/mandos/trunk : revision 91

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-request.c

Committer: Teddy Hogeborn
Date: 2008-08-19 23:44:17 UTC
Revision ID: teddy@fukt.bsnet.se-20080819234417-8dz5prw19ihrklx6

* Makefile (DOCBOOKTOMAN): Include all DocBook-to-manpage-related
                           commands here, and use it everywhere.
  (mandos.8, mandos.conf.5): New; also depend on "mandos-options.xml".

* mandos-keygen.xml: Removed OVERVIEW entity.  Add XInclude namespace.
  (OVERVIEW): Changed to do <xi:include/>.

* mandos-options.xml (<simplesect>): Changed to a <section>.
  ([@id="address"]): Reordered sentences.

* mandos.conf.xml (OPTIONS): Removed illegal <arg> tags.
  (EXAMPLE): Added empty example.

* mandos.xml (NETWORK PROTOCOL): Bug fix: Changed "1\r\en" back to
                                 "1\r\n".
  (CHECKING): Do not refer to the non-relevant mandos.conf(5) manual.

files added:
COPYING

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

plugins.d/mandosclient.c => plugins.d/password-request.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/password-request.c

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t */

#include <inttypes.h> /* PRIu16 */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <netinet/in.h>

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* Mandos client part */

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

/* GPGME */

#include <errno.h> /* perror() */

#include <gpgme.h>

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

GPG_ERR_NO_* */

#define BUFFER_SIZE 256

100

101

bool debug = false;

102

static const char *keydir = "/conf/conf.d/mandos";

103

static const char mandos_protocol_version[] = "1";

const char *argp_program_version = "mandosclient 0.9";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

205

229

} else {

206

230

fprintf(stderr, "Unsupported algorithm: %s\n",

207

231

result->unsupported_algorithm);

208

fprintf(stderr, "Wrong key usage: %d\n",

232

fprintf(stderr, "Wrong key usage: %u\n",

209

233

result->wrong_key_usage);

210

234

if(result->file_name != NULL){

211

235

fprintf(stderr, "File name: %s\n", result->file_name);

278

302

}

279

303

280

304

static const char * safer_gnutls_strerror (int value) {

281

const char *ret = gnutls_strerror (value);

305

const char *ret = gnutls_strerror (value); /* Spurious warning */

282

306

if (ret == NULL)

283

307

ret = "(unknown)";

284

308

return ret;

291

315

}

292

316

293

317

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

318

const char *pubkeyfilename,

319

const char *seckeyfilename){

296

320

int ret;

297

321

298

322

if(debug){

299

323

fprintf(stderr, "Initializing GnuTLS\n");

300

324

}

301

302

if ((ret = gnutls_global_init ())

303

!= GNUTLS_E_SUCCESS) {

325

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

304

328

fprintf (stderr, "GnuTLS global_init: %s\n",

305

329

safer_gnutls_strerror(ret));

306

330

return -1;

315

339

}

316

340

317

341

/* OpenPGP credentials */

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

345

warning */

321

346

safer_gnutls_strerror(ret));

347

gnutls_global_deinit ();

322

348

return -1;

323

349

}

324

350

325

351

if(debug){

326

352

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

327

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

328

seckeyfile);

353

" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,

354

seckeyfilename);

329

355

}

330

356

331

357

ret = gnutls_certificate_set_openpgp_key_file

332

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

358

(mc->cred, pubkeyfilename, seckeyfilename,

359

GNUTLS_OPENPGP_FMT_BASE64);

333

360

if (ret != GNUTLS_E_SUCCESS) {

334

361

fprintf(stderr,

335

362

"Error[%d] while reading the OpenPGP key pair ('%s',"

336

" '%s')\n", ret, pubkeyfile, seckeyfile);

363

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

337

364

fprintf(stdout, "The GnuTLS error is: %s\n",

338

365

safer_gnutls_strerror(ret));

339

return -1;

366

goto globalfail;

340

367

}

341

368

342

369

/* GnuTLS server initialization */

344

371

if (ret != GNUTLS_E_SUCCESS) {

345

372

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

346

373

" %s\n", safer_gnutls_strerror(ret));

347

return -1;

374

goto globalfail;

348

375

}

349

376

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

350

377

if (ret != GNUTLS_E_SUCCESS) {

351

378

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

352

379

safer_gnutls_strerror(ret));

353

return -1;

380

goto globalfail;

354

381

}

355

382

356

383

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

357

384

358

385

return 0;

386

387

globalfail:

388

389

gnutls_certificate_free_credentials(mc->cred);

390

gnutls_global_deinit();

391

return -1;

392

359

393

}

360

394

361

395

static int init_gnutls_session(mandos_context *mc,

375

409

fprintf(stderr, "Syntax error at: %s\n", err);

