To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 238
- compare with another revision
- download diff
- download tarball
- view history from revision 238
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008 Teddy Hogeborn
13
* Copyright © 2008 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
59
#include <assert.h> /* assert() */
60
#include <errno.h> /* perror(), errno */
61
#include <time.h> /* time() */
44
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
63
SIOCSIFFLAGS, if_indextoname(),
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
67
getuid(), getgid(), setuid(),
68
setgid() */
69
#include <arpa/inet.h> /* inet_pton(), htons */
70
#include <iso646.h> /* not, and */
71
#include <argp.h> /* struct argp_option, error_t, struct
72
argp_state, struct argp,
73
argp_parse(), ARGP_KEY_ARG,
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
46
75
76
/* Avahi */
77
/* All Avahi types, constants and functions
78
Avahi*, avahi_*,
79
AVAHI_* */
47
80
#include <avahi-core/core.h>
48
81
#include <avahi-core/lookup.h>
49
82
#include <avahi-core/log.h>
51
84
#include <avahi-common/malloc.h>
52
85
#include <avahi-common/error.h>
53
86
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
struct in6_addr, inet_pton() */
58
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
87
/* GnuTLS */
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
90
gnutls_*
91
init_gnutls_session(),
92
GNUTLS_* */
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
94
GNUTLS_OPENPGP_FMT_BASE64 */
60
95
61
#include <unistd.h> /* close() */
62
#include <netinet/in.h>
63
#include <stdbool.h> /* true */
64
#include <string.h> /* memset */
65
#include <arpa/inet.h> /* inet_pton() */
66
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
96
/* GPGME */
72
#include <errno.h> /* perror() */
73
#include <gpgme.h>
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
99
gpgme_*
100
GPGME_PROTOCOL_OpenPGP,
101
GPG_ERR_NO_* */
74
102
75
103
#define BUFFER_SIZE 256
76
104
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
108
77
109
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
110
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
80
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
static const char mandos_protocol_version[] = "1";
82
113
83
114
/* Used for passing in values through the Avahi callback functions */
84
115
typedef struct {
88
119
unsigned int dh_bits;
89
120
gnutls_dh_params_t dh_params;
90
121
const char *priority;
122
gpgme_ctx_t ctx;
91
123
} mandos_context;
92
124
93
/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
125
/*
126
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
94
127
* "buffer_capacity" is how much is currently allocated,
95
* "buffer_length" is how much is already used. */
128
* "buffer_length" is how much is already used.
129
*/
96
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
131
size_t buffer_capacity){
98
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
106
140
}
107
141
108
142
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
143
* Initialize GPGME.
111
144
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
116
gpgme_data_t dh_crypto, dh_plain;
117
gpgme_ctx_t ctx;
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
118
148
gpgme_error_t rc;
119
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
122
149
gpgme_engine_info_t engine_info;
123
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
124
187
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
188
fprintf(stderr, "Initialize gpgme\n");
126
189
}
127
190
128
191
/* Init GPGME */
131
194
if (rc != GPG_ERR_NO_ERROR){
132
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
133
196
gpgme_strsource(rc), gpgme_strerror(rc));
134
return -1;
197
return false;
135
198
}
136
199
137
/* Set GPGME home directory for the OpenPGP engine only */
200
