/mandos/trunk : revision 12

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-19 18:43:24 UTC
Revision ID: teddy@fukt.bsnet.se-20080719184324-iwhoa5in75xa0u2u

* mandos-clients.conf ([foo]/dn, [foo]/password, [braxen_client]/dn,
                       [braxen_client]/password): Removed.
  ([foo]/fingerprint, [braxen_client]/fingerprint): New.
  ([foo]/checker): New.
  ([foo]/secfile): New.
  ([braxen_client]/secret): New.

* server.py: New "--debug" option to set debug flag.  Removed "cert",
             "key", "ca", "crl", and "cred" variables.  Added default
             value for "checker" config file setting.  Do not pass
             credentials to IPv6_TCPServer constructor.
  (debug): New global debug flag.  Used by most debugging output code.
  (Client.__init__): Keyword argument "dn" replaced by "fingerprint",
                     "password" renamed to "secret", and "passfile"
                     renamed to "secfile".  New keyword argument
                     "checker". All callers changed.
  (Client.dn): Removed.
  (Client.fingerprint): New.
  (Client.password): Renamed to "secret"; all users changed.
  (Client.passfile): Renamed to "secfile"; all users changed.
  (Client.timeout, Client.interval): Changed to be properties; now
                                     automatically updates the
                                     "_timeout_milliseconds" and
                                     "_interval_milliseconds" values.
  (Client.timeout_milliseconds): Renamed to "_timeout_milliseconds".
  (Client.interval_milliseconds): Renamed to "_interval_milliseconds".
  (Client.check_command): New.
  (Client.start_checker): Use the new "check_command" attribute.
  (peer_certificate, fingerprint): New functions.

  (tcp_handler.handle): Use ClientSession with empty credentials
                        object instead of ServerSession.  Set gnutls
                        priority string.  Do not verify peer.  Use
                        fingerprint instead of DN when searching for
                        clients.  Bug fix: Loop sending data so even large
                        secret data strings are sent.
  (IPv6_TCPServer.credentials): Removed.
  (if_nametoindex): Do not import ctypes since that is now imported
                    globally.

files added:
client.cpp

files removed:
plugbasedclient.c

plugins.d

plugins.d/Makefile

plugins.d/mandosclient.c

plugins.d/passprompt.c

files modified:
Makefile

TODO

mandos-clients.conf

server.py

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* $Id$ */

/* PLEASE NOTE *

* This file demonstrates how to use Avahi's core API, this is

* the embeddable mDNS stack for embedded applications.

* End user applications should *not* use this API and should use

* the D-Bus or C APIs, please see

* client-browse-services.c and glib-integration.c

* I repeat, you probably do *not* want to use this example.

/***

This file is part of avahi.

avahi is free software; you can redistribute it and/or modify it

under the terms of the GNU Lesser General Public License as

published by the Free Software Foundation; either version 2.1 of the

License, or (at your option) any later version.

avahi is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY

or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General

Public License for more details.

You should have received a copy of the GNU Lesser General Public

License along with avahi; if not, write to the Free Software

Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

USA.

***/

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/simple-watch.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */

#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

#define DH_BITS 1024

typedef struct {

gnutls_session_t session;

gnutls_certificate_credentials_t cred;

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){

gpgme_data_t dh_crypto, dh_plain;

gpgme_ctx_t ctx;

gpgme_error_t rc;

ssize_t ret;

size_t new_packet_capacity = 0;

size_t new_packet_length = 0;

gpgme_engine_info_t engine_info;

/* Init GPGME */

gpgme_check_version(NULL);

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

/* Set GPGME home directory */

rc = gpgme_get_engine_info (&engine_info);

if (rc != GPG_ERR_NO_ERROR){

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

gpgme_strsource(rc), gpgme_strerror(rc));

100

return -1;

101

}

102

while(engine_info != NULL){

103

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

104

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

105

engine_info->file_name, homedir);

106

break;

107

}

108

engine_info = engine_info->next;

109

}

110

if(engine_info == NULL){

111

fprintf(stderr, "Could not set home dir to %s\n", homedir);

112

return -1;

113

}

114

115

/* Create new GPGME data buffer from packet buffer */

116

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

117

if (rc != GPG_ERR_NO_ERROR){

118

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

119

gpgme_strsource(rc), gpgme_strerror(rc));

