To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.75
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.75
- Committer: Teddy Hogeborn
- Date: 2009-02-12 19:08:35 UTC
- mto: (237.4.2 mandos-pipe-ipc) (24.1.137 mandos) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090212190835-dqv0piw2u254d0jc
* plugin-runner.c: Whitespace changes only.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), remove() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand(), strtof() */
44
#include <stdbool.h> /* bool, false, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, uid_t, gid_t, open(),
51
opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
inet_pton(), connect() */
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir()
57
*/
58
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
59
strtoimax() */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
41
90
#include <avahi-core/core.h>
42
91
#include <avahi-core/lookup.h>
43
92
#include <avahi-core/log.h>
45
94
#include <avahi-common/malloc.h>
46
95
#include <avahi-common/error.h>
47
96
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
68
113
69
114
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
71
115
72
static const char *certdir = "/conf/conf.d/mandos";
73
static const char *certfile = "openpgp-client.txt";
74
static const char *certkey = "openpgp-client-key.txt";
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
75
119
76
120
bool debug = false;
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
77
124
125
/* Used for passing in values through the Avahi callback functions */
78
126
typedef struct {
79
gnutls_session_t session;
127
AvahiSimplePoll *simple_poll;
128
AvahiServer *server;
80
129
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
81
131
gnutls_dh_params_t dh_params;
82
} encrypted_session;
83
84
85
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet,
87
const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
132
const char *priority;
89
133
gpgme_ctx_t ctx;
134
} mandos_context;
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
141
/*
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
145
*/
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
150
if(buffer == NULL){
151
return 0;
152
}
153
buffer_capacity += BUFFER_SIZE;
154
}
155
return buffer_capacity;
156
}
157
158
/*
159
* Initialize GPGME.
160
*/
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
163
int ret;
90
164
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
94
165
gpgme_engine_info_t engine_info;
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
166
167
168
/*
169
* Helper function to insert pub and seckey to the engine keyring.
170
*/
171
bool import_key(const char *filename){
172
int fd;
173
gpgme_data_t pgp_data;
174
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
if(fd == -1){
177
perror("open");
178
return false;
179
}
180
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
185
return false;
186
}
187
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
return false;
193
}
194
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
196
if(ret == -1){
197
perror("close");
198
}
199
gpgme_data_release(pgp_data);
200
return true;
201
}
202
203
if(debug){
204
fprintf(stderr, "Initializing GPGME\n");
98
205
}
99
206
100
207
/* Init GPGME */
101
208
gpgme_check_version(NULL);
102
209
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
103
if (rc != GPG_ERR_NO_ERROR){
210
if(rc != GPG_ERR_NO_ERROR){
104
211
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
105
212
gpgme_strsource(rc), gpgme_strerror(rc));
106
return -1;
213
return false;
107
214
}
108
215
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
112
219
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
113
220
gpgme_strsource(rc), gpgme_strerror(rc));
114
return -1;
221
return false;
115
222
}
116
223
while(engine_info != NULL){
117
224
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
118
225
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
119
engine_info->file_name, homedir);
226
engine_info->file_name, tempdir);
120
227
break;
121
228
}
122
229
engine_info = engine_info->next;
123
230
}
124
231
if(engine_info == NULL){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
233
return false;
234
}
235
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
241
return false;
242
}
243
244
if(not import_key(pubkey) or not import_key(seckey)){
245
return false;
246
}
247
248
return true;
249
}
250
251
/*
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
254
*/
