To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 110
- compare with another revision
- download diff
- download tarball
- view history from revision 110
- Committer: Teddy Hogeborn
- Date: 2008-08-29 05:53:59 UTC
- Revision ID: teddy@fukt.bsnet.se-20080829055359-wkdasnyxtylmnxus
* mandos.xml (EXAMPLE): Replaced all occurences of command name with
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
plugins.d/password-request.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
36
38
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf */
38
stdout, ferror() */
40
39
#include <stdint.h> /* uint16_t, uint32_t */
41
40
#include <stddef.h> /* NULL, size_t, ssize_t */
42
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
48
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
48
sockaddr_in6, PF_INET6,
50
49
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(),
52
DIR */
53
#include <sys/stat.h> /* open() */
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
54
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
53
struct in6_addr, inet_pton(),
56
54
connect() */
57
#include <fcntl.h> /* open() */
58
#include <dirent.h> /* opendir(), struct dirent, readdir()
59
*/
60
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
61
55
#include <assert.h> /* assert() */
62
56
#include <errno.h> /* perror(), errno */
63
57
#include <time.h> /* time() */
64
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
65
59
SIOCSIFFLAGS, if_indextoname(),
66
60
if_nametoindex(), IF_NAMESIZE */
67
#include <netinet/in.h>
68
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
69
62
getuid(), getgid(), setuid(),
70
63
setgid() */
64
#include <netinet/in.h>
71
65
#include <arpa/inet.h> /* inet_pton(), htons */
72
#include <iso646.h> /* not, and, or */
66
#include <iso646.h> /* not, and */
73
67
#include <argp.h> /* struct argp_option, error_t, struct
74
68
argp_state, struct argp,
75
69
argp_parse(), ARGP_KEY_ARG,
92
86
gnutls_*
93
87
init_gnutls_session(),
94
88
GNUTLS_* */
95
#include <gnutls/openpgp.h>
96
/* gnutls_certificate_set_openpgp_key_file(),
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
97
90
GNUTLS_OPENPGP_FMT_BASE64 */
98
91
99
92
/* GPGME */
105
98
106
99
#define BUFFER_SIZE 256
107
100
108
#define PATHDIR "/conf/conf.d/mandos"
109
#define SECKEY "seckey.txt"
110
#define PUBKEY "pubkey.txt"
111
112
101
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
113
103
static const char mandos_protocol_version[] = "1";
114
const char *argp_program_version = "mandos-client " VERSION;
104
const char *argp_program_version = "password-request 1.0";
115
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
116
106
117
107
/* Used for passing in values through the Avahi callback functions */
122
112
unsigned int dh_bits;
123
113
gnutls_dh_params_t dh_params;
124
114
const char *priority;
125
gpgme_ctx_t ctx;
126
115
} mandos_context;
127
116
128
117
/*
132
121
*/
133
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
134
123
size_t buffer_capacity){
135
if(buffer_length + BUFFER_SIZE > buffer_capacity){
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
136
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
137
if(buffer == NULL){
126
if (buffer == NULL){
138
127
return 0;
139
128
}
140
129
buffer_capacity += BUFFER_SIZE;
143
132
}
144
133
145
134
/*
146
* Initialize GPGME.
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
147
137
*/
148
static bool init_gpgme(mandos_context *mc, const char *seckey,
149
const char *pubkey, const char *tempdir){
150
int ret;
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
141
const char *homedir){
142
gpgme_data_t dh_crypto, dh_plain;
143
gpgme_ctx_t ctx;
151
144
gpgme_error_t rc;
145
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
152
148
gpgme_engine_info_t engine_info;
153
149
154
155
/*
156
* Helper function to insert pub and seckey to the enigne keyring.
