To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 238
- compare with another revision
- download diff
- download tarball
- view history from revision 238
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- network-protocol.txt
- files renamed:
- mandos-client.c => plugin-runner.c
- mandos-client.xml => plugin-runner.xml
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008 Teddy Hogeborn
13
* Copyright © 2008 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
39
40
#include <stdint.h> /* uint16_t, uint32_t */
40
41
#include <stddef.h> /* NULL, size_t, ssize_t */
41
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
43
srand() */
43
44
#include <stdbool.h> /* bool, true */
44
45
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
strerror(), asprintf(), strcpy() */
46
47
#include <sys/ioctl.h> /* ioctl */
47
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
48
49
sockaddr_in6, PF_INET6,
49
50
SOCK_STREAM, INET6_ADDRSTRLEN,
50
uid_t, gid_t */
51
#include <inttypes.h> /* PRIu16 */
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
52
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
53
54
struct in6_addr, inet_pton(),
54
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
55
59
#include <assert.h> /* assert() */
56
60
#include <errno.h> /* perror(), errno */
57
61
#include <time.h> /* time() */
58
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
59
63
SIOCSIFFLAGS, if_indextoname(),
60
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
61
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
62
67
getuid(), getgid(), setuid(),
63
68
setgid() */
64
#include <netinet/in.h>
65
69
#include <arpa/inet.h> /* inet_pton(), htons */
66
70
#include <iso646.h> /* not, and */
67
71
#include <argp.h> /* struct argp_option, error_t, struct
81
85
#include <avahi-common/error.h>
82
86
83
87
/* GnuTLS */
84
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
85
90
gnutls_*
86
91
init_gnutls_session(),
87
92
GNUTLS_* */
89
94
GNUTLS_OPENPGP_FMT_BASE64 */
90
95
91
96
/* GPGME */
92
#include <gpgme.h> /* All GPGME types, constants and functions
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
93
99
gpgme_*
94
100
GPGME_PROTOCOL_OpenPGP,
95
101
GPG_ERR_NO_* */
96
102
97
103
#define BUFFER_SIZE 256
98
104
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
108
99
109
bool debug = false;
100
static const char *keydir = "/conf/conf.d/mandos";
101
110
static const char mandos_protocol_version[] = "1";
102
const char *argp_program_version = "password-request 1.0";
111
const char *argp_program_version = "mandos-client " VERSION;
103
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
104
113
105
114
/* Used for passing in values through the Avahi callback functions */
110
119
unsigned int dh_bits;
111
120
gnutls_dh_params_t dh_params;
112
121
const char *priority;
122
gpgme_ctx_t ctx;
113
123
} mandos_context;
114
124
115
125
/*
130
140
}
131
141
132
142
/*
133
* Decrypt OpenPGP data using keyrings in HOMEDIR.
134
* Returns -1 on error
143
* Initialize GPGME.
135
144
*/
136
static ssize_t pgp_packet_decrypt (const char *cryptotext,
137
size_t crypto_size,
138
char **plaintext,
139
const char *homedir){
140
gpgme_data_t dh_crypto, dh_plain;
141
gpgme_ctx_t ctx;
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
142
148
gpgme_error_t rc;
143
ssize_t ret;
144
size_t plaintext_capacity = 0;
145
ssize_t plaintext_length = 0;
146
149
gpgme_engine_info_t engine_info;
147
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
148
187
if (debug){
149
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
188
fprintf(stderr, "Initialize gpgme\n");
150
189
}
151
190
152
191
/* Init GPGME */
155
194
if (rc != GPG_ERR_NO_ERROR){
156
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
157
196
gpgme_strsource(rc), gpgme_strerror(rc));
158
return -1;
197
return false;
