/mandos/release : revision 38

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-08-03 01:09:36 UTC
mfrom: (24.1.9 mandos)
Revision ID: teddy@fukt.bsnet.se-20080803010936-ujme8tgxceszfbi1

* plugbasedclient.c (main): New "--userid" and "--groupid" options.
                            Take an additional non-option argument and
                            parse it as a plus-separated and -prefixed
                            list of additional options.

* plugins.d/mandosclient.c (DH_BITS): Replaced with
                                      "mandos_context.dh_bits".  All
                                      users changed.
  (certdir): Renamed to "keydir".  All users changed.
  (certfile): Renamed to "pubkeyfile".  All users changed.
  (certkey): Renamed to "seckeyfile".  All users changed.
  (encrypted_session): Replaced with "mandos_context".  All users
                       changed.
  (initgnutls): Take additional "session" and "dh_params" arguments.
                All callers changed.
  (start_mandos_communication): Take additional "mc" argument.  All
                                callers changed.  Print target IPv6
                                address if different than supplied
                                string.
  (simple_poll) Replaced with "mandos_context.simple_poll".  All users
                changed.
  (server): Replaced with "mandos_context.server".  All users changed.
  (main): Default interface to "eth0".  Rename "--certdir" to
          "--keydir", "--certkey" to "--seckey", and "--certfile" to
          "--pubkey".  New options "--dh-bits" and "--priority".  If
          the interface is not up, bring it up.

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

/* -*- coding: utf-8 -*- */

* Mandos-client - get and decrypt data from a Mandos server

* Mandos client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), sscanf(),

remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(),

DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and, or */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h>

/* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

100

/* GPGME */

101

#include <gpgme.h> /* All GPGME types, constants and

102

functions:

103

gpgme_*

104

GPGME_PROTOCOL_OpenPGP,

105

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt_long

#include <getopt.h>

106

107

#define BUFFER_SIZE 256

108

109

#define PATHDIR "/conf/conf.d/mandos"

110

#define SECKEY "seckey.txt"

111

#define PUBKEY "pubkey.txt"

static const char *keydir = "/conf/conf.d/mandos";

static const char *pubkeyfile = "pubkey.txt";

static const char *seckeyfile = "seckey.txt";

112

113

bool debug = false;

114

static const char mandos_protocol_version[] = "1";

115

const char *argp_program_version = "mandos-client " VERSION;

116

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

117

118

/* Used for passing in values through the Avahi callback functions */

/* Used for passing in values through all the callback functions */

119

typedef struct {

120

AvahiSimplePoll *simple_poll;

121

AvahiServer *server;

122

gnutls_certificate_credentials_t cred;

123

unsigned int dh_bits;

124

gnutls_dh_params_t dh_params;

125

const char *priority;

} mandos_context;

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet,

const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

126

gpgme_ctx_t ctx;

127

} mandos_context;

128

129

130

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

131

* "buffer_capacity" is how much is currently allocated,

132

* "buffer_length" is how much is already used.

133

134

size_t adjustbuffer(char **buffer, size_t buffer_length,

135

size_t buffer_capacity){

136

if(buffer_length + BUFFER_SIZE > buffer_capacity){

137

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

138

if(buffer == NULL){

139

return 0;

140

}

141

buffer_capacity += BUFFER_SIZE;

142

}

143

return buffer_capacity;

144

}

145

146

147

* Initialize GPGME.

148

149

static bool init_gpgme(mandos_context *mc, const char *seckey,

150

const char *pubkey, const char *tempdir){

151

int ret;

152

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

153

gpgme_engine_info_t engine_info;

154

155

156

157

* Helper function to insert pub and seckey to the engine keyring.

158

159

bool import_key(const char *filename){

160

int fd;

161

gpgme_data_t pgp_data;

162

163

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

164

if(fd == -1){

165

perror("open");

166

return false;

167

}

168

169

rc = gpgme_data_new_from_fd(&pgp_data, fd);

170

if(rc != GPG_ERR_NO_ERROR){

171

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

172

gpgme_strsource(rc), gpgme_strerror(rc));

173

return false;

174

}

175

176

rc = gpgme_op_import(mc->ctx, pgp_data);

177

if(rc != GPG_ERR_NO_ERROR){

178

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

179

gpgme_strsource(rc), gpgme_strerror(rc));

180

return false;

181

}

182

183

ret = (int)TEMP_FAILURE_RETRY(close(fd));

184

if(ret == -1){

185

perror("close");

186

}

187

gpgme_data_release(pgp_data);

188

return true;

189

}

190

191

if(debug){

192

fprintf(stderr, "Initialize gpgme\n");

if (debug){

100

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

193

101

}

194

102

195

103

/* Init GPGME */

196

104

gpgme_check_version(NULL);

197

105

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

198

if(rc != GPG_ERR_NO_ERROR){

106

if (rc != GPG_ERR_NO_ERROR){

199

107

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

200

108

gpgme_strsource(rc), gpgme_strerror(rc));

201

return false;

109

return -1;

202

110

}

203

111

204

/* Set GPGME home directory for the OpenPGP engine only */

205

rc = gpgme_get_engine_info(&engine_info);

206

if(rc != GPG_ERR_NO_ERROR){

112

/* Set GPGME home directory */

113

rc = gpgme_get_engine_info (&engine_info);

114

if (rc != GPG_ERR_NO_ERROR){

207

115

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

208

116

gpgme_strsource(rc), gpgme_strerror(rc));

209

return false;

117

return -1;

210

118

}

211

119

while(engine_info != NULL){

212

120

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

213

121

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

214

engine_info->file_name, tempdir);

122

engine_info->file_name, homedir);

215

123

break;

216

124

}

217

125

engine_info = engine_info->next;

218

126

}

219

127

if(engine_info == NULL){

220

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

221

return false;

222

}

223

224

/* Create new GPGME "context" */

225

rc = gpgme_new(&(mc->ctx));

226

if(rc != GPG_ERR_NO_ERROR){

227

fprintf(stderr, "bad gpgme_new: %s: %s\n",

228

gpgme_strsource(rc), gpgme_strerror(rc));

229

return false;

230

}

231

232

if(not import_key(pubkey) or not import_key(seckey)){

233

return false;

234

}

235

236

return true;

237

}

238

239

240

* Decrypt OpenPGP data.

