To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.10
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.10
- Committer: Björn Påhlsson
- Date: 2008-08-03 14:57:46 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 41.
- Revision ID: belorn@braxen-20080803145746-4boahihngi1uwjap
merge commit
added
removed
plugins.d/mandosclient.c
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
46
44
47
45
#include <avahi-core/core.h>
48
46
#include <avahi-core/lookup.h>
51
49
#include <avahi-common/malloc.h>
52
50
#include <avahi-common/error.h>
53
51
54
/* Mandos client part */
52
//mandos client part
55
53
#include <sys/types.h> /* socket(), inet_pton() */
56
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
55
struct in6_addr, inet_pton() */
64
62
#include <string.h> /* memset */
65
63
#include <arpa/inet.h> /* inet_pton() */
66
64
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
65
66
// gpgme
72
67
#include <errno.h> /* perror() */
73
68
#include <gpgme.h>
74
69
70
// getopt long
71
#include <getopt.h>
72
75
73
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
76
79
77
80
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char mandos_protocol_version[] = "1";
80
const char *argp_program_version = "mandosclient 0.9";
81
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
82
83
/* Used for passing in values through the Avahi callback functions */
81
82
const char mandos_protocol_version[] = "1";
83
84
84
typedef struct {
85
85
AvahiSimplePoll *simple_poll;
86
86
AvahiServer *server;
87
87
gnutls_certificate_credentials_t cred;
88
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
90
89
const char *priority;
91
90
} mandos_context;
92
91
93
/*
94
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
95
* "buffer_capacity" is how much is currently allocated,
96
* "buffer_length" is how much is already used.
97
*/
98
size_t adjustbuffer(char **buffer, size_t buffer_length,
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
99
93
size_t buffer_capacity){
100
94
if (buffer_length + BUFFER_SIZE > buffer_capacity){
101
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
102
96
if (buffer == NULL){
103
97
return 0;
104
98
}
107
101
return buffer_capacity;
108
102
}
109
103
110
/*
111
* Decrypt OpenPGP data using keyrings in HOMEDIR.
112
* Returns -1 on error
113
*/
114
static ssize_t pgp_packet_decrypt (const char *cryptotext,
115
size_t crypto_size,
116
char **plaintext,
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
117
106
const char *homedir){
118
107
gpgme_data_t dh_crypto, dh_plain;
119
108
gpgme_ctx_t ctx;
120
109
gpgme_error_t rc;
121
110
ssize_t ret;
122
size_t plaintext_capacity = 0;
123
ssize_t plaintext_length = 0;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
124
113
gpgme_engine_info_t engine_info;
125
114
126
115
if (debug){
127
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
128
117
}
129
118
130
119
/* Init GPGME */
136
125
return -1;
137
126
}
138
127
139
/* Set GPGME home directory for the OpenPGP engine only */
128
/* Set GPGME home directory */
140
129
rc = gpgme_get_engine_info (&engine_info);
141
130
if (rc != GPG_ERR_NO_ERROR){
142
131
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
152
141
engine_info = engine_info->next;
153
142
}
154
143
if(engine_info == NULL){
155
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
156
145
return -1;
157
146
}
158
147
159
/* Create new GPGME data buffer from memory cryptotext */
160
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
161
0);
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
162
150
if (rc != GPG_ERR_NO_ERROR){
163
151
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
164
152
