(root)/mandos/release
» Revision
237.2.71
(compared to revision 24.1.10)
: plugins.d/mandos-client.c
To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.71
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.71
- Committer: Teddy Hogeborn
- Date: 2009-02-09 19:26:19 UTC
- mto: (24.1.136 mandos) (237.4.2 mandos-pipe-ipc) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090209192619-7rse82x9pypq4ihk
* plugin-runner.c: Comment change.
* plugins.d/mandos-client.c: Comment changes.
(quit_now): New global flag.
(handle_sigterm): Only call avahi_simple_poll_quit once.
(main): Also handle SIGINT and SIGHUP.
* plugins.d/mandos-client.c: Comment changes.
(quit_now): New global flag.
(handle_sigterm): Only call avahi_simple_poll_quit once.
(main): Also handle SIGINT and SIGHUP.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
43
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
44
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
45
90
#include <avahi-core/core.h>
46
91
#include <avahi-core/lookup.h>
47
92
#include <avahi-core/log.h>
49
94
#include <avahi-common/malloc.h>
50
95
#include <avahi-common/error.h>
51
96
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt long
71
#include <getopt.h>
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
72
113
73
114
#define BUFFER_SIZE 256
74
#define DH_BITS 1024
75
115
76
static const char *certdir = "/conf/conf.d/mandos";
77
static const char *certfile = "openpgp-client.txt";
78
static const char *certkey = "openpgp-client-key.txt";
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
79
119
80
120
bool debug = false;
81
82
const char mandos_protocol_version[] = "1";
83
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
124
125
/* Used for passing in values through the Avahi callback functions */
84
126
typedef struct {
85
127
AvahiSimplePoll *simple_poll;
86
128
AvahiServer *server;
87
129
gnutls_certificate_credentials_t cred;
88
130
unsigned int dh_bits;
131
gnutls_dh_params_t dh_params;
89
132
const char *priority;
133
gpgme_ctx_t ctx;
90
134
} mandos_context;
91
135
92
size_t adjustbuffer(char *buffer, size_t buffer_length,
136
/* global context so signal handler can reach it*/
137
mandos_context mc;
138
139
/*
140
* Make additional room in "buffer" for at least BUFFER_SIZE more
141
* bytes. "buffer_capacity" is how much is currently allocated,
142
* "buffer_length" is how much is already used.
143
*/
144
size_t incbuffer(char **buffer, size_t buffer_length,
93
145
size_t buffer_capacity){
94
if (buffer_length + BUFFER_SIZE > buffer_capacity){
95
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
96
if (buffer == NULL){
146
if(buffer_length + BUFFER_SIZE > buffer_capacity){
147
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
148
if(buffer == NULL){
97
149
return 0;
98
150
}
99
151
buffer_capacity += BUFFER_SIZE;
101
153
return buffer_capacity;
102
154
}
103
155
104
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
105
char **new_packet,
106
const char *homedir){
107
gpgme_data_t dh_crypto, dh_plain;
108
gpgme_ctx_t ctx;
156
/*
157
* Initialize GPGME.
158
*/
159
static bool init_gpgme(const char *seckey,
160
const char *pubkey, const char *tempdir){
161
int ret;
109
162
gpgme_error_t rc;
110
ssize_t ret;
111
size_t new_packet_capacity = 0;
112
ssize_t new_packet_length = 0;
113
163
gpgme_engine_info_t engine_info;
114
115
if (debug){
116
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
164
165
166
/*
167
* Helper function to insert pub and seckey to the engine keyring.
168
*/
169
bool import_key(const char *filename){
170
int fd;
171
gpgme_data_t pgp_data;
172
173
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
174
if(fd == -1){
175
perror("open");
176
return false;
177
}
178
179
rc = gpgme_data_new_from_fd(&pgp_data, fd);
180
if(rc != GPG_ERR_NO_ERROR){
181
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
182
gpgme_strsource(rc), gpgme_strerror(rc));
183
return false;
184
}
185
186
rc = gpgme_op_import(mc.ctx, pgp_data);
187
if(rc != GPG_ERR_NO_ERROR){
188
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
189
gpgme_strsource(rc), gpgme_strerror(rc));
190
return false;
191
}
192
193
ret = (int)TEMP_FAILURE_RETRY(close(fd));
194
if(ret == -1){
195
perror("close");
196
}
197
gpgme_data_release(pgp_data);
198
return true;
199
}
200
201
if(debug){
202
fprintf(stderr, "Initializing GPGME\n");
117
203
}
118
204
119
205
/* Init GPGME */
120
206
gpgme_check_version(NULL);
121
207
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
122
if (rc != GPG_ERR_NO_ERROR){
208
if(rc != GPG_ERR_NO_ERROR){
123
209
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
124
210
gpgme_strsource(rc), gpgme_strerror(rc));
125
return -1;
211
return false;
126
212
}
127
213
128
/* Set GPGME home directory */
129
rc = gpgme_get_engine_info (&engine_info);
130
if (rc != GPG_ERR_NO_ERROR){
214
/* Set GPGME home directory for the OpenPGP engine only */
215
rc = gpgme_get_engine_info(&engine_info);
216
if(rc != GPG_ERR_NO_ERROR){
131
217
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
132
218
gpgme_strsource(rc), gpgme_strerror(rc));
133
return -1;
219
return false;
134
220
}
135
221
while(engine_info != NULL){
136
222
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
137
223
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
138
engine_info->file_name, homedir);
224
engine_info->file_name, tempdir);
139
225
break;
140
226
}
141
227
engine_info = engine_info->next;
142
228
}
143
229
if(engine_info == NULL){
144
fprintf(stderr, "Could not set home dir to %s\n", homedir);
145
return -1;
146
}
147
148
/* Create new GPGME data buffer from packet buffer */
149
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
150
if (rc != GPG_ERR_NO_ERROR){
230
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
231
return false;
232
}
233
234
/* Create new GPGME "context" */
235
rc = gpgme_new(&(mc.ctx));
236
if(rc != GPG_ERR_NO_ERROR){
237
fprintf(stderr, "bad gpgme_new: %s: %s\n",
238
gpgme_strsource(rc), gpgme_strerror(rc));
239
return false;
240
}
241
242
if(not import_key(pubkey) or not import_key(seckey)){
243
return false;
244
}
245
246
return true;
247
}
248
249
/*
250
* Decrypt OpenPGP data.
