To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.2.86
- compare with another revision
- download diff
- download tarball
- view history from revision 237.2.86
- Committer: Teddy Hogeborn
- Date: 2009-02-25 01:14:29 UTC
- mto: (237.4.2 mandos-pipe-ipc) (24.1.137 mandos) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 254.
- Revision ID: teddy@fukt.bsnet.se-20090225011429-dwz2bj41zqn0w8eo
* initramfs-tools-hook: Add missing terminating `" when setting
mandos_user and mandos_group.
* mandos.conf.xml (SEE ALSO): Improved grammar.
mandos_user and mandos_group.
* mandos.conf.xml (SEE ALSO): Improved grammar.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
29
30
*/
30
31
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
32
34
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
33
37
#define _FILE_OFFSET_BITS 64
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
42
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sigaction,
84
sig_atomic_t */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
43
94
#include <avahi-core/core.h>
44
95
#include <avahi-core/lookup.h>
45
96
#include <avahi-core/log.h>
47
98
#include <avahi-common/malloc.h>
48
99
#include <avahi-common/error.h>
49
100
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt_long
69
#include <getopt.h>
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
70
117
71
118
#define BUFFER_SIZE 256
72
119
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
76
123
77
124
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
78
128
79
/* Used for passing in values through all the callback functions */
129
/* Used for passing in values through the Avahi callback functions */
80
130
typedef struct {
81
131
AvahiSimplePoll *simple_poll;
82
132
AvahiServer *server;
83
133
gnutls_certificate_credentials_t cred;
84
134
unsigned int dh_bits;
135
gnutls_dh_params_t dh_params;
85
136
const char *priority;
137
gpgme_ctx_t ctx;
86
138
} mandos_context;
87
139
88
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
89
char **new_packet,
90
const char *homedir){
91
gpgme_data_t dh_crypto, dh_plain;
92
gpgme_ctx_t ctx;
140
/* global context so signal handler can reach it*/
141
mandos_context mc = { .simple_poll = NULL, .server = NULL,
142
.dh_bits = 1024, .priority = "SECURE256"
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
145
/*
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
* bytes. "buffer_capacity" is how much is currently allocated,
148
* "buffer_length" is how much is already used.
149
*/
150
size_t incbuffer(char **buffer, size_t buffer_length,
151
size_t buffer_capacity){
152
if(buffer_length + BUFFER_SIZE > buffer_capacity){
153
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
154
if(buffer == NULL){
155
return 0;
156
}
157
buffer_capacity += BUFFER_SIZE;
158
}
159
return buffer_capacity;
160
}
161
162
/*
163
* Initialize GPGME.
164
*/
165
static bool init_gpgme(const char *seckey,
166
const char *pubkey, const char *tempdir){
167
int ret;
93
168
gpgme_error_t rc;
94
ssize_t ret;
95
ssize_t new_packet_capacity = 0;
96
ssize_t new_packet_length = 0;
97
169
gpgme_engine_info_t engine_info;
98
99
if (debug){
100
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
170
171
172
/*
173
* Helper function to insert pub and seckey to the engine keyring.
174
*/
175
bool import_key(const char *filename){
176
int fd;
177
gpgme_data_t pgp_data;
178
179
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
180
if(fd == -1){
181
perror("open");
182
return false;
183
}
184
185
rc = gpgme_data_new_from_fd(&pgp_data, fd);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
rc = gpgme_op_import(mc.ctx, pgp_data);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
ret = (int)TEMP_FAILURE_RETRY(close(fd));
200
if(ret == -1){
201
perror("close");
202
}
203
gpgme_data_release(pgp_data);
204
return true;
205
}
206
207
if(debug){
208
fprintf(stderr, "Initializing GPGME\n");
101
209
}
102
210
103
211
/* Init GPGME */
104
212
gpgme_check_version(NULL);
105
213
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
106
if (rc != GPG_ERR_NO_ERROR){
214
if(rc != GPG_ERR_NO_ERROR){
107
215
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
108
216
gpgme_strsource(rc), gpgme_strerror(rc));
109
return -1;
217
return false;
110
218
}
111
219
112
/* Set GPGME home directory */
113
rc = gpgme_get_engine_info (&engine_info);
114
if (rc != GPG_ERR_NO_ERROR){
220
/* Set GPGME home directory for the OpenPGP engine only */
221
rc = gpgme_get_engine_info(&engine_info);
222
if(rc != GPG_ERR_NO_ERROR){
115
223
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
116
224
gpgme_strsource(rc), gpgme_strerror(rc));
117
return -1;
225
return false;
118
226
}
119
227
while(engine_info != NULL){
120
228
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
121
229
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
122
engine_info->file_name, homedir);
230
engine_info->file_name, tempdir);
123
231
break;
124
232
}
125
233
engine_info = engine_info->next;
126
234
}
127
235
if(engine_info == NULL){
128
fprintf(stderr, "Could not set home dir to %s\n", homedir);
129
return -1;
130
}
131
132
/* Create new GPGME data buffer from packet buffer */
133
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
134
if (rc != GPG_ERR_NO_ERROR){
236
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
237
return false;
238
}
239
240
/* Create new GPGME "context" */
241
rc = gpgme_new(&(mc.ctx));
242
if(rc != GPG_ERR_NO_ERROR){
243
fprintf(stderr, "bad gpgme_new: %s: %s\n",
244
gpgme_strsource(rc), gpgme_strerror(rc));
245
return false;
246
}
247
248
if(not import_key(pubkey) or not import_key(seckey)){
249
return false;
250
}
251
252
return true;
253
}
254
255
/*
256
* Decrypt OpenPGP data.