241

* Returns -1 on error

242

243

static ssize_t pgp_packet_decrypt(const mandos_context *mc,

244

const char *cryptotext,

245

size_t crypto_size,

246

char **plaintext){

247

gpgme_data_t dh_crypto, dh_plain;

248

gpgme_error_t rc;

249

ssize_t ret;

250

size_t plaintext_capacity = 0;

251

ssize_t plaintext_length = 0;

252

253

if(debug){

254

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

255

}

256

257

/* Create new GPGME data buffer from memory cryptotext */

258

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

259

0);

260

if(rc != GPG_ERR_NO_ERROR){

128

fprintf(stderr, "Could not set home dir to %s\n", homedir);

129

return -1;

130

}

131

132

/* Create new GPGME data buffer from packet buffer */

133

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

134

if (rc != GPG_ERR_NO_ERROR){

261

135

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

262

136

gpgme_strsource(rc), gpgme_strerror(rc));

263

137

return -1;

265

139

266

140

/* Create new empty GPGME data buffer for the plaintext */

267

141

rc = gpgme_data_new(&dh_plain);

268

if(rc != GPG_ERR_NO_ERROR){

142

if (rc != GPG_ERR_NO_ERROR){

269

143

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

270

144

gpgme_strsource(rc), gpgme_strerror(rc));

271

gpgme_data_release(dh_crypto);

272

return -1;

273

}

274

275

/* Decrypt data from the cryptotext data buffer to the plaintext

276

data buffer */

277

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

278

if(rc != GPG_ERR_NO_ERROR){

145

return -1;

146

}

147

148

/* Create new GPGME "context" */

149

rc = gpgme_new(&ctx);

150

if (rc != GPG_ERR_NO_ERROR){

151

fprintf(stderr, "bad gpgme_new: %s: %s\n",

152

gpgme_strsource(rc), gpgme_strerror(rc));

153

return -1;

154

}

155

156

/* Decrypt data from the FILE pointer to the plaintext data

157

buffer */

158

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

159

if (rc != GPG_ERR_NO_ERROR){

279

160

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

280

161

gpgme_strsource(rc), gpgme_strerror(rc));

281

plaintext_length = -1;

282

if(debug){

283

gpgme_decrypt_result_t result;

284

result = gpgme_op_decrypt_result(mc->ctx);

285

if(result == NULL){

286

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

287

} else {

288

fprintf(stderr, "Unsupported algorithm: %s\n",

289

result->unsupported_algorithm);

290

fprintf(stderr, "Wrong key usage: %u\n",

291

result->wrong_key_usage);

292

if(result->file_name != NULL){

293

fprintf(stderr, "File name: %s\n", result->file_name);

294

}

295

gpgme_recipient_t recipient;

296

recipient = result->recipients;

297

if(recipient){

298

while(recipient != NULL){

299

fprintf(stderr, "Public key algorithm: %s\n",

300

gpgme_pubkey_algo_name(recipient->pubkey_algo));

301

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

302

fprintf(stderr, "Secret key available: %s\n",

303

recipient->status == GPG_ERR_NO_SECKEY

304

? "No" : "Yes");

305

recipient = recipient->next;

306

}

162

return -1;

163

}

164

165

if(debug){

166

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

167

}

168

169

if (debug){

170

gpgme_decrypt_result_t result;

171

result = gpgme_op_decrypt_result(ctx);

172

if (result == NULL){

173

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

174

} else {

175

fprintf(stderr, "Unsupported algorithm: %s\n",

176

result->unsupported_algorithm);

177

fprintf(stderr, "Wrong key usage: %d\n",

178

result->wrong_key_usage);

179

if(result->file_name != NULL){

180

fprintf(stderr, "File name: %s\n", result->file_name);

181

}

182

gpgme_recipient_t recipient;

183

recipient = result->recipients;

184

if(recipient){

185

while(recipient != NULL){

186

fprintf(stderr, "Public key algorithm: %s\n",

187

gpgme_pubkey_algo_name(recipient->pubkey_algo));

188

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

189

fprintf(stderr, "Secret key available: %s\n",

190

recipient->status == GPG_ERR_NO_SECKEY

191

? "No" : "Yes");

192

recipient = recipient->next;

307

193

}

308

194

}

309

195

}

310

goto decrypt_end;

311

196

}

312

197

313

if(debug){

314

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

315

}

198

/* Delete the GPGME FILE pointer cryptotext data buffer */

199

gpgme_data_release(dh_crypto);

316

200

317

201

/* Seek back to the beginning of the GPGME plaintext data buffer */

318

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

319

perror("gpgme_data_seek");

320

plaintext_length = -1;

321

goto decrypt_end;

202

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

203

perror("pgpme_data_seek");

322

204

}

323

205

324

*plaintext = NULL;

206

*new_packet = 0;

325

207

while(true){

326

plaintext_capacity = adjustbuffer(plaintext,

327

(size_t)plaintext_length,

328

plaintext_capacity);

329

if(plaintext_capacity == 0){

330

perror("adjustbuffer");

331

plaintext_length = -1;

332

goto decrypt_end;

208

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

209

*new_packet = realloc(*new_packet,

210

(unsigned int)new_packet_capacity

211

+ BUFFER_SIZE);

212

if (*new_packet == NULL){

213

perror("realloc");

214

return -1;

215

}

216

new_packet_capacity += BUFFER_SIZE;

333

217

}

334

218

335

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

219

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

336

220

BUFFER_SIZE);

337

221

/* Print the data, if any */

338

if(ret == 0){

339

/* EOF */

222

if (ret == 0){

340

223

break;

341

224

}

342

225

if(ret < 0){

343

226

perror("gpgme_data_read");

344

plaintext_length = -1;

345

goto decrypt_end;

346

}

347

plaintext_length += ret;

