To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.8
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.8
- Committer: Björn Påhlsson
- Date: 2008-08-02 18:46:45 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802184645-t5i3yboc53gdas7m
plugbasedclient
Parse a single argument as a plus-separated list of options
Parse a single argument as a plus-separated list of options
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
35
#include <stdio.h>
38
36
#include <assert.h>
39
37
#include <stdlib.h>
40
38
#include <time.h>
41
39
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
46
42
47
43
#include <avahi-core/core.h>
48
44
#include <avahi-core/lookup.h>
51
47
#include <avahi-common/malloc.h>
52
48
#include <avahi-common/error.h>
53
49
54
/* Mandos client part */
50
//mandos client part
55
51
#include <sys/types.h> /* socket(), inet_pton() */
56
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
53
struct in6_addr, inet_pton() */
64
60
#include <string.h> /* memset */
65
61
#include <arpa/inet.h> /* inet_pton() */
66
62
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
63
64
// gpgme
72
65
#include <errno.h> /* perror() */
73
66
#include <gpgme.h>
74
67
68
// getopt long
69
#include <getopt.h>
70
75
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
73
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
76
77
77
78
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
static const char mandos_protocol_version[] = "1";
82
79
83
/* Used for passing in values through the Avahi callback functions */
84
80
typedef struct {
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
81
gnutls_session_t session;
87
82
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
89
83
gnutls_dh_params_t dh_params;
90
const char *priority;
91
} mandos_context;
92
93
/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
94
* "buffer_capacity" is how much is currently allocated,
95
* "buffer_length" is how much is already used. */
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
115
89
const char *homedir){
116
90
gpgme_data_t dh_crypto, dh_plain;
117
91
gpgme_ctx_t ctx;
118
92
gpgme_error_t rc;
119
93
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
122
96
gpgme_engine_info_t engine_info;
123
97
124
98
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
100
}
127
101
128
102
/* Init GPGME */
134
108
return -1;
135
109
}
136
110
137
/* Set GPGME home directory for the OpenPGP engine only */
111
/* Set GPGME home directory */
138
112
rc = gpgme_get_engine_info (&engine_info);
139
113
if (rc != GPG_ERR_NO_ERROR){
140
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
124
engine_info = engine_info->next;
151
125
}
152
126
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
128
return -1;
155
129
}
156
130
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
133
if (rc != GPG_ERR_NO_ERROR){
161
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
135
gpgme_strsource(rc), gpgme_strerror(rc));
168
141
if (rc != GPG_ERR_NO_ERROR){
169
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
143
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
144
return -1;
173
145
}
174
146
177
149
if (rc != GPG_ERR_NO_ERROR){
178
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
151
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
152
return -1;
182
153
}
183
154
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
186
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
158
if (rc != GPG_ERR_NO_ERROR){
188
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
160
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
161
return -1;
192
162
}
193
163
194
164
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
166
}
197
167
198
168
if (debug){
199
169
gpgme_decrypt_result_t result;
200
170
result = gpgme_op_decrypt_result(ctx);
224
194
}
225
195
}
226
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
199
227
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
202
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
203
}
233
204
234
*plaintext = NULL;
205
*new_packet = 0;
235
206
while(true){
236
plaintext_capacity = adjustbuffer(plaintext,
237
(size_t)plaintext_length,
238
plaintext_capacity);
239
if (plaintext_capacity == 0){
240
perror("adjustbuffer");
241
plaintext_length = -1;
242
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
243
216
}
244
217
245
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
246
219
BUFFER_SIZE);
247
220
/* Print the data, if any */
248
221
if (ret == 0){
249
/* EOF */
250
222
break;
251
223
}
252
224
if(ret < 0){
253
225
perror("gpgme_data_read");
254
plaintext_length = -1;
255
goto decrypt_end;
226
return -1;
256
227
}
257
plaintext_length += ret;
228
new_packet_length += ret;
258
229
}
259
230
260
if(debug){
261
fprintf(stderr, "Decrypted password is: ");
262
for(ssize_t i = 0; i < plaintext_length; i++){
263
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
264
}
265
fprintf(stderr, "\n");
266
}
267
268
decrypt_end:
269
270
/* Delete the GPGME cryptotext data buffer */
271
gpgme_data_release(dh_crypto);
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
272
238
273
239
/* Delete the GPGME plaintext data buffer */
274
240
gpgme_data_release(dh_plain);
275
return plaintext_length;
241
return new_packet_length;
276
242
}
277
243
278
244
static const char * safer_gnutls_strerror (int value) {
282
248
return ret;
283
249
}
284
250
285
/* GnuTLS log function callback */
286
251
static void debuggnutls(__attribute__((unused)) int level,
287
252
const char* string){
288
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
289
254
}
290
255
291
static int init_gnutls_global(mandos_context *mc,
292
const char *pubkeyfile,
293
const char *seckeyfile){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
294
258
int ret;
295
259
296
260
if(debug){
299
263
300
264
if ((ret = gnutls_global_init ())
301
265
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "GnuTLS global_init: %s\n",
303
safer_gnutls_strerror(ret));
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
267
return -1;
305
268
}
306
269
307
270
if (debug){
308
/* "Use a log level over 10 to enable all debugging options."
