To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 37
- compare with another revision
- download diff
- download tarball
- view history from revision 37
- Committer: Teddy Hogeborn
- Date: 2008-08-02 21:06:12 UTC
- Revision ID: teddy@fukt.bsnet.se-20080802210612-4c1waup4z0f66ya7
Non-tested commit for merge purposes.
* plugbasedclient.c (getplugin, addargument, set_cloexec): Made static.
* plugins.d/passprompt.c (termination_handler): Made static.
* plugbasedclient.c (getplugin, addargument, set_cloexec): Made static.
* plugins.d/passprompt.c (termination_handler): Made static.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
35
34
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, false, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
60
#include <assert.h> /* assert() */
61
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
63
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
SIOCSIFFLAGS, if_indextoname(),
65
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction */
80
81
#ifdef __linux__
82
#include <sys/klog.h> /* klogctl() */
83
#endif
84
85
/* Avahi */
86
/* All Avahi types, constants and functions
87
Avahi*, avahi_*,
88
AVAHI_* */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
89
41
#include <avahi-core/core.h>
90
42
#include <avahi-core/lookup.h>
91
43
#include <avahi-core/log.h>
93
45
#include <avahi-common/malloc.h>
94
46
#include <avahi-common/error.h>
95
47
96
/* GnuTLS */
97
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
98
functions:
99
gnutls_*
100
init_gnutls_session(),
101
GNUTLS_* */
102
#include <gnutls/openpgp.h>
103
/* gnutls_certificate_set_openpgp_key_file(),
104
GNUTLS_OPENPGP_FMT_BASE64 */
105
106
/* GPGME */
107
#include <gpgme.h> /* All GPGME types, constants and
108
functions:
109
gpgme_*
110
GPGME_PROTOCOL_OpenPGP,
111
GPG_ERR_NO_* */
48
//mandos client part
49
#include <sys/types.h> /* socket(), inet_pton() */
50
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
51
struct in6_addr, inet_pton() */
52
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
53
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
54
55
#include <unistd.h> /* close() */
56
#include <netinet/in.h>
57
#include <stdbool.h> /* true */
58
#include <string.h> /* memset */
59
#include <arpa/inet.h> /* inet_pton() */
60
#include <iso646.h> /* not */
61
62
// gpgme
63
#include <errno.h> /* perror() */
64
#include <gpgme.h>
65
66
// getopt_long
67
#include <getopt.h>
112
68
113
69
#define BUFFER_SIZE 256
114
70
115
#define PATHDIR "/conf/conf.d/mandos"
116
#define SECKEY "seckey.txt"
117
#define PUBKEY "pubkey.txt"
71
static int dh_bits = 1024;
72
73
static const char *keydir = "/conf/conf.d/mandos";
74
static const char *pubkeyfile = "pubkey.txt";
75
static const char *seckeyfile = "seckey.txt";
118
76
119
77
bool debug = false;
120
static const char mandos_protocol_version[] = "1";
121
const char *argp_program_version = "mandos-client " VERSION;
122
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
123
78
124
/* Used for passing in values through the Avahi callback functions */
79
/* Used for */
125
80
typedef struct {
126
AvahiSimplePoll *simple_poll;
127
AvahiServer *server;
81
gnutls_session_t session;
128
82
gnutls_certificate_credentials_t cred;
129
unsigned int dh_bits;
130
83
gnutls_dh_params_t dh_params;
131
const char *priority;
84
} encrypted_session;
85
86
87
static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet,
89
const char *homedir){
90
gpgme_data_t dh_crypto, dh_plain;
132
91
gpgme_ctx_t ctx;
133
} mandos_context;
134
135
/* global context so signal handler can reach it*/
136
mandos_context mc;
137
138
/*
139
* Make additional room in "buffer" for at least BUFFER_SIZE
140
* additional bytes. "buffer_capacity" is how much is currently
141
* allocated, "buffer_length" is how much is already used.
142
*/
143
size_t incbuffer(char **buffer, size_t buffer_length,
144
size_t buffer_capacity){
145
if(buffer_length + BUFFER_SIZE > buffer_capacity){
146
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
147
if(buffer == NULL){
148
return 0;
149
}
150
buffer_capacity += BUFFER_SIZE;
151
}
152
return buffer_capacity;
153
}
154
155
/*
156
* Initialize GPGME.
157
*/
158
static bool init_gpgme(const char *seckey,
159
const char *pubkey, const char *tempdir){
160
int ret;
161
92
gpgme_error_t rc;
93
ssize_t ret;
94
ssize_t new_packet_capacity = 0;
95
ssize_t new_packet_length = 0;
162
96
gpgme_engine_info_t engine_info;
163
164
165
/*
166
* Helper function to insert pub and seckey to the engine keyring.
167
*/
168
bool import_key(const char *filename){
169
int fd;
170
gpgme_data_t pgp_data;
171
172
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
173
if(fd == -1){
174
perror("open");
175
return false;
176
}
177
178
rc = gpgme_data_new_from_fd(&pgp_data, fd);
179
if(rc != GPG_ERR_NO_ERROR){
180
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
181
gpgme_strsource(rc), gpgme_strerror(rc));
182
return false;
183
}
184
185
rc = gpgme_op_import(mc.ctx, pgp_data);
186
if(rc != GPG_ERR_NO_ERROR){
187
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
188
gpgme_strsource(rc), gpgme_strerror(rc));
189
return false;
190
}
191
192
ret = (int)TEMP_FAILURE_RETRY(close(fd));
193
if(ret == -1){
194
perror("close");
195
}
196
gpgme_data_release(pgp_data);
197
return true;
198
}
199
200
if(debug){
201
fprintf(stderr, "Initializing GPGME\n");
97
98
if (debug){
99
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
202
100
}
203
101
204
102
/* Init GPGME */
205
103
gpgme_check_version(NULL);
206
104
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
207
if(rc != GPG_ERR_NO_ERROR){
105
if (rc != GPG_ERR_NO_ERROR){
208
106
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
209
107
gpgme_strsource(rc), gpgme_strerror(rc));
210
return false;
108
return -1;
211
109
}
212
110
213
/* Set GPGME home directory for the OpenPGP engine only */
214
rc = gpgme_get_engine_info(&engine_info);
215
if(rc != GPG_ERR_NO_ERROR){
111
/* Set GPGME home directory */
112
rc = gpgme_get_engine_info (&engine_info);
113
if (rc != GPG_ERR_NO_ERROR){
216
114
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
217
115
gpgme_strsource(rc), gpgme_strerror(rc));
218
return false;
116
return -1;
219
117
}
220
118
while(engine_info != NULL){
221
119
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
222
120
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
223
engine_info->file_name, tempdir);
121
engine_info->file_name, homedir);
224
122
break;
225
123
}
226
124
engine_info = engine_info->next;
227
125
}
228
126
if(engine_info == NULL){
229
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
230
return false;
231
}
232
233
/* Create new GPGME "context" */
234
rc = gpgme_new(&(mc.ctx));
235
if(rc != GPG_ERR_NO_ERROR){
236
fprintf(stderr, "bad gpgme_new: %s: %s\n",
237
gpgme_strsource(rc), gpgme_strerror(rc));
238
return false;
239
}
240
241
if(not import_key(pubkey) or not import_key(seckey)){
242
return false;
243
}
244
245
return true;
246
}
247
248
/*
249
* Decrypt OpenPGP data.
