To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.76
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.76
- Committer: Teddy Hogeborn
- Date: 2009-02-12 23:17:14 UTC
- mto: (237.4.2 mandos-pipe-ipc) (24.1.137 mandos) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: teddy@fukt.bsnet.se-20090212231714-59wxtc7h3w7ss8v6
* plugins.d/mandos-client.c (browse_callback, main): Do not require
IPv6.
(main): Removed redundant initialization of "mc".
IPv6.
(main): Removed redundant initialization of "mc".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), remove() */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand(), strtof() */
44
#include <stdbool.h> /* bool, false, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, uid_t, gid_t, open(),
51
opendir(), DIR */
52
#include <sys/stat.h> /* open() */
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
54
inet_pton(), connect() */
55
#include <fcntl.h> /* open() */
56
#include <dirent.h> /* opendir(), struct dirent, readdir()
57
*/
58
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
59
strtoimax() */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
86
/* Avahi */
87
/* All Avahi types, constants and functions
88
Avahi*, avahi_*,
89
AVAHI_* */
43
90
#include <avahi-core/core.h>
44
91
#include <avahi-core/lookup.h>
45
92
#include <avahi-core/log.h>
47
94
#include <avahi-common/malloc.h>
48
95
#include <avahi-common/error.h>
49
96
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
97
/* GnuTLS */
98
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
99
functions:
100
gnutls_*
101
init_gnutls_session(),
102
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
105
GNUTLS_OPENPGP_FMT_BASE64 */
106
107
/* GPGME */
108
#include <gpgme.h> /* All GPGME types, constants and
109
functions:
110
gpgme_*
111
GPGME_PROTOCOL_OpenPGP,
112
GPG_ERR_NO_* */
70
113
71
114
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
73
115
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
77
119
78
120
bool debug = false;
121
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
123
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
79
124
125
/* Used for passing in values through the Avahi callback functions */
80
126
typedef struct {
81
gnutls_session_t session;
127
AvahiSimplePoll *simple_poll;
128
AvahiServer *server;
82
129
gnutls_certificate_credentials_t cred;
130
unsigned int dh_bits;
83
131
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
132
const char *priority;
91
133
gpgme_ctx_t ctx;
134
} mandos_context;
135
136
/* global context so signal handler can reach it*/
137
mandos_context mc = { .simple_poll = NULL, .server = NULL,
138
.dh_bits = 1024, .priority = "SECURE256"
139
":!CTYPE-X.509:+CTYPE-OPENPGP" };
140
141
/*
142
* Make additional room in "buffer" for at least BUFFER_SIZE more
143
* bytes. "buffer_capacity" is how much is currently allocated,
144
* "buffer_length" is how much is already used.
145
*/
146
size_t incbuffer(char **buffer, size_t buffer_length,
147
size_t buffer_capacity){
148
if(buffer_length + BUFFER_SIZE > buffer_capacity){
149
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
150
if(buffer == NULL){
151
return 0;
152
}
153
buffer_capacity += BUFFER_SIZE;
154
}
155
return buffer_capacity;
156
}
157
158
/*
159
* Initialize GPGME.
160
*/
161
static bool init_gpgme(const char *seckey,
162
const char *pubkey, const char *tempdir){
163
int ret;
92
164
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
96
165
gpgme_engine_info_t engine_info;
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
166
167
168
/*
169
* Helper function to insert pub and seckey to the engine keyring.
170
*/
171
bool import_key(const char *filename){
172
int fd;
173
gpgme_data_t pgp_data;
174
175
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
if(fd == -1){
177
perror("open");
178
return false;
179
}
180
181
rc = gpgme_data_new_from_fd(&pgp_data, fd);
182
if(rc != GPG_ERR_NO_ERROR){
183
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
184
gpgme_strsource(rc), gpgme_strerror(rc));
185
return false;
186
}
187
188
rc = gpgme_op_import(mc.ctx, pgp_data);
189
if(rc != GPG_ERR_NO_ERROR){
190
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
191
gpgme_strsource(rc), gpgme_strerror(rc));
192
return false;
193
}
194
195
ret = (int)TEMP_FAILURE_RETRY(close(fd));
196
if(ret == -1){
197
perror("close");
198
}
199
gpgme_data_release(pgp_data);
200
return true;
201
}
202
203
if(debug){
204
fprintf(stderr, "Initializing GPGME\n");
100
205
}
101
206
102
207
/* Init GPGME */
103
208
gpgme_check_version(NULL);
104
209
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
105
if (rc != GPG_ERR_NO_ERROR){
210
if(rc != GPG_ERR_NO_ERROR){
106
211
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
107
212
gpgme_strsource(rc), gpgme_strerror(rc));
108
return -1;
213
return false;
109
214
}
110
215
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
216
/* Set GPGME home directory for the OpenPGP engine only */
217
rc = gpgme_get_engine_info(&engine_info);
218
if(rc != GPG_ERR_NO_ERROR){
114
219
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
115
220
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
221
return false;
117
222
}
118
223
while(engine_info != NULL){
119
224
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
120
225
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
121
engine_info->file_name, homedir);
226
engine_info->file_name, tempdir);
122
227
break;
123
228
}
124
229
engine_info = engine_info->next;
125
230
}
126
231
if(engine_info == NULL){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
232
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
233
return false;
234
}
235
236
/* Create new GPGME "context" */
237
rc = gpgme_new(&(mc.ctx));
238
if(rc != GPG_ERR_NO_ERROR){
239
fprintf(stderr, "bad gpgme_new: %s: %s\n",
240
gpgme_strsource(rc), gpgme_strerror(rc));
241
return false;
242
}
243
244
if(not import_key(pubkey) or not import_key(seckey)){
245
return false;
246
}
247
248
return true;
249
}
250
251
/*
252
* Decrypt OpenPGP data.
