/mandos/trunk : revision 32

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-08-01 06:56:27 UTC
Revision ID: teddy@fukt.bsnet.se-20080801065627-2c7k4ydefjgacgnq

* plugins.d/plugbasedclient.c (set_cloexec_flag): New function.
(main): Use the set_cloexec_flag function. Move inserting of global
arguments to before the fork.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
mandos-client.xml

mandos-clients.conf.xml

mandos.conf.xml

mandos.xml

network-protocol.txt

plugins.d/password-prompt.xml

plugins.d/password-request.xml

files renamed:
mandos-client.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* Mandos client part */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

/* GPGME */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#define BUFFER_SIZE 256

#define DH_BITS 1024

const char *certdir = "/conf/conf.d/cryptkeyreq/";

const char *certfile = "openpgp-client.txt";

const char *certkey = "openpgp-client-key.txt";

bool debug = false;

static const char *keydir = "/conf/conf.d/mandos";

static const char mandos_protocol_version[] = "1";

const char *argp_program_version = "mandosclient 0.9";

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

/* Used for passing in values through the Avahi callback functions */

typedef struct {

AvahiSimplePoll *simple_poll;

AvahiServer *server;

gnutls_session_t session;

gnutls_certificate_credentials_t cred;

unsigned int dh_bits;

gnutls_dh_params_t dh_params;

const char *priority;

} mandos_context;

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

* "buffer_capacity" is how much is currently allocated,

* "buffer_length" is how much is already used.

size_t adjustbuffer(char **buffer, size_t buffer_length,

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

101

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

103

return 0;

104

}

105

buffer_capacity += BUFFER_SIZE;

106

}

107

return buffer_capacity;

108

}

109

110

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

113

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

117

const char *homedir){

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

118

gpgme_data_t dh_crypto, dh_plain;

119

gpgme_ctx_t ctx;

120

gpgme_error_t rc;

121

ssize_t ret;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

124

gpgme_engine_info_t engine_info;

125

126

if (debug){

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

128

}

129

130

/* Init GPGME */

136

105

return -1;

137

106

}

138

107

139

/* Set GPGME home directory for the OpenPGP engine only */

108

/* Set GPGME home directory */

140

109

rc = gpgme_get_engine_info (&engine_info);

141

110

if (rc != GPG_ERR_NO_ERROR){

142

111

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

152

121

engine_info = engine_info->next;

153

122

}

154

123

if(engine_info == NULL){

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

124

fprintf(stderr, "Could not set home dir to %s\n", homedir);

156

125

return -1;

157

126

}

158

127

159

/* Create new GPGME data buffer from memory cryptotext */

160

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

161

0);

128

/* Create new GPGME data buffer from packet buffer */

129

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

162

130

if (rc != GPG_ERR_NO_ERROR){

163

131

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

164

132

gpgme_strsource(rc), gpgme_strerror(rc));

170

138

if (rc != GPG_ERR_NO_ERROR){

171

139

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

172

140

gpgme_strsource(rc), gpgme_strerror(rc));

173

gpgme_data_release(dh_crypto);

174

141

return -1;

175

142

}

176

143

179

146

if (rc != GPG_ERR_NO_ERROR){

180

147

fprintf(stderr, "bad gpgme_new: %s: %s\n",

181

148

gpgme_strsource(rc), gpgme_strerror(rc));

182

plaintext_length = -1;

183

goto decrypt_end;

149

return -1;

184

150

}

185

151

186

/* Decrypt data from the cryptotext data buffer to the plaintext

187

data buffer */

152

/* Decrypt data from the FILE pointer to the plaintext data

153

buffer */

188

154

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

189

155

if (rc != GPG_ERR_NO_ERROR){

190

156

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

191

157

gpgme_strsource(rc), gpgme_strerror(rc));

192

plaintext_length = -1;

193

goto decrypt_end;

158

return -1;

194

159

}

195

160

196

161

if(debug){

197

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

162

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

198

163

}

199

164

200

165

if (debug){

201

166

gpgme_decrypt_result_t result;

202

167

result = gpgme_op_decrypt_result(ctx);

226

191

}

227

192

}

228

193

194

/* Delete the GPGME FILE pointer cryptotext data buffer */

195

gpgme_data_release(dh_crypto);

196

229

197

/* Seek back to the beginning of the GPGME plaintext data buffer */

230

198

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

231

199

perror("pgpme_data_seek");

232

plaintext_length = -1;

233

goto decrypt_end;

234

200

}

235

201

236

*plaintext = NULL;

202

*new_packet = 0;

237

203

while(true){

238

plaintext_capacity = adjustbuffer(plaintext,

239

(size_t)plaintext_length,

240

plaintext_capacity);

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

243

plaintext_length = -1;

244

goto decrypt_end;

