/mandos/trunk : revision 53

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h>

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout, ferror() */

38

#include <stdint.h> /* uint16_t, uint32_t */

39

#include <stddef.h> /* NULL, size_t, ssize_t */

40

#include <stdlib.h> /* free() */

41

#include <stdbool.h> /* bool, true */

42

#include <string.h> /* memset(), strcmp(), strlen, strerror() */

43

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

44

SIOCSIFFLAGS */

45

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

46

sockaddr_in6, PF_INET6, SOCK_STREAM, INET6_ADDRSTRLEN */

47

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

48

struct in6_addr, inet_pton(),

49

connect() */

38

50

#include <assert.h>

39

#include <stdlib.h>

51

#include <errno.h> /* perror() */

40

52

#include <time.h>

41

#include <net/if.h> /* if_nametoindex */

42

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

43

SIOCSIFFLAGS */

44

53

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

45

SIOCSIFFLAGS */

54

SIOCSIFFLAGS, if_indextoname(),

55

if_nametoindex(), IF_NAMESIZE */

56

#include <unistd.h> /* close(), SEEK_SET, off_t, write()*/

57

#include <netinet/in.h>

58

#include <arpa/inet.h> /* inet_pton(), htons */

59

#include <iso646.h> /* not */

60

#include <argp.h> /* struct argp_option,

61

struct argp_state, struct argp,

62

argp_parse() */

46

63

47

#include <avahi-core/core.h>

64

/* Avahi */

65

#include <avahi-core/core.h> /* AvahiSimplePoll, AvahiServer,

66

AvahiIfIndex */

48

67

#include <avahi-core/lookup.h>

49

#include <avahi-core/log.h>

68

#include <avahi-core/log.h> /* AvahiLogLevel */

50

69

#include <avahi-common/simple-watch.h>

51

70

#include <avahi-common/malloc.h>

52

71

#include <avahi-common/error.h>

53

72

54

/* Mandos client part */

55

#include <sys/types.h> /* socket(), inet_pton() */

56

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

57

struct in6_addr, inet_pton() */

58

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

59

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

60

61

#include <unistd.h> /* close() */

62

#include <netinet/in.h>

63

#include <stdbool.h> /* true */

64

#include <string.h> /* memset */

65

#include <arpa/inet.h> /* inet_pton() */

66

#include <iso646.h> /* not */

67

#include <net/if.h> /* IF_NAMESIZE */

73

/* GnuTLS */

74

#include <gnutls/gnutls.h> /* gnutls_certificate_credentials_t,

75

gnutls_dh_params_t,

76

gnutls_strerror(),

77

gnutls_global_init(),

78

gnutls_global_set_log_level(),

79

gnutls_global_set_log_function(),

80

gnutls_certificate_allocate_credentials(),

81

gnutls_global_deinit(),

82

gnutls_dh_params_init(),

83

gnutls_dh_params_generate(),

84

gnutls_certificate_set_dh_params(),

85

gnutls_certificate_free_credentials(),

86

gnutls_session_t, gnutls_init(),

87

gnutls_priority_set_direct(),

88

gnutls_deinit(),

89

gnutls_credentials_set(),

90

gnutls_certificate_server_set_request(),

91

gnutls_dh_set_prime_bits(),

92

gnutls_transport_set_ptr(),

93

gnutls_transport_ptr_t,

94

gnutls_handshake(),

95

gnutls_record_recv()

