To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 238
- compare with another revision
- download diff
- download tarball
- view history from revision 238
- Committer: Teddy Hogeborn
- Date: 2008-12-10 01:26:02 UTC
- mfrom: (237.1.2 mandos)
- Revision ID: teddy@fukt.bsnet.se-20081210012602-vhz3h75xkj24t340
First version of a somewhat complete D-Bus server interface. Also
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
change user/group name to "_mandos".
* debian/mandos.postinst: Rename old "mandos" user and group to
"_mandos"; create "_mandos" user and group
if none exist.
* debian/mandos-client.postinst: - '' -
* initramfs-tools-hook: Try "_mandos" before "mandos" as user and
group name.
* mandos (_datetime_to_dbus_struct): New; was previously local.
(Client.started): Renamed to "last_started". All users changed.
(Client.started): New; boolean.
(Client.dbus_object_path): New.
(Client.check_command): Renamed to "checker_command". All users
changed.
(Client.__init__): Set and use "self.dbus_object_path". Set
"self.started".
(Client.start): Update "self.started". Emit "self.PropertyChanged"
signals for both "started" and "last_started".
(Client.stop): Update "self.started". Emit "self.PropertyChanged"
signal for "started".
(Client.checker_callback): Take additional "command" argument. All
callers changed. Emit
"self.PropertyChanged" signal.
(Client.bump_timeout): Emit "self.PropertyChanged" signal for
"last_checked_ok".
(Client.start_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.stop_checker): Emit "self.PropertyChanged" signal for
"checker_running".
(Client.still_valid): Bug fix: use "getattr(self, started, False)"
instead of "self.started" in case this client
object is so new that the "started" attribute
has not been created yet.
(Client.IntervalChanged, Client.CheckerIsRunning, Client.GetChecker,
Client.GetCreated, Client.GetFingerprint, Client.GetHost,
Client.GetInterval, Client.GetName, Client.GetStarted,
Client.GetTimeout, Client.StateChanged, Client.TimeoutChanged):
Removed; all callers changed.
(Client.CheckerCompleted): Add "condition" and "command" arguments.
All callers changed.
(Client.GetAllProperties, Client.PropertyChanged): New.
(Client.StillValid): Renamed to "IsStillValid".
(Client.StartChecker): Changed to its own function to avoid the
return value from "Client.start_checker()".
(Client.Stop): Changed to its own function to avoid the return value
from "Client.stop()".
(main): Try "_mandos" before "mandos" as user and group name.
Removed inner function "remove_from_clients". New inner
class "MandosServer".
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- network-protocol.txt
- files renamed:
- mandos-client.c => plugin-runner.c
- mandos-client.xml => plugin-runner.xml
- plugins.d/password-request.c => plugins.d/mandos-client.c
- plugins.d/password-request.xml => plugins.d/mandos-client.xml
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008 Teddy Hogeborn
13
* Copyright © 2008 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
32
33
#define _LARGEFILE_SOURCE
33
34
#define _FILE_OFFSET_BITS 64
34
35
35
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */
36
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
36
37
37
#include <stdio.h> /* fprintf(), stderr, fwrite(), stdout,
38
ferror() */
38
#include <stdio.h> /* fprintf(), stderr, fwrite(),
39
stdout, ferror() */
39
40
#include <stdint.h> /* uint16_t, uint32_t */
40
41
#include <stddef.h> /* NULL, size_t, ssize_t */
