To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 30
- compare with another revision
- download diff
- download tarball
- view history from revision 30
- Committer: Teddy Hogeborn
- Date: 2008-07-31 19:51:44 UTC
- mfrom: (24.1.5 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080731195144-yb37wz2sr1e6b3m4
Merge.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
83
42
#include <avahi-core/core.h>
84
43
#include <avahi-core/lookup.h>
85
44
#include <avahi-core/log.h>
87
46
#include <avahi-common/malloc.h>
88
47
#include <avahi-common/error.h>
89
48
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
106
69
107
70
#define BUFFER_SIZE 256
71
#define DH_BITS 1024
108
72
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
73
const char *certdir = "/conf/conf.d/cryptkeyreq/";
74
const char *certfile = "openpgp-client.txt";
75
const char *certkey = "openpgp-client-key.txt";
112
76
113
77
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
78
118
/* Used for passing in values through the Avahi callback functions */
119
79
typedef struct {
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
80
gnutls_session_t session;
122
81
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
124
82
gnutls_dh_params_t dh_params;
125
const char *priority;
83
} encrypted_session;
84
85
86
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
87
char **new_packet, const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
126
89
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
152
90
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
153
94
gpgme_engine_info_t engine_info;
154
155
156
/*
157
* Helper function to insert pub and seckey to the engine keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
193
98
}
194
99
195
100
/* Init GPGME */
196
101
gpgme_check_version(NULL);
197
102
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
if(rc != GPG_ERR_NO_ERROR){
103
if (rc != GPG_ERR_NO_ERROR){
199
104
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
200
105
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
106
return -1;
202
107
}
203
108
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
207
112
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
208
113
gpgme_strsource(rc), gpgme_strerror(rc));
209
return false;
114
return -1;
210
115
}
211
116
while(engine_info != NULL){
212
117
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
213
118
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
214
engine_info->file_name, tempdir);
119
engine_info->file_name, homedir);
215
120
break;
216
121
}
217
122
engine_info = engine_info->next;
218
123
}
219
124
if(engine_info == NULL){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
261
132
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
262
133
gpgme_strsource(rc), gpgme_strerror(rc));
263
134
return -1;
265
136
266
137
/* Create new empty GPGME data buffer for the plaintext */
267
138
rc = gpgme_data_new(&dh_plain);
268
if(rc != GPG_ERR_NO_ERROR){
139
if (rc != GPG_ERR_NO_ERROR){
269
140
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
270
141
gpgme_strsource(rc), gpgme_strerror(rc));
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
279
157
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
280
158
gpgme_strsource(rc), gpgme_strerror(rc));
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
159
return -1;
160
}
161
162
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
307
190
}
308
191
}
309
192
}
310
goto decrypt_end;
311
193
}
312
194
313
if(debug){
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
316
197
317
198
/* Seek back to the beginning of the GPGME plaintext data buffer */
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
322
201
}
323
202
324
*plaintext = NULL;
203
*new_packet = 0;
325
204
while(true){
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
333
214
}
334
215
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
336
217
BUFFER_SIZE);
337
218
/* Print the data, if any */
338
if(ret == 0){
339
/* EOF */
