To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 38
- compare with another revision
- download diff
- download tarball
- view history from revision 38
- Committer: Teddy Hogeborn
- Date: 2008-08-03 01:09:36 UTC
- mfrom: (24.1.9 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080803010936-ujme8tgxceszfbi1
* plugbasedclient.c (main): New "--userid" and "--groupid" options.
Take an additional non-option argument and
parse it as a plus-separated and -prefixed
list of additional options.
* plugins.d/mandosclient.c (DH_BITS): Replaced with
"mandos_context.dh_bits". All
users changed.
(certdir): Renamed to "keydir". All users changed.
(certfile): Renamed to "pubkeyfile". All users changed.
(certkey): Renamed to "seckeyfile". All users changed.
(encrypted_session): Replaced with "mandos_context". All users
changed.
(initgnutls): Take additional "session" and "dh_params" arguments.
All callers changed.
(start_mandos_communication): Take additional "mc" argument. All
callers changed. Print target IPv6
address if different than supplied
string.
(simple_poll) Replaced with "mandos_context.simple_poll". All users
changed.
(server): Replaced with "mandos_context.server". All users changed.
(main): Default interface to "eth0". Rename "--certdir" to
"--keydir", "--certkey" to "--seckey", and "--certfile" to
"--pubkey". New options "--dh-bits" and "--priority". If
the interface is not up, bring it up.
Take an additional non-option argument and
parse it as a plus-separated and -prefixed
list of additional options.
* plugins.d/mandosclient.c (DH_BITS): Replaced with
"mandos_context.dh_bits". All
users changed.
(certdir): Renamed to "keydir". All users changed.
(certfile): Renamed to "pubkeyfile". All users changed.
(certkey): Renamed to "seckeyfile". All users changed.
(encrypted_session): Replaced with "mandos_context". All users
changed.
(initgnutls): Take additional "session" and "dh_params" arguments.
All callers changed.
(start_mandos_communication): Take additional "mc" argument. All
callers changed. Print target IPv6
address if different than supplied
string.
(simple_poll) Replaced with "mandos_context.simple_poll". All users
changed.
(server): Replaced with "mandos_context.server". All users changed.
(main): Default interface to "eth0". Rename "--certdir" to
"--keydir", "--certkey" to "--seckey", and "--certfile" to
"--pubkey". New options "--dh-bits" and "--priority". If
the interface is not up, bring it up.
- files added:
- ca.pem
- files removed:
- mandos-client.xml
- files renamed:
- mandos-client.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
struct in6_addr, inet_pton(),
55
connect() */
56
#include <assert.h> /* assert() */
57
#include <errno.h> /* perror(), errno */
58
#include <time.h> /* time() */
59
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
60
SIOCSIFFLAGS, if_indextoname(),
61
if_nametoindex(), IF_NAMESIZE */
62
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
63
getuid(), getgid(), setuid(),
64
setgid() */
65
#include <netinet/in.h>
66
#include <arpa/inet.h> /* inet_pton(), htons */
67
#include <iso646.h> /* not, and */
68
#include <argp.h> /* struct argp_option, error_t, struct
69
argp_state, struct argp,
70
argp_parse(), ARGP_KEY_ARG,
71
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
72
73
/* Avahi */
74
/* All Avahi types, constants and functions
75
Avahi*, avahi_*,
76
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
77
43
#include <avahi-core/core.h>
78
44
#include <avahi-core/lookup.h>
79
45
#include <avahi-core/log.h>
81
47
#include <avahi-common/malloc.h>
82
48
#include <avahi-common/error.h>
83
49
84
/* GnuTLS */
85
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
86
gnutls_*
87
init_gnutls_session(),
88
GNUTLS_* */
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
90
GNUTLS_OPENPGP_FMT_BASE64 */
91
92
/* GPGME */
93
#include <gpgme.h> /* All GPGME types, constants and functions
94
gpgme_*
95
GPGME_PROTOCOL_OpenPGP,
96
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt_long
69
#include <getopt.h>
97
70
98
71
#define BUFFER_SIZE 256
99
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
76
100
77
bool debug = false;
101
static const char *keydir = "/conf/conf.d/mandos";
102
static const char mandos_protocol_version[] = "1";
103
const char *argp_program_version = "mandosclient 1.0";
104
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
105
78
106
/* Used for passing in values through the Avahi callback functions */
79
/* Used for passing in values through all the callback functions */
107
80
typedef struct {
108
81
AvahiSimplePoll *simple_poll;
109
82
AvahiServer *server;
110
83
gnutls_certificate_credentials_t cred;
111
84
unsigned int dh_bits;
112
gnutls_dh_params_t dh_params;
113
85
const char *priority;
114
86
} mandos_context;
115
87
116
/*
117
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
118
* "buffer_capacity" is how much is currently allocated,
119
* "buffer_length" is how much is already used.
