/mandos/trunk : revision 24.1.10

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandosclient.c

Committer: Björn Påhlsson
Date: 2008-08-03 14:57:46 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 41.
Revision ID: belorn@braxen-20080803145746-4boahihngi1uwjap

merge commit

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files removed:
.bzrignore

COPYING

README

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.xml

plugins.d/usplash

files renamed:
plugin-runner.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos.conf => server.conf

mandos => server.py

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

plugins.d/mandosclient.c

#define _LARGEFILE_SOURCE

#define _FILE_OFFSET_BITS 64

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */

#include <stdio.h> /* fprintf(), stderr, fwrite(),

stdout, ferror() */

#include <stdint.h> /* uint16_t, uint32_t */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <stdlib.h> /* free(), EXIT_SUCCESS, EXIT_FAILURE,

srand() */

#include <stdbool.h> /* bool, true */

#include <string.h> /* memset(), strcmp(), strlen(),

strerror(), asprintf(), strcpy() */

#include <sys/ioctl.h> /* ioctl */

#include <sys/types.h> /* socket(), inet_pton(), sockaddr,

sockaddr_in6, PF_INET6,

SOCK_STREAM, INET6_ADDRSTRLEN,

uid_t, gid_t, open(), opendir(), DIR */

#include <sys/stat.h> /* open() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton(),

connect() */

#include <fcntl.h> /* open() */

#include <dirent.h> /* opendir(), struct dirent, readdir() */

#include <inttypes.h> /* PRIu16 */

#include <assert.h> /* assert() */

#include <errno.h> /* perror(), errno */

#include <time.h> /* time() */

#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,

SIOCSIFFLAGS, if_indextoname(),

if_nametoindex(), IF_NAMESIZE */

#include <netinet/in.h>

#include <unistd.h> /* close(), SEEK_SET, off_t, write(),

getuid(), getgid(), setuid(),

setgid() */

#include <arpa/inet.h> /* inet_pton(), htons */

#include <iso646.h> /* not, and */

#include <argp.h> /* struct argp_option, error_t, struct

argp_state, struct argp,

argp_parse(), ARGP_KEY_ARG,

ARGP_KEY_END, ARGP_ERR_UNKNOWN */

/* Avahi */

/* All Avahi types, constants and functions

Avahi*, avahi_*,

AVAHI_* */

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */

#include <stdio.h>

#include <assert.h>

#include <stdlib.h>

#include <time.h>

#include <net/if.h> /* if_nametoindex */

#include <sys/ioctl.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <net/if.h> // ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS

#include <avahi-core/core.h>

#include <avahi-core/lookup.h>

#include <avahi-core/log.h>

#include <avahi-common/malloc.h>

#include <avahi-common/error.h>

/* GnuTLS */

#include <gnutls/gnutls.h> /* All GnuTLS types, constants and

functions:

gnutls_*

init_gnutls_session(),

GNUTLS_* */

#include <gnutls/openpgp.h> /* gnutls_certificate_set_openpgp_key_file(),

GNUTLS_OPENPGP_FMT_BASE64 */

/* GPGME */

#include <gpgme.h> /* All GPGME types, constants and

functions:

gpgme_*

GPGME_PROTOCOL_OpenPGP,

100

GPG_ERR_NO_* */

//mandos client part

#include <sys/types.h> /* socket(), inet_pton() */

#include <sys/socket.h> /* socket(), struct sockaddr_in6,

struct in6_addr, inet_pton() */

#include <gnutls/gnutls.h> /* All GnuTLS stuff */

#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */

#include <unistd.h> /* close() */

#include <netinet/in.h>

#include <stdbool.h> /* true */

#include <string.h> /* memset */

#include <arpa/inet.h> /* inet_pton() */

#include <iso646.h> /* not */

// gpgme

#include <errno.h> /* perror() */

#include <gpgme.h>

// getopt long

#include <getopt.h>

101

102

#define BUFFER_SIZE 256

103

104

105

#define PATHDIR "/conf/conf.d/mandos"

106

107

108

#define PATHDIR "/conf/conf.d/mandos"

109

#define SECKEY "seckey.txt"

110

#define PUBKEY "pubkey.txt"

#define DH_BITS 1024

static const char *certdir = "/conf/conf.d/mandos";

static const char *certfile = "openpgp-client.txt";

static const char *certkey = "openpgp-client-key.txt";

111

112

bool debug = false;

113

static const char mandos_protocol_version[] = "1";

114

const char *argp_program_version = "password-request 1.0";

115

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

116

117

/* Used for passing in values through the Avahi callback functions */

const char mandos_protocol_version[] = "1";

118

typedef struct {

119

AvahiSimplePoll *simple_poll;

120

AvahiServer *server;

121

gnutls_certificate_credentials_t cred;

122

unsigned int dh_bits;

123

gnutls_dh_params_t dh_params;

124

const char *priority;

125

gpgme_ctx_t ctx;

126

} mandos_context;

127

128

129

* Make room in "buffer" for at least BUFFER_SIZE additional bytes.

130

* "buffer_capacity" is how much is currently allocated,

131

* "buffer_length" is how much is already used.

132

133

size_t adjustbuffer(char **buffer, size_t buffer_length,

size_t adjustbuffer(char *buffer, size_t buffer_length,

134

size_t buffer_capacity){

135

if (buffer_length + BUFFER_SIZE > buffer_capacity){

136

*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);

buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);

137

if (buffer == NULL){

138

return 0;

139

}

142

101

return buffer_capacity;

143

102

}

144

103

145

146

* Initialize GPGME.

147

148

static bool init_gpgme(mandos_context *mc, const char *seckey,

149

const char *pubkey, const char *tempdir){

150

int ret;

104

static ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,

105

char **new_packet,

106

const char *homedir){

107

gpgme_data_t dh_crypto, dh_plain;

108

gpgme_ctx_t ctx;

151

109

gpgme_error_t rc;

110

ssize_t ret;

111

size_t new_packet_capacity = 0;

112

ssize_t new_packet_length = 0;

152

113

gpgme_engine_info_t engine_info;

153

154

155

156

* Helper function to insert pub and seckey to the enigne keyring.

