/mandos/trunk : revision 143

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Teddy Hogeborn
Date: 2008-09-03 05:04:40 UTC
Revision ID: teddy@fukt.bsnet.se-20080903050440-7cwzxestx6pvdy1i

* Makefile (mandos.8): Add dependency on "overview.xml" and
                       "legalnotice.xml".
  (mandos-keygen.8): New target.
  (mandos-conf.5): Added dependency on "legalnotice.xml".
  (plugin-runner.8mandos): New target
  (plugins.d/password-request.8mandos): - '' -

* mandos-options.xml (priority): Make wording server/client neutral.

* plugins.d/password-request.c (main): Changed .arg fields of the argp
                                       options struct to be more
                                       consistent with the manual.

* plugins.d/password-request.xml (OVERVIEW): Moved to after "OPTIONS".
  (OPTIONS): Improved wording and names of replaceables.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf */

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

105

106

#define BUFFER_SIZE 256

107

100

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

113

103

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client " VERSION;

104

const char *argp_program_version = "password-request 1.0";

115

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

106

117

107

/* Used for passing in values through the Avahi callback functions */

122

112

unsigned int dh_bits;

123

113

gnutls_dh_params_t dh_params;

124

114

const char *priority;

125

gpgme_ctx_t ctx;

126

115

} mandos_context;

127

116

128

117

132

121

133

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

123

size_t buffer_capacity){

135

if(buffer_length + BUFFER_SIZE > buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if(buffer == NULL){

126

if (buffer == NULL){

138

127

return 0;

139

128

}

140

129

buffer_capacity += BUFFER_SIZE;

143

132

}

144

133

145

134

146

* Initialize GPGME.

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

147

137

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

141

const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

151

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

152

148

gpgme_engine_info_t engine_info;

153

149

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if(rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if(rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = (int)TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if(debug){

191

fprintf(stderr, "Initialize gpgme\n");

150

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

192

152

}

193

153

194

154

/* Init GPGME */

195

155

gpgme_check_version(NULL);

196

156

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if(rc != GPG_ERR_NO_ERROR){

157

if (rc != GPG_ERR_NO_ERROR){

198

158

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

159

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

160

return -1;

201

161

}

202

162

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info(&engine_info);

205

if(rc != GPG_ERR_NO_ERROR){

163

/* Set GPGME home directory for the OpenPGP engine only */

164

rc = gpgme_get_engine_info (&engine_info);

165

if (rc != GPG_ERR_NO_ERROR){

206

166

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

207

167

gpgme_strsource(rc), gpgme_strerror(rc));

208

return false;

168

return -1;

209

169

}

210

170

while(engine_info != NULL){

211

171

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

212

172

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

213

engine_info->file_name, tempdir);

173

engine_info->file_name, homedir);

214

174

break;

215

175

}

216

176

engine_info = engine_info->next;

217

177

}

218

178

if(engine_info == NULL){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if(rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if(not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if(debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

180

return -1;

254

181

}

255

182

256

183

/* Create new GPGME data buffer from memory cryptotext */

257

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

185

0);

259

if(rc != GPG_ERR_NO_ERROR){

186

if (rc != GPG_ERR_NO_ERROR){

260

187

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

261

188

gpgme_strsource(rc), gpgme_strerror(rc));

262

189

return -1;

264

191

265

192

/* Create new empty GPGME data buffer for the plaintext */

266

193

rc = gpgme_data_new(&dh_plain);

267

if(rc != GPG_ERR_NO_ERROR){

194

if (rc != GPG_ERR_NO_ERROR){

268

195

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

269

196

gpgme_strsource(rc), gpgme_strerror(rc));

270

197

gpgme_data_release(dh_crypto);

271

198

return -1;

272

199

}

273

200

201

/* Create new GPGME "context" */

202

rc = gpgme_new(&ctx);

203

if (rc != GPG_ERR_NO_ERROR){

204

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

208

}

209

274

210

/* Decrypt data from the cryptotext data buffer to the plaintext

275

211

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

277

if(rc != GPG_ERR_NO_ERROR){

212

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

if (rc != GPG_ERR_NO_ERROR){

278

214

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

279

215

gpgme_strsource(rc), gpgme_strerror(rc));

280

216

plaintext_length = -1;

281

if(debug){

217

if (debug){

282

218

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if(result == NULL){

219

result = gpgme_op_decrypt_result(ctx);