41
42
#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,
42
43
srand() */
43
44
#include <stdbool.h> /* bool, true */
44
45
#include <string.h> /* memset(), strcmp(), strlen(),
45
strerror(), memcpy(), strcpy() */
46
strerror(), asprintf(), strcpy() */
46
47
#include <sys/ioctl.h> /* ioctl */
47
#include <net/if.h> /* ifreq, SIOCGIFFLAGS, SIOCSIFFLAGS,
48
IFF_UP */
49
48
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
50
49
sockaddr_in6, PF_INET6,
51
50
SOCK_STREAM, INET6_ADDRSTRLEN,
52
uid_t, gid_t */
53
#include <inttypes.h> /* PRIu16 */
51
uid_t, gid_t, open(), opendir(), DIR */
52
#include <sys/stat.h> /* open() */
54
53
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
55
54
struct in6_addr, inet_pton(),
56
55
connect() */
56
#include <fcntl.h> /* open() */
57
#include <dirent.h> /* opendir(), struct dirent, readdir() */
58
#include <inttypes.h> /* PRIu16 */
57
59
#include <assert.h> /* assert() */
58
60
#include <errno.h> /* perror(), errno */
59
61
#include <time.h> /* time() */
60
62
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
61
63
SIOCSIFFLAGS, if_indextoname(),
62
64
if_nametoindex(), IF_NAMESIZE */
65
#include <netinet/in.h>
63
66
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
64
67
getuid(), getgid(), setuid(),
65
68
setgid() */
66
#include <netinet/in.h>
67
69
#include <arpa/inet.h> /* inet_pton(), htons */
68
70
#include <iso646.h> /* not, and */
69
71
#include <argp.h> /* struct argp_option, error_t, struct
83
85
#include <avahi-common/error.h>
84
86
85
87
/* GnuTLS */
86
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and functions
88
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
89
functions:
87
90
gnutls_*
88
91
init_gnutls_session(),
89
92
GNUTLS_* */
91
94
GNUTLS_OPENPGP_FMT_BASE64 */
92
95
93
96
/* GPGME */
94
#include <gpgme.h> /* All GPGME types, constants and functions
97
#include <gpgme.h> /* All GPGME types, constants and
98
functions:
95
99
gpgme_*
96
100
GPGME_PROTOCOL_OpenPGP,
97
101
GPG_ERR_NO_* */
98
102
99
103
#define BUFFER_SIZE 256
100
104
105
#define PATHDIR "/conf/conf.d/mandos"
106
#define SECKEY "seckey.txt"
107
#define PUBKEY "pubkey.txt"
108
101
109
bool debug = false;
102
static const char *keydir = "/conf/conf.d/mandos";
103
110
static const char mandos_protocol_version[] = "1";
104
const char *argp_program_version = "password-request 1.0";
111
const char *argp_program_version = "mandos-client " VERSION;
105
112
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
106
113
107
114
/* Used for passing in values through the Avahi callback functions */
112
119
unsigned int dh_bits;
113
120
gnutls_dh_params_t dh_params;
114
121
const char *priority;
122
gpgme_ctx_t ctx;
115
123
} mandos_context;
116
124
117
125
/*
132
140
}
133
141
134
142
/*
135
* Decrypt OpenPGP data using keyrings in HOMEDIR.
136
* Returns -1 on error
143
* Initialize GPGME.
137
144
*/
138
static ssize_t pgp_packet_decrypt (const char *cryptotext,
139
size_t crypto_size,
140
char **plaintext,
141
const char *homedir){
142
gpgme_data_t dh_crypto, dh_plain;
143
gpgme_ctx_t ctx;
145
static bool init_gpgme(mandos_context *mc, const char *seckey,
146
const char *pubkey, const char *tempdir){
147
int ret;
144
148
gpgme_error_t rc;
145
ssize_t ret;
146
size_t plaintext_capacity = 0;
147
ssize_t plaintext_length = 0;
148
149
gpgme_engine_info_t engine_info;
149
150
151
152
/*
153
* Helper function to insert pub and seckey to the enigne keyring.