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
256
size_t crypto_size,
257
char **plaintext){
258
gpgme_data_t dh_crypto, dh_plain;
259
gpgme_error_t rc;
260
ssize_t ret;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
263
264
if(debug){
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
266
}
267
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
270
0);
271
if(rc != GPG_ERR_NO_ERROR){
132
272
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
133
273
gpgme_strsource(rc), gpgme_strerror(rc));
134
274
return -1;
136
276
137
277
/* Create new empty GPGME data buffer for the plaintext */
138
278
rc = gpgme_data_new(&dh_plain);
139
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
140
280
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
141
281
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
282
gpgme_data_release(dh_crypto);
283
return -1;
284
}
285
286
/* Decrypt data from the cryptotext data buffer to the plaintext
287
data buffer */
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
157
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
158
291
gpgme_strsource(rc), gpgme_strerror(rc));
159
return -1;
292
plaintext_length = -1;
293
if(debug){
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
296
if(result == NULL){
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
298
} else {
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
305
}
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
308
if(recipient){
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
315
? "No" : "Yes");
316
recipient = recipient->next;
317
}
318
}
319
}
320
}
321
goto decrypt_end;
160
322
}
161
323
162
324
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
190
}
191
}
192
}
193
}
194
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
326
}
197
327
198
328
/* Seek back to the beginning of the GPGME plaintext data buffer */
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
332
goto decrypt_end;
201
333
}
202
334
203
*new_packet = 0;
335
*plaintext = NULL;
204
336
while(true){
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
339
plaintext_capacity);
340
if(plaintext_capacity == 0){
341
perror("incbuffer");
342
plaintext_length = -1;
343
goto decrypt_end;
214
344
}
215
345
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
347
BUFFER_SIZE);
218
348
/* Print the data, if any */
219
if (ret == 0){
349
if(ret == 0){
350
/* EOF */
220
351
break;
221
352
}
222
353
if(ret < 0){
223
354
perror("gpgme_data_read");
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
355
plaintext_length = -1;
356
goto decrypt_end;
357
}
358
plaintext_length += ret;
359
}
360
361
if(debug){
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
365
}
366
fprintf(stderr, "\n");
367
}
368
369
decrypt_end:
370
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
236
373
237
374
/* Delete the GPGME plaintext data buffer */
238
375
gpgme_data_release(dh_plain);
239
return new_packet_length;
376
return plaintext_length;
240
377
}
241
378
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
382
if(ret == NULL)
245
383
ret = "(unknown)";
246
384
return ret;
247
385
}
248
386
387
/* GnuTLS log function callback */
249
388
static void debuggnutls(__attribute__((unused)) int level,
250
389
const char* string){
251
fprintf(stderr, "%s", string);
390
fprintf(stderr, "GnuTLS: %s", string);
252
391
}
253
392
254
static int initgnutls(encrypted_session *es){
255
const char *err;
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
256
395
int ret;
257
396
258
397
if(debug){
259
398
fprintf(stderr, "Initializing GnuTLS\n");
260
399
}
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
400
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
265
405
return -1;
266
406
}
267
268
if (debug){
407
408
if(debug){
409
/* "Use a log level over 10 to enable all debugging options."
410
* - GnuTLS manual
411
*/
269
412
gnutls_global_set_log_level(11);
270
413
gnutls_global_set_log_function(debuggnutls);
271
414
}
272
415
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
420
from
421
-Wunreachable-code
422
*/
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
278
425
return -1;
279
426
}
280
427
281
428
if(debug){
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
431
seckeyfilename);
285
432
}
286
433
287
434
ret = gnutls_certificate_set_openpgp_key_file
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
438
fprintf(stderr,
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
443
goto globalfail;
444
}
445
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
