To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.7.33
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.33
- Committer: Teddy Hogeborn
- Date: 2011-07-13 02:24:39 UTC
- mfrom: (24.1.174 mandos)
- mto: (24.1.175 mandos) (237.12.2 mandos-persistent) (299.1.1 release) (300.1.1 release) (301.1.1 release)
- mto: This revision was merged to the branch mainline in revision 284.
- Revision ID: teddy@fukt.bsnet.se-20110713022439-wbv6kghshdsc2x24
Merge from Björn.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008-2011 Teddy Hogeborn
13
* Copyright © 2008-2011 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
33
34
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
34
37
#define _FILE_OFFSET_BITS 64
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno,
66
program_invocation_short_name */
67
#include <time.h> /* nanosleep(), time(), sleep() */
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
69
SIOCSIFFLAGS, if_indextoname(),
70
if_nametoindex(), IF_NAMESIZE */
71
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
73
*/
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
getuid(), getgid(), seteuid(),
76
setgid(), pause() */
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
#include <iso646.h> /* not, or, and */
79
#include <argp.h> /* struct argp_option, error_t, struct
80
argp_state, struct argp,
81
argp_parse(), ARGP_KEY_ARG,
82
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
83
#include <signal.h> /* sigemptyset(), sigaddset(),
84
sigaction(), SIGTERM, sig_atomic_t,
85
raise() */
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
89
#ifdef __linux__
90
#include <sys/klog.h> /* klogctl() */
91
#endif /* __linux__ */
92
93
/* Avahi */
94
/* All Avahi types, constants and functions
95
Avahi*, avahi_*,
96
AVAHI_* */
42
97
#include <avahi-core/core.h>
43
98
#include <avahi-core/lookup.h>
44
99
#include <avahi-core/log.h>
46
101
#include <avahi-common/malloc.h>
47
102
#include <avahi-common/error.h>
48
103
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
104
/* GnuTLS */
105
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
106
functions:
107
gnutls_*
108
init_gnutls_session(),
109
GNUTLS_* */
110
#include <gnutls/openpgp.h>
111
/* gnutls_certificate_set_openpgp_key_file(),
112
GNUTLS_OPENPGP_FMT_BASE64 */
113
114
/* GPGME */
115
#include <gpgme.h> /* All GPGME types, constants and
116
functions:
117
gpgme_*
118
GPGME_PROTOCOL_OpenPGP,
119
GPG_ERR_NO_* */
69
120
70
121
#define BUFFER_SIZE 256
71
#define DH_BITS 1024
72
122
73
const char *certdir = "/conf/conf.d/cryptkeyreq/";
74
const char *certfile = "openpgp-client.txt";
75
const char *certkey = "openpgp-client-key.txt";
123
#define PATHDIR "/conf/conf.d/mandos"
124
#define SECKEY "seckey.txt"
125
#define PUBKEY "pubkey.txt"
76
126
77
127
bool debug = false;
78
128
static const char mandos_protocol_version[] = "1";
129
const char *argp_program_version = "mandos-client " VERSION;
130
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
131
static const char sys_class_net[] = "/sys/class/net";
132
char *connect_to = NULL;
133
134
/* Doubly linked list that need to be circularly linked when used */
135
typedef struct server{
136
const char *ip;
137
uint16_t port;
138
AvahiIfIndex if_index;
139
int af;
140
struct timespec last_seen;
141
struct server *next;
142
struct server *prev;
143
} server;
144
145
/* Used for passing in values through the Avahi callback functions */
79
146
typedef struct {
80
gnutls_session_t session;
147
AvahiSimplePoll *simple_poll;
148
AvahiServer *server;
81
149
gnutls_certificate_credentials_t cred;
150
unsigned int dh_bits;
82
151
gnutls_dh_params_t dh_params;
83
} encrypted_session;
84
85
86
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
87
char **new_packet, const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
152
const char *priority;
89
153
gpgme_ctx_t ctx;
154
server *current_server;
155
} mandos_context;
156
157
/* global context so signal handler can reach it*/
158
mandos_context mc = { .simple_poll = NULL, .server = NULL,
159
.dh_bits = 1024, .priority = "SECURE256"
160
":!CTYPE-X.509:+CTYPE-OPENPGP",
161
.current_server = NULL };
162
163
sig_atomic_t quit_now = 0;
164
int signal_received = 0;
165
166
/* Function to use when printing errors */
167
void perror_plus(const char *print_text){
168
fprintf(stderr, "Mandos plugin %s: ",
169
program_invocation_short_name);
170
perror(print_text);
171
}
172
173
/*
174
* Make additional room in "buffer" for at least BUFFER_SIZE more
175
* bytes. "buffer_capacity" is how much is currently allocated,
176
* "buffer_length" is how much is already used.
177
*/
178
size_t incbuffer(char **buffer, size_t buffer_length,
179
size_t buffer_capacity){
180
if(buffer_length + BUFFER_SIZE > buffer_capacity){
181
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
182
if(buffer == NULL){
183
return 0;
184
}
185
buffer_capacity += BUFFER_SIZE;
186
}
187
return buffer_capacity;
188
}
189
190
int add_server(const char *ip, uint16_t port,
191
AvahiIfIndex if_index,
192
int af){
193
int ret;
194
server *new_server = malloc(sizeof(server));
195
if(new_server == NULL){
196
perror_plus("malloc");
197
return -1;
198
}
199
*new_server = (server){ .ip = strdup(ip),
200
.port = port,
201
.if_index = if_index,
202
.af = af };
203
if(new_server->ip == NULL){
204
perror_plus("strdup");
205
return -1;
206
}
207
/* unique case of first server */
208
if (mc.current_server == NULL){
209
new_server->next = new_server;
210
new_server->prev = new_server;
211
mc.current_server = new_server;
212
/* Placing the new server last in the list */
213
} else {
214
new_server->next = mc.current_server;
215
new_server->prev = mc.current_server->prev;
216
new_server->prev->next = new_server;
217
mc.current_server->prev = new_server;
218
}
219
ret = clock_gettime(CLOCK_MONOTONIC, &mc.current_server->last_seen);
220
if(ret == -1){
221
perror_plus("clock_gettime");
222
return -1;
223
}
224
return 0;
225
}
226
227
/*
228
* Initialize GPGME.
229
*/
230
static bool init_gpgme(const char *seckey,
231
const char *pubkey, const char *tempdir){
90
232
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
94
233
gpgme_engine_info_t engine_info;
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
234
235
236
/*
237
* Helper function to insert pub and seckey to the engine keyring.
238
*/
239
bool import_key(const char *filename){
240
int ret;
241
int fd;
242
gpgme_data_t pgp_data;
243
244
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
245
if(fd == -1){
246
perror_plus("open");
247
return false;
248
}
249
250
rc = gpgme_data_new_from_fd(&pgp_data, fd);
251
if(rc != GPG_ERR_NO_ERROR){
252
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
253
gpgme_strsource(rc), gpgme_strerror(rc));
254
return false;
255
}
256
257
rc = gpgme_op_import(mc.ctx, pgp_data);
258
if(rc != GPG_ERR_NO_ERROR){
259
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
260
gpgme_strsource(rc), gpgme_strerror(rc));
261
return false;
262
}
263
264
ret = (int)TEMP_FAILURE_RETRY(close(fd));
265
if(ret == -1){
266
perror_plus("close");
267
}
268
gpgme_data_release(pgp_data);
269
return true;
270
}
271
272
if(debug){
273
fprintf(stderr, "Initializing GPGME\n");
98
274
}
99
275
100
276
/* Init GPGME */
101
277
gpgme_check_version(NULL);
102
278
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
103
if (rc != GPG_ERR_NO_ERROR){
279
if(rc != GPG_ERR_NO_ERROR){
104
280
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
105
281
gpgme_strsource(rc), gpgme_strerror(rc));
106
return -1;
282
return false;
107
283
}
108
284
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
285
/* Set GPGME home directory for the OpenPGP engine only */
286
rc = gpgme_get_engine_info(&engine_info);
287
if(rc != GPG_ERR_NO_ERROR){
112
288
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
113
289
gpgme_strsource(rc), gpgme_strerror(rc));
114
return -1;
290
return false;
115
291
}
116
292
while(engine_info != NULL){
117
293
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
118
294
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
119
engine_info->file_name, homedir);
295
engine_info->file_name, tempdir);
120
296
break;
121
297
}
122
298
engine_info = engine_info->next;
123
299
}
124
300
if(engine_info == NULL){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
301
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
302
return false;
303
}
304
305
/* Create new GPGME "context" */
306
rc = gpgme_new(&(mc.ctx));
307
if(rc != GPG_ERR_NO_ERROR){
308
fprintf(stderr, "bad gpgme_new: %s: %s\n",
309
gpgme_strsource(rc), gpgme_strerror(rc));
310
return false;
311
}
312
313
if(not import_key(pubkey) or not import_key(seckey)){
314
return false;
315
}
316
317
return true;
318
}
319
320
/*
321
* Decrypt OpenPGP data.
