To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.5
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.5
- Committer: Björn Påhlsson
- Date: 2008-07-31 16:20:47 UTC
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 30.
- Revision ID: belorn@braxen-20080731162047-lahe2b2prwjw8b2l
plugbasedclient:
Added support to disable plugins
Added support to change plugin directory
mandosclient.c
Fixed some funtion calls that lacked error handling
small bugfix
Added support to disable plugins
Added support to change plugin directory
mandosclient.c
Fixed some funtion calls that lacked error handling
small bugfix
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
8
8
* includes the following functions: "resolve_callback",
9
9
* "browse_callback", and parts of "main".
10
10
*
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
11
* Everything else is Copyright © 2007-2008 Teddy Hogeborn and Björn
12
* Påhlsson.
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
/* Needed by GPGME, specifically gpgme_data_seek() */
32
#define _FORTIFY_SOURCE 2
33
33
34
#define _LARGEFILE_SOURCE
34
35
#define _FILE_OFFSET_BITS 64
35
36
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
37
#include <stdio.h>
38
#include <assert.h>
39
#include <stdlib.h>
40
#include <time.h>
41
#include <net/if.h> /* if_nametoindex */
42
83
43
#include <avahi-core/core.h>
84
44
#include <avahi-core/lookup.h>
85
45
#include <avahi-core/log.h>
87
47
#include <avahi-common/malloc.h>
88
48
#include <avahi-common/error.h>
89
49
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
50
//mandos client part
51
#include <sys/types.h> /* socket(), inet_pton() */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton() */
54
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
55
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
56
57
#include <unistd.h> /* close() */
58
#include <netinet/in.h>
59
#include <stdbool.h> /* true */
60
#include <string.h> /* memset */
61
#include <arpa/inet.h> /* inet_pton() */
62
#include <iso646.h> /* not */
63
64
// gpgme
65
#include <errno.h> /* perror() */
66
#include <gpgme.h>
67
68
// getopt long
69
#include <getopt.h>
106
70
107
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
108
73
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
74
const char *certdir = "/conf/conf.d/cryptkeyreq/";
75
const char *certfile = "openpgp-client.txt";
76
const char *certkey = "openpgp-client-key.txt";
112
77
113
78
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
79
118
/* Used for passing in values through the Avahi callback functions */
119
80
typedef struct {
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
81
gnutls_session_t session;
122
82
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
124
83
gnutls_dh_params_t dh_params;
125
const char *priority;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
126
90
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
152
91
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
153
95
gpgme_engine_info_t engine_info;
154
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
96
97
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
193
99
}
194
100
195
101
/* Init GPGME */
196
102
gpgme_check_version(NULL);
197
103
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
if(rc != GPG_ERR_NO_ERROR){
104
if (rc != GPG_ERR_NO_ERROR){
199
105
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
200
106
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
107
return -1;
202
108
}
203
109
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
110
/* Set GPGME home directory */
111
rc = gpgme_get_engine_info (&engine_info);
112
if (rc != GPG_ERR_NO_ERROR){
207
113
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
208
114
gpgme_strsource(rc), gpgme_strerror(rc));
209
return false;
115
return -1;
210
116
}
211
117
while(engine_info != NULL){
212
118
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
213
119
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
214
engine_info->file_name, tempdir);
120
engine_info->file_name, homedir);
215
121
break;
216
122
}
217
123
