32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), asprintf(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t, open(), opendir(), DIR */
51
#include <sys/stat.h> /* open() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir() */
57
#include <inttypes.h> /* PRIu16 */
58
#include <assert.h> /* assert() */
59
#include <errno.h> /* perror(), errno */
60
#include <time.h> /* time() */
42
61
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
62
SIOCSIFFLAGS, if_indextoname(),
63
if_nametoindex(), IF_NAMESIZE */
64
#include <netinet/in.h>
65
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
66
getuid(), getgid(), setuid(),
68
#include <arpa/inet.h> /* inet_pton(), htons */
69
#include <iso646.h> /* not, and */
70
#include <argp.h> /* struct argp_option, error_t, struct
71
argp_state, struct argp,
72
argp_parse(), ARGP_KEY_ARG,
73
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
76
/* All Avahi types, constants and functions
45
79
#include <avahi-core/core.h>
46
80
#include <avahi-core/lookup.h>
47
81
#include <avahi-core/log.h>
49
83
#include <avahi-common/malloc.h>
50
84
#include <avahi-common/error.h>
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
67
#include <errno.h> /* perror() */
87
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
90
init_gnutls_session(),
92
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
93
GNUTLS_OPENPGP_FMT_BASE64 */
96
#include <gpgme.h> /* All GPGME types, constants and
99
GPGME_PROTOCOL_OpenPGP,
73
102
#define BUFFER_SIZE 256
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
105
#define PATHDIR "/conf/conf.d/mandos"
108
#define PATHDIR "/conf/conf.d/mandos"
109
#define SECKEY "seckey.txt"
110
#define PUBKEY "pubkey.txt"
79
112
bool debug = false;
113
static const char mandos_protocol_version[] = "1";
114
const char *argp_program_version = "mandos-client 1.0";
115
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
/* Used for passing in values through all the callback functions */
117
/* Used for passing in values through the Avahi callback functions */
83
119
AvahiSimplePoll *simple_poll;
84
120
AvahiServer *server;
85
121
gnutls_certificate_credentials_t cred;
86
122
unsigned int dh_bits;
123
gnutls_dh_params_t dh_params;
87
124
const char *priority;
129
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
130
* "buffer_capacity" is how much is currently allocated,
131
* "buffer_length" is how much is already used.
133
size_t adjustbuffer(char **buffer, size_t buffer_length,
134
size_t buffer_capacity){
135
if (buffer_length + BUFFER_SIZE > buffer_capacity){
136
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
140
buffer_capacity += BUFFER_SIZE;
142
return buffer_capacity;
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
98
gpgme_data_t dh_crypto, dh_plain;
148
static bool init_gpgme(mandos_context *mc, const char *seckey,
149
const char *pubkey, const char *tempdir){
100
151
gpgme_error_t rc;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
104
152
gpgme_engine_info_t engine_info;
156
* Helper function to insert pub and seckey to the enigne keyring.
158
bool import_key(const char *filename){
160
gpgme_data_t pgp_data;
162
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
168
rc = gpgme_data_new_from_fd(&pgp_data, fd);
169
if (rc != GPG_ERR_NO_ERROR){
170
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
171
gpgme_strsource(rc), gpgme_strerror(rc));
175
rc = gpgme_op_import(mc->ctx, pgp_data);
176
if (rc != GPG_ERR_NO_ERROR){
177
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
178
gpgme_strsource(rc), gpgme_strerror(rc));
182
ret = TEMP_FAILURE_RETRY(close(fd));
186
gpgme_data_release(pgp_data);
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
191
fprintf(stderr, "Initialize gpgme\n");
113
197
if (rc != GPG_ERR_NO_ERROR){
114
198
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
115
199
gpgme_strsource(rc), gpgme_strerror(rc));
119
/* Set GPGME home directory for the OpenPGP engine only */
203
/* Set GPGME home directory for the OpenPGP engine only */
120
204
rc = gpgme_get_engine_info (&engine_info);
121
205
if (rc != GPG_ERR_NO_ERROR){
122
206
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
123
207
gpgme_strsource(rc), gpgme_strerror(rc));
126
210
while(engine_info != NULL){
127
211
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
128
212
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
129
engine_info->file_name, homedir);
213
engine_info->file_name, tempdir);
132
216
engine_info = engine_info->next;
134
218
if(engine_info == NULL){
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
219
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
223
/* Create new GPGME "context" */
224
rc = gpgme_new(&(mc->ctx));
225
if (rc != GPG_ERR_NO_ERROR){
226
fprintf(stderr, "bad gpgme_new: %s: %s\n",
227
gpgme_strsource(rc), gpgme_strerror(rc));
231
if (not import_key(pubkey) or not import_key(seckey)){
239
* Decrypt OpenPGP data.