120
*/
121
size_t adjustbuffer(char **buffer, size_t buffer_length,
122
size_t buffer_capacity){
123
if (buffer_length + BUFFER_SIZE > buffer_capacity){
124
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
125
if (buffer == NULL){
126
return 0;
127
}
128
buffer_capacity += BUFFER_SIZE;
129
}
130
return buffer_capacity;
131
}
132
133
/*
134
* Decrypt OpenPGP data using keyrings in HOMEDIR.
135
* Returns -1 on error
136
*/
137
static ssize_t pgp_packet_decrypt (const char *cryptotext,
138
size_t crypto_size,
139
char **plaintext,
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
140
90
const char *homedir){
141
91
gpgme_data_t dh_crypto, dh_plain;
142
92
gpgme_ctx_t ctx;
143
93
gpgme_error_t rc;
144
94
ssize_t ret;
145
size_t plaintext_capacity = 0;
146
ssize_t plaintext_length = 0;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
147
97
gpgme_engine_info_t engine_info;
148
98
149
99
if (debug){
150
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
151
101
}
152
102
153
103
/* Init GPGME */
159
109
return -1;
160
110
}
161
111
162
/* Set GPGME home directory for the OpenPGP engine only */
112
/* Set GPGME home directory */
163
113
rc = gpgme_get_engine_info (&engine_info);
164
114
if (rc != GPG_ERR_NO_ERROR){
165
115
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
175
125
engine_info = engine_info->next;
176
126
}
177
127
if(engine_info == NULL){
178
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
179
129
return -1;
180
130
}
181
131
182
/* Create new GPGME data buffer from memory cryptotext */
183
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
184
0);
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
185
134
if (rc != GPG_ERR_NO_ERROR){
186
135
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
187
136
gpgme_strsource(rc), gpgme_strerror(rc));
193
142
if (rc != GPG_ERR_NO_ERROR){
194
143
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
195
144
gpgme_strsource(rc), gpgme_strerror(rc));
196
gpgme_data_release(dh_crypto);
197
145
return -1;
198
146
}
199
147
202
150
if (rc != GPG_ERR_NO_ERROR){
203
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
204
152
gpgme_strsource(rc), gpgme_strerror(rc));
205
plaintext_length = -1;
206
goto decrypt_end;
153
return -1;
207
154
}
208
155
209
/* Decrypt data from the cryptotext data buffer to the plaintext
210
data buffer */
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
211
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
212
159
if (rc != GPG_ERR_NO_ERROR){
213
160
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
214
161
gpgme_strsource(rc), gpgme_strerror(rc));
215
plaintext_length = -1;
216
goto decrypt_end;
162
return -1;
217
163
}
218
164
219
165
if(debug){
220
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
221
167
}
222
168
223
169
if (debug){
224
170
gpgme_decrypt_result_t result;
225
171
result = gpgme_op_decrypt_result(ctx);
249
195
}
250
196
}
251
197
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
200
252
201
/* Seek back to the beginning of the GPGME plaintext data buffer */
253
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
203
perror("pgpme_data_seek");
255
plaintext_length = -1;
256
goto decrypt_end;
257
204
}
258
205
259
*plaintext = NULL;
206
*new_packet = 0;
260
207
while(true){
261
plaintext_capacity = adjustbuffer(plaintext,
262
(size_t)plaintext_length,
263
plaintext_capacity);
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
266
plaintext_length = -1;
267
goto decrypt_end;
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
268
217
}
269
218
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
271
220
BUFFER_SIZE);
272
221
/* Print the data, if any */
273
222
if (ret == 0){
274
/* EOF */
275
223
break;
276
224
}
277
225
if(ret < 0){
278
226
perror("gpgme_data_read");
279
plaintext_length = -1;
