To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.49
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.49
- Committer: Teddy Hogeborn
- Date: 2009-01-26 23:47:44 UTC
- mto: (24.1.131 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090126234744-c19lb7zn1qsrcwmv
* debian/control (mandos/Depends): Added "python-gobject".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
41
83
#include <avahi-core/core.h>
42
84
#include <avahi-core/lookup.h>
43
85
#include <avahi-core/log.h>
45
87
#include <avahi-common/malloc.h>
46
88
#include <avahi-common/error.h>
47
89
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt_long
67
#include <getopt.h>
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
68
106
69
107
#define BUFFER_SIZE 256
70
108
71
static int dh_bits = 1024;
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
76
112
77
113
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
117
79
/* Used for */
118
/* Used for passing in values through the Avahi callback functions */
80
119
typedef struct {
81
gnutls_session_t session;
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
82
122
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
83
124
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
125
const char *priority;
91
126
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
92
152
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
96
153
gpgme_engine_info_t engine_info;
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
154
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
100
193
}
101
194
102
195
/* Init GPGME */
103
196
gpgme_check_version(NULL);
104
197
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
105
if (rc != GPG_ERR_NO_ERROR){
198
if(rc != GPG_ERR_NO_ERROR){
106
199
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
107
200
gpgme_strsource(rc), gpgme_strerror(rc));
108
return -1;
201
return false;
109
202
}
110
203
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
114
207
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
115
208
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
209
return false;
117
210
}
118
211
while(engine_info != NULL){
119
212
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
120
213
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
121
engine_info->file_name, homedir);
214
engine_info->file_name, tempdir);
122
215
break;
123
216
}
124
217
engine_info = engine_info->next;
125
218
}
126
219
if(engine_info == NULL){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
134
261
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
135
262
gpgme_strsource(rc), gpgme_strerror(rc));
136
263
return -1;
138
265
139
266
/* Create new empty GPGME data buffer for the plaintext */
140
267
rc = gpgme_data_new(&dh_plain);
141
if (rc != GPG_ERR_NO_ERROR){
268
if(rc != GPG_ERR_NO_ERROR){
142
269
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
270
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
159
279
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
280
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
307
}
308
}
309
}
310
goto decrypt_end;
162
311
}
163
312
164
313
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
192
}
193
}
194
}
195
}
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
199
316
200
317
/* Seek back to the beginning of the GPGME plaintext data buffer */
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
203
322
}
204
323
205
*new_packet = 0;
324
*plaintext = NULL;
206
325
while(true){
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
216
333
}
217
334
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
336
BUFFER_SIZE);
220
337
/* Print the data, if any */
221
if (ret == 0){
338
if(ret == 0){
339
/* EOF */
222
340
break;
223
341
}
224
342
if(ret < 0){
225
343
perror("gpgme_data_read");
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
344
plaintext_length = -1;
345
goto decrypt_end;
346
}
347
plaintext_length += ret;
348
}
349