96

gnutls_perror(), gnutls_bye(),

97

init_gnutls_session(),

98

GNUTLS_E_SUCCESS,

99

GNUTLS_CRD_CERTIFICATE,

100

GNUTLS_CERT_IGNORE,

101

GNUTLS_E_INTERRUPTED,

102

GNUTLS_E_AGAIN,

103

GNUTLS_E_REHANDSHAKE,

104

GNUTLS_SHUT_RDWR, */

105

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

106

GNUTLS_OPENPGP_FMT_BASE64 */

68

107

69

108

/* GPGME */

70

#include <errno.h> /* perror() */

71

#include <gpgme.h>

72

73

/* getopt_long */

74

#include <getopt.h>

109

#include <gpgme.h> /* gpgme_data_t, gpgme_ctx_t,

110

gpgme_error_t, gpgme_engine_info_t,

111

gpgme_check_version(),

112

gpgme_engine_check_version(),

113

gpgme_strsource(),

114

gpgme_strerror(),

115

gpgme_get_engine_info(),

116

gpgme_set_engine_info(),

117

gpgme_data_new_from_mem(),

118

gpgme_data_new(), gpgme_new(),

119

gpgme_op_decrypt(),

120

gpgme_decrypt_result_t,

121

gpgme_op_decrypt_result(),

122

gpgme_recipient_t,

123

gpgme_pubkey_algo_name(),

124

gpgme_data_seek(),

125

gpgme_data_read(),

126

gpgme_data_release()

127

GPGME_PROTOCOL_OpenPGP,

128

GPG_ERR_NO_ERROR,

129

GPG_ERR_NO_SECKEY, */

75

130

76

131

#define BUFFER_SIZE 256

77

132

133

bool debug = false;

78

134

static const char *keydir = "/conf/conf.d/mandos";

79

static const char *pubkeyfile = "pubkey.txt";

80

static const char *seckeyfile = "seckey.txt";

81

82

bool debug = false;

83

84

const char mandos_protocol_version[] = "1";

85

86

/* Used for passing in values through all the callback functions */

135

static const char mandos_protocol_version[] = "1";

136

const char *argp_program_version = "mandosclient 0.9";

137

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

138

139

/* Used for passing in values through the Avahi callback functions */

87

140

typedef struct {

88

141

AvahiSimplePoll *simple_poll;

89

142

AvahiServer *server;

93

146

const char *priority;

94

147

} mandos_context;

95

148

149

/*

150

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

151

* "buffer_capacity" is how much is currently allocated,

152

* "buffer_length" is how much is already used.

153

*/

96

154

size_t adjustbuffer(char **buffer, size_t buffer_length,

97

155

size_t buffer_capacity){

98

156

if (buffer_length + BUFFER_SIZE > buffer_capacity){

233

291

234

292

*plaintext = NULL;

235

293

while(true){

236

plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,

294

plaintext_capacity = adjustbuffer(plaintext,

295

(size_t)plaintext_length,

237

296

plaintext_capacity);

238

297

if (plaintext_capacity == 0){

239

298

perror("adjustbuffer");

287

346

fprintf(stderr, "GnuTLS: %s", string);

288

347

}

289

348

290

static int init_gnutls_global(mandos_context *mc){

349

static int init_gnutls_global(mandos_context *mc,

350

const char *pubkeyfile,

351

const char *seckeyfile){

291

352

int ret;

292

353

293

354

if(debug){

314

375

!= GNUTLS_E_SUCCESS) {

315

376

fprintf (stderr, "GnuTLS memory error: %s\n",

316

377

safer_gnutls_strerror(ret));

378

gnutls_global_deinit ();

317

379

return -1;

318

380

}

319

381

331

393

" '%s')\n", ret, pubkeyfile, seckeyfile);

332

394

fprintf(stdout, "The GnuTLS error is: %s\n",

333

395

safer_gnutls_strerror(ret));

334

return -1;

396

goto globalfail;

335

397

}

336

398

337

399

/* GnuTLS server initialization */

339

401

if (ret != GNUTLS_E_SUCCESS) {

340

402

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

341

403

" %s\n", safer_gnutls_strerror(ret));

342

return -1;

404

goto globalfail;

343

405

}

344

406

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

345

407

if (ret != GNUTLS_E_SUCCESS) {

346

408

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

347

409

safer_gnutls_strerror(ret));

348

return -1;

410

goto globalfail;

349

411

}

350

412

351

413

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

352

414

353

415

return 0;

416

417

globalfail:

418

419

gnutls_certificate_free_credentials(mc->cred);

420

gnutls_global_deinit();

421

return -1;

422

354

423

}

355

424

356

static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){

425

static int init_gnutls_session(mandos_context *mc,

426

gnutls_session_t *session){

357

427

int ret;

358

428

/* GnuTLS session creation */

359

429

ret = gnutls_init(session, GNUTLS_SERVER);

