/mandos/trunk : revision 24.1.9

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Björn Påhlsson
Date: 2008-08-02 21:06:29 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 38.
Revision ID: belorn@braxen-20080802210629-p9jc5515yufcg4ge

not working midwork...

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
COPYING

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#define BUFFER_SIZE 256

#define DH_BITS 1024

static const char *certdir = "/conf/conf.d/mandos";

static const char *certfile = "openpgp-client.txt";

static const char *certkey = "openpgp-client-key.txt";

100

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

108

typedef struct {

109

AvahiSimplePoll *simple_poll;

110

AvahiServer *server;

111

gnutls_certificate_credentials_t cred;

112

unsigned int dh_bits;

113

gnutls_dh_params_t dh_params;

114

const char *priority;

115

} mandos_context;

116

117

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

134

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

136

* Returns -1 on error

137

138

static ssize_t pgp_packet_decrypt (const char *cryptotext,

139

size_t crypto_size,

140

char **plaintext,

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

141

const char *homedir){

142

gpgme_data_t dh_crypto, dh_plain;

143

gpgme_ctx_t ctx;

144

gpgme_error_t rc;

145

ssize_t ret;

146

size_t plaintext_capacity = 0;

147

ssize_t plaintext_length = 0;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

148

gpgme_engine_info_t engine_info;

149

150

if (debug){

151

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

100

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

152

101

}

153

102

154

103

/* Init GPGME */

160

109

return -1;

161

110

}

162

111

163

/* Set GPGME home directory for the OpenPGP engine only */

112

/* Set GPGME home directory */

164

113

rc = gpgme_get_engine_info (&engine_info);

165

114

if (rc != GPG_ERR_NO_ERROR){

166

115

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

176

125

engine_info = engine_info->next;

177

126

}

178

127

if(engine_info == NULL){

179

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

128

fprintf(stderr, "Could not set home dir to %s\n", homedir);

180

129

return -1;

181

130

}

182

131

183

/* Create new GPGME data buffer from memory cryptotext */

184

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

185

0);

132

/* Create new GPGME data buffer from packet buffer */

133

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

186

134

if (rc != GPG_ERR_NO_ERROR){

187

135

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

188

136

gpgme_strsource(rc), gpgme_strerror(rc));

194

142

if (rc != GPG_ERR_NO_ERROR){

195

143

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

196

144

gpgme_strsource(rc), gpgme_strerror(rc));

197

gpgme_data_release(dh_crypto);

198

145

return -1;

199

146

}

200

147

203

150

if (rc != GPG_ERR_NO_ERROR){

204

151

fprintf(stderr, "bad gpgme_new: %s: %s\n",

205

152

gpgme_strsource(rc), gpgme_strerror(rc));

206

plaintext_length = -1;

207

goto decrypt_end;

153

return -1;

208

154

}

209

155

210

/* Decrypt data from the cryptotext data buffer to the plaintext

211

data buffer */

156

/* Decrypt data from the FILE pointer to the plaintext data

157

buffer */

212

158

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

213

159

if (rc != GPG_ERR_NO_ERROR){

214

160

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

215

161

gpgme_strsource(rc), gpgme_strerror(rc));

216

plaintext_length = -1;

217

goto decrypt_end;

162

return -1;

218

163

}

219

164

220

165

if(debug){

221

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

166

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

222

167

}

223

168

224

169

if (debug){

225

170

gpgme_decrypt_result_t result;

226

171

result = gpgme_op_decrypt_result(ctx);

229

174

} else {

230

175

fprintf(stderr, "Unsupported algorithm: %s\n",

231

176

result->unsupported_algorithm);

232

fprintf(stderr, "Wrong key usage: %u\n",

177

fprintf(stderr, "Wrong key usage: %d\n",

233

178

result->wrong_key_usage);

234

179

if(result->file_name != NULL){

235

180

fprintf(stderr, "File name: %s\n", result->file_name);

250

195

}

251

196

}

252

197

198

/* Delete the GPGME FILE pointer cryptotext data buffer */

199

gpgme_data_release(dh_crypto);

200

253

201

/* Seek back to the beginning of the GPGME plaintext data buffer */

254

202

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

255

203

perror("pgpme_data_seek");

256

plaintext_length = -1;

257

goto decrypt_end;

258

204

}

259

205

260

*plaintext = NULL;

206

*new_packet = 0;

261

207

while(true){

262

plaintext_capacity = adjustbuffer(plaintext,

263

(size_t)plaintext_length,

264

plaintext_capacity);

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

267

plaintext_length = -1;

268

goto decrypt_end;

208

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

209

*new_packet = realloc(*new_packet,

210

(unsigned int)new_packet_capacity

211

+ BUFFER_SIZE);

