To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.55
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.55
- Committer: Teddy Hogeborn
- Date: 2009-02-03 22:41:49 UTC
- mto: (24.1.131 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090203224149-fc1301jojmusbzlx
* Makefile (run-server): Use "--no-dbus" unconditionally.
* initramfs-tools-script: Correct tests for writable "/conf/conf.d".
* mandos: Add process ID number to logging messages.
(IPv6_TCPServer.server_bind): Use plain "raise".
(main): Do not try to handle SIGSEGV; it does not work. Use plain
"raise". Log KeyboardInterrupt and server exit.
* initramfs-tools-script: Correct tests for writable "/conf/conf.d".
* mandos: Add process ID number to logging messages.
(IPv6_TCPServer.server_bind): Use plain "raise".
(main): Do not try to handle SIGSEGV; it does not work. Use plain
"raise". Log KeyboardInterrupt and server exit.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <sys/klog.h> /* klogctl() */
79
80
/* Avahi */
81
/* All Avahi types, constants and functions
82
Avahi*, avahi_*,
83
AVAHI_* */
43
84
#include <avahi-core/core.h>
44
85
#include <avahi-core/lookup.h>
45
86
#include <avahi-core/log.h>
47
88
#include <avahi-common/malloc.h>
48
89
#include <avahi-common/error.h>
49
90
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt_long
69
#include <getopt.h>
91
/* GnuTLS */
92
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
93
functions:
94
gnutls_*
95
init_gnutls_session(),
96
GNUTLS_* */
97
#include <gnutls/openpgp.h>
98
/* gnutls_certificate_set_openpgp_key_file(),
99
GNUTLS_OPENPGP_FMT_BASE64 */
100
101
/* GPGME */
102
#include <gpgme.h> /* All GPGME types, constants and
103
functions:
104
gpgme_*
105
GPGME_PROTOCOL_OpenPGP,
106
GPG_ERR_NO_* */
70
107
71
108
#define BUFFER_SIZE 256
72
109
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
110
#define PATHDIR "/conf/conf.d/mandos"
111
#define SECKEY "seckey.txt"
112
#define PUBKEY "pubkey.txt"
76
113
77
114
bool debug = false;
115
static const char mandos_protocol_version[] = "1";
116
const char *argp_program_version = "mandos-client " VERSION;
117
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
118
79
/* Used for passing in values through all the callback functions */
119
/* Used for passing in values through the Avahi callback functions */
80
120
typedef struct {
81
121
AvahiSimplePoll *simple_poll;
82
122
AvahiServer *server;
83
123
gnutls_certificate_credentials_t cred;
84
124
unsigned int dh_bits;
125
gnutls_dh_params_t dh_params;
85
126
const char *priority;
127
gpgme_ctx_t ctx;
86
128
} mandos_context;
87
129
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
90
const char *homedir){
91
gpgme_data_t dh_crypto, dh_plain;
92
gpgme_ctx_t ctx;
130
/*
131
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
132
* "buffer_capacity" is how much is currently allocated,
133
* "buffer_length" is how much is already used.
134
*/
135
size_t adjustbuffer(char **buffer, size_t buffer_length,
136
size_t buffer_capacity){
137
if(buffer_length + BUFFER_SIZE > buffer_capacity){
138
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
139
if(buffer == NULL){
140
return 0;
141
}
142
buffer_capacity += BUFFER_SIZE;
143
}
144
return buffer_capacity;
145
}
146
147
/*
148
* Initialize GPGME.
149
*/
150
static bool init_gpgme(mandos_context *mc, const char *seckey,
151
const char *pubkey, const char *tempdir){
152
int ret;
93
153
gpgme_error_t rc;
94
ssize_t ret;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
97
154
gpgme_engine_info_t engine_info;
98
99
if (debug){
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
155
156
157
/*
158
* Helper function to insert pub and seckey to the engine keyring.
159
*/
160
bool import_key(const char *filename){
161
int fd;
162
gpgme_data_t pgp_data;
163
164
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
165
if(fd == -1){
166
perror("open");
167
return false;
168
}
169
170
rc = gpgme_data_new_from_fd(&pgp_data, fd);
171
if(rc != GPG_ERR_NO_ERROR){
172
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
173
gpgme_strsource(rc), gpgme_strerror(rc));
174
return false;
175
}
176
177
rc = gpgme_op_import(mc->ctx, pgp_data);
178
if(rc != GPG_ERR_NO_ERROR){
179
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
180
gpgme_strsource(rc), gpgme_strerror(rc));
181
return false;
182
}
183
184
ret = (int)TEMP_FAILURE_RETRY(close(fd));
185
if(ret == -1){
186
perror("close");
187
}
188
gpgme_data_release(pgp_data);
189
return true;
190
}
191
192
if(debug){
193
fprintf(stderr, "Initialize gpgme\n");
101
194
}
102
195
103
196
/* Init GPGME */
104
197
gpgme_check_version(NULL);
105
198
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
106
if (rc != GPG_ERR_NO_ERROR){
199
if(rc != GPG_ERR_NO_ERROR){
107
200
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
108
201
gpgme_strsource(rc), gpgme_strerror(rc));
109
return -1;
202
return false;
110
203
}
111
204
112
/* Set GPGME home directory */
113
rc = gpgme_get_engine_info (&engine_info);
114
if (rc != GPG_ERR_NO_ERROR){
205
/* Set GPGME home directory for the OpenPGP engine only */
206
rc = gpgme_get_engine_info(&engine_info);
207
if(rc != GPG_ERR_NO_ERROR){
115
208
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
116
209
gpgme_strsource(rc), gpgme_strerror(rc));
117
return -1;
210
return false;
118
211
}
119
212
while(engine_info != NULL){
120
213
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
121
214
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
122
engine_info->file_name, homedir);
215
engine_info->file_name, tempdir);
123
216
break;
124
217
}
125
218
engine_info = engine_info->next;
126
219
}
127
220
if(engine_info == NULL){
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
129
return -1;
130
}
131
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
134
if (rc != GPG_ERR_NO_ERROR){
221
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
222
return false;
223
}
224
225
/* Create new GPGME "context" */
226
rc = gpgme_new(&(mc->ctx));
227
if(rc != GPG_ERR_NO_ERROR){
228
fprintf(stderr, "bad gpgme_new: %s: %s\n",
229
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
231
}
232
233
if(not import_key(pubkey) or not import_key(seckey)){
234
return false;
235
}
236
237
return true;
238
}
239
240
/*
241
* Decrypt OpenPGP data.
