(root)/mandos/trunk
» Revision
24.1.50
(compared to revision 24.1.11)
: plugins.d/password-request.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 24.1.50
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.50
- Committer: Björn Påhlsson
- Date: 2008-08-14 01:32:34 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 75.
- Revision ID: belorn@braxen-20080814013234-qs0s608s3gxwb5t7
changed from using strtok to strsep
- files added:
- initramfs-tools-hook
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- plugbasedclient.c => mandos-client.c
- server.conf => mandos.conf
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- plugins.d/mandosclient.c => plugins.d/password-request.c
- files modified:
- Makefile
added
removed
plugins.d/password-request.c
34
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
54
connect() */
55
#include <assert.h> /* assert() */
56
#include <errno.h> /* perror(), errno */
57
#include <time.h> /* time() */
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
SIOCSIFFLAGS, if_indextoname(),
60
if_nametoindex(), IF_NAMESIZE */
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
65
#include <arpa/inet.h> /* inet_pton(), htons */
66
#include <iso646.h> /* not, and */
67
#include <argp.h> /* struct argp_option, error_t, struct
68
argp_state, struct argp,
69
argp_parse(), ARGP_KEY_ARG,
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
44
71
72
/* Avahi */
73
/* All Avahi types, constants and functions
74
Avahi*, avahi_*,
75
AVAHI_* */
45
76
#include <avahi-core/core.h>
46
77
#include <avahi-core/lookup.h>
47
78
#include <avahi-core/log.h>
49
80
#include <avahi-common/malloc.h>
50
81
#include <avahi-common/error.h>
51
82
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
83
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
85
gnutls_*
86
init_gnutls_session(),
87
GNUTLS_* */
88
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
89
GNUTLS_OPENPGP_FMT_BASE64 */
90
91
/* GPGME */
92
#include <gpgme.h> /* All GPGME types, constants and functions
93
gpgme_*
94
GPGME_PROTOCOL_OpenPGP,
95
GPG_ERR_NO_* */
72
96
73
97
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
79
98
80
99
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
100
static const char *keydir = "/conf/conf.d/mandos";
101
static const char mandos_protocol_version[] = "1";
102
const char *argp_program_version = "password-request 1.0";
103
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
104
105
/* Used for passing in values through the Avahi callback functions */
84
106
typedef struct {
85
107
AvahiSimplePoll *simple_poll;
86
108
AvahiServer *server;
87
109
gnutls_certificate_credentials_t cred;
88
110
unsigned int dh_bits;
111
gnutls_dh_params_t dh_params;
89
112
const char *priority;
90
113
} mandos_context;
91
114
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
115
/*
116
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
117
* "buffer_capacity" is how much is currently allocated,
118
* "buffer_length" is how much is already used.
119
*/
120
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
121
size_t buffer_capacity){
94
122
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
123
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
124
if (buffer == NULL){
97
125
return 0;
98
126
}
101
129
return buffer_capacity;
102
130
}
103
131
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
132
/*
133
* Decrypt OpenPGP data using keyrings in HOMEDIR.