309
* - GnuTLS manual
310
*/
311
271
gnutls_global_set_log_level(11);
312
272
gnutls_global_set_log_function(debuggnutls);
313
273
}
314
274
315
/* OpenPGP credentials */
316
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
317
277
!= GNUTLS_E_SUCCESS) {
318
fprintf (stderr, "GnuTLS memory error: %s\n",
278
fprintf (stderr, "memory error: %s\n",
319
279
safer_gnutls_strerror(ret));
320
280
return -1;
321
281
}
322
282
323
283
if(debug){
324
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
325
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
326
seckeyfile);
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
327
287
}
328
288
329
289
ret = gnutls_certificate_set_openpgp_key_file
330
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
331
291
if (ret != GNUTLS_E_SUCCESS) {
332
fprintf(stderr,
333
"Error[%d] while reading the OpenPGP key pair ('%s',"
334
" '%s')\n", ret, pubkeyfile, seckeyfile);
335
fprintf(stdout, "The GnuTLS error is: %s\n",
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
336
297
safer_gnutls_strerror(ret));
337
298
return -1;
338
299
}
339
300
340
/* GnuTLS server initialization */
341
ret = gnutls_dh_params_init(&mc->dh_params);
342
if (ret != GNUTLS_E_SUCCESS) {
343
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
344
" %s\n", safer_gnutls_strerror(ret));
345
return -1;
346
}
347
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
348
if (ret != GNUTLS_E_SUCCESS) {
349
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
350
safer_gnutls_strerror(ret));
351
return -1;
352
}
353
354
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
356
return 0;
357
}
358
359
static int init_gnutls_session(mandos_context *mc,
360
gnutls_session_t *session){
361
int ret;
362
/* GnuTLS session creation */
363
ret = gnutls_init(session, GNUTLS_SERVER);
364
if (ret != GNUTLS_E_SUCCESS){
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
365
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
366
322
safer_gnutls_strerror(ret));
367
323
}
368
324
369
{
370
const char *err;
371
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
372
if (ret != GNUTLS_E_SUCCESS) {
373
fprintf(stderr, "Syntax error at: %s\n", err);
374
fprintf(stderr, "GnuTLS error: %s\n",
375
safer_gnutls_strerror(ret));
376
return -1;
377
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
378
331
}
379
332
380
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
381
mc->cred);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
384
337
safer_gnutls_strerror(ret));
385
338
return -1;
386
339
}
387
340
388
341
/* ignore client certificate if any. */
389
gnutls_certificate_server_set_request (*session,
342
gnutls_certificate_server_set_request (es->session,
390
343
GNUTLS_CERT_IGNORE);
391
344
392
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
393
346
394
347
return 0;
395
348
}
396
349
397
/* Avahi log function callback */
398
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
399
351
__attribute__((unused)) const char *txt){}
400
352
401
/* Called when a Mandos server is found */
402
353
static int start_mandos_communication(const char *ip, uint16_t port,
403
AvahiIfIndex if_index,
404
mandos_context *mc){
354
AvahiIfIndex if_index){
405
355
int ret, tcp_sd;
406
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
407
358
char *buffer = NULL;
408
359
char *decrypted_buffer;
409
360
size_t buffer_length = 0;
410
361
size_t buffer_capacity = 0;
411
362
ssize_t decrypted_buffer_size;
412
size_t written;
363
size_t written = 0;
413
364
int retval = 0;
414
365
char interface[IF_NAMESIZE];
415
gnutls_session_t session;
416
417
ret = init_gnutls_session (mc, &session);
418
if (ret != 0){
419
return -1;
420
}
421
366
422
367
if(debug){
423
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
432
377
433
378
if(debug){
434
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
435
perror("if_indextoname");
380
if(debug){
381
perror("if_indextoname");
382
}
436
383
return -1;
437
384
}
385
438
386
fprintf(stderr, "Binding to interface %s\n", interface);
439
387
}
440
388
441
