To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandosclient.c
- browse files at revision 19
- compare with another revision
- download diff
- download tarball
- view history from revision 19
- Committer: Teddy Hogeborn
- Date: 2008-07-21 02:35:05 UTC
- Revision ID: teddy@fukt.bsnet.se-20080721023505-x7pjntkgur2h5jkg
* plugins.d/mandosclient.c (start_mandos_communcation): Renamed to
"start_mandos_communication"
"start_mandos_communication"
- files added:
- ca.pem
- files removed:
- .bzr-builddeb
- debian
- debian/po
- files renamed:
- clients.conf => mandos-clients.conf
- plugin-runner.c => plugbasedclient.c
- plugins.d/mandos-client.c => plugins.d/mandosclient.c
- plugins.d/password-prompt.c => plugins.d/passprompt.c
- mandos => server.py
- files modified:
- Makefile
added
removed
plugins.d/mandosclient.c
1
/* -*- coding: utf-8 -*- */
2
/*
3
* Mandos-client - get and decrypt data from a Mandos server
4
*
5
* This program is partly derived from an example program for an Avahi
6
* service browser, downloaded from
7
* <http://avahi.org/browser/examples/core-browse-services.c>. This
8
* includes the following functions: "resolve_callback",
9
* "browse_callback", and parts of "main".
10
*
11
* Everything else is
12
* Copyright © 2008,2009 Teddy Hogeborn
13
* Copyright © 2008,2009 Björn Påhlsson
14
*
15
* This program is free software: you can redistribute it and/or
16
* modify it under the terms of the GNU General Public License as
17
* published by the Free Software Foundation, either version 3 of the
18
* License, or (at your option) any later version.
19
*
20
* This program is distributed in the hope that it will be useful, but
21
* WITHOUT ANY WARRANTY; without even the implied warranty of
22
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23
* General Public License for more details.
24
*
25
* You should have received a copy of the GNU General Public License
26
* along with this program. If not, see
27
* <http://www.gnu.org/licenses/>.
28
*
29
* Contact the authors at <mandos@fukt.bsnet.se>.
30
*/
1
/***
2
This file is part of avahi.
3
4
avahi is free software; you can redistribute it and/or modify it
5
under the terms of the GNU Lesser General Public License as
6
published by the Free Software Foundation; either version 2.1 of the
7
License, or (at your option) any later version.
8
9
avahi is distributed in the hope that it will be useful, but WITHOUT
10
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
12
Public License for more details.
13
14
You should have received a copy of the GNU Lesser General Public
15
License along with avahi; if not, write to the Free Software
16
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
17
USA.
18
***/
31
19
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
20
#define _LARGEFILE_SOURCE
34
21
#define _FILE_OFFSET_BITS 64
35
22
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
37
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror(), sscanf(),
40
remove() */
41
#include <stdint.h> /* uint16_t, uint32_t */
42
#include <stddef.h> /* NULL, size_t, ssize_t */
43
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
44
srand() */
45
#include <stdbool.h> /* bool, true */
46
#include <string.h> /* memset(), strcmp(), strlen(),
47
strerror(), asprintf(), strcpy() */
48
#include <sys/ioctl.h> /* ioctl */
49
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
sockaddr_in6, PF_INET6,
51
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t, open(), opendir(),
53
DIR */
54
#include <sys/stat.h> /* open() */
55
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
56
struct in6_addr, inet_pton(),
57
connect() */
58
#include <fcntl.h> /* open() */
59
#include <dirent.h> /* opendir(), struct dirent, readdir()
60
*/
61
#include <inttypes.h> /* PRIu16, intmax_t, SCNdMAX */
62
#include <assert.h> /* assert() */
63
#include <errno.h> /* perror(), errno */
64
#include <time.h> /* time() */
65
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
66
SIOCSIFFLAGS, if_indextoname(),
67
if_nametoindex(), IF_NAMESIZE */
68
#include <netinet/in.h>
69
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
70
getuid(), getgid(), setuid(),
71
setgid() */
72
#include <arpa/inet.h> /* inet_pton(), htons */
73
#include <iso646.h> /* not, and, or */
74
#include <argp.h> /* struct argp_option, error_t, struct
75
argp_state, struct argp,
76
argp_parse(), ARGP_KEY_ARG,
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
79
/* Avahi */
80
/* All Avahi types, constants and functions
81
Avahi*, avahi_*,
82
AVAHI_* */
23
#include <stdio.h>
24
#include <assert.h>
25
#include <stdlib.h>
26
#include <time.h>
27
#include <net/if.h> /* if_nametoindex */
28
83
29
#include <avahi-core/core.h>
84
30
#include <avahi-core/lookup.h>
85
31
#include <avahi-core/log.h>
87
33
#include <avahi-common/malloc.h>
88
34
#include <avahi-common/error.h>
89
35
90
/* GnuTLS */
91
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
92
functions:
93
gnutls_*
94
init_gnutls_session(),
95
GNUTLS_* */
96
#include <gnutls/openpgp.h>
97
/* gnutls_certificate_set_openpgp_key_file(),
98
GNUTLS_OPENPGP_FMT_BASE64 */
99
100
/* GPGME */
101
#include <gpgme.h> /* All GPGME types, constants and
102
functions:
103
gpgme_*
104
GPGME_PROTOCOL_OpenPGP,
105
GPG_ERR_NO_* */
106
36
//mandos client part
37
#include <sys/types.h> /* socket(), setsockopt(), inet_pton() */
38
#include <sys/socket.h> /* socket(), setsockopt(), struct sockaddr_in6, struct in6_addr, inet_pton() */
39
#include <gnutls/gnutls.h> /* ALL GNUTLS STUFF */
40
#include <gnutls/openpgp.h> /* gnutls with openpgp stuff */
41
42
#include <unistd.h> /* close() */
43
#include <netinet/in.h>
44
#include <stdbool.h> /* true */
45
#include <string.h> /* memset */
46
#include <arpa/inet.h> /* inet_pton() */
47
#include <iso646.h> /* not */
48
49
// gpgme
50
#include <errno.h> /* perror() */
51
#include <gpgme.h>
52
53
54
#ifndef CERT_ROOT
55
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
56
#endif
57
#define CERTFILE CERT_ROOT "openpgp-client.txt"
58
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
107
59
#define BUFFER_SIZE 256
108
109
#define PATHDIR "/conf/conf.d/mandos"
110
#define SECKEY "seckey.txt"
111
#define PUBKEY "pubkey.txt"
60
#define DH_BITS 1024
112
61
113
62
bool debug = false;
114
static const char mandos_protocol_version[] = "1";
115
const char *argp_program_version = "mandos-client " VERSION;
116
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
117
63
118
/* Used for passing in values through the Avahi callback functions */
119
64
typedef struct {
120
AvahiSimplePoll *simple_poll;
121
AvahiServer *server;
65
gnutls_session_t session;
122
66
gnutls_certificate_credentials_t cred;
123
unsigned int dh_bits;
124
67
gnutls_dh_params_t dh_params;
125
const char *priority;
68
} encrypted_session;
69
70
71
ssize_t gpg_packet_decrypt (char *packet, size_t packet_size, char **new_packet, char *homedir){
72
gpgme_data_t dh_crypto, dh_plain;
126
73
gpgme_ctx_t ctx;
127
} mandos_context;
128
129
/*
130
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
131
* "buffer_capacity" is how much is currently allocated,
132
* "buffer_length" is how much is already used.
