

fprintf

286

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

287

" '%s')\n",

288

ret, CERTFILE, KEYFILE);

289

fprintf(stdout, "The Error is: %s\n",

365

290

safer_gnutls_strerror(ret));

366

goto globalfail;

367

}

368

369

/* GnuTLS server initialization */

370

ret = gnutls_dh_params_init(&mc->dh_params);

371

if (ret != GNUTLS_E_SUCCESS) {

372

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

373

" %s\n", safer_gnutls_strerror(ret));

374

goto globalfail;

375

}

376

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

377

if (ret != GNUTLS_E_SUCCESS) {

378

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

379

safer_gnutls_strerror(ret));

380

goto globalfail;

381

}

382

383

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

384

385

return 0;

386

387

globalfail:

388

389

gnutls_certificate_free_credentials(mc->cred);

390

gnutls_global_deinit();

391

return -1;

392

393

}

394

395

static int init_gnutls_session(mandos_context *mc,

396

gnutls_session_t *session){

397

int ret;

398

/* GnuTLS session creation */

399

ret = gnutls_init(session, GNUTLS_SERVER);

400

if (ret != GNUTLS_E_SUCCESS){

291

return -1;

292

}

293

294

//GnuTLS server initialization

295

if ((ret = gnutls_dh_params_init (&es->dh_params))

296

!= GNUTLS_E_SUCCESS) {

297

fprintf (stderr, "Error in dh parameter initialization: %s\n",

298

safer_gnutls_strerror(ret));

299

return -1;

300

}

301

302

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in prime generation: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

310

311

// GnuTLS session creation

312

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

313

!= GNUTLS_E_SUCCESS){

401

314

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

402

315

safer_gnutls_strerror(ret));

403

316

}

404

317

405

{

406

const char *err;

407

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

408

if (ret != GNUTLS_E_SUCCESS) {

409

fprintf(stderr, "Syntax error at: %s\n", err);

410

fprintf(stderr, "GnuTLS error: %s\n",

411

safer_gnutls_strerror(ret));

412

gnutls_deinit (*session);

413

return -1;

414

}

318

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf(stderr, "Syntax error at: %s\n", err);

321

fprintf(stderr, "GnuTLS error: %s\n",

322

safer_gnutls_strerror(ret));

323

return -1;

415

324

}

416

325

417

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

418

mc->cred);

419

if (ret != GNUTLS_E_SUCCESS) {

420

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

326

if ((ret = gnutls_credentials_set

327

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

328

!= GNUTLS_E_SUCCESS) {

329

fprintf(stderr, "Error setting a credentials set: %s\n",

421

330

safer_gnutls_strerror(ret));

422

gnutls_deinit (*session);

423

331

return -1;

424

332

}

425

333

426

334

/* ignore client certificate if any. */

427

gnutls_certificate_server_set_request (*session,

335

gnutls_certificate_server_set_request (es->session,

428

336

GNUTLS_CERT_IGNORE);

429

337

430

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

338

gnutls_dh_set_prime_bits (es->session, DH_BITS);

431

339

432

340

return 0;

433

341

}

434

342

435

/* Avahi log function callback */

436

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

437

__attribute__((unused)) const char *txt){}

343

void empty_log(__attribute__((unused)) AvahiLogLevel level,

344

__attribute__((unused)) const char *txt){}

438

345

439

/* Called when a Mandos server is found */

440

static int start_mandos_communication(const char *ip, uint16_t port,

441

AvahiIfIndex if_index,

442

mandos_context *mc){

346

int start_mandos_communication(const char *ip, uint16_t port,

347

unsigned int if_index){

443

348

int ret, tcp_sd;

444

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

349

struct sockaddr_in6 to;

350

encrypted_session es;

445

351

char *buffer = NULL;

446

352

char *decrypted_buffer;

447

353

size_t buffer_length = 0;

448

354

size_t buffer_capacity = 0;

449

355

ssize_t decrypted_buffer_size;

450

size_t written;

356

size_t written = 0;

