/mandos/trunk : revision 186

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2008-09-17 00:36:05 UTC
mfrom: (24.1.95 mandos)
Revision ID: teddy@fukt.bsnet.se-20080917003605-m64km1tbwn3wrpbf

Merge.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

README

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/rules

default-mandos

etc-plugins.d-README

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/usplash

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Påhlsson.

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

#define _FORTIFY_SOURCE 2

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

//mandos client part

#include <sys/types.h> /* socket(), setsockopt(),

inet_pton() */

#include <sys/socket.h> /* socket(), setsockopt(),

struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

100

GPG_ERR_NO_* */

101

102

#define BUFFER_SIZE 256

#define DH_BITS 1024

103

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "mandos-client 1.0";

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

118

typedef struct {

gnutls_session_t session;

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

137

if (buffer == NULL){

138

return 0;

139

}

140

buffer_capacity += BUFFER_SIZE;

141

}

142

return buffer_capacity;

143

}

144

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

151

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

152

gpgme_engine_info_t engine_info;

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if (rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if (rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

100

190

if (debug){

101

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

191

fprintf(stderr, "Initialize gpgme\n");

102

192

}

103

193

104

194

/* Init GPGME */

105

195

gpgme_check_version(NULL);

106

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

196

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

197

if (rc != GPG_ERR_NO_ERROR){

198

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

201

}

107

202

108

/* Set GPGME home directory */

203

/* Set GPGME home directory for the OpenPGP engine only */

109

204

rc = gpgme_get_engine_info (&engine_info);

110

205

if (rc != GPG_ERR_NO_ERROR){

111

206

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

112

207

gpgme_strsource(rc), gpgme_strerror(rc));

113

return -1;

208

return false;

114

209

}

115

210

while(engine_info != NULL){

116

211

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

117

212

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

118

engine_info->file_name, homedir);

213

engine_info->file_name, tempdir);

119

214

break;

120

215

}

121

216

engine_info = engine_info->next;

122

217

}

123

218

if(engine_info == NULL){

124

fprintf(stderr, "Could not set home dir to %s\n", homedir);

125

return -1;

126

}

127

128

/* Create new GPGME data buffer from packet buffer */

129

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if (rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if (not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if (debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

130

259

if (rc != GPG_ERR_NO_ERROR){

131

260

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

132

261

gpgme_strsource(rc), gpgme_strerror(rc));

138

267

if (rc != GPG_ERR_NO_ERROR){

139

268

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

140

269

gpgme_strsource(rc), gpgme_strerror(rc));

141

return -1;

142

}

143

144

/* Create new GPGME "context" */

145

rc = gpgme_new(&ctx);

146

if (rc != GPG_ERR_NO_ERROR){

147

fprintf(stderr, "bad gpgme_new: %s: %s\n",

148

gpgme_strsource(rc), gpgme_strerror(rc));

149

return -1;

150

}

151

152

/* Decrypt data from the FILE pointer to the plaintext data

153

buffer */

154

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

155

277

if (rc != GPG_ERR_NO_ERROR){

156

278

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

157

279

gpgme_strsource(rc), gpgme_strerror(rc));

158

return -1;

280

plaintext_length = -1;

281

if (debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if (result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

306

}

307

}

308

}

309

goto decrypt_end;

159

310

}

160

311

161

312

if(debug){

162

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

163

}

164

165

if (debug){

166

gpgme_decrypt_result_t result;

167

result = gpgme_op_decrypt_result(ctx);

168

if (result == NULL){

169

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

170

} else {

171

fprintf(stderr, "Unsupported algorithm: %s\n",

172

result->unsupported_algorithm);

173

fprintf(stderr, "Wrong key usage: %d\n",

174

result->wrong_key_usage);

175

if(result->file_name != NULL){

176

fprintf(stderr, "File name: %s\n", result->file_name);

177

}

178

gpgme_recipient_t recipient;

179

recipient = result->recipients;

180

if(recipient){

181

while(recipient != NULL){

182

fprintf(stderr, "Public key algorithm: %s\n",

183

gpgme_pubkey_algo_name(recipient->pubkey_algo));

184

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

185

fprintf(stderr, "Secret key available: %s\n",

186

recipient->status == GPG_ERR_NO_SECKEY

187

? "No" : "Yes");

188

recipient = recipient->next;

189

}

190

}

191

}

192

}

193

194

/* Delete the GPGME FILE pointer cryptotext data buffer */

195

gpgme_data_release(dh_crypto);

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

196

315

197

316

/* Seek back to the beginning of the GPGME plaintext data buffer */

198

gpgme_data_seek(dh_plain, 0, SEEK_SET);

199

200

*new_packet = 0;

317

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

318

perror("gpgme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

}

322

323

*plaintext = NULL;

201

324

while(true){

202

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

203

*new_packet = realloc(*new_packet,

204

(unsigned int)new_packet_capacity

205

+ BUFFER_SIZE);

