To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 21
- compare with another revision
- download diff
- download tarball
- view history from revision 21
- Committer: Teddy Hogeborn
- Date: 2008-07-21 15:34:44 UTC
- Revision ID: teddy@fukt.bsnet.se-20080721153444-lugbjkj1oq65ugq3
* Makefile (CFLAGS): Changed to use $(WARN), $(DEBUG), $(COVERAGE) and
$(LANGUAGE).
(WARN, DEBUG, COVERAGE, LANGUAGE): New.
(LDFLAGS): New; use $(COVERAGE)
* plugbasedclient.c: Added copyright header.
(process.buffer_size, process.buffer_length): Changed to "size_t".
(main): Cast arguments to malloc and realloc. Detect read errors
from processes.
* mandosclient.c: Added copyright header.
(interface): Moved to inside "main".
(gpg_packet_decrypt): Renamed to "pgp_packet_decrypt"; all callers
changed. Changed "new_packet_capacity" and
"new_packet_length" to be ssize_t. Cast
arguments to realloc.
(debuggnutls): Attribute "level" argument as unused.
(empty_log): Attribute "level" and "txt" arguments as unused.
(start_mandos_communication): New argument "if_index". Bug fix:
check ret, no tcp_sd, for errors from
setsockopt. Use "if_index" directly
instead of looking up the index. Loop
around fwrite until all data is written.
(resolve_callback): Attribute "txt", and "flags" as usused. Added
default case to switch. Also show server host
name. Call start_mandos_communication with
"interface".
(browse_callback): Added default case to switch.
(main): Variable "interface" moved here. Cast "srand" argument.
Bug fix: Call avahi_s_service_browser_new with index of
"interface", not "eth0".
* passprompt.c: Added copyright header.
(termination_handler): Attribute "signum" argument as unused.
$(LANGUAGE).
(WARN, DEBUG, COVERAGE, LANGUAGE): New.
(LDFLAGS): New; use $(COVERAGE)
* plugbasedclient.c: Added copyright header.
(process.buffer_size, process.buffer_length): Changed to "size_t".
(main): Cast arguments to malloc and realloc. Detect read errors
from processes.
* mandosclient.c: Added copyright header.
(interface): Moved to inside "main".
(gpg_packet_decrypt): Renamed to "pgp_packet_decrypt"; all callers
changed. Changed "new_packet_capacity" and
"new_packet_length" to be ssize_t. Cast
arguments to realloc.
(debuggnutls): Attribute "level" argument as unused.
(empty_log): Attribute "level" and "txt" arguments as unused.
(start_mandos_communication): New argument "if_index". Bug fix:
check ret, no tcp_sd, for errors from
setsockopt. Use "if_index" directly
instead of looking up the index. Loop
around fwrite until all data is written.
(resolve_callback): Attribute "txt", and "flags" as usused. Added
default case to switch. Also show server host
name. Call start_mandos_communication with
"interface".
(browse_callback): Added default case to switch.
(main): Variable "interface" moved here. Cast "srand" argument.
Bug fix: Call avahi_s_service_browser_new with index of
"interface", not "eth0".
* passprompt.c: Added copyright header.
(termination_handler): Attribute "signum" argument as unused.
- files removed:
- server.conf
- files renamed:
- clients.conf => mandos-clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
13
13
*
14
14
* This program is free software: you can redistribute it and/or
15
15
* modify it under the terms of the GNU General Public License as
25
25
* along with this program. If not, see
26
26
* <http://www.gnu.org/licenses/>.
