To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 31
- compare with another revision
- download diff
- download tarball
- view history from revision 31
- Committer: Teddy Hogeborn
- Date: 2008-08-01 06:33:15 UTC
- Revision ID: teddy@fukt.bsnet.se-20080801063315-4k33q3ek28hjc3tu
* plugins.d/plugbasedclient.c: Update include file comments.
(struct process.disable): Renamed to "disabled". All users changed.
(addarguments): Renamed to "addargument". All callers changed.
(doc, args_doc): Removed.
(main): Changed default "plugindir" to
"/conf/conf.d/mandos/plugins.d". Renamed "rfds_orig" to
"rfds_all"; all users changed. New "debug" and
"exitstatus" variables. New "--debug" option. Removed
unnecessary ".flags = 0" from all options. Changed so that
"--disable-plugin" only takes one plugin. Check for
non-existence of ":" in argument to "--options-for". Added
some debugging outputs. Set the FD_CLOEXEC flag on the
directory FD. More capable code for dealing with
disallowed plugin file name prefixes and suffixes. Bug
fix: check for some malloc failures. Moved allocating the
"struct process *new_process" to after the fork. Do
_exit() instead of exit() in the child.
* plugins.d/mandosclient.c: Updated contact information.
(struct process.disable): Renamed to "disabled". All users changed.
(addarguments): Renamed to "addargument". All callers changed.
(doc, args_doc): Removed.
(main): Changed default "plugindir" to
"/conf/conf.d/mandos/plugins.d". Renamed "rfds_orig" to
"rfds_all"; all users changed. New "debug" and
"exitstatus" variables. New "--debug" option. Removed
unnecessary ".flags = 0" from all options. Changed so that
"--disable-plugin" only takes one plugin. Check for
non-existence of ":" in argument to "--options-for". Added
some debugging outputs. Set the FD_CLOEXEC flag on the
directory FD. More capable code for dealing with
disallowed plugin file name prefixes and suffixes. Bug
fix: check for some malloc failures. Moved allocating the
"struct process *new_process" to after the fork. Do
_exit() instead of exit() in the child.
* plugins.d/mandosclient.c: Updated contact information.
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
35
#include <stdio.h>
38
36
#include <assert.h>
39
37
#include <stdlib.h>
40
38
#include <time.h>
41
39
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
40
47
41
#include <avahi-core/core.h>
48
42
#include <avahi-core/lookup.h>
51
45
#include <avahi-common/malloc.h>
52
46
#include <avahi-common/error.h>
53
47
54
/* Mandos client part */
48
//mandos client part
55
49
#include <sys/types.h> /* socket(), inet_pton() */
56
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
51
struct in6_addr, inet_pton() */
64
58
#include <string.h> /* memset */
65
59
#include <arpa/inet.h> /* inet_pton() */
66
60
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
61
62
// gpgme
72
63
#include <errno.h> /* perror() */
73
64
#include <gpgme.h>
74
65
66
// getopt long
67
#include <getopt.h>
68
75
69
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
76
75
77
76
bool debug = false;
78
static const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
static const char mandos_protocol_version[] = "1";
82
77
83
/* Used for passing in values through the Avahi callback functions */
84
78
typedef struct {
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
79
gnutls_session_t session;
87
80
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
89
81
gnutls_dh_params_t dh_params;
90
const char *priority;
91
} mandos_context;
92
93
/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
94
* "buffer_capacity" is how much is currently allocated,
95
* "buffer_length" is how much is already used. */
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
115
const char *homedir){
82
} encrypted_session;
83
84
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
116
87
gpgme_data_t dh_crypto, dh_plain;
117
88
gpgme_ctx_t ctx;
118
89
gpgme_error_t rc;
119
90
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
122
93
gpgme_engine_info_t engine_info;
123
94
124
95
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
97
}
127
98
128
99
