275
123
/* Create new empty GPGME data buffer for the plaintext */
276
124
rc = gpgme_data_new(&dh_plain);
277
if(rc != GPG_ERR_NO_ERROR){
125
if (rc != GPG_ERR_NO_ERROR){
278
126
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
279
127
gpgme_strsource(rc), gpgme_strerror(rc));
280
gpgme_data_release(dh_crypto);
284
/* Decrypt data from the cryptotext data buffer to the plaintext
286
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
287
if(rc != GPG_ERR_NO_ERROR){
131
/* Create new GPGME "context" */
132
rc = gpgme_new(&ctx);
133
if (rc != GPG_ERR_NO_ERROR){
134
fprintf(stderr, "bad gpgme_new: %s: %s\n",
135
gpgme_strsource(rc), gpgme_strerror(rc));
139
/* Decrypt data from the FILE pointer to the plaintext data buffer */
140
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
141
if (rc != GPG_ERR_NO_ERROR){
288
142
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
289
143
gpgme_strsource(rc), gpgme_strerror(rc));
290
plaintext_length = -1;
292
gpgme_decrypt_result_t result;
293
result = gpgme_op_decrypt_result(mc.ctx);
295
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
297
fprintf(stderr, "Unsupported algorithm: %s\n",
298
result->unsupported_algorithm);
299
fprintf(stderr, "Wrong key usage: %u\n",
300
result->wrong_key_usage);
301
if(result->file_name != NULL){
302
fprintf(stderr, "File name: %s\n", result->file_name);
304
gpgme_recipient_t recipient;
305
recipient = result->recipients;
307
while(recipient != NULL){
308
fprintf(stderr, "Public key algorithm: %s\n",
309
gpgme_pubkey_algo_name(recipient->pubkey_algo));
310
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
311
fprintf(stderr, "Secret key available: %s\n",
312
recipient->status == GPG_ERR_NO_SECKEY
314
recipient = recipient->next;
323
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
147
/* gpgme_decrypt_result_t result; */
148
/* result = gpgme_op_decrypt_result(ctx); */
149
/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */
150
/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */
151
/* if(result->file_name != NULL){ */
152
/* fprintf(stderr, "File name: %s\n", result->file_name); */
154
/* gpgme_recipient_t recipient; */
155
/* recipient = result->recipients; */
157
/* while(recipient != NULL){ */
158
/* fprintf(stderr, "Public key algorithm: %s\n", */
159
/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */
160
/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */
161
/* fprintf(stderr, "Secret key available: %s\n", */
162
/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */
163
/* recipient = recipient->next; */
167
/* Delete the GPGME FILE pointer cryptotext data buffer */
168
gpgme_data_release(dh_crypto);
326
170
/* Seek back to the beginning of the GPGME plaintext data buffer */
327
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
328
perror("gpgme_data_seek");
329
plaintext_length = -1;
171
gpgme_data_seek(dh_plain, 0, SEEK_SET);
335
plaintext_capacity = incbuffer(plaintext,
336
(size_t)plaintext_length,
338
if(plaintext_capacity == 0){
340
plaintext_length = -1;
175
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
176
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
177
if (*new_packet == NULL){
181
new_packet_capacity += BUFFER_SIZE;
344
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
184
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
346
185
/* Print the data, if any */
187
/* If password is empty, then a incorrect error will be printed */
352
191
perror("gpgme_data_read");
353
plaintext_length = -1;
356
plaintext_length += ret;
360
fprintf(stderr, "Decrypted password is: ");
361
for(ssize_t i = 0; i < plaintext_length; i++){
362
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
364
fprintf(stderr, "\n");
369
/* Delete the GPGME cryptotext data buffer */
370
gpgme_data_release(dh_crypto);
372
/* Delete the GPGME plaintext data buffer */
194
new_packet_length += ret;
197
/* Delete the GPGME plaintext data buffer */
373
198
gpgme_data_release(dh_plain);
374
return plaintext_length;
199
return new_packet_length;
377
static const char * safer_gnutls_strerror(int value){
378
const char *ret = gnutls_strerror(value); /* Spurious warning from
379
-Wunreachable-code */
202
static const char * safer_gnutls_strerror (int value) {
203
const char *ret = gnutls_strerror (value);
381
205
ret = "(unknown)";
385
/* GnuTLS log function callback */
386
static void debuggnutls(__attribute__((unused)) int level,
388
fprintf(stderr, "GnuTLS: %s", string);
209
void debuggnutls(int level, const char* string){
210
fprintf(stderr, "%s", string);
391
static int init_gnutls_global(const char *pubkeyfilename,
392
const char *seckeyfilename){
213
int initgnutls(encrypted_session *es){
396
fprintf(stderr, "Initializing GnuTLS\n");
399
ret = gnutls_global_init();
400
if(ret != GNUTLS_E_SUCCESS){
401
fprintf(stderr, "GnuTLS global_init: %s\n",
402
safer_gnutls_strerror(ret));
407
/* "Use a log level over 10 to enable all debugging options."