389
memset(&to,0,sizeof(to)); /* Spurious warning */
442
to.in6.sin6_family = AF_INET6;
443
/* It would be nice to have a way to detect if we were passed an
444
IPv4 address here. Now we assume an IPv6 address. */
445
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
446
392
if (ret < 0 ){
447
393
perror("inet_pton");
448
394
return -1;
449
}
395
}
450
396
if(ret == 0){
451
397
fprintf(stderr, "Bad address: %s\n", ip);
452
398
return -1;
453
399
}
454
to.in6.sin6_port = htons(port); /* Spurious warning */
400
to.sin6_port = htons(port); /* Spurious warning */
455
401
456
to.in6.sin6_scope_id = (uint32_t)if_index;
402
to.sin6_scope_id = (uint32_t)if_index;
457
403
458
404
if(debug){
459
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
460
char addrstr[INET6_ADDRSTRLEN] = "";
461
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
462
sizeof(addrstr)) == NULL){
463
perror("inet_ntop");
464
} else {
465
if(strcmp(addrstr, ip) != 0){
466
fprintf(stderr, "Canonical address form: %s\n", addrstr);
467
}
468
}
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
469
414
}
470
415
471
ret = connect(tcp_sd, &to.in, sizeof(to));
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
472
417
if (ret < 0){
473
418
perror("connect");
474
419
return -1;
475
420
}
476
477
const char *out = mandos_protocol_version;
478
written = 0;
479
while (true){
480
size_t out_size = strlen(out);
481
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
482
out_size - written));
483
if (ret == -1){
484
perror("write");
485
retval = -1;
486
goto mandos_end;
487
}
488
written += (size_t)ret;
489
if(written < out_size){
490
continue;
491
} else {
492
if (out == mandos_protocol_version){
493
written = 0;
494
out = "\r\n";
495
} else {
496
break;
497
}
498
}
421
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
499
426
}
500
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
501
431
if(debug){
502
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
503
433
}
504
434
505
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
506
507
ret = gnutls_handshake (session);
435
ret = gnutls_handshake (es.session);
508
436
509
437
if (ret != GNUTLS_E_SUCCESS){
510
438
if(debug){
511
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
439
fprintf(stderr, "\n*** Handshake failed ***\n");
512
440
gnutls_perror (ret);
513
441
}
514
442
retval = -1;
515
goto mandos_end;
443
goto exit;
516
444
}
517
445
518
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
519
447
520
448
if(debug){
521
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
523
451
}
524
452
525
453
while(true){
526
buffer_capacity = adjustbuffer(&buffer, buffer_length,
527
buffer_capacity);
528
if (buffer_capacity == 0){
529
perror("adjustbuffer");
530
retval = -1;
531
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
532
461
}
533
462
534
ret = gnutls_record_recv(session, buffer+buffer_length,
535
BUFFER_SIZE);
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
536
465
if (ret == 0){
537
466
break;
538
467
}
542
471
case GNUTLS_E_AGAIN:
543
472
break;
544
473
case GNUTLS_E_REHANDSHAKE:
545
ret = gnutls_handshake (session);
474
ret = gnutls_handshake (es.session);
546
475
if (ret < 0){
547
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
476
fprintf(stderr, "\n*** Handshake failed ***\n");
548
477
gnutls_perror (ret);
549
478
retval = -1;
550
goto mandos_end;
479
goto exit;
551
480
}
552
481
break;
553
482
default:
554
483
fprintf(stderr, "Unknown error while reading data from"
555
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
556
485
retval = -1;
557
gnutls_bye (session, GNUTLS_SHUT_RDWR);
558
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
559
488
}
560
489
} else {
561
490
buffer_length += (size_t) ret;
562
491
}
563
492
}
564
493
565
if(debug){
566
fprintf(stderr, "Closing TLS session\n");
567
}
568
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
571
494
if (buffer_length > 0){
572
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
573
496
buffer_length,
574
497
&decrypted_buffer,
575
keydir);
498
certdir);