348

}

349

350

if(debug){

351

fprintf(stderr, "Decrypted password is: ");

352

for(ssize_t i = 0; i < plaintext_length; i++){

353

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

354

}

355

fprintf(stderr, "\n");

356

}

357

358

decrypt_end:

359

360

/* Delete the GPGME cryptotext data buffer */

361

gpgme_data_release(dh_crypto);

227

return -1;

228

}

229

new_packet_length += ret;

230

}

231

232

/* FIXME: check characters before printing to screen so to not print

233

terminal control characters */

234

/* if(debug){ */

235

/* fprintf(stderr, "decrypted password is: "); */

236

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

237

/* fprintf(stderr, "\n"); */

238

/* } */

362

239

363

240

/* Delete the GPGME plaintext data buffer */

364

241

gpgme_data_release(dh_plain);

365

return plaintext_length;

242

return new_packet_length;

366

243

}

367

244

368

static const char * safer_gnutls_strerror(int value) {

369

const char *ret = gnutls_strerror(value); /* Spurious warning from

370

-Wunreachable-code */

371

if(ret == NULL)

245

static const char * safer_gnutls_strerror (int value) {

246

const char *ret = gnutls_strerror (value);

247

if (ret == NULL)

372

248

ret = "(unknown)";

373

249

return ret;

374

250

}

375

251

376

/* GnuTLS log function callback */

377

252

static void debuggnutls(__attribute__((unused)) int level,

378

253

const char* string){

379

fprintf(stderr, "GnuTLS: %s", string);

254

fprintf(stderr, "%s", string);

380

255

}

381

256

382

static int init_gnutls_global(mandos_context *mc,

383

const char *pubkeyfilename,

384

const char *seckeyfilename){

257

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

258

gnutls_dh_params_t *dh_params){

259

const char *err;

385

260

int ret;

386

261

387

262

if(debug){

388

263

fprintf(stderr, "Initializing GnuTLS\n");

389

264

}

390

391

ret = gnutls_global_init();

392

if(ret != GNUTLS_E_SUCCESS) {

393

fprintf(stderr, "GnuTLS global_init: %s\n",

394

safer_gnutls_strerror(ret));

265

266

if ((ret = gnutls_global_init ())

267

!= GNUTLS_E_SUCCESS) {

268

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

395

269

return -1;

396

270

}

397

271

398

if(debug){

399

/* "Use a log level over 10 to enable all debugging options."

400

* - GnuTLS manual

401

272

if (debug){

402

273

gnutls_global_set_log_level(11);

403

274

gnutls_global_set_log_function(debuggnutls);

404

275

}

405

276

406

/* OpenPGP credentials */

407

gnutls_certificate_allocate_credentials(&mc->cred);

408

if(ret != GNUTLS_E_SUCCESS){

409

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

410

* from

411

* -Wunreachable-code

412

413

safer_gnutls_strerror(ret));

414

gnutls_global_deinit();

277

/* openpgp credentials */

278

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

279

!= GNUTLS_E_SUCCESS) {

280

fprintf (stderr, "memory error: %s\n",

281

safer_gnutls_strerror(ret));

415

282

return -1;

416

283

}

417

284

418

285

if(debug){

419

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

420

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

421

seckeyfilename);

286

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

287

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

288

seckeyfile);

422

289

}

423

290

424

291

ret = gnutls_certificate_set_openpgp_key_file

425

(mc->cred, pubkeyfilename, seckeyfilename,

426

GNUTLS_OPENPGP_FMT_BASE64);

427

if(ret != GNUTLS_E_SUCCESS) {

428

fprintf(stderr,

429

"Error[%d] while reading the OpenPGP key pair ('%s',"

430

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

431

fprintf(stderr, "The GnuTLS error is: %s\n",

432

safer_gnutls_strerror(ret));

433

goto globalfail;

434

}

435

436

/* GnuTLS server initialization */

437

ret = gnutls_dh_params_init(&mc->dh_params);

438

if(ret != GNUTLS_E_SUCCESS) {

439

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

440

" %s\n", safer_gnutls_strerror(ret));

441

goto globalfail;

442

}

443

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

444

if(ret != GNUTLS_E_SUCCESS) {

445

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

446

safer_gnutls_strerror(ret));

447

goto globalfail;

448

}

449

450

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

451

452

return 0;

453

454

globalfail:

455

456

gnutls_certificate_free_credentials(mc->cred);

457

gnutls_global_deinit();

458

gnutls_dh_params_deinit(mc->dh_params);

459

return -1;

460

}

461

462

static int init_gnutls_session(mandos_context *mc,

463

gnutls_session_t *session){

464

int ret;

465

/* GnuTLS session creation */

466

ret = gnutls_init(session, GNUTLS_SERVER);

467

if(ret != GNUTLS_E_SUCCESS){

292

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

293

if (ret != GNUTLS_E_SUCCESS) {

294

fprintf

295

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

296

" '%s')\n",

297

ret, pubkeyfile, seckeyfile);

298

fprintf(stdout, "The Error is: %s\n",

299

safer_gnutls_strerror(ret));

300

return -1;

301

}

302

303

//GnuTLS server initialization

304

if ((ret = gnutls_dh_params_init(dh_params))

305

!= GNUTLS_E_SUCCESS) {

306

fprintf (stderr, "Error in dh parameter initialization: %s\n",

307

safer_gnutls_strerror(ret));

308

return -1;

309

}

310

311

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

312

!= GNUTLS_E_SUCCESS) {

313

fprintf (stderr, "Error in prime generation: %s\n",

314

safer_gnutls_strerror(ret));

315

return -1;

316

}

317

318

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

319

320

// GnuTLS session creation

321

if ((ret = gnutls_init(session, GNUTLS_SERVER))

322

!= GNUTLS_E_SUCCESS){

468

323

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

469

324

safer_gnutls_strerror(ret));

470

325

}

471

326

472

{

473

const char *err;

474

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

475

if(ret != GNUTLS_E_SUCCESS) {

476

fprintf(stderr, "Syntax error at: %s\n", err);