220

if (result == NULL){

285

221

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

222

} else {

287

223

fprintf(stderr, "Unsupported algorithm: %s\n",

314

250

}

315

251

316

252

/* Seek back to the beginning of the GPGME plaintext data buffer */

317

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

perror("pgpme_data_seek");

319

255

plaintext_length = -1;

320

256

goto decrypt_end;

321

257

}

325

261

plaintext_capacity = adjustbuffer(plaintext,

326

262

(size_t)plaintext_length,

327

263

plaintext_capacity);

328

if(plaintext_capacity == 0){

264

if (plaintext_capacity == 0){

329

265

perror("adjustbuffer");

330

266

plaintext_length = -1;

331

267

goto decrypt_end;

334

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

335

271

BUFFER_SIZE);

336

272

/* Print the data, if any */

337

if(ret == 0){

273

if (ret == 0){

338

274

/* EOF */

339

275

break;

340

276

}

364

300

return plaintext_length;

365

301

}

366

302

367

static const char * safer_gnutls_strerror(int value) {

368

const char *ret = gnutls_strerror(value); /* Spurious warning from

369

-Wunreachable-code */

370

if(ret == NULL)

303

static const char * safer_gnutls_strerror (int value) {

304

const char *ret = gnutls_strerror (value); /* Spurious warning */

305

if (ret == NULL)

371

306

ret = "(unknown)";

372

307

return ret;

373

308

}

388

323

}

389

324

390

325

ret = gnutls_global_init();

391

if(ret != GNUTLS_E_SUCCESS) {

392

fprintf(stderr, "GnuTLS global_init: %s\n",

393

safer_gnutls_strerror(ret));

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

394

329

return -1;

395

330

}

396

331

397

if(debug){

332

if (debug){

398

333

/* "Use a log level over 10 to enable all debugging options."

399

334

* - GnuTLS manual

400

335

404

339

405

340

/* OpenPGP credentials */

406

341

gnutls_certificate_allocate_credentials(&mc->cred);

407

if(ret != GNUTLS_E_SUCCESS){

408

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

409

* from

410

* -Wunreachable-code

411

412

safer_gnutls_strerror(ret));

413

gnutls_global_deinit();

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

344

warning */

345

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

414

347

return -1;

415

348

}

416

349

417

350

if(debug){

418

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

419

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

351

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

352

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

420

353

seckeyfilename);

421

354

}

422

355

423

356

ret = gnutls_certificate_set_openpgp_key_file

424

357

(mc->cred, pubkeyfilename, seckeyfilename,

425

358

GNUTLS_OPENPGP_FMT_BASE64);

426

if(ret != GNUTLS_E_SUCCESS) {

359

if (ret != GNUTLS_E_SUCCESS) {

427

360

fprintf(stderr,

428

361

"Error[%d] while reading the OpenPGP key pair ('%s',"

429

362

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

430

fprintf(stderr, "The GnuTLS error is: %s\n",

363

fprintf(stdout, "The GnuTLS error is: %s\n",

431

364

safer_gnutls_strerror(ret));

432

365

goto globalfail;

433

366

}

434

367

435

368

/* GnuTLS server initialization */

436

369

ret = gnutls_dh_params_init(&mc->dh_params);

437

if(ret != GNUTLS_E_SUCCESS) {

438

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

439

" %s\n", safer_gnutls_strerror(ret));

370

if (ret != GNUTLS_E_SUCCESS) {

371

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

372

" %s\n", safer_gnutls_strerror(ret));

440

373

goto globalfail;

441

374

}

442

375

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

443

if(ret != GNUTLS_E_SUCCESS) {

444

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

445

safer_gnutls_strerror(ret));

376

if (ret != GNUTLS_E_SUCCESS) {

377

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

378

safer_gnutls_strerror(ret));

446

379

goto globalfail;

447

380

}

448

381

454

387

455

388

gnutls_certificate_free_credentials(mc->cred);

456

389

gnutls_global_deinit();

457

gnutls_dh_params_deinit(mc->dh_params);

458

390

return -1;

459

391

}

460

392

463

395

int ret;

464

396

/* GnuTLS session creation */

465

397

ret = gnutls_init(session, GNUTLS_SERVER);

466

if(ret != GNUTLS_E_SUCCESS){

398

if (ret != GNUTLS_E_SUCCESS){

467

399

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

468

400

safer_gnutls_strerror(ret));

469

401

}

471

403

{

472

404

const char *err;

473

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

474

if(ret != GNUTLS_E_SUCCESS) {

406

if (ret != GNUTLS_E_SUCCESS) {

475

407

fprintf(stderr, "Syntax error at: %s\n", err);

