/mandos/release : revision 60

32

#define _LARGEFILE_SOURCE

33

#define _FILE_OFFSET_BITS 64

34

35

#include <stdio.h>

36

#include <assert.h>

37

#include <stdlib.h>

38

#include <time.h>

39

#include <net/if.h> /* if_nametoindex */

40

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

41

SIOCSIFFLAGS */

35

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

36

37

#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,

38

ferror() */

39

#include <stdint.h> /* uint16_t, uint32_t */

40

#include <stddef.h> /* NULL, size_t, ssize_t */

41

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

42

srand() */

43

#include <stdbool.h> /* bool, true */

44

#include <string.h> /* memset(), strcmp(), strlen(),

45

strerror(), memcpy(), strcpy() */

46

#include <sys/ioctl.h> /* ioctl */

47

#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,

48

IFF_UP */

49

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

50

sockaddr_in6, PF_INET6,

51

SOCK_STREAM, INET6_ADDRSTRLEN,

52

uid_t, gid_t */

53

#include <inttypes.h> /* PRIu16 */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton(),

56

connect() */

57

#include <assert.h> /* assert() */

58

#include <errno.h> /* perror(), errno */

59

#include <time.h> /* time() */

42

60

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

43

SIOCSIFFLAGS */

61

SIOCSIFFLAGS, if_indextoname(),

62

if_nametoindex(), IF_NAMESIZE */

63

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

64

getuid(), getgid(), setuid(),

65

setgid() */

66

#include <netinet/in.h>

67

#include <arpa/inet.h> /* inet_pton(), htons */

68

#include <iso646.h> /* not, and */

69

#include <argp.h> /* struct argp_option, error_t, struct

70

argp_state, struct argp,

71

argp_parse(), ARGP_KEY_ARG,

72

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

44

73

74

/* Avahi */

75

/* All Avahi types, constants and functions

76

Avahi*, avahi_*,

77

AVAHI_* */

45

78

#include <avahi-core/core.h>

46

79

#include <avahi-core/lookup.h>

47

80

#include <avahi-core/log.h>

49

82

#include <avahi-common/malloc.h>

50

83

#include <avahi-common/error.h>

51

84

52

//mandos client part

53

#include <sys/types.h> /* socket(), inet_pton() */

54

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

55

struct in6_addr, inet_pton() */

56

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

57

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

58

59

#include <unistd.h> /* close() */

60

#include <netinet/in.h>

61

#include <stdbool.h> /* true */

62

#include <string.h> /* memset */

63

#include <arpa/inet.h> /* inet_pton() */

64

#include <iso646.h> /* not */

65

66

// gpgme

67

#include <errno.h> /* perror() */

68

#include <gpgme.h>

69

70

// getopt_long

71

#include <getopt.h>

85

/* GnuTLS */

86

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions

87

gnutls_*

88

init_gnutls_session(),

89

GNUTLS_* */

90

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

91

GNUTLS_OPENPGP_FMT_BASE64 */

92

93

/* GPGME */

94

#include <gpgme.h> /* All GPGME types, constants and functions

95

gpgme_*

96

GPGME_PROTOCOL_OpenPGP,

97

GPG_ERR_NO_* */

72

98

73

99

#define BUFFER_SIZE 256

74

100

101

bool debug = false;

75

102

static const char *keydir = "/conf/conf.d/mandos";

76

static const char *pubkeyfile = "pubkey.txt";

77

static const char *seckeyfile = "seckey.txt";

78

79

bool debug = false;

80

81

/* Used for passing in values through all the callback functions */

103

static const char mandos_protocol_version[] = "1";

104

const char *argp_program_version = "password-request 1.0";

105

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

106

107

/* Used for passing in values through the Avahi callback functions */

82

108

typedef struct {

83

109

AvahiSimplePoll *simple_poll;

84

110

AvahiServer *server;

85

111

gnutls_certificate_credentials_t cred;

86

112

unsigned int dh_bits;

113

gnutls_dh_params_t dh_params;

87

114

const char *priority;

88

115

} mandos_context;

89

116

117

/*

118

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

119

* "buffer_capacity" is how much is currently allocated,

120

* "buffer_length" is how much is already used.

