To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 21
- compare with another revision
- download diff
- download tarball
- view history from revision 21
- Committer: Teddy Hogeborn
- Date: 2008-07-21 15:34:44 UTC
- Revision ID: teddy@fukt.bsnet.se-20080721153444-lugbjkj1oq65ugq3
* Makefile (CFLAGS): Changed to use $(WARN), $(DEBUG), $(COVERAGE) and
$(LANGUAGE).
(WARN, DEBUG, COVERAGE, LANGUAGE): New.
(LDFLAGS): New; use $(COVERAGE)
* plugbasedclient.c: Added copyright header.
(process.buffer_size, process.buffer_length): Changed to "size_t".
(main): Cast arguments to malloc and realloc. Detect read errors
from processes.
* mandosclient.c: Added copyright header.
(interface): Moved to inside "main".
(gpg_packet_decrypt): Renamed to "pgp_packet_decrypt"; all callers
changed. Changed "new_packet_capacity" and
"new_packet_length" to be ssize_t. Cast
arguments to realloc.
(debuggnutls): Attribute "level" argument as unused.
(empty_log): Attribute "level" and "txt" arguments as unused.
(start_mandos_communication): New argument "if_index". Bug fix:
check ret, no tcp_sd, for errors from
setsockopt. Use "if_index" directly
instead of looking up the index. Loop
around fwrite until all data is written.
(resolve_callback): Attribute "txt", and "flags" as usused. Added
default case to switch. Also show server host
name. Call start_mandos_communication with
"interface".
(browse_callback): Added default case to switch.
(main): Variable "interface" moved here. Cast "srand" argument.
Bug fix: Call avahi_s_service_browser_new with index of
"interface", not "eth0".
* passprompt.c: Added copyright header.
(termination_handler): Attribute "signum" argument as unused.
$(LANGUAGE).
(WARN, DEBUG, COVERAGE, LANGUAGE): New.
(LDFLAGS): New; use $(COVERAGE)
* plugbasedclient.c: Added copyright header.
(process.buffer_size, process.buffer_length): Changed to "size_t".
(main): Cast arguments to malloc and realloc. Detect read errors
from processes.
* mandosclient.c: Added copyright header.
(interface): Moved to inside "main".
(gpg_packet_decrypt): Renamed to "pgp_packet_decrypt"; all callers
changed. Changed "new_packet_capacity" and
"new_packet_length" to be ssize_t. Cast
arguments to realloc.
(debuggnutls): Attribute "level" argument as unused.
(empty_log): Attribute "level" and "txt" arguments as unused.
(start_mandos_communication): New argument "if_index". Bug fix:
check ret, no tcp_sd, for errors from
setsockopt. Use "if_index" directly
instead of looking up the index. Loop
around fwrite until all data is written.
(resolve_callback): Attribute "txt", and "flags" as usused. Added
default case to switch. Also show server host
name. Call start_mandos_communication with
"interface".
(browse_callback): Added default case to switch.
(main): Variable "interface" moved here. Cast "srand" argument.
Bug fix: Call avahi_s_service_browser_new with index of
"interface", not "eth0".
* passprompt.c: Added copyright header.
(termination_handler): Attribute "signum" argument as unused.
- files removed:
- server.conf
- files renamed:
- clients.conf => mandos-clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
13
13
*
14
14
* This program is free software: you can redistribute it and/or
15
15
* modify it under the terms of the GNU General Public License as
25
25
* along with this program. If not, see
26
26
* <http://www.gnu.org/licenses/>.
27
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
30
*/
30
31
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _FORTIFY_SOURCE 2
33
32
34
#define _LARGEFILE_SOURCE
33
35
#define _FILE_OFFSET_BITS 64
34
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
37
#include <stdio.h>
38
38
#include <assert.h>
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
42
47
43
#include <avahi-core/core.h>
48
44
#include <avahi-core/lookup.h>
51
47
#include <avahi-common/malloc.h>
52
48
#include <avahi-common/error.h>
53
49
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
50
//mandos client part
51
#include <sys/types.h> /* socket(), setsockopt(),
52
inet_pton() */
53
#include <sys/socket.h> /* socket(), setsockopt(),
54
struct sockaddr_in6,
57
55
struct in6_addr, inet_pton() */
58
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
65
66
// gpgme
72
67
#include <errno.h> /* perror() */
73
68
#include <gpgme.h>
74
69
70
// getopt long
71
#include <getopt.h>
72
73
#ifndef CERT_ROOT
74
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
75
#endif
76
#define CERTFILE CERT_ROOT "openpgp-client.txt"
77
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
75
78
#define BUFFER_SIZE 256
79
#define DH_BITS 1024
76
80
77
81
bool debug = false;
78
const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
const char mandos_protocol_version[] = "1";
82
82
83
/* Used for passing in values through all the callback functions */
84
83
typedef struct {
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
84
gnutls_session_t session;
87
85
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
89
86
gnutls_dh_params_t dh_params;
90
const char *priority;
91
} mandos_context;
92
93
size_t adjustbuffer(char **buffer, size_t buffer_length,
94
size_t buffer_capacity){
95
if (buffer_length + BUFFER_SIZE > buffer_capacity){
96
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
97
if (buffer == NULL){
98
return 0;
99
}
100
buffer_capacity += BUFFER_SIZE;
101
}
102
return buffer_capacity;
103
}
104
105
/*
106
* Decrypt OpenPGP data using keyrings in HOMEDIR.
