To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/password-request.c
- browse files at revision 110
- compare with another revision
- download diff
- download tarball
- view history from revision 110
- Committer: Teddy Hogeborn
- Date: 2008-08-29 05:53:59 UTC
- Revision ID: teddy@fukt.bsnet.se-20080829055359-wkdasnyxtylmnxus
* mandos.xml (EXAMPLE): Replaced all occurences of command name with
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
"&COMMANDNAME;".
* plugins.d/password-prompt.c (main): Improved some documentation
strings. Do perror() of
tcgetattr() fails. Add debug
output if interrupted by signal.
Loop over write() instead of
using fwrite() when outputting
password. Add debug output if
getline() returns 0, unless it
was caused by a signal. Add
exit status code to debug
output.
* plugins.d/password-prompt.xml: Changed all single quotes to double
quotes for consistency. Removed
<?xml-stylesheet>.
(ENTITY TIMESTAMP): New. Automatically updated by Emacs time-stamp
by using Emacs local variables.
(/refentry/refentryinfo/title): Changed to "Mandos Manual".
(/refentry/refentryinfo/productname): Changed to "Mandos".
(/refentry/refentryinfo/date): New; set to "&TIMESTAMP;".
(/refentry/refentryinfo/copyright): Split copyright holders.
(/refentry/refnamediv/refpurpose): Improved wording.
(SYNOPSIS): Fix to use correct markup. Add short options.
(DESCRIPTION, OPTIONS): Improved wording.
(OPTIONS): Improved wording. Use more correct markup. Document
short options.
(EXIT STATUS): Add text.
(ENVIRONMENT): Document use of "cryptsource" and "crypttarget".
(FILES): REMOVED.
(BUGS): Add text.
(EXAMPLE): Added some examples.
(SECURITY): Added text.
(SEE ALSO): Remove reference to mandos(8). Add reference to
crypttab(5).
- files added:
- plugins.d/usplash
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- plugins.d/mandos-client.c => plugins.d/password-request.c
- plugins.d/mandos-client.xml => plugins.d/password-request.xml
- files modified:
- .bzrignore
added
removed
plugins.d/password-request.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
3
* Mandos client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
13
*
15
14
* This program is free software: you can redistribute it and/or
16
15
* modify it under the terms of the GNU General Public License as
36
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
36
38
37
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
38
stdout, ferror() */
41
39
#include <stdint.h> /* uint16_t, uint32_t */
42
40
#include <stddef.h> /* NULL, size_t, ssize_t */
43
41
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
42
srand() */
45
#include <stdbool.h> /* bool, false, true */
43
#include <stdbool.h> /* bool, true */
46
44
#include <string.h> /* memset(), strcmp(), strlen(),
47
45
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
46
#include <sys/ioctl.h> /* ioctl */
49
47
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
48
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, uid_t, gid_t, open(),
52
opendir(), DIR */
53
#include <sys/stat.h> /* open() */
49
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
54
52
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
inet_pton(), connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir()
58
*/
59
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
53
struct in6_addr, inet_pton(),
54
connect() */
60
55
#include <assert.h> /* assert() */
61
56
#include <errno.h> /* perror(), errno */
62
#include <time.h> /* nanosleep(), time() */
57
#include <time.h> /* time() */
63
58
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
64
59
SIOCSIFFLAGS, if_indextoname(),
65
60
if_nametoindex(), IF_NAMESIZE */
66
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
67
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
68
*/
69
61
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
62
getuid(), getgid(), setuid(),
71
63
setgid() */
64
#include <netinet/in.h>
72
65
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, or, and */
66
#include <iso646.h> /* not, and */
74
67
#include <argp.h> /* struct argp_option, error_t, struct
75
68
argp_state, struct argp,
76
69
argp_parse(), ARGP_KEY_ARG,
77
70
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction,
80
sig_atomic_t */
81
82
#ifdef __linux__
83
#include <sys/klog.h> /* klogctl() */
84
#endif /* __linux__ */
85
71
86
72
/* Avahi */
87
73
/* All Avahi types, constants and functions
100
86
gnutls_*
101
87
init_gnutls_session(),
102
88
GNUTLS_* */
103
#include <gnutls/openpgp.h>
104
/* gnutls_certificate_set_openpgp_key_file(),
89
#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),
105
90
GNUTLS_OPENPGP_FMT_BASE64 */
106
91
107
92
/* GPGME */
113
98
114
99
#define BUFFER_SIZE 256
115
100
116
#define PATHDIR "/conf/conf.d/mandos"
117
#define SECKEY "seckey.txt"
118
#define PUBKEY "pubkey.txt"
119
120
101
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
121
103
static const char mandos_protocol_version[] = "1";
122
const char *argp_program_version = "mandos-client " VERSION;
104
const char *argp_program_version = "password-request 1.0";
123
105
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
124
106
125
107
/* Used for passing in values through the Avahi callback functions */
130
112
unsigned int dh_bits;
131
113
gnutls_dh_params_t dh_params;
132
114
const char *priority;
133
gpgme_ctx_t ctx;
134
115
} mandos_context;
135
116
136
/* global context so signal handler can reach it*/
137
mandos_context mc;
138
139
117
/*
140
* Make additional room in "buffer" for at least BUFFER_SIZE more
141
* bytes. "buffer_capacity" is how much is currently allocated,
118
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
119
* "buffer_capacity" is how much is currently allocated,
142
120
* "buffer_length" is how much is already used.
143
121
*/
144
size_t incbuffer(char **buffer, size_t buffer_length,
122
size_t adjustbuffer(char **buffer, size_t buffer_length,
145
123
size_t buffer_capacity){
146
if(buffer_length + BUFFER_SIZE > buffer_capacity){
124
if (buffer_length + BUFFER_SIZE > buffer_capacity){
147
125
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
148
if(buffer == NULL){
126
if (buffer == NULL){
149
127
return 0;
150
128
}
151
129
buffer_capacity += BUFFER_SIZE;
154
132
}
155
133
156
134
/*
157
* Initialize GPGME.
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
158
137
*/
159
static bool init_gpgme(const char *seckey,
160
const char *pubkey, const char *tempdir){
161
int ret;
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
141
const char *homedir){
142
gpgme_data_t dh_crypto, dh_plain;
143
gpgme_ctx_t ctx;
162
144
gpgme_error_t rc;
145
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
163
148
gpgme_engine_info_t engine_info;
164
149
165
166
/*
167
* Helper function to insert pub and seckey to the engine keyring.