206

if (*new_packet == NULL){

207

perror("realloc");

208

return -1;

209

}

210

new_packet_capacity += BUFFER_SIZE;

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if (plaintext_capacity == 0){

329

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

211

332

}

212

333

213

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

214

335

BUFFER_SIZE);

215

336

/* Print the data, if any */

216

337

if (ret == 0){

338

/* EOF */

217

339

break;

218

340

}

219

341

if(ret < 0){

220

342

perror("gpgme_data_read");

221

return -1;

222

}

223

new_packet_length += ret;

224

}

225

226

/* FIXME: check characters before printing to screen so to not print

227

terminal control characters */

228

/* if(debug){ */

229

/* fprintf(stderr, "decrypted password is: "); */

230

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

231

/* fprintf(stderr, "\n"); */

232

/* } */

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

233

361

234

362

/* Delete the GPGME plaintext data buffer */

235

363

gpgme_data_release(dh_plain);

236

return new_packet_length;

364

return plaintext_length;

237

365

}

238

366

239

367

static const char * safer_gnutls_strerror (int value) {

240

const char *ret = gnutls_strerror (value);

368

const char *ret = gnutls_strerror (value); /* Spurious warning */

241

369

if (ret == NULL)

242

370

ret = "(unknown)";

243

371

return ret;

244

372

}

245

373

246

void debuggnutls(__attribute__((unused)) int level,

247

const char* string){

248

fprintf(stderr, "%s", string);

374

/* GnuTLS log function callback */

375

static void debuggnutls(__attribute__((unused)) int level,

376

const char* string){

377

fprintf(stderr, "GnuTLS: %s", string);

249

378

}

250

379

251

int initgnutls(encrypted_session *es){

252

const char *err;

380

static int init_gnutls_global(mandos_context *mc,

381

const char *pubkeyfilename,

382

const char *seckeyfilename){

253

383

int ret;

254

384

255

385

if(debug){

256

386

fprintf(stderr, "Initializing GnuTLS\n");

257

387

}

258

388

259

if ((ret = gnutls_global_init ())

260

!= GNUTLS_E_SUCCESS) {

261

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

389

ret = gnutls_global_init();

390

if (ret != GNUTLS_E_SUCCESS) {

391

fprintf (stderr, "GnuTLS global_init: %s\n",

392

safer_gnutls_strerror(ret));

262

393

return -1;

263

394

}

264

395

265

396

if (debug){

397

/* "Use a log level over 10 to enable all debugging options."

398

* - GnuTLS manual

399

266

400

gnutls_global_set_log_level(11);

267

401

gnutls_global_set_log_function(debuggnutls);

268

402

}

269

403

270

/* openpgp credentials */

271

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

272

!= GNUTLS_E_SUCCESS) {

273

fprintf (stderr, "memory error: %s\n",

404

/* OpenPGP credentials */

405

gnutls_certificate_allocate_credentials(&mc->cred);

406

if (ret != GNUTLS_E_SUCCESS){

407

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

408

warning */

274

409

safer_gnutls_strerror(ret));

410

gnutls_global_deinit ();

275

411

return -1;

276

412

}

277

413

278

414

if(debug){

279

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

280

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

281

KEYFILE);

415

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

416

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

417

seckeyfilename);

282

418

}

283

419

284

420

ret = gnutls_certificate_set_openpgp_key_file

285

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

421

(mc->cred, pubkeyfilename, seckeyfilename,

422

GNUTLS_OPENPGP_FMT_BASE64);

286

423

if (ret != GNUTLS_E_SUCCESS) {

287

fprintf

288

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

289

" '%s')\n",

290

ret, CERTFILE, KEYFILE);

291

fprintf(stdout, "The Error is: %s\n",

424

fprintf(stderr,

425

"Error[%d] while reading the OpenPGP key pair ('%s',"

426

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

427

fprintf(stderr, "The GnuTLS error is: %s\n",

292

428

safer_gnutls_strerror(ret));

293

return -1;

294

}

295

296

//GnuTLS server initialization

297

if ((ret = gnutls_dh_params_init (&es->dh_params))

298

!= GNUTLS_E_SUCCESS) {

299

fprintf (stderr, "Error in dh parameter initialization: %s\n",

300

safer_gnutls_strerror(ret));

301

return -1;

302

}

303

304

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

305

!= GNUTLS_E_SUCCESS) {

306

fprintf (stderr, "Error in prime generation: %s\n",

307

safer_gnutls_strerror(ret));

308

return -1;

309

}

310

311

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

312

313

// GnuTLS session creation

314

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

315

!= GNUTLS_E_SUCCESS){

429

goto globalfail;

430

}

431

432

/* GnuTLS server initialization */

433

ret = gnutls_dh_params_init(&mc->dh_params);

434

if (ret != GNUTLS_E_SUCCESS) {

435

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

436

" %s\n", safer_gnutls_strerror(ret));

437

goto globalfail;

