/mandos/release : revision 37

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-08-02 21:06:12 UTC
Revision ID: teddy@fukt.bsnet.se-20080802210612-4c1waup4z0f66ya7

Non-tested commit for merge purposes.

* plugbasedclient.c (getplugin, addargument, set_cloexec): Made static.

* plugins.d/passprompt.c (termination_handler): Made static.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

100

#include <gpgme.h> /* All GPGME types, constants and

101

functions:

102

gpgme_*

103

GPGME_PROTOCOL_OpenPGP,

104

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt_long

#include <getopt.h>

105

106

#define BUFFER_SIZE 256

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

static int dh_bits = 1024;

static const char *keydir = "/conf/conf.d/mandos";

static const char *pubkeyfile = "pubkey.txt";

static const char *seckeyfile = "seckey.txt";

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client " VERSION;

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

/* Used for */

118

typedef struct {

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

gnutls_session_t session;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

124

const char *priority;

} encrypted_session;

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if(buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if(buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if(rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if(rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = (int)TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if(debug){

191

fprintf(stderr, "Initialize gpgme\n");

if (debug){

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

192

100

}

193

101

194

102

/* Init GPGME */

195

103

gpgme_check_version(NULL);

196

104

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if(rc != GPG_ERR_NO_ERROR){

105

if (rc != GPG_ERR_NO_ERROR){

198

106

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

107

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

108

return -1;

201

109

}

202

110

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info(&engine_info);

205

if(rc != GPG_ERR_NO_ERROR){

111

/* Set GPGME home directory */

112

rc = gpgme_get_engine_info (&engine_info);

113

if (rc != GPG_ERR_NO_ERROR){

206

114

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

207

115

gpgme_strsource(rc), gpgme_strerror(rc));

208

return false;

116

return -1;

209

117

}

210

118

while(engine_info != NULL){

211

119

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

212

120

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

213

engine_info->file_name, tempdir);

121

engine_info->file_name, homedir);

214

122

break;

215

123

}

216

124

engine_info = engine_info->next;

217

125

}

218

126

if(engine_info == NULL){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if(rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if(not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if(debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

259

if(rc != GPG_ERR_NO_ERROR){

127

fprintf(stderr, "Could not set home dir to %s\n", homedir);

128

return -1;

129

}

130

131

/* Create new GPGME data buffer from packet buffer */

132

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

133

if (rc != GPG_ERR_NO_ERROR){

260

134

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

261

135

gpgme_strsource(rc), gpgme_strerror(rc));

262

136

return -1;

264

138

265

139

/* Create new empty GPGME data buffer for the plaintext */

266

140

rc = gpgme_data_new(&dh_plain);

267

if(rc != GPG_ERR_NO_ERROR){

141

if (rc != GPG_ERR_NO_ERROR){

268

142

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

269

143

gpgme_strsource(rc), gpgme_strerror(rc));

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

277

if(rc != GPG_ERR_NO_ERROR){

144

return -1;

145

}

146

147

/* Create new GPGME "context" */

148

rc = gpgme_new(&ctx);

149

if (rc != GPG_ERR_NO_ERROR){

150

fprintf(stderr, "bad gpgme_new: %s: %s\n",

151

gpgme_strsource(rc), gpgme_strerror(rc));

152

return -1;

153

}

154

155

/* Decrypt data from the FILE pointer to the plaintext data

156

buffer */

157

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

158

if (rc != GPG_ERR_NO_ERROR){

278

159

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

279

160

gpgme_strsource(rc), gpgme_strerror(rc));

280

plaintext_length = -1;

281

if(debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if(result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

161

return -1;

162

}

163

164

if(debug){

165

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

166

}

167

168

if (debug){

169

gpgme_decrypt_result_t result;

170

result = gpgme_op_decrypt_result(ctx);

171

if (result == NULL){

172

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

173

} else {

174

fprintf(stderr, "Unsupported algorithm: %s\n",

175

result->unsupported_algorithm);

176

fprintf(stderr, "Wrong key usage: %d\n",

177

result->wrong_key_usage);

178

if(result->file_name != NULL){

179

fprintf(stderr, "File name: %s\n", result->file_name);

180

}

181

gpgme_recipient_t recipient;

182

recipient = result->recipients;

183

if(recipient){

184

while(recipient != NULL){

185

fprintf(stderr, "Public key algorithm: %s\n",

186

gpgme_pubkey_algo_name(recipient->pubkey_algo));

187

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

188

fprintf(stderr, "Secret key available: %s\n",

189

recipient->status == GPG_ERR_NO_SECKEY

190

? "No" : "Yes");

191

recipient = recipient->next;

306

192

}

307

193

}

308

194

}

309

goto decrypt_end;

310

195

}

311

196

312

if(debug){

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

197

/* Delete the GPGME FILE pointer cryptotext data buffer */

198

gpgme_data_release(dh_crypto);

315

199

316

200

/* Seek back to the beginning of the GPGME plaintext data buffer */

317

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

201

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

202

perror("pgpme_data_seek");

321

203

}

322

204

323

*plaintext = NULL;

205

*new_packet = 0;

324

206

while(true){

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if(plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

207

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

208

*new_packet = realloc(*new_packet,

209

(unsigned int)new_packet_capacity

210

+ BUFFER_SIZE);

