To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- ca.pem
- files removed:
- initramfs-tools-hook
- files renamed:
- mandos-client.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
54
connect() */
55
#include <assert.h> /* assert() */
56
#include <errno.h> /* perror(), errno */
57
#include <time.h> /* time() */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
58
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
SIOCSIFFLAGS, if_indextoname(),
60
if_nametoindex(), IF_NAMESIZE */
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
65
#include <arpa/inet.h> /* inet_pton(), htons */
66
#include <iso646.h> /* not, and */
67
#include <argp.h> /* struct argp_option, error_t, struct
68
argp_state, struct argp,
69
argp_parse(), ARGP_KEY_ARG,
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
43
SIOCSIFFLAGS */
71
44
72
/* Avahi */
73
/* All Avahi types, constants and functions
74
Avahi*, avahi_*,
75
AVAHI_* */
76
45
#include <avahi-core/core.h>
77
46
#include <avahi-core/lookup.h>
78
47
#include <avahi-core/log.h>
80
49
#include <avahi-common/malloc.h>
81
50
#include <avahi-common/error.h>
82
51
83
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
85
gnutls_*
86
init_gnutls_session(),
87
GNUTLS_* */
88
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
89
GNUTLS_OPENPGP_FMT_BASE64 */
90
91
/* GPGME */
92
#include <gpgme.h> /* All GPGME types, constants and functions
93
gpgme_*
94
GPGME_PROTOCOL_OpenPGP,
95
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
96
72
97
73
#define BUFFER_SIZE 256
98
74
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
78
99
79
bool debug = false;
100
static const char *keydir = "/conf/conf.d/mandos";
101
static const char mandos_protocol_version[] = "1";
102
const char *argp_program_version = "password-request 1.0";
103
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
104
80
105
/* Used for passing in values through the Avahi callback functions */
81
/* Used for passing in values through all the callback functions */
106
82
typedef struct {
107
83
AvahiSimplePoll *simple_poll;
108
84
AvahiServer *server;
109
85
gnutls_certificate_credentials_t cred;
110
86
unsigned int dh_bits;
111
gnutls_dh_params_t dh_params;
112
87
const char *priority;
113
88
} mandos_context;
114
89
115
/*
116
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
117
* "buffer_capacity" is how much is currently allocated,
118
* "buffer_length" is how much is already used.
119
*/
120
size_t adjustbuffer(char **buffer, size_t buffer_length,
121
size_t buffer_capacity){
122
if (buffer_length + BUFFER_SIZE > buffer_capacity){
123
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
124
if (buffer == NULL){
125
return 0;
126
}
127
buffer_capacity += BUFFER_SIZE;
128
}
129
return buffer_capacity;
130
}
131
132
90
/*
133
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
134
92
* Returns -1 on error
141
99
gpgme_ctx_t ctx;
142
100
gpgme_error_t rc;
143
101
ssize_t ret;
144
size_t plaintext_capacity = 0;
102
ssize_t plaintext_capacity = 0;
145
103
ssize_t plaintext_length = 0;
146
104
gpgme_engine_info_t engine_info;
147
105
227
185
} else {
228
186
fprintf(stderr, "Unsupported algorithm: %s\n",
229
187
result->unsupported_algorithm);
230
fprintf(stderr, "Wrong key usage: %u\n",
188
fprintf(stderr, "Wrong key usage: %d\n",
231
189
result->wrong_key_usage);
232
190
if(result->file_name != NULL){
233
191
fprintf(stderr, "File name: %s\n", result->file_name);
257
215
258
216
*plaintext = NULL;
259
217
while(true){
260
plaintext_capacity = adjustbuffer(plaintext,
261
(size_t)plaintext_length,
262
plaintext_capacity);
263
if (plaintext_capacity == 0){
264
perror("adjustbuffer");
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
265
224
plaintext_length = -1;
266
225
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
267
228
}
268
229
269
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
283
244
284
245
if(debug){
285
246
fprintf(stderr, "Decrypted password is: ");
286
for(ssize_t i = 0; i < plaintext_length; i++){
247
for(size_t i = 0; i < plaintext_length; i++){
287
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
288
249
}
289
250
fprintf(stderr, "\n");
306
267
return ret;
307
268
}
308
269
309
/* GnuTLS log function callback */
310
270
static void debuggnutls(__attribute__((unused)) int level,
311
271
const char* string){
312
fprintf(stderr, "GnuTLS: %s", string);
272
fprintf(stderr, "%s", string);
313
273
}
314
274
315
static int init_gnutls_global(mandos_context *mc,
316
const char *pubkeyfile,
317
const char *seckeyfile){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
318
278
int ret;
319
279
320
280
if(debug){
321
281
fprintf(stderr, "Initializing GnuTLS\n");
322
282
}
323
324
ret = gnutls_global_init();
325
if (ret != GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "GnuTLS global_init: %s\n",
327
safer_gnutls_strerror(ret));
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
328
287
return -1;
329
288
}
330
289
331
290
if (debug){
332
/* "Use a log level over 10 to enable all debugging options."
