/mandos/trunk : revision 44

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-08-04 20:43:31 UTC
mfrom: (24.1.17 mandos)
Revision ID: teddy@fukt.bsnet.se-20080804204331-zgu42g8ii997h1l2

* ca.pem: Removed.
* cert.pem: - '' -
* client-cert.pem: - '' -
* client-key.pem: - '' -
* crl.pem: - '' -
* key.pem: - '' -

* plugins.d/mandosclient.c (start_mandos_communication): Change "to"
                                    to be a union.  All users changed.

* server.py: Changed log severity for many log messages.
  (Client.__init__): Take all config file settins as a dict instead of
                     as keyword arguments.

files added:
server.conf

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

files modified:
Makefile

TODO

plugbasedclient.c

plugins.d/mandosclient.c

plugins.d/passprompt.c

server.py

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* $Id$ */

/* PLEASE NOTE *

* This file demonstrates how to use Avahi's core API, this is

* the embeddable mDNS stack for embedded applications.

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* End user applications should *not* use this API and should use

* the D-Bus or C APIs, please see

* client-browse-services.c and glib-integration.c

* I repeat, you probably do *not* want to use this example.

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* <http://avahi.org/browser/examples/core-browse-services.c>. This

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/***

This file is part of avahi.

avahi is free software; you can redistribute it and/or modify it

under the terms of the GNU Lesser General Public License as

published by the Free Software Foundation; either version 2.1 of the

License, or (at your option) any later version.

avahi is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY

or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General

Public License for more details.

You should have received a copy of the GNU Lesser General Public

License along with avahi; if not, write to the Free Software

Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

USA.

***/

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */

#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */

/* Mandos client part */

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

/* GPGME */

#include <errno.h> /* perror() */

#include <gpgme.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

#define BUFFER_SIZE 256

#define DH_BITS 1024

bool debug = false;

static const char *keydir = "/conf/conf.d/mandos";

static const char mandos_protocol_version[] = "1";

const char *argp_program_version = "mandosclient 0.9";

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

/* Used for passing in values through the Avahi callback functions */

typedef struct {

gnutls_session_t session;

AvahiSimplePoll *simple_poll;

AvahiServer *server;

gnutls_certificate_credentials_t cred;

unsigned int dh_bits;

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){

const char *priority;

} mandos_context;

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

* "buffer_capacity" is how much is currently allocated,

* "buffer_length" is how much is already used.

size_t adjustbuffer(char **buffer, size_t buffer_length,

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

101

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

103

return 0;

104

}

105

buffer_capacity += BUFFER_SIZE;

106

}

107

return buffer_capacity;

108

}

109

110

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

113

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

117

const char *homedir){

118

gpgme_data_t dh_crypto, dh_plain;

119

gpgme_ctx_t ctx;

120

gpgme_error_t rc;

121

ssize_t ret;

size_t new_packet_capacity = 0;

size_t new_packet_length = 0;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

124

gpgme_engine_info_t engine_info;

125

126

if (debug){

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

128

}

129

130

/* Init GPGME */

131

gpgme_check_version(NULL);

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

132

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

133

if (rc != GPG_ERR_NO_ERROR){

134

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

135

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

137

}

138

/* Set GPGME home directory */

139

/* Set GPGME home directory for the OpenPGP engine only */

140

rc = gpgme_get_engine_info (&engine_info);

141

if (rc != GPG_ERR_NO_ERROR){

142

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

108

152

engine_info = engine_info->next;

109

153

}

110

154

if(engine_info == NULL){

111

fprintf(stderr, "Could not set home dir to %s\n", homedir);

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

112

156

return -1;

113

157

}

114

158

115

/* Create new GPGME data buffer from packet buffer */

116

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

159

/* Create new GPGME data buffer from memory cryptotext */

160

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

161

0);

117

162

if (rc != GPG_ERR_NO_ERROR){

118

163

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

119

164

gpgme_strsource(rc), gpgme_strerror(rc));

125

170

if (rc != GPG_ERR_NO_ERROR){

126

171

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

127

172

gpgme_strsource(rc), gpgme_strerror(rc));

173

gpgme_data_release(dh_crypto);

128

174

return -1;

129

175

}

130

176

133

179

if (rc != GPG_ERR_NO_ERROR){

134

180

fprintf(stderr, "bad gpgme_new: %s: %s\n",

135

181

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

182

plaintext_length = -1;

183

goto decrypt_end;