257
* Returns -1 on error
258
*/
259
static ssize_t pgp_packet_decrypt(const char *cryptotext,
260
size_t crypto_size,
261
char **plaintext){
262
gpgme_data_t dh_crypto, dh_plain;
263
gpgme_error_t rc;
264
ssize_t ret;
265
size_t plaintext_capacity = 0;
266
ssize_t plaintext_length = 0;
267
268
if(debug){
269
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
270
}
271
272
/* Create new GPGME data buffer from memory cryptotext */
273
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
274
0);
275
if(rc != GPG_ERR_NO_ERROR){
135
276
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
136
277
gpgme_strsource(rc), gpgme_strerror(rc));
137
278
return -1;
139
280
140
281
/* Create new empty GPGME data buffer for the plaintext */
141
282
rc = gpgme_data_new(&dh_plain);
142
if (rc != GPG_ERR_NO_ERROR){
283
if(rc != GPG_ERR_NO_ERROR){
143
284
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
144
285
gpgme_strsource(rc), gpgme_strerror(rc));
145
return -1;
146
}
147
148
/* Create new GPGME "context" */
149
rc = gpgme_new(&ctx);
150
if (rc != GPG_ERR_NO_ERROR){
151
fprintf(stderr, "bad gpgme_new: %s: %s\n",
152
gpgme_strsource(rc), gpgme_strerror(rc));
153
return -1;
154
}
155
156
/* Decrypt data from the FILE pointer to the plaintext data
157
buffer */
158
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
159
if (rc != GPG_ERR_NO_ERROR){
286
gpgme_data_release(dh_crypto);
287
return -1;
288
}
289
290
/* Decrypt data from the cryptotext data buffer to the plaintext
291
data buffer */
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
160
294
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
161
295
gpgme_strsource(rc), gpgme_strerror(rc));
162
return -1;
296
plaintext_length = -1;
297
if(debug){
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
300
if(result == NULL){
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
302
} else {
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
309
}
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
312
if(recipient){
313
while(recipient != NULL){
314
fprintf(stderr, "Public key algorithm: %s\n",
315
gpgme_pubkey_algo_name(recipient->pubkey_algo));
316
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
317
fprintf(stderr, "Secret key available: %s\n",
318
recipient->status == GPG_ERR_NO_SECKEY
319
? "No" : "Yes");
320
recipient = recipient->next;
321
}
322
}
323
}
324
}
325
goto decrypt_end;
163
326
}
164
327
165
328
if(debug){
166
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
167
}
168
169
if (debug){
170
gpgme_decrypt_result_t result;
171
result = gpgme_op_decrypt_result(ctx);
172
if (result == NULL){
173
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
174
} else {
175
fprintf(stderr, "Unsupported algorithm: %s\n",
176
result->unsupported_algorithm);
177
fprintf(stderr, "Wrong key usage: %d\n",
178
result->wrong_key_usage);
179
if(result->file_name != NULL){
180
fprintf(stderr, "File name: %s\n", result->file_name);
181
}
182
gpgme_recipient_t recipient;
183
recipient = result->recipients;
184
if(recipient){
185
while(recipient != NULL){
186
fprintf(stderr, "Public key algorithm: %s\n",
187
gpgme_pubkey_algo_name(recipient->pubkey_algo));
188
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
189
fprintf(stderr, "Secret key available: %s\n",
190
recipient->status == GPG_ERR_NO_SECKEY
191
? "No" : "Yes");
192
recipient = recipient->next;
193
}
194
}
195
}
196
}
197
198
/* Delete the GPGME FILE pointer cryptotext data buffer */
199
gpgme_data_release(dh_crypto);
329
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
330
}
200
331
201
332
/* Seek back to the beginning of the GPGME plaintext data buffer */
202
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
203
perror("pgpme_data_seek");
333
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
334
perror("gpgme_data_seek");
335
plaintext_length = -1;
336
goto decrypt_end;
204
337
}
205
338
206
*new_packet = 0;
339
*plaintext = NULL;
207
340
while(true){
208
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
209
*new_packet = realloc(*new_packet,
210
(unsigned int)new_packet_capacity
211
+ BUFFER_SIZE);
212
if (*new_packet == NULL){
213
perror("realloc");
214
return -1;
215
}
216
new_packet_capacity += BUFFER_SIZE;
341
plaintext_capacity = incbuffer(plaintext,
342
(size_t)plaintext_length,
343
plaintext_capacity);
344
if(plaintext_capacity == 0){
345
perror("incbuffer");
346
plaintext_length = -1;
347
goto decrypt_end;
217
348
}
218
349
219
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
350
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
220
351
BUFFER_SIZE);
221
352
/* Print the data, if any */
222
if (ret == 0){
353
if(ret == 0){
354
/* EOF */
223
355
break;
224
356
}
225
357
if(ret < 0){
226
358
perror("gpgme_data_read");
227
return -1;
228
}
229
new_packet_length += ret;
230
}
231
232
/* FIXME: check characters before printing to screen so to not print
233
terminal control characters */
234
/* if(debug){ */
235
/* fprintf(stderr, "decrypted password is: "); */
236
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
237
/* fprintf(stderr, "\n"); */
238
/* } */
359
plaintext_length = -1;
360
goto decrypt_end;
361
}
362
plaintext_length += ret;
363
}
364
365
if(debug){
366
fprintf(stderr, "Decrypted password is: ");
367
for(ssize_t i = 0; i < plaintext_length; i++){
368
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
369
}
370
fprintf(stderr, "\n");
371
}
372
373
decrypt_end:
374
375
/* Delete the GPGME cryptotext data buffer */
376
gpgme_data_release(dh_crypto);
239
377
240
378
/* Delete the GPGME plaintext data buffer */
241
379
gpgme_data_release(dh_plain);
242
return new_packet_length;
380
return plaintext_length;
243
381
}
244
382
245
static const char * safer_gnutls_strerror (int value) {
246
const char *ret = gnutls_strerror (value);
247
if (ret == NULL)
383
static const char * safer_gnutls_strerror(int value){
384
const char *ret = gnutls_strerror(value); /* Spurious warning from
385
-Wunreachable-code */
386
if(ret == NULL)
248
387
ret = "(unknown)";
249
388
return ret;
250
389
}
251
390
391
/* GnuTLS log function callback */
252
392
static void debuggnutls(__attribute__((unused)) int level,
253
393
const char* string){
254
fprintf(stderr, "%s", string);
394
fprintf(stderr, "GnuTLS: %s", string);
255
395
}
256
396
257
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
258
gnutls_dh_params_t *dh_params){
259
const char *err;
397
static int init_gnutls_global(const char *pubkeyfilename,
398
const char *seckeyfilename){
260
399
int ret;
261
400
262
401
if(debug){
263
402
fprintf(stderr, "Initializing GnuTLS\n");
264
403
}
265
266
if ((ret = gnutls_global_init ())
267
!= GNUTLS_E_SUCCESS) {
268
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
404
405
ret = gnutls_global_init();
406
if(ret != GNUTLS_E_SUCCESS){
407
fprintf(stderr, "GnuTLS global_init: %s\n",
408
safer_gnutls_strerror(ret));
269
409
return -1;
270
410
}
271
411
272
if (debug){
412
if(debug){
413
/* "Use a log level over 10 to enable all debugging options."