333
* - GnuTLS manual
334
*/
335
291
gnutls_global_set_log_level(11);
336
292
gnutls_global_set_log_function(debuggnutls);
337
293
}
338
294
339
/* OpenPGP credentials */
340
gnutls_certificate_allocate_credentials(&mc->cred);
341
if (ret != GNUTLS_E_SUCCESS){
342
fprintf (stderr, "GnuTLS memory error: %s\n",
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
343
299
safer_gnutls_strerror(ret));
344
gnutls_global_deinit ();
345
300
return -1;
346
301
}
347
302
354
309
ret = gnutls_certificate_set_openpgp_key_file
355
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
356
311
if (ret != GNUTLS_E_SUCCESS) {
357
fprintf(stderr,
358
"Error[%d] while reading the OpenPGP key pair ('%s',"
359
" '%s')\n", ret, pubkeyfile, seckeyfile);
360
fprintf(stdout, "The GnuTLS error is: %s\n",
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
361
317
safer_gnutls_strerror(ret));
362
goto globalfail;
363
}
364
365
/* GnuTLS server initialization */
366
ret = gnutls_dh_params_init(&mc->dh_params);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
369
" %s\n", safer_gnutls_strerror(ret));
370
goto globalfail;
371
}
372
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
373
if (ret != GNUTLS_E_SUCCESS) {
374
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
375
safer_gnutls_strerror(ret));
376
goto globalfail;
377
}
378
379
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
380
381
return 0;
382
383
globalfail:
384
385
gnutls_certificate_free_credentials(mc->cred);
386
gnutls_global_deinit();
387
return -1;
388
389
}
390
391
static int init_gnutls_session(mandos_context *mc,
392
gnutls_session_t *session){
393
int ret;
394
/* GnuTLS session creation */
395
ret = gnutls_init(session, GNUTLS_SERVER);
396
if (ret != GNUTLS_E_SUCCESS){
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
397
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
398
342
safer_gnutls_strerror(ret));
399
343
}
400
344
401
{
402
const char *err;
403
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
404
if (ret != GNUTLS_E_SUCCESS) {
405
fprintf(stderr, "Syntax error at: %s\n", err);
406
fprintf(stderr, "GnuTLS error: %s\n",
407
safer_gnutls_strerror(ret));
408
gnutls_deinit (*session);
409
return -1;
410
}
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
411
351
}
412
352
413
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
414
mc->cred);
415
if (ret != GNUTLS_E_SUCCESS) {
416
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
417
357
safer_gnutls_strerror(ret));
418
gnutls_deinit (*session);
419
358
return -1;
420
359
}
421
360
428
367
return 0;
429
368
}
430
369
431
/* Avahi log function callback */
432
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
433
371
__attribute__((unused)) const char *txt){}
434
372
435
/* Called when a Mandos server is found */
436
373
static int start_mandos_communication(const char *ip, uint16_t port,
437
374
AvahiIfIndex if_index,
438
375
mandos_context *mc){
439
376
int ret, tcp_sd;
440
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
377
struct sockaddr_in6 to;
441
378
char *buffer = NULL;
442
379
char *decrypted_buffer;
443
380
size_t buffer_length = 0;
444
381
size_t buffer_capacity = 0;
445
382
ssize_t decrypted_buffer_size;
446
size_t written;
383
size_t written = 0;
447
384
int retval = 0;
448
385
char interface[IF_NAMESIZE];
449
386
gnutls_session_t session;
450
451
ret = init_gnutls_session (mc, &session);
452
if (ret != 0){
453
return -1;
454
}
387
gnutls_dh_params_t dh_params;
455
388
456
389
if(debug){
457
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
458
"\n", ip, port);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