107
* Returns -1 on error
108
*/
109
static ssize_t pgp_packet_decrypt (const char *cryptotext,
110
size_t crypto_size,
111
char **plaintext,
112
const char *homedir){
87
} encrypted_session;
88
89
90
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
91
char **new_packet, const char *homedir){
113
92
gpgme_data_t dh_crypto, dh_plain;
114
93
gpgme_ctx_t ctx;
115
94
gpgme_error_t rc;
116
95
ssize_t ret;
117
size_t plaintext_capacity = 0;
118
ssize_t plaintext_length = 0;
96
ssize_t new_packet_capacity = 0;
97
ssize_t new_packet_length = 0;
119
98
gpgme_engine_info_t engine_info;
120
99
121
100
if (debug){
122
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
101
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
123
102
}
124
103
125
104
/* Init GPGME */
126
105
gpgme_check_version(NULL);
127
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
128
if (rc != GPG_ERR_NO_ERROR){
129
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
130
gpgme_strsource(rc), gpgme_strerror(rc));
131
return -1;
132
}
106
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
133
107
134
/* Set GPGME home directory for the OpenPGP engine only */
108
/* Set GPGME home directory */
135
109
rc = gpgme_get_engine_info (&engine_info);
136
110
if (rc != GPG_ERR_NO_ERROR){
137
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
147
121
engine_info = engine_info->next;
148
122
}
149
123
if(engine_info == NULL){
150
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
151
125
return -1;
152
126
}
153
127
154
/* Create new GPGME data buffer from memory cryptotext */
155
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
156
0);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
157
130
if (rc != GPG_ERR_NO_ERROR){
158
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
159
132
gpgme_strsource(rc), gpgme_strerror(rc));
165
138
if (rc != GPG_ERR_NO_ERROR){
166
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
167
140
gpgme_strsource(rc), gpgme_strerror(rc));
168
gpgme_data_release(dh_crypto);
169
141
return -1;
170
142
}
171
143
174
146
if (rc != GPG_ERR_NO_ERROR){
175
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
176
148
gpgme_strsource(rc), gpgme_strerror(rc));
177
plaintext_length = -1;
178
goto decrypt_end;
149
return -1;
179
150
}
180
151
181
/* Decrypt data from the cryptotext data buffer to the plaintext
182
data buffer */
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
183
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
184
155
if (rc != GPG_ERR_NO_ERROR){
185
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
186
157
gpgme_strsource(rc), gpgme_strerror(rc));
187
plaintext_length = -1;
188
goto decrypt_end;
158
return -1;
189
159
}
190
160
191
161
if(debug){
192
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
193
163
}
194
164
195
165
if (debug){
196
166
gpgme_decrypt_result_t result;
197
167
result = gpgme_op_decrypt_result(ctx);
221
191
}
222
192
}
223
193
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
196
224
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
225
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
226
perror("pgpme_data_seek");
227
plaintext_length = -1;
228
goto decrypt_end;
229
}
230
231
*plaintext = NULL;
198
gpgme_data_seek(dh_plain, 0, SEEK_SET);
199
200
*new_packet = 0;
232
201
while(true){
233
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
234
plaintext_capacity);
235
if (plaintext_capacity == 0){
236
perror("adjustbuffer");
237
plaintext_length = -1;
238
goto decrypt_end;
202
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
203
*new_packet = realloc(*new_packet,
204
(unsigned int)new_packet_capacity
205
+ BUFFER_SIZE);
206
if (*new_packet == NULL){
207
perror("realloc");
208
return -1;
209
}
210
new_packet_capacity += BUFFER_SIZE;
239
211
}
240
212
241
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
213
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
242
214
BUFFER_SIZE);
243
215
/* Print the data, if any */
244
216
if (ret == 0){
245
/* EOF */
246
217
break;
247
218
}
248
219
if(ret < 0){
249
220
perror("gpgme_data_read");
250
plaintext_length = -1;
251
goto decrypt_end;
221
return -1;
252
222
}
253
plaintext_length += ret;
223
new_packet_length += ret;
254
224
}
255
225
256
if(debug){
257
fprintf(stderr, "Decrypted password is: ");
258
for(ssize_t i = 0; i < plaintext_length; i++){
259
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
260
}
261
fprintf(stderr, "\n");
262
}
263
264
decrypt_end:
265
266
/* Delete the GPGME cryptotext data buffer */