280
goto decrypt_end;
227
return -1;
281
228
}
282
plaintext_length += ret;
229
new_packet_length += ret;
283
230
}
284
231
285
if(debug){
286
fprintf(stderr, "Decrypted password is: ");
287
for(ssize_t i = 0; i < plaintext_length; i++){
288
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
289
}
290
fprintf(stderr, "\n");
291
}
292
293
decrypt_end:
294
295
/* Delete the GPGME cryptotext data buffer */
296
gpgme_data_release(dh_crypto);
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
297
239
298
240
/* Delete the GPGME plaintext data buffer */
299
241
gpgme_data_release(dh_plain);
300
return plaintext_length;
242
return new_packet_length;
301
243
}
302
244
303
245
static const char * safer_gnutls_strerror (int value) {
307
249
return ret;
308
250
}
309
251
310
/* GnuTLS log function callback */
311
252
static void debuggnutls(__attribute__((unused)) int level,
312
253
const char* string){
313
fprintf(stderr, "GnuTLS: %s", string);
254
fprintf(stderr, "%s", string);
314
255
}
315
256
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfile,
318
const char *seckeyfile){
257
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
258
gnutls_dh_params_t *dh_params){
259
const char *err;
319
260
int ret;
320
261
321
262
if(debug){
322
263
fprintf(stderr, "Initializing GnuTLS\n");
323
264
}
324
325
ret = gnutls_global_init();
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
265
266
if ((ret = gnutls_global_init ())
267
!= GNUTLS_E_SUCCESS) {
268
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
329
269
return -1;
330
270
}
331
271
332
272
if (debug){
333
/* "Use a log level over 10 to enable all debugging options."
334
* - GnuTLS manual
335
*/
336
273
gnutls_global_set_log_level(11);
337
274
gnutls_global_set_log_function(debuggnutls);
338
275
}
339
276
340
/* OpenPGP credentials */
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n",
277
/* openpgp credentials */
278
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
279
!= GNUTLS_E_SUCCESS) {
280
fprintf (stderr, "memory error: %s\n",
344
281
safer_gnutls_strerror(ret));
345
gnutls_global_deinit ();
346
282
return -1;
347
283
}
348
284
355
291
ret = gnutls_certificate_set_openpgp_key_file
356
292
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
357
293
if (ret != GNUTLS_E_SUCCESS) {
358
fprintf(stderr,
359
"Error[%d] while reading the OpenPGP key pair ('%s',"
360
" '%s')\n", ret, pubkeyfile, seckeyfile);
361
fprintf(stdout, "The GnuTLS error is: %s\n",
294
fprintf
295
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
296
" '%s')\n",
297
ret, pubkeyfile, seckeyfile);
298
fprintf(stdout, "The Error is: %s\n",
362
299
safer_gnutls_strerror(ret));
363
goto globalfail;
364
}
365
366
/* GnuTLS server initialization */
367
ret = gnutls_dh_params_init(&mc->dh_params);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
370
" %s\n", safer_gnutls_strerror(ret));
371
goto globalfail;
372
}
373
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
374
if (ret != GNUTLS_E_SUCCESS) {
375
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
376
safer_gnutls_strerror(ret));
377
goto globalfail;
378
}
379
380
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
381
382
return 0;
383
384
globalfail:
385
386
gnutls_certificate_free_credentials(mc->cred);
387
gnutls_global_deinit();
388
return -1;
389
390
}
391
392
static int init_gnutls_session(mandos_context *mc,
393
gnutls_session_t *session){
394
int ret;
395
/* GnuTLS session creation */
396
ret = gnutls_init(session, GNUTLS_SERVER);
397
if (ret != GNUTLS_E_SUCCESS){
300
return -1;
301
}
302
303
//GnuTLS server initialization
304
if ((ret = gnutls_dh_params_init(dh_params))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in dh parameter initialization: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
312
!= GNUTLS_E_SUCCESS) {