157

158

bool import_key(const char *filename){

159

int fd;

160

gpgme_data_t pgp_data;

161

162

fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY));

163

if(fd == -1){

164

perror("open");

165

return false;

166

}

167

168

rc = gpgme_data_new_from_fd(&pgp_data, fd);

169

if (rc != GPG_ERR_NO_ERROR){

170

fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",

171

gpgme_strsource(rc), gpgme_strerror(rc));

172

return false;

173

}

174

175

rc = gpgme_op_import(mc->ctx, pgp_data);

176

if (rc != GPG_ERR_NO_ERROR){

177

fprintf(stderr, "bad gpgme_op_import: %s: %s\n",

178

gpgme_strsource(rc), gpgme_strerror(rc));

179

return false;

180

}

181

182

ret = TEMP_FAILURE_RETRY(close(fd));

183

if(ret == -1){

184

perror("close");

185

}

186

gpgme_data_release(pgp_data);

187

return true;

188

}

189

114

190

115

if (debug){

191

fprintf(stderr, "Initialize gpgme\n");

116

fprintf(stderr, "Trying to decrypt OpenPGP packet\n");

192

117

}

193

118

194

119

/* Init GPGME */

197

122

if (rc != GPG_ERR_NO_ERROR){

198

123

fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",

199

124

gpgme_strsource(rc), gpgme_strerror(rc));

200

return false;

125

return -1;

201

126

}

202

127

203

/* Set GPGME home directory for the OpenPGP engine only */

128

/* Set GPGME home directory */

204

129

rc = gpgme_get_engine_info (&engine_info);

205

130

if (rc != GPG_ERR_NO_ERROR){

206

131

fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",

207

132

gpgme_strsource(rc), gpgme_strerror(rc));

208

return false;

133

return -1;

209

134

}

210

135

while(engine_info != NULL){

211

136

if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){

212

137

gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,

213

engine_info->file_name, tempdir);

138

engine_info->file_name, homedir);

214

139

break;

215

140

}

216

141

engine_info = engine_info->next;

217

142

}

218

143

if(engine_info == NULL){

219

fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);

220

return false;

221

}

222

223

/* Create new GPGME "context" */

224

rc = gpgme_new(&(mc->ctx));

225

if (rc != GPG_ERR_NO_ERROR){

226

fprintf(stderr, "bad gpgme_new: %s: %s\n",

227

gpgme_strsource(rc), gpgme_strerror(rc));

228

return false;

229

}

230

231

if (not import_key(pubkey) or not import_key(seckey)){

232

return false;

233

}

234

235

return true;

236

}

237

238

239

* Decrypt OpenPGP data.

240

* Returns -1 on error

241

242

static ssize_t pgp_packet_decrypt (const mandos_context *mc,

243

const char *cryptotext,

244

size_t crypto_size,

245

char **plaintext){

246

gpgme_data_t dh_crypto, dh_plain;

247

gpgme_error_t rc;

248

ssize_t ret;

249

size_t plaintext_capacity = 0;

250

ssize_t plaintext_length = 0;

251

252

if (debug){

253

fprintf(stderr, "Trying to decrypt OpenPGP data\n");

254

}

255

256

/* Create new GPGME data buffer from memory cryptotext */

257

rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,

258

0);

144

fprintf(stderr, "Could not set home dir to %s\n", homedir);

145

return -1;

146

}

147

148

/* Create new GPGME data buffer from packet buffer */

149

rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);

259

150

if (rc != GPG_ERR_NO_ERROR){

260

151

fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",

261

152

gpgme_strsource(rc), gpgme_strerror(rc));

267

158

if (rc != GPG_ERR_NO_ERROR){

268

159

fprintf(stderr, "bad gpgme_data_new: %s: %s\n",

269

160

gpgme_strsource(rc), gpgme_strerror(rc));

270

gpgme_data_release(dh_crypto);

271

return -1;

272

}

273

274

/* Decrypt data from the cryptotext data buffer to the plaintext

275

data buffer */

276

rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);

161

return -1;

162

}

163

164

/* Create new GPGME "context" */

165

rc = gpgme_new(&ctx);

166

if (rc != GPG_ERR_NO_ERROR){

167

fprintf(stderr, "bad gpgme_new: %s: %s\n",

168

gpgme_strsource(rc), gpgme_strerror(rc));

169

return -1;

170

}

171

172

/* Decrypt data from the FILE pointer to the plaintext data

173

buffer */

174

rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);

277

175

if (rc != GPG_ERR_NO_ERROR){

278

176

fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",

279

177

gpgme_strsource(rc), gpgme_strerror(rc));

280

plaintext_length = -1;

281

if (debug){

282

gpgme_decrypt_result_t result;

283

result = gpgme_op_decrypt_result(mc->ctx);

284

if (result == NULL){

285

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

286

} else {

287

fprintf(stderr, "Unsupported algorithm: %s\n",

288

result->unsupported_algorithm);

289

fprintf(stderr, "Wrong key usage: %u\n",

290

result->wrong_key_usage);

291

if(result->file_name != NULL){

292

fprintf(stderr, "File name: %s\n", result->file_name);

293

}

294

gpgme_recipient_t recipient;

295

recipient = result->recipients;

296

if(recipient){

297

while(recipient != NULL){

298

fprintf(stderr, "Public key algorithm: %s\n",

299

gpgme_pubkey_algo_name(recipient->pubkey_algo));

300

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

301

fprintf(stderr, "Secret key available: %s\n",

302

recipient->status == GPG_ERR_NO_SECKEY

303

? "No" : "Yes");

304

recipient = recipient->next;

305

}

178

return -1;

179

}

180

181

if(debug){

182

fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");

183

}

184

185

if (debug){

186

gpgme_decrypt_result_t result;

187

result = gpgme_op_decrypt_result(ctx);

188

if (result == NULL){

189

fprintf(stderr, "gpgme_op_decrypt_result failed\n");

190

} else {

191

fprintf(stderr, "Unsupported algorithm: %s\n",

192

result->unsupported_algorithm);

193

fprintf(stderr, "Wrong key usage: %d\n",

194

result->wrong_key_usage);

195

if(result->file_name != NULL){

196

fprintf(stderr, "File name: %s\n", result->file_name);

197

}

198

gpgme_recipient_t recipient;

199

recipient = result->recipients;

200

if(recipient){

201

while(recipient != NULL){

202

fprintf(stderr, "Public key algorithm: %s\n",

203

gpgme_pubkey_algo_name(recipient->pubkey_algo));

204

fprintf(stderr, "Key ID: %s\n", recipient->keyid);

205

fprintf(stderr, "Secret key available: %s\n",

206

recipient->status == GPG_ERR_NO_SECKEY

207

? "No" : "Yes");