gpgme_strsource(rc), gpgme_strerror(rc));
170
158
if (rc != GPG_ERR_NO_ERROR){
171
159
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
172
160
gpgme_strsource(rc), gpgme_strerror(rc));
173
gpgme_data_release(dh_crypto);
174
161
return -1;
175
162
}
176
163
179
166
if (rc != GPG_ERR_NO_ERROR){
180
167
fprintf(stderr, "bad gpgme_new: %s: %s\n",
181
168
gpgme_strsource(rc), gpgme_strerror(rc));
182
plaintext_length = -1;
183
goto decrypt_end;
169
return -1;
184
170
}
185
171
186
/* Decrypt data from the cryptotext data buffer to the plaintext
187
data buffer */
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
188
174
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
189
175
if (rc != GPG_ERR_NO_ERROR){
190
176
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
191
177
gpgme_strsource(rc), gpgme_strerror(rc));
192
plaintext_length = -1;
193
goto decrypt_end;
178
return -1;
194
179
}
195
180
196
181
if(debug){
197
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
198
183
}
199
184
200
185
if (debug){
201
186
gpgme_decrypt_result_t result;
202
187
result = gpgme_op_decrypt_result(ctx);
226
211
}
227
212
}
228
213
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
229
217
/* Seek back to the beginning of the GPGME plaintext data buffer */
230
218
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
231
219
perror("pgpme_data_seek");
232
plaintext_length = -1;
233
goto decrypt_end;
234
220
}
235
221
236
*plaintext = NULL;
222
*new_packet = 0;
237
223
while(true){
238
plaintext_capacity = adjustbuffer(plaintext,
239
(size_t)plaintext_length,
240
plaintext_capacity);
241
if (plaintext_capacity == 0){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
242
227
perror("adjustbuffer");
243
plaintext_length = -1;
244
goto decrypt_end;
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
245
231
}
246
232
247
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
248
234
BUFFER_SIZE);
249
235
/* Print the data, if any */
250
236
if (ret == 0){
251
/* EOF */
252
237
break;
253
238
}
254
239
if(ret < 0){
255
240
perror("gpgme_data_read");
256
plaintext_length = -1;
257
goto decrypt_end;
241
return -1;
258
242
}
259
plaintext_length += ret;
243
new_packet_length += ret;
260
244
}
261
245
262
if(debug){
263
fprintf(stderr, "Decrypted password is: ");
264
for(ssize_t i = 0; i < plaintext_length; i++){
265
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
266
}
267
fprintf(stderr, "\n");
268
}
269
270
decrypt_end:
271
272
/* Delete the GPGME cryptotext data buffer */
273
gpgme_data_release(dh_crypto);
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
274
253
275
254
/* Delete the GPGME plaintext data buffer */
276
255
gpgme_data_release(dh_plain);
277
return plaintext_length;
256
return new_packet_length;
278
257
}
279
258
280
259
static const char * safer_gnutls_strerror (int value) {
284
263
return ret;
285
264
}
286
265
287
/* GnuTLS log function callback */
288
266
static void debuggnutls(__attribute__((unused)) int level,
289
267
const char* string){
290
fprintf(stderr, "GnuTLS: %s", string);
268
fprintf(stderr, "%s", string);
291
269
}
292
270
293
static int init_gnutls_global(mandos_context *mc,
294
const char *pubkeyfile,
295
const char *seckeyfile){
271
static int initgnutls(mandos_context *mc){
272
const char *err;
296
273
int ret;
297
274
298
275
if(debug){
301
278
302
279
if ((ret = gnutls_global_init ())
303
280
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "GnuTLS global_init: %s\n",
305
safer_gnutls_strerror(ret));
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
306
282
return -1;
307
283
}
308
284
309
285
if (debug){
310
/* "Use a log level over 10 to enable all debugging options."