242
* Returns -1 on error
243
*/
244
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
245
const char *cryptotext,
246
size_t crypto_size,
247
char **plaintext){
248
gpgme_data_t dh_crypto, dh_plain;
249
gpgme_error_t rc;
250
ssize_t ret;
251
size_t plaintext_capacity = 0;
252
ssize_t plaintext_length = 0;
253
254
if(debug){
255
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
256
}
257
258
/* Create new GPGME data buffer from memory cryptotext */
259
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
260
0);
261
if(rc != GPG_ERR_NO_ERROR){
135
262
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
136
263
gpgme_strsource(rc), gpgme_strerror(rc));
137
264
return -1;
139
266
140
267
/* Create new empty GPGME data buffer for the plaintext */
141
268
rc = gpgme_data_new(&dh_plain);
142
if (rc != GPG_ERR_NO_ERROR){
269
if(rc != GPG_ERR_NO_ERROR){
143
270
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
144
271
gpgme_strsource(rc), gpgme_strerror(rc));
145
return -1;
146
}
147
148
/* Create new GPGME "context" */
149
rc = gpgme_new(&ctx);
150
if (rc != GPG_ERR_NO_ERROR){
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
return -1;
154
}
155
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
159
if (rc != GPG_ERR_NO_ERROR){
272
gpgme_data_release(dh_crypto);
273
return -1;
274
}
275
276
/* Decrypt data from the cryptotext data buffer to the plaintext
277
data buffer */
278
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
279
if(rc != GPG_ERR_NO_ERROR){
160
280
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
161
281
gpgme_strsource(rc), gpgme_strerror(rc));
162
return -1;
282
plaintext_length = -1;
283
if(debug){
284
gpgme_decrypt_result_t result;
285
result = gpgme_op_decrypt_result(mc->ctx);
286
if(result == NULL){
287
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
288
} else {
289
fprintf(stderr, "Unsupported algorithm: %s\n",
290
result->unsupported_algorithm);
291
fprintf(stderr, "Wrong key usage: %u\n",
292
result->wrong_key_usage);
293
if(result->file_name != NULL){
294
fprintf(stderr, "File name: %s\n", result->file_name);
295
}
296
gpgme_recipient_t recipient;
297
recipient = result->recipients;
298
if(recipient){
299
while(recipient != NULL){
300
fprintf(stderr, "Public key algorithm: %s\n",
301
gpgme_pubkey_algo_name(recipient->pubkey_algo));
302
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
303
fprintf(stderr, "Secret key available: %s\n",
304
recipient->status == GPG_ERR_NO_SECKEY
305
? "No" : "Yes");
306
recipient = recipient->next;
307
}
308
}
309
}
310
}
311
goto decrypt_end;
163
312
}
164
313
165
314
if(debug){
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
167
}
168
169
if (debug){
170
gpgme_decrypt_result_t result;
171
result = gpgme_op_decrypt_result(ctx);
172
if (result == NULL){
173
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
} else {
175
fprintf(stderr, "Unsupported algorithm: %s\n",
176
result->unsupported_algorithm);
177
fprintf(stderr, "Wrong key usage: %d\n",
178
result->wrong_key_usage);
179
if(result->file_name != NULL){
180
fprintf(stderr, "File name: %s\n", result->file_name);
181
}
182
gpgme_recipient_t recipient;
183
recipient = result->recipients;
184
if(recipient){
185
while(recipient != NULL){
186
fprintf(stderr, "Public key algorithm: %s\n",
187
gpgme_pubkey_algo_name(recipient->pubkey_algo));
188
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
189
fprintf(stderr, "Secret key available: %s\n",
190
recipient->status == GPG_ERR_NO_SECKEY
191
? "No" : "Yes");
192
recipient = recipient->next;
193
}
194
}
195
}
196
}
197
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
315
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
316
}
200
317
201
318
/* Seek back to the beginning of the GPGME plaintext data buffer */
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
203
perror("pgpme_data_seek");
319
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
320
perror("gpgme_data_seek");
321
plaintext_length = -1;
322
goto decrypt_end;
204
323
}
205
324
206
*new_packet = 0;
325
*plaintext = NULL;
207
326
while(true){
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
327
plaintext_capacity = adjustbuffer(plaintext,
328
(size_t)plaintext_length,
329
plaintext_capacity);
330
if(plaintext_capacity == 0){
331
perror("adjustbuffer");
332
plaintext_length = -1;
333
goto decrypt_end;
217
334
}
218
335
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
220
337
BUFFER_SIZE);
221
338
/* Print the data, if any */
222
if (ret == 0){
339
if(ret == 0){
340
/* EOF */
223
341
break;
224
342
}
225
343
if(ret < 0){
226
344
perror("gpgme_data_read");
227
return -1;
228
}
229
new_packet_length += ret;
230
}
231
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
345
plaintext_length = -1;
346
goto decrypt_end;
347
}
348
plaintext_length += ret;
349
}
350
351
if(debug){
352
fprintf(stderr, "Decrypted password is: ");
353
for(ssize_t i = 0; i < plaintext_length; i++){
354
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
355
}
356
fprintf(stderr, "\n");
357
}
358
359
decrypt_end:
360
361
/* Delete the GPGME cryptotext data buffer */
362
gpgme_data_release(dh_crypto);
239
363
240
364
/* Delete the GPGME plaintext data buffer */
241
365
gpgme_data_release(dh_plain);
242
return new_packet_length;
366
return plaintext_length;
243
367
}
244
368
245
static const char * safer_gnutls_strerror (int value) {
246
const char *ret = gnutls_strerror (value);
247
if (ret == NULL)
369
static const char * safer_gnutls_strerror(int value) {
370
const char *ret = gnutls_strerror(value); /* Spurious warning from
371
-Wunreachable-code */
372
if(ret == NULL)
248
373
ret = "(unknown)";
249
374
return ret;
250
375
}
251
376
377
/* GnuTLS log function callback */
252
378
static void debuggnutls(__attribute__((unused)) int level,
253
379
const char* string){
254
fprintf(stderr, "%s", string);
380
fprintf(stderr, "GnuTLS: %s", string);
255
381
}
256
382
257
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
258
gnutls_dh_params_t *dh_params){
259
const char *err;
383
static int init_gnutls_global(mandos_context *mc,
384
const char *pubkeyfilename,
385
const char *seckeyfilename){
260
386
int ret;
261
387
262
388
if(debug){
263
389
fprintf(stderr, "Initializing GnuTLS\n");
264
390
}
265
266
if ((ret = gnutls_global_init ())
267
!= GNUTLS_E_SUCCESS) {
268
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
391
392
ret = gnutls_global_init();
393
if(ret != GNUTLS_E_SUCCESS) {
394
fprintf(stderr, "GnuTLS global_init: %s\n",
395
safer_gnutls_strerror(ret));
269
396
return -1;
270
397
}
271
398
272
if (debug){
399
if(debug){
400
/* "Use a log level over 10 to enable all debugging options."