313
fprintf (stderr, "Error in prime generation: %s\n",
314
safer_gnutls_strerror(ret));
315
return -1;
316
}
317
318
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
319
320
// GnuTLS session creation
321
if ((ret = gnutls_init(session, GNUTLS_SERVER))
322
!= GNUTLS_E_SUCCESS){
398
323
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
399
324
safer_gnutls_strerror(ret));
400
325
}
401
326
402
{
403
const char *err;
404
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
405
if (ret != GNUTLS_E_SUCCESS) {
406
fprintf(stderr, "Syntax error at: %s\n", err);
407
fprintf(stderr, "GnuTLS error: %s\n",
408
safer_gnutls_strerror(ret));
409
gnutls_deinit (*session);
410
return -1;
411
}
327
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Syntax error at: %s\n", err);
330
fprintf(stderr, "GnuTLS error: %s\n",
331
safer_gnutls_strerror(ret));
332
return -1;
412
333
}
413
334
414
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
415
mc->cred);
416
if (ret != GNUTLS_E_SUCCESS) {
417
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
336
mc->cred))
337
!= GNUTLS_E_SUCCESS) {
338
fprintf(stderr, "Error setting a credentials set: %s\n",
418
339
safer_gnutls_strerror(ret));
419
gnutls_deinit (*session);
420
340
return -1;
421
341
}
422
342
429
349
return 0;
430
350
}
431
351
432
/* Avahi log function callback */
433
352
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
434
353
__attribute__((unused)) const char *txt){}
435
354
436
/* Called when a Mandos server is found */
437
355
static int start_mandos_communication(const char *ip, uint16_t port,
438
356
AvahiIfIndex if_index,
439
357
mandos_context *mc){
440
358
int ret, tcp_sd;
441
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
359
struct sockaddr_in6 to;
442
360
char *buffer = NULL;
443
361
char *decrypted_buffer;
444
362
size_t buffer_length = 0;
445
363
size_t buffer_capacity = 0;
446
364
ssize_t decrypted_buffer_size;
447
size_t written;
365
size_t written = 0;
448
366
int retval = 0;
449
367
char interface[IF_NAMESIZE];
450
368
gnutls_session_t session;
451
452
ret = init_gnutls_session (mc, &session);
453
if (ret != 0){
454
return -1;
455
}
369
gnutls_dh_params_t dh_params;
456
370
457
371
if(debug){
458
372
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
474
388
}
475
389
476
390
memset(&to,0,sizeof(to)); /* Spurious warning */
477
to.in6.sin6_family = AF_INET6;
478
/* It would be nice to have a way to detect if we were passed an
479
IPv4 address here. Now we assume an IPv6 address. */
480
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
391
to.sin6_family = AF_INET6;
392
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
481
393
if (ret < 0 ){
482
394
perror("inet_pton");
483
395
return -1;
486
398
fprintf(stderr, "Bad address: %s\n", ip);
487
399
return -1;
488
400
}
489
to.in6.sin6_port = htons(port); /* Spurious warning */
401
to.sin6_port = htons(port); /* Spurious warning */
490
402
491
to.in6.sin6_scope_id = (uint32_t)if_index;
403
to.sin6_scope_id = (uint32_t)if_index;
492
404
493
405
if(debug){
494
406
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
495
407
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
408
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
497
409
sizeof(addrstr)) == NULL){
498
410
perror("inet_ntop");
499
411
} else {
503
415
}
504
416
}
505
417
506
ret = connect(tcp_sd, &to.in, sizeof(to));
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
507
419
if (ret < 0){
508
420
perror("connect");
509
421
return -1;
510
422
}
511
512
const char *out = mandos_protocol_version;
513
written = 0;
514
while (true){
515
size_t out_size = strlen(out);
516
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
517
out_size - written));
518
if (ret == -1){
519
perror("write");
520
retval = -1;
521
goto mandos_end;
522
