46
91
#include <avahi-common/malloc.h>
47
92
#include <avahi-common/error.h>
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
64
#include <errno.h> /* perror() */
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
95
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
98
init_gnutls_session(),
100
#include <gnutls/openpgp.h>
101
/* gnutls_certificate_set_openpgp_key_file(),
102
GNUTLS_OPENPGP_FMT_BASE64 */
105
#include <gpgme.h> /* All GPGME types, constants and
108
GPGME_PROTOCOL_OpenPGP,
75
111
#define BUFFER_SIZE 256
113
#define PATHDIR "/conf/conf.d/mandos"
114
#define SECKEY "seckey.txt"
115
#define PUBKEY "pubkey.txt"
78
117
bool debug = false;
118
static const char mandos_protocol_version[] = "1";
119
const char *argp_program_version = "mandos-client " VERSION;
120
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
122
/* Used for passing in values through the Avahi callback functions */
81
gnutls_session_t session;
124
AvahiSimplePoll *simple_poll;
82
126
gnutls_certificate_credentials_t cred;
127
unsigned int dh_bits;
83
128
gnutls_dh_params_t dh_params;
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
129
const char *priority;
133
/* global context so signal handler can reach it*/
137
* Make additional room in "buffer" for at least BUFFER_SIZE
138
* additional bytes. "buffer_capacity" is how much is currently
139
* allocated, "buffer_length" is how much is already used.
141
size_t incbuffer(char **buffer, size_t buffer_length,
142
size_t buffer_capacity){
143
if(buffer_length + BUFFER_SIZE > buffer_capacity){
144
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
148
buffer_capacity += BUFFER_SIZE;
150
return buffer_capacity;
156
static bool init_gpgme(const char *seckey,
157
const char *pubkey, const char *tempdir){
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
95
160
gpgme_engine_info_t engine_info;
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
164
* Helper function to insert pub and seckey to the engine keyring.
166
bool import_key(const char *filename){
168
gpgme_data_t pgp_data;
170
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
176
rc = gpgme_data_new_from_fd(&pgp_data, fd);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
183
rc = gpgme_op_import(mc.ctx, pgp_data);
184
if(rc != GPG_ERR_NO_ERROR){
185
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
186
gpgme_strsource(rc), gpgme_strerror(rc));
190
ret = (int)TEMP_FAILURE_RETRY(close(fd));
194
gpgme_data_release(pgp_data);
199
fprintf(stderr, "Initialize gpgme\n");
102
203
gpgme_check_version(NULL);
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
204
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
205
if(rc != GPG_ERR_NO_ERROR){
206
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
207
gpgme_strsource(rc), gpgme_strerror(rc));
105
/* Set GPGME home directory */
106
rc = gpgme_get_engine_info (&engine_info);
107
if (rc != GPG_ERR_NO_ERROR){
211
/* Set GPGME home directory for the OpenPGP engine only */
212
rc = gpgme_get_engine_info(&engine_info);
213
if(rc != GPG_ERR_NO_ERROR){
108
214
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
109
215
gpgme_strsource(rc), gpgme_strerror(rc));
112
218
while(engine_info != NULL){
113
219
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
114
220
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
115
engine_info->file_name, homedir);
221
engine_info->file_name, tempdir);
118
224
engine_info = engine_info->next;
120
226
if(engine_info == NULL){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
127
if (rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
231
/* Create new GPGME "context" */
232
rc = gpgme_new(&(mc.ctx));
233
if(rc != GPG_ERR_NO_ERROR){
234
fprintf(stderr, "bad gpgme_new: %s: %s\n",
235
gpgme_strsource(rc), gpgme_strerror(rc));
239
if(not import_key(pubkey) or not import_key(seckey)){
247
* Decrypt OpenPGP data.