451
goto globalfail;
452
}
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
457
goto globalfail;
458
}
459
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
462
return 0;
463
464
globalfail:
465
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
469
return -1;
470
}
471
472
static int init_gnutls_session(gnutls_session_t *session){
473
int ret;
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
319
477
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
320
478
safer_gnutls_strerror(ret));
321
479
}
322
480
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
481
{
482
const char *err;
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
489
return -1;
490
}
329
491
}
330
492
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
494
mc.cred);
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
497
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
336
499
return -1;
337
500
}
338
501
339
502
/* ignore client certificate if any. */
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
503
gnutls_certificate_server_set_request(*session,
504
GNUTLS_CERT_IGNORE);
342
505
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
344
507
345
508
return 0;
346
509
}
347
510
511
/* Avahi log function callback */
348
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
513
__attribute__((unused)) const char *txt){}
350
514
515
/* Called when a Mandos server is found */
351
516
static int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
517
AvahiIfIndex if_index,
518
int af){
353
519
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
520
ssize_t sret;
521
union {
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
524
} to;
356
525
char *buffer = NULL;
357
526
char *decrypted_buffer;
358
527
size_t buffer_length = 0;
359
528
size_t buffer_capacity = 0;
360
529
ssize_t decrypted_buffer_size;
361
size_t written = 0;
530
size_t written;
362
531
int retval = 0;
363
char interface[IF_NAMESIZE];
532
gnutls_session_t session;
533
int pf; /* Protocol family */
534
535
switch(af){
536
case AF_INET6:
537
pf = PF_INET6;
538
break;
539
case AF_INET:
540
pf = PF_INET;
541
break;
542
default:
543
fprintf(stderr, "Bad address family: %d\n", af);
544
return -1;
545
}
546
547
ret = init_gnutls_session(&session);
548
if(ret != 0){
549
return -1;
550
}
364
551
365
552
if(debug){
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
554
"\n", ip, port);
368
555
}
369
556
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
371
if(tcp_sd < 0) {
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
558
if(tcp_sd < 0){
372
559
perror("socket");
373
560
return -1;
374
561
}
375
562
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
378
perror("if_indextoname");
379
}
380
return -1;
381
}
382
383
if(debug){
384
fprintf(stderr, "Binding to interface %s\n", interface);
385
}
386
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
563
memset(&to, 0, sizeof(to));
564
if(af == AF_INET6){
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
567
} else { /* IPv4 */
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
570
}
571
if(ret < 0 ){
391
572
perror("inet_pton");
392
573
return -1;
393
}
574
}
394
575
if(ret == 0){
395
576
fprintf(stderr, "Bad address: %s\n", ip);
396
577
return -1;
397
578
}
398
to.sin6_port = htons(port); /* Spurious warning */
399
400
to.sin6_scope_id = (uint32_t)if_index;
579
if(af == AF_INET6){
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
581
-Wconversion and
582
-Wunreachable-code */
583
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
586
-Wunreachable-code*/
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
590
return -1;
591
}
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
594
}
595
} else {
596
to.in.sin_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
}
401
600
402
601
if(debug){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
606
} else {
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
609
}
610
} else {
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
port);
613
}
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
const char *pcret;
617
if(af == AF_INET6){
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
sizeof(addrstr));
620
} else {
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
sizeof(addrstr));
623
}
624
if(pcret == NULL){
625
perror("inet_ntop");
626
} else {
627
if(strcmp(addrstr, ip) != 0){
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
629
}
630
}
412
631
}
413
632
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
633
if(af == AF_INET6){