27
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
30
*/
30
31
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _FORTIFY_SOURCE 2
33
32
34
#define _LARGEFILE_SOURCE
33
35
#define _FILE_OFFSET_BITS 64
34
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
37
#include <stdio.h>
38
38
#include <assert.h>
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
42
47
43
#include <avahi-core/core.h>
48
44
#include <avahi-core/lookup.h>
51
47
#include <avahi-common/malloc.h>
52
48
#include <avahi-common/error.h>
53
49
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
50
//mandos client part
51
#include <sys/types.h> /* socket(), setsockopt(),
52
inet_pton() */
53
#include <sys/socket.h> /* socket(), setsockopt(),
54
struct sockaddr_in6,
57
55
struct in6_addr, inet_pton() */
58
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
65
66
// gpgme
72
67
#include <errno.h> /* perror() */
73
68
#include <gpgme.h>
74
69
70
// getopt long
71
#include <getopt.h>
72
73
#ifndef CERT_ROOT
74
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
75
#endif
76
#define CERTFILE CERT_ROOT "openpgp-client.txt"
77
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
75
78
#define BUFFER_SIZE 256
79
#define DH_BITS 1024
76
80
77
81
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
static const char mandos_protocol_version[] = "1";
82
82
83
/* Used for passing in values through the Avahi callback functions */
84
83
typedef struct {
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
84
gnutls_session_t session;
87
85
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
89
86
gnutls_dh_params_t dh_params;
90
const char *priority;
91
} mandos_context;
92
93
/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
94
* "buffer_capacity" is how much is currently allocated,
95
* "buffer_length" is how much is already used. */
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
87
} encrypted_session;
88
89
90
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
91
char **new_packet, const char *homedir){
116
92
gpgme_data_t dh_crypto, dh_plain;
117
93
gpgme_ctx_t ctx;
118
94
gpgme_error_t rc;
119
95
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
96
ssize_t new_packet_capacity = 0;
97
ssize_t new_packet_length = 0;
122
98
gpgme_engine_info_t engine_info;
123
99
124
100
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
101
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
102
}
127
103
128
104
/* Init GPGME */
129
105
gpgme_check_version(NULL);
130
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
131
if (rc != GPG_ERR_NO_ERROR){
132
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
133
gpgme_strsource(rc), gpgme_strerror(rc));
134
return -1;
135
}
106
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
136
107
137
/* Set GPGME home directory for the OpenPGP engine only */
108
/* Set GPGME home directory */
138
109
rc = gpgme_get_engine_info (&engine_info);
139
110
if (rc != GPG_ERR_NO_ERROR){
140
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
121
engine_info = engine_info->next;
151
122
}
152
123
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
125
return -1;
155
126
}
156
127
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
130
if (rc != GPG_ERR_NO_ERROR){
161
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
132
gpgme_strsource(rc), gpgme_strerror(rc));
168
138
if (rc != GPG_ERR_NO_ERROR){
169
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
140
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
141
return -1;
173
142
}
174
143
177
146
if (rc != GPG_ERR_NO_ERROR){
178
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
148
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
149
return -1;
182
150
}
183
151
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
186
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
155
if (rc != GPG_ERR_NO_ERROR){
188
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
157
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
158
return -1;
192
159
}
193
160
194
161
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
163
}
197
164
198
165
if (debug){
199
166
gpgme_decrypt_result_t result;
200
167
result = gpgme_op_decrypt_result(ctx);
224
191
}
225
192
}
226
193
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
196
227
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
}
233
234
*plaintext = NULL;
198
gpgme_data_seek(dh_plain, 0, SEEK_SET);
199
200
*new_packet = 0;
235
201
while(true){
236
plaintext_capacity = adjustbuffer(plaintext,
237
(size_t)plaintext_length,
238
plaintext_capacity);
239
if (plaintext_capacity == 0){
240
perror("adjustbuffer");
241
plaintext_length = -1;
242
goto decrypt_end;
202
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
203
*new_packet = realloc(*new_packet,
204
(unsigned int)new_packet_capacity
205
+ BUFFER_SIZE);
206
if (*new_packet == NULL){
207
perror("realloc");
208
return -1;
209
}
210
new_packet_capacity += BUFFER_SIZE;
243
211
}
244
212
245
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
213
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
246
214
BUFFER_SIZE);
247
215
/* Print the data, if any */
248
216
if (ret == 0){
249
/* EOF */
250
217
break;
251
218
}
252
219
if(ret < 0){
253
220
perror("gpgme_data_read");
254
plaintext_length = -1;
255
goto decrypt_end;
221
return -1;
256
222
}
257
plaintext_length += ret;
223
new_packet_length += ret;
258
224
}
259
225
260
if(debug){
261
fprintf(stderr, "Decrypted password is: ");
262
for(ssize_t i = 0; i < plaintext_length; i++){
263
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
264
}
265
fprintf(stderr, "\n");
266
}
267
268
decrypt_end:
269
270
/* Delete the GPGME cryptotext data buffer */
271
gpgme_data_release(dh_crypto);
226
/* FIXME: check characters before printing to screen so to not print
227
terminal control characters */
228
/* if(debug){ */
229
/* fprintf(stderr, "decrypted password is: "); */
230
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
231
/* fprintf(stderr, "\n"); */
232
/* } */
272
233
273
234
/* Delete the GPGME plaintext data buffer */
274
235
gpgme_data_release(dh_plain);
275
return plaintext_length;
236
return new_packet_length;
276
237
}
277
238
278
239
static const char * safer_gnutls_strerror (int value) {
282
243
return ret;
283
244
}
284
245
285
/* GnuTLS log function callback */
286
static void debuggnutls(__attribute__((unused)) int level,
287
const char* string){
288
fprintf(stderr, "GnuTLS: %s", string);
246
void debuggnutls(__attribute__((unused)) int level,
247
const char* string){
248
fprintf(stderr, "%s", string);
289
249
}
290
250
291
static int init_gnutls_global(mandos_context *mc,
292
const char *pubkeyfile,
293
const char *seckeyfile){
251
int initgnutls(encrypted_session *es){
252
const char *err;
294
253
int ret;
295
254
296
255
if(debug){
297
256
fprintf(stderr, "Initializing GnuTLS\n");
298
257
}
299
258
300
259
if ((ret = gnutls_global_init ())
301
260
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "GnuTLS global_init: %s\n",
303
safer_gnutls_strerror(ret));
261
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
262
return -1;
305
263
}
306
264
307
265
if (debug){
308
/* "Use a log level over 10 to enable all debugging options."
