To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
33
32
#define _LARGEFILE_SOURCE
34
33
#define _FILE_OFFSET_BITS 64
35
34
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
65
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
43
SIOCSIFFLAGS */
78
44
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
83
45
#include <avahi-core/core.h>
84
46
#include <avahi-core/lookup.h>
85
47
#include <avahi-core/log.h>
87
49
#include <avahi-common/malloc.h>
88
50
#include <avahi-common/error.h>
89
51
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
106
72
107
73
#define BUFFER_SIZE 256
108
74
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
112
78
113
79
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
80
118
/* Used for passing in values through the Avahi callback functions */
81
/* Used for passing in values through all the callback functions */
119
82
typedef struct {
120
83
AvahiSimplePoll *simple_poll;
121
84
AvahiServer *server;
122
85
gnutls_certificate_credentials_t cred;
123
86
unsigned int dh_bits;
124
gnutls_dh_params_t dh_params;
125
87
const char *priority;
88
} mandos_context;
89
90
/*
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
92
* Returns -1 on error
93
*/
94
static ssize_t pgp_packet_decrypt (const char *cryptotext,
95
size_t crypto_size,
96
char **plaintext,
97
const char *homedir){
98
gpgme_data_t dh_crypto, dh_plain;
126
99
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
152
100
gpgme_error_t rc;
101
ssize_t ret;
102
ssize_t plaintext_capacity = 0;
103
ssize_t plaintext_length = 0;
153
104
gpgme_engine_info_t engine_info;
154
105
155
156
/*
157
* Helper function to insert pub and seckey to the engine keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
106
if (debug){
107
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
193
108
}
194
109
195
110
/* Init GPGME */
196
111
gpgme_check_version(NULL);
197
112
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
if(rc != GPG_ERR_NO_ERROR){
113
if (rc != GPG_ERR_NO_ERROR){
199
114
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
200
115
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
116
return -1;
202
117
}
203
118
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
119
/* Set GPGME home directory for the OpenPGP engine only */
120
rc = gpgme_get_engine_info (&engine_info);
121
if (rc != GPG_ERR_NO_ERROR){
207
122
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
208
123
gpgme_strsource(rc), gpgme_strerror(rc));
209
return false;
124
return -1;
210
125
}
211
126
while(engine_info != NULL){
212
127
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
213
128
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
214
engine_info->file_name, tempdir);
129
engine_info->file_name, homedir);
215
130
break;
216
131
}
217
132
engine_info = engine_info->next;
218
133
}
219
134
if(engine_info == NULL){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
135
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
136
return -1;
255
137
}
256
138
257
139
/* Create new GPGME data buffer from memory cryptotext */
258
140
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
141
0);
260
if(rc != GPG_ERR_NO_ERROR){
142
if (rc != GPG_ERR_NO_ERROR){
261
143
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
262
144
gpgme_strsource(rc), gpgme_strerror(rc));
263
145
return -1;
265
147
266
148
/* Create new empty GPGME data buffer for the plaintext */
267
149
rc = gpgme_data_new(&dh_plain);
268
if(rc != GPG_ERR_NO_ERROR){
150
if (rc != GPG_ERR_NO_ERROR){
269
151
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
270
152
gpgme_strsource(rc), gpgme_strerror(rc));
271
153
gpgme_data_release(dh_crypto);
272
154
return -1;
273
155
}
274
156
157
/* Create new GPGME "context" */
158
rc = gpgme_new(&ctx);
159
if (rc != GPG_ERR_NO_ERROR){