476

408

fprintf(stderr, "GnuTLS error: %s\n",

477

409

safer_gnutls_strerror(ret));

478

gnutls_deinit(*session);

410

gnutls_deinit (*session);

479

411

return -1;

480

412

}

481

413

}

482

414

483

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

484

416

mc->cred);

485

if(ret != GNUTLS_E_SUCCESS) {

417

if (ret != GNUTLS_E_SUCCESS) {

486

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

487

419

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

420

gnutls_deinit (*session);

489

421

return -1;

490

422

}

491

423

492

424

/* ignore client certificate if any. */

493

gnutls_certificate_server_set_request(*session,

494

GNUTLS_CERT_IGNORE);

425

gnutls_certificate_server_set_request (*session,

426

GNUTLS_CERT_IGNORE);

495

427

496

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

428

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

497

429

498

430

return 0;

499

431

}

507

439

AvahiIfIndex if_index,

508

440

mandos_context *mc){

509

441

int ret, tcp_sd;

510

ssize_t sret;

511

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

512

443

char *buffer = NULL;

513

444

char *decrypted_buffer;

519

450

char interface[IF_NAMESIZE];

520

451

gnutls_session_t session;

521

452

522

ret = init_gnutls_session(mc, &session);

523

if(ret != 0){

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

524

455

return -1;

525

456

}

526

457

548

479

/* It would be nice to have a way to detect if we were passed an

549

480

IPv4 address here. Now we assume an IPv6 address. */

550

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

551

if(ret < 0 ){

482

if (ret < 0 ){

552

483

perror("inet_pton");

553

484

return -1;

554

485

}

556

487

fprintf(stderr, "Bad address: %s\n", ip);

557

488

return -1;

558

489

}

559

to.in6.sin6_port = htons(port); /* Spurious warnings from

560

-Wconversion and

561

-Wunreachable-code */

490

to.in6.sin6_port = htons(port); /* Spurious warning */

562

491

563

492

to.in6.sin6_scope_id = (uint32_t)if_index;

564

493

577

506

}

578

507

579

508

ret = connect(tcp_sd, &to.in, sizeof(to));

580

if(ret < 0){

509

if (ret < 0){

581

510

perror("connect");

582

511

return -1;

583

512

}

584

513

585

514

const char *out = mandos_protocol_version;

586

515

written = 0;

587

while(true){

516

while (true){

588

517

size_t out_size = strlen(out);

589

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

590

519

out_size - written));

591

if(ret == -1){

520

if (ret == -1){

592

521

perror("write");

593

522

retval = -1;

594

523

goto mandos_end;

597

526

if(written < out_size){

598

527

continue;

599

528

} else {

600

if(out == mandos_protocol_version){

529

if (out == mandos_protocol_version){

601

530

written = 0;

602

531

out = "\r\n";

603

532

} else {

610

539

fprintf(stderr, "Establishing TLS session with %s\n", ip);

611

540

}

612

541

613

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

614

543

615

544

do{

616

ret = gnutls_handshake(session);

545

ret = gnutls_handshake (session);

617

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

618

547

619

if(ret != GNUTLS_E_SUCCESS){

548

if (ret != GNUTLS_E_SUCCESS){

620

549

if(debug){

621

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

622

gnutls_perror(ret);

551

gnutls_perror (ret);

623

552

}

624

553

retval = -1;

625

554

goto mandos_end;

635

564

while(true){

636

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

637

566

buffer_capacity);

638

if(buffer_capacity == 0){

567

if (buffer_capacity == 0){

639

568

perror("adjustbuffer");

640

569

retval = -1;

641

570

goto mandos_end;

642

571

}

643

572

644

sret = gnutls_record_recv(session, buffer+buffer_length,

645

BUFFER_SIZE);

646

if(sret == 0){

573

ret = gnutls_record_recv(session, buffer+buffer_length,

574

BUFFER_SIZE);

575

if (ret == 0){

647

576

break;

648

577

}

649

if(sret < 0){

650

switch(sret){

578

if (ret < 0){

579

switch(ret){

651

580

case GNUTLS_E_INTERRUPTED:

652

581

case GNUTLS_E_AGAIN:

653

582

break;

654

583

case GNUTLS_E_REHANDSHAKE:

655

584

do{

656

ret = gnutls_handshake(session);

585

ret = gnutls_handshake (session);