134
* Returns -1 on error
135
*/
136
static ssize_t pgp_packet_decrypt (const char *cryptotext,
137
size_t crypto_size,
138
char **plaintext,
106
139
const char *homedir){
107
140
gpgme_data_t dh_crypto, dh_plain;
108
141
gpgme_ctx_t ctx;
109
142
gpgme_error_t rc;
110
143
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
144
size_t plaintext_capacity = 0;
145
ssize_t plaintext_length = 0;
113
146
gpgme_engine_info_t engine_info;
114
147
115
148
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
149
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
117
150
}
118
151
119
152
/* Init GPGME */
125
158
return -1;
126
159
}
127
160
128
/* Set GPGME home directory */
161
/* Set GPGME home directory for the OpenPGP engine only */
129
162
rc = gpgme_get_engine_info (&engine_info);
130
163
if (rc != GPG_ERR_NO_ERROR){
131
164
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
174
engine_info = engine_info->next;
142
175
}
143
176
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
177
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
145
178
return -1;
146
179
}
147
180
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
181
/* Create new GPGME data buffer from memory cryptotext */
182
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
183
0);
150
184
if (rc != GPG_ERR_NO_ERROR){
151
185
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
186
gpgme_strsource(rc), gpgme_strerror(rc));
158
192
if (rc != GPG_ERR_NO_ERROR){
159
193
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
194
gpgme_strsource(rc), gpgme_strerror(rc));
195
gpgme_data_release(dh_crypto);
161
196
return -1;
162
197
}
163
198
166
201
if (rc != GPG_ERR_NO_ERROR){
167
202
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
203
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
204
plaintext_length = -1;
205
goto decrypt_end;
170
206
}
171
207
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
208
/* Decrypt data from the cryptotext data buffer to the plaintext
209
data buffer */
174
210
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
211
if (rc != GPG_ERR_NO_ERROR){
176
212
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
213
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
214
plaintext_length = -1;
215
goto decrypt_end;
179
216
}
180
217
181
218
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
219
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
183
220
}
184
221
185
222
if (debug){
186
223
gpgme_decrypt_result_t result;
187
224
result = gpgme_op_decrypt_result(ctx);
190
227
} else {
191
228
fprintf(stderr, "Unsupported algorithm: %s\n",
192
229
result->unsupported_algorithm);
193
fprintf(stderr, "Wrong key usage: %d\n",
230
fprintf(stderr, "Wrong key usage: %u\n",
194
231
result->wrong_key_usage);
195
232
if(result->file_name != NULL){
196
233
fprintf(stderr, "File name: %s\n", result->file_name);
211
248
}
212
249
}
213
250
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
217
251
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
252
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
253
perror("pgpme_data_seek");
254
plaintext_length = -1;
255
goto decrypt_end;
220
256
}
221
257
222
*new_packet = 0;
258
*plaintext = NULL;
223
259
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
260
plaintext_capacity = adjustbuffer(plaintext,
261
(size_t)plaintext_length,
262
plaintext_capacity);
263
if (plaintext_capacity == 0){
227
264
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
265
plaintext_length = -1;
266
goto decrypt_end;
231
267
}
232
268
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
269
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
270
BUFFER_SIZE);
235
271
/* Print the data, if any */
236
272
if (ret == 0){
273
/* EOF */
237
274
break;
238
275
}
239
276
if(ret < 0){
240
277
perror("gpgme_data_read");
241
return -1;
278
plaintext_length = -1;
279
goto decrypt_end;
242
280
}
243
new_packet_length += ret;
281
plaintext_length += ret;
244
282
}
245
283
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
284
if(debug){
285
fprintf(stderr, "Decrypted password is: ");
286
for(ssize_t i = 0; i < plaintext_length; i++){
287
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
288
}
289
fprintf(stderr, "\n");
290
}
291
292
decrypt_end:
293
294
/* Delete the GPGME cryptotext data buffer */
295
gpgme_data_release(dh_crypto);
253
296
254
297
/* Delete the GPGME plaintext data buffer */
255
298
gpgme_data_release(dh_plain);
256
return new_packet_length;
299
return plaintext_length;
257
300
}
258
301
259
302
static const char * safer_gnutls_strerror (int value) {
263
306
return ret;
264
307
}
265
308
309
/* GnuTLS log function callback */
266
310
static void debuggnutls(__attribute__((unused)) int level,
267
311
const char* string){
268
fprintf(stderr, "%s", string);
312
fprintf(stderr, "GnuTLS: %s", string);
269
313
}
270
314
271
static int initgnutls(mandos_context *mc){
272
const char *err;
315
static int init_gnutls_global(mandos_context *mc,
316
const char *pubkeyfile,
317
const char *seckeyfile){
273
318
int ret;
274
319
275
320
if(debug){
276
321
fprintf(stderr, "Initializing GnuTLS\n");
277
322
}
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
323
324
ret = gnutls_global_init();
325
if (ret != GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "GnuTLS global_init: %s\n",
327
safer_gnutls_strerror(ret));
282
328
return -1;
283
329
}
284
330
285
331
if (debug){
332
/* "Use a log level over 10 to enable all debugging options."