211

if (*new_packet == NULL){

212

perror("realloc");

213

return -1;

214

}

215

new_packet_capacity += BUFFER_SIZE;

332

216

}

333

217

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

218

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

335

219

BUFFER_SIZE);

336

220

/* Print the data, if any */

337

if(ret == 0){

338

/* EOF */

221

if (ret == 0){

339

222

break;

340

223

}

341

224

if(ret < 0){

342

225

perror("gpgme_data_read");

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

226

return -1;

227

}

228

new_packet_length += ret;

229

}

230

231

/* FIXME: check characters before printing to screen so to not print

232

terminal control characters */

233

/* if(debug){ */

234

/* fprintf(stderr, "decrypted password is: "); */

235

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

236

/* fprintf(stderr, "\n"); */

237

/* } */

361

238

362

239

/* Delete the GPGME plaintext data buffer */

363

240

gpgme_data_release(dh_plain);

364

return plaintext_length;

241

return new_packet_length;

365

242

}

366

243

367

static const char * safer_gnutls_strerror(int value) {

368

const char *ret = gnutls_strerror(value); /* Spurious warning from

369

-Wunreachable-code */

370

if(ret == NULL)

244

static const char * safer_gnutls_strerror (int value) {

245

const char *ret = gnutls_strerror (value);

246

if (ret == NULL)

371

247

ret = "(unknown)";

372

248

return ret;

373

249

}

374

250

375

/* GnuTLS log function callback */

376

251

static void debuggnutls(__attribute__((unused)) int level,

377

252

const char* string){

378

fprintf(stderr, "GnuTLS: %s", string);

253

fprintf(stderr, "%s", string);

379

254

}

380

255

381

static int init_gnutls_global(mandos_context *mc,

382

const char *pubkeyfilename,

383

const char *seckeyfilename){

256

static int initgnutls(encrypted_session *es){

257

const char *err;

384

258

int ret;

385

259

386

260

if(debug){

387

261

fprintf(stderr, "Initializing GnuTLS\n");

388

262

}

389

390

ret = gnutls_global_init();

391

if(ret != GNUTLS_E_SUCCESS) {

392

fprintf(stderr, "GnuTLS global_init: %s\n",

393

safer_gnutls_strerror(ret));

263

264

if ((ret = gnutls_global_init ())

265

!= GNUTLS_E_SUCCESS) {

266

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

394

267

return -1;

395

268

}

396

397

if(debug){

398

/* "Use a log level over 10 to enable all debugging options."

399

* - GnuTLS manual

400

269

270

if (debug){

401

271

gnutls_global_set_log_level(11);

402

272

gnutls_global_set_log_function(debuggnutls);

403

273

}

404

274

405

/* OpenPGP credentials */

406

gnutls_certificate_allocate_credentials(&mc->cred);

407

if(ret != GNUTLS_E_SUCCESS){

408

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

409

* from

410

* -Wunreachable-code

411

412

safer_gnutls_strerror(ret));

413

gnutls_global_deinit();

275

/* openpgp credentials */

276

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

277

!= GNUTLS_E_SUCCESS) {

278

fprintf (stderr, "memory error: %s\n",

279

safer_gnutls_strerror(ret));

414

280

return -1;

415

281

}

416

282

417

283

if(debug){

418

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

419

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

420

seckeyfilename);

284

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

285

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

286

seckeyfile);

421

287

}

422

288

423

289

ret = gnutls_certificate_set_openpgp_key_file

424

(mc->cred, pubkeyfilename, seckeyfilename,

425

GNUTLS_OPENPGP_FMT_BASE64);

426

if(ret != GNUTLS_E_SUCCESS) {

427

fprintf(stderr,

428

"Error[%d] while reading the OpenPGP key pair ('%s',"

429

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

430

fprintf(stderr, "The GnuTLS error is: %s\n",

431

safer_gnutls_strerror(ret));

432

goto globalfail;

433

}

434

435

/* GnuTLS server initialization */

436

ret = gnutls_dh_params_init(&mc->dh_params);

437

if(ret != GNUTLS_E_SUCCESS) {

438

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

439

" %s\n", safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

443

if(ret != GNUTLS_E_SUCCESS) {

444

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

445

safer_gnutls_strerror(ret));

446

goto globalfail;

447

}

448

449

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

450

451

return 0;

452

453

globalfail:

454

455

gnutls_certificate_free_credentials(mc->cred);

456

gnutls_global_deinit();

457

gnutls_dh_params_deinit(mc->dh_params);

458

return -1;

459

}

460

461

static int init_gnutls_session(mandos_context *mc,

462

gnutls_session_t *session){

463

int ret;

464

/* GnuTLS session creation */

465

ret = gnutls_init(session, GNUTLS_SERVER);

466

if(ret != GNUTLS_E_SUCCESS){

290

(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

291

if (ret != GNUTLS_E_SUCCESS) {

292

fprintf

293

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

294

" '%s')\n",

295

ret, pubkeyfile, seckeyfile);

296

fprintf(stdout, "The Error is: %s\n",

297

safer_gnutls_strerror(ret));

298

return -1;

299

}

300

301

//GnuTLS server initialization

302

if ((ret = gnutls_dh_params_init (&es->dh_params))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in dh parameter initialization: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))