240
* Returns -1 on error
242
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
243
const char *cryptotext,
246
gpgme_data_t dh_crypto, dh_plain;
249
size_t plaintext_capacity = 0;
250
ssize_t plaintext_length = 0;
253
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
139
256
/* Create new GPGME data buffer from memory cryptotext */
157
/* Create new GPGME "context" */
158
rc = gpgme_new(&ctx);
159
if (rc != GPG_ERR_NO_ERROR){
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
161
gpgme_strsource(rc), gpgme_strerror(rc));
162
plaintext_length = -1;
166
274
/* Decrypt data from the cryptotext data buffer to the plaintext
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
276
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
169
277
if (rc != GPG_ERR_NO_ERROR){
170
278
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
171
279
gpgme_strsource(rc), gpgme_strerror(rc));
172
280
plaintext_length = -1;
282
gpgme_decrypt_result_t result;
283
result = gpgme_op_decrypt_result(mc->ctx);
285
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
fprintf(stderr, "Unsupported algorithm: %s\n",
288
result->unsupported_algorithm);
289
fprintf(stderr, "Wrong key usage: %u\n",
290
result->wrong_key_usage);
291
if(result->file_name != NULL){
292
fprintf(stderr, "File name: %s\n", result->file_name);
294
gpgme_recipient_t recipient;
295
recipient = result->recipients;
297
while(recipient != NULL){
298
fprintf(stderr, "Public key algorithm: %s\n",
299
gpgme_pubkey_algo_name(recipient->pubkey_algo));
300
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
301
fprintf(stderr, "Secret key available: %s\n",
302
recipient->status == GPG_ERR_NO_SECKEY
304
recipient = recipient->next;
173
309
goto decrypt_end;
177
313
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
196
while(recipient != NULL){
197
fprintf(stderr, "Public key algorithm: %s\n",
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
200
fprintf(stderr, "Secret key available: %s\n",
201
recipient->status == GPG_ERR_NO_SECKEY
203
recipient = recipient->next;
209
316
/* Seek back to the beginning of the GPGME plaintext data buffer */
210
317
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
318
perror("gpgme_data_seek");
212
319
plaintext_length = -1;
213
320
goto decrypt_end;
216
323
*plaintext = NULL;
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
222
if (*plaintext == NULL){
325
plaintext_capacity = adjustbuffer(plaintext,
326
(size_t)plaintext_length,
328
if (plaintext_capacity == 0){
329
perror("adjustbuffer");
224
330
plaintext_length = -1;
225
331
goto decrypt_end;
227
plaintext_capacity += BUFFER_SIZE;
230
334
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
263
367
static const char * safer_gnutls_strerror (int value) {
264
const char *ret = gnutls_strerror (value);
368
const char *ret = gnutls_strerror (value); /* Spurious warning */
266
370
ret = "(unknown)";
374
/* GnuTLS log function callback */
270
375
static void debuggnutls(__attribute__((unused)) int level,
271
376
const char* string){
272
fprintf(stderr, "%s", string);
377
fprintf(stderr, "GnuTLS: %s", string);
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
380
static int init_gnutls_global(mandos_context *mc,
381
const char *pubkeyfilename,
382
const char *seckeyfilename){
281
386
fprintf(stderr, "Initializing GnuTLS\n");
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
389
ret = gnutls_global_init();
390
if (ret != GNUTLS_E_SUCCESS) {
391
fprintf (stderr, "GnuTLS global_init: %s\n",
392
safer_gnutls_strerror(ret));
397
/* "Use a log level over 10 to enable all debugging options."
