To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.11
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.11
- Committer: Björn Påhlsson
- Date: 2008-08-03 16:08:20 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 41.
- Revision ID: belorn@braxen-20080803160820-0tw2n3ufebh51e3i
Added support for protocol version handling
- files added:
- ca.pem
- files removed:
- COPYING
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
38
stdout, ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), asprintf(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
54
connect() */
55
#include <assert.h> /* assert() */
56
#include <errno.h> /* perror(), errno */
57
#include <time.h> /* time() */
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
SIOCSIFFLAGS, if_indextoname(),
60
if_nametoindex(), IF_NAMESIZE */
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
65
#include <arpa/inet.h> /* inet_pton(), htons */
66
#include <iso646.h> /* not, and */
67
#include <argp.h> /* struct argp_option, error_t, struct
68
argp_state, struct argp,
69
argp_parse(), ARGP_KEY_ARG,
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
71
72
/* Avahi */
73
/* All Avahi types, constants and functions
74
Avahi*, avahi_*,
75
AVAHI_* */
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
44
76
45
#include <avahi-core/core.h>
77
46
#include <avahi-core/lookup.h>
78
47
#include <avahi-core/log.h>
80
49
#include <avahi-common/malloc.h>
81
50
#include <avahi-common/error.h>
82
51
83
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
85
functions:
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and
94
functions:
95
gpgme_*
96
GPGME_PROTOCOL_OpenPGP,
97
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
98
72
99
73
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
100
79
101
80
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
103
static const char mandos_protocol_version[] = "1";
104
const char *argp_program_version = "password-request 1.0";
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
106
107
/* Used for passing in values through the Avahi callback functions */
81
82
const char mandos_protocol_version[] = "1";
83
108
84
typedef struct {
109
85
AvahiSimplePoll *simple_poll;
110
86
AvahiServer *server;
111
87
gnutls_certificate_credentials_t cred;
112
88
unsigned int dh_bits;
113
gnutls_dh_params_t dh_params;
114
89
const char *priority;
115
90
} mandos_context;
116
91
117
/*
118
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
119
* "buffer_capacity" is how much is currently allocated,
120
* "buffer_length" is how much is already used.
121
*/
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
123
93
size_t buffer_capacity){
124
94
if (buffer_length + BUFFER_SIZE > buffer_capacity){
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
126
96
if (buffer == NULL){
127
97
return 0;
128
98
}
131
101
return buffer_capacity;
132
102
}
133
103
134
/*
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
137
*/
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
141
106
const char *homedir){
142
107
gpgme_data_t dh_crypto, dh_plain;
143
108
gpgme_ctx_t ctx;
144
109
gpgme_error_t rc;
145
110
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
148
113
gpgme_engine_info_t engine_info;
149
114
150
115
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
152
117
}
153
118
154
119
/* Init GPGME */
160
125
return -1;
161
126
}
162
127
163
/* Set GPGME home directory for the OpenPGP engine only */
128
/* Set GPGME home directory */
164
129
rc = gpgme_get_engine_info (&engine_info);
165
130
if (rc != GPG_ERR_NO_ERROR){
166
131
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
176
141
engine_info = engine_info->next;
177
142
}
178
143
if(engine_info == NULL){
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
180
145
return -1;
181
146
}
182
147
183
/* Create new GPGME data buffer from memory cryptotext */
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
185
0);
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
186
150
if (rc != GPG_ERR_NO_ERROR){
187
151
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
188
152
gpgme_strsource(rc), gpgme_strerror(rc));
194
158
