To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 36
- compare with another revision
- download diff
- download tarball
- view history from revision 36
- Committer: Teddy Hogeborn
- Date: 2008-08-02 14:33:47 UTC
- Revision ID: teddy@fukt.bsnet.se-20080802143347-u1m4zs1q0feu72ei
* TODO: Converted to org-mode style
* plugins.d/mandosclient.c (certdir): Changed to "/conf/conf.d/mandos/".
(certdir, certfile, certkey, pgp_packet_decrypt, debuggnutls,
initgnutls, empty_log, combinepath): Made static.
(combinepath): Rewritten to only get the argument string lengths
once. Do not print error message; leave that to
caller. All callers changed.
* plugins.d/mandosclient.c (certdir): Changed to "/conf/conf.d/mandos/".
(certdir, certfile, certkey, pgp_packet_decrypt, debuggnutls,
initgnutls, empty_log, combinepath): Made static.
(combinepath): Rewritten to only get the argument string lengths
once. Do not print error message; leave that to
caller. All callers changed.
- files added:
- ca.pem
- files removed:
- mandos-client.xml
- files renamed:
- mandos-client.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <assert.h> /* assert() */
57
#include <errno.h> /* perror(), errno */
58
#include <time.h> /* time() */
59
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
60
SIOCSIFFLAGS, if_indextoname(),
61
if_nametoindex(), IF_NAMESIZE */
62
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
63
getuid(), getgid(), setuid(),
64
setgid() */
65
#include <netinet/in.h>
66
#include <arpa/inet.h> /* inet_pton(), htons */
67
#include <iso646.h> /* not, and */
68
#include <argp.h> /* struct argp_option, error_t, struct
69
argp_state, struct argp,
70
argp_parse(), ARGP_KEY_ARG,
71
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
72
73
/* Avahi */
74
/* All Avahi types, constants and functions
75
Avahi*, avahi_*,
76
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
77
41
#include <avahi-core/core.h>
78
42
#include <avahi-core/lookup.h>
79
43
#include <avahi-core/log.h>
81
45
#include <avahi-common/malloc.h>
82
46
#include <avahi-common/error.h>
83
47
84
/* GnuTLS */
85
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and functions
94
gpgme_*
95
GPGME_PROTOCOL_OpenPGP,
96
GPG_ERR_NO_* */
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
97
68
98
69
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
72
static const char *certdir = "/conf/conf.d/mandos";
73
static const char *certfile = "openpgp-client.txt";
74
static const char *certkey = "openpgp-client-key.txt";
99
75
100
76
bool debug = false;
101
static const char *keydir = "/conf/conf.d/mandos";
102
static const char mandos_protocol_version[] = "1";
103
const char *argp_program_version = "mandosclient 0.9";
104
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
105
77
106
/* Used for passing in values through the Avahi callback functions */
107
78
typedef struct {
108
AvahiSimplePoll *simple_poll;
109
AvahiServer *server;
79
gnutls_session_t session;
110
80
gnutls_certificate_credentials_t cred;
111
unsigned int dh_bits;
112
81
gnutls_dh_params_t dh_params;
113
const char *priority;
114
} mandos_context;
115
116
/*
117
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
118
* "buffer_capacity" is how much is currently allocated,
119
* "buffer_length" is how much is already used.
120
*/
121
size_t adjustbuffer(char **buffer, size_t buffer_length,
122
size_t buffer_capacity){
123
if (buffer_length + BUFFER_SIZE > buffer_capacity){
124
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
125
if (buffer == NULL){
126
return 0;
127
}
128
buffer_capacity += BUFFER_SIZE;
129
}
130
return buffer_capacity;
131
}
132
133
/*
134
* Decrypt OpenPGP data using keyrings in HOMEDIR.