477

fprintf(stderr, "GnuTLS error: %s\n",

478

safer_gnutls_strerror(ret));

479

gnutls_deinit(*session);

480

return -1;

481

}

327

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

328

!= GNUTLS_E_SUCCESS) {

329

fprintf(stderr, "Syntax error at: %s\n", err);

330

fprintf(stderr, "GnuTLS error: %s\n",

331

safer_gnutls_strerror(ret));

332

return -1;

482

333

}

483

334

484

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

485

mc->cred);

486

if(ret != GNUTLS_E_SUCCESS) {

487

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

335

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

336

mc->cred))

337

!= GNUTLS_E_SUCCESS) {

338

fprintf(stderr, "Error setting a credentials set: %s\n",

488

339

safer_gnutls_strerror(ret));

489

gnutls_deinit(*session);

490

340

return -1;

491

341

}

492

342

493

343

/* ignore client certificate if any. */

494

gnutls_certificate_server_set_request(*session,

495

GNUTLS_CERT_IGNORE);

344

gnutls_certificate_server_set_request (*session,

345

GNUTLS_CERT_IGNORE);

496

346

497

gnutls_dh_set_prime_bits(*session, mc->dh_bits);

347

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

498

348

499

349

return 0;

500

350

}

501

351

502

/* Avahi log function callback */

503

352

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

504

353

__attribute__((unused)) const char *txt){}

505

354

506

/* Called when a Mandos server is found */

507

355

static int start_mandos_communication(const char *ip, uint16_t port,

508

356

AvahiIfIndex if_index,

509

357

mandos_context *mc){

510

358

int ret, tcp_sd;

511

ssize_t sret;

512

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

359

struct sockaddr_in6 to;

513

360

char *buffer = NULL;

514

361

char *decrypted_buffer;

515

362

size_t buffer_length = 0;

516

363

size_t buffer_capacity = 0;

517

364

ssize_t decrypted_buffer_size;

518

size_t written;

365

size_t written = 0;

519

366

int retval = 0;

520

367

char interface[IF_NAMESIZE];

521

368

gnutls_session_t session;

522

523

ret = init_gnutls_session(mc, &session);

524

if(ret != 0){

525

return -1;

526

}

369

gnutls_dh_params_t dh_params;

527

370

528

371

if(debug){

529

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

530

"\n", ip, port);

372

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

373

ip, port);

531

374

}

532

375

533

376

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

535

378

perror("socket");

536

379

return -1;

537

380

}

538

381

539

382

if(debug){

540

383

if(if_indextoname((unsigned int)if_index, interface) == NULL){

541

384

perror("if_indextoname");

544

387

fprintf(stderr, "Binding to interface %s\n", interface);

545

388

}

546

389

547

memset(&to, 0, sizeof(to));

548

to.in6.sin6_family = AF_INET6;

549

/* It would be nice to have a way to detect if we were passed an

550

IPv4 address here. Now we assume an IPv6 address. */

551

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

552

if(ret < 0 ){

390

memset(&to,0,sizeof(to)); /* Spurious warning */

391

to.sin6_family = AF_INET6;

392

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

393

if (ret < 0 ){

553

394

perror("inet_pton");

554

395

return -1;

555

396

}

557

398

fprintf(stderr, "Bad address: %s\n", ip);

558

399

return -1;

559

400

}

560

to.in6.sin6_port = htons(port); /* Spurious warnings from

561

-Wconversion and

562

-Wunreachable-code */

401

to.sin6_port = htons(port); /* Spurious warning */

563

402

564

to.in6.sin6_scope_id = (uint32_t)if_index;

403

to.sin6_scope_id = (uint32_t)if_index;

565

404

566

405

if(debug){

567

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

568

port);

406

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

569

407

char addrstr[INET6_ADDRSTRLEN] = "";

570

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

408

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

571

409

sizeof(addrstr)) == NULL){

572

410

perror("inet_ntop");

573

411

} else {

577

415

}

578

416

}

579

417

580

ret = connect(tcp_sd, &to.in, sizeof(to));

581

if(ret < 0){

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

419

if (ret < 0){

582

420

perror("connect");

583

421

return -1;

584

422

}

585

423

586

const char *out = mandos_protocol_version;

587

written = 0;

588

while(true){

589

size_t out_size = strlen(out);

590

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

591

out_size - written));

592

if(ret == -1){

593

perror("write");

594

retval = -1;

595

goto mandos_end;

596

}

597

written += (size_t)ret;

598

if(written < out_size){

599

continue;

600

} else {

601

if(out == mandos_protocol_version){

602

written = 0;

603

out = "\r\n";

604

} else {

605

break;

606

}

607

}

424

ret = initgnutls (mc, &session, &dh_params);

425

if (ret != 0){

426

retval = -1;

427

return -1;

608

428

}

609

429

430

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

431

610

432

if(debug){

611

433

fprintf(stderr, "Establishing TLS session with %s\n", ip);

612

434

}

613

435

614

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

615

616

do{

617

ret = gnutls_handshake(session);

618

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

619

620

if(ret != GNUTLS_E_SUCCESS){

436

ret = gnutls_handshake (session);

437

438

if (ret != GNUTLS_E_SUCCESS){

621

439

if(debug){

622

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

623

gnutls_perror(ret);

440

fprintf(stderr, "\n*** Handshake failed ***\n");

441

gnutls_perror (ret);

624

442

}

625

443

retval = -1;

626

goto mandos_end;

444

goto exit;

627

445

}

628

446

629

/* Read OpenPGP packet that contains the wanted password */

447

//Retrieve OpenPGP packet that contains the wanted password

630

448

631

449

if(debug){

632

450

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

633

451

ip);

634

452

}

635

453

636

454

while(true){

637

buffer_capacity = adjustbuffer(&buffer, buffer_length,

638

buffer_capacity);

639

if(buffer_capacity == 0){

640

perror("adjustbuffer");

641

retval = -1;

642

goto mandos_end;

455

if (buffer_length + BUFFER_SIZE > buffer_capacity){

456

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

457

if (buffer == NULL){

458

perror("realloc");

