/mandos/trunk : revision 28

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-29 03:35:39 UTC
Revision ID: teddy@fukt.bsnet.se-20080729033539-08zecoj3jwlkpjhw

* server.conf: New file.

* mandos-clients.conf: Renamed to clients.conf.

* Makefile (FORTIFY): New.
  (CFLAGS): Include $(FORTIFY).

* plugins.d/mandosclient.c (main): New "if_index" variable.  Bug fix:
                                   check if interface exists.  New
                                   "--connect" option.

* server.py (serviceInterface): Removed; replaced by
                                "AvahiService.interface".  All users
                                changed.
  (AvahiError, AvahiServiceError, AvahiGroupError): New exception
                                                    classes.
  (AvahiService): New class.
  (serviceName): Removed; replaced by "AvahiService.name".  All users
                 changed.
  (serviceType): Removed; replaced by "AvahiService.type".  All users
                 changed.
  (servicePort): Removed; replaced by "AvahiService.port".  All users
                 changed.
  (serviceTXT): Removed; replaced by "AvahiService.TXT".  All users
                changed.
  (domain): Removed; replaced by "AvahiService.domain".  All users
            changed.
  (host): Removed; replaced by "AvahiService.host".  All users
          changed.
  (rename_count): Removed; replaced by "AvahiService.rename_count" and
                 "AvahiService.max_renames".  All users changed.
  (Client.__init__): If no secret or secfile, raise TypeError instead
                     of RuntimeError.
  (Client.last_seen): Renamed to "Client.last_checked_ok".  All users
                      changed.
  (Client.stop, Client.stop_checker): Use "getattr" with default value
                                      instead of "hasattr".
  (Client.still_valid): Removed "now" argument.
  (Client.handle): Separate the "no client found" and "client invalid"
                   cases for clearer code.
  (IPv6_TCPServer.__init__): "options" argument replaced by
                             "settings".  All callers changed.
  (IPv6_TCPServer.options): Replaced by "IPv6_TCPServer.settings".
                            All users changed.
  (IPv6_TCPServer.server_bind): Use getattr instead of hasattr.
  (add_service): Removed; replaced by "AvahiService.add".  All callers
                 changed.
  (remove_service): Removed; replaced by "AvahiService.remove".  All
                    callers changed.
  (entry_group_state_changed): On entry group collision, call the new
                               AvahiService.rename method.  Raise
                               AvahiGroupError on group error.
  (if_nametoindex): Use ctypes.utils.find_library to locate the C
                    library.  Cache the result.  Loop on EINTR.
  (daemon): Use os.path.devnull to locate "/dev/null".
  (killme): Removed.  All callers changed to do "sys.exit()" instead,
            except where stated otherwise.
  (main): Removed "exitstatus".  Removed all default values from all
          non-bool options.  New option "--configdir".  New variables
          "server_defaults" and "server_settings", read from
          "%(configdir)s/server.conf".  Let any supplied command line
          options override server settings.   Variable "defaults"
          renamed to "client_defaults", which is read from
          "clients.conf" instead of "mandos-clients.conf".  New global
          AvahiService object "service" replaces old global variables.
          Catch AvahiError and exit with error if caught.

files modified:
TODO

plugbasedclient.c

plugins.d/mandosclient.c

plugins.d/passprompt.c

server.py

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

#define DH_BITS 1024

static const char *certdir = "/conf/conf.d/mandos";

static const char *certfile = "openpgp-client.txt";

static const char *certkey = "openpgp-client-key.txt";

bool debug = false;

typedef struct {

} encrypted_session;

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

const char *homedir){

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

gpgme_ctx_t ctx;

gpgme_error_t rc;

100

101

/* Init GPGME */

101

102

gpgme_check_version(NULL);

102

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

103

if (rc != GPG_ERR_NO_ERROR){

104

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

105

gpgme_strsource(rc), gpgme_strerror(rc));

106

return -1;

107

}

103

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

108

104

109

105

/* Set GPGME home directory */

110

106

rc = gpgme_get_engine_info (&engine_info);

196

192

gpgme_data_release(dh_crypto);

197

193

198

194

/* Seek back to the beginning of the GPGME plaintext data buffer */

199

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

200

perror("pgpme_data_seek");

201

}

202

195

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

196

203

197

*new_packet = 0;

204

198

while(true){

205

199

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

246

240

return ret;

247

241

}

248

242

249

static void debuggnutls(__attribute__((unused)) int level,

250

const char* string){

243

void debuggnutls(__attribute__((unused)) int level,

244

const char* string){

251

245

fprintf(stderr, "%s", string);

252

246

}

253

247

254

static int initgnutls(encrypted_session *es){

248

int initgnutls(encrypted_session *es){

255

249

const char *err;

256

250

int ret;

257

251

258

252

if(debug){

259

253

fprintf(stderr, "Initializing GnuTLS\n");

260

254

}

261

255

262

256

if ((ret = gnutls_global_init ())

263

257

!= GNUTLS_E_SUCCESS) {

264

258

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

280

274

281

275

if(debug){

282

276

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

283

" and keyfile %s as GnuTLS credentials\n", certfile,

284

certkey);

277

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

278

KEYFILE);

285

279

}

286

280

287

281

ret = gnutls_certificate_set_openpgp_key_file

288

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

282

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

289

283

if (ret != GNUTLS_E_SUCCESS) {

290

284

fprintf

291

285

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

292

286

" '%s')\n",

293

ret, certfile, certkey);