133
*/
134
size_t adjustbuffer(char **buffer, size_t buffer_length,
135
size_t buffer_capacity){
136
if(buffer_length + BUFFER_SIZE > buffer_capacity){
137
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
138
if(buffer == NULL){
139
return 0;
140
}
141
buffer_capacity += BUFFER_SIZE;
142
}
143
return buffer_capacity;
144
}
145
146
/*
147
* Initialize GPGME.
148
*/
149
static bool init_gpgme(mandos_context *mc, const char *seckey,
150
const char *pubkey, const char *tempdir){
151
int ret;
152
74
gpgme_error_t rc;
75
ssize_t ret;
76
size_t new_packet_capacity = 0;
77
size_t new_packet_length = 0;
153
78
gpgme_engine_info_t engine_info;
154
155
156
/*
157
* Helper function to insert pub and seckey to the enigne keyring.
158
*/
159
bool import_key(const char *filename){
160
int fd;
161
gpgme_data_t pgp_data;
162
163
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
164
if(fd == -1){
165
perror("open");
166
return false;
167
}
168
169
rc = gpgme_data_new_from_fd(&pgp_data, fd);
170
if(rc != GPG_ERR_NO_ERROR){
171
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
172
gpgme_strsource(rc), gpgme_strerror(rc));
173
return false;
174
}
175
176
rc = gpgme_op_import(mc->ctx, pgp_data);
177
if(rc != GPG_ERR_NO_ERROR){
178
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
179
gpgme_strsource(rc), gpgme_strerror(rc));
180
return false;
181
}
182
183
ret = (int)TEMP_FAILURE_RETRY(close(fd));
184
if(ret == -1){
185
perror("close");
186
}
187
gpgme_data_release(pgp_data);
188
return true;
189
}
190
191
if(debug){
192
fprintf(stderr, "Initialize gpgme\n");
79
80
if (debug){
81
fprintf(stderr, "Attempting to decrypt password from gpg packet\n");
193
82
}
194
83
195
84
/* Init GPGME */
196
85
gpgme_check_version(NULL);
197
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
198
if(rc != GPG_ERR_NO_ERROR){
199
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
200
gpgme_strsource(rc), gpgme_strerror(rc));
201
return false;
202
}
86
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
203
87
204
/* Set GPGME home directory for the OpenPGP engine only */
205
rc = gpgme_get_engine_info(&engine_info);
206
if(rc != GPG_ERR_NO_ERROR){
88
/* Set GPGME home directory */
89
rc = gpgme_get_engine_info (&engine_info);
90
if (rc != GPG_ERR_NO_ERROR){
207
91
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
208
92
gpgme_strsource(rc), gpgme_strerror(rc));
209
return false;
93
return -1;
210
94
}
211
95
while(engine_info != NULL){
212
96
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
213
97
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
214
engine_info->file_name, tempdir);
98
engine_info->file_name, homedir);
215
99
break;
216
100
}
217
101
engine_info = engine_info->next;
218
102
}
219
103
if(engine_info == NULL){
220
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
221
return false;
222
}
223
224
/* Create new GPGME "context" */
225
rc = gpgme_new(&(mc->ctx));
226
if(rc != GPG_ERR_NO_ERROR){
227
fprintf(stderr, "bad gpgme_new: %s: %s\n",
228
gpgme_strsource(rc), gpgme_strerror(rc));
229
return false;
230
}
231
232
if(not import_key(pubkey) or not import_key(seckey)){
233
return false;
234
}
235
236
return true;
237
}
238
239
/*
240
* Decrypt OpenPGP data.
241
* Returns -1 on error
242
*/
243
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
244
const char *cryptotext,
245
size_t crypto_size,
246
char **plaintext){
247
gpgme_data_t dh_crypto, dh_plain;
248
gpgme_error_t rc;
249
ssize_t ret;
250
size_t plaintext_capacity = 0;
251
ssize_t plaintext_length = 0;
252
253
if(debug){
254
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
255
}
256
257
/* Create new GPGME data buffer from memory cryptotext */
258
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
259
0);
260
if(rc != GPG_ERR_NO_ERROR){
104
fprintf(stderr, "Could not set home dir to %s\n", homedir);
105
return -1;
106
}
107
108
/* Create new GPGME data buffer from packet buffer */
109
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
110
if (rc != GPG_ERR_NO_ERROR){
261
111
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
262
112
gpgme_strsource(rc), gpgme_strerror(rc));
263
113
return -1;
265
115
266
116
/* Create new empty GPGME data buffer for the plaintext */
267
117
rc = gpgme_data_new(&dh_plain);
268
if(rc != GPG_ERR_NO_ERROR){
118
if (rc != GPG_ERR_NO_ERROR){
269
119
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
270
120
gpgme_strsource(rc), gpgme_strerror(rc));
271
gpgme_data_release(dh_crypto);
272
return -1;
273
}
274
275
/* Decrypt data from the cryptotext data buffer to the plaintext
276
data buffer */
277
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
278
if(rc != GPG_ERR_NO_ERROR){
121
return -1;
122
}
123
124
/* Create new GPGME "context" */
125
rc = gpgme_new(&ctx);
126
if (rc != GPG_ERR_NO_ERROR){
127
fprintf(stderr, "bad gpgme_new: %s: %s\n",
128
gpgme_strsource(rc), gpgme_strerror(rc));
129
return -1;
130
}
131
132
/* Decrypt data from the FILE pointer to the plaintext data buffer */
133
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
134
if (rc != GPG_ERR_NO_ERROR){
279
135
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
280
136
gpgme_strsource(rc), gpgme_strerror(rc));
281
plaintext_length = -1;
282
if(debug){
283
gpgme_decrypt_result_t result;
284
result = gpgme_op_decrypt_result(mc->ctx);
285
if(result == NULL){
