To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 15.1.4
- compare with another revision
- download diff
- download tarball
- view history from revision 15.1.4
- Committer: Björn Påhlsson
- Date: 2008-07-21 19:15:06 UTC
- mfrom: (19 mandos)
- mto: This revision was merged to the branch mainline in revision 22.
- Revision ID: belorn@braxen-20080721191506-f4av11wlu2cmmeid
merge
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
14
*
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
19
*
20
* This program is distributed in the hope that it will be useful, but
21
* WITHOUT ANY WARRANTY; without even the implied warranty of
22
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23
* General Public License for more details.
24
*
25
* You should have received a copy of the GNU General Public License
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
28
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
*/
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
31
19
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
34
20
#define _LARGEFILE_SOURCE
35
#endif
36
#ifndef _FILE_OFFSET_BITS
37
21
#define _FILE_OFFSET_BITS 64
38
#endif
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open() */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect() */
59
#include <fcntl.h> /* open() */
60
#include <dirent.h> /* opendir(), struct dirent, readdir()
61
*/
62
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
63
strtoimax() */
64
#include <assert.h> /* assert() */
65
#include <errno.h> /* perror(), errno */
66
#include <time.h> /* nanosleep(), time() */
67
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
68
SIOCSIFFLAGS, if_indextoname(),
69
if_nametoindex(), IF_NAMESIZE */
70
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
71
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
72
*/
73
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
74
getuid(), getgid(), seteuid(),
75
setgid(), pause() */
76
#include <arpa/inet.h> /* inet_pton(), htons */
77
#include <iso646.h> /* not, or, and */
78
#include <argp.h> /* struct argp_option, error_t, struct
79
argp_state, struct argp,
80
argp_parse(), ARGP_KEY_ARG,
81
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
82
#include <signal.h> /* sigemptyset(), sigaddset(),
83
sigaction(), SIGTERM, sig_atomic_t,
84
raise() */
85
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
86
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
87
88
#ifdef __linux__
89
#include <sys/klog.h> /* klogctl() */
90
#endif /* __linux__ */
91
92
/* Avahi */
93
/* All Avahi types, constants and functions
94
Avahi*, avahi_*,
95
AVAHI_* */
22
23
#include <stdio.h>
24
#include <assert.h>
25
#include <stdlib.h>
26
#include <time.h>
27
#include <net/if.h> /* if_nametoindex */
28
96
29
#include <avahi-core/core.h>
97
30
#include <avahi-core/lookup.h>
98
31
#include <avahi-core/log.h>
100
33
#include <avahi-common/malloc.h>
101
34
#include <avahi-common/error.h>
102
35
103
/* GnuTLS */
104
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
105
functions:
106
gnutls_*
107
init_gnutls_session(),
108
GNUTLS_* */
109
#include <gnutls/openpgp.h>
110
/* gnutls_certificate_set_openpgp_key_file(),
111
GNUTLS_OPENPGP_FMT_BASE64 */
112
113
/* GPGME */
114
#include <gpgme.h> /* All GPGME types, constants and
115
functions:
116
gpgme_*
117
GPGME_PROTOCOL_OpenPGP,
118
GPG_ERR_NO_* */
119
36
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
41
42
#include <unistd.h> /* close() */
43
#include <netinet/in.h>
44
#include <stdbool.h> /* true */
45
#include <string.h> /* memset */
46
#include <arpa/inet.h> /* inet_pton() */
47
#include <iso646.h> /* not */
48
49
// gpgme
50
#include <errno.h> /* perror() */
51
#include <gpgme.h>
52
53
// getopt long
54
#include <getopt.h>
55
56
#ifndef CERT_ROOT
57
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
58
#endif
59
#define CERTFILE CERT_ROOT "openpgp-client.txt"
60
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
120
61
#define BUFFER_SIZE 256
121
122
#define PATHDIR "/conf/conf.d/mandos"
123
#define SECKEY "seckey.txt"
124
#define PUBKEY "pubkey.txt"
62
#define DH_BITS 1024
125
63
126
64
bool debug = false;
127
static const char mandos_protocol_version[] = "1";
128
const char *argp_program_version = "mandos-client " VERSION;
129
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
65
char *interface = "eth0";
130
66
131
/* Used for passing in values through the Avahi callback functions */
132
67
typedef struct {
133
AvahiSimplePoll *simple_poll;
134
AvahiServer *server;
68
gnutls_session_t session;
135
69
gnutls_certificate_credentials_t cred;
136
unsigned int dh_bits;
137
70
gnutls_dh_params_t dh_params;
138
const char *priority;
71
} encrypted_session;
72
73
74
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
75
gpgme_data_t dh_crypto, dh_plain;
139
76
gpgme_ctx_t ctx;
140
} mandos_context;
141
142
/* global context so signal handler can reach it*/
143
mandos_context mc = { .simple_poll = NULL, .server = NULL,
144
.dh_bits = 1024, .priority = "SECURE256"
145
":!CTYPE-X.509:+CTYPE-OPENPGP" };
146
147
sig_atomic_t quit_now = 0;
148
int signal_received = 0;
149
150
/*
151
* Make additional room in "buffer" for at least BUFFER_SIZE more
152
* bytes. "buffer_capacity" is how much is currently allocated,
153
* "buffer_length" is how much is already used.
154
*/
155
size_t incbuffer(char **buffer, size_t buffer_length,
156
size_t buffer_capacity){
157
if(buffer_length + BUFFER_SIZE > buffer_capacity){
158
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
159
if(buffer == NULL){
160
return 0;
161
}
162
buffer_capacity += BUFFER_SIZE;
163
}
164
return buffer_capacity;
165
}
166
167
/*
168
* Initialize GPGME.
169
*/
170
static bool init_gpgme(const char *seckey,
171
const char *pubkey, const char *tempdir){
172
77
gpgme_error_t rc;
78
ssize_t ret;
79
size_t new_packet_capacity = 0;
80
size_t new_packet_length = 0;
173
81
gpgme_engine_info_t engine_info;
174
175
176
/*
177
* Helper function to insert pub and seckey to the engine keyring.
178
*/
179
bool import_key(const char *filename){
180
int ret;
181
int fd;
182
gpgme_data_t pgp_data;
183
184
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
185
if(fd == -1){
186
perror("open");
187
return false;
188
}
189
190
rc = gpgme_data_new_from_fd(&pgp_data, fd);
191
if(rc != GPG_ERR_NO_ERROR){
192
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
193
gpgme_strsource(rc), gpgme_strerror(rc));
194
return false;
195
}
196
197
rc = gpgme_op_import(mc.ctx, pgp_data);
198
if(rc != GPG_ERR_NO_ERROR){
199
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
200
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
202
}
203
204
ret = (int)TEMP_FAILURE_RETRY(close(fd));
205
if(ret == -1){
206
perror("close");
207
}
208
gpgme_data_release(pgp_data);
209
return true;
210
}
211
212
if(debug){
213
fprintf(stderr, "Initializing GPGME\n");
82
83
if (debug){
84
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
214
85
}
215
86
216
87
/* Init GPGME */
217
88
gpgme_check_version(NULL);
218
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
219
if(rc != GPG_ERR_NO_ERROR){
220
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
221
gpgme_strsource(rc), gpgme_strerror(rc));
222
return false;
223
}
89
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
224
90
225
/* Set GPGME home directory for the OpenPGP engine only */
226
rc = gpgme_get_engine_info(&engine_info);
227
if(rc != GPG_ERR_NO_ERROR){
91
/* Set GPGME home directory */
92
rc = gpgme_get_engine_info (&engine_info);
93
if (rc != GPG_ERR_NO_ERROR){
228
94
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
229
95
gpgme_strsource(rc), gpgme_strerror(rc));
230
return false;
96
return -1;
231
97
}
232
98
while(engine_info != NULL){
233
99
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
234
100
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
235
engine_info->file_name, tempdir);
101
engine_info->file_name, homedir);
236
102
break;
237
103
}
238
104
engine_info = engine_info->next;
239
105
}
240
106
if(engine_info == NULL){
241
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
242
return false;
243
}
244
245
/* Create new GPGME "context" */
246
rc = gpgme_new(&(mc.ctx));
247
if(rc != GPG_ERR_NO_ERROR){
248
fprintf(stderr, "bad gpgme_new: %s: %s\n",
249
gpgme_strsource(rc), gpgme_strerror(rc));
250
return false;
251
}
252
253
if(not import_key(pubkey) or not import_key(seckey)){
254
return false;
255
}
256
257
return true;
258
}
259
260
/*
261
* Decrypt OpenPGP data.
