To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 28
- compare with another revision
- download diff
- download tarball
- view history from revision 28
- Committer: Teddy Hogeborn
- Date: 2008-07-29 03:35:39 UTC
- Revision ID: teddy@fukt.bsnet.se-20080729033539-08zecoj3jwlkpjhw
* server.conf: New file.
* mandos-clients.conf: Renamed to clients.conf.
* Makefile (FORTIFY): New.
(CFLAGS): Include $(FORTIFY).
* plugins.d/mandosclient.c (main): New "if_index" variable. Bug fix:
check if interface exists. New
"--connect" option.
* server.py (serviceInterface): Removed; replaced by
"AvahiService.interface". All users
changed.
(AvahiError, AvahiServiceError, AvahiGroupError): New exception
classes.
(AvahiService): New class.
(serviceName): Removed; replaced by "AvahiService.name". All users
changed.
(serviceType): Removed; replaced by "AvahiService.type". All users
changed.
(servicePort): Removed; replaced by "AvahiService.port". All users
changed.
(serviceTXT): Removed; replaced by "AvahiService.TXT". All users
changed.
(domain): Removed; replaced by "AvahiService.domain". All users
changed.
(host): Removed; replaced by "AvahiService.host". All users
changed.
(rename_count): Removed; replaced by "AvahiService.rename_count" and
"AvahiService.max_renames". All users changed.
(Client.__init__): If no secret or secfile, raise TypeError instead
of RuntimeError.
(Client.last_seen): Renamed to "Client.last_checked_ok". All users
changed.
(Client.stop, Client.stop_checker): Use "getattr" with default value
instead of "hasattr".
(Client.still_valid): Removed "now" argument.
(Client.handle): Separate the "no client found" and "client invalid"
cases for clearer code.
(IPv6_TCPServer.__init__): "options" argument replaced by
"settings". All callers changed.
(IPv6_TCPServer.options): Replaced by "IPv6_TCPServer.settings".
All users changed.
(IPv6_TCPServer.server_bind): Use getattr instead of hasattr.
(add_service): Removed; replaced by "AvahiService.add". All callers
changed.
(remove_service): Removed; replaced by "AvahiService.remove". All
callers changed.
(entry_group_state_changed): On entry group collision, call the new
AvahiService.rename method. Raise
AvahiGroupError on group error.
(if_nametoindex): Use ctypes.utils.find_library to locate the C
library. Cache the result. Loop on EINTR.
(daemon): Use os.path.devnull to locate "/dev/null".
(killme): Removed. All callers changed to do "sys.exit()" instead,
except where stated otherwise.
(main): Removed "exitstatus". Removed all default values from all
non-bool options. New option "--configdir". New variables
"server_defaults" and "server_settings", read from
"%(configdir)s/server.conf". Let any supplied command line
options override server settings. Variable "defaults"
renamed to "client_defaults", which is read from
"clients.conf" instead of "mandos-clients.conf". New global
AvahiService object "service" replaces old global variables.
Catch AvahiError and exit with error if caught.
* mandos-clients.conf: Renamed to clients.conf.
* Makefile (FORTIFY): New.
(CFLAGS): Include $(FORTIFY).
* plugins.d/mandosclient.c (main): New "if_index" variable. Bug fix:
check if interface exists. New
"--connect" option.
* server.py (serviceInterface): Removed; replaced by
"AvahiService.interface". All users
changed.
(AvahiError, AvahiServiceError, AvahiGroupError): New exception
classes.
(AvahiService): New class.
(serviceName): Removed; replaced by "AvahiService.name". All users
changed.
(serviceType): Removed; replaced by "AvahiService.type". All users
changed.
(servicePort): Removed; replaced by "AvahiService.port". All users
changed.
(serviceTXT): Removed; replaced by "AvahiService.TXT". All users
changed.
(domain): Removed; replaced by "AvahiService.domain". All users
changed.
(host): Removed; replaced by "AvahiService.host". All users
changed.
(rename_count): Removed; replaced by "AvahiService.rename_count" and
"AvahiService.max_renames". All users changed.
(Client.__init__): If no secret or secfile, raise TypeError instead
of RuntimeError.
(Client.last_seen): Renamed to "Client.last_checked_ok". All users
changed.
(Client.stop, Client.stop_checker): Use "getattr" with default value
instead of "hasattr".
(Client.still_valid): Removed "now" argument.
(Client.handle): Separate the "no client found" and "client invalid"
cases for clearer code.
(IPv6_TCPServer.__init__): "options" argument replaced by
"settings". All callers changed.
(IPv6_TCPServer.options): Replaced by "IPv6_TCPServer.settings".
All users changed.
(IPv6_TCPServer.server_bind): Use getattr instead of hasattr.
(add_service): Removed; replaced by "AvahiService.add". All callers
changed.
(remove_service): Removed; replaced by "AvahiService.remove". All
callers changed.
(entry_group_state_changed): On entry group collision, call the new
AvahiService.rename method. Raise
AvahiGroupError on group error.
(if_nametoindex): Use ctypes.utils.find_library to locate the C
library. Cache the result. Loop on EINTR.
(daemon): Use os.path.devnull to locate "/dev/null".
(killme): Removed. All callers changed to do "sys.exit()" instead,
except where stated otherwise.
(main): Removed "exitstatus". Removed all default values from all
non-bool options. New option "--configdir". New variables
"server_defaults" and "server_settings", read from
"%(configdir)s/server.conf". Let any supplied command line
options override server settings. Variable "defaults"
renamed to "client_defaults", which is read from
"clients.conf" instead of "mandos-clients.conf". New global
AvahiService object "service" replaces old global variables.