322
* Returns -1 on error
323
*/
324
static ssize_t pgp_packet_decrypt(const char *cryptotext,
325
size_t crypto_size,
326
char **plaintext){
327
gpgme_data_t dh_crypto, dh_plain;
328
gpgme_error_t rc;
329
ssize_t ret;
330
size_t plaintext_capacity = 0;
331
ssize_t plaintext_length = 0;
332
333
if(debug){
334
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
335
}
336
337
/* Create new GPGME data buffer from memory cryptotext */
338
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
339
0);
340
if(rc != GPG_ERR_NO_ERROR){
132
341
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
133
342
gpgme_strsource(rc), gpgme_strerror(rc));
134
343
return -1;
136
345
137
346
/* Create new empty GPGME data buffer for the plaintext */
138
347
rc = gpgme_data_new(&dh_plain);
139
if (rc != GPG_ERR_NO_ERROR){
348
if(rc != GPG_ERR_NO_ERROR){
140
349
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
141
350
gpgme_strsource(rc), gpgme_strerror(rc));
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
351
gpgme_data_release(dh_crypto);
352
return -1;
353
}
354
355
/* Decrypt data from the cryptotext data buffer to the plaintext
356
data buffer */
357
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
358
if(rc != GPG_ERR_NO_ERROR){
157
359
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
158
360
gpgme_strsource(rc), gpgme_strerror(rc));
159
return -1;
160
}
161
162
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
361
plaintext_length = -1;
362
if(debug){
363
gpgme_decrypt_result_t result;
364
result = gpgme_op_decrypt_result(mc.ctx);
365
if(result == NULL){
366
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
367
} else {
368
fprintf(stderr, "Unsupported algorithm: %s\n",
369
result->unsupported_algorithm);
370
fprintf(stderr, "Wrong key usage: %u\n",
371
result->wrong_key_usage);
372
if(result->file_name != NULL){
373
fprintf(stderr, "File name: %s\n", result->file_name);
374
}
375
gpgme_recipient_t recipient;
376
recipient = result->recipients;
182
377
while(recipient != NULL){
183
378
fprintf(stderr, "Public key algorithm: %s\n",
184
379
gpgme_pubkey_algo_name(recipient->pubkey_algo));
190
385
}
191
386
}
192
387
}
388
goto decrypt_end;
193
389
}
194
390
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
391
if(debug){
392
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
393
}
197
394
198
395
/* Seek back to the beginning of the GPGME plaintext data buffer */
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
396
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
397
perror_plus("gpgme_data_seek");
398
plaintext_length = -1;
399
goto decrypt_end;
201
400
}
202
401
203
*new_packet = 0;
402
*plaintext = NULL;
204
403
while(true){
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
404
plaintext_capacity = incbuffer(plaintext,
405
(size_t)plaintext_length,
406
plaintext_capacity);
407
if(plaintext_capacity == 0){
408
perror_plus("incbuffer");
409
plaintext_length = -1;
410
goto decrypt_end;
214
411
}
215
412
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
413
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
414
BUFFER_SIZE);
218
415
/* Print the data, if any */
219
if (ret == 0){
416
if(ret == 0){
417
/* EOF */
220
418
break;
221
419
}
222
420
if(ret < 0){
223
perror("gpgme_data_read");
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
421
perror_plus("gpgme_data_read");
422
plaintext_length = -1;
423
goto decrypt_end;
424
}
425
plaintext_length += ret;
426
}
427
428
if(debug){
429
fprintf(stderr, "Decrypted password is: ");
430
for(ssize_t i = 0; i < plaintext_length; i++){
431
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
432
}
433
fprintf(stderr, "\n");
434
}
435
436
decrypt_end:
437
438
/* Delete the GPGME cryptotext data buffer */
439
gpgme_data_release(dh_crypto);
236
440
237
441
/* Delete the GPGME plaintext data buffer */
238
442
gpgme_data_release(dh_plain);
239
return new_packet_length;
443
return plaintext_length;
240
444
}
241
445
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
446
static const char * safer_gnutls_strerror(int value){
447
const char *ret = gnutls_strerror(value); /* Spurious warning from
448
-Wunreachable-code */
449
if(ret == NULL)
245
450
ret = "(unknown)";
246
451
return ret;
247
452
}
248
453
249
void debuggnutls(__attribute__((unused)) int level,
250
const char* string){
251
fprintf(stderr, "%s", string);
454
/* GnuTLS log function callback */
455
static void debuggnutls(__attribute__((unused)) int level,
456
const char* string){
457
fprintf(stderr, "GnuTLS: %s", string);
252
458
}
253
459
254
int initgnutls(encrypted_session *es){
255
const char *err;
460
static int init_gnutls_global(const char *pubkeyfilename,
461
const char *seckeyfilename){
256
462
int ret;
257
463
258
464
if(debug){
259
465
fprintf(stderr, "Initializing GnuTLS\n");
260
466
}
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
467
468
ret = gnutls_global_init();
469
if(ret != GNUTLS_E_SUCCESS){
470
fprintf(stderr, "GnuTLS global_init: %s\n",
471
safer_gnutls_strerror(ret));
265
472
return -1;
266
473
}
267
268
if (debug){
474
475
if(debug){
476
/* "Use a log level over 10 to enable all debugging options."
