/mandos/release : revision 58

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Teddy Hogeborn
Date: 2008-08-10 00:12:22 UTC
mfrom: (24.1.34 mandos)
Revision ID: teddy@fukt.bsnet.se-20080810001222-2apzjania6io2619

Merge.

files added:
mandos-client.xml

mandos-clients.conf.xml

mandos.conf.xml

mandos.xml

network-protocol.txt

plugins.d/password-prompt.xml

plugins.d/password-request.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

plugbasedclient.c => mandos-client.c

server.conf => mandos.conf

plugins.d/passprompt.c => plugins.d/password-prompt.c

plugins.d/mandosclient.c => plugins.d/password-request.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), memcpy(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

IFF_UP */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and functions

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

#define BUFFER_SIZE 256

#define DH_BITS 1024

100

bool debug = false;

101

static const char *keydir = "/conf/conf.d/mandos";

102

static const char mandos_protocol_version[] = "1";

103

const char *argp_program_version = "mandosclient 0.9";

104

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

105

106

/* Used for passing in values through the Avahi callback functions */

107

typedef struct {

gnutls_session_t session;

108

AvahiSimplePoll *simple_poll;

109

AvahiServer *server;

110

gnutls_certificate_credentials_t cred;

111

unsigned int dh_bits;

112

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

113

const char *priority;

114

} mandos_context;

115

116

117

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

118

* "buffer_capacity" is how much is currently allocated,

119

* "buffer_length" is how much is already used.

120

121

size_t adjustbuffer(char **buffer, size_t buffer_length,

122

size_t buffer_capacity){

123

if (buffer_length + BUFFER_SIZE > buffer_capacity){

124

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

125

if (buffer == NULL){

126

return 0;

127

}

128

buffer_capacity += BUFFER_SIZE;

129

}

130

return buffer_capacity;

131

}

132

133

134

* Decrypt OpenPGP data using keyrings in HOMEDIR.

135

* Returns -1 on error

136

137

static ssize_t pgp_packet_decrypt (const char *cryptotext,

138

size_t crypto_size,

139

char **plaintext,

140

const char *homedir){

141

gpgme_data_t dh_crypto, dh_plain;

142

gpgme_ctx_t ctx;

143

gpgme_error_t rc;

144

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

145

size_t plaintext_capacity = 0;

146

ssize_t plaintext_length = 0;

147

gpgme_engine_info_t engine_info;

148

149

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

150

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

151

}

100

152

101

153

/* Init GPGME */

102

154

gpgme_check_version(NULL);

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

155

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

156

if (rc != GPG_ERR_NO_ERROR){

157

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

158

gpgme_strsource(rc), gpgme_strerror(rc));

159

return -1;

160

}

104

161

105

/* Set GPGME home directory */

162

/* Set GPGME home directory for the OpenPGP engine only */

106

163

rc = gpgme_get_engine_info (&engine_info);

107

164

if (rc != GPG_ERR_NO_ERROR){

108

165

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

118

175

engine_info = engine_info->next;

119

176

}

120

177

if(engine_info == NULL){

121

fprintf(stderr, "Could not set home dir to %s\n", homedir);

178

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

122

179

return -1;

123

180

}

124

181

125

/* Create new GPGME data buffer from packet buffer */

126

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

182

/* Create new GPGME data buffer from memory cryptotext */

183

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

184

0);

127

185

if (rc != GPG_ERR_NO_ERROR){

128

186

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

129

187

gpgme_strsource(rc), gpgme_strerror(rc));

135

193

if (rc != GPG_ERR_NO_ERROR){

136

194

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

137

195

gpgme_strsource(rc), gpgme_strerror(rc));

196

gpgme_data_release(dh_crypto);

138

197

return -1;

139

198

}

140

199

143

202

if (rc != GPG_ERR_NO_ERROR){

144

203

fprintf(stderr, "bad gpgme_new: %s: %s\n",

145

204

gpgme_strsource(rc), gpgme_strerror(rc));

146

return -1;

205

plaintext_length = -1;

206

goto decrypt_end;

147

207

}

148

208

149

/* Decrypt data from the FILE pointer to the plaintext data

150

buffer */

209

/* Decrypt data from the cryptotext data buffer to the plaintext

210

data buffer */

151

211

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

152

212

if (rc != GPG_ERR_NO_ERROR){

153

213

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

154

214

gpgme_strsource(rc), gpgme_strerror(rc));

