(root)/mandos/trunk
» Revision
24.1.34
(compared to revision 24.1.11)
: plugins.d/password-request.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 24.1.34
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.34
- Committer: Björn Påhlsson
- Date: 2008-08-10 00:07:55 UTC
- mfrom: (57 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 58.
- Revision ID: belorn@braxen-20080810000755-8njs8ag58cos29rh
merge
- files added:
- mandos-client.xml
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- plugbasedclient.c => mandos-client.c
- server.conf => mandos.conf
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- plugins.d/mandosclient.c => plugins.d/password-request.c
- files modified:
- Makefile
added
removed
plugins.d/password-request.c
34
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <assert.h> /* assert() */
57
#include <errno.h> /* perror(), errno */
58
#include <time.h> /* time() */
59
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
60
SIOCSIFFLAGS, if_indextoname(),
61
if_nametoindex(), IF_NAMESIZE */
62
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
63
getuid(), getgid(), setuid(),
64
setgid() */
65
#include <netinet/in.h>
66
#include <arpa/inet.h> /* inet_pton(), htons */
67
#include <iso646.h> /* not, and */
68
#include <argp.h> /* struct argp_option, error_t, struct
69
argp_state, struct argp,
70
argp_parse(), ARGP_KEY_ARG,
71
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
44
72
73
/* Avahi */
74
/* All Avahi types, constants and functions
75
Avahi*, avahi_*,
76
AVAHI_* */
45
77
#include <avahi-core/core.h>
46
78
#include <avahi-core/lookup.h>
47
79
#include <avahi-core/log.h>
49
81
#include <avahi-common/malloc.h>
50
82
#include <avahi-common/error.h>
51
83
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
84
/* GnuTLS */
85
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and functions
94
gpgme_*
95
GPGME_PROTOCOL_OpenPGP,
96
GPG_ERR_NO_* */
72
97
73
98
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
79
99
80
100
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
101
static const char *keydir = "/conf/conf.d/mandos";
102
static const char mandos_protocol_version[] = "1";
103
const char *argp_program_version = "mandosclient 0.9";
104
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
105
106
/* Used for passing in values through the Avahi callback functions */
84
107
typedef struct {
85
108
AvahiSimplePoll *simple_poll;
86
109
AvahiServer *server;
87
110
gnutls_certificate_credentials_t cred;
88
111
unsigned int dh_bits;
112
gnutls_dh_params_t dh_params;
89
113
const char *priority;
90
114
} mandos_context;
91
115
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
116
/*
117
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
118
* "buffer_capacity" is how much is currently allocated,
119
* "buffer_length" is how much is already used.
120
*/
121
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
122
size_t buffer_capacity){
94
123
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
124
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
125
if (buffer == NULL){
97
126
return 0;
98
127
}
101
130
return buffer_capacity;
102
131
}
103
132
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
133
/*
134
* Decrypt OpenPGP data using keyrings in HOMEDIR.
