To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.15
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.15
- Committer: Björn Påhlsson
- Date: 2008-08-04 15:50:45 UTC
- mfrom: (41 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 42.
- Revision ID: belorn@braxen-20080804155045-gnodwjn34v0a2vhr
merge
- files added:
- server.conf
- files renamed:
- mandos-clients.conf => clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
13
*
14
14
* This program is free software: you can redistribute it and/or
15
15
* modify it under the terms of the GNU General Public License as
25
25
* along with this program. If not, see
26
26
* <http://www.gnu.org/licenses/>.
27
27
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
28
* Contact the authors at <mandos@fukt.bsnet.se>.
30
29
*/
31
30
32
#define _FORTIFY_SOURCE 2
33
31
/* Needed by GPGME, specifically gpgme_data_seek() */
34
32
#define _LARGEFILE_SOURCE
35
33
#define _FILE_OFFSET_BITS 64
36
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
37
#include <stdio.h>
38
38
#include <assert.h>
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
42
46
43
47
#include <avahi-core/core.h>
44
48
#include <avahi-core/lookup.h>
47
51
#include <avahi-common/malloc.h>
48
52
#include <avahi-common/error.h>
49
53
50
//mandos client part
51
#include <sys/types.h> /* socket(), setsockopt(),
52
inet_pton() */
53
#include <sys/socket.h> /* socket(), setsockopt(),
54
struct sockaddr_in6,
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
57
struct in6_addr, inet_pton() */
56
58
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
59
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
62
64
#include <string.h> /* memset */
63
65
#include <arpa/inet.h> /* inet_pton() */
64
66
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
67
72
#include <errno.h> /* perror() */
68
73
#include <gpgme.h>
69
74
70
// getopt long
71
#include <getopt.h>
72
73
#ifndef CERT_ROOT
74
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
75
#endif
76
#define CERTFILE CERT_ROOT "openpgp-client.txt"
77
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
78
75
#define BUFFER_SIZE 256
79
#define DH_BITS 1024
80
76
81
77
bool debug = false;
78
const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
const char mandos_protocol_version[] = "1";
82
82
83
/* Used for passing in values through all the callback functions */
83
84
typedef struct {
84
gnutls_session_t session;
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
85
87
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
86
89
gnutls_dh_params_t dh_params;
87
} encrypted_session;
88
89
90
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
91
char **new_packet, const char *homedir){
90
const char *priority;
91
} mandos_context;
92
93
size_t adjustbuffer(char **buffer, size_t buffer_length,
94
size_t buffer_capacity){
95
if (buffer_length + BUFFER_SIZE > buffer_capacity){
96
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
97
if (buffer == NULL){
98
return 0;
99
}
100
buffer_capacity += BUFFER_SIZE;
101
}
102
return buffer_capacity;
103
}
104
105
/*
106
* Decrypt OpenPGP data using keyrings in HOMEDIR.
107
* Returns -1 on error
108
*/
109
static ssize_t pgp_packet_decrypt (const char *cryptotext,
110
size_t crypto_size,
111
char **plaintext,
112
const char *homedir){
92
113
gpgme_data_t dh_crypto, dh_plain;
93
114
gpgme_ctx_t ctx;
94
115
gpgme_error_t rc;
95
116
ssize_t ret;
96
ssize_t new_packet_capacity = 0;
97
ssize_t new_packet_length = 0;
117
size_t plaintext_capacity = 0;
118
ssize_t plaintext_length = 0;
98
119
gpgme_engine_info_t engine_info;
99
120
100
121
if (debug){
101
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
122
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
102
123
}
103
124
104
125
/* Init GPGME */
105
126
gpgme_check_version(NULL);
106
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
127
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
128
if (rc != GPG_ERR_NO_ERROR){
129
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
130
gpgme_strsource(rc), gpgme_strerror(rc));
131
return -1;
132
}
107
133
108
/* Set GPGME home directory */
134
/* Set GPGME home directory for the OpenPGP engine only */
109
135
rc = gpgme_get_engine_info (&engine_info);
110
136
if (rc != GPG_ERR_NO_ERROR){
111
137
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
121
147
engine_info = engine_info->next;
122
148
}
123
149
if(engine_info == NULL){
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
150
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
125
151
return -1;
126
152
}
127
153