250
* Returns -1 on error
251
*/
252
static ssize_t pgp_packet_decrypt(const char *cryptotext,
253
size_t crypto_size,
254
char **plaintext){
255
gpgme_data_t dh_crypto, dh_plain;
256
gpgme_error_t rc;
257
ssize_t ret;
258
size_t plaintext_capacity = 0;
259
ssize_t plaintext_length = 0;
260
261
if(debug){
262
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
263
}
264
265
/* Create new GPGME data buffer from memory cryptotext */
266
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
267
0);
268
if(rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "Could not set home dir to %s\n", homedir);
128
return -1;
129
}
130
131
/* Create new GPGME data buffer from packet buffer */
132
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
133
if (rc != GPG_ERR_NO_ERROR){
269
134
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
270
135
gpgme_strsource(rc), gpgme_strerror(rc));
271
136
return -1;
273
138
274
139
/* Create new empty GPGME data buffer for the plaintext */
275
140
rc = gpgme_data_new(&dh_plain);
276
if(rc != GPG_ERR_NO_ERROR){
141
if (rc != GPG_ERR_NO_ERROR){
277
142
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
278
143
gpgme_strsource(rc), gpgme_strerror(rc));
279
gpgme_data_release(dh_crypto);
280
return -1;
281
}
282
283
/* Decrypt data from the cryptotext data buffer to the plaintext
284
data buffer */
285
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
286
if(rc != GPG_ERR_NO_ERROR){
144
return -1;
145
}
146
147
/* Create new GPGME "context" */
148
rc = gpgme_new(&ctx);
149
if (rc != GPG_ERR_NO_ERROR){
150
fprintf(stderr, "bad gpgme_new: %s: %s\n",
151
gpgme_strsource(rc), gpgme_strerror(rc));
152
return -1;
153
}
154
155
/* Decrypt data from the FILE pointer to the plaintext data
156
buffer */
157
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
158
if (rc != GPG_ERR_NO_ERROR){
287
159
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
288
160
gpgme_strsource(rc), gpgme_strerror(rc));
289
plaintext_length = -1;
290
if(debug){
291
gpgme_decrypt_result_t result;
292
result = gpgme_op_decrypt_result(mc.ctx);
293
if(result == NULL){
294
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
295
} else {
296
fprintf(stderr, "Unsupported algorithm: %s\n",
297
result->unsupported_algorithm);
298
fprintf(stderr, "Wrong key usage: %u\n",
299
result->wrong_key_usage);
300
if(result->file_name != NULL){
301
fprintf(stderr, "File name: %s\n", result->file_name);
302
}
303
gpgme_recipient_t recipient;
304
recipient = result->recipients;
305
if(recipient){
306
while(recipient != NULL){
307
fprintf(stderr, "Public key algorithm: %s\n",
308
gpgme_pubkey_algo_name(recipient->pubkey_algo));
309
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
310
fprintf(stderr, "Secret key available: %s\n",
311
recipient->status == GPG_ERR_NO_SECKEY
312
? "No" : "Yes");
313
recipient = recipient->next;
314
}
161
return -1;
162
}
163
164
if(debug){
165
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
166
}
167
168
if (debug){
169
gpgme_decrypt_result_t result;
170
result = gpgme_op_decrypt_result(ctx);
171
if (result == NULL){
172
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
173
} else {
174
fprintf(stderr, "Unsupported algorithm: %s\n",
175
result->unsupported_algorithm);
176
fprintf(stderr, "Wrong key usage: %d\n",
177
result->wrong_key_usage);
178
if(result->file_name != NULL){
179
fprintf(stderr, "File name: %s\n", result->file_name);
180
}
181
gpgme_recipient_t recipient;
182
recipient = result->recipients;
183
if(recipient){
184
while(recipient != NULL){
185
fprintf(stderr, "Public key algorithm: %s\n",
186
gpgme_pubkey_algo_name(recipient->pubkey_algo));
187
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
188
fprintf(stderr, "Secret key available: %s\n",
189
recipient->status == GPG_ERR_NO_SECKEY
190
? "No" : "Yes");
191
recipient = recipient->next;
315
192
}
316
193
}
317
194
}
318
goto decrypt_end;
319
195
}
320
196
321
if(debug){
322
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
323
}
197
/* Delete the GPGME FILE pointer cryptotext data buffer */
198
gpgme_data_release(dh_crypto);
324
199
325
200
/* Seek back to the beginning of the GPGME plaintext data buffer */
326
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
327
perror("gpgme_data_seek");
328
plaintext_length = -1;
329
goto decrypt_end;
201
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
202
perror("pgpme_data_seek");
330
203
}
331
204
332
*plaintext = NULL;
205
*new_packet = 0;
333
206
while(true){
334
plaintext_capacity = incbuffer(plaintext,
335
(size_t)plaintext_length,
336
plaintext_capacity);
337
if(plaintext_capacity == 0){
338
perror("incbuffer");
339
plaintext_length = -1;
340
goto decrypt_end;
207
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
208
*new_packet = realloc(*new_packet,
209
(unsigned int)new_packet_capacity
210
+ BUFFER_SIZE);
211
if (*new_packet == NULL){
212
perror("realloc");
213
return -1;
214
}
215
new_packet_capacity += BUFFER_SIZE;
341
216
}
342
217
343
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
218
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
344
219
BUFFER_SIZE);
345
220
/* Print the data, if any */
346
if(ret == 0){
347
/* EOF */
221
if (ret == 0){
348
222
break;
349
223
}
350
224
if(ret < 0){
351
225
perror("gpgme_data_read");
352
plaintext_length = -1;
353
goto decrypt_end;
354
}
355
plaintext_length += ret;
356
}
357
358
if(debug){
359
fprintf(stderr, "Decrypted password is: ");
360
for(ssize_t i = 0; i < plaintext_length; i++){
361
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
362
}
363
fprintf(stderr, "\n");
364
}
365
366
decrypt_end:
367
368
/* Delete the GPGME cryptotext data buffer */
369
gpgme_data_release(dh_crypto);
226
return -1;
227
}
228
new_packet_length += ret;
229
}
230
231
/* FIXME: check characters before printing to screen so to not print
232
terminal control characters */
233
/* if(debug){ */
234
/* fprintf(stderr, "decrypted password is: "); */
235
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
236
/* fprintf(stderr, "\n"); */
237
/* } */
370
238
371
239
/* Delete the GPGME plaintext data buffer */
372
240
gpgme_data_release(dh_plain);
373
return plaintext_length;
241
return new_packet_length;
374
242
}
375
243
376
static const char * safer_gnutls_strerror(int value){
377
const char *ret = gnutls_strerror(value); /* Spurious warning from
378
-Wunreachable-code */
379
if(ret == NULL)
244
static const char * safer_gnutls_strerror (int value) {
245
const char *ret = gnutls_strerror (value);
246
if (ret == NULL)
380
247
ret = "(unknown)";
381
248
return ret;
382
249
}
383
250
384
/* GnuTLS log function callback */
385
251
static void debuggnutls(__attribute__((unused)) int level,
386
252
const char* string){
387
fprintf(stderr, "GnuTLS: %s", string);
253
fprintf(stderr, "%s", string);
388
254
}
389
255
390
static int init_gnutls_global(const char *pubkeyfilename,
391
const char *seckeyfilename){
256
static int initgnutls(encrypted_session *es){
257
const char *err;
392
258
int ret;
393
259
394
260
if(debug){
395
261
fprintf(stderr, "Initializing GnuTLS\n");
396
262
}
397
398
ret = gnutls_global_init();
399
if(ret != GNUTLS_E_SUCCESS){
400
fprintf(stderr, "GnuTLS global_init: %s\n",
401
safer_gnutls_strerror(ret));
263
264
if ((ret = gnutls_global_init ())
265
!= GNUTLS_E_SUCCESS) {
266
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
402
267
return -1;
403
268
}
404
405
if(debug){
406
/* "Use a log level over 10 to enable all debugging options."