155

return -1;

215

plaintext_length = -1;

216

goto decrypt_end;

156

217

}

157

218

158

219

if(debug){

159

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

220

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

160

221

}

161

222

162

223

if (debug){

163

224

gpgme_decrypt_result_t result;

164

225

result = gpgme_op_decrypt_result(ctx);

188

249

}

189

250

}

190

251

191

/* Delete the GPGME FILE pointer cryptotext data buffer */

192

gpgme_data_release(dh_crypto);

193

194

252

/* Seek back to the beginning of the GPGME plaintext data buffer */

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

197

*new_packet = 0;

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

}

258

259

*plaintext = NULL;

198

260

while(true){

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

200

*new_packet = realloc(*new_packet,

201

(unsigned int)new_packet_capacity

202

+ BUFFER_SIZE);

203

if (*new_packet == NULL){

204

perror("realloc");

205

return -1;

206

}

207

new_packet_capacity += BUFFER_SIZE;

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

208

268

}

209

269

210

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

271

BUFFER_SIZE);

212

272

/* Print the data, if any */

213

273

if (ret == 0){

274

/* EOF */

214

275

break;

215

276

}

216

277

if(ret < 0){

217

278

perror("gpgme_data_read");

218

return -1;

279

plaintext_length = -1;

280

goto decrypt_end;

219

281

}

220

new_packet_length += ret;

282

plaintext_length += ret;

221

283

}

222

284

223

/* FIXME: check characters before printing to screen so to not print

224

terminal control characters */

225

/* if(debug){ */

226

/* fprintf(stderr, "decrypted password is: "); */

227

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

228

/* fprintf(stderr, "\n"); */

229

/* } */

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

230

297

231

298

/* Delete the GPGME plaintext data buffer */

232

299

gpgme_data_release(dh_plain);

233

return new_packet_length;

300

return plaintext_length;

234

301

}

235

302

236

303

static const char * safer_gnutls_strerror (int value) {

240

307

return ret;

241

308

}

242

309

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

245

fprintf(stderr, "%s", string);

310

/* GnuTLS log function callback */

311

static void debuggnutls(__attribute__((unused)) int level,

312

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

246

314

}

247

315

248

int initgnutls(encrypted_session *es){

249

const char *err;

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfile,

318

const char *seckeyfile){

250

319

int ret;

251

320

252

321

if(debug){

253

322

fprintf(stderr, "Initializing GnuTLS\n");

254

323

}

255

324

256

if ((ret = gnutls_global_init ())

257

!= GNUTLS_E_SUCCESS) {

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

259

329

return -1;

260

330

}

261

331

262

332

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

263

336

gnutls_global_set_log_level(11);

264

337

gnutls_global_set_log_function(debuggnutls);

265

338

}

266

339

267

/* openpgp credentials */

268

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

269

!= GNUTLS_E_SUCCESS) {

270

fprintf (stderr, "memory error: %s\n",

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n",

271

344

safer_gnutls_strerror(ret));

345

gnutls_global_deinit ();

272

346

return -1;

273

347

}

274

348

275

349

if(debug){

276

350

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

351

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

352

seckeyfile);

279

353

}

280

354

281

355

ret = gnutls_certificate_set_openpgp_key_file

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

356

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

283

357

if (ret != GNUTLS_E_SUCCESS) {

284

fprintf

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

286

" '%s')\n",

287

ret, CERTFILE, KEYFILE);

288

fprintf(stdout, "The Error is: %s\n",

358

fprintf(stderr,

359

"Error[%d] while reading the OpenPGP key pair ('%s',"

360

" '%s')\n", ret, pubkeyfile, seckeyfile);

361

fprintf(stdout, "The GnuTLS error is: %s\n",

289

362

safer_gnutls_strerror(ret));

290

return -1;

291

}

292

293

//GnuTLS server initialization

294

if ((ret = gnutls_dh_params_init (&es->dh_params))

295

!= GNUTLS_E_SUCCESS) {

296

fprintf (stderr, "Error in dh parameter initialization: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

302

!= GNUTLS_E_SUCCESS) {

303

fprintf (stderr, "Error in prime generation: %s\n",

304

safer_gnutls_strerror(ret));