120

return -1;

121

}

122

123

/* Create new empty GPGME data buffer for the plaintext */

124

rc = gpgme_data_new(&dh_plain);

125

if (rc != GPG_ERR_NO_ERROR){

126

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

127

gpgme_strsource(rc), gpgme_strerror(rc));

128

return -1;

129

}

130

131

/* Create new GPGME "context" */

132

rc = gpgme_new(&ctx);

133

if (rc != GPG_ERR_NO_ERROR){

134

fprintf(stderr, "bad gpgme_new: %s: %s\n",

135

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

137

}

138

139

/* Decrypt data from the FILE pointer to the plaintext data buffer */

140

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

141

if (rc != GPG_ERR_NO_ERROR){

142

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

143

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

145

}

146

147

/* gpgme_decrypt_result_t result; */

148

/* result = gpgme_op_decrypt_result(ctx); */

149

/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */

150

/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */

151

/* if(result->file_name != NULL){ */

152

/* fprintf(stderr, "File name: %s\n", result->file_name); */

153

/* } */

154

/* gpgme_recipient_t recipient; */

155

/* recipient = result->recipients; */

156

/* if(recipient){ */

157

/* while(recipient != NULL){ */

158

/* fprintf(stderr, "Public key algorithm: %s\n", */

159

/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */

160

/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */

161

/* fprintf(stderr, "Secret key available: %s\n", */

162

/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */

163

/* recipient = recipient->next; */

164

/* } */

165

/* } */

166

167

/* Delete the GPGME FILE pointer cryptotext data buffer */

168

gpgme_data_release(dh_crypto);

169

170

/* Seek back to the beginning of the GPGME plaintext data buffer */

171

gpgme_data_seek(dh_plain, 0, SEEK_SET);

172

173

*new_packet = 0;

174

while(true){

175

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

176

*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);

177

if (*new_packet == NULL){

178

perror("realloc");

179

return -1;

180

}

181

new_packet_capacity += BUFFER_SIZE;

182

}

183

184

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);

185

/* Print the data, if any */

186

if (ret == 0){

187

/* If password is empty, then a incorrect error will be printed */

188

break;

189

}

190

if(ret < 0){

191

perror("gpgme_data_read");

192

return -1;

193

}

194

new_packet_length += ret;

195

}

196

197

/* Delete the GPGME plaintext data buffer */

198

gpgme_data_release(dh_plain);

199

return new_packet_length;

200

}

201

202

static const char * safer_gnutls_strerror (int value) {

203

const char *ret = gnutls_strerror (value);

204

if (ret == NULL)

205

ret = "(unknown)";

206

return ret;

207

}

208

209

void debuggnutls(int level, const char* string){

210

fprintf(stderr, "%s", string);

211

}

212

213

int initgnutls(encrypted_session *es){

214

const char *err;

215

int ret;

216

217

if ((ret = gnutls_global_init ())

218

!= GNUTLS_E_SUCCESS) {

219

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

220

return -1;

221

}

222

223

/* Uncomment to enable full debuggin on the gnutls library */

224

/* gnutls_global_set_log_level(11); */

225

/* gnutls_global_set_log_function(debuggnutls); */

226

227

228

/* openpgp credentials */

229

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

230

!= GNUTLS_E_SUCCESS) {

231

fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));

232

return -1;

233

}

234

235

ret = gnutls_certificate_set_openpgp_key_file

236

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

237

if (ret != GNUTLS_E_SUCCESS) {

238

fprintf

239

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",

240

ret, CERTFILE, KEYFILE);

241

fprintf(stdout, "The Error is: %s\n",

242

safer_gnutls_strerror(ret));

243

return -1;

244

}

245

246

//Gnutls server initialization

247

if ((ret = gnutls_dh_params_init (&es->dh_params))

248

!= GNUTLS_E_SUCCESS) {

249

fprintf (stderr, "Error in dh parameter initialization: %s\n",

250

safer_gnutls_strerror(ret));

251

return -1;

252

}

253

254

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

255

!= GNUTLS_E_SUCCESS) {

256

fprintf (stderr, "Error in prime generation: %s\n",

257

safer_gnutls_strerror(ret));

