64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
72
67
#include <errno.h> /* perror() */
75
73
#define BUFFER_SIZE 256
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
77
80
bool debug = false;
78
const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
82
const char mandos_protocol_version[] = "1";
83
/* Used for passing in values through all the callback functions */
85
85
AvahiSimplePoll *simple_poll;
86
86
AvahiServer *server;
87
87
gnutls_certificate_credentials_t cred;
88
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
90
89
const char *priority;
93
size_t adjustbuffer(char **buffer, size_t buffer_length,
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
94
93
size_t buffer_capacity){
95
94
if (buffer_length + BUFFER_SIZE > buffer_capacity){
96
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
97
96
if (buffer == NULL){
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
224
217
/* Seek back to the beginning of the GPGME plaintext data buffer */
225
218
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
226
219
perror("pgpme_data_seek");
227
plaintext_length = -1;
233
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
235
if (plaintext_capacity == 0){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
236
227
perror("adjustbuffer");
237
plaintext_length = -1;
230
new_packet_capacity += BUFFER_SIZE;
241
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
243
235
/* Print the data, if any */
249
240
perror("gpgme_data_read");
250
plaintext_length = -1;
253
plaintext_length += ret;
243
new_packet_length += ret;
257
fprintf(stderr, "Decrypted password is: ");
258
for(ssize_t i = 0; i < plaintext_length; i++){
259
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
261
fprintf(stderr, "\n");
266
/* Delete the GPGME cryptotext data buffer */
267
gpgme_data_release(dh_crypto);
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
269
254
/* Delete the GPGME plaintext data buffer */
270
255
gpgme_data_release(dh_plain);
271
return plaintext_length;
256
return new_packet_length;
274
259
static const char * safer_gnutls_strerror (int value) {
296
279
if ((ret = gnutls_global_init ())
297
280
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "GnuTLS global_init: %s\n",
299
safer_gnutls_strerror(ret));
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
/* "Use a log level over 10 to enable all debugging options."
307
286
gnutls_global_set_log_level(11);
308
287
gnutls_global_set_log_function(debuggnutls);
311
/* OpenPGP credentials */
312
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
313
292
!= GNUTLS_E_SUCCESS) {
314
fprintf (stderr, "GnuTLS memory error: %s\n",
293
fprintf (stderr, "memory error: %s\n",
315
294
safer_gnutls_strerror(ret));
320
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
321
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
300
" and keyfile %s as GnuTLS credentials\n", certfile,
325
304
ret = gnutls_certificate_set_openpgp_key_file
326
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
327
306
if (ret != GNUTLS_E_SUCCESS) {
329
"Error[%d] while reading the OpenPGP key pair ('%s',"
330
" '%s')\n", ret, pubkeyfile, seckeyfile);
331
fprintf(stdout, "The GnuTLS error is: %s\n",
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
332
312
safer_gnutls_strerror(ret));
336
/* GnuTLS server initialization */
337
ret = gnutls_dh_params_init(&mc->dh_params);
338
if (ret != GNUTLS_E_SUCCESS) {
339
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
340
" %s\n", safer_gnutls_strerror(ret));
343
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
346
safer_gnutls_strerror(ret));
350
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
/* GnuTLS session creation */
358
ret = gnutls_init(session, GNUTLS_SERVER);
359
if (ret != GNUTLS_E_SUCCESS){
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
360
336
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
361
337
safer_gnutls_strerror(ret));
366
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf(stderr, "Syntax error at: %s\n", err);
369
fprintf(stderr, "GnuTLS error: %s\n",
370
safer_gnutls_strerror(ret));
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
375
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
379
352
safer_gnutls_strerror(ret));
383
356
/* ignore client certificate if any. */
384
gnutls_certificate_server_set_request (*session,
357
gnutls_certificate_server_set_request (es->session,
385
358
GNUTLS_CERT_IGNORE);
387
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
392
/* Avahi log function callback */
393
365
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
394
366
__attribute__((unused)) const char *txt){}
396
/* Called when a Mandos server is found */
397
368
static int start_mandos_communication(const char *ip, uint16_t port,
