To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 40
- compare with another revision
- download diff
- download tarball
- view history from revision 40
- Committer: Teddy Hogeborn
- Date: 2008-08-03 16:05:52 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803160552-mvqy5klry3wn57x1
* plugins.d/mandosclient.c (initgnutls): Moved "err" variable into its
own code block.
(start_mandos_communication): Moved call to "initgnutls" to
beginning. Renamed label "exit" to
"mandos_end". Bug fix: set return
code if failure to realloc buffer.
Close TLS session as early as
possible.
(resolve_callback): Also print interface number when debugging.
(main): Moved "debug_int" and "config" into their own respective
code blocks.
own code block.
(start_mandos_communication): Moved call to "initgnutls" to
beginning. Renamed label "exit" to
"mandos_end". Bug fix: set return
code if failure to realloc buffer.
Close TLS session as early as
possible.
(resolve_callback): Also print interface number when debugging.
(main): Moved "debug_int" and "config" into their own respective
code blocks.
- files added:
- server.conf
- files removed:
- plugins.d/Makefile
- files renamed:
- mandos-clients.conf => clients.conf
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* $Id$ */
2
3
/* PLEASE NOTE *
4
* This file demonstrates how to use Avahi's core API, this is
5
* the embeddable mDNS stack for embedded applications.
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
6
4
*
7
* End user applications should *not* use this API and should use
8
* the D-Bus or C APIs, please see
9
* client-browse-services.c and glib-integration.c
10
*
11
* I repeat, you probably do *not* want to use this example.
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
12
29
*/
13
30
14
/***
15
This file is part of avahi.
16
17
avahi is free software; you can redistribute it and/or modify it
18
under the terms of the GNU Lesser General Public License as
19
published by the Free Software Foundation; either version 2.1 of the
20
License, or (at your option) any later version.
21
22
avahi is distributed in the hope that it will be useful, but WITHOUT
23
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
24
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
25
Public License for more details.
26
27
You should have received a copy of the GNU Lesser General Public
28
License along with avahi; if not, write to the Free Software
29
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
30
USA.
31
***/
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
35
34
38
37
#include <stdlib.h>
39
38
#include <time.h>
40
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
41
44
42
45
#include <avahi-core/core.h>
43
46
#include <avahi-core/lookup.h>
46
49
#include <avahi-common/malloc.h>
47
50
#include <avahi-common/error.h>
48
51
49
//mandos client part
50
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
51
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
53
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
52
/* Mandos client part */
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
58
55
59
#include <unistd.h> /* close() */
56
60
#include <netinet/in.h>
58
62
#include <string.h> /* memset */
59
63
#include <arpa/inet.h> /* inet_pton() */
60
64
#include <iso646.h> /* not */
65
#include <net/if.h> /* IF_NAMESIZE */
61
66
62
// gpgme
67
/* GPGME */
63
68
#include <errno.h> /* perror() */
64
69
#include <gpgme.h>
65
70
71
/* getopt_long */
72
#include <getopt.h>
66
73
67
#ifndef CERT_ROOT
68
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
69
#endif
70
#define CERTFILE CERT_ROOT "openpgp-client.txt"
71
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
72
74
#define BUFFER_SIZE 256
73
#define DH_BITS 1024
74
75
76
static const char *keydir = "/conf/conf.d/mandos";
77
static const char *pubkeyfile = "pubkey.txt";
78
static const char *seckeyfile = "seckey.txt";
79
80
bool debug = false;
81
82
/* Used for passing in values through all the callback functions */
75
83
typedef struct {
76
gnutls_session_t session;
84
AvahiSimplePoll *simple_poll;
85
AvahiServer *server;
77
86
gnutls_certificate_credentials_t cred;
78
gnutls_dh_params_t dh_params;
79
} encrypted_session;
80
81
82
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
87
unsigned int dh_bits;
88
const char *priority;
89
} mandos_context;
90
91
/*
92
* Decrypt OpenPGP data using keyrings in HOMEDIR.
