116
281
/* Create new empty GPGME data buffer for the plaintext */
117
282
rc = gpgme_data_new(&dh_plain);
118
if (rc != GPG_ERR_NO_ERROR){
283
if(rc != GPG_ERR_NO_ERROR){
119
284
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
120
285
gpgme_strsource(rc), gpgme_strerror(rc));
124
/* Create new GPGME "context" */
125
rc = gpgme_new(&ctx);
126
if (rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "bad gpgme_new: %s: %s\n",
128
gpgme_strsource(rc), gpgme_strerror(rc));
132
/* Decrypt data from the FILE pointer to the plaintext data buffer */
133
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
134
if (rc != GPG_ERR_NO_ERROR){
286
gpgme_data_release(dh_crypto);
290
/* Decrypt data from the cryptotext data buffer to the plaintext
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
135
294
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
136
295
gpgme_strsource(rc), gpgme_strerror(rc));
296
plaintext_length = -1;
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
313
while(recipient != NULL){
314
fprintf(stderr, "Public key algorithm: %s\n",
315
gpgme_pubkey_algo_name(recipient->pubkey_algo));
316
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
317
fprintf(stderr, "Secret key available: %s\n",
318
recipient->status == GPG_ERR_NO_SECKEY
320
recipient = recipient->next;
141
fprintf(stderr, "decryption of gpg packet succeeded\n");
145
gpgme_decrypt_result_t result;
146
result = gpgme_op_decrypt_result(ctx);
148
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
150
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
151
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
152
if(result->file_name != NULL){
153
fprintf(stderr, "File name: %s\n", result->file_name);
155
gpgme_recipient_t recipient;
156
recipient = result->recipients;
158
while(recipient != NULL){
159
fprintf(stderr, "Public key algorithm: %s\n",
160
gpgme_pubkey_algo_name(recipient->pubkey_algo));
161
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
162
fprintf(stderr, "Secret key available: %s\n",
163
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
164
recipient = recipient->next;
170
/* Delete the GPGME FILE pointer cryptotext data buffer */
171
gpgme_data_release(dh_crypto);
329
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
173
332
/* Seek back to the beginning of the GPGME plaintext data buffer */
174
gpgme_data_seek(dh_plain, 0, SEEK_SET);
333
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
334
perror("gpgme_data_seek");
335
plaintext_length = -1;
178
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
179
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
180
if (*new_packet == NULL){
184
new_packet_capacity += BUFFER_SIZE;
341
plaintext_capacity = incbuffer(plaintext,
342
(size_t)plaintext_length,
344
if(plaintext_capacity == 0){
346
plaintext_length = -1;
187
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
350
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
188
352
/* Print the data, if any */
190
/* If password is empty, then a incorrect error will be printed */
194
358
perror("gpgme_data_read");
359
plaintext_length = -1;
197
new_packet_length += ret;
362
plaintext_length += ret;
201
fprintf(stderr, "decrypted password is: %s\n", *new_packet);
366
fprintf(stderr, "Decrypted password is: ");
367
for(ssize_t i = 0; i < plaintext_length; i++){
368
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
370
fprintf(stderr, "\n");
204
/* Delete the GPGME plaintext data buffer */
375
/* Delete the GPGME cryptotext data buffer */
376
gpgme_data_release(dh_crypto);
378
/* Delete the GPGME plaintext data buffer */
205
379
gpgme_data_release(dh_plain);
206
return new_packet_length;
380
return plaintext_length;
209
static const char * safer_gnutls_strerror (int value) {
210
const char *ret = gnutls_strerror (value);
383
static const char * safer_gnutls_strerror(int value){
384
const char *ret = gnutls_strerror(value); /* Spurious warning from
385
-Wunreachable-code */
212
387
ret = "(unknown)";
216
void debuggnutls(int level, const char* string){
217
fprintf(stderr, "%s", string);
391
/* GnuTLS log function callback */
392
static void debuggnutls(__attribute__((unused)) int level,
394
fprintf(stderr, "GnuTLS: %s", string);
220
int initgnutls(encrypted_session *es){
397
static int init_gnutls_global(const char *pubkeyfilename,
398
const char *seckeyfilename){
225
fprintf(stderr, "Initializing gnutls\n");
402
fprintf(stderr, "Initializing GnuTLS\n");
229
if ((ret = gnutls_global_init ())
230
!= GNUTLS_E_SUCCESS) {
231
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
405
ret = gnutls_global_init();
406
if(ret != GNUTLS_E_SUCCESS){
407
fprintf(stderr, "GnuTLS global_init: %s\n",
408
safer_gnutls_strerror(ret));
413
/* "Use a log level over 10 to enable all debugging options."
