To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 18
- compare with another revision
- download diff
- download tarball
- view history from revision 18
- Committer: Teddy Hogeborn
- Date: 2008-07-21 02:33:00 UTC
- Revision ID: teddy@fukt.bsnet.se-20080721023300-c4t0cq7sxit973py
* plugins.d/Makefile: Removed
* plugins.d/mandosclient.c (start_mandos_communcation): Bug fix: write
server IP
address to
"to" struct.
* plugins.d/mandosclient.c (start_mandos_communcation): Bug fix: write
server IP
address to
"to" struct.
- files removed:
- server.conf
- files renamed:
- clients.conf => mandos-clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
29
*/
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
30
19
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
20
#define _LARGEFILE_SOURCE
33
21
#define _FILE_OFFSET_BITS 64
34
22
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
23
#include <stdio.h>
38
24
#include <assert.h>
39
25
#include <stdlib.h>
40
26
#include <time.h>
41
27
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
28
47
29
#include <avahi-core/core.h>
48
30
#include <avahi-core/lookup.h>
51
33
#include <avahi-common/malloc.h>
52
34
#include <avahi-common/error.h>
53
35
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
struct in6_addr, inet_pton() */
58
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
36
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
60
41
61
42
#include <unistd.h> /* close() */
62
43
#include <netinet/in.h>
64
45
#include <string.h> /* memset */
65
46
#include <arpa/inet.h> /* inet_pton() */
66
47
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
48
69
/* GPGME */
49
// gpgme
70
50
#include <errno.h> /* perror() */
71
51
#include <gpgme.h>
72
52
73
/* getopt_long */
74
#include <getopt.h>
75
53
54
#ifndef CERT_ROOT
55
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
56
#endif
57
#define CERTFILE CERT_ROOT "openpgp-client.txt"
58
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
76
59
#define BUFFER_SIZE 256
77
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char *pubkeyfile = "pubkey.txt";
80
static const char *seckeyfile = "seckey.txt";
60
#define DH_BITS 1024
81
61
82
62
bool debug = false;
83
63
84
const char mandos_protocol_version[] = "1";
85
86
/* Used for passing in values through all the callback functions */
87
64
typedef struct {
88
AvahiSimplePoll *simple_poll;
89
AvahiServer *server;
65
gnutls_session_t session;
90
66
gnutls_certificate_credentials_t cred;
91
unsigned int dh_bits;
92
67
gnutls_dh_params_t dh_params;
93
const char *priority;
94
} mandos_context;
95
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
68
} encrypted_session;
69
70
71
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
116
72
gpgme_data_t dh_crypto, dh_plain;
117
73
gpgme_ctx_t ctx;
118
74
gpgme_error_t rc;
119
75
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
76
size_t new_packet_capacity = 0;
77
size_t new_packet_length = 0;
122
78
gpgme_engine_info_t engine_info;
123
79
124
80
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
81
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
126
82
}
127
83
128
84
/* Init GPGME */
129
85
gpgme_check_version(NULL);
130
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
131
if (rc != GPG_ERR_NO_ERROR){
132
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
133
gpgme_strsource(rc), gpgme_strerror(rc));
134
return -1;
135
}
86
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
136
87
137
/* Set GPGME home directory for the OpenPGP engine only */
88
/* Set GPGME home directory */
138
89
rc = gpgme_get_engine_info (&engine_info);
139
90
if (rc != GPG_ERR_NO_ERROR){
140
91
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
101
engine_info = engine_info->next;
151
102
}
152
103
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
104
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
105
return -1;
155
106
}
156
107
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
108
/* Create new GPGME data buffer from packet buffer */
109
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
110
if (rc != GPG_ERR_NO_ERROR){
161
111
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
112
gpgme_strsource(rc), gpgme_strerror(rc));
168
118
if (rc != GPG_ERR_NO_ERROR){
169
119
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
120
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
121
return -1;
173
122
}
174
123
177
126
if (rc != GPG_ERR_NO_ERROR){
178
127