208

recipient = recipient->next;

306

209

}

307

210

}

308

211

}

309

goto decrypt_end;

310

212

}

311

213

312

if(debug){

313

fprintf(stderr, "Decryption of OpenPGP data succeeded\n");

314

}

214

/* Delete the GPGME FILE pointer cryptotext data buffer */

215

gpgme_data_release(dh_crypto);

315

216

316

217

/* Seek back to the beginning of the GPGME plaintext data buffer */

317

218

if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){

318

219

perror("pgpme_data_seek");

319

plaintext_length = -1;

320

goto decrypt_end;

321

220

}

322

221

323

*plaintext = NULL;

222

*new_packet = 0;

324

223

while(true){

325

plaintext_capacity = adjustbuffer(plaintext,

326

(size_t)plaintext_length,

327

plaintext_capacity);

328

if (plaintext_capacity == 0){

224

new_packet_capacity = adjustbuffer(*new_packet, new_packet_length,

225

new_packet_capacity);

226

if (new_packet_capacity == 0){

329

227

perror("adjustbuffer");

330

plaintext_length = -1;

331

goto decrypt_end;

228

return -1;

229

}

230

new_packet_capacity += BUFFER_SIZE;

332

231

}

333

232

334

ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,

233

ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,

335

234

BUFFER_SIZE);

336

235

/* Print the data, if any */

337

236

if (ret == 0){

338

/* EOF */

339

237

break;

340

238

}

341

239

if(ret < 0){

342

240

perror("gpgme_data_read");

343

plaintext_length = -1;

344

goto decrypt_end;

345

}

346

plaintext_length += ret;

347

}

348

349

if(debug){

350

fprintf(stderr, "Decrypted password is: ");

351

for(ssize_t i = 0; i < plaintext_length; i++){

352

fprintf(stderr, "%02hhX ", (*plaintext)[i]);

353

}

354

fprintf(stderr, "\n");

355

}

356

357

decrypt_end:

358

359

/* Delete the GPGME cryptotext data buffer */

360

gpgme_data_release(dh_crypto);

241

return -1;

242

}

243

new_packet_length += ret;

244

}

245

246

/* FIXME: check characters before printing to screen so to not print

247

terminal control characters */

248

/* if(debug){ */

249

/* fprintf(stderr, "decrypted password is: "); */

250

/* fwrite(*new_packet, 1, new_packet_length, stderr); */

251

/* fprintf(stderr, "\n"); */

252

/* } */

361

253

362

254

/* Delete the GPGME plaintext data buffer */

363

255

gpgme_data_release(dh_plain);

364

return plaintext_length;

256

return new_packet_length;

365

257

}

366

258

367

259

static const char * safer_gnutls_strerror (int value) {

368

const char *ret = gnutls_strerror (value); /* Spurious warning */

260

const char *ret = gnutls_strerror (value);

369

261

if (ret == NULL)

370

262

ret = "(unknown)";

371

263

return ret;

372

264

}

373

265

374

/* GnuTLS log function callback */

375

266

static void debuggnutls(__attribute__((unused)) int level,

376

267

const char* string){

377

fprintf(stderr, "GnuTLS: %s", string);

268

fprintf(stderr, "%s", string);

378

269

}

379

270

380

static int init_gnutls_global(mandos_context *mc,

381

const char *pubkeyfilename,

382

const char *seckeyfilename){

271

static int initgnutls(mandos_context *mc){

272

const char *err;

383

273

int ret;

384

274

385

275

if(debug){

386

276

fprintf(stderr, "Initializing GnuTLS\n");

387

277

}

388

389

ret = gnutls_global_init();

390

if (ret != GNUTLS_E_SUCCESS) {

391

fprintf (stderr, "GnuTLS global_init: %s\n",

392

safer_gnutls_strerror(ret));

278

279

if ((ret = gnutls_global_init ())

280

!= GNUTLS_E_SUCCESS) {

281

fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));

393

282

return -1;

394

283

}

395

284

396

285

if (debug){

397

/* "Use a log level over 10 to enable all debugging options."

398

* - GnuTLS manual

399

400

286

gnutls_global_set_log_level(11);

401

287

gnutls_global_set_log_function(debuggnutls);

402

288

}

403

289

404

/* OpenPGP credentials */

405

gnutls_certificate_allocate_credentials(&mc->cred);

406

if (ret != GNUTLS_E_SUCCESS){

407

fprintf (stderr, "GnuTLS memory error: %s\n", /* Spurious

408

warning */

290

/* openpgp credentials */

291

if ((ret = gnutls_certificate_allocate_credentials (&es->cred))

292

!= GNUTLS_E_SUCCESS) {

293

fprintf (stderr, "memory error: %s\n",

409

294

safer_gnutls_strerror(ret));

410

gnutls_global_deinit ();

411

295

return -1;

412

296

}

413

297

414

298

if(debug){

415

fprintf(stderr, "Attempting to use OpenPGP public key %s and"

416

" secret key %s as GnuTLS credentials\n", pubkeyfilename,

417

seckeyfilename);

299

fprintf(stderr, "Attempting to use OpenPGP certificate %s"

300

" and keyfile %s as GnuTLS credentials\n", certfile,

301

certkey);

418

302

}

419

303

420

304

ret = gnutls_certificate_set_openpgp_key_file

421

(mc->cred, pubkeyfilename, seckeyfilename,

422

GNUTLS_OPENPGP_FMT_BASE64);

305

(es->cred, certfile, certkey, GNUTLS_OPENPGP_FMT_BASE64);

423

306

if (ret != GNUTLS_E_SUCCESS) {

424

fprintf(stderr,

425

"Error[%d] while reading the OpenPGP key pair ('%s',"

426

" '%s')\n", ret, pubkeyfilename, seckeyfilename);

427

fprintf(stderr, "The GnuTLS error is: %s\n",

307

fprintf

308

(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"

309

" '%s')\n",

310

ret, certfile, certkey);

311

fprintf(stdout, "The Error is: %s\n",

428

312

safer_gnutls_strerror(ret));

429

goto globalfail;

430

}

431

432

/* GnuTLS server initialization */

433

ret = gnutls_dh_params_init(&mc->dh_params);

434

if (ret != GNUTLS_E_SUCCESS) {

435

fprintf (stderr, "Error in GnuTLS DH parameter initialization:"

436

" %s\n", safer_gnutls_strerror(ret));

