To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 24.1.7
- compare with another revision
- download diff
- download tarball
- view history from revision 24.1.7
- Committer: Björn Påhlsson
- Date: 2008-08-02 15:47:42 UTC
- mfrom: (36 mandos)
- mto: (237.7.1 mandos) (24.1.154 mandos)
- mto: This revision was merged to the branch mainline in revision 38.
- Revision ID: belorn@braxen-20080802154742-pixsom1utki8x3yo
merge
- files modified:
- TODO
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
35
#include <stdio.h>
38
36
#include <assert.h>
39
37
#include <stdlib.h>
40
38
#include <time.h>
41
39
#include <net/if.h> /* if_nametoindex */
42
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
43
SIOCSIFFLAGS */
44
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
45
SIOCSIFFLAGS */
40
#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
41
#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS
46
42
47
43
#include <avahi-core/core.h>
48
44
#include <avahi-core/lookup.h>
51
47
#include <avahi-common/malloc.h>
52
48
#include <avahi-common/error.h>
53
49
54
/* Mandos client part */
50
//mandos client part
55
51
#include <sys/types.h> /* socket(), inet_pton() */
56
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
57
53
struct in6_addr, inet_pton() */
64
60
#include <string.h> /* memset */
65
61
#include <arpa/inet.h> /* inet_pton() */
66
62
#include <iso646.h> /* not */
67
#include <net/if.h> /* IF_NAMESIZE */
68
63
69
/* GPGME */
64
// gpgme
70
65
#include <errno.h> /* perror() */
71
66
#include <gpgme.h>
72
67
73
/* getopt_long */
68
// getopt long
74
69
#include <getopt.h>
75
70
76
71
#define BUFFER_SIZE 256
72
#define DH_BITS 1024
77
73
78
static const char *keydir = "/conf/conf.d/mandos";
79
static const char *pubkeyfile = "pubkey.txt";
80
static const char *seckeyfile = "seckey.txt";
74
static const char *certdir = "/conf/conf.d/mandos";
75
static const char *certfile = "openpgp-client.txt";
76
static const char *certkey = "openpgp-client-key.txt";
81
77
82
78
bool debug = false;
83
79
84
const char mandos_protocol_version[] = "1";
85
86
/* Used for passing in values through all the callback functions */
87
80
typedef struct {
88
AvahiSimplePoll *simple_poll;
89
AvahiServer *server;
81
gnutls_session_t session;
90
82
gnutls_certificate_credentials_t cred;
91
unsigned int dh_bits;
92
83
gnutls_dh_params_t dh_params;
93
const char *priority;
94
} mandos_context;
95
96
size_t adjustbuffer(char **buffer, size_t buffer_length,
97
size_t buffer_capacity){
98
if (buffer_length + BUFFER_SIZE > buffer_capacity){
99
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
100
if (buffer == NULL){
101
return 0;
102
}
103
buffer_capacity += BUFFER_SIZE;
104
}
105
return buffer_capacity;
106
}
107
108
/*
109
* Decrypt OpenPGP data using keyrings in HOMEDIR.
110
* Returns -1 on error
111
*/
112
static ssize_t pgp_packet_decrypt (const char *cryptotext,
113
size_t crypto_size,
114
char **plaintext,
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
115
89
const char *homedir){
116
90
gpgme_data_t dh_crypto, dh_plain;
117
91
gpgme_ctx_t ctx;
118
92
gpgme_error_t rc;
119
93
ssize_t ret;
120
size_t plaintext_capacity = 0;
121
ssize_t plaintext_length = 0;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
122
96
gpgme_engine_info_t engine_info;
123
97
124
98
if (debug){
125
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
126
100
}
127
101
128
102
/* Init GPGME */
134
108
return -1;
135
109
}
136
110
137
/* Set GPGME home directory for the OpenPGP engine only */
111
/* Set GPGME home directory */
138
112
rc = gpgme_get_engine_info (&engine_info);
139
113
if (rc != GPG_ERR_NO_ERROR){
140
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
150
124
engine_info = engine_info->next;
151
125
}
152
126
if(engine_info == NULL){
153
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
