246
void debuggnutls(__attribute__((unused)) int level,
248
fprintf(stderr, "%s", string);
281
/* GnuTLS log function callback */
282
static void debuggnutls(__attribute__((unused)) int level,
284
fprintf(stderr, "GnuTLS: %s", string);
251
int initgnutls(encrypted_session *es){
287
static int init_gnutls_global(mandos_context *mc,
288
const char *pubkeyfile,
289
const char *seckeyfile){
256
293
fprintf(stderr, "Initializing GnuTLS\n");
259
296
if ((ret = gnutls_global_init ())
260
297
!= GNUTLS_E_SUCCESS) {
261
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
298
fprintf (stderr, "GnuTLS global_init: %s\n",
299
safer_gnutls_strerror(ret));
304
/* "Use a log level over 10 to enable all debugging options."
266
307
gnutls_global_set_log_level(11);
267
308
gnutls_global_set_log_function(debuggnutls);
270
/* openpgp credentials */
271
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
311
/* OpenPGP credentials */
312
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
272
313
!= GNUTLS_E_SUCCESS) {
273
fprintf (stderr, "memory error: %s\n",
314
fprintf (stderr, "GnuTLS memory error: %s\n",
274
315
safer_gnutls_strerror(ret));
279
320
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
280
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
321
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
284
325
ret = gnutls_certificate_set_openpgp_key_file
285
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
326
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
286
327
if (ret != GNUTLS_E_SUCCESS) {
288
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
290
ret, CERTFILE, KEYFILE);
291
fprintf(stdout, "The Error is: %s\n",
329
"Error[%d] while reading the OpenPGP key pair ('%s',"
330
" '%s')\n", ret, pubkeyfile, seckeyfile);
331
fprintf(stdout, "The GnuTLS error is: %s\n",
292
332
safer_gnutls_strerror(ret));
296
//GnuTLS server initialization
297
if ((ret = gnutls_dh_params_init (&es->dh_params))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "Error in dh parameter initialization: %s\n",
300
safer_gnutls_strerror(ret));
304
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in prime generation: %s\n",
307
safer_gnutls_strerror(ret));
311
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
313
// GnuTLS session creation
314
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
315
!= GNUTLS_E_SUCCESS){
336
/* GnuTLS server initialization */
337
ret = gnutls_dh_params_init(&mc->dh_params);
338
if (ret != GNUTLS_E_SUCCESS) {
339
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
340
" %s\n", safer_gnutls_strerror(ret));
343
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
346
safer_gnutls_strerror(ret));
350
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
/* GnuTLS session creation */
358
ret = gnutls_init(session, GNUTLS_SERVER);
359
if (ret != GNUTLS_E_SUCCESS){
316
360
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
317
361
safer_gnutls_strerror(ret));
320
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
321
!= GNUTLS_E_SUCCESS) {
322
fprintf(stderr, "Syntax error at: %s\n", err);
323
fprintf(stderr, "GnuTLS error: %s\n",
324
safer_gnutls_strerror(ret));
366
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf(stderr, "Syntax error at: %s\n", err);
369
fprintf(stderr, "GnuTLS error: %s\n",
370
safer_gnutls_strerror(ret));
328
if ((ret = gnutls_credentials_set
329
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf(stderr, "Error setting a credentials set: %s\n",
375
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
332
379
safer_gnutls_strerror(ret));
336
383
/* ignore client certificate if any. */
337
gnutls_certificate_server_set_request (es->session,
384
gnutls_certificate_server_set_request (*session,
338
385
GNUTLS_CERT_IGNORE);
340
gnutls_dh_set_prime_bits (es->session, DH_BITS);
387
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
345
void empty_log(__attribute__((unused)) AvahiLogLevel level,
346
__attribute__((unused)) const char *txt){}
392