414
* - GnuTLS manual
415
*/
273
416
gnutls_global_set_log_level(11);
274
417
gnutls_global_set_log_function(debuggnutls);
275
418
}
276
419
277
/* openpgp credentials */
278
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
279
!= GNUTLS_E_SUCCESS) {
280
fprintf (stderr, "memory error: %s\n",
281
safer_gnutls_strerror(ret));
420
/* OpenPGP credentials */
421
gnutls_certificate_allocate_credentials(&mc.cred);
422
if(ret != GNUTLS_E_SUCCESS){
423
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
424
from
425
-Wunreachable-code
426
*/
427
safer_gnutls_strerror(ret));
428
gnutls_global_deinit();
282
429
return -1;
283
430
}
284
431
285
432
if(debug){
286
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
287
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
288
seckeyfile);
433
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
434
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
435
seckeyfilename);
289
436
}
290
437
291
438
ret = gnutls_certificate_set_openpgp_key_file
292
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
293
if (ret != GNUTLS_E_SUCCESS) {
294
fprintf
295
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
296
" '%s')\n",
297
ret, pubkeyfile, seckeyfile);
298
fprintf(stdout, "The Error is: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
//GnuTLS server initialization
304
if ((ret = gnutls_dh_params_init(dh_params))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf (stderr, "Error in dh parameter initialization: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
311
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
312
!= GNUTLS_E_SUCCESS) {
313
fprintf (stderr, "Error in prime generation: %s\n",
314
safer_gnutls_strerror(ret));
315
return -1;
316
}
317
318
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
319
320
// GnuTLS session creation
321
if ((ret = gnutls_init(session, GNUTLS_SERVER))
322
!= GNUTLS_E_SUCCESS){
439
(mc.cred, pubkeyfilename, seckeyfilename,
440
GNUTLS_OPENPGP_FMT_BASE64);
441
if(ret != GNUTLS_E_SUCCESS){
442
fprintf(stderr,
443
"Error[%d] while reading the OpenPGP key pair ('%s',"
444
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
445
fprintf(stderr, "The GnuTLS error is: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
/* GnuTLS server initialization */
451
ret = gnutls_dh_params_init(&mc.dh_params);
452
if(ret != GNUTLS_E_SUCCESS){
453
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
454
" %s\n", safer_gnutls_strerror(ret));
455
goto globalfail;
456
}
457
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
458
if(ret != GNUTLS_E_SUCCESS){
459
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
460
safer_gnutls_strerror(ret));
461
goto globalfail;
462
}
463
464
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
465
466
return 0;
467
468
globalfail:
469
470
gnutls_certificate_free_credentials(mc.cred);
471
gnutls_global_deinit();
472
gnutls_dh_params_deinit(mc.dh_params);
473
return -1;
474
}
475
476
static int init_gnutls_session(gnutls_session_t *session){
477
int ret;
478
/* GnuTLS session creation */
479
ret = gnutls_init(session, GNUTLS_SERVER);
480
if(ret != GNUTLS_E_SUCCESS){
323
481
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
324
482
safer_gnutls_strerror(ret));
325
483
}
326
484
327
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
328
!= GNUTLS_E_SUCCESS) {
329
fprintf(stderr, "Syntax error at: %s\n", err);
330
fprintf(stderr, "GnuTLS error: %s\n",
331
safer_gnutls_strerror(ret));
332
return -1;
485
{
486
const char *err;
487
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
488
if(ret != GNUTLS_E_SUCCESS){
489
fprintf(stderr, "Syntax error at: %s\n", err);
490
fprintf(stderr, "GnuTLS error: %s\n",
491
safer_gnutls_strerror(ret));
492
gnutls_deinit(*session);
493
return -1;
494
}
333
495
}
334
496
335
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
336
mc->cred))
337
!= GNUTLS_E_SUCCESS) {
338
fprintf(stderr, "Error setting a credentials set: %s\n",
497
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
498
mc.cred);
499
if(ret != GNUTLS_E_SUCCESS){
500
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
339
501
safer_gnutls_strerror(ret));
502
gnutls_deinit(*session);
340
503
return -1;
341
504
}
342
505
343
506
/* ignore client certificate if any. */
344
gnutls_certificate_server_set_request (*session,
345
GNUTLS_CERT_IGNORE);
507
gnutls_certificate_server_set_request(*session,
508
GNUTLS_CERT_IGNORE);
346
509
347
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
510
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
348
511
349
512
return 0;
350
513
}
351
514
515
/* Avahi log function callback */
352
516
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
353
517
__attribute__((unused)) const char *txt){}
354
518
519
/* Called when a Mandos server is found */
355
520
static int start_mandos_communication(const char *ip, uint16_t port,
356
521
AvahiIfIndex if_index,
357
mandos_context *mc){
522
int af){
358
523
int ret, tcp_sd;
359
struct sockaddr_in6 to;
524
ssize_t sret;
525
union {
526
struct sockaddr_in in;
527
struct sockaddr_in6 in6;
528
} to;
360
529
char *buffer = NULL;
361
530
char *decrypted_buffer;
362
531
size_t buffer_length = 0;
363
532
size_t buffer_capacity = 0;
364
533
ssize_t decrypted_buffer_size;
365
size_t written = 0;
534
size_t written;
366
535
int retval = 0;
367
char interface[IF_NAMESIZE];
368
536
gnutls_session_t session;
369
gnutls_dh_params_t dh_params;
537
int pf; /* Protocol family */
538
539
switch(af){
540
case AF_INET6:
541
pf = PF_INET6;
542
break;
543
case AF_INET:
544
pf = PF_INET;
545
break;
546
default:
547
fprintf(stderr, "Bad address family: %d\n", af);
548
return -1;
549
}
550
551
ret = init_gnutls_session(&session);
552
if(ret != 0){
553
return -1;
554
}
370
555
371
556
if(debug){
372
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
373
ip, port);
557
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
