To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.16
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.16
- Committer: Björn Påhlsson
- Date: 2008-08-04 16:06:40 UTC
- mfrom: (42 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 44.
- Revision ID: belorn@braxen-20080804160640-omzss34wcs708i0e
merge
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
35
37
#include <stdio.h>
36
38
#include <assert.h>
37
39
#include <stdlib.h>
38
40
#include <time.h>
39
41
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
42
46
43
47
#include <avahi-core/core.h>
44
48
#include <avahi-core/lookup.h>
47
51
#include <avahi-common/malloc.h>
48
52
#include <avahi-common/error.h>
49
53
50
//mandos client part
54
/* Mandos client part */
51
55
#include <sys/types.h> /* socket(), inet_pton() */
52
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
57
struct in6_addr, inet_pton() */
60
64
#include <string.h> /* memset */
61
65
#include <arpa/inet.h> /* inet_pton() */
62
66
#include <iso646.h> /* not */
63
64
// gpgme
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
65
72
#include <errno.h> /* perror() */
66
73
#include <gpgme.h>
67
74
68
// getopt long
69
#include <getopt.h>
70
71
75
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
73
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
77
76
78
77
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
static const char mandos_protocol_version[] = "1";
79
82
83
/* Used for passing in values through the Avahi callback functions */
80
84
typedef struct {
81
gnutls_session_t session;
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
82
87
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
83
89
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
90
const char *priority;
91
} mandos_context;
92
93
/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
94
* "buffer_capacity" is how much is currently allocated,
95
* "buffer_length" is how much is already used. */
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
89
115
const char *homedir){
90
116
gpgme_data_t dh_crypto, dh_plain;
91
117
gpgme_ctx_t ctx;
92
118
gpgme_error_t rc;
93
119
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
96
122
gpgme_engine_info_t engine_info;
97
123
98
124
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
100
126
}
101
127
102
128
/* Init GPGME */
108
134
return -1;
109
135
}
110
136
111
/* Set GPGME home directory */
137
/* Set GPGME home directory for the OpenPGP engine only */
112
138
rc = gpgme_get_engine_info (&engine_info);
113
139
if (rc != GPG_ERR_NO_ERROR){
114
140
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
124
150
engine_info = engine_info->next;
125
151
}
126
152
if(engine_info == NULL){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
128
154
return -1;
129
155
}
130
156
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
133
160
if (rc != GPG_ERR_NO_ERROR){
134
161
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
135
162
gpgme_strsource(rc), gpgme_strerror(rc));
141
168
if (rc != GPG_ERR_NO_ERROR){
142
169
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
170
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
144
172
return -1;
145
173
}
146
174
149
177
if (rc != GPG_ERR_NO_ERROR){
150
178
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
179
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
180
plaintext_length = -1;
181
goto decrypt_end;
153
182
}
154
183
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
157
186
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
187
if (rc != GPG_ERR_NO_ERROR){
159
188
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
189
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
190
plaintext_length = -1;
191
goto decrypt_end;
162
192
}
163
193
164
194
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
166
196
}
167
197
168
198
if (debug){
169
199
gpgme_decrypt_result_t result;
170
200
result = gpgme_op_decrypt_result(ctx);
194
224
}
195
225
}
196
226
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
199
200
227
/* Seek back to the beginning of the GPGME plaintext data buffer */
201
228
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
229
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
203
232
}
204
233
205
*new_packet = 0;
234
*plaintext = NULL;
206
235
while(true){
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
236
plaintext_capacity = adjustbuffer(plaintext,
237
(size_t)plaintext_length,
238
plaintext_capacity);
239
if (plaintext_capacity == 0){
240
perror("adjustbuffer");
241
plaintext_length = -1;
242
goto decrypt_end;
216
243
}
217
244
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
245
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
246
BUFFER_SIZE);
220
247
/* Print the data, if any */
221
248
if (ret == 0){
249
/* EOF */
222
250
break;
223
251
}
224
252
if(ret < 0){
225
253
perror("gpgme_data_read");
226
return -1;
254
plaintext_length = -1;
255
goto decrypt_end;
227
256
}
228
new_packet_length += ret;
257
plaintext_length += ret;
229
258
}
230
259
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
260
if(debug){
261
fprintf(stderr, "Decrypted password is: ");
262
for(ssize_t i = 0; i < plaintext_length; i++){
263
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
264
}
265
fprintf(stderr, "\n");
266
}
267
268
decrypt_end:
269
270
/* Delete the GPGME cryptotext data buffer */
271
gpgme_data_release(dh_crypto);
238
272
239
273
/* Delete the GPGME plaintext data buffer */
240
274
gpgme_data_release(dh_plain);
241
return new_packet_length;
275
return plaintext_length;
242
276
}
243
277
244
278
static const char * safer_gnutls_strerror (int value) {
248
282
return ret;
249
283
}
250
284
285
/* GnuTLS log function callback */
251
286
static void debuggnutls(__attribute__((unused)) int level,
252
287
const char* string){
253
fprintf(stderr, "%s", string);
288
fprintf(stderr, "GnuTLS: %s", string);
254
289
}
255
290
256
static int initgnutls(encrypted_session *es){
257
const char *err;
291
static int init_gnutls_global(mandos_context *mc,
292
const char *pubkeyfile,
293
const char *seckeyfile){
258
294
int ret;
259
295
260
296
if(debug){
263
299
264
300
if ((ret = gnutls_global_init ())
265
301
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
302
fprintf (stderr, "GnuTLS global_init: %s\n",
303
safer_gnutls_strerror(ret));
267
304
return -1;
268
305
}
269
306
270
307
if (debug){
308
/* "Use a log level over 10 to enable all debugging options."