267
gpgme_data_release(dh_crypto);
226
/* FIXME: check characters before printing to screen so to not print
227
terminal control characters */
228
/* if(debug){ */
229
/* fprintf(stderr, "decrypted password is: "); */
230
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
231
/* fprintf(stderr, "\n"); */
232
/* } */
268
233
269
234
/* Delete the GPGME plaintext data buffer */
270
235
gpgme_data_release(dh_plain);
271
return plaintext_length;
236
return new_packet_length;
272
237
}
273
238
274
239
static const char * safer_gnutls_strerror (int value) {
278
243
return ret;
279
244
}
280
245
281
/* GnuTLS log function callback */
282
static void debuggnutls(__attribute__((unused)) int level,
283
const char* string){
284
fprintf(stderr, "GnuTLS: %s", string);
246
void debuggnutls(__attribute__((unused)) int level,
247
const char* string){
248
fprintf(stderr, "%s", string);
285
249
}
286
250
287
static int init_gnutls_global(mandos_context *mc,
288
const char *pubkeyfile,
289
const char *seckeyfile){
251
int initgnutls(encrypted_session *es){
252
const char *err;
290
253
int ret;
291
254
292
255
if(debug){
293
256
fprintf(stderr, "Initializing GnuTLS\n");
294
257
}
295
258
296
259
if ((ret = gnutls_global_init ())
297
260
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "GnuTLS global_init: %s\n",
299
safer_gnutls_strerror(ret));
261
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
300
262
return -1;
301
263
}
302
264
303
265
if (debug){
304
/* "Use a log level over 10 to enable all debugging options."
305
* - GnuTLS manual
306
*/
307
266
gnutls_global_set_log_level(11);
308
267
gnutls_global_set_log_function(debuggnutls);
309
268
}
310
269
311
/* OpenPGP credentials */
312
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
270
/* openpgp credentials */
271
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
313
272
!= GNUTLS_E_SUCCESS) {
314
fprintf (stderr, "GnuTLS memory error: %s\n",
273
fprintf (stderr, "memory error: %s\n",
315
274
safer_gnutls_strerror(ret));
316
275
return -1;
317
276
}
318
277
319
278
if(debug){
320
279
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
321
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
322
seckeyfile);
280
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
281
KEYFILE);
323
282
}
324
283
325
284
ret = gnutls_certificate_set_openpgp_key_file
326
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
285
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
327
286
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf(stderr,
329
"Error[%d] while reading the OpenPGP key pair ('%s',"
330
" '%s')\n", ret, pubkeyfile, seckeyfile);
331
fprintf(stdout, "The GnuTLS error is: %s\n",
287
fprintf
288
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
289
" '%s')\n",
290
ret, CERTFILE, KEYFILE);
291
fprintf(stdout, "The Error is: %s\n",
332
292
safer_gnutls_strerror(ret));
333
293
return -1;
334
294
}
335
295
336
/* GnuTLS server initialization */
337
ret = gnutls_dh_params_init(&mc->dh_params);
338
if (ret != GNUTLS_E_SUCCESS) {
339
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
340
" %s\n", safer_gnutls_strerror(ret));
341
return -1;
342
}
343
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
346
safer_gnutls_strerror(ret));
347
return -1;
348
}
349
350
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
351
352
return 0;
353
}
354
355
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
356
int ret;
357
/* GnuTLS session creation */
358
ret = gnutls_init(session, GNUTLS_SERVER);
359
if (ret != GNUTLS_E_SUCCESS){
296
//GnuTLS server initialization
297
if ((ret = gnutls_dh_params_init (&es->dh_params))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "Error in dh parameter initialization: %s\n",
300
safer_gnutls_strerror(ret));
301
return -1;
302
}
303
304
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in prime generation: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
312
313
// GnuTLS session creation
314
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
315
!= GNUTLS_E_SUCCESS){
360
316
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
361
317
safer_gnutls_strerror(ret));
362
318
}
363
319
364
{
365
const char *err;
366
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf(stderr, "Syntax error at: %s\n", err);
369
fprintf(stderr, "GnuTLS error: %s\n",
370
safer_gnutls_strerror(ret));
371
return -1;
372
}
320
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
321
!= GNUTLS_E_SUCCESS) {
322