219
if (ret == 0){
340
220
break;
341
221
}
342
222
if(ret < 0){
343
223
perror("gpgme_data_read");
344
plaintext_length = -1;
345
goto decrypt_end;
346
}
347
plaintext_length += ret;
348
}
349
350
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
356
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
362
236
363
237
/* Delete the GPGME plaintext data buffer */
364
238
gpgme_data_release(dh_plain);
365
return plaintext_length;
239
return new_packet_length;
366
240
}
367
241
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
372
245
ret = "(unknown)";
373
246
return ret;
374
247
}
375
248
376
/* GnuTLS log function callback */
377
static void debuggnutls(__attribute__((unused)) int level,
378
const char* string){
379
fprintf(stderr, "GnuTLS: %s", string);
249
void debuggnutls(__attribute__((unused)) int level,
250
const char* string){
251
fprintf(stderr, "%s", string);
380
252
}
381
253
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
254
int initgnutls(encrypted_session *es){
255
const char *err;
385
256
int ret;
386
257
387
258
if(debug){
388
259
fprintf(stderr, "Initializing GnuTLS\n");
389
260
}
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
395
265
return -1;
396
266
}
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
267
268
if (debug){
402
269
gnutls_global_set_log_level(11);
403
270
gnutls_global_set_log_function(debuggnutls);
404
271
}
405
272
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
415
278
return -1;
416
279
}
417
280
418
281
if(debug){
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
422
285
}
423
286
424
287
ret = gnutls_certificate_set_openpgp_key_file
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
468
319
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
469
320
safer_gnutls_strerror(ret));
470
321
}
471
322
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
482
329
}
483
330
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
488
335
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
490
336
return -1;
491
337
}
492
338
493
339
/* ignore client certificate if any. */
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
496
342
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
344
499
345
return 0;
500
346
}
501
347
502
/* Avahi log function callback */
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
504
__attribute__((unused)) const char *txt){}
348
void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
__attribute__((unused)) const char *txt){}
505
350
506
/* Called when a Mandos server is found */
507
static int start_mandos_communication(const char *ip, uint16_t port,
508
AvahiIfIndex if_index,
509
mandos_context *mc){
351
int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
510
353
int ret, tcp_sd;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
354
struct sockaddr_in6 to;
355
encrypted_session es;
513
356
char *buffer = NULL;
514
357
char *decrypted_buffer;
515
358
size_t buffer_length = 0;
516
359
size_t buffer_capacity = 0;
517
360
ssize_t decrypted_buffer_size;
518
size_t written;
361
size_t written = 0;
519
362
int retval = 0;
520
363
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
527
364
528
365
if(debug){
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
531
368
}
532
369
533
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
536
373
return -1;
537
374
}
538
375
539
if(debug){
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
541
378
perror("if_indextoname");
542
return -1;
543
379
}
380
return -1;
381
}
382
383
if(debug){
544
384
fprintf(stderr, "Binding to interface %s\n", interface);
545
385
}
546
386
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
553
391
perror("inet_pton");
554
392
return -1;
555
}
393
}
556
394
if(ret == 0){
557
395
fprintf(stderr, "Bad address: %s\n", ip);
558
396
return -1;
559
397
}
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
398
to.sin6_port = htons(port); /* Spurious warning */
563
399
564
to.in6.sin6_scope_id = (uint32_t)if_index;
400
to.sin6_scope_id = (uint32_t)if_index;