137

184

}

138

185

139

/* Decrypt data from the FILE pointer to the plaintext data buffer */

186

/* Decrypt data from the cryptotext data buffer to the plaintext

187

data buffer */

140

188

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

141

189

if (rc != GPG_ERR_NO_ERROR){

142

190

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

143

191

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

145

}

146

147

/* gpgme_decrypt_result_t result; */

148

/* result = gpgme_op_decrypt_result(ctx); */

149

/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */

150

/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */

151

/* if(result->file_name != NULL){ */

152

/* fprintf(stderr, "File name: %s\n", result->file_name); */

153

/* } */

154

/* gpgme_recipient_t recipient; */

155

/* recipient = result->recipients; */

156

/* if(recipient){ */

157

/* while(recipient != NULL){ */

158

/* fprintf(stderr, "Public key algorithm: %s\n", */

159

/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */

160

/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */

161

/* fprintf(stderr, "Secret key available: %s\n", */

162

/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */

163

/* recipient = recipient->next; */

164

/* } */

165

/* } */

166

167

/* Delete the GPGME FILE pointer cryptotext data buffer */

168

gpgme_data_release(dh_crypto);

192

plaintext_length = -1;

193

goto decrypt_end;

194

}

195

196

if(debug){

197

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

198

}

199

200

if (debug){

201

gpgme_decrypt_result_t result;

202

result = gpgme_op_decrypt_result(ctx);

203

if (result == NULL){

204

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

205

} else {

206

fprintf(stderr, "Unsupported algorithm: %s\n",

207

result->unsupported_algorithm);

208

fprintf(stderr, "Wrong key usage: %d\n",

209

result->wrong_key_usage);

210

if(result->file_name != NULL){

211

fprintf(stderr, "File name: %s\n", result->file_name);

212

}

213

gpgme_recipient_t recipient;

214

recipient = result->recipients;

215

if(recipient){

216

while(recipient != NULL){

217

fprintf(stderr, "Public key algorithm: %s\n",

218

gpgme_pubkey_algo_name(recipient->pubkey_algo));

219

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

220

fprintf(stderr, "Secret key available: %s\n",

221

recipient->status == GPG_ERR_NO_SECKEY

222

? "No" : "Yes");

223

recipient = recipient->next;

224

}

225

}

226

}

227

}

169

228

170

229

/* Seek back to the beginning of the GPGME plaintext data buffer */

171

gpgme_data_seek(dh_plain, 0, SEEK_SET);

172

173

*new_packet = 0;

230

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

231

perror("pgpme_data_seek");

232

plaintext_length = -1;

233

goto decrypt_end;

234

}

235

236

*plaintext = NULL;

174

237

while(true){

175

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

176

*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);

177

if (*new_packet == NULL){

178

perror("realloc");

179

return -1;

180

}

181

new_packet_capacity += BUFFER_SIZE;

238

plaintext_capacity = adjustbuffer(plaintext,

239

(size_t)plaintext_length,

240

plaintext_capacity);

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

243

plaintext_length = -1;

244

goto decrypt_end;

182

245

}

183

246

184

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);

247

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

248

BUFFER_SIZE);

185

249

/* Print the data, if any */

186

250

if (ret == 0){

187

/* If password is empty, then a incorrect error will be printed */

251

/* EOF */

188

252

break;

189

253

}

190

254

if(ret < 0){

191

255

perror("gpgme_data_read");

192

return -1;

256

plaintext_length = -1;

257

goto decrypt_end;

193

258

}

194

new_packet_length += ret;

259

plaintext_length += ret;

195

260

}

196

261

197

/* Delete the GPGME plaintext data buffer */

262

if(debug){

263

fprintf(stderr, "Decrypted password is: ");

264

for(ssize_t i = 0; i < plaintext_length; i++){

265

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

266

}

267

fprintf(stderr, "\n");

268

}

269

270

decrypt_end:

271

272

/* Delete the GPGME cryptotext data buffer */

273

gpgme_data_release(dh_crypto);

274

275

/* Delete the GPGME plaintext data buffer */

198

276

gpgme_data_release(dh_plain);

199

return new_packet_length;

277

return plaintext_length;

200

278

}

201

279

202

280

static const char * safer_gnutls_strerror (int value) {

206

284

return ret;

207

285

}

208

286

209

void debuggnutls(int level, const char* string){

210

fprintf(stderr, "%s", string);

287

/* GnuTLS log function callback */

288

static void debuggnutls(__attribute__((unused)) int level,

289

const char* string){

290

fprintf(stderr, "GnuTLS: %s", string);

211

291

}

212

292

213

int initgnutls(encrypted_session *es){

214

const char *err;

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

215

296

int ret;

216

297

298

if(debug){

299

fprintf(stderr, "Initializing GnuTLS\n");

300

}

301

217

302

if ((ret = gnutls_global_init ())

218

303

!= GNUTLS_E_SUCCESS) {

219

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

220

306

return -1;

221

307

}

222

223

/* Uncomment to enable full debuggin on the gnutls library */

224

/* gnutls_global_set_log_level(11); */

225

/* gnutls_global_set_log_function(debuggnutls); */

226

227

228

/* openpgp credentials */

229

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

308

309

if (debug){

310

/* "Use a log level over 10 to enable all debugging options."