350
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
356
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
238
362
239
363
/* Delete the GPGME plaintext data buffer */
240
364
gpgme_data_release(dh_plain);
241
return new_packet_length;
365
return plaintext_length;
242
366
}
243
367
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
247
372
ret = "(unknown)";
248
373
return ret;
249
374
}
250
375
376
/* GnuTLS log function callback */
251
377
static void debuggnutls(__attribute__((unused)) int level,
252
378
const char* string){
253
fprintf(stderr, "%s", string);
379
fprintf(stderr, "GnuTLS: %s", string);
254
380
}
255
381
256
static int initgnutls(encrypted_session *es){
257
const char *err;
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
258
385
int ret;
259
386
260
387
if(debug){
261
388
fprintf(stderr, "Initializing GnuTLS\n");
262
389
}
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
267
395
return -1;
268
396
}
269
270
if (debug){
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
271
402
gnutls_global_set_log_level(11);
272
403
gnutls_global_set_log_function(debuggnutls);
273
404
}
274
405
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
280
415
return -1;
281
416
}
282
417
283
418
if(debug){
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
286
seckeyfile);
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
287
422
}
288
423
289
424
ret = gnutls_certificate_set_openpgp_key_file
290
(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, pubkeyfile, seckeyfile);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
321
468
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
469
safer_gnutls_strerror(ret));
323
470
}
324
471
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
331
482
}
332
483
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
337
488
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
338
490
return -1;
339
491
}
340
492
341
493
/* ignore client certificate if any. */
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
344
496
345
gnutls_dh_set_prime_bits (es->session, dh_bits);
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
346
498
347
499
return 0;
348
500
}
349
501
502
/* Avahi log function callback */
350
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
504
__attribute__((unused)) const char *txt){}
352
505
506
/* Called when a Mandos server is found */
353
507
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
508
AvahiIfIndex if_index,
509
mandos_context *mc){
355
510
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
358
513
char *buffer = NULL;
359
514
char *decrypted_buffer;
360
515
size_t buffer_length = 0;
361
516
size_t buffer_capacity = 0;
362
517
ssize_t decrypted_buffer_size;
363
size_t written = 0;
518
size_t written;
364
519
int retval = 0;
365
520
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
366
527
367
528
if(debug){
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
370
531
}
371
532
372
533
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
375
536
return -1;
376
537
}
377
538
378
if(if_indextoname((unsigned int)if_index, interface) == NULL){
379
if(debug){
539
if(debug){
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
541
perror("if_indextoname");
542
return -1;
381
543
}
382
return -1;
383
}
384
385
if(debug){
386
544
fprintf(stderr, "Binding to interface %s\n", interface);
387
545
}
388
546
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
393
553
perror("inet_pton");
394
554
return -1;
395
}
555
}
396
556
if(ret == 0){
397
557
fprintf(stderr, "Bad address: %s\n", ip);
398
558
return -1;
399
559
}
400
to.sin6_port = htons(port); /* Spurious warning */
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
401
563
402
to.sin6_scope_id = (uint32_t)if_index;
564
to.in6.sin6_scope_id = (uint32_t)if_index;
403
565
404
566
if(debug){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
406
569
char addrstr[INET6_ADDRSTRLEN] = "";
407