251
* Returns -1 on error
252
*/
253
static ssize_t pgp_packet_decrypt(const char *cryptotext,
254
size_t crypto_size,
255
char **plaintext){
256
gpgme_data_t dh_crypto, dh_plain;
257
gpgme_error_t rc;
258
ssize_t ret;
259
size_t plaintext_capacity = 0;
260
ssize_t plaintext_length = 0;
261
262
if(debug){
263
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
264
}
265
266
/* Create new GPGME data buffer from memory cryptotext */
267
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
268
0);
269
if(rc != GPG_ERR_NO_ERROR){
151
270
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
152
271
gpgme_strsource(rc), gpgme_strerror(rc));
153
272
return -1;
155
274
156
275
/* Create new empty GPGME data buffer for the plaintext */
157
276
rc = gpgme_data_new(&dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
277
if(rc != GPG_ERR_NO_ERROR){
159
278
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
160
279
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
162
}
163
164
/* Create new GPGME "context" */
165
rc = gpgme_new(&ctx);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_new: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return -1;
170
}
171
172
/* Decrypt data from the FILE pointer to the plaintext data
173
buffer */
174
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
175
if (rc != GPG_ERR_NO_ERROR){
280
gpgme_data_release(dh_crypto);
281
return -1;
282
}
283
284
/* Decrypt data from the cryptotext data buffer to the plaintext
285
data buffer */
286
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
287
if(rc != GPG_ERR_NO_ERROR){
176
288
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
177
289
gpgme_strsource(rc), gpgme_strerror(rc));
178
return -1;
290
plaintext_length = -1;
291
if(debug){
292
gpgme_decrypt_result_t result;
293
result = gpgme_op_decrypt_result(mc.ctx);
294
if(result == NULL){
295
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
296
} else {
297
fprintf(stderr, "Unsupported algorithm: %s\n",
298
result->unsupported_algorithm);
299
fprintf(stderr, "Wrong key usage: %u\n",
300
result->wrong_key_usage);
301
if(result->file_name != NULL){
302
fprintf(stderr, "File name: %s\n", result->file_name);
303
}
304
gpgme_recipient_t recipient;
305
recipient = result->recipients;
306
if(recipient){
307
while(recipient != NULL){
308
fprintf(stderr, "Public key algorithm: %s\n",
309
gpgme_pubkey_algo_name(recipient->pubkey_algo));
310
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
311
fprintf(stderr, "Secret key available: %s\n",
312
recipient->status == GPG_ERR_NO_SECKEY
313
? "No" : "Yes");
314
recipient = recipient->next;
315
}
316
}
317
}
318
}
319
goto decrypt_end;
179
320
}
180
321
181
322
if(debug){
182
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
183
}
184
185
if (debug){
186
gpgme_decrypt_result_t result;
187
result = gpgme_op_decrypt_result(ctx);
188
if (result == NULL){
189
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
190
} else {
191
fprintf(stderr, "Unsupported algorithm: %s\n",
192
result->unsupported_algorithm);
193
fprintf(stderr, "Wrong key usage: %d\n",
194
result->wrong_key_usage);
195
if(result->file_name != NULL){
196
fprintf(stderr, "File name: %s\n", result->file_name);
197
}
198
gpgme_recipient_t recipient;
199
recipient = result->recipients;
200
if(recipient){
201
while(recipient != NULL){
202
fprintf(stderr, "Public key algorithm: %s\n",
203
gpgme_pubkey_algo_name(recipient->pubkey_algo));
204
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
205
fprintf(stderr, "Secret key available: %s\n",
206
recipient->status == GPG_ERR_NO_SECKEY
207
? "No" : "Yes");
208
recipient = recipient->next;
209
}
210
}
211
}
212
}
213
214
/* Delete the GPGME FILE pointer cryptotext data buffer */
215
gpgme_data_release(dh_crypto);
323
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
324
}
216
325
217
326
/* Seek back to the beginning of the GPGME plaintext data buffer */
218
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
219
perror("pgpme_data_seek");
327
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
328
perror("gpgme_data_seek");
329
plaintext_length = -1;
330
goto decrypt_end;
220
331
}
221
332
222
*new_packet = 0;
333
*plaintext = NULL;
223
334
while(true){
224
new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,
225
new_packet_capacity);
226
if (new_packet_capacity == 0){
227
perror("adjustbuffer");
228
return -1;
229
}
230
new_packet_capacity += BUFFER_SIZE;
335
plaintext_capacity = incbuffer(plaintext,
336
(size_t)plaintext_length,
337
plaintext_capacity);
338
if(plaintext_capacity == 0){
339
perror("incbuffer");
340
plaintext_length = -1;
341
goto decrypt_end;
231
342
}
232
343
233
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
344
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
234
345
BUFFER_SIZE);
235
346
/* Print the data, if any */
236
if (ret == 0){
347
if(ret == 0){
348
/* EOF */
237
349
break;
238
350
}
239
351
if(ret < 0){
240
352
perror("gpgme_data_read");
241
return -1;
242
}
243
new_packet_length += ret;
244
}
245
246
/* FIXME: check characters before printing to screen so to not print
247
terminal control characters */
248
/* if(debug){ */
249
/* fprintf(stderr, "decrypted password is: "); */
250
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
251
/* fprintf(stderr, "\n"); */
252
/* } */
353
plaintext_length = -1;
354
goto decrypt_end;
355
}
356
plaintext_length += ret;
357
}
358
359
if(debug){
360
fprintf(stderr, "Decrypted password is: ");
361
for(ssize_t i = 0; i < plaintext_length; i++){
362
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
363
}
364
fprintf(stderr, "\n");
365
}
366
367
decrypt_end:
368
369
/* Delete the GPGME cryptotext data buffer */
370
gpgme_data_release(dh_crypto);
253
371
254
372
/* Delete the GPGME plaintext data buffer */
255
373
gpgme_data_release(dh_plain);
256
return new_packet_length;
374
return plaintext_length;
257
375
}
258
376
259
static const char * safer_gnutls_strerror (int value) {
260
const char *ret = gnutls_strerror (value);
261
if (ret == NULL)
377
static const char * safer_gnutls_strerror(int value){
378
const char *ret = gnutls_strerror(value); /* Spurious warning from
379
-Wunreachable-code */
380
if(ret == NULL)
262
381
ret = "(unknown)";
263
382
return ret;
264
383
}
265
384
385
/* GnuTLS log function callback */
266
386
static void debuggnutls(__attribute__((unused)) int level,
267
387
const char* string){
268
fprintf(stderr, "%s", string);
388
fprintf(stderr, "GnuTLS: %s", string);
269
389
}
270
390
271
static int initgnutls(mandos_context *mc){
272
const char *err;
391
static int init_gnutls_global(const char *pubkeyfilename,
392
const char *seckeyfilename){
273
393
int ret;
274
394
275
395
if(debug){
276
396
fprintf(stderr, "Initializing GnuTLS\n");
277
397
}
278
279
if ((ret = gnutls_global_init ())
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
398
399
ret = gnutls_global_init();
400
if(ret != GNUTLS_E_SUCCESS){
401
fprintf(stderr, "GnuTLS global_init: %s\n",
402
safer_gnutls_strerror(ret));
282
403
return -1;
283
404
}
284
285
if (debug){
405
406
if(debug){
407
/* "Use a log level over 10 to enable all debugging options."
