To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 13
- compare with another revision
- download diff
- download tarball
- view history from revision 13
- Committer: Björn Påhlsson
- Date: 2008-07-20 02:52:20 UTC
- Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6
Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server
- files added:
- plugins.d/Makefile
- files removed:
- server.conf
- files renamed:
- clients.conf => mandos-clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
1
/* $Id$ */
2
3
/* PLEASE NOTE *
4
* This file demonstrates how to use Avahi's core API, this is
5
* the embeddable mDNS stack for embedded applications.
4
6
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
7
* End user applications should *not* use this API and should use
8
* the D-Bus or C APIs, please see
9
* client-browse-services.c and glib-integration.c
10
*
11
* I repeat, you probably do *not* want to use this example.
29
12
*/
30
13
31
/* Needed by GPGME, specifically gpgme_data_seek() */
14
/***
15
This file is part of avahi.
16
17
avahi is free software; you can redistribute it and/or modify it
18
under the terms of the GNU Lesser General Public License as
19
published by the Free Software Foundation; either version 2.1 of the
20
License, or (at your option) any later version.
21
22
avahi is distributed in the hope that it will be useful, but WITHOUT
23
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
25
Public License for more details.
26
27
You should have received a copy of the GNU Lesser General Public
28
License along with avahi; if not, write to the Free Software
29
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
30
USA.
31
***/
32
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
37
38
#include <stdlib.h>
38
39
#include <time.h>
39
40
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
41
43
42
#include <avahi-core/core.h>
44
43
#include <avahi-core/lookup.h>
48
47
#include <avahi-common/error.h>
49
48
50
49
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
50
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
51
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
53
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
56
54
57
55
#include <unistd.h> /* close() */
58
56
#include <netinet/in.h>
65
63
#include <errno.h> /* perror() */
66
64
#include <gpgme.h>
67
65
68
// getopt_long
69
#include <getopt.h>
70
66
67
#ifndef CERT_ROOT
68
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
69
#endif
70
#define CERTFILE CERT_ROOT "openpgp-client.txt"
71
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
71
72
#define BUFFER_SIZE 256
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
76
77
bool debug = false;
78
79
/* Used for passing in values through all the callback functions */
73
#define DH_BITS 1024
74
80
75
typedef struct {
81
AvahiSimplePoll *simple_poll;
82
AvahiServer *server;
76
gnutls_session_t session;
83
77
gnutls_certificate_credentials_t cred;
84
unsigned int dh_bits;
85
const char *priority;
86
} mandos_context;
87
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
90
const char *homedir){
78
gnutls_dh_params_t dh_params;
79
} encrypted_session;
80
81
82
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
91
83
gpgme_data_t dh_crypto, dh_plain;
92
84
gpgme_ctx_t ctx;
93
85
gpgme_error_t rc;
94
86
ssize_t ret;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
87
size_t new_packet_capacity = 0;
88
size_t new_packet_length = 0;
97
89
gpgme_engine_info_t engine_info;
98
90
99
if (debug){
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
101
}
102
103
91
/* Init GPGME */
104
92
gpgme_check_version(NULL);
105
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
106
if (rc != GPG_ERR_NO_ERROR){
107
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
108
gpgme_strsource(rc), gpgme_strerror(rc));
109
return -1;
110
}
93
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
111
94
112
95
/* Set GPGME home directory */
113
96
rc = gpgme_get_engine_info (&engine_info);
153
136
return -1;
154
137
}
155
138