212

if (*new_packet == NULL){

213

perror("realloc");

214

return -1;

215

}

216

new_packet_capacity += BUFFER_SIZE;

269

217

}

270

218

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

219

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

272

220

BUFFER_SIZE);

273

221

/* Print the data, if any */

274

222

if (ret == 0){

275

/* EOF */

276

223

break;

277

224

}

278

225

if(ret < 0){

279

226

perror("gpgme_data_read");

280

plaintext_length = -1;

281

goto decrypt_end;

227

return -1;

282

228

}

283

plaintext_length += ret;

229

new_packet_length += ret;

284

230

}

285

231

286

if(debug){

287

fprintf(stderr, "Decrypted password is: ");

288

for(ssize_t i = 0; i < plaintext_length; i++){

289

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

290

}

291

fprintf(stderr, "\n");

292

}

293

294

decrypt_end:

295

296

/* Delete the GPGME cryptotext data buffer */

297

gpgme_data_release(dh_crypto);

232

/* FIXME: check characters before printing to screen so to not print

233

terminal control characters */

234

/* if(debug){ */

235

/* fprintf(stderr, "decrypted password is: "); */

236

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

237

/* fprintf(stderr, "\n"); */

238

/* } */

298

239

299

240

/* Delete the GPGME plaintext data buffer */

300

241

gpgme_data_release(dh_plain);

301

return plaintext_length;

242

return new_packet_length;

302

243

}

303

244

304

245

static const char * safer_gnutls_strerror (int value) {

305

const char *ret = gnutls_strerror (value); /* Spurious warning */

246

const char *ret = gnutls_strerror (value);

306

247

if (ret == NULL)

307

248

ret = "(unknown)";

308

249

return ret;

309

250

}

310

251

311

/* GnuTLS log function callback */

312

252

static void debuggnutls(__attribute__((unused)) int level,

313

253

const char* string){

314

fprintf(stderr, "GnuTLS: %s", string);

254

fprintf(stderr, "%s", string);

315

255

}

316

256

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfilename,

319

const char *seckeyfilename){

257

static int initgnutls(mandos_context *mc){

258

const char *err;

320

259

int ret;

321

260

322

261

if(debug){

323

262

fprintf(stderr, "Initializing GnuTLS\n");

324

263

}

325

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

264

265

if ((ret = gnutls_global_init ())

266

!= GNUTLS_E_SUCCESS) {

267

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

330

268

return -1;

331

269

}

332

270

333

271

if (debug){

334

/* "Use a log level over 10 to enable all debugging options."

335

* - GnuTLS manual

336

337

272

gnutls_global_set_log_level(11);

338

273

gnutls_global_set_log_function(debuggnutls);

339

274

}

340

275

341

/* OpenPGP credentials */

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

345

warning */

276

/* openpgp credentials */

277

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

278

!= GNUTLS_E_SUCCESS) {

279

fprintf (stderr, "memory error: %s\n",

346

280

safer_gnutls_strerror(ret));

347

gnutls_global_deinit ();

348

281

return -1;

349

282

}

350

283

351

284

if(debug){

352

285

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

353

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

354

seckeyfilename);

286

" and keyfile %s as GnuTLS credentials\n", certfile,

287

certkey);

355

288

}

356

289

357

290

ret = gnutls_certificate_set_openpgp_key_file

358

(mc->cred, pubkeyfilename, seckeyfilename,

359

GNUTLS_OPENPGP_FMT_BASE64);

291

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

360

292

if (ret != GNUTLS_E_SUCCESS) {

361

fprintf(stderr,

362

"Error[%d] while reading the OpenPGP key pair ('%s',"

363

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

364

fprintf(stdout, "The GnuTLS error is: %s\n",

293

fprintf

294

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

295

" '%s')\n",

296

ret, certfile, certkey);

297

fprintf(stdout, "The Error is: %s\n",

365

298

safer_gnutls_strerror(ret));

366

goto globalfail;

367

}

368

369

/* GnuTLS server initialization */

370

ret = gnutls_dh_params_init(&mc->dh_params);

371

if (ret != GNUTLS_E_SUCCESS) {

372

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

373

" %s\n", safer_gnutls_strerror(ret));

374

goto globalfail;

375

}

376

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

377

if (ret != GNUTLS_E_SUCCESS) {

378

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

379

safer_gnutls_strerror(ret));

380

goto globalfail;

381

}

382

383

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

384

385

return 0;

386

387

globalfail:

388

389

gnutls_certificate_free_credentials(mc->cred);

390

gnutls_global_deinit();

391

return -1;

392

393

}

394

395

static int init_gnutls_session(mandos_context *mc,

396

gnutls_session_t *session){

397

int ret;

