94
45
#include <avahi-common/malloc.h>
95
46
#include <avahi-common/error.h>
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
101
init_gnutls_session(),
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
108
#include <gpgme.h> /* All GPGME types, constants and
111
GPGME_PROTOCOL_OpenPGP,
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
63
#include <errno.h> /* perror() */
114
69
#define BUFFER_SIZE 256
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
120
76
bool debug = false;
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
125
/* Used for passing in values through the Avahi callback functions */
127
AvahiSimplePoll *simple_poll;
79
gnutls_session_t session;
129
80
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
131
81
gnutls_dh_params_t dh_params;
132
const char *priority;
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
87
gpgme_data_t dh_crypto, dh_plain;
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
153
buffer_capacity += BUFFER_SIZE;
155
return buffer_capacity;
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
165
93
gpgme_engine_info_t engine_info;
169
* Helper function to insert pub and seckey to the engine keyring.
171
bool import_key(const char *filename){
173
gpgme_data_t pgp_data;
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
199
gpgme_data_release(pgp_data);
204
fprintf(stderr, "Initializing GPGME\n");
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
208
100
gpgme_check_version(NULL);
209
101
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
210
if(rc != GPG_ERR_NO_ERROR){
102
if (rc != GPG_ERR_NO_ERROR){
211
103
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
212
104
gpgme_strsource(rc), gpgme_strerror(rc));
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
108
/* Set GPGME home directory */
109
rc = gpgme_get_engine_info (&engine_info);
110
if (rc != GPG_ERR_NO_ERROR){
219
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
220
112
gpgme_strsource(rc), gpgme_strerror(rc));
223
115
while(engine_info != NULL){
224
116
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
225
117
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
226
engine_info->file_name, tempdir);
118
engine_info->file_name, homedir);
229
121
engine_info = engine_info->next;
231
123
if(engine_info == NULL){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
244
if(not import_key(pubkey) or not import_key(seckey)){
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
258
gpgme_data_t dh_crypto, dh_plain;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
271
if(rc != GPG_ERR_NO_ERROR){
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
130
if (rc != GPG_ERR_NO_ERROR){
272
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
273
132
gpgme_strsource(rc), gpgme_strerror(rc));
277
136
/* Create new empty GPGME data buffer for the plaintext */
278
137
rc = gpgme_data_new(&dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
138
if (rc != GPG_ERR_NO_ERROR){
280
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
281
140
gpgme_strsource(rc), gpgme_strerror(rc));
282
gpgme_data_release(dh_crypto);
286
/* Decrypt data from the cryptotext data buffer to the plaintext
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
144
/* Create new GPGME "context" */
145
rc = gpgme_new(&ctx);
146
if (rc != GPG_ERR_NO_ERROR){
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
148
gpgme_strsource(rc), gpgme_strerror(rc));
152
/* Decrypt data from the FILE pointer to the plaintext data
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
155
if (rc != GPG_ERR_NO_ERROR){
290
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
291
157
gpgme_strsource(rc), gpgme_strerror(rc));
292
plaintext_length = -1;
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
316
recipient = recipient->next;
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
gpgme_decrypt_result_t result;
167
result = gpgme_op_decrypt_result(ctx);
169
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
fprintf(stderr, "Unsupported algorithm: %s\n",
172
result->unsupported_algorithm);
173
fprintf(stderr, "Wrong key usage: %d\n",
174
result->wrong_key_usage);
175
if(result->file_name != NULL){
176
fprintf(stderr, "File name: %s\n", result->file_name);
178
gpgme_recipient_t recipient;
179
recipient = result->recipients;
181
while(recipient != NULL){
182
fprintf(stderr, "Public key algorithm: %s\n",
183
gpgme_pubkey_algo_name(recipient->pubkey_algo));
184
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
185
fprintf(stderr, "Secret key available: %s\n",
186
recipient->status == GPG_ERR_NO_SECKEY
188
recipient = recipient->next;
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
328
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
199
perror("pgpme_data_seek");
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
340
if(plaintext_capacity == 0){
342
plaintext_length = -1;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
208
if (*new_packet == NULL){
212
new_packet_capacity += BUFFER_SIZE;
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
348
217
/* Print the data, if any */
354
222
perror("gpgme_data_read");
355
plaintext_length = -1;
358
plaintext_length += ret;
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
366
fprintf(stderr, "\n");
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
225
new_packet_length += ret;
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
374
236
/* Delete the GPGME plaintext data buffer */
375
237
gpgme_data_release(dh_plain);
376
return plaintext_length;
238
return new_packet_length;
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
241
static const char * safer_gnutls_strerror (int value) {
242
const char *ret = gnutls_strerror (value);
383
244
ret = "(unknown)";
387
/* GnuTLS log function callback */
388
static void debuggnutls(__attribute__((unused)) int level,
390
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
250
fprintf(stderr, "%s", string);
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
253
int initgnutls(encrypted_session *es){
398
258
fprintf(stderr, "Initializing GnuTLS\n");
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
261
if ((ret = gnutls_global_init ())
262
!= GNUTLS_E_SUCCESS) {
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
409
/* "Use a log level over 10 to enable all debugging options."
