/mandos/trunk : revision 185

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2008-09-17 00:34:09 UTC
Revision ID: teddy@fukt.bsnet.se-20080917003409-bxbjsc4o69nx40t6

* .bzr-builddeb/default.conf: New.

* Makefile (install-server): Do not create directories that
                             should already be present in a
                             normal system.
  (install-client-nokey): - '' -  Also specify non-executable
                          mode for "initramfs-tools-hook-conf".

* README: Improved wording.  Use real copyright mark.

* debian/changelog: New.
* debian/compat: - '' -
* debian/control: - '' -
* debian/copyright: - '' -
* debian/mandos-client.README.Debian: - '' -
* debian/mandos-client.dirs: - '' -
* debian/mandos-client.lintian-overrides: - '' -
* debian/mandos-client.postinst: - '' -
* debian/mandos-client.postrm: - '' -
* debian/mandos.dirs: - '' -
* debian/mandos.lintian-overrides: - '' -
* debian/rules: - '' -
* default-mandos: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/rules

default-mandos

etc-plugins.d-README

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/usplash

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* $Id$ */

/* PLEASE NOTE *

* This file demonstrates how to use Avahi's core API, this is

* the embeddable mDNS stack for embedded applications.

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* End user applications should *not* use this API and should use

* the D-Bus or C APIs, please see

* client-browse-services.c and glib-integration.c

* I repeat, you probably do *not* want to use this example.

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* <http://avahi.org/browser/examples/core-browse-services.c>. This

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

/***

This file is part of avahi.

avahi is free software; you can redistribute it and/or modify it

under the terms of the GNU Lesser General Public License as

published by the Free Software Foundation; either version 2.1 of the

License, or (at your option) any later version.

avahi is distributed in the hope that it will be useful, but WITHOUT

ANY WARRANTY; without even the implied warranty of MERCHANTABILITY

or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General

Public License for more details.

You should have received a copy of the GNU Lesser General Public

License along with avahi; if not, write to the Free Software

Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

USA.

***/

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */

#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

100

GPG_ERR_NO_* */

101

102

#define BUFFER_SIZE 256

#define DH_BITS 1024

103

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client 1.0";

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

gnutls_session_t session;

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){

gpgme_data_t dh_crypto, dh_plain;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if (buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

size_t new_packet_capacity = 0;

size_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if (rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if (rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

190

if (debug){

191

fprintf(stderr, "Initialize gpgme\n");

192

}

193

194

/* Init GPGME */

195

gpgme_check_version(NULL);

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if (rc != GPG_ERR_NO_ERROR){

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

201

}

202

/* Set GPGME home directory */

203

/* Set GPGME home directory for the OpenPGP engine only */

204

rc = gpgme_get_engine_info (&engine_info);

205

if (rc != GPG_ERR_NO_ERROR){

206

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

207

gpgme_strsource(rc), gpgme_strerror(rc));

100

return -1;

208

return false;

101

209

}

102

210

while(engine_info != NULL){

103

211

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

104

212

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

105

engine_info->file_name, homedir);

213

engine_info->file_name, tempdir);

106

214

break;

107

215

}

108

216

engine_info = engine_info->next;

109

217

}

110

218

if(engine_info == NULL){

111

fprintf(stderr, "Could not set home dir to %s\n", homedir);

112

return -1;

113

}

114

115

/* Create new GPGME data buffer from packet buffer */

116

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if (rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if (not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if (debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

117

259

if (rc != GPG_ERR_NO_ERROR){

118

260

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

119

261

gpgme_strsource(rc), gpgme_strerror(rc));

125

267

if (rc != GPG_ERR_NO_ERROR){

126

268

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

127

269

gpgme_strsource(rc), gpgme_strerror(rc));

128

return -1;

129

}

130

131

/* Create new GPGME "context" */

132

rc = gpgme_new(&ctx);

133

if (rc != GPG_ERR_NO_ERROR){

134

fprintf(stderr, "bad gpgme_new: %s: %s\n",

135

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

137

}

138

139

/* Decrypt data from the FILE pointer to the plaintext data buffer */

140

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

141

277

if (rc != GPG_ERR_NO_ERROR){

142

278

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

143

279

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

280

plaintext_length = -1;

281

if (debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if (result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

306

}

307

}

308

}

309

goto decrypt_end;

