/mandos/release : revision 237.2.34

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-01-15 05:27:55 UTC
mfrom: (246 mandos-release)
mto: (24.1.123 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 249.
Revision ID: teddy@fukt.bsnet.se-20090115052755-luw0gjx8727p24o3

Merge from release branch.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

100

#include <gpgme.h> /* All GPGME types, constants and

101

functions:

102

gpgme_*

103

GPGME_PROTOCOL_OpenPGP,

104

GPG_ERR_NO_* */

105

106

#define BUFFER_SIZE 256

#define DH_BITS 1024

107

static const char *certdir = "/conf/conf.d/mandos";

static const char *certfile = "openpgp-client.txt";

static const char *certkey = "openpgp-client-key.txt";

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client " VERSION;

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

gnutls_session_t session;

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

} encrypted_session;

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if(buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if(buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if(rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if(rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = (int)TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if(debug){

191

fprintf(stderr, "Initialize gpgme\n");

192

}

193

100

194

/* Init GPGME */

101

195

gpgme_check_version(NULL);

102

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

103

if (rc != GPG_ERR_NO_ERROR){

197

if(rc != GPG_ERR_NO_ERROR){

104

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

105

199

gpgme_strsource(rc), gpgme_strerror(rc));

106

return -1;

200

return false;

107

201

}

108

202

109

/* Set GPGME home directory */

110

rc = gpgme_get_engine_info (&engine_info);

111

if (rc != GPG_ERR_NO_ERROR){

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info(&engine_info);

205

if(rc != GPG_ERR_NO_ERROR){

112

206

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

113

207

gpgme_strsource(rc), gpgme_strerror(rc));

114

return -1;

208

return false;

115

209

}

116

210

while(engine_info != NULL){

117

211

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

118

212

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

119

engine_info->file_name, homedir);

213

engine_info->file_name, tempdir);

120

214

break;

121

215

}

122

216

engine_info = engine_info->next;

123

217

}

124

218

if(engine_info == NULL){

125

fprintf(stderr, "Could not set home dir to %s\n", homedir);

126

return -1;

127

}

128

129

/* Create new GPGME data buffer from packet buffer */

130

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

131

if (rc != GPG_ERR_NO_ERROR){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if(rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if(not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if(debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

259

if(rc != GPG_ERR_NO_ERROR){

132

260

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

133

261

gpgme_strsource(rc), gpgme_strerror(rc));

134

262

return -1;

136

264

137

265

/* Create new empty GPGME data buffer for the plaintext */

138

266

rc = gpgme_data_new(&dh_plain);

139

if (rc != GPG_ERR_NO_ERROR){

267

if(rc != GPG_ERR_NO_ERROR){

140

268

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

141

269

gpgme_strsource(rc), gpgme_strerror(rc));

142

return -1;

143

}

144

145

/* Create new GPGME "context" */

146

rc = gpgme_new(&ctx);

147

if (rc != GPG_ERR_NO_ERROR){

148

fprintf(stderr, "bad gpgme_new: %s: %s\n",

149

gpgme_strsource(rc), gpgme_strerror(rc));

150

return -1;

151

}

152

153

/* Decrypt data from the FILE pointer to the plaintext data

154

buffer */

155

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

156

if (rc != GPG_ERR_NO_ERROR){

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

277

if(rc != GPG_ERR_NO_ERROR){

157

278

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

158

279

gpgme_strsource(rc), gpgme_strerror(rc));

159

return -1;

280

plaintext_length = -1;

281

if(debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if(result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

306

}

307

}

308

}

309

goto decrypt_end;

160

310

}

161

311

162

312

if(debug){

163

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

164

}

165

166

if (debug){

167

gpgme_decrypt_result_t result;

168

result = gpgme_op_decrypt_result(ctx);

169

if (result == NULL){

170

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

171

} else {

172

fprintf(stderr, "Unsupported algorithm: %s\n",

173

result->unsupported_algorithm);

174

fprintf(stderr, "Wrong key usage: %d\n",

175

result->wrong_key_usage);

176

if(result->file_name != NULL){

177

fprintf(stderr, "File name: %s\n", result->file_name);

178

}

179

gpgme_recipient_t recipient;

180

recipient = result->recipients;

181

if(recipient){

182

while(recipient != NULL){

183

fprintf(stderr, "Public key algorithm: %s\n",

184

gpgme_pubkey_algo_name(recipient->pubkey_algo));

185

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

186

fprintf(stderr, "Secret key available: %s\n",

187

recipient->status == GPG_ERR_NO_SECKEY

188

? "No" : "Yes");

189

recipient = recipient->next;

190

}

191

}

192

}

193

}

194

195

/* Delete the GPGME FILE pointer cryptotext data buffer */

196

gpgme_data_release(dh_crypto);

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

197

315

198

316

/* Seek back to the beginning of the GPGME plaintext data buffer */

199

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

200

perror("pgpme_data_seek");

317

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

201

321

}

202

322

203

*new_packet = 0;

323

*plaintext = NULL;

204

324

while(true){

205

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

206

*new_packet = realloc(*new_packet,

207

(unsigned int)new_packet_capacity

208

+ BUFFER_SIZE);

209

if (*new_packet == NULL){

210

perror("realloc");

211

return -1;

