/mandos/trunk : revision 24.1.10

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

54

struct in6_addr, inet_pton(),

55

connect() */

56

#include <assert.h> /* assert() */

57

#include <errno.h> /* perror(), errno */

58

#include <time.h> /* time() */

59

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

60

SIOCSIFFLAGS, if_indextoname(),

61

if_nametoindex(), IF_NAMESIZE */

62

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

63

getuid(), getgid(), setuid(),

64

setgid() */

65

#include <netinet/in.h>

66

#include <arpa/inet.h> /* inet_pton(), htons */

67

#include <iso646.h> /* not, and */

68

#include <argp.h> /* struct argp_option, error_t, struct

69

argp_state, struct argp,

70

argp_parse(), ARGP_KEY_ARG,

71

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

37

#include <stdio.h>

38

#include <assert.h>

39

#include <stdlib.h>

40

#include <time.h>

41

#include <net/if.h> /* if_nametoindex */

42

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

43

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

72

44

73

/* Avahi */

74

/* All Avahi types, constants and functions

75

Avahi*, avahi_*,

76

AVAHI_* */

77

45

#include <avahi-core/core.h>

78

46

#include <avahi-core/lookup.h>

79

47

#include <avahi-core/log.h>

81

49

#include <avahi-common/malloc.h>

82

50

#include <avahi-common/error.h>

83

51

84

/* GnuTLS */

85

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

86

gnutls_*

87

init_gnutls_session(),

88

GNUTLS_* */

89

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

90

GNUTLS_OPENPGP_FMT_BASE64 */

91

92

/* GPGME */

93

#include <gpgme.h> /* All GPGME types, constants and functions

94

gpgme_*

95

GPGME_PROTOCOL_OpenPGP,

96

GPG_ERR_NO_* */

52

//mandos client part

53

#include <sys/types.h> /* socket(), inet_pton() */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton() */

56

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

57

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

58

59

#include <unistd.h> /* close() */

60

#include <netinet/in.h>

61

#include <stdbool.h> /* true */

62

#include <string.h> /* memset */

63

#include <arpa/inet.h> /* inet_pton() */

64

#include <iso646.h> /* not */

65

66

// gpgme

67

#include <errno.h> /* perror() */

68

#include <gpgme.h>

69

70

// getopt long

71

#include <getopt.h>

97

72

98

73

#define BUFFER_SIZE 256

74

#define DH_BITS 1024

75

76

static const char *certdir = "/conf/conf.d/mandos";

77

static const char *certfile = "openpgp-client.txt";

78

static const char *certkey = "openpgp-client-key.txt";

99

79

100

80

bool debug = false;

101

static const char *keydir = "/conf/conf.d/mandos";

102

static const char mandos_protocol_version[] = "1";

103

const char *argp_program_version = "mandosclient 0.9";

104

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

105

106

/* Used for passing in values through the Avahi callback functions */

81

82

const char mandos_protocol_version[] = "1";

83

107

84

typedef struct {

108

85

AvahiSimplePoll *simple_poll;

109

86

AvahiServer *server;

110

87

gnutls_certificate_credentials_t cred;

111

88

unsigned int dh_bits;

112

gnutls_dh_params_t dh_params;

113

89

const char *priority;

114

90

} mandos_context;

115

91

116

/*

117

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

118

* "buffer_capacity" is how much is currently allocated,

119

* "buffer_length" is how much is already used.

120

*/

121

size_t adjustbuffer(char **buffer, size_t buffer_length,

92

size_t adjustbuffer(char *buffer, size_t buffer_length,

122

93

size_t buffer_capacity){

123

94

if (buffer_length + BUFFER_SIZE > buffer_capacity){

124

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

95

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

125

96

if (buffer == NULL){

126

97

return 0;

127

98

}

130

101

return buffer_capacity;

131

102

}

132

103

133

/*

134

* Decrypt OpenPGP data using keyrings in HOMEDIR.

