To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 31
- compare with another revision
- download diff
- download tarball
- view history from revision 31
- Committer: Teddy Hogeborn
- Date: 2008-08-01 06:33:15 UTC
- Revision ID: teddy@fukt.bsnet.se-20080801063315-4k33q3ek28hjc3tu
* plugins.d/plugbasedclient.c: Update include file comments.
(struct process.disable): Renamed to "disabled". All users changed.
(addarguments): Renamed to "addargument". All callers changed.
(doc, args_doc): Removed.
(main): Changed default "plugindir" to
"/conf/conf.d/mandos/plugins.d". Renamed "rfds_orig" to
"rfds_all"; all users changed. New "debug" and
"exitstatus" variables. New "--debug" option. Removed
unnecessary ".flags = 0" from all options. Changed so that
"--disable-plugin" only takes one plugin. Check for
non-existence of ":" in argument to "--options-for". Added
some debugging outputs. Set the FD_CLOEXEC flag on the
directory FD. More capable code for dealing with
disallowed plugin file name prefixes and suffixes. Bug
fix: check for some malloc failures. Moved allocating the
"struct process *new_process" to after the fork. Do
_exit() instead of exit() in the child.
* plugins.d/mandosclient.c: Updated contact information.
(struct process.disable): Renamed to "disabled". All users changed.
(addarguments): Renamed to "addargument". All callers changed.
(doc, args_doc): Removed.
(main): Changed default "plugindir" to
"/conf/conf.d/mandos/plugins.d". Renamed "rfds_orig" to
"rfds_all"; all users changed. New "debug" and
"exitstatus" variables. New "--debug" option. Removed
unnecessary ".flags = 0" from all options. Changed so that
"--disable-plugin" only takes one plugin. Check for
non-existence of ":" in argument to "--options-for". Added
some debugging outputs. Set the FD_CLOEXEC flag on the
directory FD. More capable code for dealing with
disallowed plugin file name prefixes and suffixes. Bug
fix: check for some malloc failures. Moved allocating the
"struct process *new_process" to after the fork. Do
_exit() instead of exit() in the child.
* plugins.d/mandosclient.c: Updated contact information.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
30
29
*/
31
30
32
31
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
32
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
33
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
47
srand(), strtof() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), setuid(),
75
setgid() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sigaction,
84
sig_atomic_t */
85
86
#ifdef __linux__
87
#include <sys/klog.h> /* klogctl() */
88
#endif /* __linux__ */
89
90
/* Avahi */
91
/* All Avahi types, constants and functions
92
Avahi*, avahi_*,
93
AVAHI_* */
34
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
94
41
#include <avahi-core/core.h>
95
42
#include <avahi-core/lookup.h>
96
43
#include <avahi-core/log.h>
98
45
#include <avahi-common/malloc.h>
99
46
#include <avahi-common/error.h>
100
47
101
/* GnuTLS */
102
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
103
functions:
104
gnutls_*
105
init_gnutls_session(),
106
GNUTLS_* */
107
#include <gnutls/openpgp.h>
108
/* gnutls_certificate_set_openpgp_key_file(),
109
GNUTLS_OPENPGP_FMT_BASE64 */
110
111
/* GPGME */
112
#include <gpgme.h> /* All GPGME types, constants and
113
functions:
114
gpgme_*
115
GPGME_PROTOCOL_OpenPGP,
116
GPG_ERR_NO_* */
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt long
67
#include <getopt.h>
117
68
118
69
#define BUFFER_SIZE 256
70
#define DH_BITS 1024
119
71
120
#define PATHDIR "/conf/conf.d/mandos"
121
#define SECKEY "seckey.txt"
122
#define PUBKEY "pubkey.txt"
72
const char *certdir = "/conf/conf.d/cryptkeyreq/";
73
const char *certfile = "openpgp-client.txt";
74
const char *certkey = "openpgp-client-key.txt";
123
75
124
76
bool debug = false;
125
static const char mandos_protocol_version[] = "1";
126
const char *argp_program_version = "mandos-client " VERSION;
127
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
128
77
129
/* Used for passing in values through the Avahi callback functions */
130
78
typedef struct {
131
AvahiSimplePoll *simple_poll;
132
AvahiServer *server;
79
gnutls_session_t session;
133
80
gnutls_certificate_credentials_t cred;
134
unsigned int dh_bits;
135
81
gnutls_dh_params_t dh_params;
136
const char *priority;
82
} encrypted_session;
83
84
85
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
86
char **new_packet, const char *homedir){
87
gpgme_data_t dh_crypto, dh_plain;
137
88
gpgme_ctx_t ctx;
138
} mandos_context;
139
140
/* global context so signal handler can reach it*/
141
mandos_context mc = { .simple_poll = NULL, .server = NULL,
142
.dh_bits = 1024, .priority = "SECURE256"
143
":!CTYPE-X.509:+CTYPE-OPENPGP" };
144
145
/*
146
* Make additional room in "buffer" for at least BUFFER_SIZE more
147
* bytes. "buffer_capacity" is how much is currently allocated,
148
* "buffer_length" is how much is already used.
149
*/
150
size_t incbuffer(char **buffer, size_t buffer_length,
151
size_t buffer_capacity){
152
if(buffer_length + BUFFER_SIZE > buffer_capacity){
153
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
154
if(buffer == NULL){
155
return 0;
156
}
157
buffer_capacity += BUFFER_SIZE;
158
}
159
return buffer_capacity;
160
}
161
162
/*
163
* Initialize GPGME.
164
*/
165
static bool init_gpgme(const char *seckey,
166
const char *pubkey, const char *tempdir){
167
int ret;
168
89
gpgme_error_t rc;
90
ssize_t ret;
91
ssize_t new_packet_capacity = 0;
92
ssize_t new_packet_length = 0;
169
93
gpgme_engine_info_t engine_info;
170
171
172
/*
173
* Helper function to insert pub and seckey to the engine keyring.