459
392
}
460
393
461
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
473
406
}
474
407
475
408
memset(&to,0,sizeof(to)); /* Spurious warning */
476
to.in6.sin6_family = AF_INET6;
477
/* It would be nice to have a way to detect if we were passed an
478
IPv4 address here. Now we assume an IPv6 address. */
479
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
480
411
if (ret < 0 ){
481
412
perror("inet_pton");
482
413
return -1;
485
416
fprintf(stderr, "Bad address: %s\n", ip);
486
417
return -1;
487
418
}
488
to.in6.sin6_port = htons(port); /* Spurious warning */
419
to.sin6_port = htons(port); /* Spurious warning */
489
420
490
to.in6.sin6_scope_id = (uint32_t)if_index;
421
to.sin6_scope_id = (uint32_t)if_index;
491
422
492
423
if(debug){
493
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
494
port);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
495
425
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
497
427
sizeof(addrstr)) == NULL){
498
428
perror("inet_ntop");
499
429
} else {
503
433
}
504
434
}
505
435
506
ret = connect(tcp_sd, &to.in, sizeof(to));
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
507
437
if (ret < 0){
508
438
perror("connect");
509
439
return -1;
510
440
}
511
512
const char *out = mandos_protocol_version;
513
written = 0;
514
while (true){
515
size_t out_size = strlen(out);
516
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
517
out_size - written));
518
if (ret == -1){
519
perror("write");
520
retval = -1;
521
goto mandos_end;
522
}
523
written += (size_t)ret;
524
if(written < out_size){
525
continue;
526
} else {
527
if (out == mandos_protocol_version){
528
written = 0;
529
out = "\r\n";
530
} else {
531
break;
532
}
533
}
441
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
534
446
}
535
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
536
450
if(debug){
537
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
452
}
539
453
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
454
ret = gnutls_handshake (session);
545
455
546
456
if (ret != GNUTLS_E_SUCCESS){
547
457
if(debug){
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
458
fprintf(stderr, "\n*** Handshake failed ***\n");
549
459
gnutls_perror (ret);
550
460
}
551
461
retval = -1;
552
goto mandos_end;
462
goto exit;
553
463
}
554
464
555
/* Read OpenPGP packet that contains the wanted password */
465
//Retrieve OpenPGP packet that contains the wanted password
556
466
557
467
if(debug){
558
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
560
470
}
561
471
562
472
while(true){
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
565
if (buffer_capacity == 0){
566
perror("adjustbuffer");
567
retval = -1;
568
goto mandos_end;
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
569
480
}
570
481
571
482
ret = gnutls_record_recv(session, buffer+buffer_length,
579
490
case GNUTLS_E_AGAIN:
580
491
break;
581
492
case GNUTLS_E_REHANDSHAKE:
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
493
ret = gnutls_handshake (session);
585
494
if (ret < 0){
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
495
fprintf(stderr, "\n*** Handshake failed ***\n");
587
496
gnutls_perror (ret);
588
497
retval = -1;
589
goto mandos_end;
498
goto exit;
590
499
}
591
500
break;
592
501
default:
593
502
fprintf(stderr, "Unknown error while reading data from"
594
" encrypted session with Mandos server\n");
503
" encrypted session with mandos server\n");
595
504
retval = -1;
596
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
506
goto exit;
598
507
}
599
508
} else {
600
509
buffer_length += (size_t) ret;
601
510
}
602
511
}
603
