To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- ca.pem
- files removed:
- .bzrignore
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
38
stdout, ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), asprintf(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
54
connect() */
55
#include <assert.h> /* assert() */
56
#include <errno.h> /* perror(), errno */
57
#include <time.h> /* time() */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
58
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
SIOCSIFFLAGS, if_indextoname(),
60
if_nametoindex(), IF_NAMESIZE */
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
65
#include <arpa/inet.h> /* inet_pton(), htons */
66
#include <iso646.h> /* not, and */
67
#include <argp.h> /* struct argp_option, error_t, struct
68
argp_state, struct argp,
69
argp_parse(), ARGP_KEY_ARG,
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
43
SIOCSIFFLAGS */
71
44
72
/* Avahi */
73
/* All Avahi types, constants and functions
74
Avahi*, avahi_*,
75
AVAHI_* */
76
45
#include <avahi-core/core.h>
77
46
#include <avahi-core/lookup.h>
78
47
#include <avahi-core/log.h>
80
49
#include <avahi-common/malloc.h>
81
50
#include <avahi-common/error.h>
82
51
83
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
85
functions:
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and
94
functions:
95
gpgme_*
96
GPGME_PROTOCOL_OpenPGP,
97
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
98
72
99
73
#define BUFFER_SIZE 256
100
74
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
78
101
79
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
103
static const char mandos_protocol_version[] = "1";
104
const char *argp_program_version = "password-request 1.0";
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
106
80
107
/* Used for passing in values through the Avahi callback functions */
81
/* Used for passing in values through all the callback functions */
108
82
typedef struct {
109
83
AvahiSimplePoll *simple_poll;
110
84
AvahiServer *server;
111
85
gnutls_certificate_credentials_t cred;
112
86
unsigned int dh_bits;
113
gnutls_dh_params_t dh_params;
114
87
const char *priority;
115
88
} mandos_context;
116
89
117
/*
118
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
119
* "buffer_capacity" is how much is currently allocated,
120
* "buffer_length" is how much is already used.
121
*/
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
123
size_t buffer_capacity){
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
126
if (buffer == NULL){
127
return 0;
128
}
129
buffer_capacity += BUFFER_SIZE;
130
}
131
return buffer_capacity;
132
}
133
134
90
/*
135
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
92
* Returns -1 on error
143
99
gpgme_ctx_t ctx;
144
100
gpgme_error_t rc;
145
101
ssize_t ret;
146
size_t plaintext_capacity = 0;
102
ssize_t plaintext_capacity = 0;
147
103
ssize_t plaintext_length = 0;
148
104
gpgme_engine_info_t engine_info;
149
105
214
170
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
215
171
gpgme_strsource(rc), gpgme_strerror(rc));
216
172
plaintext_length = -1;
217
if (debug){
218
gpgme_decrypt_result_t result;
219
result = gpgme_op_decrypt_result(ctx);
220
if (result == NULL){
221
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
222
} else {
223
fprintf(stderr, "Unsupported algorithm: %s\n",
224
result->unsupported_algorithm);
225
fprintf(stderr, "Wrong key usage: %u\n",
226
result->wrong_key_usage);
227
if(result->file_name != NULL){
228
fprintf(stderr, "File name: %s\n", result->file_name);
229
}
230
gpgme_recipient_t recipient;
231
recipient = result->recipients;
232
if(recipient){
233
while(recipient != NULL){
234
fprintf(stderr, "Public key algorithm: %s\n",
235
gpgme_pubkey_algo_name(recipient->pubkey_algo));
236
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
237
fprintf(stderr, "Secret key available: %s\n",
238
recipient->status == GPG_ERR_NO_SECKEY
239
? "No" : "Yes");
240
recipient = recipient->next;
241
}
242
}
243
}
244
}
245
173
goto decrypt_end;
246
174
}
247
175
249
177
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
250
178
}
251
179
180
if (debug){
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
183
if (result == NULL){