398

/* GnuTLS session creation */

399

ret = gnutls_init(session, GNUTLS_SERVER);

400

if (ret != GNUTLS_E_SUCCESS){

299

return -1;

300

}

301

302

//GnuTLS server initialization

303

if ((ret = gnutls_dh_params_init (&es->dh_params))

304

!= GNUTLS_E_SUCCESS) {

305

fprintf (stderr, "Error in dh parameter initialization: %s\n",

306

safer_gnutls_strerror(ret));

307

return -1;

308

}

309

310

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

311

!= GNUTLS_E_SUCCESS) {

312

fprintf (stderr, "Error in prime generation: %s\n",

313

safer_gnutls_strerror(ret));

314

return -1;

315

}

316

317

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

318

319

// GnuTLS session creation

320

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

321

!= GNUTLS_E_SUCCESS){

401

322

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

402

323

safer_gnutls_strerror(ret));

403

324

}

404

325

405

{

406

const char *err;

407

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

408

if (ret != GNUTLS_E_SUCCESS) {

409

fprintf(stderr, "Syntax error at: %s\n", err);

410

fprintf(stderr, "GnuTLS error: %s\n",

411

safer_gnutls_strerror(ret));

412

gnutls_deinit (*session);

413

return -1;

414

}

326

if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))

327

!= GNUTLS_E_SUCCESS) {

328

fprintf(stderr, "Syntax error at: %s\n", err);

329

fprintf(stderr, "GnuTLS error: %s\n",

330

safer_gnutls_strerror(ret));

331

return -1;

415

332

}

416

333

417

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

418

mc->cred);

419

if (ret != GNUTLS_E_SUCCESS) {

420

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

334

if ((ret = gnutls_credentials_set

335

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

336

!= GNUTLS_E_SUCCESS) {

337

fprintf(stderr, "Error setting a credentials set: %s\n",

421

338

safer_gnutls_strerror(ret));

422

gnutls_deinit (*session);

423

339

return -1;

424

340

}

425

341

426

342

/* ignore client certificate if any. */

427

gnutls_certificate_server_set_request (*session,

343

gnutls_certificate_server_set_request (es->session,

428

344

GNUTLS_CERT_IGNORE);

429

345

430

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

346

gnutls_dh_set_prime_bits (es->session, DH_BITS);

431

347

432

348

return 0;

433

349

}

434

350

435

/* Avahi log function callback */

436

351

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

437

352

__attribute__((unused)) const char *txt){}

438

353

439

/* Called when a Mandos server is found */

440

354

static int start_mandos_communication(const char *ip, uint16_t port,

441

355

AvahiIfIndex if_index,

442

356

mandos_context *mc){

443

357

int ret, tcp_sd;

444

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

358

struct sockaddr_in6 to;

359

encrypted_session es;

445

360

char *buffer = NULL;

446

361

char *decrypted_buffer;

447

362

size_t buffer_length = 0;

448

363

size_t buffer_capacity = 0;

449

364

ssize_t decrypted_buffer_size;

450

size_t written;

365

size_t written = 0;

451

366

int retval = 0;

452

367

char interface[IF_NAMESIZE];

453

gnutls_session_t session;

454

455

ret = init_gnutls_session (mc, &session);

456

if (ret != 0){

457

return -1;

458

}

459

368

460

369

if(debug){

461

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

462

"\n", ip, port);

370

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

371

ip, port);

463

372

}

464

373

465

374

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

470

379

471

380

if(debug){

472

381

if(if_indextoname((unsigned int)if_index, interface) == NULL){

473

perror("if_indextoname");

382

if(debug){

383

perror("if_indextoname");

384

}

474

385

return -1;

475

386

}

387

476

388

fprintf(stderr, "Binding to interface %s\n", interface);

477

389

}

478

390

479

memset(&to, 0, sizeof(to));

480

to.in6.sin6_family = AF_INET6;

481

/* It would be nice to have a way to detect if we were passed an

482

IPv4 address here. Now we assume an IPv6 address. */

483

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

391

memset(&to,0,sizeof(to)); /* Spurious warning */

392

to.sin6_family = AF_INET6;

393

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

484

394

if (ret < 0 ){

485

395

perror("inet_pton");

486

396

return -1;

487

}

397

}

488

398

if(ret == 0){

489

399

fprintf(stderr, "Bad address: %s\n", ip);

490

400

return -1;

491

401

}

492

to.in6.sin6_port = htons(port); /* Spurious warning */

402

to.sin6_port = htons(port); /* Spurious warning */

493

403

494

to.in6.sin6_scope_id = (uint32_t)if_index;

404

to.sin6_scope_id = (uint32_t)if_index;

495

405

496

406

if(debug){

497

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

498

port);

499

char addrstr[INET6_ADDRSTRLEN] = "";

