To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 39
- compare with another revision
- download diff
- download tarball
- view history from revision 39
- Committer: Teddy Hogeborn
- Date: 2008-08-03 03:33:56 UTC
- Revision ID: teddy@fukt.bsnet.se-20080803033356-6aemgj0g0hoz91ow
* plugins.d/mandosclient.c (pgp_packet_decrypt): Renamed variables.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
On debug, show
decrypted plaintext
in hexadecimal. Free
the GPGME data
buffers even on
errors.
- files added:
- ca.pem
- files removed:
- initramfs-tools-hook
- files renamed:
- plugin-runner.c => plugbasedclient.c
- plugins.d/password-request.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos.conf => server.conf
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
32
32
#define _LARGEFILE_SOURCE
33
33
#define _FILE_OFFSET_BITS 64
34
34
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
39
#include <stdint.h> /* uint16_t, uint32_t */
40
#include <stddef.h> /* NULL, size_t, ssize_t */
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
srand() */
43
#include <stdbool.h> /* bool, true */
44
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
#include <sys/ioctl.h> /* ioctl */
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
sockaddr_in6, PF_INET6,
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
struct in6_addr, inet_pton(),
54
connect() */
55
#include <assert.h> /* assert() */
56
#include <errno.h> /* perror(), errno */
57
#include <time.h> /* time() */
35
#include <stdio.h>
36
#include <assert.h>
37
#include <stdlib.h>
38
#include <time.h>
39
#include <net/if.h> /* if_nametoindex */
40
#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
41
SIOCSIFFLAGS */
58
42
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
SIOCSIFFLAGS, if_indextoname(),
60
if_nametoindex(), IF_NAMESIZE */
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
getuid(), getgid(), setuid(),
63
setgid() */
64
#include <netinet/in.h>
65
#include <arpa/inet.h> /* inet_pton(), htons */
66
#include <iso646.h> /* not, and */
67
#include <argp.h> /* struct argp_option, error_t, struct
68
argp_state, struct argp,
69
argp_parse(), ARGP_KEY_ARG,
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
43
SIOCSIFFLAGS */
71
44
72
/* Avahi */
73
/* All Avahi types, constants and functions
74
Avahi*, avahi_*,
75
AVAHI_* */
76
45
#include <avahi-core/core.h>
77
46
#include <avahi-core/lookup.h>
78
47
#include <avahi-core/log.h>
80
49
#include <avahi-common/malloc.h>
81
50
#include <avahi-common/error.h>
82
51
83
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
85
gnutls_*
86
init_gnutls_session(),
87
GNUTLS_* */
88
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
89
GNUTLS_OPENPGP_FMT_BASE64 */
90
91
/* GPGME */
92
#include <gpgme.h> /* All GPGME types, constants and functions
93
gpgme_*
94
GPGME_PROTOCOL_OpenPGP,
95
GPG_ERR_NO_* */
52
//mandos client part
53
#include <sys/types.h> /* socket(), inet_pton() */
54
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
struct in6_addr, inet_pton() */
56
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
57
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
58
59
#include <unistd.h> /* close() */
60
#include <netinet/in.h>
61
#include <stdbool.h> /* true */
62
#include <string.h> /* memset */
63
#include <arpa/inet.h> /* inet_pton() */
64
#include <iso646.h> /* not */
65
66
// gpgme
67
#include <errno.h> /* perror() */
68
#include <gpgme.h>
69
70
// getopt_long
71
#include <getopt.h>
96
72
97
73
#define BUFFER_SIZE 256
98
74
75
static const char *keydir = "/conf/conf.d/mandos";
76
static const char *pubkeyfile = "pubkey.txt";
77
static const char *seckeyfile = "seckey.txt";
78
99
79
bool debug = false;
100
static const char *keydir = "/conf/conf.d/mandos";
101
static const char mandos_protocol_version[] = "1";
102
const char *argp_program_version = "password-request 1.0";
103
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
104
80
105
/* Used for passing in values through the Avahi callback functions */
81
/* Used for passing in values through all the callback functions */
106
82
typedef struct {
107
83
AvahiSimplePoll *simple_poll;
108
84
AvahiServer *server;
109
85
gnutls_certificate_credentials_t cred;
110
86
unsigned int dh_bits;
111
gnutls_dh_params_t dh_params;
112
87
const char *priority;
113
88
} mandos_context;
114
89
115
/*
116
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
117
* "buffer_capacity" is how much is currently allocated,
118
* "buffer_length" is how much is already used.