576
499
if (decrypted_buffer_size >= 0){
577
written = 0;
578
500
while(written < (size_t) decrypted_buffer_size){
579
501
ret = (int)fwrite (decrypted_buffer + written, 1,
580
502
(size_t)decrypted_buffer_size - written,
594
516
retval = -1;
595
517
}
596
518
}
597
598
/* Shutdown procedure */
599
600
mandos_end:
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
601
526
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
602
529
close(tcp_sd);
603
gnutls_deinit (session);
604
gnutls_certificate_free_credentials (mc->cred);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
605
532
gnutls_global_deinit ();
606
533
return retval;
607
534
}
608
535
609
static void resolve_callback(AvahiSServiceResolver *r,
610
AvahiIfIndex interface,
611
AVAHI_GCC_UNUSED AvahiProtocol protocol,
612
AvahiResolverEvent event,
613
const char *name,
614
const char *type,
615
const char *domain,
616
const char *host_name,
617
const AvahiAddress *address,
618
uint16_t port,
619
AVAHI_GCC_UNUSED AvahiStringList *txt,
620
AVAHI_GCC_UNUSED AvahiLookupResultFlags
621
flags,
622
void* userdata) {
623
mandos_context *mc = userdata;
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
624
554
assert(r); /* Spurious warning */
625
555
626
556
/* Called whenever a service has been resolved successfully or
629
559
switch (event) {
630
560
default:
631
561
case AVAHI_RESOLVER_FAILURE:
632
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
633
" of type '%s' in domain '%s': %s\n", name, type, domain,
634
avahi_strerror(avahi_server_errno(mc->server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
635
565
break;
636
566
637
567
case AVAHI_RESOLVER_FOUND:
639
569
char ip[AVAHI_ADDRESS_STR_MAX];
640
570
avahi_address_snprint(ip, sizeof(ip), address);
641
571
if(debug){
642
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
643
" port %d\n", name, host_name, ip, interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
644
574
}
645
int ret = start_mandos_communication(ip, port, interface, mc);
575
int ret = start_mandos_communication(ip, port, interface);
646
576
if (ret == 0){
647
577
exit(EXIT_SUCCESS);
648
578
}
651
581
avahi_s_service_resolver_free(r);
652
582
}
653
583
654
static void browse_callback( AvahiSServiceBrowser *b,
655
AvahiIfIndex interface,
656
AvahiProtocol protocol,
657
AvahiBrowserEvent event,
658
const char *name,
659
const char *type,
660
const char *domain,
661
AVAHI_GCC_UNUSED AvahiLookupResultFlags
662
flags,
663
void* userdata) {
664
mandos_context *mc = userdata;
665
assert(b); /* Spurious warning */
666
667
/* Called whenever a new services becomes available on the LAN or
668
is removed from the LAN */
669
670
switch (event) {
671
default:
672
case AVAHI_BROWSER_FAILURE:
673
674
fprintf(stderr, "(Avahi browser) %s\n",
675
avahi_strerror(avahi_server_errno(mc->server)));
676
avahi_simple_poll_quit(mc->simple_poll);
677
return;
678
679
case AVAHI_BROWSER_NEW:
680
/* We ignore the returned Avahi resolver object. In the callback
681
function we free it. If the Avahi server is terminated before
682
the callback function is called the Avahi server will free the
683
resolver for us. */
684
685
if (!(avahi_s_service_resolver_new(mc->server, interface,
686
protocol, name, type, domain,
687
AVAHI_PROTO_INET6, 0,
688
resolve_callback, mc)))
689
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
690
name, avahi_strerror(avahi_server_errno(mc->server)));
691
break;
692
693
case AVAHI_BROWSER_REMOVE:
694
break;
695
696
case AVAHI_BROWSER_ALL_FOR_NOW:
697
case AVAHI_BROWSER_CACHE_EXHAUSTED:
698
if(debug){
699
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
700
630
}
701
break;
702
}
703
631
}
704
632
705
633
/* Combines file name and path and returns the malloced new
712
640
return NULL;
713
641
}
714
642
if(f_len > 0){
715
memcpy(tmp, first, f_len); /* Spurious warning */
643
memcpy(tmp, first, f_len);
716
644
}
717
645
tmp[f_len] = '/';
718
646
if(s_len > 0){
719
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
647
memcpy(tmp + f_len + 1, second, s_len);
720
648
}
721
649