286
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
287
} else {
288
fprintf(stderr, "Unsupported algorithm: %s\n",
289
result->unsupported_algorithm);
290
fprintf(stderr, "Wrong key usage: %u\n",
291
result->wrong_key_usage);
292
if(result->file_name != NULL){
293
fprintf(stderr, "File name: %s\n", result->file_name);
294
}
295
gpgme_recipient_t recipient;
296
recipient = result->recipients;
297
if(recipient){
298
while(recipient != NULL){
299
fprintf(stderr, "Public key algorithm: %s\n",
300
gpgme_pubkey_algo_name(recipient->pubkey_algo));
301
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
302
fprintf(stderr, "Secret key available: %s\n",
303
recipient->status == GPG_ERR_NO_SECKEY
304
? "No" : "Yes");
305
recipient = recipient->next;
306
}
137
return -1;
138
}
139
140
if(debug){
141
fprintf(stderr, "decryption of gpg packet succeeded\n");
142
}
143
144
if (debug){
145
gpgme_decrypt_result_t result;
146
result = gpgme_op_decrypt_result(ctx);
147
if (result == NULL){
148
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
149
} else {
150
fprintf(stderr, "Unsupported algorithm: %s\n", result->unsupported_algorithm);
151
fprintf(stderr, "Wrong key usage: %d\n", result->wrong_key_usage);
152
if(result->file_name != NULL){
153
fprintf(stderr, "File name: %s\n", result->file_name);
154
}
155
gpgme_recipient_t recipient;
156
recipient = result->recipients;
157
if(recipient){
158
while(recipient != NULL){
159
fprintf(stderr, "Public key algorithm: %s\n",
160
gpgme_pubkey_algo_name(recipient->pubkey_algo));
161
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
162
fprintf(stderr, "Secret key available: %s\n",
163
recipient->status == GPG_ERR_NO_SECKEY ? "No" : "Yes");
164
recipient = recipient->next;
307
165
}
308
166
}
309
167
}
310
goto decrypt_end;
311
168
}
312
169
313
if(debug){
314
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
315
}
170
/* Delete the GPGME FILE pointer cryptotext data buffer */
171
gpgme_data_release(dh_crypto);
316
172
317
173
/* Seek back to the beginning of the GPGME plaintext data buffer */
318
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
319
perror("gpgme_data_seek");
320
plaintext_length = -1;
321
goto decrypt_end;
322
}
323
324
*plaintext = NULL;
174
gpgme_data_seek(dh_plain, 0, SEEK_SET);
175
176
*new_packet = 0;
325
177
while(true){
326
plaintext_capacity = adjustbuffer(plaintext,
327
(size_t)plaintext_length,
328
plaintext_capacity);
329
if(plaintext_capacity == 0){
330
perror("adjustbuffer");
331
plaintext_length = -1;
332
goto decrypt_end;
178
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
179
*new_packet = realloc(*new_packet, new_packet_capacity + BUFFER_SIZE);
180
if (*new_packet == NULL){
181
perror("realloc");
182
return -1;
183
}
184
new_packet_capacity += BUFFER_SIZE;
333
185
}
334
186
335
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
336
BUFFER_SIZE);
187
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length, BUFFER_SIZE);
337
188
/* Print the data, if any */
338
if(ret == 0){
339
/* EOF */
189
if (ret == 0){
190
/* If password is empty, then a incorrect error will be printed */
340
191
break;
341
192
}
342
193
if(ret < 0){
343
194
perror("gpgme_data_read");
344
plaintext_length = -1;
345
goto decrypt_end;
195
return -1;
346
196
}
347
plaintext_length += ret;
197
new_packet_length += ret;
348
198
}
349
199
350
200
if(debug){
351
fprintf(stderr, "Decrypted password is: ");
352
for(ssize_t i = 0; i < plaintext_length; i++){
353
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
354
}
355
fprintf(stderr, "\n");
201
fprintf(stderr, "decrypted password is: %s\n", *new_packet);
356
202
}
357
358
decrypt_end:
359
360
/* Delete the GPGME cryptotext data buffer */
361
gpgme_data_release(dh_crypto);
362
363
/* Delete the GPGME plaintext data buffer */
203
204
/* Delete the GPGME plaintext data buffer */
364
205
gpgme_data_release(dh_plain);
365
return plaintext_length;
206
return new_packet_length;
366
207
}
367
208
368
static const char * safer_gnutls_strerror(int value) {
369
const char *ret = gnutls_strerror(value); /* Spurious warning from
370
-Wunreachable-code */
371
if(ret == NULL)
209
static const char * safer_gnutls_strerror (int value) {
210
const char *ret = gnutls_strerror (value);
211
if (ret == NULL)
372
212
ret = "(unknown)";
373
213
return ret;
374
214
}
375
215
376
/* GnuTLS log function callback */
377
static void debuggnutls(__attribute__((unused)) int level,
378
const char* string){
379
fprintf(stderr, "GnuTLS: %s", string);
216
void debuggnutls(int level, const char* string){
217
fprintf(stderr, "%s", string);
380
218
}
381
219
382
static int init_gnutls_global(mandos_context *mc,
383
const char *pubkeyfilename,
384
const char *seckeyfilename){
220
int initgnutls(encrypted_session *es){
221
const char *err;
385
222
int ret;
386
223
387
224
if(debug){
388
fprintf(stderr, "Initializing GnuTLS\n");
225
fprintf(stderr, "Initializing gnutls\n");
389
226
}
227
390
228
391
ret = gnutls_global_init();
392
if(ret != GNUTLS_E_SUCCESS) {
393
fprintf(stderr, "GnuTLS global_init: %s\n",
394
safer_gnutls_strerror(ret));
229
if ((ret = gnutls_global_init ())
230
!= GNUTLS_E_SUCCESS) {
231
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
395
232
return -1;
396
233
}
397
398
if(debug){
399
/* "Use a log level over 10 to enable all debugging options."