407
* - GnuTLS manual
408
*/
269
270
if (debug){
409
271
gnutls_global_set_log_level(11);
410
272
gnutls_global_set_log_function(debuggnutls);
411
273
}
412
274
413
/* OpenPGP credentials */
414
gnutls_certificate_allocate_credentials(&mc.cred);
415
if(ret != GNUTLS_E_SUCCESS){
416
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
417
from
418
-Wunreachable-code
419
*/
420
safer_gnutls_strerror(ret));
421
gnutls_global_deinit();
275
/* openpgp credentials */
276
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
277
!= GNUTLS_E_SUCCESS) {
278
fprintf (stderr, "memory error: %s\n",
279
safer_gnutls_strerror(ret));
422
280
return -1;
423
281
}
424
282
425
283
if(debug){
426
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
427
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
428
seckeyfilename);
284
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
285
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
286
seckeyfile);
429
287
}
430
288
431
289
ret = gnutls_certificate_set_openpgp_key_file
432
(mc.cred, pubkeyfilename, seckeyfilename,
433
GNUTLS_OPENPGP_FMT_BASE64);
434
if(ret != GNUTLS_E_SUCCESS){
435
fprintf(stderr,
436
"Error[%d] while reading the OpenPGP key pair ('%s',"
437
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
438
fprintf(stderr, "The GnuTLS error is: %s\n",
439
safer_gnutls_strerror(ret));
440
goto globalfail;
441
}
442
443
/* GnuTLS server initialization */
444
ret = gnutls_dh_params_init(&mc.dh_params);
445
if(ret != GNUTLS_E_SUCCESS){
446
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
447
" %s\n", safer_gnutls_strerror(ret));
448
goto globalfail;
449
}
450
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
451
if(ret != GNUTLS_E_SUCCESS){
452
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
453
safer_gnutls_strerror(ret));
454
goto globalfail;
455
}
456
457
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
458
459
return 0;
460
461
globalfail:
462
463
gnutls_certificate_free_credentials(mc.cred);
464
gnutls_global_deinit();
465
gnutls_dh_params_deinit(mc.dh_params);
466
return -1;
467
}
468
469
static int init_gnutls_session(gnutls_session_t *session){
470
int ret;
471
/* GnuTLS session creation */
472
ret = gnutls_init(session, GNUTLS_SERVER);
473
if(ret != GNUTLS_E_SUCCESS){
290
(es->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
291
if (ret != GNUTLS_E_SUCCESS) {
292
fprintf
293
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
294
" '%s')\n",
295
ret, pubkeyfile, seckeyfile);
296
fprintf(stdout, "The Error is: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
//GnuTLS server initialization
302
if ((ret = gnutls_dh_params_init (&es->dh_params))
303
!= GNUTLS_E_SUCCESS) {
304
fprintf (stderr, "Error in dh parameter initialization: %s\n",
305
safer_gnutls_strerror(ret));
306
return -1;
307
}
308
309
if ((ret = gnutls_dh_params_generate2 (es->dh_params, dh_bits))
310
!= GNUTLS_E_SUCCESS) {
311
fprintf (stderr, "Error in prime generation: %s\n",
312
safer_gnutls_strerror(ret));
313
return -1;
314
}
315
316
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
317
318
// GnuTLS session creation
319
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
320
!= GNUTLS_E_SUCCESS){
474
321
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
475
322
safer_gnutls_strerror(ret));
476
323
}
477
324
478
{
479
const char *err;
480
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
481
if(ret != GNUTLS_E_SUCCESS){
482
fprintf(stderr, "Syntax error at: %s\n", err);
483
fprintf(stderr, "GnuTLS error: %s\n",
484
safer_gnutls_strerror(ret));
485
gnutls_deinit(*session);
486
return -1;
487
}
325
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
326
!= GNUTLS_E_SUCCESS) {
327
fprintf(stderr, "Syntax error at: %s\n", err);
328
fprintf(stderr, "GnuTLS error: %s\n",
329
safer_gnutls_strerror(ret));
330
return -1;
488
331
}
489
332
490
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
491
mc.cred);
492
if(ret != GNUTLS_E_SUCCESS){
493
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
333
if ((ret = gnutls_credentials_set
334
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
335
!= GNUTLS_E_SUCCESS) {
336
fprintf(stderr, "Error setting a credentials set: %s\n",
494
337
safer_gnutls_strerror(ret));
495
gnutls_deinit(*session);
496
338
return -1;
497
339
}
498
340
499
341
/* ignore client certificate if any. */
500
gnutls_certificate_server_set_request(*session,
501
GNUTLS_CERT_IGNORE);
342
gnutls_certificate_server_set_request (es->session,
343
GNUTLS_CERT_IGNORE);
502
344
503
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
345
gnutls_dh_set_prime_bits (es->session, dh_bits);
504
346
505
347
return 0;
506
348
}
507
349
508
/* Avahi log function callback */
509
350
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
510
351
__attribute__((unused)) const char *txt){}
511
352
512
/* Called when a Mandos server is found */
513
353
static int start_mandos_communication(const char *ip, uint16_t port,
514
AvahiIfIndex if_index,
515
int af){
354
AvahiIfIndex if_index){
516
355
int ret, tcp_sd;
517
ssize_t sret;
518
union {
519
struct sockaddr_in in;
520
struct sockaddr_in6 in6;
521
} to;
356
struct sockaddr_in6 to;
357
encrypted_session es;
522
358
char *buffer = NULL;
523
359
char *decrypted_buffer;
524
360
size_t buffer_length = 0;
525
361
size_t buffer_capacity = 0;
526
362
ssize_t decrypted_buffer_size;
527
size_t written;
363
size_t written = 0;
528
364
int retval = 0;
529
gnutls_session_t session;
530
int pf; /* Protocol family */
531
532
switch(af){
533
case AF_INET6:
534
pf = PF_INET6;
535
break;
536
case AF_INET:
537
pf = PF_INET;
538
break;
539
default:
540
fprintf(stderr, "Bad address family: %d\n", af);
541
return -1;
542
}
543
544
ret = init_gnutls_session(&session);
545
if(ret != 0){
546
return -1;
547
}
365
char interface[IF_NAMESIZE];
548
366
549
367
if(debug){
550
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