310

!= GNUTLS_E_SUCCESS) {

311

fprintf (stderr, "Error in prime generation: %s\n",

312

safer_gnutls_strerror(ret));

313

return -1;

314

}

315

316

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

317

318

// GnuTLS session creation

319

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

320

!= GNUTLS_E_SUCCESS){

467

321

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

468

322

safer_gnutls_strerror(ret));

469

323

}

470

324

471

{

472

const char *err;

473

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

474

if(ret != GNUTLS_E_SUCCESS) {

475

fprintf(stderr, "Syntax error at: %s\n", err);

476

fprintf(stderr, "GnuTLS error: %s\n",

477

safer_gnutls_strerror(ret));

478

gnutls_deinit(*session);

479

return -1;

480

}

325

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

326

!= GNUTLS_E_SUCCESS) {

327

fprintf(stderr, "Syntax error at: %s\n", err);

328

fprintf(stderr, "GnuTLS error: %s\n",

329

safer_gnutls_strerror(ret));

330

return -1;

481

331

}

482

332

483

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

484

mc->cred);

485

if(ret != GNUTLS_E_SUCCESS) {

486

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

333

if ((ret = gnutls_credentials_set

334

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

335

!= GNUTLS_E_SUCCESS) {

336

fprintf(stderr, "Error setting a credentials set: %s\n",

487

337

safer_gnutls_strerror(ret));

488

gnutls_deinit(*session);

489

338

return -1;

490

339

}

491

340

492

341

/* ignore client certificate if any. */

493

gnutls_certificate_server_set_request(*session,

494

GNUTLS_CERT_IGNORE);

342

gnutls_certificate_server_set_request (es->session,

343

GNUTLS_CERT_IGNORE);

495

344

496

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

345

gnutls_dh_set_prime_bits (es->session, dh_bits);

497

346

498

347

return 0;

499

348

}

500

349

501

/* Avahi log function callback */

502

350

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

503

351

__attribute__((unused)) const char *txt){}

504

352

505

/* Called when a Mandos server is found */

506

353

static int start_mandos_communication(const char *ip, uint16_t port,

507

AvahiIfIndex if_index,

508

mandos_context *mc){

354

AvahiIfIndex if_index){

509

355

int ret, tcp_sd;

510

ssize_t sret;

511

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

356

struct sockaddr_in6 to;

357

encrypted_session es;

512

358

char *buffer = NULL;

513

359

char *decrypted_buffer;

514

360

size_t buffer_length = 0;

515

361

size_t buffer_capacity = 0;

516

362

ssize_t decrypted_buffer_size;

517

size_t written;

363

size_t written = 0;

518

364

int retval = 0;

519

365

char interface[IF_NAMESIZE];

520

gnutls_session_t session;

521

522

ret = init_gnutls_session(mc, &session);

523

if(ret != 0){

524

return -1;

525

}

526

366

527

367

if(debug){

528

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

529

"\n", ip, port);

368

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

369

ip, port);

530

370

}

531

371

532

372

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

535

375

return -1;

536

376

}

537

377

538

if(debug){

539

if(if_indextoname((unsigned int)if_index, interface) == NULL){

378

if(if_indextoname((unsigned int)if_index, interface) == NULL){

379

if(debug){

540

380

perror("if_indextoname");

541

return -1;

542

381

}

382

return -1;

383

}

384

385

if(debug){

543

386

fprintf(stderr, "Binding to interface %s\n", interface);

544

387

}

545

388

546

memset(&to, 0, sizeof(to));

547

to.in6.sin6_family = AF_INET6;

548

/* It would be nice to have a way to detect if we were passed an

549

IPv4 address here. Now we assume an IPv6 address. */

550

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

551

if(ret < 0 ){

389

memset(&to,0,sizeof(to)); /* Spurious warning */

390

to.sin6_family = AF_INET6;

391

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

392

if (ret < 0 ){

552

393

perror("inet_pton");

553

394

return -1;

554

}

395

}

555

396

if(ret == 0){

556

397

fprintf(stderr, "Bad address: %s\n", ip);

557

398

return -1;

558

399

}

559

to.in6.sin6_port = htons(port); /* Spurious warnings from

560

-Wconversion and

561

-Wunreachable-code */

400

to.sin6_port = htons(port); /* Spurious warning */

562

401

563

to.in6.sin6_scope_id = (uint32_t)if_index;

402

to.sin6_scope_id = (uint32_t)if_index;

564

403

565

404

if(debug){

566

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

567

port);

405

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

568

406

char addrstr[INET6_ADDRSTRLEN] = "";

569

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

407

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

570

408

sizeof(addrstr)) == NULL){

571

409

perror("inet_ntop");

572

410

} else {

573

411

if(strcmp(addrstr, ip) != 0){

574

fprintf(stderr, "Canonical address form: %s\n", addrstr);

412

fprintf(stderr, "Canonical address form: %s\n",

413

addrstr, ntohs(to.sin6_port));

575

414

}

576

415

}

577

416

}

578

417

579

ret = connect(tcp_sd, &to.in, sizeof(to));

580

if(ret < 0){

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

419

if (ret < 0){

581

420

perror("connect");

582

421

return -1;

583

422

}

584

423

585

const char *out = mandos_protocol_version;

586

written = 0;

587

while(true){

588

size_t out_size = strlen(out);

589

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

590

out_size - written));

