2
This file is part of avahi.
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
1
/* -*- coding: utf-8 -*- */
3
* Mandos client - get and decrypt data from a Mandos server
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
28
* Contact the authors at <mandos@fukt.bsnet.se>.
31
/* Needed by GPGME, specifically gpgme_data_seek() */
20
32
#define _LARGEFILE_SOURCE
21
33
#define _FILE_OFFSET_BITS 64
34
48
#include <avahi-common/error.h>
36
50
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
42
57
#include <unistd.h> /* close() */
43
58
#include <netinet/in.h>
71
84
} encrypted_session;
74
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
75
90
gpgme_data_t dh_crypto, dh_plain;
79
size_t new_packet_capacity = 0;
80
size_t new_packet_length = 0;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
81
96
gpgme_engine_info_t engine_info;
84
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
88
103
gpgme_check_version(NULL);
89
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
105
if (rc != GPG_ERR_NO_ERROR){
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
107
gpgme_strsource(rc), gpgme_strerror(rc));
91
111
/* Set GPGME home directory */
92
112
rc = gpgme_get_engine_info (&engine_info);
150
171
if (result == NULL){
151
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
155
178
if(result->file_name != NULL){
156
179
fprintf(stderr, "File name: %s\n", result->file_name);
174
198
gpgme_data_release(dh_crypto);
176
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
181
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
183
211
if (*new_packet == NULL){
184
212
perror("realloc");
244
272
gnutls_global_set_log_function(debuggnutls);
248
275
/* openpgp credentials */
249
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
250
277
!= GNUTLS_E_SUCCESS) {
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
260
289
ret = gnutls_certificate_set_openpgp_key_file
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
262
291
if (ret != GNUTLS_E_SUCCESS) {
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
295
ret, certfile, certkey);
266
296
fprintf(stdout, "The Error is: %s\n",
267
297
safer_gnutls_strerror(ret));
271
//Gnutls server initialization
301
//GnuTLS server initialization
272
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
273
303
!= GNUTLS_E_SUCCESS) {
274
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
275
305
safer_gnutls_strerror(ret));
279
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
280
310
!= GNUTLS_E_SUCCESS) {
281
311
fprintf (stderr, "Error in prime generation: %s\n",
282
312
safer_gnutls_strerror(ret));
286
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
288
// Gnutls session creation
318
// GnuTLS session creation
289
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
290
320
!= GNUTLS_E_SUCCESS){
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
292
322
safer_gnutls_strerror(ret));
295
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
296
326
!= GNUTLS_E_SUCCESS) {
297
327
fprintf(stderr, "Syntax error at: %s\n", err);
298
fprintf(stderr, "Gnutls error: %s\n",
328
fprintf(stderr, "GnuTLS error: %s\n",
299
329
safer_gnutls_strerror(ret));
303
333
if ((ret = gnutls_credentials_set
304
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
305
335
!= GNUTLS_E_SUCCESS) {
307
337
safer_gnutls_strerror(ret));
311
341
/* ignore client certificate if any. */
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
314
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
319
void empty_log(AvahiLogLevel level, const char *txt){}
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
__attribute__((unused)) const char *txt){}
321
int start_mandos_communication(char *ip, uint16_t port){
353
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
323
356
struct sockaddr_in6 to;
324
357
encrypted_session es;
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
381
perror("if_indextoname");
343
386
fprintf(stderr, "Binding to interface %s\n", interface);
346
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
348
perror("setsockopt bindtodevice");
352
memset(&to,0,sizeof(to));
389
memset(&to,0,sizeof(to)); /* Spurious warning */
353
390
to.sin6_family = AF_INET6;
354
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
360
397
fprintf(stderr, "Bad address: %s\n", ip);
363
to.sin6_port = htons(port);
364
to.sin6_scope_id = if_nametoindex(interface);
400
to.sin6_port = htons(port); /* Spurious warning */
402
to.sin6_scope_id = (uint32_t)if_index;
367
fprintf(stderr, "Connection to: %s\n", ip);
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
370
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
383
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
386
fprintf(stderr, "Establishing tls session with %s\n", ip);
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
390
435
ret = gnutls_handshake (es.session);
392
437
if (ret != GNUTLS_E_SUCCESS){
393
fprintf(stderr, "\n*** Handshake failed ***\n");
439
fprintf(stderr, "\n*** Handshake failed ***\n");
399
//Retrieve gpg packet that contains the wanted password
446
//Retrieve OpenPGP packet that contains the wanted password
402
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
435