262
* Returns -1 on error
263
*/
264
static ssize_t pgp_packet_decrypt(const char *cryptotext,
265
size_t crypto_size,
266
char **plaintext){
267
gpgme_data_t dh_crypto, dh_plain;
268
gpgme_error_t rc;
269
ssize_t ret;
270
size_t plaintext_capacity = 0;
271
ssize_t plaintext_length = 0;
272
273
if(debug){
274
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
275
}
276
277
/* Create new GPGME data buffer from memory cryptotext */
278
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
279
0);
280
if(rc != GPG_ERR_NO_ERROR){
107
fprintf(stderr, "Could not set home dir to %s\n", homedir);
108
return -1;
109
}
110
111
/* Create new GPGME data buffer from packet buffer */
112
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
113
if (rc != GPG_ERR_NO_ERROR){
281
114
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
282
115
gpgme_strsource(rc), gpgme_strerror(rc));
283
116
return -1;
285
118
286
119
/* Create new empty GPGME data buffer for the plaintext */
287
120
rc = gpgme_data_new(&dh_plain);
288
if(rc != GPG_ERR_NO_ERROR){
121
if (rc != GPG_ERR_NO_ERROR){
289
122
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
290
123
gpgme_strsource(rc), gpgme_strerror(rc));
291
gpgme_data_release(dh_crypto);
292
return -1;
293
}
294
295
/* Decrypt data from the cryptotext data buffer to the plaintext
296
data buffer */
297
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
298
if(rc != GPG_ERR_NO_ERROR){
124
return -1;
125
}
126
127
/* Create new GPGME "context" */
128
rc = gpgme_new(&ctx);
129
if (rc != GPG_ERR_NO_ERROR){
130
fprintf(stderr, "bad gpgme_new: %s: %s\n",
131
gpgme_strsource(rc), gpgme_strerror(rc));
132
return -1;
133
}
134
135
/* Decrypt data from the FILE pointer to the plaintext data buffer */
136
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
137
if (rc != GPG_ERR_NO_ERROR){
299
138
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
300
139
gpgme_strsource(rc), gpgme_strerror(rc));
301
plaintext_length = -1;
302
if(debug){
303
gpgme_decrypt_result_t result;
304
result = gpgme_op_decrypt_result(mc.ctx);
305
if(result == NULL){
306
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
307
} else {
308
fprintf(stderr, "Unsupported algorithm: %s\n",
309
result->unsupported_algorithm);
310
fprintf(stderr, "Wrong key usage: %u\n",
311
result->wrong_key_usage);
312
if(result->file_name != NULL){
313
fprintf(stderr, "File name: %s\n", result->file_name);
314
}
315
gpgme_recipient_t recipient;
316
recipient = result->recipients;
140
return -1;
141
}
142
143
if(debug){
144
fprintf(stderr, "decryption of gpg packet succeeded\n");
145
}
146
147
if (debug){
148
gpgme_decrypt_result_t result;
149
result = gpgme_op_decrypt_result(ctx);
150
if (result == NULL){
151
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
152
} else {
153
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
154
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
155
if(result->file_name != NULL){
156
fprintf(stderr, "File name: %s\n", result->file_name);
157
}
158
gpgme_recipient_t recipient;
159
recipient = result->recipients;
160
if(recipient){
317
161
while(recipient != NULL){
318
162
fprintf(stderr, "Public key algorithm: %s\n",
319
163
gpgme_pubkey_algo_name(recipient->pubkey_algo));
320
164
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
321
165
fprintf(stderr, "Secret key available: %s\n",
322
recipient->status == GPG_ERR_NO_SECKEY
323
? "No" : "Yes");
166
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
324
167
recipient = recipient->next;
325
168
}
326
169
}
327
170
}
328
goto decrypt_end;
329
171
}
330
172
331
if(debug){
332
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
333
}
173
/* Delete the GPGME FILE pointer cryptotext data buffer */
174
gpgme_data_release(dh_crypto);
334
175
335
176
/* Seek back to the beginning of the GPGME plaintext data buffer */
336
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
337
perror("gpgme_data_seek");
338
plaintext_length = -1;
339
goto decrypt_end;
340
}
341
342
*plaintext = NULL;
177
gpgme_data_seek(dh_plain, 0, SEEK_SET);
178
179
*new_packet = 0;
343
180
while(true){
344
plaintext_capacity = incbuffer(plaintext,
345
(size_t)plaintext_length,
346
plaintext_capacity);
347
if(plaintext_capacity == 0){
348
perror("incbuffer");
349
plaintext_length = -1;
350
goto decrypt_end;
181
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
182
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
183
if (*new_packet == NULL){
184
perror("realloc");
185
return -1;
186
}
187
new_packet_capacity += BUFFER_SIZE;
351
188
}
352
189
353
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
354
BUFFER_SIZE);
190
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
355
191
/* Print the data, if any */
356
if(ret == 0){
357
/* EOF */
192
if (ret == 0){
193
/* If password is empty, then a incorrect error will be printed */
358
194
break;
359
195
}
360
196
if(ret < 0){
361
197
perror("gpgme_data_read");
362
plaintext_length = -1;
363
goto decrypt_end;
364
}
365
plaintext_length += ret;
366
}
367
368
if(debug){
369
fprintf(stderr, "Decrypted password is: ");
370
for(ssize_t i = 0; i < plaintext_length; i++){
371
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
372
}
373
fprintf(stderr, "\n");
374
}
375
376
decrypt_end:
377
378
/* Delete the GPGME cryptotext data buffer */
379
gpgme_data_release(dh_crypto);
198
return -1;
199
}
200
new_packet_length += ret;
201
}
202
203
/* FIXME: check characters before printing to screen so to not print
204
terminal control characters */
205
/* if(debug){ */
206
/* fprintf(stderr, "decrypted password is: "); */
207
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
208
/* fprintf(stderr, "\n"); */
209
/* } */
380
210
381
211
/* Delete the GPGME plaintext data buffer */
382
212
gpgme_data_release(dh_plain);
383
return plaintext_length;
213
return new_packet_length;
384
214
}
385
215
386
static const char * safer_gnutls_strerror(int value){
387
const char *ret = gnutls_strerror(value); /* Spurious warning from
388
-Wunreachable-code */
389
if(ret == NULL)
216
static const char * safer_gnutls_strerror (int value) {
217
const char *ret = gnutls_strerror (value);
218
if (ret == NULL)
390
219
ret = "(unknown)";
391
220
return ret;
392
221
}
393
222
394
/* GnuTLS log function callback */
395
static void debuggnutls(__attribute__((unused)) int level,
396
const char* string){
397
fprintf(stderr, "GnuTLS: %s", string);
223
void debuggnutls(int level, const char* string){
224
fprintf(stderr, "%s", string);
398
225
}
399
226
400
static int init_gnutls_global(const char *pubkeyfilename,
401
const char *seckeyfilename){
227
int initgnutls(encrypted_session *es){
228
const char *err;
402
229
int ret;
403
230
404
231
if(debug){
405
fprintf(stderr, "Initializing GnuTLS\n");
232
fprintf(stderr, "Initializing gnutls\n");
406
233
}
234
407
235
408
ret = gnutls_global_init();
409
if(ret != GNUTLS_E_SUCCESS){
410
fprintf(stderr, "GnuTLS global_init: %s\n",
411
safer_gnutls_strerror(ret));
236
if ((ret = gnutls_global_init ())
237
!= GNUTLS_E_SUCCESS) {
238
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
412
239
return -1;
413
240
}
414
415
if(debug){
416
/* "Use a log level over 10 to enable all debugging options."