591

if(ret == -1){

592

perror("write");

593

retval = -1;

594

goto mandos_end;

595

}

596

written += (size_t)ret;

597

if(written < out_size){

598

continue;

599

} else {

600

if(out == mandos_protocol_version){

601

written = 0;

602

out = "\r\n";

603

} else {

604

break;

605

}

606

}

424

ret = initgnutls (&es);

425

if (ret != 0){

426

retval = -1;

427

return -1;

607

428

}

608

429

430

gnutls_transport_set_ptr (es.session,

431

(gnutls_transport_ptr_t) tcp_sd);

432

609

433

if(debug){

610

434

fprintf(stderr, "Establishing TLS session with %s\n", ip);

611

435

}

612

436

613

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

614

615

do{

616

ret = gnutls_handshake(session);

617

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

618

619

if(ret != GNUTLS_E_SUCCESS){

437

ret = gnutls_handshake (es.session);

438

439

if (ret != GNUTLS_E_SUCCESS){

620

440

if(debug){

621

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

622

gnutls_perror(ret);

441

fprintf(stderr, "\n*** Handshake failed ***\n");

442

gnutls_perror (ret);

623

443

}

624

444

retval = -1;

625

goto mandos_end;

445

goto exit;

626

446

}

627

447

628

/* Read OpenPGP packet that contains the wanted password */

448

//Retrieve OpenPGP packet that contains the wanted password

629

449

630

450

if(debug){

631

451

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

632

452

ip);

633

453

}

634

454

635

455

while(true){

636

buffer_capacity = adjustbuffer(&buffer, buffer_length,

637

buffer_capacity);

638

if(buffer_capacity == 0){

639

perror("adjustbuffer");

640

retval = -1;

641

goto mandos_end;

456

if (buffer_length + BUFFER_SIZE > buffer_capacity){

457

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

458

if (buffer == NULL){

459

perror("realloc");

460

goto exit;

461

}

462

buffer_capacity += BUFFER_SIZE;

642

463

}

643

464

644

sret = gnutls_record_recv(session, buffer+buffer_length,

645

BUFFER_SIZE);

646

if(sret == 0){

465

ret = gnutls_record_recv

466

(es.session, buffer+buffer_length, BUFFER_SIZE);

467

if (ret == 0){

647

468

break;

648

469

}

649

if(sret < 0){

650

switch(sret){

470

if (ret < 0){

471

switch(ret){

651

472

case GNUTLS_E_INTERRUPTED:

652

473

case GNUTLS_E_AGAIN:

653

474

break;

654

475

case GNUTLS_E_REHANDSHAKE:

655

do{

656

ret = gnutls_handshake(session);

657

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

658

if(ret < 0){

659

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

660

gnutls_perror(ret);

476

ret = gnutls_handshake (es.session);

477

if (ret < 0){

478

fprintf(stderr, "\n*** Handshake failed ***\n");

479

gnutls_perror (ret);

661

480

retval = -1;

662

goto mandos_end;

481

goto exit;

663

482

}

664

483

break;

665

484

default:

666

485

fprintf(stderr, "Unknown error while reading data from"

667

" encrypted session with Mandos server\n");

486

" encrypted session with mandos server\n");

668

487

retval = -1;

669

gnutls_bye(session, GNUTLS_SHUT_RDWR);

670

goto mandos_end;

488

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

489

goto exit;

671

490

}

672

491

} else {

673

buffer_length += (size_t) sret;

492

buffer_length += (size_t) ret;

674

493

}

675

494

}

676

495

677

if(debug){

678

fprintf(stderr, "Closing TLS session\n");

679

}

680

681

gnutls_bye(session, GNUTLS_SHUT_RDWR);

682

683

if(buffer_length > 0){

684

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

496

if (buffer_length > 0){

497

decrypted_buffer_size = pgp_packet_decrypt(buffer,

685

498

buffer_length,

686

&decrypted_buffer);

687

if(decrypted_buffer_size >= 0){

688

written = 0;

499

&decrypted_buffer,

500

keydir);

501

if (decrypted_buffer_size >= 0){

689

502

while(written < (size_t) decrypted_buffer_size){

690

ret = (int)fwrite(decrypted_buffer + written, 1,

691

(size_t)decrypted_buffer_size - written,

692

stdout);

503

ret = (int)fwrite (decrypted_buffer + written, 1,

504

(size_t)decrypted_buffer_size - written,

505

stdout);

693

506

if(ret == 0 and ferror(stdout)){

694

507

if(debug){

695

508

fprintf(stderr, "Error writing encrypted data: %s\n",

704

517

} else {

705

518

retval = -1;

706

519

}

707

} else {

708

retval = -1;

709

}

710

711

/* Shutdown procedure */

712

713

mandos_end:

520

}

521

522

//shutdown procedure

523

524

if(debug){

525

fprintf(stderr, "Closing TLS session\n");

526

}

527

714

528

free(buffer);

715

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

716

if(ret == -1){

717

perror("close");

718

}

719

gnutls_deinit(session);

529

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

530

exit:

531

close(tcp_sd);

532

gnutls_deinit (es.session);

533

gnutls_certificate_free_credentials (es.cred);

534

gnutls_global_deinit ();

720

535

return retval;