291
400
gnutls_global_set_log_level(11);
292
401
gnutls_global_set_log_function(debuggnutls);
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
404
/* OpenPGP credentials */
405
gnutls_certificate_allocate_credentials(&mc->cred);
406
if (ret != GNUTLS_E_SUCCESS){
407
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
299
409
safer_gnutls_strerror(ret));
410
gnutls_global_deinit ();
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
415
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
416
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
309
420
ret = gnutls_certificate_set_openpgp_key_file
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
421
(mc->cred, pubkeyfilename, seckeyfilename,
422
GNUTLS_OPENPGP_FMT_BASE64);
311
423
if (ret != GNUTLS_E_SUCCESS) {
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
425
"Error[%d] while reading the OpenPGP key pair ('%s',"
426
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
427
fprintf(stderr, "The GnuTLS error is: %s\n",
317
428
safer_gnutls_strerror(ret));
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
432
/* GnuTLS server initialization */
433
ret = gnutls_dh_params_init(&mc->dh_params);
434
if (ret != GNUTLS_E_SUCCESS) {
435
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
436
" %s\n", safer_gnutls_strerror(ret));
439
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
440
if (ret != GNUTLS_E_SUCCESS) {
441
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
442
safer_gnutls_strerror(ret));
446
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
gnutls_certificate_free_credentials(mc->cred);
453
gnutls_global_deinit();
454
gnutls_dh_params_deinit(mc->dh_params);
458
static int init_gnutls_session(mandos_context *mc,
459
gnutls_session_t *session){
461
/* GnuTLS session creation */
462
ret = gnutls_init(session, GNUTLS_SERVER);
463
if (ret != GNUTLS_E_SUCCESS){
341
464
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
342
465
safer_gnutls_strerror(ret));
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
470
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
471
if (ret != GNUTLS_E_SUCCESS) {
472
fprintf(stderr, "Syntax error at: %s\n", err);
473
fprintf(stderr, "GnuTLS error: %s\n",
474
safer_gnutls_strerror(ret));
475
gnutls_deinit (*session);
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
480
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
482
if (ret != GNUTLS_E_SUCCESS) {
483
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
357
484
safer_gnutls_strerror(ret));
485
gnutls_deinit (*session);
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
573
ret = connect(tcp_sd, &to.in, sizeof(to));
438
575
perror("connect");
442
ret = initgnutls (mc, &session, &dh_params);
579
const char *out = mandos_protocol_version;
582
size_t out_size = strlen(out);
583
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
584
out_size - written));
590
written += (size_t)ret;
591
if(written < out_size){
594
if (out == mandos_protocol_version){
604
fprintf(stderr, "Establishing TLS session with %s\n", ip);
448
607
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
454
ret = gnutls_handshake (session);
610
ret = gnutls_handshake (session);
611
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
456
613
if (ret != GNUTLS_E_SUCCESS){
458
fprintf(stderr, "\n*** Handshake failed ***\n");
615
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
459
616
gnutls_perror (ret);
465
//Retrieve OpenPGP packet that contains the wanted password
622
/* Read OpenPGP packet that contains the wanted password */
468
625
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
479
buffer_capacity += BUFFER_SIZE;
630
buffer_capacity = adjustbuffer(&buffer, buffer_length,
632
if (buffer_capacity == 0){
633
perror("adjustbuffer");
482
638
ret = gnutls_record_recv(session, buffer+buffer_length,
490
646
case GNUTLS_E_AGAIN:
492
648
case GNUTLS_E_REHANDSHAKE:
493
ret = gnutls_handshake (session);
650
ret = gnutls_handshake (session);
651
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
495
fprintf(stderr, "\n*** Handshake failed ***\n");
653
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
496
654
gnutls_perror (ret);
502
660
fprintf(stderr, "Unknown error while reading data from"
503
" encrypted session with mandos server\n");
661