154
*/
155
bool import_key(const char *filename){
156
int fd;
157
gpgme_data_t pgp_data;
158
159
fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
160
if(fd == -1){
161
perror("open");
162
return false;
163
}
164
165
rc = gpgme_data_new_from_fd(&pgp_data, fd);
166
if (rc != GPG_ERR_NO_ERROR){
167
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
168
gpgme_strsource(rc), gpgme_strerror(rc));
169
return false;
170
}
171
172
rc = gpgme_op_import(mc->ctx, pgp_data);
173
if (rc != GPG_ERR_NO_ERROR){
174
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
175
gpgme_strsource(rc), gpgme_strerror(rc));
176
return false;
177
}
178
179
ret = TEMP_FAILURE_RETRY(close(fd));
180
if(ret == -1){
181
perror("close");
182
}
183
gpgme_data_release(pgp_data);
184
return true;
185
}
186
150
187
if (debug){
151
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
188
fprintf(stderr, "Initialize gpgme\n");
152
189
}
153
190
154
191
/* Init GPGME */
157
194
if (rc != GPG_ERR_NO_ERROR){
158
195
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
159
196
gpgme_strsource(rc), gpgme_strerror(rc));
160
return -1;
197
return false;
161
198
}
162
199
163
/* Set GPGME home directory for the OpenPGP engine only */
200
/* Set GPGME home directory for the OpenPGP engine only */
164
201
rc = gpgme_get_engine_info (&engine_info);
165
202
if (rc != GPG_ERR_NO_ERROR){
166
203
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
167
204
gpgme_strsource(rc), gpgme_strerror(rc));
168
return -1;
205
return false;
169
206
}
170
207
while(engine_info != NULL){
171
208
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
172
209
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
173
engine_info->file_name, homedir);
210
engine_info->file_name, tempdir);
174
211
break;
175
212
}
176
213
engine_info = engine_info->next;
177
214
}
178
215
if(engine_info == NULL){
179
fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir);
180
return -1;
216
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
217
return false;
218
}
219
220
/* Create new GPGME "context" */
221
rc = gpgme_new(&(mc->ctx));
222
if (rc != GPG_ERR_NO_ERROR){
223
fprintf(stderr, "bad gpgme_new: %s: %s\n",
224
gpgme_strsource(rc), gpgme_strerror(rc));
225
return false;
226
}
227
228
if (not import_key(pubkey) or not import_key(seckey)){
229
return false;
230
}
231
232
return true;
233
}
234
235
/*
236
* Decrypt OpenPGP data.
237
* Returns -1 on error
238
*/
239
static ssize_t pgp_packet_decrypt (const mandos_context *mc,
240
const char *cryptotext,
241
size_t crypto_size,
242
char **plaintext){
243
gpgme_data_t dh_crypto, dh_plain;
244
gpgme_error_t rc;
245
ssize_t ret;
246
size_t plaintext_capacity = 0;
247
ssize_t plaintext_length = 0;
248
249
if (debug){
250
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
181
251
}
182
252
183
253
/* Create new GPGME data buffer from memory cryptotext */
198
268
return -1;
199
269
}
200
270
201
/* Create new GPGME "context" */
202
rc = gpgme_new(&ctx);
203
if (rc != GPG_ERR_NO_ERROR){
204
fprintf(stderr, "bad gpgme_new: %s: %s\n",
205
gpgme_strsource(rc), gpgme_strerror(rc));
206
plaintext_length = -1;
207
goto decrypt_end;
208
}
209
210
271
/* Decrypt data from the cryptotext data buffer to the plaintext
211
272
data buffer */
212
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
273
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
213
274
if (rc != GPG_ERR_NO_ERROR){
214
275
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
215
276