/* Init GPGME */
134
105
return -1;
135
106
}
136
107
137
/* Set GPGME home directory for the OpenPGP engine only */
108
/* Set GPGME home directory */
138
109
rc = gpgme_get_engine_info (&engine_info);
139
110
if (rc != GPG_ERR_NO_ERROR){
140
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
121
engine_info = engine_info->next;
151
122
}
152
123
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
125
return -1;
155
126
}
156
127
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
130
if (rc != GPG_ERR_NO_ERROR){
161
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
132
gpgme_strsource(rc), gpgme_strerror(rc));
168
138
if (rc != GPG_ERR_NO_ERROR){
169
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
140
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
141
return -1;
173
142
}
174
143
177
146
if (rc != GPG_ERR_NO_ERROR){
178
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
148
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
149
return -1;
182
150
}
183
151
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
186
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
155
if (rc != GPG_ERR_NO_ERROR){
188
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
157
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
158
return -1;
192
159
}
193
160
194
161
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
163
}
197
164
198
165
if (debug){
199
166
gpgme_decrypt_result_t result;
200
167
result = gpgme_op_decrypt_result(ctx);
224
191
}
225
192
}
226
193
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
196
227
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
199
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
200
}
233
201
234
*plaintext = NULL;
202
*new_packet = 0;
235
203
while(true){
236
plaintext_capacity = adjustbuffer(plaintext,
237
(size_t)plaintext_length,
238
plaintext_capacity);
239
if (plaintext_capacity == 0){
240
perror("adjustbuffer");
241
plaintext_length = -1;
242
goto decrypt_end;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
207
+ BUFFER_SIZE);
208
if (*new_packet == NULL){
209
perror("realloc");
210
return -1;
211
}
212
new_packet_capacity += BUFFER_SIZE;
243
213
}
244
214
245
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
246
216
BUFFER_SIZE);
247
217
/* Print the data, if any */
248
218
if (ret == 0){
249
/* EOF */
250
219
break;
251
220
}
252
221
if(ret < 0){
253
222
perror("gpgme_data_read");
254
plaintext_length = -1;
255
goto decrypt_end;
223
return -1;
256
224
}
257
plaintext_length += ret;
225
new_packet_length += ret;
258
226
}
259
227
260
if(debug){
261
fprintf(stderr, "Decrypted password is: ");
262
for(ssize_t i = 0; i < plaintext_length; i++){
263
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
264
}
265
fprintf(stderr, "\n");
266
}
267
268
decrypt_end:
269
270
/* Delete the GPGME cryptotext data buffer */
271
gpgme_data_release(dh_crypto);
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
230
/* if(debug){ */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
234
/* } */
272
235
273
236
/* Delete the GPGME plaintext data buffer */
274
237
gpgme_data_release(dh_plain);
275
return plaintext_length;
238
return new_packet_length;
276
239
}
277
240
278
241
static const char * safer_gnutls_strerror (int value) {
282
245
return ret;
283
246
}
284
247
285
/* GnuTLS log function callback */
286
static void debuggnutls(__attribute__((unused)) int level,
287
const char* string){
288
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
249
const char* string){
250
fprintf(stderr, "%s", string);
289
251
}
290
252
291
static int init_gnutls_global(mandos_context *mc,
292
const char *pubkeyfile,
293
const char *seckeyfile){
253
int initgnutls(encrypted_session *es){
254
const char *err;
294
255
int ret;
295
256
296
257
if(debug){
299
260
300
261
if ((ret = gnutls_global_init ())
301
262
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "GnuTLS global_init: %s\n",
303
safer_gnutls_strerror(ret));
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
264
return -1;
305
265
}
306
266
307
267
if (debug){
308
/* "Use a log level over 10 to enable all debugging options."