Catch AvahiError and exit with error if caught.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(), sigaction(), SIGTERM, sigaction */
79
#ifdef __linux__
80
#include <sys/klog.h> /* klogctl() */
81
#endif
82
83
/* Avahi */
84
/* All Avahi types, constants and functions
85
Avahi*, avahi_*,
86
AVAHI_* */
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
87
42
#include <avahi-core/core.h>
88
43
#include <avahi-core/lookup.h>
89
44
#include <avahi-core/log.h>
91
46
#include <avahi-common/malloc.h>
92
47
#include <avahi-common/error.h>
93
48
94
/* GnuTLS */
95
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
96
functions:
97
gnutls_*
98
init_gnutls_session(),
99
GNUTLS_* */
100
#include <gnutls/openpgp.h>
101
/* gnutls_certificate_set_openpgp_key_file(),
102
GNUTLS_OPENPGP_FMT_BASE64 */
103
104
/* GPGME */
105
#include <gpgme.h> /* All GPGME types, constants and
106
functions:
107
gpgme_*
108
GPGME_PROTOCOL_OpenPGP,
109
GPG_ERR_NO_* */
110
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
69
70
#ifndef CERT_ROOT
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
72
#endif
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
111
75
#define BUFFER_SIZE 256
112
113
#define PATHDIR "/conf/conf.d/mandos"
114
#define SECKEY "seckey.txt"
115
#define PUBKEY "pubkey.txt"
76
#define DH_BITS 1024
116
77
117
78
bool debug = false;
118
static const char mandos_protocol_version[] = "1";
119
const char *argp_program_version = "mandos-client " VERSION;
120
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
121
79
122
/* Used for passing in values through the Avahi callback functions */
123
80
typedef struct {
124
AvahiSimplePoll *simple_poll;
125
AvahiServer *server;
81
gnutls_session_t session;
126
82
gnutls_certificate_credentials_t cred;
127
unsigned int dh_bits;
128
83
gnutls_dh_params_t dh_params;
129
const char *priority;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
130
90
gpgme_ctx_t ctx;
131
} mandos_context;
132
133
/* global context so signal handler can reach it*/
134
mandos_context mc = { .simple_poll = NULL, .server = NULL,
135
.dh_bits = 1024, .priority = "SECURE256"
136
":!CTYPE-X.509:+CTYPE-OPENPGP" };
137
138
/*
139
* Make additional room in "buffer" for at least BUFFER_SIZE
140
* additional bytes. "buffer_capacity" is how much is currently
141
* allocated, "buffer_length" is how much is already used.
142
*/
143
size_t incbuffer(char **buffer, size_t buffer_length,
144
size_t buffer_capacity){
145
if(buffer_length + BUFFER_SIZE > buffer_capacity){
146
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
147
if(buffer == NULL){
148
return 0;
149
}
150
buffer_capacity += BUFFER_SIZE;
151
}
152
return buffer_capacity;
153
}
154
155
/*
156
* Initialize GPGME.
157
*/
158
static bool init_gpgme(const char *seckey,
159
const char *pubkey, const char *tempdir){
160
int ret;
161
91
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
162
95
gpgme_engine_info_t engine_info;
163
164
165
/*
166
* Helper function to insert pub and seckey to the engine keyring.
167
*/
168
bool import_key(const char *filename){
169
int fd;
170
gpgme_data_t pgp_data;
171
172
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
173
if(fd == -1){
174
perror("open");
175
return false;
176
}
177
178
rc = gpgme_data_new_from_fd(&pgp_data, fd);
179
if(rc != GPG_ERR_NO_ERROR){
180
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
181
gpgme_strsource(rc), gpgme_strerror(rc));
182
return false;
183
}
184
185
rc = gpgme_op_import(mc.ctx, pgp_data);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
ret = (int)TEMP_FAILURE_RETRY(close(fd));
193
if(ret == -1){
194
perror("close");
195
}
196
gpgme_data_release(pgp_data);
197
return true;
198
}
199
200
if(debug){
201
fprintf(stderr, "Initialize gpgme\n");
96
97
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
202
99
}
203
100
204
101
/* Init GPGME */
205
102
gpgme_check_version(NULL);
206
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
207
if(rc != GPG_ERR_NO_ERROR){
208
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
209
gpgme_strsource(rc), gpgme_strerror(rc));
210
return false;
211
}
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
212
104
213
/* Set GPGME home directory for the OpenPGP engine only */
214
rc = gpgme_get_engine_info(&engine_info);
215
if(rc != GPG_ERR_NO_ERROR){
105
/* Set GPGME home directory */
106
rc = gpgme_get_engine_info (&engine_info);
107
if (rc != GPG_ERR_NO_ERROR){
216
108
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
217
109
gpgme_strsource(rc), gpgme_strerror(rc));
218
return false;
110
return -1;
219
111
}
220
112
while(engine_info != NULL){
221
113
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
222
114
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
223
engine_info->file_name, tempdir);
115
engine_info->file_name, homedir);
224
116
break;
225
117
}
226
118
engine_info = engine_info->next;
227
119
}
228
120
if(engine_info == NULL){
229
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
230
return false;
231
}
232
233
/* Create new GPGME "context" */
234
rc = gpgme_new(&(mc.ctx));
235
if(rc != GPG_ERR_NO_ERROR){
236
fprintf(stderr, "bad gpgme_new: %s: %s\n",
237
gpgme_strsource(rc), gpgme_strerror(rc));
238
return false;
239
}
240
241
if(not import_key(pubkey) or not import_key(seckey)){
242
return false;
243
}
244
245
return true;
246
}
247
248
/*
249
* Decrypt OpenPGP data.
250
* Returns -1 on error
251
*/
252
static ssize_t pgp_packet_decrypt(const char *cryptotext,
253
size_t crypto_size,
254
char **plaintext){
255
gpgme_data_t dh_crypto, dh_plain;
256
gpgme_error_t rc;
257
ssize_t ret;
258
size_t plaintext_capacity = 0;
259
ssize_t plaintext_length = 0;
260
261
if(debug){
262
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
263
}
264
265
/* Create new GPGME data buffer from memory cryptotext */
266
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
267
0);
268
if(rc != GPG_ERR_NO_ERROR){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
122
return -1;
123
}
124
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
127
if (rc != GPG_ERR_NO_ERROR){
269
128
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
270
129
gpgme_strsource(rc), gpgme_strerror(rc));
271
130
return -1;
273
132
274
133