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
483
fprintf(stderr, "Unknown error while reading data from"
484
" encrypted session with mandos server\n");
437
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
441
buffer_length += ret;
490
buffer_length += (size_t) ret;
445
494
if (buffer_length > 0){
446
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
447
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
499
if (decrypted_buffer_size >= 0){
500
while(written < (size_t) decrypted_buffer_size){
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
504
if(ret == 0 and ferror(stdout)){
506
fprintf(stderr, "Error writing encrypted data: %s\n",
512
written += (size_t)ret;
448
514
free(decrypted_buffer);
481
547
const char *host_name,
482
548
const AvahiAddress *address,
484
AvahiStringList *txt,
485
AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
486
552
AVAHI_GCC_UNUSED void* userdata) {
490
/* Called whenever a service has been resolved successfully or timed out */
493
case AVAHI_RESOLVER_FAILURE:
494
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
497
case AVAHI_RESOLVER_FOUND: {
498
char ip[AVAHI_ADDRESS_STR_MAX];
499
avahi_address_snprint(ip, sizeof(ip), address);
501
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
503
int ret = start_mandos_communication(ip, port);
554
assert(r); /* Spurious warning */
556
/* Called whenever a service has been resolved successfully or
561
case AVAHI_RESOLVER_FAILURE:
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
567
case AVAHI_RESOLVER_FOUND:
569
char ip[AVAHI_ADDRESS_STR_MAX];
570
avahi_address_snprint(ip, sizeof(ip), address);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
575
int ret = start_mandos_communication(ip, port, interface);
511
avahi_s_service_resolver_free(r);
581
avahi_s_service_resolver_free(r);
514
584
static void browse_callback(
523
593
void* userdata) {
525
595
AvahiServer *s = userdata;
528
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
596
assert(b); /* Spurious warning */
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
532
case AVAHI_BROWSER_FAILURE:
534
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
535
avahi_simple_poll_quit(simple_poll);
538
case AVAHI_BROWSER_NEW:
539
/* We ignore the returned resolver object. In the callback
540
function we free it. If the server is terminated before
541
the callback function is called the server will free
542
the resolver for us. */
544
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
545
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
549
case AVAHI_BROWSER_REMOVE:
552
case AVAHI_BROWSER_ALL_FOR_NOW:
553
case AVAHI_BROWSER_CACHE_EXHAUSTED:
603
case AVAHI_BROWSER_FAILURE:
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
624
case AVAHI_BROWSER_REMOVE:
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
643
memcpy(tmp, first, f_len);
647
memcpy(tmp + f_len + 1, second, s_len);
649
tmp[f_len + 1 + s_len] = '\0';
558
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
559
655
AvahiServerConfig config;
560
656
AvahiSServiceBrowser *sb = NULL;
563
659
int returncode = EXIT_SUCCESS;
660
const char *interface = "eth0";
661
struct ifreq network;
663
char *connect_to = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
566
667
static struct option long_options[] = {
567
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
568
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
571
676
int option_index = 0;
572
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
677
ret = getopt_long (argc, argv, "i:", long_options,
582
688
interface = optarg;
585
703
exit(EXIT_FAILURE);
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
723
fprintf(stderr, "No such interface: \"%s\"\n", interface);
727
if(connect_to != NULL){
728
/* Connect directly, do not use Zeroconf */
729
/* (Mainly meant for debugging) */
730
char *address = strrchr(connect_to, ':');
732
fprintf(stderr, "No colon in address\n");
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
738
perror("Bad port number");
742
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
754
returncode = EXIT_FAILURE;
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
590
777
avahi_set_log_function(empty_log);
593
780
/* Initialize the psuedo-RNG */
781
srand((unsigned int) time(NULL));
596
783
/* Allocate main loop object */
597
784
if (!(simple_poll = avahi_simple_poll_new())) {
598
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
608
795
config.publish_domain = 0;
610
797
/* Allocate a new server */
611
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
613
801
/* Free the configuration data */
614
802
avahi_server_config_free(&config);
616
804
/* Check if creating the server object succeeded */
618
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
806
fprintf(stderr, "Failed to create server: %s\n",
807
avahi_strerror(error));
619
808
returncode = EXIT_FAILURE;
623
812
/* Create the service browser */
624
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
625
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
813
sb = avahi_s_service_browser_new(server, if_index,
815
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
818
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
626
820
returncode = EXIT_FAILURE;