/mandos/release : revision 37

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <inttypes.h> /* PRIu16 */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton(),

56

connect() */

57

#include <assert.h> /* assert() */

58

#include <errno.h> /* perror(), errno */

59

#include <time.h> /* time() */

60

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

61

SIOCSIFFLAGS, if_indextoname(),

62

if_nametoindex(), IF_NAMESIZE */

63

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

64

getuid(), getgid(), setuid(),

65

setgid() */

66

#include <netinet/in.h>

67

#include <arpa/inet.h> /* inet_pton(), htons */

68

#include <iso646.h> /* not, and */

69

#include <argp.h> /* struct argp_option, error_t, struct

70

argp_state, struct argp,

71

argp_parse(), ARGP_KEY_ARG,

72

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

73

74

/* Avahi */

75

/* All Avahi types, constants and functions

76

Avahi*, avahi_*,

77

AVAHI_* */

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

78

41

#include <avahi-core/core.h>

79

42

#include <avahi-core/lookup.h>

80

43

#include <avahi-core/log.h>

82

45

#include <avahi-common/malloc.h>

83

46

#include <avahi-common/error.h>

84

47

85

/* GnuTLS */

86

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

87

gnutls_*

88

init_gnutls_session(),

89

GNUTLS_* */

90

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

91

GNUTLS_OPENPGP_FMT_BASE64 */

92

93

/* GPGME */

94

#include <gpgme.h> /* All GPGME types, constants and functions

95

gpgme_*

96

GPGME_PROTOCOL_OpenPGP,

97

GPG_ERR_NO_* */

48

//mandos client part

49

#include <sys/types.h> /* socket(), inet_pton() */

50

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

51

struct in6_addr, inet_pton() */

52

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

53

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

54

55

#include <unistd.h> /* close() */

56

#include <netinet/in.h>

57

#include <stdbool.h> /* true */

58

#include <string.h> /* memset */

59

#include <arpa/inet.h> /* inet_pton() */

60

#include <iso646.h> /* not */

61

62

// gpgme

63

#include <errno.h> /* perror() */

64

#include <gpgme.h>

65

66

// getopt_long

67

#include <getopt.h>

98

68

99

69

#define BUFFER_SIZE 256

100

70

71

static int dh_bits = 1024;

72

73

static const char *keydir = "/conf/conf.d/mandos";

74

static const char *pubkeyfile = "pubkey.txt";

75

static const char *seckeyfile = "seckey.txt";

76

101

77

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

78

107

/* Used for passing in values through the Avahi callback functions */

79

/* Used for */

108

80

typedef struct {

109

AvahiSimplePoll *simple_poll;

110

AvahiServer *server;

81

gnutls_session_t session;

111

82

gnutls_certificate_credentials_t cred;

112

unsigned int dh_bits;

113

83

gnutls_dh_params_t dh_params;

114

const char *priority;

115

} mandos_context;

116

117

/*

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

*/

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

134

/*

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

137

*/

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

84

} encrypted_session;

85

86

87

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

88

char **new_packet,

141

89

const char *homedir){

142

90

gpgme_data_t dh_crypto, dh_plain;

143

91

gpgme_ctx_t ctx;

144

92

gpgme_error_t rc;

145

93

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

94

ssize_t new_packet_capacity = 0;

95

ssize_t new_packet_length = 0;

148

96

gpgme_engine_info_t engine_info;

149

97

150

98

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

99

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

152

100

}

153

101

154

102

/* Init GPGME */

160

108

return -1;

161

109

}

162

110

163

/* Set GPGME home directory for the OpenPGP engine only */

111

/* Set GPGME home directory */

164

112

rc = gpgme_get_engine_info (&engine_info);

165

113

if (rc != GPG_ERR_NO_ERROR){

166

114

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

176

124

engine_info = engine_info->next;

177

125

}

178

126

if(engine_info == NULL){

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

127

fprintf(stderr, "Could not set home dir to %s\n", homedir);

180

128

return -1;

181

129

}

182

130

183

/* Create new GPGME data buffer from memory cryptotext */

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

185

0);

131

/* Create new GPGME data buffer from packet buffer */

132

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

186

133

if (rc != GPG_ERR_NO_ERROR){

187

134

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

188

135

gpgme_strsource(rc), gpgme_strerror(rc));

194

141

if (rc != GPG_ERR_NO_ERROR){

195

142

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

196

143

gpgme_strsource(rc), gpgme_strerror(rc));

197

gpgme_data_release(dh_crypto);

198

144

return -1;

199

145

}

200

146

203

149

if (rc != GPG_ERR_NO_ERROR){

204

150

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

151

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

152

return -1;

208

153

}

209

154

210

/* Decrypt data from the cryptotext data buffer to the plaintext

211

data buffer */

155

/* Decrypt data from the FILE pointer to the plaintext data

156

buffer */

212

157

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

158

if (rc != GPG_ERR_NO_ERROR){

214

159

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

215

160

gpgme_strsource(rc), gpgme_strerror(rc));

