To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 110
- compare with another revision
- download diff
- download tarball
- view history from revision 110
- Committer: Teddy Hogeborn
- Date: 2008-08-29 05:53:59 UTC
- Revision ID: teddy@fukt.bsnet.se-20080829055359-wkdasnyxtylmnxus
* mandos.xml (EXAMPLE): Replaced all occurences of command name with
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
plugins.d/password-request.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008-2011 Teddy Hogeborn
13
* Copyright © 2008-2011 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
34
40
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
36
42
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
38
stdout, ferror() */
44
39
#include <stdint.h> /* uint16_t, uint32_t */
45
40
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
49
44
#include <string.h> /* memset(), strcmp(), strlen(),
50
45
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
46
#include <sys/ioctl.h> /* ioctl */
52
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
48
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
57
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
53
struct in6_addr, inet_pton(),
54
connect() */
64
55
#include <assert.h> /* assert() */
65
56
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time(), sleep() */
57
#include <time.h> /* time() */
67
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
59
SIOCSIFFLAGS, if_indextoname(),
69
60
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
76
65
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
66
#include <iso646.h> /* not, and */
78
67
#include <argp.h> /* struct argp_option, error_t, struct
79
68
argp_state, struct argp,
80
69
argp_parse(), ARGP_KEY_ARG,
81
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
86
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
87
88
#ifdef __linux__
89
#include <sys/klog.h> /* klogctl() */
90
#endif /* __linux__ */
91
71
92
72
/* Avahi */
93
73
/* All Avahi types, constants and functions
106
86
gnutls_*
107
87
init_gnutls_session(),
108
88
GNUTLS_* */
109
#include <gnutls/openpgp.h>
110
/* gnutls_certificate_set_openpgp_key_file(),
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
111
90
GNUTLS_OPENPGP_FMT_BASE64 */
112
91
113
92
/* GPGME */
119
98
120
99
#define BUFFER_SIZE 256
121
100
122
#define PATHDIR "/conf/conf.d/mandos"
123
#define SECKEY "seckey.txt"
124
#define PUBKEY "pubkey.txt"
125
126
101
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
127
103
static const char mandos_protocol_version[] = "1";
128
const char *argp_program_version = "mandos-client " VERSION;
104
const char *argp_program_version = "password-request 1.0";
129
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
130
static const char sys_class_net[] = "/sys/class/net";
131
char *connect_to = NULL;
132
106
133
107
/* Used for passing in values through the Avahi callback functions */
134
108
typedef struct {
138
112
unsigned int dh_bits;
139
113
gnutls_dh_params_t dh_params;
140
114
const char *priority;
141
gpgme_ctx_t ctx;
142
115
} mandos_context;
143
116
144
/* global context so signal handler can reach it*/
145
mandos_context mc = { .simple_poll = NULL, .server = NULL,
146
.dh_bits = 1024, .priority = "SECURE256"
147
":!CTYPE-X.509:+CTYPE-OPENPGP" };
148
149
sig_atomic_t quit_now = 0;
150
int signal_received = 0;
151
152
117
/*
153
* Make additional room in "buffer" for at least BUFFER_SIZE more
154
* bytes. "buffer_capacity" is how much is currently allocated,
118
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
119
* "buffer_capacity" is how much is currently allocated,
155
120
* "buffer_length" is how much is already used.
156
121
*/
157
size_t incbuffer(char **buffer, size_t buffer_length,
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
158
123
size_t buffer_capacity){
159
if(buffer_length + BUFFER_SIZE > buffer_capacity){
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
160
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
161
if(buffer == NULL){
126
if (buffer == NULL){
162
127
return 0;
163
128
}
164
129
buffer_capacity += BUFFER_SIZE;
167
132
}
168
133
169
134
/*
170
* Initialize GPGME.
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
171
137
*/
172
static bool init_gpgme(const char *seckey,
173
const char *pubkey, const char *tempdir){
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
141
const char *homedir){
142
gpgme_data_t dh_crypto, dh_plain;
143
gpgme_ctx_t ctx;
174
144
gpgme_error_t rc;
145
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
175
148
gpgme_engine_info_t engine_info;
176
149
177
178
/*
179
* Helper function to insert pub and seckey to the engine keyring.
180
*/
181
bool import_key(const char *filename){
182
int ret;
183
int fd;
184
gpgme_data_t pgp_data;
185
186
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
187
if(fd == -1){
188
perror("open");
189
return false;
190
}
191
192
rc = gpgme_data_new_from_fd(&pgp_data, fd);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
rc = gpgme_op_import(mc.ctx, pgp_data);
200
if(rc != GPG_ERR_NO_ERROR){
201
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
202
gpgme_strsource(rc), gpgme_strerror(rc));
203
return false;
204
}
205
206
ret = (int)TEMP_FAILURE_RETRY(close(fd));
207
if(ret == -1){
208
perror("close");
209
}
210
gpgme_data_release(pgp_data);
211
return true;
212
}
213
214
if(debug){
215
fprintf(stderr, "Initializing GPGME\n");
150
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
216
152
}
217
153
218
154
/* Init GPGME */
219
155
gpgme_check_version(NULL);
220
156
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
221
if(rc != GPG_ERR_NO_ERROR){
157
if (rc != GPG_ERR_NO_ERROR){
222
158
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
223
159
gpgme_strsource(rc), gpgme_strerror(rc));
224
return false;
160
return -1;
225
161
}
226
162
227
/* Set GPGME home directory for the OpenPGP engine only */
228
rc = gpgme_get_engine_info(&engine_info);
229
if(rc != GPG_ERR_NO_ERROR){
163
/* Set GPGME home directory for the OpenPGP engine only */
164
rc = gpgme_get_engine_info (&engine_info);
165
if (rc != GPG_ERR_NO_ERROR){
230
166
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
231
167
gpgme_strsource(rc), gpgme_strerror(rc));
232
return false;
168
return -1;
233
169
}
234
170
while(engine_info != NULL){
235
171
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
236
172
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
237
engine_info->file_name, tempdir);
173
engine_info->file_name, homedir);
238
174
break;
239
175
}
240
176
engine_info = engine_info->next;
241
177
}
242
178
if(engine_info == NULL){
243
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
244
return false;
245
}
246
247
/* Create new GPGME "context" */
248
rc = gpgme_new(&(mc.ctx));
249
if(rc != GPG_ERR_NO_ERROR){
250
fprintf(stderr, "bad gpgme_new: %s: %s\n",
251
gpgme_strsource(rc), gpgme_strerror(rc));
252
return false;
253
}
254
255
if(not import_key(pubkey) or not import_key(seckey)){
256
return false;
257
}
258
259
return true;
260
}
261
262
/*
263
* Decrypt OpenPGP data.