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
635
} else {
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
637
}
638
if(ret < 0){
416
639
perror("connect");
417
640
return -1;
418
641
}
419
642
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
643
const char *out = mandos_protocol_version;
644
written = 0;
645
while(true){
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
649
if(ret == -1){
650
perror("write");
651
retval = -1;
652
goto mandos_end;
653
}
654
written += (size_t)ret;
655
if(written < out_size){
656
continue;
657
} else {
658
if(out == mandos_protocol_version){
659
written = 0;
660
out = "\r\n";
661
} else {
662
break;
663
}
664
}
424
665
}
425
666
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
429
667
if(debug){
430
668
fprintf(stderr, "Establishing TLS session with %s\n", ip);
431
669
}
432
670
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
673
do{
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
676
677
if(ret != GNUTLS_E_SUCCESS){
436
678
if(debug){
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
680
gnutls_perror(ret);
439
681
}
440
682
retval = -1;
441
goto exit;
683
goto mandos_end;
442
684
}
443
685
444
//Retrieve OpenPGP packet that contains the wanted password
686
/* Read OpenPGP packet that contains the wanted password */
445
687
446
688
if(debug){
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
448
690
ip);
449
691
}
450
692
451
693
while(true){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
694
buffer_capacity = incbuffer(&buffer, buffer_length,
695
buffer_capacity);
696
if(buffer_capacity == 0){
697
perror("incbuffer");
698
retval = -1;
699
goto mandos_end;
459
700
}
460
701
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
702
sret = gnutls_record_recv(session, buffer+buffer_length,
703
BUFFER_SIZE);
704
if(sret == 0){
464
705
break;
465
706
}
466
if (ret < 0){
467
switch(ret){
707
if(sret < 0){
708
switch(sret){
468
709
case GNUTLS_E_INTERRUPTED:
469
710
case GNUTLS_E_AGAIN:
470
711
break;
471
712
case GNUTLS_E_REHANDSHAKE:
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
713
do{
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
716
if(ret < 0){
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
718
gnutls_perror(ret);
476
719
retval = -1;
477
goto exit;
720
goto mandos_end;
478
721
}
479
722
break;
480
723
default:
481
724
fprintf(stderr, "Unknown error while reading data from"
482
" encrypted session with mandos server\n");
725
" encrypted session with Mandos server\n");
483
726
retval = -1;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
728
goto mandos_end;
486
729
}
487
730
} else {
488
buffer_length += (size_t) ret;
731
buffer_length += (size_t) sret;
489
732
}
490
733
}
491
734
492
if (buffer_length > 0){
735
if(debug){
736
fprintf(stderr, "Closing TLS session\n");
737
}
738
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
740
741
if(buffer_length > 0){
493
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
494
743
buffer_length,
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
744
&decrypted_buffer);
745
if(decrypted_buffer_size >= 0){
746
written = 0;
498
747
while(written < (size_t) decrypted_buffer_size){
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
750
stdout);
502
751
if(ret == 0 and ferror(stdout)){
503
752
if(debug){
504
753
fprintf(stderr, "Error writing encrypted data: %s\n",
513
762
} else {
514
763
retval = -1;
515
764
}
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
765
} else {
766
retval = -1;
767
}
768
769
/* Shutdown procedure */
770
771
mandos_end:
524
772
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
773
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
774
if(ret == -1){
775
perror("close");
776
}
777
gnutls_deinit(session);
531
778
return retval;
532
779
}
533
780
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
781
static void resolve_callback(AvahiSServiceResolver *r,
782
AvahiIfIndex interface,
783
AvahiProtocol proto,
784
AvahiResolverEvent event,
785
const char *name,
786
const char *type,
787
const char *domain,
788
const char *host_name,
789
const AvahiAddress *address,
790
uint16_t port,
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
793
flags,
794
AVAHI_GCC_UNUSED void* userdata){
795
assert(r);
553
796
554
797
/* Called whenever a service has been resolved successfully or
555
798
timed out */
556
799
557
switch (event) {
800
switch(event){
558
801
default:
559
802
case AVAHI_RESOLVER_FAILURE:
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
805
