To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- server.conf
- files renamed:
- mandos-clients.conf => clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
29
*/
19
30
31
/* Needed by GPGME, specifically gpgme_data_seek() */
20
32
#define _LARGEFILE_SOURCE
21
33
#define _FILE_OFFSET_BITS 64
22
34
25
37
#include <stdlib.h>
26
38
#include <time.h>
27
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
28
44
29
45
#include <avahi-core/core.h>
30
46
#include <avahi-core/lookup.h>
34
50
#include <avahi-common/error.h>
35
51
36
52
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
41
58
42
59
#include <unistd.h> /* close() */
43
60
#include <netinet/in.h>
50
67
#include <errno.h> /* perror() */
51
68
#include <gpgme.h>
52
69
53
// getopt long
70
// getopt_long
54
71
#include <getopt.h>
55
72
56
#ifndef CERT_ROOT
57
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
58
#endif
59
#define CERTFILE CERT_ROOT "openpgp-client.txt"
60
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
61
73
#define BUFFER_SIZE 256
62
#define DH_BITS 1024
74
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
63
78
64
79
bool debug = false;
65
char *interface = "eth0";
66
80
81
/* Used for passing in values through all the callback functions */
67
82
typedef struct {
68
gnutls_session_t session;
83
AvahiSimplePoll *simple_poll;
84
AvahiServer *server;
69
85
gnutls_certificate_credentials_t cred;
70
gnutls_dh_params_t dh_params;
71
} encrypted_session;
72
73
74
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
86
unsigned int dh_bits;
87
const char *priority;
88
} mandos_context;
89
90
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
93
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
75
98
gpgme_data_t dh_crypto, dh_plain;
76
99
gpgme_ctx_t ctx;
77
100
gpgme_error_t rc;
78
101
ssize_t ret;
79
size_t new_packet_capacity = 0;
80
size_t new_packet_length = 0;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
81
104
gpgme_engine_info_t engine_info;
82
105
83
106
if (debug){
84
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
85
108
}
86
109
87
110
/* Init GPGME */
88
111
gpgme_check_version(NULL);
89
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
112
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
if (rc != GPG_ERR_NO_ERROR){
114
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
115
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
117
}
90
118
91
/* Set GPGME home directory */
119
/* Set GPGME home directory for the OpenPGP engine only */
92
120
rc = gpgme_get_engine_info (&engine_info);
93
121
if (rc != GPG_ERR_NO_ERROR){
94
122
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
104
132
engine_info = engine_info->next;
105
133
}
106
134
if(engine_info == NULL){
107
fprintf(stderr, "Could not set home dir to %s\n", homedir);
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
108
136
return -1;
109
137
}
110
138
111
/* Create new GPGME data buffer from packet buffer */
112
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
139
/* Create new GPGME data buffer from memory cryptotext */
140
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
141
0);
113
142
if (rc != GPG_ERR_NO_ERROR){
114
143
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
115
144
gpgme_strsource(rc), gpgme_strerror(rc));
121
150
if (rc != GPG_ERR_NO_ERROR){
122
151
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
123
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
gpgme_data_release(dh_crypto);
124
154
return -1;
125
155
}
126
156
129
159
if (rc != GPG_ERR_NO_ERROR){
130
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
131
161
gpgme_strsource(rc), gpgme_strerror(rc));
132
return -1;
162
plaintext_length = -1;
163
goto decrypt_end;
133
164
}
134
165
135
/* Decrypt data from the FILE pointer to the plaintext data buffer */
166
/* Decrypt data from the cryptotext data buffer to the plaintext
167
data buffer */
136
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
137
169
if (rc != GPG_ERR_NO_ERROR){
138
170
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