/* Create new empty GPGME data buffer for the plaintext */
275
134
rc = gpgme_data_new(&dh_plain);
276
if(rc != GPG_ERR_NO_ERROR){
135
if (rc != GPG_ERR_NO_ERROR){
277
136
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
278
137
gpgme_strsource(rc), gpgme_strerror(rc));
279
gpgme_data_release(dh_crypto);
280
return -1;
281
}
282
283
/* Decrypt data from the cryptotext data buffer to the plaintext
284
data buffer */
285
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
286
if(rc != GPG_ERR_NO_ERROR){
138
return -1;
139
}
140
141
/* Create new GPGME "context" */
142
rc = gpgme_new(&ctx);
143
if (rc != GPG_ERR_NO_ERROR){
144
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
gpgme_strsource(rc), gpgme_strerror(rc));
146
return -1;
147
}
148
149
/* Decrypt data from the FILE pointer to the plaintext data
150
buffer */
151
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
152
if (rc != GPG_ERR_NO_ERROR){
287
153
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
288
154
gpgme_strsource(rc), gpgme_strerror(rc));
289
plaintext_length = -1;
290
if(debug){
291
gpgme_decrypt_result_t result;
292
result = gpgme_op_decrypt_result(mc.ctx);
293
if(result == NULL){
294
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
295
} else {
296
fprintf(stderr, "Unsupported algorithm: %s\n",
297
result->unsupported_algorithm);
298
fprintf(stderr, "Wrong key usage: %u\n",
299
result->wrong_key_usage);
300
if(result->file_name != NULL){
301
fprintf(stderr, "File name: %s\n", result->file_name);
302
}
303
gpgme_recipient_t recipient;
304
recipient = result->recipients;
305
if(recipient){
306
while(recipient != NULL){
307
fprintf(stderr, "Public key algorithm: %s\n",
308
gpgme_pubkey_algo_name(recipient->pubkey_algo));
309
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
310
fprintf(stderr, "Secret key available: %s\n",
311
recipient->status == GPG_ERR_NO_SECKEY
312
? "No" : "Yes");
313
recipient = recipient->next;
314
}
155
return -1;
156
}
157
158
if(debug){
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
160
}
161
162
if (debug){
163
gpgme_decrypt_result_t result;
164
result = gpgme_op_decrypt_result(ctx);
165
if (result == NULL){
166
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
167
} else {
168
fprintf(stderr, "Unsupported algorithm: %s\n",
169
result->unsupported_algorithm);
170
fprintf(stderr, "Wrong key usage: %d\n",
171
result->wrong_key_usage);
172
if(result->file_name != NULL){
173
fprintf(stderr, "File name: %s\n", result->file_name);
174
}
175
gpgme_recipient_t recipient;
176
recipient = result->recipients;
177
if(recipient){
178
while(recipient != NULL){
179
fprintf(stderr, "Public key algorithm: %s\n",
180
gpgme_pubkey_algo_name(recipient->pubkey_algo));
181
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
182
fprintf(stderr, "Secret key available: %s\n",
183
recipient->status == GPG_ERR_NO_SECKEY
184
? "No" : "Yes");
185
recipient = recipient->next;
315
186
}
316
187
}
317
188
}
318
goto decrypt_end;
319
189
}
320
190
321
if(debug){
322
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
323
}
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
324
193
325
194
/* Seek back to the beginning of the GPGME plaintext data buffer */
326
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
327
perror("gpgme_data_seek");
328
plaintext_length = -1;
329
goto decrypt_end;
330
}
331
332
*plaintext = NULL;
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
196
197
*new_packet = 0;
333
198
while(true){
334
plaintext_capacity = incbuffer(plaintext,
335
(size_t)plaintext_length,
336
plaintext_capacity);
337
if(plaintext_capacity == 0){
338
perror("incbuffer");
339
plaintext_length = -1;
340
goto decrypt_end;
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
202
+ BUFFER_SIZE);
203
if (*new_packet == NULL){
204
perror("realloc");
205
return -1;
206
}
207
new_packet_capacity += BUFFER_SIZE;
341
208
}
342
209
343
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
344
211
BUFFER_SIZE);
345
212
/* Print the data, if any */
346
if(ret == 0){
347
/* EOF */
213
if (ret == 0){
348
214
break;
349
215
}
350
216
if(ret < 0){
351
217
perror("gpgme_data_read");
352
plaintext_length = -1;
353
goto decrypt_end;
354
}
355
plaintext_length += ret;
356
}
357
358
if(debug){
359
fprintf(stderr, "Decrypted password is: ");
360
for(ssize_t i = 0; i < plaintext_length; i++){
361
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
362
}
363
fprintf(stderr, "\n");
364
}
365
366
decrypt_end:
367
368
/* Delete the GPGME cryptotext data buffer */
369
gpgme_data_release(dh_crypto);
218
return -1;
219
}
220
new_packet_length += ret;
221
}
222
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
225
/* if(debug){ */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
229
/* } */
370
230
371
231
/* Delete the GPGME plaintext data buffer */
372
232
gpgme_data_release(dh_plain);
373
return plaintext_length;
233
return new_packet_length;
374
234
}
375
235
376
static const char * safer_gnutls_strerror(int value){
377
const char *ret = gnutls_strerror(value); /* Spurious warning from
378
-Wunreachable-code */
379
if(ret == NULL)
236
static const char * safer_gnutls_strerror (int value) {
237
const char *ret = gnutls_strerror (value);
238
if (ret == NULL)
380
239
ret = "(unknown)";
381
240
return ret;
382
241
}
383
242
384
/* GnuTLS log function callback */
385
static void debuggnutls(__attribute__((unused)) int level,
386
const char* string){
387
fprintf(stderr, "GnuTLS: %s", string);
243
void debuggnutls(__attribute__((unused)) int level,
244
const char* string){
245
fprintf(stderr, "%s", string);
388
246
}
389
247
390
static int init_gnutls_global(const char *pubkeyfilename,
391
const char *seckeyfilename){
248
int initgnutls(encrypted_session *es){
249
const char *err;
392
250
int ret;
393
251
394
252
if(debug){
395
253
fprintf(stderr, "Initializing GnuTLS\n");
396
254
}
397
255
398
ret = gnutls_global_init();
399
if(ret != GNUTLS_E_SUCCESS){
400
fprintf(stderr, "GnuTLS global_init: %s\n",
401
safer_gnutls_strerror(ret));
256
if ((ret = gnutls_global_init ())
257
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
402
259
return -1;
403
260
}
404
405
if(debug){
406
/* "Use a log level over 10 to enable all debugging options."
