To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.55
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.55
- Committer: Teddy Hogeborn
- Date: 2009-02-03 22:41:49 UTC
- mto: (24.1.131 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090203224149-fc1301jojmusbzlx
* Makefile (run-server): Use "--no-dbus" unconditionally.
* initramfs-tools-script: Correct tests for writable "/conf/conf.d".
* mandos: Add process ID number to logging messages.
(IPv6_TCPServer.server_bind): Use plain "raise".
(main): Do not try to handle SIGSEGV; it does not work. Use plain
"raise". Log KeyboardInterrupt and server exit.
* initramfs-tools-script: Correct tests for writable "/conf/conf.d".
* mandos: Add process ID number to logging messages.
(IPv6_TCPServer.server_bind): Use plain "raise".
(main): Do not try to handle SIGSEGV; it does not work. Use plain
"raise". Log KeyboardInterrupt and server exit.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
79
80
/* Avahi */
81
/* All Avahi types, constants and functions
82
Avahi*, avahi_*,
83
AVAHI_* */
42
84
#include <avahi-core/core.h>
43
85
#include <avahi-core/lookup.h>
44
86
#include <avahi-core/log.h>
46
88
#include <avahi-common/malloc.h>
47
89
#include <avahi-common/error.h>
48
90
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
91
/* GnuTLS */
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
93
functions:
94
gnutls_*
95
init_gnutls_session(),
96
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
100
101
/* GPGME */
102
#include <gpgme.h> /* All GPGME types, constants and
103
functions:
104
gpgme_*
105
GPGME_PROTOCOL_OpenPGP,
106
GPG_ERR_NO_* */
69
107
70
108
#define BUFFER_SIZE 256
71
#define DH_BITS 1024
72
109
73
const char *certdir = "/conf/conf.d/cryptkeyreq/";
74
const char *certfile = "openpgp-client.txt";
75
const char *certkey = "openpgp-client-key.txt";
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
76
113
77
114
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
118
119
/* Used for passing in values through the Avahi callback functions */
79
120
typedef struct {
80
gnutls_session_t session;
121
AvahiSimplePoll *simple_poll;
122
AvahiServer *server;
81
123
gnutls_certificate_credentials_t cred;
124
unsigned int dh_bits;
82
125
gnutls_dh_params_t dh_params;
83
} encrypted_session;
84
85
86
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
87
char **new_packet, const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
126
const char *priority;
89
127
gpgme_ctx_t ctx;
128
} mandos_context;
129
130
/*
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
134
*/
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
140
return 0;
141
}
142
buffer_capacity += BUFFER_SIZE;
143
}
144
return buffer_capacity;
145
}
146
147
/*
148
* Initialize GPGME.
149
*/
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
152
int ret;
90
153
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
94
154
gpgme_engine_info_t engine_info;
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
155
156
157
/*
158
* Helper function to insert pub and seckey to the engine keyring.
159
*/
160
bool import_key(const char *filename){
161
int fd;
162
gpgme_data_t pgp_data;
163
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
165
if(fd == -1){
166
perror("open");
167
return false;
168
}
169
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
174
return false;
175
}
176
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
181
return false;
182
}
183
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
185
if(ret == -1){
186
perror("close");
187
}
188
gpgme_data_release(pgp_data);
189
return true;
190
}
191
192
if(debug){
193
fprintf(stderr, "Initialize gpgme\n");
98
194
}
99
195
100
196
/* Init GPGME */
101
197
gpgme_check_version(NULL);
102
198
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
103
if (rc != GPG_ERR_NO_ERROR){
199
if(rc != GPG_ERR_NO_ERROR){
104
200
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
105
201
gpgme_strsource(rc), gpgme_strerror(rc));
106
return -1;
202
return false;
107
203
}
108
204
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
112
208
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
113
209
gpgme_strsource(rc), gpgme_strerror(rc));
114
return -1;
210
return false;
115
211
}
116
212
while(engine_info != NULL){
117
213
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
118
214
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
119
engine_info->file_name, homedir);
215
