/mandos/trunk : revision 24.1.38

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Björn Påhlsson
Date: 2008-08-10 01:10:04 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 59.
Revision ID: belorn@braxen-20080810011004-4ngszt5wxu3opctk

changed description to better fit role

files added:
mandos-client.c

mandos-client.xml

mandos-clients.conf.xml

mandos.conf

mandos.conf.xml

mandos.xml

network-protocol.txt

plugins.d

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

client.cpp

crl.pem

key.pem

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* <http://avahi.org/browser/examples/core-browse-services.c>. This

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), memcpy(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

IFF_UP */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/simple-watch.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and functions

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

#define BUFFER_SIZE 256

100

bool debug = false;

101

static const char *keydir = "/conf/conf.d/mandos";

102

static const char mandos_protocol_version[] = "1";

103

const char *argp_program_version = "password-request 1.0";

104

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

105

106

/* Used for passing in values through the Avahi callback functions */

107

typedef struct {

108

AvahiSimplePoll *simple_poll;

109

AvahiServer *server;

110

gnutls_certificate_credentials_t cred;

111

unsigned int dh_bits;

112

gnutls_dh_params_t dh_params;

113

const char *priority;

114

} mandos_context;

115

116

117

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

118

* "buffer_capacity" is how much is currently allocated,

119

* "buffer_length" is how much is already used.

120

121

size_t adjustbuffer(char **buffer, size_t buffer_length,

122

size_t buffer_capacity){

123

if (buffer_length + BUFFER_SIZE > buffer_capacity){

124

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

125

if (buffer == NULL){

126

return 0;

127

}

128

buffer_capacity += BUFFER_SIZE;

129

}

130

return buffer_capacity;

131

}

132

133

134

* Decrypt OpenPGP data using keyrings in HOMEDIR.

135

* Returns -1 on error

136

137

static ssize_t pgp_packet_decrypt (const char *cryptotext,

138

size_t crypto_size,

139

char **plaintext,

140

const char *homedir){

141

gpgme_data_t dh_crypto, dh_plain;

142

gpgme_ctx_t ctx;

143

gpgme_error_t rc;

144

ssize_t ret;

145

size_t plaintext_capacity = 0;

146

ssize_t plaintext_length = 0;

147

gpgme_engine_info_t engine_info;

148

149

if (debug){

150

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

151

}

152

153

/* Init GPGME */

154

gpgme_check_version(NULL);

155

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

156

if (rc != GPG_ERR_NO_ERROR){

157

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

158

gpgme_strsource(rc), gpgme_strerror(rc));

159

return -1;

160

}

161

162

/* Set GPGME home directory for the OpenPGP engine only */

163

rc = gpgme_get_engine_info (&engine_info);

164

if (rc != GPG_ERR_NO_ERROR){

165

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

166

gpgme_strsource(rc), gpgme_strerror(rc));

167

return -1;

168

}

169

while(engine_info != NULL){

170

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

171

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

172

engine_info->file_name, homedir);

173

break;

174

}

175

engine_info = engine_info->next;

176

}

177

if(engine_info == NULL){

178

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

179

return -1;

180

}

181

182

/* Create new GPGME data buffer from memory cryptotext */

183

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

184

0);

185

if (rc != GPG_ERR_NO_ERROR){

186

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

187

gpgme_strsource(rc), gpgme_strerror(rc));

188

return -1;

189

}

190

191

/* Create new empty GPGME data buffer for the plaintext */

192

rc = gpgme_data_new(&dh_plain);

193

if (rc != GPG_ERR_NO_ERROR){

194

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

195

gpgme_strsource(rc), gpgme_strerror(rc));

196

gpgme_data_release(dh_crypto);

197

return -1;

198

}

199

200

/* Create new GPGME "context" */

201

rc = gpgme_new(&ctx);

202

if (rc != GPG_ERR_NO_ERROR){

203

fprintf(stderr, "bad gpgme_new: %s: %s\n",

204

gpgme_strsource(rc), gpgme_strerror(rc));

205

plaintext_length = -1;

206

goto decrypt_end;

