/mandos/release : revision 36

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <inttypes.h> /* PRIu16 */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton(),

56

connect() */

57

#include <assert.h> /* assert() */

58

#include <errno.h> /* perror(), errno */

59

#include <time.h> /* time() */

60

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

61

SIOCSIFFLAGS, if_indextoname(),

62

if_nametoindex(), IF_NAMESIZE */

63

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

64

getuid(), getgid(), setuid(),

65

setgid() */

66

#include <netinet/in.h>

67

#include <arpa/inet.h> /* inet_pton(), htons */

68

#include <iso646.h> /* not, and */

69

#include <argp.h> /* struct argp_option, error_t, struct

70

argp_state, struct argp,

71

argp_parse(), ARGP_KEY_ARG,

72

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

73

74

/* Avahi */

75

/* All Avahi types, constants and functions

76

Avahi*, avahi_*,

77

AVAHI_* */

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

78

41

#include <avahi-core/core.h>

79

42

#include <avahi-core/lookup.h>

80

43

#include <avahi-core/log.h>

82

45

#include <avahi-common/malloc.h>

83

46

#include <avahi-common/error.h>

84

47

85

/* GnuTLS */

86

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

87

gnutls_*

88

init_gnutls_session(),

89

GNUTLS_* */

90

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

91

GNUTLS_OPENPGP_FMT_BASE64 */

92

93

/* GPGME */

94

#include <gpgme.h> /* All GPGME types, constants and functions

95

gpgme_*

96

GPGME_PROTOCOL_OpenPGP,

97

GPG_ERR_NO_* */

48

//mandos client part

49

#include <sys/types.h> /* socket(), inet_pton() */

50

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

51

struct in6_addr, inet_pton() */

52

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

53

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

54

55

#include <unistd.h> /* close() */

56

#include <netinet/in.h>

57

#include <stdbool.h> /* true */

58

#include <string.h> /* memset */

59

#include <arpa/inet.h> /* inet_pton() */

60

#include <iso646.h> /* not */

61

62

// gpgme

63

#include <errno.h> /* perror() */

64

#include <gpgme.h>

65

66

// getopt long

67

#include <getopt.h>

98

68

99

69

#define BUFFER_SIZE 256

70

#define DH_BITS 1024

71

72

static const char *certdir = "/conf/conf.d/mandos";

73

static const char *certfile = "openpgp-client.txt";

74

static const char *certkey = "openpgp-client-key.txt";

100

75

101

76

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

77

107

/* Used for passing in values through the Avahi callback functions */

108

78

typedef struct {

109

AvahiSimplePoll *simple_poll;

110

AvahiServer *server;

79

gnutls_session_t session;

111

80

gnutls_certificate_credentials_t cred;

112

unsigned int dh_bits;

113

81

gnutls_dh_params_t dh_params;

114

const char *priority;

115

} mandos_context;

116

117

/*

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

*/

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

134

/*

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

137

*/

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

82

} encrypted_session;

83

84

85

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

86

char **new_packet,

141

87

const char *homedir){

142

88

gpgme_data_t dh_crypto, dh_plain;

143

89

gpgme_ctx_t ctx;

144

90

gpgme_error_t rc;

145

91

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

92

ssize_t new_packet_capacity = 0;

93

ssize_t new_packet_length = 0;

148

94

gpgme_engine_info_t engine_info;

149

95

150

96

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

97

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

152

98

}

153

99

154

100

/* Init GPGME */

160

106

return -1;

161

107

}

162

108

163

/* Set GPGME home directory for the OpenPGP engine only */

109

/* Set GPGME home directory */

164

110

rc = gpgme_get_engine_info (&engine_info);

165

111

if (rc != GPG_ERR_NO_ERROR){

166

112

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

176

122

engine_info = engine_info->next;

177

123

}

178

124

if(engine_info == NULL){

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

125

fprintf(stderr, "Could not set home dir to %s\n", homedir);

180

126

return -1;

181

127

}

182

128

183

/* Create new GPGME data buffer from memory cryptotext */

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

185

0);

129

/* Create new GPGME data buffer from packet buffer */

130

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

186

131

if (rc != GPG_ERR_NO_ERROR){

187

132

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

188

133

gpgme_strsource(rc), gpgme_strerror(rc));

194

139

if (rc != GPG_ERR_NO_ERROR){

195

140

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

196

141

gpgme_strsource(rc), gpgme_strerror(rc));

197

gpgme_data_release(dh_crypto);

198

142

return -1;

199

143

}

200

144

203

147

if (rc != GPG_ERR_NO_ERROR){

204

148

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

149

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

150

return -1;

208

151

}

209

152

210

/* Decrypt data from the cryptotext data buffer to the plaintext

211

data buffer */

153

/* Decrypt data from the FILE pointer to the plaintext data

154

buffer */

212

155

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

156

if (rc != GPG_ERR_NO_ERROR){

214

157

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

215

158

gpgme_strsource(rc), gpgme_strerror(rc));