engine_info->file_name, tempdir);
120
216
break;
121
217
}
122
218
engine_info = engine_info->next;
123
219
}
124
220
if(engine_info == NULL){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
222
return false;
223
}
224
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
231
}
232
233
if(not import_key(pubkey) or not import_key(seckey)){
234
return false;
235
}
236
237
return true;
238
}
239
240
/*
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
243
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
248
gpgme_data_t dh_crypto, dh_plain;
249
gpgme_error_t rc;
250
ssize_t ret;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
253
254
if(debug){
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
256
}
257
258
/* Create new GPGME data buffer from memory cryptotext */
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
260
0);
261
if(rc != GPG_ERR_NO_ERROR){
132
262
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
133
263
gpgme_strsource(rc), gpgme_strerror(rc));
134
264
return -1;
136
266
137
267
/* Create new empty GPGME data buffer for the plaintext */
138
268
rc = gpgme_data_new(&dh_plain);
139
if (rc != GPG_ERR_NO_ERROR){
269
if(rc != GPG_ERR_NO_ERROR){
140
270
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
141
271
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
272
gpgme_data_release(dh_crypto);
273
return -1;
274
}
275
276
/* Decrypt data from the cryptotext data buffer to the plaintext
277
data buffer */
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
157
280
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
158
281
gpgme_strsource(rc), gpgme_strerror(rc));
159
return -1;
282
plaintext_length = -1;
283
if(debug){
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
} else {
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
295
}
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
298
if(recipient){
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
305
? "No" : "Yes");
306
recipient = recipient->next;
307
}
308
}
309
}
310
}
311
goto decrypt_end;
160
312
}
161
313
162
314
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
190
}
191
}
192
}
193
}
194
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
316
}
197
317
198
318
/* Seek back to the beginning of the GPGME plaintext data buffer */
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
321
plaintext_length = -1;
322
goto decrypt_end;
201
323
}
202
324
203
*new_packet = 0;
325
*plaintext = NULL;
204
326
while(true){
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
329
plaintext_capacity);
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
332
plaintext_length = -1;
333
goto decrypt_end;
214
334
}
215
335
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
337
BUFFER_SIZE);
218
338
/* Print the data, if any */
219
if (ret == 0){
339
if(ret == 0){
340
/* EOF */
220
341
break;
221
342
}
222
343
if(ret < 0){
223
344
perror("gpgme_data_read");
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
345
plaintext_length = -1;
346
goto decrypt_end;
347
}
348
plaintext_length += ret;
349
}
350
351
if(debug){
352
fprintf(stderr, "Decrypted password is: ");
353
for(ssize_t i = 0; i < plaintext_length; i++){
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
355
}
356
fprintf(stderr, "\n");
357
}
358
359
decrypt_end:
360
361
/* Delete the GPGME cryptotext data buffer */
362
gpgme_data_release(dh_crypto);
236
363
237
364
/* Delete the GPGME plaintext data buffer */
238
365
gpgme_data_release(dh_plain);
239
return new_packet_length;
366
return plaintext_length;
240
367
}
241
368
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
245
373
ret = "(unknown)";
246
374
return ret;
247
375
}
248
376
249
void debuggnutls(__attribute__((unused)) int level,
250
const char* string){
251
fprintf(stderr, "%s", string);
377
/* GnuTLS log function callback */
378
static void debuggnutls(__attribute__((unused)) int level,
379
const char* string){
380
fprintf(stderr, "GnuTLS: %s", string);
252
381
}
253
382
254
int initgnutls(encrypted_session *es){
255
const char *err;
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
256
386
int ret;
257
387
258
388
if(debug){
259
389
fprintf(stderr, "Initializing GnuTLS\n");
260
390
}
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
391
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
265
396
return -1;
266
397
}
267
268
if (debug){
398
399
if(debug){
400
/* "Use a log level over 10 to enable all debugging options."