154
128
return -1;
155
129
}
156
130
157
/* Create new GPGME data buffer from memory cryptotext */
158
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
159
0);
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
160
133
if (rc != GPG_ERR_NO_ERROR){
161
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
162
135
gpgme_strsource(rc), gpgme_strerror(rc));
168
141
if (rc != GPG_ERR_NO_ERROR){
169
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
170
143
gpgme_strsource(rc), gpgme_strerror(rc));
171
gpgme_data_release(dh_crypto);
172
144
return -1;
173
145
}
174
146
177
149
if (rc != GPG_ERR_NO_ERROR){
178
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
179
151
gpgme_strsource(rc), gpgme_strerror(rc));
180
plaintext_length = -1;
181
goto decrypt_end;
152
return -1;
182
153
}
183
154
184
/* Decrypt data from the cryptotext data buffer to the plaintext
185
data buffer */
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
186
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
187
158
if (rc != GPG_ERR_NO_ERROR){
188
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
189
160
gpgme_strsource(rc), gpgme_strerror(rc));
190
plaintext_length = -1;
191
goto decrypt_end;
161
return -1;
192
162
}
193
163
194
164
if(debug){
195
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
196
166
}
197
167
198
168
if (debug){
199
169
gpgme_decrypt_result_t result;
200
170
result = gpgme_op_decrypt_result(ctx);
224
194
}
225
195
}
226
196
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
199
227
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
228
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
229
202
perror("pgpme_data_seek");
230
plaintext_length = -1;
231
goto decrypt_end;
232
203
}
233
204
234
*plaintext = NULL;
205
*new_packet = 0;
235
206
while(true){
236
plaintext_capacity = adjustbuffer(plaintext, (size_t)plaintext_length,
237
plaintext_capacity);
238
if (plaintext_capacity == 0){
239
perror("adjustbuffer");
240
plaintext_length = -1;
241
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
242
216
}
243
217
244
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
245
219
BUFFER_SIZE);
246
220
/* Print the data, if any */
247
221
if (ret == 0){
248
/* EOF */
249
222
break;
250
223
}
251
224
if(ret < 0){
252
225
perror("gpgme_data_read");
253
plaintext_length = -1;
254
goto decrypt_end;
226
return -1;
255
227
}
256
plaintext_length += ret;
228
new_packet_length += ret;
257
229
}
258
230
259
if(debug){
260
fprintf(stderr, "Decrypted password is: ");
261
for(ssize_t i = 0; i < plaintext_length; i++){
262
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
263
}
264
fprintf(stderr, "\n");
265
}
266
267
decrypt_end:
268
269
/* Delete the GPGME cryptotext data buffer */
270
gpgme_data_release(dh_crypto);
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
271
238
272
239
/* Delete the GPGME plaintext data buffer */
273
240
gpgme_data_release(dh_plain);
274
return plaintext_length;
241
return new_packet_length;
275
242
}
276
243
277
244
static const char * safer_gnutls_strerror (int value) {
281
248
return ret;
282
249
}
283
250
284
/* GnuTLS log function callback */
285
251
static void debuggnutls(__attribute__((unused)) int level,
286
252
const char* string){
287
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
288
254
}
289
255
290
static int init_gnutls_global(mandos_context *mc){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
291
258
int ret;
292
259
293
260
if(debug){
296
263
297
264
if ((ret = gnutls_global_init ())
298
265
!= GNUTLS_E_SUCCESS) {
299
fprintf (stderr, "GnuTLS global_init: %s\n",
300
safer_gnutls_strerror(ret));
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
301
267
return -1;
302
268
}
303
269
304
270
if (debug){
305
/* "Use a log level over 10 to enable all debugging options."
