To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 24.1.128
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.128
- Committer: Björn Påhlsson
- Date: 2009-01-19 06:55:59 UTC
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 250.
- Revision ID: belorn@braxen-20090119065559-vvflkj7ffxtn4ez4
fixed a bugg in mandos-ctl + added remove client option
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf */
40
#include <stdint.h> /* uint16_t, uint32_t */
41
#include <stddef.h> /* NULL, size_t, ssize_t */
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
43
srand() */
44
#include <stdbool.h> /* bool, true */
45
#include <string.h> /* memset(), strcmp(), strlen(),
46
strerror(), asprintf(), strcpy() */
47
#include <sys/ioctl.h> /* ioctl */
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
49
sockaddr_in6, PF_INET6,
50
SOCK_STREAM, INET6_ADDRSTRLEN,
51
uid_t, gid_t, open(), opendir(),
52
DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton(),
56
connect() */
57
#include <fcntl.h> /* open() */
58
#include <dirent.h> /* opendir(), struct dirent, readdir()
59
*/
60
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
61
#include <assert.h> /* assert() */
62
#include <errno.h> /* perror(), errno */
63
#include <time.h> /* time(), nanosleep() */
42
64
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
65
SIOCSIFFLAGS, if_indextoname(),
66
if_nametoindex(), IF_NAMESIZE */
67
#include <netinet/in.h>
68
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
69
getuid(), getgid(), setuid(),
70
setgid() */
71
#include <arpa/inet.h> /* inet_pton(), htons */
72
#include <iso646.h> /* not, and, or */
73
#include <argp.h> /* struct argp_option, error_t, struct
74
argp_state, struct argp,
75
argp_parse(), ARGP_KEY_ARG,
76
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
77
#include <sys/klog.h> /* klogctl() */
44
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
45
83
#include <avahi-core/core.h>
46
84
#include <avahi-core/lookup.h>
47
85
#include <avahi-core/log.h>
49
87
#include <avahi-common/malloc.h>
50
88
#include <avahi-common/error.h>
51
89
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
72
106
73
107
#define BUFFER_SIZE 256
74
108
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
78
112
79
113
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
80
117
81
/* Used for passing in values through all the callback functions */
118
/* Used for passing in values through the Avahi callback functions */
82
119
typedef struct {
83
120
AvahiSimplePoll *simple_poll;
84
121
AvahiServer *server;
85
122
gnutls_certificate_credentials_t cred;
86
123
unsigned int dh_bits;
124
gnutls_dh_params_t dh_params;
87
125
const char *priority;
126
gpgme_ctx_t ctx;
88
127
} mandos_context;
89
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
90
146
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
147
* Initialize GPGME.
93
148
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
98
gpgme_data_t dh_crypto, dh_plain;
99
gpgme_ctx_t ctx;
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
100
152
gpgme_error_t rc;
101
ssize_t ret;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
104
153
gpgme_engine_info_t engine_info;
105
154
106
if (debug){
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
108
193
}
109
194
110
195
/* Init GPGME */
111
196
gpgme_check_version(NULL);
112
197
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
113
if (rc != GPG_ERR_NO_ERROR){
198
if(rc != GPG_ERR_NO_ERROR){
114
199
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
115
200
gpgme_strsource(rc), gpgme_strerror(rc));
116
return -1;
201
return false;
117
202
}
118
203
119
/* Set GPGME home directory for the OpenPGP engine only */
120
rc = gpgme_get_engine_info (&engine_info);
121
if (rc != GPG_ERR_NO_ERROR){
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
