/mandos/release : revision 37

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

54

struct in6_addr, inet_pton(),

55

connect() */

56

#include <assert.h> /* assert() */

57

#include <errno.h> /* perror(), errno */

58

#include <time.h> /* time() */

59

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

60

SIOCSIFFLAGS, if_indextoname(),

61

if_nametoindex(), IF_NAMESIZE */

62

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

63

getuid(), getgid(), setuid(),

64

setgid() */

65

#include <netinet/in.h>

66

#include <arpa/inet.h> /* inet_pton(), htons */

67

#include <iso646.h> /* not, and */

68

#include <argp.h> /* struct argp_option, error_t, struct

69

argp_state, struct argp,

70

argp_parse(), ARGP_KEY_ARG,

71

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

72

73

/* Avahi */

74

/* All Avahi types, constants and functions

75

Avahi*, avahi_*,

76

AVAHI_* */

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

77

41

#include <avahi-core/core.h>

78

42

#include <avahi-core/lookup.h>

79

43

#include <avahi-core/log.h>

81

45

#include <avahi-common/malloc.h>

82

46

#include <avahi-common/error.h>

83

47

84

/* GnuTLS */

85

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

86

gnutls_*

87

init_gnutls_session(),

88

GNUTLS_* */

89

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

90

GNUTLS_OPENPGP_FMT_BASE64 */

91

92

/* GPGME */

93

#include <gpgme.h> /* All GPGME types, constants and functions

94

gpgme_*

95

GPGME_PROTOCOL_OpenPGP,

96

GPG_ERR_NO_* */

48

//mandos client part

49

#include <sys/types.h> /* socket(), inet_pton() */

50

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

51

struct in6_addr, inet_pton() */

52

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

53

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

54

55

#include <unistd.h> /* close() */

56

#include <netinet/in.h>

57

#include <stdbool.h> /* true */

58

#include <string.h> /* memset */

59

#include <arpa/inet.h> /* inet_pton() */

60

#include <iso646.h> /* not */

61

62

// gpgme

63

#include <errno.h> /* perror() */

64

#include <gpgme.h>

65

66

// getopt_long

67

#include <getopt.h>

97

68

98

69

#define BUFFER_SIZE 256

99

70

71

static int dh_bits = 1024;

72

73

static const char *keydir = "/conf/conf.d/mandos";

74

static const char *pubkeyfile = "pubkey.txt";

75

static const char *seckeyfile = "seckey.txt";

76

100

77

bool debug = false;

101

static const char *keydir = "/conf/conf.d/mandos";

102

static const char mandos_protocol_version[] = "1";

103

const char *argp_program_version = "mandosclient 0.9";

104

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

105

78

106

/* Used for passing in values through the Avahi callback functions */

79

/* Used for */

107

80

typedef struct {

108

AvahiSimplePoll *simple_poll;

109

AvahiServer *server;

81

gnutls_session_t session;

110

82

gnutls_certificate_credentials_t cred;

111

unsigned int dh_bits;

112

83

gnutls_dh_params_t dh_params;

113

const char *priority;

114

} mandos_context;

115

116

/*

117

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

118

* "buffer_capacity" is how much is currently allocated,

119

* "buffer_length" is how much is already used.

120

*/

121

size_t adjustbuffer(char **buffer, size_t buffer_length,

122

size_t buffer_capacity){

123

if (buffer_length + BUFFER_SIZE > buffer_capacity){

124

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

125

if (buffer == NULL){

126

return 0;

127

}

128

buffer_capacity += BUFFER_SIZE;

129

}

130

return buffer_capacity;

131

}

132

133

/*

134

* Decrypt OpenPGP data using keyrings in HOMEDIR.

135

* Returns -1 on error

136

*/

137

static ssize_t pgp_packet_decrypt (const char *cryptotext,

138

size_t crypto_size,

139

char **plaintext,

84

} encrypted_session;

85

86

87

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

88

char **new_packet,

140

89

const char *homedir){

141

90

gpgme_data_t dh_crypto, dh_plain;

142

91

gpgme_ctx_t ctx;

143

92

gpgme_error_t rc;

144

93

ssize_t ret;

145

size_t plaintext_capacity = 0;

146

ssize_t plaintext_length = 0;

94

ssize_t new_packet_capacity = 0;

95

ssize_t new_packet_length = 0;

147

96

gpgme_engine_info_t engine_info;

148

97

149

98

if (debug){

150

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

99

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

151

100

}

152

101

153

102

/* Init GPGME */

159

108

return -1;

160

109

}

161

110

162

/* Set GPGME home directory for the OpenPGP engine only */

111

/* Set GPGME home directory */

163

112

rc = gpgme_get_engine_info (&engine_info);

