To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- server.conf
- files removed:
- plugins.d/Makefile
- files renamed:
- mandos-clients.conf => clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
29
*/
19
30
31
/* Needed by GPGME, specifically gpgme_data_seek() */
20
32
#define _LARGEFILE_SOURCE
21
33
#define _FILE_OFFSET_BITS 64
22
34
25
37
#include <stdlib.h>
26
38
#include <time.h>
27
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
28
44
29
45
#include <avahi-core/core.h>
30
46
#include <avahi-core/lookup.h>
34
50
#include <avahi-common/error.h>
35
51
36
52
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
41
58
42
59
#include <unistd.h> /* close() */
43
60
#include <netinet/in.h>
50
67
#include <errno.h> /* perror() */
51
68
#include <gpgme.h>
52
69
70
// getopt_long
71
#include <getopt.h>
53
72
54
#ifndef CERT_ROOT
55
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
56
#endif
57
#define CERTFILE CERT_ROOT "openpgp-client.txt"
58
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
59
73
#define BUFFER_SIZE 256
60
#define DH_BITS 1024
74
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
61
78
62
79
bool debug = false;
63
80
81
/* Used for passing in values through all the callback functions */
64
82
typedef struct {
65
gnutls_session_t session;
83
AvahiSimplePoll *simple_poll;
84
AvahiServer *server;
66
85
gnutls_certificate_credentials_t cred;
67
gnutls_dh_params_t dh_params;
68
} encrypted_session;
69
70
71
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
86
unsigned int dh_bits;
87
const char *priority;
88
} mandos_context;
89
90
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
93
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
72
98
gpgme_data_t dh_crypto, dh_plain;
73
99
gpgme_ctx_t ctx;
74
100
gpgme_error_t rc;
75
101
ssize_t ret;
76
size_t new_packet_capacity = 0;
77
size_t new_packet_length = 0;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
78
104
gpgme_engine_info_t engine_info;
79
105
80
106
if (debug){
81
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
82
108
}
83
109
84
110
/* Init GPGME */
85
111
gpgme_check_version(NULL);
86
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
112
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
if (rc != GPG_ERR_NO_ERROR){
114
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
115
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
117
}
87
118
88
/* Set GPGME home directory */
119
/* Set GPGME home directory for the OpenPGP engine only */
89
120
rc = gpgme_get_engine_info (&engine_info);
90
121
if (rc != GPG_ERR_NO_ERROR){
91
122
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
101
132
engine_info = engine_info->next;
102
133
}
103
134
if(engine_info == NULL){
104
fprintf(stderr, "Could not set home dir to %s\n", homedir);
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
105
136
return -1;
106
137
}
107
138
108
/* Create new GPGME data buffer from packet buffer */
109
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
139
/* Create new GPGME data buffer from memory cryptotext */
140
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
141
0);
110
142
if (rc != GPG_ERR_NO_ERROR){
111
143
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
112
144
gpgme_strsource(rc), gpgme_strerror(rc));
118
150
if (rc != GPG_ERR_NO_ERROR){
119
151
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
120
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
gpgme_data_release(dh_crypto);
121
154
return -1;
122
155
}
123
156
126
159
if (rc != GPG_ERR_NO_ERROR){
127
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
128
161
gpgme_strsource(rc), gpgme_strerror(rc));
129
return -1;
162
plaintext_length = -1;
163
goto decrypt_end;
130
164
}
131
165
132
/* Decrypt data from the FILE pointer to the plaintext data buffer */
166
/* Decrypt data from the cryptotext data buffer to the plaintext
167
data buffer */
133
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
134
169
if (rc != GPG_ERR_NO_ERROR){
135
170
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
136
171
gpgme_strsource(rc), gpgme_strerror(rc));
