To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.7
- Committer: Björn Påhlsson
- Date: 2008-08-02 15:47:42 UTC
- mfrom: (36 mandos)
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802154742-pixsom1utki8x3yo
merge
- files added:
- ca.pem
- files removed:
- mandos-client.xml
- files renamed:
- mandos-client.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <assert.h> /* assert() */
57
#include <errno.h> /* perror(), errno */
58
#include <time.h> /* time() */
59
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
60
SIOCSIFFLAGS, if_indextoname(),
61
if_nametoindex(), IF_NAMESIZE */
62
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
63
getuid(), getgid(), setuid(),
64
setgid() */
65
#include <netinet/in.h>
66
#include <arpa/inet.h> /* inet_pton(), htons */
67
#include <iso646.h> /* not, and */
68
#include <argp.h> /* struct argp_option, error_t, struct
69
argp_state, struct argp,
70
argp_parse(), ARGP_KEY_ARG,
71
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
72
73
/* Avahi */
74
/* All Avahi types, constants and functions
75
Avahi*, avahi_*,
76
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
77
43
#include <avahi-core/core.h>
78
44
#include <avahi-core/lookup.h>
79
45
#include <avahi-core/log.h>
81
47
#include <avahi-common/malloc.h>
82
48
#include <avahi-common/error.h>
83
49
84
/* GnuTLS */
85
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and functions
94
gpgme_*
95
GPGME_PROTOCOL_OpenPGP,
96
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
97
70
98
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
73
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
99
77
100
78
bool debug = false;
101
static const char *keydir = "/conf/conf.d/mandos";
102
static const char mandos_protocol_version[] = "1";
103
const char *argp_program_version = "mandosclient 0.9";
104
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
105
79
106
/* Used for passing in values through the Avahi callback functions */
107
80
typedef struct {
108
AvahiSimplePoll *simple_poll;
109
AvahiServer *server;
81
gnutls_session_t session;
110
82
gnutls_certificate_credentials_t cred;
111
unsigned int dh_bits;
112
83
gnutls_dh_params_t dh_params;
113
const char *priority;
114
} mandos_context;
115
116
/*
117
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
118
* "buffer_capacity" is how much is currently allocated,
119
* "buffer_length" is how much is already used.
120
*/
121
size_t adjustbuffer(char **buffer, size_t buffer_length,
122
size_t buffer_capacity){
123
if (buffer_length + BUFFER_SIZE > buffer_capacity){
124
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
125
if (buffer == NULL){
126
return 0;
127
}
128
buffer_capacity += BUFFER_SIZE;
129
}
130
return buffer_capacity;
131
}
132
133
/*
134
* Decrypt OpenPGP data using keyrings in HOMEDIR.
135
* Returns -1 on error
136
*/
137
static ssize_t pgp_packet_decrypt (const char *cryptotext,
138
size_t crypto_size,
139
char **plaintext,
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
140
89
const char *homedir){
141
90
gpgme_data_t dh_crypto, dh_plain;
142
91
gpgme_ctx_t ctx;
143
92
gpgme_error_t rc;
144
93
ssize_t ret;
145
size_t plaintext_capacity = 0;
146
ssize_t plaintext_length = 0;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
147
96
gpgme_engine_info_t engine_info;
148
97
149
98
if (debug){
150
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
151
100
}
152
101
153
102
/* Init GPGME */
159
108
return -1;
160
109
}
161
110
162
/* Set GPGME home directory for the OpenPGP engine only */
111
/* Set GPGME home directory */
163
112
rc = gpgme_get_engine_info (&engine_info);
164
113
if (rc != GPG_ERR_NO_ERROR){
165
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
175
124
engine_info = engine_info->next;
176
125
}
177
126
if(engine_info == NULL){
178
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
179
128
return -1;
180
129
}
181
130
182
/* Create new GPGME data buffer from memory cryptotext */
183
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
184
0);
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
185
133
if (rc != GPG_ERR_NO_ERROR){
186
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
187
135
gpgme_strsource(rc), gpgme_strerror(rc));
193
141
if (rc != GPG_ERR_NO_ERROR){
194
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
195
143
gpgme_strsource(rc), gpgme_strerror(rc));