306
* - GnuTLS manual
307
*/
308
271
gnutls_global_set_log_level(11);
309
272
gnutls_global_set_log_function(debuggnutls);
310
273
}
311
274
312
/* OpenPGP credentials */
313
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
314
277
!= GNUTLS_E_SUCCESS) {
315
fprintf (stderr, "GnuTLS memory error: %s\n",
278
fprintf (stderr, "memory error: %s\n",
316
279
safer_gnutls_strerror(ret));
317
280
return -1;
318
281
}
319
282
320
283
if(debug){
321
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
322
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
323
seckeyfile);
285
" and keyfile %s as GnuTLS credentials\n", certfile,
286
certkey);
324
287
}
325
288
326
289
ret = gnutls_certificate_set_openpgp_key_file
327
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
290
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
328
291
if (ret != GNUTLS_E_SUCCESS) {
329
fprintf(stderr,
330
"Error[%d] while reading the OpenPGP key pair ('%s',"
331
" '%s')\n", ret, pubkeyfile, seckeyfile);
332
fprintf(stdout, "The GnuTLS error is: %s\n",
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, certfile, certkey);
296
fprintf(stdout, "The Error is: %s\n",
333
297
safer_gnutls_strerror(ret));
334
298
return -1;
335
299
}
336
300
337
/* GnuTLS server initialization */
338
ret = gnutls_dh_params_init(&mc->dh_params);
339
if (ret != GNUTLS_E_SUCCESS) {
340
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
341
" %s\n", safer_gnutls_strerror(ret));
342
return -1;
343
}
344
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
345
if (ret != GNUTLS_E_SUCCESS) {
346
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
347
safer_gnutls_strerror(ret));
348
return -1;
349
}
350
351
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
352
353
return 0;
354
}
355
356
static int init_gnutls_session(mandos_context *mc, gnutls_session_t *session){
357
int ret;
358
/* GnuTLS session creation */
359
ret = gnutls_init(session, GNUTLS_SERVER);
360
if (ret != GNUTLS_E_SUCCESS){
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
361
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
362
322
safer_gnutls_strerror(ret));
363
323
}
364
324
365
{
366
const char *err;
367
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
368
if (ret != GNUTLS_E_SUCCESS) {
369
fprintf(stderr, "Syntax error at: %s\n", err);
370
fprintf(stderr, "GnuTLS error: %s\n",
371
safer_gnutls_strerror(ret));
372
return -1;
373
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
374
331
}
375
332
376
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
377
mc->cred);
378
if (ret != GNUTLS_E_SUCCESS) {
379
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
380
337
safer_gnutls_strerror(ret));
381
338
return -1;
382
339
}
383
340
384
341
/* ignore client certificate if any. */
385
gnutls_certificate_server_set_request (*session,
342
gnutls_certificate_server_set_request (es->session,
386
343
GNUTLS_CERT_IGNORE);
387
344
388
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
345
gnutls_dh_set_prime_bits (es->session, DH_BITS);
389
346
390
347
return 0;
391
348
}
392
349
393
/* Avahi log function callback */
394
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
395
351
__attribute__((unused)) const char *txt){}
396
352
397
/* Called when a Mandos server is found */
398
353
static int start_mandos_communication(const char *ip, uint16_t port,
399
AvahiIfIndex if_index,
400
mandos_context *mc){
354
AvahiIfIndex if_index){
401
355
int ret, tcp_sd;
402
356
struct sockaddr_in6 to;
357
encrypted_session es;
403
358
char *buffer = NULL;
404
359
char *decrypted_buffer;
405
360
size_t buffer_length = 0;
406
361
size_t buffer_capacity = 0;
407
362
ssize_t decrypted_buffer_size;
408
size_t written;
363
size_t written = 0;
409
364
int retval = 0;
410
365
char interface[IF_NAMESIZE];
411
gnutls_session_t session;
412
gnutls_dh_params_t dh_params;
413
414
ret = init_gnutls_session (mc, &session);
415
if (ret != 0){
416
return -1;
417
}
418
366
419
367
if(debug){
420
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
429
377
430
378
if(debug){
431
379