93
* Returns -1 on error
94
*/
95
static ssize_t pgp_packet_decrypt (const char *cryptotext,
96
size_t crypto_size,
97
char **plaintext,
98
const char *homedir){
83
99
gpgme_data_t dh_crypto, dh_plain;
84
100
gpgme_ctx_t ctx;
85
101
gpgme_error_t rc;
86
102
ssize_t ret;
87
size_t new_packet_capacity = 0;
88
size_t new_packet_length = 0;
103
size_t plaintext_capacity = 0;
104
ssize_t plaintext_length = 0;
89
105
gpgme_engine_info_t engine_info;
90
106
107
if (debug){
108
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
109
}
110
91
111
/* Init GPGME */
92
112
gpgme_check_version(NULL);
93
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
114
if (rc != GPG_ERR_NO_ERROR){
115
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
116
gpgme_strsource(rc), gpgme_strerror(rc));
117
return -1;
118
}
94
119
95
/* Set GPGME home directory */
120
/* Set GPGME home directory for the OpenPGP engine only */
96
121
rc = gpgme_get_engine_info (&engine_info);
97
122
if (rc != GPG_ERR_NO_ERROR){
98
123
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
108
133
engine_info = engine_info->next;
109
134
}
110
135
if(engine_info == NULL){
111
fprintf(stderr, "Could not set home dir to %s\n", homedir);
136
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
112
137
return -1;
113
138
}
114
139
115
/* Create new GPGME data buffer from packet buffer */
116
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
140
/* Create new GPGME data buffer from memory cryptotext */
141
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
142
0);
117
143
if (rc != GPG_ERR_NO_ERROR){
118
144
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
119
145
gpgme_strsource(rc), gpgme_strerror(rc));
125
151
if (rc != GPG_ERR_NO_ERROR){
126
152
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
127
153
gpgme_strsource(rc), gpgme_strerror(rc));
154
gpgme_data_release(dh_crypto);
128
155
return -1;
129
156
}
130
157
133
160
if (rc != GPG_ERR_NO_ERROR){
134
161
fprintf(stderr, "bad gpgme_new: %s: %s\n",
135
162
gpgme_strsource(rc), gpgme_strerror(rc));
136
return -1;
163
plaintext_length = -1;
164
goto decrypt_end;
137
165
}
138
166
139
/* Decrypt data from the FILE pointer to the plaintext data buffer */
167
/* Decrypt data from the cryptotext data buffer to the plaintext
168
data buffer */
140
169
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
141
170
if (rc != GPG_ERR_NO_ERROR){
142
171
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
143
172
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* gpgme_decrypt_result_t result; */
148
/* result = gpgme_op_decrypt_result(ctx); */
149
/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */
150
/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */
151
/* if(result->file_name != NULL){ */
152
/* fprintf(stderr, "File name: %s\n", result->file_name); */
153
/* } */
154
/* gpgme_recipient_t recipient; */
155
/* recipient = result->recipients; */
156
/* if(recipient){ */
157
/* while(recipient != NULL){ */
158
/* fprintf(stderr, "Public key algorithm: %s\n", */
159
/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */
160
/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */
161
/* fprintf(stderr, "Secret key available: %s\n", */
162
/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */
163
/* recipient = recipient->next; */
164
/* } */
165
/* } */
166
167
/* Delete the GPGME FILE pointer cryptotext data buffer */
168
gpgme_data_release(dh_crypto);
173
plaintext_length = -1;
174
goto decrypt_end;
175
}
176
177
if(debug){
178
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
179
}
180
181
if (debug){
182
gpgme_decrypt_result_t result;
183
result = gpgme_op_decrypt_result(ctx);
184
if (result == NULL){
185
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
186
} else {
187
fprintf(stderr, "Unsupported algorithm: %s\n",
188
result->unsupported_algorithm);
189
fprintf(stderr, "Wrong key usage: %d\n",
190
result->wrong_key_usage);
191
if(result->file_name != NULL){
192
fprintf(stderr, "File name: %s\n", result->file_name);
193
}
194
gpgme_recipient_t recipient;
195
recipient = result->recipients;
196
if(recipient){
197
while(recipient != NULL){
198
fprintf(stderr, "Public key algorithm: %s\n",
199
gpgme_pubkey_algo_name(recipient->pubkey_algo));
200
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
201
fprintf(stderr, "Secret key available: %s\n",
202