135
* Returns -1 on error
136
*/
137
static ssize_t pgp_packet_decrypt (const char *cryptotext,
138
size_t crypto_size,
139
char **plaintext,
106
140
const char *homedir){
107
141
gpgme_data_t dh_crypto, dh_plain;
108
142
gpgme_ctx_t ctx;
109
143
gpgme_error_t rc;
110
144
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
145
size_t plaintext_capacity = 0;
146
ssize_t plaintext_length = 0;
113
147
gpgme_engine_info_t engine_info;
114
148
115
149
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
150
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
117
151
}
118
152
119
153
/* Init GPGME */
125
159
return -1;
126
160
}
127
161
128
/* Set GPGME home directory */
162
/* Set GPGME home directory for the OpenPGP engine only */
129
163
rc = gpgme_get_engine_info (&engine_info);
130
164
if (rc != GPG_ERR_NO_ERROR){
131
165
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
175
engine_info = engine_info->next;
142
176
}
143
177
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
178
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
145
179
return -1;
146
180
}
147
181
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
182
/* Create new GPGME data buffer from memory cryptotext */
183
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
184
0);
150
185
if (rc != GPG_ERR_NO_ERROR){
151
186
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
187
gpgme_strsource(rc), gpgme_strerror(rc));
158
193
if (rc != GPG_ERR_NO_ERROR){
159
194
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
gpgme_data_release(dh_crypto);
161
197
return -1;
162
198
}
163
199
166
202
if (rc != GPG_ERR_NO_ERROR){
167
203
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
204
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
205
plaintext_length = -1;
206
goto decrypt_end;
170
207
}
171
208
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
209
/* Decrypt data from the cryptotext data buffer to the plaintext
210
data buffer */
174
211
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
212
if (rc != GPG_ERR_NO_ERROR){
176
213
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
214
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
215
plaintext_length = -1;
216
goto decrypt_end;
179
217
}
180
218
181
219
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
220
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
183
221
}
184
222
185
223
if (debug){
186
224
gpgme_decrypt_result_t result;
187
225
result = gpgme_op_decrypt_result(ctx);
211
249
}
212
250
}
213
251
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
217
252
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
253
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
254
perror("pgpme_data_seek");
255
plaintext_length = -1;
256
goto decrypt_end;
220
257
}
221
258
222
*new_packet = 0;
259
*plaintext = NULL;
223
260
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
261
plaintext_capacity = adjustbuffer(plaintext,
262
(size_t)plaintext_length,
263
plaintext_capacity);
264
if (plaintext_capacity == 0){
227
265
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
266
plaintext_length = -1;
267
goto decrypt_end;
231
268
}
232
269
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
271
BUFFER_SIZE);
235
272
/* Print the data, if any */
236
273
if (ret == 0){
274
/* EOF */
237
275
break;
238
276
}
239
277
if(ret < 0){
240
278
perror("gpgme_data_read");
241
return -1;
279
plaintext_length = -1;
280
goto decrypt_end;
242
281
}
243
new_packet_length += ret;
282
plaintext_length += ret;
244
283
}
245
284
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
285
if(debug){
286
fprintf(stderr, "Decrypted password is: ");
287
for(ssize_t i = 0; i < plaintext_length; i++){
288
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
289
}
290
fprintf(stderr, "\n");
291
}
292
293
decrypt_end:
294
295
/* Delete the GPGME cryptotext data buffer */
296
gpgme_data_release(dh_crypto);
253
297
254
298
/* Delete the GPGME plaintext data buffer */
255
299
gpgme_data_release(dh_plain);
256
return new_packet_length;
300
return plaintext_length;
257
301
}
258
302
259
303
static const char * safer_gnutls_strerror (int value) {
263
307
return ret;
264
308
}
265
309
310
/* GnuTLS log function callback */
266
311
static void debuggnutls(__attribute__((unused)) int level,
267
312
const char* string){
268
fprintf(stderr, "%s", string);
313
fprintf(stderr, "GnuTLS: %s", string);
269
314
}
270
315
271
static int initgnutls(mandos_context *mc){
272
const char *err;
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfile,
318
const char *seckeyfile){
273
319
int ret;
274
320
275
321
if(debug){
276
322
fprintf(stderr, "Initializing GnuTLS\n");
277
323
}
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
324
325
ret = gnutls_global_init();
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
282
329
return -1;
283
330
}
284
331
285
332
if (debug){
333
/* "Use a log level over 10 to enable all debugging options."