248
* Returns -1 on error
250
static ssize_t pgp_packet_decrypt(const char *cryptotext,
253
gpgme_data_t dh_crypto, dh_plain;
256
size_t plaintext_capacity = 0;
257
ssize_t plaintext_length = 0;
260
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
263
/* Create new GPGME data buffer from memory cryptotext */
264
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
266
if(rc != GPG_ERR_NO_ERROR){
128
267
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
129
268
gpgme_strsource(rc), gpgme_strerror(rc));
133
272
/* Create new empty GPGME data buffer for the plaintext */
134
273
rc = gpgme_data_new(&dh_plain);
135
if (rc != GPG_ERR_NO_ERROR){
274
if(rc != GPG_ERR_NO_ERROR){
136
275
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
137
276
gpgme_strsource(rc), gpgme_strerror(rc));
141
/* Create new GPGME "context" */
142
rc = gpgme_new(&ctx);
143
if (rc != GPG_ERR_NO_ERROR){
144
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
gpgme_strsource(rc), gpgme_strerror(rc));
149
/* Decrypt data from the FILE pointer to the plaintext data
151
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
152
if (rc != GPG_ERR_NO_ERROR){
277
gpgme_data_release(dh_crypto);
281
/* Decrypt data from the cryptotext data buffer to the plaintext
283
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
284
if(rc != GPG_ERR_NO_ERROR){
153
285
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
154
286
gpgme_strsource(rc), gpgme_strerror(rc));
287
plaintext_length = -1;
289
gpgme_decrypt_result_t result;
290
result = gpgme_op_decrypt_result(mc.ctx);
292
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
294
fprintf(stderr, "Unsupported algorithm: %s\n",
295
result->unsupported_algorithm);
296
fprintf(stderr, "Wrong key usage: %u\n",
297
result->wrong_key_usage);
298
if(result->file_name != NULL){
299
fprintf(stderr, "File name: %s\n", result->file_name);
301
gpgme_recipient_t recipient;
302
recipient = result->recipients;
304
while(recipient != NULL){
305
fprintf(stderr, "Public key algorithm: %s\n",
306
gpgme_pubkey_algo_name(recipient->pubkey_algo));
307
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
308
fprintf(stderr, "Secret key available: %s\n",
309
recipient->status == GPG_ERR_NO_SECKEY
311
recipient = recipient->next;
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
163
gpgme_decrypt_result_t result;
164
result = gpgme_op_decrypt_result(ctx);
166
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
168
fprintf(stderr, "Unsupported algorithm: %s\n",
169
result->unsupported_algorithm);
170
fprintf(stderr, "Wrong key usage: %d\n",
171
result->wrong_key_usage);
172
if(result->file_name != NULL){
173
fprintf(stderr, "File name: %s\n", result->file_name);
175
gpgme_recipient_t recipient;
176
recipient = result->recipients;
178
while(recipient != NULL){
179
fprintf(stderr, "Public key algorithm: %s\n",
180
gpgme_pubkey_algo_name(recipient->pubkey_algo));
181
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
182
fprintf(stderr, "Secret key available: %s\n",
183
recipient->status == GPG_ERR_NO_SECKEY
185
recipient = recipient->next;
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
320
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
194
323
/* Seek back to the beginning of the GPGME plaintext data buffer */
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
324
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
325
perror("gpgme_data_seek");
326
plaintext_length = -1;
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
203
if (*new_packet == NULL){
207
new_packet_capacity += BUFFER_SIZE;
332
plaintext_capacity = incbuffer(plaintext,
333
(size_t)plaintext_length,
335
if(plaintext_capacity == 0){
337
plaintext_length = -1;
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
341
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
212
343
/* Print the data, if any */
217
349
perror("gpgme_data_read");
220
new_packet_length += ret;