333
* - GnuTLS manual
334
*/
286
335
gnutls_global_set_log_level(11);
287
336
gnutls_global_set_log_function(debuggnutls);
288
337
}
289
338
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
339
/* OpenPGP credentials */
340
gnutls_certificate_allocate_credentials(&mc->cred);
341
if (ret != GNUTLS_E_SUCCESS){
342
fprintf (stderr, "GnuTLS memory error: %s\n",
294
343
safer_gnutls_strerror(ret));
344
gnutls_global_deinit ();
295
345
return -1;
296
346
}
297
347
298
348
if(debug){
299
349
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
350
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
351
seckeyfile);
302
352
}
303
353
304
354
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
355
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
306
356
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
357
fprintf(stderr,
358
"Error[%d] while reading the OpenPGP key pair ('%s',"
359
" '%s')\n", ret, pubkeyfile, seckeyfile);
360
fprintf(stdout, "The GnuTLS error is: %s\n",
312
361
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
362
goto globalfail;
363
}
364
365
/* GnuTLS server initialization */
366
ret = gnutls_dh_params_init(&mc->dh_params);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
369
" %s\n", safer_gnutls_strerror(ret));
370
goto globalfail;
371
}
372
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
373
if (ret != GNUTLS_E_SUCCESS) {
374
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
375
safer_gnutls_strerror(ret));
376
goto globalfail;
377
}
378
379
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
380
381
return 0;
382
383
globalfail:
384
385
gnutls_certificate_free_credentials(mc->cred);
386
gnutls_global_deinit();
387
return -1;
388
389
}
390
391
static int init_gnutls_session(mandos_context *mc,
392
gnutls_session_t *session){
393
int ret;
394
/* GnuTLS session creation */
395
ret = gnutls_init(session, GNUTLS_SERVER);
396
if (ret != GNUTLS_E_SUCCESS){
336
397
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
398
safer_gnutls_strerror(ret));
338
399
}
339
400
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
401
{
402
const char *err;
403
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
404
if (ret != GNUTLS_E_SUCCESS) {
405
fprintf(stderr, "Syntax error at: %s\n", err);
406
fprintf(stderr, "GnuTLS error: %s\n",
407
safer_gnutls_strerror(ret));
408
gnutls_deinit (*session);
409
return -1;
410
}
346
411
}
347
412
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
413
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
414
mc->cred);
415
if (ret != GNUTLS_E_SUCCESS) {
416
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
417
safer_gnutls_strerror(ret));
418
gnutls_deinit (*session);
353
419
return -1;
354
420
}
355
421
356
422
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
423
gnutls_certificate_server_set_request (*session,
358
424
GNUTLS_CERT_IGNORE);
359
425
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
426
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
427
362
428
return 0;
363
429
}
364
430
431
/* Avahi log function callback */
365
432
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
433
__attribute__((unused)) const char *txt){}
367
434
435
/* Called when a Mandos server is found */
368
436
static int start_mandos_communication(const char *ip, uint16_t port,
369
437
AvahiIfIndex if_index,
370
438
mandos_context *mc){
371
439
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
440
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
441
char *buffer = NULL;
375
442
char *decrypted_buffer;
376
443
size_t buffer_length = 0;
379
446
size_t written;
380
447
int retval = 0;
381
448
char interface[IF_NAMESIZE];
449
gnutls_session_t session;
450
451
ret = init_gnutls_session (mc, &session);
452
if (ret != 0){
453
return -1;
454
}
382
455
383
456
if(debug){