145

310

}

146

311

147

/* gpgme_decrypt_result_t result; */

148

/* result = gpgme_op_decrypt_result(ctx); */

149

/* fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm); */

150

/* fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage); */

151

/* if(result->file_name != NULL){ */

152

/* fprintf(stderr, "File name: %s\n", result->file_name); */

153

/* } */

154

/* gpgme_recipient_t recipient; */

155

/* recipient = result->recipients; */

156

/* if(recipient){ */

157

/* while(recipient != NULL){ */

158

/* fprintf(stderr, "Public key algorithm: %s\n", */

159

/* gpgme_pubkey_algo_name(recipient->pubkey_algo)); */

160

/* fprintf(stderr, "Key ID: %s\n", recipient->keyid); */

161

/* fprintf(stderr, "Secret key available: %s\n", */

162

/* recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes"); */

163

/* recipient = recipient->next; */

164

/* } */

165

/* } */

166

167

/* Delete the GPGME FILE pointer cryptotext data buffer */

168

gpgme_data_release(dh_crypto);

312

if(debug){

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

169

315

170

316

/* Seek back to the beginning of the GPGME plaintext data buffer */

171

gpgme_data_seek(dh_plain, 0, SEEK_SET);

172

173

*new_packet = 0;

317

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

}

322

323

*plaintext = NULL;

174

324

while(true){

175

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

176

*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);

177

if (*new_packet == NULL){

178

perror("realloc");

179

return -1;

180

}

181

new_packet_capacity += BUFFER_SIZE;

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if (plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

182

332

}

183

333

184

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

335

BUFFER_SIZE);

185

336

/* Print the data, if any */

186

337

if (ret == 0){

187

/* If password is empty, then a incorrect error will be printed */

338

/* EOF */

188

339

break;

189

340

}

190

341

if(ret < 0){

191

342

perror("gpgme_data_read");

192

return -1;

193

}

194

new_packet_length += ret;

195

}

196

197

/* Delete the GPGME plaintext data buffer */

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

361

362

/* Delete the GPGME plaintext data buffer */

198

363

gpgme_data_release(dh_plain);

199

return new_packet_length;

364

return plaintext_length;

200

365

}

201

366

202

367

static const char * safer_gnutls_strerror (int value) {

203

const char *ret = gnutls_strerror (value);

368

const char *ret = gnutls_strerror (value); /* Spurious warning */

204

369

if (ret == NULL)

205

370

ret = "(unknown)";

206

371

return ret;

207

372

}

208

373

209

void debuggnutls(int level, const char* string){

210

fprintf(stderr, "%s", string);

374

/* GnuTLS log function callback */

375

static void debuggnutls(__attribute__((unused)) int level,

376

const char* string){

377

fprintf(stderr, "GnuTLS: %s", string);

211

378

}

212

379

213

int initgnutls(encrypted_session *es){

214

const char *err;

380

static int init_gnutls_global(mandos_context *mc,

381

const char *pubkeyfilename,

382

const char *seckeyfilename){

215

383

int ret;

216

384

217

if ((ret = gnutls_global_init ())

218

!= GNUTLS_E_SUCCESS) {

219

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

220

return -1;

221

}

222

223

/* Uncomment to enable full debuggin on the gnutls library */

224

/* gnutls_global_set_log_level(11); */

225

/* gnutls_global_set_log_function(debuggnutls); */

226

227

228

/* openpgp credentials */

229

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

230

!= GNUTLS_E_SUCCESS) {

231

fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));

232

return -1;

233

}

234

385

if(debug){

386

fprintf(stderr, "Initializing GnuTLS\n");

387

}

388

389

ret = gnutls_global_init();

390

if (ret != GNUTLS_E_SUCCESS) {

391

fprintf (stderr, "GnuTLS global_init: %s\n",

392

safer_gnutls_strerror(ret));

393

return -1;

394

}

395

396

if (debug){

397

/* "Use a log level over 10 to enable all debugging options."

398

* - GnuTLS manual

399

400

gnutls_global_set_log_level(11);

401

gnutls_global_set_log_function(debuggnutls);

402

}

403

404

/* OpenPGP credentials */

405

gnutls_certificate_allocate_credentials(&mc->cred);

406

if (ret != GNUTLS_E_SUCCESS){

407

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

408

warning */

409

safer_gnutls_strerror(ret));

410

gnutls_global_deinit ();

411

return -1;

412

}

413

414

if(debug){

415

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

416

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

417

seckeyfilename);

418

}

419

235

420

ret = gnutls_certificate_set_openpgp_key_file

236

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

237

if (ret != GNUTLS_E_SUCCESS) {

238

fprintf

239

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",

240

ret, CERTFILE, KEYFILE);

241

fprintf(stdout, "The Error is: %s\n",

242

safer_gnutls_strerror(ret));

243

return -1;

244

}

245

246

//Gnutls server initialization

247

if ((ret = gnutls_dh_params_init (&es->dh_params))

248

!= GNUTLS_E_SUCCESS) {

249

fprintf (stderr, "Error in dh parameter initialization: %s\n",

250

safer_gnutls_strerror(ret));

251

return -1;

252

}

253

254

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

255

!= GNUTLS_E_SUCCESS) {

256

fprintf (stderr, "Error in prime generation: %s\n",

257

safer_gnutls_strerror(ret));