216

plaintext_length = -1;

217

goto decrypt_end;

161

return -1;

218

162

}

219

163

220

164

if(debug){

221

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

165

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

222

166

}

223

167

224

168

if (debug){

225

169

gpgme_decrypt_result_t result;

226

170

result = gpgme_op_decrypt_result(ctx);

229

173

} else {

230

174

fprintf(stderr, "Unsupported algorithm: %s\n",

231

175

result->unsupported_algorithm);

232

fprintf(stderr, "Wrong key usage: %u\n",

176

fprintf(stderr, "Wrong key usage: %d\n",

233

177

result->wrong_key_usage);

234

178

if(result->file_name != NULL){

235

179

fprintf(stderr, "File name: %s\n", result->file_name);

250

194

}

251

195

}

252

196

197

/* Delete the GPGME FILE pointer cryptotext data buffer */

198

gpgme_data_release(dh_crypto);

199

253

200

/* Seek back to the beginning of the GPGME plaintext data buffer */

254

201

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

255

202

perror("pgpme_data_seek");

256

plaintext_length = -1;

257

goto decrypt_end;

258

203

}

259

204

260

*plaintext = NULL;

205

*new_packet = 0;

261

206

while(true){

262

plaintext_capacity = adjustbuffer(plaintext,

263

(size_t)plaintext_length,

264

plaintext_capacity);

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

267

plaintext_length = -1;

268

goto decrypt_end;

207

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

208

*new_packet = realloc(*new_packet,

209

(unsigned int)new_packet_capacity

210

+ BUFFER_SIZE);

211

if (*new_packet == NULL){

212

perror("realloc");

213

return -1;

214

}

215

new_packet_capacity += BUFFER_SIZE;

269

216

}

270

217

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

218

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

272

219

BUFFER_SIZE);

273

220

/* Print the data, if any */

274

221

if (ret == 0){

275

/* EOF */

276

222

break;

277

223

}

278

224

if(ret < 0){

279

225

perror("gpgme_data_read");

280

plaintext_length = -1;

281

goto decrypt_end;

226

return -1;

282

227

}

283

plaintext_length += ret;

228

new_packet_length += ret;

284

229

}

285

230

286

if(debug){

287

fprintf(stderr, "Decrypted password is: ");

288

for(ssize_t i = 0; i < plaintext_length; i++){

289

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

290

}

291

fprintf(stderr, "\n");

292

}

293

294

decrypt_end:

295

296

/* Delete the GPGME cryptotext data buffer */

297

gpgme_data_release(dh_crypto);

231

/* FIXME: check characters before printing to screen so to not print

232

terminal control characters */

233

/* if(debug){ */

234

/* fprintf(stderr, "decrypted password is: "); */

235

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

236

/* fprintf(stderr, "\n"); */

237

/* } */

298

238

299

239

/* Delete the GPGME plaintext data buffer */

300

240

gpgme_data_release(dh_plain);

301

return plaintext_length;

241

return new_packet_length;

302

242

}

303

243

304

244

static const char * safer_gnutls_strerror (int value) {

308

248

return ret;

309

249

}

310

250

311

/* GnuTLS log function callback */

312

251

static void debuggnutls(__attribute__((unused)) int level,

313

252

const char* string){

314

fprintf(stderr, "GnuTLS: %s", string);

253

fprintf(stderr, "%s", string);

315

254

}

316

255

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfile,

319

const char *seckeyfile){

256

static int initgnutls(encrypted_session *es){

257

const char *err;

320

258

int ret;

321

259

322

260

if(debug){

323

261

fprintf(stderr, "Initializing GnuTLS\n");

324

262

}

325

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

263

264

if ((ret = gnutls_global_init ())

265

!= GNUTLS_E_SUCCESS) {

266

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

330

267

return -1;

331

268

}

332

269

333

270

if (debug){

334

/* "Use a log level over 10 to enable all debugging options."

335

* - GnuTLS manual

336

*/

337

271

gnutls_global_set_log_level(11);

338

272

gnutls_global_set_log_function(debuggnutls);

339

273

}

340

274

341

/* OpenPGP credentials */

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n",

275

/* openpgp credentials */

276

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

277

!= GNUTLS_E_SUCCESS) {

278

fprintf (stderr, "memory error: %s\n",

345

279

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

347

280

return -1;

348

281

}

349

282

354

287

}

355

288

356

289

ret = gnutls_certificate_set_openpgp_key_file

357

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

290

(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

358

291

if (ret != GNUTLS_E_SUCCESS) {

359

fprintf(stderr,

360

"Error[%d] while reading the OpenPGP key pair ('%s',"

361

" '%s')\n", ret, pubkeyfile, seckeyfile);

362

fprintf(stdout, "The GnuTLS error is: %s\n",

292

fprintf

293

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

294

" '%s')\n",

295

ret, pubkeyfile, seckeyfile);