309
* - GnuTLS manual
310
*/
311
268
gnutls_global_set_log_level(11);
312
269
gnutls_global_set_log_function(debuggnutls);
313
270
}
314
271
315
/* OpenPGP credentials */
316
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
317
274
!= GNUTLS_E_SUCCESS) {
318
fprintf (stderr, "GnuTLS memory error: %s\n",
275
fprintf (stderr, "memory error: %s\n",
319
276
safer_gnutls_strerror(ret));
320
277
return -1;
321
278
}
322
279
323
280
if(debug){
324
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
325
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
326
seckeyfile);
282
" and keyfile %s as GnuTLS credentials\n", certfile,
283
certkey);
327
284
}
328
285
329
286
ret = gnutls_certificate_set_openpgp_key_file
330
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
331
288
if (ret != GNUTLS_E_SUCCESS) {
332
fprintf(stderr,
333
"Error[%d] while reading the OpenPGP key pair ('%s',"
334
" '%s')\n", ret, pubkeyfile, seckeyfile);
335
fprintf(stdout, "The GnuTLS error is: %s\n",
289
fprintf
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
291
" '%s')\n",
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
336
294
safer_gnutls_strerror(ret));
337
295
return -1;
338
296
}
339
297
340
/* GnuTLS server initialization */
341
ret = gnutls_dh_params_init(&mc->dh_params);
342
if (ret != GNUTLS_E_SUCCESS) {
343
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
344
" %s\n", safer_gnutls_strerror(ret));
345
return -1;
346
}
347
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
348
if (ret != GNUTLS_E_SUCCESS) {
349
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
350
safer_gnutls_strerror(ret));
351
return -1;
352
}
353
354
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
355
356
return 0;
357
}
358
359
static int init_gnutls_session(mandos_context *mc,
360
gnutls_session_t *session){
361
int ret;
362
/* GnuTLS session creation */
363
ret = gnutls_init(session, GNUTLS_SERVER);
364
if (ret != GNUTLS_E_SUCCESS){
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
303
return -1;
304
}
305
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
310
return -1;
311
}
312
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
314
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
365
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
366
319
safer_gnutls_strerror(ret));
367
320
}
368
321
369
{
370
const char *err;
371
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
372
if (ret != GNUTLS_E_SUCCESS) {
373
fprintf(stderr, "Syntax error at: %s\n", err);
374
fprintf(stderr, "GnuTLS error: %s\n",
375
safer_gnutls_strerror(ret));
376
return -1;
377
}
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
327
return -1;
378
328
}
379
329
380
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
381
mc->cred);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
384
334
safer_gnutls_strerror(ret));
385
335
return -1;
386
336
}
387
337
388
338
/* ignore client certificate if any. */
389
gnutls_certificate_server_set_request (*session,
339
gnutls_certificate_server_set_request (es->session,
390
340
GNUTLS_CERT_IGNORE);
391
341
392
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
393
343
394
344
return 0;
395
345
}
396
346
397
/* Avahi log function callback */
398
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
399
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
400
349
401
/* Called when a Mandos server is found */
402
static int start_mandos_communication(const char *ip, uint16_t port,
403
AvahiIfIndex if_index,
404
mandos_context *mc){
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
405
352
int ret, tcp_sd;
406
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
353
struct sockaddr_in6 to;
354
encrypted_session es;
407
355
char *buffer = NULL;
408
356
char *decrypted_buffer;
409
357
size_t buffer_length = 0;
410
358
size_t buffer_capacity = 0;
411
359
ssize_t decrypted_buffer_size;
412
size_t written;
360
size_t written = 0;
413
361
int retval = 0;
414
362
char interface[IF_NAMESIZE];
415
gnutls_session_t session;