309
* - GnuTLS manual
310
*/
311
266
gnutls_global_set_log_level(11);
312
267
gnutls_global_set_log_function(debuggnutls);
313
268
}
314
269
315
/* OpenPGP credentials */
316
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
270
/* openpgp credentials */
271
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
317
272
!= GNUTLS_E_SUCCESS) {
318
fprintf (stderr, "GnuTLS memory error: %s\n",
273
fprintf (stderr, "memory error: %s\n",
319
274
safer_gnutls_strerror(ret));
320
275
return -1;
321
276
}
322
277
323
278
if(debug){
324
279
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
325
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
326
seckeyfile);
280
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
281
KEYFILE);
327
282
}
328
283
329
284
ret = gnutls_certificate_set_openpgp_key_file
330
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
285
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
331
286
if (ret != GNUTLS_E_SUCCESS) {
332
fprintf(stderr,
333
"Error[%d] while reading the OpenPGP key pair ('%s',"
334
" '%s')\n", ret, pubkeyfile, seckeyfile);
335
fprintf(stdout, "The GnuTLS error is: %s\n",
287
fprintf
288
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
289
" '%s')\n",
290
ret, CERTFILE, KEYFILE);
291
fprintf(stdout, "The Error is: %s\n",
336
292
safer_gnutls_strerror(ret));
337
293
return -1;
338
294
}
339
295
340
/* GnuTLS server initialization */
341
ret = gnutls_dh_params_init(&mc->dh_params);
342
if (ret != GNUTLS_E_SUCCESS) {
343
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
344
" %s\n", safer_gnutls_strerror(ret));
345
return -1;
346
}
347
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
348
if (ret != GNUTLS_E_SUCCESS) {
349
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
350
safer_gnutls_strerror(ret));
351
return -1;
352
}
353
354
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
356
return 0;
357
}
358
359
static int init_gnutls_session(mandos_context *mc,
360
gnutls_session_t *session){
361
int ret;
362
/* GnuTLS session creation */
363
ret = gnutls_init(session, GNUTLS_SERVER);
364
if (ret != GNUTLS_E_SUCCESS){
296
//GnuTLS server initialization
297
if ((ret = gnutls_dh_params_init (&es->dh_params))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "Error in dh parameter initialization: %s\n",
300
safer_gnutls_strerror(ret));
301
return -1;
302
}
303
304
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in prime generation: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
312
313
// GnuTLS session creation
314
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
315
!= GNUTLS_E_SUCCESS){
365
316
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
366
317
safer_gnutls_strerror(ret));
367
318
}
368
319
369
{
370
const char *err;
371
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
372
if (ret != GNUTLS_E_SUCCESS) {
373
fprintf(stderr, "Syntax error at: %s\n", err);
374
fprintf(stderr, "GnuTLS error: %s\n",
375
safer_gnutls_strerror(ret));
376
return -1;
377
}
320
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
321
!= GNUTLS_E_SUCCESS) {
322
fprintf(stderr, "Syntax error at: %s\n", err);
323
fprintf(stderr, "GnuTLS error: %s\n",
324
safer_gnutls_strerror(ret));
325
return -1;
378
326
}
379
327
380
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
381
mc->cred);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
328
if ((ret = gnutls_credentials_set
329
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf(stderr, "Error setting a credentials set: %s\n",
384
332
safer_gnutls_strerror(ret));
385
333
return -1;
386
334
}
387
335
388
336
/* ignore client certificate if any. */
389
gnutls_certificate_server_set_request (*session,
337
gnutls_certificate_server_set_request (es->session,
390
338
GNUTLS_CERT_IGNORE);
391
339
392
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
340
gnutls_dh_set_prime_bits (es->session, DH_BITS);
393
341
394
342
return 0;
395
343
}
396
344
397
/* Avahi log function callback */
398
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
399
__attribute__((unused)) const char *txt){}
345
void empty_log(__attribute__((unused)) AvahiLogLevel level,
346
__attribute__((unused)) const char *txt){}
400
347
401
/* Called when a Mandos server is found */
402
static int start_mandos_communication(const char *ip, uint16_t port,