451

357

int retval = 0;

452

358

char interface[IF_NAMESIZE];

453

gnutls_session_t session;

454

455

ret = init_gnutls_session (mc, &session);

456

if (ret != 0){

457

return -1;

458

}

459

359

460

360

if(debug){

461

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

462

"\n", ip, port);

361

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

463

362

}

464

363

465

364

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

467

366

perror("socket");

468

367

return -1;

469

368

}

470

471

if(debug){

472

if(if_indextoname((unsigned int)if_index, interface) == NULL){

369

370

if(if_indextoname(if_index, interface) == NULL){

371

if(debug){

473

372

perror("if_indextoname");

474

return -1;

475

373

}

374

return -1;

375

}

376

377

if(debug){

476

378

fprintf(stderr, "Binding to interface %s\n", interface);

477

379

}

478

380

479

memset(&to, 0, sizeof(to));

480

to.in6.sin6_family = AF_INET6;

481

/* It would be nice to have a way to detect if we were passed an

482

IPv4 address here. Now we assume an IPv6 address. */

483

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

484

384

if (ret < 0 ){

485

385

perror("inet_pton");

486

386

return -1;

487

}

387

}

488

388

if(ret == 0){

489

389

fprintf(stderr, "Bad address: %s\n", ip);

490

390

return -1;

491

391

}

492

to.in6.sin6_port = htons(port); /* Spurious warning */

392

to.sin6_port = htons(port); /* Spurious warning */

493

393

494

to.in6.sin6_scope_id = (uint32_t)if_index;

394

to.sin6_scope_id = (uint32_t)if_index;

495

395

496

396

if(debug){

497

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

498

port);

499

char addrstr[INET6_ADDRSTRLEN] = "";

500

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

501

sizeof(addrstr)) == NULL){

502

perror("inet_ntop");

503

} else {

504

if(strcmp(addrstr, ip) != 0){

505

fprintf(stderr, "Canonical address form: %s\n", addrstr);

506

}

507

}

397

fprintf(stderr, "Connection to: %s\n", ip);

508

398

}

509

399

510

ret = connect(tcp_sd, &to.in, sizeof(to));

400

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

511

401

if (ret < 0){

512

402

perror("connect");

513

403

return -1;

514

404

}

515

516

const char *out = mandos_protocol_version;

517

written = 0;

518

while (true){

519

size_t out_size = strlen(out);

520

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

521

out_size - written));

522

if (ret == -1){

523

perror("write");

524

retval = -1;

525

goto mandos_end;

526

}

527

written += (size_t)ret;

528

if(written < out_size){

529

continue;

530

} else {

531

if (out == mandos_protocol_version){

532

written = 0;

533

out = "\r\n";

534

} else {

535

break;

536

}

537

}

405

406

ret = initgnutls (&es);

407

if (ret != 0){

408

retval = -1;

409

return -1;

538

410

}

539

411

412

gnutls_transport_set_ptr (es.session,

413

(gnutls_transport_ptr_t) tcp_sd);

414

540

415

if(debug){

541

416

fprintf(stderr, "Establishing TLS session with %s\n", ip);

542

417

}

543

418

544

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

545

546

do{

547

ret = gnutls_handshake (session);

548

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

419

ret = gnutls_handshake (es.session);

549

420

550

421

if (ret != GNUTLS_E_SUCCESS){

551

if(debug){

552

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

553

gnutls_perror (ret);

554

}

422

fprintf(stderr, "\n*** Handshake failed ***\n");

423

gnutls_perror (ret);

555

424

retval = -1;

556

goto mandos_end;

425

goto exit;

557

426

}

558

427

559

/* Read OpenPGP packet that contains the wanted password */

428

//Retrieve OpenPGP packet that contains the wanted password

560

429

561

430

if(debug){

562

431

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

564

433

}

565

434

566

435

while(true){

567

buffer_capacity = adjustbuffer(&buffer, buffer_length,

568

buffer_capacity);

569

if (buffer_capacity == 0){

570

perror("adjustbuffer");