558
"\n", ip, port);
374
559
}
375
560
376
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
377
if(tcp_sd < 0) {
561
tcp_sd = socket(pf, SOCK_STREAM, 0);
562
if(tcp_sd < 0){
378
563
perror("socket");
379
564
return -1;
380
565
}
381
382
if(debug){
383
if(if_indextoname((unsigned int)if_index, interface) == NULL){
384
perror("if_indextoname");
385
return -1;
386
}
387
fprintf(stderr, "Binding to interface %s\n", interface);
388
}
389
566
390
memset(&to,0,sizeof(to)); /* Spurious warning */
391
to.sin6_family = AF_INET6;
392
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
393
if (ret < 0 ){
567
memset(&to, 0, sizeof(to));
568
if(af == AF_INET6){
569
to.in6.sin6_family = (uint16_t)af;
570
ret = inet_pton(af, ip, &to.in6.sin6_addr);
571
} else { /* IPv4 */
572
to.in.sin_family = (sa_family_t)af;
573
ret = inet_pton(af, ip, &to.in.sin_addr);
574
}
575
if(ret < 0 ){
394
576
perror("inet_pton");
395
577
return -1;
396
578
}
398
580
fprintf(stderr, "Bad address: %s\n", ip);
399
581
return -1;
400
582
}
401
to.sin6_port = htons(port); /* Spurious warning */
402
403
to.sin6_scope_id = (uint32_t)if_index;
583
if(af == AF_INET6){
584
to.in6.sin6_port = htons(port); /* Spurious warnings from
585
-Wconversion and
586
-Wunreachable-code */
587
588
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
589
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
590
-Wunreachable-code*/
591
if(if_index == AVAHI_IF_UNSPEC){
592
fprintf(stderr, "An IPv6 link-local address is incomplete"
593
" without a network interface\n");
594
return -1;
595
}
596
/* Set the network interface number as scope */
597
to.in6.sin6_scope_id = (uint32_t)if_index;
598
}
599
} else {
600
to.in.sin_port = htons(port); /* Spurious warnings from
601
-Wconversion and
602
-Wunreachable-code */
603
}
404
604
405
605
if(debug){
406
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
407
char addrstr[INET6_ADDRSTRLEN] = "";
408
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
409
sizeof(addrstr)) == NULL){
606
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
607
char interface[IF_NAMESIZE];
608
if(if_indextoname((unsigned int)if_index, interface) == NULL){
609
perror("if_indextoname");
610
} else {
611
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
612
ip, interface, port);
613
}
614
} else {
615
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
616
port);
617
}
618
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
619
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
620
const char *pcret;
621
if(af == AF_INET6){
622
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
623
sizeof(addrstr));
624
} else {
625
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
626
sizeof(addrstr));
627
}
628
if(pcret == NULL){
410
629
perror("inet_ntop");
411
630
} else {
412
631
if(strcmp(addrstr, ip) != 0){
415
634
}
416
635
}
417
636
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
637
if(af == AF_INET6){
638
ret = connect(tcp_sd, &to.in6, sizeof(to));
639
} else {
640
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
641
}
642
if(ret < 0){
420
643
perror("connect");
421
644
return -1;
422
645
}
423
646
424
ret = initgnutls (mc, &session, &dh_params);
425
if (ret != 0){
426
retval = -1;
427
return -1;
647
const char *out = mandos_protocol_version;
648
written = 0;
649
while(true){
650
size_t out_size = strlen(out);
651
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
652
out_size - written));
653
if(ret == -1){
654
perror("write");
655
retval = -1;
656
goto mandos_end;
657
}
658
written += (size_t)ret;
659
if(written < out_size){
660
continue;
661
} else {
662
if(out == mandos_protocol_version){
663
written = 0;
664
out = "\r\n";
665
} else {
666
break;
667
}
668
}
428
669
}
429
670
430
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
431
432
671
if(debug){
433
672
fprintf(stderr, "Establishing TLS session with %s\n", ip);
434
673
}
435
674
436
ret = gnutls_handshake (session);
437
438
if (ret != GNUTLS_E_SUCCESS){
675
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
676
677
do{
678
ret = gnutls_handshake(session);
679
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
680
681
if(ret != GNUTLS_E_SUCCESS){
439
682
if(debug){
440
fprintf(stderr, "\n*** Handshake failed ***\n");
441
gnutls_perror (ret);
683
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
684
gnutls_perror(ret);
442
685
}
443
686
retval = -1;
444
goto exit;
687
goto mandos_end;
445
688
}
446
689
447
//Retrieve OpenPGP packet that contains the wanted password
690
/* Read OpenPGP packet that contains the wanted password */
448
691
449
692
if(debug){
450
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
693
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
451
694
ip);
452
695
}
453
696
454
697
while(true){
455
if (buffer_length + BUFFER_SIZE > buffer_capacity){
456
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
457
if (buffer == NULL){
458
perror("realloc");
459
goto exit;
460
}
461
buffer_capacity += BUFFER_SIZE;
698
buffer_capacity = incbuffer(&buffer, buffer_length,
699
buffer_capacity);
700
if(buffer_capacity == 0){
701
perror("incbuffer");
702
retval = -1;
703
goto mandos_end;
462
704
}
463
705
464
ret = gnutls_record_recv(session, buffer+buffer_length,
465
BUFFER_SIZE);
466
if (ret == 0){
706
sret = gnutls_record_recv(session, buffer+buffer_length,
707
BUFFER_SIZE);
708
if(sret == 0){
467
709
break;
468
710
}
469
if (ret < 0){
470
switch(ret){
711
if(sret < 0){
712
switch(sret){
471
713
case GNUTLS_E_INTERRUPTED:
472
714
case GNUTLS_E_AGAIN:
473
715
break;
474
716
case GNUTLS_E_REHANDSHAKE:
475
ret = gnutls_handshake (session);
476
if (ret < 0){
477
fprintf(stderr, "\n*** Handshake failed ***\n");
478
gnutls_perror (ret);
717
do{
718
ret = gnutls_handshake(session);
719
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
720
if(ret < 0){
721
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
722
