To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 110
- compare with another revision
- download diff
- download tarball
- view history from revision 110
- Committer: Teddy Hogeborn
- Date: 2008-08-29 05:53:59 UTC
- Revision ID: teddy@fukt.bsnet.se-20080829055359-wkdasnyxtylmnxus
* mandos.xml (EXAMPLE): Replaced all occurences of command name with
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
plugins.d/password-request.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
36
38
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
38
stdout, ferror() */
41
39
#include <stdint.h> /* uint16_t, uint32_t */
42
40
#include <stddef.h> /* NULL, size_t, ssize_t */
43
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
49
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
48
sockaddr_in6, PF_INET6,
51
49
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
55
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
53
struct in6_addr, inet_pton(),
57
54
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
55
#include <assert.h> /* assert() */
63
56
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* nanosleep(), time() */
57
#include <time.h> /* time() */
65
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
59
SIOCSIFFLAGS, if_indextoname(),
67
60
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
62
getuid(), getgid(), setuid(),
71
63
setgid() */
64
#include <netinet/in.h>
72
65
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
66
#include <iso646.h> /* not, and */
74
67
#include <argp.h> /* struct argp_option, error_t, struct
75
68
argp_state, struct argp,
76
69
argp_parse(), ARGP_KEY_ARG,
77
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#ifdef __linux__
79
#include <sys/klog.h> /* klogctl() */
80
#endif
81
71
82
72
/* Avahi */
83
73
/* All Avahi types, constants and functions
96
86
gnutls_*
97
87
init_gnutls_session(),
98
88
GNUTLS_* */
99
#include <gnutls/openpgp.h>
100
/* gnutls_certificate_set_openpgp_key_file(),
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
101
90
GNUTLS_OPENPGP_FMT_BASE64 */
102
91
103
92
/* GPGME */
109
98
110
99
#define BUFFER_SIZE 256
111
100
112
#define PATHDIR "/conf/conf.d/mandos"
113
#define SECKEY "seckey.txt"
114
#define PUBKEY "pubkey.txt"
115
116
101
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
117
103
static const char mandos_protocol_version[] = "1";
118
const char *argp_program_version = "mandos-client " VERSION;
104
const char *argp_program_version = "password-request 1.0";
119
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
120
106
121
107
/* Used for passing in values through the Avahi callback functions */
126
112
unsigned int dh_bits;
127
113
gnutls_dh_params_t dh_params;
128
114
const char *priority;
129
gpgme_ctx_t ctx;
130
115
} mandos_context;
131
116
132
117
/*
136
121
*/
137
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
138
123
size_t buffer_capacity){
139
if(buffer_length + BUFFER_SIZE > buffer_capacity){
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
140
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
141
if(buffer == NULL){
126
if (buffer == NULL){
142
127
return 0;
143
128
}
144
129
buffer_capacity += BUFFER_SIZE;
147
132
}
148
133
149
134
/*
150
* Initialize GPGME.
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
151
137
*/
152
static bool init_gpgme(mandos_context *mc, const char *seckey,
153
const char *pubkey, const char *tempdir){
154
int ret;
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
141
const char *homedir){
142
gpgme_data_t dh_crypto, dh_plain;
143
gpgme_ctx_t ctx;
155
144
gpgme_error_t rc;
145
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
156
148
gpgme_engine_info_t engine_info;
157
149
158
159
/*
160
* Helper function to insert pub and seckey to the engine keyring.
161
*/
162
bool import_key(const char *filename){
163
int fd;
164
gpgme_data_t pgp_data;
165
166
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
167
if(fd == -1){
168
perror("open");
169
return false;
170
}
171
172
rc = gpgme_data_new_from_fd(&pgp_data, fd);
173
if(rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
rc = gpgme_op_import(mc->ctx, pgp_data);
180
if(rc != GPG_ERR_NO_ERROR){
181
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
182
gpgme_strsource(rc), gpgme_strerror(rc));
183
return false;
184
}
185
186
ret = (int)TEMP_FAILURE_RETRY(close(fd));
187
if(ret == -1){
188
perror("close");
189
}
190
gpgme_data_release(pgp_data);
191
return true;
192
}
193
194
if(debug){
195
fprintf(stderr, "Initialize gpgme\n");
150
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
196
152
}
197
153
198
154
/* Init GPGME */
199
155
gpgme_check_version(NULL);
200
156
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
201
if(rc != GPG_ERR_NO_ERROR){
157
if (rc != GPG_ERR_NO_ERROR){
202
158
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
203
159
gpgme_strsource(rc), gpgme_strerror(rc));
204
return false;
160
return -1;
205
161
}
206
162
207
/* Set GPGME home directory for the OpenPGP engine only */
208
rc = gpgme_get_engine_info(&engine_info);
209
if(rc != GPG_ERR_NO_ERROR){
163
/* Set GPGME home directory for the OpenPGP engine only */
164
rc = gpgme_get_engine_info (&engine_info);
165
if (rc != GPG_ERR_NO_ERROR){
210
166
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
211
167
gpgme_strsource(rc), gpgme_strerror(rc));
212
return false;
168
return -1;
213
169
}
214
170
while(engine_info != NULL){
215
171
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
216
172
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
217
engine_info->file_name, tempdir);
173
engine_info->file_name, homedir);
218
174
break;
219
175
}
220
176
engine_info = engine_info->next;
221
177
}
222
178
if(engine_info == NULL){
223
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
224
return false;
225
}
226
227
/* Create new GPGME "context" */
228
rc = gpgme_new(&(mc->ctx));
229
if(rc != GPG_ERR_NO_ERROR){
230
fprintf(stderr, "bad gpgme_new: %s: %s\n",
231
gpgme_strsource(rc), gpgme_strerror(rc));
232
return false;
233
}
234
235
if(not import_key(pubkey) or not import_key(seckey)){
236
return false;
237
}
238
239
return true;
240
}
241
242
/*
243
* Decrypt OpenPGP data.