500

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

501

sizeof(addrstr)) == NULL){

502

perror("inet_ntop");

503

} else {

504

if(strcmp(addrstr, ip) != 0){

505

fprintf(stderr, "Canonical address form: %s\n", addrstr);

506

}

507

}

407

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

408

/* char addrstr[INET6_ADDRSTRLEN]; */

409

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

410

/* sizeof(addrstr)) == NULL){ */

411

/* perror("inet_ntop"); */

412

/* } else { */

413

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

414

/* addrstr, ntohs(to.sin6_port)); */

415

/* } */

508

416

}

509

417

510

ret = connect(tcp_sd, &to.in, sizeof(to));

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

511

419

if (ret < 0){

512

420

perror("connect");

513

421

return -1;

514

422

}

515

516

const char *out = mandos_protocol_version;

517

written = 0;

518

while (true){

519

size_t out_size = strlen(out);

520

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

521

out_size - written));

522

if (ret == -1){

523

perror("write");

524

retval = -1;

525

goto mandos_end;

526

}

527

written += (size_t)ret;

528

if(written < out_size){

529

continue;

530

} else {

531

if (out == mandos_protocol_version){

532

written = 0;

533

out = "\r\n";

534

} else {

535

break;

536

}

537

}

423

424

ret = initgnutls (&es);

425

if (ret != 0){

426

retval = -1;

427

return -1;

538

428

}

539

429

430

gnutls_transport_set_ptr (es.session,

431

(gnutls_transport_ptr_t) tcp_sd);

432

540

433

if(debug){

541

434

fprintf(stderr, "Establishing TLS session with %s\n", ip);

542

435

}

543

436

544

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

545

546

do{

547

ret = gnutls_handshake (session);

548

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

437

ret = gnutls_handshake (es.session);

549

438

550

439

if (ret != GNUTLS_E_SUCCESS){

551

440

if(debug){

552

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

441

fprintf(stderr, "\n*** Handshake failed ***\n");

553

442

gnutls_perror (ret);

554

443

}

555

444

retval = -1;

556

goto mandos_end;

445

goto exit;

557

446

}

558

447

559

/* Read OpenPGP packet that contains the wanted password */

448

//Retrieve OpenPGP packet that contains the wanted password

560

449

561

450

if(debug){

562

451

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

564

453

}

565

454

566

455

while(true){

567

buffer_capacity = adjustbuffer(&buffer, buffer_length,

568

buffer_capacity);

569

if (buffer_capacity == 0){

570

perror("adjustbuffer");

571

retval = -1;

572

goto mandos_end;

456

if (buffer_length + BUFFER_SIZE > buffer_capacity){

457

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

458

if (buffer == NULL){

459

perror("realloc");

460

goto exit;

461

}

462

buffer_capacity += BUFFER_SIZE;

573

463

}

574

464

575

ret = gnutls_record_recv(session, buffer+buffer_length,

576

BUFFER_SIZE);

465

ret = gnutls_record_recv

466

(es.session, buffer+buffer_length, BUFFER_SIZE);

577

467

if (ret == 0){

578

468

break;

579

469

}

583

473

case GNUTLS_E_AGAIN:

584

474

break;

585

475

case GNUTLS_E_REHANDSHAKE:

586

do{

587

ret = gnutls_handshake (session);

588

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

476

ret = gnutls_handshake (es.session);

589

477

if (ret < 0){

590

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

478

fprintf(stderr, "\n*** Handshake failed ***\n");

591

479

gnutls_perror (ret);

592

480

retval = -1;

593

goto mandos_end;

481

goto exit;

594

482

}

595

483

break;

596

484

default:

597

485

fprintf(stderr, "Unknown error while reading data from"

598

" encrypted session with Mandos server\n");

486

" encrypted session with mandos server\n");

599

487

retval = -1;

600

gnutls_bye (session, GNUTLS_SHUT_RDWR);

601

goto mandos_end;

488

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

489

goto exit;

602

490

}

603

491

} else {

604

492

buffer_length += (size_t) ret;

605

493

}

606

494

}

607

495

608

if(debug){

609

fprintf(stderr, "Closing TLS session\n");

610

}

611

612

gnutls_bye (session, GNUTLS_SHUT_RDWR);

613

614

496

if (buffer_length > 0){

615

497

decrypted_buffer_size = pgp_packet_decrypt(buffer,

616

498

buffer_length,

617

499

&decrypted_buffer,

618

keydir);

500

certdir);

619

501

if (decrypted_buffer_size >= 0){

620

written = 0;

621

502

while(written < (size_t) decrypted_buffer_size){

622

503

ret = (int)fwrite (decrypted_buffer + written, 1,

623

504

(size_t)decrypted_buffer_size - written,

637

518

retval = -1;