137
return -1;
172
plaintext_length = -1;
173
goto decrypt_end;
138
174
}
139
175
140
176
if(debug){
141
fprintf(stderr, "decryption of gpg packet succeeded\n");
177
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
142
178
}
143
179
144
180
if (debug){
145
181
gpgme_decrypt_result_t result;
146
182
result = gpgme_op_decrypt_result(ctx);
147
183
if (result == NULL){
148
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
149
185
} else {
150
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
151
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
152
190
if(result->file_name != NULL){
153
191
fprintf(stderr, "File name: %s\n", result->file_name);
154
192
}
160
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
161
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
162
200
fprintf(stderr, "Secret key available: %s\n",
163
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
164
203
recipient = recipient->next;
165
204
}
166
205
}
167
206
}
168
207
}
169
208
170
/* Delete the GPGME FILE pointer cryptotext data buffer */
171
gpgme_data_release(dh_crypto);
172
173
209
/* Seek back to the beginning of the GPGME plaintext data buffer */
174
gpgme_data_seek(dh_plain, 0, SEEK_SET);
175
176
*new_packet = 0;
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
212
plaintext_length = -1;
213
goto decrypt_end;
214
}
215
216
*plaintext = NULL;
177
217
while(true){
178
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
179
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
180
if (*new_packet == NULL){
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
181
223
perror("realloc");
182
return -1;
224
plaintext_length = -1;
225
goto decrypt_end;
183
226
}
184
new_packet_capacity += BUFFER_SIZE;
227
plaintext_capacity += BUFFER_SIZE;
185
228
}
186
229
187
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
231
BUFFER_SIZE);
188
232
/* Print the data, if any */
189
233
if (ret == 0){
190
/* If password is empty, then a incorrect error will be printed */
234
/* EOF */
191
235
break;
192
236
}
193
237
if(ret < 0){
194
238
perror("gpgme_data_read");
195
return -1;
239
plaintext_length = -1;
240
goto decrypt_end;
196
241
}
197
new_packet_length += ret;
242
plaintext_length += ret;
198
243
}
199
244
200
245
if(debug){
201
fprintf(stderr, "decrypted password is: %s\n", *new_packet);
246
fprintf(stderr, "Decrypted password is: ");
247
for(size_t i = 0; i < plaintext_length; i++){
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
249
}
250
fprintf(stderr, "\n");
202
251
}
203
204
/* Delete the GPGME plaintext data buffer */
252
253
decrypt_end:
254
255
/* Delete the GPGME cryptotext data buffer */
256
gpgme_data_release(dh_crypto);
257
258
/* Delete the GPGME plaintext data buffer */
205
259
gpgme_data_release(dh_plain);
206
return new_packet_length;
260
return plaintext_length;
207
261
}
208
262
209
263
static const char * safer_gnutls_strerror (int value) {
213
267
return ret;
214
268
}
215
269
216
void debuggnutls(int level, const char* string){
270
static void debuggnutls(__attribute__((unused)) int level,
271
const char* string){
217
272
fprintf(stderr, "%s", string);
218
273
}
219
274
220
int initgnutls(encrypted_session *es){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
221
277
const char *err;
222
278
int ret;
223
279
224
280
if(debug){
225
fprintf(stderr, "Initializing gnutls\n");
281
fprintf(stderr, "Initializing GnuTLS\n");
226
282
}
227
283
228
229
284
if ((ret = gnutls_global_init ())
230
285
!= GNUTLS_E_SUCCESS) {
231
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
232
287
return -1;
233
288
}
234
289
235
290
if (debug){
236
291
gnutls_global_set_log_level(11);
237
292
gnutls_global_set_log_function(debuggnutls);
238
293
}
239
294
240
241
295
/* openpgp credentials */
242
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
243
297
!= GNUTLS_E_SUCCESS) {
244
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
245
300
return -1;
246
301
}
247
302
248
303
if(debug){
249
fprintf(stderr, "Attempting to use openpgp certificate %s"
250
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
251
307
}