207

}

208

209

/* Decrypt data from the cryptotext data buffer to the plaintext

210

data buffer */

211

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

212

if (rc != GPG_ERR_NO_ERROR){

213

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

214

gpgme_strsource(rc), gpgme_strerror(rc));

215

plaintext_length = -1;

216

goto decrypt_end;

217

}

218

219

if(debug){

220

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

221

}

222

223

if (debug){

224

gpgme_decrypt_result_t result;

225

result = gpgme_op_decrypt_result(ctx);

226

if (result == NULL){

227

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

228

} else {

229

fprintf(stderr, "Unsupported algorithm: %s\n",

230

result->unsupported_algorithm);

231

fprintf(stderr, "Wrong key usage: %d\n",

232

result->wrong_key_usage);

233

if(result->file_name != NULL){

234

fprintf(stderr, "File name: %s\n", result->file_name);

235

}

236

gpgme_recipient_t recipient;

237

recipient = result->recipients;

238

if(recipient){

239

while(recipient != NULL){

240

fprintf(stderr, "Public key algorithm: %s\n",

241

gpgme_pubkey_algo_name(recipient->pubkey_algo));

242

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

243

fprintf(stderr, "Secret key available: %s\n",

244

recipient->status == GPG_ERR_NO_SECKEY

245

? "No" : "Yes");

246

recipient = recipient->next;

247

}

248

}

249

}

250

}

251

252

/* Seek back to the beginning of the GPGME plaintext data buffer */

253

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

254

perror("pgpme_data_seek");

255

plaintext_length = -1;

256

goto decrypt_end;

257

}

258

259

*plaintext = NULL;

260

while(true){

261

plaintext_capacity = adjustbuffer(plaintext,

262

(size_t)plaintext_length,

263

plaintext_capacity);

264

if (plaintext_capacity == 0){

265

perror("adjustbuffer");

266

plaintext_length = -1;

267

goto decrypt_end;

268

}

269

270

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

271

BUFFER_SIZE);

272

/* Print the data, if any */

273

if (ret == 0){

274

/* EOF */

275

break;

276

}

277

if(ret < 0){

278

perror("gpgme_data_read");

279

plaintext_length = -1;

280

goto decrypt_end;

281

}

282

plaintext_length += ret;

283

}

284

285

if(debug){

286

fprintf(stderr, "Decrypted password is: ");

287

for(ssize_t i = 0; i < plaintext_length; i++){

288

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

289

}

290

fprintf(stderr, "\n");

291

}

292

293

decrypt_end:

294

295

/* Delete the GPGME cryptotext data buffer */

296

gpgme_data_release(dh_crypto);

297

298

/* Delete the GPGME plaintext data buffer */

299

gpgme_data_release(dh_plain);

300

return plaintext_length;

301

}

302

303

static const char * safer_gnutls_strerror (int value) {

304

const char *ret = gnutls_strerror (value);

305

if (ret == NULL)

306

ret = "(unknown)";

307

return ret;

308

}

309

310

/* GnuTLS log function callback */

311

static void debuggnutls(__attribute__((unused)) int level,

312

const char* string){

313

fprintf(stderr, "GnuTLS: %s", string);

314

}

315

316

static int init_gnutls_global(mandos_context *mc,

317

const char *pubkeyfile,

318

const char *seckeyfile){

319

int ret;

320

321

if(debug){

322

fprintf(stderr, "Initializing GnuTLS\n");

323

}

324

325

ret = gnutls_global_init();

326

if (ret != GNUTLS_E_SUCCESS) {

327

fprintf (stderr, "GnuTLS global_init: %s\n",

328

safer_gnutls_strerror(ret));

329

return -1;

330

}

331

332

if (debug){

333

/* "Use a log level over 10 to enable all debugging options."