244
* Returns -1 on error
245
*/
246
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
247
const char *cryptotext,
248
size_t crypto_size,
249
char **plaintext){
250
gpgme_data_t dh_crypto, dh_plain;
251
gpgme_error_t rc;
252
ssize_t ret;
253
size_t plaintext_capacity = 0;
254
ssize_t plaintext_length = 0;
255
256
if(debug){
257
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
180
return -1;
258
181
}
259
182
260
183
/* Create new GPGME data buffer from memory cryptotext */
261
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
262
185
0);
263
if(rc != GPG_ERR_NO_ERROR){
186
if (rc != GPG_ERR_NO_ERROR){
264
187
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
265
188
gpgme_strsource(rc), gpgme_strerror(rc));
266
189
return -1;
268
191
269
192
/* Create new empty GPGME data buffer for the plaintext */
270
193
rc = gpgme_data_new(&dh_plain);
271
if(rc != GPG_ERR_NO_ERROR){
194
if (rc != GPG_ERR_NO_ERROR){
272
195
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
273
196
gpgme_strsource(rc), gpgme_strerror(rc));
274
197
gpgme_data_release(dh_crypto);
275
198
return -1;
276
199
}
277
200
201
/* Create new GPGME "context" */
202
rc = gpgme_new(&ctx);
203
if (rc != GPG_ERR_NO_ERROR){
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
208
}
209
278
210
/* Decrypt data from the cryptotext data buffer to the plaintext
279
211
data buffer */
280
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
281
if(rc != GPG_ERR_NO_ERROR){
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
213
if (rc != GPG_ERR_NO_ERROR){
282
214
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
283
215
gpgme_strsource(rc), gpgme_strerror(rc));
284
216
plaintext_length = -1;
285
if(debug){
217
if (debug){
286
218
gpgme_decrypt_result_t result;
287
result = gpgme_op_decrypt_result(mc->ctx);
288
if(result == NULL){
219
result = gpgme_op_decrypt_result(ctx);
220
if (result == NULL){
289
221
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
290
222
} else {
291
223
fprintf(stderr, "Unsupported algorithm: %s\n",
318
250
}
319
251
320
252
/* Seek back to the beginning of the GPGME plaintext data buffer */
321
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
322
perror("gpgme_data_seek");
253
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
perror("pgpme_data_seek");
323
255
plaintext_length = -1;
324
256
goto decrypt_end;
325
257
}
329
261
plaintext_capacity = adjustbuffer(plaintext,
330
262
(size_t)plaintext_length,
331
263
plaintext_capacity);
332
if(plaintext_capacity == 0){
264
if (plaintext_capacity == 0){
333
265
perror("adjustbuffer");
334
266
plaintext_length = -1;
335
267
goto decrypt_end;
338
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
339
271
BUFFER_SIZE);
340
272
/* Print the data, if any */
341
if(ret == 0){
273
if (ret == 0){
342
274
/* EOF */
343
275
break;
344
276
}
349
281
}
350
282
plaintext_length += ret;
351
283
}
352
284
353
285
if(debug){
354
286
fprintf(stderr, "Decrypted password is: ");
355
287
for(ssize_t i = 0; i < plaintext_length; i++){
368
300
return plaintext_length;
369
301
}
370
302
371
static const char * safer_gnutls_strerror(int value){
372
const char *ret = gnutls_strerror(value); /* Spurious warning from
373
-Wunreachable-code */
374
if(ret == NULL)
303
static const char * safer_gnutls_strerror (int value) {
304
const char *ret = gnutls_strerror (value); /* Spurious warning */
305
if (ret == NULL)
375
306
ret = "(unknown)";
376
307
return ret;
377
308
}
392
323
}
393
324
394
325
ret = gnutls_global_init();
395
if(ret != GNUTLS_E_SUCCESS){
396
fprintf(stderr, "GnuTLS global_init: %s\n",
397
safer_gnutls_strerror(ret));
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
398
329
return -1;
399
330
}
400
331
401
if(debug){
332
if (debug){
402
333
/* "Use a log level over 10 to enable all debugging options."