252
308
253
309
ret = gnutls_certificate_set_openpgp_key_file
254
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
255
311
if (ret != GNUTLS_E_SUCCESS) {
256
312
fprintf
257
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
258
ret, CERTFILE, KEYFILE);
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
259
316
fprintf(stdout, "The Error is: %s\n",
260
317
safer_gnutls_strerror(ret));
261
318
return -1;
262
319
}
263
264
//Gnutls server initialization
265
if ((ret = gnutls_dh_params_init (&es->dh_params))
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
266
323
!= GNUTLS_E_SUCCESS) {
267
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
268
325
safer_gnutls_strerror(ret));
269
326
return -1;
270
327
}
271
272
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
273
330
!= GNUTLS_E_SUCCESS) {
274
331
fprintf (stderr, "Error in prime generation: %s\n",
275
332
safer_gnutls_strerror(ret));
276
333
return -1;
277
334
}
278
279
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
280
281
// Gnutls session creation
282
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
283
340
!= GNUTLS_E_SUCCESS){
284
fprintf(stderr, "Error in gnutls session initialization: %s\n",
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
285
342
safer_gnutls_strerror(ret));
286
343
}
287
288
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
344
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
289
346
!= GNUTLS_E_SUCCESS) {
290
347
fprintf(stderr, "Syntax error at: %s\n", err);
291
fprintf(stderr, "Gnutls error: %s\n",
348
fprintf(stderr, "GnuTLS error: %s\n",
292
349
safer_gnutls_strerror(ret));
293
350
return -1;
294
351
}
295
296
if ((ret = gnutls_credentials_set
297
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
352
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
298
355
!= GNUTLS_E_SUCCESS) {
299
356
fprintf(stderr, "Error setting a credentials set: %s\n",
300
357
safer_gnutls_strerror(ret));
301
358
return -1;
302
359
}
303
360
304
361
/* ignore client certificate if any. */
305
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
306
364
307
gnutls_dh_set_prime_bits (es->session, DH_BITS);
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
308
366
309
367
return 0;
310
368
}
311
369
312
void empty_log(AvahiLogLevel level, const char *txt){}
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
371
__attribute__((unused)) const char *txt){}
313
372
314
int start_mandos_communcation(char *ip, uint16_t port){
373
static int start_mandos_communication(const char *ip, uint16_t port,
374
AvahiIfIndex if_index,
375
mandos_context *mc){
315
376
int ret, tcp_sd;
316
377
struct sockaddr_in6 to;
317
struct in6_addr ip_addr;
318
encrypted_session es;
319
378
char *buffer = NULL;
320
379
char *decrypted_buffer;
321
380
size_t buffer_length = 0;
322
381
size_t buffer_capacity = 0;
323
382
ssize_t decrypted_buffer_size;
383
size_t written = 0;
324
384
int retval = 0;
325
const char interface[] = "eth0";
326
385
char interface[IF_NAMESIZE];
386
gnutls_session_t session;
387
gnutls_dh_params_t dh_params;
388
327
389
if(debug){
328
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
329
392
}
330
393
331
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
335
398
}
336
399
337
400
if(debug){
401
if(if_indextoname((unsigned int)if_index, interface) == NULL){
402
perror("if_indextoname");
403
return -1;
404
}
338
405
fprintf(stderr, "Binding to interface %s\n", interface);
339
406
}
340
341
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
342
if(tcp_sd < 0) {
343
perror("setsockopt bindtodevice");
344
return -1;
345
}
346
407
347
memset(&to,0,sizeof(to));
408
memset(&to,0,sizeof(to)); /* Spurious warning */
348
409
to.sin6_family = AF_INET6;
349
ret = inet_pton(AF_INET6, ip, &ip_addr);
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
350
411
if (ret < 0 ){
351
412
perror("inet_pton");
352
413
return -1;
353
}
414
}
354
415
if(ret == 0){
355
416
fprintf(stderr, "Bad address: %s\n", ip);
356
417
return -1;
357
418
}
358
to.sin6_port = htons(port);
359
to.sin6_scope_id = if_nametoindex(interface);
360
419