196
gpgme_data_release(dh_crypto);
197
144
return -1;
198
145
}
199
146
202
149
if (rc != GPG_ERR_NO_ERROR){
203
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
204
151
gpgme_strsource(rc), gpgme_strerror(rc));
205
plaintext_length = -1;
206
goto decrypt_end;
152
return -1;
207
153
}
208
154
209
/* Decrypt data from the cryptotext data buffer to the plaintext
210
data buffer */
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
211
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
212
158
if (rc != GPG_ERR_NO_ERROR){
213
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
214
160
gpgme_strsource(rc), gpgme_strerror(rc));
215
plaintext_length = -1;
216
goto decrypt_end;
161
return -1;
217
162
}
218
163
219
164
if(debug){
220
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
221
166
}
222
167
223
168
if (debug){
224
169
gpgme_decrypt_result_t result;
225
170
result = gpgme_op_decrypt_result(ctx);
249
194
}
250
195
}
251
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
199
252
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
253
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
202
perror("pgpme_data_seek");
255
plaintext_length = -1;
256
goto decrypt_end;
257
203
}
258
204
259
*plaintext = NULL;
205
*new_packet = 0;
260
206
while(true){
261
plaintext_capacity = adjustbuffer(plaintext,
262
(size_t)plaintext_length,
263
plaintext_capacity);
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
266
plaintext_length = -1;
267
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
268
216
}
269
217
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
271
219
BUFFER_SIZE);
272
220
/* Print the data, if any */
273
221
if (ret == 0){
274
/* EOF */
275
222
break;
276
223
}
277
224
if(ret < 0){
278
225
perror("gpgme_data_read");
279
plaintext_length = -1;
280
goto decrypt_end;
226
return -1;
281
227
}
282
plaintext_length += ret;
228
new_packet_length += ret;
283
229
}
284
230
285
if(debug){
286
fprintf(stderr, "Decrypted password is: ");
287
for(ssize_t i = 0; i < plaintext_length; i++){
288
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
289
}
290
fprintf(stderr, "\n");
291
}
292
293
decrypt_end:
294
295
/* Delete the GPGME cryptotext data buffer */
296
gpgme_data_release(dh_crypto);
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
297
238
298
239
/* Delete the GPGME plaintext data buffer */
299
240
gpgme_data_release(dh_plain);
300
return plaintext_length;
241
return new_packet_length;
301
242
}
302
243
303
244
static const char * safer_gnutls_strerror (int value) {
307
248
return ret;
308
249
}
309
250
310
/* GnuTLS log function callback */
311
251
static void debuggnutls(__attribute__((unused)) int level,
312
252
const char* string){
313
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
314
254
}
315
255
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfile,
318
const char *seckeyfile){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
319
258
int ret;
320
259
321
260
if(debug){
322
261
fprintf(stderr, "Initializing GnuTLS\n");
323
262
}
324
325
ret = gnutls_global_init();
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
329
267
return -1;
330
268
}
331
269
332
270
if (debug){
333
/* "Use a log level over 10 to enable all debugging options."
334
* - GnuTLS manual
335
*/
336
271
gnutls_global_set_log_level(11);
337
272
gnutls_global_set_log_function(debuggnutls);
338
273
}
339
274
340
/* OpenPGP credentials */
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n",
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
344
279
safer_gnutls_strerror(ret));
345
gnutls_global_deinit ();
346
280
return -1;
347
281
}
348
282
349
283
if(debug){
350
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
351
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
352
seckeyfile);
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
353
287
}
354
288
355
289
ret = gnutls_certificate_set_openpgp_key_file
356
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
357
291
if (ret != GNUTLS_E_SUCCESS) {
358
fprintf(stderr,
359
"Error[%d] while reading the OpenPGP key pair ('%s',"
360
" '%s')\n", ret, pubkeyfile, seckeyfile);
361
fprintf(stdout, "The GnuTLS error is: %s\n",
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
362
297
safer_gnutls_strerror(ret));
363
goto globalfail;
364
}
365
366
/* GnuTLS server initialization */
367