gnutls_perror(ret);
479
723
retval = -1;
480
goto exit;
724
goto mandos_end;
481
725
}
482
726
break;
483
727
default:
484
728
fprintf(stderr, "Unknown error while reading data from"
485
" encrypted session with mandos server\n");
729
" encrypted session with Mandos server\n");
486
730
retval = -1;
487
gnutls_bye (session, GNUTLS_SHUT_RDWR);
488
goto exit;
731
gnutls_bye(session, GNUTLS_SHUT_RDWR);
732
goto mandos_end;
489
733
}
490
734
} else {
491
buffer_length += (size_t) ret;
735
buffer_length += (size_t) sret;
492
736
}
493
737
}
494
738
495
if (buffer_length > 0){
739
if(debug){
740
fprintf(stderr, "Closing TLS session\n");
741
}
742
743
gnutls_bye(session, GNUTLS_SHUT_RDWR);
744
745
if(buffer_length > 0){
496
746
decrypted_buffer_size = pgp_packet_decrypt(buffer,
497
747
buffer_length,
498
&decrypted_buffer,
499
keydir);
500
if (decrypted_buffer_size >= 0){
748
&decrypted_buffer);
749
if(decrypted_buffer_size >= 0){
750
written = 0;
501
751
while(written < (size_t) decrypted_buffer_size){
502
ret = (int)fwrite (decrypted_buffer + written, 1,
503
(size_t)decrypted_buffer_size - written,
504
stdout);
752
ret = (int)fwrite(decrypted_buffer + written, 1,
753
(size_t)decrypted_buffer_size - written,
754
stdout);
505
755
if(ret == 0 and ferror(stdout)){
506
756
if(debug){
507
757
fprintf(stderr, "Error writing encrypted data: %s\n",
516
766
} else {
517
767
retval = -1;
518
768
}
519
}
520
521
//shutdown procedure
522
523
if(debug){
524
fprintf(stderr, "Closing TLS session\n");
525
}
526
769
} else {
770
retval = -1;
771
}
772
773
/* Shutdown procedure */
774
775
mandos_end:
527
776
free(buffer);
528
gnutls_bye (session, GNUTLS_SHUT_RDWR);
529
exit:
530
close(tcp_sd);
531
gnutls_deinit (session);
532
gnutls_certificate_free_credentials (mc->cred);
533
gnutls_global_deinit ();
777
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
778
if(ret == -1){
779
perror("close");
780
}
781
gnutls_deinit(session);
534
782
return retval;
535
783
}
536
784
537
static void resolve_callback( AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
void* userdata) {
550
mandos_context *mc = userdata;
551
assert(r); /* Spurious warning */
785
static void resolve_callback(AvahiSServiceResolver *r,
786
AvahiIfIndex interface,
787
AvahiProtocol proto,
788
AvahiResolverEvent event,
789
const char *name,
790
const char *type,
791
const char *domain,
792
const char *host_name,
793
const AvahiAddress *address,
794
uint16_t port,
795
AVAHI_GCC_UNUSED AvahiStringList *txt,
796
AVAHI_GCC_UNUSED AvahiLookupResultFlags
797
flags,
798
AVAHI_GCC_UNUSED void* userdata){
799
assert(r);
552
800
553
801
/* Called whenever a service has been resolved successfully or
554
802
timed out */
555
803
556
switch (event) {
804
switch(event){
557
805
default:
558
806
case AVAHI_RESOLVER_FAILURE:
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(mc->server)));
807
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
808
" of type '%s' in domain '%s': %s\n", name, type, domain,
809
avahi_strerror(avahi_server_errno(mc.server)));
562
810
break;
563
811
564
812
case AVAHI_RESOLVER_FOUND:
566
814
char ip[AVAHI_ADDRESS_STR_MAX];
567
815
avahi_address_snprint(ip, sizeof(ip), address);
568
816
if(debug){
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
817
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
818
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
819
ip, (intmax_t)interface, port);
571
820
}
572
int ret = start_mandos_communication(ip, port, interface, mc);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
821
int ret = start_mandos_communication(ip, port, interface,
822
avahi_proto_to_af(proto));
823
if(ret == 0){
824
avahi_simple_poll_quit(mc.simple_poll);
575
825
}
576
826
}
577
827
}
578
828
avahi_s_service_resolver_free(r);
579
829
}
580
830
581
static void browse_callback( AvahiSServiceBrowser *b,
582
AvahiIfIndex interface,
583
AvahiProtocol protocol,
584
AvahiBrowserEvent event,
585
const char *name,
586
const char *type,
587
const char *domain,
588
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
589
void* userdata) {
590
mandos_context *mc = userdata;
591
assert(b); /* Spurious warning */
831
static void browse_callback(AvahiSServiceBrowser *b,
832
AvahiIfIndex interface,
833
AvahiProtocol protocol,
834
AvahiBrowserEvent event,
835
const char *name,
836
const char *type,
837
const char *domain,
838
AVAHI_GCC_UNUSED AvahiLookupResultFlags
839
flags,
840
AVAHI_GCC_UNUSED void* userdata){
841
assert(b);
592
842
593
843
/* Called whenever a new services becomes available on the LAN or
594
844
is removed from the LAN */
595
845
596
switch (event) {
846
switch(event){
597
847
default:
598
848
case AVAHI_BROWSER_FAILURE:
599
849
600
fprintf(stderr, "(Browser) %s\n",
601
avahi_strerror(avahi_server_errno(mc->server)));
602
avahi_simple_poll_quit(mc->simple_poll);
850
fprintf(stderr, "(Avahi browser) %s\n",
851
avahi_strerror(avahi_server_errno(mc.server)));
852
avahi_simple_poll_quit(mc.simple_poll);
603
853
return;
604
854
605
855
case AVAHI_BROWSER_NEW:
606
/* We ignore the returned resolver object. In the callback
607
function we free it. If the server is terminated before
608
the callback function is called the server will free
609
the resolver for us. */
856
/* We ignore the returned Avahi resolver object. In the callback
857
function we free it. If the Avahi server is terminated before
858
the callback function is called the Avahi server will free the
859
resolver for us. */
610
860
611
if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,
612
type, domain,
613
AVAHI_PROTO_INET6, 0,
614
resolve_callback, mc)))
615
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
616
avahi_strerror(avahi_server_errno(mc->server)));
861
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
862
name, type, domain, protocol, 0,
863
resolve_callback, NULL) == NULL)
864
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
865