401
* - GnuTLS manual
402
*/
269
403
gnutls_global_set_log_level(11);
270
404
gnutls_global_set_log_function(debuggnutls);
271
405
}
272
406
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
278
416
return -1;
279
417
}
280
418
281
419
if(debug){
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
422
seckeyfilename);
285
423
}
286
424
287
425
ret = gnutls_certificate_set_openpgp_key_file
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
429
fprintf(stderr,
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
442
goto globalfail;
443
}
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
453
return 0;
454
455
globalfail:
456
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
460
return -1;
461
}
462
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
465
int ret;
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
319
469
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
320
470
safer_gnutls_strerror(ret));
321
471
}
322
472
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
473
{
474
const char *err;
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
481
return -1;
482
}
329
483
}
330
484
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
336
491
return -1;
337
492
}
338
493
339
494
/* ignore client certificate if any. */
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
342
497
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
344
499
345
500
return 0;
346
501
}
347
502
348
void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
__attribute__((unused)) const char *txt){}
503
/* Avahi log function callback */
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
505
__attribute__((unused)) const char *txt){}
350
506
351
int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
507
/* Called when a Mandos server is found */
508
static int start_mandos_communication(const char *ip, uint16_t port,
509
AvahiIfIndex if_index,
510
mandos_context *mc){
353
511
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
512
ssize_t sret;
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
356
514
char *buffer = NULL;
357
515
char *decrypted_buffer;
358
516
size_t buffer_length = 0;
359
517
size_t buffer_capacity = 0;
360
518
ssize_t decrypted_buffer_size;
361
size_t written = 0;
519
size_t written;
362
520
int retval = 0;
363
521
char interface[IF_NAMESIZE];
522
gnutls_session_t session;
523
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
526
return -1;
527
}
364
528
365
529
if(debug){
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
531
"\n", ip, port);
368
532
}
369
533
370
534
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
537
return -1;
374
538
}
375
539
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
540
if(debug){
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
378
542
perror("if_indextoname");
543
return -1;
379
544
}
380
return -1;
381
}
382
383
if(debug){
384
545
fprintf(stderr, "Binding to interface %s\n", interface);
385
546
}
386
547
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
391
554
perror("inet_pton");
392
555
return -1;
393
}
556
}
394
557
if(ret == 0){
395
558
fprintf(stderr, "Bad address: %s\n", ip);
396
559
return -1;
397
560
}
398
to.sin6_port = htons(port); /* Spurious warning */
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
399
564
400
to.sin6_scope_id = (uint32_t)if_index;
565
to.in6.sin6_scope_id = (uint32_t)if_index;
401
566
402
567
if(debug){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
569
port);
570
char addrstr[INET6_ADDRSTRLEN] = "";
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
572
sizeof(addrstr)) == NULL){
573
perror("inet_ntop");
574
} else {
575
if(strcmp(addrstr, ip) != 0){
576
fprintf(stderr, "Canonical address form: %s\n", addrstr);
577
}
578
}
412
579
}
413
580
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
581
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
416
583
perror("connect");
417
584
return -1;
418
585
}
419
586
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
587
const char *out = mandos_protocol_version;
588
written = 0;
589
while(true){
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
593
if(ret == -1){
594
perror("write");
595
retval = -1;
596
goto mandos_end;
597
}
598
written += (size_t)ret;
599
if(written < out_size){
600
continue;
601
} else {
602
if(out == mandos_protocol_version){
603
written = 0;
604
out = "\r\n";
605
} else {
606
break;
607
}
608
}
424
609
}
425
610
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
429
611
if(debug){
430
612
fprintf(stderr, "Establishing TLS session with %s\n", ip);
431
613
}
432
614
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
616
617
do{
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
621
if(ret != GNUTLS_E_SUCCESS){
436
622
if(debug){
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
439
625
}
440
626
retval = -1;
441
goto exit;
627
goto mandos_end;
442
628
}
443
629
444
//Retrieve OpenPGP packet that contains the wanted password
630
/* Read OpenPGP packet that contains the wanted password */
445
631
446
632