119
*/
120
size_t adjustbuffer(char **buffer, size_t buffer_length,
121
size_t buffer_capacity){
122
if (buffer_length + BUFFER_SIZE > buffer_capacity){
123
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
124
if (buffer == NULL){
125
return 0;
126
}
127
buffer_capacity += BUFFER_SIZE;
128
}
129
return buffer_capacity;
130
}
131
132
90
/*
133
91
* Decrypt OpenPGP data using keyrings in HOMEDIR.
134
92
* Returns -1 on error
141
99
gpgme_ctx_t ctx;
142
100
gpgme_error_t rc;
143
101
ssize_t ret;
144
size_t plaintext_capacity = 0;
102
ssize_t plaintext_capacity = 0;
145
103
ssize_t plaintext_length = 0;
146
104
gpgme_engine_info_t engine_info;
147
105
227
185
} else {
228
186
fprintf(stderr, "Unsupported algorithm: %s\n",
229
187
result->unsupported_algorithm);
230
fprintf(stderr, "Wrong key usage: %u\n",
188
fprintf(stderr, "Wrong key usage: %d\n",
231
189
result->wrong_key_usage);
232
190
if(result->file_name != NULL){
233
191
fprintf(stderr, "File name: %s\n", result->file_name);
257
215
258
216
*plaintext = NULL;
259
217
while(true){
260
plaintext_capacity = adjustbuffer(plaintext,
261
(size_t)plaintext_length,
262
plaintext_capacity);
263
if (plaintext_capacity == 0){
264
perror("adjustbuffer");
218
if (plaintext_length + BUFFER_SIZE > plaintext_capacity){
219
*plaintext = realloc(*plaintext,
220
(unsigned int)plaintext_capacity
221
+ BUFFER_SIZE);
222
if (*plaintext == NULL){
223
perror("realloc");
265
224
plaintext_length = -1;
266
225
goto decrypt_end;
226
}
227
plaintext_capacity += BUFFER_SIZE;
267
228
}
268
229
269
230
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
283
244
284
245
if(debug){
285
246
fprintf(stderr, "Decrypted password is: ");
286
for(ssize_t i = 0; i < plaintext_length; i++){
247
for(size_t i = 0; i < plaintext_length; i++){
287
248
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
288
249
}
289
250
fprintf(stderr, "\n");
306
267
return ret;
307
268
}
308
269
309
/* GnuTLS log function callback */
310
270
static void debuggnutls(__attribute__((unused)) int level,
311
271
const char* string){
312
fprintf(stderr, "GnuTLS: %s", string);
272
fprintf(stderr, "%s", string);
313
273
}
314
274
315
static int init_gnutls_global(mandos_context *mc,
316
const char *pubkeyfile,
317
const char *seckeyfile){
275
static int initgnutls(mandos_context *mc, gnutls_session_t *session,
276
gnutls_dh_params_t *dh_params){
277
const char *err;
318
278
int ret;
319
279
320
280
if(debug){
321
281
fprintf(stderr, "Initializing GnuTLS\n");
322
282
}
323
324
ret = gnutls_global_init();
325
if (ret != GNUTLS_E_SUCCESS) {
326
fprintf (stderr, "GnuTLS global_init: %s\n",
327
safer_gnutls_strerror(ret));
283
284
if ((ret = gnutls_global_init ())
285
!= GNUTLS_E_SUCCESS) {
286
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
328
287
return -1;
329
288
}
330
289
331
290
if (debug){
332
/* "Use a log level over 10 to enable all debugging options."
