=== modified file 'Makefile'
--- Makefile	2008-08-10 17:52:54 +0000
+++ Makefile	2008-08-07 21:45:41 +0000
@@ -11,28 +11,11 @@
 CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) $(LANGUAGE)
 LDFLAGS=$(COVERAGE)
-DOCBOOKTOMAN=xsltproc --nonet \
-	--param man.charmap.use.subset 0 \
-	--param make.year.ranges 1 \
-	--param make.single.year.ranges 1 \
-	--param man.output.quietly 1 \
-	--param man.authors.section.enabled 0
-
 PROGS=mandos-client plugins.d/password-request plugins.d/password-prompt
-DOCS=mandos.8 mandos-client.8mandos plugins.d/password-request.8mandos plugins.d/password-prompt.8mandos mandos.conf.5 mandos-clients.conf.5
 objects=$(shell for p in $(PROGS); do echo $${p}.o; done)
-all: $(PROGS) $(DOCS)
-
-%.5: %.xml
-	cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
-
-%.8: %.xml
-	cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
-
-%.8mandos: %.xml
-	cd $(shell dirname $^); $(DOCBOOKTOMAN) $(shell basename $^)
+all: $(PROGS)
 mandos-client: mandos-client.o
 	$(LINK.o) -lgnutls $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
@@ -46,7 +29,7 @@
 .PHONY : all clean distclean run-client run-server
 clean:
-	-rm --force $(PROGS) $(objects) $(DOCS) core
+	-rm --force $(PROGS) $(objects) core
 distclean: clean
 mostlyclean: clean
=== modified file 'TODO'
--- TODO	2008-08-10 16:13:23 +0000
+++ TODO	2008-08-07 21:45:41 +0000
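Review bot: `objects=$(shell for p in $(PROGS); do echo $${p}.o; done)` on the new side of the @@ -11 hunk is a recursive assignment, so the shell loop is forked again every time `$(objects)` is expanded; the same list comes from a built-in with no shell at all, `objects := $(addsuffix .o,$(PROGS))`. In the @@ -46 hunk the `-` prefix on `-rm --force $(PROGS) $(objects) core` is redundant with `--force` and additionally hides any other failure of the command; `$(RM) $(PROGS) $(objects) core` is the conventional form.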
@@ -1,66 +1,22 @@ -*- org -*- -* [#A] README file +* README file -* [#A] COPYING file +* COPYING file [[file:/usr/share/common-licenses/GPL-3][GPLv3]] * Mandos-client ** [#A] Man page: man8/mandos-client.8mandos -*** EXIT STATUS - Create this section -*** USAGE - Describe the plus sign syntax for passing options from crypttab -*** EXAMPLES - Examples of normal usage, debug usage, debugging single or all - plugins, examples of crypttab lines with plus syntax, etc. -*** FILES - Describe plugin directory -*** DIAGNOSTICS - Create this section -*** SECURITY - Create this section -*** NOTES - Create this section (if needed) -*** BUGS - Create this section -*** SEE ALSO - Refer to mandos(8), password-request(8mandos), and - password-prompt(8mandos) -** Use asprintf instead of malloc and strcat? +** [#A] check return codes of all system calls +** [#B] header files/symbols tally ** use strsep instead of strtok? ** use config file in addition to arguments ** pass things in environment, like device name, etc -** Fallback - As a fallback, if no plugins can be found or if all of them failed, - run getpass(3) itself. * Password-request ** [#A] Man page: man8/password-request.8mandos -*** DESCRIPTION - Move options to new OPTIONS section. - State that this command is not meant to be invoked directly, but - is run as a plugin from mandos-client(8) and only run in the - initrd environment, not the real system. -*** EXIT STATUS - Create this section -*** EXAMPLES - Examples of normal usage, debug usage, debugging by connecting - directly, etc. -*** FILES - Describe the key files and the key ring files. Also note that - they should normally have been automatically created. -*** DIAGNOSTICS - Create this section -*** SECURITY - Create this section -*** NOTES - Create this section (if needed) -*** BUGS - Create this section -*** SEE ALSO - Refer to mandos-client(8mandos) and password-prompt(8mandos) -** Use asprintf instead of malloc and memcpy? 
+** [#A] check return codes of all system calls +** [#B] header files/symbols tally ** IPv4 support ** use strsep instead of strtok? ** Do not depend on GPG key rings on disk 
@@ -69,63 +25,22 @@ * Password-prompt ** [#A] Man page: man8/password-prompt.8mandos -*** DESCRIPTION - Move options to new OPTIONS section. -*** EXIT STATUS - Create this section -*** EXAMPLES - Examples of normal usage, debug usage, with a prefix, etc. -*** DIAGNOSTICS - Create this section -*** SECURITY - Create this section - Not much to do here but it is noteworthy to state the danger of - not having a fallback option. -*** NOTES - Note that this is more or less a simple getpass(3) wrapper, even - though actual use of getpass(3) is not guaranteed. -*** BUGS - Create this section -*** SEE ALSO - Refer to mandos-client(8mandos) and password-request(8mandos) ** Use getpass(3)? - Man page says "obsolete", but [[info:libc:getpass][GNU LibC Manual: Reading Passwords]] - does not. See also [[http://sources.redhat.com/ml/libc-alpha/2003-05/msg00251.html][Marcus Brinkmann: Re: getpass obsolete?]] and - [[http://article.gmane.org/gmane.comp.lib.glibc.alpha/4906][Petter Reinholdtsen: Re: getpass obsolete?]], and especially also - [[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]] + [[info:libc:getpass][GNU LibC Manual: Reading Passwords]] -* Mandos (server) +* Server ** [#A] Command man page: man8/mandos.8 -*** DESCRIPTION - Move options to new OPTIONS section -*** EXIT STATUS - Create this section -*** EXAMPLES - Create this section -*** FILES - Describe briefly that the server gets global settings from - mandos.conf and clients from clients.conf, but refer to their man - pages for more details. 
-*** DIAGNOSTICS - Create this section -*** SECURITY - Create this section -*** NOTES - Create this section (if needed) -*** BUGS - Create this section -*** SEE ALSO - Refer to the client man page ** [#A] Config file man page: man5/mandos.conf (mandos.conf) ** [#A] Config file man page: man5/mandos-clients.conf (clients.conf) -** [#A] /etc/init.d/mandos-server :teddy: +** [#A] write PID file +** [#A] /etc/init.d/mandos-server +** Better comments in config files ** Log level ** /etc/mandos/clients.d/*.conf Watch this directory and add/remove/update clients? ** config for TXT record ** Run-time communication with server - Probably using D-Bus - See also [[*Mandos-tools]] + probably using D-Bus ** Implement --foreground [[info:standards:Option%20Table][Table of Long Options]] ** Implement --socket @@ -134,33 +49,12 @@ * Mandos-tools/utilities All of this probably using D-Bus ** List clients +** Enable client ** Disable client -** Enable client * Installer -** DONE [#A] Change initrd.img file to not be publically readable - /etc/initramfs-tools/conf.d/mandos - UMASK=027 -** Update initrd.img after installation -** [#A] Create mandos user and group for server -** [#A] Create /var/run/mandos directory with perm and ownership - -* [#A] Package -** /etc/bash_completion.d/mandos -** /etc/initramfs-tools/hooks/mandos - [[file:/usr/share/doc/initramfs-tools/examples/example_hook][Example initramfs-tools hook script]] -*** Create GPG key ring files in initrd -** unperish -** bzr-builddeb - -* INSTALL file - -* Web site - -* Mailing list - -* Announce project on news - [[news:comp.os.linux.announce]] +** [#A] Change initrd.img file to not be publically readable +** [#A] Create GPG key ring files in initrd #+STARTUP: showall === modified file 'clients.conf' --- clients.conf 2008-08-09 01:39:09 +0000 +++ clients.conf 2008-07-29 03:35:39 +0000 
@@ -1,66 +1,33 @@ -# Default settings for all clients. These values are the default -# values, so uncomment and change them if you want different ones. [DEFAULT] - -# How long until a client is considered invalid - that is, ineligible -# to get the data this server holds. -;timeout = 1h - -# How often to run the checker to confirm that a client is still up. -# Note: a new checker will not be started if an old one is still -# running. The server will wait for a checker to complete until the -# "timeout" above occurs, at which time the client will be marked -# invalid, and any running checker killed. -;interval = 5m - -# What command to run as "the checker". -;checker = fping -q -- %%(host)s - - -;#### -;# Example client named "foo" -;[foo] -; -;# OpenPGP key fingerprint for "foo" -;fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920 -; -;# This is base64-encoded binary data. It will be decoded and sent to -;# the client matching the above fingerprint. This should, of course, -;# be OpenPGP encrypted data, decryptable only by the client. 
-;secret = -; hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234 -; REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N -; Xl89vGvdU1XfhKkVm9MDLOgT5ECDPysDGHFPDhqHOSu3Kaw2DWMV/iH9vz -; 3Z20erVNbdcvyBnuojcoWO/6yfB5EQO0BXp7kcyy00USA3CjD5FGZdoQGI -; Tb8A/ar0tVA5crSQmaSotm6KmNLhrFnZ5BxX+TiE+eTUTqSloWRY6VAvqW -; QHC7OASxK5E6RXPBuFH5IohUA2Qbk5AHt99pYvsIPX88j2rWauOokoiKZo -; t/9leJ8VxO5l3wf/U64IH8bkPIoWmWZfd/nqh4uwGNbCgKMyT+AnvH7kMJ -; 3i7DivfWl2mKLV0PyPHUNva0VQxX6yYjcOhj1R6fCr/at8/NSLe2OhLchz -; dC+Ls9h+kvJXgF8Sisv+Wk/1RadPLFmraRlqvJwt6Ww21LpiXqXHV2mIgq -; WnR98YgSvUi3TJHrUQiNc9YyBzuRo0AjgG2C9qiE3FM+Y28+iQ/sR3+bFs -; zYuZKVTObqiIslwXu7imO0cvvFRgJF/6u3HNFQ4LUTGhiM3FQmC6NNlF3/ -; vJM2hwRDMcJqDd54Twx90Wh+tYz0z7QMsK4ANXWHHWHR0JchnLWmenzbtW -; 5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm -; 4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O -; QlnHIvPzEArRQLo= -; =iHhv -; -;# Host name; used only by the checker, not used by the server itself. -;host = foo.example.org -;#### - -;#### -;# Another example client, named "bar". -;[bar] -;# The fingerprint is not space or case sensitive -;fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27 -; -;# If "secret" is not specified, a file can be read for the data. -;;secfile = /etc/mandos/bar-secret.txt.asc -; -;# An IP address for host is also fine, if the checker accepts it. -;host = 192.0.2.3 -; -;# Parameters from the [DEFAULT] section can be overridden per client. 
-;interval = 5m -;#### +timeout = 1h +interval = 5m +checker = fping -q -- %%(fqdn)s + +# Example +[foo] +fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27 +secret = Base+64+encoded+OpenPGP+encrypted+data/= +# secfile = /etc/mandos/foo-secret.txt.asc +fqdn = foo.example.org +checker = fping -q -- %%(fqdn)s +timeout = 10m + +[braxen_client] +fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920 +secret = + hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234REJMVv + 7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+NXl89vGvdU1Xf + hKkVm9MDLOgT5ECDPysDGHFPDhqHOSu3Kaw2DWMV/iH9vz3Z20erVNbdcvyBnuoj + coWO/6yfB5EQO0BXp7kcyy00USA3CjD5FGZdoQGITb8A/ar0tVA5crSQmaSotm6K + mNLhrFnZ5BxX+TiE+eTUTqSloWRY6VAvqWQHC7OASxK5E6RXPBuFH5IohUA2Qbk5 + AHt99pYvsIPX88j2rWauOokoiKZot/9leJ8VxO5l3wf/U64IH8bkPIoWmWZfd/nq + h4uwGNbCgKMyT+AnvH7kMJ3i7DivfWl2mKLV0PyPHUNva0VQxX6yYjcOhj1R6fCr + /at8/NSLe2OhLchzdC+Ls9h+kvJXgF8Sisv+Wk/1RadPLFmraRlqvJwt6Ww21Lpi + XqXHV2mIgqWnR98YgSvUi3TJHrUQiNc9YyBzuRo0AjgG2C9qiE3FM+Y28+iQ/sR3 + +bFszYuZKVTObqiIslwXu7imO0cvvFRgJF/6u3HNFQ4LUTGhiM3FQmC6NNlF3/vJ + M2hwRDMcJqDd54Twx90Wh+tYz0z7QMsK4ANXWHHWHR0JchnLWmenzbtW5MHdW9AY + sNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm4T2zw4dxS5NswX + WU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2OQlnHIvPzEArRQLo= + =iHhv +fqdn = localhost +interval = 5m === modified file 'mandos' --- mandos 2008-08-10 16:13:23 +0000 +++ mandos 2008-08-07 21:45:41 +0000 
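Review bot: The new clients.conf ships `[foo]` and `[braxen_client]` as live, uncommented sections, so installing the file unedited registers two clients, one with a placeholder `secret` rather than real encrypted data and one pointing at `fqdn = localhost`; prefixing the example blocks with `;` keeps them as documentation instead of configuration. The descriptive comments for `timeout`, `interval`, `checker`, `secret`/`secfile` and `fqdn` are also gone, leaving the format undocumented for whoever edits the file next. A one-line comment above each `[DEFAULT]` key, e.g. `# How long until a client is considered invalid`, would cover that.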
@@ -61,20 +61,15 @@
 from dbus.mainloop.glib import DBusGMainLoop
 import ctypes
-version = "1.0"
 logger = logging.Logger('mandos')
 syslogger = logging.handlers.SysLogHandler\
- (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
- address = "/dev/log")
+ (facility = logging.handlers.SysLogHandler.LOG_DAEMON)
 syslogger.setFormatter(logging.Formatter\
- ('Mandos: %(levelname)s: %(message)s'))
+ ('%(levelname)s: %(message)s'))
 logger.addHandler(syslogger)
+del syslogger
-console = logging.StreamHandler()
-console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
- ' %(message)s'))
-logger.addHandler(console)
 class AvahiError(Exception):
 def __init__(self, value):
@@ -107,7 +102,7 @@
 """
 def __init__(self, interface = avahi.IF_UNSPEC, name = None,
 type = None, port = None, TXT = None, domain = "",
- host = "", max_renames = 32768):
+ host = "", max_renames = 12):
 self.interface = interface
 self.name = name
 self.type = type
@@ -127,9 +122,6 @@
 raise AvahiServiceError("Too many renames")
 name = server.GetAlternativeServiceName(name)
 logger.error(u"Changing name to %r ...", name)
- syslogger.setFormatter(logging.Formatter\
- ('Mandos (%s): %%(levelname)s:'
- ' %%(message)s' % name))
 self.remove()
 self.add()
 self.rename_count += 1
@@ -171,7 +163,7 @@
 fingerprint: string (40 or 32 hexadecimal digits); used to
 uniquely identify the client
 secret: bytestring; sent verbatim (over TLS) to client
- host: string; available for use by the checker command
+ fqdn: string (FQDN); available for use by the checker command
 created: datetime.datetime(); object creation, not client host
 last_checked_ok: datetime.datetime() or None if not yet checked OK
 timeout: datetime.timedelta(); How long from last_checked_ok
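Review bot: The new syslog format `'%(levelname)s: %(message)s'` in the @@ -61 hunk carries no program identifier, and `del syslogger` a few lines later discards the only handle that could later set one or adjust the level, so unless SysLogHandler is tagged elsewhere this daemon's lines are indistinguishable from other programs' output in the system log. Including the logger name, `'%(name)s: %(levelname)s: %(message)s'`, keeps the `mandos` tag without touching the handler again. The @@ -127 hunk has the same consequence after a service rename: the new name is logged once and then never appears in any prefix.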
@@ -238,7 +230,7 @@
 else:
 raise TypeError(u"No secret or secfile for client %s" % self.name)
- self.host = config.get("host", "")
+ self.fqdn = config.get("fqdn", "")
 self.created = datetime.datetime.now()
 self.last_checked_ok = None
 self.timeout = string_to_delta(config["timeout"])
@@ -267,7 +259,7 @@
 The possibility that a client might be restarted is left open,
 but not currently used."""
 # If this client doesn't have a secret, it is already stopped.
- if hasattr(self, "secret") and self.secret:
+ if self.secret:
 logger.info(u"Stopping client %s", self.name)
 self.secret = None
 else:
@@ -321,7 +313,7 @@
 if self.checker is None:
 try:
 # In case check_command has exactly one % operator
- command = self.check_command % self.host
+ command = self.check_command % self.fqdn
 except TypeError:
 # Escape attributes for the shell
 escaped_attrs = dict((key, re.escape(str(val)))
@@ -354,7 +346,7 @@
 self.checker_callback_tag = None
 if getattr(self, "checker", None) is None:
 return
- logger.debug(u"Stopping checker for %(name)s", vars(self))
+ logger.debug("Stopping checker for %(name)s", vars(self))
 try:
 os.kill(self.checker.pid, signal.SIGTERM)
 #os.sleep(0.5)
@@ -536,16 +528,9 @@
 in6addr_any = "::"
 self.server_address = (in6addr_any, self.server_address[1])
- elif not self.server_address[1]:
+ elif self.server_address[1] is None:
 self.server_address = (self.server_address[0], 0)
-# if self.settings["interface"]:
-# self.server_address = (self.server_address[0],
-# 0, # port
-# 0, # flowinfo
-# if_nametoindex
-# (self.settings
-# ["interface"]))
 return super(type(self), self).server_bind()
@@ -658,7 +643,7 @@
 global main_loop_started
 main_loop_started = False
- parser = OptionParser(version = "%%prog %s" % version)
+ parser = OptionParser()
 parser.add_option("-i", "--interface", type="string", metavar="IF", help="Bind to interface IF")
 parser.add_option("-a", "--address", type="string",
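Review bot: `command = self.check_command % self.fqdn` in the @@ -321 hunk interpolates the configured value unescaped into the checker command, while the `except TypeError` fallback directly below runs every attribute through `re.escape()` first; both branches should treat the value the same way, e.g. `command = self.check_command % re.escape(str(self.fqdn))`. The value comes from the administrator's clients.conf rather than from the network, so the exposure is a mistyped or hostile config, but as written the escaping guarantee depends on which branch happens to run, and the comment suggests the string is presumably handed to a shell. The enclosing method continues outside the hunk.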
@@ -667,7 +652,7 @@
 help="Port number to receive requests on")
 parser.add_option("--check", action="store_true", default=False, help="Run self-test")
- parser.add_option("--debug", action="store_true",
+ parser.add_option("--debug", action="store_true", default=False,
 help="Debug mode; run in foreground and log to"
 " terminal")
 parser.add_option("--priority", type="string", help="GnuTLS"
@@ -717,22 +702,10 @@
 del options
 # Now we have our good server settings in "server_settings"
- debug = server_settings["debug"]
-
- if not debug:
- syslogger.setLevel(logging.WARNING)
- console.setLevel(logging.WARNING)
-
- if server_settings["servicename"] != "Mandos":
- syslogger.setFormatter(logging.Formatter\
- ('Mandos (%s): %%(levelname)s:'
- ' %%(message)s'
- % server_settings["servicename"]))
-
 # Parse config file with clients
 client_defaults = { "timeout": "1h", "interval": "5m",
- "checker": "fping -q -- %%(host)s",
+ "checker": "fping -q -- %%(fqdn)s",
 }
 client_config = ConfigParser.SafeConfigParser(client_defaults)
 client_config.read(os.path.join(server_settings["configdir"],
@@ -756,6 +729,16 @@
 avahi.DBUS_INTERFACE_SERVER
 )
 # End of Avahi example code
+ debug = server_settings["debug"]
+
+ if debug:
+ console = logging.StreamHandler()
+ # console.setLevel(logging.DEBUG)
+ console.setFormatter(logging.Formatter\
+ ('%(levelname)s: %(message)s'))
+ logger.addHandler(console)
+ del console
+
 clients = Set()
 def remove_from_clients(client):
 clients.remove(client)
@@ -768,25 +751,10 @@
 config = dict(client_config.items(section))) for section in client_config.sections()))
- if not clients:
- logger.critical(u"No clients defined")
- sys.exit(1)
 if not debug:
- logger.removeHandler(console)
 daemon()
- pidfilename = "/var/run/mandos/mandos.pid"
- pid = os.getpid()
- try:
- pidfile = open(pidfilename, "w")
- pidfile.write(str(pid) + "\n")
- pidfile.close()
- del pidfile
- except IOError, err:
- logger.error(u"Could not write %s file with PID %d",
- pidfilename, os.getpid())
-
 def cleanup():
 "Cleanup function; run on exit"
 global group
@@ -838,7 +806,7 @@
 tcp_server.handle_request\
 (*args[2:], **kwargs) or True)
- logger.debug(u"Starting main loop")
+ logger.debug("Starting main loop")
 main_loop_started = True
 main_loop.run()
 except AvahiError, error:
=== modified file 'mandos-client.c'
--- mandos-client.c	2008-08-10 03:32:42 +0000
+++ mandos-client.c	2008-08-07 21:45:41 +0000
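Review bot: The new side of the @@ -768 hunk goes from building `clients` straight to `daemon()` with no check that any client section was read, so an empty or misnamed clients.conf yields a detached server that announces its Zeroconf service yet can serve no one; a guard before `if not debug:`, `if not clients:` / `logger.critical(u"No clients defined")` / `sys.exit(1)`, fails before the process detaches. Nothing records the daemon's PID after `daemon()` either, which leaves the init script planned in the new TODO with no reliable handle on the process; the TODO's "write PID file" item presumably covers that. The enclosing function continues outside the hunk.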
@@ -23,52 +23,35 @@
 #define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
-#include /* size_t, NULL */
-#include /* malloc(), exit(), EXIT_FAILURE,
- EXIT_SUCCESS, realloc() */
-#include /* bool, true, false */
-#include /* perror, popen(), fileno(),
- fprintf(), stderr, STDOUT_FILENO */
-#include /* DIR, opendir(), stat(), struct
- stat, waitpid(), WIFEXITED(),
- WEXITSTATUS(), wait(), pid_t,
- uid_t, gid_t, getuid(), getgid(),
- dirfd() */
-#include /* fd_set, select(), FD_ZERO(),
- FD_SET(), FD_ISSET(), FD_CLR */
-#include /* wait(), waitpid(), WIFEXITED(),
- WEXITSTATUS() */
-#include /* struct stat, stat(), S_ISREG() */
+#include /* popen(), fileno(), fprintf(),
+ stderr, STDOUT_FILENO */
 #include /* and, or, not */
+#include /* DIR, opendir(), stat(),
+ struct stat, waitpid(),
+ WIFEXITED(), WEXITSTATUS(),
+ wait() */
+#include /* wait() */
 #include /* DIR, struct dirent, opendir(),
- readdir(), closedir(), dirfd() */
+ readdir(), closedir() */
+#include /* struct stat, stat(), S_ISREG() */
 #include /* struct stat, stat(), S_ISREG(),
- fcntl(), setuid(), setgid(),
- F_GETFD, F_SETFD, FD_CLOEXEC,
- access(), pipe(), fork(), close()
- dup2, STDOUT_FILENO, _exit(),
- execv(), write(), read(),
- close() */
-#include /* fcntl(), F_GETFD, F_SETFD,
- FD_CLOEXEC */
-#include /* strtok, strlen(), strcpy(),
- strcat() */
+ fcntl() */
+#include /* fcntl() */
+#include /* NULL */
+#include /* EXIT_FAILURE */
+#include /* fd_set, select(), FD_ZERO(),
+ FD_SET(), FD_ISSET() */
+#include /* strlen(), strcpy(), strcat() */
+#include /* true */
+#include /* waitpid(), WIFEXITED(),
+ WEXITSTATUS() */
 #include /* errno */
-#include /* struct argp_option, struct
- argp_state, struct argp,
- argp_parse(), ARGP_ERR_UNKNOWN,
- ARGP_KEY_END, ARGP_KEY_ARG, error_t */
-#include /* struct sigaction, sigemptyset(),
- sigaddset(), sigaction(),
- sigprocmask(), SIG_BLOCK, SIGCHLD,
- SIG_UNBLOCK, kill() */
-#include /* errno, EBADF */
+#include /* struct argp_option,
+ struct argp_state, struct argp,
+ argp_parse() */
 #define BUFFER_SIZE 256
-const char *argp_program_version = "mandos-client 1.0";
-const char *argp_program_bug_address = "";
-
 struct process;
 typedef struct process{
@@ -147,6 +130,9 @@
 return fcntl(fd, F_SETFD, ret | FD_CLOEXEC);
 }
+const char *argp_program_version = "plugbasedclient 0.9";
+const char *argp_program_bug_address = "";
+
 process *process_list = NULL;
 /* Mark a process as completed when it exits, and save its exit
@@ -155,10 +141,6 @@
 process *proc = process_list;
 int status;
 pid_t pid = wait(&status);
- if(pid == -1){
- perror("wait");
- return;
- }
 while(proc != NULL and proc->pid != pid){
 proc = proc->next;
 }
@@ -290,12 +272,7 @@
 .args_doc = "[+PLUS_SEPARATED_OPTIONS]",
 .doc = "Mandos plugin runner -- Run plugins" };
- ret = argp_parse (&argp, argc, argv, 0, 0, &plugin_list);
- if (ret == ARGP_ERR_UNKNOWN){
- fprintf(stderr, "Unkown error while parsing arguments\n");
- exitstatus = EXIT_FAILURE;
- goto end;
- }
+ argp_parse (&argp, argc, argv, 0, 0, &plugin_list);
 if(plus_options){
 /* This is a mangled argument in the form of
@@ -319,7 +296,7 @@
 plus_argv = realloc(plus_argv, sizeof(char *) * ((unsigned int) new_argc + 1));
 if(plus_argv == NULL){
- perror("realloc");
+ perror("malloc");
 exitstatus = EXIT_FAILURE;
 goto end;
 }
@@ -327,12 +304,7 @@
 plus_argv[new_argc] = NULL;
 arg = strtok(NULL, delims); /* Get next argument */
 }
- ret = argp_parse (&argp, new_argc, plus_argv, 0, 0, &plugin_list);
- if (ret == ARGP_ERR_UNKNOWN){
- fprintf(stderr, "Unkown error while parsing arguments\n");
- exitstatus = EXIT_FAILURE;
- goto end;
- }
+ argp_parse (&argp, new_argc, plus_argv, 0, 0, &plugin_list);
 }
 if(debug){
@@ -382,11 +354,6 @@
 // All directory entries have been processed
 if(dirst == NULL){
- if (errno == EBADF){
- perror("readdir");
- exitstatus = EXIT_FAILURE;
- goto end;
- }
 break;
 }
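Review bot: `pid_t pid = wait(&status);` in the @@ -155 hunk feeds `pid` straight into the list walk with no check for `wait()` returning -1 (EINTR, or ECHILD once no child is left), so on failure the loop scans the whole list for a pid of -1 and whatever follows the hunk presumably stores a `status` that was never written; `if(pid == -1){ perror("wait"); return; }` before the `while` keeps the handler honest. The same discarded-result pattern is on the new side of the @@ -290 and @@ -327 hunks (`argp_parse()` result ignored), the @@ -382 hunk (`readdir()` returning NULL taken as end-of-directory without consulting `errno`), and the `dup2()` and `kill()` calls in the @@ -518 and @@ -725 hunks on the following lines. The new TODO's own "check return codes of all system calls" item describes exactly this, so these are the obvious first batch. The handler body continues outside the hunk.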
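Review bot: `perror("malloc")` in the @@ -319 hunk reports a failure of the `realloc()` call two lines above, so the diagnostic names the wrong function; `perror("realloc");` matches the call. On the same lines, `plus_argv = realloc(plus_argv, ...)` overwrites the only pointer to the old block when `realloc()` fails, so that block is unreachable on the `goto end` path unless `end:` exits the process outright; the usual idiom is `char **tmp = realloc(plus_argv, ...); if(tmp == NULL){ ... } plus_argv = tmp;`. The enclosing loop continues outside the hunk.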
@@ -447,12 +414,7 @@
 strcat(filename, "/"); /* Spurious warning */
 strcat(filename, dirst->d_name); /* Spurious warning */
- ret = stat(filename, &st);
- if (ret == -1){
- perror("stat");
- exitstatus = EXIT_FAILURE;
- goto end;
- }
+ stat(filename, &st);
 if (not S_ISREG(st.st_mode) or (access(filename, X_OK) != 0)){
 if(debug){
@@ -518,12 +480,7 @@
 perror("sigprocmask");
 _exit(EXIT_FAILURE);
 }
-
- ret = dup2(pipefd[1], STDOUT_FILENO); /* replace our stdout */
- if(ret == -1){
- perror("dup2");
- _exit(EXIT_FAILURE);
- }
+ dup2(pipefd[1], STDOUT_FILENO); /* replace our stdout */
 if(dirfd(dir) < 0){
 /* If dir has no file descriptor, we could not set FD_CLOEXEC
@@ -581,7 +538,7 @@
 closedir(dir);
 dir = NULL;
-
+
 if (process_list == NULL){
 fprintf(stderr, "No plugin processes started, exiting\n");
 exitstatus = EXIT_FAILURE;
@@ -606,16 +563,13 @@
 /* Bad exit by plugin */
 if(debug){
 if(WIFEXITED(proc->status)){
- fprintf(stderr, "Plugin %u exited with status %d\n",
- (unsigned int) (proc->pid),
- WEXITSTATUS(proc->status));
+ fprintf(stderr, "Plugin %d exited with status %d\n",
+ proc->pid, WEXITSTATUS(proc->status));
 } else if(WIFSIGNALED(proc->status)) {
- fprintf(stderr, "Plugin %u killed by signal %d\n",
- (unsigned int) (proc->pid),
- WTERMSIG(proc->status));
+ fprintf(stderr, "Plugin %d killed by signal %d\n",
+ proc->pid, WTERMSIG(proc->status));
 } else if(WCOREDUMP(proc->status)){
- fprintf(stderr, "Plugin %d dumped core\n",
- (unsigned int) (proc->pid));
+ fprintf(stderr, "Plugin %d dumped core\n", proc->pid);
 }
 }
 /* Remove the plugin */
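Review bot: `stat(filename, &st);` in the @@ -447 hunk discards its result, so when the call fails (a dangling symlink, or an entry removed between `readdir()` and `stat()`) the `S_ISREG(st.st_mode)` test on the next line reads a `st` that was never filled in — or, depending on where `st` is declared, still holds the previous directory entry's mode — and plugin selection becomes undefined. Checking the result, `if(stat(filename, &st) == -1){ perror("stat"); exitstatus = EXIT_FAILURE; goto end; }`, or at least skipping that entry, keeps it deterministic. The enclosing loop starts outside the hunk.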
@@ -725,11 +679,7 @@ for(process *next; process_list != NULL; process_list = next){ next = process_list->next; close(process_list->fd); - ret = kill(process_list->pid, SIGTERM); - if(ret == -1 and errno != ESRCH){ - /* set-uid proccesses migth not get closed */ - perror("kill"); - } + kill(process_list->pid, SIGTERM); free(process_list->buffer); free(process_list); } === removed file 'mandos-client.xml' --- mandos-client.xml 2008-08-10 01:10:04 +0000 +++ mandos-client.xml 1970-01-01 00:00:00 +0000 @@ -1,223 +0,0 @@ - - - - -]> - - - - &COMMANDNAME; - - &COMMANDNAME; - &VERSION; - - - Björn - Påhlsson -
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &COMMANDNAME; - 8mandos - - - - &COMMANDNAME; - - get password for encrypted rootdisk - - - - - - &COMMANDNAME; - --global-optionsOPTIONS - --options-forPLUGIN:OPTIONS - --disablePLUGIN - --groupidID - --useridID - --plugin-dirDIRECTORY - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --usage - - - &COMMANDNAME; - --version - - - - - DESCRIPTION - - &COMMANDNAME; is a plugin runner that waits - for any of its plugins to return sucessfull with a password, and - passes it to cryptsetup as stdout message. This command is not - meant to be invoked directly, but is instead meant to be run by - cryptsetup by being specified in /etc/crypttab as a keyscript - and subsequlently started in the initrd environment. See - crypttab - 5 for more information on - keyscripts. - - - - plugins is looked for in the plugins directory which by default will be - /conf/conf.d/mandos/plugins.d if not changed by option --plugin-dir. - - - - OPTIONS - - - -g,--global-options - OPTIONS - - - Global options given to all plugins as additional start - arguments. Options are specified with a -o flag followed - by a comma separated string of options. - - - - - - -o, --options-for - PLUGIN:OPTION - - - - Plugin specific options given to the plugin as additional - start arguments. Options are specified with a -o flag - followed by a comma separated string of options. - - - - - - -d, --disable - PLUGIN - - - - Disable a specific plugin - - - - - - --groupid ID - - - - Group ID the plugins will run as - - - - - - --userid ID - - - - User ID the plugins will run as - - - - - - --plugin-dir DIRECTORY - - - - Specify a different plugin directory - - - - - - --debug - - - Debug mode - - - - - - -?, --help - - - Gives a help message - - - - - - --usage - - - Gives a short usage message - - - - - - -V, --version - - - Prints the program version - - - - - -
=== removed file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2008-08-09 01:39:09 +0000 +++ mandos-clients.conf.xml 1970-01-01 00:00:00 +0000 @@ -1,250 +0,0 @@ - - - - -/etc/mandos/clients.conf"> -]> - - - - &CONFNAME; - - &CONFNAME; - &VERSION; - - - Björn - Påhlsson -
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &CONFNAME; - 5 - - - - &CONFNAME; - - Configuration file for Mandos clients - - - - - - &CONFPATH; - - - - - DESCRIPTION - - The file &CONFPATH; is the configuration file for mandos where - each client that will be abel to use the service need to be - specified. The configuration file is looked on at the startup of - the service, so to reenable timedout clients one need to only - restart the server. The format starts with a section under [] - which is eather [DEFAULT] or a client - name. Values is set through the use of VAR = VALUE pair. Values - may not be empty. - - - - - DEFAULTS - - The paramters for [DEFAULT] are: - - - - - - timeout - - - This option allows you to override the default timeout - that clients will get. By default mandos will use 1hr. - - - - - - interval - - - This option allows you to override the default interval - used between checkups for disconnected clients. By default - mandos will use 5m. - - - - - - checker - - - This option allows you to override the default shell - command that the server will use to check up if the client - is still up. By default mandos will "fping -q -- %%(host)s" - - - - - - - - - CLIENTS - - The paramters for clients are: - - - - - - fingerprint - - - This option sets the openpgp fingerprint that identifies - the public certificate that clients authenticates themself - through gnutls. The string need to be in hex-decimal form. - - - - - - secret - - - Base 64 encoded OpenPGP encrypted password encrypted by - the clients openpgp certificate. - - - - - - secfile - - - Base 64 encoded OpenPGP encrypted password encrypted by - the clients openpgp certificate as a binary file. - - - - - - host - - - Host name that can be used in for checking that the client is up. - - - - - - checker - - - Shell command that the server will use to check up if a - client is still up. - - - - - - timeout - - - Duration that a client can be down whitout be removed from - the client list. 
- - - - - - - - - EXAMPLES - - -[DEFAULT] -timeout = 1h -interval = 5m -checker = fping -q -- %%(host)s - -[example_client] -fingerprint = 7788 2722 5BA7 DE53 9C5A 7CFA 59CF F7CD BD9A 5920 - -secret = - hQIOA6QdEjBs2L/HEAf/TCyrDe5Xnm9esa+Pb/vWF9CUqfn4srzVgSu234 - REJMVv7lBSrPE2132Lmd2gqF1HeLKDJRSVxJpt6xoWOChGHg+TMyXDxK+N - Xl89vGvdU1XfhKkVm9MDLOgT5ECDPysDGHFPDhqHOSu3Kaw2DWMV/iH9vz - 3Z20erVNbdcvyBnuojcoWO/6yfB5EQO0BXp7kcyy00USA3CjD5FGZdoQGI - Tb8A/ar0tVA5crSQmaSotm6KmNLhrFnZ5BxX+TiE+eTUTqSloWRY6VAvqW - QHC7OASxK5E6RXPBuFH5IohUA2Qbk5AHt99pYvsIPX88j2rWauOokoiKZo - t/9leJ8VxO5l3wf/U64IH8bkPIoWmWZfd/nqh4uwGNbCgKMyT+AnvH7kMJ - 3i7DivfWl2mKLV0PyPHUNva0VQxX6yYjcOhj1R6fCr/at8/NSLe2OhLchz - dC+Ls9h+kvJXgF8Sisv+Wk/1RadPLFmraRlqvJwt6Ww21LpiXqXHV2mIgq - WnR98YgSvUi3TJHrUQiNc9YyBzuRo0AjgG2C9qiE3FM+Y28+iQ/sR3+bFs - zYuZKVTObqiIslwXu7imO0cvvFRgJF/6u3HNFQ4LUTGhiM3FQmC6NNlF3/ - vJM2hwRDMcJqDd54Twx90Wh+tYz0z7QMsK4ANXWHHWHR0JchnLWmenzbtW - 5MHdW9AYsNJZAQSOpirE4Xi31CSlWAi9KV+cUCmWF5zOFy1x23P6PjdaRm - 4T2zw4dxS5NswXWU0sVEXxjs6PYxuIiCTL7vdpx8QjBkrPWDrAbcMyBr2O - QlnHIvPzEArRQLo= - =iHhv - -host = localhost -interval = 5m - - - - - - FILES - - The file described here is &CONFPATH; - - -
=== modified file 'mandos.conf' --- mandos.conf 2008-08-09 01:39:09 +0000 +++ mandos.conf 2008-08-07 21:45:41 +0000 @@ -1,38 +1,7 @@ -# This file must have exactly one section named "server". [server] - -# These are the default values for the server, uncomment and change -# them if needed. - - -# If "interface" is set, the server will only listen to a specific -# network interface. -;interface = - - -# If "address" is set, the server will only listen to a specific -# address. This must currently be an IPv6 address; an IPv4 address -# can be specified using the "::FFFF:192.0.2.3" syntax. Also, if this -# is a link-local address, an interface should be set above. -;address = - - -# If "port" is set, the server to bind to that port. By default, the -# server will listen to an arbitrary port. -;port = - - -# If "debug" is true, the server will run in the foreground and print -# a lot of debugging information. -;debug = False - - -# GnuTLS priority for the TLS handshake. See gnutls_priority_init(3). -;priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP - - -# Zeroconf service name. You need to change this if you for some -# reason want to run more than one server on the same *host*. -# If there are name collisions on the same *network*, the server will -# rename itself to "Mandos #2", etc. -;servicename = Mandos +#interface = +#address = +#port = +#debug = +#priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP +#servicename = Mandos === removed file 'mandos.conf.xml' --- mandos.conf.xml 2008-08-08 01:31:58 +0000 +++ mandos.conf.xml 1970-01-01 00:00:00 +0000 @@ -1,189 +0,0 @@ - - - - -/etc/mandos/mandos.conf"> -]> - - - - &CONFNAME; - - &CONFNAME; - &VERSION; - - - Björn - Påhlsson -
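Review bot: The new mandos.conf keeps only bare `#key =` lines, so nothing in the shipped file says what `interface`, `address`, `port`, `debug` or `priority` do, nor that the `[server]` section header is required; the constraints the removed comments described (an IPv6-only `address`, the `::FFFF:` mapping for IPv4, a link-local address needing `interface`) are no longer recorded anywhere if they still hold. A one-line comment above each key, e.g. `# Listen only on this address; see the man page for the accepted forms`, would keep those constraints next to the setting they apply to.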
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &CONFNAME; - 5 - - - - &CONFNAME; - - Configuration file for Mandos - - - - - - &CONFPATH; - - - - - DESCRIPTION - - The file &CONFPATH; is a simple configuration file for mandos - and is looked on at startup of the service. The configuration - file must start with [server]. The format for - the rest is a simple VAR = VALUE pair. Values may not be empty. - - - - The paramters are: - - - - - interface - - - This option allows you to override the default network - interfaces. By default mandos will not bind to any - specific interface but instead use default avahi-server - behaviour. - - - - - - address - - - This option allows you to override the default network - address. By default mandos will not bind to any - specific address but instead use default avahi-server - behaviour. - - - - - - port - - - This option allows you to override the default port to - listen on. By default mandos will not specify any specific - port and instead use a random port given by the OS from - the use of INADDR_ANY. - - - - - - debug - - - This option allows you to modify debug mode with a true/false - boolean value. By default is debug set to false. - - - - - - priority - - - This option allows you to override the default gnutls - priority that will be used in gnutls session. See - gnutls_priority_init - 3for - more information on gnutls priority strings. - - - - - - servicename - - - This option allows you to override the default Zeroconf - service name use to announce mandos as a avahi service. By - default mandos will use "Mandos". - - - - - - - - - EXAMPLES - - - [server] - # A configuration example - interface = eth0 - address = 2001:DB8: - port = 1025 - debug = true - priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP - servicename = Mandos - - - - - - FILES - - The file described here is &CONFPATH; - - -
=== removed file 'mandos.xml' --- mandos.xml 2008-08-10 00:18:25 +0000 +++ mandos.xml 1970-01-01 00:00:00 +0000 @@ -1,209 +0,0 @@ - - - - -]> - - - - &COMMANDNAME; - - &COMMANDNAME; - &VERSION; - - - Björn - Påhlsson -
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &COMMANDNAME; - 8 - - - - &COMMANDNAME; - - Sends encrypted passwords to authenticated mandos clients - - - - - - &COMMANDNAME; - --interfaceIF - --addressADDRESS - --portPORT - --priorityPRIORITY - --servicenameNAME - --configdirDIRECTORY - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --version - - - &COMMANDNAME; - --check - - - - - DESCRIPTION - - &COMMANDNAME; is a server daemon that handels - incomming passwords request for passwords. Mandos use avahi to - announce the service, and through gnutls authenticates - clients. Any authenticated client is then given its encrypted - password. - - - - - -h, --help - - - show a help message and exit - - - - - - -i, --interface - IF - - - Bind to interface IF - - - - - - -a, --address - ADDRESS - - - Address to listen for requests on - - - - - - -p, --port - PORT - - - Port number to receive requests on - - - - - - --check - - - Run self-test on the server - - - - - - --debug - - - Debug mode - - - - - - --priority - PRIORITY - - - GnuTLS priority string. See - gnutls_priority_init - 3 - - - - - - --servicename NAME - - - - Zeroconf service name - - - - - - --configdir DIR - - - - Directory to search for configuration files - - - - - - --version - - - Prints the program version - - - - - - -
=== modified file 'plugins.d/password-prompt.c' --- plugins.d/password-prompt.c 2008-08-10 00:21:08 +0000 +++ plugins.d/password-prompt.c 2008-08-07 21:45:41 +0000 @@ -33,7 +33,7 @@ sigaction, sigemptyset(), sigaction(), sigaddset(), SIGINT, SIGQUIT, SIGHUP, SIGTERM */ -#include /* NULL, size_t, ssize_t */ +#include /* NULL, size_t */ #include /* ssize_t */ #include /* EXIT_SUCCESS, EXIT_FAILURE, getopt_long */ @@ -44,15 +44,13 @@ #include /* or, not */ #include /* bool, false, true */ #include /* strlen, rindex, strncmp, strcmp */ -#include /* struct argp_option, struct - argp_state, struct argp, - argp_parse(), error_t, - ARGP_KEY_ARG, ARGP_KEY_END, - ARGP_ERR_UNKNOWN */ +#include /* struct argp_option, + struct argp_state, struct argp, + argp_parse() */ volatile bool quit_now = false; bool debug = false; -const char *argp_program_version = "password-prompt 1.0"; +const char *argp_program_version = "passprompt 0.9"; const char *argp_program_bug_address = ""; static void termination_handler(__attribute__((unused))int signum){ @@ -103,11 +101,7 @@ struct argp argp = { .options = options, .parser = parse_opt, .args_doc = "", .doc = "Mandos Passprompt -- Provides a passprompt" }; - ret = argp_parse (&argp, argc, argv, 0, 0, NULL); - if (ret == ARGP_ERR_UNKNOWN){ - fprintf(stderr, "Unkown error while parsing arguments\n"); - return EXIT_FAILURE; - } + argp_parse (&argp, argc, argv, 0, 0, NULL); } if (debug){ 
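Review bot: In the `@@ -103,11 +101,7 @@` hunk the return value of `argp_parse` is discarded, so an error other than an unknown option or argument (which argp reports and exits on itself when called with flags 0) lets the program continue with partially parsed options. If `ret` is no longer assigned anywhere else in this scope it will also draw an unused-variable warning under the project's `$(WARN)` flags; its other uses are not visible in the hunk. I would keep the result and fail closed, `ret = argp_parse(&argp, argc, argv, 0, 0, NULL); if(ret != 0){ fprintf(stderr, "argp_parse: %s\n", strerror(ret)); return EXIT_FAILURE; }`, with `strerror` coming from the string.h include already listed above. The enclosing main() starts before the hunk.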
@@ -125,43 +119,16 @@ sigaddset(&new_action.sa_mask, SIGINT); sigaddset(&new_action.sa_mask, SIGHUP); sigaddset(&new_action.sa_mask, SIGTERM); - ret = sigaction(SIGINT, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGINT, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGHUP, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGHUP, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGTERM, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGTERM, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - return EXIT_FAILURE; - } - } - + sigaction(SIGINT, NULL, &old_action); + if (old_action.sa_handler != SIG_IGN) + sigaction(SIGINT, &new_action, NULL); + sigaction(SIGHUP, NULL, &old_action); + if (old_action.sa_handler != SIG_IGN) + sigaction(SIGHUP, &new_action, NULL); + sigaction(SIGTERM, NULL, &old_action); + if (old_action.sa_handler != SIG_IGN) + sigaction(SIGTERM, &new_action, NULL); + if (debug){ fprintf(stderr, "Removing echo flag from terminal attributes\n"); === removed file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2008-08-10 00:07:24 +0000 +++ plugins.d/password-prompt.xml 1970-01-01 00:00:00 +0000 @@ -1,153 +0,0 @@ - - - - -]> - - - - &COMMANDNAME; - - &COMMANDNAME; - &VERSION; - - - Björn - Påhlsson -
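Review bot: The `sigaction()` return values are no longer checked in the `@@ -125,43 +119,16 @@` hunk; if the query call `sigaction(SIGINT, NULL, &old_action)` fails, `old_action` is left uninitialised and the following `old_action.sa_handler != SIG_IGN` compares indeterminate memory, and a failed install leaves `termination_handler` absent with no diagnostic. For a program that disables terminal echo to read a password, silently running without the handler that is presumably meant to restore the terminal is the wrong failure mode (the echo-restoring code is outside this hunk, so that role is inferred from the handler's name). Keep the checks for each signal, e.g. `if(sigaction(SIGINT, NULL, &old_action) == -1){ perror("sigaction"); return EXIT_FAILURE; }` and the same around the install call when the old handler is not `SIG_IGN`. The enclosing main() starts before the hunk.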
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &COMMANDNAME; - 8mandos - - - - &COMMANDNAME; - - Passprompt for luks during boot sequence - - - - - - &COMMANDNAME; - --prefixPREFIX - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --usage - - - &COMMANDNAME; - --version - - - - - DESCRIPTION - - &COMMANDNAME; is a terminal program that ask for - passwords during boot sequence. It is a plugin to - mandos, and is used as a fallback and - alternative to retriving passwords from a mandos server. During - boot sequence the user is prompted for the disk password, and - when a password is given it then gets forwarded to - LUKS. - - - - - -p, --prefix=PREFIX - - - - Prefix used before the passprompt - - - - - - --debug - - - Debug mode - - - - - - -?, --help - - - Gives a help message - - - - - - --usage - - - Gives a short usage message - - - - - - -V, --version - - - Prints the program version - - - - - -
=== modified file 'plugins.d/password-request.c' --- plugins.d/password-request.c 2008-08-10 03:32:42 +0000 +++ plugins.d/password-request.c 2008-08-07 21:45:41 +0000 @@ -34,47 +34,16 @@ #define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */ -#include /* fprintf(), stderr, fwrite(), stdout, - ferror() */ -#include /* uint16_t, uint32_t */ -#include /* NULL, size_t, ssize_t */ -#include /* free(), EXIT_SUCCESS, EXIT_FAILURE, - srand() */ -#include /* bool, true */ -#include /* memset(), strcmp(), strlen(), - strerror(), memcpy(), strcpy() */ -#include /* ioctl */ -#include /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS, - IFF_UP */ -#include /* socket(), inet_pton(), sockaddr, - sockaddr_in6, PF_INET6, - SOCK_STREAM, INET6_ADDRSTRLEN, - uid_t, gid_t */ -#include /* PRIu16 */ -#include /* socket(), struct sockaddr_in6, - struct in6_addr, inet_pton(), - connect() */ -#include /* assert() */ -#include /* perror(), errno */ -#include /* time() */ +#include +#include +#include +#include +#include /* if_nametoindex */ +#include /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, + SIOCSIFFLAGS */ #include /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, - SIOCSIFFLAGS, if_indextoname(), - if_nametoindex(), IF_NAMESIZE */ -#include /* close(), SEEK_SET, off_t, write(), - getuid(), getgid(), setuid(), - setgid() */ -#include -#include /* inet_pton(), htons */ -#include /* not, and */ -#include /* struct argp_option, error_t, struct - argp_state, struct argp, - argp_parse(), ARGP_KEY_ARG, - ARGP_KEY_END, ARGP_ERR_UNKNOWN */ + SIOCSIFFLAGS */ -/* Avahi */ -/* All Avahi types, constants and functions - Avahi*, avahi_*, - AVAHI_* */ #include #include #include 
@@ -82,26 +51,33 @@ #include #include -/* GnuTLS */ -#include /* All GnuTLS types, constants and functions - gnutls_* - init_gnutls_session(), - GNUTLS_* */ -#include /* gnutls_certificate_set_openpgp_key_file(), - GNUTLS_OPENPGP_FMT_BASE64 */ +/* Mandos client part */ +#include /* socket(), inet_pton() */ +#include /* socket(), struct sockaddr_in6, + struct in6_addr, inet_pton() */ +#include /* All GnuTLS stuff */ +#include /* GnuTLS with openpgp stuff */ +#include /* close() */ +#include +#include /* true */ +#include /* memset */ +#include /* inet_pton() */ +#include /* not */ +#include /* IF_NAMESIZE */ +#include /* struct argp_option, + struct argp_state, struct argp, + argp_parse() */ /* GPGME */ -#include /* All GPGME types, constants and functions - gpgme_* - GPGME_PROTOCOL_OpenPGP, - GPG_ERR_NO_* */ +#include /* perror() */ +#include #define BUFFER_SIZE 256 bool debug = false; static const char *keydir = "/conf/conf.d/mandos"; static const char mandos_protocol_version[] = "1"; -const char *argp_program_version = "password-request 1.0"; +const char *argp_program_version = "mandosclient 0.9"; const char *argp_program_bug_address = ""; /* Used for passing in values through the Avahi callback functions */ @@ -229,7 +205,7 @@ } else { fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); - fprintf(stderr, "Wrong key usage: %u\n", + fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); if(result->file_name != NULL){ fprintf(stderr, "File name: %s\n", result->file_name); @@ -322,9 +298,9 @@ if(debug){ fprintf(stderr, "Initializing GnuTLS\n"); } - - ret = gnutls_global_init(); - if (ret != GNUTLS_E_SUCCESS) { + + if ((ret = gnutls_global_init ()) + != GNUTLS_E_SUCCESS) { fprintf (stderr, "GnuTLS global_init: %s\n", safer_gnutls_strerror(ret)); return -1; 
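Review bot: The `@@ -322,9 +298,9 @@` hunk folds the assignment into the condition, `if ((ret = gnutls_global_init ()) != GNUTLS_E_SUCCESS) {`, which is harder to read than the two-statement form it replaces and is exactly the shape that parenthesised-assignment diagnostics exist to flag; `ret = gnutls_global_init(); if (ret != GNUTLS_E_SUCCESS) {` says the same thing without the nesting. The same pattern is introduced for `gnutls_certificate_allocate_credentials` in the following hunk of this file. This is a style point only; the error path and the `return -1` are unchanged. The enclosing function starts before the hunk.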
@@ -339,8 +315,8 @@ } /* OpenPGP credentials */ - gnutls_certificate_allocate_credentials(&mc->cred); - if (ret != GNUTLS_E_SUCCESS){ + if ((ret = gnutls_certificate_allocate_credentials (&mc->cred)) + != GNUTLS_E_SUCCESS) { fprintf (stderr, "GnuTLS memory error: %s\n", safer_gnutls_strerror(ret)); gnutls_global_deinit (); @@ -384,8 +360,8 @@ globalfail: - gnutls_certificate_free_credentials(mc->cred); - gnutls_global_deinit(); + gnutls_certificate_free_credentials (mc->cred); + gnutls_global_deinit (); return -1; } @@ -456,8 +432,8 @@ } if(debug){ - fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16 - "\n", ip, port); + fprintf(stderr, "Setting up a tcp connection to %s, port %d\n", + ip, port); } tcp_sd = socket(PF_INET6, SOCK_STREAM, 0); @@ -492,8 +468,7 @@ to.in6.sin6_scope_id = (uint32_t)if_index; if(debug){ - fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip, - port); + fprintf(stderr, "Connection to: %s, port %d\n", ip, port); char addrstr[INET6_ADDRSTRLEN] = ""; if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr, sizeof(addrstr)) == NULL){ @@ -540,10 +515,8 @@ } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd); - - do{ - ret = gnutls_handshake (session); - } while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED); + + ret = gnutls_handshake (session); if (ret != GNUTLS_E_SUCCESS){ if(debug){ @@ -581,9 +554,7 @@ case GNUTLS_E_AGAIN: break; case GNUTLS_E_REHANDSHAKE: - do{ - ret = gnutls_handshake (session); - } while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED); + ret = gnutls_handshake (session); if (ret < 0){ fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n"); gnutls_perror (ret); 
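Review bot: The `@@ -540,10 +515,8 @@` and `@@ -581,9 +554,7 @@` hunks replace the retry loop with a single `ret = gnutls_handshake (session);`, so a handshake that returns `GNUTLS_E_AGAIN` or `GNUTLS_E_INTERRUPTED` (for instance a signal arriving mid-handshake) is treated as a fatal failure and the password fetch from that server is abandoned instead of resumed. GnuTLS documents both codes as non-fatal and expects the caller to call `gnutls_handshake()` again, which is what the removed loop did for both the initial handshake and the `GNUTLS_E_REHANDSHAKE` case. Restore the loop in both places: `do { ret = gnutls_handshake(session); } while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);` (the `or` spelling is already used by this file, per the removed lines). The enclosing function, presumably the one called as `start_mandos_communication` from the resolve callback, begins before the hunk.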
@@ -678,9 +649,8 @@ char ip[AVAHI_ADDRESS_STR_MAX]; avahi_address_snprint(ip, sizeof(ip), address); if(debug){ - fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %" - PRIu16 ") on port %d\n", name, host_name, ip, - interface, port); + fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on" + " port %d\n", name, host_name, ip, interface, port); } int ret = start_mandos_communication(ip, port, interface, mc); if (ret == 0){ @@ -865,12 +835,7 @@ .args_doc = "", .doc = "Mandos client -- Get and decrypt" " passwords from mandos server" }; - ret = argp_parse (&argp, argc, argv, 0, 0, NULL); - if (ret == ARGP_ERR_UNKNOWN){ - fprintf(stderr, "Unkown error while parsing arguments\n"); - exitcode = EXIT_FAILURE; - goto end; - } + argp_parse (&argp, argc, argv, 0, 0, NULL); } pubkeyfile = combinepath(keydir, pubkeyfile); @@ -1048,7 +1013,7 @@ free(seckeyfile); if (gnutls_initalized){ - gnutls_certificate_free_credentials(mc.cred); + gnutls_certificate_free_credentials (mc.cred); gnutls_global_deinit (); } === removed file 'plugins.d/password-request.xml' --- plugins.d/password-request.xml 2008-08-10 00:07:24 +0000 +++ plugins.d/password-request.xml 1970-01-01 00:00:00 +0000 @@ -1,217 +0,0 @@ - - - - -]> - - - - &COMMANDNAME; - - &COMMANDNAME; - &VERSION; - - - Björn - Påhlsson -
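Review bot: In the `@@ -865,12 +835,7 @@` hunk the `argp_parse` result is dropped and the `goto end` cleanup path is no longer taken on a parse error, so the client proceeds to `combinepath(keydir, pubkeyfile)` and the key loading with whatever options were parsed before the failure. With flags 0, argp only exits on its own for unknown options or arguments; any other error code the option parser returns is handed back to the caller and is now ignored. I would keep the previous shape, `ret = argp_parse(&argp, argc, argv, 0, 0, NULL); if(ret != 0){ fprintf(stderr, "argp_parse: %s\n", strerror(ret)); exitcode = EXIT_FAILURE; goto end; }`, so the `end:` cleanup still frees what has been allocated. The enclosing main() and its `end:` label are outside the hunk.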
- belorn@fukt.bsnet.se -
-
- - Teddy - Hogeborn -
- teddy@fukt.bsnet.se -
-
-
- - 2008 - Teddy Hogeborn & Björn Påhlsson - - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - -
- - - &COMMANDNAME; - 8mandos - - - - &COMMANDNAME; - - Client for mandos - - - - - - &COMMANDNAME; - --connectIP - --keydirKEYDIR - --interfaceINTERFACE - --pubkeyPUBKEY - --seckeySECKEY - --priorityPRIORITY - --dh-bitsBITS - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --usage - - - &COMMANDNAME; - --version - - - - - DESCRIPTION - - &COMMANDNAME; is a mandos plugin that works - like a client program that through avahi detects mandos servers, - sets up a gnutls connect and request a encrypted password. Any - passwords given is automaticly decrypted and passed to - cryptsetup. - - - - - -c, --connect= - IP - - - Connect directly to a sepcified mandos server - - - - - - -d, --keydir= - KEYDIR - - - Directory where the openpgp keyring is - - - - - - -i, --interface= - INTERFACE - - - Interface that Avahi will conntect through - - - - - - -p, --pubkey= - PUBKEY - - - Public openpgp key for gnutls authentication - - - - - - -s, --seckey= - SECKEY - - - Secret openpgp key for gnutls authentication - - - - - - --priority=PRIORITY - - - - GNUTLS priority - - - - - - --dh-bits=BITS - - - - dh-bits to use in gnutls communication - - - - - - --debug - - - Debug mode - - - - - - -?, --help - - - Gives a help message - - - - - - --usage - - - Gives a short usage message - - - - - - -V, --version - - - Prints the program version - - - - - -