if(debug){
447
633
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
448
634
ip);
449
635
}
450
636
451
637
while(true){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
buffer_capacity);
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
642
retval = -1;
643
goto mandos_end;
459
644
}
460
645
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
646
sret = gnutls_record_recv(session, buffer+buffer_length,
647
BUFFER_SIZE);
648
if(sret == 0){
464
649
break;
465
650
}
466
if (ret < 0){
467
switch(ret){
651
if(sret < 0){
652
switch(sret){
468
653
case GNUTLS_E_INTERRUPTED:
469
654
case GNUTLS_E_AGAIN:
470
655
break;
471
656
case GNUTLS_E_REHANDSHAKE:
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
657
do{
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
476
663
retval = -1;
477
goto exit;
664
goto mandos_end;
478
665
}
479
666
break;
480
667
default:
481
668
fprintf(stderr, "Unknown error while reading data from"
482
" encrypted session with mandos server\n");
669
" encrypted session with Mandos server\n");
483
670
retval = -1;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
672
goto mandos_end;
486
673
}
487
674
} else {
488
buffer_length += (size_t) ret;
675
buffer_length += (size_t) sret;
489
676
}
490
677
}
491
678
492
if (buffer_length > 0){
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
679
if(debug){
680
fprintf(stderr, "Closing TLS session\n");
681
}
682
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
684
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
494
687
buffer_length,
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
688
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
690
written = 0;
498
691
while(written < (size_t) decrypted_buffer_size){
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
502
695
if(ret == 0 and ferror(stdout)){
503
696
if(debug){
504
697
fprintf(stderr, "Error writing encrypted data: %s\n",
513
706
} else {
514
707
retval = -1;
515
708
}
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
709
} else {
710
retval = -1;
711
}
712
713
/* Shutdown procedure */
714
715
mandos_end:
524
716
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
717
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
718
if(ret == -1){
719
perror("close");
720
}
721
gnutls_deinit(session);
531
722
return retval;
532
723
}
533
724
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
725
static void resolve_callback(AvahiSServiceResolver *r,
726
AvahiIfIndex interface,
727
AVAHI_GCC_UNUSED AvahiProtocol protocol,
728
AvahiResolverEvent event,
729
const char *name,
730
const char *type,
731
const char *domain,
732
const char *host_name,
733
const AvahiAddress *address,
734
uint16_t port,
735
AVAHI_GCC_UNUSED AvahiStringList *txt,
736
AVAHI_GCC_UNUSED AvahiLookupResultFlags
737
flags,
738
void* userdata) {
739
mandos_context *mc = userdata;
740
assert(r);
553
741
554
742
/* Called whenever a service has been resolved successfully or
555
743
timed out */
556
744
557
switch (event) {
745
switch(event) {
558
746
default:
559
747
case AVAHI_RESOLVER_FAILURE:
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
748
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
749
" of type '%s' in domain '%s': %s\n", name, type, domain,
750
avahi_strerror(avahi_server_errno(mc->server)));
563
751
break;
564
752
565
753
case AVAHI_RESOLVER_FOUND:
567
755
char ip[AVAHI_ADDRESS_STR_MAX];
568
756
avahi_address_snprint(ip, sizeof(ip), address);
569
757
if(debug){
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
572
761
}
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
762
int ret = start_mandos_communication(ip, port, interface, mc);
763
if(ret == 0){
764
avahi_simple_poll_quit(mc->simple_poll);
576
765
}
577
766
}
578
767
}
579
768
avahi_s_service_resolver_free(r);
580
769
}
581
770
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
771
static void browse_callback( AvahiSServiceBrowser *b,
772
AvahiIfIndex interface,
773
AvahiProtocol protocol,
774
AvahiBrowserEvent event,
775
const char *name,
776
const char *type,
777
const char *domain,
778
AVAHI_GCC_UNUSED AvahiLookupResultFlags
779
flags,
780
void* userdata) {
781
mandos_context *mc = userdata;
782
assert(b);
783
784
/* Called whenever a new services becomes available on the LAN or
785
is removed from the LAN */
786
787
switch(event) {
788
default:
789
case AVAHI_BROWSER_FAILURE:
790
791
fprintf(stderr, "(Avahi browser) %s\n",
792
avahi_strerror(avahi_server_errno(mc->server)));
793
avahi_simple_poll_quit(mc->simple_poll);
794
return;
795
796
case AVAHI_BROWSER_NEW:
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
800
resolver for us. */
801
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
803
protocol, name, type, domain,
804
AVAHI_PROTO_INET6, 0,
805
resolve_callback, mc)))
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
808
break;
809
810
case AVAHI_BROWSER_REMOVE:
811
break;
812
813
case AVAHI_BROWSER_ALL_FOR_NOW:
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
815
if(debug){
816