212

}

213

new_packet_capacity += BUFFER_SIZE;

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if(plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

214

332

}

215

333

216

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

217

335

BUFFER_SIZE);

218

336

/* Print the data, if any */

219

if (ret == 0){

337

if(ret == 0){

338

/* EOF */

220

339

break;

221

340

}

222

341

if(ret < 0){

223

342

perror("gpgme_data_read");

224

return -1;

225

}

226

new_packet_length += ret;

227

}

228

229

/* FIXME: check characters before printing to screen so to not print

230

terminal control characters */

231

/* if(debug){ */

232

/* fprintf(stderr, "decrypted password is: "); */

233

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

234

/* fprintf(stderr, "\n"); */

235

/* } */

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

236

361

237

362

/* Delete the GPGME plaintext data buffer */

238

363

gpgme_data_release(dh_plain);

239

return new_packet_length;

364

return plaintext_length;

240

365

}

241

366

242

static const char * safer_gnutls_strerror (int value) {

243

const char *ret = gnutls_strerror (value);

244

if (ret == NULL)

367

static const char * safer_gnutls_strerror(int value) {

368

const char *ret = gnutls_strerror(value); /* Spurious warning from

369

-Wunreachable-code */

370

if(ret == NULL)

245

371

ret = "(unknown)";

246

372

return ret;

247

373

}

248

374

375

/* GnuTLS log function callback */

249

376

static void debuggnutls(__attribute__((unused)) int level,

250

377

const char* string){

251

fprintf(stderr, "%s", string);

378

fprintf(stderr, "GnuTLS: %s", string);

252

379

}

253

380

254

static int initgnutls(encrypted_session *es){

255

const char *err;

381

static int init_gnutls_global(mandos_context *mc,

382

const char *pubkeyfilename,

383

const char *seckeyfilename){

256

384

int ret;

257

385

258

386

if(debug){

259

387

fprintf(stderr, "Initializing GnuTLS\n");

260

388

}

261

262

if ((ret = gnutls_global_init ())

263

!= GNUTLS_E_SUCCESS) {

264

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

389

390

ret = gnutls_global_init();

391

if(ret != GNUTLS_E_SUCCESS) {

392

fprintf(stderr, "GnuTLS global_init: %s\n",

393

safer_gnutls_strerror(ret));

265

394

return -1;

266

395

}

267

268

if (debug){

396

397

if(debug){

398

/* "Use a log level over 10 to enable all debugging options."

399

* - GnuTLS manual

400

269

401

gnutls_global_set_log_level(11);

270

402

gnutls_global_set_log_function(debuggnutls);

271

403

}

272

404

273

/* openpgp credentials */

274

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

275

!= GNUTLS_E_SUCCESS) {

276

fprintf (stderr, "memory error: %s\n",

277

safer_gnutls_strerror(ret));

405

/* OpenPGP credentials */

406

gnutls_certificate_allocate_credentials(&mc->cred);

407

if(ret != GNUTLS_E_SUCCESS){

408

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

409

* from

410

* -Wunreachable-code

411

412

safer_gnutls_strerror(ret));

413

gnutls_global_deinit();

278

414

return -1;

279

415

}

280

416

281

417

if(debug){

282

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

283

" and keyfile %s as GnuTLS credentials\n", certfile,

284

certkey);

418

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

419

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

420

seckeyfilename);

285

421

}

286

422

287

423

ret = gnutls_certificate_set_openpgp_key_file

288

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

289

if (ret != GNUTLS_E_SUCCESS) {

290

fprintf

291

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

292

" '%s')\n",

293

ret, certfile, certkey);

294

fprintf(stdout, "The Error is: %s\n",

295

safer_gnutls_strerror(ret));

296

return -1;

297

}

298

299

//GnuTLS server initialization

300

if ((ret = gnutls_dh_params_init (&es->dh_params))

301

!= GNUTLS_E_SUCCESS) {

302

fprintf (stderr, "Error in dh parameter initialization: %s\n",

303

safer_gnutls_strerror(ret));

304

return -1;

305

}

306

307

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

308

!= GNUTLS_E_SUCCESS) {

309

fprintf (stderr, "Error in prime generation: %s\n",

310

safer_gnutls_strerror(ret));

311

return -1;

312

}

313

314

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

315

316

// GnuTLS session creation

317

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

318

!= GNUTLS_E_SUCCESS){

424

(mc->cred, pubkeyfilename, seckeyfilename,

425

GNUTLS_OPENPGP_FMT_BASE64);

426

if(ret != GNUTLS_E_SUCCESS) {

427

fprintf(stderr,

428

"Error[%d] while reading the OpenPGP key pair ('%s',"

429

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

430

fprintf(stderr, "The GnuTLS error is: %s\n",

431

safer_gnutls_strerror(ret));

432

goto globalfail;

433

}

434

435

/* GnuTLS server initialization */

436

ret = gnutls_dh_params_init(&mc->dh_params);

437

if(ret != GNUTLS_E_SUCCESS) {

438

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

439

" %s\n", safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

443

if(ret != GNUTLS_E_SUCCESS) {

444

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

445

safer_gnutls_strerror(ret));

446

goto globalfail;

447

}

448

449

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

450

451

return 0;

452

453

globalfail:

454

455

gnutls_certificate_free_credentials(mc->cred);