334

* - GnuTLS manual

335

336

gnutls_global_set_log_level(11);

337

gnutls_global_set_log_function(debuggnutls);

338

}

339

340

/* OpenPGP credentials */

341

gnutls_certificate_allocate_credentials(&mc->cred);

342

if (ret != GNUTLS_E_SUCCESS){

343

fprintf (stderr, "GnuTLS memory error: %s\n",

344

safer_gnutls_strerror(ret));

345

gnutls_global_deinit ();

346

return -1;

347

}

348

349

if(debug){

350

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

351

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

352

seckeyfile);

353

}

354

355

ret = gnutls_certificate_set_openpgp_key_file

356

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

357

if (ret != GNUTLS_E_SUCCESS) {

358

fprintf(stderr,

359

"Error[%d] while reading the OpenPGP key pair ('%s',"

360

" '%s')\n", ret, pubkeyfile, seckeyfile);

361

fprintf(stdout, "The GnuTLS error is: %s\n",

362

safer_gnutls_strerror(ret));

363

goto globalfail;

364

}

365

366

/* GnuTLS server initialization */

367

ret = gnutls_dh_params_init(&mc->dh_params);

368

if (ret != GNUTLS_E_SUCCESS) {

369

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

370

" %s\n", safer_gnutls_strerror(ret));

371

goto globalfail;

372

}

373

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

376

safer_gnutls_strerror(ret));

377

goto globalfail;

378

}

379

380

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

381

382

return 0;

383

384

globalfail:

385

386

gnutls_certificate_free_credentials(mc->cred);

387

gnutls_global_deinit();

388

return -1;

389

390

}

391

392

static int init_gnutls_session(mandos_context *mc,

393

gnutls_session_t *session){

394

int ret;

395

/* GnuTLS session creation */

396

ret = gnutls_init(session, GNUTLS_SERVER);

397

if (ret != GNUTLS_E_SUCCESS){

398

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

399

safer_gnutls_strerror(ret));

400

}

401

402

{

403

const char *err;

404

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

405

if (ret != GNUTLS_E_SUCCESS) {

406

fprintf(stderr, "Syntax error at: %s\n", err);

407

fprintf(stderr, "GnuTLS error: %s\n",

408

safer_gnutls_strerror(ret));

409

gnutls_deinit (*session);

410

return -1;

411

}

412

}

413

414

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

415

mc->cred);

416

if (ret != GNUTLS_E_SUCCESS) {

417

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

418

safer_gnutls_strerror(ret));

419

gnutls_deinit (*session);

420

return -1;

421

}

422

423

/* ignore client certificate if any. */

424

gnutls_certificate_server_set_request (*session,

425

GNUTLS_CERT_IGNORE);

426

427

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

428

429

return 0;

430

}

431

432

/* Avahi log function callback */

433

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

434

__attribute__((unused)) const char *txt){}

435

436

/* Called when a Mandos server is found */

437

static int start_mandos_communication(const char *ip, uint16_t port,

438

AvahiIfIndex if_index,

439

mandos_context *mc){

440

int ret, tcp_sd;

441

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

442

char *buffer = NULL;

443

char *decrypted_buffer;

444

size_t buffer_length = 0;

445

size_t buffer_capacity = 0;

446

ssize_t decrypted_buffer_size;

447

size_t written;

448

int retval = 0;

449

char interface[IF_NAMESIZE];

450

gnutls_session_t session;

451

452

ret = init_gnutls_session (mc, &session);

453

if (ret != 0){

454

return -1;

455

}

456

457

if(debug){

458

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

459

ip, port);

460

}

461

462

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

463

if(tcp_sd < 0) {

464

perror("socket");

465

return -1;

466

}

467

468

if(debug){

469

if(if_indextoname((unsigned int)if_index, interface) == NULL){

470

perror("if_indextoname");

471

return -1;

472

}

473

fprintf(stderr, "Binding to interface %s\n", interface);

474

}

475

476

memset(&to,0,sizeof(to)); /* Spurious warning */

477

to.in6.sin6_family = AF_INET6;

478

/* It would be nice to have a way to detect if we were passed an

479

IPv4 address here. Now we assume an IPv6 address. */

480

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

481

if (ret < 0 ){

482

perror("inet_pton");

483

return -1;

484

}

485

if(ret == 0){

486

fprintf(stderr, "Bad address: %s\n", ip);

487

return -1;

488

}

489

to.in6.sin6_port = htons(port); /* Spurious warning */

490

491

to.in6.sin6_scope_id = (uint32_t)if_index;

492

493

if(debug){

494

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

495

char addrstr[INET6_ADDRSTRLEN] = "";