407
* - GnuTLS manual
408
*/
261
262
if (debug){
409
263
gnutls_global_set_log_level(11);
410
264
gnutls_global_set_log_function(debuggnutls);
411
265
}
412
266
413
/* OpenPGP credentials */
414
gnutls_certificate_allocate_credentials(&mc.cred);
415
if(ret != GNUTLS_E_SUCCESS){
416
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
417
from
418
-Wunreachable-code
419
*/
420
safer_gnutls_strerror(ret));
421
gnutls_global_deinit();
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
269
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
271
safer_gnutls_strerror(ret));
422
272
return -1;
423
273
}
424
274
425
275
if(debug){
426
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
427
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
428
seckeyfilename);
276
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
278
KEYFILE);
429
279
}
430
280
431
281
ret = gnutls_certificate_set_openpgp_key_file
432
(mc.cred, pubkeyfilename, seckeyfilename,
433
GNUTLS_OPENPGP_FMT_BASE64);
434
if(ret != GNUTLS_E_SUCCESS){
435
fprintf(stderr,
436
"Error[%d] while reading the OpenPGP key pair ('%s',"
437
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
438
fprintf(stderr, "The GnuTLS error is: %s\n",
439
safer_gnutls_strerror(ret));
440
goto globalfail;
441
}
442
443
/* GnuTLS server initialization */
444
ret = gnutls_dh_params_init(&mc.dh_params);
445
if(ret != GNUTLS_E_SUCCESS){
446
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
447
" %s\n", safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
451
if(ret != GNUTLS_E_SUCCESS){
452
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
453
safer_gnutls_strerror(ret));
454
goto globalfail;
455
}
456
457
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
458
459
return 0;
460
461
globalfail:
462
463
gnutls_certificate_free_credentials(mc.cred);
464
gnutls_global_deinit();
465
gnutls_dh_params_deinit(mc.dh_params);
466
return -1;
467
}
468
469
static int init_gnutls_session(gnutls_session_t *session){
470
int ret;
471
/* GnuTLS session creation */
472
ret = gnutls_init(session, GNUTLS_SERVER);
473
if(ret != GNUTLS_E_SUCCESS){
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
283
if (ret != GNUTLS_E_SUCCESS) {
284
fprintf
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
286
" '%s')\n",
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
289
safer_gnutls_strerror(ret));
290
return -1;
291
}
292
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
309
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
474
313
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
475
314
safer_gnutls_strerror(ret));
476
315
}
477
316
478
{
479
const char *err;
480
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
481
if(ret != GNUTLS_E_SUCCESS){
482
fprintf(stderr, "Syntax error at: %s\n", err);
483
fprintf(stderr, "GnuTLS error: %s\n",
484
safer_gnutls_strerror(ret));
485
gnutls_deinit(*session);
486
return -1;
487
}
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
488
323
}
489
324
490
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
491
mc.cred);
492
if(ret != GNUTLS_E_SUCCESS){
493
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
494
329
safer_gnutls_strerror(ret));
495
gnutls_deinit(*session);
496
330
return -1;
497
331
}
498
332
499
333
/* ignore client certificate if any. */
500
gnutls_certificate_server_set_request(*session,
501
GNUTLS_CERT_IGNORE);
334
gnutls_certificate_server_set_request (es->session,
335
GNUTLS_CERT_IGNORE);
502
336
503
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
504
338
505
339
return 0;
506
340
}
507
341
508
/* Avahi log function callback */
509
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
510
__attribute__((unused)) const char *txt){}
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
511
344
512
/* Called when a Mandos server is found */
513
static int start_mandos_communication(const char *ip, uint16_t port,
514
AvahiIfIndex if_index,
515
int af){
345
int start_mandos_communication(const char *ip, uint16_t port,
346
unsigned int if_index){
516
347
int ret, tcp_sd;
517
ssize_t sret;
518
union {
519
struct sockaddr_in in;
520
struct sockaddr_in6 in6;
521
} to;
348
struct sockaddr_in6 to;
349
encrypted_session es;
522
350
char *buffer = NULL;
523
351
char *decrypted_buffer;
524
352
size_t buffer_length = 0;
525
353
size_t buffer_capacity = 0;
526
354
ssize_t decrypted_buffer_size;
527
size_t written;
355
size_t written = 0;
528
356
int retval = 0;
529
gnutls_session_t session;
530
int pf; /* Protocol family */
531
532
switch(af){
533
case AF_INET6:
534
pf = PF_INET6;
535
break;
536
case AF_INET:
537
pf = PF_INET;
538
break;
539
default:
540
fprintf(stderr, "Bad address family: %d\n", af);
541
return -1;
542
}
543
544
ret = init_gnutls_session(&session);
545
if(ret != 0){
546
return -1;
547
}
357
char interface[IF_NAMESIZE];
548
358
549
359
if(debug){
550
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
551
"\n", ip, port);
360
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
361
ip, port);
552
362
}
553
363
554
tcp_sd = socket(pf, SOCK_STREAM, 0);
555
if(tcp_sd < 0){
364
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
365
if(tcp_sd < 0) {
556
366
perror("socket");
557
367
return -1;
558
368
}
559
369
560
memset(&to, 0, sizeof(to));
561
if(af == AF_INET6){
562
to.in6.sin6_family = (uint16_t)af;
563
ret = inet_pton(af, ip, &to.in6.sin6_addr);
564
} else { /* IPv4 */
565
to.in.sin_family = (sa_family_t)af;
566
ret = inet_pton(af, ip, &to.in.sin_addr);
567
}
568
if(ret < 0 ){
370
if(if_indextoname(if_index, interface) == NULL){
371
if(debug){
372
perror("if_indextoname");
373
}
374
return -1;
375
}
376
377
if(debug){
378
fprintf(stderr, "Binding to interface %s\n", interface);
379
}
380
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
if (ret < 0 ){
569
385
perror("inet_pton");
570
386
return -1;
571
}
387
}
572
388
if(ret == 0){
573
389
fprintf(stderr, "Bad address: %s\n", ip);
574
390
return -1;
575
391
}
576
if(af == AF_INET6){
577
to.in6.sin6_port = htons(port); /* Spurious warnings from
578
-Wconversion and
579
-Wunreachable-code */
580
581
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
582
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
583
-Wunreachable-code*/
584
if(if_index == AVAHI_IF_UNSPEC){
585
fprintf(stderr, "An IPv6 link-local address is incomplete"
