To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 30
- compare with another revision
- download diff
- download tarball
- view history from revision 30
- Committer: Teddy Hogeborn
- Date: 2008-07-31 19:51:44 UTC
- mfrom: (24.1.5 mandos)
- Revision ID: teddy@fukt.bsnet.se-20080731195144-yb37wz2sr1e6b3m4
Merge.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
26
25
* along with this program. If not, see
27
26
* <http://www.gnu.org/licenses/>.
28
27
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
33
#define _LARGEFILE_SOURCE
34
34
#define _FILE_OFFSET_BITS 64
35
35
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#ifdef __linux__
79
#include <sys/klog.h> /* klogctl() */
80
#endif
81
82
/* Avahi */
83
/* All Avahi types, constants and functions
84
Avahi*, avahi_*,
85
AVAHI_* */
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
86
42
#include <avahi-core/core.h>
87
43
#include <avahi-core/lookup.h>
88
44
#include <avahi-core/log.h>
90
46
#include <avahi-common/malloc.h>
91
47
#include <avahi-common/error.h>
92
48
93
/* GnuTLS */
94
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
95
functions:
96
gnutls_*
97
init_gnutls_session(),
98
GNUTLS_* */
99
#include <gnutls/openpgp.h>
100
/* gnutls_certificate_set_openpgp_key_file(),
101
GNUTLS_OPENPGP_FMT_BASE64 */
102
103
/* GPGME */
104
#include <gpgme.h> /* All GPGME types, constants and
105
functions:
106
gpgme_*
107
GPGME_PROTOCOL_OpenPGP,
108
GPG_ERR_NO_* */
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
109
69
110
70
#define BUFFER_SIZE 256
71
#define DH_BITS 1024
111
72
112
#define PATHDIR "/conf/conf.d/mandos"
113
#define SECKEY "seckey.txt"
114
#define PUBKEY "pubkey.txt"
73
const char *certdir = "/conf/conf.d/cryptkeyreq/";
74
const char *certfile = "openpgp-client.txt";
75
const char *certkey = "openpgp-client-key.txt";
115
76
116
77
bool debug = false;
117
static const char mandos_protocol_version[] = "1";
118
const char *argp_program_version = "mandos-client " VERSION;
119
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
120
78
121
/* Used for passing in values through the Avahi callback functions */
122
79
typedef struct {
123
AvahiSimplePoll *simple_poll;
124
AvahiServer *server;
80
gnutls_session_t session;
125
81
gnutls_certificate_credentials_t cred;
126
unsigned int dh_bits;
127
82
gnutls_dh_params_t dh_params;
128
const char *priority;
83
} encrypted_session;
84
85
86
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
87
char **new_packet, const char *homedir){
88
gpgme_data_t dh_crypto, dh_plain;
129
89
gpgme_ctx_t ctx;
130
} mandos_context;
131
132
/*
133
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
134
* "buffer_capacity" is how much is currently allocated,
135
* "buffer_length" is how much is already used.
136
*/
137
size_t adjustbuffer(char **buffer, size_t buffer_length,
138
size_t buffer_capacity){
139
if(buffer_length + BUFFER_SIZE > buffer_capacity){
140
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
141
if(buffer == NULL){
142
return 0;
143
}
144
buffer_capacity += BUFFER_SIZE;
145
}
146
return buffer_capacity;
147
}
148
149
/*
150
* Initialize GPGME.
151
*/
152
static bool init_gpgme(mandos_context *mc, const char *seckey,
153
const char *pubkey, const char *tempdir){
154
int ret;
155
90
gpgme_error_t rc;
91
ssize_t ret;
92
ssize_t new_packet_capacity = 0;
93
ssize_t new_packet_length = 0;
156
94
gpgme_engine_info_t engine_info;
157
158
159
/*
160
* Helper function to insert pub and seckey to the engine keyring.
161
*/
162
bool import_key(const char *filename){
163
int fd;
164
gpgme_data_t pgp_data;
165
166
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
167
if(fd == -1){
168
perror("open");
169
return false;
170
}
171
172
rc = gpgme_data_new_from_fd(&pgp_data, fd);
173
if(rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
rc = gpgme_op_import(mc->ctx, pgp_data);
180
if(rc != GPG_ERR_NO_ERROR){
181
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
182
gpgme_strsource(rc), gpgme_strerror(rc));
183
return false;
184
}
185
186
ret = (int)TEMP_FAILURE_RETRY(close(fd));
187
if(ret == -1){
188
perror("close");
189
}
190
gpgme_data_release(pgp_data);
191
return true;
192
}
193
194
if(debug){
195
fprintf(stderr, "Initialize gpgme\n");
95
96
if (debug){
97
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
196
98
}
197
99
198
100
/* Init GPGME */
199
101
gpgme_check_version(NULL);
200
102
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
201
if(rc != GPG_ERR_NO_ERROR){
103
if (rc != GPG_ERR_NO_ERROR){
202
104
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
203
105
gpgme_strsource(rc), gpgme_strerror(rc));
204
return false;
106
return -1;
205
107
}
206
108
207
/* Set GPGME home directory for the OpenPGP engine only */
208
rc = gpgme_get_engine_info(&engine_info);
209
if(rc != GPG_ERR_NO_ERROR){
109
/* Set GPGME home directory */
110
rc = gpgme_get_engine_info (&engine_info);
111
if (rc != GPG_ERR_NO_ERROR){
210
112
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
211
113
gpgme_strsource(rc), gpgme_strerror(rc));
212
return false;
114
return -1;
213
115
}
214
116
while(engine_info != NULL){
215
117
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
216
118
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
217
engine_info->file_name, tempdir);
119
engine_info->file_name, homedir);
218
120
break;
219
121
}
220
122
engine_info = engine_info->next;
221
123
}
222
124
if(engine_info == NULL){
223
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
224
return false;
225
}
226
227
/* Create new GPGME "context" */
228
rc = gpgme_new(&(mc->ctx));
229
if(rc != GPG_ERR_NO_ERROR){
230
fprintf(stderr, "bad gpgme_new: %s: %s\n",
231
gpgme_strsource(rc), gpgme_strerror(rc));
232
return false;
233
}
234
235
if(not import_key(pubkey) or not import_key(seckey)){
236
return false;
237
}
238
239
return true;
240
}
241
242
/*
243
* Decrypt OpenPGP data.