333
* - GnuTLS manual
334
*/
335
291
gnutls_global_set_log_level(11);
336
292
gnutls_global_set_log_function(debuggnutls);
337
293
}
338
294
339
/* OpenPGP credentials */
340
gnutls_certificate_allocate_credentials(&mc->cred);
341
if (ret != GNUTLS_E_SUCCESS){
342
fprintf (stderr, "GnuTLS memory error: %s\n",
295
/* openpgp credentials */
296
if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))
297
!= GNUTLS_E_SUCCESS) {
298
fprintf (stderr, "memory error: %s\n",
343
299
safer_gnutls_strerror(ret));
344
gnutls_global_deinit ();
345
300
return -1;
346
301
}
347
302
354
309
ret = gnutls_certificate_set_openpgp_key_file
355
310
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
356
311
if (ret != GNUTLS_E_SUCCESS) {
357
fprintf(stderr,
358
"Error[%d] while reading the OpenPGP key pair ('%s',"
359
" '%s')\n", ret, pubkeyfile, seckeyfile);
360
fprintf(stdout, "The GnuTLS error is: %s\n",
312
fprintf
313
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
314
" '%s')\n",
315
ret, pubkeyfile, seckeyfile);
316
fprintf(stdout, "The Error is: %s\n",
361
317
safer_gnutls_strerror(ret));
362
goto globalfail;
363
}
364
365
/* GnuTLS server initialization */
366
ret = gnutls_dh_params_init(&mc->dh_params);
367
if (ret != GNUTLS_E_SUCCESS) {
368
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
369
" %s\n", safer_gnutls_strerror(ret));
370
goto globalfail;
371
}
372
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
373
if (ret != GNUTLS_E_SUCCESS) {
374
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
375
safer_gnutls_strerror(ret));
376
goto globalfail;
377
}
378
379
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
380
381
return 0;
382
383
globalfail:
384
385
gnutls_certificate_free_credentials(mc->cred);
386
gnutls_global_deinit();
387
return -1;
388
389
}
390
391
static int init_gnutls_session(mandos_context *mc,
392
gnutls_session_t *session){
393
int ret;
394
/* GnuTLS session creation */
395
ret = gnutls_init(session, GNUTLS_SERVER);
396
if (ret != GNUTLS_E_SUCCESS){
318
return -1;
319
}
320
321
//GnuTLS server initialization
322
if ((ret = gnutls_dh_params_init(dh_params))
323
!= GNUTLS_E_SUCCESS) {
324
fprintf (stderr, "Error in dh parameter initialization: %s\n",
325
safer_gnutls_strerror(ret));
326
return -1;
327
}
328
329
if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))
330
!= GNUTLS_E_SUCCESS) {
331
fprintf (stderr, "Error in prime generation: %s\n",
332
safer_gnutls_strerror(ret));
333
return -1;
334
}
335
336
gnutls_certificate_set_dh_params(mc->cred, *dh_params);
337
338
// GnuTLS session creation
339
if ((ret = gnutls_init(session, GNUTLS_SERVER))
340
!= GNUTLS_E_SUCCESS){
397
341
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
398
342
safer_gnutls_strerror(ret));
399
343
}
400
344
401
{
402
const char *err;
403
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
404
if (ret != GNUTLS_E_SUCCESS) {
405
fprintf(stderr, "Syntax error at: %s\n", err);
406
fprintf(stderr, "GnuTLS error: %s\n",
407
safer_gnutls_strerror(ret));
408
gnutls_deinit (*session);
409
return -1;
410
}
345
if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))
346
!= GNUTLS_E_SUCCESS) {
347
fprintf(stderr, "Syntax error at: %s\n", err);
348
fprintf(stderr, "GnuTLS error: %s\n",
349
safer_gnutls_strerror(ret));
350
return -1;
411
351
}
412
352
413
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
414
mc->cred);
415
if (ret != GNUTLS_E_SUCCESS) {
416
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
353
if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
354
mc->cred))
355
!= GNUTLS_E_SUCCESS) {
356
fprintf(stderr, "Error setting a credentials set: %s\n",
417
357
safer_gnutls_strerror(ret));
418
gnutls_deinit (*session);
419
358
return -1;
420
359
}
421
360
428
367
return 0;
429
368
}
430
369
431
/* Avahi log function callback */
432
370