258

return -1;

259

}

260

261

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

262

263

// Gnutls session creation

264

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

265

!= GNUTLS_E_SUCCESS){

266

fprintf(stderr, "Error in gnutls session initialization: %s\n",

267

safer_gnutls_strerror(ret));

268

}

269

270

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

271

!= GNUTLS_E_SUCCESS) {

272

fprintf(stderr, "Syntax error at: %s\n", err);

273

fprintf(stderr, "Gnutls error: %s\n",

274

safer_gnutls_strerror(ret));

275

return -1;

276

}

277

278

if ((ret = gnutls_credentials_set

279

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

280

!= GNUTLS_E_SUCCESS) {

281

fprintf(stderr, "Error setting a credentials set: %s\n",

282

safer_gnutls_strerror(ret));

283

return -1;

284

}

285

421

(mc->cred, pubkeyfilename, seckeyfilename,

422

GNUTLS_OPENPGP_FMT_BASE64);

423

if (ret != GNUTLS_E_SUCCESS) {

424

fprintf(stderr,

425

"Error[%d] while reading the OpenPGP key pair ('%s',"

426

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

427

fprintf(stderr, "The GnuTLS error is: %s\n",

428

safer_gnutls_strerror(ret));

429

goto globalfail;

430

}

431

432

/* GnuTLS server initialization */

433

ret = gnutls_dh_params_init(&mc->dh_params);

434

if (ret != GNUTLS_E_SUCCESS) {

435

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

436

" %s\n", safer_gnutls_strerror(ret));

437

goto globalfail;

438

}

439

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

440

if (ret != GNUTLS_E_SUCCESS) {

441

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

442

safer_gnutls_strerror(ret));

443

goto globalfail;

444

}

445

446

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

447

448

return 0;

449

450

globalfail:

451

452

gnutls_certificate_free_credentials(mc->cred);

453

gnutls_global_deinit();

454

gnutls_dh_params_deinit(mc->dh_params);

455

return -1;

456

}

457

458

static int init_gnutls_session(mandos_context *mc,

459

gnutls_session_t *session){

460

int ret;

461

/* GnuTLS session creation */

462

ret = gnutls_init(session, GNUTLS_SERVER);

463

if (ret != GNUTLS_E_SUCCESS){

464

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

465

safer_gnutls_strerror(ret));

466

}

467

468

{

469

const char *err;

470

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

471

if (ret != GNUTLS_E_SUCCESS) {

472

fprintf(stderr, "Syntax error at: %s\n", err);

473

fprintf(stderr, "GnuTLS error: %s\n",

474

safer_gnutls_strerror(ret));

475

gnutls_deinit (*session);

476

return -1;

477

}

478

}

479

480

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

481

mc->cred);

482

if (ret != GNUTLS_E_SUCCESS) {

483

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

484

safer_gnutls_strerror(ret));

485

gnutls_deinit (*session);

486

return -1;

487

}

488

286

489

/* ignore client certificate if any. */

287

gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);

490

gnutls_certificate_server_set_request (*session,

491

GNUTLS_CERT_IGNORE);

288

492

289

gnutls_dh_set_prime_bits (es->session, DH_BITS);

493

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

290

494

291

495

return 0;

292

496

}

293

497

294

void empty_log(AvahiLogLevel level, const char *txt){}

498

/* Avahi log function callback */

499

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

500

__attribute__((unused)) const char *txt){}

295

501

296

int start_mandos_communcation(char *ip, uint16_t port){

502

/* Called when a Mandos server is found */

503

static int start_mandos_communication(const char *ip, uint16_t port,

504

AvahiIfIndex if_index,

505

mandos_context *mc){

297

506

int ret, tcp_sd;

298

struct sockaddr_in6 to;

299

struct in6_addr ip_addr;

300

encrypted_session es;

507

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

301

508

char *buffer = NULL;

302

509

char *decrypted_buffer;

303

510

size_t buffer_length = 0;

304

511

size_t buffer_capacity = 0;

305

512

ssize_t decrypted_buffer_size;

513

size_t written;

306

514

int retval = 0;

307

515

char interface[IF_NAMESIZE];

516

gnutls_session_t session;

517

518

ret = init_gnutls_session (mc, &session);

519

if (ret != 0){

520

return -1;

521

}

522

523

if(debug){

524

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

525

"\n", ip, port);

526

}

308

527

309

528

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

310

529

if(tcp_sd < 0) {

312

531

return -1;

313

532

}

314

533

315

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, "eth0", 5);

316

if(tcp_sd < 0) {

317

perror("setsockopt bindtodevice");

318

return -1;

534

if(debug){

535

if(if_indextoname((unsigned int)if_index, interface) == NULL){

536

perror("if_indextoname");

537

return -1;

538

}

539

fprintf(stderr, "Binding to interface %s\n", interface);