recipient->status == GPG_ERR_NO_SECKEY
203
? "No" : "Yes");
204
recipient = recipient->next;
205
}
206
}
207
}
208
}
169
209
170
210
/* Seek back to the beginning of the GPGME plaintext data buffer */
171
gpgme_data_seek(dh_plain, 0, SEEK_SET);
172
173
*new_packet = 0;
211
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
212
perror("pgpme_data_seek");
213
plaintext_length = -1;
214
goto decrypt_end;
215
}
216
217
*plaintext = NULL;
174
218
while(true){
175
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
176
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
177
if (*new_packet == NULL){
219
if (plaintext_length + BUFFER_SIZE
220
> (ssize_t) plaintext_capacity){
221
*plaintext = realloc(*plaintext, plaintext_capacity
222
+ BUFFER_SIZE);
223
if (*plaintext == NULL){
178
224
perror("realloc");
179
return -1;
225
plaintext_length = -1;
226
goto decrypt_end;
180
227
}
181
new_packet_capacity += BUFFER_SIZE;
228
plaintext_capacity += BUFFER_SIZE;
182
229
}
183
230
184
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
231
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
232
BUFFER_SIZE);
185
233
/* Print the data, if any */
186
234
if (ret == 0){
187
/* If password is empty, then a incorrect error will be printed */
235
/* EOF */
188
236
break;
189
237
}
190
238
if(ret < 0){
191
239
perror("gpgme_data_read");
192
return -1;
240
plaintext_length = -1;
241
goto decrypt_end;
193
242
}
194
new_packet_length += ret;
243
plaintext_length += ret;
195
244
}
196
245
197
/* Delete the GPGME plaintext data buffer */
246
if(debug){
247
fprintf(stderr, "Decrypted password is: ");
248
for(ssize_t i = 0; i < plaintext_length; i++){
249
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
250
}
251
fprintf(stderr, "\n");
252
}
253
254
decrypt_end:
255
256
/* Delete the GPGME cryptotext data buffer */
257
gpgme_data_release(dh_crypto);
258
259
/* Delete the GPGME plaintext data buffer */
198
260
gpgme_data_release(dh_plain);
199
return new_packet_length;
261
return plaintext_length;
200
262
}
201
263
202
264
static const char * safer_gnutls_strerror (int value) {
206
268
return ret;
207
269
}
208
270
209
void debuggnutls(int level, const char* string){
210
fprintf(stderr, "%s", string);
271
/* GnuTLS log function callback */
272
static void debuggnutls(__attribute__((unused)) int level,
273
const char* string){
274
fprintf(stderr, "GnuTLS: %s", string);
211
275
}
212
276
213
int initgnutls(encrypted_session *es){
214
const char *err;
277
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
278
gnutls_dh_params_t *dh_params){
215
279
int ret;
216
280
281
if(debug){
282
fprintf(stderr, "Initializing GnuTLS\n");
283
}
284
217
285
if ((ret = gnutls_global_init ())
218
286
!= GNUTLS_E_SUCCESS) {
219
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
287
fprintf (stderr, "GnuTLS global_init: %s\n",
288
safer_gnutls_strerror(ret));
220
289
return -1;
221
290
}
222
223
/* Uncomment to enable full debuggin on the gnutls library */
224
/* gnutls_global_set_log_level(11); */
225
/* gnutls_global_set_log_function(debuggnutls); */
226
227
228
/* openpgp credentials */
229
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
291
292
if (debug){
293
/* "Use a log level over 10 to enable all debugging options."
294
* - GnuTLS manual
295
*/
296
gnutls_global_set_log_level(11);
297
gnutls_global_set_log_function(debuggnutls);
298
}
299
300
/* OpenPGP credentials */
301
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
230
302
!= GNUTLS_E_SUCCESS) {
231
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
303
fprintf (stderr, "GnuTLS memory error: %s\n",
304
safer_gnutls_strerror(ret));
232
305
return -1;
233
306
}
234
307
308
if(debug){
309
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
310
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
311
seckeyfile);
312
}
313
235
314
ret = gnutls_certificate_set_openpgp_key_file
236
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
237
if (ret != GNUTLS_E_SUCCESS) {
238
fprintf
239
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
240
ret, CERTFILE, KEYFILE);
241
fprintf(stdout, "The Error is: %s\n",
242
safer_gnutls_strerror(ret));
243
return -1;
244
}
245
246
//Gnutls server initialization
247
if ((ret = gnutls_dh_params_init (&es->dh_params))
248
!= GNUTLS_E_SUCCESS) {
249
fprintf (stderr, "Error in dh parameter initialization: %s\n",
250
safer_gnutls_strerror(ret));