311

* - GnuTLS manual

312

313

gnutls_global_set_log_level(11);

314

gnutls_global_set_log_function(debuggnutls);

315

}

316

317

/* OpenPGP credentials */

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

230

319

!= GNUTLS_E_SUCCESS) {

231

fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));

320

fprintf (stderr, "GnuTLS memory error: %s\n",

321

safer_gnutls_strerror(ret));

232

322

return -1;

233

323

}

234

324

325

if(debug){

326

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

327

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

328

seckeyfile);

329

}

330

235

331

ret = gnutls_certificate_set_openpgp_key_file

236

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

237

if (ret != GNUTLS_E_SUCCESS) {

238

fprintf

239

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",

240

ret, CERTFILE, KEYFILE);

241

fprintf(stdout, "The Error is: %s\n",

242

safer_gnutls_strerror(ret));

243

return -1;

244

}

245

246

//Gnutls server initialization

247

if ((ret = gnutls_dh_params_init (&es->dh_params))

248

!= GNUTLS_E_SUCCESS) {

249

fprintf (stderr, "Error in dh parameter initialization: %s\n",

250

safer_gnutls_strerror(ret));

251

return -1;

252

}

253

254

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

255

!= GNUTLS_E_SUCCESS) {

256

fprintf (stderr, "Error in prime generation: %s\n",

257

safer_gnutls_strerror(ret));

258

return -1;

259

}

260

261

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

262

263

// Gnutls session creation

264

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

265

!= GNUTLS_E_SUCCESS){

266

fprintf(stderr, "Error in gnutls session initialization: %s\n",

267

safer_gnutls_strerror(ret));

268

}

269

270

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

271

!= GNUTLS_E_SUCCESS) {

272

fprintf(stderr, "Syntax error at: %s\n", err);

273

fprintf(stderr, "Gnutls error: %s\n",

274

safer_gnutls_strerror(ret));

275

return -1;

276

}

277

278

if ((ret = gnutls_credentials_set

279

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

280

!= GNUTLS_E_SUCCESS) {

281

fprintf(stderr, "Error setting a credentials set: %s\n",

282

safer_gnutls_strerror(ret));

283

return -1;

284

}

285

332

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

333

if (ret != GNUTLS_E_SUCCESS) {

334

fprintf(stderr,

335

"Error[%d] while reading the OpenPGP key pair ('%s',"

336

" '%s')\n", ret, pubkeyfile, seckeyfile);

337

fprintf(stdout, "The GnuTLS error is: %s\n",

338

safer_gnutls_strerror(ret));

339

return -1;

340

}

341

342

/* GnuTLS server initialization */

343

ret = gnutls_dh_params_init(&mc->dh_params);

344

if (ret != GNUTLS_E_SUCCESS) {

345

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

346

" %s\n", safer_gnutls_strerror(ret));

347

return -1;

348

}

349

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

350

if (ret != GNUTLS_E_SUCCESS) {

351

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

352

safer_gnutls_strerror(ret));

353

return -1;

354

}

355

356

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

357

358

return 0;

359

}

360

361

static int init_gnutls_session(mandos_context *mc,

362

gnutls_session_t *session){

363

int ret;

364

/* GnuTLS session creation */

365

ret = gnutls_init(session, GNUTLS_SERVER);

366

if (ret != GNUTLS_E_SUCCESS){

367

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

368

safer_gnutls_strerror(ret));

369

}

370

371

{

372

const char *err;

373

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

374

if (ret != GNUTLS_E_SUCCESS) {

375

fprintf(stderr, "Syntax error at: %s\n", err);

376

fprintf(stderr, "GnuTLS error: %s\n",

377

safer_gnutls_strerror(ret));

378

return -1;

379

}

380

}

381

382

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

383

mc->cred);

384

if (ret != GNUTLS_E_SUCCESS) {

385

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

386

safer_gnutls_strerror(ret));

387

return -1;

388

}

389

286

390

/* ignore client certificate if any. */

287

gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);

391

gnutls_certificate_server_set_request (*session,

392

GNUTLS_CERT_IGNORE);

288

393

289

gnutls_dh_set_prime_bits (es->session, DH_BITS);

394

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

290

395

291

396

return 0;

292

397

}

293

398

294

void empty_log(AvahiLogLevel level, const char *txt){}

399

/* Avahi log function callback */

400

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

401

__attribute__((unused)) const char *txt){}

295

402

296

int start_mandos_communcation(char *ip, uint16_t port){

403

/* Called when a Mandos server is found */

404

static int start_mandos_communication(const char *ip, uint16_t port,

405

AvahiIfIndex if_index,

406

mandos_context *mc){

297

407

int ret, tcp_sd;

