/mandos/release : revision 237.2.24

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-10 06:00:50 UTC
mto: (24.1.122 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 245.
Revision ID: teddy@fukt.bsnet.se-20090110060050-6v5y342fit0233pg

* plugins.d/askpass-fifo.c: Fix name in header.
* plugins.d/mandos-client.c: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/usplash.c: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Påhlsson.

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

#define _FORTIFY_SOURCE 2

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

100

GPGME_PROTOCOL_OpenPGP,

101

GPG_ERR_NO_* */

102

103

#define BUFFER_SIZE 256

#define DH_BITS 1024

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

#define SECKEY "seckey.txt"

107

#define PUBKEY "pubkey.txt"

108

109

bool debug = false;

110

static const char mandos_protocol_version[] = "1";

111

const char *argp_program_version = "mandos-client " VERSION;

112

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

113

114

/* Used for passing in values through the Avahi callback functions */

115

typedef struct {

gnutls_session_t session;

116

AvahiSimplePoll *simple_poll;

117

AvahiServer *server;

118

gnutls_certificate_credentials_t cred;

119

unsigned int dh_bits;

120

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

121

const char *priority;

122

gpgme_ctx_t ctx;

123

} mandos_context;

124

125

126

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

127

* "buffer_capacity" is how much is currently allocated,

128

* "buffer_length" is how much is already used.

129

130

size_t adjustbuffer(char **buffer, size_t buffer_length,

131

size_t buffer_capacity){

132

if (buffer_length + BUFFER_SIZE > buffer_capacity){

133

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

134

if (buffer == NULL){

135

return 0;

136

}

137

buffer_capacity += BUFFER_SIZE;

138

}

139

return buffer_capacity;

140

}

141

142

143

* Initialize GPGME.

144

145

static bool init_gpgme(mandos_context *mc, const char *seckey,

146

const char *pubkey, const char *tempdir){

147

int ret;

148

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

149

gpgme_engine_info_t engine_info;

150

151

152

153

* Helper function to insert pub and seckey to the enigne keyring.

154

155

bool import_key(const char *filename){

156

int fd;

157

gpgme_data_t pgp_data;

158

159

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

160

if(fd == -1){

161

perror("open");

162

return false;

163

}

164

165

rc = gpgme_data_new_from_fd(&pgp_data, fd);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return false;

170

}

171

172

rc = gpgme_op_import(mc->ctx, pgp_data);

173

if (rc != GPG_ERR_NO_ERROR){

174

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

175

gpgme_strsource(rc), gpgme_strerror(rc));

176

return false;

177

}

178

179

ret = (int)TEMP_FAILURE_RETRY(close(fd));

180

if(ret == -1){

181

perror("close");

182

}

183

gpgme_data_release(pgp_data);

184

return true;

185

}

186

187

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

188

fprintf(stderr, "Initialize gpgme\n");

100

189

}

101

190

102

191

/* Init GPGME */

103

192

gpgme_check_version(NULL);

104

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

193

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

194

if (rc != GPG_ERR_NO_ERROR){

195

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

196

gpgme_strsource(rc), gpgme_strerror(rc));

197

return false;

198

}

105

199

106

/* Set GPGME home directory */

200

/* Set GPGME home directory for the OpenPGP engine only */

107

201

rc = gpgme_get_engine_info (&engine_info);

108

202

if (rc != GPG_ERR_NO_ERROR){

109

203

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

110

204

gpgme_strsource(rc), gpgme_strerror(rc));

111

return -1;

205

return false;

112

206

}

113

207

while(engine_info != NULL){

114

208

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

115

209

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

116

engine_info->file_name, homedir);

210

engine_info->file_name, tempdir);

117

211

break;

118

212

}

119

213

engine_info = engine_info->next;

120

214

}

121

215

if(engine_info == NULL){

122

fprintf(stderr, "Could not set home dir to %s\n", homedir);

123

return -1;

124

}

125

126

/* Create new GPGME data buffer from packet buffer */

127

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

216

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

217

return false;

218

}

219

220

/* Create new GPGME "context" */

221

rc = gpgme_new(&(mc->ctx));

222

if (rc != GPG_ERR_NO_ERROR){

223

fprintf(stderr, "bad gpgme_new: %s: %s\n",

224

gpgme_strsource(rc), gpgme_strerror(rc));

225

return false;

226

}

227

228

if (not import_key(pubkey) or not import_key(seckey)){

229

return false;

230

}

231

232

return true;

233

}

234

235

236

* Decrypt OpenPGP data.

237

* Returns -1 on error

238

239

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

240

const char *cryptotext,

241

size_t crypto_size,

242

char **plaintext){

243

gpgme_data_t dh_crypto, dh_plain;

244

gpgme_error_t rc;

245

ssize_t ret;

246

size_t plaintext_capacity = 0;

247

ssize_t plaintext_length = 0;

248

249

if (debug){

250

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

251

}

252

253

/* Create new GPGME data buffer from memory cryptotext */

254

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

255

0);

128

256

if (rc != GPG_ERR_NO_ERROR){

129

257

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

130

258

gpgme_strsource(rc), gpgme_strerror(rc));

136

264

if (rc != GPG_ERR_NO_ERROR){

137

265

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

138

266

gpgme_strsource(rc), gpgme_strerror(rc));

139

return -1;

140

}

141

142

/* Create new GPGME "context" */

143

rc = gpgme_new(&ctx);

