33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
81
/* All Avahi types, constants and functions
39
#include <net/if.h> /* if_nametoindex */
84
41
#include <avahi-core/core.h>
85
42
#include <avahi-core/lookup.h>
86
43
#include <avahi-core/log.h>
88
45
#include <avahi-common/malloc.h>
89
46
#include <avahi-common/error.h>
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
95
init_gnutls_session(),
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
102
#include <gpgme.h> /* All GPGME types, constants and
105
GPGME_PROTOCOL_OpenPGP,
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
63
#include <errno.h> /* perror() */
108
69
#define BUFFER_SIZE 256
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
114
76
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
119
/* Used for passing in values through the Avahi callback functions */
121
AvahiSimplePoll *simple_poll;
79
gnutls_session_t session;
123
80
gnutls_certificate_credentials_t cred;
124
unsigned int dh_bits;
125
81
gnutls_dh_params_t dh_params;
126
const char *priority;
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
87
gpgme_data_t dh_crypto, dh_plain;
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
142
buffer_capacity += BUFFER_SIZE;
144
return buffer_capacity;
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
154
93
gpgme_engine_info_t engine_info;
158
* Helper function to insert pub and seckey to the engine keyring.
160
bool import_key(const char *filename){
162
gpgme_data_t pgp_data;
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
188
gpgme_data_release(pgp_data);
193
fprintf(stderr, "Initialize gpgme\n");
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
197
100
gpgme_check_version(NULL);
198
101
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
199
if(rc != GPG_ERR_NO_ERROR){
102
if (rc != GPG_ERR_NO_ERROR){
200
103
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
201
104
gpgme_strsource(rc), gpgme_strerror(rc));
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
108
/* Set GPGME home directory */
109
rc = gpgme_get_engine_info (&engine_info);
110
if (rc != GPG_ERR_NO_ERROR){
208
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
209
112
gpgme_strsource(rc), gpgme_strerror(rc));
212
115
while(engine_info != NULL){
213
116
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
214
117
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
215
engine_info->file_name, tempdir);
118
engine_info->file_name, homedir);
218
121
engine_info = engine_info->next;
220
123
if(engine_info == NULL){
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
233
if(not import_key(pubkey) or not import_key(seckey)){
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
248
gpgme_data_t dh_crypto, dh_plain;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
258
/* Create new GPGME data buffer from memory cryptotext */
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
261
if(rc != GPG_ERR_NO_ERROR){
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
130
if (rc != GPG_ERR_NO_ERROR){
262
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
263
132
gpgme_strsource(rc), gpgme_strerror(rc));
267
136
/* Create new empty GPGME data buffer for the plaintext */
268
137
rc = gpgme_data_new(&dh_plain);
269
if(rc != GPG_ERR_NO_ERROR){
138
if (rc != GPG_ERR_NO_ERROR){
270
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
271
140
gpgme_strsource(rc), gpgme_strerror(rc));
272
gpgme_data_release(dh_crypto);
276
/* Decrypt data from the cryptotext data buffer to the plaintext
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
144
/* Create new GPGME "context" */
145
rc = gpgme_new(&ctx);
146
if (rc != GPG_ERR_NO_ERROR){
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
148
gpgme_strsource(rc), gpgme_strerror(rc));
152
/* Decrypt data from the FILE pointer to the plaintext data
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
155
if (rc != GPG_ERR_NO_ERROR){
280
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
281
157
gpgme_strsource(rc), gpgme_strerror(rc));
282
plaintext_length = -1;
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
306
recipient = recipient->next;
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
gpgme_decrypt_result_t result;
167
result = gpgme_op_decrypt_result(ctx);
169
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
fprintf(stderr, "Unsupported algorithm: %s\n",
172
result->unsupported_algorithm);
173
fprintf(stderr, "Wrong key usage: %d\n",