168
*/
169
bool import_key(const char *filename){
170
int fd;
171
gpgme_data_t pgp_data;
172
173
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
174
if(fd == -1){
175
perror("open");
176
return false;
177
}
178
179
rc = gpgme_data_new_from_fd(&pgp_data, fd);
180
if(rc != GPG_ERR_NO_ERROR){
181
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
182
gpgme_strsource(rc), gpgme_strerror(rc));
183
return false;
184
}
185
186
rc = gpgme_op_import(mc.ctx, pgp_data);
187
if(rc != GPG_ERR_NO_ERROR){
188
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
189
gpgme_strsource(rc), gpgme_strerror(rc));
190
return false;
191
}
192
193
ret = (int)TEMP_FAILURE_RETRY(close(fd));
194
if(ret == -1){
195
perror("close");
196
}
197
gpgme_data_release(pgp_data);
198
return true;
199
}
200
201
if(debug){
202
fprintf(stderr, "Initializing GPGME\n");
150
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
203
152
}
204
153
205
154
/* Init GPGME */
206
155
gpgme_check_version(NULL);
207
156
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
208
if(rc != GPG_ERR_NO_ERROR){
157
if (rc != GPG_ERR_NO_ERROR){
209
158
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
210
159
gpgme_strsource(rc), gpgme_strerror(rc));
211
return false;
160
return -1;
212
161
}
213
162
214
/* Set GPGME home directory for the OpenPGP engine only */
215
rc = gpgme_get_engine_info(&engine_info);
216
if(rc != GPG_ERR_NO_ERROR){
163
/* Set GPGME home directory for the OpenPGP engine only */
164
rc = gpgme_get_engine_info (&engine_info);
165
if (rc != GPG_ERR_NO_ERROR){
217
166
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
218
167
gpgme_strsource(rc), gpgme_strerror(rc));
219
return false;
168
return -1;
220
169
}
221
170
while(engine_info != NULL){
222
171
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
223
172
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
224
engine_info->file_name, tempdir);
173
engine_info->file_name, homedir);
225
174
break;
226
175
}
227
176
engine_info = engine_info->next;
228
177
}
229
178
if(engine_info == NULL){
230
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
231
return false;
232
}
233
234
/* Create new GPGME "context" */
235
rc = gpgme_new(&(mc.ctx));
236
if(rc != GPG_ERR_NO_ERROR){
237
fprintf(stderr, "bad gpgme_new: %s: %s\n",
238
gpgme_strsource(rc), gpgme_strerror(rc));
239
return false;
240
}
241
242
if(not import_key(pubkey) or not import_key(seckey)){
243
return false;
244
}
245
246
return true;
247
}
248
249
/*
250
* Decrypt OpenPGP data.
251
* Returns -1 on error
252
*/
253
static ssize_t pgp_packet_decrypt(const char *cryptotext,
254
size_t crypto_size,
255
char **plaintext){
256
gpgme_data_t dh_crypto, dh_plain;
257
gpgme_error_t rc;
258
ssize_t ret;
259
size_t plaintext_capacity = 0;
260
ssize_t plaintext_length = 0;
261
262
if(debug){
263
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
180
return -1;
264
181
}
265
182
266
183
/* Create new GPGME data buffer from memory cryptotext */
267
184
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
268
185
0);
269
if(rc != GPG_ERR_NO_ERROR){
186
if (rc != GPG_ERR_NO_ERROR){
270
187
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
271
188
gpgme_strsource(rc), gpgme_strerror(rc));
272
189
return -1;
274
191
275
192
/* Create new empty GPGME data buffer for the plaintext */
276
193
rc = gpgme_data_new(&dh_plain);
277
if(rc != GPG_ERR_NO_ERROR){
194
if (rc != GPG_ERR_NO_ERROR){
278
195
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
279
196
gpgme_strsource(rc), gpgme_strerror(rc));
280
197
gpgme_data_release(dh_crypto);
281
198
return -1;
282
199
}
283
200
201
/* Create new GPGME "context" */
202
rc = gpgme_new(&ctx);
203
if (rc != GPG_ERR_NO_ERROR){
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
208
}
209
284
210
/* Decrypt data from the cryptotext data buffer to the plaintext
285
211
data buffer */
286
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
287
if(rc != GPG_ERR_NO_ERROR){
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
213
if (rc != GPG_ERR_NO_ERROR){
288
214
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
289
215
gpgme_strsource(rc), gpgme_strerror(rc));
290
216
plaintext_length = -1;
291
if(debug){
217
if (debug){
292
218
gpgme_decrypt_result_t result;
293
result = gpgme_op_decrypt_result(mc.ctx);
294
if(result == NULL){
219
result = gpgme_op_decrypt_result(ctx);
220
if (result == NULL){
295
221
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
296
222
} else {
297
223
fprintf(stderr, "Unsupported algorithm: %s\n",
324
250
}
325
251
326
252
/* Seek back to the beginning of the GPGME plaintext data buffer */
327
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
328
perror("gpgme_data_seek");
253
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
254
perror("pgpme_data_seek");
329
255
plaintext_length = -1;
330
256
goto decrypt_end;
331
257
}
332
258
333
259
*plaintext = NULL;
334
260
while(true){
335
plaintext_capacity = incbuffer(plaintext,
261
plaintext_capacity = adjustbuffer(plaintext,
336
262
(size_t)plaintext_length,
337
263
plaintext_capacity);
338
if(plaintext_capacity == 0){
339
perror("incbuffer");
264
if (plaintext_capacity == 0){
265
perror("adjustbuffer");
340
266
plaintext_length = -1;
341
267
goto decrypt_end;
342
268
}
344
270
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
345
271
BUFFER_SIZE);
346
272
/* Print the data, if any */
347
if(ret == 0){
273
if (ret == 0){
348
274
/* EOF */
349
275
break;
350
276
}
355
281
}
356
282
plaintext_length += ret;
357
283
}
358
284
359
285
if(debug){
360
286
fprintf(stderr, "Decrypted password is: ");
361
287
for(ssize_t i = 0; i < plaintext_length; i++){
374
300
return plaintext_length;
375
301
}
376
302
377
static const char * safer_gnutls_strerror(int value){
378
const char *ret = gnutls_strerror(value); /* Spurious warning from
379
-Wunreachable-code */
380
if(ret == NULL)
303
static const char * safer_gnutls_strerror (int value) {
304
const char *ret = gnutls_strerror (value); /* Spurious warning */
305
if (ret == NULL)
381
306
ret = "(unknown)";
382
307
return ret;
383
308
}
388
313
fprintf(stderr, "GnuTLS: %s", string);
389
314
}
390
315
391
static int init_gnutls_global(const char *pubkeyfilename,
316
static int init_gnutls_global(mandos_context *mc,
317
const char *pubkeyfilename,
392
318
const char *seckeyfilename){
393
319
int ret;
394
320
397
323
}
398
324
399
325
ret = gnutls_global_init();
400
if(ret != GNUTLS_E_SUCCESS){
401
fprintf(stderr, "GnuTLS global_init: %s\n",
402
safer_gnutls_strerror(ret));
326
if (ret != GNUTLS_E_SUCCESS) {
327
fprintf (stderr, "GnuTLS global_init: %s\n",
328
safer_gnutls_strerror(ret));
403
329
return -1;
404
330
}
405
331
406
if(debug){
332
if (debug){
407
333
/* "Use a log level over 10 to enable all debugging options."