135
* Returns -1 on error
136
*/
137
static ssize_t pgp_packet_decrypt (const char *cryptotext,
138
size_t crypto_size,
139
char **plaintext,
82
} encrypted_session;
83
84
85
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet,
140
87
const char *homedir){
141
88
gpgme_data_t dh_crypto, dh_plain;
142
89
gpgme_ctx_t ctx;
143
90
gpgme_error_t rc;
144
91
ssize_t ret;
145
size_t plaintext_capacity = 0;
146
ssize_t plaintext_length = 0;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
147
94
gpgme_engine_info_t engine_info;
148
95
149
96
if (debug){
150
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
151
98
}
152
99
153
100
/* Init GPGME */
159
106
return -1;
160
107
}
161
108
162
/* Set GPGME home directory for the OpenPGP engine only */
109
/* Set GPGME home directory */
163
110
rc = gpgme_get_engine_info (&engine_info);
164
111
if (rc != GPG_ERR_NO_ERROR){
165
112
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
175
122
engine_info = engine_info->next;
176
123
}
177
124
if(engine_info == NULL){
178
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
179
126
return -1;
180
127
}
181
128
182
/* Create new GPGME data buffer from memory cryptotext */
183
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
184
0);
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
185
131
if (rc != GPG_ERR_NO_ERROR){
186
132
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
187
133
gpgme_strsource(rc), gpgme_strerror(rc));
193
139
if (rc != GPG_ERR_NO_ERROR){
194
140
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
195
141
gpgme_strsource(rc), gpgme_strerror(rc));
196
gpgme_data_release(dh_crypto);
197
142
return -1;
198
143
}
199
144
202
147
if (rc != GPG_ERR_NO_ERROR){
203
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
204
149
gpgme_strsource(rc), gpgme_strerror(rc));
205
plaintext_length = -1;
206
goto decrypt_end;
150
return -1;
207
151
}
208
152
209
/* Decrypt data from the cryptotext data buffer to the plaintext
210
data buffer */
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
211
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
212
156
if (rc != GPG_ERR_NO_ERROR){
213
157
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
214
158
gpgme_strsource(rc), gpgme_strerror(rc));
215
plaintext_length = -1;
216
goto decrypt_end;
159
return -1;
217
160
}
218
161
219
162
if(debug){
220
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
221
164
}
222
165
223
166
if (debug){
224
167
gpgme_decrypt_result_t result;
225
168
result = gpgme_op_decrypt_result(ctx);
249
192
}
250
193
}
251
194
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
197
252
198
/* Seek back to the beginning of the GPGME plaintext data buffer */
253
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
200
perror("pgpme_data_seek");
255
plaintext_length = -1;
256
goto decrypt_end;
257
201
}
258
202
259
*plaintext = NULL;
203
*new_packet = 0;
260
204
while(true){
261
plaintext_capacity = adjustbuffer(plaintext,
262
(size_t)plaintext_length,
263
plaintext_capacity);
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
266
plaintext_length = -1;
267
goto decrypt_end;
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
268
214
}
269
215
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
271
217
BUFFER_SIZE);
272
218
/* Print the data, if any */
273
219
if (ret == 0){
274
/* EOF */
275
220
break;
276
221
}
277
222
if(ret < 0){
278
223
perror("gpgme_data_read");
279
plaintext_length = -1;
280
goto decrypt_end;
224
return -1;
281
225
}
282
plaintext_length += ret;
226
new_packet_length += ret;
283
227
}
284
228
285
if(debug){
286
fprintf(stderr, "Decrypted password is: ");
287
for(ssize_t i = 0; i < plaintext_length; i++){
288
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
289
}
290
fprintf(stderr, "\n");
291
}
292
293
decrypt_end:
294
295
/* Delete the GPGME cryptotext data buffer */
296
gpgme_data_release(dh_crypto);
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
297
236
298
237
/* Delete the GPGME plaintext data buffer */
299
238
gpgme_data_release(dh_plain);
300
return plaintext_length;
239
return new_packet_length;
301
240
}
302
241
303
242
static const char * safer_gnutls_strerror (int value) {
307
246
return ret;
308
247
}
309
248
310
/* GnuTLS log function callback */
311
249
static void debuggnutls(__attribute__((unused)) int level,
312
250
const char* string){
313
fprintf(stderr, "GnuTLS: %s", string);
251
fprintf(stderr, "%s", string);
314
252
}
315
253
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfile,
318
const char *seckeyfile){
254
static int initgnutls(encrypted_session *es){
255
const char *err;
319
256
int ret;
320
257
321
258
if(debug){
322
259
fprintf(stderr, "Initializing GnuTLS\n");
323
260
}
324
325
ret = gnutls_global_init();
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
329
265
return -1;
330
266
}
331
267
332
268
if (debug){
333
/* "Use a log level over 10 to enable all debugging options."