253
* Returns -1 on error
254
*/
255
static ssize_t pgp_packet_decrypt(const char *cryptotext,
256
size_t crypto_size,
257
char **plaintext){
258
gpgme_data_t dh_crypto, dh_plain;
259
gpgme_error_t rc;
260
ssize_t ret;
261
size_t plaintext_capacity = 0;
262
ssize_t plaintext_length = 0;
263
264
if(debug){
265
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
266
}
267
268
/* Create new GPGME data buffer from memory cryptotext */
269
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
270
0);
271
if(rc != GPG_ERR_NO_ERROR){
134
272
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
135
273
gpgme_strsource(rc), gpgme_strerror(rc));
136
274
return -1;
138
276
139
277
/* Create new empty GPGME data buffer for the plaintext */
140
278
rc = gpgme_data_new(&dh_plain);
141
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
142
280
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
143
281
gpgme_strsource(rc), gpgme_strerror(rc));
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
282
gpgme_data_release(dh_crypto);
283
return -1;
284
}
285
286
/* Decrypt data from the cryptotext data buffer to the plaintext
287
data buffer */
288
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
289
if(rc != GPG_ERR_NO_ERROR){
159
290
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
160
291
gpgme_strsource(rc), gpgme_strerror(rc));
161
return -1;
292
plaintext_length = -1;
293
if(debug){
294
gpgme_decrypt_result_t result;
295
result = gpgme_op_decrypt_result(mc.ctx);
296
if(result == NULL){
297
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
298
} else {
299
fprintf(stderr, "Unsupported algorithm: %s\n",
300
result->unsupported_algorithm);
301
fprintf(stderr, "Wrong key usage: %u\n",
302
result->wrong_key_usage);
303
if(result->file_name != NULL){
304
fprintf(stderr, "File name: %s\n", result->file_name);
305
}
306
gpgme_recipient_t recipient;
307
recipient = result->recipients;
308
if(recipient){
309
while(recipient != NULL){
310
fprintf(stderr, "Public key algorithm: %s\n",
311
gpgme_pubkey_algo_name(recipient->pubkey_algo));
312
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
313
fprintf(stderr, "Secret key available: %s\n",
314
recipient->status == GPG_ERR_NO_SECKEY
315
? "No" : "Yes");
316
recipient = recipient->next;
317
}
318
}
319
}
320
}
321
goto decrypt_end;
162
322
}
163
323
164
324
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
192
}
193
}
194
}
195
}
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
325
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
326
}
199
327
200
328
/* Seek back to the beginning of the GPGME plaintext data buffer */
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
329
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
330
perror("gpgme_data_seek");
331
plaintext_length = -1;
332
goto decrypt_end;
203
333
}
204
334
205
*new_packet = 0;
335
*plaintext = NULL;
206
336
while(true){
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
337
plaintext_capacity = incbuffer(plaintext,
338
(size_t)plaintext_length,
339
plaintext_capacity);
340
if(plaintext_capacity == 0){
341
perror("incbuffer");
342
plaintext_length = -1;
343
goto decrypt_end;
216
344
}
217
345
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
346
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
219
347
BUFFER_SIZE);
220
348
/* Print the data, if any */
221
if (ret == 0){
349
if(ret == 0){
350
/* EOF */
222
351
break;
223
352
}
224
353
if(ret < 0){
225
354
perror("gpgme_data_read");
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
355
plaintext_length = -1;
356
goto decrypt_end;
357
}
358
plaintext_length += ret;
359
}
360
361
if(debug){
362
fprintf(stderr, "Decrypted password is: ");
363
for(ssize_t i = 0; i < plaintext_length; i++){
364
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
365
}
366
fprintf(stderr, "\n");
367
}
368
369
decrypt_end:
370
371
/* Delete the GPGME cryptotext data buffer */
372
gpgme_data_release(dh_crypto);
238
373
239
374
/* Delete the GPGME plaintext data buffer */
240
375
gpgme_data_release(dh_plain);
241
return new_packet_length;
376
return plaintext_length;
242
377
}
243
378
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
379
static const char * safer_gnutls_strerror(int value){
380
const char *ret = gnutls_strerror(value); /* Spurious warning from
381
-Wunreachable-code */
382
if(ret == NULL)
247
383
ret = "(unknown)";
248
384
return ret;
249
385
}
250
386
387
/* GnuTLS log function callback */
251
388
static void debuggnutls(__attribute__((unused)) int level,
252
389
const char* string){
253
fprintf(stderr, "%s", string);
390
fprintf(stderr, "GnuTLS: %s", string);
254
391
}
255
392
256
static int initgnutls(encrypted_session *es){
257
const char *err;
393
static int init_gnutls_global(const char *pubkeyfilename,
394
const char *seckeyfilename){
258
395
int ret;
259
396
260
397
if(debug){
261
398
fprintf(stderr, "Initializing GnuTLS\n");
262
399
}
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
400
401
ret = gnutls_global_init();
402
if(ret != GNUTLS_E_SUCCESS){
403
fprintf(stderr, "GnuTLS global_init: %s\n",
404
safer_gnutls_strerror(ret));
267
405
return -1;
268
406
}
269
270
if (debug){
407
408
if(debug){
409
/* "Use a log level over 10 to enable all debugging options."
