To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 51
- compare with another revision
- download diff
- download tarball
- view history from revision 51
- Committer: Teddy Hogeborn
- Date: 2008-08-09 01:39:09 UTC
- Revision ID: teddy@fukt.bsnet.se-20080809013909-n3i3ll1voycmmw7l
* clients.conf: Better comments.
(foo): Commented out and changed into a better example client.
(braxen_client): Removed.
(bar): New commented-out example client.
* mandos: Changed all log messages to be unicode strings.
(Client.fqdn): Renamed to "host". All users and documentation
changed.
(main): Exit immediately if no clients are defined.
* mandos.conf: Better comments.
(foo): Commented out and changed into a better example client.
(braxen_client): Removed.
(bar): New commented-out example client.
* mandos: Changed all log messages to be unicode strings.
(Client.fqdn): Renamed to "host". All users and documentation
changed.
(main): Exit immediately if no clients are defined.
* mandos.conf: Better comments.
- files added:
- mandos-client.xml
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- plugbasedclient.c => mandos-client.c
- server.conf => mandos.conf
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- plugins.d/mandosclient.c => plugins.d/password-request.c
- files modified:
- Makefile
added
removed
plugins.d/password-request.c
39
39
#include <stdlib.h>
40
40
#include <time.h>
41
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
44
46
45
47
#include <avahi-core/core.h>
46
48
#include <avahi-core/lookup.h>
49
51
#include <avahi-common/malloc.h>
50
52
#include <avahi-common/error.h>
51
53
52
//mandos client part
54
/* Mandos client part */
53
55
#include <sys/types.h> /* socket(), inet_pton() */
54
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
57
struct in6_addr, inet_pton() */
62
64
#include <string.h> /* memset */
63
65
#include <arpa/inet.h> /* inet_pton() */
64
66
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
67
72
#include <errno.h> /* perror() */
68
73
#include <gpgme.h>
69
74
70
// getopt long
71
#include <getopt.h>
72
73
75
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
79
76
80
77
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char mandos_protocol_version[] = "1";
80
const char *argp_program_version = "mandosclient 0.9";
81
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
82
83
/* Used for passing in values through the Avahi callback functions */
84
84
typedef struct {
85
85
AvahiSimplePoll *simple_poll;
86
86
AvahiServer *server;
87
87
gnutls_certificate_credentials_t cred;
88
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
89
90
const char *priority;
90
91
} mandos_context;
91
92
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
93
/*
94
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
95
* "buffer_capacity" is how much is currently allocated,
96
* "buffer_length" is how much is already used.
97
*/
98
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
99
size_t buffer_capacity){
94
100
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
101
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
102
if (buffer == NULL){
97
103
return 0;
98
104
}
101
107
return buffer_capacity;
102
108
}
103
109
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
110
/*
111
* Decrypt OpenPGP data using keyrings in HOMEDIR.