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
139
/* Decrypt data from the FILE pointer to the plaintext data buffer */
158
140
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
159
141
if (rc != GPG_ERR_NO_ERROR){
160
142
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
161
143
gpgme_strsource(rc), gpgme_strerror(rc));
162
144
return -1;
163
145
}
164
165
if(debug){
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
167
}
168
169
if (debug){
170
gpgme_decrypt_result_t result;
171
result = gpgme_op_decrypt_result(ctx);
172
if (result == NULL){
173
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
} else {
175
fprintf(stderr, "Unsupported algorithm: %s\n",
176
result->unsupported_algorithm);
177
fprintf(stderr, "Wrong key usage: %d\n",
178
result->wrong_key_usage);
179
if(result->file_name != NULL){
180
fprintf(stderr, "File name: %s\n", result->file_name);
181
}
182
gpgme_recipient_t recipient;
183
recipient = result->recipients;
184
if(recipient){
185
while(recipient != NULL){
186
fprintf(stderr, "Public key algorithm: %s\n",
187
gpgme_pubkey_algo_name(recipient->pubkey_algo));
188
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
189
fprintf(stderr, "Secret key available: %s\n",
190
recipient->status == GPG_ERR_NO_SECKEY
191
? "No" : "Yes");
192
recipient = recipient->next;
193
}
194
}
195
}
196
}
197
146
147
/* gpgme_decrypt_result_t result; */
148
/* result = gpgme_op_decrypt_result(ctx); */
149
/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */
150
/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */
151
/* if(result->file_name != NULL){ */
152
/* fprintf(stderr, "File name: %s\n", result->file_name); */
153
/* } */
154
/* gpgme_recipient_t recipient; */
155
/* recipient = result->recipients; */
156
/* if(recipient){ */
157
/* while(recipient != NULL){ */
158
/* fprintf(stderr, "Public key algorithm: %s\n", */
159
/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */
160
/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */
161
/* fprintf(stderr, "Secret key available: %s\n", */
162
/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */
163
/* recipient = recipient->next; */
164
/* } */
165
/* } */
166
198
167
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
168
gpgme_data_release(dh_crypto);
200
169
201
170
/* Seek back to the beginning of the GPGME plaintext data buffer */
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
203
perror("pgpme_data_seek");
204
}
205
171
gpgme_data_seek(dh_plain, 0, SEEK_SET);
172
206
173
*new_packet = 0;
207
174
while(true){
208
175
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
176
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
212
177
if (*new_packet == NULL){
213
178
perror("realloc");
214
179
return -1;
216
181
new_packet_capacity += BUFFER_SIZE;
217
182
}
218
183
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
220
BUFFER_SIZE);
184
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
221
185
/* Print the data, if any */
222
186
if (ret == 0){
187
/* If password is empty, then a incorrect error will be printed */
223
188
break;
224
189
}
225
190
if(ret < 0){
229
194
new_packet_length += ret;
230
195
}
231
196
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
239
240
/* Delete the GPGME plaintext data buffer */
197
/* Delete the GPGME plaintext data buffer */
241
198
gpgme_data_release(dh_plain);
242
199
return new_packet_length;
243
200
}
249
206
return ret;
250
207
}
251
208
252
static void debuggnutls(__attribute__((unused)) int level,
253
const char* string){
209
void debuggnutls(int level, const char* string){
254
210
fprintf(stderr, "%s", string);
255
211
}
256
212
257
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
258
gnutls_dh_params_t *dh_params){
213
int initgnutls(encrypted_session *es){
259
214
const char *err;
260
215
int ret;
261
216
262
if(debug){
263
fprintf(stderr, "Initializing GnuTLS\n");
264
}
265
266
217
if ((ret = gnutls_global_init ())
267
218
!= GNUTLS_E_SUCCESS) {
268
219
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
269
220
return -1;
