/mandos/trunk : revision 22

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Teddy Hogeborn
Date: 2008-07-21 22:51:46 UTC
mfrom: (15.1.4 mandos)
Revision ID: teddy@fukt.bsnet.se-20080721225146-55gbo7fqocy4m930

* plugins.d/mandosclient.c (pgp_packet_decrypt): Cast "0" argument to
                                                 gpgme_data_seek.
(start_mandos_communication): Change "ip" arg to "const char *".  New
                               variable "written".  Remove setsockopt.
                               Bug fix: Do not change decrypted_buffer.
(resolve_callback): Removed AVAHI_GCC_UNUSED from "interface".

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-list

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

* includes the following functions: "resolve_callback",

* "browse_callback", and parts of "main".

* Everything else is

* Påhlsson.

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and

* <https://www.fukt.bsnet.se/~teddy/>.

/* Needed by GPGME, specifically gpgme_data_seek() */

#define _FORTIFY_SOURCE 2

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

100

GPGME_PROTOCOL_OpenPGP,

101

GPG_ERR_NO_* */

102

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

#ifndef CERT_ROOT

#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"

#endif

#define CERTFILE CERT_ROOT "openpgp-client.txt"

#define KEYFILE CERT_ROOT "openpgp-client-key.txt"

103

#define BUFFER_SIZE 256

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

#define SECKEY "seckey.txt"

107

#define PUBKEY "pubkey.txt"

#define DH_BITS 1024

108

109

bool debug = false;

110

static const char mandos_protocol_version[] = "1";

111

const char *argp_program_version = "mandos-client " VERSION;

112

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

113

114

/* Used for passing in values through the Avahi callback functions */

115

typedef struct {

116

AvahiSimplePoll *simple_poll;

117

AvahiServer *server;

gnutls_session_t session;

118

gnutls_certificate_credentials_t cred;

119

unsigned int dh_bits;

120

gnutls_dh_params_t dh_params;

121

const char *priority;

} encrypted_session;

ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

char **new_packet, const char *homedir){

gpgme_data_t dh_crypto, dh_plain;

122

gpgme_ctx_t ctx;

123

} mandos_context;

124

125

126

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

127

* "buffer_capacity" is how much is currently allocated,

128

* "buffer_length" is how much is already used.

129

130

size_t adjustbuffer(char **buffer, size_t buffer_length,

131

size_t buffer_capacity){

132

if (buffer_length + BUFFER_SIZE > buffer_capacity){

133

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

134

if (buffer == NULL){

135

return 0;

136

}

137

buffer_capacity += BUFFER_SIZE;

138

}

139

return buffer_capacity;

140

}

141

142

143

* Initialize GPGME.

144

145

static bool init_gpgme(mandos_context *mc, const char *seckey,

146

const char *pubkey, const char *tempdir){

147

int ret;

148

gpgme_error_t rc;

ssize_t ret;

ssize_t new_packet_capacity = 0;

ssize_t new_packet_length = 0;

149

gpgme_engine_info_t engine_info;

150

151

152

153

* Helper function to insert pub and seckey to the enigne keyring.

154

155

bool import_key(const char *filename){

156

int fd;

157

gpgme_data_t pgp_data;

158

159

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

160

if(fd == -1){

161

perror("open");

162

return false;

163

}

164

165

rc = gpgme_data_new_from_fd(&pgp_data, fd);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return false;

170

}

171

172

rc = gpgme_op_import(mc->ctx, pgp_data);

173

if (rc != GPG_ERR_NO_ERROR){

174

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

175

gpgme_strsource(rc), gpgme_strerror(rc));

176

return false;

177

}

178

179

ret = TEMP_FAILURE_RETRY(close(fd));

180

if(ret == -1){

181

perror("close");

182

}

183

gpgme_data_release(pgp_data);

184

return true;

185

}

186

187

if (debug){

188

fprintf(stderr, "Initialize gpgme\n");

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

189

100

}

190

101

191

102

/* Init GPGME */

192

103

gpgme_check_version(NULL);

193

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

194

if (rc != GPG_ERR_NO_ERROR){

195

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

196

gpgme_strsource(rc), gpgme_strerror(rc));

197

return false;

198

}

104

gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

199

105

200

/* Set GPGME home directory for the OpenPGP engine only */

106

/* Set GPGME home directory */

201

107

rc = gpgme_get_engine_info (&engine_info);

202

108

if (rc != GPG_ERR_NO_ERROR){

203

109

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

204

110

gpgme_strsource(rc), gpgme_strerror(rc));

205

return false;

111

return -1;

206

112

}

207

113

while(engine_info != NULL){

208

114

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

209

115

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

210

engine_info->file_name, tempdir);

116

engine_info->file_name, homedir);

211

117

break;

212

118

}

213

119

engine_info = engine_info->next;

214

120

}

215

121

if(engine_info == NULL){

216

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

217

return false;

218

}

219

220

/* Create new GPGME "context" */

221

rc = gpgme_new(&(mc->ctx));

222

if (rc != GPG_ERR_NO_ERROR){

223

fprintf(stderr, "bad gpgme_new: %s: %s\n",

224

gpgme_strsource(rc), gpgme_strerror(rc));

225

return false;

226

}

227

228

if (not import_key(pubkey) or not import_key(seckey)){

229

return false;

230

}

231

232

return true;

233

}

234

235

236

* Decrypt OpenPGP data.