264
* Returns -1 on error
265
*/
266
static ssize_t pgp_packet_decrypt(const char *cryptotext,
267
size_t crypto_size,
268
char **plaintext){
269
gpgme_data_t dh_crypto, dh_plain;
270
gpgme_error_t rc;
271
ssize_t ret;
272
size_t plaintext_capacity = 0;
273
ssize_t plaintext_length = 0;
274
275
if(debug){
276
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
180
return -1;
277
181
}
278
182
279
183
/* Create new GPGME data buffer from memory cryptotext */
280
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
281
185
0);
282
if(rc != GPG_ERR_NO_ERROR){
186
if (rc != GPG_ERR_NO_ERROR){
283
187
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
284
188
gpgme_strsource(rc), gpgme_strerror(rc));
285
189
return -1;
287
191
288
192
/* Create new empty GPGME data buffer for the plaintext */
289
193
rc = gpgme_data_new(&dh_plain);
290
if(rc != GPG_ERR_NO_ERROR){
194
if (rc != GPG_ERR_NO_ERROR){
291
195
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
292
196
gpgme_strsource(rc), gpgme_strerror(rc));
293
197
gpgme_data_release(dh_crypto);
294
198
return -1;
295
199
}
296
200
201
/* Create new GPGME "context" */
202
rc = gpgme_new(&ctx);
203
if (rc != GPG_ERR_NO_ERROR){
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
208
}
209
297
210
/* Decrypt data from the cryptotext data buffer to the plaintext
298
211
data buffer */
299
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
300
if(rc != GPG_ERR_NO_ERROR){
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
213
if (rc != GPG_ERR_NO_ERROR){
301
214
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
302
215
gpgme_strsource(rc), gpgme_strerror(rc));
303
216
plaintext_length = -1;
304
if(debug){
217
if (debug){
305
218
gpgme_decrypt_result_t result;
306
result = gpgme_op_decrypt_result(mc.ctx);
307
if(result == NULL){
219
result = gpgme_op_decrypt_result(ctx);
220
if (result == NULL){
308
221
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
309
222
} else {
310
223
fprintf(stderr, "Unsupported algorithm: %s\n",
316
229
}
317
230
gpgme_recipient_t recipient;
318
231
recipient = result->recipients;
319
while(recipient != NULL){
320
fprintf(stderr, "Public key algorithm: %s\n",
321
gpgme_pubkey_algo_name(recipient->pubkey_algo));
322
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
323
fprintf(stderr, "Secret key available: %s\n",
324
recipient->status == GPG_ERR_NO_SECKEY
325
? "No" : "Yes");
326
recipient = recipient->next;
232
if(recipient){
233
while(recipient != NULL){
234
fprintf(stderr, "Public key algorithm: %s\n",
235
gpgme_pubkey_algo_name(recipient->pubkey_algo));
236
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
237
fprintf(stderr, "Secret key available: %s\n",
238
recipient->status == GPG_ERR_NO_SECKEY
239
? "No" : "Yes");
240
recipient = recipient->next;
241
}
327
242
}
328
243
}
329
244
}
335
250
}
336
251
337
252
/* Seek back to the beginning of the GPGME plaintext data buffer */
338
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
339
perror("gpgme_data_seek");
253
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
perror("pgpme_data_seek");
340
255
plaintext_length = -1;
341
256
goto decrypt_end;
342
257
}
343
258
344
259
*plaintext = NULL;
345
260
while(true){
346
plaintext_capacity = incbuffer(plaintext,
261
plaintext_capacity = adjustbuffer(plaintext,
347
262
(size_t)plaintext_length,
348
263
plaintext_capacity);
349
if(plaintext_capacity == 0){
350
perror("incbuffer");
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
351
266
plaintext_length = -1;
352
267
goto decrypt_end;
353
268
}
355
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
356
271
BUFFER_SIZE);
357
272
/* Print the data, if any */
358
if(ret == 0){
273
if (ret == 0){
359
274
/* EOF */
360
275
break;
361
276
}
366
281
}
367
282
plaintext_length += ret;
368
283
}
369
284
370
285
if(debug){
371
286
fprintf(stderr, "Decrypted password is: ");
372
287
for(ssize_t i = 0; i < plaintext_length; i++){
385
300
return plaintext_length;
386
301
}
387
302
388
static const char * safer_gnutls_strerror(int value){
389
const char *ret = gnutls_strerror(value); /* Spurious warning from
390
-Wunreachable-code */
391
if(ret == NULL)
303
static const char * safer_gnutls_strerror (int value) {
304
const char *ret = gnutls_strerror (value); /* Spurious warning */
305
if (ret == NULL)
392
306
ret = "(unknown)";
393
307
return ret;
394
308
}
399
313
fprintf(stderr, "GnuTLS: %s", string);
400
314
}
401
315
402
static int init_gnutls_global(const char *pubkeyfilename,
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfilename,
403
318
const char *seckeyfilename){
404
319
int ret;
405
320
408
323
}
409
324
410
325
ret = gnutls_global_init();
411
if(ret != GNUTLS_E_SUCCESS){
412
fprintf(stderr, "GnuTLS global_init: %s\n",
413
safer_gnutls_strerror(ret));
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
414
329
return -1;
415
330
}
416
331
417
if(debug){
332
if (debug){
418
333
/* "Use a log level over 10 to enable all debugging options."
419
334
* - GnuTLS manual
420
335
*/
423
338
}
424
339
425
340
/* OpenPGP credentials */
426
gnutls_certificate_allocate_credentials(&mc.cred);
427
if(ret != GNUTLS_E_SUCCESS){
428
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
429
from
430
-Wunreachable-code
431
*/
432
safer_gnutls_strerror(ret));
433
gnutls_global_deinit();
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
344
warning */
345
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
434
347
return -1;
435
348
}
436
349
437
350
if(debug){
438
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
439
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
440
353
seckeyfilename);
441
354
}
442
355
443
356
ret = gnutls_certificate_set_openpgp_key_file
444
(mc.cred, pubkeyfilename, seckeyfilename,
357
(mc->cred, pubkeyfilename, seckeyfilename,
445
358
GNUTLS_OPENPGP_FMT_BASE64);
446
if(ret != GNUTLS_E_SUCCESS){
359
if (ret != GNUTLS_E_SUCCESS) {
447
360
fprintf(stderr,
448
361
"Error[%d] while reading the OpenPGP key pair ('%s',"
449
362
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
450
fprintf(stderr, "The GnuTLS error is: %s\n",
363
fprintf(stdout, "The GnuTLS error is: %s\n",
451
364
safer_gnutls_strerror(ret));
452
365
goto globalfail;
453
366
}
454
367
455
368
/* GnuTLS server initialization */
456
ret = gnutls_dh_params_init(&mc.dh_params);
457
if(ret != GNUTLS_E_SUCCESS){
458
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
459
" %s\n", safer_gnutls_strerror(ret));
460
goto globalfail;
461
}
462
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
463
if(ret != GNUTLS_E_SUCCESS){
464
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
465
safer_gnutls_strerror(ret));
466
goto globalfail;
467
}
468
469
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
470
369
ret = gnutls_dh_params_init(&mc->dh_params);
370
if (ret != GNUTLS_E_SUCCESS) {
371
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
372
" %s\n", safer_gnutls_strerror(ret));
373
goto globalfail;
374
}
375
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
376
if (ret != GNUTLS_E_SUCCESS) {
377
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
378
safer_gnutls_strerror(ret));
379
goto globalfail;
380
}
381
382
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
383
471
384
return 0;
472
385
473
386
globalfail:
474
475
gnutls_certificate_free_credentials(mc.cred);
387
388
gnutls_certificate_free_credentials(mc->cred);
476
389
gnutls_global_deinit();
477
gnutls_dh_params_deinit(mc.dh_params);
478
390
return -1;
391
479
392
}
480
393
481
static int init_gnutls_session(gnutls_session_t *session){
394
static int init_gnutls_session(mandos_context *mc,
395
gnutls_session_t *session){
482
396
int ret;
483
397
/* GnuTLS session creation */
484
do {
485
ret = gnutls_init(session, GNUTLS_SERVER);
486
if(quit_now){
487
return -1;
488
}
489
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
490
if(ret != GNUTLS_E_SUCCESS){
398
ret = gnutls_init(session, GNUTLS_SERVER);
399
if (ret != GNUTLS_E_SUCCESS){
491
400
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
492
401
safer_gnutls_strerror(ret));
493
402
}
494
403
495
404
{
496
405
const char *err;
497
do {
498