408
* - GnuTLS manual
409
*/
286
410
gnutls_global_set_log_level(11);
287
411
gnutls_global_set_log_function(debuggnutls);
288
412
}
289
413
290
/* openpgp credentials */
291
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
292
!= GNUTLS_E_SUCCESS) {
293
fprintf (stderr, "memory error: %s\n",
294
safer_gnutls_strerror(ret));
414
/* OpenPGP credentials */
415
gnutls_certificate_allocate_credentials(&mc.cred);
416
if(ret != GNUTLS_E_SUCCESS){
417
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
418
from
419
-Wunreachable-code
420
*/
421
safer_gnutls_strerror(ret));
422
gnutls_global_deinit();
295
423
return -1;
296
424
}
297
425
298
426
if(debug){
299
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
300
" and keyfile %s as GnuTLS credentials\n", certfile,
301
certkey);
427
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
428
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
429
seckeyfilename);
302
430
}
303
431
304
432
ret = gnutls_certificate_set_openpgp_key_file
305
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
306
if (ret != GNUTLS_E_SUCCESS) {
307
fprintf
308
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
309
" '%s')\n",
310
ret, certfile, certkey);
311
fprintf(stdout, "The Error is: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
//GnuTLS server initialization
317
if ((ret = gnutls_dh_params_init (&es->dh_params))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf (stderr, "Error in dh parameter initialization: %s\n",
320
safer_gnutls_strerror(ret));
321
return -1;
322
}
323
324
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "Error in prime generation: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
329
}
330
331
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
332
333
// GnuTLS session creation
334
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
335
!= GNUTLS_E_SUCCESS){
433
(mc.cred, pubkeyfilename, seckeyfilename,
434
GNUTLS_OPENPGP_FMT_BASE64);
435
if(ret != GNUTLS_E_SUCCESS){
436
fprintf(stderr,
437
"Error[%d] while reading the OpenPGP key pair ('%s',"
438
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
439
fprintf(stderr, "The GnuTLS error is: %s\n",
440
safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
444
/* GnuTLS server initialization */
445
ret = gnutls_dh_params_init(&mc.dh_params);
446
if(ret != GNUTLS_E_SUCCESS){
447
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
448
" %s\n", safer_gnutls_strerror(ret));
449
goto globalfail;
450
}
451
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
452
if(ret != GNUTLS_E_SUCCESS){
453
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
454
safer_gnutls_strerror(ret));
455
goto globalfail;
456
}
457
458
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
459
460
return 0;
461
462
globalfail:
463
464
gnutls_certificate_free_credentials(mc.cred);
465
gnutls_global_deinit();
466
gnutls_dh_params_deinit(mc.dh_params);
467
return -1;
468
}
469
470
static int init_gnutls_session(gnutls_session_t *session){
471
int ret;
472
/* GnuTLS session creation */
473
ret = gnutls_init(session, GNUTLS_SERVER);
474
if(ret != GNUTLS_E_SUCCESS){
336
475
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
337
476
safer_gnutls_strerror(ret));
338
477
}
339
478
340
if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))
341
!= GNUTLS_E_SUCCESS) {
342
fprintf(stderr, "Syntax error at: %s\n", err);
343
fprintf(stderr, "GnuTLS error: %s\n",
344
safer_gnutls_strerror(ret));
345
return -1;
479
{
480
const char *err;
481
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
482
if(ret != GNUTLS_E_SUCCESS){
483
fprintf(stderr, "Syntax error at: %s\n", err);
484
fprintf(stderr, "GnuTLS error: %s\n",
485
safer_gnutls_strerror(ret));
486
gnutls_deinit(*session);
487
return -1;
488
}
346
489
}
347
490
348
if ((ret = gnutls_credentials_set
349
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
350
!= GNUTLS_E_SUCCESS) {
351
fprintf(stderr, "Error setting a credentials set: %s\n",
491
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
492
mc.cred);
493
if(ret != GNUTLS_E_SUCCESS){
494
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
352
495
safer_gnutls_strerror(ret));
496
gnutls_deinit(*session);
353
497
return -1;
354
498
}
355
499
356
500
/* ignore client certificate if any. */
357
gnutls_certificate_server_set_request (es->session,
358
GNUTLS_CERT_IGNORE);
501
gnutls_certificate_server_set_request(*session,
502
GNUTLS_CERT_IGNORE);
359
503
360
gnutls_dh_set_prime_bits (es->session, DH_BITS);
504
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
361
505
362
506
return 0;
363
507
}
364
508
509
/* Avahi log function callback */
365
510
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
366
511
__attribute__((unused)) const char *txt){}
367
512
513
/* Called when a Mandos server is found */
368
514
static int start_mandos_communication(const char *ip, uint16_t port,
369
515
AvahiIfIndex if_index,
370
mandos_context *mc){
516
int af){
371
517
int ret, tcp_sd;
372
struct sockaddr_in6 to;
373
encrypted_session es;
518
ssize_t sret;
519
union {
520
struct sockaddr_in in;
521
struct sockaddr_in6 in6;
522
} to;
374
523
char *buffer = NULL;
375
524
char *decrypted_buffer;
376
525
size_t buffer_length = 0;
378
527
ssize_t decrypted_buffer_size;
379
528
size_t written;
380
529
int retval = 0;
381
char interface[IF_NAMESIZE];
530
gnutls_session_t session;
531
int pf; /* Protocol family */
532
533
switch(af){
534
case AF_INET6:
535
pf = PF_INET6;
536
break;
537
case AF_INET:
538
pf = PF_INET;
539
break;
540
default:
541
fprintf(stderr, "Bad address family: %d\n", af);
542
return -1;
543
}
544
545
ret = init_gnutls_session(&session);
546
if(ret != 0){
547
return -1;
548
}
382
549
383
550
if(debug){
384
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
385
ip, port);
551
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
552
"\n", ip, port);
386
553
}
387
554
388
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
389
if(tcp_sd < 0) {
555
tcp_sd = socket(pf, SOCK_STREAM, 0);
556
if(tcp_sd < 0){
390
557