tmp[f_len + 1 + s_len] = '\0';
722
650
return tmp;
723
651
}
724
652
725
653
726
int main(int argc, char *argv[]){
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
727
656
AvahiSServiceBrowser *sb = NULL;
728
657
int error;
729
658
int ret;
730
int exitcode = EXIT_SUCCESS;
659
int returncode = EXIT_SUCCESS;
731
660
const char *interface = "eth0";
732
661
struct ifreq network;
733
662
int sd;
734
uid_t uid;
735
gid_t gid;
736
663
char *connect_to = NULL;
737
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
738
const char *pubkeyfile = "pubkey.txt";
739
const char *seckeyfile = "seckey.txt";
740
mandos_context mc = { .simple_poll = NULL, .server = NULL,
741
.dh_bits = 1024, .priority = "SECURE256"};
742
743
{
744
struct argp_option options[] = {
745
{ .name = "debug", .key = 128,
746
.doc = "Debug mode", .group = 3 },
747
{ .name = "connect", .key = 'c',
748
.arg = "IP",
749
.doc = "Connect directly to a sepcified mandos server",
750
.group = 1 },
751
{ .name = "interface", .key = 'i',
752
.arg = "INTERFACE",
753
.doc = "Interface that Avahi will conntect through",
754
.group = 1 },
755
{ .name = "keydir", .key = 'd',
756
.arg = "KEYDIR",
757
.doc = "Directory where the openpgp keyring is",
758
.group = 1 },
759
{ .name = "seckey", .key = 's',
760
.arg = "SECKEY",
761
.doc = "Secret openpgp key for gnutls authentication",
762
.group = 1 },
763
{ .name = "pubkey", .key = 'p',
764
.arg = "PUBKEY",
765
.doc = "Public openpgp key for gnutls authentication",
766
.group = 2 },
767
{ .name = "dh-bits", .key = 129,
768
.arg = "BITS",
769
.doc = "dh-bits to use in gnutls communication",
770
.group = 2 },
771
{ .name = "priority", .key = 130,
772
.arg = "PRIORITY",
773
.doc = "GNUTLS priority", .group = 1 },
774
{ .name = NULL }
775
};
776
777
778
error_t parse_opt (int key, char *arg,
779
struct argp_state *state) {
780
/* Get the INPUT argument from `argp_parse', which we know is
781
a pointer to our plugin list pointer. */
782
switch (key) {
783
case 128:
784
debug = true;
785
break;
786
case 'c':
787
connect_to = arg;
788
break;
789
case 'i':
790
interface = arg;
791
break;
792
case 'd':
793
keydir = arg;
794
break;
795
case 's':
796
seckeyfile = arg;
797
break;
798
case 'p':
799
pubkeyfile = arg;
800
break;
801
case 129:
802
errno = 0;
803
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
804
if (errno){
805
perror("strtol");
806
exit(EXIT_FAILURE);
807
}
808
break;
809
case 130:
810
mc.priority = arg;
811
break;
812
case ARGP_KEY_ARG:
813
argp_usage (state);
814
break;
815
case ARGP_KEY_END:
816
break;
817
default:
818
return ARGP_ERR_UNKNOWN;
819
}
820
return 0;
821
}
822
823
struct argp argp = { .options = options, .parser = parse_opt,
824
.args_doc = "",
825
.doc = "Mandos client -- Get and decrypt"
826
" passwords from mandos server" };
827
argp_parse (&argp, argc, argv, 0, 0, NULL);
828
}
829
830
pubkeyfile = combinepath(keydir, pubkeyfile);
831
if (pubkeyfile == NULL){
832
perror("combinepath");
833
exitcode = EXIT_FAILURE;
834
goto end;
835
}
836
837
seckeyfile = combinepath(keydir, seckeyfile);
838
if (seckeyfile == NULL){
839
perror("combinepath");
840
goto end;
841
}
842
843
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
844
if (ret == -1){
845
fprintf(stderr, "init_gnutls_global\n");
846
goto end;
847
}
848
849
uid = getuid();
850
gid = getgid();
851
852
ret = setuid(uid);
853
if (ret == -1){
854
perror("setuid");
855
}
856
857
setgid(gid);
858
if (ret == -1){
859
perror("setgid");
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
860
719
}
861
720
862
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
871
730
char *address = strrchr(connect_to, ':');
872
731
if(address == NULL){
873
732
fprintf(stderr, "No colon in address\n");
874
exitcode = EXIT_FAILURE;
875
goto end;
733
exit(EXIT_FAILURE);
876
734
}
877
735
errno = 0;
878
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
879
737
if(errno){
880
738
perror("Bad port number");
881
exitcode = EXIT_FAILURE;
882
goto end;
739
exit(EXIT_FAILURE);
883
740
}
884
741
*address = '\0';
885
742
address = connect_to;
