(root)/mandos/trunk
» Revision
24.1.81
(compared to revision 237.2.7)
: plugins.d/password-request.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 24.1.81
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.81
- Committer: Björn Påhlsson
- Date: 2008-09-03 18:47:50 UTC
- mto: (24.1.154 mandos) (237.4.3 mandos-release)
- mto: This revision was merged to the branch mainline in revision 149.
- Revision ID: belorn@braxen-20080903184750-s0k0jrrq0lxiamwh
removed keyring pre-requirement for starting password-request.
Keys will now be imported in run-time to a run-time created keyring
Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.
Keys will now be imported in run-time to a run-time created keyring
Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
plugins.d/password-request.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
102
101
103
102
#define BUFFER_SIZE 256
104
103
104
/*
105
#define PATHDIR "/conf/conf.d/mandos"
106
*/
107
105
108
#define PATHDIR "/conf/conf.d/mandos"
106
109
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
110
#define PUBKEY "pupkey.txt"
108
111
109
112
bool debug = false;
110
113
static const char mandos_protocol_version[] = "1";
111
const char *argp_program_version = "mandos-client " VERSION;
114
const char *argp_program_version = "password-request 1.0";
112
115
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
113
116
114
117
/* Used for passing in values through the Avahi callback functions */
147
150
int ret;
148
151
gpgme_error_t rc;
149
152
gpgme_engine_info_t engine_info;
150
153
151
154
152
155
/*
153
156
* Helper function to insert pub and seckey to the enigne keyring.
156
159
int fd;
157
160
gpgme_data_t pgp_data;
158
161
159
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
162
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
163
if(fd == -1){
161
164
perror("open");
162
165
return false;
168
171
gpgme_strsource(rc), gpgme_strerror(rc));
169
172
return false;
170
173
}
171
174
172
175
rc = gpgme_op_import(mc->ctx, pgp_data);
173
176
if (rc != GPG_ERR_NO_ERROR){
174
177
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
178
gpgme_strsource(rc), gpgme_strerror(rc));
176
179
return false;
177
180
}
178
179
ret = (int)TEMP_FAILURE_RETRY(close(fd));
181
182
ret = TEMP_FAILURE_RETRY(close(fd));
180
183
if(ret == -1){
181
184
perror("close");
182
185
}
187
190
if (debug){
188
191
fprintf(stderr, "Initialize gpgme\n");
189
192
}
190
193
191
194
/* Init GPGME */
192
195
gpgme_check_version(NULL);
193
196
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
196
199
gpgme_strsource(rc), gpgme_strerror(rc));
197
200
return false;
198
201
}
199
202
200
203
/* Set GPGME home directory for the OpenPGP engine only */
201
204
rc = gpgme_get_engine_info (&engine_info);
202
205
if (rc != GPG_ERR_NO_ERROR){
216
219
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
220
return false;
218
221
}
219
222
220
223
/* Create new GPGME "context" */
221
224
rc = gpgme_new(&(mc->ctx));
222
225
if (rc != GPG_ERR_NO_ERROR){
312
315
313
316
/* Seek back to the beginning of the GPGME plaintext data buffer */
314
317
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
315
perror("gpgme_data_seek");
318
perror("pgpme_data_seek");
316
319
plaintext_length = -1;
317
320
goto decrypt_end;
318
321
}
342
345
}
343
346
plaintext_length += ret;
344
347
}
345
348
346
349
if(debug){
347
350
fprintf(stderr, "Decrypted password is: ");
348
351
for(ssize_t i = 0; i < plaintext_length; i++){
409
412
}
410
413
411
414
if(debug){
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
415
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
416
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
414
417
seckeyfilename);
415
418
}
416
419
441
444
}
442
445
443
446
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
444
447
445
448
return 0;
446
449
447
450
globalfail:
448
451
449
452
gnutls_certificate_free_credentials(mc->cred);
450
453
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
452
454
return -1;
455
453
456
}
454
457
455
458
static int init_gnutls_session(mandos_context *mc,
501
504
AvahiIfIndex if_index,
502
505
mandos_context *mc){
503
506
int ret, tcp_sd;
504
ssize_t sret;
505
507
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