408
334
* - GnuTLS manual
409
335
*/
412
338
}
413
339
414
340
/* OpenPGP credentials */
415
gnutls_certificate_allocate_credentials(&mc.cred);
416
if(ret != GNUTLS_E_SUCCESS){
417
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
418
from
419
-Wunreachable-code
420
*/
421
safer_gnutls_strerror(ret));
422
gnutls_global_deinit();
341
gnutls_certificate_allocate_credentials(&mc->cred);
342
if (ret != GNUTLS_E_SUCCESS){
343
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
344
warning */
345
safer_gnutls_strerror(ret));
346
gnutls_global_deinit ();
423
347
return -1;
424
348
}
425
349
426
350
if(debug){
427
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
428
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfilename,
429
353
seckeyfilename);
430
354
}
431
355
432
356
ret = gnutls_certificate_set_openpgp_key_file
433
(mc.cred, pubkeyfilename, seckeyfilename,
357
(mc->cred, pubkeyfilename, seckeyfilename,
434
358
GNUTLS_OPENPGP_FMT_BASE64);
435
if(ret != GNUTLS_E_SUCCESS){
359
if (ret != GNUTLS_E_SUCCESS) {
436
360
fprintf(stderr,
437
361
"Error[%d] while reading the OpenPGP key pair ('%s',"
438
362
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
439
fprintf(stderr, "The GnuTLS error is: %s\n",
363
fprintf(stdout, "The GnuTLS error is: %s\n",
440
364
safer_gnutls_strerror(ret));
441
365
goto globalfail;
442
366
}
443
367
444
368
/* GnuTLS server initialization */
445
ret = gnutls_dh_params_init(&mc.dh_params);
446
if(ret != GNUTLS_E_SUCCESS){
447
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
448
" %s\n", safer_gnutls_strerror(ret));
449
goto globalfail;
450
}
451
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
452
if(ret != GNUTLS_E_SUCCESS){
453
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
454
safer_gnutls_strerror(ret));
455
goto globalfail;
456
}
457
458
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
459
369
ret = gnutls_dh_params_init(&mc->dh_params);
370
if (ret != GNUTLS_E_SUCCESS) {
371
fprintf (stderr, "Error in GnuTLS DH parameter initialization:"
372
" %s\n", safer_gnutls_strerror(ret));
373
goto globalfail;
374
}
375
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
376
if (ret != GNUTLS_E_SUCCESS) {
377
fprintf (stderr, "Error in GnuTLS prime generation: %s\n",
378
safer_gnutls_strerror(ret));
379
goto globalfail;
380
}
381
382
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
383
460
384
return 0;
461
385
462
386
globalfail:
463
464
gnutls_certificate_free_credentials(mc.cred);
387
388
gnutls_certificate_free_credentials(mc->cred);
465
389
gnutls_global_deinit();
466
gnutls_dh_params_deinit(mc.dh_params);
467
390
return -1;
391
468
392
}
469
393
470
static int init_gnutls_session(gnutls_session_t *session){
394
static int init_gnutls_session(mandos_context *mc,
395
gnutls_session_t *session){
471
396
int ret;
472
397
/* GnuTLS session creation */
473
398
ret = gnutls_init(session, GNUTLS_SERVER);
474
if(ret != GNUTLS_E_SUCCESS){
399
if (ret != GNUTLS_E_SUCCESS){
475
400
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
476
401
safer_gnutls_strerror(ret));
477
402
}
478
403
479
404
{
480
405
const char *err;
481
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
482
if(ret != GNUTLS_E_SUCCESS){
406
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
407
if (ret != GNUTLS_E_SUCCESS) {
483
408
fprintf(stderr, "Syntax error at: %s\n", err);
484
409
fprintf(stderr, "GnuTLS error: %s\n",
485
410
safer_gnutls_strerror(ret));
486
gnutls_deinit(*session);
411
gnutls_deinit (*session);
487
412
return -1;
488
413
}
489
414
}
490
415
491
416
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
492
mc.cred);
493
if(ret != GNUTLS_E_SUCCESS){
417
mc->cred);
418
if (ret != GNUTLS_E_SUCCESS) {
494
419
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
495
420
safer_gnutls_strerror(ret));
496
gnutls_deinit(*session);
421
gnutls_deinit (*session);
497
422
return -1;
498
423
}
499
424
500
425
/* ignore client certificate if any. */
501
gnutls_certificate_server_set_request(*session,
502
GNUTLS_CERT_IGNORE);
426
gnutls_certificate_server_set_request (*session,
427
GNUTLS_CERT_IGNORE);
503
428
504
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
429
gnutls_dh_set_prime_bits (*session, mc->dh_bits);
505
430
506
431
return 0;
507
432
}
513
438
/* Called when a Mandos server is found */
514
439
static int start_mandos_communication(const char *ip, uint16_t port,
515
440
AvahiIfIndex if_index,
516
int af){
441
mandos_context *mc){
517
442
int ret, tcp_sd;
518
ssize_t sret;
519
union {
520
struct sockaddr_in in;
521
struct sockaddr_in6 in6;
522
} to;
443
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
523
444
char *buffer = NULL;
524
445
char *decrypted_buffer;
525
446
size_t buffer_length = 0;
527
448
ssize_t decrypted_buffer_size;
528
449
size_t written;
529
450
int retval = 0;
451
char interface[IF_NAMESIZE];
530
452
gnutls_session_t session;
531
int pf; /* Protocol family */
532
533
switch(af){
534
case AF_INET6:
535
pf = PF_INET6;
536
break;
537
case AF_INET:
538
pf = PF_INET;
539
break;
540
default:
541
fprintf(stderr, "Bad address family: %d\n", af);
542
return -1;
543
}
544
545
ret = init_gnutls_session(&session);
546
if(ret != 0){
453
454
ret = init_gnutls_session (mc, &session);
455
if (ret != 0){
547
456
return -1;
548
457
}
549
458
550
459
if(debug){
551
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
460
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
552
461
"\n", ip, port);
553
462
}
554
463
555
tcp_sd = socket(pf, SOCK_STREAM, 0);
556
if(tcp_sd < 0){
464
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
465
if(tcp_sd < 0) {
557
466
perror("socket");
558
467
return -1;
559
468
}
469
470
if(debug){
471
if(if_indextoname((unsigned int)if_index, interface) == NULL){
472
perror("if_indextoname");
473
return -1;
474
}
475
fprintf(stderr, "Binding to interface %s\n", interface);
476
}
560
477
561
478
memset(&to, 0, sizeof(to));
562
if(af == AF_INET6){
563
to.in6.sin6_family = (uint16_t)af;