477
* - GnuTLS manual
478
*/
269
479
gnutls_global_set_log_level(11);
270
480
gnutls_global_set_log_function(debuggnutls);
271
481
}
272
482
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
483
/* OpenPGP credentials */
484
ret = gnutls_certificate_allocate_credentials(&mc.cred);
485
if(ret != GNUTLS_E_SUCCESS){
486
fprintf(stderr, "GnuTLS memory error: %s\n",
487
safer_gnutls_strerror(ret));
488
gnutls_global_deinit();
278
489
return -1;
279
490
}
280
491
281
492
if(debug){
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
493
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
494
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
495
seckeyfilename);
285
496
}
286
497
287
498
ret = gnutls_certificate_set_openpgp_key_file
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
499
(mc.cred, pubkeyfilename, seckeyfilename,
500
GNUTLS_OPENPGP_FMT_BASE64);
501
if(ret != GNUTLS_E_SUCCESS){
502
fprintf(stderr,
503
"Error[%d] while reading the OpenPGP key pair ('%s',"
504
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
505
fprintf(stderr, "The GnuTLS error is: %s\n",
506
safer_gnutls_strerror(ret));
507
goto globalfail;
508
}
509
510
/* GnuTLS server initialization */
511
ret = gnutls_dh_params_init(&mc.dh_params);
512
if(ret != GNUTLS_E_SUCCESS){
513
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
514
" %s\n", safer_gnutls_strerror(ret));
515
goto globalfail;
516
}
517
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
518
if(ret != GNUTLS_E_SUCCESS){
519
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
520
safer_gnutls_strerror(ret));
521
goto globalfail;
522
}
523
524
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
525
526
return 0;
527
528
globalfail:
529
530
gnutls_certificate_free_credentials(mc.cred);
531
gnutls_global_deinit();
532
gnutls_dh_params_deinit(mc.dh_params);
533
return -1;
534
}
535
536
static int init_gnutls_session(gnutls_session_t *session){
537
int ret;
538
/* GnuTLS session creation */
539
do {
540
ret = gnutls_init(session, GNUTLS_SERVER);
541
if(quit_now){
542
return -1;
543
}
544
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
545
if(ret != GNUTLS_E_SUCCESS){
319
546
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
320
547
safer_gnutls_strerror(ret));
321
548
}
322
549
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
550
{
551
const char *err;
552
do {
553
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
554
if(quit_now){
555
gnutls_deinit(*session);
556
return -1;
557
}
558
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
559
if(ret != GNUTLS_E_SUCCESS){
560
fprintf(stderr, "Syntax error at: %s\n", err);
561
fprintf(stderr, "GnuTLS error: %s\n",
562
safer_gnutls_strerror(ret));
563
gnutls_deinit(*session);
564
return -1;
565
}
329
566
}
330
567
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
568
do {
569
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
570
mc.cred);
571
if(quit_now){
572
gnutls_deinit(*session);
573
return -1;
574
}
575
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
576
if(ret != GNUTLS_E_SUCCESS){
577
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
335
578
safer_gnutls_strerror(ret));
579
gnutls_deinit(*session);
336
580
return -1;
337
581
}
338
582
339
583
/* ignore client certificate if any. */
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
584
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
342
585
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
586
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
344
587
345
588
return 0;
346
589
}
347
590
348
void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
__attribute__((unused)) const char *txt){}
591
/* Avahi log function callback */
592
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
593
__attribute__((unused)) const char *txt){}
350
594
351
int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
353
int ret, tcp_sd;
354
struct sockaddr_in6 to;
355
encrypted_session es;
595
/* Called when a Mandos server is found */
596
static int start_mandos_communication(const char *ip, uint16_t port,
597
AvahiIfIndex if_index,
598
int af){
599
int ret, tcp_sd = -1;
600
ssize_t sret;
601
union {
602
struct sockaddr_in in;
603
struct sockaddr_in6 in6;
604
} to;
356
605
char *buffer = NULL;
357
char *decrypted_buffer;
606
char *decrypted_buffer = NULL;
358
607
size_t buffer_length = 0;
359
608
size_t buffer_capacity = 0;
360
ssize_t decrypted_buffer_size;
361
size_t written = 0;
362
int retval = 0;
363
char interface[IF_NAMESIZE];
364
365
if(debug){
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
368
}
369
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
371
if(tcp_sd < 0) {
372
perror("socket");
373
return -1;
374
}
375
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
378
perror("if_indextoname");
379
}
380
return -1;
381
}
382
383
if(debug){
384
fprintf(stderr, "Binding to interface %s\n", interface);
385
}
386
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
391
perror("inet_pton");
392
return -1;
393
}
609
size_t written;
610
int retval = -1;
611
gnutls_session_t session;
612
int pf; /* Protocol family */
613
614
errno = 0;
615
616
if(quit_now){
617
errno = EINTR;
618
return -1;
619
}
620
621
switch(af){
622
case AF_INET6:
623
pf = PF_INET6;
624
break;
625
case AF_INET:
626
pf = PF_INET;
627
break;
628
default:
629
fprintf(stderr, "Bad address family: %d\n", af);
630
errno = EINVAL;
631
return -1;
632
}
633
634
ret = init_gnutls_session(&session);
635
if(ret != 0){
636
return -1;
637
}
638
639
if(debug){
640
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
641
"\n", ip, port);
642
}
643
644
tcp_sd = socket(pf, SOCK_STREAM, 0);
645
if(tcp_sd < 0){
646
int e = errno;
647
perror_plus("socket");
648
errno = e;
649
goto mandos_end;
650
}
651
652
if(quit_now){
653
errno = EINTR;
654
goto mandos_end;
655
}
656
657
memset(&to, 0, sizeof(to));
658
if(af == AF_INET6){
659
to.in6.sin6_family = (sa_family_t)af;
660
ret = inet_pton(af, ip, &to.in6.sin6_addr);
661
} else { /* IPv4 */
662
to.in.sin_family = (sa_family_t)af;
663
ret = inet_pton(af, ip, &to.in.sin_addr);
664
}
665
if(ret < 0 ){
666
int e = errno;
667
perror_plus("inet_pton");
668
errno = e;
669
goto mandos_end;
670
}
394
671
if(ret == 0){
672
int e = errno;
395
673
fprintf(stderr, "Bad address: %s\n", ip);
396
return -1;
397
}
398
to.sin6_port = htons(port); /* Spurious warning */
674
errno = e;
675
goto mandos_end;
676
}
677
if(af == AF_INET6){
678
to.in6.sin6_port = htons(port); /* Spurious warnings from
679
-Wconversion and
680
-Wunreachable-code */
681
682
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
683
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
684
-Wunreachable-code*/
685
if(if_index == AVAHI_IF_UNSPEC){
686
fprintf(stderr, "An IPv6 link-local address is incomplete"
687
" without a network interface\n");
688
errno = EINVAL;
689
goto mandos_end;
690
}
691
/* Set the network interface number as scope */
692
to.in6.sin6_scope_id = (uint32_t)if_index;
693
}
694
} else {
695
to.in.sin_port = htons(port); /* Spurious warnings from
696
-Wconversion and
697
-Wunreachable-code */
698
}
399
699
400
to.sin6_scope_id = (uint32_t)if_index;
700
if(quit_now){
701
errno = EINTR;
702
goto mandos_end;
703
}
401
704
402
705
if(debug){
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
412
}
413
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
416
perror("connect");
417
return -1;
418
}
419
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
424
}
425
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
706
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
707
char interface[IF_NAMESIZE];
708
if(if_indextoname((unsigned int)if_index, interface) == NULL){
709
perror_plus("if_indextoname");
710
} else {
711
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
712
ip, interface, port);
713
}
714
} else {
715
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
716
port);
717
}
718
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
719
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
720
const char *pcret;
721
if(af == AF_INET6){
722
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
723
sizeof(addrstr));
724
} else {
725
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
726
sizeof(addrstr));
727
}
728
if(pcret == NULL){
729
perror_plus("inet_ntop");
730
} else {
731
if(strcmp(addrstr, ip) != 0){
732
fprintf(stderr, "Canonical address form: %s\n", addrstr);
733
}
734
}
735
}
736
737
if(quit_now){
738
errno = EINTR;
739
goto mandos_end;
740
}
741
742
if(af == AF_INET6){
743
ret = connect(tcp_sd, &to.in6, sizeof(to));
744
} else {
745
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
746
}
747
if(ret < 0){
748
if ((errno != ECONNREFUSED and errno != ENETUNREACH) or debug){
749
int e = errno;
750
perror_plus("connect");
751
errno = e;
752
}
753
goto mandos_end;
754
}
755
756
if(quit_now){
757
errno = EINTR;
758
goto mandos_end;
759
}
760
761
const char *out = mandos_protocol_version;
762
written = 0;
763
while(true){
764
size_t out_size = strlen(out);
765