438

}

439

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

440

if (ret != GNUTLS_E_SUCCESS) {

441

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

442

safer_gnutls_strerror(ret));

443

goto globalfail;

444

}

445

446

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

447

448

return 0;

449

450

globalfail:

451

452

gnutls_certificate_free_credentials(mc->cred);

453

gnutls_global_deinit();

454

gnutls_dh_params_deinit(mc->dh_params);

455

return -1;

456

}

457

458

static int init_gnutls_session(mandos_context *mc,

459

gnutls_session_t *session){

460

int ret;

461

/* GnuTLS session creation */

462

ret = gnutls_init(session, GNUTLS_SERVER);

463

if (ret != GNUTLS_E_SUCCESS){

316

464

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

317

465

safer_gnutls_strerror(ret));

318

466

}

319

467

320

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

321

!= GNUTLS_E_SUCCESS) {

322

fprintf(stderr, "Syntax error at: %s\n", err);

323

fprintf(stderr, "GnuTLS error: %s\n",

324

safer_gnutls_strerror(ret));

325

return -1;

468

{

469

const char *err;

470

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

471

if (ret != GNUTLS_E_SUCCESS) {

472

fprintf(stderr, "Syntax error at: %s\n", err);

473

fprintf(stderr, "GnuTLS error: %s\n",

474

safer_gnutls_strerror(ret));

475

gnutls_deinit (*session);

476

return -1;

477

}

326

478

}

327

479

328

if ((ret = gnutls_credentials_set

329

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

330

!= GNUTLS_E_SUCCESS) {

331

fprintf(stderr, "Error setting a credentials set: %s\n",

480

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

481

mc->cred);

482

if (ret != GNUTLS_E_SUCCESS) {

483

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

332

484

safer_gnutls_strerror(ret));

485

gnutls_deinit (*session);

333

486

return -1;

334

487

}

335

488

336

489

/* ignore client certificate if any. */

337

gnutls_certificate_server_set_request (es->session,

490

gnutls_certificate_server_set_request (*session,

338

491

GNUTLS_CERT_IGNORE);

339

492

340

gnutls_dh_set_prime_bits (es->session, DH_BITS);

493

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

341

494

342

495

return 0;

343

496

}

344

497

345

void empty_log(__attribute__((unused)) AvahiLogLevel level,

346

__attribute__((unused)) const char *txt){}

498

/* Avahi log function callback */

499

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

500

__attribute__((unused)) const char *txt){}

347

501

348

int start_mandos_communication(char *ip, uint16_t port,

349

unsigned int if_index){

502

/* Called when a Mandos server is found */

503

static int start_mandos_communication(const char *ip, uint16_t port,

504

AvahiIfIndex if_index,

505

mandos_context *mc){

350

506

int ret, tcp_sd;

351

struct sockaddr_in6 to;

352

encrypted_session es;

507

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

353

508

char *buffer = NULL;

354

509

char *decrypted_buffer;

355

510

size_t buffer_length = 0;

356

511

size_t buffer_capacity = 0;

357

512

ssize_t decrypted_buffer_size;

513

size_t written;

358

514

int retval = 0;

359

515

char interface[IF_NAMESIZE];

516

gnutls_session_t session;

517

518

ret = init_gnutls_session (mc, &session);

519

if (ret != 0){

520

return -1;

521

}

360

522

361

523

if(debug){

362

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

524

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

525

"\n", ip, port);

363

526

}

364

527

365

528

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

368

531

return -1;

369

532

}

370

533

371

if(if_indextoname(if_index, interface) == NULL){

372

if(debug){

534

if(debug){

535

if(if_indextoname((unsigned int)if_index, interface) == NULL){

373

536

perror("if_indextoname");

537

return -1;

374

538

}

375

return -1;

376

}

377

378

if(debug){

379

539

fprintf(stderr, "Binding to interface %s\n", interface);

380

540

}

381

541

382

ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);

383

if(ret < 0) {

384

perror("setsockopt bindtodevice");

385

return -1;

386

}

387

388

memset(&to,0,sizeof(to));

389

to.sin6_family = AF_INET6;

390

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

542

memset(&to, 0, sizeof(to));

543

to.in6.sin6_family = AF_INET6;

544

/* It would be nice to have a way to detect if we were passed an

545

IPv4 address here. Now we assume an IPv6 address. */

546

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

391

547

if (ret < 0 ){

392

548

perror("inet_pton");

393

549

return -1;

394

}

550

}

395

551

if(ret == 0){

396

552

fprintf(stderr, "Bad address: %s\n", ip);

397

553

return -1;

398

554

}

399

/* Spurious warnings for the next line, see for instance

400

<http://bugs.debian.org/488884> */

401

to.sin6_port = htons(port);

555

to.in6.sin6_port = htons(port); /* Spurious warning */

402

556

403

to.sin6_scope_id = (uint32_t)if_index;

557

to.in6.sin6_scope_id = (uint32_t)if_index;