237

* Returns -1 on error

238

239

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

240

const char *cryptotext,

241

size_t crypto_size,

242

char **plaintext){

243

gpgme_data_t dh_crypto, dh_plain;

244

gpgme_error_t rc;

245

ssize_t ret;

246

size_t plaintext_capacity = 0;

247

ssize_t plaintext_length = 0;

248

249

if (debug){

250

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

251

}

252

253

/* Create new GPGME data buffer from memory cryptotext */

254

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

255

0);

122

fprintf(stderr, "Could not set home dir to %s\n", homedir);

123

return -1;

124

}

125

126

/* Create new GPGME data buffer from packet buffer */

127

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

256

128

if (rc != GPG_ERR_NO_ERROR){

257

129

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

258

130

gpgme_strsource(rc), gpgme_strerror(rc));

264

136

if (rc != GPG_ERR_NO_ERROR){

265

137

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

266

138

gpgme_strsource(rc), gpgme_strerror(rc));

267

gpgme_data_release(dh_crypto);

268

return -1;

269

}

270

271

/* Decrypt data from the cryptotext data buffer to the plaintext

272

data buffer */

273

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

139

return -1;

140

}

141

142

/* Create new GPGME "context" */

143

rc = gpgme_new(&ctx);

144

if (rc != GPG_ERR_NO_ERROR){

145

fprintf(stderr, "bad gpgme_new: %s: %s\n",

146

gpgme_strsource(rc), gpgme_strerror(rc));

147

return -1;

148

}

149

150

/* Decrypt data from the FILE pointer to the plaintext data

151

buffer */

152

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

274

153

if (rc != GPG_ERR_NO_ERROR){

275

154

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

276

155

gpgme_strsource(rc), gpgme_strerror(rc));

277

plaintext_length = -1;

278

if (debug){

279

gpgme_decrypt_result_t result;

280

result = gpgme_op_decrypt_result(mc->ctx);

281

if (result == NULL){

282

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

283

} else {

284

fprintf(stderr, "Unsupported algorithm: %s\n",

285

result->unsupported_algorithm);

286

fprintf(stderr, "Wrong key usage: %u\n",

287

result->wrong_key_usage);

288

if(result->file_name != NULL){

289

fprintf(stderr, "File name: %s\n", result->file_name);

290

}

291

gpgme_recipient_t recipient;

292

recipient = result->recipients;

293

if(recipient){

294

while(recipient != NULL){

295

fprintf(stderr, "Public key algorithm: %s\n",

296

gpgme_pubkey_algo_name(recipient->pubkey_algo));

297

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

298

fprintf(stderr, "Secret key available: %s\n",

299

recipient->status == GPG_ERR_NO_SECKEY

300

? "No" : "Yes");

301

recipient = recipient->next;

302

}

156

return -1;

157

}

158

159

if(debug){

160

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

161

}

162

163

if (debug){

164

gpgme_decrypt_result_t result;

165

result = gpgme_op_decrypt_result(ctx);

166

if (result == NULL){

167

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

168

} else {

169

fprintf(stderr, "Unsupported algorithm: %s\n",

170

result->unsupported_algorithm);

171

fprintf(stderr, "Wrong key usage: %d\n",

172

result->wrong_key_usage);

173

if(result->file_name != NULL){

174

fprintf(stderr, "File name: %s\n", result->file_name);

175

}

176

gpgme_recipient_t recipient;

177

recipient = result->recipients;

178

if(recipient){

179

while(recipient != NULL){

180

fprintf(stderr, "Public key algorithm: %s\n",

181

gpgme_pubkey_algo_name(recipient->pubkey_algo));

182

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

183

fprintf(stderr, "Secret key available: %s\n",

184

recipient->status == GPG_ERR_NO_SECKEY

185

? "No" : "Yes");

186

recipient = recipient->next;

303

187

}

304

188

}

305

189

}

306

goto decrypt_end;

307

190

}

308

191

309

if(debug){

310

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

311

}

192

/* Delete the GPGME FILE pointer cryptotext data buffer */

193

gpgme_data_release(dh_crypto);

312

194

313

195

/* Seek back to the beginning of the GPGME plaintext data buffer */

314

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

315

perror("gpgme_data_seek");

316

plaintext_length = -1;

317

goto decrypt_end;

318

}

319

320

*plaintext = NULL;

196

gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);

197

198

*new_packet = 0;

321

199

while(true){

322

plaintext_capacity = adjustbuffer(plaintext,

323

(size_t)plaintext_length,

324

plaintext_capacity);

325

if (plaintext_capacity == 0){

326

perror("adjustbuffer");

327

plaintext_length = -1;

328

goto decrypt_end;

200

if (new_packet_length + BUFFER_SIZE > new_packet_capacity){

201

*new_packet = realloc(*new_packet,

202

(unsigned int)new_packet_capacity

203

+ BUFFER_SIZE);

204

if (*new_packet == NULL){

205

perror("realloc");

206

return -1;

207

}

208

new_packet_capacity += BUFFER_SIZE;

329

209

}

330

210

331

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

211

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

332

212

BUFFER_SIZE);

333

213

/* Print the data, if any */

334

214

if (ret == 0){

335

/* EOF */

336

215

break;

337

216

}

338

217

if(ret < 0){

339

218

perror("gpgme_data_read");

340

plaintext_length = -1;

341

goto decrypt_end;

342

}

343

plaintext_length += ret;

344

}

345

346

if(debug){

347

fprintf(stderr, "Decrypted password is: ");

348

for(ssize_t i = 0; i < plaintext_length; i++){

349

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

350

}

351

fprintf(stderr, "\n");

352

}

353

354

decrypt_end:

355

356

/* Delete the GPGME cryptotext data buffer */

357

gpgme_data_release(dh_crypto);

219

return -1;