564
ret = inet_pton(af, ip, &to.in6.sin6_addr);
565
} else { /* IPv4 */
566
to.in.sin_family = (sa_family_t)af;
567
ret = inet_pton(af, ip, &to.in.sin_addr);
568
}
569
if(ret < 0 ){
479
to.in6.sin6_family = AF_INET6;
480
/* It would be nice to have a way to detect if we were passed an
481
IPv4 address here. Now we assume an IPv6 address. */
482
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
483
if (ret < 0 ){
570
484
perror("inet_pton");
571
485
return -1;
572
486
}
574
488
fprintf(stderr, "Bad address: %s\n", ip);
575
489
return -1;
576
490
}
577
if(af == AF_INET6){
578
to.in6.sin6_port = htons(port); /* Spurious warnings from
579
-Wconversion and
580
-Wunreachable-code */
581
582
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
583
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
584
-Wunreachable-code*/
585
if(if_index == AVAHI_IF_UNSPEC){
586
fprintf(stderr, "An IPv6 link-local address is incomplete"
587
" without a network interface\n");
588
return -1;
589
}
590
/* Set the network interface number as scope */
591
to.in6.sin6_scope_id = (uint32_t)if_index;
592
}
593
} else {
594
to.in.sin_port = htons(port); /* Spurious warnings from
595
-Wconversion and
596
-Wunreachable-code */
597
}
491
to.in6.sin6_port = htons(port); /* Spurious warning */
492
493
to.in6.sin6_scope_id = (uint32_t)if_index;
598
494
599
495
if(debug){
600
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
601
char interface[IF_NAMESIZE];
602
if(if_indextoname((unsigned int)if_index, interface) == NULL){
603
perror("if_indextoname");
604
} else {
605
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
606
ip, interface, port);
607
}
608
} else {
609
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
610
port);
611
}
612
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
613
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
614
const char *pcret;
615
if(af == AF_INET6){
616
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
617
sizeof(addrstr));
618
} else {
619
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
620
sizeof(addrstr));
621
}
622
if(pcret == NULL){
496
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
497
port);
498
char addrstr[INET6_ADDRSTRLEN] = "";
499
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
500
sizeof(addrstr)) == NULL){
623
501
perror("inet_ntop");
624
502
} else {
625
503
if(strcmp(addrstr, ip) != 0){
628
506
}
629
507
}
630
508
631
if(af == AF_INET6){
632
ret = connect(tcp_sd, &to.in6, sizeof(to));
633
} else {
634
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
635
}
636
if(ret < 0){
509
ret = connect(tcp_sd, &to.in, sizeof(to));
510
if (ret < 0){
637
511
perror("connect");
638
512
return -1;
639
513
}
640
514
641
515
const char *out = mandos_protocol_version;
642
516
written = 0;
643
while(true){
517
while (true){
644
518
size_t out_size = strlen(out);
645
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
519
ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
646
520
out_size - written));
647
if(ret == -1){
521
if (ret == -1){
648
522
perror("write");
649
523
retval = -1;
650
524
goto mandos_end;
653
527
if(written < out_size){
654
528
continue;
655
529
} else {
656
if(out == mandos_protocol_version){
530
if (out == mandos_protocol_version){
657
531
written = 0;
658
532
out = "\r\n";
659
533
} else {
661
535
}
662
536
}
663
537
}
664
538
665
539
if(debug){
666
540
fprintf(stderr, "Establishing TLS session with %s\n", ip);
667
541
}
668
542
669
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
670
543
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
544
671
545
do{
672
ret = gnutls_handshake(session);
546
ret = gnutls_handshake (session);
673
547
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
674
548
675
if(ret != GNUTLS_E_SUCCESS){
549
if (ret != GNUTLS_E_SUCCESS){
676
550
if(debug){
677
551
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
678
gnutls_perror(ret);
552
gnutls_perror (ret);
679
553
}
680
554
retval = -1;
681
555
goto mandos_end;
684
558
/* Read OpenPGP packet that contains the wanted password */
685
559
686
560
if(debug){
687
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
561
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
688
562
ip);
689
563
}
690
564
691
565
while(true){
692
buffer_capacity = incbuffer(&buffer, buffer_length,
566
buffer_capacity = adjustbuffer(&buffer, buffer_length,
693
567
buffer_capacity);
694
if(buffer_capacity == 0){
695
perror("incbuffer");
568
if (buffer_capacity == 0){
569
perror("adjustbuffer");
696
570
retval = -1;
697
571
goto mandos_end;
698
572
}
699
573
700
sret = gnutls_record_recv(session, buffer+buffer_length,
701
BUFFER_SIZE);
702
if(sret == 0){
574
ret = gnutls_record_recv(session, buffer+buffer_length,
575
BUFFER_SIZE);
576
if (ret == 0){
703
577
break;
704
578
}
705
if(sret < 0){
706
switch(sret){
579
if (ret < 0){
580
switch(ret){
707
581
case GNUTLS_E_INTERRUPTED:
708
582
case GNUTLS_E_AGAIN:
709
583
break;
710
584
case GNUTLS_E_REHANDSHAKE:
711
585
do{
712
ret = gnutls_handshake(session);
586
ret = gnutls_handshake (session);
713
587
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
714
if(ret < 0){
588
if (ret < 0){
715
589
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
716
gnutls_perror(ret);
590
gnutls_perror (ret);
717
591
retval = -1;
718
592
goto mandos_end;
719
593
}
722
596
fprintf(stderr, "Unknown error while reading data from"
723
597
" encrypted session with Mandos server\n");
724
598
retval = -1;
725
gnutls_bye(session, GNUTLS_SHUT_RDWR);
599
gnutls_bye (session, GNUTLS_SHUT_RDWR);
726
600
goto mandos_end;
727
601
}
728
602
} else {
729
buffer_length += (size_t) sret;
603
buffer_length += (size_t) ret;
730
604
}
731
605
}
732
606
734
608
fprintf(stderr, "Closing TLS session\n");
735
609
}
736
610
737
gnutls_bye(session, GNUTLS_SHUT_RDWR);
611
gnutls_bye (session, GNUTLS_SHUT_RDWR);
738
612
739
if(buffer_length > 0){
613
if (buffer_length > 0){
740
614