144

if (rc != GPG_ERR_NO_ERROR){

145

fprintf(stderr, "bad gpgme_new: %s: %s\n",

146

gpgme_strsource(rc), gpgme_strerror(rc));

147

return -1;

148

}

149

150

/* Decrypt data from the FILE pointer to the plaintext data

151

buffer */

152

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

267

gpgme_data_release(dh_crypto);

268

return -1;

269

}

270

271

/* Decrypt data from the cryptotext data buffer to the plaintext

272

data buffer */

273

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

153

274

if (rc != GPG_ERR_NO_ERROR){

154

275

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

155

276

gpgme_strsource(rc), gpgme_strerror(rc));

156

return -1;

277

plaintext_length = -1;

278

if (debug){

279

gpgme_decrypt_result_t result;

280

result = gpgme_op_decrypt_result(mc->ctx);

281

if (result == NULL){

282

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

283

} else {

284

fprintf(stderr, "Unsupported algorithm: %s\n",

285

result->unsupported_algorithm);

286

fprintf(stderr, "Wrong key usage: %u\n",

287

result->wrong_key_usage);

288

if(result->file_name != NULL){

289

fprintf(stderr, "File name: %s\n", result->file_name);

290

}

291

gpgme_recipient_t recipient;

292

recipient = result->recipients;

293

if(recipient){

294

while(recipient != NULL){

295

fprintf(stderr, "Public key algorithm: %s\n",

296

gpgme_pubkey_algo_name(recipient->pubkey_algo));

297

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

298

fprintf(stderr, "Secret key available: %s\n",

299

recipient->status == GPG_ERR_NO_SECKEY

300

? "No" : "Yes");

301

recipient = recipient->next;

302

}

303

}

304

}

305

}

306

goto decrypt_end;

157

307

}

158

308

159

309

if(debug){

160

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

161

}

162

163

if (debug){

164

gpgme_decrypt_result_t result;

165

result = gpgme_op_decrypt_result(ctx);

166

if (result == NULL){

167

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

168

} else {

169

fprintf(stderr, "Unsupported algorithm: %s\n",

170

result->unsupported_algorithm);

171

fprintf(stderr, "Wrong key usage: %d\n",

172

result->wrong_key_usage);

173

if(result->file_name != NULL){

174

fprintf(stderr, "File name: %s\n", result->file_name);

175

}

176

gpgme_recipient_t recipient;

177

recipient = result->recipients;

178

if(recipient){

179

while(recipient != NULL){

180

fprintf(stderr, "Public key algorithm: %s\n",

181

gpgme_pubkey_algo_name(recipient->pubkey_algo));

182

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

183

fprintf(stderr, "Secret key available: %s\n",

184

recipient->status == GPG_ERR_NO_SECKEY

185

? "No" : "Yes");

186

recipient = recipient->next;

187

}

188

}

189

}

190

}

191

192

/* Delete the GPGME FILE pointer cryptotext data buffer */

193

gpgme_data_release(dh_crypto);

310

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

311

}

194

312

195

313

/* Seek back to the beginning of the GPGME plaintext data buffer */

196

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

197

198

*new_packet = 0;

314

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

315

perror("gpgme_data_seek");

316

plaintext_length = -1;

317

goto decrypt_end;

318

}

319

320

*plaintext = NULL;

199

321

while(true){

200

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

201

*new_packet = realloc(*new_packet,

202

(unsigned int)new_packet_capacity

203

+ BUFFER_SIZE);

204

if (*new_packet == NULL){

205

perror("realloc");

206

return -1;

207

}

208

new_packet_capacity += BUFFER_SIZE;

322

plaintext_capacity = adjustbuffer(plaintext,

323

(size_t)plaintext_length,

324

plaintext_capacity);

325

if (plaintext_capacity == 0){

326

perror("adjustbuffer");

327

plaintext_length = -1;

328

goto decrypt_end;

209

329

}

210

330

211

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

331

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

212

332

BUFFER_SIZE);

213

333

/* Print the data, if any */

214

334

if (ret == 0){

335

/* EOF */

215

336

break;

216

337

}

217

338

if(ret < 0){

218

339

perror("gpgme_data_read");

219

return -1;

220

}

221

new_packet_length += ret;

222

}

223

224

/* FIXME: check characters before printing to screen so to not print

225

terminal control characters */

226

/* if(debug){ */

227

/* fprintf(stderr, "decrypted password is: "); */

228

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

229

/* fprintf(stderr, "\n"); */

230

/* } */

340

plaintext_length = -1;

341

goto decrypt_end;

342

}

343

plaintext_length += ret;

344

}

345

346

if(debug){

347

fprintf(stderr, "Decrypted password is: ");

348

for(ssize_t i = 0; i < plaintext_length; i++){

349

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

350

}

351

fprintf(stderr, "\n");

352

}

353

354

decrypt_end:

355

356

/* Delete the GPGME cryptotext data buffer */

357

gpgme_data_release(dh_crypto);

231

358

232

359

/* Delete the GPGME plaintext data buffer */

233

360

gpgme_data_release(dh_plain);

234

return new_packet_length;

361

return plaintext_length;

235

362

}

236

363

237

364

static const char * safer_gnutls_strerror (int value) {

238

const char *ret = gnutls_strerror (value);

365

const char *ret = gnutls_strerror (value); /* Spurious warning */

239

366

if (ret == NULL)

240

367

ret = "(unknown)";