565
401
566
402
if(debug){
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
569
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
571
sizeof(addrstr)) == NULL){
572
perror("inet_ntop");
573
} else {
574
if(strcmp(addrstr, ip) != 0){
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
576
}
577
}
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
578
412
}
579
413
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
582
416
perror("connect");
583
417
return -1;
584
418
}
585
419
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
608
424
}
609
425
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
610
429
if(debug){
611
430
fprintf(stderr, "Establishing TLS session with %s\n", ip);
612
431
}
613
432
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
621
436
if(debug){
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
624
439
}
625
440
retval = -1;
626
goto mandos_end;
441
goto exit;
627
442
}
628
443
629
/* Read OpenPGP packet that contains the wanted password */
444
//Retrieve OpenPGP packet that contains the wanted password
630
445
631
446
if(debug){
632
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
633
448
ip);
634
449
}
635
450
636
451
while(true){
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
643
459
}
644
460
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
648
464
break;
649
465
}
650
if(sret < 0){
651
switch(sret){
466
if (ret < 0){
467
switch(ret){
652
468
case GNUTLS_E_INTERRUPTED:
653
469
case GNUTLS_E_AGAIN:
654
470
break;
655
471
case GNUTLS_E_REHANDSHAKE:
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
662
476
retval = -1;
663
goto mandos_end;
477
goto exit;
664
478
}
665
479
break;
666
480
default:
667
481
fprintf(stderr, "Unknown error while reading data from"
668
" encrypted session with Mandos server\n");
482
" encrypted session with mandos server\n");
669
483
retval = -1;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
672
486
}
673
487
} else {
674
buffer_length += (size_t) sret;
488
buffer_length += (size_t) ret;
675
489
}
676
490
}
677
491
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
492
if (buffer_length > 0){
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
686
494
buffer_length,
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
690
498
while(written < (size_t) decrypted_buffer_size){
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
694
502
if(ret == 0 and ferror(stdout)){
695
503
if(debug){
696
504
fprintf(stderr, "Error writing encrypted data: %s\n",
705
513
} else {
706
514
retval = -1;
707
515
}
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
715
524
free(buffer);
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
721
531
return retval;
722
532
}
723
533
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
740
553
741
554
/* Called whenever a service has been resolved successfully or
742
555
timed out */
743
556
744
switch(event) {
557
switch (event) {
745
558
default:
746
559
case AVAHI_RESOLVER_FAILURE:
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
750
563
break;
751
564
752
565
case AVAHI_RESOLVER_FOUND:
754
567
char ip[AVAHI_ADDRESS_STR_MAX];
755
568
avahi_address_snprint(ip, sizeof(ip), address);
756
569
if(debug){
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
760
572
}
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
764
576
}
765
577
}
766
578
}
767
579
avahi_s_service_resolver_free(r);
768
580
}
769
581
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
816
628
}
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
629
}
630
631
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
632
const char *combinepath(const char *first, const char *second){
633
char *tmp;
634
tmp = malloc(strlen(first) + strlen(second) + 2);
635
if (tmp == NULL){
636
perror("malloc");
637
return NULL;
638
}
639
strcpy(tmp, first);
640
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
641
strcat(tmp, "/");
642
}
643
strcat(tmp, second);
644
return tmp;
645
}
646
647
648
