To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 2
- compare with another revision
- download diff
- download tarball
- view history from revision 2
- Committer: Björn Påhlsson
- Date: 2007-10-28 17:59:38 UTC
- Revision ID: belorn@tower-20071028175938-26b85eaa85b84771
Working client and server and password system
- files added:
- bad-ca.pem
- files removed:
- TODO
- plugins.d
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
13
*
14
* This program is free software: you can redistribute it and/or
15
* modify it under the terms of the GNU General Public License as
16
* published by the Free Software Foundation, either version 3 of the
17
* License, or (at your option) any later version.
18
*
19
* This program is distributed in the hope that it will be useful, but
20
* WITHOUT ANY WARRANTY; without even the implied warranty of
21
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22
* General Public License for more details.
23
*
24
* You should have received a copy of the GNU General Public License
25
* along with this program. If not, see
26
* <http://www.gnu.org/licenses/>.
27
*
28
* Contact the authors at <mandos@fukt.bsnet.se>.
29
*/
30
31
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _LARGEFILE_SOURCE
33
#define _FILE_OFFSET_BITS 64
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
46
47
#include <avahi-core/core.h>
48
#include <avahi-core/lookup.h>
49
#include <avahi-core/log.h>
50
#include <avahi-common/simple-watch.h>
51
#include <avahi-common/malloc.h>
52
#include <avahi-common/error.h>
53
54
/* Mandos client part */
55
#include <sys/types.h> /* socket(), inet_pton() */
56
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
struct in6_addr, inet_pton() */
58
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
59
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
60
61
#include <unistd.h> /* close() */
62
#include <netinet/in.h>
63
#include <stdbool.h> /* true */
64
#include <string.h> /* memset */
65
#include <arpa/inet.h> /* inet_pton() */
66
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
#include <argp.h> /* struct argp_option,
69
struct argp_state, struct argp,
70
argp_parse() */
71
/* GPGME */
72
#include <errno.h> /* perror() */
73
#include <gpgme.h>
74
75
#define BUFFER_SIZE 256
76
77
bool debug = false;
78
const char *keydir = "/conf/conf.d/mandos";
79
const char *argp_program_version = "mandosclient 0.9";
80
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
81
const char mandos_protocol_version[] = "1";
82
83
/* Used for passing in values through all the callback functions */
84
typedef struct {
85
AvahiSimplePoll *simple_poll;
86
AvahiServer *server;
87
gnutls_certificate_credentials_t cred;
88
unsigned int dh_bits;
89
gnutls_dh_params_t dh_params;
90
const char *priority;
91
} mandos_context;
92
93
size_t adjustbuffer(char **buffer, size_t buffer_length,
94
size_t buffer_capacity){
95
if (buffer_length + BUFFER_SIZE > buffer_capacity){
96
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
97
if (buffer == NULL){
98
return 0;
99
}
100
buffer_capacity += BUFFER_SIZE;
101
}
102
return buffer_capacity;
103
}
104
105
/*
106
* Decrypt OpenPGP data using keyrings in HOMEDIR.