gpgme_strsource(rc), gpgme_strerror(rc));
216
277
plaintext_length = -1;
278
if (debug){
279
gpgme_decrypt_result_t result;
280
result = gpgme_op_decrypt_result(mc->ctx);
281
if (result == NULL){
282
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
283
} else {
284
fprintf(stderr, "Unsupported algorithm: %s\n",
285
result->unsupported_algorithm);
286
fprintf(stderr, "Wrong key usage: %u\n",
287
result->wrong_key_usage);
288
if(result->file_name != NULL){
289
fprintf(stderr, "File name: %s\n", result->file_name);
290
}
291
gpgme_recipient_t recipient;
292
recipient = result->recipients;
293
if(recipient){
294
while(recipient != NULL){
295
fprintf(stderr, "Public key algorithm: %s\n",
296
gpgme_pubkey_algo_name(recipient->pubkey_algo));
297
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
298
fprintf(stderr, "Secret key available: %s\n",
299
recipient->status == GPG_ERR_NO_SECKEY
300
? "No" : "Yes");
301
recipient = recipient->next;
302
}
303
}
304
}
305
}
217
306
goto decrypt_end;
218
307
}
219
308
221
310
fprintf(stderr, "Decryption of OpenPGP data succeeded\n");
222
311
}
223
312
224
if (debug){
225
gpgme_decrypt_result_t result;
226
result = gpgme_op_decrypt_result(ctx);
227
if (result == NULL){
228
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
229
} else {
230
fprintf(stderr, "Unsupported algorithm: %s\n",
231
result->unsupported_algorithm);
232
fprintf(stderr, "Wrong key usage: %u\n",
233
result->wrong_key_usage);
234
if(result->file_name != NULL){
235
fprintf(stderr, "File name: %s\n", result->file_name);
236
}
237
gpgme_recipient_t recipient;
238
recipient = result->recipients;
239
if(recipient){
240
while(recipient != NULL){
241
fprintf(stderr, "Public key algorithm: %s\n",
242
gpgme_pubkey_algo_name(recipient->pubkey_algo));
243
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
244
fprintf(stderr, "Secret key available: %s\n",
245
recipient->status == GPG_ERR_NO_SECKEY
246
? "No" : "Yes");
247
recipient = recipient->next;
248
}
249
}
250
}
251
}
252
253
313
/* Seek back to the beginning of the GPGME plaintext data buffer */
254
314
if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){
255
perror("pgpme_data_seek");
315
perror("gpgme_data_seek");
256
316
plaintext_length = -1;
257
317
goto decrypt_end;
258
318
}
282
342
}
283
343
plaintext_length += ret;
284
344
}
285
345
286
346
if(debug){
287
347
fprintf(stderr, "Decrypted password is: ");
288
348
for(ssize_t i = 0; i < plaintext_length; i++){
302
362
}
303
363
304
364
static const char * safer_gnutls_strerror (int value) {
305
const char *ret = gnutls_strerror (value);
365
const char *ret = gnutls_strerror (value); /* Spurious warning */
306
366
if (ret == NULL)
307
367
ret = "(unknown)";
308
368
return ret;
315
375
}
316
376
317
377
static int init_gnutls_global(mandos_context *mc,
318
const char *pubkeyfile,
319
const char *seckeyfile){
378
const char *pubkeyfilename,
379
const char *seckeyfilename){
320
380
int ret;
321
381
322
382
if(debug){
341
401
/* OpenPGP credentials */
342
402
gnutls_certificate_allocate_credentials(&mc->cred);
343
403
if (ret != GNUTLS_E_SUCCESS){
344
fprintf (stderr, "GnuTLS memory error: %s\n",
404
fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious
405
warning */
345
406
safer_gnutls_strerror(ret));
346
407
gnutls_global_deinit ();
347
408
return -1;
348
409
}
349
410
350
411
if(debug){
351
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
352
" and keyfile %s as GnuTLS credentials\n", pubkeyfile,
353
seckeyfile);
