/mandos/trunk : revision 237.2.14

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2009-02-13 09:03:22 UTC
mto: (24.1.170 mandos) (237.4.29 release)
mto: This revision was merged to the branch mainline in revision 316.
Revision ID: teddy@fukt.bsnet.se-20090213090322-6ixytwlkdsm637d7

Tags: version-1.0.6-1

* Makefile (version): Changed to "1.0.6".
NEWS (Version 1.0.6): New entry.
debian/changelog (1.0.6-1): - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.lsm

overview.xml

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
network-protocol.txt

files renamed:
mandos-client.c => plugin-runner.c

mandos-client.xml => plugin-runner.xml

plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
Makefile

TODO

clients.conf

mandos

mandos-clients.conf.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

/* -*- coding: utf-8 -*- */

* Mandos client - get and decrypt data from a Mandos server

* Mandos-client - get and decrypt data from a Mandos server

* This program is partly derived from an example program for an Avahi

* service browser, downloaded from

* "browse_callback", and parts of "main".

* Everything else is

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror(), remove() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand(), strtof() */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, uid_t, gid_t, open(),

opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

inet_pton(), connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir()

#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,

strtoimax() */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* nanosleep(), time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS */

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,

INET_ADDRSTRLEN, INET6_ADDRSTRLEN

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, or, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

#include <signal.h> /* sigemptyset(), sigaddset(),

sigaction(), SIGTERM, sigaction,

sig_atomic_t */

#ifdef __linux__

#include <sys/klog.h> /* klogctl() */

#endif /* __linux__ */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* Mandos client part */

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

100

gnutls_*

101

init_gnutls_session(),

102

GNUTLS_* */

103

#include <gnutls/openpgp.h>

104

/* gnutls_certificate_set_openpgp_key_file(),

105

GNUTLS_OPENPGP_FMT_BASE64 */

106

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

#include <net/if.h> /* IF_NAMESIZE */

#include <argp.h> /* struct argp_option,

struct argp_state, struct argp,

argp_parse() */

107

/* GPGME */

#include <errno.h> /* perror() */

#include <gpgme.h>

108

#include <gpgme.h> /* All GPGME types, constants and

109

functions:

110

gpgme_*

111

GPGME_PROTOCOL_OpenPGP,

112

GPG_ERR_NO_* */

113

114

#define BUFFER_SIZE 256

115

116

#define PATHDIR "/conf/conf.d/mandos"

117

#define SECKEY "seckey.txt"

118

#define PUBKEY "pubkey.txt"

119

120

bool debug = false;

static const char *keydir = "/conf/conf.d/mandos";

121

static const char mandos_protocol_version[] = "1";

const char *argp_program_version = "mandosclient 0.9";

122

const char *argp_program_version = "mandos-client " VERSION;

123

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

124

125

/* Used for passing in values through the Avahi callback functions */

130

unsigned int dh_bits;

131

gnutls_dh_params_t dh_params;

132

const char *priority;

133

gpgme_ctx_t ctx;

134

} mandos_context;

135

136

/* global context so signal handler can reach it*/

137

mandos_context mc = { .simple_poll = NULL, .server = NULL,

138

.dh_bits = 1024, .priority = "SECURE256"

139

":!CTYPE-X.509:+CTYPE-OPENPGP" };

140

141

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

* "buffer_capacity" is how much is currently allocated,

142

* Make additional room in "buffer" for at least BUFFER_SIZE more

143

* bytes. "buffer_capacity" is how much is currently allocated,

144

* "buffer_length" is how much is already used.

145

size_t adjustbuffer(char **buffer, size_t buffer_length,

146

size_t incbuffer(char **buffer, size_t buffer_length,

147

size_t buffer_capacity){

100

if (buffer_length + BUFFER_SIZE > buffer_capacity){

148

if(buffer_length + BUFFER_SIZE > buffer_capacity){

101

149

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

102

if (buffer == NULL){

150

if(buffer == NULL){

103

151

return 0;

104

152

}

105

153

buffer_capacity += BUFFER_SIZE;

108

156

}

109

157

110

158

111

* Decrypt OpenPGP data using keyrings in HOMEDIR.

112

* Returns -1 on error

159

* Initialize GPGME.

113

160

114

static ssize_t pgp_packet_decrypt (const char *cryptotext,

115

size_t crypto_size,

116

char **plaintext,

117

const char *homedir){

118

gpgme_data_t dh_crypto, dh_plain;

119

gpgme_ctx_t ctx;

161

static bool init_gpgme(const char *seckey,

162

const char *pubkey, const char *tempdir){

163

int ret;

120

164

gpgme_error_t rc;

121

ssize_t ret;

122

size_t plaintext_capacity = 0;

123

ssize_t plaintext_length = 0;

124

165

gpgme_engine_info_t engine_info;

125

166

126

if (debug){

127

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

167

168

169

* Helper function to insert pub and seckey to the engine keyring.

170

171

bool import_key(const char *filename){

172

int fd;

173

gpgme_data_t pgp_data;

174

175

fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

176

if(fd == -1){

177

perror("open");

178

return false;

179

}

180

181

rc = gpgme_data_new_from_fd(&pgp_data, fd);

182

if(rc != GPG_ERR_NO_ERROR){

183

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

184

gpgme_strsource(rc), gpgme_strerror(rc));

185

return false;

186

}

187

188

rc = gpgme_op_import(mc.ctx, pgp_data);

189

if(rc != GPG_ERR_NO_ERROR){

190

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

191

gpgme_strsource(rc), gpgme_strerror(rc));

192

return false;

193

}

194

195

ret = (int)TEMP_FAILURE_RETRY(close(fd));

196

if(ret == -1){

197

perror("close");

198

}

199

gpgme_data_release(pgp_data);

200

return true;

201

}

202

203

if(debug){

204

fprintf(stderr, "Initializing GPGME\n");

128

205

}

129

206

130

207

/* Init GPGME */

131

208

gpgme_check_version(NULL);

132

209

rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);

133

if (rc != GPG_ERR_NO_ERROR){

210

if(rc != GPG_ERR_NO_ERROR){

134

211

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

135

212

gpgme_strsource(rc), gpgme_strerror(rc));

136

return -1;

213

return false;

137

214

}

138

215

139

/* Set GPGME home directory for the OpenPGP engine only */

140

rc = gpgme_get_engine_info (&engine_info);

141

if (rc != GPG_ERR_NO_ERROR){

216

/* Set GPGME home directory for the OpenPGP engine only */

217

rc = gpgme_get_engine_info(&engine_info);

218

if(rc != GPG_ERR_NO_ERROR){

142

219

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

143

220

gpgme_strsource(rc), gpgme_strerror(rc));

144

return -1;

221

return false;

145

222

}

146

223

while(engine_info != NULL){

147

224

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

148

225

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

149

engine_info->file_name, homedir);

226

engine_info->file_name, tempdir);

150

227

break;

151

228

}

152

229

engine_info = engine_info->next;

153

230

}

154

231

if(engine_info == NULL){

155

fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);

156

return -1;

232

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

233

return false;

234

}

235

236

/* Create new GPGME "context" */

237

rc = gpgme_new(&(mc.ctx));

238

if(rc != GPG_ERR_NO_ERROR){

239

fprintf(stderr, "bad gpgme_new: %s: %s\n",

240

gpgme_strsource(rc), gpgme_strerror(rc));

241

return false;

242

}

243

244

if(not import_key(pubkey) or not import_key(seckey)){

245

return false;

246

}

247

248

return true;

249

}

250

251

252

* Decrypt OpenPGP data.