244
* Returns -1 on error
245
*/
246
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
247
const char *cryptotext,
248
size_t crypto_size,
249
char **plaintext){
250
gpgme_data_t dh_crypto, dh_plain;
251
gpgme_error_t rc;
252
ssize_t ret;
253
size_t plaintext_capacity = 0;
254
ssize_t plaintext_length = 0;
255
256
if(debug){
257
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
258
}
259
260
/* Create new GPGME data buffer from memory cryptotext */
261
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
262
0);
263
if(rc != GPG_ERR_NO_ERROR){
125
fprintf(stderr, "Could not set home dir to %s\n", homedir);
126
return -1;
127
}
128
129
/* Create new GPGME data buffer from packet buffer */
130
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
131
if (rc != GPG_ERR_NO_ERROR){
264
132
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
265
133
gpgme_strsource(rc), gpgme_strerror(rc));
266
134
return -1;
268
136
269
137
/* Create new empty GPGME data buffer for the plaintext */
270
138
rc = gpgme_data_new(&dh_plain);
271
if(rc != GPG_ERR_NO_ERROR){
139
if (rc != GPG_ERR_NO_ERROR){
272
140
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
273
141
gpgme_strsource(rc), gpgme_strerror(rc));
274
gpgme_data_release(dh_crypto);
275
return -1;
276
}
277
278
/* Decrypt data from the cryptotext data buffer to the plaintext
279
data buffer */
280
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
281
if(rc != GPG_ERR_NO_ERROR){
142
return -1;
143
}
144
145
/* Create new GPGME "context" */
146
rc = gpgme_new(&ctx);
147
if (rc != GPG_ERR_NO_ERROR){
148
fprintf(stderr, "bad gpgme_new: %s: %s\n",
149
gpgme_strsource(rc), gpgme_strerror(rc));
150
return -1;
151
}
152
153
/* Decrypt data from the FILE pointer to the plaintext data
154
buffer */
155
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
156
if (rc != GPG_ERR_NO_ERROR){
282
157
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
283
158
gpgme_strsource(rc), gpgme_strerror(rc));
284
plaintext_length = -1;
285
if(debug){
286
gpgme_decrypt_result_t result;
287
result = gpgme_op_decrypt_result(mc->ctx);
288
if(result == NULL){
289
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
290
} else {
291
fprintf(stderr, "Unsupported algorithm: %s\n",
292
result->unsupported_algorithm);
293
fprintf(stderr, "Wrong key usage: %u\n",
294
result->wrong_key_usage);
295
if(result->file_name != NULL){
296
fprintf(stderr, "File name: %s\n", result->file_name);
297
}
298
gpgme_recipient_t recipient;
299
recipient = result->recipients;
300
if(recipient){
301
while(recipient != NULL){
302
fprintf(stderr, "Public key algorithm: %s\n",
303
gpgme_pubkey_algo_name(recipient->pubkey_algo));
304
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
305
fprintf(stderr, "Secret key available: %s\n",
306
recipient->status == GPG_ERR_NO_SECKEY
307
? "No" : "Yes");
308
recipient = recipient->next;
309
}
159
return -1;
160
}
161
162
if(debug){
163
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
164
}
165
166
if (debug){
167
gpgme_decrypt_result_t result;
168
result = gpgme_op_decrypt_result(ctx);
169
if (result == NULL){
170
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
171
} else {
172
fprintf(stderr, "Unsupported algorithm: %s\n",
173
result->unsupported_algorithm);
174
fprintf(stderr, "Wrong key usage: %d\n",
175
result->wrong_key_usage);
176
if(result->file_name != NULL){
177
fprintf(stderr, "File name: %s\n", result->file_name);
178
}
179
gpgme_recipient_t recipient;
180
recipient = result->recipients;
181
if(recipient){
182
while(recipient != NULL){
183
fprintf(stderr, "Public key algorithm: %s\n",
184
gpgme_pubkey_algo_name(recipient->pubkey_algo));
185
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
186
fprintf(stderr, "Secret key available: %s\n",
187
recipient->status == GPG_ERR_NO_SECKEY
188
? "No" : "Yes");
189
recipient = recipient->next;
310
190
}
311
191
}
312
192
}
313
goto decrypt_end;
314
193
}
315
194
316
if(debug){
317
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
318
}
195
/* Delete the GPGME FILE pointer cryptotext data buffer */
196
gpgme_data_release(dh_crypto);
319
197
320
198
/* Seek back to the beginning of the GPGME plaintext data buffer */
321
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
322
perror("gpgme_data_seek");
323
plaintext_length = -1;
324
goto decrypt_end;
199
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
200
perror("pgpme_data_seek");
325
201
}
326
202
327
*plaintext = NULL;
203
*new_packet = 0;
328
204
while(true){
329
plaintext_capacity = adjustbuffer(plaintext,
330
(size_t)plaintext_length,
331
plaintext_capacity);
332
if(plaintext_capacity == 0){
333
perror("adjustbuffer");
334
plaintext_length = -1;
335
goto decrypt_end;
205
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
206
*new_packet = realloc(*new_packet,
207
(unsigned int)new_packet_capacity
208
+ BUFFER_SIZE);
209
if (*new_packet == NULL){
210
perror("realloc");
211
return -1;
212
}
213
new_packet_capacity += BUFFER_SIZE;
336
214
}
337
215
338
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
216
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
339
217
BUFFER_SIZE);
340
218
/* Print the data, if any */
341
if(ret == 0){
342
/* EOF */
219
if (ret == 0){
343
220
break;
344
221
}
345
222
if(ret < 0){
346
223
perror("gpgme_data_read");
347
plaintext_length = -1;
348
goto decrypt_end;
349
}
350
plaintext_length += ret;
351
}
352
353
if(debug){
354
fprintf(stderr, "Decrypted password is: ");
355
for(ssize_t i = 0; i < plaintext_length; i++){
356
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
357
}
358
fprintf(stderr, "\n");
359
}
360
361
decrypt_end:
362
363
/* Delete the GPGME cryptotext data buffer */
364
gpgme_data_release(dh_crypto);
224
return -1;
225
}
226
new_packet_length += ret;
227
}
228
229
/* FIXME: check characters before printing to screen so to not print
230
terminal control characters */
231
/* if(debug){ */
232
/* fprintf(stderr, "decrypted password is: "); */
233
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
234
/* fprintf(stderr, "\n"); */
235
/* } */
365
236
366
237
/* Delete the GPGME plaintext data buffer */
367
238
gpgme_data_release(dh_plain);
368
return plaintext_length;
239
return new_packet_length;
369
240
}
370
241
371
static const char * safer_gnutls_strerror(int value){
372
const char *ret = gnutls_strerror(value); /* Spurious warning from
373
-Wunreachable-code */
374
if(ret == NULL)
242
static const char * safer_gnutls_strerror (int value) {
243
const char *ret = gnutls_strerror (value);
244
if (ret == NULL)
375
245
ret = "(unknown)";
376
246
return ret;
377
247
}
378
248
379
/* GnuTLS log function callback */
380
static void debuggnutls(__attribute__((unused)) int level,
381
const char* string){
382
fprintf(stderr, "GnuTLS: %s", string);
249
void debuggnutls(__attribute__((unused)) int level,
250
const char* string){
251
fprintf(stderr, "%s", string);
383
252
}
384
253
385
static int init_gnutls_global(mandos_context *mc,
386
const char *pubkeyfilename,
387
const char *seckeyfilename){
254
int initgnutls(encrypted_session *es){
255
const char *err;
388
256
int ret;
389
257
390
258
if(debug){
391
259
fprintf(stderr, "Initializing GnuTLS\n");
392
260
}
393
394
ret = gnutls_global_init();
395
if(ret != GNUTLS_E_SUCCESS){
396
fprintf(stderr, "GnuTLS global_init: %s\n",
397
safer_gnutls_strerror(ret));
261
262
if ((ret = gnutls_global_init ())
263
!= GNUTLS_E_SUCCESS) {
264
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
398
265
return -1;
399
266
}
400
401
if(debug){
402
/* "Use a log level over 10 to enable all debugging options."