412
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
413
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
414
seckeyfilename);
354
415
}
355
416
356
417
ret = gnutls_certificate_set_openpgp_key_file
357
(mc->cred, pubkeyfile, seckeyfile, GNUTLS_OPENPGP_FMT_BASE64);
418
(mc->cred, pubkeyfilename, seckeyfilename,
419
GNUTLS_OPENPGP_FMT_BASE64);
358
420
if (ret != GNUTLS_E_SUCCESS) {
359
421
fprintf(stderr,
360
422
"Error[%d] while reading the OpenPGP key pair ('%s',"
361
" '%s')\n", ret, pubkeyfile, seckeyfile);
362
fprintf(stdout, "The GnuTLS error is: %s\n",
423
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
424
fprintf(stderr, "The GnuTLS error is: %s\n",
363
425
safer_gnutls_strerror(ret));
364
426
goto globalfail;
365
427
}
379
441
}
380
442
381
443
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
382
444
383
445
return 0;
384
446
385
447
globalfail:
386
448
387
449
gnutls_certificate_free_credentials(mc->cred);
388
450
gnutls_global_deinit();
451
gnutls_dh_params_deinit(mc->dh_params);
389
452
return -1;
390
391
453
}
392
454
393
455
static int init_gnutls_session(mandos_context *mc,
465
527
perror("socket");
466
528
return -1;
467
529
}
468
530
469
531
if(debug){
470
532
if(if_indextoname((unsigned int)if_index, interface) == NULL){
471
533
perror("if_indextoname");
474
536
fprintf(stderr, "Binding to interface %s\n", interface);
475
537
}
476
538
477
memset(&to,0,sizeof(to)); /* Spurious warning */
539
memset(&to, 0, sizeof(to));
478
540
to.in6.sin6_family = AF_INET6;
479
541
/* It would be nice to have a way to detect if we were passed an
480
542
IPv4 address here. Now we assume an IPv6 address. */
487
549
fprintf(stderr, "Bad address: %s\n", ip);
488
550
return -1;
489
551
}
490
to.in6.sin6_port = htons(port); /* Spurious warning */
552
to.in6.sin6_port = htons(port); /* Spurious warning */
491
553
492
554
to.in6.sin6_scope_id = (uint32_t)if_index;
493
555
510
572
perror("connect");
511
573
return -1;
512
574
}
513
575
514
576
const char *out = mandos_protocol_version;
515
577
written = 0;
516
578
while (true){
534
596
}
535
597
}
536
598
}
537
599
538
600
if(debug){
539
601
fprintf(stderr, "Establishing TLS session with %s\n", ip);
540
602
}
541
603
542
604
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);
543
605
544
606
do{
545
607
ret = gnutls_handshake (session);
546
608
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
560
622
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
561
623
ip);
562
624
}
563
625
564
626
while(true){
565
627
buffer_capacity = adjustbuffer(&buffer, buffer_length,
566
628
buffer_capacity);
610
672
gnutls_bye (session, GNUTLS_SHUT_RDWR);
611
673
612
674
if (buffer_length > 0){
613
decrypted_buffer_size = pgp_packet_decrypt(buffer,
675
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
614
676
buffer_length,
615
&decrypted_buffer,
616
keydir);
677
&decrypted_buffer);
617
678
if (decrypted_buffer_size >= 0){
618
679
written = 0;
619
680
while(written < (size_t) decrypted_buffer_size){
634
695
} else {
635
696
retval = -1;
636
697
}
698
} else {
699
retval = -1;
637
700
}
638
701
639
702
/* Shutdown procedure */
640
703
641
704
mandos_end:
642
705
free(buffer);
643
close(tcp_sd);
706
ret = TEMP_FAILURE_RETRY(close(tcp_sd));
707
if(ret == -1){
708
perror("close");
709
}
644
710
gnutls_deinit (session);
645
711
return retval;
646
712
}
660
726
flags,
661
727
void* userdata) {
662
728
mandos_context *mc = userdata;
663
assert(r); /* Spurious warning */
729