if (rc != GPG_ERR_NO_ERROR){
195
159
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
196
160
gpgme_strsource(rc), gpgme_strerror(rc));
197
gpgme_data_release(dh_crypto);
198
161
return -1;
199
162
}
200
163
203
166
if (rc != GPG_ERR_NO_ERROR){
204
167
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
168
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
169
return -1;
208
170
}
209
171
210
/* Decrypt data from the cryptotext data buffer to the plaintext
211
data buffer */
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
212
174
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
213
175
if (rc != GPG_ERR_NO_ERROR){
214
176
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
215
177
gpgme_strsource(rc), gpgme_strerror(rc));
216
plaintext_length = -1;
217
goto decrypt_end;
178
return -1;
218
179
}
219
180
220
181
if(debug){
221
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
222
183
}
223
184
224
185
if (debug){
225
186
gpgme_decrypt_result_t result;
226
187
result = gpgme_op_decrypt_result(ctx);
229
190
} else {
230
191
fprintf(stderr, "Unsupported algorithm: %s\n",
231
192
result->unsupported_algorithm);
232
fprintf(stderr, "Wrong key usage: %u\n",
193
fprintf(stderr, "Wrong key usage: %d\n",
233
194
result->wrong_key_usage);
234
195
if(result->file_name != NULL){
235
196
fprintf(stderr, "File name: %s\n", result->file_name);
250
211
}
251
212
}
252
213
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
253
217
/* Seek back to the beginning of the GPGME plaintext data buffer */
254
218
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
255
219
perror("pgpme_data_seek");
256
plaintext_length = -1;
257
goto decrypt_end;
258
220
}
259
221
260
*plaintext = NULL;
222
*new_packet = 0;
261
223
while(true){
262
plaintext_capacity = adjustbuffer(plaintext,
263
(size_t)plaintext_length,
264
plaintext_capacity);
265
if (plaintext_capacity == 0){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
266
227
perror("adjustbuffer");
267
plaintext_length = -1;
268
goto decrypt_end;
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
269
231
}
270
232
271
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
272
234
BUFFER_SIZE);
273
235
/* Print the data, if any */
274
236
if (ret == 0){
275
/* EOF */
276
237
break;
277
238
}
278
239
if(ret < 0){
279
240
perror("gpgme_data_read");
280
plaintext_length = -1;
281
goto decrypt_end;
241
return -1;
282
242
}
283
plaintext_length += ret;
243
new_packet_length += ret;
284
244
}
285
245
286
if(debug){
287
fprintf(stderr, "Decrypted password is: ");
288
for(ssize_t i = 0; i < plaintext_length; i++){
289
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
290
}
291
fprintf(stderr, "\n");
292
}
293
294
decrypt_end:
295
296
/* Delete the GPGME cryptotext data buffer */
297
gpgme_data_release(dh_crypto);
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
298
253
299
254
/* Delete the GPGME plaintext data buffer */
300
255
gpgme_data_release(dh_plain);
301
return plaintext_length;
256
return new_packet_length;
302
257
}
303
258
304
259
static const char * safer_gnutls_strerror (int value) {
305
const char *ret = gnutls_strerror (value); /* Spurious warning */
260
const char *ret = gnutls_strerror (value);
306
261
if (ret == NULL)
307
262
ret = "(unknown)";
308
263
return ret;
309
264
}
310
265
311
/* GnuTLS log function callback */
312
266
static void debuggnutls(__attribute__((unused)) int level,
313
267
const char* string){
314
fprintf(stderr, "GnuTLS: %s", string);
268
fprintf(stderr, "%s", string);
315
269
}
316
270
317
static int init_gnutls_global(mandos_context *mc,
318
const char *pubkeyfilename,
319
const char *seckeyfilename){
271
static int initgnutls(mandos_context *mc){
272
const char *err;
320
273
int ret;
321
274
322
275
if(debug){
323
276
fprintf(stderr, "Initializing GnuTLS\n");
324
277
}
325
326
ret = gnutls_global_init();
327
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf (stderr, "GnuTLS global_init: %s\n",
329
safer_gnutls_strerror(ret));
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
330
282
return -1;
331
283
}
332
284
333
285
if (debug){
334
/* "Use a log level over 10 to enable all debugging options."