220

}

221

new_packet_length += ret;

222

}

223

224

/* FIXME: check characters before printing to screen so to not print

225

terminal control characters */

226

/* if(debug){ */

227

/* fprintf(stderr, "decrypted password is: "); */

228

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

229

/* fprintf(stderr, "\n"); */

230

/* } */

358

231

359

232

/* Delete the GPGME plaintext data buffer */

360

233

gpgme_data_release(dh_plain);

361

return plaintext_length;

234

return new_packet_length;

362

235

}

363

236

364

237

static const char * safer_gnutls_strerror (int value) {

365

const char *ret = gnutls_strerror (value); /* Spurious warning */

238

const char *ret = gnutls_strerror (value);

366

239

if (ret == NULL)

367

240

ret = "(unknown)";

368

241

return ret;

369

242

}

370

243

371

/* GnuTLS log function callback */

372

static void debuggnutls(__attribute__((unused)) int level,

373

const char* string){

374

fprintf(stderr, "GnuTLS: %s", string);

244

void debuggnutls(__attribute__((unused)) int level,

245

const char* string){

246

fprintf(stderr, "%s", string);

375

247

}

376

248

377

static int init_gnutls_global(mandos_context *mc,

378

const char *pubkeyfilename,

379

const char *seckeyfilename){

249

int initgnutls(encrypted_session *es){

250

const char *err;

380

251

int ret;

381

252

382

253

if(debug){

383

254

fprintf(stderr, "Initializing GnuTLS\n");

384

255

}

385

256

386

ret = gnutls_global_init();

387

if (ret != GNUTLS_E_SUCCESS) {

388

fprintf (stderr, "GnuTLS global_init: %s\n",

389

safer_gnutls_strerror(ret));

257

if ((ret = gnutls_global_init ())

258

!= GNUTLS_E_SUCCESS) {

259

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

390

260

return -1;

391

261

}

392

262

393

263

if (debug){

394

/* "Use a log level over 10 to enable all debugging options."

395

* - GnuTLS manual

396

397

264

gnutls_global_set_log_level(11);

398

265

gnutls_global_set_log_function(debuggnutls);

399

266

}

400

267

401

/* OpenPGP credentials */

402

gnutls_certificate_allocate_credentials(&mc->cred);

403

if (ret != GNUTLS_E_SUCCESS){

404

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

405

warning */

268

/* openpgp credentials */

269

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

270

!= GNUTLS_E_SUCCESS) {

271

fprintf (stderr, "memory error: %s\n",

406

272

safer_gnutls_strerror(ret));

407

gnutls_global_deinit ();

408

273

return -1;

409

274

}

410

275

411

276

if(debug){

412

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

413

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

414

seckeyfilename);

277

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

278

" and keyfile %s as GnuTLS credentials\n", CERTFILE,

279

KEYFILE);

415

280

}

416

281

417

282

ret = gnutls_certificate_set_openpgp_key_file

418

(mc->cred, pubkeyfilename, seckeyfilename,

419

GNUTLS_OPENPGP_FMT_BASE64);

283

(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);

420

284

if (ret != GNUTLS_E_SUCCESS) {

421

fprintf(stderr,

422

"Error[%d] while reading the OpenPGP key pair ('%s',"

423

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

424

fprintf(stderr, "The GnuTLS error is: %s\n",

285

fprintf

286

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

287

" '%s')\n",

288

ret, CERTFILE, KEYFILE);

289

fprintf(stdout, "The Error is: %s\n",

425

290

safer_gnutls_strerror(ret));

426

goto globalfail;

427

}

428

429

/* GnuTLS server initialization */

430

ret = gnutls_dh_params_init(&mc->dh_params);

431

if (ret != GNUTLS_E_SUCCESS) {

432

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

433

" %s\n", safer_gnutls_strerror(ret));

434

goto globalfail;

435

}

436

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

437

if (ret != GNUTLS_E_SUCCESS) {

438

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

439

safer_gnutls_strerror(ret));

440

goto globalfail;

441

}

442

443

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

444

445

return 0;

446

447

globalfail:

448

449

gnutls_certificate_free_credentials(mc->cred);

450

gnutls_global_deinit();

451

gnutls_dh_params_deinit(mc->dh_params);

452

return -1;

453

}

454

455

static int init_gnutls_session(mandos_context *mc,

456

gnutls_session_t *session){

457

int ret;

458

/* GnuTLS session creation */

459

ret = gnutls_init(session, GNUTLS_SERVER);

460

if (ret != GNUTLS_E_SUCCESS){

291

return -1;

292

}

293

294

//GnuTLS server initialization

295

if ((ret = gnutls_dh_params_init (&es->dh_params))

296

!= GNUTLS_E_SUCCESS) {

297

fprintf (stderr, "Error in dh parameter initialization: %s\n",

298

safer_gnutls_strerror(ret));

299

return -1;

300

}

301

302

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "Error in prime generation: %s\n",

305

safer_gnutls_strerror(ret));

306

return -1;

307

}

308

309

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

310

311

// GnuTLS session creation

312

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

313

!= GNUTLS_E_SUCCESS){

461

314

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

462

315

safer_gnutls_strerror(ret));

463

316

}

464

317

465

{

466

const char *err;

467

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

468

if (ret != GNUTLS_E_SUCCESS) {

469

fprintf(stderr, "Syntax error at: %s\n", err);

470

fprintf(stderr, "GnuTLS error: %s\n",

471

safer_gnutls_strerror(ret));

472

gnutls_deinit (*session);

473

return -1;

474

}

318

if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf(stderr, "Syntax error at: %s\n", err);