412
268
gnutls_global_set_log_level(11);
413
269
gnutls_global_set_log_function(debuggnutls);
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
434
286
ret = gnutls_certificate_set_openpgp_key_file
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
472
static int init_gnutls_session(gnutls_session_t *session){
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
288
if (ret != GNUTLS_E_SUCCESS) {
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
294
safer_gnutls_strerror(ret));
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
477
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
478
319
safer_gnutls_strerror(ret));
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
497
334
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
502
338
/* ignore client certificate if any. */
503
gnutls_certificate_server_set_request(*session,
339
gnutls_certificate_server_set_request (es->session,
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
511
/* Avahi log function callback */
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
513
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
515
/* Called when a Mandos server is found */
516
static int start_mandos_communication(const char *ip, uint16_t port,
517
AvahiIfIndex if_index,
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
353
struct sockaddr_in6 to;
354
encrypted_session es;
525
355
char *buffer = NULL;
526
356
char *decrypted_buffer;
527
357
size_t buffer_length = 0;
528
358
size_t buffer_capacity = 0;
529
359
ssize_t decrypted_buffer_size;
532
gnutls_session_t session;
533
int pf; /* Protocol family */
543
fprintf(stderr, "Bad address family: %d\n", af);
547
ret = init_gnutls_session(&session);
362
char interface[IF_NAMESIZE];
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
369
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
559
371
perror("socket");
563
memset(&to, 0, sizeof(to));
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
perror("if_indextoname");
383
fprintf(stderr, "Binding to interface %s\n", interface);
386
memset(&to,0,sizeof(to)); /* Spurious warning */
387
to.sin6_family = AF_INET6;
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
572
390
perror("inet_pton");
576
394
fprintf(stderr, "Bad address: %s\n", ip);
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
582
-Wunreachable-code */
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
596
to.in.sin_port = htons(port); /* Spurious warnings from
598
-Wunreachable-code */
397
to.sin6_port = htons(port); /* Spurious warning */
399
to.sin6_scope_id = (uint32_t)if_index;
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
627
if(strcmp(addrstr, ip) != 0){
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
639
415
perror("connect");
643
const char *out = mandos_protocol_version;
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
654
written += (size_t)ret;
655
if(written < out_size){
658
if(out == mandos_protocol_version){
419
ret = initgnutls (&es);
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
668
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
677
if(ret != GNUTLS_E_SUCCESS){
432
ret = gnutls_handshake (es.session);
434
if (ret != GNUTLS_E_SUCCESS){
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
436
fprintf(stderr, "\n*** Handshake failed ***\n");
686
/* Read OpenPGP packet that contains the wanted password */
443
//Retrieve OpenPGP packet that contains the wanted password
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
694
buffer_capacity = incbuffer(&buffer, buffer_length,
696
if(buffer_capacity == 0){
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
buffer_capacity += BUFFER_SIZE;
702
sret = gnutls_record_recv(session, buffer+buffer_length,
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
709
467
case GNUTLS_E_INTERRUPTED:
710
468
case GNUTLS_E_AGAIN:
712
470
case GNUTLS_E_REHANDSHAKE:
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
471
ret = gnutls_handshake (es.session);
473
fprintf(stderr, "\n*** Handshake failed ***\n");
724
480
fprintf(stderr, "Unknown error while reading data from"
725
" encrypted session with Mandos server\n");
481