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
499
if(quit_now){
500
gnutls_deinit(*session);
501
return -1;
502
}
503
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
504
if(ret != GNUTLS_E_SUCCESS){
406
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
407
if (ret != GNUTLS_E_SUCCESS) {
505
408
fprintf(stderr, "Syntax error at: %s\n", err);
506
409
fprintf(stderr, "GnuTLS error: %s\n",
507
410
safer_gnutls_strerror(ret));
508
gnutls_deinit(*session);
411
gnutls_deinit (*session);
509
412
return -1;
510
413
}
511
414
}
512
415
513
do {
514
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
515
mc.cred);
516
if(quit_now){
517
gnutls_deinit(*session);
518
return -1;
519
}
520
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
521
if(ret != GNUTLS_E_SUCCESS){
416
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
417
mc->cred);
418
if (ret != GNUTLS_E_SUCCESS) {
522
419
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
523
420
safer_gnutls_strerror(ret));
524
gnutls_deinit(*session);
421
gnutls_deinit (*session);
525
422
return -1;
526
423
}
527
424
528
425
/* ignore client certificate if any. */
529
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
426
gnutls_certificate_server_set_request (*session,
427
GNUTLS_CERT_IGNORE);
530
428
531
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
429
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
532
430
533
431
return 0;
534
432
}
540
438
/* Called when a Mandos server is found */
541
439
static int start_mandos_communication(const char *ip, uint16_t port,
542
440
AvahiIfIndex if_index,
543
int af){
544
int ret, tcp_sd = -1;
545
ssize_t sret;
546
union {
547
struct sockaddr_in in;
548
struct sockaddr_in6 in6;
549
} to;
441
mandos_context *mc){
442
int ret, tcp_sd;
443
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
550
444
char *buffer = NULL;
551
char *decrypted_buffer = NULL;
445
char *decrypted_buffer;
552
446
size_t buffer_length = 0;
553
447
size_t buffer_capacity = 0;
448
ssize_t decrypted_buffer_size;
554
449
size_t written;
555
int retval = -1;
450
int retval = 0;
451
char interface[IF_NAMESIZE];
556
452
gnutls_session_t session;
557
int pf; /* Protocol family */
558
559
errno = 0;
560
561
if(quit_now){
562
errno = EINTR;
563
return -1;
564
}
565
566
switch(af){
567
case AF_INET6:
568
pf = PF_INET6;
569
break;
570
case AF_INET:
571
pf = PF_INET;
572
break;
573
default:
574
fprintf(stderr, "Bad address family: %d\n", af);
575
errno = EINVAL;
576
return -1;
577
}
578
579
ret = init_gnutls_session(&session);
580
if(ret != 0){
453
454
ret = init_gnutls_session (mc, &session);
455
if (ret != 0){
581
456
return -1;
582
457
}
583
458
584
459
if(debug){
585
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
460
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
586
461
"\n", ip, port);
587
462
}
588
463
589
tcp_sd = socket(pf, SOCK_STREAM, 0);
590
if(tcp_sd < 0){
591
int e = errno;
464
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
465
if(tcp_sd < 0) {
592
466
perror("socket");
593
errno = e;
594
goto mandos_end;
467
return -1;
595
468
}
596
597
if(quit_now){
598
errno = EINTR;
599
goto mandos_end;
469
470
if(debug){
471
if(if_indextoname((unsigned int)if_index, interface) == NULL){
472
perror("if_indextoname");
473
return -1;
474
}
475
fprintf(stderr, "Binding to interface %s\n", interface);
600
476
}
601
477
602
478
memset(&to, 0, sizeof(to));
603
if(af == AF_INET6){
604
to.in6.sin6_family = (sa_family_t)af;
605
ret = inet_pton(af, ip, &to.in6.sin6_addr);
606
} else { /* IPv4 */
607
to.in.sin_family = (sa_family_t)af;
608
ret = inet_pton(af, ip, &to.in.sin_addr);
609
}
610
if(ret < 0 ){
611
int e = errno;
479
to.in6.sin6_family = AF_INET6;
480
/* It would be nice to have a way to detect if we were passed an
481
IPv4 address here. Now we assume an IPv6 address. */
482
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
483
if (ret < 0 ){
612
484
perror("inet_pton");
613
errno = e;
614
goto mandos_end;
485
return -1;
615
486
}
616
487
if(ret == 0){
617
int e = errno;
618
488
fprintf(stderr, "Bad address: %s\n", ip);
619
errno = e;
620
goto mandos_end;
621
}
622
if(af == AF_INET6){
623
to.in6.sin6_port = htons(port); /* Spurious warnings from
624
-Wconversion and
625
-Wunreachable-code */
626
627
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
628
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
629
-Wunreachable-code*/
630
if(if_index == AVAHI_IF_UNSPEC){
631
fprintf(stderr, "An IPv6 link-local address is incomplete"
632
" without a network interface\n");
633
errno = EINVAL;
634
goto mandos_end;
635
}
636
/* Set the network interface number as scope */
637
to.in6.sin6_scope_id = (uint32_t)if_index;
638
}
639
} else {
640
to.in.sin_port = htons(port); /* Spurious warnings from
641
-Wconversion and
642
-Wunreachable-code */
643
}
489
return -1;
490
}
491
to.in6.sin6_port = htons(port); /* Spurious warning */
644
492
645
if(quit_now){
646
errno = EINTR;
647
goto mandos_end;
648
}
493
to.in6.sin6_scope_id = (uint32_t)if_index;
649
494
650
495
if(debug){
651
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
652
char interface[IF_NAMESIZE];
653
if(if_indextoname((unsigned int)if_index, interface) == NULL){
654
perror("if_indextoname");
655
} else {
656
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
657
ip, interface, port);
658
}
659
} else {
660
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
661
port);
662
}
663
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
664
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
665
const char *pcret;
666
if(af == AF_INET6){
667
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
668
sizeof(addrstr));
669
} else {
670
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
671
sizeof(addrstr));
672
}
673
if(pcret == NULL){
496
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
497
port);
498
char addrstr[INET6_ADDRSTRLEN] = "";
499
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
500
sizeof(addrstr)) == NULL){
674
501
perror("inet_ntop");
675
502
} else {
676
503
if(strcmp(addrstr, ip) != 0){
679
506
}
680
507
}
681
508
682
if(quit_now){
683
errno = EINTR;
684
goto mandos_end;
685
}
686
687
if(af == AF_INET6){
688
ret = connect(tcp_sd, &to.in6, sizeof(to));
689
} else {
690
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
691
}
692
if(ret < 0){
693
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
694
int e = errno;
695
perror("connect");
696
errno = e;
697
}
698
goto mandos_end;
699
}
700
701
if(quit_now){
702
errno = EINTR;
703
goto mandos_end;
704
}
705
509
ret = connect(tcp_sd, &to.in, sizeof(to));
510
if (ret < 0){
511
perror("connect");
512
return -1;
513
}
514
706
515
const char *out = mandos_protocol_version;
707
516
written = 0;
708
while(true){
517
while (true){
709
518
size_t out_size = strlen(out);
710
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
519
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
711
520
out_size - written));
712
if(ret == -1){
713
int e = errno;
521
if (ret == -1){
714
522
perror("write");
715
errno = e;
523
retval = -1;
716
524
goto mandos_end;
717
525
}
718
526
written += (size_t)ret;
719
527
if(written < out_size){
720
528
continue;
721
529
} else {
722
if(out == mandos_protocol_version){
530
if (out == mandos_protocol_version){
723
531
written = 0;
724
532
out = "\r\n";
725
533
} else {
726
534
break;
727
535
}
728
536
}
729
730
if(quit_now){
731
errno = EINTR;
732
goto mandos_end;
733
}
734
537
}
735
538
736
539
if(debug){
737
540
fprintf(stderr, "Establishing TLS session with %s\n", ip);
738
541
}
739
542
740
if(quit_now){
741
errno = EINTR;
742
goto mandos_end;
743
}
744
745
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
746
747
if(quit_now){
748
errno = EINTR;
749
goto mandos_end;
750
}
751
752
do {
753
ret = gnutls_handshake(session);
754
if(quit_now){
755
errno = EINTR;
756
goto mandos_end;
757
}
543
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
544
545
do{
546
ret = gnutls_handshake (session);
758
547
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
759
548
760
if(ret != GNUTLS_E_SUCCESS){
549
if (ret != GNUTLS_E_SUCCESS){
761
550
if(debug){
762
551
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