403
334
* - GnuTLS manual
404
335
*/
408
339
409
340
/* OpenPGP credentials */
410
341
gnutls_certificate_allocate_credentials(&mc->cred);
411
if(ret != GNUTLS_E_SUCCESS){
412
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
413
* from
414
* -Wunreachable-code
415
*/
416
safer_gnutls_strerror(ret));
417
gnutls_global_deinit();
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
344
warning */
345
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
418
347
return -1;
419
348
}
420
349
421
350
if(debug){
422
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
423
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
424
353
seckeyfilename);
425
354
}
426
355
427
356
ret = gnutls_certificate_set_openpgp_key_file
428
357
(mc->cred, pubkeyfilename, seckeyfilename,
429
358
GNUTLS_OPENPGP_FMT_BASE64);
430
if(ret != GNUTLS_E_SUCCESS){
359
if (ret != GNUTLS_E_SUCCESS) {
431
360
fprintf(stderr,
432
361
"Error[%d] while reading the OpenPGP key pair ('%s',"
433
362
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
434
fprintf(stderr, "The GnuTLS error is: %s\n",
363
fprintf(stdout, "The GnuTLS error is: %s\n",
435
364
safer_gnutls_strerror(ret));
436
365
goto globalfail;
437
366
}
438
367
439
368
/* GnuTLS server initialization */
440
369
ret = gnutls_dh_params_init(&mc->dh_params);
441
if(ret != GNUTLS_E_SUCCESS){
442
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
443
" %s\n", safer_gnutls_strerror(ret));
370
if (ret != GNUTLS_E_SUCCESS) {
371
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
372
" %s\n", safer_gnutls_strerror(ret));
444
373
goto globalfail;
445
374
}
446
375
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
447
if(ret != GNUTLS_E_SUCCESS){
448
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
449
safer_gnutls_strerror(ret));
376
if (ret != GNUTLS_E_SUCCESS) {
377
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
378
safer_gnutls_strerror(ret));
450
379
goto globalfail;
451
380
}
452
381
453
382
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
454
383
455
384
return 0;
456
385
457
386
globalfail:
458
387
459
388
gnutls_certificate_free_credentials(mc->cred);
460
389
gnutls_global_deinit();
461
gnutls_dh_params_deinit(mc->dh_params);
462
390
return -1;
391
463
392
}
464
393
465
394
static int init_gnutls_session(mandos_context *mc,
467
396
int ret;
468
397
/* GnuTLS session creation */
469
398
ret = gnutls_init(session, GNUTLS_SERVER);
470
if(ret != GNUTLS_E_SUCCESS){
399
if (ret != GNUTLS_E_SUCCESS){
471
400
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
472
401
safer_gnutls_strerror(ret));
473
402
}
475
404
{
476
405
const char *err;
477
406
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
478
if(ret != GNUTLS_E_SUCCESS){
407
if (ret != GNUTLS_E_SUCCESS) {
479
408
fprintf(stderr, "Syntax error at: %s\n", err);
480
409
fprintf(stderr, "GnuTLS error: %s\n",
481
410
safer_gnutls_strerror(ret));
482
gnutls_deinit(*session);
411
gnutls_deinit (*session);
483
412
return -1;
484
413
}
485
414
}
486
415
487
416
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
488
417
mc->cred);
489
if(ret != GNUTLS_E_SUCCESS){
418
if (ret != GNUTLS_E_SUCCESS) {
490
419
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
491
420
safer_gnutls_strerror(ret));
492
gnutls_deinit(*session);
421
gnutls_deinit (*session);
493
422
return -1;
494
423
}
495
424
496
425
/* ignore client certificate if any. */
497
gnutls_certificate_server_set_request(*session,
498
GNUTLS_CERT_IGNORE);
426
gnutls_certificate_server_set_request (*session,
427
GNUTLS_CERT_IGNORE);
499
428
500
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
429
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
501
430
502
431
return 0;
503
432
}
511
440
AvahiIfIndex if_index,
512
441
mandos_context *mc){
513
442
int ret, tcp_sd;
514
ssize_t sret;
515
443
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
516
444
char *buffer = NULL;
517
445
char *decrypted_buffer;
523
451
char interface[IF_NAMESIZE];
524
452
gnutls_session_t session;
525
453
526
ret = init_gnutls_session(mc, &session);
527
if(ret != 0){
454
ret = init_gnutls_session (mc, &session);
455
if (ret != 0){
528
456
return -1;
529
457
}
530
458
534
462
}
535
463
536
464
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
537
if(tcp_sd < 0){
465
if(tcp_sd < 0) {
538
466
perror("socket");
539
467
return -1;
540
468
}
541
469
542
470
if(debug){
543
471
if(if_indextoname((unsigned int)if_index, interface) == NULL){
544
472
perror("if_indextoname");
552
480
/* It would be nice to have a way to detect if we were passed an
553
481
IPv4 address here. Now we assume an IPv6 address. */
554
482
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
555
if(ret < 0 ){
483
if (ret < 0 ){
556