335
* - GnuTLS manual
336
*/
337
286
gnutls_global_set_log_level(11);
338
287
gnutls_global_set_log_function(debuggnutls);
339
288
}
340
289
341
/* OpenPGP credentials */
342
gnutls_certificate_allocate_credentials(&mc->cred);
343
if (ret != GNUTLS_E_SUCCESS){
344
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
345
warning */
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
346
294
safer_gnutls_strerror(ret));
347
gnutls_global_deinit ();
348
295
return -1;
349
296
}
350
297
351
298
if(debug){
352
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
353
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
354
seckeyfilename);
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
355
302
}
356
303
357
304
ret = gnutls_certificate_set_openpgp_key_file
358
(mc->cred, pubkeyfilename, seckeyfilename,
359
GNUTLS_OPENPGP_FMT_BASE64);
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
360
306
if (ret != GNUTLS_E_SUCCESS) {
361
fprintf(stderr,
362
"Error[%d] while reading the OpenPGP key pair ('%s',"
363
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
364
fprintf(stdout, "The GnuTLS error is: %s\n",
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
365
312
safer_gnutls_strerror(ret));
366
goto globalfail;
367
}
368
369
/* GnuTLS server initialization */
370
ret = gnutls_dh_params_init(&mc->dh_params);
371
if (ret != GNUTLS_E_SUCCESS) {
372
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
373
" %s\n", safer_gnutls_strerror(ret));
374
goto globalfail;
375
}
376
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
379
safer_gnutls_strerror(ret));
380
goto globalfail;
381
}
382
383
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
384
385
return 0;
386
387
globalfail:
388
389
gnutls_certificate_free_credentials(mc->cred);
390
gnutls_global_deinit();
391
return -1;
392
393
}
394
395
static int init_gnutls_session(mandos_context *mc,
396
gnutls_session_t *session){
397
int ret;
398
/* GnuTLS session creation */
399
ret = gnutls_init(session, GNUTLS_SERVER);
400
if (ret != GNUTLS_E_SUCCESS){
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
401
336
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
402
337
safer_gnutls_strerror(ret));
403
338
}
404
339
405
{
406
const char *err;
407
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
408
if (ret != GNUTLS_E_SUCCESS) {
409
fprintf(stderr, "Syntax error at: %s\n", err);
410
fprintf(stderr, "GnuTLS error: %s\n",
411
safer_gnutls_strerror(ret));
412
gnutls_deinit (*session);
413
return -1;
414
}
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
415
346
}
416
347
417
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
418
mc->cred);
419
if (ret != GNUTLS_E_SUCCESS) {
420
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
421
352
safer_gnutls_strerror(ret));
422
gnutls_deinit (*session);
423
353
return -1;
424
354
}
425
355
426
356
/* ignore client certificate if any. */
427
gnutls_certificate_server_set_request (*session,
357
gnutls_certificate_server_set_request (es->session,
428
358
GNUTLS_CERT_IGNORE);
429
359
430
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
431
361
432
362
return 0;
433
363
}
434
364
435
/* Avahi log function callback */
436
365
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
437
366
__attribute__((unused)) const char *txt){}
438
367
439
/* Called when a Mandos server is found */
440
368
static int start_mandos_communication(const char *ip, uint16_t port,
441
369
AvahiIfIndex if_index,
442
370
mandos_context *mc){
443
371
int ret, tcp_sd;
444
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
372
struct sockaddr_in6 to;
373