638

519

}

639

520

}

640

641

/* Shutdown procedure */

642

643

mandos_end:

521

522

//shutdown procedure

523

524

if(debug){

525

fprintf(stderr, "Closing TLS session\n");

526

}

527

644

528

free(buffer);

529

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

530

exit:

645

531

close(tcp_sd);

646

gnutls_deinit (session);

532

gnutls_deinit (es.session);

533

gnutls_certificate_free_credentials (es.cred);

534

gnutls_global_deinit ();

647

535

return retval;

648

536

}

649

537

650

static void resolve_callback(AvahiSServiceResolver *r,

651

AvahiIfIndex interface,

652

AVAHI_GCC_UNUSED AvahiProtocol protocol,

653

AvahiResolverEvent event,

654

const char *name,

655

const char *type,

656

const char *domain,

657

const char *host_name,

658

const AvahiAddress *address,

659

uint16_t port,

660

AVAHI_GCC_UNUSED AvahiStringList *txt,

661

AVAHI_GCC_UNUSED AvahiLookupResultFlags

662

flags,

663

void* userdata) {

538

static void resolve_callback( AvahiSServiceResolver *r,

539

AvahiIfIndex interface,

540

AVAHI_GCC_UNUSED AvahiProtocol protocol,

541

AvahiResolverEvent event,

542

const char *name,

543

const char *type,

544

const char *domain,

545

const char *host_name,

546

const AvahiAddress *address,

547

uint16_t port,

548

AVAHI_GCC_UNUSED AvahiStringList *txt,

549

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

550

AVAHI_GCC_UNUSED void* userdata) {

664

551

mandos_context *mc = userdata;

665

assert(r);

552

assert(r); /* Spurious warning */

666

553

667

554

/* Called whenever a service has been resolved successfully or

668

555

timed out */

670

557

switch (event) {

671

558

default:

672

559

case AVAHI_RESOLVER_FAILURE:

673

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

674

" of type '%s' in domain '%s': %s\n", name, type, domain,

560

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

561

" type '%s' in domain '%s': %s\n", name, type, domain,

675

562

avahi_strerror(avahi_server_errno(mc->server)));

676

563

break;

677

564

680

567

char ip[AVAHI_ADDRESS_STR_MAX];

681

568

avahi_address_snprint(ip, sizeof(ip), address);

682

569

if(debug){

683

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

684

PRIu16 ") on port %d\n", name, host_name, ip,

685

interface, port);

570

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

571

" port %d\n", name, host_name, ip, port);

686

572

}

687

573

int ret = start_mandos_communication(ip, port, interface, mc);

688

574

if (ret == 0){

689

avahi_simple_poll_quit(mc->simple_poll);

575

exit(EXIT_SUCCESS);

690

576

}

691

577

}

692

578

}

700

586

const char *name,

701

587

const char *type,

702

588

const char *domain,

703

AVAHI_GCC_UNUSED AvahiLookupResultFlags

704

flags,

589

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

705

590

void* userdata) {

706

591

mandos_context *mc = userdata;

707

assert(b);

592

assert(b); /* Spurious warning */

708

593

709

594

/* Called whenever a new services becomes available on the LAN or

710

595

is removed from the LAN */

712

597

switch (event) {

713

598

default:

714

599

case AVAHI_BROWSER_FAILURE:

715

716

fprintf(stderr, "(Avahi browser) %s\n",

600

601

fprintf(stderr, "(Browser) %s\n",

717

602

avahi_strerror(avahi_server_errno(mc->server)));

718

603

avahi_simple_poll_quit(mc->simple_poll);

719

604

return;

720

605

721

606

case AVAHI_BROWSER_NEW:

722

/* We ignore the returned Avahi resolver object. In the callback

723

function we free it. If the Avahi server is terminated before

724

the callback function is called the Avahi server will free the

725

resolver for us. */

726

727

if (!(avahi_s_service_resolver_new(mc->server, interface,

728

protocol, name, type, domain,

607

/* We ignore the returned resolver object. In the callback

608

function we free it. If the server is terminated before

609

the callback function is called the server will free

610

the resolver for us. */

611

612

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

613

type, domain,

729

614

AVAHI_PROTO_INET6, 0,

730

615

resolve_callback, mc)))

731

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

732

name, avahi_strerror(avahi_server_errno(mc->server)));

616

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

617

avahi_strerror(avahi_server_errno(s)));

733

618

break;

734

619

735

620

case AVAHI_BROWSER_REMOVE:

736

621

break;

737

622

738

623

case AVAHI_BROWSER_ALL_FOR_NOW:

739

624

case AVAHI_BROWSER_CACHE_EXHAUSTED:

740

if(debug){

741

fprintf(stderr, "No Mandos server found, still searching...\n");

742

}

743

625

break;

744

626

}

745

627

}

746

628

747

629

/* Combines file name and path and returns the malloced new

748

630

string. some sane checks could/should be added */

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

631

static const char *combinepath(const char *first, const char *second){

632

size_t f_len = strlen(first);

633

size_t s_len = strlen(second);

634

char *tmp = malloc(f_len + s_len + 2);

635

if (tmp == NULL){

753

636

return NULL;

754

637

}

638

if(f_len > 0){

639

memcpy(tmp, first, f_len);

640

}

641

tmp[f_len] = '/';

642

if(s_len > 0){

643

memcpy(tmp + f_len + 1, second, s_len);

644

}

645

tmp[f_len + 1 + s_len] = '\0';

755

646

return tmp;

756

647

}

757

648

758

649

759

int main(int argc, char *argv[]){

650

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

651

AvahiServerConfig config;

760

652

AvahiSServiceBrowser *sb = NULL;

761

653

int error;

762

654

int ret;

763

int exitcode = EXIT_SUCCESS;

655

int returncode = EXIT_SUCCESS;

764

656

const char *interface = "eth0";

765

657

struct ifreq network;

766

658

int sd;

767

uid_t uid;

768

gid_t gid;

769

659

char *connect_to = NULL;

770

660

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

775

661

mandos_context mc = { .simple_poll = NULL, .server = NULL,

776

.dh_bits = 1024, .priority = "SECURE256"};

777

bool gnutls_initalized = false;

662

.dh_bits = 2048, .priority = "SECURE256"};

778

663

779

{

780

struct argp_option options[] = {

781

{ .name = "debug", .key = 128,

782

.doc = "Debug mode", .group = 3 },

783

{ .name = "connect", .key = 'c',

784

.arg = "IP",

785

.doc = "Connect directly to a sepcified mandos server",

786

.group = 1 },

787

{ .name = "interface", .key = 'i',

788

.arg = "INTERFACE",

789

.doc = "Interface that Avahi will conntect through",

790

.group = 1 },

791

{ .name = "keydir", .key = 'd',

792

.arg = "KEYDIR",

793

.doc = "Directory where the openpgp keyring is",

794

.group = 1 },

795

{ .name = "seckey", .key = 's',

796

.arg = "SECKEY",

797

.doc = "Secret openpgp key for gnutls authentication",

798

.group = 1 },

799

{ .name = "pubkey", .key = 'p',

800

.arg = "PUBKEY",

801

.doc = "Public openpgp key for gnutls authentication",

802

.group = 2 },

803

{ .name = "dh-bits", .key = 129,

804

.arg = "BITS",

805

.doc = "dh-bits to use in gnutls communication",

806

.group = 2 },

807

{ .name = "priority", .key = 130,

808

.arg = "PRIORITY",

809

.doc = "GNUTLS priority", .group = 1 },

810

{ .name = NULL }

811

};

812

813

814

error_t parse_opt (int key, char *arg,

815

struct argp_state *state) {

816

/* Get the INPUT argument from `argp_parse', which we know is

817

a pointer to our plugin list pointer. */

818

switch (key) {

819

case 128:

820

debug = true;

821

break;

822

case 'c':

823

connect_to = arg;

824

break;

825

case 'i':

826

interface = arg;

827

break;

828

case 'd':

829

keydir = arg;

830

break;

831

case 's':

832

seckeyname = arg;

833

break;

834

case 'p':

835

pubkeyname = arg;

836

break;

837

case 129:

664

while (true){

665

static struct option long_options[] = {

666

{"debug", no_argument, (int *)&debug, 1},

667

{"connect", required_argument, 0, 'C'},

668

{"interface", required_argument, 0, 'i'},

669

{"certdir", required_argument, 0, 'd'},

670

{"certkey", required_argument, 0, 'c'},

671

{"certfile", required_argument, 0, 'k'},

672

{"dh_bits", required_argument, 0, 'D'},

673

{"priority", required_argument, 0, 'p'},

674

{0, 0, 0, 0} };

675

676

int option_index = 0;

677

ret = getopt_long (argc, argv, "i:", long_options,

678

&option_index);

679

680

if (ret == -1){

681

break;

682

}

683

684

switch(ret){

685

case 0:

686

break;

687

case 'i':

688

interface = optarg;

689

break;

690

case 'C':

691

connect_to = optarg;

692

break;

693

case 'd':

694

certdir = optarg;

695

break;

696

case 'c':

697

certfile = optarg;

698

break;

699

case 'k':

700

certkey = optarg;

701

break;

702

case 'D':

703

{

704

long int tmp;

838

705

errno = 0;