403
AvahiIfIndex if_index,
404
mandos_context *mc){
348
int start_mandos_communication(char *ip, uint16_t port,
349
unsigned int if_index){
405
350
int ret, tcp_sd;
406
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
351
struct sockaddr_in6 to;
352
encrypted_session es;
407
353
char *buffer = NULL;
408
354
char *decrypted_buffer;
409
355
size_t buffer_length = 0;
410
356
size_t buffer_capacity = 0;
411
357
ssize_t decrypted_buffer_size;
412
size_t written;
413
358
int retval = 0;
414
359
char interface[IF_NAMESIZE];
415
gnutls_session_t session;
416
417
ret = init_gnutls_session (mc, &session);
418
if (ret != 0){
419
return -1;
420
}
421
360
422
361
if(debug){
423
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
424
ip, port);
362
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
425
363
}
426
364
427
365
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
429
367
perror("socket");
430
368
return -1;
431
369
}
432
433
if(debug){
434
if(if_indextoname((unsigned int)if_index, interface) == NULL){
370
371
if(if_indextoname(if_index, interface) == NULL){
372
if(debug){
435
373
perror("if_indextoname");
436
return -1;
437
374
}
375
return -1;
376
}
377
378
if(debug){
438
379
fprintf(stderr, "Binding to interface %s\n", interface);
439
380
}
440
381
441
memset(&to,0,sizeof(to)); /* Spurious warning */
442
to.in6.sin6_family = AF_INET6;
443
/* It would be nice to have a way to detect if we were passed an
444
IPv4 address here. Now we assume an IPv6 address. */
445
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
382
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
383
if(ret < 0) {
384
perror("setsockopt bindtodevice");
385
return -1;
386
}
387
388
memset(&to,0,sizeof(to));
389
to.sin6_family = AF_INET6;
390
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
446
391
if (ret < 0 ){
447
392
perror("inet_pton");
448
393
return -1;
449
}
394
}
450
395
if(ret == 0){
451
396
fprintf(stderr, "Bad address: %s\n", ip);
452
397
return -1;
453
398
}
454
to.in6.sin6_port = htons(port); /* Spurious warning */
399
/* Spurious warnings for the next line, see for instance
400
<http://bugs.debian.org/488884> */
401
to.sin6_port = htons(port);
455
402
456
to.in6.sin6_scope_id = (uint32_t)if_index;
403
to.sin6_scope_id = (uint32_t)if_index;
457
404
458
405
if(debug){
459
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
460
char addrstr[INET6_ADDRSTRLEN] = "";
461
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
462
sizeof(addrstr)) == NULL){
463
perror("inet_ntop");
464
} else {
465
if(strcmp(addrstr, ip) != 0){
466
fprintf(stderr, "Canonical address form: %s\n", addrstr);
467
}
468
}
406
fprintf(stderr, "Connection to: %s\n", ip);
469
407
}
470
408
471
ret = connect(tcp_sd, &to.in, sizeof(to));
409
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
472
410
if (ret < 0){
473
411
perror("connect");
474
412
return -1;
475
413
}
476
477
const char *out = mandos_protocol_version;
478
written = 0;
479
while (true){
480
size_t out_size = strlen(out);
481
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
482
out_size - written));
483
if (ret == -1){
484
perror("write");
485
retval = -1;
486
goto mandos_end;
487
}
488
written += (size_t)ret;
489
if(written < out_size){
490
continue;
491
} else {
492
if (out == mandos_protocol_version){
493
written = 0;
494
out = "\r\n";
495
} else {
496
break;
497
}
498
}
414
415
ret = initgnutls (&es);
416
if (ret != 0){
417
retval = -1;
418
return -1;
499
419
}
500
420
421
gnutls_transport_set_ptr (es.session,
422
(gnutls_transport_ptr_t) tcp_sd);
423
501
424
if(debug){
502
425
fprintf(stderr, "Establishing TLS session with %s\n", ip);
503
426
}
504
427
505
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
506
507
ret = gnutls_handshake (session);
428
ret = gnutls_handshake (es.session);
508
429
509
430
if (ret != GNUTLS_E_SUCCESS){
510
if(debug){
511
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
512
gnutls_perror (ret);
513
}
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
514
433
retval = -1;
515
goto mandos_end;
434
goto exit;
516
435
}
517
436
518
/* Read OpenPGP packet that contains the wanted password */
437
//Retrieve OpenPGP packet that contains the wanted password
519
438
520
439
if(debug){
521
440
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
523
442
}
524
443