459

goto exit;

460

}

461

buffer_capacity += BUFFER_SIZE;

643

462

}

644

463

645

sret = gnutls_record_recv(session, buffer+buffer_length,

646

BUFFER_SIZE);

647

if(sret == 0){

464

ret = gnutls_record_recv(session, buffer+buffer_length,

465

BUFFER_SIZE);

466

if (ret == 0){

648

467

break;

649

468

}

650

if(sret < 0){

651

switch(sret){

469

if (ret < 0){

470

switch(ret){

652

471

case GNUTLS_E_INTERRUPTED:

653

472

case GNUTLS_E_AGAIN:

654

473

break;

655

474

case GNUTLS_E_REHANDSHAKE:

656

do{

657

ret = gnutls_handshake(session);

658

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

659

if(ret < 0){

660

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

661

gnutls_perror(ret);

475

ret = gnutls_handshake (session);

476

if (ret < 0){

477

fprintf(stderr, "\n*** Handshake failed ***\n");

478

gnutls_perror (ret);

662

479

retval = -1;

663

goto mandos_end;

480

goto exit;

664

481

}

665

482

break;

666

483

default:

667

484

fprintf(stderr, "Unknown error while reading data from"

668

" encrypted session with Mandos server\n");

485

" encrypted session with mandos server\n");

669

486

retval = -1;

670

gnutls_bye(session, GNUTLS_SHUT_RDWR);

671

goto mandos_end;

487

gnutls_bye (session, GNUTLS_SHUT_RDWR);

488

goto exit;

672

489

}

673

490

} else {

674

buffer_length += (size_t) sret;

491

buffer_length += (size_t) ret;

675

492

}

676

493

}

677

494

678

if(debug){

679

fprintf(stderr, "Closing TLS session\n");

680

}

681

682

gnutls_bye(session, GNUTLS_SHUT_RDWR);

683

684

if(buffer_length > 0){

685

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

495

if (buffer_length > 0){

496

decrypted_buffer_size = pgp_packet_decrypt(buffer,

686

497

buffer_length,

687

&decrypted_buffer);

688

if(decrypted_buffer_size >= 0){

689

written = 0;

498

&decrypted_buffer,

499

keydir);

500

if (decrypted_buffer_size >= 0){

690

501

while(written < (size_t) decrypted_buffer_size){

691

ret = (int)fwrite(decrypted_buffer + written, 1,

692

(size_t)decrypted_buffer_size - written,

693

stdout);

502

ret = (int)fwrite (decrypted_buffer + written, 1,

503

(size_t)decrypted_buffer_size - written,

504

stdout);

694

505

if(ret == 0 and ferror(stdout)){

695

506

if(debug){

696

507

fprintf(stderr, "Error writing encrypted data: %s\n",

705

516

} else {

706

517

retval = -1;

707

518

}

708

} else {

709

retval = -1;

710

}

711

712

/* Shutdown procedure */

713

714

mandos_end:

519

}

520

521

//shutdown procedure

522

523

if(debug){

524

fprintf(stderr, "Closing TLS session\n");

525

}

526

715

527

free(buffer);

716

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

717

if(ret == -1){

718

perror("close");

719

}

720

gnutls_deinit(session);

528

gnutls_bye (session, GNUTLS_SHUT_RDWR);

529

exit:

530

close(tcp_sd);

531

gnutls_deinit (session);

532

gnutls_certificate_free_credentials (mc->cred);

533

gnutls_global_deinit ();

721

534

return retval;

722

535

}

723

536

724

static void resolve_callback(AvahiSServiceResolver *r,

725

AvahiIfIndex interface,

726

AVAHI_GCC_UNUSED AvahiProtocol protocol,

727

AvahiResolverEvent event,

728

const char *name,

729

const char *type,

730

const char *domain,

731

const char *host_name,

732

const AvahiAddress *address,

733

uint16_t port,

734

AVAHI_GCC_UNUSED AvahiStringList *txt,

735

AVAHI_GCC_UNUSED AvahiLookupResultFlags

736

flags,

737

void* userdata) {

537

static void resolve_callback( AvahiSServiceResolver *r,

538

AvahiIfIndex interface,

539

AVAHI_GCC_UNUSED AvahiProtocol protocol,

540

AvahiResolverEvent event,

541

const char *name,

542

const char *type,

543

const char *domain,

544

const char *host_name,

545

const AvahiAddress *address,

546

uint16_t port,

547

AVAHI_GCC_UNUSED AvahiStringList *txt,

548

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

549

void* userdata) {

738

550

mandos_context *mc = userdata;

739

assert(r);

551

assert(r); /* Spurious warning */

740

552

741

553

/* Called whenever a service has been resolved successfully or

742

554

timed out */

743

555

744

switch(event) {

556

switch (event) {

745

557

default:

746

558

case AVAHI_RESOLVER_FAILURE:

747

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

748

" of type '%s' in domain '%s': %s\n", name, type, domain,

559

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

560

" type '%s' in domain '%s': %s\n", name, type, domain,

749

561

avahi_strerror(avahi_server_errno(mc->server)));

750

562

break;

751

563

754

566

char ip[AVAHI_ADDRESS_STR_MAX];

755

567

avahi_address_snprint(ip, sizeof(ip), address);

756

568

if(debug){

757

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

758

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

759

ip, (intmax_t)interface, port);

569

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

570

" port %d\n", name, host_name, ip, port);

760

571

}

761

572

int ret = start_mandos_communication(ip, port, interface, mc);

762

if(ret == 0){

763

avahi_simple_poll_quit(mc->simple_poll);

573

if (ret == 0){

574

exit(EXIT_SUCCESS);

764

575

}

765

576

}

766

577

}

774

585

const char *name,

775

586

const char *type,

776

587

const char *domain,

777

AVAHI_GCC_UNUSED AvahiLookupResultFlags

778

flags,

588

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

779

589

void* userdata) {

780

590

mandos_context *mc = userdata;

781

assert(b);

591

assert(b); /* Spurious warning */

782

592

783

593

/* Called whenever a new services becomes available on the LAN or

784

594

is removed from the LAN */

785

595

786

switch(event) {

596

switch (event) {

787

597

default:

788

598

case AVAHI_BROWSER_FAILURE:

789

599

790

fprintf(stderr, "(Avahi browser) %s\n",

600

fprintf(stderr, "(Browser) %s\n",

791

601

avahi_strerror(avahi_server_errno(mc->server)));

792

602

avahi_simple_poll_quit(mc->simple_poll);

793

603

return;

794

604

795

605

case AVAHI_BROWSER_NEW:

796

/* We ignore the returned Avahi resolver object. In the callback

797

function we free it. If the Avahi server is terminated before

798

the callback function is called the Avahi server will free the

799

resolver for us. */

606

/* We ignore the returned resolver object. In the callback

607

function we free it. If the server is terminated before

608

the callback function is called the server will free

609

the resolver for us. */

800

610

801

if(!(avahi_s_service_resolver_new(mc->server, interface,

802

protocol, name, type, domain,

611

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

612

type, domain,

803

613

AVAHI_PROTO_INET6, 0,

804

614

resolve_callback, mc)))

805

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

806

name, avahi_strerror(avahi_server_errno(mc->server)));

615

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

616

avahi_strerror(avahi_server_errno(mc->server)));

807

617

break;

808

618

809

619

case AVAHI_BROWSER_REMOVE:

811

621

812

622

case AVAHI_BROWSER_ALL_FOR_NOW:

813

623

case AVAHI_BROWSER_CACHE_EXHAUSTED:

814

if(debug){

815

fprintf(stderr, "No Mandos server found, still searching...\n");

816

}

817

624

break;

818

625

}

819

626

}

820

627

821

int main(int argc, char *argv[]){

628

/* Combines file name and path and returns the malloced new

629

string. some sane checks could/should be added */

630

static const char *combinepath(const char *first, const char *second){

631

size_t f_len = strlen(first);

632

size_t s_len = strlen(second);

633

char *tmp = malloc(f_len + s_len + 2);

634

if (tmp == NULL){

635

return NULL;

636

}

637

if(f_len > 0){

638

memcpy(tmp, first, f_len); /* Spurious warning */

639

}

640

tmp[f_len] = '/';

641

if(s_len > 0){

642

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

643

}

644

tmp[f_len + 1 + s_len] = '\0';

645

return tmp;

646

}

647

648

649

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

650

AvahiServerConfig config;

822

651

AvahiSServiceBrowser *sb = NULL;

823

652

int error;

824

653

int ret;

825

intmax_t tmpmax;

826

int numchars;

827

int exitcode = EXIT_SUCCESS;

654

int debug_int;

655

int returncode = EXIT_SUCCESS;

828

656

const char *interface = "eth0";

829

657

struct ifreq network;

830

658

int sd;

831

uid_t uid;

832

gid_t gid;

833

659

char *connect_to = NULL;

834

char tempdir[] = "/tmp/mandosXXXXXX";

835

bool tempdir_created = false;

836

660

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

837

const char *seckey = PATHDIR "/" SECKEY;

838

const char *pubkey = PATHDIR "/" PUBKEY;

839

840

661

mandos_context mc = { .simple_poll = NULL, .server = NULL,

841

.dh_bits = 1024, .priority = "SECURE256"

842

":!CTYPE-X.509:+CTYPE-OPENPGP" };

843

bool gnutls_initialized = false;

844

bool gpgme_initialized = false;

845

846

{

847

struct argp_option options[] = {

848

{ .name = "debug", .key = 128,

849

.doc = "Debug mode", .group = 3 },

850

{ .name = "connect", .key = 'c',

851

.arg = "ADDRESS:PORT",

852

.doc = "Connect directly to a specific Mandos server",

853

.group = 1 },

854

{ .name = "interface", .key = 'i',

855

.arg = "NAME",

856

.doc = "Interface that will be used to search for Mandos"

857

" servers",

858

.group = 1 },

859

{ .name = "seckey", .key = 's',

860

.arg = "FILE",

861

.doc = "OpenPGP secret key file base name",

862

.group = 1 },

863

{ .name = "pubkey", .key = 'p',

864

.arg = "FILE",

865

.doc = "OpenPGP public key file base name",

866

.group = 2 },

867

{ .name = "dh-bits", .key = 129,

868

.arg = "BITS",

869

.doc = "Bit length of the prime number used in the"

870

" Diffie-Hellman key exchange",

871

.group = 2 },

872

{ .name = "priority", .key = 130,

873

.arg = "STRING",

874

.doc = "GnuTLS priority string for the TLS handshake",

875

.group = 1 },

876

{ .name = NULL }

877

};

878

879

error_t parse_opt(int key, char *arg,

880

struct argp_state *state) {

881

switch(key) {

882

case 128: /* --debug */

883

debug = true;

884

break;

885

case 'c': /* --connect */

886

connect_to = arg;

887

break;

888

case 'i': /* --interface */

889

interface = arg;

890

break;

891

case 's': /* --seckey */

892

seckey = arg;

893

break;

894

case 'p': /* --pubkey */

895

pubkey = arg;

896

break;

897

case 129: /* --dh-bits */

898

ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);

899

if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax

900

or arg[numchars] != '\0'){

901

fprintf(stderr, "Bad number of DH bits\n");

902

exit(EXIT_FAILURE);

903

}

904

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

905

break;

906

case 130: /* --priority */

907

mc.priority = arg;

908

break;

909

case ARGP_KEY_ARG:

910

argp_usage(state);

911

case ARGP_KEY_END:

912

break;

913

default:

914

return ARGP_ERR_UNKNOWN;

915

}

916

return 0;

917

}

918

919

struct argp argp = { .options = options, .parser = parse_opt,

920

.args_doc = "",

921

.doc = "Mandos client -- Get and decrypt"

922

" passwords from a Mandos server" };

923

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

924

if(ret == ARGP_ERR_UNKNOWN){

925

fprintf(stderr, "Unknown error while parsing arguments\n");

926

exitcode = EXIT_FAILURE;

927

goto end;

