/mandos/release : revision 50

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

35

37

#include <stdio.h>

36

38

#include <assert.h>

37

39

#include <stdlib.h>

38

40

#include <time.h>

39

41

#include <net/if.h> /* if_nametoindex */

40

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

41

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

42

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

43

SIOCSIFFLAGS */

44

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

45

SIOCSIFFLAGS */

42

46

43

47

#include <avahi-core/core.h>

44

48

#include <avahi-core/lookup.h>

47

51

#include <avahi-common/malloc.h>

48

52

#include <avahi-common/error.h>

49

53

50

//mandos client part

54

/* Mandos client part */

51

55

#include <sys/types.h> /* socket(), inet_pton() */

52

56

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

53

57

struct in6_addr, inet_pton() */

60

64

#include <string.h> /* memset */

61

65

#include <arpa/inet.h> /* inet_pton() */

62

66

#include <iso646.h> /* not */

63

64

// gpgme

67

#include <net/if.h> /* IF_NAMESIZE */

68

#include <argp.h> /* struct argp_option,

69

struct argp_state, struct argp,

70

argp_parse() */

71

/* GPGME */

65

72

#include <errno.h> /* perror() */

66

73

#include <gpgme.h>

67

74

68

// getopt_long

69

#include <getopt.h>

70

71

75

#define BUFFER_SIZE 256

72

76

77

bool debug = false;

73

78

static const char *keydir = "/conf/conf.d/mandos";

74

static const char *pubkeyfile = "pubkey.txt";

75

static const char *seckeyfile = "seckey.txt";

76

77

bool debug = false;

78

79

/* Used for passing in values through all the callback functions */

79

static const char mandos_protocol_version[] = "1";

80

const char *argp_program_version = "mandosclient 0.9";

81

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

82

83

/* Used for passing in values through the Avahi callback functions */

80

84

typedef struct {

81

85

AvahiSimplePoll *simple_poll;

82

86

AvahiServer *server;

83

87

gnutls_certificate_credentials_t cred;

84

88

unsigned int dh_bits;

89

gnutls_dh_params_t dh_params;

85

90

const char *priority;

86

91

} mandos_context;

87

92

88

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

89

char **new_packet,

93

/*

94

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

95

* "buffer_capacity" is how much is currently allocated,

96

* "buffer_length" is how much is already used.

97

*/

98

size_t adjustbuffer(char **buffer, size_t buffer_length,

99

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

101

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

103

return 0;

104

}

105

buffer_capacity += BUFFER_SIZE;

106

}

107

return buffer_capacity;

108

}

109

110

/*

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

113

*/

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

90

117

const char *homedir){

91

118

gpgme_data_t dh_crypto, dh_plain;

92

119

gpgme_ctx_t ctx;

93

120

gpgme_error_t rc;

94

121

ssize_t ret;

95

ssize_t new_packet_capacity = 0;

96

ssize_t new_packet_length = 0;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

97

124

gpgme_engine_info_t engine_info;

98

125

99

126

if (debug){

100

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

101

128

}

102

129

103

130

/* Init GPGME */

109

136

return -1;

110

137

}

111

138

112

/* Set GPGME home directory */

139

/* Set GPGME home directory for the OpenPGP engine only */

113

140

rc = gpgme_get_engine_info (&engine_info);

114

141

if (rc != GPG_ERR_NO_ERROR){

115

142

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

125

152

engine_info = engine_info->next;

126

153

}

127

154

if(engine_info == NULL){

128

fprintf(stderr, "Could not set home dir to %s\n", homedir);

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

129

156

return -1;

130

157

}

131

158

132

/* Create new GPGME data buffer from packet buffer */

133

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

159

/* Create new GPGME data buffer from memory cryptotext */

160

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

161

0);

134

162

if (rc != GPG_ERR_NO_ERROR){

135

163

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

136

164

gpgme_strsource(rc), gpgme_strerror(rc));

142

170

if (rc != GPG_ERR_NO_ERROR){

143

171

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

144

172

gpgme_strsource(rc), gpgme_strerror(rc));

173

gpgme_data_release(dh_crypto);

145

174

return -1;

146

175

}

147

176

150

179

if (rc != GPG_ERR_NO_ERROR){

151

180

fprintf(stderr, "bad gpgme_new: %s: %s\n",

152

181

gpgme_strsource(rc), gpgme_strerror(rc));

153

return -1;