763
gnutls_perror(ret);
552
gnutls_perror (ret);
764
553
}
765
errno = EPROTO;
554
retval = -1;
766
555
goto mandos_end;
767
556
}
768
557
769
558
/* Read OpenPGP packet that contains the wanted password */
770
559
771
560
if(debug){
772
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
561
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
773
562
ip);
774
563
}
775
564
776
565
while(true){
777
778
if(quit_now){
779
errno = EINTR;
780
goto mandos_end;
781
}
782
783
buffer_capacity = incbuffer(&buffer, buffer_length,
566
buffer_capacity = adjustbuffer(&buffer, buffer_length,
784
567
buffer_capacity);
785
if(buffer_capacity == 0){
786
int e = errno;
787
perror("incbuffer");
788
errno = e;
789
goto mandos_end;
790
}
791
792
if(quit_now){
793
errno = EINTR;
794
goto mandos_end;
795
}
796
797
sret = gnutls_record_recv(session, buffer+buffer_length,
798
BUFFER_SIZE);
799
if(sret == 0){
568
if (buffer_capacity == 0){
569
perror("adjustbuffer");
570
retval = -1;
571
goto mandos_end;
572
}
573
574
ret = gnutls_record_recv(session, buffer+buffer_length,
575
BUFFER_SIZE);
576
if (ret == 0){
800
577
break;
801
578
}
802
if(sret < 0){
803
switch(sret){
579
if (ret < 0){
580
switch(ret){
804
581
case GNUTLS_E_INTERRUPTED:
805
582
case GNUTLS_E_AGAIN:
806
583
break;
807
584
case GNUTLS_E_REHANDSHAKE:
808
do {
809
ret = gnutls_handshake(session);
810
811
if(quit_now){
812
errno = EINTR;
813
goto mandos_end;
814
}
585
do{
586
ret = gnutls_handshake (session);
815
587
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
816
if(ret < 0){
588
if (ret < 0){
817
589
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
818
gnutls_perror(ret);
819
errno = EPROTO;
590
gnutls_perror (ret);
591
retval = -1;
820
592
goto mandos_end;
821
593
}
822
594
break;
823
595
default:
824
596
fprintf(stderr, "Unknown error while reading data from"
825
597
" encrypted session with Mandos server\n");
826
gnutls_bye(session, GNUTLS_SHUT_RDWR);
827
errno = EIO;
598
retval = -1;
599
gnutls_bye (session, GNUTLS_SHUT_RDWR);
828
600
goto mandos_end;
829
601
}
830
602
} else {
831
buffer_length += (size_t) sret;
603
buffer_length += (size_t) ret;
832
604
}
833
605
}
834
606
836
608
fprintf(stderr, "Closing TLS session\n");
837
609
}
838
610
839
if(quit_now){
840
errno = EINTR;
841
goto mandos_end;
842
}
843
844
do {
845
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
846
if(quit_now){
847
errno = EINTR;
848
goto mandos_end;
849
}
850
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
851
852
if(buffer_length > 0){
853
ssize_t decrypted_buffer_size;
611
gnutls_bye (session, GNUTLS_SHUT_RDWR);
612
613
if (buffer_length > 0){
854
614
decrypted_buffer_size = pgp_packet_decrypt(buffer,
855
615
buffer_length,
856
&decrypted_buffer);
857
if(decrypted_buffer_size >= 0){
858
616
&decrypted_buffer,
617
keydir);
618
if (decrypted_buffer_size >= 0){
859
619
written = 0;
860
620
while(written < (size_t) decrypted_buffer_size){
861
if(quit_now){
862
errno = EINTR;
863
goto mandos_end;
864
}
865
866
ret = (int)fwrite(decrypted_buffer + written, 1,
867
(size_t)decrypted_buffer_size - written,
868
stdout);
621
ret = (int)fwrite (decrypted_buffer + written, 1,
622
(size_t)decrypted_buffer_size - written,
623
stdout);
869
624
if(ret == 0 and ferror(stdout)){
870
int e = errno;
871
625
if(debug){
872
626
fprintf(stderr, "Error writing encrypted data: %s\n",
873
627
strerror(errno));
874
628
}
875
errno = e;
876
goto mandos_end;
629
retval = -1;
630
break;
877
631
}
878
632
written += (size_t)ret;
879
633
}
880
retval = 0;
634
free(decrypted_buffer);
635
} else {
636
retval = -1;
881
637
}
638
} else {
639
retval = -1;
882
640
}
883
641
884
642
/* Shutdown procedure */
885
643
886
644
mandos_end:
887
{
888
int e = errno;
889
free(decrypted_buffer);
890
free(buffer);
891
if(tcp_sd >= 0){
892
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
893
}
894
if(ret == -1){
895
if(e == 0){
896
e = errno;
897
}
898
perror("close");
899
}
900
gnutls_deinit(session);
901
if(quit_now){
902
e = EINTR;
903
retval = -1;
904
}
905
errno = e;
906
}
645
free(buffer);
646
close(tcp_sd);
647
gnutls_deinit (session);
907
648
return retval;
908
649
}
909
650
910
651
static void resolve_callback(AvahiSServiceResolver *r,
911
652
AvahiIfIndex interface,
912
AvahiProtocol proto,
653
AVAHI_GCC_UNUSED AvahiProtocol protocol,
913
654
AvahiResolverEvent event,
914
655
const char *name,
915
656
const char *type,
920
661
AVAHI_GCC_UNUSED AvahiStringList *txt,
921
662
AVAHI_GCC_UNUSED AvahiLookupResultFlags
922
663
flags,
923
AVAHI_GCC_UNUSED void* userdata){
664
void* userdata) {
665
mandos_context *mc = userdata;
924
666
assert(r);
925
667
926
668
/* Called whenever a service has been resolved successfully or
927
669
timed out */
928
670
929
if(quit_now){
930
return;
931
}
932
933
switch(event){
671
switch (event) {
934
672
default:
935
673
case AVAHI_RESOLVER_FAILURE:
936
674
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
937
675
" of type '%s' in domain '%s': %s\n", name, type, domain,
938
avahi_strerror(avahi_server_errno(mc.server)));
676
avahi_strerror(avahi_server_errno(mc->server)));
939
677
break;
940
678
941
679
case AVAHI_RESOLVER_FOUND:
944
682
avahi_address_snprint(ip, sizeof(ip), address);
945
683
if(debug){
946
684
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
947
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
948
ip, (intmax_t)interface, port);
685
PRIu16 ") on port %d\n", name, host_name, ip,
686
interface, port);
949
687
}
950
int ret = start_mandos_communication(ip, port, interface,
951
avahi_proto_to_af(proto));
952
if(ret == 0){
953
avahi_simple_poll_quit(mc.simple_poll);
688
int ret = start_mandos_communication(ip, port, interface, mc);
689
if (ret == 0){
690
avahi_simple_poll_quit(mc->simple_poll);
954
691
}
955
692
}
956
693
}
957
694
avahi_s_service_resolver_free(r);
958
695
}
959
696
960
static void browse_callback(AvahiSServiceBrowser *b,
961
AvahiIfIndex interface,
962
AvahiProtocol protocol,
963
AvahiBrowserEvent event,
964
const char *name,
965
const char *type,
966
const char *domain,
967
AVAHI_GCC_UNUSED AvahiLookupResultFlags
968
flags,
969
AVAHI_GCC_UNUSED void* userdata){
697
static void browse_callback( AvahiSServiceBrowser *b,
698
AvahiIfIndex interface,
699
AvahiProtocol protocol,
700
AvahiBrowserEvent event,
701
const char *name,
702
const char *type,
703
const char *domain,
704
AVAHI_GCC_UNUSED AvahiLookupResultFlags
705
flags,
706
void* userdata) {
707
mandos_context *mc = userdata;
970
708
assert(b);
971
709
972
710
/* Called whenever a new services becomes available on the LAN or
973
711
is removed from the LAN */
974
712
975
if(quit_now){
976
return;
977
}
978
979
switch(event){
713
switch (event) {
980
714
default:
981
715
case AVAHI_BROWSER_FAILURE:
982
716
983
717
fprintf(stderr, "(Avahi browser) %s\n",
984
avahi_strerror(avahi_server_errno(mc.server)));
985
avahi_simple_poll_quit(mc.simple_poll);
718
avahi_strerror(avahi_server_errno(mc->server)));
719
avahi_simple_poll_quit(mc->simple_poll);
986
720
return;
987
721
988
722
case AVAHI_BROWSER_NEW:
991
725
the callback function is called the Avahi server will free the
992
726
resolver for us. */
993
727
994
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
995
name, type, domain, protocol, 0,
996
resolve_callback, NULL) == NULL)
728
if (!(avahi_s_service_resolver_new(mc->server, interface,
729
protocol, name, type, domain,
730
AVAHI_PROTO_INET6, 0,
731
resolve_callback, mc)))
997
732
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
998
name, avahi_strerror(avahi_server_errno(mc.server)));
733
name, avahi_strerror(avahi_server_errno(mc->server)));
999
734
break;
1000
735
1001
736
case AVAHI_BROWSER_REMOVE:
1010
745
}
1011
746
}
1012
747
1013
/* stop main loop after sigterm has been called */
1014
static void handle_sigterm(int sig){
1015
if(quit_now){
1016
return;
1017
}
1018
quit_now = 1;
1019
signal_received = sig;
1020
int old_errno = errno;
1021
if(mc.simple_poll != NULL){
1022
avahi_simple_poll_quit(mc.simple_poll);
1023
}
1024
errno = old_errno;
1025
}
1026
1027
/*
1028
* This function determines if a directory entry in /sys/class/net
1029
* corresponds to an acceptable network device.