417
* - GnuTLS manual
418
*/
241
242
if (debug){
419
243
gnutls_global_set_log_level(11);
420
244
gnutls_global_set_log_function(debuggnutls);
421
245
}
422
246
423
/* OpenPGP credentials */
424
gnutls_certificate_allocate_credentials(&mc.cred);
425
if(ret != GNUTLS_E_SUCCESS){
426
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
427
from
428
-Wunreachable-code
429
*/
430
safer_gnutls_strerror(ret));
431
gnutls_global_deinit();
247
248
/* openpgp credentials */
249
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
250
!= GNUTLS_E_SUCCESS) {
251
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
432
252
return -1;
433
253
}
434
254
435
255
if(debug){
436
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
437
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
438
seckeyfilename);
256
fprintf(stderr, "Attempting to use openpgp certificate %s"
257
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
439
258
}
440
259
441
260
ret = gnutls_certificate_set_openpgp_key_file
442
(mc.cred, pubkeyfilename, seckeyfilename,
443
GNUTLS_OPENPGP_FMT_BASE64);
444
if(ret != GNUTLS_E_SUCCESS){
445
fprintf(stderr,
446
"Error[%d] while reading the OpenPGP key pair ('%s',"
447
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
448
fprintf(stderr, "The GnuTLS error is: %s\n",
449
safer_gnutls_strerror(ret));
450
goto globalfail;
451
}
452
453
/* GnuTLS server initialization */
454
ret = gnutls_dh_params_init(&mc.dh_params);
455
if(ret != GNUTLS_E_SUCCESS){
456
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
457
" %s\n", safer_gnutls_strerror(ret));
458
goto globalfail;
459
}
460
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
461
if(ret != GNUTLS_E_SUCCESS){
462
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
463
safer_gnutls_strerror(ret));
464
goto globalfail;
465
}
466
467
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
468
469
return 0;
470
471
globalfail:
472
473
gnutls_certificate_free_credentials(mc.cred);
474
gnutls_global_deinit();
475
gnutls_dh_params_deinit(mc.dh_params);
476
return -1;
477
}
478
479
static int init_gnutls_session(gnutls_session_t *session){
480
int ret;
481
/* GnuTLS session creation */
482
do {
483
ret = gnutls_init(session, GNUTLS_SERVER);
484
if(quit_now){
485
return -1;
486
}
487
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
488
if(ret != GNUTLS_E_SUCCESS){
489
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
490
safer_gnutls_strerror(ret));
491
}
492
493
{
494
const char *err;
495
do {
496
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
497
if(quit_now){
498
gnutls_deinit(*session);
499
return -1;
500
}
501
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
502
if(ret != GNUTLS_E_SUCCESS){
503
fprintf(stderr, "Syntax error at: %s\n", err);
504
fprintf(stderr, "GnuTLS error: %s\n",
505
safer_gnutls_strerror(ret));
506
gnutls_deinit(*session);
507
return -1;
508
}
509
}
510
511
do {
512
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
513
mc.cred);
514
if(quit_now){
515
gnutls_deinit(*session);
516
return -1;
517
}
518
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
519
if(ret != GNUTLS_E_SUCCESS){
520
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
521
safer_gnutls_strerror(ret));
522
gnutls_deinit(*session);
523
return -1;
524
}
525
261
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
262
if (ret != GNUTLS_E_SUCCESS) {
263
fprintf
264
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
265
ret, CERTFILE, KEYFILE);
266
fprintf(stdout, "The Error is: %s\n",
267
safer_gnutls_strerror(ret));
268
return -1;
269
}
270
271
//Gnutls server initialization
272
if ((ret = gnutls_dh_params_init (&es->dh_params))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in dh parameter initialization: %s\n",
275
safer_gnutls_strerror(ret));
276
return -1;
277
}
278
279
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
280
!= GNUTLS_E_SUCCESS) {
281
fprintf (stderr, "Error in prime generation: %s\n",
282
safer_gnutls_strerror(ret));
283
return -1;
284
}
285
286
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
287
288
// Gnutls session creation
289
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
290
!= GNUTLS_E_SUCCESS){
291
fprintf(stderr, "Error in gnutls session initialization: %s\n",
292
safer_gnutls_strerror(ret));
293
}
294
295
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
296
!= GNUTLS_E_SUCCESS) {
297
fprintf(stderr, "Syntax error at: %s\n", err);
298
fprintf(stderr, "Gnutls error: %s\n",
299
safer_gnutls_strerror(ret));
300
return -1;
301
}
302
303
if ((ret = gnutls_credentials_set
304
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
305
!= GNUTLS_E_SUCCESS) {
306
fprintf(stderr, "Error setting a credentials set: %s\n",
307
safer_gnutls_strerror(ret));
308
return -1;
309
}
310
526
311
/* ignore client certificate if any. */
527
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
312
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
528
313
529
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
314
gnutls_dh_set_prime_bits (es->session, DH_BITS);
530
315
531
316
return 0;
532
317
}
533
318
534
/* Avahi log function callback */
535
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
536
__attribute__((unused)) const char *txt){}
319
void empty_log(AvahiLogLevel level, const char *txt){}
537
320
538
/* Called when a Mandos server is found */
539
static int start_mandos_communication(const char *ip, uint16_t port,
540
AvahiIfIndex if_index,
541
int af){
542
int ret, tcp_sd = -1;
543
ssize_t sret;
544
union {
545
struct sockaddr_in in;
546
struct sockaddr_in6 in6;
547
} to;
321
int start_mandos_communication(char *ip, uint16_t port){
322
int ret, tcp_sd;
323
struct sockaddr_in6 to;
324
encrypted_session es;
548
325
char *buffer = NULL;
549
char *decrypted_buffer = NULL;
326
char *decrypted_buffer;
550
327
size_t buffer_length = 0;
551
328
size_t buffer_capacity = 0;
552
size_t written;
553
int retval = -1;
554
gnutls_session_t session;
555
int pf; /* Protocol family */
556
557
errno = 0;
558
559
if(quit_now){
560
errno = EINTR;
561
return -1;
562
}
563
564
switch(af){
565
case AF_INET6:
566
pf = PF_INET6;
567
break;
568
case AF_INET:
569
pf = PF_INET;
570
break;
571
default:
572
fprintf(stderr, "Bad address family: %d\n", af);
573
errno = EINVAL;
574
return -1;
575
}
576
577
ret = init_gnutls_session(&session);
578
if(ret != 0){
579
return -1;
580
}
581
329
ssize_t decrypted_buffer_size;
330
int retval = 0;
331
582
332
if(debug){
583
fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16
584
"\n", ip, port);
333
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
585
334
}
586
335
587
tcp_sd = socket(pf, SOCK_STREAM, 0);
588
if(tcp_sd < 0){
589
int e = errno;
336
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