ret = gnutls_dh_params_init(&mc->dh_params);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
370
" %s\n", safer_gnutls_strerror(ret));
371
goto globalfail;
372
}
373
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
376
safer_gnutls_strerror(ret));
377
goto globalfail;
378
}
379
380
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
381
382
return 0;
383
384
globalfail:
385
386
gnutls_certificate_free_credentials(mc->cred);
387
gnutls_global_deinit();
388
return -1;
389
390
}
391
392
static int init_gnutls_session(mandos_context *mc,
393
gnutls_session_t *session){
394
int ret;
395
/* GnuTLS session creation */
396
ret = gnutls_init(session, GNUTLS_SERVER);
397
if (ret != GNUTLS_E_SUCCESS){
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
398
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
399
322
safer_gnutls_strerror(ret));
400
323
}
401
324
402
{
403
const char *err;
404
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
405
if (ret != GNUTLS_E_SUCCESS) {
406
fprintf(stderr, "Syntax error at: %s\n", err);
407
fprintf(stderr, "GnuTLS error: %s\n",
408
safer_gnutls_strerror(ret));
409
gnutls_deinit (*session);
410
return -1;
411
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
412
331
}
413
332
414
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
415
mc->cred);
416
if (ret != GNUTLS_E_SUCCESS) {
417
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
418
337
safer_gnutls_strerror(ret));
419
gnutls_deinit (*session);
420
338
return -1;
421
339
}
422
340
423
341
/* ignore client certificate if any. */
424
gnutls_certificate_server_set_request (*session,
342
gnutls_certificate_server_set_request (es->session,
425
343
GNUTLS_CERT_IGNORE);
426
344
427
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
428
346
429
347
return 0;
430
348
}
431
349
432
/* Avahi log function callback */
433
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
434
351
__attribute__((unused)) const char *txt){}
435
352
436
/* Called when a Mandos server is found */
437
353
static int start_mandos_communication(const char *ip, uint16_t port,
438
AvahiIfIndex if_index,
439
mandos_context *mc){
354
AvahiIfIndex if_index){
440
355
int ret, tcp_sd;
441
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
442
358
char *buffer = NULL;
443
359
char *decrypted_buffer;
444
360
size_t buffer_length = 0;
445
361
size_t buffer_capacity = 0;
446
362
ssize_t decrypted_buffer_size;
447
size_t written;
363
size_t written = 0;
448
364
int retval = 0;
449
365
char interface[IF_NAMESIZE];
450
gnutls_session_t session;
451
452
ret = init_gnutls_session (mc, &session);
453
if (ret != 0){
454
return -1;
455
}
456
366
457
367
if(debug){
458
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
467
377
468
378
if(debug){
469
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
470
perror("if_indextoname");
380
if(debug){
381
perror("if_indextoname");
382
}
471
383
return -1;
472
384
}
385
473
386
fprintf(stderr, "Binding to interface %s\n", interface);
474
387
}
475
388
476
389
memset(&to,0,sizeof(to)); /* Spurious warning */
477
to.in6.sin6_family = AF_INET6;
478
/* It would be nice to have a way to detect if we were passed an
479
IPv4 address here. Now we assume an IPv6 address. */
480
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
481
392
if (ret < 0 ){
482
393
perror("inet_pton");
483
394
return -1;
484
}
395
}
485
396
if(ret == 0){
486
397
fprintf(stderr, "Bad address: %s\n", ip);
487
398
return -1;
488
399
}
489
to.in6.sin6_port = htons(port); /* Spurious warning */
400
to.sin6_port = htons(port); /* Spurious warning */
490
401
491
to.in6.sin6_scope_id = (uint32_t)if_index;
402
to.sin6_scope_id = (uint32_t)if_index;
492
403
493
404
if(debug){
494
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
495
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
497
sizeof(addrstr)) == NULL){
498
perror("inet_ntop");
499
} else {
500
if(strcmp(addrstr, ip) != 0){
501
fprintf(stderr, "Canonical address form: %s\n", addrstr);
502
}
503
}
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
504
414
}
505
415
506
ret = connect(tcp_sd, &to.in, sizeof(to));
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
507
417
if (ret < 0){
508
418
perror("connect");
509
419
return -1;
510
420
}
511
512
const char *out = mandos_protocol_version;
513
written = 0;
514
while (true){
515
size_t out_size = strlen(out);
516