253

* Returns -1 on error

254

255

static ssize_t pgp_packet_decrypt(const char *cryptotext,

256

size_t crypto_size,

257

char **plaintext){

258

gpgme_data_t dh_crypto, dh_plain;

259

gpgme_error_t rc;

260

ssize_t ret;

261

size_t plaintext_capacity = 0;

262

ssize_t plaintext_length = 0;

263

264

if(debug){

265

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

157

266

}

158

267

159

268

/* Create new GPGME data buffer from memory cryptotext */

160

269

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

161

270

0);

162

if (rc != GPG_ERR_NO_ERROR){

271

if(rc != GPG_ERR_NO_ERROR){

163

272

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

164

273

gpgme_strsource(rc), gpgme_strerror(rc));

165

274

return -1;

167

276

168

277

/* Create new empty GPGME data buffer for the plaintext */

169

278

rc = gpgme_data_new(&dh_plain);

170

if (rc != GPG_ERR_NO_ERROR){

279

if(rc != GPG_ERR_NO_ERROR){

171

280

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

172

281

gpgme_strsource(rc), gpgme_strerror(rc));

173

282

gpgme_data_release(dh_crypto);

174

283

return -1;

175

284

}

176

285

177

/* Create new GPGME "context" */

178

rc = gpgme_new(&ctx);

179

if (rc != GPG_ERR_NO_ERROR){

180

fprintf(stderr, "bad gpgme_new: %s: %s\n",

181

gpgme_strsource(rc), gpgme_strerror(rc));

182

plaintext_length = -1;

183

goto decrypt_end;

184

}

185

186

286

/* Decrypt data from the cryptotext data buffer to the plaintext

187

287

data buffer */

188

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

189

if (rc != GPG_ERR_NO_ERROR){

288

rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);

289

if(rc != GPG_ERR_NO_ERROR){

190

290

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

191

291

gpgme_strsource(rc), gpgme_strerror(rc));

192

292

plaintext_length = -1;

293

if(debug){

294

gpgme_decrypt_result_t result;

295

result = gpgme_op_decrypt_result(mc.ctx);

296

if(result == NULL){

297

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

298

} else {

299

fprintf(stderr, "Unsupported algorithm: %s\n",

300

result->unsupported_algorithm);

301

fprintf(stderr, "Wrong key usage: %u\n",

302

result->wrong_key_usage);

303

if(result->file_name != NULL){

304

fprintf(stderr, "File name: %s\n", result->file_name);

305

}

306

gpgme_recipient_t recipient;

307

recipient = result->recipients;

308

if(recipient){

309

while(recipient != NULL){

310

fprintf(stderr, "Public key algorithm: %s\n",

311

gpgme_pubkey_algo_name(recipient->pubkey_algo));

312

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

313

fprintf(stderr, "Secret key available: %s\n",

314

recipient->status == GPG_ERR_NO_SECKEY

315

? "No" : "Yes");

316

recipient = recipient->next;

317

}

318

}

319

}

320

}

193

321

goto decrypt_end;

194

322

}

195

323

197

325

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

198

326

}

199

327

200

if (debug){

201

gpgme_decrypt_result_t result;

202

result = gpgme_op_decrypt_result(ctx);

203

if (result == NULL){

204

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

205

} else {

206

fprintf(stderr, "Unsupported algorithm: %s\n",

207

result->unsupported_algorithm);

208

fprintf(stderr, "Wrong key usage: %d\n",

209

result->wrong_key_usage);

210

if(result->file_name != NULL){

211

fprintf(stderr, "File name: %s\n", result->file_name);

212

}

213

gpgme_recipient_t recipient;

214

recipient = result->recipients;

215

if(recipient){

216

while(recipient != NULL){

217

fprintf(stderr, "Public key algorithm: %s\n",

218

gpgme_pubkey_algo_name(recipient->pubkey_algo));

219

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

220

fprintf(stderr, "Secret key available: %s\n",

221

recipient->status == GPG_ERR_NO_SECKEY

222

? "No" : "Yes");

223

recipient = recipient->next;

224

}

225

}

226

}

227

}

228

229

328

/* Seek back to the beginning of the GPGME plaintext data buffer */

230

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

231

perror("pgpme_data_seek");

329

if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){

330

perror("gpgme_data_seek");

232

331

plaintext_length = -1;

233

332

goto decrypt_end;

234

333

}

235

334

236

335

*plaintext = NULL;

237

336

while(true){

238

plaintext_capacity = adjustbuffer(plaintext,

337

plaintext_capacity = incbuffer(plaintext,

239

338

(size_t)plaintext_length,

240

339

plaintext_capacity);

241

if (plaintext_capacity == 0){

242

perror("adjustbuffer");

340

if(plaintext_capacity == 0){

341

perror("incbuffer");

243

342

plaintext_length = -1;

244

343

goto decrypt_end;

245

344

}

247

346

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

248

347

BUFFER_SIZE);

249

348

/* Print the data, if any */

250

if (ret == 0){

349

if(ret == 0){

251

350

/* EOF */

252

351

break;

253

352

}

258

357

}

259

358

plaintext_length += ret;

260

359

}

261

360

262

361

if(debug){

263

362

fprintf(stderr, "Decrypted password is: ");

264

363

for(ssize_t i = 0; i < plaintext_length; i++){

277

376

return plaintext_length;

278

377

}

279

378

280

static const char * safer_gnutls_strerror (int value) {

281

const char *ret = gnutls_strerror (value);

282

if (ret == NULL)

379

static const char * safer_gnutls_strerror(int value){

380

const char *ret = gnutls_strerror(value); /* Spurious warning from

381

-Wunreachable-code */

382

if(ret == NULL)

283

383

ret = "(unknown)";

284

384

return ret;

285

385

}

290

390

fprintf(stderr, "GnuTLS: %s", string);

291

391

}

292

392

293

static int init_gnutls_global(mandos_context *mc,

294

const char *pubkeyfile,

295

const char *seckeyfile){

393

static int init_gnutls_global(const char *pubkeyfilename,

394

const char *seckeyfilename){

296

395

int ret;

297

396

298

397

if(debug){

299

398

fprintf(stderr, "Initializing GnuTLS\n");

300

399

}

301

302

if ((ret = gnutls_global_init ())

303

!= GNUTLS_E_SUCCESS) {

304

fprintf (stderr, "GnuTLS global_init: %s\n",

305

safer_gnutls_strerror(ret));

400

401

ret = gnutls_global_init();

402

if(ret != GNUTLS_E_SUCCESS){

403

fprintf(stderr, "GnuTLS global_init: %s\n",

404

safer_gnutls_strerror(ret));

306

405

return -1;

307

406

}

308

407

309

if (debug){

408

if(debug){

310

409

/* "Use a log level over 10 to enable all debugging options."