122
207
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
123
208
gpgme_strsource(rc), gpgme_strerror(rc));
124
return -1;
209
return false;
125
210
}
126
211
while(engine_info != NULL){
127
212
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
128
213
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
129
engine_info->file_name, homedir);
214
engine_info->file_name, tempdir);
130
215
break;
131
216
}
132
217
engine_info = engine_info->next;
133
218
}
134
219
if(engine_info == NULL){
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
136
return -1;
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
137
255
}
138
256
139
257
/* Create new GPGME data buffer from memory cryptotext */
140
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
141
259
0);
142
if (rc != GPG_ERR_NO_ERROR){
260
if(rc != GPG_ERR_NO_ERROR){
143
261
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
144
262
gpgme_strsource(rc), gpgme_strerror(rc));
145
263
return -1;
147
265
148
266
/* Create new empty GPGME data buffer for the plaintext */
149
267
rc = gpgme_data_new(&dh_plain);
150
if (rc != GPG_ERR_NO_ERROR){
268
if(rc != GPG_ERR_NO_ERROR){
151
269
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
152
270
gpgme_strsource(rc), gpgme_strerror(rc));
153
271
gpgme_data_release(dh_crypto);
154
272
return -1;
155
273
}
156
274
157
/* Create new GPGME "context" */
158
rc = gpgme_new(&ctx);
159
if (rc != GPG_ERR_NO_ERROR){
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
161
gpgme_strsource(rc), gpgme_strerror(rc));
162
plaintext_length = -1;
163
goto decrypt_end;
164
}
165
166
275
/* Decrypt data from the cryptotext data buffer to the plaintext
167
276
data buffer */
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
169
if (rc != GPG_ERR_NO_ERROR){
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
170
279
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
171
280
gpgme_strsource(rc), gpgme_strerror(rc));
172
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
307
}
308
}
309
}
173
310
goto decrypt_end;
174
311
}
175
312
177
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
178
315
}
179
316
180
if (debug){
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
183
if (result == NULL){
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
185
} else {
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
192
}
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
195
if(recipient){
196
while(recipient != NULL){
197
fprintf(stderr, "Public key algorithm: %s\n",
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
200
fprintf(stderr, "Secret key available: %s\n",
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
203
recipient = recipient->next;
204
}
205
}
206
}
207
}
208
209
317
/* Seek back to the beginning of the GPGME plaintext data buffer */
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
212
320
plaintext_length = -1;
213
321
goto decrypt_end;
214
322
}
215
323
216
324
*plaintext = NULL;
217
325
while(true){
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
224
331
plaintext_length = -1;
225
332
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
228
333
}
229
334
230
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
231
336
BUFFER_SIZE);
232
337
/* Print the data, if any */
233
if (ret == 0){
338
if(ret == 0){
234
339
/* EOF */
235
340
break;
236
341
}
241
346
}
242
347
plaintext_length += ret;
243
348
}
244
349
245
350
if(debug){
246
351
fprintf(stderr, "Decrypted password is: ");
247
for(size_t i = 0; i < plaintext_length; i++){
352
for(ssize_t i = 0; i < plaintext_length; i++){
248
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
249
354
}
250
355
fprintf(stderr, "\n");
260
365
return plaintext_length;
261
366
}
262
367
263
static const char * safer_gnutls_strerror (int value) {
264