551
"\n", ip, port);
368
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
369
ip, port);
552
370
}
553
371
554
tcp_sd = socket(pf, SOCK_STREAM, 0);
555
if(tcp_sd < 0){
372
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
373
if(tcp_sd < 0) {
556
374
perror("socket");
557
375
return -1;
558
376
}
559
377
560
memset(&to, 0, sizeof(to));
561
if(af == AF_INET6){
562
to.in6.sin6_family = (uint16_t)af;
563
ret = inet_pton(af, ip, &to.in6.sin6_addr);
564
} else { /* IPv4 */
565
to.in.sin_family = (sa_family_t)af;
566
ret = inet_pton(af, ip, &to.in.sin_addr);
567
}
568
if(ret < 0 ){
378
if(if_indextoname((unsigned int)if_index, interface) == NULL){
379
if(debug){
380
perror("if_indextoname");
381
}
382
return -1;
383
}
384
385
if(debug){
386
fprintf(stderr, "Binding to interface %s\n", interface);
387
}
388
389
memset(&to,0,sizeof(to)); /* Spurious warning */
390
to.sin6_family = AF_INET6;
391
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
392
if (ret < 0 ){
569
393
perror("inet_pton");
570
394
return -1;
571
}
395
}
572
396
if(ret == 0){
573
397
fprintf(stderr, "Bad address: %s\n", ip);
574
398
return -1;
575
399
}
576
if(af == AF_INET6){
577
to.in6.sin6_port = htons(port); /* Spurious warnings from
578
-Wconversion and
579
-Wunreachable-code */
580
581
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
582
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
583
-Wunreachable-code*/
584
if(if_index == AVAHI_IF_UNSPEC){
585
fprintf(stderr, "An IPv6 link-local address is incomplete"
586
" without a network interface\n");
587
return -1;
588
}
589
/* Set the network interface number as scope */
590
to.in6.sin6_scope_id = (uint32_t)if_index;
591
}
592
} else {
593
to.in.sin_port = htons(port); /* Spurious warnings from
594
-Wconversion and
595
-Wunreachable-code */
596
}
400
to.sin6_port = htons(port); /* Spurious warning */
401
402
to.sin6_scope_id = (uint32_t)if_index;
597
403
598
404
if(debug){
599
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
600
char interface[IF_NAMESIZE];
601
if(if_indextoname((unsigned int)if_index, interface) == NULL){
602
perror("if_indextoname");
603
} else {
604
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
605
ip, interface, port);
606
}
607
} else {
608
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
609
port);
610
}
611
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
612
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
613
const char *pcret;
614
if(af == AF_INET6){
615
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
616
sizeof(addrstr));
617
} else {
618
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
619
sizeof(addrstr));
620
}
621
if(pcret == NULL){
405
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
406
char addrstr[INET6_ADDRSTRLEN] = "";
407
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
408
sizeof(addrstr)) == NULL){
622
409
perror("inet_ntop");
623
410
} else {
624
411
if(strcmp(addrstr, ip) != 0){
625
fprintf(stderr, "Canonical address form: %s\n", addrstr);
412
fprintf(stderr, "Canonical address form: %s\n",
413
addrstr, ntohs(to.sin6_port));
626
414
}
627
415
}
628
416
}
629
417
630
if(af == AF_INET6){
631
ret = connect(tcp_sd, &to.in6, sizeof(to));
632
} else {
633
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
634
}
635
if(ret < 0){
418
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
419
if (ret < 0){
636
420
perror("connect");
637
421
return -1;
638
422
}
639
423
640
const char *out = mandos_protocol_version;
641
written = 0;
642
while(true){
643
size_t out_size = strlen(out);
644
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
645
out_size - written));
646
if(ret == -1){
647
perror("write");
648
retval = -1;
649
goto mandos_end;
650
}
651
written += (size_t)ret;
652
if(written < out_size){
653
continue;
654
} else {
655
if(out == mandos_protocol_version){
656
written = 0;
657
out = "\r\n";
658
} else {
659
break;
660
}
661
}
424
ret = initgnutls (&es);
425
if (ret != 0){
426
retval = -1;
427
return -1;
662
428
}
663
429
430
gnutls_transport_set_ptr (es.session,
431
(gnutls_transport_ptr_t) tcp_sd);
432
664
433
if(debug){
665
434
fprintf(stderr, "Establishing TLS session with %s\n", ip);
666
435
}
667
436
668
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
669
670
do{
671
ret = gnutls_handshake(session);
672
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
673
674
if(ret != GNUTLS_E_SUCCESS){
437
ret = gnutls_handshake (es.session);
438
439
if (ret != GNUTLS_E_SUCCESS){
675
440
if(debug){
676
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
677
gnutls_perror(ret);
441
fprintf(stderr, "\n*** Handshake failed ***\n");
442
gnutls_perror (ret);
678
443
}
679
444
retval = -1;
680
goto mandos_end;
445
goto exit;
681
446
}
682
447
683
/* Read OpenPGP packet that contains the wanted password */
448
//Retrieve OpenPGP packet that contains the wanted password
684
449
685
450
if(debug){
686
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
451
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
687
452
ip);
688
453
}
689
454
690
455
while(true){
691
buffer_capacity = incbuffer(&buffer, buffer_length,
692
buffer_capacity);
693
if(buffer_capacity == 0){
694
perror("incbuffer");
695
retval = -1;
696
goto mandos_end;
456
if (buffer_length + BUFFER_SIZE > buffer_capacity){
457
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
458
if (buffer == NULL){
459
perror("realloc");
460
goto exit;
461
}
462
buffer_capacity += BUFFER_SIZE;
697
463
}
698
464
699
sret = gnutls_record_recv(session, buffer+buffer_length,
700
BUFFER_SIZE);
701
if(sret == 0){
465
ret = gnutls_record_recv
466
(es.session, buffer+buffer_length, BUFFER_SIZE);
467
if (ret == 0){
702
468
break;
703
469
}
704
if(sret < 0){
705
switch(sret){
470
if (ret < 0){
471
switch(ret){
706
472
case GNUTLS_E_INTERRUPTED:
707
473
case GNUTLS_E_AGAIN:
708
474
break;
709
475
case GNUTLS_E_REHANDSHAKE:
710
do{