311
* - GnuTLS manual
312
*/
313
286
gnutls_global_set_log_level(11);
314
287
gnutls_global_set_log_function(debuggnutls);
315
288
}
316
289
317
/* OpenPGP credentials */
318
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
319
292
!= GNUTLS_E_SUCCESS) {
320
fprintf (stderr, "GnuTLS memory error: %s\n",
293
fprintf (stderr, "memory error: %s\n",
321
294
safer_gnutls_strerror(ret));
322
295
return -1;
323
296
}
324
297
325
298
if(debug){
326
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
327
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
328
seckeyfile);
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
329
302
}
330
303
331
304
ret = gnutls_certificate_set_openpgp_key_file
332
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
333
306
if (ret != GNUTLS_E_SUCCESS) {
334
fprintf(stderr,
335
"Error[%d] while reading the OpenPGP key pair ('%s',"
336
" '%s')\n", ret, pubkeyfile, seckeyfile);
337
fprintf(stdout, "The GnuTLS error is: %s\n",
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
338
312
safer_gnutls_strerror(ret));
339
313
return -1;
340
314
}
341
315
342
/* GnuTLS server initialization */
343
ret = gnutls_dh_params_init(&mc->dh_params);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
346
" %s\n", safer_gnutls_strerror(ret));
347
return -1;
348
}
349
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
350
if (ret != GNUTLS_E_SUCCESS) {
351
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
352
safer_gnutls_strerror(ret));
353
return -1;
354
}
355
356
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
357
358
return 0;
359
}
360
361
static int init_gnutls_session(mandos_context *mc,
362
gnutls_session_t *session){
363
int ret;
364
/* GnuTLS session creation */
365
ret = gnutls_init(session, GNUTLS_SERVER);
366
if (ret != GNUTLS_E_SUCCESS){
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
367
336
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
368
337
safer_gnutls_strerror(ret));
369
338
}
370
339
371
{
372
const char *err;
373
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf(stderr, "Syntax error at: %s\n", err);
376
fprintf(stderr, "GnuTLS error: %s\n",
377
safer_gnutls_strerror(ret));
378
return -1;
379
}
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
380
346
}
381
347
382
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
383
mc->cred);
384
if (ret != GNUTLS_E_SUCCESS) {
385
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
386
352
safer_gnutls_strerror(ret));
387
353
return -1;
388
354
}
389
355
390
356
/* ignore client certificate if any. */
391
gnutls_certificate_server_set_request (*session,
357
gnutls_certificate_server_set_request (es->session,
392
358
GNUTLS_CERT_IGNORE);
393
359
394
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
395
361
396
362
return 0;
397
363
}
398
364
399
/* Avahi log function callback */
400
365
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
401
366
__attribute__((unused)) const char *txt){}
402
367
403
/* Called when a Mandos server is found */
404
368
static int start_mandos_communication(const char *ip, uint16_t port,
405
369
AvahiIfIndex if_index,
406
370
mandos_context *mc){
407
371
int ret, tcp_sd;
408
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
372
struct sockaddr_in6 to;
373
encrypted_session es;
409
374
char *buffer = NULL;
410
375
char *decrypted_buffer;
411
376
size_t buffer_length = 0;
414
379
size_t written;
415
380
int retval = 0;
416
381
char interface[IF_NAMESIZE];
417
gnutls_session_t session;
418
419
ret = init_gnutls_session (mc, &session);
420
if (ret != 0){
421
return -1;
422
}
423
382
424
383
if(debug){
425
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
434
393
435
394
if(debug){
436
395
if(if_indextoname((unsigned int)if_index, interface) == NULL){
437
perror("if_indextoname");
396
if(debug){
397
perror("if_indextoname");
398
}
438
399
return -1;
439
400
}
401
440
402
fprintf(stderr, "Binding to interface %s\n", interface);
441
403
}
442
404
443
405