296

fprintf(stdout, "The Error is: %s\n",

363

297

safer_gnutls_strerror(ret));

364

goto globalfail;

365

}

366

367

/* GnuTLS server initialization */

368

ret = gnutls_dh_params_init(&mc->dh_params);

369

if (ret != GNUTLS_E_SUCCESS) {

370

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

371

" %s\n", safer_gnutls_strerror(ret));

372

goto globalfail;

373

}

374

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

375

if (ret != GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

377

safer_gnutls_strerror(ret));

378

goto globalfail;

379

}

380

381

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

382

383

return 0;

384

385

globalfail:

386

387

gnutls_certificate_free_credentials(mc->cred);

388

gnutls_global_deinit();

389

return -1;

390

391

}

392

393

static int init_gnutls_session(mandos_context *mc,

394

gnutls_session_t *session){

395

int ret;

396

/* GnuTLS session creation */

397

ret = gnutls_init(session, GNUTLS_SERVER);

398

if (ret != GNUTLS_E_SUCCESS){

298

return -1;

299

}

300

301

//GnuTLS server initialization

302

if ((ret = gnutls_dh_params_init (&es->dh_params))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in dh parameter initialization: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))

310

!= GNUTLS_E_SUCCESS) {

311

fprintf (stderr, "Error in prime generation: %s\n",

312

safer_gnutls_strerror(ret));

313

return -1;

314

}

315

316

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

317

318

// GnuTLS session creation

319

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

320

!= GNUTLS_E_SUCCESS){

399

321

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

400

322

safer_gnutls_strerror(ret));

401

323

}

402

324

403

{

404

const char *err;

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

406

if (ret != GNUTLS_E_SUCCESS) {

407

fprintf(stderr, "Syntax error at: %s\n", err);

408

fprintf(stderr, "GnuTLS error: %s\n",

409

safer_gnutls_strerror(ret));

410

gnutls_deinit (*session);

411

return -1;

412

}

325

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

326

!= GNUTLS_E_SUCCESS) {

327

fprintf(stderr, "Syntax error at: %s\n", err);

328

fprintf(stderr, "GnuTLS error: %s\n",

329

safer_gnutls_strerror(ret));

330

return -1;

413

331

}

414

332

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

416

mc->cred);

417

if (ret != GNUTLS_E_SUCCESS) {

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

333

if ((ret = gnutls_credentials_set

334

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

335

!= GNUTLS_E_SUCCESS) {

336

fprintf(stderr, "Error setting a credentials set: %s\n",

419

337

safer_gnutls_strerror(ret));

420

gnutls_deinit (*session);

421

338

return -1;

422

339

}

423

340

424

341

/* ignore client certificate if any. */

425

gnutls_certificate_server_set_request (*session,

342

gnutls_certificate_server_set_request (es->session,

426

343

GNUTLS_CERT_IGNORE);

427

344

428

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

345

gnutls_dh_set_prime_bits (es->session, dh_bits);

429

346

430

347

return 0;

431

348

}

432

349

433

/* Avahi log function callback */

434

350

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

435

351

__attribute__((unused)) const char *txt){}

436

352

437

/* Called when a Mandos server is found */

438

353

static int start_mandos_communication(const char *ip, uint16_t port,

439

AvahiIfIndex if_index,

440

mandos_context *mc){

354

AvahiIfIndex if_index){

441

355

int ret, tcp_sd;

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

356

struct sockaddr_in6 to;

357

encrypted_session es;

443

358

char *buffer = NULL;

444

359

char *decrypted_buffer;

445

360

size_t buffer_length = 0;

446

361

size_t buffer_capacity = 0;

447

362

ssize_t decrypted_buffer_size;

448

size_t written;

363

size_t written = 0;

449

364

int retval = 0;

450

365

char interface[IF_NAMESIZE];

451

gnutls_session_t session;

452

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

455

return -1;

456

}

457

366

458

367

if(debug){

459

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

460

"\n", ip, port);

368

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

369

ip, port);

461

370

}

462

371

463

372

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

465

374

perror("socket");

466

375

return -1;

467

376

}

468

469

if(debug){

470

if(if_indextoname((unsigned int)if_index, interface) == NULL){

377

378

if(if_indextoname((unsigned int)if_index, interface) == NULL){

379

if(debug){

471

380

perror("if_indextoname");

472

return -1;

473

381

}

382

return -1;

383

}

384

385

if(debug){

474

386

fprintf(stderr, "Binding to interface %s\n", interface);

475

387

}

476

388

477

389

memset(&to,0,sizeof(to)); /* Spurious warning */

478

to.in6.sin6_family = AF_INET6;

479

/* It would be nice to have a way to detect if we were passed an

480

IPv4 address here. Now we assume an IPv6 address. */

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

390

to.sin6_family = AF_INET6;