if(if_indextoname((unsigned int)if_index, interface) == NULL){
432
perror("if_indextoname");
380
if(debug){
381
perror("if_indextoname");
382
}
433
383
return -1;
434
384
}
385
435
386
fprintf(stderr, "Binding to interface %s\n", interface);
436
387
}
437
388
438
389
memset(&to,0,sizeof(to)); /* Spurious warning */
439
390
to.sin6_family = AF_INET6;
440
/* It would be nice to have a way to detect if we were passed an
441
IPv4 address here. Now we assume an IPv6 address. */
442
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
443
392
if (ret < 0 ){
444
393
perror("inet_pton");
445
394
return -1;
446
}
395
}
447
396
if(ret == 0){
448
397
fprintf(stderr, "Bad address: %s\n", ip);
449
398
return -1;
454
403
455
404
if(debug){
456
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
457
char addrstr[INET6_ADDRSTRLEN] = "";
458
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
459
sizeof(addrstr)) == NULL){
460
perror("inet_ntop");
461
} else {
462
if(strcmp(addrstr, ip) != 0){
463
fprintf(stderr, "Canonical address form: %s\n", addrstr);
464
}
465
}
406
/* char addrstr[INET6_ADDRSTRLEN]; */
407
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
408
/* sizeof(addrstr)) == NULL){ */
409
/* perror("inet_ntop"); */
410
/* } else { */
411
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
412
/* addrstr, ntohs(to.sin6_port)); */
413
/* } */
466
414
}
467
415
468
416
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
470
418
perror("connect");
471
419
return -1;
472
420
}
473
474
const char *out = mandos_protocol_version;
475
written = 0;
476
while (true){
477
size_t out_size = strlen(out);
478
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
479
out_size - written));
480
if (ret == -1){
481
perror("write");
482
retval = -1;
483
goto mandos_end;
484
}
485
written += (size_t)ret;
486
if(written < out_size){
487
continue;
488
} else {
489
if (out == mandos_protocol_version){
490
written = 0;
491
out = "\r\n";
492
} else {
493
break;
494
}
495
}
421
422
ret = initgnutls (&es);
423
if (ret != 0){
424
retval = -1;
425
return -1;
496
426
}
497
427
428
gnutls_transport_set_ptr (es.session,
429
(gnutls_transport_ptr_t) tcp_sd);
430
498
431
if(debug){
499
432
fprintf(stderr, "Establishing TLS session with %s\n", ip);
500
433
}
501
434
502
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
503
504
ret = gnutls_handshake (session);
435
ret = gnutls_handshake (es.session);
505
436
506
437
if (ret != GNUTLS_E_SUCCESS){
507
438
if(debug){
508
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
439
fprintf(stderr, "\n*** Handshake failed ***\n");
509
440
gnutls_perror (ret);
510
441
}
511
442
retval = -1;
512
goto mandos_end;
443
goto exit;
513
444
}
514
445
515
/* Read OpenPGP packet that contains the wanted password */
446
//Retrieve OpenPGP packet that contains the wanted password
516
447
517
448
if(debug){
518
449
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
520
451
}
521
452
522
453
while(true){
523
buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity);
524
if (buffer_capacity == 0){
525
perror("adjustbuffer");
526
retval = -1;
527
goto mandos_end;
454
if (buffer_length + BUFFER_SIZE > buffer_capacity){
455
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
456
if (buffer == NULL){
457
perror("realloc");
458
goto exit;
459
}
460
buffer_capacity += BUFFER_SIZE;
528
461
}
529
462
530
ret = gnutls_record_recv(session, buffer+buffer_length,
531
BUFFER_SIZE);
463
ret = gnutls_record_recv
464
(es.session, buffer+buffer_length, BUFFER_SIZE);
532
465
if (ret == 0){
533
466
break;
534
467
}
538
471
case GNUTLS_E_AGAIN:
539
472
break;
540
473
case GNUTLS_E_REHANDSHAKE:
541
ret = gnutls_handshake (session);
474
ret = gnutls_handshake (es.session);
542
475
if (ret < 0){
543
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
476
fprintf(stderr, "\n*** Handshake failed ***\n");
544
477
gnutls_perror (ret);
545
478
retval = -1;
546
goto mandos_end;
479
goto exit;
547
480
}
548
481
break;
549
482
default:
550
483
fprintf(stderr, "Unknown error while reading data from"
551
" encrypted session with Mandos server\n");