484
perror("inet_pton");
557
485
return -1;
558
486
}
560
488
fprintf(stderr, "Bad address: %s\n", ip);
561
489
return -1;
562
490
}
563
to.in6.sin6_port = htons(port); /* Spurious warnings from
564
-Wconversion and
565
-Wunreachable-code */
491
to.in6.sin6_port = htons(port); /* Spurious warning */
566
492
567
493
to.in6.sin6_scope_id = (uint32_t)if_index;
568
494
581
507
}
582
508
583
509
ret = connect(tcp_sd, &to.in, sizeof(to));
584
if(ret < 0){
510
if (ret < 0){
585
511
perror("connect");
586
512
return -1;
587
513
}
588
514
589
515
const char *out = mandos_protocol_version;
590
516
written = 0;
591
while(true){
517
while (true){
592
518
size_t out_size = strlen(out);
593
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
519
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
594
520
out_size - written));
595
if(ret == -1){
521
if (ret == -1){
596
522
perror("write");
597
523
retval = -1;
598
524
goto mandos_end;
601
527
if(written < out_size){
602
528
continue;
603
529
} else {
604
if(out == mandos_protocol_version){
530
if (out == mandos_protocol_version){
605
531
written = 0;
606
532
out = "\r\n";
607
533
} else {
609
535
}
610
536
}
611
537
}
612
538
613
539
if(debug){
614
540
fprintf(stderr, "Establishing TLS session with %s\n", ip);
615
541
}
616
542
617
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
618
543
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
544
619
545
do{
620
ret = gnutls_handshake(session);
546
ret = gnutls_handshake (session);
621
547
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
622
548
623
if(ret != GNUTLS_E_SUCCESS){
549
if (ret != GNUTLS_E_SUCCESS){
624
550
if(debug){
625
551
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
626
gnutls_perror(ret);
552
gnutls_perror (ret);
627
553
}
628
554
retval = -1;
629
555
goto mandos_end;
635
561
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
636
562
ip);
637
563
}
638
564
639
565
while(true){
640
566
buffer_capacity = adjustbuffer(&buffer, buffer_length,
641
567
buffer_capacity);
642
if(buffer_capacity == 0){
568
if (buffer_capacity == 0){
643
569
perror("adjustbuffer");
644
570
retval = -1;
645
571
goto mandos_end;
646
572
}
647
573
648
sret = gnutls_record_recv(session, buffer+buffer_length,
649
BUFFER_SIZE);
650
if(sret == 0){
574
ret = gnutls_record_recv(session, buffer+buffer_length,
575
BUFFER_SIZE);
576
if (ret == 0){
651
577
break;
652
578
}
653
if(sret < 0){
654
switch(sret){
579
if (ret < 0){
580
switch(ret){
655
581
case GNUTLS_E_INTERRUPTED:
656
582
case GNUTLS_E_AGAIN:
657
583
break;
658
584
case GNUTLS_E_REHANDSHAKE:
659
585
do{
660
ret = gnutls_handshake(session);
586
ret = gnutls_handshake (session);
661
587
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
662
if(ret < 0){
588
if (ret < 0){
663
589
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
664
gnutls_perror(ret);
590
gnutls_perror (ret);
665
591
retval = -1;
666
592
goto mandos_end;
667
593
}
670
596
fprintf(stderr, "Unknown error while reading data from"
671
597
" encrypted session with Mandos server\n");
672
598
retval = -1;
673
gnutls_bye(session, GNUTLS_SHUT_RDWR);
599
gnutls_bye (session, GNUTLS_SHUT_RDWR);
674
600
goto mandos_end;
675
601
}
676
602
} else {
677
buffer_length += (size_t) sret;
603
buffer_length += (size_t) ret;
678
604
}
679
605
}
680
606
682
608
fprintf(stderr, "Closing TLS session\n");
683
609
}
684
610
685
gnutls_bye(session, GNUTLS_SHUT_RDWR);
611
gnutls_bye (session, GNUTLS_SHUT_RDWR);
686
612
687
if(buffer_length > 0){
688
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
613
if (buffer_length > 0){
614
decrypted_buffer_size = pgp_packet_decrypt(buffer,
689
615
buffer_length,
690
&decrypted_buffer);
691
if(decrypted_buffer_size >= 0){
616
&decrypted_buffer,
617
keydir);
618
if (decrypted_buffer_size >= 0){
692
619
written = 0;
693
620
while(written < (size_t) decrypted_buffer_size){
694
ret = (int)fwrite(decrypted_buffer + written, 1,
695
(size_t)decrypted_buffer_size - written,
696
stdout);
621
ret = (int)fwrite (decrypted_buffer + written, 1,
622
(size_t)decrypted_buffer_size - written,
623
stdout);
697
624
if(ret == 0 and ferror(stdout)){
698
625
if(debug){
699
626
fprintf(stderr, "Error writing encrypted data: %s\n",
716
643
717
644
mandos_end:
718
645
free(buffer);
719
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
720
if(ret == -1){
721
perror("close");
722
}
723
gnutls_deinit(session);
646
close(tcp_sd);
647
gnutls_deinit (session);
724
648
return retval;
725
649
}
726
650
737
661
AVAHI_GCC_UNUSED AvahiStringList *txt,
738
662
AVAHI_GCC_UNUSED AvahiLookupResultFlags
739
663
flags,
740
void* userdata){
664
void* userdata) {
741
665
mandos_context *mc = userdata;
742
666
assert(r);
743
667
744
668