403
* - GnuTLS manual
404
*/
267
268
if (debug){
405
269
gnutls_global_set_log_level(11);
406
270
gnutls_global_set_log_function(debuggnutls);
407
271
}
408
272
409
/* OpenPGP credentials */
410
gnutls_certificate_allocate_credentials(&mc->cred);
411
if(ret != GNUTLS_E_SUCCESS){
412
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
413
from
414
-Wunreachable-code
415
*/
416
safer_gnutls_strerror(ret));
417
gnutls_global_deinit();
273
/* openpgp credentials */
274
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
275
!= GNUTLS_E_SUCCESS) {
276
fprintf (stderr, "memory error: %s\n",
277
safer_gnutls_strerror(ret));
418
278
return -1;
419
279
}
420
280
421
281
if(debug){
422
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
423
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
424
seckeyfilename);
282
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
283
" and keyfile %s as GnuTLS credentials\n", certfile,
284
certkey);
425
285
}
426
286
427
287
ret = gnutls_certificate_set_openpgp_key_file
428
(mc->cred, pubkeyfilename, seckeyfilename,
429
GNUTLS_OPENPGP_FMT_BASE64);
430
if(ret != GNUTLS_E_SUCCESS){
431
fprintf(stderr,
432
"Error[%d] while reading the OpenPGP key pair ('%s',"
433
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
434
fprintf(stderr, "The GnuTLS error is: %s\n",
435
safer_gnutls_strerror(ret));
436
goto globalfail;
437
}
438
439
/* GnuTLS server initialization */
440
ret = gnutls_dh_params_init(&mc->dh_params);
441
if(ret != GNUTLS_E_SUCCESS){
442
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
443
" %s\n", safer_gnutls_strerror(ret));
444
goto globalfail;
445
}
446
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
447
if(ret != GNUTLS_E_SUCCESS){
448
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
454
455
return 0;
456
457
globalfail:
458
459
gnutls_certificate_free_credentials(mc->cred);
460
gnutls_global_deinit();
461
gnutls_dh_params_deinit(mc->dh_params);
462
return -1;
463
}
464
465
static int init_gnutls_session(mandos_context *mc,
466
gnutls_session_t *session){
467
int ret;
468
/* GnuTLS session creation */
469
ret = gnutls_init(session, GNUTLS_SERVER);
470
if(ret != GNUTLS_E_SUCCESS){
288
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
289
if (ret != GNUTLS_E_SUCCESS) {
290
fprintf
291
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
292
" '%s')\n",
293
ret, certfile, certkey);
294
fprintf(stdout, "The Error is: %s\n",
295
safer_gnutls_strerror(ret));
296
return -1;
297
}
298
299
//GnuTLS server initialization
300
if ((ret = gnutls_dh_params_init (&es->dh_params))
301
!= GNUTLS_E_SUCCESS) {
302
fprintf (stderr, "Error in dh parameter initialization: %s\n",
303
safer_gnutls_strerror(ret));
304
return -1;
305
}
306
307
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
308
!= GNUTLS_E_SUCCESS) {
309
fprintf (stderr, "Error in prime generation: %s\n",
310
safer_gnutls_strerror(ret));
311
return -1;
312
}
313
314
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
315
316
// GnuTLS session creation
317
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
318
!= GNUTLS_E_SUCCESS){
471
319
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
472
320
safer_gnutls_strerror(ret));
473
321
}
474
322
475
{
476
const char *err;
477
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
478
if(ret != GNUTLS_E_SUCCESS){
479
fprintf(stderr, "Syntax error at: %s\n", err);
480
fprintf(stderr, "GnuTLS error: %s\n",
481
safer_gnutls_strerror(ret));
482
gnutls_deinit(*session);
483
return -1;
484
}
323
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
324
!= GNUTLS_E_SUCCESS) {
325
fprintf(stderr, "Syntax error at: %s\n", err);
326
fprintf(stderr, "GnuTLS error: %s\n",
327
safer_gnutls_strerror(ret));
328
return -1;
485
329
}
486
330
487
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
488
mc->cred);
489
if(ret != GNUTLS_E_SUCCESS){
490
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
331
if ((ret = gnutls_credentials_set
332
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
333
!= GNUTLS_E_SUCCESS) {
334
fprintf(stderr, "Error setting a credentials set: %s\n",
491
335
safer_gnutls_strerror(ret));
492
gnutls_deinit(*session);
493
336
return -1;
494
337
}
495
338
496
339
/* ignore client certificate if any. */
497
gnutls_certificate_server_set_request(*session,
498
GNUTLS_CERT_IGNORE);
340
gnutls_certificate_server_set_request (es->session,
341
GNUTLS_CERT_IGNORE);
499
342
500
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
343
gnutls_dh_set_prime_bits (es->session, DH_BITS);
501
344
502
345
return 0;
503
346
}
504
347
505
/* Avahi log function callback */
506
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
507
__attribute__((unused)) const char *txt){}
348
void empty_log(__attribute__((unused)) AvahiLogLevel level,
349
__attribute__((unused)) const char *txt){}
508
350
509
/* Called when a Mandos server is found */
510
static int start_mandos_communication(const char *ip, uint16_t port,
511
AvahiIfIndex if_index,
512
mandos_context *mc, int af){
351
int start_mandos_communication(const char *ip, uint16_t port,
352
AvahiIfIndex if_index){
513
353
int ret, tcp_sd;
514
ssize_t sret;
515
union {
516
struct sockaddr_in in;
517
struct sockaddr_in6 in6;
518
} to;
354
struct sockaddr_in6 to;
355
encrypted_session es;
519
356
char *buffer = NULL;
520
357
char *decrypted_buffer;
521
358
size_t buffer_length = 0;
522
359
size_t buffer_capacity = 0;
523
360
ssize_t decrypted_buffer_size;
524
size_t written;
361
size_t written = 0;
525
362
int retval = 0;
526
gnutls_session_t session;
527
int pf; /* Protocol family */
528
529
switch(af){
530
case AF_INET6:
531
pf = PF_INET6;
532
break;
533
case AF_INET:
534
pf = PF_INET;
535
break;
536
default:
537
fprintf(stderr, "Bad address family: %d\n", af);