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
185
} else {
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
192
}
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
195
if(recipient){
196
while(recipient != NULL){
197
fprintf(stderr, "Public key algorithm: %s\n",
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
200
fprintf(stderr, "Secret key available: %s\n",
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
203
recipient = recipient->next;
204
}
205
}
206
}
207
}
208
252
209
/* Seek back to the beginning of the GPGME plaintext data buffer */
253
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
211
perror("pgpme_data_seek");
258
215
259
216
*plaintext = NULL;
260
217
while(true){
261
plaintext_capacity = adjustbuffer(plaintext,
262
(size_t)plaintext_length,
263
plaintext_capacity);
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
266
224
plaintext_length = -1;
267
225
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
268
228
}
269
229
270
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
284
244
285
245
if(debug){
286
246
fprintf(stderr, "Decrypted password is: ");
287
for(ssize_t i = 0; i < plaintext_length; i++){
247
for(size_t i = 0; i < plaintext_length; i++){
288
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
289
249
}
290
250
fprintf(stderr, "\n");
301
261
}
302
262
303
263
static const char * safer_gnutls_strerror (int value) {
304
const char *ret = gnutls_strerror (value); /* Spurious warning */
264
const char *ret = gnutls_strerror (value);
305
265
if (ret == NULL)
306
266
ret = "(unknown)";
307
267
return ret;
308
268
}
309
269
310
/* GnuTLS log function callback */
311
270
static void debuggnutls(__attribute__((unused)) int level,
312
271
const char* string){
313
fprintf(stderr, "GnuTLS: %s", string);
272
fprintf(stderr, "%s", string);
314
273
}
315
274
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfilename,
318
const char *seckeyfilename){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
319
278
int ret;
320
279
321
280
if(debug){
322
281
fprintf(stderr, "Initializing GnuTLS\n");
323
282
}
324
325
ret = gnutls_global_init();
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
329
287
return -1;
330
288
}
331
289
332
290
if (debug){
333
/* "Use a log level over 10 to enable all debugging options."
334
* - GnuTLS manual
335
*/
336
291
gnutls_global_set_log_level(11);
337
292
gnutls_global_set_log_function(debuggnutls);
338
293
}
339
294
340
/* OpenPGP credentials */
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
344
warning */
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
345
299
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
347
300
return -1;
348
301
}
349
302
350
303
if(debug){
351
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
353
seckeyfilename);
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
354
307
}
355
308
356
309
ret = gnutls_certificate_set_openpgp_key_file
357
(mc->cred, pubkeyfilename, seckeyfilename,
358
GNUTLS_OPENPGP_FMT_BASE64);
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
359
311
if (ret != GNUTLS_E_SUCCESS) {
360
fprintf(stderr,
361
"Error[%d] while reading the OpenPGP key pair ('%s',"
362
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
363
fprintf(stdout, "The GnuTLS error is: %s\n",
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
364
317
safer_gnutls_strerror(ret));
365
goto globalfail;
366
}
367
368
/* GnuTLS server initialization */
369
ret = gnutls_dh_params_init(&mc->dh_params);
370
if (ret != GNUTLS_E_SUCCESS) {
371
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
372
" %s\n", safer_gnutls_strerror(ret));
373
goto globalfail;
374
}
375
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
376
if (ret != GNUTLS_E_SUCCESS) {
377
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
378
safer_gnutls_strerror(ret));
379
goto globalfail;
380
}
381
382
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
383
384
return 0;
385
386
globalfail:
387
388
gnutls_certificate_free_credentials(mc->cred);
389
gnutls_global_deinit();
390
return -1;
391
392
}
393
394
static int init_gnutls_session(mandos_context *mc,
395
gnutls_session_t *session){
396
int ret;
397
/* GnuTLS session creation */
398