}
523
written += (size_t)ret;
524
if(written < out_size){
525
continue;
526
} else {
527
if (out == mandos_protocol_version){
528
written = 0;
529
out = "\r\n";
530
} else {
531
break;
532
}
533
}
423
424
ret = initgnutls (mc, &session, &dh_params);
425
if (ret != 0){
426
retval = -1;
427
return -1;
534
428
}
535
429
430
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
431
536
432
if(debug){
537
433
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
434
}
539
435
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
436
ret = gnutls_handshake (session);
545
437
546
438
if (ret != GNUTLS_E_SUCCESS){
547
439
if(debug){
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
440
fprintf(stderr, "\n*** Handshake failed ***\n");
549
441
gnutls_perror (ret);
550
442
}
551
443
retval = -1;
552
goto mandos_end;
444
goto exit;
553
445
}
554
446
555
/* Read OpenPGP packet that contains the wanted password */
447
//Retrieve OpenPGP packet that contains the wanted password
556
448
557
449
if(debug){
558
450
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
560
452
}
561
453
562
454
while(true){
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
565
if (buffer_capacity == 0){
566
perror("adjustbuffer");
567
retval = -1;
568
goto mandos_end;
455
if (buffer_length + BUFFER_SIZE > buffer_capacity){
456
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
if (buffer == NULL){
458
perror("realloc");
459
goto exit;
460
}
461
buffer_capacity += BUFFER_SIZE;
569
462
}
570
463
571
464
ret = gnutls_record_recv(session, buffer+buffer_length,
579
472
case GNUTLS_E_AGAIN:
580
473
break;
581
474
case GNUTLS_E_REHANDSHAKE:
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
475
ret = gnutls_handshake (session);
585
476
if (ret < 0){
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
477
fprintf(stderr, "\n*** Handshake failed ***\n");
587
478
gnutls_perror (ret);
588
479
retval = -1;
589
goto mandos_end;
480
goto exit;
590
481
}
591
482
break;
592
483
default:
593
484
fprintf(stderr, "Unknown error while reading data from"
594
" encrypted session with Mandos server\n");
485
" encrypted session with mandos server\n");
595
486
retval = -1;
596
487
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
488
goto exit;
598
489
}
599
490
} else {
600
491
buffer_length += (size_t) ret;
601
492
}
602
493
}
603
494
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
610
495
if (buffer_length > 0){
611
496
decrypted_buffer_size = pgp_packet_decrypt(buffer,
612
497
buffer_length,
613
498
&decrypted_buffer,
614
499
keydir);
615
500
if (decrypted_buffer_size >= 0){
616
written = 0;
617
501
while(written < (size_t) decrypted_buffer_size){
618
502
ret = (int)fwrite (decrypted_buffer + written, 1,
619
503
(size_t)decrypted_buffer_size - written,
633
517
retval = -1;
634
518
}
635
519
}
636
637
/* Shutdown procedure */
638
639
mandos_end:
520
521
//shutdown procedure
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
640
527
free(buffer);
528
gnutls_bye (session, GNUTLS_SHUT_RDWR);
529
exit:
641
530
close(tcp_sd);
642
531
gnutls_deinit (session);
532
gnutls_certificate_free_credentials (mc->cred);
533
gnutls_global_deinit ();
643
534
return retval;
644
535
}
645
536
646
static void resolve_callback(AvahiSServiceResolver *r,
647
AvahiIfIndex interface,
648
AVAHI_GCC_UNUSED AvahiProtocol protocol,
649
AvahiResolverEvent event,
650
const char *name,
651
const char *type,
652
const char *domain,
653
const char *host_name,
654
const AvahiAddress *address,
655
uint16_t port,
656
AVAHI_GCC_UNUSED AvahiStringList *txt,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
537
static void resolve_callback( AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
void* userdata) {
660
550
mandos_context *mc = userdata;
661
551
assert(r); /* Spurious warning */
662
552
666
556