encrypted_session es;
445
374
char *buffer = NULL;
446
375
char *decrypted_buffer;
447
376
size_t buffer_length = 0;
450
379
size_t written;
451
380
int retval = 0;
452
381
char interface[IF_NAMESIZE];
453
gnutls_session_t session;
454
455
ret = init_gnutls_session (mc, &session);
456
if (ret != 0){
457
return -1;
458
}
459
382
460
383
if(debug){
461
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
462
"\n", ip, port);
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
385
ip, port);
463
386
}
464
387
465
388
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
470
393
471
394
if(debug){
472
395
if(if_indextoname((unsigned int)if_index, interface) == NULL){
473
perror("if_indextoname");
396
if(debug){
397
perror("if_indextoname");
398
}
474
399
return -1;
475
400
}
401
476
402
fprintf(stderr, "Binding to interface %s\n", interface);
477
403
}
478
404
479
memset(&to, 0, sizeof(to));
480
to.in6.sin6_family = AF_INET6;
481
/* It would be nice to have a way to detect if we were passed an
482
IPv4 address here. Now we assume an IPv6 address. */
483
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
405
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
484
408
if (ret < 0 ){
485
409
perror("inet_pton");
486
410
return -1;
487
}
411
}
488
412
if(ret == 0){
489
413
fprintf(stderr, "Bad address: %s\n", ip);
490
414
return -1;
491
415
}
492
to.in6.sin6_port = htons(port); /* Spurious warning */
416
to.sin6_port = htons(port); /* Spurious warning */
493
417
494
to.in6.sin6_scope_id = (uint32_t)if_index;
418
to.sin6_scope_id = (uint32_t)if_index;
495
419
496
420
if(debug){
497
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
498
port);
499
char addrstr[INET6_ADDRSTRLEN] = "";
500
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
501
sizeof(addrstr)) == NULL){
502
perror("inet_ntop");
503
} else {
504
if(strcmp(addrstr, ip) != 0){
505
fprintf(stderr, "Canonical address form: %s\n", addrstr);
506
}
507
}
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
508
430
}
509
431
510
ret = connect(tcp_sd, &to.in, sizeof(to));
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
511
433
if (ret < 0){
512
434
perror("connect");
513
435
return -1;
514
436
}
515
437
516
const char *out = mandos_protocol_version;
438
char *out = mandos_protocol_version;
517
439
written = 0;
518
440
while (true){
519
441
size_t out_size = strlen(out);
522
444
if (ret == -1){
523
445
perror("write");
524
446
retval = -1;
525
goto mandos_end;
447
goto end;
526
448
}
527
written += (size_t)ret;
449
written += ret;
528
450
if(written < out_size){
529
451
continue;
530
452
} else {
537
459
}
538
460
}
539
461
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
540
471
if(debug){
541
472
fprintf(stderr, "Establishing TLS session with %s\n", ip);
542
473
}
543
474
544
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
545
546
do{
547
ret = gnutls_handshake (session);
548
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
475
ret = gnutls_handshake (es.session);
549
476
550
477
if (ret != GNUTLS_E_SUCCESS){
551
478
if(debug){
552
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
479
fprintf(stderr, "\n*** Handshake failed ***\n");
553
480
gnutls_perror (ret);
554
481
}
555
482
retval = -1;
556
goto mandos_end;
483
goto exit;
557
484
}
558
485
559
/* Read OpenPGP packet that contains the wanted password */
486
//Retrieve OpenPGP packet that contains the wanted password
560
487
561
488
if(debug){
562
489
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
564
491
}
565
492
566
493
while(true){
567
buffer_capacity = adjustbuffer(&buffer, buffer_length,
568