182

plaintext_length = -1;

183

goto decrypt_end;

154

184

}

155

185

156

/* Decrypt data from the FILE pointer to the plaintext data

157

buffer */

186

/* Decrypt data from the cryptotext data buffer to the plaintext

187

data buffer */

158

188

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

159

189

if (rc != GPG_ERR_NO_ERROR){

160

190

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

161

191

gpgme_strsource(rc), gpgme_strerror(rc));

162

return -1;

192

plaintext_length = -1;

193

goto decrypt_end;

163

194

}

164

195

165

196

if(debug){

166

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

197

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

167

198

}

168

199

169

200

if (debug){

170

201

gpgme_decrypt_result_t result;

171

202

result = gpgme_op_decrypt_result(ctx);

195

226

}

196

227

}

197

228

198

/* Delete the GPGME FILE pointer cryptotext data buffer */

199

gpgme_data_release(dh_crypto);

200

201

229

/* Seek back to the beginning of the GPGME plaintext data buffer */

202

230

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

203

231

perror("pgpme_data_seek");

232

plaintext_length = -1;

233

goto decrypt_end;

204

234

}

205

235

206

*new_packet = 0;

236

*plaintext = NULL;

207

237

while(true){

208

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

209

*new_packet = realloc(*new_packet,

210

(unsigned int)new_packet_capacity

211

+ BUFFER_SIZE);

212

if (*new_packet == NULL){

213

perror("realloc");

214

return -1;

215

}

216

new_packet_capacity += BUFFER_SIZE;

238

plaintext_capacity = adjustbuffer(plaintext,

239

(size_t)plaintext_length,

240

plaintext_capacity);

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

243

plaintext_length = -1;

244

goto decrypt_end;

217

245

}

218

246

219

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

247

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

220

248

BUFFER_SIZE);

221

249

/* Print the data, if any */

222

250

if (ret == 0){

251

/* EOF */

223

252

break;

224

253

}

225

254

if(ret < 0){

226

255

perror("gpgme_data_read");

227

return -1;

256

plaintext_length = -1;

257

goto decrypt_end;

228

258

}

229

new_packet_length += ret;

259

plaintext_length += ret;

230

260

}

231

261

232

/* FIXME: check characters before printing to screen so to not print

233

terminal control characters */

234

/* if(debug){ */

235

/* fprintf(stderr, "decrypted password is: "); */

236

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

237

/* fprintf(stderr, "\n"); */

238

/* } */

262

if(debug){

263

fprintf(stderr, "Decrypted password is: ");

264

for(ssize_t i = 0; i < plaintext_length; i++){

265

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

266

}

267

fprintf(stderr, "\n");

268

}

269

270

decrypt_end:

271

272

/* Delete the GPGME cryptotext data buffer */

273

gpgme_data_release(dh_crypto);

239

274

240

275

/* Delete the GPGME plaintext data buffer */

241

276

gpgme_data_release(dh_plain);

242

return new_packet_length;

277

return plaintext_length;

243

278

}

244

279

245

280

static const char * safer_gnutls_strerror (int value) {

249

284

return ret;

250

285

}

251

286

287

/* GnuTLS log function callback */

252

288

static void debuggnutls(__attribute__((unused)) int level,

253

289

const char* string){

254

fprintf(stderr, "%s", string);

290

fprintf(stderr, "GnuTLS: %s", string);

255

291

}

256

292

257

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

258

gnutls_dh_params_t *dh_params){

259

const char *err;

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

260

296

int ret;

261

297

262

298

if(debug){

265

301

266

302

if ((ret = gnutls_global_init ())

267

303

!= GNUTLS_E_SUCCESS) {

268

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

269

306

return -1;

270

307

}

271

308

272

309

if (debug){

310

/* "Use a log level over 10 to enable all debugging options."