321

fprintf(stderr, "GnuTLS error: %s\n",

322

safer_gnutls_strerror(ret));

323

return -1;

475

324

}

476

325

477

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

478

mc->cred);

479

if (ret != GNUTLS_E_SUCCESS) {

480

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

326

if ((ret = gnutls_credentials_set

327

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

328

!= GNUTLS_E_SUCCESS) {

329

fprintf(stderr, "Error setting a credentials set: %s\n",

481

330

safer_gnutls_strerror(ret));

482

gnutls_deinit (*session);

483

331

return -1;

484

332

}

485

333

486

334

/* ignore client certificate if any. */

487

gnutls_certificate_server_set_request (*session,

335

gnutls_certificate_server_set_request (es->session,

488

336

GNUTLS_CERT_IGNORE);

489

337

490

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

338

gnutls_dh_set_prime_bits (es->session, DH_BITS);

491

339

492

340

return 0;

493

341

}

494

342

495

/* Avahi log function callback */

496

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

497

__attribute__((unused)) const char *txt){}

343

void empty_log(__attribute__((unused)) AvahiLogLevel level,

344

__attribute__((unused)) const char *txt){}

498

345

499

/* Called when a Mandos server is found */

500

static int start_mandos_communication(const char *ip, uint16_t port,

501

AvahiIfIndex if_index,

502

mandos_context *mc){

346

int start_mandos_communication(const char *ip, uint16_t port,

347

unsigned int if_index){

503

348

int ret, tcp_sd;

504

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

349

struct sockaddr_in6 to;

350

encrypted_session es;

505

351

char *buffer = NULL;

506

352

char *decrypted_buffer;

507

353

size_t buffer_length = 0;

508

354

size_t buffer_capacity = 0;

509

355

ssize_t decrypted_buffer_size;

510

size_t written;

356

size_t written = 0;

511

357

int retval = 0;

512

358

char interface[IF_NAMESIZE];

513

gnutls_session_t session;

514

515

ret = init_gnutls_session (mc, &session);

516

if (ret != 0){

517

return -1;

518

}

519

359

520

360

if(debug){

521

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

522

"\n", ip, port);

361

fprintf(stderr, "Setting up a tcp connection to %s\n", ip);

523

362

}

524

363

525

364

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

528

367

return -1;

529

368

}

530

369

531

if(debug){

532

if(if_indextoname((unsigned int)if_index, interface) == NULL){

370

if(if_indextoname(if_index, interface) == NULL){

371

if(debug){

533

372

perror("if_indextoname");

534

return -1;

535

373

}

374

return -1;

375

}

376

377

if(debug){

536

378

fprintf(stderr, "Binding to interface %s\n", interface);

537

379

}

538

380

539

memset(&to, 0, sizeof(to));

540

to.in6.sin6_family = AF_INET6;

541

/* It would be nice to have a way to detect if we were passed an

542

IPv4 address here. Now we assume an IPv6 address. */

543

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

381

memset(&to,0,sizeof(to)); /* Spurious warning */

382

to.sin6_family = AF_INET6;

383

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

544

384

if (ret < 0 ){

545

385

perror("inet_pton");

546

386

return -1;

547

}

387

}

548

388

if(ret == 0){

549

389

fprintf(stderr, "Bad address: %s\n", ip);

550

390

return -1;

551

391

}

552

to.in6.sin6_port = htons(port); /* Spurious warning */

392

to.sin6_port = htons(port); /* Spurious warning */

553

393

554

to.in6.sin6_scope_id = (uint32_t)if_index;

394

to.sin6_scope_id = (uint32_t)if_index;

555

395

556

396

if(debug){

557

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

558

port);

559

char addrstr[INET6_ADDRSTRLEN] = "";

560

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

561

sizeof(addrstr)) == NULL){

562

perror("inet_ntop");

563

} else {

564

if(strcmp(addrstr, ip) != 0){

565

fprintf(stderr, "Canonical address form: %s\n", addrstr);

566

}

567

}

397

fprintf(stderr, "Connection to: %s\n", ip);

568

398

}

569

399

570

ret = connect(tcp_sd, &to.in, sizeof(to));

400

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

571

401

if (ret < 0){

572

402

perror("connect");

573

403

return -1;

574

404

}

575

405

576

const char *out = mandos_protocol_version;

577

written = 0;

578

while (true){

579

size_t out_size = strlen(out);

580

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

581

out_size - written));

582

if (ret == -1){

583

perror("write");

584

retval = -1;

585

goto mandos_end;

586

}

587

written += (size_t)ret;

588

if(written < out_size){

589

continue;

590

} else {

591

if (out == mandos_protocol_version){

592

written = 0;

593

out = "\r\n";

594

} else {

595

break;

596

}

597

}

406

ret = initgnutls (&es);

407

if (ret != 0){

408

retval = -1;

409

return -1;

598

410

}

599

411

412

gnutls_transport_set_ptr (es.session,

413

(gnutls_transport_ptr_t) tcp_sd);

414

600

415

if(debug){

601

416

fprintf(stderr, "Establishing TLS session with %s\n", ip);

602

417

}

603

418

604

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

605

606

do{

607

ret = gnutls_handshake (session);

608

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

419

ret = gnutls_handshake (es.session);

609

420

610

421

if (ret != GNUTLS_E_SUCCESS){

611

if(debug){

612

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

613

gnutls_perror (ret);

614

}

422

fprintf(stderr, "\n*** Handshake failed ***\n");

423

gnutls_perror (ret);

615

424

retval = -1;

616

goto mandos_end;

425

goto exit;