const char *ret = gnutls_strerror (value);
265
if (ret == NULL)
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
266
372
ret = "(unknown)";
267
373
return ret;
268
374
}
269
375
376
/* GnuTLS log function callback */
270
377
static void debuggnutls(__attribute__((unused)) int level,
271
378
const char* string){
272
fprintf(stderr, "%s", string);
379
fprintf(stderr, "GnuTLS: %s", string);
273
380
}
274
381
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
278
385
int ret;
279
386
280
387
if(debug){
281
388
fprintf(stderr, "Initializing GnuTLS\n");
282
389
}
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
287
395
return -1;
288
396
}
289
397
290
if (debug){
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
291
402
gnutls_global_set_log_level(11);
292
403
gnutls_global_set_log_function(debuggnutls);
293
404
}
294
405
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
300
415
return -1;
301
416
}
302
417
303
418
if(debug){
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
307
422
}
308
423
309
424
ret = gnutls_certificate_set_openpgp_key_file
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
311
if (ret != GNUTLS_E_SUCCESS) {
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
317
safer_gnutls_strerror(ret));
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
341
468
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
342
469
safer_gnutls_strerror(ret));
343
470
}
344
471
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
351
482
}
352
483
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
357
488
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
358
490
return -1;
359
491
}
360
492
361
493
/* ignore client certificate if any. */
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
364
496
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
366
498
367
499
return 0;
368
500
}
369
501
502
/* Avahi log function callback */
370
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
371
504
__attribute__((unused)) const char *txt){}
372
505
506
/* Called when a Mandos server is found */
373
507
static int start_mandos_communication(const char *ip, uint16_t port,
374
508
AvahiIfIndex if_index,
375
509
mandos_context *mc){
376
510
int ret, tcp_sd;
377
struct sockaddr_in6 to;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
378
513
char *buffer = NULL;
379
514
char *decrypted_buffer;
380
515
size_t buffer_length = 0;
381
516
size_t buffer_capacity = 0;
382
517
ssize_t decrypted_buffer_size;
383
size_t written = 0;
518
size_t written;
384
519
int retval = 0;
385
520
char interface[IF_NAMESIZE];
386
521
gnutls_session_t session;
387
gnutls_dh_params_t dh_params;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
388
527
389
528
if(debug){
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
392
531
}
393
532
394
533
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
396
535
perror("socket");
397
536
return -1;
398
537
}
399
538
400
539
if(debug){
401
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
402
541
perror("if_indextoname");
405
544
fprintf(stderr, "Binding to interface %s\n", interface);
406
545
}
407
546
408
memset(&to,0,sizeof(to)); /* Spurious warning */
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
411
if (ret < 0 ){
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
412
553
perror("inet_pton");
413
554
return -1;
414
555
}
416
557
fprintf(stderr, "Bad address: %s\n", ip);
417
558
return -1;
418
559
}
419
to.sin6_port = htons(port); /* Spurious warning */
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
420
563
421
to.sin6_scope_id = (uint32_t)if_index;
564
to.in6.sin6_scope_id = (uint32_t)if_index;
422
565
423
566
if(debug){
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
425
569
char addrstr[INET6_ADDRSTRLEN] = "";
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