711
ret = gnutls_handshake(session);
712
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
713
if(ret < 0){
714
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
715
gnutls_perror(ret);
476
ret = gnutls_handshake (es.session);
477
if (ret < 0){
478
fprintf(stderr, "\n*** Handshake failed ***\n");
479
gnutls_perror (ret);
716
480
retval = -1;
717
goto mandos_end;
481
goto exit;
718
482
}
719
483
break;
720
484
default:
721
485
fprintf(stderr, "Unknown error while reading data from"
722
" encrypted session with Mandos server\n");
486
" encrypted session with mandos server\n");
723
487
retval = -1;
724
gnutls_bye(session, GNUTLS_SHUT_RDWR);
725
goto mandos_end;
488
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
489
goto exit;
726
490
}
727
491
} else {
728
buffer_length += (size_t) sret;
492
buffer_length += (size_t) ret;
729
493
}
730
494
}
731
495
732
if(debug){
733
fprintf(stderr, "Closing TLS session\n");
734
}
735
736
gnutls_bye(session, GNUTLS_SHUT_RDWR);
737
738
if(buffer_length > 0){
496
if (buffer_length > 0){
739
497
decrypted_buffer_size = pgp_packet_decrypt(buffer,
740
498
buffer_length,
741
&decrypted_buffer);
742
if(decrypted_buffer_size >= 0){
743
written = 0;
499
&decrypted_buffer,
500
keydir);
501
if (decrypted_buffer_size >= 0){
744
502
while(written < (size_t) decrypted_buffer_size){
745
ret = (int)fwrite(decrypted_buffer + written, 1,
746
(size_t)decrypted_buffer_size - written,
747
stdout);
503
ret = (int)fwrite (decrypted_buffer + written, 1,
504
(size_t)decrypted_buffer_size - written,
505
stdout);
748
506
if(ret == 0 and ferror(stdout)){
749
507
if(debug){
750
508
fprintf(stderr, "Error writing encrypted data: %s\n",
759
517
} else {
760
518
retval = -1;
761
519
}
762
} else {
763
retval = -1;
764
}
765
766
/* Shutdown procedure */
767
768
mandos_end:
520
}
521
522
//shutdown procedure
523
524
if(debug){
525
fprintf(stderr, "Closing TLS session\n");
526
}
527
769
528
free(buffer);
770
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
771
if(ret == -1){
772
perror("close");
773
}
774
gnutls_deinit(session);
529
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
530
exit:
531
close(tcp_sd);
532
gnutls_deinit (es.session);
533
gnutls_certificate_free_credentials (es.cred);
534
gnutls_global_deinit ();
775
535
return retval;
776
536
}
777
537
778
static void resolve_callback(AvahiSServiceResolver *r,
779
AvahiIfIndex interface,
780
AvahiProtocol proto,
781
AvahiResolverEvent event,
782
const char *name,
783
const char *type,
784
const char *domain,
785
const char *host_name,
786
const AvahiAddress *address,
787
uint16_t port,
788
AVAHI_GCC_UNUSED AvahiStringList *txt,
789
AVAHI_GCC_UNUSED AvahiLookupResultFlags
790
flags,
791
AVAHI_GCC_UNUSED void* userdata){
792
assert(r);
538
static AvahiSimplePoll *simple_poll = NULL;
539
static AvahiServer *server = NULL;
540
541
static void resolve_callback(
542
AvahiSServiceResolver *r,
543
AvahiIfIndex interface,
544
AVAHI_GCC_UNUSED AvahiProtocol protocol,
545
AvahiResolverEvent event,
546
const char *name,
547
const char *type,
548
const char *domain,
549
const char *host_name,
550
const AvahiAddress *address,
551
uint16_t port,
552
AVAHI_GCC_UNUSED AvahiStringList *txt,
553
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
554
AVAHI_GCC_UNUSED void* userdata) {
555
556
assert(r); /* Spurious warning */
793
557
794
558
/* Called whenever a service has been resolved successfully or
795
559
timed out */
796
560
797
switch(event){
561
switch (event) {
798
562
default:
799
563
case AVAHI_RESOLVER_FAILURE:
800
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
801
" of type '%s' in domain '%s': %s\n", name, type, domain,
802
avahi_strerror(avahi_server_errno(mc.server)));
564
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
565
" type '%s' in domain '%s': %s\n", name, type, domain,
566
avahi_strerror(avahi_server_errno(server)));
803
567
break;
804
568
805
569
case AVAHI_RESOLVER_FOUND:
807
571
char ip[AVAHI_ADDRESS_STR_MAX];
808
572
avahi_address_snprint(ip, sizeof(ip), address);
809
573
if(debug){
810
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
811
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
812
ip, (intmax_t)interface, port);
574
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
575
" port %d\n", name, host_name, ip, port);
813
576
}
814
int ret = start_mandos_communication(ip, port, interface,
815
avahi_proto_to_af(proto));
816
if(ret == 0){
817
avahi_simple_poll_quit(mc.simple_poll);
577
int ret = start_mandos_communication(ip, port, interface);
578
if (ret == 0){
579
exit(EXIT_SUCCESS);
818
580
}
819
581
}
820
582
}
821
583
avahi_s_service_resolver_free(r);
822
584
}
823
585
824
static void browse_callback(AvahiSServiceBrowser *b,
825
AvahiIfIndex interface,
826
AvahiProtocol protocol,
827
AvahiBrowserEvent event,
828
const char *name,
829
const char *type,
830
const char *domain,
831
AVAHI_GCC_UNUSED AvahiLookupResultFlags
832
flags,
833
AVAHI_GCC_UNUSED void* userdata){
834
assert(b);
835
836
/* Called whenever a new services becomes available on the LAN or
837
is removed from the LAN */
838
839
switch(event){
840
default:
841
case AVAHI_BROWSER_FAILURE:
842
843
fprintf(stderr, "(Avahi browser) %s\n",
844
avahi_strerror(avahi_server_errno(mc.server)));
845
avahi_simple_poll_quit(mc.simple_poll);
846
return;
847
848
case AVAHI_BROWSER_NEW:
849
/* We ignore the returned Avahi resolver object. In the callback
850
function we free it. If the Avahi server is terminated before
851
the callback function is called the Avahi server will free the
852
resolver for us. */
853
854
if(!(avahi_s_service_resolver_new(mc.server, interface,
855
protocol, name, type, domain,
856
AVAHI_PROTO_INET6, 0,
857
resolve_callback, NULL)))
858
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
859
name, avahi_strerror(avahi_server_errno(mc.server)));
860
break;
861
862
case AVAHI_BROWSER_REMOVE:
863
break;