410
* - GnuTLS manual
411
*/
271
412
gnutls_global_set_log_level(11);
272
413
gnutls_global_set_log_function(debuggnutls);
273
414
}
274
415
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
416
/* OpenPGP credentials */
417
gnutls_certificate_allocate_credentials(&mc.cred);
418
if(ret != GNUTLS_E_SUCCESS){
419
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
420
from
421
-Wunreachable-code
422
*/
423
safer_gnutls_strerror(ret));
424
gnutls_global_deinit();
280
425
return -1;
281
426
}
282
427
283
428
if(debug){
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
429
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
430
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
431
seckeyfilename);
287
432
}
288
433
289
434
ret = gnutls_certificate_set_openpgp_key_file
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
435
(mc.cred, pubkeyfilename, seckeyfilename,
436
GNUTLS_OPENPGP_FMT_BASE64);
437
if(ret != GNUTLS_E_SUCCESS){
438
fprintf(stderr,
439
"Error[%d] while reading the OpenPGP key pair ('%s',"
440
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
441
fprintf(stderr, "The GnuTLS error is: %s\n",
442
safer_gnutls_strerror(ret));
443
goto globalfail;
444
}
445
446
/* GnuTLS server initialization */
447
ret = gnutls_dh_params_init(&mc.dh_params);
448
if(ret != GNUTLS_E_SUCCESS){
449
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
450
" %s\n", safer_gnutls_strerror(ret));
451
goto globalfail;
452
}
453
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
454
if(ret != GNUTLS_E_SUCCESS){
455
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
456
safer_gnutls_strerror(ret));
457
goto globalfail;
458
}
459
460
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
462
return 0;
463
464
globalfail:
465
466
gnutls_certificate_free_credentials(mc.cred);
467
gnutls_global_deinit();
468
gnutls_dh_params_deinit(mc.dh_params);
469
return -1;
470
}
471
472
static int init_gnutls_session(gnutls_session_t *session){
473
int ret;
474
/* GnuTLS session creation */
475
ret = gnutls_init(session, GNUTLS_SERVER);
476
if(ret != GNUTLS_E_SUCCESS){
321
477
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
322
478
safer_gnutls_strerror(ret));
323
479
}
324
480
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
481
{
482
const char *err;
483
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
484
if(ret != GNUTLS_E_SUCCESS){
485
fprintf(stderr, "Syntax error at: %s\n", err);
486
fprintf(stderr, "GnuTLS error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_deinit(*session);
489
return -1;
490
}
331
491
}
332
492
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
493
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
494
mc.cred);
495
if(ret != GNUTLS_E_SUCCESS){
496
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
337
497
safer_gnutls_strerror(ret));
498
gnutls_deinit(*session);
338
499
return -1;
339
500
}
340
501
341
502
/* ignore client certificate if any. */
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
503
gnutls_certificate_server_set_request(*session,
504
GNUTLS_CERT_IGNORE);
344
505
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
506
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
346
507
347
508
return 0;
348
509
}
349
510
511
/* Avahi log function callback */
350
512
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
351
513
__attribute__((unused)) const char *txt){}
352
514
515
/* Called when a Mandos server is found */
353
516
static int start_mandos_communication(const char *ip, uint16_t port,
354
AvahiIfIndex if_index){
517
AvahiIfIndex if_index,
518
int af){
355
519
int ret, tcp_sd;
356
struct sockaddr_in6 to;
357
encrypted_session es;
520
ssize_t sret;
521
union {
522
struct sockaddr_in in;
523
struct sockaddr_in6 in6;
524
} to;
358
525
char *buffer = NULL;
359
526
char *decrypted_buffer;
360
527
size_t buffer_length = 0;
361
528
size_t buffer_capacity = 0;
362
529
ssize_t decrypted_buffer_size;
363
size_t written = 0;
530
size_t written;
364
531
int retval = 0;
365
char interface[IF_NAMESIZE];
532
gnutls_session_t session;
533
int pf; /* Protocol family */
534
535
switch(af){
536
case AF_INET6:
537
pf = PF_INET6;
538
break;
539
case AF_INET:
540
pf = PF_INET;
541
break;
542
default:
543
fprintf(stderr, "Bad address family: %d\n", af);
544
return -1;
545
}
546
547
ret = init_gnutls_session(&session);
548
if(ret != 0){
549
return -1;
550
}
366
551
367
552
if(debug){
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
553
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
554
"\n", ip, port);
370
555
}
371
556
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
557
tcp_sd = socket(pf, SOCK_STREAM, 0);
558
if(tcp_sd < 0){
374
559
perror("socket");
375
560
return -1;
376
561
}
377
378
if(debug){
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
380
if(debug){
381
perror("if_indextoname");
382
}
383
return -1;
384
}
385
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
388
562
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
563