164

113

if (rc != GPG_ERR_NO_ERROR){

165

114

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

175

124

engine_info = engine_info->next;

176

125

}

177

126

if(engine_info == NULL){

178

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

127

fprintf(stderr, "Could not set home dir to %s\n", homedir);

179

128

return -1;

180

129

}

181

130

182

/* Create new GPGME data buffer from memory cryptotext */

183

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

184

0);

131

/* Create new GPGME data buffer from packet buffer */

132

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

185

133

if (rc != GPG_ERR_NO_ERROR){

186

134

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

187

135

gpgme_strsource(rc), gpgme_strerror(rc));

193

141

if (rc != GPG_ERR_NO_ERROR){

194

142

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

195

143

gpgme_strsource(rc), gpgme_strerror(rc));

196

gpgme_data_release(dh_crypto);

197

144

return -1;

198

145

}

199

146

202

149

if (rc != GPG_ERR_NO_ERROR){

203

150

fprintf(stderr, "bad gpgme_new: %s: %s\n",

204

151

gpgme_strsource(rc), gpgme_strerror(rc));

205

plaintext_length = -1;

206

goto decrypt_end;

152

return -1;

207

153

}

208

154

209

/* Decrypt data from the cryptotext data buffer to the plaintext

210

data buffer */

155

/* Decrypt data from the FILE pointer to the plaintext data

156

buffer */

211

157

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

212

158

if (rc != GPG_ERR_NO_ERROR){

213

159

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

214

160

gpgme_strsource(rc), gpgme_strerror(rc));

215

plaintext_length = -1;

216

goto decrypt_end;

161

return -1;

217

162

}

218

163

219

164

if(debug){

220

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

165

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

221

166

}

222

167

223

168

if (debug){

224

169

gpgme_decrypt_result_t result;

225

170

result = gpgme_op_decrypt_result(ctx);

249

194

}

250

195

}

251

196

197

/* Delete the GPGME FILE pointer cryptotext data buffer */

198

gpgme_data_release(dh_crypto);

199

252

200

/* Seek back to the beginning of the GPGME plaintext data buffer */

253

201

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

202

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

203

}

258

204

259

*plaintext = NULL;

205

*new_packet = 0;

260

206

while(true){

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

207

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

208

*new_packet = realloc(*new_packet,

209

(unsigned int)new_packet_capacity

210

+ BUFFER_SIZE);

211

if (*new_packet == NULL){

212

perror("realloc");

213

return -1;

214

}

215

new_packet_capacity += BUFFER_SIZE;

268

216

}

269

217

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

218

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

271

219

BUFFER_SIZE);

272

220

/* Print the data, if any */

273

221

if (ret == 0){

274

/* EOF */

275

222

break;

276

223

}

277

224

if(ret < 0){

278

225

perror("gpgme_data_read");

279

plaintext_length = -1;

280

goto decrypt_end;

226

return -1;

281

227

}

282

plaintext_length += ret;

228

new_packet_length += ret;

283

229

}

284

230

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

231

/* FIXME: check characters before printing to screen so to not print

232

terminal control characters */

233

/* if(debug){ */

234

/* fprintf(stderr, "decrypted password is: "); */

235

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

236

/* fprintf(stderr, "\n"); */

237

/* } */

297

238

298

239

/* Delete the GPGME plaintext data buffer */

299

240

gpgme_data_release(dh_plain);

300

return plaintext_length;

241

return new_packet_length;

301

242

}

302

243

303

244

static const char * safer_gnutls_strerror (int value) {

307

248

return ret;

308

249

}

309

250

310

/* GnuTLS log function callback */

311

251

static void debuggnutls(__attribute__((unused)) int level,

312

252

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

253

fprintf(stderr, "%s", string);

314

254

}

315

255

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfile,

318

const char *seckeyfile){

256

static int initgnutls(encrypted_session *es){

257

const char *err;

319

258

int ret;

320

259

321

260

if(debug){

322

261

fprintf(stderr, "Initializing GnuTLS\n");

323

262

}

324

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

263

264

if ((ret = gnutls_global_init ())

265

!= GNUTLS_E_SUCCESS) {

266

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

329

267

return -1;

330

268

}

331

269

332

270

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

*/

336

271

gnutls_global_set_log_level(11);

337

272

gnutls_global_set_log_function(debuggnutls);

338

273

}

339

274

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n",

275

/* openpgp credentials */

276

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

277

!= GNUTLS_E_SUCCESS) {

278

fprintf (stderr, "memory error: %s\n",

344

279

safer_gnutls_strerror(ret));