721

536

}

722

537

723

static void resolve_callback(AvahiSServiceResolver *r,

724

AvahiIfIndex interface,

725

AVAHI_GCC_UNUSED AvahiProtocol protocol,

726

AvahiResolverEvent event,

727

const char *name,

728

const char *type,

729

const char *domain,

730

const char *host_name,

731

const AvahiAddress *address,

732

uint16_t port,

733

AVAHI_GCC_UNUSED AvahiStringList *txt,

734

AVAHI_GCC_UNUSED AvahiLookupResultFlags

735

flags,

736

void* userdata) {

737

mandos_context *mc = userdata;

738

assert(r);

538

static AvahiSimplePoll *simple_poll = NULL;

539

static AvahiServer *server = NULL;

540

541

static void resolve_callback(

542

AvahiSServiceResolver *r,

543

AvahiIfIndex interface,

544

AVAHI_GCC_UNUSED AvahiProtocol protocol,

545

AvahiResolverEvent event,

546

const char *name,

547

const char *type,

548

const char *domain,

549

const char *host_name,

550

const AvahiAddress *address,

551

uint16_t port,

552

AVAHI_GCC_UNUSED AvahiStringList *txt,

553

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

554

AVAHI_GCC_UNUSED void* userdata) {

555

556

assert(r); /* Spurious warning */

739

557

740

558

/* Called whenever a service has been resolved successfully or

741

559

timed out */

742

560

743

switch(event) {

561

switch (event) {

744

562

default:

745

563

case AVAHI_RESOLVER_FAILURE:

746

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

747

" of type '%s' in domain '%s': %s\n", name, type, domain,

748

avahi_strerror(avahi_server_errno(mc->server)));

564

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

565

" type '%s' in domain '%s': %s\n", name, type, domain,

566

avahi_strerror(avahi_server_errno(server)));

749

567

break;

750

568

751

569

case AVAHI_RESOLVER_FOUND:

753

571

char ip[AVAHI_ADDRESS_STR_MAX];

754

572

avahi_address_snprint(ip, sizeof(ip), address);

755

573

if(debug){

756

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

757

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

758

ip, (intmax_t)interface, port);

574

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

575

" port %d\n", name, host_name, ip, port);

759

576

}

760

int ret = start_mandos_communication(ip, port, interface, mc);

761

if(ret == 0){

762

avahi_simple_poll_quit(mc->simple_poll);

577

int ret = start_mandos_communication(ip, port, interface);

578

if (ret == 0){

579

exit(EXIT_SUCCESS);

763

580

}

764

581

}

765

582

}

766

583

avahi_s_service_resolver_free(r);

767

584

}

768

585

769

static void browse_callback( AvahiSServiceBrowser *b,

770

AvahiIfIndex interface,

771

AvahiProtocol protocol,

772

AvahiBrowserEvent event,

773

const char *name,

774

const char *type,

775

const char *domain,

776

AVAHI_GCC_UNUSED AvahiLookupResultFlags

777

flags,

778

void* userdata) {

779

mandos_context *mc = userdata;

780

assert(b);

781

782

/* Called whenever a new services becomes available on the LAN or

783

is removed from the LAN */

784

785

switch(event) {

786

default:

787

case AVAHI_BROWSER_FAILURE:

788

789

fprintf(stderr, "(Avahi browser) %s\n",

790

avahi_strerror(avahi_server_errno(mc->server)));

791

avahi_simple_poll_quit(mc->simple_poll);

792

return;

793

794

case AVAHI_BROWSER_NEW:

795

/* We ignore the returned Avahi resolver object. In the callback

796

function we free it. If the Avahi server is terminated before

797

the callback function is called the Avahi server will free the

798

resolver for us. */

799

800

if(!(avahi_s_service_resolver_new(mc->server, interface,

801

protocol, name, type, domain,

802

AVAHI_PROTO_INET6, 0,

803

resolve_callback, mc)))

804

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

805

name, avahi_strerror(avahi_server_errno(mc->server)));

806

break;

807

808

case AVAHI_BROWSER_REMOVE:

809

break;

810

811

case AVAHI_BROWSER_ALL_FOR_NOW:

812

case AVAHI_BROWSER_CACHE_EXHAUSTED:

813

if(debug){

814

fprintf(stderr, "No Mandos server found, still searching...\n");

586

static void browse_callback(

587

AvahiSServiceBrowser *b,

588

AvahiIfIndex interface,

589

AvahiProtocol protocol,

590

AvahiBrowserEvent event,

591

const char *name,

592

const char *type,

593

const char *domain,

594

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

595

void* userdata) {

596

597

AvahiServer *s = userdata;

598

assert(b); /* Spurious warning */

599

600

/* Called whenever a new services becomes available on the LAN or

601

is removed from the LAN */

602

603

switch (event) {

604

default:

605

case AVAHI_BROWSER_FAILURE:

606

607

fprintf(stderr, "(Browser) %s\n",

608

avahi_strerror(avahi_server_errno(server)));

609

avahi_simple_poll_quit(simple_poll);

610

return;

611

612

case AVAHI_BROWSER_NEW:

613

/* We ignore the returned resolver object. In the callback

614

function we free it. If the server is terminated before

615

the callback function is called the server will free

616

the resolver for us. */

617

618

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

619

type, domain,

620

AVAHI_PROTO_INET6, 0,

621

resolve_callback, s)))

622

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

623

avahi_strerror(avahi_server_errno(s)));