456

gnutls_global_deinit();

457

gnutls_dh_params_deinit(mc->dh_params);

458

return -1;

459

}

460

461

static int init_gnutls_session(mandos_context *mc,

462

gnutls_session_t *session){

463

int ret;

464

/* GnuTLS session creation */

465

ret = gnutls_init(session, GNUTLS_SERVER);

466

if(ret != GNUTLS_E_SUCCESS){

319

467

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

320

468

safer_gnutls_strerror(ret));

321

469

}

322

470

323

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

324

!= GNUTLS_E_SUCCESS) {

325

fprintf(stderr, "Syntax error at: %s\n", err);

326

fprintf(stderr, "GnuTLS error: %s\n",

327

safer_gnutls_strerror(ret));

328

return -1;

471

{

472

const char *err;

473

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

474

if(ret != GNUTLS_E_SUCCESS) {

475

fprintf(stderr, "Syntax error at: %s\n", err);

476

fprintf(stderr, "GnuTLS error: %s\n",

477

safer_gnutls_strerror(ret));

478

gnutls_deinit(*session);

479

return -1;

480

}

329

481

}

330

482

331

if ((ret = gnutls_credentials_set

332

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

333

!= GNUTLS_E_SUCCESS) {

334

fprintf(stderr, "Error setting a credentials set: %s\n",

483

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

484

mc->cred);

485

if(ret != GNUTLS_E_SUCCESS) {

486

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

335

487

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

336

489

return -1;

337

490

}

338

491

339

492

/* ignore client certificate if any. */

340

gnutls_certificate_server_set_request (es->session,

341

GNUTLS_CERT_IGNORE);

493

gnutls_certificate_server_set_request(*session,

494

GNUTLS_CERT_IGNORE);

342

495

343

gnutls_dh_set_prime_bits (es->session, DH_BITS);

496

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

344

497

345

498

return 0;

346

499

}

347

500

501

/* Avahi log function callback */

348

502

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

349

503

__attribute__((unused)) const char *txt){}

350

504

505

/* Called when a Mandos server is found */

351

506

static int start_mandos_communication(const char *ip, uint16_t port,

352

AvahiIfIndex if_index){

507

AvahiIfIndex if_index,

508

mandos_context *mc){

353

509

int ret, tcp_sd;

354

struct sockaddr_in6 to;

355

encrypted_session es;

510

ssize_t sret;

511

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

356

512

char *buffer = NULL;

357

513

char *decrypted_buffer;

358

514

size_t buffer_length = 0;

359

515

size_t buffer_capacity = 0;

360

516

ssize_t decrypted_buffer_size;

361

size_t written = 0;

517

size_t written;

362

518

int retval = 0;

363

519

char interface[IF_NAMESIZE];

520

gnutls_session_t session;

521

522

ret = init_gnutls_session(mc, &session);

523

if(ret != 0){

524

return -1;

525

}

364

526

365

527

if(debug){

366

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

367

ip, port);

528

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

529

"\n", ip, port);

368

530

}

369

531

370

532

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

373

535

return -1;

374

536

}

375

537

376

if(if_indextoname((unsigned int)if_index, interface) == NULL){

377

if(debug){

538

if(debug){

539

if(if_indextoname((unsigned int)if_index, interface) == NULL){

378

540

perror("if_indextoname");

541

return -1;

379

542

}

380

return -1;

381

}

382

383

if(debug){

384

543

fprintf(stderr, "Binding to interface %s\n", interface);

385

544

}

386

545

387

memset(&to,0,sizeof(to)); /* Spurious warning */

388

to.sin6_family = AF_INET6;

389

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

390

if (ret < 0 ){

546

memset(&to, 0, sizeof(to));

547

to.in6.sin6_family = AF_INET6;

548

/* It would be nice to have a way to detect if we were passed an

549

IPv4 address here. Now we assume an IPv6 address. */

550

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

551

if(ret < 0 ){

391

552

perror("inet_pton");

392

553

return -1;

393

}

554

}

394

555

if(ret == 0){

395

556

fprintf(stderr, "Bad address: %s\n", ip);

396

557

return -1;

397

558

}

398

to.sin6_port = htons(port); /* Spurious warning */

559

to.in6.sin6_port = htons(port); /* Spurious warnings from

560

-Wconversion and

561

-Wunreachable-code */

399

562

400

to.sin6_scope_id = (uint32_t)if_index;

563

to.in6.sin6_scope_id = (uint32_t)if_index;

401

564

402

565

if(debug){

403

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

404

/* char addrstr[INET6_ADDRSTRLEN]; */

405

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

406

/* sizeof(addrstr)) == NULL){ */

407

/* perror("inet_ntop"); */

408

/* } else { */

409

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

410

/* addrstr, ntohs(to.sin6_port)); */

411

/* } */

566

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

567

port);

568

char addrstr[INET6_ADDRSTRLEN] = "";

569

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

570

sizeof(addrstr)) == NULL){

571

perror("inet_ntop");

572

} else {

573

if(strcmp(addrstr, ip) != 0){

574

fprintf(stderr, "Canonical address form: %s\n", addrstr);

575

}

576

}

412

577

}

413

578

414

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

415

if (ret < 0){

579

ret = connect(tcp_sd, &to.in, sizeof(to));

580

if(ret < 0){

416

581

perror("connect");