864
865
case AVAHI_BROWSER_ALL_FOR_NOW:
866
case AVAHI_BROWSER_CACHE_EXHAUSTED:
867
if(debug){
868
fprintf(stderr, "No Mandos server found, still searching...\n");
869
}
870
break;
871
}
872
}
873
874
static void handle_sigterm(__attribute__((unused)) int sig){
875
int old_errno = errno;
876
avahi_simple_poll_quit(mc.simple_poll);
877
errno = old_errno;
878
}
879
880
int main(int argc, char *argv[]){
881
AvahiSServiceBrowser *sb = NULL;
882
int error;
883
int ret;
884
intmax_t tmpmax;
885
int numchars;
886
int exitcode = EXIT_SUCCESS;
887
const char *interface = "eth0";
888
struct ifreq network;
889
int sd;
890
uid_t uid;
891
gid_t gid;
892
char *connect_to = NULL;
893
char tempdir[] = "/tmp/mandosXXXXXX";
894
bool tempdir_created = false;
895
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
896
const char *seckey = PATHDIR "/" SECKEY;
897
const char *pubkey = PATHDIR "/" PUBKEY;
898
899
/* Initialize Mandos context */
900
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
901
.dh_bits = 1024, .priority = "SECURE256"
902
":!CTYPE-X.509:+CTYPE-OPENPGP" };
903
bool gnutls_initialized = false;
904
bool gpgme_initialized = false;
905
double delay = 2.5;
906
907
struct sigaction old_sigterm_action;
908
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
909
910
{
911
struct argp_option options[] = {
912
{ .name = "debug", .key = 128,
913
.doc = "Debug mode", .group = 3 },
914
{ .name = "connect", .key = 'c',
915
.arg = "ADDRESS:PORT",
916
.doc = "Connect directly to a specific Mandos server",
917
.group = 1 },
918
{ .name = "interface", .key = 'i',
919
.arg = "NAME",
920
.doc = "Network interface that will be used to search for"
921
" Mandos servers",
922
.group = 1 },
923
{ .name = "seckey", .key = 's',
924
.arg = "FILE",
925
.doc = "OpenPGP secret key file base name",
926
.group = 1 },
927
{ .name = "pubkey", .key = 'p',
928
.arg = "FILE",
929
.doc = "OpenPGP public key file base name",
930
.group = 2 },
931
{ .name = "dh-bits", .key = 129,
932
.arg = "BITS",
933
.doc = "Bit length of the prime number used in the"
934
" Diffie-Hellman key exchange",
935
.group = 2 },
936
{ .name = "priority", .key = 130,
937
.arg = "STRING",
938
.doc = "GnuTLS priority string for the TLS handshake",
939
.group = 1 },
940
{ .name = "delay", .key = 131,
941
.arg = "SECONDS",
942
.doc = "Maximum delay to wait for interface startup",
943
.group = 2 },
944
{ .name = NULL }
945
};
946
947
error_t parse_opt(int key, char *arg,
948
struct argp_state *state){
949
switch(key){
950
case 128: /* --debug */
951
debug = true;
952
break;
953
case 'c': /* --connect */
954
connect_to = arg;
955
break;
956
case 'i': /* --interface */
957
interface = arg;
958
break;
959
case 's': /* --seckey */
960
seckey = arg;
961
break;
962
case 'p': /* --pubkey */
963
pubkey = arg;
964
break;
965
case 129: /* --dh-bits */
966
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
967
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
968
or arg[numchars] != '\0'){
969
fprintf(stderr, "Bad number of DH bits\n");
970
exit(EXIT_FAILURE);
971
}
972
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
973
break;
974
case 130: /* --priority */
975
mc.priority = arg;
976
break;
977
case 131: /* --delay */
978
ret = sscanf(arg, "%lf%n", &delay, &numchars);
979
if(ret < 1 or arg[numchars] != '\0'){
980
fprintf(stderr, "Bad delay\n");
981
exit(EXIT_FAILURE);
982
}
983
break;
984
case ARGP_KEY_ARG:
985
argp_usage(state);
986
case ARGP_KEY_END:
987
break;
988
default:
989
return ARGP_ERR_UNKNOWN;
990
}
991
return 0;
992
}
993
994
struct argp argp = { .options = options, .parser = parse_opt,
995
.args_doc = "",
996
.doc = "Mandos client -- Get and decrypt"
997
" passwords from a Mandos server" };
998
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
999
if(ret == ARGP_ERR_UNKNOWN){
1000
fprintf(stderr, "Unknown error while parsing arguments\n");
1001
exitcode = EXIT_FAILURE;
1002
goto end;
1003
}
1004
}
1005
1006
/* If the interface is down, bring it up */
1007
if(interface[0] != '\0'){
1008
#ifdef __linux__
1009
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1010
messages to mess up the prompt */
1011
ret = klogctl(8, NULL, 5);
1012
bool restore_loglevel = true;
1013
if(ret == -1){
1014
restore_loglevel = false;
1015
perror("klogctl");
1016
}
1017
#endif
1018
1019
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1020
if(sd < 0){
1021
perror("socket");
1022
exitcode = EXIT_FAILURE;
1023
#ifdef __linux__
1024
if(restore_loglevel){
1025
ret = klogctl(7, NULL, 0);
1026
if(ret == -1){
1027
perror("klogctl");
1028
}
1029
}
1030
#endif
1031
goto end;
1032
}
1033
strcpy(network.ifr_name, interface);
1034
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1035
if(ret == -1){
1036
perror("ioctl SIOCGIFFLAGS");
1037
#ifdef __linux__
1038
if(restore_loglevel){
1039
ret = klogctl(7, NULL, 0);
1040
if(ret == -1){
1041
perror("klogctl");
1042
}
1043
}
1044
#endif
1045
exitcode = EXIT_FAILURE;
1046
goto end;
1047
}
1048
if((network.ifr_flags & IFF_UP) == 0){
1049
network.ifr_flags |= IFF_UP;
1050
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1051
if(ret == -1){
1052
perror("ioctl SIOCSIFFLAGS");
1053
exitcode = EXIT_FAILURE;
1054
#ifdef __linux__
1055
if(restore_loglevel){
1056
ret = klogctl(7, NULL, 0);
1057
if(ret == -1){
1058
perror("klogctl");
1059
}
1060
}
1061
#endif
1062
goto end;
1063
}
1064
}
1065
/* sleep checking until interface is running */
1066
for(int i=0; i < delay * 4; i++){
1067
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1068
if(ret == -1){
1069
perror("ioctl SIOCGIFFLAGS");
1070
} else if(network.ifr_flags & IFF_RUNNING){
1071
break;
1072
}
1073
struct timespec sleeptime = { .tv_nsec = 250000000 };
1074
ret = nanosleep(&sleeptime, NULL);
1075
if(ret == -1 and errno != EINTR){
1076
perror("nanosleep");
1077
}
1078
}
1079
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1080
if(ret == -1){
1081
perror("close");
1082