512
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
610
513
if (buffer_length > 0){
611
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
612
515
buffer_length,
613
516
&decrypted_buffer,
614
517
keydir);
615
518
if (decrypted_buffer_size >= 0){
616
written = 0;
617
519
while(written < (size_t) decrypted_buffer_size){
618
520
ret = (int)fwrite (decrypted_buffer + written, 1,
619
521
(size_t)decrypted_buffer_size - written,
633
535
retval = -1;
634
536
}
635
537
}
636
637
/* Shutdown procedure */
638
639
mandos_end:
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
640
545
free(buffer);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
641
548
close(tcp_sd);
642
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
643
552
return retval;
644
553
}
645
554
666
575
switch (event) {
667
576
default:
668
577
case AVAHI_RESOLVER_FAILURE:
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
671
580
avahi_strerror(avahi_server_errno(mc->server)));
672
581
break;
673
582
676
585
char ip[AVAHI_ADDRESS_STR_MAX];
677
586
avahi_address_snprint(ip, sizeof(ip), address);
678
587
if(debug){
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
680
PRIu16 ") on port %d\n", name, host_name, ip,
681
interface, port);
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
682
590
}
683
591
int ret = start_mandos_communication(ip, port, interface, mc);
684
592
if (ret == 0){
709
617
default:
710
618
case AVAHI_BROWSER_FAILURE:
711
619
712
fprintf(stderr, "(Avahi browser) %s\n",
620
fprintf(stderr, "(Browser) %s\n",
713
621
avahi_strerror(avahi_server_errno(mc->server)));
714
622
avahi_simple_poll_quit(mc->simple_poll);
715
623
return;
716
624
717
625
case AVAHI_BROWSER_NEW:
718
/* We ignore the returned Avahi resolver object. In the callback
719
function we free it. If the Avahi server is terminated before
720
the callback function is called the Avahi server will free the
721
resolver for us. */
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
722
630
723
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
724
632
protocol, name, type, domain,
725
633
AVAHI_PROTO_INET6, 0,
726
634
resolve_callback, mc)))
727
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
728
name, avahi_strerror(avahi_server_errno(mc->server)));
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
729
637
break;
730
638
731
639
case AVAHI_BROWSER_REMOVE:
733
641
734
642
case AVAHI_BROWSER_ALL_FOR_NOW:
735
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
736
if(debug){
737
fprintf(stderr, "No Mandos server found, still searching...\n");
738
}
739
644
break;
740
645
}
741
646
}
761
666
}
762
667
763
668
764
int main(int argc, char *argv[]){
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
765
671
AvahiSServiceBrowser *sb = NULL;
766
672
int error;
767
673
int ret;
768
int exitcode = EXIT_SUCCESS;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
769
676
const char *interface = "eth0";
770
677
struct ifreq network;
771
678
int sd;
772
uid_t uid;
773
gid_t gid;
774
679
char *connect_to = NULL;
775
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
776
const char *pubkeyfile = "pubkey.txt";
777
const char *seckeyfile = "seckey.txt";
778
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
779
682
.dh_bits = 1024, .priority = "SECURE256"};
780
bool gnutls_initalized = false;
781
683
782
{
783
struct argp_option options[] = {
784
{ .name = "debug", .key = 128,
785
.doc = "Debug mode", .group = 3 },
786
{ .name = "connect", .key = 'c',
787
.arg = "IP",
788
.doc = "Connect directly to a sepcified mandos server",
789
.group = 1 },
790
{ .name = "interface", .key = 'i',
791