fprintf(stderr, "Syntax error at: %s\n", err);
323
fprintf(stderr, "GnuTLS error: %s\n",
324
safer_gnutls_strerror(ret));
325
return -1;
373
326
}
374
327
375
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
376
mc->cred);
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
328
if ((ret = gnutls_credentials_set
329
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf(stderr, "Error setting a credentials set: %s\n",
379
332
safer_gnutls_strerror(ret));
380
333
return -1;
381
334
}
382
335
383
336
/* ignore client certificate if any. */
384
gnutls_certificate_server_set_request (*session,
337
gnutls_certificate_server_set_request (es->session,
385
338
GNUTLS_CERT_IGNORE);
386
339
387
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
340
gnutls_dh_set_prime_bits (es->session, DH_BITS);
388
341
389
342
return 0;
390
343
}
391
344
392
/* Avahi log function callback */
393
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
394
__attribute__((unused)) const char *txt){}
345
void empty_log(__attribute__((unused)) AvahiLogLevel level,
346
__attribute__((unused)) const char *txt){}
395
347
396
/* Called when a Mandos server is found */
397
static int start_mandos_communication(const char *ip, uint16_t port,
398
AvahiIfIndex if_index,
399
mandos_context *mc){
348
int start_mandos_communication(char *ip, uint16_t port,
349
unsigned int if_index){
400
350
int ret, tcp_sd;
401
351
struct sockaddr_in6 to;
352
encrypted_session es;
402
353
char *buffer = NULL;
403
354
char *decrypted_buffer;
404
355
size_t buffer_length = 0;
405
356
size_t buffer_capacity = 0;
406
357
ssize_t decrypted_buffer_size;
407
size_t written;
408
358
int retval = 0;
409
359
char interface[IF_NAMESIZE];
410
gnutls_session_t session;
411
gnutls_dh_params_t dh_params;
412
413
ret = init_gnutls_session (mc, &session);
414
if (ret != 0){
415
return -1;
416
}
417
360
418
361
if(debug){
419
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
420
ip, port);
362
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
421
363
}
422
364
423
365
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
425
367
perror("socket");
426
368
return -1;
427
369
}
428
429
if(debug){
430
if(if_indextoname((unsigned int)if_index, interface) == NULL){
370
371
if(if_indextoname(if_index, interface) == NULL){
372
if(debug){
431
373
perror("if_indextoname");
432
return -1;
433
374
}
375
return -1;
376
}
377
378
if(debug){
434
379
fprintf(stderr, "Binding to interface %s\n", interface);
435
380
}
436
381
437
memset(&to,0,sizeof(to)); /* Spurious warning */
382
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
383
if(ret < 0) {
384
perror("setsockopt bindtodevice");
385
return -1;
386
}
387
388
memset(&to,0,sizeof(to));
438
389
to.sin6_family = AF_INET6;
439
/* It would be nice to have a way to detect if we were passed an
440
IPv4 address here. Now we assume an IPv6 address. */
441
390
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
442
391
if (ret < 0 ){
443
392
perror("inet_pton");
444
393
return -1;
445
}
394
}
446
395
if(ret == 0){
447
396
fprintf(stderr, "Bad address: %s\n", ip);
448
397
return -1;
449
398
}
450
to.sin6_port = htons(port); /* Spurious warning */
399
/* Spurious warnings for the next line, see for instance
400
<http://bugs.debian.org/488884> */
401
to.sin6_port = htons(port);
451
402
452
403
to.sin6_scope_id = (uint32_t)if_index;
453
404
454
405
if(debug){
455
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
456
char addrstr[INET6_ADDRSTRLEN] = "";
457
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
458
sizeof(addrstr)) == NULL){
459
perror("inet_ntop");
460
} else {
461
if(strcmp(addrstr, ip) != 0){
462
fprintf(stderr, "Canonical address form: %s\n", addrstr);
463
}
464
}
406
fprintf(stderr, "Connection to: %s\n", ip);
465
407
}
466
408
467
409
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
469
411
perror("connect");
470
412
return -1;
471
413
}
472
473
const char *out = mandos_protocol_version;
474
written = 0;
475
while (true){
476
size_t out_size = strlen(out);
477
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
478
out_size - written));
479
if (ret == -1){
480
perror("write");
481
retval = -1;
482
goto mandos_end;
483
}
484
written += (size_t)ret;
485
if(written < out_size){
486
continue;
487
} else {
488
if (out == mandos_protocol_version){
489
written = 0;
490
out = "\r\n";
491
} else {
492
break;
493
}
494
}
414
415
ret = initgnutls (&es);
416
if (ret != 0){
417
retval = -1;
418
return -1;
495
419
}
496
420
421
gnutls_transport_set_ptr (es.session,