496

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

497

sizeof(addrstr)) == NULL){

498

perror("inet_ntop");

499

} else {

500

if(strcmp(addrstr, ip) != 0){

501

fprintf(stderr, "Canonical address form: %s\n", addrstr);

502

}

503

}

504

}

505

506

ret = connect(tcp_sd, &to.in, sizeof(to));

507

if (ret < 0){

508

perror("connect");

509

return -1;

510

}

511

512

const char *out = mandos_protocol_version;

513

written = 0;

514

while (true){

515

size_t out_size = strlen(out);

516

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

517

out_size - written));

518

if (ret == -1){

519

perror("write");

520

retval = -1;

521

goto mandos_end;

522

}

523

written += (size_t)ret;

524

if(written < out_size){

525

continue;

526

} else {

527

if (out == mandos_protocol_version){

528

written = 0;

529

out = "\r\n";

530

} else {

531

break;

532

}

533

}

534

}

535

536

if(debug){

537

fprintf(stderr, "Establishing TLS session with %s\n", ip);

538

}

539

540

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

541

542

do{

543

ret = gnutls_handshake (session);

544

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

545

546

if (ret != GNUTLS_E_SUCCESS){

547

if(debug){

548

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

549

gnutls_perror (ret);

550

}

551

retval = -1;

552

goto mandos_end;

553

}

554

555

/* Read OpenPGP packet that contains the wanted password */

556

557

if(debug){

558

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

559

ip);

560

}

561

562

while(true){

563

buffer_capacity = adjustbuffer(&buffer, buffer_length,

564

buffer_capacity);

565

if (buffer_capacity == 0){

566

perror("adjustbuffer");

567

retval = -1;

568

goto mandos_end;

569

}

570

571

ret = gnutls_record_recv(session, buffer+buffer_length,

572

BUFFER_SIZE);

573

if (ret == 0){

574

break;

575

}

576

if (ret < 0){

577

switch(ret){

578

case GNUTLS_E_INTERRUPTED:

579

case GNUTLS_E_AGAIN:

580

break;

581

case GNUTLS_E_REHANDSHAKE:

582

do{

583

ret = gnutls_handshake (session);

584

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

585

if (ret < 0){

586

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

587

gnutls_perror (ret);

588

retval = -1;

589

goto mandos_end;

590

}

591

break;

592

default:

593

fprintf(stderr, "Unknown error while reading data from"

594

" encrypted session with Mandos server\n");

595

retval = -1;

596

gnutls_bye (session, GNUTLS_SHUT_RDWR);

597

goto mandos_end;

598

}

599

} else {

600

buffer_length += (size_t) ret;

601

}

602

}

603

604

if(debug){

605

fprintf(stderr, "Closing TLS session\n");

606

}

607

608

gnutls_bye (session, GNUTLS_SHUT_RDWR);

609

610

if (buffer_length > 0){

611

decrypted_buffer_size = pgp_packet_decrypt(buffer,

612

buffer_length,

613

&decrypted_buffer,

614

keydir);

615

if (decrypted_buffer_size >= 0){

616

written = 0;

617

while(written < (size_t) decrypted_buffer_size){

618

ret = (int)fwrite (decrypted_buffer + written, 1,

619

(size_t)decrypted_buffer_size - written,

620

stdout);

621

if(ret == 0 and ferror(stdout)){

622

if(debug){

623

fprintf(stderr, "Error writing encrypted data: %s\n",

624

strerror(errno));

625

}

626

retval = -1;

627

break;

628

}

629

written += (size_t)ret;

630

}

631

free(decrypted_buffer);

632

} else {

633

retval = -1;

634

}

635

}

636

637

/* Shutdown procedure */

638

639

mandos_end:

640

free(buffer);

641

close(tcp_sd);

642

gnutls_deinit (session);

643

return retval;

644

}

645

646

static void resolve_callback(AvahiSServiceResolver *r,

647

AvahiIfIndex interface,

648

AVAHI_GCC_UNUSED AvahiProtocol protocol,

649

AvahiResolverEvent event,

650

const char *name,

651

const char *type,

652

const char *domain,

653

const char *host_name,

654

const AvahiAddress *address,

655

uint16_t port,

656

AVAHI_GCC_UNUSED AvahiStringList *txt,

657

AVAHI_GCC_UNUSED AvahiLookupResultFlags

658

flags,

659

void* userdata) {

660

mandos_context *mc = userdata;