121

*/

122

size_t adjustbuffer(char **buffer, size_t buffer_length,

123

size_t buffer_capacity){

124

if (buffer_length + BUFFER_SIZE > buffer_capacity){

125

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

126

if (buffer == NULL){

127

return 0;

128

}

129

buffer_capacity += BUFFER_SIZE;

130

}

131

return buffer_capacity;

132

}

133

90

134

/*

91

135

* Decrypt OpenPGP data using keyrings in HOMEDIR.

92

136

* Returns -1 on error

99

143

gpgme_ctx_t ctx;

100

144

gpgme_error_t rc;

101

145

ssize_t ret;

102

ssize_t plaintext_capacity = 0;

146

size_t plaintext_capacity = 0;

103

147

ssize_t plaintext_length = 0;

104

148

gpgme_engine_info_t engine_info;

105

149

185

229

} else {

186

230

fprintf(stderr, "Unsupported algorithm: %s\n",

187

231

result->unsupported_algorithm);

188

fprintf(stderr, "Wrong key usage: %d\n",

232

fprintf(stderr, "Wrong key usage: %u\n",

189

233

result->wrong_key_usage);

190

234

if(result->file_name != NULL){

191

235

fprintf(stderr, "File name: %s\n", result->file_name);

215

259

216

260

*plaintext = NULL;

217

261

while(true){

218

if (plaintext_length + BUFFER_SIZE > plaintext_capacity){

219

*plaintext = realloc(*plaintext,

220

(unsigned int)plaintext_capacity

221

+ BUFFER_SIZE);

222

if (*plaintext == NULL){

223

perror("realloc");

262

plaintext_capacity = adjustbuffer(plaintext,

263

(size_t)plaintext_length,

264

plaintext_capacity);

265

if (plaintext_capacity == 0){

266

perror("adjustbuffer");

224

267

plaintext_length = -1;

225

268

goto decrypt_end;

226

}

227

plaintext_capacity += BUFFER_SIZE;

228

269

}

229

270

230

271

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

244

285

245

286

if(debug){

246

287

fprintf(stderr, "Decrypted password is: ");

247

for(size_t i = 0; i < plaintext_length; i++){

288

for(ssize_t i = 0; i < plaintext_length; i++){

248

289

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

249

290

}

250

291

fprintf(stderr, "\n");

267

308

return ret;

268

309

}

269

310

311

/* GnuTLS log function callback */

270

312

static void debuggnutls(__attribute__((unused)) int level,

271

313

const char* string){

272

fprintf(stderr, "%s", string);

314

fprintf(stderr, "GnuTLS: %s", string);

273

315

}

274

316

275

static int initgnutls(mandos_context *mc, gnutls_session_t *session,

276

gnutls_dh_params_t *dh_params){

277

const char *err;

317

static int init_gnutls_global(mandos_context *mc,

318

const char *pubkeyfile,

319

const char *seckeyfile){

278

320

int ret;

279

321

280

322

if(debug){

281

323

fprintf(stderr, "Initializing GnuTLS\n");

282

324

}

283

284

if ((ret = gnutls_global_init ())

285

!= GNUTLS_E_SUCCESS) {

286

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

325

326

ret = gnutls_global_init();

327

if (ret != GNUTLS_E_SUCCESS) {

328

fprintf (stderr, "GnuTLS global_init: %s\n",

329

safer_gnutls_strerror(ret));

287

330

return -1;

288

331

}

289

332

290

333

if (debug){

334

/* "Use a log level over 10 to enable all debugging options."

335

* - GnuTLS manual

336

*/

291

337

gnutls_global_set_log_level(11);

292

338

gnutls_global_set_log_function(debuggnutls);

293

339

}

294

340

295

/* openpgp credentials */

296

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

297

!= GNUTLS_E_SUCCESS) {

298

fprintf (stderr, "memory error: %s\n",

341

/* OpenPGP credentials */

342

gnutls_certificate_allocate_credentials(&mc->cred);

343

if (ret != GNUTLS_E_SUCCESS){

344

fprintf (stderr, "GnuTLS memory error: %s\n",

299

345

safer_gnutls_strerror(ret));

346

gnutls_global_deinit ();

300

347

return -1;

301

348

}

302

349

309

356

ret = gnutls_certificate_set_openpgp_key_file

310

357

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

311

358

if (ret != GNUTLS_E_SUCCESS) {

312

fprintf

313

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

314

" '%s')\n",

315

ret, pubkeyfile, seckeyfile);