name, avahi_strerror(avahi_server_errno(mc.server)));
617
866
break;
618
867
619
868
case AVAHI_BROWSER_REMOVE:
621
870
622
871
case AVAHI_BROWSER_ALL_FOR_NOW:
623
872
case AVAHI_BROWSER_CACHE_EXHAUSTED:
873
if(debug){
874
fprintf(stderr, "No Mandos server found, still searching...\n");
875
}
624
876
break;
625
877
}
626
878
}
627
879
628
/* Combines file name and path and returns the malloced new
629
string. some sane checks could/should be added */
630
static const char *combinepath(const char *first, const char *second){
631
size_t f_len = strlen(first);
632
size_t s_len = strlen(second);
633
char *tmp = malloc(f_len + s_len + 2);
634
if (tmp == NULL){
635
return NULL;
636
}
637
if(f_len > 0){
638
memcpy(tmp, first, f_len); /* Spurious warning */
639
}
640
tmp[f_len] = '/';
641
if(s_len > 0){
642
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
643
}
644
tmp[f_len + 1 + s_len] = '\0';
645
return tmp;
880
sig_atomic_t quit_now = 0;
881
882
/* stop main loop after sigterm has been called */
883
static void handle_sigterm(__attribute__((unused)) int sig){
884
if(quit_now){
885
return;
886
}
887
quit_now = 1;
888
int old_errno = errno;
889
if(mc.simple_poll != NULL){
890
avahi_simple_poll_quit(mc.simple_poll);
891
}
892
errno = old_errno;
646
893
}
647
894
648
649
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
650
AvahiServerConfig config;
651
AvahiSServiceBrowser *sb = NULL;
652
int error;
653
int ret;
654
int debug_int;
655
int returncode = EXIT_SUCCESS;
656
const char *interface = "eth0";
657
struct ifreq network;
658
int sd;
659
char *connect_to = NULL;
660
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
661
mandos_context mc = { .simple_poll = NULL, .server = NULL,
662
.dh_bits = 1024, .priority = "SECURE256"};
895
int main(int argc, char *argv[]){
896
AvahiSServiceBrowser *sb = NULL;
897
int error;
898
int ret;
899
intmax_t tmpmax;
900
char *tmp;
901
int exitcode = EXIT_SUCCESS;
902
const char *interface = "eth0";
903
struct ifreq network;
904
int sd;
905
uid_t uid;
906
gid_t gid;
907
char *connect_to = NULL;
908
char tempdir[] = "/tmp/mandosXXXXXX";
909
bool tempdir_created = false;
910
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
911
const char *seckey = PATHDIR "/" SECKEY;
912
const char *pubkey = PATHDIR "/" PUBKEY;
913
914
bool gnutls_initialized = false;
915
bool gpgme_initialized = false;
916
float delay = 2.5f;
917
918
struct sigaction old_sigterm_action;
919
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
920
921
{
922
struct argp_option options[] = {
923
{ .name = "debug", .key = 128,
924
.doc = "Debug mode", .group = 3 },
925
{ .name = "connect", .key = 'c',
926
.arg = "ADDRESS:PORT",
927
.doc = "Connect directly to a specific Mandos server",
928
.group = 1 },
929
{ .name = "interface", .key = 'i',
930
.arg = "NAME",
931
.doc = "Network interface that will be used to search for"
932
" Mandos servers",
933
.group = 1 },
934
{ .name = "seckey", .key = 's',
935
.arg = "FILE",
936
.doc = "OpenPGP secret key file base name",
937
.group = 1 },
938
{ .name = "pubkey", .key = 'p',
939
.arg = "FILE",
940
.doc = "OpenPGP public key file base name",
941
.group = 2 },
942
{ .name = "dh-bits", .key = 129,
943
.arg = "BITS",
944
.doc = "Bit length of the prime number used in the"
945
" Diffie-Hellman key exchange",
946
.group = 2 },
947
{ .name = "priority", .key = 130,
948
.arg = "STRING",
949
.doc = "GnuTLS priority string for the TLS handshake",
950
.group = 1 },
951
{ .name = "delay", .key = 131,
952
.arg = "SECONDS",
953
.doc = "Maximum delay to wait for interface startup",
954
.group = 2 },
955
{ .name = NULL }
956
};
663
957
664
debug_int = debug ? 1 : 0;
665
while (true){
666
struct option long_options[] = {
667
{"debug", no_argument, &debug_int, 1},
668
{"connect", required_argument, NULL, 'c'},
669
{"interface", required_argument, NULL, 'i'},
670
{"keydir", required_argument, NULL, 'd'},
671
{"seckey", required_argument, NULL, 's'},
672
{"pubkey", required_argument, NULL, 'p'},
673
{"dh-bits", required_argument, NULL, 'D'},
674
{"priority", required_argument, NULL, 'P'},
675
{0, 0, 0, 0} };
676
677
int option_index = 0;
678
ret = getopt_long (argc, argv, "i:", long_options,
679
&option_index);
680
681
if (ret == -1){
682
break;
683
}
684
685
switch(ret){
686
case 0:
687
break;
688
case 'i':
689
interface = optarg;
690
break;
691
case 'c':
692
connect_to = optarg;
693
break;
694
case 'd':
695
keydir = optarg;
696
break;
697
case 'p':
698
pubkeyfile = optarg;
699
break;
700
case 's':
701
seckeyfile = optarg;
702
break;
703
case 'D':
704
errno = 0;
705
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
706
if (errno){
707
perror("strtol");
708
exit(EXIT_FAILURE);
709
}
710
break;
711
case 'P':
712
mc.priority = optarg;
713
break;
714
case '?':
958
error_t parse_opt(int key, char *arg,
959
struct argp_state *state){
960
switch(key){
961
case 128: /* --debug */
962
debug = true;
963
break;
964
case 'c': /* --connect */
965
connect_to = arg;
966
break;
967
case 'i': /* --interface */
968
interface = arg;
969
break;
970
case 's': /* --seckey */
971
seckey = arg;
972
break;
973
case 'p': /* --pubkey */
974
pubkey = arg;
975
break;
976
case 129: /* --dh-bits */
977
errno = 0;
978
tmpmax = strtoimax(arg, &tmp, 10);
979
if(errno != 0 or tmp == arg or *tmp != '\0'
980
or tmpmax != (typeof(mc.dh_bits))tmpmax){
981
fprintf(stderr, "Bad number of DH bits\n");
982
exit(EXIT_FAILURE);
983
}
984
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
985
break;
986
case 130: /* --priority */
987
mc.priority = arg;
988
break;
989
case 131: /* --delay */
990
errno = 0;
991
delay = strtof(arg, &tmp);
992
if(errno != 0 or tmp == arg or *tmp != '\0'){
993
fprintf(stderr, "Bad delay\n");
994
exit(EXIT_FAILURE);
995
}
996
break;
997
case ARGP_KEY_ARG:
998
argp_usage(state);
999
case ARGP_KEY_END:
1000
break;
715
1001
default:
716
exit(EXIT_FAILURE);
717
}
718
}
719
debug = debug_int ? true : false;