305

return -1;

306

}

307

308

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

309

310

// GnuTLS session creation

311

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

312

!= GNUTLS_E_SUCCESS){

363

goto globalfail;

364

}

365

366

/* GnuTLS server initialization */

367

ret = gnutls_dh_params_init(&mc->dh_params);

368

if (ret != GNUTLS_E_SUCCESS) {

369

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

370

" %s\n", safer_gnutls_strerror(ret));

371

goto globalfail;

372

}

373

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

376

safer_gnutls_strerror(ret));

377

goto globalfail;

378

}

379

380

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

381

382

return 0;

383

384

globalfail:

385

386

gnutls_certificate_free_credentials(mc->cred);

387

gnutls_global_deinit();

388

return -1;

389

390

}

391

392

static int init_gnutls_session(mandos_context *mc,

393

gnutls_session_t *session){

394

int ret;

395

/* GnuTLS session creation */

396

ret = gnutls_init(session, GNUTLS_SERVER);

397

if (ret != GNUTLS_E_SUCCESS){

313

398

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

314

399

safer_gnutls_strerror(ret));

315

400

}

316

401

317

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf(stderr, "Syntax error at: %s\n", err);

320

fprintf(stderr, "GnuTLS error: %s\n",

321

safer_gnutls_strerror(ret));

322

return -1;

402

{

403

const char *err;

404

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

405

if (ret != GNUTLS_E_SUCCESS) {

406

fprintf(stderr, "Syntax error at: %s\n", err);

407

fprintf(stderr, "GnuTLS error: %s\n",

408

safer_gnutls_strerror(ret));

409

gnutls_deinit (*session);

410

return -1;

411

}

323

412

}

324

413

325

if ((ret = gnutls_credentials_set

326

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Error setting a credentials set: %s\n",

414

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

415

mc->cred);

416

if (ret != GNUTLS_E_SUCCESS) {

417

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

329

418

safer_gnutls_strerror(ret));

419

gnutls_deinit (*session);

330

420

return -1;

331

421

}

332

422

333

423

/* ignore client certificate if any. */

334

gnutls_certificate_server_set_request (es->session,

424

gnutls_certificate_server_set_request (*session,

335

425

GNUTLS_CERT_IGNORE);

336

426

337

gnutls_dh_set_prime_bits (es->session, DH_BITS);

427

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

338

428

339

429

return 0;

340

430

}

341

431

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

432

/* Avahi log function callback */

433

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

434

__attribute__((unused)) const char *txt){}

344

435

345

int start_mandos_communication(const char *ip, uint16_t port,

346

AvahiIfIndex if_index){

436

/* Called when a Mandos server is found */

437

static int start_mandos_communication(const char *ip, uint16_t port,

438

AvahiIfIndex if_index,

439

mandos_context *mc){

347

440

int ret, tcp_sd;

348

struct sockaddr_in6 to;

349

encrypted_session es;

441

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

350

442

char *buffer = NULL;

351

443

char *decrypted_buffer;

352

444

size_t buffer_length = 0;

353

445

size_t buffer_capacity = 0;

354

446

ssize_t decrypted_buffer_size;

355

size_t written = 0;

447

size_t written;

356

448

int retval = 0;

357

449

char interface[IF_NAMESIZE];

450

gnutls_session_t session;

451

452

ret = init_gnutls_session (mc, &session);

453

if (ret != 0){

454

return -1;

455

}

358

456

359

457

if(debug){

360

458

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

366

464

perror("socket");

367

465

return -1;

368

466

}

369

370

if(if_indextoname((unsigned int)if_index, interface) == NULL){

371

if(debug){

467

468

if(debug){

469

if(if_indextoname((unsigned int)if_index, interface) == NULL){

372

470

perror("if_indextoname");

471

return -1;

373

472

}

374

return -1;

375

}

376

377

if(debug){

378

473

fprintf(stderr, "Binding to interface %s\n", interface);

379

474

}

380

475

381

476

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

477

to.in6.sin6_family = AF_INET6;

478

/* It would be nice to have a way to detect if we were passed an

479

IPv4 address here. Now we assume an IPv6 address. */

480

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

384

481

if (ret < 0 ){

385

482

perror("inet_pton");

386

483

return -1;

387

}

484

}

388

485

if(ret == 0){

389

486

fprintf(stderr, "Bad address: %s\n", ip);