204

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

205

*new_packet = realloc(*new_packet,

206

(unsigned int)new_packet_capacity

207

+ BUFFER_SIZE);

208

if (*new_packet == NULL){

209

perror("realloc");

210

return -1;

211

}

212

new_packet_capacity += BUFFER_SIZE;

245

213

}

246

214

247

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

215

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

248

216

BUFFER_SIZE);

249

217

/* Print the data, if any */

250

218

if (ret == 0){

251

/* EOF */

252

219

break;

253

220

}

254

221

if(ret < 0){

255

222

perror("gpgme_data_read");

256

plaintext_length = -1;

257

goto decrypt_end;

223

return -1;

258

224

}

259

plaintext_length += ret;

225

new_packet_length += ret;

260

226

}

261

227

262

if(debug){

263

fprintf(stderr, "Decrypted password is: ");

264

for(ssize_t i = 0; i < plaintext_length; i++){

265

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

266

}

267

fprintf(stderr, "\n");

268

}

269

270

decrypt_end:

271

272

/* Delete the GPGME cryptotext data buffer */

273

gpgme_data_release(dh_crypto);

228

/* FIXME: check characters before printing to screen so to not print

229

terminal control characters */

230

/* if(debug){ */

231

/* fprintf(stderr, "decrypted password is: "); */

232

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

233

/* fprintf(stderr, "\n"); */

234

/* } */

274

235

275

236

/* Delete the GPGME plaintext data buffer */

276

237

gpgme_data_release(dh_plain);

277

return plaintext_length;

238

return new_packet_length;

278

239

}

279

240

280

241

static const char * safer_gnutls_strerror (int value) {

284

245

return ret;

285

246

}

286

247

287

/* GnuTLS log function callback */

288

static void debuggnutls(__attribute__((unused)) int level,

289

const char* string){

290

fprintf(stderr, "GnuTLS: %s", string);

248

void debuggnutls(__attribute__((unused)) int level,

249

const char* string){

250

fprintf(stderr, "%s", string);

291

251

}

292

252

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

253

int initgnutls(encrypted_session *es){

254

const char *err;

296

255

int ret;

297

256

298

257

if(debug){

301

260

302

261

if ((ret = gnutls_global_init ())

303

262

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

263

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

306

264

return -1;

307

265

}

308

266

309

267

if (debug){

310

/* "Use a log level over 10 to enable all debugging options."

311

* - GnuTLS manual

312

313

268

gnutls_global_set_log_level(11);

314

269

gnutls_global_set_log_function(debuggnutls);

315

270

}

316

271

317

/* OpenPGP credentials */

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

272

/* openpgp credentials */

273

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

319

274

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

275

fprintf (stderr, "memory error: %s\n",

321

276

safer_gnutls_strerror(ret));

322

gnutls_global_deinit ();

323

277

return -1;

324

278

}

325

279

326

280

if(debug){

327

281

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

328

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

329

seckeyfile);

282

" and keyfile %s as GnuTLS credentials\n", certfile,

283

certkey);

330

284

}

331

285

332

286

ret = gnutls_certificate_set_openpgp_key_file

333

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

287

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

334

288

if (ret != GNUTLS_E_SUCCESS) {

335

fprintf(stderr,

336

"Error[%d] while reading the OpenPGP key pair ('%s',"

337

" '%s')\n", ret, pubkeyfile, seckeyfile);

338

fprintf(stdout, "The GnuTLS error is: %s\n",

289

fprintf

290

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

291

" '%s')\n",

292

ret, certfile, certkey);

293

fprintf(stdout, "The Error is: %s\n",

339

294

safer_gnutls_strerror(ret));

340

goto globalfail;

341

}

342

343

/* GnuTLS server initialization */

344

ret = gnutls_dh_params_init(&mc->dh_params);

345

if (ret != GNUTLS_E_SUCCESS) {

346

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

347

" %s\n", safer_gnutls_strerror(ret));

348

goto globalfail;

349

}

350

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

351

if (ret != GNUTLS_E_SUCCESS) {

352

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

353

safer_gnutls_strerror(ret));

354

goto globalfail;

355

}

356

357

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

358

359

return 0;

360

361

globalfail:

362

363

gnutls_certificate_free_credentials (mc->cred);

364

gnutls_global_deinit ();

365

return -1;

366

367

}

368

369

static int init_gnutls_session(mandos_context *mc,

370

gnutls_session_t *session){

371

int ret;

372

/* GnuTLS session creation */

373

ret = gnutls_init(session, GNUTLS_SERVER);

374

if (ret != GNUTLS_E_SUCCESS){

295

return -1;

296

}

297

298

//GnuTLS server initialization

299

if ((ret = gnutls_dh_params_init (&es->dh_params))