416
417
ret = init_gnutls_session (mc, &session);
418
if (ret != 0){
419
return -1;
420
}
421
363
422
364
if(debug){
423
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
429
371
perror("socket");
430
372
return -1;
431
373
}
432
433
if(debug){
434
if(if_indextoname((unsigned int)if_index, interface) == NULL){
374
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(debug){
435
377
perror("if_indextoname");
436
return -1;
437
378
}
379
return -1;
380
}
381
382
if(debug){
438
383
fprintf(stderr, "Binding to interface %s\n", interface);
439
384
}
440
385
441
386
memset(&to,0,sizeof(to)); /* Spurious warning */
442
to.in6.sin6_family = AF_INET6;
443
/* It would be nice to have a way to detect if we were passed an
444
IPv4 address here. Now we assume an IPv6 address. */
445
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
387
to.sin6_family = AF_INET6;
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
446
389
if (ret < 0 ){
447
390
perror("inet_pton");
448
391
return -1;
449
}
392
}
450
393
if(ret == 0){
451
394
fprintf(stderr, "Bad address: %s\n", ip);
452
395
return -1;
453
396
}
454
to.in6.sin6_port = htons(port); /* Spurious warning */
397
to.sin6_port = htons(port); /* Spurious warning */
455
398
456
to.in6.sin6_scope_id = (uint32_t)if_index;
399
to.sin6_scope_id = (uint32_t)if_index;
457
400
458
401
if(debug){
459
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
460
char addrstr[INET6_ADDRSTRLEN] = "";
461
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
462
sizeof(addrstr)) == NULL){
463
perror("inet_ntop");
464
} else {
465
if(strcmp(addrstr, ip) != 0){
466
fprintf(stderr, "Canonical address form: %s\n", addrstr);
467
}
468
}
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
407
/* } else { */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
410
/* } */
469
411
}
470
412
471
ret = connect(tcp_sd, &to.in, sizeof(to));
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
472
414
if (ret < 0){
473
415
perror("connect");
474
416
return -1;
475
417
}
476
477
const char *out = mandos_protocol_version;
478
written = 0;
479
while (true){
480
size_t out_size = strlen(out);
481
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
482
out_size - written));
483
if (ret == -1){
484
perror("write");
485
retval = -1;
486
goto mandos_end;
487
}
488
written += (size_t)ret;
489
if(written < out_size){
490
continue;
491
} else {
492
if (out == mandos_protocol_version){
493
written = 0;
494
out = "\r\n";
495
} else {
496
break;
497
}
498
}
418
419
ret = initgnutls (&es);
420
if (ret != 0){
421
retval = -1;
422
return -1;
499
423
}
500
424
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
427
501
428
if(debug){
502
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
503
430
}
504
431
505
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
506
507
ret = gnutls_handshake (session);
432
ret = gnutls_handshake (es.session);
508
433
509
434
if (ret != GNUTLS_E_SUCCESS){
510
435
if(debug){
511
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
436
fprintf(stderr, "\n*** Handshake failed ***\n");
512
437
gnutls_perror (ret);
513
438
}
514
439
retval = -1;
515
goto mandos_end;
440
goto exit;
516
441
}
517
442
518
/* Read OpenPGP packet that contains the wanted password */
443
//Retrieve OpenPGP packet that contains the wanted password
519
444
520
445
if(debug){
521
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
523
448
}
524
449
525
450
while(true){
526
buffer_capacity = adjustbuffer(&buffer, buffer_length,
527
buffer_capacity);
528
if (buffer_capacity == 0){
529
perror("adjustbuffer");
530
retval = -1;
531
goto mandos_end;
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
453
if (buffer == NULL){
454
perror("realloc");
455
goto exit;
456
}
457
buffer_capacity += BUFFER_SIZE;
532
458
}
533
459
534
ret = gnutls_record_recv(session, buffer+buffer_length,
535
BUFFER_SIZE);
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
536
462
if (ret == 0){
537
463
break;
538
464
}
542
468
case GNUTLS_E_AGAIN:
543
469