160
fprintf(stderr, "bad gpgme_new: %s: %s\n",
161
gpgme_strsource(rc), gpgme_strerror(rc));
162
plaintext_length = -1;
163
goto decrypt_end;
164
}
165
275
166
/* Decrypt data from the cryptotext data buffer to the plaintext
276
167
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
168
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
169
if (rc != GPG_ERR_NO_ERROR){
279
170
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
280
171
gpgme_strsource(rc), gpgme_strerror(rc));
281
172
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
307
}
308
}
309
}
310
173
goto decrypt_end;
311
174
}
312
175
314
177
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
178
}
316
179
180
if (debug){
181
gpgme_decrypt_result_t result;
182
result = gpgme_op_decrypt_result(ctx);
183
if (result == NULL){
184
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
185
} else {
186
fprintf(stderr, "Unsupported algorithm: %s\n",
187
result->unsupported_algorithm);
188
fprintf(stderr, "Wrong key usage: %d\n",
189
result->wrong_key_usage);
190
if(result->file_name != NULL){
191
fprintf(stderr, "File name: %s\n", result->file_name);
192
}
193
gpgme_recipient_t recipient;
194
recipient = result->recipients;
195
if(recipient){
196
while(recipient != NULL){
197
fprintf(stderr, "Public key algorithm: %s\n",
198
gpgme_pubkey_algo_name(recipient->pubkey_algo));
199
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
200
fprintf(stderr, "Secret key available: %s\n",
201
recipient->status == GPG_ERR_NO_SECKEY
202
? "No" : "Yes");
203
recipient = recipient->next;
204
}
205
}
206
}
207
}
208
317
209
/* Seek back to the beginning of the GPGME plaintext data buffer */
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
210
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
211
perror("pgpme_data_seek");
320
212
plaintext_length = -1;
321
213
goto decrypt_end;
322
214
}
323
215
324
216
*plaintext = NULL;
325
217
while(true){
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
331
224
plaintext_length = -1;
332
225
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
333
228
}
334
229
335
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
336
231
BUFFER_SIZE);
337
232
/* Print the data, if any */
338
if(ret == 0){
233
if (ret == 0){
339
234
/* EOF */
340
235
break;
341
236
}
346
241
}
347
242
plaintext_length += ret;
348
243
}
349
244
350
245
if(debug){
351
246
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
247
for(size_t i = 0; i < plaintext_length; i++){
353
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
249
}
355
250
fprintf(stderr, "\n");
365
260
return plaintext_length;
366
261
}
367
262
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
263
static const char * safer_gnutls_strerror (int value) {
264
const char *ret = gnutls_strerror (value);
265
if (ret == NULL)
372
266
ret = "(unknown)";
373
267
return ret;
374
268
}
375
269
376
/* GnuTLS log function callback */
377
270
static void debuggnutls(__attribute__((unused)) int level,
378
271
const char* string){
379
fprintf(stderr, "GnuTLS: %s", string);
272
fprintf(stderr, "%s", string);
380
273
}
381
274
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
385
278
int ret;
386
279
387
280
if(debug){
388
281
fprintf(stderr, "Initializing GnuTLS\n");
389
282
}
390
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
395
287
return -1;
396
288
}
397
289
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
290
if (debug){
402
291
gnutls_global_set_log_level(11);
403
292
gnutls_global_set_log_function(debuggnutls);
404
293
}
405
294
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
299
safer_gnutls_strerror(ret));
415
300
return -1;
416
301
}
417
302
418
303
if(debug){
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
304
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