107
* Returns -1 on error
108
*/
109
static ssize_t pgp_packet_decrypt (const char *cryptotext,
110
size_t crypto_size,
111
char **plaintext,
112
const char *homedir){
113
gpgme_data_t dh_crypto, dh_plain;
114
gpgme_ctx_t ctx;
115
gpgme_error_t rc;
116
ssize_t ret;
117
size_t plaintext_capacity = 0;
118
ssize_t plaintext_length = 0;
119
gpgme_engine_info_t engine_info;
120
121
if (debug){
122
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
123
}
124
125
/* Init GPGME */
126
gpgme_check_version(NULL);
127
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
128
if (rc != GPG_ERR_NO_ERROR){
129
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
130
gpgme_strsource(rc), gpgme_strerror(rc));
131
return -1;
132
}
133
134
/* Set GPGME home directory for the OpenPGP engine only */
135
rc = gpgme_get_engine_info (&engine_info);
136
if (rc != GPG_ERR_NO_ERROR){
137
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
138
gpgme_strsource(rc), gpgme_strerror(rc));
139
return -1;
140
}
141
while(engine_info != NULL){
142
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
143
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
144
engine_info->file_name, homedir);
145
break;
146
}
147
engine_info = engine_info->next;
148
}
149
if(engine_info == NULL){
150
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
151
return -1;
152
}
153
154
/* Create new GPGME data buffer from memory cryptotext */
155
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
156
0);
157
if (rc != GPG_ERR_NO_ERROR){
158
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
159
gpgme_strsource(rc), gpgme_strerror(rc));
160
return -1;
161
}
162
163
/* Create new empty GPGME data buffer for the plaintext */
164
rc = gpgme_data_new(&dh_plain);
165
if (rc != GPG_ERR_NO_ERROR){
166
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
167
gpgme_strsource(rc), gpgme_strerror(rc));
168
gpgme_data_release(dh_crypto);
169
return -1;
170
}
171
172
/* Create new GPGME "context" */
173
rc = gpgme_new(&ctx);
174
if (rc != GPG_ERR_NO_ERROR){
175
fprintf(stderr, "bad gpgme_new: %s: %s\n",
176
gpgme_strsource(rc), gpgme_strerror(rc));
177
plaintext_length = -1;
178
goto decrypt_end;
179
}
180
181
/* Decrypt data from the cryptotext data buffer to the plaintext
182
data buffer */
183
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
184
if (rc != GPG_ERR_NO_ERROR){
185
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
186
gpgme_strsource(rc), gpgme_strerror(rc));
187
plaintext_length = -1;
188
goto decrypt_end;
189
}
190
191
if(debug){
192
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
193
}
194
195
if (debug){
196
gpgme_decrypt_result_t result;
197
result = gpgme_op_decrypt_result(ctx);
198
if (result == NULL){
199
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
200
} else {
201
fprintf(stderr, "Unsupported algorithm: %s\n",
202
result->unsupported_algorithm);
203
fprintf(stderr, "Wrong key usage: %d\n",
204
result->wrong_key_usage);
205
if(result->file_name != NULL){
206
fprintf(stderr, "File name: %s\n", result->file_name);
207
}
208
gpgme_recipient_t recipient;
209
recipient = result->recipients;
210
if(recipient){
211
while(recipient != NULL){
212
fprintf(stderr, "Public key algorithm: %s\n",
213
gpgme_pubkey_algo_name(recipient->pubkey_algo));
214
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
215
fprintf(stderr, "Secret key available: %s\n",
216
recipient->status == GPG_ERR_NO_SECKEY
217
? "No" : "Yes");
218
recipient = recipient->next;
219
}
220
}
221
}
222
}
223
224
/* Seek back to the beginning of the GPGME plaintext data buffer */
225
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
226
perror("pgpme_data_seek");
227
plaintext_length = -1;
228
goto decrypt_end;
229
}
230
231
*plaintext = NULL;
232
while(true){
233
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
234
plaintext_capacity);
235
if (plaintext_capacity == 0){
236
perror("adjustbuffer");
237
plaintext_length = -1;
238
goto decrypt_end;
239
}
240
241
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
242
BUFFER_SIZE);
243
/* Print the data, if any */
244
if (ret == 0){
245
/* EOF */
246
break;
247
}
248
if(ret < 0){
249
perror("gpgme_data_read");
250
plaintext_length = -1;
251
goto decrypt_end;
252
}
253
plaintext_length += ret;
254
}
255
256
if(debug){
257
fprintf(stderr, "Decrypted password is: ");
258
for(ssize_t i = 0; i < plaintext_length; i++){
259
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
260
}
261
fprintf(stderr, "\n");
262
}
263
264
decrypt_end:
265
266
/* Delete the GPGME cryptotext data buffer */
267
gpgme_data_release(dh_crypto);
268
269
/* Delete the GPGME plaintext data buffer */
270
gpgme_data_release(dh_plain);
271
return plaintext_length;
272
}
273
274
static const char * safer_gnutls_strerror (int value) {
275
const char *ret = gnutls_strerror (value);
276
if (ret == NULL)
277
ret = "(unknown)";
278
return ret;
279
}
280
281
/* GnuTLS log function callback */
282
static void debuggnutls(__attribute__((unused)) int level,
283
const char* string){
284
fprintf(stderr, "GnuTLS: %s", string);
285
}
286
287
static int init_gnutls_global(mandos_context *mc,
288
const char *pubkeyfile,
289
const char *seckeyfile){
290
int ret;
291
292
if(debug){
293
fprintf(stderr, "Initializing GnuTLS\n");
294
}
295
296
if ((ret = gnutls_global_init ())
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "GnuTLS global_init: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
if (debug){
304
/* "Use a log level over 10 to enable all debugging options."