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
433
371
__attribute__((unused)) const char *txt){}
434
372
435
/* Called when a Mandos server is found */
436
373
static int start_mandos_communication(const char *ip, uint16_t port,
437
374
AvahiIfIndex if_index,
438
375
mandos_context *mc){
439
376
int ret, tcp_sd;
440
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
377
struct sockaddr_in6 to;
441
378
char *buffer = NULL;
442
379
char *decrypted_buffer;
443
380
size_t buffer_length = 0;
444
381
size_t buffer_capacity = 0;
445
382
ssize_t decrypted_buffer_size;
446
size_t written;
383
size_t written = 0;
447
384
int retval = 0;
448
385
char interface[IF_NAMESIZE];
449
386
gnutls_session_t session;
450
451
ret = init_gnutls_session (mc, &session);
452
if (ret != 0){
453
return -1;
454
}
387
gnutls_dh_params_t dh_params;
455
388
456
389
if(debug){
457
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
458
"\n", ip, port);
390
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
391
ip, port);
459
392
}
460
393
461
394
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
473
406
}
474
407
475
408
memset(&to,0,sizeof(to)); /* Spurious warning */
476
to.in6.sin6_family = AF_INET6;
477
/* It would be nice to have a way to detect if we were passed an
478
IPv4 address here. Now we assume an IPv6 address. */
479
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
409
to.sin6_family = AF_INET6;
410
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
480
411
if (ret < 0 ){
481
412
perror("inet_pton");
482
413
return -1;
485
416
fprintf(stderr, "Bad address: %s\n", ip);
486
417
return -1;
487
418
}
488
to.in6.sin6_port = htons(port); /* Spurious warning */
419
to.sin6_port = htons(port); /* Spurious warning */
489
420
490
to.in6.sin6_scope_id = (uint32_t)if_index;
421
to.sin6_scope_id = (uint32_t)if_index;
491
422
492
423
if(debug){
493
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
494
port);
424
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
495
425
char addrstr[INET6_ADDRSTRLEN] = "";
496
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
426
if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,
497
427
sizeof(addrstr)) == NULL){
498
428
perror("inet_ntop");
499
429
} else {
503
433
}
504
434
}
505
435
506
ret = connect(tcp_sd, &to.in, sizeof(to));
436
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
507
437
if (ret < 0){
508
438
perror("connect");
509
439
return -1;
510
440
}
511
512
const char *out = mandos_protocol_version;
513
written = 0;
514
while (true){
515
size_t out_size = strlen(out);
516
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
517
out_size - written));
518
if (ret == -1){
519
perror("write");
520
retval = -1;
521
goto mandos_end;
522
}
523
written += (size_t)ret;
524
if(written < out_size){
525
continue;
526
} else {
527
if (out == mandos_protocol_version){
528
written = 0;
529
out = "\r\n";
530
} else {
531
break;
532
}
533
}
441
442
ret = initgnutls (mc, &session, &dh_params);
443
if (ret != 0){
444
retval = -1;
445
return -1;
534
446
}
535
447
448
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
449
536
450
if(debug){
537
451
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
452
}
539
453
540
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
542
do{
543
ret = gnutls_handshake (session);
544
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
454
ret = gnutls_handshake (session);
545
455
546
456
if (ret != GNUTLS_E_SUCCESS){
547
457
if(debug){
548
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
458
fprintf(stderr, "\n*** Handshake failed ***\n");
549
459
gnutls_perror (ret);
550
460
}
551
461
retval = -1;
552
goto mandos_end;
462
goto exit;
553
463
}
554
464
555
/* Read OpenPGP packet that contains the wanted password */
465
//Retrieve OpenPGP packet that contains the wanted password
556
466
557
467
if(debug){
558
468