216

plaintext_length = -1;

217

goto decrypt_end;

159

return -1;

218

160

}

219

161

220

162

if(debug){

221

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

163

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

222

164

}

223

165

224

166

if (debug){

225

167

gpgme_decrypt_result_t result;

226

168

result = gpgme_op_decrypt_result(ctx);

229

171

} else {

230

172

fprintf(stderr, "Unsupported algorithm: %s\n",

231

173

result->unsupported_algorithm);

232

fprintf(stderr, "Wrong key usage: %u\n",

174

fprintf(stderr, "Wrong key usage: %d\n",

233

175

result->wrong_key_usage);

234

176

if(result->file_name != NULL){

235

177

fprintf(stderr, "File name: %s\n", result->file_name);

250

192

}

251

193

}

252

194

195

/* Delete the GPGME FILE pointer cryptotext data buffer */

196

gpgme_data_release(dh_crypto);

197

253

198

/* Seek back to the beginning of the GPGME plaintext data buffer */

254

199

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

255

200

perror("pgpme_data_seek");

256

plaintext_length = -1;

257

goto decrypt_end;

258

201

}

259

202

260

*plaintext = NULL;

203

*new_packet = 0;

261

204

while(true){

262

plaintext_capacity = adjustbuffer(plaintext,

263

(size_t)plaintext_length,

264

plaintext_capacity);

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

267

plaintext_length = -1;

268

goto decrypt_end;

205

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

206

*new_packet = realloc(*new_packet,

207

(unsigned int)new_packet_capacity

208

+ BUFFER_SIZE);

209

if (*new_packet == NULL){

210

perror("realloc");

211

return -1;

212

}

213

new_packet_capacity += BUFFER_SIZE;

269

214

}

270

215

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

216

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

272

217

BUFFER_SIZE);

273

218

/* Print the data, if any */

274

219

if (ret == 0){

275

/* EOF */

276

220

break;

277

221

}

278

222

if(ret < 0){

279

223

perror("gpgme_data_read");

280

plaintext_length = -1;

281

goto decrypt_end;

224

return -1;

282

225

}

283

plaintext_length += ret;

226

new_packet_length += ret;

284

227

}

285

228

286

if(debug){

287

fprintf(stderr, "Decrypted password is: ");

288

for(ssize_t i = 0; i < plaintext_length; i++){

289

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

290

}

291

fprintf(stderr, "\n");

292

}

293

294

decrypt_end:

295

296

/* Delete the GPGME cryptotext data buffer */

297

gpgme_data_release(dh_crypto);

229

/* FIXME: check characters before printing to screen so to not print

230

terminal control characters */

231

/* if(debug){ */

232

/* fprintf(stderr, "decrypted password is: "); */

233

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

234

/* fprintf(stderr, "\n"); */

235

/* } */

298

236

299

237

/* Delete the GPGME plaintext data buffer */

300

238

gpgme_data_release(dh_plain);

301

return plaintext_length;

239

return new_packet_length;

302

240

}

303

241

304

242

static const char * safer_gnutls_strerror (int value) {

308

246

return ret;

309

247

}

310

248

311

/* GnuTLS log function callback */

312

249

static void debuggnutls(__attribute__((unused)) int level,

313

250

const char* string){

314

fprintf(stderr, "GnuTLS: %s", string);

251

fprintf(stderr, "%s", string);

315

252

}

316

253

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfile,

319

const char *seckeyfile){

254

static int initgnutls(encrypted_session *es){

255

const char *err;

320

256

int ret;

321

257

322

258

if(debug){

323

259

fprintf(stderr, "Initializing GnuTLS\n");

324

260

}

325

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

261

262

if ((ret = gnutls_global_init ())

263

!= GNUTLS_E_SUCCESS) {

264

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

330

265

return -1;

331

266

}

332

267

333

268

if (debug){

334

/* "Use a log level over 10 to enable all debugging options."

335

* - GnuTLS manual

336

*/

337

269

gnutls_global_set_log_level(11);

338

270

gnutls_global_set_log_function(debuggnutls);

339

271

}

340

272

341

/* OpenPGP credentials */

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n",

273

/* openpgp credentials */

274

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

275

!= GNUTLS_E_SUCCESS) {

276

fprintf (stderr, "memory error: %s\n",

345

277

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

347

278

return -1;

348

279

}

349

280

350

281

if(debug){

351

282

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

353

seckeyfile);

283

" and keyfile %s as GnuTLS credentials\n", certfile,

284

certkey);

354

285

}

355

286

356

287

ret = gnutls_certificate_set_openpgp_key_file

357

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

288

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

358

289

if (ret != GNUTLS_E_SUCCESS) {

359

fprintf(stderr,

360

"Error[%d] while reading the OpenPGP key pair ('%s',"

361

" '%s')\n", ret, pubkeyfile, seckeyfile);