/* Set GPGME home directory for the OpenPGP engine only */
138
201
rc = gpgme_get_engine_info (&engine_info);
139
202
if (rc != GPG_ERR_NO_ERROR){
140
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
204
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
205
return false;
143
206
}
144
207
while(engine_info != NULL){
145
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
146
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
147
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
148
211
break;
149
212
}
150
213
engine_info = engine_info->next;
151
214
}
152
215
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
154
return -1;
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
155
251
}
156
252
157
253
/* Create new GPGME data buffer from memory cryptotext */
172
268
return -1;
173
269
}
174
270
175
/* Create new GPGME "context" */
176
rc = gpgme_new(&ctx);
177
if (rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
182
}
183
184
271
/* Decrypt data from the cryptotext data buffer to the plaintext
185
272
data buffer */
186
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
187
274
if (rc != GPG_ERR_NO_ERROR){
188
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
276
gpgme_strsource(rc), gpgme_strerror(rc));
190
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
191
306
goto decrypt_end;
192
307
}
193
308
195
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
196
311
}
197
312
198
if (debug){
199
gpgme_decrypt_result_t result;
200
result = gpgme_op_decrypt_result(ctx);
201
if (result == NULL){
202
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
203
} else {
204
fprintf(stderr, "Unsupported algorithm: %s\n",
205
result->unsupported_algorithm);
206
fprintf(stderr, "Wrong key usage: %d\n",
207
result->wrong_key_usage);
208
if(result->file_name != NULL){
209
fprintf(stderr, "File name: %s\n", result->file_name);
210
}
211
gpgme_recipient_t recipient;
212
recipient = result->recipients;
213
if(recipient){
214
while(recipient != NULL){
215
fprintf(stderr, "Public key algorithm: %s\n",
216
gpgme_pubkey_algo_name(recipient->pubkey_algo));
217
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
218
fprintf(stderr, "Secret key available: %s\n",
219
recipient->status == GPG_ERR_NO_SECKEY
220
? "No" : "Yes");
221
recipient = recipient->next;
222
}
223
}
224
}
225
}
226
227
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
230
316
plaintext_length = -1;
231
317
goto decrypt_end;
232
318
}
256
342
}
257
343
plaintext_length += ret;
258
344
}
259
345
260
346
if(debug){
261
347
fprintf(stderr, "Decrypted password is: ");
262
348
for(ssize_t i = 0; i < plaintext_length; i++){
276
362
}
277
363
278
364
static const char * safer_gnutls_strerror (int value) {
279
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
280
366
if (ret == NULL)
281
367
ret = "(unknown)";
282
368
return ret;
289
375
}
290
376
291
377
static int init_gnutls_global(mandos_context *mc,
292
const char *pubkeyfile,
293
const char *seckeyfile){
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
294
380
int ret;
295
381
296
382
if(debug){
297
383
fprintf(stderr, "Initializing GnuTLS\n");
298
384
}
299
300
if ((ret = gnutls_global_init ())
301
!= GNUTLS_E_SUCCESS) {
385
386
ret = gnutls_global_init();
387
if (ret != GNUTLS_E_SUCCESS) {
302
388
fprintf (stderr, "GnuTLS global_init: %s\n",
303
389
safer_gnutls_strerror(ret));
304
390
return -1;
313
399
}
314
400
315
401
/* OpenPGP credentials */
316
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
317
!= GNUTLS_E_SUCCESS) {
318
fprintf (stderr, "GnuTLS memory error: %s\n",
402
gnutls_certificate_allocate_credentials(&mc->cred);
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
319
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
320
408
return -1;
321
409
}
322
410
323
411
if(debug){
324
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