buffer_capacity);
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
569
495
if (buffer_capacity == 0){
570
496
perror("adjustbuffer");
571
497
retval = -1;
572
goto mandos_end;
498
goto exit;
573
499
}
574
500
575
ret = gnutls_record_recv(session, buffer+buffer_length,
576
BUFFER_SIZE);
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
577
503
if (ret == 0){
578
504
break;
579
505
}
583
509
case GNUTLS_E_AGAIN:
584
510
break;
585
511
case GNUTLS_E_REHANDSHAKE:
586
do{
587
ret = gnutls_handshake (session);
588
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
512
ret = gnutls_handshake (es.session);
589
513
if (ret < 0){
590
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
514
fprintf(stderr, "\n*** Handshake failed ***\n");
591
515
gnutls_perror (ret);
592
516
retval = -1;
593
goto mandos_end;
517
goto exit;
594
518
}
595
519
break;
596
520
default:
597
521
fprintf(stderr, "Unknown error while reading data from"
598
" encrypted session with Mandos server\n");
522
" encrypted session with mandos server\n");
599
523
retval = -1;
600
gnutls_bye (session, GNUTLS_SHUT_RDWR);
601
goto mandos_end;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
602
526
}
603
527
} else {
604
528
buffer_length += (size_t) ret;
605
529
}
606
530
}
607
531
608
if(debug){
609
fprintf(stderr, "Closing TLS session\n");
610
}
611
612
gnutls_bye (session, GNUTLS_SHUT_RDWR);
613
614
532
if (buffer_length > 0){
615
533
decrypted_buffer_size = pgp_packet_decrypt(buffer,
616
534
buffer_length,
617
535
&decrypted_buffer,
618
keydir);
536
certdir);
619
537
if (decrypted_buffer_size >= 0){
620
538
written = 0;
621
539
while(written < (size_t) decrypted_buffer_size){
637
555
retval = -1;
638
556
}
639
557
}
640
641
/* Shutdown procedure */
642
643
mandos_end:
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
644
565
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
645
568
close(tcp_sd);
646
gnutls_deinit (session);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
647
572
return retval;
648
573
}
649
574
650
static void resolve_callback(AvahiSServiceResolver *r,
651
AvahiIfIndex interface,
652
AVAHI_GCC_UNUSED AvahiProtocol protocol,
653
AvahiResolverEvent event,
654
const char *name,
655
const char *type,
656
const char *domain,
657
const char *host_name,
658
const AvahiAddress *address,
659
uint16_t port,
660
AVAHI_GCC_UNUSED AvahiStringList *txt,
661
AVAHI_GCC_UNUSED AvahiLookupResultFlags
662
flags,
663
void* userdata) {
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
664
588
mandos_context *mc = userdata;
665
assert(r);
589
assert(r); /* Spurious warning */
666
590
667
591
/* Called whenever a service has been resolved successfully or
668
592
timed out */
670
594
switch (event) {
671
595
default:
672
596
case AVAHI_RESOLVER_FAILURE:
673
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
674
" of type '%s' in domain '%s': %s\n", name, type, domain,
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
675
599
avahi_strerror(avahi_server_errno(mc->server)));
676
600
break;
677
601
680
604
char ip[AVAHI_ADDRESS_STR_MAX];
681
605
avahi_address_snprint(ip, sizeof(ip), address);
682
606
if(debug){
683
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
684
PRIu16 ") on port %d\n", name, host_name, ip,
685
interface, port);
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
686
609
}
687
610
int ret = start_mandos_communication(ip, port, interface, mc);
688
611
if (ret == 0){
689
avahi_simple_poll_quit(mc->simple_poll);
612
exit(EXIT_SUCCESS);
690
613
}
691
614
}
692
615
}
700
623
const char *name,
701
624
const char *type,
702
625