525
444
while(true){
526
buffer_capacity = adjustbuffer(&buffer, buffer_length,
527
buffer_capacity);
528
if (buffer_capacity == 0){
529
perror("adjustbuffer");
530
retval = -1;
531
goto mandos_end;
445
if (buffer_length + BUFFER_SIZE > buffer_capacity){
446
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
447
if (buffer == NULL){
448
perror("realloc");
449
goto exit;
450
}
451
buffer_capacity += BUFFER_SIZE;
532
452
}
533
453
534
ret = gnutls_record_recv(session, buffer+buffer_length,
535
BUFFER_SIZE);
454
ret = gnutls_record_recv
455
(es.session, buffer+buffer_length, BUFFER_SIZE);
536
456
if (ret == 0){
537
457
break;
538
458
}
542
462
case GNUTLS_E_AGAIN:
543
463
break;
544
464
case GNUTLS_E_REHANDSHAKE:
545
ret = gnutls_handshake (session);
465
ret = gnutls_handshake (es.session);
546
466
if (ret < 0){
547
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
467
fprintf(stderr, "\n*** Handshake failed ***\n");
548
468
gnutls_perror (ret);
549
469
retval = -1;
550
goto mandos_end;
470
goto exit;
551
471
}
552
472
break;
553
473
default:
554
474
fprintf(stderr, "Unknown error while reading data from"
555
" encrypted session with Mandos server\n");
475
" encrypted session with mandos server\n");
556
476
retval = -1;
557
gnutls_bye (session, GNUTLS_SHUT_RDWR);
558
goto mandos_end;
477
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
478
goto exit;
559
479
}
560
480
} else {
561
481
buffer_length += (size_t) ret;
562
482
}
563
483
}
564
484
565
if(debug){
566
fprintf(stderr, "Closing TLS session\n");
567
}
568
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
571
485
if (buffer_length > 0){
572
486
decrypted_buffer_size = pgp_packet_decrypt(buffer,
573
487
buffer_length,
574
488
&decrypted_buffer,
575
keydir);
489
CERT_ROOT);
576
490
if (decrypted_buffer_size >= 0){
577
written = 0;
578
while(written < (size_t) decrypted_buffer_size){
579
ret = (int)fwrite (decrypted_buffer + written, 1,
580
(size_t)decrypted_buffer_size - written,
581
stdout);
491
while(decrypted_buffer_size > 0){
492
ret = fwrite (decrypted_buffer, 1, (size_t)decrypted_buffer_size,
493
stdout);
582
494
if(ret == 0 and ferror(stdout)){
583
495
if(debug){
584
496
fprintf(stderr, "Error writing encrypted data: %s\n",
587
499
retval = -1;
588
500
break;
589
501
}
590
written += (size_t)ret;
502
decrypted_buffer += ret;
503
decrypted_buffer_size -= ret;
591
504
}
592
505
free(decrypted_buffer);
593
506
} else {
594
507
retval = -1;
595
508
}
596
509
}
597
598
/* Shutdown procedure */
599
600
mandos_end:
510
511
//shutdown procedure
512
513
if(debug){
514
fprintf(stderr, "Closing TLS session\n");
515
}
516
601
517
free(buffer);
518
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
519
exit:
602
520
close(tcp_sd);
603
gnutls_deinit (session);
604
gnutls_certificate_free_credentials (mc->cred);
521
gnutls_deinit (es.session);
522
gnutls_certificate_free_credentials (es.cred);
605
523
gnutls_global_deinit ();
606
524
return retval;
607
525
}
608
526
609
static void resolve_callback(AvahiSServiceResolver *r,
610
AvahiIfIndex interface,
611
AVAHI_GCC_UNUSED AvahiProtocol protocol,
612
AvahiResolverEvent event,
613
const char *name,
614
const char *type,
615
const char *domain,
616
const char *host_name,
617
const AvahiAddress *address,
618
uint16_t port,
619
AVAHI_GCC_UNUSED AvahiStringList *txt,
620
AVAHI_GCC_UNUSED AvahiLookupResultFlags
621
flags,
622
void* userdata) {
623
mandos_context *mc = userdata;
624
assert(r); /* Spurious warning */
625
527
static AvahiSimplePoll *simple_poll = NULL;
528
static AvahiServer *server = NULL;
529
530
static void resolve_callback(
531
AvahiSServiceResolver *r,
532
AVAHI_GCC_UNUSED AvahiIfIndex interface,
533
AVAHI_GCC_UNUSED AvahiProtocol protocol,
534
AvahiResolverEvent event,
535
const char *name,
536
const char *type,
537
const char *domain,
538
const char *host_name,
539
const AvahiAddress *address,
540
uint16_t port,
541
AVAHI_GCC_UNUSED AvahiStringList *txt,
542
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
543
AVAHI_GCC_UNUSED void* userdata) {
544
545
assert(r);
546
626
547
/* Called whenever a service has been resolved successfully or
627
548
timed out */
628
549
629
550
switch (event) {
630
551
default:
631
552
case AVAHI_RESOLVER_FAILURE:
632
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
633