334
* - GnuTLS manual
335
*/
286
336
gnutls_global_set_log_level(11);
287
337
gnutls_global_set_log_function(debuggnutls);
288
338
}
289
339
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
340
/* OpenPGP credentials */
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n",
294
344
safer_gnutls_strerror(ret));
345
gnutls_global_deinit ();
295
346
return -1;
296
347
}
297
348
298
349
if(debug){
299
350
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
351
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
352
seckeyfile);
302
353
}
303
354
304
355
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
356
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
306
357
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
358
fprintf(stderr,
359
"Error[%d] while reading the OpenPGP key pair ('%s',"
360
" '%s')\n", ret, pubkeyfile, seckeyfile);
361
fprintf(stdout, "The GnuTLS error is: %s\n",
312
362
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
363
goto globalfail;
364
}
365
366
/* GnuTLS server initialization */
367
ret = gnutls_dh_params_init(&mc->dh_params);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
370
" %s\n", safer_gnutls_strerror(ret));
371
goto globalfail;
372
}
373
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
376
safer_gnutls_strerror(ret));
377
goto globalfail;
378
}
379
380
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
381
382
return 0;
383
384
globalfail:
385
386
gnutls_certificate_free_credentials(mc->cred);
387
gnutls_global_deinit();
388
return -1;
389
390
}
391
392
static int init_gnutls_session(mandos_context *mc,
393
gnutls_session_t *session){
394
int ret;
395
/* GnuTLS session creation */
396
ret = gnutls_init(session, GNUTLS_SERVER);
397
if (ret != GNUTLS_E_SUCCESS){
336
398
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
399
safer_gnutls_strerror(ret));
338
400
}
339
401
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
402
{
403
const char *err;
404
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
405
if (ret != GNUTLS_E_SUCCESS) {
406
fprintf(stderr, "Syntax error at: %s\n", err);
407
fprintf(stderr, "GnuTLS error: %s\n",
408
safer_gnutls_strerror(ret));
409
gnutls_deinit (*session);
410
return -1;
411
}
346
412
}
347
413
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
414
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
415
mc->cred);
416
if (ret != GNUTLS_E_SUCCESS) {
417
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
418
safer_gnutls_strerror(ret));
419
gnutls_deinit (*session);
353
420
return -1;
354
421
}
355
422
356
423
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
424
gnutls_certificate_server_set_request (*session,
358
425
GNUTLS_CERT_IGNORE);
359
426
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
427
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
428
362
429
return 0;
363
430
}
364
431
432
/* Avahi log function callback */
365
433
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
434
__attribute__((unused)) const char *txt){}
367
435
436
/* Called when a Mandos server is found */
368
437
static int start_mandos_communication(const char *ip, uint16_t port,
369
438
AvahiIfIndex if_index,
370
439
mandos_context *mc){
371
440
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
441
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
442
char *buffer = NULL;
375
443
char *decrypted_buffer;
376
444
size_t buffer_length = 0;
379
447
size_t written;
380
448
int retval = 0;
381
449
char interface[IF_NAMESIZE];
450
gnutls_session_t session;
451
452
ret = init_gnutls_session (mc, &session);
453
if (ret != 0){
454
return -1;
455
}
382
456
383
457
if(debug){
384
458
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
393
467
394
468
if(debug){
395
469
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
470
perror("if_indextoname");
399
471
return -1;
400
472
}
401
402
473
fprintf(stderr, "Binding to interface %s\n", interface);
403
474
}
404
475
405
476
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
477
to.in6.sin6_family = AF_INET6;
478
/* It would be nice to have a way to detect if we were passed an
479
IPv4 address here. Now we assume an IPv6 address. */
480
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
481
if (ret < 0 ){
409
482
perror("inet_pton");
410
483
return -1;
411
}
484
}
412
485
if(ret == 0){
413
486
fprintf(stderr, "Bad address: %s\n", ip);
414
487