506
508
char *buffer = NULL;
507
509
char *decrypted_buffer;
528
530
perror("socket");
529
531
return -1;
530
532
}
531
533
532
534
if(debug){
533
535
if(if_indextoname((unsigned int)if_index, interface) == NULL){
534
536
perror("if_indextoname");
573
575
perror("connect");
574
576
return -1;
575
577
}
576
578
577
579
const char *out = mandos_protocol_version;
578
580
written = 0;
579
581
while (true){
580
582
size_t out_size = strlen(out);
581
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
583
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
582
584
out_size - written));
583
585
if (ret == -1){
584
586
perror("write");
597
599
}
598
600
}
599
601
}
600
602
601
603
if(debug){
602
604
fprintf(stderr, "Establishing TLS session with %s\n", ip);
603
605
}
604
606
605
607
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
606
608
607
609
do{
608
610
ret = gnutls_handshake (session);
609
611
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
623
625
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
624
626
ip);
625
627
}
626
628
627
629
while(true){
628
630
buffer_capacity = adjustbuffer(&buffer, buffer_length,
629
631
buffer_capacity);
633
635
goto mandos_end;
634
636
}
635
637
636
sret = gnutls_record_recv(session, buffer+buffer_length,
637
BUFFER_SIZE);
638
if (sret == 0){
638
ret = gnutls_record_recv(session, buffer+buffer_length,
639
BUFFER_SIZE);
640
if (ret == 0){
639
641
break;
640
642
}
641
if (sret < 0){
642
switch(sret){
643
if (ret < 0){
644
switch(ret){
643
645
case GNUTLS_E_INTERRUPTED:
644
646
case GNUTLS_E_AGAIN:
645
647
break;
662
664
goto mandos_end;
663
665
}
664
666
} else {
665
buffer_length += (size_t) sret;
667
buffer_length += (size_t) ret;
666
668
}
667
669
}
668
670
704
706
705
707
mandos_end:
706
708
free(buffer);
707
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
709
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
708
710
if(ret == -1){
709
711
perror("close");
710
712
}
826
828
const char *pubkey = PATHDIR "/" PUBKEY;
827
829
828
830
mandos_context mc = { .simple_poll = NULL, .server = NULL,
829
.dh_bits = 1024, .priority = "SECURE256"
830
":!CTYPE-X.509:+CTYPE-OPENPGP" };
831
.dh_bits = 1024, .priority = "SECURE256"};
831
832
bool gnutls_initalized = false;
832
bool gpgme_initalized = false;
833
bool pgpme_initalized = false;
833
834
834
835
{
835
836
struct argp_option options[] = {
836
837
{ .name = "debug", .key = 128,
837
838
.doc = "Debug mode", .group = 3 },
838
839
{ .name = "connect", .key = 'c',
839
.arg = "ADDRESS:PORT",
840
.doc = "Connect directly to a specific Mandos server",
840
.arg = "IP",
841
.doc = "Connect directly to a sepcified mandos server",
841
842
.group = 1 },
842
843
{ .name = "interface", .key = 'i',
843
.arg = "NAME",
844
.doc = "Interface that will be used to search for Mandos"
845
" servers",
844
.arg = "INTERFACE",
845
.doc = "Interface that Avahi will conntect through",
846
846
.group = 1 },
847
847
{ .name = "seckey", .key = 's',
848
.arg = "FILE",
849
.doc = "OpenPGP secret key file base name",
848
.arg = "SECKEY",
849
.doc = "Secret openpgp key for gnutls authentication",
850
850
.group = 1 },
851
851
{ .name = "pubkey", .key = 'p',
852
.arg = "FILE",
853
.doc = "OpenPGP public key file base name",
852
.arg = "PUBKEY",
853
.doc = "Public openpgp key for gnutls authentication",
854
854
.group = 2 },
855
855
{ .name = "dh-bits", .key = 129,
856
856
.arg = "BITS",
857
.doc = "Bit length of the prime number used in the"
858
" Diffie-Hellman key exchange",
857
.doc = "dh-bits to use in gnutls communication",
859
858
.group = 2 },
860
859
{ .name = "priority", .key = 130,
861
.arg = "STRING",
862
.doc = "GnuTLS priority string for the TLS handshake",
863
.group = 1 },
860
.arg = "PRIORITY",
861
.doc = "GNUTLS priority", .group = 1 },
864
862
{ .name = NULL }
865
863
};
864
866
865
867
866
error_t parse_opt (int key, char *arg,
868
867
struct argp_state *state) {
869
868
/* Get the INPUT argument from `argp_parse', which we know is
870
869
a pointer to our plugin list pointer. */
871
870
switch (key) {
872
case 128: /* --debug */
871
case 128:
873
872
debug = true;
874
873
break;
875
case 'c': /* --connect */
874
case 'c':
876
875
connect_to = arg;
877
876