break;
544
470
case GNUTLS_E_REHANDSHAKE:
545
ret = gnutls_handshake (session);
471
ret = gnutls_handshake (es.session);
546
472
if (ret < 0){
547
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
473
fprintf(stderr, "\n*** Handshake failed ***\n");
548
474
gnutls_perror (ret);
549
475
retval = -1;
550
goto mandos_end;
476
goto exit;
551
477
}
552
478
break;
553
479
default:
554
480
fprintf(stderr, "Unknown error while reading data from"
555
" encrypted session with Mandos server\n");
481
" encrypted session with mandos server\n");
556
482
retval = -1;
557
gnutls_bye (session, GNUTLS_SHUT_RDWR);
558
goto mandos_end;
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
484
goto exit;
559
485
}
560
486
} else {
561
487
buffer_length += (size_t) ret;
562
488
}
563
489
}
564
490
565
if(debug){
566
fprintf(stderr, "Closing TLS session\n");
567
}
568
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
571
491
if (buffer_length > 0){
572
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
573
493
buffer_length,
574
494
&decrypted_buffer,
575
keydir);
495
certdir);
576
496
if (decrypted_buffer_size >= 0){
577
written = 0;
578
497
while(written < (size_t) decrypted_buffer_size){
579
498
ret = (int)fwrite (decrypted_buffer + written, 1,
580
499
(size_t)decrypted_buffer_size - written,
594
513
retval = -1;
595
514
}
596
515
}
597
598
/* Shutdown procedure */
599
600
mandos_end:
516
517
//shutdown procedure
518
519
if(debug){
520
fprintf(stderr, "Closing TLS session\n");
521
}
522
601
523
free(buffer);
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
exit:
602
526
close(tcp_sd);
603
gnutls_deinit (session);
604
gnutls_certificate_free_credentials (mc->cred);
527
gnutls_deinit (es.session);
528
gnutls_certificate_free_credentials (es.cred);
605
529
gnutls_global_deinit ();
606
530
return retval;
607
531
}
608
532
609
static void resolve_callback(AvahiSServiceResolver *r,
610
AvahiIfIndex interface,
611
AVAHI_GCC_UNUSED AvahiProtocol protocol,
612
AvahiResolverEvent event,
613
const char *name,
614
const char *type,
615
const char *domain,
616
const char *host_name,
617
const AvahiAddress *address,
618
uint16_t port,
619
AVAHI_GCC_UNUSED AvahiStringList *txt,
620
AVAHI_GCC_UNUSED AvahiLookupResultFlags
621
flags,
622
void* userdata) {
623
mandos_context *mc = userdata;
533
static AvahiSimplePoll *simple_poll = NULL;
534
static AvahiServer *server = NULL;
535
536
static void resolve_callback(
537
AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
AVAHI_GCC_UNUSED void* userdata) {
550
624
551
assert(r); /* Spurious warning */
625
552
626
553
/* Called whenever a service has been resolved successfully or
629
556
switch (event) {
630
557
default:
631
558
case AVAHI_RESOLVER_FAILURE:
632
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
633
" of type '%s' in domain '%s': %s\n", name, type, domain,
634
avahi_strerror(avahi_server_errno(mc->server)));
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(server)));
635
562
break;
636
563
637
564
case AVAHI_RESOLVER_FOUND:
639
566
char ip[AVAHI_ADDRESS_STR_MAX];
640
567
avahi_address_snprint(ip, sizeof(ip), address);
641
568
if(debug){
642
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
643
" port %d\n", name, host_name, ip, interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
644
571
}
645
int ret = start_mandos_communication(ip, port, interface, mc);
572
int ret = start_mandos_communication(ip, port, interface);
646
573
if (ret == 0){
647
574
exit(EXIT_SUCCESS);
648
575
}
651
578
avahi_s_service_resolver_free(r);
652
579
}
653
580
654
static void browse_callback( AvahiSServiceBrowser *b,
655
AvahiIfIndex interface,
656
AvahiProtocol protocol,
657
AvahiBrowserEvent event,
658
const char *name,
659
const char *type,
660
const char *domain,
661
AVAHI_GCC_UNUSED AvahiLookupResultFlags
662
flags,
663
void* userdata) {
664
mandos_context *mc = userdata;
665
assert(b); /* Spurious warning */
666
667
/* Called whenever a new services becomes available on the LAN or
668
is removed from the LAN */