325
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
326
seckeyfile);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
327
415
}
328
416
329
417
ret = gnutls_certificate_set_openpgp_key_file
330
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
331
420
if (ret != GNUTLS_E_SUCCESS) {
332
421
fprintf(stderr,
333
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
334
" '%s')\n", ret, pubkeyfile, seckeyfile);
335
fprintf(stdout, "The GnuTLS error is: %s\n",
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
336
425
safer_gnutls_strerror(ret));
337
return -1;
426
goto globalfail;
338
427
}
339
428
340
429
/* GnuTLS server initialization */
342
431
if (ret != GNUTLS_E_SUCCESS) {
343
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
344
433
" %s\n", safer_gnutls_strerror(ret));
345
return -1;
434
goto globalfail;
346
435
}
347
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
348
437
if (ret != GNUTLS_E_SUCCESS) {
349
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
350
439
safer_gnutls_strerror(ret));
351
return -1;
440
goto globalfail;
352
441
}
353
442
354
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
444
356
445
return 0;
446
447
globalfail:
448
449
gnutls_certificate_free_credentials(mc->cred);
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
return -1;
357
453
}
358
454
359
455
static int init_gnutls_session(mandos_context *mc,
373
469
fprintf(stderr, "Syntax error at: %s\n", err);
374
470
fprintf(stderr, "GnuTLS error: %s\n",
375
471
safer_gnutls_strerror(ret));
472
gnutls_deinit (*session);
376
473
return -1;
377
474
}
378
475
}
382
479
if (ret != GNUTLS_E_SUCCESS) {
383
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
384
481
safer_gnutls_strerror(ret));
482
gnutls_deinit (*session);
385
483
return -1;
386
484
}
387
485
420
518
}
421
519
422
520
if(debug){
423
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
424
ip, port);
521
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
522
"\n", ip, port);
425
523
}
426
524
427
525
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
429
527
perror("socket");
430
528
return -1;
431
529
}
432
530
433
531
if(debug){
434
532
if(if_indextoname((unsigned int)if_index, interface) == NULL){
435
533
perror("if_indextoname");
438
536
fprintf(stderr, "Binding to interface %s\n", interface);
439
537
}
440
538
441
memset(&to,0,sizeof(to)); /* Spurious warning */
539
memset(&to, 0, sizeof(to));
442
540
to.in6.sin6_family = AF_INET6;
443
541
/* It would be nice to have a way to detect if we were passed an
444
542
IPv4 address here. Now we assume an IPv6 address. */
451
549
fprintf(stderr, "Bad address: %s\n", ip);
452
550
return -1;
453
551
}
454
to.in6.sin6_port = htons(port); /* Spurious warning */
552
to.in6.sin6_port = htons(port); /* Spurious warning */
455
553
456
554
to.in6.sin6_scope_id = (uint32_t)if_index;
457
555
458
556
if(debug){
459
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
557
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
558
port);
460
559
char addrstr[INET6_ADDRSTRLEN] = "";
461
560
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
462
561
sizeof(addrstr)) == NULL){
473
572
perror("connect");
474
573
return -1;
475
574
}
476
575
477
576
const char *out = mandos_protocol_version;
478
577
written = 0;
479
578
while (true){
497
596
}
498
597
}
499
598
}
500
599
501
600
if(debug){
502
601
fprintf(stderr, "Establishing TLS session with %s\n", ip);
503
602
}
504
603
505
604
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
506
605
507
ret = gnutls_handshake (session);
606
do{
607
ret = gnutls_handshake (session);
608
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
508
609
509
610
if (ret != GNUTLS_E_SUCCESS){
510
611
if(debug){
521
622
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
522
623
ip);
523
624
}
524
625
525
626