319

540

}

320

541

321

memset(&to,0,sizeof(to));

322

to.sin6_family = AF_INET6;

323

ret = inet_pton(AF_INET6, ip, &ip_addr);

542

memset(&to, 0, sizeof(to));

543

to.in6.sin6_family = AF_INET6;

544

/* It would be nice to have a way to detect if we were passed an

545

IPv4 address here. Now we assume an IPv6 address. */

546

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

324

547

if (ret < 0 ){

325

548

perror("inet_pton");

326

549

return -1;

327

}

550

}

328

551

if(ret == 0){

329

552

fprintf(stderr, "Bad address: %s\n", ip);

330

553

return -1;

331

554

}

332

to.sin6_port = htons(port);

333

to.sin6_scope_id = if_nametoindex("eth0");

334

335

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

555

to.in6.sin6_port = htons(port); /* Spurious warning */

556

557

to.in6.sin6_scope_id = (uint32_t)if_index;

558

559

if(debug){

560

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

561

port);

562

char addrstr[INET6_ADDRSTRLEN] = "";

563

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

564

sizeof(addrstr)) == NULL){

565

perror("inet_ntop");

566

} else {

567

if(strcmp(addrstr, ip) != 0){

568

fprintf(stderr, "Canonical address form: %s\n", addrstr);

569

}

570

}

571

}

572

573

ret = connect(tcp_sd, &to.in, sizeof(to));

336

574

if (ret < 0){

337

575

perror("connect");

338

576

return -1;

339

577

}

340

578

341

ret = initgnutls (&es);

342

if (ret != 0){

343

retval = -1;

344

return -1;

345

}

346

347

348

gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);

349

350

ret = gnutls_handshake (es.session);

579

const char *out = mandos_protocol_version;

580

written = 0;

581

while (true){

582

size_t out_size = strlen(out);

583

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

584

out_size - written));

585

if (ret == -1){

586

perror("write");

587

retval = -1;

588

goto mandos_end;

589

}

590

written += (size_t)ret;

591

if(written < out_size){

592

continue;

593

} else {

594

if (out == mandos_protocol_version){

595

written = 0;

596

out = "\r\n";

597

} else {

598

break;

599

}

600

}

601

}

602

603

if(debug){

604

fprintf(stderr, "Establishing TLS session with %s\n", ip);

605

}

606

607

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

608

609

do{

610

ret = gnutls_handshake (session);

611

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

351

612

352

613

if (ret != GNUTLS_E_SUCCESS){

353

fprintf(stderr, "\n*** Handshake failed ***\n");

354

gnutls_perror (ret);

614

if(debug){

615

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

616

gnutls_perror (ret);

617

}

355

618

retval = -1;

356

goto exit;

357

}

358

359

//retrive password

619

goto mandos_end;

620

}

621

622

/* Read OpenPGP packet that contains the wanted password */

623

624

if(debug){

625

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

626

ip);

627

}

628

360

629

while(true){

361

if (buffer_length + BUFFER_SIZE > buffer_capacity){

362

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

363

if (buffer == NULL){

364

perror("realloc");

365

goto exit;

366

}

367

buffer_capacity += BUFFER_SIZE;

630

buffer_capacity = adjustbuffer(&buffer, buffer_length,

631

buffer_capacity);

632

if (buffer_capacity == 0){

633

perror("adjustbuffer");

634

retval = -1;

635

goto mandos_end;

368

636

}

369

637

370

ret = gnutls_record_recv

371

(es.session, buffer+buffer_length, BUFFER_SIZE);

638

ret = gnutls_record_recv(session, buffer+buffer_length,

639

BUFFER_SIZE);

372

640

if (ret == 0){

373

641

break;

374

642

}

378

646

case GNUTLS_E_AGAIN:

379

647

break;

380

648

case GNUTLS_E_REHANDSHAKE:

381

ret = gnutls_handshake (es.session);

649

do{

650

ret = gnutls_handshake (session);

651

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

382

652

if (ret < 0){

383

fprintf(stderr, "\n*** Handshake failed ***\n");

653

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

384

654

gnutls_perror (ret);

385

655

retval = -1;

386

goto exit;

656

goto mandos_end;

387

657

}

388

658

break;

389

659

default:

390

fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");

660

fprintf(stderr, "Unknown error while reading data from"

661

" encrypted session with Mandos server\n");

391

662

retval = -1;

392

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

393

goto exit;

663

gnutls_bye (session, GNUTLS_SHUT_RDWR);

664

goto mandos_end;

394

665

}

395

666

} else {

396

buffer_length += ret;

667

buffer_length += (size_t) ret;

397

668

}

398

669

}

399

670

671

if(debug){

672

fprintf(stderr, "Closing TLS session\n");

673

}

674

675

gnutls_bye (session, GNUTLS_SHUT_RDWR);