174
result->wrong_key_usage);
175
if(result->file_name != NULL){
176
fprintf(stderr, "File name: %s\n", result->file_name);
178
gpgme_recipient_t recipient;
179
recipient = result->recipients;
181
while(recipient != NULL){
182
fprintf(stderr, "Public key algorithm: %s\n",
183
gpgme_pubkey_algo_name(recipient->pubkey_algo));
184
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
185
fprintf(stderr, "Secret key available: %s\n",
186
recipient->status == GPG_ERR_NO_SECKEY
188
recipient = recipient->next;
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
318
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
321
plaintext_length = -1;
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
199
perror("pgpme_data_seek");
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
332
plaintext_length = -1;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
208
if (*new_packet == NULL){
212
new_packet_capacity += BUFFER_SIZE;
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
338
217
/* Print the data, if any */
344
222
perror("gpgme_data_read");
345
plaintext_length = -1;
348
plaintext_length += ret;
352
fprintf(stderr, "Decrypted password is: ");
353
for(ssize_t i = 0; i < plaintext_length; i++){
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
356
fprintf(stderr, "\n");
361
/* Delete the GPGME cryptotext data buffer */
362
gpgme_data_release(dh_crypto);
225
new_packet_length += ret;
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
364
236
/* Delete the GPGME plaintext data buffer */
365
237
gpgme_data_release(dh_plain);
366
return plaintext_length;
238
return new_packet_length;
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
241
static const char * safer_gnutls_strerror (int value) {
242
const char *ret = gnutls_strerror (value);
373
244
ret = "(unknown)";
377
/* GnuTLS log function callback */
378
static void debuggnutls(__attribute__((unused)) int level,
380
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
250
fprintf(stderr, "%s", string);
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
253
int initgnutls(encrypted_session *es){
389
258
fprintf(stderr, "Initializing GnuTLS\n");
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
261
if ((ret = gnutls_global_init ())
262
!= GNUTLS_E_SUCCESS) {
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
400
/* "Use a log level over 10 to enable all debugging options."
403
268
gnutls_global_set_log_level(11);
404
269
gnutls_global_set_log_function(debuggnutls);
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
425
286
ret = gnutls_certificate_set_openpgp_key_file
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
288
if (ret != GNUTLS_E_SUCCESS) {
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
294
safer_gnutls_strerror(ret));
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
469
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
470
319
safer_gnutls_strerror(ret));
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
489
334
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
494
338
/* ignore client certificate if any. */
495
gnutls_certificate_server_set_request(*session,
339
gnutls_certificate_server_set_request (es->session,
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
503
/* Avahi log function callback */
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
505
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
507
/* Called when a Mandos server is found */
508
static int start_mandos_communication(const char *ip, uint16_t port,
509
AvahiIfIndex if_index,
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
353
struct sockaddr_in6 to;
354
encrypted_session es;
514
355
char *buffer = NULL;
515
356
char *decrypted_buffer;
516
357
size_t buffer_length = 0;
517
358
size_t buffer_capacity = 0;
518
359
ssize_t decrypted_buffer_size;
521
362
char interface[IF_NAMESIZE];
522
gnutls_session_t session;
524
ret = init_gnutls_session(mc, &session);
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
534
369
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
542
377
perror("if_indextoname");
545
383
fprintf(stderr, "Binding to interface %s\n", interface);
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
386
memset(&to,0,sizeof(to)); /* Spurious warning */
387
to.sin6_family = AF_INET6;
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
554
390
perror("inet_pton");
558
394
fprintf(stderr, "Bad address: %s\n", ip);
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