390

487

return -1;

391

488

}

392

to.sin6_port = htons(port); /* Spurious warning */

489

to.in6.sin6_port = htons(port); /* Spurious warning */

393

490

394

to.sin6_scope_id = (uint32_t)if_index;

491

to.in6.sin6_scope_id = (uint32_t)if_index;

395

492

396

493

if(debug){

397

494

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

398

/* char addrstr[INET6_ADDRSTRLEN]; */

399

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

400

/* sizeof(addrstr)) == NULL){ */

401

/* perror("inet_ntop"); */

402

/* } else { */

403

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

404

/* addrstr, ntohs(to.sin6_port)); */

405

/* } */

495

char addrstr[INET6_ADDRSTRLEN] = "";

496

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

497

sizeof(addrstr)) == NULL){

498

perror("inet_ntop");

499

} else {

500

if(strcmp(addrstr, ip) != 0){

501

fprintf(stderr, "Canonical address form: %s\n", addrstr);

502

}

503

}

406

504

}

407

505

408

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

506

ret = connect(tcp_sd, &to.in, sizeof(to));

409

507

if (ret < 0){

410

508

perror("connect");

411

509

return -1;

412

510

}

413

414

ret = initgnutls (&es);

415

if (ret != 0){

416

retval = -1;

417

return -1;

511

512

const char *out = mandos_protocol_version;

513

written = 0;

514

while (true){

515

size_t out_size = strlen(out);

516

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

517

out_size - written));

518

if (ret == -1){

519

perror("write");

520

retval = -1;

521

goto mandos_end;

522

}

523

written += (size_t)ret;

524

if(written < out_size){

525

continue;

526

} else {

527

if (out == mandos_protocol_version){

528

written = 0;

529

out = "\r\n";

530

} else {

531

break;

532

}

533

}

418

534

}

419

420

gnutls_transport_set_ptr (es.session,

421

(gnutls_transport_ptr_t) tcp_sd);

422

535

423

536

if(debug){

424

537

fprintf(stderr, "Establishing TLS session with %s\n", ip);

425

538

}

426

539

427

ret = gnutls_handshake (es.session);

540

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

541

542

do{

543

ret = gnutls_handshake (session);

544

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

428

545

429

546

if (ret != GNUTLS_E_SUCCESS){

430

547

if(debug){

431

fprintf(stderr, "\n*** Handshake failed ***\n");

548

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

432

549

gnutls_perror (ret);

433

550

}

434

551

retval = -1;

435

goto exit;

552

goto mandos_end;

436

553

}

437

554

438

//Retrieve OpenPGP packet that contains the wanted password

555

/* Read OpenPGP packet that contains the wanted password */

439

556

440

557

if(debug){

441

558

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

443

560

}

444

561

445

562

while(true){

446

if (buffer_length + BUFFER_SIZE > buffer_capacity){

447

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

448

if (buffer == NULL){

449

perror("realloc");

450

goto exit;

451

}

452

buffer_capacity += BUFFER_SIZE;

563

buffer_capacity = adjustbuffer(&buffer, buffer_length,

564

buffer_capacity);

565

if (buffer_capacity == 0){

566

perror("adjustbuffer");

567

retval = -1;

568

goto mandos_end;

453

569

}

454

570

455

ret = gnutls_record_recv

456

(es.session, buffer+buffer_length, BUFFER_SIZE);

571

ret = gnutls_record_recv(session, buffer+buffer_length,

572

BUFFER_SIZE);

457

573

if (ret == 0){

458

574

break;

459

575

}

463

579

case GNUTLS_E_AGAIN:

464

580

break;

465

581

case GNUTLS_E_REHANDSHAKE:

466

ret = gnutls_handshake (es.session);

582

do{

583

ret = gnutls_handshake (session);

584

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

467

585

if (ret < 0){

468

fprintf(stderr, "\n*** Handshake failed ***\n");

586

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

469

587

gnutls_perror (ret);

470

588

retval = -1;

471

goto exit;

589

goto mandos_end;

472

590

}

473

591

break;

474

592

default:

475

593

fprintf(stderr, "Unknown error while reading data from"

476

" encrypted session with mandos server\n");

594

" encrypted session with Mandos server\n");

477

595

retval = -1;