139
171
gpgme_strsource(rc), gpgme_strerror(rc));
140
return -1;
172
plaintext_length = -1;
173
goto decrypt_end;
141
174
}
142
175
143
176
if(debug){
144
fprintf(stderr, "decryption of gpg packet succeeded\n");
177
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
145
178
}
146
179
147
180
if (debug){
148
181
gpgme_decrypt_result_t result;
149
182
result = gpgme_op_decrypt_result(ctx);
150
183
if (result == NULL){
151
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
152
185
} else {
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
155
190
if(result->file_name != NULL){
156
191
fprintf(stderr, "File name: %s\n", result->file_name);
157
192
}
163
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
164
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
165
200
fprintf(stderr, "Secret key available: %s\n",
166
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
167
203
recipient = recipient->next;
168
204
}
169
205
}
170
206
}
171
207
}
172
208
173
/* Delete the GPGME FILE pointer cryptotext data buffer */
174
gpgme_data_release(dh_crypto);
175
176
209
/* Seek back to the beginning of the GPGME plaintext data buffer */
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
178
179
*new_packet = 0;
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
212
plaintext_length = -1;
213
goto decrypt_end;
214
}
215
216
*plaintext = NULL;
180
217
while(true){
181
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
183
if (*new_packet == NULL){
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
184
223
perror("realloc");
185
return -1;
224
plaintext_length = -1;
225
goto decrypt_end;
186
226
}
187
new_packet_capacity += BUFFER_SIZE;
227
plaintext_capacity += BUFFER_SIZE;
188
228
}
189
229
190
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
231
BUFFER_SIZE);
191
232
/* Print the data, if any */
192
233
if (ret == 0){
193
/* If password is empty, then a incorrect error will be printed */
234
/* EOF */
194
235
break;
195
236
}
196
237
if(ret < 0){
197
238
perror("gpgme_data_read");
198
return -1;
239
plaintext_length = -1;
240
goto decrypt_end;
199
241
}
200
new_packet_length += ret;
242
plaintext_length += ret;
201
243
}
202
244
203
/* FIXME: check characters before printing to screen so to not print
204
terminal control characters */
205
/* if(debug){ */
206
/* fprintf(stderr, "decrypted password is: "); */
207
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
208
/* fprintf(stderr, "\n"); */
209
/* } */
245
if(debug){
246
fprintf(stderr, "Decrypted password is: ");
247
for(size_t i = 0; i < plaintext_length; i++){
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
249
}
250
fprintf(stderr, "\n");
251
}
252
253
decrypt_end:
254
255
/* Delete the GPGME cryptotext data buffer */
256
gpgme_data_release(dh_crypto);
210
257
211
258
/* Delete the GPGME plaintext data buffer */
212
259
gpgme_data_release(dh_plain);
213
return new_packet_length;
260
return plaintext_length;
214
261
}
215
262
216
263
static const char * safer_gnutls_strerror (int value) {
220
267
return ret;
221
268
}
222
269
223
void debuggnutls(int level, const char* string){
270
static void debuggnutls(__attribute__((unused)) int level,
271
const char* string){
224
272
fprintf(stderr, "%s", string);
225
273
}
226
274
227
int initgnutls(encrypted_session *es){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
228
277
const char *err;
229
278
int ret;
230
279
231
280
if(debug){
232
fprintf(stderr, "Initializing gnutls\n");
281
fprintf(stderr, "Initializing GnuTLS\n");
233
282
}
234
283
235
236
284
if ((ret = gnutls_global_init ())
237
285
!= GNUTLS_E_SUCCESS) {
238
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
239
287
return -1;
240
288
}
241
289
242
290
if (debug){
243
291
gnutls_global_set_log_level(11);
244
292
gnutls_global_set_log_function(debuggnutls);
245
293
}
246
294
247
248
295
/* openpgp credentials */
249
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
250
297
!= GNUTLS_E_SUCCESS) {
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
252
300
