To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 63
- compare with another revision
- download diff
- download tarball
- view history from revision 63
- Committer: Teddy Hogeborn
- Date: 2008-08-10 20:35:01 UTC
- mfrom: (24.1.42 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080810203501-euh3qcf1nopilksm
Merge.
- files added:
- mandos-client.xml
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- plugbasedclient.c => mandos-client.c
- server.conf => mandos.conf
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- plugins.d/mandosclient.c => plugins.d/password-request.c
- files modified:
- Makefile
added
removed
plugins.d/password-request.c
34
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <inttypes.h> /* PRIu16 */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton(),
56
connect() */
57
#include <assert.h> /* assert() */
58
#include <errno.h> /* perror(), errno */
59
#include <time.h> /* time() */
60
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
61
SIOCSIFFLAGS, if_indextoname(),
62
if_nametoindex(), IF_NAMESIZE */
63
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
64
getuid(), getgid(), setuid(),
65
setgid() */
66
#include <netinet/in.h>
67
#include <arpa/inet.h> /* inet_pton(), htons */
68
#include <iso646.h> /* not, and */
69
#include <argp.h> /* struct argp_option, error_t, struct
70
argp_state, struct argp,
71
argp_parse(), ARGP_KEY_ARG,
72
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
44
73
74
/* Avahi */
75
/* All Avahi types, constants and functions
76
Avahi*, avahi_*,
77
AVAHI_* */
45
78
#include <avahi-core/core.h>
46
79
#include <avahi-core/lookup.h>
47
80
#include <avahi-core/log.h>
49
82
#include <avahi-common/malloc.h>
50
83
#include <avahi-common/error.h>
51
84
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
85
/* GnuTLS */
86
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
87
gnutls_*
88
init_gnutls_session(),
89
GNUTLS_* */
90
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
91
GNUTLS_OPENPGP_FMT_BASE64 */
92
93
/* GPGME */
94
#include <gpgme.h> /* All GPGME types, constants and functions
95
gpgme_*
96
GPGME_PROTOCOL_OpenPGP,
97
GPG_ERR_NO_* */
72
98
73
99
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
79
100
80
101
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
102
static const char *keydir = "/conf/conf.d/mandos";
103
static const char mandos_protocol_version[] = "1";
104
const char *argp_program_version = "password-request 1.0";
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
106
107
/* Used for passing in values through the Avahi callback functions */
84
108
typedef struct {
85
109
AvahiSimplePoll *simple_poll;
86
110
AvahiServer *server;
87
111
gnutls_certificate_credentials_t cred;
88
112
unsigned int dh_bits;
113
gnutls_dh_params_t dh_params;
89
114
const char *priority;
90
115
} mandos_context;
91
116
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
117
/*
118
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
119
* "buffer_capacity" is how much is currently allocated,
120
* "buffer_length" is how much is already used.
121
*/
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
93
123
size_t buffer_capacity){
94
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
96
126
if (buffer == NULL){
97
127
return 0;
98
128
}
101
131
return buffer_capacity;
102
132
}
103
133
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
134
/*
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
137
*/
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
106
141
const char *homedir){
107
142
gpgme_data_t dh_crypto, dh_plain;
108
143
gpgme_ctx_t ctx;
109
144
gpgme_error_t rc;
110
145
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
113
148
gpgme_engine_info_t engine_info;
114
149
115
150
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
117
152
}
118
153
119
154
/* Init GPGME */
125
160
return -1;
126
161
}
127
162
128
/* Set GPGME home directory */
163
/* Set GPGME home directory for the OpenPGP engine only */
129
164
rc = gpgme_get_engine_info (&engine_info);
130
165
if (rc != GPG_ERR_NO_ERROR){
131
166
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
141
176
engine_info = engine_info->next;
142
177
}
143
178
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
145
180
return -1;
146
181
}
147
182
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