334
* - GnuTLS manual
335
*/
336
269
gnutls_global_set_log_level(11);
337
270
gnutls_global_set_log_function(debuggnutls);
338
271
}
339
272
340
/* OpenPGP credentials */
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n",
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
344
277
safer_gnutls_strerror(ret));
345
gnutls_global_deinit ();
346
278
return -1;
347
279
}
348
280
349
281
if(debug){
350
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
351
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
352
seckeyfile);
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
353
285
}
354
286
355
287
ret = gnutls_certificate_set_openpgp_key_file
356
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
357
289
if (ret != GNUTLS_E_SUCCESS) {
358
fprintf(stderr,
359
"Error[%d] while reading the OpenPGP key pair ('%s',"
360
" '%s')\n", ret, pubkeyfile, seckeyfile);
361
fprintf(stdout, "The GnuTLS error is: %s\n",
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
362
295
safer_gnutls_strerror(ret));
363
goto globalfail;
364
}
365
366
/* GnuTLS server initialization */
367
ret = gnutls_dh_params_init(&mc->dh_params);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
370
" %s\n", safer_gnutls_strerror(ret));
371
goto globalfail;
372
}
373
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
376
safer_gnutls_strerror(ret));
377
goto globalfail;
378
}
379
380
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
381
382
return 0;
383
384
globalfail:
385
386
gnutls_certificate_free_credentials(mc->cred);
387
gnutls_global_deinit();
388
return -1;
389
390
}
391
392
static int init_gnutls_session(mandos_context *mc,
393
gnutls_session_t *session){
394
int ret;
395
/* GnuTLS session creation */
396
ret = gnutls_init(session, GNUTLS_SERVER);
397
if (ret != GNUTLS_E_SUCCESS){
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
398
319
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
399
320
safer_gnutls_strerror(ret));
400
321
}
401
322
402
{
403
const char *err;
404
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
405
if (ret != GNUTLS_E_SUCCESS) {
406
fprintf(stderr, "Syntax error at: %s\n", err);
407
fprintf(stderr, "GnuTLS error: %s\n",
408
safer_gnutls_strerror(ret));
409
gnutls_deinit (*session);
410
return -1;
411
}
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
412
329
}
413
330
414
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
415
mc->cred);
416
if (ret != GNUTLS_E_SUCCESS) {
417
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
418
335
safer_gnutls_strerror(ret));
419
gnutls_deinit (*session);
420
336
return -1;
421
337
}
422
338
423
339
/* ignore client certificate if any. */
424
gnutls_certificate_server_set_request (*session,
340
gnutls_certificate_server_set_request (es->session,
425
341
GNUTLS_CERT_IGNORE);
426
342
427
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
428
344
429
345
return 0;
430
346
}
431
347
432
/* Avahi log function callback */
433
348
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
434
349
__attribute__((unused)) const char *txt){}
435
350
436
/* Called when a Mandos server is found */
437
351
static int start_mandos_communication(const char *ip, uint16_t port,
438
AvahiIfIndex if_index,
439
mandos_context *mc){
352
AvahiIfIndex if_index){
440
353
int ret, tcp_sd;
441
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
354
struct sockaddr_in6 to;
355
encrypted_session es;
442
356
char *buffer = NULL;
443
357
char *decrypted_buffer;
444
358
size_t buffer_length = 0;
445
359
size_t buffer_capacity = 0;