decrypted_buffer_size = pgp_packet_decrypt(buffer,
741
615
buffer_length,
742
&decrypted_buffer);
743
if(decrypted_buffer_size >= 0){
616
&decrypted_buffer,
617
keydir);
618
if (decrypted_buffer_size >= 0){
744
619
written = 0;
745
620
while(written < (size_t) decrypted_buffer_size){
746
ret = (int)fwrite(decrypted_buffer + written, 1,
747
(size_t)decrypted_buffer_size - written,
748
stdout);
621
ret = (int)fwrite (decrypted_buffer + written, 1,
622
(size_t)decrypted_buffer_size - written,
623
stdout);
749
624
if(ret == 0 and ferror(stdout)){
750
625
if(debug){
751
626
fprintf(stderr, "Error writing encrypted data: %s\n",
768
643
769
644
mandos_end:
770
645
free(buffer);
771
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
772
if(ret == -1){
773
perror("close");
774
}
775
gnutls_deinit(session);
646
close(tcp_sd);
647
gnutls_deinit (session);
776
648
return retval;
777
649
}
778
650
779
651
static void resolve_callback(AvahiSServiceResolver *r,
780
652
AvahiIfIndex interface,
781
AvahiProtocol proto,
653
AVAHI_GCC_UNUSED AvahiProtocol protocol,
782
654
AvahiResolverEvent event,
783
655
const char *name,
784
656
const char *type,
789
661
AVAHI_GCC_UNUSED AvahiStringList *txt,
790
662
AVAHI_GCC_UNUSED AvahiLookupResultFlags
791
663
flags,
792
AVAHI_GCC_UNUSED void* userdata){
664
void* userdata) {
665
mandos_context *mc = userdata;
793
666
assert(r);
794
667
795
668
/* Called whenever a service has been resolved successfully or
796
669
timed out */
797
670
798
switch(event){
671
switch (event) {
799
672
default:
800
673
case AVAHI_RESOLVER_FAILURE:
801
674
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
802
675
" of type '%s' in domain '%s': %s\n", name, type, domain,
803
avahi_strerror(avahi_server_errno(mc.server)));
676
avahi_strerror(avahi_server_errno(mc->server)));
804
677
break;
805
678
806
679
case AVAHI_RESOLVER_FOUND:
809
682
avahi_address_snprint(ip, sizeof(ip), address);
810
683
if(debug){
811
684
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
812
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
813
ip, (intmax_t)interface, port);
685
PRIu16 ") on port %d\n", name, host_name, ip,
686
interface, port);
814
687
}
815
int ret = start_mandos_communication(ip, port, interface,
816
avahi_proto_to_af(proto));
817
if(ret == 0){
818
avahi_simple_poll_quit(mc.simple_poll);
688
int ret = start_mandos_communication(ip, port, interface, mc);
689
if (ret == 0){
690
avahi_simple_poll_quit(mc->simple_poll);
819
691
}
820
692
}
821
693
}
822
694
avahi_s_service_resolver_free(r);
823
695
}
824
696
825
static void browse_callback(AvahiSServiceBrowser *b,
826
AvahiIfIndex interface,
827
AvahiProtocol protocol,
828
AvahiBrowserEvent event,
829
const char *name,
830
const char *type,
831
const char *domain,
832
AVAHI_GCC_UNUSED AvahiLookupResultFlags
833
flags,
834
AVAHI_GCC_UNUSED void* userdata){
697
static void browse_callback( AvahiSServiceBrowser *b,
698
AvahiIfIndex interface,
699
AvahiProtocol protocol,
700
AvahiBrowserEvent event,
701
const char *name,
702
const char *type,
703
const char *domain,
704
AVAHI_GCC_UNUSED AvahiLookupResultFlags
705
flags,
706
void* userdata) {
707
mandos_context *mc = userdata;
835
708
assert(b);
836
709
837
710
/* Called whenever a new services becomes available on the LAN or
838
711
is removed from the LAN */
839
712
840
switch(event){
713
switch (event) {
841
714
default:
842
715
case AVAHI_BROWSER_FAILURE:
843
716
844
717
fprintf(stderr, "(Avahi browser) %s\n",
845
avahi_strerror(avahi_server_errno(mc.server)));
846
avahi_simple_poll_quit(mc.simple_poll);
718
avahi_strerror(avahi_server_errno(mc->server)));
719
avahi_simple_poll_quit(mc->simple_poll);
847
720
return;
848
721
849
722
case AVAHI_BROWSER_NEW:
852
725
the callback function is called the Avahi server will free the
853
726
resolver for us. */
854
727
855
if(!(avahi_s_service_resolver_new(mc.server, interface,
728
if (!(avahi_s_service_resolver_new(mc->server, interface,
856
729
protocol, name, type, domain,
857
730
AVAHI_PROTO_INET6, 0,
858
resolve_callback, NULL)))
731
resolve_callback, mc)))
859
732
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
860
name, avahi_strerror(avahi_server_errno(mc.server)));
733
name, avahi_strerror(avahi_server_errno(mc->server)));
861
734
break;
862
735
863
736
case AVAHI_BROWSER_REMOVE:
872
745
}
873
746
}
874
747
875
sig_atomic_t quit_now = 0;
876
877
static void handle_sigterm(__attribute__((unused)) int sig){
878
if(quit_now){
879
return;
880
}
881
quit_now = 1;
882
int old_errno = errno;
883
if(mc.simple_poll != NULL){
884
avahi_simple_poll_quit(mc.simple_poll);
885
}
886
errno = old_errno;
748
/* Combines file name and path and returns the malloced new
749
string. some sane checks could/should be added */
750
static char *combinepath(const char *first, const char *second){
751
char *tmp;
752
int ret = asprintf(&tmp, "%s/%s", first, second);
753
if(ret < 0){
754
return NULL;
755
}
756
return tmp;
887
757
}
888
758
759
889
760
int main(int argc, char *argv[]){
890
AvahiSServiceBrowser *sb = NULL;
891
int error;
892
int ret;
893
intmax_t tmpmax;
894
int numchars;
895
int exitcode = EXIT_SUCCESS;
896
const char *interface = "eth0";
897
struct ifreq network;
898
int sd;
899
uid_t uid;
900
gid_t gid;
901
char *connect_to = NULL;
902
char tempdir[] = "/tmp/mandosXXXXXX";
903
bool tempdir_created = false;
904
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
905
const char *seckey = PATHDIR "/" SECKEY;
906
const char *pubkey = PATHDIR "/" PUBKEY;
907
908
/* Initialize Mandos context */
909
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
910
.dh_bits = 1024, .priority = "SECURE256"
911
":!CTYPE-X.509:+CTYPE-OPENPGP" };
912
bool gnutls_initialized = false;
913
bool gpgme_initialized = false;
914
double delay = 2.5;
761
AvahiSServiceBrowser *sb = NULL;
762
int error;
763
int ret;
764
int exitcode = EXIT_SUCCESS;
765
const char *interface = "eth0";
766
struct ifreq network;
767
int sd;
768
uid_t uid;
769
gid_t gid;
770
char *connect_to = NULL;