571

retval = -1;

572

goto mandos_end;

436

if (buffer_length + BUFFER_SIZE > buffer_capacity){

437

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

438

if (buffer == NULL){

439

perror("realloc");

440

goto exit;

441

}

442

buffer_capacity += BUFFER_SIZE;

573

443

}

574

444

575

ret = gnutls_record_recv(session, buffer+buffer_length,

576

BUFFER_SIZE);

445

ret = gnutls_record_recv

446

(es.session, buffer+buffer_length, BUFFER_SIZE);

577

447

if (ret == 0){

578

448

break;

579

449

}

583

453

case GNUTLS_E_AGAIN:

584

454

break;

585

455

case GNUTLS_E_REHANDSHAKE:

586

do{

587

ret = gnutls_handshake (session);

588

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

456

ret = gnutls_handshake (es.session);

589

457

if (ret < 0){

590

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

458

fprintf(stderr, "\n*** Handshake failed ***\n");

591

459

gnutls_perror (ret);

592

460

retval = -1;

593

goto mandos_end;

461

goto exit;

594

462

}

595

463

break;

596

464

default:

597

465

fprintf(stderr, "Unknown error while reading data from"

598

" encrypted session with Mandos server\n");

466

" encrypted session with mandos server\n");

599

467

retval = -1;

600

gnutls_bye (session, GNUTLS_SHUT_RDWR);

601

goto mandos_end;

468

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

469

goto exit;

602

470

}

603

471

} else {

604

472

buffer_length += (size_t) ret;

605

473

}

606

474

}

607

475

608

if(debug){

609

fprintf(stderr, "Closing TLS session\n");

610

}

611

612

gnutls_bye (session, GNUTLS_SHUT_RDWR);

613

614

476

if (buffer_length > 0){

615

477

decrypted_buffer_size = pgp_packet_decrypt(buffer,

616

478

buffer_length,

617

479

&decrypted_buffer,

618

keydir);

480

CERT_ROOT);

619

481

if (decrypted_buffer_size >= 0){

620

written = 0;

621

while(written < (size_t) decrypted_buffer_size){

482

while(written < decrypted_buffer_size){

622

483

ret = (int)fwrite (decrypted_buffer + written, 1,

623

484

(size_t)decrypted_buffer_size - written,

624

485

stdout);

637

498

retval = -1;

638

499

}

639

500

}

640

641

/* Shutdown procedure */

642

643

mandos_end:

501

502

//shutdown procedure

503

504

if(debug){

505

fprintf(stderr, "Closing TLS session\n");

506

}

507

644

508

free(buffer);

509

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

510

exit:

645

511

close(tcp_sd);

646

gnutls_deinit (session);

512

gnutls_deinit (es.session);

513

gnutls_certificate_free_credentials (es.cred);

514

gnutls_global_deinit ();

647

515

return retval;

648

516

}

649

517

650

static void resolve_callback(AvahiSServiceResolver *r,

651

AvahiIfIndex interface,

652

AVAHI_GCC_UNUSED AvahiProtocol protocol,

653

AvahiResolverEvent event,

654

const char *name,

655

const char *type,

656

const char *domain,

657

const char *host_name,

658

const AvahiAddress *address,

659

uint16_t port,

660

AVAHI_GCC_UNUSED AvahiStringList *txt,

661

AVAHI_GCC_UNUSED AvahiLookupResultFlags

662

flags,

663

void* userdata) {

664

mandos_context *mc = userdata;

665

assert(r);

518

static AvahiSimplePoll *simple_poll = NULL;

519

static AvahiServer *server = NULL;

520

521

static void resolve_callback(

522

AvahiSServiceResolver *r,

523

AvahiIfIndex interface,

524

AVAHI_GCC_UNUSED AvahiProtocol protocol,

525

AvahiResolverEvent event,

526

const char *name,

527

const char *type,

528

const char *domain,

529

const char *host_name,

530

const AvahiAddress *address,

531

uint16_t port,

532

AVAHI_GCC_UNUSED AvahiStringList *txt,

533

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

534

AVAHI_GCC_UNUSED void* userdata) {

535

536

assert(r); /* Spurious warning */

666

537

667

538

/* Called whenever a service has been resolved successfully or

668

539

timed out */

670

541

switch (event) {

671

542

default:

672

543

case AVAHI_RESOLVER_FAILURE:

673

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

674

" of type '%s' in domain '%s': %s\n", name, type, domain,

675

avahi_strerror(avahi_server_errno(mc->server)));

544

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

545

" type '%s' in domain '%s': %s\n", name, type, domain,

546

avahi_strerror(avahi_server_errno(server)));

676

547

break;

677

548

678

549

case AVAHI_RESOLVER_FOUND:

680

551

char ip[AVAHI_ADDRESS_STR_MAX];

681

552

avahi_address_snprint(ip, sizeof(ip), address);

682

553

if(debug){

683

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

684

PRIu16 ") on port %d\n", name, host_name, ip,

685

interface, port);

554

fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",

555

host_name, ip, port);

686

556

}

687

int ret = start_mandos_communication(ip, port, interface, mc);

557

int ret = start_mandos_communication(ip, port,

558

(unsigned int) interface);

688

559

if (ret == 0){

689

avahi_simple_poll_quit(mc->simple_poll);

560

exit(EXIT_SUCCESS);

561

} else {

562

exit(EXIT_FAILURE);

690

563

}

691

564

}

692

565

}

693

566

avahi_s_service_resolver_free(r);

694

567

}

695

568

696

static void browse_callback( AvahiSServiceBrowser *b,

697

AvahiIfIndex interface,

698

AvahiProtocol protocol,

699

AvahiBrowserEvent event,

700

const char *name,

701

const char *type,

702

const char *domain,

703

AVAHI_GCC_UNUSED AvahiLookupResultFlags

704

flags,

705

void* userdata) {

706

mandos_context *mc = userdata;

707

assert(b);

708

709

/* Called whenever a new services becomes available on the LAN or

710

is removed from the LAN */

711

712

switch (event) {

713

default:

714

case AVAHI_BROWSER_FAILURE:

715

716

fprintf(stderr, "(Avahi browser) %s\n",

717

avahi_strerror(avahi_server_errno(mc->server)));

718

avahi_simple_poll_quit(mc->simple_poll);

719

return;

720

721

case AVAHI_BROWSER_NEW:

722

/* We ignore the returned Avahi resolver object. In the callback

723

function we free it. If the Avahi server is terminated before

724

the callback function is called the Avahi server will free the

725

resolver for us. */

726

727

if (!(avahi_s_service_resolver_new(mc->server, interface,

728

protocol, name, type, domain,

729

AVAHI_PROTO_INET6, 0,

730

resolve_callback, mc)))

731

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

732

name, avahi_strerror(avahi_server_errno(mc->server)));

733

break;

734

735

case AVAHI_BROWSER_REMOVE:

736

break;

737

738

case AVAHI_BROWSER_ALL_FOR_NOW:

739

case AVAHI_BROWSER_CACHE_EXHAUSTED:

740

if(debug){

741

fprintf(stderr, "No Mandos server found, still searching...\n");

569

static void browse_callback(

570

AvahiSServiceBrowser *b,

571

AvahiIfIndex interface,

572

AvahiProtocol protocol,

573

AvahiBrowserEvent event,

574

const char *name,

575

const char *type,

576

const char *domain,

577

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

578

void* userdata) {

579

580

AvahiServer *s = userdata;

581

assert(b); /* Spurious warning */

582

583

/* Called whenever a new services becomes available on the LAN or

584

is removed from the LAN */

585

586

switch (event) {

587

default:

588

case AVAHI_BROWSER_FAILURE:

589

590

fprintf(stderr, "(Browser) %s\n",

591

avahi_strerror(avahi_server_errno(server)));

592

avahi_simple_poll_quit(simple_poll);

593

return;