236
416
gnutls_global_set_log_level(11);
237
417
gnutls_global_set_log_function(debuggnutls);
241
/* openpgp credentials */
242
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
243
!= GNUTLS_E_SUCCESS) {
244
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
420
/* OpenPGP credentials */
421
gnutls_certificate_allocate_credentials(&mc.cred);
422
if(ret != GNUTLS_E_SUCCESS){
423
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
427
safer_gnutls_strerror(ret));
428
gnutls_global_deinit();
249
fprintf(stderr, "Attempting to use openpgp certificate %s"
250
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
433
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
434
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
253
438
ret = gnutls_certificate_set_openpgp_key_file
254
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
255
if (ret != GNUTLS_E_SUCCESS) {
257
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
258
ret, CERTFILE, KEYFILE);
259
fprintf(stdout, "The Error is: %s\n",
260
safer_gnutls_strerror(ret));
264
//Gnutls server initialization
265
if ((ret = gnutls_dh_params_init (&es->dh_params))
266
!= GNUTLS_E_SUCCESS) {
267
fprintf (stderr, "Error in dh parameter initialization: %s\n",
268
safer_gnutls_strerror(ret));
272
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in prime generation: %s\n",
275
safer_gnutls_strerror(ret));
279
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
281
// Gnutls session creation
282
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
283
!= GNUTLS_E_SUCCESS){
284
fprintf(stderr, "Error in gnutls session initialization: %s\n",
285
safer_gnutls_strerror(ret));
288
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
289
!= GNUTLS_E_SUCCESS) {
290
fprintf(stderr, "Syntax error at: %s\n", err);
291
fprintf(stderr, "Gnutls error: %s\n",
292
safer_gnutls_strerror(ret));
296
if ((ret = gnutls_credentials_set
297
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf(stderr, "Error setting a credentials set: %s\n",
300
safer_gnutls_strerror(ret));
439
(mc.cred, pubkeyfilename, seckeyfilename,
440
GNUTLS_OPENPGP_FMT_BASE64);
441
if(ret != GNUTLS_E_SUCCESS){
443
"Error[%d] while reading the OpenPGP key pair ('%s',"
444
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
445
fprintf(stderr, "The GnuTLS error is: %s\n",
446
safer_gnutls_strerror(ret));
450
/* GnuTLS server initialization */
451
ret = gnutls_dh_params_init(&mc.dh_params);
452
if(ret != GNUTLS_E_SUCCESS){
453
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
454
" %s\n", safer_gnutls_strerror(ret));
457
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
458
if(ret != GNUTLS_E_SUCCESS){
459
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
460
safer_gnutls_strerror(ret));
464
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
470
gnutls_certificate_free_credentials(mc.cred);
471
gnutls_global_deinit();
472
gnutls_dh_params_deinit(mc.dh_params);
476
static int init_gnutls_session(gnutls_session_t *session){
478
/* GnuTLS session creation */
479
ret = gnutls_init(session, GNUTLS_SERVER);
480
if(ret != GNUTLS_E_SUCCESS){
481
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
482
safer_gnutls_strerror(ret));
487
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
488
if(ret != GNUTLS_E_SUCCESS){
489
fprintf(stderr, "Syntax error at: %s\n", err);
490
fprintf(stderr, "GnuTLS error: %s\n",
491
safer_gnutls_strerror(ret));
492
gnutls_deinit(*session);
497
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
499
if(ret != GNUTLS_E_SUCCESS){
500
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
501
safer_gnutls_strerror(ret));
502
gnutls_deinit(*session);
304
506
/* ignore client certificate if any. */
305
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
507
gnutls_certificate_server_set_request(*session,
307
gnutls_dh_set_prime_bits (es->session, DH_BITS);
510
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
312
void empty_log(AvahiLogLevel level, const char *txt){}
515
/* Avahi log function callback */
516
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