410
gnutls_global_set_log_level(11);
411
gnutls_global_set_log_function(debuggnutls);
414
/* OpenPGP credentials */
415
gnutls_certificate_allocate_credentials(&mc.cred);
416
if(ret != GNUTLS_E_SUCCESS){
417
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
421
safer_gnutls_strerror(ret));
422
gnutls_global_deinit();
427
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
428
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
217
if ((ret = gnutls_global_init ())
218
!= GNUTLS_E_SUCCESS) {
219
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
223
/* Uncomment to enable full debuggin on the gnutls library */
224
/* gnutls_global_set_log_level(11); */
225
/* gnutls_global_set_log_function(debuggnutls); */
228
/* openpgp credentials */
229
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
230
!= GNUTLS_E_SUCCESS) {
231
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
432
235
ret = gnutls_certificate_set_openpgp_key_file
433
(mc.cred, pubkeyfilename, seckeyfilename,
434
GNUTLS_OPENPGP_FMT_BASE64);
435
if(ret != GNUTLS_E_SUCCESS){
437
"Error[%d] while reading the OpenPGP key pair ('%s',"
438
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
439
fprintf(stderr, "The GnuTLS error is: %s\n",
440
safer_gnutls_strerror(ret));
444
/* GnuTLS server initialization */
445
ret = gnutls_dh_params_init(&mc.dh_params);
446
if(ret != GNUTLS_E_SUCCESS){
447
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
448
" %s\n", safer_gnutls_strerror(ret));
451
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
452
if(ret != GNUTLS_E_SUCCESS){
453
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
454
safer_gnutls_strerror(ret));
458
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
464
gnutls_certificate_free_credentials(mc.cred);
465
gnutls_global_deinit();
466
gnutls_dh_params_deinit(mc.dh_params);
470
static int init_gnutls_session(gnutls_session_t *session){
472
/* GnuTLS session creation */
473
ret = gnutls_init(session, GNUTLS_SERVER);
474
if(ret != GNUTLS_E_SUCCESS){
475
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
476
safer_gnutls_strerror(ret));
481
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
482
if(ret != GNUTLS_E_SUCCESS){
483
fprintf(stderr, "Syntax error at: %s\n", err);
484
fprintf(stderr, "GnuTLS error: %s\n",
485
safer_gnutls_strerror(ret));
486
gnutls_deinit(*session);
491
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
493
if(ret != GNUTLS_E_SUCCESS){
494
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
495
safer_gnutls_strerror(ret));
496
gnutls_deinit(*session);
236
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
237
if (ret != GNUTLS_E_SUCCESS) {
239
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
240
ret, CERTFILE, KEYFILE);
241
fprintf(stdout, "The Error is: %s\n",
242
safer_gnutls_strerror(ret));
246
//Gnutls server initialization
247
if ((ret = gnutls_dh_params_init (&es->dh_params))
248
!= GNUTLS_E_SUCCESS) {
249
fprintf (stderr, "Error in dh parameter initialization: %s\n",
250
safer_gnutls_strerror(ret));
254
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
255
!= GNUTLS_E_SUCCESS) {
256
fprintf (stderr, "Error in prime generation: %s\n",
257
safer_gnutls_strerror(ret));
261
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
263
// Gnutls session creation
264
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
265
!= GNUTLS_E_SUCCESS){
266
fprintf(stderr, "Error in gnutls session initialization: %s\n",
267
safer_gnutls_strerror(ret));
270
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
271
!= GNUTLS_E_SUCCESS) {
272
fprintf(stderr, "Syntax error at: %s\n", err);
273
fprintf(stderr, "Gnutls error: %s\n",
274
safer_gnutls_strerror(ret));
278
if ((ret = gnutls_credentials_set
279
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
280
!= GNUTLS_E_SUCCESS) {
281
fprintf(stderr, "Error setting a credentials set: %s\n",
282
safer_gnutls_strerror(ret));
500
286
/* ignore client certificate if any. */
501
gnutls_certificate_server_set_request(*session,