422
(gnutls_transport_ptr_t) tcp_sd);
423
497
424
if(debug){
498
425
fprintf(stderr, "Establishing TLS session with %s\n", ip);
499
426
}
500
427
501
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
502
503
ret = gnutls_handshake (session);
428
ret = gnutls_handshake (es.session);
504
429
505
430
if (ret != GNUTLS_E_SUCCESS){
506
if(debug){
507
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
508
gnutls_perror (ret);
509
}
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
510
433
retval = -1;
511
goto mandos_end;
434
goto exit;
512
435
}
513
436
514
/* Read OpenPGP packet that contains the wanted password */
437
//Retrieve OpenPGP packet that contains the wanted password
515
438
516
439
if(debug){
517
440
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
519
442
}
520
443
521
444
while(true){
522
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
523
if (buffer_capacity == 0){
524
perror("adjustbuffer");
525
retval = -1;
526
goto mandos_end;
445
if (buffer_length + BUFFER_SIZE > buffer_capacity){
446
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
447
if (buffer == NULL){
448
perror("realloc");
449
goto exit;
450
}
451
buffer_capacity += BUFFER_SIZE;
527
452
}
528
453
529
ret = gnutls_record_recv(session, buffer+buffer_length,
530
BUFFER_SIZE);
454
ret = gnutls_record_recv
455
(es.session, buffer+buffer_length, BUFFER_SIZE);
531
456
if (ret == 0){
532
457
break;
533
458
}
537
462
case GNUTLS_E_AGAIN:
538
463
break;
539
464
case GNUTLS_E_REHANDSHAKE:
540
ret = gnutls_handshake (session);
465
ret = gnutls_handshake (es.session);
541
466
if (ret < 0){
542
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
467
fprintf(stderr, "\n*** Handshake failed ***\n");
543
468
gnutls_perror (ret);
544
469
retval = -1;
545
goto mandos_end;
470
goto exit;
546
471
}
547
472
break;
548
473
default:
549
474
fprintf(stderr, "Unknown error while reading data from"
550
" encrypted session with Mandos server\n");
475
" encrypted session with mandos server\n");
551
476
retval = -1;
552
gnutls_bye (session, GNUTLS_SHUT_RDWR);
553
goto mandos_end;
477
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
478
goto exit;
554
479
}
555
480
} else {
556
481
buffer_length += (size_t) ret;
557
482
}
558
483
}
559
484
560
if(debug){
561
fprintf(stderr, "Closing TLS session\n");
562
}
563
564
gnutls_bye (session, GNUTLS_SHUT_RDWR);
565
566
485
if (buffer_length > 0){
567
486
decrypted_buffer_size = pgp_packet_decrypt(buffer,
568
487
buffer_length,
569
488
&decrypted_buffer,
570
keydir);
489
CERT_ROOT);
571
490
if (decrypted_buffer_size >= 0){
572
written = 0;
573
while(written < (size_t) decrypted_buffer_size){
574
ret = (int)fwrite (decrypted_buffer + written, 1,
575
(size_t)decrypted_buffer_size - written,
576
stdout);
491
while(decrypted_buffer_size > 0){
492
ret = fwrite (decrypted_buffer, 1, (size_t)decrypted_buffer_size,
493
stdout);
577
494
if(ret == 0 and ferror(stdout)){
578
495
if(debug){
579
496
fprintf(stderr, "Error writing encrypted data: %s\n",
582
499
retval = -1;
583
500
break;
584
501
}
585
written += (size_t)ret;
502
decrypted_buffer += ret;
503
decrypted_buffer_size -= ret;
586
504
}
587
505
free(decrypted_buffer);
588
506
} else {
589
507
retval = -1;
590
508
}
591
509
}
592
593
/* Shutdown procedure */
594
595
mandos_end:
510
511
//shutdown procedure
512
513
if(debug){
514
fprintf(stderr, "Closing TLS session\n");
515
}
516
596
517
free(buffer);
518
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
519
exit:
597
520
close(tcp_sd);
598
gnutls_deinit (session);
599
gnutls_certificate_free_credentials (mc->cred);
521
gnutls_deinit (es.session);
522
gnutls_certificate_free_credentials (es.cred);
600
523
gnutls_global_deinit ();
601
524
return retval;
602
525
}
603
526
604
static void resolve_callback(AvahiSServiceResolver *r,
605
AvahiIfIndex interface,
606
AVAHI_GCC_UNUSED AvahiProtocol protocol,
607
AvahiResolverEvent event,
608
const char *name,
609
const char *type,
610
const char *domain,
611
const char *host_name,
612
const AvahiAddress *address,
613
uint16_t port,
614
AVAHI_GCC_UNUSED AvahiStringList *txt,
615
AVAHI_GCC_UNUSED AvahiLookupResultFlags
616
flags,
617
void* userdata) {
618
mandos_context *mc = userdata;
619
assert(r); /* Spurious warning */
620
527
static AvahiSimplePoll *simple_poll = NULL;
528
static AvahiServer *server = NULL;
529
530
static void resolve_callback(
531
AvahiSServiceResolver *r,
532
AVAHI_GCC_UNUSED AvahiIfIndex interface,
533
AVAHI_GCC_UNUSED AvahiProtocol protocol,