311

410

* - GnuTLS manual

312

411

315

414

}

316

415

317

416

/* OpenPGP credentials */

318

if ((ret = gnutls_certificate_allocate_credentials (&mc->cred))

319

!= GNUTLS_E_SUCCESS) {

320

fprintf (stderr, "GnuTLS memory error: %s\n",

321

safer_gnutls_strerror(ret));

322

gnutls_global_deinit ();

417

gnutls_certificate_allocate_credentials(&mc.cred);

418

if(ret != GNUTLS_E_SUCCESS){

419

fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning

420

from

421

-Wunreachable-code

422

423

safer_gnutls_strerror(ret));

424

gnutls_global_deinit();

323

425

return -1;

324

426

}

325

427

326

428

if(debug){

327

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

328

" and keyfile %s as GnuTLS credentials\n", pubkeyfile,

329

seckeyfile);

429

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

430

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

431

seckeyfilename);

330

432

}

331

433

332

434

ret = gnutls_certificate_set_openpgp_key_file

333

(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);

334

if (ret != GNUTLS_E_SUCCESS) {

435

(mc.cred, pubkeyfilename, seckeyfilename,

436

GNUTLS_OPENPGP_FMT_BASE64);

437

if(ret != GNUTLS_E_SUCCESS){

335

438

fprintf(stderr,

336

439

"Error[%d] while reading the OpenPGP key pair ('%s',"

337

" '%s')\n", ret, pubkeyfile, seckeyfile);

338

fprintf(stdout, "The GnuTLS error is: %s\n",

440

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

441

fprintf(stderr, "The GnuTLS error is: %s\n",

339

442

safer_gnutls_strerror(ret));

340

443

goto globalfail;

341

444

}

342

445

343

446

/* GnuTLS server initialization */

344

ret = gnutls_dh_params_init(&mc->dh_params);

345

if (ret != GNUTLS_E_SUCCESS) {

346

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

347

" %s\n", safer_gnutls_strerror(ret));

348

goto globalfail;

349

}

350

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

351

if (ret != GNUTLS_E_SUCCESS) {

352

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

353

safer_gnutls_strerror(ret));

354

goto globalfail;

355

}

356

357

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

358

447

ret = gnutls_dh_params_init(&mc.dh_params);

448

if(ret != GNUTLS_E_SUCCESS){

449

fprintf(stderr, "Error in GnuTLS DH parameter initialization:"

450

" %s\n", safer_gnutls_strerror(ret));

451

goto globalfail;

452

}

453

ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);

454

if(ret != GNUTLS_E_SUCCESS){

455

fprintf(stderr, "Error in GnuTLS prime generation: %s\n",

456

safer_gnutls_strerror(ret));

457

goto globalfail;

458

}

459

460

gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);

461

359

462

return 0;

360

463

361

464

globalfail:

362

363

gnutls_certificate_free_credentials (mc->cred);

364

gnutls_global_deinit ();

465

466

gnutls_certificate_free_credentials(mc.cred);

467

gnutls_global_deinit();

468

gnutls_dh_params_deinit(mc.dh_params);

365

469

return -1;

366

367

470

}

368

471

369

static int init_gnutls_session(mandos_context *mc,

370

gnutls_session_t *session){

472

static int init_gnutls_session(gnutls_session_t *session){

371

473

int ret;

372

474

/* GnuTLS session creation */

373

475

ret = gnutls_init(session, GNUTLS_SERVER);

374

if (ret != GNUTLS_E_SUCCESS){

476

if(ret != GNUTLS_E_SUCCESS){

375

477

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

376

478

safer_gnutls_strerror(ret));

377

479

}

378

480

379

481

{

380

482

const char *err;

381

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

382

if (ret != GNUTLS_E_SUCCESS) {

483

ret = gnutls_priority_set_direct(*session, mc.priority, &err);

484

if(ret != GNUTLS_E_SUCCESS){

383

485

fprintf(stderr, "Syntax error at: %s\n", err);

384

486

fprintf(stderr, "GnuTLS error: %s\n",

385

487

safer_gnutls_strerror(ret));

386

gnutls_deinit (*session);

488

gnutls_deinit(*session);

387

489

return -1;

388

490

}

389

491

}

390

492

391

493

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

392

mc->cred);

393

if (ret != GNUTLS_E_SUCCESS) {

494

mc.cred);

495

if(ret != GNUTLS_E_SUCCESS){

394

496

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

395

497

safer_gnutls_strerror(ret));

396

gnutls_deinit (*session);

498

gnutls_deinit(*session);

397

499

return -1;

398

500

}

399

501

400

502

/* ignore client certificate if any. */

401

gnutls_certificate_server_set_request (*session,

402

GNUTLS_CERT_IGNORE);

503

gnutls_certificate_server_set_request(*session,

504

GNUTLS_CERT_IGNORE);

403

505

404

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

506

gnutls_dh_set_prime_bits(*session, mc.dh_bits);

405

507

406

508

return 0;

407

509

}

413

515

/* Called when a Mandos server is found */

414

516

static int start_mandos_communication(const char *ip, uint16_t port,

415

517

AvahiIfIndex if_index,

416

mandos_context *mc){

518

int af){

417

519

int ret, tcp_sd;

418

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

520

ssize_t sret;

521

union {

522

struct sockaddr_in in;

523

struct sockaddr_in6 in6;

524

} to;

419

525

char *buffer = NULL;

420

526

char *decrypted_buffer;

421

527

size_t buffer_length = 0;

423

529

ssize_t decrypted_buffer_size;

424

530

size_t written;

425

531

int retval = 0;

426

char interface[IF_NAMESIZE];

427

532

gnutls_session_t session;

428

429

ret = init_gnutls_session (mc, &session);

430

if (ret != 0){

533

int pf; /* Protocol family */

534

535

switch(af){

536

case AF_INET6:

537

pf = PF_INET6;

538

break;

539

case AF_INET:

540

pf = PF_INET;

541

break;

542

default:

543

fprintf(stderr, "Bad address family: %d\n", af);

544

return -1;

545

}

546

547

ret = init_gnutls_session(&session);

548

if(ret != 0){

431

549

return -1;

432

550

}

433

551

434

552

if(debug){

435

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

436

ip, port);

553

fprintf(stderr, "Setting up a TCP connection to %s, port %" PRIu16

554

"\n", ip, port);

437

555

}

438

556

439

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

440

if(tcp_sd < 0) {

557

tcp_sd = socket(pf, SOCK_STREAM, 0);

558

if(tcp_sd < 0){

441

559

perror("socket");

442

560

return -1;

443

561

}

444

445

if(debug){

446

if(if_indextoname((unsigned int)if_index, interface) == NULL){

447

perror("if_indextoname");

448

return -1;

449

}

450

fprintf(stderr, "Binding to interface %s\n", interface);

451

}

452

562

453

memset(&to,0,sizeof(to)); /* Spurious warning */

454

to.in6.sin6_family = AF_INET6;

455

/* It would be nice to have a way to detect if we were passed an

456

IPv4 address here. Now we assume an IPv6 address. */

457

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

458

if (ret < 0 ){

563

memset(&to, 0, sizeof(to));

564

if(af == AF_INET6){

565

to.in6.sin6_family = (uint16_t)af;

566

ret = inet_pton(af, ip, &to.in6.sin6_addr);

567

} else { /* IPv4 */

568

to.in.sin_family = (sa_family_t)af;

569

ret = inet_pton(af, ip, &to.in.sin_addr);