517
__attribute__((unused)) const char *txt){}
314
int start_mandos_communication(char *ip, uint16_t port){
519
/* Called when a Mandos server is found */
520
static int start_mandos_communication(const char *ip, uint16_t port,
521
AvahiIfIndex if_index,
316
struct sockaddr_in6 to;
317
encrypted_session es;
526
struct sockaddr_in in;
527
struct sockaddr_in6 in6;
318
529
char *buffer = NULL;
319
530
char *decrypted_buffer;
320
531
size_t buffer_length = 0;
321
532
size_t buffer_capacity = 0;
322
533
ssize_t decrypted_buffer_size;
324
const char interface[] = "eth0";
536
gnutls_session_t session;
537
int pf; /* Protocol family */
547
fprintf(stderr, "Bad address family: %d\n", af);
551
ret = init_gnutls_session(&session);
327
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
557
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
330
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
561
tcp_sd = socket(pf, SOCK_STREAM, 0);
332
563
perror("socket");
337
fprintf(stderr, "Binding to interface %s\n", interface);
340
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
342
perror("setsockopt bindtodevice");
346
memset(&to,0,sizeof(to));
347
to.sin6_family = AF_INET6;
348
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
567
memset(&to, 0, sizeof(to));
569
to.in6.sin6_family = (sa_family_t)af;
570
ret = inet_pton(af, ip, &to.in6.sin6_addr);
572
to.in.sin_family = (sa_family_t)af;
573
ret = inet_pton(af, ip, &to.in.sin_addr);
350
576
perror("inet_pton");
354
580
fprintf(stderr, "Bad address: %s\n", ip);
357
to.sin6_port = htons(port);
358
to.sin6_scope_id = if_nametoindex(interface);
584
to.in6.sin6_port = htons(port); /* Spurious warnings from
586
-Wunreachable-code */
588
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
589
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
591
if(if_index == AVAHI_IF_UNSPEC){
592
fprintf(stderr, "An IPv6 link-local address is incomplete"
593
" without a network interface\n");
596
/* Set the network interface number as scope */
597
to.in6.sin6_scope_id = (uint32_t)if_index;
600
to.in.sin_port = htons(port); /* Spurious warnings from
602
-Wunreachable-code */
361
fprintf(stderr, "Connection to: %s\n", ip);
606
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
607
char interface[IF_NAMESIZE];
608
if(if_indextoname((unsigned int)if_index, interface) == NULL){
609
perror("if_indextoname");
611
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
612
ip, interface, port);
615
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
618
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
619
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
622
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
625
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
631
if(strcmp(addrstr, ip) != 0){
632
fprintf(stderr, "Canonical address form: %s\n", addrstr);
364
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
638
ret = connect(tcp_sd, &to.in6, sizeof(to));
640
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
366
643
perror("connect");
370
ret = initgnutls (&es);
377
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
380
fprintf(stderr, "Establishing tls session with %s\n", ip);
384
ret = gnutls_handshake (es.session);
386
if (ret != GNUTLS_E_SUCCESS){
387
fprintf(stderr, "\n*** Handshake failed ***\n");
393
//Retrieve gpg packet that contains the wanted password
396
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
647
const char *out = mandos_protocol_version;
400
if (buffer_length + BUFFER_SIZE > buffer_capacity){
401
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
650
size_t out_size = strlen(out);
651
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
652
out_size - written));
658
written += (size_t)ret;
659
if(written < out_size){
662
if(out == mandos_protocol_version){
406
buffer_capacity += BUFFER_SIZE;
672
fprintf(stderr, "Establishing TLS session with %s\n", ip);
675
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
678
ret = gnutls_handshake(session);
679
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
681