538
return -1;
539
}
540
541
ret = init_gnutls_session(mc, &session);
542
if(ret != 0){
543
return -1;
544
}
363
char interface[IF_NAMESIZE];
545
364
546
365
if(debug){
547
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
548
"\n", ip, port);
366
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
367
ip, port);
549
368
}
550
369
551
tcp_sd = socket(pf, SOCK_STREAM, 0);
552
if(tcp_sd < 0){
370
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
371
if(tcp_sd < 0) {
553
372
perror("socket");
554
373
return -1;
555
374
}
556
375
557
memset(&to, 0, sizeof(to));
558
if(af == AF_INET6){
559
to.in6.sin6_family = (uint16_t)af;
560
ret = inet_pton(af, ip, &to.in6.sin6_addr);
561
} else { /* IPv4 */
562
to.in.sin_family = (sa_family_t)af;
563
ret = inet_pton(af, ip, &to.in.sin_addr);
564
}
565
if(ret < 0 ){
376
if(if_indextoname((unsigned int)if_index, interface) == NULL){
377
if(debug){
378
perror("if_indextoname");
379
}
380
return -1;
381
}
382
383
if(debug){
384
fprintf(stderr, "Binding to interface %s\n", interface);
385
}
386
387
memset(&to,0,sizeof(to)); /* Spurious warning */
388
to.sin6_family = AF_INET6;
389
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
390
if (ret < 0 ){
566
391
perror("inet_pton");
567
392
return -1;
568
}
393
}
569
394
if(ret == 0){
570
395
fprintf(stderr, "Bad address: %s\n", ip);
571
396
return -1;
572
397
}
573
if(af == AF_INET6){
574
to.in6.sin6_port = htons(port); /* Spurious warnings from
575
-Wconversion and
576
-Wunreachable-code */
577
578
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
579
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
580
-Wunreachable-code*/
581
if(if_index == AVAHI_IF_UNSPEC){
582
fprintf(stderr, "An IPv6 link-local address is incomplete"
583
" without a network interface\n");
584
return -1;
585
}
586
/* Set the network interface number as scope */
587
to.in6.sin6_scope_id = (uint32_t)if_index;
588
}
589
} else {
590
to.in.sin_port = htons(port); /* Spurious warnings from
591
-Wconversion and
592
-Wunreachable-code */
593
}
398
to.sin6_port = htons(port); /* Spurious warning */
399
400
to.sin6_scope_id = (uint32_t)if_index;
594
401
595
402
if(debug){
596
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
597
char interface[IF_NAMESIZE];
598
if(if_indextoname((unsigned int)if_index, interface) == NULL){
599
perror("if_indextoname");
600
} else {
601
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
602
ip, interface, port);
603
}
604
} else {
605
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
606
port);
607
}
608
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
609
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
610
const char *pcret;
611
if(af == AF_INET6){
612
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
613
sizeof(addrstr));
614
} else {
615
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
616
sizeof(addrstr));
617
}
618
if(pcret == NULL){
619
perror("inet_ntop");
620
} else {
621
if(strcmp(addrstr, ip) != 0){
622
fprintf(stderr, "Canonical address form: %s\n", addrstr);
623
}
624
}
403
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
404
/* char addrstr[INET6_ADDRSTRLEN]; */
405
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
406
/* sizeof(addrstr)) == NULL){ */
407
/* perror("inet_ntop"); */
408
/* } else { */
409
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
410
/* addrstr, ntohs(to.sin6_port)); */
411
/* } */
625
412
}
626
413
627
if(af == AF_INET6){
628
ret = connect(tcp_sd, &to.in6, sizeof(to));
629
} else {
630
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
631
}
632
if(ret < 0){
414
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
415
if (ret < 0){
633
416
perror("connect");
634
417
return -1;
635
418
}
636
419
637
const char *out = mandos_protocol_version;
638
written = 0;
639
while(true){
640
size_t out_size = strlen(out);
641
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
642
out_size - written));
643
if(ret == -1){
644
perror("write");
645
retval = -1;
646
goto mandos_end;
647
}
648
written += (size_t)ret;
649
if(written < out_size){
650
continue;
651
} else {
652
if(out == mandos_protocol_version){
653
written = 0;
654
out = "\r\n";
655
} else {
656
break;
657
}
658
}
420
ret = initgnutls (&es);
421
if (ret != 0){
422
retval = -1;
423
return -1;
659
424
}
660
425
426
gnutls_transport_set_ptr (es.session,
427
(gnutls_transport_ptr_t) tcp_sd);
428
661
429
if(debug){
662
430
fprintf(stderr, "Establishing TLS session with %s\n", ip);
663
431
}
664
432
665
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
666
667
do{
668
ret = gnutls_handshake(session);
669
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
670
671
if(ret != GNUTLS_E_SUCCESS){
433
ret = gnutls_handshake (es.session);
434
435
if (ret != GNUTLS_E_SUCCESS){
672
436
if(debug){
673
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
674
gnutls_perror(ret);
437
fprintf(stderr, "\n*** Handshake failed ***\n");
438
gnutls_perror (ret);
675
439
}
676
440
retval = -1;
677
goto mandos_end;
441
goto exit;
678
442
}
679
443
680
/* Read OpenPGP packet that contains the wanted password */
444
//Retrieve OpenPGP packet that contains the wanted password
681
445
682
446
if(debug){
683
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
447
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
684
448
ip);
685
449
}
686
450
687
451
while(true){
688
buffer_capacity = adjustbuffer(&buffer, buffer_length,
689
buffer_capacity);
690
if(buffer_capacity == 0){
691
perror("adjustbuffer");
692
retval = -1;
693
goto mandos_end;
452
if (buffer_length + BUFFER_SIZE > buffer_capacity){
453
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
454
if (buffer == NULL){
455
perror("realloc");
456
goto exit;
457
}
458
buffer_capacity += BUFFER_SIZE;
694