174
*/
175
bool import_key(const char *filename){
176
int fd;
177
gpgme_data_t pgp_data;
178
179
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
180
if(fd == -1){
181
perror("open");
182
return false;
183
}
184
185
rc = gpgme_data_new_from_fd(&pgp_data, fd);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
rc = gpgme_op_import(mc.ctx, pgp_data);
193
if(rc != GPG_ERR_NO_ERROR){
194
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
195
gpgme_strsource(rc), gpgme_strerror(rc));
196
return false;
197
}
198
199
ret = (int)TEMP_FAILURE_RETRY(close(fd));
200
if(ret == -1){
201
perror("close");
202
}
203
gpgme_data_release(pgp_data);
204
return true;
205
}
206
207
if(debug){
208
fprintf(stderr, "Initializing GPGME\n");
94
95
if (debug){
96
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
209
97
}
210
98
211
99
/* Init GPGME */
212
100
gpgme_check_version(NULL);
213
101
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
214
if(rc != GPG_ERR_NO_ERROR){
102
if (rc != GPG_ERR_NO_ERROR){
215
103
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
216
104
gpgme_strsource(rc), gpgme_strerror(rc));
217
return false;
105
return -1;
218
106
}
219
107
220
/* Set GPGME home directory for the OpenPGP engine only */
221
rc = gpgme_get_engine_info(&engine_info);
222
if(rc != GPG_ERR_NO_ERROR){
108
/* Set GPGME home directory */
109
rc = gpgme_get_engine_info (&engine_info);
110
if (rc != GPG_ERR_NO_ERROR){
223
111
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
224
112
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
113
return -1;
226
114
}
227
115
while(engine_info != NULL){
228
116
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
229
117
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
230
engine_info->file_name, tempdir);
118
engine_info->file_name, homedir);
231
119
break;
232
120
}
233
121
engine_info = engine_info->next;
234
122
}
235
123
if(engine_info == NULL){
236
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
237
return false;
238
}
239
240
/* Create new GPGME "context" */
241
rc = gpgme_new(&(mc.ctx));
242
if(rc != GPG_ERR_NO_ERROR){
243
fprintf(stderr, "bad gpgme_new: %s: %s\n",
244
gpgme_strsource(rc), gpgme_strerror(rc));
245
return false;
246
}
247
248
if(not import_key(pubkey) or not import_key(seckey)){
249
return false;
250
}
251
252
return true;
253
}
254
255
/*
256
* Decrypt OpenPGP data.
257
* Returns -1 on error
258
*/
259
static ssize_t pgp_packet_decrypt(const char *cryptotext,
260
size_t crypto_size,
261
char **plaintext){
262
gpgme_data_t dh_crypto, dh_plain;
263
gpgme_error_t rc;
264
ssize_t ret;
265
size_t plaintext_capacity = 0;
266
ssize_t plaintext_length = 0;
267
268
if(debug){
269
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
270
}
271
272
/* Create new GPGME data buffer from memory cryptotext */
273
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
274
0);
275
if(rc != GPG_ERR_NO_ERROR){
124
fprintf(stderr, "Could not set home dir to %s\n", homedir);
125
return -1;
126
}
127
128
/* Create new GPGME data buffer from packet buffer */
129
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
130
if (rc != GPG_ERR_NO_ERROR){
276
131
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
277
132
gpgme_strsource(rc), gpgme_strerror(rc));
278
133
return -1;
280
135
281
136
/* Create new empty GPGME data buffer for the plaintext */
282
137
rc = gpgme_data_new(&dh_plain);
283
if(rc != GPG_ERR_NO_ERROR){
138
if (rc != GPG_ERR_NO_ERROR){
284
139
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
285
140
gpgme_strsource(rc), gpgme_strerror(rc));
286
gpgme_data_release(dh_crypto);
287
return -1;
288
}
289
290
/* Decrypt data from the cryptotext data buffer to the plaintext
291
data buffer */
292
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
293
if(rc != GPG_ERR_NO_ERROR){
141
return -1;
142
}
143
144
/* Create new GPGME "context" */
145
rc = gpgme_new(&ctx);
146
if (rc != GPG_ERR_NO_ERROR){
147
fprintf(stderr, "bad gpgme_new: %s: %s\n",
148
gpgme_strsource(rc), gpgme_strerror(rc));
149
return -1;
150
}
151
152
/* Decrypt data from the FILE pointer to the plaintext data
153
buffer */
154
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
155
if (rc != GPG_ERR_NO_ERROR){
294
156
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
295
157
gpgme_strsource(rc), gpgme_strerror(rc));
296
plaintext_length = -1;
297
if(debug){
298
gpgme_decrypt_result_t result;
299
result = gpgme_op_decrypt_result(mc.ctx);
300
if(result == NULL){
301
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
302
} else {
303
fprintf(stderr, "Unsupported algorithm: %s\n",
304
result->unsupported_algorithm);
305
fprintf(stderr, "Wrong key usage: %u\n",
306
result->wrong_key_usage);
307
if(result->file_name != NULL){
308
fprintf(stderr, "File name: %s\n", result->file_name);
309
}
310
gpgme_recipient_t recipient;
311
recipient = result->recipients;
158
return -1;
159
}
160
161
if(debug){
162
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
163
}
164
165
if (debug){
166
gpgme_decrypt_result_t result;
167
result = gpgme_op_decrypt_result(ctx);
168
if (result == NULL){
169
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
170
} else {
171
fprintf(stderr, "Unsupported algorithm: %s\n",
172
result->unsupported_algorithm);
173
fprintf(stderr, "Wrong key usage: %d\n",
174
result->wrong_key_usage);
175
if(result->file_name != NULL){
176
fprintf(stderr, "File name: %s\n", result->file_name);
177
}
178
gpgme_recipient_t recipient;
179
recipient = result->recipients;
180
if(recipient){
312
181
while(recipient != NULL){
313
182
fprintf(stderr, "Public key algorithm: %s\n",
314
183
gpgme_pubkey_algo_name(recipient->pubkey_algo));
320
189
}
321
190
}
322
191
}
323
goto decrypt_end;
324
192
}
325
193
326
if(debug){
327
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
328
}
194
/* Delete the GPGME FILE pointer cryptotext data buffer */
195
gpgme_data_release(dh_crypto);
329
196
330
197
/* Seek back to the beginning of the GPGME plaintext data buffer */
331
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
332
perror("gpgme_data_seek");
333
plaintext_length = -1;
334
goto decrypt_end;
198
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
199
perror("pgpme_data_seek");
335
200
}
336
201
337
*plaintext = NULL;
202
*new_packet = 0;
338
203
while(true){
339
plaintext_capacity = incbuffer(plaintext,
340
(size_t)plaintext_length,
341
plaintext_capacity);
342
if(plaintext_capacity == 0){
343
perror("incbuffer");
344
plaintext_length = -1;
345
goto decrypt_end;
204
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
205
*new_packet = realloc(*new_packet,
206
(unsigned int)new_packet_capacity
207
+ BUFFER_SIZE);
208
if (*new_packet == NULL){
209
perror("realloc");
210
return -1;
211
}
212
new_packet_capacity += BUFFER_SIZE;
346
213
}
347
214
348
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
215
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
349
216
BUFFER_SIZE);
350
217
/* Print the data, if any */
351
if(ret == 0){
352
/* EOF */
218
if (ret == 0){
353
219
break;
354
220
}
355
221
if(ret < 0){
356
222
perror("gpgme_data_read");
357
plaintext_length = -1;
358
goto decrypt_end;
359
}
360
plaintext_length += ret;
361
}
362
363
if(debug){
364
fprintf(stderr, "Decrypted password is: ");
365
for(ssize_t i = 0; i < plaintext_length; i++){
366
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
367
}
368
fprintf(stderr, "\n");
369
}
370
371
decrypt_end:
372
373
/* Delete the GPGME cryptotext data buffer */
374
gpgme_data_release(dh_crypto);
223
return -1;
224
}
225
new_packet_length += ret;
226
}
227
228
/* FIXME: check characters before printing to screen so to not print
229
terminal control characters */
230
/* if(debug){ */
231
/* fprintf(stderr, "decrypted password is: "); */
232
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
233
/* fprintf(stderr, "\n"); */
234
/* } */
375
235
376
236
/* Delete the GPGME plaintext data buffer */
377
237
gpgme_data_release(dh_plain);
378
return plaintext_length;
238
return new_packet_length;
379
239
}
380
240
381
static const char * safer_gnutls_strerror(int value){
382
const char *ret = gnutls_strerror(value); /* Spurious warning from
383
-Wunreachable-code */
384
if(ret == NULL)
241
static const char * safer_gnutls_strerror (int value) {
242
const char *ret = gnutls_strerror (value);
243
if (ret == NULL)
385
244
ret = "(unknown)";
386
245
return ret;
387
246
}
388
247
389
/* GnuTLS log function callback */
390
static void debuggnutls(__attribute__((unused)) int level,
391
const char* string){
392
fprintf(stderr, "GnuTLS: %s", string);
248
void debuggnutls(__attribute__((unused)) int level,
249
const char* string){
250
fprintf(stderr, "%s", string);
393
251
}
394
252
395
static int init_gnutls_global(const char *pubkeyfilename,
396
const char *seckeyfilename){
253
int initgnutls(encrypted_session *es){
254
const char *err;
397
255
int ret;
398
256
399
257
if(debug){
400
258
fprintf(stderr, "Initializing GnuTLS\n");
401
259
}
402
403
ret = gnutls_global_init();
404
if(ret != GNUTLS_E_SUCCESS){
405
fprintf(stderr, "GnuTLS global_init: %s\n",
406
safer_gnutls_strerror(ret));
260
261
if ((ret = gnutls_global_init ())
262
!= GNUTLS_E_SUCCESS) {
263
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
407
264
return -1;
408
265
}
409
410
if(debug){
411
/* "Use a log level over 10 to enable all debugging options."