676

400

677

if (buffer_length > 0){

401

if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) == 0){

402

retval = -1;

403

} else {

404

fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);

678

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

679

buffer_length,

680

&decrypted_buffer);

681

if (decrypted_buffer_size >= 0){

682

written = 0;

683

while(written < (size_t) decrypted_buffer_size){

684

ret = (int)fwrite (decrypted_buffer + written, 1,

685

(size_t)decrypted_buffer_size - written,

686

stdout);

687

if(ret == 0 and ferror(stdout)){

688

if(debug){

689

fprintf(stderr, "Error writing encrypted data: %s\n",

690

strerror(errno));

691

}

692

retval = -1;

693

break;

694

}

695

written += (size_t)ret;

696

}

405

697

free(decrypted_buffer);

698

} else {

699

retval = -1;

406

700

}

701

} else {

702

retval = -1;

407

703

}

408

704

705

/* Shutdown procedure */

706

707

mandos_end:

409

708

free(buffer);

410

411

//shutdown procedure

412

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

413

exit:

414

close(tcp_sd);

415

gnutls_deinit (es.session);

416

gnutls_certificate_free_credentials (es.cred);

417

gnutls_global_deinit ();

709

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

710

if(ret == -1){

711

perror("close");

712

}

713

gnutls_deinit (session);

418

714

return retval;

419

715

}

420

716

421

static AvahiSimplePoll *simple_poll = NULL;

422

static AvahiServer *server = NULL;

423

424

static void resolve_callback(

425

AvahiSServiceResolver *r,

426

AVAHI_GCC_UNUSED AvahiIfIndex interface,

427

AVAHI_GCC_UNUSED AvahiProtocol protocol,

428

AvahiResolverEvent event,

429

const char *name,

430

const char *type,

431

const char *domain,

432

const char *host_name,

433

const AvahiAddress *address,

434

uint16_t port,

435

AvahiStringList *txt,

436

AvahiLookupResultFlags flags,

437

AVAHI_GCC_UNUSED void* userdata) {

438

439

assert(r);

440

441

/* Called whenever a service has been resolved successfully or timed out */

442

443

switch (event) {

444

case AVAHI_RESOLVER_FAILURE:

445

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));

446

break;

447

448

case AVAHI_RESOLVER_FOUND: {

449

char ip[AVAHI_ADDRESS_STR_MAX];

450

avahi_address_snprint(ip, sizeof(ip), address);

451

int ret = start_mandos_communcation(ip, port);

452

if (ret == 0){

453

exit(EXIT_SUCCESS);

454

} else {

455

exit(EXIT_FAILURE);

456

}

457

}

458

}

459

avahi_s_service_resolver_free(r);

460

}

461

462

static void browse_callback(

463

AvahiSServiceBrowser *b,

464

AvahiIfIndex interface,

465

AvahiProtocol protocol,

466

AvahiBrowserEvent event,

467

const char *name,

468

const char *type,

469

const char *domain,

470

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

471

void* userdata) {

472

473

AvahiServer *s = userdata;

474

assert(b);

475

476

/* Called whenever a new services becomes available on the LAN or is removed from the LAN */

477

478

switch (event) {

479

480

case AVAHI_BROWSER_FAILURE:

481

482

fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));

483

avahi_simple_poll_quit(simple_poll);

484

return;

485

486

case AVAHI_BROWSER_NEW:

487

/* We ignore the returned resolver object. In the callback

488

function we free it. If the server is terminated before

489

the callback function is called the server will free

490

the resolver for us. */

491

492

if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))

493

fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));

494

495

break;

496

497

case AVAHI_BROWSER_REMOVE:

498

break;

499

500

case AVAHI_BROWSER_ALL_FOR_NOW:

501

case AVAHI_BROWSER_CACHE_EXHAUSTED:

502

break;

503

}

504

}

505

506

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

507

AvahiServerConfig config;

717

static void resolve_callback(AvahiSServiceResolver *r,

718

AvahiIfIndex interface,

719

AVAHI_GCC_UNUSED AvahiProtocol protocol,

720

AvahiResolverEvent event,

721

const char *name,

722

const char *type,

723

const char *domain,

724

const char *host_name,

725

const AvahiAddress *address,

726

uint16_t port,

727

AVAHI_GCC_UNUSED AvahiStringList *txt,

728

AVAHI_GCC_UNUSED AvahiLookupResultFlags

729

flags,

730

void* userdata) {

731

mandos_context *mc = userdata;

732

assert(r);

733

734

/* Called whenever a service has been resolved successfully or

735

timed out */

736

737

switch (event) {

738

default:

739

case AVAHI_RESOLVER_FAILURE:

740

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

741

" of type '%s' in domain '%s': %s\n", name, type, domain,

742

avahi_strerror(avahi_server_errno(mc->server)));