ret = gnutls_init(session, GNUTLS_SERVER);
399
if (ret != GNUTLS_E_SUCCESS){
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
400
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
401
342
safer_gnutls_strerror(ret));
402
343
}
403
344
404
{
405
const char *err;
406
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
407
if (ret != GNUTLS_E_SUCCESS) {
408
fprintf(stderr, "Syntax error at: %s\n", err);
409
fprintf(stderr, "GnuTLS error: %s\n",
410
safer_gnutls_strerror(ret));
411
gnutls_deinit (*session);
412
return -1;
413
}
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
414
351
}
415
352
416
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
417
mc->cred);
418
if (ret != GNUTLS_E_SUCCESS) {
419
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
420
357
safer_gnutls_strerror(ret));
421
gnutls_deinit (*session);
422
358
return -1;
423
359
}
424
360
431
367
return 0;
432
368
}
433
369
434
/* Avahi log function callback */
435
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
436
371
__attribute__((unused)) const char *txt){}
437
372
438
/* Called when a Mandos server is found */
439
373
static int start_mandos_communication(const char *ip, uint16_t port,
440
374
AvahiIfIndex if_index,
441
375
mandos_context *mc){
442
376
int ret, tcp_sd;
443
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
377
struct sockaddr_in6 to;
444
378
char *buffer = NULL;
445
379
char *decrypted_buffer;
446
380
size_t buffer_length = 0;
447
381
size_t buffer_capacity = 0;
448
382
ssize_t decrypted_buffer_size;
449
size_t written;
383
size_t written = 0;
450
384
int retval = 0;
451
385
char interface[IF_NAMESIZE];
452
386
gnutls_session_t session;
453
454
ret = init_gnutls_session (mc, &session);
455
if (ret != 0){
456
return -1;
457
}
387
gnutls_dh_params_t dh_params;
458
388
459
389
if(debug){
460
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
461
"\n", ip, port);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
462
392
}
463
393
464
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
475
405
fprintf(stderr, "Binding to interface %s\n", interface);
476
406
}
477
407
478
memset(&to, 0, sizeof(to));
479
to.in6.sin6_family = AF_INET6;
480
/* It would be nice to have a way to detect if we were passed an
481
IPv4 address here. Now we assume an IPv6 address. */
482
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
memset(&to,0,sizeof(to)); /* Spurious warning */
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
483
411
if (ret < 0 ){
484
412
perror("inet_pton");
485
413
return -1;
488
416
fprintf(stderr, "Bad address: %s\n", ip);
489
417
return -1;
490
418
}
491
to.in6.sin6_port = htons(port); /* Spurious warning */
419
to.sin6_port = htons(port); /* Spurious warning */
492
420
493
to.in6.sin6_scope_id = (uint32_t)if_index;
421
to.sin6_scope_id = (uint32_t)if_index;
494
422
495
423
if(debug){
496
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
497
port);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
498
425
char addrstr[INET6_ADDRSTRLEN] = "";
499
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
500
427
sizeof(addrstr)) == NULL){
501
428
perror("inet_ntop");
502
429
} else {
506
433
}
507
434
}
508
435
509
ret = connect(tcp_sd, &to.in, sizeof(to));
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
510
437
if (ret < 0){
511
438
perror("connect");
512
439
return -1;
513
440
}
514
515
const char *out = mandos_protocol_version;
516
written = 0;
517
while (true){
518
size_t out_size = strlen(out);
519
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
520
out_size - written));
521
if (ret == -1){
522
perror("write");
523
retval = -1;
524
goto mandos_end;
525
}
526
written += (size_t)ret;
527
if(written < out_size){
528
continue;
529
} else {
530
if (out == mandos_protocol_version){
531
written = 0;
532
out = "\r\n";
533
} else {
534
break;
535
}
536
}
441
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
537
446
}
538
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
539
450
if(debug){
540
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
541
452
}
542
453
543
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
544
545
do{
546
ret = gnutls_handshake (session);
547
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