.arg = "INTERFACE",
792
.doc = "Interface that Avahi will conntect through",
793
.group = 1 },
794
{ .name = "keydir", .key = 'd',
795
.arg = "KEYDIR",
796
.doc = "Directory where the openpgp keyring is",
797
.group = 1 },
798
{ .name = "seckey", .key = 's',
799
.arg = "SECKEY",
800
.doc = "Secret openpgp key for gnutls authentication",
801
.group = 1 },
802
{ .name = "pubkey", .key = 'p',
803
.arg = "PUBKEY",
804
.doc = "Public openpgp key for gnutls authentication",
805
.group = 2 },
806
{ .name = "dh-bits", .key = 129,
807
.arg = "BITS",
808
.doc = "dh-bits to use in gnutls communication",
809
.group = 2 },
810
{ .name = "priority", .key = 130,
811
.arg = "PRIORITY",
812
.doc = "GNUTLS priority", .group = 1 },
813
{ .name = NULL }
814
};
815
816
817
error_t parse_opt (int key, char *arg,
818
struct argp_state *state) {
819
/* Get the INPUT argument from `argp_parse', which we know is
820
a pointer to our plugin list pointer. */
821
switch (key) {
822
case 128:
823
debug = true;
824
break;
825
case 'c':
826
connect_to = arg;
827
break;
828
case 'i':
829
interface = arg;
830
break;
831
case 'd':
832
keydir = arg;
833
break;
834
case 's':
835
seckeyfile = arg;
836
break;
837
case 'p':
838
pubkeyfile = arg;
839
break;
840
case 129:
841
errno = 0;
842
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
843
if (errno){
844
perror("strtol");
845
exit(EXIT_FAILURE);
846
}
847
break;
848
case 130:
849
mc.priority = arg;
850
break;
851
case ARGP_KEY_ARG:
852
argp_usage (state);
853
break;
854
case ARGP_KEY_END:
855
break;
856
default:
857
return ARGP_ERR_UNKNOWN;
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
858
729
}
859
return 0;
860
}
861
862
struct argp argp = { .options = options, .parser = parse_opt,
863
.args_doc = "",
864
.doc = "Mandos client -- Get and decrypt"
865
" passwords from mandos server" };
866
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
867
if (ret == ARGP_ERR_UNKNOWN){
868
fprintf(stderr, "Unknown error while parsing arguments\n");
869
exitcode = EXIT_FAILURE;
870
goto end;
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
871
737
}
872
738
}
873
739
debug = debug_int ? true : false;
740
874
741
pubkeyfile = combinepath(keydir, pubkeyfile);
875
742
if (pubkeyfile == NULL){
876
743
perror("combinepath");
877
exitcode = EXIT_FAILURE;
878
goto end;
744
returncode = EXIT_FAILURE;
745
goto exit;
879
746
}
880
747
881
748
seckeyfile = combinepath(keydir, seckeyfile);
882
749
if (seckeyfile == NULL){
883
750
perror("combinepath");
884
exitcode = EXIT_FAILURE;
885
goto end;
886
}
887
888
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
889
if (ret == -1){
890
fprintf(stderr, "init_gnutls_global failed\n");
891
exitcode = EXIT_FAILURE;
892
goto end;
893
} else {
894
gnutls_initalized = true;
895
}
896
897
/* If the interface is down, bring it up */
898
{
899
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
900
if(sd < 0) {
901
perror("socket");
902
exitcode = EXIT_FAILURE;
903
goto end;
904
}
905
strcpy(network.ifr_name, interface); /* Spurious warning */
906
ret = ioctl(sd, SIOCGIFFLAGS, &network);
907
if(ret == -1){
908
perror("ioctl SIOCGIFFLAGS");
909
exitcode = EXIT_FAILURE;
910
goto end;
911
}
912
if((network.ifr_flags & IFF_UP) == 0){
913
network.ifr_flags |= IFF_UP;
914
ret = ioctl(sd, SIOCSIFFLAGS, &network);
915
if(ret == -1){
916
perror("ioctl SIOCSIFFLAGS");
917
exitcode = EXIT_FAILURE;
918
goto end;
919
}
920
}
921
close(sd);
922
}
923
924
uid = getuid();
925
gid = getgid();
926
927
ret = setuid(uid);
928
if (ret == -1){
929
perror("setuid");
930
}
931
932
setgid(gid);
933
if (ret == -1){
934
perror("setgid");
751
goto exit;