const char *domain,
703
AVAHI_GCC_UNUSED AvahiLookupResultFlags
704
flags,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
705
627
void* userdata) {
706
628
mandos_context *mc = userdata;
707
assert(b);
629
assert(b); /* Spurious warning */
708
630
709
631
/* Called whenever a new services becomes available on the LAN or
710
632
is removed from the LAN */
712
634
switch (event) {
713
635
default:
714
636
case AVAHI_BROWSER_FAILURE:
715
716
fprintf(stderr, "(Avahi browser) %s\n",
637
638
fprintf(stderr, "(Browser) %s\n",
717
639
avahi_strerror(avahi_server_errno(mc->server)));
718
640
avahi_simple_poll_quit(mc->simple_poll);
719
641
return;
720
642
721
643
case AVAHI_BROWSER_NEW:
722
/* We ignore the returned Avahi resolver object. In the callback
723
function we free it. If the Avahi server is terminated before
724
the callback function is called the Avahi server will free the
725
resolver for us. */
726
727
if (!(avahi_s_service_resolver_new(mc->server, interface,
728
protocol, name, type, domain,
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
729
651
AVAHI_PROTO_INET6, 0,
730
652
resolve_callback, mc)))
731
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
732
name, avahi_strerror(avahi_server_errno(mc->server)));
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
733
655
break;
734
656
735
657
case AVAHI_BROWSER_REMOVE:
736
658
break;
737
659
738
660
case AVAHI_BROWSER_ALL_FOR_NOW:
739
661
case AVAHI_BROWSER_CACHE_EXHAUSTED:
740
if(debug){
741
fprintf(stderr, "No Mandos server found, still searching...\n");
742
}
743
662
break;
744
663
}
745
664
}
746
665
747
666
/* Combines file name and path and returns the malloced new
748
667
string. some sane checks could/should be added */
749
static char *combinepath(const char *first, const char *second){
750
char *tmp;
751
int ret = asprintf(&tmp, "%s/%s", first, second);
752
if(ret < 0){
668
static const char *combinepath(const char *first, const char *second){
669
size_t f_len = strlen(first);
670
size_t s_len = strlen(second);
671
char *tmp = malloc(f_len + s_len + 2);
672
if (tmp == NULL){
753
673
return NULL;
754
674
}
675
if(f_len > 0){
676
memcpy(tmp, first, f_len);
677
}
678
tmp[f_len] = '/';
679
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
681
}
682
tmp[f_len + 1 + s_len] = '\0';
755
683
return tmp;
756
684
}
757
685
758
686
759
int main(int argc, char *argv[]){
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
760
689
AvahiSServiceBrowser *sb = NULL;
761
690
int error;
762
691
int ret;
763
int exitcode = EXIT_SUCCESS;
692
int returncode = EXIT_SUCCESS;
764
693
const char *interface = "eth0";
765
694
struct ifreq network;
766
695
int sd;
767
uid_t uid;
768
gid_t gid;
769
696
char *connect_to = NULL;
770
697
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
771
char *pubkeyfilename = NULL;
772
char *seckeyfilename = NULL;
773
const char *pubkeyname = "pubkey.txt";
774
const char *seckeyname = "seckey.txt";
775
698
mandos_context mc = { .simple_poll = NULL, .server = NULL,
776
.dh_bits = 1024, .priority = "SECURE256"};
777
bool gnutls_initalized = false;
699
.dh_bits = 2048, .priority = "SECURE256"};
778
700
779
{
780
struct argp_option options[] = {
781
{ .name = "debug", .key = 128,
782
.doc = "Debug mode", .group = 3 },
783
{ .name = "connect", .key = 'c',
784
.arg = "IP",
785
.doc = "Connect directly to a sepcified mandos server",
786
.group = 1 },
787
{ .name = "interface", .key = 'i',
788
.arg = "INTERFACE",
789
.doc = "Interface that Avahi will conntect through",
790
.group = 1 },
791
{ .name = "keydir", .key = 'd',
792
.arg = "KEYDIR",
793