perror("socket");
391
558
return -1;
392
559
}
393
394
if(debug){
395
if(if_indextoname((unsigned int)if_index, interface) == NULL){
396
if(debug){
397
perror("if_indextoname");
398
}
399
return -1;
400
}
401
402
fprintf(stderr, "Binding to interface %s\n", interface);
403
}
404
560
405
memset(&to,0,sizeof(to)); /* Spurious warning */
406
to.sin6_family = AF_INET6;
407
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
408
if (ret < 0 ){
561
memset(&to, 0, sizeof(to));
562
if(af == AF_INET6){
563
to.in6.sin6_family = (uint16_t)af;
564
ret = inet_pton(af, ip, &to.in6.sin6_addr);
565
} else { /* IPv4 */
566
to.in.sin_family = (sa_family_t)af;
567
ret = inet_pton(af, ip, &to.in.sin_addr);
568
}
569
if(ret < 0 ){
409
570
perror("inet_pton");
410
571
return -1;
411
}
572
}
412
573
if(ret == 0){
413
574
fprintf(stderr, "Bad address: %s\n", ip);
414
575
return -1;
415
576
}
416
to.sin6_port = htons(port); /* Spurious warning */
417
418
to.sin6_scope_id = (uint32_t)if_index;
577
if(af == AF_INET6){
578
to.in6.sin6_port = htons(port); /* Spurious warnings from
579
-Wconversion and
580
-Wunreachable-code */
581
582
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
583
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
584
-Wunreachable-code*/
585
if(if_index == AVAHI_IF_UNSPEC){
586
fprintf(stderr, "An IPv6 link-local address is incomplete"
587
" without a network interface\n");
588
return -1;
589
}
590
/* Set the network interface number as scope */
591
to.in6.sin6_scope_id = (uint32_t)if_index;
592
}
593
} else {
594
to.in.sin_port = htons(port); /* Spurious warnings from
595
-Wconversion and
596
-Wunreachable-code */
597
}
419
598
420
599
if(debug){
421
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
422
/* char addrstr[INET6_ADDRSTRLEN]; */
423
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
424
/* sizeof(addrstr)) == NULL){ */
425
/* perror("inet_ntop"); */
426
/* } else { */
427
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
428
/* addrstr, ntohs(to.sin6_port)); */
429
/* } */
600
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
601
char interface[IF_NAMESIZE];
602
if(if_indextoname((unsigned int)if_index, interface) == NULL){
603
perror("if_indextoname");
604
} else {
605
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
606
ip, interface, port);
607
}
608
} else {
609
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
610
port);
611
}
612
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
613
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
614
const char *pcret;
615
if(af == AF_INET6){
616
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
617
sizeof(addrstr));
618
} else {
619
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
620
sizeof(addrstr));
621
}
622
if(pcret == NULL){
623
perror("inet_ntop");
624
} else {
625
if(strcmp(addrstr, ip) != 0){
626
fprintf(stderr, "Canonical address form: %s\n", addrstr);
627
}
628
}
430
629
}
431
630
432
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
433
if (ret < 0){
631
if(af == AF_INET6){
632
ret = connect(tcp_sd, &to.in6, sizeof(to));
633
} else {
634
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
635
}
636
if(ret < 0){
434
637
perror("connect");
435
638
return -1;
436
639
}
437
438
char *out = mandos_protocol_version;
640
641
const char *out = mandos_protocol_version;
439
642
written = 0;
440
while (true){
643
while(true){
441
644
size_t out_size = strlen(out);
442
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
645
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
443
646
out_size - written));
444
if (ret == -1){
647
if(ret == -1){
445
648
perror("write");
446
649
retval = -1;
447
goto end;
650
goto mandos_end;
448
651
}
449
written += ret;
652
written += (size_t)ret;
450
653
if(written < out_size){
451
654
continue;
452
655
} else {
453
if (out == mandos_protocol_version){
656
if(out == mandos_protocol_version){
454
657
written = 0;
455
658
out = "\r\n";
456
659
} else {
458
661
}
459
662
}
460
663
}
461
462
ret = initgnutls (&es);
463
if (ret != 0){
464
retval = -1;
465
return -1;
466
}
467
468
gnutls_transport_set_ptr (es.session,
469
(gnutls_transport_ptr_t) tcp_sd);
470
664
471
665
if(debug){
472
666
fprintf(stderr, "Establishing TLS session with %s\n", ip);
473
667
}
474
668
475
ret = gnutls_handshake (es.session);
476
477
if (ret != GNUTLS_E_SUCCESS){
669
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
670
671
do{
672
ret = gnutls_handshake(session);
673
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
674
675
if(ret != GNUTLS_E_SUCCESS){
478
676
if(debug){
479
fprintf(stderr, "\n*** Handshake failed ***\n");
480
gnutls_perror (ret);
677
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
678
gnutls_perror(ret);
481
679
}
482
680
retval = -1;
483
goto exit;
681
goto mandos_end;
484
682
}
485
683
486
//Retrieve OpenPGP packet that contains the wanted password
684
/* Read OpenPGP packet that contains the wanted password */
487
685
488
686
if(debug){
489
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
687
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
490
688
ip);
491
689
}
492
690
493
691
while(true){
494
buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);
495
if (buffer_capacity == 0){
496
perror("adjustbuffer");
692
buffer_capacity = incbuffer(&buffer, buffer_length,
693
buffer_capacity);
694
if(buffer_capacity == 0){
695
perror("incbuffer");
497
696
retval = -1;
498
goto exit;
697
goto mandos_end;
499
698
}
500
699
501
ret = gnutls_record_recv
502
(es.session, buffer+buffer_length, BUFFER_SIZE);
503
if (ret == 0){
700
sret = gnutls_record_recv(session, buffer+buffer_length,
701
BUFFER_SIZE);
702
if(sret == 0){
504
703
break;
505
704
}
506
if (ret < 0){
507
switch(ret){
705
if(sret < 0){
706
switch(sret){
508
707
case GNUTLS_E_INTERRUPTED:
509
708
case GNUTLS_E_AGAIN:
510
709
break;
511
710
case GNUTLS_E_REHANDSHAKE:
512
ret = gnutls_handshake (es.session);
513
if (ret < 0){
514
fprintf(stderr, "\n*** Handshake failed ***\n");
515
gnutls_perror (ret);
711
do{
712