534
AvahiResolverEvent event,
535
const char *name,
536
const char *type,
537
const char *domain,
538
const char *host_name,
539
const AvahiAddress *address,
540
uint16_t port,
541
AVAHI_GCC_UNUSED AvahiStringList *txt,
542
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
543
AVAHI_GCC_UNUSED void* userdata) {
544
545
assert(r);
546
621
547
/* Called whenever a service has been resolved successfully or
622
548
timed out */
623
549
624
550
switch (event) {
625
551
default:
626
552
case AVAHI_RESOLVER_FAILURE:
627
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
628
" of type '%s' in domain '%s': %s\n", name, type, domain,
629
avahi_strerror(avahi_server_errno(mc->server)));
553
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
554
" type '%s' in domain '%s': %s\n", name, type, domain,
555
avahi_strerror(avahi_server_errno(server)));
630
556
break;
631
557
632
558
case AVAHI_RESOLVER_FOUND:
633
559
{
634
560
char ip[AVAHI_ADDRESS_STR_MAX];
635
561
avahi_address_snprint(ip, sizeof(ip), address);
636
562
if(debug){
637
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
638
" port %d\n", name, host_name, ip, interface, port);
563
fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",
564
host_name, ip, port);
639
565
}
640
int ret = start_mandos_communication(ip, port, interface, mc);
566
int ret = start_mandos_communication(ip, port,
567
(unsigned int)
568
interface);
641
569
if (ret == 0){
642
570
exit(EXIT_SUCCESS);
571
} else {
572
exit(EXIT_FAILURE);
643
573
}
644
574
}
645
575
}
646
576
avahi_s_service_resolver_free(r);
647
577
}
648
578
649
static void browse_callback( AvahiSServiceBrowser *b,
650
AvahiIfIndex interface,
651
AvahiProtocol protocol,
652
AvahiBrowserEvent event,
653
const char *name,
654
const char *type,
655
const char *domain,
656
AVAHI_GCC_UNUSED AvahiLookupResultFlags
657
flags,
658
void* userdata) {
659
mandos_context *mc = userdata;
660
assert(b); /* Spurious warning */
661
662
/* Called whenever a new services becomes available on the LAN or
663
is removed from the LAN */
664
665
switch (event) {
666
default:
667
case AVAHI_BROWSER_FAILURE:
668
669
fprintf(stderr, "(Avahi browser) %s\n",
670
avahi_strerror(avahi_server_errno(mc->server)));
671
avahi_simple_poll_quit(mc->simple_poll);
672
return;
673
674
case AVAHI_BROWSER_NEW:
675
/* We ignore the returned Avahi resolver object. In the callback
676
function we free it. If the Avahi server is terminated before
677
the callback function is called the Avahi server will free the
678
resolver for us. */
679
680
if (!(avahi_s_service_resolver_new(mc->server, interface,
681
protocol, name, type, domain,
682
AVAHI_PROTO_INET6, 0,
683
resolve_callback, mc)))
684
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
685
name, avahi_strerror(avahi_server_errno(mc->server)));
686
break;
687
688
case AVAHI_BROWSER_REMOVE:
689
break;
690
691
case AVAHI_BROWSER_ALL_FOR_NOW:
692
case AVAHI_BROWSER_CACHE_EXHAUSTED:
693
if(debug){
694
fprintf(stderr, "No Mandos server found, still searching...\n");
579
static void browse_callback(
580
AvahiSServiceBrowser *b,
581
AvahiIfIndex interface,
582
AvahiProtocol protocol,
583
AvahiBrowserEvent event,
584
const char *name,
585
const char *type,
586
const char *domain,
587
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
588
void* userdata) {
589
590
AvahiServer *s = userdata;
591
assert(b);
592
593
/* Called whenever a new services becomes available on the LAN or
594
is removed from the LAN */
595
596
switch (event) {
597
default:
598
case AVAHI_BROWSER_FAILURE:
599
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(server)));
602
avahi_simple_poll_quit(simple_poll);
603
return;
604
605
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
610
611
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, s)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(s)));
617
break;
618
619
case AVAHI_BROWSER_REMOVE:
620
break;
621
622
case AVAHI_BROWSER_ALL_FOR_NOW:
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
624
break;
695
625
}
696
break;
697
}
698
}
699
700
/* Combines file name and path and returns the malloced new
701
string. some sane checks could/should be added */
702
static const char *combinepath(const char *first, const char *second){
703
size_t f_len = strlen(first);
704
size_t s_len = strlen(second);
705
char *tmp = malloc(f_len + s_len + 2);
706
if (tmp == NULL){
707
return NULL;
708
}
709
if(f_len > 0){
710
memcpy(tmp, first, f_len); /* Spurious warning */
711
}
712
tmp[f_len] = '/';