459
}
695
460
696
sret = gnutls_record_recv(session, buffer+buffer_length,
697
BUFFER_SIZE);
698
if(sret == 0){
461
ret = gnutls_record_recv
462
(es.session, buffer+buffer_length, BUFFER_SIZE);
463
if (ret == 0){
699
464
break;
700
465
}
701
if(sret < 0){
702
switch(sret){
466
if (ret < 0){
467
switch(ret){
703
468
case GNUTLS_E_INTERRUPTED:
704
469
case GNUTLS_E_AGAIN:
705
470
break;
706
471
case GNUTLS_E_REHANDSHAKE:
707
do{
708
ret = gnutls_handshake(session);
709
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
710
if(ret < 0){
711
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
712
gnutls_perror(ret);
472
ret = gnutls_handshake (es.session);
473
if (ret < 0){
474
fprintf(stderr, "\n*** Handshake failed ***\n");
475
gnutls_perror (ret);
713
476
retval = -1;
714
goto mandos_end;
477
goto exit;
715
478
}
716
479
break;
717
480
default:
718
481
fprintf(stderr, "Unknown error while reading data from"
719
" encrypted session with Mandos server\n");
482
" encrypted session with mandos server\n");
720
483
retval = -1;
721
gnutls_bye(session, GNUTLS_SHUT_RDWR);
722
goto mandos_end;
484
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
485
goto exit;
723
486
}
724
487
} else {
725
buffer_length += (size_t) sret;
488
buffer_length += (size_t) ret;
726
489
}
727
490
}
728
491
729
if(debug){
730
fprintf(stderr, "Closing TLS session\n");
731
}
732
733
gnutls_bye(session, GNUTLS_SHUT_RDWR);
734
735
if(buffer_length > 0){
736
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
492
if (buffer_length > 0){
493
decrypted_buffer_size = pgp_packet_decrypt(buffer,
737
494
buffer_length,
738
&decrypted_buffer);
739
if(decrypted_buffer_size >= 0){
740
written = 0;
495
&decrypted_buffer,
496
certdir);
497
if (decrypted_buffer_size >= 0){
741
498
while(written < (size_t) decrypted_buffer_size){
742
ret = (int)fwrite(decrypted_buffer + written, 1,
743
(size_t)decrypted_buffer_size - written,
744
stdout);
499
ret = (int)fwrite (decrypted_buffer + written, 1,
500
(size_t)decrypted_buffer_size - written,
501
stdout);
745
502
if(ret == 0 and ferror(stdout)){
746
503
if(debug){
747
504
fprintf(stderr, "Error writing encrypted data: %s\n",
756
513
} else {
757
514
retval = -1;
758
515
}
759
} else {
760
retval = -1;
761
}
762
763
/* Shutdown procedure */
764
765
mandos_end:
516
}
517
518
//shutdown procedure
519
520
if(debug){
521
fprintf(stderr, "Closing TLS session\n");
522
}
523
766
524
free(buffer);
767
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
768
if(ret == -1){
769
perror("close");
770
}
771
gnutls_deinit(session);
525
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
526
exit:
527
close(tcp_sd);
528
gnutls_deinit (es.session);
529
gnutls_certificate_free_credentials (es.cred);
530
gnutls_global_deinit ();
772
531
return retval;
773
532
}
774
533
775
static void resolve_callback(AvahiSServiceResolver *r,
776
AvahiIfIndex interface,
777
AvahiProtocol proto,
778
AvahiResolverEvent event,
779
const char *name,
780
const char *type,
781
const char *domain,
782
const char *host_name,
783
const AvahiAddress *address,
784
uint16_t port,
785
AVAHI_GCC_UNUSED AvahiStringList *txt,
786
AVAHI_GCC_UNUSED AvahiLookupResultFlags
787
flags,
788
void* userdata){
789
mandos_context *mc = userdata;
790
assert(r);
534
static AvahiSimplePoll *simple_poll = NULL;
535
static AvahiServer *server = NULL;
536
537
static void resolve_callback(
538
AvahiSServiceResolver *r,
539
AvahiIfIndex interface,
540
AVAHI_GCC_UNUSED AvahiProtocol protocol,
541
AvahiResolverEvent event,
542
const char *name,
543
const char *type,
544
const char *domain,
545
const char *host_name,
546
const AvahiAddress *address,
547
uint16_t port,
548
AVAHI_GCC_UNUSED AvahiStringList *txt,
549
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
550
AVAHI_GCC_UNUSED void* userdata) {
551
552
assert(r); /* Spurious warning */
791
553
792
554
/* Called whenever a service has been resolved successfully or
793
555
timed out */
794
556
795
switch(event){
557
switch (event) {
796
558
default:
797
559
case AVAHI_RESOLVER_FAILURE:
798
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
799
" of type '%s' in domain '%s': %s\n", name, type, domain,
800
avahi_strerror(avahi_server_errno(mc->server)));
560
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
561
" type '%s' in domain '%s': %s\n", name, type, domain,
562
avahi_strerror(avahi_server_errno(server)));
801
563
break;
802
564
803
565
case AVAHI_RESOLVER_FOUND:
805
567
char ip[AVAHI_ADDRESS_STR_MAX];
806
568
avahi_address_snprint(ip, sizeof(ip), address);
807
569
if(debug){
808
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
809
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
810
ip, (intmax_t)interface, port);
570
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
571
" port %d\n", name, host_name, ip, port);
811
572
}
812
int ret = start_mandos_communication(ip, port, interface, mc,
813
avahi_proto_to_af(proto));
814
if(ret == 0){
815
avahi_simple_poll_quit(mc->simple_poll);
573
int ret = start_mandos_communication(ip, port, interface);
574
if (ret == 0){
575
exit(EXIT_SUCCESS);
816
576
}
817
577
}
818
578
}
819
579
avahi_s_service_resolver_free(r);
820
580
}
821
581
822
static void browse_callback(AvahiSServiceBrowser *b,
823
AvahiIfIndex interface,
824
AvahiProtocol protocol,
825
AvahiBrowserEvent event,
826
const char *name,
827
const char *type,
828
const char *domain,
829
AVAHI_GCC_UNUSED AvahiLookupResultFlags
830
flags,
831
void* userdata){
832
mandos_context *mc = userdata;
833
assert(b);
834
835
/* Called whenever a new services becomes available on the LAN or
836
is removed from the LAN */
837
838
switch(event){
839
default:
840
case AVAHI_BROWSER_FAILURE:
841
842
fprintf(stderr, "(Avahi browser) %s\n",
843