305
* - GnuTLS manual
306
*/
307
gnutls_global_set_log_level(11);
308
gnutls_global_set_log_function(debuggnutls);
309
}
310
311
/* OpenPGP credentials */
312
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
313
!= GNUTLS_E_SUCCESS) {
314
fprintf (stderr, "GnuTLS memory error: %s\n",
315
safer_gnutls_strerror(ret));
316
return -1;
317
}
318
319
if(debug){
320
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
321
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
322
seckeyfile);
323
}
324
325
ret = gnutls_certificate_set_openpgp_key_file
326
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
327
if (ret != GNUTLS_E_SUCCESS) {
328
fprintf(stderr,
329
"Error[%d] while reading the OpenPGP key pair ('%s',"
330
" '%s')\n", ret, pubkeyfile, seckeyfile);
331
fprintf(stdout, "The GnuTLS error is: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
/* GnuTLS server initialization */
337
ret = gnutls_dh_params_init(&mc->dh_params);
338
if (ret != GNUTLS_E_SUCCESS) {
339
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
340
" %s\n", safer_gnutls_strerror(ret));
341
return -1;
342
}
343
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
344
if (ret != GNUTLS_E_SUCCESS) {
345
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
346
safer_gnutls_strerror(ret));
347
return -1;
348
}
349
350
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
351
352
return 0;
353
}
354
355
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
356
int ret;
357
/* GnuTLS session creation */
358
ret = gnutls_init(session, GNUTLS_SERVER);
359
if (ret != GNUTLS_E_SUCCESS){
360
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
361
safer_gnutls_strerror(ret));
362
}
363
364
{
365
const char *err;
366
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf(stderr, "Syntax error at: %s\n", err);
369
fprintf(stderr, "GnuTLS error: %s\n",
370
safer_gnutls_strerror(ret));
371
return -1;
372
}
373
}
374
375
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
376
mc->cred);
377
if (ret != GNUTLS_E_SUCCESS) {
378
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
379
safer_gnutls_strerror(ret));
380
return -1;
381
}
382
383
/* ignore client certificate if any. */
384
gnutls_certificate_server_set_request (*session,
385
GNUTLS_CERT_IGNORE);
386
387
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
388
389
return 0;
390
}
391
392
/* Avahi log function callback */
393
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
394
__attribute__((unused)) const char *txt){}
395
396
/* Called when a Mandos server is found */
397
static int start_mandos_communication(const char *ip, uint16_t port,
398
AvahiIfIndex if_index,
399
mandos_context *mc){
400
int ret, tcp_sd;
401
struct sockaddr_in6 to;
402
char *buffer = NULL;
403
char *decrypted_buffer;
404
size_t buffer_length = 0;
405
size_t buffer_capacity = 0;
406
ssize_t decrypted_buffer_size;
407
size_t written;
408
int retval = 0;
409
char interface[IF_NAMESIZE];
410
gnutls_session_t session;
411
gnutls_dh_params_t dh_params;
412
413
ret = init_gnutls_session (mc, &session);
414
if (ret != 0){
415
return -1;
416
}
417
418
if(debug){
419
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
420
ip, port);
421
}
422
423
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
424
if(tcp_sd < 0) {
425
perror("socket");
426
return -1;
427
}
428
429
if(debug){
430
if(if_indextoname((unsigned int)if_index, interface) == NULL){
431
perror("if_indextoname");
432
return -1;
433
}
434
fprintf(stderr, "Binding to interface %s\n", interface);
435
}
436
437