/* Avahi log function callback */
393
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
394
__attribute__((unused)) const char *txt){}
348
int start_mandos_communication(char *ip, uint16_t port,
349
unsigned int if_index){
396
/* Called when a Mandos server is found */
397
static int start_mandos_communication(const char *ip, uint16_t port,
398
AvahiIfIndex if_index,
351
401
struct sockaddr_in6 to;
352
encrypted_session es;
353
402
char *buffer = NULL;
354
403
char *decrypted_buffer;
355
404
size_t buffer_length = 0;
356
405
size_t buffer_capacity = 0;
357
406
ssize_t decrypted_buffer_size;
359
409
char interface[IF_NAMESIZE];
410
gnutls_session_t session;
411
gnutls_dh_params_t dh_params;
413
ret = init_gnutls_session (mc, &session);
362
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
419
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
365
423
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
502
decrypted_buffer += ret;
503
decrypted_buffer_size -= ret;
585
written += (size_t)ret;
505
587
free(decrypted_buffer);
514
fprintf(stderr, "Closing TLS session\n");
593
/* Shutdown procedure */
518
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
521
gnutls_deinit (es.session);
522
gnutls_certificate_free_credentials (es.cred);
598
gnutls_deinit (session);
599
gnutls_certificate_free_credentials (mc->cred);
523
600
gnutls_global_deinit ();
527
static AvahiSimplePoll *simple_poll = NULL;
528
static AvahiServer *server = NULL;
530
static void resolve_callback(
531
AvahiSServiceResolver *r,
532
AVAHI_GCC_UNUSED AvahiIfIndex interface,
533
AVAHI_GCC_UNUSED AvahiProtocol protocol,
534
AvahiResolverEvent event,
538
const char *host_name,
539
const AvahiAddress *address,
541
AVAHI_GCC_UNUSED AvahiStringList *txt,
542
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
543
AVAHI_GCC_UNUSED void* userdata) {
604
static void resolve_callback(AvahiSServiceResolver *r,
605
AvahiIfIndex interface,
606
AVAHI_GCC_UNUSED AvahiProtocol protocol,
607
AvahiResolverEvent event,
611
const char *host_name,
612
const AvahiAddress *address,
614
AVAHI_GCC_UNUSED AvahiStringList *txt,
615
AVAHI_GCC_UNUSED AvahiLookupResultFlags
618
mandos_context *mc = userdata;
619
assert(r); /* Spurious warning */
547
621
/* Called whenever a service has been resolved successfully or
552
626
case AVAHI_RESOLVER_FAILURE:
553
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
554
" type '%s' in domain '%s': %s\n", name, type, domain,
555
avahi_strerror(avahi_server_errno(server)));
627
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
628
" of type '%s' in domain '%s': %s\n", name, type, domain,
629
avahi_strerror(avahi_server_errno(mc->server)));
558
632
case AVAHI_RESOLVER_FOUND:
560
634
char ip[AVAHI_ADDRESS_STR_MAX];
561
635
avahi_address_snprint(ip, sizeof(ip), address);
563
fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",
564
host_name, ip, port);
637
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
638
" port %d\n", name, host_name, ip, interface, port);
566
int ret = start_mandos_communication(ip, port,
640
int ret = start_mandos_communication(ip, port, interface, mc);
570
642
exit(EXIT_SUCCESS);
576
646
avahi_s_service_resolver_free(r);
579
static void browse_callback(
580
AvahiSServiceBrowser *b,
581
AvahiIfIndex interface,
582
AvahiProtocol protocol,
583
AvahiBrowserEvent event,
587
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
AvahiServer *s = userdata;
593
/* Called whenever a new services becomes available on the LAN or
594
is removed from the LAN */
598
case AVAHI_BROWSER_FAILURE:
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(server)));
602
avahi_simple_poll_quit(simple_poll);
605
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
611
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, s)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(s)));
619
case AVAHI_BROWSER_REMOVE:
622
case AVAHI_BROWSER_ALL_FOR_NOW:
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
649
static void browse_callback( AvahiSServiceBrowser *b,