270
221
}
271
272
if (debug){
273
gnutls_global_set_log_level(11);
274
gnutls_global_set_log_function(debuggnutls);
275
}
276
222
223
/* Uncomment to enable full debuggin on the gnutls library */
224
/* gnutls_global_set_log_level(11); */
225
/* gnutls_global_set_log_function(debuggnutls); */
226
227
277
228
/* openpgp credentials */
278
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
229
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
279
230
!= GNUTLS_E_SUCCESS) {
280
fprintf (stderr, "memory error: %s\n",
281
safer_gnutls_strerror(ret));
231
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
282
232
return -1;
283
233
}
284
285
if(debug){
286
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
287
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
288
seckeyfile);
289
}
290
234
291
235
ret = gnutls_certificate_set_openpgp_key_file
292
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
236
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
293
237
if (ret != GNUTLS_E_SUCCESS) {
294
238
fprintf
295
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
296
" '%s')\n",
297
ret, pubkeyfile, seckeyfile);
239
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
240
ret, CERTFILE, KEYFILE);
298
241
fprintf(stdout, "The Error is: %s\n",
299
242
safer_gnutls_strerror(ret));
300
243
return -1;
301
244
}
302
303
//GnuTLS server initialization
304
if ((ret = gnutls_dh_params_init(dh_params))
245
246
//Gnutls server initialization
247
if ((ret = gnutls_dh_params_init (&es->dh_params))
305
248
!= GNUTLS_E_SUCCESS) {
306
249
fprintf (stderr, "Error in dh parameter initialization: %s\n",
307
250
safer_gnutls_strerror(ret));
308
251
return -1;
309
252
}
310
311
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
253
254
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
312
255
!= GNUTLS_E_SUCCESS) {
313
256
fprintf (stderr, "Error in prime generation: %s\n",
314
257
safer_gnutls_strerror(ret));
315
258
return -1;
316
259
}
317
318
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
319
320
// GnuTLS session creation
321
if ((ret = gnutls_init(session, GNUTLS_SERVER))
260
261
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
262
263
// Gnutls session creation
264
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
322
265
!= GNUTLS_E_SUCCESS){
323
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
266
fprintf(stderr, "Error in gnutls session initialization: %s\n",
324
267
safer_gnutls_strerror(ret));
325
268
}
326
327
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
269
270
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
328
271
!= GNUTLS_E_SUCCESS) {
329
272
fprintf(stderr, "Syntax error at: %s\n", err);
330
fprintf(stderr, "GnuTLS error: %s\n",
273
fprintf(stderr, "Gnutls error: %s\n",
331
274
safer_gnutls_strerror(ret));
332
275
return -1;
333
276
}
334
335
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
336
mc->cred))
277
278
if ((ret = gnutls_credentials_set
279
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
337
280
!= GNUTLS_E_SUCCESS) {
338
281
fprintf(stderr, "Error setting a credentials set: %s\n",
339
282
safer_gnutls_strerror(ret));
340
283
return -1;
341
284
}
342
285
343
286
/* ignore client certificate if any. */
344
gnutls_certificate_server_set_request (*session,
345
GNUTLS_CERT_IGNORE);
287
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
346
288
347
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
289
gnutls_dh_set_prime_bits (es->session, DH_BITS);
348
290
349
291
return 0;
350
292
}
351
293
352
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
353
__attribute__((unused)) const char *txt){}
294
void empty_log(AvahiLogLevel level, const char *txt){}
354
295
355
static int start_mandos_communication(const char *ip, uint16_t port,
356
AvahiIfIndex if_index,
357
mandos_context *mc){
296
int start_mandos_communcation(char *ip, uint16_t port){
358
297
int ret, tcp_sd;
359
298
struct sockaddr_in6 to;
299
struct in6_addr ip_addr;
300
encrypted_session es;
360
301
char *buffer = NULL;
361
302