}
1083
#ifdef __linux__
1084
if(restore_loglevel){
1085
/* Restores kernel loglevel to default */
1086
ret = klogctl(7, NULL, 0);
1087
if(ret == -1){
1088
perror("klogctl");
1089
}
1090
}
1091
#endif
1092
}
1093
1094
uid = getuid();
1095
gid = getgid();
1096
1097
errno = 0;
1098
setgid(gid);
1099
if(ret == -1){
1100
perror("setgid");
1101
}
1102
1103
ret = setuid(uid);
1104
if(ret == -1){
1105
perror("setuid");
1106
}
1107
1108
ret = init_gnutls_global(pubkey, seckey);
1109
if(ret == -1){
1110
fprintf(stderr, "init_gnutls_global failed\n");
1111
exitcode = EXIT_FAILURE;
1112
goto end;
1113
} else {
1114
gnutls_initialized = true;
1115
}
1116
1117
if(mkdtemp(tempdir) == NULL){
1118
perror("mkdtemp");
1119
goto end;
1120
}
1121
tempdir_created = true;
1122
1123
if(not init_gpgme(pubkey, seckey, tempdir)){
1124
fprintf(stderr, "init_gpgme failed\n");
1125
exitcode = EXIT_FAILURE;
1126
goto end;
1127
} else {
1128
gpgme_initialized = true;
1129
}
1130
1131
if(interface[0] != '\0'){
1132
if_index = (AvahiIfIndex) if_nametoindex(interface);
1133
if(if_index == 0){
1134
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1135
exitcode = EXIT_FAILURE;
1136
goto end;
1137
}
1138
}
1139
1140
if(connect_to != NULL){
1141
/* Connect directly, do not use Zeroconf */
1142
/* (Mainly meant for debugging) */
1143
char *address = strrchr(connect_to, ':');
1144
if(address == NULL){
1145
fprintf(stderr, "No colon in address\n");
1146
exitcode = EXIT_FAILURE;
1147
goto end;
1148
}
1149
uint16_t port;
1150
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1151
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1152
or address[numchars+1] != '\0'){
1153
fprintf(stderr, "Bad port number\n");
1154
exitcode = EXIT_FAILURE;
1155
goto end;
1156
}
1157
port = (uint16_t)tmpmax;
1158
*address = '\0';
1159
address = connect_to;
1160
/* Colon in address indicates IPv6 */
1161
int af;
1162
if(strchr(address, ':') != NULL){
1163
af = AF_INET6;
1164
} else {
1165
af = AF_INET;
1166
}
1167
ret = start_mandos_communication(address, port, if_index, af);
1168
if(ret < 0){
1169
exitcode = EXIT_FAILURE;
1170
} else {
1171
exitcode = EXIT_SUCCESS;
1172
}
1173
goto end;
1174
}
1175
1176
if(not debug){
1177
avahi_set_log_function(empty_log);
1178
}
1179
1180
/* Initialize the pseudo-RNG for Avahi */
1181
srand((unsigned int) time(NULL));
1182
1183
/* Allocate main Avahi loop object */
1184
mc.simple_poll = avahi_simple_poll_new();
1185
if(mc.simple_poll == NULL){
1186
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1187
exitcode = EXIT_FAILURE;
1188
goto end;
1189
}
1190
1191
{
586
static void browse_callback(
587
AvahiSServiceBrowser *b,
588
AvahiIfIndex interface,
589
AvahiProtocol protocol,
590
AvahiBrowserEvent event,
591
const char *name,
592
const char *type,
593
const char *domain,
594
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
595
void* userdata) {
596
597
AvahiServer *s = userdata;
598
assert(b); /* Spurious warning */
599
600
/* Called whenever a new services becomes available on the LAN or
601
is removed from the LAN */
602
603
switch (event) {
604
default:
605
case AVAHI_BROWSER_FAILURE:
606
607
fprintf(stderr, "(Browser) %s\n",
608
avahi_strerror(avahi_server_errno(server)));
609
avahi_simple_poll_quit(simple_poll);
610
return;
611
612
case AVAHI_BROWSER_NEW:
613
/* We ignore the returned resolver object. In the callback
614
function we free it. If the server is terminated before
615
the callback function is called the server will free
616
the resolver for us. */
617
618
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
619
type, domain,
620
AVAHI_PROTO_INET6, 0,
621
resolve_callback, s)))
622
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
623
avahi_strerror(avahi_server_errno(s)));
624
break;
625
626
case AVAHI_BROWSER_REMOVE:
627
break;
628
629
case AVAHI_BROWSER_ALL_FOR_NOW:
630
case AVAHI_BROWSER_CACHE_EXHAUSTED:
631
break;
632
}
633
}
634
635
/* Combines file name and path and returns the malloced new
636
string. some sane checks could/should be added */
637
static const char *combinepath(const char *first, const char *second){
638
size_t f_len = strlen(first);
639
size_t s_len = strlen(second);
640
char *tmp = malloc(f_len + s_len + 2);
641
if (tmp == NULL){
642
return NULL;
643
}
644
if(f_len > 0){
645
memcpy(tmp, first, f_len);
646
}
647
tmp[f_len] = '/';
648
if(s_len > 0){
649
memcpy(tmp + f_len + 1, second, s_len);
650
}
651
tmp[f_len + 1 + s_len] = '\0';
652
return tmp;
653
}
654
655
656
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1192
657
AvahiServerConfig config;
1193
/* Do not publish any local Zeroconf records */
658
AvahiSServiceBrowser *sb = NULL;
659
int error;
660
int ret;
661
int debug_int = 0;
662
int returncode = EXIT_SUCCESS;
663
const char *interface = NULL;
664
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
665
char *connect_to = NULL;
666
667
debug_int = debug ? 1 : 0;
668
while (true){
669
static struct option long_options[] = {
670
{"debug", no_argument, &debug_int, 1},
671
{"connect", required_argument, NULL, 'C'},
672
{"interface", required_argument, NULL, 'i'},
673
{"keydir", required_argument, NULL, 'd'},
674
{"seckey", required_argument, NULL, 'c'},
675
{"pubkey", required_argument, NULL, 'k'},
676
{"dh-bits", required_argument, NULL, 'D'},
677
{0, 0, 0, 0} };
678
679
int option_index = 0;
680
ret = getopt_long (argc, argv, "i:", long_options,
681
&option_index);
682
683
if (ret == -1){
684
break;
685
}
686
687
switch(ret){
688
case 0:
689
break;
690
case 'i':
691
interface = optarg;
692
break;
693
case 'C':
694
connect_to = optarg;
695
break;
696
case 'd':
697
keydir = optarg;
698
break;
699
case 'c':
700
pubkeyfile = optarg;
701
break;
702
case 'k':
703
seckeyfile = optarg;
704
break;
705
case 'D':
706
dh_bits = atoi(optarg);
707
break;
708
case '?':
709
break
710
default:
711
exit(EXIT_FAILURE);
712
}
713
}
714
debug = debug_int ? true : false;