484
" encrypted session with mandos server\n");
552
485
retval = -1;
553
gnutls_bye (session, GNUTLS_SHUT_RDWR);
554
goto mandos_end;
486
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
487
goto exit;
555
488
}
556
489
} else {
557
490
buffer_length += (size_t) ret;
558
491
}
559
492
}
560
493
561
if(debug){
562
fprintf(stderr, "Closing TLS session\n");
563
}
564
565
gnutls_bye (session, GNUTLS_SHUT_RDWR);
566
567
494
if (buffer_length > 0){
568
495
decrypted_buffer_size = pgp_packet_decrypt(buffer,
569
496
buffer_length,
570
497
&decrypted_buffer,
571
keydir);
498
certdir);
572
499
if (decrypted_buffer_size >= 0){
573
written = 0;
574
500
while(written < (size_t) decrypted_buffer_size){
575
501
ret = (int)fwrite (decrypted_buffer + written, 1,
576
502
(size_t)decrypted_buffer_size - written,
590
516
retval = -1;
591
517
}
592
518
}
593
594
/* Shutdown procedure */
595
596
mandos_end:
519
520
//shutdown procedure
521
522
if(debug){
523
fprintf(stderr, "Closing TLS session\n");
524
}
525
597
526
free(buffer);
527
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
528
exit:
598
529
close(tcp_sd);
599
gnutls_deinit (session);
600
gnutls_certificate_free_credentials (mc->cred);
530
gnutls_deinit (es.session);
531
gnutls_certificate_free_credentials (es.cred);
601
532
gnutls_global_deinit ();
602
533
return retval;
603
534
}
604
535
605
static void resolve_callback(AvahiSServiceResolver *r,
606
AvahiIfIndex interface,
607
AVAHI_GCC_UNUSED AvahiProtocol protocol,
608
AvahiResolverEvent event,
609
const char *name,
610
const char *type,
611
const char *domain,
612
const char *host_name,
613
const AvahiAddress *address,
614
uint16_t port,
615
AVAHI_GCC_UNUSED AvahiStringList *txt,
616
AVAHI_GCC_UNUSED AvahiLookupResultFlags
617
flags,
618
void* userdata) {
619
mandos_context *mc = userdata;
536
static AvahiSimplePoll *simple_poll = NULL;
537
static AvahiServer *server = NULL;
538
539
static void resolve_callback(
540
AvahiSServiceResolver *r,
541
AvahiIfIndex interface,
542
AVAHI_GCC_UNUSED AvahiProtocol protocol,
543
AvahiResolverEvent event,
544
const char *name,
545
const char *type,
546
const char *domain,
547
const char *host_name,
548
const AvahiAddress *address,
549
uint16_t port,
550
AVAHI_GCC_UNUSED AvahiStringList *txt,
551
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
552
AVAHI_GCC_UNUSED void* userdata) {
553
620
554
assert(r); /* Spurious warning */
621
555
622
556
/* Called whenever a service has been resolved successfully or
625
559
switch (event) {
626
560
default:
627
561
case AVAHI_RESOLVER_FAILURE:
628
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
629
" of type '%s' in domain '%s': %s\n", name, type, domain,
630
avahi_strerror(avahi_server_errno(mc->server)));
562
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
563
" type '%s' in domain '%s': %s\n", name, type, domain,
564
avahi_strerror(avahi_server_errno(server)));
631
565
break;
632
566
633
567
case AVAHI_RESOLVER_FOUND:
635
569
char ip[AVAHI_ADDRESS_STR_MAX];
636
570
avahi_address_snprint(ip, sizeof(ip), address);
637
571
if(debug){
638
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"
639
" port %d\n", name, host_name, ip, interface, port);
572
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
573
" port %d\n", name, host_name, ip, port);
640
574
}
641
int ret = start_mandos_communication(ip, port, interface, mc);
575
int ret = start_mandos_communication(ip, port, interface);
642
576
if (ret == 0){
643
577
exit(EXIT_SUCCESS);
644
578
}
647
581
avahi_s_service_resolver_free(r);
648
582
}
649
583
650
static void browse_callback( AvahiSServiceBrowser *b,
651
AvahiIfIndex interface,
652
AvahiProtocol protocol,
653
AvahiBrowserEvent event,
654
const char *name,
655
const char *type,
656
const char *domain,
657
AVAHI_GCC_UNUSED AvahiLookupResultFlags
658
flags,
659
void* userdata) {
660
mandos_context *mc = userdata;
661
assert(b); /* Spurious warning */
662
663
/* Called whenever a new services becomes available on the LAN or
664
is removed from the LAN */
665
666
switch (event) {
667
default:
668