657

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

658

if(ret < 0){

587

if (ret < 0){

659

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

660

gnutls_perror(ret);

589

gnutls_perror (ret);

661

590

retval = -1;

662

591

goto mandos_end;

663

592

}

666

595

fprintf(stderr, "Unknown error while reading data from"

667

596

" encrypted session with Mandos server\n");

668

597

retval = -1;

669

gnutls_bye(session, GNUTLS_SHUT_RDWR);

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

670

599

goto mandos_end;

671

600

}

672

601

} else {

673

buffer_length += (size_t) sret;

602

buffer_length += (size_t) ret;

674

603

}

675

604

}

676

605

678

607

fprintf(stderr, "Closing TLS session\n");

679

608

}

680

609

681

gnutls_bye(session, GNUTLS_SHUT_RDWR);

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

682

611

683

if(buffer_length > 0){

684

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

612

if (buffer_length > 0){

613

decrypted_buffer_size = pgp_packet_decrypt(buffer,

685

614

buffer_length,

686

&decrypted_buffer);

687

if(decrypted_buffer_size >= 0){

615

&decrypted_buffer,

616

keydir);

617

if (decrypted_buffer_size >= 0){

688

618

written = 0;

689

619

while(written < (size_t) decrypted_buffer_size){

690

ret = (int)fwrite(decrypted_buffer + written, 1,

691

(size_t)decrypted_buffer_size - written,

692

stdout);

620

ret = (int)fwrite (decrypted_buffer + written, 1,

621

(size_t)decrypted_buffer_size - written,

622

stdout);

693

623

if(ret == 0 and ferror(stdout)){

694

624

if(debug){

695

625

fprintf(stderr, "Error writing encrypted data: %s\n",

712

642

713

643

mandos_end:

714

644

free(buffer);

715

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

716

if(ret == -1){

717

perror("close");

718

}

719

gnutls_deinit(session);

645

close(tcp_sd);

646

gnutls_deinit (session);

720

647

return retval;

721

648

}

722

649

740

667

/* Called whenever a service has been resolved successfully or

741

668

timed out */

742

669

743

switch(event) {

670

switch (event) {

744

671

default:

745

672

case AVAHI_RESOLVER_FAILURE:

746

673

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

754

681

avahi_address_snprint(ip, sizeof(ip), address);

755

682

if(debug){

756

683

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

757

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

758

ip, (intmax_t)interface, port);

684

PRIu16 ") on port %d\n", name, host_name, ip,

685

interface, port);

759

686

}

760

687

int ret = start_mandos_communication(ip, port, interface, mc);

761

if(ret == 0){

688

if (ret == 0){

762

689

avahi_simple_poll_quit(mc->simple_poll);

763

690

}

764

691

}

782

709

/* Called whenever a new services becomes available on the LAN or

783

710

is removed from the LAN */

784

711

785

switch(event) {

712

switch (event) {

786

713

default:

787

714

case AVAHI_BROWSER_FAILURE:

788

715

797

724

the callback function is called the Avahi server will free the

798

725

resolver for us. */

799

726

800

if(!(avahi_s_service_resolver_new(mc->server, interface,

727

if (!(avahi_s_service_resolver_new(mc->server, interface,

801

728

protocol, name, type, domain,

802

729

AVAHI_PROTO_INET6, 0,

803

730

resolve_callback, mc)))

817

744

}

818

745

}

819

746

747

/* Combines file name and path and returns the malloced new

748

string. some sane checks could/should be added */

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

753

return NULL;

754

}

755

return tmp;

756

}

757

758

820

759

int main(int argc, char *argv[]){

821

760

AvahiSServiceBrowser *sb = NULL;

822

761

int error;

823

762

int ret;

824

intmax_t tmpmax;

825

int numchars;

826

763

int exitcode = EXIT_SUCCESS;

827

764

const char *interface = "eth0";

828

765

struct ifreq network;

830

767

uid_t uid;

831

768

gid_t gid;

832

769

char *connect_to = NULL;

833

char tempdir[] = "/tmp/mandosXXXXXX";

834

770

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

835

const char *seckey = PATHDIR "/" SECKEY;

836

const char *pubkey = PATHDIR "/" PUBKEY;

837

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

838

775

mandos_context mc = { .simple_poll = NULL, .server = NULL,

839

776

.dh_bits = 1024, .priority = "SECURE256"

840

777

":!CTYPE-X.509:+CTYPE-OPENPGP" };

841

778

bool gnutls_initalized = false;

842

bool gpgme_initalized = false;