839

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

840

if (errno){

706

tmp = strtol(optarg, NULL, 10);

707

if (errno == ERANGE){

841

708

perror("strtol");

842

709

exit(EXIT_FAILURE);

843

710

}

844

break;

845

case 130:

846

mc.priority = arg;

847

break;

848

case ARGP_KEY_ARG:

849

argp_usage (state);

850

case ARGP_KEY_END:

851

break;

852

default:

853

return ARGP_ERR_UNKNOWN;

854

}

855

return 0;

856

}

857

858

struct argp argp = { .options = options, .parser = parse_opt,

859

.args_doc = "",

860

.doc = "Mandos client -- Get and decrypt"

861

" passwords from mandos server" };

862

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

863

if (ret == ARGP_ERR_UNKNOWN){

864

fprintf(stderr, "Unknown error while parsing arguments\n");

865

exitcode = EXIT_FAILURE;

866

goto end;

867

}

868

}

869

870

pubkeyfilename = combinepath(keydir, pubkeyname);

871

if (pubkeyfilename == NULL){

872

perror("combinepath");

873

exitcode = EXIT_FAILURE;

874

goto end;

875

}

876

877

seckeyfilename = combinepath(keydir, seckeyname);

878

if (seckeyfilename == NULL){

879

perror("combinepath");

880

exitcode = EXIT_FAILURE;

881

goto end;

882

}

883

884

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

885

if (ret == -1){

886

fprintf(stderr, "init_gnutls_global failed\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

889

} else {

890

gnutls_initalized = true;

891

}

892

893

/* If the interface is down, bring it up */

894

{

895

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

896

if(sd < 0) {

897

perror("socket");

898

exitcode = EXIT_FAILURE;

899

goto end;

900

}

901

strcpy(network.ifr_name, interface);

902

ret = ioctl(sd, SIOCGIFFLAGS, &network);

903

if(ret == -1){

904

perror("ioctl SIOCGIFFLAGS");

905

exitcode = EXIT_FAILURE;

906

goto end;

907

}

908

if((network.ifr_flags & IFF_UP) == 0){

909

network.ifr_flags |= IFF_UP;

910

ret = ioctl(sd, SIOCSIFFLAGS, &network);

911

if(ret == -1){

912

perror("ioctl SIOCSIFFLAGS");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

}

917

close(sd);

918

}

919

920

uid = getuid();

921

gid = getgid();

922

923

ret = setuid(uid);

924

if (ret == -1){

925

perror("setuid");

926

}

927

928

setgid(gid);

929

if (ret == -1){

930

perror("setgid");

711

mc.dh_bits = tmp;

712

}

713

break;

714

case 'p':

715

mc.priority = optarg;

716

break;

717

default:

718

exit(EXIT_FAILURE);

719

}

720

}

721

722

certfile = combinepath(certdir, certfile);

723

if (certfile == NULL){

724

perror("combinepath");

725

returncode = EXIT_FAILURE;

726

goto exit;

727

}

728

729

certkey = combinepath(certdir, certkey);

730

if (certkey == NULL){

731

perror("combinepath");

732

returncode = EXIT_FAILURE;

733

goto exit;

931

734

}

932

735

933

736

if_index = (AvahiIfIndex) if_nametoindex(interface);

942

745

char *address = strrchr(connect_to, ':');

943

746

if(address == NULL){

944

747

fprintf(stderr, "No colon in address\n");

945

exitcode = EXIT_FAILURE;

946

goto end;

748

exit(EXIT_FAILURE);

947

749

}

948

750

errno = 0;

949

751

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

950

752

if(errno){

951

753

perror("Bad port number");

952

exitcode = EXIT_FAILURE;

953

goto end;

754

exit(EXIT_FAILURE);

954

755

}

955

756

*address = '\0';

956

757

address = connect_to;

957

ret = start_mandos_communication(address, port, if_index, &mc);

758

ret = start_mandos_communication(address, port, if_index);

958

759

if(ret < 0){

959

exitcode = EXIT_FAILURE;

760

exit(EXIT_FAILURE);

960

761

} else {

961

exitcode = EXIT_SUCCESS;

962

}

963

goto end;

964

}

762

exit(EXIT_SUCCESS);

763

}

764

}

765

766

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

767

if(sd < 0) {

768

perror("socket");

769

returncode = EXIT_FAILURE;

770

goto exit;

771

}

772

strcpy(network.ifr_name, interface);

773

ret = ioctl(sd, SIOCGIFFLAGS, &network);

774

if(ret == -1){

775

776

perror("ioctl SIOCGIFFLAGS");

777

returncode = EXIT_FAILURE;

778

goto exit;

779

}

780

if((network.ifr_flags & IFF_UP) == 0){

781

network.ifr_flags |= IFF_UP;