401
* - GnuTLS manual
402
*/
273
403
gnutls_global_set_log_level(11);
274
404
gnutls_global_set_log_function(debuggnutls);
275
405
}
276
406
277
/* openpgp credentials */
278
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
279
!= GNUTLS_E_SUCCESS) {
280
fprintf (stderr, "memory error: %s\n",
281
safer_gnutls_strerror(ret));
407
/* OpenPGP credentials */
408
gnutls_certificate_allocate_credentials(&mc->cred);
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
411
* from
412
* -Wunreachable-code
413
*/
414
safer_gnutls_strerror(ret));
415
gnutls_global_deinit();
282
416
return -1;
283
417
}
284
418
285
419
if(debug){
286
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
287
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
288
seckeyfile);
420
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
421
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
422
seckeyfilename);
289
423
}
290
424
291
425
ret = gnutls_certificate_set_openpgp_key_file
292
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
293
if (ret != GNUTLS_E_SUCCESS) {
294
fprintf
295
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
296
" '%s')\n",
297
ret, pubkeyfile, seckeyfile);
298
fprintf(stdout, "The Error is: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
//GnuTLS server initialization
304
if ((ret = gnutls_dh_params_init(dh_params))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in dh parameter initialization: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
312
!= GNUTLS_E_SUCCESS) {
313
fprintf (stderr, "Error in prime generation: %s\n",
314
safer_gnutls_strerror(ret));
315
return -1;
316
}
317
318
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
319
320
// GnuTLS session creation
321
if ((ret = gnutls_init(session, GNUTLS_SERVER))
322
!= GNUTLS_E_SUCCESS){
426
(mc->cred, pubkeyfilename, seckeyfilename,
427
GNUTLS_OPENPGP_FMT_BASE64);
428
if(ret != GNUTLS_E_SUCCESS) {
429
fprintf(stderr,
430
"Error[%d] while reading the OpenPGP key pair ('%s',"
431
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
432
fprintf(stderr, "The GnuTLS error is: %s\n",
433
safer_gnutls_strerror(ret));
434
goto globalfail;
435
}
436
437
/* GnuTLS server initialization */
438
ret = gnutls_dh_params_init(&mc->dh_params);
439
if(ret != GNUTLS_E_SUCCESS) {
440
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
441
" %s\n", safer_gnutls_strerror(ret));
442
goto globalfail;
443
}
444
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
445
if(ret != GNUTLS_E_SUCCESS) {
446
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
447
safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
451
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
452
453
return 0;
454
455
globalfail:
456
457
gnutls_certificate_free_credentials(mc->cred);
458
gnutls_global_deinit();
459
gnutls_dh_params_deinit(mc->dh_params);
460
return -1;
461
}
462
463
static int init_gnutls_session(mandos_context *mc,
464
gnutls_session_t *session){
465
int ret;
466
/* GnuTLS session creation */
467
ret = gnutls_init(session, GNUTLS_SERVER);
468
if(ret != GNUTLS_E_SUCCESS){
323
469
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
324
470
safer_gnutls_strerror(ret));
325
471
}
326
472
327
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Syntax error at: %s\n", err);
330
fprintf(stderr, "GnuTLS error: %s\n",
331
safer_gnutls_strerror(ret));
332
return -1;
473
{
474
const char *err;
475
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
476
if(ret != GNUTLS_E_SUCCESS) {
477
fprintf(stderr, "Syntax error at: %s\n", err);
478
fprintf(stderr, "GnuTLS error: %s\n",
479
safer_gnutls_strerror(ret));
480
gnutls_deinit(*session);
481
return -1;
482
}
333
483
}
334
484
335
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
336
mc->cred))
337
!= GNUTLS_E_SUCCESS) {
338
fprintf(stderr, "Error setting a credentials set: %s\n",
485
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
486
mc->cred);
487
if(ret != GNUTLS_E_SUCCESS) {
488
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
339
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
340
491
return -1;
341
492
}
342
493
343
494
/* ignore client certificate if any. */
344
gnutls_certificate_server_set_request (*session,
345
GNUTLS_CERT_IGNORE);
495
gnutls_certificate_server_set_request(*session,
496
GNUTLS_CERT_IGNORE);
346
497
347
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
498
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
348
499
349
500
return 0;
350
501
}
351
502
503
/* Avahi log function callback */
352
504
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
353
505
__attribute__((unused)) const char *txt){}
354
506
507
/* Called when a Mandos server is found */
355
508
static int start_mandos_communication(const char *ip, uint16_t port,
356
509
AvahiIfIndex if_index,
357
510
mandos_context *mc){
358
511
int ret, tcp_sd;
359
struct sockaddr_in6 to;
512
ssize_t sret;
513
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
360
514
char *buffer = NULL;
361
515
char *decrypted_buffer;
362
516