586
" without a network interface\n");
587
return -1;
588
}
589
/* Set the network interface number as scope */
590
to.in6.sin6_scope_id = (uint32_t)if_index;
591
}
592
} else {
593
to.in.sin_port = htons(port); /* Spurious warnings from
594
-Wconversion and
595
-Wunreachable-code */
596
}
392
to.sin6_port = htons(port); /* Spurious warning */
393
394
to.sin6_scope_id = (uint32_t)if_index;
597
395
598
396
if(debug){
599
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
600
char interface[IF_NAMESIZE];
601
if(if_indextoname((unsigned int)if_index, interface) == NULL){
602
perror("if_indextoname");
603
} else {
604
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
605
ip, interface, port);
606
}
607
} else {
608
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
609
port);
610
}
611
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
612
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
613
const char *pcret;
614
if(af == AF_INET6){
615
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
616
sizeof(addrstr));
617
} else {
618
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
619
sizeof(addrstr));
620
}
621
if(pcret == NULL){
622
perror("inet_ntop");
623
} else {
624
if(strcmp(addrstr, ip) != 0){
625
fprintf(stderr, "Canonical address form: %s\n", addrstr);
626
}
627
}
397
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
402
/* } else { */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
405
/* } */
628
406
}
629
407
630
if(af == AF_INET6){
631
ret = connect(tcp_sd, &to.in6, sizeof(to));
632
} else {
633
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
634
}
635
if(ret < 0){
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
409
if (ret < 0){
636
410
perror("connect");
637
411
return -1;
638
412
}
639
413
640
const char *out = mandos_protocol_version;
641
written = 0;
642
while(true){
643
size_t out_size = strlen(out);
644
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
645
out_size - written));
646
if(ret == -1){
647
perror("write");
648
retval = -1;
649
goto mandos_end;
650
}
651
written += (size_t)ret;
652
if(written < out_size){
653
continue;
654
} else {
655
if(out == mandos_protocol_version){
656
written = 0;
657
out = "\r\n";
658
} else {
659
break;
660
}
661
}
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
662
418
}
663
419
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
664
423
if(debug){
665
424
fprintf(stderr, "Establishing TLS session with %s\n", ip);
666
425
}
667
426
668
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
669
670
do{
671
ret = gnutls_handshake(session);
672
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
673
674
if(ret != GNUTLS_E_SUCCESS){
427
ret = gnutls_handshake (es.session);
428
429
if (ret != GNUTLS_E_SUCCESS){
675
430
if(debug){
676
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
677
gnutls_perror(ret);
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
678
433
}
679
434
retval = -1;
680
goto mandos_end;
435
goto exit;
681
436
}
682
437
683
/* Read OpenPGP packet that contains the wanted password */
438
//Retrieve OpenPGP packet that contains the wanted password
684
439
685
440
if(debug){
686
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
441
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
687
442
ip);
688
443
}
689
444
690
445
while(true){
691
buffer_capacity = incbuffer(&buffer, buffer_length,
692
buffer_capacity);
693
if(buffer_capacity == 0){
694
perror("incbuffer");
695
retval = -1;
696
goto mandos_end;
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
if (buffer == NULL){
449
perror("realloc");
450
goto exit;
451
}
452
buffer_capacity += BUFFER_SIZE;
697
453
}
698
454
699
sret = gnutls_record_recv(session, buffer+buffer_length,
700
BUFFER_SIZE);
701
if(sret == 0){
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
457
if (ret == 0){
702
458
break;
703
459
}
704
if(sret < 0){
705
switch(sret){
460
if (ret < 0){
461
switch(ret){
706
462
case GNUTLS_E_INTERRUPTED:
707
463
case GNUTLS_E_AGAIN:
708
464
break;
709
465
case GNUTLS_E_REHANDSHAKE:
710
do{
711
ret = gnutls_handshake(session);
712
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
713
if(ret < 0){
714
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
715
gnutls_perror(ret);
466
ret = gnutls_handshake (es.session);
467
if (ret < 0){
468
fprintf(stderr, "\n*** Handshake failed ***\n");
469
gnutls_perror (ret);
716
470
retval = -1;
717
goto mandos_end;
471
goto exit;
718
472
}
719
473
break;
720
474
default:
721
475
fprintf(stderr, "Unknown error while reading data from"
722
" encrypted session with Mandos server\n");
476
" encrypted session with mandos server\n");
723
477
retval = -1;
724
gnutls_bye(session, GNUTLS_SHUT_RDWR);
725
goto mandos_end;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
726
480
}
727
481
} else {
728
buffer_length += (size_t) sret;
482
buffer_length += (size_t) ret;
729
483
}
730
484
}
731
485
732
if(debug){
733
fprintf(stderr, "Closing TLS session\n");
734
}
735
736
gnutls_bye(session, GNUTLS_SHUT_RDWR);
737
738
if(buffer_length > 0){
486
if (buffer_length > 0){
739
487
decrypted_buffer_size = pgp_packet_decrypt(buffer,
740
488
buffer_length,
741
&decrypted_buffer);
742
if(decrypted_buffer_size >= 0){
743
written = 0;
489
&decrypted_buffer,
490
CERT_ROOT);
491
if (decrypted_buffer_size >= 0){
744
492
while(written < (size_t) decrypted_buffer_size){
745
ret = (int)fwrite(decrypted_buffer + written, 1,
746
(size_t)decrypted_buffer_size - written,
747
stdout);
493
ret = (int)fwrite (decrypted_buffer + written, 1,
494
(size_t)decrypted_buffer_size - written,
495
stdout);
748
496
if(ret == 0 and ferror(stdout)){
749
497
if(debug){
750
498
fprintf(stderr, "Error writing encrypted data: %s\n",
759
507
} else {
760
508
retval = -1;
761
509
}
762
} else {
763
retval = -1;
764
}
765
766
/* Shutdown procedure */
767
768
mandos_end:
510
}
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
769
518
free(buffer);
770
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
771
if(ret == -1){
772
perror("close");
773
}
774
gnutls_deinit(session);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
521
close(tcp_sd);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
524
gnutls_global_deinit ();
775
525
return retval;
776
526
}
777
527
778
static void resolve_callback(AvahiSServiceResolver *r,
779