if(ret != GNUTLS_E_SUCCESS){
683
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
690
/* Read OpenPGP packet that contains the wanted password */
693
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
698
buffer_capacity = incbuffer(&buffer, buffer_length,
700
if(buffer_capacity == 0){
409
ret = gnutls_record_recv
410
(es.session, buffer+buffer_length, BUFFER_SIZE);
706
sret = gnutls_record_recv(session, buffer+buffer_length,
416
713
case GNUTLS_E_INTERRUPTED:
417
714
case GNUTLS_E_AGAIN:
419
716
case GNUTLS_E_REHANDSHAKE:
420
ret = gnutls_handshake (es.session);
422
fprintf(stderr, "\n*** Handshake failed ***\n");
718
ret = gnutls_handshake(session);
719
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
721
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
429
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
728
fprintf(stderr, "Unknown error while reading data from"
729
" encrypted session with Mandos server\n");
431
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
731
gnutls_bye(session, GNUTLS_SHUT_RDWR);
435
buffer_length += ret;
735
buffer_length += (size_t) sret;
439
if (buffer_length > 0){
440
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
441
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
740
fprintf(stderr, "Closing TLS session\n");
743
gnutls_bye(session, GNUTLS_SHUT_RDWR);
745
if(buffer_length > 0){
746
decrypted_buffer_size = pgp_packet_decrypt(buffer,
749
if(decrypted_buffer_size >= 0){
751
while(written < (size_t) decrypted_buffer_size){
752
ret = (int)fwrite(decrypted_buffer + written, 1,
753
(size_t)decrypted_buffer_size - written,
755
if(ret == 0 and ferror(stdout)){
757
fprintf(stderr, "Error writing encrypted data: %s\n",
763
written += (size_t)ret;
442
765
free(decrypted_buffer);
451
fprintf(stderr, "Closing tls session\n");
773
/* Shutdown procedure */
455
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
458
gnutls_deinit (es.session);
459
gnutls_certificate_free_credentials (es.cred);
460
gnutls_global_deinit ();
777
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
781
gnutls_deinit(session);
464
static AvahiSimplePoll *simple_poll = NULL;
465
static AvahiServer *server = NULL;
467
static void resolve_callback(
468
AvahiSServiceResolver *r,
469
AVAHI_GCC_UNUSED AvahiIfIndex interface,
470
AVAHI_GCC_UNUSED AvahiProtocol protocol,
471
AvahiResolverEvent event,
475
const char *host_name,
476
const AvahiAddress *address,
478
AvahiStringList *txt,
479
AvahiLookupResultFlags flags,
480
AVAHI_GCC_UNUSED void* userdata) {
484
/* Called whenever a service has been resolved successfully or timed out */
487
case AVAHI_RESOLVER_FAILURE:
488
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
491
case AVAHI_RESOLVER_FOUND: {
492
char ip[AVAHI_ADDRESS_STR_MAX];
493
avahi_address_snprint(ip, sizeof(ip), address);
495
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
497
int ret = start_mandos_communication(ip, port);
505
avahi_s_service_resolver_free(r);
508
static void browse_callback(
509
AvahiSServiceBrowser *b,
510
AvahiIfIndex interface,
511
AvahiProtocol protocol,
512
AvahiBrowserEvent event,
516
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
519
AvahiServer *s = userdata;
522
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
526
case AVAHI_BROWSER_FAILURE:
528
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
529
avahi_simple_poll_quit(simple_poll);
532
case AVAHI_BROWSER_NEW:
533
/* We ignore the returned resolver object. In the callback
534
function we free it. If the server is terminated before
535
the callback function is called the server will free
536
the resolver for us. */
538
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
539
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
543
case AVAHI_BROWSER_REMOVE:
546
case AVAHI_BROWSER_ALL_FOR_NOW:
547
case AVAHI_BROWSER_CACHE_EXHAUSTED:
552
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
785
static void resolve_callback(AvahiSServiceResolver *r,
786
AvahiIfIndex interface,
788
AvahiResolverEvent event,
792
const char *host_name,
793
const AvahiAddress *address,