309
* - GnuTLS manual
310
*/
271
311
gnutls_global_set_log_level(11);
272
312
gnutls_global_set_log_function(debuggnutls);
273
313
}
274
314
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
315
/* OpenPGP credentials */
316
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
277
317
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
318
fprintf (stderr, "GnuTLS memory error: %s\n",
279
319
safer_gnutls_strerror(ret));
280
320
return -1;
281
321
}
282
322
283
323
if(debug){
284
324
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
325
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
326
seckeyfile);
287
327
}
288
328
289
329
ret = gnutls_certificate_set_openpgp_key_file
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
330
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
291
331
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
332
fprintf(stderr,
333
"Error[%d] while reading the OpenPGP key pair ('%s',"
334
" '%s')\n", ret, pubkeyfile, seckeyfile);
335
fprintf(stdout, "The GnuTLS error is: %s\n",
297
336
safer_gnutls_strerror(ret));
298
337
return -1;
299
338
}
300
339
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
340
/* GnuTLS server initialization */
341
ret = gnutls_dh_params_init(&mc->dh_params);
342
if (ret != GNUTLS_E_SUCCESS) {
343
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
344
" %s\n", safer_gnutls_strerror(ret));
345
return -1;
346
}
347
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
348
if (ret != GNUTLS_E_SUCCESS) {
349
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
350
safer_gnutls_strerror(ret));
351
return -1;
352
}
353
354
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
356
return 0;
357
}
358
359
static int init_gnutls_session(mandos_context *mc,
360
gnutls_session_t *session){
361
int ret;
362
/* GnuTLS session creation */
363
ret = gnutls_init(session, GNUTLS_SERVER);
364
if (ret != GNUTLS_E_SUCCESS){
321
365
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
366
safer_gnutls_strerror(ret));
323
367
}
324
368
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
369
{
370
const char *err;
371
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
372
if (ret != GNUTLS_E_SUCCESS) {
373
fprintf(stderr, "Syntax error at: %s\n", err);
374
fprintf(stderr, "GnuTLS error: %s\n",
375
safer_gnutls_strerror(ret));
376
return -1;
377
}
331
378
}
332
379
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
380
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
381
mc->cred);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
337
384
safer_gnutls_strerror(ret));
338
385
return -1;
339
386
}
340
387
341
388
/* ignore client certificate if any. */
342
gnutls_certificate_server_set_request (es->session,
389
gnutls_certificate_server_set_request (*session,
343
390
GNUTLS_CERT_IGNORE);
344
391
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
392
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
346
393
347
394
return 0;
348
395
}
349
396
397
/* Avahi log function callback */
350
398
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
399
__attribute__((unused)) const char *txt){}
352
400
401
/* Called when a Mandos server is found */
353
402
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
403
AvahiIfIndex if_index,
404
mandos_context *mc){
355
405
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
406
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
358
407
char *buffer = NULL;
359
408
char *decrypted_buffer;
360
409
size_t buffer_length = 0;
361
410
size_t buffer_capacity = 0;
362
411
ssize_t decrypted_buffer_size;
363
size_t written = 0;
412
size_t written;
364
413
int retval = 0;
365
414
char interface[IF_NAMESIZE];
415
gnutls_session_t session;
416
417
ret = init_gnutls_session (mc, &session);
418
if (ret != 0){
419
return -1;
420
}
366
421
367
422
if(debug){
368
423
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
377
432
378
433
if(debug){
379
434
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
435
perror("if_indextoname");
383
436
return -1;
384
437
}
385
386
438