size_t buffer_length = 0;
363
517
size_t buffer_capacity = 0;
364
518
ssize_t decrypted_buffer_size;
365
size_t written = 0;
519
size_t written;
366
520
int retval = 0;
367
521
char interface[IF_NAMESIZE];
368
522
gnutls_session_t session;
369
gnutls_dh_params_t dh_params;
523
524
ret = init_gnutls_session(mc, &session);
525
if(ret != 0){
526
return -1;
527
}
370
528
371
529
if(debug){
372
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
373
ip, port);
530
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
531
"\n", ip, port);
374
532
}
375
533
376
534
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
378
536
perror("socket");
379
537
return -1;
380
538
}
381
539
382
540
if(debug){
383
541
if(if_indextoname((unsigned int)if_index, interface) == NULL){
384
542
perror("if_indextoname");
387
545
fprintf(stderr, "Binding to interface %s\n", interface);
388
546
}
389
547
390
memset(&to,0,sizeof(to)); /* Spurious warning */
391
to.sin6_family = AF_INET6;
392
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
393
if (ret < 0 ){
548
memset(&to, 0, sizeof(to));
549
to.in6.sin6_family = AF_INET6;
550
/* It would be nice to have a way to detect if we were passed an
551
IPv4 address here. Now we assume an IPv6 address. */
552
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
553
if(ret < 0 ){
394
554
perror("inet_pton");
395
555
return -1;
396
556
}
398
558
fprintf(stderr, "Bad address: %s\n", ip);
399
559
return -1;
400
560
}
401
to.sin6_port = htons(port); /* Spurious warning */
561
to.in6.sin6_port = htons(port); /* Spurious warnings from
562
-Wconversion and
563
-Wunreachable-code */
402
564
403
to.sin6_scope_id = (uint32_t)if_index;
565
to.in6.sin6_scope_id = (uint32_t)if_index;
404
566
405
567
if(debug){
406
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
568
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
569
port);
407
570
char addrstr[INET6_ADDRSTRLEN] = "";
408
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
571
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
409
572
sizeof(addrstr)) == NULL){
410
573
perror("inet_ntop");
411
574
} else {
415
578
}
416
579
}
417
580
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
581
ret = connect(tcp_sd, &to.in, sizeof(to));
582
if(ret < 0){
420
583
perror("connect");
421
584
return -1;
422
585
}
423
586
424
ret = initgnutls (mc, &session, &dh_params);
425
if (ret != 0){
426
retval = -1;
427
return -1;
587
const char *out = mandos_protocol_version;
588
written = 0;
589
while(true){
590
size_t out_size = strlen(out);
591
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
592
out_size - written));
593
if(ret == -1){
594
perror("write");
595
retval = -1;
596
goto mandos_end;
597
}
598
written += (size_t)ret;
599
if(written < out_size){
600
continue;
601
} else {
602
if(out == mandos_protocol_version){
603
written = 0;
604
out = "\r\n";
605
} else {
606
break;
607
}
608
}
428
609
}
429
610
430
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
431
432
611
if(debug){
433
612
fprintf(stderr, "Establishing TLS session with %s\n", ip);
434
613
}
435
614
436
ret = gnutls_handshake (session);
437
438
if (ret != GNUTLS_E_SUCCESS){
615
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
616
617
do{
618
ret = gnutls_handshake(session);
619
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
620
621
if(ret != GNUTLS_E_SUCCESS){
439
622
if(debug){
440
fprintf(stderr, "\n*** Handshake failed ***\n");
441
gnutls_perror (ret);
623
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
624
gnutls_perror(ret);
442
625
}
443
626
retval = -1;
444
goto exit;
627
goto mandos_end;
445
628
}
446
629
447
//Retrieve OpenPGP packet that contains the wanted password
630
/* Read OpenPGP packet that contains the wanted password */
448
631
449
632
if(debug){
450
633
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
451
634
ip);
452
635
}
453
636
454
637
while(true){
455
if (buffer_length + BUFFER_SIZE > buffer_capacity){
456
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
if (buffer == NULL){
458
perror("realloc");
459
goto exit;
460
}
461
buffer_capacity += BUFFER_SIZE;
638
buffer_capacity = adjustbuffer(&buffer, buffer_length,
639
buffer_capacity);
640
if(buffer_capacity == 0){
641
perror("adjustbuffer");
642
retval = -1;
643
goto mandos_end;
462
644
}
463
645
464
ret = gnutls_record_recv(session, buffer+buffer_length,
465
BUFFER_SIZE);
466
if (ret == 0){
646
sret = gnutls_record_recv(session, buffer+buffer_length,
647
BUFFER_SIZE);
648
if(sret == 0){
467
649
break;
468
650
}
469
if (ret < 0){
470
switch(ret){
651
if(sret < 0){
652
switch(sret){
471
653
case GNUTLS_E_INTERRUPTED:
472
654
case GNUTLS_E_AGAIN:
473
655
break;
474
656
case GNUTLS_E_REHANDSHAKE:
475
ret = gnutls_handshake (session);
476
if (ret < 0){
477
fprintf(stderr, "\n*** Handshake failed ***\n");
478
gnutls_perror (ret);
657
do{
658
ret = gnutls_handshake(session);
659
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
660
if(ret < 0){
661
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