446
360
ssize_t decrypted_buffer_size;
447
size_t written;
361
size_t written = 0;
448
362
int retval = 0;
449
363
char interface[IF_NAMESIZE];
450
gnutls_session_t session;
451
452
ret = init_gnutls_session (mc, &session);
453
if (ret != 0){
454
return -1;
455
}
456
364
457
365
if(debug){
458
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
464
372
perror("socket");
465
373
return -1;
466
374
}
467
468
if(debug){
469
if(if_indextoname((unsigned int)if_index, interface) == NULL){
375
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
470
378
perror("if_indextoname");
471
return -1;
472
379
}
380
return -1;
381
}
382
383
if(debug){
473
384
fprintf(stderr, "Binding to interface %s\n", interface);
474
385
}
475
386
476
387
memset(&to,0,sizeof(to)); /* Spurious warning */
477
to.in6.sin6_family = AF_INET6;
478
/* It would be nice to have a way to detect if we were passed an
479
IPv4 address here. Now we assume an IPv6 address. */
480
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
481
390
if (ret < 0 ){
482
391
perror("inet_pton");
483
392
return -1;
484
}
393
}
485
394
if(ret == 0){
486
395
fprintf(stderr, "Bad address: %s\n", ip);
487
396
return -1;
488
397
}
489
to.in6.sin6_port = htons(port); /* Spurious warning */
398
to.sin6_port = htons(port); /* Spurious warning */
490
399
491
to.in6.sin6_scope_id = (uint32_t)if_index;
400
to.sin6_scope_id = (uint32_t)if_index;
492
401
493
402
if(debug){
494
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
495
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
497
sizeof(addrstr)) == NULL){
498
perror("inet_ntop");
499
} else {
500
if(strcmp(addrstr, ip) != 0){
501
fprintf(stderr, "Canonical address form: %s\n", addrstr);
502
}
503
}
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
504
412
}
505
413
506
ret = connect(tcp_sd, &to.in, sizeof(to));
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
507
415
if (ret < 0){
508
416
perror("connect");
509
417
return -1;
510
418
}
511
512
const char *out = mandos_protocol_version;
513
written = 0;
514
while (true){
515
size_t out_size = strlen(out);
516
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
517
out_size - written));
518
if (ret == -1){
519
perror("write");
520
retval = -1;
521
goto mandos_end;
522
}
523
written += (size_t)ret;
524
if(written < out_size){
525
continue;
526
} else {
527
if (out == mandos_protocol_version){
528
written = 0;
529
out = "\r\n";
530
} else {
531
break;
532
}
533
}
419
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
534
424
}
535
425
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
536
429
if(debug){
537
430
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
431
}
539
432
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
433
ret = gnutls_handshake (es.session);
545
434
546
435
if (ret != GNUTLS_E_SUCCESS){
547
436
if(debug){
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
437
fprintf(stderr, "\n*** Handshake failed ***\n");
549
438
gnutls_perror (ret);
550
439
}
551
440
retval = -1;
552
goto mandos_end;
441
goto exit;
553
442
}
554
443
555
/* Read OpenPGP packet that contains the wanted password */
444
//Retrieve OpenPGP packet that contains the wanted password
556
445
557
446
if(debug){
558
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
560
449
}
561
450
562
451
while(true){
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
565
if (buffer_capacity == 0){
566
perror("adjustbuffer");
567
retval = -1;
568
goto mandos_end;
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
569
459
}