1030
* (This function is passed to scandir(3) as a filter function.)
1031
*/
1032
int good_interface(const struct dirent *if_entry){
1033
ssize_t ssret;
1034
char *flagname = NULL;
1035
if(if_entry->d_name[0] == '.'){
1036
return 0;
1037
}
1038
int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,
1039
if_entry->d_name);
748
/* Combines file name and path and returns the malloced new
749
string. some sane checks could/should be added */
750
static char *combinepath(const char *first, const char *second){
751
char *tmp;
752
int ret = asprintf(&tmp, "%s/%s", first, second);
1040
753
if(ret < 0){
1041
perror("asprintf");
1042
return 0;
1043
}
1044
int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));
1045
if(flags_fd == -1){
1046
perror("open");
1047
free(flagname);
1048
return 0;
1049
}
1050
free(flagname);
1051
typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */
1052
/* read line from flags_fd */
1053
ssize_t to_read = (sizeof(ifreq_flags)*2)+3; /* "0x1003\n" */
1054
char *flagstring = malloc((size_t)to_read+1); /* +1 for final \0 */
1055
flagstring[(size_t)to_read] = '\0';
1056
if(flagstring == NULL){
1057
perror("malloc");
1058
close(flags_fd);
1059
return 0;
1060
}
1061
while(to_read > 0){
1062
ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,
1063
(size_t)to_read));
1064
if(ssret == -1){
1065
perror("read");
1066
free(flagstring);
1067
close(flags_fd);
1068
return 0;
1069
}
1070
to_read -= ssret;
1071
if(ssret == 0){
1072
break;
1073
}
1074
}
1075
close(flags_fd);
1076
intmax_t tmpmax;
1077
char *tmp;
1078
errno = 0;
1079
tmpmax = strtoimax(flagstring, &tmp, 0);
1080
if(errno != 0 or tmp == flagstring or (*tmp != '\0'
1081
and not (isspace(*tmp)))
1082
or tmpmax != (ifreq_flags)tmpmax){
1083
if(debug){
1084
fprintf(stderr, "Invalid flags \"%s\" for interface \"%s\"\n",
1085
flagstring, if_entry->d_name);
1086
}
1087
free(flagstring);
1088
return 0;
1089
}
1090
free(flagstring);
1091
ifreq_flags flags = (ifreq_flags)tmpmax;
1092
/* Reject the loopback device */
1093
if(flags & IFF_LOOPBACK){
1094
if(debug){
1095
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1096
if_entry->d_name);
1097
}
1098
return 0;
1099
}
1100
/* Accept point-to-point devices only if connect_to is specified */
1101
if(connect_to != NULL and (flags & IFF_POINTOPOINT)){
1102
if(debug){
1103
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1104
if_entry->d_name);
1105
}
1106
return 1;
1107
}
1108
/* Otherwise, reject non-broadcast-capable devices */
1109
if(not (flags & IFF_BROADCAST)){
1110
if(debug){
1111
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1112
if_entry->d_name);
1113
}
1114
return 0;
1115
}
1116
/* Reject non-ARP interfaces (including dummy interfaces) */
1117
if(flags & IFF_NOARP){
1118
if(debug){
1119
fprintf(stderr, "Rejecting non-ARP interface \"%s\"\n",
1120
if_entry->d_name);
1121
}
1122
return 0;
1123
}
1124
/* Accept this device */
1125
if(debug){
1126
fprintf(stderr, "Interface \"%s\" is acceptable\n",
1127
if_entry->d_name);
1128
}
1129
return 1;
754
return NULL;
755
}
756
return tmp;
1130
757
}
1131
758
759
1132
760
int main(int argc, char *argv[]){
1133
AvahiSServiceBrowser *sb = NULL;
1134
int error;
1135
int ret;
1136
intmax_t tmpmax;
1137
char *tmp;
1138
int exitcode = EXIT_SUCCESS;
1139
const char *interface = "";
1140
struct ifreq network;
1141
int sd = -1;
1142
bool take_down_interface = false;
1143
uid_t uid;
1144
gid_t gid;
1145
char tempdir[] = "/tmp/mandosXXXXXX";
1146
bool tempdir_created = false;
1147
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1148
const char *seckey = PATHDIR "/" SECKEY;
1149
const char *pubkey = PATHDIR "/" PUBKEY;
1150
1151
bool gnutls_initialized = false;
1152
bool gpgme_initialized = false;
1153
float delay = 2.5f;
1154
1155
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1156
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1157
1158
uid = getuid();
1159
gid = getgid();
1160
1161
/* Lower any group privileges we might have, just to be safe */
1162
errno = 0;
1163
ret = setgid(gid);
1164
if(ret == -1){
1165
perror("setgid");
1166
}
1167
1168
/* Lower user privileges (temporarily) */
1169
errno = 0;
1170
ret = seteuid(uid);
1171
if(ret == -1){
1172
perror("seteuid");
1173
}
1174
1175
if(quit_now){
1176
goto end;
1177
}
1178
1179
{
1180
struct argp_option options[] = {
1181
{ .name = "debug", .key = 128,
1182
.doc = "Debug mode", .group = 3 },
1183
{ .name = "connect", .key = 'c',
1184
.arg = "ADDRESS:PORT",
1185
.doc = "Connect directly to a specific Mandos server",
1186
.group = 1 },
1187
{ .name = "interface", .key = 'i',
1188
.arg = "NAME",
1189
.doc = "Network interface that will be used to search for"
1190
" Mandos servers",
1191
.group = 1 },
1192
{ .name = "seckey", .key = 's',
1193
.arg = "FILE",
1194
.doc = "OpenPGP secret key file base name",
1195
.group = 1 },
1196
{ .name = "pubkey", .key = 'p',
1197
.arg = "FILE",
1198
.doc = "OpenPGP public key file base name",
1199
.group = 2 },
1200
{ .name = "dh-bits", .key = 129,
1201
.arg = "BITS",
1202
.doc = "Bit length of the prime number used in the"
1203
" Diffie-Hellman key exchange",
1204
.group = 2 },
1205
{ .name = "priority", .key = 130,
1206
.arg = "STRING",
1207
.doc = "GnuTLS priority string for the TLS handshake",
1208
.group = 1 },
1209
{ .name = "delay", .key = 131,
1210
.arg = "SECONDS",
1211
.doc = "Maximum delay to wait for interface startup",
1212
.group = 2 },
1213
/*
1214
* These reproduce what we would get without ARGP_NO_HELP
1215
*/
1216
{ .name = "help", .key = '?',
1217
.doc = "Give this help list", .group = -1 },
1218
{ .name = "usage", .key = -3,
1219
.doc = "Give a short usage message", .group = -1 },
1220
{ .name = "version", .key = 'V',
1221
.doc = "Print program version", .group = -1 },
1222
{ .name = NULL }
1223
};
1224
1225
error_t parse_opt(int key, char *arg,
1226
struct argp_state *state){
1227
errno = 0;
1228
switch(key){
1229
case 128: /* --debug */
1230
debug = true;
1231
break;
1232
case 'c': /* --connect */
1233
connect_to = arg;
1234
break;
1235
case 'i': /* --interface */
1236
interface = arg;
1237
break;
1238
case 's': /* --seckey */
1239
seckey = arg;
1240
break;
1241
case 'p': /* --pubkey */
1242
pubkey = arg;
1243
break;
1244
case 129: /* --dh-bits */
1245
errno = 0;
1246
tmpmax = strtoimax(arg, &tmp, 10);
1247
if(errno != 0 or tmp == arg or *tmp != '\0'
1248
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1249
argp_error(state, "Bad number of DH bits");
1250
}
1251
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1252
break;
1253
case 130: /* --priority */
1254
mc.priority = arg;
1255
break;
1256
case 131: /* --delay */
1257
errno = 0;
1258