135

* Returns -1 on error

136

*/

137

static ssize_t pgp_packet_decrypt (const char *cryptotext,

138

size_t crypto_size,

139

char **plaintext,

104

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

105

char **new_packet,

140

106

const char *homedir){

141

107

gpgme_data_t dh_crypto, dh_plain;

142

108

gpgme_ctx_t ctx;

143

109

gpgme_error_t rc;

144

110

ssize_t ret;

145

size_t plaintext_capacity = 0;

146

ssize_t plaintext_length = 0;

111

size_t new_packet_capacity = 0;

112

ssize_t new_packet_length = 0;

147

113

gpgme_engine_info_t engine_info;

148

114

149

115

if (debug){

150

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

116

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

151

117

}

152

118

153

119

/* Init GPGME */

159

125

return -1;

160

126

}

161

127

162

/* Set GPGME home directory for the OpenPGP engine only */

128

/* Set GPGME home directory */

163

129

rc = gpgme_get_engine_info (&engine_info);

164

130

if (rc != GPG_ERR_NO_ERROR){

165

131

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

175

141

engine_info = engine_info->next;

176

142

}

177

143

if(engine_info == NULL){

178

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

144

fprintf(stderr, "Could not set home dir to %s\n", homedir);

179

145

return -1;

180

146

}

181

147

182

/* Create new GPGME data buffer from memory cryptotext */

183

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

184

0);

148

/* Create new GPGME data buffer from packet buffer */

149

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

185

150

if (rc != GPG_ERR_NO_ERROR){

186

151

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

187

152

gpgme_strsource(rc), gpgme_strerror(rc));

193

158

if (rc != GPG_ERR_NO_ERROR){

194

159

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

195

160

gpgme_strsource(rc), gpgme_strerror(rc));

196

gpgme_data_release(dh_crypto);

197

161

return -1;

198

162

}

199

163

202

166

if (rc != GPG_ERR_NO_ERROR){

203

167

fprintf(stderr, "bad gpgme_new: %s: %s\n",

204

168

gpgme_strsource(rc), gpgme_strerror(rc));

205

plaintext_length = -1;

206

goto decrypt_end;

169

return -1;

207

170

}

208

171

209

/* Decrypt data from the cryptotext data buffer to the plaintext

210

data buffer */

172

/* Decrypt data from the FILE pointer to the plaintext data

173

buffer */

211

174

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

212

175

if (rc != GPG_ERR_NO_ERROR){

213

176

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

214

177

gpgme_strsource(rc), gpgme_strerror(rc));

215

plaintext_length = -1;

216

goto decrypt_end;

178

return -1;

217

179

}

218

180

219

181

if(debug){

220

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

182

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

221

183

}

222

184

223

185

if (debug){

224

186

gpgme_decrypt_result_t result;

225

187

result = gpgme_op_decrypt_result(ctx);

249

211

}

250

212

}

251

213

214

/* Delete the GPGME FILE pointer cryptotext data buffer */

215

gpgme_data_release(dh_crypto);

216

252

217

/* Seek back to the beginning of the GPGME plaintext data buffer */

253

218

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

219

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

220

}

258

221

259

*plaintext = NULL;

222

*new_packet = 0;

260

223

while(true){

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

224

new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,

225

new_packet_capacity);

226

if (new_packet_capacity == 0){

265

227

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

228

return -1;

229

}

230

new_packet_capacity += BUFFER_SIZE;

268

231

}

269

232

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

233

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

271

234

BUFFER_SIZE);

272

235

/* Print the data, if any */

273

236

if (ret == 0){

274

/* EOF */

275

237

break;

276

238

}

277

239

if(ret < 0){

278

240

perror("gpgme_data_read");

279

plaintext_length = -1;

280

goto decrypt_end;

241

return -1;

281

242

}

282

plaintext_length += ret;

243

new_packet_length += ret;

283

244

}

284

245

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

246

/* FIXME: check characters before printing to screen so to not print

247

terminal control characters */

248

/* if(debug){ */

249

/* fprintf(stderr, "decrypted password is: "); */

250

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

251

/* fprintf(stderr, "\n"); */

252

/* } */

297

253

298

254

/* Delete the GPGME plaintext data buffer */

299

255

gpgme_data_release(dh_plain);

300

return plaintext_length;

256

return new_packet_length;

301

257

}

302

258

303

259

static const char * safer_gnutls_strerror (int value) {

307

263

return ret;

308

264

}

309

265

310

/* GnuTLS log function callback */

311

266

static void debuggnutls(__attribute__((unused)) int level,

312

267

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

268

fprintf(stderr, "%s", string);

314

269

}

315

270

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfile,

318

const char *seckeyfile){

271

static int initgnutls(mandos_context *mc){

272

const char *err;

319

273

int ret;

320

274

321

275

if(debug){

322

276

fprintf(stderr, "Initializing GnuTLS\n");

323

277

}

324

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

278

279

if ((ret = gnutls_global_init ())

280

!= GNUTLS_E_SUCCESS) {

281

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

329

282

return -1;