617

426

}

618

427

619

/* Read OpenPGP packet that contains the wanted password */

428

//Retrieve OpenPGP packet that contains the wanted password

620

429

621

430

if(debug){

622

431

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

623

432

ip);

624

433

}

625

434

626

435

while(true){

627

buffer_capacity = adjustbuffer(&buffer, buffer_length,

628

buffer_capacity);

629

if (buffer_capacity == 0){

630

perror("adjustbuffer");

631

retval = -1;

632

goto mandos_end;

436

if (buffer_length + BUFFER_SIZE > buffer_capacity){

437

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

438

if (buffer == NULL){

439

perror("realloc");

440

goto exit;

441

}

442

buffer_capacity += BUFFER_SIZE;

633

443

}

634

444

635

ret = gnutls_record_recv(session, buffer+buffer_length,

636

BUFFER_SIZE);

445

ret = gnutls_record_recv

446

(es.session, buffer+buffer_length, BUFFER_SIZE);

637

447

if (ret == 0){

638

448

break;

639

449

}

643

453

case GNUTLS_E_AGAIN:

644

454

break;

645

455

case GNUTLS_E_REHANDSHAKE:

646

do{

647

ret = gnutls_handshake (session);

648

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

456

ret = gnutls_handshake (es.session);

649

457

if (ret < 0){

650

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

458

fprintf(stderr, "\n*** Handshake failed ***\n");

651

459

gnutls_perror (ret);

652

460

retval = -1;

653

goto mandos_end;

461

goto exit;

654

462

}

655

463

break;

656

464

default:

657

465

fprintf(stderr, "Unknown error while reading data from"

658

" encrypted session with Mandos server\n");

466

" encrypted session with mandos server\n");

659

467

retval = -1;

660

gnutls_bye (session, GNUTLS_SHUT_RDWR);

661

goto mandos_end;

468

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

469

goto exit;

662

470

}

663

471

} else {

664

472

buffer_length += (size_t) ret;

665

473

}

666

474

}

667

475

668

if(debug){

669

fprintf(stderr, "Closing TLS session\n");

670

}

671

672

gnutls_bye (session, GNUTLS_SHUT_RDWR);

673

674

476

if (buffer_length > 0){

675

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

477

decrypted_buffer_size = pgp_packet_decrypt(buffer,

676

478

buffer_length,

677

&decrypted_buffer);

479

&decrypted_buffer,

480

CERT_ROOT);

678

481

if (decrypted_buffer_size >= 0){

679

written = 0;

680

while(written < (size_t) decrypted_buffer_size){

482

while(written < decrypted_buffer_size){

681

483

ret = (int)fwrite (decrypted_buffer + written, 1,

682

484

(size_t)decrypted_buffer_size - written,

683

485

stdout);

695

497

} else {

696

498

retval = -1;

697

499

}

698

} else {

699

retval = -1;

700

}

701

702

/* Shutdown procedure */

703

704

mandos_end:

500

}

501

502

//shutdown procedure

503

504

if(debug){

505

fprintf(stderr, "Closing TLS session\n");

506

}

507

705

508

free(buffer);

706

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

707

if(ret == -1){

708

perror("close");

709

}

710

gnutls_deinit (session);

509

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

510

exit:

511

close(tcp_sd);

512

gnutls_deinit (es.session);

513

gnutls_certificate_free_credentials (es.cred);

514

gnutls_global_deinit ();

711

515

return retval;

712

516

}

713

517

714

static void resolve_callback(AvahiSServiceResolver *r,

715

AvahiIfIndex interface,

716

AVAHI_GCC_UNUSED AvahiProtocol protocol,

717

AvahiResolverEvent event,

718

const char *name,

719

const char *type,

720

const char *domain,

721

const char *host_name,

722

const AvahiAddress *address,

723

uint16_t port,

724

AVAHI_GCC_UNUSED AvahiStringList *txt,

725

AVAHI_GCC_UNUSED AvahiLookupResultFlags

726

flags,

727

void* userdata) {

728

mandos_context *mc = userdata;

729

assert(r);

518

static AvahiSimplePoll *simple_poll = NULL;

519

static AvahiServer *server = NULL;

520

521

static void resolve_callback(

522

AvahiSServiceResolver *r,

523

AvahiIfIndex interface,

524

AVAHI_GCC_UNUSED AvahiProtocol protocol,

525

AvahiResolverEvent event,

526

const char *name,

527

const char *type,

528

const char *domain,

529

const char *host_name,

530

const AvahiAddress *address,

531

uint16_t port,

532

AVAHI_GCC_UNUSED AvahiStringList *txt,

533

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

534

AVAHI_GCC_UNUSED void* userdata) {

535

536

assert(r); /* Spurious warning */

730

537

731

538

/* Called whenever a service has been resolved successfully or

732

539

timed out */

734

541

switch (event) {

735

542

default:

736

543

case AVAHI_RESOLVER_FAILURE:

737

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

738

" of type '%s' in domain '%s': %s\n", name, type, domain,

739

avahi_strerror(avahi_server_errno(mc->server)));

544

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

545

" type '%s' in domain '%s': %s\n", name, type, domain,

546

avahi_strerror(avahi_server_errno(server)));

740

547

break;

741

548

742

549

case AVAHI_RESOLVER_FOUND:

744

551

char ip[AVAHI_ADDRESS_STR_MAX];

745

552

avahi_address_snprint(ip, sizeof(ip), address);

746

553

if(debug){

747

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

748

PRIu16 ") on port %d\n", name, host_name, ip,

749

interface, port);

554

fprintf(stderr, "Mandos server found on %s (%s) on port %d\n",

555

host_name, ip, port);