ret = gnutls_handshake(session);
713
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
714
if(ret < 0){
715
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
716
gnutls_perror(ret);
516
717
retval = -1;
517
goto exit;
718
goto mandos_end;
518
719
}
519
720
break;
520
721
default:
521
722
fprintf(stderr, "Unknown error while reading data from"
522
" encrypted session with mandos server\n");
723
" encrypted session with Mandos server\n");
523
724
retval = -1;
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
goto exit;
725
gnutls_bye(session, GNUTLS_SHUT_RDWR);
726
goto mandos_end;
526
727
}
527
728
} else {
528
buffer_length += (size_t) ret;
729
buffer_length += (size_t) sret;
529
730
}
530
731
}
531
732
532
if (buffer_length > 0){
733
if(debug){
734
fprintf(stderr, "Closing TLS session\n");
735
}
736
737
gnutls_bye(session, GNUTLS_SHUT_RDWR);
738
739
if(buffer_length > 0){
533
740
decrypted_buffer_size = pgp_packet_decrypt(buffer,
534
741
buffer_length,
535
&decrypted_buffer,
536
certdir);
537
if (decrypted_buffer_size >= 0){
742
&decrypted_buffer);
743
if(decrypted_buffer_size >= 0){
538
744
written = 0;
539
745
while(written < (size_t) decrypted_buffer_size){
540
ret = (int)fwrite (decrypted_buffer + written, 1,
541
(size_t)decrypted_buffer_size - written,
542
stdout);
746
ret = (int)fwrite(decrypted_buffer + written, 1,
747
(size_t)decrypted_buffer_size - written,
748
stdout);
543
749
if(ret == 0 and ferror(stdout)){
544
750
if(debug){
545
751
fprintf(stderr, "Error writing encrypted data: %s\n",
554
760
} else {
555
761
retval = -1;
556
762
}
557
}
558
559
//shutdown procedure
560
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
763
} else {
764
retval = -1;
765
}
766
767
/* Shutdown procedure */
768
769
mandos_end:
565
770
free(buffer);
566
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
567
exit:
568
close(tcp_sd);
569
gnutls_deinit (es.session);
570
gnutls_certificate_free_credentials (es.cred);
571
gnutls_global_deinit ();
771
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
772
if(ret == -1){
773
perror("close");
774
}
775
gnutls_deinit(session);
572
776
return retval;
573
777
}
574
778
575
static void resolve_callback( AvahiSServiceResolver *r,
576
AvahiIfIndex interface,
577
AVAHI_GCC_UNUSED AvahiProtocol protocol,
578
AvahiResolverEvent event,
579
const char *name,
580
const char *type,
581
const char *domain,
582
const char *host_name,
583
const AvahiAddress *address,
584
uint16_t port,
585
AVAHI_GCC_UNUSED AvahiStringList *txt,
586
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
587
AVAHI_GCC_UNUSED void* userdata) {
588
mandos_context *mc = userdata;
589
assert(r); /* Spurious warning */
779
static void resolve_callback(AvahiSServiceResolver *r,
780
AvahiIfIndex interface,
781
AvahiProtocol proto,
782
AvahiResolverEvent event,
783
const char *name,
784
const char *type,
785
const char *domain,
786
const char *host_name,
787
const AvahiAddress *address,
788
uint16_t port,
789
AVAHI_GCC_UNUSED AvahiStringList *txt,
790
AVAHI_GCC_UNUSED AvahiLookupResultFlags
791
flags,
792
AVAHI_GCC_UNUSED void* userdata){
793
assert(r);
590
794
591
795
/* Called whenever a service has been resolved successfully or
592
796
timed out */
593
797
594
switch (event) {
798
switch(event){
595
799
default:
596
800
case AVAHI_RESOLVER_FAILURE:
597
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
598
" type '%s' in domain '%s': %s\n", name, type, domain,
599
avahi_strerror(avahi_server_errno(mc->server)));
801
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
802
" of type '%s' in domain '%s': %s\n", name, type, domain,
803
avahi_strerror(avahi_server_errno(mc.server)));
600
804
break;
601
805
602
806
case AVAHI_RESOLVER_FOUND:
604
808
char ip[AVAHI_ADDRESS_STR_MAX];
605
809
avahi_address_snprint(ip, sizeof(ip), address);
606
810
if(debug){
607
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
608
" port %d\n", name, host_name, ip, port);
811
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
812
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
813
ip, (intmax_t)interface, port);
609
814
}
610
int ret = start_mandos_communication(ip, port, interface, mc);
611
if (ret == 0){
612
exit(EXIT_SUCCESS);
815
int ret = start_mandos_communication(ip, port, interface,
816
avahi_proto_to_af(proto));
817
if(ret == 0){
818
avahi_simple_poll_quit(mc.simple_poll);
613
819
}
614
820
}
615
821
}
616
822
avahi_s_service_resolver_free(r);
617
823
}
618
824
619
static void browse_callback( AvahiSServiceBrowser *b,
620
AvahiIfIndex interface,
621
AvahiProtocol protocol,
622
AvahiBrowserEvent event,
623
const char *name,
624
const char *type,
625
const char *domain,
626
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
627
void* userdata) {
628
mandos_context *mc = userdata;
629
assert(b); /* Spurious warning */
825
static void browse_callback(AvahiSServiceBrowser *b,
826
AvahiIfIndex interface,
827
AvahiProtocol protocol,
828
AvahiBrowserEvent event,
829
const char *name,
830
const char *type,
831
const char *domain,
832
AVAHI_GCC_UNUSED AvahiLookupResultFlags
833
flags,
834
AVAHI_GCC_UNUSED void* userdata){
835
assert(b);
630
836
631
837
/* Called whenever a new services becomes available on the LAN or
632
838
is removed from the LAN */
633
839
634
switch (event) {
840
switch(event){
635
841
default:
636
842
case AVAHI_BROWSER_FAILURE:
637
638
fprintf(stderr, "(Browser) %s\n",
639
avahi_strerror(avahi_server_errno(mc->server)));
640
avahi_simple_poll_quit(mc->simple_poll);
843
844
fprintf(stderr, "(Avahi browser) %s\n",
845
avahi_strerror(avahi_server_errno(mc.server)));
846
avahi_simple_poll_quit(mc.simple_poll);
641
847
return;
642
848
643
849
case AVAHI_BROWSER_NEW:
644
/* We ignore the returned resolver object. In the callback
645
function we free it. If the server is terminated before
646
the callback function is called the server will free
647
the resolver for us. */
648
649
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
650
type, domain,
850
/* We ignore the returned Avahi resolver object. In the callback