switch (event) {
667
557
default:
668
558
case AVAHI_RESOLVER_FAILURE:
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
671
561
avahi_strerror(avahi_server_errno(mc->server)));
672
562
break;
673
563
676
566
char ip[AVAHI_ADDRESS_STR_MAX];
677
567
avahi_address_snprint(ip, sizeof(ip), address);
678
568
if(debug){
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
680
" port %d\n", name, host_name, ip, interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
681
571
}
682
572
int ret = start_mandos_communication(ip, port, interface, mc);
683
573
if (ret == 0){
695
585
const char *name,
696
586
const char *type,
697
587
const char *domain,
698
AVAHI_GCC_UNUSED AvahiLookupResultFlags
699
flags,
588
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
700
589
void* userdata) {
701
590
mandos_context *mc = userdata;
702
591
assert(b); /* Spurious warning */
708
597
default:
709
598
case AVAHI_BROWSER_FAILURE:
710
599
711
fprintf(stderr, "(Avahi browser) %s\n",
600
fprintf(stderr, "(Browser) %s\n",
712
601
avahi_strerror(avahi_server_errno(mc->server)));
713
602
avahi_simple_poll_quit(mc->simple_poll);
714
603
return;
715
604
716
605
case AVAHI_BROWSER_NEW:
717
/* We ignore the returned Avahi resolver object. In the callback
718
function we free it. If the Avahi server is terminated before
719
the callback function is called the Avahi server will free the
720
resolver for us. */
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
721
610
722
if (!(avahi_s_service_resolver_new(mc->server, interface,
723
protocol, name, type, domain,
611
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
612
type, domain,
724
613
AVAHI_PROTO_INET6, 0,
725
614
resolve_callback, mc)))
726
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
727
name, avahi_strerror(avahi_server_errno(mc->server)));
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(mc->server)));
728
617
break;
729
618
730
619
case AVAHI_BROWSER_REMOVE:
732
621
733
622
case AVAHI_BROWSER_ALL_FOR_NOW:
734
623
case AVAHI_BROWSER_CACHE_EXHAUSTED:
735
if(debug){
736
fprintf(stderr, "No Mandos server found, still searching...\n");
737
}
738
624
break;
739
625
}
740
626
}
760
646
}
761
647
762
648
763
int main(int argc, char *argv[]){
649
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
650
AvahiServerConfig config;
764
651
AvahiSServiceBrowser *sb = NULL;
765
652
int error;
766
653
int ret;
767
int exitcode = EXIT_SUCCESS;
654
int debug_int;
655
int returncode = EXIT_SUCCESS;
768
656
const char *interface = "eth0";
769
657
struct ifreq network;
770
658
int sd;
771
uid_t uid;
772
gid_t gid;
773
659
char *connect_to = NULL;
774
660
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
775
const char *pubkeyfile = "pubkey.txt";
776
const char *seckeyfile = "seckey.txt";
777
661
mandos_context mc = { .simple_poll = NULL, .server = NULL,
778
662
.dh_bits = 1024, .priority = "SECURE256"};
779
bool gnutls_initalized = false;
780
663
781
{
782
struct argp_option options[] = {
783
{ .name = "debug", .key = 128,
784
.doc = "Debug mode", .group = 3 },
785
{ .name = "connect", .key = 'c',
786
.arg = "IP",
787
.doc = "Connect directly to a sepcified mandos server",
788
.group = 1 },
789
{ .name = "interface", .key = 'i',
790
.arg = "INTERFACE",
791
.doc = "Interface that Avahi will conntect through",
792
.group = 1 },
793
{ .name = "keydir", .key = 'd',
794
.arg = "KEYDIR",
795
.doc = "Directory where the openpgp keyring is",
796
.group = 1 },
797
{ .name = "seckey", .key = 's',
798
.arg = "SECKEY",
799
.doc = "Secret openpgp key for gnutls authentication",
800
.group = 1 },
801
{ .name = "pubkey", .key = 'p',
802
.arg = "PUBKEY",
803
.doc = "Public openpgp key for gnutls authentication",
804
.group = 2 },
805
{ .name = "dh-bits", .key = 129,
806
.arg = "BITS",
807
.doc = "dh-bits to use in gnutls communication",