427
571
sizeof(addrstr)) == NULL){
428
572
perror("inet_ntop");
429
573
} else {
433
577
}
434
578
}
435
579
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
437
if (ret < 0){
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
438
582
perror("connect");
439
583
return -1;
440
584
}
441
585
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
446
608
}
447
609
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
450
610
if(debug){
451
611
fprintf(stderr, "Establishing TLS session with %s\n", ip);
452
612
}
453
613
454
ret = gnutls_handshake (session);
455
456
if (ret != GNUTLS_E_SUCCESS){
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
457
621
if(debug){
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
460
624
}
461
625
retval = -1;
462
goto exit;
626
goto mandos_end;
463
627
}
464
628
465
//Retrieve OpenPGP packet that contains the wanted password
629
/* Read OpenPGP packet that contains the wanted password */
466
630
467
631
if(debug){
468
632
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
469
633
ip);
470
634
}
471
635
472
636
while(true){
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
480
643
}
481
644
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
484
if (ret == 0){
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
485
648
break;
486
649
}
487
if (ret < 0){
488
switch(ret){
650
if(sret < 0){
651
switch(sret){
489
652
case GNUTLS_E_INTERRUPTED:
490
653
case GNUTLS_E_AGAIN:
491
654
break;
492
655
case GNUTLS_E_REHANDSHAKE:
493
ret = gnutls_handshake (session);
494
if (ret < 0){
495
fprintf(stderr, "\n*** Handshake failed ***\n");
496
gnutls_perror (ret);
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
497
662
retval = -1;
498
goto exit;
663
goto mandos_end;
499
664
}
500
665
break;
501
666
default:
502
667
fprintf(stderr, "Unknown error while reading data from"
503
" encrypted session with mandos server\n");
668
" encrypted session with Mandos server\n");
504
669
retval = -1;
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
506
goto exit;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
507
672
}
508
673
} else {
509
buffer_length += (size_t) ret;
674
buffer_length += (size_t) sret;
510
675
}
511
676
}
512
677
513
if (buffer_length > 0){
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
515
686
buffer_length,
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
519
690
while(written < (size_t) decrypted_buffer_size){
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
523
694
if(ret == 0 and ferror(stdout)){
524
695
if(debug){
525
696
fprintf(stderr, "Error writing encrypted data: %s\n",
534
705
} else {
535
706
retval = -1;
536
707
}
537
}
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
545
715
free(buffer);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
548
close(tcp_sd);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
552
721
return retval;
553
722
}
554
723
567
736
flags,
568
737
void* userdata) {
569
738
mandos_context *mc = userdata;
570
assert(r); /* Spurious warning */
739
assert(r);
571
740
572
741
/* Called whenever a service has been resolved successfully or
573
742
timed out */
574
743
575
switch (event) {
744
switch(event) {
576
745
default:
577
746
case AVAHI_RESOLVER_FAILURE:
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
580
749
avahi_strerror(avahi_server_errno(mc->server)));
581
750
break;
582
751
585
754
char ip[AVAHI_ADDRESS_STR_MAX];
586
755
avahi_address_snprint(ip, sizeof(ip), address);
587
756
if(debug){
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
590
760
}
591
761
int ret = start_mandos_communication(ip, port, interface, mc);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
594
764
}
595
765
}
596
766
}
608
778
flags,
609
779
void* userdata) {
610
780
mandos_context *mc = userdata;
611
assert(b); /* Spurious warning */