743

break;

744

745

case AVAHI_RESOLVER_FOUND:

746

{

747

char ip[AVAHI_ADDRESS_STR_MAX];

748

avahi_address_snprint(ip, sizeof(ip), address);

749

if(debug){

750

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

751

PRIu16 ") on port %d\n", name, host_name, ip,

752

interface, port);

753

}

754

int ret = start_mandos_communication(ip, port, interface, mc);

755

if (ret == 0){

756

avahi_simple_poll_quit(mc->simple_poll);

757

}

758

}

759

}

760

avahi_s_service_resolver_free(r);

761

}

762

763

static void browse_callback( AvahiSServiceBrowser *b,

764

AvahiIfIndex interface,

765

AvahiProtocol protocol,

766

AvahiBrowserEvent event,

767

const char *name,

768

const char *type,

769

const char *domain,

770

AVAHI_GCC_UNUSED AvahiLookupResultFlags

771

flags,

772

void* userdata) {

773

mandos_context *mc = userdata;

774

assert(b);

775

776

/* Called whenever a new services becomes available on the LAN or

777

is removed from the LAN */

778

779

switch (event) {

780

default:

781

case AVAHI_BROWSER_FAILURE:

782

783

fprintf(stderr, "(Avahi browser) %s\n",

784

avahi_strerror(avahi_server_errno(mc->server)));

785

avahi_simple_poll_quit(mc->simple_poll);

786

return;

787

788

case AVAHI_BROWSER_NEW:

789

/* We ignore the returned Avahi resolver object. In the callback

790

function we free it. If the Avahi server is terminated before

791

the callback function is called the Avahi server will free the

792

resolver for us. */

793

794

if (!(avahi_s_service_resolver_new(mc->server, interface,

795

protocol, name, type, domain,

796

AVAHI_PROTO_INET6, 0,

797

resolve_callback, mc)))

798

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

799

name, avahi_strerror(avahi_server_errno(mc->server)));

800

break;

801

802

case AVAHI_BROWSER_REMOVE:

803

break;

804

805

case AVAHI_BROWSER_ALL_FOR_NOW:

806

case AVAHI_BROWSER_CACHE_EXHAUSTED:

807

if(debug){

808

fprintf(stderr, "No Mandos server found, still searching...\n");

809

}

810

break;

811

}

812

}

813

814

int main(int argc, char *argv[]){

508

815

AvahiSServiceBrowser *sb = NULL;

509

816

int error;

510

int ret = 1;

511

512

avahi_set_log_function(empty_log);

513

514

/* Initialize the psuedo-RNG */

515

srand(time(NULL));

516

517

/* Allocate main loop object */

518

if (!(simple_poll = avahi_simple_poll_new())) {

519

fprintf(stderr, "Failed to create simple poll object.\n");

520

goto fail;

521

}

522

523

/* Do not publish any local records */

524

avahi_server_config_init(&config);

525

config.publish_hinfo = 0;

526

config.publish_addresses = 0;

527

config.publish_workstation = 0;

528

config.publish_domain = 0;

529

530

/* /\* Set a unicast DNS server for wide area DNS-SD *\/ */

531

/* avahi_address_parse("193.11.177.11", AVAHI_PROTO_UNSPEC, &config.wide_area_servers[0]); */

532

/* config.n_wide_area_servers = 1; */

533

/* config.enable_wide_area = 1; */

534

535

/* Allocate a new server */

536

server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);

537

538

/* Free the configuration data */

539

avahi_server_config_free(&config);

540

541

/* Check wether creating the server object succeeded */

542

if (!server) {

543

fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));

544

goto fail;

545

}

546

547

/* Create the service browser */

548

if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {

549

fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));

550

goto fail;

817

int ret;

818

int exitcode = EXIT_SUCCESS;

819

const char *interface = "eth0";

820

struct ifreq network;

821

int sd;

822

uid_t uid;

823

gid_t gid;

824

char *connect_to = NULL;

825

char tempdir[] = "/tmp/mandosXXXXXX";

826

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

827

const char *seckey = PATHDIR "/" SECKEY;

828

const char *pubkey = PATHDIR "/" PUBKEY;

829

830

mandos_context mc = { .simple_poll = NULL, .server = NULL,

831

.dh_bits = 1024, .priority = "SECURE256"

832

":!CTYPE-X.509:+CTYPE-OPENPGP" };

833

bool gnutls_initalized = false;

834

bool gpgme_initalized = false;

835

836

{

837

struct argp_option options[] = {

838

{ .name = "debug", .key = 128,

839

.doc = "Debug mode", .group = 3 },

840

{ .name = "connect", .key = 'c',

841

.arg = "ADDRESS:PORT",

842

.doc = "Connect directly to a specific Mandos server",

843

.group = 1 },

844

{ .name = "interface", .key = 'i',

845

.arg = "NAME",

846

.doc = "Interface that will be used to search for Mandos"