808
.group = 2 },
809
{ .name = "priority", .key = 130,
810
.arg = "PRIORITY",
811
.doc = "GNUTLS priority", .group = 1 },
812
{ .name = NULL }
813
};
814
815
816
error_t parse_opt (int key, char *arg,
817
struct argp_state *state) {
818
/* Get the INPUT argument from `argp_parse', which we know is
819
a pointer to our plugin list pointer. */
820
switch (key) {
821
case 128:
822
debug = true;
823
break;
824
case 'c':
825
connect_to = arg;
826
break;
827
case 'i':
828
interface = arg;
829
break;
830
case 'd':
831
keydir = arg;
832
break;
833
case 's':
834
seckeyfile = arg;
835
break;
836
case 'p':
837
pubkeyfile = arg;
838
break;
839
case 129:
840
errno = 0;
841
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
842
if (errno){
843
perror("strtol");
844
exit(EXIT_FAILURE);
845
}
846
break;
847
case 130:
848
mc.priority = arg;
849
break;
850
case ARGP_KEY_ARG:
851
argp_usage (state);
852
break;
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
664
debug_int = debug ? 1 : 0;
665
while (true){
666
struct option long_options[] = {
667
{"debug", no_argument, &debug_int, 1},
668
{"connect", required_argument, NULL, 'c'},
669
{"interface", required_argument, NULL, 'i'},
670
{"keydir", required_argument, NULL, 'd'},
671
{"seckey", required_argument, NULL, 's'},
672
{"pubkey", required_argument, NULL, 'p'},
673
{"dh-bits", required_argument, NULL, 'D'},
674
{"priority", required_argument, NULL, 'P'},
675
{0, 0, 0, 0} };
676
677
int option_index = 0;
678
ret = getopt_long (argc, argv, "i:", long_options,
679
&option_index);
680
681
if (ret == -1){
682
break;
683
}
684
685
switch(ret){
686
case 0:
687
break;
688
case 'i':
689
interface = optarg;
690
break;
691
case 'c':
692
connect_to = optarg;
693
break;
694
case 'd':
695
keydir = optarg;
696
break;
697
case 'p':
698
pubkeyfile = optarg;
699
break;
700
case 's':
701
seckeyfile = optarg;
702
break;
703
case 'D':
704
errno = 0;
705
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
706
if (errno){
707
perror("strtol");
708
exit(EXIT_FAILURE);
857
709
}
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unkown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
710
break;
711
case 'P':
712
mc.priority = optarg;
713
break;
714
case '?':
715
default:
716
exit(EXIT_FAILURE);
870
717
}
871
718
}
872
719
debug = debug_int ? true : false;
720
873
721
pubkeyfile = combinepath(keydir, pubkeyfile);
874
722
if (pubkeyfile == NULL){
875
723
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
724
returncode = EXIT_FAILURE;
725
goto exit;
878
726
}
879
727
880
728
seckeyfile = combinepath(keydir, seckeyfile);
881
729
if (seckeyfile == NULL){
882
730
perror("combinepath");
883
goto end;
884
}
885
886
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
887
if (ret == -1){
888
fprintf(stderr, "init_gnutls_global\n");
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
uid = getuid();
895
gid = getgid();
896
897
ret = setuid(uid);
898
if (ret == -1){
899
perror("setuid");
900
}
901
902
setgid(gid);
903
if (ret == -1){
904
perror("setgid");
731
goto exit;
905
732
}
906
733
907
734
if_index = (AvahiIfIndex) if_nametoindex(interface);
916
743
char *address = strrchr(connect_to, ':');
917
744
if(address == NULL){
918
745
fprintf(stderr, "No colon in address\n");
919
exitcode = EXIT_FAILURE;
920
goto end;
746
exit(EXIT_FAILURE);
921
747
}
922
748
errno = 0;
923
749
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
924
750
if(errno){
925
751
perror("Bad port number");
926
exitcode = EXIT_FAILURE;
927
goto end;
752
exit(EXIT_FAILURE);
928
753
}
929
754
*address = '\0';
930
755
address = connect_to;
931
756
ret = start_mandos_communication(address, port, if_index, &mc);
932
757
if(ret < 0){
933
exitcode = EXIT_FAILURE;
758
exit(EXIT_FAILURE);
934
759
} else {
935
exitcode = EXIT_SUCCESS;
760
