To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.18
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.18
- Committer: Björn Påhlsson
- Date: 2008-08-04 20:45:38 UTC
- mfrom: (44 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 46.
- Revision ID: belorn@braxen-20080804204538-wom27iwv1fg8xiuh
Merge
added
removed
plugins.d/mandosclient.c
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
44
46
45
47
#include <avahi-core/core.h>
46
48
#include <avahi-core/lookup.h>
49
51
#include <avahi-common/malloc.h>
50
52
#include <avahi-common/error.h>
51
53
52
//mandos client part
54
/* Mandos client part */
53
55
#include <sys/types.h> /* socket(), inet_pton() */
54
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
57
struct in6_addr, inet_pton() */
62
64
#include <string.h> /* memset */
63
65
#include <arpa/inet.h> /* inet_pton() */
64
66
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
67
72
#include <errno.h> /* perror() */
68
73
#include <gpgme.h>
69
74
70
// getopt long
71
#include <getopt.h>
72
73
75
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
79
76
80
77
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char mandos_protocol_version[] = "1";
80
const char *argp_program_version = "mandosclient 0.9";
81
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
82
83
/* Used for passing in values through the Avahi callback functions */
84
84
typedef struct {
85
85
AvahiSimplePoll *simple_poll;
86
86
AvahiServer *server;
87
87
gnutls_certificate_credentials_t cred;
88
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
89
90
const char *priority;
90
91
} mandos_context;
91
92
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
93
/*
94
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
95
* "buffer_capacity" is how much is currently allocated,
96
* "buffer_length" is how much is already used.
97
*/
98
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
99
size_t buffer_capacity){
94
100
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
101
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
102
if (buffer == NULL){
97
103
return 0;
98
104
}
101
107
return buffer_capacity;
102
108
}
103
109
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
110
/*
111
* Decrypt OpenPGP data using keyrings in HOMEDIR.
112
* Returns -1 on error
113
*/
114
static ssize_t pgp_packet_decrypt (const char *cryptotext,
115
size_t crypto_size,
116
char **plaintext,
106
117
const char *homedir){
107
118
gpgme_data_t dh_crypto, dh_plain;
108
119
gpgme_ctx_t ctx;
109
120
gpgme_error_t rc;
110
121
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
122
size_t plaintext_capacity = 0;
123
ssize_t plaintext_length = 0;
113
124
gpgme_engine_info_t engine_info;
114
125
115
126
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
127
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
117
128
}
118
129
119
130
/* Init GPGME */
125
136
return -1;
126
137
}
127
138
128
/* Set GPGME home directory */
139
/* Set GPGME home directory for the OpenPGP engine only */
129
140
rc = gpgme_get_engine_info (&engine_info);
130
141
if (rc != GPG_ERR_NO_ERROR){
131
142
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
152
engine_info = engine_info->next;
142
153
}
143
154
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
155
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
145
156
return -1;
146
157
}
147
158
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
159
/* Create new GPGME data buffer from memory cryptotext */
160
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
161
0);
150
162
if (rc != GPG_ERR_NO_ERROR){
151
163
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
164
gpgme_strsource(rc), gpgme_strerror(rc));
158
170
if (rc != GPG_ERR_NO_ERROR){
159
171
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
gpgme_data_release(dh_crypto);
161
174
return -1;
162
175
}
163
176
166
179
if (rc != GPG_ERR_NO_ERROR){
167
180
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
181
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
182
plaintext_length = -1;
183
goto decrypt_end;
170
184
}
171
185
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
186
/* Decrypt data from the cryptotext data buffer to the plaintext
187
data buffer */
174
188
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
189
if (rc != GPG_ERR_NO_ERROR){
176
190
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
191
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