return -1;
415
488
}
416
to.sin6_port = htons(port); /* Spurious warning */
489
to.in6.sin6_port = htons(port); /* Spurious warning */
417
490
418
to.sin6_scope_id = (uint32_t)if_index;
491
to.in6.sin6_scope_id = (uint32_t)if_index;
419
492
420
493
if(debug){
421
494
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
495
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
497
sizeof(addrstr)) == NULL){
498
perror("inet_ntop");
499
} else {
500
if(strcmp(addrstr, ip) != 0){
501
fprintf(stderr, "Canonical address form: %s\n", addrstr);
502
}
503
}
430
504
}
431
505
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
506
ret = connect(tcp_sd, &to.in, sizeof(to));
433
507
if (ret < 0){
434
508
perror("connect");
435
509
return -1;
436
510
}
437
511
438
char *out = mandos_protocol_version;
512
const char *out = mandos_protocol_version;
439
513
written = 0;
440
514
while (true){
441
515
size_t out_size = strlen(out);
444
518
if (ret == -1){
445
519
perror("write");
446
520
retval = -1;
447
goto end;
521
goto mandos_end;
448
522
}
449
written += ret;
523
written += (size_t)ret;
450
524
if(written < out_size){
451
525
continue;
452
526
} else {
459
533
}
460
534
}
461
535
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
471
536
if(debug){
472
537
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
538
}
474
539
475
ret = gnutls_handshake (es.session);
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
476
545
477
546
if (ret != GNUTLS_E_SUCCESS){
478
547
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
549
gnutls_perror (ret);
481
550
}
482
551
retval = -1;
483
goto exit;
552
goto mandos_end;
484
553
}
485
554
486
//Retrieve OpenPGP packet that contains the wanted password
555
/* Read OpenPGP packet that contains the wanted password */
487
556
488
557
if(debug){
489
558
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
491
560
}
492
561
493
562
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
495
565
if (buffer_capacity == 0){
496
566
perror("adjustbuffer");
497
567
retval = -1;
498
goto exit;
568
goto mandos_end;
499
569
}
500
570
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
571
ret = gnutls_record_recv(session, buffer+buffer_length,
572
BUFFER_SIZE);
503
573
if (ret == 0){
504
574
break;
505
575
}
509
579
case GNUTLS_E_AGAIN:
510
580
break;
511
581
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
513
585
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
587
gnutls_perror (ret);
516
588
retval = -1;
517
goto exit;
589
goto mandos_end;
518
590
}
519
591
break;
520
592
default:
521
593
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
594
" encrypted session with Mandos server\n");
523
595
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
596
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
526
598
}
527
599
} else {
528
600
buffer_length += (size_t) ret;
529
601
}
530
602
}
531
603
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
532
610
if (buffer_length > 0){
533
611
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
612
buffer_length,
535
613
&decrypted_buffer,
536
certdir);
614
keydir);
537
615
if (decrypted_buffer_size >= 0){
538
616
written = 0;
539
617
while(written < (size_t) decrypted_buffer_size){
555
633
retval = -1;
556
634
}
557
635
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
636
637
/* Shutdown procedure */
638
639
mandos_end:
565
640
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
641
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
642
gnutls_deinit (session);
572
643
return retval;
573
644
}
574
645
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
646
static void resolve_callback(AvahiSServiceResolver *r,
647
AvahiIfIndex interface,
648
AVAHI_GCC_UNUSED AvahiProtocol protocol,
649
AvahiResolverEvent event,
650
const char *name,
651
const char *type,
652
const char *domain,
653
const char *host_name,
654
const AvahiAddress *address,
655
uint16_t port,
656
AVAHI_GCC_UNUSED AvahiStringList *txt,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
588
660
mandos_context *mc = userdata;
589
661
assert(r); /* Spurious warning */
590
662
594
666
switch (event) {
595
667
default:
596
668
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
671
avahi_strerror(avahi_server_errno(mc->server)));
600
672
break;
601
673
604
676
char ip[AVAHI_ADDRESS_STR_MAX];
605
677
avahi_address_snprint(ip, sizeof(ip), address);