412
* - GnuTLS manual
413
*/
266
267
if (debug){
414
268
gnutls_global_set_log_level(11);
415
269
gnutls_global_set_log_function(debuggnutls);
416
270
}
417
271
418
/* OpenPGP credentials */
419
gnutls_certificate_allocate_credentials(&mc.cred);
420
if(ret != GNUTLS_E_SUCCESS){
421
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
422
from
423
-Wunreachable-code
424
*/
425
safer_gnutls_strerror(ret));
426
gnutls_global_deinit();
272
/* openpgp credentials */
273
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
274
!= GNUTLS_E_SUCCESS) {
275
fprintf (stderr, "memory error: %s\n",
276
safer_gnutls_strerror(ret));
427
277
return -1;
428
278
}
429
279
430
280
if(debug){
431
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
432
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
433
seckeyfilename);
281
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
282
" and keyfile %s as GnuTLS credentials\n", certfile,
283
certkey);
434
284
}
435
285
436
286
ret = gnutls_certificate_set_openpgp_key_file
437
(mc.cred, pubkeyfilename, seckeyfilename,
438
GNUTLS_OPENPGP_FMT_BASE64);
439
if(ret != GNUTLS_E_SUCCESS){
440
fprintf(stderr,
441
"Error[%d] while reading the OpenPGP key pair ('%s',"
442
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
443
fprintf(stderr, "The GnuTLS error is: %s\n",
444
safer_gnutls_strerror(ret));
445
goto globalfail;
446
}
447
448
/* GnuTLS server initialization */
449
ret = gnutls_dh_params_init(&mc.dh_params);
450
if(ret != GNUTLS_E_SUCCESS){
451
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
452
" %s\n", safer_gnutls_strerror(ret));
453
goto globalfail;
454
}
455
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
456
if(ret != GNUTLS_E_SUCCESS){
457
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
458
safer_gnutls_strerror(ret));
459
goto globalfail;
460
}
461
462
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
463
464
return 0;
465
466
globalfail:
467
468
gnutls_certificate_free_credentials(mc.cred);
469
gnutls_global_deinit();
470
gnutls_dh_params_deinit(mc.dh_params);
471
return -1;
472
}
473
474
static int init_gnutls_session(gnutls_session_t *session){
475
int ret;
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
478
if(ret != GNUTLS_E_SUCCESS){
287
(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);
288
if (ret != GNUTLS_E_SUCCESS) {
289
fprintf
290
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
291
" '%s')\n",
292
ret, certfile, certkey);
293
fprintf(stdout, "The Error is: %s\n",
294
safer_gnutls_strerror(ret));
295
return -1;
296
}
297
298
//GnuTLS server initialization
299
if ((ret = gnutls_dh_params_init (&es->dh_params))
300
!= GNUTLS_E_SUCCESS) {
301
fprintf (stderr, "Error in dh parameter initialization: %s\n",
302
safer_gnutls_strerror(ret));
303
return -1;
304
}
305
306
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
307
!= GNUTLS_E_SUCCESS) {
308
fprintf (stderr, "Error in prime generation: %s\n",
309
safer_gnutls_strerror(ret));
310
return -1;
311
}
312
313
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
314
315
// GnuTLS session creation
316
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
317
!= GNUTLS_E_SUCCESS){
479
318
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
319
safer_gnutls_strerror(ret));
481
320
}
482
321
483
{
484
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
486
if(ret != GNUTLS_E_SUCCESS){
487
fprintf(stderr, "Syntax error at: %s\n", err);
488
fprintf(stderr, "GnuTLS error: %s\n",
489
safer_gnutls_strerror(ret));
490
gnutls_deinit(*session);
491
return -1;
492
}
322
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf(stderr, "Syntax error at: %s\n", err);
325
fprintf(stderr, "GnuTLS error: %s\n",
326
safer_gnutls_strerror(ret));
327
return -1;
493
328
}
494
329
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
497
if(ret != GNUTLS_E_SUCCESS){
498
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
330
if ((ret = gnutls_credentials_set
331
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
332
!= GNUTLS_E_SUCCESS) {
333
fprintf(stderr, "Error setting a credentials set: %s\n",
499
334
safer_gnutls_strerror(ret));
500
gnutls_deinit(*session);
501
335
return -1;
502
336
}
503
337
504
338
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
339
gnutls_certificate_server_set_request (es->session,
340
GNUTLS_CERT_IGNORE);
507
341
508
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
342
gnutls_dh_set_prime_bits (es->session, DH_BITS);
509
343
510
344
return 0;
511
345
}
512
346
513
/* Avahi log function callback */
514
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
515
__attribute__((unused)) const char *txt){}
347
void empty_log(__attribute__((unused)) AvahiLogLevel level,
348
__attribute__((unused)) const char *txt){}
516
349
517
/* Called when a Mandos server is found */
518
static int start_mandos_communication(const char *ip, uint16_t port,
519
AvahiIfIndex if_index,
520
int af){
350
int start_mandos_communication(const char *ip, uint16_t port,
351
AvahiIfIndex if_index){
521
352
int ret, tcp_sd;
522
ssize_t sret;
523
union {
524
struct sockaddr_in in;
525
struct sockaddr_in6 in6;
526
} to;
353
struct sockaddr_in6 to;
354
encrypted_session es;
527
355
char *buffer = NULL;
528
356
char *decrypted_buffer;
529
357
size_t buffer_length = 0;
530
358
size_t buffer_capacity = 0;
531
359
ssize_t decrypted_buffer_size;
532
size_t written;
360
size_t written = 0;
533
361
int retval = 0;
534
gnutls_session_t session;
535
int pf; /* Protocol family */
536
537
switch(af){
538
case AF_INET6:
539
pf = PF_INET6;
540
break;
541
case AF_INET:
542
pf = PF_INET;
543
break;
544
default:
545
fprintf(stderr, "Bad address family: %d\n", af);
546
return -1;
547
}
548
549
ret = init_gnutls_session(&session);
550
if(ret != 0){
551
return -1;
552
}
362
char interface[IF_NAMESIZE];
553
363
554
364
if(debug){
555
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
556
"\n", ip, port);
365
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
366
ip, port);
557
367
}
558
368
559