661

assert(r); /* Spurious warning */

662

663

/* Called whenever a service has been resolved successfully or

664

timed out */

665

666

switch (event) {

667

default:

668

case AVAHI_RESOLVER_FAILURE:

669

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

670

" of type '%s' in domain '%s': %s\n", name, type, domain,

671

avahi_strerror(avahi_server_errno(mc->server)));

672

break;

673

674

case AVAHI_RESOLVER_FOUND:

675

{

676

char ip[AVAHI_ADDRESS_STR_MAX];

677

avahi_address_snprint(ip, sizeof(ip), address);

678

if(debug){

679

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

680

" port %d\n", name, host_name, ip, interface, port);

681

}

682

int ret = start_mandos_communication(ip, port, interface, mc);

683

if (ret == 0){

684

exit(EXIT_SUCCESS);

685

}

686

}

687

}

688

avahi_s_service_resolver_free(r);

689

}

690

691

static void browse_callback( AvahiSServiceBrowser *b,

692

AvahiIfIndex interface,

693

AvahiProtocol protocol,

694

AvahiBrowserEvent event,

695

const char *name,

696

const char *type,

697

const char *domain,

698

AVAHI_GCC_UNUSED AvahiLookupResultFlags

699

flags,

700

void* userdata) {

701

mandos_context *mc = userdata;

702

assert(b); /* Spurious warning */

703

704

/* Called whenever a new services becomes available on the LAN or

705

is removed from the LAN */

706

707

switch (event) {

708

default:

709

case AVAHI_BROWSER_FAILURE:

710

711

fprintf(stderr, "(Avahi browser) %s\n",

712

avahi_strerror(avahi_server_errno(mc->server)));

713

avahi_simple_poll_quit(mc->simple_poll);

714

return;

715

716

case AVAHI_BROWSER_NEW:

717

/* We ignore the returned Avahi resolver object. In the callback

718

function we free it. If the Avahi server is terminated before

719

the callback function is called the Avahi server will free the

720

resolver for us. */

721

722

if (!(avahi_s_service_resolver_new(mc->server, interface,

723

protocol, name, type, domain,

724

AVAHI_PROTO_INET6, 0,

725

resolve_callback, mc)))

726

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

727

name, avahi_strerror(avahi_server_errno(mc->server)));

728

break;

729

730

case AVAHI_BROWSER_REMOVE:

731

break;

732

733

case AVAHI_BROWSER_ALL_FOR_NOW:

734

case AVAHI_BROWSER_CACHE_EXHAUSTED:

735

if(debug){

736

fprintf(stderr, "No Mandos server found, still searching...\n");

737

}

738

break;

739

}

740

}

741

742

/* Combines file name and path and returns the malloced new

743

string. some sane checks could/should be added */

744

static const char *combinepath(const char *first, const char *second){

745

size_t f_len = strlen(first);

746

size_t s_len = strlen(second);

747

char *tmp = malloc(f_len + s_len + 2);

748

if (tmp == NULL){

749

return NULL;

750

}

751

if(f_len > 0){

752

memcpy(tmp, first, f_len); /* Spurious warning */

753

}

754

tmp[f_len] = '/';

755

if(s_len > 0){

756

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

757

}

758

tmp[f_len + 1 + s_len] = '\0';

759

return tmp;

760

}

761

762

763

int main(int argc, char *argv[]){

764

AvahiSServiceBrowser *sb = NULL;

765

int error;

766

int ret;

767

int exitcode = EXIT_SUCCESS;

768

const char *interface = "eth0";

769

struct ifreq network;

770

int sd;

771

uid_t uid;

772

gid_t gid;

773

char *connect_to = NULL;

774

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

775

const char *pubkeyfile = "pubkey.txt";

776

const char *seckeyfile = "seckey.txt";

777

mandos_context mc = { .simple_poll = NULL, .server = NULL,

778

.dh_bits = 1024, .priority = "SECURE256"};

