/mandos/release : revision 237.7.29

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: teddy at bsnet
Date: 2011-03-21 19:34:39 UTC
mto: (24.1.171 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
mto: This revision was merged to the branch mainline in revision 284.
Revision ID: teddy@fukt.bsnet.se-20110321193439-lkj3kwvhmujd8lwv

* plugins.d/mandos-client.c (good_interface): Reject non-ARP
interfaces.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/***

This file is part of avahi.

avahi is free software; you can redistribute it and/or modify it

under the terms of the GNU Lesser General Public License as

published by the Free Software Foundation; either version 2.1 of the

License, or (at your option) any later version.

avahi is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY

or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General

Public License for more details.

You should have received a copy of the GNU Lesser General Public

License along with avahi; if not, write to the Free Software

Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

USA.

***/

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* <http://avahi.org/browser/examples/core-browse-services.c>. This

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#ifndef _LARGEFILE_SOURCE

#define _LARGEFILE_SOURCE

#endif

#ifndef _FILE_OFFSET_BITS

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#endif

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),

strtof(), abort() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, uid_t, gid_t, open(),

opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

inet_pton(), connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,

strtoimax() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time(), sleep() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,

INET_ADDRSTRLEN, INET6_ADDRSTRLEN

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), seteuid(),

setgid(), pause() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, or, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sig_atomic_t,

raise() */

#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,

EX_NOHOST, EX_IOERR, EX_PROTOCOL */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif /* __linux__ */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

100

#include <avahi-common/malloc.h>

101

#include <avahi-common/error.h>

102

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */

#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

103

/* GnuTLS */

104

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

105

functions:

106

gnutls_*

107

init_gnutls_session(),

108

GNUTLS_* */

109

#include <gnutls/openpgp.h>

110

/* gnutls_certificate_set_openpgp_key_file(),

111

GNUTLS_OPENPGP_FMT_BASE64 */

112

113

/* GPGME */

114

#include <gpgme.h> /* All GPGME types, constants and

115

functions:

116

gpgme_*

117

GPGME_PROTOCOL_OpenPGP,

118

GPG_ERR_NO_* */

119

120

#define BUFFER_SIZE 256

#define DH_BITS 1024

bool debug;

121

122

#define PATHDIR "/conf/conf.d/mandos"

123

#define SECKEY "seckey.txt"

124

#define PUBKEY "pubkey.txt"

125

126

bool debug = false;

127

static const char mandos_protocol_version[] = "1";

128

const char *argp_program_version = "mandos-client " VERSION;

129

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

130

static const char sys_class_net[] = "/sys/class/net";

131

char *connect_to = NULL;

132

133

/* Used for passing in values through the Avahi callback functions */

134

typedef struct {

gnutls_session_t session;

135

AvahiSimplePoll *simple_poll;

136

AvahiServer *server;

137

gnutls_certificate_credentials_t cred;

138

unsigned int dh_bits;

139

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){

gpgme_data_t dh_crypto, dh_plain;

140

const char *priority;

141

gpgme_ctx_t ctx;

142

} mandos_context;

143

144

/* global context so signal handler can reach it*/

145

mandos_context mc = { .simple_poll = NULL, .server = NULL,

146

.dh_bits = 1024, .priority = "SECURE256"

147

":!CTYPE-X.509:+CTYPE-OPENPGP" };

148

149

sig_atomic_t quit_now = 0;

150

int signal_received = 0;

151

152

153

* Make additional room in "buffer" for at least BUFFER_SIZE more

154

* bytes. "buffer_capacity" is how much is currently allocated,

155

* "buffer_length" is how much is already used.

156

157

size_t incbuffer(char **buffer, size_t buffer_length,

158

size_t buffer_capacity){

159

if(buffer_length + BUFFER_SIZE > buffer_capacity){

160

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

161

if(buffer == NULL){

162

return 0;

163

}

164

buffer_capacity += BUFFER_SIZE;

165

}

166

return buffer_capacity;

167

}

168

169

170

* Initialize GPGME.

171

172

static bool init_gpgme(const char *seckey,

173

const char *pubkey, const char *tempdir){

174

gpgme_error_t rc;

ssize_t ret;

size_t new_packet_capacity = 0;

size_t new_packet_length = 0;

175

gpgme_engine_info_t engine_info;

if (debug){

fprintf(stderr, "Attempting to decrypt password from gpg packet\n");

176

177

178

179

* Helper function to insert pub and seckey to the engine keyring.

180

181

bool import_key(const char *filename){

182

int ret;

183

int fd;

184

gpgme_data_t pgp_data;

185

186

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

187

if(fd == -1){

188

perror("open");

189

return false;

190

}

191

192

rc = gpgme_data_new_from_fd(&pgp_data, fd);

193

if(rc != GPG_ERR_NO_ERROR){

194

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

195

gpgme_strsource(rc), gpgme_strerror(rc));

196

return false;

197

}

198

199

rc = gpgme_op_import(mc.ctx, pgp_data);

200

if(rc != GPG_ERR_NO_ERROR){

201

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

202

gpgme_strsource(rc), gpgme_strerror(rc));

203

return false;

204

}

205

206

ret = (int)TEMP_FAILURE_RETRY(close(fd));

207

if(ret == -1){

208

perror("close");

209

}

210

gpgme_data_release(pgp_data);

211

return true;

212

}

213

214

if(debug){

215

fprintf(stderr, "Initializing GPGME\n");

216

}

217

218

/* Init GPGME */

219

gpgme_check_version(NULL);

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

220

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

221

if(rc != GPG_ERR_NO_ERROR){

222

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

223

gpgme_strsource(rc), gpgme_strerror(rc));

224

return false;

225

}

226

/* Set GPGME home directory */

rc = gpgme_get_engine_info (&engine_info);

if (rc != GPG_ERR_NO_ERROR){

227

/* Set GPGME home directory for the OpenPGP engine only */

228

rc = gpgme_get_engine_info(&engine_info);

229

if(rc != GPG_ERR_NO_ERROR){

230

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

231

gpgme_strsource(rc), gpgme_strerror(rc));

return -1;

232

return false;

233

}

234

while(engine_info != NULL){

235

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

236

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

engine_info->file_name, homedir);

237

engine_info->file_name, tempdir);

238

break;

100

239

}

101

240

engine_info = engine_info->next;

102

241

}

103

242

if(engine_info == NULL){

104

fprintf(stderr, "Could not set home dir to %s\n", homedir);

105

return -1;

106

}

107

108

/* Create new GPGME data buffer from packet buffer */

109

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

110

if (rc != GPG_ERR_NO_ERROR){

243

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

244

return false;

245

}

246

247

/* Create new GPGME "context" */

248

rc = gpgme_new(&(mc.ctx));

249

if(rc != GPG_ERR_NO_ERROR){

250

fprintf(stderr, "bad gpgme_new: %s: %s\n",

251

gpgme_strsource(rc), gpgme_strerror(rc));

252

return false;

253

}

254

255

if(not import_key(pubkey) or not import_key(seckey)){

256

return false;

257

}

258

259

return true;

260

}

261

262

263

* Decrypt OpenPGP data.