" encrypted session with Mandos server\n");
505
663
gnutls_bye (session, GNUTLS_SHUT_RDWR);
509
667
buffer_length += (size_t) ret;
672
fprintf(stderr, "Closing TLS session\n");
675
gnutls_bye (session, GNUTLS_SHUT_RDWR);
513
677
if (buffer_length > 0){
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
678
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
518
681
if (decrypted_buffer_size >= 0){
519
683
while(written < (size_t) decrypted_buffer_size){
520
684
ret = (int)fwrite (decrypted_buffer + written, 1,
521
685
(size_t)decrypted_buffer_size - written,
618
781
case AVAHI_BROWSER_FAILURE:
620
fprintf(stderr, "(Browser) %s\n",
783
fprintf(stderr, "(Avahi browser) %s\n",
621
784
avahi_strerror(avahi_server_errno(mc->server)));
622
785
avahi_simple_poll_quit(mc->simple_poll);
625
788
case AVAHI_BROWSER_NEW:
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
789
/* We ignore the returned Avahi resolver object. In the callback
790
function we free it. If the Avahi server is terminated before
791
the callback function is called the Avahi server will free the
631
794
if (!(avahi_s_service_resolver_new(mc->server, interface,
632
795
protocol, name, type, domain,
633
796
AVAHI_PROTO_INET6, 0,
634
797
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
798
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
799
name, avahi_strerror(avahi_server_errno(mc->server)));
639
802
case AVAHI_BROWSER_REMOVE:
642
805
case AVAHI_BROWSER_ALL_FOR_NOW:
643
806
case AVAHI_BROWSER_CACHE_EXHAUSTED:
808
fprintf(stderr, "No Mandos server found, still searching...\n");
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
658
memcpy(tmp, first, f_len); /* Spurious warning */
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
664
tmp[f_len + 1 + s_len] = '\0';
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
814
int main(int argc, char *argv[]){
671
815
AvahiSServiceBrowser *sb = NULL;
675
int returncode = EXIT_SUCCESS;
818
int exitcode = EXIT_SUCCESS;
676
819
const char *interface = "eth0";
677
820
struct ifreq network;
679
824
char *connect_to = NULL;
825
char tempdir[] = "/tmp/mandosXXXXXX";
680
826
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
827
const char *seckey = PATHDIR "/" SECKEY;
828
const char *pubkey = PATHDIR "/" PUBKEY;
681
830
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
684
debug_int = debug ? 1 : 0;
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
732
mc.priority = optarg;
739
debug = debug_int ? true : false;
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
831
.dh_bits = 1024, .priority = "SECURE256"
832
":!CTYPE-X.509:+CTYPE-OPENPGP" };
833
bool gnutls_initalized = false;
834
bool gpgme_initalized = false;
837
struct argp_option options[] = {
838
{ .name = "debug", .key = 128,
839
.doc = "Debug mode", .group = 3 },
840
{ .name = "connect", .key = 'c',
841
.arg = "ADDRESS:PORT",
842
.doc = "Connect directly to a specific Mandos server",
844
{ .name = "interface", .key = 'i',
846
.doc = "Interface that will be used to search for Mandos"
849
{ .name = "seckey", .key = 's',
851
.doc = "OpenPGP secret key file base name",
853
{ .name = "pubkey", .key = 'p',
855
.doc = "OpenPGP public key file base name",
857
{ .name = "dh-bits", .key = 129,
859
.doc = "Bit length of the prime number used in the"
860
" Diffie-Hellman key exchange",
862
{ .name = "priority", .key = 130,
864
.doc = "GnuTLS priority string for the TLS handshake",
869
error_t parse_opt (int key, char *arg,
870
struct argp_state *state) {
871
/* Get the INPUT argument from `argp_parse', which we know is
872
a pointer to our plugin list pointer. */
874
case 128: /* --debug */
877
case 'c': /* --connect */
880
case 'i': /* --interface */
883
case 's': /* --seckey */
886
case 'p': /* --pubkey */
889
case 129: /* --dh-bits */
891
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
897
case 130: /* --priority */
905
return ARGP_ERR_UNKNOWN;
910
struct argp argp = { .options = options, .parser = parse_opt,
912
.doc = "Mandos client -- Get and decrypt"
913
" passwords from a Mandos server" };
914
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
915
if (ret == ARGP_ERR_UNKNOWN){
916
fprintf(stderr, "Unknown error while parsing arguments\n");
917
exitcode = EXIT_FAILURE;
922
/* If the interface is down, bring it up */
924