330

283

}

331

284

332

285

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

*/

336

286

gnutls_global_set_log_level(11);

337

287

gnutls_global_set_log_function(debuggnutls);

338

288

}

339

289

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n",

290

/* openpgp credentials */

291

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

292

!= GNUTLS_E_SUCCESS) {

293

fprintf (stderr, "memory error: %s\n",

344

294

safer_gnutls_strerror(ret));

345

gnutls_global_deinit ();

346

295

return -1;

347

296

}

348

297

349

298

if(debug){

350

299

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

351

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

352

seckeyfile);

300

" and keyfile %s as GnuTLS credentials\n", certfile,

301

certkey);

353

302

}

354

303

355

304

ret = gnutls_certificate_set_openpgp_key_file

356

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

305

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

357

306

if (ret != GNUTLS_E_SUCCESS) {

358

fprintf(stderr,

359

"Error[%d] while reading the OpenPGP key pair ('%s',"

360

" '%s')\n", ret, pubkeyfile, seckeyfile);

361

fprintf(stdout, "The GnuTLS error is: %s\n",

307

fprintf

308

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

309

" '%s')\n",

310

ret, certfile, certkey);

311

fprintf(stdout, "The Error is: %s\n",

362

312

safer_gnutls_strerror(ret));

363

goto globalfail;

364

}

365

366

/* GnuTLS server initialization */

367

ret = gnutls_dh_params_init(&mc->dh_params);

368

if (ret != GNUTLS_E_SUCCESS) {

369

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

370

" %s\n", safer_gnutls_strerror(ret));

371

goto globalfail;

372

}

373

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

376

safer_gnutls_strerror(ret));

377

goto globalfail;

378

}

379

380

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

381

382

return 0;

383

384

globalfail:

385

386

gnutls_certificate_free_credentials(mc->cred);

387

gnutls_global_deinit();

388

return -1;

389

390

}

391

392

static int init_gnutls_session(mandos_context *mc,

393

gnutls_session_t *session){

394

int ret;

395

/* GnuTLS session creation */

396

ret = gnutls_init(session, GNUTLS_SERVER);

397

if (ret != GNUTLS_E_SUCCESS){

313

return -1;

314

}

315

316

//GnuTLS server initialization

317

if ((ret = gnutls_dh_params_init (&es->dh_params))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf (stderr, "Error in dh parameter initialization: %s\n",

320

safer_gnutls_strerror(ret));

321

return -1;

322

}

323

324

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

325

!= GNUTLS_E_SUCCESS) {

326

fprintf (stderr, "Error in prime generation: %s\n",

327

safer_gnutls_strerror(ret));

328

return -1;

329

}

330

331

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

332

333

// GnuTLS session creation

334

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

335

!= GNUTLS_E_SUCCESS){

398

336

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

399

337

safer_gnutls_strerror(ret));

400

338

}

401

339

402

{

403

const char *err;

404

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

405

if (ret != GNUTLS_E_SUCCESS) {

406

fprintf(stderr, "Syntax error at: %s\n", err);

407

fprintf(stderr, "GnuTLS error: %s\n",

408

safer_gnutls_strerror(ret));

409

gnutls_deinit (*session);

410

return -1;

411

}

340

if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))

341

!= GNUTLS_E_SUCCESS) {

342

fprintf(stderr, "Syntax error at: %s\n", err);

343

fprintf(stderr, "GnuTLS error: %s\n",

344

safer_gnutls_strerror(ret));

345

return -1;

412

346

}

413

347

414

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

415

mc->cred);

416

if (ret != GNUTLS_E_SUCCESS) {

417

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

348

if ((ret = gnutls_credentials_set

349

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

350

!= GNUTLS_E_SUCCESS) {

351

fprintf(stderr, "Error setting a credentials set: %s\n",

418

352

safer_gnutls_strerror(ret));

419

gnutls_deinit (*session);

420

353

return -1;

421

354

}

422

355

423

356

/* ignore client certificate if any. */

424

gnutls_certificate_server_set_request (*session,

357

gnutls_certificate_server_set_request (es->session,

425

358

GNUTLS_CERT_IGNORE);

426

359

427

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

360

gnutls_dh_set_prime_bits (es->session, DH_BITS);

428

361

429

362

return 0;