563
-Wunreachable-code */
397
to.sin6_port = htons(port); /* Spurious warning */
565
to.in6.sin6_scope_id = (uint32_t)if_index;
399
to.sin6_scope_id = (uint32_t)if_index;
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
570
char addrstr[INET6_ADDRSTRLEN] = "";
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
572
sizeof(addrstr)) == NULL){
575
if(strcmp(addrstr, ip) != 0){
576
fprintf(stderr, "Canonical address form: %s\n", addrstr);
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
581
ret = connect(tcp_sd, &to.in, sizeof(to));
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
583
415
perror("connect");
587
const char *out = mandos_protocol_version;
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
598
written += (size_t)ret;
599
if(written < out_size){
602
if(out == mandos_protocol_version){
419
ret = initgnutls (&es);
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
612
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
621
if(ret != GNUTLS_E_SUCCESS){
432
ret = gnutls_handshake (es.session);
434
if (ret != GNUTLS_E_SUCCESS){
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
436
fprintf(stderr, "\n*** Handshake failed ***\n");
630
/* Read OpenPGP packet that contains the wanted password */
443
//Retrieve OpenPGP packet that contains the wanted password
633
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
buffer_capacity += BUFFER_SIZE;
646
sret = gnutls_record_recv(session, buffer+buffer_length,
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
653
467
case GNUTLS_E_INTERRUPTED:
654
468
case GNUTLS_E_AGAIN:
656
470
case GNUTLS_E_REHANDSHAKE:
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
471
ret = gnutls_handshake (es.session);
473
fprintf(stderr, "\n*** Handshake failed ***\n");
668
480
fprintf(stderr, "Unknown error while reading data from"
669
" encrypted session with Mandos server\n");
481
" encrypted session with mandos server\n");
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
675
buffer_length += (size_t) sret;
487
buffer_length += (size_t) ret;
680
fprintf(stderr, "Closing TLS session\n");
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
491
if (buffer_length > 0){
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
689
if(decrypted_buffer_size >= 0){
496
if (decrypted_buffer_size >= 0){
691
497
while(written < (size_t) decrypted_buffer_size){
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
498
ret = (int)fwrite (decrypted_buffer + written, 1,
499
(size_t)decrypted_buffer_size - written,
695
501
if(ret == 0 and ferror(stdout)){
697
503
fprintf(stderr, "Error writing encrypted data: %s\n",
755
566
char ip[AVAHI_ADDRESS_STR_MAX];
756
567
avahi_address_snprint(ip, sizeof(ip), address);
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
762
int ret = start_mandos_communication(ip, port, interface, mc);
764
avahi_simple_poll_quit(mc->simple_poll);
572
int ret = start_mandos_communication(ip, port, interface);
768
578
avahi_s_service_resolver_free(r);
771
static void browse_callback( AvahiSServiceBrowser *b,
772
AvahiIfIndex interface,
773
AvahiProtocol protocol,
774
AvahiBrowserEvent event,
778
AVAHI_GCC_UNUSED AvahiLookupResultFlags
781
mandos_context *mc = userdata;
784
/* Called whenever a new services becomes available on the LAN or
785
is removed from the LAN */
789
case AVAHI_BROWSER_FAILURE:
791
fprintf(stderr, "(Avahi browser) %s\n",
792
avahi_strerror(avahi_server_errno(mc->server)));
793
avahi_simple_poll_quit(mc->simple_poll);
796
case AVAHI_BROWSER_NEW:
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
803
protocol, name, type, domain,
804
AVAHI_PROTO_INET6, 0,
805
resolve_callback, mc)))
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
810
case AVAHI_BROWSER_REMOVE:
813
case AVAHI_BROWSER_ALL_FOR_NOW:
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
816
fprintf(stderr, "No Mandos server found, still searching...\n");
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
600
case AVAHI_BROWSER_FAILURE:
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
621
case AVAHI_BROWSER_REMOVE:
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
822
int main(int argc, char *argv[]){
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
633
tmp = malloc(strlen(first) + strlen(second) + 2);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
648
AvahiServerConfig config;
823
649
AvahiSServiceBrowser *sb = NULL;
828
int exitcode = EXIT_SUCCESS;
829
const char *interface = "eth0";