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
927
exitcode = EXIT_FAILURE;
930
strcpy(network.ifr_name, interface);
931
ret = ioctl(sd, SIOCGIFFLAGS, &network);
933
perror("ioctl SIOCGIFFLAGS");
934
exitcode = EXIT_FAILURE;
937
if((network.ifr_flags & IFF_UP) == 0){
938
network.ifr_flags |= IFF_UP;
939
ret = ioctl(sd, SIOCSIFFLAGS, &network);
941
perror("ioctl SIOCSIFFLAGS");
942
exitcode = EXIT_FAILURE;
946
ret = TEMP_FAILURE_RETRY(close(sd));
965
ret = init_gnutls_global(&mc, pubkey, seckey);
967
fprintf(stderr, "init_gnutls_global failed\n");
968
exitcode = EXIT_FAILURE;
971
gnutls_initalized = true;
974
if(mkdtemp(tempdir) == NULL){
980
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
981
fprintf(stderr, "gpgme_initalized failed\n");
982
exitcode = EXIT_FAILURE;
985
gpgme_initalized = true;
754
988
if_index = (AvahiIfIndex) if_nametoindex(interface);
763
997
char *address = strrchr(connect_to, ':');
764
998
if(address == NULL){
765
999
fprintf(stderr, "No colon in address\n");
1000
exitcode = EXIT_FAILURE;
769
1004
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
771
1006
perror("Bad port number");
1007
exitcode = EXIT_FAILURE;
774
1010
*address = '\0';
775
1011
address = connect_to;
776
1012
ret = start_mandos_communication(address, port, if_index, &mc);
1014
exitcode = EXIT_FAILURE;
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
787
returncode = EXIT_FAILURE;
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
1016
exitcode = EXIT_SUCCESS;
810
1022
avahi_set_log_function(empty_log);
813
/* Initialize the psuedo-RNG */
1025
/* Initialize the pseudo-RNG for Avahi */
814
1026
srand((unsigned int) time(NULL));
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
837
/* Check if creating the server object succeeded */
839
fprintf(stderr, "Failed to create server: %s\n",
1028
/* Allocate main Avahi loop object */
1029
mc.simple_poll = avahi_simple_poll_new();
1030
if (mc.simple_poll == NULL) {
1031
fprintf(stderr, "Avahi: Failed to create simple poll"
1033
exitcode = EXIT_FAILURE;
1038
AvahiServerConfig config;
1039
/* Do not publish any local Zeroconf records */
1040
avahi_server_config_init(&config);
1041
config.publish_hinfo = 0;
1042
config.publish_addresses = 0;
1043
config.publish_workstation = 0;
1044
config.publish_domain = 0;
1046
/* Allocate a new server */
1047
mc.server = avahi_server_new(avahi_simple_poll_get
1048
(mc.simple_poll), &config, NULL,
1051
/* Free the Avahi configuration data */
1052
avahi_server_config_free(&config);
1055
/* Check if creating the Avahi server object succeeded */
1056
if (mc.server == NULL) {
1057
fprintf(stderr, "Failed to create Avahi server: %s\n",
840
1058
avahi_strerror(error));
841
returncode = EXIT_FAILURE;
1059
exitcode = EXIT_FAILURE;
845
/* Create the service browser */
1063
/* Create the Avahi service browser */
846
1064
sb = avahi_s_service_browser_new(mc.server, if_index,
847
1065
AVAHI_PROTO_INET6,
848
1066
"_mandos._tcp", NULL, 0,
849
1067
browse_callback, &mc);
851
1069
fprintf(stderr, "Failed to create service browser: %s\n",
852
1070
avahi_strerror(avahi_server_errno(mc.server)));
853
returncode = EXIT_FAILURE;
1071
exitcode = EXIT_FAILURE;
857
1075
/* Run the main loop */
860
fprintf(stderr, "Starting avahi loop search\n");
1078
fprintf(stderr, "Starting Avahi loop search\n");
863
1081
avahi_simple_poll_loop(mc.simple_poll);
868
1086
fprintf(stderr, "%s exiting\n", argv[0]);
871
1089
/* Cleanup things */
873
1091
avahi_s_service_browser_free(sb);
1093
if (mc.server != NULL)
876
1094
avahi_server_free(mc.server);
1096
if (mc.simple_poll != NULL)
879
1097
avahi_simple_poll_free(mc.simple_poll);
1099
if (gnutls_initalized){
1100
gnutls_certificate_free_credentials(mc.cred);
1101
gnutls_global_deinit ();
1102
gnutls_dh_params_deinit(mc.dh_params);
1105
if(gpgme_initalized){
1106
gpgme_release(mc.ctx);
1109
/* Removes the temp directory used by GPGME */
1110
if(tempdir[0] != '\0'){
1112
struct dirent *direntry;
1113
d = opendir(tempdir);
1118
direntry = readdir(d);
1119
if(direntry == NULL){
1122
if (direntry->d_type == DT_REG){
1123
char *fullname = NULL;
1124
ret = asprintf(&fullname, "%s/%s", tempdir,
1130
ret = unlink(fullname);
1132
fprintf(stderr, "unlink(\"%s\"): %s",
1133
fullname, strerror(errno));
1140
ret = rmdir(tempdir);