287
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
504
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
289
gnutls_dh_set_prime_bits (es->session, DH_BITS);
509
/* Avahi log function callback */
510
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
511
__attribute__((unused)) const char *txt){}
294
void empty_log(AvahiLogLevel level, const char *txt){}
513
/* Called when a Mandos server is found */
514
static int start_mandos_communication(const char *ip, uint16_t port,
515
AvahiIfIndex if_index,
296
int start_mandos_communcation(char *ip, uint16_t port){
520
struct sockaddr_in in;
521
struct sockaddr_in6 in6;
298
struct sockaddr_in6 to;
299
struct in6_addr ip_addr;
300
encrypted_session es;
523
301
char *buffer = NULL;
524
302
char *decrypted_buffer;
525
303
size_t buffer_length = 0;
526
304
size_t buffer_capacity = 0;
527
305
ssize_t decrypted_buffer_size;
530
gnutls_session_t session;
531
int pf; /* Protocol family */
541
fprintf(stderr, "Bad address family: %d\n", af);
545
ret = init_gnutls_session(&session);
551
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
555
tcp_sd = socket(pf, SOCK_STREAM, 0);
309
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
557
311
perror("socket");
561
memset(&to, 0, sizeof(to));
563
to.in6.sin6_family = (uint16_t)af;
564
ret = inet_pton(af, ip, &to.in6.sin6_addr);
566
to.in.sin_family = (sa_family_t)af;
567
ret = inet_pton(af, ip, &to.in.sin_addr);
315
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);
317
perror("setsockopt bindtodevice");
321
memset(&to,0,sizeof(to));
322
to.sin6_family = AF_INET6;
323
ret = inet_pton(AF_INET6, ip, &ip_addr);
570
325
perror("inet_pton");
574
329
fprintf(stderr, "Bad address: %s\n", ip);
578
to.in6.sin6_port = htons(port); /* Spurious warnings from
580
-Wunreachable-code */
582
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
583
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
585
if(if_index == AVAHI_IF_UNSPEC){
586
fprintf(stderr, "An IPv6 link-local address is incomplete"
587
" without a network interface\n");
590
/* Set the network interface number as scope */
591
to.in6.sin6_scope_id = (uint32_t)if_index;
594
to.in.sin_port = htons(port); /* Spurious warnings from
596
-Wunreachable-code */
600
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
601
char interface[IF_NAMESIZE];
602
if(if_indextoname((unsigned int)if_index, interface) == NULL){
603
perror("if_indextoname");
605
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
606
ip, interface, port);
609
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
612
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
613
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
616
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
619
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
625
if(strcmp(addrstr, ip) != 0){
626
fprintf(stderr, "Canonical address form: %s\n", addrstr);
632
ret = connect(tcp_sd, &to.in6, sizeof(to));
634
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
332
to.sin6_port = htons(port);
333
to.sin6_scope_id = if_nametoindex("eth0");
335
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
637
337
perror("connect");
641
const char *out = mandos_protocol_version;
341
ret = initgnutls (&es);
348
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
350
ret = gnutls_handshake (es.session);
352
if (ret != GNUTLS_E_SUCCESS){
353
fprintf(stderr, "\n*** Handshake failed ***\n");
644
size_t out_size = strlen(out);
645
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
646
out_size - written));
652
written += (size_t)ret;
653
if(written < out_size){
656
if(out == mandos_protocol_version){
361
if (buffer_length + BUFFER_SIZE > buffer_capacity){
362
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
666
fprintf(stderr, "Establishing TLS session with %s\n", ip);
669
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
672
ret = gnutls_handshake(session);
673
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