to.sin6_port = htons(port); /* Spurious warning */
420
421
to.sin6_scope_id = (uint32_t)if_index;
422
361
423
if(debug){
362
fprintf(stderr, "Connection to: %s\n", ip);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
425
char addrstr[INET6_ADDRSTRLEN] = "";
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
427
sizeof(addrstr)) == NULL){
428
perror("inet_ntop");
429
} else {
430
if(strcmp(addrstr, ip) != 0){
431
fprintf(stderr, "Canonical address form: %s\n", addrstr);
432
}
433
}
363
434
}
364
435
365
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
368
439
return -1;
369
440
}
370
441
371
ret = initgnutls (&es);
442
ret = initgnutls (mc, &session, &dh_params);
372
443
if (ret != 0){
373
444
retval = -1;
374
445
return -1;
375
446
}
376
377
378
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
379
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
380
450
if(debug){
381
fprintf(stderr, "Establishing tls session with %s\n", ip);
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
382
452
}
383
384
453
385
ret = gnutls_handshake (es.session);
454
ret = gnutls_handshake (session);
386
455
387
456
if (ret != GNUTLS_E_SUCCESS){
388
fprintf(stderr, "\n*** Handshake failed ***\n");
389
gnutls_perror (ret);
457
if(debug){
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
460
}
390
461
retval = -1;
391
462
goto exit;
392
463
}
393
394
//Retrieve gpg packet that contains the wanted password
395
464
465
//Retrieve OpenPGP packet that contains the wanted password
466
396
467
if(debug){
397
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
469
ip);
398
470
}
399
471
400
472
while(true){
407
479
buffer_capacity += BUFFER_SIZE;
408
480
}
409
481
410
ret = gnutls_record_recv
411
(es.session, buffer+buffer_length, BUFFER_SIZE);
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
412
484
if (ret == 0){
413
485
break;
414
486
}
418
490
case GNUTLS_E_AGAIN:
419
491
break;
420
492
case GNUTLS_E_REHANDSHAKE:
421
ret = gnutls_handshake (es.session);
493
ret = gnutls_handshake (session);
422
494
if (ret < 0){
423
495
fprintf(stderr, "\n*** Handshake failed ***\n");
424
496
gnutls_perror (ret);
427
499
}
428
500
break;
429
501
default:
430
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
502
fprintf(stderr, "Unknown error while reading data from"
503
" encrypted session with mandos server\n");
431
504
retval = -1;
432
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
433
506
goto exit;
434
507
}
435
508
} else {
436
buffer_length += ret;
509
buffer_length += (size_t) ret;
437
510
}
438
511
}
439
512
440
513
if (buffer_length > 0){
441
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
442
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
515
buffer_length,
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
519
while(written < (size_t) decrypted_buffer_size){
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
523
if(ret == 0 and ferror(stdout)){
524
if(debug){
525
fprintf(stderr, "Error writing encrypted data: %s\n",
526
strerror(errno));
527
}
528
retval = -1;
529
break;
530
}
531
written += (size_t)ret;
532
}
443
533
free(decrypted_buffer);
444
534
} else {
445
535
retval = -1;
449
539
//shutdown procedure
450
540
451
541
if(debug){
452
fprintf(stderr, "Closing tls session\n");
542
fprintf(stderr, "Closing TLS session\n");
453
543
}
454
544
455
545
free(buffer);
456
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
457
547
exit:
458
548
close(tcp_sd);
459
gnutls_deinit (es.session);
460
gnutls_certificate_free_credentials (es.cred);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
461
551
gnutls_global_deinit ();
462
552
return retval;
463
553
}
464
554
465
static AvahiSimplePoll *simple_poll = NULL;
466
static AvahiServer *server = NULL;
467
468
static void resolve_callback(
469
AvahiSServiceResolver *r,
470
AVAHI_GCC_UNUSED AvahiIfIndex interface,
471
AVAHI_GCC_UNUSED AvahiProtocol protocol,
472
AvahiResolverEvent event,
473
const char *name,
474
const char *type,
475
const char *domain,
476
const char *host_name,
477
const AvahiAddress *address,
478
uint16_t port,
479
AvahiStringList *txt,
480