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
560
470
}
561
471
562
472
while(true){
563
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
buffer_capacity);
565
if (buffer_capacity == 0){
566
perror("adjustbuffer");
567
retval = -1;
568
goto mandos_end;
473
if (buffer_length + BUFFER_SIZE > buffer_capacity){
474
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
475
if (buffer == NULL){
476
perror("realloc");
477
goto exit;
478
}
479
buffer_capacity += BUFFER_SIZE;
569
480
}
570
481
571
482
ret = gnutls_record_recv(session, buffer+buffer_length,
579
490
case GNUTLS_E_AGAIN:
580
491
break;
581
492
case GNUTLS_E_REHANDSHAKE:
582
do{
583
ret = gnutls_handshake (session);
584
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
493
ret = gnutls_handshake (session);
585
494
if (ret < 0){
586
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
495
fprintf(stderr, "\n*** Handshake failed ***\n");
587
496
gnutls_perror (ret);
588
497
retval = -1;
589
goto mandos_end;
498
goto exit;
590
499
}
591
500
break;
592
501
default:
593
502
fprintf(stderr, "Unknown error while reading data from"
594
" encrypted session with Mandos server\n");
503
" encrypted session with mandos server\n");
595
504
retval = -1;
596
505
gnutls_bye (session, GNUTLS_SHUT_RDWR);
597
goto mandos_end;
506
goto exit;
598
507
}
599
508
} else {
600
509
buffer_length += (size_t) ret;
601
510
}
602
511
}
603
512
604
if(debug){
605
fprintf(stderr, "Closing TLS session\n");
606
}
607
608
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
610
513
if (buffer_length > 0){
611
514
decrypted_buffer_size = pgp_packet_decrypt(buffer,
612
515
buffer_length,
613
516
&decrypted_buffer,
614
517
keydir);
615
518
if (decrypted_buffer_size >= 0){
616
written = 0;
617
519
while(written < (size_t) decrypted_buffer_size){
618
520
ret = (int)fwrite (decrypted_buffer + written, 1,
619
521
(size_t)decrypted_buffer_size - written,
633
535
retval = -1;
634
536
}
635
537
}
636
637
/* Shutdown procedure */
638
639
mandos_end:
538
539
//shutdown procedure
540
541
if(debug){
542
fprintf(stderr, "Closing TLS session\n");
543
}
544
640
545
free(buffer);
546
gnutls_bye (session, GNUTLS_SHUT_RDWR);
547
exit:
641
548
close(tcp_sd);
642
549
gnutls_deinit (session);
550
gnutls_certificate_free_credentials (mc->cred);
551
gnutls_global_deinit ();
643
552
return retval;
644
553
}
645
554
666
575
switch (event) {
667
576
default:
668
577
case AVAHI_RESOLVER_FAILURE:
669
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
670
" of type '%s' in domain '%s': %s\n", name, type, domain,
578
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
579
" type '%s' in domain '%s': %s\n", name, type, domain,
671
580
avahi_strerror(avahi_server_errno(mc->server)));
672
581
break;
673
582
676
585
char ip[AVAHI_ADDRESS_STR_MAX];
677
586
avahi_address_snprint(ip, sizeof(ip), address);
678
587
if(debug){
679
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
680
PRIu16 ") on port %d\n", name, host_name, ip,
681
interface, port);
588
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
589
" port %d\n", name, host_name, ip, port);
682
590
}
683
591
int ret = start_mandos_communication(ip, port, interface, mc);
684
592
if (ret == 0){
685
avahi_simple_poll_quit(mc->simple_poll);
593
exit(EXIT_SUCCESS);
686
594
}
687
595
}
688
596
}
709
617
default:
710
618
case AVAHI_BROWSER_FAILURE:
711
619
712
fprintf(stderr, "(Avahi browser) %s\n",
620
fprintf(stderr, "(Browser) %s\n",
713
621
avahi_strerror(avahi_server_errno(mc->server)));
714
622
avahi_simple_poll_quit(mc->simple_poll);
715
623
return;
716
624
717
625
case AVAHI_BROWSER_NEW:
718
/* We ignore the returned Avahi resolver object. In the callback
719
function we free it. If the Avahi server is terminated before
720
the callback function is called the Avahi server will free the
721
resolver for us. */
626