400
* - GnuTLS manual
401
*/
234
235
if (debug){
402
236
gnutls_global_set_log_level(11);
403
237
gnutls_global_set_log_function(debuggnutls);
404
238
}
405
239
406
/* OpenPGP credentials */
407
gnutls_certificate_allocate_credentials(&mc->cred);
408
if(ret != GNUTLS_E_SUCCESS){
409
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
410
* from
411
* -Wunreachable-code
412
*/
413
safer_gnutls_strerror(ret));
414
gnutls_global_deinit();
240
241
/* openpgp credentials */
242
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
243
!= GNUTLS_E_SUCCESS) {
244
fprintf (stderr, "memory error: %s\n", safer_gnutls_strerror(ret));
415
245
return -1;
416
246
}
417
247
418
248
if(debug){
419
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
420
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
421
seckeyfilename);
249
fprintf(stderr, "Attempting to use openpgp certificate %s"
250
" and keyfile %s as gnutls credentials\n", CERTFILE, KEYFILE);
422
251
}
423
252
424
253
ret = gnutls_certificate_set_openpgp_key_file
425
(mc->cred, pubkeyfilename, seckeyfilename,
426
GNUTLS_OPENPGP_FMT_BASE64);
427
if(ret != GNUTLS_E_SUCCESS) {
428
fprintf(stderr,
429
"Error[%d] while reading the OpenPGP key pair ('%s',"
430
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
431
fprintf(stderr, "The GnuTLS error is: %s\n",
432
safer_gnutls_strerror(ret));
433
goto globalfail;
434
}
435
436
/* GnuTLS server initialization */
437
ret = gnutls_dh_params_init(&mc->dh_params);
438
if(ret != GNUTLS_E_SUCCESS) {
439
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
440
" %s\n", safer_gnutls_strerror(ret));
441
goto globalfail;
442
}
443
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
444
if(ret != GNUTLS_E_SUCCESS) {
445
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
446
safer_gnutls_strerror(ret));
447
goto globalfail;
448
}
449
450
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
451
452
return 0;
453
454
globalfail:
455
456
gnutls_certificate_free_credentials(mc->cred);
457
gnutls_global_deinit();
458
gnutls_dh_params_deinit(mc->dh_params);
459
return -1;
460
}
461
462
static int init_gnutls_session(mandos_context *mc,
463
gnutls_session_t *session){
464
int ret;
465
/* GnuTLS session creation */
466
ret = gnutls_init(session, GNUTLS_SERVER);
467
if(ret != GNUTLS_E_SUCCESS){
468
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
469
safer_gnutls_strerror(ret));
470
}
471
472
{
473
const char *err;
474
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
475
if(ret != GNUTLS_E_SUCCESS) {
476
fprintf(stderr, "Syntax error at: %s\n", err);
477
fprintf(stderr, "GnuTLS error: %s\n",
478
safer_gnutls_strerror(ret));
479
gnutls_deinit(*session);
480
return -1;
481
}
482
}
483
484
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
485
mc->cred);
486
if(ret != GNUTLS_E_SUCCESS) {
487
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
488
safer_gnutls_strerror(ret));
489
gnutls_deinit(*session);
490
return -1;
491
}
492
254
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
255
if (ret != GNUTLS_E_SUCCESS) {
256
fprintf
257
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s', '%s')\n",
258
ret, CERTFILE, KEYFILE);
259
fprintf(stdout, "The Error is: %s\n",
260
safer_gnutls_strerror(ret));
261
return -1;
262
}
263
264
//Gnutls server initialization
265
if ((ret = gnutls_dh_params_init (&es->dh_params))
266
!= GNUTLS_E_SUCCESS) {
267
fprintf (stderr, "Error in dh parameter initialization: %s\n",
268
safer_gnutls_strerror(ret));
269
return -1;
270
}
271
272
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
273
!= GNUTLS_E_SUCCESS) {
274
fprintf (stderr, "Error in prime generation: %s\n",
275
safer_gnutls_strerror(ret));
276
return -1;
277
}
278
279
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
280
281
// Gnutls session creation
282
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
283
!= GNUTLS_E_SUCCESS){
284
fprintf(stderr, "Error in gnutls session initialization: %s\n",
285
safer_gnutls_strerror(ret));
286
}
287
288
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
289
!= GNUTLS_E_SUCCESS) {
290
fprintf(stderr, "Syntax error at: %s\n", err);
291
fprintf(stderr, "Gnutls error: %s\n",
292
safer_gnutls_strerror(ret));
293
return -1;
294
}
295
296
if ((ret = gnutls_credentials_set
297
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
298
!= GNUTLS_E_SUCCESS) {
299
fprintf(stderr, "Error setting a credentials set: %s\n",
300
safer_gnutls_strerror(ret));
301
return -1;
302
}
303
493
304
/* ignore client certificate if any. */
494
gnutls_certificate_server_set_request(*session,
495
GNUTLS_CERT_IGNORE);
305
gnutls_certificate_server_set_request (es->session, GNUTLS_CERT_IGNORE);
496
306
497
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
307
gnutls_dh_set_prime_bits (es->session, DH_BITS);
498
308
499
309
return 0;
500
310
}
501
311
502
/* Avahi log function callback */
503
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
504
__attribute__((unused)) const char *txt){}
312
void empty_log(AvahiLogLevel level, const char *txt){}
505
313
506
/* Called when a Mandos server is found */
507
static int start_mandos_communication(const char *ip, uint16_t port,
508
AvahiIfIndex if_index,
509
mandos_context *mc){
314
int start_mandos_communication(char *ip, uint16_t port){
510
315
int ret, tcp_sd;
511
ssize_t sret;
512
union { struct sockaddr in; struct sockaddr_in6 in6; } to;
316
struct sockaddr_in6 to;
317
encrypted_session es;
513
318
char *buffer = NULL;
514
319
char *decrypted_buffer;
515
320
size_t buffer_length = 0;
516
321
size_t buffer_capacity = 0;
517
322
ssize_t decrypted_buffer_size;
518
size_t written;
519
323
int retval = 0;
520
char interface[IF_NAMESIZE];
521
gnutls_session_t session;
522
523
ret = init_gnutls_session(mc, &session);
524
if(ret != 0){
525
return -1;
526
}
527
324
const char interface[] = "eth0";
325
528
326
if(debug){
529
fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16
530
"\n", ip, port);
327
fprintf(stderr, "Setting up a tcp connection to %s\n", ip);
531
328
}
532
329
533
330
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
535
332
perror("socket");
536
333
return -1;
537
334
}
538
335
539
336
if(debug){
540
if(if_indextoname((unsigned int)if_index, interface) == NULL){
541
perror("if_indextoname");
542
return -1;
543
}
544
337
fprintf(stderr, "Binding to interface %s\n", interface);
545
338
}
339
340
ret = setsockopt(tcp_sd, SOL_SOCKET, SO_BINDTODEVICE, interface, 5);
341
if(tcp_sd < 0) {
342
perror("setsockopt bindtodevice");
343
return -1;
344
}
546
345
547
memset(&to, 0, sizeof(to));
548
to.in6.sin6_family = AF_INET6;
549
/* It would be nice to have a way to detect if we were passed an
550
IPv4 address here. Now we assume an IPv6 address. */
551
ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);
552
if(ret < 0 ){
346
memset(&to,0,sizeof(to));
347
to.sin6_family = AF_INET6;
348
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
349
if (ret < 0 ){
553
350
perror("inet_pton");
554
351
return -1;
555
}
352
}
556
353
if(ret == 0){
557
354
fprintf(stderr, "Bad address: %s\n", ip);
558
355
return -1;
559
356
}
560
to.in6.sin6_port = htons(port); /* Spurious warnings from
561
-Wconversion and
562
-Wunreachable-code */
563
564
to.in6.sin6_scope_id = (uint32_t)if_index;
565
357
to.sin6_port = htons(port);
358
to.sin6_scope_id = if_nametoindex(interface);
359
566
360
if(debug){
567
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
568
port);
569
char addrstr[INET6_ADDRSTRLEN] = "";
570
if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,
571
sizeof(addrstr)) == NULL){
572
perror("inet_ntop");
573
} else {
574
if(strcmp(addrstr, ip) != 0){
575
fprintf(stderr, "Canonical address form: %s\n", addrstr);
576
}
577
}
361
fprintf(stderr, "Connection to: %s\n", ip);
578
362
}
579
363
580
ret = connect(tcp_sd, &to.in, sizeof(to));
581
if(ret < 0){
364
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
365
if (ret < 0){
582
366
perror("connect");
583
367
return -1;
584
368
}
585
369
586
const char *out = mandos_protocol_version;
587
written = 0;
370
ret = initgnutls (&es);
371
if (ret != 0){
372
retval = -1;
373
return -1;
374
}
375
376
377
gnutls_transport_set_ptr (es.session, (gnutls_transport_ptr_t) tcp_sd);
378
379
if(debug){
380
fprintf(stderr, "Establishing tls session with %s\n", ip);
381
}
382
383
384
ret = gnutls_handshake (es.session);
385
386
if (ret != GNUTLS_E_SUCCESS){
387
fprintf(stderr, "\n*** Handshake failed ***\n");
388
gnutls_perror (ret);
389
retval = -1;
390
goto exit;
391
}
392
393
//Retrieve gpg packet that contains the wanted password
394
395
if(debug){
396
fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip);
397
}
398
588
399
while(true){
589
size_t out_size = strlen(out);
590
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
591
out_size - written));
592
if(ret == -1){
593
perror("write");
594
retval = -1;
595
goto mandos_end;
596
}
597
written += (size_t)ret;
598
if(written < out_size){
599
continue;
600
} else {
601
if(out == mandos_protocol_version){
602
written = 0;
603
out = "\r\n";
604
} else {
605
break;
400
if (buffer_length + BUFFER_SIZE > buffer_capacity){
401
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
402
if (buffer == NULL){
403
perror("realloc");
404
goto exit;
606
405
}
607
}
608
}
609
610
if(debug){
611
fprintf(stderr, "Establishing TLS session with %s\n", ip);
612
}
613
614
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
615
616
do{
617
ret = gnutls_handshake(session);
618
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
619
620
if(ret != GNUTLS_E_SUCCESS){
621
if(debug){
622
fprintf(stderr, "*** GnuTLS Handshake failed ***\n");
623
gnutls_perror(ret);
624
}
625
retval = -1;
626
goto mandos_end;
627
}
628
629
/* Read OpenPGP packet that contains the wanted password */
630
631
if(debug){
632
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
633
ip);
634
}
635
636
while(true){
637
buffer_capacity = adjustbuffer(&buffer, buffer_length,
638
buffer_capacity);
639
if(buffer_capacity == 0){
640
perror("adjustbuffer");
641
retval = -1;
642
goto mandos_end;
406
buffer_capacity += BUFFER_SIZE;
643
407
}
644
408
645
sret = gnutls_record_recv(session, buffer+buffer_length,
646
BUFFER_SIZE);
647
if(sret == 0){
409
ret = gnutls_record_recv
410
(es.session, buffer+buffer_length, BUFFER_SIZE);
411
if (ret == 0){
648
412
break;
649
413
}
650
if(sret < 0){
651
switch(sret){
414
if (ret < 0){
415
switch(ret){
652
416
case GNUTLS_E_INTERRUPTED:
653
417
case GNUTLS_E_AGAIN:
654
418
break;
655
419
case GNUTLS_E_REHANDSHAKE:
656
do{
657
ret = gnutls_handshake(session);
658
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
659
if(ret < 0){
660
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
661
gnutls_perror(ret);
420
ret = gnutls_handshake (es.session);
421
if (ret < 0){
422
fprintf(stderr, "\n*** Handshake failed ***\n");
423
gnutls_perror (ret);
662
424
retval = -1;
663
goto mandos_end;
425
goto exit;
664
426
}
665
427
break;
666
428
default:
667
fprintf(stderr, "Unknown error while reading data from"
668
" encrypted session with Mandos server\n");
429
fprintf(stderr, "Unknown error while reading data from encrypted session with mandos server\n");
669
430
retval = -1;
670
gnutls_bye(session, GNUTLS_SHUT_RDWR);
671
goto mandos_end;
431
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
432
goto exit;
672
433
}
673
434
} else {
674
buffer_length += (size_t) sret;
435
buffer_length += ret;
675
436
}
676
437
}
677
438
678
if(debug){
679
fprintf(stderr, "Closing TLS session\n");
680
}
681
682
gnutls_bye(session, GNUTLS_SHUT_RDWR);
683
684
if(buffer_length > 0){
685
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
686
buffer_length,
687
&decrypted_buffer);
688
if(decrypted_buffer_size >= 0){
689
written = 0;
690
while(written < (size_t) decrypted_buffer_size){