886
ret = start_mandos_communication(address, port, if_index, &mc);
743
ret = start_mandos_communication(address, port, if_index);
887
744
if(ret < 0){
888
exitcode = EXIT_FAILURE;
745
exit(EXIT_FAILURE);
889
746
} else {
890
exitcode = EXIT_SUCCESS;
747
exit(EXIT_SUCCESS);
891
748
}
892
goto end;
893
749
}
894
750
895
/* If the interface is down, bring it up */
896
{
897
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
898
if(sd < 0) {
899
perror("socket");
900
exitcode = EXIT_FAILURE;
901
goto end;
902
}
903
strcpy(network.ifr_name, interface); /* Spurious warning */
904
ret = ioctl(sd, SIOCGIFFLAGS, &network);
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
756
}
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
if(ret == -1){
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
905
768
if(ret == -1){
906
perror("ioctl SIOCGIFFLAGS");
907
exitcode = EXIT_FAILURE;
908
goto end;
909
}
910
if((network.ifr_flags & IFF_UP) == 0){
911
network.ifr_flags |= IFF_UP;
912
ret = ioctl(sd, SIOCSIFFLAGS, &network);
913
if(ret == -1){
914
perror("ioctl SIOCSIFFLAGS");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
close(sd);
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
920
773
}
774
close(sd);
921
775
922
776
if (not debug){
923
777
avahi_set_log_function(empty_log);
924
778
}
925
779
926
/* Initialize the pseudo-RNG for Avahi */
780
/* Initialize the psuedo-RNG */
927
781
srand((unsigned int) time(NULL));
928
929
/* Allocate main Avahi loop object */
930
mc.simple_poll = avahi_simple_poll_new();
931
if (mc.simple_poll == NULL) {
932
fprintf(stderr, "Avahi: Failed to create simple poll"
933
" object.\n");
934
exitcode = EXIT_FAILURE;
935
goto end;
936
}
937
938
{
939
AvahiServerConfig config;
940
/* Do not publish any local Zeroconf records */
941
avahi_server_config_init(&config);
942
config.publish_hinfo = 0;
943
config.publish_addresses = 0;
944
config.publish_workstation = 0;
945
config.publish_domain = 0;
946
947
/* Allocate a new server */
948
mc.server = avahi_server_new(avahi_simple_poll_get
949
(mc.simple_poll), &config, NULL,
950
NULL, &error);
951
952
/* Free the Avahi configuration data */
953
avahi_server_config_free(&config);
954
}
955
956
/* Check if creating the Avahi server object succeeded */
957
if (mc.server == NULL) {
958
fprintf(stderr, "Failed to create Avahi server: %s\n",
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
796
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
959
807
avahi_strerror(error));
960
exitcode = EXIT_FAILURE;
961
goto end;
808
returncode = EXIT_FAILURE;
809
goto exit;
962
810
}
963
811
964
/* Create the Avahi service browser */
965
sb = avahi_s_service_browser_new(mc.server, if_index,
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
966
814
AVAHI_PROTO_INET6,
967
815
"_mandos._tcp", NULL, 0,
968
browse_callback, &mc);
969
if (sb == NULL) {
816
browse_callback, server);
817
if (!sb) {
970
818
fprintf(stderr, "Failed to create service browser: %s\n",
971
avahi_strerror(avahi_server_errno(mc.server)));
972
exitcode = EXIT_FAILURE;
973
goto end;
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
974
822
}
975
823
976
824
/* Run the main loop */
977
825
978
826
if (debug){
979
fprintf(stderr, "Starting Avahi loop search\n");
827
fprintf(stderr, "Starting avahi loop search\n");
980
828
}
981
829
982
avahi_simple_poll_loop(mc.simple_poll);
830
avahi_simple_poll_loop(simple_poll);
983
831
984
end:
832
exit:
985
833
986
834
if (debug){
987
835
fprintf(stderr, "%s exiting\n", argv[0]);
988
836
}
989
837
990
838
/* Cleanup things */
991
if (sb != NULL)
839
if (sb)
992
840
avahi_s_service_browser_free(sb);
993
841
994
if (mc.server != NULL)
995
avahi_server_free(mc.server);
842
if (server)
843
avahi_server_free(server);
996
844
997
if (mc.simple_poll != NULL)
998
avahi_simple_poll_free(mc.simple_poll);
999
free(pubkeyfile);
1000
free(seckeyfile);
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
1001
849
1002
return exitcode;
850
return returncode;
1003
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0