251
return -1;
252
}
253
254
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
255
!= GNUTLS_E_SUCCESS) {
256
fprintf (stderr, "Error in prime generation: %s\n",
257
safer_gnutls_strerror(ret));
258
return -1;
259
}
260
261
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
262
263
// Gnutls session creation
264
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
265
!= GNUTLS_E_SUCCESS){
266
fprintf(stderr, "Error in gnutls session initialization: %s\n",
267
safer_gnutls_strerror(ret));
268
}
269
270
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
271
!= GNUTLS_E_SUCCESS) {
272
fprintf(stderr, "Syntax error at: %s\n", err);
273
fprintf(stderr, "Gnutls error: %s\n",
274
safer_gnutls_strerror(ret));
275
return -1;
276
}
277
278
if ((ret = gnutls_credentials_set
279
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
280
!= GNUTLS_E_SUCCESS) {
281
fprintf(stderr, "Error setting a credentials set: %s\n",
282
safer_gnutls_strerror(ret));
283
return -1;
284
}
285
315
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
316
if (ret != GNUTLS_E_SUCCESS) {
317
fprintf(stderr,
318
"Error[%d] while reading the OpenPGP key pair ('%s',"
319
" '%s')\n", ret, pubkeyfile, seckeyfile);
320
fprintf(stdout, "The GnuTLS error is: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
323
}
324
325
/* GnuTLS server initialization */
326
ret = gnutls_dh_params_init(dh_params);
327
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
329
" %s\n", safer_gnutls_strerror(ret));
330
return -1;
331
}
332
ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits);
333
if (ret != GNUTLS_E_SUCCESS) {
334
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
335
safer_gnutls_strerror(ret));
336
return -1;
337
}
338
339
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
340
341
/* GnuTLS session creation */
342
ret = gnutls_init(session, GNUTLS_SERVER);
343
if (ret != GNUTLS_E_SUCCESS){
344
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
345
safer_gnutls_strerror(ret));
346
}
347
348
{
349
const char *err;
350
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
351
if (ret != GNUTLS_E_SUCCESS) {
352
fprintf(stderr, "Syntax error at: %s\n", err);
353
fprintf(stderr, "GnuTLS error: %s\n",
354
safer_gnutls_strerror(ret));
355
return -1;
356
}
357
}
358
359
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
360
mc->cred);
361
if (ret != GNUTLS_E_SUCCESS) {
362
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
363
safer_gnutls_strerror(ret));
364
return -1;
365
}
366
286
367
/* ignore client certificate if any. */
287
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
368
gnutls_certificate_server_set_request (*session,
369
GNUTLS_CERT_IGNORE);
288
370
289
gnutls_dh_set_prime_bits (es->session, DH_BITS);
371
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
290
372
291
373
return 0;
292
374
}
293
375
294
void empty_log(AvahiLogLevel level, const char *txt){}
376
/* Avahi log function callback */
377
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
378
__attribute__((unused)) const char *txt){}
295
379
296
int start_mandos_communcation(char *ip, uint16_t port){
380
/* Called when a Mandos server is found */
381
static int start_mandos_communication(const char *ip, uint16_t port,
382
AvahiIfIndex if_index,
383
mandos_context *mc){
297
384
int ret, tcp_sd;
298
385
struct sockaddr_in6 to;
299
struct in6_addr ip_addr;
300
encrypted_session es;
301
386
char *buffer = NULL;
302
387
char *decrypted_buffer;
303
388
size_t buffer_length = 0;
304
389
size_t buffer_capacity = 0;
305
390
ssize_t decrypted_buffer_size;
391
size_t written = 0;
306
392
int retval = 0;
307
393
char interface[IF_NAMESIZE];
394
gnutls_session_t session;
395
gnutls_dh_params_t dh_params;
396
397
ret = initgnutls (mc, &session, &dh_params);
398
if (ret != 0){
399
return -1;
400
}
401
402
if(debug){
403
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
404
ip, port);
405
}
308
406
309
407
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
310
408
if(tcp_sd < 0) {
311
409
perror("socket");
312
410
return -1;
313
411
}
314
315
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
316
if(tcp_sd < 0) {
317
perror("setsockopt bindtodevice");
318
return -1;
412
413
if(debug){
414
if(if_indextoname((unsigned int)if_index, interface) == NULL){
415
perror("if_indextoname");
416
return -1;
417
}
418
fprintf(stderr, "Binding to interface %s\n", interface);