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
517
out_size - written));
518
if (ret == -1){
519
perror("write");
520
retval = -1;
521
goto mandos_end;
522
}
523
written += (size_t)ret;
524
if(written < out_size){
525
continue;
526
} else {
527
if (out == mandos_protocol_version){
528
written = 0;
529
out = "\r\n";
530
} else {
531
break;
532
}
533
}
421
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
534
426
}
535
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
536
431
if(debug){
537
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
433
}
539
434
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
435
ret = gnutls_handshake (es.session);
545
436
546
437
if (ret != GNUTLS_E_SUCCESS){
547
438
if(debug){
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
439
fprintf(stderr, "\n*** Handshake failed ***\n");
549
440
gnutls_perror (ret);
550
441
}
551
442
retval = -1;
552
goto mandos_end;
443
goto exit;
553
444
}
554
445
555
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
556
447
557
448
if(debug){
558
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
560
451
}
561
452
562
453
while(true){
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
565
if (buffer_capacity == 0){
566
perror("adjustbuffer");
567
retval = -1;
568
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
569
461
}
570
462
571
ret = gnutls_record_recv(session, buffer+buffer_length,
572
BUFFER_SIZE);
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
573
465
if (ret == 0){
574
466
break;
575
467
}
579
471
case GNUTLS_E_AGAIN:
580
472
break;
581
473
case GNUTLS_E_REHANDSHAKE:
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
474
ret = gnutls_handshake (es.session);
585
475
if (ret < 0){
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
476
fprintf(stderr, "\n*** Handshake failed ***\n");
587
477
gnutls_perror (ret);
588
478
retval = -1;
589
goto mandos_end;
479
goto exit;
590
480
}
591
481
break;
592
482
default:
593
483
fprintf(stderr, "Unknown error while reading data from"
594
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
595
485
retval = -1;
596
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
598
488
}
599
489
} else {
600
490
buffer_length += (size_t) ret;
601
491
}
602
492
}
603
493
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
610
494
if (buffer_length > 0){
611
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
612
496
buffer_length,
613
497
&decrypted_buffer,
614
keydir);
498
certdir);
615
499
if (decrypted_buffer_size >= 0){
616
written = 0;
617
500
while(written < (size_t) decrypted_buffer_size){
618
501
ret = (int)fwrite (decrypted_buffer + written, 1,
619
502
(size_t)decrypted_buffer_size - written,
633
516
retval = -1;
634
517
}
635
518
}
636
637
/* Shutdown procedure */
638
639
mandos_end:
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
640
526
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
641
529
close(tcp_sd);
642
gnutls_deinit (session);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
643
533
return retval;
644
534
}
645
535
646
static void resolve_callback(AvahiSServiceResolver *r,
647
AvahiIfIndex interface,
648
AVAHI_GCC_UNUSED AvahiProtocol protocol,
649
AvahiResolverEvent event,
650
const char *name,
651
const char *type,
652
const char *domain,
653
const char *host_name,
654
const AvahiAddress *address,
655
uint16_t port,
656
AVAHI_GCC_UNUSED AvahiStringList *txt,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
661
554
assert(r); /* Spurious warning */
662
555
663
556
/* Called whenever a service has been resolved successfully or
666
559
switch (event) {
667
560
default:
668
561
case AVAHI_RESOLVER_FAILURE:
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
671
avahi_strerror(avahi_server_errno(mc->server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
672
565
break;
673
566
674
567
case AVAHI_RESOLVER_FOUND:
676
569
char ip[AVAHI_ADDRESS_STR_MAX];
677
570
avahi_address_snprint(ip, sizeof(ip), address);
678
571
if(debug){
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
680
" port %d\n", name, host_name, ip, interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
681
574
}
682
int ret = start_mandos_communication(ip, port, interface, mc);
575
int ret = start_mandos_communication(ip, port, interface);
683
576
if (ret == 0){
684
577
exit(EXIT_SUCCESS);
685
578
}
688
581
avahi_s_service_resolver_free(r);