337
if(tcp_sd < 0) {
590
338
perror("socket");
591
errno = e;
592
goto mandos_end;
593
}
594
595
if(quit_now){
596
errno = EINTR;
597
goto mandos_end;
598
}
599
600
memset(&to, 0, sizeof(to));
601
if(af == AF_INET6){
602
to.in6.sin6_family = (sa_family_t)af;
603
ret = inet_pton(af, ip, &to.in6.sin6_addr);
604
} else { /* IPv4 */
605
to.in.sin_family = (sa_family_t)af;
606
ret = inet_pton(af, ip, &to.in.sin_addr);
607
}
608
if(ret < 0 ){
609
int e = errno;
339
return -1;
340
}
341
342
if(debug){
343
fprintf(stderr, "Binding to interface %s\n", interface);
344
}
345
346
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
347
if(tcp_sd < 0) {
348
perror("setsockopt bindtodevice");
349
return -1;
350
}
351
352
memset(&to,0,sizeof(to));
353
to.sin6_family = AF_INET6;
354
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
355
if (ret < 0 ){
610
356
perror("inet_pton");
611
errno = e;
612
goto mandos_end;
613
}
357
return -1;
358
}
614
359
if(ret == 0){
615
int e = errno;
616
360
fprintf(stderr, "Bad address: %s\n", ip);
617
errno = e;
618
goto mandos_end;
619
}
620
if(af == AF_INET6){
621
to.in6.sin6_port = htons(port); /* Spurious warnings from
622
-Wconversion and
623
-Wunreachable-code */
624
625
if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */
626
(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and
627
-Wunreachable-code*/
628
if(if_index == AVAHI_IF_UNSPEC){
629
fprintf(stderr, "An IPv6 link-local address is incomplete"
630
" without a network interface\n");
631
errno = EINVAL;
632
goto mandos_end;
633
}
634
/* Set the network interface number as scope */
635
to.in6.sin6_scope_id = (uint32_t)if_index;
636
}
637
} else {
638
to.in.sin_port = htons(port); /* Spurious warnings from
639
-Wconversion and
640
-Wunreachable-code */
641
}
642
643
if(quit_now){
644
errno = EINTR;
645
goto mandos_end;
646
}
647
361
return -1;
362
}
363
to.sin6_port = htons(port);
364
to.sin6_scope_id = if_nametoindex(interface);
365
648
366
if(debug){
649
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
650
char interface[IF_NAMESIZE];
651
if(if_indextoname((unsigned int)if_index, interface) == NULL){
652
perror("if_indextoname");
653
} else {
654
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
655
ip, interface, port);
656
}
657
} else {
658
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
659
port);
660
}
661
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
662
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
663
const char *pcret;
664
if(af == AF_INET6){
665
pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,
666
sizeof(addrstr));
667
} else {
668
pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,
669
sizeof(addrstr));
670
}
671
if(pcret == NULL){
672
perror("inet_ntop");
673
} else {
674
if(strcmp(addrstr, ip) != 0){
675
fprintf(stderr, "Canonical address form: %s\n", addrstr);
676
}
677
}
678
}
679
680
if(quit_now){
681
errno = EINTR;
682
goto mandos_end;
683
}
684
685
if(af == AF_INET6){
686
ret = connect(tcp_sd, &to.in6, sizeof(to));
687
} else {
688
ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */
689
}
690
if(ret < 0){
691
int e = errno;
367
fprintf(stderr, "Connection to: %s\n", ip);
368
}
369
370
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
371
if (ret < 0){
692
372
perror("connect");
693
errno = e;
694
goto mandos_end;
695
}
696
697
if(quit_now){
698
errno = EINTR;
699
goto mandos_end;
700
}
701
702
const char *out = mandos_protocol_version;
703
written = 0;
373
return -1;
374
}
375
376
ret = initgnutls (&es);
377
if (ret != 0){
378
retval = -1;
379
return -1;
380
}
381
382
383
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
384
385
if(debug){
386
fprintf(stderr, "Establishing tls session with %s\n", ip);
387
}
388
389
390
ret = gnutls_handshake (es.session);
391
392
if (ret != GNUTLS_E_SUCCESS){
393
fprintf(stderr, "\n*** Handshake failed ***\n");
394
gnutls_perror (ret);
395
retval = -1;
396
goto exit;
397
}
398
399
//Retrieve gpg packet that contains the wanted password
400
401
if(debug){
402
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
403
}
404
704
405
while(true){
705
size_t out_size = strlen(out);
706
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
707
out_size - written));
708
if(ret == -1){
709
int e = errno;
710
perror("write");
711
errno = e;
712
goto mandos_end;
713
}
714
written += (size_t)ret;
715
if(written < out_size){
716
continue;
717
} else {
718
if(out == mandos_protocol_version){
719
written = 0;
720
out = "\r\n";
721
} else {
722
break;
406
if (buffer_length + BUFFER_SIZE > buffer_capacity){
407
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
408
if (buffer == NULL){
409
perror("realloc");
410
goto exit;
723
411
}
724
}
725
726
if(quit_now){
727
errno = EINTR;
728
goto mandos_end;
729
}
730
}
731
732
if(debug){
733
fprintf(stderr, "Establishing TLS session with %s\n", ip);
734
}
735
736
if(quit_now){
737
errno = EINTR;
738
goto mandos_end;
739
}
740
741
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
742
743
if(quit_now){
744
errno = EINTR;
745
goto mandos_end;
746
}
747
748
do {
749
ret = gnutls_handshake(session);
750
if(quit_now){
751
errno = EINTR;
752
goto mandos_end;
753
}
754
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
755
756
if(ret != GNUTLS_E_SUCCESS){
757
if(debug){
758
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
759
gnutls_perror(ret);
760
}
761
errno = EPROTO;
762
goto mandos_end;
763
}
764
765
/* Read OpenPGP packet that contains the wanted password */
766
767
if(debug){
768
fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",
769
ip);
770
}
771
772
while(true){
773
774
if(quit_now){
775
errno = EINTR;
776
goto mandos_end;
777
}
778
779
buffer_capacity = incbuffer(&buffer, buffer_length,
780
buffer_capacity);
781
if(buffer_capacity == 0){
782
int e = errno;
783
perror("incbuffer");
784
errno = e;
785
goto mandos_end;
786
}
787
788
if(quit_now){
789
errno = EINTR;
790
goto mandos_end;
791
}
792
793
sret = gnutls_record_recv(session, buffer+buffer_length,
794
BUFFER_SIZE);
795
if(sret == 0){
412
buffer_capacity += BUFFER_SIZE;
413
}
414
415
ret = gnutls_record_recv
416
(es.session, buffer+buffer_length, BUFFER_SIZE);
417
if (ret == 0){
796
418
break;
797
419
}
798
if(sret < 0){
799
switch(sret){
420
if (ret < 0){
421
switch(ret){
800
422
case GNUTLS_E_INTERRUPTED:
801
423
case GNUTLS_E_AGAIN:
802
424
break;
803
425
case GNUTLS_E_REHANDSHAKE:
804
do {
805
ret = gnutls_handshake(session);
806
807
if(quit_now){
808
errno = EINTR;
809
goto mandos_end;
810
}
811
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
812
if(ret < 0){
813
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
814
gnutls_perror(ret);
815
errno = EPROTO;
816
goto mandos_end;
426
ret = gnutls_handshake (es.session);
427
if (ret < 0){