memset(&to,0,sizeof(to)); /* Spurious warning */
444
to.in6.sin6_family = AF_INET6;
445
/* It would be nice to have a way to detect if we were passed an
446
IPv4 address here. Now we assume an IPv6 address. */
447
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
448
408
if (ret < 0 ){
449
409
perror("inet_pton");
450
410
return -1;
451
}
411
}
452
412
if(ret == 0){
453
413
fprintf(stderr, "Bad address: %s\n", ip);
454
414
return -1;
455
415
}
456
to.in6.sin6_port = htons(port); /* Spurious warning */
416
to.sin6_port = htons(port); /* Spurious warning */
457
417
458
to.in6.sin6_scope_id = (uint32_t)if_index;
418
to.sin6_scope_id = (uint32_t)if_index;
459
419
460
420
if(debug){
461
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
462
char addrstr[INET6_ADDRSTRLEN] = "";
463
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
464
sizeof(addrstr)) == NULL){
465
perror("inet_ntop");
466
} else {
467
if(strcmp(addrstr, ip) != 0){
468
fprintf(stderr, "Canonical address form: %s\n", addrstr);
469
}
470
}
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
471
430
}
472
431
473
ret = connect(tcp_sd, &to.in, sizeof(to));
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
474
433
if (ret < 0){
475
434
perror("connect");
476
435
return -1;
477
436
}
478
437
479
const char *out = mandos_protocol_version;
438
char *out = mandos_protocol_version;
480
439
written = 0;
481
440
while (true){
482
441
size_t out_size = strlen(out);
485
444
if (ret == -1){
486
445
perror("write");
487
446
retval = -1;
488
goto mandos_end;
447
goto end;
489
448
}
490
written += (size_t)ret;
449
written += ret;
491
450
if(written < out_size){
492
451
continue;
493
452
} else {
500
459
}
501
460
}
502
461
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
503
471
if(debug){
504
472
fprintf(stderr, "Establishing TLS session with %s\n", ip);
505
473
}
506
474
507
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
508
509
ret = gnutls_handshake (session);
475
ret = gnutls_handshake (es.session);
510
476
511
477
if (ret != GNUTLS_E_SUCCESS){
512
478
if(debug){
513
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
479
fprintf(stderr, "\n*** Handshake failed ***\n");
514
480
gnutls_perror (ret);
515
481
}
516
482
retval = -1;
517
goto mandos_end;
483
goto exit;
518
484
}
519
485
520
/* Read OpenPGP packet that contains the wanted password */
486
//Retrieve OpenPGP packet that contains the wanted password
521
487
522
488
if(debug){
523
489
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
525
491
}
526
492
527
493
while(true){
528
buffer_capacity = adjustbuffer(&buffer, buffer_length,
529
buffer_capacity);
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
530
495
if (buffer_capacity == 0){
531
496
perror("adjustbuffer");
532
497
retval = -1;
533
goto mandos_end;
498
goto exit;
534
499
}
535
500
536
ret = gnutls_record_recv(session, buffer+buffer_length,
537
BUFFER_SIZE);
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
538
503
if (ret == 0){
539
504
break;
540
505
}
544
509
case GNUTLS_E_AGAIN:
545
510
break;
546
511
case GNUTLS_E_REHANDSHAKE:
547
ret = gnutls_handshake (session);
512
ret = gnutls_handshake (es.session);
548
513
if (ret < 0){
549
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
514
fprintf(stderr, "\n*** Handshake failed ***\n");
550
515
gnutls_perror (ret);
551
516
retval = -1;
552
goto mandos_end;
517
goto exit;
553
518
}
554
519
break;
555
520
default:
556
521
fprintf(stderr, "Unknown error while reading data from"
557
" encrypted session with Mandos server\n");
522
" encrypted session with mandos server\n");
558
523
retval = -1;
559
gnutls_bye (session, GNUTLS_SHUT_RDWR);
560
goto mandos_end;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
561
526
}
562
527
} else {
563
528
buffer_length += (size_t) ret;
564
529
}
565
530
}
566
531
567
if(debug){
568
fprintf(stderr, "Closing TLS session\n");
569
}
570
571
gnutls_bye (session, GNUTLS_SHUT_RDWR);
572
573
532
if (buffer_length > 0){
574
533