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
408
571
sizeof(addrstr)) == NULL){
409
572
perror("inet_ntop");
410
573
} else {
411
574
if(strcmp(addrstr, ip) != 0){
412
fprintf(stderr, "Canonical address form: %s\n",
413
addrstr, ntohs(to.sin6_port));
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
414
576
}
415
577
}
416
578
}
417
579
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
420
582
perror("connect");
421
583
return -1;
422
584
}
423
585
424
ret = initgnutls (&es);
425
if (ret != 0){
426
retval = -1;
427
return -1;
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
428
608
}
429
609
430
gnutls_transport_set_ptr (es.session,
431
(gnutls_transport_ptr_t) tcp_sd);
432
433
610
if(debug){
434
611
fprintf(stderr, "Establishing TLS session with %s\n", ip);
435
612
}
436
613
437
ret = gnutls_handshake (es.session);
438
439
if (ret != GNUTLS_E_SUCCESS){
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
440
621
if(debug){
441
fprintf(stderr, "\n*** Handshake failed ***\n");
442
gnutls_perror (ret);
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
443
624
}
444
625
retval = -1;
445
goto exit;
626
goto mandos_end;
446
627
}
447
628
448
//Retrieve OpenPGP packet that contains the wanted password
629
/* Read OpenPGP packet that contains the wanted password */
449
630
450
631
if(debug){
451
632
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
452
633
ip);
453
634
}
454
635
455
636
while(true){
456
if (buffer_length + BUFFER_SIZE > buffer_capacity){
457
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
458
if (buffer == NULL){
459
perror("realloc");
460
goto exit;
461
}
462
buffer_capacity += BUFFER_SIZE;
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
463
643
}
464
644
465
ret = gnutls_record_recv
466
(es.session, buffer+buffer_length, BUFFER_SIZE);
467
if (ret == 0){
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
468
648
break;
469
649
}
470
if (ret < 0){
471
switch(ret){
650
if(sret < 0){
651
switch(sret){
472
652
case GNUTLS_E_INTERRUPTED:
473
653
case GNUTLS_E_AGAIN:
474
654
break;
475
655
case GNUTLS_E_REHANDSHAKE:
476
ret = gnutls_handshake (es.session);
477
if (ret < 0){
478
fprintf(stderr, "\n*** Handshake failed ***\n");
479
gnutls_perror (ret);
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
480
662
retval = -1;
481
goto exit;
663
goto mandos_end;
482
664
}
483
665
break;
484
666
default:
485
667
fprintf(stderr, "Unknown error while reading data from"
486
" encrypted session with mandos server\n");
668
" encrypted session with Mandos server\n");
487
669
retval = -1;
488
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
489
goto exit;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
490
672
}
491
673
} else {
492
buffer_length += (size_t) ret;
674
buffer_length += (size_t) sret;
493
675
}
494
676
}
495
677
496
if (buffer_length > 0){
497
decrypted_buffer_size = pgp_packet_decrypt(buffer,
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
498
686
buffer_length,
499
&decrypted_buffer,
500
keydir);
501
if (decrypted_buffer_size >= 0){
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
502
690
while(written < (size_t) decrypted_buffer_size){
503
ret = (int)fwrite (decrypted_buffer + written, 1,
504
(size_t)decrypted_buffer_size - written,
505
stdout);
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
506
694
if(ret == 0 and ferror(stdout)){
507
695
if(debug){
508
696
fprintf(stderr, "Error writing encrypted data: %s\n",
517
705
} else {
518
706
retval = -1;
519
707
}
520
}
521
522
//shutdown procedure
523
524
if(debug){
525
fprintf(stderr, "Closing TLS session\n");
526
}
527
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
528
715
free(buffer);
529
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
530
exit:
531
close(tcp_sd);
532
gnutls_deinit (es.session);
533
gnutls_certificate_free_credentials (es.cred);
534
gnutls_global_deinit ();
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