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
154
/* Create new GPGME data buffer from memory cryptotext */
155
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
156
0);
130
157
if (rc != GPG_ERR_NO_ERROR){
131
158
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
132
159
gpgme_strsource(rc), gpgme_strerror(rc));
138
165
if (rc != GPG_ERR_NO_ERROR){
139
166
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
140
167
gpgme_strsource(rc), gpgme_strerror(rc));
168
gpgme_data_release(dh_crypto);
141
169
return -1;
142
170
}
143
171
146
174
if (rc != GPG_ERR_NO_ERROR){
147
175
fprintf(stderr, "bad gpgme_new: %s: %s\n",
148
176
gpgme_strsource(rc), gpgme_strerror(rc));
149
return -1;
177
plaintext_length = -1;
178
goto decrypt_end;
150
179
}
151
180
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
181
/* Decrypt data from the cryptotext data buffer to the plaintext
182
data buffer */
154
183
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
155
184
if (rc != GPG_ERR_NO_ERROR){
156
185
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
157
186
gpgme_strsource(rc), gpgme_strerror(rc));
158
return -1;
187
plaintext_length = -1;
188
goto decrypt_end;
159
189
}
160
190
161
191
if(debug){
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
192
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
163
193
}
164
194
165
195
if (debug){
166
196
gpgme_decrypt_result_t result;
167
197
result = gpgme_op_decrypt_result(ctx);
191
221
}
192
222
}
193
223
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
196
197
224
/* Seek back to the beginning of the GPGME plaintext data buffer */
198
gpgme_data_seek(dh_plain, 0, SEEK_SET);
199
200
*new_packet = 0;
225
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
226
perror("pgpme_data_seek");
227
plaintext_length = -1;
228
goto decrypt_end;
229
}
230
231
*plaintext = NULL;
201
232
while(true){
202
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
203
*new_packet = realloc(*new_packet,
204
(unsigned int)new_packet_capacity
205
+ BUFFER_SIZE);
206
if (*new_packet == NULL){
207
perror("realloc");
208
return -1;
209
}
210
new_packet_capacity += BUFFER_SIZE;
233
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
234
plaintext_capacity);
235
if (plaintext_capacity == 0){
236
perror("adjustbuffer");
237
plaintext_length = -1;
238
goto decrypt_end;
211
239
}
212
240
213
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
241
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
214
242
BUFFER_SIZE);
215
243
/* Print the data, if any */
216
244
if (ret == 0){
245
/* EOF */
217
246
break;
218
247
}
219
248
if(ret < 0){
220
249
perror("gpgme_data_read");
221
return -1;
250
plaintext_length = -1;
251
goto decrypt_end;
222
252
}
223
new_packet_length += ret;
253
plaintext_length += ret;
224
254
}
225
255
226
/* FIXME: check characters before printing to screen so to not print
227
terminal control characters */
228
/* if(debug){ */
229
/* fprintf(stderr, "decrypted password is: "); */
230
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
231
/* fprintf(stderr, "\n"); */
232
/* } */
256
if(debug){
257
fprintf(stderr, "Decrypted password is: ");
258
for(ssize_t i = 0; i < plaintext_length; i++){
259
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
260
}
261
fprintf(stderr, "\n");
262
}
263
264
decrypt_end:
265
266
/* Delete the GPGME cryptotext data buffer */
267
gpgme_data_release(dh_crypto);
233
268
234
269
/* Delete the GPGME plaintext data buffer */
235
270
gpgme_data_release(dh_plain);
236
return new_packet_length;
271
return plaintext_length;
237
272
}
238
273
239
274
static const char * safer_gnutls_strerror (int value) {
243
278
return ret;
244
279
}
245
280
246
void debuggnutls(__attribute__((unused)) int level,
247
const char* string){
248
fprintf(stderr, "%s", string);
281
/* GnuTLS log function callback */
282
static void debuggnutls(__attribute__((unused)) int level,
283
const char* string){
284
fprintf(stderr, "GnuTLS: %s", string);
249
285
}
250
286
251
int initgnutls(encrypted_session *es){
252
const char *err;
287
static int init_gnutls_global(mandos_context *mc,
288
const char *pubkeyfile,
289
const char *seckeyfile){
253
290
int ret;
254
291
255
292
if(debug){
256
293
fprintf(stderr, "Initializing GnuTLS\n");
257
294
}
258
295
259
296
if ((ret = gnutls_global_init ())
260
297
!= GNUTLS_E_SUCCESS) {
261
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
298
fprintf (stderr, "GnuTLS global_init: %s\n",
299
safer_gnutls_strerror(ret));
262
300
return -1;
263
301
}
264
302
265
303
if (debug){
304
/* "Use a log level over 10 to enable all debugging options."
