/mandos/release : revision 39

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

35

#include <stdio.h>

38

36

#include <assert.h>

39

37

#include <stdlib.h>

51

49

#include <avahi-common/malloc.h>

52

50

#include <avahi-common/error.h>

53

51

54

/* Mandos client part */

52

//mandos client part

55

53

#include <sys/types.h> /* socket(), inet_pton() */

56

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

57

55

struct in6_addr, inet_pton() */

64

62

#include <string.h> /* memset */

65

63

#include <arpa/inet.h> /* inet_pton() */

66

64

#include <iso646.h> /* not */

67

#include <net/if.h> /* IF_NAMESIZE */

68

#include <argp.h> /* struct argp_option,

69

struct argp_state, struct argp,

70

argp_parse() */

71

/* GPGME */

65

66

// gpgme

72

67

#include <errno.h> /* perror() */

73

68

#include <gpgme.h>

74

69

70

// getopt_long

71

#include <getopt.h>

72

75

73

#define BUFFER_SIZE 256

76

74

75

static const char *keydir = "/conf/conf.d/mandos";

76

static const char *pubkeyfile = "pubkey.txt";

77

static const char *seckeyfile = "seckey.txt";

78

77

79

bool debug = false;

78

static const char *keydir = "/conf/conf.d/mandos";

79

const char *argp_program_version = "mandosclient 0.9";

80

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

81

static const char mandos_protocol_version[] = "1";

82

80

83

/* Used for passing in values through the Avahi callback functions */

81

/* Used for passing in values through all the callback functions */

84

82

typedef struct {

85

83

AvahiSimplePoll *simple_poll;

86

84

AvahiServer *server;

87

85

gnutls_certificate_credentials_t cred;

88

86

unsigned int dh_bits;

89

gnutls_dh_params_t dh_params;

90

87

const char *priority;

91

88

} mandos_context;

92

89

93

/* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

94

* "buffer_capacity" is how much is currently allocated,

95

* "buffer_length" is how much is already used. */

96

size_t adjustbuffer(char **buffer, size_t buffer_length,

97

size_t buffer_capacity){

98

if (buffer_length + BUFFER_SIZE > buffer_capacity){

99

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

100

if (buffer == NULL){

101

return 0;

102

}

103

buffer_capacity += BUFFER_SIZE;

104

}

105

return buffer_capacity;

106

}

107

108

90

/*

109

91

* Decrypt OpenPGP data using keyrings in HOMEDIR.

110

92

* Returns -1 on error

117

99

gpgme_ctx_t ctx;

118

100

gpgme_error_t rc;

119

101

ssize_t ret;

120

size_t plaintext_capacity = 0;

102

ssize_t plaintext_capacity = 0;

121

103

ssize_t plaintext_length = 0;

122

104

gpgme_engine_info_t engine_info;

123

105

233

215

234

216

*plaintext = NULL;

235

217

while(true){

236

plaintext_capacity = adjustbuffer(plaintext,

237

(size_t)plaintext_length,

238

plaintext_capacity);

239

if (plaintext_capacity == 0){

240

perror("adjustbuffer");

218

if (plaintext_length + BUFFER_SIZE > plaintext_capacity){

219

*plaintext = realloc(*plaintext,

220

(unsigned int)plaintext_capacity

221

+ BUFFER_SIZE);

222

if (*plaintext == NULL){

223

perror("realloc");

241

224

plaintext_length = -1;

242

225

goto decrypt_end;

226

}

227

plaintext_capacity += BUFFER_SIZE;

243

228

}

244

229

245

230

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

259

244

260

245

if(debug){

261

246

fprintf(stderr, "Decrypted password is: ");

262

for(ssize_t i = 0; i < plaintext_length; i++){

247

for(size_t i = 0; i < plaintext_length; i++){

263

248

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

264

249

}

265

250

fprintf(stderr, "\n");

282

267

return ret;

283

268

}

284

269

285

/* GnuTLS log function callback */

286

270

static void debuggnutls(__attribute__((unused)) int level,

287

271

const char* string){

288

fprintf(stderr, "GnuTLS: %s", string);

272

fprintf(stderr, "%s", string);

289

273

}

290

274

291

static int init_gnutls_global(mandos_context *mc,

292

const char *pubkeyfile,

293

const char *seckeyfile){

275

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

276

gnutls_dh_params_t *dh_params){

277

const char *err;

294

278

int ret;

295

279

296

280

if(debug){

299

283

300

284

if ((ret = gnutls_global_init ())

301

285

!= GNUTLS_E_SUCCESS) {

302

fprintf (stderr, "GnuTLS global_init: %s\n",

303

safer_gnutls_strerror(ret));

286

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

304

287

return -1;

305

288

}

306

289

307

290

if (debug){

308

/* "Use a log level over 10 to enable all debugging options."