264

* Returns -1 on error

265

266

static ssize_t pgp_packet_decrypt(const char *cryptotext,

267

size_t crypto_size,

268

char **plaintext){

269

gpgme_data_t dh_crypto, dh_plain;

270

gpgme_error_t rc;

271

ssize_t ret;

272

size_t plaintext_capacity = 0;

273

ssize_t plaintext_length = 0;

274

275

if(debug){

276

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

277

}

278

279

/* Create new GPGME data buffer from memory cryptotext */

280

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

281

0);

282

if(rc != GPG_ERR_NO_ERROR){

111

283

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

112

284

gpgme_strsource(rc), gpgme_strerror(rc));

113

285

return -1;

115

287

116

288

/* Create new empty GPGME data buffer for the plaintext */

117

289

rc = gpgme_data_new(&dh_plain);

118

if (rc != GPG_ERR_NO_ERROR){

290

if(rc != GPG_ERR_NO_ERROR){

119

291

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

120

292

gpgme_strsource(rc), gpgme_strerror(rc));

121

return -1;

122

}

123

124

/* Create new GPGME "context" */

125

rc = gpgme_new(&ctx);

126

if (rc != GPG_ERR_NO_ERROR){

127

fprintf(stderr, "bad gpgme_new: %s: %s\n",

128

gpgme_strsource(rc), gpgme_strerror(rc));

129

return -1;

130

}

131

132

/* Decrypt data from the FILE pointer to the plaintext data buffer */

133

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

134

if (rc != GPG_ERR_NO_ERROR){

293

gpgme_data_release(dh_crypto);

294

return -1;

295

}

296

297

/* Decrypt data from the cryptotext data buffer to the plaintext

298

data buffer */

299

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

300

if(rc != GPG_ERR_NO_ERROR){

135

301

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

136

302

gpgme_strsource(rc), gpgme_strerror(rc));

137

return -1;

138

}

139

140

if(debug){

141

fprintf(stderr, "decryption of gpg packet succeeded\n");

142

}

143

144

if (debug){

145

gpgme_decrypt_result_t result;

146

result = gpgme_op_decrypt_result(ctx);

147

if (result == NULL){

148

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

149

} else {

150

fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);

151

fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);

152

if(result->file_name != NULL){

153

fprintf(stderr, "File name: %s\n", result->file_name);

154

}

155

gpgme_recipient_t recipient;

156

recipient = result->recipients;

157

if(recipient){

303

plaintext_length = -1;

304

if(debug){

305

gpgme_decrypt_result_t result;

306

result = gpgme_op_decrypt_result(mc.ctx);

307

if(result == NULL){

308

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

309

} else {

310

fprintf(stderr, "Unsupported algorithm: %s\n",

311

result->unsupported_algorithm);

312

fprintf(stderr, "Wrong key usage: %u\n",

313

result->wrong_key_usage);

314

if(result->file_name != NULL){

315

fprintf(stderr, "File name: %s\n", result->file_name);

316

}

317

gpgme_recipient_t recipient;

318

recipient = result->recipients;

158

319

while(recipient != NULL){

159

320

fprintf(stderr, "Public key algorithm: %s\n",

160

321

gpgme_pubkey_algo_name(recipient->pubkey_algo));

161

322

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

162

323

fprintf(stderr, "Secret key available: %s\n",

163

recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");

324

recipient->status == GPG_ERR_NO_SECKEY

325

? "No" : "Yes");

164

326

recipient = recipient->next;

165

327

}

166

328

}

167

329

}

330

goto decrypt_end;

168

331

}

169

332

170

/* Delete the GPGME FILE pointer cryptotext data buffer */

171

gpgme_data_release(dh_crypto);

333

if(debug){

334

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

335

}

172

336

173

337

/* Seek back to the beginning of the GPGME plaintext data buffer */

174

gpgme_data_seek(dh_plain, 0, SEEK_SET);

175

176

*new_packet = 0;

338

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

339

perror("gpgme_data_seek");

340

plaintext_length = -1;

341

goto decrypt_end;

342

}

343

344

*plaintext = NULL;

177

345

while(true){

178

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

179

*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);

180

if (*new_packet == NULL){

181

perror("realloc");

182

return -1;

183

}

184

new_packet_capacity += BUFFER_SIZE;

346

plaintext_capacity = incbuffer(plaintext,

347

(size_t)plaintext_length,

348

plaintext_capacity);

349

if(plaintext_capacity == 0){

350

perror("incbuffer");

351

plaintext_length = -1;

352

goto decrypt_end;

185

353

}

186

354

187

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);

355

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

356

BUFFER_SIZE);

188

357

/* Print the data, if any */

189

if (ret == 0){

190

/* If password is empty, then a incorrect error will be printed */

358

if(ret == 0){

359

/* EOF */

191

360

break;

192

361

}

193

362

if(ret < 0){

194

363

perror("gpgme_data_read");

195

return -1;

364

plaintext_length = -1;

365

goto decrypt_end;

196

366

}

197

new_packet_length += ret;

367

plaintext_length += ret;

198

368

}

199

369

200

370

if(debug){

201

fprintf(stderr, "decrypted password is: %s\n", *new_packet);

371

fprintf(stderr, "Decrypted password is: ");

372

for(ssize_t i = 0; i < plaintext_length; i++){

373

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

374

}

375

fprintf(stderr, "\n");

202

376

}

203

204

/* Delete the GPGME plaintext data buffer */

377

378

decrypt_end:

379

380

/* Delete the GPGME cryptotext data buffer */

381

gpgme_data_release(dh_crypto);

382

383

/* Delete the GPGME plaintext data buffer */

205

384

gpgme_data_release(dh_plain);

206

return new_packet_length;

385

return plaintext_length;

207

386

}

208

387

209

static const char * safer_gnutls_strerror (int value) {

210

const char *ret = gnutls_strerror (value);

211

if (ret == NULL)

388

static const char * safer_gnutls_strerror(int value){

389

const char *ret = gnutls_strerror(value); /* Spurious warning from

390

-Wunreachable-code */

391

if(ret == NULL)

212

392

ret = "(unknown)";

213

393

return ret;

214

394

}

215

395

216

void debuggnutls(int level, const char* string){

217

fprintf(stderr, "%s", string);

396

/* GnuTLS log function callback */

397

static void debuggnutls(__attribute__((unused)) int level,

398

const char* string){

399

fprintf(stderr, "GnuTLS: %s", string);

218

400

}

219

401

220

int initgnutls(encrypted_session *es){

221

const char *err;

402

static int init_gnutls_global(const char *pubkeyfilename,

403

const char *seckeyfilename){

222

404

int ret;

223

405

224

406

if(debug){

225

fprintf(stderr, "Initializing gnutls\n");

407

fprintf(stderr, "Initializing GnuTLS\n");

226

408

}

227

228

409

229

if ((ret = gnutls_global_init ())

230

!= GNUTLS_E_SUCCESS) {

231

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

410

ret = gnutls_global_init();

411

if(ret != GNUTLS_E_SUCCESS){

412

fprintf(stderr, "GnuTLS global_init: %s\n",

413

safer_gnutls_strerror(ret));

232

414

return -1;

233

415

}

234

235

if (debug){

416

417

if(debug){

418

/* "Use a log level over 10 to enable all debugging options."

419

* - GnuTLS manual

420

236

421

gnutls_global_set_log_level(11);

237

422

gnutls_global_set_log_function(debuggnutls);

238

423

}

239

424

240

241

/* openpgp credentials */

242

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

243

!= GNUTLS_E_SUCCESS) {

244

fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));

425

/* OpenPGP credentials */

426

gnutls_certificate_allocate_credentials(&mc.cred);

427

if(ret != GNUTLS_E_SUCCESS){

428

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

429

from

430

-Wunreachable-code

431

432

safer_gnutls_strerror(ret));

433

gnutls_global_deinit();

245

434

return -1;

246

435

}

247

436

248

437

if(debug){

249

fprintf(stderr, "Attempting to use openpgp certificate %s"

250

" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);

438

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

439

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

440

seckeyfilename);

251

441

}

252

442

253

443

ret = gnutls_certificate_set_openpgp_key_file

254

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

255

if (ret != GNUTLS_E_SUCCESS) {

256

fprintf

257

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",

258

ret, CERTFILE, KEYFILE);

259

fprintf(stdout, "The Error is: %s\n",

260

safer_gnutls_strerror(ret));

261

return -1;

262

}

263

264

//Gnutls server initialization

265

if ((ret = gnutls_dh_params_init (&es->dh_params))

266

!= GNUTLS_E_SUCCESS) {

267

fprintf (stderr, "Error in dh parameter initialization: %s\n",

268

safer_gnutls_strerror(ret));

269

return -1;

270

}

271

272

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

273

!= GNUTLS_E_SUCCESS) {

274

fprintf (stderr, "Error in prime generation: %s\n",

275

safer_gnutls_strerror(ret));

276

return -1;

277

}

278

279

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

280

281

// Gnutls session creation

282

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

283

!= GNUTLS_E_SUCCESS){

284

fprintf(stderr, "Error in gnutls session initialization: %s\n",

285

safer_gnutls_strerror(ret));