935
752
}
936
753
937
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
946
763
char *address = strrchr(connect_to, ':');
947
764
if(address == NULL){
948
765
fprintf(stderr, "No colon in address\n");
949
exitcode = EXIT_FAILURE;
950
goto end;
766
exit(EXIT_FAILURE);
951
767
}
952
768
errno = 0;
953
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
954
770
if(errno){
955
771
perror("Bad port number");
956
exitcode = EXIT_FAILURE;
957
goto end;
772
exit(EXIT_FAILURE);
958
773
}
959
774
*address = '\0';
960
775
address = connect_to;
961
776
ret = start_mandos_communication(address, port, if_index, &mc);
962
777
if(ret < 0){
963
exitcode = EXIT_FAILURE;
778
exit(EXIT_FAILURE);
964
779
} else {
965
exitcode = EXIT_SUCCESS;
966
}
967
goto end;
968
}
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
969
808
970
809
if (not debug){
971
810
avahi_set_log_function(empty_log);
972
811
}
973
812
974
/* Initialize the pseudo-RNG for Avahi */
813
/* Initialize the psuedo-RNG */
975
814
srand((unsigned int) time(NULL));
976
977
/* Allocate main Avahi loop object */
978
mc.simple_poll = avahi_simple_poll_new();
979
if (mc.simple_poll == NULL) {
980
fprintf(stderr, "Avahi: Failed to create simple poll"
981
" object.\n");
982
exitcode = EXIT_FAILURE;
983
goto end;
984
}
985
986
{
987
AvahiServerConfig config;
988
/* Do not publish any local Zeroconf records */
989
avahi_server_config_init(&config);
990
config.publish_hinfo = 0;
991
config.publish_addresses = 0;
992
config.publish_workstation = 0;
993
config.publish_domain = 0;
994
995
/* Allocate a new server */
996
mc.server = avahi_server_new(avahi_simple_poll_get
997
(mc.simple_poll), &config, NULL,
998
NULL, &error);
999
1000
/* Free the Avahi configuration data */
1001
avahi_server_config_free(&config);
1002
}
1003
1004
/* Check if creating the Avahi server object succeeded */
1005
if (mc.server == NULL) {
1006
fprintf(stderr, "Failed to create Avahi server: %s\n",
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1007
840
avahi_strerror(error));
1008
exitcode = EXIT_FAILURE;
1009
goto end;
841
returncode = EXIT_FAILURE;
842
goto exit;
1010
843
}
1011
844
1012
/* Create the Avahi service browser */
845
/* Create the service browser */
1013
846
sb = avahi_s_service_browser_new(mc.server, if_index,
1014
847
AVAHI_PROTO_INET6,
1015
848
"_mandos._tcp", NULL, 0,
1016
849
browse_callback, &mc);
1017
if (sb == NULL) {
850
if (!sb) {
1018
851
fprintf(stderr, "Failed to create service browser: %s\n",
1019
852
avahi_strerror(avahi_server_errno(mc.server)));
1020
exitcode = EXIT_FAILURE;
1021
goto end;
853
returncode = EXIT_FAILURE;
854
goto exit;
1022
855
}
1023
856
1024
857
/* Run the main loop */
1025
858
1026
859
if (debug){
1027
fprintf(stderr, "Starting Avahi loop search\n");
860
fprintf(stderr, "Starting avahi loop search\n");
1028
861
}
1029
862
1030
863
avahi_simple_poll_loop(mc.simple_poll);
1031
864
1032
end:
865
exit:
1033
866
1034
867
if (debug){
1035
868
fprintf(stderr, "%s exiting\n", argv[0]);
1036
869
}
1037
870
1038
871
/* Cleanup things */
1039
if (sb != NULL)
872
if (sb)
1040
873
avahi_s_service_browser_free(sb);
1041
874
1042
if (mc.server != NULL)
875
if (mc.server)
1043
876
avahi_server_free(mc.server);
1044
877
1045
if (mc.simple_poll != NULL)
878
if (mc.simple_poll)
1046
879
avahi_simple_poll_free(mc.simple_poll);
1047
880
free(pubkeyfile);
1048
881
free(seckeyfile);
1049
1050
if (gnutls_initalized){
1051
gnutls_certificate_free_credentials(mc.cred);
1052
gnutls_global_deinit ();
1053
}
1054
882
1055
return exitcode;
883
return returncode;
1056
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0