691
ret = (int)fwrite(decrypted_buffer + written, 1,
692
(size_t)decrypted_buffer_size - written,
693
stdout);
694
if(ret == 0 and ferror(stdout)){
695
if(debug){
696
fprintf(stderr, "Error writing encrypted data: %s\n",
697
strerror(errno));
698
}
699
retval = -1;
700
break;
701
}
702
written += (size_t)ret;
703
}
439
if (buffer_length > 0){
440
if ((decrypted_buffer_size = gpg_packet_decrypt(buffer, buffer_length, &decrypted_buffer, CERT_ROOT)) >= 0){
441
fwrite (decrypted_buffer, 1, decrypted_buffer_size, stdout);
704
442
free(decrypted_buffer);
705
443
} else {
706
444
retval = -1;
707
445
}
708
} else {
709
retval = -1;
710
}
711
712
/* Shutdown procedure */
713
714
mandos_end:
446
}
447
448
//shutdown procedure
449
450
if(debug){
451
fprintf(stderr, "Closing tls session\n");
452
}
453
715
454
free(buffer);
716
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
717
if(ret == -1){
718
perror("close");
719
}
720
gnutls_deinit(session);
455
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
456
exit:
457
close(tcp_sd);
458
gnutls_deinit (es.session);
459
gnutls_certificate_free_credentials (es.cred);
460
gnutls_global_deinit ();
721
461
return retval;
722
462
}
723
463
724
static void resolve_callback(AvahiSServiceResolver *r,
725
AvahiIfIndex interface,
726
AVAHI_GCC_UNUSED AvahiProtocol protocol,
727
AvahiResolverEvent event,
728
const char *name,
729
const char *type,
730
const char *domain,
731
const char *host_name,
732
const AvahiAddress *address,
733
uint16_t port,
734
AVAHI_GCC_UNUSED AvahiStringList *txt,
735
AVAHI_GCC_UNUSED AvahiLookupResultFlags
736
flags,
737
void* userdata) {
738
mandos_context *mc = userdata;
739
assert(r);
740
741
/* Called whenever a service has been resolved successfully or
742
timed out */
743
744
switch(event) {
745
default:
746
case AVAHI_RESOLVER_FAILURE:
747
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
748
" of type '%s' in domain '%s': %s\n", name, type, domain,
749
avahi_strerror(avahi_server_errno(mc->server)));
750
break;
751
752
case AVAHI_RESOLVER_FOUND:
753
{
754
char ip[AVAHI_ADDRESS_STR_MAX];
755
avahi_address_snprint(ip, sizeof(ip), address);
756
if(debug){
757
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
758
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
759
ip, (intmax_t)interface, port);
760
}
761
int ret = start_mandos_communication(ip, port, interface, mc);
762
if(ret == 0){
763
avahi_simple_poll_quit(mc->simple_poll);
764
}
765
}
766
}
767
avahi_s_service_resolver_free(r);
768
}
769
770
static void browse_callback( AvahiSServiceBrowser *b,
771
AvahiIfIndex interface,
772
AvahiProtocol protocol,
773
AvahiBrowserEvent event,
774
const char *name,
775
const char *type,
776
const char *domain,
777
AVAHI_GCC_UNUSED AvahiLookupResultFlags
778
flags,
779
void* userdata) {
780
mandos_context *mc = userdata;
781
assert(b);
782
783
/* Called whenever a new services becomes available on the LAN or
784
is removed from the LAN */
785
786
switch(event) {
787
default:
788
case AVAHI_BROWSER_FAILURE:
789
790
fprintf(stderr, "(Avahi browser) %s\n",
791
avahi_strerror(avahi_server_errno(mc->server)));
792
avahi_simple_poll_quit(mc->simple_poll);
793
return;
794
795
case AVAHI_BROWSER_NEW:
796
/* We ignore the returned Avahi resolver object. In the callback
797
function we free it. If the Avahi server is terminated before
798
the callback function is called the Avahi server will free the
799
resolver for us. */
800
801
if(!(avahi_s_service_resolver_new(mc->server, interface,
802
protocol, name, type, domain,
803
AVAHI_PROTO_INET6, 0,
804
resolve_callback, mc)))
805
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
806
name, avahi_strerror(avahi_server_errno(mc->server)));
807
break;
808
809
case AVAHI_BROWSER_REMOVE:
810
break;
811
812
case AVAHI_BROWSER_ALL_FOR_NOW:
813
case AVAHI_BROWSER_CACHE_EXHAUSTED:
814
if(debug){
815
fprintf(stderr, "No Mandos server found, still searching...\n");
816
}
817
break;
818
}
819
}
820
821
int main(int argc, char *argv[]){
464
static AvahiSimplePoll *simple_poll = NULL;
465
static AvahiServer *server = NULL;
466
467
static void resolve_callback(
468
AvahiSServiceResolver *r,
469
AVAHI_GCC_UNUSED AvahiIfIndex interface,
470
AVAHI_GCC_UNUSED AvahiProtocol protocol,
471
AvahiResolverEvent event,
472
const char *name,
473
const char *type,
474
const char *domain,
475
const char *host_name,
476
const AvahiAddress *address,
477
uint16_t port,
478
AvahiStringList *txt,
479
AvahiLookupResultFlags flags,
480
AVAHI_GCC_UNUSED void* userdata) {
481
482
assert(r);
483
484
/* Called whenever a service has been resolved successfully or timed out */
485
486
switch (event) {
487
case AVAHI_RESOLVER_FAILURE:
488
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of type '%s' in domain '%s': %s\n", name, type, domain, avahi_strerror(avahi_server_errno(server)));
489
break;
490
491
case AVAHI_RESOLVER_FOUND: {
492
char ip[AVAHI_ADDRESS_STR_MAX];
493
avahi_address_snprint(ip, sizeof(ip), address);
494
if(debug){
495
fprintf(stderr, "Mandos server found at %s on port %d\n", ip, port);
496
}
497
int ret = start_mandos_communication(ip, port);
498
if (ret == 0){
499
exit(EXIT_SUCCESS);
500
} else {
501
exit(EXIT_FAILURE);
502
}
503
}
504
}
505
avahi_s_service_resolver_free(r);
506
}
507
508
static void browse_callback(
509
AvahiSServiceBrowser *b,
510
AvahiIfIndex interface,
511
AvahiProtocol protocol,
512
AvahiBrowserEvent event,
513
const char *name,
514
const char *type,
515
const char *domain,
516
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
517
void* userdata) {
518
519
AvahiServer *s = userdata;
520
assert(b);
521
522
/* Called whenever a new services becomes available on the LAN or is removed from the LAN */
523
524
switch (event) {
525
526
case AVAHI_BROWSER_FAILURE:
527
528
fprintf(stderr, "(Browser) %s\n", avahi_strerror(avahi_server_errno(server)));
529
avahi_simple_poll_quit(simple_poll);