309

* - GnuTLS manual

310

*/

311

291

gnutls_global_set_log_level(11);

312

292

gnutls_global_set_log_function(debuggnutls);

313

293

}

314

294

315

/* OpenPGP credentials */

295

/* openpgp credentials */

316

296

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

317

297

!= GNUTLS_E_SUCCESS) {

318

fprintf (stderr, "GnuTLS memory error: %s\n",

298

fprintf (stderr, "memory error: %s\n",

319

299

safer_gnutls_strerror(ret));

320

300

return -1;

321

301

}

329

309

ret = gnutls_certificate_set_openpgp_key_file

330

310

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

331

311

if (ret != GNUTLS_E_SUCCESS) {

332

fprintf(stderr,

333

"Error[%d] while reading the OpenPGP key pair ('%s',"

334

" '%s')\n", ret, pubkeyfile, seckeyfile);

335

fprintf(stdout, "The GnuTLS error is: %s\n",

312

fprintf

313

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

314

" '%s')\n",

315

ret, pubkeyfile, seckeyfile);

316

fprintf(stdout, "The Error is: %s\n",

336

317

safer_gnutls_strerror(ret));

337

318

return -1;

338

319

}

339

320

340

/* GnuTLS server initialization */

341

ret = gnutls_dh_params_init(&mc->dh_params);

342

if (ret != GNUTLS_E_SUCCESS) {

343

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

344

" %s\n", safer_gnutls_strerror(ret));

345

return -1;

346

}

347

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

348

if (ret != GNUTLS_E_SUCCESS) {

349

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

350

safer_gnutls_strerror(ret));

351

return -1;

352

}

353

354

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

355

356

return 0;

357

}

358

359

static int init_gnutls_session(mandos_context *mc,

360

gnutls_session_t *session){

361

int ret;

362

/* GnuTLS session creation */

363

ret = gnutls_init(session, GNUTLS_SERVER);

364

if (ret != GNUTLS_E_SUCCESS){

321

//GnuTLS server initialization

322

if ((ret = gnutls_dh_params_init(dh_params))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf (stderr, "Error in dh parameter initialization: %s\n",

325

safer_gnutls_strerror(ret));

326

return -1;

327

}

328

329

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf (stderr, "Error in prime generation: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

337

338

// GnuTLS session creation

339

if ((ret = gnutls_init(session, GNUTLS_SERVER))

340

!= GNUTLS_E_SUCCESS){

365

341

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

366

342

safer_gnutls_strerror(ret));

367

343

}

368

344

369

{

370

const char *err;

371

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

372

if (ret != GNUTLS_E_SUCCESS) {

373

fprintf(stderr, "Syntax error at: %s\n", err);

374

fprintf(stderr, "GnuTLS error: %s\n",

375

safer_gnutls_strerror(ret));

376

return -1;

377

}

345

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

346

!= GNUTLS_E_SUCCESS) {

347

fprintf(stderr, "Syntax error at: %s\n", err);

348

fprintf(stderr, "GnuTLS error: %s\n",

349

safer_gnutls_strerror(ret));

350

return -1;

378

351

}

379

352

380

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

381

mc->cred);

382

if (ret != GNUTLS_E_SUCCESS) {

383

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

353

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

354

mc->cred))

355

!= GNUTLS_E_SUCCESS) {

356

fprintf(stderr, "Error setting a credentials set: %s\n",

384

357

safer_gnutls_strerror(ret));

385

358

return -1;

386

359

}

394

367

return 0;