417

582

return -1;

418

583

}

419

584

420

ret = initgnutls (&es);

421

if (ret != 0){

422

retval = -1;

423

return -1;

585

const char *out = mandos_protocol_version;

586

written = 0;

587

while(true){

588

size_t out_size = strlen(out);

589

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

590

out_size - written));

591

if(ret == -1){

592

perror("write");

593

retval = -1;

594

goto mandos_end;

595

}

596

written += (size_t)ret;

597

if(written < out_size){

598

continue;

599

} else {

600

if(out == mandos_protocol_version){

601

written = 0;

602

out = "\r\n";

603

} else {

604

break;

605

}

606

}

424

607

}

425

608

426

gnutls_transport_set_ptr (es.session,

427

(gnutls_transport_ptr_t) tcp_sd);

428

429

609

if(debug){

430

610

fprintf(stderr, "Establishing TLS session with %s\n", ip);

431

611

}

432

612

433

ret = gnutls_handshake (es.session);

434

435

if (ret != GNUTLS_E_SUCCESS){

613

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

614

615

do{

616

ret = gnutls_handshake(session);

617

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

618

619

if(ret != GNUTLS_E_SUCCESS){

436

620

if(debug){

437

fprintf(stderr, "\n*** Handshake failed ***\n");

438

gnutls_perror (ret);

621

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

622

gnutls_perror(ret);

439

623

}

440

624

retval = -1;

441

goto exit;

625

goto mandos_end;

442

626

}

443

627

444

//Retrieve OpenPGP packet that contains the wanted password

628

/* Read OpenPGP packet that contains the wanted password */

445

629

446

630

if(debug){

447

631

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

448

632

ip);

449

633

}

450

634

451

635

while(true){

452

if (buffer_length + BUFFER_SIZE > buffer_capacity){

453

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

454

if (buffer == NULL){

455

perror("realloc");

456

goto exit;

457

}

458

buffer_capacity += BUFFER_SIZE;

636

buffer_capacity = adjustbuffer(&buffer, buffer_length,

637

buffer_capacity);

638

if(buffer_capacity == 0){

639

perror("adjustbuffer");

640

retval = -1;

641

goto mandos_end;

459

642

}

460

643

461

ret = gnutls_record_recv

462

(es.session, buffer+buffer_length, BUFFER_SIZE);

463

if (ret == 0){

644

sret = gnutls_record_recv(session, buffer+buffer_length,

645

BUFFER_SIZE);

646

if(sret == 0){

464

647

break;

465

648

}

466

if (ret < 0){

467

switch(ret){

649

if(sret < 0){

650

switch(sret){

468

651

case GNUTLS_E_INTERRUPTED:

469

652

case GNUTLS_E_AGAIN:

470

653

break;

471

654

case GNUTLS_E_REHANDSHAKE:

472

ret = gnutls_handshake (es.session);

473

if (ret < 0){

474

fprintf(stderr, "\n*** Handshake failed ***\n");

475

gnutls_perror (ret);

655

do{

656

ret = gnutls_handshake(session);

657

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

658

if(ret < 0){

659

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

660

gnutls_perror(ret);

476

661

retval = -1;

477

goto exit;

662

goto mandos_end;

478

663

}

479

664

break;

480

665

default:

481

666

fprintf(stderr, "Unknown error while reading data from"

482

" encrypted session with mandos server\n");

667

" encrypted session with Mandos server\n");

483

668

retval = -1;

484

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

485

goto exit;

669

gnutls_bye(session, GNUTLS_SHUT_RDWR);

670

goto mandos_end;

486

671

}

487

672

} else {

488

buffer_length += (size_t) ret;

673

buffer_length += (size_t) sret;

489

674

}

490

675

}

491

676

492

if (buffer_length > 0){

493

decrypted_buffer_size = pgp_packet_decrypt(buffer,

677

if(debug){

678

fprintf(stderr, "Closing TLS session\n");

679

}

680

681

gnutls_bye(session, GNUTLS_SHUT_RDWR);

682

683

if(buffer_length > 0){

684

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

494

685

buffer_length,

495

&decrypted_buffer,

496

certdir);

497

if (decrypted_buffer_size >= 0){

686

&decrypted_buffer);

687

if(decrypted_buffer_size >= 0){

688

written = 0;

498

689

while(written < (size_t) decrypted_buffer_size){

499

ret = (int)fwrite (decrypted_buffer + written, 1,

500

(size_t)decrypted_buffer_size - written,

501

stdout);

690

ret = (int)fwrite(decrypted_buffer + written, 1,

691

(size_t)decrypted_buffer_size - written,

692

stdout);

502

693

if(ret == 0 and ferror(stdout)){

503

694

if(debug){

504

695

fprintf(stderr, "Error writing encrypted data: %s\n",

513

704

} else {

514

705

retval = -1;

515

706

}

516

}

517

518

//shutdown procedure

519

520

if(debug){

521

fprintf(stderr, "Closing TLS session\n");

522

}

523

707

} else {

708

retval = -1;

709

}

710

711

/* Shutdown procedure */

712

713

mandos_end:

524

714

free(buffer);

525

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

526

exit:

527

close(tcp_sd);

528

gnutls_deinit (es.session);

529

gnutls_certificate_free_credentials (es.cred);