535
721
return retval;
536
722
}
537
723
538
static AvahiSimplePoll *simple_poll = NULL;
539
static AvahiServer *server = NULL;
540
541
static void resolve_callback(
542
AvahiSServiceResolver *r,
543
AvahiIfIndex interface,
544
AVAHI_GCC_UNUSED AvahiProtocol protocol,
545
AvahiResolverEvent event,
546
const char *name,
547
const char *type,
548
const char *domain,
549
const char *host_name,
550
const AvahiAddress *address,
551
uint16_t port,
552
AVAHI_GCC_UNUSED AvahiStringList *txt,
553
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
554
AVAHI_GCC_UNUSED void* userdata) {
555
556
assert(r); /* Spurious warning */
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
557
740
558
741
/* Called whenever a service has been resolved successfully or
559
742
timed out */
560
743
561
switch (event) {
744
switch(event) {
562
745
default:
563
746
case AVAHI_RESOLVER_FAILURE:
564
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
565
" type '%s' in domain '%s': %s\n", name, type, domain,
566
avahi_strerror(avahi_server_errno(server)));
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
567
750
break;
568
751
569
752
case AVAHI_RESOLVER_FOUND:
571
754
char ip[AVAHI_ADDRESS_STR_MAX];
572
755
avahi_address_snprint(ip, sizeof(ip), address);
573
756
if(debug){
574
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
575
" port %d\n", name, host_name, ip, port);
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
576
760
}
577
int ret = start_mandos_communication(ip, port, interface);
578
if (ret == 0){
579
exit(EXIT_SUCCESS);
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
580
764
}
581
765
}
582
766
}
583
767
avahi_s_service_resolver_free(r);
584
768
}
585
769
586
static void browse_callback(
587
AvahiSServiceBrowser *b,
588
AvahiIfIndex interface,
589
AvahiProtocol protocol,
590
AvahiBrowserEvent event,
591
const char *name,
592
const char *type,
593
const char *domain,
594
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
595
void* userdata) {
596
597
AvahiServer *s = userdata;
598
assert(b); /* Spurious warning */
599
600
/* Called whenever a new services becomes available on the LAN or
601
is removed from the LAN */
602
603
switch (event) {
604
default:
605
case AVAHI_BROWSER_FAILURE:
606
607
fprintf(stderr, "(Browser) %s\n",
608
avahi_strerror(avahi_server_errno(server)));
609
avahi_simple_poll_quit(simple_poll);
610
return;
611
612
case AVAHI_BROWSER_NEW:
613
/* We ignore the returned resolver object. In the callback
614
function we free it. If the server is terminated before
615
the callback function is called the server will free
616
the resolver for us. */
617
618
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
619
type, domain,
620
AVAHI_PROTO_INET6, 0,
621
resolve_callback, s)))
622
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
623
avahi_strerror(avahi_server_errno(s)));
624
break;
625
626
case AVAHI_BROWSER_REMOVE:
627
break;
628
629
case AVAHI_BROWSER_ALL_FOR_NOW:
630
case AVAHI_BROWSER_CACHE_EXHAUSTED:
631
break;
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
632
816
}
633
}
634
635
/* Combines file name and path and returns the malloced new
636
string. some sane checks could/should be added */
637
static const char *combinepath(const char *first, const char *second){
638
size_t f_len = strlen(first);
639
size_t s_len = strlen(second);
640
char *tmp = malloc(f_len + s_len + 2);
641
if (tmp == NULL){
642
return NULL;
643
}
644
if(f_len > 0){
645
memcpy(tmp, first, f_len);
646
}
647
tmp[f_len] = '/';
648
if(s_len > 0){
649
memcpy(tmp + f_len + 1, second, s_len);
650
}
651
tmp[f_len + 1 + s_len] = '\0';
652
return tmp;
653
}
654
655
656
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
657
AvahiServerConfig config;
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
658
822
AvahiSServiceBrowser *sb = NULL;
659
823
int error;
660
824
int ret;
661
int debug_int = 0;
662
int returncode = EXIT_SUCCESS;
663