594

595

case AVAHI_BROWSER_NEW:

596

/* We ignore the returned resolver object. In the callback

597

function we free it. If the server is terminated before

598

the callback function is called the server will free

599

the resolver for us. */

600

601

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

602

type, domain,

603

AVAHI_PROTO_INET6, 0,

604

resolve_callback, s)))

605

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

606

avahi_strerror(avahi_server_errno(s)));

607

break;

608

609

case AVAHI_BROWSER_REMOVE:

610

break;

611

612

case AVAHI_BROWSER_ALL_FOR_NOW:

613

case AVAHI_BROWSER_CACHE_EXHAUSTED:

614

break;

742

615

}

743

break;

744

}

745

}

746

747

/* Combines file name and path and returns the malloced new

748

string. some sane checks could/should be added */

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

753

return NULL;

754

}

755

return tmp;

756

}

757

758

759

int main(int argc, char *argv[]){

616

}

617

618

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

619

AvahiServerConfig config;

760

620

AvahiSServiceBrowser *sb = NULL;

761

621

int error;

762

622

int ret;

763

int exitcode = EXIT_SUCCESS;

623

int returncode = EXIT_SUCCESS;

764

624

const char *interface = "eth0";

765

struct ifreq network;

766

int sd;

767

uid_t uid;

768

gid_t gid;

769

char *connect_to = NULL;

770

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

775

mandos_context mc = { .simple_poll = NULL, .server = NULL,

776

.dh_bits = 1024, .priority = "SECURE256"};

777

bool gnutls_initalized = false;

778

779

{

780

struct argp_option options[] = {

781

{ .name = "debug", .key = 128,

782

.doc = "Debug mode", .group = 3 },

783

{ .name = "connect", .key = 'c',

784

.arg = "IP",

785

.doc = "Connect directly to a sepcified mandos server",

786

.group = 1 },

787

{ .name = "interface", .key = 'i',

788

.arg = "INTERFACE",

789

.doc = "Interface that Avahi will conntect through",

790

.group = 1 },

791

{ .name = "keydir", .key = 'd',

792

.arg = "KEYDIR",

793

.doc = "Directory where the openpgp keyring is",

794

.group = 1 },

795

{ .name = "seckey", .key = 's',

796

.arg = "SECKEY",

797

.doc = "Secret openpgp key for gnutls authentication",

798

.group = 1 },

799

{ .name = "pubkey", .key = 'p',

800

.arg = "PUBKEY",

801

.doc = "Public openpgp key for gnutls authentication",

802

.group = 2 },

803

{ .name = "dh-bits", .key = 129,

804

.arg = "BITS",

805

.doc = "dh-bits to use in gnutls communication",

806

.group = 2 },

807

{ .name = "priority", .key = 130,

808

.arg = "PRIORITY",

809

.doc = "GNUTLS priority", .group = 1 },

810

{ .name = NULL }

811

};

812

813

814

error_t parse_opt (int key, char *arg,

815

struct argp_state *state) {

816

/* Get the INPUT argument from `argp_parse', which we know is

817

a pointer to our plugin list pointer. */

818

switch (key) {

819

case 128:

820

debug = true;

821

break;

822

case 'c':

823

connect_to = arg;

824

break;

825

case 'i':

826

interface = arg;

827

break;

828

case 'd':

829

keydir = arg;

830

break;

831

case 's':

832

seckeyname = arg;

833

break;

834

case 'p':

835

pubkeyname = arg;

836

break;

837

case 129:

838

errno = 0;

839

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

840

if (errno){

841

perror("strtol");

842

exit(EXIT_FAILURE);

843

}

844

break;

845

case 130:

846

mc.priority = arg;

847

break;

848

case ARGP_KEY_ARG:

849

argp_usage (state);

850

case ARGP_KEY_END:

851

break;

852

default:

853

return ARGP_ERR_UNKNOWN;

854

}

855

return 0;

856

}

857

858

struct argp argp = { .options = options, .parser = parse_opt,

859

.args_doc = "",

860

.doc = "Mandos client -- Get and decrypt"