157
*/
158
bool import_key(const char *filename){
159
int fd;
160
gpgme_data_t pgp_data;
161
162
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
163
if(fd == -1){
164
perror("open");
165
return false;
166
}
167
168
rc = gpgme_data_new_from_fd(&pgp_data, fd);
169
if(rc != GPG_ERR_NO_ERROR){
170
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
171
gpgme_strsource(rc), gpgme_strerror(rc));
172
return false;
173
}
174
175
rc = gpgme_op_import(mc->ctx, pgp_data);
176
if(rc != GPG_ERR_NO_ERROR){
177
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
178
gpgme_strsource(rc), gpgme_strerror(rc));
179
return false;
180
}
181
182
ret = (int)TEMP_FAILURE_RETRY(close(fd));
183
if(ret == -1){
184
perror("close");
185
}
186
gpgme_data_release(pgp_data);
187
return true;
188
}
189
190
if(debug){
191
fprintf(stderr, "Initialize gpgme\n");
150
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
192
152
}
193
153
194
154
/* Init GPGME */
195
155
gpgme_check_version(NULL);
196
156
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
197
if(rc != GPG_ERR_NO_ERROR){
157
if (rc != GPG_ERR_NO_ERROR){
198
158
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
199
159
gpgme_strsource(rc), gpgme_strerror(rc));
200
return false;
160
return -1;
201
161
}
202
162
203
/* Set GPGME home directory for the OpenPGP engine only */
204
rc = gpgme_get_engine_info(&engine_info);
205
if(rc != GPG_ERR_NO_ERROR){
163
/* Set GPGME home directory for the OpenPGP engine only */
164
rc = gpgme_get_engine_info (&engine_info);
165
if (rc != GPG_ERR_NO_ERROR){
206
166
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
207
167
gpgme_strsource(rc), gpgme_strerror(rc));
208
return false;
168
return -1;
209
169
}
210
170
while(engine_info != NULL){
211
171
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
212
172
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
213
engine_info->file_name, tempdir);
173
engine_info->file_name, homedir);
214
174
break;
215
175
}
216
176
engine_info = engine_info->next;
217
177
}
218
178
if(engine_info == NULL){
219
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
220
return false;
221
}
222
223
/* Create new GPGME "context" */
224
rc = gpgme_new(&(mc->ctx));
225
if(rc != GPG_ERR_NO_ERROR){
226
fprintf(stderr, "bad gpgme_new: %s: %s\n",
227
gpgme_strsource(rc), gpgme_strerror(rc));
228
return false;
229
}
230
231
if(not import_key(pubkey) or not import_key(seckey)){
232
return false;
233
}
234
235
return true;
236
}
237
238
/*
239
* Decrypt OpenPGP data.
240
* Returns -1 on error
241
*/
242
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
243
const char *cryptotext,
244
size_t crypto_size,
245
char **plaintext){
246
gpgme_data_t dh_crypto, dh_plain;
247
gpgme_error_t rc;
248
ssize_t ret;
249
size_t plaintext_capacity = 0;
250
ssize_t plaintext_length = 0;
251
252
if(debug){
253
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
180
return -1;
254
181
}
255
182
256
183
/* Create new GPGME data buffer from memory cryptotext */
257
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
258
185
0);
259
if(rc != GPG_ERR_NO_ERROR){
186
if (rc != GPG_ERR_NO_ERROR){
260
187
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
261
188
gpgme_strsource(rc), gpgme_strerror(rc));
262
189
return -1;
264
191
265
192
/* Create new empty GPGME data buffer for the plaintext */
266
193
rc = gpgme_data_new(&dh_plain);
267
if(rc != GPG_ERR_NO_ERROR){
194
if (rc != GPG_ERR_NO_ERROR){
268
195
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
269
196
gpgme_strsource(rc), gpgme_strerror(rc));
270
197
gpgme_data_release(dh_crypto);
271
198
return -1;
272
199
}
273
200
201
/* Create new GPGME "context" */
202
rc = gpgme_new(&ctx);
203
if (rc != GPG_ERR_NO_ERROR){
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
208
}
209
274
210
/* Decrypt data from the cryptotext data buffer to the plaintext
275
211
data buffer */
276
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
277