memset(&to, 0, sizeof(to));
564
if(af == AF_INET6){
565
to.in6.sin6_family = (uint16_t)af;
566
ret = inet_pton(af, ip, &to.in6.sin6_addr);
567
} else { /* IPv4 */
568
to.in.sin_family = (sa_family_t)af;
569
ret = inet_pton(af, ip, &to.in.sin_addr);
570
}
571
if(ret < 0 ){
393
572
perror("inet_pton");
394
573
return -1;
395
}
574
}
396
575
if(ret == 0){
397
576
fprintf(stderr, "Bad address: %s\n", ip);
398
577
return -1;
399
578
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
579
if(af == AF_INET6){
580
to.in6.sin6_port = htons(port); /* Spurious warnings from
581
-Wconversion and
582
-Wunreachable-code */
583
584
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
585
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
586
-Wunreachable-code*/
587
if(if_index == AVAHI_IF_UNSPEC){
588
fprintf(stderr, "An IPv6 link-local address is incomplete"
589
" without a network interface\n");
590
return -1;
591
}
592
/* Set the network interface number as scope */
593
to.in6.sin6_scope_id = (uint32_t)if_index;
594
}
595
} else {
596
to.in.sin_port = htons(port); /* Spurious warnings from
597
-Wconversion and
598
-Wunreachable-code */
599
}
403
600
404
601
if(debug){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
602
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
603
char interface[IF_NAMESIZE];
604
if(if_indextoname((unsigned int)if_index, interface) == NULL){
605
perror("if_indextoname");
606
} else {
607
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
608
ip, interface, port);
609
}
610
} else {
611
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
port);
613
}
614
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
615
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
const char *pcret;
617
if(af == AF_INET6){
618
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
sizeof(addrstr));
620
} else {
621
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
sizeof(addrstr));
623
}
624
if(pcret == NULL){
625
perror("inet_ntop");
626
} else {
627
if(strcmp(addrstr, ip) != 0){
628
fprintf(stderr, "Canonical address form: %s\n", addrstr);
629
}
630
}
414
631
}
415
632
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
417
if (ret < 0){
633
if(af == AF_INET6){
634
ret = connect(tcp_sd, &to.in6, sizeof(to));
635
} else {
636
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
637
}
638
if(ret < 0){
418
639
perror("connect");
419
640
return -1;
420
641
}
421
642
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
643
const char *out = mandos_protocol_version;
644
written = 0;
645
while(true){
646
size_t out_size = strlen(out);
647
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
648
out_size - written));
649
if(ret == -1){
650
perror("write");
651
retval = -1;
652
goto mandos_end;
653
}
654
written += (size_t)ret;
655
if(written < out_size){
656
continue;
657
} else {
658
if(out == mandos_protocol_version){
659
written = 0;
660
out = "\r\n";
661
} else {
662
break;
663
}
664
}
426
665
}
427
666
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
431
667
if(debug){
432
668
fprintf(stderr, "Establishing TLS session with %s\n", ip);
433
669
}
434
670
435
ret = gnutls_handshake (es.session);
436
437
if (ret != GNUTLS_E_SUCCESS){
671
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
673
do{
674
ret = gnutls_handshake(session);
675
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
676
677
if(ret != GNUTLS_E_SUCCESS){
438
678
if(debug){
439
fprintf(stderr, "\n*** Handshake failed ***\n");
440
gnutls_perror (ret);
679
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
680
gnutls_perror(ret);
441
681
}
442
682
retval = -1;
443
goto exit;
683
goto mandos_end;
444
684
}
445
685
446
//Retrieve OpenPGP packet that contains the wanted password
686
/* Read OpenPGP packet that contains the wanted password */
447
687
448
688
if(debug){
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
689
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
450
690
ip);
451
691
}
452
692
453
693
while(true){
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
694
buffer_capacity = incbuffer(&buffer, buffer_length,
695
buffer_capacity);
696
if(buffer_capacity == 0){
697
perror("incbuffer");
698
retval = -1;
699
goto mandos_end;
461
700
}
462
701
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
465
if (ret == 0){
702
sret = gnutls_record_recv(session, buffer+buffer_length,
703
BUFFER_SIZE);
704
if(sret == 0){
466
705
break;
467
706
}
468
if (ret < 0){
469
switch(ret){
707
if(sret < 0){
708
switch(sret){
470
709
case GNUTLS_E_INTERRUPTED:
471
710
case GNUTLS_E_AGAIN:
472
711
break;
473
712
case GNUTLS_E_REHANDSHAKE:
474
ret = gnutls_handshake (es.session);
475
if (ret < 0){
476
fprintf(stderr, "\n*** Handshake failed ***\n");
477
gnutls_perror (ret);
713
do{
714
ret = gnutls_handshake(session);
715
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
716
if(ret < 0){
717
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
718
gnutls_perror(ret);
478
719
retval = -1;
479
goto exit;
720
goto mandos_end;
480
721
}
481
722