606
678
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
680
" port %d\n", name, host_name, ip, interface, port);
609
681
}
610
682
int ret = start_mandos_communication(ip, port, interface, mc);
611
683
if (ret == 0){
623
695
const char *name,
624
696
const char *type,
625
697
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
698
AVAHI_GCC_UNUSED AvahiLookupResultFlags
699
flags,
627
700
void* userdata) {
628
701
mandos_context *mc = userdata;
629
702
assert(b); /* Spurious warning */
634
707
switch (event) {
635
708
default:
636
709
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
710
711
fprintf(stderr, "(Avahi browser) %s\n",
639
712
avahi_strerror(avahi_server_errno(mc->server)));
640
713
avahi_simple_poll_quit(mc->simple_poll);
641
714
return;
642
715
643
716
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
717
/* We ignore the returned Avahi resolver object. In the callback
718
function we free it. If the Avahi server is terminated before
719
the callback function is called the Avahi server will free the
720
resolver for us. */
721
722
if (!(avahi_s_service_resolver_new(mc->server, interface,
723
protocol, name, type, domain,
651
724
AVAHI_PROTO_INET6, 0,
652
725
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
726
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
727
name, avahi_strerror(avahi_server_errno(mc->server)));
655
728
break;
656
729
657
730
case AVAHI_BROWSER_REMOVE:
658
731
break;
659
732
660
733
case AVAHI_BROWSER_ALL_FOR_NOW:
661
734
case AVAHI_BROWSER_CACHE_EXHAUSTED:
735
if(debug){
736
fprintf(stderr, "No Mandos server found, still searching...\n");
737
}
662
738
break;
663
739
}
664
740
}
673
749
return NULL;
674
750
}
675
751
if(f_len > 0){
676
memcpy(tmp, first, f_len);
752
memcpy(tmp, first, f_len); /* Spurious warning */
677
753
}
678
754
tmp[f_len] = '/';
679
755
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
756
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
681
757
}
682
758
tmp[f_len + 1 + s_len] = '\0';
683
759
return tmp;
684
760
}
685
761
686
762
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
763
int main(int argc, char *argv[]){
689
764
AvahiSServiceBrowser *sb = NULL;
690
765
int error;
691
766
int ret;
692
int returncode = EXIT_SUCCESS;
767
int exitcode = EXIT_SUCCESS;
693
768
const char *interface = "eth0";
694
769
struct ifreq network;
695
770
int sd;
771
uid_t uid;
772
gid_t gid;
696
773
char *connect_to = NULL;
697
774
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
775
const char *pubkeyfile = "pubkey.txt";
776
const char *seckeyfile = "seckey.txt";
698
777
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
778
.dh_bits = 1024, .priority = "SECURE256"};
779
bool gnutls_initalized = false;
700
780
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
781
{
782
struct argp_option options[] = {
783
{ .name = "debug", .key = 128,
784
.doc = "Debug mode", .group = 3 },
785
{ .name = "connect", .key = 'c',
786
.arg = "IP",
787
.doc = "Connect directly to a sepcified mandos server",
788
.group = 1 },
789
{ .name = "interface", .key = 'i',
790
.arg = "INTERFACE",
791
.doc = "Interface that Avahi will conntect through",
792
.group = 1 },
793
{ .name = "keydir", .key = 'd',
794
.arg = "KEYDIR",
795
.doc = "Directory where the openpgp keyring is",
796
.group = 1 },
797
{ .name = "seckey", .key = 's',
798
.arg = "SECKEY",
799
.doc = "Secret openpgp key for gnutls authentication",
800
.group = 1 },
801
{ .name = "pubkey", .key = 'p',
802
.arg = "PUBKEY",
803
.doc = "Public openpgp key for gnutls authentication",
804
.group = 2 },
805
{ .name = "dh-bits", .key = 129,
806
.arg = "BITS",
807
.doc = "dh-bits to use in gnutls communication",
808
.group = 2 },
809
{ .name = "priority", .key = 130,
810
.arg = "PRIORITY",
811
.doc = "GNUTLS priority", .group = 1 },
812
{ .name = NULL }
813
};
814
815
816
error_t parse_opt (int key, char *arg,
817
struct argp_state *state) {
818
/* Get the INPUT argument from `argp_parse', which we know is
819
a pointer to our plugin list pointer. */
820
switch (key) {
821
case 128:
822
debug = true;
823
break;
824
case 'c':
825
connect_to = arg;
826
break;
827
case 'i':
828
interface = arg;
829
break;
830
case 'd':
831
keydir = arg;
832
break;
833
case 's':
834
seckeyfile = arg;
835
break;
836
case 'p':
837
pubkeyfile = arg;
838
break;
839
case 129:
742
840
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