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
649
AvahiServerConfig config;
822
650
AvahiSServiceBrowser *sb = NULL;
823
651
int error;
824
652
int ret;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
828
const char *interface = "eth0";
829
struct ifreq network;
830
int sd;
831
uid_t uid;
832
gid_t gid;
653
int returncode = EXIT_SUCCESS;
654
const char *interface = NULL;
655
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
833
656
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
835
bool tempdir_created = false;
836
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
837
const char *seckey = PATHDIR "/" SECKEY;
838
const char *pubkey = PATHDIR "/" PUBKEY;
839
840
mandos_context mc = { .simple_poll = NULL, .server = NULL,
841
.dh_bits = 1024, .priority = "SECURE256"
842
":!CTYPE-X.509:+CTYPE-OPENPGP" };
843
bool gnutls_initialized = false;
844
bool gpgme_initialized = false;
845
846
{
847
struct argp_option options[] = {
848
{ .name = "debug", .key = 128,
849
.doc = "Debug mode", .group = 3 },
850
{ .name = "connect", .key = 'c',
851
.arg = "ADDRESS:PORT",
852
.doc = "Connect directly to a specific Mandos server",
853
.group = 1 },
854
{ .name = "interface", .key = 'i',
855
.arg = "NAME",
856
.doc = "Interface that will be used to search for Mandos"
857
" servers",
858
.group = 1 },
859
{ .name = "seckey", .key = 's',
860
.arg = "FILE",
861
.doc = "OpenPGP secret key file base name",
862
.group = 1 },
863
{ .name = "pubkey", .key = 'p',
864
.arg = "FILE",
865
.doc = "OpenPGP public key file base name",
866
.group = 2 },
867
{ .name = "dh-bits", .key = 129,
868
.arg = "BITS",
869
.doc = "Bit length of the prime number used in the"
870
" Diffie-Hellman key exchange",
871
.group = 2 },
872
{ .name = "priority", .key = 130,
873
.arg = "STRING",
874
.doc = "GnuTLS priority string for the TLS handshake",
875
.group = 1 },
876
{ .name = NULL }
877
};
878
879
error_t parse_opt(int key, char *arg,
880
struct argp_state *state) {
881
switch(key) {
882
case 128: /* --debug */
883
debug = true;
884
break;
885
case 'c': /* --connect */
886
connect_to = arg;
887
break;
888
case 'i': /* --interface */
889
interface = arg;
890
break;
891
case 's': /* --seckey */
892
seckey = arg;
893
break;
894
case 'p': /* --pubkey */
895
pubkey = arg;
896
break;
897
case 129: /* --dh-bits */
898
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
899
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
900
or arg[numchars] != '\0'){
901
fprintf(stderr, "Bad number of DH bits\n");
902
exit(EXIT_FAILURE);
903
}
904
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
905
break;
906
case 130: /* --priority */
907
mc.priority = arg;
908
break;
909
case ARGP_KEY_ARG:
910
argp_usage(state);
911
case ARGP_KEY_END:
912
break;
913
default:
914
return ARGP_ERR_UNKNOWN;
915
}
916
return 0;
917
}
918
919
struct argp argp = { .options = options, .parser = parse_opt,
920
.args_doc = "",
921
.doc = "Mandos client -- Get and decrypt"
922
" passwords from a Mandos server" };
923
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
924
if(ret == ARGP_ERR_UNKNOWN){
925
fprintf(stderr, "Unknown error while parsing arguments\n");
926
exitcode = EXIT_FAILURE;
927
goto end;
928
}
929
}
930
931
/* If the interface is down, bring it up */
932
{
933
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
934
if(sd < 0) {
935
perror("socket");
936
exitcode = EXIT_FAILURE;
937
goto end;
938
}
939
strcpy(network.ifr_name, interface);
940
ret = ioctl(sd, SIOCGIFFLAGS, &network);
941
if(ret == -1){
942
perror("ioctl SIOCGIFFLAGS");
943
exitcode = EXIT_FAILURE;
944
goto end;
945
}
946
if((network.ifr_flags & IFF_UP) == 0){
947
network.ifr_flags |= IFF_UP;
948
ret = ioctl(sd, SIOCSIFFLAGS, &network);
949
if(ret == -1){
950
perror("ioctl SIOCSIFFLAGS");
951
exitcode = EXIT_FAILURE;
952
goto end;
953
}
954
}
955
ret = (int)TEMP_FAILURE_RETRY(close(sd));
956
if(ret == -1){
957
perror("close");
958
}
959
}
960
961
uid = getuid();
962
gid = getgid();
963
964
ret = setuid(uid);
965