break;
482
723
default:
483
724
fprintf(stderr, "Unknown error while reading data from"
484
" encrypted session with mandos server\n");
725
" encrypted session with Mandos server\n");
485
726
retval = -1;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
727
gnutls_bye(session, GNUTLS_SHUT_RDWR);
728
goto mandos_end;
488
729
}
489
730
} else {
490
buffer_length += (size_t) ret;
731
buffer_length += (size_t) sret;
491
732
}
492
733
}
493
734
494
if (buffer_length > 0){
735
if(debug){
736
fprintf(stderr, "Closing TLS session\n");
737
}
738
739
gnutls_bye(session, GNUTLS_SHUT_RDWR);
740
741
if(buffer_length > 0){
495
742
decrypted_buffer_size = pgp_packet_decrypt(buffer,
496
743
buffer_length,
497
&decrypted_buffer,
498
certdir);
499
if (decrypted_buffer_size >= 0){
744
&decrypted_buffer);
745
if(decrypted_buffer_size >= 0){
746
written = 0;
500
747
while(written < (size_t) decrypted_buffer_size){
501
ret = (int)fwrite (decrypted_buffer + written, 1,
502
(size_t)decrypted_buffer_size - written,
503
stdout);
748
ret = (int)fwrite(decrypted_buffer + written, 1,
749
(size_t)decrypted_buffer_size - written,
750
stdout);
504
751
if(ret == 0 and ferror(stdout)){
505
752
if(debug){
506
753
fprintf(stderr, "Error writing encrypted data: %s\n",
515
762
} else {
516
763
retval = -1;
517
764
}
518
}
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
765
} else {
766
retval = -1;
767
}
768
769
/* Shutdown procedure */
770
771
mandos_end:
526
772
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
529
close(tcp_sd);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
532
gnutls_global_deinit ();
773
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
774
if(ret == -1){
775
perror("close");
776
}
777
gnutls_deinit(session);
533
778
return retval;
534
779
}
535
780
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
554
assert(r); /* Spurious warning */
781
static void resolve_callback(AvahiSServiceResolver *r,
782
AvahiIfIndex interface,
783
AvahiProtocol proto,
784
AvahiResolverEvent event,
785
const char *name,
786
const char *type,
787
const char *domain,
788
const char *host_name,
789
const AvahiAddress *address,
790
uint16_t port,
791
AVAHI_GCC_UNUSED AvahiStringList *txt,
792
AVAHI_GCC_UNUSED AvahiLookupResultFlags
793
flags,
794
AVAHI_GCC_UNUSED void* userdata){
795
assert(r);
555
796
556
797
/* Called whenever a service has been resolved successfully or
557
798
timed out */
558
799
559
switch (event) {
800
switch(event){
560
801
default:
561
802
case AVAHI_RESOLVER_FAILURE:
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
803
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
804
" of type '%s' in domain '%s': %s\n", name, type, domain,
805
avahi_strerror(avahi_server_errno(mc.server)));
565
806
break;
566
807
567
808
case AVAHI_RESOLVER_FOUND:
569
810
char ip[AVAHI_ADDRESS_STR_MAX];
570
811
avahi_address_snprint(ip, sizeof(ip), address);
571
812
if(debug){
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
813
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
814
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
815
ip, (intmax_t)interface, port);
574
816
}
575
int ret = start_mandos_communication(ip, port, interface);
576
if (ret == 0){
577
exit(EXIT_SUCCESS);
817
int ret = start_mandos_communication(ip, port, interface,
818
avahi_proto_to_af(proto));
819
if(ret == 0){
820
avahi_simple_poll_quit(mc.simple_poll);
578
821
}
579
822
}
580
823
}
581
824
avahi_s_service_resolver_free(r);
582
825
}
583
826
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
827
static void browse_callback(AvahiSServiceBrowser *b,
828
AvahiIfIndex interface,
829
AvahiProtocol protocol,
830
AvahiBrowserEvent event,
831
const char *name,
832
const char *type,
833
const char *domain,
834
AVAHI_GCC_UNUSED AvahiLookupResultFlags
835
flags,
836
AVAHI_GCC_UNUSED void* userdata){
837
assert(b);
838
839
/* Called whenever a new services becomes available on the LAN or
840
is removed from the LAN */
841
842
switch(event){
843
default:
844
case AVAHI_BROWSER_FAILURE:
845
846
fprintf(stderr, "(Avahi browser) %s\n",
847
avahi_strerror(avahi_server_errno(mc.server)));
848
avahi_simple_poll_quit(mc.simple_poll);
849
return;
850
851
case AVAHI_BROWSER_NEW:
852
/* We ignore the returned Avahi resolver object. In the callback
853
function we free it. If the Avahi server is terminated before
854
the callback function is called the Avahi server will free the
855
resolver for us. */
856
857
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
858
name, type, domain, protocol, 0,
859
resolve_callback, NULL) == NULL)
860
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
861
name, avahi_strerror(avahi_server_errno(mc.server)));
862
break;
863
864
case AVAHI_BROWSER_REMOVE:
865
break;
866
867
case AVAHI_BROWSER_ALL_FOR_NOW:
868
case AVAHI_BROWSER_CACHE_EXHAUSTED:
869
if(debug){
870
fprintf(stderr, "No Mandos server found, still searching...\n");
630
871
}
631
}
632
633
/* Combines file name and path and returns the malloced new
634
