(root)/mandos/release
» Revision
237.2.26
(compared to revision 237.2.55)
: plugins.d/mandos-client.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.26
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.26
- Committer: Teddy Hogeborn
- Date: 2009-01-12 22:02:33 UTC
- mto: (24.1.123 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 245.
- Revision ID: teddy@fukt.bsnet.se-20090112220233-lawxo4uvyzb38u1f
* README (The Plugin System): Removed redundant text about options and
files for the plugins, this is now
documented in the manuals for the
plugins.
* plugins.d/mandos-client.c (main): Remove comment which was copied
from another program by mistake.
Use "sscanf" instead of "strtol"
to parse numbers; this uses the
correct type instead of casting.
Don't report errors when removing
temporary directory if directory
is already gone.
files for the plugins, this is now
documented in the manuals for the
plugins.
* plugins.d/mandos-client.c (main): Remove comment which was copied
from another program by mistake.
Use "sscanf" instead of "strtol"
to parse numbers; this uses the
correct type instead of casting.
Don't report errors when removing
temporary directory if directory
is already gone.
- files removed:
- debian/watch
- files renamed:
- mandos-ctl => mandos-list
- files modified:
- INSTALL
added
removed
plugins.d/mandos-client.c
36
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
37
38
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
39
stdout, ferror(), sscanf */
41
40
#include <stdint.h> /* uint16_t, uint32_t */
42
41
#include <stddef.h> /* NULL, size_t, ssize_t */
43
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
49
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
49
sockaddr_in6, PF_INET6,
51
50
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
51
uid_t, gid_t, open(), opendir(), DIR */
54
52
#include <sys/stat.h> /* open() */
55
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
54
struct in6_addr, inet_pton(),
57
55
connect() */
58
56
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16, SCNu16 */
62
59
#include <assert.h> /* assert() */
63
60
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
61
#include <time.h> /* time() */
65
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
63
SIOCSIFFLAGS, if_indextoname(),
67
64
if_nametoindex(), IF_NAMESIZE */
75
72
argp_state, struct argp,
76
73
argp_parse(), ARGP_KEY_ARG,
77
74
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
79
75
80
76
/* Avahi */
81
77
/* All Avahi types, constants and functions
94
90
gnutls_*
95
91
init_gnutls_session(),
96
92
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
93
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
99
94
GNUTLS_OPENPGP_FMT_BASE64 */
100
95
101
96
/* GPGME */
134
129
*/
135
130
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
131
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
132
if (buffer_length + BUFFER_SIZE > buffer_capacity){
138
133
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
134
if (buffer == NULL){
140
135
return 0;
141
136
}
142
137
buffer_capacity += BUFFER_SIZE;
155
150
156
151
157
152
/*
158
* Helper function to insert pub and seckey to the engine keyring.
153
* Helper function to insert pub and seckey to the enigne keyring.
159
154
*/
160
155
bool import_key(const char *filename){
161
156
int fd;
168
163
}
169
164
170
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
166
if (rc != GPG_ERR_NO_ERROR){
172
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
168
gpgme_strsource(rc), gpgme_strerror(rc));
174
169
return false;
175
170
}
176
171
177
172
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
173
if (rc != GPG_ERR_NO_ERROR){
179
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
175
gpgme_strsource(rc), gpgme_strerror(rc));
181
176
return false;
189
184
return true;
190
185
}
191
186
192
if(debug){
187
if (debug){
193
188
fprintf(stderr, "Initialize gpgme\n");
194
189
}
195
190
196
191
/* Init GPGME */
197
192
gpgme_check_version(NULL);
198
193
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
199
if(rc != GPG_ERR_NO_ERROR){
194
if (rc != GPG_ERR_NO_ERROR){
200
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
201
196
gpgme_strsource(rc), gpgme_strerror(rc));
202
197
return false;
203
198
}
204
199
205
200
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
201
rc = gpgme_get_engine_info (&engine_info);
202
if (rc != GPG_ERR_NO_ERROR){
208
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
209
204
gpgme_strsource(rc), gpgme_strerror(rc));
210
205
return false;
224
219
225
220
/* Create new GPGME "context" */
226
221
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
222
if (rc != GPG_ERR_NO_ERROR){
228
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
224
gpgme_strsource(rc), gpgme_strerror(rc));
230
225
return false;
231
226
}
232
227
233
if(not import_key(pubkey) or not import_key(seckey)){
228
if (not import_key(pubkey) or not import_key(seckey)){
234
229
return false;
235
230
}
236
231
241
236
* Decrypt OpenPGP data.