159
198
}
160
199
161
/* Set GPGME home directory for the OpenPGP engine only */
200
/* Set GPGME home directory for the OpenPGP engine only */
162
201
rc = gpgme_get_engine_info (&engine_info);
163
202
if (rc != GPG_ERR_NO_ERROR){
164
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
165
204
gpgme_strsource(rc), gpgme_strerror(rc));
166
return -1;
205
return false;
167
206
}
168
207
while(engine_info != NULL){
169
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
170
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
171
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
172
211
break;
173
212
}
174
213
engine_info = engine_info->next;
175
214
}
176
215
if(engine_info == NULL){
177
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
178
return -1;
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
179
251
}
180
252
181
253
/* Create new GPGME data buffer from memory cryptotext */
196
268
return -1;
197
269
}
198
270
199
/* Create new GPGME "context" */
200
rc = gpgme_new(&ctx);
201
if (rc != GPG_ERR_NO_ERROR){
202
fprintf(stderr, "bad gpgme_new: %s: %s\n",
203
gpgme_strsource(rc), gpgme_strerror(rc));
204
plaintext_length = -1;
205
goto decrypt_end;
206
}
207
208
271
/* Decrypt data from the cryptotext data buffer to the plaintext
209
272
data buffer */
210
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
211
274
if (rc != GPG_ERR_NO_ERROR){
212
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
213
276
gpgme_strsource(rc), gpgme_strerror(rc));
214
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
215
306
goto decrypt_end;
216
307
}
217
308
219
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
220
311
}
221
312
222
if (debug){
223
gpgme_decrypt_result_t result;
224
result = gpgme_op_decrypt_result(ctx);
225
if (result == NULL){
226
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
227
} else {
228
fprintf(stderr, "Unsupported algorithm: %s\n",
229
result->unsupported_algorithm);
230
fprintf(stderr, "Wrong key usage: %u\n",
231
result->wrong_key_usage);
232
if(result->file_name != NULL){
233
fprintf(stderr, "File name: %s\n", result->file_name);
234
}
235
gpgme_recipient_t recipient;
236
recipient = result->recipients;
237
if(recipient){
238
while(recipient != NULL){
239
fprintf(stderr, "Public key algorithm: %s\n",
240
gpgme_pubkey_algo_name(recipient->pubkey_algo));
241
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
242
fprintf(stderr, "Secret key available: %s\n",
243
recipient->status == GPG_ERR_NO_SECKEY
244
? "No" : "Yes");
245
recipient = recipient->next;
246
}
247
}
248
}
249
}
250
251
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
252
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
253
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
254
316
plaintext_length = -1;
255
317
goto decrypt_end;
256
318
}
280
342
}
281
343
plaintext_length += ret;
282
344
}
283
345
284
346
if(debug){
285
347
fprintf(stderr, "Decrypted password is: ");
286
348
for(ssize_t i = 0; i < plaintext_length; i++){
300
362
}
301
363
302
364
static const char * safer_gnutls_strerror (int value) {
303
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
304
366
if (ret == NULL)
305
367
ret = "(unknown)";
306
368
return ret;
313
375
}
314
376
315
377
static int init_gnutls_global(mandos_context *mc,
316
const char *pubkeyfile,
317
const char *seckeyfile){
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
318
380
int ret;
319
381
320
382
if(debug){
339
401
/* OpenPGP credentials */
340
402
gnutls_certificate_allocate_credentials(&mc->cred);
341
403
if (ret != GNUTLS_E_SUCCESS){
342
fprintf (stderr, "GnuTLS memory error: %s\n",
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
343
406
safer_gnutls_strerror(ret));
344
407
gnutls_global_deinit ();
345
408
return -1;
346
409
}
347
410
348
411
if(debug){
349