781
assert(b);
612
782
613
783
/* Called whenever a new services becomes available on the LAN or
614
784
is removed from the LAN */
615
785
616
switch (event) {
786
switch(event) {
617
787
default:
618
788
case AVAHI_BROWSER_FAILURE:
619
789
620
fprintf(stderr, "(Browser) %s\n",
790
fprintf(stderr, "(Avahi browser) %s\n",
621
791
avahi_strerror(avahi_server_errno(mc->server)));
622
792
avahi_simple_poll_quit(mc->simple_poll);
623
793
return;
624
794
625
795
case AVAHI_BROWSER_NEW:
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
630
800
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
632
802
protocol, name, type, domain,
633
803
AVAHI_PROTO_INET6, 0,
634
804
resolve_callback, mc)))
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
637
807
break;
638
808
639
809
case AVAHI_BROWSER_REMOVE:
641
811
642
812
case AVAHI_BROWSER_ALL_FOR_NOW:
643
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
816
}
644
817
break;
645
818
}
646
819
}
647
820
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
668
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
821
int main(int argc, char *argv[]){
671
822
AvahiSServiceBrowser *sb = NULL;
672
823
int error;
673
824
int ret;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
676
828
const char *interface = "eth0";
677
829
struct ifreq network;
678
830
int sd;
831
uid_t uid;
832
gid_t gid;
679
833
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
680
835
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
681
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
682
.dh_bits = 1024, .priority = "SECURE256"};
683
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initalized = false;
843
bool gpgme_initalized = false;
844
double delay = 2.5;
845
846
{
847
struct argp_option options[] = {
848
{ .name = "debug", .key = 128,
849
.doc = "Debug mode", .group = 3 },
850
{ .name = "connect", .key = 'c',
851
.arg = "ADDRESS:PORT",
852
.doc = "Connect directly to a specific Mandos server",
853
.group = 1 },
854
{ .name = "interface", .key = 'i',
855
.arg = "NAME",
856
.doc = "Interface that will be used to search for Mandos"
857
" servers",
858
.group = 1 },
859
{ .name = "seckey", .key = 's',
860
.arg = "FILE",
861
.doc = "OpenPGP secret key file base name",
862
.group = 1 },
863
{ .name = "pubkey", .key = 'p',
864
.arg = "FILE",
865
.doc = "OpenPGP public key file base name",
866
.group = 2 },
867
{ .name = "dh-bits", .key = 129,
868
.arg = "BITS",
869
.doc = "Bit length of the prime number used in the"
870
" Diffie-Hellman key exchange",
871
.group = 2 },
872
{ .name = "priority", .key = 130,
873
.arg = "STRING",
874
.doc = "GnuTLS priority string for the TLS handshake",
875
.group = 1 },
876
{ .name = "delay", .key = 131,
877
.arg = "SECONDS",
878
.doc = "Maximum delay to wait for interface startup",
879
.group = 2 },
880
{ .name = NULL }
881
};
882
883
error_t parse_opt(int key, char *arg,
884
struct argp_state *state) {
885
switch(key) {
886
case 128: /* --debug */
887
debug = true;
888
break;
889
case 'c': /* --connect */
890
connect_to = arg;
891
break;
892
case 'i': /* --interface */
893
interface = arg;
894
break;
895
case 's': /* --seckey */
896
seckey = arg;
897
break;
898
case 'p': /* --pubkey */
899
pubkey = arg;
900
break;
901
case 129: /* --dh-bits */
902
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
903
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
904
or arg[numchars] != '\0'){
905
fprintf(stderr, "Bad number of DH bits\n");
906
exit(EXIT_FAILURE);
907
}
908
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
909
break;
910
case 130: /* --priority */
911
mc.priority = arg;
912
break;
913
case 131: /* --delay */
914
ret = sscanf(arg, "%lf%n", &delay, &numchars);
915
if(ret < 1 or arg[numchars] != '\0'){
916
fprintf(stderr, "Bad delay\n");
917