assert(r);
664
730
665
731
/* Called whenever a service has been resolved successfully or
666
732
timed out */
684
750
}
685
751
int ret = start_mandos_communication(ip, port, interface, mc);
686
752
if (ret == 0){
687
exit(EXIT_SUCCESS);
753
avahi_simple_poll_quit(mc->simple_poll);
688
754
}
689
755
}
690
756
}
702
768
flags,
703
769
void* userdata) {
704
770
mandos_context *mc = userdata;
705
assert(b); /* Spurious warning */
771
assert(b);
706
772
707
773
/* Called whenever a new services becomes available on the LAN or
708
774
is removed from the LAN */
742
808
}
743
809
}
744
810
745
/* Combines file name and path and returns the malloced new
746
string. some sane checks could/should be added */
747
static const char *combinepath(const char *first, const char *second){
748
size_t f_len = strlen(first);
749
size_t s_len = strlen(second);
750
char *tmp = malloc(f_len + s_len + 2);
751
if (tmp == NULL){
752
return NULL;
753
}
754
if(f_len > 0){
755
memcpy(tmp, first, f_len); /* Spurious warning */
756
}
757
tmp[f_len] = '/';
758
if(s_len > 0){
759
memcpy(tmp + f_len + 1, second, s_len); /* Spurious warning */
760
}
761
tmp[f_len + 1 + s_len] = '\0';
762
return tmp;
763
}
764
765
766
811
int main(int argc, char *argv[]){
767
812
AvahiSServiceBrowser *sb = NULL;
768
813
int error;
774
819
uid_t uid;
775
820
gid_t gid;
776
821
char *connect_to = NULL;
822
char tempdir[] = "/tmp/mandosXXXXXX";
777
823
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
778
const char *pubkeyfile = "pubkey.txt";
779
const char *seckeyfile = "seckey.txt";
824
const char *seckey = PATHDIR "/" SECKEY;
825
const char *pubkey = PATHDIR "/" PUBKEY;
826
780
827
mandos_context mc = { .simple_poll = NULL, .server = NULL,
781
.dh_bits = 1024, .priority = "SECURE256"};
828
.dh_bits = 1024, .priority = "SECURE256"
829
":!CTYPE-X.509:+CTYPE-OPENPGP" };
782
830
bool gnutls_initalized = false;
831
bool gpgme_initalized = false;
783
832
784
833
{
785
834
struct argp_option options[] = {
786
835
{ .name = "debug", .key = 128,
787
836
.doc = "Debug mode", .group = 3 },
788
837
{ .name = "connect", .key = 'c',
789
.arg = "IP",
790
.doc = "Connect directly to a sepcified mandos server",
838
.arg = "ADDRESS:PORT",
839
.doc = "Connect directly to a specific Mandos server",
791
840
.group = 1 },
792
841
{ .name = "interface", .key = 'i',
793
.arg = "INTERFACE",
794
.doc = "Interface that Avahi will conntect through",
795
.group = 1 },
796
{ .name = "keydir", .key = 'd',
797
.arg = "KEYDIR",
798
.doc = "Directory where the openpgp keyring is",
842
.arg = "NAME",
843
.doc = "Interface that will be used to search for Mandos"
844
" servers",
799
845
.group = 1 },
800
846
{ .name = "seckey", .key = 's',
801
.arg = "SECKEY",
802
.doc = "Secret openpgp key for gnutls authentication",
847
.arg = "FILE",
848
.doc = "OpenPGP secret key file base name",
803
849
.group = 1 },
804
850
{ .name = "pubkey", .key = 'p',
805
.arg = "PUBKEY",
806
.doc = "Public openpgp key for gnutls authentication",
851
.arg = "FILE",
852
.doc = "OpenPGP public key file base name",
807
853
.group = 2 },
808
854
{ .name = "dh-bits", .key = 129,
809
855
.arg = "BITS",
810
.doc = "dh-bits to use in gnutls communication",
856
.doc = "Bit length of the prime number used in the"
857
" Diffie-Hellman key exchange",
811
858
.group = 2 },
812
859
{ .name = "priority", .key = 130,
813
.arg = "PRIORITY",
814
.doc = "GNUTLS priority", .group = 1 },
860
.arg = "STRING",
861
.doc = "GnuTLS priority string for the TLS handshake",