404

558

405

559

if(debug){

406

fprintf(stderr, "Connection to: %s\n", ip);

560

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

561

port);

562

char addrstr[INET6_ADDRSTRLEN] = "";

563

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

564

sizeof(addrstr)) == NULL){

565

perror("inet_ntop");

566

} else {

567

if(strcmp(addrstr, ip) != 0){

568

fprintf(stderr, "Canonical address form: %s\n", addrstr);

569

}

570

}

407

571

}

408

572

409

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

573

ret = connect(tcp_sd, &to.in, sizeof(to));

410

574

if (ret < 0){

411

575

perror("connect");

412

576

return -1;

413

577

}

414

578

415

ret = initgnutls (&es);

416

if (ret != 0){

417

retval = -1;

418

return -1;

579

const char *out = mandos_protocol_version;

580

written = 0;

581

while (true){

582

size_t out_size = strlen(out);

583

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

584

out_size - written));

585

if (ret == -1){

586

perror("write");

587

retval = -1;

588

goto mandos_end;

589

}

590

written += (size_t)ret;

591

if(written < out_size){

592

continue;

593

} else {

594

if (out == mandos_protocol_version){

595

written = 0;

596

out = "\r\n";

597

} else {

598

break;

599

}

600

}

419

601

}

420

602

421

gnutls_transport_set_ptr (es.session,

422

(gnutls_transport_ptr_t) tcp_sd);

423

424

603

if(debug){

425

604

fprintf(stderr, "Establishing TLS session with %s\n", ip);

426

605

}

427

606

428

ret = gnutls_handshake (es.session);

607

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

608

609

do{

610

ret = gnutls_handshake (session);

611

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

429

612

430

613

if (ret != GNUTLS_E_SUCCESS){

431

fprintf(stderr, "\n*** Handshake failed ***\n");

432

gnutls_perror (ret);

614

if(debug){

615

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

616

gnutls_perror (ret);

617

}

433

618

retval = -1;

434

goto exit;

619

goto mandos_end;

435

620

}

436

621

437

//Retrieve OpenPGP packet that contains the wanted password

622

/* Read OpenPGP packet that contains the wanted password */

438

623

439

624

if(debug){

440

625

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

441

626

ip);

442

627

}

443

628

444

629

while(true){

445

if (buffer_length + BUFFER_SIZE > buffer_capacity){

446

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

447

if (buffer == NULL){

448

perror("realloc");

449

goto exit;

450

}

451

buffer_capacity += BUFFER_SIZE;

630

buffer_capacity = adjustbuffer(&buffer, buffer_length,

631

buffer_capacity);

632

if (buffer_capacity == 0){

633

perror("adjustbuffer");

634

retval = -1;

635

goto mandos_end;

452

636

}

453

637

454

ret = gnutls_record_recv

455

(es.session, buffer+buffer_length, BUFFER_SIZE);

638

ret = gnutls_record_recv(session, buffer+buffer_length,

639

BUFFER_SIZE);

456

640

if (ret == 0){

457

641

break;

458

642

}

462

646

case GNUTLS_E_AGAIN:

463

647

break;

464

648

case GNUTLS_E_REHANDSHAKE:

465

ret = gnutls_handshake (es.session);

649

do{

650

ret = gnutls_handshake (session);

651

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

466

652

if (ret < 0){

467

fprintf(stderr, "\n*** Handshake failed ***\n");

653

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

468

654

gnutls_perror (ret);

469

655

retval = -1;

470

goto exit;

656

goto mandos_end;

471

657

}

472

658

break;

473

659

default:

474

660

fprintf(stderr, "Unknown error while reading data from"

475

" encrypted session with mandos server\n");

661

" encrypted session with Mandos server\n");

476

662

retval = -1;

477

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

478

goto exit;

663

gnutls_bye (session, GNUTLS_SHUT_RDWR);

664

goto mandos_end;

479

665

}

480

666

} else {

481

667

buffer_length += (size_t) ret;

482

668

}

483

669

}

484

670

671

if(debug){

672

fprintf(stderr, "Closing TLS session\n");

673

}

674

675

gnutls_bye (session, GNUTLS_SHUT_RDWR);

676

485

677

if (buffer_length > 0){

486

decrypted_buffer_size = pgp_packet_decrypt(buffer,

678

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

487

679

buffer_length,

488

&decrypted_buffer,

489

CERT_ROOT);

680

&decrypted_buffer);

490

681

if (decrypted_buffer_size >= 0){

491

while(decrypted_buffer_size > 0){

492

ret = fwrite (decrypted_buffer, 1, (size_t)decrypted_buffer_size,

493

stdout);

682

written = 0;

683

while(written < (size_t) decrypted_buffer_size){

684

ret = (int)fwrite (decrypted_buffer + written, 1,

685

(size_t)decrypted_buffer_size - written,

686

stdout);

494

687

if(ret == 0 and ferror(stdout)){

495

688

if(debug){

496

689

fprintf(stderr, "Error writing encrypted data: %s\n",

499

692

retval = -1;