112
* Returns -1 on error
113
*/
114
static ssize_t pgp_packet_decrypt (const char *cryptotext,
115
size_t crypto_size,
116
char **plaintext,
106
117
const char *homedir){
107
118
gpgme_data_t dh_crypto, dh_plain;
108
119
gpgme_ctx_t ctx;
109
120
gpgme_error_t rc;
110
121
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
122
size_t plaintext_capacity = 0;
123
ssize_t plaintext_length = 0;
113
124
gpgme_engine_info_t engine_info;
114
125
115
126
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
127
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
117
128
}
118
129
119
130
/* Init GPGME */
125
136
return -1;
126
137
}
127
138
128
/* Set GPGME home directory */
139
/* Set GPGME home directory for the OpenPGP engine only */
129
140
rc = gpgme_get_engine_info (&engine_info);
130
141
if (rc != GPG_ERR_NO_ERROR){
131
142
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
152
engine_info = engine_info->next;
142
153
}
143
154
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
155
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
145
156
return -1;
146
157
}
147
158
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
159
/* Create new GPGME data buffer from memory cryptotext */
160
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
161
0);
150
162
if (rc != GPG_ERR_NO_ERROR){
151
163
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
164
gpgme_strsource(rc), gpgme_strerror(rc));
158
170
if (rc != GPG_ERR_NO_ERROR){
159
171
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
gpgme_data_release(dh_crypto);
161
174
return -1;
162
175
}
163
176
166
179
if (rc != GPG_ERR_NO_ERROR){
167
180
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
181
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
182
plaintext_length = -1;
183
goto decrypt_end;
170
184
}
171
185
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
186
/* Decrypt data from the cryptotext data buffer to the plaintext
187
data buffer */
174
188
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
189
if (rc != GPG_ERR_NO_ERROR){
176
190
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
191
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
192
plaintext_length = -1;
193
goto decrypt_end;
179
194
}
180
195
181
196
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
197
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
183
198
}
184
199
185
200
if (debug){
186
201
gpgme_decrypt_result_t result;
187
202
result = gpgme_op_decrypt_result(ctx);
211
226
}
212
227
}
213
228
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
217
229
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
230
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
231
perror("pgpme_data_seek");
232
plaintext_length = -1;
233
goto decrypt_end;
220
234
}
221
235
222
*new_packet = 0;
236
*plaintext = NULL;
223
237
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
238
plaintext_capacity = adjustbuffer(plaintext,
239
(size_t)plaintext_length,
240
plaintext_capacity);
241
if (plaintext_capacity == 0){
227
242
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
243
plaintext_length = -1;
244
goto decrypt_end;
231
245
}
232
246
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
247
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
248
BUFFER_SIZE);
235
249
/* Print the data, if any */
236
250
if (ret == 0){
251
/* EOF */
237
252
break;
238
253
}
239
254
if(ret < 0){
240
255
perror("gpgme_data_read");
241
return -1;
256
plaintext_length = -1;
257
goto decrypt_end;
242
258
}
243
new_packet_length += ret;
259
plaintext_length += ret;
244
260
}
245
261
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
262
if(debug){
263
fprintf(stderr, "Decrypted password is: ");
264
for(ssize_t i = 0; i < plaintext_length; i++){
265
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
266
}
267
fprintf(stderr, "\n");
268
}
269
270
decrypt_end:
271
272
/* Delete the GPGME cryptotext data buffer */
273
gpgme_data_release(dh_crypto);
253
274
254
275
/* Delete the GPGME plaintext data buffer */
255
276
gpgme_data_release(dh_plain);
256
return new_packet_length;
277
return plaintext_length;
257
278
}
258
279
259
280
static const char * safer_gnutls_strerror (int value) {
263
284
return ret;
264
285
}
265
286
287
/* GnuTLS log function callback */
266
288
static void debuggnutls(__attribute__((unused)) int level,
267
289
const char* string){
268
fprintf(stderr, "%s", string);
290
fprintf(stderr, "GnuTLS: %s", string);
269
291
}
270
292
271
static int initgnutls(mandos_context *mc){
272
const char *err;
293
static int init_gnutls_global(mandos_context *mc,
294
const char *pubkeyfile,
295
const char *seckeyfile){
273
296
int ret;
274
297
275
298
if(debug){
278
301
279
302
if ((ret = gnutls_global_init ())
280
303
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
304
fprintf (stderr, "GnuTLS global_init: %s\n",
305
safer_gnutls_strerror(ret));
282
306
return -1;
283
307
}
284
308
285
309
if (debug){
310
/* "Use a log level over 10 to enable all debugging options."