795
AVAHI_GCC_UNUSED AvahiStringList *txt,
796
AVAHI_GCC_UNUSED AvahiLookupResultFlags
798
AVAHI_GCC_UNUSED void* userdata){
801
/* Called whenever a service has been resolved successfully or
806
case AVAHI_RESOLVER_FAILURE:
807
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
808
" of type '%s' in domain '%s': %s\n", name, type, domain,
809
avahi_strerror(avahi_server_errno(mc.server)));
812
case AVAHI_RESOLVER_FOUND:
814
char ip[AVAHI_ADDRESS_STR_MAX];
815
avahi_address_snprint(ip, sizeof(ip), address);
817
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
818
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
819
ip, (intmax_t)interface, port);
821
int ret = start_mandos_communication(ip, port, interface,
822
avahi_proto_to_af(proto));
824
avahi_simple_poll_quit(mc.simple_poll);
828
avahi_s_service_resolver_free(r);
831
static void browse_callback(AvahiSServiceBrowser *b,
832
AvahiIfIndex interface,
833
AvahiProtocol protocol,
834
AvahiBrowserEvent event,
838
AVAHI_GCC_UNUSED AvahiLookupResultFlags
840
AVAHI_GCC_UNUSED void* userdata){
843
/* Called whenever a new services becomes available on the LAN or
844
is removed from the LAN */
848
case AVAHI_BROWSER_FAILURE:
850
fprintf(stderr, "(Avahi browser) %s\n",
851
avahi_strerror(avahi_server_errno(mc.server)));
852
avahi_simple_poll_quit(mc.simple_poll);
855
case AVAHI_BROWSER_NEW:
856
/* We ignore the returned Avahi resolver object. In the callback
857
function we free it. If the Avahi server is terminated before
858
the callback function is called the Avahi server will free the
861
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
862
name, type, domain, protocol, 0,
863
resolve_callback, NULL) == NULL)
864
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
865
name, avahi_strerror(avahi_server_errno(mc.server)));
868
case AVAHI_BROWSER_REMOVE:
871
case AVAHI_BROWSER_ALL_FOR_NOW:
872
case AVAHI_BROWSER_CACHE_EXHAUSTED:
874
fprintf(stderr, "No Mandos server found, still searching...\n");
880
sig_atomic_t quit_now = 0;
882
/* stop main loop after sigterm has been called */
883
static void handle_sigterm(__attribute__((unused)) int sig){
888
int old_errno = errno;
889
if(mc.simple_poll != NULL){
890
avahi_simple_poll_quit(mc.simple_poll);
895
int main(int argc, char *argv[]){
896
AvahiSServiceBrowser *sb = NULL;
901
int exitcode = EXIT_SUCCESS;
902
const char *interface = "eth0";
903
struct ifreq network;
907
char *connect_to = NULL;
908
char tempdir[] = "/tmp/mandosXXXXXX";
909
bool tempdir_created = false;
910
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
911
const char *seckey = PATHDIR "/" SECKEY;
912
const char *pubkey = PATHDIR "/" PUBKEY;
914
bool gnutls_initialized = false;
915
bool gpgme_initialized = false;
918
struct sigaction old_sigterm_action;
919
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
922
struct argp_option options[] = {
923
{ .name = "debug", .key = 128,
924
.doc = "Debug mode", .group = 3 },
925
{ .name = "connect", .key = 'c',
926
.arg = "ADDRESS:PORT",
927
.doc = "Connect directly to a specific Mandos server",
929
{ .name = "interface", .key = 'i',
931
.doc = "Network interface that will be used to search for"
934
{ .name = "seckey", .key = 's',
936
.doc = "OpenPGP secret key file base name",
938
{ .name = "pubkey", .key = 'p',
940
.doc = "OpenPGP public key file base name",
942
{ .name = "dh-bits", .key = 129,
944
.doc = "Bit length of the prime number used in the"
945
" Diffie-Hellman key exchange",
947
{ .name = "priority", .key = 130,
949
.doc = "GnuTLS priority string for the TLS handshake",
951
{ .name = "delay", .key = 131,
953
.doc = "Maximum delay to wait for interface startup",
958
error_t parse_opt(int key, char *arg,
959
struct argp_state *state){
961
case 128: /* --debug */
964
case 'c': /* --connect */
967
case 'i': /* --interface */
970
case 's': /* --seckey */
973
case 'p': /* --pubkey */
976
case 129: /* --dh-bits */
978
tmpmax = strtoimax(arg, &tmp, 10);
979
if(errno != 0 or tmp == arg or *tmp != '\0'
980
or tmpmax != (typeof(mc.dh_bits))tmpmax){
981
fprintf(stderr, "Bad number of DH bits\n");