305
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
306
seckeyfile);
422
307
}
423
308
424
309
ret = gnutls_certificate_set_openpgp_key_file
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
311
if (ret != GNUTLS_E_SUCCESS) {
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
317
safer_gnutls_strerror(ret));
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
468
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
469
342
safer_gnutls_strerror(ret));
470
343
}
471
344
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
482
351
}
483
352
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
488
357
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
490
358
return -1;
491
359
}
492
360
493
361
/* ignore client certificate if any. */
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
362
gnutls_certificate_server_set_request (*session,
363
GNUTLS_CERT_IGNORE);
496
364
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
365
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
498
366
499
367
return 0;
500
368
}
501
369
502
/* Avahi log function callback */
503
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
504
371
__attribute__((unused)) const char *txt){}
505
372
506
/* Called when a Mandos server is found */
507
373
static int start_mandos_communication(const char *ip, uint16_t port,
508
374
AvahiIfIndex if_index,
509
375
mandos_context *mc){
510
376
int ret, tcp_sd;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
377
struct sockaddr_in6 to;
513
378
char *buffer = NULL;
514
379
char *decrypted_buffer;
515
380
size_t buffer_length = 0;
516
381
size_t buffer_capacity = 0;
517
382
ssize_t decrypted_buffer_size;
518
size_t written;
383
size_t written = 0;
519
384
int retval = 0;
520
385
char interface[IF_NAMESIZE];
521
386
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
387
gnutls_dh_params_t dh_params;
527
388
528
389
if(debug){
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
531
392
}
532
393
533
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
535
396
perror("socket");
536
397
return -1;
537
398
}
538
399
539
400
if(debug){
540
401
if(if_indextoname((unsigned int)if_index, interface) == NULL){
541
402
perror("if_indextoname");
544
405
fprintf(stderr, "Binding to interface %s\n", interface);
545
406
}
546
407
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
408
memset(&to,0,sizeof(to)); /* Spurious warning */
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
411
if (ret < 0 ){
553
412
perror("inet_pton");
554
413
return -1;
555
414
}
557
416
fprintf(stderr, "Bad address: %s\n", ip);
558
417
return -1;
559
418
}
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
419
to.sin6_port = htons(port); /* Spurious warning */
563
420
564
to.in6.sin6_scope_id = (uint32_t)if_index;
421
to.sin6_scope_id = (uint32_t)if_index;
565
422
566
423
if(debug){
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
569
425
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
571
427
sizeof(addrstr)) == NULL){
572
428
perror("inet_ntop");
573
429
} else {
577
433
}
578
434
}
579
435
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
437
if (ret < 0){
582
438
perror("connect");
583
439
return -1;
584
440
}
585
441
586
const char *out = mandos_protocol_version;
587
written = 0;
588
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
606
}
607
}
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
608
446
}
609
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
610
450
if(debug){
611
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
612
452
}
613
453
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
454
ret = gnutls_handshake (session);
455
456
if (ret != GNUTLS_E_SUCCESS){
621
457
if(debug){
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
458