305
* - GnuTLS manual
306
*/
266
307
gnutls_global_set_log_level(11);
267
308
gnutls_global_set_log_function(debuggnutls);
268
309
}
269
310
270
/* openpgp credentials */
271
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
311
/* OpenPGP credentials */
312
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
272
313
!= GNUTLS_E_SUCCESS) {
273
fprintf (stderr, "memory error: %s\n",
314
fprintf (stderr, "GnuTLS memory error: %s\n",
274
315
safer_gnutls_strerror(ret));
275
316
return -1;
276
317
}
277
318
278
319
if(debug){
279
320
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
280
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
281
KEYFILE);
321
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
322
seckeyfile);
282
323
}
283
324
284
325
ret = gnutls_certificate_set_openpgp_key_file
285
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
326
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
286
327
if (ret != GNUTLS_E_SUCCESS) {
287
fprintf
288
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
289
" '%s')\n",
290
ret, CERTFILE, KEYFILE);
291
fprintf(stdout, "The Error is: %s\n",
328
fprintf(stderr,
329
"Error[%d] while reading the OpenPGP key pair ('%s',"
330
" '%s')\n", ret, pubkeyfile, seckeyfile);
331
fprintf(stdout, "The GnuTLS error is: %s\n",
292
332
safer_gnutls_strerror(ret));
293
333
return -1;
294
334
}
295
335
296
//GnuTLS server initialization
297
if ((ret = gnutls_dh_params_init (&es->dh_params))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "Error in dh parameter initialization: %s\n",
300
safer_gnutls_strerror(ret));
301
return -1;
302
}
303
304
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in prime generation: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
312
313
// GnuTLS session creation
314
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
315
!= GNUTLS_E_SUCCESS){
336
/* GnuTLS server initialization */
337
ret = gnutls_dh_params_init(&mc->dh_params);
338
if (ret != GNUTLS_E_SUCCESS) {
339
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
340
" %s\n", safer_gnutls_strerror(ret));
341
return -1;
342
}
343
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
346
safer_gnutls_strerror(ret));
347
return -1;
348
}
349
350
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
351
352
return 0;
353
}
354
355
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
356
int ret;
357
/* GnuTLS session creation */
358
ret = gnutls_init(session, GNUTLS_SERVER);
359
if (ret != GNUTLS_E_SUCCESS){
316
360
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
317
361
safer_gnutls_strerror(ret));
318
362
}
319
363
320
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
321
!= GNUTLS_E_SUCCESS) {
322
fprintf(stderr, "Syntax error at: %s\n", err);
323
fprintf(stderr, "GnuTLS error: %s\n",
324
safer_gnutls_strerror(ret));
325
return -1;
364
{
365
const char *err;
366
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf(stderr, "Syntax error at: %s\n", err);
369
fprintf(stderr, "GnuTLS error: %s\n",
370
safer_gnutls_strerror(ret));
371
return -1;
372
}
326
373
}
327
374
328
if ((ret = gnutls_credentials_set
329
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf(stderr, "Error setting a credentials set: %s\n",
375
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
376
mc->cred);
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
332
379
safer_gnutls_strerror(ret));
333
380
return -1;
334
381
}
335
382
336
383
/* ignore client certificate if any. */
337
gnutls_certificate_server_set_request (es->session,
384
gnutls_certificate_server_set_request (*session,
338
385
GNUTLS_CERT_IGNORE);
339
386
340
gnutls_dh_set_prime_bits (es->session, DH_BITS);
387
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
341
388
342
389
return 0;
343
390
}
344
391
345
void empty_log(__attribute__((unused)) AvahiLogLevel level,
346
__attribute__((unused)) const char *txt){}
392
/* Avahi log function callback */
393
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
394
__attribute__((unused)) const char *txt){}
347
395
348
int start_mandos_communication(char *ip, uint16_t port,
349
unsigned int if_index){
396
/* Called when a Mandos server is found */
397
static int start_mandos_communication(const char *ip, uint16_t port,
398