/* Called whenever a service has been resolved successfully or
745
669
timed out */
746
670
747
switch(event){
671
switch (event) {
748
672
default:
749
673
case AVAHI_RESOLVER_FAILURE:
750
674
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
758
682
avahi_address_snprint(ip, sizeof(ip), address);
759
683
if(debug){
760
684
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
761
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
762
ip, (intmax_t)interface, port);
685
PRIu16 ") on port %d\n", name, host_name, ip,
686
interface, port);
763
687
}
764
688
int ret = start_mandos_communication(ip, port, interface, mc);
765
if(ret == 0){
689
if (ret == 0){
766
690
avahi_simple_poll_quit(mc->simple_poll);
767
691
}
768
692
}
770
694
avahi_s_service_resolver_free(r);
771
695
}
772
696
773
static void browse_callback(AvahiSServiceBrowser *b,
774
AvahiIfIndex interface,
775
AvahiProtocol protocol,
776
AvahiBrowserEvent event,
777
const char *name,
778
const char *type,
779
const char *domain,
780
AVAHI_GCC_UNUSED AvahiLookupResultFlags
781
flags,
782
void* userdata){
697
static void browse_callback( AvahiSServiceBrowser *b,
698
AvahiIfIndex interface,
699
AvahiProtocol protocol,
700
AvahiBrowserEvent event,
701
const char *name,
702
const char *type,
703
const char *domain,
704
AVAHI_GCC_UNUSED AvahiLookupResultFlags
705
flags,
706
void* userdata) {
783
707
mandos_context *mc = userdata;
784
708
assert(b);
785
709
786
710
/* Called whenever a new services becomes available on the LAN or
787
711
is removed from the LAN */
788
712
789
switch(event){
713
switch (event) {
790
714
default:
791
715
case AVAHI_BROWSER_FAILURE:
792
716
801
725
the callback function is called the Avahi server will free the
802
726
resolver for us. */
803
727
804
if(!(avahi_s_service_resolver_new(mc->server, interface,
728
if (!(avahi_s_service_resolver_new(mc->server, interface,
805
729
protocol, name, type, domain,
806
730
AVAHI_PROTO_INET6, 0,
807
731
resolve_callback, mc)))
821
745
}
822
746
}
823
747
748
/* Combines file name and path and returns the malloced new
749
string. some sane checks could/should be added */
750
static char *combinepath(const char *first, const char *second){
751
char *tmp;
752
int ret = asprintf(&tmp, "%s/%s", first, second);
753
if(ret < 0){
754
return NULL;
755
}
756
return tmp;
757
}
758
759
824
760
int main(int argc, char *argv[]){
825
AvahiSServiceBrowser *sb = NULL;
826
int error;
827
int ret;
828
intmax_t tmpmax;
829
int numchars;
830
int exitcode = EXIT_SUCCESS;
831
const char *interface = "eth0";
832
struct ifreq network;
833
int sd;
834
uid_t uid;
835
gid_t gid;
836
char *connect_to = NULL;
837
char tempdir[] = "/tmp/mandosXXXXXX";
838
bool tempdir_created = false;
839
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
840
const char *seckey = PATHDIR "/" SECKEY;
841
const char *pubkey = PATHDIR "/" PUBKEY;
842
843
mandos_context mc = { .simple_poll = NULL, .server = NULL,
844
.dh_bits = 1024, .priority = "SECURE256"
845
":!CTYPE-X.509:+CTYPE-OPENPGP" };
846
bool gnutls_initialized = false;
847
bool gpgme_initialized = false;
848
double delay = 2.5;
849
850
{
851
struct argp_option options[] = {
852
{ .name = "debug", .key = 128,
853
.doc = "Debug mode", .group = 3 },
854
{ .name = "connect", .key = 'c',
855
.arg = "ADDRESS:PORT",
856
.doc = "Connect directly to a specific Mandos server",
857
.group = 1 },
858
{ .name = "interface", .key = 'i',
859
.arg = "NAME",
860
.doc = "Interface that will be used to search for Mandos"
861
" servers",
862
.group = 1 },
863
{ .name = "seckey", .key = 's',
864
.arg = "FILE",
865
.doc = "OpenPGP secret key file base name",
866
.group = 1 },
867
{ .name = "pubkey", .key = 'p',
868
.arg = "FILE",
869
.doc = "OpenPGP public key file base name",
870
.group = 2 },
871
{ .name = "dh-bits", .key = 129,
872
.arg = "BITS",
873
.doc = "Bit length of the prime number used in the"
874
" Diffie-Hellman key exchange",
875
.group = 2 },
876
{ .name = "priority", .key = 130,
877
.arg = "STRING",
878
.doc = "GnuTLS priority string for the TLS handshake",
879
.group = 1 },
880
{ .name = "delay", .key = 131,
881
.arg = "SECONDS",
882
.doc = "Maximum delay to wait for interface startup",
883
.group = 2 },
884
{ .name = NULL }
885
};
886
887
error_t parse_opt(int key, char *arg,
888
struct argp_state *state){
889
switch(key){
890
case 128: /* --debug */
891
debug = true;
892
break;
893
case 'c': /* --connect */
894
connect_to = arg;
895
break;
896
case 'i': /* --interface */
897
interface = arg;
898
break;
899
case 's': /* --seckey */
900
seckey = arg;
901
break;
902
case 'p': /* --pubkey */
903
pubkey = arg;
904
break;
905
case 129: /* --dh-bits */
906
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
907