750

556

}

751

int ret = start_mandos_communication(ip, port, interface, mc);

557

int ret = start_mandos_communication(ip, port,

558

(unsigned int) interface);

752

559

if (ret == 0){

753

avahi_simple_poll_quit(mc->simple_poll);

560

exit(EXIT_SUCCESS);

561

} else {

562

exit(EXIT_FAILURE);

754

563

}

755

564

}

756

565

}

757

566

avahi_s_service_resolver_free(r);

758

567

}

759

568

760

static void browse_callback( AvahiSServiceBrowser *b,

761

AvahiIfIndex interface,

762

AvahiProtocol protocol,

763

AvahiBrowserEvent event,

764

const char *name,

765

const char *type,

766

const char *domain,

767

AVAHI_GCC_UNUSED AvahiLookupResultFlags

768

flags,

769

void* userdata) {

770

mandos_context *mc = userdata;

771

assert(b);

772

773

/* Called whenever a new services becomes available on the LAN or

774

is removed from the LAN */

775

776

switch (event) {

777

default:

778

case AVAHI_BROWSER_FAILURE:

779

780

fprintf(stderr, "(Avahi browser) %s\n",

781

avahi_strerror(avahi_server_errno(mc->server)));

782

avahi_simple_poll_quit(mc->simple_poll);

783

return;

784

785

case AVAHI_BROWSER_NEW:

786

/* We ignore the returned Avahi resolver object. In the callback

787

function we free it. If the Avahi server is terminated before

788

the callback function is called the Avahi server will free the

789

resolver for us. */

790

791

if (!(avahi_s_service_resolver_new(mc->server, interface,

792

protocol, name, type, domain,

793

AVAHI_PROTO_INET6, 0,

794

resolve_callback, mc)))

795

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

796

name, avahi_strerror(avahi_server_errno(mc->server)));

797

break;

798

799

case AVAHI_BROWSER_REMOVE:

800

break;

801

802

case AVAHI_BROWSER_ALL_FOR_NOW:

803

case AVAHI_BROWSER_CACHE_EXHAUSTED:

804

if(debug){

805

fprintf(stderr, "No Mandos server found, still searching...\n");

569

static void browse_callback(

570

AvahiSServiceBrowser *b,

571

AvahiIfIndex interface,

572

AvahiProtocol protocol,

573

AvahiBrowserEvent event,

574

const char *name,

575

const char *type,

576

const char *domain,

577

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

578

void* userdata) {

579

580

AvahiServer *s = userdata;

581

assert(b); /* Spurious warning */

582

583

/* Called whenever a new services becomes available on the LAN or

584

is removed from the LAN */

585

586

switch (event) {

587

default:

588

case AVAHI_BROWSER_FAILURE:

589

590

fprintf(stderr, "(Browser) %s\n",

591

avahi_strerror(avahi_server_errno(server)));

592

avahi_simple_poll_quit(simple_poll);

593

return;

594

595

case AVAHI_BROWSER_NEW:

596

/* We ignore the returned resolver object. In the callback

597

function we free it. If the server is terminated before

598

the callback function is called the server will free

599

the resolver for us. */

600

601

if (!(avahi_s_service_resolver_new(s, interface, protocol, name,

602

type, domain,

603

AVAHI_PROTO_INET6, 0,

604

resolve_callback, s)))

605

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

606

avahi_strerror(avahi_server_errno(s)));

607

break;

608

609

case AVAHI_BROWSER_REMOVE:

610

break;

611

612

case AVAHI_BROWSER_ALL_FOR_NOW:

613

case AVAHI_BROWSER_CACHE_EXHAUSTED:

614

break;

806

615

}

807

break;

808

}

809

616

}

810

617

811

int main(int argc, char *argv[]){

618

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

619

AvahiServerConfig config;

812

620

AvahiSServiceBrowser *sb = NULL;

813

621

int error;

814

622

int ret;

815

int exitcode = EXIT_SUCCESS;

623

int returncode = EXIT_SUCCESS;

816

624

const char *interface = "eth0";

817

struct ifreq network;

818

int sd;

819

uid_t uid;

820

gid_t gid;

821

char *connect_to = NULL;

822

char tempdir[] = "/tmp/mandosXXXXXX";

823

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

824

const char *seckey = PATHDIR "/" SECKEY;

825

const char *pubkey = PATHDIR "/" PUBKEY;

826

827

mandos_context mc = { .simple_poll = NULL, .server = NULL,

828

.dh_bits = 1024, .priority = "SECURE256"

829

":!CTYPE-X.509:+CTYPE-OPENPGP" };

830

bool gnutls_initalized = false;

831

bool gpgme_initalized = false;

832

833

{

834

struct argp_option options[] = {

835

{ .name = "debug", .key = 128,

836

.doc = "Debug mode", .group = 3 },

837

{ .name = "connect", .key = 'c',

838

.arg = "ADDRESS:PORT",

839

.doc = "Connect directly to a specific Mandos server",

840

.group = 1 },

841

{ .name = "interface", .key = 'i',

842

.arg = "NAME",

843

.doc = "Interface that will be used to search for Mandos"

844

" servers",

845

.group = 1 },

846

{ .name = "seckey", .key = 's',

847

.arg = "FILE",

848

.doc = "OpenPGP secret key file base name",

849

.group = 1 },

850

{ .name = "pubkey", .key = 'p',

851

.arg = "FILE",

852

.doc = "OpenPGP public key file base name",

853

.group = 2 },

854

{ .name = "dh-bits", .key = 129,

855

.arg = "BITS",

856

.doc = "Bit length of the prime number used in the"