362

fprintf(stdout, "The GnuTLS error is: %s\n",

290

fprintf

291

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

292

" '%s')\n",

293

ret, certfile, certkey);

294

fprintf(stdout, "The Error is: %s\n",

363

295

safer_gnutls_strerror(ret));

364

goto globalfail;

365

}

366

367

/* GnuTLS server initialization */

368

ret = gnutls_dh_params_init(&mc->dh_params);

369

if (ret != GNUTLS_E_SUCCESS) {

370

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

371

" %s\n", safer_gnutls_strerror(ret));

372

goto globalfail;

373

}

374

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

375

if (ret != GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

377

safer_gnutls_strerror(ret));

378

goto globalfail;

379

}

380

381

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

382

383

return 0;

384

385

globalfail:

386

387

gnutls_certificate_free_credentials(mc->cred);

388

gnutls_global_deinit();

389

return -1;

390

391

}

392

393

static int init_gnutls_session(mandos_context *mc,

394

gnutls_session_t *session){

395

int ret;

396

/* GnuTLS session creation */

397

ret = gnutls_init(session, GNUTLS_SERVER);

398

if (ret != GNUTLS_E_SUCCESS){

296

return -1;

297

}

298

299

//GnuTLS server initialization

300

if ((ret = gnutls_dh_params_init (&es->dh_params))

301

!= GNUTLS_E_SUCCESS) {

302

fprintf (stderr, "Error in dh parameter initialization: %s\n",

303

safer_gnutls_strerror(ret));

304

return -1;

305

}

306

307

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

308

!= GNUTLS_E_SUCCESS) {

309

fprintf (stderr, "Error in prime generation: %s\n",

310

safer_gnutls_strerror(ret));

311

return -1;

312

}

313

314

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

315

316

// GnuTLS session creation

317

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

318

!= GNUTLS_E_SUCCESS){

399

319

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

400

320

safer_gnutls_strerror(ret));

401

321

}

402

322

403

{

404

const char *err;

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

406

if (ret != GNUTLS_E_SUCCESS) {

407

fprintf(stderr, "Syntax error at: %s\n", err);

408

fprintf(stderr, "GnuTLS error: %s\n",

409

safer_gnutls_strerror(ret));

410

gnutls_deinit (*session);

411

return -1;

412

}

323

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

324

!= GNUTLS_E_SUCCESS) {

325

fprintf(stderr, "Syntax error at: %s\n", err);

326

fprintf(stderr, "GnuTLS error: %s\n",

327

safer_gnutls_strerror(ret));

328

return -1;

413

329

}

414

330

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

416

mc->cred);

417

if (ret != GNUTLS_E_SUCCESS) {

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

331

if ((ret = gnutls_credentials_set

332

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

333

!= GNUTLS_E_SUCCESS) {

334

fprintf(stderr, "Error setting a credentials set: %s\n",

419

335

safer_gnutls_strerror(ret));

420

gnutls_deinit (*session);

421

336

return -1;

422

337

}

423

338

424

339

/* ignore client certificate if any. */

425

gnutls_certificate_server_set_request (*session,

340

gnutls_certificate_server_set_request (es->session,

426

341

GNUTLS_CERT_IGNORE);

427

342

428

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

343

gnutls_dh_set_prime_bits (es->session, DH_BITS);

429

344

430

345

return 0;

431

346

}

432

347

433

/* Avahi log function callback */

434

348

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

435

349

__attribute__((unused)) const char *txt){}

436

350

437

/* Called when a Mandos server is found */

438

351

static int start_mandos_communication(const char *ip, uint16_t port,

439

AvahiIfIndex if_index,

440

mandos_context *mc){

352

AvahiIfIndex if_index){

441

353

int ret, tcp_sd;

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

354

struct sockaddr_in6 to;

355

encrypted_session es;

443

356

char *buffer = NULL;

444

357

char *decrypted_buffer;

445

358

size_t buffer_length = 0;

446

359

size_t buffer_capacity = 0;

447

360

ssize_t decrypted_buffer_size;

448

size_t written;

361

size_t written = 0;

449

362

int retval = 0;

450

363

char interface[IF_NAMESIZE];

451

gnutls_session_t session;

452

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

455

return -1;

456

}

457

364

458

365

if(debug){

459

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

460

"\n", ip, port);

366

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

367

ip, port);

461

368

}

462

369

463

370

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

465

372

perror("socket");

466

373

return -1;

467

374

}

468

469

if(debug){

470

if(if_indextoname((unsigned int)if_index, interface) == NULL){

375

376

if(if_indextoname((unsigned int)if_index, interface) == NULL){

377

if(debug){

471

378

perror("if_indextoname");

472

return -1;

473

379

}

380

return -1;

381

}

382

383

if(debug){

474

384

fprintf(stderr, "Binding to interface %s\n", interface);

475

385

}

476

386

477

387

memset(&to,0,sizeof(to)); /* Spurious warning */

478

to.in6.sin6_family = AF_INET6;