192
plaintext_length = -1;
193
goto decrypt_end;
179
194
}
180
195
181
196
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
197
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
183
198
}
184
199
185
200
if (debug){
186
201
gpgme_decrypt_result_t result;
187
202
result = gpgme_op_decrypt_result(ctx);
211
226
}
212
227
}
213
228
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
217
229
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
230
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
231
perror("pgpme_data_seek");
232
plaintext_length = -1;
233
goto decrypt_end;
220
234
}
221
235
222
*new_packet = 0;
236
*plaintext = NULL;
223
237
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
238
plaintext_capacity = adjustbuffer(plaintext,
239
(size_t)plaintext_length,
240
plaintext_capacity);
241
if (plaintext_capacity == 0){
227
242
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
243
plaintext_length = -1;
244
goto decrypt_end;
231
245
}
232
246
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
247
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
248
BUFFER_SIZE);
235
249
/* Print the data, if any */
236
250
if (ret == 0){
251
/* EOF */
237
252
break;
238
253
}
239
254
if(ret < 0){
240
255
perror("gpgme_data_read");
241
return -1;
256
plaintext_length = -1;
257
goto decrypt_end;
242
258
}
243
new_packet_length += ret;
259
plaintext_length += ret;
244
260
}
245
261
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
262
if(debug){
263
fprintf(stderr, "Decrypted password is: ");
264
for(ssize_t i = 0; i < plaintext_length; i++){
265
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
266
}
267
fprintf(stderr, "\n");
268
}
269
270
decrypt_end:
271
272
/* Delete the GPGME cryptotext data buffer */
273
gpgme_data_release(dh_crypto);
253
274
254
275
/* Delete the GPGME plaintext data buffer */
255
276
gpgme_data_release(dh_plain);
256
return new_packet_length;
277
return plaintext_length;
257
278
}
258
279
259
280
static const char * safer_gnutls_strerror (int value) {
263
284
return ret;
264
285
}
265
286
287
/* GnuTLS log function callback */
266
288
static void debuggnutls(__attribute__((unused)) int level,
267
289
const char* string){
268
fprintf(stderr, "%s", string);
290
fprintf(stderr, "GnuTLS: %s", string);
269
291
}
270
292
271
static int initgnutls(mandos_context *mc){
272
const char *err;
293
static int init_gnutls_global(mandos_context *mc,
294
const char *pubkeyfile,
295
const char *seckeyfile){
273
296
int ret;
274
297
275
298
if(debug){
278
301
279
302
if ((ret = gnutls_global_init ())
280
303
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
fprintf (stderr, "GnuTLS global_init: %s\n",
305
safer_gnutls_strerror(ret));
282
306
return -1;
283
307
}
284
308
285
309
if (debug){
310
/* "Use a log level over 10 to enable all debugging options."
311
* - GnuTLS manual
312
*/
286
313
gnutls_global_set_log_level(11);
287
314
gnutls_global_set_log_function(debuggnutls);
288
315
}
289
316
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
317
/* OpenPGP credentials */
318
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
292
319
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
320
fprintf (stderr, "GnuTLS memory error: %s\n",
294
321
safer_gnutls_strerror(ret));
295
322
return -1;
296
323
}
297
324
298
325
if(debug){
299
326
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
327
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
328
seckeyfile);
302
329
}
303
330
304
331
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
332
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
306
333
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
334
fprintf(stderr,
335
"Error[%d] while reading the OpenPGP key pair ('%s',"
336
" '%s')\n", ret, pubkeyfile, seckeyfile);
337
fprintf(stdout, "The GnuTLS error is: %s\n",
312
338
safer_gnutls_strerror(ret));
313
339
return -1;
314
340
}
315
341
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
342
/* GnuTLS server initialization */
343
ret = gnutls_dh_params_init(&mc->dh_params);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
346
" %s\n", safer_gnutls_strerror(ret));
347
return -1;
348
}
349
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
350
if (ret != GNUTLS_E_SUCCESS) {
351
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
352
safer_gnutls_strerror(ret));
353
return -1;
354
}
355
356
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