311

* - GnuTLS manual

312

*/

273

313

gnutls_global_set_log_level(11);

274

314

gnutls_global_set_log_function(debuggnutls);

275

315

}

276

316

277

/* openpgp credentials */

317

/* OpenPGP credentials */

278

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

279

319

!= GNUTLS_E_SUCCESS) {

280

fprintf (stderr, "memory error: %s\n",

320

fprintf (stderr, "GnuTLS memory error: %s\n",

281

321

safer_gnutls_strerror(ret));

322

gnutls_global_deinit ();

282

323

return -1;

283

324

}

284

325

291

332

ret = gnutls_certificate_set_openpgp_key_file

292

333

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

293

334

if (ret != GNUTLS_E_SUCCESS) {

294

fprintf

295

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

296

" '%s')\n",

297

ret, pubkeyfile, seckeyfile);

298

fprintf(stdout, "The Error is: %s\n",

335

fprintf(stderr,

336

"Error[%d] while reading the OpenPGP key pair ('%s',"

337

" '%s')\n", ret, pubkeyfile, seckeyfile);

338

fprintf(stdout, "The GnuTLS error is: %s\n",

299

339

safer_gnutls_strerror(ret));

300

return -1;

301

}

302

303

//GnuTLS server initialization

304

if ((ret = gnutls_dh_params_init(dh_params))

305

!= GNUTLS_E_SUCCESS) {

306

fprintf (stderr, "Error in dh parameter initialization: %s\n",

307

safer_gnutls_strerror(ret));

308

return -1;

309

}

310

311

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

312

!= GNUTLS_E_SUCCESS) {

313

fprintf (stderr, "Error in prime generation: %s\n",

314

safer_gnutls_strerror(ret));

315

return -1;

316

}

317

318

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

319

320

// GnuTLS session creation

321

if ((ret = gnutls_init(session, GNUTLS_SERVER))

322

!= GNUTLS_E_SUCCESS){

340

goto globalfail;

341

}

342

343

/* GnuTLS server initialization */

344

ret = gnutls_dh_params_init(&mc->dh_params);

345

if (ret != GNUTLS_E_SUCCESS) {

346

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

347

" %s\n", safer_gnutls_strerror(ret));

348

goto globalfail;

349

}

350

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

351

if (ret != GNUTLS_E_SUCCESS) {

352

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

353

safer_gnutls_strerror(ret));

354

goto globalfail;

355

}

356

357

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

358

359

return 0;

360

361

globalfail:

362

363

gnutls_certificate_free_credentials (mc->cred);

364

gnutls_global_deinit ();

365

return -1;

366

367

}

368

369

static int init_gnutls_session(mandos_context *mc,

370

gnutls_session_t *session){

371

int ret;

372

/* GnuTLS session creation */

373

ret = gnutls_init(session, GNUTLS_SERVER);

374

if (ret != GNUTLS_E_SUCCESS){

323

375

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

324

376

safer_gnutls_strerror(ret));

325

377

}

326

378

327

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

328

!= GNUTLS_E_SUCCESS) {

329

fprintf(stderr, "Syntax error at: %s\n", err);

330

fprintf(stderr, "GnuTLS error: %s\n",

331

safer_gnutls_strerror(ret));

332

return -1;

379

{

380

const char *err;

381

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

382

if (ret != GNUTLS_E_SUCCESS) {

383

fprintf(stderr, "Syntax error at: %s\n", err);

384

fprintf(stderr, "GnuTLS error: %s\n",

385

safer_gnutls_strerror(ret));

386

gnutls_deinit (*session);

387

return -1;

388

}

333

389

}

334

390

335

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

336

mc->cred))

337

!= GNUTLS_E_SUCCESS) {

338

fprintf(stderr, "Error setting a credentials set: %s\n",

391

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

392

mc->cred);

393

if (ret != GNUTLS_E_SUCCESS) {

394

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

339

395

safer_gnutls_strerror(ret));

396

gnutls_deinit (*session);

340

397

return -1;

341

398

}

342

399

349

406

return 0;

350

407

}

351

408

409

/* Avahi log function callback */

352

410

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

353

411

__attribute__((unused)) const char *txt){}

354

412

413

/* Called when a Mandos server is found */

355

414

static int start_mandos_communication(const char *ip, uint16_t port,

356

415

AvahiIfIndex if_index,

357

416

mandos_context *mc){

358

417

int ret, tcp_sd;

359

struct sockaddr_in6 to;

418

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

360

419

char *buffer = NULL;

361

420

char *decrypted_buffer;

362

421

size_t buffer_length = 0;

363

422

size_t buffer_capacity = 0;

364

423

ssize_t decrypted_buffer_size;

365

size_t written = 0;

424

size_t written;

366

425

int retval = 0;

367

426

char interface[IF_NAMESIZE];

368

427

gnutls_session_t session;

369

gnutls_dh_params_t dh_params;

428

429

ret = init_gnutls_session (mc, &session);

430

if (ret != 0){

431

return -1;