" encrypted session with mandos server\n");
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
731
buffer_length += (size_t) sret;
487
buffer_length += (size_t) ret;
736
fprintf(stderr, "Closing TLS session\n");
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
741
if(buffer_length > 0){
491
if (buffer_length > 0){
742
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
745
if(decrypted_buffer_size >= 0){
496
if (decrypted_buffer_size >= 0){
747
497
while(written < (size_t) decrypted_buffer_size){
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
498
ret = (int)fwrite (decrypted_buffer + written, 1,
499
(size_t)decrypted_buffer_size - written,
751
501
if(ret == 0 and ferror(stdout)){
753
503
fprintf(stderr, "Error writing encrypted data: %s\n",
810
566
char ip[AVAHI_ADDRESS_STR_MAX];
811
567
avahi_address_snprint(ip, sizeof(ip), address);
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
820
avahi_simple_poll_quit(mc.simple_poll);
572
int ret = start_mandos_communication(ip, port, interface);
824
578
avahi_s_service_resolver_free(r);
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
836
AVAHI_GCC_UNUSED void* userdata){
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
844
case AVAHI_BROWSER_FAILURE:
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
857
if(!(avahi_s_service_resolver_new(mc.server, interface,
858
protocol, name, type, domain,
859
AVAHI_PROTO_INET6, 0,
860
resolve_callback, NULL)))
861
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
862
name, avahi_strerror(avahi_server_errno(mc.server)));
865
case AVAHI_BROWSER_REMOVE:
868
case AVAHI_BROWSER_ALL_FOR_NOW:
869
case AVAHI_BROWSER_CACHE_EXHAUSTED:
871
fprintf(stderr, "No Mandos server found, still searching...\n");
877
sig_atomic_t quit_now = 0;
879
/* stop main loop after sigterm has been called */
880
static void handle_sigterm(__attribute__((unused)) int sig){
885
int old_errno = errno;
886
if(mc.simple_poll != NULL){
887
avahi_simple_poll_quit(mc.simple_poll);
892
int main(int argc, char *argv[]){
893
AvahiSServiceBrowser *sb = NULL;
898
int exitcode = EXIT_SUCCESS;
899
const char *interface = "eth0";
900
struct ifreq network;
904
char *connect_to = NULL;
905
char tempdir[] = "/tmp/mandosXXXXXX";
906
bool tempdir_created = false;
907
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
908
const char *seckey = PATHDIR "/" SECKEY;
909
const char *pubkey = PATHDIR "/" PUBKEY;
911
/* Initialize Mandos context */
912
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
913
.dh_bits = 1024, .priority = "SECURE256"
914
":!CTYPE-X.509:+CTYPE-OPENPGP" };
915
bool gnutls_initialized = false;
916
bool gpgme_initialized = false;
919
struct sigaction old_sigterm_action;
920
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
923
struct argp_option options[] = {
924
{ .name = "debug", .key = 128,
925
.doc = "Debug mode", .group = 3 },
926
{ .name = "connect", .key = 'c',
927
.arg = "ADDRESS:PORT",
928
.doc = "Connect directly to a specific Mandos server",
930
{ .name = "interface", .key = 'i',
932
.doc = "Network interface that will be used to search for"
935
{ .name = "seckey", .key = 's',
937
.doc = "OpenPGP secret key file base name",
939
{ .name = "pubkey", .key = 'p',
941
.doc = "OpenPGP public key file base name",
943
{ .name = "dh-bits", .key = 129,
945
.doc = "Bit length of the prime number used in the"
946
" Diffie-Hellman key exchange",
948
{ .name = "priority", .key = 130,
950
.doc = "GnuTLS priority string for the TLS handshake",
952
{ .name = "delay", .key = 131,
954
.doc = "Maximum delay to wait for interface startup",
959
error_t parse_opt(int key, char *arg,
960
struct argp_state *state){
962
case 128: /* --debug */
965
case 'c': /* --connect */
968
case 'i': /* --interface */
971
case 's': /* --seckey */
974
case 'p': /* --pubkey */
977
case 129: /* --dh-bits */
978
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
979
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
980
or arg[numchars] != '\0'){
981
fprintf(stderr, "Bad number of DH bits\n");
984
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
986
case 130: /* --priority */
989
case 131: /* --delay */
990