decrypted_buffer_size = pgp_packet_decrypt(buffer,
575
534
buffer_length,
576
535
&decrypted_buffer,
577
keydir);
536
certdir);
578
537
if (decrypted_buffer_size >= 0){
579
538
written = 0;
580
539
while(written < (size_t) decrypted_buffer_size){
596
555
retval = -1;
597
556
}
598
557
}
599
600
/* Shutdown procedure */
601
602
mandos_end:
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
603
565
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
604
568
close(tcp_sd);
605
gnutls_deinit (session);
606
gnutls_certificate_free_credentials (mc->cred);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
607
571
gnutls_global_deinit ();
608
572
return retval;
609
573
}
610
574
611
static void resolve_callback(AvahiSServiceResolver *r,
612
AvahiIfIndex interface,
613
AVAHI_GCC_UNUSED AvahiProtocol protocol,
614
AvahiResolverEvent event,
615
const char *name,
616
const char *type,
617
const char *domain,
618
const char *host_name,
619
const AvahiAddress *address,
620
uint16_t port,
621
AVAHI_GCC_UNUSED AvahiStringList *txt,
622
AVAHI_GCC_UNUSED AvahiLookupResultFlags
623
flags,
624
void* userdata) {
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
625
588
mandos_context *mc = userdata;
626
589
assert(r); /* Spurious warning */
627
590
631
594
switch (event) {
632
595
default:
633
596
case AVAHI_RESOLVER_FAILURE:
634
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
635
" of type '%s' in domain '%s': %s\n", name, type, domain,
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
636
599
avahi_strerror(avahi_server_errno(mc->server)));
637
600
break;
638
601
641
604
char ip[AVAHI_ADDRESS_STR_MAX];
642
605
avahi_address_snprint(ip, sizeof(ip), address);
643
606
if(debug){
644
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
645
" port %d\n", name, host_name, ip, interface, port);
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
646
609
}
647
610
int ret = start_mandos_communication(ip, port, interface, mc);
648
611
if (ret == 0){
660
623
const char *name,
661
624
const char *type,
662
625
const char *domain,
663
AVAHI_GCC_UNUSED AvahiLookupResultFlags
664
flags,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
665
627
void* userdata) {
666
628
mandos_context *mc = userdata;
667
629
assert(b); /* Spurious warning */
672
634
switch (event) {
673
635
default:
674
636
case AVAHI_BROWSER_FAILURE:
675
676
fprintf(stderr, "(Avahi browser) %s\n",
637
638
fprintf(stderr, "(Browser) %s\n",
677
639
avahi_strerror(avahi_server_errno(mc->server)));
678
640
avahi_simple_poll_quit(mc->simple_poll);
679
641
return;
680
642
681
643
case AVAHI_BROWSER_NEW:
682
/* We ignore the returned Avahi resolver object. In the callback
683
function we free it. If the Avahi server is terminated before
684
the callback function is called the Avahi server will free the
685
resolver for us. */
686
687
if (!(avahi_s_service_resolver_new(mc->server, interface,
688
protocol, name, type, domain,
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
689
651
AVAHI_PROTO_INET6, 0,
690
652
resolve_callback, mc)))
691
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
692
name, avahi_strerror(avahi_server_errno(mc->server)));
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
693
655
break;
694
656
695
657
case AVAHI_BROWSER_REMOVE:
696
658
break;
697
659
698
660
case AVAHI_BROWSER_ALL_FOR_NOW:
699
661
case AVAHI_BROWSER_CACHE_EXHAUSTED:
700
if(debug){
701
fprintf(stderr, "No Mandos server found, still searching...\n");
702
}
703
662
break;
704
663
}
705
664
}
714
673
return NULL;
715
674
}
716
675
if(f_len > 0){
717
memcpy(tmp, first, f_len); /* Spurious warning */
676
memcpy(tmp, first, f_len);
718
677
}
719
678
tmp[f_len] = '/';
720
679
if(s_len > 0){
721
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
680
memcpy(tmp + f_len + 1, second, s_len);
722
681
}
723
682
tmp[f_len + 1 + s_len] = '\0';
724
683
return tmp;
725
684
}
726
685
727
686
728
int main(int argc, char *argv[]){
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
729
689