286

}

287

288

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

289

!= GNUTLS_E_SUCCESS) {

290

fprintf(stderr, "Syntax error at: %s\n", err);

291

fprintf(stderr, "Gnutls error: %s\n",

292

safer_gnutls_strerror(ret));

293

return -1;

294

}

295

296

if ((ret = gnutls_credentials_set

297

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

298

!= GNUTLS_E_SUCCESS) {

299

fprintf(stderr, "Error setting a credentials set: %s\n",

300

safer_gnutls_strerror(ret));

301

return -1;

302

}

303

444

(mc.cred, pubkeyfilename, seckeyfilename,

445

GNUTLS_OPENPGP_FMT_BASE64);

446

if(ret != GNUTLS_E_SUCCESS){

447

fprintf(stderr,

448

"Error[%d] while reading the OpenPGP key pair ('%s',"

449

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

450

fprintf(stderr, "The GnuTLS error is: %s\n",

451

safer_gnutls_strerror(ret));

452

goto globalfail;

453

}

454

455

/* GnuTLS server initialization */

456

ret = gnutls_dh_params_init(&mc.dh_params);

457

if(ret != GNUTLS_E_SUCCESS){

458

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

459

" %s\n", safer_gnutls_strerror(ret));

460

goto globalfail;

461

}

462

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

463

if(ret != GNUTLS_E_SUCCESS){

464

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

465

safer_gnutls_strerror(ret));

466

goto globalfail;

467

}

468

469

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

470

471

return 0;

472

473

globalfail:

474

475

gnutls_certificate_free_credentials(mc.cred);

476

gnutls_global_deinit();

477

gnutls_dh_params_deinit(mc.dh_params);

478

return -1;

479

}

480

481

static int init_gnutls_session(gnutls_session_t *session){

482

int ret;

483

/* GnuTLS session creation */

484

do {

485

ret = gnutls_init(session, GNUTLS_SERVER);

486

if(quit_now){

487

return -1;

488

}

489

} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);

490

if(ret != GNUTLS_E_SUCCESS){

491

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

492

safer_gnutls_strerror(ret));

493

}

494

495

{

496

const char *err;

497

do {

498

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

499

if(quit_now){

500

gnutls_deinit(*session);

501

return -1;

502

}

503

} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);

504

if(ret != GNUTLS_E_SUCCESS){

505

fprintf(stderr, "Syntax error at: %s\n", err);

506

fprintf(stderr, "GnuTLS error: %s\n",

507

safer_gnutls_strerror(ret));

508

gnutls_deinit(*session);

509

return -1;

510

}

511

}

512

513

do {

514

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

515

mc.cred);

516

if(quit_now){

517

gnutls_deinit(*session);

518

return -1;

519

}

520

} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);

521

if(ret != GNUTLS_E_SUCCESS){

522

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

523

safer_gnutls_strerror(ret));

524

gnutls_deinit(*session);

525

return -1;

526

}

527

304

528

/* ignore client certificate if any. */

305

gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);

529

gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);

306

530

307

gnutls_dh_set_prime_bits (es->session, DH_BITS);

531

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

308

532

309

533

return 0;

310

534

}

311

535

312

void empty_log(AvahiLogLevel level, const char *txt){}

536

/* Avahi log function callback */

537

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

538

__attribute__((unused)) const char *txt){}

313

539

314

int start_mandos_communcation(char *ip, uint16_t port){

315

int ret, tcp_sd;

316

struct sockaddr_in6 to;

317

struct in6_addr ip_addr;

318

encrypted_session es;

540

/* Called when a Mandos server is found */

541

static int start_mandos_communication(const char *ip, uint16_t port,

542

AvahiIfIndex if_index,

543

int af){

544

int ret, tcp_sd = -1;

545

ssize_t sret;

546

union {

547

struct sockaddr_in in;

548

struct sockaddr_in6 in6;

549

} to;

319

550

char *buffer = NULL;

320

char *decrypted_buffer;

551

char *decrypted_buffer = NULL;

321

552

size_t buffer_length = 0;

322

553

size_t buffer_capacity = 0;

323

ssize_t decrypted_buffer_size;

324

int retval = 0;

325

const char interface[] = "eth0";

326

554

size_t written;

555

int retval = -1;

556

gnutls_session_t session;

557

int pf; /* Protocol family */

558

559

errno = 0;

560

561

if(quit_now){

562

errno = EINTR;

563

return -1;

564

}

565

566

switch(af){

567

case AF_INET6:

568

pf = PF_INET6;

569

break;

570

case AF_INET:

571

pf = PF_INET;

572

break;

573

default:

574

fprintf(stderr, "Bad address family: %d\n", af);

575

errno = EINVAL;

576

return -1;

577

}

578

579

ret = init_gnutls_session(&session);

580

if(ret != 0){

581

return -1;

582

}

583

327

584

if(debug){

328

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

585

fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16

586

"\n", ip, port);

329

587

}

330

588

331

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

332

if(tcp_sd < 0) {

589

tcp_sd = socket(pf, SOCK_STREAM, 0);

590

if(tcp_sd < 0){

591

int e = errno;

333

592

perror("socket");

334

return -1;

335

}

336

337

if(debug){

338

fprintf(stderr, "Binding to interface %s\n", interface);

339

}

340

341

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);

342

if(tcp_sd < 0) {

343

perror("setsockopt bindtodevice");

344

return -1;

345

}

346

347

memset(&to,0,sizeof(to));

348

to.sin6_family = AF_INET6;

349

ret = inet_pton(AF_INET6, ip, &ip_addr);

350

if (ret < 0 ){

593

errno = e;

594

goto mandos_end;

595

}

596

597

if(quit_now){

598

errno = EINTR;

599

goto mandos_end;

600

}

601

602

memset(&to, 0, sizeof(to));

603

if(af == AF_INET6){

604

to.in6.sin6_family = (sa_family_t)af;

605

ret = inet_pton(af, ip, &to.in6.sin6_addr);

606

} else { /* IPv4 */

607

to.in.sin_family = (sa_family_t)af;

608

ret = inet_pton(af, ip, &to.in.sin_addr);

609

}

610

if(ret < 0 ){

611

int e = errno;

351

612

perror("inet_pton");

352

return -1;

353

}

613

errno = e;

614

goto mandos_end;

615

}

354

616

if(ret == 0){

617

int e = errno;

355

618

fprintf(stderr, "Bad address: %s\n", ip);

356

return -1;

357

}

358

to.sin6_port = htons(port);

359

to.sin6_scope_id = if_nametoindex(interface);

360

361

if(debug){

362

fprintf(stderr, "Connection to: %s\n", ip);

363

}

364

365

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

366

if (ret < 0){

367

perror("connect");

368

return -1;

369

}

370

371

ret = initgnutls (&es);

372

if (ret != 0){

373

retval = -1;

374

return -1;

375

}

376

377

378

gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

379

380

if(debug){

381

fprintf(stderr, "Establishing tls session with %s\n", ip);

382

}

383

384

385

ret = gnutls_handshake (es.session);

386

387

if (ret != GNUTLS_E_SUCCESS){

388

fprintf(stderr, "\n*** Handshake failed ***\n");

389

gnutls_perror (ret);

390

retval = -1;

391

goto exit;

392

}

393

394

//Retrieve gpg packet that contains the wanted password

395

396

if(debug){

397

fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);

398

}

399

400

while(true){

401

if (buffer_length + BUFFER_SIZE > buffer_capacity){

402

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

403

if (buffer == NULL){

404

perror("realloc");

405

goto exit;

406

}

407

buffer_capacity += BUFFER_SIZE;

408

}

409

410

ret = gnutls_record_recv

411

(es.session, buffer+buffer_length, BUFFER_SIZE);

412

if (ret == 0){

619

errno = e;

620

goto mandos_end;

621

}

622

if(af == AF_INET6){

623

to.in6.sin6_port = htons(port); /* Spurious warnings from

624

-Wconversion and

625

-Wunreachable-code */

626

627

if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */

628

(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and

629

-Wunreachable-code*/

630

if(if_index == AVAHI_IF_UNSPEC){

631

fprintf(stderr, "An IPv6 link-local address is incomplete"

632

" without a network interface\n");

633

errno = EINVAL;

634

goto mandos_end;

635

}

636

/* Set the network interface number as scope */

637

to.in6.sin6_scope_id = (uint32_t)if_index;

638

}

639

} else {

640

to.in.sin_port = htons(port); /* Spurious warnings from

641

-Wconversion and

642

-Wunreachable-code */

643

}

644

645

if(quit_now){

646

errno = EINTR;

647

goto mandos_end;

648

}

649

650

if(debug){

651

if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){

652

char interface[IF_NAMESIZE];

653

if(if_indextoname((unsigned int)if_index, interface) == NULL){

654

perror("if_indextoname");

655

} else {

656

fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",

657

ip, interface, port);

658

}

659

} else {

660

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

661

port);

662

}

663

char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?