479

/* It would be nice to have a way to detect if we were passed an

480

IPv4 address here. Now we assume an IPv6 address. */

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

388

to.sin6_family = AF_INET6;

389

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

482

390

if (ret < 0 ){

483

391

perror("inet_pton");

484

392

return -1;

485

}

393

}

486

394

if(ret == 0){

487

395

fprintf(stderr, "Bad address: %s\n", ip);

488

396

return -1;

489

397

}

490

to.in6.sin6_port = htons(port); /* Spurious warning */

398

to.sin6_port = htons(port); /* Spurious warning */

491

399

492

to.in6.sin6_scope_id = (uint32_t)if_index;

400

to.sin6_scope_id = (uint32_t)if_index;

493

401

494

402

if(debug){

495

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

496

port);

497

char addrstr[INET6_ADDRSTRLEN] = "";

498

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

499

sizeof(addrstr)) == NULL){

500

perror("inet_ntop");

501

} else {

502

if(strcmp(addrstr, ip) != 0){

503

fprintf(stderr, "Canonical address form: %s\n", addrstr);

504

}

505

}

403

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

404

/* char addrstr[INET6_ADDRSTRLEN]; */

405

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

406

/* sizeof(addrstr)) == NULL){ */

407

/* perror("inet_ntop"); */

408

/* } else { */

409

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

410

/* addrstr, ntohs(to.sin6_port)); */

411

/* } */

506

412

}

507

413

508

ret = connect(tcp_sd, &to.in, sizeof(to));

414

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

509

415

if (ret < 0){

510

416

perror("connect");

511

417

return -1;

512

418

}

513

514

const char *out = mandos_protocol_version;

515

written = 0;

516

while (true){

517

size_t out_size = strlen(out);

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

519

out_size - written));

520

if (ret == -1){

521

perror("write");

522

retval = -1;

523

goto mandos_end;

524

}

525

written += (size_t)ret;

526

if(written < out_size){

527

continue;

528

} else {

529

if (out == mandos_protocol_version){

530

written = 0;

531

out = "\r\n";

532

} else {

533

break;

534

}

535

}

419

420

ret = initgnutls (&es);

421

if (ret != 0){

422

retval = -1;

423

return -1;

536

424

}

537

425

426

gnutls_transport_set_ptr (es.session,

427

(gnutls_transport_ptr_t) tcp_sd);

428

538

429

if(debug){

539

430

fprintf(stderr, "Establishing TLS session with %s\n", ip);

540

431

}

541

432

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

543

544

do{

545

ret = gnutls_handshake (session);

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

433

ret = gnutls_handshake (es.session);

547

434

548

435

if (ret != GNUTLS_E_SUCCESS){

549

436

if(debug){

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

437

fprintf(stderr, "\n*** Handshake failed ***\n");

551

438

gnutls_perror (ret);

552

439

}

553

440

retval = -1;

554

goto mandos_end;

441

goto exit;

555

442

}

556

443

557

/* Read OpenPGP packet that contains the wanted password */

444

//Retrieve OpenPGP packet that contains the wanted password

558

445

559

446

if(debug){

560

447

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

562

449

}

563

450

564

451

while(true){

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

566

buffer_capacity);

567

if (buffer_capacity == 0){

568

perror("adjustbuffer");

569

retval = -1;

570

goto mandos_end;

452

if (buffer_length + BUFFER_SIZE > buffer_capacity){

453

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

454

if (buffer == NULL){

455

perror("realloc");

456

goto exit;

457

}

458

buffer_capacity += BUFFER_SIZE;

571

459

}

572

460

573

ret = gnutls_record_recv(session, buffer+buffer_length,

574

BUFFER_SIZE);

461

ret = gnutls_record_recv

462

(es.session, buffer+buffer_length, BUFFER_SIZE);

575

463

if (ret == 0){

576

464

break;

577

465

}

581

469

case GNUTLS_E_AGAIN:

582

470

break;

583

471

case GNUTLS_E_REHANDSHAKE:

584

do{

585

ret = gnutls_handshake (session);

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

472

ret = gnutls_handshake (es.session);

587

473

if (ret < 0){

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

474

fprintf(stderr, "\n*** Handshake failed ***\n");

589

475

gnutls_perror (ret);

590

476

retval = -1;

591

goto mandos_end;

477

goto exit;

592

478

}

593

479

break;

594

480

default:

595

481

fprintf(stderr, "Unknown error while reading data from"

596

" encrypted session with Mandos server\n");

482

" encrypted session with mandos server\n");

597

483

retval = -1;

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

599

goto mandos_end;

484

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

485

goto exit;

600

486

}

601

487

} else {

602

488

buffer_length += (size_t) ret;

603

489

}

604

490

}

605

491

606

if(debug){

607

fprintf(stderr, "Closing TLS session\n");

608

}

609

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

611

612

492

if (buffer_length > 0){

613

493

decrypted_buffer_size = pgp_packet_decrypt(buffer,

614

494

buffer_length,

615

495

&decrypted_buffer,

616

keydir);