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
908
or arg[numchars] != '\0'){
909
fprintf(stderr, "Bad number of DH bits\n");
910
exit(EXIT_FAILURE);
911
}
912
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
913
break;
914
case 130: /* --priority */
915
mc.priority = arg;
916
break;
917
case 131: /* --delay */
918
ret = sscanf(arg, "%lf%n", &delay, &numchars);
919
if(ret < 1 or arg[numchars] != '\0'){
920
fprintf(stderr, "Bad delay\n");
921
exit(EXIT_FAILURE);
922
}
923
break;
924
case ARGP_KEY_ARG:
925
argp_usage(state);
926
case ARGP_KEY_END:
927
break;
928
default:
929
return ARGP_ERR_UNKNOWN;
930
}
931
return 0;
932
}
933
934
struct argp argp = { .options = options, .parser = parse_opt,
935
.args_doc = "",
936
.doc = "Mandos client -- Get and decrypt"
937
" passwords from a Mandos server" };
938
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
939
if(ret == ARGP_ERR_UNKNOWN){
940
fprintf(stderr, "Unknown error while parsing arguments\n");
941
exitcode = EXIT_FAILURE;
942
goto end;
943
}
944
}
945
946
/* If the interface is down, bring it up */
947
{
948
#ifdef __linux__
949
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
950
messages to mess up the prompt */
951
ret = klogctl(8, NULL, 5);
952
if(ret == -1){
953
perror("klogctl");
954
}
955
#endif
956
957
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
958
if(sd < 0){
959
perror("socket");
960
exitcode = EXIT_FAILURE;
961
#ifdef __linux__
962
ret = klogctl(7, NULL, 0);
963
if(ret == -1){
964
perror("klogctl");
965
}
966
#endif
967
goto end;
968
}
969
strcpy(network.ifr_name, interface);
970
ret = ioctl(sd, SIOCGIFFLAGS, &network);
971
if(ret == -1){
972
perror("ioctl SIOCGIFFLAGS");
973
#ifdef __linux__
974
ret = klogctl(7, NULL, 0);
975
if(ret == -1){
976
perror("klogctl");
977
}
978
#endif
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
if((network.ifr_flags & IFF_UP) == 0){
983
network.ifr_flags |= IFF_UP;
984
ret = ioctl(sd, SIOCSIFFLAGS, &network);
985
if(ret == -1){
986
perror("ioctl SIOCSIFFLAGS");
987
exitcode = EXIT_FAILURE;
988
#ifdef __linux__
989
ret = klogctl(7, NULL, 0);
990
if(ret == -1){
991
perror("klogctl");
992
}
993
#endif
994
goto end;
995
}
996
}
997
/* sleep checking until interface is running */
998
for(int i=0; i < delay * 4; i++){
761
AvahiSServiceBrowser *sb = NULL;
762
int error;
763
int ret;
764
int exitcode = EXIT_SUCCESS;
765
const char *interface = "eth0";
766
struct ifreq network;
767
int sd;
768
uid_t uid;
769
gid_t gid;
770
char *connect_to = NULL;
771
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
772
char *pubkeyfilename = NULL;
773
char *seckeyfilename = NULL;
774
const char *pubkeyname = "pubkey.txt";
775
const char *seckeyname = "seckey.txt";
776
mandos_context mc = { .simple_poll = NULL, .server = NULL,
777
.dh_bits = 1024, .priority = "SECURE256"};
778
bool gnutls_initalized = false;
779
780
{
781
struct argp_option options[] = {
782
{ .name = "debug", .key = 128,
783
.doc = "Debug mode", .group = 3 },
784
{ .name = "connect", .key = 'c',
785
.arg = "IP",
786
.doc = "Connect directly to a sepcified mandos server",
787
.group = 1 },
788
{ .name = "interface", .key = 'i',
789
.arg = "INTERFACE",
790
.doc = "Interface that Avahi will conntect through",
791
.group = 1 },
792
{ .name = "keydir", .key = 'd',
793
.arg = "KEYDIR",
794
.doc = "Directory where the openpgp keyring is",
795
.group = 1 },
796
{ .name = "seckey", .key = 's',
797
.arg = "SECKEY",
798
.doc = "Secret openpgp key for gnutls authentication",
799
.group = 1 },
800
{ .name = "pubkey", .key = 'p',
801
.arg = "PUBKEY",
802
.doc = "Public openpgp key for gnutls authentication",
803
.group = 2 },
804
{ .name = "dh-bits", .key = 129,
805
.arg = "BITS",
806
.doc = "dh-bits to use in gnutls communication",
807
.group = 2 },
808
{ .name = "priority", .key = 130,
809
.arg = "PRIORITY",
810
.doc = "GNUTLS priority", .group = 1 },
811
{ .name = NULL }
812
};
813
814
815
error_t parse_opt (int key, char *arg,
816
struct argp_state *state) {
817
/* Get the INPUT argument from `argp_parse', which we know is
818
a pointer to our plugin list pointer. */
819
switch (key) {
820
case 128:
821
debug = true;
822
break;
823
case 'c':
824
connect_to = arg;
825
break;
826
case 'i':
827
interface = arg;
828
break;
829
case 'd':
830
keydir = arg;
831
break;
832
case 's':
833
seckeyname = arg;
834
break;
835
case 'p':
836
pubkeyname = arg;
837
break;
838
case 129:
839
errno = 0;
840
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
841
if (errno){
842
perror("strtol");
843
exit(EXIT_FAILURE);
844
}
845
break;
846
case 130:
847
mc.priority = arg;
848
break;
849
case ARGP_KEY_ARG:
850
argp_usage (state);
851
case ARGP_KEY_END:
852
break;
853
default:
854
return ARGP_ERR_UNKNOWN;
855