430

363

}

431

364

432

/* Avahi log function callback */

433

365

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

434

366

__attribute__((unused)) const char *txt){}

435

367

436

/* Called when a Mandos server is found */

437

368

static int start_mandos_communication(const char *ip, uint16_t port,

438

369

AvahiIfIndex if_index,

439

370

mandos_context *mc){

440

371

int ret, tcp_sd;

441

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

372

struct sockaddr_in6 to;

373

encrypted_session es;

442

374

char *buffer = NULL;

443

375

char *decrypted_buffer;

444

376

size_t buffer_length = 0;

447

379

size_t written;

448

380

int retval = 0;

449

381

char interface[IF_NAMESIZE];

450

gnutls_session_t session;

451

452

ret = init_gnutls_session (mc, &session);

453

if (ret != 0){

454

return -1;

455

}

456

382

457

383

if(debug){

458

384

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

467

393

468

394

if(debug){

469

395

if(if_indextoname((unsigned int)if_index, interface) == NULL){

470

perror("if_indextoname");

396

if(debug){

397

perror("if_indextoname");

398

}

471

399

return -1;

472

400

}

401

473

402

fprintf(stderr, "Binding to interface %s\n", interface);

474

403

}

475

404

476

405

memset(&to,0,sizeof(to)); /* Spurious warning */

477

to.in6.sin6_family = AF_INET6;

478

/* It would be nice to have a way to detect if we were passed an

479

IPv4 address here. Now we assume an IPv6 address. */

480

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

406

to.sin6_family = AF_INET6;

407

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

481

408

if (ret < 0 ){

482

409

perror("inet_pton");

483

410

return -1;

484

}

411

}

485

412

if(ret == 0){

486

413

fprintf(stderr, "Bad address: %s\n", ip);

487

414

return -1;

488

415

}

489

to.in6.sin6_port = htons(port); /* Spurious warning */

416

to.sin6_port = htons(port); /* Spurious warning */

490

417

491

to.in6.sin6_scope_id = (uint32_t)if_index;

418

to.sin6_scope_id = (uint32_t)if_index;

492

419

493

420

if(debug){

494

421

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

495

char addrstr[INET6_ADDRSTRLEN] = "";

496

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

497

sizeof(addrstr)) == NULL){

498

perror("inet_ntop");

499

} else {

500

if(strcmp(addrstr, ip) != 0){

501

fprintf(stderr, "Canonical address form: %s\n", addrstr);

502

}

503

}

422

/* char addrstr[INET6_ADDRSTRLEN]; */

423

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

424

/* sizeof(addrstr)) == NULL){ */

425

/* perror("inet_ntop"); */

426

/* } else { */

427

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

428

/* addrstr, ntohs(to.sin6_port)); */

429

/* } */

504

430

}

505

431

506

ret = connect(tcp_sd, &to.in, sizeof(to));

432

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

507

433

if (ret < 0){

508

434

perror("connect");

509

435

return -1;

510

436

}

511

437

512

const char *out = mandos_protocol_version;

438

char *out = mandos_protocol_version;

513

439

written = 0;

514

440

while (true){

515

441

size_t out_size = strlen(out);

518

444

if (ret == -1){

519

445

perror("write");

520

446

retval = -1;

521

goto mandos_end;

447

goto end;

522

448

}

523

written += (size_t)ret;

449

written += ret;

524

450

if(written < out_size){

525

451

continue;

526

452

} else {

533

459

}

534

460

}

535

461

462

ret = initgnutls (&es);

463

if (ret != 0){

464

retval = -1;

465

return -1;

466

}

467

468

gnutls_transport_set_ptr (es.session,

469

(gnutls_transport_ptr_t) tcp_sd);

470

536

471

if(debug){

537

472

fprintf(stderr, "Establishing TLS session with %s\n", ip);

538

473

}

539

474

540

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

541

542

do{

543

ret = gnutls_handshake (session);

544

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

475

ret = gnutls_handshake (es.session);

545

476

546

477

if (ret != GNUTLS_E_SUCCESS){

547

478

if(debug){

548

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

479

fprintf(stderr, "\n*** Handshake failed ***\n");

549

480

gnutls_perror (ret);

550

481

}

551

482

retval = -1;

552

goto mandos_end;

483

goto exit;

553

484

}

554

485

555

/* Read OpenPGP packet that contains the wanted password */

486

//Retrieve OpenPGP packet that contains the wanted password

556

487

557

488

if(debug){

558

489

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

560

491

}

561

492

562

493

while(true){

563

buffer_capacity = adjustbuffer(&buffer, buffer_length,

564

buffer_capacity);