862
.group = 1 },
815
863
{ .name = NULL }
816
864
};
817
818
865
819
866
error_t parse_opt (int key, char *arg,
820
867
struct argp_state *state) {
821
868
/* Get the INPUT argument from `argp_parse', which we know is
822
869
a pointer to our plugin list pointer. */
823
870
switch (key) {
824
case 128:
871
case 128: /* --debug */
825
872
debug = true;
826
873
break;
827
case 'c':
874
case 'c': /* --connect */
828
875
connect_to = arg;
829
876
break;
830
case 'i':
877
case 'i': /* --interface */
831
878
interface = arg;
832
879
break;
833
case 'd':
834
keydir = arg;
835
break;
836
case 's':
837
seckeyfile = arg;
838
break;
839
case 'p':
840
pubkeyfile = arg;
841
break;
842
case 129:
880
case 's': /* --seckey */
881
seckey = arg;
882
break;
883
case 'p': /* --pubkey */
884
pubkey = arg;
885
break;
886
case 129: /* --dh-bits */
843
887
errno = 0;
844
888
mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);
845
889
if (errno){
847
891
exit(EXIT_FAILURE);
848
892
}
849
893
break;
850
case 130:
894
case 130: /* --priority */
851
895
mc.priority = arg;
852
896
break;
853
897
case ARGP_KEY_ARG:
854
898
argp_usage (state);
899
case ARGP_KEY_END:
855
900
break;
856
case ARGP_KEY_END:
857
break;
858
901
default:
859
902
return ARGP_ERR_UNKNOWN;
860
903
}
861
904
return 0;
862
905
}
863
906
864
907
struct argp argp = { .options = options, .parser = parse_opt,
865
908
.args_doc = "",
866
909
.doc = "Mandos client -- Get and decrypt"
867
" passwords from mandos server" };
910
" passwords from a Mandos server" };
868
911
ret = argp_parse (&argp, argc, argv, 0, 0, NULL);
869
912
if (ret == ARGP_ERR_UNKNOWN){
870
fprintf(stderr, "Unkown error while parsing arguments\n");
871
exitcode = EXIT_FAILURE;
872
goto end;
873
}
874
}
875
876
pubkeyfile = combinepath(keydir, pubkeyfile);
877
if (pubkeyfile == NULL){
878
perror("combinepath");
879
exitcode = EXIT_FAILURE;
880
goto end;
881
}
882
883
seckeyfile = combinepath(keydir, seckeyfile);
884
if (seckeyfile == NULL){
885
perror("combinepath");
886
goto end;
887
}
888
889
ret = init_gnutls_global(&mc, pubkeyfile, seckeyfile);
890
if (ret == -1){
891
fprintf(stderr, "init_gnutls_global\n");
892
goto end;
893
} else {
894
gnutls_initalized = true;
895
}
896
913
fprintf(stderr, "Unknown error while parsing arguments\n");
914
exitcode = EXIT_FAILURE;
915
goto end;
916
}
917
}
918
919
/* If the interface is down, bring it up */
920
{
921
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
922
if(sd < 0) {
923
perror("socket");
924
exitcode = EXIT_FAILURE;
925
goto end;
926
}
927
strcpy(network.ifr_name, interface);
928
ret = ioctl(sd, SIOCGIFFLAGS, &network);
929
if(ret == -1){
930
perror("ioctl SIOCGIFFLAGS");
931
exitcode = EXIT_FAILURE;
932
goto end;
933
}
934
if((network.ifr_flags & IFF_UP) == 0){
935
network.ifr_flags |= IFF_UP;
936
ret = ioctl(sd, SIOCSIFFLAGS, &network);
937
if(ret == -1){
938
perror("ioctl SIOCSIFFLAGS");
939
exitcode = EXIT_FAILURE;
940
goto end;
941
}
942
}
943
ret = TEMP_FAILURE_RETRY(close(sd));
944
if(ret == -1){
945
perror("close");
946
}
947
}
948
897
949
uid = getuid();
898
950
gid = getgid();
899
951
900
952
ret = setuid(uid);
901
953
if (ret == -1){
902
954
perror("setuid");
907
959
perror("setgid");
908
960
}
909
961
962
ret = init_gnutls_global(&mc, pubkey, seckey);
963
if (ret == -1){
964
fprintf(stderr, "init_gnutls_global failed\n");
965
exitcode = EXIT_FAILURE;
966
goto end;
967
} else {
968
gnutls_initalized = true;
969
}
970
971
if(mkdtemp(tempdir) == NULL){