if(ret == -1){
966
perror("setuid");
967
}
968
969
setgid(gid);
970
if(ret == -1){
971
perror("setgid");
972
}
973
974
ret = init_gnutls_global(&mc, pubkey, seckey);
975
if(ret == -1){
976
fprintf(stderr, "init_gnutls_global failed\n");
977
exitcode = EXIT_FAILURE;
978
goto end;
979
} else {
980
gnutls_initialized = true;
981
}
982
983
if(mkdtemp(tempdir) == NULL){
984
perror("mkdtemp");
985
goto end;
986
}
987
tempdir_created = true;
988
989
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
990
fprintf(stderr, "init_gpgme failed\n");
991
exitcode = EXIT_FAILURE;
992
goto end;
993
} else {
994
gpgme_initialized = true;
995
}
996
997
if_index = (AvahiIfIndex) if_nametoindex(interface);
998
if(if_index == 0){
999
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1000
exitcode = EXIT_FAILURE;
1001
goto end;
657
658
while (true){
659
static struct option long_options[] = {
660
{"debug", no_argument, (int *)&debug, 1},
661
{"connect", required_argument, 0, 'C'},
662
{"interface", required_argument, 0, 'i'},
663
{"certdir", required_argument, 0, 'd'},
664
{"certkey", required_argument, 0, 'c'},
665
{"certfile", required_argument, 0, 'k'},
666
{0, 0, 0, 0} };
667
668
int option_index = 0;
669
ret = getopt_long (argc, argv, "i:", long_options,
670
&option_index);
671
672
if (ret == -1){
673
break;
674
}
675
676
switch(ret){
677
case 0:
678
break;
679
case 'i':
680
interface = optarg;
681
break;
682
case 'C':
683
connect_to = optarg;
684
break;
685
case 'd':
686
certdir = optarg;
687
break;
688
case 'c':
689
certfile = optarg;
690
break;
691
case 'k':
692
certkey = optarg;
693
break;
694
default:
695
exit(EXIT_FAILURE);
696
}
697
}
698
699
certfile = combinepath(certdir, certfile);
700
if (certfile == NULL){
701
goto exit;
702
}
703
704
if(interface != NULL){
705
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
if(if_index == 0){
707
fprintf(stderr, "No such interface: \"%s\"\n", interface);
708
exit(EXIT_FAILURE);
709
}
1002
710
}
1003
711
1004
712
if(connect_to != NULL){
1007
715
char *address = strrchr(connect_to, ':');
1008
716
if(address == NULL){
1009
717
fprintf(stderr, "No colon in address\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
uint16_t port;
1014
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1015
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1016
or address[numchars+1] != '\0'){
1017
fprintf(stderr, "Bad port number\n");
1018
exitcode = EXIT_FAILURE;
1019
goto end;
1020
}
1021
port = (uint16_t)tmpmax;
718
exit(EXIT_FAILURE);
719
}
720
errno = 0;
721
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
if(errno){
723
perror("Bad port number");
724
exit(EXIT_FAILURE);
725
}
1022
726
*address = '\0';
1023
727
address = connect_to;
1024
ret = start_mandos_communication(address, port, if_index, &mc);
728
ret = start_mandos_communication(address, port, if_index);
1025
729
if(ret < 0){
1026
exitcode = EXIT_FAILURE;
730
exit(EXIT_FAILURE);
1027
731
} else {
1028
exitcode = EXIT_SUCCESS;
732
exit(EXIT_SUCCESS);
1029
733
}
1030
goto end;
1031
}
1032
1033
if(not debug){
734
}
735
736
certkey = combinepath(certdir, certkey);
737
if (certkey == NULL){
738
goto exit;
739
}
740
741
if (not debug){
1034
742
avahi_set_log_function(empty_log);
1035
743
}
1036
744
1037
/* Initialize the pseudo-RNG for Avahi */
745
/* Initialize the psuedo-RNG */
1038
746
srand((unsigned int) time(NULL));
1039
1040
/* Allocate main Avahi loop object */
1041
mc.simple_poll = avahi_simple_poll_new();
1042
if(mc.simple_poll == NULL) {
1043
fprintf(stderr, "Avahi: Failed to create simple poll"
1044
" object.\n");
1045
exitcode = EXIT_FAILURE;
1046
goto end;
1047
}
1048
1049
{
1050
AvahiServerConfig config;
1051
/* Do not publish any local Zeroconf records */
1052
avahi_server_config_init(&config);
1053
config.publish_hinfo = 0;
1054
config.publish_addresses = 0;
1055
config.publish_workstation = 0;
1056
config.publish_domain = 0;
1057
1058
/* Allocate a new server */
1059
mc.server = avahi_server_new(avahi_simple_poll_get
1060