570

}

571

if(ret < 0 ){

459

572

perror("inet_pton");

460

573

return -1;

461

574

}

463

576

fprintf(stderr, "Bad address: %s\n", ip);

464

577

return -1;

465

578

}

466

to.in6.sin6_port = htons(port); /* Spurious warning */

467

468

to.in6.sin6_scope_id = (uint32_t)if_index;

579

if(af == AF_INET6){

580

to.in6.sin6_port = htons(port); /* Spurious warnings from

581

-Wconversion and

582

-Wunreachable-code */

583

584

if(IN6_IS_ADDR_LINKLOCAL /* Spurious warnings from */

585

(&to.in6.sin6_addr)){ /* -Wstrict-aliasing=2 or lower and

586

-Wunreachable-code*/

587

if(if_index == AVAHI_IF_UNSPEC){

588

fprintf(stderr, "An IPv6 link-local address is incomplete"

589

" without a network interface\n");

590

return -1;

591

}

592

/* Set the network interface number as scope */

593

to.in6.sin6_scope_id = (uint32_t)if_index;

594

}

595

} else {

596

to.in.sin_port = htons(port); /* Spurious warnings from

597

-Wconversion and

598

-Wunreachable-code */

599

}

469

600

470

601

if(debug){

471

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

472

char addrstr[INET6_ADDRSTRLEN] = "";

473

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

474

sizeof(addrstr)) == NULL){

602

if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){

603

char interface[IF_NAMESIZE];

604

if(if_indextoname((unsigned int)if_index, interface) == NULL){

605

perror("if_indextoname");

606

} else {

607

fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",

608

ip, interface, port);

609

}

610

} else {

611

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

612

port);

613

}

614

char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?

615

INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";

616

const char *pcret;

617

if(af == AF_INET6){

618

pcret = inet_ntop(af, &(to.in6.sin6_addr), addrstr,

619

sizeof(addrstr));

620

} else {

621

pcret = inet_ntop(af, &(to.in.sin_addr), addrstr,

622

sizeof(addrstr));

623

}

624

if(pcret == NULL){

475

625

perror("inet_ntop");

476

626

} else {

477

627

if(strcmp(addrstr, ip) != 0){

480

630

}

481

631

}

482

632

483

ret = connect(tcp_sd, &to.in, sizeof(to));

484

if (ret < 0){

633

if(af == AF_INET6){

634

ret = connect(tcp_sd, &to.in6, sizeof(to));

635

} else {

636

ret = connect(tcp_sd, &to.in, sizeof(to)); /* IPv4 */

637

}

638

if(ret < 0){

485

639

perror("connect");

486

640

return -1;

487

641

}

488

642

489

643

const char *out = mandos_protocol_version;

490

644

written = 0;

491

while (true){

645

while(true){

492

646

size_t out_size = strlen(out);

493

ret = TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

647

ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,

494

648

out_size - written));

495

if (ret == -1){

649

if(ret == -1){

496

650

perror("write");

497

651

retval = -1;

498

652

goto mandos_end;

501

655

if(written < out_size){

502

656

continue;

503

657

} else {

504

if (out == mandos_protocol_version){

658

if(out == mandos_protocol_version){

505

659

written = 0;

506

660

out = "\r\n";

507

661

} else {

509

663

}

510

664

}

511

665

}

512

666

513

667

if(debug){

514

668

fprintf(stderr, "Establishing TLS session with %s\n", ip);

515

669

}

516

670

517

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

518

519

ret = gnutls_handshake (session);

520

521

if (ret != GNUTLS_E_SUCCESS){

671

gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);

672

673

do{

674

ret = gnutls_handshake(session);

675

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

676

677

if(ret != GNUTLS_E_SUCCESS){

522

678

if(debug){

523

679

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

524

gnutls_perror (ret);

680

gnutls_perror(ret);

525

681

}

526

682

retval = -1;

527

683

goto mandos_end;

530

686

/* Read OpenPGP packet that contains the wanted password */

531

687

532

688

if(debug){

533

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

689

fprintf(stderr, "Retrieving OpenPGP encrypted password from %s\n",

534

690

ip);

535

691

}

536

692

537

693

while(true){

538

buffer_capacity = adjustbuffer(&buffer, buffer_length,

694

buffer_capacity = incbuffer(&buffer, buffer_length,

539

695

buffer_capacity);

540

if (buffer_capacity == 0){

541

perror("adjustbuffer");

696

if(buffer_capacity == 0){

697

perror("incbuffer");

542

698

retval = -1;

543

699

goto mandos_end;

544

700

}

545

701

546

ret = gnutls_record_recv(session, buffer+buffer_length,

547

BUFFER_SIZE);

548

if (ret == 0){

702

sret = gnutls_record_recv(session, buffer+buffer_length,

703

BUFFER_SIZE);

704

if(sret == 0){

549

705

break;

550

706

}

551

if (ret < 0){

552

switch(ret){

707

if(sret < 0){

708

switch(sret){

553

709

case GNUTLS_E_INTERRUPTED:

554

710

case GNUTLS_E_AGAIN:

555

711

break;

556

712

case GNUTLS_E_REHANDSHAKE:

557

ret = gnutls_handshake (session);

558

if (ret < 0){

713

do{

714

ret = gnutls_handshake(session);

715

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

716

if(ret < 0){

559

717

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

560

gnutls_perror (ret);

718

gnutls_perror(ret);

561

719

retval = -1;

562

720

goto mandos_end;

563

721

}

566

724

fprintf(stderr, "Unknown error while reading data from"

567

725

" encrypted session with Mandos server\n");

568

726

retval = -1;

569

gnutls_bye (session, GNUTLS_SHUT_RDWR);

727

gnutls_bye(session, GNUTLS_SHUT_RDWR);

570

728

goto mandos_end;

571

729

}

572

730

} else {

573

buffer_length += (size_t) ret;

731

buffer_length += (size_t) sret;

574

732

}

575

733

}

576

734

578

736

fprintf(stderr, "Closing TLS session\n");

579

737

}

580

738

581

gnutls_bye (session, GNUTLS_SHUT_RDWR);

739

gnutls_bye(session, GNUTLS_SHUT_RDWR);

582

740

583

if (buffer_length > 0){

741

if(buffer_length > 0){

584

742

decrypted_buffer_size = pgp_packet_decrypt(buffer,

585

743

buffer_length,

586

&decrypted_buffer,

587

keydir);

588

if (decrypted_buffer_size >= 0){

744

&decrypted_buffer);

745

if(decrypted_buffer_size >= 0){

589

746

written = 0;

590

747

while(written < (size_t) decrypted_buffer_size){

591

ret = (int)fwrite (decrypted_buffer + written, 1,

592

(size_t)decrypted_buffer_size - written,

593

stdout);

748

ret = (int)fwrite(decrypted_buffer + written, 1,

749

(size_t)decrypted_buffer_size - written,

750

stdout);

594

751

if(ret == 0 and ferror(stdout)){

595

752

if(debug){

596

753

fprintf(stderr, "Error writing encrypted data: %s\n",

605

762

} else {

606

763

retval = -1;

607

764

}

765

} else {

766

retval = -1;

608

767

}

609

768

610

769

/* Shutdown procedure */

611

770

612

771

mandos_end:

613

772

free(buffer);

614

close(tcp_sd);

615

gnutls_deinit (session);

773

ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));

774

if(ret == -1){

775

perror("close");

776

}

777

gnutls_deinit(session);

616

778

return retval;

617

779

}

618

780

619

781

static void resolve_callback(AvahiSServiceResolver *r,

620

782

AvahiIfIndex interface,

621

AVAHI_GCC_UNUSED AvahiProtocol protocol,

783

AvahiProtocol proto,

622

784

AvahiResolverEvent event,

623

785

const char *name,

624

786

const char *type,

629

791

AVAHI_GCC_UNUSED AvahiStringList *txt,

630

792

AVAHI_GCC_UNUSED AvahiLookupResultFlags

631

793

flags,

632

void* userdata) {

633

mandos_context *mc = userdata;

634

assert(r); /* Spurious warning */

794

AVAHI_GCC_UNUSED void* userdata){

795

assert(r);

635

796

636

797

/* Called whenever a service has been resolved successfully or

637

798

timed out */

638

799

639

switch (event) {

800

switch(event){

640

801

default:

641

802

case AVAHI_RESOLVER_FAILURE:

642

803

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

643

804

" of type '%s' in domain '%s': %s\n", name, type, domain,

644

avahi_strerror(avahi_server_errno(mc->server)));

805

avahi_strerror(avahi_server_errno(mc.server)));

645

806

break;

646

807

647

808

case AVAHI_RESOLVER_FOUND:

649

810

char ip[AVAHI_ADDRESS_STR_MAX];

650

811

avahi_address_snprint(ip, sizeof(ip), address);

651

812

if(debug){

652

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %d) on"

653

" port %d\n", name, host_name, ip, interface, port);

813

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

814

PRIdMAX ") on port %" PRIu16 "\n", name, host_name,

815

ip, (intmax_t)interface, port);

654

816

}

655

int ret = start_mandos_communication(ip, port, interface, mc);

656

if (ret == 0){

657

exit(EXIT_SUCCESS);

817

int ret = start_mandos_communication(ip, port, interface,

818

avahi_proto_to_af(proto));

819

if(ret == 0){

820

avahi_simple_poll_quit(mc.simple_poll);

658

821

}

659

822

}

660

823

}

661

824

avahi_s_service_resolver_free(r);

662

825

}

663

826

664

static void browse_callback( AvahiSServiceBrowser *b,

665

AvahiIfIndex interface,

666

AvahiProtocol protocol,

667

AvahiBrowserEvent event,

668

const char *name,

669

const char *type,

670

const char *domain,

671

AVAHI_GCC_UNUSED AvahiLookupResultFlags

672

flags,

673

void* userdata) {

674

mandos_context *mc = userdata;

675

assert(b); /* Spurious warning */

827

static void browse_callback(AvahiSServiceBrowser *b,

828

AvahiIfIndex interface,

829

AvahiProtocol protocol,

830

AvahiBrowserEvent event,

831

const char *name,

832

const char *type,

833

const char *domain,

834

AVAHI_GCC_UNUSED AvahiLookupResultFlags

835

flags,

836

AVAHI_GCC_UNUSED void* userdata){

837

assert(b);

676

838

677

839

/* Called whenever a new services becomes available on the LAN or

678

840

is removed from the LAN */

679

841

680

switch (event) {

842

switch(event){

681

843

default:

682

844

case AVAHI_BROWSER_FAILURE:

683

845

684

846

fprintf(stderr, "(Avahi browser) %s\n",

685

avahi_strerror(avahi_server_errno(mc->server)));

686

avahi_simple_poll_quit(mc->simple_poll);

847

avahi_strerror(avahi_server_errno(mc.server)));

848

avahi_simple_poll_quit(mc.simple_poll);

687

849

return;

688

850

689

851

case AVAHI_BROWSER_NEW:

692

854

the callback function is called the Avahi server will free the

693

855

resolver for us. */

694

856

695

if (!(avahi_s_service_resolver_new(mc->server, interface,

696

protocol, name, type, domain,

697

AVAHI_PROTO_INET6, 0,

698

resolve_callback, mc)))

857

if(avahi_s_service_resolver_new(mc.server, interface, protocol,

858

name, type, domain, protocol, 0,

859

resolve_callback, NULL) == NULL)

699

860

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

700

name, avahi_strerror(avahi_server_errno(mc->server)));

861

name, avahi_strerror(avahi_server_errno(mc.server)));

701

862

break;

702

863

703

864

case AVAHI_BROWSER_REMOVE:

712

873

}

713

874

}

714

875

715

/* Combines file name and path and returns the malloced new

716

string. some sane checks could/should be added */

717

static const char *combinepath(const char *first, const char *second){

718

size_t f_len = strlen(first);

719

size_t s_len = strlen(second);

720

char *tmp = malloc(f_len + s_len + 2);

721

if (tmp == NULL){

722

return NULL;

723

}

724

if(f_len > 0){

725

memcpy(tmp, first, f_len); /* Spurious warning */

726

}

727

tmp[f_len] = '/';

728

if(s_len > 0){

729

memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */

730

}

731

tmp[f_len + 1 + s_len] = '\0';

732

return tmp;

876

sig_atomic_t quit_now = 0;

877

878

/* stop main loop after sigterm has been called */

879

static void handle_sigterm(__attribute__((unused)) int sig){

880

if(quit_now){

881

return;

882

}

883

quit_now = 1;

884

int old_errno = errno;

885

if(mc.simple_poll != NULL){

886

avahi_simple_poll_quit(mc.simple_poll);

887

}

888

errno = old_errno;

733

889

}

734

890

735

736

891

int main(int argc, char *argv[]){

737

AvahiSServiceBrowser *sb = NULL;

738

int error;

739

int ret;

740

int exitcode = EXIT_SUCCESS;

741

const char *interface = "eth0";

742

struct ifreq network;

743

int sd;

744

uid_t uid;

745

gid_t gid;

746

char *connect_to = NULL;

747

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

748

const char *pubkeyfile = "pubkey.txt";

749

const char *seckeyfile = "seckey.txt";

750

mandos_context mc = { .simple_poll = NULL, .server = NULL,

751

.dh_bits = 1024, .priority = "SECURE256"};

752

bool gnutls_initalized = false;

753

754

{

755

struct argp_option options[] = {

756

{ .name = "debug", .key = 128,

757

.doc = "Debug mode", .group = 3 },

758

{ .name = "connect", .key = 'c',

759

.arg = "IP",

760

.doc = "Connect directly to a sepcified mandos server",

761

.group = 1 },

762

{ .name = "interface", .key = 'i',

763

.arg = "INTERFACE",

764

.doc = "Interface that Avahi will conntect through",

765

.group = 1 },

766

{ .name = "keydir", .key = 'd',

767

.arg = "KEYDIR",

768

.doc = "Directory where the openpgp keyring is",

769

.group = 1 },

770

{ .name = "seckey", .key = 's',

771

.arg = "SECKEY",

772

.doc = "Secret openpgp key for gnutls authentication",

773

.group = 1 },

774

{ .name = "pubkey", .key = 'p',

775

.arg = "PUBKEY",

776

.doc = "Public openpgp key for gnutls authentication",

777

.group = 2 },

778

{ .name = "dh-bits", .key = 129,

779

.arg = "BITS",

780

.doc = "dh-bits to use in gnutls communication",

781

.group = 2 },

782

{ .name = "priority", .key = 130,

783

.arg = "PRIORITY",

784

.doc = "GNUTLS priority", .group = 1 },

785

{ .name = NULL }

786

};