494

buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);

565

495

if (buffer_capacity == 0){

566

496

perror("adjustbuffer");

567

497

retval = -1;

568

goto mandos_end;

498

goto exit;

569

499

}

570

500

571

ret = gnutls_record_recv(session, buffer+buffer_length,

572

BUFFER_SIZE);

501

ret = gnutls_record_recv

502

(es.session, buffer+buffer_length, BUFFER_SIZE);

573

503

if (ret == 0){

574

504

break;

575

505

}

579

509

case GNUTLS_E_AGAIN:

580

510

break;

581

511

case GNUTLS_E_REHANDSHAKE:

582

do{

583

ret = gnutls_handshake (session);

584

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

512

ret = gnutls_handshake (es.session);

585

513

if (ret < 0){

586

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

514

fprintf(stderr, "\n*** Handshake failed ***\n");

587

515

gnutls_perror (ret);

588

516

retval = -1;

589

goto mandos_end;

517

goto exit;

590

518

}

591

519

break;

592

520

default:

593

521

fprintf(stderr, "Unknown error while reading data from"

594

" encrypted session with Mandos server\n");

522

" encrypted session with mandos server\n");

595

523

retval = -1;

596

gnutls_bye (session, GNUTLS_SHUT_RDWR);

597

goto mandos_end;

524

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

525

goto exit;

598

526

}

599

527

} else {

600

528

buffer_length += (size_t) ret;

601

529

}

602

530

}

603

531

604

if(debug){

605

fprintf(stderr, "Closing TLS session\n");

606

}

607

608

gnutls_bye (session, GNUTLS_SHUT_RDWR);

609

610

532

if (buffer_length > 0){

611

533

decrypted_buffer_size = pgp_packet_decrypt(buffer,

612

534

buffer_length,

613

535

&decrypted_buffer,

614

keydir);

536

certdir);

615

537

if (decrypted_buffer_size >= 0){

616

538

written = 0;

617

539

while(written < (size_t) decrypted_buffer_size){

633

555

retval = -1;

634

556

}

635

557

}

636

637

/* Shutdown procedure */

638

639

mandos_end:

558

559

//shutdown procedure

560

561

if(debug){

562

fprintf(stderr, "Closing TLS session\n");

563

}

564

640

565

free(buffer);

566

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

567

exit:

641

568

close(tcp_sd);

642

gnutls_deinit (session);

569

gnutls_deinit (es.session);

570

gnutls_certificate_free_credentials (es.cred);

571

gnutls_global_deinit ();

643

572

return retval;

644

573

}

645

574

646

static void resolve_callback(AvahiSServiceResolver *r,

647

AvahiIfIndex interface,

648

AVAHI_GCC_UNUSED AvahiProtocol protocol,

649

AvahiResolverEvent event,

650

const char *name,

651

const char *type,

652

const char *domain,

653

const char *host_name,

654

const AvahiAddress *address,

655

uint16_t port,

656

AVAHI_GCC_UNUSED AvahiStringList *txt,

657

AVAHI_GCC_UNUSED AvahiLookupResultFlags

658

flags,

659

void* userdata) {

575

static void resolve_callback( AvahiSServiceResolver *r,

576

AvahiIfIndex interface,

577

AVAHI_GCC_UNUSED AvahiProtocol protocol,

578

AvahiResolverEvent event,

579

const char *name,

580

const char *type,

581

const char *domain,

582

const char *host_name,

583

const AvahiAddress *address,

584

uint16_t port,

585

AVAHI_GCC_UNUSED AvahiStringList *txt,

586

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

587

AVAHI_GCC_UNUSED void* userdata) {

660

588

mandos_context *mc = userdata;

661

589

assert(r); /* Spurious warning */

662

590

666

594

switch (event) {

667

595

default:

668

596

case AVAHI_RESOLVER_FAILURE:

669

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

670

" of type '%s' in domain '%s': %s\n", name, type, domain,

597

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

598

" type '%s' in domain '%s': %s\n", name, type, domain,

671

599

avahi_strerror(avahi_server_errno(mc->server)));

672

600

break;

673

601

676

604

char ip[AVAHI_ADDRESS_STR_MAX];

677

605

avahi_address_snprint(ip, sizeof(ip), address);

678

606

if(debug){

679

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

680

" port %d\n", name, host_name, ip, interface, port);

607

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

608

" port %d\n", name, host_name, ip, port);

681

609

}

682

610

int ret = start_mandos_communication(ip, port, interface, mc);