engine_info = engine_info->next;
218
124
}
219
125
if(engine_info == NULL){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
126
fprintf(stderr, "Could not set home dir to %s\n", homedir);
127
return -1;
128
}
129
130
/* Create new GPGME data buffer from packet buffer */
131
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
132
if (rc != GPG_ERR_NO_ERROR){
261
133
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
262
134
gpgme_strsource(rc), gpgme_strerror(rc));
263
135
return -1;
265
137
266
138
/* Create new empty GPGME data buffer for the plaintext */
267
139
rc = gpgme_data_new(&dh_plain);
268
if(rc != GPG_ERR_NO_ERROR){
140
if (rc != GPG_ERR_NO_ERROR){
269
141
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
270
142
gpgme_strsource(rc), gpgme_strerror(rc));
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
143
return -1;
144
}
145
146
/* Create new GPGME "context" */
147
rc = gpgme_new(&ctx);
148
if (rc != GPG_ERR_NO_ERROR){
149
fprintf(stderr, "bad gpgme_new: %s: %s\n",
150
gpgme_strsource(rc), gpgme_strerror(rc));
151
return -1;
152
}
153
154
/* Decrypt data from the FILE pointer to the plaintext data
155
buffer */
156
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
157
if (rc != GPG_ERR_NO_ERROR){
279
158
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
280
159
gpgme_strsource(rc), gpgme_strerror(rc));
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
160
return -1;
161
}
162
163
if(debug){
164
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
165
}
166
167
if (debug){
168
gpgme_decrypt_result_t result;
169
result = gpgme_op_decrypt_result(ctx);
170
if (result == NULL){
171
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
172
} else {
173
fprintf(stderr, "Unsupported algorithm: %s\n",
174
result->unsupported_algorithm);
175
fprintf(stderr, "Wrong key usage: %d\n",
176
result->wrong_key_usage);
177
if(result->file_name != NULL){
178
fprintf(stderr, "File name: %s\n", result->file_name);
179
}
180
gpgme_recipient_t recipient;
181
recipient = result->recipients;
182
if(recipient){
183
while(recipient != NULL){
184
fprintf(stderr, "Public key algorithm: %s\n",
185
gpgme_pubkey_algo_name(recipient->pubkey_algo));
186
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
187
fprintf(stderr, "Secret key available: %s\n",
188
recipient->status == GPG_ERR_NO_SECKEY
189
? "No" : "Yes");
190
recipient = recipient->next;
307
191
}
308
192
}
309
193
}
310
goto decrypt_end;
311
194
}
312
195
313
if(debug){
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
196
/* Delete the GPGME FILE pointer cryptotext data buffer */
197
gpgme_data_release(dh_crypto);
316
198
317
199
/* Seek back to the beginning of the GPGME plaintext data buffer */
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
200
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
201
perror("pgpme_data_seek");
322
202
}
323
203
324
*plaintext = NULL;
204
*new_packet = 0;
325
205
while(true){
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
206
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
207
*new_packet = realloc(*new_packet,
208
(unsigned int)new_packet_capacity
209
+ BUFFER_SIZE);
210
if (*new_packet == NULL){
211
perror("realloc");
212
return -1;
213
}
214
new_packet_capacity += BUFFER_SIZE;
333
215
}
334
216
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
217
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
218
BUFFER_SIZE);
337
219
/* Print the data, if any */
338
if(ret == 0){
339
/* EOF */
220
if (ret == 0){
340
221
break;
341
222
}
342
223
if(ret < 0){
343
224
perror("gpgme_data_read");
344
plaintext_length = -1;
345
goto decrypt_end;
346
}
347
plaintext_length += ret;
348
}
349
350
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
356
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
225
return -1;
226
}
227
new_packet_length += ret;
228
}
229
230
/* FIXME: check characters before printing to screen so to not print
231
terminal control characters */
232
/* if(debug){ */
233
/* fprintf(stderr, "decrypted password is: "); */
234
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
235
/* fprintf(stderr, "\n"); */