183
/* Create new GPGME data buffer from memory cryptotext */
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
185
0);
150
186
if (rc != GPG_ERR_NO_ERROR){
151
187
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
188
gpgme_strsource(rc), gpgme_strerror(rc));
158
194
if (rc != GPG_ERR_NO_ERROR){
159
195
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
196
gpgme_strsource(rc), gpgme_strerror(rc));
197
gpgme_data_release(dh_crypto);
161
198
return -1;
162
199
}
163
200
166
203
if (rc != GPG_ERR_NO_ERROR){
167
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
205
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
206
plaintext_length = -1;
207
goto decrypt_end;
170
208
}
171
209
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
210
/* Decrypt data from the cryptotext data buffer to the plaintext
211
data buffer */
174
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
213
if (rc != GPG_ERR_NO_ERROR){
176
214
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
215
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
216
plaintext_length = -1;
217
goto decrypt_end;
179
218
}
180
219
181
220
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
221
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
183
222
}
184
223
185
224
if (debug){
186
225
gpgme_decrypt_result_t result;
187
226
result = gpgme_op_decrypt_result(ctx);
190
229
} else {
191
230
fprintf(stderr, "Unsupported algorithm: %s\n",
192
231
result->unsupported_algorithm);
193
fprintf(stderr, "Wrong key usage: %d\n",
232
fprintf(stderr, "Wrong key usage: %u\n",
194
233
result->wrong_key_usage);
195
234
if(result->file_name != NULL){
196
235
fprintf(stderr, "File name: %s\n", result->file_name);
211
250
}
212
251
}
213
252
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
216
217
253
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
254
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
255
perror("pgpme_data_seek");
256
plaintext_length = -1;
257
goto decrypt_end;
220
258
}
221
259
222
*new_packet = 0;
260
*plaintext = NULL;
223
261
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
262
plaintext_capacity = adjustbuffer(plaintext,
263
(size_t)plaintext_length,
264
plaintext_capacity);
265
if (plaintext_capacity == 0){
227
266
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
267
plaintext_length = -1;
268
goto decrypt_end;
231
269
}
232
270
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
271
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
272
BUFFER_SIZE);
235
273
/* Print the data, if any */
236
274
if (ret == 0){
275
/* EOF */
237
276
break;
238
277
}
239
278
if(ret < 0){
240
279
perror("gpgme_data_read");
241
return -1;
280
plaintext_length = -1;
281
goto decrypt_end;
242
282
}
243
new_packet_length += ret;
283
plaintext_length += ret;
244
284
}
245
285
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
286
if(debug){
287
fprintf(stderr, "Decrypted password is: ");
288
for(ssize_t i = 0; i < plaintext_length; i++){
289
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
290
}
291
fprintf(stderr, "\n");
292
}
293
294
decrypt_end:
295
296
/* Delete the GPGME cryptotext data buffer */
297
gpgme_data_release(dh_crypto);
253
298
254
299
/* Delete the GPGME plaintext data buffer */
255
300
gpgme_data_release(dh_plain);
256
return new_packet_length;
301
return plaintext_length;
257
302
}
258
303
259
304
static const char * safer_gnutls_strerror (int value) {
263
308
return ret;
264
309
}
265
310
311
/* GnuTLS log function callback */
266
312
static void debuggnutls(__attribute__((unused)) int level,
267
313
const char* string){
268
fprintf(stderr, "%s", string);
314
fprintf(stderr, "GnuTLS: %s", string);
269
315
}
270
316
271
static int initgnutls(mandos_context *mc){
272
const char *err;
317
static int init_gnutls_global(mandos_context *mc,
318
const char *pubkeyfile,
319
const char *seckeyfile){
273
320
int ret;
274
321
275
322
if(debug){
276
323
fprintf(stderr, "Initializing GnuTLS\n");
277
324
}
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
325
326
ret = gnutls_global_init();
327
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf (stderr, "GnuTLS global_init: %s\n",
329
safer_gnutls_strerror(ret));
282
330
return -1;
283
331
}
284
332
285
333
if (debug){
334
/* "Use a log level over 10 to enable all debugging options."