241

368

return ret;

242

369

}

243

370

244

void debuggnutls(__attribute__((unused)) int level,

245

const char* string){

246

fprintf(stderr, "%s", string);

371

/* GnuTLS log function callback */

372

static void debuggnutls(__attribute__((unused)) int level,

373

const char* string){

374

fprintf(stderr, "GnuTLS: %s", string);

247

375

}

248

376

249

int initgnutls(encrypted_session *es){

250

const char *err;

377

static int init_gnutls_global(mandos_context *mc,

378

const char *pubkeyfilename,

379

const char *seckeyfilename){

251

380

int ret;

252

381

253

382

if(debug){

254

383

fprintf(stderr, "Initializing GnuTLS\n");

255

384

}

256

385

257

if ((ret = gnutls_global_init ())

258

!= GNUTLS_E_SUCCESS) {

259

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

386

ret = gnutls_global_init();

387

if (ret != GNUTLS_E_SUCCESS) {

388

fprintf (stderr, "GnuTLS global_init: %s\n",

389

safer_gnutls_strerror(ret));

260

390

return -1;

261

391

}

262

392

263

393

if (debug){

394

/* "Use a log level over 10 to enable all debugging options."

395

* - GnuTLS manual

396

264

397

gnutls_global_set_log_level(11);

265

398

gnutls_global_set_log_function(debuggnutls);

266

399

}

267

400

268

/* openpgp credentials */

269

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

270

!= GNUTLS_E_SUCCESS) {

271

fprintf (stderr, "memory error: %s\n",

401

/* OpenPGP credentials */

402

gnutls_certificate_allocate_credentials(&mc->cred);

403

if (ret != GNUTLS_E_SUCCESS){

404

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

405

warning */

272

406

safer_gnutls_strerror(ret));

407

gnutls_global_deinit ();

273

408

return -1;

274

409

}

275

410

276

411

if(debug){

277

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

278

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

279

KEYFILE);

412

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

413

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

414

seckeyfilename);

280

415

}

281

416

282

417

ret = gnutls_certificate_set_openpgp_key_file

283

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

418

(mc->cred, pubkeyfilename, seckeyfilename,

419

GNUTLS_OPENPGP_FMT_BASE64);

284

420

if (ret != GNUTLS_E_SUCCESS) {

285

fprintf

286

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

287

" '%s')\n",

288

ret, CERTFILE, KEYFILE);

289

fprintf(stdout, "The Error is: %s\n",

421

fprintf(stderr,

422

"Error[%d] while reading the OpenPGP key pair ('%s',"

423

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

424

fprintf(stderr, "The GnuTLS error is: %s\n",

290

425

safer_gnutls_strerror(ret));

291

return -1;

292

}

293

294

//GnuTLS server initialization

295

if ((ret = gnutls_dh_params_init (&es->dh_params))

296

!= GNUTLS_E_SUCCESS) {

297

fprintf (stderr, "Error in dh parameter initialization: %s\n",

298

safer_gnutls_strerror(ret));

299

return -1;

300

}

301

302

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in prime generation: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

310

311

// GnuTLS session creation

312

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

313

!= GNUTLS_E_SUCCESS){

426

goto globalfail;

427

}

428

429

/* GnuTLS server initialization */

430

ret = gnutls_dh_params_init(&mc->dh_params);

431

if (ret != GNUTLS_E_SUCCESS) {

432

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

433

" %s\n", safer_gnutls_strerror(ret));

434

goto globalfail;

435

}

436

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

437

if (ret != GNUTLS_E_SUCCESS) {

438

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

439

safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

443

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

444

445

return 0;

446

447

globalfail:

448

449

gnutls_certificate_free_credentials(mc->cred);

450

gnutls_global_deinit();

451

gnutls_dh_params_deinit(mc->dh_params);

452

return -1;

453

}

454

455

static int init_gnutls_session(mandos_context *mc,

456

gnutls_session_t *session){

457

int ret;

458

/* GnuTLS session creation */

459

ret = gnutls_init(session, GNUTLS_SERVER);

460

if (ret != GNUTLS_E_SUCCESS){

314

461

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

315

462

safer_gnutls_strerror(ret));

316

463

}

317

464

318

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf(stderr, "Syntax error at: %s\n", err);

321

fprintf(stderr, "GnuTLS error: %s\n",

322

safer_gnutls_strerror(ret));

323

return -1;

465

{

466

const char *err;

467

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

468

if (ret != GNUTLS_E_SUCCESS) {

469

fprintf(stderr, "Syntax error at: %s\n", err);

470

fprintf(stderr, "GnuTLS error: %s\n",

471

safer_gnutls_strerror(ret));

472

gnutls_deinit (*session);

473

return -1;

474

}

324

475

}

325

476

326

if ((ret = gnutls_credentials_set

327

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

328

!= GNUTLS_E_SUCCESS) {

329

fprintf(stderr, "Error setting a credentials set: %s\n",

477

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

478

mc->cred);

479

if (ret != GNUTLS_E_SUCCESS) {

480

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

330

481

safer_gnutls_strerror(ret));

482

gnutls_deinit (*session);

331

483

return -1;

332

484

}

333

485

334

486

/* ignore client certificate if any. */

335

gnutls_certificate_server_set_request (es->session,

487

gnutls_certificate_server_set_request (*session,

336

488

GNUTLS_CERT_IGNORE);