exit(EXIT_FAILURE);
918
}
919
break;
920
case ARGP_KEY_ARG:
921
argp_usage(state);
922
case ARGP_KEY_END:
923
break;
924
default:
925
return ARGP_ERR_UNKNOWN;
926
}
927
return 0;
928
}
929
930
struct argp argp = { .options = options, .parser = parse_opt,
931
.args_doc = "",
932
.doc = "Mandos client -- Get and decrypt"
933
" passwords from a Mandos server" };
934
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
935
if(ret == ARGP_ERR_UNKNOWN){
936
fprintf(stderr, "Unknown error while parsing arguments\n");
937
exitcode = EXIT_FAILURE;
938
goto end;
939
}
940
}
941
942
/* If the interface is down, bring it up */
943
{
944
// Lower kernel loglevel to KERN_NOTICE to avoid
945
// KERN_INFO messages to mess up the prompt
946
ret = klogctl(8, NULL, 5);
947
if(ret == -1){
948
perror("klogctl");
949
}
950
951
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
952
if(sd < 0) {
953
perror("socket");
954
exitcode = EXIT_FAILURE;
955
ret = klogctl(7, NULL, 0);
956
if(ret == -1){
957
perror("klogctl");
958
}
959
goto end;
960
}
961
strcpy(network.ifr_name, interface);
962
ret = ioctl(sd, SIOCGIFFLAGS, &network);
963
if(ret == -1){
964
perror("ioctl SIOCGIFFLAGS");
965
ret = klogctl(7, NULL, 0);
966
if(ret == -1){
967
perror("klogctl");
968
}
969
exitcode = EXIT_FAILURE;
970
goto end;
971
}
972
if((network.ifr_flags & IFF_UP) == 0){
973
network.ifr_flags |= IFF_UP;
974
ret = ioctl(sd, SIOCSIFFLAGS, &network);
975
if(ret == -1){
976
perror("ioctl SIOCSIFFLAGS");
977
exitcode = EXIT_FAILURE;
978
ret = klogctl(7, NULL, 0);
979
if(ret == -1){
980
perror("klogctl");
981
}
982
goto end;
983
}
984
}
985
// sleep checking until interface is running
986
for(int i=0; i < delay * 4; i++){
987
ret = ioctl(sd, SIOCGIFFLAGS, &network);
988
if(ret == -1){
989
perror("ioctl SIOCGIFFLAGS");
990
} else if(network.ifr_flags & IFF_RUNNING){
991
break;
992
}
993
struct timespec sleeptime = { .tv_nsec = 250000000 };
994
nanosleep(&sleeptime, NULL);
995
}
996
ret = (int)TEMP_FAILURE_RETRY(close(sd));
997
if(ret == -1){
998
perror("close");
999
}
1000
// Restores kernel loglevel to default
1001
ret = klogctl(7, NULL, 0);
1002
if(ret == -1){
1003
perror("klogctl");
1004
}
1005
}
1006
1007
uid = getuid();
1008
gid = getgid();
1009
1010
ret = setuid(uid);
1011
if(ret == -1){
1012
perror("setuid");
1013
}
1014
1015
setgid(gid);
1016
if(ret == -1){
1017
perror("setgid");
1018
}
1019
1020
ret = init_gnutls_global(&mc, pubkey, seckey);
1021
if(ret == -1){
1022
fprintf(stderr, "init_gnutls_global failed\n");
1023
exitcode = EXIT_FAILURE;
1024
goto end;
1025
} else {
1026
gnutls_initalized = true;
1027
}
1028
1029
if(mkdtemp(tempdir) == NULL){
1030
perror("mkdtemp");
1031
tempdir[0] = '\0';
1032
goto end;
1033
}
1034
1035
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1036
fprintf(stderr, "gpgme_initalized failed\n");
1037
exitcode = EXIT_FAILURE;
1038
goto end;
1039
} else {
1040
gpgme_initalized = true;
752
1041
}
753
1042
754
1043
if_index = (AvahiIfIndex) if_nametoindex(interface);
763
1052
char *address = strrchr(connect_to, ':');
764
1053
if(address == NULL){
765
1054
fprintf(stderr, "No colon in address\n");
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
uint16_t port;
1059
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1060
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1061
or address[numchars+1] != '\0'){
1062
fprintf(stderr, "Bad port number\n");
1063
exitcode = EXIT_FAILURE;
1064
goto end;
1065
}
1066
port = (uint16_t)tmpmax;
774
1067
*address = '\0';
775
1068
address = connect_to;
776
1069
ret = start_mandos_communication(address, port, if_index, &mc);
777
1070
if(ret < 0){
778
exit(EXIT_FAILURE);
1071
exitcode = EXIT_FAILURE;
779
1072
} else {
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
808
809
if (not debug){
1073
exitcode = EXIT_SUCCESS;
1074
}