AvahiIfIndex if_index,
399
mandos_context *mc){
350
400
int ret, tcp_sd;
351
401
struct sockaddr_in6 to;
352
encrypted_session es;
353
402
char *buffer = NULL;
354
403
char *decrypted_buffer;
355
404
size_t buffer_length = 0;
356
405
size_t buffer_capacity = 0;
357
406
ssize_t decrypted_buffer_size;
407
size_t written;
358
408
int retval = 0;
359
409
char interface[IF_NAMESIZE];
410
gnutls_session_t session;
411
gnutls_dh_params_t dh_params;
412
413
ret = init_gnutls_session (mc, &session);
414
if (ret != 0){
415
return -1;
416
}
360
417
361
418
if(debug){
362
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
419
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
420
ip, port);
363
421
}
364
422
365
423
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
367
425
perror("socket");
368
426
return -1;
369
427
}
370
371
if(if_indextoname(if_index, interface) == NULL){
372
if(debug){
428
429
if(debug){
430
if(if_indextoname((unsigned int)if_index, interface) == NULL){
373
431
perror("if_indextoname");
432
return -1;
374
433
}
375
return -1;
376
}
377
378
if(debug){
379
434
fprintf(stderr, "Binding to interface %s\n", interface);
380
435
}
381
436
382
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
383
if(ret < 0) {
384
perror("setsockopt bindtodevice");
385
return -1;
386
}
387
388
memset(&to,0,sizeof(to));
437
memset(&to,0,sizeof(to)); /* Spurious warning */
389
438
to.sin6_family = AF_INET6;
439
/* It would be nice to have a way to detect if we were passed an
440
IPv4 address here. Now we assume an IPv6 address. */
390
441
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
391
442
if (ret < 0 ){
392
443
perror("inet_pton");
393
444
return -1;
394
}
445
}
395
446
if(ret == 0){
396
447
fprintf(stderr, "Bad address: %s\n", ip);
397
448
return -1;
398
449
}
399
/* Spurious warnings for the next line, see for instance
400
<http://bugs.debian.org/488884> */
401
to.sin6_port = htons(port);
450
to.sin6_port = htons(port); /* Spurious warning */
402
451
403
452
to.sin6_scope_id = (uint32_t)if_index;
404
453
405
454
if(debug){
406
fprintf(stderr, "Connection to: %s\n", ip);
455
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
456
char addrstr[INET6_ADDRSTRLEN] = "";
457
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
458
sizeof(addrstr)) == NULL){
459
perror("inet_ntop");
460
} else {
461
if(strcmp(addrstr, ip) != 0){
462
fprintf(stderr, "Canonical address form: %s\n", addrstr);
463
}
464
}
407
465
}
408
466
409
467
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
411
469
perror("connect");
412
470
return -1;
413
471
}
414
415
ret = initgnutls (&es);
416
if (ret != 0){
417
retval = -1;
418
return -1;
472
473
const char *out = mandos_protocol_version;
474
written = 0;
475
while (true){
476
size_t out_size = strlen(out);
477
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
478
out_size - written));
479
if (ret == -1){
480
perror("write");
481
retval = -1;
482
goto mandos_end;
483
}
484
written += (size_t)ret;
485
if(written < out_size){
486
continue;
487
} else {
488
if (out == mandos_protocol_version){
489
written = 0;
490
out = "\r\n";
491
} else {
492
break;
493
}
494
}
419
495
}
420
421
gnutls_transport_set_ptr (es.session,
422
(gnutls_transport_ptr_t) tcp_sd);
423
496
424
497
if(debug){
425
498
fprintf(stderr, "Establishing TLS session with %s\n", ip);
426
499
}
427
500
428
ret = gnutls_handshake (es.session);
501
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
502
503
ret = gnutls_handshake (session);
429
504
430
505
if (ret != GNUTLS_E_SUCCESS){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
506
if(debug){
507
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
508
gnutls_perror (ret);
509
}
433
510
retval = -1;
434
goto exit;
511
goto mandos_end;
435
512
}
436
513
437
//Retrieve OpenPGP packet that contains the wanted password
514
/* Read OpenPGP packet that contains the wanted password */
438
515
439
516
if(debug){
440
517
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
442
519
}
443
520
444
521
while(true){
445
if (buffer_length + BUFFER_SIZE > buffer_capacity){
446
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
447
if (buffer == NULL){
448
perror("realloc");
449
goto exit;
450
}
451
buffer_capacity += BUFFER_SIZE;