437

goto globalfail;

438

}

439

ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);

440

if (ret != GNUTLS_E_SUCCESS) {

441

fprintf (stderr, "Error in GnuTLS prime generation: %s\n",

442

safer_gnutls_strerror(ret));

443

goto globalfail;

444

}

445

446

gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);

447

448

return 0;

449

450

globalfail:

451

452

gnutls_certificate_free_credentials(mc->cred);

453

gnutls_global_deinit();

454

return -1;

455

}

456

457

static int init_gnutls_session(mandos_context *mc,

458

gnutls_session_t *session){

459

int ret;

460

/* GnuTLS session creation */

461

ret = gnutls_init(session, GNUTLS_SERVER);

462

if (ret != GNUTLS_E_SUCCESS){

313

return -1;

314

}

315

316

//GnuTLS server initialization

317

if ((ret = gnutls_dh_params_init (&es->dh_params))

318

!= GNUTLS_E_SUCCESS) {

319

fprintf (stderr, "Error in dh parameter initialization: %s\n",

320

safer_gnutls_strerror(ret));

321

return -1;

322

}

323

324

if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))

325

!= GNUTLS_E_SUCCESS) {

326

fprintf (stderr, "Error in prime generation: %s\n",

327

safer_gnutls_strerror(ret));

328

return -1;

329

}

330

331

gnutls_certificate_set_dh_params (es->cred, es->dh_params);

332

333

// GnuTLS session creation

334

if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))

335

!= GNUTLS_E_SUCCESS){

463

336

fprintf(stderr, "Error in GnuTLS session initialization: %s\n",

464

337

safer_gnutls_strerror(ret));

465

338

}

466

339

467

{

468

const char *err;

469

ret = gnutls_priority_set_direct(*session, mc->priority, &err);

470

if (ret != GNUTLS_E_SUCCESS) {

471

fprintf(stderr, "Syntax error at: %s\n", err);

472

fprintf(stderr, "GnuTLS error: %s\n",

473

safer_gnutls_strerror(ret));

474

gnutls_deinit (*session);

475

return -1;

476

}

340

if ((ret = gnutls_priority_set_direct (es->session, mc->priority, &err))

341

!= GNUTLS_E_SUCCESS) {

342

fprintf(stderr, "Syntax error at: %s\n", err);

343

fprintf(stderr, "GnuTLS error: %s\n",

344

safer_gnutls_strerror(ret));

345

return -1;

477

346

}

478

347

479

ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,

480

mc->cred);

481

if (ret != GNUTLS_E_SUCCESS) {

482

fprintf(stderr, "Error setting GnuTLS credentials: %s\n",

348

if ((ret = gnutls_credentials_set

349

(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))

350

!= GNUTLS_E_SUCCESS) {

351

fprintf(stderr, "Error setting a credentials set: %s\n",

483

352

safer_gnutls_strerror(ret));

484

gnutls_deinit (*session);

485

353

return -1;

486

354

}

487

355

488

356

/* ignore client certificate if any. */

489

gnutls_certificate_server_set_request (*session,

357

gnutls_certificate_server_set_request (es->session,

490

358

GNUTLS_CERT_IGNORE);

491

359

492

gnutls_dh_set_prime_bits (*session, mc->dh_bits);

360

gnutls_dh_set_prime_bits (es->session, DH_BITS);

493

361

494

362

return 0;

495

363

}

496

364

497

/* Avahi log function callback */

498

365

static void empty_log(__attribute__((unused)) AvahiLogLevel level,

499

366

__attribute__((unused)) const char *txt){}

500

367

501

/* Called when a Mandos server is found */

502

368

static int start_mandos_communication(const char *ip, uint16_t port,

503

369

AvahiIfIndex if_index,

504

370

mandos_context *mc){

505

371

int ret, tcp_sd;

506

union { struct sockaddr in; struct sockaddr_in6 in6; } to;

372

struct sockaddr_in6 to;

373

encrypted_session es;

507

374

char *buffer = NULL;

508

375

char *decrypted_buffer;

509

376

size_t buffer_length = 0;

512

379

size_t written;

513

380

int retval = 0;

514

381

char interface[IF_NAMESIZE];

515

gnutls_session_t session;

516

517

ret = init_gnutls_session (mc, &session);

518

if (ret != 0){

519

return -1;

520

}

521

382

522

383

if(debug){

523

fprintf(stderr, "Setting up a tcp connection to %s, port %" PRIu16

524

"\n", ip, port);

384

fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",

385

ip, port);

525

386

}

526

387

527

388

tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);

529

390

perror("socket");

530

391

return -1;

531

392

}

532

393

533

394

if(debug){

534

395

if(if_indextoname((unsigned int)if_index, interface) == NULL){

535

perror("if_indextoname");

396

if(debug){

397

perror("if_indextoname");

398

}

536

399

return -1;

537

400

}

401

538

402

fprintf(stderr, "Binding to interface %s\n", interface);

539

403

}

540

404

541

memset(&to, 0, sizeof(to));

542

to.in6.sin6_family = AF_INET6;

543

/* It would be nice to have a way to detect if we were passed an

544

IPv4 address here. Now we assume an IPv6 address. */

545

ret = inet_pton(AF_INET6, ip, &to.in6.sin6_addr);

405

memset(&to,0,sizeof(to)); /* Spurious warning */

406

to.sin6_family = AF_INET6;

407

ret = inet_pton(AF_INET6, ip, &to.sin6_addr);

546

408

if (ret < 0 ){

547

409

perror("inet_pton");

548

410

return -1;

549

}

411

}

550

412

if(ret == 0){

551

413

fprintf(stderr, "Bad address: %s\n", ip);

552

414

return -1;

553

415

}

554

to.in6.sin6_port = htons(port); /* Spurious warning */

416

to.sin6_port = htons(port); /* Spurious warning */

555

417

556

to.in6.sin6_scope_id = (uint32_t)if_index;

418

to.sin6_scope_id = (uint32_t)if_index;

557

419

558

420

if(debug){

559

fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,

560

port);

561

char addrstr[INET6_ADDRSTRLEN] = "";

562

if(inet_ntop(to.in6.sin6_family, &(to.in6.sin6_addr), addrstr,

563

sizeof(addrstr)) == NULL){

564

perror("inet_ntop");

565

} else {

566

if(strcmp(addrstr, ip) != 0){

567

fprintf(stderr, "Canonical address form: %s\n", addrstr);