fprintf(stderr, "Binding to interface %s\n", interface);
387
439
}
388
440
389
441
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
442
to.in6.sin6_family = AF_INET6;
443
/* It would be nice to have a way to detect if we were passed an
444
IPv4 address here. Now we assume an IPv6 address. */
445
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
392
446
if (ret < 0 ){
393
447
perror("inet_pton");
394
448
return -1;
395
}
449
}
396
450
if(ret == 0){
397
451
fprintf(stderr, "Bad address: %s\n", ip);
398
452
return -1;
399
453
}
400
to.sin6_port = htons(port); /* Spurious warning */
454
to.in6.sin6_port = htons(port); /* Spurious warning */
401
455
402
to.sin6_scope_id = (uint32_t)if_index;
456
to.in6.sin6_scope_id = (uint32_t)if_index;
403
457
404
458
if(debug){
405
459
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
460
char addrstr[INET6_ADDRSTRLEN] = "";
461
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
462
sizeof(addrstr)) == NULL){
463
perror("inet_ntop");
464
} else {
465
if(strcmp(addrstr, ip) != 0){
466
fprintf(stderr, "Canonical address form: %s\n", addrstr);
467
}
468
}
414
469
}
415
470
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
471
ret = connect(tcp_sd, &to.in, sizeof(to));
417
472
if (ret < 0){
418
473
perror("connect");
419
474
return -1;
420
475
}
421
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
476
477
const char *out = mandos_protocol_version;
478
written = 0;
479
while (true){
480
size_t out_size = strlen(out);
481
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
482
out_size - written));
483
if (ret == -1){
484
perror("write");
485
retval = -1;
486
goto mandos_end;
487
}
488
written += (size_t)ret;
489
if(written < out_size){
490
continue;
491
} else {
492
if (out == mandos_protocol_version){
493
written = 0;
494
out = "\r\n";
495
} else {
496
break;
497
}
498
}
426
499
}
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
500
431
501
if(debug){
432
502
fprintf(stderr, "Establishing TLS session with %s\n", ip);
433
503
}
434
504
435
ret = gnutls_handshake (es.session);
505
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
506
507
ret = gnutls_handshake (session);
436
508
437
509
if (ret != GNUTLS_E_SUCCESS){
438
510
if(debug){
439
fprintf(stderr, "\n*** Handshake failed ***\n");
511
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
440
512
gnutls_perror (ret);
441
513
}
442
514
retval = -1;
443
goto exit;
515
goto mandos_end;
444
516
}
445
517
446
//Retrieve OpenPGP packet that contains the wanted password
518
/* Read OpenPGP packet that contains the wanted password */
447
519
448
520
if(debug){
449
521
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
451
523
}
452
524
453
525
while(true){
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
526
buffer_capacity = adjustbuffer(&buffer, buffer_length,
527
buffer_capacity);
528
if (buffer_capacity == 0){
529
perror("adjustbuffer");
530
retval = -1;
531
goto mandos_end;
461
532
}
462
533
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
534
ret = gnutls_record_recv(session, buffer+buffer_length,
535
BUFFER_SIZE);
465
536
if (ret == 0){
466
537
break;
467
538
}
471
542
case GNUTLS_E_AGAIN:
472
543
break;
473
544
case GNUTLS_E_REHANDSHAKE:
474
ret = gnutls_handshake (es.session);
545
ret = gnutls_handshake (session);
475
546
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
547
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
477
548
gnutls_perror (ret);
478
549
retval = -1;
479
goto exit;
550
goto mandos_end;
480
551
}
481
552
break;
482
553
default:
483
554
fprintf(stderr, "Unknown error while reading data from"
484
" encrypted session with mandos server\n");
555
" encrypted session with Mandos server\n");
485
556
retval = -1;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
557
gnutls_bye (session, GNUTLS_SHUT_RDWR);
558
goto mandos_end;
488
559
}
489
560
} else {
490
561
buffer_length += (size_t) ret;
491
562
}
492
563
}
493
564
565
if(debug){
566
fprintf(stderr, "Closing TLS session\n");
567
}
568
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
494
571
if (buffer_length > 0){