335
* - GnuTLS manual
336
*/
286
337
gnutls_global_set_log_level(11);
287
338
gnutls_global_set_log_function(debuggnutls);
288
339
}
289
340
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
341
/* OpenPGP credentials */
342
gnutls_certificate_allocate_credentials(&mc->cred);
343
if (ret != GNUTLS_E_SUCCESS){
344
fprintf (stderr, "GnuTLS memory error: %s\n",
294
345
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
295
347
return -1;
296
348
}
297
349
298
350
if(debug){
299
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
353
seckeyfile);
302
354
}
303
355
304
356
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
357
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
306
358
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
359
fprintf(stderr,
360
"Error[%d] while reading the OpenPGP key pair ('%s',"
361
" '%s')\n", ret, pubkeyfile, seckeyfile);
362
fprintf(stdout, "The GnuTLS error is: %s\n",
312
363
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
364
goto globalfail;
365
}
366
367
/* GnuTLS server initialization */
368
ret = gnutls_dh_params_init(&mc->dh_params);
369
if (ret != GNUTLS_E_SUCCESS) {
370
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
371
" %s\n", safer_gnutls_strerror(ret));
372
goto globalfail;
373
}
374
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
375
if (ret != GNUTLS_E_SUCCESS) {
376
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
377
safer_gnutls_strerror(ret));
378
goto globalfail;
379
}
380
381
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
382
383
return 0;
384
385
globalfail:
386
387
gnutls_certificate_free_credentials(mc->cred);
388
gnutls_global_deinit();
389
return -1;
390
391
}
392
393
static int init_gnutls_session(mandos_context *mc,
394
gnutls_session_t *session){
395
int ret;
396
/* GnuTLS session creation */
397
ret = gnutls_init(session, GNUTLS_SERVER);
398
if (ret != GNUTLS_E_SUCCESS){
336
399
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
400
safer_gnutls_strerror(ret));
338
401
}
339
402
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
403
{
404
const char *err;
405
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
406
if (ret != GNUTLS_E_SUCCESS) {
407
fprintf(stderr, "Syntax error at: %s\n", err);
408
fprintf(stderr, "GnuTLS error: %s\n",
409
safer_gnutls_strerror(ret));
410
gnutls_deinit (*session);
411
return -1;
412
}
346
413
}
347
414
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
415
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
416
mc->cred);
417
if (ret != GNUTLS_E_SUCCESS) {
418
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
419
safer_gnutls_strerror(ret));
420
gnutls_deinit (*session);
353
421
return -1;
354
422
}
355
423
356
424
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
425
gnutls_certificate_server_set_request (*session,
358
426
GNUTLS_CERT_IGNORE);
359
427
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
428
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
361
429
362
430
return 0;
363
431
}
364
432
433
/* Avahi log function callback */
365
434
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
435
__attribute__((unused)) const char *txt){}
367
436
437
/* Called when a Mandos server is found */
368
438
static int start_mandos_communication(const char *ip, uint16_t port,
369
439
AvahiIfIndex if_index,
370
440
mandos_context *mc){
371
441
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
442
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
374
443
char *buffer = NULL;
375
444
char *decrypted_buffer;
376
445
size_t buffer_length = 0;
379
448
size_t written;
380
449
int retval = 0;
381
450
char interface[IF_NAMESIZE];
451
gnutls_session_t session;
452
453
ret = init_gnutls_session (mc, &session);
454
if (ret != 0){
455
return -1;
456
}
382
457
383
458
if(debug){
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
385
ip, port);
459
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
460
"\n", ip, port);
386
461
}
387
462
388
463
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
393
468
394
469
if(debug){
395
470
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
471
perror("if_indextoname");
399
472
return -1;
400
473
}