478

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

479

goto exit;

596

gnutls_bye (session, GNUTLS_SHUT_RDWR);

597

goto mandos_end;

480

598

}

481

599

} else {

482

600

buffer_length += (size_t) ret;

483

601

}

484

602

}

485

603

604

if(debug){

605

fprintf(stderr, "Closing TLS session\n");

606

}

607

608

gnutls_bye (session, GNUTLS_SHUT_RDWR);

609

486

610

if (buffer_length > 0){

487

611

decrypted_buffer_size = pgp_packet_decrypt(buffer,

488

612

buffer_length,

489

613

&decrypted_buffer,

490

CERT_ROOT);

614

keydir);

491

615

if (decrypted_buffer_size >= 0){

616

written = 0;

492

617

while(written < (size_t) decrypted_buffer_size){

493

618

ret = (int)fwrite (decrypted_buffer + written, 1,

494

619

(size_t)decrypted_buffer_size - written,

508

633

retval = -1;

509

634

}

510

635

}

511

512

//shutdown procedure

513

514

if(debug){

515

fprintf(stderr, "Closing TLS session\n");

516

}

517

636

637

/* Shutdown procedure */

638

639

mandos_end:

518

640

free(buffer);

519

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

520

exit:

521

641

close(tcp_sd);

522

gnutls_deinit (es.session);

523

gnutls_certificate_free_credentials (es.cred);

524

gnutls_global_deinit ();

642

gnutls_deinit (session);

525

643

return retval;

526

644

}

527

645

528

static AvahiSimplePoll *simple_poll = NULL;

529

static AvahiServer *server = NULL;

530

531

static void resolve_callback(

532

AvahiSServiceResolver *r,

533

AvahiIfIndex interface,

534

AVAHI_GCC_UNUSED AvahiProtocol protocol,

535

AvahiResolverEvent event,

536

const char *name,

537

const char *type,

538

const char *domain,

539

const char *host_name,

540

const AvahiAddress *address,

541

uint16_t port,

542

AVAHI_GCC_UNUSED AvahiStringList *txt,

543

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

544

AVAHI_GCC_UNUSED void* userdata) {

545

646

static void resolve_callback(AvahiSServiceResolver *r,

647

AvahiIfIndex interface,

648

AVAHI_GCC_UNUSED AvahiProtocol protocol,

649

AvahiResolverEvent event,

650

const char *name,

651

const char *type,

652

const char *domain,

653

const char *host_name,

654

const AvahiAddress *address,

655

uint16_t port,

656

AVAHI_GCC_UNUSED AvahiStringList *txt,

657

AVAHI_GCC_UNUSED AvahiLookupResultFlags

658

flags,

659

void* userdata) {

660

mandos_context *mc = userdata;

546

661

assert(r); /* Spurious warning */

547

662

548

663

/* Called whenever a service has been resolved successfully or

551

666

switch (event) {

552

667

default:

553

668

case AVAHI_RESOLVER_FAILURE:

554

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

555

" type '%s' in domain '%s': %s\n", name, type, domain,

556

avahi_strerror(avahi_server_errno(server)));

669

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

670

" of type '%s' in domain '%s': %s\n", name, type, domain,

671

avahi_strerror(avahi_server_errno(mc->server)));

557

672

break;

558

673

559

674

case AVAHI_RESOLVER_FOUND:

561

676

char ip[AVAHI_ADDRESS_STR_MAX];

562

677

avahi_address_snprint(ip, sizeof(ip), address);

563

678

if(debug){

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

565

" port %d\n", name, host_name, ip, port);

679

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

680

" port %d\n", name, host_name, ip, interface, port);

566

681

}

567

int ret = start_mandos_communication(ip, port, interface);

682

int ret = start_mandos_communication(ip, port, interface, mc);

568

683

if (ret == 0){

569

684

exit(EXIT_SUCCESS);

570

685

}

573

688

avahi_s_service_resolver_free(r);

574

689

}

575

690

576

static void browse_callback(

577

AvahiSServiceBrowser *b,

578

AvahiIfIndex interface,

579

AvahiProtocol protocol,

580

AvahiBrowserEvent event,

581

const char *name,

582

const char *type,

583

const char *domain,

584

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

585

void* userdata) {

586

587

AvahiServer *s = userdata;