298

struct sockaddr_in6 to;

299

struct in6_addr ip_addr;

300

encrypted_session es;

408

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

301

409

char *buffer = NULL;

302

410

char *decrypted_buffer;

303

411

size_t buffer_length = 0;

304

412

size_t buffer_capacity = 0;

305

413

ssize_t decrypted_buffer_size;

414

size_t written;

306

415

int retval = 0;

307

416

char interface[IF_NAMESIZE];

417

gnutls_session_t session;

418

419

ret = init_gnutls_session (mc, &session);

420

if (ret != 0){

421

return -1;

422

}

423

424

if(debug){

425

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

426

ip, port);

427

}

308

428

309

429

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

310

430

if(tcp_sd < 0) {

311

431

perror("socket");

312

432

return -1;

313

433

}

314

315

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

316

if(tcp_sd < 0) {

317

perror("setsockopt bindtodevice");

318

return -1;

434

435

if(debug){

436

if(if_indextoname((unsigned int)if_index, interface) == NULL){

437

perror("if_indextoname");

438

return -1;

439

}

440

fprintf(stderr, "Binding to interface %s\n", interface);

319

441

}

320

442

321

memset(&to,0,sizeof(to));

322

to.sin6_family = AF_INET6;

323

ret = inet_pton(AF_INET6, ip, &ip_addr);

443

memset(&to,0,sizeof(to)); /* Spurious warning */

444

to.in6.sin6_family = AF_INET6;

445

/* It would be nice to have a way to detect if we were passed an

446

IPv4 address here. Now we assume an IPv6 address. */

447

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

324

448

if (ret < 0 ){

325

449

perror("inet_pton");

326

450

return -1;

327

}

451

}

328

452

if(ret == 0){

329

453

fprintf(stderr, "Bad address: %s\n", ip);

330

454

return -1;

331

455

}

332

to.sin6_port = htons(port);

333

to.sin6_scope_id = if_nametoindex("eth0");

334

335

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

456

to.in6.sin6_port = htons(port); /* Spurious warning */

457

458

to.in6.sin6_scope_id = (uint32_t)if_index;

459

460

if(debug){

461

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

462

char addrstr[INET6_ADDRSTRLEN] = "";

463

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

464

sizeof(addrstr)) == NULL){

465

perror("inet_ntop");

466

} else {

467

if(strcmp(addrstr, ip) != 0){

468

fprintf(stderr, "Canonical address form: %s\n", addrstr);

469

}

470

}

471

}

472

473

ret = connect(tcp_sd, &to.in, sizeof(to));

336

474

if (ret < 0){

337

475

perror("connect");

338

476

return -1;

339

477

}

340

341

ret = initgnutls (&es);

342

if (ret != 0){

343

retval = -1;

344

return -1;

345

}

346

347

348

gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

349

478

350

ret = gnutls_handshake (es.session);

479

const char *out = mandos_protocol_version;

480

written = 0;

481

while (true){

482

size_t out_size = strlen(out);

483

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

484

out_size - written));

485

if (ret == -1){

486

perror("write");

487

retval = -1;

488

goto mandos_end;

489

}

490

written += (size_t)ret;

491

if(written < out_size){

492

continue;

493

} else {

494

if (out == mandos_protocol_version){

495

written = 0;

496

out = "\r\n";

497

} else {

498

break;

499

}

500

}

501

}

502

503

if(debug){

504

fprintf(stderr, "Establishing TLS session with %s\n", ip);

505

}

506

507

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

508

509

ret = gnutls_handshake (session);

351

510

352

511

if (ret != GNUTLS_E_SUCCESS){

353

fprintf(stderr, "\n*** Handshake failed ***\n");

354

gnutls_perror (ret);

512

if(debug){

513

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

514

gnutls_perror (ret);

515

}

355

516

retval = -1;

356

goto exit;

517

goto mandos_end;

518

}

519

520

/* Read OpenPGP packet that contains the wanted password */

521

522

if(debug){

523

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

524

ip);

357

525

}

358

526

359

//retrive password

360

527

while(true){

361

if (buffer_length + BUFFER_SIZE > buffer_capacity){

362

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

363

if (buffer == NULL){

364

perror("realloc");

365

goto exit;

366

}

367

buffer_capacity += BUFFER_SIZE;

528

buffer_capacity = adjustbuffer(&buffer, buffer_length,

529

buffer_capacity);

530

if (buffer_capacity == 0){

531

perror("adjustbuffer");

532

retval = -1;

533

goto mandos_end;

368

534

}

369

535

370

ret = gnutls_record_recv

371

(es.session, buffer+buffer_length, BUFFER_SIZE);