337

489

338

gnutls_dh_set_prime_bits (es->session, DH_BITS);

490

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

339

491

340

492

return 0;

341

493

}

342

494

343

void empty_log(__attribute__((unused)) AvahiLogLevel level,

344

__attribute__((unused)) const char *txt){}

495

/* Avahi log function callback */

496

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

497

__attribute__((unused)) const char *txt){}

345

498

346

int start_mandos_communication(const char *ip, uint16_t port,

347

unsigned int if_index){

499

/* Called when a Mandos server is found */

500

static int start_mandos_communication(const char *ip, uint16_t port,

501

AvahiIfIndex if_index,

502

mandos_context *mc){

348

503

int ret, tcp_sd;

349

struct sockaddr_in6 to;

350

encrypted_session es;

504

ssize_t sret;

505

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

351

506

char *buffer = NULL;

352

507

char *decrypted_buffer;

353

508

size_t buffer_length = 0;

354

509

size_t buffer_capacity = 0;

355

510

ssize_t decrypted_buffer_size;

356

size_t written = 0;

511

size_t written;

357

512

int retval = 0;

358

513

char interface[IF_NAMESIZE];

514

gnutls_session_t session;

515

516

ret = init_gnutls_session (mc, &session);

517

if (ret != 0){

518

return -1;

519

}

359

520

360

521

if(debug){

361

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

522

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

523

"\n", ip, port);

362

524

}

363

525

364

526

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

367

529

return -1;

368

530

}

369

531

370

if(if_indextoname(if_index, interface) == NULL){

371

if(debug){

532

if(debug){

533

if(if_indextoname((unsigned int)if_index, interface) == NULL){

372

534

perror("if_indextoname");

535

return -1;

373

536

}

374

return -1;

375

}

376

377

if(debug){

378

537

fprintf(stderr, "Binding to interface %s\n", interface);

379

538

}

380

539

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

540

memset(&to, 0, sizeof(to));

541

to.in6.sin6_family = AF_INET6;

542

/* It would be nice to have a way to detect if we were passed an

543

IPv4 address here. Now we assume an IPv6 address. */

544

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

384

545

if (ret < 0 ){

385

546

perror("inet_pton");

386

547

return -1;

387

}

548

}

388

549

if(ret == 0){

389

550

fprintf(stderr, "Bad address: %s\n", ip);

390

551

return -1;

391

552

}

392

to.sin6_port = htons(port); /* Spurious warning */

553

to.in6.sin6_port = htons(port); /* Spurious warning */

393

554

394

to.sin6_scope_id = (uint32_t)if_index;

555

to.in6.sin6_scope_id = (uint32_t)if_index;

395

556

396

557

if(debug){

397

fprintf(stderr, "Connection to: %s\n", ip);

558

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

559

port);

560

char addrstr[INET6_ADDRSTRLEN] = "";

561

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

562

sizeof(addrstr)) == NULL){

563

perror("inet_ntop");

564

} else {

565

if(strcmp(addrstr, ip) != 0){

566

fprintf(stderr, "Canonical address form: %s\n", addrstr);

567

}

568

}

398

569

}

399

570

400

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

571

ret = connect(tcp_sd, &to.in, sizeof(to));

401

572

if (ret < 0){

402

573

perror("connect");

403

574

return -1;

404

575

}

405

576

406

ret = initgnutls (&es);

407

if (ret != 0){

408

retval = -1;

409

return -1;

577

const char *out = mandos_protocol_version;

578

written = 0;

579

while (true){

580

size_t out_size = strlen(out);

581

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

582

out_size - written));

583

if (ret == -1){

584

perror("write");

585

retval = -1;

586

goto mandos_end;

587

}

588

written += (size_t)ret;

589

if(written < out_size){

590

continue;

591

} else {

592

if (out == mandos_protocol_version){

593

written = 0;

594

out = "\r\n";

595

} else {

596

break;

597

}

598

}

410

599

}

411

600

412

gnutls_transport_set_ptr (es.session,

413

(gnutls_transport_ptr_t) tcp_sd);

414

415

601

if(debug){

416

602

fprintf(stderr, "Establishing TLS session with %s\n", ip);

417

603

}

418

604

419

ret = gnutls_handshake (es.session);

605

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

606

607

do{

608

ret = gnutls_handshake (session);

609

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

420

610

421

611

if (ret != GNUTLS_E_SUCCESS){

422

fprintf(stderr, "\n*** Handshake failed ***\n");

423

gnutls_perror (ret);

612

if(debug){

613

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

614

gnutls_perror (ret);

615

}

424

616

retval = -1;

425

goto exit;

617

goto mandos_end;

426

618

}

427

619

428

//Retrieve OpenPGP packet that contains the wanted password

620

/* Read OpenPGP packet that contains the wanted password */

429

621

430

622

if(debug){

431

623

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

432

624

ip);

433

625

}

434

626

435

627

while(true){

436

if (buffer_length + BUFFER_SIZE > buffer_capacity){

437

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

438

if (buffer == NULL){

439

perror("realloc");

440

goto exit;

441

}

442

buffer_capacity += BUFFER_SIZE;

628

buffer_capacity = adjustbuffer(&buffer, buffer_length,

629

buffer_capacity);

630

if (buffer_capacity == 0){

631

perror("adjustbuffer");

632

retval = -1;

633

goto mandos_end;

443

634

}

444

635

445

ret = gnutls_record_recv

446

(es.session, buffer+buffer_length, BUFFER_SIZE);