300

!= GNUTLS_E_SUCCESS) {

301

fprintf (stderr, "Error in dh parameter initialization: %s\n",

302

safer_gnutls_strerror(ret));

303

return -1;

304

}

305

306

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

307

!= GNUTLS_E_SUCCESS) {

308

fprintf (stderr, "Error in prime generation: %s\n",

309

safer_gnutls_strerror(ret));

310

return -1;

311

}

312

313

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

314

315

// GnuTLS session creation

316

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

317

!= GNUTLS_E_SUCCESS){

375

318

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

376

319

safer_gnutls_strerror(ret));

377

320

}

378

321

379

{

380

const char *err;

381

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

382

if (ret != GNUTLS_E_SUCCESS) {

383

fprintf(stderr, "Syntax error at: %s\n", err);

384

fprintf(stderr, "GnuTLS error: %s\n",

385

safer_gnutls_strerror(ret));

386

gnutls_deinit (*session);

387

return -1;

388

}

322

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf(stderr, "Syntax error at: %s\n", err);

325

fprintf(stderr, "GnuTLS error: %s\n",

326

safer_gnutls_strerror(ret));

327

return -1;

389

328

}

390

329

391

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

392

mc->cred);

393

if (ret != GNUTLS_E_SUCCESS) {

394

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

330

if ((ret = gnutls_credentials_set

331

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

332

!= GNUTLS_E_SUCCESS) {

333

fprintf(stderr, "Error setting a credentials set: %s\n",

395

334

safer_gnutls_strerror(ret));

396

gnutls_deinit (*session);

397

335

return -1;

398

336

}

399

337

400

338

/* ignore client certificate if any. */

401

gnutls_certificate_server_set_request (*session,

339

gnutls_certificate_server_set_request (es->session,

402

340

GNUTLS_CERT_IGNORE);

403

341

404

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

342

gnutls_dh_set_prime_bits (es->session, DH_BITS);

405

343

406

344

return 0;

407

345

}

408

346

409

/* Avahi log function callback */

410

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

411

__attribute__((unused)) const char *txt){}

347

void empty_log(__attribute__((unused)) AvahiLogLevel level,

348

__attribute__((unused)) const char *txt){}

412

349

413

/* Called when a Mandos server is found */

414

static int start_mandos_communication(const char *ip, uint16_t port,

415

AvahiIfIndex if_index,

416

mandos_context *mc){

350

int start_mandos_communication(const char *ip, uint16_t port,

351

AvahiIfIndex if_index){

417

352

int ret, tcp_sd;

418

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

353

struct sockaddr_in6 to;

354

encrypted_session es;

419

355

char *buffer = NULL;

420

356

char *decrypted_buffer;

421

357

size_t buffer_length = 0;

422

358

size_t buffer_capacity = 0;

423

359

ssize_t decrypted_buffer_size;

424

size_t written;

360

size_t written = 0;

425

361

int retval = 0;

426

362

char interface[IF_NAMESIZE];

427

gnutls_session_t session;

428

429

ret = init_gnutls_session (mc, &session);

430

if (ret != 0){

431

return -1;

432

}

433

363

434

364

if(debug){

435

365

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

441

371

perror("socket");

442

372

return -1;

443

373

}

444

445

if(debug){

446

if(if_indextoname((unsigned int)if_index, interface) == NULL){

374

375

if(if_indextoname((unsigned int)if_index, interface) == NULL){

376

if(debug){

447

377

perror("if_indextoname");

448

return -1;

449

378

}

379

return -1;

380

}

381

382

if(debug){

450

383

fprintf(stderr, "Binding to interface %s\n", interface);

451

384

}

452

385

453

386

memset(&to,0,sizeof(to)); /* Spurious warning */

454

to.in6.sin6_family = AF_INET6;

455

/* It would be nice to have a way to detect if we were passed an

456

IPv4 address here. Now we assume an IPv6 address. */

457

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

387

to.sin6_family = AF_INET6;

388

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

458

389

if (ret < 0 ){

459

390

perror("inet_pton");

460

391

return -1;

461

}

392

}

462

393

if(ret == 0){

463

394

fprintf(stderr, "Bad address: %s\n", ip);

464

395

return -1;

465

396

}

466

to.in6.sin6_port = htons(port); /* Spurious warning */

397

to.sin6_port = htons(port); /* Spurious warning */

467

398

468

to.in6.sin6_scope_id = (uint32_t)if_index;

399

to.sin6_scope_id = (uint32_t)if_index;

469

400

470

401

if(debug){

471

402

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

472

char addrstr[INET6_ADDRSTRLEN] = "";

473

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

474

sizeof(addrstr)) == NULL){

475

perror("inet_ntop");

476

} else {

477

if(strcmp(addrstr, ip) != 0){

478

fprintf(stderr, "Canonical address form: %s\n", addrstr);