669
670
switch (event) {
671
default:
672
case AVAHI_BROWSER_FAILURE:
673
674
fprintf(stderr, "(Avahi browser) %s\n",
675
avahi_strerror(avahi_server_errno(mc->server)));
676
avahi_simple_poll_quit(mc->simple_poll);
677
return;
678
679
case AVAHI_BROWSER_NEW:
680
/* We ignore the returned Avahi resolver object. In the callback
681
function we free it. If the Avahi server is terminated before
682
the callback function is called the Avahi server will free the
683
resolver for us. */
684
685
if (!(avahi_s_service_resolver_new(mc->server, interface,
686
protocol, name, type, domain,
687
AVAHI_PROTO_INET6, 0,
688
resolve_callback, mc)))
689
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
690
name, avahi_strerror(avahi_server_errno(mc->server)));
691
break;
692
693
case AVAHI_BROWSER_REMOVE:
694
break;
695
696
case AVAHI_BROWSER_ALL_FOR_NOW:
697
case AVAHI_BROWSER_CACHE_EXHAUSTED:
698
if(debug){
699
fprintf(stderr, "No Mandos server found, still searching...\n");
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
586
const char *name,
587
const char *type,
588
const char *domain,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
void* userdata) {
591
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
594
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
597
598
switch (event) {
599
default:
600
case AVAHI_BROWSER_FAILURE:
601
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
605
return;
606
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
612
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
614
type, domain,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
619
break;
620
621
case AVAHI_BROWSER_REMOVE:
622
break;
623
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
626
break;
700
627
}
701
break;
702
}
703
628
}
704
629
705
/* Combines file name and path and returns the malloced new
706
string. some sane checks could/should be added */
707
static const char *combinepath(const char *first, const char *second){
708
size_t f_len = strlen(first);
709
size_t s_len = strlen(second);
710
char *tmp = malloc(f_len + s_len + 2);
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
632
char *tmp;
633
tmp = malloc(strlen(first) + strlen(second) + 2);
711
634
if (tmp == NULL){
635
perror("malloc");
712
636
return NULL;
713
637
}
714
if(f_len > 0){
715
memcpy(tmp, first, f_len); /* Spurious warning */
716
}
717
tmp[f_len] = '/';
718
if(s_len > 0){
719
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
720
}
721
tmp[f_len + 1 + s_len] = '\0';
638
strcpy(tmp, first);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
640
strcat(tmp, "/");
641
}
642
strcat(tmp, second);
722
643
return tmp;
723
644
}
724
645
725
646
726
int main(int argc, char *argv[]){
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
648
AvahiServerConfig config;
727
649
AvahiSServiceBrowser *sb = NULL;
728
650
int error;
729
651
int ret;
730
int exitcode = EXIT_SUCCESS;
731
const char *interface = "eth0";
732
struct ifreq network;
733
int sd;
734
uid_t uid;
735
gid_t gid;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
736
655
char *connect_to = NULL;
737
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
738
const char *pubkeyfile = "pubkey.txt";
739
const char *seckeyfile = "seckey.txt";
740
mandos_context mc = { .simple_poll = NULL, .server = NULL,
741
.dh_bits = 1024, .priority = "SECURE256"};
742
743
{
744
struct argp_option options[] = {
745
{ .name = "debug", .key = 128,
746
.doc = "Debug mode", .group = 3 },
747
{ .name = "connect", .key = 'c',
748
.arg = "IP",
749
.doc = "Connect directly to a sepcified mandos server",
750
.group = 1 },
751
{ .name = "interface", .key = 'i',
752
.arg = "INTERFACE",
753
.doc = "Interface that Avahi will conntect through",
754
.group = 1 },
755
{ .name = "keydir", .key = 'd',
756
.arg = "KEYDIR",
757
.doc = "Directory where the openpgp keyring is",
758
.group = 1 },
759
{ .name = "seckey", .key = 's',
760
.arg = "SECKEY",
761
.doc = "Secret openpgp key for gnutls authentication",
762