316

fprintf(stdout, "The Error is: %s\n",

359

fprintf(stderr,

360

"Error[%d] while reading the OpenPGP key pair ('%s',"

361

" '%s')\n", ret, pubkeyfile, seckeyfile);

362

fprintf(stdout, "The GnuTLS error is: %s\n",

317

363

safer_gnutls_strerror(ret));

318

return -1;

319

}

320

321

//GnuTLS server initialization

322

if ((ret = gnutls_dh_params_init(dh_params))

323

!= GNUTLS_E_SUCCESS) {

324

fprintf (stderr, "Error in dh parameter initialization: %s\n",

325

safer_gnutls_strerror(ret));

326

return -1;

327

}

328

329

if ((ret = gnutls_dh_params_generate2(*dh_params, mc->dh_bits))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf (stderr, "Error in prime generation: %s\n",

332

safer_gnutls_strerror(ret));

333

return -1;

334

}

335

336

gnutls_certificate_set_dh_params(mc->cred, *dh_params);

337

338

// GnuTLS session creation

339

if ((ret = gnutls_init(session, GNUTLS_SERVER))

340

!= GNUTLS_E_SUCCESS){

364

goto globalfail;

365

}

366

367

/* GnuTLS server initialization */

368

ret = gnutls_dh_params_init(&mc->dh_params);

369

if (ret != GNUTLS_E_SUCCESS) {

370

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

371

" %s\n", safer_gnutls_strerror(ret));

372

goto globalfail;

373

}

374

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

375

if (ret != GNUTLS_E_SUCCESS) {

376

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

377

safer_gnutls_strerror(ret));

378

goto globalfail;

379

}

380

381

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

382

383

return 0;

384

385

globalfail:

386

387

gnutls_certificate_free_credentials(mc->cred);

388

gnutls_global_deinit();

389

return -1;

390

391

}

392

393

static int init_gnutls_session(mandos_context *mc,

394

gnutls_session_t *session){

395

int ret;

396

/* GnuTLS session creation */

397

ret = gnutls_init(session, GNUTLS_SERVER);

398

if (ret != GNUTLS_E_SUCCESS){

341

399

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

342

400

safer_gnutls_strerror(ret));

343

401

}

344

402

345

if ((ret = gnutls_priority_set_direct(*session, mc->priority, &err))

346

!= GNUTLS_E_SUCCESS) {

347

fprintf(stderr, "Syntax error at: %s\n", err);

348

fprintf(stderr, "GnuTLS error: %s\n",

349

safer_gnutls_strerror(ret));

350

return -1;

403

{

404

const char *err;

405

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

406

if (ret != GNUTLS_E_SUCCESS) {

407

fprintf(stderr, "Syntax error at: %s\n", err);

408

fprintf(stderr, "GnuTLS error: %s\n",

409

safer_gnutls_strerror(ret));

410

gnutls_deinit (*session);

411

return -1;

412

}

351

413

}

352

414

353

if ((ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

354

mc->cred))

355

!= GNUTLS_E_SUCCESS) {

356

fprintf(stderr, "Error setting a credentials set: %s\n",

415

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

416

mc->cred);

417

if (ret != GNUTLS_E_SUCCESS) {

418

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

357

419

safer_gnutls_strerror(ret));

420

gnutls_deinit (*session);

358

421

return -1;

359

422

}

360

423

367

430

return 0;

368

431

}

369

432

433

/* Avahi log function callback */

370

434

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

371

435

__attribute__((unused)) const char *txt){}

372

436

437

/* Called when a Mandos server is found */

373

438

static int start_mandos_communication(const char *ip, uint16_t port,

374

439

AvahiIfIndex if_index,

375

440

mandos_context *mc){

376

441

int ret, tcp_sd;

377

struct sockaddr_in6 to;

442

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

378

443

char *buffer = NULL;

379

444

char *decrypted_buffer;

380

445

size_t buffer_length = 0;

381

446

size_t buffer_capacity = 0;

382

447

ssize_t decrypted_buffer_size;

383

size_t written = 0;

448

size_t written;

384

449

int retval = 0;

385

450

char interface[IF_NAMESIZE];

386

451

gnutls_session_t session;

387

gnutls_dh_params_t dh_params;