345

gnutls_global_deinit ();

346

280

return -1;

347

281

}

348

282

353

287

}

354

288

355

289

ret = gnutls_certificate_set_openpgp_key_file

356

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

290

(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

357

291

if (ret != GNUTLS_E_SUCCESS) {

358

fprintf(stderr,

359

"Error[%d] while reading the OpenPGP key pair ('%s',"

360

" '%s')\n", ret, pubkeyfile, seckeyfile);

361

fprintf(stdout, "The GnuTLS error is: %s\n",

292

fprintf

293

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

294

" '%s')\n",

295

ret, pubkeyfile, seckeyfile);

296

fprintf(stdout, "The Error is: %s\n",

362

297

safer_gnutls_strerror(ret));

363

goto globalfail;

364

}

365

366

/* GnuTLS server initialization */

367

ret = gnutls_dh_params_init(&mc->dh_params);

368

if (ret != GNUTLS_E_SUCCESS) {

369

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

370

" %s\n", safer_gnutls_strerror(ret));

371

goto globalfail;

372

}

373

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

376

safer_gnutls_strerror(ret));

377

goto globalfail;

378

}

379

380

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

381

382

return 0;

383

384

globalfail:

385

386

gnutls_certificate_free_credentials(mc->cred);

387

gnutls_global_deinit();

388

return -1;

389

390

}

391

392

static int init_gnutls_session(mandos_context *mc,

393

gnutls_session_t *session){

394

int ret;

395

/* GnuTLS session creation */

396

ret = gnutls_init(session, GNUTLS_SERVER);

397

if (ret != GNUTLS_E_SUCCESS){

298

return -1;

299

}

300

301

//GnuTLS server initialization

302

if ((ret = gnutls_dh_params_init (&es->dh_params))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in dh parameter initialization: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))

310

!= GNUTLS_E_SUCCESS) {

311

fprintf (stderr, "Error in prime generation: %s\n",

312

safer_gnutls_strerror(ret));

313

return -1;

314

}

315

316

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

317

318

// GnuTLS session creation

319

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

320

!= GNUTLS_E_SUCCESS){

398

321

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

399

322

safer_gnutls_strerror(ret));

400

323

}

401

324

402

{

403

const char *err;

404

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

405

if (ret != GNUTLS_E_SUCCESS) {

406

fprintf(stderr, "Syntax error at: %s\n", err);

407

fprintf(stderr, "GnuTLS error: %s\n",

408

safer_gnutls_strerror(ret));

409

gnutls_deinit (*session);

410

return -1;

411

}

325

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

326

!= GNUTLS_E_SUCCESS) {

327

fprintf(stderr, "Syntax error at: %s\n", err);

328

fprintf(stderr, "GnuTLS error: %s\n",

329

safer_gnutls_strerror(ret));

330

return -1;

412

331

}

413

332

414

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

415

mc->cred);

416

if (ret != GNUTLS_E_SUCCESS) {

417

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

333

if ((ret = gnutls_credentials_set

334

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

335

!= GNUTLS_E_SUCCESS) {

336

fprintf(stderr, "Error setting a credentials set: %s\n",

418

337

safer_gnutls_strerror(ret));

419

gnutls_deinit (*session);

420

338

return -1;

421

339

}

422

340

423

341

/* ignore client certificate if any. */

424

gnutls_certificate_server_set_request (*session,

342

gnutls_certificate_server_set_request (es->session,

425

343

GNUTLS_CERT_IGNORE);

426

344

427

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

345

gnutls_dh_set_prime_bits (es->session, dh_bits);

428

346

429

347

return 0;

430

348

}

431

349

432

/* Avahi log function callback */

433

350

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

434

351

__attribute__((unused)) const char *txt){}

435

352

436

/* Called when a Mandos server is found */

437

353

static int start_mandos_communication(const char *ip, uint16_t port,

438

AvahiIfIndex if_index,

439

mandos_context *mc){

354

AvahiIfIndex if_index){

440

355

int ret, tcp_sd;

441

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

356

struct sockaddr_in6 to;

357

encrypted_session es;

442

358

char *buffer = NULL;

443

359

char *decrypted_buffer;

444

360

size_t buffer_length = 0;

445

361

size_t buffer_capacity = 0;

446

362

ssize_t decrypted_buffer_size;

447

size_t written;

363

size_t written = 0;

448

364

int retval = 0;

449

365

char interface[IF_NAMESIZE];

450

gnutls_session_t session;

451

452

ret = init_gnutls_session (mc, &session);

453

if (ret != 0){

454

return -1;

455

}

456

366

457

367

if(debug){

458

368

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

464

374

perror("socket");