984
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
986
case 130: /* --priority */
989
case 131: /* --delay */
991
delay = strtof(arg, &tmp);
992
if(errno != 0 or tmp == arg or *tmp != '\0'){
993
fprintf(stderr, "Bad delay\n");
1002
return ARGP_ERR_UNKNOWN;
1007
struct argp argp = { .options = options, .parser = parse_opt,
1009
.doc = "Mandos client -- Get and decrypt"
1010
" passwords from a Mandos server" };
1011
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1012
if(ret == ARGP_ERR_UNKNOWN){
1013
fprintf(stderr, "Unknown error while parsing arguments\n");
1014
exitcode = EXIT_FAILURE;
1020
avahi_set_log_function(empty_log);
1023
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1024
from the signal handler */
1025
/* Initialize the pseudo-RNG for Avahi */
1026
srand((unsigned int) time(NULL));
1027
mc.simple_poll = avahi_simple_poll_new();
1028
if(mc.simple_poll == NULL){
1029
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1030
exitcode = EXIT_FAILURE;
1034
sigemptyset(&sigterm_action.sa_mask);
1035
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1037
perror("sigaddset");
1038
exitcode = EXIT_FAILURE;
1041
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1043
perror("sigaddset");
1044
exitcode = EXIT_FAILURE;
1047
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1049
perror("sigaddset");
1050
exitcode = EXIT_FAILURE;
1053
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1055
perror("sigaction");
1056
exitcode = EXIT_FAILURE;
1060
/* If the interface is down, bring it up */
1061
if(interface[0] != '\0'){
1063
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1064
messages to mess up the prompt */
1065
ret = klogctl(8, NULL, 5);
1066
bool restore_loglevel = true;
1068
restore_loglevel = false;
1071
#endif /* __linux__ */
1073
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1076
exitcode = EXIT_FAILURE;
1078
if(restore_loglevel){
1079
ret = klogctl(7, NULL, 0);
1084
#endif /* __linux__ */
1087
strcpy(network.ifr_name, interface);
1088
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1090
perror("ioctl SIOCGIFFLAGS");
1092
if(restore_loglevel){
1093
ret = klogctl(7, NULL, 0);
1098
#endif /* __linux__ */
1099
exitcode = EXIT_FAILURE;
1102
if((network.ifr_flags & IFF_UP) == 0){
1103
network.ifr_flags |= IFF_UP;
1104
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1106
perror("ioctl SIOCSIFFLAGS");
1107
exitcode = EXIT_FAILURE;
1109
if(restore_loglevel){
1110
ret = klogctl(7, NULL, 0);
1115
#endif /* __linux__ */
1119
/* sleep checking until interface is running */
1120
for(int i=0; i < delay * 4; i++){
1121
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1123
perror("ioctl SIOCGIFFLAGS");
1124
} else if(network.ifr_flags & IFF_RUNNING){
1127
struct timespec sleeptime = { .tv_nsec = 250000000 };
1128
ret = nanosleep(&sleeptime, NULL);
1129
if(ret == -1 and errno != EINTR){
1130
perror("nanosleep");
1133
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1138
if(restore_loglevel){
1139
/* Restores kernel loglevel to default */
1140
ret = klogctl(7, NULL, 0);
1145
#endif /* __linux__ */
1162
ret = init_gnutls_global(pubkey, seckey);
1164
fprintf(stderr, "init_gnutls_global failed\n");
1165
exitcode = EXIT_FAILURE;
1168
gnutls_initialized = true;
1171
if(mkdtemp(tempdir) == NULL){
1175
tempdir_created = true;
1177
if(not init_gpgme(pubkey, seckey, tempdir)){
1178
fprintf(stderr, "init_gpgme failed\n");
1179
exitcode = EXIT_FAILURE;
1182
gpgme_initialized = true;
1185
if(interface[0] != '\0'){
1186
if_index = (AvahiIfIndex) if_nametoindex(interface);
1188
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1189
exitcode = EXIT_FAILURE;
1194
if(connect_to != NULL){
1195
/* Connect directly, do not use Zeroconf */
1196
/* (Mainly meant for debugging) */
1197
char *address = strrchr(connect_to, ':');
1198
if(address == NULL){
1199
fprintf(stderr, "No colon in address\n");
1200
exitcode = EXIT_FAILURE;
1205
tmpmax = strtoimax(address+1, &tmp, 10);
1206
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1207
or tmpmax != (uint16_t)tmpmax){
1208