fprintf(stderr, "\n*** Handshake failed ***\n");
459
gnutls_perror (ret);
624
460
}
625
461
retval = -1;
626
goto mandos_end;
462
goto exit;
627
463
}
628
464
629
/* Read OpenPGP packet that contains the wanted password */
465
//Retrieve OpenPGP packet that contains the wanted password
630
466
631
467
if(debug){
632
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
633
469
ip);
634
470
}
635
471
636
472
while(true){
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
643
480
}
644
481
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
482
ret = gnutls_record_recv(session, buffer+buffer_length,
483
BUFFER_SIZE);
484
if (ret == 0){
648
485
break;
649
486
}
650
if(sret < 0){
651
switch(sret){
487
if (ret < 0){
488
switch(ret){
652
489
case GNUTLS_E_INTERRUPTED:
653
490
case GNUTLS_E_AGAIN:
654
491
break;
655
492
case GNUTLS_E_REHANDSHAKE:
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
493
ret = gnutls_handshake (session);
494
if (ret < 0){
495
fprintf(stderr, "\n*** Handshake failed ***\n");
496
gnutls_perror (ret);
662
497
retval = -1;
663
goto mandos_end;
498
goto exit;
664
499
}
665
500
break;
666
501
default:
667
502
fprintf(stderr, "Unknown error while reading data from"
668
" encrypted session with Mandos server\n");
503
" encrypted session with mandos server\n");
669
504
retval = -1;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
506
goto exit;
672
507
}
673
508
} else {
674
buffer_length += (size_t) sret;
509
buffer_length += (size_t) ret;
675
510
}
676
511
}
677
512
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
513
if (buffer_length > 0){
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
686
515
buffer_length,
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
516
&decrypted_buffer,
517
keydir);
518
if (decrypted_buffer_size >= 0){
690
519
while(written < (size_t) decrypted_buffer_size){
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
520
ret = (int)fwrite (decrypted_buffer + written, 1,
521
(size_t)decrypted_buffer_size - written,
522
stdout);
694
523
if(ret == 0 and ferror(stdout)){
695
524
if(debug){
696
525
fprintf(stderr, "Error writing encrypted data: %s\n",
705
534
} else {
706
535
retval = -1;
707
536
}
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
537
}
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
715
545
free(buffer);
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
548
close(tcp_sd);
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
721
552
return retval;
722
553
}
723
554
736
567
flags,
737
568
void* userdata) {
738
569
mandos_context *mc = userdata;
739
assert(r);
570
assert(r); /* Spurious warning */
740
571
741
572
/* Called whenever a service has been resolved successfully or
742
573
timed out */
743
574
744
switch(event) {
575
switch (event) {
745
576
default:
746
577
case AVAHI_RESOLVER_FAILURE:
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
749
580
avahi_strerror(avahi_server_errno(mc->server)));
750
581
break;
751
582
754
585
char ip[AVAHI_ADDRESS_STR_MAX];
755
586
avahi_address_snprint(ip, sizeof(ip), address);
756
587
if(debug){
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
760
590
}
761
591
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
592
if (ret == 0){
593
exit(EXIT_SUCCESS);
764
594
}
765
595
}
766
596
}
778
608
flags,
779
609
void* userdata) {
780
610
mandos_context *mc = userdata;
781
assert(b);
611
assert(b); /* Spurious warning */
782
612
783
613
/* Called whenever a new services becomes available on the LAN or
784
614
is removed from the LAN */
785
615
786
switch(event) {
616
switch (event) {
787
617
default:
788
618
case AVAHI_BROWSER_FAILURE:
789
619
790
fprintf(stderr, "(Avahi browser) %s\n",
620
fprintf(stderr, "(Browser) %s\n",
791
621
avahi_strerror(avahi_server_errno(mc->server)));
792
622