char *decrypted_buffer;
362
303
size_t buffer_length = 0;
363
304
size_t buffer_capacity = 0;
364
305
ssize_t decrypted_buffer_size;
365
size_t written = 0;
366
306
int retval = 0;
367
char interface[IF_NAMESIZE];
368
gnutls_session_t session;
369
gnutls_dh_params_t dh_params;
370
371
if(debug){
372
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
373
ip, port);
374
}
307
375
308
376
309
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
377
310
if(tcp_sd < 0) {
378
311
perror("socket");
379
312
return -1;
380
313
}
381
382
if(debug){
383
if(if_indextoname((unsigned int)if_index, interface) == NULL){
384
perror("if_indextoname");
385
return -1;
386
}
387
fprintf(stderr, "Binding to interface %s\n", interface);
314
315
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
316
if(tcp_sd < 0) {
317
perror("setsockopt bindtodevice");
318
return -1;
388
319
}
389
320
390
memset(&to,0,sizeof(to)); /* Spurious warning */
321
memset(&to,0,sizeof(to));
391
322
to.sin6_family = AF_INET6;
392
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
323
ret = inet_pton(AF_INET6, ip, &ip_addr);
393
324
if (ret < 0 ){
394
325
perror("inet_pton");
395
326
return -1;
396
}
327
}
397
328
if(ret == 0){
398
329
fprintf(stderr, "Bad address: %s\n", ip);
399
330
return -1;
400
331
}
401
to.sin6_port = htons(port); /* Spurious warning */
402
403
to.sin6_scope_id = (uint32_t)if_index;
404
405
if(debug){
406
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
407
char addrstr[INET6_ADDRSTRLEN] = "";
408
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
409
sizeof(addrstr)) == NULL){
410
perror("inet_ntop");
411
} else {
412
if(strcmp(addrstr, ip) != 0){
413
fprintf(stderr, "Canonical address form: %s\n", addrstr);
414
}
415
}
416
}
332
to.sin6_port = htons(port);
333
to.sin6_scope_id = if_nametoindex("eth0");
417
334
418
335
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
336
if (ret < 0){
421
338
return -1;
422
339
}
423
340
424
ret = initgnutls (mc, &session, &dh_params);
341
ret = initgnutls (&es);
425
342
if (ret != 0){
426
343
retval = -1;
427
344
return -1;
428
345
}
429
430
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
431
432
if(debug){
433
fprintf(stderr, "Establishing TLS session with %s\n", ip);
434
}
435
436
ret = gnutls_handshake (session);
346
347
348
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
349
350
ret = gnutls_handshake (es.session);
437
351
438
352
if (ret != GNUTLS_E_SUCCESS){
439
if(debug){
440
fprintf(stderr, "\n*** Handshake failed ***\n");
441
gnutls_perror (ret);
442
}
353
fprintf(stderr, "\n*** Handshake failed ***\n");
354
gnutls_perror (ret);
443
355
retval = -1;
444
356
goto exit;
445
357
}
446
447
//Retrieve OpenPGP packet that contains the wanted password
448
449
if(debug){
450
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
451
ip);
452
}
453
358
359
//retrive password
454
360
while(true){
455
361
if (buffer_length + BUFFER_SIZE > buffer_capacity){
456
362
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
461
367
buffer_capacity += BUFFER_SIZE;
462
368
}
463
369
464
ret = gnutls_record_recv(session, buffer+buffer_length,
465
BUFFER_SIZE);
370
ret = gnutls_record_recv
371
(es.session, buffer+buffer_length, BUFFER_SIZE);
466
372
if (ret == 0){
467
373
break;
468
374
}
472
378
case GNUTLS_E_AGAIN:
473
379
break;
474
380
case GNUTLS_E_REHANDSHAKE:
475
ret = gnutls_handshake (session);
381
ret = gnutls_handshake (es.session);
476
382
if (ret < 0){
477
383
fprintf(stderr, "\n*** Handshake failed ***\n");
478
384
gnutls_perror (ret);
481
387
}
482
388
break;
483
389
default:
484
fprintf(stderr, "Unknown error while reading data from"
485
" encrypted session with mandos server\n");
390
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
486
391
retval = -1;
487
gnutls_bye (session, GNUTLS_SHUT_RDWR);
392
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
488
393
goto exit;
489
394
}
490
395
} else {
491
buffer_length += (size_t) ret;
396
buffer_length += ret;
492
397
}
493
398
}
494
399
495
400
if (buffer_length > 0){
496