" of type '%s' in domain '%s': %s\n", name, type, domain,
634
avahi_strerror(avahi_server_errno(mc->server)));
553
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
554
" type '%s' in domain '%s': %s\n", name, type, domain,
555
avahi_strerror(avahi_server_errno(server)));
635
556
break;
636
557
637
558
case AVAHI_RESOLVER_FOUND:
638
559
{
639
560
char ip[AVAHI_ADDRESS_STR_MAX];
640
561
avahi_address_snprint(ip, sizeof(ip), address);
641
562
if(debug){
642
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
643
" port %d\n", name, host_name, ip, interface, port);
563
fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",
564
host_name, ip, port);
644
565
}
645
int ret = start_mandos_communication(ip, port, interface, mc);
566
int ret = start_mandos_communication(ip, port,
567
(unsigned int)
568
interface);
646
569
if (ret == 0){
647
570
exit(EXIT_SUCCESS);
571
} else {
572
exit(EXIT_FAILURE);
648
573
}
649
574
}
650
575
}
651
576
avahi_s_service_resolver_free(r);
652
577
}
653
578
654
static void browse_callback( AvahiSServiceBrowser *b,
655
AvahiIfIndex interface,
656
AvahiProtocol protocol,
657
AvahiBrowserEvent event,
658
const char *name,
659
const char *type,
660
const char *domain,
661
AVAHI_GCC_UNUSED AvahiLookupResultFlags
662
flags,
663
void* userdata) {
664
mandos_context *mc = userdata;
665
assert(b); /* Spurious warning */
666
667
/* Called whenever a new services becomes available on the LAN or
668
is removed from the LAN */
669
670
switch (event) {
671
default:
672
case AVAHI_BROWSER_FAILURE:
673
674
fprintf(stderr, "(Avahi browser) %s\n",
675
avahi_strerror(avahi_server_errno(mc->server)));
676
avahi_simple_poll_quit(mc->simple_poll);
677
return;
678
679
case AVAHI_BROWSER_NEW:
680
/* We ignore the returned Avahi resolver object. In the callback
681
function we free it. If the Avahi server is terminated before
682
the callback function is called the Avahi server will free the
683
resolver for us. */
684
685
if (!(avahi_s_service_resolver_new(mc->server, interface,
686
protocol, name, type, domain,
687
AVAHI_PROTO_INET6, 0,
688
resolve_callback, mc)))
689
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
690
name, avahi_strerror(avahi_server_errno(mc->server)));
691
break;
692
693
case AVAHI_BROWSER_REMOVE:
694
break;
695
696
case AVAHI_BROWSER_ALL_FOR_NOW:
697
case AVAHI_BROWSER_CACHE_EXHAUSTED:
698
if(debug){
699
fprintf(stderr, "No Mandos server found, still searching...\n");
579
static void browse_callback(
580
AvahiSServiceBrowser *b,
581
AvahiIfIndex interface,
582
AvahiProtocol protocol,
583
AvahiBrowserEvent event,
584
const char *name,
585
const char *type,
586
const char *domain,
587
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
588
void* userdata) {
589
590
AvahiServer *s = userdata;
591
assert(b);
592
593
/* Called whenever a new services becomes available on the LAN or
594
is removed from the LAN */
595
596
switch (event) {
597
default:
598
case AVAHI_BROWSER_FAILURE:
599
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(server)));
602
avahi_simple_poll_quit(simple_poll);
603
return;
604
605
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
610
611
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, s)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(s)));
617
break;
618
619
case AVAHI_BROWSER_REMOVE:
620
break;
621
622
case AVAHI_BROWSER_ALL_FOR_NOW:
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
624
break;
700
625
}
701
break;
702
}
703
}
704
705
/* Combines file name and path and returns the malloced new
706
string. some sane checks could/should be added */
707
static const char *combinepath(const char *first, const char *second){
708
size_t f_len = strlen(first);
709
size_t s_len = strlen(second);
710
char *tmp = malloc(f_len + s_len + 2);
711
if (tmp == NULL){
712
return NULL;
713
}
714
if(f_len > 0){
715
memcpy(tmp, first, f_len); /* Spurious warning */
716
}
717
tmp[f_len] = '/';
718
if(s_len > 0){
719
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
720
}
721
tmp[f_len + 1 + s_len] = '\0';
722
return tmp;
723
}
724
725
726
int main(int argc, char *argv[]){
626
}
627
628
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
629
AvahiServerConfig config;
727
630
AvahiSServiceBrowser *sb = NULL;
728
631
int error;
729
632
int ret;
730
int exitcode = EXIT_SUCCESS;
633