650
AvahiIfIndex interface,
651
AvahiProtocol protocol,
652
AvahiBrowserEvent event,
656
AVAHI_GCC_UNUSED AvahiLookupResultFlags
659
mandos_context *mc = userdata;
660
assert(b); /* Spurious warning */
662
/* Called whenever a new services becomes available on the LAN or
663
is removed from the LAN */
667
case AVAHI_BROWSER_FAILURE:
669
fprintf(stderr, "(Avahi browser) %s\n",
670
avahi_strerror(avahi_server_errno(mc->server)));
671
avahi_simple_poll_quit(mc->simple_poll);
674
case AVAHI_BROWSER_NEW:
675
/* We ignore the returned Avahi resolver object. In the callback
676
function we free it. If the Avahi server is terminated before
677
the callback function is called the Avahi server will free the
680
if (!(avahi_s_service_resolver_new(mc->server, interface,
681
protocol, name, type, domain,
682
AVAHI_PROTO_INET6, 0,
683
resolve_callback, mc)))
684
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
685
name, avahi_strerror(avahi_server_errno(mc->server)));
688
case AVAHI_BROWSER_REMOVE:
691
case AVAHI_BROWSER_ALL_FOR_NOW:
692
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
fprintf(stderr, "No Mandos server found, still searching...\n");
628
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
629
AvahiServerConfig config;
700
/* Combines file name and path and returns the malloced new
701
string. some sane checks could/should be added */
702
static const char *combinepath(const char *first, const char *second){
703
size_t f_len = strlen(first);
704
size_t s_len = strlen(second);
705
char *tmp = malloc(f_len + s_len + 2);
710
memcpy(tmp, first, f_len); /* Spurious warning */
714
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
716
tmp[f_len + 1 + s_len] = '\0';
721
int main(int argc, char *argv[]){
630
722
AvahiSServiceBrowser *sb = NULL;
633
int returncode = EXIT_SUCCESS;
725
int exitcode = EXIT_SUCCESS;
634
726
const char *interface = "eth0";
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"interface", required_argument, 0, 'i'},
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
727
struct ifreq network;
731
char *connect_to = NULL;
732
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
733
const char *pubkeyfile = "pubkey.txt";
734
const char *seckeyfile = "seckey.txt";
735
mandos_context mc = { .simple_poll = NULL, .server = NULL,
736
.dh_bits = 1024, .priority = "SECURE256"};
739
struct argp_option options[] = {
740
{ .name = "debug", .key = 128,
741
.doc = "Debug mode", .group = 3 },
742
{ .name = "connect", .key = 'c',
744
.doc = "Connect directly to a sepcified mandos server", .group = 1 },
745
{ .name = "interface", .key = 'i',
747
.doc = "Interface that Avahi will conntect through", .group = 1 },
748
{ .name = "keydir", .key = 'd',
750
.doc = "Directory where the openpgp keyring is", .group = 1 },
751
{ .name = "seckey", .key = 's',
753
.doc = "Secret openpgp key for gnutls authentication", .group = 1 },
754
{ .name = "pubkey", .key = 'p',
756
.doc = "Public openpgp key for gnutls authentication", .group = 2 },
757
{ .name = "dh-bits", .key = 129,
759
.doc = "dh-bits to use in gnutls communication", .group = 2 },
760
{ .name = "priority", .key = 130,
762
.doc = "GNUTLS priority", .group = 1 },
767
error_t parse_opt (int key, char *arg, struct argp_state *state) {
768
/* Get the INPUT argument from `argp_parse', which we know is a
769
pointer to our plugin list pointer. */
791
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
806
return ARGP_ERR_UNKNOWN;
811
struct argp argp = { .options = options, .parser = parse_opt,
813
.doc = "Mandos client -- Get and decrypt passwords from mandos server" };
814
argp_parse (&argp, argc, argv, 0, 0, NULL);
817
pubkeyfile = combinepath(keydir, pubkeyfile);
818
if (pubkeyfile == NULL){
819
perror("combinepath");
820
exitcode = EXIT_FAILURE;
824
seckeyfile = combinepath(keydir, seckeyfile);
825
if (seckeyfile == NULL){
826
perror("combinepath");
830
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
832
fprintf(stderr, "init_gnutls_global\n");