case AVAHI_BROWSER_FAILURE:
669
670
fprintf(stderr, "(Avahi browser) %s\n",
671
avahi_strerror(avahi_server_errno(mc->server)));
672
avahi_simple_poll_quit(mc->simple_poll);
673
return;
674
675
case AVAHI_BROWSER_NEW:
676
/* We ignore the returned Avahi resolver object. In the callback
677
function we free it. If the Avahi server is terminated before
678
the callback function is called the Avahi server will free the
679
resolver for us. */
680
681
if (!(avahi_s_service_resolver_new(mc->server, interface,
682
protocol, name, type, domain,
683
AVAHI_PROTO_INET6, 0,
684
resolve_callback, mc)))
685
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
686
name, avahi_strerror(avahi_server_errno(mc->server)));
687
break;
688
689
case AVAHI_BROWSER_REMOVE:
690
break;
691
692
case AVAHI_BROWSER_ALL_FOR_NOW:
693
case AVAHI_BROWSER_CACHE_EXHAUSTED:
694
if(debug){
695
fprintf(stderr, "No Mandos server found, still searching...\n");
584
static void browse_callback(
585
AvahiSServiceBrowser *b,
586
AvahiIfIndex interface,
587
AvahiProtocol protocol,
588
AvahiBrowserEvent event,
589
const char *name,
590
const char *type,
591
const char *domain,
592
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
593
void* userdata) {
594
595
AvahiServer *s = userdata;
596
assert(b); /* Spurious warning */
597
598
/* Called whenever a new services becomes available on the LAN or
599
is removed from the LAN */
600
601
switch (event) {
602
default:
603
case AVAHI_BROWSER_FAILURE:
604
605
fprintf(stderr, "(Browser) %s\n",
606
avahi_strerror(avahi_server_errno(server)));
607
avahi_simple_poll_quit(simple_poll);
608
return;
609
610
case AVAHI_BROWSER_NEW:
611
/* We ignore the returned resolver object. In the callback
612
function we free it. If the server is terminated before
613
the callback function is called the server will free
614
the resolver for us. */
615
616
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
617
type, domain,
618
AVAHI_PROTO_INET6, 0,
619
resolve_callback, s)))
620
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
621
avahi_strerror(avahi_server_errno(s)));
622
break;
623
624
case AVAHI_BROWSER_REMOVE:
625
break;
626
627
case AVAHI_BROWSER_ALL_FOR_NOW:
628
case AVAHI_BROWSER_CACHE_EXHAUSTED:
629
break;
696
630
}
697
break;
698
}
699
631
}
700
632
701
633
/* Combines file name and path and returns the malloced new
708
640
return NULL;
709
641
}
710
642
if(f_len > 0){
711
memcpy(tmp, first, f_len); /* Spurious warning */
643
memcpy(tmp, first, f_len);
712
644
}
713
645
tmp[f_len] = '/';
714
646
if(s_len > 0){
715
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
647
memcpy(tmp + f_len + 1, second, s_len);
716
648
}
717
649
tmp[f_len + 1 + s_len] = '\0';
718
650
return tmp;
719
651
}
720
652
721
653
722
int main(int argc, char *argv[]){
654
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
655
AvahiServerConfig config;
723
656
AvahiSServiceBrowser *sb = NULL;
724
657
int error;
725
658
int ret;
726
int exitcode = EXIT_SUCCESS;
659
int returncode = EXIT_SUCCESS;
727
660
const char *interface = "eth0";
728
661
struct ifreq network;
729
662
int sd;
730
uid_t uid;
731
gid_t gid;
732
663
char *connect_to = NULL;
733
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
734
mandos_context mc = { .simple_poll = NULL, .server = NULL,
735
.dh_bits = 1024, .priority = "SECURE256"};
736
737
{
738
/* Temporary int to get the address of for getopt_long */
739
int debug_int = debug ? 1 : 0;
740
while (true){
741
struct option long_options[] = {
742
{"debug", no_argument, &debug_int, 1},
743
{"connect", required_argument, NULL, 'c'},
744
{"interface", required_argument, NULL, 'i'},
745
{"keydir", required_argument, NULL, 'd'},
746
{"seckey", required_argument, NULL, 's'},
747
{"pubkey", required_argument, NULL, 'p'},
748
{"dh-bits", required_argument, NULL, 'D'},
749
{"priority", required_argument, NULL, 'P'},
750
{0, 0, 0, 0} };
751
752
int option_index = 0;
753
ret = getopt_long (argc, argv, "i:", long_options,
754
&option_index);
755
756
if (ret == -1){
757
break;
758
}
759
760
switch(ret){
761
case 0:
762
break;
763