536

ret = gnutls_record_recv(session, buffer+buffer_length,

537

BUFFER_SIZE);

372

538

if (ret == 0){

373

539

break;

374

540

}

378

544

case GNUTLS_E_AGAIN:

379

545

break;

380

546

case GNUTLS_E_REHANDSHAKE:

381

ret = gnutls_handshake (es.session);

547

ret = gnutls_handshake (session);

382

548

if (ret < 0){

383

fprintf(stderr, "\n*** Handshake failed ***\n");

549

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

384

550

gnutls_perror (ret);

385

551

retval = -1;

386

goto exit;

552

goto mandos_end;

387

553

}

388

554

break;

389

555

default:

390

fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");

556

fprintf(stderr, "Unknown error while reading data from"

557

" encrypted session with Mandos server\n");

391

558

retval = -1;

392

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

393

goto exit;

559

gnutls_bye (session, GNUTLS_SHUT_RDWR);

560

goto mandos_end;

394

561

}

395

562

} else {

396

buffer_length += ret;

563

buffer_length += (size_t) ret;

397

564

}

398

565

}

399

566

567

if(debug){

568

fprintf(stderr, "Closing TLS session\n");

569

}

570

571

gnutls_bye (session, GNUTLS_SHUT_RDWR);

572

400

573

if (buffer_length > 0){

401

if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){

402

retval = -1;

403

} else {

404

fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);

574

decrypted_buffer_size = pgp_packet_decrypt(buffer,

575

buffer_length,

576

&decrypted_buffer,

577

keydir);

578

if (decrypted_buffer_size >= 0){

579

written = 0;

580

while(written < (size_t) decrypted_buffer_size){

581

ret = (int)fwrite (decrypted_buffer + written, 1,

582

(size_t)decrypted_buffer_size - written,

583

stdout);

584

if(ret == 0 and ferror(stdout)){

585

if(debug){

586

fprintf(stderr, "Error writing encrypted data: %s\n",

587

strerror(errno));

588

}

589

retval = -1;

590

break;

591

}

592

written += (size_t)ret;

593

}

405

594

free(decrypted_buffer);

595

} else {

596

retval = -1;

406

597

}

407

598

}

408

599

600

/* Shutdown procedure */

601

602

mandos_end:

409

603

free(buffer);

410

411

//shutdown procedure

412

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

413

exit:

414

604

close(tcp_sd);

415

gnutls_deinit (es.session);

416

gnutls_certificate_free_credentials (es.cred);

605

gnutls_deinit (session);

606

gnutls_certificate_free_credentials (mc->cred);

417

607

gnutls_global_deinit ();

418

608

return retval;

419

609

}

420

610

421

static AvahiSimplePoll *simple_poll = NULL;

422

static AvahiServer *server = NULL;

423

424

static void resolve_callback(

425

AvahiSServiceResolver *r,

426

AVAHI_GCC_UNUSED AvahiIfIndex interface,

427

AVAHI_GCC_UNUSED AvahiProtocol protocol,

428

AvahiResolverEvent event,

429

const char *name,

430

const char *type,

431

const char *domain,

432

const char *host_name,

433

const AvahiAddress *address,

434

uint16_t port,

435

AvahiStringList *txt,

436

AvahiLookupResultFlags flags,

437

AVAHI_GCC_UNUSED void* userdata) {

438

439

assert(r);

440

441

/* Called whenever a service has been resolved successfully or timed out */

442

443

switch (event) {

444

case AVAHI_RESOLVER_FAILURE:

445

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));

446

break;

447

448

case AVAHI_RESOLVER_FOUND: {

449

char ip[AVAHI_ADDRESS_STR_MAX];

450

avahi_address_snprint(ip, sizeof(ip), address);

451

int ret = start_mandos_communcation(ip, port);

452

if (ret == 0){

453

exit(EXIT_SUCCESS);

454

} else {

455

exit(EXIT_FAILURE);

456

}

457

}

458

}

459

avahi_s_service_resolver_free(r);

460

}

461

462

static void browse_callback(

463

AvahiSServiceBrowser *b,

464

AvahiIfIndex interface,

465

AvahiProtocol protocol,

466

AvahiBrowserEvent event,

467

const char *name,

468

const char *type,

469

const char *domain,

470

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

471

void* userdata) {

472

473

AvahiServer *s = userdata;

474

assert(b);

475

476

/* Called whenever a new services becomes available on the LAN or is removed from the LAN */

477

478

switch (event) {

479

480

case AVAHI_BROWSER_FAILURE:

481

482

fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));

483

avahi_simple_poll_quit(simple_poll);

484

return;

485

486

case AVAHI_BROWSER_NEW:

487

/* We ignore the returned resolver object. In the callback

488

function we free it. If the server is terminated before

489

the callback function is called the server will free

490

the resolver for us. */

491

492

if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))