391

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

482

392

if (ret < 0 ){

483

393

perror("inet_pton");

484

394

return -1;

485

}

395

}

486

396

if(ret == 0){

487

397

fprintf(stderr, "Bad address: %s\n", ip);

488

398

return -1;

489

399

}

490

to.in6.sin6_port = htons(port); /* Spurious warning */

400

to.sin6_port = htons(port); /* Spurious warning */

491

401

492

to.in6.sin6_scope_id = (uint32_t)if_index;

402

to.sin6_scope_id = (uint32_t)if_index;

493

403

494

404

if(debug){

495

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

496

port);

405

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

497

406

char addrstr[INET6_ADDRSTRLEN] = "";

498

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

407

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

499

408

sizeof(addrstr)) == NULL){

500

409

perror("inet_ntop");

501

410

} else {

502

411

if(strcmp(addrstr, ip) != 0){

503

fprintf(stderr, "Canonical address form: %s\n", addrstr);

412

fprintf(stderr, "Canonical address form: %s\n",

413

addrstr, ntohs(to.sin6_port));

504

414

}

505

415

}

506

416

}

507

417

508

ret = connect(tcp_sd, &to.in, sizeof(to));

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

509

419

if (ret < 0){

510

420

perror("connect");

511

421

return -1;

512

422

}

513

514

const char *out = mandos_protocol_version;

515

written = 0;

516

while (true){

517

size_t out_size = strlen(out);

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

519

out_size - written));

520

if (ret == -1){

521

perror("write");

522

retval = -1;

523

goto mandos_end;

524

}

525

written += (size_t)ret;

526

if(written < out_size){

527

continue;

528

} else {

529

if (out == mandos_protocol_version){

530

written = 0;

531

out = "\r\n";

532

} else {

533

break;

534

}

535

}

423

424

ret = initgnutls (&es);

425

if (ret != 0){

426

retval = -1;

427

return -1;

536

428

}

537

429

430

gnutls_transport_set_ptr (es.session,

431

(gnutls_transport_ptr_t) tcp_sd);

432

538

433

if(debug){

539

434

fprintf(stderr, "Establishing TLS session with %s\n", ip);

540

435

}

541

436

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

543

544

do{

545

ret = gnutls_handshake (session);

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

437

ret = gnutls_handshake (es.session);

547

438

548

439

if (ret != GNUTLS_E_SUCCESS){

549

440

if(debug){

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

441

fprintf(stderr, "\n*** Handshake failed ***\n");

551

442

gnutls_perror (ret);

552

443

}

553

444

retval = -1;

554

goto mandos_end;

445

goto exit;

555

446

}

556

447

557

/* Read OpenPGP packet that contains the wanted password */

448

//Retrieve OpenPGP packet that contains the wanted password

558

449

559

450

if(debug){

560

451

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

562

453

}

563

454

564

455

while(true){

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

566

buffer_capacity);

567

if (buffer_capacity == 0){

568

perror("adjustbuffer");

569

retval = -1;

570

goto mandos_end;

456

if (buffer_length + BUFFER_SIZE > buffer_capacity){

457

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

458

if (buffer == NULL){

459

perror("realloc");

460

goto exit;

461

}

462

buffer_capacity += BUFFER_SIZE;

571

463

}

572

464

573

ret = gnutls_record_recv(session, buffer+buffer_length,

574

BUFFER_SIZE);

465

ret = gnutls_record_recv

466

(es.session, buffer+buffer_length, BUFFER_SIZE);

575

467

if (ret == 0){

576

468

break;

577

469

}

581

473

case GNUTLS_E_AGAIN:

582

474

break;

583

475

case GNUTLS_E_REHANDSHAKE:

584

do{

585

ret = gnutls_handshake (session);

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

476

ret = gnutls_handshake (es.session);

587

477

if (ret < 0){

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

478

fprintf(stderr, "\n*** Handshake failed ***\n");

589

479

gnutls_perror (ret);

590

480

retval = -1;

591

goto mandos_end;

481

goto exit;

592

482

}

593

483

break;

594

484

default:

595

485

fprintf(stderr, "Unknown error while reading data from"

596

" encrypted session with Mandos server\n");

486

" encrypted session with mandos server\n");

597

487

retval = -1;

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

599

goto mandos_end;

488

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

489

goto exit;

600

490

}

601

491

} else {

602

492

buffer_length += (size_t) ret;

603

493

}

604

494

}

605

495

606

if(debug){

607

fprintf(stderr, "Closing TLS session\n");

608

}

609

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

611

612

496

if (buffer_length > 0){

613

497

decrypted_buffer_size = pgp_packet_decrypt(buffer,

614

498

buffer_length,

615

499

&decrypted_buffer,

616

500

keydir);

617

501

if (decrypted_buffer_size >= 0){

618

written = 0;

619

502

while(written < (size_t) decrypted_buffer_size){

620

503

ret = (int)fwrite (decrypted_buffer + written, 1,

621

504

(size_t)decrypted_buffer_size - written,

635

518

retval = -1;