432

}

370

433

371

434

if(debug){

372

435

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

388

451

}

389

452

390

453

memset(&to,0,sizeof(to)); /* Spurious warning */

391

to.sin6_family = AF_INET6;

392

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

454

to.in6.sin6_family = AF_INET6;

455

/* It would be nice to have a way to detect if we were passed an

456

IPv4 address here. Now we assume an IPv6 address. */

457

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

393

458

if (ret < 0 ){

394

459

perror("inet_pton");

395

460

return -1;

398

463

fprintf(stderr, "Bad address: %s\n", ip);

399

464

return -1;

400

465

}

401

to.sin6_port = htons(port); /* Spurious warning */

466

to.in6.sin6_port = htons(port); /* Spurious warning */

402

467

403

to.sin6_scope_id = (uint32_t)if_index;

468

to.in6.sin6_scope_id = (uint32_t)if_index;

404

469

405

470

if(debug){

406

471

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

407

472

char addrstr[INET6_ADDRSTRLEN] = "";

408

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

473

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

409

474

sizeof(addrstr)) == NULL){

410

475

perror("inet_ntop");

411

476

} else {

415

480

}

416

481

}

417

482

418

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

483

ret = connect(tcp_sd, &to.in, sizeof(to));

419

484

if (ret < 0){

420

485

perror("connect");

421

486

return -1;

422

487

}

423

424

ret = initgnutls (mc, &session, &dh_params);

425

if (ret != 0){

426

retval = -1;

427

return -1;

488

489

const char *out = mandos_protocol_version;

490

written = 0;

491

while (true){

492

size_t out_size = strlen(out);

493

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

494

out_size - written));

495

if (ret == -1){

496

perror("write");

497

retval = -1;

498

goto mandos_end;

499

}

500

written += (size_t)ret;

501

if(written < out_size){

502

continue;

503

} else {

504

if (out == mandos_protocol_version){

505

written = 0;

506

out = "\r\n";

507

} else {

508

break;

509

}

510

}

511

}

512

513

if(debug){

514

fprintf(stderr, "Establishing TLS session with %s\n", ip);

428

515

}

429

516

430

517

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

431

518

432

if(debug){

433

fprintf(stderr, "Establishing TLS session with %s\n", ip);

434

}

435

436

519

ret = gnutls_handshake (session);

437

520

438

521

if (ret != GNUTLS_E_SUCCESS){

439

522

if(debug){

440

fprintf(stderr, "\n*** Handshake failed ***\n");

523

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

441

524

gnutls_perror (ret);

442

525

}

443

526

retval = -1;

444

goto exit;

527

goto mandos_end;

445

528

}

446

529

447

//Retrieve OpenPGP packet that contains the wanted password

530

/* Read OpenPGP packet that contains the wanted password */

448

531

449

532

if(debug){

450

533

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

452

535

}

453

536

454

537

while(true){

455

if (buffer_length + BUFFER_SIZE > buffer_capacity){

456

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

457

if (buffer == NULL){

458

perror("realloc");

459

goto exit;

460

}

461

buffer_capacity += BUFFER_SIZE;

538

buffer_capacity = adjustbuffer(&buffer, buffer_length,

539

buffer_capacity);

540

if (buffer_capacity == 0){

541

perror("adjustbuffer");

542

retval = -1;

543

goto mandos_end;

462

544

}

463

545

464

546

ret = gnutls_record_recv(session, buffer+buffer_length,

474

556

case GNUTLS_E_REHANDSHAKE:

475

557

ret = gnutls_handshake (session);

476

558

if (ret < 0){

477

fprintf(stderr, "\n*** Handshake failed ***\n");

559

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

478

560

gnutls_perror (ret);

479

561

retval = -1;

480

goto exit;

562

goto mandos_end;

481

563

}

482

564

break;

483

565

default:

484

566

fprintf(stderr, "Unknown error while reading data from"

485

" encrypted session with mandos server\n");

567

" encrypted session with Mandos server\n");

486

568

retval = -1;

487

569

gnutls_bye (session, GNUTLS_SHUT_RDWR);

488

goto exit;

570

goto mandos_end;

489

571

}

490

572

} else {

491

573

buffer_length += (size_t) ret;

492

574

}

493

575

}

494

576

577

if(debug){

578

fprintf(stderr, "Closing TLS session\n");

579

}

580

581

gnutls_bye (session, GNUTLS_SHUT_RDWR);