588

assert(b); /* Spurious warning */

589

590

/* Called whenever a new services becomes available on the LAN or

591

is removed from the LAN */

592

593

switch (event) {

594

default:

595

case AVAHI_BROWSER_FAILURE:

596

597

fprintf(stderr, "(Browser) %s\n",

598

avahi_strerror(avahi_server_errno(server)));

599

avahi_simple_poll_quit(simple_poll);

600

return;

601

602

case AVAHI_BROWSER_NEW:

603

/* We ignore the returned resolver object. In the callback

604

function we free it. If the server is terminated before

605

the callback function is called the server will free

606

the resolver for us. */

607

608

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

609

type, domain,

610

AVAHI_PROTO_INET6, 0,

611

resolve_callback, s)))

612

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

613

avahi_strerror(avahi_server_errno(s)));

614

break;

615

616

case AVAHI_BROWSER_REMOVE:

617

break;

618

619

case AVAHI_BROWSER_ALL_FOR_NOW:

620

case AVAHI_BROWSER_CACHE_EXHAUSTED:

621

break;

691

static void browse_callback( AvahiSServiceBrowser *b,

692

AvahiIfIndex interface,

693

AvahiProtocol protocol,

694

AvahiBrowserEvent event,

695

const char *name,

696

const char *type,

697

const char *domain,

698

AVAHI_GCC_UNUSED AvahiLookupResultFlags

699

flags,

700

void* userdata) {

701

mandos_context *mc = userdata;

702

assert(b); /* Spurious warning */

703

704

/* Called whenever a new services becomes available on the LAN or

705

is removed from the LAN */

706

707

switch (event) {

708

default:

709

case AVAHI_BROWSER_FAILURE:

710

711

fprintf(stderr, "(Avahi browser) %s\n",

712

avahi_strerror(avahi_server_errno(mc->server)));

713

avahi_simple_poll_quit(mc->simple_poll);

714

return;

715

716

case AVAHI_BROWSER_NEW:

717

/* We ignore the returned Avahi resolver object. In the callback

718

function we free it. If the Avahi server is terminated before

719

the callback function is called the Avahi server will free the

720

resolver for us. */

721

722

if (!(avahi_s_service_resolver_new(mc->server, interface,

723

protocol, name, type, domain,

724

AVAHI_PROTO_INET6, 0,

725

resolve_callback, mc)))

726

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

727

name, avahi_strerror(avahi_server_errno(mc->server)));

728

break;

729

730

case AVAHI_BROWSER_REMOVE:

731

break;

732

733

case AVAHI_BROWSER_ALL_FOR_NOW:

734

case AVAHI_BROWSER_CACHE_EXHAUSTED:

735

if(debug){

736

fprintf(stderr, "No Mandos server found, still searching...\n");

622

737

}

623

}

624

625

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

626

AvahiServerConfig config;

738

break;

739

}

740

}

741

742

/* Combines file name and path and returns the malloced new

743

string. some sane checks could/should be added */

744

static const char *combinepath(const char *first, const char *second){

745

size_t f_len = strlen(first);

746

size_t s_len = strlen(second);

747

char *tmp = malloc(f_len + s_len + 2);

748

if (tmp == NULL){

749

return NULL;

750

}

751

if(f_len > 0){

752

memcpy(tmp, first, f_len); /* Spurious warning */

753

}

754

tmp[f_len] = '/';

755

if(s_len > 0){

756

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

757

}

758

tmp[f_len + 1 + s_len] = '\0';

759

return tmp;

760

}

761

762

763

int main(int argc, char *argv[]){

627

764

AvahiSServiceBrowser *sb = NULL;

628

765

int error;

629

766

int ret;

630

int returncode = EXIT_SUCCESS;

631

const char *interface = NULL;

767

int exitcode = EXIT_SUCCESS;

768

const char *interface = "eth0";

769

struct ifreq network;

770

int sd;

771

uid_t uid;

772

gid_t gid;

773

char *connect_to = NULL;

632

774

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

633

char *connect_to = NULL;

634

635

while (true){

636

static struct option long_options[] = {

637

{"debug", no_argument, (int *)&debug, 1},

638

{"connect", required_argument, 0, 'c'},

639

{"interface", required_argument, 0, 'i'},

640

{0, 0, 0, 0} };

641

642

int option_index = 0;