496

certdir);

617

497

if (decrypted_buffer_size >= 0){

618

written = 0;

619

498

while(written < (size_t) decrypted_buffer_size){

620

499

ret = (int)fwrite (decrypted_buffer + written, 1,

621

500

(size_t)decrypted_buffer_size - written,

635

514

retval = -1;

636

515

}

637

516

}

638

639

/* Shutdown procedure */

640

641

mandos_end:

517

518

//shutdown procedure

519

520

if(debug){

521

fprintf(stderr, "Closing TLS session\n");

522

}

523

642

524

free(buffer);

525

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

526

exit:

643

527

close(tcp_sd);

644

gnutls_deinit (session);

528

gnutls_deinit (es.session);

529

gnutls_certificate_free_credentials (es.cred);

530

gnutls_global_deinit ();

645

531

return retval;

646

532

}

647

533

648

static void resolve_callback(AvahiSServiceResolver *r,

649

AvahiIfIndex interface,

650

AVAHI_GCC_UNUSED AvahiProtocol protocol,

651

AvahiResolverEvent event,

652

const char *name,

653

const char *type,

654

const char *domain,

655

const char *host_name,

656

const AvahiAddress *address,

657

uint16_t port,

658

AVAHI_GCC_UNUSED AvahiStringList *txt,

659

AVAHI_GCC_UNUSED AvahiLookupResultFlags

660

flags,

661

void* userdata) {

662

mandos_context *mc = userdata;

534

static AvahiSimplePoll *simple_poll = NULL;

535

static AvahiServer *server = NULL;

536

537

static void resolve_callback(

538

AvahiSServiceResolver *r,

539

AvahiIfIndex interface,

540

AVAHI_GCC_UNUSED AvahiProtocol protocol,

541

AvahiResolverEvent event,

542

const char *name,

543

const char *type,

544

const char *domain,

545

const char *host_name,

546

const AvahiAddress *address,

547

uint16_t port,

548

AVAHI_GCC_UNUSED AvahiStringList *txt,

549

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

550

AVAHI_GCC_UNUSED void* userdata) {

551

663

552

assert(r); /* Spurious warning */

664

553

665

554

/* Called whenever a service has been resolved successfully or

668

557

switch (event) {

669

558

default:

670

559

case AVAHI_RESOLVER_FAILURE:

671

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

672

" of type '%s' in domain '%s': %s\n", name, type, domain,

673

avahi_strerror(avahi_server_errno(mc->server)));

560

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

561

" type '%s' in domain '%s': %s\n", name, type, domain,

562

avahi_strerror(avahi_server_errno(server)));

674

563

break;

675

564

676

565

case AVAHI_RESOLVER_FOUND:

678

567

char ip[AVAHI_ADDRESS_STR_MAX];

679

568

avahi_address_snprint(ip, sizeof(ip), address);

680

569

if(debug){

681

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

682

PRIu16 ") on port %d\n", name, host_name, ip,

683

interface, port);

570

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

571

" port %d\n", name, host_name, ip, port);

684

572

}

685

int ret = start_mandos_communication(ip, port, interface, mc);

573

int ret = start_mandos_communication(ip, port, interface);

686

574

if (ret == 0){

687

575

exit(EXIT_SUCCESS);

688

576

}

691

579

avahi_s_service_resolver_free(r);

692

580

}

693

581

694

static void browse_callback( AvahiSServiceBrowser *b,

695

AvahiIfIndex interface,

696

AvahiProtocol protocol,

697

AvahiBrowserEvent event,

698

const char *name,

699

const char *type,

700

const char *domain,

701

AVAHI_GCC_UNUSED AvahiLookupResultFlags

702

flags,

703

void* userdata) {

704

mandos_context *mc = userdata;

705

assert(b); /* Spurious warning */

706

707

/* Called whenever a new services becomes available on the LAN or

708

is removed from the LAN */

709

710

switch (event) {

711

default:

712

case AVAHI_BROWSER_FAILURE:

713

714

fprintf(stderr, "(Avahi browser) %s\n",

715

avahi_strerror(avahi_server_errno(mc->server)));

716

avahi_simple_poll_quit(mc->simple_poll);

717

return;

718

719

case AVAHI_BROWSER_NEW:

720

/* We ignore the returned Avahi resolver object. In the callback

721

function we free it. If the Avahi server is terminated before

722

the callback function is called the Avahi server will free the

723

resolver for us. */

724

725

if (!(avahi_s_service_resolver_new(mc->server, interface,

726

protocol, name, type, domain,

727

AVAHI_PROTO_INET6, 0,

728

resolve_callback, mc)))

729

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

730

name, avahi_strerror(avahi_server_errno(mc->server)));

731

break;

732

733

case AVAHI_BROWSER_REMOVE:

734

break;

735

736

case AVAHI_BROWSER_ALL_FOR_NOW:

737

case AVAHI_BROWSER_CACHE_EXHAUSTED:

738

if(debug){

739

fprintf(stderr, "No Mandos server found, still searching...\n");

582

static void browse_callback(

583

AvahiSServiceBrowser *b,

584

AvahiIfIndex interface,

585

AvahiProtocol protocol,

586

AvahiBrowserEvent event,

587

const char *name,

588

const char *type,

589

const char *domain,

590

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

591

void* userdata) {

592

593

AvahiServer *s = userdata;

594

assert(b); /* Spurious warning */

595

596

/* Called whenever a new services becomes available on the LAN or

597

is removed from the LAN */

598

599

switch (event) {

600

default:

601

case AVAHI_BROWSER_FAILURE:

602

603

fprintf(stderr, "(Browser) %s\n",

604

avahi_strerror(avahi_server_errno(server)));

605

avahi_simple_poll_quit(simple_poll);

606

return;

607

608

case AVAHI_BROWSER_NEW:

609

/* We ignore the returned resolver object. In the callback

610

function we free it. If the server is terminated before

611

the callback function is called the server will free

612

the resolver for us. */

613

614

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

615

type, domain,

616

AVAHI_PROTO_INET6, 0,

617

resolve_callback, s)))

618

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

619

avahi_strerror(avahi_server_errno(s)));

620

break;

621

622

case AVAHI_BROWSER_REMOVE:

623

break;

624

625

case AVAHI_BROWSER_ALL_FOR_NOW:

626

case AVAHI_BROWSER_CACHE_EXHAUSTED:

627

break;

740

628

}

741

break;

742

}

743

629

}

744

630

745

631

/* Combines file name and path and returns the malloced new

752

638

return NULL;

753

639

}

754

640

if(f_len > 0){

755

memcpy(tmp, first, f_len); /* Spurious warning */

641

memcpy(tmp, first, f_len);

756

642

}

757

643

tmp[f_len] = '/';

758

644

if(s_len > 0){

759

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

645

memcpy(tmp + f_len + 1, second, s_len);

760

646

}

761

647

tmp[f_len + 1 + s_len] = '\0';

762

648

return tmp;

763

649

}

764

650

765

651

766

int main(int argc, char *argv[]){

652

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

653

AvahiServerConfig config;

767

654

AvahiSServiceBrowser *sb = NULL;

768

655

int error;

769

656

int ret;

770

int exitcode = EXIT_SUCCESS;

771

const char *interface = "eth0";

772

struct ifreq network;

773

int sd;

774

uid_t uid;

775

gid_t gid;

657

int returncode = EXIT_SUCCESS;

658

const char *interface = NULL;

659

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

776

660

char *connect_to = NULL;

777

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

778

const char *pubkeyfile = "pubkey.txt";

779

const char *seckeyfile = "seckey.txt";

780

mandos_context mc = { .simple_poll = NULL, .server = NULL,

781

.dh_bits = 1024, .priority = "SECURE256"};

782

bool gnutls_initalized = false;

783

784

{

785

struct argp_option options[] = {

786

{ .name = "debug", .key = 128,

787

.doc = "Debug mode", .group = 3 },

788

{ .name = "connect", .key = 'c',

789

.arg = "IP",

790

.doc = "Connect directly to a sepcified mandos server",

791

.group = 1 },

792

{ .name = "interface", .key = 'i',

793

.arg = "INTERFACE",

794

.doc = "Interface that Avahi will conntect through",

795

.group = 1 },

796

{ .name = "keydir", .key = 'd',

797

.arg = "KEYDIR",

798

.doc = "Directory where the openpgp keyring is",

799

.group = 1 },

800

{ .name = "seckey", .key = 's',

801

.arg = "SECKEY",

802

.doc = "Secret openpgp key for gnutls authentication",

803

.group = 1 },

804

{ .name = "pubkey", .key = 'p',

805

.arg = "PUBKEY",

806

.doc = "Public openpgp key for gnutls authentication",

807

.group = 2 },

808

{ .name = "dh-bits", .key = 129,

809

.arg = "BITS",

810

.doc = "dh-bits to use in gnutls communication",

811

.group = 2 },

812

{ .name = "priority", .key = 130,

813

.arg = "PRIORITY",

814

.doc = "GNUTLS priority", .group = 1 },

815

{ .name = NULL }

816

};

817

818

819

error_t parse_opt (int key, char *arg,

820

struct argp_state *state) {

821

/* Get the INPUT argument from `argp_parse', which we know is

822

a pointer to our plugin list pointer. */

823

switch (key) {

824

case 128:

825

debug = true;

826

break;

827

case 'c':

828

connect_to = arg;

829

break;

830

case 'i':

831

interface = arg;

832

break;

833

case 'd':

834

keydir = arg;

835

break;

836

case 's':

837

seckeyfile = arg;

838

break;

839

case 'p':

840

pubkeyfile = arg;

841

break;