664

INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";

665

const char *pcret;

666

if(af == AF_INET6){

667

pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,

668

sizeof(addrstr));

669

} else {

670

pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,

671

sizeof(addrstr));

672

}

673

if(pcret == NULL){

674

perror("inet_ntop");

675

} else {

676

if(strcmp(addrstr, ip) != 0){

677

fprintf(stderr, "Canonical address form: %s\n", addrstr);

678

}

679

}

680

}

681

682

if(quit_now){

683

errno = EINTR;

684

goto mandos_end;

685

}

686

687

if(af == AF_INET6){

688

ret = connect(tcp_sd, &to.in6, sizeof(to));

689

} else {

690

ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */

691

}

692

if(ret < 0){

693

if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){

694

int e = errno;

695

perror("connect");

696

errno = e;

697

}

698

goto mandos_end;

699

}

700

701

if(quit_now){

702

errno = EINTR;

703

goto mandos_end;

704

}

705

706

const char *out = mandos_protocol_version;

707

written = 0;

708

while(true){

709

size_t out_size = strlen(out);

710

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

711

out_size - written));

712

if(ret == -1){

713

int e = errno;

714

perror("write");

715

errno = e;

716

goto mandos_end;

717

}

718

written += (size_t)ret;

719

if(written < out_size){

720

continue;

721

} else {

722

if(out == mandos_protocol_version){

723

written = 0;

724

out = "\r\n";

725

} else {

726

break;

727

}

728

}

729

730

if(quit_now){

731

errno = EINTR;

732

goto mandos_end;

733

}

734

}

735

736

if(debug){

737

fprintf(stderr, "Establishing TLS session with %s\n", ip);

738

}

739

740

if(quit_now){

741

errno = EINTR;

742

goto mandos_end;

743

}

744

745

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

746

747

if(quit_now){

748

errno = EINTR;

749

goto mandos_end;

750

}

751

752

do {

753

ret = gnutls_handshake(session);

754

if(quit_now){

755

errno = EINTR;

756

goto mandos_end;

757

}

758

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

759

760

if(ret != GNUTLS_E_SUCCESS){

761

if(debug){

762

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

763

gnutls_perror(ret);

764

}

765

errno = EPROTO;

766

goto mandos_end;

767

}

768

769

/* Read OpenPGP packet that contains the wanted password */

770

771

if(debug){

772

fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",

773

ip);

774

}

775

776

while(true){

777

778

if(quit_now){

779

errno = EINTR;

780

goto mandos_end;

781

}

782

783

buffer_capacity = incbuffer(&buffer, buffer_length,

784

buffer_capacity);

785

if(buffer_capacity == 0){

786

int e = errno;

787

perror("incbuffer");

788

errno = e;

789

goto mandos_end;

790

}

791

792

if(quit_now){

793

errno = EINTR;

794

goto mandos_end;

795

}

796

797

sret = gnutls_record_recv(session, buffer+buffer_length,

798

BUFFER_SIZE);

799

if(sret == 0){

413

800

break;

414

801

}

415

if (ret < 0){

416

switch(ret){

802

if(sret < 0){

803

switch(sret){

417

804

case GNUTLS_E_INTERRUPTED:

418

805

case GNUTLS_E_AGAIN:

419

806

break;

420

807

case GNUTLS_E_REHANDSHAKE:

421

ret = gnutls_handshake (es.session);

422

if (ret < 0){

423

fprintf(stderr, "\n*** Handshake failed ***\n");

424

gnutls_perror (ret);

425

retval = -1;

426

goto exit;

808

do {

809

ret = gnutls_handshake(session);

810

811

if(quit_now){

812

errno = EINTR;

813

goto mandos_end;

814

}

815

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

816

if(ret < 0){

817

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

818

gnutls_perror(ret);

819

errno = EPROTO;

820

goto mandos_end;

427

821

}

428

822

break;

429

823

default:

430

fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");

431

retval = -1;

432

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

433

goto exit;

434

}

435

} else {

436

buffer_length += ret;

437

}

438

}

439

440

if (buffer_length > 0){

441

if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){

442

fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);

443

free(decrypted_buffer);

444

} else {

824

fprintf(stderr, "Unknown error while reading data from"

825

" encrypted session with Mandos server\n");

826

gnutls_bye(session, GNUTLS_SHUT_RDWR);

827

errno = EIO;

828

goto mandos_end;

829

}

830

} else {

831

buffer_length += (size_t) sret;

832

}

833

}

834

835

if(debug){

836

fprintf(stderr, "Closing TLS session\n");

837

}

838

839

if(quit_now){

840

errno = EINTR;

841

goto mandos_end;

842

}

843

844

do {

845

ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);

846

if(quit_now){

847

errno = EINTR;

848

goto mandos_end;

849

}

850

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

851

852

if(buffer_length > 0){

853

ssize_t decrypted_buffer_size;

854

decrypted_buffer_size = pgp_packet_decrypt(buffer,

855

buffer_length,

856

&decrypted_buffer);

857

if(decrypted_buffer_size >= 0){

858

859

written = 0;

860

while(written < (size_t) decrypted_buffer_size){

861

if(quit_now){

862

errno = EINTR;

863

goto mandos_end;

864

}

865

866

ret = (int)fwrite(decrypted_buffer + written, 1,

867

(size_t)decrypted_buffer_size - written,

868

stdout);

869

if(ret == 0 and ferror(stdout)){

870

int e = errno;

871

if(debug){

872

fprintf(stderr, "Error writing encrypted data: %s\n",

873

strerror(errno));

874

}

875

errno = e;

876

goto mandos_end;

877

}

878

written += (size_t)ret;

879

}

880

retval = 0;

881

}

882

}

883

884

/* Shutdown procedure */

885

886

mandos_end:

887

{

888

int e = errno;

889

free(decrypted_buffer);

890

free(buffer);

891

if(tcp_sd >= 0){

892

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

893

}

894

if(ret == -1){

895

if(e == 0){

896

e = errno;

897

}

898

perror("close");

899

}

900

gnutls_deinit(session);

901

if(quit_now){

902

e = EINTR;

445

903

retval = -1;

446

904

}

447

}

448

449

//shutdown procedure

450

451

if(debug){

452

fprintf(stderr, "Closing tls session\n");

453

}

454

455

free(buffer);

456

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

457

exit:

458

close(tcp_sd);

459

gnutls_deinit (es.session);

460

gnutls_certificate_free_credentials (es.cred);

461

gnutls_global_deinit ();

905

errno = e;

906

}

462

907

return retval;

463

908

}

464

909

465

static AvahiSimplePoll *simple_poll = NULL;

466

static AvahiServer *server = NULL;

467

468

static void resolve_callback(

469

AvahiSServiceResolver *r,

470

AVAHI_GCC_UNUSED AvahiIfIndex interface,

471

AVAHI_GCC_UNUSED AvahiProtocol protocol,

472

AvahiResolverEvent event,

473

const char *name,

474

const char *type,

475

const char *domain,

476

const char *host_name,

477

const AvahiAddress *address,

478

uint16_t port,

479

AvahiStringList *txt,

480

AvahiLookupResultFlags flags,

481

AVAHI_GCC_UNUSED void* userdata) {

482

483

assert(r);

484

485

/* Called whenever a service has been resolved successfully or timed out */

486

487

switch (event) {

488

case AVAHI_RESOLVER_FAILURE:

489

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));

490

break;

491

492

case AVAHI_RESOLVER_FOUND: {

493

char ip[AVAHI_ADDRESS_STR_MAX];