357
358
return 0;
359
}
360
361
static int init_gnutls_session(mandos_context *mc,
362
gnutls_session_t *session){
363
int ret;
364
/* GnuTLS session creation */
365
ret = gnutls_init(session, GNUTLS_SERVER);
366
if (ret != GNUTLS_E_SUCCESS){
336
367
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
368
safer_gnutls_strerror(ret));
338
369
}
339
370
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
371
{
372
const char *err;
373
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf(stderr, "Syntax error at: %s\n", err);
376
fprintf(stderr, "GnuTLS error: %s\n",
377
safer_gnutls_strerror(ret));
378
return -1;
379
}
346
380
}
347
381
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
382
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
383
mc->cred);
384
if (ret != GNUTLS_E_SUCCESS) {
385
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
386
safer_gnutls_strerror(ret));
353
387
return -1;
354
388
}
355
389
356
390
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
391
gnutls_certificate_server_set_request (*session,
358
392
GNUTLS_CERT_IGNORE);
359
393
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
394
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
395
362
396
return 0;
363
397
}
364
398
399
/* Avahi log function callback */
365
400
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
401
__attribute__((unused)) const char *txt){}
367
402
403
/* Called when a Mandos server is found */
368
404
static int start_mandos_communication(const char *ip, uint16_t port,
369
405
AvahiIfIndex if_index,
370
406
mandos_context *mc){
371
407
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
408
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
409
char *buffer = NULL;
375
410
char *decrypted_buffer;
376
411
size_t buffer_length = 0;
379
414
size_t written;
380
415
int retval = 0;
381
416
char interface[IF_NAMESIZE];
417
gnutls_session_t session;
418
419
ret = init_gnutls_session (mc, &session);
420
if (ret != 0){
421
return -1;
422
}
382
423
383
424
if(debug){
384
425
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
393
434
394
435
if(debug){
395
436
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
437
perror("if_indextoname");
399
438
return -1;
400
439
}
401
402
440
fprintf(stderr, "Binding to interface %s\n", interface);
403
441
}
404
442
405
443
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
444
to.in6.sin6_family = AF_INET6;
445
/* It would be nice to have a way to detect if we were passed an
446
IPv4 address here. Now we assume an IPv6 address. */
447
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
448
if (ret < 0 ){
409
449
perror("inet_pton");
410
450
return -1;
411
}
451
}
412
452
if(ret == 0){
413
453
fprintf(stderr, "Bad address: %s\n", ip);
414
454
return -1;
415
455
}
416
to.sin6_port = htons(port); /* Spurious warning */
456
to.in6.sin6_port = htons(port); /* Spurious warning */
417
457
418
to.sin6_scope_id = (uint32_t)if_index;
458
to.in6.sin6_scope_id = (uint32_t)if_index;
419
459
420
460
if(debug){
421
461
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
462
char addrstr[INET6_ADDRSTRLEN] = "";
463
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
464
sizeof(addrstr)) == NULL){
465
perror("inet_ntop");
466
} else {
467
if(strcmp(addrstr, ip) != 0){
468
fprintf(stderr, "Canonical address form: %s\n", addrstr);
469
}
470
}
430
471
}
431
472
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
473
ret = connect(tcp_sd, &to.in, sizeof(to));
433
474
if (ret < 0){
434
475
perror("connect");
435
476
return -1;
436
477
}
437
478
438
char *out = mandos_protocol_version;
479
const char *out = mandos_protocol_version;
439
480
written = 0;
440
481
while (true){
441
482
size_t out_size = strlen(out);
444
485
if (ret == -1){
445
486
perror("write");
446
487
retval = -1;
447
goto end;
488
goto mandos_end;
448
489
}
449
written += ret;
490
written += (size_t)ret;
450
491
if(written < out_size){
451
492
continue;
452
493
} else {
459
500
}
460
501
}
461
502
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
471
503
if(debug){
472
504
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
505
}
474
506
475
ret = gnutls_handshake (es.session);
507
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
508
509
ret = gnutls_handshake (session);
476
510
477
511
if (ret != GNUTLS_E_SUCCESS){
478
512
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
513