if(rc != GPG_ERR_NO_ERROR){
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
213
if (rc != GPG_ERR_NO_ERROR){
278
214
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
279
215
gpgme_strsource(rc), gpgme_strerror(rc));
280
216
plaintext_length = -1;
281
if(debug){
217
if (debug){
282
218
gpgme_decrypt_result_t result;
283
result = gpgme_op_decrypt_result(mc->ctx);
284
if(result == NULL){
219
result = gpgme_op_decrypt_result(ctx);
220
if (result == NULL){
285
221
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
286
222
} else {
287
223
fprintf(stderr, "Unsupported algorithm: %s\n",
314
250
}
315
251
316
252
/* Seek back to the beginning of the GPGME plaintext data buffer */
317
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
318
perror("gpgme_data_seek");
253
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
perror("pgpme_data_seek");
319
255
plaintext_length = -1;
320
256
goto decrypt_end;
321
257
}
325
261
plaintext_capacity = adjustbuffer(plaintext,
326
262
(size_t)plaintext_length,
327
263
plaintext_capacity);
328
if(plaintext_capacity == 0){
264
if (plaintext_capacity == 0){
329
265
perror("adjustbuffer");
330
266
plaintext_length = -1;
331
267
goto decrypt_end;
334
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
335
271
BUFFER_SIZE);
336
272
/* Print the data, if any */
337
if(ret == 0){
273
if (ret == 0){
338
274
/* EOF */
339
275
break;
340
276
}
345
281
}
346
282
plaintext_length += ret;
347
283
}
348
284
349
285
if(debug){
350
286
fprintf(stderr, "Decrypted password is: ");
351
287
for(ssize_t i = 0; i < plaintext_length; i++){
364
300
return plaintext_length;
365
301
}
366
302
367
static const char * safer_gnutls_strerror(int value) {
368
const char *ret = gnutls_strerror(value); /* Spurious warning from
369
-Wunreachable-code */
370
if(ret == NULL)
303
static const char * safer_gnutls_strerror (int value) {
304
const char *ret = gnutls_strerror (value); /* Spurious warning */
305
if (ret == NULL)
371
306
ret = "(unknown)";
372
307
return ret;
373
308
}
388
323
}
389
324
390
325
ret = gnutls_global_init();
391
if(ret != GNUTLS_E_SUCCESS) {
392
fprintf(stderr, "GnuTLS global_init: %s\n",
393
safer_gnutls_strerror(ret));
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
394
329
return -1;
395
330
}
396
331
397
if(debug){
332
if (debug){
398
333
/* "Use a log level over 10 to enable all debugging options."
399
334
* - GnuTLS manual
400
335
*/
404
339
405
340
/* OpenPGP credentials */
406
341
gnutls_certificate_allocate_credentials(&mc->cred);
407
if(ret != GNUTLS_E_SUCCESS){
408
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
409
* from
410
* -Wunreachable-code
411
*/
412
safer_gnutls_strerror(ret));
413
gnutls_global_deinit();
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
344
warning */
345
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
414
347
return -1;
415
348
}
416
349
417
350
if(debug){
418
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
419
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
420
353
seckeyfilename);
421
354
}
422
355
423
356
ret = gnutls_certificate_set_openpgp_key_file
424
357
(mc->cred, pubkeyfilename, seckeyfilename,
425
358
GNUTLS_OPENPGP_FMT_BASE64);
426
if(ret != GNUTLS_E_SUCCESS) {
359
if (ret != GNUTLS_E_SUCCESS) {
427
360
fprintf(stderr,
428
361
"Error[%d] while reading the OpenPGP key pair ('%s',"
429
362
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
430
fprintf(stderr, "The GnuTLS error is: %s\n",
363
fprintf(stdout, "The GnuTLS error is: %s\n",
431
364
safer_gnutls_strerror(ret));
432
365
goto globalfail;
433
366
}
434
367
435
368
/* GnuTLS server initialization */
436
369
ret = gnutls_dh_params_init(&mc->dh_params);
437
if(ret != GNUTLS_E_SUCCESS) {
438
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
439
" %s\n", safer_gnutls_strerror(ret));
370
if (ret != GNUTLS_E_SUCCESS) {
371
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
372
" %s\n", safer_gnutls_strerror(ret));