849
if_index = (AvahiIfIndex) if_nametoindex(interface);
851
fprintf(stderr, "No such interface: \"%s\"\n", interface);
855
if(connect_to != NULL){
856
/* Connect directly, do not use Zeroconf */
857
/* (Mainly meant for debugging) */
858
char *address = strrchr(connect_to, ':');
860
fprintf(stderr, "No colon in address\n");
861
exitcode = EXIT_FAILURE;
865
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
867
perror("Bad port number");
868
exitcode = EXIT_FAILURE;
872
address = connect_to;
873
ret = start_mandos_communication(address, port, if_index, &mc);
875
exitcode = EXIT_FAILURE;
877
exitcode = EXIT_SUCCESS;
882
/* If the interface is down, bring it up */
884
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
887
exitcode = EXIT_FAILURE;
890
strcpy(network.ifr_name, interface); /* Spurious warning */
891
ret = ioctl(sd, SIOCGIFFLAGS, &network);
893
perror("ioctl SIOCGIFFLAGS");
894
exitcode = EXIT_FAILURE;
897
if((network.ifr_flags & IFF_UP) == 0){
898
network.ifr_flags |= IFF_UP;
899
ret = ioctl(sd, SIOCSIFFLAGS, &network);
901
perror("ioctl SIOCSIFFLAGS");
902
exitcode = EXIT_FAILURE;
662
910
avahi_set_log_function(empty_log);
665
/* Initialize the psuedo-RNG */
913
/* Initialize the pseudo-RNG for Avahi */
666
914
srand((unsigned int) time(NULL));
668
/* Allocate main loop object */
669
if (!(simple_poll = avahi_simple_poll_new())) {
670
fprintf(stderr, "Failed to create simple poll object.\n");
675
/* Do not publish any local records */
676
avahi_server_config_init(&config);
677
config.publish_hinfo = 0;
678
config.publish_addresses = 0;
679
config.publish_workstation = 0;
680
config.publish_domain = 0;
682
/* Allocate a new server */
683
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
684
&config, NULL, NULL, &error);
686
/* Free the configuration data */
687
avahi_server_config_free(&config);
689
/* Check if creating the server object succeeded */
691
fprintf(stderr, "Failed to create server: %s\n",
916
/* Allocate main Avahi loop object */
917
mc.simple_poll = avahi_simple_poll_new();
918
if (mc.simple_poll == NULL) {
919
fprintf(stderr, "Avahi: Failed to create simple poll"
921
exitcode = EXIT_FAILURE;
926
AvahiServerConfig config;
927
/* Do not publish any local Zeroconf records */
928
avahi_server_config_init(&config);
929
config.publish_hinfo = 0;
930
config.publish_addresses = 0;
931
config.publish_workstation = 0;
932
config.publish_domain = 0;
934
/* Allocate a new server */
935
mc.server = avahi_server_new(avahi_simple_poll_get
936
(mc.simple_poll), &config, NULL,
939
/* Free the Avahi configuration data */
940
avahi_server_config_free(&config);
943
/* Check if creating the Avahi server object succeeded */
944
if (mc.server == NULL) {
945
fprintf(stderr, "Failed to create Avahi server: %s\n",
692
946
avahi_strerror(error));
693
returncode = EXIT_FAILURE;
947
exitcode = EXIT_FAILURE;
697
/* Create the service browser */
698
sb = avahi_s_service_browser_new(server,
700
if_nametoindex(interface),
951
/* Create the Avahi service browser */
952
sb = avahi_s_service_browser_new(mc.server, if_index,
701
953
AVAHI_PROTO_INET6,
702
954
"_mandos._tcp", NULL, 0,
703
browse_callback, server);
955
browse_callback, &mc);
705
957
fprintf(stderr, "Failed to create service browser: %s\n",
706
avahi_strerror(avahi_server_errno(server)));
707
returncode = EXIT_FAILURE;
958
avahi_strerror(avahi_server_errno(mc.server)));
959
exitcode = EXIT_FAILURE;
711
963
/* Run the main loop */
714
fprintf(stderr, "Starting avahi loop search\n");
966
fprintf(stderr, "Starting Avahi loop search\n");
717
avahi_simple_poll_loop(simple_poll);
969
avahi_simple_poll_loop(mc.simple_poll);
722
974
fprintf(stderr, "%s exiting\n", argv[0]);
725
977
/* Cleanup things */
727
979
avahi_s_service_browser_free(sb);
730
avahi_server_free(server);
733
avahi_simple_poll_free(simple_poll);
981
if (mc.server != NULL)
982
avahi_server_free(mc.server);
984
if (mc.simple_poll != NULL)
985
avahi_simple_poll_free(mc.simple_poll);