AvahiLookupResultFlags flags,
481
AVAHI_GCC_UNUSED void* userdata) {
482
483
assert(r);
484
485
/* Called whenever a service has been resolved successfully or timed out */
486
487
switch (event) {
488
case AVAHI_RESOLVER_FAILURE:
489
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
490
break;
491
492
case AVAHI_RESOLVER_FOUND: {
493
char ip[AVAHI_ADDRESS_STR_MAX];
494
avahi_address_snprint(ip, sizeof(ip), address);
495
if(debug){
496
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
497
}
498
int ret = start_mandos_communcation(ip, port);
499
if (ret == 0){
500
exit(EXIT_SUCCESS);
501
} else {
502
exit(EXIT_FAILURE);
503
}
504
}
505
}
506
avahi_s_service_resolver_free(r);
507
}
508
509
static void browse_callback(
510
AvahiSServiceBrowser *b,
511
AvahiIfIndex interface,
512
AvahiProtocol protocol,
513
AvahiBrowserEvent event,
514
const char *name,
515
const char *type,
516
const char *domain,
517
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
518
void* userdata) {
519
520
AvahiServer *s = userdata;
521
assert(b);
522
523
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
524
525
switch (event) {
526
527
case AVAHI_BROWSER_FAILURE:
528
529
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
530
avahi_simple_poll_quit(simple_poll);
531
return;
532
533
case AVAHI_BROWSER_NEW:
534
/* We ignore the returned resolver object. In the callback
535
function we free it. If the server is terminated before
536
the callback function is called the server will free
537
the resolver for us. */
538
539
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
540
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
541
542
break;
543
544
case AVAHI_BROWSER_REMOVE:
545
break;
546
547
case AVAHI_BROWSER_ALL_FOR_NOW:
548
case AVAHI_BROWSER_CACHE_EXHAUSTED:
549
break;
550
}
551
}
555
static void resolve_callback(AvahiSServiceResolver *r,
556
AvahiIfIndex interface,
557
AVAHI_GCC_UNUSED AvahiProtocol protocol,
558
AvahiResolverEvent event,
559
const char *name,
560
const char *type,
561
const char *domain,
562
const char *host_name,
563
const AvahiAddress *address,
564
uint16_t port,
565
AVAHI_GCC_UNUSED AvahiStringList *txt,
566
AVAHI_GCC_UNUSED AvahiLookupResultFlags
567
flags,
568
void* userdata) {
569
mandos_context *mc = userdata;
570
assert(r); /* Spurious warning */
571
572
/* Called whenever a service has been resolved successfully or
573
timed out */
574
575
switch (event) {
576
default:
577
case AVAHI_RESOLVER_FAILURE:
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
580
avahi_strerror(avahi_server_errno(mc->server)));
581
break;
582
583
case AVAHI_RESOLVER_FOUND:
584
{
585
char ip[AVAHI_ADDRESS_STR_MAX];
586
avahi_address_snprint(ip, sizeof(ip), address);
587
if(debug){
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
590
}
591
int ret = start_mandos_communication(ip, port, interface, mc);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
594
}
595
}
596
}
597
avahi_s_service_resolver_free(r);
598
}
599
600
static void browse_callback( AvahiSServiceBrowser *b,
601
AvahiIfIndex interface,
602
AvahiProtocol protocol,
603
AvahiBrowserEvent event,
604
const char *name,
605
const char *type,
606
const char *domain,
607
AVAHI_GCC_UNUSED AvahiLookupResultFlags
608
flags,
609
void* userdata) {
610
mandos_context *mc = userdata;
611
assert(b); /* Spurious warning */
612
613
/* Called whenever a new services becomes available on the LAN or
614
is removed from the LAN */
615
616
switch (event) {
617
default:
618
case AVAHI_BROWSER_FAILURE:
619
620
fprintf(stderr, "(Browser) %s\n",
621
avahi_strerror(avahi_server_errno(mc->server)));
622
avahi_simple_poll_quit(mc->simple_poll);
623
return;
624
625
case AVAHI_BROWSER_NEW:
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
630
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
632
protocol, name, type, domain,
633
AVAHI_PROTO_INET6, 0,
634
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
637
break;
638
639
case AVAHI_BROWSER_REMOVE:
640
break;
641
642
case AVAHI_BROWSER_ALL_FOR_NOW:
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
644
break;
645
}
646
}
647