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
350
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
351
seckeyfile);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
352
415
}
353
416
354
417
ret = gnutls_certificate_set_openpgp_key_file
355
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
356
420
if (ret != GNUTLS_E_SUCCESS) {
357
421
fprintf(stderr,
358
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
359
" '%s')\n", ret, pubkeyfile, seckeyfile);
360
fprintf(stdout, "The GnuTLS error is: %s\n",
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
361
425
safer_gnutls_strerror(ret));
362
426
goto globalfail;
363
427
}
377
441
}
378
442
379
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
380
444
381
445
return 0;
382
446
383
447
globalfail:
384
448
385
449
gnutls_certificate_free_credentials(mc->cred);
386
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
387
452
return -1;
388
389
453
}
390
454
391
455
static int init_gnutls_session(mandos_context *mc,
463
527
perror("socket");
464
528
return -1;
465
529
}
466
530
467
531
if(debug){
468
532
if(if_indextoname((unsigned int)if_index, interface) == NULL){
469
533
perror("if_indextoname");
472
536
fprintf(stderr, "Binding to interface %s\n", interface);
473
537
}
474
538
475
memset(&to,0,sizeof(to)); /* Spurious warning */
539
memset(&to, 0, sizeof(to));
476
540
to.in6.sin6_family = AF_INET6;
477
541
/* It would be nice to have a way to detect if we were passed an
478
542
IPv4 address here. Now we assume an IPv6 address. */
508
572
perror("connect");
509
573
return -1;
510
574
}
511
575
512
576
const char *out = mandos_protocol_version;
513
577
written = 0;
514
578
while (true){
532
596
}
533
597
}
534
598
}
535
599
536
600
if(debug){
537
601
fprintf(stderr, "Establishing TLS session with %s\n", ip);
538
602
}
539
603
540
604
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
541
605
542
606
do{
543
607
ret = gnutls_handshake (session);
544
608
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
558
622
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
559
623
ip);
560
624
}
561
625
562
626
while(true){
563
627
buffer_capacity = adjustbuffer(&buffer, buffer_length,
564
628
buffer_capacity);
608
672
gnutls_bye (session, GNUTLS_SHUT_RDWR);
609
673
610
674
if (buffer_length > 0){
611
decrypted_buffer_size = pgp_packet_decrypt(buffer,
675
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
612
676
buffer_length,
613
&decrypted_buffer,
614
keydir);
677
&decrypted_buffer);
615
678
if (decrypted_buffer_size >= 0){
616
679
written = 0;
617
680
while(written < (size_t) decrypted_buffer_size){
632
695
} else {
633
696
retval = -1;
634
697
}
698
} else {
699
retval = -1;
635
700
}
636
701
637
702
/* Shutdown procedure */
638
703
639
704
mandos_end:
640
705
free(buffer);
641
close(tcp_sd);
706
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
707
if(ret == -1){
708
perror("close");
709
}
642
710
gnutls_deinit (session);
643
711
return retval;
644
712
}
658
726
flags,
659
727
void* userdata) {
660
728
mandos_context *mc = userdata;
661
assert(r); /* Spurious warning */
729
assert(r);
662
730
663
731
/* Called whenever a service has been resolved successfully or
664
732
timed out */
700
768
flags,
701
769
void* userdata) {
702
770
mandos_context *mc = userdata;
703
assert(b); /* Spurious warning */
771
assert(b);
704
772
705
773
/* Called whenever a new services becomes available on the LAN or
706
774
is removed from the LAN */
740
808
}
741
809
}
742
810
743
/* Combines file name and path and returns the malloced new
744
string. some sane checks could/should be added */
745
static const char *combinepath(const char *first, const char *second){
746
size_t f_len = strlen(first);
747
size_t s_len = strlen(second);
748
char *tmp = malloc(f_len + s_len + 2);
749
if (tmp == NULL){
750
return NULL;
751
}
752
if(f_len > 0){