530

gnutls_global_deinit ();

715

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

716

if(ret == -1){

717

perror("close");

718

}

719

gnutls_deinit(session);

531

720

return retval;

532

721

}

533

722

534

static AvahiSimplePoll *simple_poll = NULL;

535

static AvahiServer *server = NULL;

536

537

static void resolve_callback(

538

AvahiSServiceResolver *r,

539

AvahiIfIndex interface,

540

AVAHI_GCC_UNUSED AvahiProtocol protocol,

541

AvahiResolverEvent event,

542

const char *name,

543

const char *type,

544

const char *domain,

545

const char *host_name,

546

const AvahiAddress *address,

547

uint16_t port,

548

AVAHI_GCC_UNUSED AvahiStringList *txt,

549

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

550

AVAHI_GCC_UNUSED void* userdata) {

551

552

assert(r); /* Spurious warning */

723

static void resolve_callback(AvahiSServiceResolver *r,

724

AvahiIfIndex interface,

725

AVAHI_GCC_UNUSED AvahiProtocol protocol,

726

AvahiResolverEvent event,

727

const char *name,

728

const char *type,

729

const char *domain,

730

const char *host_name,

731

const AvahiAddress *address,

732

uint16_t port,

733

AVAHI_GCC_UNUSED AvahiStringList *txt,

734

AVAHI_GCC_UNUSED AvahiLookupResultFlags

735

flags,

736

void* userdata) {

737

mandos_context *mc = userdata;

738

assert(r);

553

739

554

740

/* Called whenever a service has been resolved successfully or

555

741

timed out */

556

742

557

switch (event) {

743

switch(event) {

558

744

default:

559

745

case AVAHI_RESOLVER_FAILURE:

560

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

561

" type '%s' in domain '%s': %s\n", name, type, domain,

562

avahi_strerror(avahi_server_errno(server)));

746

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

747

" of type '%s' in domain '%s': %s\n", name, type, domain,

748

avahi_strerror(avahi_server_errno(mc->server)));

563

749

break;

564

750

565

751

case AVAHI_RESOLVER_FOUND:

567

753

char ip[AVAHI_ADDRESS_STR_MAX];

568

754

avahi_address_snprint(ip, sizeof(ip), address);

569

755

if(debug){

570

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

571

" port %d\n", name, host_name, ip, port);

756

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

757

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

758

ip, (intmax_t)interface, port);

572

759

}

573

int ret = start_mandos_communication(ip, port, interface);

574

if (ret == 0){

575

exit(EXIT_SUCCESS);

760

int ret = start_mandos_communication(ip, port, interface, mc);

761

if(ret == 0){

762

avahi_simple_poll_quit(mc->simple_poll);

576

763

}

577

764

}

578

765

}

579

766

avahi_s_service_resolver_free(r);

580

767

}

581

768

582

static void browse_callback(

583

AvahiSServiceBrowser *b,

584

AvahiIfIndex interface,

585

AvahiProtocol protocol,

586

AvahiBrowserEvent event,

587

const char *name,

588

const char *type,

589

const char *domain,

590

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

591

void* userdata) {

592

593

AvahiServer *s = userdata;

594

assert(b); /* Spurious warning */

595

596

/* Called whenever a new services becomes available on the LAN or

597

is removed from the LAN */

598

599

switch (event) {

600

default:

601

case AVAHI_BROWSER_FAILURE:

602

603

fprintf(stderr, "(Browser) %s\n",

604

avahi_strerror(avahi_server_errno(server)));

605

avahi_simple_poll_quit(simple_poll);

606

return;

607

608

case AVAHI_BROWSER_NEW:

609

/* We ignore the returned resolver object. In the callback

610

function we free it. If the server is terminated before

611

the callback function is called the server will free

612

the resolver for us. */

613

614

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

615

type, domain,

616

AVAHI_PROTO_INET6, 0,

617

resolve_callback, s)))

618

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

619

avahi_strerror(avahi_server_errno(s)));

620

break;

621

622

case AVAHI_BROWSER_REMOVE:

623

break;

624

625

case AVAHI_BROWSER_ALL_FOR_NOW:

626

case AVAHI_BROWSER_CACHE_EXHAUSTED:

627

break;

769

static void browse_callback( AvahiSServiceBrowser *b,

770

AvahiIfIndex interface,

771

AvahiProtocol protocol,

772

AvahiBrowserEvent event,

773

const char *name,

774

const char *type,

775

const char *domain,

776

AVAHI_GCC_UNUSED AvahiLookupResultFlags

777

flags,

778

void* userdata) {

779

mandos_context *mc = userdata;

780

assert(b);

781

782

/* Called whenever a new services becomes available on the LAN or

783

is removed from the LAN */

784

785

switch(event) {

786

default:

787

case AVAHI_BROWSER_FAILURE:

788

789

fprintf(stderr, "(Avahi browser) %s\n",

790

avahi_strerror(avahi_server_errno(mc->server)));

791

avahi_simple_poll_quit(mc->simple_poll);

792

return;

793

794

case AVAHI_BROWSER_NEW:

795

/* We ignore the returned Avahi resolver object. In the callback

796

function we free it. If the Avahi server is terminated before

797

the callback function is called the Avahi server will free the

798

resolver for us. */

799

800

if(!(avahi_s_service_resolver_new(mc->server, interface,

801

protocol, name, type, domain,

802

AVAHI_PROTO_INET6, 0,

803

resolve_callback, mc)))