376

410

fprintf(stderr, "GnuTLS error: %s\n",

377

411

safer_gnutls_strerror(ret));

412

gnutls_deinit (*session);

378

413

return -1;

379

414

}

380

415

}

384

419

if (ret != GNUTLS_E_SUCCESS) {

385

420

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

386

421

safer_gnutls_strerror(ret));

422

gnutls_deinit (*session);

387

423

return -1;

388

424

}

389

425

422

458

}

423

459

424

460

if(debug){

425

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

426

ip, port);

461

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

462

"\n", ip, port);

427

463

}

428

464

429

465

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

440

476

fprintf(stderr, "Binding to interface %s\n", interface);

441

477

}

442

478

443

memset(&to,0,sizeof(to)); /* Spurious warning */

479

memset(&to, 0, sizeof(to));

444

480

to.in6.sin6_family = AF_INET6;

445

481

/* It would be nice to have a way to detect if we were passed an

446

482

IPv4 address here. Now we assume an IPv6 address. */

453

489

fprintf(stderr, "Bad address: %s\n", ip);

454

490

return -1;

455

491

}

456

to.in6.sin6_port = htons(port); /* Spurious warning */

492

to.in6.sin6_port = htons(port); /* Spurious warning */

457

493

458

494

to.in6.sin6_scope_id = (uint32_t)if_index;

459

495

460

496

if(debug){

461

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

497

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

498

port);

462

499

char addrstr[INET6_ADDRSTRLEN] = "";

463

500

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

464

501

sizeof(addrstr)) == NULL){

505

542

}

506

543

507

544

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

508

509

ret = gnutls_handshake (session);

545

546

do{

547

ret = gnutls_handshake (session);

548

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

510

549

511

550

if (ret != GNUTLS_E_SUCCESS){

512

551

if(debug){

544

583

case GNUTLS_E_AGAIN:

545

584

break;

546

585

case GNUTLS_E_REHANDSHAKE:

547

ret = gnutls_handshake (session);

586

do{

587

ret = gnutls_handshake (session);

588

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

548

589

if (ret < 0){

549

590

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

550

591

gnutls_perror (ret);

603

644

free(buffer);

604

645

close(tcp_sd);

605

646

gnutls_deinit (session);

606

gnutls_certificate_free_credentials (mc->cred);

607

gnutls_global_deinit ();

608

647

return retval;

609

648

}

610

649

623

662

flags,

624

663

void* userdata) {

625

664

mandos_context *mc = userdata;

626

assert(r); /* Spurious warning */

665

assert(r);

627

666

628

667

/* Called whenever a service has been resolved successfully or

629

668

timed out */

641

680

char ip[AVAHI_ADDRESS_STR_MAX];

642

681

avahi_address_snprint(ip, sizeof(ip), address);

643

682

if(debug){

644

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

645

" port %d\n", name, host_name, ip, interface, port);

683

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

684

PRIu16 ") on port %d\n", name, host_name, ip,

685

interface, port);

646

686

}

647

687

int ret = start_mandos_communication(ip, port, interface, mc);

648

688

if (ret == 0){

649

exit(EXIT_SUCCESS);

689

avahi_simple_poll_quit(mc->simple_poll);

650

690

}

651

691

}

652

692

}

664

704

flags,

665

705

void* userdata) {

666

706

mandos_context *mc = userdata;

667

assert(b); /* Spurious warning */

707

assert(b);

668

708

669

709

/* Called whenever a new services becomes available on the LAN or

670

710

is removed from the LAN */

706

746

707

747

/* Combines file name and path and returns the malloced new

708

748

string. some sane checks could/should be added */

709

static const char *combinepath(const char *first, const char *second){

710

size_t f_len = strlen(first);

711

size_t s_len = strlen(second);

712

char *tmp = malloc(f_len + s_len + 2);

713

if (tmp == NULL){

749

static char *combinepath(const char *first, const char *second){

750

char *tmp;

751

int ret = asprintf(&tmp, "%s/%s", first, second);

752

if(ret < 0){

714

753

return NULL;

715

754

}

716

if(f_len > 0){

717

memcpy(tmp, first, f_len); /* Spurious warning */

718

}

719

tmp[f_len] = '/';

720

if(s_len > 0){

721

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

722

}

723

tmp[f_len + 1 + s_len] = '\0';

724

755

return tmp;

725

756

}

726

757

737

768

gid_t gid;

738

769

char *connect_to = NULL;

739

770

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

740

const char *pubkeyfile = "pubkey.txt";

741

const char *seckeyfile = "seckey.txt";

771

char *pubkeyfilename = NULL;

772

char *seckeyfilename = NULL;

773

const char *pubkeyname = "pubkey.txt";

774

const char *seckeyname = "seckey.txt";