case 'i':
764
interface = optarg;
765
break;
766
case 'c':
767
connect_to = optarg;
768
break;
769
case 'd':
770
keydir = optarg;
771
break;
772
case 'p':
773
pubkeyfile = optarg;
774
break;
775
case 's':
776
seckeyfile = optarg;
777
break;
778
case 'D':
779
errno = 0;
780
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
781
if (errno){
782
perror("strtol");
783
exit(EXIT_FAILURE);
784
}
785
break;
786
case 'P':
787
mc.priority = optarg;
788
break;
789
case '?':
790
default:
791
/* getopt_long() has already printed a message about the
792
unrcognized option, so just exit. */
793
exit(EXIT_FAILURE);
794
}
795
}
796
/* Set the global debug flag from the temporary int */
797
debug = debug_int ? true : false;
798
}
799
800
pubkeyfile = combinepath(keydir, pubkeyfile);
801
if (pubkeyfile == NULL){
802
perror("combinepath");
803
exitcode = EXIT_FAILURE;
804
goto end;
805
}
806
807
seckeyfile = combinepath(keydir, seckeyfile);
808
if (seckeyfile == NULL){
809
perror("combinepath");
810
goto end;
811
}
812
813
ret = init_gnutls_global(&mc);
814
if (ret == -1){
815
fprintf(stderr, "init_gnutls_global\n");
816
goto end;
817
}
818
819
uid = getuid();
820
gid = getgid();
821
822
ret = setuid(uid);
823
if (ret == -1){
824
perror("setuid");
825
}
826
827
setgid(gid);
828
if (ret == -1){
829
perror("setgid");
665
666
while (true){
667
static struct option long_options[] = {
668
{"debug", no_argument, (int *)&debug, 1},
669
{"connect", required_argument, 0, 'C'},
670
{"interface", required_argument, 0, 'i'},
671
{"certdir", required_argument, 0, 'd'},
672
{"certkey", required_argument, 0, 'c'},
673
{"certfile", required_argument, 0, 'k'},
674
{0, 0, 0, 0} };
675
676
int option_index = 0;
677
ret = getopt_long (argc, argv, "i:", long_options,
678
&option_index);
679
680
if (ret == -1){
681
break;
682
}
683
684
switch(ret){
685
case 0:
686
break;
687
case 'i':
688
interface = optarg;
689
break;
690
case 'C':
691
connect_to = optarg;
692
break;
693
case 'd':
694
certdir = optarg;
695
break;
696
case 'c':
697
certfile = optarg;
698
break;
699
case 'k':
700
certkey = optarg;
701
break;
702
default:
703
exit(EXIT_FAILURE);
704
}
705
}
706
707
certfile = combinepath(certdir, certfile);
708
if (certfile == NULL){
709
perror("combinepath");
710
returncode = EXIT_FAILURE;
711
goto exit;
712
}
713
714
certkey = combinepath(certdir, certkey);
715
if (certkey == NULL){
716
perror("combinepath");
717
returncode = EXIT_FAILURE;
718
goto exit;
830
719
}
831
720
832
721
if_index = (AvahiIfIndex) if_nametoindex(interface);
841
730
char *address = strrchr(connect_to, ':');
842
731
if(address == NULL){
843
732
fprintf(stderr, "No colon in address\n");
844
exitcode = EXIT_FAILURE;
845
goto end;
733
exit(EXIT_FAILURE);
846
734
}
847
735
errno = 0;
848
736
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
849
737
if(errno){
850
738
perror("Bad port number");
851
exitcode = EXIT_FAILURE;
852
goto end;
739
exit(EXIT_FAILURE);
853
740
}
854
741
*address = '\0';
855
742
address = connect_to;
856
ret = start_mandos_communication(address, port, if_index, &mc);
743
ret = start_mandos_communication(address, port, if_index);
857
744
if(ret < 0){
858
exitcode = EXIT_FAILURE;
745
exit(EXIT_FAILURE);
859
746
} else {
860
exitcode = EXIT_SUCCESS;
747
exit(EXIT_SUCCESS);
861
748
}
862
goto end;
863
749
}
864
750
865
/* If the interface is down, bring it up */
866
{
867
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
868
if(sd < 0) {
869
perror("socket");
870
exitcode = EXIT_FAILURE;
871
goto end;
872
}
873
strcpy(network.ifr_name, interface); /* Spurious warning */
874
ret = ioctl(sd, SIOCGIFFLAGS, &network);
751
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
752
if(sd < 0) {
753
perror("socket");
754
returncode = EXIT_FAILURE;
755
goto exit;
756
}
757
strcpy(network.ifr_name, interface);
758
ret = ioctl(sd, SIOCGIFFLAGS, &network);
759
if(ret == -1){
760
761
perror("ioctl SIOCGIFFLAGS");
762
returncode = EXIT_FAILURE;
763
goto exit;
764
}
765
if((network.ifr_flags & IFF_UP) == 0){
766
network.ifr_flags |= IFF_UP;
767
ret = ioctl(sd, SIOCSIFFLAGS, &network);