636

519

}

637

520

}

638

639

/* Shutdown procedure */

640

641

mandos_end:

521

522

//shutdown procedure

523

524

if(debug){

525

fprintf(stderr, "Closing TLS session\n");

526

}

527

642

528

free(buffer);

529

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

530

exit:

643

531

close(tcp_sd);

644

gnutls_deinit (session);

532

gnutls_deinit (es.session);

533

gnutls_certificate_free_credentials (es.cred);

534

gnutls_global_deinit ();

645

535

return retval;

646

536

}

647

537

648

static void resolve_callback(AvahiSServiceResolver *r,

649

AvahiIfIndex interface,

650

AVAHI_GCC_UNUSED AvahiProtocol protocol,

651

AvahiResolverEvent event,

652

const char *name,

653

const char *type,

654

const char *domain,

655

const char *host_name,

656

const AvahiAddress *address,

657

uint16_t port,

658

AVAHI_GCC_UNUSED AvahiStringList *txt,

659

AVAHI_GCC_UNUSED AvahiLookupResultFlags

660

flags,

661

void* userdata) {

662

mandos_context *mc = userdata;

538

static AvahiSimplePoll *simple_poll = NULL;

539

static AvahiServer *server = NULL;

540

541

static void resolve_callback(

542

AvahiSServiceResolver *r,

543

AvahiIfIndex interface,

544

AVAHI_GCC_UNUSED AvahiProtocol protocol,

545

AvahiResolverEvent event,

546

const char *name,

547

const char *type,

548

const char *domain,

549

const char *host_name,

550

const AvahiAddress *address,

551

uint16_t port,

552

AVAHI_GCC_UNUSED AvahiStringList *txt,

553

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

554

AVAHI_GCC_UNUSED void* userdata) {

555

663

556

assert(r); /* Spurious warning */

664

557

665

558

/* Called whenever a service has been resolved successfully or

668

561

switch (event) {

669

562

default:

670

563

case AVAHI_RESOLVER_FAILURE:

671

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

672

" of type '%s' in domain '%s': %s\n", name, type, domain,

673

avahi_strerror(avahi_server_errno(mc->server)));

564

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

565

" type '%s' in domain '%s': %s\n", name, type, domain,

566

avahi_strerror(avahi_server_errno(server)));

674

567

break;

675

568

676

569

case AVAHI_RESOLVER_FOUND:

678

571

char ip[AVAHI_ADDRESS_STR_MAX];

679

572

avahi_address_snprint(ip, sizeof(ip), address);

680

573

if(debug){

681

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

682

PRIu16 ") on port %d\n", name, host_name, ip,

683

interface, port);

574

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

575

" port %d\n", name, host_name, ip, port);

684

576

}

685

int ret = start_mandos_communication(ip, port, interface, mc);

577

int ret = start_mandos_communication(ip, port, interface);

686

578

if (ret == 0){

687

579

exit(EXIT_SUCCESS);

688

580

}

691

583

avahi_s_service_resolver_free(r);

692

584

}

693

585

694

static void browse_callback( AvahiSServiceBrowser *b,

695

AvahiIfIndex interface,

696

AvahiProtocol protocol,

697

AvahiBrowserEvent event,

698

const char *name,

699

const char *type,

700

const char *domain,

701

AVAHI_GCC_UNUSED AvahiLookupResultFlags

702

flags,

703

void* userdata) {

704

mandos_context *mc = userdata;

705

assert(b); /* Spurious warning */

706

707

/* Called whenever a new services becomes available on the LAN or

708

is removed from the LAN */

709

710

switch (event) {

711

default:

712

case AVAHI_BROWSER_FAILURE:

713

714

fprintf(stderr, "(Avahi browser) %s\n",

715

avahi_strerror(avahi_server_errno(mc->server)));

716

avahi_simple_poll_quit(mc->simple_poll);

717

return;

718

719

case AVAHI_BROWSER_NEW:

720

/* We ignore the returned Avahi resolver object. In the callback

721

function we free it. If the Avahi server is terminated before

722

the callback function is called the Avahi server will free the

723

resolver for us. */

724

725

if (!(avahi_s_service_resolver_new(mc->server, interface,

726

protocol, name, type, domain,

727

AVAHI_PROTO_INET6, 0,

728

resolve_callback, mc)))

729

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

730

name, avahi_strerror(avahi_server_errno(mc->server)));

731

break;

732

733

case AVAHI_BROWSER_REMOVE:

734

break;

735

736

case AVAHI_BROWSER_ALL_FOR_NOW:

737

case AVAHI_BROWSER_CACHE_EXHAUSTED:

738

if(debug){

739

fprintf(stderr, "No Mandos server found, still searching...\n");