tcp_sd = socket(pf, SOCK_STREAM, 0);
560
if(tcp_sd < 0){
369
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
370
if(tcp_sd < 0) {
561
371
perror("socket");
562
372
return -1;
563
373
}
564
374
565
memset(&to, 0, sizeof(to));
566
if(af == AF_INET6){
567
to.in6.sin6_family = (sa_family_t)af;
568
ret = inet_pton(af, ip, &to.in6.sin6_addr);
569
} else { /* IPv4 */
570
to.in.sin_family = (sa_family_t)af;
571
ret = inet_pton(af, ip, &to.in.sin_addr);
572
}
573
if(ret < 0 ){
375
if(if_indextoname((unsigned int)if_index, interface) == NULL){
376
if(debug){
377
perror("if_indextoname");
378
}
379
return -1;
380
}
381
382
if(debug){
383
fprintf(stderr, "Binding to interface %s\n", interface);
384
}
385
386
memset(&to,0,sizeof(to)); /* Spurious warning */
387
to.sin6_family = AF_INET6;
388
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
389
if (ret < 0 ){
574
390
perror("inet_pton");
575
391
return -1;
576
}
392
}
577
393
if(ret == 0){
578
394
fprintf(stderr, "Bad address: %s\n", ip);
579
395
return -1;
580
396
}
581
if(af == AF_INET6){
582
to.in6.sin6_port = htons(port); /* Spurious warnings from
583
-Wconversion and
584
-Wunreachable-code */
585
586
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
587
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
588
-Wunreachable-code*/
589
if(if_index == AVAHI_IF_UNSPEC){
590
fprintf(stderr, "An IPv6 link-local address is incomplete"
591
" without a network interface\n");
592
return -1;
593
}
594
/* Set the network interface number as scope */
595
to.in6.sin6_scope_id = (uint32_t)if_index;
596
}
597
} else {
598
to.in.sin_port = htons(port); /* Spurious warnings from
599
-Wconversion and
600
-Wunreachable-code */
601
}
397
to.sin6_port = htons(port); /* Spurious warning */
398
399
to.sin6_scope_id = (uint32_t)if_index;
602
400
603
401
if(debug){
604
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
605
char interface[IF_NAMESIZE];
606
if(if_indextoname((unsigned int)if_index, interface) == NULL){
607
perror("if_indextoname");
608
} else {
609
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
610
ip, interface, port);
611
}
612
} else {
613
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
614
port);
615
}
616
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
617
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
618
const char *pcret;
619
if(af == AF_INET6){
620
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
621
sizeof(addrstr));
622
} else {
623
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
624
sizeof(addrstr));
625
}
626
if(pcret == NULL){
627
perror("inet_ntop");
628
} else {
629
if(strcmp(addrstr, ip) != 0){
630
fprintf(stderr, "Canonical address form: %s\n", addrstr);
631
}
632
}
402
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
403
/* char addrstr[INET6_ADDRSTRLEN]; */
404
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
405
/* sizeof(addrstr)) == NULL){ */
406
/* perror("inet_ntop"); */
407
/* } else { */
408
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
409
/* addrstr, ntohs(to.sin6_port)); */
410
/* } */
633
411
}
634
412
635
if(af == AF_INET6){
636
ret = connect(tcp_sd, &to.in6, sizeof(to));
637
} else {
638
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
639
}
640
if(ret < 0){
413
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
414
if (ret < 0){
641
415
perror("connect");
642
416
return -1;
643
417
}
644
418
645
const char *out = mandos_protocol_version;
646
written = 0;
647
while(true){
648
size_t out_size = strlen(out);
649
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
650
out_size - written));
651
if(ret == -1){
652
perror("write");
653
retval = -1;
654
goto mandos_end;
655
}
656
written += (size_t)ret;
657
if(written < out_size){
658
continue;
659
} else {
660
if(out == mandos_protocol_version){
661
written = 0;
662
out = "\r\n";
663
} else {
664
break;
665
}
666
}
419
ret = initgnutls (&es);
420
if (ret != 0){
421
retval = -1;
422
return -1;
667
423
}
668
424
425
gnutls_transport_set_ptr (es.session,
426
(gnutls_transport_ptr_t) tcp_sd);
427
669
428
if(debug){
670
429
fprintf(stderr, "Establishing TLS session with %s\n", ip);
671
430
}
672
431
673
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
674
675
do{
676
ret = gnutls_handshake(session);
677
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
678
679
if(ret != GNUTLS_E_SUCCESS){
432
ret = gnutls_handshake (es.session);
433
434
if (ret != GNUTLS_E_SUCCESS){
680
435
if(debug){
681
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
682
gnutls_perror(ret);
436
fprintf(stderr, "\n*** Handshake failed ***\n");
437
gnutls_perror (ret);
683
438
}
684
439
retval = -1;
685
goto mandos_end;
440
goto exit;
686
441
}
687
442
688
/* Read OpenPGP packet that contains the wanted password */
443
//Retrieve OpenPGP packet that contains the wanted password
689
444
690
445
if(debug){
691
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
446
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
692
447
ip);
693
448
}
694
449
695
450
while(true){
696
buffer_capacity = incbuffer(&buffer, buffer_length,
697
buffer_capacity);
698
if(buffer_capacity == 0){
699
perror("incbuffer");
700
retval = -1;
701
goto mandos_end;
451
if (buffer_length + BUFFER_SIZE > buffer_capacity){
452
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
453
if (buffer == NULL){
454
perror("realloc");
455
goto exit;
456
}
457
buffer_capacity += BUFFER_SIZE;
702
458
}
703
459
704
sret = gnutls_record_recv(session, buffer+buffer_length,
705
BUFFER_SIZE);
706
if(sret == 0){
460
ret = gnutls_record_recv
461
(es.session, buffer+buffer_length, BUFFER_SIZE);
462
if (ret == 0){
707
463
break;
708
464
}
709
if(sret < 0){
710
switch(sret){
465
if (ret < 0){
466
switch(ret){
711
467
case GNUTLS_E_INTERRUPTED:
712
468
case GNUTLS_E_AGAIN:
713
469
break;
714
470
case GNUTLS_E_REHANDSHAKE:
715
do{
716
ret = gnutls_handshake(session);
717
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
718
if(ret < 0){
719
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
720