.doc = "Directory where the openpgp keyring is",
794
.group = 1 },
795
{ .name = "seckey", .key = 's',
796
.arg = "SECKEY",
797
.doc = "Secret openpgp key for gnutls authentication",
798
.group = 1 },
799
{ .name = "pubkey", .key = 'p',
800
.arg = "PUBKEY",
801
.doc = "Public openpgp key for gnutls authentication",
802
.group = 2 },
803
{ .name = "dh-bits", .key = 129,
804
.arg = "BITS",
805
.doc = "dh-bits to use in gnutls communication",
806
.group = 2 },
807
{ .name = "priority", .key = 130,
808
.arg = "PRIORITY",
809
.doc = "GNUTLS priority", .group = 1 },
810
{ .name = NULL }
811
};
812
813
814
error_t parse_opt (int key, char *arg,
815
struct argp_state *state) {
816
/* Get the INPUT argument from `argp_parse', which we know is
817
a pointer to our plugin list pointer. */
818
switch (key) {
819
case 128:
820
debug = true;
821
break;
822
case 'c':
823
connect_to = arg;
824
break;
825
case 'i':
826
interface = arg;
827
break;
828
case 'd':
829
keydir = arg;
830
break;
831
case 's':
832
seckeyname = arg;
833
break;
834
case 'p':
835
pubkeyname = arg;
836
break;
837
case 129:
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
838
742
errno = 0;
839
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
840
if (errno){
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
841
745
perror("strtol");
842
746
exit(EXIT_FAILURE);
843
747
}
844
break;
845
case 130:
846
mc.priority = arg;
847
break;
848
case ARGP_KEY_ARG:
849
argp_usage (state);
850
case ARGP_KEY_END:
851
break;
852
default:
853
return ARGP_ERR_UNKNOWN;
854
}
855
return 0;
856
}
857
858
struct argp argp = { .options = options, .parser = parse_opt,
859
.args_doc = "",
860
.doc = "Mandos client -- Get and decrypt"
861
" passwords from mandos server" };
862
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
863
if (ret == ARGP_ERR_UNKNOWN){
864
fprintf(stderr, "Unknown error while parsing arguments\n");
865
exitcode = EXIT_FAILURE;
866
goto end;
867
}
868
}
869
870
pubkeyfilename = combinepath(keydir, pubkeyname);
871
if (pubkeyfilename == NULL){
872
perror("combinepath");
873
exitcode = EXIT_FAILURE;
874
goto end;
875
}
876
877
seckeyfilename = combinepath(keydir, seckeyname);
878
if (seckeyfilename == NULL){
879
perror("combinepath");
880
exitcode = EXIT_FAILURE;
881
goto end;
882
}
883
884
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
885
if (ret == -1){
886
fprintf(stderr, "init_gnutls_global failed\n");
887
exitcode = EXIT_FAILURE;
888
goto end;
889
} else {
890
gnutls_initalized = true;
891
}
892
893
/* If the interface is down, bring it up */
894
{
895
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
896
if(sd < 0) {
897
perror("socket");
898
exitcode = EXIT_FAILURE;
899
goto end;
900
}
901
strcpy(network.ifr_name, interface);
902
ret = ioctl(sd, SIOCGIFFLAGS, &network);
903
if(ret == -1){
904
perror("ioctl SIOCGIFFLAGS");
905
exitcode = EXIT_FAILURE;
906
goto end;
907
}
908
if((network.ifr_flags & IFF_UP) == 0){
909
network.ifr_flags |= IFF_UP;
910
ret = ioctl(sd, SIOCSIFFLAGS, &network);
911
if(ret == -1){
912
perror("ioctl SIOCSIFFLAGS");
913
exitcode = EXIT_FAILURE;
914
goto end;
915
}
916
}
917
close(sd);
918
}
919
920
uid = getuid();
921
gid = getgid();
922
923
ret = setuid(uid);
924
if (ret == -1){
925
perror("setuid");
926
}
927
928
setgid(gid);
929
if (ret == -1){
930
perror("setgid");
748
mc.dh_bits = tmp;
749
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
931
771
}
932
772
933
773
if_index = (AvahiIfIndex) if_nametoindex(interface);
942
782
char *address = strrchr(connect_to, ':');
943
783
if(address == NULL){
944
784
fprintf(stderr, "No colon in address\n");
945