675
if(ret != GNUTLS_E_SUCCESS){
677
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
684
/* Read OpenPGP packet that contains the wanted password */
687
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
692
buffer_capacity = incbuffer(&buffer, buffer_length,
694
if(buffer_capacity == 0){
367
buffer_capacity += BUFFER_SIZE;
700
sret = gnutls_record_recv(session, buffer+buffer_length,
370
ret = gnutls_record_recv
371
(es.session, buffer+buffer_length, BUFFER_SIZE);
707
377
case GNUTLS_E_INTERRUPTED:
708
378
case GNUTLS_E_AGAIN:
710
380
case GNUTLS_E_REHANDSHAKE:
712
ret = gnutls_handshake(session);
713
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
715
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
381
ret = gnutls_handshake (es.session);
383
fprintf(stderr, "\n*** Handshake failed ***\n");
722
fprintf(stderr, "Unknown error while reading data from"
723
" encrypted session with Mandos server\n");
390
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
725
gnutls_bye(session, GNUTLS_SHUT_RDWR);
392
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
729
buffer_length += (size_t) sret;
396
buffer_length += ret;
734
fprintf(stderr, "Closing TLS session\n");
737
gnutls_bye(session, GNUTLS_SHUT_RDWR);
739
if(buffer_length > 0){
740
decrypted_buffer_size = pgp_packet_decrypt(buffer,
743
if(decrypted_buffer_size >= 0){
745
while(written < (size_t) decrypted_buffer_size){
746
ret = (int)fwrite(decrypted_buffer + written, 1,
747
(size_t)decrypted_buffer_size - written,
749
if(ret == 0 and ferror(stdout)){
751
fprintf(stderr, "Error writing encrypted data: %s\n",
757
written += (size_t)ret;
400
if (buffer_length > 0){
401
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){
404
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
759
405
free(decrypted_buffer);
767
/* Shutdown procedure */
771
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
775
gnutls_deinit(session);
412
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
415
gnutls_deinit (es.session);
416
gnutls_certificate_free_credentials (es.cred);
417
gnutls_global_deinit ();
779
static void resolve_callback(AvahiSServiceResolver *r,
780
AvahiIfIndex interface,
782
AvahiResolverEvent event,
786
const char *host_name,
787
const AvahiAddress *address,
789
AVAHI_GCC_UNUSED AvahiStringList *txt,
790
AVAHI_GCC_UNUSED AvahiLookupResultFlags
792
AVAHI_GCC_UNUSED void* userdata){
795
/* Called whenever a service has been resolved successfully or
800
case AVAHI_RESOLVER_FAILURE:
801
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
802
" of type '%s' in domain '%s': %s\n", name, type, domain,
803
avahi_strerror(avahi_server_errno(mc.server)));
806
case AVAHI_RESOLVER_FOUND:
808
char ip[AVAHI_ADDRESS_STR_MAX];
809
avahi_address_snprint(ip, sizeof(ip), address);
811
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
812
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
813
ip, (intmax_t)interface, port);
815
int ret = start_mandos_communication(ip, port, interface,
816
avahi_proto_to_af(proto));
818
avahi_simple_poll_quit(mc.simple_poll);
822
avahi_s_service_resolver_free(r);
825
static void browse_callback(AvahiSServiceBrowser *b,
826
AvahiIfIndex interface,
827
AvahiProtocol protocol,
828
AvahiBrowserEvent event,
832
AVAHI_GCC_UNUSED AvahiLookupResultFlags
834
AVAHI_GCC_UNUSED void* userdata){
837
/* Called whenever a new services becomes available on the LAN or
838
is removed from the LAN */
842
case AVAHI_BROWSER_FAILURE:
844
fprintf(stderr, "(Avahi browser) %s\n",
845
avahi_strerror(avahi_server_errno(mc.server)));
846
avahi_simple_poll_quit(mc.simple_poll);
849
case AVAHI_BROWSER_NEW:
850
/* We ignore the returned Avahi resolver object. In the callback
851
function we free it. If the Avahi server is terminated before
852
the callback function is called the Avahi server will free the
855
if(!(avahi_s_service_resolver_new(mc.server, interface,
856
protocol, name, type, domain,
857
AVAHI_PROTO_INET6, 0,
858
resolve_callback, NULL)))