494

avahi_address_snprint(ip, sizeof(ip), address);

495

if(debug){

496

fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);

497

}

498

int ret = start_mandos_communcation(ip, port);

499

if (ret == 0){

500

exit(EXIT_SUCCESS);

501

} else {

502

exit(EXIT_FAILURE);

503

}

504

}

505

}

506

avahi_s_service_resolver_free(r);

507

}

508

509

static void browse_callback(

510

AvahiSServiceBrowser *b,

511

AvahiIfIndex interface,

512

AvahiProtocol protocol,

513

AvahiBrowserEvent event,

514

const char *name,

515

const char *type,

516

const char *domain,

517

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

518

void* userdata) {

519

520

AvahiServer *s = userdata;

521

assert(b);

522

523

/* Called whenever a new services becomes available on the LAN or is removed from the LAN */

524

525

switch (event) {

526

527

case AVAHI_BROWSER_FAILURE:

528

529

fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));

530

avahi_simple_poll_quit(simple_poll);

531

return;

532

533

case AVAHI_BROWSER_NEW:

534

/* We ignore the returned resolver object. In the callback

535

function we free it. If the server is terminated before

536

the callback function is called the server will free

537

the resolver for us. */

538

539

if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))

540

fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));

541

542

break;

543

544

case AVAHI_BROWSER_REMOVE:

545

break;

546

547

case AVAHI_BROWSER_ALL_FOR_NOW:

548

case AVAHI_BROWSER_CACHE_EXHAUSTED:

549

break;

550

}

551

}

552

553

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

910

static void resolve_callback(AvahiSServiceResolver *r,

911

AvahiIfIndex interface,

912

AvahiProtocol proto,

913

AvahiResolverEvent event,

914

const char *name,

915

const char *type,

916

const char *domain,

917

const char *host_name,

918

const AvahiAddress *address,

919

uint16_t port,

920

AVAHI_GCC_UNUSED AvahiStringList *txt,

921

AVAHI_GCC_UNUSED AvahiLookupResultFlags

922

flags,

923

AVAHI_GCC_UNUSED void* userdata){

924

assert(r);

925

926

/* Called whenever a service has been resolved successfully or

927

timed out */

928

929

if(quit_now){

930

return;

931

}

932

933

switch(event){

934

default:

935

case AVAHI_RESOLVER_FAILURE:

936

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

937

" of type '%s' in domain '%s': %s\n", name, type, domain,

938

avahi_strerror(avahi_server_errno(mc.server)));

939

break;

940

941

case AVAHI_RESOLVER_FOUND:

942

{

943

char ip[AVAHI_ADDRESS_STR_MAX];

944

avahi_address_snprint(ip, sizeof(ip), address);

945

if(debug){

946

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

947

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

948

ip, (intmax_t)interface, port);

949

}

950

int ret = start_mandos_communication(ip, port, interface,

951

avahi_proto_to_af(proto));

952

if(ret == 0){

953

avahi_simple_poll_quit(mc.simple_poll);

954

}

955

}

956

}

957

avahi_s_service_resolver_free(r);

958

}

959

960

static void browse_callback(AvahiSServiceBrowser *b,

961

AvahiIfIndex interface,

962

AvahiProtocol protocol,

963

AvahiBrowserEvent event,

964

const char *name,

965

const char *type,

966

const char *domain,

967

AVAHI_GCC_UNUSED AvahiLookupResultFlags

968

flags,

969

AVAHI_GCC_UNUSED void* userdata){

970

assert(b);

971

972

/* Called whenever a new services becomes available on the LAN or

973

is removed from the LAN */

974

975

if(quit_now){

976

return;

977

}

978

979

switch(event){

980

default:

981

case AVAHI_BROWSER_FAILURE:

982

983

fprintf(stderr, "(Avahi browser) %s\n",

984

avahi_strerror(avahi_server_errno(mc.server)));

985

avahi_simple_poll_quit(mc.simple_poll);

986

return;

987

988

case AVAHI_BROWSER_NEW:

989

/* We ignore the returned Avahi resolver object. In the callback

990

function we free it. If the Avahi server is terminated before

991

the callback function is called the Avahi server will free the

992

resolver for us. */

993

994

if(avahi_s_service_resolver_new(mc.server, interface, protocol,

995

name, type, domain, protocol, 0,

996

resolve_callback, NULL) == NULL)

997

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

998

name, avahi_strerror(avahi_server_errno(mc.server)));

999

break;

1000

1001

case AVAHI_BROWSER_REMOVE:

1002

break;

1003

1004

case AVAHI_BROWSER_ALL_FOR_NOW:

1005

case AVAHI_BROWSER_CACHE_EXHAUSTED:

1006

if(debug){

1007

fprintf(stderr, "No Mandos server found, still searching...\n");

1008

}

1009

break;

1010

}

1011

}

1012

1013

/* stop main loop after sigterm has been called */

1014

static void handle_sigterm(int sig){

1015

if(quit_now){

1016

return;

1017

}

1018

quit_now = 1;

1019

signal_received = sig;

1020

int old_errno = errno;

1021

if(mc.simple_poll != NULL){

1022

avahi_simple_poll_quit(mc.simple_poll);

1023

}

1024

errno = old_errno;

1025

}

1026

1027

1028

* This function determines if a directory entry in /sys/class/net

1029

* corresponds to an acceptable network device.

1030

* (This function is passed to scandir(3) as a filter function.)

1031

1032

int good_interface(const struct dirent *if_entry){

1033

ssize_t ssret;

1034

char *flagname = NULL;

1035

if(if_entry->d_name[0] == '.'){

1036

return 0;

1037

}

1038

int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,

1039

if_entry->d_name);

1040

if(ret < 0){

1041

perror("asprintf");

1042

return 0;

1043

}

1044

int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));

1045

if(flags_fd == -1){

1046

perror("open");

1047

free(flagname);

1048

return 0;

1049

}

1050

free(flagname);

1051

typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */

1052

/* read line from flags_fd */

1053

ssize_t to_read = (sizeof(ifreq_flags)*2)+3; /* "0x1003\n" */

1054

char *flagstring = malloc((size_t)to_read+1); /* +1 for final \0 */

1055

flagstring[(size_t)to_read] = '\0';

1056

if(flagstring == NULL){

1057

perror("malloc");

1058

close(flags_fd);

1059

return 0;

1060

}

1061

while(to_read > 0){

1062

ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,

1063

(size_t)to_read));

1064

if(ssret == -1){

1065

perror("read");

1066

free(flagstring);

1067

close(flags_fd);

1068

return 0;

1069

}

1070

to_read -= ssret;

1071

if(ssret == 0){

1072

break;

1073

}

1074

}

1075

close(flags_fd);

1076

intmax_t tmpmax;

1077

char *tmp;

1078

errno = 0;

1079

tmpmax = strtoimax(flagstring, &tmp, 0);

1080

if(errno != 0 or tmp == flagstring or (*tmp != '\0'

1081

and not (isspace(*tmp)))

1082

or tmpmax != (ifreq_flags)tmpmax){

1083

if(debug){

1084

fprintf(stderr, "Invalid flags \"%s\" for interface \"%s\"\n",

1085

flagstring, if_entry->d_name);

1086

}

1087

free(flagstring);

1088

return 0;

1089

}

1090

free(flagstring);

1091

ifreq_flags flags = (ifreq_flags)tmpmax;

1092

/* Reject the loopback device */

1093

if(flags & IFF_LOOPBACK){

1094

if(debug){

1095

fprintf(stderr, "Rejecting loopback interface \"%s\"\n",

1096

if_entry->d_name);

1097

}

1098

return 0;

1099

}

1100

/* Accept point-to-point devices only if connect_to is specified */

1101

if(connect_to != NULL and (flags & IFF_POINTOPOINT)){

1102

if(debug){

1103

fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",

1104

if_entry->d_name);

1105

}

1106

return 1;

1107

}

1108

/* Otherwise, reject non-broadcast-capable devices */

1109

if(not (flags & IFF_BROADCAST)){

1110

if(debug){

1111

fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",

1112

if_entry->d_name);

1113

}

1114

return 0;