ret = sscanf(arg, "%lf%n", &delay, &numchars);
991
if(ret < 1 or arg[numchars] != '\0'){
992
fprintf(stderr, "Bad delay\n");
1001
return ARGP_ERR_UNKNOWN;
1006
struct argp argp = { .options = options, .parser = parse_opt,
1008
.doc = "Mandos client -- Get and decrypt"
1009
" passwords from a Mandos server" };
1010
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1011
if(ret == ARGP_ERR_UNKNOWN){
1012
fprintf(stderr, "Unknown error while parsing arguments\n");
1013
exitcode = EXIT_FAILURE;
1019
avahi_set_log_function(empty_log);
1022
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1023
from the signal handler */
1024
/* Initialize the pseudo-RNG for Avahi */
1025
srand((unsigned int) time(NULL));
1026
mc.simple_poll = avahi_simple_poll_new();
1027
if(mc.simple_poll == NULL){
1028
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1029
exitcode = EXIT_FAILURE;
1033
sigemptyset(&sigterm_action.sa_mask);
1034
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1036
perror("sigaddset");
1037
exitcode = EXIT_FAILURE;
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1052
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1054
perror("sigaction");
1055
exitcode = EXIT_FAILURE;
1059
/* If the interface is down, bring it up */
1060
if(interface[0] != '\0'){
1062
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1063
messages to mess up the prompt */
1064
ret = klogctl(8, NULL, 5);
1065
bool restore_loglevel = true;
1067
restore_loglevel = false;
1070
#endif /* __linux__ */
1072
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1075
exitcode = EXIT_FAILURE;
1077
if(restore_loglevel){
1078
ret = klogctl(7, NULL, 0);
1083
#endif /* __linux__ */
1086
strcpy(network.ifr_name, interface);
1087
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1089
perror("ioctl SIOCGIFFLAGS");
1091
if(restore_loglevel){
1092
ret = klogctl(7, NULL, 0);
1097
#endif /* __linux__ */
1098
exitcode = EXIT_FAILURE;
1101
if((network.ifr_flags & IFF_UP) == 0){
1102
network.ifr_flags |= IFF_UP;
1103
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1105
perror("ioctl SIOCSIFFLAGS");
1106
exitcode = EXIT_FAILURE;
1108
if(restore_loglevel){
1109
ret = klogctl(7, NULL, 0);
1114
#endif /* __linux__ */
1118
/* sleep checking until interface is running */
1119
for(int i=0; i < delay * 4; i++){
1120
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1122
perror("ioctl SIOCGIFFLAGS");
1123
} else if(network.ifr_flags & IFF_RUNNING){
1126
struct timespec sleeptime = { .tv_nsec = 250000000 };
1127
ret = nanosleep(&sleeptime, NULL);
1128
if(ret == -1 and errno != EINTR){
1129
perror("nanosleep");
1132
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1137
if(restore_loglevel){
1138
/* Restores kernel loglevel to default */
1139
ret = klogctl(7, NULL, 0);
1144
#endif /* __linux__ */
1161
ret = init_gnutls_global(pubkey, seckey);
1163
fprintf(stderr, "init_gnutls_global failed\n");
1164
exitcode = EXIT_FAILURE;
1167
gnutls_initialized = true;
1170
if(mkdtemp(tempdir) == NULL){
1174
tempdir_created = true;
1176
if(not init_gpgme(pubkey, seckey, tempdir)){
1177
fprintf(stderr, "init_gpgme failed\n");
1178
exitcode = EXIT_FAILURE;
1181
gpgme_initialized = true;
1184
if(interface[0] != '\0'){
1185
if_index = (AvahiIfIndex) if_nametoindex(interface);
1187
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1188
exitcode = EXIT_FAILURE;
1193
if(connect_to != NULL){
1194
/* Connect directly, do not use Zeroconf */
1195
/* (Mainly meant for debugging) */
1196
char *address = strrchr(connect_to, ':');
1197
if(address == NULL){
1198
fprintf(stderr, "No colon in address\n");
1199
exitcode = EXIT_FAILURE;
1203
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1204
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1205
or address[numchars+1] != '\0'){
1206
fprintf(stderr, "Bad port number\n");
1207
exitcode = EXIT_FAILURE;
1210
port = (uint16_t)tmpmax;
1212
address = connect_to;
1213
/* Colon in address indicates IPv6 */
1215
if(strchr(address, ':') != NULL){
1220
ret = start_mandos_communication(address, port, if_index, af);
1222
exitcode = EXIT_FAILURE;
1224
exitcode = EXIT_SUCCESS;