gnutls_perror(ret);
471
ret = gnutls_handshake (es.session);
472
if (ret < 0){
473
fprintf(stderr, "\n*** Handshake failed ***\n");
474
gnutls_perror (ret);
721
475
retval = -1;
722
goto mandos_end;
476
goto exit;
723
477
}
724
478
break;
725
479
default:
726
480
fprintf(stderr, "Unknown error while reading data from"
727
" encrypted session with Mandos server\n");
481
" encrypted session with mandos server\n");
728
482
retval = -1;
729
gnutls_bye(session, GNUTLS_SHUT_RDWR);
730
goto mandos_end;
483
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
484
goto exit;
731
485
}
732
486
} else {
733
buffer_length += (size_t) sret;
487
buffer_length += (size_t) ret;
734
488
}
735
489
}
736
490
737
if(debug){
738
fprintf(stderr, "Closing TLS session\n");
739
}
740
741
gnutls_bye(session, GNUTLS_SHUT_RDWR);
742
743
if(buffer_length > 0){
491
if (buffer_length > 0){
744
492
decrypted_buffer_size = pgp_packet_decrypt(buffer,
745
493
buffer_length,
746
&decrypted_buffer);
747
if(decrypted_buffer_size >= 0){
748
written = 0;
494
&decrypted_buffer,
495
certdir);
496
if (decrypted_buffer_size >= 0){
749
497
while(written < (size_t) decrypted_buffer_size){
750
ret = (int)fwrite(decrypted_buffer + written, 1,
751
(size_t)decrypted_buffer_size - written,
752
stdout);
498
ret = (int)fwrite (decrypted_buffer + written, 1,
499
(size_t)decrypted_buffer_size - written,
500
stdout);
753
501
if(ret == 0 and ferror(stdout)){
754
502
if(debug){
755
503
fprintf(stderr, "Error writing encrypted data: %s\n",
764
512
} else {
765
513
retval = -1;
766
514
}
767
} else {
768
retval = -1;
769
}
770
771
/* Shutdown procedure */
772
773
mandos_end:
515
}
516
517
//shutdown procedure
518
519
if(debug){
520
fprintf(stderr, "Closing TLS session\n");
521
}
522
774
523
free(buffer);
775
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
776
if(ret == -1){
777
perror("close");
778
}
779
gnutls_deinit(session);
524
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
525
exit:
526
close(tcp_sd);
527
gnutls_deinit (es.session);
528
gnutls_certificate_free_credentials (es.cred);
529
gnutls_global_deinit ();
780
530
return retval;
781
531
}
782
532
783
static void resolve_callback(AvahiSServiceResolver *r,
784
AvahiIfIndex interface,
785
AvahiProtocol proto,
786
AvahiResolverEvent event,
787
const char *name,
788
const char *type,
789
const char *domain,
790
const char *host_name,
791
const AvahiAddress *address,
792
uint16_t port,
793
AVAHI_GCC_UNUSED AvahiStringList *txt,
794
AVAHI_GCC_UNUSED AvahiLookupResultFlags
795
flags,
796
AVAHI_GCC_UNUSED void* userdata){
797
assert(r);
533
static AvahiSimplePoll *simple_poll = NULL;
534
static AvahiServer *server = NULL;
535
536
static void resolve_callback(
537
AvahiSServiceResolver *r,
538
AvahiIfIndex interface,
539
AVAHI_GCC_UNUSED AvahiProtocol protocol,
540
AvahiResolverEvent event,
541
const char *name,
542
const char *type,
543
const char *domain,
544
const char *host_name,
545
const AvahiAddress *address,
546
uint16_t port,
547
AVAHI_GCC_UNUSED AvahiStringList *txt,
548
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
549
AVAHI_GCC_UNUSED void* userdata) {
550
551
assert(r); /* Spurious warning */
798
552
799
553
/* Called whenever a service has been resolved successfully or
800
554
timed out */
801
555
802
switch(event){
556
switch (event) {
803
557
default:
804
558
case AVAHI_RESOLVER_FAILURE:
805
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
806
" of type '%s' in domain '%s': %s\n", name, type, domain,
807
avahi_strerror(avahi_server_errno(mc.server)));
559
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
560
" type '%s' in domain '%s': %s\n", name, type, domain,
561
avahi_strerror(avahi_server_errno(server)));
808
562
break;
809
563
810
564
case AVAHI_RESOLVER_FOUND:
812
566
char ip[AVAHI_ADDRESS_STR_MAX];
813
567
avahi_address_snprint(ip, sizeof(ip), address);
814
568
if(debug){
815
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
816
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
817
ip, (intmax_t)interface, port);
569
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
570
" port %d\n", name, host_name, ip, port);
818
571
}
819
int ret = start_mandos_communication(ip, port, interface,
820
avahi_proto_to_af(proto));
821
if(ret == 0){
822
avahi_simple_poll_quit(mc.simple_poll);
572
int ret = start_mandos_communication(ip, port, interface);
573
if (ret == 0){
574
exit(EXIT_SUCCESS);
823
575
}
824
576
}
825
577
}
826
578
avahi_s_service_resolver_free(r);
827
579
}
828
580
829
static void browse_callback(AvahiSServiceBrowser *b,
830
AvahiIfIndex interface,
831
AvahiProtocol protocol,
832
AvahiBrowserEvent event,
833
const char *name,
834
const char *type,
835
const char *domain,
836
AVAHI_GCC_UNUSED AvahiLookupResultFlags
837
flags,
838
AVAHI_GCC_UNUSED void* userdata){
839
assert(b);
840
841
/* Called whenever a new services becomes available on the LAN or
842
is removed from the LAN */
843
844
switch(event){
845
default:
846
case AVAHI_BROWSER_FAILURE:
847
848
fprintf(stderr, "(Avahi browser) %s\n",
849
avahi_strerror(avahi_server_errno(mc.server)));
850
avahi_simple_poll_quit(mc.simple_poll);
851
return;
852
853
case AVAHI_BROWSER_NEW:
854
/* We ignore the returned Avahi resolver object. In the callback
855
function we free it. If the Avahi server is terminated before
856
the callback function is called the Avahi server will free the
857
resolver for us. */
858
859
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
860
name, type, domain, protocol, 0,
861
resolve_callback, NULL) == NULL)
862
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
863
name, avahi_strerror(avahi_server_errno(mc.server)));
864
break;
865
866
case AVAHI_BROWSER_REMOVE:
867
break;
868
869
case AVAHI_BROWSER_ALL_FOR_NOW:
870
case AVAHI_BROWSER_CACHE_EXHAUSTED:
871
if(debug){
872
fprintf(stderr, "No Mandos server found, still searching...\n");
581
static void browse_callback(
582
AvahiSServiceBrowser *b,
583
AvahiIfIndex interface,
584
AvahiProtocol protocol,
585
AvahiBrowserEvent event,
586