AvahiIfIndex interface,
780
AvahiProtocol proto,
781
AvahiResolverEvent event,
782
const char *name,
783
const char *type,
784
const char *domain,
785
const char *host_name,
786
const AvahiAddress *address,
787
uint16_t port,
788
AVAHI_GCC_UNUSED AvahiStringList *txt,
789
AVAHI_GCC_UNUSED AvahiLookupResultFlags
790
flags,
791
__attribute__((unused)) void* userdata){
792
assert(r);
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
546
assert(r); /* Spurious warning */
793
547
794
548
/* Called whenever a service has been resolved successfully or
795
549
timed out */
796
550
797
switch(event){
551
switch (event) {
798
552
default:
799
553
case AVAHI_RESOLVER_FAILURE:
800
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
801
" of type '%s' in domain '%s': %s\n", name, type, domain,
802
avahi_strerror(avahi_server_errno(mc.server)));
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
803
557
break;
804
558
805
559
case AVAHI_RESOLVER_FOUND:
807
561
char ip[AVAHI_ADDRESS_STR_MAX];
808
562
avahi_address_snprint(ip, sizeof(ip), address);
809
563
if(debug){
810
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
811
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
812
ip, (intmax_t)interface, port);
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
813
566
}
814
int ret = start_mandos_communication(ip, port, interface,
815
avahi_proto_to_af(proto));
816
if(ret == 0){
817
avahi_simple_poll_quit(mc.simple_poll);
567
int ret = start_mandos_communication(ip, port,
568
(unsigned int) interface);
569
if (ret == 0){
570
exit(EXIT_SUCCESS);
818
571
}
819
572
}
820
573
}
821
574
avahi_s_service_resolver_free(r);
822
575
}
823
576
824
static void browse_callback(AvahiSServiceBrowser *b,
825
AvahiIfIndex interface,
826
AvahiProtocol protocol,
827
AvahiBrowserEvent event,
828
const char *name,
829
const char *type,
830
const char *domain,
831
AVAHI_GCC_UNUSED AvahiLookupResultFlags
832
flags,
833
__attribute__((unused)) void* userdata){
834
assert(b);
835
836
/* Called whenever a new services becomes available on the LAN or
837
is removed from the LAN */
838
839
switch(event){
840
default:
841
case AVAHI_BROWSER_FAILURE:
842
843
fprintf(stderr, "(Avahi browser) %s\n",
844
avahi_strerror(avahi_server_errno(mc.server)));
845
avahi_simple_poll_quit(mc.simple_poll);
846
return;
847
848
case AVAHI_BROWSER_NEW:
849
/* We ignore the returned Avahi resolver object. In the callback
850
function we free it. If the Avahi server is terminated before
851
the callback function is called the Avahi server will free the
852
resolver for us. */
853
854
if(!(avahi_s_service_resolver_new(mc.server, interface,
855
protocol, name, type, domain,
856
AVAHI_PROTO_INET6, 0,
857
resolve_callback, NULL)))
858
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
859
name, avahi_strerror(avahi_server_errno(mc.server)));
860
break;
861
862
case AVAHI_BROWSER_REMOVE:
863
break;
864
865
case AVAHI_BROWSER_ALL_FOR_NOW:
866
case AVAHI_BROWSER_CACHE_EXHAUSTED:
867
if(debug){
868
fprintf(stderr, "No Mandos server found, still searching...\n");
577
static void browse_callback(
578
AvahiSServiceBrowser *b,
579
AvahiIfIndex interface,
580
AvahiProtocol protocol,
581
AvahiBrowserEvent event,
582
const char *name,
583
const char *type,
584
const char *domain,
585
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
586
void* userdata) {
587
588
AvahiServer *s = userdata;
589
assert(b); /* Spurious warning */
590
591
/* Called whenever a new services becomes available on the LAN or
592
is removed from the LAN */
593
594
switch (event) {
595
default:
596
case AVAHI_BROWSER_FAILURE:
597
598
fprintf(stderr, "(Browser) %s\n",
599
avahi_strerror(avahi_server_errno(server)));
600
avahi_simple_poll_quit(simple_poll);
601
return;
602
603
case AVAHI_BROWSER_NEW:
604
/* We ignore the returned resolver object. In the callback
605
function we free it. If the server is terminated before
606
the callback function is called the server will free
607
the resolver for us. */
608
609
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
610
type, domain,
611
AVAHI_PROTO_INET6, 0,
612
resolve_callback, s)))
613
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
614
avahi_strerror(avahi_server_errno(s)));
615
break;
616
617
case AVAHI_BROWSER_REMOVE:
618
break;
619
620
case AVAHI_BROWSER_ALL_FOR_NOW:
621
case AVAHI_BROWSER_CACHE_EXHAUSTED:
622
break;
869
623
}
870
break;
871
}
872
}
873
874
/* stop main loop after sigterm has been called */
875
static void handle_sigterm(__attribute__((unused)) int sig){
876
int old_errno = errno;
877
avahi_simple_poll_quit(mc.simple_poll);
878
errno = old_errno;
879
}
880
881
int main(int argc, char *argv[]){
882
AvahiSServiceBrowser *sb = NULL;
883
int error;
884
int ret;
885
intmax_t tmpmax;
886
int numchars;
887
int exitcode = EXIT_SUCCESS;
888
const char *interface = "eth0";
889
struct ifreq network;
890
int sd;
891
uid_t uid;
892
gid_t gid;
893
char *connect_to = NULL;
894
char tempdir[] = "/tmp/mandosXXXXXX";
895
bool tempdir_created = false;
896
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
897
const char *seckey = PATHDIR "/" SECKEY;
898
const char *pubkey = PATHDIR "/" PUBKEY;
899
900
bool gnutls_initialized = false;
901
bool gpgme_initialized = false;
902
double delay = 2.5;
903
904
struct sigaction old_sigterm_action;
905
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
906
907
{
908
struct argp_option options[] = {
909
{ .name = "debug", .key = 128,
910
.doc = "Debug mode", .group = 3 },
911
{ .name = "connect", .key = 'c',
912
.arg = "ADDRESS:PORT",
913
.doc = "Connect directly to a specific Mandos server",
914
.group = 1 },
915
{ .name = "interface", .key = 'i',
916
.arg = "NAME",
917
.doc = "Network interface that will be used to search for"
918
" Mandos servers",
919
.group = 1 },
920
{ .name = "seckey", .key = 's',
921
.arg = "FILE",
922
.doc = "OpenPGP secret key file base name",
923
.group = 1 },
924
{ .name = "pubkey", .key = 'p',
925
.arg = "FILE",
926
.doc = "OpenPGP public key file base name",
927
.group = 2 },
928
{ .name = "dh-bits", .key = 129,
929
.arg = "BITS",
930
.doc = "Bit length of the prime number used in the"
931
" Diffie-Hellman key exchange",
932
.group = 2 },
933
{ .name = "priority", .key = 130,
934
.arg = "STRING",
935
.doc = "GnuTLS priority string for the TLS handshake",
936