843

779

844

780

{

845

781

struct argp_option options[] = {

854

790

.doc = "Interface that will be used to search for Mandos"

855

791

" servers",

856

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "DIRECTORY",

795

.doc = "Directory to read the OpenPGP key files from",

796

.group = 1 },

857

797

{ .name = "seckey", .key = 's',

858

798

.arg = "FILE",

859

799

.doc = "OpenPGP secret key file base name",

874

814

{ .name = NULL }

875

815

};

876

816

877

error_t parse_opt(int key, char *arg,

878

struct argp_state *state) {

879

switch(key) {

817

error_t parse_opt (int key, char *arg,

818

struct argp_state *state) {

819

/* Get the INPUT argument from `argp_parse', which we know is

820

a pointer to our plugin list pointer. */

821

switch (key) {

880

822

case 128: /* --debug */

881

823

debug = true;

882

824

break;

886

828

case 'i': /* --interface */

887

829

interface = arg;

888

830

break;

831

case 'd': /* --keydir */

832

keydir = arg;

833

break;

889

834

case 's': /* --seckey */

890

seckey = arg;

835

seckeyname = arg;

891

836

break;

892

837

case 'p': /* --pubkey */

893

pubkey = arg;

838

pubkeyname = arg;

894

839

break;

895

840

case 129: /* --dh-bits */

896

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

897

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

898

or arg[numchars] != '\0'){

899

fprintf(stderr, "Bad number of DH bits\n");

841

errno = 0;

842

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

843

if (errno){

844

perror("strtol");

900

845

exit(EXIT_FAILURE);

901

846

}

902

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

903

847

break;

904

848

case 130: /* --priority */

905

849

mc.priority = arg;

906

850

break;

907

851

case ARGP_KEY_ARG:

908

argp_usage(state);

852

argp_usage (state);

909

853

case ARGP_KEY_END:

910

854

break;

911

855

default:

918

862

.args_doc = "",

919

863

.doc = "Mandos client -- Get and decrypt"

920

864

" passwords from a Mandos server" };

921

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

922

if(ret == ARGP_ERR_UNKNOWN){

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

923

867

fprintf(stderr, "Unknown error while parsing arguments\n");

924

868

exitcode = EXIT_FAILURE;

925

869

goto end;

926

870

}

927

871

}

928

872

873

pubkeyfilename = combinepath(keydir, pubkeyname);

874

if (pubkeyfilename == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfilename = combinepath(keydir, seckeyname);

881

if (seckeyfilename == NULL){

882

perror("combinepath");

883

exitcode = EXIT_FAILURE;

884

goto end;

885

}

886

887

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

888

if (ret == -1){

889

fprintf(stderr, "init_gnutls_global failed\n");

890

exitcode = EXIT_FAILURE;

891

goto end;

892

} else {

893

gnutls_initalized = true;

894

}

895

929

896

/* If the interface is down, bring it up */

930

897

{

931

898

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

950

917

goto end;

951

918

}

952

919

}

953

ret = (int)TEMP_FAILURE_RETRY(close(sd));

954

if(ret == -1){

955

perror("close");

956

}

920

close(sd);

957

921

}

958

922

959

923

uid = getuid();

960

924

gid = getgid();

961

925

962

926

ret = setuid(uid);

963

if(ret == -1){

927

if (ret == -1){

964

928

perror("setuid");

965

929

}

966

930

967

931

setgid(gid);

968

if(ret == -1){

932

if (ret == -1){

969

933

perror("setgid");

970

934

}

971

935

972

ret = init_gnutls_global(&mc, pubkey, seckey);

973

if(ret == -1){

974

fprintf(stderr, "init_gnutls_global failed\n");

975

exitcode = EXIT_FAILURE;

976

goto end;

977

} else {

978

gnutls_initalized = true;

979

}

980

981

if(mkdtemp(tempdir) == NULL){

982

perror("mkdtemp");

983

tempdir[0] = '\0';

984

goto end;

985

}

986

987

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

988

fprintf(stderr, "gpgme_initalized failed\n");

989

exitcode = EXIT_FAILURE;

990

goto end;

991

} else {

992

gpgme_initalized = true;

993

}

994

995

936

if_index = (AvahiIfIndex) if_nametoindex(interface);

996

937

if(if_index == 0){

997

938

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1007

948

exitcode = EXIT_FAILURE;

1008

949

goto end;

1009

950

}

1010

uint16_t port;

1011

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1012

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1013

or address[numchars+1] != '\0'){

1014

fprintf(stderr, "Bad port number\n");