memset(&to,0,sizeof(to)); /* Spurious warning */
438
to.sin6_family = AF_INET6;
439
/* It would be nice to have a way to detect if we were passed an
440
IPv4 address here. Now we assume an IPv6 address. */
441
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
442
if (ret < 0 ){
443
perror("inet_pton");
444
return -1;
445
}
446
if(ret == 0){
447
fprintf(stderr, "Bad address: %s\n", ip);
448
return -1;
449
}
450
to.sin6_port = htons(port); /* Spurious warning */
451
452
to.sin6_scope_id = (uint32_t)if_index;
453
454
if(debug){
455
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
456
char addrstr[INET6_ADDRSTRLEN] = "";
457
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
458
sizeof(addrstr)) == NULL){
459
perror("inet_ntop");
460
} else {
461
if(strcmp(addrstr, ip) != 0){
462
fprintf(stderr, "Canonical address form: %s\n", addrstr);
463
}
464
}
465
}
466
467
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
468
if (ret < 0){
469
perror("connect");
470
return -1;
471
}
472
473
const char *out = mandos_protocol_version;
474
written = 0;
475
while (true){
476
size_t out_size = strlen(out);
477
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
478
out_size - written));
479
if (ret == -1){
480
perror("write");
481
retval = -1;
482
goto mandos_end;
483
}
484
written += (size_t)ret;
485
if(written < out_size){
486
continue;
487
} else {
488
if (out == mandos_protocol_version){
489
written = 0;
490
out = "\r\n";
491
} else {
492
break;
493
}
494
}
495
}
496
497
if(debug){
498
fprintf(stderr, "Establishing TLS session with %s\n", ip);
499
}
500
501
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
502
503
ret = gnutls_handshake (session);
504
505
if (ret != GNUTLS_E_SUCCESS){
506
if(debug){
507
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
508
gnutls_perror (ret);
509
}
510
retval = -1;
511
goto mandos_end;
512
}
513
514
/* Read OpenPGP packet that contains the wanted password */
515
516
if(debug){
517
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
518
ip);
519
}
520
521
while(true){
522
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
523
if (buffer_capacity == 0){
524
perror("adjustbuffer");
525
retval = -1;
526
goto mandos_end;
527
}
528
529
ret = gnutls_record_recv(session, buffer+buffer_length,
530
BUFFER_SIZE);
531
if (ret == 0){
532
break;
533
}
534
if (ret < 0){
535
switch(ret){
536
case GNUTLS_E_INTERRUPTED:
537
case GNUTLS_E_AGAIN:
538
break;
539
case GNUTLS_E_REHANDSHAKE:
540
ret = gnutls_handshake (session);
541
if (ret < 0){
542
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
543
gnutls_perror (ret);
544
retval = -1;
545
goto mandos_end;
546
}
547
break;
548
default:
549
fprintf(stderr, "Unknown error while reading data from"
550
" encrypted session with Mandos server\n");
551
retval = -1;
552
gnutls_bye (session, GNUTLS_SHUT_RDWR);
553
goto mandos_end;
554
}
555
} else {
556
buffer_length += (size_t) ret;
557
}
558
}
559
560
if(debug){
561
fprintf(stderr, "Closing TLS session\n");
562
}
563
564
gnutls_bye (session, GNUTLS_SHUT_RDWR);
565
566
if (buffer_length > 0){
567
decrypted_buffer_size = pgp_packet_decrypt(buffer,
568
buffer_length,
569
&decrypted_buffer,
570
keydir);
571
if (decrypted_buffer_size >= 0){
572
written = 0;
573
while(written < (size_t) decrypted_buffer_size){
574
ret = (int)fwrite (decrypted_buffer + written, 1,
575
(size_t)decrypted_buffer_size - written,
576
stdout);
577
if(ret == 0 and ferror(stdout)){
578
if(debug){
579
fprintf(stderr, "Error writing encrypted data: %s\n",
580
strerror(errno));
581