452

453

ret = init_gnutls_session (mc, &session);

454

if (ret != 0){

455

return -1;

456

}

388

457

389

458

if(debug){

390

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

391

ip, port);

459

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

460

"\n", ip, port);

392

461

}

393

462

394

463

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

406

475

}

407

476

408

477

memset(&to,0,sizeof(to)); /* Spurious warning */

409

to.sin6_family = AF_INET6;

410

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

478

to.in6.sin6_family = AF_INET6;

479

/* It would be nice to have a way to detect if we were passed an

480

IPv4 address here. Now we assume an IPv6 address. */

481

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

411

482

if (ret < 0 ){

412

483

perror("inet_pton");

413

484

return -1;

416

487

fprintf(stderr, "Bad address: %s\n", ip);

417

488

return -1;

418

489

}

419

to.sin6_port = htons(port); /* Spurious warning */

490

to.in6.sin6_port = htons(port); /* Spurious warning */

420

491

421

to.sin6_scope_id = (uint32_t)if_index;

492

to.in6.sin6_scope_id = (uint32_t)if_index;

422

493

423

494

if(debug){

424

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

495

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

496

port);

425

497

char addrstr[INET6_ADDRSTRLEN] = "";

426

if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr,

498

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

427

499

sizeof(addrstr)) == NULL){

428

500

perror("inet_ntop");

429

501

} else {

433

505

}

434

506

}

435

507

436

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

508

ret = connect(tcp_sd, &to.in, sizeof(to));

437

509

if (ret < 0){

438

510

perror("connect");

439

511

return -1;

440

512

}

441

442

ret = initgnutls (mc, &session, &dh_params);

443

if (ret != 0){

444

retval = -1;

445

return -1;

513

514

const char *out = mandos_protocol_version;

515

written = 0;

516

while (true){

517

size_t out_size = strlen(out);

518

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

519

out_size - written));

520

if (ret == -1){

521

perror("write");

522

retval = -1;

523

goto mandos_end;

524

}

525

written += (size_t)ret;

526

if(written < out_size){

527

continue;

528

} else {

529

if (out == mandos_protocol_version){

530

written = 0;

531

out = "\r\n";

532

} else {

533

break;

534

}

535

}

536

}

537

538

if(debug){

539

fprintf(stderr, "Establishing TLS session with %s\n", ip);

446

540

}

447

541

448

542

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

449

450

if(debug){

451

fprintf(stderr, "Establishing TLS session with %s\n", ip);

452

}

453

454

ret = gnutls_handshake (session);

543

544

do{

545

ret = gnutls_handshake (session);

546

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

455

547

456

548

if (ret != GNUTLS_E_SUCCESS){

457

549

if(debug){

458

fprintf(stderr, "\n*** Handshake failed ***\n");

550

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

459

551

gnutls_perror (ret);

460

552

}

461

553

retval = -1;

462

goto exit;

554

goto mandos_end;

463

555

}

464

556

465

//Retrieve OpenPGP packet that contains the wanted password

557

/* Read OpenPGP packet that contains the wanted password */

466

558

467

559

if(debug){

468

560

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

470

562

}

471

563

472

564

while(true){

473

if (buffer_length + BUFFER_SIZE > buffer_capacity){

474

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

475

if (buffer == NULL){

476

perror("realloc");

477

goto exit;

478

}

479

buffer_capacity += BUFFER_SIZE;

565

buffer_capacity = adjustbuffer(&buffer, buffer_length,

566

buffer_capacity);

567

if (buffer_capacity == 0){

568

perror("adjustbuffer");

569

retval = -1;

570

goto mandos_end;

480

571

}

481

572

482

573

ret = gnutls_record_recv(session, buffer+buffer_length,

490

581

case GNUTLS_E_AGAIN:

491

582

break;

492

583

case GNUTLS_E_REHANDSHAKE:

493

ret = gnutls_handshake (session);

584

do{

585

ret = gnutls_handshake (session);

586

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

494

587

if (ret < 0){

495

fprintf(stderr, "\n*** Handshake failed ***\n");

588

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

496

589

gnutls_perror (ret);

497

590

retval = -1;

498

goto exit;

591

goto mandos_end;

499

592

}

500

593

break;

501

594

default:

502

595

fprintf(stderr, "Unknown error while reading data from"