avahi_simple_poll_quit(mc->simple_poll);
793
623
return;
794
624
795
625
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
800
630
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
802
632
protocol, name, type, domain,
803
633
AVAHI_PROTO_INET6, 0,
804
634
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
807
637
break;
808
638
809
639
case AVAHI_BROWSER_REMOVE:
811
641
812
642
case AVAHI_BROWSER_ALL_FOR_NOW:
813
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
816
}
817
644
break;
818
645
}
819
646
}
820
647
821
int main(int argc, char *argv[]){
648
/* Combines file name and path and returns the malloced new
649
string. some sane checks could/should be added */
650
static const char *combinepath(const char *first, const char *second){
651
size_t f_len = strlen(first);
652
size_t s_len = strlen(second);
653
char *tmp = malloc(f_len + s_len + 2);
654
if (tmp == NULL){
655
return NULL;
656
}
657
if(f_len > 0){
658
memcpy(tmp, first, f_len); /* Spurious warning */
659
}
660
tmp[f_len] = '/';
661
if(s_len > 0){
662
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
663
}
664
tmp[f_len + 1 + s_len] = '\0';
665
return tmp;
666
}
667
668
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
822
671
AvahiSServiceBrowser *sb = NULL;
823
672
int error;
824
673
int ret;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
828
676
const char *interface = "eth0";
829
677
struct ifreq network;
830
678
int sd;
831
uid_t uid;
832
gid_t gid;
833
679
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
835
bool tempdir_created = false;
836
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
837
const char *seckey = PATHDIR "/" SECKEY;
838
const char *pubkey = PATHDIR "/" PUBKEY;
839
840
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
841
.dh_bits = 1024, .priority = "SECURE256"
842
":!CTYPE-X.509:+CTYPE-OPENPGP" };
843
bool gnutls_initialized = false;
844
bool gpgme_initialized = false;
845
846
{
847
struct argp_option options[] = {
848
{ .name = "debug", .key = 128,
849
.doc = "Debug mode", .group = 3 },
850
{ .name = "connect", .key = 'c',
851
.arg = "ADDRESS:PORT",
852
.doc = "Connect directly to a specific Mandos server",
853
.group = 1 },
854
{ .name = "interface", .key = 'i',
855
.arg = "NAME",
856
.doc = "Interface that will be used to search for Mandos"
857
" servers",
858
.group = 1 },
859
{ .name = "seckey", .key = 's',
860
.arg = "FILE",
861
.doc = "OpenPGP secret key file base name",
862
.group = 1 },
863
{ .name = "pubkey", .key = 'p',
864
.arg = "FILE",
865
.doc = "OpenPGP public key file base name",
866
.group = 2 },
867
{ .name = "dh-bits", .key = 129,
868
.arg = "BITS",
869
.doc = "Bit length of the prime number used in the"
870
" Diffie-Hellman key exchange",
871
.group = 2 },
872
{ .name = "priority", .key = 130,
873
.arg = "STRING",
874
.doc = "GnuTLS priority string for the TLS handshake",
875
.group = 1 },
876
{ .name = NULL }
877
};
878
879
error_t parse_opt(int key, char *arg,
880
struct argp_state *state) {
881
switch(key) {
882
case 128: /* --debug */
883
debug = true;
884
break;
885
case 'c': /* --connect */
886
connect_to = arg;
887
break;
888
case 'i': /* --interface */
889
interface = arg;
890
break;
891
case 's': /* --seckey */
892
seckey = arg;
893
break;
894
case 'p': /* --pubkey */
895
pubkey = arg;
896
break;
897
case 129: /* --dh-bits */
898
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
899
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
900
or arg[numchars] != '\0'){
901
fprintf(stderr, "Bad number of DH bits\n");
902
exit(EXIT_FAILURE);
903
}
904
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
905
break;
906
case 130: /* --priority */
907
mc.priority = arg;
908
break;
909
case ARGP_KEY_ARG:
910
argp_usage(state);
911
case ARGP_KEY_END:
912
break;
913
default:
914
return ARGP_ERR_UNKNOWN;