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
552
668
553
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
554
670
AvahiServerConfig config;
555
671
AvahiSServiceBrowser *sb = NULL;
556
const char db[] = "--debug";
557
672
int error;
558
int ret = 1;
673
int ret;
674
int debug_int;
559
675
int returncode = EXIT_SUCCESS;
560
char *basename = rindex(argv[0], '/');
561
if(basename == NULL){
562
basename = argv[0];
563
} else {
564
basename++;
565
}
566
567
char *program_name = malloc(strlen(basename) + sizeof(db));
568
569
if (program_name == NULL){
570
perror("argv[0]");
571
return EXIT_FAILURE;
572
}
573
574
program_name[0] = '\0';
575
576
for (int i = 1; i < argc; i++){
577
if (not strncmp(argv[i], db, 5)){
578
strcat(strcat(strcat(program_name, db ), "="), basename);
579
if(not strcmp(argv[i], db) or not strcmp(argv[i], program_name)){
580
debug = true;
581
}
676
const char *interface = "eth0";
677
struct ifreq network;
678
int sd;
679
char *connect_to = NULL;
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
683
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
582
729
}
583
}
584
free(program_name);
585
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
752
}
753
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
755
if(if_index == 0){
756
fprintf(stderr, "No such interface: \"%s\"\n", interface);
757
exit(EXIT_FAILURE);
758
}
759
760
if(connect_to != NULL){
761
/* Connect directly, do not use Zeroconf */
762
/* (Mainly meant for debugging) */
763
char *address = strrchr(connect_to, ':');
764
if(address == NULL){
765
fprintf(stderr, "No colon in address\n");
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
774
*address = '\0';
775
address = connect_to;
776
ret = start_mandos_communication(address, port, if_index, &mc);
777
if(ret < 0){
778
exit(EXIT_FAILURE);
779
} else {
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
808
586
809
if (not debug){
587
810
avahi_set_log_function(empty_log);
588
811
}
589
812
590
813
/* Initialize the psuedo-RNG */
591
srand(time(NULL));
814
srand((unsigned int) time(NULL));
592
815
593
816
/* Allocate main loop object */
594
if (!(simple_poll = avahi_simple_poll_new())) {
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
595
818
fprintf(stderr, "Failed to create simple poll object.\n");
596
819
returncode = EXIT_FAILURE;
597
820
goto exit;
598
821
}
599
822
605
828
config.publish_domain = 0;
606
829
607
830
/* Allocate a new server */
608
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
609
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
610
834
/* Free the configuration data */
611
835
avahi_server_config_free(&config);
612
836
613
837
/* Check if creating the server object succeeded */
614
if (!server) {
615
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
840
avahi_strerror(error));
616
841
returncode = EXIT_FAILURE;
617
842
goto exit;
618
843
}
619
844
620
845
/* Create the service browser */
621
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
622
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
846
sb = avahi_s_service_browser_new(mc.server, if_index,
847
AVAHI_PROTO_INET6,
848
"_mandos._tcp", NULL, 0,
849
browse_callback, &mc);
850
if (!sb) {
851
fprintf(stderr, "Failed to create service browser: %s\n",
852
avahi_strerror(avahi_server_errno(mc.server)));
623
853
returncode = EXIT_FAILURE;
624
854
goto exit;
625
855
}
630
860
fprintf(stderr, "Starting avahi loop search\n");
631
861
}
632
862
633
avahi_simple_poll_loop(simple_poll);
863
avahi_simple_poll_loop(mc.simple_poll);
634
864
635
exit:
865
exit:
636
866
637
867
if (debug){
638
868
fprintf(stderr, "%s exiting\n", argv[0]);
642
872
if (sb)
643
873
avahi_s_service_browser_free(sb);
644
874
645
if (server)
646
avahi_server_free(server);
647
648
if (simple_poll)
649
avahi_simple_poll_free(simple_poll);
650
651
return ret;
875
if (mc.server)
876
avahi_server_free(mc.server);
877
878
if (mc.simple_poll)
879
avahi_simple_poll_free(mc.simple_poll);
880
free(pubkeyfile);
881
free(seckeyfile);
882
883
return returncode;
652
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0