465

375

return -1;

466

376

}

467

468

if(debug){

469

if(if_indextoname((unsigned int)if_index, interface) == NULL){

377

378

if(if_indextoname((unsigned int)if_index, interface) == NULL){

379

if(debug){

470

380

perror("if_indextoname");

471

return -1;

472

381

}

382

return -1;

383

}

384

385

if(debug){

473

386

fprintf(stderr, "Binding to interface %s\n", interface);

474

387

}

475

388

476

389

memset(&to,0,sizeof(to)); /* Spurious warning */

477

to.in6.sin6_family = AF_INET6;

478

/* It would be nice to have a way to detect if we were passed an

479

IPv4 address here. Now we assume an IPv6 address. */

480

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

390

to.sin6_family = AF_INET6;

391

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

481

392

if (ret < 0 ){

482

393

perror("inet_pton");

483

394

return -1;

484

}

395

}

485

396

if(ret == 0){

486

397

fprintf(stderr, "Bad address: %s\n", ip);

487

398

return -1;

488

399

}

489

to.in6.sin6_port = htons(port); /* Spurious warning */

400

to.sin6_port = htons(port); /* Spurious warning */

490

401

491

to.in6.sin6_scope_id = (uint32_t)if_index;

402

to.sin6_scope_id = (uint32_t)if_index;

492

403

493

404

if(debug){

494

405

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

495

406

char addrstr[INET6_ADDRSTRLEN] = "";

496

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

407

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

497

408

sizeof(addrstr)) == NULL){

498

409

perror("inet_ntop");

499

410

} else {

500

411

if(strcmp(addrstr, ip) != 0){

501

fprintf(stderr, "Canonical address form: %s\n", addrstr);

412

fprintf(stderr, "Canonical address form: %s\n",

413

addrstr, ntohs(to.sin6_port));

502

414

}

503

415

}

504

416

}

505

417

506

ret = connect(tcp_sd, &to.in, sizeof(to));

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

507

419

if (ret < 0){

508

420

perror("connect");

509

421

return -1;

510

422

}

511

512

const char *out = mandos_protocol_version;

513

written = 0;

514

while (true){

515

size_t out_size = strlen(out);

516

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

517

out_size - written));

518

if (ret == -1){

519

perror("write");

520

retval = -1;

521

goto mandos_end;

522

}

523

written += (size_t)ret;

524

if(written < out_size){

525

continue;

526

} else {

527

if (out == mandos_protocol_version){

528

written = 0;

529

out = "\r\n";

530

} else {

531

break;

532

}

533

}

423

424

ret = initgnutls (&es);

425

if (ret != 0){

426

retval = -1;

427

return -1;

534

428

}

535

429

430

gnutls_transport_set_ptr (es.session,

431

(gnutls_transport_ptr_t) tcp_sd);

432

536

433

if(debug){

537

434

fprintf(stderr, "Establishing TLS session with %s\n", ip);

538

435

}

539

436

540

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

541

542

do{

543

ret = gnutls_handshake (session);

544

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

437

ret = gnutls_handshake (es.session);

545

438

546

439

if (ret != GNUTLS_E_SUCCESS){

547

440

if(debug){

548

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

441

fprintf(stderr, "\n*** Handshake failed ***\n");

549

442

gnutls_perror (ret);

550

443

}

551

444

retval = -1;

552

goto mandos_end;

445

goto exit;

553

446

}

554

447

555

/* Read OpenPGP packet that contains the wanted password */

448

//Retrieve OpenPGP packet that contains the wanted password

556

449

557

450

if(debug){

558

451

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

560

453

}

561

454

562

455

while(true){

563

buffer_capacity = adjustbuffer(&buffer, buffer_length,

564

buffer_capacity);

565

if (buffer_capacity == 0){

566

perror("adjustbuffer");

567

retval = -1;

568

goto mandos_end;

456

if (buffer_length + BUFFER_SIZE > buffer_capacity){

457

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

458

if (buffer == NULL){

459

perror("realloc");

460

goto exit;

461

}

462

buffer_capacity += BUFFER_SIZE;

569

463

}

570

464

571

ret = gnutls_record_recv(session, buffer+buffer_length,

572

BUFFER_SIZE);

465

ret = gnutls_record_recv

466

(es.session, buffer+buffer_length, BUFFER_SIZE);

573

467

if (ret == 0){

574

468

break;

575

469

}

579

473

case GNUTLS_E_AGAIN:

580

474

break;

581

475

case GNUTLS_E_REHANDSHAKE:

582

do{

583

ret = gnutls_handshake (session);