319
419
}
320
420
321
memset(&to,0,sizeof(to));
421
memset(&to,0,sizeof(to)); /* Spurious warning */
322
422
to.sin6_family = AF_INET6;
323
ret = inet_pton(AF_INET6, ip, &ip_addr);
423
/* It would be nice to have a way to detect if we were passed an
424
IPv4 address here. Now we assume an IPv6 address. */
425
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
324
426
if (ret < 0 ){
325
427
perror("inet_pton");
326
428
return -1;
327
}
429
}
328
430
if(ret == 0){
329
431
fprintf(stderr, "Bad address: %s\n", ip);
330
432
return -1;
331
433
}
332
to.sin6_port = htons(port);
333
to.sin6_scope_id = if_nametoindex("eth0");
434
to.sin6_port = htons(port); /* Spurious warning */
435
436
to.sin6_scope_id = (uint32_t)if_index;
437
438
if(debug){
439
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
440
char addrstr[INET6_ADDRSTRLEN] = "";
441
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
442
sizeof(addrstr)) == NULL){
443
perror("inet_ntop");
444
} else {
445
if(strcmp(addrstr, ip) != 0){
446
fprintf(stderr, "Canonical address form: %s\n", addrstr);
447
}
448
}
449
}
334
450
335
451
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
336
452
if (ret < 0){
338
454
return -1;
339
455
}
340
456
341
ret = initgnutls (&es);
342
if (ret != 0){
343
retval = -1;
344
return -1;
457
if(debug){
458
fprintf(stderr, "Establishing TLS session with %s\n", ip);
345
459
}
346
347
348
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
349
350
ret = gnutls_handshake (es.session);
460
461
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
462
463
ret = gnutls_handshake (session);
351
464
352
465
if (ret != GNUTLS_E_SUCCESS){
353
fprintf(stderr, "\n*** Handshake failed ***\n");
354
gnutls_perror (ret);
466
if(debug){
467
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
468
gnutls_perror (ret);
469
}
355
470
retval = -1;
356
goto exit;
471
goto mandos_end;
472
}
473
474
/* Read OpenPGP packet that contains the wanted password */
475
476
if(debug){
477
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
478
ip);
357
479
}
358
480
359
//retrive password
360
481
while(true){
361
482
if (buffer_length + BUFFER_SIZE > buffer_capacity){
362
483
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
363
484
if (buffer == NULL){
364
485
perror("realloc");
365
goto exit;
486
retval = -1;
487
goto mandos_end;
366
488
}
367
489
buffer_capacity += BUFFER_SIZE;
368
490
}
369
491
370
ret = gnutls_record_recv
371
(es.session, buffer+buffer_length, BUFFER_SIZE);
492
ret = gnutls_record_recv(session, buffer+buffer_length,
493
BUFFER_SIZE);
372
494
if (ret == 0){
373
495
break;
374
496
}
378
500
case GNUTLS_E_AGAIN:
379
501
break;
380
502
case GNUTLS_E_REHANDSHAKE:
381
ret = gnutls_handshake (es.session);
503
ret = gnutls_handshake (session);
382
504
if (ret < 0){
383
fprintf(stderr, "\n*** Handshake failed ***\n");
505
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
384
506
gnutls_perror (ret);
385
507
retval = -1;
386
goto exit;
508
goto mandos_end;
387
509
}
388
510
break;
389
511
default:
390
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
512
fprintf(stderr, "Unknown error while reading data from"
513
" encrypted session with Mandos server\n");
391
514
retval = -1;
392
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
393
goto exit;
515
gnutls_bye (session, GNUTLS_SHUT_RDWR);
516
goto mandos_end;
394
517
}
395
518
} else {
396
buffer_length += ret;
519
buffer_length += (size_t) ret;
397
520
}
398
521
}
399
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
527
gnutls_bye (session, GNUTLS_SHUT_RDWR);
528
400
529
if (buffer_length > 0){
401
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){
530
decrypted_buffer_size = pgp_packet_decrypt(buffer,
531
buffer_length,
532
&decrypted_buffer,
533
keydir);
534
if (decrypted_buffer_size >= 0){
535
while(written < (size_t) decrypted_buffer_size){
536
ret = (int)fwrite (decrypted_buffer + written, 1,
537
(size_t)decrypted_buffer_size - written,
538
stdout);
539
if(ret == 0 and ferror(stdout)){
540
if(debug){
541
fprintf(stderr, "Error writing encrypted data: %s\n",
542
strerror(errno));
543
}
544
retval = -1;
545
break;
546
}
547
written += (size_t)ret;
548
}
549
free(decrypted_buffer);
550
} else {
402
551
retval = -1;
403
} else {
404
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
405
free(decrypted_buffer);
406
552
}
407
553
}
408
554