428
fprintf(stderr, "\n*** Handshake failed ***\n");
429
gnutls_perror (ret);
430
retval = -1;
431
goto exit;
817
432
}
818
433
break;
819
434
default:
820
fprintf(stderr, "Unknown error while reading data from"
821
" encrypted session with Mandos server\n");
822
gnutls_bye(session, GNUTLS_SHUT_RDWR);
823
errno = EIO;
824
goto mandos_end;
825
}
826
} else {
827
buffer_length += (size_t) sret;
828
}
829
}
830
831
if(debug){
832
fprintf(stderr, "Closing TLS session\n");
833
}
834
835
if(quit_now){
836
errno = EINTR;
837
goto mandos_end;
838
}
839
840
do {
841
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
842
if(quit_now){
843
errno = EINTR;
844
goto mandos_end;
845
}
846
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
847
848
if(buffer_length > 0){
849
ssize_t decrypted_buffer_size;
850
decrypted_buffer_size = pgp_packet_decrypt(buffer,
851
buffer_length,
852
&decrypted_buffer);
853
if(decrypted_buffer_size >= 0){
854
855
written = 0;
856
while(written < (size_t) decrypted_buffer_size){
857
if(quit_now){
858
errno = EINTR;
859
goto mandos_end;
860
}
861
862
ret = (int)fwrite(decrypted_buffer + written, 1,
863
(size_t)decrypted_buffer_size - written,
864
stdout);
865
if(ret == 0 and ferror(stdout)){
866
int e = errno;
867
if(debug){
868
fprintf(stderr, "Error writing encrypted data: %s\n",
869
strerror(errno));
870
}
871
errno = e;
872
goto mandos_end;
873
}
874
written += (size_t)ret;
875
}
876
retval = 0;
877
}
878
}
879
880
/* Shutdown procedure */
881
882
mandos_end:
883
{
884
int e = errno;
885
free(decrypted_buffer);
886
free(buffer);
887
if(tcp_sd >= 0){
888
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
889
}
890
if(ret == -1){
891
if(e == 0){
892
e = errno;
893
}
894
perror("close");
895
}
896
gnutls_deinit(session);
897
if(quit_now){
898
e = EINTR;
435
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
436
retval = -1;
437
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
438
goto exit;
439
}
440
} else {
441
buffer_length += ret;
442
}
443
}
444
445
if (buffer_length > 0){
446
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
447
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
448
free(decrypted_buffer);
449
} else {
899
450
retval = -1;
900
451
}
901
errno = e;
902
}
452
}
453
454
//shutdown procedure
455
456
if(debug){
457
fprintf(stderr, "Closing tls session\n");
458
}
459
460
free(buffer);
461
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
462
exit:
463
close(tcp_sd);
464
gnutls_deinit (es.session);
465
gnutls_certificate_free_credentials (es.cred);
466
gnutls_global_deinit ();
903
467
return retval;
904
468
}
905
469
906
static void resolve_callback(AvahiSServiceResolver *r,
907
AvahiIfIndex interface,
908
AvahiProtocol proto,
909
AvahiResolverEvent event,
910
const char *name,
911
const char *type,
912
const char *domain,
913
const char *host_name,
914
const AvahiAddress *address,
915
uint16_t port,
916
AVAHI_GCC_UNUSED AvahiStringList *txt,
917
AVAHI_GCC_UNUSED AvahiLookupResultFlags
918
flags,
919
AVAHI_GCC_UNUSED void* userdata){
920
assert(r);
921
922
/* Called whenever a service has been resolved successfully or
923
timed out */
924
925
if(quit_now){
926
return;
927
}
928
929
switch(event){
930
default:
931
case AVAHI_RESOLVER_FAILURE:
932
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
933
" of type '%s' in domain '%s': %s\n", name, type, domain,
934
avahi_strerror(avahi_server_errno(mc.server)));
935
break;
936
937
case AVAHI_RESOLVER_FOUND:
938
{
939
char ip[AVAHI_ADDRESS_STR_MAX];
940
avahi_address_snprint(ip, sizeof(ip), address);
941
if(debug){
942
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
943
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
944
ip, (intmax_t)interface, port);
945
}
946
int ret = start_mandos_communication(ip, port, interface,
947
avahi_proto_to_af(proto));
948
if(ret == 0){
949
avahi_simple_poll_quit(mc.simple_poll);
950
}
951
}
952
}
953
avahi_s_service_resolver_free(r);
954
}
955
956
static void browse_callback(AvahiSServiceBrowser *b,
957
AvahiIfIndex interface,
958
AvahiProtocol protocol,
959
AvahiBrowserEvent event,
960
const char *name,
961
const char *type,
962
const char *domain,
963
AVAHI_GCC_UNUSED AvahiLookupResultFlags
964
flags,
965
AVAHI_GCC_UNUSED void* userdata){
966
assert(b);
967
968
/* Called whenever a new services becomes available on the LAN or
969
is removed from the LAN */
970
971
if(quit_now){
972
return;
973
}
974
975
switch(event){
976
default:
977
case AVAHI_BROWSER_FAILURE:
978
979
fprintf(stderr, "(Avahi browser) %s\n",
980
avahi_strerror(avahi_server_errno(mc.server)));
981
avahi_simple_poll_quit(mc.simple_poll);
982
return;
983
984
case AVAHI_BROWSER_NEW:
985
/* We ignore the returned Avahi resolver object. In the callback
986
function we free it. If the Avahi server is terminated before
987
the callback function is called the Avahi server will free the
988
resolver for us. */
989
990
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
991
name, type, domain, protocol, 0,
992
resolve_callback, NULL) == NULL)
993
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
994
name, avahi_strerror(avahi_server_errno(mc.server)));
995
break;
996
997
case AVAHI_BROWSER_REMOVE:
998
break;
999
1000
case AVAHI_BROWSER_ALL_FOR_NOW:
1001
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1002
if(debug){
1003
fprintf(stderr, "No Mandos server found, still searching...\n");
1004
}
1005
break;
1006
}
1007
}
1008
1009
/* stop main loop after sigterm has been called */
1010
static void handle_sigterm(int sig){
1011
if(quit_now){
1012
return;
1013
}
1014
quit_now = 1;
1015
signal_received = sig;
1016
int old_errno = errno;
1017
if(mc.simple_poll != NULL){
1018
avahi_simple_poll_quit(mc.simple_poll);
1019
}
1020
errno = old_errno;
1021
}
1022
1023
int main(int argc, char *argv[]){
1024
AvahiSServiceBrowser *sb = NULL;
1025
int error;
1026
int ret;
1027
intmax_t tmpmax;
1028
char *tmp;
1029
int exitcode = EXIT_SUCCESS;
1030
const char *interface = "eth0";
1031
struct ifreq network;
1032
int sd = -1;
1033
bool take_down_interface = false;
1034
uid_t uid;
1035
gid_t gid;
1036
char *connect_to = NULL;
1037
char tempdir[] = "/tmp/mandosXXXXXX";
1038
bool tempdir_created = false;
1039
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1040
const char *seckey = PATHDIR "/" SECKEY;
1041
const char *pubkey = PATHDIR "/" PUBKEY;
1042
1043
bool gnutls_initialized = false;
1044
bool gpgme_initialized = false;
1045
float delay = 2.5f;
1046
1047
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
1048
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1049
1050
uid = getuid();
1051
gid = getgid();
1052
1053
/* Lower any group privileges we might have, just to be safe */
1054
errno = 0;
1055
ret = setgid(gid);
1056
if(ret == -1){