string. some sane checks could/should be added */
635
static const char *combinepath(const char *first, const char *second){
636
size_t f_len = strlen(first);
637
size_t s_len = strlen(second);
638
char *tmp = malloc(f_len + s_len + 2);
639
if (tmp == NULL){
640
return NULL;
641
}
642
if(f_len > 0){
643
memcpy(tmp, first, f_len);
644
}
645
tmp[f_len] = '/';
646
if(s_len > 0){
647
memcpy(tmp + f_len + 1, second, s_len);
648
}
649
tmp[f_len + 1 + s_len] = '\0';
650
return tmp;
651
}
652
653
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
656
AvahiSServiceBrowser *sb = NULL;
657
int error;
658
int ret;
659
int returncode = EXIT_SUCCESS;
660
const char *interface = "eth0";
661
struct ifreq network;
662
int sd;
663
char *connect_to = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
872
break;
873
}
874
}
875
876
sig_atomic_t quit_now = 0;
877
878
/* stop main loop after sigterm has been called */
879
static void handle_sigterm(__attribute__((unused)) int sig){
880
if(quit_now){
881
return;
882
}
883
quit_now = 1;
884
int old_errno = errno;
885
if(mc.simple_poll != NULL){
886
avahi_simple_poll_quit(mc.simple_poll);
887
}
888
errno = old_errno;
889
}
890
891
int main(int argc, char *argv[]){
892
AvahiSServiceBrowser *sb = NULL;
893
int error;
894
int ret;
895
intmax_t tmpmax;
896
char *tmp;
897
int exitcode = EXIT_SUCCESS;
898
const char *interface = "eth0";
899
struct ifreq network;
900
int sd;
901
uid_t uid;
902
gid_t gid;
903
char *connect_to = NULL;
904
char tempdir[] = "/tmp/mandosXXXXXX";
905
bool tempdir_created = false;
906
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
907
const char *seckey = PATHDIR "/" SECKEY;
908
const char *pubkey = PATHDIR "/" PUBKEY;
909
910
bool gnutls_initialized = false;
911
bool gpgme_initialized = false;
912
float delay = 2.5f;
913
914
struct sigaction old_sigterm_action;
915
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
916
917
{
918
struct argp_option options[] = {
919
{ .name = "debug", .key = 128,
920
.doc = "Debug mode", .group = 3 },
921
{ .name = "connect", .key = 'c',
922
.arg = "ADDRESS:PORT",
923
.doc = "Connect directly to a specific Mandos server",
924
.group = 1 },
925
{ .name = "interface", .key = 'i',
926
.arg = "NAME",
927
.doc = "Network interface that will be used to search for"
928
" Mandos servers",
929
.group = 1 },
930
{ .name = "seckey", .key = 's',
931
.arg = "FILE",
932
.doc = "OpenPGP secret key file base name",
933
.group = 1 },
934
{ .name = "pubkey", .key = 'p',
935
.arg = "FILE",
936
.doc = "OpenPGP public key file base name",
937
.group = 2 },
938
{ .name = "dh-bits", .key = 129,
939
.arg = "BITS",
940
.doc = "Bit length of the prime number used in the"
941
" Diffie-Hellman key exchange",
942
.group = 2 },
943
{ .name = "priority", .key = 130,
944
.arg = "STRING",
945
.doc = "GnuTLS priority string for the TLS handshake",
946
.group = 1 },
947
{ .name = "delay", .key = 131,
948
.arg = "SECONDS",
949
.doc = "Maximum delay to wait for interface startup",
950
.group = 2 },
951
{ .name = NULL }
952
};
665
953
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
954
error_t parse_opt(int key, char *arg,
955
struct argp_state *state){
956
switch(key){
957
case 128: /* --debug */
958
debug = true;
959
break;
960
case 'c': /* --connect */
961
connect_to = arg;
962
break;
963
case 'i': /* --interface */
964
interface = arg;
965
break;
966
case 's': /* --seckey */
967
seckey = arg;
968
break;
969
case 'p': /* --pubkey */
970
pubkey = arg;
971
break;
972
case 129: /* --dh-bits */
973
errno = 0;
974
tmpmax = strtoimax(arg, &tmp, 10);
975
if(errno != 0 or tmp == arg or *tmp != '\0'
976
or tmpmax != (typeof(mc.dh_bits))tmpmax){
977
fprintf(stderr, "Bad number of DH bits\n");
978
exit(EXIT_FAILURE);
979
}
980
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
981
break;
982
case 130: /* --priority */
983
mc.priority = arg;
984
break;
985
case 131: /* --delay */
986
errno = 0;
987
delay = strtof(arg, &tmp);
988
if(errno != 0 or tmp == arg or *tmp != '\0'){
989
fprintf(stderr, "Bad delay\n");
990
exit(EXIT_FAILURE);
991
}
992
break;
993
case ARGP_KEY_ARG:
994
argp_usage(state);
995
case ARGP_KEY_END:
701
996
break;
702
997
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
719
}
720
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
722
if(if_index == 0){
723
fprintf(stderr, "No such interface: \"%s\"\n", interface);
724
exit(EXIT_FAILURE);
725
}
726
727
if(connect_to != NULL){
728
/* Connect directly, do not use Zeroconf */
729
/* (Mainly meant for debugging) */
730
char *address = strrchr(connect_to, ':');
731
if(address == NULL){
732
fprintf(stderr, "No colon in address\n");
733
exit(EXIT_FAILURE);
734
}
735
errno = 0;
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
737
if(errno){
738
perror("Bad port number");
739
exit(EXIT_FAILURE);
740
}
741
*address = '\0';
742
address = connect_to;
743
ret = start_mandos_communication(address, port, if_index);
744
if(ret < 0){
745
exit(EXIT_FAILURE);
746
} else {
747
exit(EXIT_SUCCESS);
748
}
749
}
998