495
572
decrypted_buffer_size = pgp_packet_decrypt(buffer,
496
573
buffer_length,
497
574
&decrypted_buffer,
498
certdir);
575
keydir);
499
576
if (decrypted_buffer_size >= 0){
577
written = 0;
500
578
while(written < (size_t) decrypted_buffer_size){
501
579
ret = (int)fwrite (decrypted_buffer + written, 1,
502
580
(size_t)decrypted_buffer_size - written,
516
594
retval = -1;
517
595
}
518
596
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
597
598
/* Shutdown procedure */
599
600
mandos_end:
526
601
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
602
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
603
gnutls_deinit (session);
604
gnutls_certificate_free_credentials (mc->cred);
532
605
gnutls_global_deinit ();
533
606
return retval;
534
607
}
535
608
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
609
static void resolve_callback(AvahiSServiceResolver *r,
610
AvahiIfIndex interface,
611
AVAHI_GCC_UNUSED AvahiProtocol protocol,
612
AvahiResolverEvent event,
613
const char *name,
614
const char *type,
615
const char *domain,
616
const char *host_name,
617
const AvahiAddress *address,
618
uint16_t port,
619
AVAHI_GCC_UNUSED AvahiStringList *txt,
620
AVAHI_GCC_UNUSED AvahiLookupResultFlags
621
flags,
622
void* userdata) {
623
mandos_context *mc = userdata;
554
624
assert(r); /* Spurious warning */
555
625
556
626
/* Called whenever a service has been resolved successfully or
559
629
switch (event) {
560
630
default:
561
631
case AVAHI_RESOLVER_FAILURE:
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
632
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
633
" of type '%s' in domain '%s': %s\n", name, type, domain,
634
avahi_strerror(avahi_server_errno(mc->server)));
565
635
break;
566
636
567
637
case AVAHI_RESOLVER_FOUND:
569
639
char ip[AVAHI_ADDRESS_STR_MAX];
570
640
avahi_address_snprint(ip, sizeof(ip), address);
571
641
if(debug){
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
642
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
643
" port %d\n", name, host_name, ip, interface, port);
574
644
}
575
int ret = start_mandos_communication(ip, port, interface);
645
int ret = start_mandos_communication(ip, port, interface, mc);
576
646
if (ret == 0){
577
647
exit(EXIT_SUCCESS);
578
648
}
581
651
avahi_s_service_resolver_free(r);
582
652
}
583
653
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
654
static void browse_callback( AvahiSServiceBrowser *b,
655
AvahiIfIndex interface,
656
AvahiProtocol protocol,
657
AvahiBrowserEvent event,
658
const char *name,
659
const char *type,
660
const char *domain,
661
AVAHI_GCC_UNUSED AvahiLookupResultFlags
662
flags,
663
void* userdata) {
664
mandos_context *mc = userdata;
665
assert(b); /* Spurious warning */
666
667
/* Called whenever a new services becomes available on the LAN or
668
is removed from the LAN */
669
670
switch (event) {
671
default:
672
case AVAHI_BROWSER_FAILURE:
673
674
fprintf(stderr, "(Avahi browser) %s\n",
675
avahi_strerror(avahi_server_errno(mc->server)));
676
avahi_simple_poll_quit(mc->simple_poll);
677
return;
678
679
case AVAHI_BROWSER_NEW:
680
/* We ignore the returned Avahi resolver object. In the callback
681
function we free it. If the Avahi server is terminated before
682
the callback function is called the Avahi server will free the
683
resolver for us. */
684
685
if (!(avahi_s_service_resolver_new(mc->server, interface,
686
protocol, name, type, domain,
687
AVAHI_PROTO_INET6, 0,
688
resolve_callback, mc)))
689
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
690
name, avahi_strerror(avahi_server_errno(mc->server)));
691
break;
692
693
case AVAHI_BROWSER_REMOVE:
694
break;
695
696
case AVAHI_BROWSER_ALL_FOR_NOW:
697
case AVAHI_BROWSER_CACHE_EXHAUSTED:
698
if(debug){
699
fprintf(stderr, "No Mandos server found, still searching...\n");
630
700
}
701
break;
702
}
631
703
}
632
704
633
705
/* Combines file name and path and returns the malloced new
640
712
return NULL;
641
713
}
642
714
if(f_len > 0){
643
memcpy(tmp, first, f_len);
715
memcpy(tmp, first, f_len); /* Spurious warning */