753
memcpy(tmp, first, f_len); /* Spurious warning */
754
}
755
tmp[f_len] = '/';
756
if(s_len > 0){
757
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
758
}
759
tmp[f_len + 1 + s_len] = '\0';
760
return tmp;
761
}
762
763
764
811
int main(int argc, char *argv[]){
765
812
AvahiSServiceBrowser *sb = NULL;
766
813
int error;
772
819
uid_t uid;
773
820
gid_t gid;
774
821
char *connect_to = NULL;
822
char tempdir[] = "/tmp/mandosXXXXXX";
775
823
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
776
const char *pubkeyfile = "pubkey.txt";
777
const char *seckeyfile = "seckey.txt";
824
const char *seckey = PATHDIR "/" SECKEY;
825
const char *pubkey = PATHDIR "/" PUBKEY;
826
778
827
mandos_context mc = { .simple_poll = NULL, .server = NULL,
779
.dh_bits = 1024, .priority = "SECURE256"};
828
.dh_bits = 1024, .priority = "SECURE256"
829
":!CTYPE-X.509:+CTYPE-OPENPGP" };
780
830
bool gnutls_initalized = false;
831
bool gpgme_initalized = false;
781
832
782
833
{
783
834
struct argp_option options[] = {
784
835
{ .name = "debug", .key = 128,
785
836
.doc = "Debug mode", .group = 3 },
786
837
{ .name = "connect", .key = 'c',
787
.arg = "IP",
788
.doc = "Connect directly to a sepcified mandos server",
838
.arg = "ADDRESS:PORT",
839
.doc = "Connect directly to a specific Mandos server",
789
840
.group = 1 },
790
841
{ .name = "interface", .key = 'i',
791
.arg = "INTERFACE",
792
.doc = "Interface that Avahi will conntect through",
793
.group = 1 },
794
{ .name = "keydir", .key = 'd',
795
.arg = "KEYDIR",
796
.doc = "Directory where the openpgp keyring is",
842
.arg = "NAME",
843
.doc = "Interface that will be used to search for Mandos"
844
" servers",
797
845
.group = 1 },
798
846
{ .name = "seckey", .key = 's',
799
.arg = "SECKEY",
800
.doc = "Secret openpgp key for gnutls authentication",
847
.arg = "FILE",
848
.doc = "OpenPGP secret key file base name",
801
849
.group = 1 },
802
850
{ .name = "pubkey", .key = 'p',
803
.arg = "PUBKEY",
804
.doc = "Public openpgp key for gnutls authentication",
851
.arg = "FILE",
852
.doc = "OpenPGP public key file base name",
805
853
.group = 2 },
806
854
{ .name = "dh-bits", .key = 129,
807
855
.arg = "BITS",
808
.doc = "dh-bits to use in gnutls communication",
856
.doc = "Bit length of the prime number used in the"
857
" Diffie-Hellman key exchange",
809
858
.group = 2 },
810
859
{ .name = "priority", .key = 130,
811
.arg = "PRIORITY",
812
.doc = "GNUTLS priority", .group = 1 },
860
.arg = "STRING",
861
.doc = "GnuTLS priority string for the TLS handshake",
862
.group = 1 },
813
863
{ .name = NULL }
814
864
};
815
816
865
817
866
error_t parse_opt (int key, char *arg,
818
867
struct argp_state *state) {
819
868
/* Get the INPUT argument from `argp_parse', which we know is
820
869
a pointer to our plugin list pointer. */
821
870
switch (key) {
822
case 128:
871
case 128: /* --debug */
823
872
debug = true;
824
873
break;
825
case 'c':
874
case 'c': /* --connect */
826
875
connect_to = arg;
827
876
break;
828
case 'i':
877
case 'i': /* --interface */
829
878
interface = arg;
830
879
break;
831
case 'd':
832
keydir = arg;
833
break;
834
case 's':
835
seckeyfile = arg;
836
break;
837
case 'p':
838
pubkeyfile = arg;
839
break;
840
case 129:
880
case 's': /* --seckey */
881
seckey = arg;
882
break;
883
case 'p': /* --pubkey */
884
pubkey = arg;
885
break;
886
case 129: /* --dh-bits */
841
887
errno = 0;
842
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
843
889
if (errno){
845
891
exit(EXIT_FAILURE);
846
892
}
847
893
break;
848
case 130:
894
case 130: /* --priority */
849
895
mc.priority = arg;
850
896
break;
851
897
case ARGP_KEY_ARG:
857
903
}
858
904
return 0;
859
905
}
860
906
861
907
struct argp argp = { .options = options, .parser = parse_opt,
862
908
.args_doc = "",
863
909
.doc = "Mandos client -- Get and decrypt"
864