859
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
860
name, avahi_strerror(avahi_server_errno(mc.server)));
863
case AVAHI_BROWSER_REMOVE:
866
case AVAHI_BROWSER_ALL_FOR_NOW:
867
case AVAHI_BROWSER_CACHE_EXHAUSTED:
869
fprintf(stderr, "No Mandos server found, still searching...\n");
875
sig_atomic_t quit_now = 0;
877
static void handle_sigterm(__attribute__((unused)) int sig){
882
int old_errno = errno;
883
if(mc.simple_poll != NULL){
884
avahi_simple_poll_quit(mc.simple_poll);
889
int main(int argc, char *argv[]){
890
AvahiSServiceBrowser *sb = NULL;
895
int exitcode = EXIT_SUCCESS;
896
const char *interface = "eth0";
897
struct ifreq network;
901
char *connect_to = NULL;
902
char tempdir[] = "/tmp/mandosXXXXXX";
903
bool tempdir_created = false;
904
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
905
const char *seckey = PATHDIR "/" SECKEY;
906
const char *pubkey = PATHDIR "/" PUBKEY;
908
/* Initialize Mandos context */
909
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
910
.dh_bits = 1024, .priority = "SECURE256"
911
":!CTYPE-X.509:+CTYPE-OPENPGP" };
912
bool gnutls_initialized = false;
913
bool gpgme_initialized = false;
916
struct sigaction old_sigterm_action;
917
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
920
struct argp_option options[] = {
921
{ .name = "debug", .key = 128,
922
.doc = "Debug mode", .group = 3 },
923
{ .name = "connect", .key = 'c',
924
.arg = "ADDRESS:PORT",
925
.doc = "Connect directly to a specific Mandos server",
927
{ .name = "interface", .key = 'i',
929
.doc = "Network interface that will be used to search for"
932
{ .name = "seckey", .key = 's',
934
.doc = "OpenPGP secret key file base name",
936
{ .name = "pubkey", .key = 'p',
938
.doc = "OpenPGP public key file base name",
940
{ .name = "dh-bits", .key = 129,
942
.doc = "Bit length of the prime number used in the"
943
" Diffie-Hellman key exchange",
945
{ .name = "priority", .key = 130,
947
.doc = "GnuTLS priority string for the TLS handshake",
949
{ .name = "delay", .key = 131,
951
.doc = "Maximum delay to wait for interface startup",
956
error_t parse_opt(int key, char *arg,
957
struct argp_state *state){
959
case 128: /* --debug */
962
case 'c': /* --connect */
965
case 'i': /* --interface */
968
case 's': /* --seckey */
971
case 'p': /* --pubkey */
974
case 129: /* --dh-bits */
975
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
976
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
977
or arg[numchars] != '\0'){
978
fprintf(stderr, "Bad number of DH bits\n");
981
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
983
case 130: /* --priority */
986
case 131: /* --delay */
987
ret = sscanf(arg, "%lf%n", &delay, &numchars);
988
if(ret < 1 or arg[numchars] != '\0'){
989
fprintf(stderr, "Bad delay\n");
998
return ARGP_ERR_UNKNOWN;
1003
struct argp argp = { .options = options, .parser = parse_opt,
1005
.doc = "Mandos client -- Get and decrypt"
1006
" passwords from a Mandos server" };
1007
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
1008
if(ret == ARGP_ERR_UNKNOWN){
1009
fprintf(stderr, "Unknown error while parsing arguments\n");
1010
exitcode = EXIT_FAILURE;
1015
/* If the interface is down, bring it up */
1016
if(interface[0] != '\0'){
1018
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1019
messages to mess up the prompt */
1020
ret = klogctl(8, NULL, 5);
1021
bool restore_loglevel = true;
1023
restore_loglevel = false;
1026
#endif /* __linux__ */
1028
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1031
exitcode = EXIT_FAILURE;
1033
if(restore_loglevel){
1034
ret = klogctl(7, NULL, 0);
1039
#endif /* __linux__ */
1042
strcpy(network.ifr_name, interface);
1043
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1045
perror("ioctl SIOCGIFFLAGS");
1047
if(restore_loglevel){
1048
ret = klogctl(7, NULL, 0);
1053
#endif /* __linux__ */
1054
exitcode = EXIT_FAILURE;
1057
if((network.ifr_flags & IFF_UP) == 0){
1058
network.ifr_flags |= IFF_UP;
1059