242
237
* Returns -1 on error
243
238
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
248
243
gpgme_data_t dh_crypto, dh_plain;
249
244
gpgme_error_t rc;
250
245
ssize_t ret;
251
246
size_t plaintext_capacity = 0;
252
247
ssize_t plaintext_length = 0;
253
248
254
if(debug){
249
if (debug){
255
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
256
251
}
257
252
258
253
/* Create new GPGME data buffer from memory cryptotext */
259
254
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
260
255
0);
261
if(rc != GPG_ERR_NO_ERROR){
256
if (rc != GPG_ERR_NO_ERROR){
262
257
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
263
258
gpgme_strsource(rc), gpgme_strerror(rc));
264
259
return -1;
266
261
267
262
/* Create new empty GPGME data buffer for the plaintext */
268
263
rc = gpgme_data_new(&dh_plain);
269
if(rc != GPG_ERR_NO_ERROR){
264
if (rc != GPG_ERR_NO_ERROR){
270
265
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
271
266
gpgme_strsource(rc), gpgme_strerror(rc));
272
267
gpgme_data_release(dh_crypto);
276
271
/* Decrypt data from the cryptotext data buffer to the plaintext
277
272
data buffer */
278
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
274
if (rc != GPG_ERR_NO_ERROR){
280
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
281
276
gpgme_strsource(rc), gpgme_strerror(rc));
282
277
plaintext_length = -1;
283
if(debug){
278
if (debug){
284
279
gpgme_decrypt_result_t result;
285
280
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
281
if (result == NULL){
287
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
283
} else {
289
284
fprintf(stderr, "Unsupported algorithm: %s\n",
316
311
}
317
312
318
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
320
315
perror("gpgme_data_seek");
321
316
plaintext_length = -1;
322
317
goto decrypt_end;
327
322
plaintext_capacity = adjustbuffer(plaintext,
328
323
(size_t)plaintext_length,
329
324
plaintext_capacity);
330
if(plaintext_capacity == 0){
325
if (plaintext_capacity == 0){
331
326
perror("adjustbuffer");
332
327
plaintext_length = -1;
333
328
goto decrypt_end;
336
331
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
337
332
BUFFER_SIZE);
338
333
/* Print the data, if any */
339
if(ret == 0){
334
if (ret == 0){
340
335
/* EOF */
341
336
break;
342
337
}
366
361
return plaintext_length;
367
362
}
368
363
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
364
static const char * safer_gnutls_strerror (int value) {
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
366
if (ret == NULL)
373
367
ret = "(unknown)";
374
368
return ret;
375
369
}
390
384
}
391
385
392
386
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
387
if (ret != GNUTLS_E_SUCCESS) {
388
fprintf (stderr, "GnuTLS global_init: %s\n",
389
safer_gnutls_strerror(ret));
396
390
return -1;
397
391
}
398
392
399
if(debug){
393
if (debug){
400
394
/* "Use a log level over 10 to enable all debugging options."
401
395
* - GnuTLS manual
402
396
*/
406
400
407
401
/* OpenPGP credentials */
408
402
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
403
if (ret != GNUTLS_E_SUCCESS){
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
406
safer_gnutls_strerror(ret));
407
gnutls_global_deinit ();
416
408
return -1;
417
409
}
418
410
425
417
ret = gnutls_certificate_set_openpgp_key_file
426
418
(mc->cred, pubkeyfilename, seckeyfilename,
427
419
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
420
if (ret != GNUTLS_E_SUCCESS) {
429
421
fprintf(stderr,
430
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
436
428
437
429
/* GnuTLS server initialization */
438
430
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
431
if (ret != GNUTLS_E_SUCCESS) {
432
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
433
" %s\n", safer_gnutls_strerror(ret));
442
434
goto globalfail;
443
435
}
444
436
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
437
if (ret != GNUTLS_E_SUCCESS) {
438
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
439
safer_gnutls_strerror(ret));
448
440
goto globalfail;
449
441
}
450
442
465
457
int ret;
466
458
/* GnuTLS session creation */
467
459
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
460
if (ret != GNUTLS_E_SUCCESS){
469
461
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
470
462
safer_gnutls_strerror(ret));
471
463
}
473
465
{
474
466
const char *err;
475
467
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
468
if (ret != GNUTLS_E_SUCCESS) {
477
469
fprintf(stderr, "Syntax error at: %s\n", err);
478
470