311
* - GnuTLS manual
312
*/
286
313
gnutls_global_set_log_level(11);
287
314
gnutls_global_set_log_function(debuggnutls);
288
315
}
289
316
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
317
/* OpenPGP credentials */
318
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
292
319
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
320
fprintf (stderr, "GnuTLS memory error: %s\n",
294
321
safer_gnutls_strerror(ret));
322
gnutls_global_deinit ();
295
323
return -1;
296
324
}
297
325
298
326
if(debug){
299
327
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
328
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
329
seckeyfile);
302
330
}
303
331
304
332
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
333
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
306
334
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
335
fprintf(stderr,
336
"Error[%d] while reading the OpenPGP key pair ('%s',"
337
" '%s')\n", ret, pubkeyfile, seckeyfile);
338
fprintf(stdout, "The GnuTLS error is: %s\n",
312
339
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
340
goto globalfail;
341
}
342
343
/* GnuTLS server initialization */
344
ret = gnutls_dh_params_init(&mc->dh_params);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
347
" %s\n", safer_gnutls_strerror(ret));
348
goto globalfail;
349
}
350
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
351
if (ret != GNUTLS_E_SUCCESS) {
352
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
353
safer_gnutls_strerror(ret));
354
goto globalfail;
355
}
356
357
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
358
359
return 0;
360
361
globalfail:
362
363
gnutls_certificate_free_credentials (mc->cred);
364
gnutls_global_deinit ();
365
return -1;
366
367
}
368
369
static int init_gnutls_session(mandos_context *mc,
370
gnutls_session_t *session){
371
int ret;
372
/* GnuTLS session creation */
373
ret = gnutls_init(session, GNUTLS_SERVER);
374
if (ret != GNUTLS_E_SUCCESS){
336
375
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
376
safer_gnutls_strerror(ret));
338
377
}
339
378
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
379
{
380
const char *err;
381
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
382
if (ret != GNUTLS_E_SUCCESS) {
383
fprintf(stderr, "Syntax error at: %s\n", err);
384
fprintf(stderr, "GnuTLS error: %s\n",
385
safer_gnutls_strerror(ret));
386
gnutls_deinit (*session);
387
return -1;
388
}
346
389
}
347
390
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
391
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
392
mc->cred);
393
if (ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
395
safer_gnutls_strerror(ret));
396
gnutls_deinit (*session);
353
397
return -1;
354
398
}
355
399
356
400
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
401
gnutls_certificate_server_set_request (*session,
358
402
GNUTLS_CERT_IGNORE);
359
403
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
404
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
405
362
406
return 0;
363
407
}
364
408
409
/* Avahi log function callback */
365
410
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
411
__attribute__((unused)) const char *txt){}
367
412
413
/* Called when a Mandos server is found */
368
414
static int start_mandos_communication(const char *ip, uint16_t port,
369
415
AvahiIfIndex if_index,
370
416
mandos_context *mc){
371
417
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
418
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
419
char *buffer = NULL;
375
420
char *decrypted_buffer;
376
421
size_t buffer_length = 0;
379
424
size_t written;
380
425
int retval = 0;
381
426
char interface[IF_NAMESIZE];
427
gnutls_session_t session;
428
429
ret = init_gnutls_session (mc, &session);
430
if (ret != 0){
431
return -1;
432
}
382
433
383
434
if(debug){
384
435
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
393
444
394
445
if(debug){
395
446