while(true){
526
627
buffer_capacity = adjustbuffer(&buffer, buffer_length,
527
628
buffer_capacity);
542
643
case GNUTLS_E_AGAIN:
543
644
break;
544
645
case GNUTLS_E_REHANDSHAKE:
545
ret = gnutls_handshake (session);
646
do{
647
ret = gnutls_handshake (session);
648
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
546
649
if (ret < 0){
547
650
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
548
651
gnutls_perror (ret);
569
672
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
673
571
674
if (buffer_length > 0){
572
decrypted_buffer_size = pgp_packet_decrypt(buffer,
675
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
573
676
buffer_length,
574
&decrypted_buffer,
575
keydir);
677
&decrypted_buffer);
576
678
if (decrypted_buffer_size >= 0){
577
679
written = 0;
578
680
while(written < (size_t) decrypted_buffer_size){
593
695
} else {
594
696
retval = -1;
595
697
}
698
} else {
699
retval = -1;
596
700
}
597
701
598
702
/* Shutdown procedure */
599
703
600
704
mandos_end:
601
705
free(buffer);
602
close(tcp_sd);
706
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
707
if(ret == -1){
708
perror("close");
709
}
603
710
gnutls_deinit (session);
604
gnutls_certificate_free_credentials (mc->cred);
605
gnutls_global_deinit ();
606
711
return retval;
607
712
}
608
713
621
726
flags,
622
727
void* userdata) {
623
728
mandos_context *mc = userdata;
624
assert(r); /* Spurious warning */
729
assert(r);
625
730
626
731
/* Called whenever a service has been resolved successfully or
627
732
timed out */
639
744
char ip[AVAHI_ADDRESS_STR_MAX];
640
745
avahi_address_snprint(ip, sizeof(ip), address);
641
746
if(debug){
642
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
643
" port %d\n", name, host_name, ip, interface, port);
747
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
748
PRIu16 ") on port %d\n", name, host_name, ip,
749
interface, port);
644
750
}
645
751
int ret = start_mandos_communication(ip, port, interface, mc);
646
752
if (ret == 0){
647
exit(EXIT_SUCCESS);
753
avahi_simple_poll_quit(mc->simple_poll);
648
754
}
649
755
}
650
756
}
662
768
flags,
663
769
void* userdata) {
664
770
mandos_context *mc = userdata;
665
assert(b); /* Spurious warning */
771
assert(b);
666
772
667
773
/* Called whenever a new services becomes available on the LAN or
668
774
is removed from the LAN */
702
808
}
703
809
}
704
810
705
/* Combines file name and path and returns the malloced new
706
string. some sane checks could/should be added */
707
static const char *combinepath(const char *first, const char *second){
708
size_t f_len = strlen(first);
709
size_t s_len = strlen(second);
710
char *tmp = malloc(f_len + s_len + 2);
711
if (tmp == NULL){
712
return NULL;
713
}
714
if(f_len > 0){
715
memcpy(tmp, first, f_len); /* Spurious warning */
716
}
717
tmp[f_len] = '/';
718
if(s_len > 0){
719
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
720
}
721
tmp[f_len + 1 + s_len] = '\0';
722
return tmp;
723
}
724
725
726
811
int main(int argc, char *argv[]){
727
812
AvahiSServiceBrowser *sb = NULL;
728
813
int error;
734
819
uid_t uid;
735
820
gid_t gid;
736
821
char *connect_to = NULL;
822
char tempdir[] = "/tmp/mandosXXXXXX";
737
823
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
738
const char *pubkeyfile = "pubkey.txt";
739
const char *seckeyfile = "seckey.txt";
824
const char *seckey = PATHDIR "/" SECKEY;
825
const char *pubkey = PATHDIR "/" PUBKEY;
826
740
827
mandos_context mc = { .simple_poll = NULL, .server = NULL,
741
.dh_bits = 1024, .priority = "SECURE256"};
828
.dh_bits = 1024, .priority = "SECURE256"
829
":!CTYPE-X.509:+CTYPE-OPENPGP" };
830
bool gnutls_initalized = false;
831
bool gpgme_initalized = false;
742
832
743
833
{
744
834
struct argp_option options[] = {
745
835
{ .name = "debug", .key = 128,
746
836
.doc = "Debug mode", .group = 3 },
747
837