fprintf(stderr, "GnuTLS error: %s\n",
479
471
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
472
gnutls_deinit (*session);
481
473
return -1;
482
474
}
483
475
}
484
476
485
477
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
478
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
479
if (ret != GNUTLS_E_SUCCESS) {
488
480
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
489
481
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
482
gnutls_deinit (*session);
491
483
return -1;
492
484
}
493
485
494
486
/* ignore client certificate if any. */
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
487
gnutls_certificate_server_set_request (*session,
488
GNUTLS_CERT_IGNORE);
497
489
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
490
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
499
491
500
492
return 0;
501
493
}
521
513
char interface[IF_NAMESIZE];
522
514
gnutls_session_t session;
523
515
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
516
ret = init_gnutls_session (mc, &session);
517
if (ret != 0){
526
518
return -1;
527
519
}
528
520
550
542
/* It would be nice to have a way to detect if we were passed an
551
543
IPv4 address here. Now we assume an IPv6 address. */
552
544
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
545
if (ret < 0 ){
554
546
perror("inet_pton");
555
547
return -1;
556
548
}
558
550
fprintf(stderr, "Bad address: %s\n", ip);
559
551
return -1;
560
552
}
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
553
to.in6.sin6_port = htons(port); /* Spurious warning */
564
554
565
555
to.in6.sin6_scope_id = (uint32_t)if_index;
566
556
579
569
}
580
570
581
571
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
572
if (ret < 0){
583
573
perror("connect");
584
574
return -1;
585
575
}
586
576
587
577
const char *out = mandos_protocol_version;
588
578
written = 0;
589
while(true){
579
while (true){
590
580
size_t out_size = strlen(out);
591
581
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
582
out_size - written));
593
if(ret == -1){
583
if (ret == -1){
594
584
perror("write");
595
585
retval = -1;
596
586
goto mandos_end;
599
589
if(written < out_size){
600
590
continue;
601
591
} else {
602
if(out == mandos_protocol_version){
592
if (out == mandos_protocol_version){
603
593
written = 0;
604
594
out = "\r\n";
605
595
} else {
612
602
fprintf(stderr, "Establishing TLS session with %s\n", ip);
613
603
}
614
604
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
605
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
616
606
617
607
do{
618
ret = gnutls_handshake(session);
608
ret = gnutls_handshake (session);
619
609
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
610
621
if(ret != GNUTLS_E_SUCCESS){
611
if (ret != GNUTLS_E_SUCCESS){
622
612
if(debug){
623
613
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
614
gnutls_perror (ret);
625
615
}
626
616
retval = -1;
627
617
goto mandos_end;
637
627
while(true){
638
628
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
629
buffer_capacity);
640
if(buffer_capacity == 0){
630
if (buffer_capacity == 0){
641
631
perror("adjustbuffer");
642
632
retval = -1;
643
633
goto mandos_end;
645
635
646
636
sret = gnutls_record_recv(session, buffer+buffer_length,
647
637
BUFFER_SIZE);
648
if(sret == 0){
638
if (sret == 0){
649
639
break;
650
640
}
651
if(sret < 0){
641
if (sret < 0){
652
642
switch(sret){
653
643
case GNUTLS_E_INTERRUPTED:
654
644
case GNUTLS_E_AGAIN:
655
645
break;
656
646
case GNUTLS_E_REHANDSHAKE:
657
647
do{
658
ret = gnutls_handshake(session);
648
ret = gnutls_handshake (session);
659
649
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
650
if (ret < 0){
661
651
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
652
gnutls_perror (ret);
663
653
retval = -1;
664
654
goto mandos_end;
665
655
}
668
658
fprintf(stderr, "Unknown error while reading data from"
669
659
" encrypted session with Mandos server\n");
670
660
retval = -1;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
661
gnutls_bye (session, GNUTLS_SHUT_RDWR);
672
662
goto mandos_end;
673
663
}
674
664
} else {
680
670
fprintf(stderr, "Closing TLS session\n");
681
671
}
682
672
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
673
gnutls_bye (session, GNUTLS_SHUT_RDWR);
684
674
685
if(buffer_length > 0){
675
if (buffer_length > 0){
686
676
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
687
677
buffer_length,
688
678
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
679
if (decrypted_buffer_size >= 0){