582

495

583

if (buffer_length > 0){

496

584

decrypted_buffer_size = pgp_packet_decrypt(buffer,

497

585

buffer_length,

498

586

&decrypted_buffer,

499

587

keydir);

500

588

if (decrypted_buffer_size >= 0){

589

written = 0;

501

590

while(written < (size_t) decrypted_buffer_size){

502

591

ret = (int)fwrite (decrypted_buffer + written, 1,

503

592

(size_t)decrypted_buffer_size - written,

517

606

retval = -1;

518

607

}

519

608

}

520

521

//shutdown procedure

522

523

if(debug){

524

fprintf(stderr, "Closing TLS session\n");

525

}

526

609

610

/* Shutdown procedure */

611

612

mandos_end:

527

613

free(buffer);

528

gnutls_bye (session, GNUTLS_SHUT_RDWR);

529

exit:

530

614

close(tcp_sd);

531

615

gnutls_deinit (session);

532

gnutls_certificate_free_credentials (mc->cred);

533

gnutls_global_deinit ();

534

616

return retval;

535

617

}

536

618

537

static void resolve_callback( AvahiSServiceResolver *r,

538

AvahiIfIndex interface,

539

AVAHI_GCC_UNUSED AvahiProtocol protocol,

540

AvahiResolverEvent event,

541

const char *name,

542

const char *type,

543

const char *domain,

544

const char *host_name,

545

const AvahiAddress *address,

546

uint16_t port,

547

AVAHI_GCC_UNUSED AvahiStringList *txt,

548

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

549

void* userdata) {

619

static void resolve_callback(AvahiSServiceResolver *r,

620

AvahiIfIndex interface,

621

AVAHI_GCC_UNUSED AvahiProtocol protocol,

622

AvahiResolverEvent event,

623

const char *name,

624

const char *type,

625

const char *domain,

626

const char *host_name,

627

const AvahiAddress *address,

628

uint16_t port,

629

AVAHI_GCC_UNUSED AvahiStringList *txt,

630

AVAHI_GCC_UNUSED AvahiLookupResultFlags

631

flags,

632

void* userdata) {

550

633

mandos_context *mc = userdata;

551

634

assert(r); /* Spurious warning */

552

635

556

639

switch (event) {

557

640

default:

558

641

case AVAHI_RESOLVER_FAILURE:

559

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

560

" type '%s' in domain '%s': %s\n", name, type, domain,

642

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

643

" of type '%s' in domain '%s': %s\n", name, type, domain,

561

644

avahi_strerror(avahi_server_errno(mc->server)));

562

645

break;

563

646

566

649

char ip[AVAHI_ADDRESS_STR_MAX];

567

650

avahi_address_snprint(ip, sizeof(ip), address);

568

651

if(debug){

569

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

570

" port %d\n", name, host_name, ip, port);

652

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

653

" port %d\n", name, host_name, ip, interface, port);

571

654

}

572

655

int ret = start_mandos_communication(ip, port, interface, mc);

573

656

if (ret == 0){

585

668

const char *name,

586

669

const char *type,

587

670

const char *domain,

588

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

671

AVAHI_GCC_UNUSED AvahiLookupResultFlags

672

flags,

589

673

void* userdata) {

590

674

mandos_context *mc = userdata;

591

675

assert(b); /* Spurious warning */

597

681

default:

598

682

case AVAHI_BROWSER_FAILURE:

599

683

600

fprintf(stderr, "(Browser) %s\n",

684

fprintf(stderr, "(Avahi browser) %s\n",

601

685

avahi_strerror(avahi_server_errno(mc->server)));

602

686

avahi_simple_poll_quit(mc->simple_poll);

603

687

return;

604

688

605

689

case AVAHI_BROWSER_NEW:

606

/* We ignore the returned resolver object. In the callback

607

function we free it. If the server is terminated before

608

the callback function is called the server will free

609

the resolver for us. */

690

/* We ignore the returned Avahi resolver object. In the callback

691

function we free it. If the Avahi server is terminated before

692

the callback function is called the Avahi server will free the

693

resolver for us. */

610

694

611

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

612

type, domain,

695

if (!(avahi_s_service_resolver_new(mc->server, interface,

696

protocol, name, type, domain,

613

697

AVAHI_PROTO_INET6, 0,

614

698

resolve_callback, mc)))

615

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

616

avahi_strerror(avahi_server_errno(mc->server)));