return -1;
253
301
}
254
302
255
303
if(debug){
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
258
307
}
259
308
260
309
ret = gnutls_certificate_set_openpgp_key_file
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
262
311
if (ret != GNUTLS_E_SUCCESS) {
263
312
fprintf
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
266
316
fprintf(stdout, "The Error is: %s\n",
267
317
safer_gnutls_strerror(ret));
268
318
return -1;
269
319
}
270
271
//Gnutls server initialization
272
if ((ret = gnutls_dh_params_init (&es->dh_params))
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
273
323
!= GNUTLS_E_SUCCESS) {
274
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
275
325
safer_gnutls_strerror(ret));
276
326
return -1;
277
327
}
278
279
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
280
330
!= GNUTLS_E_SUCCESS) {
281
331
fprintf (stderr, "Error in prime generation: %s\n",
282
332
safer_gnutls_strerror(ret));
283
333
return -1;
284
334
}
285
286
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
287
288
// Gnutls session creation
289
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
290
340
!= GNUTLS_E_SUCCESS){
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
292
342
safer_gnutls_strerror(ret));
293
343
}
294
295
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
344
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
296
346
!= GNUTLS_E_SUCCESS) {
297
347
fprintf(stderr, "Syntax error at: %s\n", err);
298
fprintf(stderr, "Gnutls error: %s\n",
348
fprintf(stderr, "GnuTLS error: %s\n",
299
349
safer_gnutls_strerror(ret));
300
350
return -1;
301
351
}
302
303
if ((ret = gnutls_credentials_set
304
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
352
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
305
355
!= GNUTLS_E_SUCCESS) {
306
356
fprintf(stderr, "Error setting a credentials set: %s\n",
307
357
safer_gnutls_strerror(ret));
308
358
return -1;
309
359
}
310
360
311
361
/* ignore client certificate if any. */
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
313
364
314
gnutls_dh_set_prime_bits (es->session, DH_BITS);
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
315
366
316
367
return 0;
317
368
}
318
369
319
void empty_log(AvahiLogLevel level, const char *txt){}
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
371
__attribute__((unused)) const char *txt){}
320
372
321
int start_mandos_communication(char *ip, uint16_t port){
373
static int start_mandos_communication(const char *ip, uint16_t port,
374
AvahiIfIndex if_index,
375
mandos_context *mc){
322
376
int ret, tcp_sd;
323
377
struct sockaddr_in6 to;
324
encrypted_session es;
325
378
char *buffer = NULL;
326
379
char *decrypted_buffer;
327
380
size_t buffer_length = 0;
328
381
size_t buffer_capacity = 0;
329
382
ssize_t decrypted_buffer_size;
383
size_t written = 0;
330
384
int retval = 0;
331
385
char interface[IF_NAMESIZE];
386
gnutls_session_t session;
387
gnutls_dh_params_t dh_params;
388
332
389
if(debug){
333
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
334
392
}
335
393
336
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
340
398
}
341
399
342
400
if(debug){
401
if(if_indextoname((unsigned int)if_index, interface) == NULL){
402
perror("if_indextoname");
403
return -1;
404
}
343
405
fprintf(stderr, "Binding to interface %s\n", interface);
344
406
}
345
346
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
347
if(tcp_sd < 0) {
348
perror("setsockopt bindtodevice");
349
return -1;
350
}
351
407
352
memset(&to,0,sizeof(to));
408
memset(&to,0,sizeof(to)); /* Spurious warning */
353
409
to.sin6_family = AF_INET6;
354
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
355
411
if (ret < 0 ){
356
412
perror("inet_pton");
357
413
return -1;
358
}
414
}
359
415
if(ret == 0){
360
416
fprintf(stderr, "Bad address: %s\n", ip);
361
417
return -1;
362
418
}
363
to.sin6_port = htons(port);
364
to.sin6_scope_id = if_nametoindex(interface);
365
419
to.sin6_port = htons(port); /* Spurious warning */
420
421
to.sin6_scope_id = (uint32_t)if_index;
422
366