236
/* } */
362
237
363
238
/* Delete the GPGME plaintext data buffer */
364
239
gpgme_data_release(dh_plain);
365
return plaintext_length;
240
return new_packet_length;
366
241
}
367
242
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
243
static const char * safer_gnutls_strerror (int value) {
244
const char *ret = gnutls_strerror (value);
245
if (ret == NULL)
372
246
ret = "(unknown)";
373
247
return ret;
374
248
}
375
249
376
/* GnuTLS log function callback */
377
static void debuggnutls(__attribute__((unused)) int level,
378
const char* string){
379
fprintf(stderr, "GnuTLS: %s", string);
250
void debuggnutls(__attribute__((unused)) int level,
251
const char* string){
252
fprintf(stderr, "%s", string);
380
253
}
381
254
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
255
int initgnutls(encrypted_session *es){
256
const char *err;
385
257
int ret;
386
258
387
259
if(debug){
388
260
fprintf(stderr, "Initializing GnuTLS\n");
389
261
}
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
262
263
if ((ret = gnutls_global_init ())
264
!= GNUTLS_E_SUCCESS) {
265
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
395
266
return -1;
396
267
}
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
268
269
if (debug){
402
270
gnutls_global_set_log_level(11);
403
271
gnutls_global_set_log_function(debuggnutls);
404
272
}
405
273
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
274
/* openpgp credentials */
275
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
276
!= GNUTLS_E_SUCCESS) {
277
fprintf (stderr, "memory error: %s\n",
278
safer_gnutls_strerror(ret));
415
279
return -1;
416
280
}
417
281
418
282
if(debug){
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
283
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
284
" and keyfile %s as GnuTLS credentials\n", certfile,
285
certkey);
422
286
}
423
287
424
288
ret = gnutls_certificate_set_openpgp_key_file
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
289
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
290
if (ret != GNUTLS_E_SUCCESS) {
291
fprintf
292
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
293
" '%s')\n",
294
ret, certfile, certkey);
295
fprintf(stdout, "The Error is: %s\n",
296
safer_gnutls_strerror(ret));
297
return -1;
298
}
299
300
//GnuTLS server initialization
301
if ((ret = gnutls_dh_params_init (&es->dh_params))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in dh parameter initialization: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
309
!= GNUTLS_E_SUCCESS) {
310
fprintf (stderr, "Error in prime generation: %s\n",
311
safer_gnutls_strerror(ret));
312
return -1;
313
}
314
315
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
316
317
// GnuTLS session creation
318
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
319
!= GNUTLS_E_SUCCESS){
468
320
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
469
321
safer_gnutls_strerror(ret));
470
322
}
471
323
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
324
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
325
!= GNUTLS_E_SUCCESS) {
326
fprintf(stderr, "Syntax error at: %s\n", err);
327
fprintf(stderr, "GnuTLS error: %s\n",
328
safer_gnutls_strerror(ret));
329
return -1;
482
330
}
483
331
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
332
if ((ret = gnutls_credentials_set
333
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
334
!= GNUTLS_E_SUCCESS) {
335
fprintf(stderr, "Error setting a credentials set: %s\n",
488
336
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
490
337
return -1;
491
338
}
492
339
493
340
/* ignore client certificate if any. */
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
341
gnutls_certificate_server_set_request (es->session,
342
GNUTLS_CERT_IGNORE);
496
343
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
344
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
345
499
346
return 0;
500
347
}
501
348
502
/* Avahi log function callback */
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
504
__attribute__((unused)) const char *txt){}
349
void empty_log(__attribute__((unused)) AvahiLogLevel level,