398
369
AvahiIfIndex if_index,
399
370
mandos_context *mc){
401
372
struct sockaddr_in6 to;
373
encrypted_session es;
402
374
char *buffer = NULL;
403
375
char *decrypted_buffer;
404
376
size_t buffer_length = 0;
455
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
456
char addrstr[INET6_ADDRSTRLEN] = "";
457
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
458
sizeof(addrstr)) == NULL){
461
if(strcmp(addrstr, ip) != 0){
462
fprintf(stderr, "Canonical address form: %s\n", addrstr);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
467
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
537
509
case GNUTLS_E_AGAIN:
539
511
case GNUTLS_E_REHANDSHAKE:
540
ret = gnutls_handshake (session);
512
ret = gnutls_handshake (es.session);
542
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
514
fprintf(stderr, "\n*** Handshake failed ***\n");
543
515
gnutls_perror (ret);
549
521
fprintf(stderr, "Unknown error while reading data from"
550
" encrypted session with Mandos server\n");
522
" encrypted session with mandos server\n");
552
gnutls_bye (session, GNUTLS_SHUT_RDWR);
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
556
528
buffer_length += (size_t) ret;
561
fprintf(stderr, "Closing TLS session\n");
564
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
532
if (buffer_length > 0){
567
533
decrypted_buffer_size = pgp_packet_decrypt(buffer,
569
535
&decrypted_buffer,
571
537
if (decrypted_buffer_size >= 0){
573
539
while(written < (size_t) decrypted_buffer_size){
593
/* Shutdown procedure */
562
fprintf(stderr, "Closing TLS session\n");
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
598
gnutls_deinit (session);
599
gnutls_certificate_free_credentials (mc->cred);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
600
571
gnutls_global_deinit ();
604
static void resolve_callback(AvahiSServiceResolver *r,
605
AvahiIfIndex interface,
606
AVAHI_GCC_UNUSED AvahiProtocol protocol,
607
AvahiResolverEvent event,
611
const char *host_name,
612
const AvahiAddress *address,
614
AVAHI_GCC_UNUSED AvahiStringList *txt,
615
AVAHI_GCC_UNUSED AvahiLookupResultFlags
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
582
const char *host_name,
583
const AvahiAddress *address,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
618
588
mandos_context *mc = userdata;
619
589
assert(r); /* Spurious warning */
667
636
case AVAHI_BROWSER_FAILURE:
669
fprintf(stderr, "(Avahi browser) %s\n",
638
fprintf(stderr, "(Browser) %s\n",
670
639
avahi_strerror(avahi_server_errno(mc->server)));
671
640
avahi_simple_poll_quit(mc->simple_poll);
674
643
case AVAHI_BROWSER_NEW:
675
/* We ignore the returned Avahi resolver object. In the callback
676
function we free it. If the Avahi server is terminated before
677
the callback function is called the Avahi server will free the
680
if (!(avahi_s_service_resolver_new(mc->server, interface,
681
protocol, name, type, domain,
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
682
651
AVAHI_PROTO_INET6, 0,
683
652
resolve_callback, mc)))
684
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
685
name, avahi_strerror(avahi_server_errno(mc->server)));
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
688
657
case AVAHI_BROWSER_REMOVE:
691
660
case AVAHI_BROWSER_ALL_FOR_NOW:
692
661
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
fprintf(stderr, "No Mandos server found, still searching...\n");
710
memcpy(tmp, first, f_len); /* Spurious warning */
676
memcpy(tmp, first, f_len);
712
678
tmp[f_len] = '/';
714
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
680
memcpy(tmp + f_len + 1, second, s_len);
716
682
tmp[f_len + 1 + s_len] = '\0';
721
int main(int argc, char *argv[]){
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
722
689
AvahiSServiceBrowser *sb = NULL;
725
int exitcode = EXIT_SUCCESS;
692
int returncode = EXIT_SUCCESS;
726
693
const char *interface = "eth0";
727
694
struct ifreq network;
731
696
char *connect_to = NULL;
732
697
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
733
const char *pubkeyfile = "pubkey.txt";
734
const char *seckeyfile = "seckey.txt";
735
698
mandos_context mc = { .simple_poll = NULL, .server = NULL,
736
.dh_bits = 1024, .priority = "SECURE256"};
699
.dh_bits = 2048, .priority = "SECURE256"};
739
struct argp_option options[] = {
740
{ .name = "debug", .key = 128,
741
.doc = "Debug mode", .group = 3 },
742
{ .name = "connect", .key = 'c',
744
.doc = "Connect directly to a sepcified mandos server", .group = 1 },
745
{ .name = "interface", .key = 'i',
747
.doc = "Interface that Avahi will conntect through", .group = 1 },
748
{ .name = "keydir", .key = 'd',
750
.doc = "Directory where the openpgp keyring is", .group = 1 },
751
{ .name = "seckey", .key = 's',
753