423
if(debug){
367
fprintf(stderr, "Connection to: %s\n", ip);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
425
char addrstr[INET6_ADDRSTRLEN] = "";
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
427
sizeof(addrstr)) == NULL){
428
perror("inet_ntop");
429
} else {
430
if(strcmp(addrstr, ip) != 0){
431
fprintf(stderr, "Canonical address form: %s\n", addrstr);
432
}
433
}
368
434
}
369
435
370
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
373
439
return -1;
374
440
}
375
441
376
ret = initgnutls (&es);
442
ret = initgnutls (mc, &session, &dh_params);
377
443
if (ret != 0){
378
444
retval = -1;
379
445
return -1;
380
446
}
381
382
383
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
384
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
385
450
if(debug){
386
fprintf(stderr, "Establishing tls session with %s\n", ip);
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
387
452
}
388
389
453
390
ret = gnutls_handshake (es.session);
454
ret = gnutls_handshake (session);
391
455
392
456
if (ret != GNUTLS_E_SUCCESS){
393
fprintf(stderr, "\n*** Handshake failed ***\n");
394
gnutls_perror (ret);
457
if(debug){
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
460
}
395
461
retval = -1;
396
462
goto exit;
397
463
}
398
399
//Retrieve gpg packet that contains the wanted password
400
464
465
//Retrieve OpenPGP packet that contains the wanted password
466
401
467
if(debug){
402
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
469
ip);
403
470
}
404
471
405
472
while(true){
412
479
buffer_capacity += BUFFER_SIZE;
413
480
}
414
481
415
ret = gnutls_record_recv
416
(es.session, buffer+buffer_length, BUFFER_SIZE);
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
417
484
if (ret == 0){
418
485
break;
419
486
}
423
490
case GNUTLS_E_AGAIN:
424
491
break;
425
492
case GNUTLS_E_REHANDSHAKE:
426
ret = gnutls_handshake (es.session);
493
ret = gnutls_handshake (session);
427
494
if (ret < 0){
428
495
fprintf(stderr, "\n*** Handshake failed ***\n");
429
496
gnutls_perror (ret);
432
499
}
433
500
break;
434
501
default:
435
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
502
fprintf(stderr, "Unknown error while reading data from"
503
" encrypted session with mandos server\n");
436
504
retval = -1;
437
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
438
506
goto exit;
439
507
}
440
508
} else {
441
buffer_length += ret;
509
buffer_length += (size_t) ret;
442
510
}
443
511
}
444
512
445
513
if (buffer_length > 0){
446
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
447
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
515
buffer_length,
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
519
while(written < (size_t) decrypted_buffer_size){
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
523
if(ret == 0 and ferror(stdout)){
524
if(debug){
525
fprintf(stderr, "Error writing encrypted data: %s\n",
526
strerror(errno));
527
}
528
retval = -1;
529
break;
530
}
531
written += (size_t)ret;
532
}
448
533
free(decrypted_buffer);
449
534
} else {
450
535
retval = -1;
454
539
//shutdown procedure
455
540
456
541
if(debug){
457
fprintf(stderr, "Closing tls session\n");
542
fprintf(stderr, "Closing TLS session\n");
458
543
}
459
544
460
545
free(buffer);
461
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
462
547
exit:
463
548
close(tcp_sd);
464
gnutls_deinit (es.session);
465
gnutls_certificate_free_credentials (es.cred);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
466
551
gnutls_global_deinit ();
467
552
return retval;
468
553
}
469
554
470
static AvahiSimplePoll *simple_poll = NULL;
471
static AvahiServer *server = NULL;
472
473
static void resolve_callback(
474
AvahiSServiceResolver *r,
475
AVAHI_GCC_UNUSED AvahiIfIndex interface,
476
AVAHI_GCC_UNUSED AvahiProtocol protocol,
477
AvahiResolverEvent event,
478
const char *name,
479
const char *type,
480
const char *domain,
481
const char *host_name,
482
const AvahiAddress *address,
483
uint16_t port,
484
AvahiStringList *txt,
485
AvahiLookupResultFlags flags,
486