395

368

}

396

369

397

/* Avahi log function callback */

398

370

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

399

371

__attribute__((unused)) const char *txt){}

400

372

401

/* Called when a Mandos server is found */

402

373

static int start_mandos_communication(const char *ip, uint16_t port,

403

374

AvahiIfIndex if_index,

404

375

mandos_context *mc){

405

376

int ret, tcp_sd;

406

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

377

struct sockaddr_in6 to;

407

378

char *buffer = NULL;

408

379

char *decrypted_buffer;

409

380

size_t buffer_length = 0;

410

381

size_t buffer_capacity = 0;

411

382

ssize_t decrypted_buffer_size;

412

size_t written;

383

size_t written = 0;

413

384

int retval = 0;

414

385

char interface[IF_NAMESIZE];

415

386

gnutls_session_t session;

416

417

ret = init_gnutls_session (mc, &session);

418

if (ret != 0){

419

return -1;

420

}

387

gnutls_dh_params_t dh_params;

421

388

422

389

if(debug){

423

390

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

439

406

}

440

407

441

408

memset(&to,0,sizeof(to)); /* Spurious warning */

442

to.in6.sin6_family = AF_INET6;

443

/* It would be nice to have a way to detect if we were passed an

444

IPv4 address here. Now we assume an IPv6 address. */

445

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

409

to.sin6_family = AF_INET6;

410

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

446

411

if (ret < 0 ){

447

412

perror("inet_pton");

448

413

return -1;

451

416

fprintf(stderr, "Bad address: %s\n", ip);

452

417

return -1;

453

418

}

454

to.in6.sin6_port = htons(port); /* Spurious warning */

419

to.sin6_port = htons(port); /* Spurious warning */

455

420

456

to.in6.sin6_scope_id = (uint32_t)if_index;

421

to.sin6_scope_id = (uint32_t)if_index;

457

422

458

423

if(debug){

459

424

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

460

425

char addrstr[INET6_ADDRSTRLEN] = "";

461

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

426

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

462

427

sizeof(addrstr)) == NULL){

463

428

perror("inet_ntop");

464

429

} else {

468

433

}

469

434

}

470

435

471

ret = connect(tcp_sd, &to.in, sizeof(to));

436

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

472

437

if (ret < 0){

473

438

perror("connect");

474

439

return -1;

475

440

}

476

477

const char *out = mandos_protocol_version;

478

written = 0;

479

while (true){

480

size_t out_size = strlen(out);

481

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

482

out_size - written));

483

if (ret == -1){

484

perror("write");

485

retval = -1;

486

goto mandos_end;

487

}

488

written += (size_t)ret;

489

if(written < out_size){

490

continue;

491

} else {

492

if (out == mandos_protocol_version){

493

written = 0;

494

out = "\r\n";

495

} else {

496

break;

497

}

498

}

441

442

ret = initgnutls (mc, &session, &dh_params);

443

if (ret != 0){

444

retval = -1;

445

return -1;

499

446

}

500

447

448

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

449

501

450

if(debug){

502

451

fprintf(stderr, "Establishing TLS session with %s\n", ip);

503

452

}

504

453

505

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

506

507

454

ret = gnutls_handshake (session);

508

455

509

456

if (ret != GNUTLS_E_SUCCESS){

510

457

if(debug){

511

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

458

fprintf(stderr, "\n*** Handshake failed ***\n");

512

459

gnutls_perror (ret);

513

460

}

514

461

retval = -1;

515

goto mandos_end;

462

goto exit;

516

463

}

517

464

518

/* Read OpenPGP packet that contains the wanted password */

465

//Retrieve OpenPGP packet that contains the wanted password

519

466

520

467

if(debug){

521

468

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

523

470

}

524

471

525

472

while(true){

526

buffer_capacity = adjustbuffer(&buffer, buffer_length,

527

buffer_capacity);

528

if (buffer_capacity == 0){

529

perror("adjustbuffer");

530

retval = -1;

531

goto mandos_end;

473

if (buffer_length + BUFFER_SIZE > buffer_capacity){

474

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

475

if (buffer == NULL){

476

perror("realloc");

477

goto exit;

478

}

479

buffer_capacity += BUFFER_SIZE;

532

480

}

533

481

534

482

ret = gnutls_record_recv(session, buffer+buffer_length,

544

492

case GNUTLS_E_REHANDSHAKE:

545

493

ret = gnutls_handshake (session);

546

494

if (ret < 0){

547

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

495

fprintf(stderr, "\n*** Handshake failed ***\n");

548

496

gnutls_perror (ret);

549

497

retval = -1;

550

goto mandos_end;

498

goto exit;

551

499

}

552

500

break;

553

501

default:

554

502

fprintf(stderr, "Unknown error while reading data from"

555

" encrypted session with Mandos server\n");

503

" encrypted session with mandos server\n");

556

504

retval = -1;

557

505

gnutls_bye (session, GNUTLS_SHUT_RDWR);

558

goto mandos_end;

506

goto exit;

559

507

}

560

508

} else {

561

509

buffer_length += (size_t) ret;

562

510

}

563

511

}

564

512

565

if(debug){

566

fprintf(stderr, "Closing TLS session\n");

567

}

568

569

gnutls_bye (session, GNUTLS_SHUT_RDWR);

570

571

513

if (buffer_length > 0){

572

514

decrypted_buffer_size = pgp_packet_decrypt(buffer,

573

515

buffer_length,

574

516

&decrypted_buffer,

575

517

keydir);

576

518

if (decrypted_buffer_size >= 0){

577

written = 0;

578

519

while(written < (size_t) decrypted_buffer_size){

579

520

ret = (int)fwrite (decrypted_buffer + written, 1,

580

521

(size_t)decrypted_buffer_size - written,

594

535

retval = -1;

595

536

}

596

537

}

597

598

/* Shutdown procedure */

599

600

mandos_end:

538

539

//shutdown procedure

540

541

if(debug){

542

fprintf(stderr, "Closing TLS session\n");

543

}

544

601

545

free(buffer);

546

gnutls_bye (session, GNUTLS_SHUT_RDWR);

547

exit:

602

548

close(tcp_sd);

603

549

gnutls_deinit (session);

604

550

gnutls_certificate_free_credentials (mc->cred);

629

575

switch (event) {

630

576

default:

631

577

case AVAHI_RESOLVER_FAILURE:

632

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

633

" of type '%s' in domain '%s': %s\n", name, type, domain,

578

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

579

" type '%s' in domain '%s': %s\n", name, type, domain,

634

580

avahi_strerror(avahi_server_errno(mc->server)));

635

581

break;

636

582

639

585

char ip[AVAHI_ADDRESS_STR_MAX];

640

586

avahi_address_snprint(ip, sizeof(ip), address);

641

587

if(debug){

642

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

643

" port %d\n", name, host_name, ip, interface, port);

588

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

589

" port %d\n", name, host_name, ip, port);

644

590

}

645

591

int ret = start_mandos_communication(ip, port, interface, mc);

646

592

if (ret == 0){

671

617

default:

672

618

case AVAHI_BROWSER_FAILURE:

673

619

674

fprintf(stderr, "(Avahi browser) %s\n",

620

fprintf(stderr, "(Browser) %s\n",

675

621

avahi_strerror(avahi_server_errno(mc->server)));

676

622

avahi_simple_poll_quit(mc->simple_poll);

677

623

return;

678

624

679

625

case AVAHI_BROWSER_NEW:

680

/* We ignore the returned Avahi resolver object. In the callback

681

function we free it. If the Avahi server is terminated before

682

the callback function is called the Avahi server will free the

683

resolver for us. */

626

/* We ignore the returned resolver object. In the callback

627

function we free it. If the server is terminated before

628

the callback function is called the server will free

629

the resolver for us. */

684

630

685

631

if (!(avahi_s_service_resolver_new(mc->server, interface,

686

632

protocol, name, type, domain,

687

633

AVAHI_PROTO_INET6, 0,

688

634

resolve_callback, mc)))

689

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

690

name, avahi_strerror(avahi_server_errno(mc->server)));

635

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

636

avahi_strerror(avahi_server_errno(mc->server)));

691

637

break;

692

638

693

639

case AVAHI_BROWSER_REMOVE:

695

641

696

642

case AVAHI_BROWSER_ALL_FOR_NOW:

697

643

case AVAHI_BROWSER_CACHE_EXHAUSTED:

698

if(debug){

699

fprintf(stderr, "No Mandos server found, still searching...\n");

700

}

701

644

break;

702

645

}

703

646

}

723

666

}

724

667

725

668

726

int main(int argc, char *argv[]){

669

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

670

AvahiServerConfig config;

727

671

AvahiSServiceBrowser *sb = NULL;

728

672

int error;

729

673

int ret;

730

int exitcode = EXIT_SUCCESS;

674

int debug_int;

675

int returncode = EXIT_SUCCESS;

731

676

const char *interface = "eth0";

732

677

struct ifreq network;

733

678

int sd;

734

uid_t uid;

735

gid_t gid;

736

679

char *connect_to = NULL;

737

680

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

738

const char *pubkeyfile = "pubkey.txt";

739

const char *seckeyfile = "seckey.txt";

740

681

mandos_context mc = { .simple_poll = NULL, .server = NULL,

741

682

.dh_bits = 1024, .priority = "SECURE256"};

742

683

743

{

744

struct argp_option options[] = {

745

{ .name = "debug", .key = 128,

746

.doc = "Debug mode", .group = 3 },

747

{ .name = "connect", .key = 'c',

748

.arg = "IP",

749

.doc = "Connect directly to a sepcified mandos server",

750

.group = 1 },

751

{ .name = "interface", .key = 'i',

752

.arg = "INTERFACE",

753

.doc = "Interface that Avahi will conntect through",

754

.group = 1 },

755

{ .name = "keydir", .key = 'd',

756

.arg = "KEYDIR",

757

.doc = "Directory where the openpgp keyring is",

758

.group = 1 },

759

{ .name = "seckey", .key = 's',

760

.arg = "SECKEY",

761

.doc = "Secret openpgp key for gnutls authentication",

762

.group = 1 },

763

{ .name = "pubkey", .key = 'p',

764

.arg = "PUBKEY",

765

.doc = "Public openpgp key for gnutls authentication",

766

.group = 2 },

767

{ .name = "dh-bits", .key = 129,

768

.arg = "BITS",

769

.doc = "dh-bits to use in gnutls communication",

770

.group = 2 },

771

{ .name = "priority", .key = 130,

772

.arg = "PRIORITY",

773

.doc = "GNUTLS priority", .group = 1 },

774

{ .name = NULL }

775

};

776

777

778

error_t parse_opt (int key, char *arg,

779

struct argp_state *state) {

780

/* Get the INPUT argument from `argp_parse', which we know is

781

a pointer to our plugin list pointer. */

782

switch (key) {

783

case 128:

784

debug = true;

785

break;

786

case 'c':

787

connect_to = arg;

788

break;

789

case 'i':

790

interface = arg;

791

break;

792

case 'd':

793

keydir = arg;

794

break;

795

case 's':

796

seckeyfile = arg;

797

break;

798

case 'p':

799

pubkeyfile = arg;

800

break;

801

case 129:

802

errno = 0;

803

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

804

if (errno){

805

perror("strtol");

806

exit(EXIT_FAILURE);

807

}

808

break;

809

case 130:

810

mc.priority = arg;

811

break;

812

case ARGP_KEY_ARG:

813

argp_usage (state);

814

break;

815

case ARGP_KEY_END:

816

break;

817

default:

818

return ARGP_ERR_UNKNOWN;

684

debug_int = debug ? 1 : 0;

685

while (true){

686

struct option long_options[] = {

687

{"debug", no_argument, &debug_int, 1},

688

{"connect", required_argument, NULL, 'c'},

689

{"interface", required_argument, NULL, 'i'},

690

{"keydir", required_argument, NULL, 'd'},

691

{"seckey", required_argument, NULL, 's'},

692

{"pubkey", required_argument, NULL, 'p'},

693

{"dh-bits", required_argument, NULL, 'D'},

694

{"priority", required_argument, NULL, 'P'},

695

{0, 0, 0, 0} };

696

697

int option_index = 0;

698

ret = getopt_long (argc, argv, "i:", long_options,

699

&option_index);

700

701

if (ret == -1){

702

break;

703

}

704

705

switch(ret){

706

case 0:

707

break;

708

case 'i':

709

interface = optarg;

710

break;

711

case 'c':

712

connect_to = optarg;