1115

}

1116

/* Reject non-ARP interfaces (including dummy interfaces) */

1117

if(flags & IFF_NOARP){

1118

if(debug){

1119

fprintf(stderr, "Rejecting non-ARP interface \"%s\"\n",

1120

if_entry->d_name);

1121

}

1122

return 0;

1123

}

1124

/* Accept this device */

1125

if(debug){

1126

fprintf(stderr, "Interface \"%s\" is acceptable\n",

1127

if_entry->d_name);

1128

}

1129

return 1;

1130

}

1131

1132

int main(int argc, char *argv[]){

1133

AvahiSServiceBrowser *sb = NULL;

1134

int error;

1135

int ret;

1136

intmax_t tmpmax;

1137

char *tmp;

1138

int exitcode = EXIT_SUCCESS;

1139

const char *interface = "";

1140

struct ifreq network;

1141

int sd = -1;

1142

bool take_down_interface = false;

1143

uid_t uid;

1144

gid_t gid;

1145

char tempdir[] = "/tmp/mandosXXXXXX";

1146

bool tempdir_created = false;

1147

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

1148

const char *seckey = PATHDIR "/" SECKEY;

1149

const char *pubkey = PATHDIR "/" PUBKEY;

1150

1151

bool gnutls_initialized = false;

1152

bool gpgme_initialized = false;

1153

float delay = 2.5f;

1154

1155

struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };

1156

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

1157

1158

uid = getuid();

1159

gid = getgid();

1160

1161

/* Lower any group privileges we might have, just to be safe */

1162

errno = 0;

1163

ret = setgid(gid);

1164

if(ret == -1){

1165

perror("setgid");

1166

}

1167

1168

/* Lower user privileges (temporarily) */

1169

errno = 0;

1170

ret = seteuid(uid);

1171

if(ret == -1){

1172

perror("seteuid");

1173

}

1174

1175

if(quit_now){

1176

goto end;

1177

}

1178

1179

{

1180

struct argp_option options[] = {

1181

{ .name = "debug", .key = 128,

1182

.doc = "Debug mode", .group = 3 },

1183

{ .name = "connect", .key = 'c',

1184

.arg = "ADDRESS:PORT",

1185

.doc = "Connect directly to a specific Mandos server",

1186

.group = 1 },

1187

{ .name = "interface", .key = 'i',

1188

.arg = "NAME",

1189

.doc = "Network interface that will be used to search for"

1190

" Mandos servers",

1191

.group = 1 },

1192

{ .name = "seckey", .key = 's',

1193

.arg = "FILE",

1194

.doc = "OpenPGP secret key file base name",

1195

.group = 1 },

1196

{ .name = "pubkey", .key = 'p',

1197

.arg = "FILE",

1198

.doc = "OpenPGP public key file base name",

1199

.group = 2 },

1200

{ .name = "dh-bits", .key = 129,

1201

.arg = "BITS",

1202

.doc = "Bit length of the prime number used in the"

1203

" Diffie-Hellman key exchange",

1204

.group = 2 },

1205

{ .name = "priority", .key = 130,

1206

.arg = "STRING",

1207

.doc = "GnuTLS priority string for the TLS handshake",

1208

.group = 1 },

1209

{ .name = "delay", .key = 131,

1210

.arg = "SECONDS",

1211

.doc = "Maximum delay to wait for interface startup",

1212

.group = 2 },

1213

1214

* These reproduce what we would get without ARGP_NO_HELP

1215

1216

{ .name = "help", .key = '?',

1217

.doc = "Give this help list", .group = -1 },

1218

{ .name = "usage", .key = -3,

1219

.doc = "Give a short usage message", .group = -1 },

1220

{ .name = "version", .key = 'V',

1221

.doc = "Print program version", .group = -1 },

1222

{ .name = NULL }

1223

};

1224

1225

error_t parse_opt(int key, char *arg,

1226

struct argp_state *state){

1227

errno = 0;

1228

switch(key){

1229

case 128: /* --debug */

1230

debug = true;

1231

break;

1232

case 'c': /* --connect */

1233

connect_to = arg;

1234

break;

1235

case 'i': /* --interface */

1236

interface = arg;

1237

break;

1238

case 's': /* --seckey */

1239

seckey = arg;

1240

break;

1241

case 'p': /* --pubkey */

1242

pubkey = arg;

1243

break;

1244

case 129: /* --dh-bits */

1245

errno = 0;

1246

tmpmax = strtoimax(arg, &tmp, 10);

1247

if(errno != 0 or tmp == arg or *tmp != '\0'

1248

or tmpmax != (typeof(mc.dh_bits))tmpmax){

1249

argp_error(state, "Bad number of DH bits");

1250

}

1251

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

1252

break;

1253

case 130: /* --priority */

1254

mc.priority = arg;

1255

break;

1256

case 131: /* --delay */

1257

errno = 0;

1258

delay = strtof(arg, &tmp);

1259

if(errno != 0 or tmp == arg or *tmp != '\0'){

1260

argp_error(state, "Bad delay");

1261

}

1262

break;

1263

1264

* These reproduce what we would get without ARGP_NO_HELP

1265

1266

case '?': /* --help */

1267

argp_state_help(state, state->out_stream,

1268

(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)

1269

& ~(unsigned int)ARGP_HELP_EXIT_OK);

1270

case -3: /* --usage */

1271

argp_state_help(state, state->out_stream,

1272

ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);

1273

case 'V': /* --version */

1274

fprintf(state->out_stream, "%s\n", argp_program_version);

1275

exit(argp_err_exit_status);

1276

break;

1277

default:

1278

return ARGP_ERR_UNKNOWN;

1279

}

1280

return errno;

1281

}

1282

1283

struct argp argp = { .options = options, .parser = parse_opt,

1284

.args_doc = "",

1285

.doc = "Mandos client -- Get and decrypt"

1286

" passwords from a Mandos server" };

1287

ret = argp_parse(&argp, argc, argv,

1288

ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);

1289

switch(ret){

1290

case 0:

1291

break;

1292

case ENOMEM:

1293

default:

1294

errno = ret;

1295

perror("argp_parse");

1296

exitcode = EX_OSERR;

1297

goto end;

1298

case EINVAL:

1299

exitcode = EX_USAGE;

1300

goto end;

1301

}

1302

}

1303

1304

if(not debug){

1305

avahi_set_log_function(empty_log);

1306

}

1307

1308

if(interface[0] == '\0'){

1309

struct dirent **direntries;

1310

ret = scandir(sys_class_net, &direntries, good_interface,

1311

alphasort);

1312

if(ret >= 1){

1313

/* Pick the first good interface */

1314

interface = strdup(direntries[0]->d_name);

1315

if(debug){

1316

fprintf(stderr, "Using interface \"%s\"\n", interface);

1317

}

1318

if(interface == NULL){

1319

perror("malloc");

1320

free(direntries);

1321

exitcode = EXIT_FAILURE;

1322

goto end;

1323

}

1324

free(direntries);

1325

} else {

1326

free(direntries);

1327

fprintf(stderr, "Could not find a network interface\n");

1328

exitcode = EXIT_FAILURE;

1329

goto end;

1330

}

1331

}

1332

1333

/* Initialize Avahi early so avahi_simple_poll_quit() can be called

1334

from the signal handler */

1335

/* Initialize the pseudo-RNG for Avahi */

1336

srand((unsigned int) time(NULL));

1337

mc.simple_poll = avahi_simple_poll_new();

1338

if(mc.simple_poll == NULL){

1339

fprintf(stderr, "Avahi: Failed to create simple poll object.\n");

1340

exitcode = EX_UNAVAILABLE;

1341

goto end;

1342

}

1343

1344

sigemptyset(&sigterm_action.sa_mask);

1345

ret = sigaddset(&sigterm_action.sa_mask, SIGINT);

1346

if(ret == -1){

1347

perror("sigaddset");

1348

exitcode = EX_OSERR;

1349

goto end;

1350

}

1351

ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);

1352

if(ret == -1){

1353

perror("sigaddset");

1354

exitcode = EX_OSERR;

1355

goto end;

1356

}

1357

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1358

if(ret == -1){

1359

perror("sigaddset");

1360

exitcode = EX_OSERR;