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
385
ip, port);
457
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
458
"\n", ip, port);
386
459
}
387
460
388
461
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
393
466
394
467
if(debug){
395
468
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
469
perror("if_indextoname");
399
470
return -1;
400
471
}
401
402
472
fprintf(stderr, "Binding to interface %s\n", interface);
403
473
}
404
474
405
475
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
476
to.in6.sin6_family = AF_INET6;
477
/* It would be nice to have a way to detect if we were passed an
478
IPv4 address here. Now we assume an IPv6 address. */
479
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
480
if (ret < 0 ){
409
481
perror("inet_pton");
410
482
return -1;
411
}
483
}
412
484
if(ret == 0){
413
485
fprintf(stderr, "Bad address: %s\n", ip);
414
486
return -1;
415
487
}
416
to.sin6_port = htons(port); /* Spurious warning */
488
to.in6.sin6_port = htons(port); /* Spurious warning */
417
489
418
to.sin6_scope_id = (uint32_t)if_index;
490
to.in6.sin6_scope_id = (uint32_t)if_index;
419
491
420
492
if(debug){
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
493
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
494
port);
495
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
497
sizeof(addrstr)) == NULL){
498
perror("inet_ntop");
499
} else {
500
if(strcmp(addrstr, ip) != 0){
501
fprintf(stderr, "Canonical address form: %s\n", addrstr);
502
}
503
}
430
504
}
431
505
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
506
ret = connect(tcp_sd, &to.in, sizeof(to));
433
507
if (ret < 0){
434
508
perror("connect");
435
509
return -1;
436
510
}
437
511
438
char *out = mandos_protocol_version;
512
const char *out = mandos_protocol_version;
439
513
written = 0;
440
514
while (true){
441
515
size_t out_size = strlen(out);
444
518
if (ret == -1){
445
519
perror("write");
446
520
retval = -1;
447
goto end;
521
goto mandos_end;
448
522
}
449
written += ret;
523
written += (size_t)ret;
450
524
if(written < out_size){
451
525
continue;
452
526
} else {
459
533
}
460
534
}
461
535
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
471
536
if(debug){
472
537
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
538
}
474
539
475
ret = gnutls_handshake (es.session);
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
476
545
477
546
if (ret != GNUTLS_E_SUCCESS){
478
547
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
549
gnutls_perror (ret);
481
550
}
482
551
retval = -1;
483
goto exit;
552
goto mandos_end;
484
553
}
485
554
486
//Retrieve OpenPGP packet that contains the wanted password
555
/* Read OpenPGP packet that contains the wanted password */
487
556
488
557
if(debug){
489
558
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
491
560
}
492
561
493
562
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
495
565
if (buffer_capacity == 0){
496
566
perror("adjustbuffer");
497
567
retval = -1;
498
goto exit;
568
goto mandos_end;
499
569
}
500
570
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
571
ret = gnutls_record_recv(session, buffer+buffer_length,
572
BUFFER_SIZE);
503
573
if (ret == 0){
504
574
break;
505
575
}
509
579
case GNUTLS_E_AGAIN:
510
580
break;
511
581
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
513
585
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
587
gnutls_perror (ret);
516
588
retval = -1;
517
goto exit;
589
goto mandos_end;
518
590
}
519
591
break;
520
592
default:
521
593
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
594
" encrypted session with Mandos server\n");
523
595
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
596
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
526
598
}
527
599
} else {
528
600
buffer_length += (size_t) ret;
529
601
}
530
602
}
531
603