/* We ignore the returned resolver object. In the callback
627
function we free it. If the server is terminated before
628
the callback function is called the server will free
629
the resolver for us. */
722
630
723
631
if (!(avahi_s_service_resolver_new(mc->server, interface,
724
632
protocol, name, type, domain,
725
633
AVAHI_PROTO_INET6, 0,
726
634
resolve_callback, mc)))
727
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
728
name, avahi_strerror(avahi_server_errno(mc->server)));
635
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
636
avahi_strerror(avahi_server_errno(mc->server)));
729
637
break;
730
638
731
639
case AVAHI_BROWSER_REMOVE:
733
641
734
642
case AVAHI_BROWSER_ALL_FOR_NOW:
735
643
case AVAHI_BROWSER_CACHE_EXHAUSTED:
736
if(debug){
737
fprintf(stderr, "No Mandos server found, still searching...\n");
738
}
739
644
break;
740
645
}
741
646
}
761
666
}
762
667
763
668
764
int main(int argc, char *argv[]){
669
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
670
AvahiServerConfig config;
765
671
AvahiSServiceBrowser *sb = NULL;
766
672
int error;
767
673
int ret;
768
int exitcode = EXIT_SUCCESS;
674
int debug_int;
675
int returncode = EXIT_SUCCESS;
769
676
const char *interface = "eth0";
770
677
struct ifreq network;
771
678
int sd;
772
uid_t uid;
773
gid_t gid;
774
679
char *connect_to = NULL;
775
680
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
776
const char *pubkeyfile = "pubkey.txt";
777
const char *seckeyfile = "seckey.txt";
778
681
mandos_context mc = { .simple_poll = NULL, .server = NULL,
779
682
.dh_bits = 1024, .priority = "SECURE256"};
780
bool gnutls_initalized = false;
781
683
782
{
783
struct argp_option options[] = {
784
{ .name = "debug", .key = 128,
785
.doc = "Debug mode", .group = 3 },
786
{ .name = "connect", .key = 'c',
787
.arg = "IP",
788
.doc = "Connect directly to a sepcified mandos server",
789
.group = 1 },
790
{ .name = "interface", .key = 'i',
791
.arg = "INTERFACE",
792
.doc = "Interface that Avahi will conntect through",
793
.group = 1 },
794
{ .name = "keydir", .key = 'd',
795
.arg = "KEYDIR",
796
.doc = "Directory where the openpgp keyring is",
797
.group = 1 },
798
{ .name = "seckey", .key = 's',
799
.arg = "SECKEY",
800
.doc = "Secret openpgp key for gnutls authentication",
801
.group = 1 },
802
{ .name = "pubkey", .key = 'p',
803
.arg = "PUBKEY",
804
.doc = "Public openpgp key for gnutls authentication",
805
.group = 2 },
806
{ .name = "dh-bits", .key = 129,
807
.arg = "BITS",
808
.doc = "dh-bits to use in gnutls communication",
809
.group = 2 },
810
{ .name = "priority", .key = 130,
811
.arg = "PRIORITY",
812
.doc = "GNUTLS priority", .group = 1 },
813
{ .name = NULL }
814
};
815
816
817
error_t parse_opt (int key, char *arg,
818
struct argp_state *state) {
819
/* Get the INPUT argument from `argp_parse', which we know is
820
a pointer to our plugin list pointer. */
821
switch (key) {
822
case 128:
823
debug = true;
824
break;
825
case 'c':
826
connect_to = arg;
827
break;
828
case 'i':
829
interface = arg;
830
break;
831
case 'd':
832
keydir = arg;
833
break;
834
case 's':
835
seckeyfile = arg;
836
break;
837
case 'p':
838
pubkeyfile = arg;
839
break;
840
case 129:
841
errno = 0;
842
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
843
if (errno){
844
perror("strtol");
845
exit(EXIT_FAILURE);
846
}
847
break;
848
case 130:
849
mc.priority = arg;
850
break;
851
case ARGP_KEY_ARG:
852
argp_usage (state);
853
case ARGP_KEY_END:
854
break;
855
default:
856
return ARGP_ERR_UNKNOWN;
684
debug_int = debug ? 1 : 0;
685
while (true){
686
struct option long_options[] = {
687
{"debug", no_argument, &debug_int, 1},
688
{"connect", required_argument, NULL, 'c'},
689
{"interface", required_argument, NULL, 'i'},
690
{"keydir", required_argument, NULL, 'd'},
691
{"seckey", required_argument, NULL, 's'},
692