447

if (ret == 0){

636

sret = gnutls_record_recv(session, buffer+buffer_length,

637

BUFFER_SIZE);

638

if (sret == 0){

448

639

break;

449

640

}

450

if (ret < 0){

451

switch(ret){

641

if (sret < 0){

642

switch(sret){

452

643

case GNUTLS_E_INTERRUPTED:

453

644

case GNUTLS_E_AGAIN:

454

645

break;

455

646

case GNUTLS_E_REHANDSHAKE:

456

ret = gnutls_handshake (es.session);

647

do{

648

ret = gnutls_handshake (session);

649

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

457

650

if (ret < 0){

458

fprintf(stderr, "\n*** Handshake failed ***\n");

651

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

459

652

gnutls_perror (ret);

460

653

retval = -1;

461

goto exit;

654

goto mandos_end;

462

655

}

463

656

break;

464

657

default:

465

658

fprintf(stderr, "Unknown error while reading data from"

466

" encrypted session with mandos server\n");

659

" encrypted session with Mandos server\n");

467

660

retval = -1;

468

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

469

goto exit;

661

gnutls_bye (session, GNUTLS_SHUT_RDWR);

662

goto mandos_end;

470

663

}

471

664

} else {

472

buffer_length += (size_t) ret;

665

buffer_length += (size_t) sret;

473

666

}

474

667

}

475

668

669

if(debug){

670

fprintf(stderr, "Closing TLS session\n");

671

}

672

673

gnutls_bye (session, GNUTLS_SHUT_RDWR);

674

476

675

if (buffer_length > 0){

477

decrypted_buffer_size = pgp_packet_decrypt(buffer,

676

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

478

677

buffer_length,

479

&decrypted_buffer,

480

CERT_ROOT);

678

&decrypted_buffer);

481

679

if (decrypted_buffer_size >= 0){

482

while(written < decrypted_buffer_size){

680

written = 0;

681

while(written < (size_t) decrypted_buffer_size){

483

682

ret = (int)fwrite (decrypted_buffer + written, 1,

484

683

(size_t)decrypted_buffer_size - written,

485

684

stdout);

497

696

} else {

498

697

retval = -1;

499

698

}

500

}

501

502

//shutdown procedure

503

504

if(debug){

505

fprintf(stderr, "Closing TLS session\n");

506

}

507

699

} else {

700

retval = -1;

701

}

702

703

/* Shutdown procedure */

704

705

mandos_end:

508

706

free(buffer);

509

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

510

exit:

511

close(tcp_sd);

512

gnutls_deinit (es.session);

513

gnutls_certificate_free_credentials (es.cred);

514

gnutls_global_deinit ();

707

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

708

if(ret == -1){

709

perror("close");

710

}

711

gnutls_deinit (session);

515

712

return retval;

516

713

}

517

714

518

static AvahiSimplePoll *simple_poll = NULL;

519

static AvahiServer *server = NULL;

520

521

static void resolve_callback(

522

AvahiSServiceResolver *r,

523

AvahiIfIndex interface,

524

AVAHI_GCC_UNUSED AvahiProtocol protocol,

525

AvahiResolverEvent event,

526

const char *name,

527

const char *type,

528

const char *domain,

529

const char *host_name,

530

const AvahiAddress *address,

531

uint16_t port,

532

AVAHI_GCC_UNUSED AvahiStringList *txt,

533

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

534

AVAHI_GCC_UNUSED void* userdata) {

535

536

assert(r); /* Spurious warning */

715

static void resolve_callback(AvahiSServiceResolver *r,

716

AvahiIfIndex interface,

717

AVAHI_GCC_UNUSED AvahiProtocol protocol,

718

AvahiResolverEvent event,

719

const char *name,

720

const char *type,

721

const char *domain,

722

const char *host_name,

723

const AvahiAddress *address,

724

uint16_t port,

725

AVAHI_GCC_UNUSED AvahiStringList *txt,

726

AVAHI_GCC_UNUSED AvahiLookupResultFlags

727

flags,

728

void* userdata) {

729

mandos_context *mc = userdata;

730

assert(r);

537

731

538

732

/* Called whenever a service has been resolved successfully or

539

733

timed out */

541

735

switch (event) {

542

736

default:

543

737

case AVAHI_RESOLVER_FAILURE:

544

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

545

" type '%s' in domain '%s': %s\n", name, type, domain,

546

avahi_strerror(avahi_server_errno(server)));

738

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

739

" of type '%s' in domain '%s': %s\n", name, type, domain,

740

avahi_strerror(avahi_server_errno(mc->server)));

547

741

break;

548

742

549

743

case AVAHI_RESOLVER_FOUND:

551

745

char ip[AVAHI_ADDRESS_STR_MAX];

552

746

avahi_address_snprint(ip, sizeof(ip), address);

553

747

if(debug){

554

fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",

555

host_name, ip, port);

748

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

749

PRIu16 ") on port %d\n", name, host_name, ip,

750

interface, port);

556

751

}

557

int ret = start_mandos_communication(ip, port,

558

(unsigned int) interface);

752

int ret = start_mandos_communication(ip, port, interface, mc);

559

753

if (ret == 0){

560

exit(EXIT_SUCCESS);

561

} else {

562

exit(EXIT_FAILURE);

754

avahi_simple_poll_quit(mc->simple_poll);