851
function we free it. If the Avahi server is terminated before
852
the callback function is called the Avahi server will free the
853
resolver for us. */
854
855
if(!(avahi_s_service_resolver_new(mc.server, interface,
856
protocol, name, type, domain,
651
857
AVAHI_PROTO_INET6, 0,
652
resolve_callback, mc)))
653
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
654
avahi_strerror(avahi_server_errno(s)));
858
resolve_callback, NULL)))
859
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
860
name, avahi_strerror(avahi_server_errno(mc.server)));
655
861
break;
656
862
657
863
case AVAHI_BROWSER_REMOVE:
658
864
break;
659
865
660
866
case AVAHI_BROWSER_ALL_FOR_NOW:
661
867
case AVAHI_BROWSER_CACHE_EXHAUSTED:
868
if(debug){
869
fprintf(stderr, "No Mandos server found, still searching...\n");
870
}
662
871
break;
663
872
}
664
873
}
665
874
666
/* Combines file name and path and returns the malloced new
667
string. some sane checks could/should be added */
668
static const char *combinepath(const char *first, const char *second){
669
size_t f_len = strlen(first);
670
size_t s_len = strlen(second);
671
char *tmp = malloc(f_len + s_len + 2);
672
if (tmp == NULL){
673
return NULL;
674
}
675
if(f_len > 0){
676
memcpy(tmp, first, f_len);
677
}
678
tmp[f_len] = '/';
679
if(s_len > 0){
680
memcpy(tmp + f_len + 1, second, s_len);
681
}
682
tmp[f_len + 1 + s_len] = '\0';
683
return tmp;
875
sig_atomic_t quit_now = 0;
876
877
static void handle_sigterm(__attribute__((unused)) int sig){
878
if(quit_now){
879
return;
880
}
881
quit_now = 1;
882
int old_errno = errno;
883
if(mc.simple_poll != NULL){
884
avahi_simple_poll_quit(mc.simple_poll);
885
}
886
errno = old_errno;
684
887
}
685
888
889
int main(int argc, char *argv[]){
890
AvahiSServiceBrowser *sb = NULL;
891
int error;
892
int ret;
893
intmax_t tmpmax;
894
int numchars;
895
int exitcode = EXIT_SUCCESS;
896
const char *interface = "eth0";
897
struct ifreq network;
898
int sd;
899
uid_t uid;
900
gid_t gid;
901
char *connect_to = NULL;
902
char tempdir[] = "/tmp/mandosXXXXXX";
903
bool tempdir_created = false;
904
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
905
const char *seckey = PATHDIR "/" SECKEY;
906
const char *pubkey = PATHDIR "/" PUBKEY;
907
908
/* Initialize Mandos context */
909
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
910
.dh_bits = 1024, .priority = "SECURE256"
911
":!CTYPE-X.509:+CTYPE-OPENPGP" };
912
bool gnutls_initialized = false;
913
bool gpgme_initialized = false;
914
double delay = 2.5;
686
915
687
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
688
AvahiServerConfig config;
689
AvahiSServiceBrowser *sb = NULL;
690
int error;
691
int ret;
692
int returncode = EXIT_SUCCESS;
693
const char *interface = "eth0";
694
struct ifreq network;
695
int sd;
696
char *connect_to = NULL;
697
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
698
mandos_context mc = { .simple_poll = NULL, .server = NULL,
699
.dh_bits = 2048, .priority = "SECURE256"};
916
struct sigaction old_sigterm_action;
917
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
918
919
{
920
struct argp_option options[] = {
921
{ .name = "debug", .key = 128,
922
.doc = "Debug mode", .group = 3 },
923
{ .name = "connect", .key = 'c',
924
.arg = "ADDRESS:PORT",
925
.doc = "Connect directly to a specific Mandos server",
926
.group = 1 },
927
{ .name = "interface", .key = 'i',
928
.arg = "NAME",
929
.doc = "Network interface that will be used to search for"
930
" Mandos servers",
931
.group = 1 },
932
{ .name = "seckey", .key = 's',
933
.arg = "FILE",
934
.doc = "OpenPGP secret key file base name",
935
.group = 1 },
936
{ .name = "pubkey", .key = 'p',
937
.arg = "FILE",
938
.doc = "OpenPGP public key file base name",
939
.group = 2 },
940
{ .name = "dh-bits", .key = 129,
941
.arg = "BITS",
942
.doc = "Bit length of the prime number used in the"
943
" Diffie-Hellman key exchange",
944
.group = 2 },
945
{ .name = "priority", .key = 130,
946
.arg = "STRING",
947
.doc = "GnuTLS priority string for the TLS handshake",
948
.group = 1 },
949
{ .name = "delay", .key = 131,
950
.arg = "SECONDS",
951
.doc = "Maximum delay to wait for interface startup",
952
.group = 2 },
953
{ .name = NULL }
954
};
700
955
701
while (true){
702
static struct option long_options[] = {
703
{"debug", no_argument, (int *)&debug, 1},
704
{"connect", required_argument, 0, 'C'},
705
{"interface", required_argument, 0, 'i'},
706
{"certdir", required_argument, 0, 'd'},
707
{"certkey", required_argument, 0, 'c'},
708
{"certfile", required_argument, 0, 'k'},
709
{"dh_bits", required_argument, 0, 'D'},
710
{"priority", required_argument, 0, 'p'},
711
{0, 0, 0, 0} };
712
713
int option_index = 0;
714
ret = getopt_long (argc, argv, "i:", long_options,
715
&option_index);
716
717
if (ret == -1){
718
break;
719
}
720
721
switch(ret){
722
case 0:
723
break;
724
case 'i':
725
interface = optarg;
726
break;
727
case 'C':
728
connect_to = optarg;
729
break;
730
case 'd':
731
certdir = optarg;
732
break;
733
case 'c':
734
certfile = optarg;
735
break;
736
case 'k':
737
certkey = optarg;
738
break;
739
case 'D':
740
{
741
long int tmp;
742
errno = 0;
743
tmp = strtol(optarg, NULL, 10);
744
if (errno == ERANGE){
745
perror("strtol");
746
exit(EXIT_FAILURE);
747
}
748
mc.dh_bits = tmp;
749
}
750
break;
751
case 'p':
752
mc.priority = optarg;
956
error_t parse_opt(int key, char *arg,
957
struct argp_state *state){
958
switch(key){
959
case 128: /* --debug */
960
debug = true;
961
break;
962
case 'c': /* --connect */
963
connect_to = arg;
964
break;
965
case 'i': /* --interface */
966
interface = arg;
967
break;
968
case 's': /* --seckey */
969
seckey = arg;
970
break;
971
case 'p': /* --pubkey */
972
pubkey = arg;
973
break;
974
case 129: /* --dh-bits */
975
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
976
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
977
or arg[numchars] != '\0'){
978
fprintf(stderr, "Bad number of DH bits\n");
979
exit(EXIT_FAILURE);
980
}
981
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