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
766
out_size - written));
767
if(ret == -1){
768
int e = errno;
769
perror_plus("write");
770
errno = e;
771
goto mandos_end;
772
}
773
written += (size_t)ret;
774
if(written < out_size){
775
continue;
776
} else {
777
if(out == mandos_protocol_version){
778
written = 0;
779
out = "\r\n";
780
} else {
781
break;
782
}
783
}
784
785
if(quit_now){
786
errno = EINTR;
787
goto mandos_end;
788
}
789
}
428
790
429
791
if(debug){
430
792
fprintf(stderr, "Establishing TLS session with %s\n", ip);
431
793
}
432
794
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
795
if(quit_now){
796
errno = EINTR;
797
goto mandos_end;
798
}
799
800
/* Spurious warning from -Wint-to-pointer-cast */
801
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
802
803
if(quit_now){
804
errno = EINTR;
805
goto mandos_end;
806
}
807
808
do {
809
ret = gnutls_handshake(session);
810
if(quit_now){
811
errno = EINTR;
812
goto mandos_end;
813
}
814
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
815
816
if(ret != GNUTLS_E_SUCCESS){
436
817
if(debug){
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
818
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
819
gnutls_perror(ret);
439
820
}
440
retval = -1;
441
goto exit;
821
errno = EPROTO;
822
goto mandos_end;
442
823
}
443
824
444
//Retrieve OpenPGP packet that contains the wanted password
825
/* Read OpenPGP packet that contains the wanted password */
445
826
446
827
if(debug){
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
828
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
448
829
ip);
449
830
}
450
831
451
832
while(true){
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
459
}
460
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
833
834
if(quit_now){
835
errno = EINTR;
836
goto mandos_end;
837
}
838
839
buffer_capacity = incbuffer(&buffer, buffer_length,
840
buffer_capacity);
841
if(buffer_capacity == 0){
842
int e = errno;
843
perror_plus("incbuffer");
844
errno = e;
845
goto mandos_end;
846
}
847
848
if(quit_now){
849
errno = EINTR;
850
goto mandos_end;
851
}
852
853
sret = gnutls_record_recv(session, buffer+buffer_length,
854
BUFFER_SIZE);
855
if(sret == 0){
464
856
break;
465
857
}
466
if (ret < 0){
467
switch(ret){
858
if(sret < 0){
859
switch(sret){
468
860
case GNUTLS_E_INTERRUPTED:
469
861
case GNUTLS_E_AGAIN:
470
862
break;
471
863
case GNUTLS_E_REHANDSHAKE:
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
476
retval = -1;
477
goto exit;
864
do {
865
ret = gnutls_handshake(session);
866
867
if(quit_now){
868
errno = EINTR;
869
goto mandos_end;
870
}
871
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
872
if(ret < 0){
873
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
874
gnutls_perror(ret);
875
errno = EPROTO;
876
goto mandos_end;
478
877
}
479
878
break;
480
879
default:
481
880
fprintf(stderr, "Unknown error while reading data from"
482
" encrypted session with mandos server\n");
483
retval = -1;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
881
" encrypted session with Mandos server\n");
882
gnutls_bye(session, GNUTLS_SHUT_RDWR);
883
errno = EIO;
884
goto mandos_end;
486
885
}
487
886
} else {
488
buffer_length += (size_t) ret;
489
}
490
}
491
492
if (buffer_length > 0){
887
buffer_length += (size_t) sret;
888
}
889
}
890
891
if(debug){
892
fprintf(stderr, "Closing TLS session\n");
893
}
894
895
if(quit_now){
896
errno = EINTR;
897
goto mandos_end;
898
}
899
900
do {
901
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
902
if(quit_now){
903
errno = EINTR;
904
goto mandos_end;
905
}
906
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
907
908
if(buffer_length > 0){
909
ssize_t decrypted_buffer_size;
493
910
decrypted_buffer_size = pgp_packet_decrypt(buffer,
494
911
buffer_length,
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
912
&decrypted_buffer);
913
if(decrypted_buffer_size >= 0){
914
915
written = 0;
498
916
while(written < (size_t) decrypted_buffer_size){
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
917
if(quit_now){
918
errno = EINTR;
919
goto mandos_end;
920
}
921
922
ret = (int)fwrite(decrypted_buffer + written, 1,
923
(size_t)decrypted_buffer_size - written,
924
stdout);
502
925
if(ret == 0 and ferror(stdout)){
926
int e = errno;
503
927
if(debug){
504
928
fprintf(stderr, "Error writing encrypted data: %s\n",
505
929
strerror(errno));
506
930
}
507
retval = -1;
508
break;
931
errno = e;
932
goto mandos_end;
509
933
}
510
934
written += (size_t)ret;
511
935
}
512
free(decrypted_buffer);
513
} else {
936
retval = 0;
937
}
938
}
939
940
/* Shutdown procedure */
941
942
mandos_end:
943
{
944
int e = errno;
945
free(decrypted_buffer);
946
free(buffer);
947
if(tcp_sd >= 0){
948
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
949
}
950
if(ret == -1){
951
if(e == 0){
952
e = errno;
953
}
954
perror_plus("close");
955
}
956
gnutls_deinit(session);
957
errno = e;
958
if(quit_now){
959
errno = EINTR;
514
960
retval = -1;
515
961
}
516
962
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
524
free(buffer);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
531
963
return retval;
532
964
}
533
965
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
966
static void resolve_callback(AvahiSServiceResolver *r,
967
AvahiIfIndex interface,
968
AvahiProtocol proto,
969
AvahiResolverEvent event,
970
const char *name,
971
const char *type,
972
const char *domain,
973
const char *host_name,
974
const AvahiAddress *address,
975
uint16_t port,
976
AVAHI_GCC_UNUSED AvahiStringList *txt,
977
AVAHI_GCC_UNUSED AvahiLookupResultFlags
978
flags,
979
AVAHI_GCC_UNUSED void* userdata){
980
assert(r);
553
981
554
982
/* Called whenever a service has been resolved successfully or
555
983
timed out */
556
984
557
switch (event) {
985
if(quit_now){
986
return;
987
}
988
989
switch(event){
558
990
default:
559
991
case AVAHI_RESOLVER_FAILURE:
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
992
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
993
" of type '%s' in domain '%s': %s\n", name, type, domain,
994
avahi_strerror(avahi_server_errno(mc.server)));
563
995
break;
564
996
565
997
case AVAHI_RESOLVER_FOUND:
567
999
char ip[AVAHI_ADDRESS_STR_MAX];
568
1000
avahi_address_snprint(ip, sizeof(ip), address);
569
1001
if(debug){
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
1002
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
1003
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1004
ip, (intmax_t)interface, port);
572
1005
}
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
1006
int ret = start_mandos_communication(ip, port, interface,
1007
avahi_proto_to_af(proto));
1008
if(ret == 0){
1009
avahi_simple_poll_quit(mc.simple_poll);
1010
} else {
1011
ret = add_server(ip, port, interface,
1012
avahi_proto_to_af(proto));
576
1013
}
577
1014
}
578
1015
}
579
1016
avahi_s_service_resolver_free(r);
580
1017
}
581
1018
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
1019
static void browse_callback(AvahiSServiceBrowser *b,
1020
AvahiIfIndex interface,
1021
AvahiProtocol protocol,
1022
AvahiBrowserEvent event,
1023
const char *name,
1024
const char *type,
1025
const char *domain,
1026
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1027
flags,
1028
AVAHI_GCC_UNUSED void* userdata){
1029
assert(b);
1030
1031
/* Called whenever a new services becomes available on the LAN or
1032
is removed from the LAN */
1033
1034
if(quit_now){
1035
return;
1036
}
1037
1038
switch(event){
1039
default:
1040
case AVAHI_BROWSER_FAILURE:
1041
1042
fprintf(stderr, "(Avahi browser) %s\n",
1043
avahi_strerror(avahi_server_errno(mc.server)));
1044
avahi_simple_poll_quit(mc.simple_poll);
1045
return;
1046
1047
case AVAHI_BROWSER_NEW:
1048
/* We ignore the returned Avahi resolver object. In the callback
1049
function we free it. If the Avahi server is terminated before
1050
the callback function is called the Avahi server will free the
1051
resolver for us. */
1052
1053
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1054
name, type, domain, protocol, 0,
1055
resolve_callback, NULL) == NULL)
1056
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
1057
name, avahi_strerror(avahi_server_errno(mc.server)));
1058
break;
1059
1060
case AVAHI_BROWSER_REMOVE:
1061
break;
1062
1063
case AVAHI_BROWSER_ALL_FOR_NOW:
1064
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1065
if(debug){
1066
fprintf(stderr, "No Mandos server found, still searching...\n");
1067
}
1068
break;
1069
}
1070
}
1071
1072
/* Signal handler that stops main loop after SIGTERM */
1073
static void handle_sigterm(int sig){
1074
if(quit_now){
1075
return;
1076
}
1077
quit_now = 1;
1078
signal_received = sig;
1079
int old_errno = errno;
1080
/* set main loop to exit */
1081
if(mc.simple_poll != NULL){
1082
avahi_simple_poll_quit(mc.simple_poll);
1083
}
1084
errno = old_errno;
1085
}
1086
1087
/*
1088
* This function determines if a directory entry in /sys/class/net
1089
* corresponds to an acceptable network device.
1090
* (This function is passed to scandir(3) as a filter function.)