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
447
perror("if_indextoname");
399
448
return -1;
400
449
}
401
402
450
fprintf(stderr, "Binding to interface %s\n", interface);
403
451
}
404
452
405
453
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
454
to.in6.sin6_family = AF_INET6;
455
/* It would be nice to have a way to detect if we were passed an
456
IPv4 address here. Now we assume an IPv6 address. */
457
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
458
if (ret < 0 ){
409
459
perror("inet_pton");
410
460
return -1;
411
}
461
}
412
462
if(ret == 0){
413
463
fprintf(stderr, "Bad address: %s\n", ip);
414
464
return -1;
415
465
}
416
to.sin6_port = htons(port); /* Spurious warning */
466
to.in6.sin6_port = htons(port); /* Spurious warning */
417
467
418
to.sin6_scope_id = (uint32_t)if_index;
468
to.in6.sin6_scope_id = (uint32_t)if_index;
419
469
420
470
if(debug){
421
471
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
472
char addrstr[INET6_ADDRSTRLEN] = "";
473
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
474
sizeof(addrstr)) == NULL){
475
perror("inet_ntop");
476
} else {
477
if(strcmp(addrstr, ip) != 0){
478
fprintf(stderr, "Canonical address form: %s\n", addrstr);
479
}
480
}
430
481
}
431
482
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
483
ret = connect(tcp_sd, &to.in, sizeof(to));
433
484
if (ret < 0){
434
485
perror("connect");
435
486
return -1;
436
487
}
437
488
438
char *out = mandos_protocol_version;
489
const char *out = mandos_protocol_version;
439
490
written = 0;
440
491
while (true){
441
492
size_t out_size = strlen(out);
444
495
if (ret == -1){
445
496
perror("write");
446
497
retval = -1;
447
goto end;
498
goto mandos_end;
448
499
}
449
written += ret;
500
written += (size_t)ret;
450
501
if(written < out_size){
451
502
continue;
452
503
} else {
459
510
}
460
511
}
461
512
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
471
513
if(debug){
472
514
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
515
}
474
516
475
ret = gnutls_handshake (es.session);
517
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
518
519
ret = gnutls_handshake (session);
476
520
477
521
if (ret != GNUTLS_E_SUCCESS){
478
522
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
523
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
524
gnutls_perror (ret);
481
525
}
482
526
retval = -1;
483
goto exit;
527
goto mandos_end;
484
528
}
485
529
486
//Retrieve OpenPGP packet that contains the wanted password
530
/* Read OpenPGP packet that contains the wanted password */
487
531
488
532
if(debug){
489
533
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
491
535
}
492
536
493
537
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
538
buffer_capacity = adjustbuffer(&buffer, buffer_length,
539
buffer_capacity);
495
540
if (buffer_capacity == 0){
496
541
perror("adjustbuffer");
497
542
retval = -1;
498
goto exit;
543
goto mandos_end;
499
544
}
500
545
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
546
ret = gnutls_record_recv(session, buffer+buffer_length,
547
BUFFER_SIZE);
503
548
if (ret == 0){
504
549
break;
505
550
}
509
554
case GNUTLS_E_AGAIN:
510
555
break;
511
556
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
557
ret = gnutls_handshake (session);
513
558
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
559
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
560
gnutls_perror (ret);
516
561
retval = -1;
517
goto exit;
562
goto mandos_end;
518
563
}
519
564
break;
520
565
default:
521
566
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
567
" encrypted session with Mandos server\n");
523
568
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
569
gnutls_bye (session, GNUTLS_SHUT_RDWR);
570
goto mandos_end;
526
571
}
527
572
} else {
528
573
buffer_length += (size_t) ret;
529
574
}
530
575
}
531
576
577
if(debug){
578
fprintf(stderr, "Closing TLS session\n");
579
}
580
581