699

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

700

name, avahi_strerror(avahi_server_errno(mc->server)));

617

701

break;

618

702

619

703

case AVAHI_BROWSER_REMOVE:

621

705

622

706

case AVAHI_BROWSER_ALL_FOR_NOW:

623

707

case AVAHI_BROWSER_CACHE_EXHAUSTED:

708

if(debug){

709

fprintf(stderr, "No Mandos server found, still searching...\n");

710

}

624

711

break;

625

712

}

626

713

}

646

733

}

647

734

648

735

649

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

650

AvahiServerConfig config;

736

int main(int argc, char *argv[]){

651

737

AvahiSServiceBrowser *sb = NULL;

652

738

int error;

653

739

int ret;

654

int debug_int;

655

int returncode = EXIT_SUCCESS;

740

int exitcode = EXIT_SUCCESS;

656

741

const char *interface = "eth0";

657

742

struct ifreq network;

658

743

int sd;

744

uid_t uid;

745

gid_t gid;

659

746

char *connect_to = NULL;

660

747

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

748

const char *pubkeyfile = "pubkey.txt";

749

const char *seckeyfile = "seckey.txt";

661

750

mandos_context mc = { .simple_poll = NULL, .server = NULL,

662

751

.dh_bits = 1024, .priority = "SECURE256"};

752

bool gnutls_initalized = false;

663

753

664

debug_int = debug ? 1 : 0;

665

while (true){

666

struct option long_options[] = {

667

{"debug", no_argument, &debug_int, 1},

668

{"connect", required_argument, NULL, 'c'},

669

{"interface", required_argument, NULL, 'i'},

670

{"keydir", required_argument, NULL, 'd'},

671

{"seckey", required_argument, NULL, 's'},

672

{"pubkey", required_argument, NULL, 'p'},

673

{"dh-bits", required_argument, NULL, 'D'},

674

{"priority", required_argument, NULL, 'P'},

675

{0, 0, 0, 0} };

676

677

int option_index = 0;

678

ret = getopt_long (argc, argv, "i:", long_options,

679

&option_index);

680

681

if (ret == -1){

682

break;

683

}

684

685

switch(ret){

686

case 0:

687

break;

688

case 'i':

689

interface = optarg;

690

break;

691

case 'c':

692

connect_to = optarg;

693

break;

694

case 'd':

695

keydir = optarg;

696

break;

697

case 'p':

698

pubkeyfile = optarg;

699

break;

700

case 's':

701

seckeyfile = optarg;

702

break;

703

case 'D':

704

errno = 0;

705

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

706

if (errno){

707

perror("strtol");

708

exit(EXIT_FAILURE);

754

{

755

struct argp_option options[] = {

756

{ .name = "debug", .key = 128,

757

.doc = "Debug mode", .group = 3 },

758

{ .name = "connect", .key = 'c',

759

.arg = "IP",

760

.doc = "Connect directly to a sepcified mandos server",

761

.group = 1 },

762

{ .name = "interface", .key = 'i',

763

.arg = "INTERFACE",

764

.doc = "Interface that Avahi will conntect through",

765

.group = 1 },

766

{ .name = "keydir", .key = 'd',

767

.arg = "KEYDIR",

768

.doc = "Directory where the openpgp keyring is",

769

.group = 1 },

770

{ .name = "seckey", .key = 's',

771

.arg = "SECKEY",

772

.doc = "Secret openpgp key for gnutls authentication",

773

.group = 1 },

774

{ .name = "pubkey", .key = 'p',

775

.arg = "PUBKEY",

776

.doc = "Public openpgp key for gnutls authentication",

777

.group = 2 },

778

{ .name = "dh-bits", .key = 129,

779

.arg = "BITS",

780

.doc = "dh-bits to use in gnutls communication",

781

.group = 2 },

782

{ .name = "priority", .key = 130,

783

.arg = "PRIORITY",

784

.doc = "GNUTLS priority", .group = 1 },

785

{ .name = NULL }

786

};

787

788

789

error_t parse_opt (int key, char *arg,

790

struct argp_state *state) {

791

/* Get the INPUT argument from `argp_parse', which we know is

792

a pointer to our plugin list pointer. */

793

switch (key) {

794

case 128:

795

debug = true;

796

break;

797

case 'c':

798

connect_to = arg;

799

break;

800

case 'i':

801

interface = arg;

802

break;

803

case 'd':