503

" encrypted session with mandos server\n");

596

" encrypted session with Mandos server\n");

504

597

retval = -1;

505

598

gnutls_bye (session, GNUTLS_SHUT_RDWR);

506

goto exit;

599

goto mandos_end;

507

600

}

508

601

} else {

509

602

buffer_length += (size_t) ret;

510

603

}

511

604

}

512

605

606

if(debug){

607

fprintf(stderr, "Closing TLS session\n");

608

}

609

610

gnutls_bye (session, GNUTLS_SHUT_RDWR);

611

513

612

if (buffer_length > 0){

514

613

decrypted_buffer_size = pgp_packet_decrypt(buffer,

515

614

buffer_length,

516

615

&decrypted_buffer,

517

616

keydir);

518

617

if (decrypted_buffer_size >= 0){

618

written = 0;

519

619

while(written < (size_t) decrypted_buffer_size){

520

620

ret = (int)fwrite (decrypted_buffer + written, 1,

521

621

(size_t)decrypted_buffer_size - written,

535

635

retval = -1;

536

636

}

537

637

}

538

539

//shutdown procedure

540

541

if(debug){

542

fprintf(stderr, "Closing TLS session\n");

543

}

544

638

639

/* Shutdown procedure */

640

641

mandos_end:

545

642

free(buffer);

546

gnutls_bye (session, GNUTLS_SHUT_RDWR);

547

exit:

548

643

close(tcp_sd);

549

644

gnutls_deinit (session);

550

gnutls_certificate_free_credentials (mc->cred);

551

gnutls_global_deinit ();

552

645

return retval;

553

646

}

554

647

575

668

switch (event) {

576

669

default:

577

670

case AVAHI_RESOLVER_FAILURE:

578

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

579

" type '%s' in domain '%s': %s\n", name, type, domain,

671

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

672

" of type '%s' in domain '%s': %s\n", name, type, domain,

580

673

avahi_strerror(avahi_server_errno(mc->server)));

581

674

break;

582

675

585

678

char ip[AVAHI_ADDRESS_STR_MAX];

586

679

avahi_address_snprint(ip, sizeof(ip), address);

587

680

if(debug){

588

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

589

" port %d\n", name, host_name, ip, port);

681

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

682

PRIu16 ") on port %d\n", name, host_name, ip,

683

interface, port);

590

684

}

591

685

int ret = start_mandos_communication(ip, port, interface, mc);

592

686

if (ret == 0){

617

711

default:

618

712

case AVAHI_BROWSER_FAILURE:

619

713

620

fprintf(stderr, "(Browser) %s\n",

714

fprintf(stderr, "(Avahi browser) %s\n",

621

715

avahi_strerror(avahi_server_errno(mc->server)));

622

716

avahi_simple_poll_quit(mc->simple_poll);

623

717

return;

624

718

625

719

case AVAHI_BROWSER_NEW:

626

/* We ignore the returned resolver object. In the callback

627

function we free it. If the server is terminated before

628

the callback function is called the server will free

629

the resolver for us. */

720

/* We ignore the returned Avahi resolver object. In the callback

721

function we free it. If the Avahi server is terminated before

722

the callback function is called the Avahi server will free the

723

resolver for us. */

630

724

631

725

if (!(avahi_s_service_resolver_new(mc->server, interface,

632

726

protocol, name, type, domain,

633

727

AVAHI_PROTO_INET6, 0,

634

728

resolve_callback, mc)))

635

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

636

avahi_strerror(avahi_server_errno(mc->server)));

729

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

730

name, avahi_strerror(avahi_server_errno(mc->server)));

637

731

break;

638

732

639

733

case AVAHI_BROWSER_REMOVE:

641

735

642

736

case AVAHI_BROWSER_ALL_FOR_NOW:

643

737

case AVAHI_BROWSER_CACHE_EXHAUSTED:

738

if(debug){

739

fprintf(stderr, "No Mandos server found, still searching...\n");

740

}

644

741

break;

645

742

}

646

743

}

666

763

}

667

764

668

765

669

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

670

AvahiServerConfig config;

766

int main(int argc, char *argv[]){

671

767

AvahiSServiceBrowser *sb = NULL;

672

768

int error;

673

769

int ret;

674

int debug_int;

675

int returncode = EXIT_SUCCESS;