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
532
610
if (buffer_length > 0){
533
611
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
612
buffer_length,
535
613
&decrypted_buffer,
536
certdir);
614
keydir);
537
615
if (decrypted_buffer_size >= 0){
538
616
written = 0;
539
617
while(written < (size_t) decrypted_buffer_size){
555
633
retval = -1;
556
634
}
557
635
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
636
637
/* Shutdown procedure */
638
639
mandos_end:
565
640
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
641
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
642
gnutls_deinit (session);
572
643
return retval;
573
644
}
574
645
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
646
static void resolve_callback(AvahiSServiceResolver *r,
647
AvahiIfIndex interface,
648
AVAHI_GCC_UNUSED AvahiProtocol protocol,
649
AvahiResolverEvent event,
650
const char *name,
651
const char *type,
652
const char *domain,
653
const char *host_name,
654
const AvahiAddress *address,
655
uint16_t port,
656
AVAHI_GCC_UNUSED AvahiStringList *txt,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
588
660
mandos_context *mc = userdata;
589
661
assert(r); /* Spurious warning */
590
662
594
666
switch (event) {
595
667
default:
596
668
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
671
avahi_strerror(avahi_server_errno(mc->server)));
600
672
break;
601
673
604
676
char ip[AVAHI_ADDRESS_STR_MAX];
605
677
avahi_address_snprint(ip, sizeof(ip), address);
606
678
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
680
PRIu16 ") on port %d\n", name, host_name, ip,
681
interface, port);
609
682
}
610
683
int ret = start_mandos_communication(ip, port, interface, mc);
611
684
if (ret == 0){
612
exit(EXIT_SUCCESS);
685
avahi_simple_poll_quit(mc->simple_poll);
613
686
}
614
687
}
615
688
}
623
696
const char *name,
624
697
const char *type,
625
698
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
699
AVAHI_GCC_UNUSED AvahiLookupResultFlags
700
flags,
627
701
void* userdata) {
628
702
mandos_context *mc = userdata;
629
703
assert(b); /* Spurious warning */
634
708
switch (event) {
635
709
default:
636
710
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
711
712
fprintf(stderr, "(Avahi browser) %s\n",
639
713
avahi_strerror(avahi_server_errno(mc->server)));
640
714
avahi_simple_poll_quit(mc->simple_poll);
641
715
return;
642
716
643
717
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
718
/* We ignore the returned Avahi resolver object. In the callback
719
function we free it. If the Avahi server is terminated before
720
the callback function is called the Avahi server will free the
721
resolver for us. */
722
723
if (!(avahi_s_service_resolver_new(mc->server, interface,
724
protocol, name, type, domain,
651
725
AVAHI_PROTO_INET6, 0,
652
726
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
727
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
728
name, avahi_strerror(avahi_server_errno(mc->server)));
655
729
break;
656
730
657
731
case AVAHI_BROWSER_REMOVE:
658
732
break;
659
733
660
734
case AVAHI_BROWSER_ALL_FOR_NOW:
661
735
case AVAHI_BROWSER_CACHE_EXHAUSTED:
736
if(debug){
737
fprintf(stderr, "No Mandos server found, still searching...\n");
738
}
662
739
break;
663
740
}
664
741
}
673
750
return NULL;
674
751
}
675
752
if(f_len > 0){
676
memcpy(tmp, first, f_len);
753
memcpy(tmp, first, f_len); /* Spurious warning */
677
754
}
678
755
tmp[f_len] = '/';
679
756
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
757
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
681
758
}
682
759
tmp[f_len + 1 + s_len] = '\0';
683
760
return tmp;
684
761
}
685
762
686
763
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
764
int main(int argc, char *argv[]){
689
765
AvahiSServiceBrowser *sb = NULL;
690
766
int error;
691
767
int ret;
692
int returncode = EXIT_SUCCESS;