.group = 1 },
937
{ .name = "delay", .key = 131,
938
.arg = "SECONDS",
939
.doc = "Maximum delay to wait for interface startup",
940
.group = 2 },
941
{ .name = NULL }
942
};
624
}
625
626
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
627
AvahiServerConfig config;
628
AvahiSServiceBrowser *sb = NULL;
629
int error;
630
int ret;
631
int returncode = EXIT_SUCCESS;
632
const char *interface = "eth0";
633
unsigned int if_index;
634
char *connect_to = NULL;
943
635
944
error_t parse_opt(int key, char *arg,
945
struct argp_state *state){
946
switch(key){
947
case 128: /* --debug */
948
debug = true;
949
break;
950
case 'c': /* --connect */
951
connect_to = arg;
952
break;
953
case 'i': /* --interface */
954
interface = arg;
955
break;
956
case 's': /* --seckey */
957
seckey = arg;
958
break;
959
case 'p': /* --pubkey */
960
pubkey = arg;
961
break;
962
case 129: /* --dh-bits */
963
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
964
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
965
or arg[numchars] != '\0'){
966
fprintf(stderr, "Bad number of DH bits\n");
967
exit(EXIT_FAILURE);
968
}
969
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
970
break;
971
case 130: /* --priority */
972
mc.priority = arg;
973
break;
974
case 131: /* --delay */
975
ret = sscanf(arg, "%lf%n", &delay, &numchars);
976
if(ret < 1 or arg[numchars] != '\0'){
977
fprintf(stderr, "Bad delay\n");
978
exit(EXIT_FAILURE);
979
}
980
break;
981
case ARGP_KEY_ARG:
982
argp_usage(state);
983
case ARGP_KEY_END:
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"connect", required_argument, 0, 'c'},
640
{"interface", required_argument, 0, 'i'},
641
{0, 0, 0, 0} };
642
643
int option_index = 0;
644
ret = getopt_long (argc, argv, "i:", long_options,
645
&option_index);
646
647
if (ret == -1){
648
break;
649
}
650
651
switch(ret){
652
case 0:
653
break;
654
case 'i':
655
interface = optarg;
656
break;
657
case 'c':
658
connect_to = optarg;
984
659
break;
985
660
default:
986
return ARGP_ERR_UNKNOWN;
987
}
988
return 0;
989
}
990
991
struct argp argp = { .options = options, .parser = parse_opt,
992
.args_doc = "",
993
.doc = "Mandos client -- Get and decrypt"
994
" passwords from a Mandos server" };
995
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
996
if(ret == ARGP_ERR_UNKNOWN){
997
fprintf(stderr, "Unknown error while parsing arguments\n");
998
exitcode = EXIT_FAILURE;
999
goto end;
1000
}
1001
}
1002
1003
if(not debug){
1004
avahi_set_log_function(empty_log);
1005
}
1006
1007
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1008
from the signal handler */
1009
/* Initialize the pseudo-RNG for Avahi */
1010
srand((unsigned int) time(NULL));
1011
mc.simple_poll = avahi_simple_poll_new();
1012
if(mc.simple_poll == NULL){
1013
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1014
exitcode = EXIT_FAILURE;
1015
goto end;
1016
}
1017
1018
sigemptyset(&sigterm_action.sa_mask);
1019
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1020
if(ret == -1){
1021
perror("sigaddset");
1022
exitcode = EXIT_FAILURE;
1023
goto end;
1024
}
1025
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1026
if(ret == -1){
1027
perror("sigaction");
1028
exitcode = EXIT_FAILURE;
1029
goto end;
1030
}
1031
1032
1033
/* If the interface is down, bring it up */
1034
if(interface[0] != '\0'){
1035
#ifdef __linux__
1036
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1037
messages to mess up the prompt */
1038
ret = klogctl(8, NULL, 5);
1039
bool restore_loglevel = true;
1040
if(ret == -1){
1041
restore_loglevel = false;
1042
perror("klogctl");
1043
}
1044
#endif
1045
1046
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1047
if(sd < 0){
1048
perror("socket");
1049
exitcode = EXIT_FAILURE;
1050
#ifdef __linux__
1051
if(restore_loglevel){
1052
ret = klogctl(7, NULL, 0);
1053
if(ret == -1){
1054
perror("klogctl");
1055
}
1056
}
1057
#endif
1058
goto end;
1059
}
1060
strcpy(network.ifr_name, interface);
1061
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1062
if(ret == -1){
1063
perror("ioctl SIOCGIFFLAGS");
1064
#ifdef __linux__
1065
if(restore_loglevel){
1066
ret = klogctl(7, NULL, 0);
1067
if(ret == -1){
1068
perror("klogctl");
1069
}
1070
}
1071
#endif
1072
exitcode = EXIT_FAILURE;
1073
goto end;
1074
}
1075
if((network.ifr_flags & IFF_UP) == 0){
1076
network.ifr_flags |= IFF_UP;
1077
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1078
if(ret == -1){
1079
perror("ioctl SIOCSIFFLAGS");
1080
exitcode = EXIT_FAILURE;
1081
#ifdef __linux__
1082
if(restore_loglevel){
1083
ret = klogctl(7, NULL, 0);
1084
if(ret == -1){
1085
perror("klogctl");
1086
}
1087
}
1088
#endif
1089
goto end;
1090
}
1091
}
1092
/* sleep checking until interface is running */
1093
for(int i=0; i < delay * 4; i++){
1094
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1095
if(ret == -1){
1096
perror("ioctl SIOCGIFFLAGS");
1097
} else if(network.ifr_flags & IFF_RUNNING){
1098
break;
1099
}
1100
struct timespec sleeptime = { .tv_nsec = 250000000 };
1101
ret = nanosleep(&sleeptime, NULL);
1102
if(ret == -1 and errno != EINTR){
1103
perror("nanosleep");
1104
}
1105
}
1106
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1107
if(ret == -1){
1108
perror("close");
1109
}
1110
#ifdef __linux__
1111
if(restore_loglevel){
1112
/* Restores kernel loglevel to default */
1113
ret = klogctl(7, NULL, 0);
1114
if(ret == -1){
1115
perror("klogctl");
1116
}
1117
}
1118
#endif
1119
}
1120
1121
uid = getuid();
1122
gid = getgid();
1123
1124
errno = 0;
1125
setgid(gid);
1126
if(ret == -1){
1127
perror("setgid");
1128
}
1129
1130
ret = setuid(uid);
1131
if(ret == -1){
1132
perror("setuid");
1133
}
1134
1135
ret = init_gnutls_global(pubkey, seckey);
1136
if(ret == -1){
1137
fprintf(stderr, "init_gnutls_global failed\n");
1138
exitcode = EXIT_FAILURE;
1139
goto end;
1140
} else {
1141
gnutls_initialized = true;
1142
}
1143
1144
if(mkdtemp(tempdir) == NULL){
1145
perror("mkdtemp");
1146
goto end;
1147
}
1148
tempdir_created = true;
1149
1150
if(not init_gpgme(pubkey, seckey, tempdir)){
1151
fprintf(stderr, "init_gpgme failed\n");
1152
exitcode = EXIT_FAILURE;
1153
goto end;
1154
} else {
1155
gpgme_initialized = true;
1156
}
1157
1158
if(interface[0] != '\0'){
1159
if_index = (AvahiIfIndex) if_nametoindex(interface);
661
exit(EXIT_FAILURE);
662
}
663
}
664
665