770

int exitcode = EXIT_SUCCESS;

676

771

const char *interface = "eth0";

677

772

struct ifreq network;

678

773

int sd;

774

uid_t uid;

775

gid_t gid;

679

776

char *connect_to = NULL;

680

777

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

778

const char *pubkeyfile = "pubkey.txt";

779

const char *seckeyfile = "seckey.txt";

681

780

mandos_context mc = { .simple_poll = NULL, .server = NULL,

682

781

.dh_bits = 1024, .priority = "SECURE256"};

782

bool gnutls_initalized = false;

683

783

684

debug_int = debug ? 1 : 0;

685

while (true){

686

struct option long_options[] = {

687

{"debug", no_argument, &debug_int, 1},

688

{"connect", required_argument, NULL, 'c'},

689

{"interface", required_argument, NULL, 'i'},

690

{"keydir", required_argument, NULL, 'd'},

691

{"seckey", required_argument, NULL, 's'},

692

{"pubkey", required_argument, NULL, 'p'},

693

{"dh-bits", required_argument, NULL, 'D'},

694

{"priority", required_argument, NULL, 'P'},

695

{0, 0, 0, 0} };

696

697

int option_index = 0;

698

ret = getopt_long (argc, argv, "i:", long_options,

699

&option_index);

700

701

if (ret == -1){

702

break;

703

}

704

705

switch(ret){

706

case 0:

707

break;

708

case 'i':

709

interface = optarg;

710

break;

711

case 'c':

712

connect_to = optarg;

713

break;

714

case 'd':

715

keydir = optarg;

716

break;

717

case 'p':

718

pubkeyfile = optarg;

719

break;

720

case 's':

721

seckeyfile = optarg;

722

break;

723

case 'D':

724

errno = 0;

725

mc.dh_bits = (unsigned int) strtol(optarg, NULL, 10);

726

if (errno){

727

perror("strtol");

728

exit(EXIT_FAILURE);

784

{

785

struct argp_option options[] = {

786

{ .name = "debug", .key = 128,

787

.doc = "Debug mode", .group = 3 },

788

{ .name = "connect", .key = 'c',

789

.arg = "IP",

790

.doc = "Connect directly to a sepcified mandos server",

791

.group = 1 },

792

{ .name = "interface", .key = 'i',

793

.arg = "INTERFACE",

794

.doc = "Interface that Avahi will conntect through",

795

.group = 1 },

796

{ .name = "keydir", .key = 'd',

797

.arg = "KEYDIR",

798

.doc = "Directory where the openpgp keyring is",

799

.group = 1 },

800

{ .name = "seckey", .key = 's',

801

.arg = "SECKEY",

802

.doc = "Secret openpgp key for gnutls authentication",

803

.group = 1 },

804

{ .name = "pubkey", .key = 'p',

805

.arg = "PUBKEY",

806

.doc = "Public openpgp key for gnutls authentication",

807

.group = 2 },

808

{ .name = "dh-bits", .key = 129,

809

.arg = "BITS",

810

.doc = "dh-bits to use in gnutls communication",

811

.group = 2 },

812

{ .name = "priority", .key = 130,

813

.arg = "PRIORITY",

814

.doc = "GNUTLS priority", .group = 1 },

815

{ .name = NULL }

816

};

817

818

819

error_t parse_opt (int key, char *arg,

820

struct argp_state *state) {

821

/* Get the INPUT argument from `argp_parse', which we know is

822

a pointer to our plugin list pointer. */

823

switch (key) {

824

case 128:

825

debug = true;

826

break;

827

case 'c':

828

connect_to = arg;

829

break;

830

case 'i':

831

interface = arg;

832

break;

833

case 'd':

834

keydir = arg;

835

break;

836

case 's':

837

seckeyfile = arg;

838

break;

839

case 'p':

840

pubkeyfile = arg;

841

break;

842

case 129:

843

errno = 0;

844

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

845

if (errno){

846

perror("strtol");

847

exit(EXIT_FAILURE);

848

}

849

break;

850

case 130:

851

mc.priority = arg;

852

break;

853

case ARGP_KEY_ARG:

854

argp_usage (state);

855

break;

856

case ARGP_KEY_END:

857

break;

858

default:

859

return ARGP_ERR_UNKNOWN;

729

860

}

730

break;