1091
*/
1092
int good_interface(const struct dirent *if_entry){
1093
ssize_t ssret;
1094
char *flagname = NULL;
1095
if(if_entry->d_name[0] == '.'){
1096
return 0;
1097
}
1098
int ret = asprintf(&flagname, "%s/%s/flags", sys_class_net,
1099
if_entry->d_name);
1100
if(ret < 0){
1101
perror_plus("asprintf");
1102
return 0;
1103
}
1104
int flags_fd = (int)TEMP_FAILURE_RETRY(open(flagname, O_RDONLY));
1105
if(flags_fd == -1){
1106
perror_plus("open");
1107
free(flagname);
1108
return 0;
1109
}
1110
free(flagname);
1111
typedef short ifreq_flags; /* ifreq.ifr_flags in netdevice(7) */
1112
/* read line from flags_fd */
1113
ssize_t to_read = 2+(sizeof(ifreq_flags)*2)+1; /* "0x1003\n" */
1114
char *flagstring = malloc((size_t)to_read+1); /* +1 for final \0 */
1115
flagstring[(size_t)to_read] = '\0';
1116
if(flagstring == NULL){
1117
perror_plus("malloc");
1118
close(flags_fd);
1119
return 0;
1120
}
1121
while(to_read > 0){
1122
ssret = (ssize_t)TEMP_FAILURE_RETRY(read(flags_fd, flagstring,
1123
(size_t)to_read));
1124
if(ssret == -1){
1125
perror_plus("read");
1126
free(flagstring);
1127
close(flags_fd);
1128
return 0;
1129
}
1130
to_read -= ssret;
1131
if(ssret == 0){
1132
break;
1133
}
1134
}
1135
close(flags_fd);
1136
intmax_t tmpmax;
1137
char *tmp;
1138
errno = 0;
1139
tmpmax = strtoimax(flagstring, &tmp, 0);
1140
if(errno != 0 or tmp == flagstring or (*tmp != '\0'
1141
and not (isspace(*tmp)))
1142
or tmpmax != (ifreq_flags)tmpmax){
1143
if(debug){
1144
fprintf(stderr, "Invalid flags \"%s\" for interface \"%s\"\n",
1145
flagstring, if_entry->d_name);
1146
}
1147
free(flagstring);
1148
return 0;
1149
}
1150
free(flagstring);
1151
ifreq_flags flags = (ifreq_flags)tmpmax;
1152
/* Reject the loopback device */
1153
if(flags & IFF_LOOPBACK){
1154
if(debug){
1155
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1156
if_entry->d_name);
1157
}
1158
return 0;
1159
}
1160
/* Accept point-to-point devices only if connect_to is specified */
1161
if(connect_to != NULL and (flags & IFF_POINTOPOINT)){
1162
if(debug){
1163
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1164
if_entry->d_name);
1165
}
1166
return 1;
1167
}
1168
/* Otherwise, reject non-broadcast-capable devices */
1169
if(not (flags & IFF_BROADCAST)){
1170
if(debug){
1171
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1172
if_entry->d_name);
1173
}
1174
return 0;
1175
}
1176
/* Reject non-ARP interfaces (including dummy interfaces) */
1177
if(flags & IFF_NOARP){
1178
if(debug){
1179
fprintf(stderr, "Rejecting non-ARP interface \"%s\"\n",
1180
if_entry->d_name);
1181
}
1182
return 0;
1183
}
1184
/* Accept this device */
1185
if(debug){
1186
fprintf(stderr, "Interface \"%s\" is acceptable\n",
1187
if_entry->d_name);
1188
}
1189
return 1;
1190
}
1191
1192
int notdotentries(const struct dirent *direntry){
1193
/* Skip "." and ".." */
1194
if(direntry->d_name[0] == '.'
1195
and (direntry->d_name[1] == '\0'
1196
or (direntry->d_name[1] == '.'
1197
and direntry->d_name[2] == '\0'))){
1198
return 0;
1199
}
1200
return 1;
1201
}
1202
1203
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval){
1204
int ret;
1205
struct timespec now;
1206
struct timespec waited_time;
1207
intmax_t block_time;
1208
1209
while(true){
1210
if(mc.current_server == NULL){
1211
if (debug){
1212
fprintf(stderr,
1213
"Wait until first server is found. No timeout!\n");
1214
}
1215
ret = avahi_simple_poll_iterate(s, -1);
1216
} else {
1217
if (debug){
1218
fprintf(stderr, "Check current_server if we should run it,"
1219
" or wait\n");
1220
}
1221
/* the current time */
1222
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1223
if(ret == -1){
1224
perror_plus("clock_gettime");
1225
return -1;
1226
}
1227
/* Calculating in ms how long time between now and server
1228
who we visted longest time ago. Now - last seen. */
1229
waited_time.tv_sec = (now.tv_sec
1230
- mc.current_server->last_seen.tv_sec);
1231
waited_time.tv_nsec = (now.tv_nsec
1232
- mc.current_server->last_seen.tv_nsec);
1233
/* total time is 10s/10,000ms.
1234
Converting to s from ms by dividing by 1,000,
1235
and ns to ms by dividing by 1,000,000. */
1236
block_time = ((retry_interval
1237
- ((intmax_t)waited_time.tv_sec * 1000))
1238
- ((intmax_t)waited_time.tv_nsec / 1000000));
1239
1240
if (debug){
1241
fprintf(stderr, "Blocking for %ld ms\n", block_time);
1242
}
1243
1244
if(block_time <= 0){
1245
ret = start_mandos_communication(mc.current_server->ip,
1246
mc.current_server->port,
1247
mc.current_server->if_index,
1248
mc.current_server->af);
1249
if(ret == 0){
1250
avahi_simple_poll_quit(mc.simple_poll);
1251
return 0;
1252
}
1253
ret = clock_gettime(CLOCK_MONOTONIC,
1254
&mc.current_server->last_seen);
1255
if(ret == -1){
1256
perror_plus("clock_gettime");
1257
return -1;
1258
}
1259
mc.current_server = mc.current_server->next;
1260
block_time = 0; /* Call avahi to find new Mandos
1261
servers, but don't block */
1262
}
1263
1264
ret = avahi_simple_poll_iterate(s, (int)block_time);
1265
}
1266
if(ret != 0){
1267
if (ret > 0 or errno != EINTR) {
1268
return (ret != 1) ? ret : 0;
1269
}
1270
}
1271
}
1272
}
1273
1274
int main(int argc, char *argv[]){
1275
AvahiSServiceBrowser *sb = NULL;
1276
int error;
1277
int ret;
1278
intmax_t tmpmax;
1279
char *tmp;
1280
int exitcode = EXIT_SUCCESS;
1281
const char *interface = "";
1282
struct ifreq network;
1283
int sd = -1;
1284
bool take_down_interface = false;
1285
uid_t uid;
1286
gid_t gid;
1287
char tempdir[] = "/tmp/mandosXXXXXX";
1288
bool tempdir_created = false;
1289
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1290
const char *seckey = PATHDIR "/" SECKEY;
1291
const char *pubkey = PATHDIR "/" PUBKEY;
1292
1293
bool gnutls_initialized = false;
1294
bool gpgme_initialized = false;
1295
float delay = 2.5f;
1296
double retry_interval = 10; /* 10s between trying a server and
1297
retrying the same server again */
1298
1299
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1300
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1301
1302
uid = getuid();
1303
gid = getgid();
1304
1305
/* Lower any group privileges we might have, just to be safe */
1306
errno = 0;
1307
ret = setgid(gid);
1308
if(ret == -1){
1309
perror_plus("setgid");
1310
}
1311
1312
/* Lower user privileges (temporarily) */
1313
errno = 0;
1314
ret = seteuid(uid);
1315
if(ret == -1){
1316
perror_plus("seteuid");
1317
}
1318
1319
if(quit_now){
1320
goto end;
1321
}
1322
1323
{
1324
struct argp_option options[] = {
1325
{ .name = "debug", .key = 128,
1326
.doc = "Debug mode", .group = 3 },
1327
{ .name = "connect", .key = 'c',
1328
.arg = "ADDRESS:PORT",
1329
.doc = "Connect directly to a specific Mandos server",
1330
.group = 1 },
1331
{ .name = "interface", .key = 'i',
1332
.arg = "NAME",
1333
.doc = "Network interface that will be used to search for"
1334
" Mandos servers",
1335
.group = 1 },
1336
{ .name = "seckey", .key = 's',
1337
.arg = "FILE",
1338
.doc = "OpenPGP secret key file base name",
1339
.group = 1 },
1340
{ .name = "pubkey", .key = 'p',
1341
.arg = "FILE",
1342
.doc = "OpenPGP public key file base name",
1343
.group = 2 },
1344
{ .name = "dh-bits", .key = 129,
1345
.arg = "BITS",
1346
.doc = "Bit length of the prime number used in the"
1347
" Diffie-Hellman key exchange",
1348
.group = 2 },
1349
{ .name = "priority", .key = 130,
1350
.arg = "STRING",
1351
.doc = "GnuTLS priority string for the TLS handshake",
1352
.group = 1 },
1353
{ .name = "delay", .key = 131,
1354
.arg = "SECONDS",
1355
.doc = "Maximum delay to wait for interface startup",
1356
.group = 2 },
1357
{ .name = "retry", .key = 132,
1358
.arg = "SECONDS",
1359
.doc = "Retry interval used when denied by the mandos server",
1360
.group = 2 },
1361
/*
1362
* These reproduce what we would get without ARGP_NO_HELP
1363
*/
1364
{ .name = "help", .key = '?',
1365
.doc = "Give this help list", .group = -1 },
1366
{ .name = "usage", .key = -3,
1367
.doc = "Give a short usage message", .group = -1 },
1368
{ .name = "version", .key = 'V',
1369
.doc = "Print program version", .group = -1 },
1370
{ .name = NULL }
1371
};
1372
1373
error_t parse_opt(int key, char *arg,
1374