570
460
571
ret = gnutls_record_recv(session, buffer+buffer_length,
572
BUFFER_SIZE);
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
573
463
if (ret == 0){
574
464
break;
575
465
}
579
469
case GNUTLS_E_AGAIN:
580
470
break;
581
471
case GNUTLS_E_REHANDSHAKE:
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
472
ret = gnutls_handshake (es.session);
585
473
if (ret < 0){
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
474
fprintf(stderr, "\n*** Handshake failed ***\n");
587
475
gnutls_perror (ret);
588
476
retval = -1;
589
goto mandos_end;
477
goto exit;
590
478
}
591
479
break;
592
480
default:
593
481
fprintf(stderr, "Unknown error while reading data from"
594
" encrypted session with Mandos server\n");
482
" encrypted session with mandos server\n");
595
483
retval = -1;
596
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
598
486
}
599
487
} else {
600
488
buffer_length += (size_t) ret;
601
489
}
602
490
}
603
491
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
610
492
if (buffer_length > 0){
611
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
612
494
buffer_length,
613
495
&decrypted_buffer,
614
keydir);
496
certdir);
615
497
if (decrypted_buffer_size >= 0){
616
written = 0;
617
498
while(written < (size_t) decrypted_buffer_size){
618
499
ret = (int)fwrite (decrypted_buffer + written, 1,
619
500
(size_t)decrypted_buffer_size - written,
633
514
retval = -1;
634
515
}
635
516
}
636
637
/* Shutdown procedure */
638
639
mandos_end:
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
640
524
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
641
527
close(tcp_sd);
642
gnutls_deinit (session);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
643
531
return retval;
644
532
}
645
533
646
static void resolve_callback(AvahiSServiceResolver *r,
647
AvahiIfIndex interface,
648
AVAHI_GCC_UNUSED AvahiProtocol protocol,
649
AvahiResolverEvent event,
650
const char *name,
651
const char *type,
652
const char *domain,
653
const char *host_name,
654
const AvahiAddress *address,
655
uint16_t port,
656
AVAHI_GCC_UNUSED AvahiStringList *txt,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
661
552
assert(r); /* Spurious warning */
662
553
663
554
/* Called whenever a service has been resolved successfully or
666
557
switch (event) {
667
558
default:
668
559
case AVAHI_RESOLVER_FAILURE:
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
671
avahi_strerror(avahi_server_errno(mc->server)));
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
672
563
break;
673
564
674
565
case AVAHI_RESOLVER_FOUND:
676
567
char ip[AVAHI_ADDRESS_STR_MAX];
677
568
avahi_address_snprint(ip, sizeof(ip), address);
678
569
if(debug){
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
680
" port %d\n", name, host_name, ip, interface, port);
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
681
572
}
682
int ret = start_mandos_communication(ip, port, interface, mc);
573
int ret = start_mandos_communication(ip, port, interface);
683
574
if (ret == 0){
684
575
exit(EXIT_SUCCESS);
685
576
}
688
579
avahi_s_service_resolver_free(r);
689
580
}
690
581
691
static void browse_callback( AvahiSServiceBrowser *b,
692
AvahiIfIndex interface,
693
AvahiProtocol protocol,
694
AvahiBrowserEvent event,
695
const char *name,
696
const char *type,
697
const char *domain,
698
AVAHI_GCC_UNUSED AvahiLookupResultFlags
699
flags,
700
void* userdata) {
701
mandos_context *mc = userdata;
702
assert(b); /* Spurious warning */
703
704
/* Called whenever a new services becomes available on the LAN or