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
350
plaintext_length = -1;
353
plaintext_length += ret;
357
fprintf(stderr, "Decrypted password is: ");
358
for(ssize_t i = 0; i < plaintext_length; i++){
359
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
361
fprintf(stderr, "\n");
366
/* Delete the GPGME cryptotext data buffer */
367
gpgme_data_release(dh_crypto);
231
369
/* Delete the GPGME plaintext data buffer */
232
370
gpgme_data_release(dh_plain);
233
return new_packet_length;
371
return plaintext_length;
236
static const char * safer_gnutls_strerror (int value) {
237
const char *ret = gnutls_strerror (value);
374
static const char * safer_gnutls_strerror(int value){
375
const char *ret = gnutls_strerror(value); /* Spurious warning from
376
-Wunreachable-code */
239
378
ret = "(unknown)";
243
void debuggnutls(__attribute__((unused)) int level,
245
fprintf(stderr, "%s", string);
382
/* GnuTLS log function callback */
383
static void debuggnutls(__attribute__((unused)) int level,
385
fprintf(stderr, "GnuTLS: %s", string);
248
int initgnutls(encrypted_session *es){
388
static int init_gnutls_global(const char *pubkeyfilename,
389
const char *seckeyfilename){
253
393
fprintf(stderr, "Initializing GnuTLS\n");
256
if ((ret = gnutls_global_init ())
257
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
396
ret = gnutls_global_init();
397
if(ret != GNUTLS_E_SUCCESS){
398
fprintf(stderr, "GnuTLS global_init: %s\n",
399
safer_gnutls_strerror(ret));
404
/* "Use a log level over 10 to enable all debugging options."
263
407
gnutls_global_set_log_level(11);
264
408
gnutls_global_set_log_function(debuggnutls);
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
269
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
271
safer_gnutls_strerror(ret));
411
/* OpenPGP credentials */
412
gnutls_certificate_allocate_credentials(&mc.cred);
413
if(ret != GNUTLS_E_SUCCESS){
414
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
418
safer_gnutls_strerror(ret));
419
gnutls_global_deinit();
276
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
424
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
425
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
281
429
ret = gnutls_certificate_set_openpgp_key_file
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
283
if (ret != GNUTLS_E_SUCCESS) {
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
289
safer_gnutls_strerror(ret));
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
430
(mc.cred, pubkeyfilename, seckeyfilename,
431
GNUTLS_OPENPGP_FMT_BASE64);
432
if(ret != GNUTLS_E_SUCCESS){
434
"Error[%d] while reading the OpenPGP key pair ('%s',"
435
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
436
fprintf(stderr, "The GnuTLS error is: %s\n",
437
safer_gnutls_strerror(ret));
441
/* GnuTLS server initialization */
442
ret = gnutls_dh_params_init(&mc.dh_params);
443
if(ret != GNUTLS_E_SUCCESS){
444
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
445
" %s\n", safer_gnutls_strerror(ret));
448
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
449
if(ret != GNUTLS_E_SUCCESS){
450
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
451
safer_gnutls_strerror(ret));
455
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
461
gnutls_certificate_free_credentials(mc.cred);
462
gnutls_global_deinit();
463
gnutls_dh_params_deinit(mc.dh_params);
467
static int init_gnutls_session(gnutls_session_t *session){
469
/* GnuTLS session creation */
470
ret = gnutls_init(session, GNUTLS_SERVER);
471
if(ret != GNUTLS_E_SUCCESS){
313
472
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
314
473
safer_gnutls_strerror(ret));
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
478
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
479
if(ret != GNUTLS_E_SUCCESS){
480
fprintf(stderr, "Syntax error at: %s\n", err);
481
fprintf(stderr, "GnuTLS error: %s\n",
482
safer_gnutls_strerror(ret));