563

755

}

564

756

}

565

757

}

566

758

avahi_s_service_resolver_free(r);

567

759

}

568

760

569

static void browse_callback(

570

AvahiSServiceBrowser *b,

571

AvahiIfIndex interface,

572

AvahiProtocol protocol,

573

AvahiBrowserEvent event,

574

const char *name,

575

const char *type,

576

const char *domain,

577

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

578

void* userdata) {

579

580

AvahiServer *s = userdata;

581

assert(b); /* Spurious warning */

582

583

/* Called whenever a new services becomes available on the LAN or

584

is removed from the LAN */

585

586

switch (event) {

587

default:

588

case AVAHI_BROWSER_FAILURE:

589

590

fprintf(stderr, "(Browser) %s\n",

591

avahi_strerror(avahi_server_errno(server)));

592

avahi_simple_poll_quit(simple_poll);

593

return;

594

595

case AVAHI_BROWSER_NEW:

596

/* We ignore the returned resolver object. In the callback

597

function we free it. If the server is terminated before

598

the callback function is called the server will free

599

the resolver for us. */

600

601

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

602

type, domain,

603

AVAHI_PROTO_INET6, 0,

604

resolve_callback, s)))

605

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

606

avahi_strerror(avahi_server_errno(s)));

607

break;

608

609

case AVAHI_BROWSER_REMOVE:

610

break;

611

612

case AVAHI_BROWSER_ALL_FOR_NOW:

613

case AVAHI_BROWSER_CACHE_EXHAUSTED:

614

break;

761

static void browse_callback( AvahiSServiceBrowser *b,

762

AvahiIfIndex interface,

763

AvahiProtocol protocol,

764

AvahiBrowserEvent event,

765

const char *name,

766

const char *type,

767

const char *domain,

768

AVAHI_GCC_UNUSED AvahiLookupResultFlags

769

flags,

770

void* userdata) {

771

mandos_context *mc = userdata;

772

assert(b);

773

774

/* Called whenever a new services becomes available on the LAN or

775

is removed from the LAN */

776

777

switch (event) {

778

default:

779

case AVAHI_BROWSER_FAILURE:

780

781

fprintf(stderr, "(Avahi browser) %s\n",

782

avahi_strerror(avahi_server_errno(mc->server)));

783

avahi_simple_poll_quit(mc->simple_poll);

784

return;

785

786

case AVAHI_BROWSER_NEW:

787

/* We ignore the returned Avahi resolver object. In the callback

788

function we free it. If the Avahi server is terminated before

789

the callback function is called the Avahi server will free the

790

resolver for us. */

791

792

if (!(avahi_s_service_resolver_new(mc->server, interface,

793

protocol, name, type, domain,

794

AVAHI_PROTO_INET6, 0,

795

resolve_callback, mc)))

796

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

797

name, avahi_strerror(avahi_server_errno(mc->server)));

798

break;

799

800

case AVAHI_BROWSER_REMOVE:

801

break;

802

803

case AVAHI_BROWSER_ALL_FOR_NOW:

804

case AVAHI_BROWSER_CACHE_EXHAUSTED:

805

if(debug){

806

fprintf(stderr, "No Mandos server found, still searching...\n");

615

807

}

808

break;

809

}

616

810

}

617

811

618

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

619

AvahiServerConfig config;

812

int main(int argc, char *argv[]){

620

813

AvahiSServiceBrowser *sb = NULL;

621

814

int error;

622

815

int ret;

623

int returncode = EXIT_SUCCESS;

816

int exitcode = EXIT_SUCCESS;

624

817

const char *interface = "eth0";

625

626

while (true){

627

static struct option long_options[] = {

628

{"debug", no_argument, (int *)&debug, 1},

629

{"interface", required_argument, 0, 'i'},

630

{0, 0, 0, 0} };

631

632

int option_index = 0;

633

ret = getopt_long (argc, argv, "i:", long_options,

634

&option_index);

635

636

if (ret == -1){

637

break;

638

}

639

640

switch(ret){

641

case 0:

642

break;

643

case 'i':

644

interface = optarg;

645

break;

646

default:

647

exit(EXIT_FAILURE);

648

}

818

struct ifreq network;

819

int sd;

820

uid_t uid;

821

gid_t gid;

822

char *connect_to = NULL;

823

char tempdir[] = "/tmp/mandosXXXXXX";

824

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

825

const char *seckey = PATHDIR "/" SECKEY;

826

const char *pubkey = PATHDIR "/" PUBKEY;

827

828

mandos_context mc = { .simple_poll = NULL, .server = NULL,

829

.dh_bits = 1024, .priority = "SECURE256"

830

":!CTYPE-X.509:+CTYPE-OPENPGP" };

831

bool gnutls_initalized = false;

832

bool gpgme_initalized = false;

833

834

{

835

struct argp_option options[] = {

836

{ .name = "debug", .key = 128,

837

.doc = "Debug mode", .group = 3 },

838

{ .name = "connect", .key = 'c',

839

.arg = "ADDRESS:PORT",

840

.doc = "Connect directly to a specific Mandos server",

841

.group = 1 },

842

{ .name = "interface", .key = 'i',

843

.arg = "NAME",

844

.doc = "Interface that will be used to search for Mandos"