568

}

569

}

421

fprintf(stderr, "Connection to: %s, port %d\n", ip, port);

422

/* char addrstr[INET6_ADDRSTRLEN]; */

423

/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */

424

/* sizeof(addrstr)) == NULL){ */

425

/* perror("inet_ntop"); */

426

/* } else { */

427

/* fprintf(stderr, "Really connecting to: %s, port %d\n", */

428

/* addrstr, ntohs(to.sin6_port)); */

429

/* } */

570

430

}

571

431

572

ret = connect(tcp_sd, &to.in, sizeof(to));

432

ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));

573

433

if (ret < 0){

574

434

perror("connect");

575

435

return -1;

576

436

}

577

578

const char *out = mandos_protocol_version;

437

438

char *out = mandos_protocol_version;

579

439

written = 0;

580

440

while (true){

581

441

size_t out_size = strlen(out);

584

444

if (ret == -1){

585

445

perror("write");

586

446

retval = -1;

587

goto mandos_end;

447

goto end;

588

448

}

589

written += (size_t)ret;

449

written += ret;

590

450

if(written < out_size){

591

451

continue;

592

452

} else {

598

458

}

599

459

}

600

460

}

461

462

ret = initgnutls (&es);

463

if (ret != 0){

464

retval = -1;

465

return -1;

466

}

467

468

gnutls_transport_set_ptr (es.session,

469

(gnutls_transport_ptr_t) tcp_sd);

601

470

602

471

if(debug){

603

472

fprintf(stderr, "Establishing TLS session with %s\n", ip);

604

473

}

605

474

606

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd);

607

608

do{

609

ret = gnutls_handshake (session);

610

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

475

ret = gnutls_handshake (es.session);

611

476

612

477

if (ret != GNUTLS_E_SUCCESS){

613

478

if(debug){

614

fprintf(stderr, "*** GnuTLS Handshake failed ***\n");

479

fprintf(stderr, "\n*** Handshake failed ***\n");

615

480

gnutls_perror (ret);

616

481

}

617

482

retval = -1;

618

goto mandos_end;

483

goto exit;

619

484

}

620

485

621

/* Read OpenPGP packet that contains the wanted password */

486

//Retrieve OpenPGP packet that contains the wanted password

622

487

623

488

if(debug){

624

489

fprintf(stderr, "Retrieving pgp encrypted password from %s\n",

625

490

ip);

626

491

}

627

492

628

493

while(true){

629

buffer_capacity = adjustbuffer(&buffer, buffer_length,

630

buffer_capacity);

494

buffer_capacity = adjustbuffer(buffer, buffer_length, buffer_capacity);

631

495

if (buffer_capacity == 0){

632

496

perror("adjustbuffer");

633

497

retval = -1;

634

goto mandos_end;

498

goto exit;

635

499

}

636

500

637

ret = gnutls_record_recv(session, buffer+buffer_length,

638

BUFFER_SIZE);

501

ret = gnutls_record_recv

502

(es.session, buffer+buffer_length, BUFFER_SIZE);

639

503

if (ret == 0){

640

504

break;

641

505

}

645

509

case GNUTLS_E_AGAIN:

646

510

break;

647

511

case GNUTLS_E_REHANDSHAKE:

648

do{

649

ret = gnutls_handshake (session);

650

} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);

512

ret = gnutls_handshake (es.session);

651

513

if (ret < 0){

652

fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");

514

fprintf(stderr, "\n*** Handshake failed ***\n");

653

515

gnutls_perror (ret);

654

516

retval = -1;

655

goto mandos_end;

517

goto exit;

656

518

}

657

519

break;

658

520

default:

659

521

fprintf(stderr, "Unknown error while reading data from"

660

" encrypted session with Mandos server\n");

522

" encrypted session with mandos server\n");

661

523

retval = -1;

662

gnutls_bye (session, GNUTLS_SHUT_RDWR);

663

goto mandos_end;

524

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

525

goto exit;

664

526

}

665

527

} else {

666

528

buffer_length += (size_t) ret;

667

529

}

668

530

}

669

531

670

if(debug){

671

fprintf(stderr, "Closing TLS session\n");

672

}

673

674

gnutls_bye (session, GNUTLS_SHUT_RDWR);

675

676

532

if (buffer_length > 0){

677

decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,

533

decrypted_buffer_size = pgp_packet_decrypt(buffer,

678

534

buffer_length,

679

&decrypted_buffer);

535

&decrypted_buffer,

536

certdir);

680

537

if (decrypted_buffer_size >= 0){

681

538

written = 0;

682

539

while(written < (size_t) decrypted_buffer_size){

697

554

} else {

698

555

retval = -1;

699

556

}

700

} else {

701

retval = -1;

702

}

703

704

/* Shutdown procedure */

705

706

mandos_end:

557

}

558

559

//shutdown procedure

560

561

if(debug){

562

fprintf(stderr, "Closing TLS session\n");

563

}

564

707

565

free(buffer);

708

ret = TEMP_FAILURE_RETRY(close(tcp_sd));

709

if(ret == -1){

710

perror("close");

711

}

712

gnutls_deinit (session);

566

gnutls_bye (es.session, GNUTLS_SHUT_RDWR);

567

exit:

568

close(tcp_sd);

569

gnutls_deinit (es.session);

570

gnutls_certificate_free_credentials (es.cred);

571

gnutls_global_deinit ();

713

572

return retval;

714

573

}

715

574

716

static void resolve_callback(AvahiSServiceResolver *r,

717

AvahiIfIndex interface,

718

AVAHI_GCC_UNUSED AvahiProtocol protocol,

719

AvahiResolverEvent event,

720

const char *name,

721

const char *type,

722

const char *domain,

723

const char *host_name,

724

const AvahiAddress *address,

725

uint16_t port,

726

AVAHI_GCC_UNUSED AvahiStringList *txt,

727

AVAHI_GCC_UNUSED AvahiLookupResultFlags

728

flags,

729

void* userdata) {

575

static void resolve_callback( AvahiSServiceResolver *r,

576

AvahiIfIndex interface,

577

AVAHI_GCC_UNUSED AvahiProtocol protocol,

578

AvahiResolverEvent event,

579

const char *name,

580

const char *type,

581

const char *domain,

582

const char *host_name,

583

const AvahiAddress *address,

584

uint16_t port,

585

AVAHI_GCC_UNUSED AvahiStringList *txt,

586

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

587

AVAHI_GCC_UNUSED void* userdata) {

730

588

mandos_context *mc = userdata;