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
128
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
129
return -1;
182
130
}
183
131
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
132
/* Decrypt data from the FILE pointer to the plaintext data buffer */
186
133
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
134
if (rc != GPG_ERR_NO_ERROR){
188
135
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
136
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
137
return -1;
192
138
}
193
139
194
140
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
141
fprintf(stderr, "decryption of gpg packet succeeded\n");
196
142
}
197
143
198
144
if (debug){
199
145
gpgme_decrypt_result_t result;
200
146
result = gpgme_op_decrypt_result(ctx);
201
147
if (result == NULL){
202
148
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
203
149
} else {
204
fprintf(stderr, "Unsupported algorithm: %s\n",
205
result->unsupported_algorithm);
206
fprintf(stderr, "Wrong key usage: %d\n",
207
result->wrong_key_usage);
150
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
151
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
208
152
if(result->file_name != NULL){
209
153
fprintf(stderr, "File name: %s\n", result->file_name);
210
154
}
216
160
gpgme_pubkey_algo_name(recipient->pubkey_algo));
217
161
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
218
162
fprintf(stderr, "Secret key available: %s\n",
219
recipient->status == GPG_ERR_NO_SECKEY
220
? "No" : "Yes");
163
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
221
164
recipient = recipient->next;
222
165
}
223
166
}
224
167
}
225
168
}
226
169
170
/* Delete the GPGME FILE pointer cryptotext data buffer */
171
gpgme_data_release(dh_crypto);
172
227
173
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
}
233
234
*plaintext = NULL;
174
gpgme_data_seek(dh_plain, 0, SEEK_SET);
175
176
*new_packet = 0;
235
177
while(true){
236
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
237
plaintext_capacity);
238
if (plaintext_capacity == 0){
239
perror("adjustbuffer");
240
plaintext_length = -1;
241
goto decrypt_end;
178
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
179
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
180
if (*new_packet == NULL){
181
perror("realloc");
182
return -1;
183
}
184
new_packet_capacity += BUFFER_SIZE;
242
185
}
243
186
244
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
245
BUFFER_SIZE);
187
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
246
188
/* Print the data, if any */
247
189
if (ret == 0){
248
/* EOF */
190
/* If password is empty, then a incorrect error will be printed */
249
191
break;
250
192
}
251
193
if(ret < 0){
252
194
perror("gpgme_data_read");
253
plaintext_length = -1;
254
goto decrypt_end;
195
return -1;
255
196
}
256
plaintext_length += ret;
197
new_packet_length += ret;
257
198
}
258
199
259
200
if(debug){
260
fprintf(stderr, "Decrypted password is: ");
261
for(ssize_t i = 0; i < plaintext_length; i++){
262
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
263
}
264
fprintf(stderr, "\n");
201
fprintf(stderr, "decrypted password is: %s\n", *new_packet);
265
202
}
266
267
decrypt_end:
268
269
/* Delete the GPGME cryptotext data buffer */
270
gpgme_data_release(dh_crypto);
271
272
/* Delete the GPGME plaintext data buffer */
203
204
/* Delete the GPGME plaintext data buffer */
273
205
gpgme_data_release(dh_plain);
274
return plaintext_length;
206
return new_packet_length;
275
207
}
276
208
277
209
static const char * safer_gnutls_strerror (int value) {
281
213
return ret;
282
214
}
283
215
284
/* GnuTLS log function callback */
285
static void debuggnutls(__attribute__((unused)) int level,
286
const char* string){
287
fprintf(stderr, "GnuTLS: %s", string);
216
void debuggnutls(int level, const char* string){
217
fprintf(stderr, "%s", string);
288
218
}
289
219
290
static int init_gnutls_global(mandos_context *mc){
220
int initgnutls(encrypted_session *es){
221
const char *err;
291
222
int ret;
292
223
293
224
if(debug){
294
fprintf(stderr, "Initializing GnuTLS\n");
225
fprintf(stderr, "Initializing gnutls\n");
295
226
}
296
227
228
297
229
if ((ret = gnutls_global_init ())
298
230
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "GnuTLS global_init: %s\n",
300
safer_gnutls_strerror(ret));
231
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
301
232
return -1;
302
233
}
303
234
304
235
if (debug){
305
/* "Use a log level over 10 to enable all debugging options."