731

case 'P':

732

mc.priority = optarg;

733

break;

734

case '?':

735

default:

736

exit(EXIT_FAILURE);

861

return 0;

862

}

863

864

struct argp argp = { .options = options, .parser = parse_opt,

865

.args_doc = "",

866

.doc = "Mandos client -- Get and decrypt"

867

" passwords from mandos server" };

868

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

869

if (ret == ARGP_ERR_UNKNOWN){

870

fprintf(stderr, "Unkown error while parsing arguments\n");

871

exitcode = EXIT_FAILURE;

872

goto end;

737

873

}

738

874

}

739

debug = debug_int ? true : false;

740

875

741

876

pubkeyfile = combinepath(keydir, pubkeyfile);

742

877

if (pubkeyfile == NULL){

743

878

perror("combinepath");

744

returncode = EXIT_FAILURE;

745

goto exit;

879

exitcode = EXIT_FAILURE;

880

goto end;

746

881

}

747

882

748

883

seckeyfile = combinepath(keydir, seckeyfile);

749

884

if (seckeyfile == NULL){

750

885

perror("combinepath");

751

goto exit;

886

goto end;

887

}

888

889

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

890

if (ret == -1){

891

fprintf(stderr, "init_gnutls_global\n");

892

goto end;

893

} else {

894

gnutls_initalized = true;

895

}

896

897

uid = getuid();

898

gid = getgid();

899

900

ret = setuid(uid);

901

if (ret == -1){

902

perror("setuid");

903

}

904

905

setgid(gid);

906

if (ret == -1){

907

perror("setgid");

752

908

}

753

909

754

910

if_index = (AvahiIfIndex) if_nametoindex(interface);

763

919

char *address = strrchr(connect_to, ':');

764

920

if(address == NULL){

765

921

fprintf(stderr, "No colon in address\n");

766

exit(EXIT_FAILURE);

922

exitcode = EXIT_FAILURE;

923

goto end;

767

924

}

768

925

errno = 0;

769

926

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

770

927

if(errno){

771

928

perror("Bad port number");

772

exit(EXIT_FAILURE);

929

exitcode = EXIT_FAILURE;

930

goto end;

773

931

}

774

932

*address = '\0';

775

933

address = connect_to;

776

934

ret = start_mandos_communication(address, port, if_index, &mc);

777

935

if(ret < 0){

778

exit(EXIT_FAILURE);

936

exitcode = EXIT_FAILURE;

779

937

} else {

780

exit(EXIT_SUCCESS);

938

exitcode = EXIT_SUCCESS;

781

939

}

940

goto end;

782

941

}

783

942

784

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

785

if(sd < 0) {

786

perror("socket");

787

returncode = EXIT_FAILURE;

788

goto exit;

789

}

790

strcpy(network.ifr_name, interface); /* Spurious warning */

791

ret = ioctl(sd, SIOCGIFFLAGS, &network);

792

if(ret == -1){

793

794

perror("ioctl SIOCGIFFLAGS");

795

returncode = EXIT_FAILURE;

796

goto exit;

797

}

798

if((network.ifr_flags & IFF_UP) == 0){

799

network.ifr_flags |= IFF_UP;

800

ret = ioctl(sd, SIOCSIFFLAGS, &network);

943

/* If the interface is down, bring it up */

944

{

945

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

946

if(sd < 0) {

947

perror("socket");

948

exitcode = EXIT_FAILURE;

949

goto end;

950

}

951

strcpy(network.ifr_name, interface); /* Spurious warning */

952

ret = ioctl(sd, SIOCGIFFLAGS, &network);

801

953

if(ret == -1){

802

perror("ioctl SIOCSIFFLAGS");

803

returncode = EXIT_FAILURE;

804

goto exit;

805

}

954

perror("ioctl SIOCGIFFLAGS");

955

exitcode = EXIT_FAILURE;

956

goto end;

957

}

958

if((network.ifr_flags & IFF_UP) == 0){

959

network.ifr_flags |= IFF_UP;

960

ret = ioctl(sd, SIOCSIFFLAGS, &network);

961

if(ret == -1){

962

perror("ioctl SIOCSIFFLAGS");

963

exitcode = EXIT_FAILURE;

964

goto end;

965

}

966

}

967

close(sd);

806

968

}

807

close(sd);