720
721
pubkeyfile = combinepath(keydir, pubkeyfile);
722
if (pubkeyfile == NULL){
723
perror("combinepath");
724
returncode = EXIT_FAILURE;
725
goto exit;
726
}
727
728
seckeyfile = combinepath(keydir, seckeyfile);
729
if (seckeyfile == NULL){
730
perror("combinepath");
731
goto exit;
732
}
733
734
if_index = (AvahiIfIndex) if_nametoindex(interface);
735
if(if_index == 0){
736
fprintf(stderr, "No such interface: \"%s\"\n", interface);
737
exit(EXIT_FAILURE);
738
}
739
740
if(connect_to != NULL){
741
/* Connect directly, do not use Zeroconf */
742
/* (Mainly meant for debugging) */
743
char *address = strrchr(connect_to, ':');
744
if(address == NULL){
745
fprintf(stderr, "No colon in address\n");
746
exit(EXIT_FAILURE);
747
}
748
errno = 0;
749
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
750
if(errno){
751
perror("Bad port number");
752
exit(EXIT_FAILURE);
753
}
754
*address = '\0';
755
address = connect_to;
756
ret = start_mandos_communication(address, port, if_index, &mc);
757
if(ret < 0){
758
exit(EXIT_FAILURE);
759
} else {
760
exit(EXIT_SUCCESS);
761
}
762
}
1002
return ARGP_ERR_UNKNOWN;
1003
}
1004
return 0;
1005
}
1006
1007
struct argp argp = { .options = options, .parser = parse_opt,
1008
.args_doc = "",
1009
.doc = "Mandos client -- Get and decrypt"
1010
" passwords from a Mandos server" };
1011
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1012
if(ret == ARGP_ERR_UNKNOWN){
1013
fprintf(stderr, "Unknown error while parsing arguments\n");
1014
exitcode = EXIT_FAILURE;
1015
goto end;
1016
}
1017
}
1018
1019
if(not debug){
1020
avahi_set_log_function(empty_log);
1021
}
1022
1023
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1024
from the signal handler */
1025
/* Initialize the pseudo-RNG for Avahi */
1026
srand((unsigned int) time(NULL));
1027
mc.simple_poll = avahi_simple_poll_new();
1028
if(mc.simple_poll == NULL){
1029
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1030
exitcode = EXIT_FAILURE;
1031
goto end;
1032
}
1033
1034
sigemptyset(&sigterm_action.sa_mask);
1035
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1036
if(ret == -1){
1037
perror("sigaddset");
1038
exitcode = EXIT_FAILURE;
1039
goto end;
1040
}
1041
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1042
if(ret == -1){
1043
perror("sigaddset");
1044
exitcode = EXIT_FAILURE;
1045
goto end;
1046
}
1047
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1048
if(ret == -1){
1049
perror("sigaddset");
1050
exitcode = EXIT_FAILURE;
1051
goto end;
1052
}
1053
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1054
if(ret == -1){
1055
perror("sigaction");
1056
exitcode = EXIT_FAILURE;
1057
goto end;
1058
}
1059
1060
/* If the interface is down, bring it up */
1061
if(interface[0] != '\0'){
1062
#ifdef __linux__
1063
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1064
messages to mess up the prompt */
1065
ret = klogctl(8, NULL, 5);
1066
bool restore_loglevel = true;
1067
if(ret == -1){
1068
restore_loglevel = false;
1069
perror("klogctl");
1070
}
1071
#endif /* __linux__ */
763
1072
764
1073
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
765
if(sd < 0) {
1074
if(sd < 0){
766
1075
perror("socket");
767
returncode = EXIT_FAILURE;
768
goto exit;
1076
exitcode = EXIT_FAILURE;
1077
#ifdef __linux__
1078
if(restore_loglevel){
1079
ret = klogctl(7, NULL, 0);
1080
if(ret == -1){
1081
perror("klogctl");
1082
}
1083
}
1084
#endif /* __linux__ */
1085
goto end;
769
1086
}
770
strcpy(network.ifr_name, interface); /* Spurious warning */
1087
strcpy(network.ifr_name, interface);
771
1088
ret = ioctl(sd, SIOCGIFFLAGS, &network);
772
1089
if(ret == -1){
773
774
1090
perror("ioctl SIOCGIFFLAGS");
775
returncode = EXIT_FAILURE;
776
goto exit;
1091
#ifdef __linux__
1092
if(restore_loglevel){
1093
ret = klogctl(7, NULL, 0);
1094
if(ret == -1){
1095
perror("klogctl");
1096
}
1097
}
1098
#endif /* __linux__ */
1099
exitcode = EXIT_FAILURE;
1100
goto end;
777
1101
}
778
1102
if((network.ifr_flags & IFF_UP) == 0){
779
1103
network.ifr_flags |= IFF_UP;
780
1104
ret = ioctl(sd, SIOCSIFFLAGS, &network);
781
1105
if(ret == -1){
782
1106
perror("ioctl SIOCSIFFLAGS");
783
returncode = EXIT_FAILURE;
784
goto exit;
785
}
786
}
787
close(sd);
788
789
if (not debug){
790
avahi_set_log_function(empty_log);
791
}
792
793
/* Initialize the psuedo-RNG */
794
srand((unsigned int) time(NULL));
795
796
/* Allocate main loop object */
797
if (!(mc.simple_poll = avahi_simple_poll_new())) {
798
fprintf(stderr, "Failed to create simple poll object.\n");
799
returncode = EXIT_FAILURE;
800
goto exit;
801
}
802
803
/* Do not publish any local records */
1107
exitcode = EXIT_FAILURE;
1108
#ifdef __linux__
1109
if(restore_loglevel){
1110
ret = klogctl(7, NULL, 0);
1111
if(ret == -1){
1112
perror("klogctl");
1113
}
1114
}
1115
#endif /* __linux__ */
1116
goto end;
1117
}
1118
}
1119
/* sleep checking until interface is running */
1120
for(int i=0; i < delay * 4; i++){
1121
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1122
if(ret == -1){
1123
perror("ioctl SIOCGIFFLAGS");
1124
} else if(network.ifr_flags & IFF_RUNNING){
1125
break;
1126
}
1127
struct timespec sleeptime = { .tv_nsec = 250000000 };
1128
ret = nanosleep(&sleeptime, NULL);
1129
if(ret == -1 and errno != EINTR){
1130
perror("nanosleep");
1131
}
1132
}
1133
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1134
if(ret == -1){
1135
perror("close");
1136
}
1137
#ifdef __linux__
1138
if(restore_loglevel){
1139
/* Restores kernel loglevel to default */
1140
ret = klogctl(7, NULL, 0);
1141
if(ret == -1){
1142
perror("klogctl");
1143
}
1144
}
1145
#endif /* __linux__ */
1146
}
1147
1148
uid = getuid();
1149
gid = getgid();
1150
1151
errno = 0;
1152
setgid(gid);
1153
if(ret == -1){
1154
perror("setgid");
1155
}
1156
1157
ret = setuid(uid);
1158
if(ret == -1){
1159
perror("setuid");
1160
}
1161
1162
ret = init_gnutls_global(pubkey, seckey);
1163
if(ret == -1){