avahi_strerror(avahi_server_errno(mc.server)));
563
806
break;
564
807
565
808
case AVAHI_RESOLVER_FOUND:
567
810
char ip[AVAHI_ADDRESS_STR_MAX];
568
811
avahi_address_snprint(ip, sizeof(ip), address);
569
812
if(debug){
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
572
816
}
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
819
if(ret == 0){
820
avahi_simple_poll_quit(mc.simple_poll);
576
821
}
577
822
}
578
823
}
579
824
avahi_s_service_resolver_free(r);
580
825
}
581
826
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
628
}
629
}
630
631
/* Combines file name and path and returns the malloced new
632
string. some sane checks could/should be added */
633
static const char *combinepath(const char *first, const char *second){
634
size_t f_len = strlen(first);
635
size_t s_len = strlen(second);
636
char *tmp = malloc(f_len + s_len + 2);
637
if (tmp == NULL){
638
return NULL;
639
}
640
if(f_len > 0){
641
memcpy(tmp, first, f_len);
642
}
643
tmp[f_len] = '/';
644
if(s_len > 0){
645
memcpy(tmp + f_len + 1, second, s_len);
646
}
647
tmp[f_len + 1 + s_len] = '\0';
648
return tmp;
649
}
650
651
652
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
831
const char *name,
832
const char *type,
833
const char *domain,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
835
flags,
836
AVAHI_GCC_UNUSED void* userdata){
837
assert(b);
838
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
841
842
switch(event){
843
default:
844
case AVAHI_BROWSER_FAILURE:
845
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
849
return;
850
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
855
resolver for us. */
856
857
if(!(avahi_s_service_resolver_new(mc.server, interface,
858
protocol, name, type, domain,
859
AVAHI_PROTO_INET6, 0,
860
resolve_callback, NULL)))
861
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
862
name, avahi_strerror(avahi_server_errno(mc.server)));
863
break;
864
865
case AVAHI_BROWSER_REMOVE:
866
break;
867
868
case AVAHI_BROWSER_ALL_FOR_NOW:
869
case AVAHI_BROWSER_CACHE_EXHAUSTED:
870
if(debug){
871
fprintf(stderr, "No Mandos server found, still searching...\n");
872
}
873
break;
874
}
875
}
876
877
sig_atomic_t quit_now = 0;
878
879
/* stop main loop after sigterm has been called */
880
static void handle_sigterm(__attribute__((unused)) int sig){
881
if(quit_now){
882
return;
883
}
884
quit_now = 1;
885
int old_errno = errno;
886
if(mc.simple_poll != NULL){
887
avahi_simple_poll_quit(mc.simple_poll);
888
}
889
errno = old_errno;
890
}
891
892
int main(int argc, char *argv[]){
893
AvahiSServiceBrowser *sb = NULL;
894
int error;
895
int ret;
896
intmax_t tmpmax;
897
char *tmp;
898
int exitcode = EXIT_SUCCESS;
899
const char *interface = "eth0";
900
struct ifreq network;
901
int sd;
902
uid_t uid;
903
gid_t gid;
904
char *connect_to = NULL;
905
char tempdir[] = "/tmp/mandosXXXXXX";
906
bool tempdir_created = false;
907
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
908
const char *seckey = PATHDIR "/" SECKEY;
909
const char *pubkey = PATHDIR "/" PUBKEY;
910
911
/* Initialize Mandos context */
912
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
913
.dh_bits = 1024, .priority = "SECURE256"
914
":!CTYPE-X.509:+CTYPE-OPENPGP" };
915
bool gnutls_initialized = false;
916
bool gpgme_initialized = false;
917
float delay = 2.5f;
918
919
struct sigaction old_sigterm_action;
920
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
921
922
{
923
struct argp_option options[] = {
924
{ .name = "debug", .key = 128,
925
.doc = "Debug mode", .group = 3 },
926
{ .name = "connect", .key = 'c',
927
.arg = "ADDRESS:PORT",
928
.doc = "Connect directly to a specific Mandos server",
929
.group = 1 },
930
{ .name = "interface", .key = 'i',
931
.arg = "NAME",
932
.doc = "Network interface that will be used to search for"
933
" Mandos servers",
934
.group = 1 },
935
{ .name = "seckey", .key = 's',
936
.arg = "FILE",
937
.doc = "OpenPGP secret key file base name",
938
.group = 1 },
939
{ .name = "pubkey", .key = 'p',
940
.arg = "FILE",
941
.doc = "OpenPGP public key file base name",
942
.group = 2 },
943
{ .name = "dh-bits", .key = 129,
944
.arg = "BITS",
945
.doc = "Bit length of the prime number used in the"
946
" Diffie-Hellman key exchange",
947
.group = 2 },
948
{ .name = "priority", .key = 130,
949
.arg = "STRING",
950
.doc = "GnuTLS priority string for the TLS handshake",
951
.group = 1 },
952
{ .name = "delay", .key = 131,
953
.arg = "SECONDS",
954
.doc = "Maximum delay to wait for interface startup",
955
.group = 2 },
956
{ .name = NULL }