915
}
916
return 0;
917
}
918
919
struct argp argp = { .options = options, .parser = parse_opt,
920
.args_doc = "",
921
.doc = "Mandos client -- Get and decrypt"
922
" passwords from a Mandos server" };
923
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
924
if(ret == ARGP_ERR_UNKNOWN){
925
fprintf(stderr, "Unknown error while parsing arguments\n");
926
exitcode = EXIT_FAILURE;
927
goto end;
928
}
929
}
930
931
/* If the interface is down, bring it up */
932
{
933
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
934
if(sd < 0) {
935
perror("socket");
936
exitcode = EXIT_FAILURE;
937
goto end;
938
}
939
strcpy(network.ifr_name, interface);
940
ret = ioctl(sd, SIOCGIFFLAGS, &network);
941
if(ret == -1){
942
perror("ioctl SIOCGIFFLAGS");
943
exitcode = EXIT_FAILURE;
944
goto end;
945
}
946
if((network.ifr_flags & IFF_UP) == 0){
947
network.ifr_flags |= IFF_UP;
948
ret = ioctl(sd, SIOCSIFFLAGS, &network);
949
if(ret == -1){
950
perror("ioctl SIOCSIFFLAGS");
951
exitcode = EXIT_FAILURE;
952
goto end;
953
}
954
}
955
ret = (int)TEMP_FAILURE_RETRY(close(sd));
956
if(ret == -1){
957
perror("close");
958
}
959
}
960
961
uid = getuid();
962
gid = getgid();
963
964
ret = setuid(uid);
965
if(ret == -1){
966
perror("setuid");
967
}
968
969
setgid(gid);
970
if(ret == -1){
971
perror("setgid");
972
}
973
974
ret = init_gnutls_global(&mc, pubkey, seckey);
975
if(ret == -1){
976
fprintf(stderr, "init_gnutls_global failed\n");
977
exitcode = EXIT_FAILURE;
978
goto end;
979
} else {
980
gnutls_initialized = true;
981
}
982
983
if(mkdtemp(tempdir) == NULL){
984
perror("mkdtemp");
985
goto end;
986
}
987
tempdir_created = true;
988
989
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
990
fprintf(stderr, "init_gpgme failed\n");
991
exitcode = EXIT_FAILURE;
992
goto end;
993
} else {
994
gpgme_initialized = true;
682
.dh_bits = 1024, .priority = "SECURE256"};
683
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
729
}
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
737
}
738
}
739
debug = debug_int ? true : false;
740
741
pubkeyfile = combinepath(keydir, pubkeyfile);
742
if (pubkeyfile == NULL){
743
perror("combinepath");
744
returncode = EXIT_FAILURE;
745
goto exit;
746
}
747
748
seckeyfile = combinepath(keydir, seckeyfile);
749
if (seckeyfile == NULL){
750
perror("combinepath");
751
goto exit;
995
752
}
996
753
997
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
998
755
if(if_index == 0){
999
756
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1000
exitcode = EXIT_FAILURE;
1001
goto end;
757
exit(EXIT_FAILURE);
1002
758
}
1003
759
1004
760
if(connect_to != NULL){
1007
763
char *address = strrchr(connect_to, ':');
1008
764
if(address == NULL){
1009
765
fprintf(stderr, "No colon in address\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
uint16_t port;
1014
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1015
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1016
or address[numchars+1] != '\0'){
1017
fprintf(stderr, "Bad port number\n");
1018
exitcode = EXIT_FAILURE;
1019
goto end;
1020
}
1021
port = (uint16_t)tmpmax;
766
exit(EXIT_FAILURE);
767
}
768
errno = 0;
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
770
if(errno){
771
perror("Bad port number");
772
exit(EXIT_FAILURE);
773
}
1022
774
*address = '\0';
1023
775
address = connect_to;
1024
776
ret = start_mandos_communication(address, port, if_index, &mc);
1025
777
if(ret < 0){
1026
exitcode = EXIT_FAILURE;
778
exit(EXIT_FAILURE);
1027
779
} else {
1028
exitcode = EXIT_SUCCESS;
1029
}
1030
goto end;
1031
}
1032
1033
if(not debug){
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
808
809
if (not debug){
1034
810
avahi_set_log_function(empty_log);
1035
811
}
1036
812
1037
/* Initialize the pseudo-RNG for Avahi */
813