771
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
772
char *pubkeyfilename = NULL;
773
char *seckeyfilename = NULL;
774
const char *pubkeyname = "pubkey.txt";
775
const char *seckeyname = "seckey.txt";
776
mandos_context mc = { .simple_poll = NULL, .server = NULL,
777
.dh_bits = 1024, .priority = "SECURE256"};
778
bool gnutls_initalized = false;
779
780
{
781
struct argp_option options[] = {
782
{ .name = "debug", .key = 128,
783
.doc = "Debug mode", .group = 3 },
784
{ .name = "connect", .key = 'c',
785
.arg = "IP",
786
.doc = "Connect directly to a sepcified mandos server",
787
.group = 1 },
788
{ .name = "interface", .key = 'i',
789
.arg = "INTERFACE",
790
.doc = "Interface that Avahi will conntect through",
791
.group = 1 },
792
{ .name = "keydir", .key = 'd',
793
.arg = "KEYDIR",
794
.doc = "Directory where the openpgp keyring is",
795
.group = 1 },
796
{ .name = "seckey", .key = 's',
797
.arg = "SECKEY",
798
.doc = "Secret openpgp key for gnutls authentication",
799
.group = 1 },
800
{ .name = "pubkey", .key = 'p',
801
.arg = "PUBKEY",
802
.doc = "Public openpgp key for gnutls authentication",
803
.group = 2 },
804
{ .name = "dh-bits", .key = 129,
805
.arg = "BITS",
806
.doc = "dh-bits to use in gnutls communication",
807
.group = 2 },
808
{ .name = "priority", .key = 130,
809
.arg = "PRIORITY",
810
.doc = "GNUTLS priority", .group = 1 },
811
{ .name = NULL }
812
};
915
813
916
struct sigaction old_sigterm_action;
917
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
918
919
{
920
struct argp_option options[] = {
921
{ .name = "debug", .key = 128,
922
.doc = "Debug mode", .group = 3 },
923
{ .name = "connect", .key = 'c',
924
.arg = "ADDRESS:PORT",
925
.doc = "Connect directly to a specific Mandos server",
926
.group = 1 },
927
{ .name = "interface", .key = 'i',
928
.arg = "NAME",
929
.doc = "Network interface that will be used to search for"
930
" Mandos servers",
931
.group = 1 },
932
{ .name = "seckey", .key = 's',
933
.arg = "FILE",
934
.doc = "OpenPGP secret key file base name",
935
.group = 1 },
936
{ .name = "pubkey", .key = 'p',
937
.arg = "FILE",
938
.doc = "OpenPGP public key file base name",
939
.group = 2 },
940
{ .name = "dh-bits", .key = 129,
941
.arg = "BITS",
942
.doc = "Bit length of the prime number used in the"
943
" Diffie-Hellman key exchange",
944
.group = 2 },
945
{ .name = "priority", .key = 130,
946
.arg = "STRING",
947
.doc = "GnuTLS priority string for the TLS handshake",
948
.group = 1 },
949
{ .name = "delay", .key = 131,
950
.arg = "SECONDS",
951
.doc = "Maximum delay to wait for interface startup",
952
.group = 2 },
953
{ .name = NULL }
954
};
955
956
error_t parse_opt(int key, char *arg,
957
struct argp_state *state){
958
switch(key){
959
case 128: /* --debug */
960
debug = true;
961
break;
962
case 'c': /* --connect */
963
connect_to = arg;
964
break;
965
case 'i': /* --interface */
966
interface = arg;
967
break;
968
case 's': /* --seckey */
969
seckey = arg;
970
break;
971
case 'p': /* --pubkey */
972
pubkey = arg;
973
break;
974
case 129: /* --dh-bits */
975
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
976
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
977
or arg[numchars] != '\0'){
978
fprintf(stderr, "Bad number of DH bits\n");
979
exit(EXIT_FAILURE);
980
}
981
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
982
break;
983
case 130: /* --priority */
984
mc.priority = arg;
985
break;
986
case 131: /* --delay */
987
ret = sscanf(arg, "%lf%n", &delay, &numchars);
988
if(ret < 1 or arg[numchars] != '\0'){
989
fprintf(stderr, "Bad delay\n");
990
exit(EXIT_FAILURE);
991
}
992
break;
993
case ARGP_KEY_ARG:
994
argp_usage(state);
995
case ARGP_KEY_END:
996
break;
997
default:
998
return ARGP_ERR_UNKNOWN;
999
}
1000
return 0;
1001
}
1002
1003
struct argp argp = { .options = options, .parser = parse_opt,
1004
.args_doc = "",
1005
.doc = "Mandos client -- Get and decrypt"
1006
" passwords from a Mandos server" };
1007
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1008
if(ret == ARGP_ERR_UNKNOWN){
1009
fprintf(stderr, "Unknown error while parsing arguments\n");
1010
exitcode = EXIT_FAILURE;
1011
goto end;
1012
}
1013
}
1014
1015
/* If the interface is down, bring it up */
1016
if(interface[0] != '\0'){
1017
#ifdef __linux__
1018
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1019
messages to mess up the prompt */
1020
ret = klogctl(8, NULL, 5);
1021
bool restore_loglevel = true;
1022
if(ret == -1){
1023
restore_loglevel = false;
1024
perror("klogctl");
1025
}
1026
#endif /* __linux__ */
1027
1028
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1029
if(sd < 0){
1030
perror("socket");
1031
exitcode = EXIT_FAILURE;
1032
#ifdef __linux__
1033
if(restore_loglevel){
1034
ret = klogctl(7, NULL, 0);
1035
if(ret == -1){
1036
perror("klogctl");
1037
}
1038
}
1039
#endif /* __linux__ */
1040
goto end;
1041
}
1042
strcpy(network.ifr_name, interface);
1043
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1044
if(ret == -1){
1045
perror("ioctl SIOCGIFFLAGS");
1046
#ifdef __linux__
1047
if(restore_loglevel){
1048
ret = klogctl(7, NULL, 0);
1049
if(ret == -1){
1050
perror("klogctl");
1051
}
1052
}
1053
#endif /* __linux__ */
1054
exitcode = EXIT_FAILURE;
1055
goto end;
1056
}
1057
if((network.ifr_flags & IFF_UP) == 0){
1058
network.ifr_flags |= IFF_UP;
1059
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1060
if(ret == -1){
1061
perror("ioctl SIOCSIFFLAGS");
1062
exitcode = EXIT_FAILURE;
1063
#ifdef __linux__
1064
if(restore_loglevel){
1065
ret = klogctl(7, NULL, 0);
1066
if(ret == -1){
1067
perror("klogctl");
814
815
error_t parse_opt (int key, char *arg,
816
struct argp_state *state) {
817
/* Get the INPUT argument from `argp_parse', which we know is
818
a pointer to our plugin list pointer. */
819
switch (key) {
820
case 128:
821
debug = true;
822
break;
823
case 'c':
824
connect_to = arg;
825
break;
826
case 'i':
827
interface = arg;
828
break;
829
case 'd':
830
keydir = arg;