401
402
474
fprintf(stderr, "Binding to interface %s\n", interface);
403
475
}
404
476
405
477
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
478
to.in6.sin6_family = AF_INET6;
479
/* It would be nice to have a way to detect if we were passed an
480
IPv4 address here. Now we assume an IPv6 address. */
481
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
408
482
if (ret < 0 ){
409
483
perror("inet_pton");
410
484
return -1;
411
}
485
}
412
486
if(ret == 0){
413
487
fprintf(stderr, "Bad address: %s\n", ip);
414
488
return -1;
415
489
}
416
to.sin6_port = htons(port); /* Spurious warning */
490
to.in6.sin6_port = htons(port); /* Spurious warning */
417
491
418
to.sin6_scope_id = (uint32_t)if_index;
492
to.in6.sin6_scope_id = (uint32_t)if_index;
419
493
420
494
if(debug){
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
495
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
496
port);
497
char addrstr[INET6_ADDRSTRLEN] = "";
498
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
499
sizeof(addrstr)) == NULL){
500
perror("inet_ntop");
501
} else {
502
if(strcmp(addrstr, ip) != 0){
503
fprintf(stderr, "Canonical address form: %s\n", addrstr);
504
}
505
}
430
506
}
431
507
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
508
ret = connect(tcp_sd, &to.in, sizeof(to));
433
509
if (ret < 0){
434
510
perror("connect");
435
511
return -1;
436
512
}
437
513
438
char *out = mandos_protocol_version;
514
const char *out = mandos_protocol_version;
439
515
written = 0;
440
516
while (true){
441
517
size_t out_size = strlen(out);
444
520
if (ret == -1){
445
521
perror("write");
446
522
retval = -1;
447
goto end;
523
goto mandos_end;
448
524
}
449
written += ret;
525
written += (size_t)ret;
450
526
if(written < out_size){
451
527
continue;
452
528
} else {
459
535
}
460
536
}
461
537
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
471
538
if(debug){
472
539
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
540
}
474
541
475
ret = gnutls_handshake (es.session);
542
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
543
544
do{
545
ret = gnutls_handshake (session);
546
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
476
547
477
548
if (ret != GNUTLS_E_SUCCESS){
478
549
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
550
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
480
551
gnutls_perror (ret);
481
552
}
482
553
retval = -1;
483
goto exit;
554
goto mandos_end;
484
555
}
485
556
486
//Retrieve OpenPGP packet that contains the wanted password
557
/* Read OpenPGP packet that contains the wanted password */
487
558
488
559
if(debug){
489
560
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
491
562
}
492
563
493
564
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
565
buffer_capacity = adjustbuffer(&buffer, buffer_length,
566
buffer_capacity);
495
567
if (buffer_capacity == 0){
496
568
perror("adjustbuffer");
497
569
retval = -1;
498
goto exit;
570
goto mandos_end;
499
571
}
500
572
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
573
ret = gnutls_record_recv(session, buffer+buffer_length,
574
BUFFER_SIZE);
503
575
if (ret == 0){
504
576
break;
505
577
}
509
581
case GNUTLS_E_AGAIN:
510
582
break;
511
583
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
584
do{
585
ret = gnutls_handshake (session);
586
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
513
587
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
588
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
515
589
gnutls_perror (ret);
516
590
retval = -1;
517
goto exit;
591
goto mandos_end;
518
592
}
519
593
break;
520
594
default:
521
595
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
596
" encrypted session with Mandos server\n");
523
597
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
598
gnutls_bye (session, GNUTLS_SHUT_RDWR);
599
goto mandos_end;
526
600
}
527
601
} else {
528
602
buffer_length += (size_t) ret;
529
603
}
530
604
}
531
605
606
if(debug){
607
fprintf(stderr, "Closing TLS session\n");
608
}
609
610
gnutls_bye (session, GNUTLS_SHUT_RDWR);
611
532
612
if (buffer_length > 0){
533
613
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
614
buffer_length,
535