479

}

480

}

403

/* char addrstr[INET6_ADDRSTRLEN]; */

404

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

405

/* sizeof(addrstr)) == NULL){ */

406

/* perror("inet_ntop"); */

407

/* } else { */

408

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

409

/* addrstr, ntohs(to.sin6_port)); */

410

/* } */

481

411

}

482

412

483

ret = connect(tcp_sd, &to.in, sizeof(to));

413

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

484

414

if (ret < 0){

485

415

perror("connect");

486

416

return -1;

487

417

}

488

489

const char *out = mandos_protocol_version;

490

written = 0;

491

while (true){

492

size_t out_size = strlen(out);

493

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

494

out_size - written));

495

if (ret == -1){

496

perror("write");

497

retval = -1;

498

goto mandos_end;

499

}

500

written += (size_t)ret;

501

if(written < out_size){

502

continue;

503

} else {

504

if (out == mandos_protocol_version){

505

written = 0;

506

out = "\r\n";

507

} else {

508

break;

509

}

510

}

418

419

ret = initgnutls (&es);

420

if (ret != 0){

421

retval = -1;

422

return -1;

511

423

}

512

424

425

gnutls_transport_set_ptr (es.session,

426

(gnutls_transport_ptr_t) tcp_sd);

427

513

428

if(debug){

514

429

fprintf(stderr, "Establishing TLS session with %s\n", ip);

515

430

}

516

431

517

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

518

519

ret = gnutls_handshake (session);

432

ret = gnutls_handshake (es.session);

520

433

521

434

if (ret != GNUTLS_E_SUCCESS){

522

435

if(debug){

523

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

436

fprintf(stderr, "\n*** Handshake failed ***\n");

524

437

gnutls_perror (ret);

525

438

}

526

439

retval = -1;

527

goto mandos_end;

440

goto exit;

528

441

}

529

442

530

/* Read OpenPGP packet that contains the wanted password */

443

//Retrieve OpenPGP packet that contains the wanted password

531

444

532

445

if(debug){

533

446

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

535

448

}

536

449

537

450

while(true){

538

buffer_capacity = adjustbuffer(&buffer, buffer_length,

539

buffer_capacity);

540

if (buffer_capacity == 0){

541

perror("adjustbuffer");

542

retval = -1;

543

goto mandos_end;

451

if (buffer_length + BUFFER_SIZE > buffer_capacity){

452

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

453

if (buffer == NULL){

454

perror("realloc");

455

goto exit;

456

}

457

buffer_capacity += BUFFER_SIZE;

544

458

}

545

459

546

ret = gnutls_record_recv(session, buffer+buffer_length,

547

BUFFER_SIZE);

460

ret = gnutls_record_recv

461

(es.session, buffer+buffer_length, BUFFER_SIZE);

548

462

if (ret == 0){

549

463

break;

550

464

}

554

468

case GNUTLS_E_AGAIN:

555

469

break;

556

470

case GNUTLS_E_REHANDSHAKE:

557

ret = gnutls_handshake (session);

471

ret = gnutls_handshake (es.session);

558

472

if (ret < 0){

559

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

473

fprintf(stderr, "\n*** Handshake failed ***\n");

560

474

gnutls_perror (ret);

561

475

retval = -1;

562

goto mandos_end;

476

goto exit;

563

477

}

564

478

break;

565

479

default:

566

480

fprintf(stderr, "Unknown error while reading data from"

567

" encrypted session with Mandos server\n");

481

" encrypted session with mandos server\n");

568

482

retval = -1;

569

gnutls_bye (session, GNUTLS_SHUT_RDWR);

570

goto mandos_end;

483

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

484

goto exit;

571

485

}

572

486

} else {

573

487

buffer_length += (size_t) ret;

574

488

}

575

489

}

576

490

577

if(debug){

578

fprintf(stderr, "Closing TLS session\n");

579

}

580

581

gnutls_bye (session, GNUTLS_SHUT_RDWR);

582

583

491

if (buffer_length > 0){

584

492

decrypted_buffer_size = pgp_packet_decrypt(buffer,

585

493

buffer_length,

586

494

&decrypted_buffer,

587

keydir);

495

certdir);

588

496

if (decrypted_buffer_size >= 0){

589

written = 0;

590

497

while(written < (size_t) decrypted_buffer_size){

591

498

ret = (int)fwrite (decrypted_buffer + written, 1,

592

499

(size_t)decrypted_buffer_size - written,

606

513

retval = -1;

607

514

}

608

515

}

609

610

/* Shutdown procedure */

611

612

mandos_end:

516

517

//shutdown procedure

518

519

if(debug){

520

fprintf(stderr, "Closing TLS session\n");

521

}

522

613

523

free(buffer);

524

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

525

exit:

614

526

close(tcp_sd);

615

gnutls_deinit (session);

527

gnutls_deinit (es.session);

528

gnutls_certificate_free_credentials (es.cred);

529

gnutls_global_deinit ();

616

530

return retval;

617

531

}

618

532

619

static void resolve_callback(AvahiSServiceResolver *r,

620

AvahiIfIndex interface,

621

AVAHI_GCC_UNUSED AvahiProtocol protocol,

622

AvahiResolverEvent event,

623

const char *name,

624

const char *type,

625

const char *domain,

626

const char *host_name,

627

const AvahiAddress *address,

628

uint16_t port,

629

AVAHI_GCC_UNUSED AvahiStringList *txt,

630

AVAHI_GCC_UNUSED AvahiLookupResultFlags

631

flags,

632

void* userdata) {

633

mandos_context *mc = userdata;

533

static AvahiSimplePoll *simple_poll = NULL;

534

static AvahiServer *server = NULL;

535

536

static void resolve_callback(

537

AvahiSServiceResolver *r,

538

AvahiIfIndex interface,

539

AVAHI_GCC_UNUSED AvahiProtocol protocol,

540

AvahiResolverEvent event,

541

const char *name,

542

const char *type,

543

const char *domain,

544

const char *host_name,

545

const AvahiAddress *address,

546

uint16_t port,

547

AVAHI_GCC_UNUSED AvahiStringList *txt,

548

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

549

AVAHI_GCC_UNUSED void* userdata) {

550

634

551

assert(r); /* Spurious warning */

635

552

636

553

/* Called whenever a service has been resolved successfully or

639

556

switch (event) {

640

557

default:

641

558

case AVAHI_RESOLVER_FAILURE:

642

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

643

" of type '%s' in domain '%s': %s\n", name, type, domain,

644

avahi_strerror(avahi_server_errno(mc->server)));

559

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

560

" type '%s' in domain '%s': %s\n", name, type, domain,

561

avahi_strerror(avahi_server_errno(server)));

645

562

break;

646

563

647

564

case AVAHI_RESOLVER_FOUND:

649

566

char ip[AVAHI_ADDRESS_STR_MAX];

650

567

avahi_address_snprint(ip, sizeof(ip), address);

651

568

if(debug){

652

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

653

" port %d\n", name, host_name, ip, interface, port);

569

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

570

" port %d\n", name, host_name, ip, port);

654

571

}

655

int ret = start_mandos_communication(ip, port, interface, mc);

572

int ret = start_mandos_communication(ip, port, interface);

656

573

if (ret == 0){

657

574

exit(EXIT_SUCCESS);

658

575

}

661

578

avahi_s_service_resolver_free(r);

662

579

}

663

580

664

static void browse_callback( AvahiSServiceBrowser *b,

665

AvahiIfIndex interface,

666

AvahiProtocol protocol,

667

AvahiBrowserEvent event,

668

const char *name,

669

const char *type,

670

const char *domain,

671

AVAHI_GCC_UNUSED AvahiLookupResultFlags

672

flags,

673

void* userdata) {

674

mandos_context *mc = userdata;

675

assert(b); /* Spurious warning */

676

677

/* Called whenever a new services becomes available on the LAN or

678

is removed from the LAN */

679

680

switch (event) {

681

default:

682

case AVAHI_BROWSER_FAILURE:

683

684

fprintf(stderr, "(Avahi browser) %s\n",

685

avahi_strerror(avahi_server_errno(mc->server)));

686

avahi_simple_poll_quit(mc->simple_poll);

687

return;

688

689

case AVAHI_BROWSER_NEW:

690

/* We ignore the returned Avahi resolver object. In the callback

691

function we free it. If the Avahi server is terminated before

692

the callback function is called the Avahi server will free the

693

resolver for us. */

694

695

if (!(avahi_s_service_resolver_new(mc->server, interface,

696

protocol, name, type, domain,

697

AVAHI_PROTO_INET6, 0,

698

resolve_callback, mc)))

699

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

700

name, avahi_strerror(avahi_server_errno(mc->server)));

701

break;

702

703

case AVAHI_BROWSER_REMOVE:

704

break;

705

706

case AVAHI_BROWSER_ALL_FOR_NOW:

707

case AVAHI_BROWSER_CACHE_EXHAUSTED:

708

if(debug){

709

fprintf(stderr, "No Mandos server found, still searching...\n");

581

static void browse_callback(

582

AvahiSServiceBrowser *b,

583

AvahiIfIndex interface,

584

AvahiProtocol protocol,

585

AvahiBrowserEvent event,

586

const char *name,

587

const char *type,

588

const char *domain,

589

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

590

void* userdata) {

591

592

AvahiServer *s = userdata;