644
716
}
645
717
tmp[f_len] = '/';
646
718
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
719
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
648
720
}
649
721
tmp[f_len + 1 + s_len] = '\0';
650
722
return tmp;
651
723
}
652
724
653
725
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
726
int main(int argc, char *argv[]){
656
727
AvahiSServiceBrowser *sb = NULL;
657
728
int error;
658
729
int ret;
659
int returncode = EXIT_SUCCESS;
730
int exitcode = EXIT_SUCCESS;
660
731
const char *interface = "eth0";
661
732
struct ifreq network;
662
733
int sd;
734
uid_t uid;
735
gid_t gid;
663
736
char *connect_to = NULL;
664
737
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
738
const char *pubkeyfile = "pubkey.txt";
739
const char *seckeyfile = "seckey.txt";
740
mandos_context mc = { .simple_poll = NULL, .server = NULL,
741
.dh_bits = 1024, .priority = "SECURE256"};
742
743
{
744
struct argp_option options[] = {
745
{ .name = "debug", .key = 128,
746
.doc = "Debug mode", .group = 3 },
747
{ .name = "connect", .key = 'c',
748
.arg = "IP",
749
.doc = "Connect directly to a sepcified mandos server",
750
.group = 1 },
751
{ .name = "interface", .key = 'i',
752
.arg = "INTERFACE",
753
.doc = "Interface that Avahi will conntect through",
754
.group = 1 },
755
{ .name = "keydir", .key = 'd',
756
.arg = "KEYDIR",
757
.doc = "Directory where the openpgp keyring is",
758
.group = 1 },
759
{ .name = "seckey", .key = 's',
760
.arg = "SECKEY",
761
.doc = "Secret openpgp key for gnutls authentication",
762
.group = 1 },
763
{ .name = "pubkey", .key = 'p',
764
.arg = "PUBKEY",
765
.doc = "Public openpgp key for gnutls authentication",
766
.group = 2 },
767
{ .name = "dh-bits", .key = 129,
768
.arg = "BITS",
769
.doc = "dh-bits to use in gnutls communication",
770
.group = 2 },
771
{ .name = "priority", .key = 130,
772
.arg = "PRIORITY",
773
.doc = "GNUTLS priority", .group = 1 },
774
{ .name = NULL }
775
};
776
777
778
error_t parse_opt (int key, char *arg,
779
struct argp_state *state) {
780
/* Get the INPUT argument from `argp_parse', which we know is
781
a pointer to our plugin list pointer. */
782
switch (key) {
783
case 128:
784
debug = true;
785
break;
786
case 'c':
787
connect_to = arg;
788
break;
789
case 'i':
790
interface = arg;
791
break;
792
case 'd':
793
keydir = arg;
794
break;
795
case 's':
796
seckeyfile = arg;
797
break;
798
case 'p':
799
pubkeyfile = arg;
800
break;
801
case 129:
802
errno = 0;
803
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
804
if (errno){
805
perror("strtol");
806
exit(EXIT_FAILURE);
807
}
808
break;
809
case 130:
810
mc.priority = arg;
811
break;
812
case ARGP_KEY_ARG:
813
argp_usage (state);
814
break;
815
case ARGP_KEY_END:
816
break;
817
default:
818
return ARGP_ERR_UNKNOWN;
819
}
820
return 0;
821
}
822
823
struct argp argp = { .options = options, .parser = parse_opt,
824
.args_doc = "",
825
.doc = "Mandos client -- Get and decrypt"
826
" passwords from mandos server" };
827
argp_parse (&argp, argc, argv, 0, 0, NULL);
828
}
829
830
pubkeyfile = combinepath(keydir, pubkeyfile);
831
if (pubkeyfile == NULL){
832
perror("combinepath");
833
exitcode = EXIT_FAILURE;
834
goto end;
835
}
836
837
seckeyfile = combinepath(keydir, seckeyfile);
838
if (seckeyfile == NULL){
839
perror("combinepath");
840
goto end;
841
}
842
843
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
844
if (ret == -1){
845
fprintf(stderr, "init_gnutls_global\n");
846
goto end;
847
}
848
849
uid = getuid();
850
gid = getgid();
851
852
ret = setuid(uid);
853
if (ret == -1){
854
perror("setuid");
855
}
856
857
setgid(gid);
858
if (ret == -1){
859
perror("setgid");
719
860
}
720
861
721
862
if_index = (AvahiIfIndex) if_nametoindex(interface);
730
871
char *address = strrchr(connect_to, ':');
731
872
if(address == NULL){
732
873
fprintf(stderr, "No colon in address\n");
733
exit(EXIT_FAILURE);
874
exitcode = EXIT_FAILURE;
875
goto end;
734
876
}
735
877
errno = 0;
736
878
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
879
if(errno){
738
880
perror("Bad port number");
739