555
/* Shutdown procedure */
556
557
mandos_end:
409
558
free(buffer);
410
411
//shutdown procedure
412
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
413
exit:
414
559
close(tcp_sd);
415
gnutls_deinit (es.session);
416
gnutls_certificate_free_credentials (es.cred);
560
gnutls_deinit (session);
561
gnutls_certificate_free_credentials (mc->cred);
417
562
gnutls_global_deinit ();
418
563
return retval;
419
564
}
420
565
421
static AvahiSimplePoll *simple_poll = NULL;
422
static AvahiServer *server = NULL;
423
424
static void resolve_callback(
425
AvahiSServiceResolver *r,
426
AVAHI_GCC_UNUSED AvahiIfIndex interface,
427
AVAHI_GCC_UNUSED AvahiProtocol protocol,
428
AvahiResolverEvent event,
429
const char *name,
430
const char *type,
431
const char *domain,
432
const char *host_name,
433
const AvahiAddress *address,
434
uint16_t port,
435
AvahiStringList *txt,
436
AvahiLookupResultFlags flags,
437
AVAHI_GCC_UNUSED void* userdata) {
438
439
assert(r);
440
441
/* Called whenever a service has been resolved successfully or timed out */
442
443
switch (event) {
444
case AVAHI_RESOLVER_FAILURE:
445
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
446
break;
447
448
case AVAHI_RESOLVER_FOUND: {
449
char ip[AVAHI_ADDRESS_STR_MAX];
450
avahi_address_snprint(ip, sizeof(ip), address);
451
int ret = start_mandos_communcation(ip, port);
452
if (ret == 0){
453
exit(EXIT_SUCCESS);
454
} else {
455
exit(EXIT_FAILURE);
456
}
457
}
458
}
459
avahi_s_service_resolver_free(r);
460
}
461
462
static void browse_callback(
463
AvahiSServiceBrowser *b,
464
AvahiIfIndex interface,
465
AvahiProtocol protocol,
466
AvahiBrowserEvent event,
467
const char *name,
468
const char *type,
469
const char *domain,
470
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
471
void* userdata) {
472
473
AvahiServer *s = userdata;
474
assert(b);
475
476
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
477
478
switch (event) {
479
480
case AVAHI_BROWSER_FAILURE:
481
482
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
483
avahi_simple_poll_quit(simple_poll);
484
return;
485
486
case AVAHI_BROWSER_NEW:
487
/* We ignore the returned resolver object. In the callback
488
function we free it. If the server is terminated before
489
the callback function is called the server will free
490
the resolver for us. */
491
492
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
493
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
494
495
break;
496
497
case AVAHI_BROWSER_REMOVE:
498
break;
499
500
case AVAHI_BROWSER_ALL_FOR_NOW:
501
case AVAHI_BROWSER_CACHE_EXHAUSTED:
502
break;
503
}
504
}
505
506
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
507
AvahiServerConfig config;
566
static void resolve_callback(AvahiSServiceResolver *r,
567
AvahiIfIndex interface,
568
AVAHI_GCC_UNUSED AvahiProtocol protocol,
569
AvahiResolverEvent event,
570
const char *name,
571
const char *type,
572
const char *domain,
573
const char *host_name,
574
const AvahiAddress *address,
575
uint16_t port,
576
AVAHI_GCC_UNUSED AvahiStringList *txt,
577
AVAHI_GCC_UNUSED AvahiLookupResultFlags
578
flags,
579
void* userdata) {
580
mandos_context *mc = userdata;
581
assert(r); /* Spurious warning */
582
583
/* Called whenever a service has been resolved successfully or
584
timed out */
585
586
switch (event) {
587
default:
588
case AVAHI_RESOLVER_FAILURE:
589
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
590
" of type '%s' in domain '%s': %s\n", name, type, domain,
591
avahi_strerror(avahi_server_errno(mc->server)));
592
break;
593
594
case AVAHI_RESOLVER_FOUND:
595
{
596
char ip[AVAHI_ADDRESS_STR_MAX];
597
avahi_address_snprint(ip, sizeof(ip), address);
598
if(debug){
599
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
600
" port %d\n", name, host_name, ip, interface, port);
601
}
602
int ret = start_mandos_communication(ip, port, interface, mc);
603
if (ret == 0){
604
exit(EXIT_SUCCESS);
605
}
606
}
607
}
608
avahi_s_service_resolver_free(r);
609
}
610
611
static void browse_callback( AvahiSServiceBrowser *b,
612
AvahiIfIndex interface,
613
AvahiProtocol protocol,
614
AvahiBrowserEvent event,
615
const char *name,
616
const char *type,
617
const char *domain,
618
AVAHI_GCC_UNUSED AvahiLookupResultFlags
619
flags,
620
void* userdata) {
621
mandos_context *mc = userdata;
622
assert(b); /* Spurious warning */
623
624