683

611

if (ret == 0){

695

623

const char *name,

696

624

const char *type,

697

625

const char *domain,

698

AVAHI_GCC_UNUSED AvahiLookupResultFlags

699

flags,

626

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

700

627

void* userdata) {

701

628

mandos_context *mc = userdata;

702

629

assert(b); /* Spurious warning */

707

634

switch (event) {

708

635

default:

709

636

case AVAHI_BROWSER_FAILURE:

710

711

fprintf(stderr, "(Avahi browser) %s\n",

637

638

fprintf(stderr, "(Browser) %s\n",

712

639

avahi_strerror(avahi_server_errno(mc->server)));

713

640

avahi_simple_poll_quit(mc->simple_poll);

714

641

return;

715

642

716

643

case AVAHI_BROWSER_NEW:

717

/* We ignore the returned Avahi resolver object. In the callback

718

function we free it. If the Avahi server is terminated before

719

the callback function is called the Avahi server will free the

720

resolver for us. */

721

722

if (!(avahi_s_service_resolver_new(mc->server, interface,

723

protocol, name, type, domain,

644

/* We ignore the returned resolver object. In the callback

645

function we free it. If the server is terminated before

646

the callback function is called the server will free

647

the resolver for us. */

648

649

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

650

type, domain,

724

651

AVAHI_PROTO_INET6, 0,

725

652

resolve_callback, mc)))

726

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

727

name, avahi_strerror(avahi_server_errno(mc->server)));

653

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

654

avahi_strerror(avahi_server_errno(s)));

728

655

break;

729

656

730

657

case AVAHI_BROWSER_REMOVE:

731

658

break;

732

659

733

660

case AVAHI_BROWSER_ALL_FOR_NOW:

734

661

case AVAHI_BROWSER_CACHE_EXHAUSTED:

735

if(debug){

736

fprintf(stderr, "No Mandos server found, still searching...\n");

737

}

738

662

break;

739

663

}

740

664

}

749

673

return NULL;

750

674

}

751

675

if(f_len > 0){

752

memcpy(tmp, first, f_len); /* Spurious warning */

676

memcpy(tmp, first, f_len);

753

677

}

754

678

tmp[f_len] = '/';

755

679

if(s_len > 0){

756

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

680

memcpy(tmp + f_len + 1, second, s_len);

757

681

}

758

682

tmp[f_len + 1 + s_len] = '\0';

759

683

return tmp;

760

684

}

761

685

762

686

763

int main(int argc, char *argv[]){

687

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

688

AvahiServerConfig config;

764

689

AvahiSServiceBrowser *sb = NULL;

765

690

int error;

766

691

int ret;

767

int exitcode = EXIT_SUCCESS;

692

int returncode = EXIT_SUCCESS;

768

693

const char *interface = "eth0";

769

694

struct ifreq network;

770

695

int sd;

771

uid_t uid;

772

gid_t gid;

773

696

char *connect_to = NULL;

774

697

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

775

const char *pubkeyfile = "pubkey.txt";

776

const char *seckeyfile = "seckey.txt";

777

698

mandos_context mc = { .simple_poll = NULL, .server = NULL,

778

.dh_bits = 1024, .priority = "SECURE256"};

779

bool gnutls_initalized = false;

699

.dh_bits = 2048, .priority = "SECURE256"};

780

700

781

{

782

struct argp_option options[] = {

783

{ .name = "debug", .key = 128,

784

.doc = "Debug mode", .group = 3 },

785

{ .name = "connect", .key = 'c',

786

.arg = "IP",

787

.doc = "Connect directly to a sepcified mandos server",

788

.group = 1 },

789

{ .name = "interface", .key = 'i',

790

.arg = "INTERFACE",

791

.doc = "Interface that Avahi will conntect through",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "KEYDIR",

795

.doc = "Directory where the openpgp keyring is",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "SECKEY",

799

.doc = "Secret openpgp key for gnutls authentication",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "PUBKEY",

803

.doc = "Public openpgp key for gnutls authentication",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "dh-bits to use in gnutls communication",

808

.group = 2 },

809

{ .name = "priority", .key = 130,

810

.arg = "PRIORITY",

811

.doc = "GNUTLS priority", .group = 1 },

812

{ .name = NULL }

813

};

814

815

816

error_t parse_opt (int key, char *arg,

817

struct argp_state *state) {

818

/* Get the INPUT argument from `argp_parse', which we know is

819

a pointer to our plugin list pointer. */

820

switch (key) {

821

case 128:

822

debug = true;

823

break;

824

case 'c':

825

connect_to = arg;

826

break;

827

case 'i':

828

interface = arg;

829

break;

830

case 'd':

831

keydir = arg;

832

break;

833

case 's':

834

seckeyfile = arg;

835

break;

836

case 'p':

837

pubkeyfile = arg;

838

break;

839

case 129:

701

while (true){

702

static struct option long_options[] = {

703

{"debug", no_argument, (int *)&debug, 1},

704

{"connect", required_argument, 0, 'C'},

705

{"interface", required_argument, 0, 'i'},

706

{"certdir", required_argument, 0, 'd'},

707

{"certkey", required_argument, 0, 'c'},

708

{"certfile", required_argument, 0, 'k'},

709

{"dh_bits", required_argument, 0, 'D'},

710

{"priority", required_argument, 0, 'p'},

711

{0, 0, 0, 0} };

712

713

int option_index = 0;

714

ret = getopt_long (argc, argv, "i:", long_options,

715

&option_index);

716

717

if (ret == -1){

718

break;

719

}

720

721

switch(ret){

722

case 0:

723

break;

724

case 'i':

725

interface = optarg;

726

break;

727

case 'C':

728

connect_to = optarg;

729

break;

730

case 'd':

731

certdir = optarg;

732

break;

733

case 'c':

734

certfile = optarg;

735

break;

736

case 'k':

737

certkey = optarg;

738

break;

739

case 'D':

740

{

741

long int tmp;

840

742

errno = 0;

841

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

842

if (errno){

743

tmp = strtol(optarg, NULL, 10);

744

if (errno == ERANGE){

843

745

perror("strtol");

844

746

exit(EXIT_FAILURE);

845

747

}

846

break;

847

case 130:

848

mc.priority = arg;

849

break;

850

case ARGP_KEY_ARG:

851

argp_usage (state);

852

break;

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

748

mc.dh_bits = tmp;

857

749

}

858

return 0;

859

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unkown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

}

872

873

pubkeyfile = combinepath(keydir, pubkeyfile);

874

if (pubkeyfile == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfile = combinepath(keydir, seckeyfile);

881

if (seckeyfile == NULL){

882

perror("combinepath");

883

goto end;

884

}

885

886

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

887

if (ret == -1){

888

fprintf(stderr, "init_gnutls_global\n");

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

uid = getuid();

895

gid = getgid();

896

897

ret = setuid(uid);

898

if (ret == -1){

899

perror("setuid");

900

}

901

902

setgid(gid);

903

if (ret == -1){

904

perror("setgid");

750

break;

751

case 'p':

752

mc.priority = optarg;

753

break;

754

default:

755

exit(EXIT_FAILURE);

756

}

757

}

758

759

certfile = combinepath(certdir, certfile);

760

if (certfile == NULL){

761

perror("combinepath");

762

returncode = EXIT_FAILURE;

763

goto exit;

764

}

765

766

certkey = combinepath(certdir, certkey);

767

if (certkey == NULL){

768

perror("combinepath");

769

returncode = EXIT_FAILURE;

770

goto exit;

905

771

}

906

772

907

773

if_index = (AvahiIfIndex) if_nametoindex(interface);

916

782

char *address = strrchr(connect_to, ':');

917

783

if(address == NULL){

918

784

fprintf(stderr, "No colon in address\n");

919

exitcode = EXIT_FAILURE;

920

goto end;

785

exit(EXIT_FAILURE);

921

786

}

922

787

errno = 0;

923

788

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

924

789

if(errno){

925

790

perror("Bad port number");

926

exitcode = EXIT_FAILURE;

927

goto end;

791

exit(EXIT_FAILURE);

928

792

}

929

793

*address = '\0';

930

794

address = connect_to;

931

ret = start_mandos_communication(address, port, if_index, &mc);

795

ret = start_mandos_communication(address, port, if_index);

932

796

if(ret < 0){

933

exitcode = EXIT_FAILURE;

797

exit(EXIT_FAILURE);

934

798

} else {

935

exitcode = EXIT_SUCCESS;

799

exit(EXIT_SUCCESS);

936

800

}

937

goto end;

938

801

}

939

802

940

/* If the interface is down, bring it up */

941

{

942

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

943

if(sd < 0) {

944

perror("socket");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

strcpy(network.ifr_name, interface); /* Spurious warning */

949

ret = ioctl(sd, SIOCGIFFLAGS, &network);