306
* - GnuTLS manual
307
*/
308
236
gnutls_global_set_log_level(11);
309
237
gnutls_global_set_log_function(debuggnutls);
310
238
}
311
239
312
/* OpenPGP credentials */
313
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
240
241
/* openpgp credentials */
242
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
314
243
!= GNUTLS_E_SUCCESS) {
315
fprintf (stderr, "GnuTLS memory error: %s\n",
316
safer_gnutls_strerror(ret));
244
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
317
245
return -1;
318
246
}
319
247
320
248
if(debug){
321
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
322
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
323
seckeyfile);
249
fprintf(stderr, "Attempting to use openpgp certificate %s"
250
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
324
251
}
325
252
326
253
ret = gnutls_certificate_set_openpgp_key_file
327
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
328
if (ret != GNUTLS_E_SUCCESS) {
329
fprintf(stderr,
330
"Error[%d] while reading the OpenPGP key pair ('%s',"
331
" '%s')\n", ret, pubkeyfile, seckeyfile);
332
fprintf(stdout, "The GnuTLS error is: %s\n",
333
safer_gnutls_strerror(ret));
334
return -1;
335
}
336
337
/* GnuTLS server initialization */
338
ret = gnutls_dh_params_init(&mc->dh_params);
339
if (ret != GNUTLS_E_SUCCESS) {
340
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
341
" %s\n", safer_gnutls_strerror(ret));
342
return -1;
343
}
344
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
347
safer_gnutls_strerror(ret));
348
return -1;
349
}
350
351
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
352
353
return 0;
354
}
355
356
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
int ret;
358
/* GnuTLS session creation */
359
ret = gnutls_init(session, GNUTLS_SERVER);
360
if (ret != GNUTLS_E_SUCCESS){
361
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
362
safer_gnutls_strerror(ret));
363
}
364
365
{
366
const char *err;
367
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf(stderr, "Syntax error at: %s\n", err);
370
fprintf(stderr, "GnuTLS error: %s\n",
371
safer_gnutls_strerror(ret));
372
return -1;
373
}
374
}
375
376
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
mc->cred);
378
if (ret != GNUTLS_E_SUCCESS) {
379
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
380
safer_gnutls_strerror(ret));
381
return -1;
382
}
383
254
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
255
if (ret != GNUTLS_E_SUCCESS) {
256
fprintf
257
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
258
ret, CERTFILE, KEYFILE);
259
fprintf(stdout, "The Error is: %s\n",
260
safer_gnutls_strerror(ret));
261
return -1;
262
}
263
264
//Gnutls server initialization
265
if ((ret = gnutls_dh_params_init (&es->dh_params))
266
!= GNUTLS_E_SUCCESS) {
267
fprintf (stderr, "Error in dh parameter initialization: %s\n",
268
safer_gnutls_strerror(ret));
269
return -1;
270
}
271
272
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in prime generation: %s\n",
275
safer_gnutls_strerror(ret));
276
return -1;
277
}
278
279
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
280
281
// Gnutls session creation
282
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
283
!= GNUTLS_E_SUCCESS){
284
fprintf(stderr, "Error in gnutls session initialization: %s\n",
285
safer_gnutls_strerror(ret));
286
}
287
288
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
289
!= GNUTLS_E_SUCCESS) {
290
fprintf(stderr, "Syntax error at: %s\n", err);
291
fprintf(stderr, "Gnutls error: %s\n",
292
safer_gnutls_strerror(ret));
293
return -1;
294
}
295
296
if ((ret = gnutls_credentials_set
297
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf(stderr, "Error setting a credentials set: %s\n",
300
safer_gnutls_strerror(ret));
301
return -1;
302
}
303
384
304
/* ignore client certificate if any. */
385
gnutls_certificate_server_set_request (*session,
386
GNUTLS_CERT_IGNORE);
305
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
387
306
388
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
307
gnutls_dh_set_prime_bits (es->session, DH_BITS);
389
308
390
309
return 0;
391
310
}
392
311
393
/* Avahi log function callback */
394
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