{ .name = "connect", .key = 'c',
748
.arg = "IP",
749
.doc = "Connect directly to a sepcified mandos server",
838
.arg = "ADDRESS:PORT",
839
.doc = "Connect directly to a specific Mandos server",
750
840
.group = 1 },
751
841
{ .name = "interface", .key = 'i',
752
.arg = "INTERFACE",
753
.doc = "Interface that Avahi will conntect through",
754
.group = 1 },
755
{ .name = "keydir", .key = 'd',
756
.arg = "KEYDIR",
757
.doc = "Directory where the openpgp keyring is",
842
.arg = "NAME",
843
.doc = "Interface that will be used to search for Mandos"
844
" servers",
758
845
.group = 1 },
759
846
{ .name = "seckey", .key = 's',
760
.arg = "SECKEY",
761
.doc = "Secret openpgp key for gnutls authentication",
847
.arg = "FILE",
848
.doc = "OpenPGP secret key file base name",
762
849
.group = 1 },
763
850
{ .name = "pubkey", .key = 'p',
764
.arg = "PUBKEY",
765
.doc = "Public openpgp key for gnutls authentication",
851
.arg = "FILE",
852
.doc = "OpenPGP public key file base name",
766
853
.group = 2 },
767
854
{ .name = "dh-bits", .key = 129,
768
855
.arg = "BITS",
769
.doc = "dh-bits to use in gnutls communication",
856
.doc = "Bit length of the prime number used in the"
857
" Diffie-Hellman key exchange",
770
858
.group = 2 },
771
859
{ .name = "priority", .key = 130,
772
.arg = "PRIORITY",
773
.doc = "GNUTLS priority", .group = 1 },
860
.arg = "STRING",
861
.doc = "GnuTLS priority string for the TLS handshake",
862
.group = 1 },
774
863
{ .name = NULL }
775
864
};
776
777
865
778
866
error_t parse_opt (int key, char *arg,
779
867
struct argp_state *state) {
780
868
/* Get the INPUT argument from `argp_parse', which we know is
781
869
a pointer to our plugin list pointer. */
782
870
switch (key) {
783
case 128:
871
case 128: /* --debug */
784
872
debug = true;
785
873
break;
786
case 'c':
874
case 'c': /* --connect */
787
875
connect_to = arg;
788
876
break;
789
case 'i':
877
case 'i': /* --interface */
790
878
interface = arg;
791
879
break;
792
case 'd':
793
keydir = arg;
794
break;
795
case 's':
796
seckeyfile = arg;
797
break;
798
case 'p':
799
pubkeyfile = arg;
800
break;
801
case 129:
880
case 's': /* --seckey */
881
seckey = arg;
882
break;
883
case 'p': /* --pubkey */
884
pubkey = arg;
885
break;
886
case 129: /* --dh-bits */
802
887
errno = 0;
803
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
804
889
if (errno){
806
891
exit(EXIT_FAILURE);
807
892
}
808
893
break;
809
case 130:
894
case 130: /* --priority */
810
895
mc.priority = arg;
811
896
break;
812
897
case ARGP_KEY_ARG:
813
898
argp_usage (state);
899
case ARGP_KEY_END:
814
900
break;
815
case ARGP_KEY_END:
816
break;
817
901
default:
818
902
return ARGP_ERR_UNKNOWN;
819
903
}
820
904
return 0;
821
905
}
822
906
823
907
struct argp argp = { .options = options, .parser = parse_opt,
824
908
.args_doc = "",
825
909
.doc = "Mandos client -- Get and decrypt"
826
" passwords from mandos server" };
827
argp_parse (&argp, argc, argv, 0, 0, NULL);
828
}
829
830
pubkeyfile = combinepath(keydir, pubkeyfile);
831
if (pubkeyfile == NULL){
832
perror("combinepath");
833
exitcode = EXIT_FAILURE;
834
goto end;
835
}
836
837
seckeyfile = combinepath(keydir, seckeyfile);
838
if (seckeyfile == NULL){
839
perror("combinepath");
840
goto end;
841
}
842
843
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
844
if (ret == -1){
845
fprintf(stderr, "init_gnutls_global\n");
846
goto end;
847
}
848
910
" passwords from a Mandos server" };
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
912
if (ret == ARGP_ERR_UNKNOWN){
913
fprintf(stderr, "Unknown error while parsing arguments\n");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
919
/* If the interface is down, bring it up */
920
{
921
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
922
if(sd < 0) {
923
perror("socket");
924
exitcode = EXIT_FAILURE;
925
goto end;
926
}
927