(mc.simple_poll), &config, NULL,
1061
NULL, &error);
1062
1063
/* Free the Avahi configuration data */
1064
avahi_server_config_free(&config);
1065
}
1066
1067
/* Check if creating the Avahi server object succeeded */
1068
if(mc.server == NULL) {
1069
fprintf(stderr, "Failed to create Avahi server: %s\n",
747
748
/* Allocate main loop object */
749
if (!(simple_poll = avahi_simple_poll_new())) {
750
fprintf(stderr, "Failed to create simple poll object.\n");
751
752
goto exit;
753
}
754
755
/* Do not publish any local records */
756
avahi_server_config_init(&config);
757
config.publish_hinfo = 0;
758
config.publish_addresses = 0;
759
config.publish_workstation = 0;
760
config.publish_domain = 0;
761
762
/* Allocate a new server */
763
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
764
&config, NULL, NULL, &error);
765
766
/* Free the configuration data */
767
avahi_server_config_free(&config);
768
769
/* Check if creating the server object succeeded */
770
if (!server) {
771
fprintf(stderr, "Failed to create server: %s\n",
1070
772
avahi_strerror(error));
1071
exitcode = EXIT_FAILURE;
1072
goto end;
773
returncode = EXIT_FAILURE;
774
goto exit;
1073
775
}
1074
776
1075
/* Create the Avahi service browser */
1076
sb = avahi_s_service_browser_new(mc.server, if_index,
777
/* Create the service browser */
778
sb = avahi_s_service_browser_new(server, if_index,
1077
779
AVAHI_PROTO_INET6,
1078
780
"_mandos._tcp", NULL, 0,
1079
browse_callback, &mc);
1080
if(sb == NULL) {
781
browse_callback, server);
782
if (!sb) {
1081
783
fprintf(stderr, "Failed to create service browser: %s\n",
1082
avahi_strerror(avahi_server_errno(mc.server)));
1083
exitcode = EXIT_FAILURE;
1084
goto end;
784
avahi_strerror(avahi_server_errno(server)));
785
returncode = EXIT_FAILURE;
786
goto exit;
1085
787
}
1086
788
1087
789
/* Run the main loop */
1088
1089
if(debug){
1090
fprintf(stderr, "Starting Avahi loop search\n");
790
791
if (debug){
792
fprintf(stderr, "Starting avahi loop search\n");
1091
793
}
1092
794
1093
avahi_simple_poll_loop(mc.simple_poll);
1094
1095
end:
1096
1097
if(debug){
795
avahi_simple_poll_loop(simple_poll);
796
797
exit:
798
799
if (debug){
1098
800
fprintf(stderr, "%s exiting\n", argv[0]);
1099
801
}
1100
802
1101
803
/* Cleanup things */
1102
if(sb != NULL)
804
if (sb)
1103
805
avahi_s_service_browser_free(sb);
1104
806
1105
if(mc.server != NULL)
1106
avahi_server_free(mc.server);
1107
1108
if(mc.simple_poll != NULL)
1109
avahi_simple_poll_free(mc.simple_poll);
1110
1111
if(gnutls_initialized){
1112
gnutls_certificate_free_credentials(mc.cred);
1113
gnutls_global_deinit();
1114
gnutls_dh_params_deinit(mc.dh_params);
1115
}
1116
1117
if(gpgme_initialized){
1118
gpgme_release(mc.ctx);
1119
}
1120
1121
/* Removes the temp directory used by GPGME */
1122
if(tempdir_created){
1123
DIR *d;
1124
struct dirent *direntry;
1125
d = opendir(tempdir);
1126
if(d == NULL){
1127
if(errno != ENOENT){
1128
perror("opendir");
1129
}
1130
} else {
1131
while(true){
1132
direntry = readdir(d);
1133
if(direntry == NULL){
1134
break;
1135
}
1136
/* Skip "." and ".." */
1137
if(direntry->d_name[0] == '.'
1138
and (direntry->d_name[1] == '\0'
1139
or (direntry->d_name[1] == '.'
1140
and direntry->d_name[2] == '\0'))){
1141
continue;
1142
}
1143
char *fullname = NULL;
1144
ret = asprintf(&fullname, "%s/%s", tempdir,
1145
direntry->d_name);
1146
if(ret < 0){
1147
perror("asprintf");
1148
continue;
1149
}
1150
ret = remove(fullname);
1151
if(ret == -1){
1152
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1153
strerror(errno));
1154
}
1155
free(fullname);
1156
}
1157
closedir(d);
1158
}
1159
ret = rmdir(tempdir);
1160
if(ret == -1 and errno != ENOENT){
1161
perror("rmdir");
1162
}
1163
}
1164
1165
return exitcode;
807
if (server)
808
avahi_server_free(server);
809
810
if (simple_poll)
811
avahi_simple_poll_free(simple_poll);
812
free(certfile);
813
free(certkey);
814
815
return returncode;
1166
816
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0