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1061
perror("ioctl SIOCSIFFLAGS");
1062
exitcode = EXIT_FAILURE;
1064
if(restore_loglevel){
1065
ret = klogctl(7, NULL, 0);
1070
#endif /* __linux__ */
1074
/* sleep checking until interface is running */
1075
for(int i=0; i < delay * 4; i++){
1076
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1078
perror("ioctl SIOCGIFFLAGS");
1079
} else if(network.ifr_flags & IFF_RUNNING){
1082
struct timespec sleeptime = { .tv_nsec = 250000000 };
1083
ret = nanosleep(&sleeptime, NULL);
1084
if(ret == -1 and errno != EINTR){
1085
perror("nanosleep");
1088
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1093
if(restore_loglevel){
1094
/* Restores kernel loglevel to default */
1095
ret = klogctl(7, NULL, 0);
1100
#endif /* __linux__ */
1117
ret = init_gnutls_global(pubkey, seckey);
1119
fprintf(stderr, "init_gnutls_global failed\n");
1120
exitcode = EXIT_FAILURE;
1123
gnutls_initialized = true;
1126
if(mkdtemp(tempdir) == NULL){
1130
tempdir_created = true;
1132
if(not init_gpgme(pubkey, seckey, tempdir)){
1133
fprintf(stderr, "init_gpgme failed\n");
1134
exitcode = EXIT_FAILURE;
1137
gpgme_initialized = true;
1140
if(interface[0] != '\0'){
1141
if_index = (AvahiIfIndex) if_nametoindex(interface);
1143
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1144
exitcode = EXIT_FAILURE;
1149
if(connect_to != NULL){
1150
/* Connect directly, do not use Zeroconf */
1151
/* (Mainly meant for debugging) */
1152
char *address = strrchr(connect_to, ':');
1153
if(address == NULL){
1154
fprintf(stderr, "No colon in address\n");
1155
exitcode = EXIT_FAILURE;
1159
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1160
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1161
or address[numchars+1] != '\0'){
1162
fprintf(stderr, "Bad port number\n");
1163
exitcode = EXIT_FAILURE;
1166
port = (uint16_t)tmpmax;
1168
address = connect_to;
1169
/* Colon in address indicates IPv6 */
1171
if(strchr(address, ':') != NULL){
1176
ret = start_mandos_communication(address, port, if_index, af);
1178
exitcode = EXIT_FAILURE;
1180
exitcode = EXIT_SUCCESS;
421
static AvahiSimplePoll *simple_poll = NULL;
422
static AvahiServer *server = NULL;
424
static void resolve_callback(
425
AvahiSServiceResolver *r,
426
AVAHI_GCC_UNUSED AvahiIfIndex interface,
427
AVAHI_GCC_UNUSED AvahiProtocol protocol,
428
AvahiResolverEvent event,
432
const char *host_name,
433
const AvahiAddress *address,
435
AvahiStringList *txt,
436
AvahiLookupResultFlags flags,
437
AVAHI_GCC_UNUSED void* userdata) {
441
/* Called whenever a service has been resolved successfully or timed out */
444
case AVAHI_RESOLVER_FAILURE:
445
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
448
case AVAHI_RESOLVER_FOUND: {
449
char ip[AVAHI_ADDRESS_STR_MAX];
450
avahi_address_snprint(ip, sizeof(ip), address);
451
int ret = start_mandos_communcation(ip, port);
459
avahi_s_service_resolver_free(r);
462
static void browse_callback(
463
AvahiSServiceBrowser *b,
464
AvahiIfIndex interface,
465
AvahiProtocol protocol,
466
AvahiBrowserEvent event,
470
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
473
AvahiServer *s = userdata;
476
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
480
case AVAHI_BROWSER_FAILURE:
482
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
483
avahi_simple_poll_quit(simple_poll);
486
case AVAHI_BROWSER_NEW:
487
/* We ignore the returned resolver object. In the callback
488
function we free it. If the server is terminated before
489
the callback function is called the server will free
490
the resolver for us. */
492
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
493
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
497
case AVAHI_BROWSER_REMOVE:
500
case AVAHI_BROWSER_ALL_FOR_NOW:
501
case AVAHI_BROWSER_CACHE_EXHAUSTED:
506
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
507
AvahiServerConfig config;
508
AvahiSServiceBrowser *sb = NULL;
1186
512
avahi_set_log_function(empty_log);
1189
/* Initialize the pseudo-RNG for Avahi */