258

return -1;

259

}

260

261

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

262

263

// Gnutls session creation

264

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

265

!= GNUTLS_E_SUCCESS){

266

fprintf(stderr, "Error in gnutls session initialization: %s\n",

267

safer_gnutls_strerror(ret));

268

}

269

270

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

271

!= GNUTLS_E_SUCCESS) {

272

fprintf(stderr, "Syntax error at: %s\n", err);

273

fprintf(stderr, "Gnutls error: %s\n",

274

safer_gnutls_strerror(ret));

275

return -1;

276

}

277

278

if ((ret = gnutls_credentials_set

279

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

280

!= GNUTLS_E_SUCCESS) {

281

fprintf(stderr, "Error setting a credentials set: %s\n",

282

safer_gnutls_strerror(ret));

283

return -1;

284

}

285

286

/* ignore client certificate if any. */

287

gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);

288

289

gnutls_dh_set_prime_bits (es->session, DH_BITS);

290

291

return 0;

292

}

293

294

void empty_log(AvahiLogLevel level, const char *txt){}

295

296

int start_mandos_communcation(char *ip, uint16_t port){

297

int ret, tcp_sd;

298

struct sockaddr_in6 to;

299

struct in6_addr ip_addr;

300

encrypted_session es;

301

char *buffer = NULL;

302

char *decrypted_buffer;

303

size_t buffer_length = 0;

304

size_t buffer_capacity = 0;

305

ssize_t decrypted_buffer_size;

306

int retval = 0;

307

308

309

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

310

if(tcp_sd < 0) {

311

perror("socket");

312

return -1;

313

}

314

315

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

316

if(tcp_sd < 0) {

317

perror("setsockopt bindtodevice");

318

return -1;

319

}

320

321

memset(&to,0,sizeof(to));

322

to.sin6_family = AF_INET6;

323

ret = inet_pton(AF_INET6, ip, &ip_addr);

324

if (ret < 0 ){

325

perror("inet_pton");

326

return -1;

327

}

328

if(ret == 0){

329

fprintf(stderr, "Bad address: %s\n", ip);

330

return -1;

331

}

332

to.sin6_port = htons(port);

333

to.sin6_scope_id = if_nametoindex("eth0");

334

335

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

336

if (ret < 0){

337

perror("connect");

338

return -1;

339

}

340

341

ret = initgnutls (&es);

342

if (ret != 0){

343

retval = -1;

344

return -1;

345

}

346

347

348

gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

349

350

ret = gnutls_handshake (es.session);

351

352

if (ret != GNUTLS_E_SUCCESS){

353

fprintf(stderr, "\n*** Handshake failed ***\n");

354

gnutls_perror (ret);

355

retval = -1;

356

goto exit;

357

}

358

359

//retrive password

360

while(true){

361

if (buffer_length + BUFFER_SIZE > buffer_capacity){

362

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

363

if (buffer == NULL){

364

perror("realloc");

365

goto exit;

366

}

367

buffer_capacity += BUFFER_SIZE;

368

}

369

370

ret = gnutls_record_recv

371

(es.session, buffer+buffer_length, BUFFER_SIZE);

372

if (ret == 0){

373

break;

374

}

375

if (ret < 0){

376

switch(ret){

377

case GNUTLS_E_INTERRUPTED:

378

case GNUTLS_E_AGAIN:

379

break;

380

case GNUTLS_E_REHANDSHAKE:

381

ret = gnutls_handshake (es.session);

382

if (ret < 0){

383

fprintf(stderr, "\n*** Handshake failed ***\n");

384

gnutls_perror (ret);

385

retval = -1;

386

goto exit;

387

}

388

break;

389

default:

390

fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");

391

retval = -1;

392

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

393

goto exit;

394

}

395

} else {

396

buffer_length += ret;

397

}

398

}

399

400

if (buffer_length > 0){

401

if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){

402

retval = -1;

403

} else {

404

fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);

405

free(decrypted_buffer);

406

}

407

}

408

409

free(buffer);

410

411

//shutdown procedure

412

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

413

exit:

414

close(tcp_sd);

415

gnutls_deinit (es.session);