662
gnutls_perror(ret);
479
663
retval = -1;
480
goto exit;
664
goto mandos_end;
481
665
}
482
666
break;
483
667
default:
484
668
fprintf(stderr, "Unknown error while reading data from"
485
" encrypted session with mandos server\n");
669
" encrypted session with Mandos server\n");
486
670
retval = -1;
487
gnutls_bye (session, GNUTLS_SHUT_RDWR);
488
goto exit;
671
gnutls_bye(session, GNUTLS_SHUT_RDWR);
672
goto mandos_end;
489
673
}
490
674
} else {
491
buffer_length += (size_t) ret;
675
buffer_length += (size_t) sret;
492
676
}
493
677
}
494
678
495
if (buffer_length > 0){
496
decrypted_buffer_size = pgp_packet_decrypt(buffer,
679
if(debug){
680
fprintf(stderr, "Closing TLS session\n");
681
}
682
683
gnutls_bye(session, GNUTLS_SHUT_RDWR);
684
685
if(buffer_length > 0){
686
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
497
687
buffer_length,
498
&decrypted_buffer,
499
keydir);
500
if (decrypted_buffer_size >= 0){
688
&decrypted_buffer);
689
if(decrypted_buffer_size >= 0){
690
written = 0;
501
691
while(written < (size_t) decrypted_buffer_size){
502
ret = (int)fwrite (decrypted_buffer + written, 1,
503
(size_t)decrypted_buffer_size - written,
504
stdout);
692
ret = (int)fwrite(decrypted_buffer + written, 1,
693
(size_t)decrypted_buffer_size - written,
694
stdout);
505
695
if(ret == 0 and ferror(stdout)){
506
696
if(debug){
507
697
fprintf(stderr, "Error writing encrypted data: %s\n",
516
706
} else {
517
707
retval = -1;
518
708
}
519
}
520
521
//shutdown procedure
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
709
} else {
710
retval = -1;
711
}
712
713
/* Shutdown procedure */
714
715
mandos_end:
527
716
free(buffer);
528
gnutls_bye (session, GNUTLS_SHUT_RDWR);
529
exit:
530
close(tcp_sd);
531
gnutls_deinit (session);
532
gnutls_certificate_free_credentials (mc->cred);
533
gnutls_global_deinit ();
717
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
718
if(ret == -1){
719
perror("close");
720
}
721
gnutls_deinit(session);
534
722
return retval;
535
723
}
536
724
537
static void resolve_callback( AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
void* userdata) {
725
static void resolve_callback(AvahiSServiceResolver *r,
726
AvahiIfIndex interface,
727
AVAHI_GCC_UNUSED AvahiProtocol protocol,
728
AvahiResolverEvent event,
729
const char *name,
730
const char *type,
731
const char *domain,
732
const char *host_name,
733
const AvahiAddress *address,
734
uint16_t port,
735
AVAHI_GCC_UNUSED AvahiStringList *txt,
736
AVAHI_GCC_UNUSED AvahiLookupResultFlags
737
flags,
738
void* userdata) {
550
739
mandos_context *mc = userdata;
551
assert(r); /* Spurious warning */
740
assert(r);
552
741
553
742
/* Called whenever a service has been resolved successfully or
554
743
timed out */
555
744
556
switch (event) {
745
switch(event) {
557
746
default:
558
747
case AVAHI_RESOLVER_FAILURE:
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
748
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
749
" of type '%s' in domain '%s': %s\n", name, type, domain,
561
750
avahi_strerror(avahi_server_errno(mc->server)));
562
751
break;
563
752
566
755
char ip[AVAHI_ADDRESS_STR_MAX];
567
756
avahi_address_snprint(ip, sizeof(ip), address);
568
757
if(debug){
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
758
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
759
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
760
ip, (intmax_t)interface, port);
571
761
}
572
762
int ret = start_mandos_communication(ip, port, interface, mc);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
763
if(ret == 0){
764
avahi_simple_poll_quit(mc->simple_poll);
575
765
}
576
766
}
577
767
}
585
775
const char *name,
586
776
const char *type,
587
777
const char *domain,
588
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
778
AVAHI_GCC_UNUSED AvahiLookupResultFlags
779
flags,
589
780
void* userdata) {
590
781
mandos_context *mc = userdata;
591
assert(b); /* Spurious warning */
782
assert(b);
592
783
593
784
/* Called whenever a new services becomes available on the LAN or
594
785
is removed from the LAN */
595
786
596
switch (event) {
787
switch(event) {
597
788
default:
598
789
case AVAHI_BROWSER_FAILURE:
599
790
600
fprintf(stderr, "(Browser) %s\n",
791
fprintf(stderr, "(Avahi browser) %s\n",
601
792
avahi_strerror(avahi_server_errno(mc->server)));
602
793
avahi_simple_poll_quit(mc->simple_poll);
603
794
return;
604
795
605
796
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
797
/* We ignore the returned Avahi resolver object. In the callback
798
function we free it. If the Avahi server is terminated before
799
the callback function is called the Avahi server will free the
800
resolver for us. */
610
801
611
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
612
type, domain,
802
if(!(avahi_s_service_resolver_new(mc->server, interface,
803
protocol, name, type, domain,
613
804
AVAHI_PROTO_INET6, 0,
614
805
resolve_callback, mc)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(mc->server)));
806
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