const char *name,
587
const char *type,
588
const char *domain,
589
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
590
void* userdata) {
591
592
AvahiServer *s = userdata;
593
assert(b); /* Spurious warning */
594
595
/* Called whenever a new services becomes available on the LAN or
596
is removed from the LAN */
597
598
switch (event) {
599
default:
600
case AVAHI_BROWSER_FAILURE:
601
602
fprintf(stderr, "(Browser) %s\n",
603
avahi_strerror(avahi_server_errno(server)));
604
avahi_simple_poll_quit(simple_poll);
605
return;
606
607
case AVAHI_BROWSER_NEW:
608
/* We ignore the returned resolver object. In the callback
609
function we free it. If the server is terminated before
610
the callback function is called the server will free
611
the resolver for us. */
612
613
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
614
type, domain,
615
AVAHI_PROTO_INET6, 0,
616
resolve_callback, s)))
617
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
618
avahi_strerror(avahi_server_errno(s)));
619
break;
620
621
case AVAHI_BROWSER_REMOVE:
622
break;
623
624
case AVAHI_BROWSER_ALL_FOR_NOW:
625
case AVAHI_BROWSER_CACHE_EXHAUSTED:
626
break;
873
627
}
874
break;
875
}
876
}
877
878
sig_atomic_t quit_now = 0;
879
880
/* stop main loop after sigterm has been called */
881
static void handle_sigterm(__attribute__((unused)) int sig){
882
if(quit_now){
883
return;
884
}
885
quit_now = 1;
886
int old_errno = errno;
887
if(mc.simple_poll != NULL){
888
avahi_simple_poll_quit(mc.simple_poll);
889
}
890
errno = old_errno;
891
}
892
893
int main(int argc, char *argv[]){
894
AvahiSServiceBrowser *sb = NULL;
895
int error;
896
int ret;
897
intmax_t tmpmax;
628
}
629
630
/* combinds file name and path and returns the malloced new string. som sane checks could/should be added */
631
const char *combinepath(const char *first, const char *second){
898
632
char *tmp;
899
int exitcode = EXIT_SUCCESS;
900
const char *interface = "eth0";
901
struct ifreq network;
902
int sd = -1;
903
bool interface_taken_up = false;
904
uid_t uid;
905
gid_t gid;
906
char *connect_to = NULL;
907
char tempdir[] = "/tmp/mandosXXXXXX";
908
bool tempdir_created = false;
909
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
910
const char *seckey = PATHDIR "/" SECKEY;
911
const char *pubkey = PATHDIR "/" PUBKEY;
912
913
bool gnutls_initialized = false;
914
bool gpgme_initialized = false;
915
float delay = 2.5f;
916
917
struct sigaction old_sigterm_action;
918
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
919
920
{
921
struct argp_option options[] = {
922
{ .name = "debug", .key = 128,
923
.doc = "Debug mode", .group = 3 },
924
{ .name = "connect", .key = 'c',
925
.arg = "ADDRESS:PORT",
926
.doc = "Connect directly to a specific Mandos server",
927
.group = 1 },
928
{ .name = "interface", .key = 'i',
929
.arg = "NAME",
930
.doc = "Network interface that will be used to search for"
931
" Mandos servers",
932
.group = 1 },
933
{ .name = "seckey", .key = 's',
934
.arg = "FILE",
935
.doc = "OpenPGP secret key file base name",
936
.group = 1 },
937
{ .name = "pubkey", .key = 'p',
938
.arg = "FILE",
939
.doc = "OpenPGP public key file base name",
940
.group = 2 },
941
{ .name = "dh-bits", .key = 129,
942
.arg = "BITS",
943
.doc = "Bit length of the prime number used in the"
944
" Diffie-Hellman key exchange",
945
.group = 2 },
946
{ .name = "priority", .key = 130,
947
.arg = "STRING",
948
.doc = "GnuTLS priority string for the TLS handshake",
949
.group = 1 },
950
{ .name = "delay", .key = 131,
951
.arg = "SECONDS",
952
.doc = "Maximum delay to wait for interface startup",
953
.group = 2 },
954
{ .name = NULL }
955
};
956
957
error_t parse_opt(int key, char *arg,
958
struct argp_state *state){
959
switch(key){
960
case 128: /* --debug */
961
debug = true;
962
break;
963
case 'c': /* --connect */
964
connect_to = arg;
965
break;
966
case 'i': /* --interface */
967
interface = arg;
968
break;
969
case 's': /* --seckey */
970
seckey = arg;
971
break;
972
case 'p': /* --pubkey */
973
pubkey = arg;
974
break;
975
case 129: /* --dh-bits */
976
errno = 0;
977
tmpmax = strtoimax(arg, &tmp, 10);
978
if(errno != 0 or tmp == arg or *tmp != '\0'
979
or tmpmax != (typeof(mc.dh_bits))tmpmax){
980
fprintf(stderr, "Bad number of DH bits\n");
981
exit(EXIT_FAILURE);
982
}
983
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
984
break;
985
case 130: /* --priority */
986
mc.priority = arg;
987
break;
988
case 131: /* --delay */
989
errno = 0;
990
delay = strtof(arg, &tmp);
991
if(errno != 0 or tmp == arg or *tmp != '\0'){
992
fprintf(stderr, "Bad delay\n");
993
exit(EXIT_FAILURE);
994
}
995
break;
996
case ARGP_KEY_ARG:
997
argp_usage(state);
998
case ARGP_KEY_END:
999
break;
1000
default:
1001
return ARGP_ERR_UNKNOWN;
1002
}
1003
return 0;
1004
}
1005
1006
struct argp argp = { .options = options, .parser = parse_opt,
1007
.args_doc = "",
1008
.doc = "Mandos client -- Get and decrypt"
1009
" passwords from a Mandos server" };
1010
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1011
if(ret == ARGP_ERR_UNKNOWN){
1012
fprintf(stderr, "Unknown error while parsing arguments\n");
1013
exitcode = EXIT_FAILURE;
1014
goto end;
1015
}
1016
}
1017
1018
if(not debug){
1019
avahi_set_log_function(empty_log);
1020
}
1021
1022
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1023
from the signal handler */
1024
/* Initialize the pseudo-RNG for Avahi */
1025
srand((unsigned int) time(NULL));
1026
mc.simple_poll = avahi_simple_poll_new();
1027
if(mc.simple_poll == NULL){
1028
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1029
exitcode = EXIT_FAILURE;
1030
goto end;
1031
}
1032
1033
sigemptyset(&sigterm_action.sa_mask);
1034
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1035
if(ret == -1){
1036
perror("sigaddset");
1037
exitcode = EXIT_FAILURE;
1038
goto end;
1039
}
1040
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1041
if(ret == -1){
1042
perror("sigaddset");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1047
if(ret == -1){
1048
perror("sigaddset");