strcpy(network.ifr_name, interface);
928
ret = ioctl(sd, SIOCGIFFLAGS, &network);
929
if(ret == -1){
930
perror("ioctl SIOCGIFFLAGS");
931
exitcode = EXIT_FAILURE;
932
goto end;
933
}
934
if((network.ifr_flags & IFF_UP) == 0){
935
network.ifr_flags |= IFF_UP;
936
ret = ioctl(sd, SIOCSIFFLAGS, &network);
937
if(ret == -1){
938
perror("ioctl SIOCSIFFLAGS");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
ret = TEMP_FAILURE_RETRY(close(sd));
944
if(ret == -1){
945
perror("close");
946
}
947
}
948
849
949
uid = getuid();
850
950
gid = getgid();
851
951
852
952
ret = setuid(uid);
853
953
if (ret == -1){
854
954
perror("setuid");
859
959
perror("setgid");
860
960
}
861
961
962
ret = init_gnutls_global(&mc, pubkey, seckey);
963
if (ret == -1){
964
fprintf(stderr, "init_gnutls_global failed\n");
965
exitcode = EXIT_FAILURE;
966
goto end;
967
} else {
968
gnutls_initalized = true;
969
}
970
971
if(mkdtemp(tempdir) == NULL){
972
perror("mkdtemp");
973
tempdir[0] = '\0';
974
goto end;
975
}
976
977
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
978
fprintf(stderr, "gpgme_initalized failed\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
} else {
982
gpgme_initalized = true;
983
}
984
862
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
863
986
if(if_index == 0){
864
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
892
1015
goto end;
893
1016
}
894
1017
895
/* If the interface is down, bring it up */
896
{
897
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
898
if(sd < 0) {
899
perror("socket");
900
exitcode = EXIT_FAILURE;
901
goto end;
902
}
903
strcpy(network.ifr_name, interface); /* Spurious warning */
904
ret = ioctl(sd, SIOCGIFFLAGS, &network);
905
if(ret == -1){
906
perror("ioctl SIOCGIFFLAGS");
907
exitcode = EXIT_FAILURE;
908
goto end;
909
}
910
if((network.ifr_flags & IFF_UP) == 0){
911
network.ifr_flags |= IFF_UP;
912
ret = ioctl(sd, SIOCSIFFLAGS, &network);
913
if(ret == -1){
914
perror("ioctl SIOCSIFFLAGS");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
close(sd);
920
}
921
922
1018
if (not debug){
923
1019
avahi_set_log_function(empty_log);
924
1020
}
934
1030
exitcode = EXIT_FAILURE;
935
1031
goto end;
936
1032
}
937
1033
938
1034
{
939
1035
AvahiServerConfig config;
940
1036
/* Do not publish any local Zeroconf records */
943
1039
config.publish_addresses = 0;
944
1040
config.publish_workstation = 0;
945
1041
config.publish_domain = 0;
946
1042
947
1043
/* Allocate a new server */
948
1044
mc.server = avahi_server_new(avahi_simple_poll_get
949
1045
(mc.simple_poll), &config, NULL,
950
1046
NULL, &error);
951
1047
952
1048
/* Free the Avahi configuration data */
953
1049
avahi_server_config_free(&config);
954
1050
}
974
1070
}
975
1071
976
1072
/* Run the main loop */
977
1073
978
1074
if (debug){
979
1075
fprintf(stderr, "Starting Avahi loop search\n");
980
1076
}
982
1078
avahi_simple_poll_loop(mc.simple_poll);
983
1079
984
1080
end:
985
1081
986
1082
if (debug){
987
1083
fprintf(stderr, "%s exiting\n", argv[0]);
988
1084
}
993
1089
994
1090
if (mc.server != NULL)
995
1091
avahi_server_free(mc.server);
996
1092
997
1093
if (mc.simple_poll != NULL)
998
1094
avahi_simple_poll_free(mc.simple_poll);
999
free(pubkeyfile);
1000
free(seckeyfile);
1001
1095
1096
if (gnutls_initalized){
1097
gnutls_certificate_free_credentials(mc.cred);
1098
gnutls_global_deinit ();
1099
gnutls_dh_params_deinit(mc.dh_params);
1100
}
1101
1102
if(gpgme_initalized){
1103
gpgme_release(mc.ctx);
1104
}
1105
1106
/* Removes the temp directory used by GPGME */
1107
if(tempdir[0] != '\0'){
1108
DIR *d;
1109
struct dirent *direntry;
1110
d = opendir(tempdir);
1111
if(d == NULL){
1112
perror("opendir");
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1){
1139
perror("rmdir");
1140
}
1141
}
1142
1002
1143
return exitcode;
1003
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0