493

fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));

494

495

break;

496

497

case AVAHI_BROWSER_REMOVE:

498

break;

499

500

case AVAHI_BROWSER_ALL_FOR_NOW:

501

case AVAHI_BROWSER_CACHE_EXHAUSTED:

502

break;

503

}

504

}

505

506

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

507

AvahiServerConfig config;

611

static void resolve_callback(AvahiSServiceResolver *r,

612

AvahiIfIndex interface,

613

AVAHI_GCC_UNUSED AvahiProtocol protocol,

614

AvahiResolverEvent event,

615

const char *name,

616

const char *type,

617

const char *domain,

618

const char *host_name,

619

const AvahiAddress *address,

620

uint16_t port,

621

AVAHI_GCC_UNUSED AvahiStringList *txt,

622

AVAHI_GCC_UNUSED AvahiLookupResultFlags

623

flags,

624

void* userdata) {

625

mandos_context *mc = userdata;

626

assert(r); /* Spurious warning */

627

628

/* Called whenever a service has been resolved successfully or

629

timed out */

630

631

switch (event) {

632

default:

633

case AVAHI_RESOLVER_FAILURE:

634

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

635

" of type '%s' in domain '%s': %s\n", name, type, domain,

636

avahi_strerror(avahi_server_errno(mc->server)));

637

break;

638

639

case AVAHI_RESOLVER_FOUND:

640

{

641

char ip[AVAHI_ADDRESS_STR_MAX];

642

avahi_address_snprint(ip, sizeof(ip), address);

643

if(debug){

644

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

645

" port %d\n", name, host_name, ip, interface, port);

646

}

647

int ret = start_mandos_communication(ip, port, interface, mc);

648

if (ret == 0){

649

exit(EXIT_SUCCESS);

650

}

651

}

652

}

653

avahi_s_service_resolver_free(r);

654

}

655

656

static void browse_callback( AvahiSServiceBrowser *b,

657

AvahiIfIndex interface,

658

AvahiProtocol protocol,

659

AvahiBrowserEvent event,

660

const char *name,

661

const char *type,

662

const char *domain,

663

AVAHI_GCC_UNUSED AvahiLookupResultFlags

664

flags,

665

void* userdata) {

666

mandos_context *mc = userdata;

667

assert(b); /* Spurious warning */

668

669

/* Called whenever a new services becomes available on the LAN or

670

is removed from the LAN */

671

672

switch (event) {

673

default:

674

case AVAHI_BROWSER_FAILURE:

675

676

fprintf(stderr, "(Avahi browser) %s\n",

677

avahi_strerror(avahi_server_errno(mc->server)));

678

avahi_simple_poll_quit(mc->simple_poll);

679

return;

680

681

case AVAHI_BROWSER_NEW:

682

/* We ignore the returned Avahi resolver object. In the callback

683

function we free it. If the Avahi server is terminated before

684

the callback function is called the Avahi server will free the

685

resolver for us. */

686

687

if (!(avahi_s_service_resolver_new(mc->server, interface,

688

protocol, name, type, domain,

689

AVAHI_PROTO_INET6, 0,

690

resolve_callback, mc)))

691

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

692

name, avahi_strerror(avahi_server_errno(mc->server)));

693

break;

694

695

case AVAHI_BROWSER_REMOVE:

696

break;

697

698

case AVAHI_BROWSER_ALL_FOR_NOW:

699

case AVAHI_BROWSER_CACHE_EXHAUSTED:

700

if(debug){

701

fprintf(stderr, "No Mandos server found, still searching...\n");

702

}

703

break;

704

}

705

}

706

707

/* Combines file name and path and returns the malloced new

708

string. some sane checks could/should be added */

709

static const char *combinepath(const char *first, const char *second){

710

size_t f_len = strlen(first);

711

size_t s_len = strlen(second);

712

char *tmp = malloc(f_len + s_len + 2);

713

if (tmp == NULL){

714

return NULL;

715

}

716

if(f_len > 0){

717

memcpy(tmp, first, f_len); /* Spurious warning */

718

}

719

tmp[f_len] = '/';

720

if(s_len > 0){

721

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

722

}

723

tmp[f_len + 1 + s_len] = '\0';

724

return tmp;

725

}

726

727

728

int main(int argc, char *argv[]){

508

729

AvahiSServiceBrowser *sb = NULL;

509

730

int error;

510

int ret = 1;

511

512

avahi_set_log_function(empty_log);

513

514

/* Initialize the psuedo-RNG */

515

srand(time(NULL));

516

517

/* Allocate main loop object */

518

if (!(simple_poll = avahi_simple_poll_new())) {

519

fprintf(stderr, "Failed to create simple poll object.\n");