586

static void browse_callback(

587

AvahiSServiceBrowser *b,

588

AvahiIfIndex interface,

589

AvahiProtocol protocol,

590

AvahiBrowserEvent event,

591

const char *name,

592

const char *type,

593

const char *domain,

594

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

595

void* userdata) {

596

597

AvahiServer *s = userdata;

598

assert(b); /* Spurious warning */

599

600

/* Called whenever a new services becomes available on the LAN or

601

is removed from the LAN */

602

603

switch (event) {

604

default:

605

case AVAHI_BROWSER_FAILURE:

606

607

fprintf(stderr, "(Browser) %s\n",

608

avahi_strerror(avahi_server_errno(server)));

609

avahi_simple_poll_quit(simple_poll);

610

return;

611

612

case AVAHI_BROWSER_NEW:

613

/* We ignore the returned resolver object. In the callback

614

function we free it. If the server is terminated before

615

the callback function is called the server will free

616

the resolver for us. */

617

618

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

619

type, domain,

620

AVAHI_PROTO_INET6, 0,

621

resolve_callback, s)))

622

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

623

avahi_strerror(avahi_server_errno(s)));

624

break;

625

626

case AVAHI_BROWSER_REMOVE:

627

break;

628

629

case AVAHI_BROWSER_ALL_FOR_NOW:

630

case AVAHI_BROWSER_CACHE_EXHAUSTED:

631

break;

740

632

}

741

break;

742

}

743

633

}

744

634

745

635

/* Combines file name and path and returns the malloced new

752

642

return NULL;

753

643

}

754

644

if(f_len > 0){

755

memcpy(tmp, first, f_len); /* Spurious warning */

645

memcpy(tmp, first, f_len);

756

646

}

757

647

tmp[f_len] = '/';

758

648

if(s_len > 0){

759

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

649

memcpy(tmp + f_len + 1, second, s_len);

760

650

}

761

651

tmp[f_len + 1 + s_len] = '\0';

762

652

return tmp;

763

653

}

764

654

765

655

766

int main(int argc, char *argv[]){

656

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

657

AvahiServerConfig config;

767

658

AvahiSServiceBrowser *sb = NULL;

768

659

int error;

769

660

int ret;

770

int exitcode = EXIT_SUCCESS;

771

const char *interface = "eth0";

772

struct ifreq network;

773

int sd;

774

uid_t uid;

775

gid_t gid;

661

int debug_int = 0;

662

int returncode = EXIT_SUCCESS;

663

const char *interface = NULL;

664

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

776

665

char *connect_to = NULL;

777

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

778

const char *pubkeyfile = "pubkey.txt";

779

const char *seckeyfile = "seckey.txt";

780

mandos_context mc = { .simple_poll = NULL, .server = NULL,

781

.dh_bits = 1024, .priority = "SECURE256"};

782

bool gnutls_initalized = false;

783

666

784

{

785

struct argp_option options[] = {

786

{ .name = "debug", .key = 128,

787

.doc = "Debug mode", .group = 3 },

788

{ .name = "connect", .key = 'c',

789

.arg = "IP",

790

.doc = "Connect directly to a sepcified mandos server",

791

.group = 1 },

792

{ .name = "interface", .key = 'i',

793

.arg = "INTERFACE",

794

.doc = "Interface that Avahi will conntect through",

795

.group = 1 },

796

{ .name = "keydir", .key = 'd',

797

.arg = "KEYDIR",

798

.doc = "Directory where the openpgp keyring is",

799

.group = 1 },

800

{ .name = "seckey", .key = 's',

801

.arg = "SECKEY",

802

.doc = "Secret openpgp key for gnutls authentication",

803

.group = 1 },

804

{ .name = "pubkey", .key = 'p',

805

.arg = "PUBKEY",

806

.doc = "Public openpgp key for gnutls authentication",

807

.group = 2 },

808

{ .name = "dh-bits", .key = 129,

809

.arg = "BITS",

810

.doc = "dh-bits to use in gnutls communication",

811

.group = 2 },

812

{ .name = "priority", .key = 130,

813

.arg = "PRIORITY",

814

.doc = "GNUTLS priority", .group = 1 },

815

{ .name = NULL }

816

};

817

818

819

error_t parse_opt (int key, char *arg,

820

struct argp_state *state) {

821

/* Get the INPUT argument from `argp_parse', which we know is

822

a pointer to our plugin list pointer. */

823

switch (key) {

824

case 128:

825

debug = true;

826

break;

827

case 'c':

828

connect_to = arg;

829

break;

830

case 'i':

831

interface = arg;

832

break;

833

case 'd':

834

keydir = arg;

835

break;

836

case 's':

837

seckeyfile = arg;

838

break;

839

case 'p':

840

pubkeyfile = arg;

841

break;

842

case 129:

843

errno = 0;

844

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

845

if (errno){

846

perror("strtol");

847

exit(EXIT_FAILURE);

848

}

849

break;

850

case 130:

851

mc.priority = arg;

852

break;