return ARGP_ERR_UNKNOWN;
999
}
1000
return 0;
1001
}
1002
1003
struct argp argp = { .options = options, .parser = parse_opt,
1004
.args_doc = "",
1005
.doc = "Mandos client -- Get and decrypt"
1006
" passwords from a Mandos server" };
1007
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1008
if(ret == ARGP_ERR_UNKNOWN){
1009
fprintf(stderr, "Unknown error while parsing arguments\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
}
1014
1015
if(not debug){
1016
avahi_set_log_function(empty_log);
1017
}
1018
1019
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1020
from the signal handler */
1021
/* Initialize the pseudo-RNG for Avahi */
1022
srand((unsigned int) time(NULL));
1023
mc.simple_poll = avahi_simple_poll_new();
1024
if(mc.simple_poll == NULL){
1025
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1026
exitcode = EXIT_FAILURE;
1027
goto end;
1028
}
1029
1030
sigemptyset(&sigterm_action.sa_mask);
1031
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1032
if(ret == -1){
1033
perror("sigaddset");
1034
exitcode = EXIT_FAILURE;
1035
goto end;
1036
}
1037
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1038
if(ret == -1){
1039
perror("sigaddset");
1040
exitcode = EXIT_FAILURE;
1041
goto end;
1042
}
1043
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1044
if(ret == -1){
1045
perror("sigaddset");
1046
exitcode = EXIT_FAILURE;
1047
goto end;
1048
}
1049
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1050
if(ret == -1){
1051
perror("sigaction");
1052
exitcode = EXIT_FAILURE;
1053
goto end;
1054
}
1055
1056
/* If the interface is down, bring it up */
1057
if(interface[0] != '\0'){
1058
#ifdef __linux__
1059
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1060
messages to mess up the prompt */
1061
ret = klogctl(8, NULL, 5);
1062
bool restore_loglevel = true;
1063
if(ret == -1){
1064
restore_loglevel = false;
1065
perror("klogctl");
1066
}
1067
#endif /* __linux__ */
750
1068
751
1069
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
1070
if(sd < 0){
753
1071
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
1072
exitcode = EXIT_FAILURE;
1073
#ifdef __linux__
1074
if(restore_loglevel){
1075
ret = klogctl(7, NULL, 0);
1076
if(ret == -1){
1077
perror("klogctl");
1078
}
1079
}
1080
#endif /* __linux__ */
1081
goto end;
756
1082
}
757
strcpy(network.ifr_name, interface);
1083
strcpy(network.ifr_name, interface);
758
1084
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
1085
if(ret == -1){
760
761
1086
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
1087
#ifdef __linux__
1088
if(restore_loglevel){
1089
ret = klogctl(7, NULL, 0);
1090
if(ret == -1){
1091
perror("klogctl");
1092
}
1093
}
1094
#endif /* __linux__ */
1095
exitcode = EXIT_FAILURE;
1096
goto end;
764
1097
}
765
1098
if((network.ifr_flags & IFF_UP) == 0){
766
1099
network.ifr_flags |= IFF_UP;
767
1100
ret = ioctl(sd, SIOCSIFFLAGS, &network);
768
1101
if(ret == -1){
769
1102
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
773
}
774
close(sd);
775
776
if (not debug){
777
avahi_set_log_function(empty_log);
778
}
779
780
/* Initialize the psuedo-RNG */
781
srand((unsigned int) time(NULL));
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
1103
exitcode = EXIT_FAILURE;
1104
#ifdef __linux__
1105
if(restore_loglevel){
1106
ret = klogctl(7, NULL, 0);
1107
if(ret == -1){
1108
perror("klogctl");
1109
}
1110
}
1111
#endif /* __linux__ */
1112
goto end;
1113
}
1114
}
1115
/* sleep checking until interface is running */
1116
for(int i=0; i < delay * 4; i++){
1117
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1118
if(ret == -1){
1119
perror("ioctl SIOCGIFFLAGS");
1120
} else if(network.ifr_flags & IFF_RUNNING){
1121
break;
1122
}
1123
struct timespec sleeptime = { .tv_nsec = 250000000 };
1124
ret = nanosleep(&sleeptime, NULL);
1125
if(ret == -1 and errno != EINTR){
1126
perror("nanosleep");
1127
}
1128
}
1129
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1130
if(ret == -1){
1131
perror("close");
1132
}
1133
#ifdef __linux__
1134
if(restore_loglevel){
1135
/* Restores kernel loglevel to default */
1136
ret = klogctl(7, NULL, 0);
1137
if(ret == -1){
1138
perror("klogctl");
1139
}
1140
}
1141
#endif /* __linux__ */
1142
}
1143
1144
uid = getuid();
1145
gid = getgid();
1146
1147
errno = 0;
1148
setgid(gid);
1149
if(ret == -1){
1150
perror("setgid");
1151
}
1152
1153
ret = setuid(uid);
1154
if(ret == -1){
1155
perror("setuid");
1156
}
1157
1158
ret = init_gnutls_global(pubkey, seckey);
1159
if(ret == -1){
1160
fprintf(stderr, "init_gnutls_global failed\n");
1161
exitcode = EXIT_FAILURE;
1162
goto end;
1163
} else {
1164
gnutls_initialized = true;
1165
}
1166
1167
if(mkdtemp(tempdir) == NULL){
1168
perror("mkdtemp");
1169
goto end;
1170
}
1171
tempdir_created = true;
1172
1173
if(not init_gpgme(pubkey, seckey, tempdir)){
1174
fprintf(stderr, "init_gpgme failed\n");
1175
exitcode = EXIT_FAILURE;
1176
goto end;
1177
} else {
1178
gpgme_initialized = true;
1179
}
1180
1181
if(interface[0] != '\0'){
1182