483
gnutls_deinit(*session);
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
488
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
490
if(ret != GNUTLS_E_SUCCESS){
491
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
329
492
safer_gnutls_strerror(ret));
493
gnutls_deinit(*session);
333
497
/* ignore client certificate if any. */
334
gnutls_certificate_server_set_request (es->session,
498
gnutls_certificate_server_set_request(*session,
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
501
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
506
/* Avahi log function callback */
507
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
508
__attribute__((unused)) const char *txt){}
345
int start_mandos_communication(const char *ip, uint16_t port,
346
unsigned int if_index){
510
/* Called when a Mandos server is found */
511
static int start_mandos_communication(const char *ip, uint16_t port,
512
AvahiIfIndex if_index,
348
struct sockaddr_in6 to;
349
encrypted_session es;
517
struct sockaddr_in in;
518
struct sockaddr_in6 in6;
350
520
char *buffer = NULL;
351
521
char *decrypted_buffer;
352
522
size_t buffer_length = 0;
353
523
size_t buffer_capacity = 0;
354
524
ssize_t decrypted_buffer_size;
357
char interface[IF_NAMESIZE];
527
gnutls_session_t session;
528
int pf; /* Protocol family */
538
fprintf(stderr, "Bad address family: %d\n", af);
542
ret = init_gnutls_session(&session);
360
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
548
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
364
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
552
tcp_sd = socket(pf, SOCK_STREAM, 0);
366
554
perror("socket");
370
if(if_indextoname(if_index, interface) == NULL){
372
perror("if_indextoname");
378
fprintf(stderr, "Binding to interface %s\n", interface);
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
558
memset(&to, 0, sizeof(to));
560
to.in6.sin6_family = (uint16_t)af;
561
ret = inet_pton(af, ip, &to.in6.sin6_addr);
563
to.in.sin_family = (sa_family_t)af;
564
ret = inet_pton(af, ip, &to.in.sin_addr);
385
567
perror("inet_pton");
389
571
fprintf(stderr, "Bad address: %s\n", ip);
392
to.sin6_port = htons(port); /* Spurious warning */
394
to.sin6_scope_id = (uint32_t)if_index;
575
to.in6.sin6_port = htons(port); /* Spurious warnings from
577
-Wunreachable-code */
579
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
580
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
582
if(if_index == AVAHI_IF_UNSPEC){
583
fprintf(stderr, "An IPv6 link-local address is incomplete"
584
" without a network interface\n");
587
/* Set the network interface number as scope */
588
to.in6.sin6_scope_id = (uint32_t)if_index;
591
to.in.sin_port = htons(port); /* Spurious warnings from
593
-Wunreachable-code */
397
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
597
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
598
char interface[IF_NAMESIZE];
599
if(if_indextoname((unsigned int)if_index, interface) == NULL){
600
perror("if_indextoname");
602
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
603
ip, interface, port);
606
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
609
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
610
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
613
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
616
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
622
if(strcmp(addrstr, ip) != 0){
623
fprintf(stderr, "Canonical address form: %s\n", addrstr);
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
629
ret = connect(tcp_sd, &to.in6, sizeof(to));
631
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
410
634
perror("connect");
414
ret = initgnutls (&es);
638
const char *out = mandos_protocol_version;
641
size_t out_size = strlen(out);
642
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
643
out_size - written));
649
written += (size_t)ret;
650
if(written < out_size){