break;
878
case 'i': /* --interface */
877
case 'i':
879
878
interface = arg;
880
879
break;
881
case 's': /* --seckey */
880
case 's':
882
881
seckey = arg;
883
882
break;
884
case 'p': /* --pubkey */
883
case 'p':
885
884
pubkey = arg;
886
885
break;
887
case 129: /* --dh-bits */
886
case 129:
888
887
errno = 0;
889
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
890
889
if (errno){
892
891
exit(EXIT_FAILURE);
893
892
}
894
893
break;
895
case 130: /* --priority */
894
case 130:
896
895
mc.priority = arg;
897
896
break;
898
897
case ARGP_KEY_ARG:
904
903
}
905
904
return 0;
906
905
}
907
906
908
907
struct argp argp = { .options = options, .parser = parse_opt,
909
908
.args_doc = "",
910
909
.doc = "Mandos client -- Get and decrypt"
911
" passwords from a Mandos server" };
910
" passwords from mandos server" };
912
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
913
912
if (ret == ARGP_ERR_UNKNOWN){
914
913
fprintf(stderr, "Unknown error while parsing arguments\n");
916
915
goto end;
917
916
}
918
917
}
918
919
ret = init_gnutls_global(&mc, pubkey, seckey);
920
if (ret == -1){
921
fprintf(stderr, "init_gnutls_global failed\n");
922
exitcode = EXIT_FAILURE;
923
goto end;
924
} else {
925
gnutls_initalized = true;
926
}
927
928
if(mkdtemp(tempdir) == NULL){
929
perror("mkdtemp");
930
tempdir[0] = '\0';
931
goto end;
932
}
933
934
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
935
fprintf(stderr, "pgpme_initalized failed\n");
936
exitcode = EXIT_FAILURE;
937
goto end;
938
} else {
939
pgpme_initalized = true;
940
}
919
941
920
942
/* If the interface is down, bring it up */
921
943
{
941
963
goto end;
942
964
}
943
965
}
944
ret = (int)TEMP_FAILURE_RETRY(close(sd));
966
ret = TEMP_FAILURE_RETRY(close(sd));
945
967
if(ret == -1){
946
968
perror("close");
947
969
}
960
982
perror("setgid");
961
983
}
962
984
963
ret = init_gnutls_global(&mc, pubkey, seckey);
964
if (ret == -1){
965
fprintf(stderr, "init_gnutls_global failed\n");
966
exitcode = EXIT_FAILURE;
967
goto end;
968
} else {
969
gnutls_initalized = true;
970
}
971
972
if(mkdtemp(tempdir) == NULL){
973
perror("mkdtemp");
974
tempdir[0] = '\0';
975
goto end;
976
}
977
978
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
979
fprintf(stderr, "gpgme_initalized failed\n");
980
exitcode = EXIT_FAILURE;
981
goto end;
982
} else {
983
gpgme_initalized = true;
984
}
985
986
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
987
986
if(if_index == 0){
988
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1031
1030
exitcode = EXIT_FAILURE;
1032
1031
goto end;
1033
1032
}
1034
1033
1035
1034
{
1036
1035
AvahiServerConfig config;
1037
1036
/* Do not publish any local Zeroconf records */
1040
1039
config.publish_addresses = 0;
1041
1040
config.publish_workstation = 0;
1042
1041
config.publish_domain = 0;
1043
1042
1044
1043
/* Allocate a new server */
1045
1044
mc.server = avahi_server_new(avahi_simple_poll_get
1046
1045
(mc.simple_poll), &config, NULL,
1047
1046
NULL, &error);
1048
1047
1049
1048
/* Free the Avahi configuration data */
1050
1049
avahi_server_config_free(&config);
1051
1050
}
1071
1070
}
1072
1071
1073
1072
/* Run the main loop */
1074
1073
1075
1074
if (debug){
1076
1075
fprintf(stderr, "Starting Avahi loop search\n");
1077
1076
}
1079
1078
avahi_simple_poll_loop(mc.simple_poll);
1080
1079
1081
1080
end:
1082
1081
1083
1082
if (debug){
1084
1083
fprintf(stderr, "%s exiting\n", argv[0]);
1085
1084
}
1090
1089
1091
1090
if (mc.server != NULL)
1092
1091
avahi_server_free(mc.server);
1093
1092
1094
1093
if (mc.simple_poll != NULL)
1095
1094
avahi_simple_poll_free(mc.simple_poll);
1096
1095
1097
1096
if (gnutls_initalized){
1098
1097
gnutls_certificate_free_credentials(mc.cred);
1099
1098
gnutls_global_deinit ();
1100
gnutls_dh_params_deinit(mc.dh_params);
1101
1099
}
1102
1103
if(gpgme_initalized){
1100
1101
if(pgpme_initalized){
1104
1102
gpgme_release(mc.ctx);
1105
1103
}
1106
1104
1107
1105
/* Removes the temp directory used by GPGME */
1108
1106
if(tempdir[0] != '\0'){
1109
1107
DIR *d;
1133
1131
free(fullname);
1134
1132
}
1135
1133
}
1136
closedir(d);
1137
1134
}
1138
1135
ret = rmdir(tempdir);
1139
1136
if(ret == -1){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0