615
&decrypted_buffer,
536
certdir);
616
keydir);
537
617
if (decrypted_buffer_size >= 0){
538
618
written = 0;
539
619
while(written < (size_t) decrypted_buffer_size){
555
635
retval = -1;
556
636
}
557
637
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
638
639
/* Shutdown procedure */
640
641
mandos_end:
565
642
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
643
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
644
gnutls_deinit (session);
572
645
return retval;
573
646
}
574
647
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
648
static void resolve_callback(AvahiSServiceResolver *r,
649
AvahiIfIndex interface,
650
AVAHI_GCC_UNUSED AvahiProtocol protocol,
651
AvahiResolverEvent event,
652
const char *name,
653
const char *type,
654
const char *domain,
655
const char *host_name,
656
const AvahiAddress *address,
657
uint16_t port,
658
AVAHI_GCC_UNUSED AvahiStringList *txt,
659
AVAHI_GCC_UNUSED AvahiLookupResultFlags
660
flags,
661
void* userdata) {
588
662
mandos_context *mc = userdata;
589
663
assert(r); /* Spurious warning */
590
664
594
668
switch (event) {
595
669
default:
596
670
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
671
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
672
" of type '%s' in domain '%s': %s\n", name, type, domain,
599
673
avahi_strerror(avahi_server_errno(mc->server)));
600
674
break;
601
675
604
678
char ip[AVAHI_ADDRESS_STR_MAX];
605
679
avahi_address_snprint(ip, sizeof(ip), address);
606
680
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
681
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
682
PRIu16 ") on port %d\n", name, host_name, ip,
683
interface, port);
609
684
}
610
685
int ret = start_mandos_communication(ip, port, interface, mc);
611
686
if (ret == 0){
623
698
const char *name,
624
699
const char *type,
625
700
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
701
AVAHI_GCC_UNUSED AvahiLookupResultFlags
702
flags,
627
703
void* userdata) {
628
704
mandos_context *mc = userdata;
629
705
assert(b); /* Spurious warning */
634
710
switch (event) {
635
711
default:
636
712
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
713
714
fprintf(stderr, "(Avahi browser) %s\n",
639
715
avahi_strerror(avahi_server_errno(mc->server)));
640
716
avahi_simple_poll_quit(mc->simple_poll);
641
717
return;
642
718
643
719
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
720
/* We ignore the returned Avahi resolver object. In the callback
721
function we free it. If the Avahi server is terminated before
722
the callback function is called the Avahi server will free the
723
resolver for us. */
724
725
if (!(avahi_s_service_resolver_new(mc->server, interface,
726
protocol, name, type, domain,
651
727
AVAHI_PROTO_INET6, 0,
652
728
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
729
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
730
name, avahi_strerror(avahi_server_errno(mc->server)));
655
731
break;
656
732
657
733
case AVAHI_BROWSER_REMOVE:
658
734
break;
659
735
660
736
case AVAHI_BROWSER_ALL_FOR_NOW:
661
737
case AVAHI_BROWSER_CACHE_EXHAUSTED:
738
if(debug){
739
fprintf(stderr, "No Mandos server found, still searching...\n");
740
}
662
741
break;
663
742
}
664
743
}
673
752
return NULL;
674
753
}
675
754
if(f_len > 0){
676
memcpy(tmp, first, f_len);
755
memcpy(tmp, first, f_len); /* Spurious warning */
677
756
}
678
757
tmp[f_len] = '/';
679
758
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
759
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
681
760
}
682
761
tmp[f_len + 1 + s_len] = '\0';
683
762
return tmp;
684
763
}
685
764
686
765
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
766
int main(int argc, char *argv[]){
689
767
AvahiSServiceBrowser *sb = NULL;
690
768
int error;
691
769
int ret;
692
int returncode = EXIT_SUCCESS;
770
int exitcode = EXIT_SUCCESS;
693
771
const char *interface = "eth0";
694
772
struct ifreq network;
695
773
int sd;
774
uid_t uid;
775
gid_t gid;
696
776
char *connect_to = NULL;
697
777
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
778
const char *pubkeyfile = "pubkey.txt";
779
const char *seckeyfile = "seckey.txt";
698
780
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