440
373
goto globalfail;
441
374
}
442
375
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
443
if(ret != GNUTLS_E_SUCCESS) {
444
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
445
safer_gnutls_strerror(ret));
376
if (ret != GNUTLS_E_SUCCESS) {
377
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
378
safer_gnutls_strerror(ret));
446
379
goto globalfail;
447
380
}
448
381
449
382
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
450
383
451
384
return 0;
452
385
453
386
globalfail:
454
387
455
388
gnutls_certificate_free_credentials(mc->cred);
456
389
gnutls_global_deinit();
457
gnutls_dh_params_deinit(mc->dh_params);
458
390
return -1;
391
459
392
}
460
393
461
394
static int init_gnutls_session(mandos_context *mc,
463
396
int ret;
464
397
/* GnuTLS session creation */
465
398
ret = gnutls_init(session, GNUTLS_SERVER);
466
if(ret != GNUTLS_E_SUCCESS){
399
if (ret != GNUTLS_E_SUCCESS){
467
400
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
468
401
safer_gnutls_strerror(ret));
469
402
}
471
404
{
472
405
const char *err;
473
406
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
474
if(ret != GNUTLS_E_SUCCESS) {
407
if (ret != GNUTLS_E_SUCCESS) {
475
408
fprintf(stderr, "Syntax error at: %s\n", err);
476
409
fprintf(stderr, "GnuTLS error: %s\n",
477
410
safer_gnutls_strerror(ret));
478
gnutls_deinit(*session);
411
gnutls_deinit (*session);
479
412
return -1;
480
413
}
481
414
}
482
415
483
416
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
484
417
mc->cred);
485
if(ret != GNUTLS_E_SUCCESS) {
418
if (ret != GNUTLS_E_SUCCESS) {
486
419
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
487
420
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
421
gnutls_deinit (*session);
489
422
return -1;
490
423
}
491
424
492
425
/* ignore client certificate if any. */
493
gnutls_certificate_server_set_request(*session,
494
GNUTLS_CERT_IGNORE);
426
gnutls_certificate_server_set_request (*session,
427
GNUTLS_CERT_IGNORE);
495
428
496
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
429
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
497
430
498
431
return 0;
499
432
}
507
440
AvahiIfIndex if_index,
508
441
mandos_context *mc){
509
442
int ret, tcp_sd;
510
ssize_t sret;
511
443
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
512
444
char *buffer = NULL;
513
445
char *decrypted_buffer;
519
451
char interface[IF_NAMESIZE];
520
452
gnutls_session_t session;
521
453
522
ret = init_gnutls_session(mc, &session);
523
if(ret != 0){
454
ret = init_gnutls_session (mc, &session);
455
if (ret != 0){
524
456
return -1;
525
457
}
526
458
534
466
perror("socket");
535
467
return -1;
536
468
}
537
469
538
470
if(debug){
539
471
if(if_indextoname((unsigned int)if_index, interface) == NULL){
540
472
perror("if_indextoname");
548
480
/* It would be nice to have a way to detect if we were passed an
549
481
IPv4 address here. Now we assume an IPv6 address. */
550
482
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
551
if(ret < 0 ){
483
if (ret < 0 ){
552
484
perror("inet_pton");
553
485
return -1;
554
486
}
556
488
fprintf(stderr, "Bad address: %s\n", ip);
557
489
return -1;
558
490
}
559
to.in6.sin6_port = htons(port); /* Spurious warnings from
560
-Wconversion and
561
-Wunreachable-code */
491
to.in6.sin6_port = htons(port); /* Spurious warning */
562
492
563
493
to.in6.sin6_scope_id = (uint32_t)if_index;
564
494
577
507
}
578
508
579
509
ret = connect(tcp_sd, &to.in, sizeof(to));
580
if(ret < 0){
510
if (ret < 0){
581
511
perror("connect");
582
512
return -1;
583
513
}
584
514
585
515
const char *out = mandos_protocol_version;
586
516
written = 0;
587
while(true){
517
while (true){
588
518
size_t out_size = strlen(out);
589
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
519
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
590
520
out_size - written));
591
if(ret == -1){
521
if (ret == -1){
592
522
perror("write");
593
523
retval = -1;