624

break;

625

626

case AVAHI_BROWSER_REMOVE:

627

break;

628

629

case AVAHI_BROWSER_ALL_FOR_NOW:

630

case AVAHI_BROWSER_CACHE_EXHAUSTED:

631

break;

815

632

}

816

break;

817

}

818

}

819

820

int main(int argc, char *argv[]){

633

}

634

635

/* Combines file name and path and returns the malloced new

636

string. some sane checks could/should be added */

637

static const char *combinepath(const char *first, const char *second){

638

size_t f_len = strlen(first);

639

size_t s_len = strlen(second);

640

char *tmp = malloc(f_len + s_len + 2);

641

if (tmp == NULL){

642

return NULL;

643

}

644

if(f_len > 0){

645

memcpy(tmp, first, f_len);

646

}

647

tmp[f_len] = '/';

648

if(s_len > 0){

649

memcpy(tmp + f_len + 1, second, s_len);

650

}

651

tmp[f_len + 1 + s_len] = '\0';

652

return tmp;

653

}

654

655

656

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

657

AvahiServerConfig config;

821

658

AvahiSServiceBrowser *sb = NULL;

822

659

int error;

823

660

int ret;

824

intmax_t tmpmax;

825

int numchars;

826

int exitcode = EXIT_SUCCESS;

827

const char *interface = "eth0";

828

struct ifreq network;

829

int sd;

830

uid_t uid;

831

gid_t gid;

661

int debug_int = 0;

662

int returncode = EXIT_SUCCESS;

663

const char *interface = NULL;

664

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

832

665

char *connect_to = NULL;

833

char tempdir[] = "/tmp/mandosXXXXXX";

834

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

835

const char *seckey = PATHDIR "/" SECKEY;

836

const char *pubkey = PATHDIR "/" PUBKEY;

837

838

mandos_context mc = { .simple_poll = NULL, .server = NULL,

839

.dh_bits = 1024, .priority = "SECURE256"

840

":!CTYPE-X.509:+CTYPE-OPENPGP" };

841

bool gnutls_initalized = false;

842

bool gpgme_initalized = false;

843

844

{

845

struct argp_option options[] = {

846

{ .name = "debug", .key = 128,

847

.doc = "Debug mode", .group = 3 },

848

{ .name = "connect", .key = 'c',

849

.arg = "ADDRESS:PORT",

850

.doc = "Connect directly to a specific Mandos server",

851

.group = 1 },

852

{ .name = "interface", .key = 'i',

853

.arg = "NAME",

854

.doc = "Interface that will be used to search for Mandos"

855

" servers",

856

.group = 1 },

857

{ .name = "seckey", .key = 's',

858

.arg = "FILE",

859

.doc = "OpenPGP secret key file base name",

860

.group = 1 },

861

{ .name = "pubkey", .key = 'p',

862

.arg = "FILE",

863

.doc = "OpenPGP public key file base name",

864

.group = 2 },

865

{ .name = "dh-bits", .key = 129,

866

.arg = "BITS",

867

.doc = "Bit length of the prime number used in the"

868

" Diffie-Hellman key exchange",

869

.group = 2 },

870

{ .name = "priority", .key = 130,

871

.arg = "STRING",

872

.doc = "GnuTLS priority string for the TLS handshake",

873

.group = 1 },

874

{ .name = NULL }

875

};

876

877

error_t parse_opt(int key, char *arg,

878

struct argp_state *state) {

879

switch(key) {

880

case 128: /* --debug */

881

debug = true;

882

break;

883

case 'c': /* --connect */

884

connect_to = arg;

885

break;

886

case 'i': /* --interface */

887

interface = arg;

888

break;

889

case 's': /* --seckey */

890

seckey = arg;

891

break;

892

case 'p': /* --pubkey */

893

pubkey = arg;

894

break;

895

case 129: /* --dh-bits */

896

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

897

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

898

or arg[numchars] != '\0'){

899

fprintf(stderr, "Bad number of DH bits\n");

900

exit(EXIT_FAILURE);

901

}

902

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

903

break;

904

case 130: /* --priority */

905

mc.priority = arg;

906

break;

907

case ARGP_KEY_ARG:

908

argp_usage(state);

909

case ARGP_KEY_END:

910

break;

911

default:

912

return ARGP_ERR_UNKNOWN;

913

}

914

return 0;

915

}

916

917

struct argp argp = { .options = options, .parser = parse_opt,

918

.args_doc = "",

919

.doc = "Mandos client -- Get and decrypt"

920

" passwords from a Mandos server" };

921

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

922

if(ret == ARGP_ERR_UNKNOWN){

923

fprintf(stderr, "Unknown error while parsing arguments\n");

924

exitcode = EXIT_FAILURE;

925

goto end;

926

}

927

}

928

929

/* If the interface is down, bring it up */

930

{

931

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

932

if(sd < 0) {

933

perror("socket");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

strcpy(network.ifr_name, interface);

938

ret = ioctl(sd, SIOCGIFFLAGS, &network);

939

if(ret == -1){

940

perror("ioctl SIOCGIFFLAGS");

941

exitcode = EXIT_FAILURE;

942

goto end;

943

}

944

if((network.ifr_flags & IFF_UP) == 0){

945

network.ifr_flags |= IFF_UP;