690
680
written = 0;
691
681
while(written < (size_t) decrypted_buffer_size){
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
682
ret = (int)fwrite (decrypted_buffer + written, 1,
683
(size_t)decrypted_buffer_size - written,
684
stdout);
695
685
if(ret == 0 and ferror(stdout)){
696
686
if(debug){
697
687
fprintf(stderr, "Error writing encrypted data: %s\n",
718
708
if(ret == -1){
719
709
perror("close");
720
710
}
721
gnutls_deinit(session);
711
gnutls_deinit (session);
722
712
return retval;
723
713
}
724
714
742
732
/* Called whenever a service has been resolved successfully or
743
733
timed out */
744
734
745
switch(event) {
735
switch (event) {
746
736
default:
747
737
case AVAHI_RESOLVER_FAILURE:
748
738
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
756
746
avahi_address_snprint(ip, sizeof(ip), address);
757
747
if(debug){
758
748
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
749
PRIu16 ") on port %d\n", name, host_name, ip,
750
interface, port);
761
751
}
762
752
int ret = start_mandos_communication(ip, port, interface, mc);
763
if(ret == 0){
753
if (ret == 0){
764
754
avahi_simple_poll_quit(mc->simple_poll);
765
755
}
766
756
}
784
774
/* Called whenever a new services becomes available on the LAN or
785
775
is removed from the LAN */
786
776
787
switch(event) {
777
switch (event) {
788
778
default:
789
779
case AVAHI_BROWSER_FAILURE:
790
780
799
789
the callback function is called the Avahi server will free the
800
790
resolver for us. */
801
791
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
792
if (!(avahi_s_service_resolver_new(mc->server, interface,
803
793
protocol, name, type, domain,
804
794
AVAHI_PROTO_INET6, 0,
805
795
resolve_callback, mc)))
823
813
AvahiSServiceBrowser *sb = NULL;
824
814
int error;
825
815
int ret;
826
intmax_t tmpmax;
827
int numchars;
828
816
int exitcode = EXIT_SUCCESS;
829
817
const char *interface = "eth0";
830
818
struct ifreq network;
833
821
gid_t gid;
834
822
char *connect_to = NULL;
835
823
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
837
824
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
825
const char *seckey = PATHDIR "/" SECKEY;
839
826
const char *pubkey = PATHDIR "/" PUBKEY;
841
828
mandos_context mc = { .simple_poll = NULL, .server = NULL,
842
829
.dh_bits = 1024, .priority = "SECURE256"
843
830
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
831
bool gnutls_initalized = false;
832
bool gpgme_initalized = false;
847
833
848
834
{
849
835
struct argp_option options[] = {
875
861
.arg = "STRING",
876
862
.doc = "GnuTLS priority string for the TLS handshake",
877
863
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
864
{ .name = NULL }
883
865
};
884
866
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
867
error_t parse_opt (int key, char *arg,
868
struct argp_state *state) {
869
switch (key) {
888
870
case 128: /* --debug */
889
871
debug = true;
890
872
break;
901
883
pubkey = arg;
902
884
break;
903
885
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
886
ret = sscanf(arg, "%u", &mc.dh_bits);
887
if(ret == 0 or mc.dh_bits == 0){
907
888
fprintf(stderr, "Bad number of DH bits\n");
908
889
exit(EXIT_FAILURE);
909
890
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
891
break;
912
892
case 130: /* --priority */
913
893
mc.priority = arg;
914
894
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
895
case ARGP_KEY_ARG:
923
argp_usage(state);
896
argp_usage (state);
924
897
case ARGP_KEY_END:
925
898
break;
926
899
default:
933
906
.args_doc = "",
934
907
.doc = "Mandos client -- Get and decrypt"
935
908
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
909
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
910
if (ret == ARGP_ERR_UNKNOWN){
938
911
fprintf(stderr, "Unknown error while parsing arguments\n");
939
912
exitcode = EXIT_FAILURE;
940
913
goto end;
943
916
944
917
/* If the interface is down, bring it up */
945
918
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
919
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
920
if(sd < 0) {
955
921
perror("socket");
956
922
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
923
goto end;
962
924
}
963
925
strcpy(network.ifr_name, interface);
964
926
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
927
if(ret == -1){
966
928
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
929
exitcode = EXIT_FAILURE;
972
930
goto end;
973
931
}
977
935
if(ret == -1){
978
936
perror("ioctl SIOCSIFFLAGS");
979
937