804

keydir = arg;

805

break;

806

case 's':

807

seckeyfile = arg;

808

break;

809

case 'p':

810

pubkeyfile = arg;

811

break;

812

case 129:

813

errno = 0;

814

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

815

if (errno){

816

perror("strtol");

817

exit(EXIT_FAILURE);

818

}

819

break;

820

case 130:

821

mc.priority = arg;

822

break;

823

case ARGP_KEY_ARG:

824

argp_usage (state);

825

break;

826

case ARGP_KEY_END:

827

break;

828

default:

829

return ARGP_ERR_UNKNOWN;

709

830

}

710

break;

711

case 'P':

712

mc.priority = optarg;

713

break;

714

case '?':

715

default:

716

exit(EXIT_FAILURE);

831

return 0;

717

832

}

833

834

struct argp argp = { .options = options, .parser = parse_opt,

835

.args_doc = "",

836

.doc = "Mandos client -- Get and decrypt"

837

" passwords from mandos server" };

838

argp_parse (&argp, argc, argv, 0, 0, NULL);

718

839

}

719

debug = debug_int ? true : false;

720

840

721

841

pubkeyfile = combinepath(keydir, pubkeyfile);

722

842

if (pubkeyfile == NULL){

723

843

perror("combinepath");

724

returncode = EXIT_FAILURE;

725

goto exit;

844

exitcode = EXIT_FAILURE;

845

goto end;

726

846

}

727

847

728

848

seckeyfile = combinepath(keydir, seckeyfile);

729

849

if (seckeyfile == NULL){

730

850

perror("combinepath");

731

goto exit;

851

goto end;

852

}

853

854

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

855

if (ret == -1){

856

fprintf(stderr, "init_gnutls_global\n");

857

goto end;

858

} else {

859

gnutls_initalized = true;

860

}

861

862

uid = getuid();

863

gid = getgid();

864

865

ret = setuid(uid);

866

if (ret == -1){

867

perror("setuid");

868

}

869

870

setgid(gid);

871

if (ret == -1){

872

perror("setgid");

732

873

}

733

874

734

875

if_index = (AvahiIfIndex) if_nametoindex(interface);

743

884

char *address = strrchr(connect_to, ':');

744

885

if(address == NULL){

745

886

fprintf(stderr, "No colon in address\n");

746

exit(EXIT_FAILURE);

887

exitcode = EXIT_FAILURE;

888

goto end;

747

889

}

748

890

errno = 0;

749

891

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

750

892

if(errno){

751

893

perror("Bad port number");

752

exit(EXIT_FAILURE);

894

exitcode = EXIT_FAILURE;

895

goto end;

753

896

}

754

897

*address = '\0';

755

898

address = connect_to;

756

899

ret = start_mandos_communication(address, port, if_index, &mc);

757

900

if(ret < 0){

758

exit(EXIT_FAILURE);

901

exitcode = EXIT_FAILURE;

759

902

} else {

760

exit(EXIT_SUCCESS);

903

exitcode = EXIT_SUCCESS;

761

904

}

905

goto end;

762

906

}

763

907

764

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

765

if(sd < 0) {

766

perror("socket");

767

returncode = EXIT_FAILURE;

768

goto exit;

769

}

770

strcpy(network.ifr_name, interface); /* Spurious warning */

771

ret = ioctl(sd, SIOCGIFFLAGS, &network);

772

if(ret == -1){

773

774

perror("ioctl SIOCGIFFLAGS");

775

returncode = EXIT_FAILURE;

776

goto exit;

777

}

778

if((network.ifr_flags & IFF_UP) == 0){

779

network.ifr_flags |= IFF_UP;

780

ret = ioctl(sd, SIOCSIFFLAGS, &network);

908

/* If the interface is down, bring it up */

909

{

910

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

911

if(sd < 0) {

912

perror("socket");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

strcpy(network.ifr_name, interface); /* Spurious warning */

917

ret = ioctl(sd, SIOCGIFFLAGS, &network);

781

918

if(ret == -1){

782

perror("ioctl SIOCSIFFLAGS");

783

returncode = EXIT_FAILURE;

784

goto exit;

785

}

919

perror("ioctl SIOCGIFFLAGS");

920

exitcode = EXIT_FAILURE;

921

goto end;

922

}

923

if((network.ifr_flags & IFF_UP) == 0){

924

network.ifr_flags |= IFF_UP;