gnutls_bye (session, GNUTLS_SHUT_RDWR);
582
532
583
if (buffer_length > 0){
533
584
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
585
buffer_length,
535
586
&decrypted_buffer,
536
certdir);
587
keydir);
537
588
if (decrypted_buffer_size >= 0){
538
589
written = 0;
539
590
while(written < (size_t) decrypted_buffer_size){
555
606
retval = -1;
556
607
}
557
608
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
609
610
/* Shutdown procedure */
611
612
mandos_end:
565
613
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
614
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
615
gnutls_deinit (session);
572
616
return retval;
573
617
}
574
618
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
619
static void resolve_callback(AvahiSServiceResolver *r,
620
AvahiIfIndex interface,
621
AVAHI_GCC_UNUSED AvahiProtocol protocol,
622
AvahiResolverEvent event,
623
const char *name,
624
const char *type,
625
const char *domain,
626
const char *host_name,
627
const AvahiAddress *address,
628
uint16_t port,
629
AVAHI_GCC_UNUSED AvahiStringList *txt,
630
AVAHI_GCC_UNUSED AvahiLookupResultFlags
631
flags,
632
void* userdata) {
588
633
mandos_context *mc = userdata;
589
634
assert(r); /* Spurious warning */
590
635
594
639
switch (event) {
595
640
default:
596
641
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
642
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
643
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
644
avahi_strerror(avahi_server_errno(mc->server)));
600
645
break;
601
646
604
649
char ip[AVAHI_ADDRESS_STR_MAX];
605
650
avahi_address_snprint(ip, sizeof(ip), address);
606
651
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
652
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
653
" port %d\n", name, host_name, ip, interface, port);
609
654
}
610
655
int ret = start_mandos_communication(ip, port, interface, mc);
611
656
if (ret == 0){
623
668
const char *name,
624
669
const char *type,
625
670
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
671
AVAHI_GCC_UNUSED AvahiLookupResultFlags
672
flags,
627
673
void* userdata) {
628
674
mandos_context *mc = userdata;
629
675
assert(b); /* Spurious warning */
634
680
switch (event) {
635
681
default:
636
682
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
683
684
fprintf(stderr, "(Avahi browser) %s\n",
639
685
avahi_strerror(avahi_server_errno(mc->server)));
640
686
avahi_simple_poll_quit(mc->simple_poll);
641
687
return;
642
688
643
689
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
690
/* We ignore the returned Avahi resolver object. In the callback
691
function we free it. If the Avahi server is terminated before
692
the callback function is called the Avahi server will free the
693
resolver for us. */
694
695
if (!(avahi_s_service_resolver_new(mc->server, interface,
696
protocol, name, type, domain,
651
697
AVAHI_PROTO_INET6, 0,
652
698
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
699
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
700
name, avahi_strerror(avahi_server_errno(mc->server)));
655
701
break;
656
702
657
703
case AVAHI_BROWSER_REMOVE:
658
704
break;
659
705
660
706
case AVAHI_BROWSER_ALL_FOR_NOW:
661
707
case AVAHI_BROWSER_CACHE_EXHAUSTED:
708
if(debug){
709
fprintf(stderr, "No Mandos server found, still searching...\n");
710
}
662
711
break;
663
712
}
664
713
}
673
722
return NULL;
674
723
}
675
724
if(f_len > 0){
676
memcpy(tmp, first, f_len);
725
memcpy(tmp, first, f_len); /* Spurious warning */
677
726
}
678
727
tmp[f_len] = '/';
679
728
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
729
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
681
730
}
682
731
tmp[f_len + 1 + s_len] = '\0';
683
732
return tmp;
684
733
}
685
734
686
735
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
736
int main(int argc, char *argv[]){
689
737
AvahiSServiceBrowser *sb = NULL;
690
738
int error;
691
739
int ret;
692
int returncode = EXIT_SUCCESS;