530
return;
531
532
case AVAHI_BROWSER_NEW:
533
/* We ignore the returned resolver object. In the callback
534
function we free it. If the server is terminated before
535
the callback function is called the server will free
536
the resolver for us. */
537
538
if (!(avahi_s_service_resolver_new(s, interface, protocol, name, type, domain, AVAHI_PROTO_INET6, 0, resolve_callback, s)))
539
fprintf(stderr, "Failed to resolve service '%s': %s\n", name, avahi_strerror(avahi_server_errno(s)));
540
541
break;
542
543
case AVAHI_BROWSER_REMOVE:
544
break;
545
546
case AVAHI_BROWSER_ALL_FOR_NOW:
547
case AVAHI_BROWSER_CACHE_EXHAUSTED:
548
break;
549
}
550
}
551
552
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
553
AvahiServerConfig config;
822
554
AvahiSServiceBrowser *sb = NULL;
555
const char db[] = "--debug";
823
556
int error;
824
int ret;
825
intmax_t tmpmax;
826
int numchars;
827
int exitcode = EXIT_SUCCESS;
828
const char *interface = "eth0";
829
struct ifreq network;
830
int sd;
831
uid_t uid;
832
gid_t gid;
833
char *connect_to = NULL;
834
char tempdir[] = "/tmp/mandosXXXXXX";
835
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
836
const char *seckey = PATHDIR "/" SECKEY;
837
const char *pubkey = PATHDIR "/" PUBKEY;
838
839
mandos_context mc = { .simple_poll = NULL, .server = NULL,
840
.dh_bits = 1024, .priority = "SECURE256"
841
":!CTYPE-X.509:+CTYPE-OPENPGP" };
842
bool gnutls_initialized = false;
843
bool gpgme_initialized = false;
844
845
{
846
struct argp_option options[] = {
847
{ .name = "debug", .key = 128,
848
.doc = "Debug mode", .group = 3 },
849
{ .name = "connect", .key = 'c',
850
.arg = "ADDRESS:PORT",
851
.doc = "Connect directly to a specific Mandos server",
852
.group = 1 },
853
{ .name = "interface", .key = 'i',
854
.arg = "NAME",
855
.doc = "Interface that will be used to search for Mandos"
856
" servers",
857
.group = 1 },
858
{ .name = "seckey", .key = 's',
859
.arg = "FILE",
860
.doc = "OpenPGP secret key file base name",
861
.group = 1 },
862
{ .name = "pubkey", .key = 'p',
863
.arg = "FILE",
864
.doc = "OpenPGP public key file base name",
865
.group = 2 },
866
{ .name = "dh-bits", .key = 129,
867
.arg = "BITS",
868
.doc = "Bit length of the prime number used in the"
869
" Diffie-Hellman key exchange",
870
.group = 2 },
871
{ .name = "priority", .key = 130,
872
.arg = "STRING",
873
.doc = "GnuTLS priority string for the TLS handshake",
874
.group = 1 },
875
{ .name = NULL }
876
};
877
878
error_t parse_opt(int key, char *arg,
879
struct argp_state *state) {
880
switch(key) {
881
case 128: /* --debug */
882
debug = true;
883
break;
884
case 'c': /* --connect */
885
connect_to = arg;
886
break;
887
case 'i': /* --interface */
888
interface = arg;
889
break;
890
case 's': /* --seckey */
891
seckey = arg;
892
break;
893
case 'p': /* --pubkey */
894
pubkey = arg;
895
break;
896
case 129: /* --dh-bits */
897
ret = sscanf(arg, "%" SCNdMAX "%n", &tmpmax, &numchars);
898
if(ret < 1 or tmpmax != (typeof(mc.dh_bits))tmpmax
899
or arg[numchars] != '\0'){
900
fprintf(stderr, "Bad number of DH bits\n");
901
exit(EXIT_FAILURE);
557
int ret = 1;
558
int returncode = EXIT_SUCCESS;
559
char *basename = rindex(argv[0], '/');
560
if(basename == NULL){
561
basename = argv[0];
562
} else {
563
basename++;
564
}
565
566
char *program_name = malloc(strlen(basename) + sizeof(db));
567
568
if (program_name == NULL){
569
perror("argv[0]");
570
return EXIT_FAILURE;
571
}
572
573
program_name[0] = '\0';
574
575
for (int i = 1; i < argc; i++){
576
if (not strncmp(argv[i], db, 5)){
577
strcat(strcat(strcat(program_name, db ), "="), basename);
578
if(not strcmp(argv[i], db) or not strcmp(argv[i], program_name)){
579
debug = true;
902
580
}
903
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
904
break;
905
case 130: /* --priority */
906
mc.priority = arg;
907
break;
908
case ARGP_KEY_ARG:
909
argp_usage(state);
910
case ARGP_KEY_END:
911
break;
912
default:
913
return ARGP_ERR_UNKNOWN;
914
}
915
return 0;
916
}
917
918
struct argp argp = { .options = options, .parser = parse_opt,
919
.args_doc = "",
920
.doc = "Mandos client -- Get and decrypt"
921
" passwords from a Mandos server" };
922
ret = argp_parse(&argp, argc, argv, 0, 0, NULL);
923
if(ret == ARGP_ERR_UNKNOWN){
924
fprintf(stderr, "Unknown error while parsing arguments\n");
925
exitcode = EXIT_FAILURE;
926
goto end;
927
}
928
}
929
930
/* If the interface is down, bring it up */
931
{
932
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
933
if(sd < 0) {
934
perror("socket");
935
exitcode = EXIT_FAILURE;
936
goto end;
937
}
938
strcpy(network.ifr_name, interface);
939
ret = ioctl(sd, SIOCGIFFLAGS, &network);
940
if(ret == -1){
941
perror("ioctl SIOCGIFFLAGS");
942
exitcode = EXIT_FAILURE;
943
goto end;
944
}
945
if((network.ifr_flags & IFF_UP) == 0){
946
network.ifr_flags |= IFF_UP;
947
ret = ioctl(sd, SIOCSIFFLAGS, &network);
948
if(ret == -1){
949
perror("ioctl SIOCSIFFLAGS");
950
exitcode = EXIT_FAILURE;
951
goto end;
952
}
953
}
954
ret = (int)TEMP_FAILURE_RETRY(close(sd));
955
if(ret == -1){
956
perror("close");
957
}
958
}
959
960
uid = getuid();
961
gid = getgid();
962
963
ret = setuid(uid);
964
if(ret == -1){
965
perror("setuid");
966
}
967
968
setgid(gid);
969
if(ret == -1){
970
perror("setgid");
971
}
972
973
ret = init_gnutls_global(&mc, pubkey, seckey);
974
if(ret == -1){
975
fprintf(stderr, "init_gnutls_global failed\n");
976
exitcode = EXIT_FAILURE;
977
goto end;
978
} else {
979
gnutls_initialized = true;
980
}
981
982
if(mkdtemp(tempdir) == NULL){
983
perror("mkdtemp");
984
tempdir[0] = '\0';
985
goto end;
986
}
987
988
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
989
fprintf(stderr, "init_gpgme failed\n");
990
exitcode = EXIT_FAILURE;
991
goto end;
992
} else {
993
gpgme_initialized = true;
994
}
995
996
if_index = (AvahiIfIndex) if_nametoindex(interface);
997
if(if_index == 0){
998