395
__attribute__((unused)) const char *txt){}
312
void empty_log(AvahiLogLevel level, const char *txt){}
396
313
397
/* Called when a Mandos server is found */
398
static int start_mandos_communication(const char *ip, uint16_t port,
399
AvahiIfIndex if_index,
400
mandos_context *mc){
314
int start_mandos_communcation(char *ip, uint16_t port){
401
315
int ret, tcp_sd;
402
316
struct sockaddr_in6 to;
317
encrypted_session es;
403
318
char *buffer = NULL;
404
319
char *decrypted_buffer;
405
320
size_t buffer_length = 0;
406
321
size_t buffer_capacity = 0;
407
322
ssize_t decrypted_buffer_size;
408
size_t written;
409
323
int retval = 0;
410
char interface[IF_NAMESIZE];
411
gnutls_session_t session;
412
gnutls_dh_params_t dh_params;
413
414
ret = init_gnutls_session (mc, &session);
415
if (ret != 0){
416
return -1;
417
}
418
324
const char interface[] = "eth0";
325
419
326
if(debug){
420
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
421
ip, port);
327
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
422
328
}
423
329
424
330
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
428
334
}
429
335
430
336
if(debug){
431
if(if_indextoname((unsigned int)if_index, interface) == NULL){
432
perror("if_indextoname");
433
return -1;
434
}
435
337
fprintf(stderr, "Binding to interface %s\n", interface);
436
338
}
339
340
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
341
if(tcp_sd < 0) {
342
perror("setsockopt bindtodevice");
343
return -1;
344
}
437
345
438
memset(&to,0,sizeof(to)); /* Spurious warning */
346
memset(&to,0,sizeof(to));
439
347
to.sin6_family = AF_INET6;
440
/* It would be nice to have a way to detect if we were passed an
441
IPv4 address here. Now we assume an IPv6 address. */
442
348
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
443
349
if (ret < 0 ){
444
350
perror("inet_pton");
445
351
return -1;
446
}
352
}
447
353
if(ret == 0){
448
354
fprintf(stderr, "Bad address: %s\n", ip);
449
355
return -1;
450
356
}
451
to.sin6_port = htons(port); /* Spurious warning */
452
453
to.sin6_scope_id = (uint32_t)if_index;
454
357
to.sin6_port = htons(port);
358
to.sin6_scope_id = if_nametoindex(interface);
359
455
360
if(debug){
456
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
457
char addrstr[INET6_ADDRSTRLEN] = "";
458
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
459
sizeof(addrstr)) == NULL){
460
perror("inet_ntop");
461
} else {
462
if(strcmp(addrstr, ip) != 0){
463
fprintf(stderr, "Canonical address form: %s\n", addrstr);
464
}
465
}
361
fprintf(stderr, "Connection to: %s\n", ip);
466
362
}
467
363
468
364
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
470
366
perror("connect");
471
367
return -1;
472
368
}
369
370
ret = initgnutls (&es);
371
if (ret != 0){
372
retval = -1;
373
return -1;
374
}
375
376
377
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
473
378
474
const char *out = mandos_protocol_version;
475
written = 0;
476
while (true){
477
size_t out_size = strlen(out);
478
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
479
out_size - written));
480
if (ret == -1){
481
perror("write");
482
retval = -1;
483
goto mandos_end;
484
}
485
written += (size_t)ret;
486
if(written < out_size){
487
continue;
488
} else {
489
if (out == mandos_protocol_version){
490
written = 0;
491
out = "\r\n";
492
} else {
493
break;
494
}
495
}
496
}
497
498
379
if(debug){
499
fprintf(stderr, "Establishing TLS session with %s\n", ip);
380
fprintf(stderr, "Establishing tls session with %s\n", ip);
500
381
}
501
502
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
503
504
ret = gnutls_handshake (session);
382
383
384
ret = gnutls_handshake (es.session);
505
385
506
386
if (ret != GNUTLS_E_SUCCESS){
507
if(debug){
508
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
509
gnutls_perror (ret);
510
}
387
fprintf(stderr, "\n*** Handshake failed ***\n");
388
gnutls_perror (ret);
511
389
retval = -1;
512
goto mandos_end;
390
goto exit;
513
391
}
514
515
/* Read OpenPGP packet that contains the wanted password */
516
392
393
//Retrieve gpg packet that contains the wanted password
394
517
395
if(debug){
518
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