1057
perror("setgid");
1058
}
1059
1060
/* Lower user privileges (temporarily) */
1061
errno = 0;
1062
ret = seteuid(uid);
1063
if(ret == -1){
1064
perror("seteuid");
1065
}
1066
1067
if(quit_now){
1068
goto end;
1069
}
1070
1071
{
1072
struct argp_option options[] = {
1073
{ .name = "debug", .key = 128,
1074
.doc = "Debug mode", .group = 3 },
1075
{ .name = "connect", .key = 'c',
1076
.arg = "ADDRESS:PORT",
1077
.doc = "Connect directly to a specific Mandos server",
1078
.group = 1 },
1079
{ .name = "interface", .key = 'i',
1080
.arg = "NAME",
1081
.doc = "Network interface that will be used to search for"
1082
" Mandos servers",
1083
.group = 1 },
1084
{ .name = "seckey", .key = 's',
1085
.arg = "FILE",
1086
.doc = "OpenPGP secret key file base name",
1087
.group = 1 },
1088
{ .name = "pubkey", .key = 'p',
1089
.arg = "FILE",
1090
.doc = "OpenPGP public key file base name",
1091
.group = 2 },
1092
{ .name = "dh-bits", .key = 129,
1093
.arg = "BITS",
1094
.doc = "Bit length of the prime number used in the"
1095
" Diffie-Hellman key exchange",
1096
.group = 2 },
1097
{ .name = "priority", .key = 130,
1098
.arg = "STRING",
1099
.doc = "GnuTLS priority string for the TLS handshake",
1100
.group = 1 },
1101
{ .name = "delay", .key = 131,
1102
.arg = "SECONDS",
1103
.doc = "Maximum delay to wait for interface startup",
1104
.group = 2 },
1105
/*
1106
* These reproduce what we would get without ARGP_NO_HELP
1107
*/
1108
{ .name = "help", .key = '?',
1109
.doc = "Give this help list", .group = -1 },
1110
{ .name = "usage", .key = -3,
1111
.doc = "Give a short usage message", .group = -1 },
1112
{ .name = "version", .key = 'V',
1113
.doc = "Print program version", .group = -1 },
1114
{ .name = NULL }
1115
};
1116
1117
error_t parse_opt(int key, char *arg,
1118
struct argp_state *state){
1119
errno = 0;
1120
switch(key){
1121
case 128: /* --debug */
1122
debug = true;
1123
break;
1124
case 'c': /* --connect */
1125
connect_to = arg;
1126
break;
1127
case 'i': /* --interface */
1128
interface = arg;
1129
break;
1130
case 's': /* --seckey */
1131
seckey = arg;
1132
break;
1133
case 'p': /* --pubkey */
1134
pubkey = arg;
1135
break;
1136
case 129: /* --dh-bits */
1137
errno = 0;
1138
tmpmax = strtoimax(arg, &tmp, 10);
1139
if(errno != 0 or tmp == arg or *tmp != '\0'
1140
or tmpmax != (typeof(mc.dh_bits))tmpmax){
1141
argp_error(state, "Bad number of DH bits");
1142
}
1143
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
1144
break;
1145
case 130: /* --priority */
1146
mc.priority = arg;
1147
break;
1148
case 131: /* --delay */
1149
errno = 0;
1150
delay = strtof(arg, &tmp);
1151
if(errno != 0 or tmp == arg or *tmp != '\0'){
1152
argp_error(state, "Bad delay");
1153
}
1154
break;
1155
/*
1156
* These reproduce what we would get without ARGP_NO_HELP
1157
*/
1158
case '?': /* --help */
1159
argp_state_help(state, state->out_stream,
1160
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
1161
& ~(unsigned int)ARGP_HELP_EXIT_OK);
1162
case -3: /* --usage */
1163
argp_state_help(state, state->out_stream,
1164
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
1165
case 'V': /* --version */
1166
fprintf(state->out_stream, "%s\n", argp_program_version);
1167
exit(argp_err_exit_status);
1168
break;
1169
default:
1170
return ARGP_ERR_UNKNOWN;
1171
}
1172
return errno;
1173
}
1174
1175
struct argp argp = { .options = options, .parser = parse_opt,
1176
.args_doc = "",
1177
.doc = "Mandos client -- Get and decrypt"
1178
" passwords from a Mandos server" };
1179
ret = argp_parse(&argp, argc, argv,
1180
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
1181
switch(ret){
1182
case 0:
1183
break;
1184
case ENOMEM:
1185
default:
1186
errno = ret;
1187
perror("argp_parse");
1188
exitcode = EX_OSERR;
1189
goto end;
1190
case EINVAL:
1191
exitcode = EX_USAGE;
1192
goto end;
1193
}
1194
}
1195
1196
if(not debug){
1197
avahi_set_log_function(empty_log);
1198
}
1199
1200
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
1201
from the signal handler */
1202
/* Initialize the pseudo-RNG for Avahi */
1203
srand((unsigned int) time(NULL));
1204
mc.simple_poll = avahi_simple_poll_new();
1205
if(mc.simple_poll == NULL){
1206
fprintf(stderr, "Avahi: Failed to create simple poll object.\n");
1207
exitcode = EX_UNAVAILABLE;
1208
goto end;
1209
}
1210
1211
sigemptyset(&sigterm_action.sa_mask);
1212
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
1213
if(ret == -1){
1214
perror("sigaddset");
1215
exitcode = EX_OSERR;
1216
goto end;
1217
}
1218
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
1219
if(ret == -1){
1220
perror("sigaddset");
1221
exitcode = EX_OSERR;
1222
goto end;
1223
}
1224
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1225
if(ret == -1){
1226
perror("sigaddset");
1227
exitcode = EX_OSERR;
1228
goto end;
1229
}
1230
/* Need to check if the handler is SIG_IGN before handling:
1231
| [[info:libc:Initial Signal Actions]] |
1232
| [[info:libc:Basic Signal Handling]] |
1233
*/
1234
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
1235
if(ret == -1){
1236
perror("sigaction");
1237
return EX_OSERR;
1238
}
1239
if(old_sigterm_action.sa_handler != SIG_IGN){
1240
ret = sigaction(SIGINT, &sigterm_action, NULL);
1241
if(ret == -1){
1242
perror("sigaction");
1243
exitcode = EX_OSERR;
1244
goto end;
1245
}
1246
}
1247
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
1248
if(ret == -1){
1249
perror("sigaction");
1250
return EX_OSERR;
1251
}
1252
if(old_sigterm_action.sa_handler != SIG_IGN){
1253
ret = sigaction(SIGHUP, &sigterm_action, NULL);
1254
if(ret == -1){
1255
perror("sigaction");
1256
exitcode = EX_OSERR;
1257
goto end;
1258
}
1259
}
1260
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
1261
if(ret == -1){
1262
perror("sigaction");
1263
return EX_OSERR;
1264
}
1265
if(old_sigterm_action.sa_handler != SIG_IGN){
1266
ret = sigaction(SIGTERM, &sigterm_action, NULL);
1267
if(ret == -1){
1268
perror("sigaction");
1269
exitcode = EX_OSERR;
1270
goto end;
1271
}
1272
}
1273
1274
/* If the interface is down, bring it up */
1275
if(interface[0] != '\0'){
1276
if_index = (AvahiIfIndex) if_nametoindex(interface);
1277
if(if_index == 0){
1278
fprintf(stderr, "No such interface: \"%s\"\n", interface);
1279
exitcode = EX_UNAVAILABLE;
1280
goto end;
1281
}
1282
1283
if(quit_now){
1284
goto end;
1285
}
1286
1287
/* Re-raise priviliges */
1288
errno = 0;
1289
ret = seteuid(0);
1290
if(ret == -1){
1291
perror("seteuid");
1292
}
1293
1294
#ifdef __linux__
1295
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1296
messages about the network interface to mess up the prompt */
1297
ret = klogctl(8, NULL, 5);
1298
bool restore_loglevel = true;
1299
if(ret == -1){
1300
restore_loglevel = false;
1301
perror("klogctl");
1302
}
1303
#endif /* __linux__ */