decrypted_buffer_size = pgp_packet_decrypt(buffer,
497
buffer_length,
498
&decrypted_buffer,
499
keydir);
500
if (decrypted_buffer_size >= 0){
501
while(written < (size_t) decrypted_buffer_size){
502
ret = (int)fwrite (decrypted_buffer + written, 1,
503
(size_t)decrypted_buffer_size - written,
504
stdout);
505
if(ret == 0 and ferror(stdout)){
506
if(debug){
507
fprintf(stderr, "Error writing encrypted data: %s\n",
508
strerror(errno));
509
}
510
retval = -1;
511
break;
512
}
513
written += (size_t)ret;
514
}
401
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){
402
retval = -1;
403
} else {
404
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
515
405
free(decrypted_buffer);
516
} else {
517
retval = -1;
518
406
}
519
407
}
520
408
409
free(buffer);
410
521
411
//shutdown procedure
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
527
free(buffer);
528
gnutls_bye (session, GNUTLS_SHUT_RDWR);
412
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
529
413
exit:
530
414
close(tcp_sd);
531
gnutls_deinit (session);
532
gnutls_certificate_free_credentials (mc->cred);
415
gnutls_deinit (es.session);
416
gnutls_certificate_free_credentials (es.cred);
533
417
gnutls_global_deinit ();
534
418
return retval;
535
419
}
536
420
537
static void resolve_callback( AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
void* userdata) {
550
mandos_context *mc = userdata;
551
assert(r); /* Spurious warning */
552
553
/* Called whenever a service has been resolved successfully or
554
timed out */
555
556
switch (event) {
557
default:
558
case AVAHI_RESOLVER_FAILURE:
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(mc->server)));
562
break;
563
564
case AVAHI_RESOLVER_FOUND:
565
{
566
char ip[AVAHI_ADDRESS_STR_MAX];
567
avahi_address_snprint(ip, sizeof(ip), address);
568
if(debug){
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
571
}
572
int ret = start_mandos_communication(ip, port, interface, mc);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
575
}
576
}
577
}
578
avahi_s_service_resolver_free(r);
579
}
580
581
static void browse_callback( AvahiSServiceBrowser *b,
582
AvahiIfIndex interface,
583
AvahiProtocol protocol,
584
AvahiBrowserEvent event,
585
const char *name,
586
const char *type,
587
const char *domain,
588
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
589
void* userdata) {
590
mandos_context *mc = userdata;
591
assert(b); /* Spurious warning */
592
593
/* Called whenever a new services becomes available on the LAN or
594
is removed from the LAN */
595
596
switch (event) {
597
default:
598
case AVAHI_BROWSER_FAILURE:
599
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(mc->server)));
602
avahi_simple_poll_quit(mc->simple_poll);
603
return;
604
605
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
610
611
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, mc)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(mc->server)));
617
break;
618
619
case AVAHI_BROWSER_REMOVE:
620
break;
621
622
case AVAHI_BROWSER_ALL_FOR_NOW:
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
624
break;
625
}
626
}
627
628
/* Combines file name and path and returns the malloced new
629
string. some sane checks could/should be added */
630
static const char *combinepath(const char *first, const char *second){
631
size_t f_len = strlen(first);
632
size_t s_len = strlen(second);
633
char *tmp = malloc(f_len + s_len + 2);
634
if (tmp == NULL){
635
return NULL;
636
}
637
if(f_len > 0){
638
memcpy(tmp, first, f_len); /* Spurious warning */
639
}
640
tmp[f_len] = '/';
641
if(s_len > 0){
642
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
643
}
644
tmp[f_len + 1 + s_len] = '\0';
645
return tmp;
646
}
647
421
static AvahiSimplePoll *simple_poll = NULL;
422
static AvahiServer *server = NULL;
423
424
static void resolve_callback(
425
AvahiSServiceResolver *r,
426
AVAHI_GCC_UNUSED AvahiIfIndex interface,
427
AVAHI_GCC_UNUSED AvahiProtocol protocol,
428
AvahiResolverEvent event,
429
const char *name,
430
const char *type,
431
const char *domain,
432
const char *host_name,