782

ret = ioctl(sd, SIOCSIFFLAGS, &network);

783

if(ret == -1){

784

perror("ioctl SIOCSIFFLAGS");

785

returncode = EXIT_FAILURE;

786

goto exit;

787

}

788

}

789

close(sd);

965

790

966

791

if (not debug){

967

792

avahi_set_log_function(empty_log);

968

793

}

969

794

970

/* Initialize the pseudo-RNG for Avahi */

795

/* Initialize the psuedo-RNG */

971

796

srand((unsigned int) time(NULL));

972

973

/* Allocate main Avahi loop object */

974

mc.simple_poll = avahi_simple_poll_new();

975

if (mc.simple_poll == NULL) {

976

fprintf(stderr, "Avahi: Failed to create simple poll"

977

" object.\n");

978

exitcode = EXIT_FAILURE;

979

goto end;

980

}

981

982

{

983

AvahiServerConfig config;

984

/* Do not publish any local Zeroconf records */

985

avahi_server_config_init(&config);

986

config.publish_hinfo = 0;

987

config.publish_addresses = 0;

988

config.publish_workstation = 0;

989

config.publish_domain = 0;

990

991

/* Allocate a new server */

992

mc.server = avahi_server_new(avahi_simple_poll_get

993

(mc.simple_poll), &config, NULL,

994

NULL, &error);

995

996

/* Free the Avahi configuration data */

997

avahi_server_config_free(&config);

998

}

999

1000

/* Check if creating the Avahi server object succeeded */

1001

if (mc.server == NULL) {

1002

fprintf(stderr, "Failed to create Avahi server: %s\n",

797

798

/* Allocate main loop object */

799

if (!(mc.simple_poll = avahi_simple_poll_new())) {

800

fprintf(stderr, "Failed to create simple poll object.\n");

801

returncode = EXIT_FAILURE;

802

goto exit;

803

}

804

805

/* Do not publish any local records */

806

avahi_server_config_init(&config);

807

config.publish_hinfo = 0;

808

config.publish_addresses = 0;

809

config.publish_workstation = 0;

810

config.publish_domain = 0;

811

812

/* Allocate a new server */

813

mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),

814

&config, NULL, NULL, &error);

815

816

/* Free the configuration data */

817

avahi_server_config_free(&config);

818

819

/* Check if creating the server object succeeded */

820

if (!mc.server) {

821

fprintf(stderr, "Failed to create server: %s\n",

1003

822

avahi_strerror(error));

1004

exitcode = EXIT_FAILURE;

1005

goto end;

823

returncode = EXIT_FAILURE;

824

goto exit;

1006

825

}

1007

826

1008

/* Create the Avahi service browser */

827

/* Create the service browser */

1009

828

sb = avahi_s_service_browser_new(mc.server, if_index,

1010

829

AVAHI_PROTO_INET6,

1011

830

"_mandos._tcp", NULL, 0,

1012

831

browse_callback, &mc);

1013

if (sb == NULL) {

832

if (!sb) {

1014

833

fprintf(stderr, "Failed to create service browser: %s\n",

1015

834

avahi_strerror(avahi_server_errno(mc.server)));

1016

exitcode = EXIT_FAILURE;

1017

goto end;

835

returncode = EXIT_FAILURE;

836

goto exit;

1018

837

}

1019

838

1020

839

/* Run the main loop */

1021

840

1022

841

if (debug){

1023

fprintf(stderr, "Starting Avahi loop search\n");

842

fprintf(stderr, "Starting avahi loop search\n");

1024

843

}

1025

844

1026

avahi_simple_poll_loop(mc.simple_poll);

845

avahi_simple_poll_loop(simple_poll);

1027

846

1028

end:

847

exit:

1029

848

1030

849

if (debug){

1031

850

fprintf(stderr, "%s exiting\n", argv[0]);

1032

851

}

1033

852

1034

853

/* Cleanup things */

1035

if (sb != NULL)

854

if (sb)

1036

855

avahi_s_service_browser_free(sb);

1037

856

1038

if (mc.server != NULL)

857

if (mc.server)

1039

858

avahi_server_free(mc.server);

1040

859

1041

if (mc.simple_poll != NULL)

1042

avahi_simple_poll_free(mc.simple_poll);

1043

free(pubkeyfilename);

1044

free(seckeyfilename);

1045

1046

if (gnutls_initalized){

1047

gnutls_certificate_free_credentials(mc.cred);

1048

gnutls_global_deinit ();

1049

}

860

if (simple_poll)

861

avahi_simple_poll_free(simple_poll);

862

free(certfile);

863

free(certkey);

1050

864

1051

return exitcode;

865

return returncode;

1052

866

}

Older »