713
if(s_len > 0){
714
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
715
}
716
tmp[f_len + 1 + s_len] = '\0';
717
return tmp;
718
}
719
720
721
int main(int argc, char *argv[]){
626
}
627
628
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
629
AvahiServerConfig config;
722
630
AvahiSServiceBrowser *sb = NULL;
723
631
int error;
724
632
int ret;
725
int exitcode = EXIT_SUCCESS;
633
int returncode = EXIT_SUCCESS;
726
634
const char *interface = "eth0";
727
struct ifreq network;
728
int sd;
729
uid_t uid;
730
gid_t gid;
731
char *connect_to = NULL;
732
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
733
const char *pubkeyfile = "pubkey.txt";
734
const char *seckeyfile = "seckey.txt";
735
mandos_context mc = { .simple_poll = NULL, .server = NULL,
736
.dh_bits = 1024, .priority = "SECURE256"};
737
738
{
739
struct argp_option options[] = {
740
{ .name = "debug", .key = 128,
741
.doc = "Debug mode", .group = 3 },
742
{ .name = "connect", .key = 'c',
743
.arg = "IP",
744
.doc = "Connect directly to a sepcified mandos server", .group = 1 },
745
{ .name = "interface", .key = 'i',
746
.arg = "INTERFACE",
747
.doc = "Interface that Avahi will conntect through", .group = 1 },
748
{ .name = "keydir", .key = 'd',
749
.arg = "KEYDIR",
750
.doc = "Directory where the openpgp keyring is", .group = 1 },
751
{ .name = "seckey", .key = 's',
752
.arg = "SECKEY",
753
.doc = "Secret openpgp key for gnutls authentication", .group = 1 },
754
{ .name = "pubkey", .key = 'p',
755
.arg = "PUBKEY",
756
.doc = "Public openpgp key for gnutls authentication", .group = 2 },
757
{ .name = "dh-bits", .key = 129,
758
.arg = "BITS",
759
.doc = "dh-bits to use in gnutls communication", .group = 2 },
760
{ .name = "priority", .key = 130,
761
.arg = "PRIORITY",
762
.doc = "GNUTLS priority", .group = 1 },
763
{ .name = NULL }
764
};
765
766
767
error_t parse_opt (int key, char *arg, struct argp_state *state) {
768
/* Get the INPUT argument from `argp_parse', which we know is a
769
pointer to our plugin list pointer. */
770
switch (key) {
771
case 128:
772
debug = true;
773
break;
774
case 'c':
775
connect_to = arg;
776
break;
777
case 'i':
778
interface = arg;
779
break;
780
case 'd':
781
keydir = arg;
782
break;
783
case 's':
784
seckeyfile = arg;
785
break;
786
case 'p':
787
pubkeyfile = arg;
788
break;
789
case 129:
790
errno = 0;
791
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
792
if (errno){
793
perror("strtol");
794
exit(EXIT_FAILURE);
795
}
796
break;
797
case 130:
798
mc.priority = arg;
799
break;
800
case ARGP_KEY_ARG:
801
argp_usage (state);
802
break;
803
case ARGP_KEY_END:
804
break;
805
default:
806
return ARGP_ERR_UNKNOWN;
807
}
808
return 0;
809
}
810
811
struct argp argp = { .options = options, .parser = parse_opt,
812
.args_doc = "",
813
.doc = "Mandos client -- Get and decrypt passwords from mandos server" };
814
argp_parse (&argp, argc, argv, 0, 0, NULL);
815
}
816
817
pubkeyfile = combinepath(keydir, pubkeyfile);
818
if (pubkeyfile == NULL){
819
perror("combinepath");
820
exitcode = EXIT_FAILURE;
821
goto end;
822
}
823
824
seckeyfile = combinepath(keydir, seckeyfile);
825
if (seckeyfile == NULL){
826
perror("combinepath");
827
goto end;
828
}
829
830
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
831
if (ret == -1){
832
fprintf(stderr, "init_gnutls_global\n");
833
goto end;
834
}
835
836
uid = getuid();
837
gid = getgid();
838
839
ret = setuid(uid);
840
if (ret == -1){
841
perror("setuid");
842
}
843
844
setgid(gid);
845
if (ret == -1){
846
perror("setgid");
847
}
848
849
if_index = (AvahiIfIndex) if_nametoindex(interface);
850
if(if_index == 0){
851
fprintf(stderr, "No such interface: \"%s\"\n", interface);
852
exit(EXIT_FAILURE);
853
}
854
855
if(connect_to != NULL){
856
/* Connect directly, do not use Zeroconf */
857
/* (Mainly meant for debugging) */
858
char *address = strrchr(connect_to, ':');
859
if(address == NULL){
860
fprintf(stderr, "No colon in address\n");
861
exitcode = EXIT_FAILURE;
862
goto end;
863
}
864
errno = 0;
865
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
866
if(errno){
867
perror("Bad port number");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
*address = '\0';
872
address = connect_to;
873
ret = start_mandos_communication(address, port, if_index, &mc);
874
if(ret < 0){
875
exitcode = EXIT_FAILURE;
876
} else {
877
exitcode = EXIT_SUCCESS;
878
}
879
goto end;
880
}
881
882
/* If the interface is down, bring it up */
883
{
884
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