fprintf(stderr, "Bad port number\n");
1209
exitcode = EXIT_FAILURE;
1212
port = (uint16_t)tmpmax;
1214
address = connect_to;
1215
/* Colon in address indicates IPv6 */
1217
if(strchr(address, ':') != NULL){
1222
ret = start_mandos_communication(address, port, if_index, af);
1224
exitcode = EXIT_FAILURE;
1226
exitcode = EXIT_SUCCESS;
553
1232
AvahiServerConfig config;
554
AvahiSServiceBrowser *sb = NULL;
555
const char db[] = "--debug";
558
int returncode = EXIT_SUCCESS;
559
char *basename = rindex(argv[0], '/');
560
if(basename == NULL){
566
char *program_name = malloc(strlen(basename) + sizeof(db));
568
if (program_name == NULL){
573
program_name[0] = '\0';
575
for (int i = 1; i < argc; i++){
576
if (not strncmp(argv[i], db, 5)){
577
strcat(strcat(strcat(program_name, db ), "="), basename);
578
if(not strcmp(argv[i], db) or not strcmp(argv[i], program_name)){
586
avahi_set_log_function(empty_log);
589
/* Initialize the psuedo-RNG */
592
/* Allocate main loop object */
593
if (!(simple_poll = avahi_simple_poll_new())) {
594
fprintf(stderr, "Failed to create simple poll object.\n");
599
/* Do not publish any local records */
1233
/* Do not publish any local Zeroconf records */
600
1234
avahi_server_config_init(&config);
601
1235
config.publish_hinfo = 0;
602
1236
config.publish_addresses = 0;
603
1237
config.publish_workstation = 0;
604
1238
config.publish_domain = 0;
606
1240
/* Allocate a new server */
607
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
609
/* Free the configuration data */
1241
mc.server = avahi_server_new(avahi_simple_poll_get
1242
(mc.simple_poll), &config, NULL,
1245
/* Free the Avahi configuration data */
610
1246
avahi_server_config_free(&config);
612
/* Check if creating the server object succeeded */
614
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
615
returncode = EXIT_FAILURE;
619
/* Create the service browser */
620
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
621
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
622
returncode = EXIT_FAILURE;
626
/* Run the main loop */
629
fprintf(stderr, "Starting avahi loop search\n");
632
avahi_simple_poll_loop(simple_poll);
637
fprintf(stderr, "%s exiting\n", argv[0]);
642
avahi_s_service_browser_free(sb);
645
avahi_server_free(server);
648
avahi_simple_poll_free(simple_poll);
1249
/* Check if creating the Avahi server object succeeded */
1250
if(mc.server == NULL){
1251
fprintf(stderr, "Failed to create Avahi server: %s\n",
1252
avahi_strerror(error));
1253
exitcode = EXIT_FAILURE;
1257
/* Create the Avahi service browser */
1258
sb = avahi_s_service_browser_new(mc.server, if_index,
1259
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1260
NULL, 0, browse_callback, NULL);
1262
fprintf(stderr, "Failed to create service browser: %s\n",
1263
avahi_strerror(avahi_server_errno(mc.server)));
1264
exitcode = EXIT_FAILURE;
1268
/* Run the main loop */
1271
fprintf(stderr, "Starting Avahi loop search\n");
1274
avahi_simple_poll_loop(mc.simple_poll);
1279
fprintf(stderr, "%s exiting\n", argv[0]);
1282
/* Cleanup things */
1284
avahi_s_service_browser_free(sb);
1286
if(mc.server != NULL)
1287
avahi_server_free(mc.server);
1289
if(mc.simple_poll != NULL)
1290
avahi_simple_poll_free(mc.simple_poll);
1292
if(gnutls_initialized){
1293
gnutls_certificate_free_credentials(mc.cred);
1294
gnutls_global_deinit();
1295
gnutls_dh_params_deinit(mc.dh_params);
1298
if(gpgme_initialized){
1299
gpgme_release(mc.ctx);
1302
/* Removes the temp directory used by GPGME */
1303
if(tempdir_created){
1305
struct dirent *direntry;
1306
d = opendir(tempdir);
1308
if(errno != ENOENT){
1313
direntry = readdir(d);
1314
if(direntry == NULL){
1317
/* Skip "." and ".." */
1318
if(direntry->d_name[0] == '.'
1319
and (direntry->d_name[1] == '\0'
1320
or (direntry->d_name[1] == '.'
1321
and direntry->d_name[2] == '\0'))){
1324
char *fullname = NULL;
1325
ret = asprintf(&fullname, "%s/%s", tempdir,
1331
ret = remove(fullname);
1333
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1340
ret = rmdir(tempdir);
1341
if(ret == -1 and errno != ENOENT){