if_index = if_nametoindex(interface);
1160
666
if(if_index == 0){
1161
667
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1162
exitcode = EXIT_FAILURE;
1163
goto end;
1164
}
1165
}
1166
1167
if(connect_to != NULL){
1168
/* Connect directly, do not use Zeroconf */
1169
/* (Mainly meant for debugging) */
1170
char *address = strrchr(connect_to, ':');
1171
if(address == NULL){
1172
fprintf(stderr, "No colon in address\n");
1173
exitcode = EXIT_FAILURE;
1174
goto end;
1175
}
1176
uint16_t port;
1177
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1178
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1179
or address[numchars+1] != '\0'){
1180
fprintf(stderr, "Bad port number\n");
1181
exitcode = EXIT_FAILURE;
1182
goto end;
1183
}
1184
port = (uint16_t)tmpmax;
1185
*address = '\0';
1186
address = connect_to;
1187
/* Colon in address indicates IPv6 */
1188
int af;
1189
if(strchr(address, ':') != NULL){
1190
af = AF_INET6;
1191
} else {
1192
af = AF_INET;
1193
}
1194
ret = start_mandos_communication(address, port, if_index,
1195
af);
1196
if(ret < 0){
1197
exitcode = EXIT_FAILURE;
1198
} else {
1199
exitcode = EXIT_SUCCESS;
1200
}
1201
goto end;
1202
}
1203
1204
{
1205
AvahiServerConfig config;
1206
/* Do not publish any local Zeroconf records */
668
exit(EXIT_FAILURE);
669
}
670
671
if(connect_to != NULL){
672
/* Connect directly, do not use Zeroconf */
673
/* (Mainly meant for debugging) */
674
char *address = strrchr(connect_to, ':');
675
if(address == NULL){
676
fprintf(stderr, "No colon in address\n");
677
exit(EXIT_FAILURE);
678
}
679
errno = 0;
680
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
681
if(errno){
682
perror("Bad port number");
683
exit(EXIT_FAILURE);
684
}
685
*address = '\0';
686
address = connect_to;
687
ret = start_mandos_communication(address, port, if_index);
688
if(ret < 0){
689
exit(EXIT_FAILURE);
690
} else {
691
exit(EXIT_SUCCESS);
692
}
693
}
694
695
if (not debug){
696
avahi_set_log_function(empty_log);
697
}
698
699
/* Initialize the psuedo-RNG */
700
srand((unsigned int) time(NULL));
701
702
/* Allocate main loop object */
703
if (!(simple_poll = avahi_simple_poll_new())) {
704
fprintf(stderr, "Failed to create simple poll object.\n");
705
706
goto exit;
707
}
708
709
/* Do not publish any local records */
1207
710
avahi_server_config_init(&config);
1208
711
config.publish_hinfo = 0;
1209
712
config.publish_addresses = 0;
1210
713
config.publish_workstation = 0;
1211
714
config.publish_domain = 0;
1212
715
1213
716
/* Allocate a new server */
1214
mc.server = avahi_server_new(avahi_simple_poll_get
1215
(mc.simple_poll), &config, NULL,
1216
NULL, &error);
1217
1218
/* Free the Avahi configuration data */
717
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
718
&config, NULL, NULL, &error);
719
720
/* Free the configuration data */
1219
721
avahi_server_config_free(&config);
1220
}
1221
1222
/* Check if creating the Avahi server object succeeded */
1223
if(mc.server == NULL){
1224
fprintf(stderr, "Failed to create Avahi server: %s\n",
1225
avahi_strerror(error));
1226
exitcode = EXIT_FAILURE;
1227
goto end;
1228
}
1229
1230
/* Create the Avahi service browser */
1231
sb = avahi_s_service_browser_new(mc.server, if_index,
1232
AVAHI_PROTO_INET6, "_mandos._tcp",
1233
NULL, 0, browse_callback, NULL);
1234
if(sb == NULL){
1235
fprintf(stderr, "Failed to create service browser: %s\n",
1236
avahi_strerror(avahi_server_errno(mc.server)));
1237
exitcode = EXIT_FAILURE;
1238
goto end;
1239
}
1240
1241
/* Run the main loop */
1242
1243
if(debug){
1244
fprintf(stderr, "Starting Avahi loop search\n");
1245
}
1246
1247
avahi_simple_poll_loop(mc.simple_poll);
1248
1249
end:
1250
1251
if(debug){
1252
fprintf(stderr, "%s exiting\n", argv[0]);
1253
}
1254
1255
/* Cleanup things */
1256
if(sb != NULL)
1257
avahi_s_service_browser_free(sb);
1258
1259
if(mc.server != NULL)
1260
avahi_server_free(mc.server);
1261
1262
if(mc.simple_poll != NULL)
1263
avahi_simple_poll_free(mc.simple_poll);
1264
1265
if(gnutls_initialized){
1266
gnutls_certificate_free_credentials(mc.cred);
1267
gnutls_global_deinit();
1268
gnutls_dh_params_deinit(mc.dh_params);
1269
}
1270
1271
if(gpgme_initialized){
1272
gpgme_release(mc.ctx);
1273
}
1274
1275
/* Removes the temp directory used by GPGME */
1276
if(tempdir_created){
1277
DIR *d;
1278
struct dirent *direntry;
1279
d = opendir(tempdir);
1280
if(d == NULL){
1281
if(errno != ENOENT){
1282
perror("opendir");
1283
}
1284
} else {
1285
while(true){
1286
direntry = readdir(d);
1287
if(direntry == NULL){
1288
break;
1289
}
1290
/* Skip "." and ".." */
1291
if(direntry->d_name[0] == '.'
1292
and (direntry->d_name[1] == '\0'
1293
or (direntry->d_name[1] == '.'
1294
and direntry->d_name[2] == '\0'))){
1295
continue;
1296
}
1297
char *fullname = NULL;
1298
ret = asprintf(&fullname, "%s/%s", tempdir,
1299
direntry->d_name);
1300
if(ret < 0){
1301
perror("asprintf");
1302
continue;
1303
}
1304
ret = remove(fullname);
1305
if(ret == -1){
1306
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1307
strerror(errno));
1308
}
1309
free(fullname);
1310
}
1311
closedir(d);
1312
}
1313
ret = rmdir(tempdir);
1314
if(ret == -1 and errno != ENOENT){
1315
perror("rmdir");
1316
}
1317
}
1318
1319
return exitcode;
722
723
/* Check if creating the server object succeeded */
724
if (!server) {
725
fprintf(stderr, "Failed to create server: %s\n",
726
avahi_strerror(error));
727
returncode = EXIT_FAILURE;
728
goto exit;
729
}
730
731
/* Create the service browser */
732
sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,
733
AVAHI_PROTO_INET6,
734
"_mandos._tcp", NULL, 0,
735
browse_callback, server);
736
if (!sb) {
737
fprintf(stderr, "Failed to create service browser: %s\n",
738
avahi_strerror(avahi_server_errno(server)));
739
returncode = EXIT_FAILURE;
740
goto exit;
741
}
742
743
/* Run the main loop */
744
745
if (debug){
746
fprintf(stderr, "Starting avahi loop search\n");
747
}
748
749
avahi_simple_poll_loop(simple_poll);
750
751
exit:
752
753
if (debug){
754
fprintf(stderr, "%s exiting\n", argv[0]);
755
}
756
757
/* Cleanup things */
758
if (sb)
759
avahi_s_service_browser_free(sb);
760
761
if (server)
762
avahi_server_free(server);
763
764
if (simple_poll)
765
avahi_simple_poll_free(simple_poll);
766
767
return returncode;
1320
768
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0