982
break;
983
case 130: /* --priority */
984
mc.priority = arg;
985
break;
986
case 131: /* --delay */
987
ret = sscanf(arg, "%lf%n", &delay, &numchars);
988
if(ret < 1 or arg[numchars] != '\0'){
989
fprintf(stderr, "Bad delay\n");
990
exit(EXIT_FAILURE);
991
}
992
break;
993
case ARGP_KEY_ARG:
994
argp_usage(state);
995
case ARGP_KEY_END:
753
996
break;
754
997
default:
755
exit(EXIT_FAILURE);
756
}
757
}
758
759
certfile = combinepath(certdir, certfile);
760
if (certfile == NULL){
761
perror("combinepath");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
766
certkey = combinepath(certdir, certkey);
767
if (certkey == NULL){
768
perror("combinepath");
769
returncode = EXIT_FAILURE;
770
goto exit;
771
}
772
773
if_index = (AvahiIfIndex) if_nametoindex(interface);
774
if(if_index == 0){
775
fprintf(stderr, "No such interface: \"%s\"\n", interface);
776
exit(EXIT_FAILURE);
777
}
778
779
if(connect_to != NULL){
780
/* Connect directly, do not use Zeroconf */
781
/* (Mainly meant for debugging) */
782
char *address = strrchr(connect_to, ':');
783
if(address == NULL){
784
fprintf(stderr, "No colon in address\n");
785
exit(EXIT_FAILURE);
786
}
787
errno = 0;
788
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
789
if(errno){
790
perror("Bad port number");
791
exit(EXIT_FAILURE);
792
}
793
*address = '\0';
794
address = connect_to;
795
ret = start_mandos_communication(address, port, if_index);
796
if(ret < 0){
797
exit(EXIT_FAILURE);
798
} else {
799
exit(EXIT_SUCCESS);
800
}
801
}
998
return ARGP_ERR_UNKNOWN;
999
}
1000
return 0;
1001
}
1002
1003
struct argp argp = { .options = options, .parser = parse_opt,
1004
.args_doc = "",
1005
.doc = "Mandos client -- Get and decrypt"
1006
" passwords from a Mandos server" };
1007
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1008
if(ret == ARGP_ERR_UNKNOWN){
1009
fprintf(stderr, "Unknown error while parsing arguments\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
}
1014
1015
/* If the interface is down, bring it up */
1016
if(interface[0] != '\0'){
1017
#ifdef __linux__
1018
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1019
messages to mess up the prompt */
1020
ret = klogctl(8, NULL, 5);
1021
bool restore_loglevel = true;
1022
if(ret == -1){
1023
restore_loglevel = false;
1024
perror("klogctl");
1025
}
1026
#endif /* __linux__ */
802
1027
803
1028
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
804
if(sd < 0) {
1029
if(sd < 0){
805
1030
perror("socket");
806
returncode = EXIT_FAILURE;
807
goto exit;
1031
exitcode = EXIT_FAILURE;
1032
#ifdef __linux__
1033
if(restore_loglevel){
1034
ret = klogctl(7, NULL, 0);
1035
if(ret == -1){
1036
perror("klogctl");
1037
}
1038
}
1039
#endif /* __linux__ */
1040
goto end;
808
1041
}
809
strcpy(network.ifr_name, interface);
1042
strcpy(network.ifr_name, interface);
810
1043
ret = ioctl(sd, SIOCGIFFLAGS, &network);
811
1044
if(ret == -1){
812
813
1045
perror("ioctl SIOCGIFFLAGS");
814
returncode = EXIT_FAILURE;
815
goto exit;
1046
#ifdef __linux__
1047
if(restore_loglevel){
1048
ret = klogctl(7, NULL, 0);
1049
if(ret == -1){
1050
perror("klogctl");
1051
}
1052
}
1053
#endif /* __linux__ */
1054
exitcode = EXIT_FAILURE;
1055
goto end;
816
1056
}
817
1057
if((network.ifr_flags & IFF_UP) == 0){
818
1058
network.ifr_flags |= IFF_UP;
819
1059
ret = ioctl(sd, SIOCSIFFLAGS, &network);
820
1060
if(ret == -1){
821
1061
perror("ioctl SIOCSIFFLAGS");
822
returncode = EXIT_FAILURE;
823
goto exit;
824
}
825
}
826
close(sd);
827
828
if (not debug){
829
avahi_set_log_function(empty_log);
830
}
831
832
/* Initialize the psuedo-RNG */
833
srand((unsigned int) time(NULL));
834
835
/* Allocate main loop object */
836
if (!(mc.simple_poll = avahi_simple_poll_new())) {
837
fprintf(stderr, "Failed to create simple poll object.\n");
838
returncode = EXIT_FAILURE;
839
goto exit;
840
}
841
842
/* Do not publish any local records */
1062
exitcode = EXIT_FAILURE;
1063
#ifdef __linux__
1064
if(restore_loglevel){
1065
ret = klogctl(7, NULL, 0);
1066
if(ret == -1){
1067
perror("klogctl");
1068
}
1069
}
1070
#endif /* __linux__ */
1071
goto end;
1072
}
1073
}
1074
/* sleep checking until interface is running */
1075
for(int i=0; i < delay * 4; i++){
1076
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1077
if(ret == -1){
1078
perror("ioctl SIOCGIFFLAGS");
1079
} else if(network.ifr_flags & IFF_RUNNING){
1080
break;
1081
}
1082
struct timespec sleeptime = { .tv_nsec = 250000000 };
1083
ret = nanosleep(&sleeptime, NULL);
1084
if(ret == -1 and errno != EINTR){
1085
perror("nanosleep");
1086
}
1087
}
1088
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1089
if(ret == -1){
1090
perror("close");
1091
}
1092
#ifdef __linux__
1093
if(restore_loglevel){
1094
/* Restores kernel loglevel to default */
1095
ret = klogctl(7, NULL, 0);
1096
if(ret == -1){
1097
perror("klogctl");
1098
}
1099
}
1100
#endif /* __linux__ */
1101
}
1102
1103
uid = getuid();
1104
gid = getgid();
1105
1106
errno = 0;
1107
setgid(gid);
1108
if(ret == -1){
1109
perror("setgid");
1110
}
1111
1112
ret = setuid(uid);
1113
if(ret == -1){
1114
perror("setuid");
1115
}
1116
1117
ret = init_gnutls_global(pubkey, seckey);
1118
if(ret == -1){
1119
fprintf(stderr, "init_gnutls_global failed\n");
1120
exitcode = EXIT_FAILURE;
1121
goto end;
1122
} else {
1123
gnutls_initialized = true;
1124
}
1125
1126
if(mkdtemp(tempdir) == NULL){
1127
perror("mkdtemp");
1128
goto end;
1129
}
1130
tempdir_created = true;
1131
1132
if(not init_gpgme(pubkey, seckey, tempdir)){
1133
fprintf(stderr, "init_gpgme failed\n");
1134
exitcode = EXIT_FAILURE;
1135
goto end;
1136
} else {
1137
gpgme_initialized = true;
1138
}
1139
1140
if(interface[0] != '\0'){
1141
if_index = (AvahiIfIndex) if_nametoindex(interface);
1142
if(if_index == 0){
1143
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1144
exitcode = EXIT_FAILURE;
1145
goto end;
1146
}
1147
}
1148
1149
if(connect_to != NULL){
1150
/* Connect directly, do not use Zeroconf */
1151
/* (Mainly meant for debugging) */
1152
char *address = strrchr(connect_to, ':');