416

gnutls_certificate_free_credentials (es.cred);

417

gnutls_global_deinit ();

418

return retval;

419

}

420

421

static AvahiSimplePoll *simple_poll = NULL;

422

static AvahiServer *server = NULL;

423

424

static void resolve_callback(

425

AvahiSServiceResolver *r,

426

AVAHI_GCC_UNUSED AvahiIfIndex interface,

427

AVAHI_GCC_UNUSED AvahiProtocol protocol,

428

AvahiResolverEvent event,

429

const char *name,

430

const char *type,

431

const char *domain,

432

const char *host_name,

433

const AvahiAddress *address,

434

uint16_t port,

435

AvahiStringList *txt,

436

AvahiLookupResultFlags flags,

437

AVAHI_GCC_UNUSED void* userdata) {

438

439

assert(r);

440

441

/* Called whenever a service has been resolved successfully or timed out */

442

443

switch (event) {

444

case AVAHI_RESOLVER_FAILURE:

445

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));

446

break;

447

448

case AVAHI_RESOLVER_FOUND: {

449

char ip[AVAHI_ADDRESS_STR_MAX];

450

avahi_address_snprint(ip, sizeof(ip), address);

451

int ret = start_mandos_communcation(ip, port);

452

if (ret == 0){

453

exit(EXIT_SUCCESS);

454

} else {

455

exit(EXIT_FAILURE);

456

}

457

}

458

}

459

avahi_s_service_resolver_free(r);

460

}

461

462

static void browse_callback(

463

AvahiSServiceBrowser *b,

464

AvahiIfIndex interface,

465

AvahiProtocol protocol,

466

AvahiBrowserEvent event,

467

const char *name,

468

const char *type,

469

const char *domain,

470

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

471

void* userdata) {

472

473

AvahiServer *s = userdata;

474

assert(b);

475

476

/* Called whenever a new services becomes available on the LAN or is removed from the LAN */

477

478

switch (event) {

479

480

case AVAHI_BROWSER_FAILURE:

481

482

fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));

483

avahi_simple_poll_quit(simple_poll);

484

return;

485

486

case AVAHI_BROWSER_NEW:

487

/* We ignore the returned resolver object. In the callback

488

function we free it. If the server is terminated before

489

the callback function is called the server will free

490

the resolver for us. */

491

492

if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))

493

fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));

494

495

break;

496

497

case AVAHI_BROWSER_REMOVE:

498

break;

499

500

case AVAHI_BROWSER_ALL_FOR_NOW:

501

case AVAHI_BROWSER_CACHE_EXHAUSTED:

502

break;

503

}

504

}

505

506

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

507

AvahiServerConfig config;

508

AvahiSServiceBrowser *sb = NULL;

509

int error;

510

int ret = 1;

511

512

avahi_set_log_function(empty_log);

513

514

/* Initialize the psuedo-RNG */

515

srand(time(NULL));

516

517

/* Allocate main loop object */

518

if (!(simple_poll = avahi_simple_poll_new())) {

519

fprintf(stderr, "Failed to create simple poll object.\n");

520

goto fail;

521

}

522

523

/* Do not publish any local records */

524

avahi_server_config_init(&config);

525

config.publish_hinfo = 0;

526

config.publish_addresses = 0;

527

config.publish_workstation = 0;

528

config.publish_domain = 0;

529

530

/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */

531

/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */

532

/* config.n_wide_area_servers = 1; */

533

/* config.enable_wide_area = 1; */

534

535

/* Allocate a new server */

536

server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

537

538

/* Free the configuration data */

539

avahi_server_config_free(&config);

540

541

/* Check wether creating the server object succeeded */

542

if (!server) {

543

fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));

544

goto fail;

545

}

546

547

/* Create the service browser */

548

if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {

549

fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));

550

goto fail;

551

}

552

553

/* Run the main loop */

554

avahi_simple_poll_loop(simple_poll);

555

556

ret = 0;

557

558

fail:

559

560

/* Cleanup things */

561

if (sb)

562

avahi_s_service_browser_free(sb);

563

564

if (server)

565

avahi_server_free(server);

566

567

if (simple_poll)

568

avahi_simple_poll_free(simple_poll);

569

570

return ret;

571

}

Older »