if_index = (AvahiIfIndex) if_nametoindex(interface);
1183
if(if_index == 0){
1184
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1185
exitcode = EXIT_FAILURE;
1186
goto end;
1187
}
1188
}
1189
1190
if(connect_to != NULL){
1191
/* Connect directly, do not use Zeroconf */
1192
/* (Mainly meant for debugging) */
1193
char *address = strrchr(connect_to, ':');
1194
if(address == NULL){
1195
fprintf(stderr, "No colon in address\n");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1199
uint16_t port;
1200
errno = 0;
1201
tmpmax = strtoimax(address+1, &tmp, 10);
1202
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1203
or tmpmax != (uint16_t)tmpmax){
1204
fprintf(stderr, "Bad port number\n");
1205
exitcode = EXIT_FAILURE;
1206
goto end;
1207
}
1208
port = (uint16_t)tmpmax;
1209
*address = '\0';
1210
address = connect_to;
1211
/* Colon in address indicates IPv6 */
1212
int af;
1213
if(strchr(address, ':') != NULL){
1214
af = AF_INET6;
1215
} else {
1216
af = AF_INET;
1217
}
1218
ret = start_mandos_communication(address, port, if_index, af);
1219
if(ret < 0){
1220
exitcode = EXIT_FAILURE;
1221
} else {
1222
exitcode = EXIT_SUCCESS;
1223
}
1224
goto end;
1225
}
1226
1227
{
1228
AvahiServerConfig config;
1229
/* Do not publish any local Zeroconf records */
791
1230
avahi_server_config_init(&config);
792
1231
config.publish_hinfo = 0;
793
1232
config.publish_addresses = 0;
794
1233
config.publish_workstation = 0;
795
1234
config.publish_domain = 0;
796
1235
797
1236
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
1237
mc.server = avahi_server_new(avahi_simple_poll_get
1238
(mc.simple_poll), &config, NULL,
1239
NULL, &error);
1240
1241
/* Free the Avahi configuration data */
802
1242
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
807
avahi_strerror(error));
808
returncode = EXIT_FAILURE;
809
goto exit;
810
}
811
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
814
AVAHI_PROTO_INET6,
815
"_mandos._tcp", NULL, 0,
816
browse_callback, server);
817
if (!sb) {
818
fprintf(stderr, "Failed to create service browser: %s\n",
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
822
}
823
824
/* Run the main loop */
825
826
if (debug){
827
fprintf(stderr, "Starting avahi loop search\n");
828
}
829
830
avahi_simple_poll_loop(simple_poll);
831
832
exit:
833
834
if (debug){
835
fprintf(stderr, "%s exiting\n", argv[0]);
836
}
837
838
/* Cleanup things */
839
if (sb)
840
avahi_s_service_browser_free(sb);
841
842
if (server)
843
avahi_server_free(server);
844
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
849
850
return returncode;
1243
}
1244
1245
/* Check if creating the Avahi server object succeeded */
1246
if(mc.server == NULL){
1247
fprintf(stderr, "Failed to create Avahi server: %s\n",
1248
avahi_strerror(error));
1249
exitcode = EXIT_FAILURE;
1250
goto end;
1251
}
1252
1253
/* Create the Avahi service browser */
1254
sb = avahi_s_service_browser_new(mc.server, if_index,
1255
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1256
NULL, 0, browse_callback, NULL);
1257
if(sb == NULL){
1258
fprintf(stderr, "Failed to create service browser: %s\n",
1259
avahi_strerror(avahi_server_errno(mc.server)));
1260
exitcode = EXIT_FAILURE;
1261
goto end;
1262
}
1263
1264
/* Run the main loop */
1265
1266
if(debug){
1267
fprintf(stderr, "Starting Avahi loop search\n");
1268
}
1269
1270
avahi_simple_poll_loop(mc.simple_poll);
1271
1272
end:
1273
1274
if(debug){
1275
fprintf(stderr, "%s exiting\n", argv[0]);
1276
}
1277
1278
/* Cleanup things */
1279
if(sb != NULL)
1280
avahi_s_service_browser_free(sb);
1281
1282
if(mc.server != NULL)
1283
avahi_server_free(mc.server);
1284
1285
if(mc.simple_poll != NULL)
1286
avahi_simple_poll_free(mc.simple_poll);
1287
1288
if(gnutls_initialized){
1289
gnutls_certificate_free_credentials(mc.cred);
1290
gnutls_global_deinit();
1291
gnutls_dh_params_deinit(mc.dh_params);
1292
}
1293
1294
if(gpgme_initialized){
1295
gpgme_release(mc.ctx);
1296
}
1297
1298
/* Removes the temp directory used by GPGME */
1299
if(tempdir_created){
1300
DIR *d;
1301
struct dirent *direntry;
1302
d = opendir(tempdir);
1303
if(d == NULL){
1304
if(errno != ENOENT){
1305
perror("opendir");
1306
}
1307
} else {
1308
while(true){
1309
direntry = readdir(d);
1310
if(direntry == NULL){
1311
break;
1312
}
1313
/* Skip "." and ".." */
1314
if(direntry->d_name[0] == '.'
1315
and (direntry->d_name[1] == '\0'
1316
or (direntry->d_name[1] == '.'
1317
and direntry->d_name[2] == '\0'))){
1318
continue;
1319
}
1320
char *fullname = NULL;
1321
ret = asprintf(&fullname, "%s/%s", tempdir,
1322
direntry->d_name);
1323
if(ret < 0){
1324
perror("asprintf");
1325
continue;
1326
}
1327
ret = remove(fullname);
1328
if(ret == -1){
1329
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1330
strerror(errno));
1331
}
1332
free(fullname);
1333
}
1334
closedir(d);
1335
}
1336
ret = rmdir(tempdir);
1337
if(ret == -1 and errno != ENOENT){
1338
perror("rmdir");
1339
}
1340
}
1341
1342
return exitcode;
851
1343
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0