779

bool gnutls_initalized = false;

780

781

{

782

struct argp_option options[] = {

783

{ .name = "debug", .key = 128,

784

.doc = "Debug mode", .group = 3 },

785

{ .name = "connect", .key = 'c',

786

.arg = "IP",

787

.doc = "Connect directly to a sepcified mandos server",

788

.group = 1 },

789

{ .name = "interface", .key = 'i',

790

.arg = "INTERFACE",

791

.doc = "Interface that Avahi will conntect through",

792

.group = 1 },

793

{ .name = "keydir", .key = 'd',

794

.arg = "KEYDIR",

795

.doc = "Directory where the openpgp keyring is",

796

.group = 1 },

797

{ .name = "seckey", .key = 's',

798

.arg = "SECKEY",

799

.doc = "Secret openpgp key for gnutls authentication",

800

.group = 1 },

801

{ .name = "pubkey", .key = 'p',

802

.arg = "PUBKEY",

803

.doc = "Public openpgp key for gnutls authentication",

804

.group = 2 },

805

{ .name = "dh-bits", .key = 129,

806

.arg = "BITS",

807

.doc = "dh-bits to use in gnutls communication",

808

.group = 2 },

809

{ .name = "priority", .key = 130,

810

.arg = "PRIORITY",

811

.doc = "GNUTLS priority", .group = 1 },

812

{ .name = NULL }

813

};

814

815

816

error_t parse_opt (int key, char *arg,

817

struct argp_state *state) {

818

/* Get the INPUT argument from `argp_parse', which we know is

819

a pointer to our plugin list pointer. */

820

switch (key) {

821

case 128:

822

debug = true;

823

break;

824

case 'c':

825

connect_to = arg;

826

break;

827

case 'i':

828

interface = arg;

829

break;

830

case 'd':

831

keydir = arg;

832

break;

833

case 's':

834

seckeyfile = arg;

835

break;

836

case 'p':

837

pubkeyfile = arg;

838

break;

839

case 129:

840

errno = 0;

841

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

842

if (errno){

843

perror("strtol");

844

exit(EXIT_FAILURE);

845

}

846

break;

847

case 130:

848

mc.priority = arg;

849

break;

850

case ARGP_KEY_ARG:

851

argp_usage (state);

852

break;

853

case ARGP_KEY_END:

854

break;

855

default:

856

return ARGP_ERR_UNKNOWN;

857

}

858

return 0;

859

}

860

861

struct argp argp = { .options = options, .parser = parse_opt,

862

.args_doc = "",

863

.doc = "Mandos client -- Get and decrypt"

864

" passwords from mandos server" };

865

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

866

if (ret == ARGP_ERR_UNKNOWN){

867

fprintf(stderr, "Unkown error while parsing arguments\n");

868

exitcode = EXIT_FAILURE;

869

goto end;

870

}

871

}

872

873

pubkeyfile = combinepath(keydir, pubkeyfile);

874

if (pubkeyfile == NULL){

875

perror("combinepath");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

880

seckeyfile = combinepath(keydir, seckeyfile);

881

if (seckeyfile == NULL){

882

perror("combinepath");

883

goto end;

884

}

885

886

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

887

if (ret == -1){

888

fprintf(stderr, "init_gnutls_global\n");

889

goto end;

890

} else {

891

gnutls_initalized = true;

892

}

893

894

uid = getuid();

895

gid = getgid();

896

897

ret = setuid(uid);

898

if (ret == -1){

899

perror("setuid");

900

}

901

902

setgid(gid);

903

if (ret == -1){

904

perror("setgid");

905

}

906

907

if_index = (AvahiIfIndex) if_nametoindex(interface);

908

if(if_index == 0){

909

fprintf(stderr, "No such interface: \"%s\"\n", interface);

910

exit(EXIT_FAILURE);

911

}

912

913

if(connect_to != NULL){

914

/* Connect directly, do not use Zeroconf */

915

/* (Mainly meant for debugging) */

916

char *address = strrchr(connect_to, ':');

917

if(address == NULL){

918

fprintf(stderr, "No colon in address\n");

919

exitcode = EXIT_FAILURE;

920

goto end;