653
if(out == mandos_protocol_version){
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
424
663
fprintf(stderr, "Establishing TLS session with %s\n", ip);
427
ret = gnutls_handshake (es.session);
429
if (ret != GNUTLS_E_SUCCESS){
666
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
669
ret = gnutls_handshake(session);
670
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
672
if(ret != GNUTLS_E_SUCCESS){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
674
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
438
//Retrieve OpenPGP packet that contains the wanted password
681
/* Read OpenPGP packet that contains the wanted password */
441
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
684
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
452
buffer_capacity += BUFFER_SIZE;
689
buffer_capacity = incbuffer(&buffer, buffer_length,
691
if(buffer_capacity == 0){
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
697
sret = gnutls_record_recv(session, buffer+buffer_length,
462
704
case GNUTLS_E_INTERRUPTED:
463
705
case GNUTLS_E_AGAIN:
465
707
case GNUTLS_E_REHANDSHAKE:
466
ret = gnutls_handshake (es.session);
468
fprintf(stderr, "\n*** Handshake failed ***\n");
709
ret = gnutls_handshake(session);
710
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
712
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
475
719
fprintf(stderr, "Unknown error while reading data from"
476
" encrypted session with mandos server\n");
720
" encrypted session with Mandos server\n");
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
722
gnutls_bye(session, GNUTLS_SHUT_RDWR);
482
buffer_length += (size_t) ret;
726
buffer_length += (size_t) sret;
486
if (buffer_length > 0){
731
fprintf(stderr, "Closing TLS session\n");
734
gnutls_bye(session, GNUTLS_SHUT_RDWR);
736
if(buffer_length > 0){
487
737
decrypted_buffer_size = pgp_packet_decrypt(buffer,
491
if (decrypted_buffer_size >= 0){
740
if(decrypted_buffer_size >= 0){
492
742
while(written < (size_t) decrypted_buffer_size){
493
ret = (int)fwrite (decrypted_buffer + written, 1,
494
(size_t)decrypted_buffer_size - written,
743
ret = (int)fwrite(decrypted_buffer + written, 1,
744
(size_t)decrypted_buffer_size - written,
496
746
if(ret == 0 and ferror(stdout)){
498
748
fprintf(stderr, "Error writing encrypted data: %s\n",
561
805
char ip[AVAHI_ADDRESS_STR_MAX];
562
806
avahi_address_snprint(ip, sizeof(ip), address);
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
808
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
809
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
810
ip, (intmax_t)interface, port);
567
int ret = start_mandos_communication(ip, port,
568
(unsigned int) interface);
812
int ret = start_mandos_communication(ip, port, interface,
813
avahi_proto_to_af(proto));
815
avahi_simple_poll_quit(mc.simple_poll);
574
819
avahi_s_service_resolver_free(r);
577
static void browse_callback(
578
AvahiSServiceBrowser *b,
579
AvahiIfIndex interface,
580
AvahiProtocol protocol,
581
AvahiBrowserEvent event,
585
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
588
AvahiServer *s = userdata;
589
assert(b); /* Spurious warning */
591
/* Called whenever a new services becomes available on the LAN or
592
is removed from the LAN */
596
case AVAHI_BROWSER_FAILURE:
598
fprintf(stderr, "(Browser) %s\n",
599
avahi_strerror(avahi_server_errno(server)));
600
avahi_simple_poll_quit(simple_poll);
603
case AVAHI_BROWSER_NEW:
604
/* We ignore the returned resolver object. In the callback
605
function we free it. If the server is terminated before
606
the callback function is called the server will free
607
the resolver for us. */
609
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
611
AVAHI_PROTO_INET6, 0,
612
resolve_callback, s)))
613
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
614
avahi_strerror(avahi_server_errno(s)));
617
case AVAHI_BROWSER_REMOVE:
620
case AVAHI_BROWSER_ALL_FOR_NOW:
621
case AVAHI_BROWSER_CACHE_EXHAUSTED:
822
static void browse_callback(AvahiSServiceBrowser *b,
823
AvahiIfIndex interface,
824
AvahiProtocol protocol,
825
AvahiBrowserEvent event,
829
AVAHI_GCC_UNUSED AvahiLookupResultFlags
831
__attribute__((unused)) void* userdata){
834
/* Called whenever a new services becomes available on the LAN or
835
is removed from the LAN */
839
case AVAHI_BROWSER_FAILURE:
841
fprintf(stderr, "(Avahi browser) %s\n",
842
avahi_strerror(avahi_server_errno(mc.server)));
843
avahi_simple_poll_quit(mc.simple_poll);
846
case AVAHI_BROWSER_NEW:
847
/* We ignore the returned Avahi resolver object. In the callback
848
function we free it. If the Avahi server is terminated before
849
the callback function is called the Avahi server will free the
852
if(!(avahi_s_service_resolver_new(mc.server, interface,
853
protocol, name, type, domain,
854
AVAHI_PROTO_INET6, 0,
855
resolve_callback, NULL)))
856
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
857
name, avahi_strerror(avahi_server_errno(mc.server)));
860
case AVAHI_BROWSER_REMOVE:
863
case AVAHI_BROWSER_ALL_FOR_NOW:
864
case AVAHI_BROWSER_CACHE_EXHAUSTED:
866
fprintf(stderr, "No Mandos server found, still searching...\n");
626
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
627
AvahiServerConfig config;
628
AvahiSServiceBrowser *sb = NULL;
631
int returncode = EXIT_SUCCESS;
632
const char *interface = "eth0";
633
unsigned int if_index;
634
char *connect_to = NULL;
872
static void handle_sigterm(__attribute__((unused)) int sig){
873
int old_errno = errno;
874
avahi_simple_poll_quit(mc.simple_poll);
878
int main(int argc, char *argv[]){
879
AvahiSServiceBrowser *sb = NULL;
884
int exitcode = EXIT_SUCCESS;
885
const char *interface = "eth0";
886
struct ifreq network;
890
char *connect_to = NULL;
891
char tempdir[] = "/tmp/mandosXXXXXX";
892
bool tempdir_created = false;
893
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
894
const char *seckey = PATHDIR "/" SECKEY;
895
const char *pubkey = PATHDIR "/" PUBKEY;
897
bool gnutls_initialized = false;
898
bool gpgme_initialized = false;
901
struct sigaction old_sigterm_action;
902
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
904
/* Initialize mandos context */
905
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
906
.dh_bits = 1024, .priority = "SECURE256"
907
":!CTYPE-X.509:+CTYPE-OPENPGP" };
910
struct argp_option options[] = {
911
{ .name = "debug", .key = 128,
912
.doc = "Debug mode", .group = 3 },
913
{ .name = "connect", .key = 'c',
914
.arg = "ADDRESS:PORT",
915
.doc = "Connect directly to a specific Mandos server",
917
{ .name = "interface", .key = 'i',
919
.doc = "Network interface that will be used to search for"
922
{ .name = "seckey", .key = 's',
924
.doc = "OpenPGP secret key file base name",
926
{ .name = "pubkey", .key = 'p',
928
.doc = "OpenPGP public key file base name",
930
{ .name = "dh-bits", .key = 129,
932
.doc = "Bit length of the prime number used in the"
933
" Diffie-Hellman key exchange",
935
{ .name = "priority", .key = 130,
937
.doc = "GnuTLS priority string for the TLS handshake",
939
{ .name = "delay", .key = 131,
941
.doc = "Maximum delay to wait for interface startup",
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"connect", required_argument, 0, 'c'},
640
{"interface", required_argument, 0, 'i'},
643
int option_index = 0;
644
ret = getopt_long (argc, argv, "i:", long_options,
946
error_t parse_opt(int key, char *arg,
947
struct argp_state *state){
949
case 128: /* --debug */
952
case 'c': /* --connect */
955
case 'i': /* --interface */
958
case 's': /* --seckey */
961
case 'p': /* --pubkey */
964
case 129: /* --dh-bits */
965
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
966
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
967
or arg[numchars] != '\0'){
968
fprintf(stderr, "Bad number of DH bits\n");
971
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