522
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
523
if (buffer_capacity == 0){
524
perror("adjustbuffer");
525
retval = -1;
526
goto mandos_end;
452
527
}
453
528
454
ret = gnutls_record_recv
455
(es.session, buffer+buffer_length, BUFFER_SIZE);
529
ret = gnutls_record_recv(session, buffer+buffer_length,
530
BUFFER_SIZE);
456
531
if (ret == 0){
457
532
break;
458
533
}
462
537
case GNUTLS_E_AGAIN:
463
538
break;
464
539
case GNUTLS_E_REHANDSHAKE:
465
ret = gnutls_handshake (es.session);
540
ret = gnutls_handshake (session);
466
541
if (ret < 0){
467
fprintf(stderr, "\n*** Handshake failed ***\n");
542
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
468
543
gnutls_perror (ret);
469
544
retval = -1;
470
goto exit;
545
goto mandos_end;
471
546
}
472
547
break;
473
548
default:
474
549
fprintf(stderr, "Unknown error while reading data from"
475
" encrypted session with mandos server\n");
550
" encrypted session with Mandos server\n");
476
551
retval = -1;
477
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
478
goto exit;
552
gnutls_bye (session, GNUTLS_SHUT_RDWR);
553
goto mandos_end;
479
554
}
480
555
} else {
481
556
buffer_length += (size_t) ret;
482
557
}
483
558
}
484
559
560
if(debug){
561
fprintf(stderr, "Closing TLS session\n");
562
}
563
564
gnutls_bye (session, GNUTLS_SHUT_RDWR);
565
485
566
if (buffer_length > 0){
486
567
decrypted_buffer_size = pgp_packet_decrypt(buffer,
487
568
buffer_length,
488
569
&decrypted_buffer,
489
CERT_ROOT);
570
keydir);
490
571
if (decrypted_buffer_size >= 0){
491
while(decrypted_buffer_size > 0){
492
ret = fwrite (decrypted_buffer, 1, (size_t)decrypted_buffer_size,
493
stdout);
572
written = 0;
573
while(written < (size_t) decrypted_buffer_size){
574
ret = (int)fwrite (decrypted_buffer + written, 1,
575
(size_t)decrypted_buffer_size - written,
576
stdout);
494
577
if(ret == 0 and ferror(stdout)){
495
578
if(debug){
496
579
fprintf(stderr, "Error writing encrypted data: %s\n",
499
582
retval = -1;
500
583
break;
501
584
}
502
decrypted_buffer += ret;
503
decrypted_buffer_size -= ret;
585
written += (size_t)ret;
504
586
}
505
587
free(decrypted_buffer);
506
588
} else {
507
589
retval = -1;
508
590
}
509
591
}
510
511
//shutdown procedure
512
513
if(debug){
514
fprintf(stderr, "Closing TLS session\n");
515
}
516
592
593
/* Shutdown procedure */
594
595
mandos_end:
517
596
free(buffer);
518
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
519
exit:
520
597
close(tcp_sd);
521
gnutls_deinit (es.session);
522
gnutls_certificate_free_credentials (es.cred);
598
gnutls_deinit (session);
599
gnutls_certificate_free_credentials (mc->cred);
523
600
gnutls_global_deinit ();
524
601
return retval;
525
602
}
526
603
527
static AvahiSimplePoll *simple_poll = NULL;
528
static AvahiServer *server = NULL;
529
530
static void resolve_callback(
531
AvahiSServiceResolver *r,
532
AVAHI_GCC_UNUSED AvahiIfIndex interface,
533
AVAHI_GCC_UNUSED AvahiProtocol protocol,
534
AvahiResolverEvent event,
535
const char *name,
536
const char *type,
537
const char *domain,
538
const char *host_name,
539
const AvahiAddress *address,
540
uint16_t port,
541
AVAHI_GCC_UNUSED AvahiStringList *txt,
542
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
543
AVAHI_GCC_UNUSED void* userdata) {
544
545
assert(r);
546
604
static void resolve_callback(AvahiSServiceResolver *r,
605
AvahiIfIndex interface,
606
AVAHI_GCC_UNUSED AvahiProtocol protocol,
607
AvahiResolverEvent event,
608
const char *name,
609
const char *type,
610
const char *domain,
611
const char *host_name,
612
const AvahiAddress *address,
613
uint16_t port,
614
AVAHI_GCC_UNUSED AvahiStringList *txt,
615
AVAHI_GCC_UNUSED AvahiLookupResultFlags
616
flags,
617
void* userdata) {
618
mandos_context *mc = userdata;
619
assert(r); /* Spurious warning */
620
547
621
/* Called whenever a service has been resolved successfully or
548
622
timed out */
549
623
550
624
switch (event) {
551
625
default:
552
626
case AVAHI_RESOLVER_FAILURE:
553
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
554
" type '%s' in domain '%s': %s\n", name, type, domain,
555
avahi_strerror(avahi_server_errno(server)));
627
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
628
" of type '%s' in domain '%s': %s\n", name, type, domain,