/* Initialize the psuedo-RNG */
1038
814
srand((unsigned int) time(NULL));
1039
1040
/* Allocate main Avahi loop object */
1041
mc.simple_poll = avahi_simple_poll_new();
1042
if(mc.simple_poll == NULL) {
1043
fprintf(stderr, "Avahi: Failed to create simple poll"
1044
" object.\n");
1045
exitcode = EXIT_FAILURE;
1046
goto end;
1047
}
1048
1049
{
1050
AvahiServerConfig config;
1051
/* Do not publish any local Zeroconf records */
1052
avahi_server_config_init(&config);
1053
config.publish_hinfo = 0;
1054
config.publish_addresses = 0;
1055
config.publish_workstation = 0;
1056
config.publish_domain = 0;
1057
1058
/* Allocate a new server */
1059
mc.server = avahi_server_new(avahi_simple_poll_get
1060
(mc.simple_poll), &config, NULL,
1061
NULL, &error);
1062
1063
/* Free the Avahi configuration data */
1064
avahi_server_config_free(&config);
1065
}
1066
1067
/* Check if creating the Avahi server object succeeded */
1068
if(mc.server == NULL) {
1069
fprintf(stderr, "Failed to create Avahi server: %s\n",
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1070
840
avahi_strerror(error));
1071
exitcode = EXIT_FAILURE;
1072
goto end;
841
returncode = EXIT_FAILURE;
842
goto exit;
1073
843
}
1074
844
1075
/* Create the Avahi service browser */
845
/* Create the service browser */
1076
846
sb = avahi_s_service_browser_new(mc.server, if_index,
1077
847
AVAHI_PROTO_INET6,
1078
848
"_mandos._tcp", NULL, 0,
1079
849
browse_callback, &mc);
1080
if(sb == NULL) {
850
if (!sb) {
1081
851
fprintf(stderr, "Failed to create service browser: %s\n",
1082
852
avahi_strerror(avahi_server_errno(mc.server)));
1083
exitcode = EXIT_FAILURE;
1084
goto end;
853
returncode = EXIT_FAILURE;
854
goto exit;
1085
855
}
1086
856
1087
857
/* Run the main loop */
1088
1089
if(debug){
1090
fprintf(stderr, "Starting Avahi loop search\n");
858
859
if (debug){
860
fprintf(stderr, "Starting avahi loop search\n");
1091
861
}
1092
862
1093
863
avahi_simple_poll_loop(mc.simple_poll);
1094
864
1095
end:
1096
1097
if(debug){
865
exit:
866
867
if (debug){
1098
868
fprintf(stderr, "%s exiting\n", argv[0]);
1099
869
}
1100
870
1101
871
/* Cleanup things */
1102
if(sb != NULL)
872
if (sb)
1103
873
avahi_s_service_browser_free(sb);
1104
874
1105
if(mc.server != NULL)
875
if (mc.server)
1106
876
avahi_server_free(mc.server);
1107
1108
if(mc.simple_poll != NULL)
877
878
if (mc.simple_poll)
1109
879
avahi_simple_poll_free(mc.simple_poll);
1110
1111
if(gnutls_initialized){
1112
gnutls_certificate_free_credentials(mc.cred);
1113
gnutls_global_deinit();
1114
gnutls_dh_params_deinit(mc.dh_params);
1115
}
1116
1117
if(gpgme_initialized){
1118
gpgme_release(mc.ctx);
1119
}
1120
1121
/* Removes the temp directory used by GPGME */
1122
if(tempdir_created){
1123
DIR *d;
1124
struct dirent *direntry;
1125
d = opendir(tempdir);
1126
if(d == NULL){
1127
if(errno != ENOENT){
1128
perror("opendir");
1129
}
1130
} else {
1131
while(true){
1132
direntry = readdir(d);
1133
if(direntry == NULL){
1134
break;
1135
}
1136
/* Skip "." and ".." */
1137
if(direntry->d_name[0] == '.'
1138
and (direntry->d_name[1] == '\0'
1139
or (direntry->d_name[1] == '.'
1140
and direntry->d_name[2] == '\0'))){
1141
continue;
1142
}
1143
char *fullname = NULL;
1144
ret = asprintf(&fullname, "%s/%s", tempdir,
1145
direntry->d_name);
1146
if(ret < 0){
1147
perror("asprintf");
1148
continue;
1149
}
1150
ret = remove(fullname);
1151
if(ret == -1){
1152
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1153
strerror(errno));
1154
}
1155
free(fullname);
1156
}
1157
closedir(d);
1158
}
1159
ret = rmdir(tempdir);
1160
if(ret == -1 and errno != ENOENT){
1161
perror("rmdir");
1162
}
1163
}
1164
1165
return exitcode;
880
free(pubkeyfile);
881
free(seckeyfile);
882
883
return returncode;
1166
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0