807
name, avahi_strerror(avahi_server_errno(mc->server)));
617
808
break;
618
809
619
810
case AVAHI_BROWSER_REMOVE:
621
812
622
813
case AVAHI_BROWSER_ALL_FOR_NOW:
623
814
case AVAHI_BROWSER_CACHE_EXHAUSTED:
815
if(debug){
816
fprintf(stderr, "No Mandos server found, still searching...\n");
817
}
624
818
break;
625
819
}
626
820
}
627
821
628
/* Combines file name and path and returns the malloced new
629
string. some sane checks could/should be added */
630
static const char *combinepath(const char *first, const char *second){
631
size_t f_len = strlen(first);
632
size_t s_len = strlen(second);
633
char *tmp = malloc(f_len + s_len + 2);
634
if (tmp == NULL){
635
return NULL;
636
}
637
if(f_len > 0){
638
memcpy(tmp, first, f_len); /* Spurious warning */
639
}
640
tmp[f_len] = '/';
641
if(s_len > 0){
642
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
643
}
644
tmp[f_len + 1 + s_len] = '\0';
645
return tmp;
646
}
647
648
649
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
650
AvahiServerConfig config;
822
int main(int argc, char *argv[]){
651
823
AvahiSServiceBrowser *sb = NULL;
652
824
int error;
653
825
int ret;
654
int debug_int;
655
int returncode = EXIT_SUCCESS;
826
intmax_t tmpmax;
827
int numchars;
828
int exitcode = EXIT_SUCCESS;
656
829
const char *interface = "eth0";
657
830
struct ifreq network;
658
831
int sd;
832
uid_t uid;
833
gid_t gid;
659
834
char *connect_to = NULL;
835
char tempdir[] = "/tmp/mandosXXXXXX";
836
bool tempdir_created = false;
660
837
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
838
const char *seckey = PATHDIR "/" SECKEY;
839
const char *pubkey = PATHDIR "/" PUBKEY;
840
661
841
mandos_context mc = { .simple_poll = NULL, .server = NULL,
662
.dh_bits = 1024, .priority = "SECURE256"};
663
664
debug_int = debug ? 1 : 0;
665
while (true){
666
struct option long_options[] = {
667
{"debug", no_argument, &debug_int, 1},
668
{"connect", required_argument, NULL, 'c'},
669
{"interface", required_argument, NULL, 'i'},
670
{"keydir", required_argument, NULL, 'd'},
671
{"seckey", required_argument, NULL, 's'},
672
{"pubkey", required_argument, NULL, 'p'},
673
{"dh-bits", required_argument, NULL, 'D'},
674
{"priority", required_argument, NULL, 'P'},
675
{0, 0, 0, 0} };
676
677
int option_index = 0;
678
ret = getopt_long (argc, argv, "i:", long_options,
679
&option_index);
680
681
if (ret == -1){
682
break;
683
}
684
685
switch(ret){
686
case 0:
687
break;
688
case 'i':
689
interface = optarg;
690
break;
691
case 'c':
692
connect_to = optarg;
693
break;
694
case 'd':
695
keydir = optarg;
696
break;
697
case 'p':
698
pubkeyfile = optarg;
699
break;
700
case 's':
701
seckeyfile = optarg;
702
break;
703
case 'D':
704
errno = 0;
705
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
706
if (errno){
707
perror("strtol");
708
exit(EXIT_FAILURE);
709
}
710
break;
711
case 'P':
712
mc.priority = optarg;
713
break;
714
case '?':
715
default:
716
exit(EXIT_FAILURE);
717
}
718
}
719
debug = debug_int ? true : false;
720
721
pubkeyfile = combinepath(keydir, pubkeyfile);
722
if (pubkeyfile == NULL){
723
perror("combinepath");
724
returncode = EXIT_FAILURE;
725
goto exit;
726
}
727
728
seckeyfile = combinepath(keydir, seckeyfile);
729
if (seckeyfile == NULL){
730
perror("combinepath");
731
goto exit;
842
.dh_bits = 1024, .priority = "SECURE256"
843
":!CTYPE-X.509:+CTYPE-OPENPGP" };
844
bool gnutls_initialized = false;
845
bool gpgme_initialized = false;
846
double delay = 2.5;
847
848
{
849
struct argp_option options[] = {
850
{ .name = "debug", .key = 128,
851
.doc = "Debug mode", .group = 3 },
852
{ .name = "connect", .key = 'c',
853
.arg = "ADDRESS:PORT",
854
.doc = "Connect directly to a specific Mandos server",
855
.group = 1 },
856
{ .name = "interface", .key = 'i',
857
.arg = "NAME",
858
.doc = "Interface that will be used to search for Mandos"
859
" servers",
860
.group = 1 },
861
{ .name = "seckey", .key = 's',
862
.arg = "FILE",
863
.doc = "OpenPGP secret key file base name",
864
.group = 1 },
865
{ .name = "pubkey", .key = 'p',
866
.arg = "FILE",
867
.doc = "OpenPGP public key file base name",
868
.group = 2 },
869
{ .name = "dh-bits", .key = 129,
870
.arg = "BITS",
871
.doc = "Bit length of the prime number used in the"
872
" Diffie-Hellman key exchange",
873
.group = 2 },
874
{ .name = "priority", .key = 130,
875
.arg = "STRING",
876
.doc = "GnuTLS priority string for the TLS handshake",
877
.group = 1 },
878
{ .name = "delay", .key = 131,
879
.arg = "SECONDS",
880
.doc = "Maximum delay to wait for interface startup",
881
.group = 2 },
882
{ .name = NULL }
883
};
884
885
error_t parse_opt(int key, char *arg,
886
struct argp_state *state) {
887
switch(key) {
888
case 128: /* --debug */
889
debug = true;
890
break;
891
case 'c': /* --connect */
892
connect_to = arg;
893
break;
894
case 'i': /* --interface */
895
interface = arg;
896
break;
897
case 's': /* --seckey */
898
seckey = arg;
899
break;
900
case 'p': /* --pubkey */
901
pubkey = arg;
902
break;
903
case 129: /* --dh-bits */