731

assert(r);

589

assert(r); /* Spurious warning */

732

590

733

591

/* Called whenever a service has been resolved successfully or

734

592

timed out */

736

594

switch (event) {

737

595

default:

738

596

case AVAHI_RESOLVER_FAILURE:

739

fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"

740

" of type '%s' in domain '%s': %s\n", name, type, domain,

597

fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"

598

" type '%s' in domain '%s': %s\n", name, type, domain,

741

599

avahi_strerror(avahi_server_errno(mc->server)));

742

600

break;

743

601

746

604

char ip[AVAHI_ADDRESS_STR_MAX];

747

605

avahi_address_snprint(ip, sizeof(ip), address);

748

606

if(debug){

749

fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"

750

PRIu16 ") on port %d\n", name, host_name, ip,

751

interface, port);

607

fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"

608

" port %d\n", name, host_name, ip, port);

752

609

}

753

610

int ret = start_mandos_communication(ip, port, interface, mc);

754

611

if (ret == 0){

755

avahi_simple_poll_quit(mc->simple_poll);

612

exit(EXIT_SUCCESS);

756

613

}

757

614

}

758

615

}

766

623

const char *name,

767

624

const char *type,

768

625

const char *domain,

769

AVAHI_GCC_UNUSED AvahiLookupResultFlags

770

flags,

626

AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,

771

627

void* userdata) {

772

628

mandos_context *mc = userdata;

773

assert(b);

629

assert(b); /* Spurious warning */

774

630

775

631

/* Called whenever a new services becomes available on the LAN or

776

632

is removed from the LAN */

778

634

switch (event) {

779

635

default:

780

636

case AVAHI_BROWSER_FAILURE:

781

782

fprintf(stderr, "(Avahi browser) %s\n",

637

638

fprintf(stderr, "(Browser) %s\n",

783

639

avahi_strerror(avahi_server_errno(mc->server)));

784

640

avahi_simple_poll_quit(mc->simple_poll);

785

641

return;

786

642

787

643

case AVAHI_BROWSER_NEW:

788

/* We ignore the returned Avahi resolver object. In the callback

789

function we free it. If the Avahi server is terminated before

790

the callback function is called the Avahi server will free the

791

resolver for us. */

792

793

if (!(avahi_s_service_resolver_new(mc->server, interface,

794

protocol, name, type, domain,

644

/* We ignore the returned resolver object. In the callback

645

function we free it. If the server is terminated before

646

the callback function is called the server will free

647

the resolver for us. */

648

649

if (!(avahi_s_service_resolver_new(mc->server, interface, protocol, name,

650

type, domain,

795

651

AVAHI_PROTO_INET6, 0,

796

652

resolve_callback, mc)))

797

fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",

798

name, avahi_strerror(avahi_server_errno(mc->server)));

653

fprintf(stderr, "Failed to resolve service '%s': %s\n", name,

654

avahi_strerror(avahi_server_errno(s)));

799

655

break;

800

656

801

657

case AVAHI_BROWSER_REMOVE:

802

658

break;

803

659

804

660

case AVAHI_BROWSER_ALL_FOR_NOW:

805

661

case AVAHI_BROWSER_CACHE_EXHAUSTED:

806

if(debug){

807

fprintf(stderr, "No Mandos server found, still searching...\n");

808

}

809

662

break;

810

663

}

811

664

}

812

665

813

int main(int argc, char *argv[]){

666

/* Combines file name and path and returns the malloced new

667

string. some sane checks could/should be added */

668

static const char *combinepath(const char *first, const char *second){

669

size_t f_len = strlen(first);

670

size_t s_len = strlen(second);

671

char *tmp = malloc(f_len + s_len + 2);

672

if (tmp == NULL){

673

return NULL;

674

}

675

if(f_len > 0){

676

memcpy(tmp, first, f_len);

677

}

678

tmp[f_len] = '/';

679

if(s_len > 0){

680

memcpy(tmp + f_len + 1, second, s_len);

681

}

682

tmp[f_len + 1 + s_len] = '\0';

683

return tmp;

684

}

685

686

687

int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {

688

AvahiServerConfig config;

814

689

AvahiSServiceBrowser *sb = NULL;

815

690

int error;

816

691

int ret;

817

int exitcode = EXIT_SUCCESS;

692

int returncode = EXIT_SUCCESS;

818

693

const char *interface = "eth0";

819

694

struct ifreq network;

820

695

int sd;

821

uid_t uid;

822

gid_t gid;

823

696

char *connect_to = NULL;

824

char tempdir[] = "/tmp/mandosXXXXXX";

825

697

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

826

const char *seckey = PATHDIR "/" SECKEY;

827

const char *pubkey = PATHDIR "/" PUBKEY;

828

829

698

mandos_context mc = { .simple_poll = NULL, .server = NULL,

830

.dh_bits = 1024, .priority = "SECURE256"

831

":!CTYPE-X.509:+CTYPE-OPENPGP" };

832

bool gnutls_initalized = false;

833

bool pgpme_initalized = false;

699

.dh_bits = 2048, .priority = "SECURE256"};

834

700

835

{

836

struct argp_option options[] = {

837

{ .name = "debug", .key = 128,

838

.doc = "Debug mode", .group = 3 },

839

{ .name = "connect", .key = 'c',

840

.arg = "ADDRESS:PORT",

841

.doc = "Connect directly to a specific Mandos server",

842

.group = 1 },

843

{ .name = "interface", .key = 'i',

844

.arg = "NAME",

845

.doc = "Interface that will be used to search for Mandos"

846

" servers",

847

.group = 1 },

848

{ .name = "seckey", .key = 's',

849

.arg = "FILE",

850

.doc = "OpenPGP secret key file base name",

851

.group = 1 },

852

{ .name = "pubkey", .key = 'p',

853

.arg = "FILE",

854

.doc = "OpenPGP public key file base name",

855

.group = 2 },

856

{ .name = "dh-bits", .key = 129,

857

.arg = "BITS",

858

.doc = "Bit length of the prime number used in the"

859

" Diffie-Hellman key exchange",

860

.group = 2 },

861

{ .name = "priority", .key = 130,

862

.arg = "STRING",

863

.doc = "GnuTLS priority string for the TLS handshake",

864

.group = 1 },

865

{ .name = NULL }

866

};