}
582
retval = -1;
583
break;
584
}
585
written += (size_t)ret;
586
}
587
free(decrypted_buffer);
588
} else {
589
retval = -1;
590
}
591
}
592
593
/* Shutdown procedure */
594
595
mandos_end:
596
free(buffer);
597
close(tcp_sd);
598
gnutls_deinit (session);
599
gnutls_certificate_free_credentials (mc->cred);
600
gnutls_global_deinit ();
601
return retval;
602
}
603
604
static void resolve_callback(AvahiSServiceResolver *r,
605
AvahiIfIndex interface,
606
AVAHI_GCC_UNUSED AvahiProtocol protocol,
607
AvahiResolverEvent event,
608
const char *name,
609
const char *type,
610
const char *domain,
611
const char *host_name,
612
const AvahiAddress *address,
613
uint16_t port,
614
AVAHI_GCC_UNUSED AvahiStringList *txt,
615
AVAHI_GCC_UNUSED AvahiLookupResultFlags
616
flags,
617
void* userdata) {
618
mandos_context *mc = userdata;
619
assert(r); /* Spurious warning */
620
621
/* Called whenever a service has been resolved successfully or
622
timed out */
623
624
switch (event) {
625
default:
626
case AVAHI_RESOLVER_FAILURE:
627
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
628
" of type '%s' in domain '%s': %s\n", name, type, domain,
629
avahi_strerror(avahi_server_errno(mc->server)));
630
break;
631
632
case AVAHI_RESOLVER_FOUND:
633
{
634
char ip[AVAHI_ADDRESS_STR_MAX];
635
avahi_address_snprint(ip, sizeof(ip), address);
636
if(debug){
637
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
638
" port %d\n", name, host_name, ip, interface, port);
639
}
640
int ret = start_mandos_communication(ip, port, interface, mc);
641
if (ret == 0){
642
exit(EXIT_SUCCESS);
643
}
644
}
645
}
646
avahi_s_service_resolver_free(r);
647
}
648
649
static void browse_callback( AvahiSServiceBrowser *b,
650
AvahiIfIndex interface,
651
AvahiProtocol protocol,
652
AvahiBrowserEvent event,
653
const char *name,
654
const char *type,
655
const char *domain,
656
AVAHI_GCC_UNUSED AvahiLookupResultFlags
657
flags,
658
void* userdata) {
659
mandos_context *mc = userdata;
660
assert(b); /* Spurious warning */
661
662
/* Called whenever a new services becomes available on the LAN or
663
is removed from the LAN */
664
665
switch (event) {
666
default:
667
case AVAHI_BROWSER_FAILURE:
668
669
fprintf(stderr, "(Avahi browser) %s\n",
670
avahi_strerror(avahi_server_errno(mc->server)));
671
avahi_simple_poll_quit(mc->simple_poll);
672
return;
673
674
case AVAHI_BROWSER_NEW:
675
/* We ignore the returned Avahi resolver object. In the callback
676
function we free it. If the Avahi server is terminated before
677
the callback function is called the Avahi server will free the
678
resolver for us. */
679
680
if (!(avahi_s_service_resolver_new(mc->server, interface,
681
protocol, name, type, domain,
682
AVAHI_PROTO_INET6, 0,
683
resolve_callback, mc)))
684
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
685
name, avahi_strerror(avahi_server_errno(mc->server)));
686
break;
687
688
case AVAHI_BROWSER_REMOVE:
689
break;
690
691
case AVAHI_BROWSER_ALL_FOR_NOW:
692
case AVAHI_BROWSER_CACHE_EXHAUSTED:
693
if(debug){
694
fprintf(stderr, "No Mandos server found, still searching...\n");
695
}
696
break;
697
}
698
}
699
700
/* Combines file name and path and returns the malloced new
701
string. some sane checks could/should be added */
702
static const char *combinepath(const char *first, const char *second){
703
size_t f_len = strlen(first);
704
size_t s_len = strlen(second);
705
char *tmp = malloc(f_len + s_len + 2);
706
if (tmp == NULL){
707
return NULL;
708
}
709
if(f_len > 0){
710
memcpy(tmp, first, f_len); /* Spurious warning */