842

case 129:

843

errno = 0;

844

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

845

if (errno){

846

perror("strtol");

847

exit(EXIT_FAILURE);

848

}

849

break;

850

case 130:

851

mc.priority = arg;

852

break;

853

case ARGP_KEY_ARG:

854

argp_usage (state);

855

break;

856

case ARGP_KEY_END:

857

break;

858

default:

859

return ARGP_ERR_UNKNOWN;

860

}

861

return 0;

862

}

863

864

struct argp argp = { .options = options, .parser = parse_opt,

865

.args_doc = "",

866

.doc = "Mandos client -- Get and decrypt"

867

" passwords from mandos server" };

868

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

869

if (ret == ARGP_ERR_UNKNOWN){

870

fprintf(stderr, "Unkown error while parsing arguments\n");

871

exitcode = EXIT_FAILURE;

872

goto end;

873

}

874

}

875

876

pubkeyfile = combinepath(keydir, pubkeyfile);

877

if (pubkeyfile == NULL){

878

perror("combinepath");

879

exitcode = EXIT_FAILURE;

880

goto end;

881

}

882

883

seckeyfile = combinepath(keydir, seckeyfile);

884

if (seckeyfile == NULL){

885

perror("combinepath");

886

goto end;

887

}

888

889

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

890

if (ret == -1){

891

fprintf(stderr, "init_gnutls_global\n");

892

goto end;

893

} else {

894

gnutls_initalized = true;

895

}

896

897

uid = getuid();

898

gid = getgid();

899

900

ret = setuid(uid);

901

if (ret == -1){

902

perror("setuid");

903

}

904

905

setgid(gid);

906

if (ret == -1){

907

perror("setgid");

908

}

909

910

if_index = (AvahiIfIndex) if_nametoindex(interface);

911

if(if_index == 0){

912

fprintf(stderr, "No such interface: \"%s\"\n", interface);

913

exit(EXIT_FAILURE);

661

662

while (true){

663

static struct option long_options[] = {

664

{"debug", no_argument, (int *)&debug, 1},

665

{"connect", required_argument, 0, 'C'},

666

{"interface", required_argument, 0, 'i'},

667

{"certdir", required_argument, 0, 'd'},

668

{"certkey", required_argument, 0, 'c'},

669

{"certfile", required_argument, 0, 'k'},

670

{0, 0, 0, 0} };

671

672

int option_index = 0;

673

ret = getopt_long (argc, argv, "i:", long_options,

674

&option_index);

675

676

if (ret == -1){

677

break;

678

}

679

680

switch(ret){

681

case 0:

682

break;

683

case 'i':

684

interface = optarg;

685

break;

686

case 'C':

687

connect_to = optarg;

688

break;

689

case 'd':

690

certdir = optarg;

691

break;

692

case 'c':

693

certfile = optarg;

694

break;

695

case 'k':

696

certkey = optarg;

697

break;

698

default:

699

exit(EXIT_FAILURE);

700

}

701

}

702

703

certfile = combinepath(certdir, certfile);

704

if (certfile == NULL){

705

perror("combinepath");

706

goto exit;

707

}

708

709

if(interface != NULL){

710

if_index = (AvahiIfIndex) if_nametoindex(interface);

711

if(if_index == 0){

712

fprintf(stderr, "No such interface: \"%s\"\n", interface);

713

exit(EXIT_FAILURE);

714

}

914

715

}

915

716

916

717

if(connect_to != NULL){

919

720

char *address = strrchr(connect_to, ':');

920

721

if(address == NULL){

921

722

fprintf(stderr, "No colon in address\n");

922

exitcode = EXIT_FAILURE;

923

goto end;

723

exit(EXIT_FAILURE);

924

724

}

925

725

errno = 0;

926

726

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

927

727

if(errno){

928

728

perror("Bad port number");

929

exitcode = EXIT_FAILURE;

930

goto end;

729

exit(EXIT_FAILURE);

931

730

}

932

731

*address = '\0';

933

732

address = connect_to;

934

ret = start_mandos_communication(address, port, if_index, &mc);

733

ret = start_mandos_communication(address, port, if_index);

935

734

if(ret < 0){

936

exitcode = EXIT_FAILURE;

735

exit(EXIT_FAILURE);

937

736

} else {

938

exitcode = EXIT_SUCCESS;

737

exit(EXIT_SUCCESS);

939

738

}

940

goto end;

941

739

}

942

740

943

/* If the interface is down, bring it up */

944

{

945

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

946

if(sd < 0) {

947

perror("socket");

948

exitcode = EXIT_FAILURE;

949

goto end;

950

}

951

strcpy(network.ifr_name, interface); /* Spurious warning */

952

ret = ioctl(sd, SIOCGIFFLAGS, &network);

953

if(ret == -1){

954

perror("ioctl SIOCGIFFLAGS");

955

exitcode = EXIT_FAILURE;

956

goto end;