847

" servers",

848

.group = 1 },

849

{ .name = "seckey", .key = 's',

850

.arg = "FILE",

851

.doc = "OpenPGP secret key file base name",

852

.group = 1 },

853

{ .name = "pubkey", .key = 'p',

854

.arg = "FILE",

855

.doc = "OpenPGP public key file base name",

856

.group = 2 },

857

{ .name = "dh-bits", .key = 129,

858

.arg = "BITS",

859

.doc = "Bit length of the prime number used in the"

860

" Diffie-Hellman key exchange",

861

.group = 2 },

862

{ .name = "priority", .key = 130,

863

.arg = "STRING",

864

.doc = "GnuTLS priority string for the TLS handshake",

865

.group = 1 },

866

{ .name = NULL }

867

};

868

869

error_t parse_opt (int key, char *arg,

870

struct argp_state *state) {

871

/* Get the INPUT argument from `argp_parse', which we know is

872

a pointer to our plugin list pointer. */

873

switch (key) {

874

case 128: /* --debug */

875

debug = true;

876

break;

877

case 'c': /* --connect */

878

connect_to = arg;

879

break;

880

case 'i': /* --interface */

881

interface = arg;

882

break;

883

case 's': /* --seckey */

884

seckey = arg;

885

break;

886

case 'p': /* --pubkey */

887

pubkey = arg;

888

break;

889

case 129: /* --dh-bits */

890

errno = 0;

891

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

892

if (errno){

893

perror("strtol");

894

exit(EXIT_FAILURE);

895

}

896

break;

897

case 130: /* --priority */

898

mc.priority = arg;

899

break;

900

case ARGP_KEY_ARG:

901

argp_usage (state);

902

case ARGP_KEY_END:

903

break;

904

default:

905

return ARGP_ERR_UNKNOWN;

906

}

907

return 0;

908

}

909

910

struct argp argp = { .options = options, .parser = parse_opt,

911

.args_doc = "",

912

.doc = "Mandos client -- Get and decrypt"

913

" passwords from a Mandos server" };

914

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

915

if (ret == ARGP_ERR_UNKNOWN){

916

fprintf(stderr, "Unknown error while parsing arguments\n");

917

exitcode = EXIT_FAILURE;

918

goto end;

919

}

920

}

921

922

/* If the interface is down, bring it up */

923

{

924

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

925

if(sd < 0) {

926

perror("socket");

927

exitcode = EXIT_FAILURE;

928

goto end;

929

}

930

strcpy(network.ifr_name, interface);

931

ret = ioctl(sd, SIOCGIFFLAGS, &network);

932

if(ret == -1){

933

perror("ioctl SIOCGIFFLAGS");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

if((network.ifr_flags & IFF_UP) == 0){

938

network.ifr_flags |= IFF_UP;

939

ret = ioctl(sd, SIOCSIFFLAGS, &network);

940

if(ret == -1){

941

perror("ioctl SIOCSIFFLAGS");

942

exitcode = EXIT_FAILURE;

943

goto end;

944

}

945

}

946

ret = TEMP_FAILURE_RETRY(close(sd));

947

if(ret == -1){

948

perror("close");

949

}

950

}

951

952

uid = getuid();

953

gid = getgid();

954

955

ret = setuid(uid);

956

if (ret == -1){

957

perror("setuid");

958

}

959

960

setgid(gid);

961

if (ret == -1){

962

perror("setgid");

963

}

964

965

ret = init_gnutls_global(&mc, pubkey, seckey);

966

if (ret == -1){

967

fprintf(stderr, "init_gnutls_global failed\n");

968

exitcode = EXIT_FAILURE;

969

goto end;

970

} else {

971

gnutls_initalized = true;

972

}

973

974

if(mkdtemp(tempdir) == NULL){

975

perror("mkdtemp");

976

tempdir[0] = '\0';

977

goto end;

978

}

979

980

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

981

fprintf(stderr, "gpgme_initalized failed\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

} else {

985

gpgme_initalized = true;

986

}

987

988

if_index = (AvahiIfIndex) if_nametoindex(interface);

989

if(if_index == 0){

990

fprintf(stderr, "No such interface: \"%s\"\n", interface);

991

exit(EXIT_FAILURE);

992

}

993

994

if(connect_to != NULL){

995

/* Connect directly, do not use Zeroconf */

996

/* (Mainly meant for debugging) */

997

char *address = strrchr(connect_to, ':');

998

if(address == NULL){

999

fprintf(stderr, "No colon in address\n");

1000

exitcode = EXIT_FAILURE;

1001

goto end;

1002

}

1003

errno = 0;

1004

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1005

if(errno){

1006

perror("Bad port number");

1007

exitcode = EXIT_FAILURE;