867

868

error_t parse_opt (int key, char *arg,

869

struct argp_state *state) {

870

/* Get the INPUT argument from `argp_parse', which we know is

871

a pointer to our plugin list pointer. */

872

switch (key) {

873

case 128: /* --debug */

874

debug = true;

875

break;

876

case 'c': /* --connect */

877

connect_to = arg;

878

break;

879

case 'i': /* --interface */

880

interface = arg;

881

break;

882

case 's': /* --seckey */

883

seckey = arg;

884

break;

885

case 'p': /* --pubkey */

886

pubkey = arg;

887

break;

888

case 129: /* --dh-bits */

701

while (true){

702

static struct option long_options[] = {

703

{"debug", no_argument, (int *)&debug, 1},

704

{"connect", required_argument, 0, 'C'},

705

{"interface", required_argument, 0, 'i'},

706

{"certdir", required_argument, 0, 'd'},

707

{"certkey", required_argument, 0, 'c'},

708

{"certfile", required_argument, 0, 'k'},

709

{"dh_bits", required_argument, 0, 'D'},

710

{"priority", required_argument, 0, 'p'},

711

{0, 0, 0, 0} };

712

713

int option_index = 0;

714

ret = getopt_long (argc, argv, "i:", long_options,

715

&option_index);

716

717

if (ret == -1){

718

break;

719

}

720

721

switch(ret){

722

case 0:

723

break;

724

case 'i':

725

interface = optarg;

726

break;

727

case 'C':

728

connect_to = optarg;

729

break;

730

case 'd':

731

certdir = optarg;

732

break;

733

case 'c':

734

certfile = optarg;

735

break;

736

case 'k':

737

certkey = optarg;

738

break;

739

case 'D':

740

{

741

long int tmp;

889

742

errno = 0;

890

mc.dh_bits = (unsigned int) strtol(arg, NULL, 10);

891

if (errno){

743

tmp = strtol(optarg, NULL, 10);

744

if (errno == ERANGE){

892

745

perror("strtol");

893

746

exit(EXIT_FAILURE);

894

747

}

895

break;

896

case 130: /* --priority */

897

mc.priority = arg;

898

break;

899

case ARGP_KEY_ARG:

900

argp_usage (state);

901

case ARGP_KEY_END:

902

break;

903

default:

904

return ARGP_ERR_UNKNOWN;

905

}

906

return 0;

907

}

908

909

struct argp argp = { .options = options, .parser = parse_opt,

910

.args_doc = "",

911

.doc = "Mandos client -- Get and decrypt"

912

" passwords from a Mandos server" };

913

ret = argp_parse (&argp, argc, argv, 0, 0, NULL);

914

if (ret == ARGP_ERR_UNKNOWN){

915

fprintf(stderr, "Unknown error while parsing arguments\n");

916

exitcode = EXIT_FAILURE;

917

goto end;

918

}

919

}

920

921

/* If the interface is down, bring it up */

922

{

923

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

924

if(sd < 0) {

925

perror("socket");

926

exitcode = EXIT_FAILURE;

927

goto end;

928

}

929

strcpy(network.ifr_name, interface);

930

ret = ioctl(sd, SIOCGIFFLAGS, &network);

931

if(ret == -1){

932

perror("ioctl SIOCGIFFLAGS");

933

exitcode = EXIT_FAILURE;

934

goto end;

935

}

936

if((network.ifr_flags & IFF_UP) == 0){

937

network.ifr_flags |= IFF_UP;

938

ret = ioctl(sd, SIOCSIFFLAGS, &network);

939

if(ret == -1){

940

perror("ioctl SIOCSIFFLAGS");

941

exitcode = EXIT_FAILURE;

942

goto end;

943

}

944

}

945

ret = TEMP_FAILURE_RETRY(close(sd));

946

if(ret == -1){

947

perror("close");

948

}

949

}

950

951

uid = getuid();

952

gid = getgid();

953

954

ret = setuid(uid);

955

if (ret == -1){

956

perror("setuid");

957

}

958

959

setgid(gid);

960

if (ret == -1){

961

perror("setgid");

962

}

963

964

ret = init_gnutls_global(&mc, pubkey, seckey);

965

if (ret == -1){

966

fprintf(stderr, "init_gnutls_global failed\n");

967

exitcode = EXIT_FAILURE;

968

goto end;

969

} else {

970

gnutls_initalized = true;

971

}

972

973

if(mkdtemp(tempdir) == NULL){

974

perror("mkdtemp");

975

tempdir[0] = '\0';

976

goto end;

977

}

978

979

if(not init_gpgme(&mc, pubkey, seckey, tempdir)){

980

fprintf(stderr, "pgpme_initalized failed\n");

981

exitcode = EXIT_FAILURE;

982

goto end;

983

} else {

984

pgpme_initalized = true;

748

mc.dh_bits = tmp;

749

}

750

break;

751

case 'p':

752

mc.priority = optarg;

753

break;

754

default:

755

exit(EXIT_FAILURE);

756

}

757

}

758

759

certfile = combinepath(certdir, certfile);

760

if (certfile == NULL){

761

perror("combinepath");

762

returncode = EXIT_FAILURE;

763

goto exit;

764

}

765

766

certkey = combinepath(certdir, certkey);

767

if (certkey == NULL){

768

perror("combinepath");

769

returncode = EXIT_FAILURE;

770

goto exit;

985

771

}

986

772

987

773

if_index = (AvahiIfIndex) if_nametoindex(interface);

996

782

char *address = strrchr(connect_to, ':');

997

783

if(address == NULL){

998

784

fprintf(stderr, "No colon in address\n");

999

exitcode = EXIT_FAILURE;

1000

goto end;

785

exit(EXIT_FAILURE);

1001

786

}

1002

787

errno = 0;

1003

788

uint16_t port = (uint16_t) strtol(address+1, NULL, 10);

1004

789

if(errno){

1005

790

perror("Bad port number");

1006

exitcode = EXIT_FAILURE;

1007

goto end;

791

exit(EXIT_FAILURE);

1008

792

}

1009

793

*address = '\0';

1010

794

address = connect_to;

1011

ret = start_mandos_communication(address, port, if_index, &mc);

795

ret = start_mandos_communication(address, port, if_index);

1012

796

if(ret < 0){

1013

exitcode = EXIT_FAILURE;

797

exit(EXIT_FAILURE);

1014

798

} else {

1015

exitcode = EXIT_SUCCESS;

1016

}

1017

goto end;