500

693

break;

501

694

}

502

decrypted_buffer += ret;

503

decrypted_buffer_size -= ret;

695

written += (size_t)ret;

504

696

}

505

697

free(decrypted_buffer);

506

698

} else {

507

699

retval = -1;

508

700

}

509

}

510

511

//shutdown procedure

512

513

if(debug){

514

fprintf(stderr, "Closing TLS session\n");

515

}

516

701

} else {

702

retval = -1;

703

}

704

705

/* Shutdown procedure */

706

707

mandos_end:

517

708

free(buffer);

518

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

519

exit:

520

close(tcp_sd);

521

gnutls_deinit (es.session);

522

gnutls_certificate_free_credentials (es.cred);

523

gnutls_global_deinit ();

709

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

710

if(ret == -1){

711

perror("close");

712

}

713

gnutls_deinit (session);

524

714

return retval;

525

715

}

526

716

527

static AvahiSimplePoll *simple_poll = NULL;

528

static AvahiServer *server = NULL;

529

530

static void resolve_callback(

531

AvahiSServiceResolver *r,

532

AVAHI_GCC_UNUSED AvahiIfIndex interface,

533

AVAHI_GCC_UNUSED AvahiProtocol protocol,

534

AvahiResolverEvent event,

535

const char *name,

536

const char *type,

537

const char *domain,

538

const char *host_name,

539

const AvahiAddress *address,

540

uint16_t port,

541

AVAHI_GCC_UNUSED AvahiStringList *txt,

542

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

543

AVAHI_GCC_UNUSED void* userdata) {

544

717

static void resolve_callback(AvahiSServiceResolver *r,

718

AvahiIfIndex interface,

719

AVAHI_GCC_UNUSED AvahiProtocol protocol,

720

AvahiResolverEvent event,

721

const char *name,

722

const char *type,

723

const char *domain,

724

const char *host_name,

725

const AvahiAddress *address,

726

uint16_t port,

727

AVAHI_GCC_UNUSED AvahiStringList *txt,

728

AVAHI_GCC_UNUSED AvahiLookupResultFlags

729

flags,

730

void* userdata) {

731

mandos_context *mc = userdata;

545

732

assert(r);

546

733

547

734

/* Called whenever a service has been resolved successfully or

548

735

timed out */

549

736

550

737

switch (event) {

551

738

default:

552

739

case AVAHI_RESOLVER_FAILURE:

553

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

554

" type '%s' in domain '%s': %s\n", name, type, domain,

555

avahi_strerror(avahi_server_errno(server)));

740

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

741

" of type '%s' in domain '%s': %s\n", name, type, domain,

742

avahi_strerror(avahi_server_errno(mc->server)));

556

743

break;

557

744

558

745

case AVAHI_RESOLVER_FOUND:

559

746

{

560

747

char ip[AVAHI_ADDRESS_STR_MAX];

561

748

avahi_address_snprint(ip, sizeof(ip), address);

562

749

if(debug){

563

fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",

564

host_name, ip, port);

750

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

751

PRIu16 ") on port %d\n", name, host_name, ip,

752

interface, port);

565

753

}

566

int ret = start_mandos_communication(ip, port,

567

(unsigned int)

568

interface);

754

int ret = start_mandos_communication(ip, port, interface, mc);

569

755

if (ret == 0){

570

exit(EXIT_SUCCESS);

571

} else {

572

exit(EXIT_FAILURE);

756

avahi_simple_poll_quit(mc->simple_poll);

573

757

}

574

758

}

575

759

}

576

760

avahi_s_service_resolver_free(r);

577

761

}

578

762

579

static void browse_callback(

580

AvahiSServiceBrowser *b,

581

AvahiIfIndex interface,

582

AvahiProtocol protocol,

583

AvahiBrowserEvent event,

584

const char *name,

585

const char *type,

586

const char *domain,

587

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

588

void* userdata) {

589

590

AvahiServer *s = userdata;

591

assert(b);

592

593

/* Called whenever a new services becomes available on the LAN or

594

is removed from the LAN */

595

596

switch (event) {

597

default:

598

case AVAHI_BROWSER_FAILURE:

599

600

fprintf(stderr, "(Browser) %s\n",

601

avahi_strerror(avahi_server_errno(server)));

602

avahi_simple_poll_quit(simple_poll);

603

return;

604

605

case AVAHI_BROWSER_NEW:

606

/* We ignore the returned resolver object. In the callback

607

function we free it. If the server is terminated before

608

the callback function is called the server will free

609

the resolver for us. */

610

611

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

612

type, domain,

613

AVAHI_PROTO_INET6, 0,

614

resolve_callback, s)))

615

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

616

avahi_strerror(avahi_server_errno(s)));

617

break;

618

619

case AVAHI_BROWSER_REMOVE:

620

break;

621

622

case AVAHI_BROWSER_ALL_FOR_NOW:

623

case AVAHI_BROWSER_CACHE_EXHAUSTED:

624

break;

763

static void browse_callback( AvahiSServiceBrowser *b,

764

AvahiIfIndex interface,

765

AvahiProtocol protocol,

766

AvahiBrowserEvent event,

767

const char *name,

768

const char *type,

769

const char *domain,

770

AVAHI_GCC_UNUSED AvahiLookupResultFlags

771

flags,

772

void* userdata) {

773

mandos_context *mc = userdata;

774

assert(b);

775

776

/* Called whenever a new services becomes available on the LAN or

777

is removed from the LAN */

778

779

switch (event) {

780

default:

781

case AVAHI_BROWSER_FAILURE:

782

783

fprintf(stderr, "(Avahi browser) %s\n",

784

avahi_strerror(avahi_server_errno(mc->server)));

785

avahi_simple_poll_quit(mc->simple_poll);

786

return;

787

788

case AVAHI_BROWSER_NEW:

789

/* We ignore the returned Avahi resolver object. In the callback

790

function we free it. If the Avahi server is terminated before

791

the callback function is called the Avahi server will free the

792

resolver for us. */

793

794

if (!(avahi_s_service_resolver_new(mc->server, interface,

795

protocol, name, type, domain,

796

AVAHI_PROTO_INET6, 0,

797

resolve_callback, mc)))

798

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

799

name, avahi_strerror(avahi_server_errno(mc->server)));

800

break;

801

802

case AVAHI_BROWSER_REMOVE:

803

break;

804

805

case AVAHI_BROWSER_ALL_FOR_NOW:

806

case AVAHI_BROWSER_CACHE_EXHAUSTED:

807

if(debug){

808

fprintf(stderr, "No Mandos server found, still searching...\n");

625

809

}

810

break;

811

}

626

812

}

627

813

628

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

629

AvahiServerConfig config;

814

int main(int argc, char *argv[]){

630

815

AvahiSServiceBrowser *sb = NULL;

631

816

int error;

632

817

int ret;

633

int returncode = EXIT_SUCCESS;

818

int exitcode = EXIT_SUCCESS;

634

819

const char *interface = "eth0";

635

636

while (true){

637

static struct option long_options[] = {

638

{"debug", no_argument, (int *)&debug, 1},

639

{"interface", required_argument, 0, 'i'},

640

{0, 0, 0, 0} };

641

642

int option_index = 0;

643

ret = getopt_long (argc, argv, "i:", long_options,

644

&option_index);

645

646

if (ret == -1){

647

break;

648

}

649

650

switch(ret){

651

case 0:

652

break;

653

case 'i':

654

interface = optarg;

655

break;

656

default:

657

exit(EXIT_FAILURE);

658

}

820

struct ifreq network;

821

int sd;

822

uid_t uid;

823

gid_t gid;

824

char *connect_to = NULL;

825

char tempdir[] = "/tmp/mandosXXXXXX";

826

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

827

const char *seckey = PATHDIR "/" SECKEY;

828

const char *pubkey = PATHDIR "/" PUBKEY;

829

830

mandos_context mc = { .simple_poll = NULL, .server = NULL,

831

.dh_bits = 1024, .priority = "SECURE256"

832

":!CTYPE-X.509:+CTYPE-OPENPGP" };

833

bool gnutls_initalized = false;

834

bool gpgme_initalized = false;

835

836

{

837

struct argp_option options[] = {

838

{ .name = "debug", .key = 128,

839

.doc = "Debug mode", .group = 3 },

840

{ .name = "connect", .key = 'c',

841

.arg = "ADDRESS:PORT",

842

.doc = "Connect directly to a specific Mandos server",

843

.group = 1 },

844

{ .name = "interface", .key = 'i',

845

.arg = "NAME",

846

.doc = "Interface that will be used to search for Mandos"

847

" servers",

848

.group = 1 },

849

{ .name = "seckey", .key = 's',

850

.arg = "FILE",

851

.doc = "OpenPGP secret key file base name",

852

.group = 1 },

853

{ .name = "pubkey", .key = 'p',

854

.arg = "FILE",

855

.doc = "OpenPGP public key file base name",

856

.group = 2 },

857

{ .name = "dh-bits", .key = 129,

858

.arg = "BITS",

859

.doc = "Bit length of the prime number used in the"

860

" Diffie-Hellman key exchange",

861

.group = 2 },

862

{ .name = "priority", .key = 130,

863

.arg = "STRING",

864

.doc = "GnuTLS priority string for the TLS handshake",

865

.group = 1 },

866

{ .name = NULL }

867

};

868

869

error_t parse_opt (int key, char *arg,

870

struct argp_state *state) {

871

/* Get the INPUT argument from `argp_parse', which we know is

872

a pointer to our plugin list pointer. */

873

switch (key) {

874

case 128: /* --debug */

875

debug = true;

876

break;

877

case 'c': /* --connect */

878

connect_to = arg;

879

break;