1049
exitcode = EXIT_FAILURE;
1050
goto end;
1051
}
1052
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1053
if(ret == -1){
1054
perror("sigaction");
1055
exitcode = EXIT_FAILURE;
1056
goto end;
1057
}
1058
1059
/* If the interface is down, bring it up */
1060
if(interface[0] != '\0'){
1061
#ifdef __linux__
1062
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1063
messages to mess up the prompt */
1064
ret = klogctl(8, NULL, 5);
1065
bool restore_loglevel = true;
1066
if(ret == -1){
1067
restore_loglevel = false;
1068
perror("klogctl");
1069
}
1070
#endif /* __linux__ */
1071
1072
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1073
if(sd < 0){
1074
perror("socket");
1075
exitcode = EXIT_FAILURE;
1076
#ifdef __linux__
1077
if(restore_loglevel){
1078
ret = klogctl(7, NULL, 0);
1079
if(ret == -1){
1080
perror("klogctl");
1081
}
1082
}
1083
#endif /* __linux__ */
1084
goto end;
1085
}
1086
strcpy(network.ifr_name, interface);
1087
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1088
if(ret == -1){
1089
perror("ioctl SIOCGIFFLAGS");
1090
#ifdef __linux__
1091
if(restore_loglevel){
1092
ret = klogctl(7, NULL, 0);
1093
if(ret == -1){
1094
perror("klogctl");
1095
}
1096
}
1097
#endif /* __linux__ */
1098
exitcode = EXIT_FAILURE;
1099
goto end;
1100
}
1101
if((network.ifr_flags & IFF_UP) == 0){
1102
network.ifr_flags |= IFF_UP;
1103
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1104
if(ret == -1){
1105
perror("ioctl SIOCSIFFLAGS");
1106
exitcode = EXIT_FAILURE;
1107
#ifdef __linux__
1108
if(restore_loglevel){
1109
ret = klogctl(7, NULL, 0);
1110
if(ret == -1){
1111
perror("klogctl");
1112
}
1113
}
1114
#endif /* __linux__ */
1115
goto end;
1116
}
1117
interface_taken_up = true;
1118
}
1119
/* sleep checking until interface is running */
1120
for(int i=0; i < delay * 4; i++){
1121
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1122
if(ret == -1){
1123
perror("ioctl SIOCGIFFLAGS");
1124
} else if(network.ifr_flags & IFF_RUNNING){
1125
break;
1126
}
1127
struct timespec sleeptime = { .tv_nsec = 250000000 };
1128
ret = nanosleep(&sleeptime, NULL);
1129
if(ret == -1 and errno != EINTR){
1130
perror("nanosleep");
1131
}
1132
}
1133
if(not interface_taken_up){
1134
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1135
if(ret == -1){
1136
perror("close");
1137
}
1138
}
1139
#ifdef __linux__
1140
if(restore_loglevel){
1141
/* Restores kernel loglevel to default */
1142
ret = klogctl(7, NULL, 0);
1143
if(ret == -1){
1144
perror("klogctl");
1145
}
1146
}
1147
#endif /* __linux__ */
1148
}
1149
1150
uid = getuid();
1151
gid = getgid();
1152
1153
errno = 0;
1154
setgid(gid);
1155
if(ret == -1){
1156
perror("setgid");
1157
}
1158
1159
ret = setuid(uid);
1160
if(ret == -1){
1161
perror("setuid");
1162
}
1163
1164
ret = init_gnutls_global(pubkey, seckey);
1165
if(ret == -1){
1166
fprintf(stderr, "init_gnutls_global failed\n");
1167
exitcode = EXIT_FAILURE;
1168
goto end;
1169
} else {
1170
gnutls_initialized = true;
1171
}
1172
1173
if(mkdtemp(tempdir) == NULL){
1174
perror("mkdtemp");
1175
goto end;
1176
}
1177
tempdir_created = true;
1178
1179
if(not init_gpgme(pubkey, seckey, tempdir)){
1180
fprintf(stderr, "init_gpgme failed\n");
1181
exitcode = EXIT_FAILURE;
1182
goto end;
1183
} else {
1184
gpgme_initialized = true;
1185
}
1186
1187
if(interface[0] != '\0'){
1188
if_index = (AvahiIfIndex) if_nametoindex(interface);
1189
if(if_index == 0){
1190
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1191
exitcode = EXIT_FAILURE;
1192
goto end;
1193
}
1194
}
1195
1196
if(connect_to != NULL){
1197
/* Connect directly, do not use Zeroconf */
1198
/* (Mainly meant for debugging) */
1199
char *address = strrchr(connect_to, ':');
1200
if(address == NULL){
1201
fprintf(stderr, "No colon in address\n");
1202
exitcode = EXIT_FAILURE;
1203
goto end;
1204
}
1205
uint16_t port;
1206
errno = 0;
1207
tmpmax = strtoimax(address+1, &tmp, 10);
1208
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1209
or tmpmax != (uint16_t)tmpmax){
1210
fprintf(stderr, "Bad port number\n");
1211
exitcode = EXIT_FAILURE;
1212
goto end;
1213
}
1214
port = (uint16_t)tmpmax;
1215
*address = '\0';
1216
address = connect_to;
1217
/* Colon in address indicates IPv6 */
1218
int af;
1219
if(strchr(address, ':') != NULL){
1220
af = AF_INET6;
1221
} else {
1222
af = AF_INET;
1223
}
1224
ret = start_mandos_communication(address, port, if_index, af);
1225
if(ret < 0){
1226
exitcode = EXIT_FAILURE;
1227
} else {
1228
exitcode = EXIT_SUCCESS;
1229
}
1230
goto end;
1231
}
1232
1233
{
633
tmp = malloc(strlen(first) + strlen(second) + 2);
634
if (tmp == NULL){
635
perror("malloc");
636
return NULL;
637
}
638
strcpy(tmp, first);
639
if (first[0] != '\0' and first[strlen(first) - 1] != '/'){
640
strcat(tmp, "/");
641
}
642
strcat(tmp, second);
643
return tmp;
644
}
645
646
647
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1234
648
AvahiServerConfig config;
1235
/* Do not publish any local Zeroconf records */
649
AvahiSServiceBrowser *sb = NULL;
650
int error;
651
int ret;
652
int returncode = EXIT_SUCCESS;
653
const char *interface = NULL;
654
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
655
char *connect_to = NULL;
656
657
while (true){
658
static struct option long_options[] = {
659
{"debug", no_argument, (int *)&debug, 1},
660
{"connect", required_argument, 0, 'C'},
661
{"interface", required_argument, 0, 'i'},
662
{"certdir", required_argument, 0, 'd'},
663
{"certkey", required_argument, 0, 'c'},
664
{"certfile", required_argument, 0, 'k'},
665
{0, 0, 0, 0} };
666
667
int option_index = 0;
668
ret = getopt_long (argc, argv, "i:", long_options,
669
&option_index);
670
671
if (ret == -1){
672
break;
673
}
674
675
switch(ret){
676
case 0:
677
break;
678
case 'i':
679
interface = optarg;
680
break;
681
case 'C':
682
connect_to = optarg;
683
break;
684
case 'd':
685
certdir = optarg;
686
break;
687
case 'c':
688
certfile = optarg;
689
break;
690
case 'k':
691
certkey = optarg;
692
break;
693
default:
694
exit(EXIT_FAILURE);
695
}
696