" passwords from mandos server" };
910
" passwords from a Mandos server" };
865
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
866
912
if (ret == ARGP_ERR_UNKNOWN){
867
913
fprintf(stderr, "Unknown error while parsing arguments\n");
869
915
goto end;
870
916
}
871
917
}
872
873
pubkeyfile = combinepath(keydir, pubkeyfile);
874
if (pubkeyfile == NULL){
875
perror("combinepath");
876
exitcode = EXIT_FAILURE;
877
goto end;
878
}
879
880
seckeyfile = combinepath(keydir, seckeyfile);
881
if (seckeyfile == NULL){
882
perror("combinepath");
883
exitcode = EXIT_FAILURE;
884
goto end;
885
}
886
887
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
888
if (ret == -1){
889
fprintf(stderr, "init_gnutls_global failed\n");
890
exitcode = EXIT_FAILURE;
891
goto end;
892
} else {
893
gnutls_initalized = true;
894
}
895
918
896
919
/* If the interface is down, bring it up */
897
920
{
901
924
exitcode = EXIT_FAILURE;
902
925
goto end;
903
926
}
904
strcpy(network.ifr_name, interface); /* Spurious warning */
927
strcpy(network.ifr_name, interface);
905
928
ret = ioctl(sd, SIOCGIFFLAGS, &network);
906
929
if(ret == -1){
907
930
perror("ioctl SIOCGIFFLAGS");
917
940
goto end;
918
941
}
919
942
}
920
close(sd);
943
ret = TEMP_FAILURE_RETRY(close(sd));
944
if(ret == -1){
945
perror("close");
946
}
921
947
}
922
948
923
949
uid = getuid();
933
959
perror("setgid");
934
960
}
935
961
962
ret = init_gnutls_global(&mc, pubkey, seckey);
963
if (ret == -1){
964
fprintf(stderr, "init_gnutls_global failed\n");
965
exitcode = EXIT_FAILURE;
966
goto end;
967
} else {
968
gnutls_initalized = true;
969
}
970
971
if(mkdtemp(tempdir) == NULL){
972
perror("mkdtemp");
973
tempdir[0] = '\0';
974
goto end;
975
}
976
977
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
978
fprintf(stderr, "gpgme_initalized failed\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
} else {
982
gpgme_initalized = true;
983
}
984
936
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
937
986
if(if_index == 0){
938
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
981
1030
exitcode = EXIT_FAILURE;
982
1031
goto end;
983
1032
}
984
1033
985
1034
{
986
1035
AvahiServerConfig config;
987
1036
/* Do not publish any local Zeroconf records */
990
1039
config.publish_addresses = 0;
991
1040
config.publish_workstation = 0;
992
1041
config.publish_domain = 0;
993
1042
994
1043
/* Allocate a new server */
995
1044
mc.server = avahi_server_new(avahi_simple_poll_get
996
1045
(mc.simple_poll), &config, NULL,
997
1046
NULL, &error);
998
1047
999
1048
/* Free the Avahi configuration data */
1000
1049
avahi_server_config_free(&config);
1001
1050
}
1021
1070
}
1022
1071
1023
1072
/* Run the main loop */
1024
1073
1025
1074
if (debug){
1026
1075
fprintf(stderr, "Starting Avahi loop search\n");
1027
1076
}
1029
1078
avahi_simple_poll_loop(mc.simple_poll);
1030
1079
1031
1080
end:
1032
1081
1033
1082
if (debug){
1034
1083
fprintf(stderr, "%s exiting\n", argv[0]);
1035
1084
}
1040
1089
1041
1090
if (mc.server != NULL)
1042
1091
avahi_server_free(mc.server);
1043
1092
1044
1093
if (mc.simple_poll != NULL)
1045
1094
avahi_simple_poll_free(mc.simple_poll);
1046
free(pubkeyfile);
1047
free(seckeyfile);
1048
1095
1049
1096
if (gnutls_initalized){
1050
1097
gnutls_certificate_free_credentials(mc.cred);
1051
1098
gnutls_global_deinit ();
1052
}
1053
1099
gnutls_dh_params_deinit(mc.dh_params);
1100
}
1101
1102
if(gpgme_initalized){
1103
gpgme_release(mc.ctx);
1104
}
1105
1106
/* Removes the temp directory used by GPGME */
1107
if(tempdir[0] != '\0'){
1108
DIR *d;
1109
struct dirent *direntry;
1110
d = opendir(tempdir);
1111
if(d == NULL){
1112
perror("opendir");
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1){
1139
perror("rmdir");
1140
}
1141
}
1142
1054
1143
return exitcode;
1055
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0