584

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

476

ret = gnutls_handshake (es.session);

585

477

if (ret < 0){

586

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

478

fprintf(stderr, "\n*** Handshake failed ***\n");

587

479

gnutls_perror (ret);

588

480

retval = -1;

589

goto mandos_end;

481

goto exit;

590

482

}

591

483

break;

592

484

default:

593

485

fprintf(stderr, "Unknown error while reading data from"

594

" encrypted session with Mandos server\n");

486

" encrypted session with mandos server\n");

595

487

retval = -1;

596

gnutls_bye (session, GNUTLS_SHUT_RDWR);

597

goto mandos_end;

488

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

489

goto exit;

598

490

}

599

491

} else {

600

492

buffer_length += (size_t) ret;

601

493

}

602

494

}

603

495

604

if(debug){

605

fprintf(stderr, "Closing TLS session\n");

606

}

607

608

gnutls_bye (session, GNUTLS_SHUT_RDWR);

609

610

496

if (buffer_length > 0){

611

497

decrypted_buffer_size = pgp_packet_decrypt(buffer,

612

498

buffer_length,

613

499

&decrypted_buffer,

614

500

keydir);

615

501

if (decrypted_buffer_size >= 0){

616

written = 0;

617

502

while(written < (size_t) decrypted_buffer_size){

618

503

ret = (int)fwrite (decrypted_buffer + written, 1,

619

504

(size_t)decrypted_buffer_size - written,

633

518

retval = -1;

634

519

}

635

520

}

636

637

/* Shutdown procedure */

638

639

mandos_end:

521

522

//shutdown procedure

523

524

if(debug){

525

fprintf(stderr, "Closing TLS session\n");

526

}

527

640

528

free(buffer);

529

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

530

exit:

641

531

close(tcp_sd);

642

gnutls_deinit (session);

532

gnutls_deinit (es.session);

533

gnutls_certificate_free_credentials (es.cred);

534

gnutls_global_deinit ();

643

535

return retval;

644

536

}

645

537

646

static void resolve_callback(AvahiSServiceResolver *r,

647

AvahiIfIndex interface,

648

AVAHI_GCC_UNUSED AvahiProtocol protocol,

649

AvahiResolverEvent event,

650

const char *name,

651

const char *type,

652

const char *domain,

653

const char *host_name,

654

const AvahiAddress *address,

655

uint16_t port,

656

AVAHI_GCC_UNUSED AvahiStringList *txt,

657

AVAHI_GCC_UNUSED AvahiLookupResultFlags

658

flags,

659

void* userdata) {

660

mandos_context *mc = userdata;

538

static AvahiSimplePoll *simple_poll = NULL;

539

static AvahiServer *server = NULL;

540

541

static void resolve_callback(

542

AvahiSServiceResolver *r,

543

AvahiIfIndex interface,

544

AVAHI_GCC_UNUSED AvahiProtocol protocol,

545

AvahiResolverEvent event,

546

const char *name,

547

const char *type,

548

const char *domain,

549

const char *host_name,

550

const AvahiAddress *address,

551

uint16_t port,

552

AVAHI_GCC_UNUSED AvahiStringList *txt,

553

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

554

AVAHI_GCC_UNUSED void* userdata) {

555

661

556

assert(r); /* Spurious warning */

662

557

663

558

/* Called whenever a service has been resolved successfully or

666

561

switch (event) {

667

562

default:

668

563

case AVAHI_RESOLVER_FAILURE:

669

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

670

" of type '%s' in domain '%s': %s\n", name, type, domain,

671

avahi_strerror(avahi_server_errno(mc->server)));

564

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

565

" type '%s' in domain '%s': %s\n", name, type, domain,

566

avahi_strerror(avahi_server_errno(server)));

672

567

break;

673

568

674

569

case AVAHI_RESOLVER_FOUND:

676

571

char ip[AVAHI_ADDRESS_STR_MAX];

677

572

avahi_address_snprint(ip, sizeof(ip), address);

678

573

if(debug){

679

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

680

" port %d\n", name, host_name, ip, interface, port);

574

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

575

" port %d\n", name, host_name, ip, port);

681

576

}

682

int ret = start_mandos_communication(ip, port, interface, mc);

577

int ret = start_mandos_communication(ip, port, interface);

683

578

if (ret == 0){

684

579

exit(EXIT_SUCCESS);

685

580

}

688

583

avahi_s_service_resolver_free(r);

689

584

}

690

585

691

static void browse_callback( AvahiSServiceBrowser *b,

692

AvahiIfIndex interface,

693

AvahiProtocol protocol,

694

AvahiBrowserEvent event,

695

const char *name,

696

const char *type,

697

const char *domain,

698

AVAHI_GCC_UNUSED AvahiLookupResultFlags

699

flags,

700

void* userdata) {

701

mandos_context *mc = userdata;