AvahiSServiceBrowser *sb = NULL;
730
690
int error;
731
691
int ret;
732
int exitcode = EXIT_SUCCESS;
692
int returncode = EXIT_SUCCESS;
733
693
const char *interface = "eth0";
734
694
struct ifreq network;
735
695
int sd;
736
uid_t uid;
737
gid_t gid;
738
696
char *connect_to = NULL;
739
697
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
740
const char *pubkeyfile = "pubkey.txt";
741
const char *seckeyfile = "seckey.txt";
742
698
mandos_context mc = { .simple_poll = NULL, .server = NULL,
743
.dh_bits = 1024, .priority = "SECURE256"};
699
.dh_bits = 2048, .priority = "SECURE256"};
744
700
745
{
746
struct argp_option options[] = {
747
{ .name = "debug", .key = 128,
748
.doc = "Debug mode", .group = 3 },
749
{ .name = "connect", .key = 'c',
750
.arg = "IP",
751
.doc = "Connect directly to a sepcified mandos server",
752
.group = 1 },
753
{ .name = "interface", .key = 'i',
754
.arg = "INTERFACE",
755
.doc = "Interface that Avahi will conntect through",
756
.group = 1 },
757
{ .name = "keydir", .key = 'd',
758
.arg = "KEYDIR",
759
.doc = "Directory where the openpgp keyring is",
760
.group = 1 },
761
{ .name = "seckey", .key = 's',
762
.arg = "SECKEY",
763
.doc = "Secret openpgp key for gnutls authentication",
764
.group = 1 },
765
{ .name = "pubkey", .key = 'p',
766
.arg = "PUBKEY",
767
.doc = "Public openpgp key for gnutls authentication",
768
.group = 2 },
769
{ .name = "dh-bits", .key = 129,
770
.arg = "BITS",
771
.doc = "dh-bits to use in gnutls communication",
772
.group = 2 },
773
{ .name = "priority", .key = 130,
774
.arg = "PRIORITY",
775
.doc = "GNUTLS priority", .group = 1 },
776
{ .name = NULL }
777
};
778
779
780
error_t parse_opt (int key, char *arg,
781
struct argp_state *state) {
782
/* Get the INPUT argument from `argp_parse', which we know is
783
a pointer to our plugin list pointer. */
784
switch (key) {
785
case 128:
786
debug = true;
787
break;
788
case 'c':
789
connect_to = arg;
790
break;
791
case 'i':
792
interface = arg;
793
break;
794
case 'd':
795
keydir = arg;
796
break;
797
case 's':
798
seckeyfile = arg;
799
break;
800
case 'p':
801
pubkeyfile = arg;
802
break;
803
case 129:
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
804
742
errno = 0;
805
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
806
if (errno){
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
807
745
perror("strtol");
808
746
exit(EXIT_FAILURE);
809
747
}
810
break;
811
case 130:
812
mc.priority = arg;
813
break;
814
case ARGP_KEY_ARG:
815
argp_usage (state);
816
break;
817
case ARGP_KEY_END:
818
break;
819
default:
820
return ARGP_ERR_UNKNOWN;
748
mc.dh_bits = tmp;
821
749
}
822
return 0;
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
823
756
}
824
825
struct argp argp = { .options = options, .parser = parse_opt,
826
.args_doc = "",
827
.doc = "Mandos client -- Get and decrypt"
828
" passwords from mandos server" };
829
argp_parse (&argp, argc, argv, 0, 0, NULL);
830
}
831
832
pubkeyfile = combinepath(keydir, pubkeyfile);
833
if (pubkeyfile == NULL){
834
perror("combinepath");
835
exitcode = EXIT_FAILURE;
836
goto end;
837
}
838
839
seckeyfile = combinepath(keydir, seckeyfile);
840
if (seckeyfile == NULL){
841
perror("combinepath");
842
goto end;
843
}
844
845
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
846
if (ret == -1){
847
fprintf(stderr, "init_gnutls_global\n");
848
goto end;
849
}
850
851
uid = getuid();
852
gid = getgid();
853
854
ret = setuid(uid);
855
if (ret == -1){
856
perror("setuid");
857
}
858
859
setgid(gid);
860
if (ret == -1){
861
perror("setgid");
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
862
771
}
863
772
864
773
if_index = (AvahiIfIndex) if_nametoindex(interface);
873
782
char *address = strrchr(connect_to, ':');
874
783
if(address == NULL){
875
784
fprintf(stderr, "No colon in address\n");
876
exitcode = EXIT_FAILURE;
877
goto end;
785
exit(EXIT_FAILURE);
878
786
}
879
787
errno = 0;
880
788
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
881
789