857

" Diffie-Hellman key exchange",

858

.group = 2 },

859

{ .name = "priority", .key = 130,

860

.arg = "STRING",

861

.doc = "GnuTLS priority string for the TLS handshake",

862

.group = 1 },

863

{ .name = NULL }

864

};

865

866

error_t parse_opt (int key, char *arg,

867

struct argp_state *state) {

868

/* Get the INPUT argument from `argp_parse', which we know is

869

a pointer to our plugin list pointer. */

870

switch (key) {

871

case 128: /* --debug */

872

debug = true;

873

break;

874

case 'c': /* --connect */

875

connect_to = arg;

876

break;

877

case 'i': /* --interface */

878

interface = arg;

879

break;

880

case 's': /* --seckey */

881

seckey = arg;

882

break;

883

case 'p': /* --pubkey */

884

pubkey = arg;

885

break;

886

case 129: /* --dh-bits */

887

errno = 0;

888

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

889

if (errno){

890

perror("strtol");

891

exit(EXIT_FAILURE);

892

}

893

break;

894

case 130: /* --priority */

895

mc.priority = arg;

896

break;

897

case ARGP_KEY_ARG:

898

argp_usage (state);

899

case ARGP_KEY_END:

900

break;

901

default:

902

return ARGP_ERR_UNKNOWN;

903

}

904

return 0;

905

}

906

907

struct argp argp = { .options = options, .parser = parse_opt,

908

.args_doc = "",

909

.doc = "Mandos client -- Get and decrypt"

910

" passwords from a Mandos server" };

911

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

912

if (ret == ARGP_ERR_UNKNOWN){

913

fprintf(stderr, "Unknown error while parsing arguments\n");

914

exitcode = EXIT_FAILURE;

915

goto end;

916

}

917

}

918

919

/* If the interface is down, bring it up */

920

{

921

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

922

if(sd < 0) {

923

perror("socket");

924

exitcode = EXIT_FAILURE;

925

goto end;

926

}

927

strcpy(network.ifr_name, interface);

928

ret = ioctl(sd, SIOCGIFFLAGS, &network);

929

if(ret == -1){

930

perror("ioctl SIOCGIFFLAGS");

931

exitcode = EXIT_FAILURE;

932

goto end;

933

}

934

if((network.ifr_flags & IFF_UP) == 0){

935

network.ifr_flags |= IFF_UP;

936

ret = ioctl(sd, SIOCSIFFLAGS, &network);

937

if(ret == -1){

938

perror("ioctl SIOCSIFFLAGS");

939

exitcode = EXIT_FAILURE;

940

goto end;

941

}

942

}

943

ret = TEMP_FAILURE_RETRY(close(sd));

944

if(ret == -1){

945

perror("close");

946

}

947

}

948

949

uid = getuid();

950

gid = getgid();

951

952

ret = setuid(uid);

953

if (ret == -1){

954

perror("setuid");

955

}

956

957

setgid(gid);

958

if (ret == -1){

959

perror("setgid");

960

}

961

962

ret = init_gnutls_global(&mc, pubkey, seckey);

963

if (ret == -1){

964

fprintf(stderr, "init_gnutls_global failed\n");

965

exitcode = EXIT_FAILURE;

966

goto end;

967

} else {

968

gnutls_initalized = true;

969

}

970

971

if(mkdtemp(tempdir) == NULL){

972

perror("mkdtemp");

973

tempdir[0] = '\0';

974

goto end;

975

}

976

977

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

978

fprintf(stderr, "gpgme_initalized failed\n");

979

exitcode = EXIT_FAILURE;

980

goto end;

981

} else {

982

gpgme_initalized = true;

983

}

984

985

if_index = (AvahiIfIndex) if_nametoindex(interface);

986

if(if_index == 0){

987

fprintf(stderr, "No such interface: \"%s\"\n", interface);

988

exit(EXIT_FAILURE);

989

}

990

991

if(connect_to != NULL){

992

/* Connect directly, do not use Zeroconf */

993

/* (Mainly meant for debugging) */

994

char *address = strrchr(connect_to, ':');

995

if(address == NULL){

996

fprintf(stderr, "No colon in address\n");

997

exitcode = EXIT_FAILURE;

998

goto end;

999

}

1000

errno = 0;

1001

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1002

if(errno){

1003

perror("Bad port number");

1004

exitcode = EXIT_FAILURE;

1005

goto end;

1006

}

1007

*address = '\0';

1008

address = connect_to;

1009

ret = start_mandos_communication(address, port, if_index, &mc);

1010

if(ret < 0){

1011

exitcode = EXIT_FAILURE;

1012

} else {

1013

exitcode = EXIT_SUCCESS;

1014

}

1015

goto end;

625

626

while (true){

627

static struct option long_options[] = {

628

{"debug", no_argument, (int *)&debug, 1},

629

{"interface", required_argument, 0, 'i'},

630

{0, 0, 0, 0} };

631

632

int option_index = 0;

633

ret = getopt_long (argc, argv, "i:", long_options,

634

&option_index);

635

636

if (ret == -1){

637

break;

638

}

639

640

switch(ret){

641

case 0:

642

break;

643

case 'i':

644

interface = optarg;

645

break;

646

default:

647

exit(EXIT_FAILURE);

648

}

1016

649

}

1017

650

1018

651

if (not debug){

1019

652

avahi_set_log_function(empty_log);

1020

653

}

1021

654

1022

/* Initialize the pseudo-RNG for Avahi */

655

/* Initialize the psuedo-RNG */

1023

656

srand((unsigned int) time(NULL));