}
856
return 0;
857
}
858
859
struct argp argp = { .options = options, .parser = parse_opt,
860
.args_doc = "",
861
.doc = "Mandos client -- Get and decrypt"
862
" passwords from mandos server" };
863
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
864
if (ret == ARGP_ERR_UNKNOWN){
865
fprintf(stderr, "Unknown error while parsing arguments\n");
866
exitcode = EXIT_FAILURE;
867
goto end;
868
}
869
}
870
871
pubkeyfilename = combinepath(keydir, pubkeyname);
872
if (pubkeyfilename == NULL){
873
perror("combinepath");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
878
seckeyfilename = combinepath(keydir, seckeyname);
879
if (seckeyfilename == NULL){
880
perror("combinepath");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
885
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
886
if (ret == -1){
887
fprintf(stderr, "init_gnutls_global failed\n");
888
exitcode = EXIT_FAILURE;
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
/* If the interface is down, bring it up */
895
{
896
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
897
if(sd < 0) {
898
perror("socket");
899
exitcode = EXIT_FAILURE;
900
goto end;
901
}
902
strcpy(network.ifr_name, interface);
999
903
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1000
904
if(ret == -1){
1001
905
perror("ioctl SIOCGIFFLAGS");
1002
} else if(network.ifr_flags & IFF_RUNNING){
1003
break;
1004
}
1005
struct timespec sleeptime = { .tv_nsec = 250000000 };
1006
ret = nanosleep(&sleeptime, NULL);
1007
if(ret == -1 and errno != EINTR){
1008
perror("nanosleep");
1009
}
1010
}
1011
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1012
if(ret == -1){
1013
perror("close");
1014
}
1015
#ifdef __linux__
1016
/* Restores kernel loglevel to default */
1017
ret = klogctl(7, NULL, 0);
1018
if(ret == -1){
1019
perror("klogctl");
1020
}
1021
#endif
1022
}
1023
1024
uid = getuid();
1025
gid = getgid();
1026
1027
setgid(gid);
1028
if(ret == -1){
1029
perror("setgid");
1030
}
1031
1032
ret = setuid(uid);
1033
if(ret == -1){
1034
perror("setuid");
1035
}
1036
1037
ret = init_gnutls_global(&mc, pubkey, seckey);
1038
if(ret == -1){
1039
fprintf(stderr, "init_gnutls_global failed\n");
1040
exitcode = EXIT_FAILURE;
1041
goto end;
1042
} else {
1043
gnutls_initialized = true;
1044
}
1045
1046
if(mkdtemp(tempdir) == NULL){
1047
perror("mkdtemp");
1048
goto end;
1049
}
1050
tempdir_created = true;
1051
1052
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1053
fprintf(stderr, "init_gpgme failed\n");
1054
exitcode = EXIT_FAILURE;
1055
goto end;
1056
} else {
1057
gpgme_initialized = true;
1058
}
1059
1060
if_index = (AvahiIfIndex) if_nametoindex(interface);
1061
if(if_index == 0){
1062
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1063
exitcode = EXIT_FAILURE;
1064
goto end;
1065
}
1066
1067
if(connect_to != NULL){
1068
/* Connect directly, do not use Zeroconf */
1069
/* (Mainly meant for debugging) */
1070
char *address = strrchr(connect_to, ':');
1071
if(address == NULL){
1072
fprintf(stderr, "No colon in address\n");
1073
exitcode = EXIT_FAILURE;
1074
goto end;
1075
}
1076
uint16_t port;
1077
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1078
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1079
or address[numchars+1] != '\0'){
1080
fprintf(stderr, "Bad port number\n");
1081
exitcode = EXIT_FAILURE;
1082
goto end;
1083
}
1084
port = (uint16_t)tmpmax;
1085
*address = '\0';
1086
address = connect_to;
1087
ret = start_mandos_communication(address, port, if_index, &mc);
1088
if(ret < 0){
1089
exitcode = EXIT_FAILURE;
1090
} else {
1091
exitcode = EXIT_SUCCESS;
1092
}
1093
goto end;
1094
}
1095
1096
if(not debug){
1097
avahi_set_log_function(empty_log);
1098
}
1099
1100
/* Initialize the pseudo-RNG for Avahi */
1101
srand((unsigned int) time(NULL));
1102
1103
/* Allocate main Avahi loop object */
1104
mc.simple_poll = avahi_simple_poll_new();
1105
if(mc.simple_poll == NULL){
1106
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1107
exitcode = EXIT_FAILURE;
1108
goto end;
1109
}
1110
1111
{
1112
AvahiServerConfig config;
1113
/* Do not publish any local Zeroconf records */
1114
avahi_server_config_init(&config);
1115
config.publish_hinfo = 0;
1116
config.publish_addresses = 0;
1117
config.publish_workstation = 0;
1118
config.publish_domain = 0;
1119
1120
/* Allocate a new server */
1121
mc.server = avahi_server_new(avahi_simple_poll_get
1122
(mc.simple_poll), &config, NULL,
1123
NULL, &error);
1124
1125
/* Free the Avahi configuration data */
1126
avahi_server_config_free(&config);
1127
}
1128
1129
/* Check if creating the Avahi server object succeeded */
1130
if(mc.server == NULL){
1131
fprintf(stderr, "Failed to create Avahi server: %s\n",
1132
avahi_strerror(error));
1133