350
__attribute__((unused)) const char *txt){}
505
351
506
/* Called when a Mandos server is found */
507
static int start_mandos_communication(const char *ip, uint16_t port,
508
AvahiIfIndex if_index,
509
mandos_context *mc){
352
int start_mandos_communication(const char *ip, uint16_t port,
353
unsigned int if_index){
510
354
int ret, tcp_sd;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
355
struct sockaddr_in6 to;
356
encrypted_session es;
513
357
char *buffer = NULL;
514
358
char *decrypted_buffer;
515
359
size_t buffer_length = 0;
516
360
size_t buffer_capacity = 0;
517
361
ssize_t decrypted_buffer_size;
518
size_t written;
362
size_t written = 0;
519
363
int retval = 0;
520
364
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
527
365
528
366
if(debug){
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
367
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
531
368
}
532
369
533
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
536
373
return -1;
537
374
}
538
375
539
if(debug){
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(if_indextoname(if_index, interface) == NULL){
377
if(debug){
541
378
perror("if_indextoname");
542
return -1;
543
379
}
380
return -1;
381
}
382
383
if(debug){
544
384
fprintf(stderr, "Binding to interface %s\n", interface);
545
385
}
546
386
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
553
391
perror("inet_pton");
554
392
return -1;
555
}
393
}
556
394
if(ret == 0){
557
395
fprintf(stderr, "Bad address: %s\n", ip);
558
396
return -1;
559
397
}
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
398
to.sin6_port = htons(port); /* Spurious warning */
563
399
564
to.in6.sin6_scope_id = (uint32_t)if_index;
400
to.sin6_scope_id = (uint32_t)if_index;
565
401
566
402
if(debug){
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
569
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
571
sizeof(addrstr)) == NULL){
572
perror("inet_ntop");
573
} else {
574
if(strcmp(addrstr, ip) != 0){
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
576
}
577
}
403
fprintf(stderr, "Connection to: %s\n", ip);
578
404
}
579
405
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
406
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
407
if (ret < 0){
582
408
perror("connect");
583
409
return -1;
584
410
}
585
411
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
412
ret = initgnutls (&es);
413
if (ret != 0){
414
retval = -1;
415
return -1;
608
416
}
609
417
418
gnutls_transport_set_ptr (es.session,
419
(gnutls_transport_ptr_t) tcp_sd);
420
610
421
if(debug){
611
422
fprintf(stderr, "Establishing TLS session with %s\n", ip);
612
423
}
613
424
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
425
ret = gnutls_handshake (es.session);
426
427
if (ret != GNUTLS_E_SUCCESS){
621
428
if(debug){
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
429
fprintf(stderr, "\n*** Handshake failed ***\n");
430
gnutls_perror (ret);
624
431
}
625
432
retval = -1;
626
goto mandos_end;
433
goto exit;
627
434
}
628
435
629
/* Read OpenPGP packet that contains the wanted password */
436
//Retrieve OpenPGP packet that contains the wanted password
630
437
631
438
if(debug){
632
439
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
633
440
ip);
634
441
}
635
442
636
443
while(true){
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
444
if (buffer_length + BUFFER_SIZE > buffer_capacity){
445
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
446
if (buffer == NULL){
447
perror("realloc");
448
goto exit;
449
}
450
buffer_capacity += BUFFER_SIZE;
643
451
}
644
452
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
453
ret = gnutls_record_recv
454
(es.session, buffer+buffer_length, BUFFER_SIZE);
455
if (ret == 0){
648
456
break;
649
457
}
650
if(sret < 0){
651
switch(sret){
458
if (ret < 0){
459
switch(ret){
652
460
case GNUTLS_E_INTERRUPTED:
653
461
case GNUTLS_E_AGAIN:
654
462
break;
655
463
case GNUTLS_E_REHANDSHAKE:
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
464
ret = gnutls_handshake (es.session);
465
if (ret < 0){
466
fprintf(stderr, "\n*** Handshake failed ***\n");