928

}

929

}

930

931

/* If the interface is down, bring it up */

932

{

933

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

934

if(sd < 0) {

935

perror("socket");

936

exitcode = EXIT_FAILURE;

937

goto end;

938

}

939

strcpy(network.ifr_name, interface);

940

ret = ioctl(sd, SIOCGIFFLAGS, &network);

941

if(ret == -1){

942

perror("ioctl SIOCGIFFLAGS");

943

exitcode = EXIT_FAILURE;

944

goto end;

945

}

946

if((network.ifr_flags & IFF_UP) == 0){

947

network.ifr_flags |= IFF_UP;

948

ret = ioctl(sd, SIOCSIFFLAGS, &network);

949

if(ret == -1){

950

perror("ioctl SIOCSIFFLAGS");

951

exitcode = EXIT_FAILURE;

952

goto end;

953

}

954

}

955

ret = (int)TEMP_FAILURE_RETRY(close(sd));

956

if(ret == -1){

957

perror("close");

958

}

959

}

960

961

uid = getuid();

962

gid = getgid();

963

964

ret = setuid(uid);

965

if(ret == -1){

966

perror("setuid");

967

}

968

969

setgid(gid);

970

if(ret == -1){

971

perror("setgid");

972

}

973

974

ret = init_gnutls_global(&mc, pubkey, seckey);

975

if(ret == -1){

976

fprintf(stderr, "init_gnutls_global failed\n");

977

exitcode = EXIT_FAILURE;

978

goto end;

979

} else {

980

gnutls_initialized = true;

981

}

982

983

if(mkdtemp(tempdir) == NULL){

984

perror("mkdtemp");

985

goto end;

986

}

987

tempdir_created = true;

988

989

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

990

fprintf(stderr, "init_gpgme failed\n");

991

exitcode = EXIT_FAILURE;

992

goto end;

993

} else {

994

gpgme_initialized = true;

662

.dh_bits = 1024, .priority = "SECURE256"};

663

664

debug_int = debug ? 1 : 0;

665

while (true){

666

struct option long_options[] = {

667

{"debug", no_argument, &debug_int, 1},

668

{"connect", required_argument, NULL, 'c'},

669

{"interface", required_argument, NULL, 'i'},

670

{"keydir", required_argument, NULL, 'd'},

671

{"seckey", required_argument, NULL, 's'},

672

{"pubkey", required_argument, NULL, 'p'},

673

{"dh-bits", required_argument, NULL, 'D'},

674

{"priority", required_argument, NULL, 'P'},

675

{0, 0, 0, 0} };

676

677

int option_index = 0;

678

ret = getopt_long (argc, argv, "i:", long_options,

679

&option_index);

680

681

if (ret == -1){

682

break;

683

}

684

685

switch(ret){

686

case 0:

687

break;

688

case 'i':

689

interface = optarg;

690

break;

691

case 'c':

692

connect_to = optarg;

693

break;

694

case 'd':

695

keydir = optarg;

696

break;

697

case 'p':

698

pubkeyfile = optarg;

699

break;

700

case 's':

701

seckeyfile = optarg;

702

break;

703

case 'D':

704

errno = 0;

705

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

706

if (errno){

707

perror("strtol");

708

exit(EXIT_FAILURE);

709

}

710

break;

711

case 'P':

712

mc.priority = optarg;

713

break;

714

case '?':

715

default:

716

exit(EXIT_FAILURE);

717

}

718

}

719

debug = debug_int ? true : false;

720

721

pubkeyfile = combinepath(keydir, pubkeyfile);

722

if (pubkeyfile == NULL){

723

perror("combinepath");

724

returncode = EXIT_FAILURE;

725

goto exit;

726

}

727

728

seckeyfile = combinepath(keydir, seckeyfile);

729

if (seckeyfile == NULL){

730

perror("combinepath");

731

goto exit;

995

732

}

996

733

997

734

if_index = (AvahiIfIndex) if_nametoindex(interface);

998

735

if(if_index == 0){

999

736

fprintf(stderr, "No such interface: \"%s\"\n", interface);

1000

exitcode = EXIT_FAILURE;

1001

goto end;

737

exit(EXIT_FAILURE);

1002

738

}

1003

739

1004

740

if(connect_to != NULL){

1007

743

char *address = strrchr(connect_to, ':');

1008

744

if(address == NULL){

1009

745

fprintf(stderr, "No colon in address\n");

1010

exitcode = EXIT_FAILURE;

1011

goto end;

1012

}

1013

uint16_t port;

1014

ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);

1015

if(ret < 1 or tmpmax != (uint16_t)tmpmax

1016

or address[numchars+1] != '\0'){

1017

fprintf(stderr, "Bad port number\n");

1018

exitcode = EXIT_FAILURE;

1019

goto end;

1020

}

1021

port = (uint16_t)tmpmax;

746

exit(EXIT_FAILURE);

747

}

748

errno = 0;

749

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

750

if(errno){

751

perror("Bad port number");

752

exit(EXIT_FAILURE);

753

}

1022

754

*address = '\0';

1023

755

address = connect_to;

1024

756

ret = start_mandos_communication(address, port, if_index, &mc);

1025

757

if(ret < 0){

1026

exitcode = EXIT_FAILURE;

758

exit(EXIT_FAILURE);

1027

759

} else {

1028

exitcode = EXIT_SUCCESS;

1029

}

1030

goto end;

1031

}

1032

1033

if(not debug){

760

exit(EXIT_SUCCESS);

761

}

762

}

763

764

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

765

if(sd < 0) {

766

perror("socket");

767

returncode = EXIT_FAILURE;

768

goto exit;

769

}

770

strcpy(network.ifr_name, interface); /* Spurious warning */

771

ret = ioctl(sd, SIOCGIFFLAGS, &network);

772

if(ret == -1){

773

774

perror("ioctl SIOCGIFFLAGS");

775

returncode = EXIT_FAILURE;

776

goto exit;

777

}

778

if((network.ifr_flags & IFF_UP) == 0){

779

network.ifr_flags |= IFF_UP;