519
ip);
396
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
520
397
}
521
398
522
399
while(true){
523
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
524
if (buffer_capacity == 0){
525
perror("adjustbuffer");
526
retval = -1;
527
goto mandos_end;
400
if (buffer_length + BUFFER_SIZE > buffer_capacity){
401
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
402
if (buffer == NULL){
403
perror("realloc");
404
goto exit;
405
}
406
buffer_capacity += BUFFER_SIZE;
528
407
}
529
408
530
ret = gnutls_record_recv(session, buffer+buffer_length,
531
BUFFER_SIZE);
409
ret = gnutls_record_recv
410
(es.session, buffer+buffer_length, BUFFER_SIZE);
532
411
if (ret == 0){
533
412
break;
534
413
}
538
417
case GNUTLS_E_AGAIN:
539
418
break;
540
419
case GNUTLS_E_REHANDSHAKE:
541
ret = gnutls_handshake (session);
420
ret = gnutls_handshake (es.session);
542
421
if (ret < 0){
543
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
422
fprintf(stderr, "\n*** Handshake failed ***\n");
544
423
gnutls_perror (ret);
545
424
retval = -1;
546
goto mandos_end;
425
goto exit;
547
426
}
548
427
break;
549
428
default:
550
fprintf(stderr, "Unknown error while reading data from"
551
" encrypted session with Mandos server\n");
429
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
552
430
retval = -1;
553
gnutls_bye (session, GNUTLS_SHUT_RDWR);
554
goto mandos_end;
431
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
432
goto exit;
555
433
}
556
434
} else {
557
buffer_length += (size_t) ret;
435
buffer_length += ret;
558
436
}
559
437
}
560
438
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
565
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
567
439
if (buffer_length > 0){
568
decrypted_buffer_size = pgp_packet_decrypt(buffer,
569
buffer_length,
570
&decrypted_buffer,
571
keydir);
572
if (decrypted_buffer_size >= 0){
573
written = 0;
574
while(written < (size_t) decrypted_buffer_size){
575
ret = (int)fwrite (decrypted_buffer + written, 1,
576
(size_t)decrypted_buffer_size - written,
577
stdout);
578
if(ret == 0 and ferror(stdout)){
579
if(debug){
580
fprintf(stderr, "Error writing encrypted data: %s\n",
581
strerror(errno));
582
}
583
retval = -1;
584
break;
585
}
586
written += (size_t)ret;
587
}
440
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
441
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
588
442
free(decrypted_buffer);
589
443
} else {
590
444
retval = -1;
591
445
}
592
446
}
593
594
/* Shutdown procedure */
595
596
mandos_end:
447
448
//shutdown procedure
449
450
if(debug){
451
fprintf(stderr, "Closing tls session\n");
452
}
453
597
454
free(buffer);
455
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
456
exit:
598
457
close(tcp_sd);
599
gnutls_deinit (session);
600
gnutls_certificate_free_credentials (mc->cred);
458
gnutls_deinit (es.session);
459
gnutls_certificate_free_credentials (es.cred);
601
460
gnutls_global_deinit ();
602
461
return retval;
603
462
}
604
463
605
static void resolve_callback(AvahiSServiceResolver *r,
606
AvahiIfIndex interface,
607
AVAHI_GCC_UNUSED AvahiProtocol protocol,
608
AvahiResolverEvent event,
609
const char *name,
610
const char *type,
611
const char *domain,
612
const char *host_name,
613
const AvahiAddress *address,
614
uint16_t port,
615
AVAHI_GCC_UNUSED AvahiStringList *txt,
616
AVAHI_GCC_UNUSED AvahiLookupResultFlags
617
flags,
618
void* userdata) {
619
mandos_context *mc = userdata;
620
assert(r); /* Spurious warning */
621
622
/* Called whenever a service has been resolved successfully or
623
timed out */
624
625
switch (event) {
626
default:
627
case AVAHI_RESOLVER_FAILURE:
628
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
629
" of type '%s' in domain '%s': %s\n", name, type, domain,
630
avahi_strerror(avahi_server_errno(mc->server)));
631
break;
632
633
case AVAHI_RESOLVER_FOUND:
634
{
635
char ip[AVAHI_ADDRESS_STR_MAX];
636
avahi_address_snprint(ip, sizeof(ip), address);
637
if(debug){
638
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
639
" port %d\n", name, host_name, ip, interface, port);
640
}
641
int ret = start_mandos_communication(ip, port, interface, mc);
642
if (ret == 0){
643
exit(EXIT_SUCCESS);
644
}
645
}
646
}
647