875
768
if(ret == -1){
876
perror("ioctl SIOCGIFFLAGS");
877
exitcode = EXIT_FAILURE;
878
goto end;
879
}
880
if((network.ifr_flags & IFF_UP) == 0){
881
network.ifr_flags |= IFF_UP;
882
ret = ioctl(sd, SIOCSIFFLAGS, &network);
883
if(ret == -1){
884
perror("ioctl SIOCSIFFLAGS");
885
exitcode = EXIT_FAILURE;
886
goto end;
887
}
888
}
889
close(sd);
769
perror("ioctl SIOCSIFFLAGS");
770
returncode = EXIT_FAILURE;
771
goto exit;
772
}
890
773
}
774
close(sd);
891
775
892
776
if (not debug){
893
777
avahi_set_log_function(empty_log);
894
778
}
895
779
896
/* Initialize the pseudo-RNG for Avahi */
780
/* Initialize the psuedo-RNG */
897
781
srand((unsigned int) time(NULL));
898
899
/* Allocate main Avahi loop object */
900
mc.simple_poll = avahi_simple_poll_new();
901
if (mc.simple_poll == NULL) {
902
fprintf(stderr, "Avahi: Failed to create simple poll"
903
" object.\n");
904
exitcode = EXIT_FAILURE;
905
goto end;
906
}
907
908
{
909
AvahiServerConfig config;
910
/* Do not publish any local Zeroconf records */
911
avahi_server_config_init(&config);
912
config.publish_hinfo = 0;
913
config.publish_addresses = 0;
914
config.publish_workstation = 0;
915
config.publish_domain = 0;
916
917
/* Allocate a new server */
918
mc.server = avahi_server_new(avahi_simple_poll_get
919
(mc.simple_poll), &config, NULL,
920
NULL, &error);
921
922
/* Free the Avahi configuration data */
923
avahi_server_config_free(&config);
924
}
925
926
/* Check if creating the Avahi server object succeeded */
927
if (mc.server == NULL) {
928
fprintf(stderr, "Failed to create Avahi server: %s\n",
782
783
/* Allocate main loop object */
784
if (!(simple_poll = avahi_simple_poll_new())) {
785
fprintf(stderr, "Failed to create simple poll object.\n");
786
returncode = EXIT_FAILURE;
787
goto exit;
788
}
789
790
/* Do not publish any local records */
791
avahi_server_config_init(&config);
792
config.publish_hinfo = 0;
793
config.publish_addresses = 0;
794
config.publish_workstation = 0;
795
config.publish_domain = 0;
796
797
/* Allocate a new server */
798
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
799
&config, NULL, NULL, &error);
800
801
/* Free the configuration data */
802
avahi_server_config_free(&config);
803
804
/* Check if creating the server object succeeded */
805
if (!server) {
806
fprintf(stderr, "Failed to create server: %s\n",
929
807
avahi_strerror(error));
930
exitcode = EXIT_FAILURE;
931
goto end;
808
returncode = EXIT_FAILURE;
809
goto exit;
932
810
}
933
811
934
/* Create the Avahi service browser */
935
sb = avahi_s_service_browser_new(mc.server, if_index,
812
/* Create the service browser */
813
sb = avahi_s_service_browser_new(server, if_index,
936
814
AVAHI_PROTO_INET6,
937
815
"_mandos._tcp", NULL, 0,
938
browse_callback, &mc);
939
if (sb == NULL) {
816
browse_callback, server);
817
if (!sb) {
940
818
fprintf(stderr, "Failed to create service browser: %s\n",
941
avahi_strerror(avahi_server_errno(mc.server)));
942
exitcode = EXIT_FAILURE;
943
goto end;
819
avahi_strerror(avahi_server_errno(server)));
820
returncode = EXIT_FAILURE;
821
goto exit;
944
822
}
945
823
946
824
/* Run the main loop */
947
825
948
826
if (debug){
949
fprintf(stderr, "Starting Avahi loop search\n");
827
fprintf(stderr, "Starting avahi loop search\n");
950
828
}
951
829
952
avahi_simple_poll_loop(mc.simple_poll);
830
avahi_simple_poll_loop(simple_poll);
953
831
954
end:
832
exit:
955
833
956
834
if (debug){
957
835
fprintf(stderr, "%s exiting\n", argv[0]);
958
836
}
959
837
960
838
/* Cleanup things */
961
if (sb != NULL)
839
if (sb)
962
840
avahi_s_service_browser_free(sb);
963
841
964
if (mc.server != NULL)
965
avahi_server_free(mc.server);
842
if (server)
843
avahi_server_free(server);
966
844
967
if (mc.simple_poll != NULL)
968
avahi_simple_poll_free(mc.simple_poll);
969
free(pubkeyfile);
970
free(seckeyfile);
845
if (simple_poll)
846
avahi_simple_poll_free(simple_poll);
847
free(certfile);
848
free(certkey);
971
849
972
return exitcode;
850
return returncode;
973
851
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0