433
const AvahiAddress *address,
434
uint16_t port,
435
AvahiStringList *txt,
436
AvahiLookupResultFlags flags,
437
AVAHI_GCC_UNUSED void* userdata) {
438
439
assert(r);
440
441
/* Called whenever a service has been resolved successfully or timed out */
442
443
switch (event) {
444
case AVAHI_RESOLVER_FAILURE:
445
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
446
break;
447
448
case AVAHI_RESOLVER_FOUND: {
449
char ip[AVAHI_ADDRESS_STR_MAX];
450
avahi_address_snprint(ip, sizeof(ip), address);
451
int ret = start_mandos_communcation(ip, port);
452
if (ret == 0){
453
exit(EXIT_SUCCESS);
454
} else {
455
exit(EXIT_FAILURE);
456
}
457
}
458
}
459
avahi_s_service_resolver_free(r);
460
}
461
462
static void browse_callback(
463
AvahiSServiceBrowser *b,
464
AvahiIfIndex interface,
465
AvahiProtocol protocol,
466
AvahiBrowserEvent event,
467
const char *name,
468
const char *type,
469
const char *domain,
470
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
471
void* userdata) {
472
473
AvahiServer *s = userdata;
474
assert(b);
475
476
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
477
478
switch (event) {
479
480
case AVAHI_BROWSER_FAILURE:
481
482
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
483
avahi_simple_poll_quit(simple_poll);
484
return;
485
486
case AVAHI_BROWSER_NEW:
487
/* We ignore the returned resolver object. In the callback
488
function we free it. If the server is terminated before
489
the callback function is called the server will free
490
the resolver for us. */
491
492
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
493
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
494
495
break;
496
497
case AVAHI_BROWSER_REMOVE:
498
break;
499
500
case AVAHI_BROWSER_ALL_FOR_NOW:
501
case AVAHI_BROWSER_CACHE_EXHAUSTED:
502
break;
503
}
504
}
648
505
649
506
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
650
507
AvahiServerConfig config;
651
508
AvahiSServiceBrowser *sb = NULL;
652
509
int error;
653
int ret;
654
int debug_int;
655
int returncode = EXIT_SUCCESS;
656
const char *interface = "eth0";
657
struct ifreq network;
658
int sd;
659
char *connect_to = NULL;
660
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
661
mandos_context mc = { .simple_poll = NULL, .server = NULL,
662
.dh_bits = 1024, .priority = "SECURE256"};
663
664
debug_int = debug ? 1 : 0;
665
while (true){
666
struct option long_options[] = {
667
{"debug", no_argument, &debug_int, 1},
668
{"connect", required_argument, NULL, 'c'},
669
{"interface", required_argument, NULL, 'i'},
670
{"keydir", required_argument, NULL, 'd'},
671
{"seckey", required_argument, NULL, 's'},
672
{"pubkey", required_argument, NULL, 'p'},
673
{"dh-bits", required_argument, NULL, 'D'},
674
{"priority", required_argument, NULL, 'P'},
675
{0, 0, 0, 0} };
676
677
int option_index = 0;
678
ret = getopt_long (argc, argv, "i:", long_options,
679
&option_index);
680
681
if (ret == -1){
682
break;
683
}
684
685
switch(ret){
686
case 0:
687
break;
688
case 'i':
689
interface = optarg;
690
break;
691
case 'c':
692
connect_to = optarg;
693
break;
694
case 'd':
695
keydir = optarg;
696
break;
697
case 'p':
698
pubkeyfile = optarg;
699
break;
700
case 's':
701
seckeyfile = optarg;
702
break;
703
case 'D':
704
errno = 0;
705
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
706
if (errno){
707
perror("strtol");
708
exit(EXIT_FAILURE);
709
}
710
break;
711
case 'P':
712
mc.priority = optarg;
713
break;
714
case '?':
715
default:
716
exit(EXIT_FAILURE);
717
}
718
}
719
debug = debug_int ? true : false;
720
721
pubkeyfile = combinepath(keydir, pubkeyfile);
722
if (pubkeyfile == NULL){
723
perror("combinepath");
724
returncode = EXIT_FAILURE;
725
goto exit;
726
}
727
728
seckeyfile = combinepath(keydir, seckeyfile);
729
if (seckeyfile == NULL){
730
perror("combinepath");
731
goto exit;
732
}
733
734
if_index = (AvahiIfIndex) if_nametoindex(interface);
735
if(if_index == 0){
736
fprintf(stderr, "No such interface: \"%s\"\n", interface);
737
exit(EXIT_FAILURE);
738
}
739
740
if(connect_to != NULL){
741