629
avahi_strerror(avahi_server_errno(mc->server)));
556
630
break;
557
631
558
632
case AVAHI_RESOLVER_FOUND:
559
633
{
560
634
char ip[AVAHI_ADDRESS_STR_MAX];
561
635
avahi_address_snprint(ip, sizeof(ip), address);
562
636
if(debug){
563
fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",
564
host_name, ip, port);
637
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
638
" port %d\n", name, host_name, ip, interface, port);
565
639
}
566
int ret = start_mandos_communication(ip, port,
567
(unsigned int)
568
interface);
640
int ret = start_mandos_communication(ip, port, interface, mc);
569
641
if (ret == 0){
570
642
exit(EXIT_SUCCESS);
571
} else {
572
exit(EXIT_FAILURE);
573
643
}
574
644
}
575
645
}
576
646
avahi_s_service_resolver_free(r);
577
647
}
578
648
579
static void browse_callback(
580
AvahiSServiceBrowser *b,
581
AvahiIfIndex interface,
582
AvahiProtocol protocol,
583
AvahiBrowserEvent event,
584
const char *name,
585
const char *type,
586
const char *domain,
587
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
588
void* userdata) {
589
590
AvahiServer *s = userdata;
591
assert(b);
592
593
/* Called whenever a new services becomes available on the LAN or
594
is removed from the LAN */
595
596
switch (event) {
597
default:
598
case AVAHI_BROWSER_FAILURE:
599
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(server)));
602
avahi_simple_poll_quit(simple_poll);
603
return;
604
605
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
610
611
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, s)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(s)));
617
break;
618
619
case AVAHI_BROWSER_REMOVE:
620
break;
621
622
case AVAHI_BROWSER_ALL_FOR_NOW:
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
624
break;
649
static void browse_callback( AvahiSServiceBrowser *b,
650
AvahiIfIndex interface,
651
AvahiProtocol protocol,
652
AvahiBrowserEvent event,
653
const char *name,
654
const char *type,
655
const char *domain,
656
AVAHI_GCC_UNUSED AvahiLookupResultFlags
657
flags,
658
void* userdata) {
659
mandos_context *mc = userdata;
660
assert(b); /* Spurious warning */
661
662
/* Called whenever a new services becomes available on the LAN or
663
is removed from the LAN */
664
665
switch (event) {
666
default:
667
case AVAHI_BROWSER_FAILURE:
668
669
fprintf(stderr, "(Avahi browser) %s\n",
670
avahi_strerror(avahi_server_errno(mc->server)));
671
avahi_simple_poll_quit(mc->simple_poll);
672
return;
673
674
case AVAHI_BROWSER_NEW:
675
/* We ignore the returned Avahi resolver object. In the callback
676
function we free it. If the Avahi server is terminated before
677
the callback function is called the Avahi server will free the
678
resolver for us. */
679
680
if (!(avahi_s_service_resolver_new(mc->server, interface,
681
protocol, name, type, domain,
682
AVAHI_PROTO_INET6, 0,
683
resolve_callback, mc)))
684
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
685
name, avahi_strerror(avahi_server_errno(mc->server)));
686
break;
687
688
case AVAHI_BROWSER_REMOVE:
689
break;
690
691
case AVAHI_BROWSER_ALL_FOR_NOW:
692
case AVAHI_BROWSER_CACHE_EXHAUSTED:
693
if(debug){
694
fprintf(stderr, "No Mandos server found, still searching...\n");
625
695
}
626
}
627
628
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
629
AvahiServerConfig config;
696
break;
697
}
698
}
699
700
/* Combines file name and path and returns the malloced new
701
string. some sane checks could/should be added */
702
static const char *combinepath(const char *first, const char *second){
703
size_t f_len = strlen(first);
704
size_t s_len = strlen(second);
705
char *tmp = malloc(f_len + s_len + 2);
706
if (tmp == NULL){
707
return NULL;
708
}
709
if(f_len > 0){
710
memcpy(tmp, first, f_len); /* Spurious warning */
711
}
712
tmp[f_len] = '/';
713
if(s_len > 0){
714
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
715
}
716
tmp[f_len + 1 + s_len] = '\0';
717
return tmp;
718
}
719
720
721
int main(int argc, char *argv[]){
630
722
AvahiSServiceBrowser *sb = NULL;
631
723
int error;
632
724
int ret;
633
int returncode = EXIT_SUCCESS;
725
int exitcode = EXIT_SUCCESS;
634
726
const char *interface = "eth0";
635
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"interface", required_argument, 0, 'i'},