593

assert(b); /* Spurious warning */

594

595

/* Called whenever a new services becomes available on the LAN or

596

is removed from the LAN */

597

598

switch (event) {

599

default:

600

case AVAHI_BROWSER_FAILURE:

601

602

fprintf(stderr, "(Browser) %s\n",

603

avahi_strerror(avahi_server_errno(server)));

604

avahi_simple_poll_quit(simple_poll);

605

return;

606

607

case AVAHI_BROWSER_NEW:

608

/* We ignore the returned resolver object. In the callback

609

function we free it. If the server is terminated before

610

the callback function is called the server will free

611

the resolver for us. */

612

613

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

614

type, domain,

615

AVAHI_PROTO_INET6, 0,

616

resolve_callback, s)))

617

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

618

avahi_strerror(avahi_server_errno(s)));

619

break;

620

621

case AVAHI_BROWSER_REMOVE:

622

break;

623

624

case AVAHI_BROWSER_ALL_FOR_NOW:

625

case AVAHI_BROWSER_CACHE_EXHAUSTED:

626

break;

710

627

}

711

break;

712

}

713

628

}

714

629

715

/* Combines file name and path and returns the malloced new

716

string. some sane checks could/should be added */

717

static const char *combinepath(const char *first, const char *second){

718

size_t f_len = strlen(first);

719

size_t s_len = strlen(second);

720

char *tmp = malloc(f_len + s_len + 2);

630

/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */

631

const char *combinepath(const char *first, const char *second){

632

char *tmp;

633

tmp = malloc(strlen(first) + strlen(second) + 2);

721

634

if (tmp == NULL){

635

perror("malloc");

722

636

return NULL;

723

637

}

724

if(f_len > 0){

725

memcpy(tmp, first, f_len); /* Spurious warning */

726

}

727

tmp[f_len] = '/';

728

if(s_len > 0){

729

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

730

}

731

tmp[f_len + 1 + s_len] = '\0';

638

strcpy(tmp, first);

639

if (first[0] != '\0' and first[strlen(first) - 1] != '/'){

640

strcat(tmp, "/");

641

}

642

strcat(tmp, second);

732

643

return tmp;

733

644

}

734

645

735

646

736

int main(int argc, char *argv[]){

647

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

648

AvahiServerConfig config;

737

649

AvahiSServiceBrowser *sb = NULL;

738

650

int error;

739

651

int ret;

740

int exitcode = EXIT_SUCCESS;

741

const char *interface = "eth0";

742

struct ifreq network;

743

int sd;

744

uid_t uid;

745

gid_t gid;

652

int returncode = EXIT_SUCCESS;

653

const char *interface = NULL;

654

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

746

655

char *connect_to = NULL;

747

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

748

const char *pubkeyfile = "pubkey.txt";

749

const char *seckeyfile = "seckey.txt";

750

mandos_context mc = { .simple_poll = NULL, .server = NULL,

751

.dh_bits = 1024, .priority = "SECURE256"};

752

bool gnutls_initalized = false;

753

754

{

755

struct argp_option options[] = {

756

{ .name = "debug", .key = 128,

757

.doc = "Debug mode", .group = 3 },

758

{ .name = "connect", .key = 'c',

759

.arg = "IP",

760

.doc = "Connect directly to a sepcified mandos server",

761

.group = 1 },

762

{ .name = "interface", .key = 'i',

763

.arg = "INTERFACE",

764

.doc = "Interface that Avahi will conntect through",

765

.group = 1 },

766

{ .name = "keydir", .key = 'd',

767

.arg = "KEYDIR",

768

.doc = "Directory where the openpgp keyring is",

769

.group = 1 },

770

{ .name = "seckey", .key = 's',

771

.arg = "SECKEY",

772

.doc = "Secret openpgp key for gnutls authentication",

773

.group = 1 },

774

{ .name = "pubkey", .key = 'p',

775

.arg = "PUBKEY",

776

.doc = "Public openpgp key for gnutls authentication",

777

.group = 2 },

778

{ .name = "dh-bits", .key = 129,

779

.arg = "BITS",

780

.doc = "dh-bits to use in gnutls communication",

781

.group = 2 },

782

{ .name = "priority", .key = 130,

783

.arg = "PRIORITY",

784

.doc = "GNUTLS priority", .group = 1 },

785

{ .name = NULL }

786

};

787

788

789

error_t parse_opt (int key, char *arg,

790

struct argp_state *state) {

791

/* Get the INPUT argument from `argp_parse', which we know is

792

a pointer to our plugin list pointer. */

793

switch (key) {

794

case 128:

795

debug = true;

796

break;

797

case 'c':

798

connect_to = arg;

799

break;

800

case 'i':

801

interface = arg;

802

break;

803

case 'd':

804

keydir = arg;

805

break;

806

case 's':