594
524
goto mandos_end;
597
527
if(written < out_size){
598
528
continue;
599
529
} else {
600
if(out == mandos_protocol_version){
530
if (out == mandos_protocol_version){
601
531
written = 0;
602
532
out = "\r\n";
603
533
} else {
605
535
}
606
536
}
607
537
}
608
538
609
539
if(debug){
610
540
fprintf(stderr, "Establishing TLS session with %s\n", ip);
611
541
}
612
542
613
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
614
543
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
544
615
545
do{
616
ret = gnutls_handshake(session);
546
ret = gnutls_handshake (session);
617
547
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
618
548
619
if(ret != GNUTLS_E_SUCCESS){
549
if (ret != GNUTLS_E_SUCCESS){
620
550
if(debug){
621
551
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
622
gnutls_perror(ret);
552
gnutls_perror (ret);
623
553
}
624
554
retval = -1;
625
555
goto mandos_end;
631
561
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
632
562
ip);
633
563
}
634
564
635
565
while(true){
636
566
buffer_capacity = adjustbuffer(&buffer, buffer_length,
637
567
buffer_capacity);
638
if(buffer_capacity == 0){
568
if (buffer_capacity == 0){
639
569
perror("adjustbuffer");
640
570
retval = -1;
641
571
goto mandos_end;
642
572
}
643
573
644
sret = gnutls_record_recv(session, buffer+buffer_length,
645
BUFFER_SIZE);
646
if(sret == 0){
574
ret = gnutls_record_recv(session, buffer+buffer_length,
575
BUFFER_SIZE);
576
if (ret == 0){
647
577
break;
648
578
}
649
if(sret < 0){
650
switch(sret){
579
if (ret < 0){
580
switch(ret){
651
581
case GNUTLS_E_INTERRUPTED:
652
582
case GNUTLS_E_AGAIN:
653
583
break;
654
584
case GNUTLS_E_REHANDSHAKE:
655
585
do{
656
ret = gnutls_handshake(session);
586
ret = gnutls_handshake (session);
657
587
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
658
if(ret < 0){
588
if (ret < 0){
659
589
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
660
gnutls_perror(ret);
590
gnutls_perror (ret);
661
591
retval = -1;
662
592
goto mandos_end;
663
593
}
666
596
fprintf(stderr, "Unknown error while reading data from"
667
597
" encrypted session with Mandos server\n");
668
598
retval = -1;
669
gnutls_bye(session, GNUTLS_SHUT_RDWR);
599
gnutls_bye (session, GNUTLS_SHUT_RDWR);
670
600
goto mandos_end;
671
601
}
672
602
} else {
673
buffer_length += (size_t) sret;
603
buffer_length += (size_t) ret;
674
604
}
675
605
}
676
606
678
608
fprintf(stderr, "Closing TLS session\n");
679
609
}
680
610
681
gnutls_bye(session, GNUTLS_SHUT_RDWR);
611
gnutls_bye (session, GNUTLS_SHUT_RDWR);
682
612
683
if(buffer_length > 0){
684
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
613
if (buffer_length > 0){
614
decrypted_buffer_size = pgp_packet_decrypt(buffer,
685
615
buffer_length,
686
&decrypted_buffer);
687
if(decrypted_buffer_size >= 0){
616
&decrypted_buffer,
617
keydir);
618
if (decrypted_buffer_size >= 0){
688
619
written = 0;
689
620
while(written < (size_t) decrypted_buffer_size){
690
ret = (int)fwrite(decrypted_buffer + written, 1,
691
(size_t)decrypted_buffer_size - written,
692
stdout);
621
ret = (int)fwrite (decrypted_buffer + written, 1,
622
(size_t)decrypted_buffer_size - written,
623
stdout);
693
624
if(ret == 0 and ferror(stdout)){
694
625
if(debug){
695
626
fprintf(stderr, "Error writing encrypted data: %s\n",
712
643
713
644
mandos_end:
714
645
free(buffer);
715
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
716
if(ret == -1){
717
perror("close");
718
}
719
gnutls_deinit(session);
646
close(tcp_sd);
647
gnutls_deinit (session);
720
648
return retval;
721
649
}
722
650
740
668
/* Called whenever a service has been resolved successfully or
741
669
timed out */
742
670
743
switch(event) {
671
switch (event) {
744
672
default:
745
673
case AVAHI_RESOLVER_FAILURE:
746
674
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
754
682
avahi_address_snprint(ip, sizeof(ip), address);
755
683
if(debug){
756
684
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