AVAHI_GCC_UNUSED void* userdata) {
487
488
assert(r);
489
490
/* Called whenever a service has been resolved successfully or timed out */
491
492
switch (event) {
493
case AVAHI_RESOLVER_FAILURE:
494
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
495
break;
496
497
case AVAHI_RESOLVER_FOUND: {
498
char ip[AVAHI_ADDRESS_STR_MAX];
499
avahi_address_snprint(ip, sizeof(ip), address);
500
if(debug){
501
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
502
}
503
int ret = start_mandos_communication(ip, port);
504
if (ret == 0){
505
exit(EXIT_SUCCESS);
506
} else {
507
exit(EXIT_FAILURE);
508
}
509
}
510
}
511
avahi_s_service_resolver_free(r);
512
}
513
514
static void browse_callback(
515
AvahiSServiceBrowser *b,
516
AvahiIfIndex interface,
517
AvahiProtocol protocol,
518
AvahiBrowserEvent event,
519
const char *name,
520
const char *type,
521
const char *domain,
522
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
523
void* userdata) {
524
525
AvahiServer *s = userdata;
526
assert(b);
527
528
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
529
530
switch (event) {
531
532
case AVAHI_BROWSER_FAILURE:
533
534
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
535
avahi_simple_poll_quit(simple_poll);
536
return;
537
538
case AVAHI_BROWSER_NEW:
539
/* We ignore the returned resolver object. In the callback
540
function we free it. If the server is terminated before
541
the callback function is called the server will free
542
the resolver for us. */
543
544
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
545
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
546
547
break;
548
549
case AVAHI_BROWSER_REMOVE:
550
break;
551
552
case AVAHI_BROWSER_ALL_FOR_NOW:
553
case AVAHI_BROWSER_CACHE_EXHAUSTED:
554
break;
555
}
556
}
555
static void resolve_callback(AvahiSServiceResolver *r,
556
AvahiIfIndex interface,
557
AVAHI_GCC_UNUSED AvahiProtocol protocol,
558
AvahiResolverEvent event,
559
const char *name,
560
const char *type,
561
const char *domain,
562
const char *host_name,
563
const AvahiAddress *address,
564
uint16_t port,
565
AVAHI_GCC_UNUSED AvahiStringList *txt,
566
AVAHI_GCC_UNUSED AvahiLookupResultFlags
567
flags,
568
void* userdata) {
569
mandos_context *mc = userdata;
570
assert(r); /* Spurious warning */
571
572
/* Called whenever a service has been resolved successfully or
573
timed out */
574
575
switch (event) {
576
default:
577
case AVAHI_RESOLVER_FAILURE:
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
580
avahi_strerror(avahi_server_errno(mc->server)));
581
break;
582
583
case AVAHI_RESOLVER_FOUND:
584
{
585
char ip[AVAHI_ADDRESS_STR_MAX];
586
avahi_address_snprint(ip, sizeof(ip), address);
587
if(debug){
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
590
}
591
int ret = start_mandos_communication(ip, port, interface, mc);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
594
}
595
}
596
}
597
avahi_s_service_resolver_free(r);
598
}
599
600
static void browse_callback( AvahiSServiceBrowser *b,
601
AvahiIfIndex interface,
602
AvahiProtocol protocol,
603
AvahiBrowserEvent event,
604
const char *name,
605
const char *type,
606
const char *domain,
607
AVAHI_GCC_UNUSED AvahiLookupResultFlags
608
flags,
609
void* userdata) {
610
mandos_context *mc = userdata;
611
assert(b); /* Spurious warning */
612
613
/* Called whenever a new services becomes available on the LAN or
614
is removed from the LAN */
615
616
switch (event) {
617
default:
618
case AVAHI_BROWSER_FAILURE:
619
620
fprintf(stderr, "(Browser) %s\n",
621
avahi_strerror(avahi_server_errno(mc->server)));
622
avahi_simple_poll_quit(mc->simple_poll);
623
return;
624
625
case AVAHI_BROWSER_NEW:
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
630
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
632
protocol, name, type, domain,
633
AVAHI_PROTO_INET6, 0,
634
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
637
break;
638
639
case AVAHI_BROWSER_REMOVE:
640
break;
641
642
case AVAHI_BROWSER_ALL_FOR_NOW:
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
644
break;
645
}