/* Called whenever a new services becomes available on the LAN or
625
is removed from the LAN */
626
627
switch (event) {
628
default:
629
case AVAHI_BROWSER_FAILURE:
630
631
fprintf(stderr, "(Avahi browser) %s\n",
632
avahi_strerror(avahi_server_errno(mc->server)));
633
avahi_simple_poll_quit(mc->simple_poll);
634
return;
635
636
case AVAHI_BROWSER_NEW:
637
/* We ignore the returned Avahi resolver object. In the callback
638
function we free it. If the Avahi server is terminated before
639
the callback function is called the Avahi server will free the
640
resolver for us. */
641
642
if (!(avahi_s_service_resolver_new(mc->server, interface,
643
protocol, name, type, domain,
644
AVAHI_PROTO_INET6, 0,
645
resolve_callback, mc)))
646
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
647
name, avahi_strerror(avahi_server_errno(mc->server)));
648
break;
649
650
case AVAHI_BROWSER_REMOVE:
651
break;
652
653
case AVAHI_BROWSER_ALL_FOR_NOW:
654
case AVAHI_BROWSER_CACHE_EXHAUSTED:
655
if(debug){
656
fprintf(stderr, "No Mandos server found, still searching...\n");
657
}
658
break;
659
}
660
}
661
662
/* Combines file name and path and returns the malloced new
663
string. some sane checks could/should be added */
664
static const char *combinepath(const char *first, const char *second){
665
size_t f_len = strlen(first);
666
size_t s_len = strlen(second);
667
char *tmp = malloc(f_len + s_len + 2);
668
if (tmp == NULL){
669
return NULL;
670
}
671
if(f_len > 0){
672
memcpy(tmp, first, f_len); /* Spurious warning */
673
}
674
tmp[f_len] = '/';
675
if(s_len > 0){
676
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
677
}
678
tmp[f_len + 1 + s_len] = '\0';
679
return tmp;
680
}
681
682
683
int main(int argc, char *argv[]){
508
684
AvahiSServiceBrowser *sb = NULL;
509
685
int error;
510
int ret = 1;
511
512
avahi_set_log_function(empty_log);
513
514
/* Initialize the psuedo-RNG */
515
srand(time(NULL));
516
517
/* Allocate main loop object */
518
if (!(simple_poll = avahi_simple_poll_new())) {
519
fprintf(stderr, "Failed to create simple poll object.\n");
520
goto fail;
521
}
522
523
/* Do not publish any local records */
524
avahi_server_config_init(&config);
525
config.publish_hinfo = 0;
526
config.publish_addresses = 0;
527
config.publish_workstation = 0;
528
config.publish_domain = 0;
529
530
/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */
531
/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */
532
/* config.n_wide_area_servers = 1; */
533
/* config.enable_wide_area = 1; */
534
535
/* Allocate a new server */
536
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
537
538
/* Free the configuration data */
539
avahi_server_config_free(&config);
540
541
/* Check wether creating the server object succeeded */
542
if (!server) {
543
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
544
goto fail;
545
}
546
547
/* Create the service browser */
548
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
549
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
550
goto fail;
686
int ret;
687
int exitcode = EXIT_SUCCESS;
688
const char *interface = "eth0";
689
struct ifreq network;
690
int sd;
691
char *connect_to = NULL;
692
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
693
mandos_context mc = { .simple_poll = NULL, .server = NULL,
694
.dh_bits = 1024, .priority = "SECURE256"};
695
696
{
697
/* Temporary int to get the address of for getopt_long */
698
int debug_int = debug ? 1 : 0;
699
while (true){
700
struct option long_options[] = {
701
{"debug", no_argument, &debug_int, 1},
702
{"connect", required_argument, NULL, 'c'},
703
{"interface", required_argument, NULL, 'i'},
704
{"keydir", required_argument, NULL, 'd'},
705
{"seckey", required_argument, NULL, 's'},
706
{"pubkey", required_argument, NULL, 'p'},
707
{"dh-bits", required_argument, NULL, 'D'},
708
{"priority", required_argument, NULL, 'P'},
709
{0, 0, 0, 0} };
710
711
int option_index = 0;
712
ret = getopt_long (argc, argv, "i:", long_options,
713
&option_index);
714
715
if (ret == -1){
716
break;
717
}
718
719
switch(ret){
720
case 0:
721
break;
722
case 'i':
723
interface = optarg;
724
break;
725
case 'c':
726
connect_to = optarg;
727
break;
728
case 'd':
729
keydir = optarg;
730
break;
731
case 'p':
732
pubkeyfile = optarg;
733
break;
734
case 's':
735
seckeyfile = optarg;
736
break;
737
case 'D':
738
errno = 0;
739
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