avahi_s_service_resolver_free(r);
648
}
649
650
static void browse_callback( AvahiSServiceBrowser *b,
651
AvahiIfIndex interface,
652
AvahiProtocol protocol,
653
AvahiBrowserEvent event,
654
const char *name,
655
const char *type,
656
const char *domain,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
661
assert(b); /* Spurious warning */
662
663
/* Called whenever a new services becomes available on the LAN or
664
is removed from the LAN */
665
666
switch (event) {
667
default:
668
case AVAHI_BROWSER_FAILURE:
669
670
fprintf(stderr, "(Avahi browser) %s\n",
671
avahi_strerror(avahi_server_errno(mc->server)));
672
avahi_simple_poll_quit(mc->simple_poll);
673
return;
674
675
case AVAHI_BROWSER_NEW:
676
/* We ignore the returned Avahi resolver object. In the callback
677
function we free it. If the Avahi server is terminated before
678
the callback function is called the Avahi server will free the
679
resolver for us. */
680
681
if (!(avahi_s_service_resolver_new(mc->server, interface,
682
protocol, name, type, domain,
683
AVAHI_PROTO_INET6, 0,
684
resolve_callback, mc)))
685
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
686
name, avahi_strerror(avahi_server_errno(mc->server)));
687
break;
688
689
case AVAHI_BROWSER_REMOVE:
690
break;
691
692
case AVAHI_BROWSER_ALL_FOR_NOW:
693
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
if(debug){
695
fprintf(stderr, "No Mandos server found, still searching...\n");
696
}
697
break;
698
}
699
}
700
701
/* Combines file name and path and returns the malloced new
702
string. some sane checks could/should be added */
703
static const char *combinepath(const char *first, const char *second){
704
size_t f_len = strlen(first);
705
size_t s_len = strlen(second);
706
char *tmp = malloc(f_len + s_len + 2);
707
if (tmp == NULL){
708
return NULL;
709
}
710
if(f_len > 0){
711
memcpy(tmp, first, f_len); /* Spurious warning */
712
}
713
tmp[f_len] = '/';
714
if(s_len > 0){
715
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
716
}
717
tmp[f_len + 1 + s_len] = '\0';
718
return tmp;
719
}
720
721
722
int main(int argc, char *argv[]){
464
static AvahiSimplePoll *simple_poll = NULL;
465
static AvahiServer *server = NULL;
466
467
static void resolve_callback(
468
AvahiSServiceResolver *r,
469
AVAHI_GCC_UNUSED AvahiIfIndex interface,
470
AVAHI_GCC_UNUSED AvahiProtocol protocol,
471
AvahiResolverEvent event,
472
const char *name,
473
const char *type,
474
const char *domain,
475
const char *host_name,
476
const AvahiAddress *address,
477
uint16_t port,
478
AvahiStringList *txt,
479
AvahiLookupResultFlags flags,
480
AVAHI_GCC_UNUSED void* userdata) {
481
482
assert(r);
483
484
/* Called whenever a service has been resolved successfully or timed out */
485
486
switch (event) {
487
case AVAHI_RESOLVER_FAILURE:
488
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
489
break;
490
491
case AVAHI_RESOLVER_FOUND: {
492
char ip[AVAHI_ADDRESS_STR_MAX];
493
avahi_address_snprint(ip, sizeof(ip), address);
494
if(debug){
495
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
496
}
497
int ret = start_mandos_communcation(ip, port);
498
if (ret == 0){
499
exit(EXIT_SUCCESS);
500
} else {
501
exit(EXIT_FAILURE);
502
}
503
}
504
}
505
avahi_s_service_resolver_free(r);
506
}
507
508
static void browse_callback(
509
AvahiSServiceBrowser *b,
510
AvahiIfIndex interface,
511
AvahiProtocol protocol,
512
AvahiBrowserEvent event,
513
const char *name,
514
const char *type,
515
const char *domain,
516
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
517
void* userdata) {
518
519
AvahiServer *s = userdata;
520
assert(b);
521
522
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
523
524
switch (event) {
525
526
case AVAHI_BROWSER_FAILURE:
527
528
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
529
avahi_simple_poll_quit(simple_poll);
530
return;
531
532
case AVAHI_BROWSER_NEW:
533
/* We ignore the returned resolver object. In the callback
534
function we free it. If the server is terminated before
535
the callback function is called the server will free
536
the resolver for us. */
537
538
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
539
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