781
.dh_bits = 1024, .priority = "SECURE256"};
782
bool gnutls_initalized = false;
700
783
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
784
{
785
struct argp_option options[] = {
786
{ .name = "debug", .key = 128,
787
.doc = "Debug mode", .group = 3 },
788
{ .name = "connect", .key = 'c',
789
.arg = "IP",
790
.doc = "Connect directly to a sepcified mandos server",
791
.group = 1 },
792
{ .name = "interface", .key = 'i',
793
.arg = "INTERFACE",
794
.doc = "Interface that Avahi will conntect through",
795
.group = 1 },
796
{ .name = "keydir", .key = 'd',
797
.arg = "KEYDIR",
798
.doc = "Directory where the openpgp keyring is",
799
.group = 1 },
800
{ .name = "seckey", .key = 's',
801
.arg = "SECKEY",
802
.doc = "Secret openpgp key for gnutls authentication",
803
.group = 1 },
804
{ .name = "pubkey", .key = 'p',
805
.arg = "PUBKEY",
806
.doc = "Public openpgp key for gnutls authentication",
807
.group = 2 },
808
{ .name = "dh-bits", .key = 129,
809
.arg = "BITS",
810
.doc = "dh-bits to use in gnutls communication",
811
.group = 2 },
812
{ .name = "priority", .key = 130,
813
.arg = "PRIORITY",
814
.doc = "GNUTLS priority", .group = 1 },
815
{ .name = NULL }
816
};
817
818
819
error_t parse_opt (int key, char *arg,
820
struct argp_state *state) {
821
/* Get the INPUT argument from `argp_parse', which we know is
822
a pointer to our plugin list pointer. */
823
switch (key) {
824
case 128:
825
debug = true;
826
break;
827
case 'c':
828
connect_to = arg;
829
break;
830
case 'i':
831
interface = arg;
832
break;
833
case 'd':
834
keydir = arg;
835
break;
836
case 's':
837
seckeyfile = arg;
838
break;
839
case 'p':
840
pubkeyfile = arg;
841
break;
842
case 129:
742
843
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
844
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
845
if (errno){
745
846
perror("strtol");
746
847
exit(EXIT_FAILURE);
747
848
}
748
mc.dh_bits = tmp;
849
break;
850
case 130:
851
mc.priority = arg;
852
break;
853
case ARGP_KEY_ARG:
854
argp_usage (state);
855
break;
856
case ARGP_KEY_END:
857
break;
858
default:
859
return ARGP_ERR_UNKNOWN;
749
860
}
750
break;
751
case 'p':
752
mc.priority = optarg;
753
break;
754
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
861
return 0;
862
}
863
864
struct argp argp = { .options = options, .parser = parse_opt,
865
.args_doc = "",
866
.doc = "Mandos client -- Get and decrypt"
867
" passwords from mandos server" };
868
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
869
if (ret == ARGP_ERR_UNKNOWN){
870
fprintf(stderr, "Unkown error while parsing arguments\n");
871
exitcode = EXIT_FAILURE;
872
goto end;
873
}
874
}
875
876
pubkeyfile = combinepath(keydir, pubkeyfile);
877
if (pubkeyfile == NULL){
878
perror("combinepath");
879
exitcode = EXIT_FAILURE;
880
goto end;
881
}
882
883
seckeyfile = combinepath(keydir, seckeyfile);
884
if (seckeyfile == NULL){
885
perror("combinepath");
886
goto end;
887
}
888
889
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
890
if (ret == -1){
891
fprintf(stderr, "init_gnutls_global\n");
892
goto end;
893
} else {
894
gnutls_initalized = true;
895
}
896
897
uid = getuid();
898
gid = getgid();
899
900
ret = setuid(uid);
901
if (ret == -1){
902
perror("setuid");
903
}
904
905
setgid(gid);
906
if (ret == -1){
907
perror("setgid");
771
908
}
772
909
773
910
if_index = (AvahiIfIndex) if_nametoindex(interface);
782
919
char *address = strrchr(connect_to, ':');
783
920
if(address == NULL){
784
921
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
922
exitcode = EXIT_FAILURE;
923
goto end;
786
924
}
787
925
errno = 0;
788
926
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
927
if(errno){
790
928
perror("Bad port number");
791
exit(EXIT_FAILURE);
929
exitcode = EXIT_FAILURE;
930
goto end;
792
931
}
793
932
*address = '\0';
794
933
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
934
ret = start_mandos_communication(address, port, if_index, &mc);
796
935
if(ret < 0){
797
exit(EXIT_FAILURE);
936
exitcode = EXIT_FAILURE;
798
937
} else {
799
exit(EXIT_SUCCESS);
938
exitcode = EXIT_SUCCESS;
800
939
}
940
goto end;
801
941
}
802
942
803
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