{"pubkey", required_argument, NULL, 'p'},
693
{"dh-bits", required_argument, NULL, 'D'},
694
{"priority", required_argument, NULL, 'P'},
695
{0, 0, 0, 0} };
696
697
int option_index = 0;
698
ret = getopt_long (argc, argv, "i:", long_options,
699
&option_index);
700
701
if (ret == -1){
702
break;
703
}
704
705
switch(ret){
706
case 0:
707
break;
708
case 'i':
709
interface = optarg;
710
break;
711
case 'c':
712
connect_to = optarg;
713
break;
714
case 'd':
715
keydir = optarg;
716
break;
717
case 'p':
718
pubkeyfile = optarg;
719
break;
720
case 's':
721
seckeyfile = optarg;
722
break;
723
case 'D':
724
errno = 0;
725
mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);
726
if (errno){
727
perror("strtol");
728
exit(EXIT_FAILURE);
857
729
}
858
return 0;
859
}
860
861
struct argp argp = { .options = options, .parser = parse_opt,
862
.args_doc = "",
863
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
865
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
if (ret == ARGP_ERR_UNKNOWN){
867
fprintf(stderr, "Unknown error while parsing arguments\n");
868
exitcode = EXIT_FAILURE;
869
goto end;
730
break;
731
case 'P':
732
mc.priority = optarg;
733
break;
734
case '?':
735
default:
736
exit(EXIT_FAILURE);
870
737
}
871
738
}
872
739
debug = debug_int ? true : false;
740
873
741
pubkeyfile = combinepath(keydir, pubkeyfile);
874
742
if (pubkeyfile == NULL){
875
743
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
744
returncode = EXIT_FAILURE;
745
goto exit;
878
746
}
879
747
880
748
seckeyfile = combinepath(keydir, seckeyfile);
881
749
if (seckeyfile == NULL){
882
750
perror("combinepath");
883
exitcode = EXIT_FAILURE;
884
goto end;
885
}
886
887
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
888
if (ret == -1){
889
fprintf(stderr, "init_gnutls_global failed\n");
890
exitcode = EXIT_FAILURE;
891
goto end;
892
} else {
893
gnutls_initalized = true;
894
}
895
896
/* If the interface is down, bring it up */
897
{
898
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
899
if(sd < 0) {
900
perror("socket");
901
exitcode = EXIT_FAILURE;
902
goto end;
903
}
904
strcpy(network.ifr_name, interface); /* Spurious warning */
905
ret = ioctl(sd, SIOCGIFFLAGS, &network);
906
if(ret == -1){
907
perror("ioctl SIOCGIFFLAGS");
908
exitcode = EXIT_FAILURE;
909
goto end;
910
}
911
if((network.ifr_flags & IFF_UP) == 0){
912
network.ifr_flags |= IFF_UP;
913
ret = ioctl(sd, SIOCSIFFLAGS, &network);
914
if(ret == -1){
915
perror("ioctl SIOCSIFFLAGS");
916
exitcode = EXIT_FAILURE;
917
goto end;
918
}
919
}
920
close(sd);
921
}
922
923
uid = getuid();
924
gid = getgid();
925
926
ret = setuid(uid);
927
if (ret == -1){
928
perror("setuid");
929
}
930
931
setgid(gid);
932
if (ret == -1){
933
perror("setgid");
751
goto exit;
934
752
}
935
753
936
754
if_index = (AvahiIfIndex) if_nametoindex(interface);
945
763
char *address = strrchr(connect_to, ':');
946
764
if(address == NULL){
947
765
fprintf(stderr, "No colon in address\n");
948
exitcode = EXIT_FAILURE;
949
goto end;
766
exit(EXIT_FAILURE);
950
767
}
951
768
errno = 0;
952
769
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
953
770
if(errno){
954
771
perror("Bad port number");
955
exitcode = EXIT_FAILURE;
956
goto end;
772
exit(EXIT_FAILURE);
957
773
}
958
774
*address = '\0';
959
775
address = connect_to;
960
776
ret = start_mandos_communication(address, port, if_index, &mc);
961
777
if(ret < 0){
962
exitcode = EXIT_FAILURE;
778
exit(EXIT_FAILURE);
963
779
} else {
964
exitcode = EXIT_SUCCESS;
965
}
966
goto end;
967
}
780
exit(EXIT_SUCCESS);
781
}
782
}
783
784
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
785
if(sd < 0) {
786
perror("socket");
787
returncode = EXIT_FAILURE;
788
goto exit;
789
}
790
strcpy(network.ifr_name, interface); /* Spurious warning */
791
ret = ioctl(sd, SIOCGIFFLAGS, &network);
792
if(ret == -1){
793
794