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
938
goto end;
985
939
}
986
940
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
941
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
942
if(ret == -1){
1000
943
perror("close");
1001
944
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
945
}
1008
946
1009
947
uid = getuid();
1010
948
gid = getgid();
1011
949
950
ret = setuid(uid);
951
if (ret == -1){
952
perror("setuid");
953
}
954
1012
955
setgid(gid);
1013
if(ret == -1){
956
if (ret == -1){
1014
957
perror("setgid");
1015
958
}
1016
959
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
960
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
961
if (ret == -1){
1024
962
fprintf(stderr, "init_gnutls_global failed\n");
1025
963
exitcode = EXIT_FAILURE;
1026
964
goto end;
1027
965
} else {
1028
gnutls_initialized = true;
966
gnutls_initalized = true;
1029
967
}
1030
968
1031
969
if(mkdtemp(tempdir) == NULL){
1032
970
perror("mkdtemp");
971
tempdir[0] = '\0';
1033
972
goto end;
1034
973
}
1035
tempdir_created = true;
1036
974
1037
975
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
976
fprintf(stderr, "gpgme_initalized failed\n");
1039
977
exitcode = EXIT_FAILURE;
1040
978
goto end;
1041
979
} else {
1042
gpgme_initialized = true;
980
gpgme_initalized = true;
1043
981
}
1044
982
1045
983
if_index = (AvahiIfIndex) if_nametoindex(interface);
1046
984
if(if_index == 0){
1047
985
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
986
exit(EXIT_FAILURE);
1050
987
}
1051
988
1052
989
if(connect_to != NULL){
1059
996
goto end;
1060
997
}
1061
998
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
999
ret = sscanf(address+1, "%" SCNu16, &port);
1000
if(ret == 0 or port == 0){
1065
1001
fprintf(stderr, "Bad port number\n");
1066
1002
exitcode = EXIT_FAILURE;
1067
1003
goto end;
1068
1004
}
1069
port = (uint16_t)tmpmax;
1070
1005
*address = '\0';
1071
1006
address = connect_to;
1072
1007
ret = start_mandos_communication(address, port, if_index, &mc);
1078
1013
goto end;
1079
1014
}
1080
1015
1081
if(not debug){
1016
if (not debug){
1082
1017
avahi_set_log_function(empty_log);
1083
1018
}
1084
1019
1087
1022
1088
1023
/* Allocate main Avahi loop object */
1089
1024
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1025
if (mc.simple_poll == NULL) {
1091
1026
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
1027
" object.\n");
1093
1028
exitcode = EXIT_FAILURE;
1113
1048
}
1114
1049
1115
1050
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1051
if (mc.server == NULL) {
1117
1052
fprintf(stderr, "Failed to create Avahi server: %s\n",
1118
1053
avahi_strerror(error));
1119
1054
exitcode = EXIT_FAILURE;
1125
1060
AVAHI_PROTO_INET6,
1126
1061
"_mandos._tcp", NULL, 0,
1127
1062
browse_callback, &mc);
1128
if(sb == NULL) {
1063
if (sb == NULL) {
1129
1064
fprintf(stderr, "Failed to create service browser: %s\n",
1130
1065
avahi_strerror(avahi_server_errno(mc.server)));
1131
1066
exitcode = EXIT_FAILURE;
1134
1069
1135
1070
/* Run the main loop */
1136
1071
1137
if(debug){
1072
if (debug){
1138
1073
fprintf(stderr, "Starting Avahi loop search\n");
1139
1074
}
1140
1075
1141
1076
avahi_simple_poll_loop(mc.simple_poll);
1142
1077
1143
1078
end:
1144
1079
1145
if(debug){
1080
if (debug){
1146
1081
fprintf(stderr, "%s exiting\n", argv[0]);
1147
1082
}
1148
1083
1149
1084
/* Cleanup things */
1150
if(sb != NULL)
1085
if (sb != NULL)
1151
1086
avahi_s_service_browser_free(sb);
1152
1087
1153
if(mc.server != NULL)
1088
if (mc.server != NULL)
1154
1089
avahi_server_free(mc.server);
1155
1090
1156
if(mc.simple_poll != NULL)
1091
if (mc.simple_poll != NULL)
1157
1092
avahi_simple_poll_free(mc.simple_poll);
1158
1093
1159
if(gnutls_initialized){
1094
if (gnutls_initalized){
1160
1095
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1096
gnutls_global_deinit ();
1162
1097
gnutls_dh_params_deinit(mc.dh_params);
1163
1098
}
1164
1099
1165
if(gpgme_initialized){
1100
if(gpgme_initalized){
1166
1101
gpgme_release(mc.ctx);
1167
1102
}
1168
1103
1169
1104
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1105
if(tempdir[0] != '\0'){
1171
1106
DIR *d;
1172
1107
struct dirent *direntry;
1173
1108
d = opendir(tempdir);
1181
1116
if(direntry == NULL){
1182
1117
break;
1183
1118
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1204
1134
}
1205
1135
closedir(d);
1206
1136
}
1209
1139
perror("rmdir");
1210
1140
}
1211
1141
}
1212
1142
1213
1143
return exitcode;
1214
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0