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
514
gnutls_perror (ret);
481
515
}
482
516
retval = -1;
483
goto exit;
517
goto mandos_end;
484
518
}
485
519
486
//Retrieve OpenPGP packet that contains the wanted password
520
/* Read OpenPGP packet that contains the wanted password */
487
521
488
522
if(debug){
489
523
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
491
525
}
492
526
493
527
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
528
buffer_capacity = adjustbuffer(&buffer, buffer_length,
529
buffer_capacity);
495
530
if (buffer_capacity == 0){
496
531
perror("adjustbuffer");
497
532
retval = -1;
498
goto exit;
533
goto mandos_end;
499
534
}
500
535
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
536
ret = gnutls_record_recv(session, buffer+buffer_length,
537
BUFFER_SIZE);
503
538
if (ret == 0){
504
539
break;
505
540
}
509
544
case GNUTLS_E_AGAIN:
510
545
break;
511
546
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
547
ret = gnutls_handshake (session);
513
548
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
549
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
550
gnutls_perror (ret);
516
551
retval = -1;
517
goto exit;
552
goto mandos_end;
518
553
}
519
554
break;
520
555
default:
521
556
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
557
" encrypted session with Mandos server\n");
523
558
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
559
gnutls_bye (session, GNUTLS_SHUT_RDWR);
560
goto mandos_end;
526
561
}
527
562
} else {
528
563
buffer_length += (size_t) ret;
529
564
}
530
565
}
531
566
567
if(debug){
568
fprintf(stderr, "Closing TLS session\n");
569
}
570
571
gnutls_bye (session, GNUTLS_SHUT_RDWR);
572
532
573
if (buffer_length > 0){
533
574
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
575
buffer_length,
535
576
&decrypted_buffer,
536
certdir);
577
keydir);
537
578
if (decrypted_buffer_size >= 0){
538
579
written = 0;
539
580
while(written < (size_t) decrypted_buffer_size){
555
596
retval = -1;
556
597
}
557
598
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
599
600
/* Shutdown procedure */
601
602
mandos_end:
565
603
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
604
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
605
gnutls_deinit (session);
606
gnutls_certificate_free_credentials (mc->cred);
571
607
gnutls_global_deinit ();
572
608
return retval;
573
609
}
574
610
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
611
static void resolve_callback(AvahiSServiceResolver *r,
612
AvahiIfIndex interface,
613
AVAHI_GCC_UNUSED AvahiProtocol protocol,
614
AvahiResolverEvent event,
615
const char *name,
616
const char *type,
617
const char *domain,
618
const char *host_name,
619
const AvahiAddress *address,
620
uint16_t port,
621
AVAHI_GCC_UNUSED AvahiStringList *txt,
622
AVAHI_GCC_UNUSED AvahiLookupResultFlags
623
flags,
624
void* userdata) {
588
625
mandos_context *mc = userdata;
589
626
assert(r); /* Spurious warning */
590
627
594
631
switch (event) {
595
632
default:
596
633
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
634
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
635
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
636
avahi_strerror(avahi_server_errno(mc->server)));
600
637
break;
601
638
604
641
char ip[AVAHI_ADDRESS_STR_MAX];
605
642
avahi_address_snprint(ip, sizeof(ip), address);
606
643
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
644
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
645
" port %d\n", name, host_name, ip, interface, port);
609
646
}
610
647
int ret = start_mandos_communication(ip, port, interface, mc);
611
648
if (ret == 0){
623
660
const char *name,
624
661
const char *type,
625
662
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
663
AVAHI_GCC_UNUSED AvahiLookupResultFlags
664
flags,
627
665
void* userdata) {
628
666
mandos_context *mc = userdata;
629
667
assert(b); /* Spurious warning */
634
672
switch (event) {
635
673
default:
636
674
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
675
676
fprintf(stderr, "(Avahi browser) %s\n",
639
677
avahi_strerror(avahi_server_errno(mc->server)));
640
678
avahi_simple_poll_quit(mc->simple_poll);
641
679
return;
642
680
643
681
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
682
/* We ignore the returned Avahi resolver object. In the callback
683
function we free it. If the Avahi server is terminated before
684
the callback function is called the Avahi server will free the