454
ret = gnutls_handshake (session);
548
455
549
456
if (ret != GNUTLS_E_SUCCESS){
550
457
if(debug){
551
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
458
fprintf(stderr, "\n*** Handshake failed ***\n");
552
459
gnutls_perror (ret);
553
460
}
554
461
retval = -1;
555
goto mandos_end;
462
goto exit;
556
463
}
557
464
558
/* Read OpenPGP packet that contains the wanted password */
465
//Retrieve OpenPGP packet that contains the wanted password
559
466
560
467
if(debug){
561
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
563
470
}
564
471
565
472
while(true){
566
buffer_capacity = adjustbuffer(&buffer, buffer_length,
567
buffer_capacity);
568
if (buffer_capacity == 0){
569
perror("adjustbuffer");
570
retval = -1;
571
goto mandos_end;
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
572
480
}
573
481
574
482
ret = gnutls_record_recv(session, buffer+buffer_length,
582
490
case GNUTLS_E_AGAIN:
583
491
break;
584
492
case GNUTLS_E_REHANDSHAKE:
585
do{
586
ret = gnutls_handshake (session);
587
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
493
ret = gnutls_handshake (session);
588
494
if (ret < 0){
589
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
495
fprintf(stderr, "\n*** Handshake failed ***\n");
590
496
gnutls_perror (ret);
591
497
retval = -1;
592
goto mandos_end;
498
goto exit;
593
499
}
594
500
break;
595
501
default:
596
502
fprintf(stderr, "Unknown error while reading data from"
597
" encrypted session with Mandos server\n");
503
" encrypted session with mandos server\n");
598
504
retval = -1;
599
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
600
goto mandos_end;
506
goto exit;
601
507
}
602
508
} else {
603
509
buffer_length += (size_t) ret;
604
510
}
605
511
}
606
512
607
if(debug){
608
fprintf(stderr, "Closing TLS session\n");
609
}
610
611
gnutls_bye (session, GNUTLS_SHUT_RDWR);
612
613
513
if (buffer_length > 0){
614
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
615
515
buffer_length,
616
516
&decrypted_buffer,
617
517
keydir);
618
518
if (decrypted_buffer_size >= 0){
619
written = 0;
620
519
while(written < (size_t) decrypted_buffer_size){
621
520
ret = (int)fwrite (decrypted_buffer + written, 1,
622
521
(size_t)decrypted_buffer_size - written,
635
534
} else {
636
535
retval = -1;
637
536
}
638
} else {
639
retval = -1;
640
}
641
642
/* Shutdown procedure */
643
644
mandos_end:
537
}
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
645
545
free(buffer);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
646
548
close(tcp_sd);
647
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
648
552
return retval;
649
553
}
650
554
663
567
flags,
664
568
void* userdata) {
665
569
mandos_context *mc = userdata;
666
assert(r);
570
assert(r); /* Spurious warning */
667
571
668
572
/* Called whenever a service has been resolved successfully or
669
573
timed out */
671
575
switch (event) {
672
576
default:
673
577
case AVAHI_RESOLVER_FAILURE:
674
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
675
" of type '%s' in domain '%s': %s\n", name, type, domain,
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
676
580
avahi_strerror(avahi_server_errno(mc->server)));
677
581
break;
678
582
681
585
char ip[AVAHI_ADDRESS_STR_MAX];
682
586
avahi_address_snprint(ip, sizeof(ip), address);
683
587
if(debug){
684
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
685
PRIu16 ") on port %d\n", name, host_name, ip,
686
interface, port);
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
687
590
}
688
591
int ret = start_mandos_communication(ip, port, interface, mc);
689
592
if (ret == 0){
690
avahi_simple_poll_quit(mc->simple_poll);
593
exit(EXIT_SUCCESS);
691
594
}
692
595
}
693
596
}
705
608
flags,
706
609
void* userdata) {
707
610
mandos_context *mc = userdata;
708
assert(b);
611
assert(b); /* Spurious warning */
709
612
710
613
/* Called whenever a new services becomes available on the LAN or
711
614
is removed from the LAN */
714
617
default:
715
618
case AVAHI_BROWSER_FAILURE:
716
619
717
fprintf(stderr, "(Avahi browser) %s\n",
620
fprintf(stderr, "(Browser) %s\n",
718
621
avahi_strerror(avahi_server_errno(mc->server)));
719
622
avahi_simple_poll_quit(mc->simple_poll);
720
623
return;
721