831
break;
832
case 's':
833
seckeyname = arg;
834
break;
835
case 'p':
836
pubkeyname = arg;
837
break;
838
case 129:
839
errno = 0;
840
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
841
if (errno){
842
perror("strtol");
843
exit(EXIT_FAILURE);
1068
844
}
845
break;
846
case 130:
847
mc.priority = arg;
848
break;
849
case ARGP_KEY_ARG:
850
argp_usage (state);
851
case ARGP_KEY_END:
852
break;
853
default:
854
return ARGP_ERR_UNKNOWN;
1069
855
}
1070
#endif /* __linux__ */
1071
goto end;
1072
}
1073
}
1074
/* sleep checking until interface is running */
1075
for(int i=0; i < delay * 4; i++){
856
return 0;
857
}
858
859
struct argp argp = { .options = options, .parser = parse_opt,
860
.args_doc = "",
861
.doc = "Mandos client -- Get and decrypt"
862
" passwords from mandos server" };
863
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
864
if (ret == ARGP_ERR_UNKNOWN){
865
fprintf(stderr, "Unknown error while parsing arguments\n");
866
exitcode = EXIT_FAILURE;
867
goto end;
868
}
869
}
870
871
pubkeyfilename = combinepath(keydir, pubkeyname);
872
if (pubkeyfilename == NULL){
873
perror("combinepath");
874
exitcode = EXIT_FAILURE;
875
goto end;
876
}
877
878
seckeyfilename = combinepath(keydir, seckeyname);
879
if (seckeyfilename == NULL){
880
perror("combinepath");
881
exitcode = EXIT_FAILURE;
882
goto end;
883
}
884
885
ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename);
886
if (ret == -1){
887
fprintf(stderr, "init_gnutls_global failed\n");
888
exitcode = EXIT_FAILURE;
889
goto end;
890
} else {
891
gnutls_initalized = true;
892
}
893
894
/* If the interface is down, bring it up */
895
{
896
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
897
if(sd < 0) {
898
perror("socket");
899
exitcode = EXIT_FAILURE;
900
goto end;
901
}
902
strcpy(network.ifr_name, interface);
1076
903
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1077
904
if(ret == -1){
1078
905
perror("ioctl SIOCGIFFLAGS");
1079
} else if(network.ifr_flags & IFF_RUNNING){
1080
break;
1081
}
1082
struct timespec sleeptime = { .tv_nsec = 250000000 };
1083
ret = nanosleep(&sleeptime, NULL);
1084
if(ret == -1 and errno != EINTR){
1085
perror("nanosleep");
1086
}
1087
}
1088
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1089
if(ret == -1){
1090
perror("close");
1091
}
1092
#ifdef __linux__
1093
if(restore_loglevel){
1094
/* Restores kernel loglevel to default */
1095
ret = klogctl(7, NULL, 0);
1096
if(ret == -1){
1097
perror("klogctl");
1098
}
1099
}
1100
#endif /* __linux__ */
1101
}
1102
1103
uid = getuid();
1104
gid = getgid();
1105
1106
errno = 0;
1107
setgid(gid);
1108
if(ret == -1){
1109
perror("setgid");
1110
}
1111
1112
ret = setuid(uid);
1113
if(ret == -1){
1114
perror("setuid");
1115
}
1116
1117
ret = init_gnutls_global(pubkey, seckey);
1118
if(ret == -1){
1119
fprintf(stderr, "init_gnutls_global failed\n");
1120
exitcode = EXIT_FAILURE;
1121
goto end;
1122
} else {
1123
gnutls_initialized = true;
1124
}
1125
1126
if(mkdtemp(tempdir) == NULL){
1127
perror("mkdtemp");
1128
goto end;
1129
}
1130
tempdir_created = true;
1131
1132
if(not init_gpgme(pubkey, seckey, tempdir)){
1133
fprintf(stderr, "init_gpgme failed\n");
1134
exitcode = EXIT_FAILURE;
1135
goto end;
1136
} else {
1137
gpgme_initialized = true;
1138
}
1139
1140
if(interface[0] != '\0'){
906
exitcode = EXIT_FAILURE;
907
goto end;
908
}
909
if((network.ifr_flags & IFF_UP) == 0){
910
network.ifr_flags |= IFF_UP;
911
ret = ioctl(sd, SIOCSIFFLAGS, &network);
912
if(ret == -1){
913
perror("ioctl SIOCSIFFLAGS");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
close(sd);
919
}
920
921
uid = getuid();
922
gid = getgid();
923
924
ret = setuid(uid);
925
if (ret == -1){
926
perror("setuid");
927
}
928
929
setgid(gid);
930
if (ret == -1){
931
perror("setgid");
932
}
933
1141
934
if_index = (AvahiIfIndex) if_nametoindex(interface);
1142
935
if(if_index == 0){
1143
936
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1144
exitcode = EXIT_FAILURE;
1145
goto end;
1146
}
1147
}
1148
1149
if(connect_to != NULL){
1150
/* Connect directly, do not use Zeroconf */
1151
/* (Mainly meant for debugging) */
1152
char *address = strrchr(connect_to, ':');
1153
if(address == NULL){
1154
fprintf(stderr, "No colon in address\n");
1155
exitcode = EXIT_FAILURE;
1156
goto end;
1157
}
1158
uint16_t port;
1159
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1160
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1161
or address[numchars+1] != '\0'){
1162
fprintf(stderr, "Bad port number\n");
1163
exitcode = EXIT_FAILURE;
1164
goto end;
1165
}
1166
port = (uint16_t)tmpmax;
1167
*address = '\0';
1168
address = connect_to;
1169
/* Colon in address indicates IPv6 */
1170
int af;
1171
if(strchr(address, ':') != NULL){
1172
af = AF_INET6;
1173
} else {
1174
af = AF_INET;
1175
}
1176
ret = start_mandos_communication(address, port, if_index, af);
1177
if(ret < 0){
1178
exitcode = EXIT_FAILURE;
1179
} else {
1180
exitcode = EXIT_SUCCESS;
1181
}
1182
goto end;
1183
}
1184
1185
if(not debug){
1186
avahi_set_log_function(empty_log);
1187
}
1188
1189
/* Initialize the pseudo-RNG for Avahi */
1190
srand((unsigned int) time(NULL));
1191
1192
/* Allocate main Avahi loop object */
1193
mc.simple_poll = avahi_simple_poll_new();
1194
if(mc.simple_poll == NULL){
1195
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1196
exitcode = EXIT_FAILURE;
1197
goto end;
1198
}
1199
1200
{
1201
AvahiServerConfig config;
1202
/* Do not publish any local Zeroconf records */
1203
avahi_server_config_init(&config);
1204
config.publish_hinfo = 0;
1205
config.publish_addresses = 0;
1206
config.publish_workstation = 0;
1207
config.publish_domain = 0;
1208
1209
/* Allocate a new server */
1210
mc.server = avahi_server_new(avahi_simple_poll_get
1211
(mc.simple_poll), &config, NULL,
1212
NULL, &error);
1213
1214
/* Free the Avahi configuration data */
1215
avahi_server_config_free(&config);
1216
}
1217
1218
/* Check if creating the Avahi server object succeeded */