1024

1025

/* Allocate main Avahi loop object */

1026

mc.simple_poll = avahi_simple_poll_new();

1027

if (mc.simple_poll == NULL) {

1028

fprintf(stderr, "Avahi: Failed to create simple poll"

1029

" object.\n");

1030

exitcode = EXIT_FAILURE;

1031

goto end;

1032

}

1033

1034

{

1035

AvahiServerConfig config;

1036

/* Do not publish any local Zeroconf records */

1037

avahi_server_config_init(&config);

1038

config.publish_hinfo = 0;

1039

config.publish_addresses = 0;

1040

config.publish_workstation = 0;

1041

config.publish_domain = 0;

1042

1043

/* Allocate a new server */

1044

mc.server = avahi_server_new(avahi_simple_poll_get

1045

(mc.simple_poll), &config, NULL,

1046

NULL, &error);

1047

1048

/* Free the Avahi configuration data */

1049

avahi_server_config_free(&config);

1050

}

1051

1052

/* Check if creating the Avahi server object succeeded */

1053

if (mc.server == NULL) {

1054

fprintf(stderr, "Failed to create Avahi server: %s\n",

657

658

/* Allocate main loop object */

659

if (!(simple_poll = avahi_simple_poll_new())) {

660

fprintf(stderr, "Failed to create simple poll object.\n");

661

662

goto exit;

663

}

664

665

/* Do not publish any local records */

666

avahi_server_config_init(&config);

667

config.publish_hinfo = 0;

668

config.publish_addresses = 0;

669

config.publish_workstation = 0;

670

config.publish_domain = 0;

671

672

/* Allocate a new server */

673

server = avahi_server_new(avahi_simple_poll_get(simple_poll),

674

&config, NULL, NULL, &error);

675

676

/* Free the configuration data */

677

avahi_server_config_free(&config);

678

679

/* Check if creating the server object succeeded */

680

if (!server) {

681

fprintf(stderr, "Failed to create server: %s\n",

1055

682

avahi_strerror(error));

1056

exitcode = EXIT_FAILURE;

1057

goto end;

683

returncode = EXIT_FAILURE;

684

goto exit;

1058

685

}

1059

686

1060

/* Create the Avahi service browser */

1061

sb = avahi_s_service_browser_new(mc.server, if_index,

687

/* Create the service browser */

688

sb = avahi_s_service_browser_new(server,

689

(AvahiIfIndex)

690

if_nametoindex(interface),

1062

691

AVAHI_PROTO_INET6,

1063

692

"_mandos._tcp", NULL, 0,

1064

browse_callback, &mc);

1065

if (sb == NULL) {

693

browse_callback, server);

694

if (!sb) {

1066

695

fprintf(stderr, "Failed to create service browser: %s\n",

1067

avahi_strerror(avahi_server_errno(mc.server)));

1068

exitcode = EXIT_FAILURE;

1069

goto end;

696

avahi_strerror(avahi_server_errno(server)));

697

returncode = EXIT_FAILURE;

698

goto exit;

1070

699

}

1071

700

1072

701

/* Run the main loop */

1073

702

1074

703

if (debug){

1075

fprintf(stderr, "Starting Avahi loop search\n");

704

fprintf(stderr, "Starting avahi loop search\n");

1076

705

}

1077

706

1078

avahi_simple_poll_loop(mc.simple_poll);

1079

1080

end:

1081

707

avahi_simple_poll_loop(simple_poll);

708

709

exit:

710

1082

711

if (debug){

1083

712

fprintf(stderr, "%s exiting\n", argv[0]);

1084

713

}

1085

714

1086

715

/* Cleanup things */

1087

if (sb != NULL)

716

if (sb)

1088

717

avahi_s_service_browser_free(sb);

1089

718

1090

if (mc.server != NULL)

1091

avahi_server_free(mc.server);

1092

1093

if (mc.simple_poll != NULL)

1094

avahi_simple_poll_free(mc.simple_poll);

1095

1096

if (gnutls_initalized){

1097

gnutls_certificate_free_credentials(mc.cred);

1098

gnutls_global_deinit ();

1099

gnutls_dh_params_deinit(mc.dh_params);

1100

}

1101

1102

if(gpgme_initalized){

1103

gpgme_release(mc.ctx);

1104

}

1105

1106

/* Removes the temp directory used by GPGME */

1107

if(tempdir[0] != '\0'){

1108

DIR *d;

1109

struct dirent *direntry;

1110

d = opendir(tempdir);

1111

if(d == NULL){

1112

perror("opendir");

1113

} else {

1114

while(true){

1115

direntry = readdir(d);

1116

if(direntry == NULL){

1117

break;

1118

}

1119

if (direntry->d_type == DT_REG){

1120

char *fullname = NULL;

1121

ret = asprintf(&fullname, "%s/%s", tempdir,

1122

direntry->d_name);

1123

if(ret < 0){

1124

perror("asprintf");

1125

continue;

1126

}

1127

ret = unlink(fullname);

1128

if(ret == -1){

1129

fprintf(stderr, "unlink(\"%s\"): %s",

1130

fullname, strerror(errno));

1131

}

1132

free(fullname);

1133

}

1134

}

1135

closedir(d);

1136

}

1137

ret = rmdir(tempdir);

1138

if(ret == -1){

1139

perror("rmdir");

1140

}

1141

}

1142

1143

return exitcode;

719

if (server)

720

avahi_server_free(server);

721

722

if (simple_poll)

723

avahi_simple_poll_free(simple_poll);

724

725

return returncode;

1144

726

}

Older »