715
716
pubkeyfile = combinepath(keydir, pubkeyfile);
717
if (pubkeyfile == NULL){
718
perror("combinepath");
719
goto exit;
720
}
721
722
if(interface != NULL){
723
if_index = (AvahiIfIndex) if_nametoindex(interface);
724
if(if_index == 0){
725
fprintf(stderr, "No such interface: \"%s\"\n", interface);
726
exit(EXIT_FAILURE);
727
}
728
}
729
730
if(connect_to != NULL){
731
/* Connect directly, do not use Zeroconf */
732
/* (Mainly meant for debugging) */
733
char *address = strrchr(connect_to, ':');
734
if(address == NULL){
735
fprintf(stderr, "No colon in address\n");
736
exit(EXIT_FAILURE);
737
}
738
errno = 0;
739
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
740
if(errno){
741
perror("Bad port number");
742
exit(EXIT_FAILURE);
743
}
744
*address = '\0';
745
address = connect_to;
746
ret = start_mandos_communication(address, port, if_index);
747
if(ret < 0){
748
exit(EXIT_FAILURE);
749
} else {
750
exit(EXIT_SUCCESS);
751
}
752
}
753
754
seckeyfile = combinepath(keydir, seckeyfile);
755
if (seckeyfile == NULL){
756
perror("combinepath");
757
goto exit;
758
}
759
760
if (not debug){
761
avahi_set_log_function(empty_log);
762
}
763
764
/* Initialize the psuedo-RNG */
765
srand((unsigned int) time(NULL));
766
767
/* Allocate main loop object */
768
if (!(simple_poll = avahi_simple_poll_new())) {
769
fprintf(stderr, "Failed to create simple poll object.\n");
770
771
goto exit;
772
}
773
774
/* Do not publish any local records */
1194
775
avahi_server_config_init(&config);
1195
776
config.publish_hinfo = 0;
1196
777
config.publish_addresses = 0;
1197
778
config.publish_workstation = 0;
1198
779
config.publish_domain = 0;
1199
780
1200
781
/* Allocate a new server */
1201
mc.server = avahi_server_new(avahi_simple_poll_get
1202
(mc.simple_poll), &config, NULL,
1203
NULL, &error);
1204
1205
/* Free the Avahi configuration data */
782
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
783
&config, NULL, NULL, &error);
784
785
/* Free the configuration data */
1206
786
avahi_server_config_free(&config);
1207
}
1208
1209
/* Check if creating the Avahi server object succeeded */
1210
if(mc.server == NULL){
1211
fprintf(stderr, "Failed to create Avahi server: %s\n",
1212
avahi_strerror(error));
1213
exitcode = EXIT_FAILURE;
1214
goto end;
1215
}
1216
1217
/* Create the Avahi service browser */
1218
sb = avahi_s_service_browser_new(mc.server, if_index,
1219
AVAHI_PROTO_INET6, "_mandos._tcp",
1220
NULL, 0, browse_callback, NULL);
1221
if(sb == NULL){
1222
fprintf(stderr, "Failed to create service browser: %s\n",
1223
avahi_strerror(avahi_server_errno(mc.server)));
1224
exitcode = EXIT_FAILURE;
1225
goto end;
1226
}
1227
1228
sigemptyset(&sigterm_action.sa_mask);
1229
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1230
if(ret == -1){
1231
perror("sigaddset");
1232
exitcode = EXIT_FAILURE;
1233
goto end;
1234
}
1235
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1236
if(ret == -1){
1237
perror("sigaction");
1238
exitcode = EXIT_FAILURE;
1239
goto end;
1240
}
1241
1242
/* Run the main loop */
1243
1244
if(debug){
1245
fprintf(stderr, "Starting Avahi loop search\n");
1246
}
1247
1248
avahi_simple_poll_loop(mc.simple_poll);
1249
1250
end:
1251
1252
if(debug){
1253
fprintf(stderr, "%s exiting\n", argv[0]);
1254
}
1255
1256
/* Cleanup things */
1257
if(sb != NULL)
1258
avahi_s_service_browser_free(sb);
1259
1260
if(mc.server != NULL)
1261
avahi_server_free(mc.server);
1262
1263
if(mc.simple_poll != NULL)
1264
avahi_simple_poll_free(mc.simple_poll);
1265
1266
if(gnutls_initialized){
1267
gnutls_certificate_free_credentials(mc.cred);
1268
gnutls_global_deinit();
1269
gnutls_dh_params_deinit(mc.dh_params);
1270
}
1271
1272
if(gpgme_initialized){
1273
gpgme_release(mc.ctx);
1274
}
1275
1276
/* Removes the temp directory used by GPGME */
1277
if(tempdir_created){
1278
DIR *d;
1279
struct dirent *direntry;
1280
d = opendir(tempdir);
1281
if(d == NULL){
1282
if(errno != ENOENT){
1283
perror("opendir");
1284
}
1285
} else {
1286
while(true){
1287
direntry = readdir(d);
1288
if(direntry == NULL){
1289
break;
1290
}
1291
/* Skip "." and ".." */
1292
if(direntry->d_name[0] == '.'
1293
and (direntry->d_name[1] == '\0'
1294
or (direntry->d_name[1] == '.'
1295
and direntry->d_name[2] == '\0'))){
1296
continue;
1297
}
1298
char *fullname = NULL;
1299
ret = asprintf(&fullname, "%s/%s", tempdir,
1300
direntry->d_name);
1301
if(ret < 0){
1302
perror("asprintf");
1303
continue;
1304
}
1305
ret = remove(fullname);
1306
if(ret == -1){
1307
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1308
strerror(errno));
1309
}
1310
free(fullname);
1311
}
1312
closedir(d);
1313
}
1314
ret = rmdir(tempdir);
1315
if(ret == -1 and errno != ENOENT){
1316
perror("rmdir");
1317
}
1318
}
1319
1320
return exitcode;
787
788
/* Check if creating the server object succeeded */
789
if (!server) {
790
fprintf(stderr, "Failed to create server: %s\n",
791
avahi_strerror(error));
792
returncode = EXIT_FAILURE;
793
goto exit;
794
}
795
796
/* Create the service browser */
797
sb = avahi_s_service_browser_new(server, if_index,
798
AVAHI_PROTO_INET6,
799
"_mandos._tcp", NULL, 0,
800
browse_callback, server);
801
if (!sb) {
802
fprintf(stderr, "Failed to create service browser: %s\n",
803
avahi_strerror(avahi_server_errno(server)));
804
returncode = EXIT_FAILURE;
805
goto exit;
806
}
807
808
/* Run the main loop */
809
810
if (debug){
811
fprintf(stderr, "Starting avahi loop search\n");
812
}
813
814
avahi_simple_poll_loop(simple_poll);
815
816
exit:
817
818
if (debug){
819
fprintf(stderr, "%s exiting\n", argv[0]);
820
}
821
822
/* Cleanup things */
823
if (sb)
824
avahi_s_service_browser_free(sb);
825
826
if (server)
827
avahi_server_free(server);
828
829
if (simple_poll)
830
avahi_simple_poll_free(simple_poll);
831
free(pubkeyfile);
832
free(seckeyfile);
833
834
return returncode;
1321
835
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0