avahi_strerror(avahi_server_errno(mc->server)));
844
avahi_simple_poll_quit(mc->simple_poll);
845
return;
846
847
case AVAHI_BROWSER_NEW:
848
/* We ignore the returned Avahi resolver object. In the callback
849
function we free it. If the Avahi server is terminated before
850
the callback function is called the Avahi server will free the
851
resolver for us. */
852
853
if(!(avahi_s_service_resolver_new(mc->server, interface,
854
protocol, name, type, domain,
855
AVAHI_PROTO_INET6, 0,
856
resolve_callback, mc)))
857
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
858
name, avahi_strerror(avahi_server_errno(mc->server)));
859
break;
860
861
case AVAHI_BROWSER_REMOVE:
862
break;
863
864
case AVAHI_BROWSER_ALL_FOR_NOW:
865
case AVAHI_BROWSER_CACHE_EXHAUSTED:
866
if(debug){
867
fprintf(stderr, "No Mandos server found, still searching...\n");
868
}
869
break;
870
}
871
}
872
873
int main(int argc, char *argv[]){
874
AvahiSServiceBrowser *sb = NULL;
875
int error;
876
int ret;
877
intmax_t tmpmax;
878
int numchars;
879
int exitcode = EXIT_SUCCESS;
880
const char *interface = "eth0";
881
struct ifreq network;
882
int sd;
883
uid_t uid;
884
gid_t gid;
885
char *connect_to = NULL;
886
char tempdir[] = "/tmp/mandosXXXXXX";
887
bool tempdir_created = false;
888
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
889
const char *seckey = PATHDIR "/" SECKEY;
890
const char *pubkey = PATHDIR "/" PUBKEY;
891
892
mandos_context mc = { .simple_poll = NULL, .server = NULL,
893
.dh_bits = 1024, .priority = "SECURE256"
894
":!CTYPE-X.509:+CTYPE-OPENPGP" };
895
bool gnutls_initialized = false;
896
bool gpgme_initialized = false;
897
double delay = 2.5;
898
899
{
900
struct argp_option options[] = {
901
{ .name = "debug", .key = 128,
902
.doc = "Debug mode", .group = 3 },
903
{ .name = "connect", .key = 'c',
904
.arg = "ADDRESS:PORT",
905
.doc = "Connect directly to a specific Mandos server",
906
.group = 1 },
907
{ .name = "interface", .key = 'i',
908
.arg = "NAME",
909
.doc = "Network interface that will be used to search for"
910
" Mandos servers",
911
.group = 1 },
912
{ .name = "seckey", .key = 's',
913
.arg = "FILE",
914
.doc = "OpenPGP secret key file base name",
915
.group = 1 },
916
{ .name = "pubkey", .key = 'p',
917
.arg = "FILE",
918
.doc = "OpenPGP public key file base name",
919
.group = 2 },
920
{ .name = "dh-bits", .key = 129,
921
.arg = "BITS",
922
.doc = "Bit length of the prime number used in the"
923
" Diffie-Hellman key exchange",
924
.group = 2 },
925
{ .name = "priority", .key = 130,
926
.arg = "STRING",
927
.doc = "GnuTLS priority string for the TLS handshake",
928
.group = 1 },
929
{ .name = "delay", .key = 131,
930
.arg = "SECONDS",
931
.doc = "Maximum delay to wait for interface startup",
932
.group = 2 },
933
{ .name = NULL }
934
};
935
936
error_t parse_opt(int key, char *arg,
937
struct argp_state *state){
938
switch(key){
939
case 128: /* --debug */
940
debug = true;
941
break;
942
case 'c': /* --connect */
943
connect_to = arg;
944
break;
945
case 'i': /* --interface */
946
interface = arg;
947
break;
948
case 's': /* --seckey */
949
seckey = arg;
950
break;
951
case 'p': /* --pubkey */
952
pubkey = arg;
953
break;
954
case 129: /* --dh-bits */
955
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
956
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
957
or arg[numchars] != '\0'){
958
fprintf(stderr, "Bad number of DH bits\n");
959
exit(EXIT_FAILURE);
960
}
961
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
962
break;
963
case 130: /* --priority */
964
mc.priority = arg;
965
break;
966
case 131: /* --delay */
967
ret = sscanf(arg, "%lf%n", &delay, &numchars);
968
if(ret < 1 or arg[numchars] != '\0'){
969
fprintf(stderr, "Bad delay\n");
970
exit(EXIT_FAILURE);
971
}
972
break;
973
case ARGP_KEY_ARG:
974
argp_usage(state);
975
case ARGP_KEY_END:
976
break;
977
default:
978
return ARGP_ERR_UNKNOWN;
979
}
980
return 0;
981
}
982
983
struct argp argp = { .options = options, .parser = parse_opt,
984
.args_doc = "",
985
.doc = "Mandos client -- Get and decrypt"
986
" passwords from a Mandos server" };
987
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
988
if(ret == ARGP_ERR_UNKNOWN){
989
fprintf(stderr, "Unknown error while parsing arguments\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
}
993
}
994
995
/* If the interface is down, bring it up */
996
if(interface[0] != '\0'){
997
#ifdef __linux__
998
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
999
messages to mess up the prompt */
1000
ret = klogctl(8, NULL, 5);
1001
bool restore_loglevel = true;
1002
if(ret == -1){
1003
restore_loglevel = false;
1004
perror("klogctl");
1005
}
1006
#endif
1007
1008
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1009
if(sd < 0){
1010
perror("socket");
1011
exitcode = EXIT_FAILURE;
1012
#ifdef __linux__
1013
if(restore_loglevel){
1014
ret = klogctl(7, NULL, 0);
1015
if(ret == -1){
1016
perror("klogctl");
1017
}
1018
}
1019
#endif
1020
goto end;
1021
}
1022
strcpy(network.ifr_name, interface);
1023
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1024
if(ret == -1){
1025
perror("ioctl SIOCGIFFLAGS");
1026
#ifdef __linux__
1027
if(restore_loglevel){
1028
ret = klogctl(7, NULL, 0);
1029
if(ret == -1){
1030
perror("klogctl");
1031
}
1032
}
1033
#endif
1034
exitcode = EXIT_FAILURE;
1035
goto end;
1036
}
1037
if((network.ifr_flags & IFF_UP) == 0){
1038
network.ifr_flags |= IFF_UP;
1039
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1040
if(ret == -1){
1041
perror("ioctl SIOCSIFFLAGS");
1042
exitcode = EXIT_FAILURE;
1043
#ifdef __linux__
1044
if(restore_loglevel){
1045
ret = klogctl(7, NULL, 0);
1046
if(ret == -1){
1047
perror("klogctl");
1048
}
1049
}
1050
#endif
1051
goto end;
1052
}
1053
}
1054
/* sleep checking until interface is running */
1055