exitcode = EXIT_FAILURE;
1134
goto end;
1135
}
1136
1137
/* Create the Avahi service browser */
1138
sb = avahi_s_service_browser_new(mc.server, if_index,
1139
AVAHI_PROTO_INET6, "_mandos._tcp",
1140
NULL, 0, browse_callback, &mc);
1141
if(sb == NULL){
1142
fprintf(stderr, "Failed to create service browser: %s\n",
1143
avahi_strerror(avahi_server_errno(mc.server)));
1144
exitcode = EXIT_FAILURE;
1145
goto end;
1146
}
1147
1148
/* Run the main loop */
1149
1150
if(debug){
1151
fprintf(stderr, "Starting Avahi loop search\n");
1152
}
1153
1154
avahi_simple_poll_loop(mc.simple_poll);
1155
906
exitcode = EXIT_FAILURE;
907
goto end;
908
}
909
if((network.ifr_flags & IFF_UP) == 0){
910
network.ifr_flags |= IFF_UP;
911
ret = ioctl(sd, SIOCSIFFLAGS, &network);
912
if(ret == -1){
913
perror("ioctl SIOCSIFFLAGS");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
close(sd);
919
}
920
921
uid = getuid();
922
gid = getgid();
923
924
ret = setuid(uid);
925
if (ret == -1){
926
perror("setuid");
927
}
928
929
setgid(gid);
930
if (ret == -1){
931
perror("setgid");
932
}
933
934
if_index = (AvahiIfIndex) if_nametoindex(interface);
935
if(if_index == 0){
936
fprintf(stderr, "No such interface: \"%s\"\n", interface);
937
exit(EXIT_FAILURE);
938
}
939
940
if(connect_to != NULL){
941
/* Connect directly, do not use Zeroconf */
942
/* (Mainly meant for debugging) */
943
char *address = strrchr(connect_to, ':');
944
if(address == NULL){
945
fprintf(stderr, "No colon in address\n");
946
exitcode = EXIT_FAILURE;
947
goto end;
948
}
949
errno = 0;
950
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
951
if(errno){
952
perror("Bad port number");
953
exitcode = EXIT_FAILURE;
954
goto end;
955
}
956
*address = '\0';
957
address = connect_to;
958
ret = start_mandos_communication(address, port, if_index, &mc);
959
if(ret < 0){
960
exitcode = EXIT_FAILURE;
961
} else {
962
exitcode = EXIT_SUCCESS;
963
}
964
goto end;
965
}
966
967
if (not debug){
968
avahi_set_log_function(empty_log);
969
}
970
971
/* Initialize the pseudo-RNG for Avahi */
972
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
1004
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
1007
}
1008
1009
/* Create the Avahi service browser */
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
1011
AVAHI_PROTO_INET6,
1012
"_mandos._tcp", NULL, 0,
1013
browse_callback, &mc);
1014
if (sb == NULL) {
1015
fprintf(stderr, "Failed to create service browser: %s\n",
1016
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
1019
}
1020
1021
/* Run the main loop */
1022
1023
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
1025
}
1026
1027
avahi_simple_poll_loop(mc.simple_poll);
1028
1156
1029
end:
1157
1158
if(debug){
1159
fprintf(stderr, "%s exiting\n", argv[0]);
1160
}
1161
1162
/* Cleanup things */
1163
if(sb != NULL)
1164
avahi_s_service_browser_free(sb);
1165
1166
if(mc.server != NULL)
1167
avahi_server_free(mc.server);
1168
1169
if(mc.simple_poll != NULL)
1170
avahi_simple_poll_free(mc.simple_poll);
1171
1172
if(gnutls_initialized){
1173
gnutls_certificate_free_credentials(mc.cred);
1174
gnutls_global_deinit();
1175
gnutls_dh_params_deinit(mc.dh_params);
1176
}
1177
1178
if(gpgme_initialized){
1179
gpgme_release(mc.ctx);
1180
}
1181
1182
/* Removes the temp directory used by GPGME */
1183
if(tempdir_created){
1184
DIR *d;
1185
struct dirent *direntry;
1186
d = opendir(tempdir);
1187
if(d == NULL){
1188
if(errno != ENOENT){
1189
perror("opendir");
1190
}
1191
} else {
1192
while(true){
1193
direntry = readdir(d);
1194
if(direntry == NULL){
1195
break;
1196
}
1197
/* Skip "." and ".." */
1198
if(direntry->d_name[0] == '.'
1199
and (direntry->d_name[1] == '\0'
1200
or (direntry->d_name[1] == '.'
1201
and direntry->d_name[2] == '\0'))){
1202
continue;
1203
}
1204
char *fullname = NULL;
1205
ret = asprintf(&fullname, "%s/%s", tempdir,
1206
direntry->d_name);
1207
if(ret < 0){
1208
perror("asprintf");
1209
continue;
1210
}
1211
ret = remove(fullname);
1212
if(ret == -1){
1213
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1214
strerror(errno));
1215
}
1216
free(fullname);
1217
}
1218
closedir(d);
1219
}
1220
ret = rmdir(tempdir);
1221
if(ret == -1 and errno != ENOENT){
1222
perror("rmdir");
1223
}
1224
}
1225
1226
return exitcode;
1030
1031
if (debug){
1032
fprintf(stderr, "%s exiting\n", argv[0]);
1033
}
1034
1035
/* Cleanup things */
1036
if (sb != NULL)
1037
avahi_s_service_browser_free(sb);
1038
1039
if (mc.server != NULL)
1040
avahi_server_free(mc.server);
1041
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfilename);
1045
free(seckeyfilename);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
1051
1052
return exitcode;
1227
1053
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0