.group = 1 },
763
{ .name = "pubkey", .key = 'p',
764
.arg = "PUBKEY",
765
.doc = "Public openpgp key for gnutls authentication",
766
.group = 2 },
767
{ .name = "dh-bits", .key = 129,
768
.arg = "BITS",
769
.doc = "dh-bits to use in gnutls communication",
770
.group = 2 },
771
{ .name = "priority", .key = 130,
772
.arg = "PRIORITY",
773
.doc = "GNUTLS priority", .group = 1 },
774
{ .name = NULL }
775
};
776
777
778
error_t parse_opt (int key, char *arg,
779
struct argp_state *state) {
780
/* Get the INPUT argument from `argp_parse', which we know is
781
a pointer to our plugin list pointer. */
782
switch (key) {
783
case 128:
784
debug = true;
785
break;
786
case 'c':
787
connect_to = arg;
788
break;
789
case 'i':
790
interface = arg;
791
break;
792
case 'd':
793
keydir = arg;
794
break;
795
case 's':
796
seckeyfile = arg;
797
break;
798
case 'p':
799
pubkeyfile = arg;
800
break;
801
case 129:
802
errno = 0;
803
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
804
if (errno){
805
perror("strtol");
806
exit(EXIT_FAILURE);
807
}
808
break;
809
case 130:
810
mc.priority = arg;
811
break;
812
case ARGP_KEY_ARG:
813
argp_usage (state);
814
break;
815
case ARGP_KEY_END:
816
break;
817
default:
818
return ARGP_ERR_UNKNOWN;
819
}
820
return 0;
821
}
822
823
struct argp argp = { .options = options, .parser = parse_opt,
824
.args_doc = "",
825
.doc = "Mandos client -- Get and decrypt"
826
" passwords from mandos server" };
827
argp_parse (&argp, argc, argv, 0, 0, NULL);
828
}
829
830
pubkeyfile = combinepath(keydir, pubkeyfile);
831
if (pubkeyfile == NULL){
832
perror("combinepath");
833
exitcode = EXIT_FAILURE;
834
goto end;
835
}
836
837
seckeyfile = combinepath(keydir, seckeyfile);
838
if (seckeyfile == NULL){
839
perror("combinepath");
840
goto end;
841
}
842
843
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
844
if (ret == -1){
845
fprintf(stderr, "init_gnutls_global\n");
846
goto end;
847
}
848
849
uid = getuid();
850
gid = getgid();
851
852
ret = setuid(uid);
853
if (ret == -1){
854
perror("setuid");
855
}
856
857
setgid(gid);
858
if (ret == -1){
859
perror("setgid");
860
}
861
862
if_index = (AvahiIfIndex) if_nametoindex(interface);
863
if(if_index == 0){
864
fprintf(stderr, "No such interface: \"%s\"\n", interface);
865
exit(EXIT_FAILURE);
656
657
while (true){
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
665
{0, 0, 0, 0} };
666
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
669
&option_index);
670
671
if (ret == -1){
672
break;
673
}
674
675
switch(ret){
676
case 0:
677
break;
678
case 'i':
679
interface = optarg;
680
break;
681
case 'C':
682
connect_to = optarg;
683
break;
684
case 'd':
685
certdir = optarg;
686
break;
687
case 'c':
688
certfile = optarg;
689
break;
690
case 'k':
691
certkey = optarg;
692
break;
693
default:
694
exit(EXIT_FAILURE);
695
}
696
}
697
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
700
goto exit;
701
}
702
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
705
if(if_index == 0){
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
707
exit(EXIT_FAILURE);
708
}
866
709
}
867
710
868
711
if(connect_to != NULL){
871
714
char *address = strrchr(connect_to, ':');
872
715
if(address == NULL){
873
716
fprintf(stderr, "No colon in address\n");
874
exitcode = EXIT_FAILURE;
875
goto end;
717
exit(EXIT_FAILURE);
876
718
}
877
719
errno = 0;
878
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
879
721
if(errno){
880
722
perror("Bad port number");
881
exitcode = EXIT_FAILURE;
882
goto end;
723
exit(EXIT_FAILURE);
883
724
}
884
725
*address = '\0';
885
726
address = connect_to;
886
ret = start_mandos_communication(address, port, if_index, &mc);
727
ret = start_mandos_communication(address, port, if_index);
887
728
if(ret < 0){
888
exitcode = EXIT_FAILURE;
729
exit(EXIT_FAILURE);
889
730
} else {
890
exitcode = EXIT_SUCCESS;
731
exit(EXIT_SUCCESS);
891
732
}
892
goto end;
893
733
}
894
734
895
/* If the interface is down, bring it up */
896
{
897
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