685
resolver for us. */
686
687
if (!(avahi_s_service_resolver_new(mc->server, interface,
688
protocol, name, type, domain,
651
689
AVAHI_PROTO_INET6, 0,
652
690
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
691
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
692
name, avahi_strerror(avahi_server_errno(mc->server)));
655
693
break;
656
694
657
695
case AVAHI_BROWSER_REMOVE:
658
696
break;
659
697
660
698
case AVAHI_BROWSER_ALL_FOR_NOW:
661
699
case AVAHI_BROWSER_CACHE_EXHAUSTED:
700
if(debug){
701
fprintf(stderr, "No Mandos server found, still searching...\n");
702
}
662
703
break;
663
704
}
664
705
}
673
714
return NULL;
674
715
}
675
716
if(f_len > 0){
676
memcpy(tmp, first, f_len);
717
memcpy(tmp, first, f_len); /* Spurious warning */
677
718
}
678
719
tmp[f_len] = '/';
679
720
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
721
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
681
722
}
682
723
tmp[f_len + 1 + s_len] = '\0';
683
724
return tmp;
684
725
}
685
726
686
727
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
728
int main(int argc, char *argv[]){
689
729
AvahiSServiceBrowser *sb = NULL;
690
730
int error;
691
731
int ret;
692
int returncode = EXIT_SUCCESS;
732
int exitcode = EXIT_SUCCESS;
693
733
const char *interface = "eth0";
694
734
struct ifreq network;
695
735
int sd;
736
uid_t uid;
737
gid_t gid;
696
738
char *connect_to = NULL;
697
739
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
740
const char *pubkeyfile = "pubkey.txt";
741
const char *seckeyfile = "seckey.txt";
698
742
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
743
.dh_bits = 1024, .priority = "SECURE256"};
700
744
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
745
{
746
struct argp_option options[] = {
747
{ .name = "debug", .key = 128,
748
.doc = "Debug mode", .group = 3 },
749
{ .name = "connect", .key = 'c',
750
.arg = "IP",
751
.doc = "Connect directly to a sepcified mandos server",
752
.group = 1 },
753
{ .name = "interface", .key = 'i',
754
.arg = "INTERFACE",
755
.doc = "Interface that Avahi will conntect through",
756
.group = 1 },
757
{ .name = "keydir", .key = 'd',
758
.arg = "KEYDIR",
759
.doc = "Directory where the openpgp keyring is",
760
.group = 1 },
761
{ .name = "seckey", .key = 's',
762
.arg = "SECKEY",
763
.doc = "Secret openpgp key for gnutls authentication",
764
.group = 1 },
765
{ .name = "pubkey", .key = 'p',
766
.arg = "PUBKEY",
767
.doc = "Public openpgp key for gnutls authentication",
768
.group = 2 },
769
{ .name = "dh-bits", .key = 129,
770
.arg = "BITS",
771
.doc = "dh-bits to use in gnutls communication",
772
.group = 2 },
773
{ .name = "priority", .key = 130,
774
.arg = "PRIORITY",
775
.doc = "GNUTLS priority", .group = 1 },
776
{ .name = NULL }
777
};
778
779
780
error_t parse_opt (int key, char *arg,
781
struct argp_state *state) {
782
/* Get the INPUT argument from `argp_parse', which we know is
783
a pointer to our plugin list pointer. */
784
switch (key) {
785
case 128:
786
debug = true;
787
break;
788
case 'c':
789
connect_to = arg;
790
break;
791
case 'i':
792
interface = arg;
793
break;
794
case 'd':
795
keydir = arg;
796
break;
797
case 's':
798
seckeyfile = arg;
799
break;
800
case 'p':
801
pubkeyfile = arg;
802
break;
803
case 129:
742
804
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
805
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
806
if (errno){
745
807
perror("strtol");
746
808
exit(EXIT_FAILURE);
747
809
}
748
mc.dh_bits = tmp;
810
break;
811
case 130:
812
mc.priority = arg;
813
break;
814
case ARGP_KEY_ARG:
815
argp_usage (state);
816
break;
817
case ARGP_KEY_END:
818
break;
819
default:
820
return ARGP_ERR_UNKNOWN;
749
821
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
822
return 0;
756
823
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
824
825
struct argp argp = { .options = options, .parser = parse_opt,
826
.args_doc = "",
827
.doc = "Mandos client -- Get and decrypt"
828
" passwords from mandos server" };
829
argp_parse (&argp, argc, argv, 0, 0, NULL);
830
}
831
832
pubkeyfile = combinepath(keydir, pubkeyfile);
833
if (pubkeyfile == NULL){
834
perror("combinepath");
835
exitcode = EXIT_FAILURE;
836
goto end;
837
}
838
839
seckeyfile = combinepath(keydir, seckeyfile);
840
if (seckeyfile == NULL){
841
perror("combinepath");
842
goto end;
843
}
844
845
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
846
if (ret == -1){
847