921

}

922

errno = 0;

923

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

924

if(errno){

925

perror("Bad port number");

926

exitcode = EXIT_FAILURE;

927

goto end;

928

}

929

*address = '\0';

930

address = connect_to;

931

ret = start_mandos_communication(address, port, if_index, &mc);

932

if(ret < 0){

933

exitcode = EXIT_FAILURE;

934

} else {

935

exitcode = EXIT_SUCCESS;

936

}

937

goto end;

938

}

939

940

/* If the interface is down, bring it up */

941

{

942

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

943

if(sd < 0) {

944

perror("socket");

945

exitcode = EXIT_FAILURE;

946

goto end;

947

}

948

strcpy(network.ifr_name, interface); /* Spurious warning */

949

ret = ioctl(sd, SIOCGIFFLAGS, &network);

950

if(ret == -1){

951

perror("ioctl SIOCGIFFLAGS");

952

exitcode = EXIT_FAILURE;

953

goto end;

954

}

955

if((network.ifr_flags & IFF_UP) == 0){

956

network.ifr_flags |= IFF_UP;

957

ret = ioctl(sd, SIOCSIFFLAGS, &network);

958

if(ret == -1){

959

perror("ioctl SIOCSIFFLAGS");

960

exitcode = EXIT_FAILURE;

961

goto end;

962

}

963

}

964

close(sd);

965

}

966

967

if (not debug){

968

avahi_set_log_function(empty_log);

969

}

970

971

/* Initialize the pseudo-RNG for Avahi */

972

srand((unsigned int) time(NULL));

973

974

/* Allocate main Avahi loop object */

975

mc.simple_poll = avahi_simple_poll_new();

976

if (mc.simple_poll == NULL) {

977

fprintf(stderr, "Avahi: Failed to create simple poll"

978

" object.\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

}

982

983

{

984

AvahiServerConfig config;

985

/* Do not publish any local Zeroconf records */

986

avahi_server_config_init(&config);

987

config.publish_hinfo = 0;

988

config.publish_addresses = 0;

989

config.publish_workstation = 0;

990

config.publish_domain = 0;

991

992

/* Allocate a new server */

993

mc.server = avahi_server_new(avahi_simple_poll_get

994

(mc.simple_poll), &config, NULL,

995

NULL, &error);

996

997

/* Free the Avahi configuration data */

998

avahi_server_config_free(&config);

999

}

1000

1001

/* Check if creating the Avahi server object succeeded */

1002

if (mc.server == NULL) {

1003

fprintf(stderr, "Failed to create Avahi server: %s\n",

1004

avahi_strerror(error));

1005

exitcode = EXIT_FAILURE;

1006

goto end;

1007

}

1008

1009

/* Create the Avahi service browser */

1010

sb = avahi_s_service_browser_new(mc.server, if_index,

1011

AVAHI_PROTO_INET6,

1012

"_mandos._tcp", NULL, 0,

1013

browse_callback, &mc);

1014

if (sb == NULL) {

1015

fprintf(stderr, "Failed to create service browser: %s\n",

1016

avahi_strerror(avahi_server_errno(mc.server)));

1017

exitcode = EXIT_FAILURE;

1018

goto end;

1019

}

1020

1021

/* Run the main loop */

1022

1023

if (debug){

1024

fprintf(stderr, "Starting Avahi loop search\n");

1025

}

1026

1027

avahi_simple_poll_loop(mc.simple_poll);

1028

1029

end:

1030

1031

if (debug){

1032

fprintf(stderr, "%s exiting\n", argv[0]);

1033

}

1034

1035

/* Cleanup things */

1036

if (sb != NULL)

1037

avahi_s_service_browser_free(sb);

1038

1039

if (mc.server != NULL)

1040

avahi_server_free(mc.server);

1041

1042

if (mc.simple_poll != NULL)

1043

avahi_simple_poll_free(mc.simple_poll);

1044

free(pubkeyfile);

1045

free(seckeyfile);

1046

1047

if (gnutls_initalized){

1048

gnutls_certificate_free_credentials(mc.cred);

1049

gnutls_global_deinit ();

1050

}

1051

1052

return exitcode;

1053

}

Older »