1361

goto end;

1362

}

1363

/* Need to check if the handler is SIG_IGN before handling:

1364

| [[info:libc:Initial Signal Actions]] |

1365

| [[info:libc:Basic Signal Handling]] |

1366

1367

ret = sigaction(SIGINT, NULL, &old_sigterm_action);

1368

if(ret == -1){

1369

perror("sigaction");

1370

return EX_OSERR;

1371

}

1372

if(old_sigterm_action.sa_handler != SIG_IGN){

1373

ret = sigaction(SIGINT, &sigterm_action, NULL);

1374

if(ret == -1){

1375

perror("sigaction");

1376

exitcode = EX_OSERR;

1377

goto end;

1378

}

1379

}

1380

ret = sigaction(SIGHUP, NULL, &old_sigterm_action);

1381

if(ret == -1){

1382

perror("sigaction");

1383

return EX_OSERR;

1384

}

1385

if(old_sigterm_action.sa_handler != SIG_IGN){

1386

ret = sigaction(SIGHUP, &sigterm_action, NULL);

1387

if(ret == -1){

1388

perror("sigaction");

1389

exitcode = EX_OSERR;

1390

goto end;

1391

}

1392

}

1393

ret = sigaction(SIGTERM, NULL, &old_sigterm_action);

1394

if(ret == -1){

1395

perror("sigaction");

1396

return EX_OSERR;

1397

}

1398

if(old_sigterm_action.sa_handler != SIG_IGN){

1399

ret = sigaction(SIGTERM, &sigterm_action, NULL);

1400

if(ret == -1){

1401

perror("sigaction");

1402

exitcode = EX_OSERR;

1403

goto end;

1404

}

1405

}

1406

1407

/* If the interface is down, bring it up */

1408

if(strcmp(interface, "none") != 0){

1409

if_index = (AvahiIfIndex) if_nametoindex(interface);

1410

if(if_index == 0){

1411

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1412

exitcode = EX_UNAVAILABLE;

1413

goto end;

1414

}

1415

1416

if(quit_now){

1417

goto end;

1418

}

1419

1420

/* Re-raise priviliges */

1421

errno = 0;

1422

ret = seteuid(0);

1423

if(ret == -1){

1424

perror("seteuid");

1425

}

1426

1427

#ifdef __linux__

1428

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1429

messages about the network interface to mess up the prompt */

1430

ret = klogctl(8, NULL, 5);

1431

bool restore_loglevel = true;

1432

if(ret == -1){

1433

restore_loglevel = false;

1434

perror("klogctl");

1435

}

1436

#endif /* __linux__ */

1437

1438

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1439

if(sd < 0){

1440

perror("socket");

1441

exitcode = EX_OSERR;

1442

#ifdef __linux__

1443

if(restore_loglevel){

1444

ret = klogctl(7, NULL, 0);

1445

if(ret == -1){

1446

perror("klogctl");

1447

}

1448

}

1449

#endif /* __linux__ */

1450

/* Lower privileges */

1451

errno = 0;

1452

ret = seteuid(uid);

1453

if(ret == -1){

1454

perror("seteuid");

1455

}

1456

goto end;

1457

}

1458

strcpy(network.ifr_name, interface);

1459

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1460

if(ret == -1){

1461

perror("ioctl SIOCGIFFLAGS");

1462

#ifdef __linux__

1463

if(restore_loglevel){

1464

ret = klogctl(7, NULL, 0);

1465

if(ret == -1){

1466

perror("klogctl");

1467

}

1468

}

1469

#endif /* __linux__ */

1470

exitcode = EX_OSERR;

1471

/* Lower privileges */

1472

errno = 0;

1473

ret = seteuid(uid);

1474

if(ret == -1){

1475

perror("seteuid");

1476

}

1477

goto end;

1478

}

1479

if((network.ifr_flags & IFF_UP) == 0){

1480

network.ifr_flags |= IFF_UP;

1481

take_down_interface = true;

1482

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1483

if(ret == -1){

1484

take_down_interface = false;

1485

perror("ioctl SIOCSIFFLAGS +IFF_UP");

1486

exitcode = EX_OSERR;

1487

#ifdef __linux__

1488

if(restore_loglevel){

1489

ret = klogctl(7, NULL, 0);

1490

if(ret == -1){

1491

perror("klogctl");

1492

}

1493

}

1494

#endif /* __linux__ */

1495

/* Lower privileges */

1496

errno = 0;

1497

ret = seteuid(uid);

1498

if(ret == -1){

1499

perror("seteuid");

1500

}

1501

goto end;

1502

}

1503

}

1504

/* sleep checking until interface is running */

1505

for(int i=0; i < delay * 4; i++){

1506

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1507

if(ret == -1){

1508

perror("ioctl SIOCGIFFLAGS");

1509

} else if(network.ifr_flags & IFF_RUNNING){

1510

break;

1511

}

1512

struct timespec sleeptime = { .tv_nsec = 250000000 };

1513

ret = nanosleep(&sleeptime, NULL);

1514

if(ret == -1 and errno != EINTR){

1515

perror("nanosleep");

1516

}

1517

}

1518

if(not take_down_interface){

1519

/* We won't need the socket anymore */

1520

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1521

if(ret == -1){

1522

perror("close");

1523

}

1524

}

1525

#ifdef __linux__

1526

if(restore_loglevel){

1527

/* Restores kernel loglevel to default */

1528

ret = klogctl(7, NULL, 0);

1529

if(ret == -1){

1530

perror("klogctl");

1531

}

1532

}

1533

#endif /* __linux__ */

1534

/* Lower privileges */

1535

errno = 0;

1536

if(take_down_interface){

1537

/* Lower privileges */

1538

ret = seteuid(uid);

1539

if(ret == -1){

1540

perror("seteuid");

1541

}

1542

} else {

1543

/* Lower privileges permanently */

1544

ret = setuid(uid);

1545

if(ret == -1){

1546

perror("setuid");

1547

}

1548

}

1549

}

1550

1551

if(quit_now){

1552

goto end;

1553

}

1554

1555

ret = init_gnutls_global(pubkey, seckey);

1556

if(ret == -1){

1557

fprintf(stderr, "init_gnutls_global failed\n");

1558

exitcode = EX_UNAVAILABLE;

1559

goto end;

1560

} else {

1561

gnutls_initialized = true;

1562

}

1563

1564

if(quit_now){

1565

goto end;

1566

}

1567

1568

tempdir_created = true;

1569

if(mkdtemp(tempdir) == NULL){

1570

tempdir_created = false;

1571

perror("mkdtemp");

1572

goto end;

1573

}

1574

1575

if(quit_now){

1576

goto end;

1577

}

1578

1579

if(not init_gpgme(pubkey, seckey, tempdir)){

1580

fprintf(stderr, "init_gpgme failed\n");

1581

exitcode = EX_UNAVAILABLE;

1582

goto end;

1583

} else {

1584

gpgme_initialized = true;

1585

}

1586

1587

if(quit_now){

1588

goto end;

1589

}

1590

1591

if(connect_to != NULL){

1592

/* Connect directly, do not use Zeroconf */

1593

/* (Mainly meant for debugging) */

1594

char *address = strrchr(connect_to, ':');

1595

if(address == NULL){

1596

fprintf(stderr, "No colon in address\n");

1597

exitcode = EX_USAGE;

1598

goto end;

1599

}

1600

1601

if(quit_now){

1602

goto end;

1603

}

1604

1605

uint16_t port;

1606

errno = 0;

1607

tmpmax = strtoimax(address+1, &tmp, 10);

1608

if(errno != 0 or tmp == address+1 or *tmp != '\0'

1609

or tmpmax != (uint16_t)tmpmax){

1610

fprintf(stderr, "Bad port number\n");

1611

exitcode = EX_USAGE;

1612

goto end;

1613

}

1614

1615

if(quit_now){

1616

goto end;

1617

}

1618

1619

port = (uint16_t)tmpmax;

1620

*address = '\0';

1621

address = connect_to;

1622

/* Colon in address indicates IPv6 */

1623

int af;

1624

if(strchr(address, ':') != NULL){

1625

af = AF_INET6;

1626

} else {

1627

af = AF_INET;