702

assert(b); /* Spurious warning */

703

704

/* Called whenever a new services becomes available on the LAN or

705

is removed from the LAN */

706

707

switch (event) {

708

default:

709

case AVAHI_BROWSER_FAILURE:

710

711

fprintf(stderr, "(Avahi browser) %s\n",

712

avahi_strerror(avahi_server_errno(mc->server)));

713

avahi_simple_poll_quit(mc->simple_poll);

714

return;

715

716

case AVAHI_BROWSER_NEW:

717

/* We ignore the returned Avahi resolver object. In the callback

718

function we free it. If the Avahi server is terminated before

719

the callback function is called the Avahi server will free the

720

resolver for us. */

721

722

if (!(avahi_s_service_resolver_new(mc->server, interface,

723

protocol, name, type, domain,

724

AVAHI_PROTO_INET6, 0,

725

resolve_callback, mc)))

726

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

727

name, avahi_strerror(avahi_server_errno(mc->server)));

728

break;

729

730

case AVAHI_BROWSER_REMOVE:

731

break;

732

733

case AVAHI_BROWSER_ALL_FOR_NOW:

734

case AVAHI_BROWSER_CACHE_EXHAUSTED:

735

if(debug){

736

fprintf(stderr, "No Mandos server found, still searching...\n");

586

static void browse_callback(

587

AvahiSServiceBrowser *b,

588

AvahiIfIndex interface,

589

AvahiProtocol protocol,

590

AvahiBrowserEvent event,

591

const char *name,

592

const char *type,

593

const char *domain,

594

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

595

void* userdata) {

596

597

AvahiServer *s = userdata;

598

assert(b); /* Spurious warning */

599

600

/* Called whenever a new services becomes available on the LAN or

601

is removed from the LAN */

602

603

switch (event) {

604

default:

605

case AVAHI_BROWSER_FAILURE:

606

607

fprintf(stderr, "(Browser) %s\n",

608

avahi_strerror(avahi_server_errno(server)));

609

avahi_simple_poll_quit(simple_poll);

610

return;

611

612

case AVAHI_BROWSER_NEW:

613

/* We ignore the returned resolver object. In the callback

614

function we free it. If the server is terminated before

615

the callback function is called the server will free

616

the resolver for us. */

617

618

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

619

type, domain,

620

AVAHI_PROTO_INET6, 0,

621

resolve_callback, s)))

622

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

623

avahi_strerror(avahi_server_errno(s)));

624

break;

625

626

case AVAHI_BROWSER_REMOVE:

627

break;

628

629

case AVAHI_BROWSER_ALL_FOR_NOW:

630

case AVAHI_BROWSER_CACHE_EXHAUSTED:

631

break;

737

632

}

738

break;

739

}

740

633

}

741

634

742

635

/* Combines file name and path and returns the malloced new

749

642

return NULL;

750

643

}

751

644

if(f_len > 0){

752

memcpy(tmp, first, f_len); /* Spurious warning */

645

memcpy(tmp, first, f_len);

753

646

}

754

647

tmp[f_len] = '/';

755

648

if(s_len > 0){

756

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

649

memcpy(tmp + f_len + 1, second, s_len);

757

650

}

758

651

tmp[f_len + 1 + s_len] = '\0';

759

652

return tmp;

760

653

}

761

654

762

655

763

int main(int argc, char *argv[]){

656

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

657

AvahiServerConfig config;

764

658

AvahiSServiceBrowser *sb = NULL;

765

659

int error;

766

660

int ret;

767

int exitcode = EXIT_SUCCESS;

768

const char *interface = "eth0";

769

struct ifreq network;

770

int sd;

771

uid_t uid;

772

gid_t gid;

661

int debug_int = 0;

662

int returncode = EXIT_SUCCESS;

663

const char *interface = NULL;

664

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

773

665

char *connect_to = NULL;

774

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

775

const char *pubkeyfile = "pubkey.txt";

776

const char *seckeyfile = "seckey.txt";

777

mandos_context mc = { .simple_poll = NULL, .server = NULL,

778

.dh_bits = 1024, .priority = "SECURE256"};

779

bool gnutls_initalized = false;

780

666

781

{

782

struct argp_option options[] = {

783

{ .name = "debug", .key = 128,

784

.doc = "Debug mode", .group = 3 },

785

{ .name = "connect", .key = 'c',

786

.arg = "IP",

787

.doc = "Connect directly to a sepcified mandos server",

788

.group = 1 },

789

{ .name = "interface", .key = 'i',

790

.arg = "INTERFACE",

791

.doc = "Interface that Avahi will conntect through",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "KEYDIR",