int returncode = EXIT_SUCCESS;
731
634
const char *interface = "eth0";
732
struct ifreq network;
733
int sd;
734
uid_t uid;
735
gid_t gid;
736
char *connect_to = NULL;
737
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
738
const char *pubkeyfile = "pubkey.txt";
739
const char *seckeyfile = "seckey.txt";
740
mandos_context mc = { .simple_poll = NULL, .server = NULL,
741
.dh_bits = 1024, .priority = "SECURE256"};
742
743
{
744
struct argp_option options[] = {
745
{ .name = "debug", .key = 128,
746
.doc = "Debug mode", .group = 3 },
747
{ .name = "connect", .key = 'c',
748
.arg = "IP",
749
.doc = "Connect directly to a sepcified mandos server",
750
.group = 1 },
751
{ .name = "interface", .key = 'i',
752
.arg = "INTERFACE",
753
.doc = "Interface that Avahi will conntect through",
754
.group = 1 },
755
{ .name = "keydir", .key = 'd',
756
.arg = "KEYDIR",
757
.doc = "Directory where the openpgp keyring is",
758
.group = 1 },
759
{ .name = "seckey", .key = 's',
760
.arg = "SECKEY",
761
.doc = "Secret openpgp key for gnutls authentication",
762
.group = 1 },
763
{ .name = "pubkey", .key = 'p',
764
.arg = "PUBKEY",
765
.doc = "Public openpgp key for gnutls authentication",
766
.group = 2 },
767
{ .name = "dh-bits", .key = 129,
768
.arg = "BITS",
769
.doc = "dh-bits to use in gnutls communication",
770
.group = 2 },
771
{ .name = "priority", .key = 130,
772
.arg = "PRIORITY",
773
.doc = "GNUTLS priority", .group = 1 },
774
{ .name = NULL }
775
};
776
777
778
error_t parse_opt (int key, char *arg,
779
struct argp_state *state) {
780
/* Get the INPUT argument from `argp_parse', which we know is
781
a pointer to our plugin list pointer. */
782
switch (key) {
783
case 128:
784
debug = true;
785
break;
786
case 'c':
787
connect_to = arg;
788
break;
789
case 'i':
790
interface = arg;
791
break;
792
case 'd':
793
keydir = arg;
794
break;
795
case 's':
796
seckeyfile = arg;
797
break;
798
case 'p':
799
pubkeyfile = arg;
800
break;
801
case 129:
802
errno = 0;
803
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
804
if (errno){
805
perror("strtol");
806
exit(EXIT_FAILURE);
807
}
808
break;
809
case 130:
810
mc.priority = arg;
811
break;
812
case ARGP_KEY_ARG:
813
argp_usage (state);
814
break;
815
case ARGP_KEY_END:
816
break;
817
default:
818
return ARGP_ERR_UNKNOWN;
819
}
820
return 0;
821
}
822
823
struct argp argp = { .options = options, .parser = parse_opt,
824
.args_doc = "",
825
.doc = "Mandos client -- Get and decrypt"
826
" passwords from mandos server" };
827
argp_parse (&argp, argc, argv, 0, 0, NULL);
828
}
829
830
pubkeyfile = combinepath(keydir, pubkeyfile);
831
if (pubkeyfile == NULL){
832
perror("combinepath");
833
exitcode = EXIT_FAILURE;
834
goto end;
835
}
836
837
seckeyfile = combinepath(keydir, seckeyfile);
838
if (seckeyfile == NULL){
839
perror("combinepath");
840
goto end;
841
}
842
843
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
844
if (ret == -1){
845
fprintf(stderr, "init_gnutls_global\n");
846
goto end;
847
}
848
849
uid = getuid();
850
gid = getgid();
851
852
ret = setuid(uid);
853
if (ret == -1){
854
perror("setuid");
855
}
856
857
setgid(gid);
858
if (ret == -1){
859
perror("setgid");
860
}
861
862
if_index = (AvahiIfIndex) if_nametoindex(interface);
863
if(if_index == 0){
864
fprintf(stderr, "No such interface: \"%s\"\n", interface);
865
exit(EXIT_FAILURE);
866
}
867
868
if(connect_to != NULL){
869
/* Connect directly, do not use Zeroconf */
870
/* (Mainly meant for debugging) */
871
char *address = strrchr(connect_to, ':');
872
if(address == NULL){
873
fprintf(stderr, "No colon in address\n");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
errno = 0;
878
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
879
if(errno){
880
perror("Bad port number");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
*address = '\0';
885
address = connect_to;
886
ret = start_mandos_communication(address, port, if_index, &mc);
887
if(ret < 0){
888
exitcode = EXIT_FAILURE;
889
} else {
890
exitcode = EXIT_SUCCESS;
891
}
892
goto end;
893
}
894
895
/* If the interface is down, bring it up */
896
{
897
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
898
if(sd < 0) {
899
perror("socket");
900
exitcode = EXIT_FAILURE;
901
goto end;
902
}
903
strcpy(network.ifr_name, interface); /* Spurious warning */
904
ret = ioctl(sd, SIOCGIFFLAGS, &network);