if(errno){
882
790
perror("Bad port number");
883
exitcode = EXIT_FAILURE;
884
goto end;
791
exit(EXIT_FAILURE);
885
792
}
886
793
*address = '\0';
887
794
address = connect_to;
888
ret = start_mandos_communication(address, port, if_index, &mc);
795
ret = start_mandos_communication(address, port, if_index);
889
796
if(ret < 0){
890
exitcode = EXIT_FAILURE;
797
exit(EXIT_FAILURE);
891
798
} else {
892
exitcode = EXIT_SUCCESS;
799
exit(EXIT_SUCCESS);
893
800
}
894
goto end;
895
801
}
896
802
897
/* If the interface is down, bring it up */
898
{
899
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
900
if(sd < 0) {
901
perror("socket");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
strcpy(network.ifr_name, interface); /* Spurious warning */
906
ret = ioctl(sd, SIOCGIFFLAGS, &network);
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
907
820
if(ret == -1){
908
perror("ioctl SIOCGIFFLAGS");
909
exitcode = EXIT_FAILURE;
910
goto end;
911
}
912
if((network.ifr_flags & IFF_UP) == 0){
913
network.ifr_flags |= IFF_UP;
914
ret = ioctl(sd, SIOCSIFFLAGS, &network);
915
if(ret == -1){
916
perror("ioctl SIOCSIFFLAGS");
917
exitcode = EXIT_FAILURE;
918
goto end;
919
}
920
}
921
close(sd);
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
922
825
}
826
close(sd);
923
827
924
828
if (not debug){
925
829
avahi_set_log_function(empty_log);
926
830
}
927
831
928
/* Initialize the pseudo-RNG for Avahi */
832
/* Initialize the psuedo-RNG */
929
833
srand((unsigned int) time(NULL));
930
931
/* Allocate main Avahi loop object */
932
mc.simple_poll = avahi_simple_poll_new();
933
if (mc.simple_poll == NULL) {
934
fprintf(stderr, "Avahi: Failed to create simple poll"
935
" object.\n");
936
exitcode = EXIT_FAILURE;
937
goto end;
938
}
939
940
{
941
AvahiServerConfig config;
942
/* Do not publish any local Zeroconf records */
943
avahi_server_config_init(&config);
944
config.publish_hinfo = 0;
945
config.publish_addresses = 0;
946
config.publish_workstation = 0;
947
config.publish_domain = 0;
948
949
/* Allocate a new server */
950
mc.server = avahi_server_new(avahi_simple_poll_get
951
(mc.simple_poll), &config, NULL,
952
NULL, &error);
953
954
/* Free the Avahi configuration data */
955
avahi_server_config_free(&config);
956
}
957
958
/* Check if creating the Avahi server object succeeded */
959
if (mc.server == NULL) {
960
fprintf(stderr, "Failed to create Avahi server: %s\n",
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
961
859
avahi_strerror(error));
962
exitcode = EXIT_FAILURE;
963
goto end;
860
returncode = EXIT_FAILURE;
861
goto exit;
964
862
}
965
863
966
/* Create the Avahi service browser */
864
/* Create the service browser */
967
865
sb = avahi_s_service_browser_new(mc.server, if_index,
968
866
AVAHI_PROTO_INET6,
969
867
"_mandos._tcp", NULL, 0,
970
868
browse_callback, &mc);
971
if (sb == NULL) {
869
if (!sb) {
972
870
fprintf(stderr, "Failed to create service browser: %s\n",
973
871
avahi_strerror(avahi_server_errno(mc.server)));
974
exitcode = EXIT_FAILURE;
975
goto end;
872
returncode = EXIT_FAILURE;
873
goto exit;
976
874
}
977
875
978
876
/* Run the main loop */
979
877
980
878
if (debug){
981
fprintf(stderr, "Starting Avahi loop search\n");
879
fprintf(stderr, "Starting avahi loop search\n");
982
880
}
983
881
984
avahi_simple_poll_loop(mc.simple_poll);
882
avahi_simple_poll_loop(simple_poll);
985
883
986
end:
884
exit:
987
885
988
886
if (debug){
989
887
fprintf(stderr, "%s exiting\n", argv[0]);
990
888
}
991
889
992
890
/* Cleanup things */
993
if (sb != NULL)
891
if (sb)
994
892
avahi_s_service_browser_free(sb);
995
893
996
if (mc.server != NULL)
894
if (mc.server)
997
895
avahi_server_free(mc.server);
998
896
999
if (mc.simple_poll != NULL)
1000
avahi_simple_poll_free(mc.simple_poll);
1001
free(pubkeyfile);
1002
free(seckeyfile);
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1003
901
1004
return exitcode;
902
return returncode;
1005
903
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0