fprintf(stderr, "No such interface: \"%s\"\n", interface);
999
exit(EXIT_FAILURE);
1000
}
1001
1002
if(connect_to != NULL){
1003
/* Connect directly, do not use Zeroconf */
1004
/* (Mainly meant for debugging) */
1005
char *address = strrchr(connect_to, ':');
1006
if(address == NULL){
1007
fprintf(stderr, "No colon in address\n");
1008
exitcode = EXIT_FAILURE;
1009
goto end;
1010
}
1011
uint16_t port;
1012
ret = sscanf(address+1, "%" SCNdMAX "%n", &tmpmax, &numchars);
1013
if(ret < 1 or tmpmax != (uint16_t)tmpmax
1014
or address[numchars+1] != '\0'){
1015
fprintf(stderr, "Bad port number\n");
1016
exitcode = EXIT_FAILURE;
1017
goto end;
1018
}
1019
port = (uint16_t)tmpmax;
1020
*address = '\0';
1021
address = connect_to;
1022
ret = start_mandos_communication(address, port, if_index, &mc);
1023
if(ret < 0){
1024
exitcode = EXIT_FAILURE;
1025
} else {
1026
exitcode = EXIT_SUCCESS;
1027
}
1028
goto end;
1029
}
1030
1031
if(not debug){
581
}
582
}
583
free(program_name);
584
585
if (not debug){
1032
586
avahi_set_log_function(empty_log);
1033
587
}
1034
588
1035
/* Initialize the pseudo-RNG for Avahi */
1036
srand((unsigned int) time(NULL));
1037
1038
/* Allocate main Avahi loop object */
1039
mc.simple_poll = avahi_simple_poll_new();
1040
if(mc.simple_poll == NULL) {
1041
fprintf(stderr, "Avahi: Failed to create simple poll"
1042
" object.\n");
1043
exitcode = EXIT_FAILURE;
1044
goto end;
1045
}
1046
1047
{
1048
AvahiServerConfig config;
1049
/* Do not publish any local Zeroconf records */
1050
avahi_server_config_init(&config);
1051
config.publish_hinfo = 0;
1052
config.publish_addresses = 0;
1053
config.publish_workstation = 0;
1054
config.publish_domain = 0;
1055
1056
/* Allocate a new server */
1057
mc.server = avahi_server_new(avahi_simple_poll_get
1058
(mc.simple_poll), &config, NULL,
1059
NULL, &error);
1060
1061
/* Free the Avahi configuration data */
1062
avahi_server_config_free(&config);
1063
}
1064
1065
/* Check if creating the Avahi server object succeeded */
1066
if(mc.server == NULL) {
1067
fprintf(stderr, "Failed to create Avahi server: %s\n",
1068
avahi_strerror(error));
1069
exitcode = EXIT_FAILURE;
1070
goto end;
1071
}
1072
1073
/* Create the Avahi service browser */
1074
sb = avahi_s_service_browser_new(mc.server, if_index,
1075
AVAHI_PROTO_INET6,
1076
"_mandos._tcp", NULL, 0,
1077
browse_callback, &mc);
1078
if(sb == NULL) {
1079
fprintf(stderr, "Failed to create service browser: %s\n",
1080
avahi_strerror(avahi_server_errno(mc.server)));
1081
exitcode = EXIT_FAILURE;
1082
goto end;
589
/* Initialize the psuedo-RNG */
590
srand(time(NULL));
591
592
/* Allocate main loop object */
593
if (!(simple_poll = avahi_simple_poll_new())) {
594
fprintf(stderr, "Failed to create simple poll object.\n");
595
596
goto exit;
597
}
598
599
/* Do not publish any local records */
600
avahi_server_config_init(&config);
601
config.publish_hinfo = 0;
602
config.publish_addresses = 0;
603
config.publish_workstation = 0;
604
config.publish_domain = 0;
605
606
/* Allocate a new server */
607
server = avahi_server_new(avahi_simple_poll_get(simple_poll), &config, NULL, NULL, &error);
608
609
/* Free the configuration data */
610
avahi_server_config_free(&config);
611
612
/* Check if creating the server object succeeded */
613
if (!server) {
614
fprintf(stderr, "Failed to create server: %s\n", avahi_strerror(error));
615
returncode = EXIT_FAILURE;
616
goto exit;
617
}
618
619
/* Create the service browser */
620
if (!(sb = avahi_s_service_browser_new(server, if_nametoindex("eth0"), AVAHI_PROTO_INET6, "_mandos._tcp", NULL, 0, browse_callback, server))) {
621
fprintf(stderr, "Failed to create service browser: %s\n", avahi_strerror(avahi_server_errno(server)));
622
returncode = EXIT_FAILURE;
623
goto exit;
1083
624
}
1084
625
1085
626
/* Run the main loop */
1086
1087
if(debug){
1088
fprintf(stderr, "Starting Avahi loop search\n");
627
628
if (debug){
629
fprintf(stderr, "Starting avahi loop search\n");
1089
630
}
1090
631
1091
avahi_simple_poll_loop(mc.simple_poll);
1092
1093
end:
1094
1095
if(debug){
632
avahi_simple_poll_loop(simple_poll);
633
634
exit:
635
636
if (debug){
1096
637
fprintf(stderr, "%s exiting\n", argv[0]);
1097
638
}
1098
639
1099
640
/* Cleanup things */
1100
if(sb != NULL)
641
if (sb)
1101
642
avahi_s_service_browser_free(sb);
1102
643
1103
if(mc.server != NULL)
1104
avahi_server_free(mc.server);
1105
1106
if(mc.simple_poll != NULL)
1107
avahi_simple_poll_free(mc.simple_poll);
1108
1109
if(gnutls_initialized){
1110
gnutls_certificate_free_credentials(mc.cred);
1111
gnutls_global_deinit();
1112
gnutls_dh_params_deinit(mc.dh_params);
1113
}
1114
1115
if(gpgme_initialized){
1116
gpgme_release(mc.ctx);
1117
}
1118
1119
/* Removes the temp directory used by GPGME */
1120
if(tempdir[0] != '\0'){
1121
DIR *d;
1122
struct dirent *direntry;
1123
d = opendir(tempdir);
1124
if(d == NULL){
1125
if(errno != ENOENT){
1126
perror("opendir");
1127
}
1128
} else {
1129
while(true){
1130
direntry = readdir(d);
1131
if(direntry == NULL){
1132
break;
1133
}
1134
/* Skip "." and ".." */
1135
if(direntry->d_name[0] == '.'
1136
and (direntry->d_name[1] == '\0'
1137
or (direntry->d_name[1] == '.'
1138
and direntry->d_name[2] == '\0'))){
1139
continue;
1140
}
1141
char *fullname = NULL;
1142
ret = asprintf(&fullname, "%s/%s", tempdir,
1143
direntry->d_name);
1144
if(ret < 0){
1145
perror("asprintf");
1146
continue;
1147
}
1148
ret = remove(fullname);
1149
if(ret == -1){
1150
fprintf(stderr, "remove(\"%s\"): %s\n", fullname,
1151
strerror(errno));
1152
}
1153
free(fullname);
1154
}
1155
closedir(d);
1156
}
1157
ret = rmdir(tempdir);
1158
if(ret == -1 and errno != ENOENT){
1159
perror("rmdir");
1160
}
1161
}
1162
1163
return exitcode;
644
if (server)
645
avahi_server_free(server);
646
647
if (simple_poll)
648
avahi_simple_poll_free(simple_poll);
649
650
return ret;
1164
651
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0