1304
1305
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1306
if(sd < 0){
1307
perror("socket");
1308
exitcode = EX_OSERR;
1309
#ifdef __linux__
1310
if(restore_loglevel){
1311
ret = klogctl(7, NULL, 0);
1312
if(ret == -1){
1313
perror("klogctl");
1314
}
1315
}
1316
#endif /* __linux__ */
1317
/* Lower privileges */
1318
errno = 0;
1319
ret = seteuid(uid);
1320
if(ret == -1){
1321
perror("seteuid");
1322
}
1323
goto end;
1324
}
1325
strcpy(network.ifr_name, interface);
1326
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1327
if(ret == -1){
1328
perror("ioctl SIOCGIFFLAGS");
1329
#ifdef __linux__
1330
if(restore_loglevel){
1331
ret = klogctl(7, NULL, 0);
1332
if(ret == -1){
1333
perror("klogctl");
1334
}
1335
}
1336
#endif /* __linux__ */
1337
exitcode = EX_OSERR;
1338
/* Lower privileges */
1339
errno = 0;
1340
ret = seteuid(uid);
1341
if(ret == -1){
1342
perror("seteuid");
1343
}
1344
goto end;
1345
}
1346
if((network.ifr_flags & IFF_UP) == 0){
1347
network.ifr_flags |= IFF_UP;
1348
take_down_interface = true;
1349
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1350
if(ret == -1){
1351
take_down_interface = false;
1352
perror("ioctl SIOCSIFFLAGS");
1353
exitcode = EX_OSERR;
1354
#ifdef __linux__
1355
if(restore_loglevel){
1356
ret = klogctl(7, NULL, 0);
1357
if(ret == -1){
1358
perror("klogctl");
1359
}
1360
}
1361
#endif /* __linux__ */
1362
/* Lower privileges */
1363
errno = 0;
1364
ret = seteuid(uid);
1365
if(ret == -1){
1366
perror("seteuid");
1367
}
1368
goto end;
1369
}
1370
}
1371
/* sleep checking until interface is running */
1372
for(int i=0; i < delay * 4; i++){
1373
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1374
if(ret == -1){
1375
perror("ioctl SIOCGIFFLAGS");
1376
} else if(network.ifr_flags & IFF_RUNNING){
1377
break;
1378
}
1379
struct timespec sleeptime = { .tv_nsec = 250000000 };
1380
ret = nanosleep(&sleeptime, NULL);
1381
if(ret == -1 and errno != EINTR){
1382
perror("nanosleep");
1383
}
1384
}
1385
if(not take_down_interface){
1386
/* We won't need the socket anymore */
1387
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1388
if(ret == -1){
1389
perror("close");
1390
}
1391
}
1392
#ifdef __linux__
1393
if(restore_loglevel){
1394
/* Restores kernel loglevel to default */
1395
ret = klogctl(7, NULL, 0);
1396
if(ret == -1){
1397
perror("klogctl");
1398
}
1399
}
1400
#endif /* __linux__ */
1401
/* Lower privileges */
1402
errno = 0;
1403
if(take_down_interface){
1404
/* Lower privileges */
1405
ret = seteuid(uid);
1406
if(ret == -1){
1407
perror("seteuid");
1408
}
1409
} else {
1410
/* Lower privileges permanently */
1411
ret = setuid(uid);
1412
if(ret == -1){
1413
perror("setuid");
1414
}
1415
}
1416
}
1417
1418
if(quit_now){
1419
goto end;
1420
}
1421
1422
ret = init_gnutls_global(pubkey, seckey);
1423
if(ret == -1){
1424
fprintf(stderr, "init_gnutls_global failed\n");
1425
exitcode = EX_UNAVAILABLE;
1426
goto end;
1427
} else {
1428
gnutls_initialized = true;
1429
}
1430
1431
if(quit_now){
1432
goto end;
1433
}
1434
1435
tempdir_created = true;
1436
if(mkdtemp(tempdir) == NULL){
1437
tempdir_created = false;
1438
perror("mkdtemp");
1439
goto end;
1440
}
1441
1442
if(quit_now){
1443
goto end;
1444
}
1445
1446
if(not init_gpgme(pubkey, seckey, tempdir)){
1447
fprintf(stderr, "init_gpgme failed\n");
1448
exitcode = EX_UNAVAILABLE;
1449
goto end;
1450
} else {
1451
gpgme_initialized = true;
1452
}
1453
1454
if(quit_now){
1455
goto end;
1456
}
1457
1458
if(connect_to != NULL){
1459
/* Connect directly, do not use Zeroconf */
1460
/* (Mainly meant for debugging) */
1461
char *address = strrchr(connect_to, ':');
1462
if(address == NULL){
1463
fprintf(stderr, "No colon in address\n");
1464
exitcode = EX_USAGE;
1465
goto end;
1466
}
1467
1468
if(quit_now){
1469
goto end;
1470
}
1471
1472
uint16_t port;
1473
errno = 0;
1474
tmpmax = strtoimax(address+1, &tmp, 10);
1475
if(errno != 0 or tmp == address+1 or *tmp != '\0'
1476
or tmpmax != (uint16_t)tmpmax){
1477
fprintf(stderr, "Bad port number\n");
1478
exitcode = EX_USAGE;
1479
goto end;
1480
}
1481
1482
if(quit_now){
1483
goto end;
1484
}
1485
1486
port = (uint16_t)tmpmax;
1487
*address = '\0';
1488
address = connect_to;
1489
/* Colon in address indicates IPv6 */
1490
int af;
1491
if(strchr(address, ':') != NULL){
1492
af = AF_INET6;
1493
} else {
1494
af = AF_INET;
1495
}
1496
1497
if(quit_now){
1498
goto end;
1499
}
1500
1501
ret = start_mandos_communication(address, port, if_index, af);
1502
if(ret < 0){
1503
switch(errno){
1504
case ENETUNREACH:
1505
case EHOSTDOWN:
1506
case EHOSTUNREACH:
1507
exitcode = EX_NOHOST;
1508
break;
1509
case EINVAL:
1510
exitcode = EX_USAGE;
1511
break;
1512
case EIO:
1513
exitcode = EX_IOERR;
1514
break;
1515
case EPROTO:
1516
exitcode = EX_PROTOCOL;
1517
break;
1518
default:
1519
exitcode = EX_OSERR;
1520
break;
1521
}
1522
} else {
1523
exitcode = EXIT_SUCCESS;
1524
}
1525
goto end;
1526
}
1527
1528
if(quit_now){
1529
goto end;
1530
}
1531
1532
{
470
static AvahiSimplePoll *simple_poll = NULL;
471
static AvahiServer *server = NULL;
472
473
static void resolve_callback(
474
AvahiSServiceResolver *r,
475
AVAHI_GCC_UNUSED AvahiIfIndex interface,
476
AVAHI_GCC_UNUSED AvahiProtocol protocol,
477
AvahiResolverEvent event,
478
const char *name,
479
const char *type,
480
const char *domain,
481
const char *host_name,
482
const AvahiAddress *address,
483
uint16_t port,
484
AvahiStringList *txt,
485
AvahiLookupResultFlags flags,
486
AVAHI_GCC_UNUSED void* userdata) {
487
488
assert(r);
489
490
/* Called whenever a service has been resolved successfully or timed out */
491
492
switch (event) {
493
case AVAHI_RESOLVER_FAILURE:
494
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
495
break;
496
497
case AVAHI_RESOLVER_FOUND: {
498
char ip[AVAHI_ADDRESS_STR_MAX];
499
avahi_address_snprint(ip, sizeof(ip), address);
500
if(debug){
501
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
502
}
503
int ret = start_mandos_communication(ip, port);
504
if (ret == 0){
505
exit(EXIT_SUCCESS);
506
} else {
507
exit(EXIT_FAILURE);
508
}
509
}
510
}
511
avahi_s_service_resolver_free(r);
512
}
513
514
static void browse_callback(
515
AvahiSServiceBrowser *b,
516
AvahiIfIndex interface,
517
AvahiProtocol protocol,
518
AvahiBrowserEvent event,
519
const char *name,
520
const char *type,
521
const char *domain,
522
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
523
void* userdata) {
524
525
AvahiServer *s = userdata;
526
assert(b);
527
528
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
529
530
switch (event) {
531
532
case AVAHI_BROWSER_FAILURE:
533
534
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
535
avahi_simple_poll_quit(simple_poll);
536
return;
537
538
case AVAHI_BROWSER_NEW:
539