exit(EXIT_FAILURE);
881
exitcode = EXIT_FAILURE;
882
goto end;
740
883
}
741
884
*address = '\0';
742
885
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
886
ret = start_mandos_communication(address, port, if_index, &mc);
744
887
if(ret < 0){
745
exit(EXIT_FAILURE);
888
exitcode = EXIT_FAILURE;
746
889
} else {
747
exit(EXIT_SUCCESS);
890
exitcode = EXIT_SUCCESS;
748
891
}
892
goto end;
749
893
}
750
894
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
756
}
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
if(ret == -1){
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
895
/* If the interface is down, bring it up */
896
{
897
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
898
if(sd < 0) {
899
perror("socket");
900
exitcode = EXIT_FAILURE;
901
goto end;
902
}
903
strcpy(network.ifr_name, interface); /* Spurious warning */
904
ret = ioctl(sd, SIOCGIFFLAGS, &network);
768
905
if(ret == -1){
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
906
perror("ioctl SIOCGIFFLAGS");
907
exitcode = EXIT_FAILURE;
908
goto end;
909
}
910
if((network.ifr_flags & IFF_UP) == 0){
911
network.ifr_flags |= IFF_UP;
912
ret = ioctl(sd, SIOCSIFFLAGS, &network);
913
if(ret == -1){
914
perror("ioctl SIOCSIFFLAGS");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
close(sd);
773
920
}
774
close(sd);
775
921
776
922
if (not debug){
777
923
avahi_set_log_function(empty_log);
778
924
}
779
925
780
/* Initialize the psuedo-RNG */
926
/* Initialize the pseudo-RNG for Avahi */
781
927
srand((unsigned int) time(NULL));
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
796
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
928
929
/* Allocate main Avahi loop object */
930
mc.simple_poll = avahi_simple_poll_new();
931
if (mc.simple_poll == NULL) {
932
fprintf(stderr, "Avahi: Failed to create simple poll"
933
" object.\n");
934
exitcode = EXIT_FAILURE;
935
goto end;
936
}
937
938
{
939
AvahiServerConfig config;
940
/* Do not publish any local Zeroconf records */
941
avahi_server_config_init(&config);
942
config.publish_hinfo = 0;
943
config.publish_addresses = 0;
944
config.publish_workstation = 0;
945
config.publish_domain = 0;
946
947
/* Allocate a new server */
948
mc.server = avahi_server_new(avahi_simple_poll_get
949
(mc.simple_poll), &config, NULL,
950
NULL, &error);
951
952
/* Free the Avahi configuration data */
953
avahi_server_config_free(&config);
954
}
955
956
/* Check if creating the Avahi server object succeeded */
957
if (mc.server == NULL) {
958
fprintf(stderr, "Failed to create Avahi server: %s\n",
807
959
avahi_strerror(error));
808
returncode = EXIT_FAILURE;
809
goto exit;
960
exitcode = EXIT_FAILURE;
961
goto end;
810
962
}
811
963
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
964
/* Create the Avahi service browser */
965
sb = avahi_s_service_browser_new(mc.server, if_index,
814
966
AVAHI_PROTO_INET6,
815
967
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
817
if (!sb) {
968
browse_callback, &mc);
969
if (sb == NULL) {
818
970
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
971
avahi_strerror(avahi_server_errno(mc.server)));
972
exitcode = EXIT_FAILURE;
973
goto end;
822
974
}
823
975
824
976
/* Run the main loop */
825
977
826
978
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
979
fprintf(stderr, "Starting Avahi loop search\n");
828
980
}
829
981
830
avahi_simple_poll_loop(simple_poll);
982
avahi_simple_poll_loop(mc.simple_poll);
831
983
832
exit:
984
end:
833
985
834
986
if (debug){
835
987
fprintf(stderr, "%s exiting\n", argv[0]);
836
988
}
837
989
838
990
/* Cleanup things */
839
if (sb)
991
if (sb != NULL)
840
992
avahi_s_service_browser_free(sb);
841
993
842
if (server)
843
avahi_server_free(server);
994
if (mc.server != NULL)
995
avahi_server_free(mc.server);
844
996
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
997
if (mc.simple_poll != NULL)
998
avahi_simple_poll_free(mc.simple_poll);
999
free(pubkeyfile);
1000
free(seckeyfile);
849
1001
850
return returncode;
1002
return exitcode;
851
1003
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0