957

}

958

if((network.ifr_flags & IFF_UP) == 0){

959

network.ifr_flags |= IFF_UP;

960

ret = ioctl(sd, SIOCSIFFLAGS, &network);

961

if(ret == -1){

962

perror("ioctl SIOCSIFFLAGS");

963

exitcode = EXIT_FAILURE;

964

goto end;

965

}

966

}

967

close(sd);

741

certkey = combinepath(certdir, certkey);

742

if (certkey == NULL){

743

perror("combinepath");

744

goto exit;

968

745

}

969

746

970

747

if (not debug){

971

748

avahi_set_log_function(empty_log);

972

749

}

973

750

974

/* Initialize the pseudo-RNG for Avahi */

751

/* Initialize the psuedo-RNG */

975

752

srand((unsigned int) time(NULL));

976

977

/* Allocate main Avahi loop object */

978

mc.simple_poll = avahi_simple_poll_new();

979

if (mc.simple_poll == NULL) {

980

fprintf(stderr, "Avahi: Failed to create simple poll"

981

" object.\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

}

985

986

{

987

AvahiServerConfig config;

988

/* Do not publish any local Zeroconf records */

989

avahi_server_config_init(&config);

990

config.publish_hinfo = 0;

991

config.publish_addresses = 0;

992

config.publish_workstation = 0;

993

config.publish_domain = 0;

994

995

/* Allocate a new server */

996

mc.server = avahi_server_new(avahi_simple_poll_get

997

(mc.simple_poll), &config, NULL,

998

NULL, &error);

999

1000

/* Free the Avahi configuration data */

1001

avahi_server_config_free(&config);

1002

}

1003

1004

/* Check if creating the Avahi server object succeeded */

1005

if (mc.server == NULL) {

1006

fprintf(stderr, "Failed to create Avahi server: %s\n",

753

754

/* Allocate main loop object */

755

if (!(simple_poll = avahi_simple_poll_new())) {

756

fprintf(stderr, "Failed to create simple poll object.\n");

757

758

goto exit;

759

}

760

761

/* Do not publish any local records */

762

avahi_server_config_init(&config);

763

config.publish_hinfo = 0;

764

config.publish_addresses = 0;

765

config.publish_workstation = 0;

766

config.publish_domain = 0;

767

768

/* Allocate a new server */

769

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

770

&config, NULL, NULL, &error);

771

772

/* Free the configuration data */

773

avahi_server_config_free(&config);

774

775

/* Check if creating the server object succeeded */

776

if (!server) {

777

fprintf(stderr, "Failed to create server: %s\n",

1007

778

avahi_strerror(error));

1008

exitcode = EXIT_FAILURE;

1009

goto end;

779

returncode = EXIT_FAILURE;

780

goto exit;

1010

781

}

1011

782

1012

/* Create the Avahi service browser */

1013

sb = avahi_s_service_browser_new(mc.server, if_index,

783

/* Create the service browser */

784

sb = avahi_s_service_browser_new(server, if_index,

1014

785

AVAHI_PROTO_INET6,

1015

786

"_mandos._tcp", NULL, 0,

1016

browse_callback, &mc);

1017

if (sb == NULL) {

787

browse_callback, server);

788

if (!sb) {

1018

789

fprintf(stderr, "Failed to create service browser: %s\n",

1019

avahi_strerror(avahi_server_errno(mc.server)));

1020

exitcode = EXIT_FAILURE;

1021

goto end;

790

avahi_strerror(avahi_server_errno(server)));

791

returncode = EXIT_FAILURE;

792

goto exit;

1022

793

}

1023

794

1024

795

/* Run the main loop */

1025

796

1026

797

if (debug){

1027

fprintf(stderr, "Starting Avahi loop search\n");

798

fprintf(stderr, "Starting avahi loop search\n");

1028

799

}

1029

800

1030

avahi_simple_poll_loop(mc.simple_poll);

801

avahi_simple_poll_loop(simple_poll);

1031

802

1032

end:

803

exit:

1033

804

1034

805

if (debug){

1035

806

fprintf(stderr, "%s exiting\n", argv[0]);

1036

807

}

1037

808

1038

809

/* Cleanup things */

1039

if (sb != NULL)

810

if (sb)

1040

811

avahi_s_service_browser_free(sb);

1041

812

1042

if (mc.server != NULL)

1043

avahi_server_free(mc.server);

1044

1045

if (mc.simple_poll != NULL)

1046

avahi_simple_poll_free(mc.simple_poll);

1047

free(pubkeyfile);

1048

free(seckeyfile);

1049

1050

if (gnutls_initalized){

1051

gnutls_certificate_free_credentials(mc.cred);

1052

gnutls_global_deinit ();

1053

}

813

if (server)

814

avahi_server_free(server);

815

816

if (simple_poll)

817

avahi_simple_poll_free(simple_poll);

818

free(certfile);

819

free(certkey);

1054

820

1055

return exitcode;

821

return returncode;

1056

822

}