861

" passwords from mandos server" };

862

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

863

if (ret == ARGP_ERR_UNKNOWN){

864

fprintf(stderr, "Unknown error while parsing arguments\n");

865

exitcode = EXIT_FAILURE;

866

goto end;

867

}

868

}

869

870

pubkeyfilename = combinepath(keydir, pubkeyname);

871

if (pubkeyfilename == NULL){

872

perror("combinepath");

873

exitcode = EXIT_FAILURE;

874

goto end;

875

}

876

877

seckeyfilename = combinepath(keydir, seckeyname);

878

if (seckeyfilename == NULL){

879

perror("combinepath");

880

exitcode = EXIT_FAILURE;

881

goto end;

882

}

883

884

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

885

if (ret == -1){

886

fprintf(stderr, "init_gnutls_global failed\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

889

} else {

890

gnutls_initalized = true;

891

}

892

893

/* If the interface is down, bring it up */

894

{

895

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

896

if(sd < 0) {

897

perror("socket");

898

exitcode = EXIT_FAILURE;

899

goto end;

900

}

901

strcpy(network.ifr_name, interface);

902

ret = ioctl(sd, SIOCGIFFLAGS, &network);

903

if(ret == -1){

904

perror("ioctl SIOCGIFFLAGS");

905

exitcode = EXIT_FAILURE;

906

goto end;

907

}

908

if((network.ifr_flags & IFF_UP) == 0){

909

network.ifr_flags |= IFF_UP;

910

ret = ioctl(sd, SIOCSIFFLAGS, &network);

911

if(ret == -1){

912

perror("ioctl SIOCSIFFLAGS");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

}

917

close(sd);

918

}

919

920

uid = getuid();

921

gid = getgid();

922

923

ret = setuid(uid);

924

if (ret == -1){

925

perror("setuid");

926

}

927

928

setgid(gid);

929

if (ret == -1){

930

perror("setgid");

931

}

932

933

if_index = (AvahiIfIndex) if_nametoindex(interface);

934

if(if_index == 0){

935

fprintf(stderr, "No such interface: \"%s\"\n", interface);

936

exit(EXIT_FAILURE);

937

}

938

939

if(connect_to != NULL){

940

/* Connect directly, do not use Zeroconf */

941

/* (Mainly meant for debugging) */

942

char *address = strrchr(connect_to, ':');

943

if(address == NULL){

944

fprintf(stderr, "No colon in address\n");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

errno = 0;

949

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

950

if(errno){

951

perror("Bad port number");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

*address = '\0';

956

address = connect_to;

957

ret = start_mandos_communication(address, port, if_index, &mc);

958

if(ret < 0){

959

exitcode = EXIT_FAILURE;

960

} else {

961

exitcode = EXIT_SUCCESS;

962

}

963

goto end;

625

626

while (true){

627

static struct option long_options[] = {

628

{"debug", no_argument, (int *)&debug, 1},

629

{"interface", required_argument, 0, 'i'},

630

{0, 0, 0, 0} };

631

632

int option_index = 0;

633

ret = getopt_long (argc, argv, "i:", long_options,

634

&option_index);

635

636

if (ret == -1){

637

break;

638

}

639

640

switch(ret){

641

case 0:

642

break;

643

case 'i':

644

interface = optarg;

645

break;

646

default:

647

exit(EXIT_FAILURE);

648

}

964

649

}

965

650

966

651

if (not debug){

967

652

avahi_set_log_function(empty_log);

968

653

}

969

654

970

/* Initialize the pseudo-RNG for Avahi */

655

/* Initialize the psuedo-RNG */

971

656

srand((unsigned int) time(NULL));

972

973

/* Allocate main Avahi loop object */

974

mc.simple_poll = avahi_simple_poll_new();

975

if (mc.simple_poll == NULL) {

976

fprintf(stderr, "Avahi: Failed to create simple poll"

977

" object.\n");