804

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

805

name, avahi_strerror(avahi_server_errno(mc->server)));

806

break;

807

808

case AVAHI_BROWSER_REMOVE:

809

break;

810

811

case AVAHI_BROWSER_ALL_FOR_NOW:

812

case AVAHI_BROWSER_CACHE_EXHAUSTED:

813

if(debug){

814

fprintf(stderr, "No Mandos server found, still searching...\n");

628

815

}

629

}

630

631

/* Combines file name and path and returns the malloced new

632

string. some sane checks could/should be added */

633

static const char *combinepath(const char *first, const char *second){

634

size_t f_len = strlen(first);

635

size_t s_len = strlen(second);

636

char *tmp = malloc(f_len + s_len + 2);

637

if (tmp == NULL){

638

return NULL;

639

}

640

if(f_len > 0){

641

memcpy(tmp, first, f_len);

642

}

643

tmp[f_len] = '/';

644

if(s_len > 0){

645

memcpy(tmp + f_len + 1, second, s_len);

646

}

647

tmp[f_len + 1 + s_len] = '\0';

648

return tmp;

649

}

650

651

652

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

653

AvahiServerConfig config;

816

break;

817

}

818

}

819

820

int main(int argc, char *argv[]){

654

821

AvahiSServiceBrowser *sb = NULL;

655

822

int error;

656

823

int ret;

657

int returncode = EXIT_SUCCESS;

658

const char *interface = NULL;

824

intmax_t tmpmax;

825

int numchars;

826

int exitcode = EXIT_SUCCESS;

827

const char *interface = "eth0";

828

struct ifreq network;

829

int sd;

830

uid_t uid;

831

gid_t gid;

832

char *connect_to = NULL;

833

char tempdir[] = "/tmp/mandosXXXXXX";

659

834

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

660

char *connect_to = NULL;

661

662

while (true){

663

static struct option long_options[] = {

664

{"debug", no_argument, (int *)&debug, 1},

665

{"connect", required_argument, 0, 'C'},

666

{"interface", required_argument, 0, 'i'},

667

{"certdir", required_argument, 0, 'd'},

668

{"certkey", required_argument, 0, 'c'},

669

{"certfile", required_argument, 0, 'k'},

670

{0, 0, 0, 0} };

671

672

int option_index = 0;

673

ret = getopt_long (argc, argv, "i:", long_options,

674

&option_index);

675

676

if (ret == -1){

677

break;

678

}

679

680

switch(ret){

681

case 0:

682

break;

683

case 'i':

684

interface = optarg;

685

break;

686

case 'C':

687

connect_to = optarg;

688

break;

689

case 'd':

690

certdir = optarg;

691

break;

692

case 'c':

693

certfile = optarg;

694

break;

695

case 'k':

696

certkey = optarg;

697

break;

698

default:

699

exit(EXIT_FAILURE);

700

}

701

}

702

703

certfile = combinepath(certdir, certfile);

704

if (certfile == NULL){

705

perror("combinepath");

706

goto exit;

707

}

708

709

if(interface != NULL){

710

if_index = (AvahiIfIndex) if_nametoindex(interface);

711

if(if_index == 0){

712

fprintf(stderr, "No such interface: \"%s\"\n", interface);

713

exit(EXIT_FAILURE);

714

}

835

const char *seckey = PATHDIR "/" SECKEY;

836

const char *pubkey = PATHDIR "/" PUBKEY;

837

838

mandos_context mc = { .simple_poll = NULL, .server = NULL,

839

.dh_bits = 1024, .priority = "SECURE256"

840

":!CTYPE-X.509:+CTYPE-OPENPGP" };

841

bool gnutls_initalized = false;

842

bool gpgme_initalized = false;

843

844

{

845

struct argp_option options[] = {

846

{ .name = "debug", .key = 128,

847

.doc = "Debug mode", .group = 3 },

848

{ .name = "connect", .key = 'c',

849

.arg = "ADDRESS:PORT",

850

.doc = "Connect directly to a specific Mandos server",

851

.group = 1 },

852

{ .name = "interface", .key = 'i',

853

.arg = "NAME",

854

.doc = "Interface that will be used to search for Mandos"

855

" servers",

856

.group = 1 },

857

{ .name = "seckey", .key = 's',

858

.arg = "FILE",

859

.doc = "OpenPGP secret key file base name",

860

.group = 1 },

861

{ .name = "pubkey", .key = 'p',

862

.arg = "FILE",

863

.doc = "OpenPGP public key file base name",

864

.group = 2 },

865

{ .name = "dh-bits", .key = 129,

866

.arg = "BITS",

867

.doc = "Bit length of the prime number used in the"

868

" Diffie-Hellman key exchange",

869

.group = 2 },

870

{ .name = "priority", .key = 130,

871

.arg = "STRING",

872

.doc = "GnuTLS priority string for the TLS handshake",

873

.group = 1 },

874

{ .name = NULL }

875

};

876

877

error_t parse_opt(int key, char *arg,

878

struct argp_state *state) {

879

switch(key) {

880

case 128: /* --debug */

881

debug = true;

882

break;