925

ret = ioctl(sd, SIOCSIFFLAGS, &network);

926

if(ret == -1){

927

perror("ioctl SIOCSIFFLAGS");

928

exitcode = EXIT_FAILURE;

929

goto end;

930

}

931

}

932

close(sd);

786

933

}

787

close(sd);

788

934

789

935

if (not debug){

790

936

avahi_set_log_function(empty_log);

791

937

}

792

938

793

/* Initialize the psuedo-RNG */

939

/* Initialize the pseudo-RNG for Avahi */

794

940

srand((unsigned int) time(NULL));

795

796

/* Allocate main loop object */

797

if (!(mc.simple_poll = avahi_simple_poll_new())) {

798

fprintf(stderr, "Failed to create simple poll object.\n");

799

returncode = EXIT_FAILURE;

800

goto exit;

801

}

802

803

/* Do not publish any local records */

804

avahi_server_config_init(&config);

805

config.publish_hinfo = 0;

806

config.publish_addresses = 0;

807

config.publish_workstation = 0;

808

config.publish_domain = 0;

809

810

/* Allocate a new server */

811

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

812

&config, NULL, NULL, &error);

813

814

/* Free the configuration data */

815

avahi_server_config_free(&config);

816

817

/* Check if creating the server object succeeded */

818

if (!mc.server) {

819

fprintf(stderr, "Failed to create server: %s\n",

941

942

/* Allocate main Avahi loop object */

943

mc.simple_poll = avahi_simple_poll_new();

944

if (mc.simple_poll == NULL) {

945

fprintf(stderr, "Avahi: Failed to create simple poll"

946

" object.\n");

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

{

952

AvahiServerConfig config;

953

/* Do not publish any local Zeroconf records */

954

avahi_server_config_init(&config);

955

config.publish_hinfo = 0;

956

config.publish_addresses = 0;

957

config.publish_workstation = 0;

958

config.publish_domain = 0;

959

960

/* Allocate a new server */

961

mc.server = avahi_server_new(avahi_simple_poll_get

962

(mc.simple_poll), &config, NULL,

963

NULL, &error);

964

965

/* Free the Avahi configuration data */

966

avahi_server_config_free(&config);

967

}

968

969

/* Check if creating the Avahi server object succeeded */

970

if (mc.server == NULL) {

971

fprintf(stderr, "Failed to create Avahi server: %s\n",

820

972

avahi_strerror(error));

821

returncode = EXIT_FAILURE;

822

goto exit;

973

exitcode = EXIT_FAILURE;

974

goto end;

823

975

}

824

976

825

/* Create the service browser */

977

/* Create the Avahi service browser */

826

978

sb = avahi_s_service_browser_new(mc.server, if_index,

827

979

AVAHI_PROTO_INET6,

828

980

"_mandos._tcp", NULL, 0,

829

981

browse_callback, &mc);

830

if (!sb) {

982

if (sb == NULL) {

831

983

fprintf(stderr, "Failed to create service browser: %s\n",

832

984

avahi_strerror(avahi_server_errno(mc.server)));

833

returncode = EXIT_FAILURE;

834

goto exit;

985

exitcode = EXIT_FAILURE;

986

goto end;

835

987

}

836

988

837

989

/* Run the main loop */

838

990

839

991

if (debug){

840

fprintf(stderr, "Starting avahi loop search\n");

992

fprintf(stderr, "Starting Avahi loop search\n");

841

993

}

842

994

843

995

avahi_simple_poll_loop(mc.simple_poll);

844

996

845

exit:

997

end:

846

998

847

999

if (debug){

848

1000

fprintf(stderr, "%s exiting\n", argv[0]);

849

1001

}

850

1002

851

1003

/* Cleanup things */

852

if (sb)

1004

if (sb != NULL)

853

1005

avahi_s_service_browser_free(sb);

854

1006

855

if (mc.server)

1007

if (mc.server != NULL)

856

1008

avahi_server_free(mc.server);

857

1009

858

if (mc.simple_poll)

1010

if (mc.simple_poll != NULL)

859

1011

avahi_simple_poll_free(mc.simple_poll);

860

1012

free(pubkeyfile);

861

1013

free(seckeyfile);

1014

1015

if (gnutls_initalized){

1016

gnutls_certificate_free_credentials (mc.cred);

1017

gnutls_global_deinit ();

1018

}

862

1019

863

return returncode;

1020

return exitcode;

864

1021

}