841
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
842
if (errno){
745
843
perror("strtol");
746
844
exit(EXIT_FAILURE);
747
845
}
748
mc.dh_bits = tmp;
846
break;
847
case 130:
848
mc.priority = arg;
849
break;
850
case ARGP_KEY_ARG:
851
argp_usage (state);
852
break;
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
749
857
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unkown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
}
872
873
pubkeyfile = combinepath(keydir, pubkeyfile);
874
if (pubkeyfile == NULL){
875
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
878
}
879
880
seckeyfile = combinepath(keydir, seckeyfile);
881
if (seckeyfile == NULL){
882
perror("combinepath");
883
goto end;
884
}
885
886
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
887
if (ret == -1){
888
fprintf(stderr, "init_gnutls_global\n");
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
uid = getuid();
895
gid = getgid();
896
897
ret = setuid(uid);
898
if (ret == -1){
899
perror("setuid");
900
}
901
902
setgid(gid);
903
if (ret == -1){
904
perror("setgid");
771
905
}
772
906
773
907
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
916
char *address = strrchr(connect_to, ':');
783
917
if(address == NULL){
784
918
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
919
exitcode = EXIT_FAILURE;
920
goto end;
786
921
}
787
922
errno = 0;
788
923
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
924
if(errno){
790
925
perror("Bad port number");
791
exit(EXIT_FAILURE);
926
exitcode = EXIT_FAILURE;
927
goto end;
792
928
}
793
929
*address = '\0';
794
930
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
931
ret = start_mandos_communication(address, port, if_index, &mc);
796
932
if(ret < 0){
797
exit(EXIT_FAILURE);
933
exitcode = EXIT_FAILURE;
798
934
} else {
799
exit(EXIT_SUCCESS);
935
exitcode = EXIT_SUCCESS;
800
936
}
937
goto end;
801
938
}
802
939
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
940
/* If the interface is down, bring it up */
941
{
942
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
943
if(sd < 0) {
944
perror("socket");
945
exitcode = EXIT_FAILURE;
946
goto end;
947
}
948
strcpy(network.ifr_name, interface); /* Spurious warning */
949
ret = ioctl(sd, SIOCGIFFLAGS, &network);
820
950
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
951
perror("ioctl SIOCGIFFLAGS");
952
exitcode = EXIT_FAILURE;
953
goto end;
954
}
955
if((network.ifr_flags & IFF_UP) == 0){
956
network.ifr_flags |= IFF_UP;
957
ret = ioctl(sd, SIOCSIFFLAGS, &network);
958
if(ret == -1){
959
perror("ioctl SIOCSIFFLAGS");
960
exitcode = EXIT_FAILURE;
961
goto end;
962
}
963
}
964
close(sd);
825
965
}
826
close(sd);
827
966
828
967
if (not debug){
829
968
avahi_set_log_function(empty_log);
830
969
}
831
970
832
/* Initialize the psuedo-RNG */
971
/* Initialize the pseudo-RNG for Avahi */
833
972
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
1004
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
1005
exitcode = EXIT_FAILURE;
1006
goto end;
862
1007
}
863
1008
864
/* Create the service browser */
1009
/* Create the Avahi service browser */
865
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
866
1011
AVAHI_PROTO_INET6,
867
1012
"_mandos._tcp", NULL, 0,
868
1013
browse_callback, &mc);
869
if (!sb) {
1014
if (sb == NULL) {
870
1015
fprintf(stderr, "Failed to create service browser: %s\n",
871
1016
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
1017
exitcode = EXIT_FAILURE;
1018
goto end;
874
1019
}
875
1020
876
1021
/* Run the main loop */
877
1022
878
1023
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
1024
fprintf(stderr, "Starting Avahi loop search\n");
880
1025
}
881
1026
882
avahi_simple_poll_loop(simple_poll);
1027
avahi_simple_poll_loop(mc.simple_poll);
883
1028
884
exit:
1029
end:
885
1030
886
1031
if (debug){
887
1032
fprintf(stderr, "%s exiting\n", argv[0]);
888
1033
}
889
1034
890
1035
/* Cleanup things */
891
if (sb)
1036
if (sb != NULL)
892
1037
avahi_s_service_browser_free(sb);
893
1038
894
if (mc.server)
1039
if (mc.server != NULL)
895
1040
avahi_server_free(mc.server);
896
1041
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfile);
1045
free(seckeyfile);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
901
1051
902
return returncode;
1052
return exitcode;
903
1053
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0