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
600
case AVAHI_BROWSER_FAILURE:
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
621
case AVAHI_BROWSER_REMOVE:
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
633
tmp = malloc(strlen(first) + strlen(second) + 2);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1230
648
AvahiServerConfig config;
1231
/* Do not publish any local Zeroconf records */
649
AvahiSServiceBrowser *sb = NULL;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
655
char *connect_to = NULL;
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
711
if(connect_to != NULL){
712
/* Connect directly, do not use Zeroconf */
713
/* (Mainly meant for debugging) */
714
char *address = strrchr(connect_to, ':');
716
fprintf(stderr, "No colon in address\n");
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
perror("Bad port number");
726
address = connect_to;
727
ret = start_mandos_communication(address, port, if_index);
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
741
avahi_set_log_function(empty_log);
744
/* Initialize the psuedo-RNG */
745
srand((unsigned int) time(NULL));
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
754
/* Do not publish any local records */
1232
755
avahi_server_config_init(&config);
1233
756
config.publish_hinfo = 0;
1234
757
config.publish_addresses = 0;
1235
758
config.publish_workstation = 0;
1236
759
config.publish_domain = 0;
1238
761
/* Allocate a new server */
1239
mc.server = avahi_server_new(avahi_simple_poll_get
1240
(mc.simple_poll), &config, NULL,
1243
/* Free the Avahi configuration data */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
765
/* Free the configuration data */
1244
766
avahi_server_config_free(&config);
1247
/* Check if creating the Avahi server object succeeded */
1248
if(mc.server == NULL){
1249
fprintf(stderr, "Failed to create Avahi server: %s\n",
1250
avahi_strerror(error));
1251
exitcode = EXIT_FAILURE;
1255
/* Create the Avahi service browser */
1256
sb = avahi_s_service_browser_new(mc.server, if_index,
1257
AVAHI_PROTO_INET6, "_mandos._tcp",
1258
NULL, 0, browse_callback, NULL);
1260
fprintf(stderr, "Failed to create service browser: %s\n",
1261
avahi_strerror(avahi_server_errno(mc.server)));
1262
exitcode = EXIT_FAILURE;
1266
/* Run the main loop */
1269
fprintf(stderr, "Starting Avahi loop search\n");
1272
avahi_simple_poll_loop(mc.simple_poll);
1277
fprintf(stderr, "%s exiting\n", argv[0]);
1280
/* Cleanup things */
1282
avahi_s_service_browser_free(sb);
1284
if(mc.server != NULL)
1285
avahi_server_free(mc.server);
1287
if(mc.simple_poll != NULL)
1288
avahi_simple_poll_free(mc.simple_poll);
1290
if(gnutls_initialized){
1291
gnutls_certificate_free_credentials(mc.cred);
1292
gnutls_global_deinit();
1293
gnutls_dh_params_deinit(mc.dh_params);
1296
if(gpgme_initialized){
1297
gpgme_release(mc.ctx);
1300
/* Removes the temp directory used by GPGME */
1301
if(tempdir_created){
1303
struct dirent *direntry;
1304
d = opendir(tempdir);
1306
if(errno != ENOENT){
1311
direntry = readdir(d);
1312
if(direntry == NULL){
1315
/* Skip "." and ".." */
1316
if(direntry->d_name[0] == '.'
1317
and (direntry->d_name[1] == '\0'
1318
or (direntry->d_name[1] == '.'
1319
and direntry->d_name[2] == '\0'))){
1322
char *fullname = NULL;
1323
ret = asprintf(&fullname, "%s/%s", tempdir,
1329
ret = remove(fullname);
1331
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1338
ret = rmdir(tempdir);
1339
if(ret == -1 and errno != ENOENT){
768
/* Check if creating the server object succeeded */
770
fprintf(stderr, "Failed to create server: %s\n",
771
avahi_strerror(error));
772
returncode = EXIT_FAILURE;
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
779
"_mandos._tcp", NULL, 0,
780
browse_callback, server);
782
fprintf(stderr, "Failed to create service browser: %s\n",
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
788
/* Run the main loop */
791
fprintf(stderr, "Starting avahi loop search\n");
794
avahi_simple_poll_loop(simple_poll);
799
fprintf(stderr, "%s exiting\n", argv[0]);
804
avahi_s_service_browser_free(sb);
807
avahi_server_free(server);
810
avahi_simple_poll_free(simple_poll);