467
gnutls_perror (ret);
662
468
retval = -1;
663
goto mandos_end;
469
goto exit;
664
470
}
665
471
break;
666
472
default:
667
473
fprintf(stderr, "Unknown error while reading data from"
668
" encrypted session with Mandos server\n");
474
" encrypted session with mandos server\n");
669
475
retval = -1;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
476
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
477
goto exit;
672
478
}
673
479
} else {
674
buffer_length += (size_t) sret;
480
buffer_length += (size_t) ret;
675
481
}
676
482
}
677
483
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
484
if (buffer_length > 0){
485
decrypted_buffer_size = pgp_packet_decrypt(buffer,
686
486
buffer_length,
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
690
while(written < (size_t) decrypted_buffer_size){
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
487
&decrypted_buffer,
488
certdir);
489
if (decrypted_buffer_size >= 0){
490
while(written < decrypted_buffer_size){
491
ret = (int)fwrite (decrypted_buffer + written, 1,
492
(size_t)decrypted_buffer_size - written,
493
stdout);
694
494
if(ret == 0 and ferror(stdout)){
695
495
if(debug){
696
496
fprintf(stderr, "Error writing encrypted data: %s\n",
705
505
} else {
706
506
retval = -1;
707
507
}
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
508
}
509
510
//shutdown procedure
511
512
if(debug){
513
fprintf(stderr, "Closing TLS session\n");
514
}
515
715
516
free(buffer);
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
517
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
518
exit:
519
close(tcp_sd);
520
gnutls_deinit (es.session);
521
gnutls_certificate_free_credentials (es.cred);
522
gnutls_global_deinit ();
721
523
return retval;
722
524
}
723
525
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
526
static AvahiSimplePoll *simple_poll = NULL;
527
static AvahiServer *server = NULL;
528
529
static void resolve_callback(
530
AvahiSServiceResolver *r,
531
AvahiIfIndex interface,
532
AVAHI_GCC_UNUSED AvahiProtocol protocol,
533
AvahiResolverEvent event,
534
const char *name,
535
const char *type,
536
const char *domain,
537
const char *host_name,
538
const AvahiAddress *address,
539
uint16_t port,
540
AVAHI_GCC_UNUSED AvahiStringList *txt,
541
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
542
AVAHI_GCC_UNUSED void* userdata) {
543
544
assert(r); /* Spurious warning */
740
545
741
546
/* Called whenever a service has been resolved successfully or
742
547
timed out */
743
548
744
switch(event) {
549
switch (event) {
745
550
default:
746
551
case AVAHI_RESOLVER_FAILURE:
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
552
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
553
" type '%s' in domain '%s': %s\n", name, type, domain,
554
avahi_strerror(avahi_server_errno(server)));
750
555
break;
751
556
752
557
case AVAHI_RESOLVER_FOUND:
754
559
char ip[AVAHI_ADDRESS_STR_MAX];
755
560
avahi_address_snprint(ip, sizeof(ip), address);
756
561
if(debug){
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
562
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
563
" port %d\n", name, host_name, ip, port);
760
564
}
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
565
int ret = start_mandos_communication(ip, port,
566
(unsigned int) interface);
567
if (ret == 0){
568
exit(EXIT_SUCCESS);
764
569
}
765
570
}
766
571
}
767
572
avahi_s_service_resolver_free(r);
768
573
}
769
574
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
575
static void browse_callback(
576
AvahiSServiceBrowser *b,
577
AvahiIfIndex interface,
578
AvahiProtocol protocol,
579
AvahiBrowserEvent event,
580
const char *name,
581
const char *type,
582
const char *domain,
583
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
584
void* userdata) {
585
586
AvahiServer *s = userdata;
587
assert(b); /* Spurious warning */
588
589
/* Called whenever a new services becomes available on the LAN or
590
is removed from the LAN */
591
592
switch (event) {
593
default:
594
case AVAHI_BROWSER_FAILURE:
595
596
fprintf(stderr, "(Browser) %s\n",
597