delay = strtof(arg, &tmp);
1259
if(errno != 0 or tmp == arg or *tmp != '\0'){
1260
argp_error(state, "Bad delay");
1261
}
1262
break;
1263
/*
1264
* These reproduce what we would get without ARGP_NO_HELP
1265
*/
1266
case '?': /* --help */
1267
argp_state_help(state, state->out_stream,
1268
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1269
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1270
case -3: /* --usage */
1271
argp_state_help(state, state->out_stream,
1272
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1273
case 'V': /* --version */
1274
fprintf(state->out_stream, "%s\n", argp_program_version);
1275
exit(argp_err_exit_status);
1276
break;
1277
default:
1278
return ARGP_ERR_UNKNOWN;
1279
}
1280
return errno;
1281
}
1282
1283
struct argp argp = { .options = options, .parser = parse_opt,
1284
.args_doc = "",
1285
.doc = "Mandos client -- Get and decrypt"
1286
" passwords from a Mandos server" };
1287
ret = argp_parse(&argp, argc, argv,
1288
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1289
switch(ret){
1290
case 0:
1291
break;
1292
case ENOMEM:
1293
default:
1294
errno = ret;
1295
perror("argp_parse");
1296
exitcode = EX_OSERR;
1297
goto end;
1298
case EINVAL:
1299
exitcode = EX_USAGE;
1300
goto end;
1301
}
1302
}
1303
1304
if(not debug){
1305
avahi_set_log_function(empty_log);
1306
}
1307
1308
if(interface[0] == '\0'){
1309
struct dirent **direntries;
1310
ret = scandir(sys_class_net, &direntries, good_interface,
1311
alphasort);
1312
if(ret >= 1){
1313
/* Pick the first good interface */
1314
interface = strdup(direntries[0]->d_name);
1315
if(debug){
1316
fprintf(stderr, "Using interface \"%s\"\n", interface);
1317
}
1318
if(interface == NULL){
1319
perror("malloc");
1320
free(direntries);
761
AvahiSServiceBrowser *sb = NULL;
762
int error;
763
int ret;
764
int exitcode = EXIT_SUCCESS;
765
const char *interface = "eth0";
766
struct ifreq network;
767
int sd;
768
uid_t uid;
769
gid_t gid;
770
char *connect_to = NULL;
771
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
772
char *pubkeyfilename = NULL;
773
char *seckeyfilename = NULL;
774
const char *pubkeyname = "pubkey.txt";
775
const char *seckeyname = "seckey.txt";
776
mandos_context mc = { .simple_poll = NULL, .server = NULL,
777
.dh_bits = 1024, .priority = "SECURE256"};
778
bool gnutls_initalized = false;
779
780
{
781
struct argp_option options[] = {
782
{ .name = "debug", .key = 128,
783
.doc = "Debug mode", .group = 3 },
784
{ .name = "connect", .key = 'c',
785
.arg = "IP",
786
.doc = "Connect directly to a sepcified mandos server",
787
.group = 1 },
788
{ .name = "interface", .key = 'i',
789
.arg = "INTERFACE",
790
.doc = "Interface that Avahi will conntect through",
791
.group = 1 },
792
{ .name = "keydir", .key = 'd',
793
.arg = "KEYDIR",
794
.doc = "Directory where the openpgp keyring is",
795
.group = 1 },
796
{ .name = "seckey", .key = 's',
797
.arg = "SECKEY",
798
.doc = "Secret openpgp key for gnutls authentication",
799
.group = 1 },
800
{ .name = "pubkey", .key = 'p',
801
.arg = "PUBKEY",
802
.doc = "Public openpgp key for gnutls authentication",
803
.group = 2 },
804
{ .name = "dh-bits", .key = 129,
805
.arg = "BITS",
806
.doc = "dh-bits to use in gnutls communication",
807
.group = 2 },
808
{ .name = "priority", .key = 130,
809
.arg = "PRIORITY",
810
.doc = "GNUTLS priority", .group = 1 },
811
{ .name = NULL }
812
};
813
814
815
error_t parse_opt (int key, char *arg,
816
struct argp_state *state) {
817
/* Get the INPUT argument from `argp_parse', which we know is
818
a pointer to our plugin list pointer. */
819
switch (key) {
820
case 128:
821
debug = true;
822
break;
823
case 'c':
824
connect_to = arg;
825
break;
826
case 'i':
827
interface = arg;
828
break;
829
case 'd':
830
keydir = arg;
831
break;
832
case 's':
833
seckeyname = arg;
834
break;
835
case 'p':
836
pubkeyname = arg;
837
break;
838
case 129:
839
errno = 0;
840
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
841
if (errno){
842
perror("strtol");
843
exit(EXIT_FAILURE);
844
}
845
break;
846
case 130:
847
mc.priority = arg;
848
break;
849
case ARGP_KEY_ARG:
850
argp_usage (state);
851
case ARGP_KEY_END:
852
break;
853
default:
854
return ARGP_ERR_UNKNOWN;
855
}
856
return 0;
857
}
858
859
struct argp argp = { .options = options, .parser = parse_opt,
860
.args_doc = "",
861
.doc = "Mandos client -- Get and decrypt"
862
" passwords from mandos server" };
863
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
864
if (ret == ARGP_ERR_UNKNOWN){
865
fprintf(stderr, "Unknown error while parsing arguments\n");
1321
866
exitcode = EXIT_FAILURE;
1322
867
goto end;
1323
868
}
1324
free(direntries);
869
}
870
871
pubkeyfilename = combinepath(keydir, pubkeyname);
872
if (pubkeyfilename == NULL){
873
perror("combinepath");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
878
seckeyfilename = combinepath(keydir, seckeyname);
879
if (seckeyfilename == NULL){
880
perror("combinepath");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
885
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
886
if (ret == -1){
887
fprintf(stderr, "init_gnutls_global failed\n");
888
exitcode = EXIT_FAILURE;
889
goto end;
1325
890
} else {
1326
free(direntries);
1327
fprintf(stderr, "Could not find a network interface\n");
1328
exitcode = EXIT_FAILURE;
1329
goto end;
1330
}
1331
}
1332
1333
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1334
from the signal handler */
1335
/* Initialize the pseudo-RNG for Avahi */
1336
srand((unsigned int) time(NULL));
1337
mc.simple_poll = avahi_simple_poll_new();
1338
if(mc.simple_poll == NULL){
1339
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1340
exitcode = EX_UNAVAILABLE;
1341
goto end;
1342
}
1343
1344
sigemptyset(&sigterm_action.sa_mask);
1345
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1346
if(ret == -1){
1347
perror("sigaddset");
1348
exitcode = EX_OSERR;
1349
goto end;
1350
}
1351
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1352
if(ret == -1){
1353
perror("sigaddset");
1354
exitcode = EX_OSERR;
1355
goto end;
1356
}
1357
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1358
if(ret == -1){
1359
perror("sigaddset");
1360
exitcode = EX_OSERR;
1361
goto end;
1362
}
1363
/* Need to check if the handler is SIG_IGN before handling:
1364
| [[info:libc:Initial Signal Actions]] |
1365
| [[info:libc:Basic Signal Handling]] |
1366
*/
1367
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1368
if(ret == -1){
1369
perror("sigaction");
1370
return EX_OSERR;
1371
}
1372
if(old_sigterm_action.sa_handler != SIG_IGN){
1373
ret = sigaction(SIGINT, &sigterm_action, NULL);
1374
if(ret == -1){
1375
perror("sigaction");
1376