fprintf(stderr, "No Mandos server found, still searching...\n");
628
817
}
629
}
630
631
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
632
const char *combinepath(const char *first, const char *second){
633
char *tmp;
634
tmp = malloc(strlen(first) + strlen(second) + 2);
635
if (tmp == NULL){
636
perror("malloc");
637
return NULL;
638
}
639
strcpy(tmp, first);
640
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
641
strcat(tmp, "/");
642
}
643
strcat(tmp, second);
644
return tmp;
645
}
646
647
648
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
649
AvahiServerConfig config;
818
break;
819
}
820
}
821
822
int main(int argc, char *argv[]){
650
823
AvahiSServiceBrowser *sb = NULL;
651
824
int error;
652
825
int ret;
653
int returncode = EXIT_SUCCESS;
654
const char *interface = NULL;
826
intmax_t tmpmax;
827
int numchars;
828
int exitcode = EXIT_SUCCESS;
829
const char *interface = "eth0";
830
struct ifreq network;
831
int sd;
832
uid_t uid;
833
gid_t gid;
834
char *connect_to = NULL;
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
655
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
656
char *connect_to = NULL;
657
658
while (true){
659
static struct option long_options[] = {
660
{"debug", no_argument, (int *)&debug, 1},
661
{"connect", required_argument, 0, 'C'},
662
{"interface", required_argument, 0, 'i'},
663
{"certdir", required_argument, 0, 'd'},
664
{"certkey", required_argument, 0, 'c'},
665
{"certfile", required_argument, 0, 'k'},
666
{0, 0, 0, 0} };
667
668
int option_index = 0;
669
ret = getopt_long (argc, argv, "i:", long_options,
670
&option_index);
671
672
if (ret == -1){
673
break;
674
}
675
676
switch(ret){
677
case 0:
678
break;
679
case 'i':
680
interface = optarg;
681
break;
682
case 'C':
683
connect_to = optarg;
684
break;
685
case 'd':
686
certdir = optarg;
687
break;
688
case 'c':
689
certfile = optarg;
690
break;
691
case 'k':
692
certkey = optarg;
693
break;
694
default:
695
exit(EXIT_FAILURE);
696
}
697
}
698
699
certfile = combinepath(certdir, certfile);
700
if (certfile == NULL){
701
goto exit;
702
}
703
704
if(interface != NULL){
705
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
if(if_index == 0){
707
fprintf(stderr, "No such interface: \"%s\"\n", interface);
708
exit(EXIT_FAILURE);
709
}
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
840
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
847
848
{
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
855
.group = 1 },
856
{ .name = "interface", .key = 'i',
857
.arg = "NAME",
858
.doc = "Interface that will be used to search for Mandos"
859
" servers",
860
.group = 1 },
861
{ .name = "seckey", .key = 's',
862
.arg = "FILE",
863
.doc = "OpenPGP secret key file base name",
864
.group = 1 },
865
{ .name = "pubkey", .key = 'p',
866
.arg = "FILE",
867
.doc = "OpenPGP public key file base name",
868
.group = 2 },
869
{ .name = "dh-bits", .key = 129,
870
.arg = "BITS",
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
873
.group = 2 },
874
{ .name = "priority", .key = 130,
875
.arg = "STRING",
876
.doc = "GnuTLS priority string for the TLS handshake",
877
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
{ .name = NULL }
883
};
884
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
888
case 128: /* --debug */
889
debug = true;
890
break;
891
case 'c': /* --connect */
892
connect_to = arg;
893
break;
894
case 'i': /* --interface */
895
interface = arg;
896
break;
897
case 's': /* --seckey */
898
seckey = arg;
899
break;
900
case 'p': /* --pubkey */
901
pubkey = arg;
902
break;
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
908
exit(EXIT_FAILURE);
909
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
break;
912
case 130: /* --priority */
913
mc.priority = arg;
914
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
case ARGP_KEY_ARG:
923
argp_usage(state);
924
case ARGP_KEY_END:
925
break;
926
default:
927
return ARGP_ERR_UNKNOWN;
928
}
929
return 0;
930
}
931
932
struct argp argp = { .options = options, .parser = parse_opt,
933
.args_doc = "",
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
944
/* If the interface is down, bring it up */
945
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
if(sd < 0) {
955
perror("socket");
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
goto end;
962
}
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
if(ret == -1){
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
exitcode = EXIT_FAILURE;
972
goto end;
973
}
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
977
if(ret == -1){
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
goto end;
985
}
986
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
if(ret == -1){
1000
perror("close");
1001
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
}
1008
1009
uid = getuid();
1010
gid = getgid();
1011
1012
setgid(gid);
1013
if(ret == -1){
1014
perror("setgid");
1015
}
1016
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1026
goto end;
1027
} else {
1028
gnutls_initialized = true;
1029
}
1030
1031