689
582
}
690
583
691
static void browse_callback( AvahiSServiceBrowser *b,
692
AvahiIfIndex interface,
693
AvahiProtocol protocol,
694
AvahiBrowserEvent event,
695
const char *name,
696
const char *type,
697
const char *domain,
698
AVAHI_GCC_UNUSED AvahiLookupResultFlags
699
flags,
700
void* userdata) {
701
mandos_context *mc = userdata;
702
assert(b); /* Spurious warning */
703
704
/* Called whenever a new services becomes available on the LAN or
705
is removed from the LAN */
706
707
switch (event) {
708
default:
709
case AVAHI_BROWSER_FAILURE:
710
711
fprintf(stderr, "(Avahi browser) %s\n",
712
avahi_strerror(avahi_server_errno(mc->server)));
713
avahi_simple_poll_quit(mc->simple_poll);
714
return;
715
716
case AVAHI_BROWSER_NEW:
717
/* We ignore the returned Avahi resolver object. In the callback
718
function we free it. If the Avahi server is terminated before
719
the callback function is called the Avahi server will free the
720
resolver for us. */
721
722
if (!(avahi_s_service_resolver_new(mc->server, interface,
723
protocol, name, type, domain,
724
AVAHI_PROTO_INET6, 0,
725
resolve_callback, mc)))
726
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
727
name, avahi_strerror(avahi_server_errno(mc->server)));
728
break;
729
730
case AVAHI_BROWSER_REMOVE:
731
break;
732
733
case AVAHI_BROWSER_ALL_FOR_NOW:
734
case AVAHI_BROWSER_CACHE_EXHAUSTED:
735
if(debug){
736
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
737
630
}
738
break;
739
}
740
631
}
741
632
742
633
/* Combines file name and path and returns the malloced new
749
640
return NULL;
750
641
}
751
642
if(f_len > 0){
752
memcpy(tmp, first, f_len); /* Spurious warning */
643
memcpy(tmp, first, f_len);
753
644
}
754
645
tmp[f_len] = '/';
755
646
if(s_len > 0){
756
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
647
memcpy(tmp + f_len + 1, second, s_len);
757
648
}
758
649
tmp[f_len + 1 + s_len] = '\0';
759
650
return tmp;
760
651
}
761
652
762
653
763
int main(int argc, char *argv[]){
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
764
656
AvahiSServiceBrowser *sb = NULL;
765
657
int error;
766
658
int ret;
767
int exitcode = EXIT_SUCCESS;
659
int returncode = EXIT_SUCCESS;
768
660
const char *interface = "eth0";
769
661
struct ifreq network;
770
662
int sd;
771
uid_t uid;
772
gid_t gid;
773
663
char *connect_to = NULL;
774
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
775
const char *pubkeyfile = "pubkey.txt";
776
const char *seckeyfile = "seckey.txt";
777
mandos_context mc = { .simple_poll = NULL, .server = NULL,
778
.dh_bits = 1024, .priority = "SECURE256"};
779
bool gnutls_initalized = false;
780
781
{
782
struct argp_option options[] = {
783
{ .name = "debug", .key = 128,
784
.doc = "Debug mode", .group = 3 },
785
{ .name = "connect", .key = 'c',
786
.arg = "IP",
787
.doc = "Connect directly to a sepcified mandos server",
788
.group = 1 },
789
{ .name = "interface", .key = 'i',
790
.arg = "INTERFACE",
791
.doc = "Interface that Avahi will conntect through",
792
.group = 1 },
793
{ .name = "keydir", .key = 'd',
794
.arg = "KEYDIR",
795
.doc = "Directory where the openpgp keyring is",
796
.group = 1 },
797
{ .name = "seckey", .key = 's',
798
.arg = "SECKEY",
799
.doc = "Secret openpgp key for gnutls authentication",
800
.group = 1 },
801
{ .name = "pubkey", .key = 'p',
802
.arg = "PUBKEY",
803
.doc = "Public openpgp key for gnutls authentication",
804
.group = 2 },
805
{ .name = "dh-bits", .key = 129,
806
.arg = "BITS",
807
.doc = "dh-bits to use in gnutls communication",
808
.group = 2 },
809
{ .name = "priority", .key = 130,
810
.arg = "PRIORITY",
811
.doc = "GNUTLS priority", .group = 1 },
812
{ .name = NULL }
813
};
814
815
816
error_t parse_opt (int key, char *arg,
817
struct argp_state *state) {
818
/* Get the INPUT argument from `argp_parse', which we know is
819
a pointer to our plugin list pointer. */
820
switch (key) {
821
case 128:
822
debug = true;
823
break;
824
case 'c':
825
connect_to = arg;
826
break;
827
case 'i':
828
interface = arg;
829
break;
830
case 'd':
831
keydir = arg;
832
break;
833
case 's':
834
seckeyfile = arg;
835
break;
836
case 'p':
837
pubkeyfile = arg;
838
break;
839
case 129:
840
errno = 0;
841
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
842
if (errno){
843
perror("strtol");
844
exit(EXIT_FAILURE);
845
}
846
break;
847
case 130:
848
mc.priority = arg;