972
perror("mkdtemp");
973
tempdir[0] = '\0';
974
goto end;
975
}
976
977
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
978
fprintf(stderr, "gpgme_initalized failed\n");
979
exitcode = EXIT_FAILURE;
980
goto end;
981
} else {
982
gpgme_initalized = true;
983
}
984
910
985
if_index = (AvahiIfIndex) if_nametoindex(interface);
911
986
if(if_index == 0){
912
987
fprintf(stderr, "No such interface: \"%s\"\n", interface);
940
1015
goto end;
941
1016
}
942
1017
943
/* If the interface is down, bring it up */
944
{
945
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
946
if(sd < 0) {
947
perror("socket");
948
exitcode = EXIT_FAILURE;
949
goto end;
950
}
951
strcpy(network.ifr_name, interface); /* Spurious warning */
952
ret = ioctl(sd, SIOCGIFFLAGS, &network);
953
if(ret == -1){
954
perror("ioctl SIOCGIFFLAGS");
955
exitcode = EXIT_FAILURE;
956
goto end;
957
}
958
if((network.ifr_flags & IFF_UP) == 0){
959
network.ifr_flags |= IFF_UP;
960
ret = ioctl(sd, SIOCSIFFLAGS, &network);
961
if(ret == -1){
962
perror("ioctl SIOCSIFFLAGS");
963
exitcode = EXIT_FAILURE;
964
goto end;
965
}
966
}
967
close(sd);
968
}
969
970
1018
if (not debug){
971
1019
avahi_set_log_function(empty_log);
972
1020
}
982
1030
exitcode = EXIT_FAILURE;
983
1031
goto end;
984
1032
}
985
1033
986
1034
{
987
1035
AvahiServerConfig config;
988
1036
/* Do not publish any local Zeroconf records */
991
1039
config.publish_addresses = 0;
992
1040
config.publish_workstation = 0;
993
1041
config.publish_domain = 0;
994
1042
995
1043
/* Allocate a new server */
996
1044
mc.server = avahi_server_new(avahi_simple_poll_get
997
1045
(mc.simple_poll), &config, NULL,
998
1046
NULL, &error);
999
1047
1000
1048
/* Free the Avahi configuration data */
1001
1049
avahi_server_config_free(&config);
1002
1050
}
1022
1070
}
1023
1071
1024
1072
/* Run the main loop */
1025
1073
1026
1074
if (debug){
1027
1075
fprintf(stderr, "Starting Avahi loop search\n");
1028
1076
}
1030
1078
avahi_simple_poll_loop(mc.simple_poll);
1031
1079
1032
1080
end:
1033
1081
1034
1082
if (debug){
1035
1083
fprintf(stderr, "%s exiting\n", argv[0]);
1036
1084
}
1041
1089
1042
1090
if (mc.server != NULL)
1043
1091
avahi_server_free(mc.server);
1044
1092
1045
1093
if (mc.simple_poll != NULL)
1046
1094
avahi_simple_poll_free(mc.simple_poll);
1047
free(pubkeyfile);
1048
free(seckeyfile);
1049
1095
1050
1096
if (gnutls_initalized){
1051
1097
gnutls_certificate_free_credentials(mc.cred);
1052
1098
gnutls_global_deinit ();
1053
}
1054
1099
gnutls_dh_params_deinit(mc.dh_params);
1100
}
1101
1102
if(gpgme_initalized){
1103
gpgme_release(mc.ctx);
1104
}
1105
1106
/* Removes the temp directory used by GPGME */
1107
if(tempdir[0] != '\0'){
1108
DIR *d;
1109
struct dirent *direntry;
1110
d = opendir(tempdir);
1111
if(d == NULL){
1112
perror("opendir");
1113
} else {
1114
while(true){
1115
direntry = readdir(d);
1116
if(direntry == NULL){
1117
break;
1118
}
1119
if (direntry->d_type == DT_REG){
1120
char *fullname = NULL;
1121
ret = asprintf(&fullname, "%s/%s", tempdir,
1122
direntry->d_name);
1123
if(ret < 0){
1124
perror("asprintf");
1125
continue;
1126
}
1127
ret = unlink(fullname);
1128
if(ret == -1){
1129
fprintf(stderr, "unlink(\"%s\"): %s",
1130
fullname, strerror(errno));
1131
}
1132
free(fullname);
1133
}
1134
}
1135
closedir(d);
1136
}
1137
ret = rmdir(tempdir);
1138
if(ret == -1){
1139
perror("rmdir");
1140
}
1141
}
1142
1055
1143
return exitcode;
1056
1144
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0