.doc = "Secret openpgp key for gnutls authentication", .group = 1 },
754
{ .name = "pubkey", .key = 'p',
756
.doc = "Public openpgp key for gnutls authentication", .group = 2 },
757
{ .name = "dh-bits", .key = 129,
759
.doc = "dh-bits to use in gnutls communication", .group = 2 },
760
{ .name = "priority", .key = 130,
762
.doc = "GNUTLS priority", .group = 1 },
767
error_t parse_opt (int key, char *arg, struct argp_state *state) {
768
/* Get the INPUT argument from `argp_parse', which we know is a
769
pointer to our plugin list pointer. */
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
791
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
793
745
perror("strtol");
794
746
exit(EXIT_FAILURE);
806
return ARGP_ERR_UNKNOWN;
752
mc.priority = optarg;
811
struct argp argp = { .options = options, .parser = parse_opt,
813
.doc = "Mandos client -- Get and decrypt passwords from mandos server" };
814
argp_parse (&argp, argc, argv, 0, 0, NULL);
817
pubkeyfile = combinepath(keydir, pubkeyfile);
818
if (pubkeyfile == NULL){
819
perror("combinepath");
820
exitcode = EXIT_FAILURE;
824
seckeyfile = combinepath(keydir, seckeyfile);
825
if (seckeyfile == NULL){
826
perror("combinepath");
830
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
832
fprintf(stderr, "init_gnutls_global\n");
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
849
773
if_index = (AvahiIfIndex) if_nametoindex(interface);
858
782
char *address = strrchr(connect_to, ':');
859
783
if(address == NULL){
860
784
fprintf(stderr, "No colon in address\n");
861
exitcode = EXIT_FAILURE;
865
788
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
867
790
perror("Bad port number");
868
exitcode = EXIT_FAILURE;
872
794
address = connect_to;
873
ret = start_mandos_communication(address, port, if_index, &mc);
795
ret = start_mandos_communication(address, port, if_index);
875
exitcode = EXIT_FAILURE;
877
exitcode = EXIT_SUCCESS;
882
/* If the interface is down, bring it up */
884
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
887
exitcode = EXIT_FAILURE;
890
strcpy(network.ifr_name, interface); /* Spurious warning */
891
ret = ioctl(sd, SIOCGIFFLAGS, &network);
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
806
returncode = EXIT_FAILURE;
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
893
perror("ioctl SIOCGIFFLAGS");
894
exitcode = EXIT_FAILURE;
897
if((network.ifr_flags & IFF_UP) == 0){
898
network.ifr_flags |= IFF_UP;
899
ret = ioctl(sd, SIOCSIFFLAGS, &network);
901
perror("ioctl SIOCSIFFLAGS");
902
exitcode = EXIT_FAILURE;
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
910
829
avahi_set_log_function(empty_log);
913
/* Initialize the pseudo-RNG for Avahi */
832
/* Initialize the psuedo-RNG */
914
833
srand((unsigned int) time(NULL));
916
/* Allocate main Avahi loop object */
917
mc.simple_poll = avahi_simple_poll_new();
918
if (mc.simple_poll == NULL) {
919
fprintf(stderr, "Avahi: Failed to create simple poll"
921
exitcode = EXIT_FAILURE;
926
AvahiServerConfig config;
927
/* Do not publish any local Zeroconf records */
928
avahi_server_config_init(&config);
929
config.publish_hinfo = 0;
930
config.publish_addresses = 0;
931
config.publish_workstation = 0;
932
config.publish_domain = 0;
934
/* Allocate a new server */
935
mc.server = avahi_server_new(avahi_simple_poll_get
936
(mc.simple_poll), &config, NULL,
939
/* Free the Avahi configuration data */
940
avahi_server_config_free(&config);
943
/* Check if creating the Avahi server object succeeded */
944
if (mc.server == NULL) {
945
fprintf(stderr, "Failed to create Avahi server: %s\n",
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
856
/* Check if creating the server object succeeded */
858
fprintf(stderr, "Failed to create server: %s\n",
946
859
avahi_strerror(error));
947
exitcode = EXIT_FAILURE;
860
returncode = EXIT_FAILURE;
951
/* Create the Avahi service browser */
864
/* Create the service browser */
952
865
sb = avahi_s_service_browser_new(mc.server, if_index,
953
866
AVAHI_PROTO_INET6,
954
867
"_mandos._tcp", NULL, 0,
955
868
browse_callback, &mc);
957
870
fprintf(stderr, "Failed to create service browser: %s\n",
958
871
avahi_strerror(avahi_server_errno(mc.server)));
959
exitcode = EXIT_FAILURE;
872
returncode = EXIT_FAILURE;
963
876
/* Run the main loop */
966
fprintf(stderr, "Starting Avahi loop search\n");
879
fprintf(stderr, "Starting avahi loop search\n");
969
avahi_simple_poll_loop(mc.simple_poll);
882
avahi_simple_poll_loop(simple_poll);
974
887
fprintf(stderr, "%s exiting\n", argv[0]);
977
890
/* Cleanup things */
979
892
avahi_s_service_browser_free(sb);
981
if (mc.server != NULL)
982
895
avahi_server_free(mc.server);
984
if (mc.simple_poll != NULL)
985
avahi_simple_poll_free(mc.simple_poll);
898
avahi_simple_poll_free(simple_poll);