1008

goto end;

1009

}

1010

*address = '\0';

1011

address = connect_to;

1012

ret = start_mandos_communication(address, port, if_index, &mc);

1013

if(ret < 0){

1014

exitcode = EXIT_FAILURE;

1015

} else {

1016

exitcode = EXIT_SUCCESS;

1017

}

1018

goto end;

1019

}

1020

1021

if (not debug){

1022

avahi_set_log_function(empty_log);

1023

}

1024

1025

/* Initialize the pseudo-RNG for Avahi */

1026

srand((unsigned int) time(NULL));

1027

1028

/* Allocate main Avahi loop object */

1029

mc.simple_poll = avahi_simple_poll_new();

1030

if (mc.simple_poll == NULL) {

1031

fprintf(stderr, "Avahi: Failed to create simple poll"

1032

" object.\n");

1033

exitcode = EXIT_FAILURE;

1034

goto end;

1035

}

1036

1037

{

1038

AvahiServerConfig config;

1039

/* Do not publish any local Zeroconf records */

1040

avahi_server_config_init(&config);

1041

config.publish_hinfo = 0;

1042

config.publish_addresses = 0;

1043

config.publish_workstation = 0;

1044

config.publish_domain = 0;

1045

1046

/* Allocate a new server */

1047

mc.server = avahi_server_new(avahi_simple_poll_get

1048

(mc.simple_poll), &config, NULL,

1049

NULL, &error);

1050

1051

/* Free the Avahi configuration data */

1052

avahi_server_config_free(&config);

1053

}

1054

1055

/* Check if creating the Avahi server object succeeded */

1056

if (mc.server == NULL) {

1057

fprintf(stderr, "Failed to create Avahi server: %s\n",

1058

avahi_strerror(error));

1059

exitcode = EXIT_FAILURE;

1060

goto end;

1061

}

1062

1063

/* Create the Avahi service browser */

1064

sb = avahi_s_service_browser_new(mc.server, if_index,

1065

AVAHI_PROTO_INET6,

1066

"_mandos._tcp", NULL, 0,

1067

browse_callback, &mc);

1068

if (sb == NULL) {

1069

fprintf(stderr, "Failed to create service browser: %s\n",

1070

avahi_strerror(avahi_server_errno(mc.server)));

1071

exitcode = EXIT_FAILURE;

1072

goto end;

551

1073

}

552

1074

553

1075

/* Run the main loop */

554

avahi_simple_poll_loop(simple_poll);

555

556

ret = 0;

557

558

fail:

1076

1077

if (debug){

1078

fprintf(stderr, "Starting Avahi loop search\n");

1079

}

1080

1081

avahi_simple_poll_loop(mc.simple_poll);

1082

1083

end:

1084

1085

if (debug){

1086

fprintf(stderr, "%s exiting\n", argv[0]);

1087

}

559

1088

560

1089

/* Cleanup things */

561

if (sb)

1090

if (sb != NULL)

562

1091

avahi_s_service_browser_free(sb);

563

1092

564

if (server)

565

avahi_server_free(server);

566

567

if (simple_poll)

568

avahi_simple_poll_free(simple_poll);

569

570

return ret;

1093

if (mc.server != NULL)

1094

avahi_server_free(mc.server);

1095

1096

if (mc.simple_poll != NULL)

1097

avahi_simple_poll_free(mc.simple_poll);

1098

1099

if (gnutls_initalized){

1100

gnutls_certificate_free_credentials(mc.cred);

1101

gnutls_global_deinit ();

1102

gnutls_dh_params_deinit(mc.dh_params);

1103

}

1104

1105

if(gpgme_initalized){

1106

gpgme_release(mc.ctx);

1107

}

1108

1109

/* Removes the temp directory used by GPGME */

1110

if(tempdir[0] != '\0'){

1111

DIR *d;

1112

struct dirent *direntry;

1113

d = opendir(tempdir);

1114

if(d == NULL){

1115

perror("opendir");

1116

} else {

1117

while(true){

1118

direntry = readdir(d);

1119

if(direntry == NULL){

1120

break;

1121

}

1122

if (direntry->d_type == DT_REG){

1123

char *fullname = NULL;

1124

ret = asprintf(&fullname, "%s/%s", tempdir,

1125

direntry->d_name);

1126

if(ret < 0){

1127

perror("asprintf");

1128

continue;

1129

}

1130

ret = unlink(fullname);

1131

if(ret == -1){

1132

fprintf(stderr, "unlink(\"%s\"): %s",

1133

fullname, strerror(errno));

1134

}

1135

free(fullname);

1136

}

1137

}

1138

closedir(d);

1139

}

1140

ret = rmdir(tempdir);

1141

if(ret == -1){

1142

perror("rmdir");

1143

}

1144

}

1145

1146

return exitcode;

571

1147

}

Older »