757
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
758
ip, (intmax_t)interface, port);
685
PRIu16 ") on port %d\n", name, host_name, ip,
686
interface, port);
759
687
}
760
688
int ret = start_mandos_communication(ip, port, interface, mc);
761
if(ret == 0){
689
if (ret == 0){
762
690
avahi_simple_poll_quit(mc->simple_poll);
763
691
}
764
692
}
782
710
/* Called whenever a new services becomes available on the LAN or
783
711
is removed from the LAN */
784
712
785
switch(event) {
713
switch (event) {
786
714
default:
787
715
case AVAHI_BROWSER_FAILURE:
788
716
797
725
the callback function is called the Avahi server will free the
798
726
resolver for us. */
799
727
800
if(!(avahi_s_service_resolver_new(mc->server, interface,
728
if (!(avahi_s_service_resolver_new(mc->server, interface,
801
729
protocol, name, type, domain,
802
730
AVAHI_PROTO_INET6, 0,
803
731
resolve_callback, mc)))
817
745
}
818
746
}
819
747
748
/* Combines file name and path and returns the malloced new
749
string. some sane checks could/should be added */
750
static char *combinepath(const char *first, const char *second){
751
char *tmp;
752
int ret = asprintf(&tmp, "%s/%s", first, second);
753
if(ret < 0){
754
return NULL;
755
}
756
return tmp;
757
}
758
759
820
760
int main(int argc, char *argv[]){
821
761
AvahiSServiceBrowser *sb = NULL;
822
762
int error;
823
763
int ret;
824
intmax_t tmpmax;
825
int numchars;
826
764
int exitcode = EXIT_SUCCESS;
827
765
const char *interface = "eth0";
828
766
struct ifreq network;
830
768
uid_t uid;
831
769
gid_t gid;
832
770
char *connect_to = NULL;
833
char tempdir[] = "/tmp/mandosXXXXXX";
834
771
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
835
const char *seckey = PATHDIR "/" SECKEY;
836
const char *pubkey = PATHDIR "/" PUBKEY;
837
772
char *pubkeyfilename = NULL;
773
char *seckeyfilename = NULL;
774
const char *pubkeyname = "pubkey.txt";
775
const char *seckeyname = "seckey.txt";
838
776
mandos_context mc = { .simple_poll = NULL, .server = NULL,
839
.dh_bits = 1024, .priority = "SECURE256"
840
":!CTYPE-X.509:+CTYPE-OPENPGP" };
777
.dh_bits = 1024, .priority = "SECURE256"};
841
778
bool gnutls_initalized = false;
842
bool gpgme_initalized = false;
843
779
844
780
{
845
781
struct argp_option options[] = {
846
782
{ .name = "debug", .key = 128,
847
783
.doc = "Debug mode", .group = 3 },
848
784
{ .name = "connect", .key = 'c',
849
.arg = "ADDRESS:PORT",
850
.doc = "Connect directly to a specific Mandos server",
785
.arg = "IP",
786
.doc = "Connect directly to a sepcified mandos server",
851
787
.group = 1 },
852
788
{ .name = "interface", .key = 'i',
853
.arg = "NAME",
854
.doc = "Interface that will be used to search for Mandos"
855
" servers",
789
.arg = "INTERFACE",
790
.doc = "Interface that Avahi will conntect through",
791
.group = 1 },
792
{ .name = "keydir", .key = 'd',
793
.arg = "KEYDIR",
794
.doc = "Directory where the openpgp keyring is",
856
795
.group = 1 },
857
796
{ .name = "seckey", .key = 's',
858
.arg = "FILE",
859
.doc = "OpenPGP secret key file base name",
797
.arg = "SECKEY",
798
.doc = "Secret openpgp key for gnutls authentication",
860
799
.group = 1 },
861
800
{ .name = "pubkey", .key = 'p',
862
.arg = "FILE",
863
.doc = "OpenPGP public key file base name",
801
.arg = "PUBKEY",
802
.doc = "Public openpgp key for gnutls authentication",
864
803
.group = 2 },
865
804
{ .name = "dh-bits", .key = 129,
866
805
.arg = "BITS",
867
.doc = "Bit length of the prime number used in the"
868
" Diffie-Hellman key exchange",
806
.doc = "dh-bits to use in gnutls communication",
869
807
.group = 2 },
870
808
{ .name = "priority", .key = 130,
871
.arg = "STRING",
872
.doc = "GnuTLS priority string for the TLS handshake",
873
.group = 1 },
809
.arg = "PRIORITY",
810
.doc = "GNUTLS priority", .group = 1 },
874
811
{ .name = NULL }
875
812
};
813
876
814
877
error_t parse_opt(int key, char *arg,
878
struct argp_state *state) {
879