795

.doc = "Directory where the openpgp keyring is",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "SECKEY",

799

.doc = "Secret openpgp key for gnutls authentication",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "PUBKEY",

803

.doc = "Public openpgp key for gnutls authentication",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "dh-bits to use in gnutls communication",

808

.group = 2 },

809

{ .name = "priority", .key = 130,

810

.arg = "PRIORITY",

811

.doc = "GNUTLS priority", .group = 1 },

812

{ .name = NULL }

813

};

814

815

816

error_t parse_opt (int key, char *arg,

817

struct argp_state *state) {

818

/* Get the INPUT argument from `argp_parse', which we know is

819

a pointer to our plugin list pointer. */

820

switch (key) {

821

case 128:

822

debug = true;

823

break;

824

case 'c':

825

connect_to = arg;

826

break;

827

case 'i':

828

interface = arg;

829

break;

830

case 'd':

831

keydir = arg;

832

break;

833

case 's':

834

seckeyfile = arg;

835

break;

836

case 'p':

837

pubkeyfile = arg;

838

break;

839

case 129:

840

errno = 0;

841

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

842

if (errno){

843

perror("strtol");

844

exit(EXIT_FAILURE);

845

}

846

break;

847

case 130:

848

mc.priority = arg;

849

break;

850

case ARGP_KEY_ARG:

851

argp_usage (state);

852

break;

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

857

}

858

return 0;

667

debug_int = debug ? 1 : 0;

668

while (true){

669

static struct option long_options[] = {

670

{"debug", no_argument, &debug_int, 1},

671

{"connect", required_argument, NULL, 'C'},

672

{"interface", required_argument, NULL, 'i'},

673

{"keydir", required_argument, NULL, 'd'},

674

{"seckey", required_argument, NULL, 'c'},

675

{"pubkey", required_argument, NULL, 'k'},

676

{"dh-bits", required_argument, NULL, 'D'},

677

{0, 0, 0, 0} };

678

679

int option_index = 0;

680

ret = getopt_long (argc, argv, "i:", long_options,

681

&option_index);

682

683

if (ret == -1){

684

break;

859

685

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unkown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

686

687

switch(ret){

688

case 0:

689

break;

690

case 'i':

691

interface = optarg;

692

break;

693

case 'C':

694

connect_to = optarg;

695

break;

696

case 'd':

697

keydir = optarg;

698

break;

699

case 'c':

700

pubkeyfile = optarg;

701

break;

702

case 'k':

703

seckeyfile = optarg;

704

break;

705

case 'D':

706

dh_bits = atoi(optarg);

707

break;

708

case '?':

709

break

710

default:

711

exit(EXIT_FAILURE);

870

712

}

871

713

}

872

714

debug = debug_int ? true : false;

715

873

716

pubkeyfile = combinepath(keydir, pubkeyfile);

874

717

if (pubkeyfile == NULL){

875

718

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfile = combinepath(keydir, seckeyfile);

881

if (seckeyfile == NULL){

882

perror("combinepath");

883

goto end;

884

}

885

886

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

887

if (ret == -1){

888

fprintf(stderr, "init_gnutls_global\n");

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

uid = getuid();

895

gid = getgid();

896

897

ret = setuid(uid);

898

if (ret == -1){

899

perror("setuid");

900

}

901

902

setgid(gid);

903

if (ret == -1){

904

perror("setgid");

905

}

906

907

if_index = (AvahiIfIndex) if_nametoindex(interface);

908

if(if_index == 0){

909

fprintf(stderr, "No such interface: \"%s\"\n", interface);

910

exit(EXIT_FAILURE);

719

goto exit;

720

}

721

722

if(interface != NULL){

723

if_index = (AvahiIfIndex) if_nametoindex(interface);

724

if(if_index == 0){

725

fprintf(stderr, "No such interface: \"%s\"\n", interface);

726

exit(EXIT_FAILURE);

727

}

911

728

}

912

729

913

730

if(connect_to != NULL){

916

733

char *address = strrchr(connect_to, ':');

917

734

if(address == NULL){

918

735

fprintf(stderr, "No colon in address\n");

919

exitcode = EXIT_FAILURE;

920

goto end;

736

exit(EXIT_FAILURE);

921

737

}

922

738

errno = 0;

923

739

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

924

740

if(errno){

925

741

perror("Bad port number");

926

exitcode = EXIT_FAILURE;

927

goto end;

742

exit(EXIT_FAILURE);