705
is removed from the LAN */
706
707
switch (event) {
708
default:
709
case AVAHI_BROWSER_FAILURE:
710
711
fprintf(stderr, "(Avahi browser) %s\n",
712
avahi_strerror(avahi_server_errno(mc->server)));
713
avahi_simple_poll_quit(mc->simple_poll);
714
return;
715
716
case AVAHI_BROWSER_NEW:
717
/* We ignore the returned Avahi resolver object. In the callback
718
function we free it. If the Avahi server is terminated before
719
the callback function is called the Avahi server will free the
720
resolver for us. */
721
722
if (!(avahi_s_service_resolver_new(mc->server, interface,
723
protocol, name, type, domain,
724
AVAHI_PROTO_INET6, 0,
725
resolve_callback, mc)))
726
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
727
name, avahi_strerror(avahi_server_errno(mc->server)));
728
break;
729
730
case AVAHI_BROWSER_REMOVE:
731
break;
732
733
case AVAHI_BROWSER_ALL_FOR_NOW:
734
case AVAHI_BROWSER_CACHE_EXHAUSTED:
735
if(debug){
736
fprintf(stderr, "No Mandos server found, still searching...\n");
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
737
628
}
738
break;
739
}
740
629
}
741
630
742
631
/* Combines file name and path and returns the malloced new
749
638
return NULL;
750
639
}
751
640
if(f_len > 0){
752
memcpy(tmp, first, f_len); /* Spurious warning */
641
memcpy(tmp, first, f_len);
753
642
}
754
643
tmp[f_len] = '/';
755
644
if(s_len > 0){
756
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
645
memcpy(tmp + f_len + 1, second, s_len);
757
646
}
758
647
tmp[f_len + 1 + s_len] = '\0';
759
648
return tmp;
760
649
}
761
650
762
651
763
int main(int argc, char *argv[]){
652
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
653
AvahiServerConfig config;
764
654
AvahiSServiceBrowser *sb = NULL;
765
655
int error;
766
656
int ret;
767
int exitcode = EXIT_SUCCESS;
768
const char *interface = "eth0";
769
struct ifreq network;
770
int sd;
771
uid_t uid;
772
gid_t gid;
657
int returncode = EXIT_SUCCESS;
658
const char *interface = NULL;
659
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
773
660
char *connect_to = NULL;
774
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
775
const char *pubkeyfile = "pubkey.txt";
776
const char *seckeyfile = "seckey.txt";
777
mandos_context mc = { .simple_poll = NULL, .server = NULL,
778
.dh_bits = 1024, .priority = "SECURE256"};
779
bool gnutls_initalized = false;
780
781
{
782
struct argp_option options[] = {
783
{ .name = "debug", .key = 128,
784
.doc = "Debug mode", .group = 3 },
785
{ .name = "connect", .key = 'c',
786
.arg = "IP",
787
.doc = "Connect directly to a sepcified mandos server",
788
.group = 1 },
789
{ .name = "interface", .key = 'i',
790
.arg = "INTERFACE",
791
.doc = "Interface that Avahi will conntect through",
792
.group = 1 },
793
{ .name = "keydir", .key = 'd',
794
.arg = "KEYDIR",
795
.doc = "Directory where the openpgp keyring is",
796
.group = 1 },
797
{ .name = "seckey", .key = 's',
798
.arg = "SECKEY",
799
.doc = "Secret openpgp key for gnutls authentication",
800
.group = 1 },
801
{ .name = "pubkey", .key = 'p',
802
.arg = "PUBKEY",
803
.doc = "Public openpgp key for gnutls authentication",
804
.group = 2 },
805
{ .name = "dh-bits", .key = 129,
806
.arg = "BITS",
807
.doc = "dh-bits to use in gnutls communication",
808
.group = 2 },
809
{ .name = "priority", .key = 130,
810
.arg = "PRIORITY",
811
.doc = "GNUTLS priority", .group = 1 },
812
{ .name = NULL }
813
};
814
815
816
error_t parse_opt (int key, char *arg,
817
struct argp_state *state) {
818
/* Get the INPUT argument from `argp_parse', which we know is