/* Connect directly, do not use Zeroconf */
742
/* (Mainly meant for debugging) */
743
char *address = strrchr(connect_to, ':');
744
if(address == NULL){
745
fprintf(stderr, "No colon in address\n");
746
exit(EXIT_FAILURE);
747
}
748
errno = 0;
749
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
750
if(errno){
751
perror("Bad port number");
752
exit(EXIT_FAILURE);
753
}
754
*address = '\0';
755
address = connect_to;
756
ret = start_mandos_communication(address, port, if_index, &mc);
757
if(ret < 0){
758
exit(EXIT_FAILURE);
759
} else {
760
exit(EXIT_SUCCESS);
761
}
762
}
763
764
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
765
if(sd < 0) {
766
perror("socket");
767
returncode = EXIT_FAILURE;
768
goto exit;
769
}
770
strcpy(network.ifr_name, interface); /* Spurious warning */
771
ret = ioctl(sd, SIOCGIFFLAGS, &network);
772
if(ret == -1){
773
774
perror("ioctl SIOCGIFFLAGS");
775
returncode = EXIT_FAILURE;
776
goto exit;
777
}
778
if((network.ifr_flags & IFF_UP) == 0){
779
network.ifr_flags |= IFF_UP;
780
ret = ioctl(sd, SIOCSIFFLAGS, &network);
781
if(ret == -1){
782
perror("ioctl SIOCSIFFLAGS");
783
returncode = EXIT_FAILURE;
784
goto exit;
785
}
786
}
787
close(sd);
788
789
if (not debug){
790
avahi_set_log_function(empty_log);
791
}
510
int ret = 1;
511
512
avahi_set_log_function(empty_log);
792
513
793
514
/* Initialize the psuedo-RNG */
794
srand((unsigned int) time(NULL));
515
srand(time(NULL));
795
516
796
517
/* Allocate main loop object */
797
if (!(mc.simple_poll = avahi_simple_poll_new())) {
518
if (!(simple_poll = avahi_simple_poll_new())) {
798
519
fprintf(stderr, "Failed to create simple poll object.\n");
799
returncode = EXIT_FAILURE;
800
goto exit;
520
goto fail;
801
521
}
802
522
803
523
/* Do not publish any local records */
807
527
config.publish_workstation = 0;
808
528
config.publish_domain = 0;
809
529
530
/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */
531
/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */
532
/* config.n_wide_area_servers = 1; */
533
/* config.enable_wide_area = 1; */
534
810
535
/* Allocate a new server */
811
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
812
&config, NULL, NULL, &error);
813
536
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
537
814
538
/* Free the configuration data */
815
539
avahi_server_config_free(&config);
816
817
/* Check if creating the server object succeeded */
818
if (!mc.server) {
819
fprintf(stderr, "Failed to create server: %s\n",
820
avahi_strerror(error));
821
returncode = EXIT_FAILURE;
822
goto exit;
540
541
/* Check wether creating the server object succeeded */
542
if (!server) {
543
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
544
goto fail;
823
545
}
824
546
825
547
/* Create the service browser */
826
sb = avahi_s_service_browser_new(mc.server, if_index,
827
AVAHI_PROTO_INET6,
828
"_mandos._tcp", NULL, 0,
829
browse_callback, &mc);
830
if (!sb) {
831
fprintf(stderr, "Failed to create service browser: %s\n",
832
avahi_strerror(avahi_server_errno(mc.server)));
833
returncode = EXIT_FAILURE;
834
goto exit;
548
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
549
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
550
goto fail;
835
551
}
836
552
837
553
/* Run the main loop */
838
839
if (debug){
840
fprintf(stderr, "Starting avahi loop search\n");
841
}
842
843
avahi_simple_poll_loop(mc.simple_poll);
844
845
exit:
846
847
if (debug){
848
fprintf(stderr, "%s exiting\n", argv[0]);
849
}
554
avahi_simple_poll_loop(simple_poll);
555
556
ret = 0;
557
558
fail:
850
559
851
560
/* Cleanup things */
852
561
if (sb)
853
562
avahi_s_service_browser_free(sb);
854
563
855
if (mc.server)
856
avahi_server_free(mc.server);
857
858
if (mc.simple_poll)
859
avahi_simple_poll_free(mc.simple_poll);
860
free(pubkeyfile);
861
free(seckeyfile);
862
863
return returncode;
564
if (server)
565
avahi_server_free(server);
566
567
if (simple_poll)
568
avahi_simple_poll_free(simple_poll);
569
570
return ret;
864
571
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0