fprintf(stderr, "init_gnutls_global\n");
848
goto end;
849
}
850
851
uid = getuid();
852
gid = getgid();
853
854
ret = setuid(uid);
855
if (ret == -1){
856
perror("setuid");
857
}
858
859
setgid(gid);
860
if (ret == -1){
861
perror("setgid");
771
862
}
772
863
773
864
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
873
char *address = strrchr(connect_to, ':');
783
874
if(address == NULL){
784
875
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
876
exitcode = EXIT_FAILURE;
877
goto end;
786
878
}
787
879
errno = 0;
788
880
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
881
if(errno){
790
882
perror("Bad port number");
791
exit(EXIT_FAILURE);
883
exitcode = EXIT_FAILURE;
884
goto end;
792
885
}
793
886
*address = '\0';
794
887
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
888
ret = start_mandos_communication(address, port, if_index, &mc);
796
889
if(ret < 0){
797
exit(EXIT_FAILURE);
890
exitcode = EXIT_FAILURE;
798
891
} else {
799
exit(EXIT_SUCCESS);
892
exitcode = EXIT_SUCCESS;
800
893
}
894
goto end;
801
895
}
802
896
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
897
/* If the interface is down, bring it up */
898
{
899
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
900
if(sd < 0) {
901
perror("socket");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
strcpy(network.ifr_name, interface); /* Spurious warning */
906
ret = ioctl(sd, SIOCGIFFLAGS, &network);
820
907
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
908
perror("ioctl SIOCGIFFLAGS");
909
exitcode = EXIT_FAILURE;
910
goto end;
911
}
912
if((network.ifr_flags & IFF_UP) == 0){
913
network.ifr_flags |= IFF_UP;
914
ret = ioctl(sd, SIOCSIFFLAGS, &network);
915
if(ret == -1){
916
perror("ioctl SIOCSIFFLAGS");
917
exitcode = EXIT_FAILURE;
918
goto end;
919
}
920
}
921
close(sd);
825
922
}
826
close(sd);
827
923
828
924
if (not debug){
829
925
avahi_set_log_function(empty_log);
830
926
}
831
927
832
/* Initialize the psuedo-RNG */
928
/* Initialize the pseudo-RNG for Avahi */
833
929
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
930
931
/* Allocate main Avahi loop object */
932
mc.simple_poll = avahi_simple_poll_new();
933
if (mc.simple_poll == NULL) {
934
fprintf(stderr, "Avahi: Failed to create simple poll"
935
" object.\n");
936
exitcode = EXIT_FAILURE;
937
goto end;
938
}
939
940
{
941
AvahiServerConfig config;
942
/* Do not publish any local Zeroconf records */
943
avahi_server_config_init(&config);
944
config.publish_hinfo = 0;
945
config.publish_addresses = 0;
946
config.publish_workstation = 0;
947
config.publish_domain = 0;
948
949
/* Allocate a new server */
950
mc.server = avahi_server_new(avahi_simple_poll_get
951
(mc.simple_poll), &config, NULL,
952
NULL, &error);
953
954
/* Free the Avahi configuration data */
955
avahi_server_config_free(&config);
956
}
957
958
/* Check if creating the Avahi server object succeeded */
959
if (mc.server == NULL) {
960
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
961
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
962
exitcode = EXIT_FAILURE;
963
goto end;
862
964
}
863
965
864
/* Create the service browser */
966
/* Create the Avahi service browser */
865
967
sb = avahi_s_service_browser_new(mc.server, if_index,
866
968
AVAHI_PROTO_INET6,
867
969
"_mandos._tcp", NULL, 0,
868
970
browse_callback, &mc);
869
if (!sb) {
971
if (sb == NULL) {
870
972
fprintf(stderr, "Failed to create service browser: %s\n",
871
973
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
974
exitcode = EXIT_FAILURE;
975
goto end;
874
976
}
875
977
876
978
/* Run the main loop */
877
979
878
980
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
981
fprintf(stderr, "Starting Avahi loop search\n");
880
982
}
881
983
882
avahi_simple_poll_loop(simple_poll);
984
avahi_simple_poll_loop(mc.simple_poll);
883
985
884
exit:
986
end:
885
987
886
988
if (debug){
887
989
fprintf(stderr, "%s exiting\n", argv[0]);
888
990
}
889
991
890
992
/* Cleanup things */
891
if (sb)
993
if (sb != NULL)
892
994
avahi_s_service_browser_free(sb);
893
995
894
if (mc.server)
996
if (mc.server != NULL)
895
997
avahi_server_free(mc.server);
896
998
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
999
if (mc.simple_poll != NULL)
1000
avahi_simple_poll_free(mc.simple_poll);
1001
free(pubkeyfile);
1002
free(seckeyfile);
901
1003
902
return returncode;
1004
return exitcode;
903
1005
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0