849
break;
850
case ARGP_KEY_ARG:
851
argp_usage (state);
852
break;
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
857
}
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unkown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
}
872
873
pubkeyfile = combinepath(keydir, pubkeyfile);
874
if (pubkeyfile == NULL){
875
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
878
}
879
880
seckeyfile = combinepath(keydir, seckeyfile);
881
if (seckeyfile == NULL){
882
perror("combinepath");
883
goto end;
884
}
885
886
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
887
if (ret == -1){
888
fprintf(stderr, "init_gnutls_global\n");
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
uid = getuid();
895
gid = getgid();
896
897
ret = setuid(uid);
898
if (ret == -1){
899
perror("setuid");
900
}
901
902
setgid(gid);
903
if (ret == -1){
904
perror("setgid");
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
905
719
}
906
720
907
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
916
730
char *address = strrchr(connect_to, ':');
917
731
if(address == NULL){
918
732
fprintf(stderr, "No colon in address\n");
919
exitcode = EXIT_FAILURE;
920
goto end;
733
exit(EXIT_FAILURE);
921
734
}
922
735
errno = 0;
923
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
924
737
if(errno){
925
738
perror("Bad port number");
926
exitcode = EXIT_FAILURE;
927
goto end;
739
exit(EXIT_FAILURE);
928
740
}
929
741
*address = '\0';
930
742
address = connect_to;
931
ret = start_mandos_communication(address, port, if_index, &mc);
743
ret = start_mandos_communication(address, port, if_index);
932
744
if(ret < 0){
933
exitcode = EXIT_FAILURE;
745
exit(EXIT_FAILURE);
934
746
} else {
935
exitcode = EXIT_SUCCESS;
747
exit(EXIT_SUCCESS);
936
748
}
937
goto end;
938
749
}
939
750
940
/* If the interface is down, bring it up */
941
{
942
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
943
if(sd < 0) {
944
perror("socket");
945
exitcode = EXIT_FAILURE;
946
goto end;
947
}
948
strcpy(network.ifr_name, interface); /* Spurious warning */
949
ret = ioctl(sd, SIOCGIFFLAGS, &network);
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
756
}
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
if(ret == -1){
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
950
768
if(ret == -1){
951
perror("ioctl SIOCGIFFLAGS");
952
exitcode = EXIT_FAILURE;
953
goto end;
954
}
955
if((network.ifr_flags & IFF_UP) == 0){
956
network.ifr_flags |= IFF_UP;
957
ret = ioctl(sd, SIOCSIFFLAGS, &network);
958
if(ret == -1){
959
perror("ioctl SIOCSIFFLAGS");
960
exitcode = EXIT_FAILURE;
961
goto end;
962
}
963
}
964
close(sd);
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
965
773
}
774
close(sd);
966
775
967
776
if (not debug){
968
777
avahi_set_log_function(empty_log);
969
778
}
970
779
971
/* Initialize the pseudo-RNG for Avahi */
780
/* Initialize the psuedo-RNG */
972
781
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
796
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
1004
807
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
808
returncode = EXIT_FAILURE;
809
goto exit;
1007
810
}
1008
811
1009
/* Create the Avahi service browser */
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
1011
814
AVAHI_PROTO_INET6,
1012
815
"_mandos._tcp", NULL, 0,
1013
browse_callback, &mc);
1014
if (sb == NULL) {
816
browse_callback, server);
817
if (!sb) {
1015
818
fprintf(stderr, "Failed to create service browser: %s\n",
1016
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
1019
822
}
1020
823
1021
824
/* Run the main loop */
1022
825
1023
826
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
827
fprintf(stderr, "Starting avahi loop search\n");
1025
828
}
1026
829
1027
avahi_simple_poll_loop(mc.simple_poll);
830
avahi_simple_poll_loop(simple_poll);
1028
831
1029
end:
832
exit:
1030
833
1031
834
if (debug){
1032
835
fprintf(stderr, "%s exiting\n", argv[0]);
1033
836
}
1034
837
1035
838
/* Cleanup things */
1036
if (sb != NULL)
839
if (sb)
1037
840
avahi_s_service_browser_free(sb);
1038
841
1039
if (mc.server != NULL)
1040
avahi_server_free(mc.server);
1041
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfile);
1045
free(seckeyfile);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
1051
849
1052
return exitcode;
850
return returncode;
1053
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0