973
case 130: /* --priority */
976
case 131: /* --delay */
977
ret = sscanf(arg, "%lf%n", &delay, &numchars);
978
if(ret < 1 or arg[numchars] != '\0'){
979
fprintf(stderr, "Bad delay\n");
665
if_index = if_nametoindex(interface);
988
return ARGP_ERR_UNKNOWN;
993
struct argp argp = { .options = options, .parser = parse_opt,
995
.doc = "Mandos client -- Get and decrypt"
996
" passwords from a Mandos server" };
997
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
998
if(ret == ARGP_ERR_UNKNOWN){
999
fprintf(stderr, "Unknown error while parsing arguments\n");
1000
exitcode = EXIT_FAILURE;
1005
/* If the interface is down, bring it up */
1006
if(interface[0] != '\0'){
1008
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1009
messages to mess up the prompt */
1010
ret = klogctl(8, NULL, 5);
1011
bool restore_loglevel = true;
1013
restore_loglevel = false;
1018
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1021
exitcode = EXIT_FAILURE;
1023
if(restore_loglevel){
1024
ret = klogctl(7, NULL, 0);
1032
strcpy(network.ifr_name, interface);
1033
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1035
perror("ioctl SIOCGIFFLAGS");
1037
if(restore_loglevel){
1038
ret = klogctl(7, NULL, 0);
1044
exitcode = EXIT_FAILURE;
1047
if((network.ifr_flags & IFF_UP) == 0){
1048
network.ifr_flags |= IFF_UP;
1049
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1051
perror("ioctl SIOCSIFFLAGS");
1052
exitcode = EXIT_FAILURE;
1054
if(restore_loglevel){
1055
ret = klogctl(7, NULL, 0);
1064
/* sleep checking until interface is running */
1065
for(int i=0; i < delay * 4; i++){
1066
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1068
perror("ioctl SIOCGIFFLAGS");
1069
} else if(network.ifr_flags & IFF_RUNNING){
1072
struct timespec sleeptime = { .tv_nsec = 250000000 };
1073
ret = nanosleep(&sleeptime, NULL);
1074
if(ret == -1 and errno != EINTR){
1075
perror("nanosleep");
1078
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1083
if(restore_loglevel){
1084
/* Restores kernel loglevel to default */
1085
ret = klogctl(7, NULL, 0);
1107
ret = init_gnutls_global(pubkey, seckey);
1109
fprintf(stderr, "init_gnutls_global failed\n");
1110
exitcode = EXIT_FAILURE;
1113
gnutls_initialized = true;
1116
if(mkdtemp(tempdir) == NULL){
1120
tempdir_created = true;
1122
if(not init_gpgme(pubkey, seckey, tempdir)){
1123
fprintf(stderr, "init_gpgme failed\n");
1124
exitcode = EXIT_FAILURE;
1127
gpgme_initialized = true;
1130
if(interface[0] != '\0'){
1131
if_index = (AvahiIfIndex) if_nametoindex(interface);
666
1132
if(if_index == 0){
667
1133
fprintf(stderr, "No such interface: \"%s\"\n", interface);
671
if(connect_to != NULL){
672
/* Connect directly, do not use Zeroconf */
673
/* (Mainly meant for debugging) */
674
char *address = strrchr(connect_to, ':');
676
fprintf(stderr, "No colon in address\n");
680
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
682
perror("Bad port number");
686
address = connect_to;
687
ret = start_mandos_communication(address, port, if_index);
696
avahi_set_log_function(empty_log);
699
/* Initialize the psuedo-RNG */
700
srand((unsigned int) time(NULL));
702
/* Allocate main loop object */
703
if (!(simple_poll = avahi_simple_poll_new())) {
704
fprintf(stderr, "Failed to create simple poll object.\n");
709
/* Do not publish any local records */
1134
exitcode = EXIT_FAILURE;
1139
if(connect_to != NULL){
1140
/* Connect directly, do not use Zeroconf */
1141
/* (Mainly meant for debugging) */
1142
char *address = strrchr(connect_to, ':');
1143
if(address == NULL){
1144
fprintf(stderr, "No colon in address\n");
1145
exitcode = EXIT_FAILURE;
1149
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1150
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1151
or address[numchars+1] != '\0'){
1152
fprintf(stderr, "Bad port number\n");
1153
exitcode = EXIT_FAILURE;
1156
port = (uint16_t)tmpmax;
1158
address = connect_to;
1159