369

439

fprintf(stderr, "Syntax error at: %s\n", err);

370

440

fprintf(stderr, "GnuTLS error: %s\n",

371

441

safer_gnutls_strerror(ret));

442

gnutls_deinit (*session);

372

443

return -1;

373

444

}

374

445

}

378

449

if (ret != GNUTLS_E_SUCCESS) {

379

450

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

380

451

safer_gnutls_strerror(ret));

452

gnutls_deinit (*session);

381

453

return -1;

382

454

}

383

455

399

471

AvahiIfIndex if_index,

400

472

mandos_context *mc){

401

473

int ret, tcp_sd;

402

struct sockaddr_in6 to;

474

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

403

475

char *buffer = NULL;

404

476

char *decrypted_buffer;

405

477

size_t buffer_length = 0;

409

481

int retval = 0;

410

482

char interface[IF_NAMESIZE];

411

483

gnutls_session_t session;

412

gnutls_dh_params_t dh_params;

413

484

414

485

ret = init_gnutls_session (mc, &session);

415

486

if (ret != 0){

436

507

}

437

508

438

509

memset(&to,0,sizeof(to)); /* Spurious warning */

439

to.sin6_family = AF_INET6;

510

to.in6.sin6_family = AF_INET6;

440

511

/* It would be nice to have a way to detect if we were passed an

441

512

IPv4 address here. Now we assume an IPv6 address. */

442

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

513

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

443

514

if (ret < 0 ){

444

515

perror("inet_pton");

445

516

return -1;

448

519

fprintf(stderr, "Bad address: %s\n", ip);

449

520

return -1;

450

521

}

451

to.sin6_port = htons(port); /* Spurious warning */

522

to.in6.sin6_port = htons(port); /* Spurious warning */

452

523

453

to.sin6_scope_id = (uint32_t)if_index;

524

to.in6.sin6_scope_id = (uint32_t)if_index;

454

525

455

526

if(debug){

456

527

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

457

528

char addrstr[INET6_ADDRSTRLEN] = "";

458

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

529

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

459

530

sizeof(addrstr)) == NULL){

460

531

perror("inet_ntop");

461

532

} else {

465

536

}

466

537

}

467

538

468

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

539

ret = connect(tcp_sd, &to.in, sizeof(to));

469

540

if (ret < 0){

470

541

perror("connect");

471

542

return -1;

520

591

}

521

592

522

593

while(true){

523

buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);

594

buffer_capacity = adjustbuffer(&buffer, buffer_length,

595

buffer_capacity);

524

596

if (buffer_capacity == 0){

525

597

perror("adjustbuffer");

526

598

retval = -1;

597

669

free(buffer);

598

670

close(tcp_sd);

599

671

gnutls_deinit (session);

600

gnutls_certificate_free_credentials (mc->cred);

601

gnutls_global_deinit ();

602

672

return retval;

603

673

}

604

674

731

801

gid_t gid;

732

802

char *connect_to = NULL;

733

803

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

804

const char *pubkeyfile = "pubkey.txt";

805

const char *seckeyfile = "seckey.txt";

734

806

mandos_context mc = { .simple_poll = NULL, .server = NULL,

735

807

.dh_bits = 1024, .priority = "SECURE256"};

808

bool gnutls_initalized = false;

736

809

737

810

{

738

/* Temporary int to get the address of for getopt_long */

739

int debug_int = debug ? 1 : 0;

740

while (true){

741

struct option long_options[] = {

742

{"debug", no_argument, &debug_int, 1},

743

{"connect", required_argument, NULL, 'c'},

744

{"interface", required_argument, NULL, 'i'},

745

{"keydir", required_argument, NULL, 'd'},

746

{"seckey", required_argument, NULL, 's'},

747

{"pubkey", required_argument, NULL, 'p'},

748

{"dh-bits", required_argument, NULL, 'D'},

749

{"priority", required_argument, NULL, 'P'},

750

{0, 0, 0, 0} };

751

752

int option_index = 0;

753

ret = getopt_long (argc, argv, "i:", long_options,

754

&option_index);