if(mkdtemp(tempdir) == NULL){
1032
perror("mkdtemp");
1033
goto end;
1034
}
1035
tempdir_created = true;
1036
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
} else {
1042
gpgme_initialized = true;
1043
}
1044
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
1046
if(if_index == 0){
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
710
1050
}
711
1051
712
1052
if(connect_to != NULL){
715
1055
char *address = strrchr(connect_to, ':');
716
1056
if(address == NULL){
717
1057
fprintf(stderr, "No colon in address\n");
718
exit(EXIT_FAILURE);
719
}
720
errno = 0;
721
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
if(errno){
723
perror("Bad port number");
724
exit(EXIT_FAILURE);
725
}
1058
exitcode = EXIT_FAILURE;
1059
goto end;
1060
}
1061
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1067
goto end;
1068
}
1069
port = (uint16_t)tmpmax;
726
1070
*address = '\0';
727
1071
address = connect_to;
728
ret = start_mandos_communication(address, port, if_index);
1072
ret = start_mandos_communication(address, port, if_index, &mc);
729
1073
if(ret < 0){
730
exit(EXIT_FAILURE);
1074
exitcode = EXIT_FAILURE;
731
1075
} else {
732
exit(EXIT_SUCCESS);
1076
exitcode = EXIT_SUCCESS;
733
1077
}
734
}
735
736
certkey = combinepath(certdir, certkey);
737
if (certkey == NULL){
738
goto exit;
739
}
740
741
if (not debug){
1078
goto end;
1079
}
1080
1081
if(not debug){
742
1082
avahi_set_log_function(empty_log);
743
1083
}
744
1084
745
/* Initialize the psuedo-RNG */
1085
/* Initialize the pseudo-RNG for Avahi */
746
1086
srand((unsigned int) time(NULL));
747
748
/* Allocate main loop object */
749
if (!(simple_poll = avahi_simple_poll_new())) {
750
fprintf(stderr, "Failed to create simple poll object.\n");
751
752
goto exit;
753
}
754
755
/* Do not publish any local records */
756
avahi_server_config_init(&config);
757
config.publish_hinfo = 0;
758
config.publish_addresses = 0;
759
config.publish_workstation = 0;
760
config.publish_domain = 0;
761
762
/* Allocate a new server */
763
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
764
&config, NULL, NULL, &error);
765
766
/* Free the configuration data */
767
avahi_server_config_free(&config);
768
769
/* Check if creating the server object succeeded */
770
if (!server) {
771
fprintf(stderr, "Failed to create server: %s\n",
1087
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
" object.\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
1097
{
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1105
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1109
NULL, &error);
1110
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1113
}
1114
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
772
1118
avahi_strerror(error));
773
returncode = EXIT_FAILURE;
774
goto exit;
1119
exitcode = EXIT_FAILURE;
1120
goto end;
775
1121
}
776
1122
777
/* Create the service browser */
778
sb = avahi_s_service_browser_new(server, if_index,
1123
/* Create the Avahi service browser */
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
779
1125
AVAHI_PROTO_INET6,
780
1126
"_mandos._tcp", NULL, 0,
781
browse_callback, server);
782
if (!sb) {
1127
browse_callback, &mc);
1128
if(sb == NULL) {
783
1129
fprintf(stderr, "Failed to create service browser: %s\n",
784
avahi_strerror(avahi_server_errno(server)));
785
returncode = EXIT_FAILURE;
786
goto exit;
1130
avahi_strerror(avahi_server_errno(mc.server)));
1131
exitcode = EXIT_FAILURE;
1132
goto end;
787
1133
}
788
1134
789
1135
/* Run the main loop */
790
791
if (debug){
792
fprintf(stderr, "Starting avahi loop search\n");
1136
1137
if(debug){
1138
fprintf(stderr, "Starting Avahi loop search\n");
793
1139
}
794
795
avahi_simple_poll_loop(simple_poll);
796
797
exit:
798
1140
799
if (debug){
1141
avahi_simple_poll_loop(mc.simple_poll);
1142
1143
end:
1144
1145
if(debug){
800
1146
fprintf(stderr, "%s exiting\n", argv[0]);
801
1147
}
802
1148
803
1149
/* Cleanup things */
804
if (sb)
1150
if(sb != NULL)
805
1151
avahi_s_service_browser_free(sb);
806
1152
807
if (server)
808
avahi_server_free(server);
809
810
if (simple_poll)
811
avahi_simple_poll_free(simple_poll);
812
free(certfile);
813
free(certkey);
814
815
return returncode;
1153
if(mc.server != NULL)
1154
avahi_server_free(mc.server);
1155
1156
if(mc.simple_poll != NULL)
1157
avahi_simple_poll_free(mc.simple_poll);
1158
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1163
}
1164
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1167
}
1168
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1171
DIR *d;
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1174
if(d == NULL){
1175
if(errno != ENOENT){
1176
perror("opendir");
1177
}
1178
} else {
1179
while(true){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1182
break;
1183
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1204
}
1205
closedir(d);
1206
}
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
1209
perror("rmdir");
1210
}
1211
}
1212
1213
return exitcode;
816
1214
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0