const char *interface = NULL;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
828
const char *interface = "eth0";
829
struct ifreq network;
830
int sd;
831
uid_t uid;
832
gid_t gid;
833
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
664
835
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
char *connect_to = NULL;
666
667
debug_int = debug ? 1 : 0;
668
while (true){
669
static struct option long_options[] = {
670
{"debug", no_argument, &debug_int, 1},
671
{"connect", required_argument, NULL, 'C'},
672
{"interface", required_argument, NULL, 'i'},
673
{"keydir", required_argument, NULL, 'd'},
674
{"seckey", required_argument, NULL, 'c'},
675
{"pubkey", required_argument, NULL, 'k'},
676
{"dh-bits", required_argument, NULL, 'D'},
677
{0, 0, 0, 0} };
678
679
int option_index = 0;
680
ret = getopt_long (argc, argv, "i:", long_options,
681
&option_index);
682
683
if (ret == -1){
684
break;
685
}
686
687
switch(ret){
688
case 0:
689
break;
690
case 'i':
691
interface = optarg;
692
break;
693
case 'C':
694
connect_to = optarg;
695
break;
696
case 'd':
697
keydir = optarg;
698
break;
699
case 'c':
700
pubkeyfile = optarg;
701
break;
702
case 'k':
703
seckeyfile = optarg;
704
break;
705
case 'D':
706
dh_bits = atoi(optarg);
707
break;
708
case '?':
709
break
710
default:
711
exit(EXIT_FAILURE);
712
}
713
}
714
debug = debug_int ? true : false;
715
716
pubkeyfile = combinepath(keydir, pubkeyfile);
717
if (pubkeyfile == NULL){
718
perror("combinepath");
719
goto exit;
720
}
721
722
if(interface != NULL){
723
if_index = (AvahiIfIndex) if_nametoindex(interface);
724
if(if_index == 0){
725
fprintf(stderr, "No such interface: \"%s\"\n", interface);
726
exit(EXIT_FAILURE);
727
}
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initialized = false;
843
bool gpgme_initialized = false;
844
845
{
846
struct argp_option options[] = {
847
{ .name = "debug", .key = 128,
848
.doc = "Debug mode", .group = 3 },
849
{ .name = "connect", .key = 'c',
850
.arg = "ADDRESS:PORT",
851
.doc = "Connect directly to a specific Mandos server",
852
.group = 1 },
853
{ .name = "interface", .key = 'i',
854
.arg = "NAME",
855
.doc = "Interface that will be used to search for Mandos"
856
" servers",
857
.group = 1 },
858
{ .name = "seckey", .key = 's',
859
.arg = "FILE",
860
.doc = "OpenPGP secret key file base name",
861
.group = 1 },
862
{ .name = "pubkey", .key = 'p',
863
.arg = "FILE",
864
.doc = "OpenPGP public key file base name",
865
.group = 2 },
866
{ .name = "dh-bits", .key = 129,
867
.arg = "BITS",
868
.doc = "Bit length of the prime number used in the"
869
" Diffie-Hellman key exchange",
870
.group = 2 },
871
{ .name = "priority", .key = 130,
872
.arg = "STRING",
873
.doc = "GnuTLS priority string for the TLS handshake",
874
.group = 1 },
875
{ .name = NULL }
876
};
877
878
error_t parse_opt(int key, char *arg,
879
struct argp_state *state) {
880
switch(key) {
881
case 128: /* --debug */
882
debug = true;
883
break;
884
case 'c': /* --connect */
885
connect_to = arg;
886
break;
887
case 'i': /* --interface */
888
interface = arg;
889
break;
890
case 's': /* --seckey */
891
seckey = arg;
892
break;
893
case 'p': /* --pubkey */
894
pubkey = arg;
895
break;
896
case 129: /* --dh-bits */
897
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
898
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
899
or arg[numchars] != '\0'){
900
fprintf(stderr, "Bad number of DH bits\n");
901
exit(EXIT_FAILURE);
902
}
903
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
904
break;
905
case 130: /* --priority */
906
mc.priority = arg;
907
break;
908
case ARGP_KEY_ARG:
909
argp_usage(state);
910
case ARGP_KEY_END:
911
break;
912
default:
913
return ARGP_ERR_UNKNOWN;
914
}
915
return 0;
916
}
917
918
struct argp argp = { .options = options, .parser = parse_opt,
919
.args_doc = "",
920
.doc = "Mandos client -- Get and decrypt"
921
" passwords from a Mandos server" };
922
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