819
a pointer to our plugin list pointer. */
820
switch (key) {
821
case 128:
822
debug = true;
823
break;
824
case 'c':
825
connect_to = arg;
826
break;
827
case 'i':
828
interface = arg;
829
break;
830
case 'd':
831
keydir = arg;
832
break;
833
case 's':
834
seckeyfile = arg;
835
break;
836
case 'p':
837
pubkeyfile = arg;
838
break;
839
case 129:
840
errno = 0;
841
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
842
if (errno){
843
perror("strtol");
844
exit(EXIT_FAILURE);
845
}
846
break;
847
case 130:
848
mc.priority = arg;
849
break;
850
case ARGP_KEY_ARG:
851
argp_usage (state);
852
break;
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
857
}
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unkown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
}
872
873
pubkeyfile = combinepath(keydir, pubkeyfile);
874
if (pubkeyfile == NULL){
875
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
878
}
879
880
seckeyfile = combinepath(keydir, seckeyfile);
881
if (seckeyfile == NULL){
882
perror("combinepath");
883
goto end;
884
}
885
886
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
887
if (ret == -1){
888
fprintf(stderr, "init_gnutls_global\n");
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
uid = getuid();
895
gid = getgid();
896
897
ret = setuid(uid);
898
if (ret == -1){
899
perror("setuid");
900
}
901
902
setgid(gid);
903
if (ret == -1){
904
perror("setgid");
905
}
906
907
if_index = (AvahiIfIndex) if_nametoindex(interface);
908
if(if_index == 0){
909
fprintf(stderr, "No such interface: \"%s\"\n", interface);
910
exit(EXIT_FAILURE);
661
662
while (true){
663
static struct option long_options[] = {
664
{"debug", no_argument, (int *)&debug, 1},
665
{"connect", required_argument, 0, 'C'},
666
{"interface", required_argument, 0, 'i'},
667
{"certdir", required_argument, 0, 'd'},
668
{"certkey", required_argument, 0, 'c'},
669
{"certfile", required_argument, 0, 'k'},
670
{0, 0, 0, 0} };
671
672
int option_index = 0;
673
ret = getopt_long (argc, argv, "i:", long_options,
674
&option_index);
675
676
if (ret == -1){
677
break;
678
}
679
680
switch(ret){
681
case 0:
682
break;
683
case 'i':
684
interface = optarg;
685
break;
686
case 'C':
687
connect_to = optarg;
688
break;
689
case 'd':
690
certdir = optarg;
691
break;
692
case 'c':
693
certfile = optarg;
694
break;
695
case 'k':
696
certkey = optarg;
697
break;
698
default:
699
exit(EXIT_FAILURE);
700
}
701
}
702
703
certfile = combinepath(certdir, certfile);
704
if (certfile == NULL){
705
perror("combinepath");
706
goto exit;
707
}
708
709
if(interface != NULL){
710
if_index = (AvahiIfIndex) if_nametoindex(interface);
711
if(if_index == 0){
712
fprintf(stderr, "No such interface: \"%s\"\n", interface);
713
exit(EXIT_FAILURE);
714
}
911
715
}
912
716
913
717
if(connect_to != NULL){
916
720
char *address = strrchr(connect_to, ':');
917
721
if(address == NULL){
918
722
fprintf(stderr, "No colon in address\n");
919
exitcode = EXIT_FAILURE;
920
goto end;
723
exit(EXIT_FAILURE);
921
724
}
922
725
errno = 0;
923
726
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
924
727
if(errno){
925
728
perror("Bad port number");
926
exitcode = EXIT_FAILURE;
927
goto end;
729
exit(EXIT_FAILURE);
928
730
}
929
731
*address = '\0';
930
732
address = connect_to;
931
ret = start_mandos_communication(address, port, if_index, &mc);
733
ret = start_mandos_communication(address, port, if_index);
932
734
if(ret < 0){
933
exitcode = EXIT_FAILURE;
735
exit(EXIT_FAILURE);
934
736
} else {
935