646
}
647
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
557
668
558
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
559
670
AvahiServerConfig config;
560
671
AvahiSServiceBrowser *sb = NULL;
561
672
int error;
562
673
int ret;
674
int debug_int;
563
675
int returncode = EXIT_SUCCESS;
564
676
const char *interface = "eth0";
677
struct ifreq network;
678
int sd;
679
char *connect_to = NULL;
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
683
684
debug_int = debug ? 1 : 0;
565
685
while (true){
566
static struct option long_options[] = {
567
{"debug", no_argument, (int *)&debug, 1},
568
{"interface", required_argument, 0, 'i'},
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
569
695
{0, 0, 0, 0} };
570
696
571
697
int option_index = 0;
572
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
573
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
574
701
if (ret == -1){
575
702
break;
576
703
}
581
708
case 'i':
582
709
interface = optarg;
583
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
584
735
default:
585
736
exit(EXIT_FAILURE);
586
737
}
587
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
752
}
753
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
755
if(if_index == 0){
756
fprintf(stderr, "No such interface: \"%s\"\n", interface);
757
exit(EXIT_FAILURE);
758
}
759
760
if(connect_to != NULL){
761
/* Connect directly, do not use Zeroconf */
762
/* (Mainly meant for debugging) */
763
char *address = strrchr(connect_to, ':');
764
if(address == NULL){
765
fprintf(stderr, "No colon in address\n");
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
774
*address = '\0';
775
address = connect_to;
776
ret = start_mandos_communication(address, port, if_index, &mc);
777
if(ret < 0){
778
exit(EXIT_FAILURE);
779
} else {
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
588
808
589
809
if (not debug){
590
810
avahi_set_log_function(empty_log);
591
811
}
592
812
593
813
/* Initialize the psuedo-RNG */
594
srand(time(NULL));
814
srand((unsigned int) time(NULL));
595
815
596
816
/* Allocate main loop object */
597
if (!(simple_poll = avahi_simple_poll_new())) {
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
598
818
fprintf(stderr, "Failed to create simple poll object.\n");
599
819
returncode = EXIT_FAILURE;
600
820
goto exit;
601
821
}
602
822
608
828
config.publish_domain = 0;
609
829
610
830
/* Allocate a new server */
611
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
612
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
613
834
/* Free the configuration data */
614
835
avahi_server_config_free(&config);
615
836
616
837
/* Check if creating the server object succeeded */
617
if (!server) {
618
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
840
avahi_strerror(error));
619
841
returncode = EXIT_FAILURE;
620
842
goto exit;
621
843
}
622
844
623
845
/* Create the service browser */
624
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
625
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
846
sb = avahi_s_service_browser_new(mc.server, if_index,
847
AVAHI_PROTO_INET6,
848
"_mandos._tcp", NULL, 0,
849
browse_callback, &mc);
850
if (!sb) {
851
fprintf(stderr, "Failed to create service browser: %s\n",
852
avahi_strerror(avahi_server_errno(mc.server)));
626
853
returncode = EXIT_FAILURE;
627
854
goto exit;
628
855
}
633
860
fprintf(stderr, "Starting avahi loop search\n");
634
861
}
635
862
636
avahi_simple_poll_loop(simple_poll);
863
avahi_simple_poll_loop(mc.simple_poll);
637
864
638
exit:
865
exit:
639
866
640
867
if (debug){
641
868
fprintf(stderr, "%s exiting\n", argv[0]);
645
872
if (sb)
646
873
avahi_s_service_browser_free(sb);
647
874
648
if (server)
649
avahi_server_free(server);
650
651
if (simple_poll)
652
avahi_simple_poll_free(simple_poll);
653
875
if (mc.server)
876
avahi_server_free(mc.server);
877
878
if (mc.simple_poll)
879
avahi_simple_poll_free(mc.simple_poll);
880
free(pubkeyfile);
881
free(seckeyfile);
882
654
883
return returncode;
655
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0