742

775

mandos_context mc = { .simple_poll = NULL, .server = NULL,

743

776

.dh_bits = 1024, .priority = "SECURE256"};

777

bool gnutls_initalized = false;

744

778

745

779

{

746

780

struct argp_option options[] = {

795

829

keydir = arg;

796

830

break;

797

831

case 's':

798

seckeyfile = arg;

832

seckeyname = arg;

799

833

break;

800

834

case 'p':

801

pubkeyfile = arg;

835

pubkeyname = arg;

802

836

break;

803

837

case 129:

804

838

errno = 0;

813

847

break;

814

848

case ARGP_KEY_ARG:

815

849

argp_usage (state);

850

case ARGP_KEY_END:

816

851

break;

817

case ARGP_KEY_END:

818

break;

819

852

default:

820

853

return ARGP_ERR_UNKNOWN;

821

854

}

826

859

.args_doc = "",

827

860

.doc = "Mandos client -- Get and decrypt"

828

861

" passwords from mandos server" };

829

argp_parse (&argp, argc, argv, 0, 0, NULL);

862

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

863

if (ret == ARGP_ERR_UNKNOWN){

864

fprintf(stderr, "Unknown error while parsing arguments\n");

865

exitcode = EXIT_FAILURE;

866

goto end;

867

}

830

868

}

831

869

832

pubkeyfile = combinepath(keydir, pubkeyfile);

833

if (pubkeyfile == NULL){

870

pubkeyfilename = combinepath(keydir, pubkeyname);

871

if (pubkeyfilename == NULL){

834

872

perror("combinepath");

835

873

exitcode = EXIT_FAILURE;

836

874

goto end;

837

875

}

838

876

839

seckeyfile = combinepath(keydir, seckeyfile);

840

if (seckeyfile == NULL){

877

seckeyfilename = combinepath(keydir, seckeyname);

878

if (seckeyfilename == NULL){

841

879

perror("combinepath");

880

exitcode = EXIT_FAILURE;

842

881

goto end;

843

882

}

844

883

845

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

884

ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);

846

885

if (ret == -1){

847

fprintf(stderr, "init_gnutls_global\n");

886

fprintf(stderr, "init_gnutls_global failed\n");

887

exitcode = EXIT_FAILURE;

848

888

goto end;

849

}

850

889

} else {

890

gnutls_initalized = true;

891

}

892

893

/* If the interface is down, bring it up */

894

{

895

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

896

if(sd < 0) {

897

perror("socket");

898

exitcode = EXIT_FAILURE;

899

goto end;

900

}

901

strcpy(network.ifr_name, interface);

902

ret = ioctl(sd, SIOCGIFFLAGS, &network);

903

if(ret == -1){

904

perror("ioctl SIOCGIFFLAGS");

905

exitcode = EXIT_FAILURE;

906

goto end;

907

}

908

if((network.ifr_flags & IFF_UP) == 0){

909

network.ifr_flags |= IFF_UP;

910

ret = ioctl(sd, SIOCSIFFLAGS, &network);

911

if(ret == -1){

912

perror("ioctl SIOCSIFFLAGS");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

}

917

close(sd);

918

}

919

851

920

uid = getuid();

852

921

gid = getgid();

853

922

854

923

ret = setuid(uid);

855

924

if (ret == -1){

856

925

perror("setuid");

894

963

goto end;

895

964

}

896

965

897

/* If the interface is down, bring it up */

898

{

899

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

900

if(sd < 0) {

901

perror("socket");

902

exitcode = EXIT_FAILURE;

903

goto end;

904

}

905

strcpy(network.ifr_name, interface); /* Spurious warning */

906

ret = ioctl(sd, SIOCGIFFLAGS, &network);

907

if(ret == -1){

908

perror("ioctl SIOCGIFFLAGS");

909

exitcode = EXIT_FAILURE;

910

goto end;

911

}

912

if((network.ifr_flags & IFF_UP) == 0){

913

network.ifr_flags |= IFF_UP;

914

ret = ioctl(sd, SIOCSIFFLAGS, &network);

915

if(ret == -1){

916

perror("ioctl SIOCSIFFLAGS");

917

exitcode = EXIT_FAILURE;

918

goto end;

919

}

920

}

921

close(sd);

922

}

923

924

966

if (not debug){

925

967

avahi_set_log_function(empty_log);

926

968

}

998

1040

999

1041

if (mc.simple_poll != NULL)

1000

1042

avahi_simple_poll_free(mc.simple_poll);

1001

free(pubkeyfile);

1002

free(seckeyfile);

1043

free(pubkeyfilename);

1044

free(seckeyfilename);

1045

1046

if (gnutls_initalized){

1047

gnutls_certificate_free_credentials(mc.cred);

1048

gnutls_global_deinit ();

1049

}

1003

1050

1004

1051

return exitcode;

1005

1052

}

Older »