643

ret = getopt_long (argc, argv, "i:", long_options,

644

&option_index);

645

646

if (ret == -1){

647

break;

648

}

649

650

switch(ret){

651

case 0:

652

break;

653

case 'i':

654

interface = optarg;

655

break;

656

case 'c':

657

connect_to = optarg;

658

break;

659

default:

660

exit(EXIT_FAILURE);

661

}

662

}

663

664

if(interface != NULL){

665

if_index = (AvahiIfIndex) if_nametoindex(interface);

666

if(if_index == 0){

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

668

exit(EXIT_FAILURE);

669

}

775

const char *pubkeyfile = "pubkey.txt";

776

const char *seckeyfile = "seckey.txt";

777

mandos_context mc = { .simple_poll = NULL, .server = NULL,

778

.dh_bits = 1024, .priority = "SECURE256"};

779

bool gnutls_initalized = false;

780

781

{

782

struct argp_option options[] = {

783

{ .name = "debug", .key = 128,

784

.doc = "Debug mode", .group = 3 },

785

{ .name = "connect", .key = 'c',

786

.arg = "IP",

787

.doc = "Connect directly to a sepcified mandos server",

788

.group = 1 },

789

{ .name = "interface", .key = 'i',

790

.arg = "INTERFACE",

791

.doc = "Interface that Avahi will conntect through",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "KEYDIR",

795

.doc = "Directory where the openpgp keyring is",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "SECKEY",

799

.doc = "Secret openpgp key for gnutls authentication",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "PUBKEY",

803

.doc = "Public openpgp key for gnutls authentication",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "dh-bits to use in gnutls communication",

808

.group = 2 },

809

{ .name = "priority", .key = 130,

810

.arg = "PRIORITY",

811

.doc = "GNUTLS priority", .group = 1 },

812

{ .name = NULL }

813

};

814

815

816

error_t parse_opt (int key, char *arg,

817

struct argp_state *state) {

818

/* Get the INPUT argument from `argp_parse', which we know is

819

a pointer to our plugin list pointer. */

820

switch (key) {

821

case 128:

822

debug = true;

823

break;

824

case 'c':

825

connect_to = arg;

826

break;

827

case 'i':

828

interface = arg;

829

break;

830

case 'd':

831

keydir = arg;

832

break;

833

case 's':

834

seckeyfile = arg;

835

break;

836

case 'p':

837

pubkeyfile = arg;

838

break;

839

case 129:

840

errno = 0;

841

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

842

if (errno){

843

perror("strtol");

844

exit(EXIT_FAILURE);

845

}

846

break;

847

case 130:

848

mc.priority = arg;

849

break;

850

case ARGP_KEY_ARG:

851

argp_usage (state);

852

break;

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

857

}

858

return 0;

859

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unkown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

}

872

873

pubkeyfile = combinepath(keydir, pubkeyfile);

874

if (pubkeyfile == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfile = combinepath(keydir, seckeyfile);

881

if (seckeyfile == NULL){

882

perror("combinepath");

883

goto end;

884

}

885

886

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

887

if (ret == -1){

888

fprintf(stderr, "init_gnutls_global\n");

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

uid = getuid();

895

gid = getgid();

896

897

ret = setuid(uid);

898

if (ret == -1){

899

perror("setuid");

900

}

901

902

setgid(gid);

903

if (ret == -1){

904

perror("setgid");

905

}

906

907

if_index = (AvahiIfIndex) if_nametoindex(interface);

908

if(if_index == 0){

909

fprintf(stderr, "No such interface: \"%s\"\n", interface);

910

exit(EXIT_FAILURE);

670

911

}

671

912

672

913

if(connect_to != NULL){

675

916

char *address = strrchr(connect_to, ':');

676

917

if(address == NULL){

677

918

fprintf(stderr, "No colon in address\n");

678

exit(EXIT_FAILURE);

919

exitcode = EXIT_FAILURE;

920

goto end;

679

921

}

680

922

errno = 0;

681

923

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

682

924

if(errno){

683

925

perror("Bad port number");

684

exit(EXIT_FAILURE);

926

exitcode = EXIT_FAILURE;

927

goto end;

685

928

}

686

929

*address = '\0';

687

930

address = connect_to;

688

ret = start_mandos_communication(address, port, if_index);

931

ret = start_mandos_communication(address, port, if_index, &mc);