struct argp_state *state){
1375
errno = 0;
1376
switch(key){
1377
case 128: /* --debug */
1378
debug = true;
1379
break;
1380
case 'c': /* --connect */
1381
connect_to = arg;
1382
break;
1383
case 'i': /* --interface */
1384
interface = arg;
1385
break;
1386
case 's': /* --seckey */
1387
seckey = arg;
1388
break;
1389
case 'p': /* --pubkey */
1390
pubkey = arg;
1391
break;
1392
case 129: /* --dh-bits */
1393
errno = 0;
1394
tmpmax = strtoimax(arg, &tmp, 10);
1395
if(errno != 0 or tmp == arg or *tmp != '\0'
1396
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1397
argp_error(state, "Bad number of DH bits");
1398
}
1399
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1400
break;
1401
case 130: /* --priority */
1402
mc.priority = arg;
1403
break;
1404
case 131: /* --delay */
1405
errno = 0;
1406
delay = strtof(arg, &tmp);
1407
if(errno != 0 or tmp == arg or *tmp != '\0'){
1408
argp_error(state, "Bad delay");
1409
}
1410
case 132: /* --retry */
1411
errno = 0;
1412
retry_interval = strtod(arg, &tmp);
1413
if(errno != 0 or tmp == arg or *tmp != '\0'
1414
or (retry_interval * 1000) > INT_MAX){
1415
argp_error(state, "Bad retry interval");
1416
}
1417
break;
1418
/*
1419
* These reproduce what we would get without ARGP_NO_HELP
1420
*/
1421
case '?': /* --help */
1422
argp_state_help(state, state->out_stream,
1423
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1424
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1425
case -3: /* --usage */
1426
argp_state_help(state, state->out_stream,
1427
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1428
case 'V': /* --version */
1429
fprintf(state->out_stream, "%s\n", argp_program_version);
1430
exit(argp_err_exit_status);
1431
break;
1432
default:
1433
return ARGP_ERR_UNKNOWN;
1434
}
1435
return errno;
1436
}
1437
1438
struct argp argp = { .options = options, .parser = parse_opt,
1439
.args_doc = "",
1440
.doc = "Mandos client -- Get and decrypt"
1441
" passwords from a Mandos server" };
1442
ret = argp_parse(&argp, argc, argv,
1443
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1444
switch(ret){
1445
case 0:
1446
break;
1447
case ENOMEM:
600
1448
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
628
}
629
}
630
631
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
632
const char *combinepath(const char *first, const char *second){
633
char *tmp;
634
tmp = malloc(strlen(first) + strlen(second) + 2);
635
if (tmp == NULL){
636
perror("malloc");
637
return NULL;
638
}
639
strcpy(tmp, first);
640
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
641
strcat(tmp, "/");
642
}
643
strcat(tmp, second);
644
return tmp;
645
}
646
647
648
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1449
errno = ret;
1450
perror_plus("argp_parse");
1451
exitcode = EX_OSERR;
1452
goto end;
1453
case EINVAL:
1454
exitcode = EX_USAGE;
1455
goto end;
1456
}
1457
}
1458
1459
if(not debug){
1460
avahi_set_log_function(empty_log);
1461
}
1462
1463
if(interface[0] == '\0'){
1464
struct dirent **direntries;
1465
ret = scandir(sys_class_net, &direntries, good_interface,
1466
alphasort);
1467
if(ret >= 1){
1468
/* Pick the first good interface */
1469
interface = strdup(direntries[0]->d_name);
1470
if(debug){
1471
fprintf(stderr, "Using interface \"%s\"\n", interface);
1472
}
1473
if(interface == NULL){
1474
perror_plus("malloc");
1475
free(direntries);
1476
exitcode = EXIT_FAILURE;
1477
goto end;
1478
}
1479
free(direntries);
1480
} else {
1481
free(direntries);
1482
fprintf(stderr, "Could not find a network interface\n");
1483
exitcode = EXIT_FAILURE;
1484
goto end;
1485
}
1486
}
1487
1488
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1489
from the signal handler */
1490
/* Initialize the pseudo-RNG for Avahi */
1491
srand((unsigned int) time(NULL));
1492
mc.simple_poll = avahi_simple_poll_new();
1493
if(mc.simple_poll == NULL){
1494
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1495
exitcode = EX_UNAVAILABLE;
1496
goto end;
1497
}
1498
1499
sigemptyset(&sigterm_action.sa_mask);
1500
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1501
if(ret == -1){
1502
perror_plus("sigaddset");
1503
exitcode = EX_OSERR;
1504
goto end;
1505
}
1506
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1507
if(ret == -1){
1508
perror_plus("sigaddset");
1509
exitcode = EX_OSERR;
1510
goto end;
1511
}
1512
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1513
if(ret == -1){
1514
perror_plus("sigaddset");
1515
exitcode = EX_OSERR;
1516
goto end;
1517
}
1518
/* Need to check if the handler is SIG_IGN before handling:
1519
| [[info:libc:Initial Signal Actions]] |
1520
| [[info:libc:Basic Signal Handling]] |
1521
*/
1522
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1523
if(ret == -1){
1524
perror_plus("sigaction");
1525
return EX_OSERR;
1526
}
1527
if(old_sigterm_action.sa_handler != SIG_IGN){
1528
ret = sigaction(SIGINT, &sigterm_action, NULL);
1529
if(ret == -1){
1530
perror_plus("sigaction");
1531
exitcode = EX_OSERR;
1532
goto end;
1533
}
1534
}
1535
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1536
if(ret == -1){
1537
perror_plus("sigaction");
1538
return EX_OSERR;
1539
}
1540
if(old_sigterm_action.sa_handler != SIG_IGN){
1541
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1542
if(ret == -1){
1543
perror_plus("sigaction");
1544
exitcode = EX_OSERR;
1545
goto end;
1546
}
1547
}
1548
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1549
if(ret == -1){
1550
perror_plus("sigaction");
1551
return EX_OSERR;
1552
}
1553
if(old_sigterm_action.sa_handler != SIG_IGN){
1554
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1555
if(ret == -1){
1556
perror_plus("sigaction");
1557
exitcode = EX_OSERR;
1558
goto end;
1559
}
1560
}
1561
1562
/* If the interface is down, bring it up */
1563
if(strcmp(interface, "none") != 0){
1564
if_index = (AvahiIfIndex) if_nametoindex(interface);
1565
if(if_index == 0){
1566
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1567
exitcode = EX_UNAVAILABLE;
1568
goto end;
1569
}
1570
1571
if(quit_now){
1572
goto end;
1573
}
1574
1575
/* Re-raise priviliges */
1576
errno = 0;
1577
ret = seteuid(0);
1578
if(ret == -1){
1579
perror_plus("seteuid");
1580
}
1581
1582
#ifdef __linux__
1583
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1584
messages about the network interface to mess up the prompt */
1585
ret = klogctl(8, NULL, 5);
1586
bool restore_loglevel = true;
1587
if(ret == -1){
1588
restore_loglevel = false;
1589
perror_plus("klogctl");
1590
}
1591
#endif /* __linux__ */
1592
1593
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1594
if(sd < 0){
1595
perror_plus("socket");
1596
exitcode = EX_OSERR;
1597
#ifdef __linux__
1598
if(restore_loglevel){
1599
ret = klogctl(7, NULL, 0);
1600
if(ret == -1){
1601
perror_plus("klogctl");
1602
}
1603
}
1604
#endif /* __linux__ */
1605
/* Lower privileges */
1606
errno = 0;
1607
ret = seteuid(uid);
1608
if(ret == -1){
1609
perror_plus("seteuid");
1610
}
1611
goto end;
1612
}
1613
strcpy(network.ifr_name, interface);
1614
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1615
if(ret == -1){
1616
perror_plus("ioctl SIOCGIFFLAGS");
1617
#ifdef __linux__
1618
if(restore_loglevel){
1619
ret = klogctl(7, NULL, 0);
1620
if(ret == -1){
1621
perror_plus("klogctl");
1622
}
1623
}
1624
#endif /* __linux__ */
1625
exitcode = EX_OSERR;
1626
/* Lower privileges */
1627
errno = 0;
1628
ret = seteuid(uid);
1629
if(ret == -1){
1630
perror_plus("seteuid");
1631
}
1632
goto end;
1633
}
1634
if((network.ifr_flags & IFF_UP) == 0){
1635
network.ifr_flags |= IFF_UP;
1636
take_down_interface = true;
1637
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1638
if(ret == -1){
1639
take_down_interface = false;
1640
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1641
exitcode = EX_OSERR;
1642
#ifdef __linux__
1643
if(restore_loglevel){
1644
ret = klogctl(7, NULL, 0);
1645
if(ret == -1){
1646
perror_plus("klogctl");
1647
}
1648
}
1649
#endif /* __linux__ */
1650
/* Lower privileges */
1651
errno = 0;
1652
ret = seteuid(uid);
1653
if(ret == -1){
1654
perror_plus("seteuid");
1655
}
1656
goto end;
1657
}
1658
}
1659
/* Sleep checking until interface is running.