951

errno = 0;

952

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

953

if(errno){

954

perror("Bad port number");

1015

955

exitcode = EXIT_FAILURE;

1016

956

goto end;

1017

957

}

1018

port = (uint16_t)tmpmax;

1019

958

*address = '\0';

1020

959

address = connect_to;

1021

960

ret = start_mandos_communication(address, port, if_index, &mc);

1027

966

goto end;

1028

967

}

1029

968

1030

if(not debug){

969

if (not debug){

1031

970

avahi_set_log_function(empty_log);

1032

971

}

1033

972

1036

975

1037

976

/* Allocate main Avahi loop object */

1038

977

mc.simple_poll = avahi_simple_poll_new();

1039

if(mc.simple_poll == NULL) {

978

if (mc.simple_poll == NULL) {

1040

979

fprintf(stderr, "Avahi: Failed to create simple poll"

1041

980

" object.\n");

1042

981

exitcode = EXIT_FAILURE;

1062

1001

}

1063

1002

1064

1003

/* Check if creating the Avahi server object succeeded */

1065

if(mc.server == NULL) {

1004

if (mc.server == NULL) {

1066

1005

fprintf(stderr, "Failed to create Avahi server: %s\n",

1067

1006

avahi_strerror(error));

1068

1007

exitcode = EXIT_FAILURE;

1074

1013

AVAHI_PROTO_INET6,

1075

1014

"_mandos._tcp", NULL, 0,

1076

1015

browse_callback, &mc);

1077

if(sb == NULL) {

1016

if (sb == NULL) {

1078

1017

fprintf(stderr, "Failed to create service browser: %s\n",

1079

1018

avahi_strerror(avahi_server_errno(mc.server)));

1080

1019

exitcode = EXIT_FAILURE;

1083

1022

1084

1023

/* Run the main loop */

1085

1024

1086

if(debug){

1025

if (debug){

1087

1026

fprintf(stderr, "Starting Avahi loop search\n");

1088

1027

}

1089

1028

1091

1030

1092

1031

end:

1093

1032

1094

if(debug){

1033

if (debug){

1095

1034

fprintf(stderr, "%s exiting\n", argv[0]);

1096

1035

}

1097

1036

1098

1037

/* Cleanup things */

1099

if(sb != NULL)

1038

if (sb != NULL)

1100

1039

avahi_s_service_browser_free(sb);

1101

1040

1102

if(mc.server != NULL)

1041

if (mc.server != NULL)

1103

1042

avahi_server_free(mc.server);

1104

1043

1105

if(mc.simple_poll != NULL)

1044

if (mc.simple_poll != NULL)

1106

1045

avahi_simple_poll_free(mc.simple_poll);

1046

free(pubkeyfilename);

1047

free(seckeyfilename);

1107

1048

1108

if(gnutls_initalized){

1049

if (gnutls_initalized){

1109

1050

gnutls_certificate_free_credentials(mc.cred);

1110

gnutls_global_deinit();

1111

gnutls_dh_params_deinit(mc.dh_params);

1112

}

1113

1114

if(gpgme_initalized){

1115

gpgme_release(mc.ctx);

1116

}

1117

1118

/* Removes the temp directory used by GPGME */

1119

if(tempdir[0] != '\0'){

1120

DIR *d;

1121

struct dirent *direntry;

1122

d = opendir(tempdir);

1123

if(d == NULL){

1124

if(errno != ENOENT){

1125

perror("opendir");

1126

}

1127

} else {

1128

while(true){

1129

direntry = readdir(d);

1130

if(direntry == NULL){

1131

break;

1132

}

1133

if(direntry->d_type == DT_REG){

1134

char *fullname = NULL;

1135

ret = asprintf(&fullname, "%s/%s", tempdir,

1136

direntry->d_name);

1137

if(ret < 0){

1138

perror("asprintf");

1139

continue;

1140

}

1141

ret = unlink(fullname);

1142

if(ret == -1){

1143

fprintf(stderr, "unlink(\"%s\"): %s",

1144

fullname, strerror(errno));

1145

}

1146

free(fullname);

1147

}

1148

}

1149

closedir(d);

1150

}

1151

ret = rmdir(tempdir);

1152

if(ret == -1 and errno != ENOENT){

1153

perror("rmdir");

1154

}

1155

}

1156

1051

gnutls_global_deinit ();

1052

}

1053

1157

1054

return exitcode;

1158

1055

}

Older »