}
697
698
certfile = combinepath(certdir, certfile);
699
if (certfile == NULL){
700
goto exit;
701
}
702
703
if(interface != NULL){
704
if_index = (AvahiIfIndex) if_nametoindex(interface);
705
if(if_index == 0){
706
fprintf(stderr, "No such interface: \"%s\"\n", interface);
707
exit(EXIT_FAILURE);
708
}
709
}
710
711
if(connect_to != NULL){
712
/* Connect directly, do not use Zeroconf */
713
/* (Mainly meant for debugging) */
714
char *address = strrchr(connect_to, ':');
715
if(address == NULL){
716
fprintf(stderr, "No colon in address\n");
717
exit(EXIT_FAILURE);
718
}
719
errno = 0;
720
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
721
if(errno){
722
perror("Bad port number");
723
exit(EXIT_FAILURE);
724
}
725
*address = '\0';
726
address = connect_to;
727
ret = start_mandos_communication(address, port, if_index);
728
if(ret < 0){
729
exit(EXIT_FAILURE);
730
} else {
731
exit(EXIT_SUCCESS);
732
}
733
}
734
735
certkey = combinepath(certdir, certkey);
736
if (certkey == NULL){
737
goto exit;
738
}
739
740
if (not debug){
741
avahi_set_log_function(empty_log);
742
}
743
744
/* Initialize the psuedo-RNG */
745
srand((unsigned int) time(NULL));
746
747
/* Allocate main loop object */
748
if (!(simple_poll = avahi_simple_poll_new())) {
749
fprintf(stderr, "Failed to create simple poll object.\n");
750
751
goto exit;
752
}
753
754
/* Do not publish any local records */
1236
755
avahi_server_config_init(&config);
1237
756
config.publish_hinfo = 0;
1238
757
config.publish_addresses = 0;
1239
758
config.publish_workstation = 0;
1240
759
config.publish_domain = 0;
1241
760
1242
761
/* Allocate a new server */
1243
mc.server = avahi_server_new(avahi_simple_poll_get
1244
(mc.simple_poll), &config, NULL,
1245
NULL, &error);
1246
1247
/* Free the Avahi configuration data */
762
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
763
&config, NULL, NULL, &error);
764
765
/* Free the configuration data */
1248
766
avahi_server_config_free(&config);
1249
}
1250
1251
/* Check if creating the Avahi server object succeeded */
1252
if(mc.server == NULL){
1253
fprintf(stderr, "Failed to create Avahi server: %s\n",
1254
avahi_strerror(error));
1255
exitcode = EXIT_FAILURE;
1256
goto end;
1257
}
1258
1259
/* Create the Avahi service browser */
1260
sb = avahi_s_service_browser_new(mc.server, if_index,
1261
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1262
NULL, 0, browse_callback, NULL);
1263
if(sb == NULL){
1264
fprintf(stderr, "Failed to create service browser: %s\n",
1265
avahi_strerror(avahi_server_errno(mc.server)));
1266
exitcode = EXIT_FAILURE;
1267
goto end;
1268
}
1269
1270
/* Run the main loop */
1271
1272
if(debug){
1273
fprintf(stderr, "Starting Avahi loop search\n");
1274
}
1275
1276
avahi_simple_poll_loop(mc.simple_poll);
1277
1278
end:
1279
1280
if(debug){
1281
fprintf(stderr, "%s exiting\n", argv[0]);
1282
}
1283
1284
/* Cleanup things */
1285
if(sb != NULL)
1286
avahi_s_service_browser_free(sb);
1287
1288
if(mc.server != NULL)
1289
avahi_server_free(mc.server);
1290
1291
if(mc.simple_poll != NULL)
1292
avahi_simple_poll_free(mc.simple_poll);
1293
1294
if(gnutls_initialized){
1295
gnutls_certificate_free_credentials(mc.cred);
1296
gnutls_global_deinit();
1297
gnutls_dh_params_deinit(mc.dh_params);
1298
}
1299
1300
if(gpgme_initialized){
1301
gpgme_release(mc.ctx);
1302
}
1303
1304
/* Take down the network interface */
1305
if(interface_taken_up){
1306
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1307
if(ret == -1){
1308
perror("ioctl SIOCGIFFLAGS");
1309
} else if(network.ifr_flags & IFF_UP) {
1310
network.ifr_flags &= ~IFF_UP; /* clear flag */
1311
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1312
if(ret == -1){
1313
perror("ioctl SIOCSIFFLAGS");
1314
}
1315
}
1316
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1317
if(ret == -1){
1318
perror("close");
1319
}
1320
}
1321
1322
/* Removes the temp directory used by GPGME */
1323
if(tempdir_created){
1324
DIR *d;
1325
struct dirent *direntry;
1326
d = opendir(tempdir);
1327
if(d == NULL){
1328
if(errno != ENOENT){
1329
perror("opendir");
1330
}
1331
} else {
1332
while(true){
1333
direntry = readdir(d);
1334
if(direntry == NULL){
1335
break;
1336
}
1337
/* Skip "." and ".." */
1338
if(direntry->d_name[0] == '.'
1339
and (direntry->d_name[1] == '\0'
1340
or (direntry->d_name[1] == '.'
1341
and direntry->d_name[2] == '\0'))){
1342
continue;
1343
}
1344
char *fullname = NULL;
1345
ret = asprintf(&fullname, "%s/%s", tempdir,
1346
direntry->d_name);
1347
if(ret < 0){
1348
perror("asprintf");
1349
continue;
1350
}
1351
ret = remove(fullname);
1352
if(ret == -1){
1353
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1354
strerror(errno));
1355
}
1356
free(fullname);
1357
}
1358
closedir(d);
1359
}
1360
ret = rmdir(tempdir);
1361
if(ret == -1 and errno != ENOENT){
1362
perror("rmdir");
1363
}
1364
}
1365
1366
return exitcode;
767
768
/* Check if creating the server object succeeded */
769
if (!server) {
770
fprintf(stderr, "Failed to create server: %s\n",
771
avahi_strerror(error));
772
returncode = EXIT_FAILURE;
773
goto exit;
774
}
775
776
/* Create the service browser */
777
sb = avahi_s_service_browser_new(server, if_index,
778
AVAHI_PROTO_INET6,
779
"_mandos._tcp", NULL, 0,
780
browse_callback, server);
781
if (!sb) {
782
fprintf(stderr, "Failed to create service browser: %s\n",
783
avahi_strerror(avahi_server_errno(server)));
784
returncode = EXIT_FAILURE;
785
goto exit;
786
}
787
788
/* Run the main loop */
789
790
if (debug){
791
fprintf(stderr, "Starting avahi loop search\n");
792
}
793
794
avahi_simple_poll_loop(simple_poll);
795
796
exit:
797
798
if (debug){
799
fprintf(stderr, "%s exiting\n", argv[0]);
800
}
801
802
/* Cleanup things */
803
if (sb)
804
avahi_s_service_browser_free(sb);
805
806
if (server)
807
avahi_server_free(server);
808
809
if (simple_poll)
810
avahi_simple_poll_free(simple_poll);
811
free(certfile);
812
free(certkey);
813
814
return returncode;
1367
815
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0