803

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

804

if(sd < 0) {

805

perror("socket");

806

returncode = EXIT_FAILURE;

807

goto exit;

808

}

809

strcpy(network.ifr_name, interface);

810

ret = ioctl(sd, SIOCGIFFLAGS, &network);

811

if(ret == -1){

812

813

perror("ioctl SIOCGIFFLAGS");

814

returncode = EXIT_FAILURE;

815

goto exit;

816

}

817

if((network.ifr_flags & IFF_UP) == 0){

818

network.ifr_flags |= IFF_UP;

819

ret = ioctl(sd, SIOCSIFFLAGS, &network);

950

820

if(ret == -1){

951

perror("ioctl SIOCGIFFLAGS");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

if((network.ifr_flags & IFF_UP) == 0){

956

network.ifr_flags |= IFF_UP;

957

ret = ioctl(sd, SIOCSIFFLAGS, &network);

958

if(ret == -1){

959

perror("ioctl SIOCSIFFLAGS");

960

exitcode = EXIT_FAILURE;

961

goto end;

962

}

963

}

964

close(sd);

821

perror("ioctl SIOCSIFFLAGS");

822

returncode = EXIT_FAILURE;

823

goto exit;

824

}

965

825

}

826

close(sd);

966

827

967

828

if (not debug){

968

829

avahi_set_log_function(empty_log);

969

830

}

970

831

971

/* Initialize the pseudo-RNG for Avahi */

832

/* Initialize the psuedo-RNG */

972

833

srand((unsigned int) time(NULL));

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

834

835

/* Allocate main loop object */

836

if (!(mc.simple_poll = avahi_simple_poll_new())) {

837

fprintf(stderr, "Failed to create simple poll object.\n");

838

returncode = EXIT_FAILURE;

839

goto exit;

840

}

841

842

/* Do not publish any local records */

843

avahi_server_config_init(&config);

844

config.publish_hinfo = 0;

845

config.publish_addresses = 0;

846

config.publish_workstation = 0;

847

config.publish_domain = 0;

848

849

/* Allocate a new server */

850

mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),

851

&config, NULL, NULL, &error);

852

853

/* Free the configuration data */

854

avahi_server_config_free(&config);

855

856

/* Check if creating the server object succeeded */

857

if (!mc.server) {

858

fprintf(stderr, "Failed to create server: %s\n",

1004

859

avahi_strerror(error));

1005

exitcode = EXIT_FAILURE;

1006

goto end;

860

returncode = EXIT_FAILURE;

861

goto exit;

1007

862

}

1008

863

1009

/* Create the Avahi service browser */

864

/* Create the service browser */

1010

865

sb = avahi_s_service_browser_new(mc.server, if_index,

1011

866

AVAHI_PROTO_INET6,

1012

867

"_mandos._tcp", NULL, 0,

1013

868

browse_callback, &mc);

1014

if (sb == NULL) {

869

if (!sb) {

1015

870

fprintf(stderr, "Failed to create service browser: %s\n",

1016

871

avahi_strerror(avahi_server_errno(mc.server)));

1017

exitcode = EXIT_FAILURE;

1018

goto end;

872

returncode = EXIT_FAILURE;

873

goto exit;

1019

874

}

1020

875

1021

876

/* Run the main loop */

1022

877

1023

878

if (debug){

1024

fprintf(stderr, "Starting Avahi loop search\n");

879

fprintf(stderr, "Starting avahi loop search\n");

1025

880

}

1026

881

1027

avahi_simple_poll_loop(mc.simple_poll);

882

avahi_simple_poll_loop(simple_poll);

1028

883

1029

end:

884

exit:

1030

885

1031

886

if (debug){

1032

887

fprintf(stderr, "%s exiting\n", argv[0]);

1033

888

}

1034

889

1035

890

/* Cleanup things */

1036

if (sb != NULL)

891

if (sb)

1037

892

avahi_s_service_browser_free(sb);

1038

893

1039

if (mc.server != NULL)

894

if (mc.server)

1040

895

avahi_server_free(mc.server);

1041

896

1042

if (mc.simple_poll != NULL)

1043

avahi_simple_poll_free(mc.simple_poll);

1044

free(pubkeyfile);

1045

free(seckeyfile);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

897

if (simple_poll)

898

avahi_simple_poll_free(simple_poll);

899

free(certfile);

900

free(certkey);

1051

901

1052

return exitcode;

902

return returncode;

1053

903

}