805
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
808
}
809
strcpy(network.ifr_name, interface);
810
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
if(ret == -1){
812
813
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
816
}
817
if((network.ifr_flags & IFF_UP) == 0){
818
network.ifr_flags |= IFF_UP;
819
ret = ioctl(sd, SIOCSIFFLAGS, &network);
943
/* If the interface is down, bring it up */
944
{
945
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
946
if(sd < 0) {
947
perror("socket");
948
exitcode = EXIT_FAILURE;
949
goto end;
950
}
951
strcpy(network.ifr_name, interface); /* Spurious warning */
952
ret = ioctl(sd, SIOCGIFFLAGS, &network);
820
953
if(ret == -1){
821
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
954
perror("ioctl SIOCGIFFLAGS");
955
exitcode = EXIT_FAILURE;
956
goto end;
957
}
958
if((network.ifr_flags & IFF_UP) == 0){
959
network.ifr_flags |= IFF_UP;
960
ret = ioctl(sd, SIOCSIFFLAGS, &network);
961
if(ret == -1){
962
perror("ioctl SIOCSIFFLAGS");
963
exitcode = EXIT_FAILURE;
964
goto end;
965
}
966
}
967
close(sd);
825
968
}
826
close(sd);
827
969
828
970
if (not debug){
829
971
avahi_set_log_function(empty_log);
830
972
}
831
973
832
/* Initialize the psuedo-RNG */
974
/* Initialize the pseudo-RNG for Avahi */
833
975
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
843
avahi_server_config_init(&config);
844
config.publish_hinfo = 0;
845
config.publish_addresses = 0;
846
config.publish_workstation = 0;
847
config.publish_domain = 0;
848
849
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
854
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
976
977
/* Allocate main Avahi loop object */
978
mc.simple_poll = avahi_simple_poll_new();
979
if (mc.simple_poll == NULL) {
980
fprintf(stderr, "Avahi: Failed to create simple poll"
981
" object.\n");
982
exitcode = EXIT_FAILURE;
983
goto end;
984
}
985
986
{
987
AvahiServerConfig config;
988
/* Do not publish any local Zeroconf records */
989
avahi_server_config_init(&config);
990
config.publish_hinfo = 0;
991
config.publish_addresses = 0;
992
config.publish_workstation = 0;
993
config.publish_domain = 0;
994
995
/* Allocate a new server */
996
mc.server = avahi_server_new(avahi_simple_poll_get
997
(mc.simple_poll), &config, NULL,
998
NULL, &error);
999
1000
/* Free the Avahi configuration data */
1001
avahi_server_config_free(&config);
1002
}
1003
1004
/* Check if creating the Avahi server object succeeded */
1005
if (mc.server == NULL) {
1006
fprintf(stderr, "Failed to create Avahi server: %s\n",
859
1007
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
1008
exitcode = EXIT_FAILURE;
1009
goto end;
862
1010
}
863
1011
864
/* Create the service browser */
1012
/* Create the Avahi service browser */
865
1013
sb = avahi_s_service_browser_new(mc.server, if_index,
866
1014
AVAHI_PROTO_INET6,
867
1015
"_mandos._tcp", NULL, 0,
868
1016
browse_callback, &mc);
869
if (!sb) {
1017
if (sb == NULL) {
870
1018
fprintf(stderr, "Failed to create service browser: %s\n",
871
1019
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
1020
exitcode = EXIT_FAILURE;
1021
goto end;
874
1022
}
875
1023
876
1024
/* Run the main loop */
877
1025
878
1026
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
1027
fprintf(stderr, "Starting Avahi loop search\n");
880
1028
}
881
1029
882
avahi_simple_poll_loop(simple_poll);
1030
avahi_simple_poll_loop(mc.simple_poll);
883
1031
884
exit:
1032
end:
885
1033
886
1034
if (debug){
887
1035
fprintf(stderr, "%s exiting\n", argv[0]);
888
1036
}
889
1037
890
1038
/* Cleanup things */
891
if (sb)
1039
if (sb != NULL)
892
1040
avahi_s_service_browser_free(sb);
893
1041
894
if (mc.server)
1042
if (mc.server != NULL)
895
1043
avahi_server_free(mc.server);
896
1044
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
1045
if (mc.simple_poll != NULL)
1046
avahi_simple_poll_free(mc.simple_poll);
1047
free(pubkeyfile);
1048
free(seckeyfile);
1049
1050
if (gnutls_initalized){
1051
gnutls_certificate_free_credentials(mc.cred);
1052
gnutls_global_deinit ();
1053
}
901
1054
902
return returncode;
1055
return exitcode;
903
1056
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0