540
541
break;
542
543
case AVAHI_BROWSER_REMOVE:
544
break;
545
546
case AVAHI_BROWSER_ALL_FOR_NOW:
547
case AVAHI_BROWSER_CACHE_EXHAUSTED:
548
break;
549
}
550
}
551
552
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
553
AvahiServerConfig config;
723
554
AvahiSServiceBrowser *sb = NULL;
555
const char db[] = "--debug";
724
556
int error;
725
int ret;
726
int exitcode = EXIT_SUCCESS;
727
const char *interface = "eth0";
728
struct ifreq network;
729
int sd;
730
uid_t uid;
731
gid_t gid;
732
char *connect_to = NULL;
733
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
734
mandos_context mc = { .simple_poll = NULL, .server = NULL,
735
.dh_bits = 1024, .priority = "SECURE256"};
736
737
{
738
/* Temporary int to get the address of for getopt_long */
739
int debug_int = debug ? 1 : 0;
740
while (true){
741
struct option long_options[] = {
742
{"debug", no_argument, &debug_int, 1},
743
{"connect", required_argument, NULL, 'c'},
744
{"interface", required_argument, NULL, 'i'},
745
{"keydir", required_argument, NULL, 'd'},
746
{"seckey", required_argument, NULL, 's'},
747
{"pubkey", required_argument, NULL, 'p'},
748
{"dh-bits", required_argument, NULL, 'D'},
749
{"priority", required_argument, NULL, 'P'},
750
{0, 0, 0, 0} };
751
752
int option_index = 0;
753
ret = getopt_long (argc, argv, "i:", long_options,
754
&option_index);
755
756
if (ret == -1){
757
break;
758
}
759
760
switch(ret){
761
case 0:
762
break;
763
case 'i':
764
interface = optarg;
765
break;
766
case 'c':
767
connect_to = optarg;
768
break;
769
case 'd':
770
keydir = optarg;
771
break;
772
case 'p':
773
pubkeyfile = optarg;
774
break;
775
case 's':
776
seckeyfile = optarg;
777
break;
778
case 'D':
779
errno = 0;
780
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
781
if (errno){
782
perror("strtol");
783
exit(EXIT_FAILURE);
557
int ret = 1;
558
int returncode = EXIT_SUCCESS;
559
char *basename = rindex(argv[0], '/');
560
if(basename == NULL){
561
basename = argv[0];
562
} else {
563
basename++;
564
}
565
566
char *program_name = malloc(strlen(basename) + sizeof(db));
567
568
if (program_name == NULL){
569
perror("argv[0]");
570
return EXIT_FAILURE;
571
}
572
573
program_name[0] = '\0';
574
575
for (int i = 1; i < argc; i++){
576
if (not strncmp(argv[i], db, 5)){
577
strcat(strcat(strcat(program_name, db ), "="), basename);
578
if(not strcmp(argv[i], db) or not strcmp(argv[i], program_name)){
579
debug = true;
784
580
}
785
break;
786
case 'P':
787
mc.priority = optarg;
788
break;
789
case '?':
790
default:
791
/* getopt_long() has already printed a message about the
792
unrcognized option, so just exit. */
793
exit(EXIT_FAILURE);
794
}
795
}
796
/* Set the global debug flag from the temporary int */
797
debug = debug_int ? true : false;
798
}
799
800
pubkeyfile = combinepath(keydir, pubkeyfile);
801
if (pubkeyfile == NULL){
802
perror("combinepath");
803
exitcode = EXIT_FAILURE;
804
goto end;
805
}
806
807
seckeyfile = combinepath(keydir, seckeyfile);
808
if (seckeyfile == NULL){
809
perror("combinepath");
810
goto end;
811
}
812
813
ret = init_gnutls_global(&mc);
814
if (ret == -1){
815
fprintf(stderr, "init_gnutls_global\n");
816
goto end;
817
}
818
819
uid = getuid();
820
gid = getgid();
821
822
ret = setuid(uid);
823
if (ret == -1){
824
perror("setuid");
825
}
826
827
setgid(gid);
828
if (ret == -1){
829
perror("setgid");
830
}
831
832
if_index = (AvahiIfIndex) if_nametoindex(interface);
833
if(if_index == 0){
834
fprintf(stderr, "No such interface: \"%s\"\n", interface);
835
exit(EXIT_FAILURE);
836
}
837
838
if(connect_to != NULL){
839
/* Connect directly, do not use Zeroconf */
840
/* (Mainly meant for debugging) */
841
char *address = strrchr(connect_to, ':');
842
if(address == NULL){
843
fprintf(stderr, "No colon in address\n");
844
exitcode = EXIT_FAILURE;
845
goto end;
846
}
847
errno = 0;
848
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
849
if(errno){
850
perror("Bad port number");
851
exitcode = EXIT_FAILURE;
852
goto end;
853
}
854
*address = '\0';
855
address = connect_to;
856
ret = start_mandos_communication(address, port, if_index, &mc);
857
if(ret < 0){
858
exitcode = EXIT_FAILURE;
859
} else {
860
exitcode = EXIT_SUCCESS;