904
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
905
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
906
or arg[numchars] != '\0'){
907
fprintf(stderr, "Bad number of DH bits\n");
908
exit(EXIT_FAILURE);
909
}
910
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
911
break;
912
case 130: /* --priority */
913
mc.priority = arg;
914
break;
915
case 131: /* --delay */
916
ret = sscanf(arg, "%lf%n", &delay, &numchars);
917
if(ret < 1 or arg[numchars] != '\0'){
918
fprintf(stderr, "Bad delay\n");
919
exit(EXIT_FAILURE);
920
}
921
break;
922
case ARGP_KEY_ARG:
923
argp_usage(state);
924
case ARGP_KEY_END:
925
break;
926
default:
927
return ARGP_ERR_UNKNOWN;
928
}
929
return 0;
930
}
931
932
struct argp argp = { .options = options, .parser = parse_opt,
933
.args_doc = "",
934
.doc = "Mandos client -- Get and decrypt"
935
" passwords from a Mandos server" };
936
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
937
if(ret == ARGP_ERR_UNKNOWN){
938
fprintf(stderr, "Unknown error while parsing arguments\n");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
944
/* If the interface is down, bring it up */
945
{
946
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
947
messages to mess up the prompt */
948
ret = klogctl(8, NULL, 5);
949
if(ret == -1){
950
perror("klogctl");
951
}
952
953
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
954
if(sd < 0) {
955
perror("socket");
956
exitcode = EXIT_FAILURE;
957
ret = klogctl(7, NULL, 0);
958
if(ret == -1){
959
perror("klogctl");
960
}
961
goto end;
962
}
963
strcpy(network.ifr_name, interface);
964
ret = ioctl(sd, SIOCGIFFLAGS, &network);
965
if(ret == -1){
966
perror("ioctl SIOCGIFFLAGS");
967
ret = klogctl(7, NULL, 0);
968
if(ret == -1){
969
perror("klogctl");
970
}
971
exitcode = EXIT_FAILURE;
972
goto end;
973
}
974
if((network.ifr_flags & IFF_UP) == 0){
975
network.ifr_flags |= IFF_UP;
976
ret = ioctl(sd, SIOCSIFFLAGS, &network);
977
if(ret == -1){
978
perror("ioctl SIOCSIFFLAGS");
979
exitcode = EXIT_FAILURE;
980
ret = klogctl(7, NULL, 0);
981
if(ret == -1){
982
perror("klogctl");
983
}
984
goto end;
985
}
986
}
987
/* sleep checking until interface is running */
988
for(int i=0; i < delay * 4; i++){
989
ret = ioctl(sd, SIOCGIFFLAGS, &network);
990
if(ret == -1){
991
perror("ioctl SIOCGIFFLAGS");
992
} else if(network.ifr_flags & IFF_RUNNING){
993
break;
994
}
995
struct timespec sleeptime = { .tv_nsec = 250000000 };
996
nanosleep(&sleeptime, NULL);
997
}
998
ret = (int)TEMP_FAILURE_RETRY(close(sd));
999
if(ret == -1){
1000
perror("close");
1001
}
1002
/* Restores kernel loglevel to default */
1003
ret = klogctl(7, NULL, 0);
1004
if(ret == -1){
1005
perror("klogctl");
1006
}
1007
}
1008
1009
uid = getuid();
1010
gid = getgid();
1011
1012
setgid(gid);
1013
if(ret == -1){
1014
perror("setgid");
1015
}
1016
1017
ret = setuid(uid);
1018
if(ret == -1){
1019
perror("setuid");
1020
}
1021
1022
ret = init_gnutls_global(&mc, pubkey, seckey);
1023
if(ret == -1){
1024
fprintf(stderr, "init_gnutls_global failed\n");
1025
exitcode = EXIT_FAILURE;
1026
goto end;
1027
} else {
1028
gnutls_initialized = true;
1029
}
1030
1031
if(mkdtemp(tempdir) == NULL){
1032
perror("mkdtemp");
1033
goto end;
1034
}
1035
tempdir_created = true;
1036
1037
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1038
fprintf(stderr, "init_gpgme failed\n");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
} else {
1042
gpgme_initialized = true;
732
1043
}
733
1044
734
1045
if_index = (AvahiIfIndex) if_nametoindex(interface);
735
1046
if(if_index == 0){
736
1047
fprintf(stderr, "No such interface: \"%s\"\n", interface);
737
exit(EXIT_FAILURE);
1048
exitcode = EXIT_FAILURE;
1049
goto end;
738
1050
}
739
1051
740
1052
if(connect_to != NULL){
743
1055
char *address = strrchr(connect_to, ':');
744
1056
if(address == NULL){
745
1057
fprintf(stderr, "No colon in address\n");
746
exit(EXIT_FAILURE);
747
}
748
errno = 0;
749
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
750
if(errno){
751
perror("Bad port number");
752
exit(EXIT_FAILURE);
753
}
1058
exitcode = EXIT_FAILURE;
1059
goto end;
1060
}
1061
uint16_t port;
1062
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1063
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1064
or address[numchars+1] != '\0'){
1065
fprintf(stderr, "Bad port number\n");
1066
exitcode = EXIT_FAILURE;
1067
goto end;
1068
}
1069
port = (uint16_t)tmpmax;
754
1070
*address = '\0';
755
1071
address = connect_to;
756
1072
ret = start_mandos_communication(address, port, if_index, &mc);
757
1073
if(ret < 0){
758
exit(EXIT_FAILURE);
1074
exitcode = EXIT_FAILURE;
759
1075
} else {
760
exit(EXIT_SUCCESS);
761
}
762
}
763
764
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
765
if(sd < 0) {
766
perror("socket");
767
returncode = EXIT_FAILURE;
768
goto exit;
769
}
770
strcpy(network.ifr_name, interface); /* Spurious warning */
771
ret = ioctl(sd, SIOCGIFFLAGS, &network);
772
if(ret == -1){
773
774
perror("ioctl SIOCGIFFLAGS");
775
returncode = EXIT_FAILURE;