exitcode = EX_OSERR;
1377
goto end;
1378
}
1379
}
1380
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1381
if(ret == -1){
1382
perror("sigaction");
1383
return EX_OSERR;
1384
}
1385
if(old_sigterm_action.sa_handler != SIG_IGN){
1386
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1387
if(ret == -1){
1388
perror("sigaction");
1389
exitcode = EX_OSERR;
1390
goto end;
1391
}
1392
}
1393
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1394
if(ret == -1){
1395
perror("sigaction");
1396
return EX_OSERR;
1397
}
1398
if(old_sigterm_action.sa_handler != SIG_IGN){
1399
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1400
if(ret == -1){
1401
perror("sigaction");
1402
exitcode = EX_OSERR;
1403
goto end;
1404
}
1405
}
1406
1407
/* If the interface is down, bring it up */
1408
if(strcmp(interface, "none") != 0){
891
gnutls_initalized = true;
892
}
893
894
/* If the interface is down, bring it up */
895
{
896
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
897
if(sd < 0) {
898
perror("socket");
899
exitcode = EXIT_FAILURE;
900
goto end;
901
}
902
strcpy(network.ifr_name, interface);
903
ret = ioctl(sd, SIOCGIFFLAGS, &network);
904
if(ret == -1){
905
perror("ioctl SIOCGIFFLAGS");
906
exitcode = EXIT_FAILURE;
907
goto end;
908
}
909
if((network.ifr_flags & IFF_UP) == 0){
910
network.ifr_flags |= IFF_UP;
911
ret = ioctl(sd, SIOCSIFFLAGS, &network);
912
if(ret == -1){
913
perror("ioctl SIOCSIFFLAGS");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
close(sd);
919
}
920
921
uid = getuid();
922
gid = getgid();
923
924
ret = setuid(uid);
925
if (ret == -1){
926
perror("setuid");
927
}
928
929
setgid(gid);
930
if (ret == -1){
931
perror("setgid");
932
}
933
1409
934
if_index = (AvahiIfIndex) if_nametoindex(interface);
1410
935
if(if_index == 0){
1411
936
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1412
exitcode = EX_UNAVAILABLE;
1413
goto end;
1414
}
1415
1416
if(quit_now){
1417
goto end;
1418
}
1419
1420
/* Re-raise priviliges */
1421
errno = 0;
1422
ret = seteuid(0);
1423
if(ret == -1){
1424
perror("seteuid");
1425
}
1426
1427
#ifdef __linux__
1428
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1429
messages about the network interface to mess up the prompt */
1430
ret = klogctl(8, NULL, 5);
1431
bool restore_loglevel = true;
1432
if(ret == -1){
1433
restore_loglevel = false;
1434
perror("klogctl");
1435
}
1436
#endif /* __linux__ */
1437
1438
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1439
if(sd < 0){
1440
perror("socket");
1441
exitcode = EX_OSERR;
1442
#ifdef __linux__
1443
if(restore_loglevel){
1444
ret = klogctl(7, NULL, 0);
1445
if(ret == -1){
1446
perror("klogctl");
1447
}
1448
}
1449
#endif /* __linux__ */
1450
/* Lower privileges */
1451
errno = 0;
1452
ret = seteuid(uid);
1453
if(ret == -1){
1454
perror("seteuid");
1455
}
1456
goto end;
1457
}
1458
strcpy(network.ifr_name, interface);
1459
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1460
if(ret == -1){
1461
perror("ioctl SIOCGIFFLAGS");
1462
#ifdef __linux__
1463
if(restore_loglevel){
1464
ret = klogctl(7, NULL, 0);
1465
if(ret == -1){
1466
perror("klogctl");
1467
}
1468
}
1469
#endif /* __linux__ */
1470
exitcode = EX_OSERR;
1471
/* Lower privileges */
1472
errno = 0;
1473
ret = seteuid(uid);
1474
if(ret == -1){
1475
perror("seteuid");
1476
}
1477
goto end;
1478
}
1479
if((network.ifr_flags & IFF_UP) == 0){
1480
network.ifr_flags |= IFF_UP;
1481
take_down_interface = true;
1482
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1483
if(ret == -1){
1484
take_down_interface = false;
1485
perror("ioctl SIOCSIFFLAGS +IFF_UP");
1486
exitcode = EX_OSERR;
1487
#ifdef __linux__
1488
if(restore_loglevel){
1489
ret = klogctl(7, NULL, 0);
1490
if(ret == -1){
1491
perror("klogctl");
1492
}
1493
}
1494
#endif /* __linux__ */
1495
/* Lower privileges */
1496
errno = 0;
1497
ret = seteuid(uid);
1498
if(ret == -1){
1499
perror("seteuid");
1500
}
1501
goto end;
1502
}
1503
}
1504
/* sleep checking until interface is running */
1505
for(int i=0; i < delay * 4; i++){
1506
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1507
if(ret == -1){
1508
perror("ioctl SIOCGIFFLAGS");
1509
} else if(network.ifr_flags & IFF_RUNNING){
1510
break;
1511
}
1512
struct timespec sleeptime = { .tv_nsec = 250000000 };
1513
ret = nanosleep(&sleeptime, NULL);
1514
if(ret == -1 and errno != EINTR){
1515
perror("nanosleep");
1516
}
1517
}
1518
if(not take_down_interface){
1519
/* We won't need the socket anymore */
1520
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1521
if(ret == -1){
1522
perror("close");
1523
}
1524
}
1525
#ifdef __linux__
1526
if(restore_loglevel){
1527
/* Restores kernel loglevel to default */
1528
ret = klogctl(7, NULL, 0);
1529
if(ret == -1){
1530
perror("klogctl");
1531
}
1532
}
1533
#endif /* __linux__ */
1534
/* Lower privileges */
1535
errno = 0;
1536
if(take_down_interface){
1537
/* Lower privileges */
1538
ret = seteuid(uid);
1539
if(ret == -1){
1540
perror("seteuid");
1541
}
1542
} else {
1543
/* Lower privileges permanently */
1544
ret = setuid(uid);
1545
if(ret == -1){
1546
perror("setuid");
1547
}
1548
}
1549
}
1550
1551
if(quit_now){
1552
goto end;
1553
}
1554
1555
ret = init_gnutls_global(pubkey, seckey);
1556
if(ret == -1){
1557
fprintf(stderr, "init_gnutls_global failed\n");
1558
exitcode = EX_UNAVAILABLE;
1559
goto end;
1560
} else {
1561
gnutls_initialized = true;
1562
}
1563
1564
if(quit_now){
1565
goto end;
1566
}
1567
1568
tempdir_created = true;
1569
if(mkdtemp(tempdir) == NULL){
1570
tempdir_created = false;
1571
perror("mkdtemp");
1572
goto end;
1573
}
1574
1575
if(quit_now){
1576
goto end;
1577
}
1578
1579
if(not init_gpgme(pubkey, seckey, tempdir)){
1580
fprintf(stderr, "init_gpgme failed\n");
1581
exitcode = EX_UNAVAILABLE;
1582
goto end;
1583
} else {
1584
gpgme_initialized = true;
1585
}
1586
1587
if(quit_now){
1588
goto end;
1589
}
1590
1591
if(connect_to != NULL){
1592
/* Connect directly, do not use Zeroconf */
1593
/* (Mainly meant for debugging) */
1594
char *address = strrchr(connect_to, ':');
1595
if(address == NULL){
1596
fprintf(stderr, "No colon in address\n");
1597
exitcode = EX_USAGE;
1598
goto end;
1599
}
1600
1601
if(quit_now){
1602
goto end;
1603
}
1604
1605
uint16_t port;
1606
errno = 0;
1607
tmpmax = strtoimax(address+1, &tmp, 10);
1608
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1609
or tmpmax != (uint16_t)tmpmax){
1610
fprintf(stderr, "Bad port number\n");
1611
exitcode = EX_USAGE;
1612
goto end;
1613
}
1614
1615
if(quit_now){
1616
goto end;
1617
}
1618
1619
port = (uint16_t)tmpmax;
1620
*address = '\0';
1621
address = connect_to;
1622
/* Colon in address indicates IPv6 */
1623
int af;
1624