787

788

789

error_t parse_opt (int key, char *arg,

790

struct argp_state *state) {

791

/* Get the INPUT argument from `argp_parse', which we know is

792

a pointer to our plugin list pointer. */

793

switch (key) {

794

case 128:

795

debug = true;

796

break;

797

case 'c':

798

connect_to = arg;

799

break;

800

case 'i':

801

interface = arg;

802

break;

803

case 'd':

804

keydir = arg;

805

break;

806

case 's':

807

seckeyfile = arg;

808

break;

809

case 'p':

810

pubkeyfile = arg;

811

break;

812

case 129:

813

errno = 0;

814

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

815

if (errno){

816

perror("strtol");

817

exit(EXIT_FAILURE);

892

AvahiSServiceBrowser *sb = NULL;

893

int error;

894

int ret;

895

intmax_t tmpmax;

896

char *tmp;

897

int exitcode = EXIT_SUCCESS;

898

const char *interface = "eth0";

899

struct ifreq network;

900

int sd;

901

uid_t uid;

902

gid_t gid;

903

char *connect_to = NULL;

904

char tempdir[] = "/tmp/mandosXXXXXX";

905

bool tempdir_created = false;

906

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

907

const char *seckey = PATHDIR "/" SECKEY;

908

const char *pubkey = PATHDIR "/" PUBKEY;

909

910

bool gnutls_initialized = false;

911

bool gpgme_initialized = false;

912

float delay = 2.5f;

913

914

struct sigaction old_sigterm_action;

915

struct sigaction sigterm_action = { .sa_handler = handle_sigterm };

916

917

{

918

struct argp_option options[] = {

919

{ .name = "debug", .key = 128,

920

.doc = "Debug mode", .group = 3 },

921

{ .name = "connect", .key = 'c',

922

.arg = "ADDRESS:PORT",

923

.doc = "Connect directly to a specific Mandos server",

924

.group = 1 },

925

{ .name = "interface", .key = 'i',

926

.arg = "NAME",

927

.doc = "Network interface that will be used to search for"

928

" Mandos servers",

929

.group = 1 },

930

{ .name = "seckey", .key = 's',

931

.arg = "FILE",

932

.doc = "OpenPGP secret key file base name",

933

.group = 1 },

934

{ .name = "pubkey", .key = 'p',

935

.arg = "FILE",

936

.doc = "OpenPGP public key file base name",

937

.group = 2 },

938

{ .name = "dh-bits", .key = 129,

939

.arg = "BITS",

940

.doc = "Bit length of the prime number used in the"

941

" Diffie-Hellman key exchange",

942

.group = 2 },

943

{ .name = "priority", .key = 130,

944

.arg = "STRING",

945

.doc = "GnuTLS priority string for the TLS handshake",

946

.group = 1 },

947

{ .name = "delay", .key = 131,

948

.arg = "SECONDS",

949

.doc = "Maximum delay to wait for interface startup",

950

.group = 2 },

951

{ .name = NULL }

952

};

953

954

error_t parse_opt(int key, char *arg,

955

struct argp_state *state){

956

switch(key){

957

case 128: /* --debug */

958

debug = true;

959

break;

960

case 'c': /* --connect */

961

connect_to = arg;

962

break;

963

case 'i': /* --interface */

964

interface = arg;

965

break;

966

case 's': /* --seckey */

967

seckey = arg;

968

break;

969

case 'p': /* --pubkey */

970

pubkey = arg;

971

break;

972

case 129: /* --dh-bits */

973

errno = 0;

974

tmpmax = strtoimax(arg, &tmp, 10);

975

if(errno != 0 or tmp == arg or *tmp != '\0'

976

or tmpmax != (typeof(mc.dh_bits))tmpmax){

977

fprintf(stderr, "Bad number of DH bits\n");

978

exit(EXIT_FAILURE);

979

}

980

mc.dh_bits = (typeof(mc.dh_bits))tmpmax;

981

break;

982

case 130: /* --priority */

983

mc.priority = arg;

984

break;

985

case 131: /* --delay */

986

errno = 0;

987

delay = strtof(arg, &tmp);

988

if(errno != 0 or tmp == arg or *tmp != '\0'){

989

fprintf(stderr, "Bad delay\n");

990

exit(EXIT_FAILURE);

991

}

992

break;

993

case ARGP_KEY_ARG:

994

argp_usage(state);

995

case ARGP_KEY_END:

996

break;

997

default:

998

return ARGP_ERR_UNKNOWN;

999

}

1000

return 0;

1001

}

1002

1003

struct argp argp = { .options = options, .parser = parse_opt,

1004

.args_doc = "",

1005

.doc = "Mandos client -- Get and decrypt"

1006

" passwords from a Mandos server" };

1007

ret = argp_parse(&argp, argc, argv, 0, 0, NULL);

1008

if(ret == ARGP_ERR_UNKNOWN){

1009

fprintf(stderr, "Unknown error while parsing arguments\n");

1010

exitcode = EXIT_FAILURE;

1011

goto end;

1012

}

1013

}

1014

1015

if(not debug){

1016

avahi_set_log_function(empty_log);

1017

}

1018

1019

/* Initialize Avahi early so avahi_simple_poll_quit() can be called

1020

from the signal handler */

1021

/* Initialize the pseudo-RNG for Avahi */

1022

srand((unsigned int) time(NULL));

1023

mc.simple_poll = avahi_simple_poll_new();

1024

if(mc.simple_poll == NULL){

1025

fprintf(stderr, "Avahi: Failed to create simple poll object.\n");

1026

exitcode = EXIT_FAILURE;

1027

goto end;

1028

}

1029

1030

sigemptyset(&sigterm_action.sa_mask);

1031

ret = sigaddset(&sigterm_action.sa_mask, SIGINT);

1032

if(ret == -1){

1033

perror("sigaddset");

1034

exitcode = EXIT_FAILURE;

1035

goto end;

1036

}

1037

ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);

1038

if(ret == -1){

1039

perror("sigaddset");

1040

exitcode = EXIT_FAILURE;

1041

goto end;

1042

}

1043

ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);

1044

if(ret == -1){

1045

perror("sigaddset");

1046

exitcode = EXIT_FAILURE;

1047

goto end;

1048

}

1049

ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);

1050

if(ret == -1){

1051

perror("sigaction");

1052

exitcode = EXIT_FAILURE;

1053

goto end;

1054

}

1055

1056

/* If the interface is down, bring it up */

1057

if(interface[0] != '\0'){

1058

#ifdef __linux__

1059

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1060

messages to mess up the prompt */

1061

ret = klogctl(8, NULL, 5);

1062

bool restore_loglevel = true;

1063

if(ret == -1){

1064

restore_loglevel = false;

1065

perror("klogctl");

1066

}

1067

#endif /* __linux__ */

1068

1069

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1070

if(sd < 0){

1071

perror("socket");

1072

exitcode = EXIT_FAILURE;

1073

#ifdef __linux__

1074

if(restore_loglevel){

1075

ret = klogctl(7, NULL, 0);