exitcode = EXIT_SUCCESS;
737
exit(EXIT_SUCCESS);
936
738
}
937
goto end;
938
739
}
939
740
940
/* If the interface is down, bring it up */
941
{
942
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
943
if(sd < 0) {
944
perror("socket");
945
exitcode = EXIT_FAILURE;
946
goto end;
947
}
948
strcpy(network.ifr_name, interface); /* Spurious warning */
949
ret = ioctl(sd, SIOCGIFFLAGS, &network);
950
if(ret == -1){
951
perror("ioctl SIOCGIFFLAGS");
952
exitcode = EXIT_FAILURE;
953
goto end;
954
}
955
if((network.ifr_flags & IFF_UP) == 0){
956
network.ifr_flags |= IFF_UP;
957
ret = ioctl(sd, SIOCSIFFLAGS, &network);
958
if(ret == -1){
959
perror("ioctl SIOCSIFFLAGS");
960
exitcode = EXIT_FAILURE;
961
goto end;
962
}
963
}
964
close(sd);
741
certkey = combinepath(certdir, certkey);
742
if (certkey == NULL){
743
perror("combinepath");
744
goto exit;
965
745
}
966
746
967
747
if (not debug){
968
748
avahi_set_log_function(empty_log);
969
749
}
970
750
971
/* Initialize the pseudo-RNG for Avahi */
751
/* Initialize the psuedo-RNG */
972
752
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
753
754
/* Allocate main loop object */
755
if (!(simple_poll = avahi_simple_poll_new())) {
756
fprintf(stderr, "Failed to create simple poll object.\n");
757
758
goto exit;
759
}
760
761
/* Do not publish any local records */
762
avahi_server_config_init(&config);
763
config.publish_hinfo = 0;
764
config.publish_addresses = 0;
765
config.publish_workstation = 0;
766
config.publish_domain = 0;
767
768
/* Allocate a new server */
769
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
770
&config, NULL, NULL, &error);
771
772
/* Free the configuration data */
773
avahi_server_config_free(&config);
774
775
/* Check if creating the server object succeeded */
776
if (!server) {
777
fprintf(stderr, "Failed to create server: %s\n",
1004
778
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
779
returncode = EXIT_FAILURE;
780
goto exit;
1007
781
}
1008
782
1009
/* Create the Avahi service browser */
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
783
/* Create the service browser */
784
sb = avahi_s_service_browser_new(server, if_index,
1011
785
AVAHI_PROTO_INET6,
1012
786
"_mandos._tcp", NULL, 0,
1013
browse_callback, &mc);
1014
if (sb == NULL) {
787
browse_callback, server);
788
if (!sb) {
1015
789
fprintf(stderr, "Failed to create service browser: %s\n",
1016
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
790
avahi_strerror(avahi_server_errno(server)));
791
returncode = EXIT_FAILURE;
792
goto exit;
1019
793
}
1020
794
1021
795
/* Run the main loop */
1022
796
1023
797
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
798
fprintf(stderr, "Starting avahi loop search\n");
1025
799
}
1026
800
1027
avahi_simple_poll_loop(mc.simple_poll);
801
avahi_simple_poll_loop(simple_poll);
1028
802
1029
end:
803
exit:
1030
804
1031
805
if (debug){
1032
806
fprintf(stderr, "%s exiting\n", argv[0]);
1033
807
}
1034
808
1035
809
/* Cleanup things */
1036
if (sb != NULL)
810
if (sb)
1037
811
avahi_s_service_browser_free(sb);
1038
812
1039
if (mc.server != NULL)
1040
avahi_server_free(mc.server);
1041
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfile);
1045
free(seckeyfile);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
813
if (server)
814
avahi_server_free(server);
815
816
if (simple_poll)
817
avahi_simple_poll_free(simple_poll);
818
free(certfile);
819
free(certkey);
1051
820
1052
return exitcode;
821
return returncode;
1053
822
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0