776
goto exit;
777
}
778
if((network.ifr_flags & IFF_UP) == 0){
779
network.ifr_flags |= IFF_UP;
780
ret = ioctl(sd, SIOCSIFFLAGS, &network);
781
if(ret == -1){
782
perror("ioctl SIOCSIFFLAGS");
783
returncode = EXIT_FAILURE;
784
goto exit;
785
}
786
}
787
close(sd);
788
789
if (not debug){
1076
exitcode = EXIT_SUCCESS;
1077
}
1078
goto end;
1079
}
1080
1081
if(not debug){
790
1082
avahi_set_log_function(empty_log);
791
1083
}
792
1084
793
/* Initialize the psuedo-RNG */
1085
/* Initialize the pseudo-RNG for Avahi */
794
1086
srand((unsigned int) time(NULL));
795
796
/* Allocate main loop object */
797
if (!(mc.simple_poll = avahi_simple_poll_new())) {
798
fprintf(stderr, "Failed to create simple poll object.\n");
799
returncode = EXIT_FAILURE;
800
goto exit;
801
}
802
803
/* Do not publish any local records */
804
avahi_server_config_init(&config);
805
config.publish_hinfo = 0;
806
config.publish_addresses = 0;
807
config.publish_workstation = 0;
808
config.publish_domain = 0;
809
810
/* Allocate a new server */
811
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
812
&config, NULL, NULL, &error);
813
814
/* Free the configuration data */
815
avahi_server_config_free(&config);
816
817
/* Check if creating the server object succeeded */
818
if (!mc.server) {
819
fprintf(stderr, "Failed to create server: %s\n",
1087
1088
/* Allocate main Avahi loop object */
1089
mc.simple_poll = avahi_simple_poll_new();
1090
if(mc.simple_poll == NULL) {
1091
fprintf(stderr, "Avahi: Failed to create simple poll"
1092
" object.\n");
1093
exitcode = EXIT_FAILURE;
1094
goto end;
1095
}
1096
1097
{
1098
AvahiServerConfig config;
1099
/* Do not publish any local Zeroconf records */
1100
avahi_server_config_init(&config);
1101
config.publish_hinfo = 0;
1102
config.publish_addresses = 0;
1103
config.publish_workstation = 0;
1104
config.publish_domain = 0;
1105
1106
/* Allocate a new server */
1107
mc.server = avahi_server_new(avahi_simple_poll_get
1108
(mc.simple_poll), &config, NULL,
1109
NULL, &error);
1110
1111
/* Free the Avahi configuration data */
1112
avahi_server_config_free(&config);
1113
}
1114
1115
/* Check if creating the Avahi server object succeeded */
1116
if(mc.server == NULL) {
1117
fprintf(stderr, "Failed to create Avahi server: %s\n",
820
1118
avahi_strerror(error));
821
returncode = EXIT_FAILURE;
822
goto exit;
1119
exitcode = EXIT_FAILURE;
1120
goto end;
823
1121
}
824
1122
825
/* Create the service browser */
1123
/* Create the Avahi service browser */
826
1124
sb = avahi_s_service_browser_new(mc.server, if_index,
827
1125
AVAHI_PROTO_INET6,
828
1126
"_mandos._tcp", NULL, 0,
829
1127
browse_callback, &mc);
830
if (!sb) {
1128
if(sb == NULL) {
831
1129
fprintf(stderr, "Failed to create service browser: %s\n",
832
1130
avahi_strerror(avahi_server_errno(mc.server)));
833
returncode = EXIT_FAILURE;
834
goto exit;
1131
exitcode = EXIT_FAILURE;
1132
goto end;
835
1133
}
836
1134
837
1135
/* Run the main loop */
1136
1137
if(debug){
1138
fprintf(stderr, "Starting Avahi loop search\n");
1139
}
838
1140
839
if (debug){
840
fprintf(stderr, "Starting avahi loop search\n");
841
}
842
843
1141
avahi_simple_poll_loop(mc.simple_poll);
844
1142
845
exit:
846
847
if (debug){
1143
end:
1144
1145
if(debug){
848
1146
fprintf(stderr, "%s exiting\n", argv[0]);
849
1147
}
850
1148
851
1149
/* Cleanup things */
852
if (sb)
1150
if(sb != NULL)
853
1151
avahi_s_service_browser_free(sb);
854
1152
855
if (mc.server)
1153
if(mc.server != NULL)
856
1154
avahi_server_free(mc.server);
857
858
if (mc.simple_poll)
1155
1156
if(mc.simple_poll != NULL)
859
1157
avahi_simple_poll_free(mc.simple_poll);
860
free(pubkeyfile);
861
free(seckeyfile);
862
863
return returncode;
1158
1159
if(gnutls_initialized){
1160
gnutls_certificate_free_credentials(mc.cred);
1161
gnutls_global_deinit();
1162
gnutls_dh_params_deinit(mc.dh_params);
1163
}
1164
1165
if(gpgme_initialized){
1166
gpgme_release(mc.ctx);
1167
}
1168
1169
/* Removes the temp directory used by GPGME */
1170
if(tempdir_created){
1171
DIR *d;
1172
struct dirent *direntry;
1173
d = opendir(tempdir);
1174
if(d == NULL){
1175
if(errno != ENOENT){
1176
perror("opendir");
1177
}
1178
} else {
1179
while(true){
1180
direntry = readdir(d);
1181
if(direntry == NULL){
1182
break;
1183
}
1184
/* Skip "." and ".." */
1185
if(direntry->d_name[0] == '.'
1186
and (direntry->d_name[1] == '\0'
1187
or (direntry->d_name[1] == '.'
1188
and direntry->d_name[2] == '\0'))){
1189
continue;
1190
}
1191
char *fullname = NULL;
1192
ret = asprintf(&fullname, "%s/%s", tempdir,
1193
direntry->d_name);
1194
if(ret < 0){
1195
perror("asprintf");
1196
continue;
1197
}
1198
ret = remove(fullname);
1199
if(ret == -1){
1200
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1201
strerror(errno));
1202
}
1203
free(fullname);
1204
}
1205
closedir(d);
1206
}
1207
ret = rmdir(tempdir);
1208
if(ret == -1 and errno != ENOENT){
1209
perror("rmdir");
1210
}
1211
}
1212
1213
return exitcode;
864
1214
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0