883

case 'c': /* --connect */

884

connect_to = arg;

885

break;

886

case 'i': /* --interface */

887

interface = arg;

888

break;

889

case 's': /* --seckey */

890

seckey = arg;

891

break;

892

case 'p': /* --pubkey */

893

pubkey = arg;

894

break;

895

case 129: /* --dh-bits */

896

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

897

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

898

or arg[numchars] != '\0'){

899

fprintf(stderr, "Bad number of DH bits\n");

900

exit(EXIT_FAILURE);

901

}

902

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

903

break;

904

case 130: /* --priority */

905

mc.priority = arg;

906

break;

907

case ARGP_KEY_ARG:

908

argp_usage(state);

909

case ARGP_KEY_END:

910

break;

911

default:

912

return ARGP_ERR_UNKNOWN;

913

}

914

return 0;

915

}

916

917

struct argp argp = { .options = options, .parser = parse_opt,

918

.args_doc = "",

919

.doc = "Mandos client -- Get and decrypt"

920

" passwords from a Mandos server" };

921

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

922

if(ret == ARGP_ERR_UNKNOWN){

923

fprintf(stderr, "Unknown error while parsing arguments\n");

924

exitcode = EXIT_FAILURE;

925

goto end;

926

}

927

}

928

929

/* If the interface is down, bring it up */

930

{

931

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

932

if(sd < 0) {

933

perror("socket");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

strcpy(network.ifr_name, interface);

938

ret = ioctl(sd, SIOCGIFFLAGS, &network);

939

if(ret == -1){

940

perror("ioctl SIOCGIFFLAGS");

941

exitcode = EXIT_FAILURE;

942

goto end;

943

}

944

if((network.ifr_flags & IFF_UP) == 0){

945

network.ifr_flags |= IFF_UP;

946

ret = ioctl(sd, SIOCSIFFLAGS, &network);

947

if(ret == -1){

948

perror("ioctl SIOCSIFFLAGS");

949

exitcode = EXIT_FAILURE;

950

goto end;

951

}

952

}

953

ret = (int)TEMP_FAILURE_RETRY(close(sd));

954

if(ret == -1){

955

perror("close");

956

}

957

}

958

959

uid = getuid();

960

gid = getgid();

961

962

ret = setuid(uid);

963

if(ret == -1){

964

perror("setuid");

965

}

966

967

setgid(gid);

968

if(ret == -1){

969

perror("setgid");

970

}

971

972

ret = init_gnutls_global(&mc, pubkey, seckey);

973

if(ret == -1){

974

fprintf(stderr, "init_gnutls_global failed\n");

975

exitcode = EXIT_FAILURE;

976

goto end;

977

} else {

978

gnutls_initalized = true;

979

}

980

981

if(mkdtemp(tempdir) == NULL){

982

perror("mkdtemp");

983

tempdir[0] = '\0';

984

goto end;

985

}

986

987

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

988

fprintf(stderr, "gpgme_initalized failed\n");

989

exitcode = EXIT_FAILURE;

990

goto end;

991

} else {

992

gpgme_initalized = true;

993

}

994

995

if_index = (AvahiIfIndex) if_nametoindex(interface);

996

if(if_index == 0){

997

fprintf(stderr, "No such interface: \"%s\"\n", interface);

998

exit(EXIT_FAILURE);

715

999

}

716

1000

717

1001

if(connect_to != NULL){

720

1004

char *address = strrchr(connect_to, ':');

721

1005

if(address == NULL){

722

1006

fprintf(stderr, "No colon in address\n");

723

exit(EXIT_FAILURE);

724

}

725

errno = 0;

726

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

727

if(errno){

728

perror("Bad port number");

729

exit(EXIT_FAILURE);

730

}

1007

exitcode = EXIT_FAILURE;

1008

goto end;

1009

}

1010

uint16_t port;

1011

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1012

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1013

or address[numchars+1] != '\0'){

1014

fprintf(stderr, "Bad port number\n");

1015

exitcode = EXIT_FAILURE;

1016

goto end;

1017

}

1018

port = (uint16_t)tmpmax;

731

1019

*address = '\0';

732

1020

address = connect_to;

733

ret = start_mandos_communication(address, port, if_index);

1021

ret = start_mandos_communication(address, port, if_index, &mc);

734

1022

if(ret < 0){

735

exit(EXIT_FAILURE);

1023

exitcode = EXIT_FAILURE;

736

1024

} else {

737

exit(EXIT_SUCCESS);

1025

exitcode = EXIT_SUCCESS;

738

1026

}

739

}

740

741

certkey = combinepath(certdir, certkey);

742

if (certkey == NULL){

743

perror("combinepath");

744

goto exit;

745

}

746

747

if (not debug){

1027

goto end;

1028

}

1029

1030

if(not debug){

748

1031

avahi_set_log_function(empty_log);

749

1032

}

750

1033

751

/* Initialize the psuedo-RNG */

1034

/* Initialize the pseudo-RNG for Avahi */

752

1035

srand((unsigned int) time(NULL));

753

754

/* Allocate main loop object */

755

if (!(simple_poll = avahi_simple_poll_new())) {

756

fprintf(stderr, "Failed to create simple poll object.\n");

757

758

goto exit;

759

}

760

761

/* Do not publish any local records */

762

avahi_server_config_init(&config);