845

" servers",

846

.group = 1 },

847

{ .name = "seckey", .key = 's',

848

.arg = "FILE",

849

.doc = "OpenPGP secret key file base name",

850

.group = 1 },

851

{ .name = "pubkey", .key = 'p',

852

.arg = "FILE",

853

.doc = "OpenPGP public key file base name",

854

.group = 2 },

855

{ .name = "dh-bits", .key = 129,

856

.arg = "BITS",

857

.doc = "Bit length of the prime number used in the"

858

" Diffie-Hellman key exchange",

859

.group = 2 },

860

{ .name = "priority", .key = 130,

861

.arg = "STRING",

862

.doc = "GnuTLS priority string for the TLS handshake",

863

.group = 1 },

864

{ .name = NULL }

865

};

866

867

error_t parse_opt (int key, char *arg,

868

struct argp_state *state) {

869

/* Get the INPUT argument from `argp_parse', which we know is

870

a pointer to our plugin list pointer. */

871

switch (key) {

872

case 128: /* --debug */

873

debug = true;

874

break;

875

case 'c': /* --connect */

876

connect_to = arg;

877

break;

878

case 'i': /* --interface */

879

interface = arg;

880

break;

881

case 's': /* --seckey */

882

seckey = arg;

883

break;

884

case 'p': /* --pubkey */

885

pubkey = arg;

886

break;

887

case 129: /* --dh-bits */

888

errno = 0;

889

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

890

if (errno){

891

perror("strtol");

892

exit(EXIT_FAILURE);

893

}

894

break;

895

case 130: /* --priority */

896

mc.priority = arg;

897

break;

898

case ARGP_KEY_ARG:

899

argp_usage (state);

900

case ARGP_KEY_END:

901

break;

902

default:

903

return ARGP_ERR_UNKNOWN;

904

}

905

return 0;

906

}

907

908

struct argp argp = { .options = options, .parser = parse_opt,

909

.args_doc = "",

910

.doc = "Mandos client -- Get and decrypt"

911

" passwords from a Mandos server" };

912

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

913

if (ret == ARGP_ERR_UNKNOWN){

914

fprintf(stderr, "Unknown error while parsing arguments\n");

915

exitcode = EXIT_FAILURE;

916

goto end;

917

}

918

}

919

920

/* If the interface is down, bring it up */

921

{

922

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

923

if(sd < 0) {

924

perror("socket");

925

exitcode = EXIT_FAILURE;

926

goto end;

927

}

928

strcpy(network.ifr_name, interface);

929

ret = ioctl(sd, SIOCGIFFLAGS, &network);

930

if(ret == -1){

931

perror("ioctl SIOCGIFFLAGS");

932

exitcode = EXIT_FAILURE;

933

goto end;

934

}

935

if((network.ifr_flags & IFF_UP) == 0){

936

network.ifr_flags |= IFF_UP;

937

ret = ioctl(sd, SIOCSIFFLAGS, &network);

938

if(ret == -1){

939

perror("ioctl SIOCSIFFLAGS");

940

exitcode = EXIT_FAILURE;

941

goto end;

942

}

943

}

944

ret = (int)TEMP_FAILURE_RETRY(close(sd));

945

if(ret == -1){

946

perror("close");

947

}

948

}

949

950

uid = getuid();

951

gid = getgid();

952

953

ret = setuid(uid);

954

if (ret == -1){

955

perror("setuid");

956

}

957

958

setgid(gid);

959

if (ret == -1){

960

perror("setgid");

961

}

962

963

ret = init_gnutls_global(&mc, pubkey, seckey);

964

if (ret == -1){

965

fprintf(stderr, "init_gnutls_global failed\n");

966

exitcode = EXIT_FAILURE;

967

goto end;

968

} else {

969

gnutls_initalized = true;

970

}

971

972

if(mkdtemp(tempdir) == NULL){

973

perror("mkdtemp");

974

tempdir[0] = '\0';

975

goto end;

976

}

977

978

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

979

fprintf(stderr, "gpgme_initalized failed\n");

980

exitcode = EXIT_FAILURE;

981

goto end;

982

} else {

983

gpgme_initalized = true;

984

}

985

986

if_index = (AvahiIfIndex) if_nametoindex(interface);

987

if(if_index == 0){

988

fprintf(stderr, "No such interface: \"%s\"\n", interface);

989

exit(EXIT_FAILURE);

990

}

991

992

if(connect_to != NULL){

993

/* Connect directly, do not use Zeroconf */

994

/* (Mainly meant for debugging) */

995

char *address = strrchr(connect_to, ':');

996

if(address == NULL){

997

fprintf(stderr, "No colon in address\n");

998

exitcode = EXIT_FAILURE;

999

goto end;

1000

}

1001

errno = 0;

1002

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1003

if(errno){

1004

perror("Bad port number");

1005

exitcode = EXIT_FAILURE;

1006

goto end;

1007

}

1008

*address = '\0';

1009

address = connect_to;

1010

ret = start_mandos_communication(address, port, if_index, &mc);

1011

if(ret < 0){

1012

exitcode = EXIT_FAILURE;

1013

} else {

1014

exitcode = EXIT_SUCCESS;

1015

}

1016

goto end;

649

1017

}

650

1018

651

1019

if (not debug){

652

1020

avahi_set_log_function(empty_log);

653

1021

}

654

1022

655

/* Initialize the psuedo-RNG */

1023

/* Initialize the pseudo-RNG for Avahi */

656

1024

srand((unsigned int) time(NULL));