exit(EXIT_SUCCESS);
936
761
}
937
goto end;
938
762
}
939
763
940
/* If the interface is down, bring it up */
941
{
942
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
943
if(sd < 0) {
944
perror("socket");
945
exitcode = EXIT_FAILURE;
946
goto end;
947
}
948
strcpy(network.ifr_name, interface); /* Spurious warning */
949
ret = ioctl(sd, SIOCGIFFLAGS, &network);
764
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
765
if(sd < 0) {
766
perror("socket");
767
returncode = EXIT_FAILURE;
768
goto exit;
769
}
770
strcpy(network.ifr_name, interface); /* Spurious warning */
771
ret = ioctl(sd, SIOCGIFFLAGS, &network);
772
if(ret == -1){
773
774
perror("ioctl SIOCGIFFLAGS");
775
returncode = EXIT_FAILURE;
776
goto exit;
777
}
778
if((network.ifr_flags & IFF_UP) == 0){
779
network.ifr_flags |= IFF_UP;
780
ret = ioctl(sd, SIOCSIFFLAGS, &network);
950
781
if(ret == -1){
951
perror("ioctl SIOCGIFFLAGS");
952
exitcode = EXIT_FAILURE;
953
goto end;
954
}
955
if((network.ifr_flags & IFF_UP) == 0){
956
network.ifr_flags |= IFF_UP;
957
ret = ioctl(sd, SIOCSIFFLAGS, &network);
958
if(ret == -1){
959
perror("ioctl SIOCSIFFLAGS");
960
exitcode = EXIT_FAILURE;
961
goto end;
962
}
963
}
964
close(sd);
782
perror("ioctl SIOCSIFFLAGS");
783
returncode = EXIT_FAILURE;
784
goto exit;
785
}
965
786
}
787
close(sd);
966
788
967
789
if (not debug){
968
790
avahi_set_log_function(empty_log);
969
791
}
970
792
971
/* Initialize the pseudo-RNG for Avahi */
793
/* Initialize the psuedo-RNG */
972
794
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
795
796
/* Allocate main loop object */
797
if (!(mc.simple_poll = avahi_simple_poll_new())) {
798
fprintf(stderr, "Failed to create simple poll object.\n");
799
returncode = EXIT_FAILURE;
800
goto exit;
801
}
802
803
/* Do not publish any local records */
804
avahi_server_config_init(&config);
805
config.publish_hinfo = 0;
806
config.publish_addresses = 0;
807
config.publish_workstation = 0;
808
config.publish_domain = 0;
809
810
/* Allocate a new server */
811
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
812
&config, NULL, NULL, &error);
813
814
/* Free the configuration data */
815
avahi_server_config_free(&config);
816
817
/* Check if creating the server object succeeded */
818
if (!mc.server) {
819
fprintf(stderr, "Failed to create server: %s\n",
1004
820
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
821
returncode = EXIT_FAILURE;
822
goto exit;
1007
823
}
1008
824
1009
/* Create the Avahi service browser */
825
/* Create the service browser */
1010
826
sb = avahi_s_service_browser_new(mc.server, if_index,
1011
827
AVAHI_PROTO_INET6,
1012
828
"_mandos._tcp", NULL, 0,
1013
829
browse_callback, &mc);
1014
if (sb == NULL) {
830
if (!sb) {
1015
831
fprintf(stderr, "Failed to create service browser: %s\n",
1016
832
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
833
returncode = EXIT_FAILURE;
834
goto exit;
1019
835
}
1020
836
1021
837
/* Run the main loop */
1022
838
1023
839
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
840
fprintf(stderr, "Starting avahi loop search\n");
1025
841
}
1026
842
1027
843
avahi_simple_poll_loop(mc.simple_poll);
1028
844
1029
end:
845
exit:
1030
846
1031
847
if (debug){
1032
848
fprintf(stderr, "%s exiting\n", argv[0]);
1033
849
}
1034
850
1035
851
/* Cleanup things */
1036
if (sb != NULL)
852
if (sb)
1037
853
avahi_s_service_browser_free(sb);
1038
854
1039
if (mc.server != NULL)
855
if (mc.server)
1040
856
avahi_server_free(mc.server);
1041
857
1042
if (mc.simple_poll != NULL)
858
if (mc.simple_poll)
1043
859
avahi_simple_poll_free(mc.simple_poll);
1044
860
free(pubkeyfile);
1045
861
free(seckeyfile);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
1051
862
1052
return exitcode;
863
return returncode;
1053
864
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0