1164
fprintf(stderr, "init_gnutls_global failed\n");
1165
exitcode = EXIT_FAILURE;
1166
goto end;
1167
} else {
1168
gnutls_initialized = true;
1169
}
1170
1171
if(mkdtemp(tempdir) == NULL){
1172
perror("mkdtemp");
1173
goto end;
1174
}
1175
tempdir_created = true;
1176
1177
if(not init_gpgme(pubkey, seckey, tempdir)){
1178
fprintf(stderr, "init_gpgme failed\n");
1179
exitcode = EXIT_FAILURE;
1180
goto end;
1181
} else {
1182
gpgme_initialized = true;
1183
}
1184
1185
if(interface[0] != '\0'){
1186
if_index = (AvahiIfIndex) if_nametoindex(interface);
1187
if(if_index == 0){
1188
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1189
exitcode = EXIT_FAILURE;
1190
goto end;
1191
}
1192
}
1193
1194
if(connect_to != NULL){
1195
/* Connect directly, do not use Zeroconf */
1196
/* (Mainly meant for debugging) */
1197
char *address = strrchr(connect_to, ':');
1198
if(address == NULL){
1199
fprintf(stderr, "No colon in address\n");
1200
exitcode = EXIT_FAILURE;
1201
goto end;
1202
}
1203
uint16_t port;
1204
errno = 0;
1205
tmpmax = strtoimax(address+1, &tmp, 10);
1206
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1207
or tmpmax != (uint16_t)tmpmax){
1208
fprintf(stderr, "Bad port number\n");
1209
exitcode = EXIT_FAILURE;
1210
goto end;
1211
}
1212
port = (uint16_t)tmpmax;
1213
*address = '\0';
1214
address = connect_to;
1215
/* Colon in address indicates IPv6 */
1216
int af;
1217
if(strchr(address, ':') != NULL){
1218
af = AF_INET6;
1219
} else {
1220
af = AF_INET;
1221
}
1222
ret = start_mandos_communication(address, port, if_index, af);
1223
if(ret < 0){
1224
exitcode = EXIT_FAILURE;
1225
} else {
1226
exitcode = EXIT_SUCCESS;
1227
}
1228
goto end;
1229
}
1230
1231
{
1232
AvahiServerConfig config;
1233
/* Do not publish any local Zeroconf records */
804
1234
avahi_server_config_init(&config);
805
1235
config.publish_hinfo = 0;
806
1236
config.publish_addresses = 0;
807
1237
config.publish_workstation = 0;
808
1238
config.publish_domain = 0;
809
1239
810
1240
/* Allocate a new server */
811
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
812
&config, NULL, NULL, &error);
1241
mc.server = avahi_server_new(avahi_simple_poll_get
1242
(mc.simple_poll), &config, NULL,
1243
NULL, &error);
813
1244
814
/* Free the configuration data */
1245
/* Free the Avahi configuration data */
815
1246
avahi_server_config_free(&config);
816
817
/* Check if creating the server object succeeded */
818
if (!mc.server) {
819
fprintf(stderr, "Failed to create server: %s\n",
820
avahi_strerror(error));
821
returncode = EXIT_FAILURE;
822
goto exit;
823
}
824
825
/* Create the service browser */
826
sb = avahi_s_service_browser_new(mc.server, if_index,
827
AVAHI_PROTO_INET6,
828
"_mandos._tcp", NULL, 0,
829
browse_callback, &mc);
830
if (!sb) {
831
fprintf(stderr, "Failed to create service browser: %s\n",
832
avahi_strerror(avahi_server_errno(mc.server)));
833
returncode = EXIT_FAILURE;
834
goto exit;
835
}
836
837
/* Run the main loop */
838
839
if (debug){
840
fprintf(stderr, "Starting avahi loop search\n");
841
}
842
843
avahi_simple_poll_loop(mc.simple_poll);
844
845
exit:
846
847
if (debug){
848
fprintf(stderr, "%s exiting\n", argv[0]);
849
}
850
851
/* Cleanup things */
852
if (sb)
853
avahi_s_service_browser_free(sb);
854
855
if (mc.server)
856
avahi_server_free(mc.server);
857
858
if (mc.simple_poll)
859
avahi_simple_poll_free(mc.simple_poll);
860
free(pubkeyfile);
861
free(seckeyfile);
862
863
return returncode;
1247
}
1248
1249
/* Check if creating the Avahi server object succeeded */
1250
if(mc.server == NULL){
1251
fprintf(stderr, "Failed to create Avahi server: %s\n",
1252
avahi_strerror(error));
1253
exitcode = EXIT_FAILURE;
1254
goto end;
1255
}
1256
1257
/* Create the Avahi service browser */
1258
sb = avahi_s_service_browser_new(mc.server, if_index,
1259
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1260
NULL, 0, browse_callback, NULL);
1261
if(sb == NULL){
1262
fprintf(stderr, "Failed to create service browser: %s\n",
1263
avahi_strerror(avahi_server_errno(mc.server)));
1264
exitcode = EXIT_FAILURE;
1265
goto end;
1266
}
1267
1268
/* Run the main loop */
1269
1270
if(debug){
1271
fprintf(stderr, "Starting Avahi loop search\n");
1272
}
1273
1274
avahi_simple_poll_loop(mc.simple_poll);
1275
1276
end:
1277
1278
if(debug){
1279
fprintf(stderr, "%s exiting\n", argv[0]);
1280
}
1281
1282
/* Cleanup things */
1283
if(sb != NULL)
1284
avahi_s_service_browser_free(sb);
1285
1286
if(mc.server != NULL)
1287
avahi_server_free(mc.server);
1288
1289
if(mc.simple_poll != NULL)
1290
avahi_simple_poll_free(mc.simple_poll);
1291
1292
if(gnutls_initialized){
1293
gnutls_certificate_free_credentials(mc.cred);
1294
gnutls_global_deinit();
1295
gnutls_dh_params_deinit(mc.dh_params);
1296
}
1297
1298
if(gpgme_initialized){
1299
gpgme_release(mc.ctx);
1300
}
1301
1302
/* Removes the temp directory used by GPGME */
1303
if(tempdir_created){
1304
DIR *d;
1305
struct dirent *direntry;
1306
d = opendir(tempdir);
1307
if(d == NULL){
1308
if(errno != ENOENT){
1309
perror("opendir");
1310
}
1311
} else {
1312
while(true){
1313
direntry = readdir(d);
1314
if(direntry == NULL){
1315
break;
1316
}
1317
/* Skip "." and ".." */
1318
if(direntry->d_name[0] == '.'
1319
and (direntry->d_name[1] == '\0'
1320
or (direntry->d_name[1] == '.'
1321
and direntry->d_name[2] == '\0'))){
1322
continue;
1323
}
1324
char *fullname = NULL;
1325
ret = asprintf(&fullname, "%s/%s", tempdir,
1326
direntry->d_name);
1327
if(ret < 0){
1328
perror("asprintf");
1329
continue;
1330
}
1331
ret = remove(fullname);
1332
if(ret == -1){
1333
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1334
strerror(errno));
1335
}
1336
free(fullname);
1337
}
1338
closedir(d);
1339
}
1340
ret = rmdir(tempdir);
1341
if(ret == -1 and errno != ENOENT){
1342
perror("rmdir");
1343
}
1344
}
1345
1346
return exitcode;
864
1347
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0