640
{0, 0, 0, 0} };
641
642
int option_index = 0;
643
ret = getopt_long (argc, argv, "i:", long_options,
644
&option_index);
645
646
if (ret == -1){
647
break;
648
}
649
650
switch(ret){
651
case 0:
652
break;
653
case 'i':
654
interface = optarg;
655
break;
656
default:
657
exit(EXIT_FAILURE);
658
}
727
struct ifreq network;
728
int sd;
729
uid_t uid;
730
gid_t gid;
731
char *connect_to = NULL;
732
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
733
const char *pubkeyfile = "pubkey.txt";
734
const char *seckeyfile = "seckey.txt";
735
mandos_context mc = { .simple_poll = NULL, .server = NULL,
736
.dh_bits = 1024, .priority = "SECURE256"};
737
738
{
739
struct argp_option options[] = {
740
{ .name = "debug", .key = 128,
741
.doc = "Debug mode", .group = 3 },
742
{ .name = "connect", .key = 'c',
743
.arg = "IP",
744
.doc = "Connect directly to a sepcified mandos server", .group = 1 },
745
{ .name = "interface", .key = 'i',
746
.arg = "INTERFACE",
747
.doc = "Interface that Avahi will conntect through", .group = 1 },
748
{ .name = "keydir", .key = 'd',
749
.arg = "KEYDIR",
750
.doc = "Directory where the openpgp keyring is", .group = 1 },
751
{ .name = "seckey", .key = 's',
752
.arg = "SECKEY",
753
.doc = "Secret openpgp key for gnutls authentication", .group = 1 },
754
{ .name = "pubkey", .key = 'p',
755
.arg = "PUBKEY",
756
.doc = "Public openpgp key for gnutls authentication", .group = 2 },
757
{ .name = "dh-bits", .key = 129,
758
.arg = "BITS",
759
.doc = "dh-bits to use in gnutls communication", .group = 2 },
760
{ .name = "priority", .key = 130,
761
.arg = "PRIORITY",
762
.doc = "GNUTLS priority", .group = 1 },
763
{ .name = NULL }
764
};
765
766
767
error_t parse_opt (int key, char *arg, struct argp_state *state) {
768
/* Get the INPUT argument from `argp_parse', which we know is a
769
pointer to our plugin list pointer. */
770
switch (key) {
771
case 128:
772
debug = true;
773
break;
774
case 'c':
775
connect_to = arg;
776
break;
777
case 'i':
778
interface = arg;
779
break;
780
case 'd':
781
keydir = arg;
782
break;
783
case 's':
784
seckeyfile = arg;
785
break;
786
case 'p':
787
pubkeyfile = arg;
788
break;
789
case 129:
790
errno = 0;
791
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
792
if (errno){
793
perror("strtol");
794
exit(EXIT_FAILURE);
795
}
796
break;
797
case 130:
798
mc.priority = arg;
799
break;
800
case ARGP_KEY_ARG:
801
argp_usage (state);
802
break;
803
case ARGP_KEY_END:
804
break;
805
default:
806
return ARGP_ERR_UNKNOWN;
807
}
808
return 0;
809
}
810
811
struct argp argp = { .options = options, .parser = parse_opt,
812
.args_doc = "",
813
.doc = "Mandos client -- Get and decrypt passwords from mandos server" };
814
argp_parse (&argp, argc, argv, 0, 0, NULL);
815
}
816
817
pubkeyfile = combinepath(keydir, pubkeyfile);
818
if (pubkeyfile == NULL){
819
perror("combinepath");
820
exitcode = EXIT_FAILURE;
821
goto end;
822
}
823
824
seckeyfile = combinepath(keydir, seckeyfile);
825
if (seckeyfile == NULL){
826
perror("combinepath");
827
goto end;
828
}
829
830
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
831
if (ret == -1){
832
fprintf(stderr, "init_gnutls_global\n");
833
goto end;
834
}
835
836
uid = getuid();
837
gid = getgid();
838
839
ret = setuid(uid);
840
if (ret == -1){
841
perror("setuid");
842
}
843
844
setgid(gid);
845
if (ret == -1){
846
perror("setgid");
847
}
848
849
if_index = (AvahiIfIndex) if_nametoindex(interface);
850
if(if_index == 0){
851
fprintf(stderr, "No such interface: \"%s\"\n", interface);
852
exit(EXIT_FAILURE);
853
}
854
855
if(connect_to != NULL){
856
/* Connect directly, do not use Zeroconf */
857
/* (Mainly meant for debugging) */
858
char *address = strrchr(connect_to, ':');
859
if(address == NULL){
860
fprintf(stderr, "No colon in address\n");
861
exitcode = EXIT_FAILURE;
862
goto end;
863
}
864
errno = 0;
865
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
866
if(errno){
867
perror("Bad port number");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
*address = '\0';
872
address = connect_to;
873
ret = start_mandos_communication(address, port, if_index, &mc);
874
if(ret < 0){
875
exitcode = EXIT_FAILURE;
876
} else {
877
exitcode = EXIT_SUCCESS;
878
}
879
goto end;