if(strchr(address, ':') != NULL){
1625
af = AF_INET6;
1626
} else {
1627
af = AF_INET;
1628
}
1629
1630
if(quit_now){
1631
goto end;
1632
}
1633
1634
while(not quit_now){
1635
ret = start_mandos_communication(address, port, if_index, af);
1636
if(quit_now or ret == 0){
1637
break;
1638
}
1639
sleep(15);
1640
};
1641
1642
if (not quit_now){
1643
exitcode = EXIT_SUCCESS;
1644
}
1645
1646
goto end;
1647
}
1648
1649
if(quit_now){
1650
goto end;
1651
}
1652
1653
{
1654
AvahiServerConfig config;
1655
/* Do not publish any local Zeroconf records */
1656
avahi_server_config_init(&config);
1657
config.publish_hinfo = 0;
1658
config.publish_addresses = 0;
1659
config.publish_workstation = 0;
1660
config.publish_domain = 0;
1661
1662
/* Allocate a new server */
1663
mc.server = avahi_server_new(avahi_simple_poll_get
1664
(mc.simple_poll), &config, NULL,
1665
NULL, &error);
1666
1667
/* Free the Avahi configuration data */
1668
avahi_server_config_free(&config);
1669
}
1670
1671
/* Check if creating the Avahi server object succeeded */
1672
if(mc.server == NULL){
1673
fprintf(stderr, "Failed to create Avahi server: %s\n",
1674
avahi_strerror(error));
1675
exitcode = EX_UNAVAILABLE;
1676
goto end;
1677
}
1678
1679
if(quit_now){
1680
goto end;
1681
}
1682
1683
/* Create the Avahi service browser */
1684
sb = avahi_s_service_browser_new(mc.server, if_index,
1685
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1686
NULL, 0, browse_callback, NULL);
1687
if(sb == NULL){
1688
fprintf(stderr, "Failed to create service browser: %s\n",
1689
avahi_strerror(avahi_server_errno(mc.server)));
1690
exitcode = EX_UNAVAILABLE;
1691
goto end;
1692
}
1693
1694
if(quit_now){
1695
goto end;
1696
}
1697
1698
/* Run the main loop */
1699
1700
if(debug){
1701
fprintf(stderr, "Starting Avahi loop search\n");
1702
}
1703
1704
avahi_simple_poll_loop(mc.simple_poll);
1705
937
exit(EXIT_FAILURE);
938
}
939
940
if(connect_to != NULL){
941
/* Connect directly, do not use Zeroconf */
942
/* (Mainly meant for debugging) */
943
char *address = strrchr(connect_to, ':');
944
if(address == NULL){
945
fprintf(stderr, "No colon in address\n");
946
exitcode = EXIT_FAILURE;
947
goto end;
948
}
949
errno = 0;
950
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
951
if(errno){
952
perror("Bad port number");
953
exitcode = EXIT_FAILURE;
954
goto end;
955
}
956
*address = '\0';
957
address = connect_to;
958
ret = start_mandos_communication(address, port, if_index, &mc);
959
if(ret < 0){
960
exitcode = EXIT_FAILURE;
961
} else {
962
exitcode = EXIT_SUCCESS;
963
}
964
goto end;
965
}
966
967
if (not debug){
968
avahi_set_log_function(empty_log);
969
}
970
971
/* Initialize the pseudo-RNG for Avahi */
972
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
1004
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
1007
}
1008
1009
/* Create the Avahi service browser */
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
1011
AVAHI_PROTO_INET6,
1012
"_mandos._tcp", NULL, 0,
1013
browse_callback, &mc);
1014
if (sb == NULL) {
1015
fprintf(stderr, "Failed to create service browser: %s\n",
1016
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
1019
}
1020
1021
/* Run the main loop */
1022
1023
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
1025
}
1026
1027
avahi_simple_poll_loop(mc.simple_poll);
1028
1706
1029
end:
1707
1708
if(debug){
1709
fprintf(stderr, "%s exiting\n", argv[0]);
1710
}
1711
1712
/* Cleanup things */
1713
if(sb != NULL)
1714
avahi_s_service_browser_free(sb);
1715
1716
if(mc.server != NULL)
1717
avahi_server_free(mc.server);
1718
1719
if(mc.simple_poll != NULL)
1720
avahi_simple_poll_free(mc.simple_poll);
1721
1722
if(gnutls_initialized){
1723
gnutls_certificate_free_credentials(mc.cred);
1724
gnutls_global_deinit();
1725
gnutls_dh_params_deinit(mc.dh_params);
1726
}
1727
1728
if(gpgme_initialized){
1729
gpgme_release(mc.ctx);
1730
}
1731
1732
/* Take down the network interface */
1733
if(take_down_interface){
1734
/* Re-raise priviliges */
1735
errno = 0;
1736
ret = seteuid(0);
1737
if(ret == -1){
1738
perror("seteuid");
1739
}
1740
if(geteuid() == 0){
1741
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1742
if(ret == -1){
1743
perror("ioctl SIOCGIFFLAGS");
1744
} else if(network.ifr_flags & IFF_UP) {
1745
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1746
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1747
if(ret == -1){
1748
perror("ioctl SIOCSIFFLAGS -IFF_UP");
1749
}
1750
}
1751
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1752
if(ret == -1){
1753
perror("close");
1754
}
1755
/* Lower privileges permanently */
1756
errno = 0;
1757
ret = setuid(uid);
1758
if(ret == -1){
1759
perror("setuid");
1760
}
1761
}
1762
}
1763
1764
/* Removes the temp directory used by GPGME */
1765
if(tempdir_created){
1766
DIR *d;
1767
struct dirent *direntry;
1768
d = opendir(tempdir);
1769
if(d == NULL){
1770
if(errno != ENOENT){
1771
perror("opendir");
1772
}
1773
} else {
1774
while(true){
1775
direntry = readdir(d);
1776
if(direntry == NULL){
1777
break;
1778
}
1779
/* Skip "." and ".." */
1780
if(direntry->d_name[0] == '.'
1781
and (direntry->d_name[1] == '\0'
1782
or (direntry->d_name[1] == '.'
1783
and direntry->d_name[2] == '\0'))){
1784
continue;
1785
}
1786
char *fullname = NULL;
1787
ret = asprintf(&fullname, "%s/%s", tempdir,
1788
direntry->d_name);
1789
if(ret < 0){
1790
perror("asprintf");
1791
continue;
1792
}
1793
ret = remove(fullname);
1794
if(ret == -1){
1795
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1796
strerror(errno));
1797
}
1798
free(fullname);
1799
}
1800
closedir(d);
1801
}
1802
ret = rmdir(tempdir);
1803
if(ret == -1 and errno != ENOENT){
1804
perror("rmdir");
1805
}
1806
}
1807
1808
if(quit_now){
1809
sigemptyset(&old_sigterm_action.sa_mask);
1810
old_sigterm_action.sa_handler = SIG_DFL;
1811
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1812
&old_sigterm_action,
1813
NULL));
1814
if(ret == -1){
1815
perror("sigaction");
1816
}
1817
do {
1818
ret = raise(signal_received);
1819
} while(ret != 0 and errno == EINTR);
1820
if(ret != 0){
1821
perror("raise");
1822
abort();
1823
}
1824
TEMP_FAILURE_RETRY(pause());
1825
}
1826
1827
return exitcode;
1030
1031
if (debug){
1032
fprintf(stderr, "%s exiting\n", argv[0]);
1033
}
1034
1035
/* Cleanup things */
1036
if (sb != NULL)
1037
avahi_s_service_browser_free(sb);
1038
1039
if (mc.server != NULL)
1040
avahi_server_free(mc.server);
1041
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfilename);
1045
free(seckeyfilename);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
1051
1052
return exitcode;
1828
1053
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0