861
}
862
goto end;
863
}
864
865
/* If the interface is down, bring it up */
866
{
867
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
868
if(sd < 0) {
869
perror("socket");
870
exitcode = EXIT_FAILURE;
871
goto end;
872
}
873
strcpy(network.ifr_name, interface); /* Spurious warning */
874
ret = ioctl(sd, SIOCGIFFLAGS, &network);
875
if(ret == -1){
876
perror("ioctl SIOCGIFFLAGS");
877
exitcode = EXIT_FAILURE;
878
goto end;
879
}
880
if((network.ifr_flags & IFF_UP) == 0){
881
network.ifr_flags |= IFF_UP;
882
ret = ioctl(sd, SIOCSIFFLAGS, &network);
883
if(ret == -1){
884
perror("ioctl SIOCSIFFLAGS");
885
exitcode = EXIT_FAILURE;
886
goto end;
887
}
888
}
889
close(sd);
890
}
891
581
}
582
}
583
free(program_name);
584
892
585
if (not debug){
893
586
avahi_set_log_function(empty_log);
894
587
}
895
588
896
/* Initialize the pseudo-RNG for Avahi */
897
srand((unsigned int) time(NULL));
898
899
/* Allocate main Avahi loop object */
900
mc.simple_poll = avahi_simple_poll_new();
901
if (mc.simple_poll == NULL) {
902
fprintf(stderr, "Avahi: Failed to create simple poll"
903
" object.\n");
904
exitcode = EXIT_FAILURE;
905
goto end;
906
}
907
908
{
909
AvahiServerConfig config;
910
/* Do not publish any local Zeroconf records */
911
avahi_server_config_init(&config);
912
config.publish_hinfo = 0;
913
config.publish_addresses = 0;
914
config.publish_workstation = 0;
915
config.publish_domain = 0;
916
917
/* Allocate a new server */
918
mc.server = avahi_server_new(avahi_simple_poll_get
919
(mc.simple_poll), &config, NULL,
920
NULL, &error);
921
922
/* Free the Avahi configuration data */
923
avahi_server_config_free(&config);
924
}
925
926
/* Check if creating the Avahi server object succeeded */
927
if (mc.server == NULL) {
928
fprintf(stderr, "Failed to create Avahi server: %s\n",
929
avahi_strerror(error));
930
exitcode = EXIT_FAILURE;
931
goto end;
932
}
933
934
/* Create the Avahi service browser */
935
sb = avahi_s_service_browser_new(mc.server, if_index,
936
AVAHI_PROTO_INET6,
937
"_mandos._tcp", NULL, 0,
938
browse_callback, &mc);
939
if (sb == NULL) {
940
fprintf(stderr, "Failed to create service browser: %s\n",
941
avahi_strerror(avahi_server_errno(mc.server)));
942
exitcode = EXIT_FAILURE;
943
goto end;
589
/* Initialize the psuedo-RNG */
590
srand(time(NULL));
591
592
/* Allocate main loop object */
593
if (!(simple_poll = avahi_simple_poll_new())) {
594
fprintf(stderr, "Failed to create simple poll object.\n");
595
596
goto exit;
597
}
598
599
/* Do not publish any local records */
600
avahi_server_config_init(&config);
601
config.publish_hinfo = 0;
602
config.publish_addresses = 0;
603
config.publish_workstation = 0;
604
config.publish_domain = 0;
605
606
/* Allocate a new server */
607
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
608
609
/* Free the configuration data */
610
avahi_server_config_free(&config);
611
612
/* Check if creating the server object succeeded */
613
if (!server) {
614
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
615
returncode = EXIT_FAILURE;
616
goto exit;
617
}
618
619
/* Create the service browser */
620
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
621
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
622
returncode = EXIT_FAILURE;
623
goto exit;
944
624
}
945
625
946
626
/* Run the main loop */
947
627
948
628
if (debug){
949
fprintf(stderr, "Starting Avahi loop search\n");
629
fprintf(stderr, "Starting avahi loop search\n");
950
630
}
951
631
952
avahi_simple_poll_loop(mc.simple_poll);
632
avahi_simple_poll_loop(simple_poll);
953
633
954
end:
634
exit:
955
635
956
636
if (debug){
957
637
fprintf(stderr, "%s exiting\n", argv[0]);
958
638
}
959
639
960
640
/* Cleanup things */
961
if (sb != NULL)
641
if (sb)
962
642
avahi_s_service_browser_free(sb);
963
643
964
if (mc.server != NULL)
965
avahi_server_free(mc.server);
966
967
if (mc.simple_poll != NULL)
968
avahi_simple_poll_free(mc.simple_poll);
969
free(pubkeyfile);
970
free(seckeyfile);
971
972
return exitcode;
644
if (server)
645
avahi_server_free(server);
646
647
if (simple_poll)
648
avahi_simple_poll_free(simple_poll);
649
650
return ret;
973
651
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0