780

ret = ioctl(sd, SIOCSIFFLAGS, &network);

781

if(ret == -1){

782

perror("ioctl SIOCSIFFLAGS");

783

returncode = EXIT_FAILURE;

784

goto exit;

785

}

786

}

787

close(sd);

788

789

if (not debug){

1034

790

avahi_set_log_function(empty_log);

1035

791

}

1036

792

1037

/* Initialize the pseudo-RNG for Avahi */

793

/* Initialize the psuedo-RNG */

1038

794

srand((unsigned int) time(NULL));

1039

1040

/* Allocate main Avahi loop object */

1041

mc.simple_poll = avahi_simple_poll_new();

1042

if(mc.simple_poll == NULL) {

1043

fprintf(stderr, "Avahi: Failed to create simple poll"

1044

" object.\n");

1045

exitcode = EXIT_FAILURE;

1046

goto end;

1047

}

1048

1049

{

1050

AvahiServerConfig config;

1051

/* Do not publish any local Zeroconf records */

1052

avahi_server_config_init(&config);

1053

config.publish_hinfo = 0;

1054

config.publish_addresses = 0;

1055

config.publish_workstation = 0;

1056

config.publish_domain = 0;

1057

1058

/* Allocate a new server */

1059

mc.server = avahi_server_new(avahi_simple_poll_get

1060

(mc.simple_poll), &config, NULL,

1061

NULL, &error);

1062

1063

/* Free the Avahi configuration data */

1064

avahi_server_config_free(&config);

1065

}

1066

1067

/* Check if creating the Avahi server object succeeded */

1068

if(mc.server == NULL) {

1069

fprintf(stderr, "Failed to create Avahi server: %s\n",

795

796

/* Allocate main loop object */

797

if (!(mc.simple_poll = avahi_simple_poll_new())) {

798

fprintf(stderr, "Failed to create simple poll object.\n");

799

returncode = EXIT_FAILURE;

800

goto exit;

801

}

802

803

/* Do not publish any local records */

804

avahi_server_config_init(&config);

805

config.publish_hinfo = 0;

806

config.publish_addresses = 0;

807

config.publish_workstation = 0;

808

config.publish_domain = 0;

809

810

/* Allocate a new server */

811

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

812

&config, NULL, NULL, &error);

813

814

/* Free the configuration data */

815

avahi_server_config_free(&config);

816

817

/* Check if creating the server object succeeded */

818

if (!mc.server) {

819

fprintf(stderr, "Failed to create server: %s\n",

1070

820

avahi_strerror(error));

1071

exitcode = EXIT_FAILURE;

1072

goto end;

821

returncode = EXIT_FAILURE;

822

goto exit;

1073

823

}

1074

824

1075

/* Create the Avahi service browser */

825

/* Create the service browser */

1076

826

sb = avahi_s_service_browser_new(mc.server, if_index,

1077

827

AVAHI_PROTO_INET6,

1078

828

"_mandos._tcp", NULL, 0,

1079

829

browse_callback, &mc);

1080

if(sb == NULL) {

830

if (!sb) {

1081

831

fprintf(stderr, "Failed to create service browser: %s\n",

1082

832

avahi_strerror(avahi_server_errno(mc.server)));

1083

exitcode = EXIT_FAILURE;

1084

goto end;

833

returncode = EXIT_FAILURE;

834

goto exit;

1085

835

}

1086

836

1087

837

/* Run the main loop */

1088

1089

if(debug){

1090

fprintf(stderr, "Starting Avahi loop search\n");

838

839

if (debug){

840

fprintf(stderr, "Starting avahi loop search\n");

1091

841

}

1092

842

1093

843

avahi_simple_poll_loop(mc.simple_poll);

1094

844

1095

end:

1096

1097

if(debug){

845

exit:

846

847

if (debug){

1098

848

fprintf(stderr, "%s exiting\n", argv[0]);

1099

849

}

1100

850

1101

851

/* Cleanup things */

1102

if(sb != NULL)

852

if (sb)

1103

853

avahi_s_service_browser_free(sb);

1104

854

1105

if(mc.server != NULL)

855

if (mc.server)

1106

856

avahi_server_free(mc.server);

1107

1108

if(mc.simple_poll != NULL)

857

858

if (mc.simple_poll)

1109

859

avahi_simple_poll_free(mc.simple_poll);

1110

1111

if(gnutls_initialized){

1112

gnutls_certificate_free_credentials(mc.cred);

1113

gnutls_global_deinit();

1114

gnutls_dh_params_deinit(mc.dh_params);

1115

}

1116

1117

if(gpgme_initialized){

1118

gpgme_release(mc.ctx);

1119

}

1120

1121

/* Removes the temp directory used by GPGME */

1122

if(tempdir_created){

1123

DIR *d;

1124

struct dirent *direntry;

1125

d = opendir(tempdir);

1126

if(d == NULL){

1127

if(errno != ENOENT){

1128

perror("opendir");

1129

}

1130

} else {

1131

while(true){

1132

direntry = readdir(d);

1133

if(direntry == NULL){

1134

break;

1135

}

1136

/* Skip "." and ".." */

1137

if(direntry->d_name[0] == '.'

1138

and (direntry->d_name[1] == '\0'

1139

or (direntry->d_name[1] == '.'

1140

and direntry->d_name[2] == '\0'))){

1141

continue;

1142

}

1143

char *fullname = NULL;

1144

ret = asprintf(&fullname, "%s/%s", tempdir,

1145

direntry->d_name);

1146

if(ret < 0){

1147

perror("asprintf");

1148

continue;

1149

}

1150

ret = remove(fullname);

1151

if(ret == -1){

1152

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1153

strerror(errno));

1154

}

1155

free(fullname);

1156

}

1157

closedir(d);

1158

}

1159

ret = rmdir(tempdir);

1160

if(ret == -1 and errno != ENOENT){

1161

perror("rmdir");

1162

}

1163

}

1164

1165

return exitcode;

860

free(pubkeyfile);

861

free(seckeyfile);

862

863

return returncode;

1166

864

}

Older »