689

932

if(ret < 0){

690

exit(EXIT_FAILURE);

933

exitcode = EXIT_FAILURE;

691

934

} else {

692

exit(EXIT_SUCCESS);

693

}

935

exitcode = EXIT_SUCCESS;

936

}

937

goto end;

938

}

939

940

/* If the interface is down, bring it up */

941

{

942

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

943

if(sd < 0) {

944

perror("socket");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

strcpy(network.ifr_name, interface); /* Spurious warning */

949

ret = ioctl(sd, SIOCGIFFLAGS, &network);

950

if(ret == -1){

951

perror("ioctl SIOCGIFFLAGS");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

if((network.ifr_flags & IFF_UP) == 0){

956

network.ifr_flags |= IFF_UP;

957

ret = ioctl(sd, SIOCSIFFLAGS, &network);

958

if(ret == -1){

959

perror("ioctl SIOCSIFFLAGS");

960

exitcode = EXIT_FAILURE;

961

goto end;

962

}

963

}

964

close(sd);

694

965

}

695

966

696

967

if (not debug){

697

968

avahi_set_log_function(empty_log);

698

969

}

699

970

700

/* Initialize the psuedo-RNG */

971

/* Initialize the pseudo-RNG for Avahi */

701

972

srand((unsigned int) time(NULL));

702

703

/* Allocate main loop object */

704

if (!(simple_poll = avahi_simple_poll_new())) {

705

fprintf(stderr, "Failed to create simple poll object.\n");

706

707

goto exit;

708

}

709

710

/* Do not publish any local records */

711

avahi_server_config_init(&config);

712

config.publish_hinfo = 0;

713

config.publish_addresses = 0;

714

config.publish_workstation = 0;

715

config.publish_domain = 0;

716

717

/* Allocate a new server */

718

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

719

&config, NULL, NULL, &error);

720

721

/* Free the configuration data */

722

avahi_server_config_free(&config);

723

724

/* Check if creating the server object succeeded */

725

if (!server) {

726

fprintf(stderr, "Failed to create server: %s\n",

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

727

1004

avahi_strerror(error));

728

returncode = EXIT_FAILURE;

729

goto exit;

1005

exitcode = EXIT_FAILURE;

1006

goto end;

730

1007

}

731

1008

732

/* Create the service browser */

733

sb = avahi_s_service_browser_new(server, if_index,

1009

/* Create the Avahi service browser */

1010

sb = avahi_s_service_browser_new(mc.server, if_index,

734

1011

AVAHI_PROTO_INET6,

735

1012

"_mandos._tcp", NULL, 0,

736

browse_callback, server);

737

if (!sb) {

1013

browse_callback, &mc);

1014

if (sb == NULL) {

738

1015

fprintf(stderr, "Failed to create service browser: %s\n",

739

avahi_strerror(avahi_server_errno(server)));

740

returncode = EXIT_FAILURE;

741

goto exit;

1016

avahi_strerror(avahi_server_errno(mc.server)));

1017

exitcode = EXIT_FAILURE;

1018

goto end;

742

1019

}

743

1020

744

1021

/* Run the main loop */

745

1022

746

1023

if (debug){

747

fprintf(stderr, "Starting avahi loop search\n");

1024

fprintf(stderr, "Starting Avahi loop search\n");

748

1025

}

749

1026

750

avahi_simple_poll_loop(simple_poll);

1027

avahi_simple_poll_loop(mc.simple_poll);

751

1028

752

exit:

1029

end:

753

1030

754

1031

if (debug){

755

1032

fprintf(stderr, "%s exiting\n", argv[0]);

756

1033

}

757

1034

758

1035

/* Cleanup things */

759

if (sb)

1036

if (sb != NULL)

760

1037

avahi_s_service_browser_free(sb);

761

1038

762

if (server)

763

avahi_server_free(server);

764

765

if (simple_poll)

766

avahi_simple_poll_free(simple_poll);

767

768

return returncode;

1039

if (mc.server != NULL)

1040

avahi_server_free(mc.server);

1041

1042

if (mc.simple_poll != NULL)

1043

avahi_simple_poll_free(mc.simple_poll);

1044

free(pubkeyfile);

1045

free(seckeyfile);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

1051

1052

return exitcode;

769

1053

}

Older »