1628

}

1629

1630

if(quit_now){

1631

goto end;

1632

}

1633

1634

while(not quit_now){

1635

ret = start_mandos_communication(address, port, if_index, af);

1636

if(quit_now or ret == 0){

1637

break;

1638

}

1639

sleep(15);

1640

};

1641

1642

if (not quit_now){

1643

exitcode = EXIT_SUCCESS;

1644

}

1645

1646

goto end;

1647

}

1648

1649

if(quit_now){

1650

goto end;

1651

}

1652

1653

{

554

1654

AvahiServerConfig config;

555

AvahiSServiceBrowser *sb = NULL;

556

const char db[] = "--debug";

557

int error;

558

int ret = 1;

559

int returncode = EXIT_SUCCESS;

560

char *basename = rindex(argv[0], '/');

561

if(basename == NULL){

562

basename = argv[0];

563

} else {

564

basename++;

565

}

566

567

char *program_name = malloc(strlen(basename) + sizeof(db));

568

569

if (program_name == NULL){

570

perror("argv[0]");

571

return EXIT_FAILURE;

572

}

573

574

program_name[0] = '\0';

575

576

for (int i = 1; i < argc; i++){

577

if (not strncmp(argv[i], db, 5)){

578

strcat(strcat(strcat(program_name, db ), "="), basename);

579

if(not strcmp(argv[i], db) or not strcmp(argv[i], program_name)){

580

debug = true;

581

}

582

}

583

}

584

free(program_name);

585

586

if (not debug){

587

avahi_set_log_function(empty_log);

588

}

589

590

/* Initialize the psuedo-RNG */

591

srand(time(NULL));

592

593

/* Allocate main loop object */

594

if (!(simple_poll = avahi_simple_poll_new())) {

595

fprintf(stderr, "Failed to create simple poll object.\n");

596

597

goto exit;

598

}

599

600

/* Do not publish any local records */

1655

/* Do not publish any local Zeroconf records */

601

1656

avahi_server_config_init(&config);

602

1657

config.publish_hinfo = 0;

603

1658

config.publish_addresses = 0;

604

1659

config.publish_workstation = 0;

605

1660

config.publish_domain = 0;

606

1661

607

1662

/* Allocate a new server */

608

server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

609

610

/* Free the configuration data */

1663

mc.server = avahi_server_new(avahi_simple_poll_get

1664

(mc.simple_poll), &config, NULL,

1665

NULL, &error);

1666

1667

/* Free the Avahi configuration data */

611

1668

avahi_server_config_free(&config);

612

613

/* Check if creating the server object succeeded */

614

if (!server) {

615

fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));

616

returncode = EXIT_FAILURE;

617

goto exit;

618

}

619

620

/* Create the service browser */

621

if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {

622

fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));

623

returncode = EXIT_FAILURE;

624

goto exit;

625

}

626

627

/* Run the main loop */

628

629

if (debug){

630

fprintf(stderr, "Starting avahi loop search\n");

631

}

632

633

avahi_simple_poll_loop(simple_poll);

634

635

exit:

636

637

if (debug){

638

fprintf(stderr, "%s exiting\n", argv[0]);

639

}

640

641

/* Cleanup things */

642

if (sb)

643

avahi_s_service_browser_free(sb);

644

645

if (server)

646

avahi_server_free(server);

647

648

if (simple_poll)

649

avahi_simple_poll_free(simple_poll);

650

651

return ret;

1669

}

1670

1671

/* Check if creating the Avahi server object succeeded */

1672

if(mc.server == NULL){

1673

fprintf(stderr, "Failed to create Avahi server: %s\n",

1674

avahi_strerror(error));

1675

exitcode = EX_UNAVAILABLE;

1676

goto end;

1677

}

1678

1679

if(quit_now){

1680

goto end;

1681

}

1682

1683

/* Create the Avahi service browser */

1684

sb = avahi_s_service_browser_new(mc.server, if_index,

1685

AVAHI_PROTO_UNSPEC, "_mandos._tcp",

1686

NULL, 0, browse_callback, NULL);

1687

if(sb == NULL){

1688

fprintf(stderr, "Failed to create service browser: %s\n",

1689

avahi_strerror(avahi_server_errno(mc.server)));

1690

exitcode = EX_UNAVAILABLE;

1691

goto end;

1692

}

1693

1694

if(quit_now){

1695

goto end;

1696

}

1697

1698

/* Run the main loop */

1699

1700

if(debug){

1701

fprintf(stderr, "Starting Avahi loop search\n");

1702

}

1703

1704

avahi_simple_poll_loop(mc.simple_poll);

1705

1706

end:

1707

1708

if(debug){

1709

fprintf(stderr, "%s exiting\n", argv[0]);

1710

}

1711

1712

/* Cleanup things */

1713

if(sb != NULL)

1714

avahi_s_service_browser_free(sb);

1715

1716

if(mc.server != NULL)

1717

avahi_server_free(mc.server);

1718

1719

if(mc.simple_poll != NULL)

1720

avahi_simple_poll_free(mc.simple_poll);

1721

1722

if(gnutls_initialized){

1723

gnutls_certificate_free_credentials(mc.cred);

1724

gnutls_global_deinit();

1725

gnutls_dh_params_deinit(mc.dh_params);

1726

}

1727

1728

if(gpgme_initialized){

1729

gpgme_release(mc.ctx);

1730

}

1731

1732

/* Take down the network interface */

1733

if(take_down_interface){

1734

/* Re-raise priviliges */

1735

errno = 0;

1736

ret = seteuid(0);

1737

if(ret == -1){

1738

perror("seteuid");

1739

}

1740

if(geteuid() == 0){

1741

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1742

if(ret == -1){

1743

perror("ioctl SIOCGIFFLAGS");

1744

} else if(network.ifr_flags & IFF_UP) {

1745

network.ifr_flags &= ~(short)IFF_UP; /* clear flag */

1746

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1747

if(ret == -1){

1748

perror("ioctl SIOCSIFFLAGS -IFF_UP");

1749

}

1750

}

1751

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1752

if(ret == -1){

1753

perror("close");

1754

}

1755

/* Lower privileges permanently */

1756

errno = 0;

1757

ret = setuid(uid);

1758

if(ret == -1){

1759

perror("setuid");

1760

}

1761

}

1762

}

1763

1764

/* Removes the temp directory used by GPGME */

1765

if(tempdir_created){

1766

DIR *d;

1767

struct dirent *direntry;

1768

d = opendir(tempdir);

1769

if(d == NULL){

1770

if(errno != ENOENT){

1771

perror("opendir");

1772

}

1773

} else {

1774

while(true){

1775

direntry = readdir(d);

1776

if(direntry == NULL){

1777

break;

1778

}

1779

/* Skip "." and ".." */

1780

if(direntry->d_name[0] == '.'

1781

and (direntry->d_name[1] == '\0'

1782

or (direntry->d_name[1] == '.'

1783

and direntry->d_name[2] == '\0'))){

1784

continue;

1785

}

1786

char *fullname = NULL;

1787

ret = asprintf(&fullname, "%s/%s", tempdir,

1788

direntry->d_name);

1789

if(ret < 0){

1790

perror("asprintf");

1791

continue;

1792

}

1793

ret = remove(fullname);

1794

if(ret == -1){

1795

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1796

strerror(errno));

1797

}

1798

free(fullname);

1799

}

1800

closedir(d);

1801

}

1802

ret = rmdir(tempdir);

1803

if(ret == -1 and errno != ENOENT){

1804

perror("rmdir");

1805

}

1806

}

1807

1808

if(quit_now){

1809

sigemptyset(&old_sigterm_action.sa_mask);

1810

old_sigterm_action.sa_handler = SIG_DFL;

1811

ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,

1812

&old_sigterm_action,

1813

NULL));

1814

if(ret == -1){

1815

perror("sigaction");

1816

}

1817

do {

1818

ret = raise(signal_received);

1819

} while(ret != 0 and errno == EINTR);

1820

if(ret != 0){

1821

perror("raise");

1822

abort();

1823

}

1824

TEMP_FAILURE_RETRY(pause());

1825

}

1826

1827

return exitcode;

652

1828

}

Older »