1219
if(mc.server == NULL){
1220
fprintf(stderr, "Failed to create Avahi server: %s\n",
1221
avahi_strerror(error));
1222
exitcode = EXIT_FAILURE;
1223
goto end;
1224
}
1225
1226
/* Create the Avahi service browser */
1227
sb = avahi_s_service_browser_new(mc.server, if_index,
1228
AVAHI_PROTO_INET6, "_mandos._tcp",
1229
NULL, 0, browse_callback, NULL);
1230
if(sb == NULL){
1231
fprintf(stderr, "Failed to create service browser: %s\n",
1232
avahi_strerror(avahi_server_errno(mc.server)));
1233
exitcode = EXIT_FAILURE;
1234
goto end;
1235
}
1236
1237
sigemptyset(&sigterm_action.sa_mask);
1238
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1239
if(ret == -1){
1240
perror("sigaddset");
1241
exitcode = EXIT_FAILURE;
1242
goto end;
1243
}
1244
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1245
if(ret == -1){
1246
perror("sigaddset");
1247
exitcode = EXIT_FAILURE;
1248
goto end;
1249
}
1250
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1251
if(ret == -1){
1252
perror("sigaddset");
1253
exitcode = EXIT_FAILURE;
1254
goto end;
1255
}
1256
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1257
if(ret == -1){
1258
perror("sigaction");
1259
exitcode = EXIT_FAILURE;
1260
goto end;
1261
}
1262
1263
/* Run the main loop */
1264
1265
if(debug){
1266
fprintf(stderr, "Starting Avahi loop search\n");
1267
}
1268
1269
avahi_simple_poll_loop(mc.simple_poll);
1270
937
exit(EXIT_FAILURE);
938
}
939
940
if(connect_to != NULL){
941
/* Connect directly, do not use Zeroconf */
942
/* (Mainly meant for debugging) */
943
char *address = strrchr(connect_to, ':');
944
if(address == NULL){
945
fprintf(stderr, "No colon in address\n");
946
exitcode = EXIT_FAILURE;
947
goto end;
948
}
949
errno = 0;
950
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
951
if(errno){
952
perror("Bad port number");
953
exitcode = EXIT_FAILURE;
954
goto end;
955
}
956
*address = '\0';
957
address = connect_to;
958
ret = start_mandos_communication(address, port, if_index, &mc);
959
if(ret < 0){
960
exitcode = EXIT_FAILURE;
961
} else {
962
exitcode = EXIT_SUCCESS;
963
}
964
goto end;
965
}
966
967
if (not debug){
968
avahi_set_log_function(empty_log);
969
}
970
971
/* Initialize the pseudo-RNG for Avahi */
972
srand((unsigned int) time(NULL));
973
974
/* Allocate main Avahi loop object */
975
mc.simple_poll = avahi_simple_poll_new();
976
if (mc.simple_poll == NULL) {
977
fprintf(stderr, "Avahi: Failed to create simple poll"
978
" object.\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
}
982
983
{
984
AvahiServerConfig config;
985
/* Do not publish any local Zeroconf records */
986
avahi_server_config_init(&config);
987
config.publish_hinfo = 0;
988
config.publish_addresses = 0;
989
config.publish_workstation = 0;
990
config.publish_domain = 0;
991
992
/* Allocate a new server */
993
mc.server = avahi_server_new(avahi_simple_poll_get
994
(mc.simple_poll), &config, NULL,
995
NULL, &error);
996
997
/* Free the Avahi configuration data */
998
avahi_server_config_free(&config);
999
}
1000
1001
/* Check if creating the Avahi server object succeeded */
1002
if (mc.server == NULL) {
1003
fprintf(stderr, "Failed to create Avahi server: %s\n",
1004
avahi_strerror(error));
1005
exitcode = EXIT_FAILURE;
1006
goto end;
1007
}
1008
1009
/* Create the Avahi service browser */
1010
sb = avahi_s_service_browser_new(mc.server, if_index,
1011
AVAHI_PROTO_INET6,
1012
"_mandos._tcp", NULL, 0,
1013
browse_callback, &mc);
1014
if (sb == NULL) {
1015
fprintf(stderr, "Failed to create service browser: %s\n",
1016
avahi_strerror(avahi_server_errno(mc.server)));
1017
exitcode = EXIT_FAILURE;
1018
goto end;
1019
}
1020
1021
/* Run the main loop */
1022
1023
if (debug){
1024
fprintf(stderr, "Starting Avahi loop search\n");
1025
}
1026
1027
avahi_simple_poll_loop(mc.simple_poll);
1028
1271
1029
end:
1272
1273
if(debug){
1274
fprintf(stderr, "%s exiting\n", argv[0]);
1275
}
1276
1277
/* Cleanup things */
1278
if(sb != NULL)
1279
avahi_s_service_browser_free(sb);
1280
1281
if(mc.server != NULL)
1282
avahi_server_free(mc.server);
1283
1284
if(mc.simple_poll != NULL)
1285
avahi_simple_poll_free(mc.simple_poll);
1286
1287
if(gnutls_initialized){
1288
gnutls_certificate_free_credentials(mc.cred);
1289
gnutls_global_deinit();
1290
gnutls_dh_params_deinit(mc.dh_params);
1291
}
1292
1293
if(gpgme_initialized){
1294
gpgme_release(mc.ctx);
1295
}
1296
1297
/* Removes the temp directory used by GPGME */
1298
if(tempdir_created){
1299
DIR *d;
1300
struct dirent *direntry;
1301
d = opendir(tempdir);
1302
if(d == NULL){
1303
if(errno != ENOENT){
1304
perror("opendir");
1305
}
1306
} else {
1307
while(true){
1308
direntry = readdir(d);
1309
if(direntry == NULL){
1310
break;
1311
}
1312
/* Skip "." and ".." */
1313
if(direntry->d_name[0] == '.'
1314
and (direntry->d_name[1] == '\0'
1315
or (direntry->d_name[1] == '.'
1316
and direntry->d_name[2] == '\0'))){
1317
continue;
1318
}
1319
char *fullname = NULL;
1320
ret = asprintf(&fullname, "%s/%s", tempdir,
1321
direntry->d_name);
1322
if(ret < 0){
1323
perror("asprintf");
1324
continue;
1325
}
1326
ret = remove(fullname);
1327
if(ret == -1){
1328
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1329
strerror(errno));
1330
}
1331
free(fullname);
1332
}
1333
closedir(d);
1334
}
1335
ret = rmdir(tempdir);
1336
if(ret == -1 and errno != ENOENT){
1337
perror("rmdir");
1338
}
1339
}
1340
1341
return exitcode;
1030
1031
if (debug){
1032
fprintf(stderr, "%s exiting\n", argv[0]);
1033
}
1034
1035
/* Cleanup things */
1036
if (sb != NULL)
1037
avahi_s_service_browser_free(sb);
1038
1039
if (mc.server != NULL)
1040
avahi_server_free(mc.server);
1041
1042
if (mc.simple_poll != NULL)
1043
avahi_simple_poll_free(mc.simple_poll);
1044
free(pubkeyfilename);
1045
free(seckeyfilename);
1046
1047
if (gnutls_initalized){
1048
gnutls_certificate_free_credentials(mc.cred);
1049
gnutls_global_deinit ();
1050
}
1051
1052
return exitcode;
1342
1053
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0