1018

}

799

exit(EXIT_SUCCESS);

800

}

801

}

802

803

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

804

if(sd < 0) {

805

perror("socket");

806

returncode = EXIT_FAILURE;

807

goto exit;

808

}

809

strcpy(network.ifr_name, interface);

810

ret = ioctl(sd, SIOCGIFFLAGS, &network);

811

if(ret == -1){

812

813

perror("ioctl SIOCGIFFLAGS");

814

returncode = EXIT_FAILURE;

815

goto exit;

816

}

817

if((network.ifr_flags & IFF_UP) == 0){

818

network.ifr_flags |= IFF_UP;

819

ret = ioctl(sd, SIOCSIFFLAGS, &network);

820

if(ret == -1){

821

perror("ioctl SIOCSIFFLAGS");

822

returncode = EXIT_FAILURE;

823

goto exit;

824

}

825

}

826

close(sd);

1019

827

1020

828

if (not debug){

1021

829

avahi_set_log_function(empty_log);

1022

830

}

1023

831

1024

/* Initialize the pseudo-RNG for Avahi */

832

/* Initialize the psuedo-RNG */

1025

833

srand((unsigned int) time(NULL));

1026

1027

/* Allocate main Avahi loop object */

1028

mc.simple_poll = avahi_simple_poll_new();

1029

if (mc.simple_poll == NULL) {

1030

fprintf(stderr, "Avahi: Failed to create simple poll"

1031

" object.\n");

1032

exitcode = EXIT_FAILURE;

1033

goto end;

1034

}

1035

1036

{

1037

AvahiServerConfig config;

1038

/* Do not publish any local Zeroconf records */

1039

avahi_server_config_init(&config);

1040

config.publish_hinfo = 0;

1041

config.publish_addresses = 0;

1042

config.publish_workstation = 0;

1043

config.publish_domain = 0;

1044

1045

/* Allocate a new server */

1046

mc.server = avahi_server_new(avahi_simple_poll_get

1047

(mc.simple_poll), &config, NULL,

1048

NULL, &error);

1049

1050

/* Free the Avahi configuration data */

1051

avahi_server_config_free(&config);

1052

}

1053

1054

/* Check if creating the Avahi server object succeeded */

1055

if (mc.server == NULL) {

1056

fprintf(stderr, "Failed to create Avahi server: %s\n",

834

835

/* Allocate main loop object */

836

if (!(mc.simple_poll = avahi_simple_poll_new())) {

837

fprintf(stderr, "Failed to create simple poll object.\n");

838

returncode = EXIT_FAILURE;

839

goto exit;

840

}

841

842

/* Do not publish any local records */

843

avahi_server_config_init(&config);

844

config.publish_hinfo = 0;

845

config.publish_addresses = 0;

846

config.publish_workstation = 0;

847

config.publish_domain = 0;

848

849

/* Allocate a new server */

850

mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),

851

&config, NULL, NULL, &error);

852

853

/* Free the configuration data */

854

avahi_server_config_free(&config);

855

856

/* Check if creating the server object succeeded */

857

if (!mc.server) {

858

fprintf(stderr, "Failed to create server: %s\n",

1057

859

avahi_strerror(error));

1058

exitcode = EXIT_FAILURE;

1059

goto end;

860

returncode = EXIT_FAILURE;

861

goto exit;

1060

862

}

1061

863

1062

/* Create the Avahi service browser */

864

/* Create the service browser */

1063

865

sb = avahi_s_service_browser_new(mc.server, if_index,

1064

866

AVAHI_PROTO_INET6,

1065

867

"_mandos._tcp", NULL, 0,

1066

868

browse_callback, &mc);

1067

if (sb == NULL) {

869

if (!sb) {

1068

870

fprintf(stderr, "Failed to create service browser: %s\n",

1069

871

avahi_strerror(avahi_server_errno(mc.server)));

1070

exitcode = EXIT_FAILURE;

1071

goto end;

872

returncode = EXIT_FAILURE;

873

goto exit;

1072

874

}

1073

875

1074

876

/* Run the main loop */

1075

877

1076

878

if (debug){

1077

fprintf(stderr, "Starting Avahi loop search\n");

879

fprintf(stderr, "Starting avahi loop search\n");

1078

880

}

1079

881

1080

avahi_simple_poll_loop(mc.simple_poll);

1081

1082

end:

1083

882

avahi_simple_poll_loop(simple_poll);

883

884

exit:

885

1084

886

if (debug){

1085

887

fprintf(stderr, "%s exiting\n", argv[0]);

1086

888

}

1087

889

1088

890

/* Cleanup things */

1089

if (sb != NULL)

891

if (sb)

1090

892

avahi_s_service_browser_free(sb);

1091

893

1092

if (mc.server != NULL)

894

if (mc.server)

1093

895

avahi_server_free(mc.server);

1094

1095

if (mc.simple_poll != NULL)

1096

avahi_simple_poll_free(mc.simple_poll);

1097

1098

if (gnutls_initalized){

1099

gnutls_certificate_free_credentials(mc.cred);

1100

gnutls_global_deinit ();

1101

}

1102

1103

if(pgpme_initalized){

1104

gpgme_release(mc.ctx);

1105

}

1106

1107

/* Removes the temp directory used by GPGME */

1108

if(tempdir[0] != '\0'){

1109

DIR *d;

1110

struct dirent *direntry;

1111

d = opendir(tempdir);

1112

if(d == NULL){

1113

perror("opendir");

1114

} else {

1115

while(true){

1116

direntry = readdir(d);

1117

if(direntry == NULL){

1118

break;

1119

}

1120

if (direntry->d_type == DT_REG){

1121

char *fullname = NULL;

1122

ret = asprintf(&fullname, "%s/%s", tempdir,

1123

direntry->d_name);

1124

if(ret < 0){

1125

perror("asprintf");

1126

continue;

1127

}

1128

ret = unlink(fullname);

1129

if(ret == -1){

1130

fprintf(stderr, "unlink(\"%s\"): %s",

1131

fullname, strerror(errno));

1132

}

1133

free(fullname);

1134

}

1135

}

1136

}

1137

ret = rmdir(tempdir);

1138

if(ret == -1){

1139

perror("rmdir");

1140

}

1141

}

1142

1143

return exitcode;

896

897

if (simple_poll)

898

avahi_simple_poll_free(simple_poll);

899

free(certfile);

900

free(certkey);

901

902

return returncode;

1144

903

}

Older »