853

case ARGP_KEY_ARG:

854

argp_usage (state);

855

break;

856

case ARGP_KEY_END:

857

break;

858

default:

859

return ARGP_ERR_UNKNOWN;

860

}

861

return 0;

667

debug_int = debug ? 1 : 0;

668

while (true){

669

static struct option long_options[] = {

670

{"debug", no_argument, &debug_int, 1},

671

{"connect", required_argument, NULL, 'C'},

672

{"interface", required_argument, NULL, 'i'},

673

{"keydir", required_argument, NULL, 'd'},

674

{"seckey", required_argument, NULL, 'c'},

675

{"pubkey", required_argument, NULL, 'k'},

676

{"dh-bits", required_argument, NULL, 'D'},

677

{0, 0, 0, 0} };

678

679

int option_index = 0;

680

ret = getopt_long (argc, argv, "i:", long_options,

681

&option_index);

682

683

if (ret == -1){

684

break;

862

685

}

863

864

struct argp argp = { .options = options, .parser = parse_opt,

865

.args_doc = "",

866

.doc = "Mandos client -- Get and decrypt"

867

" passwords from mandos server" };

868

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

869

if (ret == ARGP_ERR_UNKNOWN){

870

fprintf(stderr, "Unkown error while parsing arguments\n");

871

exitcode = EXIT_FAILURE;

872

goto end;

686

687

switch(ret){

688

case 0:

689

break;

690

case 'i':

691

interface = optarg;

692

break;

693

case 'C':

694

connect_to = optarg;

695

break;

696

case 'd':

697

keydir = optarg;

698

break;

699

case 'c':

700

pubkeyfile = optarg;

701

break;

702

case 'k':

703

seckeyfile = optarg;

704

break;

705

case 'D':

706

dh_bits = atoi(optarg);

707

break;

708

case '?':

709

break

710

default:

711

exit(EXIT_FAILURE);

873

712

}

874

713

}

875

714

debug = debug_int ? true : false;

715

876

716

pubkeyfile = combinepath(keydir, pubkeyfile);

877

717

if (pubkeyfile == NULL){

878

718

perror("combinepath");

879

exitcode = EXIT_FAILURE;

880

goto end;

881

}

882

883

seckeyfile = combinepath(keydir, seckeyfile);

884

if (seckeyfile == NULL){

885

perror("combinepath");

886

goto end;

887

}

888

889

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

890

if (ret == -1){

891

fprintf(stderr, "init_gnutls_global\n");

892

goto end;

893

} else {

894

gnutls_initalized = true;

895

}

896

897

uid = getuid();

898

gid = getgid();

899

900

ret = setuid(uid);

901

if (ret == -1){

902

perror("setuid");

903

}

904

905

setgid(gid);

906

if (ret == -1){

907

perror("setgid");

908

}

909

910

if_index = (AvahiIfIndex) if_nametoindex(interface);

911

if(if_index == 0){

912

fprintf(stderr, "No such interface: \"%s\"\n", interface);

913

exit(EXIT_FAILURE);

719

goto exit;

720

}

721

722

if(interface != NULL){

723

if_index = (AvahiIfIndex) if_nametoindex(interface);

724

if(if_index == 0){

725

fprintf(stderr, "No such interface: \"%s\"\n", interface);

726

exit(EXIT_FAILURE);

727

}

914

728

}

915

729

916

730

if(connect_to != NULL){

919

733

char *address = strrchr(connect_to, ':');

920

734

if(address == NULL){

921

735

fprintf(stderr, "No colon in address\n");

922

exitcode = EXIT_FAILURE;

923

goto end;

736

exit(EXIT_FAILURE);

924

737

}

925

738

errno = 0;

926

739

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

927

740

if(errno){

928

741

perror("Bad port number");

929

exitcode = EXIT_FAILURE;

930

goto end;

742

exit(EXIT_FAILURE);

931

743

}

932

744

*address = '\0';

933

745

address = connect_to;

934

ret = start_mandos_communication(address, port, if_index, &mc);

746

ret = start_mandos_communication(address, port, if_index);

935

747

if(ret < 0){

936

exitcode = EXIT_FAILURE;

748

exit(EXIT_FAILURE);

937

749

} else {

938

exitcode = EXIT_SUCCESS;

750

exit(EXIT_SUCCESS);

939

751

}

940

goto end;

941

752

}

942

753

943

/* If the interface is down, bring it up */

944

{

945

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

946

if(sd < 0) {

947

perror("socket");

948

exitcode = EXIT_FAILURE;

949

goto end;

950

}

951

strcpy(network.ifr_name, interface); /* Spurious warning */

952

ret = ioctl(sd, SIOCGIFFLAGS, &network);

953

if(ret == -1){

954

perror("ioctl SIOCGIFFLAGS");

955

exitcode = EXIT_FAILURE;

956

goto end;