898
if(sd < 0) {
899
perror("socket");
900
exitcode = EXIT_FAILURE;
901
goto end;
902
}
903
strcpy(network.ifr_name, interface); /* Spurious warning */
904
ret = ioctl(sd, SIOCGIFFLAGS, &network);
905
if(ret == -1){
906
perror("ioctl SIOCGIFFLAGS");
907
exitcode = EXIT_FAILURE;
908
goto end;
909
}
910
if((network.ifr_flags & IFF_UP) == 0){
911
network.ifr_flags |= IFF_UP;
912
ret = ioctl(sd, SIOCSIFFLAGS, &network);
913
if(ret == -1){
914
perror("ioctl SIOCSIFFLAGS");
915
exitcode = EXIT_FAILURE;
916
goto end;
917
}
918
}
919
close(sd);
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
737
goto exit;
920
738
}
921
739
922
740
if (not debug){
923
741
avahi_set_log_function(empty_log);
924
742
}
925
743
926
/* Initialize the pseudo-RNG for Avahi */
744
/* Initialize the psuedo-RNG */
927
745
srand((unsigned int) time(NULL));
928
929
/* Allocate main Avahi loop object */
930
mc.simple_poll = avahi_simple_poll_new();
931
if (mc.simple_poll == NULL) {
932
fprintf(stderr, "Avahi: Failed to create simple poll"
933
" object.\n");
934
exitcode = EXIT_FAILURE;
935
goto end;
936
}
937
938
{
939
AvahiServerConfig config;
940
/* Do not publish any local Zeroconf records */
941
avahi_server_config_init(&config);
942
config.publish_hinfo = 0;
943
config.publish_addresses = 0;
944
config.publish_workstation = 0;
945
config.publish_domain = 0;
946
947
/* Allocate a new server */
948
mc.server = avahi_server_new(avahi_simple_poll_get
949
(mc.simple_poll), &config, NULL,
950
NULL, &error);
951
952
/* Free the Avahi configuration data */
953
avahi_server_config_free(&config);
954
}
955
956
/* Check if creating the Avahi server object succeeded */
957
if (mc.server == NULL) {
958
fprintf(stderr, "Failed to create Avahi server: %s\n",
746
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
750
751
goto exit;
752
}
753
754
/* Do not publish any local records */
755
avahi_server_config_init(&config);
756
config.publish_hinfo = 0;
757
config.publish_addresses = 0;
758
config.publish_workstation = 0;
759
config.publish_domain = 0;
760
761
/* Allocate a new server */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
764
765
/* Free the configuration data */
766
avahi_server_config_free(&config);
767
768
/* Check if creating the server object succeeded */
769
if (!server) {
770
fprintf(stderr, "Failed to create server: %s\n",
959
771
avahi_strerror(error));
960
exitcode = EXIT_FAILURE;
961
goto end;
772
returncode = EXIT_FAILURE;
773
goto exit;
962
774
}
963
775
964
/* Create the Avahi service browser */
965
sb = avahi_s_service_browser_new(mc.server, if_index,
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
966
778
AVAHI_PROTO_INET6,
967
779
"_mandos._tcp", NULL, 0,
968
browse_callback, &mc);
969
if (sb == NULL) {
780
browse_callback, server);
781
if (!sb) {
970
782
fprintf(stderr, "Failed to create service browser: %s\n",
971
avahi_strerror(avahi_server_errno(mc.server)));
972
exitcode = EXIT_FAILURE;
973
goto end;
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
785
goto exit;
974
786
}
975
787
976
788
/* Run the main loop */
977
789
978
790
if (debug){
979
fprintf(stderr, "Starting Avahi loop search\n");
791
fprintf(stderr, "Starting avahi loop search\n");
980
792
}
981
793
982
avahi_simple_poll_loop(mc.simple_poll);
794
avahi_simple_poll_loop(simple_poll);
983
795
984
end:
796
exit:
985
797
986
798
if (debug){
987
799
fprintf(stderr, "%s exiting\n", argv[0]);
988
800
}
989
801
990
802
/* Cleanup things */
991
if (sb != NULL)
803
if (sb)
992
804
avahi_s_service_browser_free(sb);
993
805
994
if (mc.server != NULL)
995
avahi_server_free(mc.server);
806
if (server)
807
avahi_server_free(server);
996
808
997
if (mc.simple_poll != NULL)
998
avahi_simple_poll_free(mc.simple_poll);
999
free(pubkeyfile);
1000
free(seckeyfile);
809
if (simple_poll)
810
avahi_simple_poll_free(simple_poll);
811
free(certfile);
812
free(certkey);
1001
813
1002
return exitcode;
814
return returncode;
1003
815
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0