/* We ignore the returned resolver object. In the callback
540
function we free it. If the server is terminated before
541
the callback function is called the server will free
542
the resolver for us. */
543
544
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
545
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
546
547
break;
548
549
case AVAHI_BROWSER_REMOVE:
550
break;
551
552
case AVAHI_BROWSER_ALL_FOR_NOW:
553
case AVAHI_BROWSER_CACHE_EXHAUSTED:
554
break;
555
}
556
}
557
558
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
1533
559
AvahiServerConfig config;
1534
/* Do not publish any local Zeroconf records */
560
AvahiSServiceBrowser *sb = NULL;
561
int error;
562
int ret;
563
int returncode = EXIT_SUCCESS;
564
565
while (true){
566
static struct option long_options[] = {
567
{"debug", no_argument, (int *)&debug, 1},
568
{"interface", required_argument, 0, 'i'},
569
{0, 0, 0, 0} };
570
571
int option_index = 0;
572
ret = getopt_long (argc, argv, "i:", long_options, &option_index);
573
574
if (ret == -1){
575
break;
576
}
577
578
switch(ret){
579
case 0:
580
break;
581
case 'i':
582
interface = optarg;
583
break;
584
default:
585
exit(EXIT_FAILURE);
586
}
587
}
588
589
if (not debug){
590
avahi_set_log_function(empty_log);
591
}
592
593
/* Initialize the psuedo-RNG */
594
srand(time(NULL));
595
596
/* Allocate main loop object */
597
if (!(simple_poll = avahi_simple_poll_new())) {
598
fprintf(stderr, "Failed to create simple poll object.\n");
599
600
goto exit;
601
}
602
603
/* Do not publish any local records */
1535
604
avahi_server_config_init(&config);
1536
605
config.publish_hinfo = 0;
1537
606
config.publish_addresses = 0;
1538
607
config.publish_workstation = 0;
1539
608
config.publish_domain = 0;
1540
609
1541
610
/* Allocate a new server */
1542
mc.server = avahi_server_new(avahi_simple_poll_get
1543
(mc.simple_poll), &config, NULL,
1544
NULL, &error);
1545
1546
/* Free the Avahi configuration data */
611
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
612
613
/* Free the configuration data */
1547
614
avahi_server_config_free(&config);
1548
}
1549
1550
/* Check if creating the Avahi server object succeeded */
1551
if(mc.server == NULL){
1552
fprintf(stderr, "Failed to create Avahi server: %s\n",
1553
avahi_strerror(error));
1554
exitcode = EX_UNAVAILABLE;
1555
goto end;
1556
}
1557
1558
if(quit_now){
1559
goto end;
1560
}
1561
1562
/* Create the Avahi service browser */
1563
sb = avahi_s_service_browser_new(mc.server, if_index,
1564
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
1565
NULL, 0, browse_callback, NULL);
1566
if(sb == NULL){
1567
fprintf(stderr, "Failed to create service browser: %s\n",
1568
avahi_strerror(avahi_server_errno(mc.server)));
1569
exitcode = EX_UNAVAILABLE;
1570
goto end;
1571
}
1572
1573
if(quit_now){
1574
goto end;
1575
}
1576
1577
/* Run the main loop */
1578
1579
if(debug){
1580
fprintf(stderr, "Starting Avahi loop search\n");
1581
}
1582
1583
avahi_simple_poll_loop(mc.simple_poll);
1584
1585
end:
1586
1587
if(debug){
1588
fprintf(stderr, "%s exiting\n", argv[0]);
1589
}
1590
1591
/* Cleanup things */
1592
if(sb != NULL)
1593
avahi_s_service_browser_free(sb);
1594
1595
if(mc.server != NULL)
1596
avahi_server_free(mc.server);
1597
1598
if(mc.simple_poll != NULL)
1599
avahi_simple_poll_free(mc.simple_poll);
1600
1601
if(gnutls_initialized){
1602
gnutls_certificate_free_credentials(mc.cred);
1603
gnutls_global_deinit();
1604
gnutls_dh_params_deinit(mc.dh_params);
1605
}
1606
1607
if(gpgme_initialized){
1608
gpgme_release(mc.ctx);
1609
}
1610
1611
/* Take down the network interface */
1612
if(take_down_interface){
1613
/* Re-raise priviliges */
1614
errno = 0;
1615
ret = seteuid(0);
1616
if(ret == -1){
1617
perror("seteuid");
1618
}
1619
if(geteuid() == 0){
1620
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1621
if(ret == -1){
1622
perror("ioctl SIOCGIFFLAGS");
1623
} else if(network.ifr_flags & IFF_UP) {
1624
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
1625
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1626
if(ret == -1){
1627
perror("ioctl SIOCSIFFLAGS");
1628
}
1629
}
1630
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1631
if(ret == -1){
1632
perror("close");
1633
}
1634
/* Lower privileges permanently */
1635
errno = 0;
1636
ret = setuid(uid);
1637
if(ret == -1){
1638
perror("setuid");
1639
}
1640
}
1641
}
1642
1643
/* Removes the temp directory used by GPGME */
1644
if(tempdir_created){
1645
DIR *d;
1646
struct dirent *direntry;
1647
d = opendir(tempdir);
1648
if(d == NULL){
1649
if(errno != ENOENT){
1650
perror("opendir");
1651
}
1652
} else {
1653
while(true){
1654
direntry = readdir(d);
1655
if(direntry == NULL){
1656
break;
1657
}
1658
/* Skip "." and ".." */
1659
if(direntry->d_name[0] == '.'
1660
and (direntry->d_name[1] == '\0'
1661
or (direntry->d_name[1] == '.'
1662
and direntry->d_name[2] == '\0'))){
1663
continue;
1664
}
1665
char *fullname = NULL;
1666
ret = asprintf(&fullname, "%s/%s", tempdir,
1667
direntry->d_name);
1668
if(ret < 0){
1669
perror("asprintf");
1670
continue;
1671
}
1672
ret = remove(fullname);
1673
if(ret == -1){
1674
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1675
strerror(errno));
1676
}
1677
free(fullname);
1678
}
1679
closedir(d);
1680
}
1681
ret = rmdir(tempdir);
1682
if(ret == -1 and errno != ENOENT){
1683
perror("rmdir");
1684
}
1685
}
1686
1687
if(quit_now){
1688
sigemptyset(&old_sigterm_action.sa_mask);
1689
old_sigterm_action.sa_handler = SIG_DFL;
1690
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
1691
&old_sigterm_action,
1692
NULL));
1693
if(ret == -1){
1694
perror("sigaction");
1695
}
1696
do {
1697
ret = raise(signal_received);
1698
} while(ret != 0 and errno == EINTR);
1699
if(ret != 0){
1700
perror("raise");
1701
abort();
1702
}
1703
TEMP_FAILURE_RETRY(pause());
1704
}
1705
1706
return exitcode;
615
616
/* Check if creating the server object succeeded */
617
if (!server) {
618
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
619
returncode = EXIT_FAILURE;
620
goto exit;
621
}
622
623
/* Create the service browser */
624
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
625
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
626
returncode = EXIT_FAILURE;
627
goto exit;
628
}
629
630
/* Run the main loop */
631
632
if (debug){
633
fprintf(stderr, "Starting avahi loop search\n");
634
}
635
636
avahi_simple_poll_loop(simple_poll);
637
638
exit:
639
640
if (debug){
641
fprintf(stderr, "%s exiting\n", argv[0]);
642
}
643
644
/* Cleanup things */
645
if (sb)
646
avahi_s_service_browser_free(sb);
647
648
if (server)
649
avahi_server_free(server);
650
651
if (simple_poll)
652
avahi_simple_poll_free(simple_poll);
653
654
return returncode;
1707
655
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0