740
int exitcode = EXIT_SUCCESS;
693
741
const char *interface = "eth0";
694
742
struct ifreq network;
695
743
int sd;
744
uid_t uid;
745
gid_t gid;
696
746
char *connect_to = NULL;
697
747
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
748
const char *pubkeyfile = "pubkey.txt";
749
const char *seckeyfile = "seckey.txt";
698
750
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
751
.dh_bits = 1024, .priority = "SECURE256"};
752
bool gnutls_initalized = false;
700
753
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
754
{
755
struct argp_option options[] = {
756
{ .name = "debug", .key = 128,
757
.doc = "Debug mode", .group = 3 },
758
{ .name = "connect", .key = 'c',
759
.arg = "IP",
760
.doc = "Connect directly to a sepcified mandos server",
761
.group = 1 },
762
{ .name = "interface", .key = 'i',
763
.arg = "INTERFACE",
764
.doc = "Interface that Avahi will conntect through",
765
.group = 1 },
766
{ .name = "keydir", .key = 'd',
767
.arg = "KEYDIR",
768
.doc = "Directory where the openpgp keyring is",
769
.group = 1 },
770
{ .name = "seckey", .key = 's',
771
.arg = "SECKEY",
772
.doc = "Secret openpgp key for gnutls authentication",
773
.group = 1 },
774
{ .name = "pubkey", .key = 'p',
775
.arg = "PUBKEY",
776
.doc = "Public openpgp key for gnutls authentication",
777
.group = 2 },
778
{ .name = "dh-bits", .key = 129,
779
.arg = "BITS",
780
.doc = "dh-bits to use in gnutls communication",
781
.group = 2 },
782
{ .name = "priority", .key = 130,
783
.arg = "PRIORITY",
784
.doc = "GNUTLS priority", .group = 1 },
785
{ .name = NULL }
786
};
787
788
789
error_t parse_opt (int key, char *arg,
790
struct argp_state *state) {
791
/* Get the INPUT argument from `argp_parse', which we know is
792
a pointer to our plugin list pointer. */
793
switch (key) {
794
case 128:
795
debug = true;
796
break;
797
case 'c':
798
connect_to = arg;
799
break;
800
case 'i':
801
interface = arg;
802
break;
803
case 'd':
804
keydir = arg;
805
break;
806
case 's':
807
seckeyfile = arg;
808
break;
809
case 'p':
810
pubkeyfile = arg;
811
break;
812
case 129:
742
813
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
814
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
815
if (errno){
745
816
perror("strtol");
746
817
exit(EXIT_FAILURE);
747
818
}
748
mc.dh_bits = tmp;
819
break;
820
case 130:
821
mc.priority = arg;
822
break;
823
case ARGP_KEY_ARG:
824
argp_usage (state);
825
break;
826
case ARGP_KEY_END:
827
break;
828
default:
829
return ARGP_ERR_UNKNOWN;
749
830
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
831
return 0;
756
832
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
833
834
struct argp argp = { .options = options, .parser = parse_opt,
835
.args_doc = "",
836
.doc = "Mandos client -- Get and decrypt"
837
" passwords from mandos server" };
838
argp_parse (&argp, argc, argv, 0, 0, NULL);
839
}
840
841
pubkeyfile = combinepath(keydir, pubkeyfile);
842
if (pubkeyfile == NULL){
843
perror("combinepath");
844
exitcode = EXIT_FAILURE;
845
goto end;
846
}
847
848
seckeyfile = combinepath(keydir, seckeyfile);
849
if (seckeyfile == NULL){
850
perror("combinepath");
851
goto end;
852
}
853
854
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
855
if (ret == -1){
856
fprintf(stderr, "init_gnutls_global\n");
857
goto end;
858
} else {
859
gnutls_initalized = true;
860
}
861
862
uid = getuid();
863
gid = getgid();
864
865
ret = setuid(uid);
866
if (ret == -1){
867
perror("setuid");
868
}
869
870
setgid(gid);
871
if (ret == -1){
872
perror("setgid");
771
873
}
772
874
773
875
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
884
char *address = strrchr(connect_to, ':');
783
885
if(address == NULL){
784
886
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
887
exitcode = EXIT_FAILURE;
888
goto end;
786
889
}
787
890
errno = 0;
788
891
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
892
if(errno){
790
893
perror("Bad port number");