1076

if(ret == -1){

1077

perror("klogctl");

1078

}

1079

}

1080

#endif /* __linux__ */

1081

goto end;

1082

}

1083

strcpy(network.ifr_name, interface);

1084

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1085

if(ret == -1){

1086

perror("ioctl SIOCGIFFLAGS");

1087

#ifdef __linux__

1088

if(restore_loglevel){

1089

ret = klogctl(7, NULL, 0);

1090

if(ret == -1){

1091

perror("klogctl");

1092

}

1093

}

1094

#endif /* __linux__ */

1095

exitcode = EXIT_FAILURE;

1096

goto end;

1097

}

1098

if((network.ifr_flags & IFF_UP) == 0){

1099

network.ifr_flags |= IFF_UP;

1100

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1101

if(ret == -1){

1102

perror("ioctl SIOCSIFFLAGS");

1103

exitcode = EXIT_FAILURE;

1104

#ifdef __linux__

1105

if(restore_loglevel){

1106

ret = klogctl(7, NULL, 0);

1107

if(ret == -1){

1108

perror("klogctl");

818

1109

}

819

break;

820

case 130:

821

mc.priority = arg;

822

break;

823

case ARGP_KEY_ARG:

824

argp_usage (state);

825

break;

826

case ARGP_KEY_END:

827

break;

828

default:

829

return ARGP_ERR_UNKNOWN;

830

1110

}

831

return 0;

832

}

833

834

struct argp argp = { .options = options, .parser = parse_opt,

835

.args_doc = "",

836

.doc = "Mandos client -- Get and decrypt"

837

" passwords from mandos server" };

838

argp_parse (&argp, argc, argv, 0, 0, NULL);

839

}

840

841

pubkeyfile = combinepath(keydir, pubkeyfile);

842

if (pubkeyfile == NULL){

843

perror("combinepath");

844

exitcode = EXIT_FAILURE;

845

goto end;

846

}

847

848

seckeyfile = combinepath(keydir, seckeyfile);

849

if (seckeyfile == NULL){

850

perror("combinepath");

851

goto end;

852

}

853

854

ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);

855

if (ret == -1){

856

fprintf(stderr, "init_gnutls_global\n");

857

goto end;

858

} else {

859

gnutls_initalized = true;

860

}

861

862

uid = getuid();

863

gid = getgid();

864

865

ret = setuid(uid);

866

if (ret == -1){

867

perror("setuid");

868

}

869

870

setgid(gid);

871

if (ret == -1){

872

perror("setgid");

873

}

874

1111

#endif /* __linux__ */

1112

goto end;

1113

}

1114

}

1115

/* sleep checking until interface is running */

1116

for(int i=0; i < delay * 4; i++){

1117

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1118

if(ret == -1){

1119

perror("ioctl SIOCGIFFLAGS");

1120

} else if(network.ifr_flags & IFF_RUNNING){

1121

break;

1122

}

1123

struct timespec sleeptime = { .tv_nsec = 250000000 };

1124

ret = nanosleep(&sleeptime, NULL);

1125

if(ret == -1 and errno != EINTR){

1126

perror("nanosleep");

1127

}

1128

}

1129

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1130

if(ret == -1){

1131

perror("close");

1132

}

1133

#ifdef __linux__

1134

if(restore_loglevel){

1135

/* Restores kernel loglevel to default */

1136

ret = klogctl(7, NULL, 0);

1137

if(ret == -1){

1138

perror("klogctl");

1139

}

1140

}

1141

#endif /* __linux__ */

1142

}

1143

1144

uid = getuid();

1145

gid = getgid();

1146

1147

errno = 0;

1148

setgid(gid);

1149

if(ret == -1){

1150

perror("setgid");

1151

}

1152

1153

ret = setuid(uid);

1154

if(ret == -1){

1155

perror("setuid");

1156

}

1157

1158

ret = init_gnutls_global(pubkey, seckey);

1159

if(ret == -1){

1160

fprintf(stderr, "init_gnutls_global failed\n");

1161

exitcode = EXIT_FAILURE;

1162

goto end;

1163

} else {

1164

gnutls_initialized = true;

1165

}

1166

1167

if(mkdtemp(tempdir) == NULL){

1168

perror("mkdtemp");

1169

goto end;

1170

}

1171

tempdir_created = true;

1172

1173

if(not init_gpgme(pubkey, seckey, tempdir)){

1174

fprintf(stderr, "init_gpgme failed\n");

1175

exitcode = EXIT_FAILURE;

1176

goto end;

1177

} else {

1178

gpgme_initialized = true;

1179

}

1180

1181

if(interface[0] != '\0'){

875

1182

if_index = (AvahiIfIndex) if_nametoindex(interface);

876

1183

if(if_index == 0){

877

1184

fprintf(stderr, "No such interface: \"%s\"\n", interface);

878

exit(EXIT_FAILURE);

879

}

880

881

if(connect_to != NULL){

882

/* Connect directly, do not use Zeroconf */

883

/* (Mainly meant for debugging) */

884

char *address = strrchr(connect_to, ':');

885

if(address == NULL){

886

fprintf(stderr, "No colon in address\n");

887

exitcode = EXIT_FAILURE;

888

goto end;

889

}

890

errno = 0;

891

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

892

if(errno){

893

perror("Bad port number");

894

exitcode = EXIT_FAILURE;

895

goto end;

896

}

897

*address = '\0';

898

address = connect_to;

899

ret = start_mandos_communication(address, port, if_index, &mc);

900

if(ret < 0){

901

exitcode = EXIT_FAILURE;

902

} else {

903

exitcode = EXIT_SUCCESS;

904

}

905

goto end;

906

}

907

908

/* If the interface is down, bring it up */

909

{

910

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

911

if(sd < 0) {

912

perror("socket");

913

exitcode = EXIT_FAILURE;

914

goto end;

915

}

916

strcpy(network.ifr_name, interface); /* Spurious warning */

917

ret = ioctl(sd, SIOCGIFFLAGS, &network);

918

if(ret == -1){

919

perror("ioctl SIOCGIFFLAGS");

920

exitcode = EXIT_FAILURE;

921

goto end;

922

}

923

if((network.ifr_flags & IFF_UP) == 0){

924

network.ifr_flags |= IFF_UP;

925

ret = ioctl(sd, SIOCSIFFLAGS, &network);

926

if(ret == -1){

927

perror("ioctl SIOCSIFFLAGS");

928

exitcode = EXIT_FAILURE;

929

goto end;

930

}

931

}

932

close(sd);

933

}

934

935

if (not debug){

936

avahi_set_log_function(empty_log);

937

}

938

939

/* Initialize the pseudo-RNG for Avahi */

940

srand((unsigned int) time(NULL));

941

942

/* Allocate main Avahi loop object */

943

mc.simple_poll = avahi_simple_poll_new();

944

if (mc.simple_poll == NULL) {

945

fprintf(stderr, "Avahi: Failed to create simple poll"

946

" object.\n");

947

exitcode = EXIT_FAILURE;

948

goto end;

949

}

950

951

{

952

AvahiServerConfig config;

953

/* Do not publish any local Zeroconf records */

954

avahi_server_config_init(&config);

955

config.publish_hinfo = 0;

956

config.publish_addresses = 0;