957
};
958
959
error_t parse_opt(int key, char *arg,
960
struct argp_state *state){
961
switch(key){
962
case 128: /* --debug */
963
debug = true;
964
break;
965
case 'c': /* --connect */
966
connect_to = arg;
967
break;
968
case 'i': /* --interface */
969
interface = arg;
970
break;
971
case 's': /* --seckey */
972
seckey = arg;
973
break;
974
case 'p': /* --pubkey */
975
pubkey = arg;
976
break;
977
case 129: /* --dh-bits */
978
errno = 0;
979
tmpmax = strtoimax(arg, &tmp, 10);
980
if(errno != 0 or tmp == arg or *tmp != '\0'
981
or tmpmax != (typeof(mc.dh_bits))tmpmax){
982
fprintf(stderr, "Bad number of DH bits\n");
983
exit(EXIT_FAILURE);
984
}
985
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
986
break;
987
case 130: /* --priority */
988
mc.priority = arg;
989
break;
990
case 131: /* --delay */
991
errno = 0;
992
delay = strtof(arg, &tmp);
993
if(errno != 0 or tmp == arg or *tmp != '\0'){
994
fprintf(stderr, "Bad delay\n");
995
exit(EXIT_FAILURE);
996
}
997
break;
998
case ARGP_KEY_ARG:
999
argp_usage(state);
1000
case ARGP_KEY_END:
1001
break;
1002
default:
1003
return ARGP_ERR_UNKNOWN;
1004
}
1005
return 0;
1006
}
1007
1008
struct argp argp = { .options = options, .parser = parse_opt,
1009
.args_doc = "",
1010
.doc = "Mandos client -- Get and decrypt"
1011
" passwords from a Mandos server" };
1012
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1013
if(ret == ARGP_ERR_UNKNOWN){
1014
fprintf(stderr, "Unknown error while parsing arguments\n");
1015
exitcode = EXIT_FAILURE;
1016
goto end;
1017
}
1018
}
1019
1020
if(not debug){
1021
avahi_set_log_function(empty_log);
1022
}
1023
1024
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1025
from the signal handler */
1026
/* Initialize the pseudo-RNG for Avahi */
1027
srand((unsigned int) time(NULL));
1028
mc.simple_poll = avahi_simple_poll_new();
1029
if(mc.simple_poll == NULL){
1030
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1031
exitcode = EXIT_FAILURE;
1032
goto end;
1033
}
1034
1035
sigemptyset(&sigterm_action.sa_mask);
1036
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1037
if(ret == -1){
1038
perror("sigaddset");
1039
exitcode = EXIT_FAILURE;
1040
goto end;
1041
}
1042
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1043
if(ret == -1){
1044
perror("sigaddset");
1045
exitcode = EXIT_FAILURE;
1046
goto end;
1047
}
1048
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1049
if(ret == -1){
1050
perror("sigaddset");
1051
exitcode = EXIT_FAILURE;
1052
goto end;
1053
}
1054
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1055
if(ret == -1){
1056
perror("sigaction");
1057
exitcode = EXIT_FAILURE;
1058
goto end;
1059
}
1060
1061
/* If the interface is down, bring it up */
1062
if(interface[0] != '\0'){
1063
#ifdef __linux__
1064
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1065
messages to mess up the prompt */
1066
ret = klogctl(8, NULL, 5);
1067
bool restore_loglevel = true;
1068
if(ret == -1){
1069
restore_loglevel = false;
1070
perror("klogctl");
1071
}
1072
#endif /* __linux__ */
1073
1074
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1075
if(sd < 0){
1076
perror("socket");
1077
exitcode = EXIT_FAILURE;
1078
#ifdef __linux__
1079
if(restore_loglevel){
1080
ret = klogctl(7, NULL, 0);
1081
if(ret == -1){
1082
perror("klogctl");
1083
}
1084
}
1085
#endif /* __linux__ */
1086
goto end;
1087
}
1088
strcpy(network.ifr_name, interface);
1089
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1090
if(ret == -1){
1091
perror("ioctl SIOCGIFFLAGS");
1092
#ifdef __linux__
1093
if(restore_loglevel){
1094
ret = klogctl(7, NULL, 0);
1095
if(ret == -1){
1096
perror("klogctl");
1097
}
1098
}
1099
#endif /* __linux__ */
1100
exitcode = EXIT_FAILURE;
1101
goto end;
1102
}
1103
if((network.ifr_flags & IFF_UP) == 0){
1104
network.ifr_flags |= IFF_UP;
1105
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1106
if(ret == -1){
1107
perror("ioctl SIOCSIFFLAGS");
1108
exitcode = EXIT_FAILURE;
1109
#ifdef __linux__
1110
if(restore_loglevel){
1111
ret = klogctl(7, NULL, 0);
1112
if(ret == -1){
1113
perror("klogctl");
1114
}
1115
}
1116
#endif /* __linux__ */
1117
goto end;
1118
}
1119
}
1120
/* sleep checking until interface is running */
1121
for(int i=0; i < delay * 4; i++){
1122
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1123
if(ret == -1){
1124
perror("ioctl SIOCGIFFLAGS");
1125
} else if(network.ifr_flags & IFF_RUNNING){
1126
break;
1127
}
1128
struct timespec sleeptime = { .tv_nsec = 250000000 };
1129
ret = nanosleep(&sleeptime, NULL);