520

goto fail;

521

}

522

523

/* Do not publish any local records */

524

avahi_server_config_init(&config);

525

config.publish_hinfo = 0;

526

config.publish_addresses = 0;

527

config.publish_workstation = 0;

528

config.publish_domain = 0;

529

530

/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */

531

/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */

532

/* config.n_wide_area_servers = 1; */

533

/* config.enable_wide_area = 1; */

534

535

/* Allocate a new server */

536

server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

537

538

/* Free the configuration data */

539

avahi_server_config_free(&config);

540

541

/* Check wether creating the server object succeeded */

542

if (!server) {

543

fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));

544

goto fail;

545

}

546

547

/* Create the service browser */

548

if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {

549

fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));

550

goto fail;

731

int ret;

732

int exitcode = EXIT_SUCCESS;

733

const char *interface = "eth0";

734

struct ifreq network;

735

int sd;

736

uid_t uid;

737

gid_t gid;

738

char *connect_to = NULL;

739

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

740

const char *pubkeyfile = "pubkey.txt";

741

const char *seckeyfile = "seckey.txt";

742

mandos_context mc = { .simple_poll = NULL, .server = NULL,

743

.dh_bits = 1024, .priority = "SECURE256"};

744

745

{

746

struct argp_option options[] = {

747

{ .name = "debug", .key = 128,

748

.doc = "Debug mode", .group = 3 },

749

{ .name = "connect", .key = 'c',

750

.arg = "IP",

751

.doc = "Connect directly to a sepcified mandos server",

752

.group = 1 },

753

{ .name = "interface", .key = 'i',

754

.arg = "INTERFACE",

755

.doc = "Interface that Avahi will conntect through",

756

.group = 1 },

757

{ .name = "keydir", .key = 'd',

758

.arg = "KEYDIR",

759

.doc = "Directory where the openpgp keyring is",

760

.group = 1 },

761

{ .name = "seckey", .key = 's',

762

.arg = "SECKEY",

763

.doc = "Secret openpgp key for gnutls authentication",

764

.group = 1 },

765

{ .name = "pubkey", .key = 'p',

766

.arg = "PUBKEY",

767

.doc = "Public openpgp key for gnutls authentication",

768

.group = 2 },

769

{ .name = "dh-bits", .key = 129,

770

.arg = "BITS",

771

.doc = "dh-bits to use in gnutls communication",

772

.group = 2 },

773

{ .name = "priority", .key = 130,

774

.arg = "PRIORITY",

775

.doc = "GNUTLS priority", .group = 1 },

776

{ .name = NULL }

777

};

778

779

780

error_t parse_opt (int key, char *arg,

781

struct argp_state *state) {

782

/* Get the INPUT argument from `argp_parse', which we know is

783

a pointer to our plugin list pointer. */

784

switch (key) {

785

case 128:

786

debug = true;

787

break;

788

case 'c':

789

connect_to = arg;

790

break;

791

case 'i':

792

interface = arg;

793

break;

794

case 'd':

795

keydir = arg;

796

break;

797

case 's':

798

seckeyfile = arg;

799

break;

800

case 'p':

801

pubkeyfile = arg;

802

break;

803

case 129:

804

errno = 0;

805

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

806

if (errno){

807

perror("strtol");

808

exit(EXIT_FAILURE);

809

}

810

break;

811

case 130:

812

mc.priority = arg;

813

break;

814

case ARGP_KEY_ARG:

815

argp_usage (state);

816

break;

817

case ARGP_KEY_END:

818

break;

819

default:

820

return ARGP_ERR_UNKNOWN;

821

}

822

return 0;

823

}

824

825

struct argp argp = { .options = options, .parser = parse_opt,

826

.args_doc = "",

827

.doc = "Mandos client -- Get and decrypt"

828

" passwords from mandos server" };

829

argp_parse (&argp, argc, argv, 0, 0, NULL);

830

}

831

832

pubkeyfile = combinepath(keydir, pubkeyfile);

833

if (pubkeyfile == NULL){

834

perror("combinepath");

835

exitcode = EXIT_FAILURE;

836

goto end;

837

}

838

839

seckeyfile = combinepath(keydir, seckeyfile);

840

if (seckeyfile == NULL){

841

perror("combinepath");

842

goto end;

843

}

844

845

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

846

if (ret == -1){

847

fprintf(stderr, "init_gnutls_global\n");

848

goto end;

849

}

850

851

uid = getuid();

852

gid = getgid();

853

854

ret = setuid(uid);

855

if (ret == -1){

856

perror("setuid");

857

}

858

859

setgid(gid);

860

if (ret == -1){

861

perror("setgid");

862

}

863

864

if_index = (AvahiIfIndex) if_nametoindex(interface);