740
if (errno){
741
perror("strtol");
742
exit(EXIT_FAILURE);
743
}
744
break;
745
case 'P':
746
mc.priority = optarg;
747
break;
748
case '?':
749
default:
750
/* getopt_long() has already printed a message about the
751
unrcognized option, so just exit. */
752
exit(EXIT_FAILURE);
753
}
754
}
755
/* Set the global debug flag from the temporary int */
756
debug = debug_int ? true : false;
757
}
758
759
pubkeyfile = combinepath(keydir, pubkeyfile);
760
if (pubkeyfile == NULL){
761
perror("combinepath");
762
exitcode = EXIT_FAILURE;
763
goto end;
764
}
765
766
seckeyfile = combinepath(keydir, seckeyfile);
767
if (seckeyfile == NULL){
768
perror("combinepath");
769
goto end;
770
}
771
772
if_index = (AvahiIfIndex) if_nametoindex(interface);
773
if(if_index == 0){
774
fprintf(stderr, "No such interface: \"%s\"\n", interface);
775
exit(EXIT_FAILURE);
776
}
777
778
if(connect_to != NULL){
779
/* Connect directly, do not use Zeroconf */
780
/* (Mainly meant for debugging) */
781
char *address = strrchr(connect_to, ':');
782
if(address == NULL){
783
fprintf(stderr, "No colon in address\n");
784
exit(EXIT_FAILURE);
785
}
786
errno = 0;
787
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
788
if(errno){
789
perror("Bad port number");
790
exit(EXIT_FAILURE);
791
}
792
*address = '\0';
793
address = connect_to;
794
ret = start_mandos_communication(address, port, if_index, &mc);
795
if(ret < 0){
796
exit(EXIT_FAILURE);
797
} else {
798
exit(EXIT_SUCCESS);
799
}
800
}
801
802
/* If the interface is down, bring it up */
803
{
804
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
805
if(sd < 0) {
806
perror("socket");
807
exitcode = EXIT_FAILURE;
808
goto end;
809
}
810
strcpy(network.ifr_name, interface); /* Spurious warning */
811
ret = ioctl(sd, SIOCGIFFLAGS, &network);
812
if(ret == -1){
813
perror("ioctl SIOCGIFFLAGS");
814
exitcode = EXIT_FAILURE;
815
goto end;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
exitcode = EXIT_FAILURE;
823
goto end;
824
}
825
}
826
close(sd);
827
}
828
829
if (not debug){
830
avahi_set_log_function(empty_log);
831
}
832
833
/* Initialize the pseudo-RNG for Avahi */
834
srand((unsigned int) time(NULL));
835
836
/* Allocate main Avahi loop object */
837
mc.simple_poll = avahi_simple_poll_new();
838
if (mc.simple_poll == NULL) {
839
fprintf(stderr, "Avahi: Failed to create simple poll"
840
" object.\n");
841
exitcode = EXIT_FAILURE;
842
goto end;
843
}
844
845
{
846
AvahiServerConfig config;
847
/* Do not publish any local Zeroconf records */
848
avahi_server_config_init(&config);
849
config.publish_hinfo = 0;
850
config.publish_addresses = 0;
851
config.publish_workstation = 0;
852
config.publish_domain = 0;
853
854
/* Allocate a new server */
855
mc.server = avahi_server_new(avahi_simple_poll_get
856
(mc.simple_poll), &config, NULL,
857
NULL, &error);
858
859
/* Free the Avahi configuration data */
860
avahi_server_config_free(&config);
861
}
862
863
/* Check if creating the Avahi server object succeeded */
864
if (mc.server == NULL) {
865
fprintf(stderr, "Failed to create Avahi server: %s\n",
866
avahi_strerror(error));
867
exitcode = EXIT_FAILURE;
868
goto end;
869
}
870
871
/* Create the Avahi service browser */
872
sb = avahi_s_service_browser_new(mc.server, if_index,
873
AVAHI_PROTO_INET6,
874
"_mandos._tcp", NULL, 0,
875
browse_callback, &mc);
876
if (sb == NULL) {
877
fprintf(stderr, "Failed to create service browser: %s\n",
878
avahi_strerror(avahi_server_errno(mc.server)));
879
exitcode = EXIT_FAILURE;
880
goto end;
551
881
}
552
882
553
883
/* Run the main loop */
554
avahi_simple_poll_loop(simple_poll);
555
556
ret = 0;
557
558
fail:
884
885
if (debug){
886
fprintf(stderr, "Starting Avahi loop search\n");
887
}
888
889
avahi_simple_poll_loop(mc.simple_poll);
890
891
end:
892
893
if (debug){
894
fprintf(stderr, "%s exiting\n", argv[0]);
895
}
559
896
560
897
/* Cleanup things */
561
if (sb)
898
if (sb != NULL)
562
899
avahi_s_service_browser_free(sb);
563
900
564
if (server)
565
avahi_server_free(server);
566
567
if (simple_poll)
568
avahi_simple_poll_free(simple_poll);
569
570
return ret;
901
if (mc.server != NULL)
902
avahi_server_free(mc.server);
903
904
if (mc.simple_poll != NULL)
905
avahi_simple_poll_free(mc.simple_poll);
906
free(pubkeyfile);
907
free(seckeyfile);
908
909
return exitcode;
571
910
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0