880

case 'i': /* --interface */

881

interface = arg;

882

break;

883

case 's': /* --seckey */

884

seckey = arg;

885

break;

886

case 'p': /* --pubkey */

887

pubkey = arg;

888

break;

889

case 129: /* --dh-bits */

890

errno = 0;

891

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

892

if (errno){

893

perror("strtol");

894

exit(EXIT_FAILURE);

895

}

896

break;

897

case 130: /* --priority */

898

mc.priority = arg;

899

break;

900

case ARGP_KEY_ARG:

901

argp_usage (state);

902

case ARGP_KEY_END:

903

break;

904

default:

905

return ARGP_ERR_UNKNOWN;

906

}

907

return 0;

908

}

909

910

struct argp argp = { .options = options, .parser = parse_opt,

911

.args_doc = "",

912

.doc = "Mandos client -- Get and decrypt"

913

" passwords from a Mandos server" };

914

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

915

if (ret == ARGP_ERR_UNKNOWN){

916

fprintf(stderr, "Unknown error while parsing arguments\n");

917

exitcode = EXIT_FAILURE;

918

goto end;

919

}

920

}

921

922

/* If the interface is down, bring it up */

923

{

924

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

925

if(sd < 0) {

926

perror("socket");

927

exitcode = EXIT_FAILURE;

928

goto end;

929

}

930

strcpy(network.ifr_name, interface);

931

ret = ioctl(sd, SIOCGIFFLAGS, &network);

932

if(ret == -1){

933

perror("ioctl SIOCGIFFLAGS");

934

exitcode = EXIT_FAILURE;

935

goto end;

936

}

937

if((network.ifr_flags & IFF_UP) == 0){

938

network.ifr_flags |= IFF_UP;

939

ret = ioctl(sd, SIOCSIFFLAGS, &network);

940

if(ret == -1){

941

perror("ioctl SIOCSIFFLAGS");

942

exitcode = EXIT_FAILURE;

943

goto end;

944

}

945

}

946

ret = TEMP_FAILURE_RETRY(close(sd));

947

if(ret == -1){

948

perror("close");

949

}

950

}

951

952

uid = getuid();

953

gid = getgid();

954

955

ret = setuid(uid);

956

if (ret == -1){

957

perror("setuid");

958

}

959

960

setgid(gid);

961

if (ret == -1){

962

perror("setgid");

963

}

964

965

ret = init_gnutls_global(&mc, pubkey, seckey);

966

if (ret == -1){

967

fprintf(stderr, "init_gnutls_global failed\n");

968

exitcode = EXIT_FAILURE;

969

goto end;

970

} else {

971

gnutls_initalized = true;

972

}

973

974

if(mkdtemp(tempdir) == NULL){

975

perror("mkdtemp");

976

tempdir[0] = '\0';

977

goto end;

978

}

979

980

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

981

fprintf(stderr, "gpgme_initalized failed\n");

982

exitcode = EXIT_FAILURE;

983

goto end;

984

} else {

985

gpgme_initalized = true;

986

}

987

988

if_index = (AvahiIfIndex) if_nametoindex(interface);

989

if(if_index == 0){

990

fprintf(stderr, "No such interface: \"%s\"\n", interface);

991

exit(EXIT_FAILURE);

992

}

993

994

if(connect_to != NULL){

995

/* Connect directly, do not use Zeroconf */

996

/* (Mainly meant for debugging) */

997

char *address = strrchr(connect_to, ':');

998

if(address == NULL){

999

fprintf(stderr, "No colon in address\n");

1000

exitcode = EXIT_FAILURE;

1001

goto end;

1002

}

1003

errno = 0;

1004

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1005

if(errno){

1006

perror("Bad port number");

1007

exitcode = EXIT_FAILURE;

1008

goto end;

1009

}

1010

*address = '\0';

1011

address = connect_to;

1012

ret = start_mandos_communication(address, port, if_index, &mc);

1013

if(ret < 0){

1014

exitcode = EXIT_FAILURE;

1015

} else {

1016

exitcode = EXIT_SUCCESS;

1017

}

1018

goto end;

659

1019

}

660

1020

661

1021

if (not debug){

662

1022

avahi_set_log_function(empty_log);

663

1023

}

664

1024

665

/* Initialize the psuedo-RNG */

1025

/* Initialize the pseudo-RNG for Avahi */

666

1026

srand((unsigned int) time(NULL));

667

668

/* Allocate main loop object */

669

if (!(simple_poll = avahi_simple_poll_new())) {

670

fprintf(stderr, "Failed to create simple poll object.\n");

671

672

goto exit;

673

}

674

675

/* Do not publish any local records */

676

avahi_server_config_init(&config);

677

config.publish_hinfo = 0;

678

config.publish_addresses = 0;

679

config.publish_workstation = 0;

680

config.publish_domain = 0;

681

682

/* Allocate a new server */

683

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

684

&config, NULL, NULL, &error);