switch(key) {
880
case 128: /* --debug */
815
error_t parse_opt (int key, char *arg,
816
struct argp_state *state) {
817
/* Get the INPUT argument from `argp_parse', which we know is
818
a pointer to our plugin list pointer. */
819
switch (key) {
820
case 128:
881
821
debug = true;
882
822
break;
883
case 'c': /* --connect */
823
case 'c':
884
824
connect_to = arg;
885
825
break;
886
case 'i': /* --interface */
826
case 'i':
887
827
interface = arg;
888
828
break;
889
case 's': /* --seckey */
890
seckey = arg;
891
break;
892
case 'p': /* --pubkey */
893
pubkey = arg;
894
break;
895
case 129: /* --dh-bits */
896
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
897
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
898
or arg[numchars] != '\0'){
899
fprintf(stderr, "Bad number of DH bits\n");
829
case 'd':
830
keydir = arg;
831
break;
832
case 's':
833
seckeyname = arg;
834
break;
835
case 'p':
836
pubkeyname = arg;
837
break;
838
case 129:
839
errno = 0;
840
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
841
if (errno){
842
perror("strtol");
900
843
exit(EXIT_FAILURE);
901
844
}
902
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
903
845
break;
904
case 130: /* --priority */
846
case 130:
905
847
mc.priority = arg;
906
848
break;
907
849
case ARGP_KEY_ARG:
908
argp_usage(state);
850
argp_usage (state);
909
851
case ARGP_KEY_END:
910
852
break;
911
853
default:
913
855
}
914
856
return 0;
915
857
}
916
858
917
859
struct argp argp = { .options = options, .parser = parse_opt,
918
860
.args_doc = "",
919
861
.doc = "Mandos client -- Get and decrypt"
920
" passwords from a Mandos server" };
921
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
922
if(ret == ARGP_ERR_UNKNOWN){
862
" passwords from mandos server" };
863
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
864
if (ret == ARGP_ERR_UNKNOWN){
923
865
fprintf(stderr, "Unknown error while parsing arguments\n");
924
866
exitcode = EXIT_FAILURE;
925
867
goto end;
926
868
}
927
869
}
870
871
pubkeyfilename = combinepath(keydir, pubkeyname);
872
if (pubkeyfilename == NULL){
873
perror("combinepath");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
878
seckeyfilename = combinepath(keydir, seckeyname);
879
if (seckeyfilename == NULL){
880
perror("combinepath");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
885
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
886
if (ret == -1){
887
fprintf(stderr, "init_gnutls_global failed\n");
888
exitcode = EXIT_FAILURE;
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
928
893
929
894
/* If the interface is down, bring it up */
930
895
{
950
915
goto end;
951
916
}
952
917
}
953
ret = (int)TEMP_FAILURE_RETRY(close(sd));
954
if(ret == -1){
955
perror("close");
956
}
918
close(sd);
957
919
}
958
920
959
921
uid = getuid();
960
922
gid = getgid();
961
923
962
924
ret = setuid(uid);
963
if(ret == -1){
925
if (ret == -1){
964
926
perror("setuid");
965
927
}
966
928
967
929
setgid(gid);
968
if(ret == -1){
930
if (ret == -1){
969
931
perror("setgid");
970
932
}
971
933
972
ret = init_gnutls_global(&mc, pubkey, seckey);
973
if(ret == -1){
974
fprintf(stderr, "init_gnutls_global failed\n");
975
exitcode = EXIT_FAILURE;
976
goto end;
977
} else {
978
gnutls_initalized = true;
979
}
980
981
if(mkdtemp(tempdir) == NULL){
982
perror("mkdtemp");
983
tempdir[0] = '\0';
984
goto end;
985
}
986
987
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
988
fprintf(stderr, "gpgme_initalized failed\n");
989
exitcode = EXIT_FAILURE;
990
goto end;
991
} else {
992
gpgme_initalized = true;
993
}
994
995
934
if_index = (AvahiIfIndex) if_nametoindex(interface);
996
935
if(if_index == 0){
997
936
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1007
946
exitcode = EXIT_FAILURE;
1008
947
goto end;
1009
948
}
1010
uint16_t port;
1011
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1012
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1013
or address[numchars+1] != '\0'){