865

if(if_index == 0){

866

fprintf(stderr, "No such interface: \"%s\"\n", interface);

867

exit(EXIT_FAILURE);

868

}

869

870

if(connect_to != NULL){

871

/* Connect directly, do not use Zeroconf */

872

/* (Mainly meant for debugging) */

873

char *address = strrchr(connect_to, ':');

874

if(address == NULL){

875

fprintf(stderr, "No colon in address\n");

876

exitcode = EXIT_FAILURE;

877

goto end;

878

}

879

errno = 0;

880

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

881

if(errno){

882

perror("Bad port number");

883

exitcode = EXIT_FAILURE;

884

goto end;

885

}

886

*address = '\0';

887

address = connect_to;

888

ret = start_mandos_communication(address, port, if_index, &mc);

889

if(ret < 0){

890

exitcode = EXIT_FAILURE;

891

} else {

892

exitcode = EXIT_SUCCESS;

893

}

894

goto end;

895

}

896

897

/* If the interface is down, bring it up */

898

{

899

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

900

if(sd < 0) {

901

perror("socket");

902

exitcode = EXIT_FAILURE;

903

goto end;

904

}

905

strcpy(network.ifr_name, interface); /* Spurious warning */

906

ret = ioctl(sd, SIOCGIFFLAGS, &network);

907

if(ret == -1){

908

perror("ioctl SIOCGIFFLAGS");

909

exitcode = EXIT_FAILURE;

910

goto end;

911

}

912

if((network.ifr_flags & IFF_UP) == 0){

913

network.ifr_flags |= IFF_UP;

914

ret = ioctl(sd, SIOCSIFFLAGS, &network);

915

if(ret == -1){

916

perror("ioctl SIOCSIFFLAGS");

917

exitcode = EXIT_FAILURE;

918

goto end;

919

}

920

}

921

close(sd);

922

}

923

924

if (not debug){

925

avahi_set_log_function(empty_log);

926

}

927

928

/* Initialize the pseudo-RNG for Avahi */

929

srand((unsigned int) time(NULL));

930

931

/* Allocate main Avahi loop object */

932

mc.simple_poll = avahi_simple_poll_new();

933

if (mc.simple_poll == NULL) {

934

fprintf(stderr, "Avahi: Failed to create simple poll"

935

" object.\n");

936

exitcode = EXIT_FAILURE;

937

goto end;

938

}

939

940

{

941

AvahiServerConfig config;

942

/* Do not publish any local Zeroconf records */

943

avahi_server_config_init(&config);

944

config.publish_hinfo = 0;

945

config.publish_addresses = 0;

946

config.publish_workstation = 0;

947

config.publish_domain = 0;

948

949

/* Allocate a new server */

950

mc.server = avahi_server_new(avahi_simple_poll_get

951

(mc.simple_poll), &config, NULL,

952

NULL, &error);

953

954

/* Free the Avahi configuration data */

955

avahi_server_config_free(&config);

956

}

957

958

/* Check if creating the Avahi server object succeeded */

959

if (mc.server == NULL) {

960

fprintf(stderr, "Failed to create Avahi server: %s\n",

961

avahi_strerror(error));

962

exitcode = EXIT_FAILURE;

963

goto end;

964

}

965

966

/* Create the Avahi service browser */

967

sb = avahi_s_service_browser_new(mc.server, if_index,

968

AVAHI_PROTO_INET6,

969

"_mandos._tcp", NULL, 0,

970

browse_callback, &mc);

971

if (sb == NULL) {

972

fprintf(stderr, "Failed to create service browser: %s\n",

973

avahi_strerror(avahi_server_errno(mc.server)));

974

exitcode = EXIT_FAILURE;

975

goto end;

551

976

}

552

977

553

978

/* Run the main loop */

554

avahi_simple_poll_loop(simple_poll);

555

556

ret = 0;

557

558

fail:

979

980

if (debug){

981

fprintf(stderr, "Starting Avahi loop search\n");

982

}

983

984

avahi_simple_poll_loop(mc.simple_poll);

985

986

end:

987

988

if (debug){

989

fprintf(stderr, "%s exiting\n", argv[0]);

990

}

559

991

560

992

/* Cleanup things */

561

if (sb)

993

if (sb != NULL)

562

994

avahi_s_service_browser_free(sb);

563

995

564

if (server)

565

avahi_server_free(server);

566

567

if (simple_poll)

568

avahi_simple_poll_free(simple_poll);

569

570

return ret;

996

if (mc.server != NULL)

997

avahi_server_free(mc.server);

998

999

if (mc.simple_poll != NULL)

1000

avahi_simple_poll_free(mc.simple_poll);

1001

free(pubkeyfile);

1002

free(seckeyfile);

1003

1004

return exitcode;

571

1005

}

Older »