287

ret, CERTFILE, KEYFILE);

294

288

fprintf(stdout, "The Error is: %s\n",

295

289

safer_gnutls_strerror(ret));

296

290

return -1;

345

339

return 0;

346

340

}

347

341

348

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

349

__attribute__((unused)) const char *txt){}

342

void empty_log(__attribute__((unused)) AvahiLogLevel level,

343

__attribute__((unused)) const char *txt){}

350

344

351

static int start_mandos_communication(const char *ip, uint16_t port,

352

AvahiIfIndex if_index){

345

int start_mandos_communication(const char *ip, uint16_t port,

346

unsigned int if_index){

353

347

int ret, tcp_sd;

354

348

struct sockaddr_in6 to;

355

349

encrypted_session es;

373

367

return -1;

374

368

}

375

369

376

if(if_indextoname((unsigned int)if_index, interface) == NULL){

370

if(if_indextoname(if_index, interface) == NULL){

377

371

if(debug){

378

372

perror("if_indextoname");

379

373

}

493

487

decrypted_buffer_size = pgp_packet_decrypt(buffer,

494

488

buffer_length,

495

489

&decrypted_buffer,

496

certdir);

490

CERT_ROOT);

497

491

if (decrypted_buffer_size >= 0){

498

492

while(written < (size_t) decrypted_buffer_size){

499

493

ret = (int)fwrite (decrypted_buffer + written, 1,

570

564

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

571

565

" port %d\n", name, host_name, ip, port);

572

566

}

573

int ret = start_mandos_communication(ip, port, interface);

567

int ret = start_mandos_communication(ip, port,

568

(unsigned int) interface);

574

569

if (ret == 0){

575

570

exit(EXIT_SUCCESS);

576

571

}

628

623

}

629

624

}

630

625

631

/* Combines file name and path and returns the malloced new

632

string. some sane checks could/should be added */

633

static const char *combinepath(const char *first, const char *second){

634

size_t f_len = strlen(first);

635

size_t s_len = strlen(second);

636

char *tmp = malloc(f_len + s_len + 2);

637

if (tmp == NULL){

638

return NULL;

639

}

640

if(f_len > 0){

641

memcpy(tmp, first, f_len);

642

}

643

tmp[f_len] = '/';

644

if(s_len > 0){

645

memcpy(tmp + f_len + 1, second, s_len);

646

}

647

tmp[f_len + 1 + s_len] = '\0';

648

return tmp;

649

}

650

651

652

626

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

653

627

AvahiServerConfig config;

654

628

AvahiSServiceBrowser *sb = NULL;

655

629

int error;

656

630

int ret;

657

631

int returncode = EXIT_SUCCESS;

658

const char *interface = NULL;

659

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

632

const char *interface = "eth0";

633

unsigned int if_index;

660

634

char *connect_to = NULL;

661

635

662

636

while (true){

663

637

static struct option long_options[] = {

664

638

{"debug", no_argument, (int *)&debug, 1},

665

{"connect", required_argument, 0, 'C'},

639

{"connect", required_argument, 0, 'c'},

666

640

{"interface", required_argument, 0, 'i'},

667

{"certdir", required_argument, 0, 'd'},

668

{"certkey", required_argument, 0, 'c'},

669

{"certfile", required_argument, 0, 'k'},

670

641

{0, 0, 0, 0} };

671

642

672

643

int option_index = 0;

683

654

case 'i':

684

655

interface = optarg;

685

656

break;

686

case 'C':

657

case 'c':

687

658

connect_to = optarg;

688

659

break;

689

case 'd':

690

certdir = optarg;

691

break;

692

case 'c':

693

certfile = optarg;

694

break;

695

case 'k':

696

certkey = optarg;

697

break;

698

660

default:

699

661

exit(EXIT_FAILURE);

700

662

}

701

663

}

702

664

703

certfile = combinepath(certdir, certfile);

704

if (certfile == NULL){

705

perror("combinepath");

706

goto exit;

707

}

708

709

if(interface != NULL){

710

if_index = (AvahiIfIndex) if_nametoindex(interface);

711

if(if_index == 0){

712

fprintf(stderr, "No such interface: \"%s\"\n", interface);

713

exit(EXIT_FAILURE);

714

}

665

if_index = if_nametoindex(interface);

666

if(if_index == 0){

667

fprintf(stderr, "No such interface: \"%s\"\n", interface);

668

exit(EXIT_FAILURE);

715

669

}

716

670

717

671

if(connect_to != NULL){

738

692

}

739

693

}

740

694

741

certkey = combinepath(certdir, certkey);

742

if (certkey == NULL){

743

perror("combinepath");

744

goto exit;

745

}

746

747

695

if (not debug){

748

696

avahi_set_log_function(empty_log);

749

697

}

781

729

}

782

730

783

731

/* Create the service browser */

784

sb = avahi_s_service_browser_new(server, if_index,

732

sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,

785

733

AVAHI_PROTO_INET6,

786

734

"_mandos._tcp", NULL, 0,

787

735

browse_callback, server);

815

763

816

764

if (simple_poll)

817

765

avahi_simple_poll_free(simple_poll);

818

free(certfile);

819

free(certkey);

820

766

821

767

return returncode;

822

768

}

Older »