923
if(ret == ARGP_ERR_UNKNOWN){
924
fprintf(stderr, "Unknown error while parsing arguments\n");
925
exitcode = EXIT_FAILURE;
926
goto end;
927
}
928
}
929
930
/* If the interface is down, bring it up */
931
{
932
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
933
if(sd < 0) {
934
perror("socket");
935
exitcode = EXIT_FAILURE;
936
goto end;
937
}
938
strcpy(network.ifr_name, interface);
939
ret = ioctl(sd, SIOCGIFFLAGS, &network);
940
if(ret == -1){
941
perror("ioctl SIOCGIFFLAGS");
942
exitcode = EXIT_FAILURE;
943
goto end;
944
}
945
if((network.ifr_flags & IFF_UP) == 0){
946
network.ifr_flags |= IFF_UP;
947
ret = ioctl(sd, SIOCSIFFLAGS, &network);
948
if(ret == -1){
949
perror("ioctl SIOCSIFFLAGS");
950
exitcode = EXIT_FAILURE;
951
goto end;
952
}
953
}
954
ret = (int)TEMP_FAILURE_RETRY(close(sd));
955
if(ret == -1){
956
perror("close");
957
}
958
}
959
960
uid = getuid();
961
gid = getgid();
962
963
ret = setuid(uid);
964
if(ret == -1){
965
perror("setuid");
966
}
967
968
setgid(gid);
969
if(ret == -1){
970
perror("setgid");
971
}
972
973
ret = init_gnutls_global(&mc, pubkey, seckey);
974
if(ret == -1){
975
fprintf(stderr, "init_gnutls_global failed\n");
976
exitcode = EXIT_FAILURE;
977
goto end;
978
} else {
979
gnutls_initialized = true;
980
}
981
982
if(mkdtemp(tempdir) == NULL){
983
perror("mkdtemp");
984
tempdir[0] = '\0';
985
goto end;
986
}
987
988
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
989
fprintf(stderr, "init_gpgme failed\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
} else {
993
gpgme_initialized = true;
994
}
995
996
if_index = (AvahiIfIndex) if_nametoindex(interface);
997
if(if_index == 0){
998
fprintf(stderr, "No such interface: \"%s\"\n", interface);
999
exit(EXIT_FAILURE);
728
1000
}
729
1001
730
1002
if(connect_to != NULL){
733
1005
char *address = strrchr(connect_to, ':');
734
1006
if(address == NULL){
735
1007
fprintf(stderr, "No colon in address\n");
736
exit(EXIT_FAILURE);
737
}
738
errno = 0;
739
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
740
if(errno){
741
perror("Bad port number");
742
exit(EXIT_FAILURE);
743
}
1008
exitcode = EXIT_FAILURE;
1009
goto end;
1010
}
1011
uint16_t port;
1012
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1013
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1014
or address[numchars+1] != '\0'){
1015
fprintf(stderr, "Bad port number\n");
1016
exitcode = EXIT_FAILURE;
1017
goto end;
1018
}
1019
port = (uint16_t)tmpmax;
744
1020
*address = '\0';
745
1021
address = connect_to;
746
ret = start_mandos_communication(address, port, if_index);
1022
ret = start_mandos_communication(address, port, if_index, &mc);
747
1023
if(ret < 0){
748
exit(EXIT_FAILURE);
1024
exitcode = EXIT_FAILURE;
749
1025
} else {
750
exit(EXIT_SUCCESS);
1026
exitcode = EXIT_SUCCESS;
751
1027
}
752
}
753
754
seckeyfile = combinepath(keydir, seckeyfile);
755
if (seckeyfile == NULL){
756
perror("combinepath");
757
goto exit;
758
}
759
760
if (not debug){
1028
goto end;
1029
}
1030
1031
if(not debug){
761
1032
avahi_set_log_function(empty_log);
762
1033
}
763
1034
764
/* Initialize the psuedo-RNG */
1035
/* Initialize the pseudo-RNG for Avahi */
765
1036
srand((unsigned int) time(NULL));
766
767
/* Allocate main loop object */
768
if (!(simple_poll = avahi_simple_poll_new())) {
769
fprintf(stderr, "Failed to create simple poll object.\n");
770
771
goto exit;
772
}
773
774
/* Do not publish any local records */
775
avahi_server_config_init(&config);
776
config.publish_hinfo = 0;
777
config.publish_addresses = 0;
778
config.publish_workstation = 0;
779
config.publish_domain = 0;
780
781
/* Allocate a new server */
782
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
783
&config, NULL, NULL, &error);
784
785
/* Free the configuration data */
786
avahi_server_config_free(&config);
787
788
/* Check if creating the server object succeeded */
789
if (!server) {
790