/* Colon in address indicates IPv6 */
1161
if(strchr(address, ':') != NULL){
1166
ret = start_mandos_communication(address, port, if_index,
1169
exitcode = EXIT_FAILURE;
1171
exitcode = EXIT_SUCCESS;
1177
avahi_set_log_function(empty_log);
1180
/* Initialize the pseudo-RNG for Avahi */
1181
srand((unsigned int) time(NULL));
1183
/* Allocate main Avahi loop object */
1184
mc.simple_poll = avahi_simple_poll_new();
1185
if(mc.simple_poll == NULL){
1186
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1187
exitcode = EXIT_FAILURE;
1192
AvahiServerConfig config;
1193
/* Do not publish any local Zeroconf records */
710
1194
avahi_server_config_init(&config);
711
1195
config.publish_hinfo = 0;
712
1196
config.publish_addresses = 0;
713
1197
config.publish_workstation = 0;
714
1198
config.publish_domain = 0;
716
1200
/* Allocate a new server */
717
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
718
&config, NULL, NULL, &error);
720
/* Free the configuration data */
1201
mc.server = avahi_server_new(avahi_simple_poll_get
1202
(mc.simple_poll), &config, NULL,
1205
/* Free the Avahi configuration data */
721
1206
avahi_server_config_free(&config);
723
/* Check if creating the server object succeeded */
725
fprintf(stderr, "Failed to create server: %s\n",
726
avahi_strerror(error));
727
returncode = EXIT_FAILURE;
731
/* Create the service browser */
732
sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,
734
"_mandos._tcp", NULL, 0,
735
browse_callback, server);
737
fprintf(stderr, "Failed to create service browser: %s\n",
738
avahi_strerror(avahi_server_errno(server)));
739
returncode = EXIT_FAILURE;
743
/* Run the main loop */
746
fprintf(stderr, "Starting avahi loop search\n");
749
avahi_simple_poll_loop(simple_poll);
754
fprintf(stderr, "%s exiting\n", argv[0]);
759
avahi_s_service_browser_free(sb);
762
avahi_server_free(server);
765
avahi_simple_poll_free(simple_poll);
1209
/* Check if creating the Avahi server object succeeded */
1210
if(mc.server == NULL){
1211
fprintf(stderr, "Failed to create Avahi server: %s\n",
1212
avahi_strerror(error));
1213
exitcode = EXIT_FAILURE;
1217
/* Create the Avahi service browser */
1218
sb = avahi_s_service_browser_new(mc.server, if_index,
1219
AVAHI_PROTO_INET6, "_mandos._tcp",
1220
NULL, 0, browse_callback, NULL);
1222
fprintf(stderr, "Failed to create service browser: %s\n",
1223
avahi_strerror(avahi_server_errno(mc.server)));
1224
exitcode = EXIT_FAILURE;
1228
sigemptyset(&sigterm_action.sa_mask);
1229
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1231
perror("sigaddset");
1232
exitcode = EXIT_FAILURE;
1235
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1237
perror("sigaction");
1238
exitcode = EXIT_FAILURE;
1242
/* Run the main loop */
1245
fprintf(stderr, "Starting Avahi loop search\n");
1248
avahi_simple_poll_loop(mc.simple_poll);
1253
fprintf(stderr, "%s exiting\n", argv[0]);
1256
/* Cleanup things */
1258
avahi_s_service_browser_free(sb);
1260
if(mc.server != NULL)
1261
avahi_server_free(mc.server);
1263
if(mc.simple_poll != NULL)
1264
avahi_simple_poll_free(mc.simple_poll);
1266
if(gnutls_initialized){
1267
gnutls_certificate_free_credentials(mc.cred);
1268
gnutls_global_deinit();
1269
gnutls_dh_params_deinit(mc.dh_params);
1272
if(gpgme_initialized){
1273
gpgme_release(mc.ctx);
1276
/* Removes the temp directory used by GPGME */
1277
if(tempdir_created){
1279
struct dirent *direntry;
1280
d = opendir(tempdir);
1282
if(errno != ENOENT){
1287
direntry = readdir(d);
1288
if(direntry == NULL){
1291
/* Skip "." and ".." */
1292
if(direntry->d_name[0] == '.'
1293
and (direntry->d_name[1] == '\0'
1294
or (direntry->d_name[1] == '.'
1295
and direntry->d_name[2] == '\0'))){
1298
char *fullname = NULL;
1299
ret = asprintf(&fullname, "%s/%s", tempdir,
1305
ret = remove(fullname);
1307
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1314
ret = rmdir(tempdir);
1315
if(ret == -1 and errno != ENOENT){