avahi_strerror(avahi_server_errno(server)));
598
avahi_simple_poll_quit(simple_poll);
599
return;
600
601
case AVAHI_BROWSER_NEW:
602
/* We ignore the returned resolver object. In the callback
603
function we free it. If the server is terminated before
604
the callback function is called the server will free
605
the resolver for us. */
606
607
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
608
type, domain,
609
AVAHI_PROTO_INET6, 0,
610
resolve_callback, s)))
611
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
612
avahi_strerror(avahi_server_errno(s)));
613
break;
614
615
case AVAHI_BROWSER_REMOVE:
616
break;
617
618
case AVAHI_BROWSER_ALL_FOR_NOW:
619
case AVAHI_BROWSER_CACHE_EXHAUSTED:
620
break;
816
621
}
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
622
}
623
624
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
625
const char *combinepath(const char *first, const char *second){
626
char *tmp;
627
tmp = malloc(strlen(first) + strlen(second) + 2);
628
if (tmp == NULL){
629
perror("malloc");
630
return NULL;
631
}
632
strcpy(tmp, first);
633
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
634
strcat(tmp, "/");
635
}
636
strcat(tmp, second);
637
return tmp;
638
}
639
640
641
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
642
AvahiServerConfig config;
822
643
AvahiSServiceBrowser *sb = NULL;
823
644
int error;
824
645
int ret;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
646
int returncode = EXIT_SUCCESS;
828
647
const char *interface = "eth0";
829
struct ifreq network;
830
int sd;
831
uid_t uid;
832
gid_t gid;
833
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
835
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initialized = false;
843
bool gpgme_initialized = false;
844
845
{
846
struct argp_option options[] = {
847
{ .name = "debug", .key = 128,
848
.doc = "Debug mode", .group = 3 },
849
{ .name = "connect", .key = 'c',
850
.arg = "ADDRESS:PORT",
851
.doc = "Connect directly to a specific Mandos server",
852
.group = 1 },
853
{ .name = "interface", .key = 'i',
854
.arg = "NAME",
855
.doc = "Interface that will be used to search for Mandos"
856
" servers",
857
.group = 1 },
858
{ .name = "seckey", .key = 's',
859
.arg = "FILE",
860
.doc = "OpenPGP secret key file base name",
861
.group = 1 },
862
{ .name = "pubkey", .key = 'p',
863
.arg = "FILE",
864
.doc = "OpenPGP public key file base name",
865
.group = 2 },
866
{ .name = "dh-bits", .key = 129,
867
.arg = "BITS",
868
.doc = "Bit length of the prime number used in the"
869
" Diffie-Hellman key exchange",
870
.group = 2 },
871
{ .name = "priority", .key = 130,
872
.arg = "STRING",
873
.doc = "GnuTLS priority string for the TLS handshake",
874
.group = 1 },
875
{ .name = NULL }
876
};
877
878
error_t parse_opt(int key, char *arg,
879
struct argp_state *state) {
880
switch(key) {
881
case 128: /* --debug */
882
debug = true;
883
break;
884
case 'c': /* --connect */
885
connect_to = arg;
886
break;
887
case 'i': /* --interface */
888
interface = arg;
889
break;
890
case 's': /* --seckey */
891
seckey = arg;
892
break;
893
case 'p': /* --pubkey */
894
pubkey = arg;
895
break;
896
case 129: /* --dh-bits */
897
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
898
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
899
or arg[numchars] != '\0'){
900
fprintf(stderr, "Bad number of DH bits\n");
901
exit(EXIT_FAILURE);
902
}
903
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
904
break;
905
case 130: /* --priority */
906
mc.priority = arg;
907
break;
908
case ARGP_KEY_ARG:
909
argp_usage(state);
910
case ARGP_KEY_END:
911
break;
912
default:
913
return ARGP_ERR_UNKNOWN;
914
}
915
return 0;
916
}
917
918
struct argp argp = { .options = options, .parser = parse_opt,
919
.args_doc = "",
920
.doc = "Mandos client -- Get and decrypt"
921
" passwords from a Mandos server" };
922
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
923
if(ret == ARGP_ERR_UNKNOWN){
924
fprintf(stderr, "Unknown error while parsing arguments\n");
925
exitcode = EXIT_FAILURE;
926
goto end;
927
}
928
}
929
930
/* If the interface is down, bring it up */
931
{
932