905
if(ret == -1){
906
perror("ioctl SIOCGIFFLAGS");
907
exitcode = EXIT_FAILURE;
908
goto end;
909
}
910
if((network.ifr_flags & IFF_UP) == 0){
911
network.ifr_flags |= IFF_UP;
912
ret = ioctl(sd, SIOCSIFFLAGS, &network);
913
if(ret == -1){
914
perror("ioctl SIOCSIFFLAGS");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
close(sd);
635
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"interface", required_argument, 0, 'i'},
640
{0, 0, 0, 0} };
641
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
644
&option_index);
645
646
if (ret == -1){
647
break;
648
}
649
650
switch(ret){
651
case 0:
652
break;
653
case 'i':
654
interface = optarg;
655
break;
656
default:
657
exit(EXIT_FAILURE);
658
}
920
659
}
921
660
922
661
if (not debug){
923
662
avahi_set_log_function(empty_log);
924
663
}
925
664
926
/* Initialize the pseudo-RNG for Avahi */
665
/* Initialize the psuedo-RNG */
927
666
srand((unsigned int) time(NULL));
928
929
/* Allocate main Avahi loop object */
930
mc.simple_poll = avahi_simple_poll_new();
931
if (mc.simple_poll == NULL) {
932
fprintf(stderr, "Avahi: Failed to create simple poll"
933
" object.\n");
934
exitcode = EXIT_FAILURE;
935
goto end;
936
}
937
938
{
939
AvahiServerConfig config;
940
/* Do not publish any local Zeroconf records */
941
avahi_server_config_init(&config);
942
config.publish_hinfo = 0;
943
config.publish_addresses = 0;
944
config.publish_workstation = 0;
945
config.publish_domain = 0;
946
947
/* Allocate a new server */
948
mc.server = avahi_server_new(avahi_simple_poll_get
949
(mc.simple_poll), &config, NULL,
950
NULL, &error);
951
952
/* Free the Avahi configuration data */
953
avahi_server_config_free(&config);
954
}
955
956
/* Check if creating the Avahi server object succeeded */
957
if (mc.server == NULL) {
958
fprintf(stderr, "Failed to create Avahi server: %s\n",
667
668
/* Allocate main loop object */
669
if (!(simple_poll = avahi_simple_poll_new())) {
670
fprintf(stderr, "Failed to create simple poll object.\n");
671
672
goto exit;
673
}
674
675
/* Do not publish any local records */
676
avahi_server_config_init(&config);
677
config.publish_hinfo = 0;
678
config.publish_addresses = 0;
679
config.publish_workstation = 0;
680
config.publish_domain = 0;
681
682
/* Allocate a new server */
683
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
684
&config, NULL, NULL, &error);
685
686
/* Free the configuration data */
687
avahi_server_config_free(&config);
688
689
/* Check if creating the server object succeeded */
690
if (!server) {
691
fprintf(stderr, "Failed to create server: %s\n",
959
692
avahi_strerror(error));
960
exitcode = EXIT_FAILURE;
961
goto end;
693
returncode = EXIT_FAILURE;
694
goto exit;
962
695
}
963
696
964
/* Create the Avahi service browser */
965
sb = avahi_s_service_browser_new(mc.server, if_index,
697
/* Create the service browser */
698
sb = avahi_s_service_browser_new(server,
699
(AvahiIfIndex)
700
if_nametoindex(interface),
966
701
AVAHI_PROTO_INET6,
967
702
"_mandos._tcp", NULL, 0,
968
browse_callback, &mc);
969
if (sb == NULL) {
703
browse_callback, server);
704
if (!sb) {
970
705
fprintf(stderr, "Failed to create service browser: %s\n",
971
avahi_strerror(avahi_server_errno(mc.server)));
972
exitcode = EXIT_FAILURE;
973
goto end;
706
avahi_strerror(avahi_server_errno(server)));
707
returncode = EXIT_FAILURE;
708
goto exit;
974
709
}
975
710
976
711
/* Run the main loop */
977
712
978
713
if (debug){
979
fprintf(stderr, "Starting Avahi loop search\n");
714
fprintf(stderr, "Starting avahi loop search\n");
980
715
}
981
716
982
avahi_simple_poll_loop(mc.simple_poll);
717
avahi_simple_poll_loop(simple_poll);
983
718
984
end:
719
exit:
985
720
986
721
if (debug){
987
722
fprintf(stderr, "%s exiting\n", argv[0]);
988
723
}
989
724
990
725
/* Cleanup things */
991
if (sb != NULL)
726
if (sb)
992
727
avahi_s_service_browser_free(sb);
993
728
994
if (mc.server != NULL)
995
avahi_server_free(mc.server);
996
997
if (mc.simple_poll != NULL)
998
avahi_simple_poll_free(mc.simple_poll);
999
free(pubkeyfile);
1000
free(seckeyfile);
1001
1002
return exitcode;
729
if (server)
730
avahi_server_free(server);
731
732
if (simple_poll)
733
avahi_simple_poll_free(simple_poll);
734
735
return returncode;
1003
736
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0