1014
fprintf(stderr, "Bad port number\n");
949
errno = 0;
950
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
951
if(errno){
952
perror("Bad port number");
1015
953
exitcode = EXIT_FAILURE;
1016
954
goto end;
1017
955
}
1018
port = (uint16_t)tmpmax;
1019
956
*address = '\0';
1020
957
address = connect_to;
1021
958
ret = start_mandos_communication(address, port, if_index, &mc);
1027
964
goto end;
1028
965
}
1029
966
1030
if(not debug){
967
if (not debug){
1031
968
avahi_set_log_function(empty_log);
1032
969
}
1033
970
1036
973
1037
974
/* Allocate main Avahi loop object */
1038
975
mc.simple_poll = avahi_simple_poll_new();
1039
if(mc.simple_poll == NULL) {
976
if (mc.simple_poll == NULL) {
1040
977
fprintf(stderr, "Avahi: Failed to create simple poll"
1041
978
" object.\n");
1042
979
exitcode = EXIT_FAILURE;
1043
980
goto end;
1044
981
}
1045
982
1046
983
{
1047
984
AvahiServerConfig config;
1048
985
/* Do not publish any local Zeroconf records */
1051
988
config.publish_addresses = 0;
1052
989
config.publish_workstation = 0;
1053
990
config.publish_domain = 0;
1054
991
1055
992
/* Allocate a new server */
1056
993
mc.server = avahi_server_new(avahi_simple_poll_get
1057
994
(mc.simple_poll), &config, NULL,
1058
995
NULL, &error);
1059
996
1060
997
/* Free the Avahi configuration data */
1061
998
avahi_server_config_free(&config);
1062
999
}
1063
1000
1064
1001
/* Check if creating the Avahi server object succeeded */
1065
if(mc.server == NULL) {
1002
if (mc.server == NULL) {
1066
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
1067
1004
avahi_strerror(error));
1068
1005
exitcode = EXIT_FAILURE;
1074
1011
AVAHI_PROTO_INET6,
1075
1012
"_mandos._tcp", NULL, 0,
1076
1013
browse_callback, &mc);
1077
if(sb == NULL) {
1014
if (sb == NULL) {
1078
1015
fprintf(stderr, "Failed to create service browser: %s\n",
1079
1016
avahi_strerror(avahi_server_errno(mc.server)));
1080
1017
exitcode = EXIT_FAILURE;
1082
1019
}
1083
1020
1084
1021
/* Run the main loop */
1085
1086
if(debug){
1022
1023
if (debug){
1087
1024
fprintf(stderr, "Starting Avahi loop search\n");
1088
1025
}
1089
1026
1090
1027
avahi_simple_poll_loop(mc.simple_poll);
1091
1028
1092
1029
end:
1093
1094
if(debug){
1030
1031
if (debug){
1095
1032
fprintf(stderr, "%s exiting\n", argv[0]);
1096
1033
}
1097
1034
1098
1035
/* Cleanup things */
1099
if(sb != NULL)
1036
if (sb != NULL)
1100
1037
avahi_s_service_browser_free(sb);
1101
1038
1102
if(mc.server != NULL)
1039
if (mc.server != NULL)
1103
1040
avahi_server_free(mc.server);
1104
1105
if(mc.simple_poll != NULL)
1041
1042
if (mc.simple_poll != NULL)
1106
1043
avahi_simple_poll_free(mc.simple_poll);
1107
1108
if(gnutls_initalized){
1044
free(pubkeyfilename);
1045
free(seckeyfilename);
1046
1047
if (gnutls_initalized){
1109
1048
gnutls_certificate_free_credentials(mc.cred);
1110
gnutls_global_deinit();
1111
gnutls_dh_params_deinit(mc.dh_params);
1112
}
1113
1114
if(gpgme_initalized){
1115
gpgme_release(mc.ctx);
1116
}
1117
1118
/* Removes the temp directory used by GPGME */
1119
if(tempdir[0] != '\0'){
1120
DIR *d;
1121
struct dirent *direntry;
1122
d = opendir(tempdir);
1123
if(d == NULL){
1124
if(errno != ENOENT){
1125
perror("opendir");
1126
}
1127
} else {
1128
while(true){
1129
direntry = readdir(d);
1130
if(direntry == NULL){
1131
break;
1132
}
1133
if(direntry->d_type == DT_REG){
1134
char *fullname = NULL;
1135
ret = asprintf(&fullname, "%s/%s", tempdir,
1136
direntry->d_name);
1137
if(ret < 0){
1138
perror("asprintf");
1139
continue;
1140
}
1141
ret = unlink(fullname);
1142
if(ret == -1){
1143
fprintf(stderr, "unlink(\"%s\"): %s",
1144
fullname, strerror(errno));
1145
}
1146
free(fullname);
1147
}
1148
}
1149
closedir(d);
1150
}
1151
ret = rmdir(tempdir);
1152
if(ret == -1 and errno != ENOENT){
1153
perror("rmdir");
1154
}
1155
}
1156
1049
gnutls_global_deinit ();
1050
}
1051
1157
1052
return exitcode;
1158
1053
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0