1660
Check every 0.25s, up to total time of delay */
1661
for(int i=0; i < delay * 4; i++){
1662
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1663
if(ret == -1){
1664
perror_plus("ioctl SIOCGIFFLAGS");
1665
} else if(network.ifr_flags & IFF_RUNNING){
1666
break;
1667
}
1668
struct timespec sleeptime = { .tv_nsec = 250000000 };
1669
ret = nanosleep(&sleeptime, NULL);
1670
if(ret == -1 and errno != EINTR){
1671
perror_plus("nanosleep");
1672
}
1673
}
1674
if(not take_down_interface){
1675
/* We won't need the socket anymore */
1676
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1677
if(ret == -1){
1678
perror_plus("close");
1679
}
1680
}
1681
#ifdef __linux__
1682
if(restore_loglevel){
1683
/* Restores kernel loglevel to default */
1684
ret = klogctl(7, NULL, 0);
1685
if(ret == -1){
1686
perror_plus("klogctl");
1687
}
1688
}
1689
#endif /* __linux__ */
1690
/* Lower privileges */
1691
errno = 0;
1692
if(take_down_interface){
1693
/* Lower privileges */
1694
ret = seteuid(uid);
1695
if(ret == -1){
1696
perror_plus("seteuid");
1697
}
1698
} else {
1699
/* Lower privileges permanently */
1700
ret = setuid(uid);
1701
if(ret == -1){
1702
perror_plus("setuid");
1703
}
1704
}
1705
}
1706
1707
if(quit_now){
1708
goto end;
1709
}
1710
1711
ret = init_gnutls_global(pubkey, seckey);
1712
if(ret == -1){
1713
fprintf(stderr, "init_gnutls_global failed\n");
1714
exitcode = EX_UNAVAILABLE;
1715
goto end;
1716
} else {
1717
gnutls_initialized = true;
1718
}
1719
1720
if(quit_now){
1721
goto end;
1722
}
1723
1724
if(mkdtemp(tempdir) == NULL){
1725
perror_plus("mkdtemp");
1726
goto end;
1727
}
1728
tempdir_created = true;
1729
1730
if(quit_now){
1731
goto end;
1732
}
1733
1734
if(not init_gpgme(pubkey, seckey, tempdir)){
1735
fprintf(stderr, "init_gpgme failed\n");
1736
exitcode = EX_UNAVAILABLE;
1737
goto end;
1738
} else {
1739
gpgme_initialized = true;
1740
}
1741
1742
if(quit_now){
1743
goto end;
1744
}
1745
1746
if(connect_to != NULL){
1747
/* Connect directly, do not use Zeroconf */
1748
/* (Mainly meant for debugging) */
1749
char *address = strrchr(connect_to, ':');
1750
if(address == NULL){
1751
fprintf(stderr, "No colon in address\n");
1752
exitcode = EX_USAGE;
1753
goto end;
1754
}
1755
1756
if(quit_now){
1757
goto end;
1758
}
1759
1760
uint16_t port;
1761
errno = 0;
1762
tmpmax = strtoimax(address+1, &tmp, 10);
1763
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1764
or tmpmax != (uint16_t)tmpmax){
1765
fprintf(stderr, "Bad port number\n");
1766
exitcode = EX_USAGE;
1767
goto end;
1768
}
1769
1770
if(quit_now){
1771
goto end;
1772
}
1773
1774
port = (uint16_t)tmpmax;
1775
*address = '\0';
1776
address = connect_to;
1777
/* Colon in address indicates IPv6 */
1778
int af;
1779
if(strchr(address, ':') != NULL){
1780
af = AF_INET6;
1781
} else {
1782
af = AF_INET;
1783
}
1784
1785
if(quit_now){
1786
goto end;
1787
}
1788
1789
while(not quit_now){
1790
ret = start_mandos_communication(address, port, if_index, af);
1791
if(quit_now or ret == 0){
1792
break;
1793
}
1794
sleep((int)retry_interval or 1);
1795
};
1796
1797
if (not quit_now){
1798
exitcode = EXIT_SUCCESS;
1799
}
1800
1801
goto end;
1802
}
1803
1804
if(quit_now){
1805
goto end;
1806
}
1807
1808
{
649
1809
AvahiServerConfig config;
650
AvahiSServiceBrowser *sb = NULL;
651
int error;
652
int ret;
653
int returncode = EXIT_SUCCESS;
654
const char *interface = NULL;
655
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
656
char *connect_to = NULL;
657
658
while (true){
659
static struct option long_options[] = {
660
{"debug", no_argument, (int *)&debug, 1},
661
{"connect", required_argument, 0, 'C'},
662
{"interface", required_argument, 0, 'i'},
663
{"certdir", required_argument, 0, 'd'},
664
{"certkey", required_argument, 0, 'c'},
665
{"certfile", required_argument, 0, 'k'},
666
{0, 0, 0, 0} };
667
668
int option_index = 0;
669
ret = getopt_long (argc, argv, "i:", long_options,
670
&option_index);
671
672
if (ret == -1){
673
break;
674
}
675
676
switch(ret){
677
case 0:
678
break;
679
case 'i':
680
interface = optarg;
681
break;
682
case 'C':
683
connect_to = optarg;
684
break;
685
case 'd':
686
certdir = optarg;
687
break;
688
case 'c':
689
certfile = optarg;
690
break;
691
case 'k':
692
certkey = optarg;
693
break;
694
default:
695
exit(EXIT_FAILURE);
696
}
697
}
698
699
certfile = combinepath(certdir, certfile);
700
if (certfile == NULL){
701
goto exit;
702
}
703
704
if(interface != NULL){
705
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
if(if_index == 0){
707
fprintf(stderr, "No such interface: \"%s\"\n", interface);
708
exit(EXIT_FAILURE);
709
}
710
}
711
712
if(connect_to != NULL){
713
/* Connect directly, do not use Zeroconf */
714
/* (Mainly meant for debugging) */
715
char *address = strrchr(connect_to, ':');
716
if(address == NULL){
717
fprintf(stderr, "No colon in address\n");
718
exit(EXIT_FAILURE);
719
}
720
errno = 0;
721
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
if(errno){
723
perror("Bad port number");
724
exit(EXIT_FAILURE);
725
}
726
*address = '\0';
727
address = connect_to;
728
ret = start_mandos_communication(address, port, if_index);
729
if(ret < 0){
730
exit(EXIT_FAILURE);
731
} else {
732
exit(EXIT_SUCCESS);
733
}
734
}
735
736
certkey = combinepath(certdir, certkey);
737
if (certkey == NULL){
738
goto exit;
739
}
740
741
if (not debug){
742
avahi_set_log_function(empty_log);
743
}
744
745
/* Initialize the psuedo-RNG */
746
srand((unsigned int) time(NULL));
747
748
/* Allocate main loop object */
749
if (!(simple_poll = avahi_simple_poll_new())) {
750
fprintf(stderr, "Failed to create simple poll object.\n");
751
752
goto exit;
753
}
754
755
/* Do not publish any local records */
1810
/* Do not publish any local Zeroconf records */
756
1811
avahi_server_config_init(&config);
757
1812
config.publish_hinfo = 0;
758
1813
config.publish_addresses = 0;