1130
if(ret == -1 and errno != EINTR){
1131
perror("nanosleep");
1132
}
1133
}
1134
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1135
if(ret == -1){
1136
perror("close");
1137
}
1138
#ifdef __linux__
1139
if(restore_loglevel){
1140
/* Restores kernel loglevel to default */
1141
ret = klogctl(7, NULL, 0);
1142
if(ret == -1){
1143
perror("klogctl");
1144
}
1145
}
1146
#endif /* __linux__ */
1147
}
1148
1149
uid = getuid();
1150
gid = getgid();
1151
1152
errno = 0;
1153
setgid(gid);
1154
if(ret == -1){
1155
perror("setgid");
1156
}
1157
1158
ret = setuid(uid);
1159
if(ret == -1){
1160
perror("setuid");
1161
}
1162
1163
ret = init_gnutls_global(pubkey, seckey);
1164
if(ret == -1){
1165
fprintf(stderr, "init_gnutls_global failed\n");
1166
exitcode = EXIT_FAILURE;
1167
goto end;
1168
} else {
1169
gnutls_initialized = true;
1170
}
1171
1172
if(mkdtemp(tempdir) == NULL){
1173
perror("mkdtemp");
1174
goto end;
1175
}
1176
tempdir_created = true;
1177
1178
if(not init_gpgme(pubkey, seckey, tempdir)){
1179
fprintf(stderr, "init_gpgme failed\n");
1180
exitcode = EXIT_FAILURE;
1181
goto end;
1182
} else {
1183
gpgme_initialized = true;
1184
}
1185
1186
if(interface[0] != '\0'){
1187
if_index = (AvahiIfIndex) if_nametoindex(interface);
1188
if(if_index == 0){
1189
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1190
exitcode = EXIT_FAILURE;
1191
goto end;
1192
}
1193
}
1194
1195
if(connect_to != NULL){
1196
/* Connect directly, do not use Zeroconf */
1197
/* (Mainly meant for debugging) */
1198
char *address = strrchr(connect_to, ':');
1199
if(address == NULL){
1200
fprintf(stderr, "No colon in address\n");
1201
exitcode = EXIT_FAILURE;
1202
goto end;
1203
}
1204
uint16_t port;
1205
errno = 0;
1206
tmpmax = strtoimax(address+1, &tmp, 10);
1207
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1208
or tmpmax != (uint16_t)tmpmax){
1209
fprintf(stderr, "Bad port number\n");
1210
exitcode = EXIT_FAILURE;
1211
goto end;
1212
}
1213
port = (uint16_t)tmpmax;
1214
*address = '\0';
1215
address = connect_to;
1216
/* Colon in address indicates IPv6 */
1217
int af;
1218
if(strchr(address, ':') != NULL){
1219
af = AF_INET6;
1220
} else {
1221
af = AF_INET;
1222
}
1223
ret = start_mandos_communication(address, port, if_index, af);
1224
if(ret < 0){
1225
exitcode = EXIT_FAILURE;
1226
} else {
1227
exitcode = EXIT_SUCCESS;
1228
}
1229
goto end;
1230
}
1231
1232
{
653
1233
AvahiServerConfig config;
654
AvahiSServiceBrowser *sb = NULL;
655
int error;
656
int ret;
657
int returncode = EXIT_SUCCESS;
658
const char *interface = NULL;
659
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
660
char *connect_to = NULL;
661
662
while (true){
663
static struct option long_options[] = {
664
{"debug", no_argument, (int *)&debug, 1},
665
{"connect", required_argument, 0, 'C'},
666
{"interface", required_argument, 0, 'i'},
667
{"certdir", required_argument, 0, 'd'},
668
{"certkey", required_argument, 0, 'c'},
669
{"certfile", required_argument, 0, 'k'},
670
{0, 0, 0, 0} };
671
672
int option_index = 0;
673
ret = getopt_long (argc, argv, "i:", long_options,
674
&option_index);
675
676
if (ret == -1){
677
break;
678
}
679
680
switch(ret){
681
case 0:
682
break;
683
case 'i':
684
interface = optarg;
685
break;
686
case 'C':
687
connect_to = optarg;
688
break;
689
case 'd':
690
certdir = optarg;
691
break;
692
case 'c':
693
certfile = optarg;
694
break;
695
case 'k':
696
certkey = optarg;
697
break;
698
default:
699
exit(EXIT_FAILURE);
700
}
701
}
702
703
certfile = combinepath(certdir, certfile);
704
if (certfile == NULL){
705
perror("combinepath");
706
goto exit;
707
}
708
709
if(interface != NULL){
710
if_index = (AvahiIfIndex) if_nametoindex(interface);
711
if(if_index == 0){
712
fprintf(stderr, "No such interface: \"%s\"\n", interface);
713
exit(EXIT_FAILURE);
714
}
715
}
716
717
if(connect_to != NULL){
718
/* Connect directly, do not use Zeroconf */
719
/* (Mainly meant for debugging) */
720
char *address = strrchr(connect_to, ':');
721
if(address == NULL){
722
fprintf(stderr, "No colon in address\n");
723
exit(EXIT_FAILURE);
724
}
725
errno = 0;
726
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
727
if(errno){
728
perror("Bad port number");
729
exit(EXIT_FAILURE);
730
}
731
*address = '\0';
732
address = connect_to;
733
ret = start_mandos_communication(address, port, if_index);
734
if(ret < 0){
735
exit(EXIT_FAILURE);
736
} else {
737
exit(EXIT_SUCCESS);
738
}
739
}
740
741
certkey = combinepath(certdir, certkey);
742
if (certkey == NULL){
743
perror("combinepath");