713

break;

714

case 'd':

715

keydir = optarg;

716

break;

717

case 'p':

718

pubkeyfile = optarg;

719

break;

720

case 's':

721

seckeyfile = optarg;

722

break;

723

case 'D':

724

errno = 0;

725

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

726

if (errno){

727

perror("strtol");

728

exit(EXIT_FAILURE);

819

729

}

820

return 0;

730

break;

731

case 'P':

732

mc.priority = optarg;

733

break;

734

case '?':

735

default:

736

exit(EXIT_FAILURE);

821

737

}

822

823

struct argp argp = { .options = options, .parser = parse_opt,

824

.args_doc = "",

825

.doc = "Mandos client -- Get and decrypt"

826

" passwords from mandos server" };

827

argp_parse (&argp, argc, argv, 0, 0, NULL);

828

738

}

829

739

debug = debug_int ? true : false;

740

830

741

pubkeyfile = combinepath(keydir, pubkeyfile);

831

742

if (pubkeyfile == NULL){

832

743

perror("combinepath");

833

exitcode = EXIT_FAILURE;

834

goto end;

744

returncode = EXIT_FAILURE;

745

goto exit;

835

746

}

836

747

837

748

seckeyfile = combinepath(keydir, seckeyfile);

838

749

if (seckeyfile == NULL){

839

750

perror("combinepath");

840

goto end;

841

}

842

843

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

844

if (ret == -1){

845

fprintf(stderr, "init_gnutls_global\n");

846

goto end;

847

}

848

849

uid = getuid();

850

gid = getgid();

851

852

ret = setuid(uid);

853

if (ret == -1){

854

perror("setuid");

855

}

856

857

setgid(gid);

858

if (ret == -1){

859

perror("setgid");

751

goto exit;

860

752

}

861

753

862

754

if_index = (AvahiIfIndex) if_nametoindex(interface);

871

763

char *address = strrchr(connect_to, ':');

872

764

if(address == NULL){

873

765

fprintf(stderr, "No colon in address\n");

874

exitcode = EXIT_FAILURE;

875

goto end;

766

exit(EXIT_FAILURE);

876

767

}

877

768

errno = 0;

878

769

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

879

770

if(errno){

880

771

perror("Bad port number");

881

exitcode = EXIT_FAILURE;

882

goto end;

772

exit(EXIT_FAILURE);

883

773

}

884

774

*address = '\0';

885

775

address = connect_to;

886

776

ret = start_mandos_communication(address, port, if_index, &mc);

887

777

if(ret < 0){

888

exitcode = EXIT_FAILURE;

778

exit(EXIT_FAILURE);

889

779

} else {

890

exitcode = EXIT_SUCCESS;

780

exit(EXIT_SUCCESS);

891

781

}

892

goto end;

893

782

}

894

783

895

/* If the interface is down, bring it up */

896

{

897

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

898

if(sd < 0) {

899

perror("socket");

900

exitcode = EXIT_FAILURE;

901

goto end;

902

}

903

strcpy(network.ifr_name, interface); /* Spurious warning */

904

ret = ioctl(sd, SIOCGIFFLAGS, &network);

784

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

785

if(sd < 0) {

786

perror("socket");

787

returncode = EXIT_FAILURE;

788

goto exit;

789

}

790

strcpy(network.ifr_name, interface); /* Spurious warning */

791

ret = ioctl(sd, SIOCGIFFLAGS, &network);

792

if(ret == -1){

793

794

perror("ioctl SIOCGIFFLAGS");

795

returncode = EXIT_FAILURE;

796

goto exit;

797

}

798

if((network.ifr_flags & IFF_UP) == 0){

799

network.ifr_flags |= IFF_UP;

800

ret = ioctl(sd, SIOCSIFFLAGS, &network);

905

801

if(ret == -1){

906

perror("ioctl SIOCGIFFLAGS");

907

exitcode = EXIT_FAILURE;

908

goto end;

909

}

910

if((network.ifr_flags & IFF_UP) == 0){

911

network.ifr_flags |= IFF_UP;

912

ret = ioctl(sd, SIOCSIFFLAGS, &network);

913

if(ret == -1){

914

perror("ioctl SIOCSIFFLAGS");