768
int exitcode = EXIT_SUCCESS;
693
769
const char *interface = "eth0";
694
770
struct ifreq network;
695
771
int sd;
772
uid_t uid;
773
gid_t gid;
696
774
char *connect_to = NULL;
697
775
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
776
const char *pubkeyfile = "pubkey.txt";
777
const char *seckeyfile = "seckey.txt";
698
778
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
779
.dh_bits = 1024, .priority = "SECURE256"};
780
bool gnutls_initalized = false;
700
781
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
782
{
783
struct argp_option options[] = {
784
{ .name = "debug", .key = 128,
785
.doc = "Debug mode", .group = 3 },
786
{ .name = "connect", .key = 'c',
787
.arg = "IP",
788
.doc = "Connect directly to a sepcified mandos server",
789
.group = 1 },
790
{ .name = "interface", .key = 'i',
791
.arg = "INTERFACE",
792
.doc = "Interface that Avahi will conntect through",
793
.group = 1 },
794
{ .name = "keydir", .key = 'd',
795
.arg = "KEYDIR",
796
.doc = "Directory where the openpgp keyring is",
797
.group = 1 },
798
{ .name = "seckey", .key = 's',
799
.arg = "SECKEY",
800
.doc = "Secret openpgp key for gnutls authentication",
801
.group = 1 },
802
{ .name = "pubkey", .key = 'p',
803
.arg = "PUBKEY",
804
.doc = "Public openpgp key for gnutls authentication",
805
.group = 2 },
806
{ .name = "dh-bits", .key = 129,
807
.arg = "BITS",
808
.doc = "dh-bits to use in gnutls communication",
809
.group = 2 },
810
{ .name = "priority", .key = 130,
811
.arg = "PRIORITY",
812
.doc = "GNUTLS priority", .group = 1 },
813
{ .name = NULL }
814
};
815
816
817
error_t parse_opt (int key, char *arg,
818
struct argp_state *state) {
819
/* Get the INPUT argument from `argp_parse', which we know is
820
a pointer to our plugin list pointer. */
821
switch (key) {
822
case 128:
823
debug = true;
824
break;
825
case 'c':
826
connect_to = arg;
827
break;
828
case 'i':
829
interface = arg;
830
break;
831
case 'd':
832
keydir = arg;
833
break;
834
case 's':
835
seckeyfile = arg;
836
break;
837
case 'p':
838
pubkeyfile = arg;
839
break;
840
case 129:
742
841
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
842
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
843
if (errno){
745
844
perror("strtol");
746
845
exit(EXIT_FAILURE);
747
846
}
748
mc.dh_bits = tmp;
749
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
847
break;
848
case 130:
849
mc.priority = arg;
850
break;
851
case ARGP_KEY_ARG:
852
argp_usage (state);
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
857
}
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unknown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
}
872
873
pubkeyfile = combinepath(keydir, pubkeyfile);
874
if (pubkeyfile == NULL){
875
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
878
}
879
880
seckeyfile = combinepath(keydir, seckeyfile);
881
if (seckeyfile == NULL){
882
perror("combinepath");
883
exitcode = EXIT_FAILURE;
884
goto end;
885
}
886
887
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
888
if (ret == -1){
889
fprintf(stderr, "init_gnutls_global failed\n");
890
exitcode = EXIT_FAILURE;
891
goto end;
892
} else {
893
gnutls_initalized = true;
894
}
895
896
/* If the interface is down, bring it up */
897
{
898
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
899
if(sd < 0) {
900
perror("socket");
901
exitcode = EXIT_FAILURE;
902
goto end;
903
}
904
strcpy(network.ifr_name, interface); /* Spurious warning */
905
ret = ioctl(sd, SIOCGIFFLAGS, &network);
906
if(ret == -1){
907
perror("ioctl SIOCGIFFLAGS");
908
exitcode = EXIT_FAILURE;
909
goto end;
910
}
911
if((network.ifr_flags & IFF_UP) == 0){
912
network.ifr_flags |= IFF_UP;
913
ret = ioctl(sd, SIOCSIFFLAGS, &network);
914
if(ret == -1){
915
perror("ioctl SIOCSIFFLAGS");
916
exitcode = EXIT_FAILURE;
917
goto end;
918
}
919
}
920
close(sd);