for(int i=0; i < delay * 4; i++){
1056
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1057
if(ret == -1){
1058
perror("ioctl SIOCGIFFLAGS");
1059
} else if(network.ifr_flags & IFF_RUNNING){
1060
break;
1061
}
1062
struct timespec sleeptime = { .tv_nsec = 250000000 };
1063
ret = nanosleep(&sleeptime, NULL);
1064
if(ret == -1 and errno != EINTR){
1065
perror("nanosleep");
1066
}
1067
}
1068
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1069
if(ret == -1){
1070
perror("close");
1071
}
1072
#ifdef __linux__
1073
if(restore_loglevel){
1074
/* Restores kernel loglevel to default */
1075
ret = klogctl(7, NULL, 0);
1076
if(ret == -1){
1077
perror("klogctl");
1078
}
1079
}
1080
#endif
1081
}
1082
1083
uid = getuid();
1084
gid = getgid();
1085
1086
errno = 0;
1087
setgid(gid);
1088
if(ret == -1){
1089
perror("setgid");
1090
}
1091
1092
ret = setuid(uid);
1093
if(ret == -1){
1094
perror("setuid");
1095
}
1096
1097
ret = init_gnutls_global(&mc, pubkey, seckey);
1098
if(ret == -1){
1099
fprintf(stderr, "init_gnutls_global failed\n");
1100
exitcode = EXIT_FAILURE;
1101
goto end;
1102
} else {
1103
gnutls_initialized = true;
1104
}
1105
1106
if(mkdtemp(tempdir) == NULL){
1107
perror("mkdtemp");
1108
goto end;
1109
}
1110
tempdir_created = true;
1111
1112
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1113
fprintf(stderr, "init_gpgme failed\n");
1114
exitcode = EXIT_FAILURE;
1115
goto end;
1116
} else {
1117
gpgme_initialized = true;
1118
}
1119
1120
if(interface[0] != '\0'){
1121
if_index = (AvahiIfIndex) if_nametoindex(interface);
1122
if(if_index == 0){
1123
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1124
exitcode = EXIT_FAILURE;
1125
goto end;
1126
}
1127
}
1128
1129
if(connect_to != NULL){
1130
/* Connect directly, do not use Zeroconf */
1131
/* (Mainly meant for debugging) */
1132
char *address = strrchr(connect_to, ':');
1133
if(address == NULL){
1134
fprintf(stderr, "No colon in address\n");
1135
exitcode = EXIT_FAILURE;
1136
goto end;
1137
}
1138
uint16_t port;
1139
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1140
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1141
or address[numchars+1] != '\0'){
1142
fprintf(stderr, "Bad port number\n");
1143
exitcode = EXIT_FAILURE;
1144
goto end;
1145
}
1146
port = (uint16_t)tmpmax;
1147
*address = '\0';
1148
address = connect_to;
1149
/* Colon in address indicates IPv6 */
1150
int af;
1151
if(strchr(address, ':') != NULL){
1152
af = AF_INET6;
1153
} else {
1154
af = AF_INET;
1155
}
1156
ret = start_mandos_communication(address, port, if_index, &mc,
1157
af);
1158
if(ret < 0){
1159
exitcode = EXIT_FAILURE;
1160
} else {
1161
exitcode = EXIT_SUCCESS;
1162
}
1163
goto end;
1164
}
1165
1166
if(not debug){
1167
avahi_set_log_function(empty_log);
1168
}
1169
1170
/* Initialize the pseudo-RNG for Avahi */
1171
srand((unsigned int) time(NULL));
1172
1173
/* Allocate main Avahi loop object */
1174
mc.simple_poll = avahi_simple_poll_new();
1175
if(mc.simple_poll == NULL){
1176
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1177
exitcode = EXIT_FAILURE;
1178
goto end;
1179
}
1180
1181
{
582
static void browse_callback(
583
AvahiSServiceBrowser *b,
584
AvahiIfIndex interface,
585
AvahiProtocol protocol,
586
AvahiBrowserEvent event,
587
const char *name,
588
const char *type,
589
const char *domain,
590
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
591
void* userdata) {
592
593
AvahiServer *s = userdata;
594
assert(b); /* Spurious warning */
595
596
/* Called whenever a new services becomes available on the LAN or
597
is removed from the LAN */
598
599
switch (event) {
600
default:
601
case AVAHI_BROWSER_FAILURE:
602
603
fprintf(stderr, "(Browser) %s\n",
604
avahi_strerror(avahi_server_errno(server)));
605
avahi_simple_poll_quit(simple_poll);
606
return;
607
608
case AVAHI_BROWSER_NEW:
609
/* We ignore the returned resolver object. In the callback
610
function we free it. If the server is terminated before
611
the callback function is called the server will free
612
the resolver for us. */
613
614
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
615
type, domain,
616
AVAHI_PROTO_INET6, 0,
617
resolve_callback, s)))
618
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
619
avahi_strerror(avahi_server_errno(s)));
620
break;
621
622
case AVAHI_BROWSER_REMOVE:
623
break;
624
625
case AVAHI_BROWSER_ALL_FOR_NOW:
626
case AVAHI_BROWSER_CACHE_EXHAUSTED:
627
break;
628
}
629
}
630
631
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
632
const char *combinepath(const char *first, const char *second){
633
char *tmp;
634
tmp = malloc(strlen(first) + strlen(second) + 2);
635
if (tmp == NULL){
636
perror("malloc");
637
return NULL;
638
}
639
strcpy(tmp, first);
640
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
641
strcat(tmp, "/");
642
}
643
strcat(tmp, second);
644
return tmp;
645
}
646
647
648
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1182
649
AvahiServerConfig config;
1183
/* Do not publish any local Zeroconf records */
650
AvahiSServiceBrowser *sb = NULL;
651
int error;
652
int ret;
653
int returncode = EXIT_SUCCESS;
654
const char *interface = NULL;
655
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
656
char *connect_to = NULL;
657
658
while (true){
659
static struct option long_options[] = {
660
{"debug", no_argument, (int *)&debug, 1},
661
{"connect", required_argument, 0, 'C'},
662
{"interface", required_argument, 0, 'i'},
663
{"certdir", required_argument, 0, 'd'},
664
{"certkey", required_argument, 0, 'c'},
665
{"certfile", required_argument, 0, 'k'},
666
{0, 0, 0, 0} };
667
668
int option_index = 0;
669
ret = getopt_long (argc, argv, "i:", long_options,
670
&option_index);
671
672
if (ret == -1){
673
break;
674
}
675
676
switch(ret){
677
case 0:
678
break;