744
goto exit;
745
}
746
747
if (not debug){
748
avahi_set_log_function(empty_log);
749
}
750
751
/* Initialize the psuedo-RNG */
752
srand((unsigned int) time(NULL));
753
754
/* Allocate main loop object */
755
if (!(simple_poll = avahi_simple_poll_new())) {
756
fprintf(stderr, "Failed to create simple poll object.\n");
757
758
goto exit;
759
}
760
761
/* Do not publish any local records */
1234
/* Do not publish any local Zeroconf records */
762
1235
avahi_server_config_init(&config);
763
1236
config.publish_hinfo = 0;
764
1237
config.publish_addresses = 0;
765
1238
config.publish_workstation = 0;
766
1239
config.publish_domain = 0;
767
1240
768
1241
/* Allocate a new server */
769
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
770
&config, NULL, NULL, &error);
771
772
/* Free the configuration data */
1242
mc.server = avahi_server_new(avahi_simple_poll_get
1243
(mc.simple_poll), &config, NULL,
1244
NULL, &error);
1245
1246
/* Free the Avahi configuration data */
773
1247
avahi_server_config_free(&config);
774
775
/* Check if creating the server object succeeded */
776
if (!server) {
777
fprintf(stderr, "Failed to create server: %s\n",
778
avahi_strerror(error));
779
returncode = EXIT_FAILURE;
780
goto exit;
781
}
782
783
/* Create the service browser */
784
sb = avahi_s_service_browser_new(server, if_index,
785
AVAHI_PROTO_INET6,
786
"_mandos._tcp", NULL, 0,
787
browse_callback, server);
788
if (!sb) {
789
fprintf(stderr, "Failed to create service browser: %s\n",
790
avahi_strerror(avahi_server_errno(server)));
791
returncode = EXIT_FAILURE;
792
goto exit;
793
}
794
795
/* Run the main loop */
796
797
if (debug){
798
fprintf(stderr, "Starting avahi loop search\n");
799
}
800
801
avahi_simple_poll_loop(simple_poll);
802
803
exit:
804
805
if (debug){
806
fprintf(stderr, "%s exiting\n", argv[0]);
807
}
808
809
/* Cleanup things */
810
if (sb)
811
avahi_s_service_browser_free(sb);
812
813
if (server)
814
avahi_server_free(server);
815
816
if (simple_poll)
817
avahi_simple_poll_free(simple_poll);
818
free(certfile);
819
free(certkey);
820
821
return returncode;
1248
}
1249
1250
/* Check if creating the Avahi server object succeeded */
1251
if(mc.server == NULL){
1252
fprintf(stderr, "Failed to create Avahi server: %s\n",
1253
avahi_strerror(error));
1254
exitcode = EXIT_FAILURE;
1255
goto end;
1256
}
1257
1258
/* Create the Avahi service browser */
1259
sb = avahi_s_service_browser_new(mc.server, if_index,
1260
AVAHI_PROTO_INET6, "_mandos._tcp",
1261
NULL, 0, browse_callback, NULL);
1262
if(sb == NULL){
1263
fprintf(stderr, "Failed to create service browser: %s\n",
1264
avahi_strerror(avahi_server_errno(mc.server)));
1265
exitcode = EXIT_FAILURE;
1266
goto end;
1267
}
1268
1269
/* Run the main loop */
1270
1271
if(debug){
1272
fprintf(stderr, "Starting Avahi loop search\n");
1273
}
1274
1275
avahi_simple_poll_loop(mc.simple_poll);
1276
1277
end:
1278
1279
if(debug){
1280
fprintf(stderr, "%s exiting\n", argv[0]);
1281
}
1282
1283
/* Cleanup things */
1284
if(sb != NULL)
1285
avahi_s_service_browser_free(sb);
1286
1287
if(mc.server != NULL)
1288
avahi_server_free(mc.server);
1289
1290
if(mc.simple_poll != NULL)
1291
avahi_simple_poll_free(mc.simple_poll);
1292
1293
if(gnutls_initialized){
1294
gnutls_certificate_free_credentials(mc.cred);
1295
gnutls_global_deinit();
1296
gnutls_dh_params_deinit(mc.dh_params);
1297
}
1298
1299
if(gpgme_initialized){
1300
gpgme_release(mc.ctx);
1301
}
1302
1303
/* Removes the temp directory used by GPGME */
1304
if(tempdir_created){
1305
DIR *d;
1306
struct dirent *direntry;
1307
d = opendir(tempdir);
1308
if(d == NULL){
1309
if(errno != ENOENT){
1310
perror("opendir");
1311
}
1312
} else {
1313
while(true){
1314
direntry = readdir(d);
1315
if(direntry == NULL){
1316
break;
1317
}
1318
/* Skip "." and ".." */
1319
if(direntry->d_name[0] == '.'
1320
and (direntry->d_name[1] == '\0'
1321
or (direntry->d_name[1] == '.'
1322
and direntry->d_name[2] == '\0'))){
1323
continue;
1324
}
1325
char *fullname = NULL;
1326
ret = asprintf(&fullname, "%s/%s", tempdir,
1327
direntry->d_name);
1328
if(ret < 0){
1329
perror("asprintf");
1330
continue;
1331
}
1332
ret = remove(fullname);
1333
if(ret == -1){
1334
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1335
strerror(errno));
1336
}
1337
free(fullname);
1338
}
1339
closedir(d);
1340
}
1341
ret = rmdir(tempdir);
1342
if(ret == -1 and errno != ENOENT){
1343
perror("rmdir");
1344
}
1345
}
1346
1347
return exitcode;
822
1348
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0