885
if(sd < 0) {
886
perror("socket");
887
exitcode = EXIT_FAILURE;
888
goto end;
889
}
890
strcpy(network.ifr_name, interface); /* Spurious warning */
891
ret = ioctl(sd, SIOCGIFFLAGS, &network);
892
if(ret == -1){
893
perror("ioctl SIOCGIFFLAGS");
894
exitcode = EXIT_FAILURE;
895
goto end;
896
}
897
if((network.ifr_flags & IFF_UP) == 0){
898
network.ifr_flags |= IFF_UP;
899
ret = ioctl(sd, SIOCSIFFLAGS, &network);
900
if(ret == -1){
901
perror("ioctl SIOCSIFFLAGS");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
}
906
close(sd);
635
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"interface", required_argument, 0, 'i'},
640
{0, 0, 0, 0} };
641
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
644
&option_index);
645
646
if (ret == -1){
647
break;
648
}
649
650
switch(ret){
651
case 0:
652
break;
653
case 'i':
654
interface = optarg;
655
break;
656
default:
657
exit(EXIT_FAILURE);
658
}
907
659
}
908
660
909
661
if (not debug){
910
662
avahi_set_log_function(empty_log);
911
663
}
912
664
913
/* Initialize the pseudo-RNG for Avahi */
665
/* Initialize the psuedo-RNG */
914
666
srand((unsigned int) time(NULL));
915
916
/* Allocate main Avahi loop object */
917
mc.simple_poll = avahi_simple_poll_new();
918
if (mc.simple_poll == NULL) {
919
fprintf(stderr, "Avahi: Failed to create simple poll"
920
" object.\n");
921
exitcode = EXIT_FAILURE;
922
goto end;
923
}
924
925
{
926
AvahiServerConfig config;
927
/* Do not publish any local Zeroconf records */
928
avahi_server_config_init(&config);
929
config.publish_hinfo = 0;
930
config.publish_addresses = 0;
931
config.publish_workstation = 0;
932
config.publish_domain = 0;
933
934
/* Allocate a new server */
935
mc.server = avahi_server_new(avahi_simple_poll_get
936
(mc.simple_poll), &config, NULL,
937
NULL, &error);
938
939
/* Free the Avahi configuration data */
940
avahi_server_config_free(&config);
941
}
942
943
/* Check if creating the Avahi server object succeeded */
944
if (mc.server == NULL) {
945
fprintf(stderr, "Failed to create Avahi server: %s\n",
667
668
/* Allocate main loop object */
669
if (!(simple_poll = avahi_simple_poll_new())) {
670
fprintf(stderr, "Failed to create simple poll object.\n");
671
672
goto exit;
673
}
674
675
/* Do not publish any local records */
676
avahi_server_config_init(&config);
677
config.publish_hinfo = 0;
678
config.publish_addresses = 0;
679
config.publish_workstation = 0;
680
config.publish_domain = 0;
681
682
/* Allocate a new server */
683
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
684
&config, NULL, NULL, &error);
685
686
/* Free the configuration data */
687
avahi_server_config_free(&config);
688
689
/* Check if creating the server object succeeded */
690
if (!server) {
691
fprintf(stderr, "Failed to create server: %s\n",
946
692
avahi_strerror(error));
947
exitcode = EXIT_FAILURE;
948
goto end;
693
returncode = EXIT_FAILURE;
694
goto exit;
949
695
}
950
696
951
/* Create the Avahi service browser */
952
sb = avahi_s_service_browser_new(mc.server, if_index,
697
/* Create the service browser */
698
sb = avahi_s_service_browser_new(server,
699
(AvahiIfIndex)
700
if_nametoindex(interface),
953
701
AVAHI_PROTO_INET6,
954
702
"_mandos._tcp", NULL, 0,
955
browse_callback, &mc);
956
if (sb == NULL) {
703
browse_callback, server);
704
if (!sb) {
957
705
fprintf(stderr, "Failed to create service browser: %s\n",
958
avahi_strerror(avahi_server_errno(mc.server)));
959
exitcode = EXIT_FAILURE;
960
goto end;
706
avahi_strerror(avahi_server_errno(server)));
707
returncode = EXIT_FAILURE;
708
goto exit;
961
709
}
962
710
963
711
/* Run the main loop */
964
712
965
713
if (debug){
966
fprintf(stderr, "Starting Avahi loop search\n");
714
fprintf(stderr, "Starting avahi loop search\n");
967
715
}
968
716
969
avahi_simple_poll_loop(mc.simple_poll);
717
avahi_simple_poll_loop(simple_poll);
970
718
971
end:
719
exit:
972
720
973
721
if (debug){
974
722
fprintf(stderr, "%s exiting\n", argv[0]);
975
723
}
976
724
977
725
/* Cleanup things */
978
if (sb != NULL)
726
if (sb)
979
727
avahi_s_service_browser_free(sb);
980
728
981
if (mc.server != NULL)
982
avahi_server_free(mc.server);
983
984
if (mc.simple_poll != NULL)
985
avahi_simple_poll_free(mc.simple_poll);
986
free(pubkeyfile);
987
free(seckeyfile);
988
989
return exitcode;
729
if (server)
730
avahi_server_free(server);
731
732
if (simple_poll)
733
avahi_simple_poll_free(simple_poll);
734
735
return returncode;
990
736
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0