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
933
if(sd < 0) {
934
perror("socket");
935
exitcode = EXIT_FAILURE;
936
goto end;
937
}
938
strcpy(network.ifr_name, interface);
939
ret = ioctl(sd, SIOCGIFFLAGS, &network);
940
if(ret == -1){
941
perror("ioctl SIOCGIFFLAGS");
942
exitcode = EXIT_FAILURE;
943
goto end;
944
}
945
if((network.ifr_flags & IFF_UP) == 0){
946
network.ifr_flags |= IFF_UP;
947
ret = ioctl(sd, SIOCSIFFLAGS, &network);
948
if(ret == -1){
949
perror("ioctl SIOCSIFFLAGS");
950
exitcode = EXIT_FAILURE;
951
goto end;
952
}
953
}
954
ret = (int)TEMP_FAILURE_RETRY(close(sd));
955
if(ret == -1){
956
perror("close");
957
}
958
}
959
960
uid = getuid();
961
gid = getgid();
962
963
ret = setuid(uid);
964
if(ret == -1){
965
perror("setuid");
966
}
967
968
setgid(gid);
969
if(ret == -1){
970
perror("setgid");
971
}
972
973
ret = init_gnutls_global(&mc, pubkey, seckey);
974
if(ret == -1){
975
fprintf(stderr, "init_gnutls_global failed\n");
976
exitcode = EXIT_FAILURE;
977
goto end;
978
} else {
979
gnutls_initialized = true;
980
}
981
982
if(mkdtemp(tempdir) == NULL){
983
perror("mkdtemp");
984
tempdir[0] = '\0';
985
goto end;
986
}
987
988
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
989
fprintf(stderr, "init_gpgme failed\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
} else {
993
gpgme_initialized = true;
994
}
995
996
if_index = (AvahiIfIndex) if_nametoindex(interface);
997
if(if_index == 0){
998
fprintf(stderr, "No such interface: \"%s\"\n", interface);
999
exit(EXIT_FAILURE);
1000
}
1001
1002
if(connect_to != NULL){
1003
/* Connect directly, do not use Zeroconf */
1004
/* (Mainly meant for debugging) */
1005
char *address = strrchr(connect_to, ':');
1006
if(address == NULL){
1007
fprintf(stderr, "No colon in address\n");
1008
exitcode = EXIT_FAILURE;
1009
goto end;
1010
}
1011
uint16_t port;
1012
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1013
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1014
or address[numchars+1] != '\0'){
1015
fprintf(stderr, "Bad port number\n");
1016
exitcode = EXIT_FAILURE;
1017
goto end;
1018
}
1019
port = (uint16_t)tmpmax;
1020
*address = '\0';
1021
address = connect_to;
1022
ret = start_mandos_communication(address, port, if_index, &mc);
1023
if(ret < 0){
1024
exitcode = EXIT_FAILURE;
1025
} else {
1026
exitcode = EXIT_SUCCESS;
1027
}
1028
goto end;
1029
}
1030
1031
if(not debug){
648
649
while (true){
650
static struct option long_options[] = {
651
{"debug", no_argument, (int *)&debug, 1},
652
{"interface", required_argument, 0, 'i'},
653
{"certdir", required_argument, 0, 'd'},
654
{"certkey", required_argument, 0, 'c'},
655
{"certfile", required_argument, 0, 'k'},
656
{0, 0, 0, 0} };
657
658
int option_index = 0;
659
ret = getopt_long (argc, argv, "i:", long_options,
660
&option_index);
661
662
if (ret == -1){
663
break;
664
}
665
666
switch(ret){
667
case 0:
668
break;
669
case 'i':
670
interface = optarg;
671
break;
672
case 'd':
673
certdir = optarg;
674
break;
675
case 'c':
676
certfile = optarg;
677
break;
678
case 'k':
679
certkey = optarg;
680
break;
681
default:
682
exit(EXIT_FAILURE);
683
}
684
}
685
686
certfile = combinepath(certdir, certfile);
687
if (certfile == NULL){
688
goto exit;
689
}
690
691
certkey = combinepath(certdir, certkey);
692
if (certkey == NULL){
693
goto exit;
694
}
695
696
if (not debug){
1032
697
avahi_set_log_function(empty_log);
1033
698
}
1034
699
1035
/* Initialize the pseudo-RNG for Avahi */
700
/* Initialize the psuedo-RNG */
1036
701
srand((unsigned int) time(NULL));
1037
1038
/* Allocate main Avahi loop object */
1039
mc.simple_poll = avahi_simple_poll_new();
1040
if(mc.simple_poll == NULL) {
1041
fprintf(stderr, "Avahi: Failed to create simple poll"
1042
" object.\n");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
1047
{
1048
AvahiServerConfig config;
1049
/* Do not publish any local Zeroconf records */
1050
avahi_server_config_init(&config);
1051
config.publish_hinfo = 0;
1052
config.publish_addresses = 0;
1053
config.publish_workstation = 0;
1054
config.publish_domain = 0;
1055
1056
/* Allocate a new server */