679
case 'i':
680
interface = optarg;
681
break;
682
case 'C':
683
connect_to = optarg;
684
break;
685
case 'd':
686
certdir = optarg;
687
break;
688
case 'c':
689
certfile = optarg;
690
break;
691
case 'k':
692
certkey = optarg;
693
break;
694
default:
695
exit(EXIT_FAILURE);
696
}
697
}
698
699
certfile = combinepath(certdir, certfile);
700
if (certfile == NULL){
701
goto exit;
702
}
703
704
if(interface != NULL){
705
if_index = (AvahiIfIndex) if_nametoindex(interface);
706
if(if_index == 0){
707
fprintf(stderr, "No such interface: \"%s\"\n", interface);
708
exit(EXIT_FAILURE);
709
}
710
}
711
712
if(connect_to != NULL){
713
/* Connect directly, do not use Zeroconf */
714
/* (Mainly meant for debugging) */
715
char *address = strrchr(connect_to, ':');
716
if(address == NULL){
717
fprintf(stderr, "No colon in address\n");
718
exit(EXIT_FAILURE);
719
}
720
errno = 0;
721
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
722
if(errno){
723
perror("Bad port number");
724
exit(EXIT_FAILURE);
725
}
726
*address = '\0';
727
address = connect_to;
728
ret = start_mandos_communication(address, port, if_index);
729
if(ret < 0){
730
exit(EXIT_FAILURE);
731
} else {
732
exit(EXIT_SUCCESS);
733
}
734
}
735
736
certkey = combinepath(certdir, certkey);
737
if (certkey == NULL){
738
goto exit;
739
}
740
741
if (not debug){
742
avahi_set_log_function(empty_log);
743
}
744
745
/* Initialize the psuedo-RNG */
746
srand((unsigned int) time(NULL));
747
748
/* Allocate main loop object */
749
if (!(simple_poll = avahi_simple_poll_new())) {
750
fprintf(stderr, "Failed to create simple poll object.\n");
751
752
goto exit;
753
}
754
755
/* Do not publish any local records */
1184
756
avahi_server_config_init(&config);
1185
757
config.publish_hinfo = 0;
1186
758
config.publish_addresses = 0;
1187
759
config.publish_workstation = 0;
1188
760
config.publish_domain = 0;
1189
761
1190
762
/* Allocate a new server */
1191
mc.server = avahi_server_new(avahi_simple_poll_get
1192
(mc.simple_poll), &config, NULL,
1193
NULL, &error);
1194
1195
/* Free the Avahi configuration data */
763
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
764
&config, NULL, NULL, &error);
765
766
/* Free the configuration data */
1196
767
avahi_server_config_free(&config);
1197
}
1198
1199
/* Check if creating the Avahi server object succeeded */
1200
if(mc.server == NULL){
1201
fprintf(stderr, "Failed to create Avahi server: %s\n",
1202
avahi_strerror(error));
1203
exitcode = EXIT_FAILURE;
1204
goto end;
1205
}
1206
1207
/* Create the Avahi service browser */
1208
sb = avahi_s_service_browser_new(mc.server, if_index,
1209
AVAHI_PROTO_INET6, "_mandos._tcp",
1210
NULL, 0, browse_callback, &mc);
1211
if(sb == NULL){
1212
fprintf(stderr, "Failed to create service browser: %s\n",
1213
avahi_strerror(avahi_server_errno(mc.server)));
1214
exitcode = EXIT_FAILURE;
1215
goto end;
1216
}
1217
1218
/* Run the main loop */
1219
1220
if(debug){
1221
fprintf(stderr, "Starting Avahi loop search\n");
1222
}
1223
1224
avahi_simple_poll_loop(mc.simple_poll);
1225
1226
end:
1227
1228
if(debug){
1229
fprintf(stderr, "%s exiting\n", argv[0]);
1230
}
1231
1232
/* Cleanup things */
1233
if(sb != NULL)
1234
avahi_s_service_browser_free(sb);
1235
1236
if(mc.server != NULL)
1237
avahi_server_free(mc.server);
1238
1239
if(mc.simple_poll != NULL)
1240
avahi_simple_poll_free(mc.simple_poll);
1241
1242
if(gnutls_initialized){
1243
gnutls_certificate_free_credentials(mc.cred);
1244
gnutls_global_deinit();
1245
gnutls_dh_params_deinit(mc.dh_params);
1246
}
1247
1248
if(gpgme_initialized){
1249
gpgme_release(mc.ctx);
1250
}
1251
1252
/* Removes the temp directory used by GPGME */
1253
if(tempdir_created){
1254
DIR *d;
1255
struct dirent *direntry;
1256
d = opendir(tempdir);
1257
if(d == NULL){
1258
if(errno != ENOENT){
1259
perror("opendir");
1260
}
1261
} else {
1262
while(true){
1263
direntry = readdir(d);
1264
if(direntry == NULL){
1265
break;
1266
}
1267
/* Skip "." and ".." */
1268
if(direntry->d_name[0] == '.'
1269
and (direntry->d_name[1] == '\0'
1270
or (direntry->d_name[1] == '.'
1271
and direntry->d_name[2] == '\0'))){
1272
continue;
1273
}
1274
char *fullname = NULL;
1275
ret = asprintf(&fullname, "%s/%s", tempdir,
1276
direntry->d_name);
1277
if(ret < 0){
1278
perror("asprintf");
1279
continue;
1280
}
1281
ret = remove(fullname);
1282
if(ret == -1){
1283
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1284
strerror(errno));
1285
}
1286
free(fullname);
1287
}
1288
closedir(d);
1289
}
1290
ret = rmdir(tempdir);
1291
if(ret == -1 and errno != ENOENT){
1292
perror("rmdir");
1293
}
1294
}
1295
1296
return exitcode;
768
769
/* Check if creating the server object succeeded */
770
if (!server) {
771
fprintf(stderr, "Failed to create server: %s\n",
772
avahi_strerror(error));
773
returncode = EXIT_FAILURE;
774
goto exit;
775
}
776
777
/* Create the service browser */
778
sb = avahi_s_service_browser_new(server, if_index,
779
AVAHI_PROTO_INET6,
780
"_mandos._tcp", NULL, 0,
781
browse_callback, server);
782
if (!sb) {
783
fprintf(stderr, "Failed to create service browser: %s\n",
784
avahi_strerror(avahi_server_errno(server)));
785
returncode = EXIT_FAILURE;
786
goto exit;
787
}
788
789
/* Run the main loop */
790
791
if (debug){
792
fprintf(stderr, "Starting avahi loop search\n");
793
}
794
795
avahi_simple_poll_loop(simple_poll);
796
797
exit:
798
799
if (debug){
800
fprintf(stderr, "%s exiting\n", argv[0]);
801
}
802
803
/* Cleanup things */
804
if (sb)
805
avahi_s_service_browser_free(sb);
806
807
if (server)
808
avahi_server_free(server);
809
810
if (simple_poll)
811
avahi_simple_poll_free(simple_poll);
812
free(certfile);
813
free(certkey);
814
815
return returncode;
1297
816
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0