624
722
625
case AVAHI_BROWSER_NEW:
723
/* We ignore the returned Avahi resolver object. In the callback
724
function we free it. If the Avahi server is terminated before
725
the callback function is called the Avahi server will free the
726
resolver for us. */
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
727
630
728
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
729
632
protocol, name, type, domain,
730
633
AVAHI_PROTO_INET6, 0,
731
634
resolve_callback, mc)))
732
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
733
name, avahi_strerror(avahi_server_errno(mc->server)));
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
734
637
break;
735
638
736
639
case AVAHI_BROWSER_REMOVE:
738
641
739
642
case AVAHI_BROWSER_ALL_FOR_NOW:
740
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
741
if(debug){
742
fprintf(stderr, "No Mandos server found, still searching...\n");
743
}
744
644
break;
745
645
}
746
646
}
747
647
748
648
/* Combines file name and path and returns the malloced new
749
649
string. some sane checks could/should be added */
750
static char *combinepath(const char *first, const char *second){
751
char *tmp;
752
int ret = asprintf(&tmp, "%s/%s", first, second);
753
if(ret < 0){
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
754
655
return NULL;
755
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
756
665
return tmp;
757
666
}
758
667
759
668
760
int main(int argc, char *argv[]){
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
761
671
AvahiSServiceBrowser *sb = NULL;
762
672
int error;
763
673
int ret;
764
int exitcode = EXIT_SUCCESS;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
765
676
const char *interface = "eth0";
766
677
struct ifreq network;
767
678
int sd;
768
uid_t uid;
769
gid_t gid;
770
679
char *connect_to = NULL;
771
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
772
char *pubkeyfilename = NULL;
773
char *seckeyfilename = NULL;
774
const char *pubkeyname = "pubkey.txt";
775
const char *seckeyname = "seckey.txt";
776
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
777
682
.dh_bits = 1024, .priority = "SECURE256"};
778
bool gnutls_initalized = false;
779
780
{
781
struct argp_option options[] = {
782
{ .name = "debug", .key = 128,
783
.doc = "Debug mode", .group = 3 },
784
{ .name = "connect", .key = 'c',
785
.arg = "IP",
786
.doc = "Connect directly to a sepcified mandos server",
787
.group = 1 },
788
{ .name = "interface", .key = 'i',
789
.arg = "INTERFACE",
790
.doc = "Interface that Avahi will conntect through",
791
.group = 1 },
792
{ .name = "keydir", .key = 'd',
793
.arg = "KEYDIR",
794
.doc = "Directory where the openpgp keyring is",
795
.group = 1 },
796
{ .name = "seckey", .key = 's',
797
.arg = "SECKEY",
798
.doc = "Secret openpgp key for gnutls authentication",
799
.group = 1 },
800
{ .name = "pubkey", .key = 'p',
801
.arg = "PUBKEY",
802
.doc = "Public openpgp key for gnutls authentication",
803
.group = 2 },
804
{ .name = "dh-bits", .key = 129,
805
.arg = "BITS",
806
.doc = "dh-bits to use in gnutls communication",
807
.group = 2 },
808
{ .name = "priority", .key = 130,
809
.arg = "PRIORITY",
810
.doc = "GNUTLS priority", .group = 1 },
811
{ .name = NULL }
812
};
813
814
815
error_t parse_opt (int key, char *arg,
816
struct argp_state *state) {
817
/* Get the INPUT argument from `argp_parse', which we know is
818
a pointer to our plugin list pointer. */
819
switch (key) {
820
case 128:
821
debug = true;
822
break;
823
case 'c':
824
connect_to = arg;
825
break;
826
case 'i':
827
interface = arg;
828
break;
829
case 'd':
830
keydir = arg;
831
break;
832
case 's':
833
seckeyname = arg;
834
break;
835
case 'p':
836
pubkeyname = arg;
837
break;
838
case 129:
839
errno = 0;
840
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
841
if (errno){
842
perror("strtol");
843
exit(EXIT_FAILURE);
844
}
845
break;
846
case 130:
847
mc.priority = arg;
848
break;
849
case ARGP_KEY_ARG:
850
argp_usage (state);
851
case ARGP_KEY_END:
852
break;
853
default:
854
return ARGP_ERR_UNKNOWN;
855
}
856
return 0;
857
}
858
859
struct argp argp = { .options = options, .parser = parse_opt,
860
.args_doc = "",
861
.doc = "Mandos client -- Get and decrypt"
862
" passwords from mandos server" };