880
}
881
882
/* If the interface is down, bring it up */
883
{
884
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
885
if(sd < 0) {
886
perror("socket");
887
exitcode = EXIT_FAILURE;
888
goto end;
889
}
890
strcpy(network.ifr_name, interface); /* Spurious warning */
891
ret = ioctl(sd, SIOCGIFFLAGS, &network);
892
if(ret == -1){
893
perror("ioctl SIOCGIFFLAGS");
894
exitcode = EXIT_FAILURE;
895
goto end;
896
}
897
if((network.ifr_flags & IFF_UP) == 0){
898
network.ifr_flags |= IFF_UP;
899
ret = ioctl(sd, SIOCSIFFLAGS, &network);
900
if(ret == -1){
901
perror("ioctl SIOCSIFFLAGS");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
}
906
close(sd);
659
907
}
660
908
661
909
if (not debug){
662
910
avahi_set_log_function(empty_log);
663
911
}
664
912
665
/* Initialize the psuedo-RNG */
913
/* Initialize the pseudo-RNG for Avahi */
666
914
srand((unsigned int) time(NULL));
667
668
/* Allocate main loop object */
669
if (!(simple_poll = avahi_simple_poll_new())) {
670
fprintf(stderr, "Failed to create simple poll object.\n");
671
672
goto exit;
673
}
674
675
/* Do not publish any local records */
676
avahi_server_config_init(&config);
677
config.publish_hinfo = 0;
678
config.publish_addresses = 0;
679
config.publish_workstation = 0;
680
config.publish_domain = 0;
681
682
/* Allocate a new server */
683
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
684
&config, NULL, NULL, &error);
685
686
/* Free the configuration data */
687
avahi_server_config_free(&config);
688
689
/* Check if creating the server object succeeded */
690
if (!server) {
691
fprintf(stderr, "Failed to create server: %s\n",
915
916
/* Allocate main Avahi loop object */
917
mc.simple_poll = avahi_simple_poll_new();
918
if (mc.simple_poll == NULL) {
919
fprintf(stderr, "Avahi: Failed to create simple poll"
920
" object.\n");
921
exitcode = EXIT_FAILURE;
922
goto end;
923
}
924
925
{
926
AvahiServerConfig config;
927
/* Do not publish any local Zeroconf records */
928
avahi_server_config_init(&config);
929
config.publish_hinfo = 0;
930
config.publish_addresses = 0;
931
config.publish_workstation = 0;
932
config.publish_domain = 0;
933
934
/* Allocate a new server */
935
mc.server = avahi_server_new(avahi_simple_poll_get
936
(mc.simple_poll), &config, NULL,
937
NULL, &error);
938
939
/* Free the Avahi configuration data */
940
avahi_server_config_free(&config);
941
}
942
943
/* Check if creating the Avahi server object succeeded */
944
if (mc.server == NULL) {
945
fprintf(stderr, "Failed to create Avahi server: %s\n",
692
946
avahi_strerror(error));
693
returncode = EXIT_FAILURE;
694
goto exit;
947
exitcode = EXIT_FAILURE;
948
goto end;
695
949
}
696
950
697
/* Create the service browser */
698
sb = avahi_s_service_browser_new(server,
699
(AvahiIfIndex)
700
if_nametoindex(interface),
951
/* Create the Avahi service browser */
952
sb = avahi_s_service_browser_new(mc.server, if_index,
701
953
AVAHI_PROTO_INET6,
702
954
"_mandos._tcp", NULL, 0,
703
browse_callback, server);
704
if (!sb) {
955
browse_callback, &mc);
956
if (sb == NULL) {
705
957
fprintf(stderr, "Failed to create service browser: %s\n",
706
avahi_strerror(avahi_server_errno(server)));
707
returncode = EXIT_FAILURE;
708
goto exit;
958
avahi_strerror(avahi_server_errno(mc.server)));
959
exitcode = EXIT_FAILURE;
960
goto end;
709
961
}
710
962
711
963
/* Run the main loop */
712
964
713
965
if (debug){
714
fprintf(stderr, "Starting avahi loop search\n");
966
fprintf(stderr, "Starting Avahi loop search\n");
715
967
}
716
968
717
avahi_simple_poll_loop(simple_poll);
969
avahi_simple_poll_loop(mc.simple_poll);
718
970
719
exit:
971
end:
720
972
721
973
if (debug){
722
974
fprintf(stderr, "%s exiting\n", argv[0]);
723
975
}
724
976
725
977
/* Cleanup things */
726
if (sb)
978
if (sb != NULL)
727
979
avahi_s_service_browser_free(sb);
728
980
729
if (server)
730
avahi_server_free(server);
731
732
if (simple_poll)
733
avahi_simple_poll_free(simple_poll);
734
735
return returncode;
981
if (mc.server != NULL)
982
avahi_server_free(mc.server);
983
984
if (mc.simple_poll != NULL)
985
avahi_simple_poll_free(mc.simple_poll);
986
free(pubkeyfile);
987
free(seckeyfile);
988
989
return exitcode;
736
990
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0