perror("ioctl SIOCGIFFLAGS");
795
returncode = EXIT_FAILURE;
796
goto exit;
797
}
798
if((network.ifr_flags & IFF_UP) == 0){
799
network.ifr_flags |= IFF_UP;
800
ret = ioctl(sd, SIOCSIFFLAGS, &network);
801
if(ret == -1){
802
perror("ioctl SIOCSIFFLAGS");
803
returncode = EXIT_FAILURE;
804
goto exit;
805
}
806
}
807
close(sd);
968
808
969
809
if (not debug){
970
810
avahi_set_log_function(empty_log);
971
811
}
972
812
973
/* Initialize the pseudo-RNG for Avahi */
813
/* Initialize the psuedo-RNG */
974
814
srand((unsigned int) time(NULL));
975
976
/* Allocate main Avahi loop object */
977
mc.simple_poll = avahi_simple_poll_new();
978
if (mc.simple_poll == NULL) {
979
fprintf(stderr, "Avahi: Failed to create simple poll"
980
" object.\n");
981
exitcode = EXIT_FAILURE;
982
goto end;
983
}
984
985
{
986
AvahiServerConfig config;
987
/* Do not publish any local Zeroconf records */
988
avahi_server_config_init(&config);
989
config.publish_hinfo = 0;
990
config.publish_addresses = 0;
991
config.publish_workstation = 0;
992
config.publish_domain = 0;
993
994
/* Allocate a new server */
995
mc.server = avahi_server_new(avahi_simple_poll_get
996
(mc.simple_poll), &config, NULL,
997
NULL, &error);
998
999
/* Free the Avahi configuration data */
1000
avahi_server_config_free(&config);
1001
}
1002
1003
/* Check if creating the Avahi server object succeeded */
1004
if (mc.server == NULL) {
1005
fprintf(stderr, "Failed to create Avahi server: %s\n",
815
816
/* Allocate main loop object */
817
if (!(mc.simple_poll = avahi_simple_poll_new())) {
818
fprintf(stderr, "Failed to create simple poll object.\n");
819
returncode = EXIT_FAILURE;
820
goto exit;
821
}
822
823
/* Do not publish any local records */
824
avahi_server_config_init(&config);
825
config.publish_hinfo = 0;
826
config.publish_addresses = 0;
827
config.publish_workstation = 0;
828
config.publish_domain = 0;
829
830
/* Allocate a new server */
831
mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),
832
&config, NULL, NULL, &error);
833
834
/* Free the configuration data */
835
avahi_server_config_free(&config);
836
837
/* Check if creating the server object succeeded */
838
if (!mc.server) {
839
fprintf(stderr, "Failed to create server: %s\n",
1006
840
avahi_strerror(error));
1007
exitcode = EXIT_FAILURE;
1008
goto end;
841
returncode = EXIT_FAILURE;
842
goto exit;
1009
843
}
1010
844
1011
/* Create the Avahi service browser */
845
/* Create the service browser */
1012
846
sb = avahi_s_service_browser_new(mc.server, if_index,
1013
847
AVAHI_PROTO_INET6,
1014
848
"_mandos._tcp", NULL, 0,
1015
849
browse_callback, &mc);
1016
if (sb == NULL) {
850
if (!sb) {
1017
851
fprintf(stderr, "Failed to create service browser: %s\n",
1018
852
avahi_strerror(avahi_server_errno(mc.server)));
1019
exitcode = EXIT_FAILURE;
1020
goto end;
853
returncode = EXIT_FAILURE;
854
goto exit;
1021
855
}
1022
856
1023
857
/* Run the main loop */
1024
858
1025
859
if (debug){
1026
fprintf(stderr, "Starting Avahi loop search\n");
860
fprintf(stderr, "Starting avahi loop search\n");
1027
861
}
1028
862
1029
863
avahi_simple_poll_loop(mc.simple_poll);
1030
864
1031
end:
865
exit:
1032
866
1033
867
if (debug){
1034
868
fprintf(stderr, "%s exiting\n", argv[0]);
1035
869
}
1036
870
1037
871
/* Cleanup things */
1038
if (sb != NULL)
872
if (sb)
1039
873
avahi_s_service_browser_free(sb);
1040
874
1041
if (mc.server != NULL)
875
if (mc.server)
1042
876
avahi_server_free(mc.server);
1043
877
1044
if (mc.simple_poll != NULL)
878
if (mc.simple_poll)
1045
879
avahi_simple_poll_free(mc.simple_poll);
1046
880
free(pubkeyfile);
1047
881
free(seckeyfile);
1048
1049
if (gnutls_initalized){
1050
gnutls_certificate_free_credentials(mc.cred);
1051
gnutls_global_deinit ();
1052
}
1053
882
1054
return exitcode;
883
return returncode;
1055
884
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0