807

seckeyfile = arg;

808

break;

809

case 'p':

810

pubkeyfile = arg;

811

break;

812

case 129:

813

errno = 0;

814

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

815

if (errno){

816

perror("strtol");

817

exit(EXIT_FAILURE);

818

}

819

break;

820

case 130:

821

mc.priority = arg;

822

break;

823

case ARGP_KEY_ARG:

824

argp_usage (state);

825

break;

826

case ARGP_KEY_END:

827

break;

828

default:

829

return ARGP_ERR_UNKNOWN;

830

}

831

return 0;

832

}

833

834

struct argp argp = { .options = options, .parser = parse_opt,

835

.args_doc = "",

836

.doc = "Mandos client -- Get and decrypt"

837

" passwords from mandos server" };

838

argp_parse (&argp, argc, argv, 0, 0, NULL);

839

}

840

841

pubkeyfile = combinepath(keydir, pubkeyfile);

842

if (pubkeyfile == NULL){

843

perror("combinepath");

844

exitcode = EXIT_FAILURE;

845

goto end;

846

}

847

848

seckeyfile = combinepath(keydir, seckeyfile);

849

if (seckeyfile == NULL){

850

perror("combinepath");

851

goto end;

852

}

853

854

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

855

if (ret == -1){

856

fprintf(stderr, "init_gnutls_global\n");

857

goto end;

858

} else {

859

gnutls_initalized = true;

860

}

861

862

uid = getuid();

863

gid = getgid();

864

865

ret = setuid(uid);

866

if (ret == -1){

867

perror("setuid");

868

}

869

870

setgid(gid);

871

if (ret == -1){

872

perror("setgid");

873

}

874

875

if_index = (AvahiIfIndex) if_nametoindex(interface);

876

if(if_index == 0){

877

fprintf(stderr, "No such interface: \"%s\"\n", interface);

878

exit(EXIT_FAILURE);

656

657

while (true){

658

static struct option long_options[] = {

659

{"debug", no_argument, (int *)&debug, 1},

660

{"connect", required_argument, 0, 'C'},

661

{"interface", required_argument, 0, 'i'},

662

{"certdir", required_argument, 0, 'd'},

663

{"certkey", required_argument, 0, 'c'},

664

{"certfile", required_argument, 0, 'k'},

665

{0, 0, 0, 0} };

666

667

int option_index = 0;

668

ret = getopt_long (argc, argv, "i:", long_options,

669

&option_index);

670

671

if (ret == -1){

672

break;

673

}

674

675

switch(ret){

676

case 0:

677

break;

678

case 'i':

679

interface = optarg;

680

break;

681

case 'C':

682

connect_to = optarg;

683

break;

684

case 'd':

685

certdir = optarg;

686

break;

687

case 'c':

688

certfile = optarg;

689

break;

690

case 'k':

691

certkey = optarg;

692

break;

693

default:

694

exit(EXIT_FAILURE);

695

}

696

}

697

698

certfile = combinepath(certdir, certfile);

699

if (certfile == NULL){

700

goto exit;

701

}

702

703

if(interface != NULL){

704

if_index = (AvahiIfIndex) if_nametoindex(interface);

705

if(if_index == 0){

706

fprintf(stderr, "No such interface: \"%s\"\n", interface);

707

exit(EXIT_FAILURE);

708

}

879

709

}

880

710

881

711

if(connect_to != NULL){

884

714

char *address = strrchr(connect_to, ':');

885

715

if(address == NULL){

886

716

fprintf(stderr, "No colon in address\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

717

exit(EXIT_FAILURE);

889

718

}

890

719

errno = 0;

891

720

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

892

721

if(errno){

893

722

perror("Bad port number");

894

exitcode = EXIT_FAILURE;

895

goto end;

723

exit(EXIT_FAILURE);

896

724

}

897

725

*address = '\0';

898

726

address = connect_to;

899

ret = start_mandos_communication(address, port, if_index, &mc);

727

ret = start_mandos_communication(address, port, if_index);

900

728

if(ret < 0){

901

exitcode = EXIT_FAILURE;

729

exit(EXIT_FAILURE);

902

730

} else {

903

exitcode = EXIT_SUCCESS;

731

exit(EXIT_SUCCESS);

904

732

}

905

goto end;

906

733

}

907

734

908

/* If the interface is down, bring it up */

909

{

910

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

911

if(sd < 0) {

912

perror("socket");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

strcpy(network.ifr_name, interface); /* Spurious warning */

917

ret = ioctl(sd, SIOCGIFFLAGS, &network);

918

if(ret == -1){

919

perror("ioctl SIOCGIFFLAGS");

920

exitcode = EXIT_FAILURE;

921

goto end;

922

}

923

if((network.ifr_flags & IFF_UP) == 0){

924

network.ifr_flags |= IFF_UP;