763

config.publish_hinfo = 0;

764

config.publish_addresses = 0;

765

config.publish_workstation = 0;

766

config.publish_domain = 0;

767

768

/* Allocate a new server */

769

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

770

&config, NULL, NULL, &error);

771

772

/* Free the configuration data */

773

avahi_server_config_free(&config);

774

775

/* Check if creating the server object succeeded */

776

if (!server) {

777

fprintf(stderr, "Failed to create server: %s\n",

1036

1037

/* Allocate main Avahi loop object */

1038

mc.simple_poll = avahi_simple_poll_new();

1039

if(mc.simple_poll == NULL) {

1040

fprintf(stderr, "Avahi: Failed to create simple poll"

1041

" object.\n");

1042

exitcode = EXIT_FAILURE;

1043

goto end;

1044

}

1045

1046

{

1047

AvahiServerConfig config;

1048

/* Do not publish any local Zeroconf records */

1049

avahi_server_config_init(&config);

1050

config.publish_hinfo = 0;

1051

config.publish_addresses = 0;

1052

config.publish_workstation = 0;

1053

config.publish_domain = 0;

1054

1055

/* Allocate a new server */

1056

mc.server = avahi_server_new(avahi_simple_poll_get

1057

(mc.simple_poll), &config, NULL,

1058

NULL, &error);

1059

1060

/* Free the Avahi configuration data */

1061

avahi_server_config_free(&config);

1062

}

1063

1064

/* Check if creating the Avahi server object succeeded */

1065

if(mc.server == NULL) {

1066

fprintf(stderr, "Failed to create Avahi server: %s\n",

778

1067

avahi_strerror(error));

779

returncode = EXIT_FAILURE;

780

goto exit;

1068

exitcode = EXIT_FAILURE;

1069

goto end;

781

1070

}

782

1071

783

/* Create the service browser */

784

sb = avahi_s_service_browser_new(server, if_index,

1072

/* Create the Avahi service browser */

1073

sb = avahi_s_service_browser_new(mc.server, if_index,

785

1074

AVAHI_PROTO_INET6,

786

1075

"_mandos._tcp", NULL, 0,

787

browse_callback, server);

788

if (!sb) {

1076

browse_callback, &mc);

1077

if(sb == NULL) {

789

1078

fprintf(stderr, "Failed to create service browser: %s\n",

790

avahi_strerror(avahi_server_errno(server)));

791

returncode = EXIT_FAILURE;

792

goto exit;

1079

avahi_strerror(avahi_server_errno(mc.server)));

1080

exitcode = EXIT_FAILURE;

1081

goto end;

793

1082

}

794

1083

795

1084

/* Run the main loop */

796

797

if (debug){

798

fprintf(stderr, "Starting avahi loop search\n");

1085

1086

if(debug){

1087

fprintf(stderr, "Starting Avahi loop search\n");

799

1088

}

800

1089

801

avahi_simple_poll_loop(simple_poll);

802

803

exit:

804

805

if (debug){

1090

avahi_simple_poll_loop(mc.simple_poll);

1091

1092

end:

1093

1094

if(debug){

806

1095

fprintf(stderr, "%s exiting\n", argv[0]);

807

1096

}

808

1097

809

1098

/* Cleanup things */

810

if (sb)

1099

if(sb != NULL)

811

1100

avahi_s_service_browser_free(sb);

812

1101

813

if (server)

814

avahi_server_free(server);

815

816

if (simple_poll)

817

avahi_simple_poll_free(simple_poll);

818

free(certfile);

819

free(certkey);

820

821

return returncode;

1102

if(mc.server != NULL)

1103

avahi_server_free(mc.server);

1104

1105

if(mc.simple_poll != NULL)

1106

avahi_simple_poll_free(mc.simple_poll);

1107

1108

if(gnutls_initalized){

1109

gnutls_certificate_free_credentials(mc.cred);

1110

gnutls_global_deinit();

1111

gnutls_dh_params_deinit(mc.dh_params);

1112

}

1113

1114

if(gpgme_initalized){

1115

gpgme_release(mc.ctx);

1116

}

1117

1118

/* Removes the temp directory used by GPGME */

1119

if(tempdir[0] != '\0'){

1120

DIR *d;

1121

struct dirent *direntry;

1122

d = opendir(tempdir);

1123

if(d == NULL){

1124

if(errno != ENOENT){

1125

perror("opendir");

1126

}

1127

} else {

1128

while(true){

1129

direntry = readdir(d);

1130

if(direntry == NULL){

1131

break;

1132

}

1133

if(direntry->d_type == DT_REG){

1134

char *fullname = NULL;

1135

ret = asprintf(&fullname, "%s/%s", tempdir,

1136

direntry->d_name);

1137

if(ret < 0){

1138

perror("asprintf");

1139

continue;

1140

}

1141

ret = unlink(fullname);

1142

if(ret == -1){

1143

fprintf(stderr, "unlink(\"%s\"): %s",

1144

fullname, strerror(errno));

1145

}

1146

free(fullname);

1147

}

1148

}

1149

closedir(d);

1150

}

1151

ret = rmdir(tempdir);

1152

if(ret == -1 and errno != ENOENT){

1153

perror("rmdir");

1154

}

1155

}

1156

1157

return exitcode;

822

1158

}

Older »