1075
goto end;
1076
}
1077
1078
if(not debug){
810
1079
avahi_set_log_function(empty_log);
811
1080
}
812
1081
813
/* Initialize the psuedo-RNG */
1082
/* Initialize the pseudo-RNG for Avahi */
814
1083
srand((unsigned int) time(NULL));
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1084
1085
/* Allocate main Avahi loop object */
1086
mc.simple_poll = avahi_simple_poll_new();
1087
if(mc.simple_poll == NULL) {
1088
fprintf(stderr, "Avahi: Failed to create simple poll"
1089
" object.\n");
1090
exitcode = EXIT_FAILURE;
1091
goto end;
1092
}
1093
1094
{
1095
AvahiServerConfig config;
1096
/* Do not publish any local Zeroconf records */
1097
avahi_server_config_init(&config);
1098
config.publish_hinfo = 0;
1099
config.publish_addresses = 0;
1100
config.publish_workstation = 0;
1101
config.publish_domain = 0;
1102
1103
/* Allocate a new server */
1104
mc.server = avahi_server_new(avahi_simple_poll_get
1105
(mc.simple_poll), &config, NULL,
1106
NULL, &error);
1107
1108
/* Free the Avahi configuration data */
1109
avahi_server_config_free(&config);
1110
}
1111
1112
/* Check if creating the Avahi server object succeeded */
1113
if(mc.server == NULL) {
1114
fprintf(stderr, "Failed to create Avahi server: %s\n",
840
1115
avahi_strerror(error));
841
returncode = EXIT_FAILURE;
842
goto exit;
1116
exitcode = EXIT_FAILURE;
1117
goto end;
843
1118
}
844
1119
845
/* Create the service browser */
1120
/* Create the Avahi service browser */
846
1121
sb = avahi_s_service_browser_new(mc.server, if_index,
847
1122
AVAHI_PROTO_INET6,
848
1123
"_mandos._tcp", NULL, 0,
849
1124
browse_callback, &mc);
850
if (!sb) {
1125
if(sb == NULL) {
851
1126
fprintf(stderr, "Failed to create service browser: %s\n",
852
1127
avahi_strerror(avahi_server_errno(mc.server)));
853
returncode = EXIT_FAILURE;
854
goto exit;
1128
exitcode = EXIT_FAILURE;
1129
goto end;
855
1130
}
856
1131
857
1132
/* Run the main loop */
1133
1134
if(debug){
1135
fprintf(stderr, "Starting Avahi loop search\n");
1136
}
858
1137
859
if (debug){
860
fprintf(stderr, "Starting avahi loop search\n");
861
}
862
863
1138
avahi_simple_poll_loop(mc.simple_poll);
864
1139
865
exit:
866
867
if (debug){
1140
end:
1141
1142
if(debug){
868
1143
fprintf(stderr, "%s exiting\n", argv[0]);
869
1144
}
870
1145
871
1146
/* Cleanup things */
872
if (sb)
1147
if(sb != NULL)
873
1148
avahi_s_service_browser_free(sb);
874
1149
875
if (mc.server)
1150
if(mc.server != NULL)
876
1151
avahi_server_free(mc.server);
877
878
if (mc.simple_poll)
1152
1153
if(mc.simple_poll != NULL)
879
1154
avahi_simple_poll_free(mc.simple_poll);
880
free(pubkeyfile);
881
free(seckeyfile);
882
883
return returncode;
1155
1156
if(gnutls_initalized){
1157
gnutls_certificate_free_credentials(mc.cred);
1158
gnutls_global_deinit();
1159
gnutls_dh_params_deinit(mc.dh_params);
1160
}
1161
1162
if(gpgme_initalized){
1163
gpgme_release(mc.ctx);
1164
}
1165
1166
/* Removes the temp directory used by GPGME */
1167
if(tempdir[0] != '\0'){
1168
DIR *d;
1169
struct dirent *direntry;
1170
d = opendir(tempdir);
1171
if(d == NULL){
1172
if(errno != ENOENT){
1173
perror("opendir");
1174
}
1175
} else {
1176
while(true){
1177
direntry = readdir(d);
1178
if(direntry == NULL){
1179
break;
1180
}
1181
if(direntry->d_type == DT_REG){
1182
char *fullname = NULL;
1183
ret = asprintf(&fullname, "%s/%s", tempdir,
1184
direntry->d_name);
1185
if(ret < 0){
1186
perror("asprintf");
1187
continue;
1188
}
1189
ret = unlink(fullname);
1190
if(ret == -1){
1191
fprintf(stderr, "unlink(\"%s\"): %s",
1192
fullname, strerror(errno));
1193
}
1194
free(fullname);
1195
}
1196
}
1197
closedir(d);
1198
}
1199
ret = rmdir(tempdir);
1200
if(ret == -1 and errno != ENOENT){
1201
perror("rmdir");
1202
}
1203
}
1204
1205
return exitcode;
884
1206
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0