957

}

958

if((network.ifr_flags & IFF_UP) == 0){

959

network.ifr_flags |= IFF_UP;

960

ret = ioctl(sd, SIOCSIFFLAGS, &network);

961

if(ret == -1){

962

perror("ioctl SIOCSIFFLAGS");

963

exitcode = EXIT_FAILURE;

964

goto end;

965

}

966

}

967

close(sd);

754

seckeyfile = combinepath(keydir, seckeyfile);

755

if (seckeyfile == NULL){

756

perror("combinepath");

757

goto exit;

968

758

}

969

759

970

760

if (not debug){

971

761

avahi_set_log_function(empty_log);

972

762

}

973

763

974

/* Initialize the pseudo-RNG for Avahi */

764

/* Initialize the psuedo-RNG */

975

765

srand((unsigned int) time(NULL));

976

977

/* Allocate main Avahi loop object */

978

mc.simple_poll = avahi_simple_poll_new();

979

if (mc.simple_poll == NULL) {

980

fprintf(stderr, "Avahi: Failed to create simple poll"

981

" object.\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

}

985

986

{

987

AvahiServerConfig config;

988

/* Do not publish any local Zeroconf records */

989

avahi_server_config_init(&config);

990

config.publish_hinfo = 0;

991

config.publish_addresses = 0;

992

config.publish_workstation = 0;

993

config.publish_domain = 0;

994

995

/* Allocate a new server */

996

mc.server = avahi_server_new(avahi_simple_poll_get

997

(mc.simple_poll), &config, NULL,

998

NULL, &error);

999

1000

/* Free the Avahi configuration data */

1001

avahi_server_config_free(&config);

1002

}

1003

1004

/* Check if creating the Avahi server object succeeded */

1005

if (mc.server == NULL) {

1006

fprintf(stderr, "Failed to create Avahi server: %s\n",

766

767

/* Allocate main loop object */

768

if (!(simple_poll = avahi_simple_poll_new())) {

769

fprintf(stderr, "Failed to create simple poll object.\n");

770

771

goto exit;

772

}

773

774

/* Do not publish any local records */

775

avahi_server_config_init(&config);

776

config.publish_hinfo = 0;

777

config.publish_addresses = 0;

778

config.publish_workstation = 0;

779

config.publish_domain = 0;

780

781

/* Allocate a new server */

782

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

783

&config, NULL, NULL, &error);

784

785

/* Free the configuration data */

786

avahi_server_config_free(&config);

787

788

/* Check if creating the server object succeeded */

789

if (!server) {

790

fprintf(stderr, "Failed to create server: %s\n",

1007

791

avahi_strerror(error));

1008

exitcode = EXIT_FAILURE;

1009

goto end;

792

returncode = EXIT_FAILURE;

793

goto exit;

1010

794

}

1011

795

1012

/* Create the Avahi service browser */

1013

sb = avahi_s_service_browser_new(mc.server, if_index,

796

/* Create the service browser */

797

sb = avahi_s_service_browser_new(server, if_index,

1014

798

AVAHI_PROTO_INET6,

1015

799

"_mandos._tcp", NULL, 0,

1016

browse_callback, &mc);

1017

if (sb == NULL) {

800

browse_callback, server);

801

if (!sb) {

1018

802

fprintf(stderr, "Failed to create service browser: %s\n",

1019

avahi_strerror(avahi_server_errno(mc.server)));

1020

exitcode = EXIT_FAILURE;

1021

goto end;

803

avahi_strerror(avahi_server_errno(server)));

804

returncode = EXIT_FAILURE;

805

goto exit;

1022

806

}

1023

807

1024

808

/* Run the main loop */

1025

809

1026

810

if (debug){

1027

fprintf(stderr, "Starting Avahi loop search\n");

811

fprintf(stderr, "Starting avahi loop search\n");

1028

812

}

1029

813

1030

avahi_simple_poll_loop(mc.simple_poll);

814

avahi_simple_poll_loop(simple_poll);

1031

815

1032

end:

816

exit:

1033

817

1034

818

if (debug){

1035

819

fprintf(stderr, "%s exiting\n", argv[0]);

1036

820

}

1037

821

1038

822

/* Cleanup things */

1039

if (sb != NULL)

823

if (sb)

1040

824

avahi_s_service_browser_free(sb);

1041

825

1042

if (mc.server != NULL)

1043

avahi_server_free(mc.server);

826

if (server)

827

avahi_server_free(server);

1044

828

1045

if (mc.simple_poll != NULL)

1046

avahi_simple_poll_free(mc.simple_poll);

829

if (simple_poll)

830

avahi_simple_poll_free(simple_poll);

1047

831

free(pubkeyfile);

1048

832

free(seckeyfile);

1049

1050

if (gnutls_initalized){

1051

gnutls_certificate_free_credentials(mc.cred);

1052

gnutls_global_deinit ();

1053

}

1054

833

1055

return exitcode;

834

return returncode;

1056

835

}