711
}
712
tmp[f_len] = '/';
713
if(s_len > 0){
714
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
715
}
716
tmp[f_len + 1 + s_len] = '\0';
717
return tmp;
718
}
719
720
721
int main(int argc, char *argv[]){
722
AvahiSServiceBrowser *sb = NULL;
723
int error;
724
int ret;
725
int exitcode = EXIT_SUCCESS;
726
const char *interface = "eth0";
727
struct ifreq network;
728
int sd;
729
uid_t uid;
730
gid_t gid;
731
char *connect_to = NULL;
732
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
733
const char *pubkeyfile = "pubkey.txt";
734
const char *seckeyfile = "seckey.txt";
735
mandos_context mc = { .simple_poll = NULL, .server = NULL,
736
.dh_bits = 1024, .priority = "SECURE256"};
737
738
{
739
struct argp_option options[] = {
740
{ .name = "debug", .key = 128,
741
.doc = "Debug mode", .group = 3 },
742
{ .name = "connect", .key = 'c',
743
.arg = "IP",
744
.doc = "Connect directly to a sepcified mandos server", .group = 1 },
745
{ .name = "interface", .key = 'i',
746
.arg = "INTERFACE",
747
.doc = "Interface that Avahi will conntect through", .group = 1 },
748
{ .name = "keydir", .key = 'd',
749
.arg = "KEYDIR",
750
.doc = "Directory where the openpgp keyring is", .group = 1 },
751
{ .name = "seckey", .key = 's',
752
.arg = "SECKEY",
753
.doc = "Secret openpgp key for gnutls authentication", .group = 1 },
754
{ .name = "pubkey", .key = 'p',
755
.arg = "PUBKEY",
756
.doc = "Public openpgp key for gnutls authentication", .group = 2 },
757
{ .name = "dh-bits", .key = 129,
758
.arg = "BITS",
759
.doc = "dh-bits to use in gnutls communication", .group = 2 },
760
{ .name = "priority", .key = 130,
761
.arg = "PRIORITY",
762
.doc = "GNUTLS priority", .group = 1 },
763
{ .name = NULL }
764
};
765
766
767
error_t parse_opt (int key, char *arg, struct argp_state *state) {
768
/* Get the INPUT argument from `argp_parse', which we know is a
769
pointer to our plugin list pointer. */
770
switch (key) {
771
case 128:
772
debug = true;
773
break;
774
case 'c':
775
connect_to = arg;
776
break;
777
case 'i':
778
interface = arg;
779
break;
780
case 'd':
781
keydir = arg;
782
break;
783
case 's':
784
seckeyfile = arg;
785
break;
786
case 'p':
787
pubkeyfile = arg;
788
break;
789
case 129:
790
errno = 0;
791
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
792
if (errno){
793
perror("strtol");
794
exit(EXIT_FAILURE);
795
}
796
break;
797
case 130:
798
mc.priority = arg;
799
break;
800
case ARGP_KEY_ARG:
801
argp_usage (state);
802
break;
803
case ARGP_KEY_END:
804
break;
805
default:
806
return ARGP_ERR_UNKNOWN;
807
}
808
return 0;
809
}
810
811
struct argp argp = { .options = options, .parser = parse_opt,
812
.args_doc = "",
813
.doc = "Mandos client -- Get and decrypt passwords from mandos server" };
814
argp_parse (&argp, argc, argv, 0, 0, NULL);
815
}
816
817
pubkeyfile = combinepath(keydir, pubkeyfile);
818
if (pubkeyfile == NULL){
819
perror("combinepath");
820
exitcode = EXIT_FAILURE;
821
goto end;
822
}
823
824
seckeyfile = combinepath(keydir, seckeyfile);
825
if (seckeyfile == NULL){
826
perror("combinepath");
827
goto end;
828
}
829
830
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
831
if (ret == -1){
832
fprintf(stderr, "init_gnutls_global\n");
833
goto end;
834
}
835
836
uid = getuid();
837
gid = getgid();
838
839
ret = setuid(uid);
840
if (ret == -1){
841
perror("setuid");
842
}
843
844
setgid(gid);
845
if (ret == -1){
846
perror("setgid");
847
}
848
849
if_index = (AvahiIfIndex) if_nametoindex(interface);
850
if(if_index == 0){
851