863
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
864
if (ret == ARGP_ERR_UNKNOWN){
865
fprintf(stderr, "Unknown error while parsing arguments\n");
866
exitcode = EXIT_FAILURE;
867
goto end;
868
}
869
}
870
871
pubkeyfilename = combinepath(keydir, pubkeyname);
872
if (pubkeyfilename == NULL){
873
perror("combinepath");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
878
seckeyfilename = combinepath(keydir, seckeyname);
879
if (seckeyfilename == NULL){
880
perror("combinepath");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
885
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
886
if (ret == -1){
887
fprintf(stderr, "init_gnutls_global failed\n");
888
exitcode = EXIT_FAILURE;
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
/* If the interface is down, bring it up */
895
{
896
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
897
if(sd < 0) {
898
perror("socket");
899
exitcode = EXIT_FAILURE;
900
goto end;
901
}
902
strcpy(network.ifr_name, interface);
903
ret = ioctl(sd, SIOCGIFFLAGS, &network);
904
if(ret == -1){
905
perror("ioctl SIOCGIFFLAGS");
906
exitcode = EXIT_FAILURE;
907
goto end;
908
}
909
if((network.ifr_flags & IFF_UP) == 0){
910
network.ifr_flags |= IFF_UP;
911
ret = ioctl(sd, SIOCSIFFLAGS, &network);
912
if(ret == -1){
913
perror("ioctl SIOCSIFFLAGS");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
close(sd);
919
}
920
921
uid = getuid();
922
gid = getgid();
923
924
ret = setuid(uid);
925
if (ret == -1){
926
perror("setuid");
927
}
928
929
setgid(gid);
930
if (ret == -1){
931
perror("setgid");
683
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
932
752
}
933
753
934
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
943
763
char *address = strrchr(connect_to, ':');
944
764
if(address == NULL){
945
765
fprintf(stderr, "No colon in address\n");
946
exitcode = EXIT_FAILURE;
947
goto end;
766
exit(EXIT_FAILURE);
948
767
}
949
768
errno = 0;
950
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
951
770
if(errno){
952
771
perror("Bad port number");
953
exitcode = EXIT_FAILURE;
954
goto end;
772
exit(EXIT_FAILURE);
955
773
}
956
774
*address = '\0';
957
775
address = connect_to;
958
776
ret = start_mandos_communication(address, port, if_index, &mc);
959
777
if(ret < 0){
960
exitcode = EXIT_FAILURE;
778
exit(EXIT_FAILURE);
961
779
} else {
962
exitcode = EXIT_SUCCESS;
963
}
964
goto end;
965
}
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
966
808
967
809
if (not debug){
968
810
avahi_set_log_function(empty_log);
969
811
}
970
812
971
/* Initialize the pseudo-RNG for Avahi */
813
/* Initialize the psuedo-RNG */
972
814
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1004
840
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
841
returncode = EXIT_FAILURE;
842
goto exit;
1007
843
}
1008
844
1009
/* Create the Avahi service browser */
845
/* Create the service browser */
1010
846
sb = avahi_s_service_browser_new(mc.server, if_index,
1011
847
AVAHI_PROTO_INET6,
1012
848
"_mandos._tcp", NULL, 0,
1013
849
browse_callback, &mc);
1014
if (sb == NULL) {
850
if (!sb) {
1015
851
fprintf(stderr, "Failed to create service browser: %s\n",
1016
852
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
853
returncode = EXIT_FAILURE;
854
goto exit;
1019
855
}
1020
856
1021
857
/* Run the main loop */
1022
858
1023
859
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
860
fprintf(stderr, "Starting avahi loop search\n");
1025
861
}
1026
862
1027
863
avahi_simple_poll_loop(mc.simple_poll);
1028
864
1029
end:
865
exit:
1030
866
1031
867
if (debug){
1032
868
fprintf(stderr, "%s exiting\n", argv[0]);
1033
869
}
1034
870
1035
871
/* Cleanup things */
1036
if (sb != NULL)
872
if (sb)
1037
873
avahi_s_service_browser_free(sb);
1038
874
1039
if (mc.server != NULL)
875
if (mc.server)
1040
876
avahi_server_free(mc.server);
1041
877
1042
if (mc.simple_poll != NULL)
878
if (mc.simple_poll)
1043
879
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfilename);
1045
free(seckeyfilename);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
880
free(pubkeyfile);
881
free(seckeyfile);
1051
882
1052
return exitcode;
883
return returncode;
1053
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0