830
struct ifreq network;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
834
655
char *connect_to = NULL;
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
856
{ .name = "interface", .key = 'i',
858
.doc = "Interface that will be used to search for Mandos"
861
{ .name = "seckey", .key = 's',
863
.doc = "OpenPGP secret key file base name",
865
{ .name = "pubkey", .key = 'p',
867
.doc = "OpenPGP public key file base name",
869
{ .name = "dh-bits", .key = 129,
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
874
{ .name = "priority", .key = 130,
876
.doc = "GnuTLS priority string for the TLS handshake",
878
{ .name = "delay", .key = 131,
880
.doc = "Maximum delay to wait for interface startup",
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
888
case 128: /* --debug */
891
case 'c': /* --connect */
894
case 'i': /* --interface */
897
case 's': /* --seckey */
900
case 'p': /* --pubkey */
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
912
case 130: /* --priority */
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
927
return ARGP_ERR_UNKNOWN;
932
struct argp argp = { .options = options, .parser = parse_opt,
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
944
/* If the interface is down, bring it up */
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
971
exitcode = EXIT_FAILURE;
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1028
gnutls_initialized = true;
1031
if(mkdtemp(tempdir) == NULL){
1035
tempdir_created = true;
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1042
gpgme_initialized = true;
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1048
exitcode = EXIT_FAILURE;
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1052
711
if(connect_to != NULL){
1055
714
char *address = strrchr(connect_to, ':');
1056
715
if(address == NULL){
1057
716
fprintf(stderr, "No colon in address\n");
1058
exitcode = EXIT_FAILURE;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1069
port = (uint16_t)tmpmax;
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
perror("Bad port number");
1070
725
*address = '\0';
1071
726
address = connect_to;
1072
ret = start_mandos_communication(address, port, if_index, &mc);
727
ret = start_mandos_communication(address, port, if_index);
1074
exitcode = EXIT_FAILURE;
1076
exitcode = EXIT_SUCCESS;
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
1082
741
avahi_set_log_function(empty_log);
1085
/* Initialize the pseudo-RNG for Avahi */
744
/* Initialize the psuedo-RNG */
1086
745
srand((unsigned int) time(NULL));
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1093
exitcode = EXIT_FAILURE;
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
754
/* Do not publish any local records */
755
avahi_server_config_init(&config);
756
config.publish_hinfo = 0;
757
config.publish_addresses = 0;
758
config.publish_workstation = 0;
759
config.publish_domain = 0;
761
/* Allocate a new server */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
765
/* Free the configuration data */
766
avahi_server_config_free(&config);
768
/* Check if creating the server object succeeded */
770
fprintf(stderr, "Failed to create server: %s\n",
1118
771
avahi_strerror(error));
1119
exitcode = EXIT_FAILURE;
772
returncode = EXIT_FAILURE;
1123
/* Create the Avahi service browser */
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
1125
778
AVAHI_PROTO_INET6,
1126
779
"_mandos._tcp", NULL, 0,
1127
browse_callback, &mc);
780
browse_callback, server);
1129
782
fprintf(stderr, "Failed to create service browser: %s\n",
1130
avahi_strerror(avahi_server_errno(mc.server)));
1131
exitcode = EXIT_FAILURE;
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
1135
788
/* Run the main loop */
1138
fprintf(stderr, "Starting Avahi loop search\n");
791
fprintf(stderr, "Starting avahi loop search\n");
794
avahi_simple_poll_loop(simple_poll);
1141
avahi_simple_poll_loop(mc.simple_poll);
1146
799
fprintf(stderr, "%s exiting\n", argv[0]);
1149
802
/* Cleanup things */
1151
804
avahi_s_service_browser_free(sb);
1153
if(mc.server != NULL)
1154
avahi_server_free(mc.server);
1156
if(mc.simple_poll != NULL)
1157
avahi_simple_poll_free(mc.simple_poll);
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1175
if(errno != ENOENT){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1198
ret = remove(fullname);
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
807
avahi_server_free(server);
810
avahi_simple_poll_free(simple_poll);