921
}
922
923
uid = getuid();
924
gid = getgid();
925
926
ret = setuid(uid);
927
if (ret == -1){
928
perror("setuid");
929
}
930
931
setgid(gid);
932
if (ret == -1){
933
perror("setgid");
771
934
}
772
935
773
936
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
945
char *address = strrchr(connect_to, ':');
783
946
if(address == NULL){
784
947
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
948
exitcode = EXIT_FAILURE;
949
goto end;
786
950
}
787
951
errno = 0;
788
952
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
953
if(errno){
790
954
perror("Bad port number");
791
exit(EXIT_FAILURE);
955
exitcode = EXIT_FAILURE;
956
goto end;
792
957
}
793
958
*address = '\0';
794
959
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
960
ret = start_mandos_communication(address, port, if_index, &mc);
796
961
if(ret < 0){
797
exit(EXIT_FAILURE);
962
exitcode = EXIT_FAILURE;
798
963
} else {
799
exit(EXIT_SUCCESS);
800
}
801
}
802
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
825
}
826
close(sd);
964
exitcode = EXIT_SUCCESS;
965
}
966
goto end;
967
}
827
968
828
969
if (not debug){
829
970
avahi_set_log_function(empty_log);
830
971
}
831
972
832
/* Initialize the psuedo-RNG */
973
/* Initialize the pseudo-RNG for Avahi */
833
974
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
975
976
/* Allocate main Avahi loop object */
977
mc.simple_poll = avahi_simple_poll_new();
978
if (mc.simple_poll == NULL) {
979
fprintf(stderr, "Avahi: Failed to create simple poll"
980
" object.\n");
981
exitcode = EXIT_FAILURE;
982
goto end;
983
}
984
985
{
986
AvahiServerConfig config;
987
/* Do not publish any local Zeroconf records */
988
avahi_server_config_init(&config);
989
config.publish_hinfo = 0;
990
config.publish_addresses = 0;
991
config.publish_workstation = 0;
992
config.publish_domain = 0;
993
994
/* Allocate a new server */
995
mc.server = avahi_server_new(avahi_simple_poll_get
996
(mc.simple_poll), &config, NULL,
997
NULL, &error);
998
999
/* Free the Avahi configuration data */
1000
avahi_server_config_free(&config);
1001
}
1002
1003
/* Check if creating the Avahi server object succeeded */
1004
if (mc.server == NULL) {
1005
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
1006
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
1007
exitcode = EXIT_FAILURE;
1008
goto end;
862
1009
}
863
1010
864
/* Create the service browser */
1011
/* Create the Avahi service browser */
865
1012
sb = avahi_s_service_browser_new(mc.server, if_index,
866
1013
AVAHI_PROTO_INET6,
867
1014
"_mandos._tcp", NULL, 0,
868
1015
browse_callback, &mc);
869
if (!sb) {
1016
if (sb == NULL) {
870
1017
fprintf(stderr, "Failed to create service browser: %s\n",
871
1018
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
1019
exitcode = EXIT_FAILURE;
1020
goto end;
874
1021
}
875
1022
876
1023
/* Run the main loop */
877
1024
878
1025
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
1026
fprintf(stderr, "Starting Avahi loop search\n");
880
1027
}
881
1028
882
avahi_simple_poll_loop(simple_poll);
1029
avahi_simple_poll_loop(mc.simple_poll);
883
1030
884
exit:
1031
end:
885
1032
886
1033
if (debug){
887
1034
fprintf(stderr, "%s exiting\n", argv[0]);
888
1035
}
889
1036
890
1037
/* Cleanup things */
891
if (sb)
1038
if (sb != NULL)
892
1039
avahi_s_service_browser_free(sb);
893
1040
894
if (mc.server)
1041
if (mc.server != NULL)
895
1042
avahi_server_free(mc.server);
896
1043
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1044
if (mc.simple_poll != NULL)
1045
avahi_simple_poll_free(mc.simple_poll);
1046
free(pubkeyfile);
1047
free(seckeyfile);
1048
1049
if (gnutls_initalized){
1050
gnutls_certificate_free_credentials(mc.cred);
1051
gnutls_global_deinit ();
1052
}
901
1053
902
return returncode;
1054
return exitcode;
903
1055
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0