685

686

/* Free the configuration data */

687

avahi_server_config_free(&config);

688

689

/* Check if creating the server object succeeded */

690

if (!server) {

691

fprintf(stderr, "Failed to create server: %s\n",

1027

1028

/* Allocate main Avahi loop object */

1029

mc.simple_poll = avahi_simple_poll_new();

1030

if (mc.simple_poll == NULL) {

1031

fprintf(stderr, "Avahi: Failed to create simple poll"

1032

" object.\n");

1033

exitcode = EXIT_FAILURE;

1034

goto end;

1035

}

1036

1037

{

1038

AvahiServerConfig config;

1039

/* Do not publish any local Zeroconf records */

1040

avahi_server_config_init(&config);

1041

config.publish_hinfo = 0;

1042

config.publish_addresses = 0;

1043

config.publish_workstation = 0;

1044

config.publish_domain = 0;

1045

1046

/* Allocate a new server */

1047

mc.server = avahi_server_new(avahi_simple_poll_get

1048

(mc.simple_poll), &config, NULL,

1049

NULL, &error);

1050

1051

/* Free the Avahi configuration data */

1052

avahi_server_config_free(&config);

1053

}

1054

1055

/* Check if creating the Avahi server object succeeded */

1056

if (mc.server == NULL) {

1057

fprintf(stderr, "Failed to create Avahi server: %s\n",

692

1058

avahi_strerror(error));

693

returncode = EXIT_FAILURE;

694

goto exit;

1059

exitcode = EXIT_FAILURE;

1060

goto end;

695

1061

}

696

1062

697

/* Create the service browser */

698

sb = avahi_s_service_browser_new(server,

699

(AvahiIfIndex)

700

if_nametoindex(interface),

1063

/* Create the Avahi service browser */

1064

sb = avahi_s_service_browser_new(mc.server, if_index,

701

1065

AVAHI_PROTO_INET6,

702

1066

"_mandos._tcp", NULL, 0,

703

browse_callback, server);

704

if (!sb) {

1067

browse_callback, &mc);

1068

if (sb == NULL) {

705

1069

fprintf(stderr, "Failed to create service browser: %s\n",

706

avahi_strerror(avahi_server_errno(server)));

707

returncode = EXIT_FAILURE;

708

goto exit;

1070

avahi_strerror(avahi_server_errno(mc.server)));

1071

exitcode = EXIT_FAILURE;

1072

goto end;

709

1073

}

710

1074

711

1075

/* Run the main loop */

712

1076

713

1077

if (debug){

714

fprintf(stderr, "Starting avahi loop search\n");

1078

fprintf(stderr, "Starting Avahi loop search\n");

715

1079

}

716

1080

717

avahi_simple_poll_loop(simple_poll);

718

719

exit:

720

1081

avahi_simple_poll_loop(mc.simple_poll);

1082

1083

end:

1084

721

1085

if (debug){

722

1086

fprintf(stderr, "%s exiting\n", argv[0]);

723

1087

}

724

1088

725

1089

/* Cleanup things */

726

if (sb)

1090

if (sb != NULL)

727

1091

avahi_s_service_browser_free(sb);

728

1092

729

if (server)

730

avahi_server_free(server);

731

732

if (simple_poll)

733

avahi_simple_poll_free(simple_poll);

734

735

return returncode;

1093

if (mc.server != NULL)

1094

avahi_server_free(mc.server);

1095

1096

if (mc.simple_poll != NULL)

1097

avahi_simple_poll_free(mc.simple_poll);

1098

1099

if (gnutls_initalized){

1100

gnutls_certificate_free_credentials(mc.cred);

1101

gnutls_global_deinit ();

1102

gnutls_dh_params_deinit(mc.dh_params);

1103

}

1104

1105

if(gpgme_initalized){

1106

gpgme_release(mc.ctx);

1107

}

1108

1109

/* Removes the temp directory used by GPGME */

1110

if(tempdir[0] != '\0'){

1111

DIR *d;

1112

struct dirent *direntry;

1113

d = opendir(tempdir);

1114

if(d == NULL){

1115

perror("opendir");

1116

} else {

1117

while(true){

1118

direntry = readdir(d);

1119

if(direntry == NULL){

1120

break;

1121

}

1122

if (direntry->d_type == DT_REG){

1123

char *fullname = NULL;

1124

ret = asprintf(&fullname, "%s/%s", tempdir,

1125

direntry->d_name);

1126

if(ret < 0){

1127

perror("asprintf");

1128

continue;

1129

}

1130

ret = unlink(fullname);

1131

if(ret == -1){

1132

fprintf(stderr, "unlink(\"%s\"): %s",

1133

fullname, strerror(errno));

1134

}

1135

free(fullname);

1136

}

1137

}

1138

closedir(d);

1139

}

1140

ret = rmdir(tempdir);

1141

if(ret == -1){

1142

perror("rmdir");

1143

}

1144

}

1145

1146

return exitcode;

736

1147

}

Older »