fprintf(stderr, "Failed to create server: %s\n",
1037
1038
/* Allocate main Avahi loop object */
1039
mc.simple_poll = avahi_simple_poll_new();
1040
if(mc.simple_poll == NULL) {
1041
fprintf(stderr, "Avahi: Failed to create simple poll"
1042
" object.\n");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
1047
{
1048
AvahiServerConfig config;
1049
/* Do not publish any local Zeroconf records */
1050
avahi_server_config_init(&config);
1051
config.publish_hinfo = 0;
1052
config.publish_addresses = 0;
1053
config.publish_workstation = 0;
1054
config.publish_domain = 0;
1055
1056
/* Allocate a new server */
1057
mc.server = avahi_server_new(avahi_simple_poll_get
1058
(mc.simple_poll), &config, NULL,
1059
NULL, &error);
1060
1061
/* Free the Avahi configuration data */
1062
avahi_server_config_free(&config);
1063
}
1064
1065
/* Check if creating the Avahi server object succeeded */
1066
if(mc.server == NULL) {
1067
fprintf(stderr, "Failed to create Avahi server: %s\n",
791
1068
avahi_strerror(error));
792
returncode = EXIT_FAILURE;
793
goto exit;
1069
exitcode = EXIT_FAILURE;
1070
goto end;
794
1071
}
795
1072
796
/* Create the service browser */
797
sb = avahi_s_service_browser_new(server, if_index,
1073
/* Create the Avahi service browser */
1074
sb = avahi_s_service_browser_new(mc.server, if_index,
798
1075
AVAHI_PROTO_INET6,
799
1076
"_mandos._tcp", NULL, 0,
800
browse_callback, server);
801
if (!sb) {
1077
browse_callback, &mc);
1078
if(sb == NULL) {
802
1079
fprintf(stderr, "Failed to create service browser: %s\n",
803
avahi_strerror(avahi_server_errno(server)));
804
returncode = EXIT_FAILURE;
805
goto exit;
1080
avahi_strerror(avahi_server_errno(mc.server)));
1081
exitcode = EXIT_FAILURE;
1082
goto end;
806
1083
}
807
1084
808
1085
/* Run the main loop */
809
810
if (debug){
811
fprintf(stderr, "Starting avahi loop search\n");
1086
1087
if(debug){
1088
fprintf(stderr, "Starting Avahi loop search\n");
812
1089
}
813
1090
814
avahi_simple_poll_loop(simple_poll);
815
816
exit:
817
818
if (debug){
1091
avahi_simple_poll_loop(mc.simple_poll);
1092
1093
end:
1094
1095
if(debug){
819
1096
fprintf(stderr, "%s exiting\n", argv[0]);
820
1097
}
821
1098
822
1099
/* Cleanup things */
823
if (sb)
1100
if(sb != NULL)
824
1101
avahi_s_service_browser_free(sb);
825
1102
826
if (server)
827
avahi_server_free(server);
828
829
if (simple_poll)
830
avahi_simple_poll_free(simple_poll);
831
free(pubkeyfile);
832
free(seckeyfile);
833
834
return returncode;
1103
if(mc.server != NULL)
1104
avahi_server_free(mc.server);
1105
1106
if(mc.simple_poll != NULL)
1107
avahi_simple_poll_free(mc.simple_poll);
1108
1109
if(gnutls_initialized){
1110
gnutls_certificate_free_credentials(mc.cred);
1111
gnutls_global_deinit();
1112
gnutls_dh_params_deinit(mc.dh_params);
1113
}
1114
1115
if(gpgme_initialized){
1116
gpgme_release(mc.ctx);
1117
}
1118
1119
/* Removes the temp directory used by GPGME */
1120
if(tempdir[0] != '\0'){
1121
DIR *d;
1122
struct dirent *direntry;
1123
d = opendir(tempdir);
1124
if(d == NULL){
1125
if(errno != ENOENT){
1126
perror("opendir");
1127
}
1128
} else {
1129
while(true){
1130
direntry = readdir(d);
1131
if(direntry == NULL){
1132
break;
1133
}
1134
/* Skip "." and ".." */
1135
if(direntry->d_name[0] == '.'
1136
and (direntry->d_name[1] == '\0'
1137
or (direntry->d_name[1] == '.'
1138
and direntry->d_name[2] == '\0'))){
1139
continue;
1140
}
1141
char *fullname = NULL;
1142
ret = asprintf(&fullname, "%s/%s", tempdir,
1143
direntry->d_name);
1144
if(ret < 0){
1145
perror("asprintf");
1146
continue;
1147
}
1148
ret = remove(fullname);
1149
if(ret == -1){
1150
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1151
strerror(errno));
1152
}
1153
free(fullname);
1154
}
1155
closedir(d);
1156
}
1157
ret = rmdir(tempdir);
1158
if(ret == -1 and errno != ENOENT){
1159
perror("rmdir");
1160
}
1161
}
1162
1163
return exitcode;
835
1164
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0