exitcode = EXIT_FAILURE;
946
goto end;
785
exit(EXIT_FAILURE);
947
786
}
948
787
errno = 0;
949
788
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
950
789
if(errno){
951
790
perror("Bad port number");
952
exitcode = EXIT_FAILURE;
953
goto end;
791
exit(EXIT_FAILURE);
954
792
}
955
793
*address = '\0';
956
794
address = connect_to;
957
ret = start_mandos_communication(address, port, if_index, &mc);
795
ret = start_mandos_communication(address, port, if_index);
958
796
if(ret < 0){
959
exitcode = EXIT_FAILURE;
797
exit(EXIT_FAILURE);
960
798
} else {
961
exitcode = EXIT_SUCCESS;
962
}
963
goto end;
964
}
799
exit(EXIT_SUCCESS);
800
}
801
}
802
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
825
}
826
close(sd);
965
827
966
828
if (not debug){
967
829
avahi_set_log_function(empty_log);
968
830
}
969
831
970
/* Initialize the pseudo-RNG for Avahi */
832
/* Initialize the psuedo-RNG */
971
833
srand((unsigned int) time(NULL));
972
973
/* Allocate main Avahi loop object */
974
mc.simple_poll = avahi_simple_poll_new();
975
if (mc.simple_poll == NULL) {
976
fprintf(stderr, "Avahi: Failed to create simple poll"
977
" object.\n");
978
exitcode = EXIT_FAILURE;
979
goto end;
980
}
981
982
{
983
AvahiServerConfig config;
984
/* Do not publish any local Zeroconf records */
985
avahi_server_config_init(&config);
986
config.publish_hinfo = 0;
987
config.publish_addresses = 0;
988
config.publish_workstation = 0;
989
config.publish_domain = 0;
990
991
/* Allocate a new server */
992
mc.server = avahi_server_new(avahi_simple_poll_get
993
(mc.simple_poll), &config, NULL,
994
NULL, &error);
995
996
/* Free the Avahi configuration data */
997
avahi_server_config_free(&config);
998
}
999
1000
/* Check if creating the Avahi server object succeeded */
1001
if (mc.server == NULL) {
1002
fprintf(stderr, "Failed to create Avahi server: %s\n",
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
1003
859
avahi_strerror(error));
1004
exitcode = EXIT_FAILURE;
1005
goto end;
860
returncode = EXIT_FAILURE;
861
goto exit;
1006
862
}
1007
863
1008
/* Create the Avahi service browser */
864
/* Create the service browser */
1009
865
sb = avahi_s_service_browser_new(mc.server, if_index,
1010
866
AVAHI_PROTO_INET6,
1011
867
"_mandos._tcp", NULL, 0,
1012
868
browse_callback, &mc);
1013
if (sb == NULL) {
869
if (!sb) {
1014
870
fprintf(stderr, "Failed to create service browser: %s\n",
1015
871
avahi_strerror(avahi_server_errno(mc.server)));
1016
exitcode = EXIT_FAILURE;
1017
goto end;
872
returncode = EXIT_FAILURE;
873
goto exit;
1018
874
}
1019
875
1020
876
/* Run the main loop */
1021
877
1022
878
if (debug){
1023
fprintf(stderr, "Starting Avahi loop search\n");
879
fprintf(stderr, "Starting avahi loop search\n");
1024
880
}
1025
881
1026
avahi_simple_poll_loop(mc.simple_poll);
882
avahi_simple_poll_loop(simple_poll);
1027
883
1028
end:
884
exit:
1029
885
1030
886
if (debug){
1031
887
fprintf(stderr, "%s exiting\n", argv[0]);
1032
888
}
1033
889
1034
890
/* Cleanup things */
1035
if (sb != NULL)
891
if (sb)
1036
892
avahi_s_service_browser_free(sb);
1037
893
1038
if (mc.server != NULL)
894
if (mc.server)
1039
895
avahi_server_free(mc.server);
1040
896
1041
if (mc.simple_poll != NULL)
1042
avahi_simple_poll_free(mc.simple_poll);
1043
free(pubkeyfilename);
1044
free(seckeyfilename);
1045
1046
if (gnutls_initalized){
1047
gnutls_certificate_free_credentials(mc.cred);
1048
gnutls_global_deinit ();
1049
}
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1050
901
1051
return exitcode;
902
return returncode;
1052
903
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0