fprintf(stderr, "No such interface: \"%s\"\n", interface);
852
exit(EXIT_FAILURE);
853
}
854
855
if(connect_to != NULL){
856
/* Connect directly, do not use Zeroconf */
857
/* (Mainly meant for debugging) */
858
char *address = strrchr(connect_to, ':');
859
if(address == NULL){
860
fprintf(stderr, "No colon in address\n");
861
exitcode = EXIT_FAILURE;
862
goto end;
863
}
864
errno = 0;
865
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
866
if(errno){
867
perror("Bad port number");
868
exitcode = EXIT_FAILURE;
869
goto end;
870
}
871
*address = '\0';
872
address = connect_to;
873
ret = start_mandos_communication(address, port, if_index, &mc);
874
if(ret < 0){
875
exitcode = EXIT_FAILURE;
876
} else {
877
exitcode = EXIT_SUCCESS;
878
}
879
goto end;
880
}
881
882
/* If the interface is down, bring it up */
883
{
884
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
885
if(sd < 0) {
886
perror("socket");
887
exitcode = EXIT_FAILURE;
888
goto end;
889
}
890
strcpy(network.ifr_name, interface); /* Spurious warning */
891
ret = ioctl(sd, SIOCGIFFLAGS, &network);
892
if(ret == -1){
893
perror("ioctl SIOCGIFFLAGS");
894
exitcode = EXIT_FAILURE;
895
goto end;
896
}
897
if((network.ifr_flags & IFF_UP) == 0){
898
network.ifr_flags |= IFF_UP;
899
ret = ioctl(sd, SIOCSIFFLAGS, &network);
900
if(ret == -1){
901
perror("ioctl SIOCSIFFLAGS");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
}
906
close(sd);
907
}
908
909
if (not debug){
910
avahi_set_log_function(empty_log);
911
}
912
913
/* Initialize the pseudo-RNG for Avahi */
914
srand((unsigned int) time(NULL));
915
916
/* Allocate main Avahi loop object */
917
mc.simple_poll = avahi_simple_poll_new();
918
if (mc.simple_poll == NULL) {
919
fprintf(stderr, "Avahi: Failed to create simple poll"
920
" object.\n");
921
exitcode = EXIT_FAILURE;
922
goto end;
923
}
924
925
{
926
AvahiServerConfig config;
927
/* Do not publish any local Zeroconf records */
928
avahi_server_config_init(&config);
929
config.publish_hinfo = 0;
930
config.publish_addresses = 0;
931
config.publish_workstation = 0;
932
config.publish_domain = 0;
933
934
/* Allocate a new server */
935
mc.server = avahi_server_new(avahi_simple_poll_get
936
(mc.simple_poll), &config, NULL,
937
NULL, &error);
938
939
/* Free the Avahi configuration data */
940
avahi_server_config_free(&config);
941
}
942
943
/* Check if creating the Avahi server object succeeded */
944
if (mc.server == NULL) {
945
fprintf(stderr, "Failed to create Avahi server: %s\n",
946
avahi_strerror(error));
947
exitcode = EXIT_FAILURE;
948
goto end;
949
}
950
951
/* Create the Avahi service browser */
952
sb = avahi_s_service_browser_new(mc.server, if_index,
953
AVAHI_PROTO_INET6,
954
"_mandos._tcp", NULL, 0,
955
browse_callback, &mc);
956
if (sb == NULL) {
957
fprintf(stderr, "Failed to create service browser: %s\n",
958
avahi_strerror(avahi_server_errno(mc.server)));
959
exitcode = EXIT_FAILURE;
960
goto end;
961
}
962
963
/* Run the main loop */
964
965
if (debug){
966
fprintf(stderr, "Starting Avahi loop search\n");
967
}
968
969
avahi_simple_poll_loop(mc.simple_poll);
970
971
end:
972
973
if (debug){
974
fprintf(stderr, "%s exiting\n", argv[0]);
975
}
976
977
/* Cleanup things */
978
if (sb != NULL)
979
avahi_s_service_browser_free(sb);
980
981
if (mc.server != NULL)
982
avahi_server_free(mc.server);
983
984
if (mc.simple_poll != NULL)
985
avahi_simple_poll_free(mc.simple_poll);
986
free(pubkeyfile);
987
free(seckeyfile);
988
989
return exitcode;
990
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0