759
1814
config.publish_workstation = 0;
760
1815
config.publish_domain = 0;
761
1816
762
1817
/* Allocate a new server */
763
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
764
&config, NULL, NULL, &error);
765
766
/* Free the configuration data */
1818
mc.server = avahi_server_new(avahi_simple_poll_get
1819
(mc.simple_poll), &config, NULL,
1820
NULL, &error);
1821
1822
/* Free the Avahi configuration data */
767
1823
avahi_server_config_free(&config);
768
769
/* Check if creating the server object succeeded */
770
if (!server) {
771
fprintf(stderr, "Failed to create server: %s\n",
772
avahi_strerror(error));
773
returncode = EXIT_FAILURE;
774
goto exit;
775
}
776
777
/* Create the service browser */
778
sb = avahi_s_service_browser_new(server, if_index,
779
AVAHI_PROTO_INET6,
780
"_mandos._tcp", NULL, 0,
781
browse_callback, server);
782
if (!sb) {
783
fprintf(stderr, "Failed to create service browser: %s\n",
784
avahi_strerror(avahi_server_errno(server)));
785
returncode = EXIT_FAILURE;
786
goto exit;
787
}
788
789
/* Run the main loop */
790
791
if (debug){
792
fprintf(stderr, "Starting avahi loop search\n");
793
}
794
795
avahi_simple_poll_loop(simple_poll);
796
797
exit:
798
799
if (debug){
800
fprintf(stderr, "%s exiting\n", argv[0]);
801
}
802
803
/* Cleanup things */
804
if (sb)
805
avahi_s_service_browser_free(sb);
806
807
if (server)
808
avahi_server_free(server);
809
810
if (simple_poll)
811
avahi_simple_poll_free(simple_poll);
812
free(certfile);
813
free(certkey);
814
815
return returncode;
1824
}
1825
1826
/* Check if creating the Avahi server object succeeded */
1827
if(mc.server == NULL){
1828
fprintf(stderr, "Failed to create Avahi server: %s\n",
1829
avahi_strerror(error));
1830
exitcode = EX_UNAVAILABLE;
1831
goto end;
1832
}
1833
1834
if(quit_now){
1835
goto end;
1836
}
1837
1838
/* Create the Avahi service browser */
1839
sb = avahi_s_service_browser_new(mc.server, if_index,
1840
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1841
NULL, 0, browse_callback, NULL);
1842
if(sb == NULL){
1843
fprintf(stderr, "Failed to create service browser: %s\n",
1844
avahi_strerror(avahi_server_errno(mc.server)));
1845
exitcode = EX_UNAVAILABLE;
1846
goto end;
1847
}
1848
1849
if(quit_now){
1850
goto end;
1851
}
1852
1853
/* Run the main loop */
1854
1855
if(debug){
1856
fprintf(stderr, "Starting Avahi loop search\n");
1857
}
1858
1859
ret = avahi_loop_with_timeout(mc.simple_poll,
1860
(int)(retry_interval * 1000));
1861
if(debug){
1862
fprintf(stderr, "avahi_loop_with_timeout exited %s\n",
1863
(ret == 0) ? "successfully" : "with error");
1864
}
1865
1866
end:
1867
1868
if(debug){
1869
fprintf(stderr, "%s exiting\n", argv[0]);
1870
}
1871
1872
/* Cleanup things */
1873
if(sb != NULL)
1874
avahi_s_service_browser_free(sb);
1875
1876
if(mc.server != NULL)
1877
avahi_server_free(mc.server);
1878
1879
if(mc.simple_poll != NULL)
1880
avahi_simple_poll_free(mc.simple_poll);
1881
1882
if(gnutls_initialized){
1883
gnutls_certificate_free_credentials(mc.cred);
1884
gnutls_global_deinit();
1885
gnutls_dh_params_deinit(mc.dh_params);
1886
}
1887
1888
if(gpgme_initialized){
1889
gpgme_release(mc.ctx);
1890
}
1891
1892
/* Cleans up the circular linked list of Mandos servers the client
1893
has seen */
1894
if(mc.current_server != NULL){
1895
mc.current_server->prev->next = NULL;
1896
while(mc.current_server != NULL){
1897
server *next = mc.current_server->next;
1898
free(mc.current_server);
1899
mc.current_server = next;
1900
}
1901
}
1902
1903
/* Take down the network interface */
1904
if(take_down_interface){
1905
/* Re-raise priviliges */
1906
errno = 0;
1907
ret = seteuid(0);
1908
if(ret == -1){
1909
perror_plus("seteuid");
1910
}
1911
if(geteuid() == 0){
1912
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1913
if(ret == -1){
1914
perror_plus("ioctl SIOCGIFFLAGS");
1915
} else if(network.ifr_flags & IFF_UP) {
1916
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1917
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1918
if(ret == -1){
1919
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
1920
}
1921
}
1922
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1923
if(ret == -1){
1924
perror_plus("close");
1925
}
1926
/* Lower privileges permanently */
1927
errno = 0;
1928
ret = setuid(uid);
1929
if(ret == -1){
1930
perror_plus("setuid");
1931
}
1932
}
1933
}
1934
1935
/* Removes the GPGME temp directory and all files inside */
1936
if(tempdir_created){
1937
struct dirent **direntries = NULL;
1938
struct dirent *direntry = NULL;
1939
ret = scandir(tempdir, &direntries, notdotentries, alphasort);
1940
if (ret > 0){
1941
for(int i = 0; i < ret; i++){
1942
direntry = direntries[i];
1943
char *fullname = NULL;
1944
ret = asprintf(&fullname, "%s/%s", tempdir,
1945
direntry->d_name);
1946
if(ret < 0){
1947
perror_plus("asprintf");
1948
continue;
1949
}
1950
ret = remove(fullname);
1951
if(ret == -1){
1952
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1953
strerror(errno));
1954
}
1955
free(fullname);
1956
}
1957
}
1958
1959
/* need to be cleaned even if ret == 0 because man page doesn't
1960
specify */
1961
free(direntries);
1962
if (ret == -1){
1963
perror_plus("scandir");
1964
}
1965
ret = rmdir(tempdir);
1966
if(ret == -1 and errno != ENOENT){
1967
perror_plus("rmdir");
1968
}
1969
}
1970
1971
if(quit_now){
1972
sigemptyset(&old_sigterm_action.sa_mask);
1973
old_sigterm_action.sa_handler = SIG_DFL;
1974
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1975
&old_sigterm_action,
1976
NULL));
1977
if(ret == -1){
1978
perror_plus("sigaction");
1979
}
1980
do {
1981
ret = raise(signal_received);
1982
} while(ret != 0 and errno == EINTR);
1983
if(ret != 0){
1984
perror_plus("raise");
1985
abort();
1986
}
1987
TEMP_FAILURE_RETRY(pause());
1988
}
1989
1990
return exitcode;
816
1991
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0