957

config.publish_workstation = 0;

958

config.publish_domain = 0;

959

960

/* Allocate a new server */

961

mc.server = avahi_server_new(avahi_simple_poll_get

962

(mc.simple_poll), &config, NULL,

963

NULL, &error);

964

965

/* Free the Avahi configuration data */

966

avahi_server_config_free(&config);

967

}

968

969

/* Check if creating the Avahi server object succeeded */

970

if (mc.server == NULL) {

971

fprintf(stderr, "Failed to create Avahi server: %s\n",

972

avahi_strerror(error));

973

exitcode = EXIT_FAILURE;

974

goto end;

975

}

976

977

/* Create the Avahi service browser */

978

sb = avahi_s_service_browser_new(mc.server, if_index,

979

AVAHI_PROTO_INET6,

980

"_mandos._tcp", NULL, 0,

981

browse_callback, &mc);

982

if (sb == NULL) {

983

fprintf(stderr, "Failed to create service browser: %s\n",

984

avahi_strerror(avahi_server_errno(mc.server)));

985

exitcode = EXIT_FAILURE;

986

goto end;

987

}

988

989

/* Run the main loop */

990

991

if (debug){

992

fprintf(stderr, "Starting Avahi loop search\n");

993

}

994

995

avahi_simple_poll_loop(mc.simple_poll);

996

1185

exitcode = EXIT_FAILURE;

1186

goto end;

1187

}

1188

}

1189

1190

if(connect_to != NULL){

1191

/* Connect directly, do not use Zeroconf */

1192

/* (Mainly meant for debugging) */

1193

char *address = strrchr(connect_to, ':');

1194

if(address == NULL){

1195

fprintf(stderr, "No colon in address\n");

1196

exitcode = EXIT_FAILURE;

1197

goto end;

1198

}

1199

uint16_t port;

1200

errno = 0;

1201

tmpmax = strtoimax(address+1, &tmp, 10);

1202

if(errno != 0 or tmp == address+1 or *tmp != '\0'

1203

or tmpmax != (uint16_t)tmpmax){

1204

fprintf(stderr, "Bad port number\n");

1205

exitcode = EXIT_FAILURE;

1206

goto end;

1207

}

1208

port = (uint16_t)tmpmax;

1209

*address = '\0';

1210

address = connect_to;

1211

/* Colon in address indicates IPv6 */

1212

int af;

1213

if(strchr(address, ':') != NULL){

1214

af = AF_INET6;

1215

} else {

1216

af = AF_INET;

1217

}

1218

ret = start_mandos_communication(address, port, if_index, af);

1219

if(ret < 0){

1220

exitcode = EXIT_FAILURE;

1221

} else {

1222

exitcode = EXIT_SUCCESS;

1223

}

1224

goto end;

1225

}

1226

1227

{

1228

AvahiServerConfig config;

1229

/* Do not publish any local Zeroconf records */

1230

avahi_server_config_init(&config);

1231

config.publish_hinfo = 0;

1232

config.publish_addresses = 0;

1233

config.publish_workstation = 0;

1234

config.publish_domain = 0;

1235

1236

/* Allocate a new server */

1237

mc.server = avahi_server_new(avahi_simple_poll_get

1238

(mc.simple_poll), &config, NULL,

1239

NULL, &error);

1240

1241

/* Free the Avahi configuration data */

1242

avahi_server_config_free(&config);

1243

}

1244

1245

/* Check if creating the Avahi server object succeeded */

1246

if(mc.server == NULL){

1247

fprintf(stderr, "Failed to create Avahi server: %s\n",

1248

avahi_strerror(error));

1249

exitcode = EXIT_FAILURE;

1250

goto end;

1251

}

1252

1253

/* Create the Avahi service browser */

1254

sb = avahi_s_service_browser_new(mc.server, if_index,

1255

AVAHI_PROTO_UNSPEC, "_mandos._tcp",

1256

NULL, 0, browse_callback, NULL);

1257

if(sb == NULL){

1258

fprintf(stderr, "Failed to create service browser: %s\n",

1259

avahi_strerror(avahi_server_errno(mc.server)));

1260

exitcode = EXIT_FAILURE;

1261

goto end;

1262

}

1263

1264

/* Run the main loop */

1265

1266

if(debug){

1267

fprintf(stderr, "Starting Avahi loop search\n");

1268

}

1269

1270

avahi_simple_poll_loop(mc.simple_poll);

1271

997

1272

end:

998

999

if (debug){

1000

fprintf(stderr, "%s exiting\n", argv[0]);

1001

}

1002

1003

/* Cleanup things */

1004

if (sb != NULL)

1005

avahi_s_service_browser_free(sb);

1006

1007

if (mc.server != NULL)

1008

avahi_server_free(mc.server);

1009

1010

if (mc.simple_poll != NULL)

1011

avahi_simple_poll_free(mc.simple_poll);

1012

free(pubkeyfile);

1013

free(seckeyfile);

1014

1015

if (gnutls_initalized){

1016

gnutls_certificate_free_credentials (mc.cred);

1017

gnutls_global_deinit ();

1018

}

1019

1020

return exitcode;

1273

1274

if(debug){

1275

fprintf(stderr, "%s exiting\n", argv[0]);

1276

}

1277

1278

/* Cleanup things */

1279

if(sb != NULL)

1280

avahi_s_service_browser_free(sb);

1281

1282

if(mc.server != NULL)

1283

avahi_server_free(mc.server);

1284

1285

if(mc.simple_poll != NULL)

1286

avahi_simple_poll_free(mc.simple_poll);

1287

1288

if(gnutls_initialized){

1289

gnutls_certificate_free_credentials(mc.cred);

1290

gnutls_global_deinit();

1291

gnutls_dh_params_deinit(mc.dh_params);

1292

}

1293

1294

if(gpgme_initialized){

1295

gpgme_release(mc.ctx);

1296

}

1297

1298

/* Removes the temp directory used by GPGME */

1299

if(tempdir_created){

1300

DIR *d;

1301

struct dirent *direntry;

1302

d = opendir(tempdir);

1303

if(d == NULL){

1304

if(errno != ENOENT){

1305

perror("opendir");

1306

}

1307

} else {

1308

while(true){

1309

direntry = readdir(d);

1310

if(direntry == NULL){

1311

break;

1312

}

1313

/* Skip "." and ".." */

1314

if(direntry->d_name[0] == '.'

1315

and (direntry->d_name[1] == '\0'

1316

or (direntry->d_name[1] == '.'

1317

and direntry->d_name[2] == '\0'))){

1318

continue;

1319

}

1320

char *fullname = NULL;

1321

ret = asprintf(&fullname, "%s/%s", tempdir,

1322

direntry->d_name);

1323

if(ret < 0){

1324

perror("asprintf");

1325

continue;

1326

}

1327

ret = remove(fullname);

1328

if(ret == -1){

1329

fprintf(stderr, "remove(\"%s\"): %s\n", fullname,

1330

strerror(errno));

1331

}

1332

free(fullname);

1333

}

1334

closedir(d);

1335

}

1336

ret = rmdir(tempdir);

1337

if(ret == -1 and errno != ENOENT){

1338

perror("rmdir");

1339

}

1340

}

1341

1342

return exitcode;

1021

1343

}

Older »