978

exitcode = EXIT_FAILURE;

979

goto end;

980

}

981

982

{

983

AvahiServerConfig config;

984

/* Do not publish any local Zeroconf records */

985

avahi_server_config_init(&config);

986

config.publish_hinfo = 0;

987

config.publish_addresses = 0;

988

config.publish_workstation = 0;

989

config.publish_domain = 0;

990

991

/* Allocate a new server */

992

mc.server = avahi_server_new(avahi_simple_poll_get

993

(mc.simple_poll), &config, NULL,

994

NULL, &error);

995

996

/* Free the Avahi configuration data */

997

avahi_server_config_free(&config);

998

}

999

1000

/* Check if creating the Avahi server object succeeded */

1001

if (mc.server == NULL) {

1002

fprintf(stderr, "Failed to create Avahi server: %s\n",

657

658

/* Allocate main loop object */

659

if (!(simple_poll = avahi_simple_poll_new())) {

660

fprintf(stderr, "Failed to create simple poll object.\n");

661

662

goto exit;

663

}

664

665

/* Do not publish any local records */

666

avahi_server_config_init(&config);

667

config.publish_hinfo = 0;

668

config.publish_addresses = 0;

669

config.publish_workstation = 0;

670

config.publish_domain = 0;

671

672

/* Allocate a new server */

673

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

674

&config, NULL, NULL, &error);

675

676

/* Free the configuration data */

677

avahi_server_config_free(&config);

678

679

/* Check if creating the server object succeeded */

680

if (!server) {

681

fprintf(stderr, "Failed to create server: %s\n",

1003

682

avahi_strerror(error));

1004

exitcode = EXIT_FAILURE;

1005

goto end;

683

returncode = EXIT_FAILURE;

684

goto exit;

1006

685

}

1007

686

1008

/* Create the Avahi service browser */

1009

sb = avahi_s_service_browser_new(mc.server, if_index,

687

/* Create the service browser */

688

sb = avahi_s_service_browser_new(server,

689

(AvahiIfIndex)

690

if_nametoindex(interface),

1010

691

AVAHI_PROTO_INET6,

1011

692

"_mandos._tcp", NULL, 0,

1012

browse_callback, &mc);

1013

if (sb == NULL) {

693

browse_callback, server);

694

if (!sb) {

1014

695

fprintf(stderr, "Failed to create service browser: %s\n",

1015

avahi_strerror(avahi_server_errno(mc.server)));

1016

exitcode = EXIT_FAILURE;

1017

goto end;

696

avahi_strerror(avahi_server_errno(server)));

697

returncode = EXIT_FAILURE;

698

goto exit;

1018

699

}

1019

700

1020

701

/* Run the main loop */

1021

702

1022

703

if (debug){

1023

fprintf(stderr, "Starting Avahi loop search\n");

704

fprintf(stderr, "Starting avahi loop search\n");

1024

705

}

1025

706

1026

avahi_simple_poll_loop(mc.simple_poll);

707

avahi_simple_poll_loop(simple_poll);

1027

708

1028

end:

709

exit:

1029

710

1030

711

if (debug){

1031

712

fprintf(stderr, "%s exiting\n", argv[0]);

1032

713

}

1033

714

1034

715

/* Cleanup things */

1035

if (sb != NULL)

716

if (sb)

1036

717

avahi_s_service_browser_free(sb);

1037

718

1038

if (mc.server != NULL)

1039

avahi_server_free(mc.server);

1040

1041

if (mc.simple_poll != NULL)

1042

avahi_simple_poll_free(mc.simple_poll);

1043

free(pubkeyfilename);

1044

free(seckeyfilename);

1045

1046

if (gnutls_initalized){

1047

gnutls_certificate_free_credentials(mc.cred);

1048

gnutls_global_deinit ();

1049

}

1050

1051

return exitcode;

719

if (server)

720

avahi_server_free(server);

721

722

if (simple_poll)

723

avahi_simple_poll_free(simple_poll);

724

725

return returncode;

1052

726

}

Older »