1153
if(address == NULL){
1154
fprintf(stderr, "No colon in address\n");
1155
exitcode = EXIT_FAILURE;
1156
goto end;
1157
}
1158
uint16_t port;
1159
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1160
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1161
or address[numchars+1] != '\0'){
1162
fprintf(stderr, "Bad port number\n");
1163
exitcode = EXIT_FAILURE;
1164
goto end;
1165
}
1166
port = (uint16_t)tmpmax;
1167
*address = '\0';
1168
address = connect_to;
1169
/* Colon in address indicates IPv6 */
1170
int af;
1171
if(strchr(address, ':') != NULL){
1172
af = AF_INET6;
1173
} else {
1174
af = AF_INET;
1175
}
1176
ret = start_mandos_communication(address, port, if_index, af);
1177
if(ret < 0){
1178
exitcode = EXIT_FAILURE;
1179
} else {
1180
exitcode = EXIT_SUCCESS;
1181
}
1182
goto end;
1183
}
1184
1185
if(not debug){
1186
avahi_set_log_function(empty_log);
1187
}
1188
1189
/* Initialize the pseudo-RNG for Avahi */
1190
srand((unsigned int) time(NULL));
1191
1192
/* Allocate main Avahi loop object */
1193
mc.simple_poll = avahi_simple_poll_new();
1194
if(mc.simple_poll == NULL){
1195
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1199
1200
{
1201
AvahiServerConfig config;
1202
/* Do not publish any local Zeroconf records */
843
1203
avahi_server_config_init(&config);
844
1204
config.publish_hinfo = 0;
845
1205
config.publish_addresses = 0;
846
1206
config.publish_workstation = 0;
847
1207
config.publish_domain = 0;
848
1208
849
1209
/* Allocate a new server */
850
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
851
&config, NULL, NULL, &error);
852
853
/* Free the configuration data */
1210
mc.server = avahi_server_new(avahi_simple_poll_get
1211
(mc.simple_poll), &config, NULL,
1212
NULL, &error);
1213
1214
/* Free the Avahi configuration data */
854
1215
avahi_server_config_free(&config);
855
856
/* Check if creating the server object succeeded */
857
if (!mc.server) {
858
fprintf(stderr, "Failed to create server: %s\n",
859
avahi_strerror(error));
860
returncode = EXIT_FAILURE;
861
goto exit;
862
}
863
864
/* Create the service browser */
865
sb = avahi_s_service_browser_new(mc.server, if_index,
866
AVAHI_PROTO_INET6,
867
"_mandos._tcp", NULL, 0,
868
browse_callback, &mc);
869
if (!sb) {
870
fprintf(stderr, "Failed to create service browser: %s\n",
871
avahi_strerror(avahi_server_errno(mc.server)));
872
returncode = EXIT_FAILURE;
873
goto exit;
874
}
875
876
/* Run the main loop */
877
878
if (debug){
879
fprintf(stderr, "Starting avahi loop search\n");
880
}
881
882
avahi_simple_poll_loop(simple_poll);
883
884
exit:
885
886
if (debug){
887
fprintf(stderr, "%s exiting\n", argv[0]);
888
}
889
890
/* Cleanup things */
891
if (sb)
892
avahi_s_service_browser_free(sb);
893
894
if (mc.server)
895
avahi_server_free(mc.server);
896
897
if (simple_poll)
898
avahi_simple_poll_free(simple_poll);
899
free(certfile);
900
free(certkey);
901
902
return returncode;
1216
}
1217
1218
/* Check if creating the Avahi server object succeeded */
1219
if(mc.server == NULL){
1220
fprintf(stderr, "Failed to create Avahi server: %s\n",
1221
avahi_strerror(error));
1222
exitcode = EXIT_FAILURE;
1223
goto end;
1224
}
1225
1226
/* Create the Avahi service browser */
1227
sb = avahi_s_service_browser_new(mc.server, if_index,
1228
AVAHI_PROTO_INET6, "_mandos._tcp",
1229
NULL, 0, browse_callback, NULL);
1230
if(sb == NULL){
1231
fprintf(stderr, "Failed to create service browser: %s\n",
1232
avahi_strerror(avahi_server_errno(mc.server)));
1233
exitcode = EXIT_FAILURE;
1234
goto end;
1235
}
1236
1237
sigemptyset(&sigterm_action.sa_mask);
1238
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1239
if(ret == -1){
1240
perror("sigaddset");
1241
exitcode = EXIT_FAILURE;
1242
goto end;
1243
}
1244
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1245
if(ret == -1){
1246
perror("sigaddset");
1247
exitcode = EXIT_FAILURE;
1248
goto end;
1249
}
1250
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1251
if(ret == -1){
1252
perror("sigaddset");
1253
exitcode = EXIT_FAILURE;
1254
goto end;
1255
}
1256
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1257
if(ret == -1){
1258
perror("sigaction");
1259
exitcode = EXIT_FAILURE;
1260
goto end;
1261
}
1262
1263
/* Run the main loop */
1264
1265
if(debug){
1266
fprintf(stderr, "Starting Avahi loop search\n");
1267
}
1268
1269
avahi_simple_poll_loop(mc.simple_poll);
1270
1271
end:
1272
1273
if(debug){
1274
fprintf(stderr, "%s exiting\n", argv[0]);
1275
}
1276
1277
/* Cleanup things */
1278
if(sb != NULL)
1279
avahi_s_service_browser_free(sb);
1280
1281
if(mc.server != NULL)
1282
avahi_server_free(mc.server);
1283
1284
if(mc.simple_poll != NULL)
1285
avahi_simple_poll_free(mc.simple_poll);
1286
1287
if(gnutls_initialized){
1288
gnutls_certificate_free_credentials(mc.cred);
1289
gnutls_global_deinit();
1290
gnutls_dh_params_deinit(mc.dh_params);
1291
}
1292
1293
if(gpgme_initialized){
1294
gpgme_release(mc.ctx);
1295
}
1296
1297
/* Removes the temp directory used by GPGME */
1298
if(tempdir_created){
1299
DIR *d;
1300
struct dirent *direntry;
1301
d = opendir(tempdir);
1302
if(d == NULL){
1303
if(errno != ENOENT){
1304
perror("opendir");
1305
}
1306
} else {
1307
while(true){
1308
direntry = readdir(d);
1309
if(direntry == NULL){
1310
break;
1311
}
1312
/* Skip "." and ".." */
1313
if(direntry->d_name[0] == '.'
1314
and (direntry->d_name[1] == '\0'
1315
or (direntry->d_name[1] == '.'
1316
and direntry->d_name[2] == '\0'))){
1317
continue;
1318
}
1319
char *fullname = NULL;
1320
ret = asprintf(&fullname, "%s/%s", tempdir,
1321
direntry->d_name);
1322
if(ret < 0){
1323
perror("asprintf");
1324
continue;
1325
}
1326
ret = remove(fullname);
1327
if(ret == -1){
1328
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1329
strerror(errno));
1330
}
1331
free(fullname);
1332
}
1333
closedir(d);
1334
}
1335
ret = rmdir(tempdir);
1336
if(ret == -1 and errno != ENOENT){
1337
perror("rmdir");
1338
}
1339
}
1340
1341
return exitcode;
903
1342
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0