808

969

809

970

if (not debug){

810

971

avahi_set_log_function(empty_log);

811

972

}

812

973

813

/* Initialize the psuedo-RNG */

974

/* Initialize the pseudo-RNG for Avahi */

814

975

srand((unsigned int) time(NULL));

815

816

/* Allocate main loop object */

817

if (!(mc.simple_poll = avahi_simple_poll_new())) {

818

fprintf(stderr, "Failed to create simple poll object.\n");

819

returncode = EXIT_FAILURE;

820

goto exit;

821

}

822

823

/* Do not publish any local records */

824

avahi_server_config_init(&config);

825

config.publish_hinfo = 0;

826

config.publish_addresses = 0;

827

config.publish_workstation = 0;

828

config.publish_domain = 0;

829

830

/* Allocate a new server */

831

mc.server=avahi_server_new(avahi_simple_poll_get(mc.simple_poll),

832

&config, NULL, NULL, &error);

833

834

/* Free the configuration data */

835

avahi_server_config_free(&config);

836

837

/* Check if creating the server object succeeded */

838

if (!mc.server) {

839

fprintf(stderr, "Failed to create server: %s\n",

976

977

/* Allocate main Avahi loop object */

978

mc.simple_poll = avahi_simple_poll_new();

979

if (mc.simple_poll == NULL) {

980

fprintf(stderr, "Avahi: Failed to create simple poll"

981

" object.\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

}

985

986

{

987

AvahiServerConfig config;

988

/* Do not publish any local Zeroconf records */

989

avahi_server_config_init(&config);

990

config.publish_hinfo = 0;

991

config.publish_addresses = 0;

992

config.publish_workstation = 0;

993

config.publish_domain = 0;

994

995

/* Allocate a new server */

996

mc.server = avahi_server_new(avahi_simple_poll_get

997

(mc.simple_poll), &config, NULL,

998

NULL, &error);

999

1000

/* Free the Avahi configuration data */

1001

avahi_server_config_free(&config);

1002

}

1003

1004

/* Check if creating the Avahi server object succeeded */

1005

if (mc.server == NULL) {

1006

fprintf(stderr, "Failed to create Avahi server: %s\n",

840

1007

avahi_strerror(error));

841

returncode = EXIT_FAILURE;

842

goto exit;

1008

exitcode = EXIT_FAILURE;

1009

goto end;

843

1010

}

844

1011

845

/* Create the service browser */

1012

/* Create the Avahi service browser */

846

1013

sb = avahi_s_service_browser_new(mc.server, if_index,

847

1014

AVAHI_PROTO_INET6,

848

1015

"_mandos._tcp", NULL, 0,

849

1016

browse_callback, &mc);

850

if (!sb) {

1017

if (sb == NULL) {

851

1018

fprintf(stderr, "Failed to create service browser: %s\n",

852

1019

avahi_strerror(avahi_server_errno(mc.server)));

853

returncode = EXIT_FAILURE;

854

goto exit;

1020

exitcode = EXIT_FAILURE;

1021

goto end;

855

1022

}

856

1023

857

1024

/* Run the main loop */

858

1025

859

1026

if (debug){

860

fprintf(stderr, "Starting avahi loop search\n");

1027

fprintf(stderr, "Starting Avahi loop search\n");

861

1028

}

862

1029

863

1030

avahi_simple_poll_loop(mc.simple_poll);

864

1031

865

exit:

1032

end:

866

1033

867

1034

if (debug){

868

1035

fprintf(stderr, "%s exiting\n", argv[0]);

869

1036

}

870

1037

871

1038

/* Cleanup things */

872

if (sb)

1039

if (sb != NULL)

873

1040

avahi_s_service_browser_free(sb);

874

1041

875

if (mc.server)

1042

if (mc.server != NULL)

876

1043

avahi_server_free(mc.server);

877

1044

878

if (mc.simple_poll)

1045

if (mc.simple_poll != NULL)

879

1046

avahi_simple_poll_free(mc.simple_poll);

880

1047

free(pubkeyfile);

881

1048

free(seckeyfile);

1049

1050

if (gnutls_initalized){

1051

gnutls_certificate_free_credentials(mc.cred);

1052

gnutls_global_deinit ();

1053

}

882

1054

883

return returncode;

1055

return exitcode;

884

1056

}