755

756

if (ret == -1){

811

struct argp_option options[] = {

812

{ .name = "debug", .key = 128,

813

.doc = "Debug mode", .group = 3 },

814

{ .name = "connect", .key = 'c',

815

.arg = "IP",

816

.doc = "Connect directly to a sepcified mandos server",

817

.group = 1 },

818

{ .name = "interface", .key = 'i',

819

.arg = "INTERFACE",

820

.doc = "Interface that Avahi will conntect through",

821

.group = 1 },

822

{ .name = "keydir", .key = 'd',

823

.arg = "KEYDIR",

824

.doc = "Directory where the openpgp keyring is",

825

.group = 1 },

826

{ .name = "seckey", .key = 's',

827

.arg = "SECKEY",

828

.doc = "Secret openpgp key for gnutls authentication",

829

.group = 1 },

830

{ .name = "pubkey", .key = 'p',

831

.arg = "PUBKEY",

832

.doc = "Public openpgp key for gnutls authentication",

833

.group = 2 },

834

{ .name = "dh-bits", .key = 129,

835

.arg = "BITS",

836

.doc = "dh-bits to use in gnutls communication",

837

.group = 2 },

838

{ .name = "priority", .key = 130,

839

.arg = "PRIORITY",

840

.doc = "GNUTLS priority", .group = 1 },

841

{ .name = NULL }

842

};

843

844

845

error_t parse_opt (int key, char *arg,

846

struct argp_state *state) {

847

/* Get the INPUT argument from `argp_parse', which we know is

848

a pointer to our plugin list pointer. */

849

switch (key) {

850

case 128:

851

debug = true;

757

852

break;

758

}

759

760

switch(ret){

761

case 0:

853

case 'c':

854

connect_to = arg;

762

855

break;

763

856

case 'i':

764

interface = optarg;

765

break;

766

case 'c':

767

connect_to = optarg;

857

interface = arg;

768

858

break;

769

859

case 'd':

770

keydir = optarg;

860

keydir = arg;

861

break;

862

case 's':

863

seckeyfile = arg;

771

864

break;

772

865

case 'p':

773

pubkeyfile = optarg;

774

break;

775

case 's':

776

seckeyfile = optarg;

777

break;

778

case 'D':

866

pubkeyfile = arg;

867

break;

868

case 129:

779

869

errno = 0;

780

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

870

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

781

871

if (errno){

782

872

perror("strtol");

783

873

exit(EXIT_FAILURE);

784

874

}

785

875

break;

786

case 'P':

787

mc.priority = optarg;

788

break;

789

case '?':

876

case 130:

877

mc.priority = arg;

878

break;

879

case ARGP_KEY_ARG:

880

argp_usage (state);

881

break;

882

case ARGP_KEY_END:

883

break;

790

884

default:

791

/* getopt_long() has already printed a message about the

792

unrcognized option, so just exit. */

793

exit(EXIT_FAILURE);

885

return ARGP_ERR_UNKNOWN;

794

886

}

887

return 0;

795

888

}

796

/* Set the global debug flag from the temporary int */

797

debug = debug_int ? true : false;

889

890

struct argp argp = { .options = options, .parser = parse_opt,

891

.args_doc = "",

892

.doc = "Mandos client -- Get and decrypt"

893

" passwords from mandos server" };

894

argp_parse (&argp, argc, argv, 0, 0, NULL);

798

895

}

799

896

800

897

pubkeyfile = combinepath(keydir, pubkeyfile);

801

898

if (pubkeyfile == NULL){

802

899

perror("combinepath");

810

907

goto end;

811

908

}

812

909

813

ret = init_gnutls_global(&mc);

910

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

814

911

if (ret == -1){

815

912

fprintf(stderr, "init_gnutls_global\n");

816

913

goto end;

914

} else {

915

gnutls_initalized = true;

817

916

}

818

917

819

918

uid = getuid();

968

1067

avahi_simple_poll_free(mc.simple_poll);

969

1068

free(pubkeyfile);

970

1069

free(seckeyfile);

1070

1071

if (gnutls_initalized){

1072

gnutls_certificate_free_credentials (mc.cred);

1073

gnutls_global_deinit ();

1074

}

971

1075

972

1076

return exitcode;

973

1077

}