791
exit(EXIT_FAILURE);
894
exitcode = EXIT_FAILURE;
895
goto end;
792
896
}
793
897
*address = '\0';
794
898
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
899
ret = start_mandos_communication(address, port, if_index, &mc);
796
900
if(ret < 0){
797
exit(EXIT_FAILURE);
901
exitcode = EXIT_FAILURE;
798
902
} else {
799
exit(EXIT_SUCCESS);
903
exitcode = EXIT_SUCCESS;
800
904
}
905
goto end;
801
906
}
802
907
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
908
/* If the interface is down, bring it up */
909
{
910
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
911
if(sd < 0) {
912
perror("socket");
913
exitcode = EXIT_FAILURE;
914
goto end;
915
}
916
strcpy(network.ifr_name, interface); /* Spurious warning */
917
ret = ioctl(sd, SIOCGIFFLAGS, &network);
820
918
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
919
perror("ioctl SIOCGIFFLAGS");
920
exitcode = EXIT_FAILURE;
921
goto end;
922
}
923
if((network.ifr_flags & IFF_UP) == 0){
924
network.ifr_flags |= IFF_UP;
925
ret = ioctl(sd, SIOCSIFFLAGS, &network);
926
if(ret == -1){
927
perror("ioctl SIOCSIFFLAGS");
928
exitcode = EXIT_FAILURE;
929
goto end;
930
}
931
}
932
close(sd);
825
933
}
826
close(sd);
827
934
828
935
if (not debug){
829
936
avahi_set_log_function(empty_log);
830
937
}
831
938
832
/* Initialize the psuedo-RNG */
939
/* Initialize the pseudo-RNG for Avahi */
833
940
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
941
942
/* Allocate main Avahi loop object */
943
mc.simple_poll = avahi_simple_poll_new();
944
if (mc.simple_poll == NULL) {
945
fprintf(stderr, "Avahi: Failed to create simple poll"
946
" object.\n");
947
exitcode = EXIT_FAILURE;
948
goto end;
949
}
950
951
{
952
AvahiServerConfig config;
953
/* Do not publish any local Zeroconf records */
954
avahi_server_config_init(&config);
955
config.publish_hinfo = 0;
956
config.publish_addresses = 0;
957
config.publish_workstation = 0;
958
config.publish_domain = 0;
959
960
/* Allocate a new server */
961
mc.server = avahi_server_new(avahi_simple_poll_get
962
(mc.simple_poll), &config, NULL,
963
NULL, &error);
964
965
/* Free the Avahi configuration data */
966
avahi_server_config_free(&config);
967
}
968
969
/* Check if creating the Avahi server object succeeded */
970
if (mc.server == NULL) {
971
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
972
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
973
exitcode = EXIT_FAILURE;
974
goto end;
862
975
}
863
976
864
/* Create the service browser */
977
/* Create the Avahi service browser */
865
978
sb = avahi_s_service_browser_new(mc.server, if_index,
866
979
AVAHI_PROTO_INET6,
867
980
"_mandos._tcp", NULL, 0,
868
981
browse_callback, &mc);
869
if (!sb) {
982
if (sb == NULL) {
870
983
fprintf(stderr, "Failed to create service browser: %s\n",
871
984
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
985
exitcode = EXIT_FAILURE;
986
goto end;
874
987
}
875
988
876
989
/* Run the main loop */
877
990
878
991
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
992
fprintf(stderr, "Starting Avahi loop search\n");
880
993
}
881
994
882
avahi_simple_poll_loop(simple_poll);
995
avahi_simple_poll_loop(mc.simple_poll);
883
996
884
exit:
997
end:
885
998
886
999
if (debug){
887
1000
fprintf(stderr, "%s exiting\n", argv[0]);
888
1001
}
889
1002
890
1003
/* Cleanup things */
891
if (sb)
1004
if (sb != NULL)
892
1005
avahi_s_service_browser_free(sb);
893
1006
894
if (mc.server)
1007
if (mc.server != NULL)
895
1008
avahi_server_free(mc.server);
896
1009
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1010
if (mc.simple_poll != NULL)
1011
avahi_simple_poll_free(mc.simple_poll);
1012
free(pubkeyfile);
1013
free(seckeyfile);
1014
1015
if (gnutls_initalized){
1016
gnutls_certificate_free_credentials (mc.cred);
1017
gnutls_global_deinit ();
1018
}
901
1019
902
return returncode;
1020
return exitcode;
903
1021
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0