915

exitcode = EXIT_FAILURE;

916

goto end;

917

}

918

}

919

close(sd);

802

perror("ioctl SIOCSIFFLAGS");

803

returncode = EXIT_FAILURE;

804

goto exit;

805

}

920

806

}

807

close(sd);

921

808

922

809

if (not debug){

923

810

avahi_set_log_function(empty_log);

924

811

}

925

812

926

/* Initialize the pseudo-RNG for Avahi */

813

/* Initialize the psuedo-RNG */

927

814

srand((unsigned int) time(NULL));

928

929

/* Allocate main Avahi loop object */

930

mc.simple_poll = avahi_simple_poll_new();

931

if (mc.simple_poll == NULL) {

932

fprintf(stderr, "Avahi: Failed to create simple poll"

933

" object.\n");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

938

{

939

AvahiServerConfig config;

940

/* Do not publish any local Zeroconf records */

941

avahi_server_config_init(&config);

942

config.publish_hinfo = 0;

943

config.publish_addresses = 0;

944

config.publish_workstation = 0;

945

config.publish_domain = 0;

946

947

/* Allocate a new server */

948

mc.server = avahi_server_new(avahi_simple_poll_get

949

(mc.simple_poll), &config, NULL,

950

NULL, &error);

951

952

/* Free the Avahi configuration data */

953

avahi_server_config_free(&config);

954

}

955

956

/* Check if creating the Avahi server object succeeded */

957

if (mc.server == NULL) {

958

fprintf(stderr, "Failed to create Avahi server: %s\n",

815

816

/* Allocate main loop object */

817

if (!(mc.simple_poll = avahi_simple_poll_new())) {

818

fprintf(stderr, "Failed to create simple poll object.\n");

819

returncode = EXIT_FAILURE;

820

goto exit;

821

}

822

823

/* Do not publish any local records */

824

avahi_server_config_init(&config);

825

config.publish_hinfo = 0;

826

config.publish_addresses = 0;

827

config.publish_workstation = 0;

828

config.publish_domain = 0;

829

830

/* Allocate a new server */

831

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

832

&config, NULL, NULL, &error);

833

834

/* Free the configuration data */

835

avahi_server_config_free(&config);

836

837

/* Check if creating the server object succeeded */

838

if (!mc.server) {

839

fprintf(stderr, "Failed to create server: %s\n",

959

840

avahi_strerror(error));

960

exitcode = EXIT_FAILURE;

961

goto end;

841

returncode = EXIT_FAILURE;

842

goto exit;

962

843

}

963

844

964

/* Create the Avahi service browser */

845

/* Create the service browser */

965

846

sb = avahi_s_service_browser_new(mc.server, if_index,

966

847

AVAHI_PROTO_INET6,

967

848

"_mandos._tcp", NULL, 0,

968

849

browse_callback, &mc);

969

if (sb == NULL) {

850

if (!sb) {

970

851

fprintf(stderr, "Failed to create service browser: %s\n",

971

852

avahi_strerror(avahi_server_errno(mc.server)));

972

exitcode = EXIT_FAILURE;

973

goto end;

853

returncode = EXIT_FAILURE;

854

goto exit;

974

855

}

975

856

976

857

/* Run the main loop */

977

858

978

859

if (debug){

979

fprintf(stderr, "Starting Avahi loop search\n");

860

fprintf(stderr, "Starting avahi loop search\n");

980

861

}

981

862

982

863

avahi_simple_poll_loop(mc.simple_poll);

983

864

984

end:

865

exit:

985

866

986

867

if (debug){

987

868

fprintf(stderr, "%s exiting\n", argv[0]);

988

869

}

989

870

990

871

/* Cleanup things */

991

if (sb != NULL)

872

if (sb)

992

873

avahi_s_service_browser_free(sb);

993

874

994

if (mc.server != NULL)

875

if (mc.server)

995

876

avahi_server_free(mc.server);

996

877

997

if (mc.simple_poll != NULL)

878

if (mc.simple_poll)

998

879

avahi_simple_poll_free(mc.simple_poll);

999

880

free(pubkeyfile);

1000

881

free(seckeyfile);

1001

882

1002

return exitcode;

883

return returncode;

1003

884

}