1057
mc.server = avahi_server_new(avahi_simple_poll_get
1058
(mc.simple_poll), &config, NULL,
1059
NULL, &error);
1060
1061
/* Free the Avahi configuration data */
1062
avahi_server_config_free(&config);
1063
}
1064
1065
/* Check if creating the Avahi server object succeeded */
1066
if(mc.server == NULL) {
1067
fprintf(stderr, "Failed to create Avahi server: %s\n",
702
703
/* Allocate main loop object */
704
if (!(simple_poll = avahi_simple_poll_new())) {
705
fprintf(stderr, "Failed to create simple poll object.\n");
706
707
goto exit;
708
}
709
710
/* Do not publish any local records */
711
avahi_server_config_init(&config);
712
config.publish_hinfo = 0;
713
config.publish_addresses = 0;
714
config.publish_workstation = 0;
715
config.publish_domain = 0;
716
717
/* Allocate a new server */
718
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
719
&config, NULL, NULL, &error);
720
721
/* Free the configuration data */
722
avahi_server_config_free(&config);
723
724
/* Check if creating the server object succeeded */
725
if (!server) {
726
fprintf(stderr, "Failed to create server: %s\n",
1068
727
avahi_strerror(error));
1069
exitcode = EXIT_FAILURE;
1070
goto end;
728
returncode = EXIT_FAILURE;
729
goto exit;
1071
730
}
1072
731
1073
/* Create the Avahi service browser */
1074
sb = avahi_s_service_browser_new(mc.server, if_index,
732
/* Create the service browser */
733
sb = avahi_s_service_browser_new(server,
734
(AvahiIfIndex)
735
if_nametoindex(interface),
1075
736
AVAHI_PROTO_INET6,
1076
737
"_mandos._tcp", NULL, 0,
1077
browse_callback, &mc);
1078
if(sb == NULL) {
738
browse_callback, server);
739
if (!sb) {
1079
740
fprintf(stderr, "Failed to create service browser: %s\n",
1080
avahi_strerror(avahi_server_errno(mc.server)));
1081
exitcode = EXIT_FAILURE;
1082
goto end;
741
avahi_strerror(avahi_server_errno(server)));
742
returncode = EXIT_FAILURE;
743
goto exit;
1083
744
}
1084
745
1085
746
/* Run the main loop */
1086
1087
if(debug){
1088
fprintf(stderr, "Starting Avahi loop search\n");
747
748
if (debug){
749
fprintf(stderr, "Starting avahi loop search\n");
1089
750
}
1090
751
1091
avahi_simple_poll_loop(mc.simple_poll);
1092
1093
end:
1094
1095
if(debug){
752
avahi_simple_poll_loop(simple_poll);
753
754
exit:
755
756
if (debug){
1096
757
fprintf(stderr, "%s exiting\n", argv[0]);
1097
758
}
1098
759
1099
760
/* Cleanup things */
1100
if(sb != NULL)
761
if (sb)
1101
762
avahi_s_service_browser_free(sb);
1102
763
1103
if(mc.server != NULL)
1104
avahi_server_free(mc.server);
1105
1106
if(mc.simple_poll != NULL)
1107
avahi_simple_poll_free(mc.simple_poll);
1108
1109
if(gnutls_initialized){
1110
gnutls_certificate_free_credentials(mc.cred);
1111
gnutls_global_deinit();
1112
gnutls_dh_params_deinit(mc.dh_params);
1113
}
1114
1115
if(gpgme_initialized){
1116
gpgme_release(mc.ctx);
1117
}
1118
1119
/* Removes the temp directory used by GPGME */
1120
if(tempdir[0] != '\0'){
1121
DIR *d;
1122
struct dirent *direntry;
1123
d = opendir(tempdir);
1124
if(d == NULL){
1125
if(errno != ENOENT){
1126
perror("opendir");
1127
}
1128
} else {
1129
while(true){
1130
direntry = readdir(d);
1131
if(direntry == NULL){
1132
break;
1133
}
1134
/* Skip "." and ".." */
1135
if(direntry->d_name[0] == '.'
1136
and (direntry->d_name[1] == '\0'
1137
or (direntry->d_name[1] == '.'
1138
and direntry->d_name[2] == '\0'))){
1139
continue;
1140
}
1141
char *fullname = NULL;
1142
ret = asprintf(&fullname, "%s/%s", tempdir,
1143
direntry->d_name);
1144
if(ret < 0){
1145
perror("asprintf");
1146
continue;
1147
}
1148
ret = remove(fullname);
1149
if(ret == -1){
1150
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1151
strerror(errno));
1152
}
1153
free(fullname);
1154
}
1155
closedir(d);
1156
}
1157
ret = rmdir(tempdir);
1158
if(ret == -1 and errno != ENOENT){
1159
perror("rmdir");
1160
}
1161
}
1162
1163
return exitcode;
764
if (server)
765
avahi_server_free(server);
766
767
if (simple_poll)
768
avahi_simple_poll_free(simple_poll);
769
free(certfile);
770
free(certkey);
771
772
return returncode;
1164
773
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0