1190
srand((unsigned int) time(NULL));
1192
/* Allocate main Avahi loop object */
1193
mc.simple_poll = avahi_simple_poll_new();
1194
if(mc.simple_poll == NULL){
1195
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1196
exitcode = EXIT_FAILURE;
1201
AvahiServerConfig config;
1202
/* Do not publish any local Zeroconf records */
514
/* Initialize the psuedo-RNG */
517
/* Allocate main loop object */
518
if (!(simple_poll = avahi_simple_poll_new())) {
519
fprintf(stderr, "Failed to create simple poll object.\n");
523
/* Do not publish any local records */
1203
524
avahi_server_config_init(&config);
1204
525
config.publish_hinfo = 0;
1205
526
config.publish_addresses = 0;
1206
527
config.publish_workstation = 0;
1207
528
config.publish_domain = 0;
530
/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */
531
/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */
532
/* config.n_wide_area_servers = 1; */
533
/* config.enable_wide_area = 1; */
1209
535
/* Allocate a new server */
1210
mc.server = avahi_server_new(avahi_simple_poll_get
1211
(mc.simple_poll), &config, NULL,
1214
/* Free the Avahi configuration data */
536
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
538
/* Free the configuration data */
1215
539
avahi_server_config_free(&config);
1218
/* Check if creating the Avahi server object succeeded */
1219
if(mc.server == NULL){
1220
fprintf(stderr, "Failed to create Avahi server: %s\n",
1221
avahi_strerror(error));
1222
exitcode = EXIT_FAILURE;
1226
/* Create the Avahi service browser */
1227
sb = avahi_s_service_browser_new(mc.server, if_index,
1228
AVAHI_PROTO_INET6, "_mandos._tcp",
1229
NULL, 0, browse_callback, NULL);
1231
fprintf(stderr, "Failed to create service browser: %s\n",
1232
avahi_strerror(avahi_server_errno(mc.server)));
1233
exitcode = EXIT_FAILURE;
1237
sigemptyset(&sigterm_action.sa_mask);
1238
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1240
perror("sigaddset");
1241
exitcode = EXIT_FAILURE;
1244
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1246
perror("sigaddset");
1247
exitcode = EXIT_FAILURE;
1250
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1252
perror("sigaddset");
1253
exitcode = EXIT_FAILURE;
1256
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1258
perror("sigaction");
1259
exitcode = EXIT_FAILURE;
1263
/* Run the main loop */
1266
fprintf(stderr, "Starting Avahi loop search\n");
1269
avahi_simple_poll_loop(mc.simple_poll);
1274
fprintf(stderr, "%s exiting\n", argv[0]);
1277
/* Cleanup things */
1279
avahi_s_service_browser_free(sb);
1281
if(mc.server != NULL)
1282
avahi_server_free(mc.server);
1284
if(mc.simple_poll != NULL)
1285
avahi_simple_poll_free(mc.simple_poll);
1287
if(gnutls_initialized){
1288
gnutls_certificate_free_credentials(mc.cred);
1289
gnutls_global_deinit();
1290
gnutls_dh_params_deinit(mc.dh_params);
1293
if(gpgme_initialized){
1294
gpgme_release(mc.ctx);
1297
/* Removes the temp directory used by GPGME */
1298
if(tempdir_created){
1300
struct dirent *direntry;
1301
d = opendir(tempdir);
1303
if(errno != ENOENT){
1308
direntry = readdir(d);
1309
if(direntry == NULL){
1312
/* Skip "." and ".." */
1313
if(direntry->d_name[0] == '.'
1314
and (direntry->d_name[1] == '\0'
1315
or (direntry->d_name[1] == '.'
1316
and direntry->d_name[2] == '\0'))){
1319
char *fullname = NULL;
1320
ret = asprintf(&fullname, "%s/%s", tempdir,
1326
ret = remove(fullname);
1328
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1335
ret = rmdir(tempdir);
1336
if(ret == -1 and errno != ENOENT){
541
/* Check wether creating the server object succeeded */
543
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
547
/* Create the service browser */
548
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
549
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
553
/* Run the main loop */
554
avahi_simple_poll_loop(simple_poll);
562
avahi_s_service_browser_free(sb);
565
avahi_server_free(server);
568
avahi_simple_poll_free(simple_poll);