928

743

}

929

744

*address = '\0';

930

745

address = connect_to;

931

ret = start_mandos_communication(address, port, if_index, &mc);

746

ret = start_mandos_communication(address, port, if_index);

932

747

if(ret < 0){

933

exitcode = EXIT_FAILURE;

748

exit(EXIT_FAILURE);

934

749

} else {

935

exitcode = EXIT_SUCCESS;

750

exit(EXIT_SUCCESS);

936

751

}

937

goto end;

938

752

}

939

753

940

/* If the interface is down, bring it up */

941

{

942

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

943

if(sd < 0) {

944

perror("socket");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

strcpy(network.ifr_name, interface); /* Spurious warning */

949

ret = ioctl(sd, SIOCGIFFLAGS, &network);

950

if(ret == -1){

951

perror("ioctl SIOCGIFFLAGS");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

if((network.ifr_flags & IFF_UP) == 0){

956

network.ifr_flags |= IFF_UP;

957

ret = ioctl(sd, SIOCSIFFLAGS, &network);

958

if(ret == -1){

959

perror("ioctl SIOCSIFFLAGS");

960

exitcode = EXIT_FAILURE;

961

goto end;

962

}

963

}

964

close(sd);

754

seckeyfile = combinepath(keydir, seckeyfile);

755

if (seckeyfile == NULL){

756

perror("combinepath");

757

goto exit;

965

758

}

966

759

967

760

if (not debug){

968

761

avahi_set_log_function(empty_log);

969

762

}

970

763

971

/* Initialize the pseudo-RNG for Avahi */

764

/* Initialize the psuedo-RNG */

972

765

srand((unsigned int) time(NULL));

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

766

767

/* Allocate main loop object */

768

if (!(simple_poll = avahi_simple_poll_new())) {

769

fprintf(stderr, "Failed to create simple poll object.\n");

770

771

goto exit;

772

}

773

774

/* Do not publish any local records */

775

avahi_server_config_init(&config);

776

config.publish_hinfo = 0;

777

config.publish_addresses = 0;

778

config.publish_workstation = 0;

779

config.publish_domain = 0;

780

781

/* Allocate a new server */

782

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

783

&config, NULL, NULL, &error);

784

785

/* Free the configuration data */

786

avahi_server_config_free(&config);

787

788

/* Check if creating the server object succeeded */

789

if (!server) {

790

fprintf(stderr, "Failed to create server: %s\n",

1004

791

avahi_strerror(error));

1005

exitcode = EXIT_FAILURE;

1006

goto end;

792

returncode = EXIT_FAILURE;

793

goto exit;

1007

794

}

1008

795

1009

/* Create the Avahi service browser */

1010

sb = avahi_s_service_browser_new(mc.server, if_index,

796

/* Create the service browser */

797

sb = avahi_s_service_browser_new(server, if_index,

1011

798

AVAHI_PROTO_INET6,

1012

799

"_mandos._tcp", NULL, 0,

1013

browse_callback, &mc);

1014

if (sb == NULL) {

800

browse_callback, server);

801

if (!sb) {

1015

802

fprintf(stderr, "Failed to create service browser: %s\n",

1016

avahi_strerror(avahi_server_errno(mc.server)));

1017

exitcode = EXIT_FAILURE;

1018

goto end;

803

avahi_strerror(avahi_server_errno(server)));

804

returncode = EXIT_FAILURE;

805

goto exit;

1019

806

}

1020

807

1021

808

/* Run the main loop */

1022

809

1023

810

if (debug){

1024

fprintf(stderr, "Starting Avahi loop search\n");

811

fprintf(stderr, "Starting avahi loop search\n");

1025

812

}

1026

813

1027

avahi_simple_poll_loop(mc.simple_poll);

814

avahi_simple_poll_loop(simple_poll);

1028

815

1029

end:

816

exit:

1030

817

1031

818

if (debug){

1032

819

fprintf(stderr, "%s exiting\n", argv[0]);

1033

820

}

1034

821

1035

822

/* Cleanup things */

1036

if (sb != NULL)

823

if (sb)

1037

824

avahi_s_service_browser_free(sb);

1038

825

1039

if (mc.server != NULL)

1040

avahi_server_free(mc.server);

826

if (server)

827

avahi_server_free(server);

1041

828

1042

if (mc.simple_poll != NULL)

1043

avahi_simple_poll_free(mc.simple_poll);

829

if (simple_poll)

830

avahi_simple_poll_free(simple_poll);

1044

831

free(pubkeyfile);

1045

832

free(seckeyfile);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

1051

833

1052

return exitcode;

834

return returncode;

1053

835

}