657

658

/* Allocate main loop object */

659

if (!(simple_poll = avahi_simple_poll_new())) {

660

fprintf(stderr, "Failed to create simple poll object.\n");

661

662

goto exit;

663

}

664

665

/* Do not publish any local records */

666

avahi_server_config_init(&config);

667

config.publish_hinfo = 0;

668

config.publish_addresses = 0;

669

config.publish_workstation = 0;

670

config.publish_domain = 0;

671

672

/* Allocate a new server */

673

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

674

&config, NULL, NULL, &error);

675

676

/* Free the configuration data */

677

avahi_server_config_free(&config);

678

679

/* Check if creating the server object succeeded */

680

if (!server) {

681

fprintf(stderr, "Failed to create server: %s\n",

1025

1026

/* Allocate main Avahi loop object */

1027

mc.simple_poll = avahi_simple_poll_new();

1028

if (mc.simple_poll == NULL) {

1029

fprintf(stderr, "Avahi: Failed to create simple poll"

1030

" object.\n");

1031

exitcode = EXIT_FAILURE;

1032

goto end;

1033

}

1034

1035

{

1036

AvahiServerConfig config;

1037

/* Do not publish any local Zeroconf records */

1038

avahi_server_config_init(&config);

1039

config.publish_hinfo = 0;

1040

config.publish_addresses = 0;

1041

config.publish_workstation = 0;

1042

config.publish_domain = 0;

1043

1044

/* Allocate a new server */

1045

mc.server = avahi_server_new(avahi_simple_poll_get

1046

(mc.simple_poll), &config, NULL,

1047

NULL, &error);

1048

1049

/* Free the Avahi configuration data */

1050

avahi_server_config_free(&config);

1051

}

1052

1053

/* Check if creating the Avahi server object succeeded */

1054

if (mc.server == NULL) {

1055

fprintf(stderr, "Failed to create Avahi server: %s\n",

682

1056

avahi_strerror(error));

683

returncode = EXIT_FAILURE;

684

goto exit;

1057

exitcode = EXIT_FAILURE;

1058

goto end;

685

1059

}

686

1060

687

/* Create the service browser */

688

sb = avahi_s_service_browser_new(server,

689

(AvahiIfIndex)

690

if_nametoindex(interface),

1061

/* Create the Avahi service browser */

1062

sb = avahi_s_service_browser_new(mc.server, if_index,

691

1063

AVAHI_PROTO_INET6,

692

1064

"_mandos._tcp", NULL, 0,

693

browse_callback, server);

694

if (!sb) {

1065

browse_callback, &mc);

1066

if (sb == NULL) {

695

1067

fprintf(stderr, "Failed to create service browser: %s\n",

696

avahi_strerror(avahi_server_errno(server)));

697

returncode = EXIT_FAILURE;

698

goto exit;

1068

avahi_strerror(avahi_server_errno(mc.server)));

1069

exitcode = EXIT_FAILURE;

1070

goto end;

699

1071

}

700

1072

701

1073

/* Run the main loop */

702

1074

703

1075

if (debug){

704

fprintf(stderr, "Starting avahi loop search\n");

1076

fprintf(stderr, "Starting Avahi loop search\n");

705

1077

}

706

1078

707

avahi_simple_poll_loop(simple_poll);

708

709

exit:

710

1079

avahi_simple_poll_loop(mc.simple_poll);

1080

1081

end:

1082

711

1083

if (debug){

712

1084

fprintf(stderr, "%s exiting\n", argv[0]);

713

1085

}

714

1086

715

1087

/* Cleanup things */

716

if (sb)

1088

if (sb != NULL)

717

1089

avahi_s_service_browser_free(sb);

718

1090

719

if (server)

720

avahi_server_free(server);

721

722

if (simple_poll)

723

avahi_simple_poll_free(simple_poll);

724

725

return returncode;

1091

if (mc.server != NULL)

1092

avahi_server_free(mc.server);

1093

1094

if (mc.simple_poll != NULL)

1095

avahi_simple_poll_free(mc.simple_poll);

1096

1097

if (gnutls_initalized){

1098

gnutls_certificate_free_credentials(mc.cred);

1099

gnutls_global_deinit ();

1100

gnutls_dh_params_deinit(mc.dh_params);

1101

}

1102

1103

if(gpgme_initalized){

1104

gpgme_release(mc.ctx);

1105

}

1106

1107

/* Removes the temp directory used by GPGME */

1108

if(tempdir[0] != '\0'){

1109

DIR *d;

1110

struct dirent *direntry;

1111

d = opendir(tempdir);

1112

if(d == NULL){

1113

perror("opendir");

1114

} else {

1115

while(true){

1116

direntry = readdir(d);

1117

if(direntry == NULL){

1118

break;

1119

}

1120

if (direntry->d_type == DT_REG){

1121

char *fullname = NULL;

1122

ret = asprintf(&fullname, "%s/%s", tempdir,

1123

direntry->d_name);

1124

if(ret < 0){

1125

perror("asprintf");

1126

continue;

1127

}

1128

ret = unlink(fullname);

1129

if(ret == -1){

1130

fprintf(stderr, "unlink(\"%s\"): %s",

1131

fullname, strerror(errno));

1132

}

1133

free(fullname);

1134

}

1135

}

1136

closedir(d);

1137

}

1138

ret = rmdir(tempdir);

1139

if(ret == -1){

1140

perror("rmdir");

1141

}

1142

}

1143

1144

return exitcode;

726

1145

}

Older »