925

ret = ioctl(sd, SIOCSIFFLAGS, &network);

926

if(ret == -1){

927

perror("ioctl SIOCSIFFLAGS");

928

exitcode = EXIT_FAILURE;

929

goto end;

930

}

931

}

932

close(sd);

735

certkey = combinepath(certdir, certkey);

736

if (certkey == NULL){

737

goto exit;

933

738

}

934

739

935

740

if (not debug){

936

741

avahi_set_log_function(empty_log);

937

742

}

938

743

939

/* Initialize the pseudo-RNG for Avahi */

744

/* Initialize the psuedo-RNG */

940

745

srand((unsigned int) time(NULL));

941

942

/* Allocate main Avahi loop object */

943

mc.simple_poll = avahi_simple_poll_new();

944

if (mc.simple_poll == NULL) {

945

fprintf(stderr, "Avahi: Failed to create simple poll"

946

" object.\n");

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

{

952

AvahiServerConfig config;

953

/* Do not publish any local Zeroconf records */

954

avahi_server_config_init(&config);

955

config.publish_hinfo = 0;

956

config.publish_addresses = 0;

957

config.publish_workstation = 0;

958

config.publish_domain = 0;

959

960

/* Allocate a new server */

961

mc.server = avahi_server_new(avahi_simple_poll_get

962

(mc.simple_poll), &config, NULL,

963

NULL, &error);

964

965

/* Free the Avahi configuration data */

966

avahi_server_config_free(&config);

967

}

968

969

/* Check if creating the Avahi server object succeeded */

970

if (mc.server == NULL) {

971

fprintf(stderr, "Failed to create Avahi server: %s\n",

746

747

/* Allocate main loop object */

748

if (!(simple_poll = avahi_simple_poll_new())) {

749

fprintf(stderr, "Failed to create simple poll object.\n");

750

751

goto exit;

752

}

753

754

/* Do not publish any local records */

755

avahi_server_config_init(&config);

756

config.publish_hinfo = 0;

757

config.publish_addresses = 0;

758

config.publish_workstation = 0;

759

config.publish_domain = 0;

760

761

/* Allocate a new server */

762

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

763

&config, NULL, NULL, &error);

764

765

/* Free the configuration data */

766

avahi_server_config_free(&config);

767

768

/* Check if creating the server object succeeded */

769

if (!server) {

770

fprintf(stderr, "Failed to create server: %s\n",

972

771

avahi_strerror(error));

973

exitcode = EXIT_FAILURE;

974

goto end;

772

returncode = EXIT_FAILURE;

773

goto exit;

975

774

}

976

775

977

/* Create the Avahi service browser */

978

sb = avahi_s_service_browser_new(mc.server, if_index,

776

/* Create the service browser */

777

sb = avahi_s_service_browser_new(server, if_index,

979

778

AVAHI_PROTO_INET6,

980

779

"_mandos._tcp", NULL, 0,

981

browse_callback, &mc);

982

if (sb == NULL) {

780

browse_callback, server);

781

if (!sb) {

983

782

fprintf(stderr, "Failed to create service browser: %s\n",

984

avahi_strerror(avahi_server_errno(mc.server)));

985

exitcode = EXIT_FAILURE;

986

goto end;

783

avahi_strerror(avahi_server_errno(server)));

784

returncode = EXIT_FAILURE;

785

goto exit;

987

786

}

988

787

989

788

/* Run the main loop */

990

789

991

790

if (debug){

992

fprintf(stderr, "Starting Avahi loop search\n");

791

fprintf(stderr, "Starting avahi loop search\n");

993

792

}

994

793

995

avahi_simple_poll_loop(mc.simple_poll);

794

avahi_simple_poll_loop(simple_poll);

996

795

997

end:

796

exit:

998

797

999

798

if (debug){

1000

799

fprintf(stderr, "%s exiting\n", argv[0]);

1001

800

}

1002

801

1003

802

/* Cleanup things */

1004

if (sb != NULL)

803

if (sb)

1005

804

avahi_s_service_browser_free(sb);

1006

805

1007

if (mc.server != NULL)

1008

avahi_server_free(mc.server);

1009

1010

if (mc.simple_poll != NULL)

1011

avahi_simple_poll_free(mc.simple_poll);

1012

free(pubkeyfile);

1013

free(seckeyfile);

1014

1015

if (gnutls_initalized){

1016

gnutls_certificate_free_credentials (mc.cred);

1017

gnutls_global_deinit ();

1018

}

806

if (server)

807

avahi_server_free(server);

808

809

if (simple_poll)

810

avahi_simple_poll_free(simple_poll);

811

free(certfile);

812

free(certkey);

1019

813

1020

return exitcode;

814

return returncode;

1021

815

}

Older »