946

ret = ioctl(sd, SIOCSIFFLAGS, &network);

947

if(ret == -1){

948

perror("ioctl SIOCSIFFLAGS");

949

exitcode = EXIT_FAILURE;

950

goto end;

951

}

952

}

953

ret = (int)TEMP_FAILURE_RETRY(close(sd));

954

if(ret == -1){

955

perror("close");

956

}

957

}

958

959

uid = getuid();

960

gid = getgid();

961

962

ret = setuid(uid);

963

if(ret == -1){

964

perror("setuid");

965

}

966

967

setgid(gid);

968

if(ret == -1){

969

perror("setgid");

970

}

971

972

ret = init_gnutls_global(&mc, pubkey, seckey);

973

if(ret == -1){

974

fprintf(stderr, "init_gnutls_global failed\n");

975

exitcode = EXIT_FAILURE;

976

goto end;

977

} else {

978

gnutls_initalized = true;

979

}

980

981

if(mkdtemp(tempdir) == NULL){

982

perror("mkdtemp");

983

tempdir[0] = '\0';

984

goto end;

985

}

986

987

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

988

fprintf(stderr, "gpgme_initalized failed\n");

989

exitcode = EXIT_FAILURE;

990

goto end;

991

} else {

992

gpgme_initalized = true;

993

}

994

995

if_index = (AvahiIfIndex) if_nametoindex(interface);

996

if(if_index == 0){

997

fprintf(stderr, "No such interface: \"%s\"\n", interface);

998

exit(EXIT_FAILURE);

666

667

debug_int = debug ? 1 : 0;

668

while (true){

669

static struct option long_options[] = {

670

{"debug", no_argument, &debug_int, 1},

671

{"connect", required_argument, NULL, 'C'},

672

{"interface", required_argument, NULL, 'i'},

673

{"keydir", required_argument, NULL, 'd'},

674

{"seckey", required_argument, NULL, 'c'},

675

{"pubkey", required_argument, NULL, 'k'},

676

{"dh-bits", required_argument, NULL, 'D'},

677

{0, 0, 0, 0} };

678

679

int option_index = 0;

680

ret = getopt_long (argc, argv, "i:", long_options,

681

&option_index);

682

683

if (ret == -1){

684

break;

685

}

686

687

switch(ret){

688

case 0:

689

break;

690

case 'i':

691

interface = optarg;

692

break;

693

case 'C':

694

connect_to = optarg;

695

break;

696

case 'd':

697

keydir = optarg;

698

break;

699

case 'c':

700

pubkeyfile = optarg;

701

break;

702

case 'k':

703

seckeyfile = optarg;

704

break;

705

case 'D':

706

dh_bits = atoi(optarg);

707

break;

708

case '?':

709

break

710

default:

711

exit(EXIT_FAILURE);

712

}

713

}

714

debug = debug_int ? true : false;

715

716

pubkeyfile = combinepath(keydir, pubkeyfile);

717

if (pubkeyfile == NULL){

718

perror("combinepath");

719

goto exit;

720

}

721

722

if(interface != NULL){

723

if_index = (AvahiIfIndex) if_nametoindex(interface);

724

if(if_index == 0){

725

fprintf(stderr, "No such interface: \"%s\"\n", interface);

726

exit(EXIT_FAILURE);

727

}

999

728

}

1000

729

1001

730

if(connect_to != NULL){

1004

733

char *address = strrchr(connect_to, ':');

1005

734

if(address == NULL){

1006

735

fprintf(stderr, "No colon in address\n");

1007

exitcode = EXIT_FAILURE;

1008

goto end;

1009

}

1010

uint16_t port;

1011

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1012

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1013

or address[numchars+1] != '\0'){

1014

fprintf(stderr, "Bad port number\n");

1015

exitcode = EXIT_FAILURE;

1016

goto end;

1017

}

1018

port = (uint16_t)tmpmax;

736

exit(EXIT_FAILURE);

737

}

738

errno = 0;

739

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

740

if(errno){

741

perror("Bad port number");

742

exit(EXIT_FAILURE);

743

}

1019

744

*address = '\0';

1020

745

address = connect_to;

1021

ret = start_mandos_communication(address, port, if_index, &mc);

746

ret = start_mandos_communication(address, port, if_index);

1022

747

if(ret < 0){

1023

exitcode = EXIT_FAILURE;

748

exit(EXIT_FAILURE);

1024

749

} else {

1025

exitcode = EXIT_SUCCESS;

750

exit(EXIT_SUCCESS);

1026

751

}

1027

goto end;

1028

}

1029

1030

if(not debug){

752

}

753

754

seckeyfile = combinepath(keydir, seckeyfile);

755

if (seckeyfile == NULL){

756

perror("combinepath");

757

goto exit;

758

}

759

760

if (not debug){

1031

761

avahi_set_log_function(empty_log);

1032

762

}

1033

763

1034

/* Initialize the pseudo-RNG for Avahi */

764

/* Initialize the psuedo-RNG */

1035

765

srand((unsigned int) time(NULL));

1036

1037

/* Allocate main Avahi loop object */

1038

mc.simple_poll = avahi_simple_poll_new();

1039

if(mc.simple_poll == NULL) {

1040

fprintf(stderr, "Avahi: Failed to create simple poll"

1041

" object.\n");

1042

exitcode = EXIT_FAILURE;

1043

goto end;

1044

}

1045

1046

{

1047

AvahiServerConfig config;

1048

/* Do not publish any local Zeroconf records */

1049

avahi_server_config_init(&config);

1050

config.publish_hinfo = 0;

1051

config.publish_addresses = 0;

1052

config.publish_workstation = 0;

1053

config.publish_domain = 0;

1054

1055

/* Allocate a new server */

1056

mc.server = avahi_server_new(avahi_simple_poll_get

1057

(mc.simple_poll), &config, NULL,

1058

NULL, &error);

1059

1060

/* Free the Avahi configuration data */

1061

avahi_server_config_free(&config);

1062

}

1063

1064

/* Check if creating the Avahi server object succeeded */

1065

if(mc.server == NULL) {

1066

fprintf(stderr, "Failed to create Avahi server: %s\n",

766

767

/* Allocate main loop object */

768

if (!(simple_poll = avahi_simple_poll_new())) {

769

fprintf(stderr, "Failed to create simple poll object.\n");

770

771

goto exit;

772

}

773

774

/* Do not publish any local records */

775

avahi_server_config_init(&config);

776

config.publish_hinfo = 0;

777

config.publish_addresses = 0;

778

config.publish_workstation = 0;

779

config.publish_domain = 0;

780

781

/* Allocate a new server */

782

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

783

&config, NULL, NULL, &error);

784

785

/* Free the configuration data */

786

avahi_server_config_free(&config);

787

788

/* Check if creating the server object succeeded */

789

if (!server) {

790

fprintf(stderr, "Failed to create server: %s\n",

1067

791

avahi_strerror(error));

1068

exitcode = EXIT_FAILURE;

1069

goto end;

792

returncode = EXIT_FAILURE;

793

goto exit;

1070

794

}

1071

795

1072

/* Create the Avahi service browser */

1073

sb = avahi_s_service_browser_new(mc.server, if_index,

796

/* Create the service browser */

797

sb = avahi_s_service_browser_new(server, if_index,

1074

798

AVAHI_PROTO_INET6,

1075

799

"_mandos._tcp", NULL, 0,

1076

browse_callback, &mc);

1077

if(sb == NULL) {

800

browse_callback, server);

801

if (!sb) {

1078

802

fprintf(stderr, "Failed to create service browser: %s\n",

1079

avahi_strerror(avahi_server_errno(mc.server)));

1080

exitcode = EXIT_FAILURE;

1081

goto end;

803

avahi_strerror(avahi_server_errno(server)));

804

returncode = EXIT_FAILURE;

805

goto exit;

1082

806

}

1083

807

1084

808

/* Run the main loop */

1085

1086

if(debug){

1087

fprintf(stderr, "Starting Avahi loop search\n");

809

810

if (debug){

811

fprintf(stderr, "Starting avahi loop search\n");

1088

812

}

1089

813

1090

avahi_simple_poll_loop(mc.simple_poll);

1091

1092

end:

1093

1094

if(debug){

814

avahi_simple_poll_loop(simple_poll);

815

816

exit:

817

818

if (debug){

1095

819

fprintf(stderr, "%s exiting\n", argv[0]);

1096

820

}

1097

821

1098

822

/* Cleanup things */

1099

if(sb != NULL)

823

if (sb)

1100

824

avahi_s_service_browser_free(sb);

1101

825

1102

if(mc.server != NULL)

1103

avahi_server_free(mc.server);

1104

1105

if(mc.simple_poll != NULL)

1106

avahi_simple_poll_free(mc.simple_poll);

1107

1108

if(gnutls_initalized){

1109

gnutls_certificate_free_credentials(mc.cred);

1110

gnutls_global_deinit();

1111

gnutls_dh_params_deinit(mc.dh_params);

1112

}

1113

1114

if(gpgme_initalized){

1115

gpgme_release(mc.ctx);

1116

}

1117

1118

/* Removes the temp directory used by GPGME */

1119

if(tempdir[0] != '\0'){

1120

DIR *d;

1121

struct dirent *direntry;

1122

d = opendir(tempdir);

1123

if(d == NULL){

1124

if(errno != ENOENT){

1125

perror("opendir");

1126

}

1127

} else {

1128

while(true){

1129

direntry = readdir(d);

1130

if(direntry == NULL){

1131

break;

1132

}

1133

if(direntry->d_type == DT_REG){

1134

char *fullname = NULL;

1135

ret = asprintf(&fullname, "%s/%s", tempdir,

1136

direntry->d_name);

1137

if(ret < 0){

1138

perror("asprintf");

1139

continue;

1140

}

1141

ret = unlink(fullname);

1142

if(ret == -1){

1143

fprintf(stderr, "unlink(\"%s\"): %s",

1144

fullname, strerror(errno));

1145

}

1146

free(fullname);

1147

}

1148

}

1149

closedir(d);

1150

}

1151

ret = rmdir(tempdir);

1152

if(ret == -1 and errno != ENOENT){

1153

perror("rmdir");

1154

}

1155

}

1156

1157

return exitcode;

826

if (server)

827

avahi_server_free(server);

828

829

if (simple_poll)

830

avahi_simple_poll_free(simple_poll);

831

free(pubkeyfile);

832

free(seckeyfile);

833

834

return returncode;

1158

835

}

Older »